How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)?

How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)? - PHP Screengrab

Some games, such as Pokémon Yellow or Ocarina of Time, have exploits that allow you to write your own code (ACE). How were these exploits found? I want to learn how to find these exploits, for speedrunning and elsewhere.

From my current understanding, code-savvy speedrunners read through the game's code (even as low down as assembly language) in an attempt to find an exploit where they can jump to memory, where their code lays.

On a related note, I want to compile a list of games which allow for ACE; there seems to be no popular list online. Even if the ACE would require TAS-only input, I would like to keep it recorded.

speedrun




Pictures about "How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)?"

How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)? - Black Laptop Computer Turned on Showing Computer Codes
How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)? - Green and White Line Illustration
How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)? - Black and Gray Laptop Computer Turned on Doing Computer Codes


How does arbitrary code execution work in games?

In order to execute arbitrary code, many exploits inject code into the process (for example by sending input to it which gets stored in an input buffer in RAM) and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed.

What is arbitrary code execution speedrun?

Arbitrary code execution allows speedrunners to force the game to load filenames as game code. Runners also used ACE to complete the game in under 13 minutes by warping to the end credits, load items into treasure chests, or change their physical positions.

How does ACE work in OoT?

Arbitrary Code Execution (ACE) is a glitch that allows the player to cause the instruction pointer to jump to a section of memory that can be written to by the player (such as the filename, the angle and position of certain actors, controller inputs, etc).

What is arbitrary code mean?

When a particular vulnerability allows an attacker to execute "arbitrary code", it typically means that the bad guy can run any command on the target system the attacker chooses. This could mean that the attacker triggers code already on the box, invoking a program or DLL by exploiting the vulnerability.


Arbitrary Code Execution in Ocarina of Time



Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.

Images: Pixabay, Markus Spiske, Markus Spiske, Christina Morillo

Related Topics

Minecraft speedrun tips [closed]

Can you speedrun Bomberman with an emulator?

What's the longest speedrun world record?

Have there been video games for which perfect speedruns were mathematically proven?

Do speed kills work in A Hat in Time?

How was it calculated that Dream cheated on his Minecraft v1.16 glitchless speedrun?

What are the common categories for speedruns?

What is an any % speed run in Diablo 2?

Least amount of ender pearls and blaze rods to leave the nether? (speedrun)

Does a Super Mario Galaxy 100% Speedrun Count if I don't get a star with Luigi?

Do TAS runs exist that only use tricks a human could do?

Why does frame rate matter for speedruns in games with in-game timers?

Viability of quickly farming ender eyes from pre-1.8 villager trades

Why are there no DOOM 2 Nightmare 100% kill speedruns?

Long Jump Glitch Super Mario 64