Guides:Mail Writer GS (JP)

From Glitch City Wiki


WARNING: This portion of the guide is outdated; its contents have been merged with the main setup articles. It is only kept for legacy purposes. You can find all up-to-date guides on the TimoVM's Gen 2 ACE setups article.

This is a guide on how to execute and/or exploit a glitch. For a more technical overview of the glitch involved, see Mail writer.

The Mail writer is an arbitrary code execution program that allows the user to quickly and accurately write and execute arbitrary code payloads of up to 428 bytes. Payloads are written from wOtPartyCount onward, where enemy trainers' parties are usually buffered.

This guide is applicable to the Japanese versions of Gold & Silver only. It is part of the TimoVM's Gen 2 ACE setups set of guides.

Using the Mail writer requires an ACE setup, such as the one described here, that redirects execution to the start of box names.

If you encounter any issues when going through this guide or would like to provide feedback, please contact TimoVM on the Glitch City Research Institute Discord.

How the mail writer works

Upon execution, the Mail writer will open the mail character entry screen where the player can write up to 32 different characters. After the player has confirmed the mail, the following actions take place:

  • The Mail writer will take pairs of characters and convert them into a single combined value. These values are then sequentially written, converting the 32 letter mail into a 16 byte long line of code.
  • Next, the Mail writer will display a checksum calculated from the combined value of all written bytes for the player to verify. Then the program enters a waiting state where the player can choose to write another mail, go back and correct previously written values, or stop the mail writer and execute the newly written payload.
  • If the player has chosen to write a new mail, the Mail writer will open a new mail entry screen. The new mail is then also converted into a 16 byte long line of code and placed right after the code written by the previous mail(s), allowing the player to write arbitrarily long payloads.

Installation

For the Japanese versions of Gold & Silver, the mail writer can easily be installed as a set of box name codes. Write the following box codes, then use wrong pocket TM17 ACE:


Using the Mail writer

The mail writer will open a screen that asks you to write the contents of a mail. This is where you'll need to enter mail codes. Once done, use the "END" option to finish the mail.

This will cause the mail writer to convert the newly written code into assembly. It will also print a checksum (sum of all written values) on the lower left corner of the screen. This can be used to verify if a code was entered correctly.

Assembly can easily be converted to mail codes using TimoVM's MailConverter. Simply paste the assembly of the code you wish to enter here, press "run" and the converter will automatically generate mail codes requiring the least amount of button presses to write.

Controls

Between entering mail codes, the mail writer will ask for user input.

  • Press A to open a new mail and continue writing data.
  • Press B to immediately jump to and start executing the newly written program. Only use this when you've finished every mail.
  • Press any other button to go back one byte at a time to correct errors. If the printed checksum doesn't match the expected checksum, press DOWN 16 times to retry the last mail. This will also overwrite the printed checksum with the value at the currently selected address, giving you a method to check how far back you're going.

What to do with the Mail writer

The Mail writer allows you to easily write and execute arbitrary payloads. Aside from writing your own codes, we recommend the following:

  • Mail codes: this page contains a collection of assembly for mail codes that can be used for a variety of common purposes such as editing pokémon, obtaining items, etc.
  • RAM writer: (recommended for more experienced users) this page contains the assembly for a large one-size-fits-all program that allows you to edit any value in RAM with a user-friendly GUI. It will also fix the side effects of the ACE setup when you first run it.

Appendix: in-depth explanation of the setup

Effect of the box name code

Converting the box name code to assembly results in the following code:

Box 1: $D8B2
11 C6 DC	ld de, $DCC6
D5		push de
D5		push de		; .newMail
0E AE		ld c, $AE	; c = $AE
3E 50		ld a, $50	; a = $50

Box 2: $D8BB
D5		push de
C6 10		add a, $10	; a = $60
47		ld b, a		; bc = $60AE
C5		push bc
C6 A4		add a, $A4	; a = $04
42		ld b, d
50		ld d, b

Box 3: $D8C4
E1		pop hl		; hl = $60AE
CF		rst $08		; Farcall _ComposeMailMessage (a:hl = 04:60AE)
D1		pop de
E1		pop hl		; Set both hl and de to the start of the newly written mail
2A		ldi a, (hl)	; .loop
B7		or a, a
B7		or a, a
D6 50		sub $50

Box 4: $D8CD
28 12		jr z, .terminator
30 05		jr nc, .character
2A		ldi a, (hl)	; If terminator, escape loop. if newline, get new value for a and continue
B7		or a, a
B7		or a, a
D6 50		sub $50		; Ensures that new character will result in the same value when combined with the next

Box 5: $D8D6
86		add (hl)	; .character
12		ld (de), a
13		inc de
80		add a, b
47		ld b, a		; Responsible for generating checksum
12		ld (de), a
2A		ldi a, (hl)	; inc hl is not available, so this will have to do
E6 50		and $50		; Ensures that carry flag is not set

Box 6: $D8DF
30 E7		jr nc, .loop
0C		inc c		; .terminator, _ComposeMailMessage sets bc to 0000, so c = 01 after this part
26 C4		ld h, $C4
2E F4		ld l, $F4	; hl = $C4F4, bottom left screen tile
06 50		ld b, $50	; Ensures that b is consistent for the next call

Box 7: $D8E8
1A		ld a, (de)
CD 3A 33	call PrintBCDNumber.loop + 01h	; PrintBCDNumber.loop itself can't be reached, so we skip forward one byte.
26 1B		ld h, $1B	; .errorCorrection
1B		dec de		; Calling PrintBCDNumber.loop with c = 01 advances de by 1.
2E 50		ld l, $50	; hl = $1B50

Box 8: $D8F1
29		add hl, hl	; hl = $36A0
2E F4		ld l, $F4	; hl = $36F4 (address of JoyTextDelay_ForcehJoyDown)
CF		rst $08		; Farcall JoyTextDelay_ForcehJoyDown	set a = current button state
B7		or a, a		; Are any buttons pressed? if not, ask for new button states
28 E9		jr z, .terminator
42		ld b, d
50		ld d, b

Box 9: $D8FA
0F		rrca		; Is the a button pressed? If yes, start a new mail
DA B6 D8	jp c, .newMail
0F		rrca		; Is the b button pressed? If yes, return and execute newly written program.
D8		ret c		; If not, another button was pressed, so decrement de to allow user to correct errors
30 EA		jr nc, .errorCorrection
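
The conversion loop from the listing above (.loop / .character), modelled in Python as an added example; it is not part of the original guide and is not TimoVM's MailConverter. It assumes the checksum register starts at 0 for each mail, as the listing's comment on _ComposeMailMessage suggests, and SAMPLE_TYPEABLE is a constructed stand-in for the characters the mail screen can actually enter.

```python
TERMINATOR = 0x50                      # listing: sub $50 / jr z, .terminator
SAMPLE_TYPEABLE = range(0x80, 0x100)   # constructed set, NOT the game's real table

def convert_mail(chars):
    """Model of .loop: chars is a list of character codes ending in TERMINATOR.
    Returns (bytes written, checksum shown on screen)."""
    out, checksum, i = bytearray(), 0, 0
    while True:
        first = chars[i]
        if first == TERMINATOR:            # jr z, .terminator
            return bytes(out), checksum
        if first < TERMINATOR:             # carry set: line break, read the next character
            i += 1
            first = chars[i]
        second = chars[i + 1]
        if TERMINATOR in (first, second):
            # The real loop does not re-check here and would run past the mail.
            raise ValueError("unpaired character before terminator")
        value = (first - 0x50 + second) & 0xFF   # sub $50 ; add (hl)
        out.append(value)                        # ld (de), a ; inc de
        checksum = (checksum + value) & 0xFF     # add a, b ; ld b, a
        i += 2

def encode_byte(target, typeable=SAMPLE_TYPEABLE):
    """Find one character pair that combines to target, or None if the
    typeable set cannot reach it. No attempt is made to minimise button presses."""
    for first in typeable:
        if first <= TERMINATOR:            # would be read as terminator or line break
            continue
        second = (target - (first - 0x50)) & 0xFF
        if second in typeable and second != TERMINATOR:
            return first, second
    return None

def encode_mail(payload, typeable=SAMPLE_TYPEABLE):
    """Encode up to 16 payload bytes (32 characters) as one terminated mail."""
    if len(payload) > 16:
        raise ValueError("one mail holds at most 16 bytes")
    chars = []
    for byte in payload:
        pair = encode_byte(byte, typeable)
        if pair is None:
            raise ValueError(f"byte ${byte:02X} not reachable with this character set")
        chars.extend(pair)
    return chars + [TERMINATOR]

if __name__ == "__main__":
    mail = encode_mail(bytes([0x3E, 0x05, 0xC9, 0x00]))   # constructed payload bytes
    data, checksum = convert_mail(mail)
    print(data.hex(" "), f"checksum ${checksum:02X}")
```

Comparing the returned checksum with the value printed in the lower left corner is the same check the guide describes for catching a mistyped mail.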

Plain text transcripts of codes

Box 1: ヅ に わ ゆ ゆ ゾ ュ ぼ
Box 2: ゆ に ヂ ぺ な に ヨ プ
Box 3: ゅ ま む ゅ ご き き よ
Box 4: ぐ デ だ ガ ご き き よ
Box 5: キ デ ド ア ぺ デ ご ?
Box 6: だ ! ズ が と ぜ ォ ギ
Box 7: ビ ヘ ば で が ブ ブ ぜ
Box 8: げ ぜ ォ ま き ぐ ァ プ
Box 9: ダ れ か リ ダ リ だ ゥ