Guides:Glitch Pokédex Mode ACE setup (DE): Difference between revisions
m (→German) |
m (→Appendix) |
||
Line 617:
<pre>
Lead-up to wBoxNames: $D8BE
22 ldi (hl), a
Box 1: $D8BF
Line 660:
E1 pop hl ; hl = $0080
F6 A6 or A6 ; a = $A6
EF rst28h JumpTable
EF filler
A3 filler
Line 671:
B5 filler
B8 filler ; Overwritten to C4 79 31 (call ByteFill)
(A1) 9A FA filler ; Overwritten to form 21 9A FA (ld hl, $FA9A)
A7 and a ; Reset zero flag
50 ld d, b
Line 815:
E1 pop hl ; hl = $0080
F6 A6 or A6 ; a = $A6
EF rst28h JumpTable
83 add e ; a = $42
F5 push af
|
Revision as of 00:37, 8 December 2023
This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see Glitch Pokédex Mode ACE. |
This page serves as a repository for a Glitch Pokédex Mode ACE setup for the German version of Pokémon Gold & Silver. It is part of the TimoVM's Gen 2 ACE setups set of guides.
Please make sure to fully read every step of the guide before executing them.
If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.
Introduction
In the generation 2 games, the pokédex has three different modes that change the order of displayed pokémon within the pokédex. When selecting a certain mode, the game stores the value of the last selected mode in RAM, so that it will keep using this mode when you next use the pokédex. This valueis then used as part of a jump table, which returns the addresses of the functions used to determine the pokédex order.
By setting this value to an invalid pokédex mode value, the game will index this jumptable out of bounds. Some of these invalid values result in addresses that point to wram, resulting in arbitrary code execution. Since this value is in reach of the extended ball pocket, we can abuse an item swap to set such an invalid value.
By using the special properties of a $00 species pokémon, we are able to obtain duplicate key items which can then allow us to set up the extended ball pocket. One of the major components of previous ACE setups was the requirement of having to use the day care in order to obtain a $00 species pokémon. This guide introduces a setup that does not require the day care and can be set up in Violet City, once the player obtains the Togepi Egg.
In practice, the initial ACE setup will be created using the following general process:
- Obtain the necessary player name, items and pokémon for the setup.
- Obtain a bad clone.
- Increase the happiness of the bad clone by 1, then create a hybrid between the Togepi egg and the bad clone.
- Hatch the bad clone egg to obtain a $00 species pokémon.
- Use the $00 species pokémon to obtain two mystery eggs and one fast ball, then use duplicate key items glitch to activate the extended ball pocket and set up glitch pokédex mode ACE.
Things you should know prior to starting the guide
- This guide allows players to set up ACE from Violet City onward, right after obtaining the Togepi Egg. As a drawback, the player needs to perform two separate save corruptions, both of which have around between 1 frame of leeway. If this seems too daunting, alternative guides are provided on the TimoVM's Gen 2 ACE setup page that can be executed once you reach Goldenrod City.
A note on the side effects of the method described below
The method described on this page requires fairly heavy abuse of glitches that will produce a number of side effects. All these side effects can be fixed with later applications of ACE and are never permanently harmful for the game in any way:
- Obtaining duplicate key items requires obtaining a glitch pokémon that cannot be manually released.
- Hatching a $00 species pokémon sets the seen/caught flags for an pokémon species that should not exist.
- Duplicate key item swap glitch removes the CANCEL button from the key item pocket.
- Buying or obtaining additional poké balls causes issues when done with an extended ball pocket.
- Setting up glitch pokédex mode ACE disables the use of the PokéGear.
A code will be provided at the end of the guide that fixes all these issues in one execution and will allow you to choose a new player name.
Step 1: Initial setup
When playing on original cartridge or on emulator, it is absolutely required to have used the Clear Save Data feature (press SELECT + UP + B on the title screen) at least once since owning the game.
Preparing the save
First, we're going to make sure to set up the save and collect all the requirements to perform the setup.
- (optional) Hold SELECT + UP + B on the title screen to reset your save. After the save is cleared, start a new game.
- Due to technical reasons, this guide can only be performed if the following are both true for your trainer ID:
- Your trainer ID must not be equal or higher than 65280.
- The remainder after dividing your trainer ID by 256 must not be equal to 255.
- Any starter works, but Totodile is the fastest option and can be used to obtain a Flower Mail without needing a separate visit to the PokéMart.
- Make sure to start the in-game clock during morning or midday.
Collecting the requirements
Next, we'll gather the required items and pokémon for the setup.
- Do the following before reaching Violet City:
- Catch one Sentret (Route 29, 40% to encounter only during morning and midday)
- Catch one Bellsprout (route 31, 20% chance to encounter throughout the day)
- Do the following after reaching Violet City:
- Defeat the gym leader and obtain TM31 (mud-slap)
- Obtain the Togepi egg
- Within the ball pocket, make sure you only have two poké ball left.
- (optional) Set the current pokédex mode to "OLD POKéDEX MODE". This adds a visual marker for a later item swap.
Step 2: Obtaining a $00 species pokémon
Using two instances of save corruption, we'll turn the starter into a $00 glitch pokémon.
Preparing the box
Before we can use save corruption with any degree of consistency, it is a good idea to fill up a box first. This will give us around 1 frame of leeway to perform save corruption.
- Using normal cloning, put 15 pokémon in a box that has never been completely full at any point in the past.
- Make sure you end up with at least 5 copies of Bellsprout.
- For safety reasons, it is recommended you make additional clones of the starter pokémon, the Togepi egg and the Sentret.
Performing the first save corruption
Using save corruption, we're going to turn the starter into a bad clone of the starter using the following process:
- Deposit the starter to the current active box.
- Go to "Move pokémon w/o mail", you will get a prompt to save the game.
- Reset the game shortly after the "saving...” text is fully printed.
- If successful, upon restarting the game you will find a level 0 female version of the deposited pokémon with a blank name.
Please note that the timing of this is very strict (around 1 frame to obtain a bad clone).
- If nothing was saved, the reset was too early. Next time, wait a little bit longer to reset.
- If the pokémon was successfully cloned, the reset was too late. next time, reset a little bit earlier.
- If the box ever gets to 19 pokémon in total, release pokémon from the box until there are only 25 pokémon present. Make sure to save normally after releasing them.
Use these guidelines and keep retrying until you've obtained a bad clone.
Preparing the bad clone for the second save corruption
Our aim is to hatch a $00 species. The bad clone gets us halfway there, but we need to adjust its happiness value so that it can hatch as soon as possible after hybridizing it to a bad clone egg.
- Withdraw the bad clone, use TM31 to teach it mud-slap. This will increase its happiness value by exactly 1.
- Deposit the bad clone back into the active box.
- Deposit enough pokémon to completely fill the box, ensure that the bad clone is at the last position inside the box.
- Withdraw the Togepi egg to your party.
- Withdraw/release pokémon other than the bad clone from the box until 15 pokémon are left in the box. Ensure that the bad clone is always in the last position.
Performing the second save corruption
Using save corruption, we're going to obtain a bad clone of the Togepi egg. Thanks to filling the box entirely and putting the bad clone in the last position within the box, all the empty slots are now filled with leftover data of the bad clone. This allows us to create an egg containing the data of the bad clone.
- Deposit the Togepi Egg to the current active box.
- Go to "Move pokémon w/o mail", you will get a prompt to save the game.
- Reset the game shortly after the "saving...” text is fully printed.
- If successful, upon restarting the game you will find an egg with a blank name. In the summary, it will report that it is making sounds and is close to hatching.
- Withdraw the bad clone egg, then walk around until it hatches into a $00 species.
Please note that the timing of this is very strict (around 1 frame to obtain a bad clone egg).
- If nothing was saved, the reset was too early. Next time, wait a little bit longer to reset.
- If the pokémon was successfully cloned, the reset was too late. next time, reset a little bit earlier.
- If the box ever gets to 20 pokémon in total, move the bad clone to the last slot, then release/move pokémon from the box (while keeping the bad clone in the last slot) until there are only 15 pokémon present. Make sure to save normally after releasing/moving them.
Step 3: Obtaining duplicate key items and setting up glitch pokédex mode ACE
Reminder: this method will only work if your trainer ID fulfills both of the following requirements:
- Your trainer ID must not be equal or higher than 65280.
- The remainder after dividing your trainer ID by 256 must not be equal to 255.
Collecting the required items and party
Have the following items in the ball pocket:
- Slot 1: Poké Ball x2
- Slot 2 and beyond: empty
Have the following items in the key item pocket:
- All key items you've obtained in your save thus far (withdraw all key items, if any, that you previously stored from the PC)
Have the following pokémon in the party:
- $00 Species that was hatched from the bad clone egg
- Sentret
- Starter pokémon
- Bellsprout
- Bellsprout
- Bellsprout
Have the following pokémon in the box:
- Two Bellsprout
- Ine normal Pokémon.
Keep in mind that all these pokémon, with the exception of the normal pokémon, will be corrupted during this process. Please make sure to obtain copies of these pokémon using normal cloning if you wish to keep any of them.
Performing a party overload
Next, we're going to abuse the special properties of the $00 species pokémon to get over 6 pokémon simultaneously in the party.
- Using "move pokémon w/o mail", add a Bellsprout to the first party slot. This will push the glitch pokémon down to the second slot.
- Exit the PC, open the start menu and switch the glitch pokémon in the second slot with the Bellsprout in the fifth slot. Your party should be arranged as such:
- Bellsprout
- Bellsprout
- Sentret
- Starter pokémon
- $00 Species that was hatched from the bad clone egg
- Bellsprout
- Bellsprout
- Using "move pokémon w/o mail", add a second Bellsprout to last available party slot. This will result in a total of 8 party pokémon, both Bellsprouts and the Sentret now have a held item.
- Exit the PC, open the start menu. Retrieve the Mystery Eggs from the Bellsprouts, retrieve the Fast Ball from the Sentret.
- (optional) If you picked Totodile as a starter, it will now be holding a flower mail. Retrieve it and put it in the bag.
- Select "Deposit pokémon" from the PC and release the top three pokémon in your party.
- Withdraw the normal pokémon from your box using "Withdraw pokémon". This will restore the normal functionality of the party.
Setting up glitch pokédex mode ACE
- Arrange the Ball pocket as follows:
- Slot 1: Fast Ball x1
- Slot 2: Poké Ball x2
- Go to the KEY ITEM pocket. Swap the first MYSTERY EGG with the second MYSTERY EGG.
- Go to the BALL pocket, the FAST BALL has now changed into a MASTER BALL. THE POKé BALL has now changed into an ULTRA BALL. The game now believes you have a total of 161 item slots in the ball pocket, allowing you to scroll past the CANCEL button.
- Toss 184 Ultra Balls until you have only 71 Ultra Balls remaining. Swap the Ultra Ball with the item in the 65th item slot (this item slot can be easily recognized due to having a quantity of 1 if you've previously set "OLD POKéDEX MODE" in the POKéDEX).
- Go back to the start menu. Check if the PokéGear option has disappeared from the start list. If it has, you can now save the game.
This swap removes the PokéGear from the start list and will activate Glitch Pokédex Mode ACE. From this point onward, using the pokédex will trigger ACE from $F8EA onward, an address that correspond to the 8th character of the 5th box name..
Do NOT open the pokédex yet. Opening the pokédex right now will likely crash the game. We first need to set up a way to properly execute ACE in a controlled manner.
Step 4: Setting up the Mail Writer
We have successfully set up Glitch Pokédex Mode ACE, what now?
Using Glitch Pokédex Mode ACE works great for an initial setup, but there are a few drawbacks:
- At this moment, we are not able to change the Pokédex Mode. This renders the Pokédex unusable for any other purpose than ACE.
- While $F8EA is a convenient entrance point, we still need to actually read a mail every time we want to execute ACE.
Due to this, we're going to focus on building the setup in three ways:
- Our aim is to switch from Glitch Pokédex Mode ACE to Wrong Pocket TM ACE. By putting a TM25 in a pocket other than the TM/HM pocket, we can simply use TM25 to execute ACE. TM25 will trigger ACE from address $DA6A onward, which corresponds to stat experience data of the 2nd party pokémon.
- To help with making TM25 usable, we'll also modify the data of two pokémon so that they can be used with TM25. One pokémon will redirect execution to box names, while the other will redirect execution to the TM/HM pocket.
- Finally, we're going to install a program, written using TM quantities, that allows us to easily write and execute any code we want. To do that, we're going to use ACE to obtain 255 copies of all TMs, then sell them in specific quantities to write out a program.
In summary, we will proceed as follows:
- Prepare a mail and box name code that will add TM25, modify two pokémon so that they can be used with TM25 and set all TM quantities to 255.
- Sell TMs in specific quantities in order to be able to run the Mail Writer
- Use Wrong Pocket TM25 to run the Mail Writer and clean up the side-effects of the setup.
Preparing the party
For this part, it is recommended to catch any two pokémon and nickname them, you can use the Master Balls that are in the Ball pocket for this purpose. Give them the following nicknames:
- "MAILWRITER"
- "BOXCODES"
- Arrange your party like this:
- Any
- Any
- MAILWRITER
- Any
- BOXCODES
- Glitch pokémon used in step 3
- Finally, give any party pokémon a mail with the following content to hold:
|
Setting up box names to set up TM25 and give 255 of every TM
For the German version of Gold & Silver, we'll set up TM25 and obtain 255 copies of every TM using a single execution. Write the following box name codes:
|
Once this is done, make sure to save the game.
Step 5: Using Glitch Pokédex Mode ACE
Now that we have everything set up, we are going to use Glitch Pokédex Mode ACE to execute the box name code that we previously set up.
Executing the box name code
You can use Glitch Pokédex Mode ACE using the following process:
- In case you have more than one Key Item, make sure that the Mystery Egg is located at the top of the key item pocket.
- Read the held mail that was previously given to a party pokémon.
- Open the start menu and open the pokédex. If the mail and box name codes were written correctly, this will immediately open and automatically close the pokédex.
If the code crashes, check the following:
- Are the box name codes (or mail) correct?
- In the 65th slot of the Ball pocket, is the item quantity equal to 71?
Effect of the mail and box name code
The code that we used was fairly complicated and has a couple of separate effects.
- A TM25 was added to the Key Item pocket and has replaced the Mystery Egg that was previously there.
- The MAILWRITER nicknamed pokémon has had its stat experience data changed. When put in the 2nd party slot, using TM25 will redirect execution to the TM/HM pocket.
- The BOXCODES nicknamed pokémon has had its stat experience data changed. When put in the 2nd party slot, using TM25 will redirect execution to the last read mail. This is intentional, due to limitations with the German characterset within box names, it is often necessary to execute mail codes with help from a mail.
- The TM/HM pocket has now been filled with 255 copies of every kind of TM.
Note: From this point onward, the MAILWRITER and BOXNAMES nicknamed pokémon must never gain experience in battle, or else they will no longer function correctly. They can, however, be safely deposited and withdrawn from the PC.
Step 6: Selling TMs to set up the Mail Writer
Now that we have obtained x255 of every TM, we'll be selling specific amounts of these in order to form a program.
The image belows displays the intended final quantities of all TMs, while the table in the next section displays how many TMs of each kind you need to end up with, along with the amount of money you gain by selling them.
Graphical overview
|
TMs
TM | Final Quantity | Sell value |
---|---|---|
TM01 DYNAMICPUNCH | x17 | 357000 |
TM02 HEADBUTT | x85 | 170000 |
TM03 CURSE | x221 | 51000 |
TM04 ROLLOUT | x213 | 42000 |
TM05 ROAR | x213 | 21000 |
TM06 TOXIC | x213 | 63000 |
TM07 ZAP CANNON | x33 | 222000 |
TM08 ROCK SMASH | x34 | 110500 |
TM09 PSYCH UP | x98 | 78500 |
TM10 HIDDEN POWER | x207 | 72000 |
TM11 SUNNY DAY | x225 | 30000 |
TM12 SWEET SCENT | x209 | 23000 |
TM13 SNORE | x42 | 106500 |
TM14 BLIZZARD | x254 | 1500 |
TM15 HYPER BEAM | x80 | 262500 |
TM16 ICY WIND | x56 | 298500 |
TM17 PROTECT | x251 | 6000 |
TM18 RAIN DANCE | x40 | 215000 |
TM19 GIGA DRAIN | x10 | 367500 |
TM20 ENDURE | x135 | 180000 |
TM21 FRUSTRATION | x134 | 60500 |
TM22 SOLARBEAM | x18 | 355500 |
TM23 IRON TAIL | x19 | 354000 |
TM24 DRAGONBREATH | x35 | 330000 |
TM25 THUNDER | x129 | 126000 |
TM26 EARTHQUAKE | x79 | 264000 |
TM27 RETURN | x18 | 118500 |
TM28 DIG | x24 | 231000 |
TM29 PSYCHIC | x239 | 16000 |
TM30 SHADOW BALL | x33 | 333000 |
TM31 MUD-SLAP | x1 | 381000 |
TM32 DOUBLE TEAM | x196 | 59000 |
TM33 ICE PUNCH | x77 | 267000 |
TM34 SWAGGER | x205 | 25000 |
TM35 SLEEP TALK | x230 | 12500 |
TM36 SLUDGE BOMB | x58 | 98500 |
TM37 SANDSTORM | x27 | 228000 |
TM38 FIRE BLAST | x205 | 50000 |
TM39 SWIFT | x135 | 120000 |
TM40 DEFENSE CURL | x55 | 100000 |
TM41 THUNDERPUNCH | x189 | 99000 |
TM42 DREAM EATER | x40 | 322500 |
TM43 DETECT | x217 | 19000 |
TM44 REST | x56 | 298500 |
TM45 ATTRACT | x240 | 22500 |
TM46 THIEF | x254 | 1500 |
TM47 STEEL WING | x08 | 370500 |
TM48 FIRE PUNCH | x200 | 82500 |
TM49 FURY CUTTER | x24 | 346500 |
TM50 NIGHTMARE | x242 | 13000 |
Running the newly written program
- It is recommended to save before continuing.
