Guides:SRAM Glitch ACE Setups (EN): Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
No edit summary |
|||
Line 377: | Line 377: | ||
==Additional applications of the Nickname Writer== |
==Additional applications of the Nickname Writer== |
||
The Nickname Writer allows you to easily write and execute arbitrary payloads. You can either make and execute your own codes, or head to the [[Guides:Nickname Writer Codes|Nickname Writer codes]] page. This page contains a collection of assembly for nickname codes that can be used for a variety of common purposes such as editing pokémon and items, editing player stats, resetting legendaries etc.. |
The Nickname Writer allows you to easily write and execute arbitrary payloads. You can either make and execute your own codes, or head to the [[Guides:Nickname Writer Codes|Nickname Writer codes]] page. This page contains a collection of assembly for nickname codes that can be used for a variety of common purposes such as editing pokémon and items, editing player stats, resetting legendaries etc..^ |
||
=Addendum: raw text transcripts of nickname codes= |
|||
These are provided as an alternative in case images fail to load. |
|||
==Infinite Eevee Mode Nickname== |
|||
{| class="wikitable" |
|||
! Nickname |
|||
|- |
|||
!<pre> |
|||
C l l U ( ( : ; W ; |
|||
</pre> |
|||
|} |
|||
==4F Bootstrap Nicknames== |
|||
{| class="wikitable" |
|||
! List of nicknames |
|||
|- |
|||
!<pre> |
|||
g . [ X w w k Mn ( v |
|||
a Pk z q g . y y w w |
|||
a Mn ] - - ] [ [ o Mn |
|||
z q Q P w w w w w w |
|||
g . Pk X w v v u U l |
|||
</pre> |
|||
|} |
|||
==Nickname Writer== |
|||
{| class="wikitable" |
|||
! List of nicknames |
|||
|- |
|||
!<pre> |
|||
h Mn L l l L L t t ( |
|||
t v u t t v u t s t |
|||
j ? ( t v v v v ; [ |
|||
t z j ? ( ) t v v v |
|||
a q H h H Z y y p Q |
|||
S * S j a * j ? ) ) |
|||
s k l l : ; ♂ ♂ ♀ ♀ |
|||
q y [ x w v : * * Mn |
|||
Z Pk Z * * ] Y Mn Mn L |
|||
A H ] . w ; ♀ : u k |
|||
a Pk Pk J ( ) ) ) ) , |
|||
S j S s j - s k A A |
|||
j u l l u z Pk ( - ] |
|||
r p . y [ : : ; : ; |
|||
</pre> |
|||
|} |
|||
=Addendum: technical explanation of the setup= |
|||
==Nickname Converter Item Code== |
|||
===Explanation=== |
|||
The item code itself consists of two components. The first 10 items are used to write a program that takes text characters from the nicknames of characters currently within the active box, converts them, then writes the resulting values to unused memory starting from $D66A. |
|||
Pairs of text characters are converted to single values through a [(2a + b)%256] formula, where a is the value of the first character and b the value of the second. text terminators are skipped, the code will stop and execute the newly written code once it either reads a $00 value or if values are being read past $DEFF. |
|||
<pre> |
|||
11 6A D6 ld de, UNUSED_MEMORY ; Memory between $D66A and $D6EF goes unused |
|||
D5 push de |
|||
21 06 DE ld hl, wBoxNicks |
|||
.loop |
|||
2A ldi a, (hl) |
|||
03 inc bc ; Filler, no effect on flags |
|||
87 add a |
|||
0B dec bc ; Filler, compensates previous inc bc, no effect on flags |
|||
30 04 jp nc, .notChar ; Aside from space (should not be used), "add a" will only give nc if value read is not a text char |
|||
86 add a, (hl) |
|||
12 ld (de), a |
|||
2C inc l ; Affects z flag |
|||
13 inc de |
|||
.notChar |
|||
20 F4 jp nz, .loop ; loop unless l rolled over to $00 or value read was $00 |
|||
C9 ret ; Due to previous push de, this ret will cause execution to resume from $D66A onward, immediately running the newly written code |
|||
</pre> |
|||
