Author Topic: ACE in G/S via stack corruption (compatible with all european versions and VC)  (Read 903 times)


ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • Gender: Male
  • Pewter City (B)rocks !
As luckytyphlosion pointed out above (but somehow we completely missed it until yesterday night), the above trick will not work on VC.
(Because for some reason, it appears that trying to execute from *unlocked* SRAM still returns FFs, leading to 0039 crashes)

Crystal_ worked out a fix, though:
- Replace the "Ae" in box names with "4A".
- Have a Quagsire holding HP Up with Sleep Talk as its first move (this should be the second Quagsire in the party).
- Keep the same item setup in the PC, but put an extra [Any item] x[Any qty] before everything else.

Explanation:
- "4A" redirects execution to the 3rd Party Pokémon's data.
- Quagsire w/ HP Up & Sleep Talk redirects to PC Item 2 qty (unlike the "Ae" method which goes to item 1 qty).
- We mostly rejoin the non-VC route. Good thing it emulates Echo RAM, otherwise German and French VC would be in big trouble.



"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Crystal_

  • Distinguished Member
  • 39 00 39 00 39 00 39 00
All my attempts to adapt the memory editor code to the French version have been in vain. There's always a missing instruction or some other kind of inconvenience on whichever I try. Granted, maybe I've just had a bad day, but I've been stuck for a while...

Anyway, the idea is to load x into yz, where x is [$f8f9] + [$f8fa], y is [$f8f5] + [$f8f6], and z is [$f8f7] + [$f8f8]. These addresses belong to box 7's name, so they can easily be manipulated and each sum can yield any given value. I thought they were the most convenient since you can't access the low $f9xx addresses with box name characters. Achieving this with mostly box names would be ideal, because with only PC items it's a complete abomination. It was relatively easy in all non-French European versions, but the lack of available instructions in the French version isn't helping.

Maybe someone with more patience than me wants to pick this up? Post #3 of this thread has the documentation of everything done so far.

luckytyphlosion

  • Distinguished Member
  • Gender: Male
  • JACK-flys are OP
Memory Editor using French Box Names (does not require items in Item Pocket)

Special thanks to gifvex for contributing some ideas to the box names.
 
Preparation for TM09

Set Box 1's Name:
   A p u' 9 é G ♀ n'
Use TM17 with Quagsire holding TM02
Give Quagsire the newly generated TM09 in the TM Pocket

Using the memory editor

Set Boxes 2-8's names:
Code:
p u' t' é 3 2 u' 6
é 's 2 u' 5 é 1 2
2 0 m' m' 's 1 2 ♀
× é ♀ 2 's 1 2 ♀
× é / 2 's 1 2 é
A n' G G G m' u' A
u' A n'

Box 1 is used to store the destination address + value to write.

Don't write to $d8f6/$f8f6 (has the return opcode for box names)

Raw Source Code (to copy into BGB debugger)

Code:
; Each 9-byte group below is one box name: 8 characters plus the $50
; terminator, which executes as the harmless "ld d, b".
; The names are executed through Echo RAM ($F8xx mirrors $D8xx).

; Box 2: a = 0 - $dd = $23 ("inc hl"), stored over box 7's third $86
xor a
sbc $dd
ld [$f8f9], a
sbc $fc                ; a = $26 ("ld h, n")
ld d, b

; Box 3: turn "db $d8, $d8" in box 4 into "ld h, $d8", then a = $2a ("ld a, [hli]")
ld [$f8dc], a
sbc $fb
ld [$f8f7], a          ; stored over box 7's first $86
ld d, b

; Box 4: hl = sp - 10, high byte forced to $d8 so hl points at box 1
ld hl, sp+$f6
db $d8, $d8            ; becomes "ld h, $d8" after the write above
call c, $f8f7          ; a = sum of box 1 bytes 0-1 (destination high byte)
push af
ld d, b

; Box 5: store the high byte over box 7's first character ($f8f5)
pop af
ld [$f8f5], a
call c, $f8f7          ; a = sum of bytes 2-3 (destination low byte)
push af
ld d, b

; Box 6: store the low byte over box 6's terminator ($f8f4), then fetch the value
pop af
ld [$f8f4], a
call c, $f8f7          ; a = sum of bytes 4-5 (value to write)
db $ea, $50, $80       ; $ea + the two bytes just written = "ld [destination], a"

; Box 7: reti at $f8f6 (do not overwrite), pair-sum routine at $f8f7
reti
db $86                 ; becomes "ld a, [hli]"
add [hl]
db $86                 ; becomes "inc hl"
ret c                  ; return as soon as the pair sum carried
sbc $80
ld d, b

; Box 8: no-carry fallthrough; for a >= $80, a - $80 - $80 wraps back to a with carry set
sbc $80
reti
ld d, b

Source code after self-modifying writes
Code:
; Same bytes as above, shown as the instructions they become once the three
; self-modifying writes ($f8f9 = $23, $f8dc = $26, $f8f7 = $2a) have run.

; Box 2
xor a
sbc $dd
ld [$f8f9], a
sbc $fc
ld d, b

; Box 3
ld [$f8dc], a
sbc $fb
ld [$f8f7], a
ld d, b

; Box 4
ld hl, sp+$f6
ld h, $d8              ; was "db $d8, $d8"
call c, $f8f7
push af
ld d, b

; Box 5
pop af
ld [$f8f5], a
call c, $f8f7
push af
ld d, b

; Box 6
pop af
ld [$f8f4], a
call c, $f8f7
db $ea, $50, $80       ; reads as "ld [nn], a" once $f8f4/$f8f5 hold the low/high byte

; Box 7: pair-sum routine entered at $f8f7
reti
ld a, [hli]            ; was "db $86"
add [hl]
inc hl                 ; was "db $86"
ret c
sbc $80
ld d, b

; Box 8
sbc $80
reti
ld d, b

I might try to optimize box names for the memory editor for other language versions.
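The listing above can be checked offline. The following Python script is an added example, not luckytyphlosion's code or anything from the thread: it models the handful of SM83 (Game Boy CPU) instructions the editor uses, lays boxes 2-8 out from the bytes of the listing, fills box 1 with a destination address and value encoded as byte pairs, and runs until the final reti returns. Assumed rather than stated in the thread: box 1 at $D8BF (derived from the listing, since $F8F6, the echo of $D8F6, is the reti that is the second byte of box 7 and each box is 9 bytes), an SP of $DFC9 when the editor gains control so that sp-10 has low byte $BF, and a `split_byte` helper that encodes each byte as two values at or above $80 without regard to which characters are actually typeable on the French box-name keyboard.

```python
# Added example: a tiny SM83 model that executes the French box-name memory
# editor from the listing above. Assumptions not taken from the post: box 1
# is at $D8BF (derived from $F8F6 being the reti that is byte 2 of box 7, with
# 9 bytes per box), SP is $DFC9 when the editor gains control (so sp-10 has
# low byte $BF), and the character table is not modelled: box 1 is built from
# raw bytes rather than from typeable characters.

BOX1 = 0xD8BF     # assumed address of box 1; box n starts at BOX1 + 9*(n-1)
BOX_LEN = 9       # 8 characters plus the $50 terminator ("ld d, b")
EDITOR_BOXES = [  # boxes 2-8, transcribed from the raw source listing
    bytes([0xAF, 0xDE, 0xDD, 0xEA, 0xF9, 0xF8, 0xDE, 0xFC, 0x50]),
    bytes([0xEA, 0xDC, 0xF8, 0xDE, 0xFB, 0xEA, 0xF7, 0xF8, 0x50]),
    bytes([0xF8, 0xF6, 0xD8, 0xD8, 0xDC, 0xF7, 0xF8, 0xF5, 0x50]),
    bytes([0xF1, 0xEA, 0xF5, 0xF8, 0xDC, 0xF7, 0xF8, 0xF5, 0x50]),
    bytes([0xF1, 0xEA, 0xF4, 0xF8, 0xDC, 0xF7, 0xF8, 0xEA, 0x50]),
    bytes([0x80, 0xD9, 0x86, 0x86, 0x86, 0xD8, 0xDE, 0x80, 0x50]),
    bytes([0xDE, 0x80, 0xD9, 0x50]),
]


def split_byte(value):
    """Two bytes >= $80 whose 8-bit sum is `value`; the add always carries,
    so `ret c` is taken. $FF is unreachable ($FF + $FF = $1FE -> $FE)."""
    if not 0 <= value <= 0xFE:
        raise ValueError("a pair of bytes >= $80 cannot sum to $FF")
    half = value >> 1
    return bytes([0x80 + half, 0x80 + value - half])


class Sm83:
    """Only the opcodes the editor uses; flags reduced to the carry bit."""
    def __init__(self, mem, pc, sp):
        self.mem, self.pc, self.sp = mem, pc, sp
        self.a = self.b = self.d = self.hl = 0
        self.carry = False
    @staticmethod
    def phys(addr):  # Echo RAM: $E000-$FDFF mirrors $C000-$DDFF
        addr &= 0xFFFF
        return addr - 0x2000 if 0xE000 <= addr < 0xFE00 else addr
    def rd(self, addr): return self.mem[self.phys(addr)]
    def wr(self, addr, val): self.mem[self.phys(addr)] = val & 0xFF
    def fetch(self):
        val, self.pc = self.rd(self.pc), (self.pc + 1) & 0xFFFF
        return val
    def push(self, val):
        self.sp = (self.sp - 2) & 0xFFFF
        self.wr(self.sp, val); self.wr(self.sp + 1, val >> 8)
    def pop(self):
        val = self.rd(self.sp) | (self.rd(self.sp + 1) << 8)
        self.sp = (self.sp + 2) & 0xFFFF
        return val
    def step(self):
        op = self.fetch()
        if op == 0xAF:    self.a, self.carry = 0, False                 # xor a
        elif op == 0xDE:                                                # sbc a, n
            r = self.a - self.fetch() - int(self.carry)
            self.carry, self.a = r < 0, r & 0xFF
        elif op == 0xEA:                                                # ld [nn], a
            lo = self.fetch(); self.wr(lo | (self.fetch() << 8), self.a)
        elif op == 0x50:  self.d = self.b                               # ld d, b
        elif op == 0xF8:                                                # ld hl, sp+e
            e = self.fetch()
            self.carry = (self.sp & 0xFF) + e > 0xFF   # carry of the low-byte add
            self.hl = (self.sp + e - (0x100 if e & 0x80 else 0)) & 0xFFFF
        elif op == 0x26:  self.hl = (self.fetch() << 8) | (self.hl & 0xFF)  # ld h, n
        elif op == 0xDC:                                                # call c, nn
            lo = self.fetch(); nn = lo | (self.fetch() << 8)
            if self.carry:
                self.push(self.pc); self.pc = nn
        elif op == 0xF5:  self.push((self.a << 8) | (0x10 if self.carry else 0))  # push af
        elif op == 0xF1:                                                # pop af
            val = self.pop()
            self.a, self.carry = val >> 8, bool(val & 0x10)
        elif op == 0xD9:  self.pc = self.pop()                          # reti
        elif op == 0x2A:                                                # ld a, [hli]
            self.a, self.hl = self.rd(self.hl), (self.hl + 1) & 0xFFFF
        elif op == 0x86:                                                # add a, [hl]
            r = self.a + self.rd(self.hl)
            self.carry, self.a = r > 0xFF, r & 0xFF
        elif op == 0x23:  self.hl = (self.hl + 1) & 0xFFFF              # inc hl
        elif op == 0xD8:                                                # ret c
            if self.carry: self.pc = self.pop()
        else:
            raise ValueError(f"unsupported opcode ${op:02X} at ${self.pc - 1:04X}")


def run_memory_editor(target, value, sp=0xDFC9):
    """Lay the boxes out, start at box 2, run until the final reti pops the $0000 sentinel."""
    mem = bytearray(0x10000)           # zero-filled, so the stack holds the $0000 sentinel
    box1 = split_byte(target >> 8) + split_byte(target & 0xFF) + split_byte(value)
    mem[BOX1:BOX1 + len(box1)] = box1  # box 1: high pair, low pair, value pair
    for i, name in enumerate(EDITOR_BOXES, start=1):
        mem[BOX1 + BOX_LEN * i:BOX1 + BOX_LEN * i + len(name)] = name
    cpu = Sm83(mem, pc=BOX1 + BOX_LEN, sp=sp)
    for _ in range(500):
        if cpu.pc == 0:
            return cpu
        cpu.step()
    raise RuntimeError("editor did not return through the reti")
```

`run_memory_editor(0xC123, 0x42)` leaves $42 at $C123, the three patched bytes at $D8F9, $D8DC and $D8F7, and the destination bytes at $D8F4/$D8F5. One property of the pair scheme shows up in `split_byte`: with both halves at or above $80 the sum always carries (so `ret c` is always taken), but the largest value the pair can produce is $FE.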

forsyz

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Quote from: luckytyphlosion (the post above)

Will you do one for English versions too? It would be easier than getting all those items and using TM25 a bunch of times to use fmk's hex editor.

Krys3000

  • The frenchie
  • Distinguished Member
  • Gender: Male
  • Head admin of the PRAMA Initiative
  • PRAMA Initiative - Main French Pokémon glitch website
Excellent work guys!  ;D

Admin of the PRAMA Initiative, the main French Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Crystal_

  • Distinguished Member
  • 39 00 39 00 39 00 39 00
Great stuff. Definitely much better than what I came up with! The setup for other language versions isn't too bad, although taking away the necessity to care about the bag items could be convenient.

Lory94

  • GCLF Member
  • CHARIZRAD 'M ROXORX or is it.
Hello, is it possible to get any Pokémon, or make one shiny or flawless, with this variant of ACE in Italian?

Zowayix001

  • GCLF Member
What's preventing this from working in Japanese GSC? Does the bad clone glitch/cloning glitch not work there or something?

Crystal_

  • Distinguished Member
  • 39 00 39 00 39 00 39 00
I just haven't looked into making it compatible with the Japanese version, but as far as I know, most memory addresses and some aspects of the engine are different, so this method would probably require a complete rework.

SatoMew

  • Member+
  • Gender: Female
Quote from: Zowayix001
What's preventing this from working in Japanese GSC? Does the bad clone glitch/cloning glitch not work there or something?

The addresses are different. Some can be deduced by extrapolating the difference between addresses (this is how I figured out the way to do this in the Japanese versions, for example: by guessing that the Japanese address was the English address minus 0xD or close, because the difference between English addresses 0xCEA3-0xCEA6, which are manipulated to trigger the "walk through walls" behavior, and the Japanese addresses is exactly 0xC, so why not?), but others are in completely distinct locations and thus require a deeper understanding of how the code is structured on the Japanese ROMs.