Metarkrai

Gen III ACE : Summary

Oct 28th, 2016
--~~ Gen III ACE : Main summary for Arbitrary Code Execution ~~--


- Table of contents -
I) The ACE Glitch Move
II) The Bootstrap Pokémon
II.1) Bootstrap Pokémon towards PC Items/Pyramid Bag Items
II.2) Bootstrap Pokémon towards PC Pokémon Data
III) Writing a code with PC Items
III.1) Obtaining every Item
III.2) Changing the quantity of a PC Item
IV) Storing a piece of Code in PC Pokémon data
V) The DMA pattern check
VI) Overall process
VI.1) Overall process for PC Items ACE
VI.2) Overall process for PC Pokémon Data ACE
VII) Overall preparations
VII.1) Overall preparations for PC Items ACE
VII.2) Overall preparations for PC Pokémon Data ACE

- Summary -
Arbitrary Code Execution on Gen 3 is completely doable on cartridge, and relies on many techniques derived from the Pomeg Glitch or from other in-game elements.
Thus, several written procedures exist to cover all the steps required to perform ACE.
Since all these steps take some time and use various techniques (you don't need to understand them to do them well), you may start to get confused about what you need to do or about the purpose of the step you are doing.

This paste is here to explain more generally how the pieces of the puzzle are tied together, and how they allow you to perform ACE in the end.
I will not go over every little thing, because this would just make things too long.



I) The ACE Glitch Move
The current way to perform Arbitrary Code Execution on Gen 3 is to use the animation of a Glitch Move.

When the game must play the animation of a move, it looks up in a table the address where the animation script of that move is stored. This address is called the Move Animation Pointer.
Certain Glitch Moves happen to have a Move Animation Pointer that points to an address inside PC Pokémon data, and at least one of them is usable in battle (more than 0 PP, more than 0 accuracy, a name that is not too long, a non-glitch effect).
Such a Glitch Move is called an ACE Glitch Move.

The Move Animation procedure has a command that makes it execute code at an address given in the animation script.
Thus, if we manipulate the data of a PC Pokémon so that it stores the command telling the Move Animation procedure "go execute code at this address", we can execute code.

II) The Bootstrap Pokémon
It is indeed possible to manipulate the data of a PC Pokémon and store that command.
A Pokémon whose data was manipulated to store the "go execute code at this address" command is called a Bootstrap Pokémon.

Since the two main ways to manipulate a sequence of hexadecimal values are with PC Items (identifier and quantity) and with Pokémon data, the "address" mentioned in the Bootstrap Pokémon data will either be the address of PC Item #1 or an address in PC Pokémon data.
You will need a different Bootstrap Pokémon to cover each case: a Bootstrap Pokémon towards PC Items, and a Bootstrap Pokémon towards PC Pokémon Data.
Furthermore, the Bootstrap Pokémon differ depending on your version (Emerald non-JP | Emerald JP | FrLg non-JP | FrLg JP), since the relevant addresses are not the same in each version.

Because most of a Pokémon's data is encrypted, we need to use an in-game traded Pokémon (whose PID and Trainer ID, and therefore its encryption key, are known in advance) to create a Bootstrap Pokémon.
A Bootstrap Pokémon will be created from an in-game traded Horsea, with EV-training, two double corruptions, some Pokéblocks and a Glitch Item.

Once a Bootstrap Pokémon is made, you can store it in the PC until you want to perform ACE. You will then need to place the right Bootstrap Pokémon in the right PC slot to make things work.
The Bootstrap Pokémon will also be an Egg, which conveniently allows you to do all the preparations on one version before trading all the Pokémon/Eggs to another version.


II.1) Bootstrap Pokémon towards PC Items/Pyramid Bag Items
Since it is easy to manipulate PC Items and Pyramid Bag Items, Bootstrap Pokémon towards PC Items/Pyramid Bag Items are used to execute short codes that can easily be written with PC Items.

If you only want to execute 2-3 codes that are quite different, you will only need this Bootstrap Pokémon.
For example, if you only want to unlock Faraway Island/Birth Island/Navel Rock, get event dolls, change the Altering Cave Pokémon, see Mirage Island, get another starter, ... you can do that with short codes stored in the PC or in the Pyramid Bag.


II.2) Bootstrap Pokémon towards PC Pokémon Data
For long codes, the main part of the code will be stored in PC Pokémon data. Thus the Bootstrap Pokémon towards PC Pokémon Data will be used.

One type of code that uses this idea is a code that calls the function that manages overworld scripts, and then uses this function to execute a script (give a Pokémon, hatch an Egg, warp the player to another map, unlock an event island, start a battle, launch the credits, ...).
The main part of the code (calling the function that manages overworld scripts) is stored in PC Pokémon data.
Then, the overworld script to execute (e.g. get back the Battle Frontier party, warp to the Safari Zone, trigger the credits) is written with PC Items. (Only a few PC Items are needed.)

When you want to execute different overworld scripts, you only need to change the PC Items; the part of the code stored in PC Pokémon data doesn't need to be changed.
This way, you can execute many codes that rely on overworld scripts just by changing a smaller part of the code.

If you want to warp to the Safari Zone, shiny hunt in the Battle Factory, ... you will need to use this Bootstrap Pokémon (and the first one too).


III) Writing a code with PC Items
III.1) Obtaining every Item
To write a code with PC Items, we need to manipulate the identifier and the quantity of the PC Items in question.

Every Item identifier can be obtained with the Pomeg Glitch.
For that, a Smeargle with a specific PID (personality value) will be caught. It will learn certain moves, then receive a very specific amount of EVs (the Def and Speed EVs determine the identifier of the Item that will be obtained).
This Smeargle will also be nicknamed so that you know which Item will be obtained from it.
Then, this Smeargle will go through a double corruption, and the Item will be obtained.
As Glitch Items all have the same name, giving a nickname to each Smeargle is important to remember the identifier of the Item it is holding.

Every Item except Rare Items and Item 0x0000 can be stored in the PC.

III.2) Changing the quantity of a PC Item
Once we have stored an Item with a specific identifier in the PC, we need to manipulate its quantity.
If the needed quantity is lower than 99, we can use a Cloning Glitch Pokémon to clone the Item as many times as needed.
If the needed quantity is higher than 100 (or way, way higher), we will need to use the Pomeg Glitch (or a technique derived from it) to corrupt the quantity of the PC Item and raise it to a very high value.

In FrLg, a Pomeg Glitch is used to corrupt the quantity of a PC Item.
In Emerald, an easier procedure is done with a Glitch Pokémon that has a very specific species name (such a Glitch Pokémon is called a Duplication Glitch Pokémon, but I will not go into more detail about that).

Since we want a sequence of Items with specific identifiers and specific quantities, these procedures must preserve the quantity of every Item that has already been placed in the PC.
Since every Glitch Item has the same name, we also need to keep track of the Glitch Item that we are currently duplicating.

Thus, these procedures involve placing a specific list of Items in the PC (a specific structure of Items), and then adding every Item needed for the Code Execution one by one.
Each time an Item for the Code Execution is deposited in the PC, its quantity will be changed. Then it will be moved to a specific spot, and only after that will the next Item be deposited.

Once a Code has been written with PC Items, it is quite easy to change a certain part of it (if you want to write a code that only differs by one or two PC Items) or to remove it completely.


IV) Storing a piece of Code in PC Pokémon data
It is useful to break long codes into shorter parts that can be stored more easily in PC Pokémon data (and PC Items).
If the part of the Code to store is very tiny, giving certain EVs to an in-game traded Seedot will be enough.

If the part of the Code to store is not very tiny, then we will not be able to manipulate the Pokémon's data directly to write that part of the Code.
To overcome this, we will store the long part somewhere else (mainly in Pyramid Bag Items), then perform a Code Execution that copies that part into the data of a PC Pokémon.
With such "tiny" code executions we can write all the parts of the long code we want into PC Pokémon data, and then execute it.

The Pokémon that will receive this part of code in its data is chosen beforehand so that the corruption yields an Egg (which can be traded) and not a Bad Egg (which can't be traded).

As of now, this strategy only needs to be done once (if you want to call the function that manages overworld scripts), so it is not that tedious.


V) The DMA pattern check
DMA stands for "Dynamic Memory Allocation", the glitch community's name for an anti-cheating mechanism that Game Freak introduced in Emerald and FrLg (it has nothing to do with the GBA's hardware DMA).
Basically, the DMA is an algorithm that takes a big part of RAM data and shifts it slightly in memory. The E/Fr/Lg DMA has 32 different possible patterns, which means 32 possible addresses for a value affected by it.
Since the Bootstrap Pokémon hard-codes one such address (for PC Item #1 or for a PC Pokémon's data), the code is only read from the right place under the one DMA pattern that address was computed for.
And you have no direct clue to tell which one of the 32 DMA patterns you have in front of you.
Furthermore, the DMA is triggered very often in game (when you close the party/Bag, when you enter a building, when you start a battle, ...), and it relies on too many variables to be predicted with RNG.

It is possible to check whether a certain DMA pattern is in effect during a battle by using a certain graphical effect that occurs when you perform Pomeg Glitch Data Corruption/Glitzer Popping (the red highlight of the first party slot).
By placing specific Pokémon in specific PC slots in Box 2 and then performing a Glitzer Popping, you can quite easily tell whether the current DMA pattern is the one you want.
Then, if the current DMA pattern is the one you are looking for (which has a 1/32 chance to happen), you can perform the Arbitrary Code Execution by using the ACE Glitch Move.

Since the DMA also runs at the end of a battle, and since overworld scripts are only executed at the end of a battle (and after the DMA), the ACE used to execute overworld scripts (warp to the Safari Zone, trigger the credits, ...) needs an extra piece of code to get around this issue.
This kind of code especially needs to be stored in PC Pokémon data rather than in PC Items.


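The following Python script is an added example (it is not part of Metarkrai's paste, nor a tool used by the procedures it refers to) that models in code what sections III and V say in words: how a code fragment is split across PC Item slots (section III), how the Def/Speed EVs given to a Smeargle fix the Item identifier it yields (III.1), and why a Bootstrap Pokémon that hard-codes the address of PC Item #1 only reads the intended bytes under 1 of the 32 DMA patterns (section V). Beyond what the page states, it assumes that a PC Item slot is stored as a 16-bit identifier followed by a 16-bit quantity in little-endian order, that the DMA shift moves the block in 4-byte steps, and that after the double corruption the Def EV lands in the low byte and the Speed EV in the high byte of the held-item field. The Thumb fragment, the expected offset of 40 and the zero-filled RAM around the Items are constructed for the demonstration.

```python
"""Added example: PC Item encoding, Smeargle EVs and the DMA alignment problem.

Not from the original paste. Assumptions beyond what the page states:
  * a PC Item slot is 4 bytes: u16 item ID then u16 quantity, little-endian;
  * the DMA shift is a multiple of 4 bytes in 0..124 (32 patterns, as on the page);
  * after the double corruption the Def EV is the low byte and the Speed EV the
    high byte of the held-item identifier;
  * SAMPLE_CODE is a constructed Thumb fragment, not a real payload.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SLOT_SIZE = 4
CLONE_MAX_QTY = 99      # page: quantities up to about 99 are reached by cloning
DMA_PATTERNS = 32       # page: 32 possible DMA patterns
DMA_STEP = 4            # assumption: the block moves in 4-byte steps

# Constructed Thumb fragment: push {r4,lr}; movs r0,#1; pop {r4,pc}; nop
SAMPLE_CODE = bytes.fromhex("10b5012010bdc046")


@dataclass(frozen=True)
class ItemSlot:
    item_id: int
    quantity: int

    @property
    def nickname(self) -> str:
        """Glitch Items share one name, so the Smeargle that yields this Item
        is nicknamed after the identifier (hex here) to keep track of it."""
        return f"{self.item_id:04X}"

    @property
    def quantity_method(self) -> str:
        """Cloning covers small quantities; larger ones need quantity corruption
        (Pomeg Glitch in FrLg, the Duplication Glitch Pokémon in Emerald)."""
        return "clone" if self.quantity <= CLONE_MAX_QTY else "corrupt"


def code_to_slots(code: bytes) -> list[ItemSlot]:
    """Split little-endian code into (item ID, quantity) pairs, one per PC slot."""
    if len(code) % SLOT_SIZE:
        raise ValueError("pad the code to a multiple of 4 bytes (e.g. with a Thumb nop)")
    return [ItemSlot(*struct.unpack_from("<HH", code, off))
            for off in range(0, len(code), SLOT_SIZE)]


def slots_to_code(slots: list[ItemSlot]) -> bytes:
    """Inverse of code_to_slots: the bytes the CPU sees when it reads the slots."""
    return b"".join(struct.pack("<HH", s.item_id, s.quantity) for s in slots)


def check_slots(slots: list[ItemSlot]) -> list[str]:
    """Constraint stated on the page: Item 0x0000 cannot be deposited in the PC."""
    return [f"slot {i}: item 0x0000 cannot be stored in the PC"
            for i, s in enumerate(slots, start=1) if s.item_id == 0]


def evs_for_item(item_id: int) -> tuple[int, int]:
    """(Def EV, Speed EV) to give the Smeargle so the corrupted held Item is item_id
    (assumed byte order, see module docstring)."""
    if not 0 <= item_id <= 0xFFFF:
        raise ValueError("item identifiers are 16-bit")
    return item_id & 0xFF, item_id >> 8


def dma_offsets() -> list[int]:
    """The 32 possible shifts of the DMA-moved block, relative to its base."""
    return [i * DMA_STEP for i in range(DMA_PATTERNS)]


def bytes_read_by_bootstrap(code: bytes, actual_offset: int, expected_offset: int) -> bytes:
    """The Items really sit at base+actual_offset, but the Bootstrap Pokémon reads
    from base+expected_offset. Returns what would be executed. RAM outside the
    Item block is modelled as zeros (constructed)."""
    ram = bytearray(DMA_STEP * (DMA_PATTERNS - 1) + len(code))
    ram[actual_offset:actual_offset + len(code)] = code
    return bytes(ram[expected_offset:expected_offset + len(code)])


def matching_patterns(code: bytes, expected_offset: int) -> int:
    """How many of the 32 patterns make the bootstrap read the intended code."""
    return sum(bytes_read_by_bootstrap(code, off, expected_offset) == code
               for off in dma_offsets())


if __name__ == "__main__":
    slots = code_to_slots(SAMPLE_CODE)
    for i, s in enumerate(slots, start=1):
        d, sp = evs_for_item(s.item_id)
        print(f"PC Item #{i}: ID {s.nickname} (Smeargle Def EV {d}, Speed EV {sp}), "
              f"quantity {s.quantity} via {s.quantity_method}")
    print("problems:", check_slots(slots) or "none")
    print("patterns that execute the intended code:",
          matching_patterns(SAMPLE_CODE, 40), "of", DMA_PATTERNS)
```

Run it directly to print the deposit plan for the sample fragment: every quantity above 99 is one you would have to reach by quantity corruption rather than cloning, and the last line shows that only one DMA pattern makes the Bootstrap Pokémon's hard-coded address line up with the Items, which is exactly why the pattern check (and the reset-and-retry loop around it) is needed before using the ACE Glitch Move.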
VI) Overall process
Now that all the steps of the Arbitrary Code Execution have been introduced, let me put them back in order.
This way, you will see how things go when an ACE is done in Gen III.

- Set up everything (see VII).
Turn "Battle animations" on, and have a party set up for Pomeg Glitch Data Corruption/Glitzer Popping.
- Save.
- Start a wild battle and perform the DMA pattern check.
If the DMA pattern is wrong, reset and try again.
If the DMA pattern is right (1/32 chance), use a Revive and send the Pokémon with the ACE Glitch Move into battle.
- Use the ACE Glitch Move. (In FrLg you need to try multiple times until the move hits.)
- The game wants to display the animation of the ACE Glitch Move.
The game looks up in the ROM the address of the move's animation.
The game reads the data stored at this address, and ends up reading the Bootstrap Pokémon's data (because of the choice of the ACE Glitch Move).
The Bootstrap Pokémon's data tells the game that, for the move's animation, it must treat everything it reads next as code, and that it must go read that data from another specific address (the address of PC Item #1, of Pyramid Bag Item #1, or of a PC Pokémon's data).
The game reads the data from the PC Items/Pyramid Bag Items/PC Pokémon, interprets it as code, and executes it.
(Thanks to the specific DMA pattern, every piece of code was at the address the Bootstrap Pokémon expected.)
- The code is executed.
You can now end the battle and enjoy the results of the code (Navel Rock unlocked, Birth Island unlocked, Legendary re-obtainable, TID/SID changed, Altering Cave Pokémon changed, roamer re-huntable, ...).

VII) Overall preparations
VII.1) Overall preparations for PC Items ACE

- ACE Glitch Move:
Use a double corruption to obtain a Pokémon with the ACE Glitch Move.
If you want to get the ACE Glitch Move on different versions, either trade it in the wireless room or trade an Egg of the Pokémon that knows the ACE Glitch Move. (See Notes)
- DMA pattern check:
Use specific in-game traded Pokémon/Smeargle, and clone them.
When everything else is ready, place them in specific slots of Box 2.
Refer to the separate paste to see which graphical glitches tell you whether you have the right DMA pattern or not. (1/32 chance)
- Obtain every PC Item:
Use double corruptions to obtain them. (See Notes)
- Duplicate a PC Item:
Deposit a list of Items in the PC in a certain order.
(Emerald) Use a Glitch Pokémon and the Lilycove Poké Fan Club journalist to corrupt the quantity of a specific PC Item. (1/32 chance per duplication)
(Fr/Lg) Use a Glitzer Popping to corrupt the quantity of a specific PC Item. (1/16 chance per duplication)
- Obtain a Bootstrap Pokémon:
Train an in-game traded Pokémon.
Double-corrupt it, train it again.
Double-corrupt it again, train it again.
Corrupt it once more to turn it into an Egg. [..]
- Deposit Items in the Pyramid Bag: See Notes


VII.2) Overall preparations for PC Pokémon Data ACE
[...]