Cave Story 3D inventory glitch theory

1. >> Technical explanation of the inventory glitch in Cave Story 3D, with some examples <<
2.  
3. Most of this is based on descriptions of the glitch that I read online, as well as
4. studying the source code of CSE2 (a Cave Story freeware decompilation -- though, note that
5. freeware Cave Story doesn't have this glitch). As such, there's a chance that this might
6. not be 100% accurate (and I'm definitely oversimplifying some of the explanations), but
7. it's hopefully at least pretty close to what's going on.
8.  
9. Also, shoutouts to Amber for answering all of my questions and helping me confirm that
10. all/most of this is actually accurate, without me having to get the game myself >:)
11.  
12. (Already intimately familiar with Cave Story modding? Feel free to skip to the
13. "THE INVENTORY GLITCH" section starting on line 205.)
14.  
15. === THE BASICS ===
16.  
17. Stage data in vanilla Cave Story is divided into several files:
18.  
19. Map data (irrelevant for our purposes):
20. bk[bg].pbm -- Basically a renamed .bmp image used as the background
21. Prt[tileset].pbm -- Contains the visual appearance of each of the map tiles
22. [tileset].pxa -- Tile attributes (solid block, water block, etc.)
23. [map name].pxm -- Tilemap (the actual layout of the stage)
24.  
25. NPC data (i.e. anything that's not a map tile):
26. Npc[name].pbm -- NPC spritesheet
27. [map name].pxe -- NPC info (location, properties, etc.)
28. [map name].tsc -- TSC (Text SCript), specifying the events associated with each NPC
29.  
30. Cave Story 3D has all of these same files (except, the ".tsc" files were renamed to ".sjs"
31. files for whatever reason). Additionally, CS3D also has some other ".n3ddta" and ".n3dhdr"
32. files that I assume contain the 3D models for everything.
33. (Fun fact: From what I've been told, it's possible to take the data files from the CS3D
34. ROM (aside from the .n3d* ones) and stick them directly into the original freeware engine
35. (well, after renaming "sjs" back to "tsc", I assume).
36. Apparently, it actually (mostly) works and plays like what Cave Story 3D would've been
37. like if it wasn't 3D and used the original assets instead of 3D models.)
38.  
39.  
40. In particular, the thing to take away here is that the *properties* of each NPC in a
41. given stage are stored separately from the actual *behavior* of that NPC. The former are
42. loaded with the stage's .pxe file, while the latter is loaded with the stage's .sjs file.
43. (Some things, like enemy AI, are also hardcoded into the game engine itself.)
44.  
45. As an example, consider the life capsule in First Cave (which is just called "Cave" in
46. the data files).
47. Cave.pxe would contain the following info about that life capsule:
48. -- It is located at (6, 24)
49. -- It is of type 32 (Life Capsule)
50. -- The flag number associated with it is 304
51. -- The event number associated with it is 400
52. -- It has the following additional properties:
53. * Player can press down to interact with it (doing so runs event 400 in the TSC)
54. * Disappears once its flag number is set (usually happens via TSC)
55.  
56. Cave.sjs contains the following TSC:
57. #0400
58. <PRI<SOU0022<DNP0400<CMU0016
59. <MSG<GIT1006
60. Obtained a Life Capsule.<WAI0160<NOD<RMU<ML+0003
61. Max life increased by 3.<NOD<END
62. In English:
63. #0400 -- This is event number 400
64. <PRI (PRevent Interaction) -- Freeze the game and lock player controls
65. <SOU0022 (SOUnd) -- Play sound #22 (some kind of click sound)
66. <DNP0400 (Delete NPc) -- Delete the life capsule (also sets its flag number, 304)
67. <CMU0016 (Change MUsic) -- Change the music to #16 (life capsule jingle)
68. <MSG (MeSsaGe) -- Open a message box
69. <GIT1006 (Graphic ITem) -- Display icon #1006 (life capsule) above the message box
70. Obtained a Life Capsule. -- Text to be displayed
71. <WAI0160 (WAIt) -- Wait for 160 frames
72. <NOD -- Wait for player to press jump or shoot
73. <RMU (Restore MUsic) -- Resume the last song that was played
74. <ML+0003 (Max Life +) -- Increase the player's max HP by 3
75. Max life increased by 3. -- More text to be displayed
76. <NOD -- Wait for jump/shoot to be pressed
77. <END -- End of event (restore normal game operation)
78.  
