nmarkro

EXE5 credits warp using crossover battle ACE

Mar 15th, 2021 (edited)
Requires wireless adapter to access the crossover battle option on the main menu (on emulator just patch 0x08030867 to the value 0xE0)
EXE5 Team Colonel only, uses Knightman, KnightmanSP and KnightmanDS chips to execute script commands
Video: https://www.youtube.com/watch?v=Q48WKeKkk14

You'll probably need a basic understanding of the related ASE (arbitrary script execution) method we're using to trigger this: https://pastebin.com/WUrekERW

tl;dr is we're using a JP exclusive glitch to access an area past a cutscene trigger
there we can talk to a dummy NPC with an invalid script pointer and start running manipulable parts of memory as script commands
eventually we are able to call our darksoul ai, current hp, max hp, and karma as script commands
the "call____" (FC 03 __) script command doesn't do any bounds checks on the function index you pass, and the table it uses to jump includes other values past what is expected, mostly addresses to various buffers and timers
one of the addresses you can jump to is just before the player's entered crossover battle name & description
this gives you 5 bytes + 11 bytes to work with, which is just barely enough for up to 3 ARM instructions
some bytes are not possible to write using the crossover battle text entry
possible characters: https://pastebin.com/ZF6xHkdz

on the main menu choose the 3rd option to enter the crossover battle menu
if this is your first time in this menu you'll immediately be prompted to enter your name and description, otherwise choose the 2nd option to open this menu
Name: "ぞぞはむ"
Description: "へバうふケゆポよゃほげ"
10 10 9F E5
...
E1 02 88 E0
B9 E9 3F EA
81 E2 0A 00

ldr r1, [pc, 0x10]
...
add r0, r8, r1, ror 5
b 0300575C
.dw 0x000AE281

the credits function is located at 0x08005714 and is written in THUMB
when we jump to our crossover battle payload we'll be running in ARM, not THUMB
the "bx" instruction is the only way to change to THUMB from ARM
we can't directly write "bx" to the crossover buffers since the character 0x2F is not possible
luckily 0x0300575C has the instruction "bx r0", which we can easily jump to using only 1 instruction
we can't just do "ldr r0, [pc + ...]" to load the credits address because loading into r0 requires the byte 0x00, which is the string terminator
we can get around this with clever use of Op2 in the add instruction
0xAE281 ROR 5 = 0x08005714
(the credits function is located at 0x08005714)
r8 has the value 1 in it when we start running our payload, so we can use it to set the THUMB bit
so the add instruction basically does this
r0 = r8 + (r1 ROR 5)
r0 = 1 + (0xAE281 ROR 5)
r0 = 1 + 0x08005714
r0 = 0x08005715
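To check the three-instruction payload above without a debugger, here is an added Python decoder (not part of the original paste). It decodes the ARM words exactly as listed, using the buffer addresses the paste gives later (name at 0x0200B05C, description at 0x0200B06C) and r8 = 1 on entry, and confirms the ldr literal address, the ROR trick, the branch target, and that no typed byte is 0x00 or 0x2F.

```python
# Added example (not from the original paste): decode the three ARM words the
# paste lists and check the arithmetic it relies on. Buffer addresses are the
# ones the paste states (name at 0x0200B05C, description at 0x0200B06C).
NAME_ADDR, DESC_ADDR = 0x0200B05C, 0x0200B06C
CREDITS_FUNC, BX_R0_ADDR = 0x08005714, 0x0300575C
# Little-endian byte groups exactly as written on the page.
NAME_BYTES = bytes.fromhex("10109FE5")                      # ldr r1, [pc, 0x10]
DESC_BYTES = bytes.fromhex("E10288E0" "B9E93FEA" "81E20A")  # add / b / .dw (no terminator typed)
FORBIDDEN = {0x00, 0x2F}   # bytes the page says the text entry cannot produce

def ror32(value, amount):
    """ARM ROR on a 32-bit value."""
    amount %= 32
    value &= 0xFFFFFFFF
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def le_word(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")

def ldr_pc_literal(word, insn_addr):
    """ldr rd, [pc, #imm12] with U=1: the literal sits at insn_addr + 8 + imm12."""
    assert (word >> 25) & 7 == 0b010 and (word >> 16) & 0xF == 0xF and (word >> 23) & 1
    return insn_addr + 8 + (word & 0xFFF)

def branch_target(word, insn_addr):
    """b label: target = insn_addr + 8 + signext(imm24) * 4."""
    assert (word >> 25) & 7 == 0b101
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    return (insn_addr + 8 + imm24 * 4) & 0xFFFFFFFF

def add_reg_ror(word, regs):
    """ADD rd, rn, rm, ROR #sh (register Op2 with immediate rotate). Returns (rd, value)."""
    assert (word >> 25) & 7 == 0 and (word >> 21) & 0xF == 0b0100
    rn, rd, rm = (word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xF
    sh, shtype = (word >> 7) & 0x1F, (word >> 5) & 3
    assert shtype == 0b11, "only ROR is needed for this payload"
    return rd, (regs[rn] + ror32(regs[rm], sh)) & 0xFFFFFFFF

def trace_payload():
    """Walk the payload the way the CPU would and return the values that matter."""
    regs = {8: 1}   # r8 holds 1 on entry, as the paste states
    literal_addr = ldr_pc_literal(le_word(NAME_BYTES, 0), NAME_ADDR)
    # The literal is the 3 typed bytes plus the 0x00 string terminator after the description.
    regs[1] = le_word(DESC_BYTES + b"\x00", literal_addr - DESC_ADDR)
    rd, r0 = add_reg_ror(le_word(DESC_BYTES, 0), regs)
    target = branch_target(le_word(DESC_BYTES, 4), DESC_ADDR + 4)
    typeable = not ((FORBIDDEN & set(NAME_BYTES)) | (FORBIDDEN & set(DESC_BYTES)))
    return {"literal_addr": literal_addr, "r1": regs[1], "rd": rd, "r0": r0,
            "branch_target": target, "thumb_bit": r0 & 1, "typeable": typeable}
```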

using that text entry menu writes a ton of junk in RAM that will mess up running the payload so hard reset to clear key parts of RAM

enter the crossover battle menu again and choose the 1st option
entering this menu writes your name at 0x0200B05C and description at 0x0200B06C
back out and continue your game
set up the script command "FC 03 12" and talk to shadowman to run it
for this script command you'll need 1020 current hp, 1042 max hp, and valid karma (ex: 486)
ez credits warp

Thanks to Prof9 and luckytyphlosion for all their help and discoveries
Shoutouts to Kojima for making this all possible

===============================================================================================

so for RTA here's a rough outline of a route
if you use a dark chip at any point, start counting karma
https://forums.therockmanexezone.com/mmbn5-how-karma-works-t4332.html
***keep in mind exe5 has a unique glitch where the karma & hp loss functions are called twice if you run away from a battle***
if at any point you lose track of karma run from battles until mega man becomes light again, then your next dark chip will set you to exactly 480

during lotto codes get HP+50, HP+200, HP+300, HP+400
play the game normally up until the drill comp revisits during the shadowman scenario
before heading to oran isle get knightman, knightmanSP, and knightmanDS chips, and enough zenny to buy guardian (10500z from Oran shop)
***knightmanSP needs to be either 220 damage or 240 damage***
***if your knightmanSP is 220 damage grab Cannon * from MainComp 1 GMD***

do the drill comp revisits and when leaving oran isle jack into oran net
jack out past the cutscene trigger near where the shadowman npc is
head to scilab and trigger the clouds

jack in and head to oran and trigger the initial cutscene
grab the vacuum thing and go to the shop and buy guardian if you haven't already
backtrack to ACDC 3 and libwarp with 320 + (400+50) hp or 314 + (200) hp

use dark chips to drop to 308 maxHP (6 or 3 chip+run)
setup guardian darksoul ai combo
drop current hp to 244
raise karma to valid (486) by running away from fights and put in HP+300
setup knightman hand buffer with 244 currentHP, 608 maxHP, 486 karma
F4 00 60 02 E6 01
give_item(hpmem, 2)
end()
talk to shadowman a ton until you have max hpmems

put in HP+50
use dark chips to drop to 1042 maxHP (4 chip+run), while doing so get your currentHP to 1020
raise karma to valid (486) by running away from fights

save and soft reset
setup the crossover battle payload and hard reset after
enter the first option in the crossover battle menu and back out to load the payload in the buffer

continue and setup knightman hand buffer with 1020 currentHP, 1042 maxHP, 486 karma
FC 03 12 04 E6 01
call_func_0x12() *our crossover battle payload*
end()
talk to shadowman and credits warp