1 2
5 6 7 8
Tompa
Any
Editor, Expert player (2214)
Joined: 8/15/2005
Posts: 1941
Location: Mullsjö, Sweden
If you do the glitch Mugg mentioned, you can reenter the level, hold left and you'll land at the exit. Which is faster than playing through the whole level. Edit: Just did a sloppy test: http://dehacked.2y.net/microstorage.php/info/807270039/SML2FirstLevel.vbm (VBAm used) As seen, not optimised at all. And with the pixel trick, you can do the glitch at the first pipe instead of the second. Still, this was 750 frames faster than the current run.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
I thought we already tried this, You can't skip the intro stage by pipe glitch...
Yes, somehow during testing, I didn't test moving to the left like Tompa mentioned. Sorry about that.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
My first SML2 TAS using the new pixel trick! I didn't spend a lot of time doing this, so maybe I lost 1 or 2 pixels somewhere, maybe andymac can have a look at it. This is 19 seconds ahead of the published run. WIP (VBA23, 1.0 ROM)
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
pause glitch testing At least this glitch can do other stuff besides creating/destroying blocks right above Mario. But this is the only outstanding effect of the glitch that I got after 2 hours of testing. Also, it doesn't appear to be possible to crush blocks beneath Mario, only ones directly above him.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
So.. instead of a very quick 15 second finish, I thought maybe the pause glitch could be used in a different way. See here. http://dehacked.2y.net/microstorage.php/info/54288588/sml2NewRoute.vbm I only need to test if I can reach A2D5 from there on out. One crazy idea would be to extend the pipe, but unfortunately as I already said in a previous post, blocks can only be generated directly above Mario. This idea works as small Mario, but there aren't enough objects/enemies to create any lag since I can't shoot any fire balls as small Mario, obviously. EDIT: I forget I still have to quit the stage after crushing a2d5... So maybe this route will end up slower. EDIT2: This strategy is actually slower since I didn't take into account that getting Fire flower or a third shell is too slow. But completing the game visiting only the first level is still a pretty cool thing, right? Glitched background graphics http://www.youtube.com/watch?v=5xcET7f6syM http://dehacked.2y.net/microstorage.php/info/1066455919/sml2GlitchedBGgraphics.vbm
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
But completing the game visiting only the first level is still a pretty cool thing, right?
done http://www.youtube.com/watch?v=YAiuGusrjsk
Joined: 2/20/2011
Posts: 11
MUGG wrote:
But completing the game visiting only the first level is still a pretty cool thing, right?
done http://www.youtube.com/watch?v=YAiuGusrjsk
Mind explaining what's going on here? (especially the first part)
Joined: 6/27/2004
Posts: 55
After going trough the underworld you landed inside an abstract alternative reality and cured the castle! This is some seriously fucked up stuff. :D
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
E1dan wrote:
MUGG wrote:
But completing the game visiting only the first level is still a pretty cool thing, right?
