Skilled player (1117)
Joined: 4/11/2008
Posts: 162
Location: Anime land
When I heard the sketch glitch is useful in speedruns, I was wondering how FF6 would turn out. Great job :) I'll watch the whole run after the submission comes.
Active player (430)
Joined: 9/7/2007
Posts: 329
hahaha "rafting" through Kefka's Tower. I also like how a character sprite got turned into MissingNo. Those battle strategies really "blew" me away! Good work!
Joined: 6/5/2005
Posts: 139
dunnius wrote:
"rafting" through Kefka's Tower.
Hehe, I enjoyed that as well. Incredible ending to a great run!
I like stuff...
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
Great job! Will there be an overlay like in FF4 and CT videos?
Joined: 11/17/2005
Posts: 278
Location: Massachusetts, USA
No one's talking about the Inferno skip or the conveyor belt climb? I was surprised! Sketching the Zone Eater causes the "landing on Kefka's Tower" cutscene to play very late. But I guess it must be the fastest way to get Moogle Charms. It seems like it beats 8 rounds of messing around with Tincture/Imp.
Player (13)
Joined: 6/17/2006
Posts: 511
I just saw keylie's amazing TAS with commentary on Twitch, and I have to point out a critical oversight that nullified most of the enjoyment I had: the ending sequence is interrupted by a softlock and never completes. As a reference, this is what should actually happen. Now, I don't have anything against glitched endings (on the contrary), but I do have a problem with ending sequences interrupted before the actual end. Personally, I feel that such a situation doesn't count as beating the game and falls in the "missing critical ending routines" category. That said, I know of at least one precedent to the contrary, so I don't think it would be an issue for publication, but it at least is an issue for me. By the way, I don't want to start an argument in this thread. I just wanted to point out this issue as soon as possible. If someone wants to debate this, I think it would be better to do so in a separate thread to avoid going off-topic.
Joined: 11/16/2009
Posts: 68
This run wasn't ended by a glitch, it was ended in the normal way of completing the final battle without dying. Other glitches done previously in the run interact negatively with the ending, but it is not a glitch-ending.
Joined: 2/12/2008
Posts: 67
Location: San Francisco Bay Area, CA
Dessyreqt wrote:
This run wasn't ended by a glitch, it was ended in the normal way of completing the final battle without dying. Other glitches done previously in the run interact negatively with the ending, but it is not a glitch-ending.
Well, technically the final fight wasn't completed either (though I don't think it matters; I also don't think the ending softlock matters since the ending sequence clearly started). I'm curious though: Did the softlock occur due to script problems or due to memory corruption? Since a bunch of the memory corruption problems caused by the sketch bug can be fixed with a save, load, and reset, that might suffice to fix the softlock (maybe at one of the save points in Kefka's Tower). But, if it's a script problem, that'll be nasty to fix… You'd have to reverse engineer the script and see what it's expecting :(
LCC
Joined: 7/26/2014
Posts: 12
From what I understand there is a flag set during the transition from World of Balance to World of Ruin where that map is used as a part of a cutscene, which is what allows the ending to complete. Since this cutscene is skipped, the ending has the last final bit cut off, though the music still plays out.
Joined: 11/17/2005
Posts: 278
Location: Massachusetts, USA
I think the ending is fine because it is reached normally. Examples of endings that have been rejected by tasvideos:
- Super Mario World, using ACE to draw the final image of "The End" and then ending the program. No, you must either kill Bowser or jump to the parade.
- A Boy and His Blob, literally walking to the credits and ending input. Because the credits in this game appear to be implemented as a map it is possible to display them by walking out of bounds. But again, no, you must trigger the ending sequence.
Endings that are acceptable:
- Castlevania: Dawn of Sorrow, using memory corruption to flag the final boss as already dead. Entering the final screen instantly begins the credits.
- Super Mario Land 2: 6 Golden Coins, an older run used memory corruption to begin the ending by starting a level with a specific ID. The ending was glitched, but otherwise legit.
- Dragon View: what is even going on? But the submission text says that the ending is not correctly displayed and doesn't finish. This submission seems to be the most like FF6.
The FF6 credits are about 30 minutes long and they still play almost entirely in keylie's TAS. The part where it hangs is close to the end of the end. But more importantly the final boss is fought (and 'beaten' by running away) and the legit credits trigger normally.
Joined: 11/16/2009
Posts: 68
Nightwatch wrote:
Well, technically the final fight wasn't completed either (though I don't think it matters; I also don't think the ending softlock matters since the ending sequence clearly started).
Of course it was completed; it just wasn't completed in the normal way. However, the completion (without dying) of that fight is the normal trigger for the ending.
Post subject: Tool Assisted Exploit Search - JP ROM
Joined: 11/17/2005
Posts: 278
Location: Massachusetts, USA
I have an idea for a process that might result in the discovery of an exploit in the JP version, but I don't know how to implement it. Correct me if I'm wrong, but the fun started when Kadamony made the spreadsheet tool. Originally I think Keylie was going to make a run featuring the airship glitch. But it was the super-optimization of the sketch glitch that led to skipping even the Floating Continent and also getting Moogle Charms on everyone. We've seen what the Goggles Glitch can do, and I think the Equip Anything glitch should lead to a big exploit at the start of the game. The Goggles themselves have a different effect in the JP version but there are still bad animations being played and bad sprites being drawn. The question is, what is going on? I've tested every item from 5A-FE multiple times over the years but I've never known what to look for. The Goggles Glitch for example also requires specific timing. I could've been close to finding it and not known it. What if attacking with a TortoiseShld causes monster 5's common steal to change into a Charm Bangle? What if attacking with a Potion sets the Engulf bit for ally 4 only? If I'm testing against a Leafer then I'll never notice. I can't watch every known address at once. But if a spreadsheet existed that listed each combination of (weapon id) : (list of addresses changed) then FF6 nerds everywhere could pick through the data and look for exploits. It would be a lot of data to look at, but we're good at it. And tests would need to be done. For example sketching the Intangir has always crashed the game with 100% reliability. But the spreadsheet led me to test one specific high-payoff possibility anyway, and the result was a miracle. Likewise some theoretically easy sketches actually softlocked the game. (Like so many outcomes involving the Moogle Charm, doh!) I think this procedure might produce a good spreadsheet?
1) Play the game normally until Terra is alone in the cave.
2) Empty her hands. Get into a preemptive battle. Save state 'alpha'.
3) For each value 5A-FE:
-- poke it into Terra's L-Hand
-- save state 'beta'
-- attack, wait 10 whole seconds
-- save state 'gamma'
-- binary diff 'beta' with 'gamma', and save all changes from 7E2000-7E3FFF
-- load state 'alpha'
Some variations in the initial state unfortunately probably matter: is the attack mirrored from the left side, what else might be in the R-hand, and potentially the position/size of the enemy. But at least to begin this should identify the dangerous items to attack with. I'd be shocked if there isn't at least one.
EDIT: RAM map for reference. Check the theoretical spreadsheet against this, then look for exploits related to the description of that RAM address.
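The data-processing half of the procedure proposed above, as an added example that is not code from the thread or from any FF6 tool: given the 7E2000-7E3FFF slice of work RAM extracted from the 'beta' and 'gamma' savestates (diff the RAM slice, not the raw savestate file, which also carries headers and other chips' state), it produces the (item id) : (addresses changed) rows and separates out addresses that change in every trial (tick counters, RNG, animation timers), since those say nothing about the item. Driving the emulator (poking the L-Hand slot, saving states) is outside this example; the snapshots below are constructed, not real FF6 memory.

```python
"""Build the (item id -> changed RAM addresses) sheet from savestate RAM diffs.

Added example, not code from the thread.  Input is the 7E2000-7E3FFF window
of work RAM taken from two savestates; the sample snapshots are constructed.
"""

WINDOW_START = 0x7E2000            # range the post proposes to diff
WINDOW_SIZE = 0x2000               # 7E2000-7E3FFF inclusive


def diff_states(before, after, base=WINDOW_START):
    """Return [(addr, old, new)] for every byte that differs between two snapshots."""
    if len(before) != len(after):
        raise ValueError("snapshots must cover the same window")
    return [(base + i, before[i], after[i])
            for i in range(len(before)) if before[i] != after[i]]


def build_sheet(trials, base=WINDOW_START, drop_common=True):
    """trials: {item_id: (beta_ram, gamma_ram)} -> ({item_id: [(addr, old, new)]}, noise).

    Addresses that change in every trial (frame/tick counters, RNG state,
    animation timers) carry no information about the item, so they are
    returned separately as 'noise' and removed from each item's row.
    """
    rows = {item: diff_states(b, g, base) for item, (b, g) in trials.items()}
    noise = set()
    if drop_common and len(rows) > 1:
        noise = set.intersection(*(set(a for a, _, _ in r) for r in rows.values()))
        rows = {item: [x for x in r if x[0] not in noise] for item, r in rows.items()}
    return rows, sorted(noise)


def constructed_trials():
    """Fake snapshots standing in for emulator RAM dumps (constructed data)."""
    def snapshot(writes):
        ram = bytearray(WINDOW_SIZE)
        for off, val in writes.items():
            ram[off] = val
        return bytes(ram)

    beta = snapshot({0x0000: 0x10})            # a timer byte before the attack
    return {
        0x5A: (beta, snapshot({0x0000: 0x2C})),                             # only the timer advanced
        0x5B: (beta, snapshot({0x0000: 0x2C, 0x1A10: 0x7F})),               # one item-specific byte
        0x5C: (beta, snapshot({0x0000: 0x2C, 0x0400: 0x01, 0x0401: 0xFF})), # a two-byte write
    }


if __name__ == "__main__":
    sheet, noise = build_sheet(constructed_trials())
    for item, row in sorted(sheet.items()):
        cells = ", ".join(f"{a:06X} {o:02X}->{n:02X}" for a, o, n in row)
        print(f"item {item:02X}: {cells or 'no item-specific change'}")
    print("noise:", [f"{a:06X}" for a in noise])
```

Run the real trials through `build_sheet` with one row per item id and feed the resulting addresses to a RAM map; the noise list is also a quick sanity check that the two snapshots really came from the same battle.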
Joined: 7/27/2014
Posts: 4
Hey keylie, I had some questions about the whole tier changing thing. I read what you wrote here and also on the tasvideos page.
keylie wrote:
With a sketch glitch against a formation mold 4, with a 0x41 aiming spell and 0xBF availability, the second command of the third character will be replaced with the command 32, which triggers the tier change during the Kefka fight. In this case, the tier change will load another enemy formation depending on the aiming of the command. The binary representation of the aiming value is the following two-bytes integer: 0 0 foe6 foe5 foe4 foe3 foe2 foe1 0 0 0 0 char4 char3 char2 char1 So we can load enemy formations with an id as high as 16143, knowing that formations are normally included between 0 and 575.
I've watched the video and, if I'm understanding correctly, using this method to change tier would only give us access to a very limited amount of encounter formations, right? Because if the aiming of the command is single-target, I guess the aiming value can only be 0x0001, 0x0002, 0x0004, 0x0008, 0x0100 or 0x0200 (since targeting foe3, foe4, foe5 or foe6 would result in a nonexistent formation). I guess that's what you do in your video when char3 targets himself, you get the id 4 encounter formation (Lobo*2 + Marshal). But you seem to say that it's possible to load any encounter formation, maybe by changing the targeting of the command... but I don't get how you would do that without sketch glitching again. But you also said in the thread that it's possible to have the tier changing command available by goggles glitching and swapping characters instead of opening the magic menu:
keylie wrote:
Other ideas that will probably not be useful: we can merge the item list with the command list by swapping characters during the Goggles glitch. This can be helpful to: [...] - use the battle script to move to the next tier, which allows us to access to other formation molds while still being in the Triangle Island. The formation loaded depends on the aiming of the command. We can flag the corresponding item to have the aiming byte we want, so we have a bit of freedom on the target formation. The binary representation of the aiming value is the following two-bytes integer:
0 0 foe6 foe5 foe4 foe3 foe2 foe1 0 0 0 0 char4 char3 char2 char1
By aiming our party, we can have access to formations [1;15] By aiming the enemies, based on the fact that formations 6, 7 and 8 are available on the Triangle Island, we have access to formations 1024 * [1;15]. All those formations are glitched because there are 576 formations. Unfortunately, the two Zone Eater formations (335 and 501) are not accessible.
Now, this sounds like a great thing, but I don't really understand how you do it after goggles glitching. Does a particular item correspond to the tier changing command? I guess that if the item is not useable in battle, you have to flag it beforehand using the sketch glitch. But in that case, how does the aiming byte change, and how does that affect the tier change? Your alternative route for the Engulf was to flag a Partisan and Goggles glitch with it to trigger a mold 7 formation, but I don't get it: wouldn't 0x20 get you the id 32 formation, aka Brawler*2 (mold 0)? EDIT: I think I'm confusing between the id of the item (corresponding to the tier changing command) and its aiming value... I get it now, id 32 is the id of the tier change command, like you said. EDIT2: OK, I checked again in the spreadsheet and the target value of the Partisan in sketch glitch 41FF is A0, meaning id 160 encounter formation, aka Baskervor (mold 0). Yep, I don't get it, how do you get mold 7? Sorry for all the questions :D
@oxydoreduction twitch.tv/oxydoreduction
keylie
He/Him
Editor, Emulator Coder, Expert player (2889)
Joined: 3/17/2013
Posts: 392
oxydoreduction wrote:
I've watched the video and, if I'm understanding correctly, using this method to change tier would only give us access to a very limited amount of encounter formations, right? Because if the aiming of the command is single-target, I guess the aiming value can only be 0x0001, 0x0002, 0x0004, 0x0008, 0x0100 or 0x0200 (since targeting foe3, foe4, foe5 or foe6 would result in a nonexistent formation). I guess that's what you do in your video when char3 targets himself, you get the id 4 encounter formation (Lobo*2 + Marshal). But you seem to say that it's possible to load any encounter formation, maybe by changing the targeting of the command... but I don't get how you would do that without sketch glitching again.
Well, in this case, I don't think it is possible to change the aiming, so yes, the choices are more limited than I indicated. I didn't check, but there might be other setups giving command 32 with a multi-target aiming.
oxydoreduction wrote:
Your alternative route for the Engulf was to flag a Partisan and Goggles glitch with it to trigger a mold 7 formation, but I don't get it: wouldn't 0x20 get you the id 32 formation, aka Brawler*2 (mold 0)? EDIT: I think I'm confusing between the id of the item (corresponding to the tier changing command) and its aiming value... I get it now, id 32 is the id of the tier change command, like you said. EDIT2: OK, I checked again in the spreadsheet and the target value of the Partisan in sketch glitch 41FF is A0, meaning id 160 encounter formation, aka Baskervor (mold 0). Yep, I don't get it, how do you get mold 7?
Glitching the command window with the Goggles and using the item Partisan (id 0x20) should execute the command 0x20 which is the tier change. The aiming byte of the item Partisan will determine which target(s) I can choose. The actual targets I choose will determine which formation will be loaded after the tier change. To be able to have multiple targets, I need to have in the aiming byte of the Partisan either 0x04 (Affects all allies and enemies), 0x08 (Affects all allies or all enemies) or 0x20 (Multiple selection possible).
Post subject: Re: Tool Assisted Exploit Search - JP ROM
keylie
He/Him
Editor, Emulator Coder, Expert player (2889)
Joined: 3/17/2013
Posts: 392
Catastrophe wrote:
But if a spreadsheet existed that listed each combination of (weapon id) : (list of addresses changed) then FF6 nerds everywhere could pick through the data and look for exploits.
What I can do at least is, for each weapon, to which address is the game wrongly jumping and which function this address is in (for documented functions at least). It might give a clue if this weapon can lead to an exploit or not.
Catastrophe wrote:
EDIT: RAM map for reference. Check the theoretical spreadsheet against this, then look for exploits related to the description of that RAM address.
Beware, almost all the addresses $2xxx are wrong. The author confused $2xxx (RAM address, $7E2xxx) and $002xxx which holds PPU and other stuff.
Post subject: Re: Tool Assisted Exploit Search - JP ROM
Joined: 11/17/2005
Posts: 278
Location: Massachusetts, USA
keylie wrote:
Catastrophe wrote:
But if a spreadsheet existed that listed each combination of (weapon id) : (list of addresses changed) then FF6 nerds everywhere could pick through the data and look for exploits.
What I can do at least is, for each weapon, to which address is the game wrongly jumping and which function this address is in (for documented functions at least). It might give a clue if this weapon can lead to an exploit or not.
That would make sense and be useful, but come to think of it does a semi-documented disassembly exist of the Japanese version? I'm sure most of it is the same besides being moved around, but obviously that matters. Although without ANY knowledge I could at least scan the potential list for jumps which don't return quickly. So if I notice that the X-Potion returns after two instructions but the Genji Helm seems to run for awhile over many branches before potentially returning then I can aimlessly test the Genji Helm for corruption. If I see corruption in the 7E2000-7E3FFF range then I'll figure out with a watch what those memory addresses are for. (Hopefully something useful.)
Catastrophe wrote:
EDIT: RAM map for reference. Check the theoretical spreadsheet against this, then look for exploits related to the description of that RAM address.
Beware, almost all the addresses $2xxx are wrong. The author confused $2xxx (RAM address, $7E2xxx) and $002xxx which holds PPU and other stuff.
gaaaahh. Thank you. Although again, different ROM, so I may have to re-solve the purpose of 7E2xxx anyway. But that's something I know how to do.
LCC
Joined: 7/26/2014
Posts: 12
Quick heads up for future reference: when entering a screen that starts you on stairs you can hold up or down during the fade-in then go down the stairs at a faster rate than you normally would. Places affected in the current route:
- Doma Castle after poison
- Post KaN Figaro Castle basement
- Opera when going back to your seat - This was done in both Erokky's as well as Kilaye's TAS's
- Kefka's tower center switch room (both sides) and the room on the right path with the hidden Aegis Shld.
keylie
He/Him
Editor, Emulator Coder, Expert player (2889)
Joined: 3/17/2013
Posts: 392
I managed to get ACE on ff6 japanese version. Here is a proof of concept video: Link to video User movie #21824914608942764
FF6 Japanese version features a glitch called equip-anything glitch, where you can equip any item at any equipment slot. To equip an item on a weapon slot, for example, you must:
* sell every weapon that a character can equip
* place the item in the last (256) slot
* select "Optimise"
During a fight, when you attack with a weapon, the game loads the weapon graphics properties from address $ECE400+8*id into $623B-$6242. Address $6240, which stores whether the weapon has a short or long range animation, takes values between 0 and 4. According to this value, the game loads a different function, as shown below:
$C1/C217 AD 40 62    LDA $6240
$C1/C21A 29 7F       AND #$7F                
$C1/C21C 0A          ASL A                   
$C1/C21D AA          TAX                     
$C1/C21E 7C 21 C2    JMP ($C221,x)

Pointers:
$C1/C221 34 C2  
$C1/C223 47 C2
$C1/C225 2B C2
$C1/C227 C0 C2
$C1/C229 21 C3
However, for items that are not weapons, address $6240 can store any value, so that the jump instruction above leads to many wrong addresses. Among all the wrong jumps, the one with address $6240 being 0x07 (weapons X-Ether, Gold Hairpin, Czarina Ring or Charm Bangle) is interesting because the game jumps to address C1/8D7A which holds:
$C1/8D7A 1B          TCS      Push accumulator to the stack pointer
...
$C1/8DE6 60          RTS
The accumulator happens to be 0x000E when instruction TCS is executed, so at the RTS instruction, the game pulls the value of address $000F-$0010 and jumps there. Address $000E-$000F is the battle ticks (i.e. the number of frames since the beginning of the fight) and address $0010 is often used to store a pointer to ROM, so it can take several values. So we have many possibilities to jump here, but still inside the C1 bank. To jump outside the C1 bank and hopefully inside RAM or SRAM, we need to execute long jump instructions. When searching for JML (5C) instructions inside the C1 bank, I found several jumps into SRAM:
$C1/CEC7 5C 6F 60 AE  JML $AE606F
$C1/DC11 5C 6F 60 AE  JML $AE606F
$C1/F791 5C 6F 60 AE  JML $AE606F
$C1/F80F 5C 6F 60 A4  JML $A4606F
Among all these options, the first one ($000F = 0xC7; $0010 = 0xCE) was found to be possible as sometimes $0010 holds 0xCE during the wrong jump. $AE606F corresponds to address $006F in SRAM, which is saved from address $166F in RAM. This address and following ones store:
$166F        Shadow's Sprite set (03)
$1670        Shadow's Level adjustment factor (03)
$1671-$1676  Shadow's Name
The first instruction is then interpreted as ORA $03,S and we can manipulate the next 6 bytes by cleverly naming Shadow. To trigger the ending, the way I found was to overwrite the event pointer, a 24-bit address that stores where in the list of events ($CA0000-$CCE5FF) we are. The event pointer is stored at $E5-$E7. However, during a fight, the game makes a backup to $12E5-$12E7. To trigger the ending, we need to store 0x1362 into $12E5. However, as we are using name characters to write instructions, we have a limited choice, namely bytes 20 - 5C, 60 - CC, CE - D1 and D3. Using the name of many characters, I could overcome the limitations and came up with this set of instructions:
AE/606F: 03 03        ORA $03,S    Harmless
AE/6071: C2 20        REP #$20     16-bit accumulator
AE/6073: 80 8D        BRA $6002    Jump to Terra's name
AE/6002: A9 CA 25     LDA #$25CA
AE/6005: 80 20        BRA $6027    Jump to Locke's name
AE/6027: 4A           LSR A        A is #$12E5
AE/6028: 85 A2        STA $A2      Stores to $A2
AE/602A: 80 20        BRA $604C    Jump to Cyan's name
AE/604C: 48           PHA          We push #$E5 to the stack for later
AE/604D: A9 C4 26     LDA #$26C4
AE/6050: 80 44        BRA $6096    Jump to Edgar's name
AE/6096: 4A           LSR A        A is #$1362
AE/6097: 92 A2        STA ($A2)    Store to $12E5
AE/6099: 80 20        BRA $60BB    Jump to Sabin's name
AE/60BB: A9 C2 2B     LDA #$2BC2
AE/60BE: 80 20        BRA $60E0    Jump to Celes's name
AE/60E0: 4A           LSR A        A is #$15E1
AE/60E1: 28           PLP          Pull Processor status register
                                   This restores 8-bit accumulator
                                   We couldn't use the standard SEP (E2) instruction
AE/60E2: 5C 7A 8D C1  JML $C18D7A  This calls TCS then RTS to fix the stack pointer
                                   and continue the normal flow.
                                   We couldn't call directly TCS (1B)
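The payload above is shellcode under a character-set constraint: every executed byte that sits in a name slot has to be a typeable name character, each BRA has to land inside another character's 6-byte name, and the 16-bit constants are built with LDA/LSR because the wanted values are not typeable themselves. As an added example (not code from keylie's post or from the ff6-tas repository), the script below traces the chain from $AE606F the way the 65816 would, including REP and PLP switching the accumulator width and the PHA/PLP trick that turns the low byte of #$12E5 into a new P register, and flags any executed name-slot byte outside the ranges the post gives. The 37-byte character record with the name at offset +2 is inferred from the addresses quoted in the post and is an assumption here; the LDA #$25CA at Terra's name is taken as the encoding A9 CA 25.

```python
"""Trace the name-byte payload from the ACE post and check its constraints.

Added example; not code from keylie's post or the ff6-tas repository.  The
37-byte record / name-at-+2 layout is an assumption inferred from the post.
"""

# Name characters the post says can be typed (inclusive ranges).
NAME_RANGES = [(0x20, 0x5C), (0x60, 0xCC), (0xCE, 0xD1), (0xD3, 0xD3)]

RECORD_BASE, RECORD_SIZE = 0x6000, 0x25      # assumed: SRAM $0000 + 37*n mirrors RAM $1600 + 37*n
NAME_OFF, NAME_LEN = 2, 6

# Payload bytes keyed by 16-bit offset inside bank $AE (the post's "AE/xxxx").
PAYLOAD = {
    0x606F: "03 03",                 # Shadow's sprite set / level adjust, not a name
    0x6071: "C2 20 80 8D",           # Shadow's name
    0x6002: "A9 CA 25 80 20",        # Terra's name
    0x6027: "4A 85 A2 80 20",        # Locke's name
    0x604C: "48 A9 C4 26 80 44",     # Cyan's name
    0x6096: "4A 92 A2 80 20",        # Edgar's name
    0x60BB: "A9 C2 2B 80 20",        # Sabin's name
    0x60E0: "4A 28 5C 7A 8D C1",     # Celes's name
}


def is_name_byte(b):
    return any(lo <= b <= hi for lo, hi in NAME_RANGES)


def name_slot(addr):
    """Index of the character whose name slot contains addr, or None."""
    idx, rem = divmod(addr - RECORD_BASE, RECORD_SIZE)
    return idx if idx >= 0 and NAME_OFF <= rem < NAME_OFF + NAME_LEN else None


def load_memory(payload=PAYLOAD):
    mem = {}
    for base, hexs in payload.items():
        for i, b in enumerate(bytes.fromhex(hexs)):
            mem[base + i] = b
    return mem


def trace(mem, start=0x606F):
    """Execute the handful of opcodes the payload uses; return what it does."""
    pc, a, m16 = start, 0, False           # A is 8-bit when we arrive via TCS/RTS
    stack, dp, writes, executed = [], {}, [], []
    while True:
        op, size, nxt = mem[pc], 1, None
        if op == 0x03:                       # ORA $nn,S : harmless read
            size = 2
        elif op == 0xC2:                     # REP #imm : clearing bit 5 makes A 16-bit
            size = 2
            if mem[pc + 1] & 0x20:
                m16 = True
        elif op == 0x80:                     # BRA rel8 : signed displacement from next pc
            size = 2
            off = mem[pc + 1]
            nxt = (pc + 2 + (off - 0x100 if off >= 0x80 else off)) & 0xFFFF
        elif op == 0xA9:                     # LDA #imm : 3 bytes in 16-bit mode, else 2
            size = 3 if m16 else 2
            a = mem[pc + 1] | (mem[pc + 2] << 8 if m16 else 0)
        elif op == 0x4A:                     # LSR A
            a >>= 1
        elif op == 0x85:                     # STA dp : remember the direct-page word
            size = 2
            dp[mem[pc + 1]] = a
        elif op == 0x48:                     # PHA : high byte pushed first, then low
            stack += [a >> 8, a & 0xFF] if m16 else [a]
        elif op == 0x92:                     # STA (dp) : indirect through the dp word
            size = 2
            writes.append((dp[mem[pc + 1]], a))
        elif op == 0x28:                     # PLP : pulled byte becomes P; M is bit 5
            m16 = not (stack.pop() & 0x20)
        elif op == 0x5C:                     # JML long : leaves the name area
            executed.append((pc, 4))
            target = mem[pc + 1] | mem[pc + 2] << 8 | mem[pc + 3] << 16
            return dict(writes=writes, jml=target, m16=m16, a=a, executed=executed)
        else:
            raise ValueError(f"opcode {op:02X} at {pc:04X} not modelled")
        executed.append((pc, size))
        pc = nxt if nxt is not None else pc + size


def check_name_bytes(mem, executed):
    """illegal: executed name-slot bytes that cannot be typed;
    outside: executed bytes not in any name slot (must come from other fields)."""
    illegal, outside = [], []
    for pc, size in executed:
        for addr in range(pc, pc + size):
            if name_slot(addr) is None:
                outside.append(addr)
            elif not is_name_byte(mem[addr]):
                illegal.append((addr, mem[addr]))
    return illegal, outside


if __name__ == "__main__":
    mem = load_memory()
    result = trace(mem)
    illegal, outside = check_name_bytes(mem, result["executed"])
    for target, value in result["writes"]:
        print(f"writes ${value:04X} to ${target:04X}")
    print(f"exits via JML ${result['jml']:06X}, 16-bit A afterwards: {result['m16']}")
    print("executed bytes outside name slots:", [f"{x:04X}" for x in outside])
    print("illegal name bytes:", illegal or "none")
```

Editing `PAYLOAD` and rerunning is the cheapest way to check a variant (another target address, another exit) before typing names in the emulator: a BRA that lands between name slots shows up as an `outside` address, and an untypeable byte shows up in `illegal`.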
Player (203)
Joined: 1/24/2011
Posts: 108
Wow, I go to grad school, come back, and this game's broken wide open! Looks like that goggles glitch I found back in the day actually led to something! Awesome!
Rayas wrote:
Dunno if I'm really clear. I need to drink more.
adelikat wrote:
The idea was to kill off my family to avoid lost time to them getting sick and other inconvenient things.
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
Great discovery! I thought it was a prank due to the date you posted the video. :P When is the earliest point the glitch can be triggered? Do you have to proceed to the World of Ruin like what the video shows?
Skilled player (1748)
Joined: 9/17/2009
Posts: 4995
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
So uh....what to do with the current movie + previous movie? Branch it off again? lol Quite amazing this game can be broken in 2 different ways using 2 region specific glitches.
keylie
He/Him
Editor, Emulator Coder, Expert player (2889)
Joined: 3/17/2013
Posts: 392
Fortranm wrote:
Great discovery! I thought it was a prank due to the date you posted the video. :P When is the earliest point the glitch can be triggered? Do you have to proceed to the World of Ruin like what the video shows?
Yeah, I happened to finish this route on April 1st, but this is totally legit. You pointed out the problem of this route, and why I'm not working on the TAS. Each one of the items required for this glitch is available during late World of Balance, meaning after 2 hours of TAS. Also, we need to wait for 15 minutes during the fight so that the tick counter is at the right value. I hope I can either find another useful setup, or rewrite my inventory somehow to get one of the four needed items.
Skilled player (1748)
Joined: 9/17/2009
Posts: 4995
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Fortranm
He/Him
Editor, Experienced player (882)
Joined: 10/19/2013
Posts: 1125
So both of the 2 different ways to break the game using 2 region specific glitches require more than half of the game to be finished in the end. This game is much better programmed than 1st gen Pokemon games after all. :P
keylie
He/Him
Editor, Emulator Coder, Expert player (2889)
Joined: 3/17/2013
Posts: 392
jlun2 wrote:
Any other uses for this glitch?
Well, every weapon can possibly cause a different glitch when attacking. I listed all of them and the executed assembler code here: https://github.com/clementgallet/ff6-tas/wiki/attacking-with-objects Other than that, maybe blocking with an item that isn't a shield may provoke a glitch, but this is unlikely. I guess it only changes the sprite palette. Equipping wrong items as an armor or an accessory gives weird stats, but nothing game-breaking as far as I know.
Fortranm wrote:
So both of the 2 different ways to break the game using 2 region specific glitches require more than half of the game to be finished in the end. This game is much better programmed than 1st gen Pokemon games after all. :P
Actually, the equip-anything glitch is available from the beginning when you take control of solo Terra. This is why I've been focusing on the JP version of the game. Just that the items needed to get one useable game-breaking glitch are not available until pretty far in the run :(