Possible to glitch NPC Scripts?

Started by Daddy Poi's Oily Gorillas, 11, July, 2017, 07:35:47 AM


Daddy Poi's Oily Gorillas

Edit: Due to certain pieces of Research... I have decided that this is Mission Failed for now. (It's possible I could still be missing something, though.)

--
After Retreat Glitching, Saving, and loading the room... the objects loaded are the ones in the Retreat Room (The number of objects, and their sprites.) ... however, the idle script and position is from the room you retreat-glitched in.

(In GS1, you should get just those objects in the room you retreated to, so that's one reason for this being in the TLA forum.)

I am not sure if there are any "good" ways of doing something useful, but the picture will at least show SOMETHING. :P Maybe some people can look into it and see if anything useful can come out of it. (Would be quite complex that I am just simply not sure/kind of doubting it in a way.)


08024DDC = Data Script 11,31-35 - End Script (17), End (49)
08024DEC = Data Script 12 - [npc+0x57]=read_flag([0])
08024E10 = Data Script 13 - [npc+0x57]=read_flag([0]) , and sets the flag.
08024E3C = Data Script 14 - [npc+0x57]=read_flag([0]) , and clears the flag.
08024E68 = Data Script 15 - [npc+0x57]=read_flag([0]) , and toggles the flag.


Areas to look at: (Areas containing more than one map code file... with the ability to Retreat.)
Lemuria Ship
Gondowan Cliffs
Gabomba Statue
0200A53C / 10 object slots (Map 120:3 / Map Code 0x672) - Mouth entrance (Map code file small enough for Gold Password, but are there any objects in the area with scripts pointing to that section?)
0200EFC8 / 5 object slots (Map 123:1 / Map Code 0x671) - Underground entrance

Map Code Idle Scripts:
Map 116 (Map Code 0x671)
0200DFC8 (6th slot) - Lash peg that moves in circles on a gear.

Can a Jump to address script be used to forward it to Gold Password section? (Can use any map in which you can save to do that... Doesn't need to be in the same Area.)

Edit again: Quick testing makes me wonder how the script is even executed.... o.O So still not sure if this glitch idea would even work or not. It sounds like the Retreat Room may have coding that tells whether the script should execute or whatever... I dunno yet? - Or maybe I'm wrong and that's what happens when you execute something in the wrong way...? Hmmm...

Jupiter Lighthouse - 2 object slots
Mars Lighthouse - 2 object slots
Anemos Inner Sanctum



Not sure if invalid commands increment or not... but was an assumption since I remember each command's code incrementing it. (Rather than being in the base function.)


In case of Gold Password being used to code scripts:
Retreat Map needs to be not using up the space at 0200A74A-0200A84D. (0200A88A-0200A938 might be another alternative??? But likely more difficult to use.)
But this will mean the map where you use the Retreat Glitch may?? need to take up that space. (Otherwise how will an object's script point there?)
Golden Sun Docs: Broken Seal - The Lost Age - Dark Dawn | Mario Sports Docs: Mario Golf & Mario Tennis | Misc. Docs
Refer to Yoshi's Lighthouse for any M&L hacking needs...

Sometimes I like to compare apples to oranges. (Figuratively) ... They are both fruits, but which one would you eat more? (If taken literally, I'd probably choose apples.)
Maybe it is over-analyzing, but it doesn't mean the information is useless.


The only GS Discord servers with significance are:
Golden Sun Hacking Community
GS Speedrunning
/r/Golden Sun
GS United Nations
Temple of Kraden

Can you believe how small the Golden Sun Community is?

2+2=5 Don't believe me? Those are rounded decimal numbers. Take that, flat earth theorists! :)

Plexa

Very interesting stuff. I will alert people to this and hopefully something can come of it.

Plexa

#2
Okay I think we're onto something here. I'll link a video once I'm done with my stream - but the important takeaway is that retreat glitch during the 'mirror puzzle' and then save/reset crashes my game. Probably trying to execute something it shouldn't or ... idk but it seems promising!

Fyi Anemos can be accessed as soon as you enter the Western Sea - importantly before you get Isaac's party so you can still input a password on the loading screen and then load into the room after using the retreat glitch. I have attached a battery file for your convenience :)

Update: here's the console verification
https://www.twitch.tv/videos/158981607

Update 2: here's the first time I encountered the crash, it gave me an error message in VBA https://www.twitch.tv/videos/158989891

Daddy Poi's Oily Gorillas

#3
Um? Which part is relevant in your memory viewer that is displayed? (Well, outside of 0203236C being the Felix Copybot object.)

I've been only paying attention to RAM / Map Code section pointers there... but I don't see anything pointing there in your video? (They're pointing to 0802EC48, which should have values that never change = Unlikely to be abusable. ... Especially since the data there is 00000011 ... which is like a Return/End of script command that doesn't really do anything. Although, with further thinking, I suppose ROM pointers could (even though I can't think of anything.) still be vulnerable to a degree, but it really just depends on the code being executed. I feel it would be a lot trickier than Map Code pointers, though. Both are tricky, however.)

Anyway, GS2 does save that NPC info to the sav file, GS1 doesn't (If I recall.)...  but I guess that's because GS1 probably solely relies on the flags for everything it needs on NPCs??)

Maybe I look into why it is crashing in a bit. (Could be NPC/Object scripts, but I'm not sure. - I'm not even sure if the Retreat Room having more objects than the one you retreated from could even cause problems... but you did get an error in the Map Code section... soo.... something should be up... *Checks* ... Hmm.. still need to do more looking, but all those objects at the end point to 02009970... Which does Command 0x0000002E (Function call to whatever the following value is.) ... 02009974 is 0200833D (So thumb call to 0200833C.)... If we can get something like that to point to the Gold Password section... then we could do almost anything...? Maybe not, because the main problem is, the Password feature only allows you to edit six of the eight bits in a byte. (With the exception of the initialized bytes being something like 0x63.))


Anemos Inner Sanctum (Retreat Maps) map code files....
Left, center, and right room ends at... 02009D20
But the Djinn Door room... ends at.... 0200C450? (Maybe.)... it overwrites the Gold Password data area. (If entering from Teleport Lapis.) But of course, with the Retreat glitch, we do not need to come from there, thankfully.
(Of course, regardless of how it is done, no one says we actually need to use the Gold Password area... I just thought if we could find a way to, it'd be easier to abuse the glitch.)

Plexa

Not entirely sure that my memory viewer was pointing at anything interesting at all - it just happened to be up at that address when the idea came to me to check that room. I also probably don't understand the technical details of what's going on here beyond getting some command to act on some nonexistent NPC.

Even if this room doesn't do anything interesting there are still plenty more rooms to check, and getting the game to crash is independently an interesting thing anyway.

Daddy Poi's Oily Gorillas

#5
Quote: Not entirely sure that my memory viewer was pointing at anything interesting at all - it just happened to be up at that address when the idea came to me to check that room.
Okay, alright.  Was also saying just in case I missed something that I wasn't looking at prior (or whatever)....




Yes, when I listed the six areas to look at, I quite literally worked this out in a paint document. (See first attachment. Tried to fix it a little before posting by removing the unnecessary Memory Viewer windows stuff.)

Each map is 8 bytes/entry... (@Below: Where I say First/Second/third/fourth... I mean them in address order and not left to right in how it is displayed here.)
The first 2 bytes are the Map Code file index. (To know which Map Code file to get) , and the third byte is the area number. (So Retreat knows which room to retreat to. That being the first map you enter that is in the area.) .. The fourth byte says whether you can retreat or not.)
So... orange is when an area only ever uses one Map Code file (But you can still Retreat.), and Red is when you cannot Retreat at all. (I skipped the first four maps, though, for obvious reasons.) Anything that is white past that still needs research and is not guaranteed to be able to abuse the glitch in a useful way or not. (Just that it got past the first assumed pre-requisites... )

---
@2nd attachment:  Forgot to mention the second section shows the Retreat Map *without* the glitch used.

Plexa

#6
Let's quickly check that I understand the first image.

Let's take 0x080F18E8, which has the information 010C0656.

0656 = map file to load.
01 = Can retreat (02 being cannot retreat)
0C = location (Lemurian Ship)

Then 0x080F18EC, which is 0000007F, tells you what exit/entry map to use?

Edit: Just playing around with the Lemurian ship, doesn't look like I can retreat in Atteka Inlet while I can in Lemuria or East Indra Shore. Curious.

Daddy Poi's Oily Gorillas

#7
@0656 = Yeah... But note that it is just the Map Code file to load to the 02008000 RAM section. (Nothing else.)
@01 = Yep!
@0C = Yep!
@0000007F = First, it isn't a 32-bit... (Either two 16-bits, or two 8-bits and a 16-bit?? Forget.)... but the 7F part is an index number for another table (That has indexes for files to retrieve.) Those being for Map Data file (containing seven compressed files for GS2, and probably six compressed files for GS1), Palette, and the Tilesets. ; The World Map is a bit weird, and does things a little differently, which is how I guess the separation makes sense??
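A decoder for the 8-byte map table entry laid out in post #5 and read off the memory viewer in posts #6 and #7. This is an added example, not code from the thread or the game; the sample bytes are constructed from the two words Plexa quoted (0x010C0656, 0x0000007F), and treating the low halfword of the second word as the asset-table index is an assumption (the post only pins down the 0x7F part).

```python
"""Decode Golden Sun map table entries (8 bytes each) as they lie in ROM."""
import struct
from typing import Iterator, NamedTuple, Tuple


class MapEntry(NamedTuple):
    map_code_file: int  # bytes 0-1: Map Code file index loaded to 0x02008000
    area: int           # byte 2: area number Retreat uses to pick the return room
    retreat_flag: int   # byte 3: 1 = can retreat, 2 = cannot retreat
    asset_index: int    # word 2, low half: index into the map data/palette/tileset
                        # table (assumption: only the 0x7F part is confirmed)


CAN_RETREAT = 1
CANNOT_RETREAT = 2


def decode_map_entry(raw: bytes) -> MapEntry:
    """Decode one entry in address order (little-endian, as stored in ROM)."""
    if len(raw) != 8:
        raise ValueError("map table entries are exactly 8 bytes")
    map_code_file, area, retreat_flag, asset_index, _rest = struct.unpack("<HBBHH", raw)
    return MapEntry(map_code_file, area, retreat_flag, asset_index)


def entry_from_viewer_words(word0: int, word1: int) -> MapEntry:
    """The memory viewer shows each 32-bit word most-significant byte first
    (0x010C0656), so the displayed '0656' is the *first* two bytes in memory."""
    return decode_map_entry(struct.pack("<II", word0, word1))


def can_retreat(entry: MapEntry) -> bool:
    return entry.retreat_flag == CAN_RETREAT


def walk_table(table: bytes) -> Iterator[Tuple[int, MapEntry]]:
    """Yield (slot, entry) for consecutive entries, e.g. to list Retreat-able maps."""
    for offset in range(0, len(table) - 7, 8):
        yield offset // 8, decode_map_entry(table[offset:offset + 8])


# Constructed sample: the Lemurian Ship entry from post #6, followed by a
# made-up entry that forbids Retreat so the walker has something to filter.
SAMPLE_TABLE = (
    struct.pack("<II", 0x010C0656, 0x0000007F)
    + struct.pack("<HBBHH", 0x0001, 0x0D, CANNOT_RETREAT, 0x0080, 0)
)

if __name__ == "__main__":
    for slot, entry in walk_table(SAMPLE_TABLE):
        print(slot, entry, "retreat ok" if can_retreat(entry) else "no retreat")
```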

Plexa

So then the next question is, for this glitch to work we need a script to tell an NPC to do something in a room where it normally is doing nothing? That script needs to be running in the room we're retreating glitching in?

Daddy Poi's Oily Gorillas

#9
To do something other than what was intended, yes.
Most scripts that do nothing. (Or finish what they're doing so it can do nothing.), end up pointing to the Return/End of script command in the ROM section.
(I suppose there could be the possibility of executing the exact same script if it caused some strange functionality due to being in a different room, but I doubt that would be the case by itself...)

One of the advantages (I think) that we have is that map code files are different sizes ... and after it is decompressed, the rest (past the size) is not cleared/is left alone as we well know. (That's why we do soft-resetting when going out of bounds.)  My idea was to find a way to take advantage of that.... (Sort of).... Well, the tables at the end of map code data can be altered for some maps that have them, as we know..

(Even if they were the same sizes, then we'd only be able to solely rely on the Retreat map to have magical data... without relying on the other maps.)

Plexa

I've been exploring these areas all day and other than the mirror puzzle crash, I haven't found anything remarkable.

I guess the next closest thing is the following. The floating spider puzzle at the end of anemos has its blocks randomly dispersed after retreat glitching depending on the room you came from. (Dullahan and the Mercury Lighthouse Orb can also be found). Solving the mirror puzzle 'solves' the spider puzzle i.e. it activates the blocks. You can't do anything with this and the puzzle resets upon loading a new room... so yeah nothing interesting.

If you have thoughts I'm happy to explore them.

Daddy Poi's Oily Gorillas

#11
Okay. Alright.... I still have to figure out exactly how the Script Engine works... as my testing a few days ago looked like it turned the script I was trying to test off (I think?) for some reason... (Was unexpected.) ... so one does need to actually do the research to get results...

Spider puzzle = Yeah, the positions are based on the x/y locations of the objects in the room you retreated from. That was also the case for the Mars Lighthouse example in the first post. (That last room, and the three entrance hallways use the same map...)
As for how it is solved/activated.... erm... could be that the 0x200-0x2FF flags do not get reset when Retreat-glitching + Saving + Resetting.


---
Good news!
I looked at the code, and it turns out if the script command is invalid (>0x3F), the position in the script does get incremented by 1! (aka: four bytes) :) Happy for me in case that increases the chance of finding something.

To execute a script.
-Script addr  [npcDataAddr+0x0] must be non-zero.
-8-bit at [npcDataAddr+0x5B] must be zero.
-16-bit at [npcDataAddr+0x5E] must be zero. (Should be the counter/delay... so will likely hit zero without worry if it was set to something.)



---
@02009970 = Looking at the map code data makes that look normal. ... So I'm not much worried about it... (Guessing the pointers were going to change if the crash didn't happen?) ... I'm guessing the Retreat Map's objects are loaded fully... and then the saved NPC data stuff gets loaded on top. (Didn't confirm.)


--
@Mirroring clones == I think it crashes because a tile has an event set where the function assigns another function to an npc object... (So that the "another function"'s pointer gets saved/loaded when saving/loading a file.)... Interesting...
So not as a script pointer that uses commands, but as a direct function pointer.
The function being at 020097B5. (So thumb for 020097B4.) And the pointer to that is stored at [npcDataAddr+0x6C]. So yes, I guess your memory viewer was semi-relevant after all. :) (Except I think you were viewing the wrong object. And/or doing the wrong mirror puzzle... since each mirror puzzle's object is separate. Obj. #0x8-0xA depending on puzzle.)
Now that we know what's going on with the Mirror Puzzle... (Well the first bit, anyway... I still would like to know if the program counter can still be controlled... which I may or may not bother with... (Probably not?) but I doubt you could get rid of the error message without other unknown glitching, so....) I guess we check something else...


--
Now back to Script studies:

Mars Lighthouse

(If there's only one entrance, these don't count:)
Map 281
0200CDE8

Map 282
0200CEB8

Map 284
0200CF44

Map 292
0200D7BC

Map 294
0200D890
0200D93C


---
Result: So... I found out some (maybe not all of them??) scripts are turned off when you enter the pause menu... so when you save, that's how they are saved.... but I still need to figure out how they get re-enabled. I'm not feeling good about this....
Update: Seem to be based on flag 0x106 ... (Possibly with more checks?). ... However here's the kicker.... the code for this is in the map code. :/
Update 2: This now guarantees that Map Code from the Retreat Room has to enable them itself (which will be the case if the Retreat Room has such a script. Or wait. Maybe not? Not sure.) should a script be disabled due to pausing before saving. (Probably by storing the function pointer to a table to be called every frame, which is not saved in Save data.) ... If it doesn't, setting the script is pointless.... As for the direct Thumb pointer? Hm? Can't say....
I feel like I'm going to just have to give up...?  This topic is still here to discuss anything I may have missed, though.
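The three run conditions, the Thumb pointer decode (0200833D -> 0200833C, 020097B5 -> 020097B4) and the "invalid command just advances one word" finding from post #11, modelled as an added example (not the thread's or the game's code). The NPC record size, the helper names, and treating every valid command other than End (0x11) and call (0x2E) as one word wide are assumptions; the script image and NPC records are constructed.

```python
"""Model of the NPC script run conditions and script-position stepping from post #11."""
import struct
from typing import List, Optional, Tuple

NPC_RECORD_SIZE = 0x70   # assumption: just big enough to hold offset 0x6C
OFF_SCRIPT_ADDR = 0x00   # 32-bit script pointer; must be non-zero
OFF_DISABLE = 0x5B       # 8-bit; must be zero
OFF_DELAY = 0x5E         # 16-bit counter/delay; must be zero
OFF_FUNC_PTR = 0x6C      # direct Thumb function pointer used by the mirror puzzle

MAX_VALID_COMMAND = 0x3F  # anything above this is invalid and is skipped
CMD_END = 0x11            # Return/End of script
CMD_CALL = 0x2E           # call the function whose address is the next word


def make_npc(script_addr: int = 0, disabled: int = 0, delay: int = 0,
             func_ptr: int = 0) -> bytes:
    """Build a constructed NPC record with only the fields the thread names."""
    buf = bytearray(NPC_RECORD_SIZE)
    struct.pack_into("<I", buf, OFF_SCRIPT_ADDR, script_addr)
    buf[OFF_DISABLE] = disabled
    struct.pack_into("<H", buf, OFF_DELAY, delay)
    struct.pack_into("<I", buf, OFF_FUNC_PTR, func_ptr)
    return bytes(buf)


def script_will_run(npc: bytes) -> bool:
    """All three conditions from post #11 must hold."""
    script_addr = struct.unpack_from("<I", npc, OFF_SCRIPT_ADDR)[0]
    delay = struct.unpack_from("<H", npc, OFF_DELAY)[0]
    return script_addr != 0 and npc[OFF_DISABLE] == 0 and delay == 0


def thumb_target(ptr: int) -> Tuple[int, bool]:
    """Bit 0 of an ARM function pointer selects Thumb mode; clearing it gives
    the real address (0x0200833D -> 0x0200833C)."""
    return ptr & ~1, bool(ptr & 1)


def next_script_pc(pc: int, word: int) -> Optional[int]:
    """Script position after one 32-bit command: None at End, two words for a
    call (command + address), otherwise one word. An invalid command (> 0x3F)
    is skipped exactly like a one-word command, as found in post #11."""
    if word == CMD_END:
        return None
    if word == CMD_CALL:
        return pc + 8
    return pc + 4


def trace_script(words: List[int], start_pc: int = 0x02009970) -> List[int]:
    """Positions visited over a constructed script image until End or run-off."""
    visited = []
    pc: Optional[int] = start_pc
    while pc is not None and 0 <= (pc - start_pc) // 4 < len(words):
        visited.append(pc)
        pc = next_script_pc(pc, words[(pc - start_pc) // 4])
    return visited


# Constructed script: call 0x0200833D, then an invalid word, then End.
SAMPLE_SCRIPT = [CMD_CALL, 0x0200833D, 0x40, CMD_END]
```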

Plexa

Found something pretty minor the other day, that entering Anemos through the teleport entrance and doing the retreat glitch (+S&Q) in the mirror puzzle does not crash the game.

I got some interesting behavior in Gabomba as well. When you enter the Gabomba puzzle the retreat pointer is set to area 114 (Gabomba exterior during night). If you retain this retreat pointer, go to the room with the gear puzzle, retreat glitch + S&Q you can get some things to move around in the room (as well as find some unused sprites).

Daddy Poi's Oily Gorillas

#13
Quote: Found something pretty minor the other day, that entering Anemos through the teleport entrance and doing the retreat glitch (+S&Q) in the mirror puzzle does not crash the game.
In that case, the function used is still the same one. ... If there was a way to abuse that (because you are not in the exact same place/room), then that'd be cool, but I doubt that there is... ; (I start thinking of possible scripts that could be based on door number , but can't think of any potentially useful ones at the moment... assuming there is any.)

I do know with the mirror puzzle... That each of the three puzzles... the tile where it starts.... uses different event ids... (0x32-0x34)... (Each linked to the same function..) However, the function seems to check based on door number (And not event id, interestingly enough), ... If it does, this might not really mean much, either way. Except to serve as an example. (Door 1 = Object 0x8, Door 3 = Object 0x9, All others = Object 0xA)

^Would be interesting to see this type of abuse with story flags. (But I can't imagine how it would be possible... Are there any other maps you can use Retreat in that also somehow use Map/Door Number for its puzzle(s)?)

Mirror puzzles = The first puzzle has random battles, the other two don't. (So what happens if one could change door number, start mirror puzzle, get battle, come back (to revert map/door numbers).... erm...  likely nothing different changes....) (Door 99 is the teleport circle?)

Quote: I got some interesting behavior in Gabomba as well. When you enter the Gabomba puzzle the retreat pointer is set to area 114 (Gabomba exterior during night). If you retain this retreat pointer, go to the room with the gear puzzle, retreat glitch + S&Q you can get some things to move around in the room (as well as find some unused sprites).
Sounds interesting.... = But if the scripts happen to be disabled... as in not re-enabled with the different map code file... then.... it's kinda hard to see how to abuse it.... (I should probably look into it/see if this is the case/whatever, before saying anything, though.)