How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)?


Some games, such as Pokémon Yellow or Ocarina of Time, have exploits that allow you to write your own code (ACE). How were these exploits found? I want to learn how to find these exploits, for speedrunning and elsewhere.

From my current understanding, code-savvy speedrunners read through the game's code (even as low down as assembly language) in an attempt to find an exploit where they can jump to memory where their code lies.

On a related note, I want to compile a list of games which allow for ACE; there seems to be no popular list online. Even if the ACE would require TAS-only input, I would like to keep it recorded.




How does arbitrary code execution work in games?

In order to execute arbitrary code, many exploits inject code into the process (for example by sending input to it which gets stored in an input buffer in RAM) and use a vulnerability to change the instruction pointer to have it point to the injected code. The injected code will then automatically get executed.

What is arbitrary code execution speedrun?

Arbitrary code execution allows speedrunners to force the game to load filenames as game code. Runners have also used ACE to complete the game in under 13 minutes by warping to the end credits, loading items into treasure chests, or changing their physical positions.

How does ACE work in OoT?

Arbitrary Code Execution (ACE) is a glitch that allows the player to cause the instruction pointer to jump to a section of memory that can be written to by the player (such as the filename, the angle and position of certain actors, controller inputs, etc).
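The two answers above describe the same mechanism: a dispatch that takes an index or pointer influenced by player data, never checks it, and ends up setting the instruction pointer to a region the player can write (a filename, an actor's position bytes). The following toy virtual machine is an added example written for this page, not code from Ocarina of Time or any real game; all of its memory layout, opcodes and the "save file" bytes are constructed. It shows a jump-table dispatch in a vulnerable form (no checks) and a hardened form that bounds-checks the index and refuses to jump outside the code region, which is the check a defender would want at every data-driven control transfer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy VM, not game code. Memory layout:
 *   [0, CODE_END)        game code (opcodes)
 *   [TABLE_AT, +TABLE_LEN) jump table of one-byte targets
 *   [NAME_AT, +NAME_LEN)   player-writable "filename" bytes            */
#define MEM_SIZE  64
#define CODE_END  16
#define TABLE_AT  16
#define TABLE_LEN 4
#define NAME_AT   20
#define NAME_LEN  8

enum { OP_HALT = 0, OP_WARP = 1, OP_NOP = 2, OP_MARK = 3 };

typedef struct {
    uint8_t mem[MEM_SIZE];
    uint8_t pc;
    int     mark;   /* set only by OP_MARK; the game code never contains it */
    int     fault;  /* 1 = index out of range, 2 = target outside code, 3 = bad opcode */
} vm_t;

/* Constructed "filename" a player could enter: byte 0 is a pointer to byte 1,
 * byte 1 is OP_MARK, byte 2 is OP_HALT. Only matters if the VM ever jumps here. */
static const uint8_t CRAFTED_NAME[NAME_LEN] = { NAME_AT + 1, OP_MARK, OP_HALT, 0, 0, 0, 0, 0 };

/* Game code is "WARP table[idx]; HALT"; all table targets lie inside the code region. */
static void vm_init(vm_t *vm, uint8_t idx, const uint8_t name[NAME_LEN])
{
    memset(vm, 0, sizeof *vm);            /* zeroed memory reads as OP_HALT */
    vm->mem[0] = OP_WARP;
    vm->mem[1] = idx;
    vm->mem[2] = OP_HALT;
    vm->mem[TABLE_AT + 0] = 2;
    vm->mem[TABLE_AT + 1] = 4;
    vm->mem[TABLE_AT + 2] = 6;
    vm->mem[TABLE_AT + 3] = 8;
    memcpy(vm->mem + NAME_AT, name, NAME_LEN);
}

/* One dispatch step; returns 0 when execution stops. `hardened` enables the checks. */
static int vm_step(vm_t *vm, int hardened)
{
    switch (vm->mem[vm->pc]) {
    case OP_HALT:
        return 0;
    case OP_NOP:
        vm->pc += 1;
        return 1;
    case OP_MARK:
        vm->mark = 1;
        vm->pc += 1;
        return 1;
    case OP_WARP: {
        uint8_t idx = vm->mem[vm->pc + 1];
        /* Check 1: the index must stay inside the jump table. Without it,
         * idx 4..11 reads the player's name bytes as jump targets. */
        if (hardened && idx >= TABLE_LEN) { vm->fault = 1; return 0; }
        /* The modulo only keeps this toy inside its own array; a real machine
         * would read whatever happens to lie past the table. */
        uint8_t target = vm->mem[(TABLE_AT + idx) % MEM_SIZE];
        /* Check 2 (W^X-style): never transfer control into writable data,
         * even if the table itself has been corrupted. */
        if (hardened && target >= CODE_END) { vm->fault = 2; return 0; }
        vm->pc = target;
        return 1;
    }
    default:
        vm->fault = 3;
        return 0;
    }
}

/* Runs to completion; returns 1 iff an OP_MARK ran, i.e. data was executed as code. */
static int vm_run(vm_t *vm, int hardened)
{
    for (int steps = 0; steps < 100 && vm_step(vm, hardened); steps++)
        ;
    return vm->mark;
}

int main(void)
{
    vm_t vm;
    vm_init(&vm, 4, CRAFTED_NAME);         /* out-of-range index chosen by the data */
    printf("vulnerable: data executed as code = %d\n", vm_run(&vm, 0));
    vm_init(&vm, 4, CRAFTED_NAME);
    printf("hardened:   data executed as code = %d, fault = %d\n", vm_run(&vm, 1), vm.fault);
    return 0;
}
```

With the unchecked dispatch the index reaches past the table, the first name byte becomes the jump target, and the VM runs the name bytes as opcodes; with both checks in place the same input stops at fault 1, and a corrupted table entry pointing into the data region stops at fault 2. In a real game the equivalent checks are a bounds check on every data-derived index and, where the hardware offers it, keeping player-writable memory non-executable.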

What does "arbitrary code" mean?

When a particular vulnerability allows an attacker to execute "arbitrary code", it typically means that the bad guy can run any command on the target system the attacker chooses. This could mean that the attacker triggers code already on the box, invoking a program or DLL by exploiting the vulnerability.



Arbitrary Code Execution in Ocarina of Time




Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.
