Skip to content

Instantly share code, notes, and snippets.

@fuzyll

fuzyll/smb3-notes-2016-07-24.md

Created July 25, 2016 07:03
Show Gist options
  • Save fuzyll/832a9004473c25f7728e02358582d3c1 to your computer and use it in GitHub Desktop.
Save fuzyll/832a9004473c25f7728e02358582d3c1 to your computer and use it in GitHub Desktop.
Download ZIP
My notes from DwangoAC's stream on 2016-07-24
Raw
smb3-notes-2016-07-24.md

@fuzyll's notes from @MrTasBot's late-night stream on 2016-07-24

I wrote these notes right as the stream ended so we could capture the knowledge we gained after streaming for 2-3 hours. I'm hoping to revisit these myself and get to the bottom of things, but we'll see if time permits. In the meantime, a lot of other people in the stream found watching the process helpful. If anyone else wants to keep poking at this and moving forward, go for it! Hopefully, these notes will help.

Files

Setup

I used File -> Lua -> New Lua Script Window to load the lua script (which loads the inputs) in FCEUX. Then, I opened Debug -> Debugger... and Debug -> Trace Logger.... I turned on "Symbolic Trace" in the "Trace Logger" so I could see where I came from when I hit one of my breakpoints.

I set execute breakpoints on:

  • $0000-$00FF - Scratch
  • $0100-$01FF - Stack

At this point, doing NES -> Reset in the main window and Run in the debugger while having logging started got me to most of what's in the notes section below.

Notes

Question:

We know that the function at $FEBE can be placed into an infinite loop by never having two values from $FF12 match when coming through the loop. How does that lead us to hitting the credits sequence..?

See http://arstechnica.com/gaming/2016/07/how-to-beat-super-mario-bros-3-in-less-than-a-second/ for more info.

Starting to answer:

These instructions appear to place an unexpected value onto the stack (FIXME: why?):

0F:F7B0:AD FF 7A  LDA $7AFF = #$00
>0F:F7B3:48        PHA

This instruction then leads us to executing on the stack (FIXME: not entirely sure why yet):

A:FF X:07 Y:01 S:E4 P:NvUbdIzc                            $A84B:60        RTS ----

When we start executing on the stack, we go to $0101, which decodes as a jump:

>  :0101:20 00 00  JSR $0000

This transfers execution to the beginning of memory:

>  :0000:A8        TAY

We service some interrupts (FIXME: one interrupt?) and then start executing at $0001 again:

>  :0001:9A        TXS

We stumble through more interrupts (FIXME: how many?) as we're executing through the beginning of the address space. Then, we hit the following instruction:

>  :00F5:50 98     BVC $008F

This transfers our execution backward on the scratch space to more BRKs that we're going to slide through. Then, this random instruction appears and we no longer execute anything further in this address space:

>  :00F6:20 5A B8  JSR $B85A

Credits roll and everything is great! ...why? (FIXME: It's 3am...figure this out later :P)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment