Guides:TMless 0x1500 ACE (JP)

From Glitch City Wiki
Jump to navigation Jump to search
This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see 0x1500 control code arbitrary code execution.

This page serves as a repository on a 0x1500 ACE setup for the Japanese versions of Pokémon Crystal. It is part of the TimoVM's Gen 2 ACE setups set of guides.

The guide is split up between guides applicable for players starting a new game or continuing from an old game. Please make sure to fully read every step of the guide before executing them.

The setup requires catching a Spearow during day time and fighting Spinarak during night time. It is recommended to set the in-game time at the start of the game somewhere between 5:00PM-5:30PM.

If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.

When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.

General overview

Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, instead printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.

By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way, we can escape the text printing function and trigger arbitrary code execution based on the data of the last viewed party pokémon.

In practice, the initial ACE setup will be created using the following general process:

  1. Train a pokémon that can redirect the effect of 0x1500 ACE to the last read mail.
  2. Obtain an unterminated name pokémon.
  3. Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.

Regarding PKHex

At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.

Starting from a new game

Step 1: Preparing the Onix

Start playing the game as you normally would, the starter doesn't matter. It is recommended that you don’t fight the bug catcher on route 31.

  1. Once you acquire poké balls, catch a Spearow on route 46 (30% spawn odds, morning and midday).
  2. Once you reach route 31, catch a Bellsprout (20% spawn odds, all day).
  3. Proceed to Violet City. In the house to the left of the pokémon center, trade your Bellsprout for Rocky the Onix. In case you have already traded and used Onix prior to reading this guide, an alternative setup is provided further on in the page.
  4. With Onix, defeat the following Pokémon. It is imperative that Onix is the only pokémon that gains experience during these battles:
    • Spinarak (30% spawn odds on route 31, only during nighttime)
    • Spinarak (30% spawn odds on route 31, only during nighttime)
    • Spinarak (30% spawn odds on route 31, only during nighttime)
    • Caterpie (30% spawn odds on route 30, only during morning and midday. The trainer on route 31 has three Caterpie you can fight)
    • Caterpie (30% spawn odds on route 30, only during morning and midday. The trainer on route 31 has three Caterpie you can fight)
  5. Make sure Onix doesn’t hold any item, check that Tackle is set as its first move.
  6. Go to Violet City’s pokémon mart. Buy 22 flower mails. If you’re starting from a new save, make sure that you have at least one poké ball left in the ball pocket.

Step 2: Preparing the bad clone and remaining items

  1. Use the bad clone glitch to obtain a pokémon with an unterminated name.
    1. For this, use a box that has never been full at any point in time.
    2. Fill the box with 15 pokémon. To speed up this process, it's recommended to clone the pokémon you already have. Save the game.
    3. Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed SAVING... DON'T TURN OFF THE POWER.
    4. After rebooting the game, use a potion up to where the game brings up the party screen. the potion doesn't have to actually be used, you can cancel from here), then check the newly deposited pokémon.
    5. If the newly deposited pokémon’s nickname was changed to a bunch of ????????????, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late. Make sure to release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 3.
  2. Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
  3. Finally, give Spearow a mail to hold with the following text:

Setting up the Mail Writer

Next, we're going to both test the setup and install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename box 1 to the following names:

This box name code will be used to test the setup. It will safely exi ACE and return the game's state back to normal.

Alongside that, the mail code included in its setup will replace the first item of the main item pocket with a TM15 and install a setup so that using this TM15 will execute box name codes. On top of that, it will write two values to the box name area that will allow the Mail Writer to properly function.

Step 3: using the ACE setup

Before executing ACE, arrange your party as follow:

  • Slot 1 - Spearow, holding mail
  • Slot 2 - Onix, no held item
  • Slots 3-6 aren't relevant for this setup.

In order to execute ACE, do the following actions:

  1. Stand in front of the PC on the second floor of any pokémon center. Save and reset the game.
  2. Take exactly one step down and open the start menu.
  3. Open the summary of Sandshrew and close it.
  4. Take exactly one step up so you’re in front of the PC. Open the start menu again.
  5. Read the mail you've previously given to Spearow (the Spearow needs to be at the very top of your party list).
  6. Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE.

If the game doesn't crash, the setup was a success and you can continue to the end of the page.

Starting from an older save

Step 1: Preparing the Sandshrew

Continue playing the game as you normally would.

