Guides:Coin Case ACE: Difference between revisions

← Older edit

Guides:Coin Case ACE (view source)

Revision as of 23:47, 24 May 2024

2,292 bytes added , 1 month ago

m

→‎TM Quantities to sell

VisualWikitext

TimoVM

1,540

edits

Revision as of 17:33, 6 December 2023 (view source) TimoVM (talk \| contribs) m (→‎Finishing the setup) ← Older edit		Latest revision as of 23:47, 24 May 2024 (view source) TimoVM (talk \| contribs) m (→‎TM Quantities to sell)
(16 intermediate revisions by the same user not shown)
Line 64: In order to use ACE, always perform the following steps: {\| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;" \| [[File:EN Coin Case ACE start.png]] \|\| [[File:EN Coin Case ACE end.png]] \|} * '''Make sure to set box 1 as the current active box.''' Line 106 ⟶ 113: {\| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;" \| [[File:~~Setup~~Box ~~box~~English ~~code~~GS Setup ~~GSEN~~V2.png]] \|} * ~~Catch~~(only if you haven't done so in previous parts), catch any pokémon and nickname it "MAILWRITER". '''Put it in the ~~fifth~~third party slot'''. We'll alter this pokémon's stat experience to redirect TM25 execution to the TM/HM pocket. * Ensure that you have everything set up for Coin Case ACE: Line 204 ⟶ 211: \|TM35 SLEEP TALK \|\|x239 \|\|8000 \|- \|TM36 SLUDGE BOMB \|\|x58 \|\|~~98000~~98500 \|- \|TM37 SANDSTORM \|\|x27 \|\|228000 Line 241 ⟶ 248: # Use TM25. If everything went correctly, this will start the mail writer and open a screen asking you to input text for a mail. # From now on, you can repeat this process at any time to start the mail writer. Since we aren't planning on using the Coin Case anymore, the mail that was previously given to MAILWRITER can be removed. It is no longer relevant for the remainder of the setup. If the game crashes, first recheck if all TM quantities are correct. If all quantities are correct, you may need to redo the setup for the "MAILWRITER" pokémon. This can be done using the box codes included a bit further below. A note on the nicknamed pokémon: when running the box name code, we altered "MAILWRITER"'s stat experience data to contain a redirect to the TM/HM pocket. You can safely deposit and withdraw it from the PC. '''Please note that this pokémon must never gain experience after this point, otherwise you'll need to reapply the setup.''' ==Step 6: Using the mail writer== Line 284 ⟶ 293: # Any # Any # "~~BOXCODES~~MAILWRITER" pokémon holding mail # Any # Any # "MAILWRITER" pokémon # Any Enter the following language-specific box name. '''Please mind the differences between uppercase X ([[File:Character UCX.png]]), lowercase x ([[File:Character lcx.png]]) and multiplication symbol ([[File:Character mul.png]])'''. Line 295 ⟶ 304: \|} * Read the mail held by the "~~BOXCODES~~MAILWRITER" pokémon. * Go to ~~any~~the ~~pokémon~~Goldenrod ~~center~~Radio Tower and follow the correct steps ~~until~~to ~~you reach~~finish the ~~correct location~~setup. * Use the Coin Case to execute the code. If the game crashes, doublecheck the box name code and ensure you've performed every step of the process correctly. * If the code executes succesfully without crashing the game, the "MAILWRITER" nicknamed pokémon has now been repaired. Line 309 ⟶ 318: ! scope="row" \| Mail \|\| <pre>Ah Ah A's Az A2 APk A'l A0 A9 A♀ A. A9 APk A* A' ] A h 'd</pre> ~~A A p 'v 7 ' ] . 9 'l 'l 'l p 'm z 2</pre>~~ \|- ! scope="row" \| Test box name \|\| <pre>0 9 é A ♀ h 'd ~~[SPACE]~~</pre> \|- ! scope="row" \| Setup box name Line 322 ⟶ 331: Box 3: ? b é , 2 'v ♂ 5 Box 4: é 2 2 'v ? é 5 2 Box 5: ? E é 5) 4 'v G 5 Box 6: é ♀ 2 é 7; 4 0 9 Box 7: ♀ ♀ ♀ ♀ ♀ 's ♀5 ♀5 Box 8: ? 