79.  
80. === TSC LOADING ===
81.  
82. The game contains a buffer in its memory containing a copy of the TSC that it's currently
83. working with. Each time a new stage is loaded, the game first copies the contents of
84. "Head" into that buffer, then it loads the specific TSC file for that stage after that.
85. The "Head" script isn't super important for understanding the inventory glitch, but if
86. you're curious what it is, it contains events that are common to many areas in the game.
87. For Cave Story 3D, it begins like this:
88. #0000
89. <END
90.  
91. #0001
92. <PRI<MSG
93. Empty.<NOD<END
94.  
95. #0016
96. <PRI<MSG
97. Do you want to save?<YNJ0000<CLR<MSG<TURDo not turn the system off or remove
98. the Nintendo 3DS Game Card
99. <WAI0020<FL+0431<SVP<CLR
100. Game saved.<NOD<END
101.  
102. #0017
103. <PRI<FLJ0201:0018
104. <LI+1000<SOU0020<AE+<MSG
105. Life refilled.<NOD<END
106.  
107. #0018
108. <PRI
109. <LI+1000<SOU0020<AE+<MSG
110. Life and missiles refilled.<NOD<END
111.  
112. #0019
113. <KEY<MSG
114. Do you want to rest?<YNJ0000<FAO0004<CMU0000<WAI0020<CLR
115. .....<NOD<CLO
116. <WAI0050
117. <LI+1000<SOU0020<MYD0002<MSG
118. Life refilled.<NOD<CLO<RMU<FAI0004<END
119.  
120. #0030
121. <PRI<FLJ0202:0032<FLJ0201:0031<FL+0201<GIT0005<AM+0005:0010
122. <CMU0010Obtained the Missile Launcher.<WAI0160<NOD<RMU<CLR
123. The Missile Launcher is a powerful
124. weapon, but it has limited ammo.<NOD
125. Collect additional ammunition
126. from fallen enemies.<NOD<END
127. [...more stuff that I cut out...]
128.  
129. TSC events are always arranged in order by increasing event number in the script files.
130. After loading the Head script and the stage-specific TSC file into the TSC buffer, the
131. game writes a "null" character (essentially a blank character) to denote the end of the
132. script. This character is used in several places in the script engine to tell the game not
133. to continue reading past that point. (Spoiler alert: With the inventory glitch, you can
134. sometimes get the game to read past that null character regardless...)
135.  
136. === TSC PARSING ===
137.  
138. TSC parsing is handled in two separate areas of the game logic:
139. (1) When a request is made to run TSC event number X, the game makes the following
140. preparations:
141. (a) The game sets an internal flag to indicate to the rest of the game logic that it
142. is currently running a TSC event. A few other (mostly uninteresting) internal
143. game variables relating to TSC execution are reset at this point.
144. In CS freeware (and a few early Nicalis ports?), the player's i-frames are also
145. reset here. (This is what allows Chako skip to be possible without needing the
146. Map System in these versions of Cave Story.)
147. (b) The game looks for the start of the event in the TSC buffer: Starting from the
148. beginning of the TSC buffer, the game scans one character at a time, looking for
149. the "#" symbol. When it encounters a "#" character, it reads the next four
150. characters as a number and compares that number to X.
151. * If that number is equal to X, then the game stops scanning and moves the "scan
152. cursor" (so to speak) to the next line. The event is now ready to be parsed and
153. executed.
154. * If that number is bigger than X, then we've passed where the event should have
155. been in the TSC but didn't find it. In this case, the game stops scanning and
156. returns an error status (leaving the scan cursor in place).
157. * Otherwise (if the number is smaller than X), the game continues scanning.
158. If the game at any point encounters the null character used to mark the end of the
159. script, the game stops scanning and returns an error status (again, leaving the
160. scan cursor in place at that null character).
161. Note that this initial step doesn't actually run anything; it just places the scan
162. cursor at the start of the event and leaves it like that.