  1. Once you reach Union Cave, catch a Sandshrew (30% spawn odds, only during morning and midday). It is recommended to use TM31 to teach it Mud-slap (Obtained by beating Falkner).
  2. With Sandshrew, defeat the following Pokémon. It is imperative that Sandshrew is the only pokémon that gains experience during these battles:
    • Geodude (30% spawn odds in Union Cave, 20% spawn odds on route 33, entire day)
    • Geodude (30% spawn odds in Union Cave, 20% spawn odds on route 33, entire day)
    • Hoppip (15% spawn odds on route 33, only during morning and midday)
  3. Talk to the guard in the gate between Ilex Forest and route 34 to obtain Kenya the Spearow. If Kenya is not available, it can be substituted by any other wild Spearow.
  4. Once you reach Goldenrod City, go to the Goldenrod Dept. Store and buy 22 Flower Mails and one Lemonade (can be bought from the vending machines at the top floor).
  5. Buy an additional Poké Ball and Great Ball. Ensure that the Poké Ball is at the bottom of the ball pocket item list.
  6. Give Sandshrew the Lemonade as a held item, ensure it has Scratch as its first move.

Step 2: Preparing the bad clone and remaining items

  1. Use the bad clone glitch to obtain a pokémon with an unterminated name.
    1. For this, use a box that has never been full at any point in time.
    2. Fill the box with 15 pokémon. To speed up this process, it's recommended to clone the pokémon you already have. Save the game.
    3. Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed SAVING... DON'T TURN OFF THE POWER.
    4. After rebooting the game, use a potion up to where the game brings up the party screen. the potion doesn't have to actually be used, you can cancel from here), then check the newly deposited pokémon.
    5. If the newly deposited pokémon’s nickname was changed to a bunch of ????????????, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late. Make sure to release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 3.
  2. Now that you have an unterminated name pokémon, put it in box 1. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 1.
  3. Finally, give your Spearow (either Kenya or another Spearow) a mail to hold with the following text:

Setting up the Mail Writer

Next, we're going to both test the setup and install a Mail Writer program. The Mail Writer is a small program that is written using box name codes. This program will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename box 1 to the following names:

This box name code will be used to test the setup. It will safely exi ACE and return the game's state back to normal.

Alongside that, the mail code included in its setup will replace the first item of the main item pocket with a TM15 and install a setup so that using this TM15 will execute box name codes. On top of that, it will write two values to the box name area that will allow the Mail Writer to properly function.

Step 3: using the ACE setup

Before executing ACE, arrange your party as follow:

  • Slot 1 - Spearow, holding mail
  • Slot 2 - Sandshrew, holding Lemonade
  • Slots 3-6 aren't relevant for this setup.

In order to execute ACE, do the following actions:

  1. Stand in front of the PC on the second floor of any pokémon center. Save and reset the game.
  2. Take exactly one step down and open the start menu.
  3. Open the summary of Sandshrew and close it.
  4. Take exactly one step up so you’re in front of the PC. Open the start menu again.
  5. Read the mail you've previously given to Spearow (the Spearow needs to be at the very top of your party list).
  6. Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE.

If the game doesn't crash, the setup was a success and you can now continue.

What to do with this ACE setup

Now that the ACE setup has been succesfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: Mail writer C (JP)

Appendix: in-depth explanation of the setup

Effect of Onix

Defeating the provided list of pokémon and viewing Onix's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2: 

5F		ld e, a
00		nop
21 67 00	ld hl, $0067	; Determined by Onix's moves, Tackle and Screech
00		nop
BF		cp a, a
1E 00		ld e, $00	; $BF1E corresponds to Onix's OTID of 48926
01 XX 00	ld bc, $00XX	; $XX is determined by the exact level of the opponents fought
D2 00 F0	jp nc, $F000

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution slides harmlessly through move, OTID and experience data before jumping to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

Effect of Sandshrew

Defeating the provided list of pokémon and viewing Sandshrew's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2: 

1B		dec de
30 0A		jr .jump
XX XX XX XX XX XX XX XX XX 73	; Move, OTID and experience is skipped over by the jr instruction
00		nop		; .jump
C3 00 F0	jp $F000

After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution jumps over move, OTID and experience data, followed by another jump to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.

Effect of the mail

The last read mail is buffered from $D002 onward. Please note that viewing the bad clone in box #1 will write the value $01 to $D003 and $D004. Converting the characters from the mail to assembly results in the following, ordered by language: 

3E 01		ld a, $01
01 8D A6	ld bc, $A68D
26 DA		ld h, $DA
2E 12		ld l, 12
84		add a, h	; a = $DB
32		ldd (hl), a
81		add a, c	; a = $68
32		ldd (hl), a
90		sub a, b	; a = $C3
32		ldd (hl), a
F6 4E		or $4E		; a = $CE
EA 86 D8	ld(wItems), a
D6 96		sub $96		; a = $38
EA A1 DB	ld($DBA1), a
EA B1 DB	ld($DBB1), a
E1		pop hl
C9		ret

Effect of the box name code

Converting the box name code to assembly results in the following code: 

Box 1: $DB68
11 B1 D2	ld de, $D2B1
D5		push de
D5		push de		; .newMail
26 2E		ld h, $2E
2E 50		ld l, $50	; hl = $2E50

