tips and how to

How to get marathon-safe arbitrary code execution. For real this time!
(a modification of http://pastebin.com/1jKvFdvP)
---------------

Use Powerup Incrementation to get from powerup 3 (fire) to powerup 6. Use Dots's method for this. (http://pastebin.com/2VRPTdr8)

Go to Yoshi's Island 2, set up the shells and all that jazz.

Instead of eating a chuck in slot 9, touch a 1-up in slot 9. This will cause the game to attempt to execute $014122 as code rather than the $014A13 you get from eating a chuck.

We are now executing at $014122. As with the original route, the initial open bus value is 01. This translates to the instruction ORA ($01,x) which is ORA ($0A). When touching a 1-up rather than eating it, the values in 0A and 0B depend on the 1-up's position. Specifically, loads from the address YYXX, where YY is the high byte of the 1-up's Y position, and XX is the high byte of its X position. If we're on the bottom half of screen 5 (http://i.imgur.com/9KJI09B.png) then this loads the value in $0105, which is 15.

We are now executing from $014124. The value on open bus is 15, so we execute 15 15 which is ORA $15,X. Since X is still 9 this is ORA $1E, and this the part we can manipulate a bit - address $1E is the low byte of the level background's X position. What we want is to stand in either of these two positions (http://imgur.com/a/LW2rP) while touching the 1-up, so that the next value loaded into open bus is 50.

We are now executing from $014126. The instruction is "50 50" or "BVC #$50" which, tells us to branch forward 0x50 bytes if the overflow flag is clear. Which it always will be at this point, because reasons.

The BVC skips us forward to $014178. At this point the open bus value is unchanged, so we skip forward another 0x50 bytes to reach $0141CA, and again to reach $01421C.

We are now in the middle of the joypad hardware registers. (http://en.wikibooks.org/wiki/Super_NES_Programming/SNES_Hardware_Registers). Oddly, even though the SNES supports 8 controllers in theory and 5 controllers in practice... there are only enough controller registers for 4 controllers. See this diagram for details: http://i.imgur.com/IGRBLMq.png. (If there's no multitap plugged into a socket, it acts the same as if there was a multitap with only the first controller plugged in.)

Anyway, since we're now at $421C, the game's execution is controlled by the second controller plugged into a multitap in the first controller socket. By holding L+B+Y+Select+Down, we JSR to $00E4 and the shell code can be executed.

(For credits warp, this is sufficient. But if we want a longer ACE for whatever reason, we can use a second multitap and a third controller to type an RTS into register $421F by pressing Y+select. This eliminates the need to pop two values from the stack in our code, making it just long enough to, for example, warp to Bowser's Back Door in one go.)

So, put together. The route is as the following:
1) Complete YI2 normally, grabbing Yoshi on the way.
2) Grab the fire flower in YI3, then powerup increment and complete the level.
3) PI two more times, this time you can use start+select to quit the level.
4) Enter YI2, first thing you should to is run to the right and eat the red shell that a koopa is about to climb into, to kill both of them. Otherwise they mess up sprite slots later.
5) Go back and set up the line of koopas for your ACE
6) Walk up to the first Yoshi block and hit it. Since we have yoshi already it gives a 1-up
7) Quickly run to the right so that you're on screen 5 and the background position is $xx50. If you go too far, moving left again won't shift the camera back, so be careful.
8) Hold several buttons on the other controller as the 1-up hits you.

Things change a bit if the code needs to be 8 bytes long rather than 1-7, though that isn't needed just for credits warp.