Posts for FractalFusion


Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
I think this is probably a movie that will go into Vault. Does anyone else have any opinions or comments about this run?
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Any of the controller 2 tricks are considered cheat/debug codes. This includes:
- controller 2 right for superjump
- controller 2 up for slow motion
- controller 2 up + A for time freeze
See http://www.mmhp.net/GameHints/MM3.html (Tricks and Secrets) for more information.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Samsara wrote:
It's so obscure, Wikipedia doesn't even have a page for it.
There's a page for it on the Japanese Wikipedia, yet it is a complete stub. That speaks a lot about its obscurity.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
JWinslow23 has recently been warned at least twice, and users have repeatedly called for his ban. Despite this, he still continues to make inane (and most recently, contentious) posts. JWinslow23 is now banned from posting and making submissions until Dec. 24, 2012. JWinslow23 received the short end of the stick in this topic derailment, but users who contributed to this derailment are now warned that such continued behavior will lead to a ban in the future.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
There is a history to this. It is neither an easter egg nor a bug. http://tasvideos.org/forum/viewtopic.php?t=6054 Also, a lot of tag abuse occurred shortly after it was implemented.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Someone is doing the Japanese version (video on nico)
Account: (Part 1) http://www.nicovideo.jp/watch/sm19575142 (Part 2) http://www.nicovideo.jp/watch/sm19620678
No account: (Part 1) http://www.nicozon.net/watch/sm19575142 (Part 2) http://www.nicozon.net/watch/sm19620678
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Because of the split, a few useful parts of posts were diverted. I'll post the quotes here.
Hina98 wrote:
On-topic: Cronikeys you're doing some amazing things with these clips! I remember being incredibly impressed by Sami's 100% TAS, but you're blowing it out of the water! Good luck, I can't wait to see some WIP's.
Cronikeys wrote:
Anyway. Regarding Banjo-Kazooie: I'm working on a few ideas to skip more jiggies by entering levels early. I had an idea for Bubblegloop Swamp but I found that the "water" in the marsh outside of the level is a different object which you can't swim in. It has depth if you look at it from the side (using L to Levitate cheat codes or MHS to hack yourself oob) whereas normal water does not. The floor of the BGS lobby area is also what damages you and the "water" object is what spawns the little red dot particle effect from the piranhas.
EEssentia wrote:
Phew. Anyway, Cronikeys, I think it's great that you're finding all these glitches! Keep up the good work and don't let these people get to you! You are as welcome as anyone else. So instead of fighting, let's have fun. Let's enjoy these things we do for fun.
HiipFire wrote:
btw, great job you're doing on breaking this game.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
You're right. I also added Demonstration, Uses a game restart sequence, Heavy glitch abuse, and Corrupts save data.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Excellent. Yes vote. You made Nightmare Mother look so easy. And apart from the first couple stages, it is really just another Mega Man Zero game.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Hm, I somehow missed the part of p4wn3r's post that said that after a HALT, the game writes input to FFF5. Well then, that makes it even easier.
76        HALT
F0 F5     LDH A (FFF5)
22        LDI (HL) A
C3 xx D3  JP D3xx
... provided that the code is followed by a bunch of 0s or statements that have no significant effect when executed. The jump to D3xx goes into these 0s, and the code is located so that xx D3 falls on D36D, which is the pointer to this code. Of course HL is set to D3xx as well, and the program writes there. The mind-numbing thing is that the program continuously executes (every cycle) whatever is written there. This can be bypassed using some well-placed spaghetti code, provided there is enough room to do so. I'll get to that later. I now change the code to make use of rival name, and avoid switching parity. Here is the 11-byte block (all NOPs are hack bytes):
00        NOP
00        NOP
22        LDI (HL) A
00        NOP
76        HALT
00        NOP
F0 F5     LDH A (FFF5)
D4 50 D3  CALL NC D350
Note that the program will always call routine since carry is always clear. The initial placement of LDI (HL) A means that the program will start by writing 0x50, and fortunately this is a harmless instruction (LD D B). In terms of taking D343-D34D and swapping it to D322-D32C, this is:
   00 30 00 sp       fm pk ed
0  $1 $2 $3 N1 0  0  N2 N3 N4 0
*  .  *  .  *  .  *  .  *  .  *
00 00 22 00 76 00 F0 F5 D4 50 D3
where $ is money byte, N is rival name byte, * means quantity (when switched to D322-D32C), and . means item ID. Some * bytes must be reduced through item tossing, but . bytes are exact, so parity need not be switched. I then place this 11-byte block at D364-D36E. When executed, this program writes 0x50 at D350, then writes in forward direction whatever input you give it. D350 is also executed every frame (this is why the writing program must be preceded by harmless opcodes such as 0s). Using input, I write the following at D351 (remember this is located just before the writing program):
18 0F     JR there
there2:
16 80     LD D 0x80 (limit)
21 6F D3  LD HL D36F (target)
input:
76        HALT
F0 F5     LDH A (FFF5)
22        LDI (HL) A
15        DEC D
CA 6F D3  JP Z D36F (target)
18 F6     JR input
there:
18 EF     JR there2
Here's an explanation of why this works:
- The program first writes 0x18 so the instruction reads "jump relative by 0". When executed, this doesn't branch anywhere (think about it), so execution normally falls back into the writing program.
- Next time through, the program writes 0x0F so now the instruction reads "jump relative forward by 15". Provided there is enough space, execution still falls back into the writing program.
- Because of the jump instruction, the program will not execute the following 15 bytes through the next 15 cycles, so the program can write whatever it wants there.
- At the destination of the jump, the program then writes 0x18. The instruction there reads "jump relative by 0", and again no harm is done.
- Finally, the program writes 0xEF so now the instruction reads "jump relative backward by 17". When execution hits this instruction, it jumps into the new program written in the 15 bytes between the jumps, and stage 2 begins.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
In profile, you'll need to put $ in the URL. The site will replace the $ with the number corresponding to whichever mood avatar you choose. For example, if you enter "http://tasvideos.org/avatar$.png" as the URL, then mood 1 will use "http://tasvideos.org/avatar1.png", mood 2 will use "http://tasvideos.org/avatar2.png", and so on. All your mood avatars must be located at the same path and the same name except for the mood number.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
I'm thinking about changing the game forum descriptions to something like this:
NES Games
Nintendo Entertainment System (Famicom), Famicom Disk System

SNES Games
Super Nintendo Entertainment System (Super Famicom)

Nintendo 64 Games

GameCube and Wii Games

Game Boy Games
Game Boy, Super Game Boy, Game Boy Color

Game Boy Advance Games

Nintendo DS Games

SMS and ColecoVision Games
Sega Master System, Game Gear, SG-1000, ColecoVision

Sega Genesis Games
Genesis (Mega Drive), 32X, CD (Mega-CD)

Sega Saturn Games

PlayStation Games

PlayStation 2 Games

TG-16/PCE Games
TurboGrafx-16 (PC Engine), SuperGrafx, CD-ROM, PC-FX

Arcade Games

MS-DOS Games
Old DOS games on PC

MSX Games
MSX, MSX2, MSX2+

Atari Games
2600, Lynx

Windows Games
Games that operate with Hourglass

Other Handhelds
Virtual Boy, Neo Geo Pocket (Color), WonderSwan (Color)

Anything Else
I'll do something as well for the emulator forums. Edit: Here is my plan for the emulator forums:
Bizhawk
NES/FDS, SNES, GB/SGB/GBC, SMS/GG/SG-1000, TG-16(PCE)/PCE-CD/SGX, Atari 2600, ColecoVision, TI-83

SNES: lsnes, Snes9x, ZSNES

N64: Mupen64

GCN/Wii: Dolphin

GBx: Visual Boy Advance

DS: DeSmuME

GEN(SMD): Gens

SAT: Yabause

PS: PSXjin, PCSX-rr

Arcade: FBA, MAME

MS-DOS, MSX: JPC-rr, openMSX

Mednafen/PCEjin/VBjin
TG-16(PCE)/PCE-CD/PC-FX, Lynx, WonderSwan (Color), Neo Geo Pocket (Color), SuperGrafx

Windows: Hourglass
Technically not an emulator

Other Emulators

SMS emulators (deprecated)
Deprecated Sega Master System Emulators such as Dega. BizHawk is the preferred emulator.
I also plan to shut down the Swedish, German, and Finnish boards and create a new "Other Languages" forum.
日本語
日本語でTASについて話す場所。 Japanese

Français
Un lieu pour parler de TAS en français. French

Español
Un lugar para hablar de TAS en español. Spanish

Português
Um lugar para falar de TAS em português. Portuguese

Русский
Поговорим о тасинге по-русски. Russian

Other Languages
Something like this.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
This thread was formed from the merging of various splits from submission threads. All concerned posts were off-topic and had nothing to do with the submissions.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
For me, the movie still stops before clearing the dialog.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
From all the information (or lack thereof) I gather about this game, it appears that:
- this game was made using a Knytt Stories level editor, from which many such game mods are made ( see http://nifflas.lpchip.nl/index.php?board=39.0 and http://knyttlevels.com/ ).
- this game has very little open information about it on the internet. It seems that the only place where it can be downloaded is here on TASVideos, in either of the two submissions pertaining to it.
- this game is not promoted by anyone aside from those with vested interest in the Zelda speedrunning community.
- based on comments in the two submissions, this game is not finalized.
I would like some opinions or feedback about this game or about Knytt (Stories) in general from more members. Do you think that this should be published as Moon(+), Vault, or neither? The [Vault] criteria page currently says that hacks are off-limits (of which this may be argued as one) and unlicensed and homebrew games are judged based on notability. The [Moons|Moon] criteria page does not specifically mention these two, only "entertainment value", although I think there should be standards for Moon as well. According to people in our community, Desert Bus is entertaining. Does that mean Desert Bus should be published in Moon tier?
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
dunnius reported on IRC that the RNG in this game is at 0x2E-0x2F (0x2C-0x2D for J version). In fact, using FCEUX's debugger, I figured out that the formula is as follows:
x := 9*x + 97 (mod 65536)
where x is 16-bit value at 0x2E (big endian). This makes it a linear congruential generator with period 65536. The routine that does this is:
00:968E:85 32     STA $0032 = #$81
00:9690:E6 32     INC $0032 = #$81
00:9692:A5 2E     LDA $002E = #$92
00:9694:85 30     STA $0030 = #$92
00:9696:A5 2F     LDA $002F = #$C9
00:9698:85 31     STA $0031 = #$C9
00:969A:06 2F     ASL $002F = #$C9
00:969C:26 2E     ROL $002E = #$92
00:969E:06 2F     ASL $002F = #$C9
00:96A0:26 2E     ROL $002E = #$92
00:96A2:06 2F     ASL $002F = #$C9
00:96A4:26 2E     ROL $002E = #$92
00:96A6:A5 2F     LDA $002F = #$C9
00:96A8:18        CLC
00:96A9:65 31     ADC $0031 = #$C9
00:96AB:85 2F     STA $002F = #$C9
00:96AD:A5 2E     LDA $002E = #$92
00:96AF:65 30     ADC $0030 = #$92
00:96B1:85 2E     STA $002E = #$92
00:96B3:A5 2F     LDA $002F = #$C9
00:96B5:18        CLC
00:96B6:69 61     ADC #$61
00:96B8:85 2F     STA $002F = #$C9
00:96BA:A5 2E     LDA $002E = #$92
00:96BC:69 00     ADC #$00
00:96BE:85 2E     STA $002E = #$92
00:96C0:C5 32     CMP $0032 = #$81
00:96C2:90 05     BCC $96C9
00:96C4:E5 32     SBC $0032 = #$81
00:96C6:4C C0 96  JMP $96C0
00:96C9:60        RTS
To find the routines, just set read/write breakpoints on the RNG address. Of course it depends on the emulator.
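Added example, not part of the original post: a byte-level Python model of the disassembly above, checked against the stated formula for every 16-bit state. The function names are this example's own, and the reading that the routine returns the high byte reduced modulo (entry A + 1) is taken from the CMP/SBC loop at $96C0.

```python
def rng_routine(zp, a):
    """Byte-level model of the routine at $968E-$96C9.

    zp maps zero-page addresses to bytes; a is the accumulator on entry.
    Updates zp in place and returns the accumulator at RTS.
    """
    zp[0x32] = (a + 1) & 0xFF                  # STA $32 / INC $32
    zp[0x30], zp[0x31] = zp[0x2E], zp[0x2F]    # keep a copy of the old value
    for _ in range(3):                         # ASL $2F / ROL $2E, three times: x * 8
        carry = zp[0x2F] >> 7
        zp[0x2F] = (zp[0x2F] << 1) & 0xFF
        zp[0x2E] = ((zp[0x2E] << 1) | carry) & 0xFF
    # Two 16-bit additions (CLC, ADC low, ADC high): + old x, then + $0061.
    for add_hi, add_lo in ((zp[0x30], zp[0x31]), (0x00, 0x61)):
        lo = zp[0x2F] + add_lo
        hi = zp[0x2E] + add_hi + (lo >> 8)
        zp[0x2F], zp[0x2E] = lo & 0xFF, hi & 0xFF
    a, limit = zp[0x2E], zp[0x32]
    if limit == 0:
        # A = $FF on entry wraps $32 to 0; CMP/SBC would then never exit.
        raise ValueError("entry value $FF makes the subtract loop non-terminating")
    while a >= limit:                          # CMP $32 / BCC / SBC $32 / JMP
        a -= limit
    return a


def lcg_step(x):
    """The formula from the post: x := 9*x + 97 (mod 65536)."""
    return (9 * x + 97) % 65536


def routine_matches_formula(entry_a=9):
    """Compare the byte-level model with the formula for all 65536 states."""
    for x in range(65536):
        zp = {0x2E: x >> 8, 0x2F: x & 0xFF}    # big endian: $2E is the high byte
        out = rng_routine(zp, entry_a)
        new = (zp[0x2E] << 8) | zp[0x2F]
        if new != lcg_step(x) or out != (new >> 8) % (entry_a + 1):
            return False
    return True


def period(seed=0):
    """Number of steps before the generator returns to seed."""
    x, n = lcg_step(seed), 1
    while x != seed:
        x, n = lcg_step(x), n + 1
    return n


if __name__ == "__main__":
    print("model matches formula:", routine_matches_formula())
    print("period:", period())
```
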
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Now to the patching program, which writes a 34-byte program at D465. Here is the table of 1x2y and 2x2y addresses:
xxyy
 yy=20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
xx=
10: FA E0 D4 A7 C8 47 0E 00 11 10 C1 2A 12 14 7B C6
11: 0A 5F 3E 6B 22 7B A7 28 06 18 F1 3E 63 83 77 D1
12: D1 3C 22 F1 77 C9 3E 01 EA 4A CC 3E 40 EA 9A D0
13: D1 06 41 C3 5B 3C 21 DB D0 4F 06 00 09 7E C9 F0
14: 3E 09 38 17 78 FE 4A 3E 0A 38 10 78 FE 74 3E 0B
15: D4 CB BE E1 C9 E5 21 2F D4 CB 9E E1 C9 E5 21 2F
16: 1E F1 CD 7E 3E F1 E0 BA C9 3E 08 E0 C6 CD 64 1E
17: 20 FC C9 E5 1A FE 50 20 04 44 4D E1 C9 FE 4E 20
18: C3 24 17 93 8C 50 93 91 80 88 8D 84 91 50 8F 82
19: F0 F9 AB EA 57 D3 79 EA 3A CC 78 EA 3B CC 2A FE
1A: 28 10 FE 16 28 0C 7E CD 38 22 CD 3E 37 E1 C1 C3
1B: 2A 12 7B 3C E6 1F 47 7B E6 E0 B0 5F 0D 20 EE C9
1C: C9 F0 C6 A7 C8 08 BF FF F0 C7 6F F0 C8 67 F9 F0
1D: E0 4A E0 06 E0 07 E0 47 E0 48 E0 49 3E 80 E0 40
1E: 00 20 CD 9B 49 CD F5 1E CD 6D 3E CD C8 01 F0 D6
1F: 3C C0 AF EA 43 DA FA 42 DA 3C EA 42 DA FE 3C C0
20: CD 93 20 20 DE C3 9B 20 F0 FF E6 0F FE 08 20 D3
21: 33 21 FA 42 CC C6 60 E0 AC F0 AA FE 02 20 04 3E
22: 78 18 15 AF EA 2A C0 EA 2B C0 EA 2C C0 EA 2D C0
23: C0 F0 B8 F5 3E 01 CD 7E 3E 3E FF EA CA CF CD B7
24: 3E 03 EA A6 D0 AF EA A0 D0 EA A1 D0 EA A7 D0 CD
25: D0 67 23 C3 8D 27 E1 AF EA A0 D0 FA A7 D0 CB 4F
26: FA A3 D0 85 30 01 24 EA AC D0 7C EA AD D0 FA A0
27: D0 47 FA A2 D0 B8 20 BD AF EA A0 D0 C9 11 5D 27
28: 84 3E 21 11 CF CB 46 CB 86 20 06 FA 5D D3 CD 8B
29: 29 3E 02 EA 93 CF F0 B8 F5 3E 01 CD 7E 3E CD A5
2A: D7 CB 6F FA 26 CC 0E 07 20 01 0D B9 20 C6 AF EA
2B: 93 CF A7 20 03 CD 1C 23 3E 01 EA 37 CC FA 29 D1
2C: 2F D7 CB B6 C3 E8 35 CB 4F C2 33 2D CB 57 C2 C9
2D: C9 AF EA 35 CC 3E FF C9 F1 F6 F7 50 7F 7F 7F 7F
2E: CD 03 13 F1 EA 1D D1 E1 D1 13 FA 93 CF FE 03 20
2F: F1 06 F6 80 12 13 3E 50 12 F1 EA 1D D1 C1 D1 E1

 yy=20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
If the desired number is in the 1x2y table, use the two-byte load (0x11):
11 2y 1x *2F 1A 22
If the desired number is in the 2x2y table, use two one-byte loads (0x16, 0x1E):
16 2x 1E 2y 1A 22
It is somewhat more complicated if the number is not in the table. I won't say more on that now. Here is the patching program. It begins at D37D and runs for 232 bytes. It sets the HL pointer to D465, then writes the stage 2 program (bytes indicated on the right, with assembly translation). Starred (*) opcodes in the patching program are hack bytes.
21 10 2F *1F                       HL=2F10
29 *1F                             HL=5E20
29                                 HL=BC40
11 25 18 *2F                       DE=1825
19 *2F                             HL=D465
11 25 1A *2F 1A 2F *13 22          F3  DI
16 21 1E 21 1A 22                  21  LD HL 98EE
11 2E 1B *2F 1A 22                 EE
11 2D 1C *2F 1A 2F *13 22          98
11 22 11 *2F 1A 22                 3E  LD A 77
11 2E 11 *2F 1A 22                 77
11 24 11 *2F 1A 22                 22  LDI (HL) A
11 24 11 *2F 1A 22                 22  LDI (HL) A
16 27 1E 2D 1A 22                  11  LD DE FEFF
11 27 1C *2F 1A 22                 FF
11 25 14 *2F 1A 22                 FE
16 21 1E 21 1A 22                  21  LD HL DAAA
16 21 1E 2A 1A 22                  AA
11 25 1F *2F 1A 22                 DA
                                   input:
11 2C 19 *2F 1A *24 17 *25 *13 22  76  HALT
16 21 1E 2F 1A 22                  3E  LD A 3
16 24 1E 21 1A 22                  03
16 22 1E 24 1A 22                  EA  LD (2000) A
11 27 10 *2F 1A 22                 00
16 20 1E 22 1A 22                  20
16 20 1E 20 1A 22                  CD  CALL 4004
16 21 1E 2E 1A 22                  04
11 2C 12 *2F 1A 22                 40
16 20 1E 28 1A 22                  F0  LDH A (FFF5)
16 23 1E 23 1A 22                  F5
11 24 11 *2F 1A 22                 22  LDI (HL) A
16 2E 1E 22 1A 22                  13  INC DE
11 2E 10 *2F 1A 22                 7B  LD A E
11 2A 17 *2F 1A 2F *13 22          B2  OR D
16 23 1E 2C 1A 22                  CA  JP Z DAAA
16 21 1E 2A 1A 22                  AA
11 25 1F *2F 1A 22                 DA
16 22 1E 21 1A 22                  18  JR input
16 2E 1E 22 1A 2F *13 22           EC
*1F *2F *1F
About the stage 2 program: The initial part (above HALT) sets the size of the stage 3 program (0x10000-0xFEFF = 257 bytes) and where it is written to (0xDAAA). The part under input uses bank switch to 3 and call routine at 0x4004 (thanks p4wn3r) to get input value to FFF5. I also did some study on VRAM and experimented. Since there was a little room left to fit in a few more bytes into the stage 2 program, I inserted instructions (above HALT) to write ぇ tiles on the screen. The tiles already exist from before the PC hijack. I'm currently planning what the stage 3 program should do. I'll probably need to study sound as well. I'm not sure how the music keeps playing or where the music data is stored. (I used HALT, unlike bortreb's submission at least for his first 3 stages).
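Added example, not part of the original post: a small Python interpreter for the opcodes used at the start of the patching program, run against the five table rows it reads, to confirm the listing's HL comments and the first eight stage 2 bytes. Initial A and carry are assumed to be 0 (they do not affect this fragment's output), the function names are this example's own, and the last check is the 1x/2x alternation noted in the 11-byte writer post on this page.

```python
# ROM bytes at xx20..xx2F, copied from the rows of the post's table that this
# fragment reads (rows 11, 1A, 1B, 1C and 21).
ROM_ROWS = {
    0x11: "0A 5F 3E 6B 22 7B A7 28 06 18 F1 3E 63 83 77 D1",
    0x1A: "28 10 FE 16 28 0C 7E CD 38 22 CD 3E 37 E1 C1 C3",
    0x1B: "2A 12 7B 3C E6 1F 47 7B E6 E0 B0 5F 0D 20 EE C9",
    0x1C: "C9 F0 C6 A7 C8 08 BF FF F0 C7 6F F0 C8 67 F9 F0",
    0x21: "33 21 FA 42 CC C6 60 E0 AC F0 AA FE 02 20 04 3E",
}
ROM = {(row << 8) | (0x20 + col): int(text, 16)
       for row, line in ROM_ROWS.items()
       for col, text in enumerate(line.split())}

# First 13 lines of the patching program as listed (hack bytes included).
PATCHER = bytes.fromhex(
    "21 10 2F 1F  29 1F  29  11 25 18 2F  19 2F "
    "11 25 1A 2F 1A 2F 13 22  16 21 1E 21 1A 22 "
    "11 2E 1B 2F 1A 22  11 2D 1C 2F 1A 2F 13 22 "
    "11 22 11 2F 1A 22  11 2E 11 2F 1A 22 "
    "11 24 11 2F 1A 22  11 24 11 2F 1A 22")

# Right-hand column of the listing: DI; LD HL 98EE; LD A 77; LDI; LDI
EXPECTED = bytes.fromhex("F3 21 EE 98 3E 77 22 22")


def run_patcher(code, rom, a=0, carry=0):
    """Interpret the opcode subset above; return (first write address, bytes written)."""
    hl = de = pc = 0
    start, out = None, bytearray()
    while pc < len(code):
        op = code[pc]
        pc += 1
        if op == 0x11:                       # LD DE,nn (little endian operand)
            de = code[pc] | (code[pc + 1] << 8)
            pc += 2
        elif op == 0x21:                     # LD HL,nn
            hl = code[pc] | (code[pc + 1] << 8)
            pc += 2
        elif op == 0x16:                     # LD D,n
            de = (code[pc] << 8) | (de & 0x00FF)
            pc += 1
        elif op == 0x1E:                     # LD E,n
            de = (de & 0xFF00) | code[pc]
            pc += 1
        elif op == 0x1A:                     # LD A,(DE): read from ROM
            a = rom[de]
        elif op == 0x2F:                     # CPL
            a ^= 0xFF
        elif op == 0x13:                     # INC DE
            de = (de + 1) & 0xFFFF
        elif op in (0x19, 0x29):             # ADD HL,DE / ADD HL,HL
            total = hl + (de if op == 0x19 else hl)
            hl, carry = total & 0xFFFF, total >> 16
        elif op == 0x1F:                     # RRA (rotate right through carry)
            a, carry = (a >> 1) | (carry << 7), a & 1
        elif op == 0x22:                     # LDI (HL),A
            if start is None:
                start = hl
            out.append(a)
            hl = (hl + 1) & 0xFFFF
        else:
            raise ValueError(f"opcode {op:02X} is not modelled")
    return start, bytes(out)


def alternates_1x_2x(code):
    """True if every byte is in the 1x or 2x row and the rows alternate."""
    rows = [b >> 4 for b in code]
    return set(rows) <= {1, 2} and all(x != y for x, y in zip(rows, rows[1:]))


if __name__ == "__main__":
    start, written = run_patcher(PATCHER, ROM)
    print(f"{start:04X}: {written.hex(' ').upper()}")
    print("matches listing:", written == EXPECTED)
    print("1x/2x alternation holds:", alternates_1x_2x(PATCHER))
```
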
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
OK, I've managed to reduce it to 11 bytes. I must warn though that what follows is pretty hackish:
24      INC H
input:
76      HALT
E2      LDH (C) A
F2      LDH A (C)
2F      CPL A
32      LDD (HL) A
02      LD (BC) A (item hack)
18 F8   JR input
64 D3   (not executed) pointer
Inject this code into D364. The pointer above will fall on D36D, as desired. This code relies on the fact that the registers have preset values at the moment of PC hijack:
AF: 5880
BC: AF00
DE: 0D5D
HL: D364 (or whatever D36D points to)
SP: DFF9
PC: D364
In particular, HL is whatever D36D points to (D364), so INC H (making it D464) to obtain a sane starting point for HL (byte sequence will be written backwards and will overwrite the JR opcode thus allowing execution of the byte sequence). C already has 0, and A already has a number whose 4th bit is 1 and 5th bit is 0, so there is no need to initialize them. Finally, DI is not required for this, and HALT controls it so bytes are written per frame. This code also relies on the fact that a patching program can be written entirely in the 1x and 2x opcode rows. Note that the output byte sequence is limited to 1x and 2x opcodes, and 1x alternates with 2x (this is from "LDH A (C)" and "CPL A" above). The idea is to load an address 1x2x or 2x2x into DE, load A with the value at that address (which comes from the ROM) and put it in the address pointed by HL (which should be Dxxx-something). A can also be modified using CPL, DAA, RR, and RL, and the address for HL can be set up quickly because of "ADD HL,HL" (essentially HL:=HL*2), among H and L-modifying opcodes. All these opcodes come from the 1x and 2x rows. A self-contained program cannot be written entirely in 1x and 2x rows (because no backward branches are possible) but since this patching program need not be self-contained, just write a new program after the byte sequence. I should do more testing.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
I'm experimenting with making a total control hack using as little time to set up as possible. Noting that it is possible to switch 11-byte blocks (thanks p4wn3r), I've been planning to inject the following byte sequence into D358:
00 21 FF D3 AF 4F 7C F3 E2 F2 BA 28 F9 5F CB 37 AA 32 53 20 F1 58 D3
Notice that this sequence is 23 bytes long, and D359 is the start of an 11-byte block. The byte sequence has to be carefully chosen since not all items are tossable (and some of them crash when selected). I also want the program to be zero-free, except for D358. Explanation:
00            NOP (item hack)
21 FF D3      LD HL D3FF
AF            XOR A (A:=0)
4F            LD C A (C:=A)
input:
7C            LD A H (A:=H, works because D3 has bit 4 on and bit 5 off)
F3            DI (disable interrupts)
E2            LDH (C) A ((FF00):=A)
F2            LDH A (C) (A:=(FF00))
BA            CP D (check input changed)
28 F9         JR Z input (if not, goto input)
5F            LD E A (E:=A)
CB 37         SWAP A (swap nibbles)
AA            XOR D (XOR with last input)
32            LDD (HL), A (write A to memory pointed by HL and decrement HL)
53            LD D E (D:=E, new last input)
20 F1         JR NZ input (goto input; NZ is for item hack)
58 D3         (not executed) (this pointer falls on D36D and jumps to D358) 
This program starts writing from D3FF backwards. It writes a "nibble chain program" in which the low nibble of byte N is the same as the high nibble of byte N+1. Also, the nibbles of a byte cannot be the same. Input is A, B, Select, Start which can write any nibble values from 0x0 to 0xF. The program is set up so that when writing backwards, it will trample D36C (the F1 in "20 F1", or JR NZ input) which would allow jumping to the new program. I still have to check that a valid program can be written but I am confident that it can be done. I made a movie (starting from savestate) showing how the 23 bytes above can be injected into D358 (actually, I made a mistake and used D4 instead of D3 in "21 FF D3", or LD HL D3FF). This is how (after reset and continue):
- Switch the 6th and 10th pokemon to overwrite the item counter.
- Throw away the 3rd item; this messes up all the game settings and causes text to appear instantly.
- Switch the 9th and 11th pokemon; this fills the item area with FF, which is much faster to scroll through (this is why I aim for a zero-free program, since it is not possible to get 0 if the item quantity is 0xFF).
- Toss items so that half the bytes of D322-D337 are set to the program above (excluding initial NOP).
- Switch the 17th and 18th pokemon; this switches D322-D32C with D32D-D337 to switch item parity.
- Toss items to complete D322-D32C and D32D-D337 (these are still switched).
- Switch the 17th and 19th pokemon; this sends D322-D32C to D338-D342 so D32D-D342 contains the program (except for the initial NOP) in the correct order.
- Switch the 16th and 17th pokemon; since D321 is 0, this sends D317-D321 to D322-D32C so D32C becomes 0, so D32C-D342 contains the above program.
- Finally, switch the 11th and 12th pokemon; this sends D32C-D342 to D358-D36E.
- Close the menu.
Since most of the time is spent scrolling through numbers, it may be possible to optimize further by having a program that may be longer but has numbers closer to 0xFF and 0x00. Numbers close to 0x80 take the longest.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
This run is a playaround but I think the branch should be changed. To me, "Total Control Hack" is misleading, but I can't think of another name for it at the moment. "Hacking" is fine, but not "Hack". Also, which tier do you think this should go in?
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Thanks, t3h Icy. I've removed the "unassisted record" for now.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
bortreb wrote:
When writing your payload program, you are not allowed to use any interrupts or the fixed jump instructions, since the interrupt handling code and fixed jump vectors are inside pokemon yellow's ROM. Without interrupts it's harder to play music and get input.
Does this apply to all programs written in RAM, or only the payload program? The initial bootstrap program uses absolute jumps, as detailed in this post. Also, since interrupts are like subroutines, does it mean that call routine instructions cannot be used? Edit: bortreb, you may use the edit button in the top right corner of each post.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
I played this run back in VBA and looked at the memory. I'm very pleased with how it works. Basically, this run hijacks the program counter so that it starts executing from RAM (which should never happen). The program counter is redirected to D53A (not at first, but close enough) to execute the first bootstrap program (~90 bytes). It writes the second bootstrap program at D162 (~200 bytes) and jumps there. It then writes the third bootstrap program at DAD9 (~730 bytes) and jumps there. Finally, it writes (while visibly showing the hex) the payload program and data at C000 (~4300 bytes) and jumps there. It actually starts writing a bit behind C000 but it doesn't matter since only the region C000-DFFF can be written to. Unfortunately, this region is only 8K, and this run uses over half of it for the payload. Compare the Super Mario Land ROM, which is 64K. Of course space optimization is a possibility, as well as just overwriting RAM data once it has been used up. By the way, if you play the run back, if you leave it running after it finishes the MLP jingle, weird sounds start playing back as the program reads sound data from uninitialized RAM. This isn't really a surprise though.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
No problem. I think VBA reports the true frame time (based on filesize). So VBA gives the correct time.
Editor, Experienced Forum User, Published Author, Skilled player (1941)
Joined: 6/15/2005
Posts: 3247
Thank you, bortreb. I have already updated the submission with the correct time though (the insanely large time that occurred was because of my testing).