Guides:Fast 0x1500 ACE: Difference between revisions
Line 112: | Line 112: | ||
|} |
|} |
||
* Then, execute 0x1500 control code ACE using the method described in the [[https://glitchcity.wiki/wiki/ |
* Then, execute 0x1500 control code ACE using the method described in the [[https://glitchcity.wiki/wiki/Guides:Fast_0x1500_ACE#Using_the_ACE_setup|previous section here]]. |
||
* If the code was successfully executed, the TM/HM pocket should now be completely filled with 255 copies of every TM. Additionally, the first item in the main item pocket will have changed into a TM15. Using it will execute code in the TM/HM pocket. Make sure to save after verifying that the code worked. |
* If the code was successfully executed, the TM/HM pocket should now be completely filled with 255 copies of every TM. Additionally, the first item in the main item pocket will have changed into a TM15. Using it will execute code in the TM/HM pocket. Make sure to save after verifying that the code worked. |
Revision as of 18:18, 1 December 2023
This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see 0x1500 control code arbitrary code execution. |
This page serves as a repository on a 0x1500 ACE setup for the English, Italian and Spanish versions of Pokémon Crystal. It is part of the TimoVM's Gen 2 ACE setups set of guides.
The preparation is best done during morning or midday in-game. If needed, you can change the in-game clock with the help of this tool.
If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.
When playing on cartridge or emulator, it is required to have previously cleared an old save by pressing SELECT + UP + B simultaneously on the start screen at least once since obtaining the cart. Otherwise you will not be able to obtain a bad clone or an unterminated name pokémon.
Setting up initial ACE
Pokémon Crystal contains two important differences compared to its predecessors. Firstly, Crystal won't abort the text printing function when it encounters a $00 value, instead printing a '?' instead. Secondly, Crystal added new printing funtions related to the Mobile Game Boy Adapter, a Japanese exclusive peripheral that allowed internet connectivity through a mobile phone.
By obtaining a pokémon whose name does not contain the usual text terminator, we can force the game into printing much larger amounts of texts than would otherwise be possible. By abusing an illegal Mobile Adapter function and setting up memory in a specific way, we can escape the text printing function and trigger arbitrary code execution based on the data of the last viewed party pokémon.
In practice, the initial ACE setup will be created using the following general process:
- Obtain a Spearow
- Obtain an unterminated name pokémon.
- Set up the currently buffered memory in such a way that we can trigger 0x1500 ACE upon seeing the name of the unterminated name pokémon.
This guide can be performed right after obtaining poké balls for the first time, but can be performed regardless of game progression.
Regarding PKHex
At the moment, this guide is incompatible with saves exported from PKHex. Upon exporting a save, PKHex will fill all currently unused data for the OT name and nickname of all boxes with text terminators, making it impossible to obtain an unterminated name pokémon.
Step 1: Obtaining a Spearow
- Obtain a Spearow through one of the following methods:
- Catch a Spearow in the wild. It is recommended to catch a Spearow in the south part of route 46, which is accessible from the beginning of the game. (30% encounter odds, only during morning or midday)
- Talk to the gate guard between Goldenrod City and route 35 to obtain a Spearow.
- Head to the nearest pokémon center and continue with the next step.
Step 2: Preparing the bad clone and remaining items
- Use the bad clone glitch to obtain a pokémon with an unterminated name.
- For this, use a box that has never been full at any point in time. It’s recommended to start with an empty box.
- Deposit a single pokémon. Attempt to save the game using "Move Pokémon w/o mail" but reset the game a bit just after the game has fully printed "SAVING... DON'T TURN OFF THE POWER".
- After rebooting the game, use a potion up to where the game brings up the party screen. the potion doesn't have to actually be used, you can cancel from here), then check the newly deposited pokémon.
- If the newly deposited pokémon’s nickname was changed to a bunch of question marks, you can continue with the next step. If the pokémon wasn't saved, that means the reset too early. If the pokémon was cloned, this means the reset was too late.
- If the amount of pokémon in the box exceeds 15, release the cloned pokémon and save the game afterwards to set the amount of stored pokémon to 15 before repeating step 2.
- Now that you have an unterminated name pokémon, put it in box 14. Either release or move all other pokémon in the box so that the unterminated name pokémon is the only pokémon left in box 14.