done http://www.youtube.com/watch?v=YAiuGusrjsk
Mind explaining what's going on here? (especially the first part)
There is a pause glitch that occurs when the game lags a lot and you pause, which causes memory to be messed up, so often it will freeze, reset, or - interestingly - just generate a solid or breakable block right above Mario (I don't know why). In the beginning of this video, I get the fireflower and have two shells nearby so I can create lag sufficiently in order to use the pause glitch. I use it to generate blocks so I can go out of bounds. Refer to this image to understand what the garbage area consists of. There may be errors in this image, I made it a long time ago, but the main idea should be visible: You go all the way down to the block that represents 0xA2D5 (SRAM) and break it, which causes the game to run the credits next time you enter a level. I pause the game a few times while still inside the first two rows of garbage. This is to let the game change memory values in places that Mario is about to enter, so the way becomes "solid" and Mario doesn't drop out of the "pipe". Near the end I break the block that represents the autoscrolling flag ( 0xA2C8), in order to kill myself. This is because I can't exit the level without completing it first, and this appeared to be the fastest way of killing myself.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
I've been thinking about this for a while... If I were to do a "fullgame" run, what category or rules should I stick to? * glitchless any%/100% banned glitches: pause glitch, pipe glitch, tree zone 3r OoB, carry items into other levels, enemy spawn glitch, turtle zone 2 wall glitch, other glitches... grey area: pixel trick, corner boosting <-- those are more like exploits rather than glitches, so probably they are allowed. Discuss! * pipe-glitchless no-A2D5 any%/100% allowed glitches: all the aforementioned glitches except for pipe glitch (= 1.1 ROM). going through the game using glitches as seen in andymacs 21 minute run but going out of bounds and breaking A2D5 is banned, the normal ending must be achieved. * pipe glitched no-A2D5 any%/100% allowed glitches: all the aforementioned glitches with no exceptions. This is what we already have: andymac's 21 minute run. Breaking A2D5 is banned, the normal ending must be achieved. -> no real point doing pipe glitched no-a2d5 any% since andymac already did it, albeit with the old pixel trick. * playaround/glitchfest? ta-daa! There are some parts in this video that take too much time (tree zone 3r, hippo level), and the pause glitch has been discovered since, among other things... I'm only thinking about it, not planning anything at all.
Active player (279)
Joined: 4/30/2009
Posts: 791
I think for this game, a glitchless speedrun which completes all exits would be the best way to approach a 100%. Pixel trick/corner boost allowed, since they are positioning based and not really glitches as you say.
Former player
Joined: 6/30/2010
Posts: 1107
Location: Zurich, Switzerland
The rule for a glitchless run could be, that you have to finish each level legitimately by touching the regular (inbounds) exit.
Current project: Gex 3 any% Paused: Gex 64 any% There are no N64 emulators. Just SM64 emulators with hacky support for all the other games.
Joined: 6/4/2009
Posts: 570
Location: 33°07'41"S, 160°42'04"W
andypanther wrote:
The rule for a glitchless run could be, that you have to finish each level legitimately by touching the regular (inbounds) exit.
However this would allow for the bell glitch and the bubble glitch, which should be avoided instead.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Here are the latest two discoveries about this game: * http://www.youtube.com/watch?v=toBoR_Y2uZ4 This trick, which I almost found in December 2009 already, grants access to Wario early. I don't know if it saves time, I think it does. * If you carry over the checkpoint bell to a level that doesn't have one, then exit the level (dying or pause-select), then re-enter the level, you are positioned in the top left corner of the level. In some levels you can wander downwards or upwards if you carry the pipe-glitch state over - this currently only allows access to the garbage data below the level. There's still no known way to access the garbage data above the level directly. Your position doesn't change if you do this on Wario's castle, though. This was already known. What's new is that you aren't positioned to the top left corner in v1.2 - it only happens in v1.0 and v1.1, which means this is a reliable way of finding out what version of the game you have (if you got the actual catridge). This way I found out that my catridge is v1.2, because I didn't get positioned in the top left corner.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Here is a testrun showcasing the new any% route (which means it's an improvement to andymac's 21:43 TAS) http://dehacked.2y.net/microstorage.php/info/1631594978/sml2tastestrun.vbm (UE) v1.0 vba24m It's testrun quality and doesn't use the pixel trick (also I forgot to use pipe death in the first level lol), so I think its 22 minute time is impressive.. Probably it's possible to go below 21 minutes with this route, but I won't make such a run since the pixel trick is too hard for me and due to TASvideos' strange ruling, making the 2 minute run obsolete the fullgame 21 minute run... which means there's no point in doing such a run anymore, sadly. 1st level Tree (1) Pipe death in Macro (1) Pumpkin (all levels) Pipe pause-select in Pumpkin (1) Mario (all levels) Pipe pause-select in Pumpkin (1) Turtle (1) Pipe pause-select in Pumpkin (1) Turtle (2), (3) Pipe pause-select in Pumpkin (1) Macro (1),(secret),(boss) Pipe-death in Macro (1) faster by about 74 frames than pumpkin 1 Tree (2),(leaf),(boss) Space (Hippo),(1),(re-enter 1 for checkpoint bell),(2) take bubble from Space (Hippo) Wario's Castle glitched