- Put the pokémon that was nicknamed "MAILWRITER" into the 2nd party slot.
- Use TM25. If everything went correctly, this will start the mail writer and open a screen asking you to input text for a mail.
- From now on, you can repeat this process at any time to start the mail writer.
- The next section will elaborate on the usage of the Mail Writer. Please read these instructions carefully before proceeding.
If the game crashes, first recheck if all TM quantities are correct. If all quantities are correct, you may need to redo the setup for the "MAILWRITER" pokémon. This can be done using the box codes included a bit further below.
How the mail writer works
Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place:
- The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code.
- Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where they can either choose to write another mail, go back and correct previously written values or stop the mail writer and execute the newly written payload.
- If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a 16 byte long line of code and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads.
- Assembly can easily be converted to mail codes using TimoVM's MailConverter. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write.
Mail Writer Controls
Between entering mail codes, the mail writer will ask for user input.
- Press A to open a new mail and continue writing data.
- Press B to immediately jump to and start executing the newly written program. Only use this when you've finished every mail.
- Press any other button to go back one byte at a time to correct errors. If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail. This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.
Using the Mail Writer to fix the side effects of the setup
Finally, we can both test the Mail Writer and fix the side effects of the setup. Please note that, for safety reasons, this cleanup code will not disable Glitch Pokédex Mode ACE. A second code will be provided that allows you to alter the current Pokédex Mode directly.
Simply copy the assembly code that is applicable for your setup, then click the link at the top of the table to go to the MailConverter tool. Make sure to select "German" as language and "Gold/Silver" as version.
21 7A D6 2A 23 F6 84 22 AF 21 E1 D5 47 4E 09 23 36 FF 2E FC 36 01 21 03 DC CB BE 2E 23 CB BE 21 22 DA 4E 35 09 36 FF C9 |
The cleanup code has the following effects:
- Restore the previous PokéGear flags.
- Add a CANCEL button at the end of the key item list.
- Set the amount of items in the ball pocket to 1.
- Remove the seen/caught flags of the hatched $00 species.
- Remove the glitch pokémon at the end of the party.
Optional: Altering the current Pokédex Mode
This code will alter the current active Pokédex Mode. By default, it sets the Pokédex Mode to zero, making it possible to use the Pokédex normally again. By changing the value marked in bold, you can change the value that the Pokédex Mode will be set to. You can reactivate Mode 71, the Mode that executes from $F8EA onward, by changing the value in bold to $47.
3E 00 EA 7E D6 C9 |
Conclusion: What to do with the Mail writer
The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:
- Mail codes: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc..
- RAM writer: (recommended for more experienced users) this page contains the assembly for a large one-size-fits all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.
Addendum: repairing the "MAILWRITER" pokémon
In case something happens with the "MAILWRITER" nicknamed pokémon that causes it to no longer function, you can repair the pokémon without having to reset TM quantities using the following procedure:
- Arrange the party as follows:
- Any
- "BOXCODES" pokémon
- "MAILWRITER" pokémon
- Any
- Any
- Any
Repairing the setup using Glitch Pokédex Mode ACE
- Enter the following box name. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().
|
- Make sure to read the mail that we previously wrote:
|
- Note: as a side effect of using this set of codes, the first item in the Key item pocket will be mutated to a TM25. Make sure to put TM25 in the first slot to prevent accidentally losing important Key items.
- Open the pokédex to execute the code. If the game crashes, doublecheck the box name code and ensure you've performed every step of the process correctly
- If the code executes succesfully, the "MAILWRITER" nicknamed pokémon has now been repaired.
Repairing the setup with Wrong Pocket TM25
- Enter the following box name. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().
|
- Write a new mail with the following content:
|
- Before using TM25, make sure to re-read the mail.
