1 2
16 17 18
24 25
Posted: 12/5/2015 11:19 AM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
I tried to research some stuff today. -I wanted to find an address that determines if the brothers are together or split. But I couldn't find it. - I found some in-battle addresses for the brothers. These seem fixed - the addresses don't change. 
EWRAM

9c8e mario hp
9c94  mario bp
9c9a  mario pow
9c9c  mario def
9c9e  mario spd
9ca0  mario stache

9bb0 mario x 
9bb4 mario altitude
9bb8 mario y

-----

9dbe luigi hp
9dc4 luigi bp
9dca  luigi pow
9dcc   luigi def
9dce  luigi spd
9dd0  luigi stache

9ce0  luigi x
9ce4  luigi altitude 
9ce8  luigi y
- I found some enemy addresses too. The problem is that I barely understand how those addresses are organised. In addition, those addresses seem dynamic. But here is what I found. For one given enemy, the addresses have been like this: 
8acc x pos (4byte)
8ad0 y pos (4byte)
8ad4 altitude (4byte)
8ad8 z pos (4byte)  ?

8b34 size of shade
8b35 dont display shade if nonzero
8b40-8b6f enemy specific
8b70-8b73 triggers enemy hitstun animation 

8b8c xpos of starting location (4byte)
8b90 ypos of starting location (4byte)
8b94 altitude of starting location (4byte)

8b98-8b9f pointers to rom function? Is enemy specific

8baa enemy health

8bd2-8bd3 status effects/ailments:
These are the actual flags
But I think if you edit an enemy to have the "Pow raised" flag, it doesn't actually do anything. There seem to be extra addresses that multiply def/pow.
0000 0000 0000 0001 = stunned
0000 0000 0000 0010 = ?
0000 0000 0000 0100 = ?
0000 0000 0000 1000 = ? 
0000 0000 0001 0000 = ?
0000 0000 0010 0000 = ?
0000 0000 0100 0000 = ?
0000 0000 1000 0000 = ?
0000 0001 0000 0000 = fire (1)
0000 0010 0000 0000 = fire (2)
0000 0100 0000 0000 = pow raised
0000 1000 0000 0000 = pow dropped
0001 0000 0000 0000 = def raised
0010 0000 0000 0000 = def dropped
0100 0000 0000 0000 = spd raised
1000 0000 0000 0000 = spd dropped

8bd9 pow multiplier ? (1 byte)

