Guides:TMless 0x1500 ACE (JP): Difference between revisions

From Glitch City Wiki
Jump to navigation Jump to search
Content added Content deleted
VisualWikitext
No edit summary
Line 3: Line 3:
This page serves as a repository on a 0x1500 ACE setup for the Japanese versions of Pokémon Crystal. It is part of the [[Guides:TimoVM's_gen_2_ACE_setups|TimoVM's Gen 2 ACE setups]] set of guides.
This page serves as a repository on a 0x1500 ACE setup for the Japanese versions of Pokémon Crystal. It is part of the [[Guides:TimoVM's_gen_2_ACE_setups|TimoVM's Gen 2 ACE setups]] set of guides.


The guide is split up between guides applicable for players starting a new game or continuing from an old game. '''Please make sure to fully read every step of the guide before executing them.'''
'''Please make sure to fully read every step of the guide before executing them.'''


The setup requires catching a Spearow during day time and fighting Spinarak during night time. It is recommended to set the in-game time at the start of the game somewhere between 5:00PM-5:30PM.
The setup requires catching a Spearow during day time. When starting from a new game, please set the in-game time to morning or midday..


If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the [https://discord.gg/EA7jxJ6 Glitch City Research Institute Discord].
If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the [https://discord.gg/EA7jxJ6 Glitch City Research Institute Discord].
Line 13: Line 13:
=General overview=
=General overview=


Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, instead printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.
Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.


By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way, we can escape the text printing function and trigger arbitrary code execution based on the data of the last viewed party pokémon.
By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way with help of a Spearow, we can escape the text printing function and trigger arbitrary code execution based on screen data and buffered tile data.


In practice, the initial ACE setup will be created using the following general process:
In practice, the initial ACE setup will be created using the following general process:
Line 21: Line 21:
# Obtain an [[Bad clone glitch|unterminated name pokémon]].
# Obtain an [[Bad clone glitch|unterminated name pokémon]].
# Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.
# Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.

Within these pages, you'll be able to find four different methods. These are ordered based on how early you'll be able to setup ACE:

*Methods that should be used when starting from a new game
*# Rival Name method- can be performed from Cherrygrove City onward, after acquiring poké balls. '''Requires a specific rival name to work'''. By far the fastest method.
*# Onix method - can be performed from Violet City onwards. '''Requires not yet having performed the NPC trade in Violet City for Onix.'''
*# Sandshrew method - can be performed from Goldenrod City onwards. '''Intended to be started at the Union Cave''', serves as a backup method in case the Onix method fails.
*# Wooper/Quagsire method - requires having obtained both Surf and Strenght. Requires access to TM18 RAIN DANCE, either from Slowpoke Well or from Celadon Dept. Store, second fasted methods, but best performed using older saves.


==Regarding PKHex==
==Regarding PKHex==
Line 34: Line 26:
At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.
At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.


=Rival Name method=
=Box name jump method=


==Step 1: Preparing the Rival's name==
==Step 1: Catching a spearow==

Start a new game, the starter you pick doesn't matter. '''Set the in-game clock either to morning or midday.'''

* Once you are giving the option to name your rival, give the rival the following name:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Box Japanese C Rival.png]]
|}


* (optional) When starting from a new game, set the in-game time to either morning or midday. You are free to pick any starter, trainer name and/or rival name.
* Once you acquire poké balls, catch a Spearow on route 46 (30% spawn odds, morning and midday).
* Catch or obtain a Spearow.
** When starting from a new game, catch one on route 46 (30% spawn odds, morning and midday).
** When using an existing save, either catch any Spearow or obtain the nicknamed Spearow from the gate guard between Goldenrod City and Route 35.


==Step 2: Preparing the bad clone and remaining items==
==Step 2: Preparing the bad clone and remaining items==
Line 56: Line 43:
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
# Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
# Now that you have an unterminated name pokémon, '''put it in box 5'''. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 5.
# Finally, make sure to set box 5 as the active box.


===Setting up the Mail Writer===
===Step 3: Setting up the Mail Writer===


Next, we're going to both finish the setup and use it install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.
Next, we're going to both finish the setup and use it install a Mail Writer program. The Mail Writer is a small program that is written using box name codes and will allow you to easily write arbitrary data in order to achieve numerous effects.