The last item, the Rare Candies, simply form a pointer to $F328. Due to echo RAM this address is equivalent to $D328, which correspond to item #6's item ID, the start of the item code. By replacing the map script pointer with this item, we can redirect the map script routine to execute the item code instead. This routine is executed on every frame, as long as the start menu isn't open. |
|||
===Raw Assembly=== |
|||
<pre> |
|||
11 6A Max Potion x106 |
|||
D6 D5 TM14 x213 |
|||
21 06 Thunderstone x06 |
|||
DA 2A TM22 x42 |
|||
03 87 Great Ball x135 |
|||
0B 30 Antidote x48 |
|||
04 86 Poké Ball x134 |
|||
12 2C Hyper Potion x44 |
|||
13 20 Super Potion x32 |
|||
F4 C9 TM44 x201 |
|||
28 F3 Rare Candy x243 |
|||
</pre> |
|||
==Infinite Eevee Nickname== |
|||
===Explanation=== |
|||
The Infinite Eevee mode nickname writes $00 to the lower byte of wMissableObjectList, causing a misalignment in how the game applies NPC disappearance, causing Eevee's pokéball to stay permanently visible until the game is reset or the player leaves the Celadon Mansion penthouse. |
|||
<pre> |
|||
AF xor a ; a = $00 |
|||
EA CE D5 ld (wMissableObjectList), a ; Misaligns which objects are made invisible |
|||
C9 ret |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre> |
|||
AF EA CE D5 C9 |
|||
</pre> |
|||
==4F Boostrap Nicknames== |
|||
This set of nicknames, when converted, will modify item #1's ID to be 4F and writes a bootstrap so that using it will lead to execution of the item code from $D328 onward. It requires the presence of the Infinite Eevee Mode Nickname (see previous section) to properly return. |
|||
<pre> |
|||
3E 59 ld a, $59 ; 4F's item ID |
|||
21 1E D3 ld hl, wBagItems ; item #1's ID |
|||
22 ldi (hl), a |
|||
AF xor a ; a = $00 |
|||
22 ldi (hl), a |
|||
22 ldi (hl), a |
|||
22 ldi (hl), a |
|||
22 ldi (hl), a ; clears a bunch of $FF values placed by swapping party pokémon |
|||
21 65 DA ld hl, 4F_Execution_Pointer |
|||
3E 21 ld a, $21 |
|||
22 ldi (hl), a |
|||
3E 28 ld a, $28 |
|||
22 ldi (hl), a |
|||
3E D3 ld a, $D3 |
|||
22 ldi (hl), a |
|||
36 E9 ld hl, $E9 |
|||
; The contents of the first nickname (see previous section) are written right after this, ensuring safe return. |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre> |
|||
3E 59 21 1E D3 |
|||
22 AF 22 22 22 |
|||
22 21 65 DA 3E |
|||
21 22 3E 28 22 |
|||
3E D3 22 36 E9 |
|||
</pre> |
|||
==Using 4F== |
|||
===Explanation=== |
|||
Using 4F, an invalid item, will cause the game to index the item effects table out of bounds, leading to an invalid execution pointer. For 4F, this causes the game to execute code from $FA65 onward. Due to echo RAM, this address is equivalent to $DA65. Thanks to the bootstrap that was applied earlier, this will then cause the game to jump to $D328, corresponding to the start of the item code. |
|||
<pre> |
|||
21 28 D3 ld hl, ITEM_6_ID |
|||
E9 jp hl |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre>21 28 D3 E9</pre> |
|||
==Nickname Writer== |
|||
===Explanation=== |
|||
The Nickname Writer is a small program that, using nicknames as input, is able to write arbitrary amounts of custom code relatively quickly. It first request a nickname as input, then converts that data to custom code, then displays a checksum of the written data and finally asks the player to provide additional input. |
|||
The value of the checksum is calculated by [($80 + the sum of all written values)%256]. Custom code is buffered and executed within enemy party data. Due to how it calls DisplayNameRaterScreen, it will also nickname a party pokémon corresponding to the item slot that 4F currently occupies. |
