Arbitrary Code Execution in Animal Crossing

preview_player
Показать описание
Arbitrary code execution, the holy grail of video game exploits… Is it possible in Animal Crossing? There may be more to it than you might think…

- Corrections -
‣ At 09:23, I mention you can go to any address with QDS/BBR tags, but realistically you are limited by the size of the structured ROM without the PAT tag.
‣ At 18:52, I mention Link's rock "despawning" with a camera exploit, but this is an oversimplification. The real way to get empty hands and abuse SRM has to do with setting up culling and loading triggers to unload the rock while it's in your hands, rather than "despawning" it.
‣ It's mentioned at 19:49 that the Japanese version of the game is required, but it is theoretically possible to use SRM to switch languages to the included Japanese within the US versions. This would allow for Japanese inputs on a US disc.

~ FURTHER READING ~
James Chambers’ NES injection discovery:
Cuyler’s NES patch loader:
Ocarina of Time’s true ACE setup by MrCheeze:

Technical credits:
Cuyler / James Chambers / MrCheeze / Savestate / Glitches0and0stuff / FIX94

Animation credits:
Wyvarie

Footage credits:
GamesDoneQuick / Savestate / MrCheeze / Sethbling

Music credits:
Starmonized / Qumu / Mesmonium / The Noble Demon / irikachana

• Rainbow Road (Remix) - Mario Kart Wii:
• Happy New Year! - Animal Crossing New Horizons:
• 5 P.M. (Faithful Cover) - Animal Crossing:
• 9 A.M. - Animal Crossing:
• Go K.K. Rider! (Qumu Remix):
• Prologue (Phase 7) - Animal Crossing New Horizons:
• K.K. Cruisin’ (True Remix):
• 10 P.M. - Animal Crossing New Horizons:
• Hyrule Field (Qumu Remix) - Ocarina of Time:
• Dark World (Orchestral Remix) - Link to the Past:
• Animal Crossing Title Theme - Nintendo Sound Selection Vol. 2:

Assets and other information were pulled from the Animal Crossing GameCube community megasheet:

This video was recorded with an HD community texture pack for the game ran through Dolphin emulator:

0:00:00 Introduction
0:02:02 Explaining ACE
0:06:50 ACE in Animal Crossing
0:12:45 ACE Achievements
0:14:00 True ACE?
0:16:15 Exploiting Ocarina of Time
0:21:29 Conclusions
0:22:16 Credits
0:23:48 Hmm...
  1. Hunter R.
  2. animal crossing
  3. acnh
  4. animal crossing gamecube
  5. gamecube
  6. hunter-r
Рекомендации по теме
Arbitrary Code Execution 0:24:22

Arbitrary Code Execution in Animal Crossing

The Broken Code 0:11:45

The Broken Code of Animal Crossing

Animal Crossing ACE 0:02:17

Animal Crossing ACE Demonstration

Colobot original - 0:00:32

Colobot original - arbitrary code execution exploit

RotTK2 - Arbitrary 0:01:02

RotTK2 - Arbitrary Code Execution - Photomosaic (w/ inputs)

Arbitrary Code Execution? 0:00:10

Arbitrary Code Execution?

no one’s talking 0:00:30

no one’s talking about this glitch #animalcrossing #acnh #animalcrossingnewhorizons

Give Up Robot 0:01:16

Give Up Robot Arbitrary Code Execution

DON'T scan random 0:00:17

DON'T scan random QR codes in Animal Crossing

Hunting For Bugs, 0:47:11

Hunting For Bugs, Catching Dragons - Nicolas Joly

Coding SMW on 0:01:56

Coding SMW on SMM using Arbitrary Code Execution

Legend of Zelda 0:04:32

Legend of Zelda 2nd Quest any% (arbitrary code execution) speedrun in 3:18

[Old] Generate glitch 0:27:18

[Old] Generate glitch items: Arbitrary Code Execution #3 | Pokémon Emerald

[TAS] Real Life 0:01:20

[TAS] Real Life 'arbitrary code execution' in 1:05.133

Friendly Reminder: MV 0:01:23

Friendly Reminder: MV Plugins are Arbitrary Code

Detecting attempts on 0:04:21

Detecting attempts on CVE 2020 0601

Bob Esponja en 0:15:19

Bob Esponja en Pokémon Amarillo (Rom original) | Arbitrary Code Execution

Unlocking the Secrets 0:18:21

Unlocking the Secrets of Null Byte: A Hands-On Hacking Guide

NDSS 2017: Dachshund: 0:14:53

NDSS 2017: Dachshund: Digging for and Securing (Non-)Blinded Constants in JIT Code

The Perl Jam 0:27:13

The Perl Jam 2: The Camel Strikes Back

ExamplesofZerodayExp 0:01:45

ExamplesofZerodayExp

How I was 0:01:38

How I was found broken link hijacking less than 2 minutes (bug-bounty-poc)

Burp Suite 2.0, 1:13:00

Burp Suite 2.0, DNC, and NotPetya - Paul's Security Weekly #572

Serious Microsoft crypto 0:10:44

Serious Microsoft crypto vulnerability- what to do!

Комментарии
Автор

To honor a lot of people who have been super welcoming and kind since I started this channel, I've included a special credits sequence at the end of this video. Perhaps there's something after as well... 🤔

ACE is a very complicated topic, and there was quite a lot to cover with some specifics I might have glossed over. If this video piqued your interest, there are a lot of extras in the description, including some minor corrections!

Hunter-R.
Автор

The funniest thing about ACE in Ocarina of Time will always be that people keep using it to do ACE in other games. Shoutouts to the Paper Mario speedrun of course.

TheShinyFeraligatr
Автор

i love how oot has essentially turned into an ace bootloader for many different games

blikthepro
Автор

Using OOT to execute ACE in Animal Crossing is like trying to break into a car with a more broken, fucked up and stupid car... and I wouldn't have it any other way.

inanestereo
Автор

The PAT tag is so funny. "Here's all the different tags they let us attach to a NES rom, and all the reasons it would be extremely challenging to achieve arbitrary memory modification with them.... oh wait, never mind, here's the 'make arbitrary memory modifications' one."

MrCheeze
Автор

When you said 99% of the game is stored in RAM it made so much sense because I remember not owning the game as a kid and being able to play it for like a week by leaving my gamecube on after I booted up a friend's copy. He took it because he had to leave but I was stoked when it just kept working

Dameentsia
Автор

IDEs have become obsolete, all coding will now be done using Animal Crossing and Ocarina of Time GC ports

Chubby_Bub
Автор

1:40 imagine if he said no and the video just ended there

zamininc
Автор

13:51 THEY ADDED DEATH TO ANIMAL CROSSING

CalDavid-xxzo
Автор

funnily enough you don't even need to corrupt the instruction pointer in pokemon gen 1, there's just an item that executes code from WRAM directly

egon
Автор

Resetti's sitting somewhere, a grim look on his face, loading a shotgun

IAmPercentCarbon
Автор

Extremely funny to hear how Gamecube OOT can theoretically be used to set up Animal Crossing ACE. This concept isn't completely new, as Paper Mario 64 got ACE and for a while, it couldn't do anything meaningful. It was then realized that you could use OOT ACE to set up memory, and then do a Banjo-Kazooie-style Stop 'n' Swop to Paper Mario, and then execute the OOT memory you wrote as Paper Mario code to save your file on the "The End" map, so loading the file again would end the game.

Really cool video, and I love how you acknowledged ACE as a serious security vulnerability on modern hardware.

Spencer_PK
Автор

I feel like I just watched the season finale to my favorite show

ComicBoi
Автор

That's wild. It's like a turducken of ACE.

memyselfishness
Автор

There should be an ACE no-skip category of speedruns for various games. Imagine how it cool it would be to see a runner essentially modding the game in real time but not being allowed to skip levels.

D_YellowMadness
Автор

Some additional technical context for those interested! The reason the PAT tag can only write to thru is because that's the size of RAM on the N64. This same PAT tag exploit is usable on the N64 version albeit you can't do nearly as much since you're limited to 32K of space on the controller pak data (still a lot though!)

Additionally, when we overwrite my_free, we *could* encounter a similar issue as to trying to overwrite code directly. The GC also has a data cache but the caches only store the most recent commonly used addresses in them. Thankfully due to my_free's infrequent referencing, it doesn't get cached. That's a small piece of the puzzle that James and I spent a bit of time figuring out lol...

It was really fun to mess with this back in 2018! I wrote a fully working hex editor for use in game among other neat little proof of concepts!

Great video as always Hunter :)

Cuyler
Автор

I love how depending on the context ACE is either extremely cool or extremely worrying

DogsRNice
Автор

Holy, the animations in the credits are phenomenal, so fluid and so cute, especially Isabelle! Please thank Wyvarie for me!
This is probably a long way off, but with how well understood this game is getting, I wonder if decomp progressing will allow for mods adding in features from later games into AC. A "Perfect" version with more options for paths, more pattern storage, easier access to the island without requiring a link cable, adding in a few characters, HD texture/font mod, more K.K. songs, more events, maybe fixing and adding in unused content or version/region-exclusive content, uncapping the 2030 limit, making the forbidden NES games appear in the shop, and more... If it was open source and made right, the community could create new little content drops every few months or so, so that the game feels magical again... Just thinking about something that nice makes me smile. I've always had a soft spot for the original and would love to see it get more of the little quality fixes that later games in the series got, but without the massive expanse in scope.

MetroAndroid
Автор

Awesome video!
Funny enough, Animal Crossing: New Leaf has an ACE exploit, which is also a RCE exploit. The function responsible for receiving packets for the games bulletin board can be used to send payloads to other 3DS consoles due to a buffer overflow trick. Such as giving them mod menus, editing their memory, basically anything you want really.
I learned a lot from this video, it's so cool what fans in the community are capable of!

Bidziilla
Автор

I love the sequence at 19:57

Using ACE in Ocarina of Time to set up more ACE in Ocarina of Time just to set up ACE in Animal Crossing.

pheldsparr
join shbcf.ru