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
I tested the pause bug again today, and I managed to change a portion of level memory (and SRAM memory I would think, due to the screen blinking). We're getting closer to a glitched TAS that's under a minute. http://www.youtube.com/watch?v=7eWBPPoAQTo http://dehacked.2y.net/microstorage.php/info/767390219/lightning%2C%20glitched%20up%20row%20inside%20level.vbm
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
The credits glitch from the published TAS works also on the real console. I completed the game in 9 minutes in a test RTA. http://en.twitch.tv/mugg1991/b/316311856
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
I completed the game in 3 minutes 42 seconds on console: http://www.twitch.tv/mugg1991/b/316538077 As for pause bug testing, I got these new results: * another glitched background * a "semi-reset" - The game reset itself and was technically on the title screen but didn't clear the screen so the level where I glitched around was still visible * glitched to Wario from Macro 1, using bubble lag zip. It didn't save the VBM sadly, and I'm not even sure if I used pause. It seems to be some weird "next room" bug where it tried to load a boss from Macro 1, and so I got Wario in a largely glitched up form of Wario's castle. I was able to walk right for a long time, going through some pipes,then I ended up in a certain out of bounds spot that I recognized to be in Wario's castle. (This was verified to be a new glitch - By using lag zip, you can under very special circumstances that I don't understand yet, go to the boss room in levels that don't have a boss. Thus you end up in a glitched version of Wario's rooms where you can only battle the first phase of Wario.) Also it seems to be viable to lag zip all the way into the SRAM, I'll be seeing if this can help improve the glitched TAS.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
About pause glitch again, I've been testing this for a bunch of hours but I get so little successful or interesting outcomes... During a lag roll (when too much stuff is on the screen and it causes you to loop into a direction infinitely or once), I became big Mario for an unknown reason and it almost looked like you could enter SRAM from below and become big at the same time, but I didn't manage to do it. E: Come to think of it, I have deemed it impossible in the past at some point. The only two new outcomes I got were this (small -> big) and another glitched background. If you want you can try yourself: http://dehacked.2y.net/microstorage.php/info/1121448780/3.vbm VBM http://pastebin.com/GKdf1PnN (lua that darkens the screen to make pause autofiring less head-ache inducing, and also shows some stuff onscreen) --- I noticed the pause bug that I got some months ago, that changed level data and made the screen blink a bit has resemblances with a kind of bug that glitches up the screen for 1 frame and then resets the game or makes the game turn white forever. The resemblance showed up when I compared that vbm with one of my glitched background vbms on different versions of the game. So in a nutshell, I think the outcome may be somewhat level dependent, to some extent. And a very special condition must be met for that certain glitch (level data change; glitched background) to happen. Right now this is just useless theorizing and I need to do more testing, possibly in other levels. --- Apparently you can do pipe glitch death not only on 1.0 but on 1.1. It's only fixed in 1.2, whereas the normal pipe glitch is fixed in 1.1 and 1.2.
Joined: 1/18/2006
Posts: 27
Location: Samsara
I've been doing some testing and debugging of the pause glitch, and I seem to have figured out how it works! The reason it happens is a bit technical, so bear with me:
  • Every frame the normal program flow is "interrupted" by the VBlank interrupt, which draws the graphics to the screen. The code that does this is called the VBlank interrupt.
  • After the VBlank interrupt, the program normally returns exactly to where it left off.
  • Sometimes a bank can be switched during the VBlank interrupt. Normally this isn't a problem, because the VBlank normally only occurs when code in bank 0 (code from 0000-3FFF) is being executed. It looks like normally the game tries to switch back the bank to what it was, but fails sometimes.
  • Notably, the bank is always switched from 4 -> 1 during VBlank when the game is paused.