|||
<pre> |
|||
11 9C D8 ld de, $D89C ; location written to |
|||
D5 push de |
|||
.newMail |
|||
D5 push de |
|||
06 01 ld b, 01 |
|||
21 5C 65 ld hl, DisplayNameRaterScreen |
|||
CD D6 35 call BankSwitch ; Change rom banks and call b:hl |
|||
0E 80 ld c, $80 ; Ensure checksum consistency |
|||
21 4B CF ld hl, wStringBuffer ; Address where new name gets written to |
|||
D1 pop de ; Continue writing from last saved de |
|||
.newChar |
|||
2A ld a, (hli) |
|||
87 add a |
|||
30 09 jp nc, .terminator ; If blank space as first character of pair, only terminator $50 will result in a nc result |
|||
86 add a, (hl) |
|||
12 ld (de), a |
|||
13 inc de |
|||
23 inc hl |
|||
81 add a, c ; Current checksum total is buffered in c |
|||
12 ld (de), a |
|||
4F ld c, a |
|||
18 F3 jp .newChar |
|||
.terminator |
|||
21 29 C4 ld hl, $C429 ; Corresponds to screen tile |
|||
0E 01 ld c, 01 |
|||
D5 push de |
|||
CD DF 15 call PrintBCDNumber.loop ; Prints c amount of bytes at de to hl in binary coded decimal format, prints checksum |
|||
CD 31 38 call JoypadLowSensitivity ; Halt execution until frame has passed, get joypad status and store result in hJoy5 |
|||
D1 pop de |
|||
F0 B5 ld a, (hJoy5) |
|||
A7 and a ; Check if no buttons are pressed |
|||
28 EE jp z, .terminator ; If no buttons pressed, keep displaying checksum |
|||
1F rra ; Shift all bits to the right, transfer former bit 7 to bit 1 and store status of this bit in c flag |
|||
38 CF jp c, .loop ; Is A is pressed, start new nickname |
|||
1B dec de ; If another button outside of A is pressed, either we're using the correction function, executing or stopping |
|||
1F rra ; is B pressed? |
|||
38 E7 jp c, .terminator If B is pressed, de has been decremented once so continue just displaying the new value de points towards |
|||
1F rra |
|||
1F rra ; Is START pressed? |
|||
D8 ret c ; Jump to $D89C, which was pushed to the stack at the start of the code and execute newly written code |
|||
1B dec de |
|||
1B dec de |
|||
1B dec de |
|||
1B dec de ; de's value has been decremented a total of 5 times, equal to a full nickname's worth of data |
|||
17 rla ; Shift all bits to the left, transfer former bit 7 to bit 1 and store status of this bit in c flag. Is SELECT pressed? |
|||
30 C1 jp nc, loop ; If SELECT NOT pressed and dpad pressed instead, start new mail after de has been decremented a total of 5 times. Basically undoes a full nickname's worth of data |
|||
E1 pop hl ; Otherwise, pop the stored address of $D89C from the stack |
|||
C9 ret ; Since $D89C was popped, return to normal execution without executing newly written code |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre> |
|||
11 9C D8 D5 D5 |
|||
06 01 21 5C 65 |
|||
CD D6 35 0E 80 |
|||
21 4B CF D1 2A |
|||
87 30 09 86 12 |
|||
13 23 81 12 4F |
|||
18 F3 21 29 C4 |
|||
0E 01 D5 CD DF |
|||
15 CD 31 38 D1 |
|||
F0 B5 A7 28 EE |
|||
1F 38 CF 1B 1F |
|||
38 E7 1F 1F D8 |
|||
1B 1B 1B 1B 17 |
|||
30 C1 E1 C9 00 |
|||
</pre> |
|||
==Cleanup Code (new save)== |
|||
===Explanation=== |
|||
This code cleans up every negative side effect brought on by the setup and allows the player to continue the story as intended, with the exception of 4F being added to the item bag, enabling use of the Nickname Writer. |
|||
The negative effects targeted are: |
|||
* By picking up Eevee, we have flagged its poké ball as "obtained" |
|||
* The current active box is filled with nicknamed Eevees |
|||
* The item pack currently has 255 items |
|||
* The item code is currently still required to run the Nickname Writer |
