1

Some games, such as Pokémon Yellow or Ocarina of Time, have exploits that allow you to write your own code (ACE). How were these exploits found? I want to learn how to find these exploits, for speedrunning and elsewhere.

From my current understanding, code-savvy speedrunners read through the game's code (even as low down as assembly language) in an attempt to find an exploit where they can jump to memory where their code lies.

On a related note, I want to compile a list of games which allow for ACE; there seems to be no popular list online. Even if the ACE would require TAS-only input, I would like to keep it recorded.

Luke Dunn

1 Answer

3

> From my current understanding, code-savvy speedrunners read through the game's code (even as low down as assembly language)

This is basically the only way to do it. Arbitrary code execution bugs involve injecting machine code, often at the byte-level, so they fundamentally require a deep understanding of the game and architecture internals.

To find them, bugs where the game crashes or memory is corrupted are usually a great kicking-off point. Usually these are found by random community members, posted to some forum, and then analyzed by other community members who have the expert knowledge required to exploit the bug. In other cases, the expert will spend many many long hours stepping through the assembly code, looking for exploits.
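As an added illustration of the kind of memory corruption bug the answer refers to (not code from the question, the answer, or any real game): a constructed save-record loader trusts a length byte from the save data and copies that many bytes into a fixed 8-byte name field. Because the game's jump-table index sits directly behind that field, an oversized name silently rewrites it, which is exactly the sort of corruption that shows up as a crash first and gets analyzed later. The checked loader beside it rejects the oversized length. All names (`save_record`, `handler_index`, the loaders) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny "save record" as a game might keep it in RAM.
   The player name is a fixed 8-byte buffer; right behind it sits a field the
   game later uses as an index into a jump table. Names are hypothetical. */
struct save_record {
    char     name[8];
    uint32_t handler_index;   /* sits directly after the name buffer */
};

typedef int (*loader_fn)(struct save_record *, const uint8_t *, size_t);

/* Buggy loader: trusts the length byte in the save data and copies that many
   bytes into the record starting at the name field. A length above 8 runs
   past the name and overwrites handler_index: memory corruption with no crash
   at the point of the bug, only later when the bad index is used. */
int load_name_unchecked(struct save_record *rec, const uint8_t *data, size_t data_len) {
    if (data_len < 1) return -1;
    size_t name_len = data[0];
    if (data_len < 1 + name_len) return -1;          /* only checks the source */
    unsigned char *dst = (unsigned char *)rec + offsetof(struct save_record, name);
    for (size_t i = 0; i < name_len; i++)            /* no check against sizeof rec->name */
        dst[i] = data[1 + i];
    return 0;
}

/* Fixed loader: rejects any length the name buffer cannot hold. */
int load_name_checked(struct save_record *rec, const uint8_t *data, size_t data_len) {
    if (data_len < 1) return -1;
    size_t name_len = data[0];
    if (name_len > sizeof rec->name) return -2;      /* would spill into handler_index */
    if (data_len < 1 + name_len) return -1;
    memcpy(rec->name, data + 1, name_len);
    return 0;
}

/* Runs one save blob through a loader on a freshly initialised record. */
static int run_loader(loader_fn loader, const uint8_t *data, size_t data_len,
                      struct save_record *rec) {
    memset(rec->name, 0, sizeof rec->name);
    rec->handler_index = 3;                          /* legitimate table slot */
    return loader(rec, data, data_len);
}

/* handler_index after the load: a changed value is the tell-tale of corruption. */
uint32_t index_after_load(loader_fn loader, const uint8_t *data, size_t data_len) {
    struct save_record rec;
    run_loader(loader, data, data_len, &rec);
    return rec.handler_index;
}

/* Return code of the load, so a harness can see whether the input was rejected. */
int status_of_load(loader_fn loader, const uint8_t *data, size_t data_len) {
    struct save_record rec;
    return run_loader(loader, data, data_len, &rec);
}

/* Constructed save data: length byte 12, then 8 name bytes and 4 more bytes
   that land on handler_index in the buggy loader. good_save is well-formed. */
static const uint8_t bad_save[]  = { 12, 'A','A','A','A','A','A','A','A', 0xFF,0xFF,0xFF,0xFF };
static const uint8_t good_save[] = { 4, 'L','I','N','K' };

int main(void) {
    printf("unchecked: rc=%d handler_index=0x%08x\n",
           status_of_load(load_name_unchecked, bad_save, sizeof bad_save),
           (unsigned)index_after_load(load_name_unchecked, bad_save, sizeof bad_save));
    printf("checked:   rc=%d handler_index=%u\n",
           status_of_load(load_name_checked, bad_save, sizeof bad_save),
           (unsigned)index_after_load(load_name_checked, bad_save, sizeof bad_save));
    return 0;
}
```

The unchecked loader reports success while the index has become 0xFFFFFFFF; the checked loader returns -2 and leaves the index at 3. When stepping through a real game's assembly, the equivalent of this comparison (a field changing after a load that was only supposed to touch its neighbour) is what marks a corruption bug worth a closer look.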

The specifics of how buffer overflow and other exploits work are well beyond the scope of this site. We have an entire other Stack Exchange for that sort of thing: ReverseEngineering.SE (RetroComputing.SE is another great resource, if you're asking about older consoles).

BlueRaja - Danny Pflughoeft