Sluts #2

1. Full knowledge dump as of today:
2.  
3.  
4. Ancilla concepts
5. ================
6.  
7. (When talking about ex. "slot 0-4", I mean "0 _to and including_ 4", which is 5 slots total)
8.  
9. When adding an ancilla (bomb, lamp, arrow), it first checks if there's a slot open.
10.  
11. There's 10 slots.
12. - Bombs is coded to be in slot 0 or 1.
13. - Almost every other usable item is coded to be in slot 0-4.
14. - The stuff that occupy slot 5-9 is usually graphical sparks and such, not items that Link can use.
15.  
16. The logic when figuring out if there's a slot open works like this:
17.  
18. 1. Check slots 0-4 and count how many of the ancilla we already have spawned.
19. For example, when adding a bomb, it goes through slots 0 through 4 and counts the number of bombs it can find. It knows there should only be 2 bombs spawned at any time, and will return with a failed attempt to find a slot in that case.
20.  
21. 2. It then checks slot 0-1 (if you try to add bombs) or 0-4 (if trying to add anything else) for an open spot. If an open spot is found, your ancilla will be added in that slot.
22.  
23. 3. If there were no open spots, it will try to see if there's an ancilla that we can just replace.
24. The idea is that if you're trying to put down a bomb, but all the slots is full of arrows in the wall or red boom sparks, the game will just remove an arrow or a spark to make room for your bomb. How nice!
25. There's only 3 types of ancilla that can be replaced; arrows in the wall, and two types of sparks (I've found red boom spark & ice rod spark to be of these, but I haven't extensivly looked for others).
26. This is the part of the logic that we have found is exploitable.
27.  
28. The general gist of it is "search slot 0 to (not including) $03C4 for sparks/arrows in the wall". But the exact logic is important here, so here it is:
29. a) Decrement $03C4
30. b) If $03C4 is now negative, set $03C4 to "the allowable number that we allow on the screen, minus one"
31. Basically, you can have 2 bombs on the screen, so if you end up here when trying to add a bomb, it will be set to 1. Same with fire rod. For lantern, it will set the number 2 (since 3 flames are allowed).
32. c) Then it checks slots 0-$03C4 in reverse order (slot 0 last). If it didn't find anything, $03C4 will remain 0. If it found something, $03C4 will be the index of whatever slot was found.
33.  
34.  
35. Manipulating $03C4
36. ==================
37. $03C4 can be manipulated. Most usefully by spawning a lamp flame in slot 2 (just spam Y). Due to a different error, $03C4 is set to either 7, 10, 13 or 16, depending on which direction Link is facing.
38. This means that we suddenly can have a bomb in slot 8, or a somarian block in slot 7, if we set everything up correctly.
39. The code for each item is _not_ coded with this in mind. Bombs will assume it's in slot 0 or 1, and when it's put in slot 9, then weird things will happen.
40.  
41. Notice how two of those values are higher than 10. If we set it to 13 or 16 we are actually setting it out of bounds, since there are only 10 ancilla slots. (Actually 10 is also out of bounds by one, since we start with 0.) So when it tries to find arrows in the wall, on ancilla slot 14 for example, it actually looks at completely different memory. If this memory can be manipulated to seem as if there's an arrow in the wall there (which it can), the code will just return that slot (14), and whatever code that follows will write and read memory from out of bounds. For example, it might try to initialize the X coordinate of a bomb, but write into the Y coordinate of a somarian block you already had spawned, and effectively moving it. Just as an example. The possibilities are endless, but little concrete has been found yet.
42.  
43.  
44. "Duplicating" items
45. ===================
46. As written above, when you try to add a bomb, it looks in slot 0-4 and counts how many bombs are already there. If there's already 2 bombs, it won't let you add another.
47.  
48. A way to circumvent this, is by:
49. - filling up your slots 0-4 (somarian block + 4 somarian sparks is enough)
50. - manipulate $03C4 to be a high number like 7
51. - add a red boom spark in slot 6 (for this example)
52. - try to put down a bomb.
53.  
54. Following the logic I wrote above, this is what will happen:
55. 1. It counts 0 bombs in slot 0-4, and thus will not stop you from adding a bomb.
56. 2. It finds that neither slot 0 or slot 1 is open, and thus won't let you add a bomb (yet)
57. 3. It looks for replaceable ancillae from 6 and downwards (we set 03C4 to 7, which is decremented once before it starts searching). It will find the red boom spark that we added there, and return slot 6.
58.  
59. It will now be added to a slot it's not supposed to be in. This can already glitch out the game, like making your boom go slowly or even follow Link around, but we can also use this to have more than 2 bombs on the screen.
