Tools:
	Creating overlay files:
		https://github.com/z64tools/nOVL/
	Disassembling overlay files:
		(broken)
		https://bitbucket.org/mbr/zovldis

https://wiki.cloudmodding.com/oot/Actor_Overlay_Table

The actor table manages the actor files (overlays). It defines an actor's number, maps the actor to a virtual address, and during gameplay is used to find the overlay in ram.
Format

xxxxxxxx yyyyyyyy aaaaaaaa bbbbbbbb
rrrrrrrr iiiiiiii nnnnnnnn vvvvcc00

This breaks down into-
x y: Start/End Virtual Rom addresses of the actor file
a b: Start/End Virtual Ram addresses of the actor file
r: Ram address of actor file (00000000 if overlay isn't loaded, or if in ROM)
i: Virtual Ram address of the start of the actor instance initialization variables, located within the file
n: Address of actor filename (Debug ROM only, value is 0 in commercial releases)
v: Allocation Type, affects how overlay is allocated. See below for values
c: Number of actor instances of this type currently loaded (ram only)
Allocation Type Values

00 performs a "low to high" address allocation (high address volatility), unloading the overlay if no instances of that actor exist
01 performs a "high to low" address allocation (low address volatility), reserving a fixed space for all overlays of this type until the scene is destructed. Only one overlay of this type can ever be loaded at once. The pointer to this space is located at Game Play + 0x1C60
02 performs a "high to low" address allocation (low address volatility), keeping the overlay in ram until the scene is destructed

Note: The record for Link's actor in rom (the first record in the table) only sets the vram address that points to the start of the variable info 


code (File)
Actor Overlay Table
Version		Offset				VRom								VRam
Debug			0F9440	00B8D440	00B90F20	801162A0	80119D80
NTSC 1.0	0D7490	00B5E490	00B61F70	800E8530	800EC010
PAL MQ		0D4480	00B5C480	00B5FF60	800E5380	800E8E60



In zoras river:	

	Based on findings, modifying the last pointer in an actor (like the skultula token)
	can lean to crashes (but not always) modifying the value it points to also leads to a crash
	
	
SRM/UAF:	

	We have to perform a superslide, making sure the object we pick up is not destroyed in the process
	and then pass a loading zone.
	That way we get a Stale Reference.
	
	We can do something simmilar with the boomerang.
	
	We can abuse HESS with combination of the boomerang to pick up a rupee and cross a loading trigger. (need testing, but MM does
	something like this already)
	
	
Loading/unloading actors:
	As per testing, actors do not get unloaded in hyrule field (tried grass)
	Seems like the game is keeping them loaded all the time.
	We can try to abuse this by spawning bugs,fish,slingshot seeds,bombs,bombchus,etc. and try 
	to cause an Out-of-Memory condition.
	
	This means however that hyrule field is not a good canditate for SRM due to a lack of methods
	to force the game to unload some actors. (we can try OOM).
	
	Coincidentally, there are the weird rotating enemies that can spawn more enemies, each hit during night
	spawns more of the flying rotating things. (OOM)
	
	Confirmed that we can trigger an OOM condition in hyrule field. Bugs and fish do the trick well enough.
	Things just stopped spawning after the 4th bug drop + fish
	
	
== FOUND OFFSETS ==
	\*SR = Stale Reference

	800c3ff8 - in ram in game (gz practice rom)
	80b393c8 - in RAM of n64 file
		diff: 0xa753d0
	SRM:
	{{{txt
	(address values only for reference, they are slightly different each session)
	
	801e97d0 - current holding item

	(link actor base)
	801daa30 -> 0x801dab4c <- value of stored pointer in links actor
				+0x11c	 |
						 |
	+--------------------+
	v
	801e97d0
		+ 0x30 to write links rotation to DP rotation.
			halfword gets writen and its the lower part of the word.
			so 0x32 to be precise
		+ 0xb4 to rotation of DP -> links rotation? this somehow also gets written, seems to be in the same place
			This is likely related to the drawable. It updates the position in the entity and then this
			so that the drawable gets drawn where the entity actually is.
		+ 0x248 to position of DP -> links position + offset above his head?
																	something probably calculates this before its written
																	
	Boomerang:
		0x120 - Likely a linked list of entites. Every entity seems to have
				one. Its likely related to a linked list, pointing to
				relevant tables and next entity in RAM.
				- Checked cloud modding and indeed this is a pointer
				to the next entity of the same type.
		0x13c - "self" or "this" instance pointer (like in regular classes).
				- the pointer before this one points to a table
					when the boomerang is thrown, it updates a value
					following that pointer and ends up at an entry
					into the table. This could be the entity table
					drawable table, or other table.
					They each have their own pointers and values.
				- the word after this is filled with the pointer
					of a colliding entity (like a rock) after a flag
					lower in RAM gets set to 0xf (-1)?
		0x1bc - chase target for boomerang
		0x1c0 - stored pointer of carried object
		\written likely in multiple places
	}}}
	We do not have direct control over where links data is coppied.
	We can only manipulate this by loading/unloading varius actors such as fish,bugs,bombchus,etc.
	in the given area.
	Walking through another loading plane clears the reference.
	