Rename all boxes to the following names:
Rename all boxes to the following names:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
|
[[File:Box Japanese C V2 Initial.png]]
[[File:Box Japanese C SetupV2.png]]
|}
|}


Line 72: Line 60:
Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.
Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.


==Step 3: Using the ACE setup==
==Step 4: Using the ACE setup==


Before executing ACE, arrange your party as follow:
Before executing ACE, arrange your party as follow:


* Slot 1 - Spearow, no held item
* Slot 1 - Spearow
* Slots 2-6 aren't relevant for this setup.
* Slots 2-6 aren't relevant for this setup.

Make sure that box 5 is set as the current active box, make sure that the unterminated name pokémon is the only pokémon present in box 5.


In order to execute ACE, do the following actions:
In order to execute ACE, do the following actions:
Line 83: Line 73:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
|
[[File:JP Rival Name ACE location.png]]
[[File:JP ACE PokeSen Location.png]]
||
[[File:JP ACE Spearow menu.png]]
|}
|}


# Stand in front of the PC on the second floor of any pokémon center. Take one step down, take seven steps to the right until you end up at the location indicated by the above screenshot. '''Save the game here and reset.'''
# Stand in front of the PC on the second floor of any pokémon center. Take one step down, take one step left until you end up at the location indicated by the above screenshot on the left. '''Save the game here and reset.'''
# After reloading the save, take seven steps to the left and take one step up. You should now be standing right in front of the PC.
# After reloading the save, take one step to the right and take one step up. You should now be standing right in front of the PC. (these steps need to be taken in the correct order, otherwise the setup will not work)
# Open the start menu, then open the summary of Spearow and close it.
# Open the start menu, select Spearow so that you get the option to look at its summary and switch its party position as indicated by the above screenshot on the right, then exit and close the start menu.
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.


If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the names of box 7 and box 9 have now been changed.
If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the names of box 7 and box 9 have now been changed.


==Step 4: Finishing the Mail Writer==
==Step 5: Finishing the Mail Writer==


Lastly, rename the names of boxes #1 through #4 so that all box names fit the following image. '''Make sure to not change the names of box #7 and box #9.'''
Lastly, rename the names of boxes #1 through #5 so that all box names fit the following image. '''Make sure to not change the names of box #7 and box #9.'''


{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
Line 106: Line 98:
Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)|Mail writer C (JP)]]
Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)|Mail writer C (JP)]]


=Appendix: in-depth explanation of the setup=
=Onix method=


===Explanation on the 0x1500 ACE setup===
==Step 1: Preparing the Onix==


This setup uses [[0x1500 control code arbitrary code execution|0x1500 control code ACE]]. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.
Start playing the game as you normally would, the starter doesn't matter. '''It is recommended that you don’t fight the bug catcher on route 31.'''


Relevant addresses for this explanation:
# Once you acquire poké balls, catch a Spearow on route 46 (30% spawn odds, morning and midday).
# Once you reach route 31, catch a Bellsprout (20% spawn odds, all day).
# Proceed to Violet City. In the house to the left of the pokémon center, trade your Bellsprout for Rocky the Onix. '''In case you have already traded and used Onix prior to reading this guide, an alternative setup is provided further on in the page.'''
# With Onix, defeat the following Pokémon. It is imperative that Onix is the only pokémon that gains experience during these battles:
#* Spinarak (30% spawn odds on route 31, only during nighttime)
#* Spinarak (30% spawn odds on route 31, only during nighttime)
#* Spinarak (30% spawn odds on route 31, only during nighttime)
#* Caterpie (30% spawn odds on route 30, only during morning and midday. '''The trainer on route 31 has three Caterpie you can fight''')
#* Caterpie (30% spawn odds on route 30, only during morning and midday. '''The trainer on route 31 has three Caterpie you can fight''')
# Make sure Onix doesn’t hold any item, check that Tackle is set as its first move.
# Go to Violet City’s pokémon mart. Buy a flower mail.


