[LOTAD] Super Mario Sunshine Arbitrary Code Execution: Any% in

RTA timing: 34:13.385
TAS timing: 34:28.300
Rerecords: 131,338 (probably way more from unsaved brute force sessions)

DTM download: https://drive.google.com/file/d/16t8-...

First, I unlock Bianco, and save before both Ricco and Gelato are unlocked. Then I enter the eel fight with 0 lives left, get eaten 3 times, then spawn the Shine. That way, the Shine spawn cutscene loads into the 4th cutscene slot, and doesn't get overwritten later. Then I game over in order to reload the saved plaza state without loading the title screen FMV, which would result in all cutscene slots being cleared.

Once back to the plaza, I start by spraying water and doing an insanely precise sidestep to make sure one of the splash effects that appear on the ground ends up at a very specific coordinate relative to the camera. That coordinate translates to a memory address inside the spin buffer, which stores the stick's angle every quarterframe for spinput checks.

Finally, I prepare for cutscene underflow, which occurs when a Shine Get cutscene tries to start while another cutscene is playing. While waiting for that other cutscene to start, I write arbitrary code into the spin buffer, using pause buffering to control my stick angle on every in-game quarterframe, rather than every frame. Once cutscene underflow triggers, the game reads my splash effect coordinate, which leads code execution into the spin buffer, where my code achieves 4 things:
- set the Bowser fight as the next area;
- set the current cutscene as the last one to play (otherwise the game would play the following invalid cutscenes and crash);
- overwrite the game's code to lower the Bowser fight's handle count requirement from 5 to 1;
- branch back to game code safely.

Then the Bowser fight starts, and swiftly ends because of the aforementioned code patch.

=== FAQ ===
Is this specific to PAL? What is possible on other versions?
Italian PAL just happens to be the version where I did my research, but it's not unlikely that a similar setup could work on any other GC version. PAL only gets more chances because each language has a different set of possible setups. As for 3D All-Stars, the glitch doesn't seem to be patched (unlike shinehax), but to my understanding, Nintendo's emulator can't execute code directly from its emulated GC memory, so we'd only get to call existing game functions (similarly to SRM on the Master Quest edition of Ocarina of Time).

Is there potential for a faster setup?
Absolutely! The eel Shine is one of the slowest spawn cutscenes to reach from new file, so it only gets better from here. I looked into 435 different setups before making my original cutscene underflow demo, and that was only scratching the surface, which is why I'm planning to make a tool that will allow anyone to help without technical knowledge by simply playing on Dolphin.

Will this ever be done RTA?
Not with the current setup. Getting the splash to stop at a usable coordinate took 2 weeks of automated brute forcing (on and off because Dolphin would crash every hour), and the next steps depended on the exact value I got. But assuming we find a way for humans to get that first pointer right, camera setups could be found to make the rest possible. The player would only need to hold the stick at specific angles and pause on the first possible frame after unpausing, a couple times in a row, with the ability to immediately try again on failure.

Droplets or splashes?
The cutscene underflow demo I made in May 2020 was pretty rushed, and in particular I said I was hacking water droplets instead of water splashes. In reality, there are two setups in the eel fight: if you spawn the eel's Shine, you'll need to manipulate a splash on the plaza, and if you spawn the 100 coin Shine, you'll need to manipulate a droplet. I got the two mixed up and since I was hacking in values either way, I didn't have to question which one it was. But in practice, splashes were more convenient to work with.
