Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation II Glitch Discussion

I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.

Posted by: tstwizby
Date: 2018-07-28 10:34:08
I've tried PMing a few times, but they haven't been responding, so I thought I'd make an actual topic in case that helps.

After doing a lot of research, I can understand a lot of how luckytyphlosion's setup for wrong pocket TM ACE in Crystal is supposed to work, but there are a couple of things that just don't make sense.

Firstly, I'm not sure what the purpose of using a potion to bring up the party menu is, especially the second time. I've seen suggestions that it might somehow prevent reading the bad clone's name from crashing the game, but I'm unsure of how.

Secondly, there are a lot of assumptions I have to make due to not having a complete RAM map. Based on what I've been able to find out, it seems very likely that the buffer containing the characters in the last-read mail starts at D002, the buffers for lost-item-count and last-viewed-item-count are at D10C/D10D. The guide doesn't say, but it seems like the three items used for the PC code need to be the only three in the PC since using TM48 rather than TM50 starts execution from the end of the balls pocket rather than from the beginning of PC items. Finally, the value stored at DAFA is extremely important to the code, and I have no idea what value is stored there, though I very strongly suspect that its value is C3. I don't know what, if anything, is stored at D001, though execution of the mail code seems to start from there.

Finally, the setup seems to rely on certain values being in the b and f registers at particular times. It seems to me like you shouldn't be able to know b's value at that point, and that the value for the f register is not the one you want. In particular, the value of af is stored to hl and later is (probably) used as the address to write a jump instruction to. The address it should be written to is DA10, but the value it's set to is instead probably DA40. This may or may not matter in the short term, depending on what values are stored in between, but definitely limits potential for writing longer code in the future unless it's corrected after the fact.

Aside from not understanding the purpose of the potion, I understand everything about the actual process. Can anyone answer any of these other questions/concerns?
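The flag-register point in the post above comes down to one architectural fact about the Game Boy CPU: F holds Z/N/H/C in bits 7..4 and its low nibble is hard-wired to zero, so when AF is copied into HL (for example with push af / pop hl) the low byte of the resulting address can only be 0x00, 0x10, ..., 0xF0. The model below is an added illustration written for this archive; it is not code from the thread, from luckytyphlosion's setup, or from the game. The flag semantics for ADD/SUB/CP/AND are the standard LR35902 ones; the register values fed in are constructed for the demo, and nothing here claims what the real setup loads into A or which instruction sets its flags.

```python
"""Game Boy (LR35902) flag-register model (added example, not from the thread).

Shows why an address built from AF can only end in a multiple of 0x10, and
which single flag yields 0xDA10 (carry) versus 0xDA40 (subtract/N) when
A = 0xDA. Sample register values are constructed; they are not taken from
the Crystal ACE setup under discussion.
"""

FLAG_Z = 0x80  # zero
FLAG_N = 0x40  # subtract: set by SUB/CP/DEC, cleared by ADD/AND/OR/XOR
FLAG_H = 0x20  # half carry (bit 3 -> bit 4)
FLAG_C = 0x10  # carry


def flags_after_add(a, n):
    """ADD A,n -> (new A, F). N is always cleared."""
    res = a + n
    f = 0
    if (res & 0xFF) == 0:
        f |= FLAG_Z
    if ((a & 0x0F) + (n & 0x0F)) > 0x0F:
        f |= FLAG_H
    if res > 0xFF:
        f |= FLAG_C
    return res & 0xFF, f


def flags_after_sub(a, n):
    """SUB n -> (new A, F). N is always set."""
    res = (a - n) & 0xFF
    f = FLAG_N
    if res == 0:
        f |= FLAG_Z
    if (a & 0x0F) < (n & 0x0F):
        f |= FLAG_H
    if a < n:
        f |= FLAG_C
    return res, f


def flags_after_cp(a, n):
    """CP n: flags exactly as SUB n, but A is left unchanged."""
    _, f = flags_after_sub(a, n)
    return a, f


def flags_after_and(a, n):
    """AND n -> (new A, F). H is always set, N and C always cleared."""
    res = a & n
    f = FLAG_H
    if res == 0:
        f |= FLAG_Z
    return res, f


def af_to_hl(a, f):
    """push af / pop hl: H = A, L = F. The low nibble of F always reads 0."""
    return ((a & 0xFF) << 8) | (f & 0xF0)


def possible_addresses(a):
    """Every address reachable from a given A: one per flag combination (16)."""
    return sorted({af_to_hl(a, f) for f in range(0x00, 0x100, 0x10)})


def describe(f):
    """Human-readable flag set, e.g. 0x50 -> 'N C'."""
    names = [(FLAG_Z, "Z"), (FLAG_N, "N"), (FLAG_H, "H"), (FLAG_C, "C")]
    return " ".join(name for bit, name in names if f & bit) or "-"


if __name__ == "__main__":
    a = 0xDA  # constructed: the high byte the thread's target address needs
    for f in (FLAG_C, FLAG_N, FLAG_Z | FLAG_N, 0x00):
        print(f"F={f:02X} ({describe(f):5}) -> HL={af_to_hl(a, f):04X}")
    print("reachable:", [f"{x:04X}" for x in possible_addresses(a)])
    # An ADD that overflows with no half-carry leaves only C set ...
    print("ADD 0xDA,0x30 ->", flags_after_add(0xDA, 0x30))
    # ... while any SUB/CP result that is non-zero with no borrow leaves only N set.
    print("SUB 0xDA,0x01 ->", flags_after_sub(0xDA, 0x01))
```

The practical check for anyone auditing such a setup: list the last instruction that touched F before the AF value is moved into HL, compute its flags with the rules above, and confirm the low byte is the one the write actually needs. Because the low nibble is always zero, a target like DA10 is only reachable when C is the sole flag set at that moment; any preceding SUB, CP or DEC that leaves a non-zero result without a borrow gives N instead, which is exactly the DA40 outcome described above.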

Re: I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.

Posted by: Torchickens
Date: 2018-07-29 16:16:37
I think if I remember rightly the 'day control character' ACE requires having a 0x15 0x00 sequence in memory, which then leads to the arbitrary code execution. Bringing up the party menu with the Potion may be a necessary step related to that, as I remember when doing this with another method (also credited to lucky) there was another method involving an Antidote x21, going to toss it but choosing no, and exiting out after pressing A on Cancel.

I'm not sure of the details other than that though, sorry. The execution pointers for Gold/Silver and Crystal can be found here. Looking at this with a brief glance I don't know what wrong pocket TM40 is for though as it executes code in ROM in Crystal.

Re: I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.

Posted by: tstwizby
Date: 2018-07-29 16:56:24
You're remembering right, and a variation on the Antidote method (using the excess Flower Mails instead) is what they use in this case as well. If I'm remembering right myself, the reason for this is that when parsing text, 0x15 tries to call a mobile function using the following byte as a parameter, and doesn't have the proper error checking when that byte is zero. Moving in the right pattern beforehand causes execution to return to right after the 0x15 0x00. The potion seems to be something unrelated, though I could see it having something to do with 'cleaning up' the RAM in the area to prevent unwanted execution of code. I think you misunderstood my point regarding the flag register: the setup does put TM 15 into the items pocket, but rather than writing a jump to PC names at DA10, if I'm properly understanding how the flag register works, it writes the jump at DA40. That said, thank you for the link! It's certainly good information to have.

Re: I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.

Posted by: luckytyphlosion
Date: 2018-07-30 12:24:00
Terribly sorry for being inactive here, as I don't normally check messages here. I'll PM you my Discord handle where you can contact me there.

Re: I can't understand how luckytyphlosion's Crystal ACE setup is supposed to work.

Posted by: tstwizby
Date: 2018-07-31 19:57:34
Don't worry about it! Thanks for the info. Discord isn't something I've used before, but enough things seem to have moved to it that I'll go ahead and try it out. It will likely be a day or two before I'm comfortable enough with it to actually use it, though.