==Step 2: Preparing the bad clone and remaining items==

# Use the bad clone glitch to obtain a pokémon with an unterminated name.
## For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
## Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
## After rebooting the game, '''open and close the item pack''', then check the newly deposited pokémon.
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
# Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
# Finally, give Spearow a mail to hold with the following text:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
! Address !! Function
|
|-
[[File:Mail Japanese C.png]]
| $D05B || Address where the names of pokémon and items are buffered.
|-
| $D0C8 || Address where the current selected party pokémon’s species is buffered.
|-
| $D0C9 || Address where the current selected party pokémon’s party slot is buffered (zero indexed).
|}
|}


* Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
===Setting up the Mail Writer===
* Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
* Selecting Spearow in the party menu will buffer its species ID ($15) to $D0C8 and party slot ($00) to $D0C9.
* When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD46.
* By opening the start menu and moving one step right and one step up at a specified location, the game will load in a $C2 9B C4 (jp nz, $C49B) at $CD64. Due to the tile contents of the 2nd floor of the pokémon center, the area between $CD46 and $CD64 will be filled with $00 values, allowing safe passage.
* Viewing the unterminated clone through the withdraw screen will cause the game to attempt to do a lot of stuff at once.
*# The withdrawn screen is set up and the current active box's name is displayed.
*# The unterminated name pokémon's name will be drawn on screen, which leads to a buffer overflow.
*# After printing the name for a while, the game will attempt to print the $15 value that is buffered at $D0C8, which causes it to enter the mobile function mode.
*# Immediately after this, it will encounter a buffered $00 value at $D0C9, causing a call to $CD46 and activating ACE
* After arriving at $CD46, execution will nopslide to $CD64, where it will use the buffered data to jump to $C49B, which lies right before screen data.


===Effect of screen data===
Next, we're going to both test the setup and install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.


Once execution arrives at $C49B, execution will nopslide until it encounters the following values at $C4A0:
Rename all boxes to the following names:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Box Japanese C Setup.png]]
|}

Upon using 0x1500 ACE, the mail code included in the setup will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write two values to the box name area that will allow the Mail Writer to properly function.

Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.

==Step 3: Using the ACE setup==

Before executing ACE, arrange your party as follow:

* Slot 1 - Spearow, holding mail
* Slot 2 - Onix, no held item
* Slots 3-6 aren't relevant for this setup.

In order to execute ACE, do the following actions:

# Stand in front of the PC on the second floor of any pokémon center. Save and reset the game.
# Take exactly one step down and open the start menu.
# Open the summary of Onix and close it.
# Take exactly one step up so you’re in front of the PC. Open the start menu again.
# Read the mail you've previously given to Spearow (the Spearow needs to be at the very top of your party list).
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE.

If the game doesn't crash, you have completed the setup and have installed the Mail Writer.

Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)|Mail writer C (JP)]]

=Sandshrew method=

==Step 1: Preparing the Sandshrew==

Continue playing the game as you normally would.

# Once you reach Union Cave, catch a Sandshrew (30% spawn odds, only during morning and midday). It is recommended to use TM31 to teach it Mud-slap (Obtained by beating Falkner).
# With Sandshrew, defeat the following Pokémon. It is imperative that Sandshrew is the only pokémon that gains experience during these battles:
#* Geodude (30% spawn odds in Union Cave, 20% spawn odds on route 33, entire day)
#* Geodude (30% spawn odds in Union Cave, 20% spawn odds on route 33, entire day)
#* Hoppip (15% spawn odds on route 33, only during morning and midday)
# Talk to the guard in the gate between Ilex Forest and route 34 to obtain Kenya the Spearow. If Kenya is not available, it can be substituted by any other wild Spearow.
# Once you reach Goldenrod City, go to the Goldenrod Dept. Buy one Flower Mail and one Lemonade (Lemonade can be bought from the vending machines at the top floor).
# Buy an additional Poké Ball and Great Ball. Ensure that the Poké Ball is at the bottom of the ball pocket item list.
# Give Sandshrew the Lemonade as a held item, ensure it has Scratch as its first move.

==Step 2: Preparing the bad clone and remaining items==

# Use the bad clone glitch to obtain a pokémon with an unterminated name.
## For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
## Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
## After rebooting the game, '''open and close the item pack''', then check the newly deposited pokémon.
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
# Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
# Finally, give your '''Spearow''' (either Kenya or another Spearow) a mail to hold with the following text:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Mail Japanese C.png]]
|}

===Setting up the Mail Writer===

Next, we're going to both test the setup and install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename all boxes to the following names:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Box Japanese C Setup.png]]
|}

Upon using 0x1500 ACE, the mail code included in the setup will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write two values to the box name area that will allow the Mail Writer to properly function.

Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.

==Step 3: Using the ACE setup==

Before executing ACE, arrange your party as follow:

* Slot 1 - Spearow, holding mail
* Slot 2 - Sandshrew, holding Lemonade
* Slots 3-6 aren't relevant for this setup.

