Guides:TMless 0x1500 ACE (JP)

From Glitch City Wiki
Jump to navigation Jump to search


WARNING: This guide is outdated and has been replaced by a faster and easier setup. It is only kept for legacy purposes. You can find all up-to-date guides on the TimoVM's Gen 2 ACE setups article.

This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see 0x1500 control code arbitrary code execution.

This page serves as a repository on a 0x1500 ACE setup for the Japanese versions of Pokémon Crystal. It is part of the TimoVM's Gen 2 ACE setups set of guides.

Please make sure to fully read every step of the guide before executing them.

The setup requires catching a Spearow during day time. When starting from a new game, please set the in-game time to morning or midday..

If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.

When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.

General overview

Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.

By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way with help of a Spearow, we can escape the text printing function and trigger arbitrary code execution based on screen data and buffered tile data.

In practice, the initial ACE setup will be created using the following general process:

  1. Train a pokémon that can redirect the effect of 0x1500 ACE to the last read mail.
  2. Obtain an unterminated name pokémon.
  3. Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.

Regarding PKHex

At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.

Box name jump method

Step 1: Catching a spearow

  • (optional) When starting from a new game, set the in-game time to either morning or midday. You are free to pick any starter, trainer name and/or rival name.
  • Catch or obtain a Spearow.
    • When starting from a new game, catch one on route 46 (30% spawn odds, morning and midday).
    • When using an existing save, either catch any Spearow or obtain the nicknamed Spearow from the gate guard between Goldenrod City and Route 35.

Step 2: Preparing the bad clone and remaining items

  1. Use the bad clone glitch to obtain a pokémon with an unterminated name.
    1. For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
    2. Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
    3. After rebooting the game, open and close the item pack, then check the newly deposited pokémon.
    4. If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
    5. If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
  2. Now that you have an unterminated name pokémon, put it in box 5. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 5.
  3. Finally, make sure to set box 5 as the active box.

Step 3: Setting up the Mail Writer

Next, we're going to both finish the setup and use it install a Mail Writer program. The Mail Writer is a small program that is written using box name codes and will allow you to easily write arbitrary data in order to achieve numerous effects.

Rename all boxes to the following names:

Upon using 0x1500 ACE, this box code will be executed and will replace the first item of the main item pocket with a TM15. Alongside that, it will install a setup so that using this TM15 will execute box name codes. Finally, it will write two values to the box #7 and box #9's names that will allow the Mail Writer to properly function.

Once that is done, you can use TM15 at any time to run the Mail Writer. More details on the Mail Writer can be found in the next guide.

Step 4: Using the ACE setup

Before executing ACE, arrange your party as follow:

  • Slot 1 - Spearow
  • Slots 2-6 aren't relevant for this setup.

Make sure that box 5 is set as the current active box, make sure that the unterminated name pokémon is the only pokémon present in box 5.

In order to execute ACE, do the following actions:
  1. Stand in front of the PC on the second floor of any pokémon center. Take one step down, take one step left until you end up at the location indicated by the above screenshot on the left. Save the game here and reset.
  2. After reloading the save, take one step to the right and take one step up. You should now be standing right in front of the PC. (these steps need to be taken in the correct order, otherwise the setup will not work)
  3. Open the start menu, select Spearow so that you get the option to look at its summary and switch its party position as indicated by the above screenshot on the right, then exit and close the start menu.
  4. Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.

If the game doesn't crash, the setup was a success. You should now have a TM15 in the main item pocket, the names of box 7 and box 9 have now been changed.

Step 5: Finishing the Mail Writer

Lastly, rename the names of boxes #1 through #5 so that all box names fit the following image. Make sure to not change the names of box #7 and box #9.

Once this is done, you have completed the setup and have installed the Mail Writer.

Now that the ACE setup has been successfully tested and the Mail Writer program has been fully installed, we can use it to arbitrarily write data to achieve various effects. Instructions on how to activate and use the Mail Writer can be found in the following link: Mail writer C (JP)

