• Emulator: lsnes rr2-beta23
  • Rom: Final Fantasy III (U) (V1.0)
  • Aims for fastest time
  • Uses game-breaking glitch
  • Abuses programming errors
  • Manipulates luck
During the previous TAS, we managed to get the Moogle Kutan in our crew to save the world. We are pleased to announce that this time, we also managed to get Kurin with us. As a side effect, we saved more than two hours and a half over the previous TAS, achieving a final time of 32 minutes and 54 seconds using a new game breaking glitch involving 52 gameover in a row on the world map.

Gameover glitch

On May 2015, a new ff6 glitch was discovered, where dying 52 times in a row on the world map leads to odd consequences. Often the game will freeze, sometimes it will trigger glitched cutscenes.

Deciphering

In this game, the developers have implemented a script language for scripted events, which contains everything from music, graphical effects, invoking windows, dialogues, character movements, etc. Two events in this game have a behaviour very close to the JSR and RTS assembly instructions. The first one (event B2) saves the pointer to the current event into a stack and starts executing a series of sub events. The second one (event FE) finishes the series of sub events by loading the event pointer from the top of the stack. Every call to event B2 is meant to be eventually followed by a call to event FE.
During a gameover screen, however, the game calls event B2 twice but only once event FE. This has the consequence of filling the event pointer stack, which can lead to a stack overflow with repeating gameovers. This is generally unnoticed, because entering any inside map (towns or dungeons) will clear the event pointer stack.
The event pointer stack is stored starting $0594 and the size of the stack is stored in $E8 and $12E8 (backup). The memory after this stack is largely unused, the only addresses that are often written by the game are located at $0630-$0632. The game repeatedly stores into $0630 the horizontal scanline location, into $0631 the vertical scanline location and into $0632 the maximum of all $0631 values. We are not sure if these values are actually used by the game.
After the 51 gameover, $E8 contains 0x99. At the 52nd gameover, the game writes the event pointer to $062D-$062F (first call to event B2) then to $0630-$0632 (second call to event B2). Before the game executes event FE, the values in $0630-$0632 have changed and contains the some scanline location coordinates. The game loads those values as the current event pointer, and executes events starting this location. This is what is causing the glitch.
By conducting a lot of tests, we observed that address $0630-$0632 is dependent on the frame where the gameover is confirmed, the inputs pressed 3 frames before confirmation and the number of characters in the party.

Triggering the ending

To trigger the game ending, one way is to set the event pointer to the address of the ending, which is located at $CA0F70 (just after the boss fight). However, the game will freeze if we jump there because it will try to move characters which are not present. Pointing after the post-Kefka dialogues does work, which was done in the present TAS (address $CA134E).
As expected, no value of $0630-$0632 comes near the values required to launch the ending sequence. Luckily, most of the values in $0630-$0632 actually point to RAM addresses, between $1700 and $2000. Here is a summary of what is present in these addresses:
$1600-$184F: Character data (592 bytes, 37 bytes each character)
$1850-$185F: Setup of current party (which party/slot/row for each character)
$1860-$1862: Gold
$1863-$1865: Game time
$1866-$1868: Steps
$1869-$1968: Items possessed
$1969-$1A68: Item quantities
$1A69-$1D4C: Espers, Magic, SwdTechs, Blitz, Lores, Rages, Dances
$1D4D-$1DC6: Menu configuration
$1DC7-$1FFF: Various stuff 