In order to execute ACE, do the following actions:

# Stand in front of the PC on the second floor of any pokémon center. Save and reset the game.
# Take exactly one step down and open the start menu.
# Open the summary of Sandshrew and close it.
# Take exactly one step up so you’re in front of the PC. Open the start menu again.
# Read the mail you've previously given to Spearow (the Spearow needs to be at the very top of your party list).
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE.

If the game doesn't crash, you have completed the setup and have installed the Mail Writer.

Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)|Mail writer C (JP)]]

=Wooper/Quagsire method=

==Step 1: Preparing the Wooper/Quagsire==

This guide assumes you have at least access to Strength and Surf, having access to Fly is not required but will speed up the process.

# From Azalea Town, enter the Union cave. Surf on the nearest water and catch either a wild Quagsire or Wooper. (If you've previously already caught Wooper/Quagsire, you can use the old one instead)
# Obtain a TM18 RAIN DANCE using one of the following methods:
#* Go to Azalea Town's Slowpoke Well and pick up TM18. It can be found on B2F and requires the use of Surf and Strength to reach.
#* Go to the Celadon Dept. Store and buy a TM18
# Talk to the guard in the gate between Ilex Forest and route 34 to obtain Kenya the Spearow. If Kenya is not available, it can be substituted by any other wild Spearow.
# Use TM18 on Wooper/Quagsire. '''Ensure that Rain Dance is in Wooper/Quagsire's first move slot.''' Ensure that Wooper/Quagsire is not holding any item.

==Step 2: Preparing the bad clone and remaining items==

# Use the bad clone glitch to obtain a pokémon with an unterminated name.
## For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
## Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
## After rebooting the game, '''open and close the item pack''', then check the newly deposited pokémon.
## If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
## If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
# Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
# Finally, give your '''Spearow''' (either Kenya or another Spearow) a mail to hold with the following text:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Mail Japanese C.png]]
|}

===Setting up the Mail Writer===

Next, we're going to both test the setup and install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename all boxes to the following names:
{| class="wikitable" style="margin-left: auto; margin-right: auto; border: none;"
|
[[File:Box Japanese C Setup.png]]
|}

Upon using 0x1500 ACE, the mail code included in the setup will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write two values to the box name area that will allow the Mail Writer to properly function.

Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.

==Step 3: Using the ACE setup==

Before executing ACE, arrange your party as follow:

* Slot 1 - Spearow, holding mail
* Slot 2 - Wooper/Quagsire
* Slots 3-6 aren't relevant for this setup.

In order to execute ACE, do the following actions:

# Stand in front of the PC on the second floor of any pokémon center. Save and reset the game.
# Take exactly one step down and open the start menu.
# Open the summary of Wooper/Quagsire and close it.
# Take exactly one step up so you’re in front of the PC. Open the start menu again.
# Read the mail you've previously given to Spearow (the Spearow needs to be at the very top of your party list).
# Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE.

If the game doesn't crash, you have completed the setup and have installed the Mail Writer.

Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: [[Guides:Mail Writer C (JP)|Mail writer C (JP)]]

=Appendix: in-depth explanation of the setup=

===Effect of the Rival Name===

Moving with the specific movement pattern that is used in the Rival Name method will place the following data at $CD46:


<pre>
<pre>
79 ld a, c
D2 8B D4 jp nc, $D48B
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7B ld a, e
79 ld a, c
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7A ld a, d
7B ld a, e
7C ld a, h
00 nop
07 rlca
0E 15 ld c, 15
1C inc e
23 inc hl
2A ldi a, (hl)
7C ld a, h
7C ld a, h
7F ld a, a
7F ld a, a
7F ld a, a
7F ld a, a
7F ld a, a
7F ld a, a
E5 push hl
7F ld a, a
7F ld a, a
7C ld a, h
7C ld a, h
01 08 0F ld bc, $0F08
16 1D ld d, 1D
24 inc h
2B dec hl
7C ld a, h
7C ld a, h
E1 pop hl
E1 pop hl
C3 91 DB jp $DB91 ; 6th character of box name #5
</pre>
</pre>


===Effect of the box name code===
This address corresponds to the second character of the Rival's name. The specific name that was used in the method will place the following data from $D48A onward:


In the context of 0x1500 Control Code ACE, only box name #1 through box name #5 are executed. Box name #6 through box name #9 are part of the Mail Writer and will be discussed in the next section only:
<pre>
E1 filler
E1 pop hl ; Entry point of execution
C3 83 DB jp nc, $DB83
</pre>

This address corresponds with the 1st character of box #4's name. Once it arrives here, the first 4 box names will be executed as follows:


<pre>
<pre>
Box 1: $DB68
Box 1: $DB68
26 DA ld h, $DA ; .boxNameStart
26 DA ld h, $DA
2E 12 ld l, 12
2E 12 ld l, 12
3E DB ld a, $DB ; a = $DB
3E DB ld a, $DB ; a = $DB
32 ldd (hl), a
C6 50 add $50 ; a = $2B
C6 50 add $50 ; a = $2B


Box 2: $DB71
Box 2: $DB71
C6 3D add $3D ; a = $68
C6 3D add $3D ; a = $68
32 ldd (hl), a
32 ldd (hl), a
3E C3 ld a, $C3 ; a = $C3
3E C3 ld a, $C3 ; a = $C3
32 ldd (hl), a
32 ldd (hl), a
D6 8B sub $8B ; a = $38
C6 0B add $0B ; a = $CE
50 ld d, b
50 ld d, b


Box 3: $DB7A
Box 3: $DB7A
EA 86 D8 ld(wItems), a
D6 96 sub $96 ; a = $38
EA A1 DB ld($DBA1), a
EA A1 DB ld($DBA1), a
EA B1 DB ld($DBB1), a
D6 D1 sub $D1 ; a = $67, Carry flag set
50 ld d, b
50 ld d, b


Box 4: $DB83
Box 4: $DB83
EA B1 DB ld($DBB1), a
30 E3 jr nc, .boxNameStart
87 add a ; a = $CE
EA 86 D8 ld(wItems), a
E1 pop hl
E1 pop hl
C9 ret
C9 ret
50 ld d, b
</pre>


Box #5 through box #9 are not executed as part of 0x1500 ACE and are instead part of the standard Mail Writer program. These will be elaborated on in their own section.
Box 5: $DB8C ; first five characters aren't executed as box names and are instead buffered to screen data.


===Effect of Onix===

Defeating the provided list of pokémon and viewing Onix's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:

<pre>
5F ld e, a
00 nop
21 67 00 ld hl, $0067 ; Determined by Onix's moves, Tackle and Screech
00 nop
BF cp a, a
1E 00 ld e, $00 ; $BF1E corresponds to Onix's OTID of 48926
01 XX 00 ld bc, $00XX ; $XX is determined by the exact level of the opponents fought
D2 00 F0 jp nc, $F000
</pre>

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution slides harmlessly through move, OTID and experience data before jumping to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

===Effect of Sandshrew===

Defeating the provided list of pokémon and viewing Sandshrew's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:

<pre>
1B dec de
30 0A jr .jump
XX XX XX XX XX XX XX XX XX 73 ; Move, OTID and experience is skipped over by the jr instruction
00 nop ; .jump
C3 00 F0 jp $F000
</pre>

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution jumps over move, OTID and experience data, followed by another jump to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

===Effect of Wooper/Quagsire===

Defeating the provided list of pokémon and viewing Sandshrew's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:

<pre>
C3 00 F0 jp $F000
</pre>

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution immediately jumps to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

===Effect of the mail===

The last read mail is buffered from $D002 onward. Please note that viewing the bad clone in box #1 will write the value $01 to $D003 and $D004. Converting the characters from the mail to assembly results in the following, ordered by language:

<pre>
3E 01 ld a, $01
01 8D A6 ld bc, $A68D
26 DA ld h, $DA
2E 12 ld l, 12
84 add a, h ; a = $DB
32 ldd (hl), a
81 add a, c ; a = $68
32 ldd (hl), a
90 sub a, b ; a = $C3
32 ldd (hl), a
F6 4E or $4E ; a = $CE
EA 86 D8 ld(wItems), a
D6 96 sub $96 ; a = $38
EA A1 DB ld($DBA1), a
EA B1 DB ld($DBB1), a
E1 pop hl
E1 pop hl
E1 pop hl
C9 ret
C3 91 DB jp $DB91 ; 6th character of box name #5
AF xor a ; Reset carry flag, entry point of jump from screen data
30 D4 jr nc, $D4 ; Will jump to $DB68, the start of box names
</pre>
</pre>


===Effect of the box name code===
===Effect of the Mail Writer code===


Converting the box name code to assembly results in the following code:
Converting the Mail Writer code to assembly results in the following code:


<pre>
<pre>

Revision as of 12:07, 27 November 2023

This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see 0x1500 control code arbitrary code execution.