  • In certain situations, the game will return to the the wrong bank, and resume execution in the wrong place -- this is how the glitch occurs!
  • I haven't quite figured out why this occurs, but it seems to have to do with lag caused by having too many objects on screen.
So in short, some situations, notably pausing, cause the game to switch banks during VBlank. Sometimes, the game will return to the wrong code (this happens when the return address is >=0x4000) and glitches will happen. I made a Lua script to investigate the glitch. It will constantly spit out information about the VBlank in the debug menu and will pause VBA when the glitch occurs. (Try it on some of the vbm's mugg posted!) pause_glitch.lua: http://slexy.org/view/s2aZxMaoKS I also did a more in-depth analysis of the video MUGG posted where it corrupted the level (http://dehacked.2y.net/microstorage.php/info/767390219/lightning%2C%20glitched%20up%20row%20inside%20level.vbm): Using my Lua script, you can see that the glitch occurs when the game should be returning to 4:4067, but returns to 1:4067. The code at 1:4067 just happens to jump to A201 and execute the code there. This is remarkable because A201 is in SRAM and is manipulable by the object duplication glitch! Strangely enough, this isn't even what causes the level to be corrupted - that has to do with the next VBlank, and doesn't really seem important to me. The code that the game actually runs at A201 mostly doesn't do anything and then hits a STOP instruction, which causes it to wait until the next VBlank. This is important because it stops the game from running a bunch of garbage code and crashing. Sorry if that's all too technical, so let me summarize: We can use the pause glitch to run arbitrary code from an area of RAM we can control! I think a with a little more testing and cleverness we could easily use this to set A2D5. (One final note: an alternative to setting A2D5 is setting FFB9 to 12,13, or 23 -- this will skip to the credits directly without having to die first. 13 hits the cutscene two frames before 23 and one frame before 12 - although I'm not sure that matters if last input is how movie length is counted.) Edit: Seems obvious in retrospect, but what's causing the the glitch is a VBlank happening before the previous VBlank is finished. This is probably caused by lag - possibly it trying to draw too many objects and taking too long to finish. In practical terms, this means the only possible return addresses we can exploit are inside VBlank - which is good, because it should make manipulation a bit less of a guessing game. Summary of return addresses of various glitch executions: 4067 - this runs code at A201 - the holy grail is being able to hit this after manipulating A201 to the code we want to run 5911 - causes a coin to appear 51D5 - freezes game 5916 - causes block to appear 4035 - glitched graphics (may be exploitable?) Edit 2: New version of the Lua script: http://slexy.org/view/s2PmJh4Gdv This one assists in automatically triggering the pause glitch. Simple create a savestate in an area with lots of lag (I use the macro zone - wait just offscreen by the ant until the timer is ~333, and the game will be really laggy when you scroll the rocks on screen), then hold G to trigger the glitch. Here's some more return addresses I was able to trigger: 4074 - soft reset 51C1,51C5,51D4,51D6,51D7 - freeze 58F7 - soft reset 590E,5914 - coin 5916 - break a block (glitch block appears) triggered this twicem, only one time a block appeared 7FED,7FEF,7FFC - soft reset Edit 3: Unfortunately I didn't record a movie of this, but I was spin jumping while running the Lua script and this happened - I zipped upwards into glitch world, fell back down and the level was corrupted. Note that the pause glitch didn't trigger this. So it looks like the level corruption glitch is actually separate from the pause glitch.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Any updates? We haven't conversed on Youtube for a month
Joined: 1/18/2006
Posts: 27
Location: Samsara
I wasn't able to exploit it any further, except that I was able to get reproduce the level corruption glitch in the first level of the game (returning to 4067) and confirm that it executed code at A201. This is good news, since we should be able to perform the glitch in the first level. Unfortunately, I had a really hard time manipulating the values around A201 into meaningful code, and further, figuring out how to get it to return to 4067 while also manipulating those values. I get the sense that you would need an extraordinary amount of luck to get the proper values. I considered the possibility of coding some sort of bot to brute force the manipulation, but there didn't really seem to be enough interest in the posts I'd made here for me to put that much work into exploiting this. Also, I found an easy method of manipulating the glitch in the first level: run to the part of the level that has the star, hit the heart, then get the star, and run around the without getting the heart. If you jump (or better, spin jump) near the edge of the screen the glitch is triggered pretty easily. (Using my script to auto pause when there is lag.) Here's the latest version of the script, not sure I posted it here: http://slexy.org/view/s202A5h2BW
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
but there didn't really seem to be enough interest in the posts I'd made here for me to put that much work into exploiting this.