163. (2) In a separate part of the game code, the game checks every frame to see if the
164. "currently in a TSC event" flag is set. If it is, then it starts parsing and executing
165. the data in the TSC buffer, starting from wherever the scan cursor left off from.
166.  
167. An important thing of note here is that even though step (1) can return an error status
168. (if it couldn't find the requested event number), the game doesn't actually bother to
169. do anything about it if that happens. (In fact, the error goes completely unnoticed -- the
170. game doesn't even care to check for it.)
171. This means that the game also doesn't clear the "currently in a TSC event" flag when that
172. happens, so step (2) will start reading from wherever the scan cursor happens to be and
173. execute whatever TSC it finds in the buffer at that point.
174. Often, this just means that the next-highest event number in the TSC buffer gets executed,
175. but if the initial scan errored out because it reached the null character at the end of
176. the script, then the game will start reading past that null character and beyond the end
177. of the current stage's script, which can lead to some crazy and unpredictable results.
178. (As we'll see below.)
179.  
180. === THE INVENTORY MENU ===
181.  
182. The inventory has its own script associated with it, called "ArmsItem".
183. When the inventory is opened, the game does the following:
184.  
185. (1) It stores the name of the currently-loaded script, so that it can be reloaded upon
186. closing the inventory
187. (2) It loads the contents of the ArmsItem script into the TSC buffer
188. (3) It enters a separate game loop that handles everything that happens within the
189. inventory. Within that game loop, it runs TSC events as follows:
190. * When you cursor over a weapon, it runs TSC event number (1000 + [weapon ID]).
191. If there's no weapon to be selected, then it just runs event #1000 ("No weapon").
192. * When you cursor over an item, it runs TSC event (5000 + [item type ID]).
193. If there's no item in that spot, then it just runs event #5000...that said, it's not
194. actually possible to cursor over an empty item, so you never get to see this :P
195. * When you select an item, then it runs TSC event (6000 + [item type ID]).
196. (4) Upon closing the inventory, the game reloads the previously-loaded script, according
197. to the name that it stored in step (1) and the process outlined in the previous
198. section.
199.  
200. Note that the only thing that gets shuffled around here is the script that's loaded into
201. the TSC buffer -- other aspects of the current stage you're in (including the .pbm
202. background and map tiles, the .pxa and .pxm map data, and the .pxe NPC data) are
203. untouched by opening and closing the inventory.
204.  
205. === THE INVENTORY GLITCH ===
206.  
207. The inventory glitch works by going into a map (call it Map B), opening the inventory,
208. then pause-exiting out and loading any save file into a different map (call it Map A).
209. The result is that Map A will have many NPCs that appear to behave as if you were in
210. Map B.
211. What exactly happens is the following:
212. (1) Upon opening the inventory, the game stores the name of Map B so that it can reload
213. its TSC upon closing the inventory.
214. (2) After pause-exiting out and loading a save file in Map A, the game (correctly) loads
215. Map A and its TSC file according to the process described previously.
216. However, the game (incorrectly) loads with the inventory still open, meaning that
217. moving the cursor around in the inventory will run TSC events (as described
218. previously) but using Map A's TSC rather than ArmsItem's.
219. (This can lead to some pretty glitchy results, especially considering that the event
220. numbers being run here are all fairly high-numbered, and most stage TSCs don't use
221. event numbers that high.)
222. (3) After closing the inventory, the game loads the "previous" script from before opening
223. the inventory. Apparently, this also doesn't get reset when exiting out of the game,
224. so the game is still remembering that you were in Map B before opening the inventory,
225. hence it loads Map B's script.
226.  
227. The end result is that you are now in Map A, with Map A's map data and NPC (*.pxe) data
228. loaded, but with Map B's TSC events loaded.
229. Let's look at a few examples of how this can wreck havoc:
230.  
231. Example #1: Getting the (normally unobtainable) Beast Fang
232.  
233. The Beast Fang is hidden in an unreachable location in Yamashita Farm. We can get it
234. as follows:
235. (1) Go to the Egg Observation Room and save.
236. (2) Go to Yamashita Farm, open the inventory, and exit out.
237. (3) Reload your save file to go back to the Egg Observation Room. Open the treasure chest
238. that normally contains the Missile Launcher, to get the Beast Fang instead.
239. Why does this work? Upon reloading the game, the game loads the data for EggR (which is
240. the internal name for the Egg Observation Room), including its .pxe NPC data, which
241. specifies that there is a chest at the upper corner of the room, and that that chest runs
242. event #300 upon inspecting it.
243. Normally, with the EggR script loaded, this gives you the missiles:
244. #0300
245. <PRI<FLJ0200:0001<FL+0200
246. <SOU0022<CNP0300:0021:0000
247. <MSG
248. Opened the treasure chest.<NOD<CLR<EVE0030
249. (The <EVE0030 at the end jumps to event #30, which is defined in Head and gives you the
250. Missile Launcher.)
251.  
252. However, inventory-glitching in this way causes the Plant script (Yamashita Farm's TSC)
253. to be loaded overwriting EggR's script in the TSC buffer, which means that Plant's
254. event #300 is run instead of EggR's:
255. #0300
256. <PRI
257. <FL+0410
258. <DNP0300
259. <MSG
260. You don't see anything...<NOD<CLR<CMU0010<GIT1005<IT+0005
261. How did you get the Beast Fang?
262. ...<WAI0160<NOD<CLO
263. <RMU<END
264. Voila! Now you have the Beast Fang.
265.  
266. Example #2: Accessing Sand Zone early
267.  
268. Save in the Save Point in Mimiga Village, then go to Arthur's House and inventory-exit
269. out. Reload into the Save Point and inspect the door. You should be taken to Sand Zone
270. instead of Mimiga Village.
271.  
272. Why does this work? Inventory-glitching in this way causes MiBox (the Save Point) to be
273. loaded but with the Pens1 script (Arthur's House) in the TSC buffer. The door in the
274. Save Point is set to run event #100 upon inspecting it. Event #100 in MiBox takes you out
275. to Mimiga Village:
276. #0100
277. <PRI<FAO0004<TRA0011:0094:0024:0034
278. (Translated: "Freeze the game and lock player input, then fade out the screen in
279. direction 4 (center), then transport the player to map #11 (Mimiga Village), at
280. coordinates (24, 34), and run event #94 in the Mimiga Village script when you get there".)
281.  
282. However, with the Pens1 script loaded, this runs Arthur's House's event #100 instead:
283. #0100
284. <PRI<FAO0004<TRA0010:0094:0018:0032
285. This takes you to map #10 (Sand Zone), at coordinates (18, 32), which is 3 blocks to the
286. left and 1 block above where Curly is when you first meet her.
287.  
288. Note that there's no way to naturally trigger this event without inventory glitching.
289. My guess is that this is probably a remnant of some kind of debug testing mechanism that
290. was eventually disabled before the release of the game. (It's present in the Pens1 script
291. in the original freeware CS, as well, so it's something Pixel put in rather than Nicalis.)
292.  
293. Example #3: No, I don't want to teleport to Egg Corridor
294.  
295. Save in Arthur's House, then inventory-exit out from anywhere. Upon reloading your save,
296. cursoring over any inventory item will cause a "Teleport to the Egg Corridor?" prompt to
297. pop up.
298.  
299. Why does this happen? When you load the save back into Arthur's House, the game loads all
300. of the data for the Pens1 stage, including the Pens1 TSC file. However, the game starts
301. you in the inventory instead of directly inside Arthur's House.
302. Recall from the previous section that cursoring over an item in the inventory runs TSC
303. event number (1000 + [weapon ID]) for weapons, or (5000 + [item ID]) for items. Since the
304. Pens1 script is loaded instead of ArmsItem, this tries to run that event number in
305. Arthur's House. However, Arthur's House doesn't have any events in the 1000-50XX range:
306. [...stuff...]
307. #0660
308. <KEY<FLJ1020:0661<MSG<FAC0018
309. Take Sue with you and
310. leave this island...<NOD
311. Please...<NOD<END
312. #0661
313. <KEY<MSG<FAC0018
314. I'm sorry.
315. We've ruined your island.<NOD<CLR
316. We humans are evil.<NOD<END
317.  
