1 2
15 16 17
20 21
Active player (252)
Joined: 1/26/2014
Posts: 14
I can't say I really understand this SMS glitch, but from what it sounds like and if Saturn works in the same way, you might already have enough to do the glitch. All it takes is a single missing/incorrect value in the inventory and you can swap overflow. Just figure out what value is missing (X). Then, assuming you have quantity 0 of item X, you just acquire it (by buying it, picking it up, or unequipping it). Then it should swap whatever the value is in the first empty spot with the first value of X it finds, which would be past the inventory. Preferably, X would be a low value (a value between 1-89) and the first empty spot would be a high value (above 89). Then you should get a glitch armor in your inventory, at which time you basically have complete, if slow, control over the weapon values in the inventory.
Banned User
Joined: 1/26/2014
Posts: 49
Location: United States
Patashu wrote:
Wow, very cool looking glitch! Perhaps you should try using a memory editor in saturn emulator to artificially make SOS possible to do, to see if it works the same as in PS1, and also look and see what stats and pointers are immediately after the inventory in saturn (for instance, is there an equivalent to the music pointer? I imagine the music works differently, but how much differently?) and if you can do anything cool with it, that should make you more motivated to find a way to set up SOS ;)
sockfolder wrote:
I can't say I really understand this SMS glitch, but from what it sounds like and if Saturn works in the same way, you might already have enough to do the glitch. All it takes is a single missing/incorrect value in the inventory and you can swap overflow. Just figure out what value is missing (X). Then, assuming you have quantity 0 of item X, you just acquire it (by buying it, picking it up, or unequipping it). Then it should swap whatever the value is in the first empty spot with the first value of X it finds, which would be past the inventory. Preferably, X would be a low value (a value between 1-89) and the first empty spot would be a high value (above 89). Then you should get a glitch armor in your inventory, at which time you basically have complete, if slow, control over the weapon values in the inventory.
Yeah, I have been thinking all these things too... I would have started testing them, but I figured once you perfected SOS/Total Control on PSX, and if you were not burned out after it sockfolder, you would possibly move on to Saturn once you knew about the SMS glitch and also since you founded Total Control on PSX and are way better at coding then me, it would take you less time to try and repeat it on Saturn... but I know there is still quite a lot of work on PSX Total Control to be done before it is perfected, so I feel no rush on me or on you if you want to help with Total Control on Saturn in the future... and when it comes to the SMS glitch, it is quite complicated if you are not familiar with Saturn, so here is a summary with the videos from the beginning if anyone is interested... The Glitch started when veterans from Castlevania MSN and World Beyond Walls were making a glitch to completely white out both maps... http://www.youtube.com/watch?v=xNbLDiGFlD4 At the end of the video you see that they discovered a area off of the map that they called Matrix Room/Area, which increases your Rooms Number/Game Percentage by its self when in the area. This led to me wanting to know what the max game percentage on Saturn could be. So on one of my laptops, I opened the SSF emulator and let Alucard sit in a Matrix Area for almost 1 month real time, only shutting off the laptop every couple of days so it would not over heat... so the Max Game percentage on Saturn ended up being 4,559,413.2 % Then we discovered that 1 shift before the game crashes, if you exit the Anti-Chapel you are able to free fall into hidden memory areas that glitches and increases some of your stats and weapons, and can also teleport you to Richter's Castle... we called this Super Infinite Glitch/Matrix Stats Glitch. http://www.youtube.com/watch?v=puC_6Rv5xbw Soon after this we discovered that there were even more hidden memory areas, so we found a way to moon walk with the glitch and leave the screen to reach the areas. These new memory areas caused are stats to glitch even more and also caused equipment in are inventory to become misplaced, we called this new discovery SMS... and we still have not even found all the hidden memory areas yet. these are the 2 videos I already posted. http://www.youtube.com/watch?v=nfBPC9EPivE http://www.youtube.com/watch?v=aSA6zFlPrlg So if after PSX Total Control is perfected, you sockfolder/Patashu or anybody else that is good with coding would like to help with it on Saturn, I have all the save files/save states so we don't have to start the glitch from the beginning... we can just pick up where us from Castlevania MSN left off ;)
Active player (252)
