Topic: ACE in G/S via stack corruption (compatible with all European versions and VC)


Crystal_

OVERVIEW / EXPLANATION (for requirements and steps see the third post in this thread)

Step by step video (with updated and organized information in comparison to the third post): https://www.youtube.com/watch?v=b2tVVeZ7Th4

I've tested this in an English Silver ROM and a Spanish Gold ROM and, given that the essential elements and key memory addresses were the same in both games, I assumed that it would also be the same in all other localizations. However, further testing, and of course a lot of polishing, would be required. The English versions don't need ACE since we already have Coin Case, so the goal was to find a method compatible with all other localizations.

First we need a 0xFF Pokemon in order to be able to draw Pokemon beyond the sixth slot. I'm not going to get into the details of how to achieve it.

When the 30th Pokemon is withdrawn to the party, it corrupts addresses between DF9A and DFB9. In particular, when the Pokemon's data is being copied from SRAM to those WRAM addresses, the stack pointer is at DFB3, and the 3rd and 4th PP slots of the Pokemon are copied to DFB3 and DFB4, respectively. Returning from the memory copy routine will bring the game to whatever stack pointer was spelled out by those two PP fields. Using PP ups, we can come up with any given address that we want, for example one that points to somewhere in the box names buffer.

Of course, after doing this, the stack is absolutely destroyed and there is no realistic hope of restoring it to anything playable. We can still do something though. We can hack ourselves a TM into the medicine bag pocket in SRAM that we can utilize later. This may look way too complicated but it doesn't necessarily have to be. First of all, SRAM bank 1 is already open right now. We only have to overwrite A420 (medicine pocket item 1) with the id of the desired TM and fix the checksum at AD69-AD6A. If we set a fixed item #1 as an initial requirement (e.g. a Berry), we can calculate the necessary checksum shift. If the ids are relatively close, we might even be able to skip checking the checksum's high byte to simplify the needed script and hope the low byte doesn't overflow (literally anything we do will change the checksum upon saving anyway, so we can just try again until it works). Finally, we can trigger a safe reset or freeze, and upon restarting the game, we will have our TM in the medicine pocket. Note that the SRAM addresses mentioned here refer to Spanish Gold/Silver; they may be different in other localizations.

Now it's supposed to be similar to coin case ACE in concept. We find a TM that jumps to a suitable place in WRAM (I think ACE with TM33 transferred from Red/Blue has been done already), and when we have it, we create some bootstrap code that for example redirects execution to box names or PC items.

These are the TM pointers in Spanish G/S:

14FE - TM01
15CD
CA31
77F6
EAAF - TM04_X
D14F
02FA
FED0
C4B1
6E1E
9921 - TM10
CBD1
21A6
7857
5ECD
FA0F
D114
FA47
D119
03FE
20CA - TM20
FA6A
D002
01FE
20CA
FA6A
D002
214F
6C73
FE2A - TM28_X
28FF
B90F - TM30
0428
2323
F418
662A
116F
698A
E9D5
02FA
FED0
789F - TM40
12CA
786A
B8E0
FF21
46D0
4E23
5623
5E23
21CB
10CB - TM50

Again, this obviously needs a lot of polishing and coming up with bootstrap codes yet, as well as adapting it to each other localization, each of which may have different SRAM addresses and different wrong-pocket TM pointers, as well as a different set of assembly instructions that can be spelled out with box names. So far I haven't bothered to check beyond the English and Spanish versions, but the 3rd and 4th move PP of the 30th Pokemon being written to the stack pointer (DFB3-DFB4) matched in both versions, so I assume it would also be the same in the other localizations. The other factors don't seem essential unless we're really unlucky with TM pointers.
« Last Edit: October 13, 2017, 12:31:46 pm by Crystal_ »
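
The overwrite and the checksum arithmetic described in the post above, as an added Python model that is not code from the thread: a constructed 32-byte box-Pokémon record is copied to DF9A, the two PP bytes that land on DFB3-DFB4 are read back as the return address, and a constructed SRAM bank gets item 1 replaced with the checksum fixed up afterwards. Assumptions the post does not state: the Gen 2 box record is 32 bytes with its four PP bytes at offset 23 (which is what puts PP slot 3 on DFB3), a PP byte stores current PP in bits 0-5 and the PP Up count in bits 6-7, each PP Up adds a fifth of a move's base PP, the checksum is a 16-bit additive sum over A000-AD68, and the item ids are placeholders rather than real ones.

```python
# Added example, not code from the thread: a model of the stack overwrite and the
# save-checksum fix described in the post. WRAM/SRAM addresses are the ones the post
# quotes for Spanish Gold/Silver; record offsets, PP byte layout, PP Up growth and the
# additive checksum are assumptions; item ids are constructed placeholders.

COPY_DEST = 0xDF9A        # the 30th Pokémon's record is copied here (from the post)
SAVED_SP = 0xDFB3         # stack pointer during the copy; the return address sits here
BOX_MON_SIZE = 32         # assumed size of a Gen 2 box-Pokémon record
BOX_MON_PP = 23           # assumed offset of its four PP bytes: PP3 = +25, PP4 = +26
assert COPY_DEST + BOX_MON_PP + 2 == SAVED_SP   # PP3 lands exactly on the saved SP

SRAM_BASE = 0xA000        # start of the SRAM bank window
ITEM1_ADDR = 0xA420       # medicine pocket item 1 (from the post)
CHECKSUM_ADDR = 0xAD69    # 2-byte checksum (from the post); assumed to cover A000-AD68
OLD_ITEM_ID, NEW_ITEM_ID = 0x40, 0x48   # placeholder ids, not real item ids


def pp_byte(current_pp, pp_ups):
    """Encode one PP slot: bits 0-5 hold current PP, bits 6-7 the PP Ups applied."""
    if not (0 <= current_pp <= 63 and 0 <= pp_ups <= 3):
        raise ValueError("PP needs 6 bits and PP Ups 2 bits")
    return (pp_ups << 6) | current_pp


def decode_pp_byte(b):
    """Inverse of pp_byte: (current PP, PP Ups)."""
    return b & 0x3F, b >> 6


def max_pp(base_pp, pp_ups):
    """Assumed Gen 2 rule: each PP Up adds a fifth of the base PP (10 -> 16, 15 -> 24)."""
    return base_pp + (base_pp // 5) * pp_ups


def pp_for_address(addr):
    """(current PP, PP Ups) needed in slots 3 and 4 to spell addr, low byte first."""
    return decode_pp_byte(addr & 0xFF), decode_pp_byte(addr >> 8)


def build_box_mon(pp):
    """Constructed record with only its four PP bytes set."""
    mon = bytearray(BOX_MON_SIZE)
    mon[BOX_MON_PP:BOX_MON_PP + 4] = bytes(pp)
    return bytes(mon)


def simulate_withdraw(mon):
    """Copy the record into a WRAM model and read the word a RET would pop from SAVED_SP."""
    wram = bytearray(0x10000)
    wram[COPY_DEST:COPY_DEST + len(mon)] = mon
    return wram[SAVED_SP] | (wram[SAVED_SP + 1] << 8)


def sram_checksum(sram):
    """16-bit additive checksum over every byte before the checksum field."""
    return sum(sram[:CHECKSUM_ADDR - SRAM_BASE]) & 0xFFFF


def write_checksum(sram, value):
    off = CHECKSUM_ADDR - SRAM_BASE
    sram[off], sram[off + 1] = value & 0xFF, value >> 8


def stored_checksum(sram):
    off = CHECKSUM_ADDR - SRAM_BASE
    return sram[off] | (sram[off + 1] << 8)


def make_sram(item_id, filler=0x11):
    """Constructed 8 KiB bank holding one item id and a matching checksum."""
    sram = bytearray([filler]) * 0x2000
    sram[ITEM1_ADDR - SRAM_BASE] = item_id
    write_checksum(sram, sram_checksum(sram))
    return sram


def patch_item(sram, new_id):
    """Overwrite item 1 and fix the checksum; returns (shift, low_byte_only_was_enough).
    The post's shortcut of touching only the checksum's low byte works exactly when
    adding the shift to the old low byte does not carry."""
    old_id = sram[ITEM1_ADDR - SRAM_BASE]
    old_low = sram[CHECKSUM_ADDR - SRAM_BASE]
    sram[ITEM1_ADDR - SRAM_BASE] = new_id
    write_checksum(sram, sram_checksum(sram))
    shift = (new_id - old_id) & 0xFFFF
    return shift, 0 <= old_low + (new_id - old_id) <= 0xFF


if __name__ == "__main__":
    pp3, pp4 = pp_byte(max_pp(10, 3), 3), pp_byte(max_pp(15, 3), 3)
    print("return address: %04X" % simulate_withdraw(build_box_mon([0, 0, pp3, pp4])))
    print("patch:", patch_item(make_sram(OLD_ITEM_ID), NEW_ITEM_ID))
```

With a 10 PP move and a 15 PP move at 3 PP Ups each (16/16 and 24/24 PP, as the requirements post later asks for), the two PP bytes are D0 and D8, and the RET lands on D8D0, the box-names address the listings in that post are built around. The checksum half reports the low-byte-only shortcut as unsafe precisely when the addition would carry into the high byte.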

ISSOtm

Just an update to say the polishing is half done. Here's a half-hacked result (where data was memory edited where it was supposed to be, instead of properly setting up a Pokémon, etc.), in which the payload successfully edited the save file to add a TM25 there:
« Last Edit: October 02, 2017, 03:09:29 am by ISSOtm »
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Crystal_

REQUIREMENTS AND STEPS for Spanish, Italian, French and German Gold/Silver - Work in progress

Emulators: Working on BGB, not working on VBA. For the 3DS Virtual Console, you also must follow the additional points colored in red; if you are not playing on the 3DS VC, ignore (skip) them. Not tested on any other emulator.

Follow also the requirements and steps in blue if you want a "memory editor" setup for TM17. If you just want to obtain TM17, ignore (skip) them.

Initial requirements - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload

- The first item of the items pocket of the bag must be Berry (any quantity)
- The second item of the items pocket of the bag must have a quantity of 36 (any item). You will lose 35 of them.
- As the third item of the items pocket of the bag, Potion x1. As the fifth item, Ylw Apricorn x1. Fourth item can be any item and items below the fifth are irrelevant.
- Box 3 and Box 4 must be renamed as shown in this (Spanish/Italian) or this (French) or this (German) image. For 3DSVC, replace the last Ae with K4, regardless of the language.
- A specific PC item list* (items beyond the last one don't matter)
- As the first party Pokemon, a level 2 Pokemon with no status, no Pokerus, with current HP and HP between 13 and 14, and all other stats between 6 and 7.
- As the second party Pokemon, a Quagsire holding TM02 with Return as the first move.
- As the third party Pokemon, a Quagsire holding HP Up with Sleep Talk as the first move.
- As the sixth party Pokemon, a bad clone (Pokemon 0x00).
- All your party Pokemon should be Pokemon that you don't care about. They will be at risk.
- A box (any) with 20 Pokemon that you don't care about. These Pokemon will be gone forever. In this box, the 20th (last) Pokemon must have a third move with 16/16 PP and a fourth move with 24/24 PP. These correspond to a 10 PP move and a 15 PP move, both with 3 PP Ups applied, respectively.
- A box (any) with only 4 Pokemon that you don't care about. These Pokemon will be gone forever.
- ...

*PC Item list:
Any item - any amount
Antidote x4
Fresh water x32
Parlyz Heal x34
Awakening x1
Potion x1
Dire Hit x35
Everstone x1
Pokeball x1
TM08 (Rock Smash) x1

Steps - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload
- Switch to the box with 4 Pokemon.
- Select the Move PkMn w/o mail option, and move the first Pokemon of the box with 4 Pokemon to the bottom of your party.
- Withdraw all Pokemon from the box with originally 4 and now 3 Pokemon.
- Withdraw all Pokemon from the box with 20 Pokemon.
- When you withdraw the last Pokemon, the game will reset in weird colors, but you will have TM17 as the first item in the items pocket. Restart the game to restore the normal colors. Important: Do not toss, sell, give or deposit the newly obtained TM17. You can however do anything you want with a TM17 that has been obtained through regular gameplay and is therefore stored in the TM/HM pocket of the bag.
- Execute the following steps depending on your version of the game:
  * Spanish/Italian:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
  * French:
  * German:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
- Rename box 7 accordingly (...).
- Important: every time that you want to use TM17, your first five items in the items pocket of the bag, the first and second party Pokemon, and the name for boxes 1-5, must be exactly like they are now.

If you can't understand the sections below, chances are you only care about the above.

Code - Obtaining TM17

BOX NAMES (SPANISH/ITALIAN): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $d0
ld d, b ; 0x50
and $d0
call nc, $a480
ld d, b ; 0x50

BOX NAMES (FRENCH): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $f1
ld d, b ; 0x50
and $d8
cp $fe
call c, $a480
ld d, b ; 0x50

BOX NAMES (GERMAN): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
and $80
or $50 ; 0x50
pop hl
call nz, $a480
ld d, b ; 0x50

PC ITEMS (ALL FOUR LANGUAGES): A480 (entry point A481)
db $09
inc b
ld l, $20
dec c
ld [hli], a
inc c
ld bc, 0112
inc l
inc hl
ld [hl], b
ld bc, 0105
rst $00
db $01

Code - Executing from D8C0 with TM17

PARTY POKEMON #2 (ALL FOUR LANGUAGES): DA5A
jp $d8c0

Code - D8C0 payload

BOX NAMES (SPANISH/ITALIAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
bit 2, b
pop de
and a
call $f5b8
ret
ld d, b

BOX NAMES (GERMAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
pop bc
ld d, b
and a
jp $f5b8
ld d, b

ITEMS POCKET (SPANISH/ITALIAN): F5B8 (item 1)
ld e, h
ld bc, ?
ld [de], a
ld bc, ?
ret nc
ld bc, ?
« Last Edit: October 03, 2017, 10:21:00 am by Crystal_ »

luckytyphlosion

If you want an alternate ACE method for non-English versions, you could just underflow the bag with Key Items glitch to be able to create any item possible, including TM25 and others. I don't have a setup that works on any arbitrary save, but you can use this video as a reference.

Crystal_

Looking at this, the whole process to achieve ACE looks a bit too complicated. My own method requires to discard nearly 30 Pokemon though, so whatever. The attempt to obtain TM17 using box names ACE was a disaster anyway, I'm going to see if I can make it work reasonably with PC items.

Caveat

This is more of a "because you can" thing in the English versions, since the easiest way to get an ????? (FF) is through ACE already.

In other languages, though, this could be very useful! Although, the destroyed stack might make it impossible to continue playing...
HOLD ME, I'M A PALE MACHINE
LIFE IS JUST OKAY OUT HERE, ANYONE CAN SEE
I'M LONELY, WITH MY PALE MACHINE
EYES WILL RUN WITH TIRED TEARS, LIVING LIKE A DREAM


Japanese Glitchdex
Petscop Thread

Twitter
(warning: contains bad grammar and copious rambling)

Crystal_

Although, the destroyed stack might make it impossible to continue playing...

We were aware of this, so we proceeded differently. We use this ACE method to edit the save file to give ourselves a TM17 in the items pocket, which can trigger ACE more reliably. Then, just resetting the game restores everything to normal, except for the convenient save file hack.

Krys3000

The known methods for ACE as far as I know are:
- Bug-Catching Contest ACE, only working in Japanese games
- Coin Case ACE, only working in English games
- TM33/25 ACE, working in all games and which in G/S could theoretically be achieved without the help of any other game, although it would be hard. In Crystal though, it requires a second game at least.
- Bad Clone name ACE, not currently tested in non-English games (although it should work) and not super hard to perform, but Crystal only.
- Move 00 Type ACE, not currently tested in non-English games (although it should work) nor in English Crystal, but this move can only be obtained by using a 1G game or maybe by using the Bad Clone Trick? Research to be done.
- Glitch Pokédex Mode ACE, whose proof of concept exists only in Crystal to my knowledge, but has never been fully set up (probably something that someone should work on)

So yeah, in any case, even though Move 00 and Glitch Pokédex are not fully exploited, the development of a more friendly ACE method, especially in G/S, would be great.

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

ISSOtm

I would like to bring up a small adjustment: the Pokémon's fourth move PP can be 24 (16 PP + 3 PP Up).

For instance, this Pidgey works.


This Pidgey can be found in the save file I attached, which works for the purpose of obtaining TM17 (but not afterwards), just as a proof that the payload to obtain it works.


Big shoutouts to Crystal_ because it took some effort to make a viable setup.

luckytyphlosion

Looking at this, the whole process to achieve ACE looks a bit too complicated. My own method requires to discard nearly 30 Pokemon though, so whatever. The attempt to obtain TM17 using box names ACE was a disaster anyway, I'm going to see if I can make it work reasonably with PC items.

The complications exist because of some additional conditions in Crystal. Firstly, the 0x00 item (?) has a description which crashes the game, which requires item swaps to avoid the game printing the item description. As such, underflowing the Key Items Pocket also requires additional steps to prevent the cursor viewing a 0x00 item. In Gold/Silver, the 0x00 item is completely safe so we only need 2 Key Items to generate, and by swapping both, depositing both of them in the PC, and swapping two 0x00 items, we can underflow our inventory to 254 items (as 255 forces the cursor to the top of the menu).

The additional complications to achieve ACE are because we don't have a bootstrap Pokémon to use in the (old) Crystal Any% speedrun. You could easily just generate a TM25 by depositing 216 of an item; you can find an item with a quantity greater than 216 by scrolling down to the PC Items portion of the underflowed bag, and as there are no quantities in the Key Items pocket, the quantities of PC items will represent items.

Also, it's worth mentioning that the setup to create the 3 Itemfinders is slightly outdated; a much safer and easier setup exists which was used for the video I linked earlier.

Also, the 3DSVC emulator does not allow execution of SRAM for whatever reason (even when enabled), so calling box names in SRAM would definitely not work. I don't think a bootstrap with PC items would work well; you have plenty enough resources with the characters provided with box names that they're much easier to work with anyway.

ISSOtm

Another update: the box names are actually version-dependent, due to charset differences.
Crystal_ and I worked out setups for all four localizations; see below for your language.

Names for the Spanish and Italian versions:

nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $d0
ld d, b ; 0x50
and $d0
call nc, A480
ld d, b ; 0x50

Names for the French version:

ld d,b
or $A4
and $A4
push af
pop hl
; $A4
or $F1
; $F5
ld d,b
; $F5
and $D8
; $D0
cp $FE ; To set the carry
call c, A480
ld d,b

Names for the German version:

ld d,b
or $A4
and $A4
push af
and $80
or $50
pop hl
call nz, A480
ld d,b
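
The three listings in this post, and the box-name listings and D8C0 payload in the requirements post earlier in the thread, all rest on the same constraint: a box name ends at its 0x50 terminator, so code that runs through consecutive box names has to leave a 0x50 byte inside every 9-byte slot it crosses, whether as `ld d, b`, as the operand of `or $50`, or as the second byte of `bit 2, b`. The following Python is an added example, not a tool from the thread or from the sites its authors run: a small assembler for the mnemonics the listings use, and a check that reports where each name's terminator falls. Assumed rather than stated on the page: a box-name slot is 9 bytes (8 characters plus terminator), box 1 starts at D8BF (from "D8C0 (box 1, char 2)"), and the opcode table holds the standard GBz80 encodings.

```python
# Added example, not code from the thread: a tiny assembler for the mnemonics the
# box-name listings use, plus a check that every box-name slot the code runs through
# still holds its 0x50 terminator. Slot size, box-1 base and the opcode table are
# assumptions (see the lead-in); the listings below are copied from the thread.
import re

BOX_NAME_LEN = 9       # assumed: 8 typed characters + one 0x50 terminator per box
BOX1_ADDR = 0xD8BF     # assumed from the post's "D8C0 (box 1, char 2)"
TERMINATOR = 0x50      # end-of-name byte, which also decodes as "ld d, b"

# mnemonic -> (opcode bytes, width of the immediate that follows)
OPCODES = {
    "nop": (b"\x00", 0), "ld d, b": (b"\x50", 0), "bit 2, b": (b"\xcb\x50", 0),
    "push af": (b"\xf5", 0), "pop hl": (b"\xe1", 0), "pop de": (b"\xd1", 0),
    "pop bc": (b"\xc1", 0), "add h": (b"\x84", 0), "and a": (b"\xa7", 0),
    "ret": (b"\xc9", 0), "or": (b"\xf6", 1), "and": (b"\xe6", 1), "cp": (b"\xfe", 1),
    "ld a, [": (b"\xfa", 2), "call": (b"\xcd", 2), "call nc,": (b"\xd4", 2),
    "call c,": (b"\xdc", 2), "call nz,": (b"\xc4", 2), "jp": (b"\xc3", 2),
}
IMM_RE = re.compile(r"^(.+?)\s*\$?([0-9a-f]{2}|[0-9a-f]{4})\]?$")


def assemble(lines):
    """Assemble lines written the way the thread writes them ("or $a4", "call nc, A480",
    "nop | ld d, b ; comment"); of "a | b" alternatives the last one is used."""
    code = bytearray()
    for raw in (lines.splitlines() if isinstance(lines, str) else lines):
        text = raw.split(";")[0].split("|")[-1].strip().lower()
        if not text:
            continue
        text = re.sub(r"\s*,\s*", ", ", re.sub(r"\s+", " ", text))
        if text in OPCODES and OPCODES[text][1] == 0:
            opcode, imm = OPCODES[text][0], b""
        else:
            m = IMM_RE.match(text)
            if not m or m.group(1).strip() not in OPCODES:
                raise ValueError("unknown instruction: %r" % raw)
            opcode, width = OPCODES[m.group(1).strip()]
            if len(m.group(2)) != 2 * width:
                raise ValueError("immediate has the wrong width: %r" % raw)
            imm = int(m.group(2), 16).to_bytes(width, "little")   # GB is little-endian
        code += opcode + imm
    return bytes(code)


def check_box_slots(code, base):
    """For each box-name slot the bytes touch, report (box number, typed length, status).
    A slot is 'ok' once a 0x50 appears in it (an immediate such as "or $50" counts),
    'no terminator' if its last byte is covered and none appeared, otherwise 'open'
    (the listing stops before the slot ends, so the terminator may still follow)."""
    slots = {}
    for i, b in enumerate(code):
        off = base + i - BOX1_ADDR
        slots.setdefault(off // BOX_NAME_LEN, {})[off % BOX_NAME_LEN] = b
    report = []
    for box, cells in sorted(slots.items()):
        ends = [pos for pos, b in sorted(cells.items()) if b == TERMINATOR]
        if ends:
            report.append((box + 1, ends[0], "ok"))
        elif max(cells) == BOX_NAME_LEN - 1:
            report.append((box + 1, None, "no terminator"))
        else:
            report.append((box + 1, None, "open"))
    return report


# Listings copied from the thread: Spanish/Italian and German box names at D8D0, and
# the Spanish/Italian D8C0 payload, in the thread's own notation.
SPANISH_D8D0 = ["nop | ld d, b ; box 2 terminator", "or $a4", "and $a4", "push af",
                "pop hl", "or $d0", "ld d, b ; 0x50", "and $d0", "call nc, $a480", "ld d, b"]
GERMAN_D8D0 = ["nop | ld d, b ; box 2 terminator", "or $a4", "and $a4", "push af",
               "and $80", "or $50 ; 0x50", "pop hl", "call nz, $a480", "ld d, b"]
D8C0_PAYLOAD_ES = ["ld a, [$f8f5]", "push af", "ld a, [$f8f6]", "ld d, b", "pop hl", "add h",
                   "push af", "ld a, [$f8f7]", "push af", "pop hl", "ld d, b", "ld a, [$f8f8]",
                   "add h", "push af", "ld a, [$f8f9]", "ld d, b", "push af", "ld a, [$f8fa]",
                   "pop hl", "add h", "pop hl", "bit 2, b", "pop de", "and a", "call $f5b8",
                   "ret", "ld d, b"]

if __name__ == "__main__":
    for name, listing, base in (("ES/IT D8D0", SPANISH_D8D0, 0xD8D0),
                                ("DE D8D0", GERMAN_D8D0, 0xD8D0),
                                ("ES/IT D8C0", D8C0_PAYLOAD_ES, 0xD8C0)):
        code = assemble(listing)
        print(name, code.hex(), check_box_slots(code, base))
```

Run on the D8C0 payload, the check finds the terminators at D8C7, D8D0, D8D9, D8E2 and D8E9, i.e. four full 8-character names and a 6-character box 5, with the fourth terminator being the 0x50 inside `bit 2, b`; the German D8D0 listing passes the same check only because `or $50` supplies box 3's terminator as an operand. A listing that fills a whole slot without any 0x50 is reported as "no terminator", which is the case a hand-built payload most easily gets wrong.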

Krys3000

Great job guyz!


Wack0

Might as well just sticky this now.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

luckytyphlosion

I made a list of the new box name characters, and their respective opcodes and hex values, for EU versions of Gold/Silver: https://pastebin.com/dW4dPyGp

Spanish and Italian have the holy grail of opcodes, adding 18 new opcodes. French has approximately the same usefulness of box name characters as English version. German is hit the hardest, as there is no opcode to arbitrarily add or subtract, forcing the creative use of "or x" and "and x" to get specific values.

Torchickens

Thanks lucky!

@Crystal_, ISSOtm: Great work, I'm looking forward to giving this a go one day.
« Last Edit: October 02, 2017, 02:13:49 am by Torchickens »
Hello. I actually identify as gender questioning, but nowadays feel more firmly that I identify as female. My sex is male but I like to express myself as female.  She/her pronouns, please.


Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.