Achieving ACE-like effects without ACE (arbitrary function calls)

In Ocarina of Time, we can use arbitrary code execution glitches to accomplish literally anything. Even so, there are certain disadvantages to doing so: for one, "true ACE" isn't possible on VC, because of how the recompiler works.

What is possible on VC, however, and legal in the OoT ruleset as of today, is arbitrary manipulation of function pointers. Currently this is used for obtaining items early (Pot Chest/Butte Chest), but this vastly understates the power of this... There are entire classes of programming (e.g. Return-Oriented Programming) that assume as a given that you have control over the instruction pointer, but not the ability to craft payloads.

In any case, what is shown here is a method to call any loaded function in the game, instead of the limited selection that editing draw pointers gives us. The function to call is specified in the filename - but unlike previous videos, the filename is not code. Instead, we jump into the middle of a pre-existing function in the sign overlay, in such a way that registers aren't set up as the function expects. The game tries to load the data "address to jump to next" from elsewhere in the overlay (specifically from address 8020ACA4), but instead ends up loading it from the filename (address 8011ACA4). This is enough to let us call any function, although we have no control over what arguments get passed to it. Not quite the level of true ACE payloads, but there are still big things you can do with this.

(The fact that both addresses end with ACA4 is not a coincidence. This technique only works because the lower half of the address the game thinks it's reading, and the address we actually want it to read, are the same. But overlay code is relocatable, so we can find a heap manip that places the overlay at exactly the right location in memory so that the lower halves will match. Because of this additional requirement, the heap manip used here is slower than the one in any%.)
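As an added illustration (not part of the original description, and not code from any OoT tool), the following Python models why the low halves have to agree: a MIPS `lw` carries only a signed 16-bit displacement, so whichever register happens to stand in for the skipped upper-half setup, the low half of the resulting address is fixed by the instruction itself. Only the two addresses 8011ACA4 and 8020ACA4 come from the page; the overlay data offset, the heap range searched and the 0x10 alignment are constructed assumptions for the demonstration.

```python
# Added illustration: MIPS hi/lo address composition and the "low halves must
# match" constraint behind the overlay placement described above.
# Constructed assumptions are marked as such; the two addresses are from the page.

FILENAME_ADDR = 0x8011ACA4      # from the page: where the filename is read from
OVERLAY_DATA_ADDR = 0x8020ACA4  # from the page: where the overlay keeps its pointer


def sign_extend16(value):
    """Interpret the low 16 bits of value as a signed 16-bit integer."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def split_hi_lo(addr):
    """Split an address the way a MIPS toolchain does for a lui + lw pair.

    lo is the signed 16-bit displacement encoded in the lw; hi is the lui
    immediate, adjusted upward when lo is negative, so that
    (hi << 16) + sign_extend(lo) == addr.
    """
    lo = sign_extend16(addr)
    hi = ((addr - lo) >> 16) & 0xFFFF
    return hi, lo


def effective_load_addr(base_reg, lo):
    """Address accessed by `lw rt, lo(base_reg)` for a given register value."""
    return (base_reg + lo) & 0xFFFFFFFF


def load_with_expected_and_stale_base(stale_base_reg):
    """Show the same lw hitting two different addresses with equal low halves.

    The expected base is the value lui would have produced for the overlay's
    relocated data address. stale_base_reg is whatever the register holds when
    the lui is skipped; it is assumed here to be lui-shaped (low 16 bits zero).
    """
    hi, lo = split_hi_lo(OVERLAY_DATA_ADDR)
    expected = effective_load_addr(hi << 16, lo)
    actual = effective_load_addr(stale_base_reg, lo)
    return expected, actual


def overlay_bases_with_matching_low_half(data_offset, target_addr,
                                         heap_lo, heap_hi, align=0x10):
    """Enumerate relocatable overlay bases whose relocated data address shares
    its low 16 bits with target_addr.

    data_offset is the pointer's offset within the overlay (constructed here);
    heap_lo/heap_hi bound the candidate placements and align is the assumed
    allocator granularity.
    """
    want = target_addr & 0xFFFF
    return [base for base in range(heap_lo, heap_hi, align)
            if ((base + data_offset) & 0xFFFF) == want]


if __name__ == "__main__":
    exp, act = load_with_expected_and_stale_base(0x80120000)  # constructed stale value
    print(f"expected load from {exp:08X}, actually loads from {act:08X}")
    # Constructed offset 0x2CA4 and heap window; only bases ending in ...8000 qualify.
    for b in overlay_bases_with_matching_low_half(0x2CA4, FILENAME_ADDR,
                                                  0x80200000, 0x80230000):
        print(f"overlay base {b:08X} puts the pointer at {(b + 0x2CA4):08X}")
```

The point the search makes concrete is the one in the parenthetical above: since only the low half is pinned by the instruction encoding, an arbitrary overlay placement will not do, and the heap has to be arranged so the relocated data lands on a matching low half, which is why the manip here costs more time than the any% one.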

The following function effects are shown off in this video (all addresses are NTSC 1.2). All of them are possible to type as filenames on 1.2 except for the last one, but I showed it anyway because some related technique should make it possible also.

8009073C load title screen save
80090610 load empty save
800818C4 edit upgrades
80081760 edit equipment
80073FA0 trade sequence timer
80070130 give [broken?] giant's knife
8006FE64 change equips as if travelling through time
Some of these functions take arguments and so the exact effect (e.g. what equipment you get) depends on the exact heap used, as well as on the build of the game. For the time travel effect, the effect changes once you've been adult for the first time, as usual.


Setup:
Play on J 1.2 - not J 1.0 as all my previous videos have been.
In the main Kokiri Forest room, grab none of the one-time rupees except for the two that I backflip for.
The transitions in the hallway need to be done as shown in the video.
Unlike previous setups, we need to cut one particular bush before entering the crawlspace to get WWT.
The rock needs to be dropped with angle 8090. To get this angle, first lock Link and the camera to angle 8000. Then walk towards the camera for a bit without rotating it and then stop. The camera will pan around from 8000 down to 0000. On one of the intermediate frames, the camera angle will be exactly 0090 - press directly down on this frame to set Link's angle to 8090, and drop the rock there.
If everything was done correctly, the draw function pointer of a certain bush will have been corrupted (the value at 8020E034 will be 80208090). Every time you draw the bush, the game will look at the first half of your filename, and jump to whatever function it points to. For most choices of function, you now just have to go near the rock, but in the special cases of functions that overwrite your filename - especially the title screen file - you need to make sure to run the code for only one frame by standing in a certain position and rotating with c-up.

Note: the value that determines what function the game jumps to doesn't necessarily have to be the filename, with techniques like this. With this heap manip, it will be, but with a different heap you could (for example) use controller 1 or 3 to point to the function location instead. This would be good because some values can't be typed in the filename - especially if playing on a non-Japanese cart - and because you can change the controller inputs to call multiple functions.
