Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation II Glitch Discussion

ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Crystal_
Date: 2017-09-29 16:22:01
OVERVIEW / EXPLANATION (for requirements and steps see the third post in this thread)

Step by step video (with updated and organized information in comparison to the third post): https://www.youtube.com/watch?v=b2tVVeZ7Th4

I've tested this in an english Silver ROM and spanish Gold ROM and given that the essential elements and key memory addresses were the same in both games, I assumed that it would also be the same in all other localizations. However, further testing, and of course, a lot of polishing, would be required. The english versions don't need ACE since we already have coin case, so the goal was to find a method compatible with all other localizations.

First we need a 0xFF Pokemon in order to be able to draw Pokemon beyond the sixth slot. I'm not going to get into the details of how to achieve it.

When the 30th Pokemon is withdrawn to the party, it corrupts addresses between DF9A and DFB9. In particular, when the Pokemon's data is being copied from SRAM to those WRAM addresses, the stack pointer is at DFB3, and the 3rd and 4th PP slots of the Pokemon are copied to DFB3 and DFB4, respectively. Returning from the memory copy routine will bring the game to whatever stack pointer was spelled out by those two PP fields. Using PP ups, we can come up with any given address that we want, for example one that points to somewhere in the box names buffer.

Of course, after doing this, the stack is absolutely destroyed and there is no realistic hope of restoring it to anything playable. We can still do something though. We can hack ourselves a TM into the medicine bag pocket in SRAM that we can utilize later. This may look way too complicated but it doesn't necessarily have to be. First of all, SRAM bank 1 is already opened right now. We only have to overwrite A420 (medicine pocket item 1) with the id of the desired TM and fix the checksum at AD69-AD6A. If we set a fixed item #1 as an initial requirement (e.g. a Berry), we can calculate the necessary checksum shift. If the ids are relatively close, we might even be able to skip checking the checksum's high byte to simplify the needed script and hope the low byte doesn't overflow (literally anything we do will change the checksum upon saving anyway, so we can just try again until it works). Finally, we can trigger a safe reset or freeze, and upon restarting the game, we will have our TM in the medicine pocket. Note that the SRAM addresses mentioned here refer to spanish Gold/Silver; they may be different in other localizations.

Now it's supposed to be similar to coin case ACE in concept. We find a TM that jumps to a suitable place in WRAM (I think ACE with TM33 transferred from Red/Blue has been done already), and when we have it, we create some bootstrap code that for example redirects execution to box names or PC items.

These are the TM pointers in spanish G/S (TM04_X and TM28_X are the two extra entries of the original list):

TM01 14FE    TM02 15CD    TM03 CA31    TM04 77F6    TM04_X EAAF
TM05 D14F    TM06 02FA    TM07 FED0    TM08 C4B1    TM09 6E1E
TM10 9921    TM11 CBD1    TM12 21A6    TM13 7857    TM14 5ECD
TM15 FA0F    TM16 D114    TM17 FA47    TM18 D119    TM19 03FE
TM20 20CA    TM21 FA6A    TM22 D002    TM23 01FE    TM24 20CA
TM25 FA6A    TM26 D002    TM27 214F    TM28 6C73    TM28_X FE2A
TM29 28FF    TM30 B90F    TM31 0428    TM32 2323    TM33 F418
TM34 662A    TM35 116F    TM36 698A    TM37 E9D5    TM38 02FA
TM39 FED0    TM40 789F    TM41 12CA    TM42 786A    TM43 B8E0
TM44 FF21    TM45 46D0    TM46 4E23    TM47 5623    TM48 5E23
TM49 21CB    TM50 10CB


Again, this obviously needs a lot of polishing and coming up with bootstrap codes yet, as well as adapting it to each other localization, each of which may have different SRAM addresses and different wrong pocket TM pointers, as well as a different set of assembly instructions that can be spelled out with box names. So far I haven't bothered to check beyond the english and spanish versions, but the 3rd and 4th move PP of the 30th Pokemon being written to the stack pointer (DFB3-DFB4) matched in both versions, so I assume it would also be the same in the other localizations. The other factors don't seem essential unless we're really unlucky with TM pointers.
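Added example in Python, not code from the thread: it models the two byte-level facts the post above relies on, the PP byte encoding that spells the corrupted return address, and a checksum-neutral SRAM edit of the kind the setup in the third post performs (item 1 id replaced, 35 units taken from item 2). It assumes the Gen II move PP byte layout (PP Up count in the top two bits, current PP in the low six), the 16-bit byte-sum save checksum, and constructed item ids.

```python
def pp_byte(current_pp: int, pp_ups: int) -> int:
    """Gen II move PP byte: bits 0-5 hold current PP, bits 6-7 the PP Up count."""
    if not (0 <= current_pp <= 63 and 0 <= pp_ups <= 3):
        raise ValueError("current PP must fit in 6 bits, PP Ups in 2 bits")
    return (pp_ups << 6) | current_pp


def return_address_from_pp(pp3: int, pp4: int) -> int:
    """Address the SRAM-to-WRAM copy routine returns to once the 30th withdrawn
    Pokemon's 3rd and 4th PP bytes sit at DFB3/DFB4, where the return address was
    saved. The Game Boy stores 16-bit values little-endian, so DFB3 is the low byte."""
    return (pp4 << 8) | pp3


def save_checksum(region: bytes) -> int:
    """Gen II save checksum: 16-bit sum of every byte in the protected SRAM block."""
    return sum(region) & 0xFFFF


def patch_checksum_neutral(region: bytes, writes: dict) -> bytearray:
    """Apply {offset: new_value} writes to a copy of region, but only if their net
    effect on the byte-sum checksum is zero, so the stored checksum stays valid
    without touching the checksum bytes themselves."""
    delta = sum(value - region[off] for off, value in writes.items())
    if delta % 0x10000:
        raise ValueError(f"writes shift the checksum by {delta}; compensate or fix it")
    out = bytearray(region)
    for off, value in writes.items():
        out[off] = value
    return out


# Constructed 16-byte stand-in for the items pocket starting at A41F: a count byte,
# then (id, quantity) pairs, so A420 is offset 1 (item 1 id) and A423 is offset 4
# (item 2 quantity). The ids are made-up values chosen 35 apart.
OLD_ID, NEW_ID = 0x20, 0x43
POCKET = bytes([0x02, OLD_ID, 0x01, 0x11, 36] + [0xFF] * 11)
OFF_ITEM1_ID, OFF_ITEM2_QTY = 1, 4


def demo():
    """Swap item 1 for the new id and take 35 units from item 2, as the setup does."""
    before = save_checksum(POCKET)
    patched = patch_checksum_neutral(POCKET, {OFF_ITEM1_ID: NEW_ID, OFF_ITEM2_QTY: 1})
    return before == save_checksum(patched), patched


if __name__ == "__main__":
    addr = return_address_from_pp(pp_byte(16, 3), pp_byte(24, 3))
    print(f"return address spelled by the PP bytes: ${addr:04X}")  # $D8D0
    print("checksum unchanged:", demo()[0])
```

With the 16/16 and 24/24 PP moves (3 PP Ups each) from the requirements post, the address comes out as $D8D0, which is where the box-name code in the third post starts.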

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: ISSOtm
Date: 2017-09-29 20:45:33
Just an update to say the polishing is half done. Here's a half-hacked result (where data was memory edited where it was supposed to be, instead of properly setting up a Pokémon, etc.), in which the payload successfully edited the save file to add a TM25 there :
Image: http://puu.sh/xMejG/9bcca1f2b4.png

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Crystal_
Date: 2017-09-30 07:18:28
REQUIREMENTS AND STEPS for spanish, italian, french and german Gold/Silver - Work in progress

Emulators: Working on BGB, not working on VBA. For the 3DS Virtual Console, you also must follow the additional points colored in red; if you are not playing on the 3DS VC, ignore (skip) them. Not tested on any other emulator.

Follow also the requirements and steps in blue if you want a "memory editor" setup for TM17. If you just want to obtain TM17, ignore (skip) them.

Initial requirements - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload

- The first item of the items pocket of the bag must be Berry (any quantity)
- The second item of the items pocket of the bag must have a quantity of 36 (any item). You will lose 35 of them.
- As the third item of the items pocket of the bag, Potion x1. As the fifth item, Ylw Apricorn x1. Fourth item can be any item and items below the fifth are irrelevant.
- Box 3 and Box 4 must be renamed as shown in this (spanish/italian) or this (french) or this (german) image. For 3DSVC, replace the last Ae with K4, regardless of the language.
- A specific PC item list* (items beyond the last one don't matter)
- As the first party Pokemon, a level 2 Pokemon with no status, no pokerus, with current HP and HP between 13-14, and all other stats between 6-7.
- As the second party Pokemon, a Quagsire holding TM02 with Return as the first move.
- As the third party Pokemon, a Quagsire holding HP Up with Sleep Talk as the first move.
- As the sixth party Pokemon, a bad clone (Pokemon 0x00).
- All your party Pokemon should be Pokemon that you don't care about. They will be at risk.
- A box (any) with 20 Pokemon that you don't care about. These Pokemon will be gone forever. In this box, the 20th (last) Pokemon must have a third move with 16/16 PP and a fourth move with 24/24 PP. These correspond to a 10 PP move and 15 PP move, both with 3 PP Ups applied, respectively.
- A box (any) with only 4 Pokemon that you don't care about. These Pokemon will be gone forever.
- …

*PC Item list:
Any item - any amount
Antidote x4
Fresh water x32
Parlyz Heal x34
Awakening x1
Potion x1
Dire Hit x35
Everstone x1
Pokeball x1
TM08 (Rock Smash) x1

Steps - Obtaining TM17, executing from D8C0 with TM17, D8C0 payload
- Switch to the box with 4 Pokemon.
- Select the Move PkMn w/o mail option, and move the first Pokemon of the box with 4 Pokemon to the bottom of your party.
- Withdraw all Pokemon from the box with originally 4 and now 3 Pokemon.
- Withdraw all Pokemon from the box with 20 Pokemon.
- When you withdraw the last Pokemon, the game will reset in weird colors, but you will have TM17 as the first item in the items pocket. Restart the game to restore the normal colors. Important: Do not toss, sell, give or deposit the newly obtained TM17. You can however do anything you want with a TM17 that has been obtained through regular gameplay and is therefore stored in the TM/HM pocket of the bag.
- Execute the following steps depending on your version of the game:
  * Spanish/Italian:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
  * French:
  * German:
    · In the items pocket of the bag, swap TM17 x1 (first item) with Ylw Apricorn x1 (fifth item).
    · Rename boxes 1 to 5, as shown in this image.
- Rename box 7 accordingly (…).
- Important: every time that you want to use TM17, your first five items in the items pocket of the bag, the first and second party Pokemon, and the name for boxes 1-5, must be exactly like they are now.

If you can't understand the sections below, chances are you only care about the above.

Code - Obtaining TM17

BOX NAMES (SPANISH/ITALIAN): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $d0
ld d, b ; 0x50
and $d0
call nc, $a480
ld d, b ; 0x50

BOX NAMES (FRENCH): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $f1
ld d, b ; 0x50
and $d8
cp $fe
call c, $a480
ld d, b ; 0x50

BOX NAMES (GERMAN): D8D0
nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
and $80
or $50 ; 0x50
pop hl
call nz, $a480
ld d, b ; 0x50

PC ITEMS (ALL FOUR LANGUAGES): A480 (entry point A481)
db $09
inc b
ld l, $20
dec c
ld [hli], a
inc c
ld bc, $0112
inc l
inc hl
ld [hl], b
ld bc, $0105
rst $00
db $01

Code - Executing from D8C0 with TM17

PARTY POKEMON #2 (ALL FOUR LANGUAGES): DA5A
jp $d8c0

Code - D8C0 payload

BOX NAMES (SPANISH/ITALIAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
bit 2, b
pop de
and a
call $f5b8
ret
ld d, b

BOX NAMES (GERMAN): D8C0 (box 1, char 2)
ld a, [$f8f5]
push af
ld a, [$f8f6]
ld d, b
pop hl
add h
push af
ld a, [$f8f7]
push af
pop hl
ld d, b
ld a, [$f8f8]
add h
push af
ld a, [$f8f9]
ld d, b
push af
ld a, [$f8fa]
pop hl
add h
pop hl
pop bc
ld d, b
and a
jp $f5b8
ld d, b

ITEMS POCKET (SPANISH/ITALIAN): F5B8 (item 1)
ld e, h
ld bc, ?
ld [de], a
ld bc, ?
ret nc
ld bc, ?

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: luckytyphlosion
Date: 2017-09-30 18:50:55
If you want an alternate ACE method for non-English versions, you could just underflow the bag with Key Items glitch to be able to create any item possible, including TM25 and others. I don't have a setup that works on any arbitrary save, but you can use this video as a reference.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Crystal_
Date: 2017-10-01 04:26:49
Looking at this, the whole process to achieve ACE looks a bit too complicated. My own method requires to discard nearly 30 Pokemon though, so whatever. The attempt to obtain TM17 using box names ACE was a disaster anyway, I'm going to see if I can make it work reasonably with PC items.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Caveat
Date: 2017-10-01 05:56:44
This is more of a "because you can" thing in the English versions, since the easiest way to get an ????? (FF) is through ACE already.

In other languages, though, this could be very useful! Although, the destroyed stack might make it impossible to continue playing…

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Crystal_
Date: 2017-10-01 06:17:42

Although, the destroyed stack might make it impossible to continue playing…


We were aware of this, so we proceeded differently. We use this ACE method to edit the save file to give ourselves a TM17 in the items pocket, which can trigger ACE more reliably. Then, just reseting the game restores everything to normal, except for the convenient save file hack.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Krys3000
Date: 2017-10-01 06:56:27
The known methods for ACE as far as I know are:
- Bug-Catching Contest ACE, only working in japanese games
- Coin Case ACE, only working in English games
- TM33/25 ACE, working in all games and that in G/S, could theorically be achieved without the help of any other game, although it would be hard. In Crystal though, requires a second game at least.
- Bad Clone name ACE, not currently tested in non-english games (although should work) and not super hard to perform, but Crystal only.
- Move 00 Type ACE, not currently tested in non-english games (although should work) nor in english Crystal, but this move can only be obtained by using a 1G game or maybe using the Bad Clone Trick? Research to be done.
- Glitch Pokédex Mode ACE, whose proof of concept exists only in Crystal to my knowledge, but has never been fully setup (probably something that someone should work on)

So yeah in any ways, even though Move 00 and Glitch Pokédex are not fully exploited, the development of a more friendly ACE method especially in G/S would be great.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: ISSOtm
Date: 2017-10-01 10:06:45
I would like to bring up a small adjustment : the Pokémon's fourth move PP can be 24 (16 PP + 3 PP Up).

For instance, this Pidgey works.
Image: http://puu.sh/xNphc/db9c007eaa.png

This Pidgey can be found in the save file I attached, which works for the purpose of obtaining TM17 (but not afterwards), just as a proof that the payload to obtain it works.


Big shoutouts to Crystal_ because it took some effort to make a viable setup.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: luckytyphlosion
Date: 2017-10-01 14:58:27

Looking at this, the whole process to achieve ACE looks a bit too complicated. My own method requires to discard nearly 30 Pokemon though, so whatever. The attempt to obtain TM17 using box names ACE was a disaster anyway, I'm going to see if I can make it work reasonably with PC items.


The complications exist because of some additional conditions in Crystal. Firstly, the 0x00 item (?) has a description which crashes the game, which requires item swaps to avoid the game printing the item description. As such, underflowing the Key Items Pocket also requires additional steps to prevent the cursor viewing a 0x00 item. In Gold/Silver, the 0x00 item is completely safe so we only need 2 Key Items to generate, and by swapping both, depositing both of them in the PC, and swapping two 0x00 items, we can underflow our inventory to 254 items (as 255 forces the cursor to the top of the menu).

The additional complications to achieve ACE are because we don't have a bootstrap Pokémon to use in the (old) Crystal Any% speedrun. You could easily just generate a TM25 by depositing 216 of an item, which you can find an item with a quantity greater than 216 by scrolling down to the PC Items portion of the underflowed bag, and as there are no quantities in the Key Items pocket, the quantities of PC items will represent items.

Also, it's worth mentioning that the setup to create the 3 Itemfinders is slightly outdated; a much safer and easier setup exists which was used for the video I linked earlier.

Also, the 3DSVC emulator does not allow execution of SRAM for whatever reason (even when enabled), so calling box names in SRAM would definitely not work. I don't think a bootstrap with PC items would work well; you have plenty enough resources with the characters provided with box names that they're much easier to work with anyway.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: ISSOtm
Date: 2017-10-01 15:08:01
Another update : the box names are actually version-dependent, due to charset differences.
Crystal_ and I worked out setups for all four localizations, see below for your language.

Names for the Spanish and Italian versions :
Image: https://i.imgur.com/2stA9Ll.png

nop | ld d, b ; box 2 terminator
or $a4
and $a4
push af
pop hl
or $d0
ld d, b ; 0x50
and $d0
call nc, $A480
ld d, b ; 0x50


Names for the French version :
Image: http://puu.sh/xNBNP/40dfab6a3d.png

ld d,b
or $A4
and $A4
push af
pop hl
; $A4
or $F1
; $F5
ld d,b
; $F5
and $D8
; $D0
cp $FE ; To set the carry
call c, $A480
ld d,b


Names for the German version :
Image: http://puu.sh/xNC8L/828a997d4d.png

ld d,b
or $A4
and $A4
push af
and $80
or $50
pop hl
call nz, $A480
ld d,b
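Added check in Python, not code from the thread: a tiny evaluator for the few SM83 (Game Boy CPU) instructions the three sequences above use, confirming that from any initial A value all three localizations reach their conditional CALL with A = $D0 and H = $A4 and with the call taken. The flag semantics of OR/AND/CP, the bit layout of F, and treating the first byte as the harmless `ld d,b` are assumptions taken from the SM83 instruction set.

```python
# Flag bits in F: Z = bit 7, N = bit 6, H = bit 5, C = bit 4.
Z, N, H, C = 0x80, 0x40, 0x20, 0x10


def run(seq, a=0x00, flags=0x00):
    """Execute (mnemonic, operand) pairs until the conditional CALL.
    Returns (A, H, call_taken); anything after the CALL is not modelled."""
    stack, h = [], None
    for op, arg in seq:
        if op == "or":                       # OR: Z on zero, clears N/H/C
            a |= arg
            flags = Z if a == 0 else 0
        elif op == "and":                    # AND: Z on zero, sets H, clears N/C
            a &= arg
            flags = (Z if a == 0 else 0) | H
        elif op == "cp":                     # CP: A - n, result discarded
            r = (a - arg) & 0xFF
            flags = (Z if r == 0 else 0) | N
            flags |= C if a < arg else 0
            flags |= H if (a & 0xF) < (arg & 0xF) else 0
        elif op == "push af":
            stack.append((a, flags))
        elif op == "pop hl":                 # H gets the pushed A, L the pushed F
            h, _l = stack.pop()
        elif op in ("nop", "ld d,b"):        # no effect on A, F or HL
            pass
        elif op.startswith("call "):
            cond = op.split()[1]
            taken = {"nc": not flags & C, "c": bool(flags & C),
                     "nz": not flags & Z, "z": bool(flags & Z)}[cond]
            return a, h, taken
        else:
            raise ValueError(f"unsupported op {op}")
    raise ValueError("sequence ended without a conditional call")


SPANISH_ITALIAN = [("ld d,b", None), ("or", 0xA4), ("and", 0xA4), ("push af", None),
                   ("pop hl", None), ("or", 0xD0), ("ld d,b", None), ("and", 0xD0),
                   ("call nc", None)]
FRENCH = [("ld d,b", None), ("or", 0xA4), ("and", 0xA4), ("push af", None),
          ("pop hl", None), ("or", 0xF1), ("ld d,b", None), ("and", 0xD8),
          ("cp", 0xFE), ("call c", None)]
GERMAN = [("ld d,b", None), ("or", 0xA4), ("and", 0xA4), ("push af", None),
          ("and", 0x80), ("or", 0x50), ("pop hl", None), ("call nz", None)]
SEQUENCES = {"spanish_italian": SPANISH_ITALIAN, "french": FRENCH, "german": GERMAN}


def all_localizations(a=0x00, flags=0x00):
    """Run every sequence from the same starting A and F; the results should agree."""
    return {name: run(seq, a, flags) for name, seq in SEQUENCES.items()}


if __name__ == "__main__":
    for name, (a, h, taken) in all_localizations(0x3C).items():
        print(f"{name:16s} A=${a:02X} H=${h:02X} call taken={taken}")
```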

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Krys3000
Date: 2017-10-01 15:19:46
Great job guyz!

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Stackout
Date: 2017-10-01 16:16:23
Might as well just sticky this now.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: luckytyphlosion
Date: 2017-10-01 18:45:42
I made a list of the new box name characters, and their respective opcodes and hex values, for EU versions of Gold/Silver: https://pastebin.com/dW4dPyGp

Spanish and Italian have the holy grail of opcodes, adding 18 new opcodes. French has approximately the same usefulness of box name characters as English version. German is hit the hardest, as there is no opcode to arbitrarily add or subtract, forcing the creative use of "or x" and "and x" to get specific values.

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: Torchickens
Date: 2017-10-02 03:02:31
Thanks lucky!

@Crystal_, ISSOtm: Great work, I'm looking forward to giving this a go one day.