8bb8 def?
8bba speed
8bbe pow
8bc2 number of turns this enemy has had
I need: - address that tells an enemy's dropped items/money. - address that tells an enemy's type (enemy ID). - brothers' status ailments - information on how battle order works. I only know it depends on what your or the enemies' speed is. But what exactly happens, I would be interested to know. It would be cool to make the luascript tell what is going to be the battle order. I think I will not be able to make something like "make your own battles" or "customize". But I should be able to make a basic display of everyone's stats and make them editable.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 12/7/2015 3:41 PM
(Edited: 12/9/2015 2:18 PM)
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
The enemy data's position is somewhat dynamic; the battles I tested on had the enemy data in the 9500-9700 range. I'm pretty sure Mario and Luigi's data moves around as well, unfortunately. POW, DEF (and SPD?) modifiers are two bytes, with 0x100 = normal. I don't think item drop data is stored in the enemy's battle RAM data, at least not in the same format as in the ROM's enemy data. I can look into exact positions for some of this stuff, enemy ID, and so forth later tonight. Edit: Here's all the stuff I know about. The enemy I tested on's current health is at x020096AA for reference; everything is 2 bytes except the level. Enemy ID = 96A0. Level = 96A9 (1 byte) Current HP = 96AA Max HP = 96AC (Base) DEF = 96B8 SPEED = 96BA STACHE = 96BC POW Multiplier = 96BE DEF Multiplier = 96C0 SPEED Multiplier = 96D0 Not sure how SPEED affects turn order, but it's definitely taken into account before the "end" of the turn; e.g. if Mario SPD > Luigi SPD > Tanoomba SPD and it's Mario's turn, if I hex edit Tanoomba's SPD / SPD multiplier to something above Mario's, it will move after Mario and before Luigi, and then before Mario on subsequent turns. Editing the enemy ID doesn't seem to have any effect, but you can use it as an index into the enemy data in the ROM to get EXP, coins, and item drop info: EXP = (Starting address) + 0x2C * (Enemy ID) + 0x24 Coins = (Starting address) + 0x2C * (Enemy ID) + 0x26 Item 1 = (Starting address) + 0x2C * (Enemy ID) + 0x28 Item 2 = (Starting address) + 0x2C * (Enemy ID) + 0x2A The starting address is x08500A98 in (U), and x083E97F0 in (J). Not sure about (E), but the stats should be the same as in (U). The Item 1 / 2 data contains both the type and drop rate of the item. The first four bits are the item category (0 = nothing, 1 = badge, 2 = gear, 3 = bean, 4 = item), the next seven are the item type (starting with 0 = Mushroom, Bean Badge, Work Pants, Woo Bean; order is the same as my guide), and the last five are the drop rate out of 31. Example: Super Syrup with drop rate 15/31 = 412F = binary [0100][0001001][01111].
Posted: 12/8/2015 4:26 AM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
Don't know how much of this is known already, but here's the formula for calculating the result of a rand[0, N): x2001e60 = rand steps left before restarting / regenerating random buffer (counts down from x270) x2001e64 = address of current random seed (x2001e60 - 4 * number in x2001e60) Given variable X = the value pointed by x2001e64: X ^= (X >> 11) X ^= (X << 7) & x9D2C5680 X ^= (X << 15) & xEFC60000 X ^= (X >> 18) The result of this calculation is multiplied by N to produce a 64-bit integer, then shifted right 32 bits to yield a number between 0 and N-1. Not sure how the random numbers are regenerated when the they're exhausted, but for most cases, this should be useful for determining the result of a single RNG roll on a frame (e.g. Lucky! attacks). EDIT: A cursory Google search suggests this is the MT-19937 random engine, if that's of any use. Here's a C implementation that looks identical to the one used in the game (besides the initial seeding, potentially). I'll see if I can't write a lua script to predict the next ten or so random numbers later.
Posted: 12/9/2015 4:14 AM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
Finished the script; this shows the next ten RNG values, as well as the corresponding rand_range(0,100) value. At the very least, I'm able to predict whether the next hit will be Lucky! or not using the formulas on the previous page! It works on both (U) and (J), I presume it works the same on (E). Here's the script; feel free to integrate it into the next version of your big M&L script. https://dl.dropboxusercontent.com/u/64507723/mlss_rng_viewer.lua Preview: EDIT: It appears that the random seeds to reset every time a battle starts, probably seeded based on a global timer or something; I set the whole random page to 0's during a battle, and it stayed that way until the next time I started one. I may look into it, but barring special conditions like that, the next several values should be completely deterministic. EDIT again: Apparently the minecart mini-game uses the RNG, but does not reset it before starting. Starting with a full page of zeroes has... interesting effects. No other replayable mini-game uses the RNG, as far as I can find.