Our goal is to write somewhere in RAM an event that will jump to the ending. A few events can do that: B2, B3, B6, B7, BD, BE, C0-CF, following by the destination address (e.g. B2 4E 13 00 jumps to $CA0000 + $00134E = $CA134E). The values inside $0630-$0632 heavily depend on the number of characters in the party. Here is roughly which address we have access:
  • 1 character: $1700-$1900
  • 2 characters: $1900-$1B00
  • 3 characters: $1B00-$1D00
  • 4 characters: $1D00-$1FFF
The earliest point where we can trigger the glitch is with a party of two characters. With this party, we can jump to the addresses storing the inventory, the Espers and magics. The problem is that we cannot write any of the jumping events above in memory because no item with the corresponding id is available, and we are limited to 99 for item quantities. Of course, we don't have any Esper or magic available.
Then, for a very small time, we have access to a 1 character party (solo Terra) during Figaro castle. With this party, we can jump to part of the character data, gold, game time, steps and part of the inventory. Character data would have been very encouraging, but the only characters we can control are Terra and Locke, which are at the beginning of the section, outside our range. Like before, we cannot write the event code using the inventory, but we can use either one byte of the Gold or one byte of the step counter easily. The second problem was to write the destination address in RAM next to the event code, which is of the form XX 13 00 with XX being several values possible between 0x20 and 0x70. We couldn't manage to write these values, however we could make an intermediate jump to a much more friendly area in RAM where we can control values: the config menu. It is located starting $1D4D and luckily, we have access to the Mithril Pike (id 1D), the Buckler (id 5A) and the Mithril Shield (id 5C).
Here is the state of the memory starting $1860:
|     Gold     |   Game Time  | Step counter |                  Inventory
| A0 | xx | xx | xx | xx | xx | C1 | xx | xx |   01    |  00  |   5A    |   1D    |   5C    |
                                               Mithril | Dirk | Buckler | Mithril | Mithril |
                                               Knife   |      |         |  Pike   | Shield  |
We tried to jump directly to the step counter, but we only could jump to the Gold address. That is why we manipulated the first byte of the Gold value to be A0 (by selling stuff), an event which takes 5 bytes as argument, so that we arrive at the beginning of the step counter.
Event C1 has 3 arguments: t1 (2 bytes), t2 (2 bytes) and addr (3 bytes). The meaning of this event is: if the story bit t1 or the story bit t2 is true, then jump to $CA0000+addr. We manipulated t2 with the MithrilKnife and the Dirk so that the corresponding story bit is true. So the game jumps at $CA0000 + $5C1D5A = $261D5A, which is the RAM address $1D5A, in the middle of the colours of the windows.
Now we have full control over the events we can trigger. We previously changed the value of those colours so that the bytes starting $1D5A are:
  • 5B is a no argument event that does (almost) nothing. We couldn't write B2 on the first byte because the way the colours are stored implied that every other value must be below 7E.
  • B2 00 53 00 jumps to address $CA0000 + $005300 = $CA5300. This is the very end of the world destruction sequence that loads the World of Ruin maps. It was necessary to avoid a softlock during the game ending.
  • A9 triggers the game opening, because why not.
  • 5C is another dummy event like 5B
  • B2 4E 13 00 jumps to address $CA0000 + $00134E = $CA134E. This triggers the ending sequence.

Run comments

Narshe

As opposed to the previous TAS, we did not need to level-up Terra so that other characters who join get a higher level. However, we still need Terra to be at least level 4 so that the quick kill on Whelk is possible. The fastest way we found was to escape the first and fourth fights, to fight the third one and to make Wedge escape the second fight. This gives level 4-3-2 for Terra, Vicks and Wedge, respectively. The quick kill on Whelk was barely possible by manipulating the random damage to always be a high value. The fight against Marshal and Lobo was improved from the previous TAS by manipulating both Lobo not to attack. Both Mithril Pike and Mithril Shield are removed from Mog for the glitch.
Extra steps were used to manipulate the battle RNG, because we had to do a lot of steps anyway for the glitch.

Figaro

The inventory is sorted as described above during the two random fights to Figaro castle. After being solo Terra, two Tonics and 4 Echo Screen are bought to get Gold to xxxxA0. Then the remaining number of steps are performed to get the number xxxxC1 at the second fight in the world map.
The first fight in the desert is manipulated to get Terra's HP as low as possible. A critical could not be manipulated for the Sand Ray because this enemy has the bad habit of skipping his turn; it was replaced with his special attack.

Glitch

One step before the second fight, the battle speed was set to 1 so that the enemy can act faster. The fight to get the gameover to was chosen to be a solo enemy, so that the initial ATB are very high. 51 gameover later, the message and gameover screen were confirmed at the right frame and the input was chosen so that the game loads address $1860 as the event pointer. As explained above, this eventually triggers the ending.