Joined: 1/26/2014
Posts: 14
I spent a while looking for new vectors for total control, i.e. new values for the music pointer (which I will call MP). The key pattern I use is that if the last nibble of the int at MP+0x90 is 8, then the first byte of the int at MP+0x28 is set to 0x01 and the aforementioned nibble is set to 0. Then you can modify code either by changing the 8 to a 0 (Type A), or by changing a byte to 0x01 (Type B). The goal is to change the code so that it jumps to a controllable area. The two ways I consider doing this are: 1) Create a jump to register instructions. 2) Corrupt the stack so that the jr r31 instruction goes to somewhere good. You can do this by messing up the instructions modifying r29 (the stack pointer), or by messing up the instructions storing or loading r31 into/from the stack. SotN code is quite large, so I couldn't check very much by hand. However, I went and took the open source emulator PCSX-Reloaded and changed the emulator so it would test those types of corrupts as it ran. So, now I have a lot of possible vectors, but sadly and surprisingly, I didn't find any that would that good. Key criteria are that all bytes in the music pointer are 1-169 (easiest to set values), easy to trigger code, minimal "fixing" of whatever was corrupted, and jumping to a good location. I will list some methods. I will refer only to the line of code modified, not to the music pointer itself. Original Method: Type B change at 0x800F52D8, making a jalr r8, r16. Jumps to 0x80097C1C, requiring setting resists using glitch armor items from Elixir and Item 155. This makes an instruction jumping past the music pointer (which is dangerous to change). Then you have to use Swap Overflow to modify the next nonzero int, and make it an instruction to jump to your inventory. You also have to fix r16. New Methods: 1) Type B change at 0x800E446C, making a jr. Jumps to 0x80097BA8, where stats are located. Then you'd have to set your gold to a value so that it makes an instruction to jump to the inventory. This is easy to make, but sadly has the large flaw this code is triggered halfway through a loading zone, which makes it hard to use. Possibly the best though. 2) Type A change at 0x8010E1D4, causing a stack corruption. Jumps to 0x80097410. This area includes flags for what enemies are killed (could be used for an instruction) and the input, which can also be used to jump into the inventory. Triggered on level up and heart refreshes (only once). You can't use any potions or spells or it will cause an invalid jump. This MP also fails the 1-168 criteria. TAS might able to use the adjustable input to some effect though... 3) Type B change to 0x800F8920, causing stack corruption. Jumps to 0x80097BD4 (so gold used as instruction). Activates when opening the sort menu. Fails the 1-168 criteria BARELY. Very sad about this. There are quite a few others, but those are probably the best or at least equal to others. It would be helpful to find more controllable memory regions from which it is possible to jump to inventory. There were also a few others that were inconsistent or something. I still have some hope of finding a method that is clearly the best.
Banned User
Joined: 1/26/2014
Posts: 49
Location: United States
Mmmmmm? very interesting... Will you be doing any more streaming on twitch.tv, I know me and all the others love watching your progress. Oh, and if you didn't know, me and Kainblox post all your progress on Castlevania MSN for others to see http://castlevania.msnboard.net/t589-item-fabrication-swap-overflow-shenanigans-elaboration
Active player (252)
Joined: 1/26/2014
Posts: 14
I finally found a total control vector I'm pretty happy with. I found some more controllable manipulations of the music pointer. Namely, if the 'control nibble' is 2,8, or A, the 'modified byte' is set to 0x00, 0x01, or 0x01 respectively. Using this, I found the following Muramasa based total control. Type B change at 0x80016F68 (Music Pointer = 0x80016F40). This is triggered when Muramasa is equipped or highlighted in your inventory. It jumps to 0x80097BE8, shortly before your gold amount. Unfortunately, gold itself cannot have the most significant byte set to something != 0 due to the 999999 cap, and that byte controls the op code of the instruction. But, after some experimentation, I found if you set the Music Pointer to 0x80097BA8 and restart the music, the gold gets set to 0x01E00000 and all the values around it are valid instructions. So with that, you can buy some stuff and Swap Overflow over the 0x01 to make a branch to jump to your inventory. One nice thing about this glitch is that r31 has the correct return value. So, if there is a function that starts the credits, we could probably just jump to it to end the game, and everything should behave well (no stack overflows or infinite loops). I was planning on streaming when everything was more solid, but I guess I can start showing the final steps of getting this to work.
Joined: 10/30/2011
Posts: 146
Location: Auckland, New Zealand
My mind is completely blown by the beauty of your work on this, that coming from a computer science undergraduate.
Active player (252)
Joined: 1/26/2014
Posts: 14
SotN is such an unlucky game. First of all, it shouldn't be so difficult to jump to your inventory considering all the code in the game and the power of the music pointer corruption. But okay, so I did the previously mentioned technique to set my gold amount. As a side effect, it turned armors to 0x7f007f. When you select the armor slot, it 'corrects' to 0x7f which happens to be one of the glitch armors that crash. Unlucky. But you are okay if you never select them, except that for some reason, going into the buy menu of the shop will 'correct' them and cause you to crash when you go to equip something again. Unlucky. Sadly, since the gold amount is 0x01E00000, the only way to get the last 4 byte not to be 0 is to buy stuff. You can use SoS% though to try to store over the 0x7F items in advance though so you don't crash. Except, 0x7F is a 2 Handed Greatsword, and apparently 2 handed weapons "absorb" their own swap value, so you can't write any memory locations beyond the weapon slot. If 0x7F was any single handed item, this would be possible. Unlucky. So long story short, the method mentioned in my previous post doesn't work. There might possibly be a modification if someone can figure out the Music Pointer better, but it seems a little complex.
Active player (252)
Joined: 1/26/2014
Posts: 14
I did find a way to get the gold strategy to work. If you set the music pointer to 0xA8660 and restart it, it will overwrite the data read for the stats of the glitch armor. In particular, it overwrites the pointer used for the name of the armor and thereby avoids the crash. However, I did find if the control nibble has bit 1 set (and not bit 4), it often starts timers in certain locations. I used this to find another way to get total control with the timer. If you set the Music Pointer to 0x800F6090, then the code at 0x800F60FC will change over time. After 23-23.5 seconds, it forms a jalr r20,r27 instruction. This code is run when you open the relic menu, and r20 is set to the relic spot the cursor is at in that menu, which is located right before your inventory. You can run code either using item quantities (harder), or just using where stuff is in your inventory. I used this to run the credits. The basic idea is you need to call function 0x800E4124 with parameter 9 (in r4). This runs an 'ending' cutscene. Then you need to set 0x800978B4 to either 3 (best ending) or 5 (normal ending). By moving my inventory around, I create the code: 0x26826012 addiu r2, r20, 0x6012 0x84245812 lh r4,0x5812(r1) 0x08039049 j 0x000e4124 0xA0599F2E sb r25, -0x60d2(r2) With the cursor 2 slots above the fairy card, this will write 3 for best ending and call the credits. The real time record with this trick is 13:37 (also first real time completion), with substantial improvements possible. http://www.twitch.tv/sockfolder/c/3801775 To be honest, I'm not sure this approach is best for TAS because of the super fast menuing possible there and the 23 second wait. There might be a better approach, maybe such as setting music pointer to 0x801B4FA0, which should jump to 0x80097C14 (right below inventory) when going into the shop buy menu.
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
tried making a test run for credits warp TAS to see what sort of time a finished product might get, but even just doing everything as close to exactly similar to sock's finished real-time test of the route still results in crashes no matter what i do. just optimizing everything from the save corruption onwards is probably going to be at least as obnoxious for me as making the entirety of the normal TAS, considering I didn't come into TASing this game expecting to have to understand ASM to have a grasp of how some speed trick works. I'll keep at it for now, but this is seriously a pain.
