Welcome to Data Crystal's new home! Data Crystal is now part of the TCRF family (sort of).
The wiki has recently moved; please report any issues in Discord. Pardon the dust.

Secret of Evermore/Alchemy RAM manipulation: Difference between revisions

From Data Crystal
Jump to navigation Jump to search
No edit summary
No edit summary
Line 93: Line 93:
| 0x910000
| 0x910000
| Base jump address
| Base jump address
| Bank $91 mirrors bank $11 ($0000-$1FFF refer to LowRAM)
| Bank $91 mirrors bank $11 ($0000-$1FFF refer to [[Secret_of_Evermore:RAM_map|LowRAM]])
|-
|-
| #8000
| #8000
Line 188: Line 188:
| $12
| $12
| $0000-$1FFF
| $0000-$1FFF
| LowRAM, shadowed from bank $7E
| [[Secret_of_Evermore:RAM_map|LowRAM]], shadowed from bank $7E
|-
|-
| $A000-$A0FF
| $A000-$A0FF
Line 236: Line 236:
|}
|}


LowRAM:
[[Secret_of_Evermore:RAM_map|LowRAM]] is the easiest memory to manipulate and contains promising values:
{| class="wikitable"
{| class="wikitable"
|-
|-
Line 242: Line 242:
! Comment
! Comment
|-
|-
| ?
| $0AC6-$0AC8
| ?
| Money - Talons
|-
|-
| 0x2000-0xFFFF
| $0AC9-$0ACB
| Money - Jewels
|-
| $0ACC-$0ACE
| Money - Gold Coins
|-
| $0ACF-$0AD1
| Money - Credits
|-
| $2000-$FFFF
| Can't be addressed via HiROM
| Can't be addressed via HiROM
|}
|}

Revision as of 13:32, 27 December 2019

This is a sub-page of Secret of Evermore.

Affects of the Alchemy Crash to a Player

Details

Usually there are only up to 2-3 spells active, because the game limits how many can be cast:

  • The boy has an internal cooldown on opening the ring menu after using alchemy
  • Bosses have some kind of internal cooldown
  • Only 8 alchemy spells per type can be active at any given moment
    • Projectile type alchemy (like Flash and Fireball)
    • Animation type alchemy (like Crush and Acid Rain)

But there are known ways to circumvent these limitations:

  • Opening the boys ring menu as the dog can be done once per frame (Also known as 8cast, because the same spell can be cast up to 8 times)
  • Bosses cast their spells regardless of the limit (Which can lead to a crash, if 8 spells of that type are already active)
    • Magmar casts at a certain damage threshold Heat Wave, which is an animation spell
    • Aquagoth randomly casts Lightning Storm and other spells, which are animation spells
    • Verminator randomly casts Acid Rain and other spells, which is are animation spells

Additional facts:

  • The 2x8 alchemy slots aren't cleared once the spell has been resolved, they are just flagged as inactive (Leaving the game overrides all memory with zeros, though)

Crash

Once the game tries to put the 9th alchemy spell in a slot the game somewhat freezes:

  • The game no longer progresses states
    • User inputs are blocked
    • Spell projectiles stop moving
    • Enemies stop moving
  • The music keeps playing

Reproducing the Crash

Preparation:

  • Read up on 8casts
  • Stock up on ingredients and/or Call Beads

Triggered by a Boss

  • Damage Magmar if neccessary (Heat Wave is triggered by a damage threshold)
  • Cast 8 animation spells via 8cast (E.g. Storm from Fire Eyes Call Beads)
  • Magmar will cast Heat Wave in response to the damage
  • The game tries to adds a 9th animation spell in a slot (Sometimes refereed to as 9cast)
  • The game "freezes"

With Screen Transitions

  • 8cast on an enemy near a map exit
  • Leave the screen instantly
  • The game ends up in a buggy state, where the information of the 8cast is being stored somehow (Similar to to a 9cast)
  • Once the next spell is being cast the game "freezes"

Manipulating Memory

Affects on the Hardware

S-CPU:

  • 99% of crashes end up in a "freeze" (S-CPU comes to a halt)
  • The rest of the crashes aren't freezing the game, but produce severe visual glitches (The S-CPU keeps going)
    • Black screen
    • Repeating patterns
    • Colorful forms

Sound:

  • Unaffected

Details on the Crash

Casting 6 Hard Balls in the transition leads to the game crashing on the next 3+cast, which in almost all cases looks the same: 

9198f7 ldx $0014,y   [7e3378] A:000a X:0000 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:226 F:48
9198fa beq $9907     [919907] A:000a X:d22c Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 72 H:236 F:48
9198fc lda $0028,y   [7e338c] A:000a X:d22c Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 72 H:239 F:48
9198ff sta $4c       [00004c] A:4e89 X:d22c Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:249 F:48
919901 jsl $919750   [919750] A:4e89 X:d22c Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:256 F:48
919750 lda $910000,x [91d22c] A:4e89 X:d22c Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 72 H:270 F:48
919754 tax                    A:800a X:d22c Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 72 H:279 F:48
919755 jsr ($8000,x) [91000a] A:800a X:800a Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 72 H:282 F:48
00885f stp                    A:800a X:800a Y:3364 S:1fe8 D:0000 DB:7e NvmxdIzC V: 72 H:312 F:48
Address/Value Register/Usage Comment
0x7e3378 (16 bit) X Is the 14th and 15th byte of the first animation alchemy slot (7E3364-7E3563, 40 bytes per slot)
0x7e338c (16 bit) A Is the 28th and 29th byte of the first animation alchemy slot (7E3364-7E3563, 40 bytes per slot)
0x910000 Base jump address Bank $91 mirrors bank $11 ($0000-$1FFF refer to LowRAM)
#8000 Jump offset -

Which means that the jump address can be altered, by casting alchemy. Animation alchemy, which ends up in the first animation alchemy slot, to be specific.

Manipulating the Jump Address

Usually X can be altered by casting animation based alchemy, but not during this crash.

Based on yet unknown factors seemingly random values between $0000 and $FFFF are being used. 

9198f7 ldx $0014,y   [7e3378] A:000a X:0000 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:226 F:48
9198fa beq $9907     [919907] A:000a X:d22c Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 72 H:236 F:48
9198fc lda $0028,y   [7e338c] A:000a X:d22c Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 72 H:239 F:48
9198ff sta $4c       [00004c] A:4e89 X:d22c Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:249 F:48
919901 jsl $919750   [919750] A:4e89 X:d22c Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 72 H:256 F:48
919750 lda $910000,x [91d22c] A:4e89 X:d22c Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 72 H:270 F:48
919754 tax                    A:800a X:d22c Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 72 H:279 F:48
919755 jsr ($8000,x) [91000a] A:800a X:800a Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 72 H:282 F:48

00885f stp                    A:800a X:800a Y:3364 S:1fe8 D:0000 DB:7e NvmxdIzC V: 72 H:312 F:48

9198f7 ldx $0014,y   [7e3378] A:000a X:0000 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 45 H:176 F:31
9198fa beq $9907     [919907] A:000a X:0003 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 45 H:186 F:31
9198fc lda $0028,y   [7e338c] A:000a X:0003 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 45 H:189 F:31
9198ff sta $4c       [00004c] A:4e89 X:0003 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 45 H:199 F:31
919901 jsl $919750   [919750] A:4e89 X:0003 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 45 H:206 F:31
919750 lda $910000,x [910003] A:4e89 X:0003 Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 45 H:220 F:31
919754 tax                    A:c900 X:0003 Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 45 H:230 F:31
919755 jsr ($8000,x) [914900] A:c900 X:c900 Y:3364 S:1fee D:0000 DB:7e NvmxdizC V: 45 H:233 F:31

918080 iny                    A:c900 X:c900 Y:3364 S:1fec D:0000 DB:7e NvmxdizC V: 45 H:246 F:31
918081 sta $a841,y   [7edba6] A:c900 X:c900 Y:3365 S:1fec D:0000 DB:7e nvmxdizC V: 45 H:249 F:31
918084 stx $a7       [0000a7] A:c900 X:c900 Y:3365 S:1fec D:0000 DB:7e nvmxdizC V: 45 H:259 F:31
918086 ora ($ab),y   [7edaf8] A:c900 X:c900 Y:3365 S:1fec D:0000 DB:7e nvmxdizC V: 45 H:266 F:31
918088 rti                    A:c900 X:c900 Y:3365 S:1fec D:0000 DB:7e NvmxdizC V: 45 H:278 F:31
00885f stp                    A:c900 X:0000 Y:0065 S:1fec D:0000 DB:7e nVmXdIZC V: 45 H:307 F:31

