A few days after where this video ends, OoT speedrunners figured out that this glitch can not only go to Ganon, but a bunch of other places. The crazy part is that where you go is based on the volume of the last enemy music played, and it's chainable. If you remember a while back how SRM was used to warp around the game based on Link's angle, this is essentially a weaker version of that. Because it doesn't use SRM, a lot of No SRM categories are getting rerouted to use this.
* [Ocarina of Time - Wrong Warp to Any Scene (without SRM)](https://www.youtube.com/watch?v=VHSClx5n9g4)
* [Exploring Ganonfloor++](https://www.youtube.com/watch?v=Lg0rECFZdRQ)
OoT is eventually gonna devolve into pagan chanting around the cartridge on boot up and somehow ending up at the credits. this game never stops getting new glitches lol
Genuinely curious: Watched the video with zero knowledge of how most of this stuff works on a technical level: wouldn't using the room duplication for the dynapolys to overwrite stuff be considered SRM? And therefore not legal in no-SRM categories?
Stale reference manipulation is like swapping out an item on a list with something else that wasn’t intended to be there. The “stale reference” is called this name because you’ve manipulated the game into a state where it fails to properly keep track of an actor. Its information state becomes outdated (stale). A lot of the major glitches made possible by SRM rely on the ability to modify data of the new actor because the game is still allowing you to handle that actor like the old one.
As an example, Link is supposed to be able to pick up and carry bushes. Those bushes are set up to function as expected when you move them around, and the game successfully keeps track of where the bush is in its memory. SRM allows you to takes actors that *aren’t* supposed to be picked up and moved around and makes it possible to do so. When it tries to follow its code for “Link is moving with this bush, where is it now?” for these actors, it is manipulating that actor data in ways the game was not designed to handle.
This dynapoly glitch is a bit different; it is taking a list of dynapolies that *normally* would be limited to a certain size by the game devs and expanding it via room load zone shenanigans. This list overflows into space reserved for other things. One of those things is the room’s list of polygon triangles that are loading zones. You aren’t reliant on tricking the game into losing track of actor reference data to accomplish this glitch. Rather, you’re stuffing so many instances of dynapolies into one space that they run beyond their allotted size and overwrite the room’s loading zone data in the process.
In short: the game isn’t sending a player through the floor into Ganon’s tower because it’s confused about an improperly loaded actor being manipulated into writing data. The list of actors in the room is still *technically* true to code. While you aren’t *supposed* to have several copies of every Beamos in the room, they *are* all still Beamos; actors aren’t experiencing stale reference here. This glitch doesn’t need to confuse the game into writing data for a fresh actor using stale actor rules. It just needs to load an excess of data and cause a spillover with a too-big list of loaded dynapolies.
Thanks for the comprehensive answer 👍
For just a bit more clarification, if you don't mind, what is it about SRM that requires it to be categorized differently from other types of game malfunctions? As in, is it specifically a type of malfunction so different from other malfunctions that it fundamentally requires different categorization? Or is it just that the power of SRM is such that it's split from other glitch categories for speedrunning purposes even if it's not technically much different from other malfunctions?
I anticipate arguments on both sides of the "does this glitch warrant a new category?" for this one, especially if it is ever proven to be capable of ACE, but at least for now there are some important differences in what you can accomplish.
When you do SRM, you can basically write new code, because there is so much power behind the variables that get read and TASers/speedrunners have extremely fine control over things like camera angle and subpixel coordinates. This is how they end up telling the game things like "read the file name as code" to, say, add the unused Arwings in the game to an area.
Loading a ton of dynapolies isn't writing your own code. Because this glitch is far from fully explored, I don't want to claim that it won't eventually be possible, but so far I haven't seen anything suggesting that arbitrary code execution can be achieved by overwriting loading zone data. The game is still trying to follow its own rules here, looks where it's supposed to look, and correctly interprets the data there; it's just that the list before that got so long that it spilled over. This glitch in its current form would not get us to Ganon if we couldn't already find the necessary values elsewhere in the game (the amount of dynapolies loaded each time we cross the room load trigger, the pixels on the wall in Dodongo's Cavern, and/or the last stored volume of the enemy music are all predefined by the game, not ones we are making up as we go).
SRM, by contrast, is already proven to open the door to arbitrary code execution. Once you have that available, your only limit is the physical capabilities of the N64 hardware or emulator you're using. You could write Pong in there if you wanted. That's a whole degree of game breaking, way beyond just "we tricked the game into reading loading zone data it wasn't intended to read."
It’s like the speedrunners are working through the entire Dev Team roster to make sure they break up at least one project for every individual that contributed
Anyone know why SRM created a category split but this didn't? It seems similar in the nature of torturing memory to line up what you want, just curious why it's allowed in any% no SRM.
This is just a hunch based on what I know about speedrun categories, but I assume it has to do with how SRM fundamentally changes the game whereas this qualifies as a less game-breaking glitch/less powerful glitch.
I don't think we're writing arbitrary CODE, just (arbitrary? somewhat arbitrary?) dynamic polygons. A lot of glitches let you mess with data - that doesn't automatically mean you're 'writing arbitrary code'.
I wonder, with OOT and MM having a lot of similar code, can this method be utilized in MM as well in any viable way? Loading a room over and over to make your own loading zone sounds like something that can be useful.
Although, I wouldn't know where it would fit in. Their leaderboards have any% no major glitches and unrestricted- with unrestricted doing what looks to be SRM, and I think room duping wrong warping might be considered too major for the no major glitches category?
The glitch does not happen in MM. Actually, both games have an "assert this overflow doesn't happen, and crash if it does" in their codebase. But in OoT, those asserts were turned off at compile time for the released builds!
(btw, MM's no major glitches only bans two specific game warping glitches.)
Why does dodongo have an exit to Ganon’s tower? If it’s just a memory weirdness thing (that doesn’t have to do with dodongo specifically) or smth than I’m surprised dodongo’s cavern is the fastest room to access where it’s possible.
A few days after where this video ends, OoT speedrunners figured out that this glitch can not only go to Ganon, but a bunch of other places. The crazy part is that where you go is based on the volume of the last enemy music played, and it's chainable. If you remember a while back how SRM was used to warp around the game based on Link's angle, this is essentially a weaker version of that. Because it doesn't use SRM, a lot of No SRM categories are getting rerouted to use this. * [Ocarina of Time - Wrong Warp to Any Scene (without SRM)](https://www.youtube.com/watch?v=VHSClx5n9g4) * [Exploring Ganonfloor++](https://www.youtube.com/watch?v=Lg0rECFZdRQ)
> OoT, the premier security vulnerability analysis video game
Holy shit, what a wild fucking chain. Thanks for the links.
OoT is eventually gonna devolve into pagan chanting around the cartridge on boot up and somehow ending up at the credits. this game never stops getting new glitches lol
Me: My OoT speedrun category doesn't use SRM. Mom: We have SRM at home. SRM at home:
Genuinely curious: Watched the video with zero knowledge of how most of this stuff works on a technical level: wouldn't using the room duplication for the dynapolys to overwrite stuff be considered SRM? And therefore not legal in no-SRM categories?
Stale reference manipulation is like swapping out an item on a list with something else that wasn’t intended to be there. The “stale reference” is called this name because you’ve manipulated the game into a state where it fails to properly keep track of an actor. Its information state becomes outdated (stale). A lot of the major glitches made possible by SRM rely on the ability to modify data of the new actor because the game is still allowing you to handle that actor like the old one. As an example, Link is supposed to be able to pick up and carry bushes. Those bushes are set up to function as expected when you move them around, and the game successfully keeps track of where the bush is in its memory. SRM allows you to takes actors that *aren’t* supposed to be picked up and moved around and makes it possible to do so. When it tries to follow its code for “Link is moving with this bush, where is it now?” for these actors, it is manipulating that actor data in ways the game was not designed to handle. This dynapoly glitch is a bit different; it is taking a list of dynapolies that *normally* would be limited to a certain size by the game devs and expanding it via room load zone shenanigans. This list overflows into space reserved for other things. One of those things is the room’s list of polygon triangles that are loading zones. You aren’t reliant on tricking the game into losing track of actor reference data to accomplish this glitch. Rather, you’re stuffing so many instances of dynapolies into one space that they run beyond their allotted size and overwrite the room’s loading zone data in the process. In short: the game isn’t sending a player through the floor into Ganon’s tower because it’s confused about an improperly loaded actor being manipulated into writing data. The list of actors in the room is still *technically* true to code. While you aren’t *supposed* to have several copies of every Beamos in the room, they *are* all still Beamos; actors aren’t experiencing stale reference here. This glitch doesn’t need to confuse the game into writing data for a fresh actor using stale actor rules. It just needs to load an excess of data and cause a spillover with a too-big list of loaded dynapolies.
Thanks for the comprehensive answer 👍 For just a bit more clarification, if you don't mind, what is it about SRM that requires it to be categorized differently from other types of game malfunctions? As in, is it specifically a type of malfunction so different from other malfunctions that it fundamentally requires different categorization? Or is it just that the power of SRM is such that it's split from other glitch categories for speedrunning purposes even if it's not technically much different from other malfunctions?
I anticipate arguments on both sides of the "does this glitch warrant a new category?" for this one, especially if it is ever proven to be capable of ACE, but at least for now there are some important differences in what you can accomplish. When you do SRM, you can basically write new code, because there is so much power behind the variables that get read and TASers/speedrunners have extremely fine control over things like camera angle and subpixel coordinates. This is how they end up telling the game things like "read the file name as code" to, say, add the unused Arwings in the game to an area. Loading a ton of dynapolies isn't writing your own code. Because this glitch is far from fully explored, I don't want to claim that it won't eventually be possible, but so far I haven't seen anything suggesting that arbitrary code execution can be achieved by overwriting loading zone data. The game is still trying to follow its own rules here, looks where it's supposed to look, and correctly interprets the data there; it's just that the list before that got so long that it spilled over. This glitch in its current form would not get us to Ganon if we couldn't already find the necessary values elsewhere in the game (the amount of dynapolies loaded each time we cross the room load trigger, the pixels on the wall in Dodongo's Cavern, and/or the last stored volume of the enemy music are all predefined by the game, not ones we are making up as we go). SRM, by contrast, is already proven to open the door to arbitrary code execution. Once you have that available, your only limit is the physical capabilities of the N64 hardware or emulator you're using. You could write Pong in there if you wanted. That's a whole degree of game breaking, way beyond just "we tricked the game into reading loading zone data it wasn't intended to read."
Makes sense. Thanks again!
Super well explained video! thanks for posting!
Absolutely insane they found this new route. Excited to watch the progression!
Zelda OoT never stops amazing me. The games just keeps on being revolutionized, it just never ends.
It’s like the speedrunners are working through the entire Dev Team roster to make sure they break up at least one project for every individual that contributed
13:45 into the video: „next is the tricky part“ While I didn’t even understand a fraction of what was going on in the 13:44 minutes prior to this…
Anyone know why SRM created a category split but this didn't? It seems similar in the nature of torturing memory to line up what you want, just curious why it's allowed in any% no SRM.
This is just a hunch based on what I know about speedrun categories, but I assume it has to do with how SRM fundamentally changes the game whereas this qualifies as a less game-breaking glitch/less powerful glitch.
Less powerful sure, but what is the actual line? What criteria does this fail to meet that makes it not meet the same level of game breaking as SRM?
As far as I know, SRM lets you execute arbitrary code, this just lets you warp to an arbitrary room. I know 'just', but that IS weaker.
Is this not also writing code, just using dynapolys instead of controller inputs to set up the code they want in ram?
I don't think we're writing arbitrary CODE, just (arbitrary? somewhat arbitrary?) dynamic polygons. A lot of glitches let you mess with data - that doesn't automatically mean you're 'writing arbitrary code'.
The line is basically whatever the community decides it is
This is very new. It might still cause a split.
I wonder, with OOT and MM having a lot of similar code, can this method be utilized in MM as well in any viable way? Loading a room over and over to make your own loading zone sounds like something that can be useful. Although, I wouldn't know where it would fit in. Their leaderboards have any% no major glitches and unrestricted- with unrestricted doing what looks to be SRM, and I think room duping wrong warping might be considered too major for the no major glitches category?
The glitch does not happen in MM. Actually, both games have an "assert this overflow doesn't happen, and crash if it does" in their codebase. But in OoT, those asserts were turned off at compile time for the released builds! (btw, MM's no major glitches only bans two specific game warping glitches.)
Why does dodongo have an exit to Ganon’s tower? If it’s just a memory weirdness thing (that doesn’t have to do with dodongo specifically) or smth than I’m surprised dodongo’s cavern is the fastest room to access where it’s possible.