- You now have everything needed for the setup, you can continue with the next step.
Step 3: Testing the setup and using ACE
Now that we have everything ready, we'll be verifying the setup by testing a code that will safely exit ACE without any additional side effects. Once we have verified the setup, we can replace the test box code with another box code to apply various effects.
In order to be able to test the setup, rename box 14 to the following names:
English | Italian | Spanish |
---|---|---|
|
|
|
Using the ACE setup
Before executing ACE, arrange your party as follow:
- Slot 1 - Spearow
- Slots 2-6 aren't relevant for this setup.
Next, make sure you set up the following:
- Make box 14 the current active box, ensure that the bad clone is the only pokémon in box 14.
- Make sure that the box name code you wish to execute was correctly entered.
Finally, in order to execute ACE, do the following actions:
- Stand in front of the PC on the second floor of any pokémon center. Take one step down, take one step left until you end up at the location indicated by the above screenshot on the left. Save the game here and reset.
- After reloading the save, take one step to the right and take one step up. You should now be standing right in front of the PC. (these steps need to be taken in the correct order, otherwise the setup will not work)
- Open the start menu, select Spearow so that you get the option to look at its summary and switch its party position as indicated by the above screenshot on the right, then exit and close the start menu.
- Open the PC. Open the withdraw screen so that the unterminated name pokémon's name would be displayed. Displaying this name will trigger ACE. If the screen stays white, press "A" a couple of times until the box view reappears.
If the game doesn't crash, the setup was a success and you can continue to the next step.
Setting up an ACE environment
While we now have a way to execute box name codes using ACE, the current setup has a few drawbacks:
- Executing ACE requires performing various specific steps, preventing us from using ACE whenever we want.
- Box name codes have a limited characterset, effectively meaning that it's difficult to set up more complicated ACE effects.
To resolve this issue, we're going to install the Mail Writer. This is a 50 byte program, installed as a series of TM quantities, that will allow us to quickly and efficiently write and execute any arbitrary code we want.
To do that, we're going to use a box name code to obtain 255 copies of all TMs, then sell them in specific quantities to write out a program. Alongside that, the box name code will also add a TM15 to the main item pocket. Using this TM15, outside of the TM/HM pocket, will allow us to execute the Mail Writer at any time without requiring additional setup.
The mail writer itself will be installed in the TM/HM pocket through the following two step process:
- Execute a box code using 0x1500 control code ACE that sets the quantities of all 50 TMs to x255, as well as placing a TM15 in the main item pocket and installing a setup so that using this TM15 will redirect execution to the start of the TM/HM pocket.
- Sell TMs in specific quantities so that the amount of TMs in the TM/HM pocket spell out a small mail writer program.
Step 4: setting all TM quantities to x255
- Rename box names to form the following language dependent codes. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().
English | Italian | Spanish |
---|---|---|
|
|
|
- Then, execute 0x1500 control code ACE using the method described in the [section here].
- If the code was successfully executed, the TM/HM pocket should now be completely filled with 255 copies of every TM. Additionally, the first item in the main item pocket will have changed into a TM15. Using it will execute code in the TM/HM pocket. Make sure to save after verifying that the code worked.
Step 5: Selling TMs to form a program in the TM/HM pocket
Now that we have obtained x255 of every TM, we'll be selling specific amounts of these in order to form a program. This program differs slightly depending on the specific language you're using. The following table displays how many TMs of each kind you need to end up with, along with the amount of money you gain by selling them.
Once you're done selling all TMs, simply use TM15 to activate the mail writer.
