Arbitrary Code Execution, dayum !

ACE is almost putting you on the same level as the game developers ! Because you are controlling exactly what instructions the CPU is running.
And if that isn't total control over the Game Boy, I don't know what is, seriously.



How to perform ACE

As I said, there are sooo many ways of performing ACE on Pokémon Red, Blue and Yellow. However, ACE methods are different in Yellow, yet somewhat similar ; I will thus focus on Red & Blue.

In Pokémon Red and Blue, there exists a cool invalid item that's named 8F. Smart people will notice that you have already seen it : it's one of the floor choices in the Silph Co. elevator.
But, even though it exists as an item (since elevator floor choices are implemented as special item lists), you're never supposed to have it in your item pack !

The first thing is to obtain 8F. That's not quite that complicated, actually ! What you need to do is perform the Celadon Looping Map Trick and walk right (and down when needed) until you have a 8F in your bag.
Here is how to do this, just so that I mirror the information contained there :P
I also recommend that you save before doing this. Messing up can be usually fixed by resetting ; whenever you doubt you're doing it right, start over again.

  1. Set up your item pack as such :
    Item            Quantity
    Trash item #1   x[Any]
    Trash item #2   x[Any]
    Any item #1     x[Any]
    X Special       x1
    Any item #2     x[Any]
    Any item #3     x1
    CANCEL
  2. Encounter MissingNo to duplicate the item in the sixth inventory slot.
  3. Toss and/or use 2 of these items.
  4. Encounter MissingNo again.
  5. Get a Pokémon with either Fly, Dig or Teleport. Be careful with Fly : you also need Misty's Badge.
  6. Go to this spot east of Celadon City.
  7. Swap the third and sixth item slots ; the pack should look like this :
    Item            Quantity
    Trash item #1   x[Any]
    Trash item #2   x[Any]
    Any item #3     x255 (appears as [glitch blob]5)
    X Special       x1
    Any item #2     x[Any]
    Any item #1     x[Any]
    CANCEL
  8. Deposit all of the fifth and sixth items in the PC. You can also use them or toss them, that doesn't matter.
  9. Do the same with the first item slot, but three times (trust me, I know what I'm saying). The pack should look like this :
    Item            Quantity
    Any item #3     x255
    Any item #3     x255
    Any item #3     x255
    X Special       x1
    CANCEL
    However, you can't scroll past the second item slot, and pressing A on it closes the menu. If that's the case, you're on the right track. Otherwise, remember what I said : reset and start over again. You don't wanna mess up your save file.
  10. Now, deposit/use/toss 253 of the first item slot. To do this, select TOSS, then press Down four times, then confirm. You should have only two items in the first slot.
  11. Press SELECT on the first item slot, then on the second item slot. Repeat, and the pack should be :
    Item            Quantity
    Any item #3     x0 (yeah, that's a thing)
    X Special       x1
    CANCEL
    AND you should be able to scroll past the CANCEL, and through a bunch of glitched stuff.
    Congratulations on performing Dry Item Underflow ! You can save now.
  12. Press SELECT on the X Special x1, and begin to scroll down.
  13. At some point, the cursor might freeze and stop responding. If that happens, press B enough times that the problem goes away. Be careful not to mash the button, as closing the menu will require you to press SELECT again on the X Special... and you'll have to start all over again.
  14. Once you stumble on a Nugget x1, press SELECT on it to swap it with the X Special. To facilitate things later, don't move the cursor.
  15. Close all menus, and begin walking right. You can also walk up or down when you need it, it's not an issue at all. It's horizontal movement that matters.
  16. You will enter Celadon City again, but from the left. It will also be devoid of any NPCs, warps and text. Open your ITEM menu regularly until you see a "8F" item on your cursor. If the quantity is "x0", walk one more step right to have it become "x1".
    The sequence of items that will appear before 8F will be 1F, 2F, 3F, etc. If you have 9F, 10F, 11F, etc., walk left a few steps until you have 8F.
  17. Once your ITEM cursor is over 8F, we need to get it out of this glitched zone. To do so, press SELECT on it, and begin scrolling up. Use B when the cursor stops responding.
  18. When you find the Nugget x1 again, press SELECT on it to swap it with 8F. You're almost done ! You now need to use Fly, Dig or Teleport to go to any Pokémon Center.
  19. Go to any PC, and open the item storage system. Deposit 8F, then retrieve any item three times. Note that they will be lost ! You can retrieve, for example, Moon Stone x1 then Moon Stone x1 then Moon Stone x1. Yep, it'll work.
  20. You can then safely get 8F ! Hooray !

Now that you have 8F, you can try to USE it... but if the game doesn't crash, then you might as well drop reading this and go gamble for a bit. 8F isn't magical, so we need some setup to make it work. How do we do this ? By having a specific Pokémon party ! Read this article for some good and simple setups.
Advice : don't use any 3-Poké setup ! For technical reasons, this setup causes lotsa problems. Please, unless you know what you're doing, don't use it.

Now, if you use 8F... you will also almost certainly crash. "Again !?" I hear you say. Yep, but you're waaay closer to making 8F do whatever you want. You see, when you have a correct party setup, your bag items, starting from the third, are read by the CPU and interpreted as code ! Yes, you're basically writing code using your items. Pretty mind-blowing, huh ?
Well, now it's time to make it useful.

Making 8F useful

Ahhh... the part where we can play God.

8F's inner workings

I really recommend that you have some knowledge of the Game Boy's circuitry and CPU assembly.
How does 8F make this magic possible ? Why are the party setups needed, and how do they work ?
So many questions. And they all have answers !

8F is an item with identifier 5D. That's all ! That's all its magic : being an invalid item. Now, let's take a look at the routine called by the game when using an item.

ROM offset : D5C7
GB offset : ROM03:55C7

UseItem_:
	ld a,1
	ld [CD6A],a           ; initialise output to success value
	ld a,[CF91]           ; contains the ID of the item being used
	cp a,HM_01            ; HM_01 equals 196
	jp nc,ItemUseTMHM     ; TMs and HMs have a special script

	ld hl,ItemUsePtrTable ; base of the (item ID -> handler) pointer table
	dec a                 ; A = item ID - 1 (the table starts at item 1)
	add a                 ; A = 2 * (item ID - 1), each pointer is two bytes
	ld c,a                ; C = offset into the table
	ld b,0                ; BC = offset, widened to 16 bits
	add hl,bc             ; HL = address of the handler pointer. Nothing checks that the ID is inside the table !
	ld a,[hli]            ; A = low byte of the pointer, HL advances by one
	ld h,[hl]             ; H = high byte of the pointer
	ld l,a                ; HL = handler address
	jp [hl]               ; jump to the handler
ItemUsePtrTable has ROM offset D5E1, and GB offset ROM03:55E1. Let's follow what happens with CF91 containing 5D : what happens when using 8F.

The game doesn't jump to ItemUseTMHM, so :

	ld hl,ItemUsePtrTable ; HL = $55E1
	dec a                 ; A = $5C
	add a                 ; A = $B8
	ld c,a                ; C = $B8
	ld b,0                ; BC = $00B8
	add hl,bc             ; HL = $5699
At this point, we need to know what is at ROM03:5699. And this is where we were extremely lucky. Because at ROM03:5698 is a ld a,[$D163] instruction in the middle of the ItemUseBall routine. Its operand is stored little-endian, which means that ROM03:5699-569A contains the bytes $63 $D1 : the address $D163.
	ld a,[hli] ; A = $63, HL = $569A
	ld h,[hl]  ; H = $D1, so HL = $D19A
	ld l,a     ; HL = $D163
	jp [hl]    ; PC = $D163
The game actually read the operand of the "ld a,[addr]" instruction as if it were a table entry, and by sheer luck both are stored in the same little-endian two-byte format. Alleluia ! ACE.
And so CPU execution continues at $D163, where everything begins...
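To make the arithmetic above concrete, here is an added Python model of that dispatch (my example, not code from the page or from the game's disassembly). The addresses ($55E1, $5698, $D163), the HM_01 threshold and the item ID $5D come from the text above ; the ROM bank contents, the handler address for item 1 and the TABLE_ENTRIES count used by the bounds-checked variant are constructed assumptions. It runs the unchecked routine exactly as written, then shows the one check that would have made 8F a harmless "nothing happens" instead of a jump into RAM.

```python
# Added example, not code from the original page: a Python model of the
# UseItem_ dispatch shown above, with the bounds check it lacks bolted on.
# Addresses ($55E1, $5698, $D163) and item ID $5D come from the page; the
# ROM bank contents below are constructed stand-ins, not real game data.

ITEM_USE_PTR_TABLE = 0x55E1   # ROM03:55E1 (from the page)
HM_01 = 196                   # IDs >= HM_01 take the TM/HM path (from the page)
BANK_BASE = 0x4000            # switchable ROM bank window is $4000-$7FFF
BANK_SIZE = 0x4000

# Assumption used only by the hardened variant: how many (item -> handler)
# entries the table holds. Constructed value, not taken from the page.
TABLE_ENTRIES = 83


def build_bank3() -> bytearray:
    """Constructed stand-in for ROM bank 3; only the bytes the trace touches matter."""
    bank = bytearray(BANK_SIZE)
    # Constructed table entry for item ID 1 -> handler at $5A00 (little-endian).
    e = ITEM_USE_PTR_TABLE - BANK_BASE
    bank[e:e + 2] = (0x5A00).to_bytes(2, "little")
    # The quirk the page relies on: at ROM03:5698 sits `ld a,[$D163]`,
    # encoded as opcode $FA followed by the address little-endian ($63, $D1).
    q = 0x5698 - BANK_BASE
    bank[q:q + 3] = bytes([0xFA, 0x63, 0xD1])
    return bank


def read_word(bank: bytearray, addr: int) -> int:
    """16-bit little-endian read at a bank-window address (ld a,[hli] / ld h,[hl])."""
    off = addr - BANK_BASE
    return bank[off] | (bank[off + 1] << 8)


def use_item_unchecked(item_id: int, bank: bytearray) -> dict:
    """Mirror UseItem_ exactly: nothing checks that item_id indexes inside the table."""
    if item_id >= HM_01:                        # cp a,HM_01 / jp nc,ItemUseTMHM
        return {"path": "ItemUseTMHM"}
    a = (item_id - 1) & 0xFF                    # dec a
    a = (a * 2) & 0xFF                          # add a (8-bit, so the offset wraps at 256)
    hl = (ITEM_USE_PTR_TABLE + a) & 0xFFFF      # ld c,a / ld b,0 / add hl,bc
    target = read_word(bank, hl)                # ld a,[hli] / ld h,[hl] / ld l,a
    return {"path": "table", "hl": hl, "target": target}   # jp [hl] would go here


def use_item_checked(item_id: int, bank: bytearray) -> dict:
    """Same dispatch, but refuse IDs whose pointer would be read from past the table."""
    if item_id >= HM_01:
        return {"path": "ItemUseTMHM"}
    if not 1 <= item_id <= TABLE_ENTRIES:
        return {"path": "rejected", "reason": f"item ID {item_id:#04x} has no handler"}
    return use_item_unchecked(item_id, bank)


if __name__ == "__main__":
    bank = build_bank3()
    for item in (0x01, 0x5D):
        print(f"{item:#04x} unchecked -> {use_item_unchecked(item, bank)}")
        print(f"{item:#04x} checked   -> {use_item_checked(item, bank)}")
```

Run it and 8F ($5D) lands on HL = $5699 and a "handler" of $D163 in the unchecked model, exactly the trace above, while the checked variant turns the same ID away before any pointer is read. The 8-bit `add a` is worth noticing too : for IDs above 128 the offset wraps around, so even "valid-looking" large IDs index an unintended entry, which is why the check belongs on the ID and not on the computed address.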