Special Thanks

  • pirohiko for posting the new glitch in the ff6 topic
  • Catastrophe for helping disassembling the new glitch
  • Yousei for providing a very detailed description of the ff6 ROM, including the list of events
  • Imzogelmo for providing a dump of the entire list of events of the game

ars4326: (Replaced movie file with updated version that accesses full ending). Claimed for judging!
ars4326: Hello, Keylie and Kadmony. Fantastic work on executing this unique 'game end glitch' method, as well as listing out the intricate details in the submission text. The minor strategic optimizations made during battles were a treat to watch, as well. Altogether though, as others have expressed in the thread, there honestly just isn't too many ways that one can make 52 straight game-overs entertaining. The payoff of watching the glitched ending (with more Moogles, this time around!) was indeed enjoyable, but the more repetitive 15+ minute lead-in must also be considered. Outstanding work, nonetheless!
edit: Accepting for publication to the Vault, and to obsolete the current 'sketch glitch' run. Reason being, an issue was brought up in the thread concerning how this movie, initially (and similar to the 'sketch glitch' run) soft-locked at the end and didn't technically complete the game. Keylie addressed this and made some adjustments to this run which allowed the complete ending to take place. Therefore, for the sake of consistency, we've got to abide by this standard going forward. And since the 'sketch glitch' run soft-locks, it now must be obsoleted by a run that doesn't.
fsvgm777: Processing.


