Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
AnS wrote:
Aglar wrote:
If someone with more knowledge than me in this area could analyse the input file we might be getting somewhere.
Can you record it for FCEUX (preferably the 2.1.6, but 2.1.4a should sync too)? The FCEU-RR doesn't have sufficient debugging tools.
Tried for 10 minutes, thought I wouldn't be able to replicate it, but eventually it happened again. Now find out why. :) It happens at frame 11632.
feos wrote:
Only Aglar can improve this now.
Personman
Other
Joined: 4/20/2008
Posts: 465
I have absolutely nothing constructive to add to this discussion, but I am nevertheless compelled to post about how amazing this glitch is and how much I hope someone figures out what's going on and (maybe?) finds a way to abuse it in a run.
A warb degombs the brangy. Your gitch zanks and leils the warb.
AnS
Emulator Coder, Experienced player (728)
Joined: 2/23/2006
Posts: 682
Sweet, a memory corrupton glitch. The "Autobomb" enemy is very buggy, in both PRG0 and PRG1 versions. I wonder why no one noticed it before. Every time it shoots a fireball, it corrupts some byte of zero page!
$AE36:A6 00     LDX $0000 = #$05
$AE38:A9 27     LDA #$27
$AE3A:20 04 90  JSR $9004
$AE3D:A6 00     LDX $0000 = #$97
$AE3F:D6 33     DEC $33,X @ $00CA = #$00
$AE41:D6 33     DEC $33,X @ $00CA = #$FF
The same code translated to Symbolic debugging:
$AE36:		LDX Temp
$AE38:		LDA HORIZONTAL_FIREBALL_ID
$AE3A:		JSR ShootObject
$AE3D:		LDX Temp
$AE3F:		DEC Ypos[Temp]
$AE41:		DEC Ypos[Temp]
The code is typical for many NES and SNES games. The "Temp" variable stores current value of "objects counter" (e.g. if there are 6 objects on screen then the loop should iterate through those values: 0, 1, 2, 3, 4, 5). The iterator (counter) is used to access memory arrays storing objects' properties (X/Y coordinates, direction, ID, timers, etc). Naturally, the value of the counter is supposed to always be within the range [0 - MAX_NUMBER_OF_ENEMIES). In SMB2U the max is 9. But here's what went wrong. The "ShootObject" function uses "Temp" variable for its own purposes (to calculate Y coordinate of the new object, so that it appears right from the cannon nozzle). So after creating the fireball the counter value becomes corrupted, and any following RAM access (using this counter as a reference) will modify someone else's data! In theory the value of counter can be anything from 0 to 0xFF, so those two instructions (DEC Ypos[Temp]) may alter any address in the zero page of RAM (decrease the value by 2). But in practice some values are more likely than others, because of level design. The Autobomb's Y coordinate is usually the same (the enemy moves back and forth horizontally), for example when the enemy is on the high platform its Y = 0x70, thus the counter turns to 0x90, and the code will corrupt address $C3. If the enemy falls to the lower platform, its Y becomes 0x80, and the iterator turns to 0xA0, the code will corrupt address $D3. Same with $E3 and $F3. But all those addresses don't seem to hold any critical data, so this blatant bug was left unnoticed. The real potential of the bug comes from the very small possibility that the Autobomb shoots in the middle of falling from a platform to platform. This death glitch appeared because the Autobomb created a fireball while having Y = 0x77, so the code decreased $CA, which stores the higher byte of vertical scrolling position. Basicaly, it made the player teleport 2 screens down and thus instantly fall into a bottomless pit. That's why no death animation was played. Here's Lua script that helps you monitor the glitch:
Language: lua

function ShowMessage() addr = ((0x33 + memory.readbyteunsigned(0x00)) % 256); textpos = (movie.framecount() % 7); gui.text(1 + textpos, 20 + textpos, "Frame " .. movie.framecount() .. ": corrupting the address 0x" .. string.format("%02X", addr)); end memory.registerexecute(0xAE3D, ShowMessage);
Former player
Joined: 5/4/2005
Posts: 502
Location: Onett, Eagleland
Nice find AnS!
I think.....therefore I am not Barry Burton
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
Great work! Taking into account the range of addresses that can be corrupted and that it's stuck to be decreased by 2, it doesn't seem like this can be used to save time. For a play-around TAS there's quite some potential though:)
AnS wrote:
Basicaly, it made the player teleport 2 screens down and thus instantly fall into a bottomless pit.
It's even more extreme than that, right? That value decreases 2 from 0, meaning that you're actually teleported 254 screens down! Makes sense why the video Svenne posted looks like it does. He simply corrupted one or many addresses related to graphics by having the cannon shoot while falling from one of the lower platforms.
feos wrote:
Only Aglar can improve this now.
Joined: 6/20/2012
Posts: 27
Can't thank you enough! My glitch finally got answers! :D
Editor, Skilled player (1441)
Joined: 3/31/2010
Posts: 2113
That is fascinating. Who knows what could be done using this glitch. ...well, I think it's pretty easy to determine by just looking up what addresses are stored in zero page, but still, this could be awesome.
AnS
Emulator Coder, Experienced player (728)
Joined: 2/23/2006
Posts: 682
Aglar wrote:
AnS wrote:
Basicaly, it made the player teleport 2 screens down and thus instantly fall into a bottomless pit.
It's even more extreme than that, right? That value decreases 2 from 0, meaning that you're actually teleported 254 screens down!
No, wait, since the addresses $CA-CB store the "Camera Y", this value is subtracted from the "Real Y" of an object (to get its onscreen Y). Normally in 4-1 it calculates like this: OnscreenY = RealY - 0. But after the glitch it becomes like this: OnscreenY = RealY - 0xFE * 0x100 = RealY + 0x02 * 0x100. So the onscreen Y of all objects becomes 0x200 pixels more than it should be. And the coordinates are counted top-down.
Aglar wrote:
Makes sense why the video Svenne posted looks like it does. He simply corrupted one or many addresses related to graphics by having the cannon shoot while falling from one of the lower platforms.
Right, probably $FD or something.
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
AnS wrote:
No, wait, since the addresses $CA-CB store the "Camera Y", this value is subtracted from the "Real Y" of an object (to get its onscreen Y). Normally in 4-1 it calculates like this: OnscreenY = RealY - 0. But after the glitch it becomes like this: OnscreenY = RealY - 0xFE * 0x100 = RealY + 0x02 * 0x100. So the onscreen Y of all objects becomes 0x200 pixels more than it should be. And the coordinates are counted top-down.
Ok, I just thought that since the value of $CA-CB increases as you go down a vertical room it would make most sense that the value 0xFE for $CA would mean 254 screens below the top.
feos wrote:
Only Aglar can improve this now.
AnS
Emulator Coder, Experienced player (728)
Joined: 2/23/2006
Posts: 682
Aglar wrote:
Ok, I just thought that since the value of $CA-CB increases as you go down a vertical room it would make most sense that the value 0xFE for $CA would mean 254 screens below the top.
Note that it only increases when the camera is moving down (and at the same time all sprites move up), so it's the opposite to objects' coordinates. When it increases, Toad's onscreen Y decreases and vice versa - when it decreased by 2, Toad's Y increased by 2.
Joined: 6/20/2012
Posts: 27
How am I suppose to do WR attempts when the game decide to troll me, have you seen this before, this would be very useful in a run if one got more knowledge what triggered it: http://twitch.tv/svenne1138/c/1826020
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
Svenne wrote:
How am I suppose to do WR attempts when the game decide to troll me, have you seen this before, this would be very useful in a run if one got more knowledge what triggered it: http://twitch.tv/svenne1138/c/1826020
You entered the door just as the screen started to scroll upwards. In the warpless TAS you can see that glitch being used in the very same level, and 2-3.
feos wrote:
Only Aglar can improve this now.
Joined: 6/20/2012
Posts: 27
Oh ok! I have practiced this level countless times but first time getting this, if one is fast enough, will this be a thing you can get frequently? Also, why does luigi get a key from out of no-where and why didint I start at the door, but untop of the screen.
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
Svenne wrote:
Oh ok! I have practiced this level countless times but first time getting this, if one is fast enough, will this be a thing you can get frequently?
Maybe if you're good enough :). You must open the door at the frame that you land on that floor, otherwise you lose control until the screen is done scrolling.
Svenne wrote:
Also, why does luigi get a key from out of no-where and why didint I start at the door, but untop of the screen.
This would be a question for AnS. My guess would be that you, in the next room, start at the y-position from where you initially opened the door (I'm could very well be wrong).
feos wrote:
Only Aglar can improve this now.