Joined: 10/30/2011
Posts: 146
Location: Auckland, New Zealand
This time is really appropriate for the level of awesomeness that you presented us
Patashu
He/Him
Joined: 10/2/2005
Posts: 4046
ForgoneMoose wrote:
tried making a test run for credits warp TAS to see what sort of time a finished product might get, but even just doing everything as close to exactly similar to sock's finished real-time test of the route still results in crashes no matter what i do. just optimizing everything from the save corruption onwards is probably going to be at least as obnoxious for me as making the entirety of the normal TAS, considering I didn't come into TASing this game expecting to have to understand ASM to have a grasp of how some speed trick works. I'll keep at it for now, but this is seriously a pain.
I suggest you watch sockfolder's after-run explanation on how SoS and the setup works: http://www.twitch.tv/sockfolder/b/506995128?t=2h19m20s In particular, he goes over an important thing that will randomly make the setup not work - If the minutes, seconds or the frames of the timer has exactly the same byte value as the ID's byte value of the weapon you're dropping (and trying to swap it with something deeper in memory, in this case the music pointer), then the timer will 'grab' the item and the setup is ruined. He has a hex editor open while doing the setup, so make sure that your hex is behaving the same as his as he does the setup. In addition, the real time you wait after fully corrupting the music pointer is significant, since a certain instruction needs to be mutated into a 'correct' new instruction. (And don't feel obliged to do this, of course :) ) EDIT: Romscout can't get it either. So sockfolder needs to elaborate on what we're missing as mere mortals.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
https://www.youtube.com/watch?v=e8DsHZMbavo Test run for the save corruption route. Very sloppy once it hits library, not sure if an extra big toss is worth it or not. Sub 10 minutes is almost certainly possible.
Active player (316)
Joined: 2/28/2006
Posts: 2275
Location: Milky Way -> Earth -> Brazil
The main problem here is that dumb twitch thing... who the hell can sit and watch hours of nothing going on? Couldn't he write a simple guide? (I'm sure he has notes he follows during his recordings)
"Genuine self-esteem, however, consists not of causeless feelings, but of certain knowledge about yourself. It rests on the conviction that you — by your choices, effort and actions — have made yourself into the kind of person able to deal with reality. It is the conviction — based on the evidence of your own volitional functioning — that you are fundamentally able to succeed in life and, therefore, are deserving of that success." - Onkar Ghate
Bisqwit wrote:
Drama, too long, didn't read, lol.
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
pirate_sephiroth wrote:
The main problem here is that dumb twitch thing... who the hell can sit and watch hours of nothing going on? Couldn't he write a simple guide? (I'm sure he has notes he follows during his recordings)
That was definitely a big problem I had working with him. He has highlight videos that are just concise, to the point flythroughs of specific swap sequences and such but it's still a pain. In the end I just had to ask him for the exact swaps for the TAS for me to optimize. He also gave me a script that points out relevant instructions and lists item ID beside all weapon slots, including blank ones: http://pastebin.com/jPQTxAQk If you or anyone else wants to try improving the TAS already, I'd personally at least wait a while. Apparently, a way to do credits call without the 23 second timer during the last menu access seems possible, and that would be a large improvement as it is.