d-feather
He/Him
Joined: 2/12/2015
Posts: 152
Location: Everett, WA
Terra pretends to be Princess Luna in that one MLP:FiM fic where the aforementioned princess attempts to kill herself in many ways, but fails. Unlike Luna here, Terra ascends to godhood and wins the game after dying 52 times. Meh vote.
:shrug: I'm more active on Twitter nowadays: @HunterCoates5
Skilled player (1672)
Joined: 7/1/2013
Posts: 448
It was a mistake to accept the previous submission as it was. To argue that the new submission should be accepted based on a previous mistake is fallacious. I respect that Keylie has been receptive in addressing this issue, and even has a plan. You are a true TASer, sir.
Joined: 3/9/2009
Posts: 530
£e Nécroyeur wrote:
It was a mistake to accept the previous submission as it was. To argue that the new submission should be accepted based on a previous mistake is fallacious. I respect that Keylie has been receptive in addressing this issue, and even has a plan. You are a true TASer, sir.
Agreed. I feel it provides a solid, distinct measure of completion. I think if the softlock occurred much sooner in the ending and/or the ending was much shorter, there wouldn't even be a debate here after the Pokemon glitched ending ruling. That it slips by seems more an artifact of the ending being really long than it does realizing that it doesn't fully play out. If a faster run of this was made that froze as soon as it tried to load graphics from Kefka's tower for the ending sequence, I don't think anybody would count that as valid. Assuming that it doesn't take much to address it, as seems to be the case, I'd suggest this should also obsolete the Sketch Glitch run (and obviate the precedent issue) since both are memory corruption things, although I really don't follow the technical side enough to say whether that's appropriate or not.
Senior Moderator
Joined: 8/4/2005
Posts: 5777
Location: Away
I do think it should obsolete the sketch run in any case, as they both follow the exact same goal: rush to the ending using any glitches available.
Warp wrote:
Edit: I think I understand now: It's my avatar, isn't it? It makes me look angry.
Skilled player (1416)
Joined: 10/27/2004
Posts: 1978
Location: Making an escape
In any event, I find it interesting that four, arguable five, of the first six Final Fantasies have been completed through sheer repitition of a given action. Is this a common trait among RPGs of the day?
A hundred years from now, they will gaze upon my work and marvel at my skills but never know my name. And that will be good enough for me.
Joined: 3/9/2009
Posts: 530
Ferret Warlord wrote:
In any event, I find it interesting that four, arguable five, of the first six Final Fantasies have been completed through sheer repitition of a given action. Is this a common trait among RPGs of the day?
Eh, it's similar to the overloading in Super Mario World and Megaman. The Final Fantasies are just turn based, so it gets stretched out a lot more.
Joined: 6/12/2015
Posts: 2
Tangent wrote:
[...] since both are memory corruption things, although I really don't follow the technical side enough to say whether that's appropriate or not.
No, this submission isn't memory corruption. Sketch is memory corruption because it forces the game to perform a task that's too large for the allocated space in the RAM; kind of like trying to empty a bathtub into a bucket the bucket just isn't big enough so the water overflows and spills on the floor. The sketch glitch is doing the same thing, but instead of water it's trying to create a gigantic monster sprite. The space given to it in the RAM just isn't big enough so it ends up writing monster sprite pixel data to other parts of the memory. This submission exploits a programming error that allows them to create an event script that will run after the final game over. It doesn't corrupt any memory, it manipulates some values to make the event script work (step count, money, items in inventory, settings in the config menu, battle inputs in the last suicide fight, and the frame that the final game over starts). Currently it looks something like this: The Battle inputs and frame of the final game over tell the game to go to the address for your money, (game time as well but as I understand it the game time doesn't matter for the event script they use) step count, and the first 5 items in the inventory. These values tell the game to go to addresses in the config menu, and the stuff they manipulated in there tells the game to go to the address for the credits. Now it doesn't have to go to money, step count, inventory, or the config menu addresses; there's a range of possible addresses they could jump to. They choose these addresses for pragmatic reasons.
Player (13)
Joined: 6/17/2006
Posts: 508
For the category issue, it's my opinion that this counts as ACE. While it's not assembly language ACE, it's still in-game script language ACE. Same technique, just at a higher level of language abstraction.
Satarack wrote:
If the completing the credits is to be considered having finished the TAS, then yes this doesn't complete the run. But I think a good philosophical case could be made that reaching the credits is a completed state, if you take examples from other forms of media. For example, do you finish watching a movie once you reach the credits, or do you have to watch the credits to say you have finished the movie? Or how about books, if you have a novel and the author left a personal message at the end of his book after the story, and you choose not to read the author's message, can you say that you finished the book? And in speed running different communities have elected to follow different views on the matter. Eg. By SDA rules when using real time, time ends when the player loses complete control at the credits, effectively saying that that is the point when the runner has completed the game. I'm not trying to say it should be one way or another; my point is more that it isn't as cut and dry as it might seem. I mean it's conceivable to have standards based on the kind of exploits involved in a run; which would allow for a more nuanced way of appraising submissions.
I agree, and this is exactly why I would like the rules to be updated: so that our community may come to a consensus as to which approach is the most relevant, and have an objective set of criteria to compete against based on this consensus. Until then, I can only rely on my personal feelings, which are strongly in favor of reaching the very end of the end for a satisfying conclusion as opposed to any part of the end, regardless of the media.
Skilled player (1416)
Joined: 10/27/2004
Posts: 1978
Location: Making an escape
d-feather wrote:
pony crap