'm é 6: 4 'v 4 5 Box 9: é y ♀ 'v - é 8 4 Box 10: 'v x é 4( 4 'd \|- ! scope="row" \| Reset box name Line 341 ⟶ 350: ===Effect of the Coin Case=== Activating the Coin Case causes arbitrary code execution from $E112 onward, which is echo ram for $C112. This region corresponds with sound data and can be manipulated by buffering pokémon cries. The effects of the Coin Case are described in more detail on the following [http://Coin%20Case%20glitches#cause wiki page]. Relevant to this setup is that the setup will redirect execution to address $FA98 (echo ram copy of $DA98), which is in the middle of party pokémon #3's stat experience data. During this redirection, the stack pointer gets incremented once and an address gets popped from the stack. The global effect is that the stack pointer is decremented once compared to when the Coin Case was used. Playing Bellsprout or Machop's cry will buffer $33 at $C117. This opcode increments the stack pointer, desyncing the stack. ~~===Effect of party pokémon #3===~~ The sound that plays when swapping item pockets clears some bad data around the $C16x region. It also places a $C1 at $C16E, popping a value from the stack to registers bc. ~~Defeating the provided list of pokémon will result in the following values at the following addresses, assuming the pokémon is in party slot #3:~~ The sound that plays when confirming the use of the Coin Case places $80 A1 D0 at $C192. Due to prior opcodes setting the value of register bc to $0000, the condition for the return will always be true. Thanks to incrementing the stack pointer and popping the stack once, the next return address will redirect execution to $EB12, echo ram for $CB12. From $CB12, the game will nopslide until $CC20 is reached. This region contains data on buffered tiles that are added when the player moves around . Due to our specific movement pattern within the Goldenrod Radio Tower, this results in the following data, starting from $CC20: <pre> At start, hl = $B2B2 and sp : $DFBC ~~DA95 00 nop~~ ~~DA96 75 ld [hl], l~~ 39 add sp ; hl = $926E ~~DA97 00 nop~~ 39 add sp ; hl = $722A ~~DA98 94 sub a, h~~ 39 add sp ; hl = $51E6 ~~DA99 00 nop~~ 39 add sp ; hl = $31A2 ~~DA9A C3~~ 39 add sp ; hl = $115E ~~DA9B 00~~ 39 add sp ; hl = $F11A ~~DA9C CF jp $CF00~~ 39 add sp ; hl = $D0D6 ~~DA9D 00 nop~~ ~~DA9E~~39 6E ldadd l,sp ; [hl] = $B092 39 add sp ; hl = $904E 39 add sp ; hl = $700A 39 add sp ; hl = $4FC6 39 add sp ; hl = $2F82, carry flag set 30 31 jr nc, $31 ; Ignore thanks to previous carry 1A ld a, (de) 1B dec de 1A ld a, (de) 1B dec de 0A ld a, (bc) 0B dec bc 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 39 39 ld bc, $3939 39 add sp ; hl = $0F3E 39 add sp ; hl = $EEFA, desired result in h, zero flag set 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 00 nop 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 01 01 ld bc, $0101 01 00 00 ld bc, $0000 00 nop 00 nop 84 add h 9B sbc e A4 and h 9B scb e ; The result of these arithmatic opcodes aren't relevant, but they do reset the zero flag C4 9B E4 call nz, $E49B ; Corresponds to lower parts of screen tile data </pre> The main result of this region is to set h to $EE, followed by a call to screen tile data. Executing Coin Case at the location described in the setup will cause execution to jump to $DA98. It will then harmlessly slide through the sub a, h and nop instructions, after which execution will jump to $CF00, which is in the middle of the last buffered mail. Before ACE is triggered, the game will already print the amount of coins on screen. In particular, a number of coins whose first digit is equal to 1 will lead to $F7 (rst30h) being printed to $C4E1. The region between $C49B and $C4E1 is filled with harmless data consisting of blank tiles ($7F), textbox tiles ($7A-$7C) and arithmatic opcodes for the "Coins:" text ($82 AE A8 AD B2 9C). The end result is that a is set to be equal to $EE, the value stored in h, right before rst30h is activated. rst30h is technically an unused reset vector, but accidentally contains the last three bytes of JumpTable function, usually accessed by rst28h: <pre> 6F ld l, a ; hl = $EEEE D1 pop de ; Pops the return address to registers de E9 jp hl ; Jump to $EEEE, the second character of the last read mail </pre> This allows us to finally reach the last read mail, a region of memory that we have a good amount of control over. ===Effect of the mail=== Line 367 ⟶ 444: <pre> 80A7 ~~add~~and a, ; bFiller A7 and a ; Reset carry flag ~~80 add a, b~~ D4 B9 F8 call nc, $F8B9 ; Box names start at $D8BF/F8BF, setting the active box to box 1 will ensure we can safely slide through. ~~80 add a, b~~ E1 pop hl ; Additional pop to clear return address of call to screen data ~~80 add a, b~~ D1 pop de ; Set de to $0075, which holds value $00. Ensures that print function will end immediately after resuming ~~80 add a, b~~ E8 FF add sp, -1 ; Fix the effect of increasing the stack pointer ~~80 add a, b~~ 80F1 ~~add~~pop af ; a, b= $03 E0 9F ld ($FF9F), a ; Ensures return to ROM bank 3 after resuming execution ~~80 add a, b~~ A7 and a ; Reset carry flag. Not strictly necessary, but added for safety for now ~~80 add a, b~~ 80D0 ~~add~~ret ~~a, b~~nc ~~80 add a, b~~ ~~80 add a, b~~ ~~80 add a, b~~ ~~80 add a, b~~ ~~80 add a, b~~ ~~80 add a, b~~ ~~4E ld c, (hl) ; Newline control character.~~ ~~80 add a, b~~ ~~80 add a, b~~ ~~AF xor a ; Located at $CF00, all values before this address are filler and will not be executed.~~ ~~D6 FD sub $FD ; Set a to $03.~~ ~~E0 9F ld (hRomBank), a; Set current ROM bank to bank 3. This ROM bank contains item and pack data and ensures safe return.~~ ~~E8 FF add sp, $FF ; $FF is interpreted as a singed integer, stack pointer gets decremented and the stack is now properly aligned again.~~ ~~D1 pop de~~ ~~D1 pop de~~ ~~D1 pop de ; Pop text command related addresses so that returning from ACE execution will resume normal game operation.~~ ~~AF xor a ; Set a to $00, set carry flag to 0.~~ ~~D2 B9 F8 jp nc, $F8B9 ; Jump to echo ram copy of $D8B9, which lies a few bytes before box data.~~ </pre> Line 413 ⟶ 472: The code overwrites part of itself to call the byteFill function. This will fill the area between $D57E and $D5AF with $FF values, setting all 50 TM quantities to 255. Separately, this code overwrites the latter half of party pokémon #53's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer. Lastly, the value of the first item ID in the main item pocket is overwritten so that it becomes a TM25. Line 447 ⟶ 506: Box 5: $D8E3 E6 84 and $84 ; a = $04 EA FB9B FA ld ($~~FAFB~~FA9B), a D6 86 sub $86 ; a = $7E FB ei Line 454 ⟶ 513: Box 6: $D8EC EA F5 F8 ld ($F8F5), a EA FD9D FA ld ($~~FAFD~~FA9D), a F6 FF or $FF ; a = $FF, reset carry flag 21 Line 464 ⟶ 523: 50 ld d, b Box 8: $~~D907~~D8FE E6 D2 and $D2 ; a = $D2 EA FC9C FA ld ($~~FAFC~~FA9C), a D6 FA sub $FA ; a = $D8, TM25's item ID FB ei 50 ld d, b Box 9: $~~D910~~D907 EA B8 F5 ld (wItems), a ; Main item pocket, first item ID D6 E3 sub $E3 ; a = $F5 EA FE9E FA ld ($~~FAFE~~FA9E), a 50 ld d, b Box 10: $~~D919~~D910 D6 B7 sub $B7 ; a = 3E, reset carry flag EA FA9A FA ld ($~~FAFA~~FA9A), a D0 ret nc 50 ld d, b Line 565 ⟶ 624: C3 7E F5 jp wTMsHMs ; Carry and zero flag are both reset when using TM25 </pre> [[Category:Guides]]