Legend of Zelda: Use After Free (TASBot glitches OoT)
Allan "dwangoAC" Cecil, keeper of TASBot, He/Him
Sauraen, Hacker, He/Him
Liam "MLink" Taylor, Speedrunner, He/Him
| Demo | 45
How can a Use After Free exploit in Ocarina of Time lead to a cute robot taking over an entire N64 to put the future (and the Triforce) in the game using only button presses? This talk dives into the technical details of how a Use After Free exploit, Arbitrary Code Execution, and multiple bootstrap stages allowed TASBot to take full control of an original, unmodified cart and console in front of a live audience during SGDQ 2022 with the help of Sauraen and Savestate, helping raise more than $228k for charity. This talk uses engaging explainer graphics courtesy of RGME to dig into how a Use After Free vulnerability can be exploited as well as a live demo showing the significant social impact of the exploit Here Together, in the past year and into the future.
Allan Cecil (dwangoAC) is the founder and BDFL of the TASBot online community. He is part of the senior staff for TASVideos.org, a website devoted to using emulators to find glitches and techniques to play video games perfectly. He is a published journal author, patent holder, and presenter with talks at DEF CON, GeekPwn, Thotcon, May Contain Hackers, and other hacker conferences. He uses his combined hacking interests for good at charity events like Games Done Quick to entertain viewers with never-before-seen glitches in games, with events he's led raising more than $1.3m for various charities.
https://twitter.com/MrTASBot
https://TAS.Bot
https://Discord.gg/TASBot
https://YouTube.com/dwangoAC
https://Twitch.tv/dwangoAC
Sauraen is a systems and low-level software engineer with experience in GPU programming, high-performance computing, and audio. He directed Triforce% and has been developing tools for the N64 community for nearly a decade. He is also an accomplished music arranger, primarily in the video game music space.
Social media: https://www.youtube.com/@sauraen
Website: https://sauraen.com
Liam Taylor (MLink) is a speedrunner who loves to challenge himself. Liam has performed several different types of Ocarina of Time speedruns. Aside from speedrunning video games, Liam has also begun learning to solder, always looking to broaden his horizons with different types of hobbies, usually ones that tend to be difficult. He aspires to one day be able to use his talents and skills for a future career in either hardware hacking or speedrunning.
Social media: https://www.youtube.com/@MLink23
Website: https://twitch.tv/MLink23
REFERENCES:
### Primary reference resource with links to all media references, source code, and an FAQ:
https://GetTriforce.link
Full references from the above site copied here in Markdown format:
### Project Info
[FAQs](https://gettriforce.link/faq)
[Credits](https://gettriforce.link/credits)
[Retro Game Mechanics Explained explainer video, contents used with permission from IsoFrieze](https://www.youtube.com/watch?v=qBK1sq1BQ2Q)
## Source code
[Triforce% Source code release](https://github.com/triforce-percent/triforce-percent)
### Articles posted about Triforce%
[Ars Technica](https://arstechnica.com/gaming/2022/...a-vanilla-n64/)
[Forever Classic Games](https://foreverclassicgames.com/news...-link-triforce)
[Zelda Dungeon](https://www.zeldadungeon.net/ocarina...beta-showcase/)
[Zelda Universe](https://zeldauniverse.net/2022/07/05...demonstration/)
[PC Gamer](https://www.pcgamer.com/this-zelda-s...gaming-moment/)
[NintendoLife](https://www.nintendolife.com/news/20...th-of-the-wild)
[GoNintendo](https://gonintendo.com/contents/5979...th-of-the-wild)
### Setup info
[Savestate’s notes on how to do the setup by hand](https://docs.google.com/document/d/1...5652ayjR86QNDU)
[BizHawk savestate of gz macro to do setup](https://drive.google.com/file/d/1tbG...ew?usp=sharing)
[BizHawk build needed for compatibility with that savestate](https://drive.google.com/file/d/1K_L...ew?usp=sharing)
### Raw video and photo assets for Triforce%:
[Clean run video (for taking footage from)](https://www.youtube.com/watch?v=PZNywtNOe9U)
[HD partial run video (for taking screenshots for branding)](https://www.youtube.com/watch?v=NNRqK1AQ_VY)
[HD screenshots folder](https://drive.google.com/drive/folde...Cv?usp=sharing)
### Partner and reactor links
[SwankyBox](https://www.youtube.com/watch?v=1_RighmL04g)
[Hard4Games](https://www.youtube.com/watch?v=f9cCtRYMKm4)
[HMK](https://www.youtube.com/watch?v=mk1WwOu_AQQ) ([Interview](https://www.youtube.com/watch?v=buy6EcI2NKc))
[TetraBitGaming](https://www.youtube.com/watch?v=gJ1hSMClhMI)
### OST Published By SiIvaGunner
[YouTube](https://www.youtube.com/watch?v=E1OYYi2Vzro&list=PLL0CQjrcN8D3qRiR5WUL5l_bPo2sIzdfr&index=155)
[SoundCloud](https://soundcloud.com/sauraen/sets/triforce-percent)
[SiIvaGunner wiki page](https://siivagunner.fandom.com/wiki/...ce%25_SGDQ_Run)
[SiIvaGunner joke explanations](https://gettriforce.link/siiva_jokes)
## Credits
The primary director of Triforce% was Sauraen with Savestate as the human speedrunner and dwangoAC as the Producer; over two dozen people contributed, with full credits listed at https://gettriforce.link/credits
