
the twilight hack, discovered in 2008, is a buffer overflow exploit in The Legend of Zelda: Twilight Princess. it relies on the fact that the name the player chooses for Epona (the horse) is stored in the savefile and read back without any check on its length.

thus, editing the savefile (which requires fixing its checksum) so that Epona's name is long enough to overwrite the saved return address when it is loaded lets us choose the address from which the console fetches the code it executes next!

note that the wii did not have a notion of non-executable memory, which would have forced us, say, to get it to execute what we want through a ROP chain. that makes things easier: we can put our own code in the savefile in place of data that we know will already have been loaded when the bug is triggered, and write the address of that data at the spot that overwrites the saved return address.
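to make the bug class concrete, here is an added example (not code from this tool, and not the game's actual code): a constructed model of a name field being loaded from a savefile, once in the vulnerable shape the text describes and once with the length check that would have prevented it. the game's real structure layout, field size (EPONA_NAME_LEN) and checksum are not known here and are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size slot for the horse's name; the real size is not on the page. */
#define EPONA_NAME_LEN 16

/* A name record as it would sit in the savefile: a length prefix plus bytes.
 * Both fields come from the file, so both are attacker-controlled input. */
struct name_record {
    unsigned short len;
    const unsigned char *bytes;
};

/* Vulnerable shape: trusts the stored length and copies that many bytes into a
 * fixed-size buffer. When len exceeds EPONA_NAME_LEN the copy runs past the
 * buffer into whatever the compiler placed after it on the stack, which is how
 * a saved return address ends up overwritten. */
void load_name_unchecked(const struct name_record *rec, char out[EPONA_NAME_LEN])
{
    memcpy(out, rec->bytes, rec->len);   /* no bound on rec->len */
}

/* Hardened shape: the stored length is validated against the destination
 * before a single byte is copied. Returns 0 on success, -1 if rejected. */
int load_name_checked(const struct name_record *rec, char out[EPONA_NAME_LEN])
{
    if (rec->len >= EPONA_NAME_LEN) {    /* keep room for the terminator */
        return -1;
    }
    memcpy(out, rec->bytes, rec->len);
    out[rec->len] = '\0';
    return 0;
}

/* Helper: build a record from a C string and run it through the checked loader.
 * The unchecked loader is deliberately never fed overlong input here, since
 * that would be undefined behaviour rather than a demonstration. */
int accept_name(const char *name)
{
    struct name_record rec = { (unsigned short)strlen(name), (const unsigned char *)name };
    char buf[EPONA_NAME_LEN];
    return load_name_checked(&rec, buf);
}

/* Helper: returns 1 if a constructed 63-byte name is rejected by the checked loader. */
int rejects_overlong_name(void)
{
    char constructed[64];
    memset(constructed, 'A', sizeof constructed - 1);   /* constructed overlong name */
    constructed[sizeof constructed - 1] = '\0';
    return accept_name(constructed) == -1;
}

int main(void)
{
    printf("\"Epona\" accepted: %s\n", accept_name("Epona") == 0 ? "yes" : "no");
    printf("overlong name rejected: %s\n", rejects_overlong_name() ? "yes" : "no");
    return 0;
}
```

the difference between the two loaders is a single comparison; the vulnerable version is what lets a savefile decide where execution resumes, the checked version turns the same savefile into a rejected record.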

you can learn more about it on wiibrew!

this is a tool i made to load a small piece of code through this exploit, on the gamecube version. unlike the original twilight hack, which included an ELF loader, it does not support long pieces of code.

after loading your patched savefile, your code will be executed whenever Epona's name is loaded.

Choose your method

Select your region

Your savefile (.gci)

Your code, as a raw binary file

To link your code:

source code