imbuedl

banker pointer conversation

Aug 17th, 2019
Indextic Today at 9:06 PM
what's all this talk about pal gamecube now

fasch Today at 9:16 PM
long story short, there is a potential way to manipulate memory without overwriting graphics pointers which would crash the game
pal gamecube (spanish) just happens to have a nice low index to work for that

Indextic Today at 9:17 PM
so this is non-debug menu, then?

fasch Today at 9:17 PM
yes
the debug menu method overwrites these graphics pointers, which is what causes the crashes when hovering over sword in the inventory. And causes the crash when you close the debug menu

Imbued Today at 9:17 PM
does it just so happen to write good values to the 2 graphics pointers or does it somehow completely avoid writing to them at all? if the latter, I have no idea how that would work

fasch Today at 9:18 PM
latter
the science discord has the theory
it builds upon the theory for the current method with the graphics buffer stuff
index overflow into the instruction counter manipulation into graphics buffer manipulation
I'm probably not sounding like I make any sense to anyone

Imbued Today at 9:21 PM
I heard something about
Bank Withdraw/Deposit Digit Position related
pointing to stuff (which I notice comes before both of the graphics pointers)
is that involved at all

fasch Today at 9:21 PM
so the game draws each printed character in memory
one after another
but the bank needs to know where these characters are drawn when you manipulate them
so that address is an offset into the graphics buffer
graphics_buffer_base + offset + column*0x80
is where it draws the character
cause each character is 128 bytes

Imbued Today at 9:24 PM
what is the graphics buffer exactly? also where is it in memory in relation to Buffer B/how can you find it in memory?

fasch Today at 9:24 PM
it's before buffer A in memory
3EF190 I think
is the start

Imbued Today at 9:25 PM
US?

fasch Today at 9:25 PM
yes
graphics buffer is just
the raw pixel data
of the printed characters
rgba5551 I think

Imbued Today at 9:26 PM
by "column" I assume you mean
Bank Rupee Column Selected

fasch Today at 9:26 PM
yes

Imbued Today at 9:27 PM
do you know how many bytes the graphics buffer is?
approx

fasch Today at 9:27 PM
3c00 maybe
that's 15360 bytes

Imbued Today at 9:28 PM
I see

fasch Today at 9:28 PM
I think

Imbued Today at 9:28 PM
yea 15360

fasch Today at 9:28 PM
I mean, I think that's how large it is
lol

Imbued Today at 9:28 PM
lol ic

fasch Today at 9:28 PM
there's multiple buffers

Imbued Today at 9:32 PM
so what is the relation between the 128-byte characters that are drawn in the graphics buffer with the 1 byte characters (2 byte on jp) that are displayed in textboxes?

fasch Today at 9:32 PM
128 bytes is the raw pixel data
of what makes the image

Imbued Today at 9:32 PM
ah I see

fasch Today at 9:32 PM
whereas the 1 byte (2 in J) is just the "ASCII" equivalent

Imbued Today at 9:35 PM
so how does drawing the characters work in relation to text being processed? like I get that we can manipulate this graphics buffer offset, but I'm not really sure what kind of memory is getting written in the graphics buffer or how that works

fasch Today at 9:35 PM
so this is post-message being printed
So think about the banker text
you can manipulate the numbers.. and on screen you can visually see the number's image change
the game needs to know based on those addresses, where in the graphics buffer, what to change to make it that new number's image

LinkCrismonruns Today at 9:37 PM
Is it possible other locations can be possible to do debug menu at too

Imbued Today at 9:40 PM
so graphics_buffer_base + offset + column*0x80 says where to draw the character, but how does the game know what image to draw?

fasch Today at 9:41 PM
so the normal values for bank are 0-9
(the ascii equivalent values, not the actual numbers)
and I'm not sure where exactly the character data is stored
but it just pulls the 128 bytes from there
but those are constants
they will always be the same
there's only one way to draw a '9' on the screen

Imbued Today at 9:45 PM
I see, so the main takeaway is that we're pulling 128 bytes from somewhere and overwriting the first 128 bytes we see based on the offset, and is the idea with the manipulation to get an offset big enough so that we're copying these 128 bytes somewhere outside of the graphics buffer (idk if drawing them in the wrong spot of the graphics buffer causes any issues) to change the value of some unrelated addresses that are favorable to overwrite?

fasch Today at 9:45 PM
yes

Imbued Today at 9:45 PM
and I guess we have 10 options for what the 128 bytes can be since only 0-9

fasch Today at 9:45 PM
yep
and the offset can be misaligned
cause normally it's every 0x80 bytes
but you could in theory overwrite it to something like 0x00000001
instead of ending in 0x00, 0x80, 0x100, 0x180, 0x200, etc.