English | French | German | Italian | Spanish |
---|---|---|---|---|
|
|
|
|
|
Language independent TMs
TM | Final Quantity | Sell value |
---|---|---|
TM01 DYNAMICPUNCH | x17 | 357000 |
TM02 HEADBUTT | x128 | 127000 |
TM03 CURSE | x210 | 67500 |
TM04 ROLLOUT | x213 | 42000 |
TM05 ROAR | x213 | 21000 |
TM06 TOXIC | x213 | 63000 |
TM07 ZAP CANNON | x33 | 222000 |
TM08 ROCK SMASH | SEE NEXT TABLE | |
TM09 PSYCH UP | x94 | 80500 |
TM10 HIDDEN POWER | x207 | 72000 |
TM11 SUNNY DAY | x225 | 30000 |
TM12 SWEET SCENT | x209 | 23000 |
TM13 SNORE | x42 | 106500 |
TM14 BLIZZARD | x254 | 1500 |
TM15 HYPER BEAM | x80 | 262500 |
TM16 ICY WIND | x56 | 298500 |
TM17 PROTECT | x251 | 6000 |
TM18 RAIN DANCE | x40 | 215000 |
TM19 GIGA DRAIN | x10 | 367500 |
TM20 ENDURE | x135 | 180000 |
TM21 FRUSTRATION | x134 | 60500 |
TM22 SOLARBEAM | x18 | 355500 |
TM23 IRON TAIL | x19 | 354000 |
TM24 DRAGONBREATH | x35 | 330000 |
TM25 THUNDER | x129 | 126000 |
TM26 EARTHQUAKE | x79 | 264000 |
TM27 RETURN | x18 | 118500 |
TM28 DIG | x24 | 231000 |
TM29 PSYCHIC | x239 | 16000 |
TM30 SHADOW BALL | x33 | 333000 |
TM31 MUD-SLAP | x1 | 381000 |
TM32 DOUBLE TEAM | x197 | 58000 |
TM33 ICE PUNCH | x77 | 267000 |
TM34 SWAGGER | x205 | 25000 |
TM35 SLEEP TALK | SEE NEXT TABLE | |
TM36 SLUDGE BOMB | x56 | 99500 |
TM37 SANDSTORM | x27 | 228000 |
TM38 FIRE BLAST | x205 | 50000 |
TM39 SWIFT | SEE NEXT TABLE | |
TM40 DEFENSE CURL | x53 | 101000 |
TM41 THUNDERPUNCH | x189 | 99000 |
TM42 DREAM EATER | x40 | 322500 |
TM43 DETECT | x217 | 19000 |
TM44 REST | x56 | 298500 |
TM45 ATTRACT | x240 | 22500 |
TM46 THIEF | x254 | 1500 |
TM47 STEEL WING | x08 | 370500 |
TM48 FIRE PUNCH | x200 | 82500 |
TM49 FURY CUTTER | x24 | 346500 |
TM50 NIGHTMARE | x242 | 13000 |
Language dependent TMs
TM | English | French | German | Italian | Spanish | |||||
---|---|---|---|---|---|---|---|---|---|---|
Final amount | Amount sold for | Final amount | Amount sold for | Final amount | Amount sold for | Final amount | Amount sold for | Final amount | Amount sold for | |
TM08 ROCK SMASH | x117 | 69000 | x122 | 66500 | x99 | 78000 | x197 | 29000 | x232 | 11500 |
TM35 SLEEP TALK | x204 | 25500 | x175 | 40000 | x182 | 36500 | x186 | 34500 | x172 | 41500 |
TM39 SWIFT | x75 | 180000 | x56 | 199000 | x53 | 202000 | x57 | 198000 | x53 | 202000 |
Once this has been done, continue to the next step.
Step 6: Using the mail writer
From now on, simply use the TM15 in the main item pocket to start up the Mail riter.
The Mail Writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail.
This will cause the mail writer to convert the newly written code into assembly. It will also print a checksum (sum of all written values) on the screen just to the right of the lower row. This can be used to verify if a code was entered correctly.
Due to a lack of available memory in the TM/HM pocket, it is not possible to quit the RAM writer without executing the newly written code. If you ever accidentally activate the mail writer and would like to quit, simply write a mail containing "Rh" then confirm and exit the RAM writer.
Assembly can easily be converted to mail codes using TimoVM's MailConverter. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write.
Controls
Between entering mail codes, the mail writer will ask for user input.
- Press SELECT to open a new mail and continue writing data.
- Press START to immediately jump to and start executing the newly written program. Only use this when you've finished every mail.
- Press any other button to go back one byte at a time to correct errors. If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail. This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.
Enter your mail code, then press "END". | It prints the checksum and waits for input. |
What to do with the Mail writer
The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:
- Mail codes: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc..
- RAM writer: (recommended for more experienced users) this page contains the assembly for a large one-size-fits all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.