318.  
319. #0700
320. <KEY<CMU0000<FAO0004<TRA0024:0700:0002:0000
321.  
322.  
323. #6001
324. <PRI<MSG
325. Teleport to the Egg Corridor?<YNJ0000<CLO
326. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
327. <WAI0100<FAO0004<FLJ0159:6011<TRA0002:0099:0005:0006
328. #6002
329. <PRI<MSG
330. Teleport to Bushlands?<YNJ0000<CLO
331. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
332. <WAI0100<FAO0004<TRA0006:0098:0004:0018
333. [...stuff...]
334. The result is that when the game scans the TSC buffer looking for the event, it reaches
335. event #6001 (which is past where the event should be), and stops scanning and returns an
336. error status. However, as discussed previously, the game doesn't care about that and
337. starts executing TSC anyways, beginning at the point that the scan cursor left off
338. (which would be at the "6" in "#6001").
339. What ends up happening is that the game outputs "6001" as text to an invisible message
340. box, then opens an actual message box and prompts you to teleport to the Egg Corridor.
341. Saying yes can cause glitchy things to happen, including softlocking the game
342. (I'm not sure why this happens, honestly), but it seems that waiting long enough without
343. closing the inventory causes the teleport to succeed (though once you close the inventory,
344. it'll load the "previous" stage's TSC, which means Egg Corridor will now behave as if
345. inventory-glitched).
346.  
347. Example #3a: Teleporting to other places
348. Recall from the previous example that the teleporter prompts in Arthur's House are
349. numbered starting from #6001. Specifically, here they all are:
350. #6001
351. <PRI<MSG
352. Teleport to the Egg Corridor?<YNJ0000<CLO
353. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
354. <WAI0100<FAO0004<FLJ0159:6011<TRA0002:0099:0005:0006
355. #6002
356. <PRI<MSG
357. Teleport to Bushlands?<YNJ0000<CLO
358. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
359. <WAI0100<FAO0004<TRA0006:0098:0004:0018
360. #6003
361. <PRI<MSG
362. Teleport to Sand Zone?<YNJ0000<CLO
363. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
364. <WAI0100<FAO0004<TRA0010:0099:0036:0033
365.  
366. #6004
367. <PRI<MSG
368. Teleport to the Labyrinth?<YNJ0000<CLO
369. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
370. <WAI0100<FAO0004<TRA0043:0099:0010:0034
371.  
372. #6005
373. <PRI<MSG
374. Teleport to the Plantation?<YNJ0000<CLO
375. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
376. <WAI0100<FAO0004<TRA0060:0099:0009:0009
377.  
378. #6011
379. <KEY<TRA0049:0099:0007:0006
380. Also recall from previously that selecting an item in the inventory runs TSC event
381. (6000 + [item ID]). Thus, you can teleport anywhere you want granted that you have the
382. correct item in your inventory:
383. * For Egg Corridor (#6001), you need item ID 1 (Arthur's Key)
384. (Note that this takes you to Egg Corridor? instead if it would do so normally, due to
385. the <FLJ0159:6011 in the event script (If flag 159 is set, jump to event #6011).)
386. * For Bushlands (#6002), you need item ID 2 (Map System)
387. * For Sand Zone (#6003), you need item ID 3 (Santa's Key)
388. * For Labyrinth (#6004), you need item ID 4 (Silver Locket)
389. * For Plantation (teleporter room) (#6005), you need item ID 5 (Beast Fang)
390. * For Egg Corridor? (#6011), you need item ID 11 (Gum Base).
391.  
392. Unfortunately, closing the inventory after teleporting causes game to reload the TSC for
393. the stage you inventory-exited out of, so you likely won't be able to do anything useful.
394.  
395. Example #4: Getting infinite Life Capsules
396.  
397. Save in the Prefab House (before Hell). Enter Hell and inventory-exit out. Reload into the
398. Prefab House and inspect the bed for a Life Capsule. You can continue inspecting the bed
399. as many times as you like to keep getting Life Capsules.
400.  
401. Why does this work? Inventory-glitching in this way causes the Prefa2 (Prefab House) stage
402. to be loaded, but with the Hell1 (Blood Stained Sanctuary - B1) script in the TSC buffer.
