API tools faq
paste
SethBling

SMW PI5 ACE Technical Explanation

SethBling
Jun 21st, 2017
1,524
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.31 KB | None | 0 0
raw download clone embed print report
  1. When collecting a 1-Up in powerup state $05, the game reads from out of bounds in a function pointer table, and jumps to $0103D0, with the accumulator holding the value $D0, and the x index register holding the value $09. This execution address is in the middle of the OAM (Object Attribute Memory) table, where the game stores coordinates and graphics settings for on-screen sprites. The game carefully sets x and y coordinates for all on-screen sprites every frame. Once a sprite is no longer on-screen, its last-seen data remains behind, although its y-coordinate gets replaced with $F0. Each tile has four bytes:
  2.  
  3. 0: x-coordinate
  4. 1: y-coordinate
  5. 2: tile id
  6. 3: tile settings
  7.  
  8. Each sprite slot has five tiles set aside for it. $03D0 is the beginning of the five-tile set that belong to sprite slot 8. At the time of the ACE, the first two tiles of sprite slot 8 are taken up by an on-screen Yoshi, who is bouncing around at on-screen x-coordinate $05, so the first instruction is ORA dp. His y coordinate bounces around, so the operand for the ORA instruction is variable, but it turns out that the address for the OR operation actually doesn't matter.
  9.  
  10. The next instruction comes from the 3rd and 4th byte of the first OAM tile, which are $06 (Yoshi's neck) and $6A (because Yoshi is facing left). This instruction is ASL $6A, which doesn't do anything important.
  11.  
  12. The next instruction comes from the 1st-4th bytes of the second OAM tile for Yoshi. The first byte is $0F (Yoshi's head's on-screen x-coordinate). Once again the 2nd byte is variable because yoshi is bouncing up and down. The 3rd byte is $08 (Yoshi's head) and the fourth byte is $6A (because Yoshi is facing left). This instruction is ORA long, which, again, has no impact.
  13.  
  14. The next instruction comes from the 1st-3rd bytes of the third OAM tile. This tile is not used by Yoshi, so it contains data left behind by a green shell that we destroyed. Its x-coordinate was $4C. Since it's no longer on-screen, the game sets its y-coordinate to $F0. And its graphics id was $8C. This instruction is JMP $8CF0.
  15.  
  16. $018CF0 enters ROM misaligned in the middle of an instruction, and the code there happens to be misread as JSR $02F0.
  17.  
  18. $02F0 is back in a different part of the OAM table. The first two OAM tiles at $02F0 are used to draw the white "splat" whenever you kick a shell. By kicking the shell at the left end of the level, the OAM x-coordinate at $02F0 is $10, and the y-coordinate is $F0, since it's off-screen. This instruction is BPL $02E4. However, the negative flag is guaranteed to be set here. The most recent instruction that affected the negative flag was a ORA long instruction at $03D4, and A is guaranteed to be negative, since it started at $D0 and has only been affected by ORA operations. So the BPL instruction is skipped.
  19.  
  20. At $02F2, the splat's graphic id is $7C, and the tile settings are $20. The next tile, also belonging to the white splat, had an x-coordinate of $18 from kicking the shell, which makes the next instruction JMP ($1820,x). Since X is $09, this will jump to the absolute address stored at $1829. $1829 is within the minor extended sprite y velocity table. We spawned a Yoshi shell and carefully made one of its particles despawn early by controlling the screen scroll, to make the jump's destination address $4218.
  21.  
  22. $4218 is the joypad auto-read registers for controller 1. $4218 contains the bits for BYETudlr (E=select, T=start), and $4219 contains the bits for AXLR0000 (the last four bits are always 0). $421A is $00 because no second controller is being used. By holding L, down, select, Y and B, the instruction at $4218 is JSR $00E4.
  23.  
  24. $00E4 is the beginning of the sprite x-coordinate low byte table. This table contains the left-behind x-coordinates of red shell that we destroyed by spitting out. The code here is:
  25. A9 1C LDA #$1C
  26. 92 3D STA ($3D)
  27. 68 PLA
  28. 68 PLA
  29. 60 RTS
  30.  
  31. We store the value $1C to the address contained at $3D, which is $0100. $0100 is the game mode. Then we pull two bytes off the stack (the return address to the joypad auto read registers) and RTS back to $018CF3 in ROM, where the program counter has now become re-aligned to the code, and this safely returns control to the game, which continues running in game mode $1C. Game mode $1C is partway in the credits, the beginning of the section where the enemies are all named.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!