Guides:Coin Case ACE: Difference between revisions

===Effect of the Coin Case===
 
Activating the Coin Case causes arbitrary code execution from $E112 onward, which is Echo RAM for $C112. This region overlaps the sound data in WRAM and can be manipulated by buffering Pokémon cries.
The effects of the Coin Case are described in more detail on the following [http://Coin%20Case%20glitches#cause wiki page]. Relevant to this setup is that the used movement pattern will redirect execution to address $EEEE (echo ram copy of $CEEE), which is the second character of the last read mail. During this redirection, the stack pointer gets incremented once and an address gets popped from the stack. The global effect is that the stack pointer is decremented once compared to when the Coin Case was used.
 
Playing Bellsprout or Machop's cry will buffer $33 at $C117. This opcode increments the stack pointer, desyncing the stack.
 
The sound that plays when swapping item pockets clears some bad data around the $C16x region. It also places a $C1 (pop bc) at $C16E, popping a value from the stack into register pair bc.
 
The sound that plays when confirming the use of the Coin Case places $80 A1 D0 (add a, b / and c / ret nc) at $C192. Because prior opcodes set register pair bc to $0000, the and clears the carry flag and the conditional return is always taken. Thanks to incrementing the stack pointer and popping the stack once, the return address used will redirect execution to $EB12, Echo RAM for $CB12.
 
From $CB12, the game will nopslide ($00 = nop) until $CC20 is reached. This region contains data on buffered tiles that are added when the player moves around. Due to our specific movement pattern within the Goldenrod Radio Tower, this results in the following data, starting from $CC20:
 
<pre>
At start, hl = $B2B2 and sp = $DFBC
 
39 add hl, sp ; hl = $926E
39 add hl, sp ; hl = $722A
39 add hl, sp ; hl = $51E6
39 add hl, sp ; hl = $31A2
39 add hl, sp ; hl = $115E
39 add hl, sp ; hl = $F11A
39 add hl, sp ; hl = $D0D6
39 add hl, sp ; hl = $B092
39 add hl, sp ; hl = $904E
39 add hl, sp ; hl = $700A
39 add hl, sp ; hl = $4FC6
39 add hl, sp ; hl = $2F82, carry flag set
30 31 jr nc, $31 ; Not taken, thanks to the carry set by the previous add
1A ld a, (de)
1B dec de
1A ld a, (de)
1B dec de
0A ld a, (bc)
0B dec bc
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 39 39 ld bc, $3939
39 add hl, sp ; hl = $0F3E
39 add hl, sp ; hl = $EEFA, desired result in h, zero flag set
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
00 nop
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 01 01 ld bc, $0101
01 00 00 ld bc, $0000
00 nop
00 nop
84 add a, h
9B sbc a, e
A4 and h
9B sbc a, e ; The results of these arithmetic opcodes aren't relevant, but they do reset the zero flag
C4 9B E4 call nz, $E49B ; Corresponds to the lower part of the screen tile data
</pre>
 
The main result of this region is to set h to $EE, followed by a call to screen tile data.
 
Before ACE is triggered, the game will already have printed the amount of coins on screen. In particular, a number of coins whose first digit is 1 will lead to $F7 (rst 30h) being printed to $C4E1. The region between $C49B and $C4E1 is filled with harmless data consisting of blank tiles ($7F), textbox tiles ($7A-$7C) and arithmetic opcodes for the "Coins:" text ($82 AE A8 AD B2 9C). The end result is that a is set equal to $EE, the value stored in h, right before rst 30h is executed.
 
rst 30h is technically an unused reset vector, but it accidentally contains the last three bytes of the JumpTable function, which is usually accessed through rst 28h:
 
<pre>
6F ld l, a ; hl = $EEEE
D1 pop de ; Pops the return address to registers de
E9 jp hl ; Jump to $EEEE, the second character of the last read mail
</pre>
 
This allows us to finally reach the last read mail, a region of memory that we have a good amount of control over.
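To check the register trace claimed for the $CC20 tile data and the rst 30h tail without a full emulator, the following Python script is an added example (not part of this wiki page or any Glitch City tooling): a minimal interpreter for exactly the Sharp LR35902 opcodes that appear in the two listings above. The bytes at $CC20 and $0030 are reconstructed from the listings; the initial values of de, a and the low byte of hl, which the page does not give, are constructed and labelled as such. It reproduces the hl values after every add hl, sp, the final h = $EE, the call nz to $E49B, and the jp hl to $EEEE.

```python
"""Tiny emulator for the LR35902 opcode subset used in the Coin Case ACE trace.
Added example; memory contents are constructed from the listings, not dumped
from a cartridge or save state."""

# Constructed copy of the tile-buffer bytes the listing shows at $CC20.
CC20_BYTES = bytes(
    [0x39] * 12                       # add hl, sp  x12
    + [0x30, 0x31]                    # jr nc, +$31 (skipped: carry is set)
    + [0x1A, 0x1B, 0x1A, 0x1B]        # ld a,(de) / dec de  x2
    + [0x0A, 0x0B]                    # ld a,(bc) / dec bc
    + [0x01, 0x01, 0x01] * 5          # ld bc, $0101  x5
    + [0x01, 0x39, 0x39]              # ld bc, $3939
    + [0x39, 0x39]                    # add hl, sp  x2 -> h = $EE
    + [0x00] * 20                     # nop slide
    + [0x01, 0x01, 0x01] * 5          # ld bc, $0101  x5
    + [0x01, 0x00, 0x00]              # ld bc, $0000
    + [0x00, 0x00]                    # nop x2
    + [0x84, 0x9B, 0xA4, 0x9B]        # add a,h / sbc a,e / and h / sbc a,e
    + [0xC4, 0x9B, 0xE4]              # call nz, $E49B
)
# Constructed copy of the three bytes at rst $30 (tail of JumpTable).
RST30_BYTES = bytes([0x6F, 0xD1, 0xE9])   # ld l,a / pop de / jp hl


class CPU:
    """Registers, Z/C flags and a sparse memory map. Execution stops as soon
    as pc leaves the bytes that were explicitly loaded (a control transfer)."""

    def __init__(self, sp, hl=0, bc=0, de=0, a=0):
        self.mem, self.trace = {}, []
        self.sp, self.hl, self.bc, self.de, self.a = sp, hl, bc, de, a
        self.pc, self.z, self.c = 0, False, False

    def load(self, addr, data):
        for i, b in enumerate(data):
            self.mem[(addr + i) & 0xFFFF] = b

    def rd(self, addr):
        return self.mem.get(addr & 0xFFFF, 0x00)   # unloaded RAM reads as $00

    def push(self, val):
        self.sp = (self.sp - 2) & 0xFFFF
        self.mem[self.sp], self.mem[(self.sp + 1) & 0xFFFF] = val & 0xFF, val >> 8

    def pop(self):
        val = self.rd(self.sp) | (self.rd(self.sp + 1) << 8)
        self.sp = (self.sp + 2) & 0xFFFF
        return val

    def alu8(self, result):
        """Store an 8-bit ALU result in a; C from borrow/carry, Z from a == 0."""
        self.c = result < 0 or result > 0xFF
        self.a = result & 0xFF
        self.z = self.a == 0

    def step(self):
        op = self.rd(self.pc)
        h, e = self.hl >> 8, self.de & 0xFF
        nn = self.rd(self.pc + 1) | (self.rd(self.pc + 2) << 8)   # 16-bit immediate
        self.pc += 1
        if op == 0x00: pass                                        # nop
        elif op == 0x39:                                           # add hl, sp: Z unaffected
            total = self.hl + self.sp
            self.c, self.hl = total > 0xFFFF, total & 0xFFFF
        elif op == 0x30:                                           # jr nc, e8
            off = self.rd(self.pc); self.pc += 1
            if not self.c:
                self.pc += off - 0x100 if off > 0x7F else off
        elif op == 0x1A: self.a = self.rd(self.de)                 # ld a, (de)
        elif op == 0x1B: self.de = (self.de - 1) & 0xFFFF          # dec de (no flags)
        elif op == 0x0A: self.a = self.rd(self.bc)                 # ld a, (bc)
        elif op == 0x0B: self.bc = (self.bc - 1) & 0xFFFF          # dec bc (no flags)
        elif op == 0x01: self.bc = nn; self.pc += 2                # ld bc, nn
        elif op == 0x84: self.alu8(self.a + h)                     # add a, h
        elif op == 0x9B: self.alu8(self.a - e - self.c)            # sbc a, e
        elif op == 0xA4: self.alu8(self.a & h)                     # and h (clears C)
        elif op == 0xC4:                                           # call nz, nn
            self.pc += 2
            if not self.z: self.push(self.pc); self.pc = nn
        elif op == 0x6F: self.hl = (self.hl & 0xFF00) | self.a     # ld l, a
        elif op == 0xD1: self.de = self.pop()                      # pop de
        elif op == 0xE9: self.pc = self.hl                         # jp hl
        else: raise NotImplementedError(f"opcode ${op:02X}")
        self.pc &= 0xFFFF
        self.trace.append((op, self.hl, self.c))

    def run(self, pc, max_steps=200):
        self.pc = pc
        for _ in range(max_steps):
            if self.pc not in self.mem:      # left the loaded bytes: transfer target
                return self.pc
            self.step()
        raise RuntimeError("did not leave the loaded region")


def trace_cc20(sp=0xDFBC, hl=0xB2B2):
    """Run the $CC20 data with the page's sp/hl; bc=$0000 per the page,
    de and a constructed as 0. Returns hl after each add hl,sp, final hl,
    the call target and sp after the call pushed its return address."""
    cpu = CPU(sp=sp, hl=hl, bc=0x0000, de=0x0000, a=0x00)
    cpu.load(0xCC20, CC20_BYTES)
    target = cpu.run(0xCC20)
    adds = [hl for op, hl, _ in cpu.trace if op == 0x39]
    return adds, cpu.hl, target, cpu.sp


def trace_rst30(a=0xEE, sp=0xDFBC):
    """Run rst $30 with a == h == $EE and one (constructed) return address
    on the stack. Returns the jump target and the value popped into de."""
    cpu = CPU(sp=sp, hl=(a << 8) | 0x12, a=a)   # low byte of hl is constructed
    cpu.push(0x1234)                             # constructed return address
    cpu.load(0x0030, RST30_BYTES)
    return cpu.run(0x0030), cpu.de
```

Running `trace_cc20()` gives the twelve hl values from $926E down to $2F82, then $0F3E and $EEFA, and ends with pc = $E49B; `trace_rst30()` ends at $EEEE with the pushed word in de, matching the two listings. Note that `add hl, sp` leaves Z untouched on this CPU, so whether the final `call nz` is taken depends on the four 8-bit ALU opcodes before it, exactly as the page states.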
 
===Effect of the mail===