Guides:TMless 0x1500 ACE (JP): Difference between revisions

Line 297:
30 EA jr nc, .errorCorrection
</pre>
 
===Explanation on the 0x1500 ACE setup===
 
This setup uses [[0x1500 control code arbitrary code execution|0x1500 control code ACE]]. Since that page already explains how the exploit works, this page focuses on what the setup does to achieve its effect.
 
Relevant addresses for this explanation:
 
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
! Address !! Function
|-
| $D002 || Address where the last read mail is stored.
|-
| $D05B || Address where the names of pokémon and items are buffered.
|-
| $D0C8 || Address where the current selected party pokémon’s species is buffered.
|-
| $D0C9 || Address where the current selected party pokémon’s party slot is buffered (zero indexed).
|-
| $D0CE || Address where the data of the last viewed pokémon is buffered.
|}
 
* Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name.
* Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
* When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter-related function. The selected function depends on the next value read, but $00 is an invalid Mobile Adapter function and will instead call $CD64. Once it returns from this address, the game will continue by executing the text data as code instead of printing it.
* By opening the start menu and moving one step up at a specified location, the game will load in a $C0 (ret nz) at $CD64, allowing immediate safe return from the effects of $1500. The game will resume executing from $D0CA onward.
* The last pokémon viewed (ブルブル) is buffered from $D0CE onward. Due to resetting the game, the region between $D0CA and $D0CE is mostly empty and allows safe passage.
* Setting Tackle ($21) as ブルブル's first move allows safe passage over Screech ($67).
* Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
* Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. Since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
* Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc, $F000. Due to echo RAM, this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
* Viewing the unterminated clone through the withdraw screen will set both $D003 and $D004 to $01.
* At this point, the mail will redirect execution to $FB75. Due to echo RAM, this will effectively redirect execution to $DB75, the start of box name 1. Please note that opening the withdraw screen overwrites $D003 and $D004 with the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
* Afterwards, the game will simply execute the box name code.
* Once returned, the mail code pops hl before returning. Returning from the mail will cause the game to continue printing text; popping hl ensures that text will be printed to harmless locations in ROM. (Future angle for research: alternatives to ensure safe return without possible memory corruption)
* Additional note: the setup with Sandshrew works practically identically, with the exception of the Lemonade. This Lemonade will combine with Scratch to form a jr nc, $0A, allowing a safe jump over move data, trainer ID data and experience data.
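
The byte interpretations listed above can be checked with a small decoder. This is an added example, not part of the original guide: it knows only the opcodes this page names, and the sample bytes are constructed on the assumption that the trainer ID, experience and stat experience fields sit back to back in that order.

```python
# Added illustration: decoder limited to the SM83 opcodes this page names.
OPCODES = {  # opcode: (mnemonic template, operand byte count)
    0xBF: ("cp a", 0),
    0x1E: ("ld e, ${:02X}", 1),
    0x01: ("ld bc, ${:04X}", 2),
    0xD2: ("jp nc, ${:04X}", 2),
    0xFA: ("ld a, (${:04X})", 2),
    0xE1: ("pop hl", 0),
    0xC0: ("ret nz", 0),
}

def unmirror(addr):
    """Map an echo RAM address ($E000-$FDFF) to the WRAM address it mirrors."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr

def trace(data):
    """Decode `data` linearly, tracking only whether carry is known to be clear.
    Returns (mnemonics, effective target of a taken jp nc, or None)."""
    listing, pc, carry = [], 0, None  # carry None = unknown
    while pc < len(data):
        op = data[pc]
        if op not in OPCODES:
            listing.append("db ${:02X}".format(op))  # outside the table: stop
            break
        fmt, n = OPCODES[op]
        if pc + 1 + n > len(data):
            break  # operand bytes missing
        operand = int.from_bytes(data[pc + 1:pc + 1 + n], "little")
        listing.append(fmt.format(operand))
        pc += 1 + n
        if op == 0xBF:
            carry = False  # a - a never borrows, so cp a clears carry
        elif op == 0xD2 and carry is False:
            return listing, unmirror(operand)  # jump taken
    return listing, None

# Constructed sample: trainer ID $BF $1E, experience $000146 (326),
# then stat experience bytes laid out so that $D2 $00 $F0 follows (assumed layout).
SAMPLE = bytes([0xBF, 0x1E, 0x00, 0x01, 0x46, 0x00, 0xD2, 0x00, 0xF0])

if __name__ == "__main__":
    ops, target = trace(SAMPLE)
    print("\n".join(ops))
    print("lands at ${:04X}".format(target))
```

Without the leading $BF the decoder leaves carry unknown and does not follow the jump, which is why the fixed trainer ID matters to the setup.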
 
==Plain text transcripts of codes==