Arbitrary Code Execution in Animal Crossing

Published 2024-04-26
Arbitrary code execution, the holy grail of video game exploits… Is it possible in Animal Crossing? There may be more to it than you might think…

‣ Support on Patreon: patreon.com/hunter_r
‣ Become a channel member: youtube.com/channel/UCroqqI7XwD828o0rAvAF8iw/join
‣ Follow me on Twitter: twitter.com/ACHunterR

- Corrections -
‣ At 09:23, I mention you can go to any address with QDS/BBR tags, but realistically you are limited by the size of the structured ROM without the PAT tag.
‣ At 18:52, I mention Link's rock "despawning" with a camera exploit, but this is an oversimplification. The real way to get empty hands and abuse SRM has to do with setting up culling and loading triggers to unload the rock while it's in your hands, rather than "despawning" it.
‣ In general, multiple objects can be used to overwrite pointers in Ocarina of Time, but for the specific human-viable setup with the file select, LightNode SRM is used. This was glossed over in the video; more information can be found here: docs.google.com/document/d/1Xf0mTcGwxbuBBFX1TYhKuR…
‣ It's mentioned at 19:49 that the Japanese version of the game is required, but it is theoretically possible to use SRM to switch languages to the included Japanese within the US versions. This would allow for Japanese inputs on a US disc.

~ FURTHER READING ~
James Chambers’ NES injection discovery:
jamchamb.net/2018/07/11/animal-crossing-nes-emulat…
Cuyler’s NES patch loader:
cuyler36.github.io/2018/07/14/creating-a-nes-patch…
Ocarina of Time’s true ACE setup by MrCheeze:
   • Ocarina of Time - Setting up Total Co...  

Technical credits:
Cuyler / James Chambers / MrCheeze / Savestate / Glitches0and0stuff / FIX94

Animation credits:
Wyvarie
twitter.com/wyvarie
youtube.com/c/Wyvarie

Footage credits:
GamesDoneQuick / Savestate / MrCheeze / Sethbling

Music credits:
Starmonized / Qumu / Mesmonium / The Noble Demon / irikachana

• Rainbow Road (Remix) - Mario Kart Wii:
   • ♪ Mario Kart Wii- Rainbow Road (Remix)  
• Happy New Year! - Animal Crossing New Horizons:
   • Happy New Year Everyone! - Animal Cro...  
• 5 P.M. (Faithful Cover) - Animal Crossing:
   • 5PM (Faithful Cover) || Dōbutsu no Mo...  
• 9 A.M. - Animal Crossing:
   • 9 AM   Animal Crossing Gamecube OST 61  
• Go K.K. Rider! (Qumu Remix):
   • Animal Crossing - Go K.K. Rider! [Remix]  
• Prologue (Phase 7) - Animal Crossing New Horizons:
   • Prologue (Phase 7) - Animal Crossing:...  
• K.K. Cruisin’ (True Remix):
   • Animal Crossing - K.K. Cruisin' True ...  
• 10 P.M. - Animal Crossing New Horizons:
   • 10 PM - Animal Crossing: New Horizons...  
• Hyrule Field (Qumu Remix) - Ocarina of Time:
   • Legend of Zelda: Ocarina of Time  - H...  
• Dark World (Orchestral Remix) - Link to the Past:
   • A Link to the Past: Dark World Orches...  
• Animal Crossing Title Theme - Nintendo Sound Selection Vol. 2:
   • Nintendo Sound Selection Vol.1 ~ Peac...  

Assets and other information were pulled from the Animal Crossing GameCube community megasheet:
docs.google.com/spreadsheets/d/13sRAcj9YbP9_i-u0Kg…

This video was recorded with an HD community texture pack for the game, run through the Dolphin emulator:
forums.dolphin-emu.org/Thread-animal-crossing-hd-t…

0:00:00 Introduction
0:02:02 Explaining ACE
0:06:50 ACE in Animal Crossing
0:12:45 ACE Achievements
0:14:00 True ACE?
0:16:15 Exploiting Ocarina of Time
0:21:29 Conclusions
0:22:16 Credits
0:23:48 Hmm...

