How are Arbitrary Code Execution (ACE) exploits discovered (such as in OoT)?

Solution 1:

From my current understanding, code-savvy speedrunners read through the game's code (even as low down as assembly language)

This is basically the only way to do it. Arbitrary code execution bugs involve injecting machine code, often at the byte level, so they fundamentally require a deep understanding of the game and architecture internals.

To find them, bugs where the game crashes or memory is corrupted are usually a great kicking-off point. Usually these are found by random community members, posted to some forum, and then analyzed by other community members who have the expert knowledge required to exploit the bug. In other cases, the expert will spend many, many long hours stepping through the assembly code, looking for exploits.

The specifics of how buffer overflow and other exploits work are well beyond the scope of this site. We have an entire other Stack Exchange for that sort of thing: ReverseEngineering.SE (RetroComputing.SE is another great resource, if you're asking about older consoles).