This is a completely new type of a Super Mario World run. It beats the game by getting the THE END [dead link removed] screen in the 2nd level (Yoshi's Island 3).
After the discovery of a new glitch by あんた (anta), our Skype TASing community was trying to understand what happened in the .smv. Since he only uploaded the .smv and a japanese documentation, we had to find it out by ourselves.

Game objectives

  • Emulator used: Snes9x 1.43 v17
  • Aims for fastest time
  • Uses game-breaking glitches
  • Heavy luck manipulation
  • Achieves credits early

The "credits glitch"

"spit sprite position = yoshi X position + offset to spit object(index by Y which is the direction) normally, this would store to the sprites X position, however, because the sprite index is #$FF It writes to #$E4 + #$FF which is #$01E3. This is the stack address that is corrupted. If yoshi is facing left he must be at the position #$86, and if he is facing right it should be #$66."
p4plus2's documentation of the "credits glitch" [dead link removed]

Addresses which have to be manipulated

RAM Addressneeded ValueDescription
$7E:148C#$7CRNG 1 | See explanation below
$7E:148D#$92RNG 2
$7E:148E#$F7RNG 3
$7E:00E8#$86X position of sprite #04 (it's Yoshi in this case) (freezes when the sprite disappears, though you shouldn't have him disappear)
OAM Addressneeded ValueDescription
$01:02D4#$26X position of some score numbers onscreen (freezes when it disappears)
$01:02FC#$A3X position of the "smoke" effect (like when a fireball goes into a wall) (freezes when it disappears)
$01:02FD#$F0Y position of the "smoke" effect (same as above) (sets to #$F0 when it disappears)
$01:0304#$81X position of a Mario tile that appears when Mario is on Yoshi and he is in the turning animation (freezes when it disappears)
$01:0305#$39Y position of the same Mario tile as above (freezes when it disappears)
$01:0308#$B0X position of a cape tile (freezes when it disappears)
$01:0309#$F0Y position of a cape tile (sets to #$F0 when it disappears)
$01:030C#$60X position of a cape tile that appears when mario is flying (freezes when it disappears)
Those addresses starting with "01" are just OAM Addresses. OAM is a chunk of memory that stores the data about the sprite tiles to draw onto screen.
RNG:
The Random Number Generators (RNGs) change with certain events. We have to change the RNG 1197 times for it to work in our favor. When a koopa spawns, it's called once (when the RNG is "called", it changes). Before going into the pipe in YI3, three koopas appear; this leaves the RNG to be called a remaining 1194 times. This is where the fish come in. When a flopping fish bounces on the floor, it calls the RNG three times. So, that means the fish need to bounce 396 times (to call the RNG 1188 more times). After the fish manipulation, there are exactly six koopas that spawn. After they spawn, the RNGs are set perfectly in order for me to activate the credits.
There are also some OAM addresses that have more than one possible values, they have to have the same bytes of opcode and they also have to not affect the A register.
OAM AddressBytes of OpcodeDescription
$01:02FA2Will be the right value when you shoot a fireball with X
$01:02FE2Will be the right value when you shoot a fireball with Y
$01:03004X position of a koopa shell tile
$01:03023Will be the right value when you pick up a shell
$01:03062Nearly always right
$01:030A2Nearly always right
(actually you can change the bytes of the opcode, only the number of bytes between two required values is important)

Stage by stage comments

Yoshi's Island 2

We can't manipulate the addresses here since they would reset in the overworld.

Yoshi's Island 3

If you jump on a p-switch and then get the "pressed" p-switch in Yoshi's mouth on the right time, you will spawn a fish if you spit out the p-switch fast enough. Also, there can only be eight fishes in the room. After this room, I went back to the Yoshi block. I spawned two Yoshi's by hitting the block with Mario and the p-switch at the same time. I jumped on one Yoshi, got the p-switch in his mouth and let him die, so the second - invisible - Yoshi becomes visible and have a null sprite in his mouth. Then I go right to perform a PI (Powerup Incrementation) so i get a cape, to manipulate some values.

Other comments

Potential Improvements

Maybe the part with the fishes can be improved, since its heavy luck manipulation. Also, maybe there is a faster strategy to get all the right values.

