2 Theory 2: Remove Maridia Navigation from 13%. Super Metroid Inanity: series of funny glitches involving Mother Brain.Dying in Ceres: contrary to the popular belief, it is possible to die that early in the game before it has a chance to blow the station up.Super missiles use up two projectile slots, but the second projectile used can be ignored. : Add 2 to the address to get the next projectile's data. Useful as a frame-counter when measuring by in-game time rather than absolute time. : This value increments by 1 for each frame that counts toward the Momentum often must reach 0 before Samus can stop or change direction. : Momentum and speed together determine how far Samus moves per frame. Samus is moving, these are always positive. : Samus's position and speeds are tracked down to 1/65536th of a pixel, although the effective values are all multiples of 256, ☑. : Is this optimal? Maybe laying the bombs earlier so that you have a greater average speed is best : How fast must you be falling, does it vary? : Can this be applied horizontally (except on moving wrecked ship robots), may be a faster way to skip the Zebetites. Projectile 1 Y position, fraction of a pixelįirst Enemy's (Most Bosses) invincibility timer Projectile 1 X position, fraction of a pixel More memory addresses can be found at Kejardon's RAM Map. These transfers take a whole 6 frames to execute, which is more than enough to get our new inputs in place before the next instruction executes. Writing this to $420b (the DMA activation register) will start 6 maximally-sized DMA transfers, but 3 of these will be killed by the HDMA we start at the same time (due to A being 16 bit), leaving 3. By virtue of the way we got here, the accumulator and x/y registers are all 16 bit, and A contains the value 9f33. These will pause the CPU while in progress, and can easily last for several frames. Masterjun suggested a simple way of doing this: Activate some huge DMA transfers. So we need a way to wait long enough for the registers to have updated. And even if it did, we wouldn't know where in the loop we are at that point. However, in order to do anything interesting, we will need to change the values of these registers for the next frame (by changing which buttons are pressed), and this does not happen instantaneously. That leaves us 6 bytes for other purposes. $90/A513 60 RTS Will return somewhere crazy $90/A512 28 PLP This messes up the stack! The intial value of A no longer matters at this point. $90/A4BD A5 8F LDA $8F Controller button pressed this frame! That makes this a promising avenue for exploits. What happens depends on the direction the beam was fired in, as well as the controller input for that frame, and lots of other stuff on the instruction pointer's wild romp through the ROM. This is half-way through some other function, which due to an extra PLP instruction fails to return properly, leading to the function failing to return properly, and almost certainly leading to a crash. Jumps to $90a4aa (ROM) (but only if not fired to the left. The minimum distance required to charge the spark using this technique is 157.668 pixels.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |