12. February 2019

Dissecting the Ganondoor Glitch – How do Wrong Warps work ?

The Ganondoor Glitch might be the most infamous glitch in The Legend Of Zelda: Ocarina Of Time. But how does it work?

Let’s go on a journey through cyberspace back in the golden age of the Nintendo 64 and find out how this all works.

But first, let’s enjoy the glitch here:

Phase 1: The Research – aka LMGTFY

In our journey to find out, how the ganondoor glitch works, we will stumble upon Google as our primary search engine. If we type in “20 min OOT run”, we will find out that there is a question asked about this topic over at gaming.stackexchange.com. Because everything needs its own stack overflow for some reason.

We can also see, that the question was asked in the year 2015, which tells me, that it’s probably not a trending topic, and I should write about something else.

But nevertheless. Let’s continue!

The Ancient Saints of Game Developing and the Art of Memory (Miss-)Management

Bildergebnis für you're a wizard harry meme

In the olden days, consoles didn’t have all the RAM, GPUS, HDMI and other fancy things like wireless controllers. Memory was sparse, and the game developers had to literally be some kind of wizards to pull of what they did.

They had to manage their memory well, and they had to do it by hand. Which is a real pain in the a** and leads to a couple of errors. Nowadays you can just create a new object and the garbage collector of your runtime handles the memory management.

But in languages like C you have to manage the memory yourself with fancy commands like malloc() and pointers. F*cking pointers.

They’re a kind of “variable” that stores the address of another variable. So you don’t have to move things in your memory but instead can point to them via pointers.

Bildergebnis für pointers C

For those of you not familiar with C, it’s an ancient programming language, used to punish developers who write ugly code, by letting them use it. It’s basically the Latin or Greek of programming;

Literally dead, but for some reason we still have it.

However, C is still used for low- level programming (like in Arduino and other microcontrollers). And at that time, game developer had no choice, but to use it. Sadness intensifies

So it would be safe to say, that developers had no choice but to use the same pointers for different purposes, because of the sparse memory. Which is a pretty unsafe method of using pointers. Basically the foundation of the ganondoor glitch.

What’s in the GLITCH??!?

The post of the gaming- StackOverflow website, does tell us, what happens “step by step”:

  1. You kill the boss. A warp point appears.
  2. At this point, the game uses a pointer (we’ll call it Pointer A) to store the data that tells the game what area to warp to.
  3. You take out a bottle of bugs and empty it.
  4. Pointer A is re-assigned in the code and repurposed so that the game can properly handle this event — I could not tell you what its exact purpose is because I do not have access to the OoT source code, but I can tell you that it was used for something else (that’s the only way seemingly-innocuous glitches like this can have such profound effects).
  5. You walk into the warp point. Cutscene of you leaving happens.
  6. The game completes the warp sequence and decides which transition in the game to take you to based on what’s in Pointer A. By inputting what is normally garbage data into Pointer A with our previous actions, the game interprets the data anyway and discovers that it is actually a transition in Ganon’s castle. Not one to ask questions, the game complies.

Source: Some guy of gaming- stack overflow.

But we need to find out how they implemented it! We need more details!

The “source” of Knowledge – bedum tss**

Lucky for us, I was able to find out the source code via my hacker connections:

So I pulled up one of my 15 black hoodies, took out my sunglasses and took a deep hit from my vape. Hiding in my vape cloud I went into the dark web over 37 TOR Proxies and connected to 5 IRC channels.

There I met a guy, let’s call him D4rk L0nK. We met under the night sky, both hiding behind vape- clouds and exchanged money for Source Code.

Bildergebnis für hackerman

Just kidding, the guys over at cloudmodding.com somehow got the source code of Ocarina Of Time. Or parts of it. Which we will be basing our “explanation” on.

This website is like a paradise for us. Not only does it have parts of the code. It also has a lot of comments and explanations to it.

But it has so much information. So from there, I had to dig deeper and find out what would be relevant, and what is just interesting.

So I googled for ganondoor glitch explained and found some old videos from 2015 or something (which again tells me to stop because it won’t be searched for) explaining how these transition work and what you need to know.

Together with my super intelligence and the videos I combine what could be useful from the wiki for the ganondoor glitch:

Most of the code on the website is assembler code. Now if C is Latin or Greek, Assembler is like freaking hieroglyphics. I mean, just look at it:

Bildergebnis für assembler

Aaannddd… SCENE!

In order to know how the ganondoor glitch is possible, we need to understand how scene transitions are made in Ocarina of time. From the cloudmodding wiki we get the following information:

A somewhat confusing aspect of the entrance table is that the developers use a routine that indirectly looks up the entrance table based on 4 different variables: a “base” index, Link’s age, the time of day, and variable used to load cutscene setups (we’ll call it the cutscene number).

The base index can be thought of as being the starting point to an array of possible entrances.

  • If the cutscene number’s value is 0x0000, the look-up index = base index, +1 if night, +2 if Link is an adult
  • If the cutscene number’s value is 0xFFF0-0xFFFF, the look-up index = base index, +4, + the rightmost hex digit in the cutscene number.

This means that for every spawn location, you will need 4 sequential records on the entrance table. If you wish to trigger a cutscene stored within a scene setup, you will also need additional records for each cutscene you want to spawn at. Nintendo conserves space by using the same base index (which ends up being the entrance with the lowest index) for all cutscenes within a scene.

Source: My hacker connections.

In the ganondoor glitch, we’re neither adult nor night.

For the glitch, we need to trigger the scene/ entrance transition and overwrite the pointer with the right Entrance ID. It sounds real hard, but basically, it’s easy.

Act 2: The ganondoor glitch

In order to trigger the entrance transition, we have to use the blue warp thingy that comes after you defeat a boss. But without actually triggering the scene!

We can make use of another glitch. If you equip the right items (like a bottle for example. WICH YOU GET WITH YET ANOTHER GLITCH!) and want to equip/ wear them, while you’re doing a backflip, it somehow triggers the Ocarina Item?!? o.O

If you do this trick right on the blue warp thing, the transition will be triggered, but you won’t be warped.

Internally, the warping is causing a timer to tick, but if you’re out of frame, the timer stops. So you hop sideways and make sure to not see the blue warp thing the whole time. Because if the timer reaches a certain count, it will actually warp you in front of the Deku Tree.

If you made it this far and you exit the door, the base index, mentioned before will be 0252 or something, which is the room before Gohma. But the Entrance transition has been triggered, and the game wants to execute it. So it takes the base index and adds 4 to it plus the rightmost hex digit of the current location, which is Ganondorf’s Castle.

It’s basically a Memory Corruption attack.

Chapter 3: The video

In the video, I show you how I combined my magic research skills, together with a debugger and some (lack) of gaming skills to show you what happens in memory. The video is currently not finished yet. So stay tuned and subscribe to my channel to be notified, when I upload the video:

Conclusion

The ganondoor glitch is interesting to research because it consists of so many different glitches. In this article, we focused on the “main glitch” which is a “memory corruption” exploit.

We got to see how the developers with limited tools, but infinite fantasy and trickery were even able to pull off such a stunt. With all their errors.

They didn’t catch this bug, but how could they. If you look at the listing of the sources, you will find a ton of source files, that were used in this project.

So we should be glad, they were able to create this game, with all its (technical) flaws, that make it even more enjoyable.

Share

Zanidd

I build and hack stuff.

You may also like...

Leave a Reply