Brief Index Warp Text Overflow Explanation

1. Debug Menu Explanation
2.  
3. Special shoutouts to fasch, exodus, mrcheese, indextic, and others
4.  
5. In 2014, indextic discovered a glitch that came to be known as Index Warp. This glitch works by manipulating a value known as your "soar index" (among other names) by highlighting specific locations on the pause screen map. If you've ONLY hit the hidden owl and no real owls, when you play the Song of Soaring, the game uses this value to determine where to make you soar. For example, if you highlight Woodfall (soar index 4) in the pause menu and play Song of Soaring, the soar menu will allow you to soar to Clock Town. For years, this has been used in every glitched category in Majora's Mask.
6.  
7. In early 2019, an extended use for this concept known as the "Index Warp Text Overflow" was found. Things are about to get technical, but I'll try to keep it digestible.
8.  
9. The game uses your soaring index value to determine how to fill out the "Soar to" textbox.
10.  
11. For example, if you have a soaring index of 0, the game will look up two things. First, it looks up how long the string to put after "Soar to". It does this by applying an offset of (2 * soaring index) to the beginning of the length array and reading the two bytes it finds there. This array is located at 801D07C4 on US, 801CAEC8 on JP 1.0, and 801CB0D8 on JP 1.1. This is a picture of what that memory looks like on the US version - https://i.imgur.com/CogjRou.png (I've highlighted the entire array)
12.  
13. Say, for example, you have a soaring index value of 2. The game will apply an offset of 4 bytes to the beginning of that array. If you look at the above image, you can see that will give you a length of 0008 (I have the memory shown as two bytes, so it's the third set of 2 bytes).
14.  
15. Then, the game calculates where in the game's message array to start reading the string from. The game goes to the beginning of the soaring message array and applies an offset of (16 * soaring index). Here's what that looks like in memory on the US version - https://i.imgur.com/MxoQ0fE.png
16.  
17. Take your soaring index of 2 from earlier and apply an offset of 16 * 2 = 32. 32 bytes after the beginning of the array will give you this - https://i.imgur.com/IfDvJOn.png
18.  
19. So, if you take that starting location and use the length of 8 bytes we got from earlier, you get this set of bytes: 53 6E 6F 77 68 65 61 64 | This, of course, is "Snowhead."
20.  
21. Before we continue, we need to understand a region of memory known as "Message Content." The game copies messages to be shown on the screen to this location in memory. When soaring, "Soar to" is written here as well as the location. If you take the example above, "Soar to Snowhead" is written to this location, and the "Snowhead" part was calculated as shown before.
22.  
23. Normally, this system works perfectly fine. However, you can have a soaring index outside of the range of 0-10. If you highlight the Z button on the map in the pause menu, your index is set to -1. If you highlight the R button, it is set to 11. If you play Song of Soaring and cancel the soaring menu, you can pause and press the control stick towards the Z button if you highlighted the Z button to begin with or the R button if you highlighted the R button to begin with. Doing this, you can subtract 1 or add 1 to your soaring index. If you go towards the Z button, one is subtracted, and vice-versa with the R button.
24.  
25. If you have an index outside of the range from 0-10, the game grabs data it shouldn't. Take, for example, a soaring index of 30. Using the method we used earlier, we see that this is grabbed as the "length" of the string to be written - https://i.imgur.com/sjvwY9k.png (00AA -> 170 in decimal).
26.  
27. The starting location of the string will then be: https://i.imgur.com/ZwWB8G2.png , and it will grab 170 bytes from there, which is this entire region - https://cdn.discordapp.com/attachments/343235723866144779/609598035600605194/Hex_Editor_-_Editing_Address_0x1D08F4___2019-08-09_21-04-45.png
28.  
29. ***SOMETIMES, and this is the very important part of this, the length to be written will be huge. Remember the message content area of memory earlier? That is only meant to hold about 200 bytes. If you get a string of, say, 5000 bytes, it overwrites the 200 bytes of memory that was allocated for that string, but also the following 4800 bytes.
30.  
31. This means that depending on your soaring value, you can grab different regions of memory (which can themselves be manipulated by things like what you have equipped, items you've highlighted in your pause menu, etc.) and overwrite them to the Message Content area and beyond. Some important things are located just beyond the Message Content area of memory, such as the bytes that determine whether or not to open the debug menu.
32.  
33. There are some other things to keep in mind, such as the fact that certain bytes will crash when the game attempts to write them to Message Content. For more information on this and lots of other things, check out this: https://docs.google.com/spreadsheets/d/1QhucUVkOGwpO2d_OX8hsn61jHtYVQALj2iUag7HDiTQ/edit#gid=636467355
34.  
35. Summary
36. -------
37. Long story short, if you have a soaring value of a sufficient value, you can grab memory that you shouldn't be grabbing (and this memory can sometimes be manipulated directly by you by standing in certain locations, having certain things equipped, setting certain flags, etc.), completely overflow the Message Content location of memory with a very long string, and overwrite adjacent memory, including the bytes that determine if the debug menu is open.
38.  
39. If you have any questions, ask in the MM Discord!