Box 2: $DB71
D5		push de
29		add hl, hl	; hl = $5CA0
2E EB		ld l, $EB	; hl = $5CEB
3E 05		ld a, $05
3D		dec a		; a = $04
42		ld b, d
50		ld d, b

Box 3: $DB7A
B7		or a
CF		rst08h		; farCall _ComposeMailMessage (a:hl = 04:5CEB)
D1		pop de
E1		pop hl		; Set both hl and de to the start of the newly written mail
2A		ldi a, (hl)
B7		or a
B7		or a
D6 50		sub $50

Box 4: $DB83
28 12		jr, .terminator
30 05		jr, .character
2A		ldi a, (hl)	; If terminator, escape loop. if newline, get new value for a and continue
B7		or a
B7		or a
D6 50		sub $50	; Ensures that new character will result in the same value when combined with the next

Box 5: $DB8C
86		add (hl)	; .character
12		ld (de), a
13		inc de
80		add a, b
47		ld b, a		; Responsible for generating checksum
12		ld (de), a
2A		ldi a, (hl)	; inc hl is not available, so this will have to do
E6 50		or $50		; Ensures that carry flag is not set

Box 6: $DB95
30 E7		jr nc, .loop
0C		inc c		; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part
26 C5		ld h, $C5
2E F4		ld l, $F4	; hl = $C4F4, bottom left screen tile
06 50		ld b, $50	; Ensures that b is consistent for the next call

Box 7: $DB9E
1A		ld a, (de)
CD 90 38	call PrintBCDNumber.loop + 01h	; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte.
26 1A		ld h, $1A	; .errorCorrection
1B		dec de		; Calling PrintBCDNumber.loop with c = 01 advances de by 1.
06 50		ld b, $50

Box 8: $DBB0
2E 8D		ld l, $F4	; hl = $1A8D 
29		add hl, hl	; hl = $351A (address of JoyTextDelay_ForcehJoyDown)
CF		rst08H		; Farcall JoyTextDelay_ForcehJoyDown	set a = current button state
B7		or a, a		; Are any buttons pressed? if not, ask for new button states
28 E9		jr z, .terminator
42		ld b, d
50		ld d, b

Box 9: $D8FA
0F		rlca		; Is the a button pressed? If yes, start a new mail
38 B9	jr c, .loop
40		ld b, b
0F		rlca		; Is the b button pressed? If yes, return and execute newly written program.
D8		ret c		; If not, another button was pressed, so decrement de to allow user to correct errors
30 EA		jr nc, .errorCorrection

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

Address Function
$D002 Address where the last read mail is stored.
$D05B Address where the names of pokémon and items are buffered.
$D0C8 Address where the current selected party pokémon’s species is buffered.
$D0C9 Address where the current selected party pokémon’s party slot is buffered (zero indexed).
$D0CE Address where the data of the last viewed pokémon is buffered.
  • Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
  • Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
  • When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD64. Once returned from this address, the game will continue executing ACE instead of printing ACE.
  • By opening the start menu and moving one step up at a specified location, the game will load in a $C0 (ret nz) at $CD64, allowing immediate safe return from the effects of $1500. The game will resume executing from $D0CA onward.
  • The last pokémon viewed (ブルブル) is buffered from $D0CE onward. Due to resetting the game, the region between $D0CA and $D0CE is mostly empty and allows safe passage.
  • $Setting Tackle ($21) as ブルブル's first move allows safe passage over Screech ($67).
  • Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
  • Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
  • Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc $F000, due to echo ram this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
  • Viewing the unterminated clone through the withdraw screen will set both $D003 and $D004 to $01.
  • At this point, the mail will redirect execution to $FB75. Due to echo ram, this will effectively redirect execution to $DB75, the start of box name 1. Please note that $D003 and $D004 are overwritten by opening the withdraw screen to the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
  • Afterwards, the game will simply execute the box name code.
  • Once returned, the mail code pops hl before returning. Returning from the mail will cause the game to continue printing text, popping hl ensures that text will be printed to harmless locations in ROM. (Future angle for research: alternatives to ensure safe return without possible memory corruption)
  • Additional note: the setup with Sandshrew works practically identical, with the exception of the Lemonade. This Lemonade will combine with Scratch to form a jr nc, $0A allowing a safe jump over move data, trainer ID data and experience data.

Plain text transcripts of codes

  • Mail
ぼ ほ ほ セ ル が れ ぜ デ オ づ イ づ チ づ 0
ゥ キ リ よ ヌ ゥ モ ろ ゥ あ ろ ゅ の
  • Test box code
Retrieved from "https://glitchcity.wiki/wiki/Guides:TMless_0x1500_ACE_(JP)?oldid=43007"