Crash Bash Memory Manipulation

1. Disclaimer: I did not revise the whole thing.
2.  
3. Crash bash Memory Manipulation
4. ==============================
5. So. Stuff happened in Crash Bash lately, and as the first real Memory Manipulation to be discovered
6. in a game I have some remote interest in (It's a PS1 game of the Sprash sort...), I needed to jump
7. in an try to uncover its secrets. Quickly, after playing around with it, I found the memory adress
8. that contains which letter/action of the "ENTER NAME" screen is selected... Those actions are in a
9. simple array, with A being 0 and CANCEL being 29, and it happens that they never fool-proofed
10. pressing Down-left on V, which takes you to ID 34. Great. Now from there you can do 5 things:
11.  
12. - Press DOWN: Nothing happens...
13. - Press LEFT: You move to 45, then you're stuck.
14. - Press RIGHT: You move to 48, then you're stuck.
15. - Press UP-LEFT: You move to 59, from here only pressing UP does something, and it brings you on H.
16. - Press RIGHT: Here is where all the magic happens. It brings you to -94.
17.  
18. Now the wonderful thing is that it probably uses that number as the index of the array in which all
19. these actions are stored. I noticed that after every press of a button that does not leave the
20. cursor in place, one value becomes 2, while the one that was previously changed to 2 becomes 0. My
21. guess: 2 means "Selected", while 0 means "Not selected". In the end, every visited address becomes
22. 0, except for the last which remains 2, and that for as long as the game is not restarted (We're
23. directly modifying the game code after all...)
24.  
25. By observing the RAM throughout the Panic Dash code, I managed to find a small change in the index,
26. and map it to 2 addresses. There should therefore be a change of 3 "units" between addresses
27. 0B83E4 and 0B85DC, which gives us 504 bytes or 168 bytes per "unit". In this case, this size also
28. corresponds to the size of the letter/action objects in memory. I confirmed this by comparing the
29. change in modified addresses and the change in index to multiple steps in the code, and it
30. corresponds perfectly.
31.  
32. So what now? Well, knowing this, we can theorize that ANY 4-byte in memory that has a 168-byte
33. integral offset from address 0x000004 can be changed to 2, and then to 0. What's beautiful with this
34. is that 0 is a magic value in computers. It represents "nothing" and if, say, the value modified was
35. a pointer to a function, then the whole sequence of operations executed by that function will be
36. skipped.
37.  
38. Now, I have not investigated what the changed values represent, and still do not understand how some
39. of these changes can cause confusing things like enable Instawin, or (this strangest effect if you
40. ask me), make the timer jump from 1:00 to 0:05 consistently... Anyway... Finding exactly which value
41. does what would take too long, and to be honest I don't really want to be the one breaking the game
42. even more. All I wanted here was to help understand what was happening under the hood, and give us
43. a better understanding of what could be possible using this glitch.
44.  
45. Verdict: We are lucky that this glitch has so many useful effects. Some of them were completely
46. unpredictable, while some others make sense. Actually scrap that. They are all completely
47. unpredictable. I mean, what? Instawin on everything, timer jumping to 5 seconds, auto-receiving
48. wumpa fruits and stuff? Wow. With a little bit of wizardry, I wouldn't be surprised if we could use
49. it to bypass requirements, but that's as far as it could go in the WARP rooms.
50.  
51. Also, no Pokémon-like programming will be possible with this kind of memory manipulation. It's too
52. basic. This makes me a bit sad :(
53.  
54.  
55. Anyway, I wanted to spend the rest of this bin exploring the effect of each of the possible actions
56. on the index, which is, here, clearly the magical value. Unfortunately, as the following table
57. shows, the changes seem to follow no logic whatsoever. I do not know whether or not we will
58. eventually be able to find a specific logic, but either way it seems it wouldn't help to know the
59. specifics, unlike what I initially thought. What we should keep in mind though, is that the behavior
60. for each input is set per value. We are just blindly navigating a one-way portals maze, and the
61. entrance is intersection "34"... I don't know, I felt like that was a nice metaphor :^)
62.  
63. v d
64. -> 34 | |
65. R -> -94 | -120 |
66. D -> -143 | -49 |
67. U -> -199 | -56 |
68. L -> -161 | 38 |
69. U -> -145 | 16 |
70. L -> -134 | 11 |
71. D -> -131 | 3 |
72. R -> -259 | -128 |
73. D -> -387 | -128 |
74. L -> -476 | -89 |
75. L -> -473 | 3 |
76. R -> -457 | 16 |
77. U -> -456 | 1 |
78. R -> -578 | -122 |
79. L -> -576 | 2 |
80. U -> -568 | 8 |
81. L -> -504 | 64 |
82. R -> -593 | -89 |
83. U -> -693 | -100 |
84. L -> -784 | -91 |
85. L -> -716 | 68 |
86. L -> -780 | -64 |
87. R -> -886 | -106 |
88. R -> -866 | 20 |
89. U -> -838 | 28 |
90. R -> -919 | -81 |
91. L -> -917 | 2 |
92. L -> -1005 | -88 |
93. L -> -1070 | -65 |
94. D -> -1071 | -1 |
95. R -> -1051 | 20 |
96. L -> -1142 | -91 |
97. R -> -1223 | -81 |
98. U -> -1190 | 33 |
99.  
100. Using my observations, I decided to rework the currently used codes. I figured I could make them
101. "better", or at least shorter. Considering a shorter code means fewer destroyed memory, I came to
102. the conclusion that a shorter code was likely to make the game more stable, with low risks of
103. breaking it further.
104.  
105.  
106. Following here are my updated/new codes. Keep in mind that I have not tested them as thoroughly as
107. I should have and therefore they need to be confirmed viable before being used in runs. I used a
108. similar format as the most recent post on the forum, since the codes most likely won't be used
109. individually anyway.
110.  
111. "Panic Dash": (Final value = -1190)
112. (was R D U L U L D R D L L R U R L U L R U L L L R R U R L L L D R L R U)
113. now R L L R R L R R R U L R U L L L L L L R
114. Side effects: Cannot use WARP room changer right after using the code... Crash out of N. Ballism?
115.  
116. "PD" -> "Time code": (Final value = -1608)
117. (was L R U L R R L D R L R L U D L R R)
118. now R L L R U R
119.  
120. "PD" -> "Instaboss": (Final value = -1399)
121. (was R L R U D L U L U U L)
122. now Couldn't find anything shorter
123.  
124. "TC" -> "Instaboss": (Final value = -1399)
125. (was NONE)
126. now U L L U U L
127. Note: Doesn't seem to crash. Doesn't crash Bear, nor Papu. Didn't test the other 3 freaks...
128.  
129. "IB" -> "Instawin": (Final value = -1569)
130. (was L R U D L R L R L L L R L R R L U R D U U R R L R L U R U)
131. now L R U D L D R R U U D U R U
132. crsh U _ (Note: Index -1381 actually fucks up AI and other stuff real bad...)
133. Note: Seems to work with everything. Removes scary Fox visual shenanigans.
134.  
135.  
136. "All in one": (To be fair, that's all we really care about isn't it?)
137. R L L R R L R R R U L R U L L L L L L R R L L R U R U L L U U L L R U D L D R R U U D U R U
138.  
139.  
140. List of values that cause a crash:
141. -1381
142. -1383
143. -1400
144. -1409