tomoha

SMW Max Score ACE Technical Explanation

Jan 4th, 2022 (edited)
This is a technical explanation of how the arbitrary code execution in the Max Score ACE route works.
In this document, I will confirm that arbitrary code execution is allowed in Max Score, describe the RAM addresses involved, and explain how to execute the arbitrary code that sets the score to 9999990.

Max Score is an extension category of Super Mario World.
According to speedrun.com, the only rule is 'Time begins 2.2 seconds after selecting 1 player. Time ends when you have 9999990 points.'
Therefore, we can interpret this rule to mean that arbitrary code execution is not prohibited in this category, though my best guess is that the moderators will split this category into 'NO ACE' and 'ACE', as was done for In the 6.

In the normal route, players go to Forest of Illusion 1 or Outrageous in the Special World and stomp enemies continuously, which normally takes 15-25 minutes.
However, players can reach the max score in under three minutes with arbitrary code execution.

According to SMW Central, the memory from $7E0F34 to $7E0F39 manages the players' score.
Specifically, $0F34 to $0F36 hold Mario's score and $0F37 to $0F39 hold Luigi's score, so from here on I will explain only the RAM region from $0F34 to $0F36.
  13.  
In Super Mario World, the score is shown as ABCDEF0 (A-F are digits).
Note that the trailing 0 is fixed because every score players gain is a multiple of 10.
So, we only have to care about ABCDEF.
These digits are stored in the three bytes as a hex value, even though ABCDEF is decimal.
Plus, as usual, the hex value is stored in little-endian order.
For example, if the player's score is 1234560, first remove the trailing 0.
Second, convert the value, 123456, into hexadecimal.
In this case, it is $01E240.
Then, divide this into three bytes: 01, E2, 40.
Finally, store these values in $0F36, $0F35 and $0F34 respectively, which is the little-endian layout.

As I explained, Mario's score is managed by three RAM bytes: $0F34, $0F35 and $0F36.
Here, you may have a question: what happens if the player gains a score of 9999990 or more?
My fellow SMW researcher discovered that the code from $008E95 to $008EC4 (from $008E2A to $008E59 in the Japanese ROM) handles this case.
These instructions can be read as 'If the player's score is more than $0F423F (9999990 in decimal), then set the player's score to $0F423F.'
Therefore, our goal in Max Score ACE is to get a value of more than $10 into $0F36.
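The conversion above and the overflow check described for $008E95-$008EC4, as an added Python example (this is not code from the original paste or from the game). The addresses and the $0F423F limit are taken from the text; the clamp function is a model of the behaviour the text describes, not a transcription of the ROM routine, and the score 1234560 is the text's own worked value.

```python
# Added example, not part of the original paste: the score encoding described
# above plus a model of the overflow clamp attributed to $008E95-$008EC4.

SCORE_LOW, SCORE_MID, SCORE_HIGH = 0x0F34, 0x0F35, 0x0F36  # Mario's score bytes
SCORE_CAP = 0x0F423F  # 999999, displayed as 9999990


def encode_score(displayed_score):
    """Map a displayed score (ABCDEF0) to the three RAM bytes $0F34..$0F36.

    The trailing 0 is dropped, the remaining decimal value is converted to
    hex and stored little-endian: low byte at $0F34, high byte at $0F36.
    """
    if displayed_score < 0 or displayed_score % 10 != 0:
        raise ValueError("SMW scores are non-negative multiples of 10")
    value = displayed_score // 10
    if value > 0xFFFFFF:
        raise ValueError("value does not fit in three bytes")
    low, mid, high = value.to_bytes(3, "little")
    return {SCORE_LOW: low, SCORE_MID: mid, SCORE_HIGH: high}


def decode_score(ram):
    """Inverse of encode_score: read $0F34..$0F36 and restore the trailing 0."""
    value = ram[SCORE_LOW] | (ram[SCORE_MID] << 8) | (ram[SCORE_HIGH] << 16)
    return value * 10


def clamp_score(ram):
    """Model of the check described for $008E95-$008EC4: if the 24-bit value
    exceeds $0F423F, overwrite the three bytes with $0F423F."""
    value = ram[SCORE_LOW] | (ram[SCORE_MID] << 8) | (ram[SCORE_HIGH] << 16)
    if value > SCORE_CAP:
        ram.update(encode_score(SCORE_CAP * 10))
    return ram


if __name__ == "__main__":
    ram = encode_score(1234560)
    print({hex(a): hex(v) for a, v in ram.items()})  # $0F34=$40, $0F35=$E2, $0F36=$01
    # Forcing the high byte above $0F is all the route needs; the clamp does the rest.
    ram[SCORE_HIGH] = 0x80
    print(decode_score(clamp_score(ram)))  # 9999990
```

Note that the clamp compares the whole 24-bit value, so any high byte of $10 or above at $0F36 trips it regardless of the two lower bytes, which is why the route does not need to touch $0F34 or $0F35.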
  30.  
Now I will talk about the route and its technical explanation.
However, everything is the same as the RLX shell code credits warp invented by SethBling until we reach $421A, the multitap registers.
So, the explanation begins from $421A.
For the background, read his technical explanation in the reference list.

$421A and $421B are port 2 slot 1, which is pressing A, L and B.
Then, $421A is $A0 and $421B is $80, which means LDY #$80 (A0 80), but as you read before, we can use any value of more than $10 instead of $80.
$421C and $421D are port 1 slot 2, which is pressing L, Select, Y, B, Down and Right.
Then, $421C is $20 and $421D is $E5.
We do not plug anything into port 2 slot 2, so $421E and $421F are both $00.
So, these bytes mean JMP $0000E5 (20 E5 00 00).
Now we are at $E5, which is the sprite x-coordinate low byte table at slot #1.
We spit out shells for slots #1-5 so that the bytes are $8C, $36, $0F, $4C, $87 and $EF, which mean STY $0F36; JMP $EF87.
As $80 is stored in the Y register by the controller inputs, STY $0F36 seemingly stores $80 into $0F36, but as I described, this makes the score 9999990.
Then the player jumps to $EF87 in order not to return to open bus; this is explained well in SethBling's explanation mentioned earlier, so read it for the details.
After all, the score becomes 9999990 thanks to the instructions from $008E95 to $008EC4.
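The controller-byte construction and the six sprite-table bytes, as an added Python example (not code from the original paste, from SethBling's write-up or from the game). It assumes the standard SNES auto-joypad bit layout for the $4218-$421F registers (A/X/L/R in the even byte, B/Y/Select/Start/Up/Down/Left/Right in the odd byte), which reproduces the $A0 $80 $20 $E5 $00 $00 the text gives; it interprets only the two opcodes present in the sprite-table bytes and stops at JMP $EF87, since what happens after that jump is covered in SethBling's explanation. The starting score 1234560 is a constructed value.

```python
# Added example, not part of the original paste: auto-joypad register bytes for
# the button combinations in the text, and a two-opcode interpreter for the
# STY $0F36 ; JMP $EF87 bytes placed in the sprite x-coordinate low byte table.

# Standard SNES auto-read bit layout (assumption, not from the text).
JOYPAD_LOW = {"A": 0x80, "X": 0x40, "L": 0x20, "R": 0x10}            # even address
JOYPAD_HIGH = {"B": 0x80, "Y": 0x40, "Select": 0x20, "Start": 0x10,
               "Up": 0x08, "Down": 0x04, "Left": 0x02, "Right": 0x01}  # odd address

SCORE_CAP = 0x0F423F  # clamp value described for $008E95-$008EC4


def joypad_bytes(buttons):
    """Return (low_byte, high_byte) as the auto-read stores them for held buttons."""
    low = high = 0
    for b in buttons:
        if b in JOYPAD_LOW:
            low |= JOYPAD_LOW[b]
        elif b in JOYPAD_HIGH:
            high |= JOYPAD_HIGH[b]
        else:
            raise ValueError(f"unknown button {b!r}")
    return low, high


def multitap_bytes(port2_slot1, port1_slot2, port2_slot2):
    """Bytes at $421A..$421F, in address order, for the three inputs the text uses."""
    out = []
    for buttons in (port2_slot1, port1_slot2, port2_slot2):
        out.extend(joypad_bytes(buttons))
    return bytes(out)


def run_shell_code(code, y_register, ram, start=0xE5):
    """Interpret the sprite-table bytes from `start`. Supports only STY abs
    ($8C) and JMP abs ($4C); returns (memory, jump target) at the JMP."""
    mem = dict(ram)
    mem.update({start + i: b for i, b in enumerate(code)})
    pc = start
    while True:
        op = mem[pc]
        if op == 0x8C:                                   # STY $hhll
            addr = mem[pc + 1] | (mem[pc + 2] << 8)
            mem[addr] = y_register
            pc += 3
        elif op == 0x4C:                                 # JMP $hhll
            return mem, mem[pc + 1] | (mem[pc + 2] << 8)
        else:
            raise NotImplementedError(f"opcode ${op:02X} at ${pc:04X}")


def final_score(ram):
    """Apply the overflow clamp and return the displayed score."""
    value = ram[0x0F34] | (ram[0x0F35] << 8) | (ram[0x0F36] << 16)
    return min(value, SCORE_CAP) * 10


def max_score_route():
    """Walk the route as the text describes it; returns (register bytes, jump target, score)."""
    regs = multitap_bytes(("A", "L", "B"),
                          ("L", "Select", "Y", "B", "Down", "Right"),
                          ())
    y = regs[1]  # operand byte of LDY #$80 (the $421B value)
    shell = bytes([0x8C, 0x36, 0x0F, 0x4C, 0x87, 0xEF])  # STY $0F36 ; JMP $EF87
    ram = {0x0F34: 0x40, 0x0F35: 0xE2, 0x0F36: 0x01}     # constructed: score 1234560
    ram, target = run_shell_code(shell, y, ram)
    return regs, target, final_score(ram)


if __name__ == "__main__":
    regs, target, score = max_score_route()
    print(regs.hex(" "), hex(target), score)  # a0 80 20 e5 00 00 0xef87 9999990
```

The interpreter deliberately refuses any opcode other than the two in the shell code, so a wrong byte in the table (a shell in the wrong slot) shows up as an error rather than as silently misread code.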
  47.  
References

Karaage. (n.d.). 65C816.
https://donkeyhacks.zouri.jp/databank/65C816/65c816.html

SethBling. (2016, April 9). RLX Credits Warp Technical Explanation. Pastebin.
https://pastebin.com/t17QxjvX

SMW Central. (n.d.). SMW Memory Map. SMW Central.
https://www.smwcentral.net/?p=memorymap&game=smw&region=ram

tomoha. (2021, December 27). SMW In the 6 ACE Multitap Route Technical Explanation. Pastebin.
https://pastebin.com/Z3QwNKpp