Main Menu
Main Page
Forums
New pages
Recent changes
Random page
Help

Glitches
Arbitrary code execution
Pokémon cloning
Pomeg glitch and Glitzer Popping
Tweaking and voiding
Glitches by generation
Glitch categories

References/Resources
Databases
Disassembly projects
The Big HEX List
Pokémon cheat codes
Pokémon glitch terminology
Useful tools
More

Affiliates
Legendary Star Blob 2 (Hakuda) (日本語/Japanese)
Pokémon Speedruns wiki (English)
PRAMA Initiative (Français/French)
MissingNo. Glitch City (Italiano/Italian)
Become an affiliate!

Technical
Site source code

Search Wiki

 

Search Forums

 

Author Topic: I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.  (Read 492 times)

0 Members and 1 Guest are viewing this topic.

tstwizby

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
I've tried PMing a few times, but they haven't been responding, so I thought I'd make an actual topic in case that helps.

After doing a lot of research, I can understand a lot of how luckytyphlosions setup for wrong pocket TM ACE in Crystal is supposed to work, but there are a couple of things that just don't make sense.

Firstly, I'm not sure what the purpose of using a potion to bring up the party menu is, especially the second time. I've seen suggestions that it might somehow prevent reading the bad clone's name from crashing the game, but I'm unsure of how.

Secondly, there are a lot of assumptions I have to make due to not having a complete RAM map. Based on what I've been able to find out, it seems very likely that the buffer containing the characters in the last-read mail starts at D002, the buffers for lost-item-count and last-viewed-item-count are at D10C/D10D. The guide doesn't say, but it seems like the three items used for the PC code need to be the only three in the PC since using TM48 rather than TM50 starts execution from the end of the balls pocket rather than from the beginning of PC items. Finally, the value stored at DAFA is extremely important to the code, and I have no idea what value is stored there, though I very strongly suspect that its value is C3. I don't know what, if anything, is stored at D001, though execution of the mail code seems to start from there.

Finally, the setup seems to rely on certain values being in the b and f registers at particular times. It seems to me like you shouldn't be able to know b's value at that point, and that the value for the f register is not the one you want. In particular, the value of af is stored to hl and later is (probably) used as the address to write a jump instruction to. The address it should be written to is DA10, but the value it's set to is instead probably DA40. This may or may not matter in the short term, depending on what values are stored in between, but definitely limits potential for writing longer code in the future unless it's corrected after the fact.

Aside from not understanding the purpose of the potion, I understand everything about the actual process. Can anyone answer any of these other questions/concerns?

Evie the Mother Hen ☽ ❤

  • Head Administrator
  • *****
  • Offline Offline
  • Gender: Female
  • I love My Melody. 🦋 ✿
    • View Profile
I think if I remember rightly the 'day control character' ACE requires having a 0x15 0x00 sequence in memory, which then leads to the arbitrary code execution. Bringing up the party menu with the Potion may be a necessary step related to that, as I remember when doing this with another method (also credited to lucky) there was another method involving an Antidote x21, going to toss it but choosing no, and exiting out after pressing A on Cancel.

I'm not sure of the details other than that though, sorry. The execution pointers for Gold/Silver and Crystal can be found here. Looking at this with a brief glance I don't know what wrong pocket TM40 is for though as it executes code in ROM in Crystal.

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

tstwizby

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
You're remembering right, and a variation on the Antidote method (using the excess Flower Mails instead) is what they use in this case as well. If I'm remembering right myself, the reason for this is that when parsing text, 0x15 tries to call a mobile function using the following byte as a parameter, and doesn't have the proper error checking when that byte is zero. Moving in the right pattern beforehand causes execution to return to right after the 0x15 0x00. The potion seems to be something unrelated, though I could see it having something to do with 'cleaning up' the RAM in the area to prevent unwanted execution of code. I think you misunderstood my point regarding the flag register- the setup does put TM 15 into the items pocket, but rather than writing a jump to PC names at DA10, if I'm properly understanding how the flag register works, it writes the jump at DA40. That said, thank you for the link! It's certainly good information to have.

luckytyphlosion

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • JACK-flys are OP
    • View Profile
Terribly sorry for being inactive here, as I don't normally check messages here. I'll PM you my Discord handle where you can contact me there.

tstwizby

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Don't worry about it! Thanks for the info, Discord isn't something I've used before but enough things seem to have moved to it that I'll go ahead and try it out. It will likely be a day or two before I'm comfortable enough with it to actually use it though.