Crystal arbitrary code execution guide with setups for all three methods
Posted by: Krys3000
Date: 2018-01-21 14:00:11
Hello there,
Since Pokémon Crystal gets released on Virtual Console in a few days, I thought it was the right time to write a guide for newcomers who wants to perform Arbitrary Code Execution in this version. This somehow follows my previous guide to G/S ACE, and I think at some point I could merge both together in one big G/S/C ACE guide. I just didn't wanna do that at this point since this is an early work in which I hope you could contribute. Any comments are welcomed!
Many thanks to everyone who helped me writing this on Discord: Crystal_ for the Bad Clone ACE setup, luckytyphlosion for the mail buffer and the discovery of TM15, Epsilon and ISSOtm for their current work on OAM DMA Hijacking
What are the three ACE methods in Crystal?
If you are familiar with ACE in G/S, you probably have heard of Coin Case Glitch, which is an english-only ACE method available in G/S. This doesn't work in Crystal games. You also probably know that it is not the mostly used method in G/S, because Wrong Pocket TM ACE is more permissive. Well, Wrong Pocket TM ACE can also be performed in Crystal, but unfortunately not without using another ACE method before.
Another method is Bad Clone ACE. This somehow can be considered the best method to start ACE in Crystal, because it's easier to setup than other ACE methods and can be performed early in the game. However, the code execution can only be done from a PC, and this may limit your possibilities with the glitch. I would personally recommend to use this method in order to setup the Wrong Pocket TM ACE ; and this is something this guide will teach you to do.
The last method is the Glitch Pokédex ACE which I prefer over the Bad Clone ACE (although this method is clearly not as good as the Wrong Pocket TM ACE), because the code is executed by opening the Pokédex and therefore, it can be done anywhere. However, the setup I present here for this is hard to get early in the game, and this can be a problem for you…
Note that EVERY METHOD uses a Bad Clone. Before freaking out, two things should be pointed here:
- The Bad Clone ACE can use any type of Bad Clone, including Pseudo-Bad Clones (Bad Clone without names but everything else is normal) and False Bad Clones (Bad Clones without names and with every data at 0 but still keeping their original Pokédex ID)
- The two other methods won't, but it's no big deal because in Crystal, you can convert Pseudo and False Bad Clones into Bad Clones that can be used for any method. To do this, store the Bad Clone in a PC Box and store 5 other Pokémon in that same box. Then, use the withdraw option to display that box. Leave it and use the withdraw option again. All Pokémon are now Kingdra. Withdraw the Bad Clone and you can now use it (in case of trouble with getting the Kingdra, please read this).
What is important here is that you can still execute code from items, from box names, OR from the mail buffer. However, if you're playing FRENCH OR GERMAN VERSION, YOU CAN'T COMPOSE CODES WITH BOX NAMES CHARACTERS. You won't have any problem with mail characters, though.
I. Wrong Pocket TM ACE adapted for Crystal version
Much like in G/S, Wrong Pocket TM ACE relies on a TM obtained in the Balls Pocket using luckytyphlosion's Item Shifting Glitch. This glitch works in Crystal games, however in this case, the TM you would need is TM15, not 17. Therefore, you would need to keep 206 Ultra Ball instead of 208. Of course, it is also possible to use another ACE method to get yourself TM15 in the Wrong Pocket.
Then, once again much like in G/S, you will need to catch a Quagsire (or evolve any Wooper). This Pokémon must have RETURN as first move and hold TM50 (to execute from FIRST STORED ITEM), or must have SAFEGUARD as first move (this can only be taught through breeding!) and hold MIRACLE SEED or THICK CLUB (to execute from respectively FIRST OR SECOND CHARACTER IN BOX 1 NAME), or must have RAIN DANCE as first move and hold no item (to execute from mail buffer). Place this Quagsire as first in the team everytime you execute code. I recommend to prepare 3 Quagsire and change it when needed.
Now comes the catch: you need to use any other ACE method to write C3 DF FC to addresses $DA10 to $DA12. There are numerous ways to do that, and with luckytyphlosion we think of writing as soon as possible a code that does it and gives TM15 in the wrong pocket at the same time. In the meantime, here's a unergonomic yet functional box code.
PP Up x252
TM42 x18
TM27 x3
TM10 x(any quantity)
Any other items in any quantities can go from here on
After executing the code once, toss 29 PP Up and 1 TM42 and execute again. Now toss 28 PP Up and 1 TM42 and execute a third time.
With all this done, you can save and you are now ready to execute any code in Crystal using your TM15.
II. Bad Clone ACE: easy but limited
This method has been discussed on some threads here, so I thank everyone involved in it, especially luckytyphlosion and once again Crystal_
There are two different setups available for this ACE method. Crystal_'s one is quick but only works if executing code from ITEMS or BOX NAMES ; luckytyphlosion's one can be used to execute code from the MAIL BUFFER instead.
