Okay, plan of attack:
* Start game in any difficulty, it shouldn't matter too much (
although Hard would be tight on cash)
* Build rows of power lines. We are writing a bootstrap code, with each tile representing one bit.
* Build power plant, maybe two, to power these lines we just placed
* Wait long enough for the game to calculate the power
* Build Mass Transit (rails) tile on 0064 (
206 tiles left of the normal top-left corner)
* Build Roads on 0090 (
184 tiles left of that same corner)
* Spam-build over the timers at 012C (
106 tiles left), 12E (
105), and 12F (
104) for great justice
* Build Roads on 00AA
* ACE achieved. Now press buttons several thousand times faster than normal humans.
Well, I'm hoping this plan is simple and effective. It should, at least, give something concrete to try out as opposed to simply hand waving possible ideas around.
About the spam-building for great justice step: There are a few two-byte timers we can corrupt and abuse to our liking. Whenever we build over one of these, we set the upper byte of one timer to one of three values (
0x32, 0x62, or 0x72, depending on tool) and zero out the lower byte of another. The timers tick down every frame, so zeroing out the low byte will effectively decrement the upper byte. We can simply zero out the low byte multiple times to adjust the high byte as needed, and pick a different timing on when we zero out that low byte for the last time to line up the values of different timers.
I took a look at moving the cursor off the top edge of the map. Judging from where it's corrupting stuff, it's probably just taking the effective Y position you would be building on, modulo 256. This would modify 7FF110 for going one tile up, and will never reach the 7E0000 region we want to modify. I'm thinking we're stuck with moving the cursor to the left a ways.
As the width of the map is 120 tiles, and we are guaranteed to be able to have two functioning rows of power lines for purposes of ACE, we can get ourselves 30 easy bytes of bootstrap code in the power array. If it's necessary, we can probably get more bytes by adding more rows, but we start to lose precision control on how we set the individual bits as we need some continuous connection to every power line. The more 1 bits in your code, the less of a problem this would be, though. On the other hand, 30 bytes of bootstrapping with absolute control over every byte of this 30 really should be a dream compared to getting an ACE in something like Super Mario World.
But once we hit ACE, what then? Fix the stack, and any critical memory we ruined along the way, then run the 600k population message routine? Well, that would seem like a really basic way to achieve the "ending". Use it as a shortcut to glitch our money? But then we're not actually using the full power to get to the "ending" as soon as possible. Something...
Interesting? A bit outside what I'd do myself, but snap, it would be awesome if someone has ideas and can execute those. I, for one, would like to see someone bulldoze a tornado. Or the plane, it keeps crashing on nice buildings even on Easy.
In any case, I feel as though I have 99% confirmation that ACE is possible. My method was basically running a debugger and doing direct memory edits on spots we should be able to corrupt as the Program Counter was getting close. To my knowledge, the spots I wrote over do not refresh so long as you don't enter any menus, and apparently don't have critical function for reads, apart from the final step of corrupting the stack.
Finally, we have a LOT of room in the 7F bank. Well, a lot of it is dedicated to the 120x100 building area, but after that is the History stats and the various map stats. Since we should have ACE, we can simply prevent the game from ever recalculating what the stats should be, possibly by convincing it the calculation was already done.