Guides:Coin Case ACE: Difference between revisions
m
→TM Quantities to sell
(10 intermediate revisions by the same user not shown) | |||
Line 211:
|TM35 SLEEP TALK ||x239 ||8000
|-
|TM36 SLUDGE BOMB ||x58 ||
|-
|TM37 SANDSTORM ||x27 ||228000
Line 318:
! scope="row" | Mail
||
<pre>
h 'd</pre>
|-
! scope="row" | Test box name
||
<pre>0 9 é A ♀ h 'd
|-
! scope="row" | Setup box name
Line 331:
Box 3: ? b é , 2 'v ♂ 5
Box 4: é 2 2 'v ? é 5 2
Box 5: ? E é
Box 6: é ♀ 2 é
Box 7: ♀ ♀ ♀ ♀ ♀ 's
Box 8: ? 'm é
Box 9: é y ♀ 'v - é 8 4
Box 10: 'v x é
|-
! scope="row" | Reset box name
Line 350:
===Effect of the Coin Case===
Activating the Coin Case causes arbitrary code execution from $E112 onward, which is echo ram for $C112. This region corresponds with sound data and can be manipulated by buffering pokémon cries.
Playing Bellsprout or Machop's cry will buffer $33 at $C117. This opcode increments the stack pointer, desyncing the stack.
The sound that plays when swapping item pockets clears some bad data around the $C16x region. It also places a $C1 at $C16E, popping a value from the stack to registers bc.
The sound that plays when confirming the use of the Coin Case places $80 A1 D0 at $C192. Due to prior opcodes setting the value of register bc to $0000, the condition for the return will always be true. Thanks to incrementing the stack pointer and popping the stack once, the next return address will redirect execution to $EB12, echo ram for $CB12.
From $CB12, the game will nopslide until $CC20 is reached. This region contains data on buffered tiles that are added when the player moves around . Due to our specific movement pattern within the Goldenrod Radio Tower, this results in the following data, starting from $CC20:
<pre>
At start, hl = $B2B2 and sp : $DFBC
39 add sp ; hl = $926E
39 add sp ; hl = $722A
39 add sp ; hl = $51E6
39 add sp ; hl = $31A2
39 add sp ; hl = $115E
39 add sp ; hl = $F11A
39 add sp ; hl = $D0D6
39 add sp ; hl = $904E
39 add sp ; hl = $700A
39 add sp ; hl = $4FC6
39 add sp ; hl = $2F82, carry flag set
30 31 jr nc, $31 ; Ignore thanks to previous carry
1A ld a, (de)
1B dec de
1A ld a, (de)
1B dec de
0A ld a, (bc)
0B dec bc
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 39 39 ld bc, $3939
39 add sp ; hl = $0F3E
39 add sp ; hl = $EEFA, desired result in h, zero flag set
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 00 00 ld bc, $0000
00 nop
00 nop
84 add h
9B sbc e
A4 and h
9B scb e ; The result of these arithmatic opcodes aren't relevant, but they do reset the zero flag
C4 9B E4 call nz, $E49B ; Corresponds to lower parts of screen tile data
</pre>
The main result of this region is to set h to $EE, followed by a call to screen tile data.
Before ACE is triggered, the game will already print the amount of coins on screen. In particular, a number of coins whose first digit is equal to 1 will lead to $F7 (rst30h) being printed to $C4E1. The region between $C49B and $C4E1 is filled with harmless data consisting of blank tiles ($7F), textbox tiles ($7A-$7C) and arithmatic opcodes for the "Coins:" text ($82 AE A8 AD B2 9C). The end result is that a is set to be equal to $EE, the value stored in h, right before rst30h is activated.
rst30h is technically an unused reset vector, but accidentally contains the last three bytes of JumpTable function, usually accessed by rst28h:
<pre>
6F ld l, a ; hl = $EEEE
D1 pop de ; Pops the return address to registers de
E9 jp hl ; Jump to $EEEE, the second character of the last read mail
</pre>
This allows us to finally reach the last read mail, a region of memory that we have a good amount of control over.
===Effect of the mail===
Line 376 ⟶ 444:
<pre>
A7 and a ; Reset carry flag
D4 B9 F8 call nc, $F8B9 ; Box names start at $D8BF/F8BF, setting the active box to box 1 will ensure we can safely slide through.
E1 pop hl ; Additional pop to clear return address of call to screen data
D1 pop de ; Set de to $0075, which holds value $00. Ensures that print function will end immediately after resuming
E8 FF add sp, -1 ; Fix the effect of increasing the stack pointer
E0 9F ld ($FF9F), a ; Ensures return to ROM bank 3 after resuming execution
A7 and a ; Reset carry flag. Not strictly necessary, but added for safety for now
</pre>
Line 422 ⟶ 472:
The code overwrites part of itself to call the byteFill function. This will fill the area between $D57E and $D5AF with $FF values, setting all 50 TM quantities to 255.
Separately, this code overwrites the latter half of party pokémon #
Lastly, the value of the first item ID in the main item pocket is overwritten so that it becomes a TM25.
Line 456 ⟶ 506:
Box 5: $D8E3
E6 84 and $84 ; a = $04
EA
D6 86 sub $86 ; a = $7E
FB ei
Line 463 ⟶ 513:
Box 6: $D8EC
EA F5 F8 ld ($F8F5), a
EA
F6 FF or $FF ; a = $FF, reset carry flag
21
Line 473 ⟶ 523:
50 ld d, b
Box 8: $
E6 D2 and $D2 ; a = $D2
EA
D6 FA sub $FA ; a = $D8, TM25's item ID
FB ei
50 ld d, b
Box 9: $
EA B8 F5 ld (wItems), a ; Main item pocket, first item ID
D6 E3 sub $E3 ; a = $F5
EA
50 ld d, b
Box 10: $
D6 B7 sub $B7 ; a = 3E, reset carry flag
EA
D0 ret nc
50 ld d, b
Line 574 ⟶ 624:
C3 7E F5 jp wTMsHMs ; Carry and zero flag are both reset when using TM25
</pre>
[[Category:Guides]]
|