Speedrunners Break Paper Mario by Using Ocarina of Time!

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments

It amazes me that these seemingly random things (like hot plate and now this) are discovered and become the thing to do in a speedrun! What next??

👍︎︎ 8 👤︎︎ u/Tekenu 📅︎︎ Mar 31 2021 🗫︎ replies

OoT brokeness spreading to other games Agent Smith style

👍︎︎ 8 👤︎︎ u/ZenkaiZ 📅︎︎ Mar 31 2021 🗫︎ replies

"ORC ARENA"

👍︎︎ 1 👤︎︎ u/Tekenu 📅︎︎ Apr 01 2021 🗫︎ replies

Something like this was bound to spill over from the OOT speedruns. I think it was obvious to a lot of people how advanced they were compared to other runners. I mean, I basically called this myself some time ago as a comment in this sub (again, not a difficult call to make). Cheers

👍︎︎ 1 👤︎︎ u/workingtheories 📅︎︎ Apr 02 2021 🗫︎ replies
Captions
it finally happened ace has been achieved in paper mario and by the most unconventional means of any glitch in all of speedrunning already known as one of the most broken games on the nintendo 64 an ace glitch had eluded the community but that was about to change after more than two years of glitch hunting full of dead ends and roadblocks the quest for ace required perseverance determination some luck and a lot of outside the box thinking to finally realize the dream the community held dear the hope that ace could be achieved in the game this is the history of the ace discovery in paper mario 64. to understand what's going on in this video it's good to have an understanding of what ace is ace stands for arbitrary code execution and it's a type of exploit that allows you to execute code that you want the software to run in speedrunning it's typically used to execute a command to wrong warp to the end credits but it does have other uses such as this [Music] quite insane right without getting too technical here's what's happening with ace in programming there is something called the instruction pointer which the processor uses to indicate which instruction a computer will execute next in a program the important thing about the instruction pointer is that it holds the memory address of the next instruction to be executed so if you can edit this memory address you can then have the system execute pieces of code that aren't next in line this by itself doesn't get you a credits warp there's one other component required and that's writing a custom piece of code to be executed so to execute an ace exploit there are two requirements writing some custom code and then breaking the instruction pointer to execute the payload we'll look at how the custom code gets written later so for now let's start putting together the puzzle pieces of ace in paper mario [Music] when the quest began ace wasn't the goal anyone had in mind in fact there wasn't even really a quest people were just looking for new glitches in the game in particular a new wrong warp was being sought as the one runners currently used allowed them to skip most of chapters 6 and 7 by retriggering the volcano escape cutscene from chapter 5. knowing that they were possible the investigation was on if an earlier wrong warp could be found the game could be shortened significantly except all the detective work happening wasn't yielding much promise until this video surfaced the mysterious video appeared to show a wrong warp that occurs from the toadtown sewers to the whale transitional cutscene that occurs when you're being transported to chapter 5. the area in the sewers is only accessible after you have the super hammer so this would have cut out chapters 3 and 4 entirely the only problem was this wrong warp was fake when it was first posted attempts began to replicate what was occurring on screen to no avail eventually one community member named rain would suggest recreating the video with tas at which point the video mysteriously disappeared not before a copy was downloaded however and upon analysis of the audio it was found plain as day there was a splice on the transition to the chapter 5 cutscene it turns out that this video was posted not because the wrong warp was possible but in the hopes that it would attract someone with the technical know-how that could go about finding a successful wrong warp it was this event that had rain asked the question how would you go about finding these sorts of things and the resounding answer he received was learn assembly this was precisely what he set out to do and it wasn't easy for someone with no coding experience this is the most difficult language you can learn to start off it wasn't an easy path as resources for learning the assembly language specific to the n64 aren't the best rain put in a lot of effort but he failed to make much progress on his first three attempts luckily he had the determination to persevere and on his fourth go things started to fall into place and he was starting to grasp how this low-level language worked the first piece of the ace puzzle was now in place someone that understood the inner workings of the n64 programming language [Music] with his newly acquired understanding of what was going on under the hood rain started looking for leads as to where a potential exploit may lie but his initial findings weren't the most promising the assembly code for paper mario is quite complex and looking through memory addresses trying to make sense of what you're seeing while looking for an exploit is like finding a needle in a haystack it was at this point that someone suggested he look at something that was already broken and there was a glitch that was readily accessible huff crash huffenpuff is the final boss of chapter six and he has a mechanic that spawns tough puffs when you damage him equal to the damage he receives if you spawn 10 tough puffs and then use a charged up tidal wave by sushi that isn't lethal to huff and puff the game will crash as