Active player (252)
Joined: 1/26/2014
Posts: 14
What is it you want to know sephiroth? I've tried to clarify how a lot of it works in this thread. The final payload used in the TAS is the following code: 0x26 0x82 0x61 0x12 addiu r2,r20,0x6112 0x84 0x24 0x58 0x12 lh r4,0x5812(r1) 0xA4 0x40 0x99 0x66 sh r0, -0x669A (r2) 0xA0 0x59 0x9E 0x2E sb r25, -0x61D2 (r2) 0x3C 0x0A 0x80 0x0E * lui r10, 0x800E 0x35 0x4A 0x41 0x42 * ori r10, r10, 0x4142 0x08 0x03 0x90 0x49 jr 0xE4124 0xA1 0x44 0x67 0x92 * sb r4, 0x6792 (r10) The instructions marked with * were added for the TAS since there was extra time and it just messed up some of the palette code for the weird looking Alucard at the end. I separated each byte because each byte corresponds to an item in a slot in the inventory. So a 0x12 for example corresponds to the Basilard item. Coding is simply a process of arranging the items in your inventory to match the above order (each line must be reversed due to Little Endian order though).
Banned User
Joined: 1/26/2014
Posts: 49
Location: United States
Sock, can you make a video using the library card teleport method you used at 06:06:29 of this video http://www.twitch.tv/sockfolder/b/498009259 to get to the Programmers Room? or a simplified method if you can find one. I did some testing with hex editing software to mimic what you were doing in the video, and found a excellent way to get to the Programmers Room with out crashing the game. Link to video
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
Got bored, made this thing: Link to video Pretty cool for an arbitrary category actually. Uses lots of really precise and obscure tricks there's otherwise no use for, and the wolf charge actually sees the light of day for more than 5 seconds for once. Also marks the first use of screen pause deletion in a serious setting. For reference, the WR, as far as I know, is over 45 minutes long, as seen here: http://www.twitch.tv/kayinnasaki/c/3157394
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
Epic. I really like the boomerang show.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4046
ForgoneMoose wrote:
Got bored, made this thing: Link to video Pretty cool for an arbitrary category actually. Uses lots of really precise and obscure tricks there's otherwise no use for, and the wolf charge actually sees the light of day for more than 5 seconds for once. Also marks the first use of screen pause deletion in a serious setting. For reference, the WR, as far as I know, is over 45 minutes long, as seen here: http://www.twitch.tv/kayinnasaki/c/3157394
Thank you for this excellent guide! I have forwarded it to a friend of mine in Transylvania so he can practice hard to defeat Dracula. I hope this is OK. He wants to begin training to become a Vampire Killer starting tomorrow.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
Patashu wrote:
Thank you for this excellent guide! I have forwarded it to a friend of mine in Transylvania so he can practice hard to defeat Dracula. I hope this is OK. He wants to begin training to become a Vampire Killer starting tomorrow.
He had better get ready before 2035.
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
I was thinking for a while about what sort of new category could fill the "100% completion" role for SotN since it lacks a major sidequest like DoS's soul collection, and I decided that all bosses and relics is the best way to go. I was initially opposed to all bosses, as I didn't think that the bosses were challenging enough to warrant the killing of them being an arbitrary objective, but after talking about it with a number of viewers unfamiliar with SotN speedrunning they said that they felt that a lot of the existing TASes lacked interesting combat. While my initial concern is still obviously a good point, I'm going to do pretty much everything I can to add variety to as many of the bosses as possible, so it's at least interesting to see exactly which way you can lay waste to these things the fastest. Hopefully, skipping the shield rod entirely for the first castle will be viable and I can show off a bunch of different strange weapons. I'm willing to sacrifice time to show off more, within reason. I also made this decision based on the fact that I literally could not think of any good reason to visit some of the areas using just all relics alone. That would mean skipping out on the catacombs, the necromancy laboratory, etc. - I want to show off as much of the game as possible here. Despite the fact that the previous TAS had map completion as a goal, I still believe that I can see about as much of the game, and in less time. I chose against repeating the same goal of map completion for a number of reasons. One, the main glitch that makes it bearable, save corruption, is now in a very grey area what with how it can now be used for ACE, making the whole arbitrary condition thing pointless. Map collection was already a slog that really brought the old TAS down, and without that it would probably be unbearable. Second, even with corruption, like I said, it's boring. Despite all the fun glitches arukAdo did to try and keep it interesting, there was still a lot of backtracking and still a lot of entering rooms for no reason besides getting map, which is never good in my opinion. Overall, it will end up being a somewhat less glitchy run, unfortunately, but it will be much faster paced and have more variety and action, so it balances out in my book. Link to video
Joined: 7/2/2007
Posts: 3960
Looking good so far! I look forward to seeing updates on this run.