403. The bed in Prefa2 is set to run event #250 when interacted with. However, Hell1 doesn't
404. have an event #250:
405. [...stuff...]
406.  
407. #0200
408. <PRI<MSG<TUR
409. Welcome to Hell!<NOD<END
410.  
411.  
412. #0400
413. <PRI<SOU0022<DNP0400
414. <MSG<GIT1006
415. Obtained a Life Capsule.<NOD<ML+0005
416. Max life increased by 5.<NOD<END
417.  
418. [...stuff...]
419. Similar to Example #3, this causes the script engine to start executing TSC starting from
420. the last position of the scan cursor (in this case, the first "0" in "0400"), which
421. ends up giving you a Life Capsule.
422. But Life Capsules normally delete themselves when you collect them. Why are you able to
423. repeatedly collect this one? (In other words, why does the bed not get deleted in place of
424. the Life Capsule?)
425. The answer lies in the TSC itself:
426. 0400 -- Printed to an invisible message box
427. <PRI (PRevent Interaction) -- Lock player input and freeze the game
428. <SOU0022 (SOUnd) -- Play sound #22 (click)
429. <DNP0400 (Delete NPc) -- Delete the NPC associated with event #400
430. <MSG (MeSsaGe) -- Open a message box
431. <GIT1006 (Graphic ITem) -- Display icon #1006 (life capsule) above the message box
432. Obtained a Life Capsule. -- Text to display
433. <NOD -- Wait for player to press jump/shoot
434. <ML+0005 (Max Life +) -- Increase player's max HP by 5
435. Max life increased by 5. -- More text to display
436. <NOD -- Wait for player to press jump/shoot
437. <END -- End of event, resume normal game operation
438. What happens is that the <DNP0400 tries to delete the NPC tied to event #400, which in
439. the Hell1 stage is the Life Capsule entity. However, since we're in Prefa2, the game has
440. the Prefa2 NPC data loaded instead of Hell1! So it tries to delete the NPC associated with
441. event #400 in Prefa2, which silently fails since no such NPC exists. (Remember, the bed is
442. tied to event #250, not #400!)
443. This means that you can keep interacting with the bed and it will keep running event #400
444. in Hell1 and keep giving you Life Capsules as much as you want.
445.  
446. Example #5: Boundary Break (Obtaining Booster v2.0 early)
447.  
448. Strap yourselves in; this one is a bit crazy.
449.  
450. Save in Arthur's House while Sue et al. are present in the room. Go to Mimiga Village and
451. inventory-exit out. Upon reloading your save, talk to any of the characters in the room
452. to obtain the Booster v2.0.
453.  
454. Why does this work? In fact, it almost doesn't. Let's see what's going on inside the
455. TSC buffer when you load back into Arthur's House:
456. (1) The game loads the Pens1 (Arthur's House) stage data. The Head and Pens1 scripts are
457. loaded into the TSC buffer, followed by a null character to denote the end of the
458. script. Basically, the TSC buffer looks like this:
459. #0000
460. <END
461.  
462. #0001
463. <PRI<MSG
464. Empty.<NOD<END
465.  
466. #0016
467. <PRI<MSG
468. Do you want to save?<YNJ0000<CLR<MSG<TURDo not turn the system off or remove
469. the Nintendo 3DS Game Card
470. <WAI0020<FL+0431<SVP<CLR
471. Game saved.<NOD<END
472.  
473. [...]
474.  
475. #0042
476. <KEY<CMU0000<WAI0040<PRI<WAI0040<CMU0003
477. <MSG<HMC
478. You were never seen again...<NOD<CLR
479. Want to retry?<YNJ0049<CLO
480. <FAO0001<WAI0050<FLJ0431:0048<INI<END
481.  
482. #0048
483. <SMC<LDP<END
484.  
485. #0049
486. <CLO<FAO0004<ESC
487.  
488.  
489. XX: head.tsc  4000 - 4099
490. 4000:Almond…“ï
491. [end of Head, start of Pens1]
492. #0090
493. <MNA<CMU0002<FAI0000<END
494. #0091
495. <MNA<CMU0002<FAI0001<END
496. #0092
497. <MNA<CMU0002<FAI0002<END
498. #0093
499. <MNA<CMU0002<FAI0003<END
500. #0094
501. <MNA<FLJ0341:0095<CMU0002<FAI0004<END
502.  