the move is executed this isn't the only crash that can happen in the fight so it seemed like a great place to start looking for potential exploits and it wouldn't take long before he figured out what was going on because data was overriding code and then getting executed there were two things required for ace to be possible the ability to execute code out of order by messing with the instruction pointer and the ability to write custom code the crash was certainly writing custom code just not the code we wanted and as rain looked into it further he came to one conclusion whatever was happening here was incredibly complex it wasn't easy to understand what was going on and since the crash was happening inside of a battle what players could do to affect the crash was very limited it appeared as though rain's only lead was a dead end [Music] with the two most promising leads appearing to be dead ends it looked like ace wasn't very likely even with one of the criteria being theoretically possible the restraints in place made it nothing but a pipe dream it was at this point the community looked to the stars for answers literally during an any percent bingo race morpheus would do three important things first he would be inside of the shooting star room then he opened the partner menu and finally he went afk when he turned his attention back to the screen he was surprised to see that he had crashed but why when you bring the partner menu up the game is supposed to pause the script that spawns shooting stars in the background using this command the problem was that the programmer who wrote this accidentally gave the star spawning script an id of zero so when the pause command was executed by bringing up the partner menu the script just kept running you'd think this isn't a big deal but the shooting stars are counted as particle effects and the game can only handle having 96 of these active in memory so when it tried to spawn the 97th during morpheus afk it then crashed rain was quick to look into this and it turns out that the game was once again executing data as code but there was a major difference this time as the particle table was filled up and approaching its maximum of 96 entries the jumbled mess of data would start to execute but it wasn't just any jumbled mess of data it was the same data that caused the huff crash rain began connecting the dots on what was going on and it turns out that this crash found by morpheus was actually a known glitch that occurred under other circumstances particle storage the investigation intensified at this point and eventually rain was able to pull off some custom instructions he had created using only this glitch and the game itself by doing certain actions and making use of this effect storage glitch he was able to execute a total of eight arbitrary instructions that told the game to execute nop or do nothing in common terms while this may seem anticlimactic that's far from the truth as these tests prove two things that arbitrary code could be created and executed in paper mario and that it could be done so without crashing the game i'd like to recap all the insane things that had to happen to get this far first we had a fake wrong warp leading to the initial investigation then we had two amazing coincidences happen morpheus went afk with the partner menu open in the only room in the game where the particle storage glitch would happen while the menu was open the stars aligned in the shooting star room the community had acquired another piece of the puzzle a method to write and execute code in the overworld which left one thing writing code that warped us to the credits [Music] with ace proven to work in the overworld by writing code and then executing it the question then became how do we write code that does something we want to happen and this is where problems start to arise it was noticed that the decimal values of mario's x y and z position from before an effect was created were getting run as code when the particle glitch was executed you're probably thinking great this solves the problem since we can just move mario to control the values well not exactly this only gave us control over six bytes and for technical reasons this meant we were limited to controlling the first instruction and half of the second instruction being executed with its end being zero zero zero zero one proposed solution was to use something called a jump instruction which is a command that allows you to jump anywhere in memory and it only costs four bytes so jumping to values set by controller inputs was on the table but there was one more issue you've likely heard of ram which stands for random access memory but there are other more specialized areas of memory that exist and it was in one of these special memory areas that the particle storage glitch was being executed to this was a problem the jump instruction couldn't take you to any memory address it could only take you to another memory address in this special space luckily there's another command called the jump register instruction which does allow you to change memory spaces the jump register requires two things at least one full instruction to load the address you want to jump to and a full four bytes to run the jump register instruction which we didn't have access to since we only had half of the second instruction meaning we couldn't just load any memory address and then jump to it this is where they decided to think outside of the toy box rain would be joined by seedborne and they decided that instead of setting up a jump register which requires four bytes they would jump to this address since it had four zeros as the latter half they didn't have to worry about the two byte limit of the second instruction but that's not the only thing special about this address it also happened to reside in