Appendix: in-depth explanation of the setup

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

Address Function
$D05B Address where the names of pokémon and items are buffered.
$D0C8 Address where the current selected party pokémon’s species is buffered.
$D0C9 Address where the current selected party pokémon’s party slot is buffered (zero indexed).
  • Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
  • Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
  • Selecting Spearow in the party menu will buffer its species ID ($15) to $D0C8 and party slot ($00) to $D0C9.
  • When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD46.
  • By opening the start menu and moving one step right and one step up at a specified location, the game will load in a $C2 9B C4 (jp nz, $C49B) at $CD64. Due to the tile contents of the 2nd floor of the pokémon center, the area between $CD46 and $CD64 will be filled with $00 values, allowing safe passage.
  • Viewing the unterminated clone through the withdraw screen will cause the game to attempt to do a lot of stuff at once.
    1. The withdrawn screen is set up and the current active box's name is displayed.
    2. The unterminated name pokémon's name will be drawn on screen, which leads to a buffer overflow.
    3. After printing the name for a while, the game will attempt to print the $15 value that is buffered at $D0C8, which causes it to enter the mobile function mode.
    4. Immediately after this, it will encounter a buffered $00 value at $D0C9, causing a call to $CD46 and activating ACE
  • After arriving at $CD46, execution will nopslide to $CD64, where it will use the buffered data to jump to $C49B, which lies right before screen data.

Effect of screen data

Once execution arrives at $C49B, execution will nopslide until it encounters the following values at $C4A0: 

79		ld a, c
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7B		ld a, e
79		ld a, c
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7A		ld a, d
7B		ld a, e
7C		ld a, h
00		nop
07		rlca
0E 15		ld c, 15
1C		inc e
23		inc hl
2A		ldi a, (hl)
7C		ld a, h
7C		ld a, h
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
7F		ld a, a
E5		push hl
7F		ld a, a
7F		ld a, a
7C		ld a, h
7C		ld a, h
01 08 0F	ld bc, $0F08
16 1D		ld d, 1D
24		inc h
2B		dec hl
7C		ld a, h
7C		ld a, h
E1		pop hl
E1		pop hl
C3 91 DB	jp $DB91	; 6th character of box name #5

Effect of the box name code

In the context of 0x1500 Control Code ACE, only box name #1 through box name #5 are executed. Box name #6 through box name #9 are part of the Mail Writer and will be discussed in the next section only: 

Box 1: $DB68
26 DA		ld h, $DA
2E 12		ld l, 12
3E DB		ld a, $DB	; a = $DB
C6 50		add $50		; a = $2B

Box 2: $DB71
C6 3D		add $3D	; a = $68
32		ldd (hl), a
3E C3		ld a, $C3	; a = $C3
32		ldd (hl), a
C6 0B		add $0B	; a = $CE
50		ld d, b

Box 3: $DB7A
EA 86 D8	ld(wItems), a
D6 96		sub $96		; a = $38
EA A1 DB	ld($DBA1), a
50		ld d, b

Box 4: $DB83
EA B1 DB	ld($DBB1), a
E1		pop hl
C9		ret

Box 5: $DB8C	; first five characters aren't executed as box names and are instead buffered to screen data.

E1		pop hl
E1		pop hl
C3 91 DB	jp $DB91	; 6th character of box name #5
AF		xor a		; Reset carry flag, entry point of jump from screen data
30 D4		jr nc, $D4	; Will jump to $DB68, the start of box names

Effect of the Mail Writer code

Converting the Mail Writer code to assembly results in the following code: 

Box 1: $DB68
11 B1 D2	ld de, $D2B1
D5		push de
D5		push de		; .newMail
26 2E		ld h, $2E
2E 50		ld l, $50	; hl = $2E50

Box 2: $DB71
D5		push de
29		add hl, hl	; hl = $5CA0
2E EB		ld l, $EB	; hl = $5CEB
3E 05		ld a, $05
3D		dec a		; a = $04
42		ld b, d
50		ld d, b

Box 3: $DB7A
B7		or a
CF		rst08h		; farCall _ComposeMailMessage (a:hl = 04:5CEB)
D1		pop de
E1		pop hl		; Set both hl and de to the start of the newly written mail
2A		ldi a, (hl)
B7		or a
B7		or a
D6 50		sub $50

Box 4: $DB83
28 12		jr, .terminator
30 05		jr, .character
2A		ldi a, (hl)	; If terminator, escape loop. if newline, get new value for a and continue
B7		or a
B7		or a
D6 50		sub $50	; Ensures that new character will result in the same value when combined with the next

Box 5: $DB8C
86		add (hl)	; .character
12		ld (de), a
13		inc de
80		add a, b
47		ld b, a		; Responsible for generating checksum
12		ld (de), a
2A		ldi a, (hl)	; inc hl is not available, so this will have to do
E6 50		or $50		; Ensures that carry flag is not set

Box 6: $DB95
30 E7		jr nc, .loop
0C		inc c		; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part
26 C5		ld h, $C5
2E F4		ld l, $F4	; hl = $C4F4, bottom left screen tile
06 50		ld b, $50	; Ensures that b is consistent for the next call

Box 7: $DB9E
1A		ld a, (de)
CD 90 38	call PrintBCDNumber.loop + 01h	; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte.
26 1A		ld h, $1A	; .errorCorrection
1B		dec de		; Calling PrintBCDNumber.loop with c = 01 advances de by 1.
06 50		ld b, $50