Posted: 12/9/2015 6:29 PM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
Your item stat guide https://www.dropbox.com/s/beg7ugxqc5kerqq/mlss_uj_allstats.xlsx?dl=0 doesn't tell which badges can be used by which brother in J and U. I would like this information if possible. As for your other findings, good stuff! I'll look at it at a later time and try to add it to the script.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 12/9/2015 7:55 PM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
All badges can be used by both Bros. in both versions, I believe. EDIT: Updated my RNG script with correct use of locals, and a couple more functions. untwist(n) takes a hex value, and returns the random seed required to produce that value. getseedfornum(x,mx) is similar, returning a random seed that gives the value x when rand-ranged on [0, mx). For example, getseedfornum(10,100) gives the seed 0x4B72A7A8; if you replace the currently pointed-to RNG seed with that one, the next RNG will be 0x1999999A, which is the smallest value that comes out to 10 in the range [0, 100). Calling untwist(0x1999999A) gives the same seed, but I thought the extra layer of abstraction would be more useful. RNG viewer script: https://dl.dropboxusercontent.com/u/64507723/mlss_rng_viewer.lua
Posted: 12/10/2015 11:28 PM
(Edited: 12/12/2015 2:36 AM)
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
OK, found a bit more stuff. Battle data is arranged in eight blocks of 0x130 bytes, starting at the address in 0x03000FDC (U,E) / 0x03000FE0 (J). There are also pointers in 0x03003FA4-C0 (C4-E0 in (J)) to each of the actors' battle data. Mario and Luigi are always the last two blocks, and the enemies take up some number of the first six. Some of the addresses above, relative to the start of a block: 
addr  size value
--------------------
0x018 word current xpos
0x01c word current ypos
0x020 word current altitude
0x0d8 word starting xpos
0x0dc word starting ypos
0x0e0 word starting altitude
0x0ec half enemy ID
0x0f5 byte level
0x0f6 half current HP
0x0f8 half max HP
0x0fa half HP - old value, when changing
0x0fc half current BP
0x0fe half max BP
0x100 half BP - old value, when changing
0x102 half pow (Bros. only)
0x104 half def
0x106 half speed
0x108 half stache (includes Lucky Mushroom)
0x10a half pow multiplier
0x10c half def multiplier
0x11c half speed multiplier
0x11e half status effect flags
0x12b byte badge effect +1
0x12c byte gear effect +1
0x12d byte pin effect +1
As for turn order stuff, this appears to be the formula: When choosing an actor to move, all eight actor slots are considered (I believe dead actors are treated the same as live ones). The following are special cases: - If the actor doesn't exist, nothing happens. - If the actor has already moved this turn, they are not considered. If the actor is eligible for a move this turn (i.e., it does not meet those two criteria): - Their (spd * spd multiplier) >> 8 is compared with the highest thus far. - If it is higher (or the first eligible actor), they will be the next to move. - If it is lower, ignore the actor, it cannot be the next to move. - If it is the same, generate a number N in range [0, # of actors thus far with that value); the N'th of those actors (0-indexed, in actor order) will be the next to move. As an example, given the start of a battle on (U) with three Paratroopeas, Mario (speed 120), and Luigi (speed 20): - Paratroopea 1 considered (speed = 80). First actor to be considered, so it is the next to move by default. - Paratroopea 2 considered (speed = 80). Tie with the current highest speed, so RNG is rolled for range [0, 2). Result is 1, so second Paratroopea becomes the next to move. - Paratroopea 3 considered (speed = 80). Tie with the current highest speed, so RNG is rolled for range [0, 3). Result is 0, so first Paratroopea again becomes the next to move. - <skips next three actors> - Mario considered (speed = 120). His speed is highest, so he becomes the next to move. - Luigi considered (speed = 20). His speed is lower than the current highest (Mario's), so he is ignored. - All actors have been considered; Mario gets to move next, and will not be considered again until all actors have taken a turn. I presume there are special cases for the Mario Follow / Mario Ahead effects that skip Luigi and make him move before / after Mario in the event he is selected.
Posted: 12/11/2015 2:52 AM
Quote
BioSpark
Editor, Player (95)
Joined: 5/27/2006
Posts: 240
That is quite useful information. I don't have time to work on the damage prediction script, but it seems now you have all the pieces necessary for such a script. Also, I assume a lot of the other values for battle data are graphics related or are pointers to enemy AI, name, etc. It seems you've found the most important stuff already.
Posted: 12/12/2015 3:28 AM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