the special area of memory that they were stuck in after using the particle storage glitch and by sheer luck it was mapped to a function that ran without crashing the other cool thing is that when a function ends it will jump to a register called the return address meaning they could now do the jump register despite their limitations let's recap they had found a way to set the value for the register address they wanted by using mario's overworld position for the first instruction and by lady luck's good graces a way to use the limited second instruction to get a jump register to run that was a bit technical so allow me to simplify it by initiating the particle storage glitch and loading the table up with effects you can then put mario in precise positions that will run as code when you close the menu to execute the ace credits orb the miracle had happened ace was possible or so they thought while the logic here is bulletproof they had one issue mario's x y and z positions are a special type of value called floating point numbers which can have very precise decimal values and as they get larger they become less precise when they set this up mario's x position was so large that it was impossible to get the decimal place value they needed to change the return address register it seemed that once again after all their hard work that the game just didn't want to be broken with ace but there was hope while they hadn't found a puzzle piece they did find an important method to obtaining one the aspirations of finding ace had one last hope [Music] the team was entirely stuck with no obvious workaround to the exposition problem and no new ideas things were looking grim this is when frey popped into the discord to ask how things were going a glitch hunter from the early days of paper mario frey stepped away to create mods for super smash brothers which funnily enough had him learn assembly on his own just like rain and he now returned with almost a decade of experience he approached the same problem as earlier getting execution out of this special memory to a place where it would be easier to manipulate and then setting up this theoretical execution jump so that it worked the solution he found was quite unique he wanted to chain six matrices together that would end with execution being jumped to controller inputs the problem then became setting this up we knew that controller inputs could already be used as memory addresses when combined with the particle storage glitch we just needed to find the x y and z coordinates that would be exact matches to the memory addresses of the instructions for the matrices you'd think we could just use tas to find this position and then execute the glitch but once again the game decided to fight back due to how mario's y coordinate worked his y position wasn't able to be manipulated freely while on the ground luckily if you could put him on a slope you could alter the y position by changing the z and x instead as if the stars hadn't aligned enough on this quest there just so happened to be a tree in this room that had a ton of different slopes which opened the floodgates for y positions literally instead of being restricted to a few y positions frey now had millions of possible y positions which all resulted from mario's x and z coordinates while on the tree he wrote a script that searched for all the spots with the correct z x coordinates with the hopes that one of them yielded a y value matching the decimal required all that was left was to run the script and wait after searching through millions of combinations it spat out some possible matches and as if the stars had aligned for the fourth time a set of positions was found the values to execute the matrices were matched the only thing left to do was to get mario into those positions but because of how precise these positions are it wasn't going to be easy even for tasks remember how mario's position coordinates were floating point numbers fpns are rounded using special math which is why they get less precise as they become larger a glitch hunter named mr cheese discovered that due to the angle of the camera in this room it was possible to use this floating point rounding to our advantage by moving mario away from his current position and then back into it with very small adjustments you could increment his positions and with some additional testing the ace credits warp was possible there was just one problem it was task only the positions you needed to reach were precise down to four significant digits and there were six of them in total the chances of a player getting into just one of them on their own were astronomical hitting all six in the proper order functionally impossible for now this method was tas only but the puzzle was almost complete ace was fully possible in paper mario we just needed a setup that could be done by a player [Music] with ace being so close to rta viable rain would once again head up the investigation and if you thought the afk crash that morpheus found was lucky this next setup is something else a spin in place then 75 hammer strikes then closing the partner menu these were the inputs rain stumbled upon accidentally so what do they do they spawn 80 particle effects and then three more when you close the menu as goombaria will move to catch up with mario that's 83 effects in the 96 slots contained in the particle table we already know that when the particle table approaches its limit it begins to execute data as code and since rain started the sequence off with a spin it's overwriting a different piece of code which means a new outcome ignoring the technical details we could now use a timer that counted how long you had not moved mario for as a memory address value but it had one unique property the lower two bytes were always four zeros once in position we only had