- Use TM25 to execute the code. If the game crashes, doublecheck the box name code and ensure you've performed every step of the process correctly
- If the code executes succesfully, the "MAILWRITER" nicknamed pokémon has now been repaired.
Appendix
Plain text transcripts of codes
- Glitch Pokédex mail
Language | |
---|---|
German |
é 5 4 p E é 6 4 ë ♀ é 4 4 D E 5 é Mn ♀ T H é ß 2 ( Pk é 3 2 ä Ä 2 |
- Setup box name code
Language | Box names |
---|---|
German |
Box 1: Ä ö ß 2 W ö ß 2 Box 2: W ö ß 2 W W T 5 Box 3: ö ß 2 w G ö ß 2 Box 4: G ö ß 2 G ö ß 2 Box 5: G ö ß 2 Ü 9 2 p Box 6: ♀ Pk 0 g ♂ ♂ d J Box 7: T S v y b ( 4 h Box 8: Ä 0 9 ö * 2 ? ß Box 9: ? [SPACE] ö ß 2 ? E 5 Box 10: ö ß 2 p 0 Ü 5 5 Box 11: ö ß 2 H E ö ß 2 Box 12: p 0 ♀ ö ß 2 p D Box 13: ? Mn ♀ Pk 0 - 1 |
- Reset box name code (Glitch Pokédex Mode)
Language | Box names |
---|---|
German |
Box 1: Ä ö 3 2 p 0 ] H Box 2: ö ß 2 ? E ö ß 2 Box 3: p 0 Ü ö ß 2 H E Box 4: ö ß 2 p 0 ♀ 5 5 Box 5: ö ß 2 U ä * 2 p Box 6: ♀ Pk 0 g ♂ D ♀ Pk Box 7: 0 - 1 ( ( ( 4 Ä |
- Wrong Pocket TM mail
Language | |
---|---|
German |
A A A A A A A A A A A A A A A A A A ë y é ß 2 ë 9 é Ä 2 ä Ä 2 |
- Reset box name code (Wrong Pocket TM)
Language | Box names |
---|---|
German |
Box 1: Ä Ä ( 4 p 0 ] H Box 2: ö ß 2 ? E ö ß 2 Box 3: p 0 Ü ö ß 2 H E Box 4: ö ß 2 p 0 ♀ 5 5 Box 5: ä ß 2 |
In-depth explanation of the setup
Effect of the glitch pokédex mode
In the 2nd generation of Pokémon games, the Pokédex offers three different modes of sorting pokémon species (New, Old, A-Z). When the Pokédex is opened, the game checks which mode was last active, then launches a function to sort all species. Since the game needs to know which mode was last active, the last used Pokédex mode is stored in RAM at address $D67E.
By swapping an item stack using the extended Ball Pocket, we can directly overwrite the value for the last used mode. When the Pokédex is next opened, the game will read this value and attempt to launch an invalid sorting function depending on the value used, some of which will trigger ACE.
For the French versions of Gold & Silver, mode 25 ($19) will trigger ACE from $F8CD onward. This address is echo ram for $D8CD, which correspond to the 6th character of the 2nd box name.
When species $00 is registered to the Pokédex, opening the Pokédex after safely returning from ACE can result in regions of data (including map data) being overwritten with $D1 values. To prevent this issue from occuring, the codes included will ensure that we will be immediately forced to exit the pokédex once the code is executed.
Effect of the mail
The last read mail is buffered from $CEED onward. Converting the characters from the mail to assembly results in the following, ordered by language:
German
Mail EA FB FA ld ($FAFB), a ; a = $EA AF xor a ; a = $00 84 add h ; a = $CE EA FC FA ld ($FAFC), a C6 F5 add $F5 ; a = $C3 EA FA FA ld ($FAFA), a 83 add e ; a = $0A 84 add h ; a = $D8 FB ei 4E ld c, (hl) EA E2 F5 ld (wKeyItems), a ; Change first item in key item pocket to TM25 93 sub e ; a = $91 87 add a ; a = $22, set carry flag EA BE F8 ld ($F8BE), a 9A add a ; a = $21 E1 pop hl ; Set hl to $D8F1, return address of previous rst28h EA F9 F8 ld ($F8F9), a C3 C0 F8 jp wBoxNames + 1 h Bootstrap ($FAFA, 5th party pokémon's stat experience) C3 EA CE jr nz, wTempMail - 3h
Effect of the setup box name code
Converting the characters from box names to assembly results in the following code. Please note that the box name code overwrites part of itself, the translated assembly assumes the code was already used once.
