Guides:TMless 0x1500 ACE (JP): Difference between revisions
(13 intermediate revisions by the same user not shown)
Line 1:
{{Guides header|0x1500 control code arbitrary code execution}}
Line 16 ⟶ 11:
'''When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.'''
=Setting up initial ACE=
Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, printing a '?' instead. Secondly, Crystal added new printing functions related to the Mobile Game Boy Adapter, a Japan-exclusive peripheral that allowed internet connectivity through a mobile phone.
Line 31 ⟶ 26:
At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.
=Setting up initial ACE and installing the Mail Writer=
==Step 1: Catching a spearow==
Line 48 ⟶ 43:
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset was too early. If the pokémon was cloned, this means the reset was too late.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
# Now that you have an unterminated name pokémon, '''put it in box
# Finally, make sure to set box
=
While we now have everything ready to execute box name codes using ACE, the setup will have a few drawbacks:
* Executing ACE requires performing various specific steps, preventing us from using ACE whenever we want.
* Box name codes have a limited size, because we only have access to 9 different boxes. This makes it impractical to set up more complicated ACE effects.
To resolve this issue, we're going to install the Mail Writer. This is a box name program that will allow us to quickly and efficiently write and execute any arbitrary code we want. Once we've set up the Mail Writer, we'll never have to swap box names again.
To do that, we're going to use a box name code that does the following:
* It will alter box #7's name so that the Mail Writer can be used afterwards.
* It will change the first item in the main item pocket to a TM15.
* It will modify data to ensure that using this TM15 will allow us to use the Mail Writer.
This will allow us to easily write and execute large amounts of arbitrary code, simply by using a TM15 at any time.
==Step 3: Setting up the Mail Writer==
We're going to both finish the setup and use it to install a Mail Writer program. The Mail Writer is a small program that is written using box name codes and will allow you to easily write arbitrary data in order to achieve numerous effects.
Rename all boxes to the following names:
Line 61 ⟶ 71:
|}
Upon using 0x1500 ACE, this box code will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write
Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.
Line 72 ⟶ 82:
* Slots 2-6 aren't relevant for this setup.
Make sure that box
In order to execute ACE, do the following actions:
Line 88 ⟶ 98:
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.
If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the
==Step 5: Finishing the Mail Writer==
Lastly, rename the names of boxes #
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
Line 99 ⟶ 109:
|}
Once this is done, you have completed the setup and have installed the Mail Writer. '''You can now simply use TM15 at any time to start up the Mail Writer, regardless of your location or the pokémon in your party.'''
===How the mail writer works===
Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place:
* The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code.
* Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where the player can choose to write another mail, go back and correct previously written values, or stop the mail writer and execute the newly written payload.
* If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a 16 byte long line of code and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads.
==Step 6: Using the Mail writer==
The mail writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail.
This will cause the mail writer to convert the newly written code into assembly. It will also '''print a checksum''' (sum of all written values) on the lower left corner of the screen. This can be used to verify if a code was entered correctly.
Assembly can easily be converted to mail codes using [https://timovm.github.io/MailConverter/ TimoVM's MailConverter]. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write. A list of ready-to-use codes will be provided at the end of the guide.
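The splitting and checksum steps described above can be reproduced offline to get the values to compare against the screen. This is an added sketch, not code from the Mail Writer or the MailConverter; it assumes the displayed checksum is one byte wide (sum modulo 256) and reports it both per mail and as a running total, since the guide only says it is the sum of all written values. The sample bytes are constructed.

```python
# Added illustration; names and sample data are hypothetical.
BYTES_PER_MAIL = 16  # per the guide: a 32-character mail becomes 16 bytes


def parse_hex(text):
    """Accept assembled bytes as hex digits, with or without whitespace."""
    cleaned = "".join(text.split())
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def plan_mails(payload):
    """Split a payload into mails and compute the sums to check after each.

    Assumption: the on-screen value is a single byte, so every sum is
    reduced modulo 256.
    """
    plan, running = [], 0
    for offset in range(0, len(payload), BYTES_PER_MAIL):
        chunk = payload[offset:offset + BYTES_PER_MAIL]
        mail_sum = sum(chunk) % 256
        running = (running + mail_sum) % 256
        plan.append({
            "mail": offset // BYTES_PER_MAIL + 1,
            "offset": offset,
            "bytes": chunk.hex(" ").upper(),
            "characters": len(chunk) * 2,  # two mail characters per byte
            "mail_sum": mail_sum,
            "running_sum": running,
        })
    return plan


# Constructed sample (not a code from this guide): 20 bytes, so two mails.
SAMPLE = "3E 05 EA 00 D0 21 10 C0 06 08 AF 22 05 20 FC C9 00 00 00 C9"

if __name__ == "__main__":
    for row in plan_mails(parse_hex(SAMPLE)):
        print("mail {mail}: {bytes}  sum=${mail_sum:02X}  "
              "running=${running_sum:02X}".format(**row))
```

Because the check is a plain sum, swapping two bytes within a mail leaves the value unchanged, so a matching checksum does not rule out transposed entries.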
===Controls===
Between entering mail codes, the mail writer will ask for user input.
* '''Press B''' to immediately jump to and start executing the newly written program. '''Only use this when you've finished every mail.'''
* '''Press DOWN''' to go back one byte at a time to correct errors. '''If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail.''' This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.
* '''Press any other button''' to open a new mail and continue writing data.
'''Due to space limitations, it is not possible to exit the Mail Writer without executing the newly written code. If you accidentally start the Mail Writer, you can safely exit by writing a mail with the contents "セス" and executing it.'''
=What to do with the Mail writer=
The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:
* [[User:TimoVM/Mail Writer Codes|Mail codes]]: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc.
* [[User:TimoVM/RAM Writer|RAM writer]]: (recommended for more experienced users) this page contains the assembly for a large one-size-fits-all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.
=Appendix=
==Plain text transcripts of codes==
* 0x1500 Control Code ACE box name code
<pre>ヅ あ め ゆ ゆ が ぜ ぜ
ゆ げ ぜ ェ ぼ オ ま ぜ
ョ に ろ て エ ろ
が れ ぜ デ づ に セ づ
ぼ て づ に ジ ゥ キ リ
よ ヌ ゥ モ ろ ゅ ゅ の
ビ ヘ チ チ が ビ ブ ギ
ぜ セ げ ま き ぐ ァ よ
め ヤ ろ ダ ダ リ だ え
</pre>
* Mail Writer
<pre>が ヅ あ め ゆ ゆ が ぜ ぜ
ゆ げ ぜ ェ ぼ オ ま ぜ
き き む ゅ ご き き よ
ぐ デ だ ガ ご き き よ
キ デ ド ア ぺ デ ご ?
だ ! ズ が な ぜ ォ ギ
ビ ヘ チ レ ッ ド が ビ ブ ギ
ぜ セ げ ま き ぐ ァ よ
め ヤ ろ ダ ダ リ だ え</pre>
==In-depth explanation of the setup==
===Explanation on the 0x1500 ACE setup===
Line 173 ⟶ 241:
7F ld a, a
7F ld a, a
7F ld a, a
7F ld a, a
Line 184 ⟶ 252:
7C ld a, h
7C ld a, h
AF xor a ; a = $00, name of the current active box is printed here
C6 DB add $DB ; a = $DB
C3
</pre>
===Effect of the box name code===
In the context of 0x1500 Control Code ACE, only box name #
<pre>
Box 3: $DB7A ; Executed as part of screen data, see previous section
AF xor a ; a = $00
C6 DB add $DB ; a = $DB
C3 83 DB jp $DB83
26 DA ld h, $DA
2E 12 ld l, $12
Line 200 ⟶ 272:
C6 50 add $50 ; a = $2B
Box 4: $DB83 ; Landing point after screen data
2E 12 ld l, $12
32 ldd (hl), a
C6 8D add $8D ; a = $68
32 ldd (hl), a
50 ld d, b
Box 5: $DB8C
3E C3 ld a, $C3 ; a = $C3
32 ldd (hl), a
C6 0B add $0B ; a = $CE
EA 86 D8 ld (wItems), a
50 ld d, b
Box
D6 96 sub $96 ; a = $38
EA A1 DB ld ($DBA1), a
E1 pop hl
C9 ret
</pre>
Line 244 ⟶ 311:
29 add hl, hl ; hl = $5CA0
2E EB ld l, $EB ; hl = $5CEB
3E
CF rst08h ; farCall _ComposeMailMessage (a:hl = 04:5CEB), most significant bit gets ignored when changing ROM banks
Box 3: $DB7A
B7 or a
B7 or a
D1 pop de
E1 pop hl ; Set both hl and de to the start of the newly written mail
Line 278 ⟶ 344:
Box 6: $DB95
30
0C inc c ; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part
26 C5 ld h, $C5
Line 286 ⟶ 352:
Box 7: $DB9E
1A ld a, (de)
CD 90 38 call PrintBCDNumber.loop + 01h ; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte. $38 is written by the previous box name code.
26 1A ld h, $1A ; .errorCorrection
1B dec de ; Calling PrintBCDNumber.loop with c = 01 advances de by 1.
06 50 ld b, $50
Box 8: $
2E 8D ld l, $8D ; hl = $1A8D
29 add hl, hl ; hl = $351A (address of JoyTextDelay_ForcehJoyDown)
Line 297 ⟶ 363:
B7 or a, a ; Are any buttons pressed? if not, ask for new button states
28 E9 jr z, .terminator
D6 50 sub $50 ; If down is pressed, carry is reset. If any other button is pressed, carry is set.
Box 9: $
D2 A2 DB jp nc, .errorCorrection
0F rlca
0F rlca ; Is the b button pressed? If yes, carry is set
D8 ret c ; Exit and execute code if B is pressed. Else, start new mail
30 B4 jr nc, .loop
</pre>
[[Category:Guides]]