Reach the Credits from Kokiri Forest using ACE (Ocarina of Time Glitch Explained)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

ocarina of time speedrunning has had a lot of exciting history but recently it's had one of its biggest breaks yet on the 14th of January 2020 a player called la suits successfully finished in any percent speed under the game with a final time of 13 minutes and 48 seconds beating the previous world record by over 3 minutes this new record is all thanks to a new trick called Ace or arbitrary code execution which we use to walk to the credits early in this video I'm going to talk you through the route that was used in the speedrun and show you how with the aid of some very clever glitches we can beat the game so fast but before I continue it's important to give credit to a user named mr. cheese who not only discovered this particular ace application but also help make previous advances to the current knowledge also thanks to Thoreau for helping out and thanks to Jolin 0 1 2 and Italia has died for helping to make this route even possible for a human to perform on a console the first thing to mention is that this speedrun is done on the Japanese 1.0 version of the game on the n64 the version is important for a few reasons one of them being that the speeder an actually requires a very specific file name which uses characters from the Japanese character sets but I'll get to why that's important later the run starts how you might expect watching the intro cutscenes and collecting the Kokiri sword and a Deku shield the route also makes a quick detour to get the Feria pruna by clipping through the Kokiri guard and watching the cutscene with serie the rat proceeds to head to the Deku Tree to get the slingshot and then leaves again here's where the weird stuff starts happening so I'm going to need to explain some things we're gonna use this Rock near my toes house to manipulate some data which relates to this rock near the Kokiri sword area that probably sounds pretty complicated but let me explain the game uses numbers to keep track of important information about anything that's currently spawned into the world take this rock for example it has an x coordinate a y coordinate and a Z coordinate it also has rotation and a bunch of other important numbers to the game stores these numbers in memory memory is essentially just a huge storage space full of numbers some of those storage space is free which means it's not currently being used for anything and some bits reserved which means there's currently informed information there like the rotation number of ear up if something new spawns into the world the game needs to find some space in memory to keep track of all the new numbers it's not allowed to use any of the reserved space it has to use the free space the idea is we want the rock to unload while it's in Link's hands then we want something else to load in its place since links arms are still in the air the game is still trying to write rotation data into the memory but now the place in memory that it's writing data to is used for something else instead this concept is called stale reference manipulation or SRM for short you can use it to edit the location of doors change the contents of chests and all sorts of crazy other things I discovered this trick in October 2019 and we're still finding uses for it today but how are we going to do this in the only percent speedrun well between the Deku Tree area and the Kokiri Forest area is a loading trigger when link goes through this loading trigger stuff from the next area loads in and stuff in the previous area unloads normally if link picks up something like a rock or a pot the game will set a property which means that that rock cannot unload even if you go through a loading trigger but if we pick up the rock while it's far away from the camera that property never gets set in the speedrun we use a crawl space and a sign to perform a glitch called walking while talking which gets the camera stuck in place by pulling out the ocarina we can turn the camera toward link although when we cancel out a bit the camera will go straight back to where it was pulling me ahuna next to a rock allows link to pick up the rock just as it's disappearing from being too far away from the camera now we have to navigate our way blind all the way back to the tunnel or the loading trigger is if we've done everything successfully when we go through the loading trigger the camera should snap back to link and he should have nothing in his hands so let's take a closer look when link was holding the rock the game was constantly writing numbers to the area of memory that was used to the angle of the rock then we unloaded the rock but since links arms are still in the air the games still writing numbers to this region of memory even though it's considered free when we load the Kokiri Forest area again more rocks will spawn into the world and the error in memory that was previously used for the rotation can be used for some of their properties instead but since links arms are still in the air they're still numbers being written to this area in memory which means that the property that's associated with these numbers now is being corrupted by choosing a very precise angle we choose to corrupt the memory in a very specific way but what is this property that we've tried so hard to change when a rock comes on camera it has to run some code which makes it visible in the world the code won't run if the rocks fire off camera but the moment the camera gets close enough the code will start running this code is somewhere in memory but the game doesn't automatically know where it is in order to find the code the game checks what's called a pointer which is essentially a label which tells the game hey the codes over here this pointer is exactly the thing that we've corrupted now when the rock comes on camera the games gonna check for code in the wrong place think of it like a treasure hunter with the treasure map the treasure map has an X which shows where the treasure is buried so the treasure hunter could look at the map go to that location marked by the X and dig up the treasure but what if before the treasure hunter got a chance to look at the map somebody took an eraser arrays the X and drew a new X in another location the treasure hunter might then look at the map and try to go to the new location to dig up the treasure but they'd be digging in the complete wrong place it's similar with the corrupted pointer the game will be led to a different location in memory than the intended one the game would try to interpret whatever numbers it found here as code if this is just random junk data the most of the time that will crash the game as whatever it finds isn't real code but what if at this new location we put the perfect numbers in to make it look like code that's what the slingshot comes in by readying a seed in the slingshot we