Huh. I was wondering why the RNG ran four times when you use a solo-hammer attack instead of just twice (once for the Lucky! roll and once for the hammer damage if that fails). Turns out it does three separate rolls, and calculates the following three values (for Luigi, Mario's are somewhat different): 1.0 + 0.15 * rand1[0, 3), 0.9 + 0.23 * rand2[0, 3), 0.8 + 0.30 * rand3[0, 3). But then it just ignores the former two and always uses the third one. So when doing a solo-hammer, if the first RNG value won't get you a Lucky!, the fourth value is the one that determines the amount of damage you do. EDIT: Agh, scratch that, the solo-hammer damage ranges change based on Normal / Super / Ultra Hammers!!! I'll have to find out a bunch of these constants again. At least the Bros. Attacks' constants appear to not vary. EDIT again: Yeah, solo Hammer constants in all versions (Lucky doesn't change): Normal Hammers = xE6 / x100 / x119 (M), x100 / x126 / x14C (L), 2nd RNG value Super Hammers = xCC / x100 / x133 (M), xE6 / x121 / x15C (L), 3rd RNG value Ultra Hammers = xCC / x10C / x14C (M), xCC / x119 / x166 (L), 4th RNG value Funny that Luigi's average damage output actually drops with the "stronger" hammers. Updated constants guide: https://dl.dropboxusercontent.com/u/64507723/mlss_damage_disassembly.txt I might try to put together a script to calculate damage in the (U) version later tonight or tomorrow.
Posted: 12/12/2015 4:34 PM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
Finished the first draft of the damage-calculation script: https://dl.dropboxusercontent.com/u/64507723/mlss_dmg_calculator.lua Known issues: - Only supports (U) version thus far. - No way to filter out attacks that aren't available. - Doesn't handle Great Force properly if the wearer is not in-battle or is dead. - Rare off-by-one errors. - Might have forgotten some attack immunity cases? Screenshot of the script in action: Shows the next four RNG values, and the damage of every attack on the first enemy. First two columns: Mario / Luigi solo jump, hammer, hand, jump-counter, hammer-counter Third column: Splash Bros., Chopper Bros. (1st hit), Fire Bros. (1 ball), Swing Bros. (perfect hit) Fourth column: Splash Adv., Chopper Adv. (1st hit), Fire Adv. (1 ball), Swing Adv. (perfect + extra hit) Fifth column: Bounce Bros., Knockback Bros., Thunder Bros., Cyclone Bros. (1 hit) Sixth column: Bounce Adv. (1 hit), Knockback Adv. (1st hit), Thunder Adv., Cyclone Adv. (1 hit + extra hit) Each move has a calculation function, like mariojump(M) or chopperbrosadv(M, N); M is the enemy targeted (0-5), and N is the total damage from the first N hits.
Posted: 12/26/2015 2:48 PM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
I will probably never really get around to working on damage prediction, item cost/sell prediction and RNG display. So is it going to be ok with you guys if you work on these and I add them to my script and give you credit? If yes: jdaster, will you refine your damage script to fix the known issues? For attacks that hit multiple times, it would be good to know how much damage the 2nd, 3rd etc. hits deal. Are you adding (J) support? --- I'd like to make a script "go to any room", so I need some information. If you can help me, I'd appreciate it. - addresses related to room ID and entrance point ID (which loading zone it is entered from) - can you force a fade-out and load the new room (by editing memory) without having to travel onto a loading zone? - otherwise, what address can be edited to force a custom room to load after you have walked into a loading zone? Thanks all.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 12/28/2015 3:14 PM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
I could finish the damage calculation and item price scripts, though it'll probably be a couple of weeks before I have the time. Don't really know anything about how warping / screen transitions work, but I might look into it.
Posted: 1/13/2016 4:06 AM
Quote
jdaster64
He/Him
Joined: 12/1/2012
Posts: 103
Location: New Donk City
Well, I feel silly. The thing I thought was a damage rounding error was when I used Thunder Bros., then noticed the value that showed afterwards was wrong; I failed to notice that the enemy's DEF dropped, and the value shown originally was correct. Also, I didn't mention this explicitly before, but the script already supports calculating the total damage for any number of hits on a multi-hit attack; it just shows the damage for the first hit in the test script. I'll probably try add JP / EU support to the damage script and write the item price script within the next couple of weeks. I don't think I'll bother doing proper Great Force checking; it works in most cases, and since that's the last thing in the damage calculation, it's easy enough to work around in the ones that it doesn't.
Posted: 3/9/2016 10:30 AM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
MLSS Luascript v0.8 MLSS Luascript v0.8 r1 Sorry, this does not have the things I promised, only very small changes. I basicly sat on this version for 3 months and didn't have the strength to put more work into it yet so I figured I might as well release what I had. This version now assumes you are on Bizhawk 1.11.6. 
Changes in 0.8 r1
- Fixed that "Basic Info" didn't show anything.
- Other minor fixes.