|||
* We currently have two badges set as obtained |
|||
* Our pokédex currently has 152 pokémon species caught, preventing the story from continuing |
|||
* Setting up SRAM glitch has given us a party of 255 pokémon |
|||
* We are currently located in the Celadon Pokémon center, while we need to return to Pallet Town to pick up the starter pokémon |
|||
<pre> |
|||
21 AE D5 ld hl, $D5AE ; Part of wMissableObjectFlags |
|||
CB AE res 5, (hl) ; Reenable Eevee's poké ball |
|||
AF xor a ; a = $00 |
|||
EA 56 D3 ld (wObtainedBadges), a ; Reset badges |
|||
21 80 DA ld hl, wBoxCount |
|||
22 ldi (hl), a ; Set amount of pokémon in box to 0 |
|||
3D dec a ; a = $FF |
|||
22 ldi (hl), a ; Add proper terminator to wBoxSpecies |
|||
AF xor a ; a = $00 |
|||
01 26 00 ld bc, 0026 |
|||
21 F7 D2 ld hl, wPokedexOwned |
|||
.loop |
|||
22 ldi (hl), a |
|||
0D dec c |
|||
20 FC jp nz, .loop ; Fully clear all Pokédex flags |
|||
2E B1 ld l, $B1 ; hl = $D3B1, within wWarpEntries |
|||
22 ldi (hl), a |
|||
22 ldi (hl), a |
|||
23 inc hl |
|||
23 inc hl |
|||
22 ldi (hl), a |
|||
22 ldi (hl), a ; Changes first two warp tiles to lead to Pallet Town instead |
|||
EA 63 D1 ld (wPartyCount), a ; Set amount of pokémon in party to 0 |
|||
EA 1D D3 ld (wNumBagItems), a ; Set amount of items to 0 |
|||
01 01 59 ld bc, $5901 |
|||
CD 2E 3E call GiveItem ; Gives c amount of b item, giving 1 copy of 4F. |
|||
21 66 DA ld hl, $DA66 ; Part of 4F bootstrap |
|||
36 6A ld (hl), $6A |
|||
23 inc hl |
|||
36 D6 ld (hl), $D6 ; 4F now redirects directly to Nickname Writer |
|||
C9 ret |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre> |
|||
21 AE D5 CB AE |
|||
AF EA 56 D3 21 |
|||
80 DA 22 3D 22 |
|||
AF 01 26 00 21 |
|||
F7 D2 22 0D 20 |
|||
FC 2E B1 22 22 |
|||
23 23 22 22 EA |
|||
63 D1 EA 1D D3 |
|||
01 01 59 CD 2E |
|||
3E 21 66 DA 36 |
|||
6A 23 36 D6 C9 |
|||
</pre> |
|||
==Cleanup Code (existing save)== |
|||
===Explanation=== |
|||
This code cleans up every negative side effect brought on by the setup and allows the player to continue the story as intended, with the exception of 4F being added to the item bag, enabling use of the Nickname Writer. |
|||
The negative effects targeted are: |
|||
* By picking up Eevee, we have flagged its poké ball as "obtained" |
|||
* The current active box is filled with nicknamed Eevees |
|||
* The item pack currently has 255 items |
|||
* The item code is currently still required to run the Nickname Writer |
|||
Since existing saves do not have to set up SRAM glitch, there are a lot less side effects that need to be addressed by the cleanup code. |
|||
<pre> |
|||
21 AE D5 ld hl, $D5AE ; Part of wMissableObjectFlags |
|||
CB AE res 5, (hl) ; Reenable Eevee's poké ball |
|||
AF xor a ; a = $00 |
|||
21 80 DA ld hl, wBoxCount |
|||
22 ldi (hl), a ; Set amount of pokémon in box to 0 |
|||
3D dec a ; a = $FF |
|||
22 ldi (hl), a ; Add proper terminator to wBoxSpecies |
|||
AF xor a ; a = $00 |
|||
EA 1D D3 ld (wNumBagItems), a ; Set amount of items to 0 |
|||
01 01 59 ld bc, $5900 |
|||
CD 2E 3E call GiveItem ; Gives c amount of b item, giving 1 copy of 4F. |
|||
21 66 DA ld hl, $DA66 ; Part of 4F bootstrap |
|||
36 6A ld (hl), $6A |
|||
23 inc hl |
|||
36 D6 ld (hl), $D6 ; 4F now redirects directly to Nickname Writer |
|||
01 01 59 ld bc, $5901 |
|||
C3 2E 3E jp GiveItem ; Gives c amount of b item, giving 1 copy of 4F. |
|||
</pre> |
|||
===Raw Assembly=== |
|||
<pre> |
|||
21 AE D5 CB AE |
|||
AF 21 80 DA 22 |
|||
3D 22 AF EA 1D |
|||
D3 21 66 DA 36 |
|||
6A 23 36 D6 01 |
|||
01 59 C3 2E 3E |
|||
</pre> |