This page serves as a repository on a 0x1500 ACE setup for the Japanese versions of Pokémon Crystal. It is part of the TimoVM's Gen 2 ACE setups set of guides.

Please make sure to fully read every step of the guide before executing them.

The setup requires catching a Spearow during day time. When starting from a new game, please set the in-game time to morning or midday..

If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.

When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.

General overview

Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.

By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way with help of a Spearow, we can escape the text printing function and trigger arbitrary code execution based on screen data and buffered tile data.

In practice, the initial ACE setup will be created using the following general process:

  1. Train a pokémon that can redirect the effect of 0x1500 ACE to the last read mail.
  2. Obtain an unterminated name pokémon.
  3. Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.

Regarding PKHex

At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.

Box name jump method

Step 1: Catching a spearow

  • (optional) When starting from a new game, set the in-game time to either morning or midday. You are free to pick any starter, trainer name and/or rival name.
  • Catch or obtain a Spearow.
    • When starting from a new game, catch one on route 46 (30% spawn odds, morning and midday).
    • When using an existing save, either catch any Spearow or obtain the nicknamed Spearow from the gate guard between Goldenrod City and Route 35.

Step 2: Preparing the bad clone and remaining items

  1. Use the bad clone glitch to obtain a pokémon with an unterminated name.
    1. For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
    2. Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
    3. After rebooting the game, open and close the item pack, then check the newly deposited pokémon.
    4. If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
    5. If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
  2. Now that you have an unterminated name pokémon, put it in box 5. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 5.
  3. Finally, make sure to set box 5 as the active box.

Step 3: Setting up the Mail Writer

Next, we're going to both finish the setup and use it install a Mail Writer program. The Mail Writer is a small program that is written using box name codes and will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename all boxes to the following names:

Upon using 0x1500 ACE, this box code will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write two values to the box #7 and box #9's names that will allow the Mail Writer to properly function.

Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.

Step 4: Using the ACE setup

Before executing ACE, arrange your party as follow:

  • Slot 1 - Spearow
  • Slots 2-6 aren't relevant for this setup.

Make sure that box 5 is set as the current active box, make sure that the unterminated name pokémon is the only pokémon present in box 5.

In order to execute ACE, do the following actions:
  1. Stand in front of the PC on the second floor of any pokémon center. Take one step down, take one step left until you end up at the location indicated by the above screenshot on the left. Save the game here and reset.
  2. After reloading the save, take one step to the right and take one step up. You should now be standing right in front of the PC. (these steps need to be taken in the correct order, otherwise the setup will not work)
  3. Open the start menu, select Spearow so that you get the option to look at its summary and switch its party position as indicated by the above screenshot on the right, then exit and close the start menu.
  4. Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.

If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the names of box 7 and box 9 have now been changed.

Step 5: Finishing the Mail Writer

Lastly, rename the names of boxes #1 through #5 so that all box names fit the following image. Make sure to not change the names of box #7 and box #9.

Once this is done, you have completed the setup and have installed the Mail Writer.

Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: Mail writer C (JP)

Appendix: in-depth explanation of the setup

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

Address Function
$D05B Address where the names of pokémon and items are buffered.
$D0C8 Address where the current selected party pokémon’s species is buffered.
$D0C9 Address where the current selected party pokémon’s party slot is buffered (zero indexed).
  • Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
  • Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
  • Selecting Spearow in the party menu will buffer its species ID ($15) to $D0C8 and party slot ($00) to $D0C9.
  • When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD46.
  • By opening the start menu and moving one step right and one step up at a specified location, the game will load in a $C2 9B C4 (jp nz, $C49B) at $CD64. Due to the tile contents of the 2nd floor of the pokémon center, the area between $CD46 and $CD64 will be filled with $00 values, allowing safe passage.
  • Viewing the unterminated clone through the withdraw screen will cause the game to attempt to do a lot of stuff at once.
    1. The withdrawn screen is set up and the current active box's name is displayed.
    2. The unterminated name pokémon's name will be drawn on screen, which leads to a buffer overflow.
    3. After printing the name for a while, the game will attempt to print the $15 value that is buffered at $D0C8, which causes it to enter the mobile function mode.
    4. Immediately after this, it will encounter a buffered $00 value at $D0C9, causing a call to $CD46 and activating ACE
  • After arriving at $CD46, execution will nopslide to $CD64, where it will use the buffered data to jump to $C49B, which lies right before screen data.

