Light Node Pointer SRM Brief Notes (Torches)

1. Light Node Pointer SRM Brief Notes (Torches)
2.  
3.  
4. Light Node Pointer (LNP) is 4 bytes stored at Torch + 0x1E0. The value of LNP is initially 801Fxxxx.
5.  
6. We can use Pot + 0x32 (Movement Angle) to write to Torch + 0x1E2, which allows us to edit the last 2 bytes of LNP.
7.  
8. Pot + 0x32 = Torch + 0x1E2
9. Pot = Torch + 0x1B0
10.  
11. Edit the value of LNP to be 801FXXXX. Call this address LN (Light Node; i.e. LN = 801FXXXX).
12.  
13. LN + 4 = Ptr1 (LN.prev)
14. LN + 8 = Ptr2 (LN.next)
15.  
16. Ptr1 has value Addrees1
17. Ptr2 has value Address2
18.  
19. When you deallocate the torch you SRM'd, the following happens...
20.  
21. - The 4 bytes stored at Address1 + 8 are overwritten by the value Address2
22. - The 4 bytes stored at Address2 + 4 are overwritten by the value Address1
23.