Originally posted by Roy
Anyway, during such an interrupt (BRK causes one), a few things get pushed on the stack: return address (24-bit) and I also believe processor flags, but I'm not 100% certain of this.
Yes. The interrupt pushes the processor flags, then the return address. This is a 24-bit address in native mode or a 16-bit address in 6502 emulation mode; Super Mario World uses native mode. See page 391 of Programming the 65816.
You can use RTI without an interrupt, if you push the correct stuff. For example, this patch (for xkas v0.12 against a clean ROM) does work.
```asm
// use-rti.s
arch snes.cpu
header
lorom

// Disable the Y button. Use the RTI opcode.
define free_space $0ff000

org $00a299             // each frame, after reading controller but before moving Mario
jsl {free_space}        // displaces jsl $00f6db

org {free_space}
phk                     // push program bank (high byte of the 24-bit return address)
pea +                   // push the 16-bit address of label +, completing the return address
php                     // push processor flags
bra disable_y_button
+; jml $00f6db          // tail call for displaced jsl

disable_y_button:
// Remove flag $40 (the Y or X button; mask #$bfbf clears bit 6) from the controller data
// in DP $15 and the controller (this frame) data in DP $16.
//
rep #$20                // 16-bit A
lda.b $15               // load DP $15, $16
and.w #$bfbf            // no Y or X button $40
sta.b $15               // store DP $15, $16
rti                     // pulls flags (8-bit A again) and the 24-bit return address pushed above
```
Congratulations to Pseudonym for unbreaking the BRK.
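To make the stack layout above concrete, here is a small model of the 65816 stack frame (added illustration, my own code, not from the post or from Programming the 65816). It pushes what a native-mode or emulation-mode interrupt pushes, pushes the manual PHK / PEA / PHP frame from the patch, and pops with RTI. The bank, addresses and flag values are constructed; the `+` label address $0FF007 assumes the documented opcode sizes (phk 1, pea 3, php 1, bra 2 bytes) and is an assumption, not a value from the post.

```python
# Model of 65816 stack frames: interrupt entry vs. the manual phk/pea/php frame, and RTI.
# Added example; register widths and push order follow the 65816 programming model.
# B/D flag adjustment on BRK and emulation-mode page-1 stack wrap are not modelled.

class Cpu65816:
    def __init__(self, native=True, sp=0x01FF):
        self.native = native  # True: native mode (24-bit return), False: 6502 emulation (16-bit)
        self.sp = sp          # stack pointer, points at next free byte, grows downward
        self.mem = {}         # sparse stack memory
        self.pbr = 0          # program bank register
        self.pc = 0           # 16-bit program counter
        self.p = 0            # processor status flags

    def push8(self, v):
        self.mem[self.sp] = v & 0xFF
        self.sp = (self.sp - 1) & 0xFFFF

    def pull8(self):
        self.sp = (self.sp + 1) & 0xFFFF
        return self.mem[self.sp]

    def push16(self, v):          # high byte first, so the low byte ends up at the lower address
        self.push8(v >> 8)
        self.push8(v)

    def pull16(self):
        lo = self.pull8()
        hi = self.pull8()
        return (hi << 8) | lo

    def interrupt(self, vec_pbr, vec_pc):
        # Hardware/BRK entry: native mode pushes PBR, PC, P; emulation pushes PC, P.
        if self.native:
            self.push8(self.pbr)
        self.push16(self.pc)
        self.push8(self.p)
        self.pbr, self.pc = (vec_pbr if self.native else 0), vec_pc

    # The manual frame from the patch: PHK, PEA <addr>, PHP.
    def phk(self): self.push8(self.pbr)
    def pea(self, addr16): self.push16(addr16)   # PEA pushes the operand as-is (no -1 like JSR)
    def php(self): self.push8(self.p)

    def rep(self, mask): self.p &= ~mask & 0xFF  # REP clears flag bits (rep #$20 clears M)

    def rti(self):
        # RTI pulls P, then the 16-bit PC, then (native mode only) PBR.
        self.p = self.pull8()
        self.pc = self.pull16()
        if self.native:
            self.pbr = self.pull8()
        return (self.pbr, self.pc, self.p)

    def frame(self, depth):
        # Bytes currently on the stack from the top down: [P, PCL, PCH, (PBR)].
        return [self.mem[self.sp + i] for i in range(1, depth + 1)]


def native_interrupt_frame():
    cpu = Cpu65816(native=True)
    cpu.pbr, cpu.pc, cpu.p = 0x00, 0xA29D, 0x30   # constructed: bank 0, M and X flags set (8-bit A/X)
    cpu.interrupt(0x00, 0xFFEE)                    # constructed vector target
    return cpu.frame(4)                            # 4 bytes: P, PCL, PCH, PBR

def emulation_interrupt_frame():
    cpu = Cpu65816(native=False)
    cpu.pbr, cpu.pc, cpu.p = 0x00, 0xA29D, 0x30
    cpu.interrupt(0x00, 0xFFEE)
    return cpu.frame(3)                            # 3 bytes: P, PCL, PCH (no bank)

def manual_frame():
    # The patch runs in bank $0F (free_space $0ff000); assumed label + at $0FF007.
    cpu = Cpu65816(native=True)
    cpu.pbr, cpu.p = 0x0F, 0x30
    cpu.phk(); cpu.pea(0xF007); cpu.php()
    return cpu.frame(4)                            # same shape as the native interrupt frame

def manual_frame_then_rti():
    # Build the frame, widen A like the handler does (rep #$20), then RTI.
    cpu = Cpu65816(native=True)
    cpu.pbr, cpu.p = 0x0F, 0x30
    cpu.phk(); cpu.pea(0xF007); cpu.php()
    cpu.rep(0x20)                                  # M cleared: 16-bit A inside the handler
    return cpu.rti()                               # (PBR, PC, P): lands on + with 8-bit A restored
```

The point to notice is that `manual_frame()` and `native_interrupt_frame()` have exactly the same four-byte shape, which is why RTI can consume a frame built by hand, and that RTI also puts P back, so the `rep #$20` inside the handler needs no matching `sep #$20`.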