You might not be getting feedback here. I only suggested it in the first place so that your discoveries are archived here and there is easy access to them. I'm not really sure what to say to encourage you. Beating the game in 2 minutes is already crazy, but beating it in 30 seconds would be an even greater accomplishment. I will be really happy about such a run and hundred thousand people on nicovideo would watch that, too. All I can really do is test out your scripts again and again. I was able to execute A201 code a few times with the instructions you gave me. I think it may be possible even earlier. You say executing A201 code is difficult, because it's hard to manipulate. Did you try entering custom values into those addresses at the right frame to see if it does something desireable? So that we know we're on the right track? I hope that you don't give up. Finalfighter has done crazy things to Rockman, he ran bots over 2 weeks to brute force something and put I-don't-know-how-much-time into that game. Other TASers accomplished crazy things in other games, see the glitched Pokemon Yellow TAS... or the recent one that runs custom code (Control Hack or what it's called). Please keep going!
Joined: 1/18/2006
Posts: 27
Location: Samsara
MUGG wrote:
You say executing A201 code is difficult, because it's hard to manipulate. Did you try entering custom values into those addresses at the right frame to see if it does something desireable? So that we know we're on the right track? I hope that you don't give up. Finalfighter has done crazy things to Rockman, he ran bots over 2 weeks to brute force something and put I-don't-know-how-much-time into that game. Other TASers accomplished crazy things in other games, see the glitched Pokemon Yellow TAS... or the recent one that runs custom code (Control Hack or what it's called). Please keep going!
Yeah actually I did try that, and I was able to get it to jump to the credits screen. I was also able to do a simple proof of concept Total Control hack (like the Pokemon Yellow thing), but that would be much harder to manipulate. I think it will be possible, but there are some restrictions, for example, several of the values from A201-A210 change at the same time and depend on the same thing (eg. where you are on the screen), so there are certain pairs of values that must be used, where one of the values is something like FF which results in a freeze. This ends up giving us weird restrictions like mario must be facing right when the glitch is executed, he must be at a certain height of his jump, etc. But anyway, thanks for the encouragement, I'll take another look and see what I can do. :) If you've found a place earlier in the first level where the glitch is easily repeatable could you upload a vbm? My guess is if I make a bot that successfully manipulates the A201 values and executes the glitch we won't have much chance to optimize the start afterwards.
