
Long jumps from C1 bank

Clément Gallet edited this page May 19, 2016 · 19 revisions

Destination addresses

Possible addresses seem to be:

  • 0Exx
  • AExx
  • EExx
  • CExx

JML (5C) opcode

SRAM jumps

We can jump to $106F in SRAM from $C1/CEC7, $C1/DC11, $C1/F791 or $C1/F80F. $606F is stored from $166F of the first save slot:

$166F        Shadow's Sprite set (03)
$1670        Shadow's Level adjustment factor (03)
$1671-$1676  Shadow's Name

The first instruction is ORA $03,S, which is harmless.

We can jump from $C1/2459. $6B24 is stored from $1724 of the second save slot:

$1724        Strago's Helmet
$1725        Strago's Armor
$1726        Strago's Relic 1
$1727        Strago's Relic 2
$1728        Relm's Sprite set
$1729        Relm's Level adjustment factor
$172A-$172F  Relm's Name

Values available for renaming characters (JP):

  • 20 - 5C
  • 60 - CC
  • CE - D1
  • D3

With these values, we can trigger the ending using the following code:

C2 20         REP #$20       16-bit accumulator
A9 CA 25      LDA #$25CA
4A            LSR A          A is #$12E5
85 A2         STA $A2
A9 C4 26      LDA #$26C4
4A            LSR A          A is #$1362
92 A2         STA ($A2)      Store to $12E5
A9 C2 2B      LDA #$2BC2
4A            LSR A          A is #$15E1
5C 7A 8D C1   JML $C18D7A    Will call TCS then RTS.
                             We still have 16-bit accumulator, I hope it won't break things
                             We could switch to using 16-bit X register if it does

The same flow laid out across the character names:

Shadow's Sprite and Level adjustment factor
AE/606F: 03 03        ORA $03,S    Harmless
Shadow's name
AE/6071: C2 20        REP #$20     16-bit accumulator
AE/6073: 80 8D        BRA $6002
Terra's name
AE/6002: A9 CA 25     LDA #$25CA
AE/6005: 80 20        BRA $6027
Locke's Name
AE/6027: 4A           LSR A        A is #$12E5
AE/6028: 85 A2        STA $A2
AE/602A: 80 20        BRA $604C
Cyan's Name
AE/604C: 48           PHA
AE/604D: A9 C4 26     LDA #$26C4
AE/6050: 80 44        BRA $6096
Edgar's Name
AE/6096: 4A           LSR A        A is #$1362
AE/6097: 92 A2        STA ($A2)    Store to $12E5
AE/6099: 80 20        BRA $60BB
Sabin's name
AE/60BB: A9 C2 2B     LDA #$2BC2
AE/60BE: 80 20        BRA $60E0
Celes's Name
AE/60E0: 4A           LSR A        A is #$15E1
AE/60E1: 28           PLP          Restore 8-bit accumulator
AE/60E2: 5C 7A 8D C1  JML $C18D7A  Will call TCS then RTS.
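The chain above only works if every byte is enterable on the naming screen, every segment (body plus its BRA) fits in a 6-byte name field, and each BRA displacement is computed relative to the byte after the instruction. The following checker is an added example, not code from the wiki: it re-assembles the page's chain from the immediates given in the comments (so LDA #$25CA is emitted as A9 CA 25), fills in every BRA, and rejects any byte outside the listed JP naming ranges. The name-field addresses and the 6-byte name length are taken from the page; the check itself is an assumption about what a practitioner would want verified.

```python
"""Added example (not from the wiki): sanity-check a payload spread across
6-byte character-name fields against the constraints the page states."""

# Byte values the (JP) naming screen can produce, as listed on the page.
ALLOWED_RANGES = [(0x20, 0x5C), (0x60, 0xCC), (0xCE, 0xD1), (0xD3, 0xD3)]
NAME_LEN = 6  # a name occupies 6 bytes ($1671-$1676 for Shadow)

# Execution order of the chain from the page: (character, name-field address, body).
# Every segment except the last gets a 2-byte BRA appended to reach the next one.
# Immediates are assembled little-endian from the values in the page's comments.
CHAIN = [
    ("Shadow", 0x6071, [0xC2, 0x20]),                          # REP #$20
    ("Terra",  0x6002, [0xA9, 0xCA, 0x25]),                    # LDA #$25CA
    ("Locke",  0x6027, [0x4A, 0x85, 0xA2]),                    # LSR A ; STA $A2
    ("Cyan",   0x604C, [0x48, 0xA9, 0xC4, 0x26]),              # PHA ; LDA #$26C4
    ("Edgar",  0x6096, [0x4A, 0x92, 0xA2]),                    # LSR A ; STA ($A2)
    ("Sabin",  0x60BB, [0xA9, 0xC2, 0x2B]),                    # LDA #$2BC2
    ("Celes",  0x60E0, [0x4A, 0x28, 0x5C, 0x7A, 0x8D, 0xC1]),  # LSR A ; PLP ; JML $C18D7A
]


def byte_allowed(b):
    """True if the naming screen can produce this byte value."""
    return any(lo <= b <= hi for lo, hi in ALLOWED_RANGES)


def bra_displacement(src, dst):
    """Operand byte for a BRA located at src that must land on dst.
    The displacement is relative to the byte after the 2-byte instruction."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"BRA at ${src:04X} cannot reach ${dst:04X}")
    return disp & 0xFF


def assemble_chain(chain):
    """Return {character: bytes} with BRAs filled in; raise on any violated constraint."""
    out = {}
    for i, (name, addr, body) in enumerate(chain):
        code = list(body)
        if i + 1 < len(chain):
            bra_addr = addr + len(body)
            code += [0x80, bra_displacement(bra_addr, chain[i + 1][1])]
        if len(code) > NAME_LEN:
            raise ValueError(f"{name}: name field holds {NAME_LEN} bytes, chain needs {len(code)}")
        bad = [b for b in code if not byte_allowed(b)]
        if bad:
            raise ValueError(f"{name}: bytes not enterable on the naming screen: {bad}")
        out[name] = bytes(code)
    return out


def lsr16(value):
    """16-bit LSR A: the accumulator value the page's comments give after each shift."""
    return (value & 0xFFFF) >> 1


if __name__ == "__main__":
    for name, code in assemble_chain(CHAIN).items():
        print(f"{name:7} {code.hex(' ').upper()}")
    print(f"LSR #$25CA -> #${lsr16(0x25CA):04X}")
```

Running it prints each name field's final bytes (for Shadow: C2 20 80 8D, matching the listing) and raises as soon as a segment overflows its 6 bytes or needs a byte the naming screen cannot enter, which is the first thing to re-check whenever one segment of the chain is edited.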

JSL (22) opcode

C1/00009D
C1/000129
C1/0001A0
C1/0001A0
C1/0001A0
C1/0001A0
C1/0006A0
C1/0007A0
C1/010029
C1/1B0E4C
C1/200880
C1/2010E2
C1/207F85
C1/2564AA
C1/2564AA
C1/291085
C1/2910A7
C1/2910A7
C1/2916A5
C1/2916A5
C1/2916A5
C1/3803A9
C1/380490
C1/380490
C1/3810A5
C1/801090
C1/850309
C1/8506A9
C1/8506A9
C1/850CA9
C1/8516A9
C1/8516A9
C1/8516A9
C1/8518A9
C1/9D1A1A
C1/9D1A1A
C1/A41E20
C1/A41E20
C1/A41E20
C1/A41E20
C1/A41E20
C1/A41E20
C1/A41E20
C1/A41E20
C1/A50D90
C1/A57D85
C1/A57D85
C1/A81085
C1/A87D18
C1/AD0710
C1/AD0710
C1/AE1A1A
C1/AE1A1A
C1/B709D0
C1/B91230
C1/B91230
C1/B91230
C1/BF0043

Intermediate jump

Jumping to a point just before C1/CE59 executes the following code:

$C1/CE59 A5 0E       LDA $0E    [$00:130E]   
$C1/CE5B 0A          ASL A                   
$C1/CE5C 85 12       STA $12    [$00:1312]   
$C1/CE5E 0A          ASL A                   
$C1/CE5F 0A          ASL A                   
$C1/CE60 85 10       STA $10    [$00:1310]
...
RTS

So by filling $0E and $0F carefully, we can write many addresses into $11 and $12. As the stack pointer is on $11, it will return to the 16-bit address stored at $11.

frame count: xxxabcde fghijklm
return address: ghijklm1 abcdefgh
and 40 < xxxabcde < 57

Opcode 22 leads:

C1/8518A9
C1/9D1A1A
C1/9D1A1A

JSL A41E20: C1/A21C, C1/A239, C1/A256, C1/A276, C1/A30C, C1/A32E (C1/A32B, C1/A329, C1/A328), C1/A3CE, C1/A3E6

$11 = A32B and $14 = 0 works!

Return address: 10100011 00101010 (A32A)
Frame count: xxx00101 01010001 (X5 51)
Chosen frame count: 01000101 01010001 (45 51)
Whole setup is: $0E = 51, $0F = 45, $10 = CE
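The bit diagram above can be turned into a function and inverted, which is how one finds every frame count that lands on a chosen return address without hand-shuffling bits. This is an added example, not code from the wiki: it reproduces the page's mapping exactly as drawn (frame count xxxabcde fghijklm in $0F $0E, return address ghijklm1 abcdefgh, with the low bit of the high byte fixed at 1 as the diagram shows) and searches within the page's bound 40 < $0F < 57. The function names and the search loop are assumptions of this example.

```python
"""Added example (not from the wiki): the frame-count -> return-address bit
mapping as drawn on the page, and a search for frame counts that hit a target."""


def return_address(high, low):
    """Map frame count bytes ($0F=high, $0E=low) to the return address.

    Page diagram:  frame count    = xxxabcde fghijklm
                   return address = ghijklm1 abcdefgh
    """
    ret_high = ((low << 1) | 1) & 0xFF             # g..m from $0E bits 6..0, low bit fixed at 1
    ret_low = ((high << 3) | (low >> 5)) & 0xFF    # abcde from $0F bits 4..0, fgh from $0E bits 7..5
    return (ret_high << 8) | ret_low


def frame_counts_for(target, lo_bound=0x40, hi_bound=0x57):
    """All ($0F, $0E) pairs that map to target with lo_bound < $0F < hi_bound
    (the page's constraint 40 < xxxabcde < 57). Brute force over 22 * 256 pairs."""
    return [
        (high, low)
        for high in range(lo_bound + 1, hi_bound)
        for low in range(256)
        if return_address(high, low) == target
    ]


if __name__ == "__main__":
    # The page's worked case: return address A32A comes from frame count 45 51.
    print(f"{return_address(0x45, 0x51):04X}")
    for high, low in frame_counts_for(0xA32A):
        print(f"$0F = {high:02X}, $0E = {low:02X}")
```

For the target A32A the search returns exactly one pair, $0F = 45 and $0E = 51, which is the setup the page settles on; the "xxx" bits are what give the search its freedom, and the bound on $0F is what collapses it to a single answer here.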