Addendum: repairing the TM15 bootstrap
In case something happens with the TM15 bootstrap that causes it to no longer function, you can repair bootstrap without having to reset TM quantities using the following procedure:
- Enter the following language-specific box names. Please mind the differences between uppercase X (), lowercase x () and multiplication symbol ().
English | French | German | Italian | Spanish |
---|---|---|---|---|
|
|
|
|
|
- Execute 0x1500 ACE using the usual steps.
- If the code executes succesfully without crashing the game, the bootstrap has now been repaired.
Appendix: In-depth explanation of the setup
Effect of Onix
Defeating the provided list of pokémon and viewing Onix's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:
5F ld e, a 00 nop 21 67 00 ld hl, $0067 ; Determined by Onix's moves, Tackle and Screech 00 nop BF cp a, a 1E 00 ld e, $00 ; $BF1E corresponds to Onix's OTID of 48926 01 XX 00 ld bc, $00XX ; $XX is determined by the exact level of the opponents fought D2 00 F0 jp nc, $F000
After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution slides harmlessly through move, OTID and experience data before jumping to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.
Effect of Sandshrew
Defeating the provided list of pokémon and viewing Sandshrew's summary will result in the following values starting from the buffered species ID at $D10E, assuming the pokémon is in party slot #2:
1B dec de 30 0A jr .jump XX XX XX XX XX XX XX XX XX 73 ; Move, OTID and experience is skipped over by the jr instruction 00 nop ; .jump C3 00 F0 jp $F000
After the effect of 0x1500 ACE is triggered and execution is redirected to $D10E, execution jumps over move, OTID and experience data, followed by another jump to $F000, which is echo RAM for $D000 and is located two bytes before the last buffered mail.
Effect of the mail
The last read mail is buffered from $D002 onward. Please note that viewing the bad clone in box #1 will write the value $01 to $D003 and $D004. Converting the characters from the mail to assembly results in the following, ordered by language:
English
FA 01 01 ld a, ($0101) ; a = $C3 A7 and a, a ; Reset carry flag D4 75 FB call nc, wBoxNames A7 and a, a ; Reset carry flag E1 pop hl ; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM. D0 ret nc
French
FA 01 01 ld a, ($0101) ; a = $C3 D6 F5 sub $F5 ; a = $CE, TM15's item ID EA 93 F8 ld (wItems), a ; Main item pocket, first item ID D6 F3 sub $F3 ; a = $DB EA 86 FB ld ($FB86), a EA E9 FB ld ($FBE9), a 4E ld a, a D6 BA sub $BA ; a = $21 EA 75 FB ld (wBoxNames), a D6 FF sub $FF ; a = $22 EA B7 FB ld ($FBB7), a AF xor a ; a = $00, set zero flag CC 75 DB call z, wBoxNames E1 pop hl ; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM. D0 ret nc
German
FA 01 01 ld a, ($0101) ; a = $C3 87 add a, a ; a = $86 C6 9C add $9C ; a = $22 EA A9 FB ld ($FBA9), a C6 FF add $FF ; a = $21 EA 75 FB ld (wBoxNames), a AF xor a ; a = $00 F6 4E or $4E ; a = $4E F6 80 or $80 ; a : $CE EA 93 F8 ld (wItems), a ; Main item pocket, first item ID F0 F0 ld a, ($FFF0) ; a = 0, zero flag is NOT reset C4 75 FB call z, wBoxNames E1 pop hl ; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM. C0 ret nz
Italian & Spanish
FA 01 01 ld a, ($0101) ; a = $C3 D6 A1 sub $A1 ; a = $22 EA C8 FB ld ($FBC8), a AF xor a ; a = $00 CD 75 FB call wBoxNames EA 9F FB ld ($FB9F), a ; Prevent a game crash when viewing the box name F6 4E or $4E ; a = $DE C6 F0 add $F0 ; a = $CE EA 93 F8 ld (wItems), a ; Main item pocket, first item ID E1 pop hl ; After returning from 0x1500 ACE, this prevents the print function from printing text in WRAM. C9 ret
Effect of the box name
Box name data starts from $D8BF onward. Converting the provided mail code to assembly results in the following:
English
F6 FF or $FF ; a = $FF, reset carry flag D0 ret nc ; Safely return to normal game operation
French
21 80 80 ld hl, $8080 C9 ret ; Safely return to normal game operation
German
21 80 80 ld hl, $8080 F6 FF or $FF ; a = $FF, reset carry & zero flag C0 ret nz ; Safely return to normal game operation
Italian & Spanish
C9 ret ; Safely return to normal game operation
Explanation on the 0x1500 ACE setup
This setup uses 0x1500 control code ACE. Since the page already contains an explanation on how it works, this page will focus on what the setup does to achieve its effect.