Perhaps a more culturally relevant example would be Bill Murray in Groundhog Day.
A hundred years from now, they will gaze upon my work and marvel at my skills but never know my name. And that will be good enough for me.
Experienced player (704)
Joined: 2/5/2012
Posts: 1798
Location: Brasil
softlock is trouble,maybe research more and do another run without it? but if we already accepted the shitty ending then we just go along with it... how about proper ending being another category?
I want all good TAS inside TASvideos, it's my motto. TAS i'm interested: Megaman series, specially the RPGs! Where is the mmbn1 all chips TAS we deserve? Where is the Command Mission TAS? i'm slowly moving away from TASing fighting games for speed, maybe it's time to start finding some entertainment value in TASing.
Joined: 6/4/2009
Posts: 893
this is the most realistic gameplay ever : you die : GAME OVER , THE END ! also, i liked the fact that the game allow you to skip everybody exept lock, terra, celes edgard & setzer... yes vote, another FF bites the dust... what's next ? a FFVII stairs glitch that call the CD3 & a glitched save that triggers the ending ? NASIR's Ghost haunt this series with his "screen transitions overflow glitch"
Editor, Experienced player (848)
Joined: 5/2/2015
Posts: 696
Location: France
Nicos wrote:
what's next ? a FFVII glitched save that triggers the ending ?
Pretty close: Link to video
Banned User
Joined: 8/5/2015
Posts: 9
Surely here will accept any trash that ends in game over by a strange glitch
Synahel
She/Her
Former player
Joined: 1/19/2011
Posts: 260
Location: France
I'm glad everybody here can see how much work and research was put into making this TAS.
Editor, Expert player (2098)
Joined: 8/25/2013
Posts: 1200
fail wrote:
Surely here will accept any trash that ends in game over by a strange glitch
First off, this is not trash. This is a well optimized TAS, and an excellent example of how speedrunning can break a game. Second off, a strange glitch is not what this is. As you can see from the branch name, it is a 'game end glitch'.
effort on the first draft means less effort on any draft thereafter - some loser
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
fail wrote:
Surely here will accept any trash that ends in game over by a strange glitch
Technically, this site has accepted worse that doesn't even feature any glitches.
Noxxa
They/Them
Moderator, Expert player (4124)
Joined: 8/14/2009
Posts: 4090
Location: The Netherlands
fail wrote:
Surely here will accept any trash that ends in game over by a strange glitch
A certain type of trash we do not accept here is ban evasion. Be gone.
http://www.youtube.com/Noxxa <dwangoAC> This is a TAS (...). Not suitable for all audiences. May cause undesirable side-effects. May contain emulator abuse. Emulator may be abusive. This product contains glitches known to the state of California to cause egg defects. <Masterjun> I'm just a guy arranging bits in a sequence which could potentially amuse other people looking at these bits <adelikat> In Oregon Trail, I sacrificed my own family to save time. In Star trek, I killed helpless comrades in escape pods to save time. Here, I kill my allies to save time. I think I need help.
keylie
He/Him
Editor, Emulator Coder, Expert player (2841)
Joined: 3/17/2013
Posts: 392
Here is a new movie that triggers the full ending. It adds about 4 seconds to the TAS. User movie #24682228050711354
fsvgm777
She/Her
Senior Publisher, Player (226)
Joined: 5/28/2009
Posts: 1213
Location: Luxembourg
I got caught off-guard when the game suddenly cut back to the intro scene after the movie finished....but then it proceeded to the ending anyway. This new ending has a lot more Terra in it, and the portraits of the many characters that weren't recruited glitch up a bit when "Terra" is off-screen, it seems. Anyway, from a technical standpoint, this is pretty impressive. However, seeing so many game overs in a row hurts the entertainment quite a bit. I'm going to vote Meh.
Steam Community page - Bluesky profile Oh, I'm just a concerned observer.
Sir_VG
He/Him
Player (40)
Joined: 10/9/2004
Posts: 1913
Location: Floating Tower
Voting YES for the vault.
Taking over the world, one game at a time. Currently TASing: Nothing
keylie
He/Him
Editor, Emulator Coder, Expert player (2841)
Joined: 3/17/2013
Posts: 392
I replaced the encode on the submission with the new TAS.
Skilled player (1785)
Joined: 5/7/2008
Posts: 187
Location: Japan
It looks very good. Yes vote.
Joined: 6/4/2009
Posts: 893
xy2_ wrote:
Nicos wrote:
what's next ? a FFVII glitched save that triggers the ending ?
Pretty close: Link to video
nice video, thanks i know about the 2h PC glitched category but, "semi recent" pc games still not being tasable, i'll set my hope on the original PSX version...
Joined: 11/17/2005
Posts: 278
Location: Massachusetts, USA
You did it!! Now no one has to play this game anymore! ;) And I thought this glitch was useless. I thought the first sub-hour run would use the equip anything glitch on the Japanese version. You found more ways to manipulate the outcome than I did.
Satarack wrote:
No, this submission isn't memory corruption. Sketch is memory corruption because it forces the game to perform a task that's too large for the allocated space in the RAM; kind of like trying to empty a bathtub into a bucket the bucket just isn't big enough so the water overflows and spills on the floor. The sketch glitch is doing the same thing, but instead of water it's trying to create a gigantic monster sprite. The space given to it in the RAM just isn't big enough so it ends up writing monster sprite pixel data to other parts of the memory. This submission exploits a programming error that allows them to create an event script that will run after the final game over. It doesn't corrupt any memory, it manipulates some values to make the event script work (step count, money, items in inventory, settings in the config menu, battle inputs in the last suicide fight, and the frame that the final game over starts).
I wouldn't tag this run with "memory corruption" either, but the Game Over Glitch does corrupt memory. The game keeps a stack of cutscene pointers which I'm sure was never meant to exceed 32 cutscenes in length. (Or 32 at most. Could be less.) When you trigger the 33rd+ copy of the Game Over cutscene you're actually corrupting the next part of memory, which is a bunch of variables used by the cutscene engine. (And the fun starts when a certain animation counter rewrites the previous stack location after it was written.)
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I'm curious on one thing now. I never played this game, so I don't know if the game has any post-credit content, but what happens if you continue on from this movie?