The code overwrites part of itself to call the byteFill function. This will fill the area between $D57E and $D5AF with $FF values, setting all 50 TM quantities to 255. Separately, this code overwrites the latter half of party pokémon #5's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer.
German
Lead-up to wBoxNames: $D8BE 22 ldi (hl), a ; Due to mail, set hl to $D8F1 Box 1: $D8BF C0 C4 BE F8 call nz, $F8BE ; Due to mail, a = $21 96 sub (hl) ; a = $7E C4 BE F8 call nz, $F8BE 50 ld d, b Box 2: $D8C8 96 sub (hl) ; a = $F5 C4 BE F8 call nz, $F8BE 96 sub (hl) 96 sub (hl) 93 sub e ; a = $0E FB ei 50 ld d; b Box 3: $D8D1 C4 BE F8 call nz, $F8BE B6 or (hl) ; a = $9F 86 add (hl) ; a = $32 C4 BE F8 call nz, $F8BE 50 ld d, b Box 4: $D8DA 86 add (hl) ; a = $C3 C4 BE F8 call nz, $F8BE 86 add (hl) ; a = $79 C4 BE F8 call nz, $F8BE 50 ld d, b Box 5: $D8E3 86 add (hl) ; a = $31 C4 BE F8 call nz, $F8BE C2 FF F8 jp nz, $F8FF AF xor a ; a = $00, entry point for mode 71 50 ld d, b Box 6: $D8EC F5 push af E1 pop hl ; hl = $0080 F6 A6 or A6 ; a = $A6 EF rst28h JumpTable; Due to ROM header structure, call $CEEA, three bytes before the last read mail EF filler A3 filler 89 filler ; Overwritten to 21 7E F5 (ld hl, wTMsHMs) 50 filler Box 7: $D8F5 93 filler ; Overwritten to 0E 32 (ld e, $32) 92 filler B5 filler B8 filler ; Overwritten to C4 79 31 (call ByteFill) (A1) 9A FA filler ; Overwritten to form 21 9A FA (ld hl, $FA9A) A7 and a ; Reset zero flag 50 ld d, b Box 8: $D8FE C0 ret nz F6 FF or $FF ; a = $FF C4 F1 F8 call nz, $F8F1 E6 BE and $BE ; a = $BE 50 ld d, b Box 9: $D907 E6 7F and $7F ; a = $3E C4 BE F8 call nz, $F8BE E6 84 and $84 ; a = $04 FB ei 50 ld d, b Box 10: $D910 C4 BE F8 call nz, $F8BE AF xor a ; a = $00 F6 C2 or $C2 ; a = $C2 FB ei FB ei 50 ld d, b Box 11: $D919 C4 BE F8 call nz, $F8BE 87 add a 84 add h ; a = $7E C4 BE F8 call nz, $F8BE 50 ld d, b Box 12: $D922 AF xor a ; a = $00 F6 F5 or $F5 ; a = $F5 C4 BE F8 call nz, $F8BE AF xor a ; a = $00 83 add e 50 ld d, b Box 13: $D92B E6 E2 and $E2 ; a = $42 F5 push af E1 pop hl ; h = $42 F6 E3 or $E3 ; a = $E3 F7 rst30h ; Jump to $10:42E3, final bytes of Pokedex_ReinitDexEntryScreen. This will set $CE63 to $FF, causing immediate exit of Pokédex after return Party pokémon #3's stat experience, starting from $DA9A 3E 04 ld a, $04 C2 7E F5 jp nz, wTMsHMs ; Carry and zero flag are both reset when using TM25
Effect of the TM code
Converting the TM quantities to assembly results in the following code. Please note that this code requires a value of $04 in register a in order to properly work.
German
11 55 DD ld de, $DD55 D5 push de D5 push de ; .nextMail D5 push de 21 22 62 ld hl, _ComposeMailMessage CF rst08h, FarCall a:hl E1 pop hl D1 pop de 2A ldi a, (hl) ; .continue FE 50 cp $50 38 FB jr c, .continue 28 0A jr z, .terminator 87 add a, a 86 add a, (hl) 12 ld (de), a 13 inc de 23 inc hl 81 add a, c 4F ld c, a 12 ld (de), a 18 EF jr .continue 21 01 C4 ld hl, $C401 ; .screenLoop 4D ld c, l CD E6 3A call PrintBCDNumber.loop - 1 1B dec de ; .goBack CD 87 37 call JoyTextDelay_ForcehJoyDown BD cp a, l ; l = $04 28 D9 jr z, .nextMail 38 F0 jr c, .displayLoop FE 08 cp $08 C8 ret z 18 F2 jr .goBack
Effect of the reset box name code (Glitch Pokédex Mode)
Converting the characters from box names to assembly results in the following code. This code overwrites the latter half of party pokémon #3's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer.