spawn the seed into the world so when the numbers associated with that seed of the rotation in the y axis and the x axis by aiming the slingshot perfectly we can set these numbers to pretty much whatever we want and if these numbers happen to be stored in memory in the exact position we've pointed to then we can run them as code it's important to realize that there's no real difference between game code which is the instructions that the game uses to run and game data which is the numbers that are used for properties like rotation values or position values it's all just numbers in memory so if the game goes to a particular location in memory expecting to find code it's gonna look at the numbers there and interpret them as code the speedruns sets of a particular piece of code by aiming the slingshot at the perfect position unfortunately we don't have very much freedom with a few numbers we can get out of the slingshot seed we only really give the game one instruction but we can use that one instruction to make the game jump to another piece of memory in another location of our choice and start running code there so back to our treasure hunter analogy we originally changed the location of the X on the treasure hunters map leading the treasure hunter to another location that wasn't the intended one at the new spot we've hidden another map which we just created using some numbers from the slingshot seed when the treasure hunter digs at the X on the map they won't find the treasure but they will find a new map to follow with another X marking yet another location this new location of memory is a file name remember earlier I said we had to set up our filename to be something very specific that's because the games now going to interpret the filename as code this part of the filename when today's code tells the game change the current cutscene ID to be what's in the GP register okay let me break that down there's a value in the game called the cutscene ID it's just a number that decides if a cutscene is playing on up and the GP register is just a temporary place where a number can be kept for a while by default this number is zero so when the game runs this piece of code in the filename it takes the value that's in the GP register and writes it into the cutscene ID but these are already both just 0 so nothing actually happens then the game reads this part of the filename and interpret status code this one does the same as what we did with the slingshot it diverts the game for somewhere else in memory to start executing code they're back to our treasure hunter so we changed their first map to bring them to somewhere else and then that somewhere else we planted a new map at the location in the new map they found a note that said load the cutscene from the GP register and with that they found a third map bringing them to another location this location is weather data for the current button presses on controller one controller three are stored by pressing specific button combinations on both controllers and by holding the analog sticks in the perfect position we can make this data look like code - that's right this speedrun requires using two controllers at the same time speedrunners have had to make pretty hilarious setups with their controllers in order to do this the controller inputs when interpreted as game code tell the game to set the GP register to a specific number finally the controller inputs tell the game to return to the normal game code if it didn't do this the game would keep reading garbage data and beyond the controller data and the game would most likely crash so at this point we're back in the regular game state here's how it looks in the speedrun first we ready the slingshot seed which sets up the memory location to have the right rotation data then we go and get the rock on camera which is how we run a custom code then we do the right controller inputs and suddenly everything disappears after a short while we're here the voiding out noise and when we load the credits are running why did this happen or remember I said that the important code runs every frame that the rocks on screen it's actually on the next frame where the code runs again that the magic happens on the first frame the controller inputs changed the GP register to contain a special number on the second frame the file name takes this number from the GP register and set set as the cutscene ID okay so one more time with the treasure hunter we graffiti the treasure hunters map to bring them to the wrong spot we plant a new map in that spot taking them to a second spot in the second spot we leave them a note saying load the cutscene from the GP register which doesn't do anything special and then we give them a third map following that third map the treasure hunter finds a note saying save this particular number into the GP register and another note saying go home and start again tomorrow the next day the treasure hunter goes through the same process again this time when the treasure hunter gets to the first note the cutscene gets set thanks to the GP register the cutscene we've set is actually one of the credits cutscenes that plays in kukuri forest it can't actually start yet but it moves link to be out of bounds which means eventually he voids out when he respawns at the Deku Tree the credits are able to properly start signaling the end of the game all this just to be a 22 year old game within 14 minutes pretty crazy right if you haven't already done so I recommend you go and watch a speedrun I didn't quite cover everything in this video and as a few extra steps you have to do to line up the memory like breaking signs and rocks in certain places there's also the details of how you even hold specific analog stick positions on your controller but unfortunately I don't have time in this video to explain those things but I did manage to explain the most important thing which is how we walked the credits using some custom code that we've written into the game the glitches you've seen in this video are some of the most complicated and powerful glitches that have ever been found in a career of time in the 11 years that I've been working on this game this is by far the most far-reaching and game-changing thing that we've come across many of us have been working very hard to expand the potential of what can be done in this game and I hope this video gives you at least some glimpse of what crazy things you've achieved thank you very much for watching there'll be some extra links in the description and feel free to ask any questions I'll try my best to answer them and I guess I'll see you next time [Music] you [Music]

Info

Channel: Glitches0and0stuff

Views: 233,490

Rating: undefined out of 5

Keywords: Zelda, OoT, Glitch, Trick, Bug, Speedrun, Any%, ACE, Arbitrary Code Execution, Ocarina of Time

Id: wdRJWDKb5Bo

Channel Id: undefined

Length: 13min 19sec (799 seconds)

Published: Mon Jan 20 2020