Golden Sun Hacking Community
1  The Community / Creative Works / Re: Big Brother Fangame Idea on: July 20, 2017, 02:25:49 AM
Oh? So Role's talking about Gov't's spying on people? While I'm talking about the game show itself....? Did I get that correct? As I'm not familiar with the novel. (Though I did find references to it when I googled.)


I've been finding that game show addicting again this year.... wasn't sure if I'd watch much of it or not... but it looks like I will. .... Heh.

2  The Community / Creative Works / Re: Big Brother Fangame Idea on: July 19, 2017, 01:07:22 PM
Well.. umm... yeah... What I had in mind is that there'd be an HOH every in-game week, ~two nominees go up, one goes out the door... so...

1984-esque? I'm not sure what that means....

Watch Dogs? Don't believe I've heard of it....
3  The Community / Creative Works / Re: Big Brother Fangame Idea on: July 19, 2017, 12:45:40 AM
For me to brainstorm ideas on what a Big Brother (or some variant) game could be like as a video game. ...
Whether or not I ever get into the coding of it is another question altogether.
And likely wouldn't be anytime soon...
-Planning would need to be done.
-Too low of a priority. (at this time, at least.)

But it is still nice to have some reference just in case I magically want to pick up on doing something interesting.)
4  The Community / Creative Works / Big Brother Fangame Idea on: July 17, 2017, 01:07:04 PM
- There may be some Phoenix Wright references if I can think of any good ones. Phoenix Wright is mostly a novel, and seeing as Big Brother is mostly done in the House, well, yeah. There are some similarities. Court vs. Nomination ceremonies and Evictions.... Except that court is a trial against one person, and Evictions is picking to Evict one or the other. (Or a third if there is a third nominee.)


Event: The Broken Bone (Foot?)
 If certain events take place (such as two people being in the game up to a certain point), then one of them could have their foot broken/sent to hospital for surgery. There, they could cast their vote through a phone call. One thing to spice this up a bit, is that the phone call wasn't completely hung up, and so the voter could hear the quantity of votes against each nominated houseguest before it continued with the rest of the votes. (Difference is, the phone voter doesn't get to see the voter order.)

Event: The Talk Show (Or whatever, but this can be an example.)
If a particular houseguest makes it to a certain point, s/he'll start doing talk shows by gathering the people around to interview the nominees.

Event: Storytime
If a particular houseguest makes it to a certain point, there will be a story time routine. Could be an old guy like Kraden.

Event: There could be a series of events that could lead to a house guest self-evicting.  (Probably female, since it often feels like they are twice as emotional than guys.) Self-eviction(s) should occur pretty early in the game, though. Likewise, other forms of evictions like rule-breaking could be considered.

Twist: A voice may talk in the main character's(?) head instructing them what to do for a week. (Stanley Parable reference.) Whether these to-dos are good or bad, who knows?

---

One of my ideas for this game idea (Not saying whether a game will be in the works.) , is that there could be an Achievements system. In a perfect world where you could get a perfect score, it could be to have had a final two with all houseguests, never been voted against, and get all the Jury votes. (And if you can pick a character, to do the same with each.) But realistically, I'm sure that would take an extremely long time to accomplish... Oh, and did I mention this is currently just an idea for now?


--
Implementation idea:
There could be a Trust table with 16x16 numbers = Whatever numbers are set here, the lesser could be voted out by voter. - It may be more complicated, though. (Such things like flip votes, and trying to fool people about your vote and such.) But in that case, other data could overwrite who's voted out. (e.g. Like what item classes are to GS's class system.) For example... the most trusted of a person could sway one's vote. And the HOH could sway it if one of the top 2-3 trusted of a person... (Only a theory to give an example scenario.)
5  Golden Sun Games / Golden Sun / Re: I crashed the game in Tret tree on: July 16, 2017, 01:35:33 PM
The thing is... When I posted the previous post, I didn't check to see if it worked the same way out-of-bounds as well... I mean like, the games can be quite clever with limiting functionality.... What is the possibility they check that it is in-bounds first (Like the X/Y location of the PC.), and the crashes being because of something else?
It seems like these events have some sort of activate once only type of mechanic... Eh? EDIT: It does something when [02001000] is not the same as the event id. (Then sets that to the Event ID) ... but if these are shared across event ids... then ... I guess you can only activate it twice since the second time is the drop.
Well, more research has to be done if we can actually do things. (Don't count your chickens before they hatch!)


Seems the numbers they become are at 02014700. (As in "not hard-coded"....) ... For both the "Damaged" leaves and "Broke/fall through" leaves. ([+0x200])



Functions I am studying:
At the base of the research should be the Event Table in map code, the Event ID in this example shall use 0x1F...
02008560 = Just a call with args. == 02008334(0x209, 0x49, 0x23, 0x1F)
Args:
0x00000209 = r0 = Flag index
0x00000049 = r1 = source x
0x00000023 = r2 = source y
0x0000001F = r3 = event id?

02008334 = ?

This function is called around 02008390 and 020083BA:
080105D4 = I assume it replaces a tile, and transfers the modified tiles from RAM to VRAM.
Args:
r0 = source X
r1 = source Y
r2 = width
r3 = height
sp $44 = destination X
sp $48 = destination Y



EDIT: CONFIRMED!!! OUT-OF-BOUNDS STILL EDITS VALUES THE SAME WAY BUT THIS TIME IN THE OPPOSITE DIRECTION!!!! (-0x100)

Since -0x100 is the case, then there may be good reason to look into using garbage data (map code) from other maps. .... Hm... Although, I get the feeling it is entirely unnecessary. We might have this in the bucket? You think?
6  Golden Sun Games / Golden Sun / Re: I crashed the game in Tret tree on: July 16, 2017, 11:02:55 AM
Oh. Thanks! Sounds interesting, and that is unfortunate...

Update: Meanwhile, I think I see something? Is it accurate?

(+0x100 for the next layer... since the tilemap is made of three layers.)

Layer 1 .... Layer 2
Layer 3 .... Probably nothing?


End of game here we come? (If possible.)

14 and below = (Nothing changed?)
15 = 000003FC
16 = 0000009A ; 00000005 (But also drops down / warps to another room.) ; I like how this is here since it is practically nudging Jenna flag.
17 = 000003FD
18 = 000003FE
19 = 000003FF
1A = 000003FC
1B = 00000400
1C = 00000401
1D = 000003FD
1E = (Nothing changed?)
1F = 000003FF
20 = 00000288

32 = 00000404
33 = 00000402
34 = 00000288
35 = 00000403
36 = 000002EB
37 = 00000405
38 = 00000406
39 = 00000407
3A = 00000359
3B = 00000406

--

Good news is that you can find a path past the Map Code file, but it gets a little difficult....
7  Golden Sun Games / Golden Sun / Re: I crashed the game in Tret tree on: July 16, 2017, 10:10:16 AM
Okay thanks! - It resets.... (Or well, I went directly to the final coordinates first to make sure, so that I could also get the number 0x1D -- Apparently most of that are about setting a tile to the PC's position... I assumed this was calculated with the base address of 06003000, but I will definitely want to do more testing before I go with basic assumptions....


@Hard Reset = I thought I noticed some strange object just barely peeking out on the right side of your screen... so I thought that was strange.....
8  Golden Sun Games / Golden Sun / Re: I crashed the game in Tret tree on: July 16, 2017, 06:27:33 AM
Tried to do this directly in the map (Using Debug Mode's Walk-Through-Walls instead of Retreat-Glitching... and umm... I think I got lost? (e.g. It looks like you can go right quite a bit. Edit: Although, if you are one tile off, it might just be a tiny bit. ... But then when I go up/left... I get a door/no crash.)

What are the coordinates of the crash? (And maybe the 'tile data' there too...) (The value at 020301B8 or 020301BC , and the value of whatever that points to.)


---
Referring to this topic? http://forum.goldensunhacking.net/index.php?topic=2611.0 ... Looks like I forgot to look it up, huh?

9  Golden Sun Games / Golden Sun: The Lost Age / Re: Possible to glitch NPC Scripts? on: July 15, 2017, 04:21:25 AM
Okay. Alright.... I still have to figure out exactly how the Script Engine works... as my testing a few days ago looked like it turned the script I was trying to test off (I think?) for some reason... (Was unexpected.) ... so one does need to actually do the research to get results...

Spider puzzle = Yeah, the positions are based on the x/y locations of the objects in the room you retreated from. That was also the case for the Mars Lighthouse example in the first post. (That last room, and the three entrance  hallways use the same map...)
As for how it is solved/activated.... erm... could be that the 0x200-0x2FF flags do not get reset when Retreat-glitching + Saving + Resetting.


---
Good news!
I looked at the code, and it turns out if the script command is invalid (>0x3F), the position in the script does get incremented by 1! (aka: four bytes) :) Happy for me in case that increases the chance of finding something.

To execute a script.
-Script addr  [npcDataAddr+0x0] must be non-zero.
-8-bit at [npcDataAddr+0x5B] must be zero.
-16-bit at [npcDataAddr+0x5E] must be zero. (Should be the counter/delay... so will likely hit zero without worry if it was set to something.)



---
@02009970 = Looking at the map code data makes that look normal. ... So I'm not much worried about it... (Guessing the pointers were going to change if the crash didn't happen?) ... I'm guessing the Retreat Map's objects are loaded fully... and then the saved NPC data stuff gets loaded on top. (Didn't confirm.)


--
@Mirroring clones == I think it crashes because a tile has an event set where the function assigns another function to an npc object... (So that the "another function"'s pointer gets saved/loaded when saving/loading a file.)... Interesting...
So not as a script pointer that uses commands, but as a direct function pointer.
The function being at 020097B5. (So thumb for 020097B4.) And the pointer to that is stored at [npcDataAddr+0x6C].. So yes, I guess your memory viewer was semi-relevant after all. :) (Except I think you were viewing the wrong object. And/or doing the wrong mirror puzzle. ...since each mirror puzzle's object is a separate. Obj. #0x8-0xA depending on puzzle.)
Now that we know what's going on with the Mirror Puzzle... (Well the first bit, anyway... I still would like to know if the program counter can still be controlled... which I may or may not bother with... (Probably not?) but I doubt you could get rid of the error message without other unknown glitching, so....) I guess we check something else...


--
Now back to Script studies:

Mars Lighthouse

Spoiler for If there's only one entrance, these don't count.:
Map 281
0200CDE8

Map 282
0200CEB8

Map 284
0200CF44

Map 292
0200D7BC

Map 294
0200D890
0200D93C


---
Result: So... I found out some (maybe not all of them??) scripts are turned off when you enter the pause menu... so when you save, that's how they are saved.... but I still need to figure out how they get re-enabled. I'm not feeling good about this....
Update: Seem to be based on flag 0x106 ... (Possibly with more checks?). ... However here's the kicker.... the code for this is in the map code. :/
Update 2: This now guarantees that Map Code from the Retreat Room has to enable them itself (which will be the case if the Retreat Room has such a script. Or wait. Maybe not? Not sure.) should a script be disabled due to pausing before saving. (Probably by storing the function pointer to a table to be called every frame of which is not saved in Save data.) ... If it doesn't setting the script is pointless.... As for the direct Thumb pointer? Hm? Can't say....
I feel like I'm going to just have to give up...?  This topic is still here to discuss anything I may have missed, though.
10  Golden Sun Games / Golden Sun: The Lost Age / Re: Possible to glitch NPC Scripts? on: July 15, 2017, 03:22:34 AM
To do something other than what was intended, yes.
Most scripts that do nothing. (Or finish what they're doing so it can do nothing.), end up pointing to the Return/End of script command in the ROM section.
(I suppose there could be the possibility of executing the exact same script if it caused some strange functionality due to being in a different room, but I doubt that would be the case by itself...)

One of the advantages (I think) that we have is that map code files are different sizes ... and after it is decompressed, the rest (past the size) is not cleared/is left alone as we well know. (That's why we do soft-resetting when going out of bounds.)  My idea was to find a way to take advantage of that.... (Sort of).... Well, the tables at the end of map code data can be altered for some maps that have them, as we know..

(Even if they were the same sizes, then we'd only be able to solely rely on the Retreat map to have magical data... without relying on the other maps.)
11  Golden Sun Games / Golden Sun: The Lost Age / Re: Possible to glitch NPC Scripts? on: July 15, 2017, 02:11:04 AM
@0656 = Yeah... But note that it is just the Map Code file to load to the 02008000 RAM section. (Nothing else.)
@01 = Yep!
@0C = Yep!
@0000007F = First, it isn't a 32-bit... (Either two 16-bits, or two 8-bits and a 16-bit?? Forget.)... but the 7F part is an index number for another table (That has indexes for files to retrieve.) Those being for Map Data file (containing seven compressed files for GS2, and probably six compressed files for GS1), Palette, and the Tilesets. ; The World Map is a bit weird, and does things a little differently, which is how I guess the separation makes sense??
12  Golden Sun Games / Golden Sun: The Lost Age / Re: Possible to glitch NPC Scripts? on: July 14, 2017, 07:42:53 PM
Quote
Not entirely sure that my memory viewer was pointing at anything interesting at all - it just happened to be up at that address when the idea came to me to check that room.
Okay, alright.  Was also saying just in case I missed something that I wasn't looking at prior (or whatever)....




Yes, when I listed the six areas to look at, I quite literally worked this out in a paint document. (See first attachment. Tried to fix it a little before posting by removing the unnecessary Memory Viewer windows stuff.)

Each map is 8 bytes/entry... (@Below: Where I say First/Second/third/fourth... I mean them in address order and not left to right in how it is displayed here.)
The first 2 bytes are the Map Code file index. (To know which Map Code file to get) , and the third byte is the area number. (So Retreat knows which room to retreat to. That being the first map you enter that is in the area.) .. The fourth byte says whether you can retreat or not.)
So... orange is when an area only ever uses one Map Code file (But you can still Retreat.), and Red is when you cannot Retreat at all. (I skipped the first four maps, though, for obvious reasons.) Anything that is white past that, still needs research and is not guaranteed to be able to abuse the glitch in a useful way or not. (Just that it got past the first assumed pre-requisites... )

---
@2nd attachment:  Forgot to mention the second section shows the Retreat Map *without* the glitch used.
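
The 8-byte map table layout described in the post above, as an added example that is not part of the original post or of any Golden Sun tooling: a parser that groups entries by area and applies the same filter (Retreat allowed, more than one Map Code file). The little-endian field order, a non-zero fourth byte meaning "can Retreat", and the sample table are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

ENTRY_SIZE = 8  # the post: "Each map is 8 bytes/entry"


@dataclass(frozen=True)
class MapEntry:
    map_id: int         # position of the entry in the table
    map_code_file: int  # bytes 0-1: Map Code file index
    area: int           # byte 2: area number (decides the Retreat room)
    retreat_flag: int   # byte 3: whether Retreat is possible
    rest: bytes         # bytes 4-7: left uninterpreted here


def parse_map_table(blob):
    """Split a raw table into entries; reject a truncated table."""
    if len(blob) % ENTRY_SIZE:
        raise ValueError("table length is not a multiple of 8 bytes")
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        # Assumption: little-endian 16-bit index (the GBA CPU is little-endian).
        code, area, flag = struct.unpack_from("<HBB", blob, off)
        entries.append(MapEntry(off // ENTRY_SIZE, code, area, flag,
                                bytes(blob[off + 4:off + ENTRY_SIZE])))
    return entries


def classify_areas(entries, can_retreat=lambda flag: flag != 0):
    """Label each area the way the post colours it.

    no_retreat       -> "Red": no map in the area allows Retreat
    single_code_file -> "orange": Retreat works, but only one Map Code file
    candidate        -> "white": passes both prerequisites, needs research
    The can_retreat predicate is an assumption; the post does not give the
    byte value that means "can Retreat".
    """
    by_area = defaultdict(list)
    for entry in entries:
        by_area[entry.area].append(entry)
    labels = {}
    for area, maps in sorted(by_area.items()):
        retreatable = [m for m in maps if can_retreat(m.retreat_flag)]
        code_files = {m.map_code_file for m in maps}
        if not retreatable:
            labels[area] = "no_retreat"
        elif len(code_files) < 2:
            labels[area] = "single_code_file"
        else:
            labels[area] = "candidate"
    return labels


def _entry(code, area, flag):
    # Helper for the constructed sample: bytes 4-7 are zero-filled.
    return struct.pack("<HBB4x", code, area, flag)


# Constructed sample table (not real game data).
SAMPLE_TABLE = b"".join([
    _entry(0x0100, 1, 1), _entry(0x0100, 1, 1),   # area 1: one code file
    _entry(0x0200, 2, 0), _entry(0x0201, 2, 0),   # area 2: Retreat disabled
    _entry(0x0300, 3, 1), _entry(0x0301, 3, 1),   # area 3: two code files
    _entry(0x0302, 3, 0),
])

if __name__ == "__main__":
    for area, label in classify_areas(parse_map_table(SAMPLE_TABLE)).items():
        print(f"area {area}: {label}")
```
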
13  Golden Sun Games / Golden Sun: The Lost Age / Re: Possible to glitch NPC Scripts? on: July 14, 2017, 06:38:35 AM
Um? Which part is relevant in your memory viewer that is displayed? (Well, outside of 0203236C being the Felix Copybot object.)

I've been only paying attention to RAM / Map Code section pointers there... but I don't see anything pointing there in your video? (They're pointing to 0802EC48, which should have values that never change = Unlikely to be abusable. ... Especially since the data there is 00000011 ... which is like a Return/End of script command that doesn't really do anything. Although, with further thinking, I suppose ROM pointers could (even though I can't think of anything.) still be vulnerable to a degree, but it really just depends on the code being executed. I feel it would be a lot trickier than Map Code pointers, though. Both are tricky, however.)

Anyway, GS2 does save that NPC info to the sav file, GS1 doesn't (If I recall.)...  but I guess that's because GS1 probably solely relies on the flags for everything it needs on NPCs??)

Maybe I look into why it is crashing in a bit. (Could be NPC/Object scripts, but I'm not sure. - I'm not even sure if the Retreat Room having more objects than the one you retreated from could even cause problems... but you did get an error in the Map Code section... soo.... something should be up... *Checks* ... Hmm.. still need to do more looking, but all those objects at the end point to 02009970... Which does Command 0x0000002E (Function call to whatever the following value is.) ... 02009974 is 0200833D (So thumb call to 0200833C.)... If we can get something like that to point to the Gold Password section... then we could do almost anything...? Maybe not, because the main problem is, the Password feature only allows you to edit six of the eight bits in a byte. (With the exception of the initialized bytes being something like 0x63.))


Anemos Inner Sanctum (Retreat Maps) map code files....
Left, center, and right room ends at... 02009D20
But the Djinn Door room... ends at.... 0200C450? (Maybe,)... it overwrites the Gold Password data area. (If entering from Teleport Lapis.) But of course, with the Retreat glitch, we do not need to come from there, thankfully.
(Of course, regardless of how it is done, no one says we actually need to use the Gold Password area... I just thought if we could find a way to, it'd be easier to abuse the glitch.)
14  Golden Sun Games / Golden Sun: The Lost Age / Possible to glitch NPC Scripts? on: July 11, 2017, 11:35:47 AM
Edit: Due to certain pieces of Research... I have decided that this is Mission Failed for now. (It's possible I could still be missing something, though.)

--
After Retreat Glitching, Saving, and loading the room... the objects loaded are the ones in the Retreat Room (The number of objects, and their sprites.) ... however, the idle script and position is from the room you retreat-glitched in.

(In GS1, you should get just those objects in the room you retreated to, so thus one reason for this being in TLA forum.)

I am not sure if there are any "good" ways of doing something useful, but the picture will at least show SOMETHING. :P Maybe some people can look into it and see if anything useful can come out of it. (Would be quite complex that I am just simply not sure/kind of doubting it in a way.)


08024DDC = Data Script 11,31-35 - End Script (17), End (49)
08024DEC = Data Script 12 - [npc+0x57]=read_flag([0])
08024E10 = Data Script 13 - [npc+0x57]=read_flag([0]) , and sets the flag.
08024E3C = Data Script 14 - [npc+0x57]=read_flag([0]) , and clears the flag.
08024E68 = Data Script 15 - [npc+0x57]=read_flag([0]) , and toggles the flag.


Areas to look at: (Areas containing more than one map code file... with the ability to Retreat.)
Lemuria Ship
Gondowan Cliffs
Gabomba Statue
0200A53C / 10 object slots (Map 120:3 / Map Code 0x672) - Mouth entrance (Map code file small enough for Gold Password, but are there any objects in the area with scripts pointing to that section?)
0200EFC8 / 5 object slots (Map 123:1 / Map Code 0x671) - Underground entrance

Map Code Idle Scripts:
Map 116 (Map Code 0x671)
0200DFC8 (6th slot) - Lash peg that moves in circles on a gear.

Can a Jump to address script be used to forward it to Gold Password section? (Can use any map in which you can save to do that... Doesn't need to be in the same Area.)

Edit again: Quick testing makes me wonder how the script is even executed.... o.O So still not sure if this glitch idea would even work or not. It sounds like the Retreat Room may have coding that tells whether the script should execute or whatever... I dunno yet? - Or maybe I'm wrong and that's what happens when you execute something in the wrong way...? Hmmm...

Jupiter Lighthouse - 2 object slots
Mars Lighthouse - 2 object slots
Anemos Inner Sanctum



Not sure if invalid commands increment or not... but was an assumption since I remember each command's code incrementing it. (Rather than being in the base function.)


In case of Gold Password being used to code scripts:
Retreat Map needs to be not using up the space at 0200A74A-0200A84D. (0200A88A-0200A938 might be another alternative??? But likely more difficult to use.)
But this will mean the map where you use the Retreat Glitch may?? need to take up that space. (Otherwise how will an object's script point there?)
15  Golden Sun Games / Golden Sun: The Lost Age / Re: Help finding some memory addresses on: July 09, 2017, 02:16:50 AM
The other day (When studying stuff on your last topic), I saw code putting data in the flags as bytes... I thought that was odd, but thought nothing of it...

Now, after thinking about your thing for a bit, it just occurred to me.... that that was the way it transferred the coordinates to the next room.

The flags are at 0x380 (8 bits for X position), and 0x388 (8 bits for Y position)
0x020000B0 = Address of where those flags are if you choose to edit from memory instead of flag menu.


And those are in area based flags, so leaving Jupiter Lighthouse altogether will reset them back to 0.



Map 286 (Mars Lighthouse) has it at 020000A8! (0x340) - Possible to use for a skip?? I don't know. -

286:11 =  Number does NOT get set to 0 after landing. ; Only works with door 11. (So unless you can manipulate the number (Like maybe keep it at 00 00), and get this door some other way, may not be manipulative?) And since the number doesn't reset to 0, Retreat glitch not useful??

Jupiter Lighthouse isn't based on door and simply requires the values to be non-zero. They are 0'd after landing.


Of course, Mars Lighthouse example isn't about cracked ground, but rather falling through the darkness....