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Making an optimized VBM is hard because of the pixel trick. I could make VBMs that don't use the pixel trick though. If I try it in the very beginning like here, I hardly get any results. If I take the koopa shell to the breakable blocks with a koopa on them, and spinjump through the whole thing, I get a lot of lag and many results, but I haven't seen A201 (or is it 4201 , I don't know). log:
*** GLITCH - 7FE9 ***
*** GLITCH - 51D4 ***
*** GLITCH - 51D5 ***
*** GLITCH - 51C1 ***
*** GLITCH - 7FED ***
*** GLITCH - 51DB ***
*** GLITCH - 51D6 ***
*** GLITCH - 5920 ***
*** GLITCH - 7FE7 ***
*** GLITCH - 5914 ***
*** GLITCH - 5914 ***
*** GLITCH - 5914 ***
*** GLITCH - 4033 ***
*** GLITCH - 4033 ***
*** GLITCH - 5916 ***
*** GLITCH - 4033 ***
*** GLITCH - 4033 ***
*** GLITCH - 4033 ***
*** GLITCH - 5901 ***
*** GLITCH - 51C5 ***
*** GLITCH - 5918 ***
*** GLITCH - 5907 ***
*** GLITCH - 51D4 ***
*** GLITCH - 51D5 ***
*** GLITCH - 7FF1 ***
*** GLITCH - 58FA ***
*** GLITCH - 51D4 ***
*** GLITCH - 5907 ***
*** GLITCH - 51D4 ***
*** GLITCH - 7FEF ***
*** GLITCH - 51D4 ***
*** GLITCH - 51D4 ***
*** GLITCH - 5917 ***
*** GLITCH - 4035 ***
*** GLITCH - 51D5 ***
*** GLITCH - 7FFA ***
*** GLITCH - 4074 ***
*** GLITCH - 4030 ***
*** GLITCH - 51D7 ***
*** GLITCH - 4030 ***
*** GLITCH - 7FF7 ***
*** GLITCH - 4030 ***
*** GLITCH - 51D7 ***
*** GLITCH - 4030 ***
*** GLITCH - 51D7 ***
*** GLITCH - 4030 ***
*** GLITCH - 51D7 ***
*** GLITCH - 4030 ***
*** GLITCH - 4074 ***
*** GLITCH - 51D4 ***
*** GLITCH - 51D4 ***
*** GLITCH - 51C1 ***
*** GLITCH - 51C1 ***
*** GLITCH - 51C1 ***
*** GLITCH - 4071 ***
*** GLITCH - 5923 ***
*** GLITCH - 4077 ***
*** GLITCH - 7FF7 ***
*** GLITCH - 51D6 ***
*** GLITCH - 5918 ***
*** GLITCH - 5901 ***
*** GLITCH - 7FED ***
*** GLITCH - 5907 ***
*** GLITCH - 51D4 ***
*** GLITCH - 7FEB ***
*** GLITCH - 7FEB ***
*** GLITCH - 7FEB ***
*** GLITCH - 51D6 ***
*** GLITCH - 51D5 ***
*** GLITCH - 7FEB ***
*** GLITCH - 5923 ***
*** GLITCH - 5907 ***
*** GLITCH - 51D4 ***
*** GLITCH - 5917 ***
*** GLITCH - 58FE ***
*** GLITCH - 7FF3 ***
*** GLITCH - 5920 ***
*** GLITCH - 51D4 ***
*** GLITCH - 7FF5 ***
*** GLITCH - 5916 ***
*** GLITCH - 5918 ***
*** GLITCH - 7FEB ***
*** GLITCH - 5916 ***
*** GLITCH - 51D4 ***
*** GLITCH - 7FE7 ***
*** GLITCH - 5916 ***
*** GLITCH - 4071 ***
*** GLITCH - 4131 ***
*** GLITCH - 51D3 ***
*** GLITCH - 7FEF ***
*** GLITCH - 51D4 ***
*** GLITCH - 7FF7 ***
*** GLITCH - 7FFA ***
*** GLITCH - 7FFA ***
*** GLITCH - 7FEF ***
*** GLITCH - 7FED ***
*** GLITCH - 7FED ***
*** GLITCH - 5914 ***
*** GLITCH - 51D5 ***
*** GLITCH - 4C4A ***
*** GLITCH - 4C4A ***
*** GLITCH - 4C4A ***
*** GLITCH - 51D3 ***
*** GLITCH - 51D5 ***
*** GLITCH - 51D5 ***
*** GLITCH - 51C3 ***
*** GLITCH - 51C3 ***
*** GLITCH - 591D ***
*** GLITCH - 7FE9 ***
*** GLITCH - 5907 ***
*** GLITCH - 5914 ***
http://dehacked.2y.net/microstorage.php/info/1445298149/sml2crash.vbm If it's not too much trouble, I suggest you try making a test run, just entering the first level without optimizing your movement but still going at a steady pace. If you then manage to do 'something' in the testrun, then I can make an optimized VBM. Ok?
1 2
5 6 7 8