Reach the Credits from Kokiri Forest using ACE (Ocarina of Time Glitch Explained)
- Published 21 Nov 2024
The Legend of Zelda: Ocarina of Time can now be beaten from Kokiri Forest, using a trick known as “ACE” or “Arbitrary Code Execution”. This is a huge breakthrough for OoT and is the result of months of hard work from many individuals. The trick isn’t the easiest thing to understand simply from watching the gameplay, so this video goes into some detail about what’s happening.
The trick uses “Stale Reference Manipulation” (SRM), a trick which allows us to edit memory values that we normally wouldn’t be able to edit. Using this, we’re able to make the game jump to some code that we’ve written to take us to the credits.
Here is the original video of the trick by MrCheeze:
• Ocarina of Time - Koki...
Here is the current fastest speedrun at the time of typing this:
• Ocarina of Time Any% i...
Here's a video guide on how to perform the speedrun by Savestate:
• OoT any% ACE: Next Cut...
Here is a reddit with an explanation by mzxrules:
/ fehg486
Here is a document outlining the route used in the speed run and how to perform it:
docs.google.co...
Fig02 made a video explaining another kind of ACE, in Goron City. The concept is similar, this video goes into a bit more technical detail if you’re interested in that: • Arbitrary Code Executi...
Here are my original videos where I discovered SRM:
• OoT/MM: Stale Referenc...
• OoT/MM: Stale Referenc...
In the speedrun, there are a few extra things that are either different from the video, or that the video doesn’t mention. These are:
- The speedrun actually clips past the Kokiri guard before getting the shield using a Triple-Slash Clip (TSC) instead of the crouch-stab method I showed.
- After the slingshot you need to savewarp back to the start, otherwise the game won’t be able to load the cutscene correctly.
- When heading from the Deku Tree to the Kokiri Forest area, you need to load the Deku Tree area again 3 times: first with your sword charged for a spin attack, and the next two times with a slingshot seed readied. This is so that the correct values in memory are in the correct places for the trick to work properly.
- When doing the walking-while-talking glitch, you need to break the two signs here in order to make sure the memory is set up correctly.
- After the SRM, you need to break some extra rocks so that the slingshot seed can occupy the area in memory that these rocks took up.
*Note from the video: In the clip with the chest in deku tree, I hack some values into the game to demonstrate this SRM in a way that normally wouldn’t be possible. The way we edit the chest contents here in reality is a bit more complicated, although I decided to do it this way for demonstration purposes.
Big thanks to everyone involved in this trick, the OoT glitch hunting community is as strong as ever and I can’t wait to see what crazy things we end up with next!
Be sure to ask questions!
Smb1: So imagine a bus that leaves every 21 frames...
Oot: So there's this treasure hunter...
SM64: We need to talk about parallel universes...
@@Somefurfag Half A presses.
I was pretty disappointed there was no bus analogy :D
Lol, this is rather funny to me. I've only recently (last year or so?) started diving into deeper mechanics on old games. Literally every bus reference I've heard has been, "so you all know the bus analogy, so I'm going to explain it another way." Your comment is the first time I've heard what the bus analogy actually is :P
I miss times, where a speedrunner could actually hold a world record, because he was... you know.. GOOD AT A GAME! And not good at programming or whatever the hell all this glitchy glatchy shit is.....
"Lemme just use this rock to re-program the game"
I was in a pretty bad mood then this comment made me laugh 😂😂😂
Re-program an instance of the game ;) :D
And lemme set my savefile to warp me to the end credits, normal stuff ya know
Very MacGyver-esk 😁
The true Philosopher's Stone...
Ocarina of Time as Miyamoto intended, Ganon was always optional.
The supreme art of war is to subdue the enemy without fighting
@Benjamin McCann the finest leader never leaves his home town abandoned
Yes I'm sure he foresaw arbitrary code execution lol
@@mathprodigy This was not a very good addition to the joke
Damnnnn fucking savaaage lmfao
The one kid in Japan that did this accidentally in 1999 finally has some closure.
source?
Mid Bell it’s a joke 💀
@@mr.camsbfgr8964 source that its a joke? lol jk
They mocked young 84 _Fuubōpa_ v for his name, but only he knew the pleasure of watching part of the credits for a game he didn't even get to finish
That's me!
First OoT speedrun: Yeah, it's gonna take at least 4 hours to beat the game any%.
Years later: So if you roll into a bomb with the right inputs, you can start sliding like you're on ice. You can even hover by backflipping off of a bomb with ISG!
2020: So by writing code into the game with a rock and slingshot, you can put every single item into your inventory or warp to the credits. Look, I have 41 hearts.
I still remember when I did this arbitrary code execution by pure luck when I was a child, and it was a shocker because it was before even beating the game, so it was my first time seeing the credits. Nobody ever believed me so since then I always recorded my plays, but could never trigger it again. It's very cool to finally get to see what was up with that.
@@Yntec what
You arbitrarily code executed.... by random chance?
You sure it wasn't a stray cosmic or gamma ray lol
@@mathprodigy Oops, forgot it's considered lying when I don't mention it was a joke. Still, I said it with the most straight face I've had in my life! 😂
@@Yntec bro you had me for a sec, i was like "but...its far too specific and they've taken YEARS lol"
@@mathprodigy Sorry! But I'm glad I got someone! 😀
ACE is the true ending. Ganon was just there in case people sucked at the game and couldn't reach ACE.
Imagine showing up to fight Ganon only to have him turn around and say
"Really?! You literally took seven years to confront me."
OR
"Brother, my GRANDMOTHERS can wrongwarp to where they want to go faster than you can."
OR
When runners finally ACE their way to the credits, Ganon is there partying with everyone. As the final credits scroll, you HEAR him say.
"Thank you very much for playing my game!"
For speed running, perhaps, but now we can play OoT to crash Paper Mario.
AkaiAzul I know it’s random but what if there was a way to use that glitch item in Pokémon Gen 1 to beat paper Mario or crash it?
꧁༺Drakath Fenrier༻꧂ Technically possible, yes. We could use ACE in Pokémon Gen 1 to modify Pokémon Stadium to prepare for a Stop and Swoop of Paper Mario to beat / crash it.
Comments that aged well considering you can now get the Triforce using ACE as the true ending
the shop music as an analogue to the SM64 file select theme a la pannenkoek is a nice touch
exactly
@Public Alaskan ok boomer
Public Alaskan shut up weeb.
analogue
@Public Alaskan peanus and balles
Why are you so mean to the treasure Hunter man?
Because he won't dig up the damn heart piece.
Poor Dampe.
He's not mean; he's pointing the treasure hunter man to a better treasure.
He has no human right
Because we're actually being nice.
Imagine that the treasure hunter has to walk from where he begins to where the treasure is.
However, the new "X" has a bus ticket waiting. The next "X" has another bus ticket waiting, and so does every X.
Instead of walking a long way to get to the place, he's taking a few buses...which winds up being faster than walking the long way.
“Ocarina of time is dead. It’s over.”
World record is now 5 minutes faster
The 18:10 is still the best OoT speedrun ever made, this new route is nowhere near as exciting, it is impressive don't get me wrong but nowhere near as interesting to watch as previous routes.
@@ollymuirs yup, it's kinda sad that so much of the interesting stuff is gone cuz of this.
Eve Appleby Nah, this will probably be sectioned off into its own category. Also, there are plenty of other OoT speedrun categories that include tons of cool stuff.
@@eveappleby2211 it's laughable to say that kak route is the most interesting run because this route cuts so much out. People held the same opinion on any% because it left out so much of the game that longer categories make use of.
While the glitch used gets called SRM (and I suppose "stale reference manipulation" is technically a valid description), the class of memory manipulation done here is generally called a 'use-after-free' exploit.
Please explain further
@@jphataraki6764 When a data element or structure in a piece of dynamically allocated memory is freed (typically using a free() call in C) but still has active pointers pointing and writing to it, in computer security parlance this is generally called a 'use-after-free' condition. See MITRE CWE-416.
@@Lord_Nightmare thanks for the info, pretty interesting
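The description's "stale reference" wording and the comment above describing use-after-free are two views of the same defect: a reference outlives the object it was issued for, the freed slot is reused by a different object (in the route, a slingshot seed takes over memory a rock occupied), and the old reference then silently acts on the new occupant. The following C block is an added example, not code from the video or the game: it models a small fixed-size actor table (a constructed stand-in for the game's object pool), shows a raw index reference going stale after free-and-reuse, and contrasts it with the generation-tagged handle engines use to detect exactly this condition. The table layout, the `actor`/`handle` types and the `stale_reference_demo` function are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny fixed-size actor table standing in for a
   game's object pool. Two ways of referring to a slot are compared:
   a raw index (behaves like a stale pointer after free + reuse) and a
   generation-tagged handle (rejects the stale reference). */

#define NUM_SLOTS 4

enum actor_kind { KIND_EMPTY = 0, KIND_ROCK = 1, KIND_SEED = 2 };

struct actor {
    enum actor_kind kind;
    uint32_t generation;   /* incremented every time the slot is freed */
    int payload;           /* some per-actor value */
};

struct actor_table { struct actor slots[NUM_SLOTS]; };

/* A "weak" reference: the slot index plus the generation seen at issue time. */
struct handle { uint16_t index; uint32_t generation; };

static void table_init(struct actor_table *t) {
    memset(t, 0, sizeof *t);
}

/* Occupy the first free slot and hand back a generation-tagged handle. */
static struct handle actor_spawn(struct actor_table *t, enum actor_kind kind, int payload) {
    for (uint16_t i = 0; i < NUM_SLOTS; i++) {
        if (t->slots[i].kind == KIND_EMPTY) {
            t->slots[i].kind = kind;
            t->slots[i].payload = payload;
            return (struct handle){ i, t->slots[i].generation };
        }
    }
    return (struct handle){ UINT16_MAX, 0 }; /* table full: invalid handle */
}

/* Free a slot; bumping the generation invalidates every handle issued for it. */
static void actor_free(struct actor_table *t, uint16_t index) {
    t->slots[index].kind = KIND_EMPTY;
    t->slots[index].payload = 0;
    t->slots[index].generation++;
}

/* Unsafe lookup: trusts the index unconditionally, like a dangling pointer. */
static struct actor *lookup_by_index(struct actor_table *t, uint16_t index) {
    return &t->slots[index];
}

/* Safe lookup: returns NULL if the slot was freed since the handle was issued. */
static struct actor *lookup_by_handle(struct actor_table *t, struct handle h) {
    if (h.index >= NUM_SLOTS) return NULL;
    struct actor *a = &t->slots[h.index];
    if (a->kind == KIND_EMPTY || a->generation != h.generation) return NULL;
    return a;
}

/* Scenario: keep a reference to a rock, free the rock, spawn a seed into the
   same slot, then use both kinds of reference. Returns the kind the stale
   index-based reference now sees (KIND_SEED: it silently targets the new
   object) and sets *detected to whether the handle check caught the reuse. */
static enum actor_kind stale_reference_demo(bool *detected) {
    struct actor_table t;
    table_init(&t);
    struct handle rock = actor_spawn(&t, KIND_ROCK, 10);
    actor_free(&t, rock.index);          /* the rock unloads */
    actor_spawn(&t, KIND_SEED, 99);      /* a seed reuses the freed slot */
    struct actor *via_index = lookup_by_index(&t, rock.index);
    *detected = (lookup_by_handle(&t, rock) == NULL);
    return via_index->kind;              /* KIND_SEED: the stale reference now hits the seed */
}

int main(void) {
    bool detected = false;
    enum actor_kind seen = stale_reference_demo(&detected);
    printf("stale index now refers to kind %d (2 = seed)\n", (int)seen);
    printf("generation-tagged handle rejected the stale reference: %s\n",
           detected ? "yes" : "no");
    return 0;
}
```

The index-based path is the CWE-416 shape the comment describes: nothing in the data tells the consumer that the slot changed owners, so whatever it writes lands in the seed's fields. The generation counter costs one integer per slot and one comparison per lookup, and turns the same situation into a detectable NULL that the caller can handle.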
CDi Link: "I won!"
Zelda: "You didn't even leave the damn forest!"
Still counts! And I think Link's now confused about what just happened.
@@TheBreakingBenny "Oh nothing Link." - well, story-wise it really was nothing.
"I just saved you from Ganon!"
"You did not."
I'm saving this video to give to anyone who asks about how ACE works in general. Your explanation and Treasure Map analogy explains the concepts behind ACE (and this particular execution) better than I've seen before.
Also check out this one -
ua-cam.com/video/14wqBA5Q1yc/v-deo.html
Well the accompanying descrip anyway
ua-cam.com/video/vAHXK2wut_I/v-deo.html
what'd be good is a video explaining how this was even discovered.
I think there was a guy that used a similar trick for Super Mario World on SNES, actually you should watch his video of that he blew his own f****** mind when he discovered it. I will have to search up the video if you want me to share it with you just reply here so I get a notification from your reply to even find this comment again later once I found it
Oh yea, and I just noticed in the video description itself you can find a couple of links where this channels Creator himself discovered SRM in this game, I'm gonna watch them myself.
But yeah the first game to discover you could do this type of thing was on Super Mario World
MondoManDevout a link to that would also be much appreciated.
ACE has been talked about for years on OOT. My guess is that many already knew how the game writes things to memory, but that data couldn't be manipulated by the user, until they discovered the trick with the rock and the far away camera. That I think was the key that started the whole thing, that trick allowed the manipulation of data in memory by the user that the game didn't intend to be manipulated, once you do that it's a matter of logic and understanding the way the game uses this data to achieve the desired result, hence the treasure map analogy.
At least that's my guess anyways.
DLC ENERGY following for link
I used some pretty old video editing software on my laptop for this one - I also rushed it a bit so it is what it is.
Still, I hope you enjoyed it and now that i've de-rusted (and got some better software) I think the next few explanation videos I make will be even better!
Who knew that everything I learned about dynamic memory allocation, overflow, and memory addresses/pointers, would all come into play while watching a random ocarina of time speedrun video on youtube???
Thanks, C.
So treasure maps are the new bus stops, I get it.
Great explanation, thanks!
jemus42 “Bus stop to the next dimension!”
I was using like 95% of my mental energy to just follow along and have a clear picture of what's actually happening in the game code just from a simple UA-cam explanation. How people actually figure this shit out in real life is beyond me
I helped too. I found the input data struct we jump to for 1.0 :D
you're saying that like Atom and Verbose and Spectrum and all your other tools weren't ridiculously important to all of this
True! I put you in the credits at the end, there wasn't enough time to say all the names lol
Just graduated computer science, so when you said "We corrupted the pointer", I just briefly closed my eyes and said "FUCK", because I have suffered what doing this can cause.
Thanks for the great video and explanation.
1:30 The route proceeds to the deku tree to get the slingshot,
*DA~ DA~ DA~ D--*
and then leaves again.
great comedic timing, not even sure if it was intentional
"There will be some *extra Links* in the description"
Oh god what glitch can do that?
Link duping, duh
majoras mask
You can do it with ace, just manipulate the model of the rocks.
Is this a Yu-Gi-Oh reference?
Actually insane how much has been discovered over years.
Treasure hunter:
What is this bs!!
Bus driver:
First time?
Next OoT category will be something like "Build a Tetrix any%"
This version of the route is already outdated, holy frick
I'm not surprised, I take it they found a way to point to the cutscene id faster?
Spaced Invader yep, just watch the guy’s runs on his channel
This is actually an amazing explanation. I think I finally understand a lot of how this works. Good job
Hey Glitches and Stuff! Really appreciate the video, I watched a couple others and still had basically no idea how this trick worked. The ELI5 nature of the vid was helpful and necessary for someone like me, who doesn't speedrun this or any game.
Also I loved your presence on the couch at GDQ! You've got a knack for explaining things in a concise and easy to follow way, and you made the run significantly better with your being there, imho. You and ZFG are an entertaining combo.
Thanks for the feedback, that's very kind of you!
This is a cool and accessible explanation of how arbitrary code execution works! The process also demonstrates the technique of “exploit chaining”, since with each step the user can do slightly more: first a simple jump, then a more complex jump, and then a memory write and return. As others have mentioned, both of these are the same principles that are used in computer security, just for a different purpose and on a smaller scale.
Kudos for using Nunavut and Greenland as a map, I'm from just south of the first location
Finally, a practical application for my Computer Science degree!
The treasure hunter metaphor is the only reason I can even pretend to understand what I just watched. this is amazing
Dang, not even OoT is safe from the recent slew of major Zelda speedrun discoveries. Crazy!
The analogy is great, I wish I had heard it when first learning about RBA a long time ago.
The actor displacement glitch works in both Ocarina of Time AND Majora's Mask which causes arbitrary code to be used for wrong warping.
Probably because Majora's Mask is the exact same engine.
Gotta say, (even though it's not used in this run) using ACE to patch the filename entry to let you enter dozens of characters is genius.
Holding items, having them unload, and reappear as different objects
Jolly Roger Bay x 0 A presses confirmed
Very fascinating how OoT continues to amaze us with what you can do with it. I still think it's the greatest speedrun game of all time (SM64 is up there due to its movement) but no other game I think has been ripped apart down to its bare code as much as OoT. I also love the fact that there's nearly 50 different categories (regular leaderboard and category extensions) that you can run in this game, so there's something for literally everybody.
Congrats to the OoT community for discovering this and working for months to make this viable, it's incredible. Keep up the good work guys!
9:33 Hold up, so this is actually a tool-assisted speedrun.
literally was about to write the same thing!
@@andr0ne_ ACE might get forbidden or separated into its own category anyway. At least this is what most other games do, that have memory corruptions like this.
@@Gelikafkal Except that this IS the efficient Any% route. If anything, non-ACE will become its own category and this will be Any%.
The debate is about the fact that this category is tool-assisted or not. We don't care if it's called any% or any%ACE. Nor that former any% will become any%noAce. The fact is, you must modify your cuntroller (Kappa) to achieve this category. Plus, you need software (idk the name, but OoT speedrunners use it to practice on n64. Someone may help me find what I mean) that will show you if the stick is held in the right exact position. It does sound a lot like TAS to me.
@@alexgagnon379 This is not a tool assisted speedrun. There are no macros being used or outside programs.
the treasure map analogy for pointers / indirection is so spot on
people in 1970: We'll have flying cars by 2020
OOT in 2020: Allow me to introduce myself.
That treasure hunter analogy is one of the most unique ways to talk about pointers I have ever heard... But then again, I didn't hear a lot of things about pointers in my life...
The article in Ars Technica brought me here. Bravo! This use-after-free vulnerability, combined with what I can only assume to be thousands of person-hours to determine how to reliably exploit it; it's just bloody genius.
I was going to ask how I'm not already subscribed to your channel, but first we've got to discuss parallel universes.
I was wondering how crazy this could be with a 13 minute video but then you just explained how memory works for several minutes
I love the way he tries to explain it for people who don't know code.
Although, don't you have to also manipulate which location in memory gets edited like you explained in your SRM video? Or does it just coincidentally work out like this?
Wow this is a classic use-after-free, but... actually inside a running game with limited input. This is just crazy!
The fact people are still discovering things is incredible.
5:46 why is the treasure in northern canada
Was waiting for somebody to realize this lol
Because northern Canada was the real treasure all along. (Seriously, check out some pictures. It's gorgeous.)
Like The Yukon?
Left side looks like a Doomer face lol
diamond
OoT speedruns officially reached parallel universe level
That was a really good explanation. Wild what people are coming up with for this game now
thanks for this video, this is a way better explanation than I could give to anyone that asks what's going on now
Crazy that this stuff is even found out. Love seeing how other speedrunners/glitchhunters break their games! Thanks for the vid
I'm honored to be in the presence of such greatness, you have truly outdone yourselves
First off, great video! Loved your ACE explanation. I gotta go educate myself some more by watching the run, but if the runner has to use rubber bands or clamps or whatever on a second controller, then to me that is encroaching on a "tool assisted speed run". Software isn't the only tool that can assist a runner.
It's a two player speedrun. Remember to credit Staples in your leaderboard submissions!
That's kind of a reach to be honest. Using that logic all speed runs would be "Tool Assisted" due to using a controller. For WiiVC and Gamecube versions, ESS adapters to simulate the same deadzone as N64 are used. So to you those would also be Tool Assisted, no?
@@xxka0tikkxx I mean I'm not qualified to say how Zelda speed running should or should not be judged. I also think this is maybe more relevant to more restrictive categories in general (any% is pretty much no holds barred). But that said, yes, I'd consider what you said as "tool assisted" because of the ESS adapter. To me, it's not an OEM-provided console or peripheral, so it's not as "pure" of a run. But again, maybe the category rules leave some room for interpretation there.
I'll pose a question to you though: Let's say two runners get the *exact* same time for this run (like frame-exact). Runner A uses rubber bands on the second controller and Runner B uses his/her feet to hold the buttons. In your opinion, who should have the record? (A/B/Both, no wrong answers here)
@@harvtronix Both, because the route/trick calls for those buttons to be pressed on a separate controller and while that is a requirement it's what is done on Controller 1 in the setup and execution that really matters. If another runner got the same record yet used save states, frame advance etc then that would be tool assisted. Or say they used some kind of controller that could be programmed to do the set up on Controller 1 perfectly every time then I'd say TAS. I can kind of see where you are coming from but, in terms of TAS as defined in the community this is nowhere close.
Thanks for the explanation. I figured it was related to buffer overflow, but it’s actually not. Pointer manipulation. Brilliant
You did a very good job of making pointers understandable for nontechnical people. Very well done.
i absolutely love this
Thank you!
Awesome explanation! The map metaphor made it easier to understand, and it was very interesting!
Man you are a genius with this explanation for pointers, i'm gonna use that for now on
Wow. I think if I hadn't already taken college classes in data structures I would be completely lost on the pointer corruption right now. Congrats on finding this exploit!
I think there's a better analogy than the treasure map:
Consider that you gave someone directions on how to do something, for example 'how to draw this rock'. The directions are on page 200 of a large book of instructions that you wrote down (the game's code in memory), so instead of listing out all the directions (wasting memory) you can just tell them to go to page 200 in the book (a pointer to the page). However using ACE you can change the instructions on page 200 to instead say something like "go to page 400", which is the page containing instructions for playing cutscenes. Since they trust you to have pointed you to the correct page, they follow the instructions and just end the game (play the final cutscene).
I obviously haven't put all the instructions in here, but I think it's a little more intuitive
How about we just explain a pointer and why they're used. It would take about the same amount of effort.
@@skyemegakitty because assembly fucking sucks to learn
I have accidentally seen this video 3 times and it still amazes me every time I see it
In the future the game can be beaten within seconds in Link's house by pressing a certain button combination
ACE: "I am become Death, the destroyer of any% categories."
Can't tell if you're referencing something else, but I know that from the radiance in linkin park's album a thousand suns.
@@lovey0184 Originally a quote from Robert Oppenheimer, a scientist working on the atomic bomb. After he witnessed it being tested he said "I have become death, destroyer of worlds"
This is VERY well described for the programming illiterate like myself. Thank you. This is truly fascinating!
This is a cool video, thanks for making this!
Thanks for the kind words :)
Wow. I still remember back in high school when cosmos was getting his 18 minute runs and thinking that was insane
I remember watching that 18:10 run live and OoT any% was "dead" lol little did we all know
Nobody would beat an 18:10 using his same strats from back then I'd think. The run was incredibly well executed and is kinda lost to time with all the new discoveries. Feelsbadman
@@Rocker21344 it was beaten by 4 sec by Jodenstone using the same strats a few months later.
cosmo goes by the screen name narcissa now and is currently the 2nd place holder of this record with the new run.
I remember when he said this trick would eventually happen and make Any% useless.
No one wants a shitty credit warp for OOT.
I have no idea what I just watched but I enjoyed it
I appreciate the effort you put into making an enormously complex and technical trick understandable for people (like me) without a strong programming background
Imagine looking for buried treasure and you just see a note that says "Load the cutscene from the gp register"
I like how this video alone is longer than the current wr of OoT
Link finally has unleashed the true power of the Triforce, the power that lets him create the world as he wants it, as laid out in the lore for "A Link To The Past". The Credits Warp is nothing else than future Link, from the ending of ALttP, assisting OoT Link by using that power to spare him the trials he would have to go through otherwise.
And with that, we finally know what is really canon in the lore.
Soooo....Doom programmed into OoT when?
Great video, thanks for taking the time to break down this crazy trick!
They’ve already got the jump to controller input as code, so the next step is to use that to drop a payload that allows more efficient input-as-code execution, and then a step to disable the main game loop and read in at sub-frame speeds, and then the Doom Payload can be loaded after that within a few seconds, faster if it’s less Doom and more OoT crossed with Doom gameplay (because game asset reuse). I expect a TAS to do this within the next six months and for TAS bot to be performing this at the next SGDQ, or the next AGDQ at the latest.
(The payload explanation above is how the TASbot team has done a bunch of the total control runs seen at GDQs previously, specifically with Super Mario World and gen 1 Pokémon.)
@@Tustin2121 I can't wait! I'm torn between which would be more interesting to see, the OoT crossed with Doom gameplay would be super cool to see, but a straight up copy of Doom being run in OoT is also part of the tradition of "will x run Doom?"
Thanks for taking the time to enlighten me, it gave me something to look forward to!
Next we have Pannen talk about PU's and what not in OoT.
6:10 - Basically, the ability for ACE to work as it does (in any program) is all Alan Turing’s fault for thinking that it was a good idea for a computer to allow both code and data in the same memory space. And indeed, if the N64 (or any of these old consoles) had any concept of Data Execution Prevention, these ACE exploits wouldn’t be possible.
Great explanation, btw. It’s amusing to me how speedrunning these old games everyone loves so much, how much that’s turning more and more into hacking and programming with every passing world record.
Also if Nintendo didn't think all controller input data should be read instead of just controller 1 input data, this would be... well... probably not impossible but it would require a different setup.
@@Lovuschka OOT actually reads controller 3 to process the secret "delete all saves" code.
But there more than likely would be DEP/ASLR bypasses, it would’ve just required more exploit development work.
Funny how Link holding that gate looked just like Mario holding things while cloning, because both of those tricks use stale references.
Okay, I think I FINALLY understand. As someone who knows nothing about coding, when I first heard about this glitch, I understood the base concept, but was struggling to understand HOW you could tell the game exactly what to do. Turns out you write the code with the file name and the controller’s button inputs?? This stuff is wild
i guess you can say this trick...
Rocks!
Thank you for the actual in depth explanation on this.
Programmer here, it was nice to see
So ace is just manipulating tricks coders do to save space for more memory…. Are there newer games that still have this?
I could see this going away as technology gets better and we don’t have to do these little tricks to save tiny amounts of space.
awesome! Thanks for the vid!
Arbitrary code execution in N64 games? that's a new one!
Great video (albeit can't say I fully understood everything!). What still baffles me though is how on earth all this was figured out!
Someone must have found a way to pull up a developer mode to watch the code being written and executed
this created a new timeline branch
So like I appreciate the use of the Shop theme when explaining your analogy but if it had been the SM64 file select it would have been legendary.
That treasure hunter must be really pissed
I actually now know what memory is now by watching this video.
No you don't. This video is extremely oversimplified.
I wanna see a crazy gameboy-level ACE TAS using this approach, that runs something completely new and not found in OoT
If you guys put this much effort into solving Covid or Cancer we would eradicate them forever
Cosmo hinted about ACE in his arbitrary speech years ago.
I think an actor with a script is a better metaphor than a treasure hunter, since that's basically what a computer is, an actor with a script and a list of things to keep track of.
As a speedrun it's about as exciting as selecting "see credits" from the main menu.
Cool glitch though.
OMG can't believe that somebody actually explained this thx u
World Record is now 9 minutes 57 seconds, and will probably be lowered even further in the coming days
If these guys were in NASA we'd have colonized Mars by now
But muh strats
playing the same video game for years or decades to find glitches is not comparable to any productive profession or anything productive at all
@@sygos so then it's exactly like most of nasa lol
@@sygos yeah, haha, imagine having a hobby and a passion
@@sygos for instance, building a rocket requires spending resources, while the tools used for computer stuff don't wear out proportional to attempts
this was an amazing explanation thank you so much
This video is giving me pannenkoek vibes. I love it
Imagine doing this speedrun the year Ocarina of Time was released 😅
I can't believe that our route to DK Tree was slow for any% and it wasn't a dead run.
Yeah but have you tried just watching the credits online and not even having to boot the game? NOW THATS a speedy run.
Yeah, this needs to just be its own category. This would get very old
Yeah, as soon as ACE is discovered to be possible in a game it should get its own category since it is a special tier of glitch that eventually lets you do nearly anything you want.
Yes. No one wanted this to happen years ago either. But it has. Just call it ACE category.
Frame rule bus: Finally a worthy opponent