9198f7 ldx $0014,y   [7e3378] A:000a X:0000 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 78 H: 74 F:53
9198fa beq $9907     [919907] A:000a X:004e Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 78 H: 84 F:53
9198fc lda $0028,y   [7e338c] A:000a X:004e Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 78 H: 87 F:53
9198ff sta $4c       [00004c] A:4e89 X:004e Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 78 H: 97 F:53
919901 jsl $919750   [919750] A:4e89 X:004e Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 78 H:104 F:53
919750 lda $910000,x [91004e] A:4e89 X:004e Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 78 H:117 F:53
919754 tax                    A:00b2 X:004e Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 78 H:127 F:53
919755 jsr ($8000,x) [9180b2] A:00b2 X:00b2 Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 78 H:130 F:53

918988 bit $00,x     [0000b2] A:00b2 X:00b2 Y:3364 S:1fec D:0000 DB:7e nvmxdizC V: 78 H:153 F:53
91898a cop #$00               A:00b2 X:00b2 Y:3364 S:1fec D:0000 DB:7e nvmxdizC V: 78 H:162 F:53
00885e stp                    A:00b2 X:00b2 Y:3364 S:1fe8 D:0000 DB:7e nvmxdIzC V: 78 H:177 F:53

9198f7 ldx $0014,y   [7e3378] A:000a X:0000 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 62 H: 28 F:22
9198fa beq $9907     [919907] A:000a X:ff85 Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 62 H: 38 F:22
9198fc lda $0028,y   [7e338c] A:000a X:ff85 Y:3364 S:1ff1 D:0000 DB:7e NvmxdizC V: 62 H: 41 F:22
9198ff sta $4c       [00004c] A:4e89 X:ff85 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 62 H: 51 F:22
919901 jsl $919750   [919750] A:4e89 X:ff85 Y:3364 S:1ff1 D:0000 DB:7e nvmxdizC V: 62 H: 58 F:22
919750 lda $910000,x [91ff85] A:4e89 X:ff85 Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 62 H: 72 F:22
919754 tax                    A:0300 X:ff85 Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 62 H: 81 F:22
919755 jsr ($8000,x) [918300] A:0300 X:0300 Y:3364 S:1fee D:0000 DB:7e nvmxdizC V: 62 H: 84 F:22

91001a rol $ff00     [7eff00] A:0300 X:0300 Y:3364 S:1fec D:0000 DB:7e nvmxdizC V: 62 H: 97 F:22
91001d sbc $000000,x [000300] A:0300 X:0300 Y:3364 S:1fec D:0000 DB:7e nvmxdizc V: 62 H:112 F:22
00885f stp                    A:c8c1 X:0300 Y:3364 S:1fe8 D:0000 DB:7e NvmxdIzc V: 62 H:150 F:22

Desired Values

The offset of 0x918000 leads to the following jumps for X:

X Value Bank Addresses Comment
$0000-$7FFF $11 $8000-$FFFF HiROM section (program memory)
$8000-$9FFF $12 $0000-$1FFF LowRAM, shadowed from bank $7E
$A000-$A0FF $12 $2000–$20FF Unused
$A100–$A1FF $12 $2100–$21FF PPU1, APU, hardware registers
$A200–$AFFF $12 $2200–$2FFF Unused
$B000–$BFFF $12 $3000–$3FFF DSP, SuperFX, hardware registers
$D000–$D0FF $12 $4000–$40FF Old Style Joypad Registers
$D100–$D1FF $12 $4100–$41FF Unused
$D200–$D4FF $12 $4200–$44FF DMA, PPU2, hardware registers
$D500–$EFFF $12 $4500–$5FFF Unused
$E000–$FFFF $12 $6000–$7FFF RESERVED

LowRAM is the easiest memory to manipulate and contains promising values:

Value Comment
$0AC6-$0AC8 Money - Talons
$0AC9-$0ACB Money - Jewels
$0ACC-$0ACE Money - Gold Coins
$0ACF-$0AD1 Money - Credits
$2000-$FFFF Can't be addressed via HiROM
Retrieved from "https://datacrystal.tcrf.net/w/index.php?title=Secret_of_Evermore/Alchemy_RAM_manipulation&oldid=44232"