(Link to video)
Recently, a glitch was found that can replace an egg with a null sprite so that you can basically take any sprite with you. I use this glitch to confuse the game with its indexing and jump to controller data to manipulate some data and jump to the credits.

Game objectives

  • Emulator used: lsnes rr1-Δ18
  • Aims for fastest time
  • Abuses programming errors in the game
  • Executes arbitrary code
  • Achieves credits early

Comments

The glitch happens when you grab the egg from the head of a Mouser and let him despawn before he "realized" that you took it from him (without him touching the floor). Then the egg also despawns but you still "have" this egg (the RAM value of the egg counter is still showing that you have this egg) and the sprite slot of that egg is also saved, but opened so that every sprite can take its place. So far so good but the problem that people had was that when they went into the goal ring, the game crashes for 99% of the sprites that were brought. So I took a look at what was going on with the game and found out that it checks every egg you have and indexes it so that every different sprite ID has it's own function (a normal egg just returns from this function). This is probably for the other sprites you can have, for example a key or a big egg and so on. I quickly found out that a Shy Guy will bring the code to $02:608C... and that just happens to be the x position of Yoshi!
So $608C is the low byte, $608D is the high byte, $608E is the y subposition and $608F is some value from 0x04 to 0xFC (probably for calculation stuff)
So I want to jump to controller data, that would be JMP $4218, in hex: 4C 18 42, but I had a better idea that made the run a bit faster: instead of JMP $4218 I would JML $024218, in hex: 5C 18 42 02, because getting my x position to 0x5C instead of 0x4C was faster.
So I will cover changing x position low byte later, but how do I change my x position high byte to 0x18? I don't! The high byte is 0x0E at the end of 2-2 and jumping to $420E wasn't a problem because YI is good at recovering from BRKs (0x00), so I just let the game jump over some of the registers. Changing y subposition to 0x42 wasn't a big problem either, you just have to press B and release B at the correct times, and the last value wasn't a problem, it just was 0x02 (it could have been every value from 0x00 - 0x04).
So now to the x position change. The goal ring is not movable so how do I trigger the goal ring while being at the correct position? I just use another null sprite egg to change the properties of the goal to make it possible to lick it and spit it out. Then it recovers itself so I can trigger it again.
When the code is at controller data, I couldn't just use WAI to get the next input, because IRQ is activated every H-Blank, so it will stop there. Changing the mode of IRQ (so that it only fires at V-Blank) also isn't possible since it changes itself back to the other mode. Deactivating IRQ also isn't an option because NMI is very short and returns while Auto-Joypad Read is enabled (so the controller data is garbage).
The way I did it was just activating DMA controllers to stop the game for a few frames (that is why strange things are going on with the video at the end). That worked wonderful and all I had to do was set Data Bank and Direct Page to zero, setting gamemode ($0118) to 0x1B and jumping to the start of the main game routine (which loads the gamemode and decides what to do/where to jump next) to trigger the credits. The good thing is that normally the main game routine is called at the highest stack value, meaning that the code will never return back to the controller data/egg routine/garbage code.

Stage by stage comments

Intro

Trying to get 14 coins as fast as possible to do the warp glitch to go to 2-2.

2-2

I took the fastest route I could think of while getting 4 eggs for the third/last room. There I had to manipulate sprite slots to do the glitch and win the game.

Other comments

Possible improvements

  • Maybe some tiny frame improvements in room 1 (any% like route)
  • Finding another glitch (infinite tongue glitch?) to reach credits faster

Thanks to

  • Arne for finding this glitch
  • Carl Sagan for the possible improvements
  • YI community for finding every glitch in the Game Resource page

Suggested Screenshots

[dead links removed]

Nach: Once of the most awesome runs of the year, accepting.

TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 14773
Location: 127.0.0.1
z1mb0bw4y
She/Her
Joined: 11/26/2012
Posts: 70
After watching Carl Sagan's stream, I was wondering how long something like this was going to take. Apparently not very... Well done, the glitchy video stuff near the end made it all the better.
Patashu
He/Him
Joined: 10/2/2005
Posts: 3999
My laptop is full of cum. Yes vote
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Editor, Skilled player (1502)
Joined: 7/9/2010
Posts: 1317
Easy yes vote.
Favorite animal: STOCK Gt(ROSA)26Sortm1.1(rtTA,EGFP)Nagy Grm7Tg(SMN2)89Ahmb Smn1tm1Msd Tg(SMN2*delta7)4299Ahmb Tg(tetO-SMN2,-luc)#aAhmb/J YouTube Twitch
TheKDX7
He/Him
Player (113)
Joined: 7/9/2011
Posts: 392
Location: Switzerland
Yes vote! First screenshot is the best
Noxxa
They/Them
Expert player, Moderator (4131)
Joined: 8/14/2009
Posts: 4083
Location: The Netherlands
Great, another game broken to the point it just jumps to the credits routine. Yes vote.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
Patashu
He/Him
Joined: 10/2/2005
Posts: 3999
Mothrayas wrote:
Great, another game broken to the point it just jumps to the credits routine. Yes vote.
The best part is that this is such a well designed game, with almost no glitches in comparison to how messed up Super Mario World 1 was... and all it took was ONE glitch to break it wide open. I'm reminded of Luigi's Mansion King Boo Early.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Experienced player (764)
Joined: 7/14/2007
Posts: 66
Location: Japan
Wow... beautiful abusing, I laughed out. Yes vote
Joined: 7/7/2012
Posts: 16
It's a definite yes vote from me even though I'm very confused and have no clue what happened
Active player (432)
Joined: 4/21/2004
Posts: 3516
Location: Stockholm, Sweden
Amazing run. Easy yes vote :)
Nitrogenesis wrote:
Guys I come from the DidyKnogRacist communite, and you are all wrong, tihs is the run of the mileniun and everyone who says otherwise dosnt know any bater! I found this run vary ease to masturbate too!!!! Don't fuck with me, I know this game so that mean I'm always right!StupedfackincommunityTASVideoz!!!!!!
Arc wrote:
I enjoyed this movie in which hands firmly gripping a shaft lead to balls deep in multiple holes.
natt wrote:
I don't want to get involved in this discussion, but as a point of fact C# is literally the first goddamn thing on that fucking page you linked did you even fucking read it
Cooljay wrote:
Mayor Haggar and Cody are such nice people for the community. Metro City's hospitals reached an all time new record of incoming patients due to their great efforts :P
Experienced player (512)
Joined: 7/23/2011
Posts: 108
Well, at one point I had said, "The eggs, they can do anything!" but this wasn't what I had in mind! :P Very cool masterjun. Do you know if it's possible to do something like this with the infinite tongue glitch? Also sometimes the game crashes when you bring certain sprites, and other times bringing the exact same sprites does not cause a crash. Any idea why this may be? These rats are also in 6-2 and 6-4, but I'm not sure if it would be faster to get to them or if those levels have all the necessary components to set up the glitch. I'm also not sure about the route you took through 2-2, but whatever, great work :)
Joined: 7/2/2007
Posts: 3960
That was awesome. I love these game-breaking glitches; they're always so interesting to read about and to see in action. Nice work!
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
ALAKTORN
He/Him
Player (99)
Joined: 10/19/2009
Posts: 2527
Location: Italy
Carl Sagan wrote:
I'm also not sure about the route you took through 2-2, but whatever, great work :)
what do you think could be changed?
MESHUGGAH
Other
Skilled player (1884)
Joined: 11/14/2009
Posts: 1349
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
You are ridiculously awesome Masterjun! Good job as always! This game was the first one where I disassembled my controller to check the L+R glitch with red coins. Now I need to get my SNES back and try this too. I've played the game long time ago, but isn't there other places where Mousers also spawned and won't touch the floor once despawned? IIRC end of world 6 contains too, but it would be much more longer (collecting the red coins and that level's length). edit: next time I should read the posts (Post #351729) Easy yes vote.
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Editor
Joined: 3/31/2010
Posts: 1466
Location: Not playing Puyo Tetris
YES.
When TAS does Quake 1, SDA will declare war. The Prince doth arrive he doth please.
AnS
Emulator Coder, Experienced player (723)
Joined: 2/23/2006
Posts: 682
Very nice. In the past we were afraid of console crashes, now we see them as opportunities.
Amaraticando
It/Its
Editor, Player (157)
Joined: 1/10/2012
Posts: 673
Location: Brazil
Oh yeah, Yes vote.
Masterjun
He/Him
Site Developer, Skilled player (1968)
Joined: 10/12/2010
Posts: 1179
Location: Germany
Thanks for all the good feedback =D
Carl Sagan wrote:
Do you know if it's possible to do something like this with the infinite tongue glitch?
I have yet to test things out since that is not that easy to tracelog and find out about (basically it's hard to figure out what exactly is going wrong and how to use it right).
Carl Sagan wrote:
Also sometimes the game crashes when you bring certain sprites, and other times bringing the exact same sprites does not cause a crash. Any idea why this may be?
Yes, the game often jumps to complete random addresses (sometimes even RAM) that can be different every time you jump into the goal ring. Also, the game is good at jumping over code with a lot of 00 in it so sometimes it can somehow get back to normal code.
Carl Sagan wrote:
These rats are also in 6-2 and 6-4, but I'm not sure if it would be faster to get to them or if those levels have all the necessary components to set up the glitch.
6-2 is long as hell + the time it needs to get enough coins for warping and 6-4 doesn't have a goal ring.
Carl Sagan wrote:
I'm also not sure about the route you took through 2-2
I used this to make my route, I wonder which route you think is faster...
Warning: Might glitch to credits I will finish this ACE soon as possible (or will I?)
Experienced player (576)
Joined: 2/23/2008
Posts: 266
Location: CA, USA
I wonder just how many games can be glitched like this, it's crazy. Yes vote.
creaothceann
He/Him
Editor
Joined: 4/7/2005
Posts: 1874
Location: Germany
Bobmario511 wrote:
I wonder just how many games can be glitched like this, it's crazy.
Games featuring inventories maybe? Bugs are fun.
Player (12)
Joined: 11/23/2012
Posts: 94
Patashu wrote:
My laptop is full of cum. Yes vote
"Masterjun, why have you hijacked my Yoshi's Island?" "Because I'm a terrorist!" Very entertaining. Easy No vote and 1/10.
Emulator Coder, Skilled player (1140)
Joined: 5/1/2010
Posts: 1217
Tested with modified bsnes core (more accurate emulation of autopolling). Works fine.
Spikestuff
They/Them
Editor, Expert player, Publisher (2254)
Joined: 10/12/2011
Posts: 6324
Location: The land down under.
Yes vote. 2nd Screenshot.
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. These colours are pretty neato, and also these.
PCachu
He/Him
Joined: 10/1/2009
Posts: 166
It's getting so that even a dinosaur can't wander around hereabouts without a rape whistle.
Editor, Player (44)
Joined: 7/11/2010
Posts: 1022
Bobmario511 wrote:
I wonder just how many games can be glitched like this, it's crazy. Yes vote.
Seriously? Probably most of them. The vast majority of released programs end up having exploitable security bugs, at least in their earliest versions. Games are no different, and an exploitable security bug in a game = total control. It's just a matter of trying to find it.