to watch the timer count until it was at the correct value which just happened to be on the 69th second all we had to do was close the menu to make umbario move to trigger the particle storage glitch which then jumped execution there was just one problem we were out of the special area of memory but we were still limited by only having access to the upper two bytes of an instruction since the timer method only provided us with values that ended in four zeros this meant that any address we could potentially jump to must have the same ending and for yet more technical reasons there were a total of 32 possible addresses that could be jumped to to make matters worse half of these 32 addresses are located in the n64 expansion pack an external piece of hardware that the game didn't even use so the solution appeared to be another dead end for the third time we hadn't found a puzzle piece but there was something else we could try if paper mario wasn't going to give us ace on its own we could always stop and swap to another [Music] this was the point that all hope seemed to be lost for making ace rta viable as every solution just ran into a new problem that seemed to be unsolvable with the tools available but mr cheese would have an idea he's not just a paper mario glitch hunter but has some really big accomplishments under his belt solving some very remarkable problems in other games and none so much as this credits warp he performed on game boy color cheese knew that on game boy color the ram isn't erased at power off but lingers for a small period of time with this knowledge he had an idea if he took a game that already had ace he could in theory write some code that another game could then use to execute a credits warp by swapping it into the game boy fast enough provided that game had a glitch that allowed you to jump execution to the code you just wrote into the ram with the previous game the reason he knew this is because he had done this with a game called magi nation on game boy color using ace in pokemon he set up a payload in ram that allowed him to perform a credits warp by switching cartridges really fast then setting up a glitch to execute the payload in the other game you probably see where i'm going with this mr cheese had the idea to try this on the n64 with paper mario but he wasn't the first to explore this method in the 1990s rare was developing a mechanic for banjo-kazooie called stop and swap which would let you unlock items and abilities in banjo-tooie using the same idea by swapping out cartridges quick enough before the ram was erased rare would abandon this mechanic but it's where the ace setup proposed by mr cheese gets its name paper mario stop and swap except it's a bit more involved than what rare had planned for the banjo games there are three pieces of the puzzle for this type of glitch to work in paper mario first we need a game that clears memory on boot second the game must also have ace and third we need a way to jump the execution in paper mario to where we've stored the code we're making with ace in the other game since the first puzzle piece requires a game with ace already possible that limits the pool quite significantly and of those three it just so happens that one of them clears ram on boot but like everything else in this video it's not so simple while oot did reset ram at boot it wasn't a perfect candidate out of the box for some technical reasons luckily these could be solved using the four additional megabytes of ram provided by the expansion pack the solution in the previous chapter involved memory addresses in the expansion pack's memory and since oot didn't require the pack to run it never made use of the extra ram this was great for our purposes because the ram inside of it was cleared on boot all the same which gives us the first piece of the puzzle almost we had ace and ram cleared on boot we just needed to write a code payload with ace in ocarina of time to use in paper mario this is easier said than done and it started in paper mario with the save files as the value being written in ocarina of time would be a jump instruction to where the file names themselves were stored in paper mario by writing in some very specific names to each file you could set up a payload that would set the room id and then save the game with the obvious room id being the end credits screen the oot part was a bit trickier as you're using ace to write code for paper mario that would use the save file payload but the team was determined and enlisted the help of save state an orchestra of time runner and glitch hunter who created the entire oot setup for them with nothing more to go off of than we need this value at this memory address this was a lot to take in so let's recap the file names in paper mario can be used to write a small payload that sets the room id to the end credits screen and then saves the game the oot ace instructions are a jump command to run that piece of code which just leaves one thing executing that jump instruction fortunately we had just the setup to do it rain's one spin 75 jump plus hammer swings then closing the partner menu after a precise amount of time had passed followed by a jump at long last everything was in place for ace to be realized in paper mario rta it was just going to come down to who could get it first the race was on [Music] shortly after the tas only method was made the setup for the stop and swap version would be explained to runners and using a game shark they were able to simulate the payload from ocarina of time j cog would start doing runs with the payload already loaded in and after struggling through some attempts this happened oh that's it that's it oh let's go the theory was proven ace was possible on console it just needed some help from ocarina of time which meant jcog had some learning to