Relevant addresses for this explanation:
Address | Function |
---|---|
$D002 | Address where the last read mail is stored. |
$D073 | Address where the names of pokémon are buffered. |
$D086 | Address where the names of used items are buffered. |
$D108 | Address where the current selected party pokémon’s species is buffered. |
$D109 | Address where the current selected party pokémon’s party slot is buffered. |
$D10C | Address where the amount of items tossed is buffered. |
$D10D | Address where the amount of the last selected item is buffered. |
$D10E | Address where the data of the last viewed pokémon is buffered. |
- Attempting to toss 21 items will buffer $15 at $D10C.
- For a list at the highest size it has ever been, the "Quantity" of the CANCEL button will be $00, which will be buffered at $D10D when the CANCEL button is used with A. This forms the required $1500 to start executing ACE.
- By opening the start menu and moving one step up at the specified location, the game will load in a $C0 (ret nz) at $CD70, allowing safe return from the effects of $1500. The game will resume executing from $D10E onward.
- The last pokémon viewed is buffered from $D10E onward. Setting Tackle ($21) as its first move allows safe passage over Screech ($67).
- Rocky’s trainer ID is fixed and will be $BF (cp a, which resets the carry flag) and $1E. Both values are safe to pass.
- Rocky’s XP total will end up between 326 and 350. This is always interpreted as $01 and $XX. since the high HP stat exp byte is always $00, the total is interpreted as ld bc, $00XX. This means that exp is always safe to pass.
- Due to the specific pokémon defeated, the data in the stat experience fields will be read as $D2 $00 $F0. This is interpreted as jp nc $F000, due to echo ram this will redirect execution to $D000, which is where the last read mail was buffered. The nc condition is always fulfilled thanks to the previous $BF (cp a) in Onix’s Trainer ID.
- At this point, the mail will redirect execution to $FB75. Due to echo ram, this will effectively redirect execution to $DB75, the start of box name 1. Please note that $D003 and $D004 are overwritten by opening the withdraw screen to the values of the current box and slot of the currently selected stored pokémon. These values are taken care of by setting the first character of the mail to $FA, which is interpreted along with the next two values as ld a, (YYXX).
- Afterwards, the game will simply execute the box name code.
- For the alternative method, selecting Spearow to read its mail will buffer both its species and party slot to $D108 and $D109. By putting a Spearow in the topmost party slot, this will buffer a $15 and $00 respectively. One drawback of this approach is that these RAM values are more volatile and are immediately overwritten after executing ACE. Luckily, Onix’s species ID ($5F) acts as a text terminator, preventing users from accidentally crashing the game if they forget to reset these values.
Additional note: $D086 isn’t actually relevant to the setup. The reason it’s mentioned here is because using an item buffers the item’s name to this location, placing a $50 terminator just a bit after where the pokémon’s name is normally buffered. Having this terminator in place will allow you to safely view an unterminated pokémon’s name.
Plain text transcript for codes
Language | Mail content |
---|---|
English | 4 4 4 h ‘s … 5 h Pk ‘d |
French | 4 4 4 j' ♀ é T 2 j' / é G 5 é & 5 j' à é ... 5 j' 9 é x 5 p î ... s' Pk ô |
German | 4 4 4 H ë : é j 5 ë 9 é ... 5 p 0 0 A é T 2 $ $ ö ... 5 Pk Ä |
Italian | 4 4 4 ° b é Ì 5 p Ù ... 5 é ] 5 0 È $ é T 2 Pk Í |
Spanish | 4 4 4 ° b é Ì 5 p Ù ... 5 é ] 5 0 È $ é T 2 Pk Í |
"..." refers to a single ellipsis character, “pk” refers to a single pk symbol. |
- Test box code
English | French | German | Italian | Spanish |
---|---|---|---|---|
0 9 'd |
A A A ô |
A A A 0 9 Ä |
Í |
Í |