SMW In the 6 ACE Multitap Route Technical Explanation

SMW In the 6 ACE Technical Explanation
by tomoha

This is a technical explanation of how the arbitrary code execution works in the multitap In the 6 route.

First, I’ll explain what is our goal in In the 6 ACE.

All levels are managed by hex numbers like 01.
After now, we’ll call it ‘level number’.

So, contained a level number in specific RAM address decides where to exit when we enter the pipes.
$19B8 in the length of 32 bytes are ‘exit table’.

According to SMWCentral,

	This connects doors and exit-enabled pipes to their correct entrances. The index for this exit table is the position of the exit (relative to layer 1) divided by 256. If layer 1 is vertical, then use the Y position of the exit, else use the X position. This is also known as the current screen number.

The exit of blue pipe in YI2 is managed by $19C7.
And the level number of our destination, Bowser’s castle’s second floor, is $D0.
Therefore, our goal is to contain $D0 in $19C7.

The route with one additional controller plugged into port2 invented by 333Rich333 and MostlySMW firstly goes to YI1 and drop a power up mushroom twice to store $C7 in $EE and $19 in $EF because the number of red koopas at the beginning of YI2 is not enough to write codes to load $D0 in a resister, store it in $19C7 and avoid returning to openbus.
The following are instructions executed in the one additional controller route.

ORA ($01,X)
ORA [$17],Y
JSR ($19FC,X)
BRA $F0
JMP ($1820,X)
JMP $421A
JSR $00E5
LDA #$D0
STA ($EE)
JMP $EF87

Instructions from LDA #$D0 to JMP $EF87 are written in shell-code (A9 D0; 92 EE; 4C 87 EF).
However, writing LDY instruction on the controller plugged into port2 slot1 enables us to omit YI1 as we do not have to write LDA #$D0 in shell-code.

Next, I’ll talk about the new route and its technical explanation.
However, everything is the same as RLX shell code credits warp invented by SethBling until we reach $421A, multitap resisters.
So, I’ll omit the explanations about instructions before $421A and ask you to read his explanation in a reference list at bottom.

$421A and $421B are port 2 slot 1, which is pressing A, L, B, Y and Start.
Then, $421A is $A0 and $421B is $D0, which means LDY #$D0 (A0 D0).

$421C and $421D are port 1 slot 2, which is pressing L, Select, Y, B, Down and Right.
Then, $421C is $20 and $421D is $E5.
Since we do not plug anything into port 2 slot 2, $421E and $421F are both $00.
So, these code means JMP $0000E5 (20 E5 00 00).

Now we are at $E5 which is the sprite x-coordinate low byte table at slot #1.
We spit out shell for slots #1-5:
$8C, $C7, $19, $4C, $87 and $EF, which mean STY $19C7; JMP $EF87.
As we stored $D0 in Y resister by controller inputs, LDY $19C7 stores $D0 into $19C7 which contains a level number of the blue pipe’s exit.
Then we jump to $EF87 in order not to return to open bus, but this is explained well on SethBling’s explanation I mentioned earlier, so read it for the explanation.
After all, $19C7 contains $D0, so the blue pipe now takes us to Bowser’s Castle’s second floor.

Instractions:

ORA ($01,X)
ORA [$17],Y
JSR ($19FC,X)
BRA $F0
JMP ($1820,X)
JMP $421A
BVS
LDY #$D0
JMP $0000E5
STY $19C7
JMP $EF87


References

Drummerrific. (2018, April 16). Hexadecimal List of Super Mario World Levels by Drummerrific. SMW Central.
    https://www.smwcentral.net/?p=viewthread&t=94452&page=1&pid=1474840#p1474840

In the 6. (2018, August 26). In Super Mario World Wiki.
    https://smwspeedruns.com/index.php?title=In_the_6&oldid=2853

MostlySMW. (2017, December 22). In the 6 ACE route. PASTEBIN.
    https://pastebin.com/yQnfdUhy

SethBling. (2016, April 9). RLX Credits Warp Technical Explanation. PASTEBIN.
    https://pastebin.com/t17QxjvX

SMW Central. (n.d.). SMW Memory Map. SMW Central.
    https://www.smwcentral.net/?p=memorymap&game=smw&region=ram

改造ドンキーの館. (n.d.). 65C816命令表.
    https://donkeyhacks.zouri.jp/databank/65C816/65c816.html