Box 8: $DBB0
2E 8D		ld l, $F4	; hl = $1A8D 
29		add hl, hl	; hl = $351A (address of JoyTextDelay_ForcehJoyDown)
CF		rst08H		; Farcall JoyTextDelay_ForcehJoyDown	set a = current button state
B7		or a, a		; Are any buttons pressed? if not, ask for new button states
28 E9		jr z, .terminator
42		ld b, d
50		ld d, b

Box 9: $D8FA
0F		rlca		; Is the a button pressed? If yes, start a new mail
38 B9	jr c, .loop
40		ld b, b
0F		rlca		; Is the b button pressed? If yes, return and execute newly written program.
D8		ret c		; If not, another button was pressed, so decrement de to allow user to correct errors
30 EA		jr nc, .errorCorrection

Explanation on the 0x1500 ACE setup

This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.

Relevant addresses for this explanation:

Address Function
$D002 Address where the last read mail is stored.
$D05B Address where the names of pokémon and items are buffered.
$D0C8 Address where the current selected party pokémon’s species is buffered.
$D0C9 Address where the current selected party pokémon’s party slot is buffered (zero indexed).
$D0CE Address where the data of the last viewed pokémon is buffered.
  • Resetting the game clears the contents of the text buffer, which would cause an undesired early termination of the unterminated pokémon's name
  • Resetting the game also resets a bunch of nearby values that are related to selected item IDs, quantities and amounts to be tossed.
  • When the text printing function encounters a $15 value, it will attempt to execute a Mobile Adapter related function. The selected function depends on the next read value, but $00 is an invalid Mobile Adapter function and will instead call $CD46. Once returned from this address, the game will continue executing ACE instead of printing text.
  • By opening the start menu and moving one step up at a specified location, the game will load in a $C0 (ret nz) at $CD64, allowing immediate safe return from the effects of $1500. The game will resume executing from $D0CA onward.
  • While reading Spearow's mail, its species ID ($15) is written to $D0C8 and its current party slot ($00 if it's in the first party slot) is written to $D0C9.
  • Walking upwards will modify the value that is in $D0C9. By reading Spearow's mail while standing in front of the PC, we assure that a value of $00 is buffered at $D0C9.
  • The last pokémon viewed (ブルブル) is buffered from $D0CE onward. Due to resetting the game, the region between $D0CA and $D0CE is mostly empty and allows safe passage.
  • $Setting Tackle ($21) as ブルブル's first move allows safe passage over Screech ($67).
  • Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
  • Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
  • Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc $F000, due to echo ram this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
  • Viewing the unterminated clone through the withdraw screen will set both $D003 and $D004 to $01.
  • At this point, the mail will redirect execution to $FB75. Due to echo ram, this will effectively redirect execution to $DB75, the start of box name 1. Please note that $D003 and $D004 are overwritten by opening the withdraw screen to the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
  • Afterwards, the game will simply execute the box name code.
  • Once returned, the mail code pops hl before returning. Returning from the mail will cause the game to continue printing text, popping hl ensures that text will be printed to harmless locations in ROM. (Future angle for research: alternatives to ensure safe return without possible memory corruption)
  • Additional note: the setup with Sandshrew works practically identical, with the exception of the Lemonade. This Lemonade will combine with Scratch to form a jr nc, $0A allowing a safe jump over move data, trainer ID data and experience data.

Plain text transcripts of codes

  • 0x1500 Control Code ACE box name code
が れ ぜ デ ぼ ろ づ に
に べ づ ぼ て づ に ジ
ゥ キ リ よ ヌ ゥ モ ろ
ゥ あ ろ ゅ の
ゅ ゅ て ツ ろ ョ だ や
だ ! ズ が な ぜ ォ ギ
ビ ヘ チ チ が ビ ブ ギ
ぜ セ げ ま き ぐ ァ プ
ダ ダ け パ ダ リ だ ゥ
  • Setting up the Mail Writer
が れ ぜ デ ぼ ろ づ に
に べ づ ぼ て づ よ シ
ゥ モ ろ ゥ あ ろ よ む
だ ー ク ゥ キ リ ゅ の 
キ デ ド ア ぺ デ ご ?
だ ! ズ が な ぜ ォ ギ
ビ ヘ チ チ が ビ ブ ギ
ぜ セ げ ま き ぐ ァ プ
ダ ダ け パ ダ リ だ ゥ
Retrieved from "https://glitchcity.wiki/wiki/Guides:TMless_0x1500_ACE_(JP)?oldid=43361"