Türkenheimer | Human in First Cycle @turkenheimer4448 | Uploaded 2 years ago | Updated 3 hours ago
Happy 21st birthday PAL MM

Special thanks to MrCheeze who worked with me on this.

This video is only a demonstration. There will be better setups and tutorials. I am quite sure that the Bomber Kid can be manipulated in a better way.

What you see in the video:

We make use of Stale Reference Manipulation (SRM), an application of Use After Free in the N64 Zelda games. Several things in the game can freeze Link in place while the other actors around him keep updating normally. When you catch a Bomber Kid and close the textbox, Link stays frozen for another 3 frames. If you charge a bubble and then catch the Bomber, the bubble expires, but the pointer to it does not. Like other things Link can carry, Link's actor writes position and angle data to the bubble to create the illusion of carrying it. Since the pointer to the bubble is not cleared while Link is frozen, he keeps writing position and angle data to the memory where the bubble was loaded.

At 2:55 Link catches the Bomber on the same frame the balloon is hit. The balloon takes another frame to explode, but is frozen while the textbox is up. We let the bubble expire and then close the textbox. When the balloon explodes it spawns a new actor, En_Clear_Tag, which is the cloud of smoke. What we care about is the overlay of this actor: it needs to load at the right address relative to the bubble.

Most of the heap manipulation is done with the Keaton Grass, which spawns and despawns depending on the camera. But first we wait for night. This unloads a few actors and loads some new ones, freeing memory where we want it. Then we despawn the grass and cut the sign (which spawns a sign actor), then spawn the grass again. The bubble used for SRM loads after the grass. Catching the Bomber also gives us just the right camera to despawn the grass again, so the overlay loads lower relative to the bubble.

Now the memory is set up so that the angle data written through the stale bubble pointer lines up with the destroy function of the smoke actor. With our angle we overwrite the final instruction of this function with:

sd $s7 0xDCE7($s7)

This corrupts data related to the menu cursor. The row the cursor is currently in is set to 0x3FFD (16381). Because this is a positive value, the game lets us scroll up, decreasing the row number. The row is stored as a halfword, but the game only uses the lower byte to work out which item the cursor hovers over. When we scroll up 12 times to row 0x3FF1, it behaves as row 0xF1 (-15). For this row the game looks at the filename. Long story short, you can equip your filename as items, so you choose your items when you type your filename.
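As an added worked example (written for this page, not code from the video or its author), the two corruptions above in C: first the MIPS encoding of the overwritten instruction, showing which 32-bit word `sd $s7 0xDCE7($s7)` is and which two s16 halves it splits into, and second the menu cursor row, stored as a halfword but indexed by its low byte. Assumptions not stated on the page: that the word is made of rot.x in the upper half and rot.y in the lower half, and that the menu permits scrolling up whenever the row value is positive.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Part 1: the corrupted instruction.
 * MIPS I-type layout: op(6) | rs(5) | rt(5) | imm(16). SD has opcode 0x3F,
 * and $s7 is register 23.
 */
enum { OP_SD = 0x3F, REG_S7 = 23 };
#define JR_RA 0x03E00008u  /* jr $ra: opcode 0, rs = 31 ($ra), funct 8 */

typedef struct { unsigned op, rs, rt; uint16_t imm; } MipsIType;

uint32_t encode_itype(unsigned op, unsigned rs, unsigned rt, uint16_t imm) {
    return ((uint32_t)(op & 0x3F) << 26) | ((uint32_t)(rs & 0x1F) << 21)
         | ((uint32_t)(rt & 0x1F) << 16) | imm;
}

MipsIType decode_itype(uint32_t word) {
    MipsIType f = { word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F,
                    (uint16_t)(word & 0xFFFF) };
    return f;
}

bool is_jr_ra(uint32_t word) { return word == JR_RA; }

/* An actor rotation is three s16 values. Assumption (not from the page): the
 * word that lands on the instruction is rot.x in the upper half and rot.y in
 * the lower half, so the instruction is chosen by choosing two angles. */
uint32_t word_from_angles(int16_t hi, int16_t lo) {
    return ((uint32_t)(uint16_t)hi << 16) | (uint16_t)lo;
}
int16_t upper_angle(uint32_t word) { return (int16_t)(word >> 16); }
int16_t lower_angle(uint32_t word) { return (int16_t)(word & 0xFFFF); }

/*
 * Part 2: the cursor row. The row is a halfword, but item selection only looks
 * at its low byte, so 0x3FF1 behaves like 0xF1 = -15 (the filename row).
 */
#define CORRUPTED_ROW ((int16_t)0x3FFD)
#define FILENAME_ROW  (-15)

typedef struct { int16_t row; } MenuCursor;

/* Assumption: scrolling up is allowed while the row value is positive. */
bool scroll_up(MenuCursor *c) {
    if (c->row <= 0) return false;
    c->row--;
    return true;
}

/* Low byte of the halfword, read as a signed row index. */
int8_t effective_row(const MenuCursor *c) { return (int8_t)(c->row & 0xFF); }

/* Scroll up from the corrupted row until the filename row is hit; return the
 * number of presses needed, or -1 if scrolling stops before reaching it. */
int scrolls_to_filename_row(void) {
    MenuCursor c = { CORRUPTED_ROW };
    int n = 0;
    while (effective_row(&c) != FILENAME_ROW && scroll_up(&c)) n++;
    return effective_row(&c) == FILENAME_ROW ? n : -1;
}

int main(void) {
    uint32_t w = encode_itype(OP_SD, REG_S7, REG_S7, 0xDCE7);
    MipsIType f = decode_itype(w);
    printf("sd $s7 0x%04X($s7) -> 0x%08X (op %u rs %u rt %u)\n",
           f.imm, w, f.op, f.rs, f.rt);
    printf("as two s16 angles: x=%d y=%d\n", upper_angle(w), lower_angle(w));
    printf("jr $ra is 0x%08X; overwritten: %s\n", JR_RA, is_jr_ra(w) ? "no" : "yes");
    printf("scroll-ups from row 0x%04X to the filename row: %d\n",
           (uint16_t)CORRUPTED_ROW, scrolls_to_filename_row());
    return 0;
}
```

Running it shows that the store instruction is the single word 0xFEF7DCE7, i.e. angles -265 and -8985 under the halfword assumption, that it replaces jr $ra (0x03E00008) rather than leaving it intact, and that exactly 12 scroll-ups take the row from 0x3FFD to the value whose low byte is -15.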

Some more notable things:

- With the corrupted menu cursor, if you scroll to the left or right arrow on the sides the game will crash :)

- The instruction we corrupt is the final jump instruction (JR RA), which normally returns to the caller. Removing this line would in most cases crash. Luckily for us, what follows in memory is some other function in the smoke overlay. The game runs that function and then returns. To be honest, I don't even know what that function does, but it doesn't crash... good enough :D

- This setup only works on the North American version on Wii (probably also Wii U, but untested, and who cares about Wii U anyway hehe). The setup is designed specifically for this ROM. The heap setup to write and execute a line of code might in general work on PAL and GameCube, but they would need different code, and with that a new angle setup. There are several reasons this setup would crash on N64 (misaligned store, denormal floats, invalid code that the Wii just ignores).

Watches I used in the video:

- 803FFE6E "a": Link's y-angle (facing angle).
- 804000FC "held-actor": a pointer to the actor you are carrying. With the right heap the SRM bubble loads at 80424210.
- 804242CC "ACE-Code": if the heap is set up right, this is the xy-angle of the bubble and later the address of the line of code in the overlay that we write to.