do there have been a lot of videos made about ace and ocarina of time which i'll link below as the things required to perform it are quite technical and for our purposes we're doing some slightly different things in the game since our goal isn't to warp to ocarina of times credits but to the paper mario credits all you need to know is that very specific actions in the use of some game breaking glitches are required and the oot setup takes about 30 minutes to complete which brings us to the stop and swap run itself since this is a paper mario run the runners decided that it must start with paper mario so they would begin the game and get to the point where the goomba king would retreat into his castle and then load up ocarina of time for the next 30 minutes they ran through the setup for getting the ace payload into the expansion pack's cleared memory and after completing it they performed the swap since this is on console they had no way of knowing if the swap worked until they executed the final glitch lots of things could go wrong here waiting too long on the swap a single small mistake during the oot section or an error in reigns execution method which we should look at again to initiate the glitch it's not as simple as doing a spin jump followed by the other inputs you need to trigger the particle storage glitch somehow and that's where i'm glower comes in glower is the current record holder for paper mario in all categories to say he's a master of the game is an understatement he discovered that with a specific setup at the goomba king fight involving the blue trigger block you could trick the game into opening the partner menu while you still had control in the overworld which then allowed you to create effects and fill up the particle table this is why runners took the first boot of paper mario to the goomba king fight it's the earliest known location where players can perform the particle storage glitch and once they finish the oot setup they're just one screen away from setting it up initiating the glitch isn't the easiest thing to do and you can see jay cogg's struggle and have to reset this is because it's a frame perfect trick where you're trying to open the item menu on the same frame that you interact with the blue switch in the bush after performing that glitch and winning the fight you'll want to open the partner menu right as the camera starts to zoom out as this will allow you to retain control of mario while everything else is frozen which means it's time to store some particles if you follow range setup you'll crash when you close the partner menu and perform a jump a quick reset will let you know if you've done it right as you'll be able to tell from the file select screen there are issues as i mentioned earlier you won't know if any of your previous setups across both games are wrong until you crash and reset on the final step and this certainly gave jay cogg some grief as he did attempts he ran into problem not for strike gumnut unfortunately after problem that's good what really how is that okay it's fine minor setbacks this is the only frame perfect input left after problem plate it didn't look like he was going to be able to pull it off eventually he made it all the way to the end of a setup but for some reason it just didn't work come on why didn't it work is there something we don't understand about this that looked good to me time was running out he couldn't stream forever and he wanted a sub one hour run he had time for one more attempt oh oh let's go that was it paper mario 64 had been beaten using ace with some help from ocarina of time and an abandoned banjo-kazooie mechanic glower would set the record in this stop and swap category just a few days later with the discussion currently raging about what category this should occupy on the leaderboard the biggest question is if a setup will be found that doesn't use oot as that would reduce the time significantly and make this a standalone game with ace most importantly we should remember that this all started by the efforts of one person reign who kept the dream of ace alive through determination perseverance and some help from friends along the way thanks for watching [Music] you
Info
Channel: Abyssoft
Views: 442,130
Rating: undefined out of 5
Keywords: paper mario, stop n swop, stop n swap, games done quick, gdq, GDQ, jcog, rain, fray, morpheus, ace, arbitraaary code execution, ram, ocarina of time
Id: O9dTmzRAL_4
Channel Id: undefined
Length: 29min 30sec (1770 seconds)
Published: Wed Mar 31 2021
Related Videos
History Was Just Made in Super Mario 64
Abyssoft
98K
How Speedrunners Beat SMRPG in UNDER 3 Hours | Speedruns Explained Quick
Abyssoft
123K
Why The Biggest CHEATER in Mario Kart 64 Wasn't Caught
Abyssoft
1.5M
FAKE Tetris High Scores Get Exposed
Abyssoft
383K
How Speedrunners Broke Clustertruck
yummycrayons
9.1K
How Speedrunners Beat the Brawl Ocarina of Time Demo
LunaticJ
1.3M
Pokemon Red / Blue Tool Assisted Speedrun History Explained
Abyssoft
158K
How We Used a Credits Warp to Beat TTYD in 25 Minutes
Malleo
64K
(TAS) Paper Mario: The Thousand-Year Door any% in 1:47:09.03 (Overlay, Commentary)
Malleo
553K
How The Ham Sandwich Glitch Lets Speedrunners Beat Pokemon BDSP in 15 Minutes!
Abyssoft
38K
Paper Mario by JCog in 26:12 - Summer Games Done Quick 2021 Online
Games Done Quick
173K
The History of Link's Break The Targets World Records
Abyssoft
70K
How Obama Skip Changed New Pokemon Snap
Abyssoft
239K
Paper Mario on Switch is deleting saves (and I know why)
JCog
201K
Mario Kart Speedrunners Break Their Controllers To Set Faster Records
Abyssoft
425K
Speedrunners HACK the Gameboy Zelda's With The LINK Cable!
Abyssoft
31K
The Super Mario 64 Iceberg: A Deeper Look
NEScRETRO
509K
World Record Progression: Earthbound
Abyssoft
144K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.