Effect of screen data

Once execution arrives at $C49B, execution will nopslide until it encounters the following values at $C4A0: 

79		ld a, c
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7B		ld a, e
79		ld a, c
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7B		ld a, e
7C		ld a, h
00		nop
07		rlca
0E 15		ld c, 15
1C		inc e
23		inc hl
2A		ldi a, (hl)
7C		ld a, h
7C		ld a, h
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
E5		push hl
7F		ld a, a
7F		ld a, a
7C		ld a, h
7C		ld a, h
01 08 0F	ld bc, $0F08
16 1D		ld d, 1D
24		inc h
2B		dec hl
7C		ld a, h
7C		ld a, h
E1		pop hl
E1		pop hl
C3 91 DB	jp $DB91	; 6th character of box name #5

Effect of the box name code

In the context of 0x1500 Control Code ACE, only box name #1 through box name #5 are executed. Box name #6 through box name #9 are part of the Mail Writer and will be discussed in the next section only: 

Box 1: $DB68
26 DA		ld h, $DA
2E 12		ld l, 12
3E DB		ld a, $DB	; a = $DB
C6 50		add $50		; a = $2B

Box 2: $DB71
C6 3D		add $3D	; a = $68
32		ldd (hl), a
3E C3		ld a, $C3	; a = $C3
32		ldd (hl), a
C6 0B		add $0B	; a = $CE
50		ld d, b

Box 3: $DB7A
EA 86 D8	ld(wItems), a
D6 96		sub $96		; a = $38
EA A1 DB	ld($DBA1), a
50		ld d, b

Box 4: $DB83
EA B1 DB	ld($DBB1), a
E1		pop hl
C9		ret

Box 5: $DB8C	; first five characters aren't executed as box names and are instead buffered to screen data.

E1		pop hl
E1		pop hl
C3 91 DB	jp $DB91	; 6th character of box name #5
AF		xor a		; Reset carry flag, entry point of jump from screen data
30 D4		jr nc, $D4	; Will jump to $DB68, the start of box names

Effect of the Mail Writer code

Converting the Mail Writer code to assembly results in the following code: 

Box 1: $DB68
11 B1 D2	ld de, $D2B1
D5		push de
D5		push de		; .newMail
26 2E		ld h, $2E
2E 50		ld l, $50	; hl = $2E50

Box 2: $DB71
D5		push de
29		add hl, hl	; hl = $5CA0
2E EB		ld l, $EB	; hl = $5CEB
3E 05		ld a, $05
3D		dec a		; a = $04
42		ld b, d
50		ld d, b

Box 3: $DB7A
B7		or a
CF		rst08h		; farCall _ComposeMailMessage (a:hl = 04:5CEB)
D1		pop de
E1		pop hl		; Set both hl and de to the start of the newly written mail
2A		ldi a, (hl)
B7		or a
B7		or a
D6 50		sub $50

Box 4: $DB83
28 12		jr, .terminator
30 05		jr, .character
2A		ldi a, (hl)	; If terminator, escape loop. if newline, get new value for a and continue
B7		or a
B7		or a
D6 50		sub $50	; Ensures that new character will result in the same value when combined with the next

Box 5: $DB8C
86		add (hl)	; .character
12		ld (de), a
13		inc de
80		add a, b
47		ld b, a		; Responsible for generating checksum
12		ld (de), a
2A		ldi a, (hl)	; inc hl is not available, so this will have to do
E6 50		or $50		; Ensures that carry flag is not set

Box 6: $DB95
30 E7		jr nc, .loop
0C		inc c		; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part
26 C5		ld h, $C5
2E F4		ld l, $F4	; hl = $C4F4, bottom left screen tile
06 50		ld b, $50	; Ensures that b is consistent for the next call

Box 7: $DB9E
1A		ld a, (de)
CD 90 38	call PrintBCDNumber.loop + 01h	; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte.
26 1A		ld h, $1A	; .errorCorrection
1B		dec de		; Calling PrintBCDNumber.loop with c = 01 advances de by 1.
06 50		ld b, $50