60.  
61. Since the game only counts slot 0-4 when counting your bombs, it will now let you add two more bombs into slot 0 and 1.
62.  
63. Other items we've done this with:
64. - Somarian blocks
65. - Byrna charges
66. - Hookshots
67.  
68.  
69. Skipping boss heart containers
70. ==============================
71. When you grab a heart container after killing a boss, the game spawns two ancillae, one after the other (one frame apart):
72. 1. A "Received Item" ancilla for grabbing the heart container
73. 2. A pendant/crystal ancilla
74.  
75. The logic of adding these ancillae is the same as what's written above.
76.  
77. So if you fill slot 0-4, and pick up the heart container, you will get neither the heart container nor the pendant/crystal.
78. This works for Moldorm, because you can then fall down to the next floor and go up again to get the pendant, thereby skipping the heart container but still getting the pendant.
79.  
80. For most other bosses, there's no way to return to the boss room afterwards. Though it is technically possible in LW to do this, and then mirror to the entrance and get back, it's pretty slow. And in DW, you're not allowed to menu after killing the boss at all.
81.  
82. We've found 2 RTA friendly ways to do this; one with Arrows & Lamp, and the other with Somaria & Boots.
83.  
84.  
85. Arrows & Lamp method
86. ====================
87. One thing I need to mention here, is that ArrowInWall ancilla does not use the exact same logic as adding other ancillae.
88. The main difference is that if it already finds 3 arrows in the wall, it will go on to try and replace one of the arrows that's already in the wall, instead of returning "no slots available". It uses 03C4 for this, just like normal ancillae.
89.  
90. Here's the method:
91. 1. Spam your lamp 3 times
92. 2. Put 6 arrows into the wall
93. 3. Spam your lamp 2 times
94. 4. Walk into the heart
95.  
96. Let's break it down
97.  
98. 1) This puts a flame in slot 2, and you manipulate 03C4 to be a high value, as explained above. Doesn't really matter which value you get, as long as it's 5 or more.
99. 2) Arrow 1-3: After putting 3 arrows in the wall, your slots 0-4 looks like this: [empty, empty, ArrowInWall, ArrowInWall, ArrowInWall].
100. Arrow 4: When adding one more arrow, it will find that there's already 3 arrows in the wall, and then move on to try and replace one of them with a new one.
101. If you follow the logic I wrote about this above, you'll see that it will decrement 03C4 until if finds slot 4, which it will replace with the new arrow in the wall.
102. Arrow 5: Same as above, but 03C4 was 4 after the fourth arrow, and so it will now find slot 3.
103. Arrow 6: Same as above, but 03C4 will be 2 after the sixth arrow.
104.  
105. We do this only to make sure 03C4 is 2. We need it for step 4.
106. 3) After spamming lamp twice, we have the following state: 03C4 is 2, slots are [Flame, Flame, ArrowInWall, ArrowInWall, ArrowInWall]
107. 4) As written above, grabbing the heart tries to spawn two ancillae, ReceiveItem and Pendant. We want to skip the first one.
108. ReceiveItem: It will be unable to find a spot in slot 0-4.
109. It will then decrement 03C4 to 1, and then look for replaceable ancillae in slot 0 and slot 1.
110. Since slot 0 and slot 1 is Flame, which is not replaceable, it will fail to spawn.
111. Pendant: It will be unable to find a spot in slot 0-4.
112. It will then decrement 03C4 to -255, and then replace it with _4_. Why 4? I did say that it was replaced by the "the allowable number that we allow on the screen, minus one", but the game apparently allows for 5 pendants or crystals, so it's set to 4.
113. It will then find slot 4, which DOES have an ArrowInWall, which IS replaceable, and thus replace it with the pendant.
114.  
115.  
116. Somaria & Boots method
117. ======================
118. Method:
119. 1. Put somarian block near center of the room
120. 2. Go close-ish to the heart (can be a couple tiles from it)
121. 3. Start a canedash into the heart
122.  
123.  
124. This is easier to explain.
125.  
126. 1) You start out with slots [empty, empty, empty, empty, Somarian]
127. 2) After initiating the cane dash, it will look like this: [Blast, Blast, Blast, BootsDust, Blast]
128. 3) Just like with Moldorm, when you hit the heart, it will find no open slots 0-4, nor any replaceable ancillae in slots 0-$03C4 and thus fail.
129. 4) We're lucky again; the pendant is actually spawned the next frame. And between trying to spawn ReceiveItem and Crystal/Pendant, the game will have stopped Link's dash, and removed the BootsDust ancilla. Thus the slots will be [Blast, Blast, Blast, empty, Blast], and there will be a slot open!