Crystal_'s setup for ITEMS OR BOX CODES
[li]Have a Bad Clone stored in the PC, the same way you would have obtained one for Item Shifting Glitch or a simple Bad Clone Trick. The best is not having any other Pokémon in the box, so they don't get corrupted.[/li]
[li]Have a Max Elixer or TM21 (FRUSTRATION, giveaway if your first Pokémon is sad at Goldenrod Store), in the bag.[/li]
[li]Catch a Quagsire (or evolve any Wooper). This Pokémon must have RETURN as first move (to execute from FIRST STORED ITEM), or must have SAFEGUARD as first move (to execute from respectively from BOX 1 NAME - this can only be taught through breeding!). Put it in the first slot of your team.[/li]
[li]Catch a Spearow and make it hold TM50 (NIGHTMARE, obtained on Route 31, after completing the mail quest) to execute code from FIRST STORED ITEM or make it hold MIRACLE SEED or THICK CLUB to execute from respectively character 1 or 2 in BOX 1 NAME. This Pokémon must be second in the team.[/li]
The code execution is then performed this way:
[li]Save and reset in front of a Pokémon Center.[/li]
[li]Enter the Center, go up until reaching the healing machine, go right until hitting the wall, go up to the PC. These steps are very precise, don't do any other pattern.[/li]
[li]Open the bag, place the cursor on the Max Elixer or TM21 but DON'T CLICK ON IT. Leave the bag.[/li]
[li]Use the deposit option on Bill's PC to view Quagsire's profile. Go to its moves page, then exit Quagsire's profile and hit down to display Spearow's sprite. Don't click on it.[/li]
[li]Exit the deposit menu, and use the withdraw option to view the box containing the Bad Clone. You'll see a bunch of "?" but it will also execute code![/li]
luckytyphlosion's setup for MAIL CODES
Here's a pastebin that roughly explains this setup: https://pastebin.com/DaWmYHLF
Please note that you must introduce "4AA" before starting your mail code. Otherwise, s**t will happen.
III. Glitch Pokédex ACE: hard but powerful
You will see that this method is not perfect, but once it's setup the first time, it's practical. In fact, if you intend to setup the TM15 for Wrong Pocket TM ACE, don't bother using this - Bad Clone ACE is way faster.
First, you must perform luckytyphlosion's Item Shifting Glitch in a certain way that I coined 'Double Item Shifting Glitch'. The catch here is that you want to get 255 items (Expanded Balls Pocket) but item 00 ("?") freezes the game when you place the cursor on it, so you need to make sure that there won't be an item 00 before stored items in the Expanded Balls Pocket. In order to avoid this,
[li]Have 3 Mystery Egg in the Key Items, instead of 2 (the pocket must still be filled)[/li]
[li]Have Ultra Ball x1 followed Poké Ball x2 in the Balls Pocket[/li]
[li]Place 2 Mystery Eggs at the bottom and swap them[/li]
[li]Go to the Balls Pocket and swap Master Ball x5 with Ultra Ball x255[/li]
[li]Fill your Balls Pocket by any mean[/li]
[li]Store the bottom-most Mystery Egg, then take it back[/li]
[li]Do the trick again with the 2 remaining Mystery Egg[/li]
[li]Store the remaining Mystery Egg, then take it back[/li]
While doing this, you will also need three stored items:
[li]TM19 (GIGA DRAIN, obtained at the Radio Tower or at Celadon's store)[/li]
[li]TM29 (PSYCHIC, given by some NPC in Saffron City or obtained at Celadon's Game Corner)[/li]
[li]Any item with a quantity of 9[/li]
You will then need to catch a Quagsire (or evolve any Wooper). This Pokémon must have RETURN as first move and hold TM50 (to execute from FIRST STORED ITEM), or must have SAFEGUARD as first move (this can only be taught through breeding!) and hold MIRACLE SEED or THICK CLUB (to execute from respectively FIRST OR SECOND CHARACTER IN BOX 1 NAME), or must have RAIN DANCE as first move and hold no item (to execute from mail buffer). Place this Quagsire as second in the team everytime you execute code. I recommend to prepare 3 Quagsire and change it when needed.
Unlike the other methods and much like in G/S, you will need a 'Slide Pokémon' in first position of party. To get it, catch either:
- a Bellsprout in Violet City that you raise at lvl5 then trade for Rocky the Onix with the NPC in Violet City.
- an Abra that you raise at lvl13 then trade for Muscle the Machop with the NPC in Goldenrod Departement Store.
- a lvl2 Sentret in Route 29, that doesn't have a 6 in its SP. DEF. stat (if so, catch another - this stat value appears in 31.25% of lvl2 Sentret).
Onix, Abra or Sentret must then never win any battle, or you won't be able to use it anymore.
Open the Balls Pocket and slide down, you will see the PC Items after the CANCEL that follows the last ball (although only the description might show up). Using SELECT, place the x9 item at position 65, the TM19 at position 165, and the TM29 at position 166.
With this done, everytime you use the Pokédex, code gets executed!
Redirect an execution from items to box names
If you don't feel like breeding a Wooper to get SAFEGUARD or get one of the two crap items that are used to execute box codes, you can also use this item code which will act as a redirection to box names.
Awakening x3
Paralyz Heal x3
Poké Ball x38
TM28 x3
Ultra Ball x46
Ragecandybar x44
X Attack x35
TM41 x(any quantity)
Code will now be executed from character 1 of box name 1.
Can I use a G/S code on my Crystal
Depends. I won't provide box codes translation, but here are translations for some item codes of the the G/S guide.
[li]In the INCREASE/DECREASE THE QUANTITY OF AN ITEM CODE, change the quantity of Fresh Water to 7. The first two items must be Awakening x3 and Paralyz Heal x3[/li]
[li]In the GET ANY ITEM CODE, change the quantity of Fresh Water to 6. The first two items must be Awakening x3 and Paralyz Heal x3[/li]
[li]In the MEMORY EDITOR CODE, A.K.A. GAMESHARK SIMULATOR, the first two items must be Awakening x3 and Paralyz Heal x3[/li]
[li]In the MAKE THE SIXTH POKEMON IN PARTY SHINY CODE, change the quantity of X Accuracy to 228, and the TM28 x62 to a TM29 x62. The first two items must be Awakening x3 and Paralyz Heal x3.[/li]
How to trigger the Celebi Event
Here is the code.
Great Ball x62
TM02 x38
TM27 x46
Carbos x45
Leaf Stone x04
TM10 x(any quantity)
Then, talk to Kurt to receive the GS Ball. You can now go to Ilex Forest and trigger the event!