Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation II Glitch Discussion

ACE in G/S via stack corruption (compatible with all european versions and VC) - Page 2

Re: ACE in G/S via stack corruption (compatible with non-EN versions, apparently)

Posted by: ISSOtm
Date: 2017-10-02 03:54:05
As luckytyphlosion pointed out above (but somehow we completely missed it until yesterday night), the above trick will not work on VC.
(Because for some reason, it appears that trying to execute from *unlocked* SRAM still returns FFs, leading to 0039 crashes)

Crystal_ worked out a fix, though:
- Replace the "Ae" in box names with "4A".
- Have a Quagsire holding HP Up with Sleep Talk as its first move (this should be the second Quagsire in the party).
- Keep the same item setup in the PC, but put an extra [Any item] x[Any qty] before everything else.

Explanation:
- "4A" redirects execution to the 3rd Party Pokémon's data.
- Quagsire w/ HP Up & Sleep Talk redirects to PC Item 2 qty (unlike the "Ae" method which goes to item 1 qty).
- We mostly rejoin the non-VC route. Good thing it emulates Echo RAM, otherwise German and French VC would be in big trouble.



[img]http://puu.sh/xO4Ab/a3b7159786.png[/img]

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Crystal_
Date: 2017-10-03 12:59:36
All my attempts to adapt the memory editor code to the french version have been in vain. There's always a missing instruction or some other kind of inconvenience on whichever I try. Granted, maybe I've just had a bad day, but I've been stuck for a while…

Anyway, the idea is to load x into yz, where x is [$f8f9] + [$f8fa], y is [$f8f5] + [$f8f6], and z is [$f8f7] + [$f8f8]. These addresses belong to box 7's name, so they can easily be manipulated and each sum can yield any given value. I thought they were the most convenient since you can't access the low $f9xx addresses with box name characters. Achieving this with mostly box names would be ideal, because with only PC items it's a complete abomination. It was relatively easy in all non-french european versions, but the lack of available instructions in the french version isn't helping.

Maybe someone with more patience than me wants to pick this up? Post #3 of this thread has the documentation of everything done so far.

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: luckytyphlosion
Date: 2017-10-03 19:50:57
[size=14pt]Memory Editor using French Box Names (does not require items in Item Pocket)[/size]

Special thanks to gifvex for contributing some ideas to the box names.

Preparation for TM09

Set Box 1's Name:
A p u' 9 é G n'
Use TM17 with Quagsire holding TM02
Give Quagsire the newly generated TM09 in the TM Pocket

Using the memory editor

Set Box 2-8's names:
p u' t' é 3 2 u' 6
é 's 2 u' 5 é 1 2
2 0 m' m' 's 1 2
é 2 's 1 2
é / 2 's 1 2 é
A n' G G G m' u' A
u' A n'


Box 1 is used to store the destination address + value to write.

Don't write to $d8f6/$f8f6 (has the return opcode for box names)

Raw Source Code (to copy into BGB debugger)

; Boxes 2-3: build the three patch bytes in A. xor a clears carry and every
; sbc below borrows, so carry stays set and each result is the previous one
; minus the operand minus 1.
xor a              ; A = $00
sbc $dd            ; A = $23 = opcode of "inc hl"
ld [$f8f9], a      ; patch the second "db $86" of the pair routine
sbc $fc            ; A = $26 = opcode of "ld h, n"
ld d, b            ; $50: box name terminator, harmless when executed

ld [$f8dc], a      ; patch the first byte of "db $d8, $d8" into "ld h, $d8"
sbc $fb            ; A = $2a = opcode of "ld a, [hli]"
ld [$f8f7], a      ; patch the first "db $86" of the pair routine
ld d, b

; Box 4: point HL at Box 1 and fetch the destination's high byte
ld hl, sp+$f6      ; HL = SP - 10; carry comes from the low-byte addition (SP low byte >= $0a)
db $d8, $d8        ; runs as "ld h, $d8" after the patch, so HL points into the box names at $d8xx
call c, $f8f7      ; pair 1 of Box 1 -> A (high byte of the destination)
push af            ; one byte of padding to keep the name 8 characters; undone by the pop af below
ld d, b

pop af
ld [$f8f5], a      ; high byte into the operand of the "ld [nn], a" below
call c, $f8f7      ; pair 2 -> A (low byte of the destination)
push af
ld d, b

pop af
ld [$f8f4], a      ; low byte into the operand of the "ld [nn], a" below
call c, $f8f7      ; pair 3 -> A (value to write)
db $ea, $50, $80   ; $ea = "ld [nn], a"; $50/$80 are the placeholder operand bytes at $f8f4/$f8f5
                   ; (Box 6's terminator and Box 7's first character), overwritten by the two stores above

; Boxes 7-8: pair routine, entered at $f8f7 once patched
reti               ; $f8f6: returns from the box name code after the write. Never overwrite it.
db $86             ; $f8f7: patched to "ld a, [hli]"
add [hl]           ; A = [hl] + [hl+1]
db $86             ; $f8f9: patched to "inc hl"
ret c              ; the sum wrapped past $ff: return with carry set
sbc $80            ; otherwise a sum in $80-$ff is folded back to itself ...
ld d, b

sbc $80            ; ... and the second borrow sets carry (a sum below $80 comes back with carry clear, so the next call c is skipped)
reti
ld d, b


Source code after self-modifying writes (the three patched bytes are marked)

xor a
sbc $dd
ld [$f8f9], a
sbc $fc
ld d, b

ld [$f8dc], a
sbc $fb
ld [$f8f7], a
ld d, b

ld hl, sp+$f6
ld h, $d8          ; was db $d8, $d8; patched by ld [$f8dc], a
call c, $f8f7
push af
ld d, b

pop af
ld [$f8f5], a
call c, $f8f7
push af
ld d, b

pop af
ld [$f8f4], a
call c, $f8f7
db $ea, $50, $80   ; becomes ld [nn], a with nn filled in by the two stores above

reti
ld a, [hli]        ; was db $86; patched by ld [$f8f7], a
add [hl]
inc hl             ; was db $86; patched by ld [$f8f9], a
ret c
sbc $80
ld d, b

sbc $80
reti
ld d, b


I might try to optimize box names for the memory editor for other language versions.
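Added example, not code from the thread or from any of its posters: a small Python model of the SM83 add/sbc carry behaviour that the box-name editor above depends on. It replays the xor/sbc chain to confirm the three bytes it stores ($23, $26, $2a), models the pair-summing subroutine at $f8f7, and searches for Box 1 byte pairs that reach a wanted byte, which is also the "each sum can yield any given value" idea from Crystal_'s post. The Box 1 layout (high byte pair, low byte pair, value pair) is read off the listing: the first call's result goes to $f8f5, the second to $f8f4, the third stays in A. The character table (A-Z = $80-$99, a-z = $a0-$b9, 0-9 = $f6-$ff) and the sample destination $8f06 / value $42 are assumptions, not values from the thread; the French table has extra characters that would widen the reachable set.

```python
# Added example (not from the thread): model of the SM83 flag behaviour the
# box-name memory editor relies on, used to derive Box 1's byte pairs.

# Assumed character codes (Gen I/II text table): 'A'-'Z' = $80-$99,
# 'a'-'z' = $a0-$b9, '0'-'9' = $f6-$ff. Extend for the French table as needed.
CHARSET = list(range(0x80, 0x9A)) + list(range(0xA0, 0xBA)) + list(range(0xF6, 0x100))

# Destinations the post says must never be written ($f8f6 holds the reti).
FORBIDDEN = {0xD8F6, 0xF8F6}


def sbc(a, n, cy):
    """SM83 `sbc n`: A = A - n - carry; returns (result, new carry) with borrow semantics."""
    r = a - n - cy
    return r & 0xFF, int(r < 0)


def add(a, n):
    """SM83 `add`: returns (result, carry out of bit 7)."""
    r = a + n
    return r & 0xFF, int(r > 0xFF)


def patch_bytes():
    """Replay the xor/sbc chain of Boxes 2-3 and return the bytes it stores,
    keyed by the address each `ld [nn], a` targets."""
    a, cy = 0, 0                 # xor a
    a, cy = sbc(a, 0xDD, cy)     # -> ld [$f8f9], a
    b_f8f9 = a
    a, cy = sbc(a, 0xFC, cy)     # -> ld [$f8dc], a
    b_f8dc = a
    a, cy = sbc(a, 0xFB, cy)     # -> ld [$f8f7], a
    b_f8f7 = a
    return {0xF8F9: b_f8f9, 0xF8DC: b_f8dc, 0xF8F7: b_f8f7}


def pair_routine(x, y):
    """Model of the patched subroutine entered at $f8f7:
    ld a,[hli] / add [hl] / inc hl / ret c / sbc $80 / ld d,b / sbc $80 / reti.
    Returns (A, carry) as the caller's following `call c` sees them."""
    a, cy = add(x, y)
    if cy:                        # ret c: the sum wrapped past $ff
        return a, 1
    a, cy = sbc(a, 0x80, 0)       # inc hl and ld d,b do not touch carry
    a, cy = sbc(a, 0x80, cy)
    return a, cy                  # reti


def find_pair(target, charset=CHARSET):
    """First pair of box-name bytes whose routine result is `target` with carry set."""
    for x in charset:
        for y in charset:
            if pair_routine(x, y) == (target, 1):
                return x, y
    return None


def build_box1(dest, value, charset=CHARSET):
    """Six Box 1 bytes: (high, low, value) pairs, in the order the editor consumes them."""
    if dest in FORBIDDEN:
        raise ValueError("destination would clobber the box-name reti")
    out = []
    for byte in ((dest >> 8) & 0xFF, dest & 0xFF, value):
        pair = find_pair(byte, charset)
        if pair is None:
            raise ValueError(f"no pair in charset sums to ${byte:02x}")
        out.extend(pair)
    return out


def run_editor(box1):
    """Replay the three `call c, $f8f7` results and the final `ld [nn], a`.
    Returns (dest, value) or raises if a call would be skipped."""
    results = []
    for i in range(0, 6, 2):
        a, cy = pair_routine(box1[i], box1[i + 1])
        if not cy:
            raise RuntimeError(f"pair {i // 2} returned with carry clear; call c skipped")
        results.append(a)
    hi, lo, value = results       # 1st -> $f8f5 (high), 2nd -> $f8f4 (low), 3rd stays in A
    return (hi << 8) | lo, value


if __name__ == "__main__":
    print({f"${k:04x}": f"${v:02x}" for k, v in patch_bytes().items()})
    box1 = build_box1(0x8F06, 0x42)   # constructed sample target, not from the thread
    print([f"${b:02x}" for b in box1], run_editor(box1))
```

The edge case worth knowing is in pair_routine: a pair whose sum neither wraps past $ff nor lands in $80-$ff comes back with carry clear, the next call c is not taken, and the write silently uses stale bytes. find_pair therefore only accepts results returned with carry set, and run_editor raises in that situation instead of pretending the write happened.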

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: forsyz
Date: 2017-10-04 00:57:39

Will you do one for English versions too? It would be easier than getting all those items and using TM25 a bunch of times to use fmk's hex editor.

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Krys3000
Date: 2017-10-04 04:38:56
Excellent work guys!  ;D

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Crystal_
Date: 2017-10-04 11:51:50
Great stuff. Definitely much better than what I came up with! The setup for other language versions isn't too bad, although taking away the necessity to care about the bag items could be convenient.

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Lory94
Date: 2017-10-04 12:03:24
Hello, is it possible to get any Pokémon / make it shiny or flawless with this variant of ACE in Italian?

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Zowayix001
Date: 2017-10-07 14:57:12
What's preventing this from working in Japanese GSC? Does the bad clone glitch/cloning glitch not work there or something?

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: Crystal_
Date: 2017-10-08 04:09:36
I just haven't looked into making it compatible with the Japanese version, but as far as I know, most memory addresses and some aspects of the engine are different, so this method would probably require a complete rework.

Re: ACE in G/S via stack corruption (compatible with all european versions and VC)

Posted by: SatoMew
Date: 2017-10-08 09:58:40

What's preventing this from working in Japanese GSC? Does the bad clone glitch/cloning glitch not work there or something?


The addresses are different. Some can be deduced by extrapolating the difference between addresses (this is how I figured out the way to do this in the Japanese versions, for example, by guessing that the Japanese address was the English address minus [tt]0xD[/tt] or close, because the difference between the English addresses [tt]0xCEA3-0xCEA6[/tt], which are manipulated to trigger the "walk through walls" behavior, and the Japanese addresses is exactly [tt]0xC[/tt], so why not?) but others are in completely distinct locations and thus require a deeper understanding of how the code is structured on the Japanese ROMs.