Arbitrary code execution in Animal Crossing has been something I’ve been interested in finding for some time now. After James Chambers informed me about the PAT tag for the NES emulator, which could possibly allow for arbitrary writes to RAM, I had to investigate more.
Translating Doubutsu no Mori e+ has been fairly easy so far. Even though most text had been reduced in length, almost all messages, choices, and strings were kept in a separate BMG file. Unfortunately, I ran into a problem when I decided it was finally time to translate the item list. In e+, item names had a max length of 10 characters. In Animal Crossing, the max length is 16. Resizing them would have been a simple task if the item list weren’t inside forestd.rel (forest data relocation module).