German
Lead-up to wBoxNames: $D8BE 22 ldi (hl), a Box 1: $D8BF C0 ret nz C4 F9 F8 call nz, $F8F9 ; Sets hl to $FA9A AF xor a ; a = $00 F6 9F or $9F ; a = BF 87 and a ; a = $3E 50 ld d, b Box 2: $D8C8 C4 BE F8 call nz, $F8BE E6 84 and $84 ; a = $04 C4 BE F8 call nz, $F8BE Box 3: $D8D1 AF xor a ; a = $00 F6 C2 or $C2 ; a = $C2 C4 BE F8 call nz, $F8BE 87 add a ; a = $84 84 add a, h ; a = $7E 50 ld d, b Box 4: $D8DA C4 BE F8 call nz, $F8BE AF xor a ; a = $00 F6 F5 or $F5 ; a = $F5 FB ei FB ei 50 ld d, b Box 5: $D8E3 C4 BE F8 call nz, $F8BE 94 sub h ; a = $FB C3 F1 F8 jp $F8F1 AF xor a ; a = $00 50 ld d, b Box 6: $D8EC F5 push af E1 pop hl ; hl = $0080 F6 A6 or A6 ; a = $A6 EF rst28h JumpTable; Due to ROM header structure, call $CEEA, three bytes before the last read mail 83 add e ; a = $42 F5 push af E1 pop hl ; h = $42 50 ld d, b Box 7: $D8F5 F6 E3 or $E3 ; a = $E3 F7 rst30h ; Jump to $10:42E3, final bytes of Pokedex_ReinitDexEntryScreen. This will set $CE63 to $FF, causing immediate exit of Pokédex after return 9A (9A) 9A FA filler ; Overwritten to 21 9A FA (ld hl, $FA9A) C0 ret nz Party pokémon #3's stat experience, starting from $DA9A 3E 04 ld a, $04 C2 7E F5 jp wTMsHMs ; carry and zero flag are both reset when using TM25
Effect of the mail
The last read mail is buffered from $CEED onward. Converting the characters from the mail to assembly results in the following, ordered by language:
German
80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 80 add a, b 4E ld c, (hl) ; Newline control character. 80 add a, b 80 add a, b C6 B8 add $B8 ; Located at $CF00, all values before this address are filler and will not be executed. a = $22 EA BE F8 ld (F8BE), a ; One byte before the start of wBoxNames C6 FF add $FF ; a = $21 EA C0 F8 ld (F8C0), a ; One byte after the start of wBoxNames C3 C0 F8 jp F8C0 ; Jump to second character of box name #1
Effect of the reset box name code (Wrong Pocket TM)
Converting the characters from box names to assembly results in the following code. This code overwrites the latter half of party pokémon #3's stat experience data, allowing it to function as a TM25 bootstrap that redirects execution to the Mail Writer.
This code requires a bootstrap pokémon in the 2nd party slot that redirects execution to box names.
German
Lead-up to wBoxNames: $D8BE 22 ldi (hl), a Box 1: $D8BF C0 ret nz 21 9A FA hl hl, FA9A AF xor a ; a = $00 F6 9F or $9F ; a = $9F 87 add a ; a = $3E 50 ld d, b Box 2: $D8C8 C4 BE F8 call nz, $F8BE E6 84 or $84 ; a = $04 C4 BE F8 call nz, $F8BE 50 ld d, b Box 3: $D8D1 AF xor a ; a = $00 F6 C2 or $C2 ; a = $C2 C4 BE F8 call nz, $F8BE 87 add a ; a = $84 84 add a, h ; a = $7E 50 ld d, b Box 4: $D8DA C4 BE F8 call nz, $F8BE AF xor a ; a = $00 F6 F5 or $F5 ; a = $F5 FB ei FB ei 50 ld d, b Box 5: $D8E3 C3 BE F8 call nz, $F8BE Party pokémon #3's stat experience, starting from $DA9A 3E 04 ld a, $04 C2 7E F5 jp wTMsHMs ; carry and zero flag are both reset when using TM25