Submission #5039: londonb415's SNES Battle Dodge Ball "game end glitch" in 00:56.21

(Link to video)
Super Nintendo Entertainment System
game end glitch
lsnes rr2-β23
3378
60.0988138974405
17
Unknown
Battle Dodgeball (J).smc
Submitted by londonb415 on 3/13/2016 10:48:45 AM
Submission Comments

Game objectives

  • Emulator used: lsnes rr2-β23
  • Aims for fastest time
  • Uses glitched password
  • Corrupts memory
  • Executes arbitrary code

Executing $00F9

Big characters and small characters

Generally, big characters are placed in inside of the field. And small characters are in outside. Big characters aren't placed in outside if you play this game normally. (Sometimes small characters are in inside.)

Placing a big character in outside by using password

You can use a password at "スーパーバトルリーグ:Super Battle League" or "激闘対戦モード:VS Mode" for organization of the team and fix ability of each character. It depends on whether the 39th and 40th letter of a password who enters the outside. Before the start of the match, Graphic data is loaded from rom. But if a big character is placed in outside, memory corruption may be occured. It's depend on some characters. Perhaps it is unexpected that a big character enters the outside.

How to executing $00F9

Outside player: Grate Kaminarimon(グレートかみなりもん)
Stage: Moon
Opponent: Knight Gundam team(ナイトドラゴンズ)
This combination makes stack corruption, and executing $00F9 occured.

Jumping to password area

Usable memory address

$00F9 = a number of times attract mode match is watched
$00FA = a number of times cursor is moved
$00FB = a number of times A or B are pushed at password mode.
$00FC = a number of times sounds when cursor is moved
$00FD = a number of times sounds when A or B are pushed at password mode.
$1F80-$1FB1 = password

A barrage

As you barrage the A with a password mode, $00FD will not catch up with $00FB, because the sound is not in time. If the difference between $00FB and $00FD is set to 1 at the moment when screen gliches, it is possible to make the instruction for jump to password area.
Address Bytes Instruction Comment
$00/00F9 01 80 ORA ($80,x)
$00/00FB 20 80 1F JSR $1F80 Jump to password area

Jumping to ending

Password

ノノノぼご ルじKぐチ ニニワおネ ネネネネネ
ネヤlネず ミ ネネネ ネネネネネ ネネネテテ
テテテテテ テテテテせ
Address Bytes Instruction Comment
$00/1F80 59 59 59 EOR $5959,y
$00/1F83 4A LSR A
$00/1F84 0E 99 1F ASL $1F99 $1F99 is shifted left of 1
$00/1F87 9C 0C 42 STZ $420C $420C is set to 0(to stop HDMA)
$00/1F8A 56 56 LSR $56,x
$00/1F8C A9 04 LDA #$04 The accumulator is set to 0x04
$00/1F8E 58 CLI
$00/1F8F 58 CLI
$00/1F90 58 CLI
$00/1F91 58 CLI
$00/1F92 58 CLI
$00/1F93 58 CLI
$00/1F94 58 CLI
$00/1F95 85 C2 STA $C2 $00C2 is set to 0x04
$00/1F97 58 CLI
$00/1F98 20 74 C0 JSR $C074 0x74 will be shifted left of 1 to 0xE8
becomes...
$00/1F98 20 E8 C0 JSR $C0E8 Call final scene

Password Text Table

000102030405060708090A0B0C0D0E0F10111213
1415161718191A1B1C1D1E1F2021222324252627
28292A2B2C2D2E2F303132333435363738393A3B
3C3D3E3F404142434445464748494A4B4C4D4E4F
505152535455565758595A5B5C5D5E5F60616263
6465666768696A6B6C6D
6E6F707172737475767778797A7B7C7D7E7F8081
A B C D E F G H I J
82 83 8485 86 8788898A8B8C8D8E8F9091
K L M N O P Q R S T
92939495969798999A9B9C9D9E9FA0A1A2A3A4A5
U V W X Y Z
A6 A7 A8A9 AA ABACADAEAFB0B1
B2B3B4B5B6B7B8B9BABBBCBDBEBFC0
C1 C2 C3C4 C5 C6
C7C8

Other comments

This ending is not for "スーパーバトルリーグ:Super Battle League". This is for "真・闘球王伝説:Shin Toukyuou Densetsu".

Samsara: Judging.
Samsara: Changing branch to just "game end glitch" and accepting to Moons.
Samsara: Hopefully replacing with a file with the blank SRAM removed.
Guga: Processing...
Last Edited by adelikat on 10/15/2023 7:23 PM
Page History Latest diff List referrers