MrCheeze | Ocarina of Time - Setting up Total Control ACE with Arbitrary Ramwrites, also a new 100% NSR route @MrCheeze | Uploaded 3 years ago | Updated 1 hour ago
The most powerful effects that we can achieve using SRM are arbitrary code execution (code modification) and arbitrary RAM modification (via methods other than ACE). Until now, though, we've only ever done those two things separately.

It turns out, though, that using LightNode arbitrary ramwrite SRM, we can set up large-scale ACE payloads (what I call "total control ACE") much faster than the old setups (youtube.com/watch?v=wIyEUScOMxc and youtube.com/watch?v=xWevY4JOUAA).

The core idea is still the same as in those videos - we eliminate one of the checks on filename length in file select, which serves the dual purposes of 1) giving us a space to type our payload, and 2) letting us corrupt various internal variables of a file select screen in a way that allows us to jump into the payload.

With that plus an optimized payload, we can complete 100% NSR faster than any previous method. Detailed setup for NTSC 1.2 (N64 or Wii U) below:

0:00 Create a new File 2 (not a file 1!) with the filename 803AB288 8000A260 (ラぅHァラ0ブキ).

0:20 Completely ordinary LightNode SRM setup up until dropping the rock with angle ACA0, as usual.

7:52 Cross the load plane three times, die to the deku babas, save, and return to title. The first crossing triggers the LNSRM - from now on, the game will overwrite a specific address every frame. Specifically, it constantly overwrites the address that the "check filename length" code will load in later on. The second and third crossings of the load plane are just to get the babas to reload so that we can die to them.

8:18 Create a File 1 with the filename 803B2FA0 801DD928 (ラぇよバラとuま). Doesn't do anything yet, but this filename encodes a pointer to where we will be writing our ACE payload.

8:26 Go into File 3 name entry.
Press c-right until 'つ' is highlighted and then enter 'ち'
Press c-left all the way and enter 'リ' four times.

8:31 Enter the ACE payload now. For 100% NSR, use this one: pastebin.com/qKju5TFn
Press B to exit (don't create the file!)
Now, our payload is sitting in memory. We just need a way to run it.

8:58 Enter and exit options, then go back into File 3 name entry.
Press c-right until 'd' is highlighted and then enter '7'
Press c-right until 'a' is highlighted and then enter 'b'
Press c-right until 'b' is highlighted and then enter 'X'
Press c-left twice and enter 'い'
Blindly press up once, and then A. Wait for the file copy sound to play.
The effect of this setup is to copy our File 1 filename over a location in memory that specifies what code should run when the file select screen UNLOADS. And we made it point to the ACE payload that we entered in the previous step. Which means now we can...

9:20 Blindly press down, A, and A again to load file 2. The unloading of file select will cause our payload to run once.
As for what the NSR payload actually does, it accomplishes 3 goals in just eight instructions:
1) The first is to enable use of the debug inventory editor whenever you pause - the inventory editor lets us obtain most - but not all - of the items required for 100% NSR, with an amount of control that would be hard to get via ACE alone without writing a much longer payload.
2) The second goal is to get the NSR requirements that are not covered by inventory editor: magic flag, double magic flag, double defence flag, double defense heart count, biggoron's sword flag, and has-obtained-any-gold-skulltulas flag. As a bonus, I also include making the gold skulltula count greater than 100, because doing that with the inventory editor is really slow. Funnily enough, the fastest way to set all this data without writing very much code is to paste a random chunk of memory over the save context that happens to fulfill all these conditions by calling the MemCpy function. I wrote a script to search RAM to find the block of data that we copy. Note that doing this completely overwrites our inventory with garbage, but this is fine because we're going to be fixing it with the inventory editor anyway.
3) The third requirement is a way to reach the credits. The Lost Woods bridge is already coded to trigger a cutscene when you enter it, so I just changed it so that it triggers a credits cutscene again.
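
The RAM search described in goal 2, sketched as an added example (this is not MrCheeze's script): slide a window over a RAM dump and keep every source address whose bytes, once copied over the save context, satisfy all the listed conditions. The field offsets, the copy length, the "nonzero" tests and the sample dump are assumptions made for illustration; only the "greater than 100" skulltula condition comes from the description.

```python
# Added example: constraint search over a RAM dump (offsets are placeholders).
RAM_BASE = 0x80000000   # N64 KSEG0 base, matching the 0x80xxxxxx pointers above
COPY_LEN = 0x100        # hypothetical length of the MemCpy over the save context

nonzero = lambda v: v != 0
# (hypothetical offset in save context, width in bytes, predicate, meaning)
CONSTRAINTS = [
    (0x3A, 1, nonzero, "magic flag"),
    (0x3C, 1, nonzero, "double magic flag"),
    (0x3D, 1, nonzero, "double defense flag"),
    (0x3E, 1, nonzero, "biggoron's sword flag"),
    (0xCF, 1, nonzero, "double defense heart count"),
    (0xD0, 2, lambda v: v > 100, "gold skulltula count"),
    (0xF0, 1, nonzero, "has-obtained-any-gold-skulltulas flag"),
]

def field(ram, base, off, width):
    """Read a big-endian field (the N64 CPU is big-endian)."""
    return int.from_bytes(ram[base + off: base + off + width], "big")

def load_cost(addr):
    """MIPS instructions to build addr in a register: lui alone if the low half is 0."""
    return 1 if addr & 0xFFFF == 0 else 2

def find_blocks(ram, constraints=CONSTRAINTS, copy_len=COPY_LEN, align=4):
    """Return source addresses whose bytes, copied over the save context,
    satisfy every constraint; cheapest-to-load addresses first."""
    hits = []
    for base in range(0, len(ram) - copy_len + 1, align):
        if all(pred(field(ram, base, off, w)) for off, w, pred, _ in constraints):
            hits.append(RAM_BASE + base)
    return sorted(hits, key=lambda a: (load_cost(a), a))

def make_sample_ram():
    """Constructed dump: two usable blocks and one near miss (count too low)."""
    ram = bytearray(0x30000)
    for base, count in ((0x1234, 200), (0x20000, 255), (0x8000, 50)):
        for off in (0x3A, 0x3C, 0x3D, 0x3E, 0xCF, 0xF0):
            ram[base + off] = 1
        ram[base + 0xD0: base + 0xD2] = count.to_bytes(2, "big")
    return bytes(ram)

if __name__ == "__main__":
    for addr in find_blocks(make_sample_ram()):
        print(f"{addr:08X}  load cost {load_cost(addr)}")
```

Sorting by load cost reflects the eight-instruction budget: a source address with a zero low halfword needs one instruction to materialize instead of two.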

9:26 After loading up the newly corrupted file, just pause and the debug menu will open automatically. Fill it in the way that I do to get all the necessary items and such. After doing so, probably best to verify the pause screen contents, since otherwise it might be tricky to spot if you missed anything.

10:29 Now, just go to the kokiri bridge as fast as possible. Note that as a side effect of the random garbage that we copied over our file, we have F boots equipped and a stick on B. Also a glitched C item that probably crashes, I wouldn't try to use it. Just make sure not to accidentally fly off to space, and then enjoy the credits!