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
A less glitchy run actually sounds promising. However, might it be better to make a "all bosses and relics" run on the Saturn version? There are two more bosses(and you can fight Richter/Shaft as well since you are gonna meet Maria at the center of the first castle anyway) and three more relics in the Saturn version.
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
After doing some testing, skipping shield rod entirely is perfectly reasonable. I've been looking into strats for second castle bosses, and it seems like I'm going to need mablung sword for at least a couple of the bosses, though. I've been looking into possible ways to outmatch the alucard shield's damage on galamoth, but youd need things like dual rings of varda and/or STR potion and whatnot as well as a slow ass sword like gurthang or masamune to even break 200 damage per hit, whereas alucard shield does almost 200 damage per hit without ATT boosts, and hits faster. I was considering doing a glitch where you can kill richter and the shaft orb at the same time, but that just gives you the same result as killing just the shaft orb except richters dieing in the background during shaft's one line before the FMV.
Fortranm wrote:
A less glitchy run actually sounds promising. However, might it be better to make a "all bosses and relics" run on the Saturn version? There are two more bosses(and you can fight Richter/Shaft as well since you are gonna meet Maria at the center of the first castle anyway) and three more relics in the Saturn version.
I actually initially started this on the Saturn version. I decided to switch to PSX due to the fact that, one, this version looks and runs better and is in English, and two and more importantly, when I tried a test TAS of the Saturn version, it was a miserable experience. I couldn't even get past a quick run of the prologue; multiple desyncs, and bizhawk crashed multiple times when i tried to play it back, before even getting to the intro text scroll - this isn't even mentioning that I capped at about 19 FPS on the fastest settings I could find, which isn't acceptable to me. Yabause was better, but it still had a number of problems and I don't think I'd want to make a bigger project like this on it either.
Skilled player (1097)
Joined: 9/15/2013
Posts: 116
Got Mino/Wolf fight that I think is as good as I can get it today. Went with simultaneous kill with summon spirit, as the slash dual kill turned out to be slower than killing them normally with crits involved. I was able to get 3 and 3 slashes respectively to kill each of them in my take to test killing them normally, but I had to settle for 4 and 3 in the dual kill; I guess I just got the god RNG the first time around. I'm also happy that I was able to avoid map buffering for the first set of crits, as doing so while the two of them are still being summoned causes this really irritating flickering effect as long as the game is paused. 2 slashes on werewolf might be possible, but manipulating crits is impractical for the first one you attack as the animation of them appearing generates tons of randomness, along with the flickering I mentioned. Combine that with the fact that both slashes would have to be very powerful crits and it just isn't at all practical to go for, especially since you'd still need good RNG for minotaur immediately after as well. 3 slashes on Minotaur probably isn't worth even trying for in the dual kill; this would allow me to use summon spirit after my second to last hit on werewolf instead of after the last, meaning werewolf dies sooner, but this would require not only getting all of the hits on mino to be crits, but very powerful crits. The time it would take to manipulate this can't be worth it in my mind. Anyways, at Library now. Jump > mist > jump kick to the faerie card is the fastest book jump up to Faerie Card that I am aware of, I'm mostly just deciding whether it's better to get the Faerie Scroll in the same go or to get it on the way out. If I get it on the way out, I have to take the long way all around the library, whereas otherwise I'd just get bat, library card, then zip to the bottom of the level and wing smash straight out. A really cool strat involving a strange upward zip to the room above the Librarian was something I tested as well earlier, but it turned out to be impractical as the glitch disables menu access, the nearest method of restoring it being the save point, costing way too much time. I might make a video of what that would have looked like some time.
1 2
15 16 17
20 21