Guides:TMless 0x1500 ACE (JP): Difference between revisions

← Older edit

Guides:TMless 0x1500 ACE (JP) (view source)

Revision as of 05:00, 12 December 2023

3,025 bytes added , 6 months ago

no edit summary

VisualWikitext

TimoVM

1,540

edits

Revision as of 16:53, 8 December 2023 (view source) TimoVM (talk \| contribs) (→‎Step 3: Setting up the Mail Writer) ← Older edit		Latest revision as of 05:00, 12 December 2023 (view source) TimoVM (talk \| contribs) No edit summary
(6 intermediate revisions by the same user not shown)
Line 1: '''WARNING: This guide is outdated and has been replaced by a faster and easier setup. It is only kept for legacy purposes. You can find all up-to-date guides on the [[Guides:TimoVM's_gen_2_ACE_setups\|TimoVM's Gen 2 ACE setups]] article.''' {{Guides header\|0x1500 control code arbitrary code execution}} Line 48 ⟶ 43: ## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late. ## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2. # Now that you have an unterminated name pokémon, '''put it in box 53'''. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 53. # Finally, make sure to set box 53 as the active box. =Setting up a ACE environment= While we now have everything ready to execute box name codes using ACE, the setup will have a few drawbacks: Line 60 ⟶ 55: To do that, we're going to use a box name code that does the following: - It will alter box ~~names~~#7's name so that the Mail Writer can be used afterwards. - It will change the first item in the main item pocket to a TM15 - It will modify data to ensure that using this TM15 will allow us to use the mail writer Line 76 ⟶ 71: \|} Upon using 0x1500 ACE, this box code will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write ~~two~~a ~~values~~$38 value to ~~the~~ box #7 ~~and box #9~~'s ~~names~~name, ~~that will~~to allow the Mail Writer to properly function. Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide. Line 87 ⟶ 82: * Slots 2-6 aren't relevant for this setup. Make sure that box 53 is set as the current active box, make sure that the unterminated name pokémon is the only pokémon present in box 53. In order to execute ACE, do the following actions: Line 103 ⟶ 98: # Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears. If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the ~~names~~name of box 7 ~~and box 9 have~~has now been changed. ==Step 5: Finishing the Mail Writer== Lastly, rename the names of boxes #13 through #56 so that all box names fit the following image. '''Make sure to not change the names of box #7 ~~and box #9~~.''' {\| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;" Line 114 ⟶ 109: \|} Once this is done, you have completed the setup and have installed the Mail Writer. '''You can now simply use TM15 at any time to start up the Mail Writer, regardless of your location or the pokémon in your party.''' ===How the mail writer works=== Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)\|Mail writer C (JP)]] Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place: * The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code. * Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where they can either choose to write another mail, go back and correct previously written values or stop the mail writer and execute the newly written payload. * If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a 16 byte lond line of code and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads. ==Step 6: Using the Mail writer== The mail writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail. This will cause the mail writer to convert the newly written code into assembly. It will also '''print a checksum''' (sum of all written values) on the lower left corner of the screen. This can be used to verify if a code was entered correctly. Assembly can easily be converted to mail codes using [https://timovm.github.io/MailConverter/ TimoVM's MailConverter]. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write. A list of ready-to-use codes will be provided at the end of the guide. ===Controls=== Between entering mail codes, the mail writer will ask for user input. * '''Press B''' to immediately jump to and start executing the newly written program. '''Only use this when you've finished every mail.''' * '''Press DOWN''' to go back one byte at a time to correct errors. '''If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail.''' This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going. * '''Press any other button''' to open a new mail and continue writing data. '''Due to space limitations, it is not possible to exit the Mail Writer without executing the newly written code. If you accidentally start the Mail Writer, you can safely exit by writing a mail with the contents "セス" and execute it.''' =What to do with the Mail writer= The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following: * [[User:TimoVM/Mail Writer Codes\|Mail codes]]: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc.. * [[User:TimoVM/RAM Writer\|RAM writer]]: (recommended for more experienced users) this page contains the assembly for a large one-size-fits all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it. =Appendix= Line 124 ⟶ 148: * 0x1500 Control Code ACE box name code <pre>がヅ　れあ　ぜめ　デゆ　ぼゆ　ろが　づぜ　にぜにゆげ　べぜ　づェ　ぼ　てオ　づま　~~に　ジ~~ぜゥョ　キに　リろ　よて　エ　~~ヌゥモ~~ ろが　れ　ぜ　デ　づ　に　セ　づ ~~ゥあろゅの~~ ~~ゅ　ゅ~~ぼ　て　ツづ　に　ろジ　ョゥ　だキ　やリだよ　！ヌ　ズゥ　がモ　なろ　ぜゅ　ォゅ　ギのビ　ヘ　チ　チ　が　ビ　ブ　ギぜ　セ　げ　ま　き　ぐ　ァ　プよダめ　ダヤ　けろ　パダ　ダ　リ　だ　ゥえ </pre> * ~~Setting up the~~ Mail Writer <pre>が　れヅ　ぜあ　デめ　ぼゆ　ろゆ　づが　にぜ　ぜにゆげ　べぜ　づェ　ぼ　てオ　づま　~~よ　シ~~ぜきき　む　ゅ　ご　き　き　よ ~~ゥモろ　ゥあろ　よ　む~~ だぐ　ーデ　クだ　ゥガ　キご　リき　~~ゅの~~き　よキ　デ　ド　ア　ぺ　デ　ご　？だ　！　ズ　が　な　ぜ　ォ　ギビ　ヘ　チ　チレ　ッ　ド　が　ビ　ブ　ギぜ　セ　げ　ま　き　ぐ　ァ　プよダめ　ダヤ　けろ　パダ　ダ　リ　だ　ゥえ</pre> ==In-depth explanation of the setup== Line 217 ⟶ 241: 7F ld a, a 7F ld a, a E57F ~~push~~ld hla, a 7F ld a, a 7F ld a, a Line 228 ⟶ 252: 7C ld a, h 7C ld a, h AF xor a ; a = $00, name of the current active box is printed here ~~E1 pop hl~~ 3DC6 DB ~~dec~~add a$DB ; a = $04DB▼ ~~E1 pop hl~~ C3 9183 DB jp $~~DB91~~DB83 ; ~~6th~~1st character of box name #54 </pre> ===Effect of the box name code=== In the context of 0x1500 Control Code ACE, only box name #13 through box name #56 are executed. Box name #61, ~~through~~#2 ~~box~~and ~~name~~#7 through #9 are part of the Mail Writer and will be discussed in the ~~next~~ section ~~only~~after this section: <pre> Box 3: $DB7A ; Executed as part of screen data, see previous section Box 1: $DB68▼ AF xor a ; a = $00 C6 DB add $DB ; a = $DB C3 83 DB jp $DB83 26 DA ld h, $DA 2E 12 ld l, 12 Line 244 ⟶ 272: C6 50 add $50 ; a = $2B Box 4: $DB83 ; Landing point after screen data ~~Box 2: $DB71~~ C626 3DDA ~~add~~ld ~~$3D ; a =~~h, $68DA 502E 12 ld dl, b12▼ 32 ldd (hl), a C6 8D add $86 ; a = $68 32 ldd (hl), a 50 ld d, b▼ ▲Box 15: $~~DB68~~DB8C 3E C3 ld a, $C3 ; a = $C3 32 ldd (hl), a C6 0B add $0B ; a = $CE EA 86 D8 ld(wItems), a▼ 50 ld d, b Box 36: $~~DB7A~~DB95 ▲EA 86 D8 ld(wItems), a D6 96 sub $96 ; a = $38 EA A1 DB ld($DBA1), a 50E1 ldpop ~~d, b~~hl ~~Box 4: $DB83~~ ~~EA B1 DB ld($DBB1), a~~ E1 pop hl C9 ret ~~Box 5: $DB8C ; first five characters aren't executed as box names and are instead buffered to screen data.~~ ~~E1 pop hl~~ ~~E1 pop hl~~ ~~C3 91 DB jp $DB91 ; 6th character of box name #5~~ ~~AF xor a ; Reset carry flag, entry point of jump from screen data~~ ~~30 D4 jr nc, $D4 ; Will jump to $DB68, the start of box names~~ </pre> Line 288 ⟶ 311: 29 add hl, hl ; hl = $5CA0 2E EB ld l, $EB ; hl = $5CEB 3E 0584 ld a, $0584 CF rst08h ; farCall _ComposeMailMessage (a:hl = 04:5CEB), most significant bit gets ignored when changing ROM banks▼ ▲3D dec a ; a = $04 422E 50 ld bl, d$50 ▲50 ld d, b Box 3: $DB7A B7 or a B7 or a ▲CF rst08h ; farCall _ComposeMailMessage (a:hl = 04:5CEB) D1 pop de E1 pop hl ; Set both hl and de to the start of the newly written mail Line 322 ⟶ 344: Box 6: $DB95 30 E7E9 jr nc, .loop 0C inc c ; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part 26 C5 ld h, $C5 Line 330 ⟶ 352: Box 7: $DB9E 1A ld a, (de) CD 90 38 call PrintBCDNumber.loop + 01h ; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte. $38 is written by the previous box name code. 26 1A ld h, $1A ; .errorCorrection 1B dec de ; Calling PrintBCDNumber.loop with c = 01 advances de by 1. 06 50 ld b, $50 Box 8: $~~DBB0~~DBA7 2E 8D ld l, $F4 ; hl = $1A8D 29 add hl, hl ; hl = $351A (address of JoyTextDelay_ForcehJoyDown) Line 341 ⟶ 363: B7 or a, a ; Are any buttons pressed? if not, ask for new button states 28 E9 jr z, .terminator D6 50 sub $50 ; if down is pressed, carry is reset if any other button is pressed, carry is set ~~42 ld b, d~~ ▲50 ld d, b Box 9: $~~D8FA~~DBB0 30D2 EA A2 DB jrjp nc, .errorCorrection▼ 0F rlca ; Is the a button pressed? If yes, start a new mail▼ 0F rlca 38 B9 jr c, .loop▼ ▲0F rlca ; Is the ab button pressed? If yes, ~~start~~carry ais ~~new mail~~set ~~40 ld b, b~~ D8 ret c ; Exit and execute code if B is pressed. Else, start new mail ~~0F rlca ; Is the b button pressed? If yes, return and execute newly written program.~~ ▲3830 B9B4 jr cnc, .loop ~~D8 ret c ; If not, another button was pressed, so decrement de to allow user to correct errors~~ ▲30 EA jr nc, .errorCorrection </pre>