503. [...]
504.  
505. #6005
506. <PRI<MSG
507. Teleport to the Plantation?<YNJ0000<CLO
508. <KEY<CNP0300:0111:0002<HMC<WAI0060<ANP0500:0001:0000
509. <WAI0100<FAO0004<TRA0060:0099:0009:0009
510.  
511. #6011
512. <KEY<TRA0049:0099:0007:0006
513.  
514.  
515. [end of Pens1]
516. <null character>
517. [garbage data after this point]
518. (2) Upon closing the inventory, the game loads the TSC for the stage that was loaded prior
519. to opening the inventory -- in this case, Mimiga Village. So, the game loads Head and
520. Mimi into the TSC buffer, followed by a null character to mark the end of the scripts.
521. Now, the key point here is that the TSC buffer is NOT cleared before this happens!
522. The new scripts get loaded on top of whatever is currently in the TSC buffer. Since
523. the Pens1 script is a bit longer than the Mimi script, what happens is that the Pens1
524. script doesn't get fully overwritten when Mimi is loaded in:
525. #0000
526. <END
527.  
528. [...]
529.  
530. #0049
531. <CLO<FAO0004<ESC
532.  
533.  
534. XX: head.tsc  4000 - 4099
535. 4000:Almond…“ï
536. [end of Head, start of Mimi]
537.  
538. #0090
539. <MNA<FLJ0341:0095<CMU0009<FAI0000<END
540. #0091
541. <MNA<FLJ0341:0096<CMU0009<FAI0001<END
542.  
543. [...]
544.  
545. #0610
546. <FLJ0224:0611
547. <KEY<MSG<FAC0007
548. This is what happens to
549. those who defy the order
550. of the village.<NOD<END
551. #0611
552. <KEY<MSG<FAC0007
553. They're not coming...<NOD<END
554.  
555.  
556. [end of Mimi]
557. <null character>e island.<NOD<CLO<FAC0000
558. <ANP0650:0003:0002<WAI0022
559. <ANP0650:0005:0002
560. <IT+0023<FL+0744<FL+0162<FL+1801<GIT1023
561. <MSG
562. Obtained the Booster v2.0.<WAI0030<NOD<CLO<GIT0000
563. <ANP0650:0000:0002
564. <MSG<FAC0018
565. Please honor my final request.<NOD<CLR
566. If you see Sue one last time,
567. please take her and...
568. escape... from the island.<NOD<CLR
569. She is Dr. Sakamoto's
570. daughter.<NOD
571. For the longest time she
572. resisted coming to this
573. island.<NOD
574. But she couldn't be left
575. behind, all alone...<NOD<CLR
576. She had no choice but to
577. follow us to the island.<NOD<CLR
578. Please.<NOD<CLR
579. Take her and escape.<NOD<CLO
580. <FL-0160<FL+0161<FL+0741<PS+0004:6004<END
581.  
582. [...]
583. Now, in the Pens1 NPC data, the characters are set to run event #621 (Booster),
584. #622 (Kazuma), #624 (King), and #625 (Sue). Since the Mimi script is what's in the TSC
585. buffer, and the last event in the Mimi TSC is numbered 611, attempting to trigger any of
586. these events results in the scan cursor reaching the null character at the end of the
587. Mimi script. This causes the scan to fail without finding the requested event, but since
588. the game doesn't care about that, it starts reading TSC from that point onwards
589. regardless.
590. This results in "<null character>e island." being printed to an invisible message box, and
591. then a real message box pops up and informs you that you've obtained the Booster 2.0.
592. It turns out that if the Mimiga Village script was just a little bit longer
593. (by 76 characters or more), then you wouldn't be able to get the Booster this way!
594.  
595.  
596. These aren't the only ways of abusing the inventory glitch -- in fact, I haven't even
597. begun to scratch the surface of what's possible with this glitch. So, I'll just leave you
598. to experiment with it and find out on your own what you can do. :)