An overview of SRM, ACE and more

  • Published: 11 Jul 2024
  • This video gives a bit more of a technical explanation of Stale Reference Manipulation, Function Pointer Manipulation, and Arbitrary Code Execution. This is what the last few months of Ocarina of Time glitch hunting has been about.
  • Games

Comments • 88

  • @DefyyourGravity103 4 years ago +165

    New mission: rewrite all of DOOM into the filename with ACE, and then run DOOM in OoT

    • @tomepsilon 2 years ago +15

      Breaking news: Speedrunners run DOOM in old Zelda games

    • @DefyyourGravity103 2 years ago +1

      @@tomepsilon Fuck me, they actually did it? Shit, faster than I thought.

    • @cDoogle 2 years ago +8

      @@DefyyourGravity103 he was kidding.

    • @im_not_a_spy3067 2 years ago +8

      @@cDoogle not for long

  • @thegreendragon9628 2 years ago +44

    Came over from lowest percent and this is an outstanding explanation of ACE and SRM!

  • @drinirandom_guy4158 4 years ago +36

    Thank you so much for the detailed explanation! I am holding a presentation about this on Friday (if any of my classmates read this, don't get spoiled, bois, this presentation will be legendary)

    • @Shep-1701 3 years ago +2

      How did the presentation go?

    • @drinirandom_guy4158 3 years ago +17

      @@Shep-1701 Got a 100%. I legit had like over 120 slides on this topic, and everyone was amazed and entertained by this topic, which is really nice. I held it in September because COVID gave me much more time :) Maybe I'll show you, I can upload the presentation :)

    • @Shep-1701 3 years ago +1

      Oh awesome dude!

    • @BloxxingDinosaurus 2 years ago

      So how did it not count as plagiarism?

    • @julesk1088 2 years ago +1

      @@BloxxingDinosaurus I think it's like this: reporting about work someone else did isn't plagiarism; you don't have to create the topic itself that you present for school (people presenting about Einstein don't have to discover quantum mechanics)

  • @namesurname7665 3 years ago +32

    I wonder how it feels to have developed a game in the late 90s and then have people exploiting your unideal code and actively seeking even more ways to do so.

    • @pro-socialsociopath769 9 months ago +2

      They should be very proud seeing just how dedicated people still are to learning and understanding their game, even decades later!

  • @Savestate 4 years ago +9

    so glad u used the original rang example for demonstration

  • @hyboirds1536 4 years ago +5

    Awesome vid Fig, you guys are killin it lately. 2020 is the year of OoT, the beginning of a new Golden Age of OoT speedruns.

    • @sleepykittyMMD 2 years ago

      ikr, it's like modern-day wizardry 0-0, it's hella cool

  • @Glitches0and0stuff 4 years ago +11

    Very good video! Thank you Fig

  • @soniccane1117 2 years ago +1

    Fantastic explanation, and crazy discoveries here! Not a speedrunner but it’s clear this has gigantic implications.

  • @zaderpytoddler 4 years ago +1

    This shit is so confusing yet so interesting and I absolutely love it. Great vid Fig!

  • @uwuster 3 years ago +4

    Wow! I remember doing something like this a year ago in Terraria, eating dirt blocks by changing some of the hexadecimal and laughing hard.
    I didn't know this was SRM.
    I want to edit the hexadecimal of Ocarina of Time or Majora's Mask after seeing this video.

  • @qwerty273 3 years ago

    Great video, very helpful for when I need a refresher.

  • @cadencedavis7510 3 years ago +4

    So cool... can't help but wonder how adult Link can use the boomerang

  • @iamanidiotbut5523 3 years ago +1

    Would really like a video or write up about what debugging software you’re using, in depth explanations of assembly, and how you’re finding certain addresses and stuff.

  • @Szunidubi 2 years ago

    Finally my classes about computer architecture have been useful for something

  • @IstEsPassiert 4 years ago

    Hey,
    First, good video, I'm really thankful for that explanation.
    My only question is: is that Project 64 that you're running there?
    I would love to test it all by myself.

  • @CZPC 4 years ago +4

    Good video.

  • @Zamiell 4 years ago +15

    In the video you state that a hypothetical All Dungeons route with ACE would involve inputting a really long file name. But wouldn't a payload that chains together the blue warps in the way you describe consist of over a thousand characters? It would likely be faster (in real time / RTA) to just beat the category conventionally.

    • @Fig02 4 years ago +18

      Zamiell, probably not that much, but yeah, it's just an example of what total control could do. Point still stands that total control ruins the point of categories other than any%.

  • @chagmenlietons3606 4 years ago

    I figured it wouldn't take long for ACE to reach full potential on OoT. Can't wait to mess around with SRM though. Looks like loads of fun, lol.

  • @rowanrapisarda731 4 years ago

    great vid

  • @Martykun36 4 years ago +5

    0:12 "I'll link that in the top right corner of the screen"
    welp

    • @Fig02 4 years ago +1

      Martins, it's there. Sometimes it doesn't show up on mobile browsers, but you can click the i icon.

  • @Kazooie 4 years ago +12

    Can someone answer me why OoT is reading inputs from controller 3 to begin with? Is it leftover code from the debug menu?

    • @Fig02 4 years ago +25

      There is a button combination you can press on controller 3 as the game is starting up that will erase all of your save files. Not sure if it was intended to be left in the release version as a failsafe for something or not.

    • @Kazooie 4 years ago +1

      @@Fig02 Do you know this combination if I want to try it myself?

    • @AromaKitsune 4 years ago +13

      You have to press these buttons in 15 frames.
      D-UP
      D-DOWN
      D-LEFT
      D-RIGHT
      START
      B
      C-DOWN
      L
      C-RIGHT
      C-LEFT
      A
      C-UP
      R
      Z
      www.reddit.com/r/speedrun/comments/2w6ep2/oot_secret_ocarina_of_time_code_discovered/

  • @Patashu 4 years ago +2

    Even without executing data as code, you can execute already existing code at unexpected offsets and potentially create arbitrary new algorithms. This is called return oriented programming (ROP) and could potentially mean a different kind of ACE is possible even without touching data.
    (Although interestingly I hear that on GC/VC you can't do ROP since it crashes when it tries to JIT code that doesn't start and end with returns? I'm not sure if 3DS also does this, I just know 3DS crashes if you try to execute data.)
    And even if no one figures ROP out, being able to execute existing functions in their entirety is silly powerful as demonstrated in this video, and SRM should probably be considered a 'major glitch' and banned in all non-any% categories. I'd be curious to know what a hypothetical 'SRM but not ACE' restriction would look like - what specifically would be allowed/banned, and how would a viewer of your speedrun verify that nothing banned has taken place?

    • @Fig02 4 years ago +3

      Patashu, at the very least, GC and VC can run whole functions fine, as demonstrated with the function pointer manip stuff. We haven't tried jumping to the middle of a function yet.
      3DS apparently has higher security and can't run data as code at all; someone in another comment on this video talked about it.
      As far as verifying things go, we have people in the community who would be able to dig and see what a particular SRM is doing. With how complicated this is, you kind of have to know what you're doing to discover beneficial uses for it anyway, so that's not really a concern.

  • @GenesisRTA 4 years ago

    Good video

  • @skylo706 3 months ago

    I'm still interested in understanding how you guys found the memory locations for, let's say, the rolling goron function. The game wasn't decompiled at this point if I remember correctly. Sure, you can open up a debugger and look at the asm, but I still find this to be incredible.

    • @Fig02 3 months ago +1

      Mainly with the use of debuggers. You can set write breakpoints (which I may or may not have showcased in this video, don't remember). But basically, if you know where a certain value is, you can trigger the debugger to show you the code that is writing (or reading) to that memory location. In this case, the Get Item Value is all you need.
      As for finding the location of the get item value in memory... this was already known for years. Lots of knowledge on the game already existed without decomp, mainly because of ROM hacking.

  • @burieddreamer 2 years ago

    7:17 "But keep that Link alive" - Yeah, I try to do that all the time I'm playing.

  • @MLink23 4 years ago +4

    Great video, I have a few questions. Is it possible to use 2 bombs to set up SRM? Let's say you use one bomb to super slide off another bomb, unload a room, then pick up the bomb; would that bomb unload, or would it still blow up in the unloaded room before you could pick it up? And do the items Link holds in his hands function in the same way pots do, or can those not be edited/unloaded for SRM as well?

    • @Fig02 4 years ago +13

      So for the sake of time I omitted a ton of information about how to actually get SRM to work. I plan to make a dedicated SRM video later on.
      So in order for the actor to unload without the grabbed pointer being nulled, you need to cull the actor before the room changes. Culling is just keeping it off camera so that it's not being drawn on the screen and not updating. This is why I mentioned very briefly that the camera was important in the video.
      Unfortunately, bombs cannot be culled at all. I have a video on my channel demonstrating this in MM; it is also the case in OoT. It's unfortunate because SRM anywhere would be very powerful.
      The items Link holds in his hand do not function the same way. Most items Link holds aren't even an actor.

    • @MLink23 4 years ago +1

      @@Fig02 I see, so I guess the next step would be to find out what else Link can copy positional data over. There has to be something else other than pots/grass/etc.; hopefully something like that can be found.

    • @nathanisbored 4 years ago +2

      @@MLink23 Probably drops like hearts and rupees also do it, since they hover over Link's head briefly. But you need a way to make Link "decide" to create a reference, but not actually do it until the actor's either been culled or otherwise unloaded, which seems unlikely. The reason I used drops as an example is something like that would actually be relevant for any%, and indeed other SRM contexts.

    • @MLink23 4 years ago +1

      @@nathanisbored I'm sure someday it'll be possible; at the pace ACE is going right now, y'all will eventually find something new. Keep it up!

  • @Jayden933 3 years ago

    at 9:34, you mention "when you set up SRM in such a way that the angle lines up with this draw pointer...", but that's the part I'm most curious about. How do you get the angle to write its value to specific points in memory that you want? What's that process like?

    • @Fig02 3 years ago +2

      Changing a room will unload old actors from memory and load in new ones. You can do things between room loads to influence what is currently loaded (take out a bomb, drop a fish, etc.) to change the current state of memory. Then you change rooms on top of that to shift things around.
      If you watch any speedrun with SRM, there's usually always a part where the runner is doing seemingly random things and running in and out of the room; this is the heap manipulation.

    • @Jayden933 3 years ago

      @@Fig02 Thanks for the quick and detailed reply! So let me know if I understand this correctly: by doing these random actions and changing rooms, you can shift around where the game is writing data. So like you change rooms and the game says "okay this area of memory isn't useful to me anymore, so I'm just gonna start writing the angle here in these two bytes." But the game doesn't zero out the data it doesn't need anymore, so if you cleverly combine a precise angle with the previously existing data in the other two bytes, you can make it read as a pointer to something you want or code you want to execute?

  • @kozstandsya1494 4 years ago

    link to that video you played of someone making a payload to fuck with the ending?

  • @MadSociety-uy6zg 1 year ago

    Does this work in the North American versions, or is there something similar to SRM in the North American versions? I see a lot of speedrunners use the Japanese version of Ocarina of Time. So I was just wondering more about this is all, so I can practice doing this.

    • @mobee5764 1 year ago

      Japanese has less text, meaning it can be scrolled through faster, so most speedrunners for all games use foreign languages. For BotW, French is fastest.

  • @skyjumper4097 1 year ago

    Where is the video of glitches and stuff where he sends the funny payloads that break the game a little?

  • @renakunisaki 4 years ago +2

    Okay but why does changing the pot's draw pointer turn it into a chest?

    • @Fig02 4 years ago +4

      Rena Kunisaki, it's not a chest, that's just how Link reacts to negative get item values.
      You change the draw pointer to the rolling goron code, which sets get item based on an instance variable. Normally this is a goron instance variable, but since you're using a pot, it extends past the pot instance. You can then load something on the heap at that offset to set the get item value to whatever you want.

    • @SaiphxXx 4 years ago

      @@Fig02 But then, if it was the draw function, does it mean the new code (get item) will get executed every frame? Can the game handle that without side effects/crashes?

    • @Fig02 4 years ago +1

      @@SaiphxXx It is every frame, yes. Both the pot chest and saw examples I show work fine.

  • @ttrss 1 year ago

    Is a UAF and an SRM the same thing?

  • @herzogwerner7311 4 years ago +6

    Do all entities have the same size in the Heap?

    • @Fig02 4 years ago +3

      Herzog Werner, no, not at all. Actor instances have a min size of 0x13C bytes, but other than that pretty much anything goes. Actor code files (overlays) live in this space of memory and are variable in size. Same goes for particle effects, instances, and whatever other data gets put here.

    • @herzogwerner7311 4 years ago +1

      @@Fig02 But how can you so precisely load arbitrary actors into a fixed spot on the Heap (where the unloaded object used to be)?
      Shouldn't there be data too small or too large for the Offset?

    • @herzogwerner7311 4 years ago +1

      @@Fig02 If the heap only reserved space for a pot, i.e., and I load a way bigger actor in its place, shouldn't the bigger actor overwrite the actors which were originally past the pot? Or is this all solved using pointers? Thanks a lot! ❤️

    • @Fig02 4 years ago +4

      You can't arbitrarily load any actor where you want. It takes a lot of work to figure out how to manipulate the actors in the scene to get things at the offset you want. We usually use simulators to do most of the work for us if possible.
      When loading actors, the game will do so one at a time and scan the heap from bottom to top looking for enough contiguous space to fit whatever it's trying to load. Knowing this, you can spawn things of different sizes and change rooms to shift things around in a way that is advantageous to you.
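
As an added illustration (not the game's code and not from anyone in this thread), a constructed C model of the first-fit heap scan just described and of the "grabbed" pointer that is not cleared when the pot unloads; it also covers the heap manipulation described in the reply about the 9:34 question. The allocator, the actor layout, the sizes, the overlay block and every address in it are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model only: a first-fit arena standing in for the actor heap.
 * A block is an 8-byte header {size, used} followed by its payload; "addresses" are arena offsets. */
#define ARENA 256
static _Alignas(8) uint8_t arena[ARENA];
typedef struct { uint32_t size, used; } Hdr;

/* Constructed actor layout: draw pointer at offset 4, rotation (the SRM-controlled value) at offset 8. */
typedef struct { uint32_t id; uint32_t draw_fn; int16_t rot_y; int16_t pad; } Actor;
#define ACTOR_AT(off) ((Actor *)(arena + (off)))
typedef struct { uint32_t stale_draw; uint32_t new_actor; } Outcome;

void heap_init(void) {
    memset(arena, 0, ARENA);
    ((Hdr *)arena)->size = ARENA - sizeof(Hdr);       /* one big free block */
}

/* Scan from the bottom of the heap, take the first free block big enough, split off the remainder. */
uint32_t heap_alloc(uint32_t n) {
    n = (n + 7) & ~7u;
    for (uint32_t off = 0; off < ARENA; ) {
        Hdr *h = (Hdr *)(arena + off);
        if (!h->used && h->size >= n) {
            if (h->size - n >= sizeof(Hdr) + 8) {
                Hdr *r = (Hdr *)(arena + off + sizeof(Hdr) + n);
                r->size = h->size - n - sizeof(Hdr);
                r->used = 0;
                h->size = n;
            }
            h->used = 1;
            return off + sizeof(Hdr);                  /* payload offset */
        }
        off += sizeof(Hdr) + h->size;
    }
    return 0;                                          /* no room */
}

/* Unload: mark the block free and merge it with a free block directly above it.
 * Payload bytes are left as they were; nothing is zeroed, which is what keeps the stale pointer usable. */
void heap_free(uint32_t p) {
    Hdr *h = (Hdr *)(arena + p - sizeof(Hdr));
    h->used = 0;
    Hdr *nx = (Hdr *)(arena + p + h->size);
    if (p + h->size < ARENA && !nx->used) h->size += sizeof(Hdr) + nx->size;
}

/* A pot is loaded and grabbed, then culled and unloaded while Link's held pointer is NOT cleared.
 * On the next load, `spacer` bytes of other data (0 = none) are spawned before a new actor.
 * Returns what the stale pointer's draw field reads afterwards, and where the new actor landed. */
Outcome srm_scenario(uint32_t spacer) {
    heap_init();
    heap_alloc(64);                                   /* resident overlay code, stays put */
    uint32_t pot = heap_alloc(sizeof(Actor));
    ACTOR_AT(pot)->id = 1;
    ACTOR_AT(pot)->draw_fn = 0x80A0F000u;             /* constructed "pot draw" address */
    uint32_t held = pot;                              /* Link's grabbed-object pointer */
    heap_free(pot);                                   /* room change: pot gone, `held` still points here */
    if (spacer) heap_alloc(spacer);                   /* heap manipulation: drop something first */
    uint32_t a = heap_alloc(sizeof(Actor));           /* first fit decides where this lands */
    ACTOR_AT(a)->id = 2;
    ACTOR_AT(a)->draw_fn = 0x80B2C000u;               /* constructed "other actor draw" address */
    Outcome o = { ACTOR_AT(held)->draw_fn, a };       /* the game "draws" through the stale pointer */
    return o;
}
```

With no spacer the new actor reuses the pot's slot and the stale pointer now reads the other actor's draw pointer; spawning 8 bytes first pushes the new actor past the slot, and the stale pointer still sees the pot's old bytes.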

    • @herzogwerner7311 4 years ago

      @@Fig02 Wow, okay I mean I figured as much but I guess I didn't want to realize how much work this research actually is. As a rule of thumb - is the placement inside the Heap RNG (and may be manipulated as such)?

  • @sleepykittyMMD 2 years ago

    Sooo, are ACE and SRM like modding? As a newbie coder, ACE sounds like adding or changing the original code. SRM sounds like using a PowerSaves. Are these like modifying or modding? It's all really cool, but low key seems kinda like cheating.
    Sorry if that's too many questions, just genuinely curious.

    • @mobee5764 1 year ago

      The source code itself isn't being modified; just the output it should have is being changed to achieve the desired result, via memory exploits. Basically the changes come at runtime, so it's not direct modification.

  • @fish_1228 2 years ago

    My favorite coding language

  • @WorldGSJRWide 4 years ago +1

    Haha yes

  • @Margen67 4 years ago +1

    Is ACE possible on 3DS?

    • @Fig02 4 years ago +7

      Read Cheeze say in ZFG's chat today that you can't run data as code on 3DS. Might be something related to ARM, idk, I'm not knowledgeable at all in that area.
      Also, actor code in that game is not in the same place in memory, so it's not as accessible with SRM.

    • @renakunisaki 4 years ago +7

      @@Fig02 3DS has W^X as a security measure, meaning memory can be writable or executable but not both. You'd have to somehow get your payload into an executable page, or try to do some ROP chain (string bits of existing code together by jumping to the ends of functions) to change memory permissions. Very unlikely to be possible from within the game.

    • @reese4508 3 years ago +1

      Hey. So from the future. I believe srm has been figured out for the 3ds with no actual ways to use it. As for ace, I believe the memory is stored differently so you’d have to input code from an outside source which is basically just changing code but with your own resources. You could execute it with srm probably but the run is already done when you input code from an outside source not using game code or file name code.

  • @reese4508 3 years ago

    I’m kind of just a small glitch hunter for Zelda games but I honestly don’t think I can even attempt to find glitches for this game. This is more than just inputting buttons to clip through walls. This is just coding and I’m not gonna step into that realm

    • @Fig02 3 years ago

      I mean, there are glitches in the game that aren't SRM or ACE, but yeah, not wanting to work with this stuff if it doesn't interest you is fair lol, no one said you had to :)

    • @reese4508 3 years ago

      @@Fig02 Oh, sorry, didn't mean to offend you on that part. I meant that it was just so crazy and it was wild to see how far the game was pushed. I think it's absolutely great that you guys have pushed the game to its limits. I just wanted to say I'd probably stick out of the game's glitch hunting because it is primarily pushed towards coding. I was watching your "learning about the environment" stream the other day and I learned a lot, but I wouldn't be able to catch up to actually start finding out glitches.

  • @SeEpiNIncoherentRambling 2 years ago

    I get the boomerang way but if there's always a pot to pick up when you super slide through rooms then this would have been found way sooner? Otherwise this is just cheat codes.

  • @Frewition 4 years ago +1

    A cool set of discoveries, but man what a boring speedrun

  • @leeartlee915 2 years ago

    I find these videos fascinating… from a technical standpoint. As a speedrunning observer, ACE and SRM just kinda suck. You are no longer playing the game. You've become some kinda pseudo-programmer for vintage video games. How the hell are people supposed to relate to these "runs"? Like, I am decent at playing basketball. I can shoot the ball pretty well, can dribble, pass, you know, all the basic stuff. Because I get how to play, when I see professional athletes play at a super high level, it's relatable. But imagine if LeBron stepped onto the court one day and started dribbling in a way that made no sense. Up the court, backtracking, passing to the other team, shooting the ball into his own basket, all while looking derpy. Then, 2 minutes into the game, the siren blares and we are told "Lakers win". Final score, Lakers: 2 points, Opponent: 4 points. You'd watch it once out of pure fascination, but who the hell would watch that consistently?

    • @Radioaktivitaet 8 months ago

      It's like magic.
      Also: try to pick up a spoon while scratching your back, then precisely orient your head towards 6° north. Then open and close your door 72 times. On the 73rd time, say "Zhlnghbrrrr!" precisely at the moment the door latches, and then you become god, lol
      EDIT: you need to record yourself with a framerate of 16,38 fps while doing this.