Mail writer
The Mail writer is an arbitrary code execution program for pokémon Gold, Silver and Crystal, created by TimoVM.
It is a 50 byte program, installed in the TM/HM pocket by having specific TM quantities, that allows the user to quickly and accurately write and execute arbitrary code payloads of up to a maximum size of 428 bytes. Payloads are written from wOtPartyCount onward, where enemy trainer's parties are usually buffered. Using the Mail writer requires an ACE setup that both redirects execution to the start of the TM/HM pocket and sets the value of register a to $04.
The Mail writer is currently supported for all language releases of Gold, Silver and Crystal, both VC and cartridge, with the exception of the Japanese releases.
How the mail writer works
Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place:
- The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code.
- Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where they can either choose to write another mail, go back and correct previously written values or stop the mail writer and execute the newly written payload.
- If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a 16 byte lond line of code and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads.
Mail codes can be automatically calculated using Scotteh's mail code tool. This tool will accept a code written in hexadecimal values and automatically convert them to mail codes. These mails are optimized to require the least amount of button presses possible. The following values were determined from converting a 288 byte long RAM writer code:
| Language | Button presses |
|---|---|
| English | 5.0 |
| German | 4.9 |
| French | 4.3 |
| Spanish | 4.2 |
| Italian | 4.2 |
| Korean | 10.7 |
TODO: ADD LANGUAGE SPECIFIC TM AMOUNTS
General assembly
11 XX XX ld de, wOTPartyCount D5 push de .loop D5 push de D5 push de 21 XX XX ld hl, _ComposeMailMessage CF Farcall ; assumes a = $04 E1 pop hl D1 pop de .nextChar 2A ldi a, (hl) FE 50 cp 50 38 FB jr c, .nextchar 28 0A jp z, .@ 87 add a 86 add (hl) 12 ld (de), a 13 inc de 23 81 add c 4F ld c, a 12 ld (de), a 18 EF jr nz, .nextChar .@ 21 01 C4/C5 ld hl, C401/C501 ; corresponds to a screen tile location. C401 for Gold/Silver, C501 for Crystal. 4D ld c, l CD XX XX call PrintBCDNumber.loop (-$01) ; if language ends BCD with $, jump to PrintBCDNumber.loop. else, jump to one byte before PrintBCDNumber.loop .DownPressed 1B dec DE CD XX XX call JoyTextDelay_ForcehJoyDown BD cp l; Due to the effects of PrintBCDNumber.loop, l = $04 28 D9 jr z, .loop 38 F0 jr c, .@ FE 08 cp 08 C8 ret z 18 F2 jr .DownPressed