Posts for HHS


HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
This was a very mean video, but I loved it, keep them coming.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Trying to throw the "hiding" sprite upwards will land you in $0583, which indicates the directions sprites are facing. Unfortunately, you can't get any useful instructions in here. Even if you could fill it up with $01, you'd at most be able to reach $0591, which doesn't seem to ever change.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Zowayix wrote:
What criteria does the game use to determine whether Mario can enter a pipe?
It takes your X position & 15, and if it's less than 12 (or 8, for a level with hills or if you're in air), it subtracts 16. It then adds 16 if you're standing on the left side of a pipe. If the resulting value is between 3 and 13, you may enter. In other words, you should be standing on the left side of a pipe with X & 15 between 3 and 12, or on the right side with X & 15 equal to 12. Since you were standing on the right side, then got ejected so that X & 15 became 12, you can enter.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Writing to any even location in the range 8000-9FFE will program the MMC3 Bank Select register. Bit 6 of this register selects the PRG bank mode. When set, the first 8K is fixed and the third 8K is swappable. When cleared, it is the other way around. SMB3 uses the layout where the first 8K is fixed. By writing 80 to 9C70, the other layout is selected, and eventually execution reaches 0081. (Return addresses are stored as 1 less than the address to return to.) For the pipe glitch to work, you must be standing on the pipe end, and you must be ejected to the right (so that you cross into the next tile) while holding the down button on the same frame. By being ejected, your position no longer corresponds with the tile the game assumes you're standing on.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
I think you don't need to call ReadJoypads, as it's called automatically during NMI. The X register is then free. The extraneous jumps are unnecessary. Thus, you get:
loop:
jsr $96e5
inx
lda $f7
sta program - initialX - 1, x
bne loop
program:
It would be beneficial to find a spot where a suitable BNE instruction already exists, so you don't need to enter it. Another possibility:
lda $f7
ldx $f8
sta somewhere, x
jsr $897b
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The game crashes in Safari with "EvalError: The this value passed to eval must be the global object from which eval originated".
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Marx wrote:
prove -12 = 12
Let's assume that if I am right, then -12 equals 12. If I am indeed right, it then follows that -12 equals 12, just like I said it would - therefore I am right, and -12 does equal 12.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Luckily I was able to figure out how to skip directly from the title screen to the introduction using a peculiar button sequence that tricks the game into executing the introductory scenes, or this never would have happened.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Zowayix wrote:
What causes the jump here?
When going outside the valid coordinates, it will start interpreting ROM bytes as tiles. In this glitch, we interact with a note block, and the game wants to replace it with a blank tile. But, by writing to the ROM area, we program an MMC3 register instead, and the PRG-ROM layout changes, so that wrong code gets executed, and it ends up doing an RTS with S=FF, taking the bytes $80 and $00 from $0100, thus returning to $0081.
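The bank-mode switch and the RTS return described in this post and in the earlier post on the MMC3 Bank Select register, modelled as an added example that is not part of the original posts. The class and function names are hypothetical, and the bank count, R6/R7 values and initial Bank Select value are constructed; only the write of $80 to $9C70, S=FF and the bytes at $0100 come from the posts.

```python
class MMC3:
    """PRG side of an MMC3 mapper; CHR banking is stored but not modelled."""

    def __init__(self, prg_banks_8k, bank_select, r6, r7):
        self.n = prg_banks_8k
        self.bank_select = bank_select
        self.regs = [0] * 8               # R0-R5 are CHR, R6/R7 are PRG
        self.regs[6], self.regs[7] = r6, r7

    def cpu_write(self, addr, value):
        # ROM cannot be written: a store to $8000-$9FFF reaches the mapper.
        if 0x8000 <= addr <= 0x9FFF:
            if addr % 2 == 0:             # even address: Bank Select
                self.bank_select = value
            else:                         # odd address: Bank Data
                self.regs[self.bank_select & 7] = value

    def prg_layout(self):
        """8K bank numbers visible at $8000, $A000, $C000 and $E000."""
        r6, r7 = self.regs[6], self.regs[7]
        fixed, last = self.n - 2, self.n - 1
        if self.bank_select & 0x40:       # bit 6 set: first 8K fixed
            return [fixed, r7, r6, last]
        return [r6, r7, fixed, last]      # bit 6 clear: third 8K fixed


def rts(ram, s):
    """6502 RTS: pull low byte, then high byte, and resume at address + 1."""
    s = (s + 1) & 0xFF                    # the stack pointer wraps within page 1
    lo = ram[0x0100 + s]
    s = (s + 1) & 0xFF
    hi = ram[0x0100 + s]
    return ((hi << 8 | lo) + 1) & 0xFFFF, s


def demo():
    # Constructed state: 32 banks of 8K, R6=10, R7=11, bit 6 set before the glitch.
    mapper = MMC3(prg_banks_8k=32, bank_select=0x46, r6=10, r7=11)
    before = mapper.prg_layout()
    mapper.cpu_write(0x9C70, 0x80)        # the tile replacement from the posts
    after = mapper.prg_layout()
    ram = bytearray(0x0800)
    ram[0x0100], ram[0x0101] = 0x80, 0x00  # the bytes the post says are at $0100
    return before, after, rts(ram, 0xFF)


if __name__ == "__main__":
    print(demo())
```

The first and third windows trade places after the write, so code that was running from a fixed bank is replaced under the CPU, and the RTS with S=FF resumes at $0081.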
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The X position and the tile you're standing on are used to determine if you can enter. To trigger the pipe glitch your X position & 15 must be equal to 11, and you must then be ejected 1 pixel to the right. The game will still think you're on the right side of the pipe, although you've been ejected into a different tile. If you are standing, you can then enter the pipe if you hold down on the same frame. This also works on the top side of the pipe, of course.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The forum broke the code. Try again with "Disable HTML in this post" checked. Edit: Lol. Guess where I am.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
This is extremely cool. As for finding the fastest route, don't forget to try Y positions as well ($20 is an obvious easy one).
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Yeah, that's another way of triggering the ending scene. If you can somehow put a nonzero value into $07d8 and manage to get back to the world map, then the game will end the next time you exit a level. By the way, to be reproducible on a real NES, a run should not depend on the values of uninitialized bytes of RAM. That's why you should avoid executing past $0102.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The display shows the bytes from $0081 up until the desired address that you want to manipulate (I used $00ae). White bytes are the beginnings of instructions. A red byte means that execution will be diverted before the target is reached. A yellow byte is a branch instruction. The target address is highlighted in green if it will be reached (assuming no branches are taken).
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
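I made a Lua script to show if a given instruction can be reached starting at $0081.
-- Address that execution should reach
target = 0xae

-- Instruction length indexed by (opcode AND 31); 0 marks an opcode treated as a stop
lengths={2,2,2,2,2,2,2,2,1,2,1,2,3,3,3,3,
 2,2,0,2,2,2,2,2,1,3,1,3,3,3,3,3}

while true do
 addr=0x81
 j=0   -- column on screen
 y=0   -- row on screen
 b=0   -- number of diverting instructions seen so far
 while y<16 do
  op=memory.readbyte(addr)
  l=lengths[AND(op,31)+1]
  color='#ffffff'
  -- JSR and JMP absolute divert execution
  if op==0x20 or op==0x4c then color='#ff0000' l=3 b=b+1 end
  -- So do the stop opcodes, RTI and RTS
  if l==0 or AND(op,0x8f)==2 or op==0x40 or op==0x60 then color='#ff0000' l=1 b=b+1 end
  -- Branch instructions
  if AND(op,31)==0x10 then color='#c0c000' end
  if addr==target then color='#00ff00' end
  -- Draw the opcode byte, then its operand bytes in a dimmer color
  for i=0,l-1 do
   x=memory.readbyte(addr)
   -- Everything after the first diverting instruction is drawn dark
   if b>1 then color='#502020' end
   gui.text(j*20,y*8,string.format('%02X',x),color)
   color='#bf9090'
   addr=addr+1
   j=j+1
   if j==12 then j=0 y=y+1 end
   if b==1 then b=2 end
  end
  if addr>target or addr<0x80 then break end
 end
 FCEU.frameadvance()
end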
This requires a recent version of FCEUX (2.0.3 doesn't support colored text).
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
For Super Metroid, which is a mode 20 cartridge, addresses $8000-$ffff in banks $80-$df (and in $00-$5f) are ROM. The first 8K of RAM, as well as CPU/PPU/DMA/controller registers, are always available in banks $00-$3f and $80-$bf.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
amaurea wrote:
Much of its shenanigans are sadly blocked by most writes being redirected to ROM, where they have no effect
Why do you think that? $900000-$901fff refers to the same locations as $7e0000-$7e1fff. So, if $7e0dc2, $7e1cad or $7e0a0a can be controlled, you can execute anything.
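The address aliasing argued in this post and in the preceding post on the mode 20 map, as an added example that is not part of the original posts. The names are hypothetical, the ROM offset arithmetic is the usual mode 20 (LoROM) formula rather than something stated in the posts, and register, expansion and SRAM regions are deliberately left unmodelled.

```python
WRAM_SIZE = 0x20000  # 128K of work RAM, fully visible in banks $7E-$7F


def resolve(addr24):
    """Classify a 24-bit CPU address using the ranges given in the posts."""
    bank, offset = addr24 >> 16, addr24 & 0xFFFF
    if bank in (0x7E, 0x7F):
        return ("WRAM", (bank - 0x7E) << 16 | offset)
    low_mirror = bank <= 0x3F or 0x80 <= bank <= 0xBF
    if low_mirror and offset < 0x2000:
        return ("WRAM", offset)           # first 8K of RAM, mirrored
    if offset >= 0x8000 and (bank <= 0x5F or 0x80 <= bank <= 0xDF):
        return ("ROM", (bank & 0x7F) << 15 | (offset & 0x7FFF))
    return ("OTHER", None)                # registers etc., not modelled here


class Bus:
    """Only the part of the bus needed to show which writes land in RAM."""

    def __init__(self):
        self.wram = bytearray(WRAM_SIZE)

    def write(self, addr24, value):
        kind, where = resolve(addr24)
        if kind != "WRAM":
            return False                  # ROM ignores the store
        self.wram[where] = value & 0xFF
        return True

    def read_wram(self, addr24):
        kind, where = resolve(addr24)
        return self.wram[where] if kind == "WRAM" else None


def demo():
    bus = Bus()
    stored = bus.write(0x900DC2, 0x42)    # bank $90, low 8K: aliases $7E0DC2
    dropped = bus.write(0x909C70, 0x42)   # bank $90, upper half: ROM
    return stored, bus.read_wram(0x7E0DC2), dropped


if __name__ == "__main__":
    print(demo())
```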
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Total control is definitely possible with this bug. After it writes $80 to $9c70, it starts executing completely wrong things and then it returns to $0081. A BRK is then needed to get the PRG layout back to normal. So, by manipulating some bytes between $0088 and $00ff to read 20 e3 8f, you can get to the ending scene. Note that the stack pointer is overflowing, so a JSR is needed to get it back where it should be (or the ending will be bugged and get stuck when the carpet goes up). Edit: I tried killing the 3 plants, then went up the next two pipes and brought down the flying koopa. I killed the koopa down below so that it died at X position $20. Then I brought the other koopa back to the beginning of the stage and sent it spinning, then placed the first koopa on the middle pipe. I stopped the spinning koopa at position $e3 and the walking koopa at position $8f, then went down into the glitched area. Unfortunately, my attempt was thwarted by a JSR $0010 instruction having appeared at $00a6, but it seems like it should be doable.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The game just goes haywire and ends up jumping into the middle of some function, and the current player ($0726) gets set to 255. That's why you start at a strange map location. Edit: The crash happens on frame 3329. Since you're outside the valid playing area, it is interpreting ROM bytes as tiles. In this case, you hit a $03 byte at $9c70, which is a note block. It eventually writes a $80 back to this location, which changes the PRG layout, and it starts executing random things it shouldn't.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Level 9 requires a fair bit of creativity to gather all the missing ingredients and build the right kind of container to put them into. At level 10, converting to HTML would be fine if it weren't for one little thing... Managed to beat 14. You just need to confuse the browser a little.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
The solution for level 8 is obvious. Don't know how to beat level 9, though. If I could just get at the window object, I could call eval and I'd be done. Edit: Oh, got it now, didn't have to call eval after all.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Ah, sorry, it's 7ECF6F.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
A basketball that's 1m above the Earth has less entropy than a basketball sitting on the Earth that has released the rest of the energy in the form of heat and sound. The measurement of the difference of this entropy is the potential energy of the system.
No, entropy is something entirely different. It is a logarithmic measure of the number of microstates available for a thermodynamic system. Entropy is measured in joules per kelvin. It has nothing to do with potential energy, which is strictly defined by the fields and valid even at microscopic scales.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Energy in a physical sense is absolutely not the kind of energy we usually talk about. "There's energy coming out of that wall socket", "This light bulb uses 50 watts of energy".. nope. Energy is a physical quantity defined in such a way that the sum of energy in a closed system cannot change. So you cannot "use" energy, and it's not quite like the thing your intuition tells you it is.
Your reasoning is flawed. A building on Earth, or an electrical cord, is not a closed system, and it's perfectly possible to use up a concentration of energy existing within that system. When you turn on your light bulb there is real energy coming out of your wall socket, through the cord and into the light bulb, which then disperses out into the room and eventually into the surrounding air and soil. As long as the 50 W light bulb is on, the amount of (useful) energy contained within your house increases by 50 J each second, minus any leakage through walls and windows. Furthermore, potential energy is as real as other forms of energy and could in theory be measured with very high precision instruments. Gravitational energy is always negative. At the center of the earth, it is at a local minimum, and approaches zero in outer space. Usually, the absolute value of a system's energy does not matter, and one is primarily concerned about energy gradients, which are much more easily observed. Therefore, on the surface, it looks like an abstract mathematical tool where in reality that is far from the case.
HHS
Experienced Forum User, Published Author, Active player (282)
Joined: 10/8/2006
Posts: 356
Warp wrote:
thatguy wrote:
its centre of mass drops and it loses some gravitational potential energy, which is converted into extra thermal energy.
[Citation needed]
Okay, I'm citing you. Glad to be of help.