Suggested Screenshots

[dead links removed]

Thanks to

  • Our Skype TASing community, for being able to help each other.
  • あんた (anta), for the discovery of this awesome glitch.
  • p4plus2 and smallhacker, for their awesome work exploring the glitch.
  • DarkMoon and Kaizoman666, for helping me writing this submission text.
  • bahamete, for creating some helpful lua scripts.
  • Mister, for helping me with YI2 :P.

adelikat: Judging

Accepting this movie as a new 'ram corruption' category. See this post for details.

Dacicus: Publication underway


1 2
6 7 8 9 10
Player (13)
Joined: 6/17/2006
Posts: 510
Weatherton wrote:
If the process were real (i.e. glitch the menus to get a file with 120 stars), it could be used to beat the current 0 star TAS. Assuming all keys were also opened (a reasonable assumption given that this is a hypothetical situation anyway), the player could simply run up to the final Bowser fight and beat him to see the credits.
I don't understand what you're trying to say. What's your point?
Joined: 12/22/2009
Posts: 291
Location: Michigan
SmashManiac wrote:
Weatherton wrote:
If the process were real (i.e. glitch the menus to get a file with 120 stars), it could be used to beat the current 0 star TAS. Assuming all keys were also opened (a reasonable assumption given that this is a hypothetical situation anyway), the player could simply run up to the final Bowser fight and beat him to see the credits.
I don't understand what you're trying to say. What's your point?
He's saying this if that video were real, and you could corrupt the save file to give you 120 stars, would it obsolete the current SM64 TAS. He's comparing it to how Masterjun skipped over so much of the game.
Current projects: Yoshi's Island Disassembly Yoshi's Island any% TAS with Carl Sagan
Joined: 6/26/2011
Posts: 167
Well, if it existed, it would be a run using obvious SRAM corruption. The closest the existing run gets is BLJ abuse, which is really more of a physics oddity than an outright glitch. So I think, if such a hypothetical run were made, it would gain its own "glitched" category. (Plus, it's fun to watch the frame competition on SM64.)
First a movie gets submitted, and ends up accepted despite breaking rules other runs have been rejected for. And when I vote less than spectacularly on this movie, I become the victim of harassment and threats. Yay, favoritism.
Joined: 5/30/2007
Posts: 324
This might be the single coolest TAS I have ever seen. The set of actions on Yoshi Island 3 are borderline random/insane/impossible unless you know the specific glitches being abused. I believe we should have a new SMW category for this insanely cool run, just like there is for Link to the Past, Castlevania: Aria of Sorrow, and others.
adelikat
He/Him
Emulator Coder, Site Developer, Site Owner, Expert player (3576)
Joined: 11/3/2004
Posts: 4754
Location: Tennessee
We do not have consistent rules regarding having separate categories for any% movies that use glitches. However, I think the glitch exploited here is sufficient to warrant a new category, and I get the feeling that the general consensus is that this should not obsolete the 'traditional' any% movie. I'm fine with this being a new category as long as we can have a clear line as to what constitutes this category vs the any%. The difference here is ram corruption from what the 'experts' have told me. This is probably going to be clear cut enough, though I suspect there will be at least one TAS that challenges this potential gray line. The downside to this category difference is that the difference will not be perceivable visually. Someone will have to verify that ram was or wasn't 'corrupted'. But that just means more work for the and community on future TASes. As such, I will be accepting this movie as a 'ram corruption' category for this game. I'm open to suggestions for a better category name.
It's hard to look this good. My TAS projects
Joined: 7/2/2007
Posts: 3960
Doesn't the run that gets a goal sphere to clear Izzy's castle also use RAM corruption? What about the glitch to get a set of Yoshi wings to skip part of YI3? Not that I have any better ideas for a category name.
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Joined: 6/4/2009
Posts: 570
Location: 33°07'41"S, 160°42'04"W
"ram corruption" is a bit too generic indeed, but it's also hard to find an effective name, correct but also not too technical. An univoque alternative could be simply "game mode corruption", but I'm afraid it's too technical. The upside is that it would still allows for a future obsoletion if it will turns out other game modes are faster such as 27.
Active player (441)
Joined: 3/21/2011
Posts: 127
Location: Virginia (United States)
Derakon wrote:
Doesn't the run that gets a goal sphere to clear Izzy's castle also use RAM corruption? What about the glitch to get a set of Yoshi wings to skip part of YI3?
No, not even closely in the same way that this run does. The goal sphere involves eating the Chuck with Yoshi, and the Chuck has a byte that tells the game to give Mario a goal sphere when eaten (even if it wasn't meant to be read). This byte was always in the ROM, and we did nothing to make the game read it. The only glitch we really did was make the Chuck eatable using an overload of the game's sprites. However, in this glitch, the game is jumping to the RAM and reading it like it would ROM. By then manipulating the RAM, the glitch manages to store the right value to to $0100. This is what you would call RAM corruption, as the game was never meant to read RAM as a ROM code. EDIT: Except for one particular case at $7F8000, which was just pointed out to me.
YouTube Channel - Twitter Current projects: Sutte Hakkun, Hyper VI, RTDL, own hacking projects
Joined: 1/2/2012
Posts: 2
I feel that this SMW run bears a striking resemblance to GB SML2:6GC http://tasvideos.org/1886M.html - completely breaks the game sequence - debugs/modifies memory to "summon" end screen - skips 95% of the game For some reason that video was hailed and accepted, and even obsoleted full game runs (which I don't think was right), as well as became a "notable publication". If anything, this run should definately be published but put in a "glitched" category as to preserve runs that don't just summon end screen and beat the game properly.
Active player (441)
Joined: 3/21/2011
Posts: 127
Location: Virginia (United States)
birkhalter wrote:
I feel that this SMW run bears a striking resemblance to GB SML2:6GC
SML2:6GC isn't the best example to bring up, due to it obsoleting the previous run that wasn't labeled "glitched", because the previous run abused a glitch that was part of the "glitched" run, and so the two runs were considered too similar to be separated. Doesn't mean a non-glitched run can't be submitted, it just can't use the glitch. It'd be like if you used the walk-through-walls glitch to TAS ALTTP without skipping to the credits, and still tried to submit it as a non-glitched run.
YouTube Channel - Twitter Current projects: Sutte Hakkun, Hyper VI, RTDL, own hacking projects
Joined: 1/2/2012
Posts: 2
kaizoman666 wrote:
birkhalter wrote:
I feel that this SMW run bears a striking resemblance to GB SML2:6GC
SML2:6GC isn't the best example to bring up, due to it obsoleting the previous run that wasn't labeled "glitched", because the previous run abused a glitch that was part of the "glitched" run, and so the two runs were considered too similar to be separated. Doesn't mean a non-glitched run can't be submitted, it just can't use the glitch. It'd be like if you used the walk-through-walls glitch to TAS ALTTP without skipping to the credits, and still tried to submit it as a non-glitched run.
I understand now why the old runs were obsoleted, however, if that run was published then shouldn't this one as well? I mean, they almost do the same thing. (not exactly the same, but to me very similar)
Joined: 12/22/2009
Posts: 291
Location: Michigan
birkhalter wrote:
I understand now why the old runs were obsoleted, however, if that run was published then shouldn't this one as well? I mean, they almost do the same thing. (not exactly the same, but to me very similar)
This run has already been accepted.
Current projects: Yoshi's Island Disassembly Yoshi's Island any% TAS with Carl Sagan
Joined: 12/28/2011
Posts: 14
i personally think that labeling this movie as "glitched" would be perfectly fine, because it just seems to be the standard name for runs on this site that do things to beat the game in a way it wasn't intended to be beaten (sorry this is very vague, but it kind of has to be because each individual "glitched" run is unique in its own way). even if the name is arbitrary, it seems to work for the most part as most everyone understands that just about every run on this site uses glitches, but that doesn't qualify them as being "glitched."
adelikat
He/Him
Emulator Coder, Site Developer, Site Owner, Expert player (3576)
Joined: 11/3/2004
Posts: 4754
Location: Tennessee
DJWebb32 wrote:
i personally think that labeling this movie as "glitched" would be perfectly fine, because it just seems to be the standard name for runs on this site that do things to beat the game in a way it wasn't intended to be beaten (sorry this is very vague, but it kind of has to be because each individual "glitched" run is unique in its own way). even if the name is arbitrary, it seems to work for the most part as most everyone understands that just about every run on this site uses glitches, but that doesn't qualify them as being "glitched."
except that the traditional any% is VERY glitched as is.
It's hard to look this good. My TAS projects
Joined: 2/16/2005
Posts: 462
Due to severity of the bug used here and the questionable finished state (no credit sequence), I agree this run be published along-side the current SMW submission as a "glitched" run. This would be similar to the LttP "glitched" run where link walks OOB directly to the end room without "beating" anything. While the distinction is somewhat subjective, in my eyes a "glitched" run puts the game into an endstate condition without actually "beating" it. To "beat" something means to conquer it or defeat it. This run doesn't conquer the game since it evades the actual objectives: rescue baby yoshis, beat bowser, rescue the princess.
