Not All Exploits Are Bad: Script Stack Underflow
Published Date:
Last Updated:
People often assume that vulnerabilities or exploits exist solely for malicious intent. News headlines frequently report security breaches, leaked data, and software flaws that compromise systems. But not all exploits are inherently bad.
In the world of speedrunning, players use exploits to push games beyond their limits, not to break them, but to master them.
An Introduction To Speedrunning:
For those unfamiliar with speedrunning, it’s the practice of completing a game as fast as possible. What started as a niche challenge among gaming enthusiasts has grown into a massive community with over 2.3 million registered speedrunners and 46.9k different game communities on Speedrun.com, covering nearly every video game imaginable.
Not all speedruns are created equal. Some players attempt glitchless runs, completing games using only intended mechanics. Others embrace glitches, ranging from minor time-savers to full-blown game-breaking exploits. The most extreme cases involve manipulating the game’s code itself, using techniques like Script Stack Underflow (SSU) or Arbitrary Code Execution (ACE) to skip levels, warp to the credits, or even rewrite the game in real time.
What is Script Stack Underflow (SSU)?
Script Stack Underflow (SSU) is a phenomenon that occurs when a programme attempts to execute a return command while the call stack is empty. In computing, a stack is a data structure used to keep track of function calls, ensuring that a programme knows where to return after executing a subroutine. Normally, when a function or script is completed, the programme refers to the last stored return address to continue execution.
However, if there are no return addresses left in the stack and a return command is still executed, the programme attempts to retrieve a value from an unintended memory location. This can lead to unpredictable behaviour, including crashes, unintended code execution, or in some cases, controlled exploits that allow a user to manipulate programme flow.
Understanding Script Stack Underflow (SSU) in Vice City
Now we have a high-level overview of what SSU is and how it leads to unpredictable behaviour. But unpredictability doesn't always mean chaos, sometimes, it means opportunity. Let's now explore how speedrunners harnessed this behaviour with almost surgical precision, turning what might seem like randomness into record-breaking speedruns in Grand Theft Auto: Vice City.
How Speedrunners Set Up SSU in Vice City
Executing SSU isn’t as simple as pressing a button, it requires precise setup and execution. Here’s a condensed breakdown of how it works:
Manipulating the Timer & Setting Up a Replay – The runner plays the game to advance the in-game timer, which seems counterintuitive for a speedrun but is necessary for later exploits. They then record a replay while triggering a rampage mission and stopping it near a property purchase icon. This setup allows them to later trick the game into believing they are in multiple mission states at once.
Mission Duplication via Timer Desync – After restarting the game, the internal clock becomes desynced, making the replay exist in the future while the live game considers itself in the past. Using the replay system, the runner stacks multiple active missions, including rampages and pizza delivery missions, which normally wouldn’t be possible due to the game’s “one mission at a time” rule.
Setting the Return Address – By carefully despawning and respawning an NPC within an incredibly tight window (53,475 - 53,716 milliseconds), they manipulate the return address stored in memory. The precision required is extreme, there is only a 26.67% chance of getting the correct timing. If the player is off by even a fraction of a second, 73.33% of the possible timings will crash the game. This is where the SSU exploit is fully realised—if done correctly, the game will mistakenly jump to the final mission script.
Triggering the Final Mission – The runner plays the previously recorded replay, remotely purchasing a property. Immediately after, they start the police vigilante mission, which, due to the manipulated memory state—triggers the final mission instead. From here, they simply complete the final mission as intended, finishing the game in under 10 minutes.
If you would like to see the world record run (at the time of writing), click here to see PeeBee's world record run.
Why SSU is a Huge Breakthrough in Speedrunning
Before SSU was discovered, completing Grand Theft Auto: Vice City as fast as possible still required following the game's intended progression system. Players needed to acquire assets, complete key story missions, and unlock the final sequence by fulfilling specific in-game conditions.
The fastest speedrun without SSU, performed by Mhmd_FVC, held a world record time of 53 minutes. At the time, this was considered the pinnacle of optimisation, players had pushed Vice City’s mechanics to their limits while still completing the game in a structured, semi-intended way.
Then came SSU.
With SSU, speedrunners skip nearly the entire game, warping directly to the final mission within minutes. This discovery shattered previous records, cutting down the Any% world record to just 8 minutes and 11 seconds, achieved by PeeBee, an astonishing 45-minute reduction.
The impact of SSU on Vice City speedrunning cannot be overstated. What was once a race to execute missions efficiently has transformed into a test of precision glitch execution and memory manipulation. While this is the most optimal run in terms of timing, the precise execution of this run has led to only a limited amount of runners actually running this category.
Final Thoughts
While SSU is just one example, it highlights the fascinating ways gamers reverse-engineer software. Speedrunners essentially perform a technical security audit on a game’s code, discovering ways to exploit unintended behaviours, not for malicious purposes, but for competitive mastery and optimisation.
This same mindset is what drives ethical hacking and software security research. Just as speedrunners break down a game’s scripting engine, security researchers analyse software to find vulnerabilities, except instead of warping to the final mission, they help fix critical security flaws before hackers can exploit them.
In the end, SSU in Vice City is more than just a speedrun trick, it’s a testament to how deep technical knowledge and creativity can push the limits of what we think is possible in software, games, and beyond.
Speedrunning is more than just playing games fast, it’s a technical art form that blends programming, problem-solving, and frame-perfect execution. SSU in Vice City stands as one of the most impressive demonstrations of how vulnerabilities don’t have to be destructive, sometimes, they just help you skip to the good part.