All Comments (21)
  • @Hunter-R.
    To honor a lot of people who have been super welcoming and kind since I started this channel, I've included a special credits sequence at the end of this video. Perhaps there's something after as well... 🤔 ACE is a very complicated topic, and there was quite a lot to cover with some specifics I might have glossed over. If this video piqued your interest, there are a lot of extras in the description, including some minor corrections!
  • The funniest thing about ACE in Ocarina of Time will always be that people keep using it to do ACE in other games. Shoutouts to the Paper Mario speedrun of course.
  • @MrCheeze
    The PAT tag is so funny. "Here's all the different tags they let us attach to a NES rom, and all the reasons it would be extremely challenging to achieve arbitrary memory modification with them.... oh wait, never mind, here's the 'make arbitrary memory modifications' one."
  • @inanestereo
    Using OOT to execute ACE in Animal Crossing is like trying to break into a car with a more broken, fucked up and stupid car... and I wouldn't have it any other way.
  • @blikthepro972
    I love how OoT has essentially turned into an ACE bootloader for many different games
  • @Dameentsia
    When you said 99% of the game is stored in RAM it made so much sense because I remember not owning the game as a kid and being able to play it for like a week by leaving my gamecube on after I booted up a friend's copy. He took it because he had to leave but I was stoked when it just kept working
  • @ComicBoi11
    I feel like I just watched the season finale to my favorite show
  • @Spencer_PK
    Extremely funny to hear how Gamecube OOT can theoretically be used to set up Animal Crossing ACE. This concept isn't completely new, as Paper Mario 64 got ACE and for a while, it couldn't do anything meaningful. It was then realized that you could use OOT ACE to set up memory, and then do a Banjo-Kazooie-style Stop 'n' Swop to Paper Mario, and then execute the OOT memory you wrote as Paper Mario code to save your file on the "The End" map, so loading the file again would end the game. Really cool video, and I love how you acknowledged ACE as a serious security vulnerability on modern hardware.
  • @egon3705
    Funnily enough, you don't even need to corrupt the instruction pointer in Pokémon gen 1; there's just an item that executes code from WRAM directly
  • @Chubby_Bub
    IDEs have become obsolete, all coding will now be done using Animal Crossing and Ocarina of Time GC ports
  • Resetti's sitting somewhere, a grim look on his face, loading a shotgun
  • @MrMegaManFan
    “Oh Hunter, we know you’re an ACE in the hole.” Hunter: “A what now?”
  • @MetroAndroid
    Holy, the animations in the credits are phenomenal, so fluid and so cute, especially Isabelle! Please thank Wyvarie for me! This is probably a long way off, but with how well understood this game is getting, I wonder if decomp progressing will allow for mods adding in features from later games into AC. A "Perfect" version with more options for paths, more pattern storage, easier access to the island without requiring a link cable, adding in a few characters, HD texture/font mod, more K.K. songs, more events, maybe fixing and adding in unused content or version/region-exclusive content, uncapping the 2030 limit, making the forbidden NES games appear in the shop, and more... If it was open source and made right, the community could create new little content drops every few months or so, so that the game feels magical again... Just thinking about something that nice makes me smile. I've always had a soft spot for the original and would love to see it get more of the little quality fixes that later games in the series got, but without the massive expanse in scope.
  • @DogsRNice
    I love how depending on the context ACE is either extremely cool or extremely worrying
  • @Bogvalley
    Using Ocarina of Time as an ACE setup game has also been done to do a credits warp in Paper Mario, so it's cool to see the same strategy applied to Animal Crossing to execute arbitrary code c: At least in this case it didn't rely on hot swapping a cartridge into the console before the RAM got wiped x3
  • @CraftyDuck100
    Wake up guys new Hunter vid dropped. It's huntin time
  • @rdgfb
    Early Nintendo games do be having at least one ACE exploit... don't look at the original Pokémon gen 1 games, there's too many to keep track of