imbued

Frog HP SRM Notes

Dec 22nd, 2019
This was found by Seedborn (https://pastebin.com/BBKi8qB4).

We can use SRM to collect the frog HP in Spring Mountain Village from source without collecting the other frogs.

The frog has actor ID 0022.

There is a pointer (4 bytes) in the frog actor instance starting at [frog] + 0x13C which points to code in the frog's overlay.

Initially, before interacting with the frog, the value of the 4 bytes starting at [frog] + 0x13C is 0x80XYZWUV + 0x15A4, assuming the frog's overlay is at address 0xXYZWUV in the actor heap. That is, the pointer initially points to [overlay] + 0x15A4. If we manipulate the value of this pointer to point to [overlay] + 0xFC0 or [overlay] + 0xFC4, then the frog will give us the HP when we get close to it.

If we aim to use angle (0xBE is the offset for angle, 2 bytes) to manipulate the value of the pointer, then we'll want to manipulate the last 2 bytes of the pointer.

To manipulate the last 2 bytes of the pointer in the frog AI using the angle of a pot (for example) we want:
[pot] + 0xBE = [frog] + 0x13C + 0x2
[pot] - [frog] = 0x80

However, if we only manipulate the last 2 bytes, we also need to hope that the first 2 bytes of [overlay] + 0x15A4 are the same as the first 2 bytes of [overlay] + 0xFC0 or [overlay] + 0xFC4.

For example, if [overlay] + 0x15A4 = 0x410000 and thus the pointer in the frog is 0x80410000 initially, then we want to edit it to point to [overlay] + 0xFC0 = 0x40FA1C or [overlay] + 0xFC4 = 0x40FA20 (and thus the pointer would have value 0x8040FA1C or 0x8040FA20). Manipulating only the last 2 bytes using angle is then insufficient, because the second byte of 0x80410000 is 0x41 while the second byte of 0x8040FA1C or 0x8040FA20 is 0x40, and angle only reaches the third and fourth bytes of the pointer.

-----
So the conditions we need for frog SRM with pot angle are:

[pot] - [frog] == 0x80

hex([overlay] + 0x15A4)[2:4] == hex([overlay] + 0xFC0)[2:4] OR hex([overlay] + 0x15A4)[2:4] == hex([overlay] + 0xFC4)[2:4]
(Python syntax; assuming that each output from hex() is a string of the form '0xXXXXXX', i.e. the first of the 3 address bytes must match)


EDIT: seedborn says that working overlay offsets are: 0xFC0, 0xFC1, 0xFC2, 0xFC3, 0xFC4, 0xFC5, 0xFC6, 0xFC7
-----

Also, our pot positions end up writing to the frog's velocities...

If [pot] - [frog] = 0x80, then (Pot X Position) = [pot] + 0x24 = [frog] + K, with
K = [pot] - [frog] + 0x24 = 0xA4, and [actor instance] + 0xA4 is X Velocity. So what ends up happening is that the X Position of the pot (for example) overwrites the X Velocity of the frog, the Y Position overwrites the Y Velocity of the frog, and the Z Position overwrites the Z Velocity of the frog.

However, when you drop the pot, the frog's velocities become 0 (for some reason). So when making a setup, we need to be careful not to let the frog zoom away before we drop the pot.
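The two conditions above (pot/frog spacing and matching upper pointer bytes) and the position-to-velocity overlap, worked through in Python as an added example that is not part of the original notes. Only 0x13C, 0x15A4, 0xFC0..0xFC7, 0xBE, 0x24 and 0xA4 come from the notes; the Y/Z position and velocity offsets are assumed to follow X as consecutive 4-byte floats.

```python
# Added example, not from the original notes: model the frog SRM pointer
# conditions. The Y/Z offsets below are an assumption (consecutive 4-byte floats).
FROG_PTR_OFFSET = 0x13C            # 4-byte code pointer in the frog actor instance
INITIAL_OVERLAY_OFFSET = 0x15A4    # what it points to before interacting with the frog
WORKING_OVERLAY_OFFSETS = range(0xFC0, 0xFC8)  # 0xFC0..0xFC7 per seedborn's edit
ANGLE_OFFSET = 0xBE                # 2-byte angle field of any actor instance
POS_OFFSETS = {"X": 0x24, "Y": 0x28, "Z": 0x2C}  # Y/Z assumed
VEL_OFFSETS = {"X": 0xA4, "Y": 0xA8, "Z": 0xAC}  # Y/Z assumed


def ram_pointer(heap_addr):
    """Heap address 0xXYZWUV as the 0x80XYZWUV pointer value the frog stores."""
    return 0x80000000 | heap_addr


def required_pot_delta():
    """[pot] - [frog] so that the pot's angle overlays the low 2 bytes of the pointer."""
    return FROG_PTR_OFFSET + 2 - ANGLE_OFFSET


def frog_srm_candidates(overlay):
    """Return (initial pointer, [(target pointer, angle value), ...]).

    A target is reachable only if its upper 2 bytes already equal the initial
    pointer's, since the angle write only changes the lower 2 bytes."""
    initial = ram_pointer(overlay + INITIAL_OVERLAY_OFFSET)
    reachable = []
    for off in WORKING_OVERLAY_OFFSETS:
        target = ram_pointer(overlay + off)
        if (target >> 16) == (initial >> 16):
            # angle value = low 16 bits of the target (N64 is big-endian)
            reachable.append((target, target & 0xFFFF))
    return initial, reachable


def pot_writes_into_frog(delta=None):
    """Which frog offsets the pot's X/Y/Z positions land on for a given [pot] - [frog]."""
    delta = required_pot_delta() if delta is None else delta
    return {axis: delta + off for axis, off in POS_OFFSETS.items()}


if __name__ == "__main__":
    # The notes' own example: [overlay] + 0x15A4 = 0x410000 -> no reachable target.
    print(frog_srm_candidates(0x410000 - INITIAL_OVERLAY_OFFSET))
    # An overlay where the upper halves agree -> eight usable angle values.
    print(frog_srm_candidates(0x400000))
    print({k: hex(v) for k, v in pot_writes_into_frog().items()})
```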