Changes in 0.8
- Item Display: When in edit mode, you can no longer equip Pants or Badges that you don't have enough of.
- Item Display: When in edit mode, you can no longer equip the same coffee item to both brothers at the same time.
- Item Display: When in edit mode, you can no longer equip Pants that weren't meant for either Mario or Luigi.
- Edit Position: Added "Move around" amount slider.
- Console Notifications: Will now keep track of green pipe changes.
- Console Notifications: Will now keep track of item changes.
EDIT: I added new download above.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 3/20/2016 5:08 PM
(Edited: 4/1/2016 9:21 AM)
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
MLSS Luascript v0.9 MLSS Luascript v0.9 r1 
Changes in v0.9
- Added Battle Display. Shows Mario/Luigi HP/BP and enemy HP for now.
- Console Notifications: Fixed script crash that sometimes happened when loading a savestate.
- Fixed terrible performance caused by the script always skimming through your items and green pipes instead of only when needed.
- Script can now be interacted with while emu is paused. When playing Snake, emu pauses until you are done playing.
- Fixed other minor bugs:
-- Position Display: Fixed minor bug that happened with high numbers.
-- Basic Info: Fixed minor bugs related to input display.
Changes in v0.9 r1
- Basic Info: Fixed that the bros' stats didn't update at all.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 3/21/2016 12:51 AM
Quote
Weegeechan
Former player
Joined: 4/18/2015
Posts: 168
Location: Canada
MUGG, thanks to your awesome lua script, I've been doing some Mario & Luigi glitch hunting today! With it, I was able to find what I think is a new clip and it almost led to a suitcase skip. So in other words, it's completely useless since skipping the suitcase would be pointless :P Link to video Anyways, you can get OoB in the first area by aligning Luigi into a precise position then jumping behind him into another precise position. When you get into the correct spot, moving down into Luigi's body will eject you into the northern wall. Then moving up will send Mario flying high OoB. You can't move very far from here and it's not possible to jump over Toadsworth's trigger for the suitcase. There is still an invisible wall that stops you at Y:14080 and getting past the trigger requires to be at Y:14064 or lower. It would be completely useless anyways since it doesn't seem the suitcase can be activated any other way. Here's a short movie file if anyone wants to try this out themselves: Clip Test Bk2 File
Posted: 3/21/2016 7:55 AM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
I can't seem to get Luigi to that spot. Did you edit his position or is this legit in the game? Otherwise... I feel flattered :P I actually didn't know about this kind of clip. Maybe it can be useful in other places! Points of interest: - Clip onto the ledge after the Hijump/Spinjump tutorial - ...
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 3/21/2016 8:32 PM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
I can get the Luigi clip to work. He does move to that spot but you have to be precise about your movement. I can't get the clip to work on other NPCs though, even after extensive testing with editing memory addresses and whatnot. I can tell this: - The luigi that you can clip on is an NPC, not the same luigi that you can control in the game. - That NPC-Luigi has some kind of event running. He moves depending on where you move. So he is not like most other NPCs - This might explain why the clip works on him and not others. - More likely explanation for me, however, is that all NPCs have their own width, length and height. Luigi looks to have more length than the nearby Toad in that room (the male one). This property means you get ejected to the top more. But I could be completely wrong. It's all theory right now.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 3/22/2016 12:56 AM
Quote
Weegeechan
Former player
Joined: 4/18/2015
Posts: 168
Location: Canada
MUGG wrote:
I can get the Luigi clip to work. He does move to that spot but you have to be precise about your movement. I can't get the clip to work on other NPCs though, even after extensive testing with editing memory addresses and whatnot. I can tell this: - The luigi that you can clip on is an NPC, not the same luigi that you can control in the game. - That NPC-Luigi has some kind of event running. He moves depending on where you move. So he is not like most other NPCs - This might explain why the clip works on him and not others. - More likely explanation for me, however, is that all NPCs have their own width, length and height. Luigi looks to have more length than the nearby Toad in that room (the male one). This property means you get ejected to the top more. But I could be completely wrong. It's all theory right now.
