Posts for powerofthepowerofthe


Joined: 9/6/2014
Posts: 1
So, arbitrary code execution (ACE) has been achieved in Wild Arms, cutting down the game to just the three character prologues, Lolithia's tomb, a short trip to get the lighter, and a LOT of duping and apple eating. You can see speedrunner cha0s using the technique, real-time on PS3, in this video: Link to video

To keep it at least somewhat brief, and because I'm still investigating hopefully less apple-heavy/inventory-intensive approaches, I won't do a full data dump here. If you're interested in the route above (WHY!?), or specific technical details, feel free to ask though.

This is an extension of a glitch which previously made sub-2 hour runs of Wild Arms possible. By getting to the lighter in the Mountain Pass without a full party, you end up recruiting a garbage character we've nicknamed "Hollow Man." If one thinks of Rudy, Jack, and Cecilia as characters 0, 1, and 2 respectively, then Hollow Man is the -1th character, pointing at a block of memory that precedes that of the main characters.

It turns out that by removing Hollow Man's body armor, we can corrupt the character table even further, creating what we've called "Cursed Hollow". This garbage character points at executable code - just what we want! Specifically, it points at code which is executed during the enemy morphing animations at the beginning of a battle. By duplicating and feeding stat-boosting apples to the Cursed Hollow, we can change two instructions into whatever we want.

Unfortunately, naively using jump instructions to the best ACE target candidates (item memory or magic name strings) would have required tens of thousands of apples. To achieve ACE within a reasonable time, we instead jump to item memory indirectly by combining arbitrary register values and offsets to create a valid jump target. Semi-manually searching for a valid combination was the most time-consuming task. The payload uses the quantity values in the inventory, and is pretty straightforward.
The first word (4 items/bytes) is the jump target, which will point at the next word. The next word/first instruction fixes the AT register, which was corrupted by the indirect jump process. The second instruction writes the ending scene ID, 0x60, to Jack's map location address. The last instruction jumps back to normal code execution. And that's it! Jack has been essentially "moved" to the ending and by switching to him, the ending plays out in full. It was really fun working on this, and with some more tweaks I'm working on I hope we'll get to see a sub-hour run at some point. Remember to like and follow http://twitch.tv/cha0stwitch, without whose discoveries this would not be possible.
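As an added illustration of the four-word payload layout described above (not code from the post or the run), the following Python encodes the words as R3000 (PS1 CPU) instructions and converts them to the little-endian byte sequence that item quantities would have to spell out. Every address, the base register, its assumed contents, and the choice of an `addiu`/`sb` pair for the AT fix and the store are placeholders, not the values actually used in the run; the inventory quantity cap is also an assumption, exposed as a parameter.

```python
import struct

ZERO, AT = 0, 1                    # MIPS register numbers; $at is the assembler-temporary register
I_ADDIU, I_SB, J_J = 9, 0x28, 2    # R3000 opcodes for addiu, sb and j

def encode_i(opcode, rs, rt, imm):
    """I-type word: opcode | rs | rt | 16-bit immediate (sign-extended by the CPU)."""
    if not -0x8000 <= imm <= 0x7FFF:
        raise ValueError(f"immediate {imm:#x} does not fit in a signed 16-bit field")
    return (opcode << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)

def encode_j(target, delay_slot_pc):
    """J-type word: 26-bit word index; the upper 4 address bits come from the delay-slot PC."""
    if target & 3 or (target ^ delay_slot_pc) & 0xF0000000:
        raise ValueError("jump target must be word aligned and in the same 256 MiB segment")
    return (J_J << 26) | ((target >> 2) & 0x03FFFFFF)

def word_to_quantities(word):
    """One 32-bit little-endian word occupies four consecutive inventory quantity slots."""
    return list(struct.pack("<I", word))

def quantities_to_word(qs):
    return struct.unpack("<I", bytes(qs))[0]

def build_payload(payload_addr, scene_id, map_addr, base_reg, base_value,
                  resume_addr, max_quantity=0xFF):
    """Return the 16 item quantities spelling out the four-word payload.
    Word 0: jump target = address of word 1.
    Word 1: repair $at; here it also loads the scene ID (placeholder choice of instruction).
    Word 2: sb $at, (map_addr - base_value)(base_reg), assuming base_reg still holds base_value.
    Word 3: j resume_addr; the slot after it runs in the delay slot, so it should encode a nop (0)."""
    words = [
        payload_addr + 4,
        encode_i(I_ADDIU, ZERO, AT, scene_id),
        encode_i(I_SB, base_reg, AT, map_addr - base_value),
        encode_j(resume_addr, payload_addr + 16),
    ]
    qs = [q for w in words for q in word_to_quantities(w)]
    too_big = [q for q in qs if q > max_quantity]
    if too_big:  # a byte the inventory cannot hold means this encoding is unusable
        raise ValueError(f"quantities {too_big} exceed the inventory cap {max_quantity}")
    return qs

if __name__ == "__main__":
    # Constructed placeholder addresses; $t0 (register 8) is assumed to hold base_value.
    print(build_payload(0x80100000, 0x60, 0x80123456, 8, 0x80120000, 0x80040000))
```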