	I noticed something else was being updated when the SR was held. Possible the position above links
	head, bobing up and down with his breathing animation.
	
	Collision:
		Each actor (checked only npcs) has a very obvious 'solid' or 'collision' flag that when set to 0
		lets us walk through them. When set to 1, it detects them as solid and pushes us outwards.
		
	Boomerang notes:
		If objects despawn they are properly disassociated from the
		boomerangs caried object pointer.
	
== Helper projects ==

	mupdbg.pl - perl script wrapper around mupen64plus built-in debugger console.
	Pretty good at this point.
	Could use:
		struct parsing or searching. At least links actor and its pointers for easier bug searching.
		object ID parser/translator
		
	Current save state has excelent 2nd rotation write and the rest seem to be in data sections.
	We can modify 1 instruction which modifies an offset against the base register $v0 (return value
	from function)
	Savestates 3 and 7 and 6 (?) are relevant
	
== Entity structure ==
	Coppied from CloudModding wiki
	{{{c
	typedef struct {
		f32 x, y, z;
	} Coord_f;

	typedef struct {
		s16 x, y, z;
	} Rotation;

	typedef struct
	{
		struct
		{
			char Damage : 4;
			char Effect : 4;
		} Attack[0x20];
	} z_ActorDamageTable;

	typedef struct
	{
		/* 0x00 */ u16      id; //Entity Id. 
		/* 0x02 */ u8       type; //Entity Type. See Below
		/* 0x03 */ u8       room; //Room number the Entity is part of. FF denotes that the Entity won't despawn on a room change
		/* 0x04 */ s32      flags; //Special flags (green arrow, etc.) over the object, or identifying the object as invisible maybe
									//safe to call these misc flags for special purposes.
		// & 0x0040 0000 = Affects Entity lighting. 0 passes current coords to 80066298 func, else pass null for coords
		// & 0x0000 1000 = ?
		// & 0x0000 0040 = ?
		/* 0x08 */ Coord_f  pos1; // Looks more like spawn position x, considering we have rotation right bellow 
										//-(older comment)-Related to collision detection routine
		/* 0x14 */ Rotation initRot; //Initial Rotation when spawned
		/* 0x1A */ u16      unk_0x1a;
		/* 0x1C */ u16      variable; //Configurable variable set by an Entity's spawn data
		/* 0x1E */ s8       objTableIndex; //index to table at Game Play + 0x117A4 
		/* 0x1F */ u8       alloc_flags; // alloc / free / realloc  lags
		//with bush it just disappears when OR'ed with 0x1000, it seems like this is some sort of integer-bit-field for flags
										//could be a free'd flag? indicating if the object is to be freed or is freed?
										//kinda just disappears from ram altogether
		/* 0x20 */ u16      soundEffect; //Plays sound effect relative to Entity's location (if within range of camera?)
		/* 0x22 */ u16      unk_0x022;
		/* 0x24 */ Coord_f  position; //Current coordinates
		/* 0x30 */ Rotation speedRot; //0x32 sets what direction the 0x68 speedXZ variable is moving the Entity
		/* 0x36 */ u16      unk_0x036; //same as 0x1A
		/* 0x38 */ Coord_f  pos3; //Related to camera
		/* 0x44 */ Rotation rot1; //0x30 rotation copied into here
		/* 0x4A */ u16      rotation_on_x_axis;
		/* 0x4C */ float    unk_0x04C; /* I know this is a float from breakpointing it */
		/* 0x50 */ Coord_f  scale; //sets x,y,z scaling fEntity. Typically, a fEntity of 0.01 is used for each axis
		/* 0x5C */ Coord_f  velocity;
		/* 0x68 */ float    speedXZ; //Always positive, stores how fast the Entity is traveling along the XZ plane
		/* 0x6C */ float    gravity; //acceleration due to gravity; value is added to Y velocity every frame
		/* 0x70 */ float    minVelocityY; //sets the lower bounds cap on velocity along the Y axis
		//struct, collision related
		/* 0x74 */ int*     wallPoly; //Wall polygon an Entity is touching
		/* 0x78 */ int*     floorPoly; //Floor polygon an Entity is over/touching
		/* 0x7C */ u8       wallPolySource; //Complex Poly Surface Source. 0x32 = Scene
		/* 0x7D */ u8       floorPolySource; //Complex Poly Surface Source. 0x32 = Scene. related to 0x80/88
		/* 0x80 */ float    unk_0x080; //floor poly height?
		/* 0x84 */ float    unk_0x084;
		/* 0x88 */ u16      unk_0x088; //unknown
		// & 0x0100 = ?
		/* 0x8A */ s16      unk_roty; //rotation y (give item, possibly next facing dir?/face toward link?)
		/* 0x8C */ float    unk_0x08C;
		/* 0x90 */ float    xzDistanceFromLink; 
		/* 0x94 */ float    yDistanceFromLink; // relative distance
		/* 8-10-2012 : Addition made by Jason777 */
		/* For Entitys which contain a damage chart (example: Stalfos)... */
		struct 
		{
		/* 0x98 */ z_EntityDamageTable* DamageChart;  /* Pointer to the Entity's Damage Chart in RAM. */
		/* 0x9C */ Coord_f  displacement; //amount to correct velocity (0x5C) by when colliding into a body
		//following 3 variables correspond to a chicken running away when hit.
		//so likely a target position for the entity to go to
		/* 0xA8 */ s16      unk_0x0A8; 
		/* 0xAA */ s16      unk_0x0AA; 
		/* 0xAC */ u16      unk_0x0AC; //unk
		/* 0xAE */ u8       mass; // Used to compute displacement, 50 is common value, 0xFF for infinite mass/unmoveable
		/* 0xAF */ u8       health; 
		/* 0xB0 */ u8       damage; //amount to decrement health by
		/* 0xB1 */ u8       damageEffect; //Stores what effect should occur when hit by a weapon
		/* 0xB2 */ u8       impactEffect; //Maybe? set on deku nut when deku nut collides with gossip stone
		/* 0xB3 */ u8       unk_0x0B3; //?
		}; //CollisionCheck common
		