Ya, I noticed a few NPC's have different height and are a little easier to jump over. That could be the reason why it's easier to clip with Luigi. Maybe he has a bigger hitbox overall? I also feel like the reason the clip works might be because when Luigi is walking forward he is pushing Mario into the wall and OoB. I'm semi-playing through the game right now, glitch hunting as I go, so I'll definitely be messing around with this.
Posted: 4/1/2016 6:36 PM
Post subject: added note
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
MLSS Script v0.10 MLSS Script v0.10 r1 preview image wiki page Notes - Before using, go to Config>Display and turn off "Stretch by integers only". - Stats shown in "Basic Info Display" are out-of-battle. Stats shown by "Battle Display" are in-battle. - I learned that the game crashes if you get hit in-battle while you have more than 32767 HP, because the ingame display can't handle it. - I learned that Red and Green Pepper boost to x1.25 in Japan, but x1.5 in English. The Pepper glitch works only on English. 
Changes in 0.10
- Minor bugfixes and changes here and there.
- Added "Add more space": You can now set extra screen space to move displays into. The script does not account for displays ending up off-screen, so be careful.
- Battle Display: Now accounts for camera scrolling.
- Battle Display: You can click on a field to show more stats per enemy.
- Notifications: Keeps track of in-battle changes (currently only health).
- Added "Run while paused" option, because I don't like the flickering when frame-advancing... 
Changes in 0.10 r1
- Battle: Fix camera position bug.
- Notifications: Buggy notifications when loadstating from titlescreen to ingame should not show up anymore.
I need an address that indicates if I control Mario, Luigi or both. I wasn't able to find it... I think I will add RNG display next.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 4/13/2016 5:50 PM
(Edited: 4/13/2016 6:50 PM)
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
I don't know why it didn't occur to me before but I think there is a very real possibility to corrupt savegames by subframe resetting. From what I've seen, the game doesn't seem to have any checksum protection. Unfortunately, it looks like no rerecording GBA emulator is capable of doing subframe stuff yet. I first researched savegames in November 2014. If my calculation is right, savegame file 1 has memory dedicated to it ranging from address $02001E80 to $02002578. That's a range of 0x6F8. $02001E90 keeps track of the room you were in. If this is 0x1DF, 0x1E or 0x1C7 upon loading, you are in one of the last screens and the ending will trigger automatically. So the idea now was to interrupt the write to that address during the save. But the write seems to occur in one chunk, as a 'word' (2 bytes). Still, maybe there is some other way to abuse this. I've been trying to use memory write/read register lua functions but I haven't been very lucky. My test on Bizhawk yielded: The mgba-core does a print telling that memory callbacks aren't supported. The VBA-core, nothing seems to happen. Maybe the lua implementation is broken. See here for my inquiry. So I looked at the standalone VBA 24m. My script for it works, but I can't pause or do anything until after the frame ends. I can read the memory addresses following $02001E90. During frame 14001, $02001E90 gets written to which fires my function that reads the upcoming addresses. The reads all yielded 0. At the end of that frame, all those addresses have been written to (as you can see in the memory viewer). I don't know if the game performs any check if nothing has gone awry during that crucial frame, but I haven't seen anything that indicates that yet. Maybe I will investigate this some more and if I see the chance of a very quick theoretical TAS, I will make it. 
Language: Lua
--mlsstestVBA.lua
function NumToHex(IN)
    local B,K,OUT,I,D=16,"0123456789ABCDEF","",0
    while IN>0 do
        I=I+1
        IN,D=math.floor(IN/B),math.mod(IN,B)+1
        OUT=string.sub(K,D,D)..OUT
    end
    return OUT
end

