Submission #6610: r.bin's SNES Secret of Evermore "game end glitch" in 09:56.27

Super Nintendo Entertainment System
game end glitch
lsnes rr2-β23
35835
60.0988138974405
2613
Unknown

(Additionally: r.bin)
Secret of Evermore (U).smc
Submitted by r-bin2 on 1/29/2020 9:10:58 PM
Submission Comments
This game would feature an epic storyline, where the protagonist saves the virtual world of Evermore and the lives of those who are trapped inside… if we didn't skip all but two minor dialogs of the game. This is the story of "The Dog" and his transcendence once he's realized that he's actually trapped in the Matrix.

Game objectives

  • Emulator used: lsnes rr2-β23
  • Objective: Reach the credits as quickly as possible
  • Categories:
    • Heavy glitch abuse
    • Corrupts memory
    • Uses a game restart sequence
    • Genre: Action RPG

Glitches/Techniques

Indefinite Projectiles

Alchemy in the game is heavily restricted. Presumably to make alchemy feel less overpowered, there are many restrictions that apply to casting:
  • Alchemy can be classified in two schools and has 8 slots for each
    • Projectile (E.g. Hard Ball, Flash, etc.)
    • Animation (Everything else, including items)
  • Both schools are limited in the amount of concurrent spells
    • The Boy realistically cannot cause the game to have more than 2-3 active alchemy spells (Cooldown capped)
    • The Dog has no mandatory cooldown, but instead runs into the limited slots (Memory capped)
Generally referred to as "multi-casting", having the Dog as the active player and opening the Boy's menu pushes the game to its limits. So why is this important, you may ask?
Because even though they added a hard limit to the amount of alchemy slots to 8 each, they did not limit the amount of projectiles that can be on screen:
  • Projectiles are only loosely linked to the projectile alchemy slots that created them
  • Projectiles are marked as active until the game decides that they aren't being used anymore
    • On the frame the damage number shows up, the projectile is marked as inactive
    • A map transition marks all pending projectiles as inactive
  • This leads to a so-called race condition, which means that, depending on the frame on which you leave a screen, the deactivation happens either before or after
    • Position close to a map exit (projectile count = 0)
    • Cast 8 projectile alchemy spells and walk into the transition (The game clears pending projectiles, projectile count = 8)
    • Upon entering the new map the game is tricked into thinking the projectiles are still on the screen (projectile count = 8)
From now on every new projectile corrupts the memory of the animation alchemy, which crashes the game on every frame it tries to render that memory.
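The bookkeeping failure described above, reduced to a small C model. This is an added example, not code from the game or from the submission: the struct layout (animation slots directly after the projectile slots), the function names and the fill values are assumptions, and the frame-timing side of the race is collapsed into a counter that the transition does not reset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROJ_SLOTS 8
#define ANIM_SLOTS 8
#define ANIM_FILL  0xA5  /* constructed marker for untouched animation slots */

/* Assumed layout: animation slots directly follow the projectile slots. */
struct alchemy_ram {
    uint8_t slot[PROJ_SLOTS + ANIM_SLOTS]; /* 0-7 projectile, 8-15 animation */
    uint8_t active[PROJ_SLOTS];
    int proj_count;                        /* counter the spawn code trusts */
};

/* The transition marks projectiles inactive; only the fixed variant also
   resets the counter, so flags and counter can no longer disagree. */
static void map_transition(struct alchemy_ram *r, int resync) {
    memset(r->active, 0, sizeof r->active);
    if (resync) r->proj_count = 0;
}

/* Returns the slot index written, or -1 if the spawn was refused. */
static int spawn(struct alchemy_ram *r, uint8_t data, int checked) {
    int i = r->proj_count;
    if (checked && i >= PROJ_SLOTS) return -1;    /* bounds check */
    if (i >= PROJ_SLOTS + ANIM_SLOTS) return -1;  /* keep the model in bounds */
    r->slot[i] = data;            /* i == 8 overwrites animation slot 0 */
    if (i < PROJ_SLOTS) r->active[i] = 1;
    r->proj_count++;
    return i;
}

/* The page's sequence: 8 casts, map transition, 9th cast.
   Returns 1 if animation slot 0 was overwritten. */
int ninth_cast_corrupts(int resync, int checked) {
    struct alchemy_ram r;
    memset(&r, 0, sizeof r);
    memset(r.slot + PROJ_SLOTS, ANIM_FILL, ANIM_SLOTS);
    for (int n = 0; n < PROJ_SLOTS; n++) spawn(&r, 0x11, checked);
    map_transition(&r, resync);
    spawn(&r, 0x5A, checked);
    return r.slot[PROJ_SLOTS] != ANIM_FILL;
}

int main(void) {
    printf("original: %d\n", ninth_cast_corrupts(0, 0));
    printf("resync:   %d\n", ninth_cast_corrupts(1, 0));
    printf("checked:  %d\n", ninth_cast_corrupts(0, 1));
    return 0;
}
```

Either change on its own (resetting the counter together with the flags, or bounds-checking the index before the write) keeps the ninth cast out of the animation slots.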

Executing Code (ACE)

As with most ACEs we abuse the fact that a loop in the controller registers can be performed.
Disclaimer: The background information isn't too important. The focus should be on the fact that the projectile makes the game execute the controller register as code, if everything was lined up perfectly!
To access the controller registers various aspects have been abused:
  • The 9th projectile overflows the available memory (And ends up corrupting the memory of the first animation alchemy slot)
    • It's not yet known what influences the pseudo-random values (But getting a specific value of $00xx or $FFxx seems to be roughly 1:600)
    • Jumping directly into $0100 would also work, but the probability for that to happen is way lower (Therefore it's not worth the trouble)
  • Code from the alchemy spells is executed in bank $91
    • No direct access to WRAM values (Which is located in bank $7E)
    • In multiple locations the bank can access the LowRAM, which shadows parts of the WRAM (Only $0000-$1FFF, which excludes e.g. the Boy's name)
    • Overflowing an address within a bank makes it wrap around, which is somewhat important to access the LowRAM (Which is located in $0000-$1FFF)
  • The "default bank" (data bank) is bank $7E, which allows us to access WRAM without "long" commands
  • WAI makes the controller inputs update, while the code is still being executed
    • This is important, because controller inputs may not be changed while they are being updated
    • It's important not to change the general structure of <code><wait><loop>, because after WAI the following byte is still being executed, which has to perform a loop
  • RTS returns from the corrupted script and progresses the game up until the next frame
    • If the game crash is no longer wanted the corrupted memory has to be cleared before
Long story short - The corrupted animation alchemy jumps to a pseudo random address, which can be manipulated by having entities walk around.
The jump happens in three steps, because of the properties of all involved memory addresses, which leads to those memory values during the crash:
| Address | Name | Value | Comment |
|---|---|---|---|
| $7E/3378 | Parts of alchemy Slot #0 | $005A | Points at the Camera Offset |
| $91/005A | Camera Offset (LSB Y, MSB X) | $8100 | Points at the Frame Counter (Offset $8000) |
| $91/0100 | Frame Counter | $4218 | Points at the Controller Registers |
| $91/4218 | Controller Register | $xxxxxxxxxxxxxxxx | The executed code is based on the buttons pressed in the current frame |
After the jump into the controller registers we end up in a state called total control, which we use to write the following, very generic code: (<code><wait><loop>)
  • NOP NOP NOP NOP NOP WAI BRA $F8 ; Synchronize first jump in the controller register
  • LDA $yy $xx NOP NOP WAI BRA $F8 ; Load value $xxyy
  • STA $yy $xx NOP NOP WAI BRA $F8 ; Store value to address $xxyy
  • RTS RTS RTS RTS RTS RTS RTS RTS ; Unfreeze the game
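Why the <code><wait><loop> layout must not change can be checked mechanically. The following is an added example, not part of the original submission: it classifies one 8-byte controller frame and computes where its BRA lands. The function names and the four sample frames are constructed; the opcode values are the standard 65816 encodings, and the base address $4218 comes from the table above.

```c
#include <stdint.h>
#include <stdio.h>

#define JOY_BASE  0x4218u  /* start of the controller registers (page's table) */
#define FRAME_LEN 8        /* $4218-$421F */

/* 65816 opcodes used by the page's frames */
enum { OP_RTS = 0x60, OP_BRA = 0x80, OP_STA_ABS = 0x8D, OP_WAI = 0xCB, OP_NOP = 0xEA };
enum frame_kind { FRAME_BAD, FRAME_LOOP, FRAME_EXIT };

/* BRA takes a signed 8-bit offset relative to the instruction after it. */
uint16_t bra_target(uint16_t bra_addr, uint8_t rel) {
    return (uint16_t)(bra_addr + 2 + (int8_t)rel);
}

/* LOOP: WAI at byte 5, then a BRA that lands back on byte 0.
   EXIT: eight RTS bytes. Anything else leaves the 8-byte window. */
enum frame_kind classify_frame(const uint8_t f[FRAME_LEN]) {
    int rts = 0;
    for (int i = 0; i < FRAME_LEN; i++) rts += (f[i] == OP_RTS);
    if (rts == FRAME_LEN) return FRAME_EXIT;
    if (f[5] != OP_WAI || f[6] != OP_BRA) return FRAME_BAD;
    return bra_target(JOY_BASE + 6, f[7]) == JOY_BASE ? FRAME_LOOP : FRAME_BAD;
}

/* If the frame starts with STA absolute, store the operand $xxyy
   (encoded low byte first) in *addr and return 1. */
int sta_address(const uint8_t f[FRAME_LEN], uint16_t *addr) {
    if (f[0] != OP_STA_ABS) return 0;
    *addr = (uint16_t)(f[1] | (f[2] << 8));
    return 1;
}

/* Constructed sample frames */
static const uint8_t SYNC[8]  = {0xEA,0xEA,0xEA,0xEA,0xEA,0xCB,0x80,0xF8};
static const uint8_t STORE[8] = {0x8D,0x34,0x12,0xEA,0xEA,0xCB,0x80,0xF8};
static const uint8_t SHORT[8] = {0xEA,0xEA,0xEA,0xEA,0xEA,0xCB,0x80,0xF6};
static const uint8_t LEAVE[8] = {0x60,0x60,0x60,0x60,0x60,0x60,0x60,0x60};

int main(void) {
    uint16_t a = 0;
    printf("BRA $F8 at $421E -> $%04X\n", bra_target(JOY_BASE + 6, 0xF8));
    printf("sync=%d store=%d short=%d leave=%d\n", classify_frame(SYNC),
           classify_frame(STORE), classify_frame(SHORT), classify_frame(LEAVE));
    if (sta_address(STORE, &a)) printf("STA writes to $%04X\n", a);
    return 0;
}
```

The BRA sits at $421E, so its offset is taken from $4220; $F8 is -8, which is exactly the start of the register block, while the constructed $F6 frame would land at $4216, outside the controller registers.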

The Boys Tale

Arc I: Save+Reset

Unlike all previous runs of this game, our first goal is to reset the frame counter as fast as possible. By not skipping the Raptor Fight event we end up in the first of two dialogs, where we kindly accept the offer to save the game.
Timesaves:
  • Avoiding unnecessary screen transitions, because they stop the frame counter from incrementing for a brief moment
  • Losing the Raptor Fight instantly by entering the screen with 0 HP
  • Resetting the frame counter isn't part of the upcoming setup, but reduces the waiting time from ~23 to ~2 minutes

Arc II: Setup

Because there is no known intro skip, most of this segment is dedicated to waiting for the frame count to contain a specific value. (See "The Dogs Tale") The time can be used to set up the ACE, though. Our second and last dialog rewards us with the Hard Ball formula, which is also the reason why we have to gather ingredients for 9 casts on the way.
The setup:
  • Glitching 8 projectiles to stay in memory indefinitely (Projectile count = 8)
  • Positioning the camera in a specific area ($91/005A = $8100)
  • Waiting for the frame counter to reach a certain frame ($91/0100 = $4218)

Arc III: ACE

Aligning all the previously set up memory values with an RNG-manipulated crash in the same frame makes the game execute code from the controller inputs.
What happens while the game appears to be frozen:
  • Casting the 9th Hard Ball makes the game glitch out on every frame the game tries to render it ($7E/3378 = $005A, projectile count = 9)
  • Button presses are now treated as code, which can be used similarly to the concept of a Game Genie:
    • Set all story progress flags to true (Takes 3 frames)
    • Remove the 9th projectile from the memory (Takes 14 frames, projectile count = 8)
    • Warp into the trigger that takes us back to the previous area (Takes 2 frames)
    • Return to the game (Takes 1 frame)
Walking into the Sandpit area with the glitched story progress flags now makes the game play the credits in a rather odd order. But at some point the game reaches the "The End" screen, which concludes the run.

The Dogs Tale

Disclaimer: This part does not affect the ACE whatsoever! It just acts as a segue while waiting for a specific frame between Arc II and III!
Hear me out on this. This is the story of an unnamed hero, often referred to as "The Dog".
The game actively prevents our true hero from being used as the main character, by not letting him interact with many objects and events.
Due to the fact that every input can be buffered it's possible to circumvent those restrictions:
  • Skipping triggers
    • Inactive characters do not interact with triggers and can walk right through them
    • L and R can be used to let the dog sniff, which makes him walk towards gourds
    • Pressing a directional button the frame before you switch characters makes the AI "leash" in that direction
    • B makes the dog leap during an attack, which has the same properties as leashing
    • Standing pixel-perfectly in between triggers to prevent activating them (E.g. sandpits)
  • Looting gourds
    • Interact with B
    • Perform a frame perfect character switch
    • Wait for the Boy's looting animation to finish (First frame with text)
    • Switch back to the Dog
  • Talking to people
    • Same as looting
  • Casting alchemy
    • X opens the Boy's ring menu, which can be freely accessed for "multi casts"
  • Looting "incorrect" amounts of ingredients
    • Interact with B as the dog (Which "progresses" the loot table and increases the amount you loot, because it's based on the order)
    • Loot it again as usual
A lot of small tricks have been performed that can be considered "normal" for the Boy, but impossible for the Dog. The most important part being the skip of the Jaguar Ring, which was supposed to be mandatory for the Sandpits area.
Additionally the gameplay has been slowed down as inconspicuously as possible:
  • Dodging enemy attacks triggers an animation, which slows the character down
  • For the final ingredient (the 9th clay) the gourd that was the furthest away was chosen
…OK, OK, I'll admit that this is not a good idea… But it's technically possible and could be called "dog%"!
Anyway, this excursion takes roughly 1 minute, doesn't waste any valuable frames, but fills the waiting time quite nicely.

Thanks!

  • Black_Sliver, p4plus2, as well as the TASBot and TASvideos discord for the technical guidance
  • itsCliqz, MetaSigma, Solarcell007, TheAngryPanda, ZockerStu for helping me understand the game
  • And basically the whole Evermore discord for all the streams and being awesome!
Last Edited by adelikat on 11/2/2023 2:24 PM