nmarkro

Crossover battle ACE

Mar 12th, 2021 (edited)
Better writeup can be found here: https://pastebin.com/1NDcK9z2

Example credits warp using crossover battle ACE
Requires a wireless adapter to access the crossover battle option on the main menu (on emulator just patch 0x08030867 to the value 0xE0)
Credits warp is possible in RTA: https://www.youtube.com/watch?v=Q48WKeKkk14
EXE5 Team Colonel only; uses the Knightman, KnightmanSP and KnightmanDS chips to execute script commands

You'll probably need a basic understanding of this to follow: https://pastebin.com/WUrekERW

tl;dr: we're using a JP-exclusive glitch to access an area past a cutscene trigger
there we can talk to a dummy NPC with an invalid script pointer and start running manipulable parts of memory as script commands
eventually we are able to get our darksoul AI, current hp, max hp, and karma values executed as script commands
the "call____" (FC 03 __) script command doesn't do any bounds checks on the function index you pass, and the table it uses to jump includes other values past what is expected, mostly addresses of various buffers and timers
one of the addresses you can jump to is just before the player's entered crossover battle name & description
this gives you 5 bytes + 11 bytes to work with, which is just barely enough for up to 3 ARM instructions
we can use other script commands to write payloads elsewhere in RAM, mainly in flags
flags are the only area I've found that lets you write arbitrary values that persist between battles, save/loads, resets, etc.

set up the script command "flagSetBuffered" with buffer 0xB5 ("EA 06 B5") to write an ARM payload in flags, using the 2-byte frames-since-power-on value as the flag_id
for this script command you'll need 1770 current hp, 1973 max hp, and 486 karma
this is just barely possible with 2 HP+500s if you give yourself max hpmems & 2 expand memories using other script command setups

buffer addr: 0x0200AE90, 2 bytes
flagSetBuffered writes to the byte at: 0x020029F8 + (flag_id >> 3)
talk to shadowman repeatedly to set 1 bit at a time

you can write anywhere between 0x020029F8 and 0x020049F7
you can only set bits, not clear them, so write in a free space
be careful what menus you open
if you write to your pack (which is after flags) and open your folder menu it'll mess with the flags you wrote

the downside of writing a payload to flags is you're setting 1 bit at a time using a frame counter
there's also a slight delay before you can talk to shadowman again, so setting consecutive bits will require hard resetting and setting up the script command again, or just waiting a little over 18 min for the 2-byte value to cycle through
for full-control ACE you would probably want to write the smallest payload possible in flags that allows faster writes by reading the joypad or something

example flag payload (for this example I will be writing it starting at 0x02003C00):
00 00 9F E5    ldr r0,[r15,0x0]
10 FF 2F E1    bx r0
15 57 00 08    .dw 0x08005715
0x08005714 is the credits function and it must be called in THUMB

in the crossover battle menu use the 2nd option to set your name to: "ざぉはむ" (0C 80 9F E5)
set your description to: "ぎわひヘxxxx", where xxxx is the address you want to jump to (08 F0 A0 E1 XX XX XX XX)
so for this example I would use "ドピブバ" (01 3C 04 02)
note: 0x00 is used as the string terminator
some values are impossible to write here due to the nature of the character map or something
for example the "bx/blx" instruction is impossible because 0x2F is not tied to a valid character
later this will be used as a payload starting at 0x0200B05C
example crossover battle payload:
0C 80 9F E5    ldr r8,[r15,0x0C]
...            ...
08 F0 A0 E1    mov r15,r8
01 3C 04 02    .dw 0x02043C01

update: this shorter payload should work too
08 F0 9F E5    ldr r15,[r15,0x08]
...            ...
01 3C 04 02    .dw 0x02043C01

Name: "ぎわはむ"
Description: "ドピブバ"

using that text entry menu writes a ton of junk in RAM that will mess up running the payload, so hard reset to clear key parts of RAM

enter the crossover battle menu again and choose the 1st option
entering this menu writes your name at 0x0200B05C and your description at 0x0200B06C, both converted to a different character map
probably boktai's if I had to guess
1 byte per character
back out and continue your game
set up the script command "FC 03 12" and talk to shadowman to run it
for this script command you'll need 1020 max or current hp; we don't need to terminate the script with karma
talk to shadowman; the game will jump to 0x0200B03C in ARM and eventually execute our crossover battle payload at 0x0200B05C, which will jump to our flag payload, calling the credits
ez credits warp
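The script below is an added example in Python (my own, not part of nmarkro's paste) that checks the two halves of this writeup offline. It lists which frames-since-power-on values (flag_ids) have to be hit to set each 1-bit of the example flag payload at 0x02003C00 using the 0x020029F8 + (flag_id >> 3) byte formula above, decodes the handful of ARM encodings the name/description and flag payloads use, and traces control flow from the name at 0x0200B05C through the description word to the credits function, for both the long and the updated short crossover payload. Everything beyond the paste is an assumption and is marked as such in the code: the bit within the byte is flag_id & 7 with bit 0 first; GBA EWRAM (256 KiB) is mirrored every 0x40000 bytes, which is why the .dw 0x02043C01 lands on the 0x02003C00 payload while avoiding the 0x00 byte that 0x02003C01 would contain in the description; the "..." words between name and description are harmless filler; and a `mov`/`ldr` into pc stays in ARM state on the ARM7TDMI while `bx` switches to Thumb when bit 0 is set.

```python
# Added example (not from the paste): checks the crossover-battle payload layout and the
# flagSetBuffered write primitive. Addresses and bytes are the writeup's; the EWRAM mirror
# size, the bit-within-byte order and "gap words are harmless" are my assumptions.

FLAG_BASE = 0x020029F8          # flagSetBuffered writes to FLAG_BASE + (flag_id >> 3)
FLAG_END = 0x020049F7           # highest byte a 16-bit flag_id can reach
NAME_ADDR = 0x0200B05C          # name lands here when the 1st crossover option is entered
DESC_ADDR = 0x0200B06C          # description lands here (NAME_ADDR + 0x10)
FLAG_PAYLOAD_ADDR = 0x02003C00  # where the writeup's example flag payload goes
EWRAM_BASE, EWRAM_MIRROR = 0x02000000, 0x40000  # assumption: 256 KiB EWRAM repeats every 0x40000

# byte strings constructed from the writeup's hex listings
FLAG_PAYLOAD = bytes.fromhex("00009FE5 10FF2FE1 15570008")  # ldr r0,[pc]; bx r0; .dw 0x08005715
LONG_NAME, LONG_DESC = bytes.fromhex("0C809FE5"), bytes.fromhex("08F0A0E1 013C0402")
SHORT_NAME, SHORT_DESC = bytes.fromhex("08F09FE5"), bytes.fromhex("013C0402")

def flag_ids_for_payload(addr, payload):
    """flag_id (frame counter) values that set each 1-bit of payload at addr: byte is
    FLAG_BASE + (flag_id >> 3) per the writeup, bit flag_id & 7 (bit 0 first) is assumed.
    Only 1-bits are listed because the primitive can set bits but never clear them."""
    if addr < FLAG_BASE or addr + len(payload) - 1 > FLAG_END:
        raise ValueError("payload falls outside the flag-reachable window")
    return [((addr + i - FLAG_BASE) << 3) | bit
            for i, byte in enumerate(payload) for bit in range(8) if (byte >> bit) & 1]

def has_terminator(data):
    """A 0x00 byte would end the string in the name/description entry menu."""
    return 0 in data

def ewram_canonical(addr):
    """Fold an EWRAM mirror (0x02xxxxxx) onto 0x02000000-0x0203FFFF; others unchanged."""
    if EWRAM_BASE <= addr < EWRAM_BASE + 0x01000000:
        return EWRAM_BASE + (addr - EWRAM_BASE) % EWRAM_MIRROR
    return addr

def decode_arm(word, addr):
    """Decode the few ARM (cond=AL) encodings the payloads use; pc reads as addr + 8."""
    if word >> 28 != 0xE:
        raise ValueError(f"{word:08X}: only AL-conditioned encodings are handled")
    if (word & 0x0FFFFFF0) == 0x012FFF10:                            # bx rm
        return {"op": "bx", "rm": word & 0xF, "text": f"bx r{word & 0xF}"}
    if (word >> 25) & 0b111 == 0b010:                                 # ldr/str, imm offset
        p, u, b, w, l = ((word >> s) & 1 for s in (24, 23, 22, 21, 20))
        rn, rd, imm = (word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xFFF
        if l and p and not b and not w:
            target = addr + 8 + (imm if u else -imm) if rn == 15 else None
            return {"op": "ldr", "rd": rd, "target": target, "text": f"ldr r{rd},[r{rn},0x{imm:X}]"}
    if (word >> 20) & 0xFF == 0x1A and (word & 0xFF0) == 0:          # mov rd,rm (no shift)
        rd, rm = (word >> 12) & 0xF, word & 0xF
        return {"op": "mov", "rd": rd, "rm": rm, "text": f"mov r{rd},r{rm}"}
    raise ValueError(f"{word:08X}: encoding not handled here")

def trace(mem, start, max_steps=32):
    """Step the listed words from start (mem: word address -> word). Addresses missing
    from mem are the paste's "..." gaps, assumed harmless filler. Returns
    (listing, final_pc, thumb) once control leaves the listed words."""
    regs, listing, pc, thumb = {}, [], start, False
    for _ in range(max_steps):
        if pc not in mem:
            listing.append(f"{pc:08X}: ...  (gap, assumed harmless)")
            pc += 4
            continue
        ins = decode_arm(mem[pc], pc)
        listing.append(f"{pc:08X}: {ins['text']}")
        new_pc = None
        if ins["op"] == "ldr":
            if ins["target"] not in mem:
                raise ValueError(f"ldr at {pc:08X} reads outside the listed words")
            regs[ins["rd"]] = mem[ins["target"]]
        elif ins["op"] == "mov":
            regs[ins["rd"]] = regs[ins["rm"]]
        else:                                   # bx: bit 0 of rm selects Thumb state
            thumb, new_pc = bool(regs[ins["rm"]] & 1), regs[ins["rm"]] & ~1
        if ins["op"] != "bx" and ins["rd"] == 15:
            new_pc = regs[15] & ~3              # ldr/mov to pc: stays ARM on ARM7TDMI (assumed)
        if new_pc is None:
            pc += 4
            continue
        pc = ewram_canonical(new_pc)
        if pc not in mem:                       # control left the payload for good
            return listing, pc, thumb
    raise RuntimeError("control never left the listed payload")

def run_example(short=False):
    """Lay out name, description and flag payload and trace the long or the updated
    short crossover payload through to the credits function."""
    name, desc = (SHORT_NAME, SHORT_DESC) if short else (LONG_NAME, LONG_DESC)
    if has_terminator(name) or has_terminator(desc):
        raise ValueError("name/description would be cut at the 0x00 terminator")
    mem = {}
    for base, data in ((NAME_ADDR, name), (DESC_ADDR, desc), (FLAG_PAYLOAD_ADDR, FLAG_PAYLOAD)):
        for off in range(0, len(data), 4):      # little-endian words, as the GBA stores them
            mem[base + off] = int.from_bytes(data[off:off + 4], "little")
    return trace(mem, NAME_ADDR)

if __name__ == "__main__":
    ids = flag_ids_for_payload(FLAG_PAYLOAD_ADDR, FLAG_PAYLOAD)
    print(f"{len(ids)} shadowman talks; first flag_id {ids[0]}, last {ids[-1]}")
    for short in (False, True):
        listing, final_pc, thumb = run_example(short)
        print(*listing, f"-> {final_pc:08X} {'THUMB' if thumb else 'ARM'}", "", sep="\n")
```

Run directly, it reports that the 12-byte flag payload needs 38 separate shadowman talks (one per set bit, starting at flag_id 36944), prints the traced listing for each crossover variant, and shows both of them ending at 0x08005714 in Thumb, matching the note above that the credits function must be called in THUMB. The terminator check is what turns 0x02003C01 into the mirrored 0x02043C01: the direct address would put a 0x00 into the description and be cut short.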