Joined: 3/21/2013
Posts: 12
Anyone have any idea what might have caused the enemy to bounce this way? http://www.twitch.tv/jeffrosledger/c/2051368
MarbleousDave
He/Him
Player (13)
Joined: 9/12/2009
Posts: 1560
There is a ponified hack called Pony Poki Panic, which replaces the characters with those from My Little Pony: Friendship is Magic. Being only a graphics hack, we could make encodes of existing runs using graphics hacks/texture mods. The first being The Legend of Zelda: Ocarina of Time Cel-Shaded texture pack.
Experienced player (702)
Joined: 2/19/2006
Posts: 742
Location: Quincy, MA
http://www.twitch.tv/andrewg1990/c/2306411 Curious how I did this slow throw. I tried to mimic it, and couldn't. I have an idea for a possible improvement if this could be duplicated (or done with any object/enemy).
Super Mario Bros. console speedrunner - Andrew Gardikis
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
andrewg wrote:
http://www.twitch.tv/andrewg1990/c/2306411 Curious how I did this slow throw. I tried to mimic it, and couldn't. I have an idea for a possible improvement if this could be duplicated (or done with any object/enemy).
Nice catch! What's the idea?
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
andrewg wrote:
Curious how I did this slow throw. I tried to mimic it, and couldn't. I have an idea for a possible improvement if this could be duplicated (or done with any object/enemy).
What happens is an instance of the invisible enemy glitch (the one we never found out exactly how it worked). You pick up the veggy and throw it while crouching which makes it hit the invisible shyguy.
feos wrote:
Only Aglar can improve this now.
Experienced player (702)
Joined: 2/19/2006
Posts: 742
Location: Quincy, MA
Hmmm... it didn't seem like it bounced off anything, just moved slowly, but I guess that would make sense for why it did that. I think 4 seconds could maybe be saved because I think you can get to Wart to give you a veggie right away if you get the room a little earlier), and then the next one pops out right when Wart's about to open his mouth (but it doesn't because you're holding the one that popped out a cycle earlier). So in the end one cycle could potentially be saved...but it seems a bit unlikely.
Super Mario Bros. console speedrunner - Andrew Gardikis
cak
Joined: 1/7/2010
Posts: 16
Location: Oregon USA
Regarding 3-2: http://www.youtube.com/watch?v=EcijxfDN7C0 You can see in the beginning of the video that I'm able to jump off the Beezo and over the Panser, but on console the Beezo spawn is consistently different and I have to jump under the Panser's fire, which is difficult. Is there a trick to manipulating the Beezo spawn? Maybe some pre-level controller input? Thanks. edit: I should add that I'm using a Game Genie to start on world 3. I dunno if this affects anything.
speedrunner of SMB2, Metroid, Pitfall II, Blinky Goes Up
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
cak wrote:
Is there a trick to manipulating the Beezo spawn? Maybe some pre-level controller input?
There is, but I don't know how feasible it is in real time. The Beezos spawn according to a global timer that only counts up when you're at places with Beezo swarms (such as in 2-3 and 3-1). Maybe you could wait a little at the end of the swarm in 3-1 (for a certain Beezo to appear as a reference, for instance) and use that to always manage that jump, if it doesn't cost too much time.
feos wrote:
Only Aglar can improve this now.
cak
Joined: 1/7/2010
Posts: 16
Location: Oregon USA
Ok, that makes sense. I'll probably just refine my method of jumping under, since I would lose a Birdo cycle in 3-1.
speedrunner of SMB2, Metroid, Pitfall II, Blinky Goes Up
cak
Joined: 1/7/2010
Posts: 16
Location: Oregon USA
Hmm, I can't figure out how to consistently skip layers of sand through Shyguys in the digging parts. Any ideas? edit: Ok, I figured out that quickly pressing jump before digging the last layer seems to trigger something.
speedrunner of SMB2, Metroid, Pitfall II, Blinky Goes Up
Expert player (3646)
Joined: 11/9/2007
Posts: 375
Location: Varberg, Sweden
cak wrote:
Hmm, I can't figure out how to consistently skip layers of sand through Shyguys in the digging parts. Any ideas? edit: Ok, I figured out that quickly pressing jump before digging the last layer seems to trigger something.
Unfortunately there's no way to make this consistent in real time. In order to land on an enemy right below a layer of sand you must cut through the first 3 pixels of the platform right above, which becomes a subpixel story when falling from one sandblock above. Your y-subpixels can be of 16 different values and in this particular case only the 4 lowest ones (while standing on the block above) make you cut through the below sand block, so there's 25% chance to pull it of - if you don't hold the a-button while falling, otherwise the chance is even smaller.
feos wrote:
Only Aglar can improve this now.