EDIT: The rerecord count should be 40365 according to the lsnes message window when the movie is loaded, but shows up as just 1 for some reason.

Details

  • Emulator used: lsnes rr2-β17
  • Aims for fastest time
  • Manipulates luck
  • Takes damage to save time
  • Abuses programming errors
  • Finishes with suspiciously high item collection percentage
  • Saves the animals?

cpadolf's comments

Recently a set of discoveries in the Super Metroid speedrunning community involving the fabled Space/Time beam led some runners to beat the current any% TAS, obviously something had to be done about that. This new TAS beats the current any% TAS by 23446 frames, or about 6.5 minutes (thereby turning it into a low% run instead of an any% run), and finishes with an ingame time of about 06:15 (although it's displayed as 00:05, more on that later). This substantial improvement comes from using an entirely new route and a new way of finishing the game involving arbitrary code execution, a phenomenon that seems to become more and more common in the TAS community. As an aside, with the timing used for runs in the real time speedrunning community this run is about 12:30.
The point of the route is to get to Gold Torizo as fast as possible and use the so called "GT Code" which instantly gives Samus most of her upgrades and a lot of ammo, enabling the glitching that takes place afterwards. There are basically two routes for doing this, both of which were fully run through and optimized. The first one is to go to Kraid in order to receive the Varia Suit that will take you through norfair and LN without having to collect a bunch of energy tanks. This is the one that was used by Saturn in his GT code run, and is used by the real time speedrunners (minus the hi-jump boots which can be skipped with some tricky kago balling and walljumping during the lava dive before LN). The second one is to skip out on Kraid and instead use the somewhat unknown and never before (to my knowledge) constructively used pause glitch that keeps Samus from dying as long as the game is constantly being paused. The second option turned out to be faster by about 30 seconds despite the game only being able to run for about 1 second per 2 seconds of paused time.
In order to make it all the way to GT with the pause abuse a reserve tank had to be collected as Samus has to have at least 1 energy when riding on an elevator to keep from dying, and to refill on energy before using the PB in the Gold Pirate room in LN as the game can't be paused after a PB has been placed. Because of the time saved by avoiding an extra pause a lot of extra drops were farmed and damage avoided throughout the run in order to minimize the amount of pauses. An interesting side effect of the pause glitch is that the game clock stops running while Samus' health is 0, which makes the ingame clock about 20 seconds lower than it should be by the point that GT is reached, therefore displaying a 00:05 at the end instead of 00:06.
With that I'll leave it over to amaurea and total to get into the more technical stuff of the glitching in the run.

amaurea's comments

Some of the first TASes of Super Metroid made use of a glitched beam combination called the "Murder beam", which was activated by shooting a charged shot to the left with all the beams equipped, even the incompatible Plasma and Spazer beams. That combination results in a sort of area-of-effect damage that keeps damaging nearby enemies forever, and was used in the Mother Brain fight until it was discovered that it was faster to just shoot optimally charged normal beams.
Since then, no glitched beams have been used in TASes here, though two other non-crashing beam combinations were known: The zero range, zero-damage, rapid-fire "chainsaw beam", and the seriously glitched space-time beam (uncharged plasma, spazer and ice), which could bring the bosses back to life, retile the rooms, reset items, or trigger the escape sequence. But despite the known potential of the space-time beam it was not used here, possibly due to it being emulated differently by the previous generation of snes emulators. Its most powerful effects may have been thought to be emulation errors.
This TAS uses not only the space-time beam, but also another beam previously thought to be useless: The charged space-time beam. After performing a trace log while firing the various glitched beam combinations, I found that out of the 8 possible glitched beams, the three known beams (murder, chainsaw and space-time) jumped to ROM data, while the remaining 5 all jump to RAM. That is why the former beams were reliable enough to use, and why the latter beams would always lead to a crash: RAM contents are variable, but rarely contain sequences of bytes that when interpreted as machine code do anything safe. In particular, more than half of all RAM values are 0, which when interpreted as an instruction means BRK, aka "hang forever".
But on the other side, while ROM is unchangeable, the player can to some extent control the content of RAM. Many of the glitched beams jump to interesting RAM locations, but the one used in this TAS (but not the only potentially useful one) is the charged space-time beam, which jumps to RAM location 0x900a0a, where we can find Samus' super missile count, followed by her power bomb count and selected item etc. These are all under the player's control, and have a large enough range that it is possible to perform some interesting operations.
For example, a super missile count of 32 corresponds to the instruction JSR (jump to subroutine), which lets us jump to a location of our choice based on the power bomb count. The most promising targets are the gamepad auto-read registers at location 0x4218 to 0x421f, which contain the current button presses of four gamepads, effectively giving us 8 consecutive bytes which we can freely choose, and which we can update every frame. Reaching these registers would be enough to let us execute arbitrary code, and take total control over the game.
However, both the super missile and power bomb counts are 2-byte variables, and what forms the address to jump to is the second byte of the super missile count and the first byte of the power bomb count. Jumping to 0x4218 using JSR would require 0x18 in the second byte of super missiles, and 0x42 in the first byte of power bombs, for a total of 6176 super missiles and 66 power bombs. Which would take a while to get. So we can't jump there directly. With reasonable ammunition counts, we can hope to jump to addresses 0x0000, 0x0100, 0x0200, 0x0300, ..., 0x3200. That's a lot to choose from, but most of them are hard to influence and contain large stretches of repetitive bytes, such as tile maps etc. But at least two of these are suitable: 0x0400 (OAM data), and 0x0b00 (position and scroll-related variables). The former is what I used in this demonstration video, but it is quite fickle, and requires the right enemies at the right position in the room. The second one I had given up on after almost making it work, because I thought Samus' relative screen position could never get much larger than 256, which would not get me the bytes I needed:
     b00 height            stand=(15,ORA,A),jump=(13,ORA,A),aimdown (0a,bad),crouch=(10,BPL,nop)
     b01 00
     b02 coltype           L=BRK, R=ORA, U=COP, D=ORA, so R or D are OK, though both modify A.
     b03 00
     b04 x_screenrel low   practically any value
     b05 x_screenrel high  nonzero only if Samus is off-screen
     b06 y_screenrel low   typically between 2c and c0
     b07 y_screenrel high
The first 4 bytes here are not useable, but can be made equivalent to harmless operations that bring us to 0x0b04. There we have 4 bytes in a row related to the Samus' screen-relative x and y position. If these could take any value, then we could use this to perform a jump to 0x4218. But when I first investigated this, I thought both these scroll values would be between 0 and 255 (i.e. Samus inside the screen) or at least not values much higher than that. That would make 0x0b05 and 0x0b06 zero, as indicated in the excerpt from my notes above, and would limit us to the same kind of restricted jump that brought us here in the first place.
But total pointed out that I had forgotten out-of-bounds travel (OOB), where it is possible to get almost arbitrarily far outside the screen. That made this method an easy and reliable (to a TASer anyway) method: Position Samus such that her screen-relative position is (x,y) = (0x1182,0x??37), where the ??-part is irrelevant. This corresponds to the machine code
     $90/0B04 82 11 37    BRL $3711
Which finally brings us to the gamepad auto-read registers! At that point we have total control over the game: We could for example set up a jump from the last register to the first one, trapping the game inside this 8-byte register range (this is what I did in my OAM example). But total found a more efficient setup, as he will explain.
See the Super Metroid game resources page for a more detailed analysis of the glitched beams.
Potential improvements: While we investigated the other glitched beams, we were not exhaustive, and they may be usable for gaining control earlier. This includes the standard murder beam, if fired in another direction than left. It might also be possible to gain control without the use of glitched beams at all, by triggering a glitched door transition while out of bounds (for example using the X-ray glitch). I've discussed this with PJBoy, but we didn't find a concrete way of realizing this. To execute larger amounts of arbitrary code, it will be useful to use the manual gamepad registers instead, as the current method only lets us execute about 2-3 instructions per frame.
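The two jumps described in amaurea's comments can be checked at the byte level. The following is an added example, not part of the submission text; it assumes only what the comments state (the 2-byte super missile count at 0x0A0A followed by the 2-byte power bomb count, and the screen-relative x and y words starting at 0x0B04, all little-endian), and the function names are made up for illustration.

```python
import struct

JSR_ABS = 0x20  # 65816 opcode: JSR to a 16-bit absolute address (3 bytes)
BRL = 0x82      # 65816 opcode: BRL, branch with a signed 16-bit offset (3 bytes)


def ammo_bytes(super_missiles, power_bombs):
    """Bytes the CPU fetches from 0x0A0A onward: both counts, little-endian."""
    return struct.pack("<HH", super_missiles, power_bombs)


def jsr_target(super_missiles, power_bombs):
    """Address the ammo counts jump to, or None if the first byte is not JSR."""
    code = ammo_bytes(super_missiles, power_bombs)
    if code[0] != JSR_ABS:
        return None
    # Operand low byte = high byte of the super missile count,
    # operand high byte = low byte of the power bomb count.
    return code[1] | (code[2] << 8)


def ammo_for_direct_jump(target):
    """Smallest (super missiles, power bombs) whose bytes read 'JSR target'."""
    lo, hi = target & 0xFF, target >> 8
    return (lo << 8) | JSR_ABS, hi


def brl_target(pc, x_rel, y_rel):
    """Landing address when the x/y screen-relative words start at pc."""
    code = struct.pack("<HH", x_rel, y_rel)
    if code[0] != BRL:
        return None
    # Operand = x high byte and y low byte, read as a signed 16-bit offset.
    offset = struct.unpack_from("<h", code, 1)[0]
    # The offset counts from the instruction after the 3-byte BRL and
    # wraps inside the current 64 KiB bank.
    return (pc + 3 + offset) & 0xFFFF


if __name__ == "__main__":
    # 32 super missiles + 11 power bombs -> 20 00 0B -> JSR $0B00
    print(hex(jsr_target(32, 11)))
    # Jumping straight to the auto-read registers needs impossible ammo counts
    print(ammo_for_direct_jump(0x4218))
    # (x, y) = (0x1182, 0x??37) -> 82 11 37 -> BRL lands on 0x4218
    print(hex(brl_target(0x0B04, 0x1182, 0x0037)))
```

The BRL operand 0x3711 is added to 0x0B07, the address following the instruction, which is why the quoted position lands exactly on 0x4218.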

total's comments

Now that we've finally managed to direct the game to execute code from controller registers using the methods explained by amaurea we need to make sure that we can stay in control for long enough to change the game state and do any other modifications that might be needed to keep the game from crashing. This can be done as explained earlier by crafting a loop that keeps code execution within the controller registers but in this case there's a slightly more efficient method using the games own programming against it.
So what we can do now is to overwrite the function pointer in memory for the charged space-time beam (the one that right now points to 0x0a0a where our first entry point is) with 0x4218. This has the effect that for the following frames as long as the space-time beam projectile still exists, when the game runs code to update it, it will no longer be using the chain of super missile and power bomb count and positional requirements but instead helpfully enter the controller registers as a subroutine. This gives us plenty of controllable bytes each frame since we only need one byte to return control back to the game.
Below are the final five frames of meaningful input using four controllers and some quick notes on what they do (the 0-3 buttons are extra bits that can be set, but do not represent a button on the controller):
   ...Su...A.L.0..3|....ud...XL.0...|B...ud.r.X....2.|.Ys......XLR0.2. 
   LDA #$4218
   STA $0C68
   PLY
   RTS
As explained above, this is our first chance to run our own code and we'll use it right away to overwrite the function pointer so the game will keep calling into the controller registers no matter our ammo or position. Before returning back to the game we'll also have to clean up the stack so we return back to the right place.
   ..s..dl.A.L.0..3|....u..rA..R0...|B...ud.r........|.........XL..... 
   LDA #$26
   STA $0998
   RTS
This sets 0x0998 in RAM to 0x26 which changes the gamestate and tells the game that we've just finished it, and it will now start a fadeout into the ending.
   B.......A.L.0..3|BY.Su.....L....3|B...udlr........|.Ys......XLR012.
   LDA #$80
   STA $7ED821
   RTS
Since we still have a few frames to work with while the game is fading out, there's some small details we can do while we're waiting for the ending to start. So why not be nice and make sure our animal friends make it out safely.
   BY..udlrA.L.0..3|....u..rAX..0...|B...ud.r...R..2.|.........XL..... 
   LDA #$12CF
   STA $09C8
   RTS
And this increases our missile count to get a nice item completion percent.
   .Y......A..R01..|................|.Ys.........01..|................ 
   STZ $0C40
   RTS
Before returning full control to the game, we delete the charged space-time beam projectile to make sure the game does not try to call into the controller registers again.
It should be noted that instead of overwriting the function for the beam handling code, there are a few other pointers that can be overwritten to keep in control of the game that will persist through door transitions and does not need an active fired beam projectile. It is not used in this case since it would require quite a bit more code to setup and was not needed in this case where we just need to end the game.
As mentioned before this run also uses the uncharged space-time beam a few times. First to exit Golden Torizo's room without fighting him and also resetting the super missile in the room, and finally to create a door transition block that will place us out-of-bounds in the next room which is needed to be able to manipulate the screen-relative position enough to be able to execute code.
The way this works is that when you fire the uncharged space-time beam, the game jumps into the middle of a routine in ROM that does a memory copy into RAM. But since we're entering that routine from the wrong place and with non-intended values in the X and Y registers, this routine will copy a whole lot more data than it is supposed to. It will end up overwriting data for events, items collected, bosses defeated and so on which is what makes it possible to collect the same super missile pack three times. An even more destructive thing happens as well though, it will also overwrite room data with "garbage" blocks where some of these will be valid door transition blocks. We abuse this by using these to first escape GT's room and fight, and last to quickly get out-of-bounds in the room left of GT's room where we can finally get into position to fire the charged space-time beam and ending the game.
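The five input rows listed in total's comments can be decoded back into the bytes the CPU reads at 0x4218 to 0x421F. This is an added example, not the authors' tooling; the button order `BYsSudlrAXLR0123` and the column-to-register order (columns 1, 3, 2, 4 filling 0x4218, 0x421A, 0x421C, 0x421E) are assumptions inferred from matching the rows against the instructions quoted beside them, and the opcode table covers only the instructions that appear in that listing, with a 16-bit accumulator assumed.

```python
import struct

# Assumed column order of one controller in the input rows; leftmost = bit 15.
BUTTONS = "BYsSudlrAXLR0123"

# Assumed byte offset from 0x4218 for input columns 1..4 (inferred, see lead-in).
COLUMN_OFFSETS = (0, 4, 2, 6)

# The five rows quoted in the submission text, copied verbatim.
FRAMES = [
    "...Su...A.L.0..3|....ud...XL.0...|B...ud.r.X....2.|.Ys......XLR0.2.",
    "..s..dl.A.L.0..3|....u..rA..R0...|B...ud.r........|.........XL.....",
    "B.......A.L.0..3|BY.Su.....L....3|B...udlr........|.Ys......XLR012.",
    "BY..udlrA.L.0..3|....u..rAX..0...|B...ud.r...R..2.|.........XL.....",
    ".Y......A..R01..|................|.Ys.........01..|................",
]

# opcode -> (mnemonic prefix, operand bytes); only opcodes used in the listing.
OPCODES = {
    0xA9: ("LDA #$", 2),  # immediate, 16-bit accumulator assumed
    0x8D: ("STA $", 2),   # absolute
    0x8F: ("STA $", 3),   # absolute long
    0x9C: ("STZ $", 2),   # absolute
    0x7A: ("PLY", 0),
    0x60: ("RTS", 0),
}


def pad_word(column):
    """16-bit register value for one controller column of an input row."""
    if len(column) != len(BUTTONS):
        raise ValueError(f"expected {len(BUTTONS)} characters, got {column!r}")
    word = 0
    for index, char in enumerate(column):
        if char != ".":
            if char != BUTTONS[index]:
                raise ValueError(f"unexpected {char!r} at position {index}")
            word |= 1 << (15 - index)
    return word


def register_bytes(row):
    """The 8 bytes at 0x4218..0x421F produced by one input row."""
    columns = row.strip().split("|")
    if len(columns) != len(COLUMN_OFFSETS):
        raise ValueError("expected four controller columns")
    memory = bytearray(8)
    for column, offset in zip(columns, COLUMN_OFFSETS):
        struct.pack_into("<H", memory, offset, pad_word(column))
    return bytes(memory)


def disassemble(memory):
    """Decode from offset 0 until RTS; unknown opcodes raise ValueError."""
    listing, pc = [], 0
    while pc < len(memory):
        opcode = memory[pc]
        if opcode not in OPCODES:
            raise ValueError(f"opcode {opcode:02X} is not in the table")
        name, size = OPCODES[opcode]
        operand = int.from_bytes(memory[pc + 1:pc + 1 + size], "little")
        listing.append(name + (f"{operand:0{2 * size}X}" if size else ""))
        pc += 1 + size
        if opcode == 0x60:  # RTS hands control back to the game
            break
    return listing


if __name__ == "__main__":
    for row in FRAMES:
        data = register_bytes(row)
        print(data.hex(" "), "->", "; ".join(disassemble(data)))
```

Rows two and four leave the final register byte at zero; it follows the RTS and is never executed.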

Thanks to

Big thanks to all of the Super Metroid speedrunning community for their recent efforts in glitching the game, as well as all the people actively contributing to the TASvideos forum thread. Special thanks to hero of the day for suggesting the use of the pause glitch to skip going to kraid.

Noxxa: Judging.
Noxxa: This is a quite unique run. It uses a debug code to aid in reaching its end goal faster, which is arbitrary code execution. We have had varying precedents on runs using cheat codes that were accepted, and that were rejected. These cases all differ in multiple fields, including whether the debug code or cheat code is conventionally accessible in gameplay, whether they are intentionally put in the game for the player to use, and how much of an impact they have on gameplay. But in the end, this just turns out to be an entirely unique case. This is because the run does not just clear the game like a normal playthrough - it takes over control of the game code to trigger the ending.
The movie rules contain a rule against cheat codes, so if the rules are to be followed, this run would be rejected. However, we need to look at the spirit of the rule here. Normally, cheat codes are used to make gameplay easier - make it simpler to finish the game. However, in this case, the run is not ordinarily "finishing the game". It does not actually make "gameplay" easier, because what it actually affects here can barely be called "gameplay". In odd instances such as these, where the game is not being conventionally played or finished, we can make an exception to this rule.
So putting aside the use of the debug code, we are met with a nice, entertaining and well-received run which finishes the game fast. Accepting for Moons. This run will not obsolete any previous run - the current any% ("X-Ray glitch") seems to hold enough merit on its own to keep publication, as it is a more "true" run which completes the game without arbitrary code execution or use of debug codes.
Ilari: Processing.


TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15628
Location: 127.0.0.1
This topic is for the purpose of discussing #4224: amaurea, Cpadolf & total's SNES Super Metroid in 14:52.88
Joined: 1/17/2008
Posts: 133
... wow.
Player (26)
Joined: 8/29/2011
Posts: 1206
Location: Amsterdam
Player (89)
Joined: 11/14/2005
Posts: 1058
Location: United States
Great job guys!! It is cool to see the game pushed to its theoretical limit. It will be interesting to see how this one gets judged, and whether it replaces the old x-ray glitch run. Yes vote here. Kudos for saving the animals too!
They're off to find the hero of the day...
Joined: 7/2/2007
Posts: 3960
Didn't complete the game in a negative amount of time, no vote. Seriously though, this is fascinating stuff, great work! I don't even care about the use of a debug code (the GT code) because it's been put to such neat use.
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Yes vote. Edit:
thereby turning it into a low% run instead of an any% run
Hey, a low%, 100% 999% run simultaneously! :D
Joined: 6/4/2009
Posts: 893
so... will there be a new 999% branch ? wow yes vote
Skilled player (1444)
Joined: 7/15/2007
Posts: 1468
Location: Sweden
hero of the day wrote:
Great job guys!! It is cool to see the game pushed to its theoretical limit. It will be interesting to see how this one gets judged, and whether it replaces the old x-ray glitch run. Yes vote here. Kudos for saving the animals too!
Well it certainly obsoletes the x-ray run as an any% run, but I think the X-ray run could be kept because it's still the true low% run for Super Metroid. And it should probably be prioritized over the two 14% runs if it's a question of too many categories, don't know how TASvideos policy about that looks nowadays though.
Agare Bagare Kopparslagare
mklip2001
He/Him
Editor
Joined: 6/23/2009
Posts: 2227
Location: Georgia, USA
I haven't seen this run yet (it sounds awesome), but I'm a little concerned about the use of the GT Code. Part of the reason Saturn's GT-code run wasn't published is because it was considered a debug feature or cheat code rather than a proper glitch. I can see why the code is unavoidable here, but I'd be curious to see how we can justify its use. My thinking was that the latest Earthbound runs have finished the game quickly by triggering debug menus, so that's set a precedent for allowing those kinds of exploits.
Used to be a frequent submissions commenter. My new computer has had some issues running emulators, so I've been here more sporadically. Still haven't gotten around to actually TASing yet... I was going to improve Kid Dracula for GB. It seems I was beaten to it, though, with a recent awesome run by Hetfield90 and StarvinStruthers. (http://tasvideos.org/2928M.html.) Thanks to goofydylan8 for running Gargoyle's Quest 2 because I mentioned the game! (http://tasvideos.org/2001M.html) Thanks to feos and MESHUGGAH for taking up runs of Duck Tales 2 because of my old signature! Thanks also to Samsara for finishing a Treasure Master run. From the submission comments:
Shoutouts and thanks to mklip2001 for arguably being the nicest and most supportive person on the forums.
Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
mklip2001 wrote:
My thinking was that the latest Earthbound runs have finished the game quickly by triggering debug menus, so that's set a precedent for allowing those kinds of exploits.
Also, this was more entertaining than the GT code since the code is like only used at the very end of the movie; the majority of it still contains TAS-like gameplay. Oh, and Cpadolf, do we even have a low% run? :o
Noxxa
They/Them
Moderator, Expert player (4128)
Joined: 8/14/2009
Posts: 4090
Location: The Netherlands
The way I see it, this run is not directly comparable to previous submissions, although there are many with somewhat similar properties. #3023: Saturn's SNES Super Metroid "any%, GT Code" in 32:06.33 - the most obvious parallel: a Super Metroid run that uses the GT code to finish the game fast. Received moderately well by the audience, but was rejected. #3620: FractalFusion's SNES Mega Man X "glitched password, walkathon" in 16:56.88, which uses passwords (although indirectly) for a demonstration run. Mediocre viewer reception, accepted for publication. #1528: Vatchern's NES Mega Man 3 in 06:54.92. Using debug codes to clear a game faster. Bad viewer feedback and rejected. There are probably some more. I might edit in more examples later. In my opinion, the EarthBound runs aren't comparable as those used glitches to access debug features, a much less dubious case than directly accessible debug tools, which are considered cheats. It's a really dubious case. We have both negative and positive precedents here.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
Joined: 2/18/2007
Posts: 63
Location: New York City
Saves the animals?
I don't think there were any survivors...
Editor, Skilled player (1441)
Joined: 3/31/2010
Posts: 2113
If nothing else, I think this movie is more of a proof-of-concept movie to show how you can open a TC vector in Super Metroid, and an incredible one at that. Sure, you could collect the necessary items legitimately using a normal TAS playthrough, but it would take longer while not being very different from other Super Metroid TASes. Instead, this run shows the fastest way to access the GT code and then use it to quickly set up the Space-Time beam. The sheer spectacle of having a completion timer of 5:00, without even messing with it and saving the animals in a TAS (the only TAS to have done so) makes it worth it in my opinion. Therefore, regardless of the legitimacy of the GT code, I'm all for publishing this run as a glorious proof of concept.
Joined: 6/4/2009
Posts: 893
scwizard wrote:
Saves the animals?
I don't think there were any survivors...
dude, they donated for... as for the category i was worried about the use of the GT code, this submission reminds me of the spiderman run that used a code and glitched it to trigger the ending, that submission got rejected/canceled/ deleted ? (can't find it) but the code here is used to speed things up ( the glitch is not triggered by the code) so i guess this run is good as a moon run (star run since it's Super metroid ?) if this gets published, it should be published as a "execute arbitrary code" as a main goal / branch ( like masterjun's smw total control run ) and triggering the ending just to finish the movie (not fastest execution / any % )
NitroGenesis
He/Him
Editor, Experienced player (556)
Joined: 12/24/2009
Posts: 1873
Radiant wrote:
0 + 0 + 0 = 999
YoungJ1997lol wrote:
Normally i would say Yes, but thennI thought "its not the same hack" so ill stick with meh.
Skilled player (1743)
Joined: 9/17/2009
Posts: 4986
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Being a party pooper again, but... I was super-excited when I saw this submission... until I saw the three dreaded words: "arbitrary code execution". I'm just not in the camp who gets all excited by a game being completed by glitching into running arbitrary code, and then jumping to some arbitrary end routine. I understand perfectly that others are, but it's just not my cup of tea. I just don't like the idea. Kudos for the technical achievement (and I do honestly appreciate the work that went into this, and has overall been put into Super Metroid speedrunning in general), but this kind of completion just isn't for me. (Since I have conflicting views on what the voting should mean, and what it says, and I'm not technically speaking opposed to publication, I'll just resolve the conundrum by abstaining from voting. It's not a statement or a protest, it's just personal preference.)
Editor
Joined: 11/3/2013
Posts: 506
^How else could so much time be cut from such a well-explored game other than ACE? I absolutely love this. The ending reminds me of the Super Mario World in the way that the game gets more and more illogical until it finally gives up and gives the player his win.
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
SEE YOU NEXT TAS YOUR RATE FOR SAVING FRAMES IS 999%
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
darkszero
He/Him
Joined: 7/12/2009
Posts: 181
Location: São Paulo, Brazil
Yes for cheating death and saving the animals.
mklip2001
He/Him
Editor
Joined: 6/23/2009
Posts: 2227
Location: Georgia, USA
After watching this, I've decided I'm fine with the debug code. It also allows a much more entertaining route with the pause glitches. The code is also not the focus of the run, unlike Saturn's run. It really adds to the overall WTF factor. The glitchy running across the screen looks great. I'm giving this a Yes vote. I don't have any suggestions, though, about what happens to the current any% run if this is published. I recommend keeping that run and this run published as separate categories, but I could see the case for obsoletion as well.
ALAKTORN
He/Him
Former player
Joined: 10/19/2009
Posts: 2527
Location: Italy
using a cheatcode to beat the game? I thought that was against the rules
Patashu
He/Him
Joined: 10/2/2005
Posts: 4045
ALAKTORN wrote:
using a cheatcode to beat the game? I thought that was against the rules
Is the old Earthbound TAS against the rules (the one that glitchily accesses the debug menu)?
ALAKTORN
He/Him
Former player
Joined: 10/19/2009
Posts: 2527
Location: Italy
Patashu wrote:
ALAKTORN wrote:
using a cheatcode to beat the game? I thought that was against the rules
Is the old Earthbound TAS against the rules (the one that glitchily accesses the debug menu)?
glitching the game to use “cheatcodes” is different than plainly using cheatcodes
Player (13)
Joined: 6/17/2006
Posts: 510
I should point out that the cheating rule states that it's not strict and motivated by the same concept as the guideline that says you should play on the hardest difficulty. Said guideline states that if the difference in difficulty is inapplicable for the run, then selecting the hardest mode is unnecessary. Considering this, I don't see any problem with the usage of the GT Code here, since playing the game is not the point of this run. Of course, it should not obsolete other runs, since they don't use cheats. (And also because it would make Warp very sad.) Also, I have a question: are the last 2 input frames necessary? Because if they aren't, I think it would be smart to delete them, because they artificially inflate the frame count. (Not that I don't care about saving the animals or 999% completion, but if it's slower it's not worth it in my opinion - even if it's just for 2 frames.)