Box 8: $DBB0
2E 8D		ld l, $F4	; hl = $1A8D 
29		add hl, hl	; hl = $351A (address of JoyTextDelay_ForcehJoyDown)
CF		rst08H		; Farcall JoyTextDelay_ForcehJoyDown	set a = current button state
B7		or a, a		; Are any buttons pressed? if not, ask for new button states
28 E9		jr z, .terminator
42		ld b, d
50		ld d, b

Box 9: $D8FA
0F		rlca		; Is the a button pressed? If yes, start a new mail
38 B9	jr c, .loop
40		ld b, b
0F		rlca		; Is the b button pressed? If yes, return and execute newly written program.
D8		ret c		; If not, another button was pressed, so decrement de to allow user to correct errors
30 EA		jr nc, .errorCorrection

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

Address Function
$D002 Address where the last read mail is stored.
$D05B Address where the names of pokémon and items are buffered.
$D0C8 Address where the current selected party pokémon’s species is buffered.
$D0C9 Address where the current selected party pokémon’s party slot is buffered (zero indexed).
$D0CE Address where the data of the last viewed pokémon is buffered.
  • Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
  • Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
  • When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD46. Once returned from this address, the game will continue executing ACE instead of printing text.
  • By opening the start menu and moving one step up at a specified location, the game will load in a $C0 (ret nz) at $CD64, allowing immediate safe return from the effects of $1500. The game will resume executing from $D0CA onward.
  • While reading Spearow's mail, its species ID ($15) is written to $D0C8 and its current party slot ($00 if it's in the first party slot) is written to $D0C9.
  • Walking upwards will modify the value that is in $D0C9. By reading Spearow's mail while standing in front of the PC, we assure that a value of $00 is buffered at $D0C9.
  • The last pokémon viewed (ブルブル) is buffered from $D0CE onward. Due to resetting the game, the region between $D0CA and $D0CE is mostly empty and allows safe passage.
  • $Setting Tackle ($21) as ブルブル's first move allows safe passage over Screech ($67).
  • Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
  • Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
  • Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc $F000, due to echo ram this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
  • Viewing the unterminated clone through the withdraw screen will set both $D003 and $D004 to $01.
  • At this point, the mail will redirect execution to $FB75. Due to echo ram, this will effectively redirect execution to $DB75, the start of box name 1. Please note that $D003 and $D004 are overwritten by opening the withdraw screen to the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
  • Afterwards, the game will simply execute the box name code.
  • Once returned, the mail code pops hl before returning. Returning from the mail will cause the game to continue printing text, popping hl ensures that text will be printed to harmless locations in ROM. (Future angle for research: alternatives to ensure safe return without possible memory corruption)
  • Additional note: the setup with Sandshrew works practically identical, with the exception of the Lemonade. This Lemonade will combine with Scratch to form a jr nc, $0A allowing a safe jump over move data, trainer ID data and experience data.

Plain text transcripts of codes

Rival name method

  • Rival's name
ゅ ゅ て エ ろ
  • Setting up the Mail Writer
が れ ぜ デ ぼ ろ づ に
に べ づ ぼ て づ よ シ
ゥ モ ろ ゥ あ ろ よ む
だ ー ク ゥ キ リ ゅ の 
キ デ ド ア ぺ デ ご ?
だ ! ズ が な ぜ ォ ギ
ビ ヘ チ チ が ビ ブ ギ
ぜ セ げ ま き ぐ ァ プ
ダ ダ け パ ダ リ だ ゥ

All other methods

  • Mail
ぼ ほ ほ セ ル が れ ぜ デ オ づ イ づ チ づ 0
ゥ キ リ よ ヌ ゥ モ ろ ゥ あ ろ ゅ の
  • Test box code
ヅ あ め ゆ ゆ が ぜ ぜ
ゆ げ ぜ ェ ぼ ガ べ プ
き ま む ゅ ご き き よ
ぐ デ だ ガ ご き き よ
キ デ ド ア ぺ デ ご ?
だ ! ズ が な ぜ ォ ギ
ビ ヘ チ チ が ビ ブ ギ
ぜ セ げ ま き ぐ ァ プ
ダ け け パ ダ リ だ ゥ
Retrieved from "https://glitchcity.wiki/wiki/Guides:TMless_0x1500_ACE_(JP)?oldid=43155"