Imbued Today at 9:47 PM
I see, so you can get like an overlap in the groups of 128 bytes (though not entirely sure what the implications of that can be)
since I assume we mostly care about stuff outside of the graphics buffer

fasch Today at 9:48 PM
yeah
if it was shifted in the graphics buffer itself
the image would be shifted if it was shifted by a multiple of 2 bytes
mostly you'll just get garbled displayed characters

Imbued Today at 9:53 PM
all right, so in practice, if trying to use this, I assume we want some terminator character sometime after overwriting the banker column + offset, but before the first graphics pointer and then I guess hope it overwrites the offset to something big enough that it reaches far forward into useful places of memory

fasch Today at 9:53 PM
yep

Imbued Today at 9:53 PM
okay cool, this all makes sense then I think
actually
I forget if I asked this already
but how do we know which of the 10 digits it'll write?

fasch Today at 9:56 PM
it snaps to the nearest number
when you press the control stick to change the number
I think?
it might not snap

Imbued Today at 9:57 PM
I think I'm missing a detail
so like

SeedBorn Today at 9:57 PM
You talk to the banker, Imbued

Imbued Today at 9:57 PM
ah

fasch Today at 9:57 PM
well it would be like talking to the banker
but it's a message from song of soaring

SeedBorn Today at 9:58 PM
Oh I see
What would happen if you talked to the banker after

fasch Today at 9:58 PM
values would be reset I'm sure

Imbued Today at 9:58 PM
wait, so SoS would bring up the text where we can scroll?

fasch Today at 9:58 PM
yes

Imbued Today at 9:59 PM
not obvious to me why that would get brought up instead of the "soar to ..." or what that actually means

fasch Today at 9:59 PM
ok so
first it does the index overflow with the destination string
then it does the overflow with the instruction counter stuff
in the instruction counter stuff is the values to manipulate the column + offset
and a control code that activates the text for the banker stuff

Imbued Today at 10:00 PM
ah

fasch Today at 10:01 PM
So the message gets done printing
and now you have control in the textbox
at which point you just use the control stick to change the values, which in turn change the graphics buffer values

SeedBorn Today at 10:02 PM
Oh I see, that's what the control code is for

Imbued Today at 10:02 PM
confused which control code it is though... I see F0 which does
Print: Total Rupees in Bank
and CE which does
Print: Total Rupees in Bank or Won by Betting
doesn't sound like either of these would involve scrolls

fasch Today at 10:03 PM
the display prompt ones
CC

Imbued Today at 10:03 PM
oh lol
ctrl + f "bank" was insufficient

fasch Today at 10:04 PM
I'm not sure if the others work, but they might

Imbued Today at 10:04 PM
so I assume the first 3*128 bytes get occupied with 3 0's?
and then after that, every time I scroll, the next 128 bytes get overwritten with the next number I scroll to?

fasch Today at 10:05 PM
yes

Imbued Today at 10:05 PM
wow

fasch Today at 10:05 PM
it's not the next 128 bytes
it's the same 128 bytes that was containing the graphics data for the 0

Imbued Today at 10:05 PM
oh

fasch Today at 10:05 PM
if you had 0 0 0
and changed it to 1 0 0
you overwrite that initial 0 to 1
so that's in column 0

Imbued Today at 10:06 PM
I see, so basically I just have 3*128 bytes that I can change

fasch Today at 10:06 PM
graphics_buffer_base + offset + 0 * 0x80
so it changes what was at graphics_buffer_base + offset
yes but
remember you can manipulate the column address
you have way more than 3 columns

Imbued Today at 10:07 PM
ah

fasch Today at 10:07 PM
-32768 to 32767

Imbued Today at 10:07 PM
ok so
suppose I set it so that the column I have selected is column 8, for example (also I assume from left to right the columns are numbered 0, 1, 2 and that I start on column 2 by default in normal gameplay), then would I be able to scroll to the left to hit column 7 and column 6? or does it not quite work this way?

fasch Today at 10:09 PM
that's right
you can go towards 0
but not further away

Imbued Today at 10:10 PM
but I only have access to 3 slots at a time, right?
they just might be shifted
columns I should call them I guess

fasch Today at 10:10 PM
if you start at column 8
you can go down to column 0

Imbued Today at 10:10 PM
oh wow

fasch Today at 10:10 PM
but when you reach column 2

Imbued Today at 10:10 PM
I was thinking I'd only have 8, 7, and 6

fasch Today at 10:10 PM
you're stuck in that 3 range
0 1 and 2

Imbued Today at 10:10 PM
ah
so I can go from 7 to 8?

fasch Today at 10:11 PM
I should rephrase
if you are above 2

Imbued Today at 10:11 PM
but not 2 to 3

fasch Today at 10:11 PM
you can only go down

Imbued Today at 10:11 PM
ah
makes sense

fasch Today at 10:11 PM
and if you are below 0, you can only go up

Imbued Today at 10:11 PM
ah
ok cool
and I guess if I wanted to check for myself what the values of the 128 bytes are for each digit, I could probably easily do that just by going to the banker and looking at the addresses we just discussed
so I think that's all the necessary info right there just discussed
thanks

fasch Today at 10:14 PM
np