Isotarge

Grabbed Item Manipulation

Sep 1st, 2017
There are several types of objects in the DK64 world. I refer to the most complex objects as actors; these include the player, barrels, boulders, enemies, vines, etc. Actors are the only type of objects that can be grabbed, wrong-grabbed, and taken through loading zones.

The player actor contains a pointer to the actor they are currently holding. When the player grabs an actor, the pointer is set to the address of that actor in memory. Normally the held actor pointer is reset to 0 when the held actor is lost or destroyed, but during a shockwave-grab the grabbing animation is interrupted in an unexpected way, so this safeguard doesn’t kick in and the player’s held actor pointer isn’t reset. At this point the player is “holding” a block of newly freed memory that was previously occupied by the shockwave-grabbed actor that was destroyed. This newly freed and potentially overwritten block of memory will be treated as an actor by some parts of the game, leading to some interesting glitches. This concept is known in computer security as a “use after free” bug.

Exchord’s example of spawning a vase in Jungle Japes abuses this bug. Upon entering some loading zones, the game checks whether the player is holding something. If so, it interprets whatever memory the held actor pointer points to as an actor, regardless of its actual data type, and reads its actor type index in order to spawn and grab that actor after the next map has loaded. Whatever arbitrary data was loaded into the freed memory block happened to produce the actor type index corresponding to a vase. It is important to note that it’s not always an actor that loads into the freed block, as actors share a giant pool of memory called the “heap”, which is used for almost everything in the game. This shared heap is the only reason why a vase can be spawned in Japes, even though none exist in that map. With precise manipulation, this technique could theoretically be used to spawn many different actors, including the seldom-seen model 1 Golden Banana. My attempts thus far have been fruitless.

Wrong-grabs occur when a newly spawned actor gets loaded into the memory block that was previously occupied by the shockwave-grabbed actor. For example, let’s say the destroyed actor was located at 0x80100000 in memory. Now the player walks around and loads a Tag Barrel, and the game needs somewhere in memory to put the newly spawning Tag Barrel. If some currently unknown and unpredictable requirements are met, the game will decide on 0x80100000 as the location to load the new Tag Barrel into. The held actor pointer will still be pointing to this location, and as such the player will be holding the newly spawned Tag Barrel. From the player’s perspective there is no functional difference between this state and a state where they legitimately picked up the Tag Barrel. There is a difference on the held actor’s side, however: since the actor was freshly spawned and wasn’t grabbed in the usual way, it is possible that the held actor will not behave as expected due to a difference in its movement state value. For example, the player could wrong-grab a stubborn boulder or barrel that doesn’t seem to move in the normal way when walking with it.

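The dangling held-actor pointer and the resulting wrong-grab, modelled as an added example (this is not the game's code): a four-slot pool stands in for the shared heap, the type indices and movement states are placeholder values, `shockwave_grab_buggy` reproduces the missing reset so that a Tag Barrel spawned into the freed slot is "held" with an idle movement state, and `shockwave_grab_fixed` shows the normal safeguard leaving the player holding nothing.

```c
#include <string.h>

/* Constructed model of the held-actor pointer bug described above: a small fixed
 * pool stands in for the shared heap; type indices are placeholders, not DK64's. */
enum { POOL_SLOTS = 4, TYPE_NONE = 0, TYPE_BOULDER = 7, TYPE_TAG_BARREL = 9 };
enum { MOVE_IDLE = 0, MOVE_GRABBED = 1 };

typedef struct { int alive; int type_index; int movement_state; } Actor;
typedef struct { Actor *held; } Player;
typedef struct { int type_index; int movement_state; } Held;

static Actor pool[POOL_SLOTS];

/* Spawning takes the lowest free slot, so a just-freed block is the first
 * candidate for the next actor: the precondition for a wrong-grab. */
static Actor *spawn_actor(int type_index, int movement_state) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].alive) {
            pool[i].alive = 1;
            pool[i].type_index = type_index;
            pool[i].movement_state = movement_state;
            return &pool[i];
        }
    }
    return NULL;
}

static void destroy_actor(Actor *a) { memset(a, 0, sizeof *a); }

/* Buggy path: the interrupted grab destroys the actor but never resets
 * player->held, which now dangles into freed pool memory. */
static void shockwave_grab_buggy(Player *p) { destroy_actor(p->held); }

/* The safeguard that normally runs: destroy the actor AND clear the pointer. */
static void shockwave_grab_fixed(Player *p) { destroy_actor(p->held); p->held = NULL; }

/* Grab a boulder, lose it via the given shockwave-grab path, then spawn a Tag
 * Barrel. Reports what the player now appears to hold (TYPE_NONE if nothing). */
static Held held_after_respawn(void (*grab)(Player *)) {
    Held h = { TYPE_NONE, MOVE_IDLE };
    memset(pool, 0, sizeof pool);
    Player player = { spawn_actor(TYPE_BOULDER, MOVE_GRABBED) };
    grab(&player);
    spawn_actor(TYPE_TAG_BARREL, MOVE_IDLE); /* lands in the freed slot */
    if (player.held) { /* dangling in the buggy path, NULL in the fixed one */
        h.type_index = player.held->type_index;
        h.movement_state = player.held->movement_state;
    }
    return h;
}
```

In the buggy path the player ends up holding a Tag Barrel whose movement state is still idle rather than grabbed, which is the "stubborn" held object the text describes.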

There are some limitations as to what can be wrong-grabbed or spawned through loading zones. Firstly, any actor that was loaded (and stays loaded) at the time of the shockwave-grab will not be relocated in memory to the freed block and thus cannot be wrong-grabbed. Secondly, there are many actor indexes that will simply crash the game on the attempt to spawn them using a loading zone, for example NPCs and enemies.

There are some related glitches that aren’t as well understood. One is another form of wrong grab, shown here (https://www.twitch.tv/videos/43960368), where Tiny appears to pick up an already spawned TNT pad. Another is the “phantom shot”, shown here (https://www.youtube.com/watch?v=KZSbJgrY-W4) and seen most commonly in barrel barrel: when a coconut is fired as a barrel explodes, the coconut spawns at the exploded barrel instead of DK’s gun. I suspect that these glitches are related either to the order of the list which keeps track of the currently loaded actors, or to a related static pointer that I have dubbed the “current actor pointer” being corrupted somehow.