write_1E90 = function()

	emu.pause()
	
	print(emu.framecount()..": Write to $02001E90 occured.")
	print("$02001E90 now reads ".. NumToHex(memory.readwordsigned(0x02001E90)))
	print("Next memory addresses read:")
	
	counter=0
	for k, v in pairs( memory.readbyterange(0x02001E92,10) ) do
		print(NumToHex(0x02001E92+counter) ..": ".. v)
		counter=counter+1
	end
	
	print("---")
end

memory.registerwrite(0x02001E90,write_1E90)


while true do

emu.frameadvance()
end
Edit: I think there is a checksum protection after all. I've seen it delete my custom save upon reset sometimes. Also, I think savegame abuse is not possible. The room ID gets written in one piece and that's the only lead I had.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 4/13/2016 6:39 PM
Quote
jlun2
Skilled player (1738)
Joined: 9/17/2009
Posts: 4980
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
GBA TASer of 2010
Can you manually edit the save file and check if the game still loads it? Also if this leads to something, maybe request for subframe input.
LLCoolDave wrote:
This seems to be competing for the "Worst looking TAS of 2011" Award.
Posted: 4/13/2016 7:55 PM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
Yes, I can edit it and load it. But after more testing, it looks like the game will always delete (or overwrite with the previous savegame) when resetting before the save is finished. So this is not going to lead to anything after all.
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 4/30/2016 11:35 AM
Quote
MUGG
Editor, Expert player (2329)
Joined: 5/15/2007
Posts: 3933
Location: Germany
Gameboy TASer of 2015 NES TAS of 2013 Gameboy TASer of 2011 Gameboy TASer of 2010
jdaster64 wrote:
Finished the first draft of the damage-calculation script: https://dl.dropboxusercontent.com/u/64507723/mlss_dmg_calculator.lua Known issues: - Only supports (U) version thus far. - No way to filter out attacks that aren't available. - Doesn't handle Great Force properly if the wearer is not in-battle or is dead. - Rare off-by-one errors. - Might have forgotten some attack immunity cases? Screenshot of the script in action: Shows the next four RNG values, and the damage of every attack on the first enemy. First two columns: Mario / Luigi solo jump, hammer, hand, jump-counter, hammer-counter Third column: Splash Bros., Chopper Bros. (1st hit), Fire Bros. (1 ball), Swing Bros. (perfect hit) Fourth column: Splash Adv., Chopper Adv. (1st hit), Fire Adv. (1 ball), Swing Adv. (perfect + extra hit) Fifth column: Bounce Bros., Knockback Bros., Thunder Bros., Cyclone Bros. (1 hit) Sixth column: Bounce Adv. (1 hit), Knockback Adv. (1st hit), Thunder Adv., Cyclone Adv. (1 hit + extra hit) Each move has a calculation function, like mariojump(M) or chopperbrosadv(M, N); M is the enemy targeted (0-5), and N is the total damage from the first N hits.
I'm currently trying to convert this vba lua script to bizhawk. http://pastebin.com/mgSCLgwJ But when I run drawRNG(), it prints a ton of out of bounds memory read messages and it basicly frozen. It displays something every 10 sec though. Help?
YoutubeLivestreamProgress 11th TASer of the Decade 2010-2019 !
Posted: 4/30/2016 11:40 AM
Quote
AntyMew
It/Its
Encoder, Player (35)
Joined: 10/22/2014
Posts: 425
MUGG wrote:
I'm currently trying to convert this vba lua script to bizhawk. http://pastebin.com/mgSCLgwJ But when I run drawRNG(), it prints a ton of out of bounds memory read messages and it basicly frozen. It displays something every 10 sec though. Help?
You forgot to set the memory domain to ROM in actorenemydata() Also, ENEMY_DATA_START should be 0x500a98
Just a Mew! 〜 It/She ΘΔ 〜
1 2
16 17 18
24 25
1731790691