This signature is much better than its previous version.
Player (13)
Joined: 6/17/2006
Posts: 510
kaizoman666 wrote:
SML2:6GC isn't the best example to bring up, due to it obsoleting the previous run that wasn't labeled "glitched", because the previous run abused a glitch that was part of the "glitched" run, and so the two runs were considered too similar to be separated. Doesn't mean a non-glitched run can't be submitted, it just can't use the glitch. It'd be like if you used the walk-through-walls glitch to TAS ALTTP without skipping to the credits, and still tried to submit it as a non-glitched run.
In the case of SML2:6GC, the fact that the same glitch was used in the previous movie was not the only reason for obsoletion. See here: http://tasvideos.org/forum/viewtopic.php?p=258997#258997 As for ALttP, the only reasoning I could find for having 2 categories was that the long version was considered a full playthrough, even though the short version is currently labeled "glitched" while the long version is also full of game-breaking glitches (including passing through solid objects and hovering over holes). The original decision goes back from 2005 when the site was still young, so I couldn't find any better explanation. asteron's explanation of what a "glitched" category is matches the full playthrough reasoning perfectly however so I'm gonna go with that (although I find this definition of "glitched" vague and highly confusing). Considering the above, and since I'm in the opinion that a full playthrough of SMW is a full 100% run, creating a separate category for this run would not be consistent with past decisions.
Joined: 12/29/2011
Posts: 13
Really what define "RAM corruption"? I seriously do not consider this to be "RAM corruption". Most glitches in SMW involve manipulating RAM on some level, so where do you draw the line? Code can execute in RAM and does so in SMW every frame($7F8000 in RAM is the OAM clear routine that sets sprites off screen), so that is a poor argument as well. It is additionally unfair to call this a glitched run and a "regular" any% non-glitched. All SMW TASes I am aware of abuse glitches, even if it is simply using alternating frames to gain extra speed. And I am pretty sure the definition of a glitch is malfunction, which this certainly is.
ALAKTORN
He/Him
Former player
Joined: 10/19/2009
Posts: 2527
Location: Italy
p4plus2 wrote:
Really what define "RAM corruption"? I seriously do not consider this to be "RAM corruption". Most glitches in SMW involve manipulating RAM on some level, so where do you draw the line? Code can execute in RAM and does so in SMW every frame($7F8000 in RAM is the OAM clear routine that sets sprites off screen), so that is a poor argument as well. It is additionally unfair to call this a glitched run and a "regular" any% non-glitched. All SMW TASes I am aware of abuse glitches, even if it is simply using alternating frames to gain extra speed. And I am pretty sure the definition of a glitch is malfunction, which this certainly is.
we’ve already been through the definition of a “glitched” branch name, don’t bring that stuff back up… uses glitches =/= glitched
Joined: 2/16/2005
Posts: 462
p4plus2 wrote:
Really what define "RAM corruption"? I seriously do not consider this to be "RAM corruption". Most glitches in SMW involve manipulating RAM on some level, so where do you draw the line? Code can execute in RAM and does so in SMW every frame($7F8000 in RAM is the OAM clear routine that sets sprites off screen), so that is a poor argument as well. It is additionally unfair to call this a glitched run and a "regular" any% non-glitched. All SMW TASes I am aware of abuse glitches, even if it is simply using alternating frames to gain extra speed. And I am pretty sure the definition of a glitch is malfunction, which this certainly is.
No one is calling the other run non-glitched. This one is labeled "glitched" (in quotes) because it is dominated by a glitch that evades pretty much all of the game objectives. The glitch in this run is similar to a buffer overrun exploit I believe in which you are manipulating executable code as if it was data. This tends to be among the most extreme of glitches and is not employed in the other run. While the "glitched" label is old, I think it is fine to use. It is there as a kind of warning to the viewer that this run will be using glitches to "complete" the game in an unusual manner that evades major game objectives. A casual viewer may not consider the game to be "beaten" as much as it has been "broken".
This signature is much better than its previous version.
marzojr
He/Him
Experienced player (762)
Joined: 9/29/2008
Posts: 964
Location: 🇫🇷 France
kaizoman666 wrote:
However, in this glitch, the game is jumping to the RAM and reading it like it would ROM. By then manipulating the RAM, the glitch manages to store the right value to to $0100. This is what you would call RAM corruption, as the game was never meant to read RAM as a ROM code. EDIT: Except for one particular case at $7F8000, which was just pointed out to me.
By this description, it sounds more like a stack buffer overrun (resulting in "arbitrary" code execution) than it does generic RAM corruption. I must admit, though, that calling the category "stack buffer overrun" would not convey much to the vast majority of users...
Marzo Junior
Joined: 7/2/2007
Posts: 3960
kaizoman666 wrote:
Derakon wrote:
Doesn't the run that gets a goal sphere to clear Izzy's castle also use RAM corruption? What about the glitch to get a set of Yoshi wings to skip part of YI3?
No, not even closely in the same way that this run does. The goal sphere involves eating the Chuck with Yoshi, and the Chuck has a byte that tells the game to give Mario a goal sphere when eaten (even if it wasn't meant to be read). This byte was always in the ROM, and we did nothing to make the game read it. The only glitch we really did was make the Chuck eatable using an overload of the game's sprites.
Ah, okay. Thanks for the clarification.
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Joined: 12/28/2011
Posts: 14
adelikat wrote:
DJWebb32 wrote:
i personally think that labeling this movie as "glitched" would be perfectly fine, because it just seems to be the standard name for runs on this site that do things to beat the game in a way it wasn't intended to be beaten (sorry this is very vague, but it kind of has to be because each individual "glitched" run is unique in its own way). even if the name is arbitrary, it seems to work for the most part as most everyone understands that just about every run on this site uses glitches, but that doesn't qualify them as being "glitched."
except that the traditional any% is VERY glitched as is.
just rewatched the new submission, and i guess i forgot just how many glitches are exploited, but imo, only the first world seems extremely glitched, and after that the rest of the levels seem relatively normal, while with this run obviously once you get into yi3 things just go crazy
Active player (441)
Joined: 3/21/2011
Posts: 127
Location: Virginia (United States)
marzojr wrote:
By this description, it sounds more like a stack buffer overrun (resulting in "arbitrary" code execution) than it does generic RAM corruption.
Not really, to my knowledge. Although the glitch messes with the stack to cause the wrong jump, it does not overflow it.
YouTube Channel - Twitter Current projects: Sutte Hakkun, Hyper VI, RTDL, own hacking projects
marzojr
He/Him
Experienced player (762)
Joined: 9/29/2008
Posts: 964
Location: 🇫🇷 France
kaizoman666 wrote:
Not really, to my knowledge. Although the glitch messes with the stack to cause the wrong jump, it does not overflow it.
A "stack buffer overrun" does not overflow the stack -- it writes (overruns) the limits of some data (a "buffer") placed in the stack; this can be used to overwrite the return location of a function to be to whatever location is possible to engineer with the input data. Anyway, I was talking about what it seemed to be from your description; if I am wrong, then I am wrong :-p
Marzo Junior
Joined: 12/29/2011
Posts: 13
asteron wrote:
No one is calling the other run non-glitched. This one is labeled "glitched" (in quotes) because it is dominated by a glitch that evades pretty much all of the game objectives. The glitch in this run is similar to a buffer overrun exploit I believe in which you are manipulating executable code as if it was data. This tends to be among the most extreme of glitches and is not employed in the other run.
Totally false. This glitch changes one value on the stack, but it is by no means an overflow. The stack is altered from spitting out a sprite with index #$FF, so when "sta $00e4,y" is executed ($01f203)it stores to $01E3. As linked in the original post, I have documented how this glitch works very thoroughly here: http://99.10.160.182/glitch.asm My point was, "extreme" glitches are still glitches. How does one arbitrarily decide what is "extreme"? Just because a glitch requires more planning makes it "extreme"? Or is it by how the game reacts to the glitch? or is it by how the glitch interacts as a software level? Or by how hard it is to pull off? Glitches are glitches, there is no magical way to classify them on magnitude.
While the "glitched" label is old, I think it is fine to use. It is there as a kind of warning to the viewer that this run will be using glitches to "complete" the game in an unusual manner that evades major game objectives. A casual viewer may not consider the game to be "beaten" as much as it has been "broken".
I am not saying a warning shouldn't exist, I am saying that this "glitch" does not need a special category. Any% is any% and an ending was achieved via glitches. So, the warning in tags in justified, but saying it needs a special category because of the style of glitch is ridiculous. See above about judging the magnitude of a glitch.
1 2
6 7 8 9 10