		struct 
		{
		/* 0xB4 */ Rotation rot2; //updating this value changes an Entity's rotation immediately
		/* 0xBA */ 
		/* 0xBB */ u8       unk_0x0BB; //unknown byte?
		/* 0xBC */ float    unk_0x0BC; //Model y axis offset. Represents model space units. collision mesh related
		/* 0xC0 */ void*     drawDropShadow; //Draw function for Piece of Heart drop shadow?
		/* 0xC4 */ float    unk_0x0C4;
		/* 0xC8 */ u8       unk_0x0C8;
		}; //NTSC 1.0 initializes with 8001EC20
		
		/* 0xCC */ Coord_f  unk_0x0CC; //used in Link, not Deku Babas 
		/* 0xD8 */ Coord_f  unk_0x0D8; //used in Link, not Deku Babas
		/* 0xE4 */ Coord_f  unk_0x0E4; //stores result of some vector transformation involving
							// Entity xyz vector, and a matrix at Game Play + 11D60
		/* 0xF0 */ float    unk_0x0F0; //related to above
		/* 0xF4 */ float    unk_0x0F4; //unknown
		/* 0xF8 */ float    unk_0x0F8; //unknown
		/* 0xFC */ float    unk_0x0FC; //unknown
		/* 0x100 */ Coord_f Pos4; //Final Coordinates last frame (collision, NTSC 1.0 f 8002F8E0)
		/* 0x10C */ u8      unk_0x10C; //Z-Target related
		/* 0x10D */ s8      unk_0x10D; //Z-Target related
		/* 0x10E */ u16     textId; //text id to pass to link/display when interacting with an Entity (navi text, probably others)
		/* 0x110 */ s16     freezeEntity; //Used for the "Redead Freeze" attack
		/* 0x112 */ u8     unk_0x112; //Damage color effect, the higher the number the higher the color intensity, 00-1F = blue, 40-5F = red, 80-9F = white, C0-DF = white (duplicate)
		/* 0x113 */ u8     unk_0x113; //Damage color animation, goes from 01 to FF, the lower the value the faster the animation goes, crashes if 00
		/* 0x114 */ u8      unk_0x114; //Damage color effect timer, decremented toward 0 every frame
		/* 0x115 */ u8      runEntity; // Determines if Entity instance should be processed. 01 for yes, 00 for no.
		/* 0x116 */ u8      unknown; //set within a routine that deals with collision
		/* 0x117 */ u8      naviEnemyId; //sets what 0600 dialog to display when talking to navi. Default 0xFF
		
		/* 0x118 */ struct z_Entity* attachedA; //Interfacing Entity? 
		//e.g. Link holding chu, Chu instance stores ptr to Link instance here; 
		//     Anju having Link's ptr when giving an item;
		//     Volvagia Hole stores Volvagia Flying here
		
		/* 0x11C */ struct z_Entity* attachedB; //Attached to Entity (
		//e.g. Link holding chu, Link instance stores ptr to Bombchu instance here
		/* 0x120 */ struct z_Entity* Entity_prev; /* Previous z_Entity of this type */
		/* 0x124 */ struct z_Entity* Entity_next; /* Next z_Entity of this type */
		/* 0x128 */ void *Init; //Initialization Routine. Mandatory
		/* 0x12C */ void *Dest; //Entity destructor 
		/* 0x130 */ void *Main; //Main Update function, called every frame the Entity is to be updated
		/* 0x134 */ void *Draw; //Draw Routine, writes necessary display lists
		/* 0x138 */ u32 CodeEntry; //Address to source overlay file's reference in code (file)
		/* From here on, the structure and size varies for each Entity */
	} z_Entity;
	//Entitys with a poly-type collision mesh will always set this variable
	//    /* 0x13C */ s32 PolyEntityId; //Index for poly mesh

	//ActorMain, Actor Draw arguments
	//A0 = Actor Instance
	//A1 = Game Play
		
}}}