• Major skip glitch
  • Uses a game restart sequence
  • Corrupts save data
  • Abuses opposite D-Pad presses (U+D/L+R)
  • Heavy luck manipulation
  • Genre: Strategy
I have a feeling this will be too boring to be published but I had a lot of fun with it. This is my first time doing something this technical & I took the game apart quite a bit.
This TAS uses a mid-frame reset to corrupt the save file in a way that it can be used to trigger the game's ending as quickly as possible.
There is an array of Officers beginning at 6005. Each officer is part of a linked list: the first attribute of each Officer is a 16-bit pointer to another Officer (or null, if they're the last in the list), which are dereferenced one after the other in order to loop through officer lists. By resetting in the space between the low and high byte being overwritten by new save data, I can create a glitched pointer which causes incorrect data in the officer array to be interpreted as an officer.
The other issue is that the game has a checksum for sensing corrupt files, so we have to bypass it by making sure that the corrupt file sums to the same value as the original save. This is easier to resolve if the glitch is performed on an officer with a lower RAM address (60XX-62XX), because all of these officers belong to France, so it limits the amount of changes that can randomly happen to relevant RAM during any AI turns.
Scenario 4 is chosen because all of Napoleon's relatives become player-controlled, which allows me to execute the glitch in a single in-game month.
The route is as follows:
NATIONAL PHASE:
  • Deploy Jerome to Bordeaux, & send Dombrowski to Paris. This is done to ensure that both Mobrogue and Dombrowski are in player-controlled cities.
CITY PHASE, PART 1:
  • BORDEAUX: Save the game, then give a speech - by sheer coincidence this caused game RAM to go up exactly how much I needed it to match the checksum (51).
  • PARIS: Move four officers to another city. The purpose of this is to cause Ney's "next officer" stat to change from 61F4 (Lannes) to 67C1 (Dombrowski).
  • CITY 3: Save the game, then mid-frame reset so that the officer pointer is now 61C1 - This creates a glitched officer starting at Mobrogue's men/horses stat.
CITY PHASE, PART 2:
  • BORDEAUX: Assign 156 men to Mobrogue. Because the RAM address we're writing to is shared by the glitched officer, this causes a new officer to appear in Paris at 9C, which contains PAD1/PAD2 input.
  • PARIS: Rest, triggering the random Ball event, & perform input on PAD1/PAD2 equivalent to 6FE5. The Ball is a random event that assigns a random amount of morale, training and experience to each officer in the city.
At this point our officer list contains:
61C1 -> 009C -> 6FE5 -> ???? (keeps following values until it finds zero)
What we want from the ball is to have the glitched officer at 6FE5 to be assigned exactly 3 experience, because its experience stat is located at 6FEB (game state) and 3 is the flag for the game ending.
Because we are randomly assigning stat boosts to some critical memory regions, we also have to make sure the event we manipulate doesn't crash the game in the process.
IMPROVEMENTS:
There could possibly be a route in which the AI commander performs an action that fixes the checksum exactly for us, preventing me from having to take a turn to do it; however it already took me a really long time testing RNG branches to even come up with this & that's way too complex to work out unless I find some way to automate the testing process. I am happy with this run for now.
Because all we need is a link leading to 9C, there could very well be a faster solution that traverses some less obvious path through the RAM data, but I searched for a while & this was the only one I could find that worked. I haven't gone very far in investigating the Japanese release but there could very well be an exclusive solution.
I can almost certainly perform this same type of glitch on other Koei games, although some of the ones I've looked at use dual checksums which complicate the bypass process.
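Added example (not part of the submission and not the game's code): a small C model of why a plain additive checksum does not detect a torn 16-bit pointer write, and of a bounded, validated list walk that rejects the resulting pointer. The array base 6005 and the pointer values 61F4, 67C1 and 61C1 come from the write-up above; the record size, record count, the slot address NEY and the byte OTHER are assumptions chosen for illustration.

```c
#include <stdint.h>

/* Constructed model. BASE and the pointer values are from the write-up;
   REC_SIZE, COUNT, NEY and OTHER are assumptions, not the game's layout. */
#define BASE     0x6005u
#define REC_SIZE 11u                      /* assumed record size */
#define COUNT    200u                     /* assumed number of records */
#define NEY      (BASE + 10u * REC_SIZE)  /* assumed slot whose "next" field is torn */
#define OTHER    0x6F00u                  /* assumed unrelated byte covered by the sum */

static uint8_t ram[0x10000];

/* Plain additive checksum over the modelled save area. */
uint16_t sum16(void) {
    uint16_t s = 0;
    for (uint32_t a = 0x6000; a < 0x7000; a++) s = (uint16_t)(s + ram[a]);
    return s;
}

/* Little-endian 16-bit store that stops after bytes_done bytes (0..2). */
void store16(uint16_t addr, uint16_t v, int bytes_done) {
    if (bytes_done >= 1) ram[addr] = (uint8_t)(v & 0xFF);
    if (bytes_done >= 2) ram[addr + 1] = (uint8_t)(v >> 8);
}

uint16_t load16(uint16_t addr) { return (uint16_t)(ram[addr] | (ram[addr + 1] << 8)); }

/* Hardened check: a "next" pointer is null or lands exactly on a record start. */
int valid_ptr(uint16_t p) {
    if (p == 0) return 1;
    if (p < BASE || p >= BASE + REC_SIZE * COUNT) return 0;
    return (p - BASE) % REC_SIZE == 0;
}

/* Bounded walk: list length, or -1 on a bad pointer or more hops than records. */
int walk(uint16_t head) {
    int n = 0;
    for (uint16_t p = head; p != 0; p = load16(p))
        if (!valid_ptr(p) || ++n > (int)COUNT) return -1;
    return n;
}

int main(void) {                          /* exit status 0 = model behaves as described */
    store16(NEY, 0x61F4, 2); ram[OTHER] = 10;
    uint16_t good = sum16();
    store16(NEY, 0x67C1, 1);              /* write stops after the low byte: 61C1 */
    ram[OTHER] += 51;                     /* torn byte lowered the sum by 0xF4 - 0xC1 = 51 */
    return !(load16(NEY) == 0x61C1 && sum16() == good && walk(NEY) == -1);
}
```

The sum matches the original again after the compensating change, while the validated walk still refuses the misaligned pointer instead of following it through unrelated RAM.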

Memory: Judging
Memory: Optimization appears fine though it can be hard to tell due to the nature of the glitch.
This game has multiple different scenarios that change starting conditions and other mechanics. However, all scenarios share the same ending so I think only one variant of this branch needs to exist. I do not see the need for this save glitch to be replicated in other scenarios, but I could be wrong. In my opinion other scenarios would best be represented if they do not use this glitch and are entertaining enough to be accepted to Moons.
Audience response was fairly mixed. There were some people that felt the TAS was boring and others that were very entertained. There was 84% support in the votes (12 yes, 3 meh, 1 no). I personally felt the TAS was a little dull but I'm not super against the movie. I could see this movie being moons but if ratings swing the other way I could easily see this being sent to Vault later on.
Accepting to Moons.
fsvgm777: Processing.


TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15542
Location: 127.0.0.1
This topic is for the purpose of discussing #6538: Jigwally's NES L'Empereur "save glitch" in 01:52.08
Active player (302)
Joined: 3/15/2018
Posts: 235
Location: United States
Linked lists! Finally putting that computer science degree to good use! Was there a chance that you'd end up with an unlucky series of pointers that overflows the menu and crashes or something?
Jigwally
He/Him
Active player (427)
Joined: 3/11/2012
Posts: 119
warmCabin wrote:
Linked lists! Finally putting that computer science degree to good use! Was there a chance that you'd end up with an unlucky series of pointers that overflows the menu and crashes or something?
Yeah, there are several actions you can try to take that will cause the game to crash when trying to load the officer list, including AI turns when it's scanning through the officer lists of hostile neighbor cities. I'm guessing it's because it gets stuck in a permanent loop trying to traverse the officer list. The path it takes through RAM & whether it gets stuck in a loop probably depends on which ROM page is loaded into the RAM banks at the time. It now occurs to me that you could probably circumvent this by making sure controller input points to a zero value on the critical frame. My first attempt to set the ending flag was to set a glitched officer's number of men, horses or cannons to 3 but that ended up crashing, but then I figured out the Ball event which is way faster anyway. Sometimes when you attempt the Ball it will immediately crash afterwards and/or display graphical glitching. You can actually see a graphical glitch occur at the moment the bonuses are applied during the Ball.
Joined: 5/23/2014
Posts: 162
Interesting from a technical perspective. Okay from an entertainment perspective.
letcreate123
He/Him
Player (210)
Joined: 11/16/2012
Posts: 42
Location: Chile
Points for the technical quality of the movie, but it wasn't that entertaining to watch, what with this being a simulation game. Voting Meh.
Banned User
Joined: 8/2/2017
Posts: 89
Location: Brazil
Did it take 1 year to make this TAS? Also, the save glitch looks like arbitrary code execution. Yes vote, by the way.
Cuphead TASes desyncs unfortunately.
Lobsterzelda
He/Him
Skilled player (1256)
Joined: 3/17/2019
Posts: 282
Nice TAS. I found it entertaining due to the impressive technical feat of corrupting the game's linked list of officers to point to a spot in memory you want to beat the game quickly. This gets a yes vote for me. I do have 2 questions for you though: 1. Without this save glitch, roughly how long does the game take to complete? 2. How did you discover that the game's officers were being stored in a linked list, and how did you find where the linked list was in memory?
Joined: 5/2/2012
Posts: 5
Lobsterzelda wrote:
1. Without this save glitch, roughly how long does the game take to complete? 2. How did you discover that the game's officers were being stored in a linked list, and how did you find where the linked list was in memory?
1. Not entirely sure, hopefully sub-20 minutes. Your AI commanders can request to attack cities on their own which lets you capture cities without having to view battle sequences. You can manipulate RNG to capture (almost) all of the enemies' officers each battle. You can also bait the enemy into attacking your city only for them to lose & get all their officers captured. England's sea control makes it hard to go after them but you can start decimating their ship count by baiting them into attacking an unoccupied coastal city & then recapturing it. To further weaken the enemy you can manipulate national actions so that nations go to war with each other & whittle down each others' forces in the process, or random events like the plague to hit a bunch of enemy cities. I might try it at some point but clearly it takes a lot of planning & manipulation.
2. Pretty sure I started off just using RAM search to detect changes I made to a specific officer's stats & then slowly intuited the meaning of the entire array from that.
btw, the NES Koei games (& some of their SNES games) all appear to have been compiled from C source code to a custom bytecode interpreted by a virtual machine: https://forums.nesdev.com/viewtopic.php?f=2&t=15931
There are also game functions that are in 6502 but I'm pretty sure were also directly compiled from C based on their formatting. The text strings are formatted like C-strings and the games contain functions from the C standard library, including the random number generator.
Experienced player (875)
Joined: 11/15/2010
Posts: 267
nice job breaking a CRC. Love this stuff! Easy yes vote
Player (13)
Joined: 6/17/2006
Posts: 506
Short and sweet - yes vote! Looking forward to what you can do with other NES Koei games!
Alyosha
He/Him
Editor, Emulator Coder, Expert player (3807)
Joined: 11/30/2014
Posts: 2827
Location: US
Cool! I'm always surprised how these types of things end up with a useful result instead of just random nonsense. Nice work, yes vote.
Banned User
Joined: 8/2/2017
Posts: 89
Location: Brazil
Everyone please give yes vote for TASMania!
EZGames69
He/They
Publisher, Reviewer, Expert player (4454)
Joined: 5/29/2017
Posts: 2761
Votes do not determine if a tas gets accepted.
Banned User
Joined: 12/26/2006
Posts: 231
Location: Lonely City
I like Strategy Game from Koei, Capcom, Namco, Nintendo... Now, I have appreciated a brilliant decision maker and an awesome heavy luck manipulation in this TAS. Easy yes vote.
work hard
Memory
She/Her
Site Admin, Skilled player (1551)
Joined: 3/20/2014
Posts: 1765
Location: Dumpster
Do the other scenarios share the same ending?
Jigwally
He/Him
Active player (427)
Joined: 3/11/2012
Posts: 119
Yes, they all lead into each other. In Scenarios 1/2 you aren't the ruler yet so you only have partial control. You can advance to the next Scenario after you control a certain number of cities + centers of power (important cities). Alternatively in Scenario 2 you can go on an Egyptian expedition event, if you succeed (get the Rosetta stone) you can then immediately go to Paris to advance to Scenario 3. The only variation you can get in the ending I think, is that the first quote is said by whoever your wife is at the time (it won't appear at all if you win the game before your first marriage or between marriages), & the subsequent quotes have different portraits depending on who the other current leaders are. Also, in the other releases of this game there's a very difficult Scenario 5 that is unlocked if you get a game over from Napoleon getting captured. The game doesn't contain the starting data for Scenario 5 or any way to unlock it but the code/data pertaining to it is still intact. In fact if you change the scenario (0x6FEA) to 5 you can see that it causes every nation in the game to try to break off ties with you, eventually every nation you aren't allied with will be at war with you.
Post subject: Movie published
TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15542
Location: 127.0.0.1
This movie has been published. The posts before this message apply to the submission, and posts after this message apply to the published movie.
[4065] NES L'Empereur "save glitch" by Jigwally in 01:52.08