Arbitrary Code Execution in Animal Crossing

Captions
Arbitrary code execution, or ACE for short, is often seen as the holy grail of video game exploits. As the name implies, arbitrary code execution allows players to quite literally run their own arbitrary code in places the game never intended. In the context of video games, the possibilities of being able to execute your own code in a game are near limitless. If you're familiar with retro game speedruns, you might have heard of ACE being used in games like Ocarina of Time and Super Mario World, where setups are used to write and execute code to instantly load and warp to the credits of the game. While credit warps like this are useful for speedrunning, the true scope of arbitrary code execution is often only limited by the creativity and knowledge of the player abusing it. That is to say, if you have the knowledge and capabilities to set up ACE, theoretically almost anything within the hardware's constraints is possible. Want to program a Flappy Bird clone into Super Mario World by writing your own code through Mario's movement? You can do that. Or how about making your own Twitch chat be rendered in your game in real time? You can do that. And of course, all of these scenarios are possible by just abusing specific setups and exploits that allow players to write their own code solely through actions within the game.

So is arbitrary code execution even possible in Animal Crossing? The short answer is actually yes, and it has been possible for quite some time. However, the process for achieving ACE here is quite hilarious and different than any other game I've seen. So today we finally dive into arbitrary code execution, how the exploit works in Animal Crossing, and some cool things you can achieve with it. This will be my longest and most technical video to date, so I hope you enjoy.

First, unlike other glitches and bugs in video games, ACE exploits are actually more of a security vulnerability within the code itself. Thus, understanding an exploit like this requires a bit of knowledge of computing and programming. If you're not too familiar with computer science, I will do my best to explain things as simply as possible, so bear with me. So to start, unlike something like clip out of bounds, which is a concept exclusive to video games, ACE is actually a real-world exploit that affects other applications and programs outside of games. Again, these exploits are severe vulnerabilities that could potentially allow attackers to execute their own code on your machine, sometimes even remotely if a program connects to a network. Naturally, these vulnerabilities are quickly patched, and even hardware nowadays has evolved to make arbitrary code execution a lot more difficult. But of course, retro games do not have the luxury of modern-day hardware or patches, making them quite susceptible to ACE exploits. I've already talked about Super Mario World and Ocarina of Time, which are two games that have a lot of documented information about ACE, but now there are actually a whole host of retro games with discovered ACE exploits.

To begin to understand these exploits and the rest of this video, I suppose it's important to explain the general concept of arbitrary code execution. First, it's important to note that many traditional computers, including game consoles, do not distinguish between stored data and actual game code. What do I mean by this? Well, all video games are of course designed with logic code that handles general gameplay. For instance, talking to Tom Nook here triggers dialogue code to start a conversation and render text boxes. The actual game code used to do things like this is commonly loaded in the console's random access memory, or RAM. This is because RAM is exceptionally fast at fetching data and instructions, so game designers typically load useful data into RAM to prevent slowdowns or load times in their games. In fact, in the case of Animal Crossing, about 99% of the entire game is loaded into the GameCube's RAM at all times. The one area of Animal Crossing that isn't stored in RAM is actually the NES furniture games, which is why you can notice an actual pause when loading up these games. Anyways, apart from logic code, game data is also stored within RAM to get that lightning-fast read and write speed. Game data in this sense refers to things like your character's coordinate position, your character's facing angle, the items in their inventory, your character's name, and so on.

So because both game logic and game data are stored in RAM, both sets here are essentially just plain numbers sitting in memory. That is, in older hardware like this, when you simply look at the RAM there is no clear distinction on which set of numbers translates to logic code and which set of numbers is used for simply storing data. So when a game needs to fetch logic code, it actually needs to find the memory address where the logic code is stored and then convert these numbers into actual code instructions. Typically games have tight control on remembering where in RAM game logic is stored, so the fact that logic and data cannot be differentiated in RAM is usually a non-issue. But I mentioned that the game needs to find the logic code in RAM, so it has to use something to keep track of where the logic instructions are stored. And what if we were to somehow take control of the process that remembers where instructions are? Well, in a traditional sense, arbitrary code execution is often achieved by doing exactly that. That is, ACE typically involves controlling a program's instruction pointer through a series of oversights or glitches. A program's instruction pointer, also called the program counter, is essentially a master register that keeps track of a program's instructions and contains the memory address of the next instruction to be executed. So if a program's instruction pointer is able to be hijacked to point to a specific location of our choosing, things can quickly get out of hand. For instance, by taking over the instruction pointer we can instead tell the game to execute stored data in RAM instead of stored game logic. Because game data is not differentiated from game logic in RAM, these data numbers are now the ones being translated into game logic instructions. And again, game data typically consists of things like your coordinate position on a map, your facing angle, items in your inventory, and so on. In other words, game data is almost always directly controlled and modifiable by the player by simply doing actions in the game. So by combining everything we just learned, we can actually set up specific data numbers in RAM by doing things like naming our player a specific name or just moving around in the world. We can then hijack the game's instruction pointer and point the game to that data to trick it into thinking that it's actual game code. This is the basic concept and essence of a typical ACE exploit, and I want you to keep this general explanation in mind as it will be important later.

But for now, let's finally talk about Animal Crossing for the GameCube. I mentioned that ACE was technically possible in Animal Crossing, so how do we go about writing and executing our own code here? Well, the answer actually lies within the game's NES emulator and console furniture item. If you've been watching this channel for a while, one of my earliest videos details how it's possible to load most official NES games onto a GameCube memory card and have Animal Crossing's NES furniture item play these games in your town. So yes, you can actually load up games like Metroid, Mega Man, and Super Mario Bros. 3 using this NES furniture item, which can be bought like a standard item in the game. This is possible because interacting with this NES furniture item actually calls a function to scan inserted memory cards looking for an NES ROM to boot. This function typically goes unused, but in 2018 programmer James Chambers figured out how to structure NES ROMs on the GameCube memory card to be properly read by Animal Crossing. Cuyler quickly followed this up by programming his own NES ROM injection tool, which automatically formats and sets up NES ROMs as GameCube memory card data, which can then simply be loaded onto your memory card.

This is already super cool by itself, but hidden within this NES ROM structuring lies the key to achieving ACE in Animal Crossing. See, when Animal Crossing scans the memory card for NES ROM data, special functions are called searching for specific three-character string tags which execute handler code elsewhere. For example, structuring a ROM to include the BBR tag can tell the emulator to save a specific area of RAM as battery backup memory, which is used to emulate a cartridge battery saving your progress in NES games. In a similar vein, using the HSC tag can tell the emulator which areas in the ROM are treated as high score data. It turns out there are a ton of these three-character tags that each have their own unique handling, ranging from simple console logging to complex pointer offsetting in memory. And if some of these NES tags can be used to point to memory offsets, it's sounding awfully similar to hijacking the control pointer in the general explanation I gave earlier. So can we actually abuse this NES tag system to point the game to look at specific memory addresses? The answer is technically yes, but it's a bit complex. Most NES tags have limited offset restrictions, so trying to go past a 16-bit integer offset, or hex FFFF, is typically not possible. The tags QDS and BBR are a little more promising in that, even though their offset maximums are limited to 16 bits, you can actually include multiple of these tags and their offsets get accumulated. This means we can just use multiple BBR or QDS tags to essentially offset to any memory value. And if this is sounding a bit too convenient, that's because it is. Unfortunately, even though we can offset to any memory address using multiple tags like that, the game actually calculates the total size of that offset and actually wipes the entire space to initialize it. And like I mentioned before, 99% of Animal Crossing is stored in the GameCube's memory, so offsetting like this can actually clear the entire game from RAM, of course resulting in an immediate crash.

So are we just out of luck then? Not yet. Hilariously enough, there is actually one special NES tag that not only has a controllable memory offset but also accepts an argument to automatically write data at that offset for us. In other words, the developers themselves included this PAT, or patch, tag that basically performs all the rudimentary steps of arbitrary code execution for us. This tag is a bit complex, but in essence it's special because we can stack multiple of them to offset to any value between these two memory addresses without clearing the entire RAM. These memory addresses happen to be where a fair amount of Animal Crossing code resides. This means we can actually write our own code and patch the game's code in real time, all by just using this NES tag on our GameCube memory card. So as long as you know what you're doing, you can simply set up your memory card with this patch tag exploit and then interact with the NES furniture item in game to overwrite existing game code. The possibilities with this are quite robust. I teased this months ago in my video about Animal Crossing's debug menu, but with this exploit you can now activate the game's special second debug menu on real hardware, and this second debug menu includes an in-game memory hex editor and an item spawner. As you can imagine, patching the game to give yourself this debug menu is essentially a god mode for Animal Crossing and completely breaks the game.

But of course, this is just patching existing data within Animal Crossing. It turns out true ACE requires a bit more setup, since patching actual code instructions requires a closer look. As explained, you can use this NES patch tag to write to specific offsets in RAM, but the GameCube hardware actually has a special CPU instruction cache that remembers what was there before we wrote to it. This means we can write new instructions to RAM, but the GameCube will actually overlook this new code since it remembers what was there before due to its special instruction cache. So how do we solve this problem? The easiest solution would just be to find a way to clear the GameCube CPU instruction cache so it loads our new updated code, but we can do one better. Specifically, Animal Crossing has a few memory allocation and clearing functions that execute code from a specific static location in memory. Basically, the game calls a specific function every time Animal Crossing's NES emulator exits. Since this function points to a specific memory address, we can simply overwrite that stored function pointer to instead point to our own patch code in RAM. This solves the caching issue since none of the actual cached instructions are changed, just the pointer that they have stored. With this, true ACE is now possible in Animal Crossing, and this is where things can get truly nuts. Before I move on, I should mention that all of this NES patching information comes directly from the hard work of James Chambers and Cuyler. I summed up their key discoveries here, but if you're interested in the in-depth mechanics and more technical information behind this process, I highly encourage you to check out their blog posts on this topic.

With ACE now possible through NES ROM structuring on the GameCube memory card, what can we do with this? Well, as mentioned in the beginning, the possibilities with ACE are quite literally only limited by the GameCube hardware and your own imagination. Given GameCube Animal Crossing's relative unpopularity and the lack of a widespread technical community, nothing too crazy has been accomplished with this yet, although perhaps one of the coolest things that has been done with this exploit is actually using Animal Crossing as a bootloader to launch custom homebrew software on your GameCube. So yes, you can actually softmod your entire GameCube by just interacting with an NES furniture item in Animal Crossing. Of course, in-game possibilities are near limitless as well. Tired of Mr. Resetti's rants? Just disable him entirely. Tired of plugging in your Game Boy every time you want to visit the island? Just remove the ocean barrier collision and walk over there yourself. Want to give yourself every item, unlock the debug menu, visit beta maps, or do whatever this is? Go for it.

With ACE achievable in Animal Crossing, this is truly the biggest exploit this game has ever seen. And yet, if you've been following along with my technical explanations, you've likely noticed one glaring issue. That is, the ACE shenanigans described here all rely on getting your own structured code onto the GameCube memory card in a specific save file format in order to be executed by Animal Crossing. So the question is, how exactly do we get our own code onto the GameCube memory card? Of course, the easiest way is just to write the data using a computer program and inject it onto the GameCube memory card using something like an SD card on a modded Wii. But if we have to do all of that external modification to unlock ACE in Animal Crossing, is it really a true ACE exploit? This largely depends on your definition of true ACE, but since you would need to externally modify the memory card on a PC to achieve ACE in Animal Crossing, it does admittedly get a bit hazy. So what else can we explore for true ACE? An interesting idea would be to use the standard NES furniture games within Animal Crossing that already have ACE exploits within them to unlock ACE in Animal Crossing itself. So out of Animal Crossing's built-in NES candidates, The Legend of Zelda is the most promising, with a documented ACE setup in the graveyard section of the game. Unfortunately, this ACE exploit is seemingly only for the Japanese Famicom Disk System version of the game, whereas Animal Crossing uses the NES cartridge version. Even then, there's no guarantee we'd be able to escape the confines of Animal Crossing's NES emulator to even get to usable GameCube RAM. Regardless, The Legend of Zelda NES furniture item is not even obtainable in Animal Crossing without external modification anyways, so we're back to square one.

But what if we could use ACE in another GameCube game to set up the GameCube memory card in a way to unlock ACE in Animal Crossing? This may sound outlandish, but the concept of using exploits in one game to set up memory in an entirely different game is not exactly foreign. And yet this is a pretty tall ask for the GameCube. First, we need to find another GameCube game that not only has an ACE exploit within it but also has a setup to use ACE to write to the GameCube's memory card. Preferably, we'd also want this game to be well documented with years of ACE experience. Does such a game even exist? Well, as luck would have it, there is a game that meets this exact criteria, and it's one I've already talked about before. Indeed, The Legend of Zelda: Ocarina of Time was actually blessed with a GameCube version in the form of both Master Quest and Collector's Edition, and over the last decade or so Ocarina of Time has been completely broken by arbitrary code execution. Now, I won't pretend to be an expert on Ocarina of Time, but with some help from MrCheeze and the game's speedrunning community pointing me in the right direction, I'll try to explain Ocarina of Time's ACE setups and why it could prove interesting in the context of Animal Crossing.

First, it's important to note that Ocarina of Time is of course a Nintendo 64 game at heart, but unlike Animal Crossing, which is a direct port, the releases of Ocarina of Time on the GameCube are wrapped inside of an emulator. This means that the GameCube is actually running a virtual N64 and dedicating certain parts of its own RAM to act as N64 RAM when running Ocarina of Time. Thus, in order to take advantage of the GameCube's function to write to the memory card, we actually have to escape the wrapped emulator and find a way to actually control the GameCube's instruction pointer itself. Luckily, the emulator that the GameCube uses to play Ocarina of Time is a dynamic recompilation emulator. This means that whenever the game comes across N64 logic, it actually recompiles that logic into native GameCube code before execution. This approach is typically fine, but a unique quirk with this system is that return addresses are actually pointers to recompiled GameCube code rather than emulated N64 code. In other words, there are actually pointers to the GameCube memory stack within the emulated N64 memory stack. So if there was a way to abuse these pointers, we could actually escape the emulated N64 and execute actual GameCube code.

If you're familiar with Ocarina of Time speedruns, you've probably heard of a glitch called stale reference manipulation. This is a very consistent gateway to achieving ACE in Ocarina of Time and largely works by abusing memory data stored in RAM. Remember when I explained how data and code stored in RAM are essentially just numbers? Well, this is why I told you to remember that, as we are now coming full circle to where this is important again. In Ocarina of Time, whenever Link picks up an object, that object is expected to stay in his hands and follow his rotation smoothly. This is achieved by essentially copying the player's coordinates and rotation data in memory over to the object. So for instance, if Link picks up a rock, that rock and Link should have the same coordinate and rotation data until he puts it back down. However, if the rock were to somehow despawn while Link was holding it, such as by using a known camera lock glitch, he actually never puts the rock back down, so we're still actually writing Link's coordinate and rotation data to a specific space in memory. Of course, because the rock is no longer in this space of memory since it despawned, we've essentially created a stale reference where we're updating values that do not actually reference anything. So with the rock despawned, we can actually load new areas of the game, which in turn loads data into the space of memory that we're currently writing coordinate and rotation data to. And now, since new object data and game code is loaded here, we can actually corrupt certain values of the game by overriding these values with Link's movement. When certain objects are rendered in Ocarina of Time, a pointer to run specific code is fetched. However, by abusing stale reference manipulation to corrupt this pointer to point somewhere else, we can run other locations of memory as code, and naturally the most controllable and useful sequence of memory we can use is our file name. Due to the expanded characters and the way the game works, using the Japanese version of the game is necessary here to abuse this file name exploit. By using specific Japanese file name characters, we can actually create our own pointers and instructions when the game interprets these characters as code.

However, you might notice an issue with this system. That is, if we're trying to write a lot of bytes to the GameCube memory card, the file name is not going to give us enough characters. So what if we actually use stale reference manipulation to first essentially overwrite and disable the file name length check so we can continue writing characters on the file select screen? Well, you actually can do this and essentially achieve true free control ACE, where you use one file name to branch to a specific location in memory and another file name to write a payload there for execution. And thus, by utilizing specific movement in game, we can tell the game to execute our file name as code, which points to the ACE payload we wrote using another file name, which then instructs the GameCube to create a new save on the memory card with the written bytes. And from here we can swap to Animal Crossing and interact with the NES furniture item, which will then search and find our new file we wrote in Ocarina of Time and execute code written inside that save.

Now, if this is sounding absolutely insane, it's because it is. So many things have to come together to make this possible, and it would be incredibly easy to mess this up. And naturally, due to the ridiculous amount of bytes that would need to be written and the knowledge required to do this, this would be an incredible task for a human to pull off on console. Nevertheless, by combining the knowledge of Ocarina of Time's ACE exploits, it is technically possible to write the Animal Crossing ACE exploit to the GameCube memory card. So yes, ACE could actually be achieved in Animal Crossing by using ACE in Ocarina of Time. And with that, we have finally covered Animal Crossing's biggest exploit to date. Whether you write to your GameCube memory card externally or are crazy enough to try and use Ocarina of Time to write it byte for byte, arbitrary code execution can be achieved in Animal Crossing. Maybe one day a true ACE exploit will be found entirely within Animal Crossing itself, but for now I still think this exploit is one of the coolest things I've ever researched. As I wrap up this video, I would like to extend a huge thank you to a whole host of people that made not only this video possible but my entire channel possible. That said, thank you all for watching. Until next time.
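Added example (not part of the video's captions, and not code from James Chambers or Cuyler): a toy C model of the three-character tag scheme described above, written to show the security-relevant point, that a save-file handler which lets accumulated 16-bit offsets address memory with no region check becomes an arbitrary-write primitive against game code, next to the check that closes it. The tag names OFS, CLR, PAT and END, the record layout, the memory map, the constants and the "exploit" stream are all constructed for illustration; none of it is the real Animal Crossing save format or the emulator's real tag handlers.

```c
/*
 * Constructed model of an offset-accumulating tag parser. The tag names, layout,
 * memory map and exploit stream are hypothetical, NOT the real Animal Crossing format.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MEM_SIZE 0x20000u   /* constructed host RAM: 128 KiB */
#define NES_LO   0x01000u   /* emulator's own buffer: the only region a save file should reach */
#define NES_HI   0x05000u
#define CODE_LO  0x10000u   /* constructed location of the game's code */
#define CODE_HI  0x18000u
#define PATCH_ADDR (CODE_LO + 0x2340u)   /* where the constructed exploit lands its patch */

enum { TAG_OK = 0, TAG_ERR_TRUNC = 1, TAG_ERR_RANGE = 2, TAG_ERR_UNKNOWN = 3 };

struct host { uint8_t *mem; uint32_t cursor; };

/* Policy hook: may the handler write or clear [lo, lo+len)? */
typedef int (*range_check_fn)(uint32_t lo, uint32_t len);

/* Vulnerable policy: anything inside host RAM is allowed, so accumulated offsets reach game code. */
int allow_any(uint32_t lo, uint32_t len) { return lo <= MEM_SIZE && len <= MEM_SIZE - lo; }

/* Hardened policy: every write and clear must stay inside the emulator's buffer. */
int allow_nes_only(uint32_t lo, uint32_t len) { return lo >= NES_LO && lo <= NES_HI && len <= NES_HI - lo; }

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed record layout: 3-byte tag name, 1-byte payload length, payload.
 *   OFS: u16 delta             cursor += delta  (accumulates, so a chain exceeds 16 bits)
 *   CLR: u16 size              zero [cursor, cursor+size)
 *   PAT: u16 delta, bytes...   cursor += delta, then copy the bytes to cursor
 *   END:                       stop                                                */
int apply_tags(struct host *h, const uint8_t *tags, size_t len, range_check_fn ok) {
    size_t i = 0;
    h->cursor = NES_LO;
    while (i + 4 <= len) {
        const uint8_t *name = tags + i, *pl = tags + i + 4;
        uint8_t plen = tags[i + 3];
        if (i + 4 + plen > len) return TAG_ERR_TRUNC;
        if (memcmp(name, "END", 3) == 0) return TAG_OK;
        if (plen < 2) return TAG_ERR_TRUNC;          /* every other tag starts with a u16 */
        if (memcmp(name, "OFS", 3) == 0) {
            h->cursor += be16(pl);
        } else if (memcmp(name, "CLR", 3) == 0) {
            uint32_t n = be16(pl);
            if (!ok(h->cursor, n)) return TAG_ERR_RANGE;
            memset(h->mem + h->cursor, 0, n);
        } else if (memcmp(name, "PAT", 3) == 0) {
            uint32_t n = (uint32_t)plen - 2;
            h->cursor += be16(pl);
            if (!ok(h->cursor, n)) return TAG_ERR_RANGE;
            memcpy(h->mem + h->cursor, pl + 2, n);
        } else {
            return TAG_ERR_UNKNOWN;
        }
        i += 4u + plen;
    }
    return TAG_ERR_TRUNC;   /* stream ended without END */
}

/* Append one record to a tag stream; returns the new write position. */
static size_t put_tag(uint8_t *buf, size_t pos, const char *name, const uint8_t *pl, size_t plen) {
    memcpy(buf + pos, name, 3);
    buf[pos + 3] = (uint8_t)plen;
    if (plen) memcpy(buf + pos + 4, pl, plen);
    return pos + 4 + plen;
}

/* Constructed exploit save: OFS 0xFFFF then PAT 0x1341 walks the cursor 0x11340 bytes
 * (more than one u16 can express) from NES_LO to PATCH_ADDR and drops 4 bytes there
 * (60 00 00 00, a PowerPC nop, standing in for real patch code). */
size_t build_patch_stream(uint8_t *buf) {
    static const uint8_t ofs[] = { 0xFF, 0xFF };
    static const uint8_t pat[] = { 0x13, 0x41, 0x60, 0x00, 0x00, 0x00 };
    size_t n = 0;
    n = put_tag(buf, n, "OFS", ofs, sizeof ofs);
    n = put_tag(buf, n, "PAT", pat, sizeof pat);
    n = put_tag(buf, n, "END", NULL, 0);
    return n;
}

/* Load the exploit stream under a policy. Returns the tag status; if code_modified is
 * non-NULL it reports whether any byte of the code region changed from its 0xAA fill. */
int run_stream(range_check_fn ok, int *code_modified) {
    uint8_t tags[32];
    size_t n = build_patch_stream(tags);
    struct host h = { calloc(MEM_SIZE, 1), 0 };
    if (!h.mem) return -1;
    memset(h.mem + CODE_LO, 0xAA, CODE_HI - CODE_LO);
    int rc = apply_tags(&h, tags, n, ok);
    if (code_modified) {
        *code_modified = 0;
        for (uint32_t a = CODE_LO; a < CODE_HI; a++)
            if (h.mem[a] != 0xAA) { *code_modified = 1; break; }
    }
    free(h.mem);
    return rc;
}

int code_region_modified(range_check_fn ok) { int mod = 0; run_stream(ok, &mod); return mod; }

int main(void) {
    printf("unchecked policy: status %d, code modified %d\n", run_stream(allow_any, NULL), code_region_modified(allow_any));
    printf("hardened policy:  status %d, code modified %d\n", run_stream(allow_nes_only, NULL), code_region_modified(allow_nes_only));
    return 0;
}
```

Under `allow_any` the two-tag chain reaches `PATCH_ADDR` inside the code region and the patch lands; under `allow_nes_only` the same stream is rejected with `TAG_ERR_RANGE` before any byte is written, and a CLR tag whose span leaves the emulator buffer would be refused the same way. The general lesson is that every address a handler derives from untrusted save data must be checked against the buffer that data is supposed to describe, and the check must apply to the accumulated cursor, not to each 16-bit delta on its own. The model says nothing about the instruction-cache problem the captions mention: on real hardware a patched code byte still has to be made visible to the CPU, which is why the described exploit overwrites a function pointer instead.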
Info
Channel: Hunter R.
Views: 212,064
Keywords: animal crossing, acnh, animal crossing gamecube, gamecube, hunter-r, hunter r., hunter r ac, hunter r animal crossing, glitches, animal crossing glitches, broken code, codebase, ACE, arbitrary code execution, stale reference manipulation, SRM, ocarina of time, ACE in animal crossing, AC ACE
Id: 4Ezg3DwpFFE
Length: 24min 21sec (1461 seconds)
Published: Fri Apr 26 2024