Glitch City Laboratories Forums

Lab γ: Video Games and Glitches Discussion => Pokémon Glitch Discussion => Generation III Glitch Discussion => Topic started by: luckytyphlosion on April 08, 2014, 10:20:44 pm

Title: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on April 08, 2014, 10:20:44 pm
So I was playing Emerald and messing around with the "access pokemon beyond the 6th slot glitch" when, while trying to switch to Bad EGGs, I somehow switched to my fainted Hariyama, I whited out, and when I checked my Pokemon Menu, all my Pokemon were still fainted, but my last Pokemon in the Menu was cloned! Sorry for the lack of details but I can't remember what exactly happened, but can anyone confirm or explain this?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 09, 2014, 03:43:01 pm
Very likely you've stumbled upon something noteworthy. For me, the glitch had great potential but I never managed to do anything major with it. While I'd love to celebrate the finding of a new important trick here, replicating this effect may prove difficult.

The detail of switching into a fainted Pokémon is a clear trigger in this instance, however. Did you have to pass by many Eggs/Decamarks in order to reach your Hariyama? Perhaps you could give a rough estimate of how many slots beyond the 6th you'd reached? It's very late now, but I'll give this a think over tomorrow and some tests and see where this gets me.

Immediately, my main hope is that a variant of this could be extrapolated to go further and distort party Pokémon into glitch data - though likely this is a pipe dream. :P

EDIT: Also, some extra information on your team itself might be helpful. For example, was it composed of any Eggs? How many fainted Pokémon? In particular, in what slot was your Hariyama at the time of the glitch? :)
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: pokechu22 on April 09, 2014, 04:42:55 pm
Not necessarily too relevant, but in FireRed I noticed you can have Decamarks that are also eggs.  Bad Decamarks.  Yay.

Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 09, 2014, 05:04:33 pm
I tried doing the glitch again, and after many tries it worked. What you have to do is scroll up after seeing the summary screen, instead of scrolling down to the half cancel button. However, I think it's based on luck since it took a long time to replicate, and there is a possibility that you need to find the Fainted Pokemon first try.

My Hariyama was the one that had negative hp, so it was in the front. When I was scrolling up, first there was a decamark, then a supposed Bad EGG (no switch screen), then many "regular" eggs, and then Bad EGGs and Decamarks. I had four fainted Pokemon, as you need so you can perform the glitch. I can't remember well how many spaces I went up because I was mashing the UP button, but I feel it was about 10-20 spaces.

What I think is that, sometimes, the glitched party data can take Pokemon data from other places (eg. once I found my Tropius in my box), so it could be that the game sometimes takes party data and puts it into the glitched party.

EDIT: Forgot to mention, after the whiteout your Pokemon are still fainted, like in the "Messing with the 7th Pokemon" Video.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 10, 2014, 12:39:40 am
Well, first off I can totally vouch for the validity of this glitch. After three tries yesterday, I was able to correctly attain the desired result twice in a row.  :D

For me, the Pokémon to switch into wasn't far from the Decamarks in the first slot. To give a guess, I'd say 4-8 spaces up.

However, as you've pointed out, there is likely a strong element of randomness here. For example, summary screens of all Eggs are developed differently each time, and as you've also noted, PC Pokémon will sometimes show up in summary screens (but with all stats in the 5 digits). Therefore, the correct switch option may only appear depending on luck.

I must disagree with you in that scrolling up is different to scrolling down: there never seems to be any difference in the options presented no matter which direction you've reached them from.

As a side-note, I would like to add also that the 'white Decamark' effect on the wild Pokémon can actually be triggered more easily. Instead of viewing the summary of the Pokémon 'inside the Poké ball' (I think you understand which I mean), you need only go as far as the 'Summary/Cancel' option, then return to battle.

Reviving a Pokémon and sending it out against the White Decamark causes the sent Pokémon to turn also into a White Decamark and the game freezes. I have not yet been able to test this in conjunction with your cloning effect, whereby the game may yield a different outcome (by switching out the current Pokémon first). I'm doubtful that may lead to anything, but it's worth testing.

Gotta say I'm impressed that the Pomeg glitch continues to deliver results. Great job on this find!  ;) Once I'm able to repeat the process a number of times, I'll have a good look for my camera and get a video up whenever possible.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 10, 2014, 03:03:23 pm
I assume the glitch party data comes from the next portion of data in RAM, but I don't know memory addresses for Emerald. It would certainly be helpful.
Although unrelated, I wanted to know what happens when a decamark gains exp. (Through use of Memento). Does anyone know?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 10, 2014, 03:20:45 pm
I know as little as it is possible to know about how the game functions. (With regard to addresses, hexes, flags, etc.) I interact with Pokémon only on its surface...

That being said, I have indeed tested Decamarks vs. Memento, and the conclusion is that Decamarks cannot ever gain experience points.  :)

Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 08:19:23 am
I decided to have a go at Emerald's glitch Pokémon beyond the sixth slot glitch for the first time using VBA. Unfortunately I couldn't replicate the cloning glitch, but I did some research.

I tracked 0203CED1 (switch cursor position) to see what the values are after performing certain steps:

1) Scrolling up immediately from 00 (current Decamark) will lead you to Cancel (07) and then if you scroll up from there, you'll get to the fourth Pokémon not in battle (04). If you scrolled down from there, you go back to 00. (other Decamarks not possible)

2) Scrolling down immediately from 00 will lead you to 01 (first Pokémon not in battle). Scroll down another four times and you get to Cancel (07). If you scroll up from there, you'll get to the fourth Pokémon not in battle (04). If you scrolled down from there, you go back to 00.  (other Decamarks not possible)

Notes for (1) and (2). It is not possible to view the sixth Pokémon with these step sets.

Viewing the summary of one of your four accessible valid Pokémon will make the shift screen work differently. It also lets you view the sixth Pokémon:

3) View the summary and go up, the cursor will go to 00 (current Decamark). Scroll up from there and you'll get to Cancel (07) but then scroll up again and you get to FF, and from there you can scroll to FE and lower values by going up.

4) View the summary and go down. This will take you to a half-lit Cancel button (06). If you go up, it leads you to FF and from there you can scroll to FE and lower values by going up. If you go down, it takes you to the normal Cancel (07). If you go up from there, you get to FF and from there FE, etc. by going up. If you go down after the aforementioned 07, you get back to your current Decamark (00) again.

So after testing, you go to FF when you reach the normal Cancel (07) or the half-lit Cancel button (06) and go up, after viewing the status of one of your Pokémon. If you didn't view a status, it goes to 04 (fourth Pokémon not in battle) instead.

EDIT: I have a request. Vae, since you've been having good luck with the cloning glitch, can you try it again and tell me exactly how many times you have to press up from the Cancel or half-lit Cancel button, please? I can look into the data for that glitch Pokémon and see what causes it to change.
EDIT 2: One more question, Vae: Were you using the US version of Emerald or another version like UK English? Apparently (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_III#Data Location), the starting offset for the Pokémon data structure is different between US versions and other versions, and this may mean you can't use the same Pokémon in any other, significantly different version.
EDIT 3: But actually, apparently North American and Australian versions are exactly the same (http://datomatic.no-intro.org/?page=show_record&s=23&n=1961). I wonder if anyone has dumped the UK version and found differences?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 12:05:16 pm
New discovery! The Pokémon at cursor position $ED (that's 19 up presses after Cancel or half-lit Cancel) has variable HP that is also used for data about the last position of Box 1. You can find $ED's HP using the equation 0x020244EC + (Pos.-1 * 0x64) + $56, so that's 0x020244EC + 0x5C30 + $56 = 0x0202A172. If you have a Pokémon in that box position, $ED's "HP values" are used as a section of the data in the Pokémon data substructures (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III) for that Pokémon.

It's more complicated than having the right Pokémon though, sadly. Once you've had a Pokémon in that position at least once during the game session, the values are 'randomized' every time you open and close the Pokémon menu or enter/exit Oldale Town's Pokémon Center and likely other warps. Furthermore, the values are randomized again just before battle starts.

At this point, getting a working Bad EGG is a matter of luck, but now we know we must have a Pokémon in the last position of box 1 with this particular slot. Also, I've noticed that even seemingly working HP values will cause the game to say "Bad EGG has no energy left to battle!" but use the code 0202A172:01, 0202A173:01, 0202A174:01, 0202A175:01 before battle and it will apparently always work. You will send out one of your Pokémon (probably always the first), get whited out and then your second to last Pokémon will be cloned! Note that using these codes will turn your last Box 1 Pokémon into a Bad EGG, though, because according to Bulbapedia, the game generates a checksum for all the values of the 'data' substructure and compares it to the value dictated by the checksum word.

Edit: Unfortunately when I set up the glitch again the game thinks $ED is an Egg and won't let me battle with it, as it says "An EGG can't battle!"
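
The checksum behaviour described in the post above, as an added example that is not part of the original thread or the game's own code: it shows why overwriting bytes inside the 'data' region flips a boxed Pokémon to a Bad EGG while bytes outside that region are not covered. The field offsets (personality value at 0, OT ID at 4, nickname at 8, checksum word at 28, 48-byte data region at 32) and the XOR key of personality value and OT ID are assumptions taken from the Bulbapedia structure pages linked in this thread; the record contents and the poked offsets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of an 80-byte boxed record (assumed from the linked Bulbapedia pages). */
enum {
    BOXMON_SIZE  = 80,
    OFF_PID      = 0,   /* personality value, 32 bits */
    OFF_OTID     = 4,   /* original trainer ID, 32 bits */
    OFF_NICKNAME = 8,   /* not covered by the checksum */
    OFF_CHECKSUM = 28,  /* 16-bit checksum word */
    OFF_DATA     = 32,  /* 48 bytes, stored XOR-encrypted */
    DATA_SIZE    = 48
};

/* Little-endian accessors (the GBA is little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Sum of the decrypted data region, 16 bits at a time, truncated to 16 bits. */
uint16_t data_checksum(const uint8_t *mon)
{
    uint32_t key = rd32(mon + OFF_PID) ^ rd32(mon + OFF_OTID);
    uint16_t sum = 0;
    for (unsigned i = 0; i < DATA_SIZE; i += 4) {
        uint32_t plain = rd32(mon + OFF_DATA + i) ^ key;
        sum = (uint16_t)(sum + (plain & 0xFFFFu) + (plain >> 16));
    }
    return sum;
}

/* The record is treated as a Bad EGG when the stored word disagrees. */
int is_bad_egg(const uint8_t *mon)
{
    return data_checksum(mon) != rd16(mon + OFF_CHECKSUM);
}

/* Constructed sample record: arbitrary IDs and filler data, valid checksum. */
void make_sample_mon(uint8_t *mon)
{
    memset(mon, 0, BOXMON_SIZE);
    wr32(mon + OFF_PID, 0x12345678u);
    wr32(mon + OFF_OTID, 0x0000A1B2u);
    uint32_t key = rd32(mon + OFF_PID) ^ rd32(mon + OFF_OTID);
    for (unsigned i = 0; i < DATA_SIZE; i += 4) {
        uint32_t plain = (i / 4 + 1) * 0x00010003u;  /* constructed filler */
        wr32(mon + OFF_DATA + i, plain ^ key);
    }
    wr16(mon + OFF_CHECKSUM, data_checksum(mon));
}

/* Emulates a run of "address:value" memory codes on the record. */
void poke(uint8_t *mon, unsigned offset, unsigned count, uint8_t value)
{
    memset(mon + offset, value, count);
}

int main(void)
{
    uint8_t mon[BOXMON_SIZE];

    make_sample_mon(mon);
    printf("fresh record:        bad egg = %d\n", is_bad_egg(mon));

    poke(mon, OFF_NICKNAME, 4, 0x01);      /* outside the checked region */
    printf("nickname overwritten: bad egg = %d\n", is_bad_egg(mon));

    poke(mon, OFF_DATA + 8, 4, 0x01);      /* four 01 bytes inside the data */
    printf("data overwritten:     bad egg = %d (stored %04X, computed %04X)\n",
           is_bad_egg(mon), (unsigned)rd16(mon + OFF_CHECKSUM),
           (unsigned)data_checksum(mon));
    return 0;
}
```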
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 17, 2014, 01:33:13 pm
I'll be looking into your findings in a little more depth later, but first I'll address your questions.  ;)

The amount of up-presses required varies each time, unfortunately. Since the point at which I replicated the effect twice in a row, the exact slot necessary to switch has seemed to change with every new attempt.

However, I have found - so far without exception - that constantly searching upwards through all possible options eventually will lead to the right one. This could range from 30 up-presses (sometimes less) to as far as 80 or so.

With regard to my version, mine is a European version (Irish, if that matters). I have also tested the glitch as a whole on my friend's Emerald on VBA. There, I found that the seventh Pokémon doesn't seem to be able to produce the same 'White Decamarks' effect as in mine. I don't know for sure, but I assume his would be a North American ROM.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 01:42:38 pm
Quote
The amount of up-presses required varies each time, unfortunately. Since the point at which I replicated the effect twice in a row, the exact slot necessary to switch has seemed to change with every new attempt.

However, I have found - so far without exception - that constantly searching upwards through all possible options eventually will lead to the right one. This could range from 30 up-presses (sometimes less) to as far as 80 or so.

OK thanks. That's unfortunate, but actually, if there are many Decamarks with the Shift option, you're probably bound to find one that has the right HP and isn't an Egg, eventually.

Quote
With regard to my version, mine is a European version (Irish, if that matters). I have also tested the glitch as a whole on my friend's Emerald on VBA. There, I found that the seventh Pokémon doesn't seem to be able to produce the same 'White Decamarks' effect as in mine. I don't know for sure, but I assume his would be a North American ROM.

Oh. What is the white Decamarks effect?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 17, 2014, 01:54:06 pm
The White Decamarks effect is produced by clicking on the icon of FF (whose name I know only just now thanks to you :P).

By going to its 'Summary/Cancel' option and then exiting, a wild Pokémon (the effect is never manifested in trainer battles, unfortunately) will have its sprite become that of a Decamarks with inverted colour scheme.

Reviving a Pokémon and sending it out against the White Decamarks causes a game freeze akin to that of óË {é Áî.

Throwing a Poké ball at the White Decamarks causes the result of the ball throw (Aw! The Pokémon appeared to be caught! etc) to be instantly displayed, while the ball will continue to wiggle. If the wild Pokémon proceeds to hit your Decamarks (00), its HP bar will display with ??/0. Glitched pixels will gradually build up on the screen over a 20-30 minute period.

If the wild Pokémon instead uses a non-attacking move such as Growl, a coloured circle will appear above the still-wiggling Poké ball, and you will then white out. However, none of your Pokémon will be healed, and at this point the glitch may be repeated.

I've explained it all in a poor quality, unenthusiastically narrated video here: https://www.youtube.com/watch?v=1rz7Nq04pFM
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 02:12:33 pm
Thanks. When I viewed the summary of position 255 nothing happened when I exited it. That's odd. If only things were more predictable...

Edit: Let me work out 255's starting address. OK, it's in Box 2, and part of position 21. Do you have a Pokémon there?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 17, 2014, 02:25:47 pm
I'm afraid I can't really help you there, as over time I've renamed all of my boxes and none of them have their original names. However, in response to your question, only one of them doesn't have a Pokémon in the 21st slot, so I'd have to say yes.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: voltage on April 17, 2014, 02:29:43 pm
Could this work in FRLG?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 17, 2014, 02:33:46 pm
I'll try it later, no problem, but the glitch Pokémon found in FR/LG through this glitch are very unexciting, producing no ill effects whatsoever.

Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 02:36:33 pm
Quote
I'm afraid I can't really help you there, as over time I've renamed all of my boxes and none of them have their original names. However, in response to your question, only one of them doesn't have a Pokémon in the 21st slot, so I'd have to say yes.

OK. For what it's worth I erased my 21st Pokémon in slot 2, saved and restarted. As expected, some data starting from 0x0202A824 (the start of FF's data structure) changed to 00, but apparently not all of it. I did voltage's glitch and this time I got a freeze when I viewed it (it was a Bad EGG). I don't understand how this whole data scrambling thing works. It's probably not true that never having a Pokémon in that position will cause the white Decamark glitch when you view FF, and you've likely had one there before anyway if you're using your main Emerald file, so that was a bad idea of mine.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 17, 2014, 02:40:07 pm
Ah, yes. I've forgotten to update my video...what I found since luckytyphlosion discovered cloning is that it's no longer (nor has it ever been) necessary to actually view the summary of FF. It's enough to only go as far as 'Summary/Cancel'.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 03:24:39 pm
Right, I got the white Decamark effect inadvertently. I was scrolling up (down from FF) and I got a Decamark that I could send out after a considerably long amount of time, but before that I viewed the status of a Pokémon. When I sent out the Pokémon that worked (in the A|X range?) the white Decamark appeared and the game hung.

Luckily I had a save state in battle, so I went to the exact same Decamark that I could send out and it worked the same way. I sent out my Swampert and got whited out, and then my Mew in the fifth position got cloned.

A video is coming soon.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 17, 2014, 03:33:14 pm
Just something minor, you don't have to have the Pokémon at negative HP for the glitch to work; all you need is to make all your Party Pokémon fainted without whiting out.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 03:36:49 pm
Quote
Just something minor, you don't have to have the Pokémon at negative HP for the glitch to work; all you need is to make all your Party Pokémon fainted without whiting out.

Though surely in order for that to happen without cheating you have to exploit the Pomeg glitch, right? You can't deposit your sixth Pokémon if all other Pokémon are fainted. Though I wonder if the glitch would work if you had your sixth Pokémon with negative HP and healed it to 0 HP? That said, if a wild Pokémon dealt damage to it (and you have to switch to it), it would cause the HP to keep going down for a long time, unless I'm mistaken.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 17, 2014, 03:42:22 pm
What I mean is you can make the Pokémon have 1 HP and use a pomeg berry instead of using a healing item at negative hp, which would save using HP UPs/getting HP EVs.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 03:55:08 pm
Quote
What I mean is you can make the Pokémon have 1 HP and use a pomeg berry instead of using a healing item at negative hp, which would save using HP UPs/getting HP EVs.

Ah, OK. I think I get you, you mean having specific EVs so it just goes to 0 instead of 65535?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 17, 2014, 04:10:36 pm
Exactly.
Now, I have 2 questions:
1. Is it possible to keep the "Access Pokémon beyond the sixth slot glitch" outside of battle, or to activate it in the overworld?
2. What would happen, if (hypothetically) some of the data in your glitched party translated into actual Pokémon data?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 17, 2014, 04:28:15 pm
Quote
1. Is it possible to keep the "Access Pokémon beyond the sixth slot glitch" outside of battle, or to activate it in the overworld?
2. What would happen, if (hypothetically) some of the data in your glitched party translated into actual Pokémon data?

1. I don't think so. You can escape from battle using a Fluffy Tail, but unfortunately this doesn't expand the glitch. Your last switch menu position isn't saved, and your party works like just before you went into battle and sent out a Decamark. In fact, you can repeat the glitch again (send out the Decamark for a second battle or more). But saving and restarting will cause it not to work again; i.e. the first Pokémon is sent out with 0 HP.
2. Haven't been able to play around with this, sorry. Maybe they would work as expected. Not sure if their experience would rise and if this would affect say an equivalent boxed Pokémon.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: pokechu22 on April 17, 2014, 04:34:50 pm
Quote
Could this work in FRLG?
Quote
I'll try it later, no problem, but the glitch Pokémon found in FR/LG through this glitch are very unexciting, producing no ill effects whatsoever.

I've used a slightly different glitch (using walk through walls to fight with no pokemon).  I did get this (http://forums.glitchcity.info/index.php/topic,6842.0.html) once, and other times I've had glitch Pokémon that crash the game with a randomized sprite.  So there are some ill effects.  I'll look for my pictures of the random sprites. 
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 18, 2014, 02:10:34 am
Well first off, thanks Torchickens for the videos. Since you were wondering, I discovered the summary overload trick.  ;)

Voltage: after research last night, I can confirm that the cloning trick does indeed work on FR/LG!  :D The only difference is that your Pokémon will be healed in the center afterwards. Looking for the correct switch option is very difficult and probably brings you to about the 90th up-press or so.

I must admit I was previously mistaken about the seemingly benign nature of FR/LG's data beyond the sixth slot. While perhaps those Pokémon up until the 40th slot or so give no damaging effects, there are numerous instances of more interesting specimens.  :D

Here's a bunch of stuff I discovered last night:

-From one test only (this is liable to change), the 141st slot is the final accessible slot, causing a freeze when passed.

-With high enough slots, the same messages as in Emerald are produced: "An EGG can't battle!" and "Bad EGG has no energy for battle!"

-Some Pokémon in very high slots produce this message when attempted to be switched in: "      1    has no energy" Proceeding to then scroll upwards leads you directly to the cancel button.

-One most interesting example I found was the slot that gave this message: "   ÁÁ   has no energy left for battle!" Accessing the summary screen of this Pokémon (of "ÁÁ") gave a very volatile freeze. Extremely glitchy graphics and the usual freeze sound.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 18, 2014, 06:36:15 am
Quote
Well first off, thanks Torchickens for the videos. Since you were wondering, I discovered the summary overload trick.  ;)

Glad you thought they came in handy. Cool, I've updated the description for that video.

Quote
Voltage: after research last night, I can confirm that the cloning trick does indeed work on FR/LG!  :D The only difference is that your Pokémon will be healed in the center afterwards. Looking for the correct switch option is very difficult and probably brings you to about the 90th up-press or so.

I must admit I was previously mistaken about the seemingly benign nature of FR/LG's data beyond the sixth slot. While perhaps those Pokémon up until the 40th slot or so give no damaging effects, there are numerous instances of more interesting specimens.  :D

Ooh, that's great! :)

Edit: I tried it on FireRed. First time I got lucky and cloned a Pokémon successfully with very few up presses. Second time I eventually found a Pokémon I could send out, but then the game hung with a dialogue box with no message.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 18, 2014, 07:48:23 am
It's nice to know the cloning glitch is slightly more consistent (knowing about box Pokémon).
Even though the glitch is inefficient, it can be used before the Battle Frontier, so you could duplicate TMs and Master Balls. The money loss is an annoyance though :(.

About the box Pokémon, does the box need to be full, or can it just have a Pokémon in a specific position to work?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 18, 2014, 08:17:01 am
Quote
It's nice to know the cloning glitch is slightly more consistent (knowing about box Pokémon).
Even though the glitch is inefficient, it can be used before the Battle Frontier, so you could duplicate TMs and Master Balls. The money loss is an annoyance though :(.

About the box Pokémon, does the box need to be full, or can it just have a Pokémon in a specific position to work?

I would imagine some of the earlier values before cursor position $ED are from box data too. I think it's a good idea to have box 1 full and box 2 full up to position 21 in your playthrough for that reason. It won't guarantee the glitch will work due to the values being randomized, but it may ensure that they are not always 00. (we don't want Bad EGGs, etc. with no HP as you can't send them out)

As for FireRed, I haven't looked into any glitch position addresses yet.

Edit: Actually, it's likely there's a point at which the glitch position data is no longer box data relatively early on. I dunno if I made a math error or if the box structure deviates at some point, but what I did was this:

0x020244EC + (Pos.-1 * 0x64) = 0202984C. (box Pokémon 1 data start)
∴0x52487 + (Pos.-1) = 5255C
∴ Position = D6

If my calculations are correct once you get to about the early Ds ('about' because I'm not confident with Windows Calculator avoiding remainders) the data no longer depends on box data.

Please take what I say with a pinch of salt, as I'm talking without experience here (as I've only tried box 1's last position and box 2's position 21 in Emerald). I may very well be wrong.
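
The address arithmetic used across this thread (the $ED and FF calculations and the box-start estimate in the post above), worked through as an added example rather than code from any poster or from the game. The base addresses, the 0x64 stride and the $56 HP offset are the figures quoted in the posts; the 80-byte boxed structure, 30 positions per box and 14 boxes are assumptions taken from the Bulbapedia structure page linked earlier, and the 8-bit cursor function is only a model of the observed wrap from Cancel to FF.

```c
#include <stdint.h>
#include <stdio.h>

/* Figures quoted in the thread (Emerald, observed in VBA). */
#define PARTY_BASE   0x020244ECu  /* start of party data in the posts' formula */
#define PARTY_STRIDE 0x64u        /* 100 bytes per party structure */
#define HP_OFFSET    0x56u        /* "$56": HP field inside a party structure */
#define BOX_BASE     0x0202984Cu  /* "box Pokemon 1 data start" */
/* Assumptions from the linked Bulbapedia structure page, not from the posts. */
#define BOX_STRIDE   80u          /* bytes per boxed structure */
#define BOX_SLOTS    30u          /* positions per box */
#define BOX_COUNT    14u          /* number of boxes */

typedef struct {
    int in_box;        /* 1 if the address falls inside PC box storage */
    unsigned box;      /* 1-based box number */
    unsigned slot;     /* 1-based position inside the box */
    unsigned offset;   /* byte offset inside that boxed structure */
} box_hit;

/* Model of the observed cursor: an 8-bit value with no lower bound check,
 * so the first "up" from Cancel lands on FF and each further press
 * subtracts one more. */
uint8_t cursor_after_up(unsigned presses)
{
    return (uint8_t)(0u - presses);
}

/* The posts' formula: base + (Pos - 1) * 0x64. Meaningful for cursor 1..255. */
uint32_t slot_addr(uint8_t cursor)
{
    return PARTY_BASE + ((uint32_t)cursor - 1u) * PARTY_STRIDE;
}

/* Which box position, if any, owns this address. */
box_hit locate_in_boxes(uint32_t addr)
{
    box_hit h = {0, 0, 0, 0};
    if (addr < BOX_BASE)
        return h;
    uint32_t rel = addr - BOX_BASE;
    uint32_t index = rel / BOX_STRIDE;
    if (index >= BOX_SLOTS * BOX_COUNT)
        return h;
    h.in_box = 1;
    h.box = index / BOX_SLOTS + 1;
    h.slot = index % BOX_SLOTS + 1;
    h.offset = rel % BOX_STRIDE;
    return h;
}

/* Lowest cursor value whose 100-byte structure reaches into box storage.
 * Integer arithmetic avoids the rounding doubt mentioned in the post. */
uint8_t first_cursor_overlapping_boxes(void)
{
    for (unsigned c = 1; c <= 0xFF; c++)
        if (slot_addr((uint8_t)c) + PARTY_STRIDE > BOX_BASE)
            return (uint8_t)c;
    return 0;
}

int main(void)
{
    const uint8_t cursors[] = { 0x04, 0xD6, 0xED, 0xFF };

    printf("19 up presses from Cancel -> cursor %02X\n",
           (unsigned)cursor_after_up(19));
    printf("first cursor reaching box data: %02X\n",
           (unsigned)first_cursor_overlapping_boxes());

    for (size_t i = 0; i < sizeof cursors; i++) {
        uint32_t start = slot_addr(cursors[i]);
        uint32_t hp = start + HP_OFFSET;
        box_hit h = locate_in_boxes(hp);
        printf("cursor %02X: struct %08X, HP field %08X -> ",
               (unsigned)cursors[i], (unsigned)start, (unsigned)hp);
        if (h.in_box)
            printf("box %u position %u, byte %u\n", h.box, h.slot, h.offset);
        else
            printf("not in box storage\n");
    }
    return 0;
}
```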
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: pokechu22 on April 18, 2014, 04:25:12 pm
Quote
Well first off, thanks Torchickens for the videos. Since you were wondering, I discovered the summary overload trick.  ;)

Voltage: after research last night, I can confirm that the cloning trick does indeed work on FR/LG!  :D The only difference is that your Pokémon will be healed in the center afterwards. Looking for the correct switch option is very difficult and probably brings you to about the 90th up-press or so.

I must admit I was previously mistaken about the seemingly benign nature of FR/LG's data beyond the sixth slot. While perhaps those Pokémon up until the 40th slot or so give no damaging effects, there are numerous instances of more interesting specimens.  :D


Here's a bunch of stuff I discovered last night:

-From one test only (this is liable to change), the 141st slot is the final accessible slot, causing a freeze when passed.

I feel that it is partially randomized.  I haven't done many tests, but it changes.  It does remain the same if you exit and reopen the stats menu, but not if you leave the battle (to the best of my knowledge)

Quote
-With high enough slots, the same messages as in Emerald are produced: "An EGG can't battle!" and "Bad EGG has no energy for battle!"

-Some Pokémon in very high slots produce this message when attempted to be switched in: "      1    has no energy" Proceeding to then scroll upwards leads you directly to the cancel button.

-One most interesting example I found was the slot that gave this message: "   ÁÁ   has no energy left for battle!" Accessing the summary screen of this Pokémon (of "ÁÁ") gave a very volatile freeze. Extremely glitchy graphics and the usual freeze sound.

I'm going to have to predict that the changed names are just a side-effect.  The volatile freeze and the name were separate.  I've seen Decamarks with different names, such as ♀ .  They seem to randomize.  In addition, stats randomize as well.  Most of them are 0. 

Note that my research was with walk through walls, and on a new game.  So it may be slightly different. 
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 18, 2014, 04:42:26 pm
Quote
I feel that it is partially randomized.  I haven't done many tests, but it changes.  It does remain the same if you exit and reopen the stats menu, but not if you leave the battle (to the best of my knowledge)

It most certainly is very random. I find that it may actually change after returning to the battle and back into switching in some cases.

Quote
I'm going to have to predict that the changed names are just a side-effect.  The volatile freeze and the name were separate.  I've seen Decamarks with different names, such as ♀ .  They seem to randomize.  In addition, stats randomize as well.  Most of them are 0. 

The two (strange names and freezes) seem to correlate often, but not always. So far, all crazy glitched names have caused unproductive crashes, but many summaries of seemingly normal glitch Pokémon also cause frozen blackouts and such.

With regard to stats, the Pokémon that gives the message "      1    has no energy" will display its Special ATK and Special DEF as ?35 each the first time when viewed, but if viewed again, it will revert to a normal Decamarks with 0 in each stat. (FR/LG)
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 18, 2014, 04:44:22 pm
On the topic of the FR/LG summary overload, you may be interested (or frustrated) to know that there is no pattern apparent in the game's handling of extra-maximum health.

My Arcanine, poisoned down to near 1000 HP, will display these glitchy effects, and its summary screen is very volatile. My Chansey at 65,535 HP will also cause the same effects.

However, having calculated Chansey's HP to decrease by 100 with each use of Softboiled, many HP values crash and others are perfectly safe.  :???: At the moment, my Chansey is somewhere in the range of 49,000 HP with a fully normal summary screen.

Something else you mightn't have known: it is also possible to make the game display a small graphic outside of the summary screen through this glitch (i.e. in the party). This 8-pixel line manifests itself in between 'Summary' and 'Switch' of the 'Summary/Switch/Item/Cancel' interface. https://www.youtube.com/watch?v=zrBND5m-9dQ

What I've always wondered: if we can make such graphics appear beyond the summary and into the party, might it be possible to then go beyond the party and display glitched graphics on the overworld?  :o
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 18, 2014, 06:46:42 pm
What happens when you try to battle with a Pokemon with negative HP in a link battle, or try to do the glitched party glitch in a link battle?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 19, 2014, 04:11:36 am
Link battles always heal both teams before the battle...  :-\
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 06:55:30 am
DO NOT DO THE GLITCH!!!! AFTER I DID THE GLITCH, I DID SOME OTHER STUFF AND LATER, I WENT TO MY POKEMON BOXES AND ALMOST EVERYTHING WERE BAD EGGS! (still worth it for 2 Brick Break TMs)

So apparently, the glitch has an unintended side effect of turning everything in your PC into BAD EGGs. I'll get a photo up once I find a camera.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 19, 2014, 07:04:56 am
Well holy crap, that sounds like a major breakthrough to me!  ;D

Of course, I certainly wouldn't appreciate it if that were to happen to my Emerald cartridge.  :o

But harnessing this glitch could bring unlimited glitching opportunity. I take it this occurred on your new run without anything valuable being erased?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 07:36:08 am
Yeah, nothing bad happened to me. All that was erased were Pokemon with Bad natures. I've got the photos.
Another thing I found was that one of the BAD EGGs was a regular EGG. I wanted to know what it was, so I did the glitch, and it was a Spinda... WITH SUPER GLITCH moves. (I know what Super Glitch really is, but the moves were so similar).

http://i.imgur.com/yWYo42t.jpg
http://i.imgur.com/QhCLlmw.jpg
http://i.imgur.com/VKqknwW.jpg
http://i.imgur.com/qwwf9SK.jpg
http://i.imgur.com/88Q0QmE.jpg
Arbitrary Code anyone?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 19, 2014, 07:40:26 am
Very impressive indeed!  :D

...but there's no way I'm letting my prized Emerald go anywhere near this level of utter destruction.  8)

So do you have any clue as to how this all came about? What were you doing after cloning your Pokémon?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 07:49:12 am
I advanced the plot (Rayquaza), I fought a lot of Trainers, then I went to my Pokémon box to withdraw a Waterfall Slave, and I saw the bad EGGs.

So I really don't know how it happened.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 19, 2014, 07:54:52 am
My uneducated guess is that maybe the clone is distorting data from something to do with the PC.

My Emerald and LeafGreen are very valuable to me, but I might have a go of this on my FireRed and see what I can accomplish there.

If we can figure out why your Emerald bugged out so badly, I'll work on buying a new copy of Emerald at school to mess around with.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 08:05:32 am
I got some Bad EGGs too. Turns out all you have to do is scroll up a considerable amount then try to run/escape from battle with a Fluffy Tail. I don't know if viewing the Summary/Cancel or Shift/Summary/Cancel screen has any effect. I suspect only box 1/2 are affected. Scrolling up more (probably up to the early DX range max) will corrupt more Pokémon.

Edit: It seems that at D7 your Box 1, position 2 Pokémon changes into a Bad EGG. My Bulbasaur (box 1 position 1) Pokémon was unaffected (at least there were no noticeable changes) at lower values. Now, this makes me think that the reason why your game freezes if you keep scrolling up is because simply scrolling corrupts data, and some more important data is earlier on.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: VaeporSage on April 19, 2014, 08:15:15 am
Congratulations, everyone. Today we can finally say that the Pomeg glitch can damage your game.  :)

I'll be sure to test this on my FireRed then when I have time later.

Also, Torchickens, you might want to alert your viewers to this potential catastrophe.  ;)
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 08:38:11 am
Congratulations, everyone. Today we can finally say that the Pomeg glitch can damage your game.  :)

I'll be sure to test this on my FireRed then when I have time later.

Also, Torchickens, you might want to alert your viewers to this potential catastrophe.  ;)

Done now. It has occurred to me that we can probably do more than corrupt the box Pokémon, clone, corrupt the background (from scrolling to $98) or get the 'white Decamark effect'. It all depends on what lies earlier than the box data. By the way, the freeze happens for me at early $6X.

But luckytyphlosion's demonstration that we can get glitch moves on Pokémon is alone interesting. Who would have thought we'd be able to do this in a Generation III game,  ha ha.  :D
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 08:49:27 am
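Here are the effects of the Glitch Move (the really long one, top right):
  • After using the move, look at your Party Screen and exit out. You will now be in another battle setting.
  • Once, it changed it so I was in the Battle Frontier Facility where they judge you. (forget what it's called)
  • One time, it crashed the game.

The other glitch move (bottom right) has some less interesting effects:
  • The move name is apparently "a DRAGON move" (possible placeholder?)
  • It always keeps missing, except one time where it put the foe asleep. Unfortunately, the battle animations were off so I don't know what it was really using.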
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 09:24:55 am
I got "u/9 α!A/wDwA", but it froze the game. :(

Video (https://www.youtube.com/watch?v=R3XreB4GLnE)
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: TheZZAZZGlitch on April 19, 2014, 09:26:30 am
Decided to check out this glitch, and it worked perfectly.

Besides that...

Quote
Arbitrary Code anyone?

We are closer to executing arbitrary code in Emerald than we might think. After opening the stat screen of one of the glitch Pokemon beyond the sixth slot, my game obviously crashed. I opened the disassembly option in VBA out of curiosity, to discover that the game jumped into RAM address $D1042900. http://i3.minus.com/jbwjJSoJJ6ghnb.png

Learning ARM assembly right now :P
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 09:43:29 am
Hmm, nice TheZZAZZGlitch. Good luck on learning ARM assembly. :) If the Game Boy Advance has no problem with executing the memory as code, maybe some of the glitch moves you can get on Bad EGGs by escaping jump into code you can manipulate when you use them.

Edit: Though this may not be useful, here are the moves I got, confirming they are possible. I thought it would be interesting to list some of them. Note that the moves you get aren't constant and aren't necessarily on the same Pokémon even if you had the same Pokémon in the boxes before the glitch.

To track or modify the first move of your Pokémon currently in battle, change 16-bit addresses 02023068 and 02024090.

Box 1 position 11:

u/9α!A/wDwA - (Type Poison)

When used:

Enemy takes their turn first. Game 'hangs' before your turn, but you may throw a Pokéball sometime after so it doesn't necessarily hang.

Index number is 4049.

Box 1 position 25:

.:"G/giαAx0/ - (Type ED in su)

When used:

Game displays a long name that erases the old name on the screen to display the new one when it goes off the dialogue box. Eventually an arrow appears so you can see what's below it. Press it and another appears. Press it again and a weird, possibly unused sound effect will play. The game may freeze or reset itself.

Index number is $4038

Box 2 position 1:

iÀvî CE:ÀE ÀC - (type Poison)

When used:

Game says "(X) used a POISON move!" and then the game hangs.

Index number is $4081

Box 2 position 16:

|Ȇîë Ì. MN PO|É MN - (type y.)

When used:

Game hangs or may pause for a bit before your opponent's move.

Index number is $40A3
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 11:31:40 am
Here's another thing I found: an Invisible Bad EGG in my box. Its summary screen crashes the game instantly, and when sent into battle its backsprite is black and it's shiny. It also has no moves.

To remove the Bad Eggs, you have to do the Battle Frontier Cloning Glitch.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: pokechu22 on April 19, 2014, 11:39:21 am
Here are the effects of the Glitch Move (the really long one, top right):
  • After using the move, look at your Party Screen and exit out. You will now be in another battle setting.
  • Once, it changed it so I was in the Battle Frontier Facility where they judge you. (forget what it's called)
  • One time, it crashed the game.

The other glitch move (bottom right) has some less interesting effects:
  • The move name is apparently "a DRAGON move" (possible placeholder?)
  • It always keeps missing, except one time where it put the foe asleep. Unfortunately, the battle animations were off so I don't know what it was really using.

I did a bit of GameShark stuff here. The "a DRAGON move" also appears in FireRed.

I used the following master code:
0000295F000A
101DC9D40007
830050000000
830050020000

After that, address 02022BC8 (not a GameShark code) shows your current Pokémon's move while in the move selection screen in battle. You can change it and then press Select to force it to update.
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 12:29:03 pm
More Glitch Moves!

--- (move) - (Type Normal)

"There's no PP left for this move!". Has 0/0 PP

Ñ û          Ñ Ë - (Type Normal)

Softlocks the game. Has 0/0 PP
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 12:58:07 pm
luckytyphlosion, do you mind changing the name of this thread now that we've found more to it? I could also do it, but I wanted to know if it was fine for me to do it.

I'm thinking something like "Emerald/FRLG - harder cloning glitch, get Bad EGGs and glitch moves without cheating".
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 01:17:05 pm
Apparently, the Ñ û          Ñ Ë move can make Trainer Pokémon flee just by looking at it, and you can also catch Trainer Pokemon too. (Emerald Glitched category anyone?)

How do you change the title of a thread?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: Evie ✿ on April 19, 2014, 01:24:55 pm
Apparently, the Ñ û          Ñ Ë move can make Trainer Pokémon flee just by looking at it, and you can also catch Trainer Pokemon too. (Emerald Glitched category anyone?)

How do you change the title of a thread?

Nice, do you know its index number? If you still have a state with that move, have it in the first position and look at 02023068 and 02024090 (index number of move) when the Pokémon that knows it is within battle.

For me, there is a "modify" button next to the name of your first post in the thread (and other posts). Do you have it?
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: luckytyphlosion on April 19, 2014, 01:29:55 pm
All my testing was on console, sorry. :(

However, Sky Shaymin has a video documenting the effect, but he/she used cheats to hack a decamark.

https://www.youtube.com/watch?v=if1xBot3fao
Title: Re: Pokemon FRLG/E: Clone Pokémon/get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 19, 2014, 01:36:32 pm
All my testing was on console, sorry. :(

However, Sky Shaymin has a video documenting the effect, but he/she used cheats to hack a decamark.

https://www.youtube.com/watch?v=if1xBot3fao

Oh, I forgot that you're using a real console. Sorry about that.

Ah yes, I've seen that video before. I'll look into that. Sky Shaymin posts here as Pawny, maybe she knows more good Generation III glitch moves?

Edit: Thanks for updating the name of the thread.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Wack0 on April 19, 2014, 01:58:20 pm
We need a R/S/E/FR/LG RAM map.

(I doubt a disassembly project will ever happen. Gen 3 was coded in C anyway, so there'd probably be a lot of compiler-optimised code there.)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 20, 2014, 03:24:15 am
I've informed PRAMA about all this. They might be able to help us too!  :D

http://forum.prama-initiative.com/viewtopic.php?f=3&t=398
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 06:00:20 am
I found "=Ñ ;Ç  Ç Á"'s index number! It's 01CE.

It was harder than I expected. For unknown reasons, when I try to catch Rage (0x211) the game freezes on the 'do you want to give a nickname?' screen but Pawny was able to do it. I tried a new save and got the same results.

So what I did was use "Yet Another Pokémon Editor" (YAPE) to change Bulbasaur's evolution at level 16 into Deoxys (apparently it won't let you change it to most glitch Pokémon). Then, I used a program to compare what was changed, and saw that at 0x325348 is the relevant word that says what species it evolves into, which was changed to Deoxys. It's stored in reverse byte order, so instead of 01 9A it's "9A 01". So I changed it to 11 02 (0x211 in reverse).

This wasn't the only thing I had to do though. When Bulbasaur evolves into Rage, it goes to level 0, but use the code 02024540:1C and it'll stay at level 28, and learn =Ñ ;Ç  Ç Á (you have to make sure it has three moves for the game not to freeze).

When I try =Ñ ;Ç  Ç Á on the Elite Four, simply entering the fight menu and exiting it will end the battle.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 20, 2014, 07:22:12 am
I've posted a video on fleeing with Bad EGG. https://www.youtube.com/watch?v=cy5Sd-Z3J4A

What happens when you go to the HoF with a Bad EGG?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 08:35:00 am
I've posted a video on fleeing with Bad EGG. https://www.youtube.com/watch?v=cy5Sd-Z3J4A

What happens when you go to the HoF with a Bad EGG?

Great work! Maybe glitch moves that let you escape from battle aren't that uncommon?

I'm not sure what happens when you go to the Hall of Fame with a Bad EGG. I'll try to hack 01CE on to it (not just changing the in battle moves, though 01CE does allow you to escape from battle when my Swampert used it, and it got into the Hall of Fame with no noticeable side effects) to test it. The Pokémon data substructure order depends on the personality value modulo 24, and move 1 is part of the 'A' substructure; one of four. Normally, you'd have to change the checksum, but since we're already dealing with a Bad EGG, it probably doesn't matter.
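Added example (not from this thread or any poster): how the personality value modulo 24 selects the substructure order, where move 1 lands, and why changing it without updating the checksum leaves a record that fails validation, which is what the game displays as a Bad EGG. The 80-byte box layout, the XOR key (personality value XOR OT ID) and the 16-bit additive checksum follow the commonly documented Generation III structure and are assumptions here, as are all function names and the constructed sample values; the move indexes 01CE and $4038 are the ones quoted in the thread, stored low byte first like the evolution word described earlier.

```python
import struct
from itertools import permutations

# Substructures: G = Growth, A = Attacks, E = EVs/Condition, M = Misc.
# Their order inside the 48-byte data block is chosen by personality % 24;
# the 24 orders are the permutations of "GAEM" in this listing order.
ORDERS = ["".join(p) for p in permutations("GAEM")]

HEADER_LEN = 32      # personality, OT ID, names, markings, checksum, padding
SUB_LEN = 12         # each of the four substructures is 12 bytes
DATA_LEN = 4 * SUB_LEN
CHECKSUM_OFF = 28    # position of the 16-bit checksum in the header


def crypt(block, pid, otid):
    """XOR every 32-bit word with (personality ^ OT ID); same call decrypts."""
    key = pid ^ otid
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", block)))


def checksum(plain):
    """Sum of the 24 little-endian 16-bit words of the decrypted block."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def build_box_mon(pid, otid, subs):
    """Assemble an 80-byte box record from plaintext substructures."""
    plain = b"".join(subs[c] for c in ORDERS[pid % 24])
    header = (struct.pack("<II", pid, otid) + bytes(20)
              + struct.pack("<HH", checksum(plain), 0))
    return header + crypt(plain, pid, otid)


def parse_box_mon(raw):
    """Decrypt a record, locate move 1 and compare stored/computed checksum."""
    pid, otid = struct.unpack_from("<II", raw, 0)
    stored, = struct.unpack_from("<H", raw, CHECKSUM_OFF)
    plain = crypt(raw[HEADER_LEN:HEADER_LEN + DATA_LEN], pid, otid)
    order = ORDERS[pid % 24]
    move1_off = order.index("A") * SUB_LEN   # move 1 is the first word of A
    move1, = struct.unpack_from("<H", plain, move1_off)
    computed = checksum(plain)
    return {"order": order, "move1_offset": HEADER_LEN + move1_off,
            "move1": move1, "stored": stored, "computed": computed,
            "valid": stored == computed}


def set_move1(raw, move, fix_checksum):
    """Rewrite move 1; optionally recompute the checksum afterwards."""
    pid, otid = struct.unpack_from("<II", raw, 0)
    plain = bytearray(crypt(raw[HEADER_LEN:HEADER_LEN + DATA_LEN], pid, otid))
    off = ORDERS[pid % 24].index("A") * SUB_LEN
    struct.pack_into("<H", plain, off, move)
    out = bytearray(raw[:HEADER_LEN]) + crypt(bytes(plain), pid, otid)
    if fix_checksum:
        struct.pack_into("<H", out, CHECKSUM_OFF, checksum(bytes(plain)))
    return bytes(out)


# Constructed sample values, not taken from any real save file.
SAMPLE_PID = 0x12345685    # 0x12345685 % 24 == 13, so the order is "EGMA"
SAMPLE_OTID = 0xCAFE1234
SAMPLE_SUBS = {
    "G": struct.pack("<H", 1) + bytes(10),                       # species word
    "A": struct.pack("<4H4B", 0x01CE, 0, 0, 0, 0, 0, 0, 0),      # moves, PP
    "E": bytes(12),
    "M": bytes(12),
}

if __name__ == "__main__":
    mon = build_box_mon(SAMPLE_PID, SAMPLE_OTID, SAMPLE_SUBS)
    print("original      ", parse_box_mon(mon))
    print("edited, stale ", parse_box_mon(set_move1(mon, 0x4038, False)))
    print("edited, fixed ", parse_box_mon(set_move1(mon, 0x4038, True)))
```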
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Pawny on April 20, 2014, 09:22:09 am
Oh my god this is the pinnacle of Gen 3 glitching!

It was harder than I expected. For unknown reasons, when I try to catch Rage (0x211) the game freezes on the 'do you want to give a nickname?' screen but Pawny was able to do it. I tried a new save and got the same results.

That's Firered right? Although I don't exactly remember it freezing (bad memory), I actually caught mine in Emerald and traded it to Firered, so I assume it was because of that freeze. Iirc it has Drizzle in Emerald, but its ability changes to Cacophony (the unused one) in FRLG.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 09:38:18 am
Oh my god this is the pinnacle of Gen 3 glitching!

It was harder than I expected. For unknown reasons, when I try to catch Rage (0x211) the game freezes on the 'do you want to give a nickname?' screen but Pawny was able to do it. I tried a new save and got the same results.

That's Firered right? Although I don't exactly remember it freezing (bad memory), I actually caught mine in Emerald and traded it to Firered, so I assume it was because of that freeze. Iirc it has Drizzle in Emerald, but its ability changes to Cacophony (the unused one) in FRLG.

I tried to catch it using the wild encounter modifier code in Emerald, like in your video (https://www.youtube.com/watch?v=if1xBot3fao), but had the game either freeze or reset. Thinking about it, I could have tried to see if 0x211 froze on FireRed and traded it over instead of ROM hacking. Strangely, while 0x211's ability was Drizzle as a wild Pokémon, it changed to Swift Swim when I evolved it from Bulbasaur and viewed the first page of its summary.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 20, 2014, 09:51:23 am
Now that you can get "Super Glitch" moves in Emerald, what if you had a Smeargle use sketch on the BAD EGG (like Pawny did in her "DPP Super Glitch Video") and migrated the Smeargle to Gen 4, and possibly used Poké Transfer to transfer it to Gen 5, and then to Gen 6 through Pokémon Bank???

inb4 XY glitched category
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 10:11:00 am
Now that you can get "Super Glitch" moves in Emerald, what if you had a Smeargle use sketch on the BAD EGG (like Pawny did in her "DPP Super Glitch Video") and migrated the Smeargle to Gen 4, and possibly used Poké Transfer to transfer it to Gen 5, and then to Gen 6 through Pokémon Bank???

inb4 XY glitched category

Is it possible to get into a double battle with Bad EGG and a Smeargle? Double battle Trainers in Emerald will only battle you if you have two non-fainted Pokémon.

If you had a Skitty with Assist, maybe you could have it call a glitch move and have Smeargle Sketch it from there? I'm not sure. Even if that's possible, Sketch cannot copy Struggle (and Sketch itself I think), so maybe there's a possibility it will fail.

By the way, entering the Hall of Fame with a Bad EGG is indeed possible. I just did it with no cheats with the "| {ÀÀ Ñ À(down arrow) []" move. Simply viewing its name turns the battle mode into Prof. Birch's mode ("PROF BIRCH: Don't leave me like this!") and if you can catch your opponent's Pokémon you obtain a new Bad EGG (lol) and then the battle ends.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 20, 2014, 10:23:03 am
You can find wild Smeargle in Artisan Cave in Emerald (In the Battle Frontier)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 10:28:56 am
You can find wild Smeargle in Artisan Cave in Emerald (In the Battle Frontier)

Oh. That's good to know. By the way, you can escape from battle with "| {ÀÀ Ñ À(down arrow) []" using a Fluffy Tail instead of catching your opponent. The game says you "forfeited" but you can still continue. I don't know its index number yet because it was the last move and for some reason it was impossible to scroll down to it.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 20, 2014, 10:46:06 am
I've decided to evacuate all the valuable contents of my Emerald cartridge to Box: R/S so I can get on with glitching there.

It seems that the Bad Egg keeps the item of the Pokémon it 'morphed' from. Also, the Poké ball the Bad Egg appears in also seems to come from its former Pokémon. I have a hunch that the glitch moves appear according to the move that was there before - so maybe getting the right glitch move could be similar to item mutation in Yellow with p Pkmn p.

It could also be important to check out notable glitch moves with and without animations on - I found that "a ROCK move" hits the user and proceeds normally without animations; but with them, the game hangs, the battle music slows down gradually until a sudden freeze occurs.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Pawny on April 20, 2014, 10:48:59 am
Oh my god this is the pinnacle of Gen 3 glitching!

It was harder than I expected. For unknown reasons, when I try to catch Rage (0x211) the game freezes on the 'do you want to give a nickname?' screen but Pawny was able to do it. I tried a new save and got the same results.

That's Firered right? Although I don't exactly remember it freezing (bad memory), I actually caught mine in Emerald and traded it to Firered, so I assume it was because of that freeze. Iirc it has Drizzle in Emerald, but its ability changes to Cacophony (the unused one) in FRLG.

I tried to catch it using the wild encounter modifier code in Emerald, like in your video (https://www.youtube.com/watch?v=if1xBot3fao), but had the game either freeze or reset. Thinking about it, I could have tried to see if 0x211 froze on FireRed and traded it over instead of ROM hacking. Strangely, while 0x211's ability was Drizzle as a wild Pokémon, it changed to Swift Swim when I evolved it from Bulbasaur and viewed the first page of its summary.

Eh? I just caught it on Emerald (VBA-M SVN1197):
(http://i.imgur.com/tyCgBTZ.png)

Did you use the same code from the video's description? If so, did you disable every other code? I remember its (M) code (which I included together) conflicts with other codes for some reason.

Now that you can get "Super Glitch" moves in Emerald, what if you had a Smeargle use sketch on the BAD EGG (like Pawny did in her "DPP Super Glitch Video") and migrated the Smeargle to Gen 4, and possibly used Poké Transfer to transfer it to Gen 5, and then to Gen 6 through Pokémon Bank???

inb4 XY glitched category

I'm 100% sure it does not make it through bank (they have a silly hack check but it blocks obvious things). Idk about Pokétransfer, but Pal Park has no hack checks whatsoever.

WAIT. Maybe the Super Glitch videos could be done legitimately! I hadn't noticed this was Torchickens' point the whole time! (if it was, lol)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 10:54:44 am
Yes. I used the exact same codes and disabled every other code. It's not the first time I've seen this kind of thing though. In FireRed there was a Decamark, hex: $281D (thanks Pokechu22 for telling me about it and its summary screen glitch) that freezes before battle on my 'complete' save, but works perfectly from a fresh save.

Shall I send you my battery file so you can see if I'm just doing something wrong?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Pawny on April 20, 2014, 11:10:50 am
Sure. But I've uploaded my own battery, my VBA version and a save state with the codes in an archive, just in case.

https://www.dropbox.com/s/3hgrzrfz2tq0z8s/VBA%20RAGE.zip
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 11:14:16 am
Sure. But I've uploaded my own battery, my VBA version and a save state with the codes in an archive, just in case.

https://www.dropbox.com/s/3hgrzrfz2tq0z8s/VBA%20RAGE.zip

Ta :). I'll try catching it on your save too.

https://mega.co.nz/#!AhEXiQjA!1ARmkCndV0N-DqRL3wUABIqKMuAnlRlTMvHsYPh7VRU

Edit: On your emulator, I can't get the cheats to work for some reason (nothing happens). On mine with your save I get the same problem. It registers Flygon's entry, but afterwards the game resets itself when it finishes saying "Give a nickname to the captured ???????????" It uses Flygon's picture at that stage, if that matters.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Pawny on April 20, 2014, 11:26:06 am
Worked fine on your file.

(http://i.imgur.com/zxjoutJ.png)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 20, 2014, 11:31:06 am
Worked fine on your file.

(http://i.imgur.com/zxjoutJ.png)

OK, I guess it's the emulator then. Can you try it on this please? (it's the version I was using) https://code.google.com/p/vba-rerecording/downloads/detail?name=vba-v24m-svn-r422.7z&can=2&q= (to load the save file, put it in the 'battery' folder)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Pawny on April 20, 2014, 11:42:36 am
Yeah, I tested both on that one and on the v24m-480 and both reset.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 20, 2014, 12:15:20 pm
Can anyone test if you can migrate a Smeargle with a Glitch Move? I haven't beaten the game yet (on this runthrough) so I can't test it yet.
EDIT: I was about to ask: What happens when you try to face Tate&Liza with a Bad EGG? Will the game not allow you to fight them?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 20, 2014, 01:08:18 pm
You can only enter a double battle if you have two Pokémon able to battle beforehand.

I tried to get the Smeargle thing to work today, but of my 32 Bad Eggs, I don't think there's one that has a cool glitch move AND  can outspeed the Smeargle to get it to copy the Bad Egg.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 20, 2014, 01:14:28 pm
You can only enter a double battle if you have two Pokémon able to battle beforehand.

I know that, but does Tate&Liza have a special flag or w/e that allows you to battle them with only one Pokémon?

EDIT: I tested it. You can't battle with them as they say "Oops, you only have one Pokémon that can battle..."
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Kelvinv on April 20, 2014, 04:12:04 pm
I wonder what the move events sleep does on Generation III (the move that is generation IV super glitch)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: pigdevil2010 on April 20, 2014, 07:58:35 pm
Yeah, I tested both on that one and on the v24m-480 and both reset.
Sigh. I'm using VBA-RR v24 svm480 :-[ *changes emulator*

EDIT: Just got myself VBA-M svn1229 :D
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 01:25:17 am
So I was trying to corrupt boxes 1 and 2 but I scrolled up around the second point where the last pokemon has a constantly changing status and somehow my berries, TMs and HMs all disappeared from my bag. Luckily, I didn't overwrite my save file.

EDIT: From one of my attempts at corruption, I found that the shiny animation will be retained if the Pokémon was shiny prior to becoming a Bad EGG.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 02:53:31 am
I got around my Smeargle problem with a convoluted but effective method. I made a Ditto transform into the Bad Egg, then revived my fainted Smeargle and switched into it so it could sketch the Ditto once it used the move.

So I copied the move that's responsible for the Elite Four skip ("a Water move"). I then migrated it to Pearl with no issues. However, this move is very uneventful there...

Attempting to view Smeargle (w/ glitch move)'s summary screen causes a blackout/freeze, and as soon as he is sent into battle, the game freezes also. Unproductive this time, but now I know I can test with other glitch moves in Pearl. I may also trade the Smeargle to HG/SS if I can get my hands on a copy, and once I get my Black version back in a week, I might migrate it to Gen V as well.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 03:13:17 am
I have HG but I haven't had any luck getting glitch moves.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Kelvinv on April 21, 2014, 03:21:26 am
I got around my Smeargle problem with a convoluted but effective method. I made a Ditto transform into the Bad Egg, then revived my fainted Smeargle and switched into it so it could sketch the Ditto once it used the move.

So I copied the move that's responsible for the Elite Four skip ("a Water move"). I then migrated it to Pearl with no issues. However, this move is very uneventful there...

Attempting to view Smeargle (w/ glitch move)'s summary screen causes a blackout/freeze, and as soon as he is sent into battle, the game freezes also. Unproductive this time, but now I know I can test with other glitch moves in Pearl. I may also trade the Smeargle to HG/SS if I can get my hands on a copy, and once I get my Black version back in a week, I might migrate it to Gen V as well.

you should try the move with assist
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 04:11:33 am
you should try the move with assist

Oops.  :P

On trying it with Assist, the game declared that Skitty used the move, then nothing happened and the game proceeded as normal. Still, at least no freezes this time...
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: blahpy on April 21, 2014, 04:27:34 am
https://www.youtube.com/watch?v=KME8eusvRAc

Werster seems to have found that Bad Egg's glitch move turns a trainer battle into a wild pokemon battle (just by viewing the battle menu).

Of course, that means corrupting your game pretty badly, so I wouldn't suggest trying it if you care about what's on your save file.

edit: is that already in this thread? i'm just reading through everything now!
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: voltage on April 21, 2014, 04:29:11 am
Here's another thing I found: an Invisible Bad EGG in my box. Its summary screen crashes the game instantly, and when sent into battle its backsprite is black and it's shiny. It also has no moves.

I have found something similar. Invisible Bad Decamark. Interestingly enough, when put in your party, its party sprite when visible is either a shiny palette of a party member or shiny Bulbasaur. Unlike the Invisible Bad EGG, it's safe to look at its summary.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 04:51:21 am
So is it possible to catch trainers' Pokémon by turning the battle into a wild battle?

If so, there's a nice shiny Espeon in FR/LG's Trainer Tower I'd like to get my hands on...  :D
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: blahpy on April 21, 2014, 05:43:51 am
So is it possible to catch trainers' Pokémon by turning the battle into a wild battle?

If so, there's a nice shiny Espeon in FR/LG's Trainer Tower I'd like to get my hands on...  :D

I would have thought so!  Of course, you'll be getting a few hundred bad eggs to go with that Espeon.

edit:unedited the edit because sage is too fast at replying :P
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 05:47:12 am
I've already corrupted my Emerald. I'd only need to send over the Smeargle with the funky move once I clone it.

Google also tells me that there are some other shinies (Meowth and Seaking) to be picked up there too.  8)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: blahpy on April 21, 2014, 05:52:21 am
I've already corrupted my Emerald. I'd only need to send over the Smeargle with the funky move once I clone it.

Google also tells me that there are some other shinies (Meowth and Seaking) to be picked up there too.  8)

Can this glitchiness write to SRAM, or will I be safe to test it so long as I don't save?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Zowayix on April 21, 2014, 06:04:34 am
I have a flashcart and with it the ability to back up save files and mess around with transferring emulated things into real life things, so I will endeavour to test this as soon as I unpack whichever box said flashcart happens to be in. So if you don't see a post from me in at most 2 days finding out exactly what happens when you transfer glitched moves to Gen 4/5 (and Colosseum/XD/PBR as well, because why not), please feel free to organize one of them angry-type mobs to come to my apartment and demand that I do so (failing unforeseen personal emergency).
Title: Re: Emerald possible new cloning glitch with pomeg?
Post by: pigdevil2010 on April 21, 2014, 07:20:58 am
Decided to check out this glitch, and it worked perfectly.

Besides that...

Quote
Arbitrary Code anyone?

We are closer to executing arbitrary code in Emerald than we might think. After opening the stat screen of one of the glitch Pokemon beyond the sixth slot, my game obviously crashed. I opened the disassembly option in VBA out of curiosity, to discover that the game jumped into RAM address $D1042900. http://i3.minus.com/jbwjJSoJJ6ghnb.png

Learning ARM assembly right now :P

Good luck on learning :P Viewing the status of decamark 0 will result like that, unfortunately, all addresses beyond 0x08000000 are where it stores the ROM it's running though :/
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 07:34:11 am
Catching Pokemon in battle turns them into Bad Eggs. The one time I then went on to battle with these caught Bad Eggs, it froze the game on opening the attack menu.

Double battling with the move that changes battle interfaces can be quite entertaining in the Battle Dome. Also, you can catch the Pokemon that attack you in the Battle Pike, but they disappear after the challenge.

Unfortunately, you can't use this glitch to complete all the Battle Frontier challenges, because catching their Pokemon and escaping via Fluffy Tail both make you forfeit/lose.

I'll be testing this effect later and tomorrow on Ruby, FireRed and XD: Gale of Darkness.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 07:56:17 am
Pawny said that attempting to look at its type crashes the game, so you'd have to use Assist.
The reason some glitch moves can't be sketched is because they have negative priority, so you'd have to use a move that induces paralysis/confusion/sleep to sketch that move.

Well, VaeporSage, looks like you got your dream of Glitch Pokémon in Emerald  :).

EDIT: It's going to be soo bad if this gets to Gen 5, because random battles will be so dumb with glitch moves.  :P

EDIT2: Don't know why this glitch isn't stickied yet, considering how much potential this has for future gens.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 08:52:58 am
Well, VaeporSage, looks like you got your dream of Glitch Pokémon in Emerald  :).

I never could have dreamed of anything like this, frankly.

I tried to trade my Smeargle equipped with the glitch move that changes battle style, but it turned out that when I went to trade it with another Pokémon, the game freezes at the point at which the two Pokémon are placed beside each other ("Is this trade OK?"). At that point, all the Pokémon's moves are shown, and the game couldn't load this one, of course.

So this glitch is totally dead for Ruby and Sapphire. The Smeargle can't be traded, and the Bad Egg gets blocked by the trade centre. It could still work in FR/LG if you have the right Bad Egg with the move.

I have one last option here: I can try to transfer Smeargle onto Pokémon Box: Ruby and Sapphire and see if it will accept it, then hopefully I can bring it from there onto R/S.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Kelvinv on April 21, 2014, 09:03:19 am
What does the glitch move do on Colosseum?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 10:39:40 am
Catching Pokemon in battle turns them into Bad Eggs. The one time I then went on to battle with these caught Bad Eggs, it froze the game on opening the attack menu.

Double battling with the move that changes battle interfaces can be quite entertaining in the Battle Dome. Also, you can catch the Pokemon that attack you in the Battle Pike, but they disappear after the challenge.

Unfortunately, you can't use this glitch to complete all the Battle Frontier challenges, because catching their Pokemon and escaping via Fluffy Tail both make you forfeit/lose.

I'll be testing this effect later and tomorrow on Ruby, FireRed and XD: Gale of Darkness.

Just want to confirm. This is for a Smeargle that Sketched the glitch move, right? For me, taking Pokémon into the battle facilities heals them and my Bad EGG isn't allowed to enter, either because Bad EGGs aren't permitted to enter at all, or it may have 'mutated' into a banned Pokémon (it was a Wynaut before).
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 10:52:49 am
Just want to confirm. This is for a Smeargle that Sketched the glitch move, right? For me, taking Pokémon into the battle facilities heals them and my Bad EGG isn't allowed to enter, either because Bad EGGs aren't permitted to enter at all, or it may have been an 'uber' before.

Yes, of course. I should have mentioned that. And pretty much the reason why you can't enter Bad Eggs is that they really are just Eggs.  :P

Well, XD: Gale of Darkness has given very disappointing results. On a positive note, the game didn't freeze when I traded Smeargle over; but XD: GoD basically ignored the glitch move altogether...

When Smeargle was sent out, all I got for my efforts was "Smeargle has no moves left."

I've transferred another one of these Smeargles with the glitch move onto Pokémon Box: Ruby and Sapphire successfully. I'm not able to move it onto Ruby just yet because that doesn't have 100 Pokémon in the Pokédex yet, but I could bring it onto Sapphire, as much as I'd prefer to avoid risking that cartridge.

Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 11:16:47 am
Ah.

Out of curiosity, I battled with one of the Bad EGGs you get from stealing a Trainer's Pokémon, specifically Aroma Lady Rose. I got a Bad EGG in a Luxury Ball with glitch moves in all four positions! But again, the properties of the Bad EGG are random.

To do this, I had to set the glitch up again but with five Pokémon and the Pokémon you switched to in the fifth position, because the game won't let you swap the Bad EGG with one in the box for it being your 'last Pokémon'. I was unlucky and didn't get a similar glitch move, but to make things quicker I forced 0400 in battle with codes, then captured Rose's Shroomish.

To battle with it, I had it above my other Bad EGG, but not with any fainted Pokémon below it. So it's theoretically possible for stolen other Trainer's Pokémon not to freeze the game (it wouldn't be a theory if I didn't hack back 0400). Maybe the one that froze yours was a really unstable Decamark.

(http://i.minus.com/jSt7CipSbYsz1.png)

Edit: It doesn't let me exit the fight menu/select a move to check out the glitch moves.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Wack0 on April 21, 2014, 11:20:55 am
I could play around with cheats and trade from Ruby to Colosseum, but I have a decent save file there and I really don't wish to risk it. Of course I could use Wii homebrew to backup the gamecube memory card contents, if such homebrew exists.

edit: Such homebrew definitely exists. (http://www.wiibrew.org/wiki/GCMM) I wonder what the Colosseum/XD savefile format is. There hasn't been that much research into those games at all, maybe I should grab the isos or dump my discs and look into them. It'd give me another excuse to look into PowerPC asm, and wiibrew has a nice article on it detailing some PPC instructions and the x86 equivalents.

edit 2: Pokemon Colosseum/XD both use 'protected savegames', meaning you can't copy them in the Wii/GC's interface, however GCMM (the homebrew I linked to above) supposedly can dump and restore them just fine.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 12:02:20 pm
Also, you can catch the Pokemon that attack you in the Battle Pike, but they disappear after the challenge.

If you catch more than three you'll keep the number you caught minus 3. When you go into the Battle Pike, you must use 3 Pokémon, so you have to catch 3 wild Pokémon to fill the party. Then if the next Pokémon you catch is sent to the box, you'll keep it there and it won't become a Bad EGG!

The validity of my experience is questionable as I haven't had Smeargle Sketch a battle changing move yet (I cheated to get the move on Swampert). Vae, do you have 4 Master Balls? Could you have a go at catching 4 wild Pike Pokémon for me and see if you keep a Level 95 Dusclops, etc, please? One factor that might influence things is that I used a Master Ball to catch a Trainer's Pokémon and then lost, instead of just forfeiting. I used the effect of viewing hex 0400 ("| {ÀÀ Ñ ÀV []")'s name.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 12:35:21 pm
Good point. I actually only caught 3, then decided against catching more based on previous experiences with catching stuff that way whereby they merely disappeared. I'll give that a try and post back.

I've cloned over 500 Master Balls just to have them.  :P

Edit: Yep, worked just like you said.  ;)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 01:22:34 pm
Does anyone have a Black/White copy they can test the glitch move on? Also, what happens when you use the glitch move in a link/wifi battle (via Assist)?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 01:37:39 pm
Does anyone have a Black/White copy they can test the glitch move on? Also, what happens when you use the glitch move in a link/wifi battle (via Assist)?

If you're using an emulator you could probably use ArtMoney (http://www.artmoney.ru/) to search for the (decimal) index number of the first move of the Fight menu, then change it and use 'filter' to search for the index number of the new move, and repeat until you get an address that manages the first move. I'm not sure if any of the newer Pokémon SAV editors support you giving Pokémon glitch moves?

Edit: But wait... I forgot for a second about the moves freezing the game when you view them. I'm not sure if you could easily use ArtMoney to get glitch moves with Assist. The moves might no longer exist when you run, and it's not easy changing the 'overworld' moves because of the data being even more encrypted than Generation III.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 01:41:45 pm
I literally just ran to go test out the idea of catching Pokemon in link battles, thinking it would be a repeat of the Fire Spin glitch. Unfortunately, the battle system really relies on the opponent giving proper commands, and cannot proceed until everything is perfectly in order.

Turning the link battle into a wild battle in Single Link merely hung the game at the attack menu. In Doubles, it was possible to open Smeargle's attack menu (which the game immediately closed for me), but using a Fluffy Tail or Poke Ball, attacking or switching left the other game at "Link standby..." permanently.

I really thought we were onto something there... :P
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 02:33:53 pm
I literally just ran to go test out the idea of catching Pokemon in link battles, thinking it would be a repeat of the Fire Spin glitch. Unfortunately, the battle system really relies on the opponent giving proper commands, and cannot proceed until everything is perfectly in order.

Turning the link battle into a wild battle in Single Link merely hung the game at the attack menu. In Doubles, it was possible to open Smeargle's attack menu (which the game immediately closed for me), but using a Fluffy Tail or Poke Ball, attacking or switching left the other game at "Link standby..." permanently.

I really thought we were onto something there... :P

That's a shame :/. Thanks for testing the Battle Pike thing for me and verifying it without the fight screen move code!
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 02:40:24 pm
Can you test in Gen 4? (Have a Smeargle sketch it, transfer it to Gen 4 and have Skitty use Assist)

Someone made some posts on the effects here: http://pastebin.com/vcaJzW6P https://twitter.com/Pointerrrr/status/458324244829462528/photo/1
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: VaeporSage on April 21, 2014, 02:53:50 pm
Can you test in Gen 4? (Have a Smeargle sketch it, transfer it to Gen 4 and have Skitty use Assist)

Yeah, I did that already. It's on page 6 of this thread.  ;)
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 03:10:25 pm
Wonder if any other glitch moves have a different effect, and if you'd use them in a link battle. Would it be any different if you used the move in a link battle?
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 03:29:38 pm
When you corrupt the boxes, it not only affects them, but if you have Pokemon in the daycare, they can become Bad EGGS. This also applies if the Daycare Man will give you an egg. When the egg hatches, the game freezes but the hatching music still plays. Also, the hatched egg's sprite becomes a distorted version of the Pokemon ribbon sprites.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 03:55:48 pm
Ooh, nice find! You have to scroll up some more than the box corruption minimum; scrolling up to D7 (affects 2nd box Pokémon in Box 1, remember that FF affects Box 2 Pokémon 23) doesn't do it. B0 corrupted one of the Pokémon in the Daycare on my file, and when I scrolled up even more I got two Bad EGGs that had an Egg. I'm currently working on hatching the Egg, but it may take a long time...
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 04:02:38 pm
The egg which I received said it was going to hatch soon. I also remember that the game slowed down while the Daycare Man was giving me the egg.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 04:03:10 pm
The egg which I received said it was going to hatch soon. I also remember that the game slowed down while the Daycare Man was giving me the egg.

Mine was one that'd take a 'long time', but with a quick Egg hatch code, the Egg hatched into a "- (http://bulbapedia.bulbagarden.net/wiki/-_(glitch_Pok%C3%A9mon))" so it seems like "-" is obtainable without cheating. Let me know if you also get it.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 04:04:09 pm
The game froze when it hatched. :(
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 04:11:27 pm
Another thing is the glitch can corrupt OT, as it changed one of my Pokémon's OT from Alan to Ala1.
So I tested one of the glitch moves and it apparently does an infinite Double-Slap. ow, ow, Owwww!
With no animations on, it skips my turn, like VaeporSage said.
Wonder when we'll find a useful Gen 4 glitch move.
I can smell the trolling on Wi-Fi.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: voltage on April 21, 2014, 04:12:48 pm
It can also change the names of Pokemon, like my Claydol became nicknamed Claydole once and my Wingull became Win ull.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: Evie ✿ on April 21, 2014, 04:13:13 pm
The game froze when it hatched. :(

That's a shame. Now I wonder whether the fact that I got "-" was just a side effect of the quick Egg hatch code.

Edit: Well that code doesn't mess up a normal Egg Pokémon. (Source of code (http://www.neoseeker.com/Games/Products/gba/pokemon_emerald/gameshark_codes.html))
Edit 2: I suppose I could also have been lucky, or the "-" hatch could be a thing that works on VBA but not on the real GBA, maybe.
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berr
Post by: voltage on April 21, 2014, 04:58:55 pm
I have found something similar. Invisible Bad Decamark. Interestingly enough, when put in your party, its party sprite when visible is either a shiny palette of a party member or shiny Bulbasaur. Unlike the Invisible Bad EGG, it's safe to look at its summary.

I have pictures of this now. (https://imgur.com/a/3TiUE) I apologize in advance for the poor quality...but the Bad Decamark was totally worth the Bad Eggs for me. Oddly enough, you can't view the Hall of Fame record with this Decamark from the PC.

I found it by searching for every invisible pokemon after corruption in Box 1/2 and through save scumming, I was able to figure out which one was the Bad Decamark.
Title: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: pokechu22 on April 21, 2014, 06:32:14 pm
I have found something similar. Invisible Bad Decamark. Interestingly enough, when put in your party, its party sprite when visible is either a shiny palette of a party member or shiny Bulbasaur. Unlike the Invisible Bad EGG, it's safe to look at its summary.

I have pictures of this now. (https://imgur.com/a/3TiUE) I apologize in advance for the poor quality...but the Bad Decamark was totally worth the Bad Eggs for me. Oddly enough, you can't view the Hall of Fame record with this Decamark from the PC.

I found it by searching for every invisible pokemon after corruption in Box 1/2 and through save scumming, I was able to figure out which one was the Bad Decamark.

I've seen bad Decamarks a few times before. 

They occasionally appear in FireRed when scrolling up in the summary. 

(http://i.imgur.com/M3KRO0O.png)

Importantly, the game partially treats it as an egg: You cannot view the moves or stats page, as the game skips over them.  This also allows you to pass by it without the game crashing if you encounter one where that happens. 



EDIT: Also, this post's name is way too long.  I was getting an Over 80 characters warning, which is annoying.  It also scrolls stuff too far to fit in my feed. 
Title: Re: Pokemon FRLG/E: Clone Pokémon and get Bad EGGs/Glitch Moves using Pomeg Berry!
Post by: luckytyphlosion on April 21, 2014, 06:39:19 pm
I'll change it.
EDIT: Changed.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on April 22, 2014, 05:31:58 am
Neither the Pokémon in my Daycare nor the Egg they produced was distorted. I mustn't have scrolled up very far when I corrupted everything.

When viewed on its summary screen, Smeargle's glitch move is called (roughly) Ù Ñ  Ô ÑK À À Ñ À. So I'll refer to it as Unonkaana from now on.

However, while we all have this glitch move with this effect (Torchickens, luckytyphlosion and Werster have all found it), the name of this glitch move seems to vary between players. Additionally, mine was found on the Bad Egg in slot 5, Box 1, whereas Werster found his in slot 3 of Box 1. Could it be that these are a bunch of different moves that happen to cause the same effect?  :???:

Anyway, I tested out my Unonkaana a little more. Trying to delete it at the Move Deleter causes the screen to freeze violently, changing the screen's colour to pink-purple. Unonkaana does NOT want to be deleted.  :P

Unonkaana is a TOUGH move with a rating of 4 hearts, but in an actual Contest, the game freezes once it comes to your turn.  :D
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on April 22, 2014, 04:53:44 pm
Adding lots of edits to this post as I go along

Different glitch moves give different results, so it makes sense they would actually be different and have different names. That much seems super obvious. The three I've come across that seem to actually change the way the battle plays are:

Changing the battle to Prof Birch's battle asking you to stay (can't flee, but can catch/Fluffy Tail) Eg: http://puu.sh/8ju7i.png | Came from Level 7 Abra with only Teleport
Changing the battle to an ordinary wild battle (Can also flee): Eg: http://puu.sh/8jteT.png | Came from Level 5 Beldum with only Take Down
Immediately ending the battle as soon as you close the attack menu Eg: http://puu.sh/8jueO.jpg | Came from Level 25 Tentacool with Dive/Waterfall/Acid/Bubblebeam
Edit: Here's another one that gave Instant Victory (was the first one I got, just replicated it) http://puu.sh/8jGRJ.png | Came from Level 5 Beldum with only Take Down

It also seems that very often the same Pokemon get corrupted in the same way no matter their position in the box. What I mean by that is, my box was full of clones, and if one Tentacool got distorted in that way, all 4 of them did. I do emphasise "very often" though, because I did come across one instance with Beldum where only the one in slot 30 of box 1 got a glitch move, the rest were intact.

Other moves I have come across that actually worked:

"A FIGHTING move" put the opponent to sleep (never seems to miss?) http://puu.sh/8jtnP.png | Came from Level 25 Tentacool with Dive/Waterfall/Acid/Bubblebeam
Edit: Another exact instance with a different name http://puu.sh/8jAl0.png | Came from Level 40 Sudowoodo with Flail/Low Kick/Rock Slide/Block

"A GHOST move" acted like Explosion/Selfdestruct http://puu.sh/8juMF.jpg | Came from level 60 Metagross with Meteor Mash/Aerial Ace/Explosion/Psychic
"A GHOST move" low power, 10-20, restored half health like Absorb http://puu.sh/8jAXg.png | Came from Level 70 Groudon with Fire Blast/Rest/Fissure/Solarbeam
"A WATER move" seemed to just be a really basic attack with around 20 power http://puu.sh/8jyCs.png | Came from Level 28 Wingull with Water Gun/Supersonic/Wing Attack/Mist (Also this was the first one I tried to watch the battle animation of. The game crashed if I had animations on)
"A NORMAL move" rose attack one stage http://puu.sh/8jyVk.png | Came from Level 6 Taillow with Peck/Growl/Focus Energy/Fly
"A NORMAL move" used spikes http://puu.sh/8jAtv.png | Came from Level 40 Sudowoodo with Flail/Low Kick/Rock Slide/Block
"A POISON move" seemed to be about 100 power and could burn (maybe 30%) http://puu.sh/8jBud.png | Came from Level 25 Oddish with Poisonpowder/Stunspore/Sleeppowder/Acid
"A DRAGON move" always seemed to miss and crashed ala HJK http://puu.sh/8jE0E.png | Came from Level 7 Abra with only Teleport
Edit: Got this again but with slightly different other moves http://puu.sh/8jHnT.png | Came from Level 6 Taillow with Peck/Growl/Focus Energy/Fly. Might be able to derive where the moves are coming from from this??

"d you like to record your battle" worked like Recover http://puu.sh/8jI5I | Came from Level 36 Zubat with Wing Attack/Confuse Ray/Air Cutter/Mean Look
"some huge string of characters that went on for 4 overflowed textboxes" acted exactly like Bide http://puu.sh/8juts.jpg | Came from level 60 Metagross with Meteor Mash/Aerial Ace/Explosion/Psychic
"String of character that went for 1 textbox" acted like Splash, "But nothing happened!" http://puu.sh/8jB6z.png (And before you ask, yes I did try to use it in Rain) | Came from Level 70 Groudon with Fire Blast/Rest/Fissure/Solarbeam

Found another move that seemed to have 0 accuracy, so I went through the trouble of getting a Smeargle to check it to see what it was. Game froze when I got to this screen http://puu.sh/8jCKZ.png

Anything with this move http://puu.sh/8jGBz.png seems to softlock the game. Can move around until you try to advance the game (A or B) then it locks up

(A few others too that I don't have pictures of, will update if anything different found)

Additionally, Bad Eggs can get various Held Items. I've seen Focus Bands and what I think was a Quick Claw, along with a bunch of ?, but none of them can be taken. Also of note: I had a Latios with Protect/Refresh/Luster Purge/Psychic that turned into this: http://puu.sh/8jtFa.png

So to me it seems like somewhere along the line it's advancing the hex number of some moves by a certain amount, which generally comes to be a glitch move (which there seem to be quite a few of, with a lot of varied effects), but occasionally come back to a regular move. I also had something similar happen with my Abra getting Scratch and Vine Whip

I can't figure out where it determines which Pokemon in the boxes get corrupted, nor their moves either. It's somewhere before you start the battle where you do the corruption, because if you reload a savestate in front of a Wild Pokemon and then scroll up, you get the same results (but how far you scroll up determines how many Pokemon get corrupted, to a certain point) I also did the same thing with the same Wild Pokemon, and got different results (scrolling up 50 times against a Level 3 Female Wurmple corrupted half my box, but scroll up 50 times against a different Level 3 Female Wurmple corrupted the other half of my box) http://puu.sh/8jwFx.jpg vs http://puu.sh/8jwGG.jpg (And as you can see from the second pic, I also had the slight name change)

So it could be the stats of that Pokemon? The tile on the map you encounter the battle? Quite possibly something else entirely I'm not thinking of, just trying to think of a way to control the outcomes

Another one I got: What seemed to be an invisible Poke http://puu.sh/8jwRQ.jpg There was no indication there was a Pokemon there, I was trying to hit B but accidentally got A and the message showed up to withdraw it. It says it's a bad egg but has no sprite in the menu http://puu.sh/8jx8C.png . In battle it sparkled (think it was just an added effect with a ball, but not one I could identify) http://puu.sh/8jx1S.png But it had no moves so didn't really help much. Looking at its summary screen for long enough reset the game http://puu.sh/8jxqR.png

Got a normal Egg instead of a Bad one http://puu.sh/8jA0v.png Came from a Level 60 Latios that was originally caught in a Master Ball http://puu.sh/8jzRF.png

Got the Repel modifier one. Seemed to go to 999 steps by my count, but that might be off by a few. Happened while scrolling up through the Pokemon, had nothing to do with the Bad Eggs
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on April 22, 2014, 05:36:22 pm
Another weird one I got: What seemed to be an invisible Poke http://puu.sh/8jwRQ.jpg There was no indication there was a Pokemon there, I was trying to hit B but accidentally got A and the message showed up to withdraw it. It says it's a bad egg but has no sprite in the menu http://puu.sh/8jx8C.png . In battle it sparkled (think it was just an added effect with a ball, but not one I could identify) http://puu.sh/8jx1S.png But it had no moves so didn't really help much. Looking at its summary screen for long enough reset the game http://puu.sh/8jxqR.png

I came across this and two similar ones (but with no sprite, not even glitch sprites) when I found my Bad Decamark.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on April 22, 2014, 05:43:35 pm
Alright yeah I just got a Bad Decamark too. Seems like it comes from a Pokemon actually being in that spot, and then turning invisible, whereas the Black Bad Egg comes from seemingly nothing, as those slots were blank when I found them

Edit: Nevermind, seems more like I always get a bad decamark whenever I don't have 6 Pokemon in my party (only 4 dead, and withdraw only 1 bad egg) Also I managed to get a Black Bad Egg to have moves by withdrawing a blank with a visible Bad Egg, and could escape from trainer battles http://puu.sh/8jzIB.png
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on April 22, 2014, 05:52:33 pm
What would happen if you try to beat a Trainer Battle mutated into a Wild battle? Would the battle end as a wild battle, or would the trainer send out another Pokémon. Same with the Battle Frontier. (To avoid whiting out, get a wild smeargle to sketch the glitch move)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on April 22, 2014, 05:55:48 pm
I'd imagine it'd end, as that's what it does in Gen 1, but I can test that out later if no one else does
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on April 22, 2014, 06:41:01 pm
What would happen if you try to beat a Trainer Battle mutated into a Wild battle? Would the battle end as a wild battle, or would the trainer send out another Pokémon. Same with the Battle Frontier. (To avoid whiting out, get a wild smeargle to sketch the glitch move)

I can partially answer that: Move 0F0A (I think) caused the game to become a safari battle after switching it around a few times (in firered).  However, you had Pokémon out.  So you could attack.  If you did attack, the opponent would take damage, but you couldn't win it, as safari battles can't be won via damage. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on April 22, 2014, 07:37:21 pm
This one seemed pretty interesting, so I'm making a new post for this. Came from a Level 29 Vulpix with Will-o-Wisp/Confuse Ray/Imprison/Flamethrower

This move http://puu.sh/8jET5.png is called "Deeply" and raised attack 2 stages.

This move http://puu.sh/8jETI.png is ..weird. It does this: http://puu.sh/8jF0J.png and then when you advance the textbox http://puu.sh/8jF3c.jpg It does indeed OHKO if it hits, but can miss. Both moves also seemed to have increased priority.

What I found more peculiar was after I opened the attack menu, I could no longer use items, which I found annoying because I was trying to catch the Smeargle after I caught it. After checking my Pokemon and coming back, this happened. http://puu.sh/8jEyo.jpg

I then had the idea to use a Revive, then go to attacks, and then switch. http://puu.sh/8jFfz.jpg Going to the Pokemon menu at anytime switches it back to this screen though http://puu.sh/8jFnf.jpg

Edit: Trying to test Smeargle in Battle Frontier, unfortunately the move I have has 0 accuracy so I can't kill anything. Things to note though, you don't actually lose the battle when you catch a Pokemon, it ends in a draw, which can get you the win in Battle Dome. Also The opposing Pokemon flees on turn 2, which can get you easy wins in Pyramid (and also gives you more vision from Wild Pokemon)

Edit: Welp... got the result https://www.youtube.com/watch?v=9k49yd4yw0I
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Hālian on April 22, 2014, 10:33:23 pm
Oh hey there. Didn't notice you joined. What up, Werster? :D
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on April 23, 2014, 04:36:50 am
Seems like performing this glitch will randomly write a value into a Pokemon in PC. I discovered that performing this glitch will write a glitch move into the 20th Pokemon of Box 1. In this case, it changed my Mightyena's Take down to i ÏQ ÂAA←IÂÖÜ. (0x4024). However, this move just simply freezes the game with "Bad EGG used a DRAGON move!"

(http://i.imgur.com/nYSkjiu.png)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on April 23, 2014, 03:31:30 pm
Just a theory (don't criticize me if I'm wrong, I don't know programming), but I was thinking when you have the cursor over a Glitch/Box Pokemon in the glitched Party, you would be changing the value if the Pokémon was highlighted or not, which would correspond to a Pokemon Box Value, but the value wouldn't be changed back. When the value is changed, it makes a Pokémon invalid, so it becomes a Bad EGG. It also could be overwriting different values (moves, markings, OT etc.).

Just a thought though, so don't take it too seriously.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on April 23, 2014, 04:06:49 pm
Just a theory (don't criticize me if I'm wrong, I don't know programming), but I was thinking when you have the cursor over a Glitch/Box Pokemon in the glitched Party, you would be changing the value if the Pokémon was highlighted or not, which would correspond to a Pokemon Box Value, but the value wouldn't be changed back. When the value is changed, it makes a Pokémon invalid, so it becomes a Bad EGG. It also could be overwriting different values (moves, markings, OT etc.).

Just a thought though, so don't take it too seriously.

Even if it was changed back, the game would set it to 0.  Which would cause corruption.  You're probably correct.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on April 23, 2014, 04:30:54 pm
Welcome to the forums, werster. I know that you posted on the temporary forums before about the Generation II map distortion (party overload) glitch and it's nice to see you're still interested in sharing your findings with us.

Thanks for your research on the different moves you can get and their effects. It's good you've distinguished some ones that can let you end a Trainer battle but have different effects.

Seems like performing this glitch will randomly write a value into a Pokemon in PC. I discovered that performing this glitch will write a glitch move into the 20th Pokemon of Box 1. In this case, it changed my Mightyena's Take down to i ÏQ ÂAA←IÂÖÜ. (0x4024). However, this move just simply freezes the game with "Bad EGG used a DRAGON move!"

(http://i.imgur.com/nYSkjiu.png)

This is what luckytyphlosion, myself, VaeporSage, werster and others have been experimenting with recently. The Pokémon that receives a glitch move is random, but once you enter battle, the results are (apparently) the same from that point, as long as you scroll up to the area (one slot each from FF up to D7 or so) you want to corrupt.

I can't figure out where it determines which Pokemon in the boxes get corrupted, nor their moves either. It's somewhere before you start the battle where you do the corruption, because if you reload a savestate in front of a Wild Pokemon and then scroll up, you get the same results (but how far you scroll up determines how many Pokemon get corrupted, to a certain point) I also did the same thing with the same Wild Pokemon, and got different results (scrolling up 50 times against a Level 3 Female Wurmple corrupted half my box, but scroll up 50 times against a different Level 3 Female Wurmple corrupted the other half of my box) http://puu.sh/8jwFx.jpg vs http://puu.sh/8jwGG.jpg (And as you can see from the second pic, I also had the slight name change)

So it could be the stats of that Pokemon? The tile on the map you encounter the battle? Quite possibly something else entirely I'm not thinking of, just trying to think of a way to control the outcomes

The box data values affected are randomized a lot, apparently to validate the Pokémon. They are 'dynamic':

They are affected when you:

1) Open and close the boxes. Doing this can change where boxed Pokémon data for a specific Pokémon begins.
2) Open then close the Pokémon menu from out of battle.
3) Enter a warp
4) Open then close the Pokédex
5) Open then close the Bag
6) Open/close the PokéNav
7) Open/close the Trainer Card/Frontier Pass screen
8) Open/close the Option screen
9) Soft-reset and select Continue (this wouldn't even be helpful if it wasn't randomized, because the game wouldn't have you send out the Decamark; you have to have switched to the last Pokémon in the current session)

This is quite possibly related to what gets corrupted and what doesn't. It's a shame entering a battle itself randomizes the values.

Note that the set of values you got one time may return! If you have a save state just before getting an encounter to send out your Decamark, it's possible that you'll get the same values and therefore the same Bad EGGs/glitch moves when you enter battle and scroll up the same number of times. It's also likely that you'll get different results though. Also, getting an encounter on the same tile doesn't mean you'll get the same results.

Which values may you change indiscriminately in the Pokémon data structure without a Pokémon turning into a Bad EGG?
 
Simply messing with the personality value can turn a Pokémon into a Bad EGG. This (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_III) article is written as if it must be the 48 byte 'data' section that should have a correct checksum (computed by adding all of the unencrypted values of that section one word at a time), but why would changing the personality value that is outside of that data section matter?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TSK on April 24, 2014, 01:58:11 am
This glitch intrigues me greatly so I've dug up my limited debug skills and have started taking a look around. So far I've only managed to reinvent the wheel and found out where box data is stored in RAM. Now that I have this though I might be able to uncover some more interesting stuff.

For those that it may help, the following address seems to hold the box data base pointer at all times: 03005d94
Box 1 slot 1 data can be found by incrementing the pointer by 4.
You can verify this by opening up a memory viewer and having a look at the pointed to location, if you move the pokemon in BOX 1 slot 1 a chunk of memory will become 0.

EDIT: I should mention this is for pokemon emerald with version string "POKEMON EMERBPEE01".
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on April 24, 2014, 03:12:59 am
Thanks TSK.

I thought it'd be good to mention; I've been using A-Save (http://projectpokemon.org/forums/showthread.php?31254-A-Save-(3rd-Generation-Save-Editor)) to get a better idea of which Pokémon were corrupted. A-Save wrongly recognizes some Pokémon as not being Bad EGGs, but for them, you can see their entire moveset, taking guess work away (that's unless the program wrongly calls a glitch move '-').

Those Pokémon that actually show up as "Bad EGG" may have glitch moves, but you can't use A-Save to view their moves. I also got a freeze on A-Save at one point when viewing a Pokémon, so keep that in mind that something about the Pokémon may cause it to freeze.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on April 24, 2014, 09:38:04 am
Simply messing with the personality value can turn a Pokémon into a Bad EGG. This (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_structure_in_Generation_III) article is written as if it must be the 48 byte 'data' section that should have a correct checksum (computed by adding all of the unencrypted values of that section one word at a time), but why would changing the personality value that is outside of that data section matter?
Because the personality value is part of the 48-byte data decryption key. If you change it, the decrypted data will be inaccurate and will not match the checksum.

The decryption process can be explained by this pseudo code (personality value, OT ID and secret OT ID are little endian) :
Code:
i = 0
s = (secret_ot_id left shift 16 bits) and 0xffff0000
key = personality_value xor (ot_id + s)
repeat
    t = readIntLE() // reads 4 bytes and stores in 32-bit integer in little endian order
    r = t xor key
    data[i * 4] = r and 0xff
    data[i * 4 + 1] = (r right shift 8 bits) and 0xff
    data[i * 4 + 2] = (r right shift 16 bits) and 0xff
    data[i * 4 + 3] = (r right shift 24 bits) and 0xff
    i = i + 1
until i = 12

Anyway, even though I changed the bad egg's checksum to match what it should be, the game still interpreted it as a bad egg.
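The key derivation and checksum check described in the post above, as an added Python example (not code from the thread or from the game). The field offsets and the 16-bit word size of the checksum are assumptions taken from the Bulbapedia layout linked earlier, and the sample record is constructed.

```python
import struct

# Field offsets in the 80-byte boxed-Pokémon record. Assumption: these follow
# the Bulbapedia "Pokémon data structure in Generation III" layout linked above.
OFF_PERSONALITY = 0   # u32, little endian
OFF_OT_ID = 4         # u32: low 16 bits = OT ID, high 16 bits = secret OT ID
OFF_NICKNAME = 8      # start of the nickname, outside the key and the data
OFF_CHECKSUM = 28     # u16
OFF_DATA = 32         # start of the 48 encrypted bytes
DATA_LEN = 48
RECORD_LEN = 80


def derive_key(personality_value, ot_id, secret_ot_id):
    """key = personality_value xor (ot_id + (secret_ot_id << 16))."""
    s = (secret_ot_id << 16) & 0xFFFF0000
    return (personality_value ^ (s + (ot_id & 0xFFFF))) & 0xFFFFFFFF


def xor_data(data, key):
    """XOR twelve little-endian 32-bit words with the key (same op both ways)."""
    if len(data) != DATA_LEN:
        raise ValueError("data section must be exactly 48 bytes")
    words = struct.unpack("<12I", data)
    return struct.pack("<12I", *(w ^ key for w in words))


def checksum16(plain):
    """Add the unencrypted data as 24 little-endian 16-bit words, keep 16 bits."""
    if len(plain) != DATA_LEN:
        raise ValueError("data section must be exactly 48 bytes")
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def build_record(personality_value, ot_id, secret_ot_id, plain):
    """Assemble a record with a correct checksum and encrypted data section."""
    record = bytearray(RECORD_LEN)
    struct.pack_into("<I", record, OFF_PERSONALITY, personality_value)
    struct.pack_into("<I", record, OFF_OT_ID, (secret_ot_id << 16) | ot_id)
    struct.pack_into("<H", record, OFF_CHECKSUM, checksum16(plain))
    key = derive_key(personality_value, ot_id, secret_ot_id)
    record[OFF_DATA:OFF_DATA + DATA_LEN] = xor_data(plain, key)
    return bytes(record)


def check_record(record):
    """Return (stored_checksum, computed_checksum, matches) for one record."""
    if len(record) != RECORD_LEN:
        raise ValueError("boxed record must be exactly 80 bytes")
    personality_value, full_ot = struct.unpack_from("<II", record, OFF_PERSONALITY)
    (stored,) = struct.unpack_from("<H", record, OFF_CHECKSUM)
    key = derive_key(personality_value, full_ot & 0xFFFF, full_ot >> 16)
    plain = xor_data(record[OFF_DATA:OFF_DATA + DATA_LEN], key)
    computed = checksum16(plain)
    return stored, computed, stored == computed


def flip_bit(record, byte_offset, bit):
    """Return a copy of the record with one bit inverted (simulated corruption)."""
    out = bytearray(record)
    out[byte_offset] ^= 1 << bit
    return bytes(out)


# Constructed sample: the data bytes and IDs are made up for the demonstration.
SAMPLE_PLAIN = bytes(range(DATA_LEN))
SAMPLE_RECORD = build_record(0x12345678, 12345, 54321, SAMPLE_PLAIN)

if __name__ == "__main__":
    cases = {
        "untouched record": SAMPLE_RECORD,
        "personality value, bit 0 flipped": flip_bit(SAMPLE_RECORD, OFF_PERSONALITY, 0),
        "nickname byte, bit 0 flipped": flip_bit(SAMPLE_RECORD, OFF_NICKNAME, 0),
        "encrypted data byte, bit 0 flipped": flip_bit(SAMPLE_RECORD, OFF_DATA, 0),
    }
    for label, rec in cases.items():
        stored, computed, ok = check_record(rec)
        print(f"{label:36s} stored={stored:#06x} computed={computed:#06x} match={ok}")
```

The nickname case only shows that the checksum comparison ignores that field; as the post notes, a record can still be treated as a Bad EGG after its checksum is corrected.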
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on April 24, 2014, 12:13:28 pm
So I played around with my Ruby cart a few minutes ago. The one where I messed with cheats ages ago, so it has no Pokémon but can access the blank party, enabling me to access Pokémon beyond the sixth slot.

First thing I tried was scrolling up, after about 26 or so Pokémon a freeze happened.

Next thing I tried was switching: amazingly, it worked, and I put a bad egg in the front of my party (and when I B'd out of the party menu and went back in again, freeze..)

So I tried switching again. With a Bad Egg in the front of my party I got Torchic. This enabled me to have Torchic, and the Bad Egg too. Too bad that accessing the summary of that Bad Egg resulted in a freeze.

So I tried going into the summary of one of the "blank" Pokémon (everything being 0) at the end, and B'ing out of it. This removed the graphical glitches that happened when scrolling up, and I could scroll up more! So I scrolled up an arbitrary amount of Pokémon and pressed A. Which selected a Pokémon with random, improperly-terminated name (hello, some location in RAM!), and stopped a channel or two of the music. This got me scared as to what would happen when I B'd out of the party, or checked its summary, so I reset, and tried the same thing again, to get another Pokémon with a random name (I believe it was ÇÀ▲▲, though I probably got the accent on the A wrong). This time, the music remained fine. Those two were probably just nicknamed Bad Eggs or something..

For what it's worth, the Bad Egg that I switched to the front of the party was asleep.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on April 24, 2014, 12:24:16 pm
So I played around with my Ruby cart a few minutes ago. The one where I messed with cheats ages ago, so it has no Pokémon but can access the blank party, enabling me to access Pokémon beyond the sixth slot.

First thing I tried was scrolling up, after about 26 or so Pokémon a freeze happened.

Next thing I tried was switching: amazingly, it worked, and I put a bad egg in the front of my party (and when I B'd out of the party menu and went back in again, freeze..)

So I tried switching again. With a Bad Egg in the front of my party I got Torchic. This enabled me to have Torchic, and the Bad Egg too. Too bad that accessing the summary of that Bad Egg resulted in a freeze.

So I tried going into the summary of one of the "blank" Pokémon (everything being 0) at the end, and B'ing out of it. This removed the graphical glitches that happened when scrolling up, and I could scroll up more! So I scrolled up an arbitrary amount of Pokémon and pressed A. Which selected a Pokémon with random, improperly-terminated name (hello, some location in RAM!), and stopped a channel or two of the music. This got me scared as to what would happen when I B'd out of the party, or checked its summary, so I reset, and tried the same thing again, to get another Pokémon with a random name (I believe it was ÇÀ▲▲, though I probably got the accent on the A wrong). This time, the music remained fine. Those two were probably just nicknamed Bad Eggs or something..

For what it's worth, the Bad Egg that I switched to the front of the party was asleep.

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TSK on April 24, 2014, 12:26:29 pm
I don't know if there are any others here interested in debugging this glitch to figure out its inner workings but I'll post my progress here anyway.

I have identified a function that is responsible for part of the corruption. When disabling the writing part of the function the box corruption is greatly reduced but not gone entirely.
This function is located at 0806A6C8. I have yet to formulate a clue as to what this function is supposed to do though.
A thing to note about this thing is that it seems to only be executed when executing the glitch and not when regularly using the pokemon menu. Which kinda has me stumped.

Also of note is that the corruption happens while stepping back through RAM. It starts at about 0202A888 and moves back from there.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on April 24, 2014, 03:37:49 pm
I don't know if there are any others here interested in debugging this glitch to figure out its inner workings but I'll post my progress here anyway.

I would be interested in debugging it, but I wouldn't be any help as I don't know arm asm..
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on April 24, 2014, 03:42:29 pm
So I played around with my Ruby cart a few minutes ago. The one where I messed with cheats ages ago, so it has no Pokémon but can access the blank party, enabling me to access Pokémon beyond the sixth slot.

First thing I tried was scrolling up, after about 26 or so Pokémon a freeze happened.

Next thing I tried was switching: amazingly, it worked, and I put a bad egg in the front of my party (and when I B'd out of the party menu and went back in again, freeze..)

So I tried switching again. With a Bad Egg in the front of my party I got Torchic. This enabled me to have Torchic, and the Bad Egg too. Too bad that accessing the summary of that Bad Egg resulted in a freeze.

So I tried going into the summary of one of the "blank" Pokémon (everything being 0) at the end, and B'ing out of it. This removed the graphical glitches that happened when scrolling up, and I could scroll up more! So I scrolled up an arbitrary amount of Pokémon and pressed A. Which selected a Pokémon with random, improperly-terminated name (hello, some location in RAM!), and stopped a channel or two of the music. This got me scared as to what would happen when I B'd out of the party, or checked its summary, so I reset, and tried the same thing again, to get another Pokémon with a random name (I believe it was ÇÀ▲▲, though I probably got the accent on the A wrong). This time, the music remained fine. Those two were probably just nicknamed Bad Eggs or something..

For what it's worth, the Bad Egg that I switched to the front of the party was asleep.

One thing I found a while ago: One of the major factors of freezes from bad eggs are the MARK attributes.  If you view it in a PC, it will show signs of broken marks.  Changing the marks and pressing OK seems to partially stabilize it. 

Of course, if it has another unstable feature (Bad move/type, etc.), the game will still crash. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on April 24, 2014, 04:05:12 pm
Wonder if it's possible to access beyond the sixth slot in the Overworld using "Invisible Shiny Bad EGGs/Bulbasaurs"

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

VaeporSage found a glitch to faint Pokémon in the overworld in Ruby/Sapphire with the tricky use of an Evo stone/Hp Up. From there you can possibly get a #000 Decamark in RS to glitch out the game, unless you can only do this using cheats.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on April 24, 2014, 04:22:52 pm
Wonder if it's possible to access beyond the sixth slot in the Overworld using "Invisible Shiny Bad EGGs/Bulbasaurs"

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

VaeporSage found a glitch to faint Pokémon in the overworld in Ruby/Sapphire with the tricky use of an Evo stone/Hp Up. From there you can possibly get a #000 Decamark in RS to glitch out the game, unless you can only do this using cheats.

I fainted all my pokémon using a Gameshark code instead to save time. However I couldn't prevent the 000 decamark from vanishing, nor access beyond the 6th pokémon.

It'd be totally possible without cheats if we find a way to access the hidden pokémon in the overworld, which afaik, is only possible with cheat/ROM hack.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on April 24, 2014, 04:28:09 pm
I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

I've done something like that in firered: I messed up my gameshark codes trying to get master balls and ended up corrupting my TM pouch.  Opening it caused the game to freak out.  I'll get some screenshots.

On exiting, I got other glitch effects.  For example, my party was BAD EGGS, and my name was (something long with lots of É É É É somewhere in it).  Going to the overworld (from mount moon, pokemon center side) caused my sprite to be something weird (I need to get another image).  Entering the Pokémon Center triggered an annoying glitch noise, but did not freeze the game.  Exiting the center did freeze the game. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on April 24, 2014, 05:35:34 pm
Okay, so I looked better at the savestate, and the game actually saves (so I only need the savefile for sharing purposes). What I find interesting is that it had resembled ZZAZZ for me, but it IS essentially a ZZAZZ for Gen 3. But instead of 99, the game got filled with 51A0 instead. So my name becomes a bunch of gibberish that gets beyond it's supposed to and both my ID/SID becomes 41041. But upon looking at the "sane" savefile and other savefile of my own, the pattern of 51A0 was apparently only present in that savefile (and its sane version) but not in my own (the savefile in question is a "100%" downloaded from Gamefaqs iirc, with the OT "TERRA"), so I'm pretty sure the effects wouldn't be replicable since the pattern seems particular to the downloaded one. I put the afflicted savefile in the description anyway. If beyond-6th-slot switching becomes possible, maybe it'd be possible to do something like this, but the effects would be different.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on April 26, 2014, 02:04:53 pm
VaeporSage found a glitch to faint Pokémon in the overworld in Ruby/Sapphire with the tricky use of an Evo stone/Hp Up. From there you can possibly get a #000 Decamark in RS to glitch out the game, unless you can only do this using cheats.

Unfortunately, while sending out a Decamark in R/S is possible in this way, the game will not allow you to view Pokémon beyond the sixth slot. Additionally, the Pokémon in the sixth slot cannot be accessed whatsoever during the battle.  :(

More bad news: experimentation with glitch moves in B/W may be impossible. On attempting to migrate my Smeargle with Unonkaana (glitch move that changes trainer battles to wild battles), the migration process ended as though I had turned off the game. I tried again only to get the same result.

Perhaps different (less volatile?) moves will function differently when sent to B/W, but I wouldn't count on it.  :-\
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on April 27, 2014, 07:24:57 am
Welp, guess we won't have glitch Gen 5 moves OR RS glitch moves :(.

Wonder what would happen if you used an AR to get a glitch move in gen 5?

EDIT: Is it possible to change IVs with Bad EGG corruption?

EDIT2: Now that I think about it, if the IVs were changed, the Pokémon would probably turn into a Bad EGG.

Well, XD: Gale of Darkness has given very disappointing results. On a positive note, the game didn't freeze when I traded Smeargle over; but XD: GoD basically ignored the glitch move altogether...

When Smeargle was sent out, all I got for my efforts was "Smeargle has no moves left."
Have you tried testing it on XD/Colosseum with more than just a glitch move to see what would happen? It could also be possible that the Glitch move has 0/0 pp or something like that, but I doubt it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 02, 2014, 02:26:35 am
Have you tried testing it on XD/Colosseum with more than just a glitch move to see what would happen? It could also be possible that the Glitch move has 0/0 pp or something like that, but I doubt it.

Late reply, I didn't notice the edit. :P

That's a good idea, and I'll give that a try.

~~~~~

In other news, I've found a really cool trick for everyone to play around with. After catching trainers' Pokémon and turning them into Bad Eggs, most of them will crash the game when you try to select a move. However, allowing a wild Ditto to Transform into the caught Bad Egg means that the game will not crash when the moves are used. In this way, Smeargles can then copy the glitch moves of glitched "trainers' Pokémon".

Notably, this may mean that we all could replicate the same moves on every game. For example, the one I've been testing recently is the Bad Egg that was born as Elite Four Drake's Shelgon. One of this "Shelgon"'s moves is a very long string of glitch letters that I've copied with Smeargle. It turns wild battles into Battle Frontier battles - with "Items can't be used now." and such. Another glitch move on this "Shelgon" was "u[circumflex] began growling loudly!"

If someone finds their caught Drake's Shelgon to be identical, we have just cut down on a ton of the randomness inherent in this glitch.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 04, 2014, 08:53:50 am
I need help with something. I figure that the Bad Eggs I've caught are all holding items. I have 22 opponents' Pokemon caught and detailed that turned into Bad Eggs. However, there seems to be no wild Pokemon that know the moves Trick, Thief or Covet.  :???:

Would there be a trainer I could fight whose Pokemon could steal my Bad Egg's item, whereby I could then switch in one of my Pokemon to steal it back and keep it? If Bad Eggs' held items are as randomised as their movesets and stats, then obtaining glitched items could be a real winner.

~~~~~

Anyway, more fun stuff: almost all caught Bad Eggs come with Pokerus if you need that for whatever reason. Given that normally it is nearly three times rarer than shiny Pokemon, it's nice to be able to guarantee its appearance.  8)

If you have taught a Smeargle certain glitch moves that crash the game by looking at them on the summary screen, it's sometimes possible to crash the game in such a way that particular channels of the game's music are disabled. It's cool to hear the soundtrack 'remixed' in this way, with elements of the accompaniment strongly emphasised, for example.

Well, XD: Gale of Darkness has given very disappointing results. On a positive note, the game didn't freeze when I traded Smeargle over; but XD: GoD basically ignored the glitch move altogether...

When Smeargle was sent out, all I got for my efforts was "Smeargle has no moves left."
Have you tried testing it on XD/Colosseum with more than just a glitch move to see what would happen? It could also be possible that the Glitch move has 0/0 pp or something like that, but I doubt it.

I have now tried this, and unfortunately XD: Gale of Darkness seems perfectly immune to this style of glitching.  :P

Though when I sent the Smeargles back to Emerald, they retained the exact same glitch moves with the same effects as they had before I sent them to XD.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 04, 2014, 09:19:59 am
Would there be a trainer I could fight whose Pokemon could steal my Bad Egg's item, whereby I could then switch in one of my Pokemon to steal it back and keep it?

I'm pretty sure Cooltrainer Cristin's Vigoroth/Slaking has Covet. She's at west of Lilycove. Kira&Dan also have an Illumise that has Covet at their maxed rematches nevermind this one is double battle.

EDIT: there's this dump (http://www.upokecenter.com/content/pokemon-emerald-trainer-list) but it doesn't have their moves, only TMs/HMs (there's a Linoone with Thief). And there's this thing with Match Calls and their rematches (http://www.gamefaqs.com/gba/921905-pokemon-emerald-version/faqs/44825) but apparently only the ones I mentioned have Covet at their last rematches, the others are only accessible once or so. Both Psychic Jacki and Cameron have an Alakazam with Trick on their last rematch.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 04, 2014, 09:36:27 am
I've already fought Cristin...  :-\

And my Emerald's battery has run dry, so I don't think I can rematch people via Match Call anymore. In any case, I wouldn't be able to use a Bad Egg on its own in a double battle.

If I could fix my battery, I would be able to simply make a secret base team with Thief/Covet and test items that way. But the way it is right now, I would have to go back to mixing records every time I want to face the team with each of my caught Bad Eggs - 22 of them.

Is there a 'berry glitch fix' for Emerald? I don't think what's happened to my cartridge is the berry glitch.

Edit: Those links are helpful, thanks!  8)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 04, 2014, 10:17:54 am
Is there a 'berry glitch fix' for Emerald? I don't think what's happened to my cartridge is the berry glitch.

Edit: Those links are helpful, thanks!  8)
You can still get phone calls with a dead battery, except you can only get them when you load the game.

So you could try resetting until you get a phone call.

For Trick, you could try mutating a Pokémon with trick and hope that you get a Glitch Move, but still keep Trick.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 04, 2014, 11:25:13 am
You can still get phone calls with a dead battery, except you can only get them when you load the game.

So you could try resetting until you get a phone call.

For Trick, you could try mutating a Pokémon with trick and hope that you get a Glitch Move, but still keep Trick.

According to Bulbapedia, the R/S Trainer's Eyes feature was step-based, and Match Call is apparently just an upgrade of that. So rematching via Match Call doesn't seem to be a time-based event.  :)

I got a wild Makuhita to Knock Off the items of my first two caught Bad Eggs. As both of their items were shown to be "????????", I went ahead and made a secret base trainer with an Alakazam with Trick to see what this item does.

However, my strategy of having the opponent's Alakazam Trick the Bad Egg, then switch into my Smeargle and have Alakazam re-distribute the item onto Smeargle didn't work. After the battle, the item re-appeared on the Bad Egg and not on Smeargle.  :(

I think I'll try getting one of my Pokemon to use Thief on Alakazam instead.

~~~~~

On a positive note, I've been having lots of fun catching opponents' Pokemon with Smeargle's Unonkaana move (identical in effect to Torchickens' "| {ÀÀ Ñ ÀV []" move).

Having wild Dittos Transform into the caught trainers' Pokemon (Bad Eggs) and watch them using all kinds of new glitch moves is pretty cool.  :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 05, 2014, 07:49:32 pm
On the subject of Gen 3 glitch moves, I just noticed this wiki page titled "Cool Move" (http://glitchcity.info/wiki/index.php/Cool_Move).  Seems to be similar to the "?????????? used a FIRE move" effect. 

That page could probably be updated, though. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 06, 2014, 10:46:06 am
On the subject of Gen 3 glitch moves, I just noticed this wiki page titled "Cool Move" (http://glitchcity.info/wiki/index.php/Cool_Move).  Seems to be similar to the "?????????? used a FIRE move" effect.

What kind of glitchy effects might I encounter if I find a similar move to use in contests? The page doesn't go into much detail.  :P

So far, the four glitch moves I've tested in contests just froze the game in one way or another.

I got a wild Makuhita to Knock Off the items of my first two caught Bad Eggs. As both of their items were shown to be "????????", I went ahead and made a secret base trainer with an Alakazam with Trick to see what this item does.

However, my strategy of having the opponent's Alakazam Trick the Bad Egg, then switch into my Smeargle and have Alakazam re-distribute the item onto Smeargle didn't work. After the battle, the item re-appeared on the Bad Egg and not on Smeargle.  :(

I think I'll try getting one of my Pokemon to use Thief on Alakazam instead.

This didn't work either.

I suspect that it's due to the fact that secret base battles heal your whole team afterwards, and probably reset items as well, which would explain why the Bad Egg kept the item even though my Misdreavus stole it from Alakazam. While Misdreavus held it, the summary screen clearly stated that Misdreavus was holding a "????????". (Octomarks  ;D.)

Before I go ahead and try this outside of a secret base battle (vs. Psychic Jacki or Cameron's Alakazams), could someone actually test whether items can be juggled between Pokemon in this way? I.e.

1) Send out any Pokemon with any item vs a Pokemon with Thief/Covet/Trick in-game;

2) Get the item stolen, switch into a different Pokemon, take the item back from the opponent and get outta there.

If your second Pokemon keeps the item, let me know so I can work on obtaining the Octomarks item!  :XD:
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 06, 2014, 03:41:43 pm
I corrupted a Level 47 Kadabra such that it still had its normal moves including trick, but had a ?????? item. Went into final rematch, revived pokemon, killed Solrock, and tricked the item onto Alakazam. It said that Alakazam received ??????. But then my Bad Egg was still holding an item, and when I switched to a normal Pokemon and had Alakazam Trick me it failed =(

Edit: But then I just tricked a Ditto and caught it http://puu.sh/8C13U.png
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 07, 2014, 05:26:38 am
After teaching Kadabra Trick, mutating it, tricking the glitch item to a Poochyena and transferring it to Gen 4, when I went to my box to check the item...


It wasn't even holding it :(.

So I guess the glitch item disappears when you transfer it to Gen 4. The interesting thing is that when selecting the Pokémon to transfer, it said that the Poochyena was holding a "????????", so it's still programmed into the game.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 07, 2014, 02:53:59 pm
You guys are right on it! Good work!  ;)

Does Octomarks give any funny effects when used? In battle, in overworld, when discarded, etc.?

I'll work on getting it myself tomorrow and I'll transfer it to XD: Gale of Darkness to see if it does funky stuff there too.  :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 07, 2014, 03:15:44 pm
You guys are right on it! Good work!  ;)

Does Octomarks give any funny effects when used? In battle, in overworld, when discarded, etc.?

I'll work on getting it myself tomorrow and I'll transfer it to XD: Gale of Darkness to see if it does funky stuff there too.  :)

To the best of my knowledge, none are usable and just give Professor Oak's normal omniscient "NOOOONONONONO" message (though I haven't tried all 65536 of them).  They CAN be registered to select in some cases, however.  Still can't be used. 

I haven't tried XD with them though. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 07, 2014, 03:20:44 pm
So, to a certain extent, they can display some variance between different kinds?

By any chance, is this item an 'error handler' similar to ?, ?? and Bad Eggs? Octomarks sure looks pre-programmed, what with its sprite and the fact that it seems to appear on every Bad Egg.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 07, 2014, 03:26:23 pm
So, to a certain extent, they can display some variance between different kinds?

By any chance, is this item an 'error handler' similar to ?, ?? and Bad Eggs? Octomarks sure looks pre-programmed, what with its sprite and the fact that it seems to appear on every Bad Egg.

To the best of my knowledge, yes.  All remaining hexes seem to be Octomarks. 

The only major variance I can detect is that octomarks of differing hexes do not stack



Oh yea.  If you bring a glitch item into your TM pouch, you can actually get alternate glitch items with long names that corrupt everything.  Octomark hexes there do have varying effects. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 07, 2014, 07:18:25 pm
pokechu, what do you mean by "corrupt everything"?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 07, 2014, 09:03:02 pm
pokechu, what do you mean by "corrupt everything"?

The effect varies.  It's interesting.  Each hexadecimal value gives a different item.  Move 0A is a functional TM (Teaching a glitch move: ^u 'A).  Most others aren't, and their names cause buffer overflows.  In some cases (and I'll need to upload ANOTHER video of those), the game will break completely, overriding your name, items, and all sorts of stuff. 

Here are the codes (you need to have picked up a TM before using them, so that you have the case beforehand):

Master codes:
Code:
0000295F 0001
101DC9D4 0007
83005000 0000
83005002 0000

And the important code here is 82025A00 XXXX.  I used 0001 in this example. 



Video uploaded: here (https://www.youtube.com/watch?v=G0pIXleN6bU).  It doesn't cover all of the effects, but it was just a quick test video.  I'm going to want to redo this later, surely including move 000A and some of the weirder effects. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 08, 2014, 02:19:37 pm
Does Octomarks give any funny effects when used? In battle, in overworld, when discarded, etc.?

I'll work on getting it myself tomorrow and I'll transfer it to XD: Gale of Darkness to see if it does funky stuff there too.  :)

XD: Gale of Darkness won't let you trade it. Octomarks is "an untradeable item".  :o
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 09, 2014, 04:26:11 am
So, things.

I found a glitch move that seems to turn battles into a weird mutation of the Battle Palace, Battle Arena, and Wild Pokemon battles.
https://www.youtube.com/watch?v=LEkHObY-ams
I then used that to trick the game into sending out Pokemon that...to be honest, I don't know where they were coming from
https://www.youtube.com/watch?v=-xN5SoWI318
Had a lot of fun messing around with that, managed to eventually get it onto a Smeargle too and had some more fun with it.

Other things:
I disabled being able to Fly to Ever Grande (proving it messes with other flags: http://puu.sh/8FbTk.jpg )
I managed to delete all of my TMs and all of my Berries. I did this on more than one instance, but one of the times, I added 256 to my Ultra Ball count (1 to 257, was 3rd in the list Poke-Master-Ultra)
I managed to turn a Kadabra into a Gengar inside an Egg, with Glitch moves, that hatched.
This shows you can get glitch moves on legitimate Pokemon other than Smeargle. Sadly none of the glitch moves Gengar had were battle altering, but I'm sure they could be with the right combination.

I managed to turn a Makuhita into a ?? inside an Egg that hatched. https://www.youtube.com/watch?v=zXGLIzPlOMQ
This indicated to me that maybe you can make any Pokemon by mutating it from another? (seemed consistent, turned Makuhita into ?? 3 times, Kadabra into Gengar 4). Maybe you can make event only Pokes this way? Are there other Glitch Pokemon?

I also had some Bad Eggs hold a TM (and a Band), but none of them were my Kadabras so I couldn't Trick them off to see what they actually were.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 09, 2014, 08:15:22 am
Quote
Are there other Glitch Pokemon?


?????????? appears in Bad EGGs, but I haven't messed around with glitching regular Eggs enough to get glitch Pokémon in them. Hex:0000 apparently has base stats of 0 in everything, but some ?????????? (named other things when not on the opponent's side) have great base stats.

If you scroll up a significant amount, like to cursor position $B0 you can corrupt your Daycare Pokémon and get Eggs that way. I got the glitch Pokémon "-" (http://bulbapedia.bulbagarden.net/wiki/-_(glitch_Pok%C3%A9mon)) this way and voltage got a Pokémon that unfortunately froze his game.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 09, 2014, 10:11:16 am
I then used that to trick the game into sending out Pokemon that...to be honest, I don't know where they were coming from

Past the end of your party. Shame you eventually got a freeze trying to send out a hybrid of a bad egg and the '-' pseudo-Egg.

I can't remember if there's a way to disable entry animations at all. I wish I had a working walk through walls code for Ruby, so I could mess around more with accessing Pokémon past the end of the party by cheating to get to the Pokémon menu with no Pokémon... I guess I could use a code to warp elsewhere.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 09, 2014, 02:17:32 pm
I'm assuming that glitch was a "YOP (Your Opponent Pokémon)" glitch, where you send out your opponent's Pokémon, as with the Smeargle and two Decamarks (blank spaces in the party). I think the Bad EGG is supposed to be "ÓË e Ái" in Emerald, since the trainer no longer has any Pokémon data.

Another thing, when you catch an Opponent's Pokemon and have it turn into a Bad EGG, can you spread Pokérus with the Bad EGG?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 09, 2014, 02:39:04 pm
Another thing, when you catch an Opponent's Pokemon and have it turn into a Bad EGG, can you spread Pokérus with the Bad EGG?

It's perfectly normal Pokérus.  8)

All the Bad Eggs I caught in single battles carried it, but all the Bad Eggs I caught in double battles simply had the mark to show that they'd recovered from Pokérus.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 09, 2014, 04:19:08 pm
Ruby results: Trying to use a couple of codes to fly, I found out the fly anywhere code made the game think I was in the safari zone. So I hit retire and got warped to the Safari Zone entrance where I could save.

(With that code turned on, btw, getting into a wild battle would put that battle into Safari Zone mode, and the game would freeze when the battle ended)

Just now, after a while of playing around (it's weird that going into Lilycove turned the weather into harsh sunlight with accompanying music, but this effect only happened in Lilycove), I decided to switch a bad egg to the front of my party and go into battle.

I opened the fight menu and some horrendously glitchy move did something. Part of the screen red, most of the rest black, text (with the correct background) still scrolling... A couple seconds of this and the screen goes completely black, a few seconds later the game freezes.

I guess that's the glitchiest Gen 3 move we've found to date...

edit: Tried again with another bad egg. Effects here include parts of the screen turning purple. And a freeze. Here, have a picture:

(http://i.imgur.com/jxOA8VG.jpg)

You may call me mad for testing on a real cart. But I never use it, and the RTC is dead. It's the first Pokémon game I ever owned, getting close to 10 years since I got it. It's been resting unloved for quite a while. And its last two save files were cheated on to get past the sixth slot. Now I have the time to play around with it more. (inb4 this is creepypasta and the next part is a decamark or bad egg somehow escaping my GBA SP :P)

edit 2: finally got one that doesn't freeze! Shows up as 'a NORMAL move'. Too bad it always missed for me though.

(http://i.imgur.com/IUuZdsf.jpg)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 10, 2014, 01:27:15 am
Okay, so I took some time to actually experiment with this.

I tried doing Torchickens' thing of corrupting the parents in Daycare, but every time they made an egg the game froze. :( Which parents did you use to get the -, Torchickens?

Then I went into trying to corrupt the boxes again and again (reloading the previous states) and changing areas, and was mostly looking at how some of them became regular eggs, like Werster did to get the ??. Apparently, at least on my save, my "lucky spots" (where I got eggs more often) are B1 5,3 and B2 3,2. But I also got one in B1 2,4 (not 100% sure if it was this spot) and B2 3,1. Something I noticed is that pokés that become EGGs in box 1 actually always advance to the same pokémon no matter what sacrifice it was and they have the same moveset: B1 5,3 was always Bulbasaur with Blaze Kick and other 3 glitch moves, B1 2,4 or whatever the spot was had Seel with moves I don't remember, but glitch ones. The ones in Box 2 kept their original pokémon but learned glitch moves (the same ones Werster's ?? has, iirc). It's possible that Werster could still get ?? or Gengar if he moved something to Makuhita's or Kadabra's spot, but it seems that what pokémon is corrupted varies on both how the box is set up, and on luck itself.

Interestingly, my bad eggs sometimes held Aurora Ticket (normally only obtainable via event) and Vs Seeker (FRLG exclusive item), but I couldn't take it from them. Also, I managed to get Repel effect, and to get Fortree corrupted (http://puu.sh/8GlU6.png) as I whited out, but upon flying back to it, it got fixed.

And then I found a shiny Lombre (http://puu.sh/8GmKL.png) completely unrelated to anything, before even corrupting the stuff. Couldn't resist and captured it, f**k my Pomeg setup lol.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 10, 2014, 07:34:24 am
I think I just had a Ditto on its own (level 54, having grown 10 levels when I check). Eggs can appear through corruption even if the parents are incompatible.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 10, 2014, 08:13:15 am
Tried and got a Bad Egg couple, but most of the time the second parent that showed up out of nowhere was a bad decamark, which never breeds despite the old man saying they get along very well. Otherwise, the game just locks at "Take care of EGG!" :(
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 10, 2014, 08:35:45 am
I've got a glitch move that just about replicates the effect that Newo hacked into a battle 7 years ago: https://www.youtube.com/watch?v=uLO9UN-ytkE

The difference is that in his case the opponent's Pokémon were treated as wild Pokémon. In mine, items cannot be used and running forfeits the match. I got the glitch move from a Bad Egg that was obtained via catching Swimmer Beth's Lv26 Goldeen on Route 107: (http://pkmn.net/dex/getlocationmap.php?game=13&location=104)

I managed to turn a Makuhita into a ?? inside an Egg that hatched. https://www.youtube.com/watch?v=zXGLIzPlOMQ

Can you breed it?

I tried to morph Makuhitas in this way but only got normal Lv45 Bad Eggs with no glitch moves. I'll pay closer attention to your video to see what slot of the box you found it in when I try this again later.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 10, 2014, 07:58:17 pm
I've found three things today.

Instead of using Trick from a corrupted Pokemon, I've managed to win Octomark from the Lilycove Lottery, of all places. (https://imgur.com/a/waQrQ)

Also, after corruption, NPCs can sometimes disappear from the overworld (https://imgur.com/a/Aqro7). This includes the Daycare Man. They do go to their proper position after you enter and exit someplace. The area behind the Daycare is built as well as Sky Pillar and the Pokemon within that area are the same as the grass near it.

The egg which I received said it was going to hatch soon. I also remember that the game slowed down while the Daycare Man was giving me the egg.

Mine was one that'd take a 'long time', but with a quick Egg hatch code, the Egg hatched into a "- (http://bulbapedia.bulbagarden.net/wiki/-_(glitch_Pok%C3%A9mon))" so it seems like "-" is obtainable without cheating. Let me know if you also get it.

I had a wild Ditto transform into an Invisible Bad Egg from Daycare corruption when I had nothing in the Daycare prior to corruption (this image which werster posted earlier shows how it looks in battle (http://puu.sh/8jx1S.png)) and the transformation text did state that "Wild Ditto transformed into - !"! So you were right.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 11, 2014, 08:21:56 am
I had a wild Ditto transform into an Invisible Bad Egg from Daycare corruption when I had nothing in the Daycare prior to corruption (this image which werster posted earlier shows how it looks in battle (http://puu.sh/8jx1S.png)) and the transformation text did state that "Wild Ditto transformed into - !"! So you were right.

Oh, so that's what that is? Last night when I was playing around with my Ruby I got a Bad Egg which looked like that in battle.

In other news, today I went into some small time game shop, and they had a few Gen 3 carts (sapphire, LeafGreen and a couple Emerald carts). Given how the rest of the carts were like £1.99 or £2.99, I thought "oh neat, I can get a few more Gen 3 carts for glitch research".

Turns out they were selling the Gen 3 carts for £19.99 each. No, that's not a typo. And I guess that explains why they had so many Gen 3 carts there.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 11, 2014, 10:33:40 am
This indicated to me that maybe you can make any Pokemon by mutating it from another?

I did this but with a Magikarp which only knew splash. It became an egg that hatched into Mewtwo.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 11, 2014, 10:48:37 am
This indicated to me that maybe you can make any Pokemon by mutating it from another?

I did this but with a Magikarp which only knew splash. It became an egg that hatched into Mewtwo.

Awesome.

Someday I see a Mew/Celebi/Jirachi/Deoxys Egg trick for Emerald being discovered, but you'd have to put up with having Bad EGGs in box 1 and 2. I'm focusing on something else at the moment, so I won't be experimenting with that today, but the thought of doing something like that in Generation III without cheats is amazing.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 11, 2014, 03:46:00 pm
Well, we can't call it the "Celebi Egg Glitch" for one thing :P.

One thing I want to know. When you corrupt various parts of RAM with moves, do you only need to see the move, or do you have to use it?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 11, 2014, 04:41:03 pm
It depends on the move. "| {ÀÀ Ñ ÀV []" (hex:0040) will cause corruption just by opening the menu with the move in it, but "=Ñ ;Ç  Ç Á" (hex: 01CE) requires you to use the move to cause corruption. Mind you, 01CE was found from Pawny's Generation III super glitch video, a possible better answer for moves you have to use is this move (https://www.youtube.com/watch?v=LEkHObY-ams) seen in werster's video.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 11, 2014, 05:23:11 pm
Mind you, 01CE was found from Pawny's Generation III super glitch video, a possible better answer for moves you have to use is this move (https://www.youtube.com/watch?v=LEkHObY-ams) seen in werster's video.

Actually it was found by HPokeNgMp4, I just made the video. Not that it really matters. :P
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 11, 2014, 05:36:35 pm
Magikarp giving Mewtwo set off alarm bells, because I remember from gen 2 that Splash is the same index number as Mewtwo. And so yeah, that's exactly how this works as well.

Just forced a Level 5 Lugia out by using Makuhita with Rock Smash as its first move (both are 249), so you can make just about any Pokemon out of this.

However, the moves only go up to 354 in Gen 3, which equates to Minun, making pokemon past that harder to get. Perhaps if you breed on a glitch move and then use that, you can get Pokemon past it? Not sure about that, just got my Lugia

Also apparently only Pokemon with certain Data substructures can turn into Eggs and Alter the Pokemon, idk haven't read up on exactly what was going on but Sanqui was talking in my chat posting a bunch of stuff that basically just meant Poochyena wouldn't work and was holding a Pink Scarf because it had 1 Speed EV and 0 Defense, but Makuhita will work. And it did.

I'm just happy this is getting more and more controllable
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 11, 2014, 06:17:32 pm
Here's a little more explanation.
In gen 3, each Pokémon has a random personality value (PID) which determines stuff like its nature, ability, gender, and form in the case of Pokémon like Unown or Spinda.  The Pokémon structure in gen 3 takes this PID to shuffle the Pokémon data, like species, moves, EVs etc (the pokémon substructures).  You can see those here (http://bulbapedia.bulbagarden.net/wiki/Pokémon_data_substructures_in_Generation_III).  This means every individual Pokémon has these four structures stored in a different order.

Anyway, in the case of this Makuhita, the Growth and Attacks substructures happened to get swapped.  That's why it became Lugia (same ID as Rock Smash) with Block (same ID as Makuhita).
There was also a Poochyena which kept getting a Pink Scarf as its held item - and it had 1 Speed EV and 0 Defense EVs.  Pink Scarf's ID is 0x100 so this means its Growth was getting overwritten by the EVs & Condition substructure.
The reason this works and doesn't produce a Bad Egg is that since you SWAP the two (or more) substructures, no data gets added or removed, thus the checksum stays the same.

Anyway all the save editors I've tried don't work under linux (derp) so I can't actually see which substructure order does this Makuhita have yet.  Stay tuned I guess.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 11, 2014, 06:27:20 pm
Ah, thanks Sanqui, so the effect for werster's Makuhita was that simple? It's kind of ironic that Game Freak's own encryption system worked against them when you change the boxed Pokémon's substructure order and make legendary Pokémon possible.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 11, 2014, 06:53:01 pm
I bring news!  It is not the Pokémon's data that changes...  it's the personality value itself!  Which results in the game reading the substructures in a different order.

I ended up quickly modifying my old Ruby save dumper to work with Emerald to dump the Makuhita's data.  Check this link: http://pastie.org/private/w7slper57jcg1rtmpexpg
As you can see, Makuhita's original PID was 3588162123 ( % 24 = 3) [0xd5df024b]
And it got changed to 2514420299 ( % 24 = 11) [0x95df024b]
Where did the new PID come from?  As you can see, only one bit changed from the original!  That's probably the result of the corruption.

Anyway the Makuhita's substructures were originally Growth Effort Misc Moves.  That got changed to Moves Misc Effort Growth.
Because the most significant byte of the PID was modified, this also means that (besides the substructure shuffling) every fourth byte of each substructure will be XORed with the new byte (95), and thus effectively arbitrary.  That explains why Makuhita's second move was a glitch move, even though it should've been Pound (since it had no held item).

What amazes me is that the checksum actually matched.  It's no surprise this takes so many tries - I bet that most of the time, the substructure takes a hit (which is an instant bad egg), or the PID does and the checksum doesn't match.
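
The reordering and checksum behaviour described in the post above, as an added Python sketch that is not part of the thread and not code from any save editor. The two PIDs and the GEMA to AMEG orders are from the post; the OT ID, experience, friendship and EV values are constructed, index 335 for Makuhita/Block rests on the thread's statement that the two share an ID, and the block layouts follow the Bulbapedia substructure page linked earlier.

```python
import itertools
import struct

# The 24 substructure orders, indexed by PID % 24.
# G = Growth, A = Attacks, E = EVs & Condition, M = Misc.
ORDERS = ["".join(p) for p in itertools.permutations("GAEM")]

OLD_PID = 0xD5DF024B   # from the post: 3588162123, % 24 = 3
NEW_PID = 0x95DF024B   # from the post: 2514420299, % 24 = 11
OT_ID = 0x0BADF00D     # constructed trainer ID


def order_for(pid):
    return ORDERS[pid % 24]


def xor_words(data, key):
    """XOR every little-endian 32-bit word with the key (encrypt == decrypt)."""
    words = struct.unpack("<12I", data)
    return struct.pack("<12I", *(w ^ key for w in words))


def checksum(plain):
    """16-bit sum of the 24 plaintext half-words; a sum ignores block order."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def pack_record(pid, otid, blocks):
    """Lay the four 12-byte blocks out in PID order, then encrypt."""
    plain = b"".join(blocks[c] for c in order_for(pid))
    return xor_words(plain, pid ^ otid), checksum(plain)


def read_record(pid, otid, encrypted, stored_checksum):
    """Decrypt and split using the PID currently in the header.

    Returns None on checksum mismatch (the Bad Egg case).
    """
    plain = xor_words(encrypted, pid ^ otid)
    if checksum(plain) != stored_checksum:
        return None
    return {c: plain[i * 12:(i + 1) * 12]
            for i, c in enumerate(order_for(pid))}


def parse_growth(block):
    species, item, exp, pp_bonus, friendship, _ = struct.unpack("<HHIBBH", block)
    return {"species": species, "item": item, "exp": exp,
            "pp_bonus": pp_bonus, "friendship": friendship}


def parse_attacks(block):
    fields = struct.unpack("<4H4B", block)
    return {"moves": fields[:4], "pp": fields[4:]}


def demo(speed_ev=0):
    """Build a constructed Makuhita, flip the one PID bit, read it back."""
    blocks = {
        # species 335, no item, 1000 exp, 0 PP bonus, 70 friendship
        "G": struct.pack("<HHIBBH", 335, 0, 1000, 0, 70, 0),
        # Rock Smash (249) as first move with 15 PP, other slots empty
        "A": struct.pack("<4H4B", 249, 0, 0, 0, 15, 0, 0, 0),
        # EV order HP, Atk, Def, Speed, ...: Speed is byte 3 of the block
        "E": bytes([0, 0, 0, speed_ev]) + bytes(8),
        "M": bytes(12),
    }
    encrypted, stored = pack_record(OLD_PID, OT_ID, blocks)
    before = read_record(OLD_PID, OT_ID, encrypted, stored)
    # Only the PID in the header changes; the encrypted bytes and the
    # stored checksum are exactly the same as before.
    after = read_record(NEW_PID, OT_ID, encrypted, stored)
    return before, after


if __name__ == "__main__":
    print(order_for(OLD_PID), "->", order_for(NEW_PID))
    before, after = demo()
    print("before:", parse_growth(before["G"]), parse_attacks(before["A"]))
    print("after: ", parse_growth(after["G"]), parse_attacks(after["A"]))
    print("with 64 Speed EVs:", demo(speed_ev=64)[1])
```

With the constructed record the stored checksum still validates after the flip because all twelve decrypted 32-bit words change bit 30 in the same direction, which adds a multiple of 0x10000 to the sum. A Speed EV of 64 already has that bit set in one word, so the sum shifts by 0x8000 and the record is rejected.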
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 12, 2014, 10:11:47 am
This is how I love Gen III substructure encryption system. Changing the PV (I called Personality Value PV) or trainer ID simply changed the whole unencrypted substructure. Like Sanqui said that just one bit changed and it will change the order and the unencrypted data. However, when I was coding my Pokémon data decoder, I had to do a reflection to make it decode the substructure data in the right order :-\

Anyways, what I discovered from performing this glitch is:
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 12, 2014, 10:29:30 am
But by a sheer luck (1 in 256 chance) that the checksum is still match.

So that means we can luck-manipulate to get a valid Pokémon with a glitch move? That would overcome the Tate&Liza/Steven double-battle problem in a "glitched" TAS. Though we'd still need to manipulate it further to make it speedrunning-viable. But it's awesome how manipulable this is getting. Glad to see my favorite gen getting glitched like this. :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 12, 2014, 12:03:34 pm
This was once one of the most harmless glitches in the Pokémon series... :P

I trained a wild Grimer to Lv34 to learn Acid Armor (index 151), cloned it a few times after deleting all its other moves, and threw it in Box 1. Unfortunately, the one real Egg I did get was just a Lv100 Grimer that wouldn't hatch, and it certainly didn't contain a Mew. But I'll try to fill the box with it this time and see how it goes.

I'm amazed this has gotten this far.  O_o
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: camper on May 12, 2014, 12:39:36 pm
Coin Case and 8F were also thought to be harmless. They just crash/reset the game and do nothing else without the correct settings.

Does this work in FR/LG or Ruby/Sapphire?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 12, 2014, 12:45:55 pm
When my Mewtwo egg hatched, I'm pretty sure the game said it was going to hatch pretty soon so I didn't have to wait that long.

I also plan to do this with Fury Swipes (Index 254) with multiple Teddiursa and the glitch move my Mewtwo knows twice. I plan on getting the glitch move via Smeargle instead of using Mewtwo directly. The glitch move is the same as the one werster's Lugia has, which I doubt is a coincidence considering they were obtained the same way.

This was once one of the most harmless glitches in the Pokémon series... :P

On a tangent, but can I quote this as my signature?

Does this work in FR/LG or Ruby/Sapphire?

Even though I haven't done this in FRLG or RS directly, to the best of my knowledge, it could work in FRLG but not RS because the half-lit cancel effect appears and the harder cloning method works in the former but not the latter.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 12, 2014, 01:01:29 pm
The Pomeg Berry only reduces HP EVs in Emerald, so without trading (the trade center won't restore your Pokémon's health, letting you keep glitched HP) you can't have 'negative HP' Pokémon in Ruby or FireRed/LeafGreen.

In Ruby, using a healing item with 'negative HP' fully restores that Pokémon's health instead of fainting it, so this means you can't set up the access Pokémon beyond the sixth slot glitch.

In FireRed/LeafGreen, the access Pokémon beyond the sixth slot glitch indeed works, using a healing item acts like it does in Emerald, and you can corrupt box Pokémon in the first three boxes with it, but it's kind of 'nerfed'. When you white out your Pokémon get healed for real, so I don't think you can use a Bad EGG you put into your party without further trading, but then that's all theory, I haven't tested it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 12, 2014, 01:38:01 pm
This was once one of the most harmless glitches in the Pokémon series... :P

On a tangent, but can I quote this as my signature?

Quote away!  ;)

In Ruby, using a healing item with 'negative HP' fully restores that Pokémon's health instead of fainting it, so this means you can't set up the access Pokémon beyond the sixth slot glitch.

Healing in R/S does have this effect, but there are workarounds in the form of planned Rare Candy and evolution stone use. The Decamarks glitch can be set up in R/S like so: http://www.youtube.com/watch?v=b9v-YOv660w

However, the problem, as voltage also mentioned, is that viewing summary screens does not allow scrolling past the 6th Pokémon at all.

In FireRed/LeafGreen, the access Pokémon beyond the sixth slot glitch indeed works, using a healing item acts like it does in Emerald, and you can corrupt box Pokémon in the first three boxes with it, but it's kind of 'nerfed'.

It works on Boxes 1-3? This is different to its effects in Emerald (Boxes 1-2), is it not? Or is this a typo?  :o

When you white out your Pokémon get healed for real, so I don't think you can use a Bad EGG you put into your party without further trading, but then that's all theory, I haven't tested it.

Similar to the use of the Fluffy Tail in Emerald, the Poké Doll can be used to avoid the white-out.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 12, 2014, 01:51:31 pm
I should also mention that my Mewtwo had Helping Hand as its third move when it hatched for whatever reason.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 12, 2014, 02:20:32 pm
Healing in R/S does have this effect, but there are workarounds in the form of planned Rare Candy and evolution stone use. The Decamarks glitch can be set up in R/S like so: http://www.youtube.com/watch?v=b9v-YOv660w

However, the problem, as voltage also mentioned, is that viewing summary screens does not allow scrolling past the 6th Pokémon at all.

Ah, that Rare Candy/evolution thing sounds familiar actually, but I didn't properly remember it. Thanks.

I see. With any number of Pokémon you can select the Decamark you send out (and cause weird effects when you view the description of its glitch move) and all your fainted Pokémon, except for your last (even though you can see it) and you can't get to position FF through either scrolling down first or scrolling up.

It works on Boxes 1-3? This is different to its effects in Emerald (Boxes 1-2), is it not? Or is this a typo?  :o

Yes, it corrupts box 1-3 unlike Emerald, where the corruption (working in a backwards order) begins in the middle of box 2, but I should have been more clear, the only Pokémon I was able to corrupt in box 3 was the first.

Similar to the use of the Fluffy Tail in Emerald, the Poké Doll can be used to avoid the white-out.

Ah, thanks.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 12, 2014, 02:30:43 pm
Well, I cloned a whole box of Acid Armor Grimer, but after 6 corruption attempts, nothing worked. The corruption was never identical, but the only Egg I got was the corrupted Grimer earlier which contained a Lv100 Grimer which wouldn't hatch.

It has of course been remarked many a time, but the 'stairs' patterns are interestingly constant.

If you find that any of your corrupted Pokémon or Bad Eggs have a glitched marking pattern and crash the game on viewing their summary, all you have to do is change their markings (or don't change them at all and select 'OK'). The summary screens will become stable again.

Yes, it corrupts box 1-3 unlike Emerald, where the corruption begins in the middle of box 2, but I should have been more clear, the only Pokémon I was able to corrupt in box 3 was the first.

Have there been any other differences found yet between FR/LG and Emerald?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 12, 2014, 02:43:47 pm
Have there been any other differences found yet between FR/LG and Emerald?

I'm unsure. When I opened the party with a Bad Decamark in it in FireRed, the game reset itself, so that may be a change.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 12, 2014, 02:48:41 pm
Does anyone know what causes the second, third and fourth move? Maybe if we could find the cause of those moves, you could swap a move with the index of Jirachi to the front to get a Jirachi EGG.

Deoxys can be gotten with the AuroraTicket (Manipulating EVs to be equivalent to the item), Mew can be gotten with the Old Sea Map or Acid Armor, Celebi can be gotten with Beat Up and Latios/Latias can be caught in the Battle Frontier.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 12, 2014, 02:59:42 pm
The Makuhita described here (http://forums.glitchcity.info/index.php/topic,6868.msg195147.html#msg195147) (apparently with the same substructure order as wester's, see description on the video here (https://www.youtube.com/watch?v=1eT4LSacTr4)) had its substructure order (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III) changed from 03 (GEMA) to 11 (AMEG), so for Pokémon that works the same way, this is the conversion, if I'm not missing something important:

What growth bytes do (G):

Old species -> New move 1 (Makuhita -> Block)
Old held item -> New move 2
Old experience word 1 (pair of two bytes) -> New move 3
Old experience word 2 -> New move 4
PP Bonus value ->  New PP of move 1
Friendship value -> New PP of move 2
Unknown -> New PP of move 3/4

What EV bytes do (E):

Old HP EV -> Pokérus status
Old Attack EV -> Met location
Old Defense EV -> Origins info, byte 1
Old Speed EV -> Origins info, byte 2
Old Special Attack EV -> IVs, Egg and Ability byte 1
Old Special Defense EV -> IVs, Egg and Ability byte 2
Old coolness -> IVs, Egg and Ability byte 3
Old beauty -> IVs, Egg and Ability byte 4
Old cuteness -> Ribbons and obedience byte 1
Old smartness -> Ribbons and obedience byte 2
Old toughness -> Ribbons and obedience byte 3
Old feel -> Ribbons and obedience byte 4

What 'miscellaneous' bytes do (M):

Pokérus status -> HP EV
Met location -> Attack EV
Origins info byte 1 -> Defense EV
Origins info byte 2 -> Speed EV
IVs, Egg and Ability byte 1 -> Special Attack EV
IVs, Egg and Ability byte 2 -> Special Defense EV
IVs, Egg and Ability byte 3 -> coolness
IVs, Egg and Ability byte 4 -> beauty
Ribbons and obedience byte 1 -> cuteness
Ribbons and obedience byte 2 -> smartness
Ribbons and obedience byte 3 -> toughness
Ribbons and obedience byte 4 -> feel

What attack bytes do (A):

Move 1 -> Species
Move 2 -> Item held
Move 3 -> Experience word (two bytes) 1
Move 4 -> Experience word 2
PP 1 -> PP bonuses
PP 2 -> friendship
PP 3 -> unknown byte 1
PP 4 -> unknown byte 2

Our next step is finding out what exactly happens to the personality value?

The Makuhita that Sanqui used got it changed from 0xd5df024b to 0x95df024b. That's exactly the first byte minus 0x40, a nice round figure, but the glitch still relies on luck, evident by how you don't get the same result every time even when you scroll up the same number of times.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 12, 2014, 10:01:05 pm
But by sheer luck (1 in 256 chance), the checksum still matches.

So that means we can luck-manipulate to get a valid Pokémon with a glitch move? That would overcome the Tate&Liza/Steven double-battle problem in a "glitched" TAS. Though we'd still need to manipulate it further to make it speedrunning-viable. But it's awesome how manipulable this is getting. Glad to see my favorite gen getting glitched like this. :)

Whoops, I was too sleepy yesterday. The checksum is 2 bytes long, which means there's a 1 in 65536 chance it will match.



So today, I tried to mess around with this glitch again and found out that it changes just one bit of memory each time the cursor is scrolled up once, and it surprisingly changed one of my Pokémon's PV from 0DDA11A1 to 4DDA11A1. Because of this, this Pokémon's data changed significantly. This is the result of decoding this Pokémon's data (http://pastebin.com/80QGjviy) and this is a video of me messing with this Pokémon (http://youtu.be/CfRYfgETmsU).

The reason the checksum still matches and the Pokémon won't turn into a bad egg is that the PV's 30th bit got changed, which changed the 30th bit of every decrypted subdata dword; when the data is read word by word to compute the checksum, the changed bit is the 14th bit of the read value. For example:
00 19 8D 21 | 15 6C 26 03 -> 00 19 8D 61 | 15 6C 26 43 -> 00 19 | 8D 61 | 15 6C | 26 43
This is because the GBA reads the data in little endian. If the 14th bit changes from 0 to 1, the read value increases by 0x4000, and since the data is 48 bytes long, 12 dwords are changed (assuming that every dword's 31st bit is 0), so the computed checksum increases by 0x4000 x 12 = 0x30000. Since 0x30000 is out of range for a word, it is truncated to 0x0, which means the computed checksum is unchanged and the Pokémon will not turn into a bad egg.
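The checksum argument above, worked through as an added example (not code from any poster in this thread). It uses the PV change 0DDA11A1 -> 4DDA11A1 from the post; the OT ID and every field value are constructed, with 154 HP / 1 Attack / 1 Defense / 1 Speed EVs so the result can be compared with the EV-to-species reports elsewhere in the thread.

```python
import struct
from itertools import permutations

# Substructure order for each PV mod 24: GAEM, GAME, GEAM, ... MEGA, MEAG.
ORDERS = ["".join(p) for p in permutations("GAEM")]

PV = 0x0DDA11A1      # personality value before the change (from the post)
OTID = 0x1234ABCD    # constructed OT ID; the outcome does not depend on it

# Constructed field values. Bits 30 and 31 of every 32-bit word are clear.
SUBS = {
    # species, item, experience, PP bonuses, friendship, unknown
    "G": struct.pack("<HHIBBH", 64, 0, 1000, 0, 70, 0),
    # moves 1-4, PP 1-4
    "A": struct.pack("<4H4B", 100, 93, 50, 0, 20, 25, 20, 0),
    # HP, Attack, Defense, Speed, Sp. Atk, Sp. Def EVs, then six condition bytes
    "E": bytes([154, 1, 1, 1, 0, 0]) + bytes(6),
    # Pokerus, met location, origins, IVs/Egg/Ability, ribbons/obedience
    "M": struct.pack("<BBHII", 0, 16, 0x2185, 0x1F7A3C5E, 0),
}


def checksum(plain):
    """Sum of the 24 little-endian 16-bit words of the decrypted data, mod 2**16."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def xor_crypt(data, pv, otid):
    """Encrypt or decrypt: each 32-bit word is XORed with PV ^ OT ID."""
    key = pv ^ otid
    words = struct.unpack("<12I", data)
    return struct.pack("<12I", *(w ^ key for w in words))


def encode(pv, otid, subs):
    """Return (encrypted 48 bytes, stored checksum) for the given substructures."""
    plain = b"".join(subs[c] for c in ORDERS[pv % 24])
    return xor_crypt(plain, pv, otid), checksum(plain)


def decode(pv, otid, stored, stored_sum):
    """Read the stored bytes back the way the game would with this PV."""
    plain = xor_crypt(stored, pv, otid)
    order = ORDERS[pv % 24]
    subs = {c: plain[12 * i:12 * i + 12] for i, c in enumerate(order)}
    species, item = struct.unpack_from("<HH", subs["G"])
    ivs_egg_ability = struct.unpack_from("<I", subs["M"], 4)[0]
    return {
        "order": order,
        "checksum_ok": checksum(plain) == stored_sum,
        "species": species,
        "item": item,
        "is_egg": bool(ivs_egg_ability & (1 << 30)),  # Egg flag is bit 30
    }


STORED, STORED_SUM = encode(PV, OTID, SUBS)


def read_with_flipped_bit(bit):
    """Decode the unchanged stored bytes after one PV bit has been flipped."""
    return decode(PV ^ (1 << bit), OTID, STORED, STORED_SUM)


if __name__ == "__main__":
    print("original:", decode(PV, OTID, STORED, STORED_SUM))
    for bit in (31, 30, 29):
        print(f"PV bit {bit} flipped:", read_with_flipped_bit(bit))
```

With bit 30 flipped the order goes from GAME to EMAG, so the old EV bytes are read as Growth: species becomes 0x019A (410) and the item becomes 0x4101 instead of 0x0101, because the same flipped bit lands in the old Speed EV byte. Flipping bit 29 instead shifts the sum by a value that does not wrap to zero, so the checksum fails.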
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 13, 2014, 02:49:59 am
changed one of my Pokémon's PV from 0DDA11A1 to 4DDA11A1

That's again the same bit that got flipped in the PV...

Could we be onto something here?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 13, 2014, 03:39:58 am
Well I finally found a save editor that lets me see the changes after the corruption without crashing <_<

Anyway doing some initial tests, I had a Smeargle's PID change from CCE3151D (mod 13, EGMA) to CDE3151D (mod 5, GMEA)

This turned it into one of the "invisible" pokemon, and it was holding a Pink Scarf (this came from no EVs, not 1 speed Sanqui!!), which makes sense since EVs are going into Growth.

I changed all the Pokemon in box 2 to have 9 Attack and speed EVs. As a result, I've got a Spheal to change from 34592110 (mod 16, EMGA) to 74592110 (mod 8, AEGM) and a Poochyena to change from 1F983F29 (mod 17, EMAG) to 5F983F29 (mod 9, AEMG). These had the same change as the Makuhita before it, but in reverse, and obviously stayed as their previous forms because Growth didn't change position

Had a Latios change from 9C82A5C7 (mod 23, MEGA) to 9D82A5C7 (mod 15, EAMG) and be a Bad Egg, but holding the Pink Scarf. It's consistently showing up as the "0" item, which is strange since it should be 0x0100 from what I understand?

Repeated the Kadabra into Gengar change. Kadabra was A2E151B (mod 11, AMEG) and changed to 4A2E151B (mod 3, GEMA). Lots of similar changes happening here

Last one before I go to sleep for tonight. Had a Taillow go from A8BF63D3 (mod 3, GEMA) to E8BF63D3 (mod 19, MGEA). Because it had 9 Attack and Speed EVs I was expecting regular Held item and Pokemon (Repeat Ball/Blastoise) but instead it hatched into another decamark, curiously at Level 0 when it hatched. Would only level up through Rare Candy, experience wouldn't do the job, and then it jumped to Level 6 and softlocked the game after showing me its stats (which were ass). I guess I'm misunderstanding how the EVs are being read or something I guess =(

I'll keep editing as I test more stuff
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 13, 2014, 06:16:57 am
Anyway doing some initial tests, I had a Smeargle's PID change from CCE3151D (mod 13, EGMA) to CDE3151D (mod 5, GMEA)

This turned it into one of the "invisible" pokemon, and it was holding a Pink Scarf (this came from no EVs, not 1 speed Sanqui!!), which makes sense since EVs are going into Growth.
Actually, I think I can explain this now.
If you look at the Smeargle's PID, you can see only one bit changed - from CC to CD.  That's the 0th bit being *set*.  Since the PID XORs all the substructures, this means that, besides them being shuffled, every 0th bit of every 3rd byte (counting from 0) will be inverted.  That means the first four EVs - 00 00 00 00 - will turn into 00 00 00 01 as they're being put into Growth.  And 00 01 is Pink Scarf indeed.
Depending on which bit of the PID gets corrupted, the Pink Scarf can come both from the PID corruption, or from 0 defense and 1 speed EV.

This glitch's effects are so complicated yet fun to think about, I love it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 13, 2014, 08:25:28 am
I have an idea I thought of last night. Would it be viable to have an indicator of your Pokémon's personality value mod 24 by catching a certain Spinda?

Example:
(http://i.minus.com/jLZfeVLYT1gKi.png)

Here I ignored patterns with a hard to identify 4th spot (controlled by the last byte) due to the possibility of another spot taking its same place, or spots that make the 4th spot hard to identify due to overlay.

But my image is wrong. The last byte alone doesn't affect the modulo. If you had the last word as 01 9C for instance, the remainder would be 4 instead of 12, and that's assuming everything else was 00.

So just before I was going to bed, I thought about working in another base system, like base 24, without understanding much about it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 13, 2014, 09:51:01 am
So just before I was going to bed, I thought about working in another base system, like base 24, without understanding much about it.

Good luck on working. (http://en.wikipedia.org/wiki/Base_24) One of my Pokémon has a PV of G7MA3N224 and has a GAME substructure order :P
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 13, 2014, 10:27:35 am
Thanks. I don't think this is a good thing to do on further analysis. Try changing all the digits of a base 24 number by +1 other than the last one, and the differences in spot coordinates when converted back to hexadecimal will be much different.

I thought it would be good since if you work in modulo 24, the final digit will tell you what the modulo is, regardless of the digits before it. For a few substructures where we could theoretically turn EVs into species, applicable last digits are C, D, E, F, G or H.

Edit: This is my theoretical method of getting Deoxys through certain EVs.

1) Move all of the box 1/2 Pokémon up to box 2 position 23 to other boxes, or release them all.
2) Fill box 1/most of box 2 with Spinda caught from east of Fallarbor Town.
3) Now this is tedious, but it lets you find your Pokémon's personality values and modulus. Download A-Save (http://projectpokemon.org/forums/showthread.php?31254-A-Save-%283rd-Generation-Save-Editor%29) and a Pokémon Emerald save file (https://mega.co.nz/#!A5lTUYaB!EhMPKMcZEjRsyumYiyzZ2l0ekEt42TLxD0Bowh4o5Lw).
4) Load the save file, select 'Storage', right click on one of your Spinda in box 1/2 and select 'Edit'. Change the Pokémon to Spinda and click on PID. The fields not under PID like the nickname and item don't matter.
5) This is one of the hardest parts and possibly the longest: Try to recreate your Spinda's spots by clicking 'Spinda Spots'. You'll have to edit them exactly as they appear on your Game Boy Advance.
6) Check to see if A-Save says your Spinda is the same nature and gender as your Game Boy Advance cartridge says. This will likely verify that you got the spots right.
7) If you get the wrong nature and gender, try again and see if you made a mistake in placing the spots. This is easily done.
8) When you're done, click accept and look at the new personality value in A-Save. Go on Windows Calculator and switch to 'programmer' mode from 'view'.  Copy and paste the personality value (it's in decimal, so be in that mode) then click 'mod' and enter '24', then click the equals sign.
9) Check to see if your modulus is a 'good' value. Good values are 12-17 because they have 'E' as the first structure in the substructure order.
10) Repeat steps 5-9 with different Spinda. Release all other Spinda once you get a good value.
11) Now you'll want to EV train your Spinda. Give it 154 (hex:9A) HP EVs and one Attack EV, exactly. It's a good idea to buy 10 HP Ups; this will give you the first 100 EVs. The rest can be got by battling Whismur in the cave on Route 106 for 1 HP EV each (can be increased to 2 at a time with Macho Brace) and one Carvanha (1 Attack EV) on Route 119 via Super Rod.
12) Clone your Spinda using the old Pokémon Emerald cloning glitch (https://www.youtube.com/watch?v=ZRzzGBdV7bQ) until you fill box 1 and box 2 up to position 23.
13) Save at this point, after reducing a Pokémon to negative HP via Pomeg Berry and a Pokémon with enough HP EVs and make sure you have a healing item.
14) Do the 'access Pokémon beyond sixth slot glitch'. The less Pokémon you use to pull it off, the better but I can't remember if there's a minimum you need, sorry. When you view your Pokémon's status, scroll up 3 times to get to FF. Then scroll up exactly 40 times (up to D7). This will corrupt the minimum amount of data while corrupting your Spinda; your Daycare Pokémon won't get corrupted.
15) Run, then check your boxes for regular Eggs, not a Bad EGG. If you don't have any Eggs, restart the game and return to step 13.
16) Put all the Eggs you can into your party, then enter a battle (switching Egg positions when necessary) to send them out to check if you have an Egg with Deoxys.
17) Use the Bicycle and go back and forth until your Deoxys hatches.

If you're using an emulator, you can just put a Pokémon in position 1 and look at memory address 020244EC to see the personality value that you'll take the modulus of.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 13, 2014, 01:43:12 pm
What I plan to do now is breed a whole bunch of Eevee and Sneasel, fill a box full of them, and hope that one of them corrupts correctly after a couple of tries.

Then, I'll take that specimen and raise and/or evolve it to the correct level so that it will learn Acid Armor (index 151, Vaporeon) or Beat Up (index 251, Sneasel). Then I'll perform the corruption again with it and hope it works out right.

Is there any reason (beyond bad luck on my part) why this shouldn't work?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 13, 2014, 01:51:28 pm
What I plan to do now is breed a whole bunch of Eevee and Sneasel, fill a box full of them, and hope that one of them corrupts correctly after a couple of tries.

Then, I'll take that specimen and raise and/or evolve it to the correct level so that it will learn Acid Armor (index 151, Vaporeon) or Beat Up (index 251, Sneasel). Then I'll perform the corruption again with it and hope it works out right.

Is there any reason (beyond bad luck on my part) why this shouldn't work?

I don't see why there would. Good luck :)

Anyone see a problem with my Deoxys method? Am I missing an easier way of doing it? I have a feeling I am.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 13, 2014, 02:10:26 pm
Am I missing an easier way of doing it? I have a feeling I am.

Would there be a way to get Deoxys by mutating a Pokemon with Trick so it holds an Aurora Ticket?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 13, 2014, 03:16:30 pm
Am I missing an easier way of doing it? I have a feeling I am.

Would there be a way to get Deoxys by mutating a Pokemon with Trick so it holds an Aurora Ticket?

Maybe. Do you even need Trick? Does an Egg keep its held item when it hatches?


On second thoughts I don't know why I came to the conclusion those substructure orders (starting with EVs & Condition) would be better. Catch Pokémon indiscriminately and give them the right EVs and there might be a better chance of success.

I'm poking in the dark because I don't know how the randomness works.

After a few tries, one of my Spinda (I had five six unique ones and cloned the rest)'s personality values changed from B8 B2 3E F1 to F8 B2 3E F1. That's a change of 0x40 like the Makuhita Sanqui describes. But the Pokémon inside the Egg was still Spinda, albeit with glitch moves.

If there's the possibility that a certain change like +0x40 will never happen, that's an obstacle, but if it can happen with any box Pokémon or group of boxed Pokémon by chance, what we could do is look at a Spinda's personality value and its structure order (either manually by placing Spinda spots on A-Save or through memory viewer), then pretend the first byte (apparently on memory viewer the bytes are stored in reverse order) increased by 0x40, then calculate the new structure order and see if Growth (G) gets put in the 'order number' EVs & Condition (E) used to be. This way, with the right old personality value and the right EVs, you might have a chance to get the change you want.

Edit: I will play around with this more, but I have a question for anyone who knows about the data sub-structures. What bit/value governs an Egg? I know that there is a section in the 'miscellaneous' substructure where "IVs, Egg and Ability" is stored in 4 bytes, but what byte controls the Egg and what minimum value would give you an Egg in it?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 13, 2014, 03:47:07 pm
Catching Pokemon in battle turns them into Bad Eggs.

I was thinking about this and from my experiences of looking at the in-game summaries of Trainer Pokemon, you can notice that each Pokemon has a different ID No. This is just a guess, but do you think they are related?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 13, 2014, 04:05:23 pm
After a few tries, one of my Spinda (I had five six unique ones and cloned the rest)'s personality values changed from B8 B2 3E F1 to F8 B2 3E F1. That's a change of 0x40 like the Makuhita Sanqui describes. But the Pokémon inside the Egg was still Spinda, albeit with glitch moves.
More importantly, it's a change of a single bit.  Same with all the other Pokémon I was seeing in this topic.  And, just now I saw on werster's stream a TENTACOOL turn into TENTACOSL.  And surprise: O is one bit away from S. (0b11001001, 0b11001101).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 13, 2014, 04:17:32 pm
After a few tries, one of my Spinda (I had five six unique ones and cloned the rest)'s personality values changed from B8 B2 3E F1 to F8 B2 3E F1. That's a change of 0x40 like the Makuhita Sanqui describes. But the Pokémon inside the Egg was still Spinda, albeit with glitch moves.
More importantly, it's a change of a single bit.  Same with all the other Pokémon I was seeing in this topic.  And, just now I saw on werster's stream a TENTACOOL turn into TENTACOSL.  And surprise: O is one bit away from S. (0b11001001, 0b11001101).

Ah, I think I get you. B8->F8 is a change of +2^2 (or bit 2 or 3 if you include 2^0) on the most significant nybble.

In werster's case, C9 (O) gets changed to CD (S); this is +2^2 on the least significant nybble. (if it wasn't for Tiddlywinks' table (http://bulbapedia.bulbagarden.net/wiki/Character_encoding_in_Generation_III) I would have to look for an old post of mine where I found a Gen III character table online)

In werster's other case (http://forums.glitchcity.info/index.php/topic,6868.msg195191.html#msg195191), it was a change of +2^0 (bit 0 or 1) on the least significant nybble of the first personality byte.

Edit: Yay. Werster just turned Kadabra into Deoxys.
Edit 2: But it won't obey him due to the anti-cheating measure. (Apparently all Deoxys and Mew that weren't met in a 'fateful encounter' work like this)

Plus, getting the AuroraTicket won't work. Even if you hack in to your Key Items or another pocket that alone won't cause Birth Island to appear in the list of options in the Slateport Harbor house.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 13, 2014, 05:34:19 pm
Can Deoxys still obey in a link battle? Does this check occur in Gen 4+?

And never knew you needed to "activate" the event for it to work :o
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 13, 2014, 07:11:43 pm
Alright so yea, got my Kadabra to go to Deoxys via 154 HP EVs and 1 Attack EV. What I'm still confused by is why its item is still ??, with 1 Defense and Speed EV I was expecting Green Scarf, it seems like the 3rd and 4th bytes don't get read correctly or something? (I noticed move 2 is the one that typically becomes a glitch move, even when Growth stays in the same position)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: camper on May 14, 2014, 12:18:36 am
In a randomized ROM, we can obtain Mew or Deoxys and they will obey. Does the randomizer remove the anti-cheating feature or is there some way bypassing it?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 14, 2014, 04:11:14 am
Alright so yea, got my Kadabra to go to Deoxys via 154 HP EVs and 1 Attack EV. What I'm still confused by is why its item is still ??, with 1 Defense and Speed EV I was expecting Green Scarf, it seems like the 3rd and 4th bytes don't get read correctly or something? (I noticed move 2 is the one that typically becomes a glitch move, even when Growth stays in the same position)

Since the 30th bit of PV got changed, every 6th bit of bytes that mod 4 equals 3 got changed. This means that held item, experience points, 2nd move, 4th move, 4th move's PP, speed EV, beauty condition, feel condition, pokeball caught and egg status (this explains why you always got it in egg form) got changed.

In a randomized ROM, we can obtain Mew or Deoxys and they will obey. Does the randomizer remove the anti-cheating feature or is there some way bypassing it?

The 31st bit of the Ribbons and Obedience dword (the last dword of the miscellaneous section) determines the obedience of Mew and Deoxys.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 14, 2014, 06:47:26 am
Since the 30th bit of PV got changed, every 6th bit of bytes that mod 4 equals 3 got changed. This means that held item, experience points, 2nd move, 4th move, 4th move's PP, speed EV, beauty condition, feel condition, pokeball caught and egg status (this explains why you always got it in egg form) got changed.
Exactly this.  And the only bits of the PID that *may* change are the top 16 ones (otherwise the checksum won't match). 
Because the PID XORs the substructures, and the bit in the PID has changed, the same bit will change every 32 bits of the substructures.
So every second or third byte (zero-indexed) of the substructures will be changed accordingly (usually resulting in stuff like the glitch items or second moves).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 14, 2014, 09:56:28 am
Done some research, and hereby I present the results.
Warning: It's going to be a long read.

The glitch's cause:

Ironically, the reason why scrolling past slot 6 corrupts the memory is... the anti-cheating system.

Before the game lets you do anything with a Pokemon in party, the checksum is verified. If the verification fails, the game will turn the Pokemon into a `Bad EGG` - to do this, it sets 3 bits: Bit 0 at offset 0x13, Bit 1 at offset 0x13, and bit 6 at offset 0x07 from the `Miscellaneous` substructure (which changes its location depending on the personality value - the 32-bit word at offset 0x00).

Behavior of the Pokemon beyond slot 6 hasn't changed since Generation I. As before, these Pokemon represent different memory areas in the game.
Assuming we are all playing on the US version of the ROM, party Pokemon memory block starts at address 0x020244EC. Every Pokemon uses 100 bytes of memory. So the Pokemon at slot 255 is assumed to be at address 0x020244EC + 255*100 = 0x0202A888.

The game treats whatever it finds in this address as a Pokemon structure. That means it will also try to recompute the checksum as if it was a Pokemon, and obviously it's not going to match. So the game will set the previously mentioned 3 bits to turn the 'Pokemon' into a Bad EGG. The problem is that it's no Pokemon, so the game ends up changing bits where it's not supposed to.

Here's the relevant piece of code, if anyone else besides me decided to learn ARM assembly just because of this glitch:

; (...)
ldrh  r1, [r1,#0x1C]
cmp   r0, r1             ; Check if checksum is correct
beq   _ChecksumCorrect   ; Go to _ChecksumCorrect if it is
mov   r2, r8
ldrb  r0, [r2,#0x13]     ; Load the byte from structure's offset 0x13
mov   r1, #0x00000001   
orr   r0, r1             ; Set bit 0 (Bad EGG flag)
mov   r1, #0x00000004   
orr   r0, r1             ; Set bit 2 (Normal egg flag)
strb  r0, [r2,#0x13]     
ldrb  r0, [r5,#0x07]     ; Load the byte from `Miscellaneous` substructure, offset 0x07
mov   r1, #0x00000040
orr   r0, r1             ; Set bit 6 (Yet another egg flag)
strb  r0, [r5,#0x07]
_ChecksumCorrect:
ldr   r0, [sp]           ; Continue processing
; (...)


Trying to make the glitch predictable:

As mentioned before, there are only two possible corruption patterns for a single byte: Either the 0th and 2nd bit will be set, or the 6th bit will be set.
Let's say we have a Pokemon with personality value of 0xB064AF62. Then, all its possible corruptions are:

0xB564AF62  (set bit 0 and 2 of byte 3)
0xB065AF62  (set bit 0 and 2 of byte 2)
0xB064AF62  (set bit 0 and 2 of byte 1 - has no visible effect)
0xB064AF67  (set bit 0 and 2 of byte 0)
0xF064AF62  (set bit 6 of byte 3)
0xB064AF62  (set bit 6 of byte 2 - has no visible effect)
0xB064EF62  (set bit 6 of byte 1)
0xB064AF62  (set bit 6 of byte 0 - has no visible effect)


The ability to severely corrupt Pokemon's data (severely == enough to change its species, moves or other properties) strongly depends on the binary representation of the personality value. If we say I was unlucky and my Pokemon got a personality value of 0x59F577DF - I will have a hard time doing anything with this glitch, because in every byte of the personality value, bits 6, 2 and 0 are already set.
This is one of the main problems - to predict what will happen, knowing the personality value is a necessity.

But that's not the only problem that needs to be taken care of. Generation III Pokemon games have a crude implementation of something that we call ASLR (http://en.wikipedia.org/wiki/Address_space_layout_randomization) on modern machines. Basically, some of the important data blocks, like boxed Pokemon or items in bag, have their location in memory randomized. Certain in-game actions, like exiting the Pokemon menu or accessing the PC cause the randomization to happen again. So what once happens to be located at a specific memory address, next time it won't be there anymore.

The easiest solution is to keep trying over and over again. The game offsets the important data blocks by a maximum of 32 bytes in two directions from a base address - so there are 64 possible cases - about 1.5% chance that the memory ends up offset where you want to. After 30 tries you have about 50% chance of succeeding.
In case we just want to corrupt a Pokemon in the box, you can take the brute force approach, and fill the entirety of box 1 and 2 with exactly the same Pokemon. Then, at least one of them should get corrupted in the way you want it to.

Other possible corruptions:

Since we already know what the corruption pattern looks like, maybe we shouldn't limit ourselves to just corrupting Pokemon boxes?
Here's a list of addresses that are 100% certain to be affected by the glitch (have their bits 0 and 2 set):


Because there's no RAM map for Pokemon Emerald anywhere, I checked the addresses myself. The layout looks like this:

~$2029840 - Pokemon boxes
~$2028A40 - Daycare
~$2028070 - Secret base decorations
~$2025F80 - Items in bag
~$2025EF0 - Boxed items
Addresses are not constant.


This implies the following possibilities:
 - Corrupting contents of Pokemon boxes 1 and 2.
 - Corrupting the Pokemon in Daycare.
 - Obtaining glitch decorations for my secret base.
 - Item mutation/item duplication.
 
The last one sounds very interesting. Let's try it!

Pokemon Emerald: Item duplication glitch:

1. Do the standard setup to access the Pokemon beyond the sixth slot. It was described a thousand times already.
2. Once you get to the part with the half-lit cancel button, get yourself a stopwatch.
3. Start holding up and start the stopwatch at the same time.
4. Once the stopwatch gets to 17 seconds, press the B button.
5. Check your bag and hope something valuable got duplicated.

A small problem with this glitch is that in some cases it will delete everything in TM or Berries pockets. However, it does not occur every time, so at this point it's just trial and error.
One iteration of this method usually duplicates about 5 items, both in bag and in the PC.

Video: https://www.youtube.com/watch?v=OH8apzY9r0c

Secret base glitch decorations:

Through the use of this glitch, it's also possible to obtain glitch decorations. This may take a lot of tries. For example, after 19 tries, I managed to turn my Thunder Mat (0x3C) into 'ÛË ▼ÛË ÀÀÚËÔÀ ÀÀCAN' (0x7C - 6th bit was changed).

(http://i.minus.com/ihJmHzYmiKHxW.png)

And it turned out to be a portable 2-square hole :P

(http://i.minus.com/iby8pIL301oq1e.png)

Arbitrary code execution!

I previously found that viewing the summary of some of the glitch Pokemon caused the game to execute code from locations it's definitely not supposed to.
Further analysis confirmed that the cause of this problem was the 'markings'.
Each Pokemon can be given a combination of the different markings, stored in Pokemon structure's markings byte. There are only 4 markings normally available, yet a byte has 8 bits. The valid markings byte only ranges from 0x00 to 0x0F. Any other byte will cause the game to draw illegible sprites, and eventually, jump to an invalid place in memory.

I checked every possible invalid markings byte for useful jumps to the game's RAM. There is only one value, 0xA6, which jumps to $20207C8 - a valid location!
(0xA6 is also the first Super Glitch move index number in Gen I - coincidence? ;p)

This will definitely not allow for hack-free controllable arbitrary code execution like 8F, but it may be possible to prepare a save file which will run the code upon loading (something like Twilight Hack).
I am really surprised that the Game Boy Advance has absolutely no problem with executing data as code.

The end!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 14, 2014, 10:17:50 am
Thanks so much for your research TheZZAZZGlitch! After I mess around with the Pokémon mutation via EVs part enough, I think I'm going to make a glitch decoration dex, provided a glitch decoration is stored in one byte, unless somebody beats me to it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 14, 2014, 12:28:38 pm
Ironically, the reason why scrolling past slot 6 corrupts the memory is... the anti-cheating system.

I figured this was the case, based on what happens on my glitched Ruby save (with no Pokémon, and access to the party, you can scroll past the sixth slot).

On Ruby (and I guess Sapphire too), the checksum is checked when you press A on a Pokémon in the party. And after it gets the nickname string to show in the text box. Given that A showed a longass sometimes improperly terminated nickname based on some part of RAM (and possibly causes some other interesting effects too, I've seen some locations that glitch the music), and then B, A showed "Bad EGG"...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kelvinv on May 14, 2014, 12:46:29 pm
I wonder what those Pokemon are if the anti-cheat mechanism could be bypassed
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 14, 2014, 01:53:36 pm
Catching Pokemon in battle turns them into Bad Eggs.

I was thinking about this and from my experiences of looking at the in-game summaries of Trainer Pokemon, you can notice that each Pokemon has a different ID No. This is just a guess, but do you think they are related?

Are there any interesting trainer ID numbers you found? Of course if we were looking at 65535 or 00000 or 08192 or something there would be an obvious link.

With regard to trainers' Pokémon, I've caught and documented a whole bunch of them under the following categories:

Origin: what trainer they came from and the Pokémon stolen, including level;
After being stolen: whether it has Pokérus or not, the Poké Ball it is now found in as a Bad Egg, and the various glitch moves it has.

But I have no idea if the results I've got are the same as anyone else's (no-one seems to have attempted a similar project yet, it would seem). I'll provide some examples if anyone would like to try to catch that same Pokémon in battle and compare the results they get.

Pokémon are caught by changing the battle mode via any "K À À Ñ À" move and throwing a Poké Ball. Then, in order to test the moveset, a wild Ditto must Transform into your Bad Egg, as the Bad Egg itself will crash the game if 'Fight' is selected.

If we all find the resultant Bad Egg produced when the trainer's Pokémon is caught to be identical, then we can all get the same glitch effects on every game and get predictable results. Here are a few distinct examples to try to copy:

Swimmer Tanya (Route 125)

Lv34 Luvdisc becomes Bad Egg in Net Ball with Pokérus. It has no moves.

Swimmer Sharon (Route 125)

Lv34 Seaking becomes Bad Egg in Poké Ball with Pokérus. It has two moves:

-"E: Judging category 3, body!" (Thunder Wave under a different name)
-"nt" (Splash under a different name)

Swimmer Stan (Route 125)

Lv34 Horsea becomes Bad Egg in Poké Ball with Pokérus. It has three moves:

-"Transformed into revents the foe's type"
-[A string of glitch letters four lines long]
-A move that freezes the game before its execution

Swimmer Leonardo (Route 126, single battle)

Lv34 Carvanha becomes Bad Egg in Premier Ball with Pokérus. It has three moves:

-"!" (Deals damage)
-"a Poison move" (hits itself)
-"u [grave accent] fled!" (Deals damage)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: MissingNoGuy55 on May 14, 2014, 02:41:49 pm
I didn't think this was possible beforehand but holy s**t ZZAZZ I am legitimately impressed with this.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 14, 2014, 02:55:03 pm
- Item mutation/item duplication.
 
The last one sounds very interesting. Let's try it!

Pokemon Emerald: Item duplication glitch:

1. Do the standard setup to access the Pokemon beyond the sixth slot. It was described a thousand times already.
2. Once you get to the part with the half-lit cancel button, get yourself a stopwatch.
3. Start holding up and start the stopwatch at the same time.
4. Once the stopwatch gets to 17 seconds, press the B button.
5. Check your bag and hope something valuable got duplicated.

A small problem with this glitch is that in some cases it will delete everything in TM or Berries pockets. However, it does not occur every time, so at this point it's just trial and error.
One iteration of this method usually duplicates about 5 items, both in bag and in the PC.
The only problem with that method is, on a real GBA/DS, you have to mash the "up" button for the game to scroll the cursor, unlike VBA, where it allows you to simply hold the up key.

Congrats on finding arbitrary code though :)!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 14, 2014, 03:17:34 pm
- Item mutation/item duplication.
 
The last one sounds very interesting. Let's try it!

Pokemon Emerald: Item duplication glitch:

1. Do the standard setup to access the Pokemon beyond the sixth slot. It was described a thousand times already.
2. Once you get to the part with the half-lit cancel button, get yourself a stopwatch.
3. Start holding up and start the stopwatch at the same time.
4. Once the stopwatch gets to 17 seconds, press the B button.
5. Check your bag and hope something valuable got duplicated.

A small problem with this glitch is that in some cases it will delete everything in TM or Berries pockets. However, it does not occur every time, so at this point it's just trial and error.
One iteration of this method usually duplicates about 5 items, both in bag and in the PC.
The only problem with that method is, on a real GBA/DS, you have to mash the "up" button for the game to scroll the cursor, unlike VBA, where it allows you to simply hold the up key.

Congrats on finding arbitrary code though :)!

Huh, is that really true? I haven't performed the Pokémon beyond the sixth slot glitch on a real GBA, but when I do scrolling from a normal party screen in battle with my GBA SP running a UK Emerald the game won't scroll up anymore for a bit (for like a fraction of a second) but the scrolling through holding up will happen. This same thing seems to happen on VBA.

The initial scrolling delay depends on the number of Pokémon there are on the list, with less than 6 being shorter.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 14, 2014, 03:41:43 pm

Huh, is that really true? I haven't performed the Pokémon beyond the sixth slot glitch on a real GBA, but when I do scrolling from a normal party screen in battle with my GBA SP running a UK Emerald the game won't scroll up anymore for a bit (for like a fraction of a second) but the scrolling through holding up will happen. This same thing seems to happen on VBA.

The initial scrolling delay depends on the number of Pokémon there are on the list, with less than 6 being shorter.

Can confirm this also happens with my real GBA SP on my glitched Ruby save...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on May 14, 2014, 05:34:29 pm
Someone posted a really good idea in relation to getting a consistent PID of Pokemon. Use one of the ones from the in game trades, because they are consistent.

Seedot - PID of 0x00000084 (132) - Trade for Ralts at Rustboro
Plusle - PID of 0x0000006F (111) - Trade for Volbeat at Fortree
Horsea - PID of 0x0000007F (127) - Trade for Bagon on Pacifidlog
Meowth - PID of 0x0000008B (139) - Trade for Skitty at Battle Frontier

They are all exceptionally low. It also occurs to me that Emerald has very abused RNG mechanics, as it always starts from the same point after a hard reset. Because of this, you could with some accuracy be able to get the Personality value you wanted just by waiting the right amount of time before it's generated (this would be easiest with a gift Pokemon, like say Beldum)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 14, 2014, 06:06:05 pm
Someone posted a really good idea in relation to getting a consistent PID of Pokemon. Use one of the ones from the in game trades, because they are consistent.

Seedot - PID of 0x00000084 (132) - Trade for Ralts at Rustboro
Plusle - PID of 0x0000006F (111) - Trade for Volbeat at Fortree
Horsea - PID of 0x0000007F (127) - Trade for Bagon on Pacifidlog
Meowth - PID of 0x0000008B (139) - Trade for Skitty at Battle Frontier

They are all exceptionally low. It also occurs to me that Emerald has very abused RNG mechanics, as it always starts from the same point after a hard reset. Because of this, you could with some accuracy be able to get the Personality value you wanted just by waiting the right amount of time before it's generated (this would be easiest with a gift Pokemon, like say Beldum)

That's amazing. Let's list their substructure orders and apply what TheZZAZZGlitch/Sanqui found, because this may provide the final answer, ignoring randomness like what corruptions happen and whether the Pokémon becomes an Egg. (WIP - done-ish.)

Initial substructure orders:

Seedot: 12 (EGAM)
Plusle: 15 (EAMG)
Horsea: 7 (AGME)
Meowth: 19 (MGEA)

All possible changes for Seedot:

Bit 0 and 2 -> ON:

0x05000084 (set bit 0 and 2 of byte 4) - New mod = 20 (MAGE)
0x00050084  (set bit 0 and 2 of byte 3) - New mod = 20 (MAGE)
0x00000584  (set bit 0 and 2 of byte 2) - New mod = 20 (MAGE)
0x00000085 (set bit 0 and 2 of byte 1) - New mod = 13 (EGMA)


Bit 6 -> ON:

0x40000084 (set bit 6 of byte 4) - New mod = 4 (GMAE)
0x00400084  (set bit 6 of byte 3) - New mod = 4 (GMAE)
0x00004084  (set bit 6 of byte 2) - New mod = 4 (GMAE)
0x00000084 (set bit 6 of byte 1) - No change


All possible changes for Plusle:

Bit 0 and 2 -> ON:

0x0500006F (set bit 0 and 2 of byte 4) - New mod = 23 (MEAG)
0x0005006F  (set bit 0 and 2 of byte 3) - New mod = 23 (MEAG)
0x0000056F  (set bit 0 and 2 of byte 2) - New mod = 23 (MEAG)
0x0000006F (set bit 0 and 2 of byte 1) - No change


Bit 6 -> ON:

0x4000006F (set bit 6 of byte 4) - New mod = 7 (AGME)
0x0040006F  (set bit 6 of byte 3) - New mod = 7 (AGME)
0x0000406F  (set bit 6 of byte 2) - New mod = 7 (AGME)
0x0000006F (set bit 6 of byte 1) - No change



All possible changes for Horsea:

Bit 0 and 2 -> ON:

0x0500007F (set bit 0 and 2 of byte 4) - New mod = 15 (EAMG)
0x0005007F  (set bit 0 and 2 of byte 3) - New mod = 15 (EAMG)
0x0000057F  (set bit 0 and 2 of byte 2) - New mod = 15 (EAMG)
0x0000007F (set bit 0 and 2 of byte 1) - No change


Bit 6 -> ON:

0x4000007F (set bit 6 of byte 4) - New mod = 23 (MEAG)
0x0040007F  (set bit 6 of byte 3) - New mod = 23 (MEAG)
0x0000407F  (set bit 6 of byte 2) - New mod = 23 (MEAG)
0x0000007F (set bit 6 of byte 1) - No change


All possible changes for Meowth:

Bit 0 and 2 -> ON:

0x0500008B (set bit 0 and 2 of byte 4) - New mod = 3 (GEMA)
0x0005008B  (set bit 0 and 2 of byte 3) - New mod = 3 (GEMA)
0x0000058B  (set bit 0 and 2 of byte 2) - New mod = 3 (GEMA)
0x0000008F (set bit 0 and 2 of byte 1) - New mod = 23 (MEAG)


Bit 6 -> ON:

0x4000008B (set bit 6 of byte 4) - New mod = 11 (AMEG)
0x0040008B  (set bit 6 of byte 3) - New mod = 11 (AMEG)
0x0000408B  (set bit 6 of byte 2) - New mod = 11 (AMEG)
0x0000008B (set bit 6 of byte 1) - No change


Observations:
Note: I only listed things I thought were particularly useful.

Seedot:

*Seedot can work for EV & Condition data being read as growth data. (any Pokémon trick)
*Seedot can work for EV & Condition data being read as move data. (any move trick)
*Seedot can work for attack data being read as growth data. (any Pokémon before Minun trick provided you have the right moves)

Plusle:

*Plusle can work for EV & Condition data being read as attack data. (any move trick)
*Seedot can work for attack data being read as growth data. (any Pokémon before Minun trick provided you have the right moves)
*For the Plusle, any Pokémon trick via EVs is not possible.

Horsea:

*Horsea can work for EV & Condition data being read as growth data. (any Pokémon trick)
*Horsea can work for growth data being read as attack data. (get every non-glitch move and glitch moves up to hex:0411 trick)

Meowth:

*Meowth can work for EV & Condition data being read as attack data (any move trick)
*Meowth can work for attack data being read as growth data (any Pokémon up to Minun provided you have the right moves trick)
*For the Meowth, any Pokémon trick via EVs is not possible.

So in conclusion, we should use the Seedot or Horsea you get in a trade if we want any Pokémon. Let me know if I'm missing something important regarding how the glitch works.
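An added example, not part of the original post: it recomputes the substructure orders above from the personality value (PID mod 24) and shows which stored block ends up read as which after the listed bits are set. The function names are made up for this sketch, the order table is generated as the lexicographic permutations of G, A, E, M (which reproduces every index/order pair quoted in the post), and by default only bytes 3 and 4 are changed, following the reminder later in the thread that the low 16 bits of the PID can't change.

```python
from itertools import permutations

# 24 substructure orders indexed by PID mod 24. Generated, not copied:
# lexicographic permutations of G, A, E, M give 12=EGAM, 15=EAMG, 7=AGME,
# 19=MGEA, 4=GMAE, 20=MAGE, 23=MEAG ... exactly as quoted in the post.
ORDERS = ["".join(p) for p in permutations("GAEM")]

FIELDS = {"G": "growth", "A": "attacks", "E": "EVs & condition", "M": "miscellaneous"}

# PIDs of the in-game trade Pokemon, as listed in the thread.
TRADE_PIDS = {"Seedot": 0x84, "Plusle": 0x6F, "Horsea": 0x7F, "Meowth": 0x8B}

# The two corruptions discussed in the post.
MASKS = {"bits 0 and 2": 0x05, "bit 6": 0x40}


def order_of(pid):
    """Substructure order selected by a 32-bit personality value."""
    return ORDERS[(pid & 0xFFFFFFFF) % 24]


def set_bits(pid, byte_no, mask):
    """OR mask into byte byte_no of the PID (1 = least significant, as in the post)."""
    if not 1 <= byte_no <= 4 or not 0 <= mask <= 0xFF:
        raise ValueError("byte_no must be 1..4 and mask must fit in one byte")
    return pid | (mask << (8 * (byte_no - 1)))


def reinterpretation(old_pid, new_pid):
    """Blocks whose meaning changes when the PID changes.

    The stored blocks stay where they are; only the order used to read them
    changes. Returns (stored_as, read_as) pairs for every slot that differs.
    """
    old, new = order_of(old_pid), order_of(new_pid)
    return [(o, n) for o, n in zip(old, new) if o != n]


def survey(pid, byte_nos=(4, 3)):
    """Apply each mask to each chosen byte; list the resulting orders.

    256, 256**2 and 256**3 are all congruent to 16 mod 24, so the same mask
    gives the same new order whichever byte above the first it lands in.
    """
    rows = []
    for label, mask in MASKS.items():
        for byte_no in byte_nos:
            new = set_bits(pid, byte_no, mask)
            rows.append((label, byte_no, new, order_of(new), reinterpretation(pid, new)))
    return rows


def ways_to_read(pid, stored, read_as, byte_nos=(4, 3)):
    """Corruptions after which block `stored` is read as block `read_as`."""
    return [(label, byte_no, new)
            for label, byte_no, new, _order, moved in survey(pid, byte_nos)
            if (stored, read_as) in moved]


if __name__ == "__main__":
    for name, pid in TRADE_PIDS.items():
        print(f"{name}: 0x{pid:08X} mod 24 = {pid % 24} ({order_of(pid)})")
        for label, byte_no, new, order, moved in survey(pid):
            changes = ", ".join(f"{FIELDS[o]} read as {FIELDS[n]}" for o, n in moved)
            print(f"  {label}, byte {byte_no}: 0x{new:08X} -> {new % 24} ({order}): {changes}")
        ev_to_growth = ways_to_read(pid, "E", "G")
        print(f"  EVs readable as growth: {'yes' if ev_to_growth else 'no'}")
```
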
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 14, 2014, 07:03:22 pm
Pardon me if I am wrong, as EVs and IVs confuse me, but aren't EVs for traded Pokémon constant? 

Also, I think you made a minor mistake here:
Meowth:

*Meowth can work for EV & Condition data being read as attack data (any move trick)
*Meowth can work for attack data being read as growth data (any Pokémon up to Minun provided you have the right moves trick)
*For the Meowth, any Pokémon trick via EVs is not possible.

So in conclusion, we should use the Seedot or Horsea you get in a trade if we want any Pokémon. Let me know if I'm missing something important regarding how the glitch works.

Shouldn't it be "For the Meowth, any Pokémon trick via moves is not possible"?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Missing? NO! on May 14, 2014, 08:16:16 pm
Pardon me if I am wrong, as EVs and IVs confuse me, but aren't EVs for traded Pokémon constant? 
No, unless the previous trainer fully EV trained their Pokemon, but that also can be changed by giving it something such as a Pomeg Berry, which would lower EVs.
IVs are constant though, and cannot be altered under any means, whether or not that Pokemon was received in a trade.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 15, 2014, 02:25:50 am
This is amazing progress and you're all great.  Thank you for the detailed explanation, ZZAZZ!

Just want to put a reminder here that the low 16 bits of the PID can't change, as that'll definitely mess up the checksum.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 06:39:00 am
Pardon me if I am wrong, as EVs and IVs confuse me, but aren't EVs for traded Pokémon constant? 

Also, I think you made a minor mistake here:
Meowth:

*Meowth can work for EV & Condition data being read as attack data (any move trick)
*Meowth can work for attack data being read as growth data (any Pokémon up to Minun provided you have the right moves trick)
*For the Meowth, any Pokémon trick via EVs is not possible.

So in conclusion, we should use the Seedot or Horsea you get in a trade if we want any Pokémon. Let me know if I'm missing something important regarding how the glitch works.

Shouldn't it be "For the Meowth, any Pokémon trick via moves is not possible"?

It was right the way it was, because if you take a look at Meowth's substructure order MGEA, and look at the following changes; GEMA, MEAG; AMEG, none of the changes have E changing into G. EVs are literally 'effort values'; they are values you can change by defeating enemy Pokémon, that affect your stats (on level up in Emerald). The EV points you get depends on the Pokémon you beat (e.g. Whismur gives 1 HP EV).

Just want to put a reminder here that the low 16 bits of the PID can't change, as that'll definitely mess up the checksum.

What do you mean by low 16 bits? There are 16 bits in the whole PID because it is four bytes. Do you mean the first 8 bits?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Sanqui on May 15, 2014, 06:44:26 am
Just want to put a reminder here that the low 16 bits of the PID can't change, as that'll definitely mess up the checksum.

What do you mean by low 16 bits? There are 16 bits in the whole PID because it is four bytes. Do you mean the first 8 bits?
A byte is 8 bits.  The PID is 32 bits long (4 bytes).  While the checksum is 16 bits (2 bytes).  So if any of the least significant 16 bits (two bytes) of the PID change, the checksum will come out differently.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 07:09:50 am
Ah, my mistake. Thanks for the clarification.

I knew that there were 8 bits in a byte, so it was just a 'silly mistake' on my side.

Now we have a good understanding of how this glitch works, methinks.

Edit: I got my own Jirachi with Seasor the Horsea, success! :D You can nickname the Egg to JIRACHI. A video should be coming soon.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 15, 2014, 10:27:22 am
Is the process any different when already-corrupted Pokémon are corrupted again? Could that lead to further branches of outcomes, or would it revert to another of the original outcomes?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 12:18:21 pm
Is the process any different when already-corrupted Pokémon are corrupted again? Could that lead to further branches of outcomes, or would it revert to another of the original outcomes?

It wouldn't revert to another of the original outcomes because the game won't unset the bit you affected and set the other case (i.e. bit 0, 2 or bit 6).

To directly answer your question, you may get another substructure order change, but nothing may happen. Since Bad EGGs/EGGs in this glitch are Pokémon with bit 0 and 2/bit 6 set, your chances of corrupting them again may be reduced, plus once bits 0, 2, and 6 have all been set, you can't corrupt the Pokémon's personality value anymore to my knowledge. But I don't know whether things like nickname changes, marking changes, etc will still happen if you have a bit there that hasn't been set.

Gosh... I just spent nearly 29 minutes setting up everything and getting Jirachi, and this counts skipping the particularly long parts; EV training, repeating cloning, hatching Jirachi, getting Jirachi to level 25. But I do show the first bits of those. I'll have to speed up the video. I was playing on turbo mode and played really slow if it was on normal speed, making some blunders, so speeding it up may effectively put my actions back into good speed.

Now. I heard you can try the cloning glitch in a different way to remove Pokémon, including Bad EGGs. Can anyone write the step by step instructions here, or upload a video if this is true, please?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 15, 2014, 01:04:26 pm
I suppose it would make sense that Bad Eggs couldn't get messed with much further... :P

Now. I heard you can try the cloning glitch in a different way to remove Pokémon, including Bad EGGs. Can anyone write the step by step instructions here, or upload a video if this is true, please?

Withdrawing a Pokémon from the PC clones it; depositing it into the PC deletes it.

So in other words, have the Pokémon you wish to delete in your party at your last save point, and in the PC when you talk to the Multi Battle woman.

I remember hearing long ago of a guy I knew deleting his Rayquaza this way by mistake in an attempt to clone it.  :XD:
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 15, 2014, 02:45:07 pm
Withdrawing a Pokémon from the PC clones it; depositing it into the PC deletes it.

So in other words, have the Pokémon you wish to delete in your party at your last save point, and in the PC when you talk to the Multi Battle woman.

I remember hearing long ago of a guy I knew deleting his Rayquaza this way by mistake in an attempt to clone it.  :XD:

I deleted my legit Mew this way trying to clone it :(
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 02:55:28 pm
I suppose it would make sense that Bad Eggs couldn't get messed with much further... :P

Now. I heard you can try the cloning glitch in a different way to remove Pokémon, including Bad EGGs. Can anyone write the step by step instructions here, or upload a video if this is true, please?

Withdrawing a Pokémon from the PC clones it; depositing it into the PC deletes it.

So in other words, have the Pokémon you wish to delete in your party at your last save point, and in the PC when you talk to the Multi Battle woman.

I remember hearing long ago of a guy I knew deleting his Rayquaza this way by mistake in an attempt to clone it.  :XD:

Thanks Vae, I'll go try it and make a video about it!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 15, 2014, 03:52:26 pm
What would happen if you transfer a Pokémon with Glitched Symbols to Gen 4?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 15, 2014, 05:08:42 pm
What would happen if you transfer a Pokémon with Glitched Symbols to Gen 4?
I Pal Parked a Sunflora with a glitched symbol in it and it got renamed to ?????????? in the migration screen and in Pal Park.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 05:27:38 pm
What would happen if you transfer a Pokémon with Glitched Symbols to Gen 4?

I assume both you and voltage are referring to symbols you normally can't add when nicknaming Pokémon? (sorry if you weren't)

If so, in theory a simple character conversion like this (http://forums.glitchcity.info/index.php?topic=6256.0) may also happen.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 15, 2014, 05:55:15 pm
Hey Torchickens, I saw your video tutorial. Amazing. The tutorial should be added to Bulbapedia later, along with the corruption stuff. Also, I'll try to get RAGE via this method later, it'll make my Super Glitch video "legit".
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 15, 2014, 06:15:18 pm
Hey Torchickens, I saw your video tutorial. Amazing. The tutorial should be added to Bulbapedia later, along with the corruption stuff. Also, I'll try to get RAGE via this method later, it'll make my Super Glitch video "legit".

Glad you liked it. Yeah, I'm thinking of writing about it on Bulbapedia soon. I'll talk to SnorlaxMonster for his opinion on if it deserves its own article. Good luck on getting RAGE :)

The only problems other than bad luck I see are if it freezes the game when it hatches, and if it doesn't learn enough moves before it learns the Super Glitch move at level 28/if its growth rate is really slow (I can't check right now, but you may want to confirm if it does or doesn't) to erase all glitch moves with freezing names. These problems could be important.

It's nice to see hatching Decamarks without cheating being possible indeed.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 15, 2014, 06:25:21 pm
Are the two guaranteed glitch moves overwriteable via move relearner? Afaik it's common that it's the type that freezes, but the Move Relearner doesn't show the upside down Normal, instead some glitch letters that don't freeze. At least it was like that with most of the Decamark's moves.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 15, 2014, 06:30:26 pm
What would happen if you transfer a Pokémon with Glitched Symbols to Gen 4?

I assume both you and voltage are referring to symbols you normally can't add when nicknaming Pokémon? (sorry if you weren't)

If so, in theory a simple character conversion like this (http://forums.glitchcity.info/index.php?topic=6256.0) may also happen.
No, I meant the Glitched Marking Symbols. Maybe we'd get arbitrary code in gen 4 :D?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 15, 2014, 10:57:46 pm
No, I meant the Glitched Marking Symbols. Maybe we'd get arbitrary code in gen 4 :D?
Sorry for misunderstanding what you meant...but I just did this with Whismur and its marking reverted to normal.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 16, 2014, 08:44:29 am
It's nice to see hatching Decamarks without cheating being possible indeed.
I hatched 0x151A in my last video ;)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2014, 09:24:14 am
It's nice to see hatching Decamarks without cheating being possible indeed.
I hatched 0x151A in my last video ;)

Niice :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: camper on May 16, 2014, 10:09:23 am
I guess now this trick allows hatching all 65536 Pokemon in Emerald?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2014, 10:49:55 am
I guess now this trick allows hatching all 65536 Pokemon in Emerald?

Yes, but from when I experimented with hacking the ROM to evolve Bulbasaur into Decamarks, some Decamarks were so unstable the evolution would not complete, so I imagine that might be a problem for hatching certain Decamarks too.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: camper on May 16, 2014, 11:19:43 am
What causes the Decamarks to be unstable when only the sprite is viewed?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 16, 2014, 11:34:20 am
I've tried EV Glitzer Popping with Dots the Seedot, and nine corruption attempts later I've got no valid Eggs.

According to the description of the trade exclusives on the previous page, Dots is equally as valid as Seasor for this Glitzer variant. However, on Torchickens' Pastebin describing the contents of his video on the exploit, it is explained that Seasor is the only Pokémon with which the glitch can be performed.

I in fact released my Seasor last year in a wide purge of the contents of my boxes deemed unnecessary. (How wrong I was!)

If it is the case that Dots is unviable for morphing purposes, then I will have to resort to wide-scale hatching in the hopes that one could possibly be morphed in this way. What Pokémon would hatch from an Egg if its original had 0 EVs in everything?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2014, 12:27:41 pm
According to the description of the trade exclusives on the previous page, Dots is equally as valid as Seasor for this Glitzer variant. However, on Torchickens' Pastebin describing the contents of his video on the exploit, it is explained that Seasor is the only Pokémon with which the glitch can be performed.

Oh... I made a stupid mistake I think, sorry.  :-[

Dots should work eventually, so you're not out of luck.

I was only reading the bits 0 and 2 being set list, so my Pastebin is wrong, and then I replicated my mistake in a later edit of the post (http://forums.glitchcity.info/index.php/topic,6868.msg195232.html#msg195232).

Dots should work but it may take a few tries (maybe try say 40 more times and tell me if it doesn't work?) because this glitch is still random; the game may set the wrong bits. If you use memory viewer to set the sixth bit of the first byte on the personality value (stored as the last here) (+$40), it will turn into an Egg, so you should get an Egg eventually. Wait. Tell me how much experience your Seedot has. That may affect whether it turns into an Egg or not. I overlooked this.

The change that makes it work is bit 6 being set and Dots' substructure order being changed from EGAM to GMAE (one of the changes is EVs->Growth).

What Pokémon would hatch from an Egg if its original had 0 EVs in everything?

It appears invisible on the summary screen, so I'm not sure if you'd be able to see/withdraw the Egg. That's a shame, because it lets you do the access Pokémon from beyond the sixth slot glitch outside of battle if you have it in your first position! Some may freeze the game when you bring up the 'summary/switch/item/cancel' box, and some won't, but I haven't been able to switch any around yet.

If it does hatch (probably cheat only) I guess it would hatch into the hex:0000 Decamark. I'll try to hatch it.

On the deposit screen, it takes the sprite of the second Pokémon, possibly with a glitched palette and you can't deposit it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 16, 2014, 01:08:32 pm
Dots should work but it may take a few tries (maybe try say 40 more times and tell me if it doesn't work?) because this glitch is still random; the game may set the wrong bits. If you use memory viewer to set the sixth bit of the first byte on the personality value (stored as the last here) (+$40), it will turn into an Egg, so you should get an Egg eventually.

Well, that's a relief! Thanks!  ;)

It would be really cool to be able to access beyond slot 6 in the overworld.  O_o

Wait. Tell me how much experience your Seedot has. That may affect whether it turns into an Egg or not.

Oooh...I may be in a spot of bother then...

I have box 1 full and box 2 nearly full of Lv20 Dots Nuzleafs. I am trying simultaneously for Jirachi and Deoxys; therefore, I have assembled the boxes in the order of 1: Jirachi Dots, 2: Deoxys Dots, 3: Jirachi Dots, 4: Deoxys Dots and so on. (J Dots has a heart marking; D Dots has a triangle marking.)

Jirachi Nuzleaf has obtained 6321 EXP points, and Deoxys Nuzleaf has earned slightly more due to its extra HP EV (6408 EXP points).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2014, 01:21:18 pm
You're welcome. Hope you get it to work. :)

Jirachi Nuzleaf has obtained 6321 EXP points, and Deoxys Nuzleaf has earned slightly more due to its extra HP EV (6408 EXP points).

Both should work. (It worked after I got two of Dots and changed their experience/levels with A-Save and set bit 6 with memory viewer.) Experience matters because when EGAM changes to GMAE, 'growth' is going into 'miscellaneous'. Old species is interpreted as Pokérus status and Met location (likely gets overwritten once the Egg hatches), Item held goes into 'origins data' (I don't know what this is) and finally experience, a dword (4 bytes), goes into "IVs, Egg, and Ability".

But I still don't know which byte from these 4 controls whether the Pokémon is an Egg.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 16, 2014, 04:56:24 pm
What causes the Decamarks to be unstable when only the sprite is viewed?

I can't answer that with certainty; but it isn't exclusive to just egg hatching. 

But do remember that they also have cries.  That could possibly do it, though I doubt it. 



Would it be possible that the game reads invalid data, decides that it is invalid, and then gives the (?) sprite?  Could that do stuff? 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 17, 2014, 03:03:36 pm
I've found that Bad Decamarks has a minor cloaking effect. I entered the Hall of Fame with it in my 5th slot, and the Pokemon in the 6th slot did not appear in the Hall of Fame.

Also, while checking the Ribbons via Pokenav, those in my party were not listed while Bad Decamarks was in my first slot. (When I moved it to the 6th, they were listed again.) I thought having it in the first slot might mask the fact that I didn't have enough Pokemon for a double battle, but it seems there's a limit to what this cloaking effect is capable of.

But this seems rather promising. (Though, admittedly, less so in light of the fact that anything is now possible in the game. :P) What else might this achieve?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 17, 2014, 03:09:52 pm
This is unrelated to your question, but Vae, did you get the any Pokémon trick to work with Dots? I'm starting to worry maybe I'm wrong and it's only possible with Seasor (and certain random Pokémon), but I wouldn't understand why.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 17, 2014, 03:47:06 pm
I've found that Bad Decamarks has a minor cloaking effect. I entered the Hall of Fame with it in my 5th slot, and the Pokemon in the 6th slot did not appear in the Hall of Fame.

Also, while checking the Ribbons via Pokenav, those in my party were not listed while Bad Decamarks was in my first slot. (When I moved it to the 6th, they were listed again.) I thought having it in the first slot might mask the fact that I didn't have enough Pokemon for a double battle, but it seems there's a limit to what this cloaking effect is capable of.

But this seems rather promising. (Though, admittedly, less so in light of the fact that anything is now possible in the game. :P) What else might this achieve?

I know from earlier that you can't view Hall of Fame data of the team you had Bad Decamarks in from the PC. Also, while attempting to migrate it, it can't show up due to its invisibility if it lacks Pokerus. I once tried to migrate one with Pokerus, and the game stated that "This Pokemon is not permitted to migrate." I'm not entirely sure if Pokerus is why it shows up visibly, though. From the migration screen, it can hold an item if it is visible. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 17, 2014, 03:58:01 pm
This is unrelated to your question, but Vae, did you get the any Pokémon trick to work with Dots? I'm starting to worry maybe I'm wrong and it's only possible with Seasor (and certain random Pokémon), but I wouldn't understand why.

I've tried six times since to no avail - but to be honest I suspect that this is par for the course and that there is simply an exceptionally low probability of success.

When you successfully morphed your Seasor, how many attempts did it take you?

I know from earlier that you can't view Hall of Fame data of the team you had Bad Decamarks in from the PC. Also, while attempting to migrate it, it can't show up due to its invisibility if it lacks Pokerus. I once tried to migrate one with Pokerus, and the game stated that "This Pokemon is not permitted to migrate." I'm not entirely sure if Pokerus is why it shows up visibly, though. From the migration screen, it can hold an item if it is visible. 

For most purposes, it's treated as an Egg (contests, Battle Frontier, move relearner, etc.), so unfortunately it makes sense that it couldn't be migrated.

Do you suppose that Emerald treats it differently if it has Pokérus or not?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 17, 2014, 04:20:55 pm
This is unrelated to your question, but Vae, did you get the any Pokémon trick to work with Dots? I'm starting to worry maybe I'm wrong and it's only possible with Seasor (and certain random Pokémon), but I wouldn't understand why.

I've tried six times since to no avail - but to be honest I suspect that this is par for the course and that there is simply an exceptionally low probability of success.

When you successfully morphed your Seasor, how many attempts did it take you?

Just two times. I have a save file with the Seasors, the 65535 HP Pokémon, the fainted Pokémon and the 'switch Pokémon' ready, so I can try again and I'll let you know how many times it takes it to work the next time. I may have been really lucky.

Edit: I just tried for the 10th time and got no Egg, so I likely was lucky.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 17, 2014, 04:41:56 pm
I may have been really lucky.

You have, at one point, manually changed the relevant byte with success. (Or, at least, I interpret so.)

It's simply a matter of repeating the process as many times as is necessary... :-\
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 17, 2014, 05:43:16 pm
I may have been really lucky.

You have, at one point, manually changed the relevant byte with success. (Or, at least, I interpret so.)

It's simply a matter of repeating the process as many times as is necessary... :-\

Yep, that's right, after I successfully got a Jirachi Egg, I added $40 to the first personality byte (the only one that works, I stress) for both Seasor and Dots and they became regular Eggs and their EVs got interpreted as species.

$40 (bit 6) being added to the first personality byte is a one in eight occurrence for Dots, ignoring the actual randomness mechanics involved, as I don't know them. It would've been a one in four occurrence for Seasor, only the 'add bit 0 and 2 to first byte; i.e. +05' thing doesn't result in a regular Egg for this Horsea, so it's one in eight again.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 18, 2014, 01:48:16 pm
In FR/LG, the Pokémon past the sixth slot are very different to those found in Emerald. They're mostly identical and non-volatile. https://www.youtube.com/watch?v=0nDwHEoqPhM

In Emerald, post-6th slot Pokémon corrupt:

-Pokémon in boxes 1 and 2
-Day Care
-Items
-Secret Base items

Could these guys corrupt anything different over in Kanto?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 19, 2014, 09:05:26 am
Discovery found by Golderzoa333 on his Twitch stream:

If you check the summary of the second Pokémon then scroll up twice without leaving the summary (to the Decamark you sent out) you'll see a 'dark' version of your first Pokémon that may be flipped. It'll disappear after a short time, unless the game happens to lock-up when it's shown.

(http://i.minus.com/jAAZL60gPBdlt.png)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 19, 2014, 04:22:39 pm
Discovery found by Golderzoa333 on his Twitch stream:

If you check the summary of the second Pokémon then scroll up twice without leaving the summary (to the Decamark you sent out) you'll see a 'dark' version of your first Pokémon that may be flipped. It'll disappear after a short time, unless the game happens to lock-up when it's shown.

(http://i.minus.com/jAAZL60gPBdlt.png)

Is that a reproducible effect?  Because in some cases some Decamarks cause weird sprite glitches to occur. 

(http://i.imgur.com/jcyth4u.png)
E.g. this Charmander

I'll also note that in that image, it says the Pokémon is a ??????????, and No000. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 20, 2014, 06:26:10 am
I have a save file with the Seasors, the 65535 HP Pokémon, the fainted Pokémon and the 'switch Pokémon' ready, so I can try again and I'll let you know how many times it takes it to work the next time. I may have been really lucky.

Edit: I just tried for the 10th time and got no Egg, so I likely was lucky.

Alright, I have finally achieved success! Yesterday, I got my Jirachi Egg and hatched it. I cloned it and then wiped boxes 1 and 2 clean, releasing the uncorrupted Nuzleafs and erasing all the Bad Eggs. So then this morning I set up the boxes for the same with Deoxys, which succeeded after only eight tries.  ;D

I have noted some details:

1) On both occasions, the valid Eggs were found in box 2, slot 23. This is the same slot in which you find your Jirachi Egg morphed from Seasor;

2) Just as described by others, the Egg was at its "making sounds!" stage when discovered;

3) And the Egg was always contained in a Nest Ball.

Numerically, box 2, slot 23 is the last slot that is affected by the corruption, but it is always the first to be corrupted. Unless the experiences of others tell otherwise, it may well be that this is the only slot that allows EV corruption - though I must say I doubt this.  :???:
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 20, 2014, 07:06:26 am
2) Just as described by others, the Egg was at its "making sounds!" stage when discovered;

3) And the Egg was always contained in a Nest Ball.
All of these are the result of the 30th bit of the PV getting changed. The Egg uses the friendship value for hatching (every 256 steps decreases it by one, and it hatches when it reaches zero). It's in the "making sounds" stage because your Pokémon's friendship value is really low. And the 30th bit of the origins dword is the 3rd bit of the ball-used value (Nest Ball has a value of 8, which is 1000₂).
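The reinterpretation described in the posts above (EGAM read as GMAE once bit 30 of the personality value is set, EVs read as species, experience landing on the Egg flag, the Nest Ball) can be reproduced offline with a small decoder. This is an added example, not code from any poster: it assumes the publicly documented Generation III 80-byte boxed record layout, models the corruption as changing only the stored PV, and all helper names and record values are constructed, except the 151 HP EVs and 6321 EXP figures taken from the thread.

```python
import struct

# Substructure order selected by PV % 24 in the documented Gen III layout.
# G = Growth, A = Attacks, E = EVs/Condition, M = Miscellaneous.
ORDERS = ("GAEM GAME GEAM GEMA GMAE GMEA AGEM AGME AEGM AEMG AMGE AMEG "
          "EGAM EGMA EAGM EAMG EMGA EMAG MGAE MGEA MAGE MAEG MEGA MEAG").split()
BIT30 = 1 << 30  # "+$40" on the most significant personality byte


def crypt(block48, pv, otid):
    """XOR each of the 12 dwords with PV ^ OT ID (same operation both ways)."""
    key = pv ^ otid
    words = struct.unpack("<12I", block48)
    return struct.pack("<12I", *(w ^ key for w in words))


def checksum(plain48):
    """16-bit sum of the 24 decrypted halfwords."""
    return sum(struct.unpack("<24H", plain48)) & 0xFFFF


def build(pv, otid, subs):
    """Assemble an 80-byte boxed record from four 12-byte substructures."""
    plain = b"".join(subs[c] for c in ORDERS[pv % 24])
    header = struct.pack("<II", pv, otid) + bytes(20)   # names/markings zeroed
    header += struct.pack("<HH", checksum(plain), 0)    # checksum at offset 28
    return header + crypt(plain, pv, otid)


def decode(raw):
    """Decrypt a record and read the fields the thread talks about."""
    pv, otid = struct.unpack_from("<II", raw, 0)
    stored_sum, = struct.unpack_from("<H", raw, 28)
    plain = crypt(raw[32:80], pv, otid)
    order = ORDERS[pv % 24]
    sub = {c: plain[i * 12:(i + 1) * 12] for i, c in enumerate(order)}
    species, = struct.unpack_from("<H", sub["G"], 0)
    pokerus, met_loc, origins, iv_word = struct.unpack_from("<BBHI", sub["M"], 0)
    return {
        "order": order,
        "species": species,
        "friendship": sub["G"][9],
        "pokerus": pokerus,
        "met_location": met_loc,
        "ball": (origins >> 11) & 0xF,       # 8 is the Nest Ball value
        "is_egg": bool(iv_word & BIT30),     # Egg flag is bit 30 of the IV dword
        "checksum_ok": checksum(plain) == stored_sum,
    }


def set_pv_bit30(raw):
    """Model of the corruption: only the stored PV changes, nothing else."""
    pv, = struct.unpack_from("<I", raw, 0)
    return struct.pack("<I", pv | BIT30) + raw[4:]


def sample_record():
    """Constructed record: PV % 24 == 12 (EGAM), 151 HP EVs, 6321 EXP."""
    pv = 24 * 1_000_000 + 12
    otid = 0x1234ABCD
    origins = 5 | (3 << 7) | (4 << 11)       # met level, game, ball value 4
    subs = {
        # species (placeholder index), item, exp, PP bonuses, friendship, unused
        "G": struct.pack("<HHIBBH", 0x0111, 0, 6321, 0, 70, 0),
        # four move ids, four PP values
        "A": struct.pack("<4H4B", 33, 45, 0, 0, 35, 40, 0, 0),
        # HP/Atk/Def/Spe/SpA/SpD EVs, then six contest stats
        "E": struct.pack("<12B", 151, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        # Pokerus, met location, origins, IVs/Egg/Ability, ribbons
        "M": struct.pack("<BBHII", 0, 16, origins, 0x01234567, 0),
    }
    return build(pv, otid, subs)


if __name__ == "__main__":
    rec = sample_record()
    print("before:", decode(rec))
    # The key is PV ^ OT ID, so setting PV bit 30 also flips bit 30 of every
    # decrypted dword: EXP gains the Egg bit and the empty item slot becomes
    # ball value 8, while the HP/Atk EV bytes are read as the species index.
    print("after: ", decode(set_pv_bit30(rec)))
```

In this constructed record the 16-bit checksum still matches after the change, because twelve additions of 0x4000 wrap to zero; a record in which an odd number of dwords already had bit 30 set would no longer match its stored checksum.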
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 20, 2014, 09:00:30 am
All of these are the result of the 30th bit of the PV getting changed. The Egg uses the friendship value for hatching (every 256 steps decreases it by one, and it hatches when it reaches zero). It's in the "making sounds" stage because your Pokémon's friendship value is really low. And the 30th bit of the origins dword is the 3rd bit of the ball-used value (Nest Ball has a value of 8, which is 1000₂).

Thanks, I understand that a bit better now.  ;)

But is the prevalence of the 23rd slot of Box 2 in corruption just my imagination? A pattern is emerging here - Torchickens and I have probably tested corruption 50 times between us. On the few times it has worked, the Jirachi/Deoxys Egg has been in that exact slot without exception.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 20, 2014, 09:04:25 am
Alright, I have finally achieved success! Yesterday, I got my Jirachi Egg and hatched it. I cloned it and then wiped boxes 1 and 2 clean, releasing the uncorrupted Nuzleafs and erasing all the Bad Eggs. So then this morning I set up the boxes for the same with Deoxys, which succeeded after only eight tries.  ;D

Yay! I'm glad you were able to do it. :D

Discovery found by Golderzoa333 on his Twitch stream:

If you check the summary of the second Pokémon then scroll up twice without leaving the summary (to the Decamark you sent out) you'll see a 'dark' version of your first Pokémon that may be flipped. It'll disappear after a short time, unless the game happens to lock-up when it's shown.

(http://i.minus.com/jAAZL60gPBdlt.png)

Is that a reproducible effect?  Because in some cases some Decamarks cause weird sprite glitches to occur. 

(http://i.imgur.com/jcyth4u.png)
E.g. this Charmander

I'll also note that in that image, it says the Pokémon is a ??????????, and No000.

Yeah, it's reproducible. Different Pokémon in the first position give different results. It says it's ??????????, and No. 000 because the new Pokémon is. The game doesn't load the Pokémon's summary all at once.

It loads the data in this order:
1)Type
2)Pokédex number, species, level, gender
3)OT, ID number, ability
4)Trainer memo data (nature and location met)

Then the 'ghost picture' disappears, the Slowpoke cry plays and the game locks up.

The screenshot above was taken early in the process, which is why its type changed to normal and its Pokédex number, species name, level and gender changed, but everything else visible about the Pokémon didn't.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on May 21, 2014, 06:38:54 am
A big discovery!

After tracing Emerald's ASLR, I finally found the address that will always correctly lead to the correct address. The address is 03005D8C. It stores the pointer to another address. This value is changed every time ASLR is activated so that the CPU keeps jumping to the correct address. If you want to locate the start position of Pokemon in a box, simply add 3E0C to this address's value! For example, if the value at address 03005DBC is 02025A30, then the data of the first Pokemon in a box will start at 0202983C.

Proof:
(http://i.imgur.com/vuJcunt.png)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 22, 2014, 11:45:02 am
Getting closer to executing arbitrary code without a hacked save file

In case you're not following my YouTube channel, arbitrary code execution is already possible (https://www.youtube.com/watch?v=HgN7UUpX0x0). It requires a hacked save file though. So the next natural step is to find a way to do this without any outside tools.

The first problem is the method itself. Currently, the glitched name of decamark 0x065C is used as a gateway to arbitrary code execution. Obtaining it without cheating seems currently impossible, since it crashes the game upon hatching. Therefore, a different decamark with code-executing properties is necessary.

I further investigated the arbitrary code execution glitch I found earlier, and found its exact cause. With this knowledge, I (or at least my computer) was able to create a list of all decamarks and their possible jump locations.
Thanks to this, it was easy to find a decamark with index 0x097D - its glitched summary screen executes code starting at $E118C50 (again, save data), and does not crash the game after or before hatching.

If we're talking TAS only, there are no problems left - just luck manipulation! ...

...but things start to look bad if we want to do things without TASing:

  1. The save file in Generation III is split into 14 substructures, independent memory blocks. They once again have their order randomized (http://bulbapedia.bulbagarden.net/wiki/Save_data_structure_in_Generation_III). 9 of those blocks are PC boxes - so there's a good 64% chance that the execution will land in one of the Pokemon boxes (and Pokemon boxes are pretty easy to manipulate). Still, a legitly playing person won't have the certainty that the glitch will always work.

  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

  3. ARM processor architecture is not great for us either. Each instruction in ARM mode takes 4 bytes. So to spell out a single instruction, 4 consecutive bytes need to have their values manipulated. You think it's difficult? Well, all instructions also have to be on memory addresses divisible by 4...

I'm now trying to get rid of the first problem on the list. Maybe there's a decamark that jumps to a more predictable location, like Pokemon boxes, or Pokemon in the party?

I included the previously mentioned list in the post. It is a CSV file with the following fields:
 - id: Hex identifier of a decamark.
 - name_length: The length of its name (it determines if the arbitrary code execution is possible and how much RAM will be corrupted; you should not worry about this field now).
 - name_offset: The GBA memory offset where the 'name' is stored.
 - jump_offset: Memory location that will get executed once the summary screen is viewed. If filled with dashes ('--------') no arbitrary code execution occurs.

If someone finds a hatchable [!] decamark that executes arbitrary code from a fully predictable memory region, please let me know!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 25, 2014, 03:19:51 am
We're getting close to the holy grail... :D

I got my Mew via corruption of Dots with 151 HP EVs. Yet again, slot 23 of Box 2 was the one to produce this gem.

I'm pretty sure I'm not imagining things: ~20 tries for Jirachi, 8 for Deoxys and 5 for this Mew, and the only time in each of those cases when the Pokémon corrupted right, it was the one in slot 23 of Box 2. At this point, I think it's fair to say that slot 23 of Box 2 is the only slot that will corrupt the stuff correctly.

So this afternoon, I'm going to try for my Celebi, but this time I'm only going to put Dots in slot 23 of Box 2.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on May 25, 2014, 06:37:21 am
That's amazing. :o

  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

TAS talking, even if the code warped us to the Hall of Fame, the save there wouldn't "fix" it? Because otherwise, at least by TASVideos's standards, it would get rejected most likely (http://tasvideos.org/3903S.html). :(
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 25, 2014, 07:57:37 am
  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?

On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

However, all we've managed to corrupt is: Repel effect, Pokemon data, and Maps. Why is it different when you switch eggs around?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pokechu22 on May 25, 2014, 01:15:44 pm
  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?

I might be wrong here, but the game shouldn't be changed afterwards.  It just forces you to reboot the game (in some cases, it actually automatically does so!).  So Pokemon and such are not going to be changed. 

Wait.  What happens if we tried to modify the save data through this arbitrary execution?  Could we make assumptions about the current layout due to the fact that the program worked?  For sure, a TAS would be able to move the player to after the elite 4, by altering the save data.  You could change the data, then reload the game.  Hm...

On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculous long name, switched my character's gender, glitched my trainer card (upon opening it it'd either show Glacia's sprite, or freeze the game, messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

However, all we've managed to corrupt is: Repel effect, Pokemon data, and Maps. Why is it different when you switch eggs around?

I'm going to note that the effects there have been found in Firered by me.  In this case, it was a glitched TM name causing overflow.  I'm guessing that some string was broken (It could have been an ability, or a species name), and caused such an effect.  Actually looking at that, it mentions glitched moves.  So it is very likely that one of the moves did it. 
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 26, 2014, 08:27:41 am
the "access pokemon beyond the sixth slot" (this needs a shorter name)

I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 26, 2014, 10:21:51 am
the "access pokemon beyond the sixth slot" (this needs a shorter name)

I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))

I think that's a cool name. When updating the Bad Egg wiki page, I referred to the scrolling glitch as the 'Generation III bit set glitch', but I said it's also called Glitzer Popping.

Two other changes I made are Trainer Ledge/Fence Collision glitch to Amazing Trainers akin to Amazing Man (because it sounds nicer and easier to read, and a tuber can walk through a wall) and Zero Error to Walking lag glitch (because the page actually describes something different).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on May 26, 2014, 02:39:15 pm
One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 26, 2014, 03:52:14 pm
One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"

This is the same with a normal Egg if you get it poisoned via the standard Pomeg glitch.

If you have Sacred Ash with you (I got mine from XD: Gale of Darkness), you can also revive any fainted Eggs/Bad Eggs you have in this way.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 27, 2014, 11:55:44 am
Does anyone know what glitch moves with long names do in contests?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 27, 2014, 12:46:42 pm
I spent an hour today testing stuff out in XD: Gale of Darkness. But jeez, that game is one heck of a glitch-proof fortress.

All of my corrupted hatched stuff (Deoxys, Jirachi, Mew, Ho-Oh and a glitchy Caterpie) would not show up at all in the trading menu. A blank space was shown in its slot instead, which could not be interacted with.

Glitchy markings were erased when sent to XD: GoD, and my Sneasel with the name "Sne[down arrow]sel" was renamed "Snesel" when traded over.

XD: Gale of Darkness's GameCube vs. Gameboy battle system is even more impenetrable. My Jirachi, Deoxys, etc. (even Caterpie) showed up as Bad Eggs on the battle selection screen and Pokémon with glitch moves were unable to fight.

So XD: Gale of Darkness will not allow:

-Glitch moves to show up in battle
-Glitch moves to be used in GCN v GBA battles
-'Hacked' (or Pokémon suspected of being hacked) to be traded
-Pokémon with ?35 HP to remain at this health quantity
-Glitch markings to have any effect
-Bad Eggs
-Glitchy names

This game is the ultimate glitcher's cockblock, my friends.

Does anyone know what glitch moves with long names do in contests?

I've tested 5, and all of them have frozen the game.

There is apparently some potential here (look up 'Cool Move' to see what I mean), but it could be a while until something concrete is found.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on May 27, 2014, 07:29:15 pm
So I transferred my Mewtwo into Gen IV and the location stated it was from
---------- instead of Hoenn.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 28, 2014, 04:23:31 am
So I transferred my Mewtwo into Gen IV and the location stated it was from
---------- instead of Hoenn.

I've found the same thing.  :)

I can't test what happens to it in Gen V at the moment, though.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 28, 2014, 09:27:51 am
I spent an hour today testing stuff out in XD: Gale of Darkness. But jeez, that game is one heck of a glitch-proof fortress.

All of my corrupted hatched stuff (Deoxys, Jirachi, Mew, Ho-Oh and a glitchy Caterpie) would not show up at all in the trading menu. A blank space was shown in its slot instead, which could not be interacted with.

Glitchy markings were erased when sent to XD: GoD, and my Sneasel with the name "Sne[down arrow]sel" was renamed "Snesel" when traded over.

XD: Gale of Darkness's GameCube vs. Gameboy battle system is even more impenetrable. My Jirachi, Deoxys, etc. (even Caterpie) showed up as Bad Eggs on the battle selection screen and Pokémon with glitch moves were unable to fight.

So XD: Gale of Darkness will not allow:

-Glitch moves to show up in battle
-Glitch moves to be used in GCN v GBA battles
-'Hacked' (or Pokémon suspected of being hacked) to be traded
-Pokémon with ?35 HP to remain at this health quantity
-Glitch markings to have any effect
-Bad Eggs
-Glitchy names

This game is the ultimate glitcher's cockblock, my friends.

Yeah, Colosseum and XD both have very very VERY strict error checking. I found that out earlier playing with AR codes in Dolphin. The only thing I found was hacking party Pokémon 1 to the front yielding a blank slot enables you to get to a weird blank summary screen (weirder in Colosseum in my opinion).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on May 29, 2014, 08:48:39 am
So I found this on Bulbapedia's Decamarks page yesterday:

http://bulbapedia.bulbagarden.net/wiki/Ten_question_marks

Quote from: Bulbapedia
?????????? may hold an item. The item will be called ???????? (eight marks), with a description in the Bag of ????? (five marks). The item can only make a Pokémon that is holding it become glitched if migrated to Pokémon Diamond or Pearl.

Unless there's a specific way of doing this, Octomarks just seems to disappear when sent to Gen IV. Maybe only specific Octomarks can produce this sort of effect?

In any case, this quote to me is somewhat suspect. I wonder what it means when it says the Pokémon holding it can "become glitched". Glitch markings also seem to be out of the question in Gen IV as far as I can see.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Zklosty on June 03, 2014, 08:56:06 am
Well.. I think I maybe have discovered something. I apologize in advance for the lack of details on this. While I was doing this "Access Pokemon beyond the sixth slot" glitch, after the battle was over and I whited out, I was teleported to an area where the entire screen was covered with trees. I couldn't move anywhere. I'm not sure if it teleported me, or the game had trouble loading the town I was in after whiting out. If it was teleportation though, maybe we're able to teleport to places in the game such as, Faraway Island or Naval Rock through using this glitch.
I did last heal before using the glitch at Oldale Town and where I was sent to after whiting out, was still Oldale Town (but I saw only trees and I couldn't move). I did this glitch on cartridge, and I also did scroll up in the glitched Pokemon menu for about 20 seconds. +-3 seconds at most.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 03, 2014, 09:09:42 am
The teleportation has been found by a few other people. I can't remember who or when exactly, but by using WTW hacks, it was found that the screen had just been covered with tree tiles, and that exiting that portion of the screen showed everywhere else to be normal.

So unless I've mistaken some details, it seems to be an issue with distorting the map at hand rather than being transported to some new map.

Regardless, it's certainly worth experimenting with outside of Oldale.  :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Zklosty on June 03, 2014, 02:46:48 pm
Well, I just found this video already posted by TheZZAZZGlitch (https://www.youtube.com/watch?v=OH8apzY9r0c) where it shows almost exactly what happened to me with being in that place with all the tree tiles. I guess I'll start experimenting with this map distortion, teleportation, or whatever it is in different areas.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on June 03, 2014, 02:51:35 pm
I've got it in Fortree a couple times.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 03, 2014, 03:34:39 pm
I had that happen to me in Route 117 once.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 06, 2014, 02:13:43 pm
Someone asked a good question on one of the Glitzer Popping videos.

If a Pokémon has 1 ATK EV and 156 HP EVs, the Pokémon in the Egg will be...an Egg. So you hatch the Egg and get an Egg...the question of course being: what hatches from this Egg?  ;D

I'd imagine it freezes, but I really have no idea to be honest.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on June 06, 2014, 02:21:28 pm
Doesn't 19C behave like a pokémon in that case? I'd assume it hatches normally, and then we'll have a guaranteed Pomeg faint Effect, without Pomeg (which I did back in Ruby/Sapphire to force bad eggs to fight). Torchickens hatched a 19C from a corrupted daycare couple iirc and it didn't freeze (I've had no luck with this though, every time the old man hands me the egg from corrupted parents the game softlocks. But that's not in the hatching)

But it's worth testing.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 06, 2014, 02:25:06 pm
I'd assume it hatches normally, and then we'll have a guaranteed Pomeg faint Effect, without Pomeg (which I did back in Ruby/Sapphire to force bad eggs to fight).

I'm not sure what you mean by the 'guaranteed Pomeg faint effect'.

But it's worth testing.

Sure is! Will do ASAP. :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on June 06, 2014, 02:34:59 pm
I'm not sure what you mean by the 'guaranteed Pomeg faint effect'.

It's treated as an egg and pokémon at same time. You can deposit your pokés/faint your others and have it as your only "pokémon", yet, the second pokémon (or last, I dunno), will be forced to be sent out. Idk if this works like Pomeg does in Emerald for access beyond the 6th slot though, I'll test it in a few minutes and post/edit this post with the results. But it does work for forcing eggs to fight without Pomeg use.

EDIT: confirmed it does work. The 19C has to be in first slot, and the only other alive pokémon in the last like normal, just get in a wild battle, flee, deposit it, go in another wild battle, and done, you'll send out a decamark as normal, and the beyond-6th-slot is accessible. But instead of whiting out when the game realizes your decamark is dead, it just forces you to send out the 19C. Since it doesn't need further Pomeg use, you can corrupt your boxes over and over without resetting, you just have to repeat the process of sending out an alive pokémon from the 6th slot then deposit it, between each attempt.

tl;dr yes you can get Pomeg subglitches with 19C without wasting Pomegs and/or time leaving your poké with 1HP and needing HP EVs.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 06, 2014, 06:23:44 pm
I was looking at the back of my trainer card and it said that I had 65535 link trades despite not trading at all in that game. I'm not entirely sure, but I think it might be due to OT corruption.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Zklosty on June 06, 2014, 09:31:56 pm
I was looking at the back of my trainer card and it said that I had 65535 link trades despite not trading at all in that game. I'm not entirely sure, but I think it might be due to OT corruption.
I've had similar effects, but I've had my Hall of Fame Debut corrupted to 999:59:59; Link Battles corrupted to W:9999 L:9999; PokeBlocks W/ Friends corrupted to 65535; and lastly Won Contests W/ Friends corrupted to 999. I also noticed sometimes when you see the Link Battles stat is corrupted, the records that are found using the blue terminal in the second level in the pokemon center are corrupted too. It looks like you fought a trainer named "       " and you had a draw against him ?384 times according to these "Battle Results" records
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 06, 2014, 10:17:04 pm
I was looking at the back of my trainer card and it said that I had 65535 link trades despite not trading at all in that game. I'm not entirely sure, but I think it might be due to OT corruption.
I've had similar effects, but I've had my Hall of Fame Debut corrupted to 999:59:59; Link Battles corrupted to W:9999 L:9999; PokeBlocks W/ Friends corrupted to 65535; and lastly Won Contests W/ Friends corrupted to 999. I also noticed sometimes when you see the Link Battles stat is corrupted, the records that are found using the blue terminal in the second level in the pokemon center are corrupted too. It looks like you fought a trainer named "       " and you had a draw against him ?384 times according to these "Battle Results" records

I just went upstairs and you were right about that opponent, except I "won" against that trainer that number of times. I also saw the Mystery Event delivery guy and he gave me a working Eon Ticket from glitching for "activating" the Mystery Event. I really want to know why this happened, like how I got ???????? from the lottery instead of obtaining it via Trick. I wouldn't be surprised if we would be able to obtain working tickets for Deoxys/Mew/Ho-oh/Lugia now.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on June 07, 2014, 08:00:36 am
Interesting, that's great! How did you obtain it? Was it simply by talking to him after doing the corruption or did you have to do something else?

I don't know if the Eon Ticket was the only thing you could get with Mystery Events. Bulbapedia doesn't have much information about it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 07, 2014, 02:30:13 pm
Drat. Accidentally clicked Remove instead of Modify.

Interesting, that's great! How did you obtain it? Was it simply by talking to him after doing the corruption or did you have to do something else?

I don't know if the Eon Ticket was the only thing you could get with Mystery Events. Bulbapedia doesn't have much information about it.

It was post-corruption as far as I'm aware. Interestingly, he refers to it as a Mystery Event while giving the ticket but refers to it as a Mystery Gift if you talk to him afterward.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: pigdevil2010 on June 08, 2014, 10:30:54 pm
It looks like you fought a trainer named "       " and you had a draw against him ?384 times according to these "Battle Results" records

Is it just me or ?384 looks like 16384 (2^14)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 09, 2014, 02:28:51 am
It looks like you fought a trainer named "       " and you had a draw against him ?384 times according to these "Battle Results" records

Is it just me or ?384 looks like 16384 (2^14)

I thought the same thing.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on June 14, 2014, 03:40:37 am
Messing around with this a bit more, trying to come up with some sort of route for a consistent speedrun at the moment. Came across something I hadn't seen before though...

Turned a castform into a regular Bad Egg, nothing much interesting. But when I went back to Route 119, when I go down far enough from Fortress that the Rain is meant to start, the game just froze up and I couldn't move. Not sure what made that happen, but the fact that it had overworld effects without actually looking at the Pokemon is promising I guess?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: camper on June 14, 2014, 05:17:45 am
Messing around with this a bit more, trying to come up with some sort of route for a consistent speedrun at the moment. Came across something I hadn't seen before though...

Turned a castform into a regular Bad Egg, nothing much interesting. But when I went back to Route 119, when I go down far enough from Fortress that the Rain is meant to start, the game just froze up and I couldn't move. Not sure what made that happen, but the fact that it had overworld effects without actually looking at the Pokemon is promising I guess?
Can you try to replicate this when weather effects are everywhere? Does it still crash when you go to the desert or when it's sunny?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: rortik on June 14, 2014, 11:04:40 pm
Well I've been trying the "hatch any pokemon" subglitch, and it just isn't working. I might just be REALLY unlucky, but I've done it over 50 times and no regular egg :/


I have SEASOR with the proper EVs for Jirachi cloned and in the boxes for me.

I have Kirlia with enough HP evs to go negative first in my party, then a fainted oddish, then Rayquaza at my save point.


I use the Pomeg berry, encounter a Pokemon, switch to Rayquaza, run.

Go to Pokemon Center, deposit Rayquaza, heal Kirlia via potion.

Encounter wild Pokemon, send out Decamark, view Kirlia's status, go up 2x to cancel button, then up 42 times.

Then I cancel, try to run, white out (pokemon stay fainted) and check my PC.


I think my count is now at 55 tries, and no luck :/

Am I doing everything right? The bad eggs appear as they're supposed to. Maybe I'm just stupid...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 15, 2014, 05:27:04 am
Well, you're right...it shouldn't take that many tries.  :???:

You have done the procedure correctly, but there are some small slip-ups that could still happen. Your Seasor's EXP gained may not be suitable for the experience->growth transformation. I don't know what specific values are suitable and which aren't, but if you post that here someone will be able to tell you.

Aside from that, it's possible that you've made other mistakes without noticing. It's worth checking that the Seasor you've cloned hasn't been corrupted before. It sounds silly, but last week I tried 25 times to turn my Dots Nuzleaf into a Celebi, but I later found out that the Dots I was using had its markings altered, a sure sign that I had messed with it previously. This would have changed aspects of its data, possibly including the personality value, making it unsuitable for transformation.

The only other thing I can think of is that, when EV training your Seasor, you may have let Pokérus spread to it unbeknownst to you. This would mean that when Seasor is transformed, the Pokémon in the Egg would not be a Celebi because the EVs you'd given it would be higher than 251. Then again, it seems as though you didn't get an Egg at any point.

If I were you, I think the best thing to do at this stage would be to start over. If you have a cloned copy of the original Seasor without any alterations, I'd recommend re-distributing its EVs and cloning it again. This may sound defeatist and a daunting proposition given how much time you have already devoted, but seeing as you understand the process fully and have done it before, I feel it's the best course of action in this circumstance.

There's one other thing I might add, if you are willing to restart your set-up. So far, every reported successful instance of Glitzer Popping via EVs has left the valid Egg in one specific spot: Slot 23 of Box 2. (Where top-right corner=6th and bottom-left corner=25th.) Therefore, it would be possible to skip the cloning process in your case, given that your Celebi Egg will be found there.

Best of luck, and report back with any further questions.  :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 16, 2014, 04:12:21 pm
Good news: Today I've found out that it is possible to transfer Pokémon with glitch moves to Ruby and Sapphire.
Bad news: You need Pokémon Box: Ruby and Sapphire for the GameCube in order to do so. Attempting to trade from cartridge to cartridge will result in the game crashing as the "Is this trade OK?" message loads.  :P

By taking a Smeargle with the Unonkaana move into Box: R/S from Emerald and from there into Sapphire, I was able to experiment with the glitch move a little bit. It functions differently to how it does in Emerald in a number of ways, though none of them particularly interesting.

As the cursor scrolls over R/S Unonkaana, the game music goes off-key for a fraction of a second. Red patches and square patterns appear on the screen just like with other R/S glitch moves. Entering a contest with R/S Unonkaana will crash the game when it comes to your turn.

Same as in Emerald, R/S Unonkaana changes the battle style once the 'Fight' menu is opened. Here, it becomes a normal, single trainer battle. Defeating a wild Pokémon after this means that you have beaten "PKMN Trainer", who has your character's sprite, with 0 Pokédollars for winning.

If used in a double battle, the Pokémon will cram themselves into the field as it has been 'compressed' into a single battle. Kinda like this: https://www.youtube.com/watch?v=uLO9UN-ytkE

I have a few other glitch moves I could also test out. I might find something interesting, but seeing as this process requires a glitcher to possess the esoteric Pokémon Box: Ruby and Sapphire, it would ultimately be only hypothetical for most people.  :P

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 17, 2014, 03:54:42 am
Good news: Today I've found out that it is possible to transfer Pokémon with glitch moves to Ruby and Sapphire.
Bad news: You need Pokémon Box: Ruby and Sapphire for the GameCube in order to do so. Attempting to trade from cartridge to cartridge will result in the game crashing as the "Is this trade OK?" message loads.  :P

By taking a Smeargle with the Unonkaana move into Box: R/S from Emerald and from there into Sapphire, I was able to experiment with the glitch move a little bit. It functions differently to how it does in Emerald in a number of ways, though none of them particularly interesting.

As the cursor scrolls over R/S Unonkaana, the game music goes off-key for a fraction of a second. Red patches and square patterns appear on the screen just like with other R/S glitch moves. Entering a contest with R/S Unonkaana will crash the game when it comes to your turn.

Same as in Emerald, R/S Unonkaana changes the battle style once the 'Fight' menu is opened. Here, it becomes a normal, single trainer battle. Defeating a wild Pokémon after this means that you have beaten "PKMN Trainer", who has your character's sprite, with 0 Pokédollars for winning.

If used in a double battle, the Pokémon will cram themselves into the field as it has been 'compressed' into a single battle. Kinda like this: https://www.youtube.com/watch?v=uLO9UN-ytkE

I have a few other glitch moves I could also test out. I might find something interesting, but seeing as this process requires a glitcher to possess the esoteric Pokémon Box: Ruby and Sapphire, it would ultimately be only hypothetical for most people.  :P

Nice!

I've been experimenting with glitch moves on my Ruby cart but only got moves that freeze the game when you enter the fight menu, or freeze the game when you use them, or that always miss.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: rortik on June 23, 2014, 07:54:45 pm
Well, you're right...it shouldn't take that many tries.  :???:

You have done the procedure correctly, but there are some small slip-ups that could still happen. Your Seasor's EXP gained may not be suitable for the experience->growth transformation. I don't know what specific values are suitable and which aren't, but if you post that here someone will be able to tell you.

Aside from that, it's possible that you've made other mistakes without noticing. It's worth checking that the Seasor you've cloned hasn't been corrupted before. It sounds silly, but last week I tried 25 times to turn my Dots Nuzleaf into a Celebi, but I later found out that the Dots I was using had its markings altered, a sure sign that I had messed with it previously. This would have changed aspects of its data, possibly including the personality value, making it unsuitable for transformation.

The only other thing I can think of is that, when EV training your Seasor, you may have let Pokérus spread to it unbeknownst to you. This would mean that when Seasor is transformed, the Pokémon in the Egg would not be a Celebi because the EVs you'd given it would be higher than 251. Then again, it seems as though you didn't get an Egg at any point.

If I were you, I think the best thing to do at this stage would be to start over. If you have a cloned copy of the original Seasor without any alterations, I'd recommend re-distributing its EVs and cloning it again. This may sound defeatist and a daunting proposition given how much time you have already devoted, but seeing as you understand the process fully and have done it before, I feel it's the best course of action in this circumstance.

There's one other thing I might add, if you are willing to restart your set-up. So far, every reported successful instance of Glitzer Popping via EVs has left the valid Egg in one specific spot: Slot 23 of Box 2. (Where top-right corner=6th and bottom-left corner=25th.) Therefore, it would be possible to skip the cloning process in your case, given that your Celebi Egg will be found there.

Best of luck, and report back with any further questions.  :)

Started over, same result. I am aware that slot 23 is the slot to check; though I have checked every egg.

My current SEASOR's xp is lv 36, 48262 xp, 2391 till next level. I don't have pokerus on this game, so that's not the problem. Like I said, I never got any egg at all.

I never messed with the thing, I didn't even have it until I learned about this glitch. Some of the ones that are left over that didn't turn into Bad EGGs do have different markings, however.



A question unrelated to my issue: since Box 2, slot 23 is the one to check, couldn't you put the Pokemon only there? Do we really need to fill the first Box/most of the second one?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on June 24, 2014, 04:48:02 am
A question unrelated to my issue: since Box 2, slot 23 is the one to check, couldn't you put the Pokemon only there? Do we really need to fill the first Box/most of the second one?

Yes, that's what I was getting at. There is no need for wide-scale cloning when converting EVs into growth.

Unless the EXP your Seasor has won't work right (I have no idea  :P), then the only obstacle you should face from now on is luck. I do hope it works out for you eventually...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on June 24, 2014, 05:41:48 am
Yeah, the current experience is compatible.

(http://i.minus.com/jbyqb48Mf8DLH6.png)

Sad that the glitch isn't working for you.

Edit: Wait. I may have done something wrong in thinking that the experience affects it. The change is from AGME to MEAG. We want the Horsea to become a valid Egg, so what goes into "IVs, Egg and Ability" may affect it (attack data as it's A->M).

According to Bulbapedia it's bit 30 (when considering the first bit as bit 0) that determines whether a Pokémon is an Egg or not. Follow the conversion and Move 3/Move 4 become IVs, Egg and Ability data. I think then that the second byte of move 4 affects things. Mine is Smokescreen (00 6C), so the second byte is either 00 or 6C depending on how moves are stored, what's yours?

Edit 2: Eh, maybe the move doesn't matter. I tried some different move 4s and still got an Egg. If you give me your full Horsea move details I could check to make sure, though.
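Added example (not from the thread): Python that reads an Attacks substructure as Misc data, to show where bit 30 of the "IVs, Egg and Ability" word lands relative to Move 3 and Move 4. It assumes the 12-byte substructure layouts documented on Bulbapedia and little-endian storage; every move ID except Smokescreen (0x006C) is constructed, and the function names are made up here.

```python
"""Constructed example: the Attacks substructure read as Misc data."""
import struct

IV_NAMES = ("hp", "attack", "defense", "speed", "sp_attack", "sp_defense")
EGG_BIT = 30        # bit 30 of the word, counting the first bit as bit 0
MAX_MOVE_ID = 354   # highest move index in Generation III


def pack_attacks(moves, pp=(0, 0, 0, 0)):
    """Build a 12-byte Attacks substructure: four u16 moves, four u8 PP."""
    return struct.pack("<4H4B", *moves, *pp)


def decode_iv_word(word):
    """Split the 32-bit 'IVs, Egg and Ability' word into its fields."""
    fields = {name: (word >> (5 * i)) & 0x1F for i, name in enumerate(IV_NAMES)}
    fields["egg"] = bool((word >> EGG_BIT) & 1)
    fields["ability"] = (word >> 31) & 1
    return fields


def attacks_as_misc(attacks):
    """Reinterpret 12 Attacks bytes with the Misc layout.

    Misc layout (assumed from Bulbapedia): Pokerus u8, met location u8,
    origins u16, IVs/Egg/Ability u32, ribbons u32. Bytes 4-7 of the
    Attacks data (Move 3 and Move 4) therefore become the IV word.
    """
    pokerus, met, origins, iv_word, ribbons = struct.unpack("<BBHII", attacks)
    result = decode_iv_word(iv_word)
    result.update(pokerus=pokerus, met_location=met, origins=origins,
                  iv_word=iv_word, ribbons=ribbons)
    return result


def egg_flag_location():
    """(byte offset inside the substructure, bit inside that byte)."""
    return 4 + EGG_BIT // 8, EGG_BIT % 8


def any_valid_move_sets_egg(move3=0x0037):
    """True if some legal Move 4 ID alone would raise the Egg bit."""
    return any(
        attacks_as_misc(pack_attacks((1, 1, move3, move4)))["egg"]
        for move4 in range(MAX_MOVE_ID + 1)
    )


def with_bit_set(data, offset, bit):
    """Copy of data with one bit raised (constructed, to show the flag)."""
    out = bytearray(data)
    out[offset] |= 1 << bit
    return bytes(out)


# Constructed sample: Move 4 is Smokescreen (0x006C); the rest is made up.
SAMPLE_ATTACKS = pack_attacks((0x0091, 0x002B, 0x0037, 0x006C))

if __name__ == "__main__":
    misc = attacks_as_misc(SAMPLE_ATTACKS)
    print("IV word: 0x%08X, egg=%s" % (misc["iv_word"], misc["egg"]))
    print("Egg flag lives at byte %d, bit %d" % egg_flag_location())
    print("Any legal Move 4 sets it:", any_valid_move_sets_egg())
    flagged = with_bit_set(SAMPLE_ATTACKS, *egg_flag_location())
    print("With that bit raised: egg=%s" % attacks_as_misc(flagged)["egg"])
```

Byte 7 is the high byte of Move 4, and no move ID up to 354 reaches bit 14 of a 16-bit value, so in this model the choice of Move 4 cannot raise the Egg flag by itself.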
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 26, 2014, 09:49:14 am
This glitch is completely awesome !

I quickly made two boxes of Skitty with Bubble (thanks to the Swarm structure) and 10/20/30 HP EVs, and I quickly fell on some Nidorina / Raticate / Caterpie, which was pretty cool (I didn't see any Zapdos though).

I also looked at the game data to see what events or things could be changed, and here is what I currently found.

-Flying locations :
0x02026D7E
Bit 6 unlocks Fly toward Ever Grande City
However, the Fly location towards Pokemon League can't be unlocked
Other flying locations can be unlocked, but they are towns that are already seen before Fly is obtained.


-Badges :
0x02026D7C
Byte 2 :
Bit 6 unlocks Badge 8
Bits 0 and 2 unlock Badges 2 and 4


Money (0x02025E90) can be reached.


-Event Islands :
0x02026D8C
Bit 0 and 2 unlock Navel Rock access at Lilycove (Ticket needed)

0x02026D8A
Bit 6 unlocks Faraway Island access at Lilycove (Ticket needed)

0x02026E1A
Bit 0 and 2 unlock the Delivery Man with the built-in script for unlocking Southern Island (the other events' scripts are added through Mystery Cards)

MysteryTicket and Old Sea Map having IDs of 0x172 and 0x178, they can be obtained by corrupting TMs 18 and 24 (IDs of 0x132 and 0x138), once deposited in the PC (Rare Items on TM bag tend to crash the game).
You can clone them to keep a copy, as TM 24 is Thunderbolt.


-Battle Frontier Symbols :
0x02026D88 and 0x02026D88
Only 5 Silver Symbols can be obtained, so it's useless

Pyramid Tower Bag can also be altered (starts at 0x02025894)

Data regarding Contests Paintings (the ones which are obtained after winning in Master category)(around 0x02028998) can be altered, adding a Star to the Trainer card.


Every record can be altered, may it be on Trainer card, Contests, Making Pokeblocks, Battle Frontier, or hidden (ex :number of random encounters made).

Thus, the First Hall of Fame Star may be added to the Trainer Card. (a bit useless, as it doesn't count at all, and the Battle Frontier can't be unlocked with the glitch)


-Legendaries / Fix / Given Pokemon :
It has little use on Legendary / Given Pokemon, as they are in majority present at the start, and the bit linked to their flag is raised when they are killed/caught.
2nd Gen Starters can be unlocked. (0x02026F42)
Latios may appear at Southern island instead of Latias (0x02026F46)
Castform (0x02026C82), Kyogre (0x02026CA7) and Rayquaza (0x02026CA8) may disappear.


-Altering Cave : (0x02026E18)
With luck, a Pokemon other than Zubat may appear.

Feebas Tiles and Mirage Island value may be affected.
The Swarm Pokemon can be altered (may it be the Pokemon, the level, the moves, the frequency of appearance, or the route) (If the route is altered by a bit 6 change, the swarm will disappear as a route registered by 4x doesn't exist).


Day Care Pokemon may be affected.
Every item in the Bag or in the PC may be affected. Changes to items in TM/HM slot tend to crash the game.


I'm currently searching for the mechanics behind the respawn at a Pokemon Center, to see where it is, and what locations can be attained if it's corrupted, but I don't seem to find how it's programmed.
I also didn't check the effects on adventure flags, as it's hard to know what refers to the flag, and I doubt that it would be of a great help, as only 3 flags out of 8 may be set on a certain byte, so some parts of an event would end, but not other ones.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 26, 2014, 01:21:32 pm
Those effects are really cool. Could you check to see if the Lilycove Lottery Lady can be altered?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 26, 2014, 02:30:48 pm
Yup, it can, but it has no use.
Almost every element of Pokemon Emerald that uses data can be altered, as addresses for PC Pokemon are among the last ones on the RAM.
But because of the nature of the glitch ; on certain bytes, Bit N°6 or Bits N°0 and 2 are set to 1, doing this on a number whose value is between 0 and 2^16 - 1 (stored in two bytes) has no clear use, as you will only know that two (or one) bits of this number are set to 1, and that's all.
So for numbers, the only useful ones are Money, Identifiers (for items or Pokemon), and quantities (for items), as corrupting Feebas tiles, or your number of Random Encountered Pokemon won't be of any help at all, since it has no effect, or since you cannot use this corruption to determine the value, and make something out of this knowledge.

The fact that one bit is set to 1 or not is useful for events, whose state only depends on a list of bits called flags.
And by testing (or knowing) which event is linked to the flags that are stored in Bits 0,2, and 6 of every Byte (only the ones who are linked to events), we would know the maximal influence we could manually have on the game.

After that, you have basically 1/16 chance that the byte you wanted to alter is altered (the space between each corruption doesn't seem regular, but it's at least 16 bytes between each corruption), and you would also need the right corruption between the two possible.
Knowing the address of the byte you want to corrupt gives you a timing to respect each reset, so corrupting a certain byte does seem doable.

So the data I'm searching in is : Badges, Symbols, Fly locations, Special events, Legendaries availability, story events, Last Pkmn Center visited.

The first ones were easy to see, but for the last ones, story events, and Last Pkmn Center, I haven't completed my search on them, as I made myself another couple of boxes of Bubble Relicanth, to see (and play with) Eggs.

I haven't read the posts about item corruption yet, but corrupting money, filling Bag slots with 99 of a certain item, and waiting for an identifier corruption seems a good option (for Rare Candy especially, whose identifier is 0x44, and the item with a 0x04 identifier is the Poké Ball)(for MysticTicket, it's TM18, and Old Sea Map, it's TM24).
It is also possible to corrupt the Battle Pyramid Bag (corrupting the quantities would be great), but since you have to enter back to see the effects of your corruption, it's not reliable at all.

And as for the normal Eggs I've obtained, none of them were on the 23rd spot, box 2.

So to recap on what I tried :

Useful :
-Badges : 8th Badge (0x02026D7C)
-Fly Location : Ever Grande City (without Pkmn League) (0x02026D7E)
-Special Islands :
Navel Rock and Faraway Island unlocks (need the Tickets) (0x02026D8C)
Southern Island event (0x02026E1A)
-Contests : Master Contest Wins (may add a Trainer Card Star) (0x02028998)
-Altering Cave : Aipom  (0x02026E18)
-Other events :
2nd Gen Starters at Birch Lab (0x02026F42)
Putting Latios in Southern Island (0x02026F46)
-PC and Bag items and quantities (0x02025E98)

Non useful :
-Fix Pokemon :
Losing Castform, Kyogre, or Rayquaza
-Chances of corrupting TM/HM Bag
-Lots of tiny thing that won't be of any use

Non tested :
Story events
Last Pkmn Center visited

I also didn't measure the time needed to go at these addresses, but since I know where they are, this won't be hard to do.

EDIT :
I confused myself a little bit with Aurora and Faraway Island, and the TM identifiers, and I also tested the bits.
So if these bits can be corrupted with the Pomeg Glitch, Navel Rock and Faraway Island will be accessible if you have the Maps in your bag. And these Maps can be obtained by corrupting TMs 18 (Rain Dance, 0x132) and 24 (Thunderbolt, 0x178).

EDIT 2 :
voltage, I have a question for you.
I've tried numerous times to alter the bytes linked to Faraway Island and Navel Rock, but I've encountered some kind of issue ; only half of the bytes seem to be able to be corrupted, and these bytes are the left bytes of every word when I use VBA's Memory Viewer in 16-bits, as you can see here :

(http://www.pixenli.com/images/1403/1403825312085360000.png)

The strange fact is that the Mystery Card flag is on a byte at the right of a word, so I can't reach it.
But voltage was able to do it. So I'd like to know how you did the glitch, as I don't seem to be able to change the fact that I can only corrupt "left" bytes, and not the right ones.
And this annoys me, because the main things I wanted to change were bits on "right" bytes, like item identifiers or these particular bits (I won't be able to alter some other useful bits as well).

Maybe this can't be done on emulator, my version of VBA is at fault, or my save (I have a somewhat strange save regarding RNG), I really don't know, but I'm glad that someone else was able to perform it ; at least it's doable.

For those who want to try, I gave myself the Old Sea Map, and the MysticTicket, so I'm only checking if the bits unlocking the islands can be altered. To attain the 0x02026D8A area, you have to go up for 14 seconds.
The Delivery Man bit for Eon Ticket is in the same area, so it may be altered as well.

EDIT 3 :
That may sound stupid, but I didn't check how far I could go with the glitch, and I saw VBA freezing just after the area managing the events (around 0x02026CD2), which is under the Bag and PC data.

Is there a way to go further ?
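Added example (not part of the original posts): a small Python model of the corruption pattern described in the post above, one byte OR-ed with either bit 6 or bits 0 and 2, applied to little-endian 16-bit item identifiers. The sample RAM, the function names and the reading of the viewer's "left" byte as the high (odd-address) byte of each halfword are assumptions; the item IDs are the ones quoted in the thread.

```python
"""Constructed model of the one-byte corruption pattern described above."""
import struct

# The two patterns reported in the thread: bit 6, or bits 0 and 2, set to 1.
MASKS = {"bit 6": 0x40, "bits 0 and 2": 0x05}

# Item identifiers quoted in the thread.
ITEMS = {
    0x004: "Poke Ball", 0x044: "Rare Candy",
    0x132: "TM18", 0x138: "TM24",
    0x172: "MysticTicket", 0x178: "Old Sea Map",
}


def corrupt(ram, offset, mask):
    """Return a copy of ram with mask OR-ed into the single byte at offset."""
    out = bytearray(ram)
    out[offset] |= mask
    return bytes(out)


def read_u16(ram, offset):
    """Read a little-endian 16-bit value (GBA byte order)."""
    return struct.unpack_from("<H", ram, offset)[0]


def outcomes(value):
    """Every result of corrupting one byte of a 16-bit field once."""
    ram = struct.pack("<H", value)
    result = {}
    for byte_name, offset in (("low", 0), ("high", 1)):
        for mask_name, mask in MASKS.items():
            result[(byte_name, mask_name)] = read_u16(corrupt(ram, offset, mask), 0)
    return result


def ways(src, dst):
    """Which (byte, pattern) pairs turn the 16-bit value src into dst."""
    return sorted(key for key, val in outcomes(src).items() if val == dst)


def sweep(ram, high_bytes_only=False):
    """Try both patterns at every byte of an array of 16-bit item IDs.

    Returns (offset, pattern, old item, new item) for each corruption that
    turns one known item into a different known item. high_bytes_only models
    the case where only odd addresses (the high byte of each halfword) are hit.
    """
    hits = []
    for offset in range(len(ram)):
        if high_bytes_only and offset % 2 == 0:
            continue
        field = offset & ~1  # start of the halfword containing this byte
        old = read_u16(ram, field)
        for mask_name, mask in MASKS.items():
            new = read_u16(corrupt(ram, offset, mask), field)
            if new != old and old in ITEMS and new in ITEMS:
                hits.append((offset, mask_name, ITEMS[old], ITEMS[new]))
    return hits


def settable_flag_bits():
    """Bit positions within one byte that the two patterns can raise."""
    combined = 0
    for mask in MASKS.values():
        combined |= mask
    return [bit for bit in range(8) if (combined >> bit) & 1]


# Constructed sample: four consecutive item-ID halfwords.
SAMPLE_RAM = struct.pack("<4H", 0x004, 0x132, 0x138, 0x044)

if __name__ == "__main__":
    for hit in sweep(SAMPLE_RAM):
        print("offset %d, %s: %s -> %s" % hit)
    print("odd addresses only:", sweep(SAMPLE_RAM, high_bytes_only=True))
    print("0 -> 16384 via", ways(0, 16384))
    print("flag bits reachable in one byte:", settable_flag_bits())
```

In this model every useful item change needs bit 6 on the low byte, while a counter that starts at 0 becomes 16384 only when bit 6 lands on the high byte.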
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on June 26, 2014, 07:32:02 pm
I'm sorry I'm new at this, but I've been messing around with this Glitch in Emerald for the hell of it.

So far I've noticed:

Pokemon:
- Glitch Nicknames
- Glitched Markers
- Egg Named Teddiursa (I assume that it's a pokemon that got changed into a good egg which hatched into a Meganium)
- decamark bad eggs (you can battle with them but fight freezes the game?)

Trainer Card:
- Modified Money (Goes from 999849 -> 499849) I'm assuming some bit is flipped. I have a BCS but this isn't a strong suit of mine
- Modified Linked Contest Wins (set to 999)
- BP
- Linked Battle Wins
- Game Time (999:28)

(Can we assume anything that can be modified in the Trainer Card can be modified?)

Items:
- Random item quantities in bag and pc are changed

If you press up enough you'll get pokemon in your boxes for a status screen. That's what all of the decamarks / bad eggs are near the end (and possibly why its easier to see those status screens)

I should really start my own Emerald file to see more effects. This save has a bunch of crap in it.

Glitched Nickname on Abra:
(http://puu.sh/9LLzH/d0ae04c4ef.jpg)

Glitched Marks on a Bad Egg
(http://puu.sh/9LLGA/45c3d6fb9b.jpg)

Teddiursa
(http://puu.sh/9LLYk/5fd9748c13.png)

Glitched Meganium crashed the screen because it had some glitched moves (froze after this)
(http://puu.sh/9LM92/8fbd762aa3.png)

Bag Quantities
(http://puu.sh/9LMp5/ceda971246.png)

Battle Points
(http://puu.sh/9LN36/4321d7ffce.png)

Will edit with more stuff.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on June 26, 2014, 11:23:37 pm
@Metarkrai: I'm actually unsure partly because I don't know which attempt activated that flag.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 27, 2014, 05:01:48 am
I made more attempts to try to go at the highest corruptible address, and now I think I know why my game froze in the flag area, and not higher.
And I think that's because I'm French, and my Rom too, as I tested the glitch on a US Rom, and the game froze higher than the PC items area.

Here's a comparative video I made of the glitch between FR and US roms :
https://www.youtube.com/watch?v=muaQglJUl5Y

In the French Rom, the cry of the ? Pokemon is Electrike's, whereas in the US Rom, it's Slowpoke's.

This surprised me because US and EU Emerald Roms have only few differences (they have nearly no differences between RAM addresses, but if I remember correctly, some ROM addresses are different), so I don't see why US Emerald can go further than EU Emerald.

But due to my exams, I don't have the time to transfer my save to my cartridge, and test it on console (maybe the difference will disappear, and I'll be able to corrupt my bag on my FR Version).

Also, even on a US Rom, the corrupted bytes I had were the left ones in every word, and I don't see what could change this fact.
I'm just using a basic US Emerald with VBA, and no cheats activated (the Anti-DMA prevents RAM addresses from moving, and will give you a single corruption pattern, so it's not useful at all).

So if someone can corrupt the right-word bytes, and repeat this, I would need to know how you did the glitch, because the right-word bytes are the most interesting ones for event / item corruption.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on June 27, 2014, 06:50:14 am
Did you guys know you don't need to actually go into the status screen for this to work? I was looking at the memory viewer and data was being changed as I scrolled up.

So I chained this a few times and it seems that:

- Pokemon modified are the first 53 Pokemon in your boxes (54th is always blank / removed?)
- You can scroll up higher after each time running this which possibly (?) allows you to modify other things.
- One time, I removed wild encounters (so you couldn't find any wild pokemon).
- I also was able to change the Trainer's name.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on June 27, 2014, 07:35:14 am
Yes, but in order to access cursor positions FF and up you need to view the summary of one of your party Pokémon first.

Edit: At least with 5 Pokémon/2 Pokémon set ups.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 27, 2014, 07:49:51 am
I'm sorry, but I don't understand what you're saying by "don't need to go into the status screen" ?
Because if I don't see the status screen during the battle, I can't glitch the Cancel button, and corrupt data by scrolling up.

I also didn't understand very well your idea of scrolling higher by doing something, as every time I perform the glitch, the game freezes just after 0x020256F8 (the last area where I see corrupted data).
And the main data for the save file is between this address and PC Pokemon data, so nearly every mechanism can be altered.

For your wild encounter removal, I think that you corrupted Repel steps, leaving it activated for 1280 or 16384 steps, as the step counter used in AR codes to remove them is located at 0x020375D4, which is far too high, and corrupting it does nothing.
There's maybe another value that can prevent encounters under certain conditions, but I would rather bet on Repel activation.

You can also alter Swarms data (around 0x02028590 once the mass outbreak is seen), as Swarms Pokemon are oddly generated ; instead of a fixed list of swarm Pokemon, one can choose (via memory viewer) the Pokemon, its level, its location, its %, some other things (maybe), and its moves.
So the moves addresses can be corrupted, giving glitched moves to the Pokemon (I tested some corrupted Pokemon identifiers, but the game freezes at the start of the battle)(if the location is corrupted, the Swarm won't show up anywhere).



AR codes for Swarms :
You will need to activate the Anti-DMA first, and go through a door, before activating the code.
Don't forget to deactivate it before glitching again. (Disable it, Click on Disable Cheats, Save, Close VBA, then open it up and launch everything, that'll surely deactivate the Anti-DMA)

Skitty Swarm : (Push R to see the Mass Outbreak)

Seedot Swarm : (Push R to see the Mass Outbreak)

Remove the Swarm (Push L+R) :
B6C5368A 08BE8FF4
8CFFC87D CCAC9AD6



EDIT :
Kraust :
I confirm, the thing that removed wild encounters was the Repel. So taking a Sweet Scent Pokemon would be a good idea for someone who wants to corrupt events / Bag items / PC items.


EDIT 2 :
I found a way to corrupt FR games as far as US games. To do this, you need to set up the glitch with 3, 4 or 5 Pokemon (1 with ?35 HP, 1, 2, or 3 KOs, 1 alive), and not 6 Pokemon.
I don't know why, but with the 6 Pokemon set up, FR games will freeze earlier.
So that's good, I can at least corrupt up to items with my FR Emerald.

But, looking again at the corrupted bytes, I saw that not only were they the left bytes of every word (with 16-bits Memory Viewer), but the left bytes of every double word (with 32-bits memory viewer).
I made a dozen consecutive corruptions, and all the corrupted bytes were the left ones of every word (I did it with both FR and US roms).

Here's the comparison between uncorrupted file and corrupted file :
(http://www.pixenli.com/images/1403/1403884459066707000.png)


So, as the addresses tend to move, and as there seems to be 32 different sets of positions (I looked at the 10 byte of the left Memory Viewer screen and made ~200 in and outs of the Pokemon Center to see all the different positions it could have), and as each set will give a certain corruption on certain addresses, there would only be 32 different corruption patterns. (on emulator at least)
This hypothesis goes well with what I saw with my boxes of Bad Eggs, as with a certain set of guinea pigs, I always saw (and remembered) 4-5 corruption patterns in the Boxes that appeared frequently.

The sad thing is that with left byte corruption only, no Bag or PC item can be corrupted (only quantities), and there will (maybe) be really few useful events that will be able to be corrupted. About the ones that I listed previously, Special Islands Events, Altering Cave and Badges aren't compatible, but the Fly Location towards Ever Grande is.
For Swarms, only two moves can be corrupted.
Berry bushes can't be corrupted.


But this shouldn't be true for everyone, as voltage had corrupted its Mystery Event Delivery, so the mystery is still on (I'd really like to obtain a completely legit Old Sea Map and go fight Mew on my Emerald).

There's also a memory area managing climate that makes the game freeze if we enter into a zone with a certain climate (it froze on Route 123 for me) while it's corrupted. I'll try to find where this area is.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on June 27, 2014, 10:11:20 am
Yes, but in order to access cursor positions FF and up you need to view the summary of one of your party Pokémon first.

Edit: At least with 5 Pokémon/2 Pokémon set ups.

Sorry, I wasn't specific enough. After you activate this and get the half lit cancel button you can just scroll up and you don't need to view any more status screens to change anything.
(Which probably isn't new, but it was new to me).

Completely Related, I just spawned here after whiting out:
(http://puu.sh/9MxB8/22f8c8aed5.png)

So that confirms you can actually change the spawn location with this.

(I'm uploading a video right now)
https://www.youtube.com/watch?v=kq7S2QNDYd0


I have no issues corrupting above 0x020256F8 after doing it a few times.
My method:

1. Activate the requirements for getting this glitch to work.
2. Get into a wild battle
3. Go check a status screen to activate the glitch
4. Go down to the half lit button
5. Press up for a while (right until it freezes usually)
4. Back out + Run (White out)

I then repeat 2-4 a few times without resetting my game -usually- after the 3-4th time I can go up almost indefinitely. I'm not sure how far up things change but

(http://puu.sh/9MzHt/397eadec01.png)

I do have stuff above 0x020256F8 changing.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 27, 2014, 11:42:58 am
Well, Kraust, thanks to your question and to Torchickens' answer, I know what made my game freeze during the corruption process.
It's the number of Pokemon in the team.
On a FR (or EU I think) rom, if you have 5 Pokes (6 at the start of the glitch), your game will freeze around 0x02026CD2
Else, it will freeze around 0x020256F8

On a US rom, if you have 5 Pokes (6 at the start of the glitch), your game will freeze around 0x020256F8
Else, it will not freeze (I used the acceleration, but no freeze showed up).
And the corruption shows up around 0x , then I don't see any trace of it, even if I can still go up.

I also found the addresses which manage the respawning location :
They are : 0x02025A22 (entrance on the map) and 0x02025A1C (map)
But, as only 0x02025A22 is on the left side of a double word, it is generally the only one that's corrupted.
And as there are 10-20 entrances on a single map, the entrance 0x40xx or 0x05xx sends us far away in the spawning map.

But, as corruption can only change one bit on a word / double word (if it is corrupted), we can't warp to everything.
Here are some Map IDs that could help for warping, if one is able to corrupt other bytes than the left one of every double word.

Oldale Town : 0A00 (would send to Pacifidlog)
Pacifidlog : 0F00
Fallarbor Town : 0D00 (would send to Ever Grande, League Pokemon side)
Ever Grande City : 0800


EDIT :
I tested all the possible warp corruptions, and only these two are useful for a speedrun. There are few others that teleport to some Battle Tents, but that doesn't help, and the majority of the warps send you in a black wall.

I even fell on a Shiny Latios during my tests, and the capture was amazing !
This dude resisted at every one of my 502 Balls, and I was forced to throw a Master Ball to catch it !

(http://img15.hostingpics.net/pics/987850PokebaseEmeraude005.png) (http://img15.hostingpics.net/pics/482934PokebaseEmeraude004.png)


I also saw that my Timer Balls didn't seem to function (it always got out of them instantly, and I had 62 of them), so maybe after a certain amount of turns, their catch rate becomes undefined (when I used them, the battle was already over 1.000 turns).
If anyone has information about this fact, I'm interested, as I counted on them and their high catch rate to be sure to not throw the Master Ball, so I was a little bit trolled on that part.
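The "left byte of every double word" observation from the posts above, as an added example that is not part of any original post: a Python check that diffs two memory dumps and reports which byte of each aligned 32-bit word changed. The two dumps are constructed sample data built around the 0x02025A22 / 0x02025A1C addresses and the 0x40 / 0x05 values quoted in the thread; the function names are this example's own.

```python
import struct
from collections import Counter


def diff_dumps(before: bytes, after: bytes, base: int):
    """Return [(address, old_byte, new_byte)] for every byte that differs."""
    if len(before) != len(after):
        raise ValueError("dumps must cover the same address range")
    return [(base + i, b, a)
            for i, (b, a) in enumerate(zip(before, after)) if b != a]


def lane_report(changes):
    """Count changed bytes by position inside their aligned 32-bit word.

    The GBA is little-endian, so lane 3 (address % 4 == 3) is the most
    significant byte: the one a 32-bit memory viewer prints leftmost.
    """
    lanes = Counter(addr % 4 for addr, _, _ in changes)
    return {lane: lanes.get(lane, 0) for lane in range(4)}


def only_leftmost_byte(changes):
    """True when every changed byte is the leftmost byte of a double word."""
    return bool(changes) and all(addr % 4 == 3 for addr, _, _ in changes)


def halfword_view(changes, before, after, base):
    """Show each change as the value a 16-bit viewer displays at that spot."""
    seen = {}
    for addr, _, _ in changes:
        hw = addr & ~1                      # aligned 16-bit address
        off = hw - base
        old = int.from_bytes(before[off:off + 2], "little")
        new = int.from_bytes(after[off:off + 2], "little")
        seen[hw] = (hw, old, new)
    return [seen[k] for k in sorted(seen)]


def constructed_sample():
    """Constructed 16-byte window starting at 0x02025A18 (not a real dump)."""
    base = 0x02025A18
    before = bytearray(16)
    struct.pack_into("<H", before, 0x02025A1C - base, 0x0A00)  # map word
    struct.pack_into("<H", before, 0x02025A22 - base, 0x0011)  # entrance word
    after = bytearray(before)
    after[0x02025A23 - base] = 0x40   # high byte of the entrance word
    after[0x02025A27 - base] = 0x05   # high byte of the next double word
    return bytes(before), bytes(after), base


if __name__ == "__main__":
    before, after, base = constructed_sample()
    changes = diff_dumps(before, after, base)
    print("lanes:", lane_report(changes))
    print("left byte only:", only_leftmost_byte(changes))
    for hw, old, new in halfword_view(changes, before, after, base):
        print(f"0x{hw:08X}: {old:04X} -> {new:04X}")
```

Run against two real dumps of the same address range, a non-zero count in lanes 0 to 2 would be the counter-example the thread is asking for.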
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: rortik on June 28, 2014, 09:37:16 pm
Yeah, the current experience is compatible.

(http://i.minus.com/jbyqb48Mf8DLH6.png)

Sad that the glitch isn't working for you.

Edit: Wait. I may have done something wrong in thinking that the experience affects it. The change is from AGME to MEAG. We want the Horsea to become a valid Egg, so what goes into "IVs, Egg and Ability" may affect it (attack data as it's A->M).

According to Bulbapedia it's bit 30 (when considering the first bit as bit 0) that determines whether a Pokémon is an Egg or not. Follow the conversion and Move 3/Move 4 become IVs, Egg and Ability data. I think then that the second byte of move 4 affects things. Mine is Smokescreen (00 6C), so the second byte is either 00 or 6C depending on how moves are stored, what's yours?

Edit 2: Eh, maybe the move doesn't matter. I tried some different move 4s and still got an Egg. If you give me your full Horsea move details I could check to make sure, though.

I'll give you all the information on it:


SEASOR/HORSEA
OT/SKYLAR
IDNo46285
Swift Swim
Brave Nature, obtained in a trade.
Male, level 36
48262 XP, 2391 until next LEVEL

Moves, in order:
Water Gun
Surf
Smokescreen
Leer


Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on June 29, 2014, 09:28:57 am
It should work eventually. Don't know why it's not working for you.

You might just be really unlucky. I'm sorry to be of no help, but all I can suggest is to keep trying (without reloading a state from within battle), make sure your Seasors actually have EVs, make sure they were never corrupted before, and try as many as possible, with one in that spot that seems to be the only one that works so far (slot 23 of box 2).

I have a question for anyone experienced with how Pokémon Emerald works:

Is it possible for the first (technically last) byte of a writable personality value to never be writable after a certain point? Because Metarkrai describes a problem where only the leftmost byte of a word (possibly the first byte of a dword) is writable.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 29, 2014, 02:04:49 pm
Torchickens : I don't think this fact (only the leftmost byte of a double word is corruptible) can be changed on emulator.
It's maybe different on cartridge, there's no evidence of the corruption of another byte from what I read.

I first thought that voltage's Eon Event Activation was a counter-example, but I was wrong, as any change to the word 0x02026E1A (or the left part of the double byte 0x02026E18) causes the appearance of the delivery guy (I first thought that there was a flag, so I only tested 0001 to see if he would appear, but it doesn't seem to work like that).

You can, for example, look at Kraust's Memory Viewer, and you'll see that every corrupted byte (the ones with the 4 and 5 in general) are all the left ones of an even row, so the leftmost ones of a double word.

Also, every change brought to the in-game events, data, or items goes along with this idea.
For example, I didn't see any corrupted bag item, nor a corrupted respawn map location (only the position was corrupted, but not the map).
For the records corruption, it's either a quantity higher than 65.535, or 16.384, or 1280 (16.384 and 1280 will appear for certain records only, like BP if I remember correctly), as records are almost all stored in double words, and are not affected by the encryption mainly used for bag items quantities (the encryption removes with the Anti-DMA).
The only fly location that was removed was Ever Grande City's.

I don't know what this fact implies for the Pokemon's data corruption, but it's really limiting the possible abuse of this glitch for a run.
The useful things left are : unlocking Ever Grande flying location, corrupting bag item quantities (good for Master Ball / Rare Candy abuse), unlocking Southern Island Event, unlocking 8th badge, corrupting the Swarm moves to have glitch moves, corrupting Money and records (BP especially).

There may be some story events that could be skipped thanks to the glitch, but here's only the useful things left from what I searched.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on June 29, 2014, 02:14:02 pm
I haven't seen it corrupt the right part of the word yet. Typically it corrupts the left byte with a 4 or the right with a 5.

The question is where is the value coming from? If we find that out, I think we'd have a better shot at triggering certain effects.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on June 29, 2014, 07:42:05 pm
Kraust: Are you sure that was actually a warp and not just a tile error? I had the same thing happen several times but with trees, but if I activated Walk through walls and walked out I actually was in the right spot, the tiles on screen when I appeared there were just messed up.

Metarkrai: Good to see someone still putting in work into this glitch. I'll admit I don't 100% understand everything (I'm dumb) but from what I can see a speedrun would ideally go something like:

Pomeg as soon as you get to Fortree, corrupt swarm Pokemon's moves but not location to give a glitch move resulting in Instant victory.
Also do a corruption that changes the Fly location of Ever Grande to available (is it possible to switch this on? I've had it switch off before but never seen it go on)
Also have a corruption flag Badge 8
Power through to badges 6 & 7 with glitch move, and then Fly to Ever Grande, and power through endgame with glitch moved Pokemon from Swarm.

Maybe?? I don't know how any of that would be even remotely consistent at all but it looks like the best "theory" at the moment??
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on June 29, 2014, 08:06:08 pm
Well 0x02025A22 seems to be corrupted (well it's around 0x02025A22 memory seems to jump around in the dump) I'm assuming it's the entrance tile but you guys had the issue with spawning in a bunch of tree tiles before (how did you tell you weren't spawning in a wall?)

The spawning in trees did happen when I tried to run this glitch from Fortree as far as I remember. I'll look into it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 30, 2014, 02:35:49 am
werster : For Kraust's case, I think that the last Pokemon center he visited was Ever Grande's, and he corrupted the address for spawning entrance (not map) location, which made him spawn into the sea (and also stuck).

Spawning in trees or water will always happen with the corruption of the spawning entrance, as its identifier will for example go from 0011 to 4011 or 0511 (for Oldale Town), and the value is far too high to be affiliated with some element on the core of the map (a real building entrance, an NPC, or near a wall), so we're teleported into the extremes of the map, and stuck there.

I also didn't read everything about the instant battle glitch, so I don't know what kind of moves trigger it (and what are the best Pokemon / Evs / Moves to use to obtain them quickly), as for swarms, only certain glitch moves can be obtained (like 4021, 0521, 40D5, 05D5 for Skitty).
Furthermore, the swarm has to be triggered, and I don't know how this trigger works (it seems to be a daily event, so one would need to check every day if a swarm outbreak spawned or not), but I don't think you would be able to pull one in a speedrun (as it's linked to daily events).
Obtaining a certain glitch move would be quicker with the usual Boxes corruption, because having a Swarm is long.
I don't even think you can get a Swarm before ending the game, but it may be possible as I don't really have data over their generation (contrary to the structure).

Your strategy seems good, as it is possible to activate or deactivate a bit with the corruption, so making Ever Grande flying location available is possible (I did it while mass corrupting).
The potential threat would be the freezing on weather zones, as we don't know for now where the addresses that cause this freeze are, and if a corruption for obtaining Ever Grande or the 8th Badge could also alter this address (there is little chance for this, but it could happen).

Also, the event I should look for is the Wailord removal at Lilycove, as it is a major block for accessing to Badge 7.
Also, Badge 7 may not be useful, as the game doesn't check if every badge has been obtained, but only if important badges were obtained (6th and 8th badge I think), so the 7th badge may be skippable.

In return, I think that an issue could arise from this strategy, as Waterfall is needed in Victory Road (if I'm not wrong).
So we would also need a strategy to quickly obtain a Pokemon with Waterfall.
And, do Bad Eggs who know a HM can use them ?


EDIT :

So yup, only Badge 6 is needed (8th Badge isn't even needed).
But Waterfall is needed, so the 8th Badge is needed for something.

Bad Eggs apparently can't use HMs. I tested for Surf, and if you push A in front of the water, you hear a sound (the same as pushing A during a text), but no textbox appears.

EDIT 2 :
Okay, I'm also an idiot, as I forgot that I previously said that 8th Badge was on the right word on a double word, so it can't be corrupted.
It may not be true on console, but I highly doubt it, sadly.
So yeah, there will need to be several Glitzer Popping sessions, as during the story, there are health refilling events (1 or 2 I would say).

Also, when obtaining Pomeg Berries (I don't know how much you have, 6-7 being enough), here is how I see things :
Glitzer Popping to obtain Bad Egg with useful Glitch Move, then beat Fortree Gym Leader, then teach Fly, deposit Bad Egg, Revive Swampert, do another Glitzer Popping to obtain Ever Grande Flying location.
Then, surf to Mossdeep, get Dive, beat the Gym Leader.
Teach Dive, and go to Sootopolis.
Then go to Lilycove (I think that on Wailmer's right side, you would still be considered in Lilycove), Fly to Lilycove, Buy Fluffy Tails (if you need them to flee during the Victory Road or at the League).
After that, you would need to stick with the story, so Mt Pyre, Magma Hideout, Aqua Hideout, ..., get to Undersea Cave (it may also be faster to access it from Ever Grande, who knows), get Waterfall, get 8th Badge, go to Ever Grande, do Victory Road, then League.

I'll search about event corruption, to see if some trainers or other things may be skipped, like one hideout, or something like that.
Also, Swampert would need to have a sufficient level (and sufficient HP EV, but with 1-2 HP Up found on Routes 111 and/or 116 and other EV lowering Berries, it should be enough) to lose 2 HP with one Pomeg.
So you would maybe need to wait to make the first Glitzer (the earlier being the best, so before Fortree, after Fortree Gym, at Lilycove, or after Mt. Pyre).

If there aren't enough Pomeg or HP Up to repeat Glitzer Popping enough times, you can use your first two tries to duplicate Pomeg Berries and HP Up. This is also useful in the way that you can kill lots of birds with one stone, because the corruption has several patterns (I would say 32), so it is possible to place the Pomeg Berry or the HP Up (or another item like Rare Candy / Master Ball) on a certain place (Bag or PC) to get them corrupted with a pattern that would also corrupt something else, like Ever Grande Flying Location, Money, getting a good Bad Egg, or another in game event.
It is also maybe possible to corrupt 2 item quantities or more, and corrupt another interesting data, as there would be enough PC item and Bag item addresses to do so. It would then require lots of puny items to put the useful ones on precise places, but this would still gain time, as you would reduce the number of needed Glitzer Popping (requires time for set up + success).


So now, I'll go check the story flag corruption.
Glitzer Popping will unfortunately not be as speedrun breaking as we thought earlier, but it would still save a good amount of time.


EDIT 3 :

Okay, so I've looked at the events, and here's what I found.
I still haven't searched for everything, as I would need saves during all the tiny Magma/Aqua events to see if the corruption combined with some other flag can end everything.
I only looked at the direct effects of the flags on events.

Corruptible events :
Mt Chimney Magma Grunt (one that blocks the way towards Lavaridge)
1st Grunt of Meteo Center
1st Grunt of Mt Pyre

Archie in front of Sootopolis Gym (0x02026CD4)
Sootopolis Arena Door (0x02026C80)

So yeah, you've read it right, you can directly unlock Sootopolis Gym and go fight the Champion without having to bother about Teams Aqua/Magma.

But, and there's a big but, the two main issues are for Dive and Waterfall.
Dive is given by Steven when you beat Team Magma at Mossdeep. And that Team Magma is triggered by our win at the Gym, so Dive is easy to obtain.
The double Battle with Steven should be checked to see if it's skippable with the same Bad Egg.
Thus, we can go to Sootopolis, go to the Gym, wreck the leader, and obtain the 8th badge. (Archie isn't needed since its sprite appears at Sootopolis once you awakened Kyogre, but since you skipped Mt Pyre, Aqua Hideout, Magma Hideout, Underwater Cave, you're sure to not see him there)

The only thing left is getting Waterfall.
Waterfall is given by Wallace when Rayquaza after Groudon and Kyogre are tamed, so you have to clear underwater Cave, Magma Hideout, and Sky Pillar to obtain it.
And for underwater Cave, I don't know exactly what triggers it (what removes the Aqua guard from it), as getting Dive after preventing Team Magma from stealing fuel didn't unlock it, so maybe cleaning Aqua Hideout is also required. (I'm not sure of it, I need to test more)
But, getting the 7th Badge removed every Aqua guard in the Hideout, and as I mass cheated to test it, I'm a little lost (I also have all the badges, and all the flying locations, which may influence some little things).

There's another method to obtain Waterfall, and that would be obtaining it with a corrupted Pokemon.
The identifier corresponding to Waterfall is 7F, which corresponds to Pinsir.
Pinsir is at 5% in one of the Northern Zones of the Safari Zone, so it's maybe a gain of time to get the Pokeblock Case, make 2 Pokeblocks (for increased chances of capture), go to Safari Zone, catch one or two, and try to glitch him into a Pokemon that would know Waterfall, and the thing would be done.

So I have to know what are the requirements for unlocking Underwater Cave (Beating Team Magma at Mossdeep doesn't seem enough, Aqua Hideout is maybe needed), and if beating Mt Pyre + Aqua Hideout + Underwater Cave + Magma Hideout + Sky Pillar is longer than Making 2 Pokeblocks + Going to Safari Zone + Catching Pinsir (1 or 2) + Glitching it into a Waterfall Pokemon.

It is also possible to glitch Silcoon for Dive, but as there are few Team Magma grunts at Mossdeep, it isn't a gain of time.


EDIT 4 :
Beating Aqua Hideout + Team Magma at Mossdeep doesn't make the grunt go away.
So, there's another thing needed to activate his flag, and that may be clearing Mt Pyre and/or watching Team Aqua steal the submarine.
Also, the byte at 0x02026D12 can alter the last Aqua Hideout grunt, making you unable to "clear" Aqua Hideout (the Wailmer won't go away).

And there are enough Pomeg Berries to make Glitzer Popping for a run, so there's no need to corrupt their quantities.


EDIT 5 :
Yes !
I finally found a viable route !
I was blocked at the Undersea Cave because I used a cheat to have all HMs, and I needed to go to Steven's house to receive HM 08 to remove the grunt, so I thought of some inconceivable triggers where there was only a simple thing to do.
Then, things went smoothly, as I beat everyone, unsealed Kyogre, went to see Rayquaza, who cleared the issue, and Sootopolis Gym doors opened !

To sum up a little my attempts, here's the route that one can use with Glitzer Popping :
Make the way up to Route 119 / Route 123 for Pomeg Berries. (6 of them on each location).
Prepare in the PC some Pokemon that, when corrupted, would give Bad Eggs with a move corrupting the battle style for random encounter style, allowing fleeing.
Have a Swampert (the Pokemon with the upper level, and the most HP in the party) with enough HP EV and enough levels to work for Glitzer Popping.
Use Glitzer Popping to corrupt the PC Pokemon and obtain a desired Bad Egg.
Beat Fortree Gym.
Teach Fly to a Pokemon.
Do Glitzer Popping again to unlock Ever Grande City flying location (there may be a way to gain time and do it before corrupting PC Pokemon, and I'll search on this)(and this is a NO, as you have to reset and the reset needs a Glitzer set up).
Fly to Ever Grande City, then go at Mossdeep.
Beat Mossdeep Gym.
Start beating up Team Magma at Mossdeep, then revive your Pokemon for the double battle, as you have to select Pokemon to launch it, so I don't really think you can do it with a fully KO team (I'll also search on this).
If you revived your team, KO it again, and Glitzer Popping.
Take Dive, and teach it.
Go to Undersea Cave, beat it.
Go to Sootopolis.
Go to Cave of Origin, then go to Sky Pillar (Flying to Ever Grande might be faster)
Wake Rayquaza up, let him restore peace.
Go peacefully to the 8th Gym, with Waterfall HM in your bag. Beat it.
Go to Ever Grande. Beat Victory Road. Beat League.

Thus, you would need to set up Glitzer 3 times in a run.
The best area for Glitzer Popping is Oldale, so once Fly is obtained, you would need to Fly to Oldale to make it, as you would gain time over your resets for Ever Grande Flying location.
HP Up that can be found in Routes 111 and 116 might be useful for this (don't know if Route 111 HP Up can be directly accessed though).
One would also need a strategy for the Double Battle with Steven with a weak Swampert.

Skipped areas :
Route 121
Lilycove City
Aqua Hideout
Magma Hideout
Mt Pyre


My wonders are :
Can we also glitch the battle with Steven ?
Can we do Glitzer Popping for Ever Grande Flying Location First ? As you don't have to relaunch it once you did it right.
But the answer is : It isn't useful, as I didn't think about the console factor : you can't launch savestates.
So even if you did Ever Grande Flying Location first, you would need to make a save point to reset for a good corruption pattern after that. And this save means setting Glitzer Popping up again, so yeah, this point seems done.
So there's no real wonder.


I don't know if the corrupted Pokemon will be enough to flee from every battle, or if Fluffy Tails will be needed (before Mossdeep, a turn towards Lilycove would be needed, but nothing really long).
Lilycove Shop is also useful for buying HP Ups, if a last one is needed.

I also worry about one bad thing that can happen with Glitzer Popping, which is the possible disappearance of the TM/HMs, but I'm looking into it. I think that the corruption of bytes in the TM/HM memory area causes this glitch, as the game will see an item with a quantity and no identifier, and since the TM/HM bag uses instant arrangement, it makes the other TMs unreachable with the pointer (but they're still in the bag).
So for the ones interested in corrupting item quantities, I recommend you to store all your TMs into your PC, and to teach your HMs to lots of Pokemon (or keep a save / savestate by hand). If you use a cheat to fill up your TM/HM bag, I don't think that this bug would appear.

This wouldn't be bothersome on speedrun as the address for Ever Grande Fly is below bag items.


Unlocking Flying towards Ever Grande City :
Address : 0x02026050
You need to maintain up for 13 seconds to attain the address.
Once the screen turns blue, you are just a dozen of bytes above, and you can stop.


I made some tries with Swampert to see what would be the required level for a 2 HP loss.
Mine had 3 HP IV, and it gained 2 HP one time at Lv 38 (it went from 125 HP to 127 HP with the second HP Up).
So, the level nearly matches the level of a Swampert around Fortree (it's a little higher, but only 3-4 Levels of farming would be required).
I'll try later with a 30/31 HP IV Swampert, as this kind of IV is clearly identifiable with a Lv 5 mudkip, and could decrease the level of the first 2 HP Loss. HP Ups would then be useful to trigger another 2 HP Loss, and there are 2 available on Routes 111 (requires Surf) and 116 (hidden zone of Rusturf Tunnel), so this is perfect for a 3 Glitzer Popping use. More HP UPs could be bought at Lilycove for the 3rd Glitzer if needed.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on June 30, 2014, 04:03:11 pm
You only need to drop 1 HP, 2 isn't required. As long as you faint the Pokemon in question after you deposit all alive Pokemon including the last one you used in battle, it works as required, so HP isn't an issue.

The main "theory" that would be faster, is if you could get a good Egg with a glitch move that allowed you to skip battles, so you could use it for Mossdeep Gym and the Steven Double Battle (Mainly Mossdeep Gym) - If you didn't do this, both of these fights would be extremely hard, mostly the Mossdeep one, since by the time you start Glitzer popping, you really only have a Marshtomp at 34 if done correctly. You can obviously Rare Candy to 37 or so, and it's winnable (I already routed this fight), but pretty long.

In regards to Waterfall... 127 EVs is a really bad number to work with, since you can't just get there through Vitamins. How about a more classical approach, Goldeen can be caught up to Level 30 (via Surfing, pretty rare, but Good Rod isn't too bad) and learns Waterfall naturally at Level 38. That might be a bit of a stretch with regular Rare Candies, but I'm pretty sure you can corrupt Rare Candy values making that task pretty easy? If you still went the Safari Zone route, you can catch level 35 Goldeens in there, along with Level 40 Seakings (who learn it at 41) with the Super Rod, meaning you wouldn't have to rely on that corruption.

Edit: In regards to instant victory glitch, there are several glitch moves that do this in a number of different ways. Some turn it into a Birch battle that you can Fluffy Tail from, some a Wild Battle you can just run from, and some turn it into a Palace/Arena hybrid. But the best one simply just ends the battle as soon as you cancel out of the attack move. I don't know what ID it is since idk how to look at that garbage (and my save editor won't show it =() but here's a savestate that has a Bad Egg with the move:
https://dl.dropboxusercontent.com/u/23821687/EmeraldIVGBadEgg.sgm
Emulator used: VBA-RR v24 snv461

As far as I can tell, that's the golden move. If you could get that onto a regular Pokemon somehow for the double battles...mmm
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 01, 2014, 03:59:29 am
Oh! Thanks for the advice, I didn't think at all that the normal glitchy killing with Pomeg would be enough, that simplifies things.
As I am on emulator, I directly edited my Pokemon HP so I could at will be with a full KO team or not.

I also thought that there wouldn't be any Pokemon that would normally learn Waterfall (I thought that only Salamence + Rayquaza would learn Fly, and that's all).
I looked a bit at the encounter tables, and yeah, the fastest way is Super Rod on Safari Zone, as there are:
40% Goldeen 25-30
40% Goldeen 30-35
15% Seaking 30-35
4% Seaking 35-40
1% Seaking 25-30

Chances of capture :
Goldeen : 70.66% / 79.61% (with Pokeblocks)
Seaking : 36.17% / 58.62% (with Pokeblocks)

With this, you can easily have a high level Goldeen / Seaking, and Rare Candy / train it.
I don't exactly know how many Rare Candies you can get during such a run (and not use on Marshtomp / Swampert before Fortree), but 4-5 would be great, as it would be directly possible to Level Goldeen up to Lv 38.

Glitzer is interesting, but time consuming, as with Rare Candies in your Bag and PC, you would have 2/32 chances to have a corruption pattern that would corrupt the Rare Candies quantity.
I don't really know how long it takes, but 1 Battle + going to Pkmn Center to Deposit + another Battle + 17 seconds of corruption + faint + check bag and PC, that would be around a minute (roughly).
So you may need 15 minutes to obtain the corruption you want, which is time consuming.

For Rare Candies, there are 2 of them in Route 120, 1 in Route 123, 1 in Mt Pyre, 1 in Route 132, 1 in Route 119, 1 in Route 111.
The fastest to obtain seem to be : Route 120 (2 of them), Route 111, Route 123, Route 119 (need Acro Bike), Mt Pyre.

For Route 111, this one could be taken during the run, as there are no trainers to face.
Then, while going to see Steven for Devon Scope, the first one on Route 120 can also be taken.
Once Fly is acquired, the Route 119 one can also be taken (or it can be taken while going to Fortree if the Acro Bike was already taken).
I'm hesitating a bit about the fastest route from there, between Mossdeep - Lilycove by Surf, or Fortree - Route 120 South, but I think Fortree - Route 120 South is faster.
Thus, you could go from Fortree (once badge acquired) to Route 120 south to get the Rare Candy (2nd one, or 3rd one if Acro Bike was already taken). There are 2 choices here :
Route 123 (Rare Candy) - Lilycove (Pokeblock Case + Shop) - Fly to Oldale + Glitzer + Fly Location Ever Grande + Fly Ever Grande + Mossdeep (Super Rod + Gym + Double) - Change for Acro Bike + Take Route 119 Rare Candy (if not already) - Fly to Lilycove - Safari Zone (a break is needed to take Super Rod)
or, you directly go to Lilycove, make your way to obtain Pokeblock Case + Super Rod, and at the end, when going for Safari Zone, you go to Route 123, take the Rare Candy, and go to Mt Pyre to take a 5th Rare Candy, then Fly to Lilycove and go back to Safari Zone or go directly back to Safari Zone (I don't know which one is faster : climbing down Mt Pyre or Flying to Lilycove and taking Route 121 again).

Thus, you could go fishing for Goldeen/Seaking with 4-5 Rare Candies, and you would need 3 Glitzer for the run (Obtain Bad Egg - Ever Grande Fly Location - ReTake Bad Egg after Steven Double Battle + Open Sootopolis Gym Doors ) instead of 4.
Ever Grande Flying Location and Sootopolis Gym Doors are the Glitzer that would require the longest time.




EDIT :

I thought about it again, and I found a way to shorten this, and corrupt Rare Candies, so the one at the North of Route 120 can be picked if you need one (really quick to obtain)(need Cut).

I tried to obtain Sootopolis Gym Door and Ever Grande Fly Location corruption, to look at the rest of the corrupted data.
Ever Grande Fly Location :
4th Bag item quantity corrupted (can't tell about quantity because of quantity encryption)
4th PC item quantity corrupted (?85 if there was originally 1)

Sootopolis Gym Door :
2nd Bag item quantity corrupted (can't tell about quantity because of quantity encryption)
2nd PC item quantity corrupted (?81 if there was originally 1)

Thus, you can corrupt Rare Candies quantity along with one of these two events, et voilà.
You can also corrupt Repel or other little things if you think you'd lack something during the game (as I don't think you're winning money with glitched battles).


But now, I'm hesitating about catching Goldeen in Safari Zone, as :
1st case :
You take Good Rod in Route 118, and you fish on Petalburg for a 20% Lv 10-30 Goldeen. Make it so it's stored on the PC.
Before fighting Team Magma, you take it, and level up.
Everstone would be a good pickup to speed up the levelling (luckily, there's an easy one in Granite Cave).
After that you can go to Sootopolis, and make the final Glitzer.

2nd case :
You take Super Rod at Mossdeep.
Once Team Magma is done, you surf to Lilycove, take Pokeblock Case, go to Safari, Catch a :
40% Goldeen 25-30
40% Goldeen 30-35
15% Seaking 30-35
4% Seaking 35-40
1% Seaking 25-30
You give them an Everstone, and you fill them up with Rare Candies.

Then, you fly to Lilycove / Mossdeep, go to Sootopolis, and make the final Glitzer.


I'm hesitating about the time needed to level up a Lv 20 Goldeen to Lv 30, and the time to go to Lilycove, and to Safari Zone, but I think that 10 Rare Candy levels are faster.


Also, I don't know if there are other corruption patterns that would corrupt PC and Bag item quantities the same way (with the same glitched quantities for PC items), but this could be a good indicator in order to know if the Sootopolis Gym Door corruption worked or not.


I've also looked for the Pokemon corruption, to see if there would be some Pokemon that would tend to corrupt into useful Bad Eggs.
In the savestate werster gave, the Bad Egg is a corrupted Tentacool. And the glitch move replaces Bubblebeam.
So I've caught a dozen Tentacool, and at the second try, I got a convenient Egg.
But since you're on console, this would be the longest threat for the run, as you'd need to catch 6-7 Pokemon maybe, of a certain species (or not, mass experiments would be needed to see if Moves of Pokemon identifiers have any kind of influence), to obtain some Bad Eggs, and test some of them in one reset. You can only test a maximum of 4 Bad Eggs in a single reset, as you can't change them in the PC.
To do so, you have to do a 2 Pkmn Glitzer (2 Pkmn remaining), withdraw the 4 Bad Eggs, and once one is tested, swap it with another Bad Egg, as the Pokemon shown in battle is the one at the place where the last alive Pokemon seen in battle was.
The game may freeze with a Bad Egg, so you won't be able to test 4 Bad Eggs every time.

I am also testing with another Pokemon learning Bubblebeam : Marill, as it's easier to find one with the said move while surfing.

But I don't know what causes the move to be replaced by such a glitch move, and this may come from other things, so I'm just trying to see if the moves have some influence over it.

And this kind of glitch is pretty cool, since you also instantly flee from every battle, trainer or wild, so you'll only need repel in order to not be annoyed when surfing across the seas.


Thus, here's the actual route strategy :
During the run, get Pokeballs and catch 6 Lv 21-27 Marill on Routes 102 or 117. (4th slot Bubblebeam seems to generate Instant Win Bad Eggs quickly).
Get Everstone in Granite Cave.
Get Good Rod at Route 118.

a) Get Pomeg Berries at Route 123 and make Glitzer n°1 at Mauville to get a desired Bad Egg. Then climb up to Fortree.
b) Climb up to Fortree, then Get Pomeg Berries, and make Glitzer n°1 at Fortree (faster Glitzer, but Rival + Meteo Center fights)

( a) seems faster since only few Glitzer (5-6 I would say) are needed to obtain an Instant Win Bad Egg, and the time difference between going to Route 117 grass from Mauville with Bike and going to Route 119 grass from Fortree isn't high).

Get a Rare Candy on Route 120.
Beat Fortree Gym.
Fly to Petalburg to fish for a 20% Goldeen (pray for a >Lv 20 one). Be careful of not putting it into Box 1/2.
Fly to Oldale. Put Rare Candy in PC Slot 4. (Bag Slot 4 is faster, but I have things about item quantity corruption to look at).
Put Repel in Bag Slot 4. (So you'll have enough for the rest of the run).
Do another Glitzer until Ever Grande Fly Location is unlocked. Rare Candy quantity should be corrupted.
Fly to Ever Grande. Surf towards Mossdeep.
Beat Gym.

a) Start beating Magma Team, and stop before the double fight.
Revive Marshtomp/Swampert.
Take Goldeen into team, give him Everstone.
Rare Candy Level up time for Swampert and Goldeen.
Finish Magma Team.

b) Revive Marshtomp/Swampert.
Take Goldeen into team, give him Everstone.
Rare Candy Level up time for Swampert and Goldeen.
Beat Magma Team.

(5 Grunts are in the way, and Swampert may need more levels to beat them + the double battle)
(instead, flying towards Pokemon Center / running/biking to it isn't that slow )

Pick Dive HM. Teach it.
Surf towards Sootopolis.
Fly to Oldale.
Do another Glitzer for Sootopolis Door Corruption.
Get Bad Egg back to work.
Beat Sootopolis Gym.

Beat Victory Road.
Beat Pokemon League.


If you want to corrupt Bag and PC item quantity, you need to hold Up (just after closing Pokemon Summary) for at least 17 seconds. (in 17 seconds you're into PC items quantity corruption), so time 18.5-20 seconds to be good.
For Sootopolis Gym Door, you'll need to hold Up for 13 seconds, so time 14.5-16 seconds to be good.


EDIT 2 :
So yeah, using a Pokemon with Bubblebeam in last slot gives in few tries a Bad Egg that induces instant battles.
I saw two kinds of instant battles :
-ones where once you push B, the screen fades and the battle is ended
-ones where if you choose Run, the game will say that you forfeited the match, and the battle is ended

The second effect isn't what you seek for speedruns, as it seems that if the Bad Egg is too slow (slower than the opponent I think), you'll only be able to forfeit on the 2nd turn. But if you're hurt during the first turn, the game will see that you have no Poke, and you'll black out.

In my tests with 15-20 Marill, the ones who made the best results were the ones who already had Bubblebeam as their last move (Lv 21-27), whereas the others were a bit slower to corrupt as Instant Win Bad Eggs, and they were also more frequently turned into Bad Eggs that would make the forfeiting message appear.

Furthermore, Marill are extremely easy to find and catch : you can go to Route 102 or 117 (not Petalburg, as the encounter rate is too low) to find them. Depending on the side you take once Surf is acquired, you'll go near one of these Routes.
I think that 6 Lv 21-27 Marill should be good, as you can test 4 eggs at each reset, and 6 Marill should give 3-4 Bad Eggs in general.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 01, 2014, 12:35:28 pm
I think you're overcomplicating the problem with getting Rare Candies when you can just get Rare Candies by random corruption and seeing what slots get frequently corrupted and switching your Rare Candy to that slot. One time running it successfully should be more than enough.

This does require a lot of items in your item bag for a higher chance of some bytes corrupting, and a chance at your entire berry and TM bags from emptying however.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on July 01, 2014, 12:45:40 pm
I think you're overcomplicating the problem with getting Rare Candies when you can just get Rare Candies by random corruption and seeing what slots get frequently corrupted and switching your Rare Candy to that slot. One time running it successfully should be more than enough.

This does require a lot of items in your item bag for a higher chance of some bytes corrupting, and a chance at your entire berry and TM bags from emptying however.

All TMs and berries 'lost' to corruption seem to re-appear whenever a new item is put in that slot. In fact, I think that even taking a TM/berry from the PC would undo the effect for you.

Quote from: A guy called Bob Udo commenting on one of the glitch videos
I have tried this, but unfortunately I haven't managed to turn my Vaporeon into a Mew yet. All I get are Bad Eggs, no normal ones. But when I took one of the bad ones into my party and started a fight against a random wild Pokémon the Latias I had already caught once before showed up. When I checked its IVs it turned out that it's exactly the same one. It seems like my try to get a Mew has reactivated this event.

I don't think this corruption of the roaming Pokémon has been documented yet.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 01, 2014, 12:49:25 pm
Just a little note about the ideal Instant Victory Glitch, I also managed to get it off the Marshtomp right as you enter Fortree. This savestate is pretty much a "what you would have" up to that point in the speedrun normally as well, with Ice Beam gotten from Abandoned Ship. Its moves were Strength/Ice Beam/Mud Shot/Surf
https://dl.dropboxusercontent.com/u/23821687/EmeraldMarshIVG.sgm

In regards to the Marills, were they separately caught, or duplicated? My biggest worry doing this run real time was always that it was going to be majorly dependent on the substructure order and that the Personality Value was going to be too random to work, but if several worked and they were all caught separately, so you can get that move independent of the PID, that's wonderful! I'll look into it more over the coming days I'm sure.

Quick little thing about the theory route, if you're using a Bad Egg you also need to revive before Tate & Liza, since that's also a double battle, so you'd probably fight the Mossdeep grunts normally too, as those double battles are only separated by I think 7 other Pokemon.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 01, 2014, 02:29:02 pm
Kraust :
Yup, at first, I thought of overcomplicated stuff, before thinking about corrupting quantities.
But, there doesn't seem to be some kind of more frequent pattern, well, for the attempts I've made so far.
I would hypothetically say that there are 32 different corruption patterns, and that they only depend on the movement of addresses, which is completely random, so every pattern should appear randomly.
To get a specific corruption pattern, like Ever Grande or Sootopolis Gym Door, it took me around 10-20 tries with other things (not really relevant, as I didn't do more than 5-6 successful corruptions).

I also don't know if two corruption patterns can affect the same bits of the same byte, so if some of you are trying to obtain Ever Grande Flying Location or Sootopolis City Gym, check if the quantities of respectively the 4th and the 2nd item of your bag is corrupted.


VaeporSage :
Thanks for the tip, that's really useful. I thought that my TMs would be lost forever (or before the code activation).

I know where roaming Pokemon data is stored, so I can look a bit at it, to see what was corrupted and brought the roamer back to life.
If I remember well, there is a bit that manages the roamer, and that is set when it's killed. But only corrupting its HP may be enough, as roamer's data is limited to status, remaining HP, location, PID, IVs, Poke, LV, there's no real Pokemon structure stored somewhere, so it may even be possible to alter the roamer a little bit (if the species was corrupted, I think the new roamer would crash any encounter, as it was the case for swarms when I tested it).


werster :
Thanks for the savestate, and for the advice.
As for Mossdeep, I always went to Navel Rock to catch Ho-Oh and Lugia and beat Tate & Liza, I didn't think of it as a battle where you need at least 2 alive Pokemon.
I would say that only 5 grunts separate the two double battles, as two of them seem skippable, but that may be 6 or 7, as I'm using a walk through walls cheat to directly go to the stairs.

For the Marills, and 4-5 Tentacool, I didn't clone them, to see what would happen in normal conditions, and I was able to corrupt all the Pokemon knowing Bubblebeam in 4th position. Once they worked, I released them to see if the others could be corrupted for Instant Win Bad Eggs.
But I released some of them too soon, as when I found the "fainted" Instant Win, I didn't know that it's based on the Bad Egg speed (I was trying on the first youngster on Route 102), so I considered them as corruptible Pokemon.
For my last attempt, I counted, and it took me 6 resets to correctly corrupt one Marill out of the 6 I had caught.
It seems that the moves count, as when I corrupt my Marill, I get a limited amount of glitched moves, even though they are different Marill.
I also looked at some Bad Eggs coming from my Boxes of Shinies, but the glitched moves are completely different and I'm not getting what I want.
Also, it seems that Pokemon who don't have 4 moves are harder to corrupt. That may only be an impression, but that's the feeling it gave me.

For Marills, my longest attempt before obtaining a successful Instant Battle Bad Egg was 7 resets, on a little bit more than 18 Marills (I have more than 6 Marills to be sure of having 4 Bad Eggs, and every successful Marill is released, and when I'm low on Marills, I go catch other ones). But since Marill has a catch rate of 190, it's not that big of a deal to catch one.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 01, 2014, 02:56:42 pm
In regards to the roamer: I actually just had a Latias show up in the water before I even triggered her the first time. Nice.

In regards to the TMs/Berries disappearing, I can't seem to get them back. I just tried to do a second Pomeg, so I got another one from the Berry Master and it's still blank. I'm not sure how to restore these, am I missing something obvious?

Bubblebeam: That's great, so it's probably just based off the move as suspected. I wonder if there's an easier one than Bubblebeam, since I think Ice Beam was the one that got it to work on that Marshtomp, if a move like Rock Smash or something similar worked would simplify the catching process (though I'm 99% sure Rock Smash does not work)

One more thing, why not set the Sootopolis Gym and Ever Grande flags at the same time (along with getting the IVG move)? Seems possible to scroll up past 6, check bag and see slot 4 is corrupted, go back to Pokemon and scroll up past 6 again and then see slot 2 is corrupted as well, and simultaneously getting the desired Bad Egg too?

Edit: <_> Just double checked, you don't need Waterfall for Victory Road, it just makes it faster. Any reason you can't just set the Ever Grande flag, get bad egg with Instant Victory and storm through to Elite Four?

Edit 2: I must be understanding the flags wrong, I was under the impression that if you saw the 4th item value corrupt, that the Ever Grande Fly Location would be set, but I just corrupted slot 4 in my bag, and I still can't fly to Ever Grande. (In fact it actually gave me the tree pattern back at Fortree upon reload) Does that mean you just have to keep doing it till it works?

Edit 3: Hmm, this may be because I'm getting the wrong amount, I just did it again and the amount in the Box was x?81 rather than x?85 as stated above. I just assumed it could only go to one value.

Edit 4: Nevermind, just got x?85 in slot 4 and can not Fly to Ever Grande. =(
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 01, 2014, 04:18:46 pm
The tree pattern means you corrupted the map entrance, That's what we found out after I got the stuck in water tiles thing a page back.
I don't think the corruptions are fixed like you're saying, the problem is that they're highly irregular and there could be a dozen different factors to consider.

The only ways to know for sure that you're setting that flag would be to check the fly locations after battle or to actually look at the memory viewer.
Is there a Ram Dump that actually lists all of these addresses? I was trying to figure this out because I honestly don't know how to otherwise.


I think I might start an Emerald game and get to Fortree. I remember it takes forever however.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 02, 2014, 12:28:37 am
werster :
Once you're in battle, the position of the addresses is fixed, so you can scroll up, push B, and scroll up again, the second scroll will only follow the traces of the second, so nothing would happen.

And yeah, if Waterfall isn't needed for Victory Road, you just need the 6th Badge, and you'll be able to enter the League.

Also, your tests helped, as you saw that there may be a corruption for 4th PC item quantity, even if Ever Grande Fly Location isn't enabled.
I indicated the quantity to see in the PC as ?85 as the two possible byte corruptions don't give off the same quantities in decimal as well.
But what would help most would be trying to obtain Ever Grande Fly location and see if the 4th PC and Bag item quantity is always corrupted when Ever Grande is. The 3 times I looked for it, I got this result.
To check if you did the Ever Grande corruption, you have to check your fly map.

When I got Ever Grande Fly Location corruption, it also corrupted the Map Entrance, which gave me little issues to check what exactly was corrupted.
But I'll try this some more times today.


Kraust :
Well, as what I saw, the corruptions don't seem that irregular.
There may be different patterns appearing upon reset (I'll check that, as for now I use savestates), but when I'm doing Pokemon corruption, there are frequent patterns of Bad Eggs that are corrupted the same way as before that appear, which is a clear mark of a certain pattern that repeats itself.
Also, while looking at flag bytes, I saw that the corruption depends (and may only depend on this) on the position of the addresses (the ones that can move can have 32 different positions), so that's why my thought was that there were 32 corruption patterns.

For Memory Viewer addresses, I have a little file that I made myself that gives some addresses, and starting from this point, I navigate to the addresses I need, so for flags for example, I only have some addresses detailing their location, and once there, I pinpoint the flag I want to study myself.
Also, the Anti-DMA is really useful to compare the values of a certain address between two savestates without it being a mess, as the movement of some addresses forces you to take marks to see where the address you were watching went, and that can be a bit annoying.
I also use AR codes to have the location of other flags, like Flying location, Badge location, records location,...
And for my tests on the effects of flag corruptions, I generally overcheat to move to the desired location / event without any issue (with the walk through walls code, teleport codes, or fly everywhere code).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on July 02, 2014, 12:51:54 am
And yeah, if Waterfall isn't needed for Victory Road, you just need the 6th Badge, and you'll be able to enter the League.

Aren't there NPCs in front of the league entrance that check for 8 badges?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 02, 2014, 10:09:57 am
werster :
Once you're in battle, the position of the addresses is fixed, so you can scroll up, push B, and scroll up again, the second scroll will only follow the traces of the second, so nothing would happen.

Yeah, figured that out myself after a bit of testing afterwards, was just being hopeful. Luckily this doesn't matter now, should only have to do it once.

Also, your tests helped, as you saw that there may be a corruption for 4th PC item quantity, even if Ever Grande Fly Location isn't enabled.
I indicated the quantity to see in the PC as ?85 as the two possible byte corruptions don't give off the same quantities in decimal as well.
But what would help most would be trying to obtain Ever Grande Fly location and see if the 4th PC and Bag item quantity is always corrupted when Ever Grande is. The 3 times I looked for it, I got this result.
To check if you did the Ever Grande corruption, you have to check your fly map.

Alright I guess I'll just keep trying then. Seems like the odds are really wide to get this to work then though, as though in a run it could take several hundred times. For reference, here's a savestate that has the exact corruption mentioned, except not Ever Grande, in case there's some other requirement: https://dl.dropboxusercontent.com/u/23821687/Emeraldwhy.sgm

Aren't there NPCs in front of the league entrance that check for 8 badges?

Those people are there, but they only check for Badge 6, assuming you have to get all the other ones (which is the laziest crap)

Edit: Just got the fly to Ever Grande. Slot 4 is not corrupted. It was in fact slot 10 that got corrupted when I was allowed to Fly there (however, it was my 5th attempt, and corrupted slots 1, 6, and 12 prior to that, but I found that irrelevant)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 02, 2014, 10:33:29 am
So I just made it to Fortree on a new save and started up this glitch again.

Cool thing I noticed was that if the Pokemon you switch into to activate the pomeg glitch only has 1HP you white out after the battle. I could probably make a video of this. It was weird.

And second thing I noticed was that I was running into wild pokemon on the route west of Fortree and the game froze (assuming right before a battle). This is something I haven't seen before.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 02, 2014, 10:50:07 am
werster :
Were you able to obtain Ever Grande Fly Location on the last savestate you've given ?
As I've tried, and it seems that on the large patterns, some "interferences" can happen, and some corrupted bytes might not be corrupted sometimes (depending on the value of other bytes).
And that's the case for Ever Grande Flying Location.
There's a little byte that seems to alter the corruption pattern, and it avoids the Fly Location bytes when it should be their turn.
And there, the corruption you did for Swampert also counted, as you corrupted bytes far beyond Pokemon Boxes.

Thus, if you have a save that would be like a normal run, at Fortree, but without the first Glitzer, I could try to see if Ever Grande Flying location can be corrupted, or see what bytes seem to be a threat, and how they could be managed, as I and some other people were able to corrupt this address, with games completed or not.

This is a little strange though, as lots of other addresses are easily corruptible, but the structure of the near values are annoying us.


Kraust :
If you had tried some corruptions, I think the game froze because you made a fight with a Pokemon with an identifier of 40xx or 05xx.
It may have been a roamer, or a swarm, but since you're on a new file, it may be a roamer (if the "died" bit isn't activated, and if there is an identifier for a roamer, I think the game may activate it)(and it's easy to check if a roamer is in the place).

But see if you can obtain Ever Grande Fly location with corruption.
You can look at your fly map, or near 0x02026D24.
The byte has a value which is approximately 07DF8F87, so once you see it, you can follow it (since it only has 32 possible locations), and see how it can be corrupted. Also, the corruption will be (nearly) the same for a same position of the values, so if this value has the same place as during another attempt, you're nearly sure that it won't be corrupted.
I'm using "nearly" because if you're mass corrupting on a single savestate (without resetting), you may obtain some slight corruption changes on certain values, so, who knows.
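
The alignment step described in the post above (follow a block that can sit at one of 32 positions, then see which bytes changed), as an added Python example that is not part of the thread or any poster's tooling. Only the count of 32 positions and the word value 07DF8F87 come from the post; the 4-byte spacing, the little-endian layout, the buffer offsets and both memory snapshots are constructed assumptions.

```python
import struct

POSITIONS = 32        # from the thread: the movable data has 32 possible positions
STEP = 4              # assumption: neighbouring positions are 4 bytes apart
MARKER = 0x07DF8F87   # word value quoted in the thread
BASE = 0x40           # constructed: lowest possible start inside the sample buffers
REGION_LEN = 64       # constructed: size of the block we track
MARKER_REL = 16       # constructed: where the marker word sits inside the block


def make_region():
    """Constructed reference block: filler bytes with the marker word inside."""
    region = bytearray((i * 37 + 11) & 0xFF for i in range(REGION_LEN))
    struct.pack_into("<I", region, MARKER_REL, MARKER)
    return bytes(region)


def make_snapshot(region, shift, flips=()):
    """Constructed RAM slice: the block placed at BASE+shift, with bit flips."""
    data = bytearray(region)
    for rel, mask in flips:
        data[rel] ^= mask
    buf = bytearray(256)
    buf[BASE + shift:BASE + shift + len(data)] = data
    return bytes(buf)


def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def locate(snapshot, reference, base=BASE):
    """Try every candidate position and return (shift, differing_bits).

    Matching on bit distance instead of equality still finds the block
    after a few of its bits, including bits of the marker, were corrupted.
    """
    scored = []
    for i in range(POSITIONS):
        start = base + i * STEP
        window = snapshot[start:start + len(reference)]
        if len(window) < len(reference):
            break  # candidate runs past the end of the dump
        scored.append((bit_distance(window, reference), i * STEP))
    if not scored:
        raise ValueError("snapshot too short for any candidate position")
    scored.sort()
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        raise ValueError("ambiguous alignment: two positions match equally well")
    distance, shift = scored[0]
    return shift, distance


def diff_aligned(snapshot, reference, base=BASE):
    """List (relative_offset, old, new, xor_mask) for every changed byte."""
    shift, _ = locate(snapshot, reference, base)
    start = base + shift
    changes = []
    for rel, old in enumerate(reference):
        new = snapshot[start + rel]
        if new != old:
            changes.append((rel, old, new, old ^ new))
    return changes


REFERENCE = make_region()
CLEAN = make_snapshot(REFERENCE, shift=20)
# Same block at another position, with one bit flipped inside the marker
# word and one bit flipped elsewhere (constructed corruption).
CORRUPTED = make_snapshot(REFERENCE, shift=72, flips=[(17, 0x04), (40, 0x80)])

if __name__ == "__main__":
    print("clean:", locate(CLEAN, REFERENCE))
    print("corrupted:", locate(CORRUPTED, REFERENCE))
    for rel, old, new, mask in diff_aligned(CORRUPTED, REFERENCE):
        print(f"  +0x{rel:02X}: {old:02X} -> {new:02X} (xor {mask:02X})")
```

Offsets in the result are relative to the start of the block, so they stay comparable between snapshots taken at different positions.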
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 02, 2014, 11:06:44 am
Well I was manually checking to see if I could fly to Ever Grande, and I didn't see it pop up.

I'm starting to think that the patterns are seeded when you first activate the pomeg glitch (specifically when you switch to the alive Pokemon before you deposit it). There seem to be way too many oddities on how If I save my game for example (and reset) after I activate the glitch I have to do it again to send out the Decamark.

So, I'm probably going to throw my Pomegs into my PC, use beyond the sixth slot a few times and then save + reset before setting up the Pomeg glitch again and seeing if I'm getting different results.

(Although I was able to get every stat on my Trainer Card to corrupt this time through, it was harder to get map entry corrupted and name corrupted which is something I could do frequently on my other save file).

tldr (Because I tend to be bad at explaining)

I want to:

activate the Pomeg Glitch
access beyond the sixth slot a few times to corrupt as much data as possible
save my game + reset
activate the Pomeg Glitch again (Because it's not persistent)
access beyond the sixth slot a few more times and see if I can finally get the Ever Grande Fly flag to flip.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 02, 2014, 11:33:48 am
Yeah I eventually got the Ever Grande flag with that setup, just in a different battle. I just did 5 battles in a row, and the 5th one got me the flag.

The stupidest part now, I feel like, is going to be the fact that the ideal time to set the flag would be before you can use Fly (right before Fortree, you don't have the 6th Badge yet). Perhaps for ease of convenience, considering there seems to be no reliable check if you got the flag or not without actually checking, you should do it after the Gym (and faint all other pokemon while you're in there) and, if you're super lucky, get Swampert down to 1 health too. (or potentially just low health, and maybe lower it down catch Marills or something similar to increase the chance of an IVG Bad Egg. Getting poisoned from Oddish is the most consistent, but obviously not quite as optimised)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 02, 2014, 03:06:45 pm
Oh, so you got a corruption, great!
This seems to go along with Kraust's idea, since when I tried to obtain Ever Grande Fly Location on your file with savestates, I didn't succeed.
So, resetting would have an impact on the corruption patterns. I don't really see why, since there's no real thing that would vary from one reset to another.

Else, corrupting Ever Grande before getting a convenient Bad Egg would save time, but it wouldn't be secure, as you would have to continue your run with the belief that the corruption worked.

As you have to corrupt the data many times in a row (without resetting), the fastest way is before the Bad Egg, but you have to save for the Bad Egg as you don't have tons of Pokemon to corrupt, so this isn't viable.
You have to make two glitzer for this to work, but the second will be faster to set than the first, as you only have to revive two Pokemon, give EVs to one (if he didn't have them), and put it to 1 HP.
So you could maybe catch a puny Pokemon with enough Base HP to gain 1 HP with a HP Up (if you can easily and quickly find one), as it would be faster to put him down to 1 HP (it would be a Pokemon with enough HP, and with a good Base Speed, so you can flee from battles in order to control the damage you're taking quickly), and you can then Glitzer again for Ever Grande Fly Location.
So, 2 Revive (+1 HP Up) + getting 1 Pokemon to 1HP would take 1-2 minutes, considering the capture of a frail Pokemon (Abra or some other Pokemon could maybe do the trick).

Marill is also useful for being at 99% at wild, with a high catch rate. The useful levels diminish the real % of useful Marill, but it's still really high.
It still may work better for some other Pokemon (and moves), but the setup for all the Glitzer is for now good.
It still needs optimization and real situation tests, but the saved time is here (yeah, I'm not really familiar with techniques bringing a Pokemon to 1 HP, since you don't have many possibilities at this point in the run).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 02, 2014, 04:31:15 pm
I got it to work shortly after making my post about it. It's definitely something you have to reset for.

My other idea was to corrupt the quantity of some Rare Candies and use Swampert to solo Victory Road + Elite 4. It shouldn't be that difficult being that he's Swampert and he'd be Lv 100.


That's what I was going to do with this Glitch anyways. All I did was get to Victory Road

(http://puu.sh/9UfMR/05dcbe9fee.png)

Here's the save: https://dl.dropboxusercontent.com/u/66465223/Stuff/evergrande.SAV
The only issue is that the TM and Berry pouches are wiped / corrupted and you can't add anymore to them. I need to run this again so that doesn't happen.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Pawny on July 02, 2014, 04:40:45 pm
My other idea was to corrupt the quantity of some Rare Candies and use Swampert to solo Victory Road + Elite 4. It shouldn't be that difficult being that he's Swampert and he'd be Lv 100.

Wouldn't you use the rather common bad eggs with instant victory moves for this instead?

(EDIT: actually I forgot you'd not have any poké at the box by then. But maybe it's more viable to try to corrupt the few pokés you have than glitching Rare Candies)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 03, 2014, 01:15:08 am
Kraust :
If you try to corrupt Rare Candies, there's a really good chance to corrupt TMs / Berries pockets, as their addresses are below other items' addresses.

But since Waterfall isn't needed for Victory Road, there aren't many trainers left to fight (Fortree Gym + Victory Road + League), so your idea of a Lvl 100 Swampert is good. I don't know exactly how long it would usually take to catch 6 Marill, and make 4-5 resets in order to wait for a corruption, but it seems a few minutes slower than levelling Swampert to me, and the time gained with these fights may not be enough to make the difference.
Theoretically, the Bad Egg style is faster, since you would need 1 Pokemon, and 1 corruption to obtain an Instant Win Bad Egg, but that's the theory.

The issue with Rare Candy corruption would be, as you said, Berry pouch corruption, as we don't want it to happen, since you corrupt Rare Candies before Fortree Gym, and Ever Grande after Fortree Gym.
Expecting to have obtained Ever Grande before having the Fly map would be a great run killer, so that's not a good point.

Instead, I thought of something (for Bad Eggs at first) that could work well to set up another Pomeg Glitch, but I was wrong.
Thus, I'm still searching on the fastest way to bring a Pokemon down to 1 HP.
I thought of using a frail Pokemon that would gain 1 HP with a HP Up, so getting him to 1 HP would be faster than Marshtomp/Swampert, and we could use him for Pomeg glitch (Swampert would take the role of the healthy Pokemon).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 03, 2014, 04:31:03 am
Well for the issue of getting a Pokemon down to 1 HP - Do we encounter any Pokemon that learn Endure before Fortree? You can probably get a Vigoroth and raise it to Lv 25 so it learns Endure. I know that I had my Swellow at that level due to getting doubles XP at that point.

As for the Rare Candies vs Glitch Pokemon. If you're able to get the Bad Egg then by all means that's probably the faster way. My suggestion is only if you don't want to go that route.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 03, 2014, 02:15:28 pm
I'm thinking as a more consistent strat you'd probably go beat Fortree gym normally, then just keep doing the corruption until Ever Grande shows up. Check Pokemon in the box (a couple slaves) and see if you got IVG, if not, then use up the Rare Candies.

As for getting to 1 health, the most consistent method is to get Poisoned by a Wild Oddish on Route 119 just before Fortree and going down, can just be annoying cause it can use Sleep Powder and Stun Spore too (you can just keep spamming energy powders till you get the right result though)

Edit: One thing I did notice about the showing up in a boxed map (Trees, Water, other trees etc) is that it repeats over and over. That is, if you do an access beyond 6, and get the trees, if you Fly back to where you are, and do it again, you keep getting trees over and over for a continuous period (or at least I seem to)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 04, 2014, 08:24:02 am
Your tree problem is normal, since you corrupted the spawning map entrance, and you need to enter a Pokemon center to change it again to a normal map entrance.

The poison technique seems the safest strat, yup. Also, the upper Ninja on Route 119 have 2 Smogos, so it would maybe be safer and faster to fight him to be poisoned and reach 1 HP. (you only have 30% of Oddish in the grass)

For Bad Eggs, I noticed something that would also slow this strat, since Marill are too slow to outrun Route 119 Pokemon.
So for every bad egg, you'll have to take 1 or 2 turns more to flee.

Thus, the Rare Candy strat, even if more boring, seems to really gain time over the Bad Egg one.
But I don't know if it's faster to do it before or after Fortree Gym.
1) You push Swampert down to 1HP. You use Pomeg Glitch, and corrupt until Rare Candy is hit (it will happen, not like Ever Grande Fly Location). You push Swampert up to Lv X (the level where you'll OHKO / 2HKO everything with/out X Atk or X SpA for the best Pokes, if you already have X Atk / X Spa ). You beat Fortree Gym. You put another Pokemon with HP EV down to 1 HP, and you save to make multiple attempts to obtain Ever Grande Fly Location (it could also already be available).

2) You normally beat Fortree, then you put Swampert at 1 HP, save, use Pomeg, then do multiple attempts for Ever Grande, then you pursue your corruption to have Rare Candies corrupted, and you use them until Swampert reaches Lv X.

So, how much time do you need to fight every Gym trainer with your team ? Or, do you have hard fights ? since you shouldn't take too much time to use moves to bring Pokemon down.
Waiting for poison damage doesn't seem really slow too, but with 1 Smogo trainer, the 1 Pomeg Glitch strat seems better.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 04, 2014, 09:00:44 am
I don't know if you can corrupt the item bag without removing the TM + Berry bags. If you can't then it's a no-go because you can't fix the TM and Berry bags after afaik.

My Swampert was 39 when fighting her. Surf basically destroys everything. I don't know where he would be because I fought (almost) every trainer with Swampert and did most of the double battles with him too. I know he's going for time (I wasn't) so he could potentially be a much lower level.

I haven't really worked on it in the past couple of days. I couldn't get the item bag corrupted without ruining the other two bags which would break what I want to do. The other (bad) scenario would be to grind Victory Road with Swampert but that destroys the speed run aspect of it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 04, 2014, 10:08:59 am
Oh, yeah, you're damn right about the berry pouch corruption, that's a litigious point (the TMs aren't needed at the point of the run).
I'll look at the number of addresses that can bring a removal, and see their frequency of appearance, and the addresses that get corrupted along with them.

So yeah, a single Pomeg corrupt after Fortree Gym seems the best choice.

In his run, werster had a Lv 34 Marshtomp at Fortree, so the differences between all the Gym Fights and the fights with IW Bad Egg  and the time needed for setting up the first Pomeg and the Marill should still be in favor of the full Gym fights.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: werster on July 06, 2014, 06:21:27 pm
I must've tried at least over 2000 times to get this damn Ever Grande flag, and so far I've only ever gotten it twice. Is it just really that hard to get it, or is it just being super duper dumb? I feel like it needs to be at least a little more consistent before doing actual runs =(
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 07, 2014, 11:16:03 am
werster : How did you proceed to try to obtain Ever Grande Fly location ?
For now, I can't make any research (still one week of exams), so I don't know what's the importance of soft resetting for corruption.
Also, on another side, when you start to chain corrupt your file, it seems (can't affirm that yet) that other values that wouldn't be corrupted if you only used a savestate tend to become corruptible (since nearly every double word isn't 0000 0000, and starts by 45xx xxx, the corruption pattern seems to differ lightly, as the value of some bytes affect it).

Thus, I'd need to see what bytes would prevent or not Ever Grande Fly Location corruption.
So, if you have some savestates at Fortree that would be like the speedrun (if you've made another try with a new route since there are items you won't need anymore), I would need it, so that I can see what kind of run condition can make the flag corruption faster (in my saves, they are full game, or without anything, as I use walk through walls cheat).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on July 07, 2014, 01:56:37 pm
I must've tried at least over 2000 times to get this damn Ever Grande flag, and so far I've only ever gotten it twice. Is it just really that hard to get it, or is it just being super duper dumb? I feel like it needs to be at least a little more consistent before doing actual runs =(

Anti-cheating measures are killing the run.

As mentioned (http://forums.glitchcity.info/index.php/topic,6868.msg195220.html#msg195220) before (http://forums.glitchcity.info/index.php/topic,6868.msg195320.html#msg195320), Gen III Pokemon games randomize locations of most important memory blocks. They can be in 64 possible positions - so the chance of setting the desired flag is around 1.5%.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 08, 2014, 02:51:04 am
TheZZAZZGlitch: Do you have more data about the moving location of some addresses?
Because there's an address in the IRAM (a double word at 0x03xxxxxxx, but I don't remember where) that manages the address movement, as well as the item "encryption", and with CBA, no codes can be done to alter the game, making it ignore this process, so I need to force this address to the correct value if I want to make an Anti-DMA for CBA users. (that's a detail but I wanted to have something near complete about 3rd Gen AR Codes, and it's the needed code to make all the CBA ones useful, and there are too many possibilities for me to try by hand).

Also, when I look with the memory viewer, I only see 32 possible positions, and they are all below the "initial" position (the one given when Anti-DMA is used). So, maybe resetting would affect this... I don't know at all.

There are also two types of corruption, but since 6th bit and 0 + 2nd bits corruption aren't so far from each other (at least, less than 32 double-words), the chances don't have to be divided by two.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on July 09, 2014, 11:39:03 am
I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on July 09, 2014, 04:10:19 pm
I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed

I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III) article and also see this (http://forums.glitchcity.info/index.php/topic,6868.msg195232.html#msg195232).

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on July 09, 2014, 08:00:11 pm
I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed

I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III) article and also see this (http://forums.glitchcity.info/index.php/topic,6868.msg195232.html#msg195232).

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).

I feel like it would be easier to Glitzer a pokemon with set EVs / IVs or Contest Stats based upon giving a Pokemon specific moves and swapping Attacks with those two substructures.

It would also be cool to see if you could do this to enable the obedience bit for Mew / Deoxys and get a "legit" one into Gen IV
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on July 09, 2014, 10:56:07 pm
If I understand this correctly, this should work with the traded plusle...
EAMG->AGME
-attack 1 becomes the species, maybe a held item too (leichi berry)
-PP up bonuses, friendship, (hopefully unknown is 0?) will set some contest stats, maxing 2, and setting feel to 0
-EV's can be manipulated to set a few moves, making contests easier to win.

After all is said and done, I can rid of the illegal moves and keep the ribbons won....
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on July 10, 2014, 05:49:51 am
If I understand this correctly, this should work with the traded plusle...
EAMG->AGME
-attack 1 becomes the species, maybe a held item too (leichi berry)
-PP up bonuses, friendship, (hopefully unknown is 0?) will set some contest stats, maxing 2, and setting feel to 0
-EV's can be manipulated to set a few moves, making contests easier to win.

After all is said and done, I can rid of the illegal moves and keep the ribbons won....

That sounds like a good idea, but it does seem like the contest stats are wiped. I gave Plusle max happiness (255) with A-Save but it didn't max out the Smartness stat after I corrupted it and it hatched (as Krabby because its first attack was Quick Attack), unless I need to be trying another value.

I couldn't check the stats directly with A-Save because it thinks my Krabby is a Bad Egg even though it isn't and I'm not confident enough with checking the stats with memory viewer.

Edit: Yes, the conditions are indeed wiped after the Egg hatches, but this is what it would look like with 255 happiness. (You normally can't view an Egg's summary, but I changed the personality value in the middle of the menu)

(http://i.minus.com/jhKmwS5a4atpl.png)

Lower the happiness and the Smartness stat decreases. I don't know what controls the Beauty. I thought it was the last experience byte, but changing the experience to have FF at the end wouldn't work. Furthermore, the most significant byte would be 00 for my Plusle, but I still had a Beauty stat.

I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed

I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures (http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III) article and also see this (http://forums.glitchcity.info/index.php/topic,6868.msg195232.html#msg195232).

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).

I feel like it would be easier to Glitzer a pokemon with set EVs / IVs or Contest Stats based upon giving a Pokemon specific moves and swapping Attacks with those two substructures.

It would also be cool to see if you could do this to enable the obedience bit for Mew / Deoxys and get a "legit" one into Gen IV

Not sure if you misunderstood me. I linked to my post (a list of Pokémon with constant personality values, substructure orders and order changes) so you could look into doing something like that (putting a value into EVs & Condition). I wasn't proposing a completely new method.

For attacks into contest stats, it would work like this:

Move 4 -> Coolness and Beauty
PP 1 -> Cuteness
PP 2 -> Smartness
PP 3 -> Toughness
PP 4 -> Feel
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on July 10, 2014, 04:02:09 pm
I got a bad egg with move ID 0x0556 (this is possibly incorrect due to encryption) I believe it was a corrupt thunderwave with 0/2 bits being set. This changes the battle type after being viewed, so that pressing the B button immediately ends the battle. This was done on real hardware, and thought it's worth mentioning for speedrunners

EDIT: After looking in an emulator, I want to say that the set bits are affected by the surrounding bytes. As for my pokemon, I'm not sure how practical it would be, seeing as how if the PID is changed to change the sub-structure order, the Encryption for the pokemon will change as well (unless I'm overlooking something). That being said, the same bits would have to be applied to not only the PID, but the TID for the pokemon as well (and if the set bits are affected by surrounding bytes, there may be a better way to manipulate this). Are the daycare parents easy to manipulate?

EDIT 2: I think I finally understand it now. The (only reliable) way for the corruption to produce something other than a bad egg is if its PID's most significant byte has its 6th bit set. The corrupted bits appear to be about every 44 bytes, and alternate between setting bit 6, and bits 0/2. The reason that people get stuff that doesn't add up is because the encryption key for the pokemon's data changes when the PID is affected. If what I said above were to happen, it should allow it to pass the checksum check, even though the data will be altered because of the encryption key changing (every 4 bytes should change). This would also make sense as to why it sets everything into an "in egg status" which I theorize that filling a box with "good" eggs to corrupt will xor the flag back to "hatched".

An example could be PID of 0x0000006F (plusle) and the corruption would have to be 0x4000006F. Even though this changes the encryption key after XORing it with the TID, it will still add up correctly in the checksum due to the bytes overflowing.

Edit 3: The thought crossed my mind of corrupting 2 times, if we can corrupt the same byte of the PID as the TID, then the encryption key would remain the same. Hitting the right byte could be determined by a nickname corruption on neighboring pokemon thanks to the "stair pattern in the box" (It should be about an 8 byte offset, since corruption is about every 44 bytes, and a pokemon in the box is 80)

EDIT 4: Apparently, the bytes that get corrupted are aligned, so the only byte of the PID that can be corrupted is the Most Significant Byte... this is very limiting. Also, with my above method with corrupting 2 times, it needs to be set up where the Pokemon won't have its encrypted data altered during both corruptions (and don't even hover over it in the box, I think that changes a byte of experience). Though it is possible, as testing with memory editing gave me good results
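A model of the PID-only case from the post above (PID 0x0000006F becoming 0x4000006F), added here as an example and not code from the thread. It assumes the layout in the Bulbapedia substructures article linked earlier (key = PID XOR OT ID, block order = PID mod 24, 16-bit additive checksum); the OT ID and every field value are constructed.

```python
import struct
from itertools import permutations

# PID % 24 picks the order of the four 12-byte blocks:
# G(rowth), A(ttacks), E(Vs and contest condition), M(isc).
ORDERS = ["".join(p) for p in permutations("GAEM")]
BIT30 = 0x40000000  # bit 6 of the most significant byte of a 32-bit word


def order_for(pid):
    return ORDERS[pid % 24]


def checksum(plain48):
    """16-bit wrapping sum of the 24 little-endian halfwords."""
    return sum(struct.unpack("<24H", plain48)) & 0xFFFF


def crypt(data48, pid, otid):
    """XOR each 32-bit word with PID ^ OT ID; the same call decrypts."""
    key = pid ^ otid
    words = struct.unpack("<12I", data48)
    return struct.pack("<12I", *(w ^ key for w in words))


def store(pid, otid, blocks):
    """Lay the blocks out in PID order; return (checksum, encrypted bytes)."""
    plain = b"".join(blocks[c] for c in order_for(pid))
    return checksum(plain), crypt(plain, pid, otid)


def load(pid, otid, stored_sum, encrypted):
    """Decode with whatever PID is in memory now, as a reader would."""
    plain = crypt(encrypted, pid, otid)
    order = order_for(pid)
    blocks = {c: plain[i * 12:(i + 1) * 12] for i, c in enumerate(order)}
    return blocks, checksum(plain) == stored_sum


def sample_blocks(speed_ev=0):
    """Constructed field values, not taken from any real save."""
    return {
        # species, item, experience, PP bonuses, friendship, unknown
        "G": struct.pack("<HHIBBH", 0x0123, 0, 1000, 0, 255, 0),
        # four move IDs (98 = Quick Attack), four PP counts
        "A": struct.pack("<4H4B", 98, 0, 0, 0, 30, 0, 0, 0),
        # HP, Atk, Def, Speed, SpA, SpD EVs, then six contest stats
        "E": struct.pack("<12B", 0, 0, 0, speed_ev, 0, 0, 0, 0, 0, 0, 0, 0),
        # Pokerus, met location, origins, IVs/egg/ability word, ribbons
        "M": struct.pack("<BBHII", 0, 0, 0, 0x01234567, 0),
    }


def set_pid_bit30(pid, otid, blocks):
    """Store a Pokemon, set bit 30 of the PID only, then decode it again."""
    stored_sum, encrypted = store(pid, otid, blocks)
    after, ok = load(pid | BIT30, otid, stored_sum, encrypted)
    stats = ("cool", "beauty", "cute", "smart", "tough", "feel")
    return {
        "order": order_for(pid) + "->" + order_for(pid | BIT30),
        "checksum_ok": ok,
        "species": struct.unpack_from("<H", after["G"])[0],
        "contest": dict(zip(stats, after["E"][6:])),
        "egg_flag": bool(struct.unpack_from("<I", after["M"], 4)[0] & BIT30),
    }


def predicted_ok(blocks):
    """Each word's top halfword moves by +0x4000 or -0x4000, so the 16-bit
    sum is unchanged only when an even number of words had bit 30 set."""
    words = struct.unpack("<12I", b"".join(blocks.values()))
    return sum(1 for w in words if w & BIT30) % 2 == 0


if __name__ == "__main__":
    OTID = 0x00012345  # constructed OT ID
    for ev in (0, 0x40):
        b = sample_blocks(speed_ev=ev)
        print(hex(ev), set_pid_bit30(0x0000006F, OTID, b), predicted_ok(b))
```

In this model the top byte of every 32-bit word has bit 6 flipped, so a friendship of 255 reads back as Smartness 255 while an experience top byte of 00 reads back as Beauty 0x40. A single word that already had that bit set (here a Speed EV of 0x40) is enough to make the checksum fail.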
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Zklosty on July 23, 2014, 10:43:27 pm
I found a cool little graphical glitch using the Pokenav and looking at a pokemon's corrupted name in the status menu. I don't know how this happened, but it is noteworthy (sorry for crude pictures, I did this on cartridge w/o capture card)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 25, 2014, 12:56:22 pm
Froggestspirit :
So yeah, you found the same thing : only the leftmost byte of every double word can be corrupted, which restrains the possible corruptions.




By making an explanatory video about the glitch (for French people), I worked on item corruption, and found a safe way to do it, without losing TM/HM & Berry pouches.

Due to the fact that TM/HMs and Berries are behind other Bag items, you can't try an accurate corruption (counting every "Up" action) to alter Balls / Consumables quantities only.

You have only 1/8 chance to not corrupt these pouches if you try to corrupt item quantities. Also, when it happens, only PC items quantities will be corrupted (any PC item quantity can be corrupted though).

So, the only choice is depositing lots of rare items (Rare Candy, Master Ball, Nugget,...) into the PC, and corrupt until the Pouches don't get corrupted.

There are some bytes near TM/HMs and Berries (below or above each section, I don't know) that will "hide" their content if they aren't set to 0.
However, since these bytes are in the item area, they are "crypted" by the DMA, who changes the numeration based on a random value which is generated after certain actions (making a battle, passing through a door, closing the bag,...).
Thus, the "crypted" value of these bytes can be anything (but all the bytes that are affected by this, and would originally hold the same value, 0 here, will have the same encryption everytime), and since the corruption patterns can affect 1 or 2 bits (3 different in total), you have 1/8 chance that the crypted value would be a value unaffected by the corruption, leaving TM/HMs and Berry pouches unaltered.

Also, since only the leftmost bytes are affected, even if this crypted value is a little different for items, (since the original value would be 2, 15, or 8 for example), in most of the time, this difference won't be enough to change the left bytes of the words storing items quantities.


Since I find my post really messy, and I don't know how to explain this fact in an easier way, here are pictures to help me:

(http://www.pixenli.com/images/1406/1406313924060339600.png)

This is a picture of Bag Items with Anti-DMA, so you can clearly see quantities (even columns), and items (odd columns).
The order of the pouches seen is : Items,  Rare Items, Balls (with lots of 0063 as I used a cheat code), TMs/HMs (with also lots of 0063 as I cheated too).

PC items are higher, and Berries are lower.

(http://www.pixenli.com/images/1406/1406313947052133300.png)

And these are two pictures of the same area, without Anti-DMA.
You can notice the "encryption" value (I don't know its real name, so I refer it as an encryption value) that alters the value of the bytes holding the quantities.

On the left picture, this value is 3B15, so it can be corrupted into 7B15, and corruption would glitch TM/HM / Berry pouches.
On the right picture, this value is DF02, so it can't be corrupted.




Also, you can notice that even with high quantities, the crypted words for quantities have a left byte that is still 3B or DF, so it also won't change.
With an item quantity of n, we would have n/256 chances that the encryption value will be high enough to make the left byte change, allowing a possible corruption for this byte only, if it already was a "non-corruptible" byte (1/8 chance for that to happen).
Also, since the rightmost bit of a "non-corruptible byte" would be set to 1 (else it would be corruptible), if the byte's value is raised by one, it will become corruptible with a "0 & 2 bits" corruption.
So if you already have 50 or more of some items, you have decent chances to corrupt their quantities safely, along with PC items quantities.
So it's more beneficial to have your main stock in your bag, and only 1 or 2 copies of some rare items in the PC, to increase your chances of corrupting the items you want.


EDIT:
If you're interested, and understand French, here's my video about the Pomeg Corruption Glitch:
https://www.youtube.com/watch?v=0GCwqd-oSyI
It's in French, and deals with Pokemon corruption (obtain any Pokemon, even glitch ones, as well as Pokerus, and several glitch moves + Reverse Cloning Trick), and Item / Events Corruption (Bag, Records, Southern Island, Ever Grande Fly Location, and the small issues that have to be looked out for).
Since I'm mostly showing and briefly explaining, it may not be really useful, but if you have time to lose, and want to hear my scrappy explanations (If you have comments about my comments, I'd really like to hear them to improve the video).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on July 28, 2014, 10:27:51 am
I don't know French, but I did manage to get that Stantler I wanted. I had to corrupt a wailmer with a very specific PID 2 times correctly (so I had to use an emulator and savestates) but it ended up giving it Sacred Fire (because of my held item choice) and a glitch move. I used the daycare to rid of the glitch move (swapped it to first slot in battle). The stantler has high contest stats, and low feel, so I can hopefully max them out from there. It was also holding a leichi berry. Took a lot of calculations, but I feel it was worth it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 28, 2014, 04:12:23 pm
FroggestSpirit :
Wow, what a great idea.

It gives a new method that's faster than a 70x256 hatching Egg.
Also, we can get an item, ribbons, and contest stats out of it, which is pretty interesting.

I've tried it on a corruptible Acid Armor Smeargle (0 EVs, no item) that I had, and it gave me a Lv 0 Mew, with 7 Ribbons, no contest stats, holding a Sacred Ash, and with 4 Glitch Moves.

I'd really like to know what data determined the Lv, ribbons, held item, contest stats, and moves, as I don't see where they are coming from.

I tried some trick to avoid DayCare : Replace a Glitch Move by a TM by quickly going to the Contest Page when Moves appear.
But with 4 Glitch Moves, the game froze before reaching the Page.

So I put my Mew into Daycare until it reached Lv 11 (I'm lazy to leave it to the Daycare since I still haven't searched for the addresses holding the amount of experience given at Daycare), and tried my TM trick again.
I was able to reach the Contest page, and to replace a Glitch Move by a TM.

But then, I got a big graphical glitch, that you can see here : https://www.youtube.com/watch?v=yuUmjhYTumo
I already had one on my Fire Red version, while attempting to do the same thing : https://www.youtube.com/watch?v=X5CnkniQbUc

The color palette changes, and the changes occur when the music freezes.
On the Memory Viewer, the values are going crazy.
And about 1 min later, the game crashes.

I tested a little bit, and it appears that only certain glitch moves make the game freeze like this, as the game can't handle the move's name (or something linked to the move) when it tells you it's deleted.
The other Glitch Move my Mew had didn't pose any problem when replaced (except the long glitchy name).

So yeah, Daycare is the best way to remove Glitch Moves.




Apart from that, I focused on held item corruption to see if I could obtain some cool items with Pomeg Glitch.
So I modified my Seedot Swarm to give them Trick in 1st Move, with a 100% appearance rate.
I gave some of them a Master Ball, with an identifier of 0x0001, and TM 01, with an identifier of 0x0121.

Once the items were corrupted, I went to fight Numels, and caught them, to see what the item identifier was.

With Master Ball, I got items 0x0101 (Green Scarf), and 0x0501.
With TM 01, I got items 0x0021 (Revival Herb), 0x0521, 0x0421
I also got items 0x4000, 0x0100 (Pink Scarf), and 0x16A (Vs Seeker).

And as my Seedots knew Harden (0x006A) as a second move, I thought of teaching them Haze (0x0072) to see if I could get AuroraTicket (0x0172).
As this kind of corruption is like Pokemon Corruption, it worked only for two Seedots.
I also swapped their moves, and yeah, the 2nd move is interpreted as the item, with a little change of identifier.
With Trick as 2nd Move (0x010F), I got a Burn Heal (0x000F), so this is a bit 0 corruption of the left byte of the identifier.

But contrary to normal corruptions, where the bit is set to 1, here, it changes.
This also happens for addresses linked to flags (like Ever Grande Fly location), but doesn't happen in general (for records or Bag item quantities), and I don't know what exactly the cause of this is, but it doesn't seem to happen for PID corruption, so I found it strange to see it on item corruption, although it's useful.

But when I got the item I wanted with my 2nd Move, well, my Bad Egg didn't have Trick anymore.
I tried to give him 0x0F HP EV and 0x01 Atk HP to maybe obtain Trick as a move, but it didn't work so (in battle, my moves cause an instant-freeze when I see them).
I also altered the swarm to have a Numel Swarm with Trick, but it failed when they used it.
Covet didn't work too.

So, to obtain the item I want with a PID corruption, I should obtain it from the EVs, and with a corruption that doesn't swap the Moves substructure (or read Moves for Growth, and EVs for Moves, that's the same), in order to be able to Trick it to a wild Pokemon.

And FroggestSpirit appears with its method of corruption that leaves us with a hatched Pokemon, so by knowing how the item is defined, we could obtain every item.


It wouldn't be mega-useful as for special events (Southern Island, Navel Rock,...), you need items and some flags (that can't be corrupted, for now), but we could obtain back some lost items, or cool ones.
For example, one would be able to have the Mach Bike & Acro Bike combination that I really like on console, as well as the event tickets, as they are "cool".





I also tried corruption on FrLg, and I didn't find any important data to corrupt, except for item quantity (with the same restraint as in Emerald : 1/8 chance to not corrupt TM/HM and Berry Pouches) and records.
Corrupting records could allow one to have a score higher than 200 at a Island 2 Link Mini-Game, and earn a star for the Trainer Card.
Also, Battle Tower record could be altered, to give (I think), another star for Trainer Card, only leaving League and Pokedex one for the player.
Stickers could also be earned, as the counters of random encounters / fights / fishes / eggs hatched would be corrupted.

But for E-Reader events, all of them are added (the script the delivery man has) into the save when E-Reader is used (with an annoying checksum for the script), so there's no way we can unlock them this way. The Southern Island event is the only one already in the game, so we only needed a value corruption to make the delivery guy appear, since it's the main special event.

I'll look at the flags, to see if a special island flag may be corruptible (and with FroggestSpirit technique, we could obtain the tickets), but I don't think so.

And since we would need to trade Pokemon to obtain one with ?35 HP, we would need to have trades towards Hoenn unlocked, or another FrLg game with Hoenn trades unlocked, and trade with it, I didn't really look at the story flags that could be useful to corrupt, since no speedrun could be done like that (with trades from a completed game).
But there are some skippable parts of the story, as we could obtain Sylph Scope or PokeFlute with corruption only.
But it would be easier to do the corruption on the completed game, and once the Pokemon holding Pokeflute is obtained, trade it to the non completed game.

The quantity of coins in the Coin Case can't be corrupted.
Also, maybe 1 legendary / given Pokemon can be brought back with flag corruption, but that's all, since they aren't unlockable but are present since the start of the game.

There's still one thing I haven't studied that could also have a little bit of interest, the Roamers.
I'll focus on them tomorrow, if I'm not too lazy.
But I don't really see what we could pull from these Pokemon, since making a wild battle against a glitch Pokemon (identifier of 0x413A for example, glitched Seedot identifier) crashes the game when the screen fades to display the battle.

I've also made a lucky successful corruption attempt (first time, and with Anti-DMA activated), which corrupted my Sentret into a Caterpie (corruption through moves).

I hatched and evolved this Caterpie into a Butterfree, and contrary to Emerald, I couldn't see the Status pages of my Butterfree at all, due to its glitch moves.
So I made him lose 3, to reduce bugs, and I was able to access its Status page.
But then, when I swapped this glitch move to 2nd place, the game considered my Butterfree as an Egg, showing me an Egg status screen, with Butterfree's sprite (and I couldn't make it hatch, so it's still fundamentally a Pokemon).
Swapping the glitch move to 3rd or 4th place caused more graphical glitches, and allowed me to scroll the status screen down, showing me Bad Eggs and Decamarks status screens.

These status screens are the interpretation of the data directly below team data, and scrolling down through the Decamarks (a limited amount of them, the game resets or I can't scroll down further after a certain point) corrupts the data in the way.
But since its full of 0000, the 4000 and 0500 aren't omnipresent, as they tend to "stick" to areas where the data isn't full of 0000. (ex : leave 3 or 4 empty spaces in your PC, and you'll find only few traces of corruption at the edges of the space's data, and you'd need numerous successive corruptions to fill that space with 0x4500 ).

But it's already something, since it may be possible to scroll down further with other glitch moves, or have different effects, as I've only got one working corruption, and all the glitches it had gave me a lot of work.
Also, if I scrolled up, I would see 1 or 2 Pokemon of my team, and lots of Bad Eggs (team was : Pidgey, Mareep, Mewtwo, Butterfree
I would see 3 Bad Eggs, then Mewtwo, then more than 4 Bad Eggs, then it would stop on Pidgey), with some Bad Eggs that reset the game.
Since I see Bad Eggs between team Pokemon, I don't know what kind of data they come from, and there often seems to be a Bad Egg resetting your game.
Also, since Pokemon Team is stored in 0x02024284 (and below), there isn't a ton of things above (time counter maybe), and the scrolling stopped at Pidgey anyway.
It's longer to set up than the usual Pomeg Glitch corruption, but we may be able to corrupt other addresses with this cursor.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on July 29, 2014, 04:24:57 am
I don't know french, but I did manage to get that Stantler I wanted. I had to corrupt a wailmer with a very specific PID 2 times correctly (so I had to use an emulator and savestates) but it ended up giving it Sacred Fire (because of my held item choice) and a glitch move. I used the daycare to rid of the glitch move (swapped it to first slot in battle). The stantler has high contest stats, and low feel, so i can hopefully max them out from there. It was also holding a leichi berry. Took a lot of calculations, but I feel it was worth it.

That's great! Do you still have a save file with Wailmer's PID? I'd like to know what it is, and how you made it not turn into either a Bad Egg or an Egg, and what bit additions occurred.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 29, 2014, 07:55:02 am
For the double corruption to work, I think that every Pokemon that can be corrupted into an Egg can be corrupted another time into their hatched form.
As you need to corrupt the PID with the Bit 6 corruption, then you need to corrupt the TID with the same corruption.
And the Bit 6 corruption "flips" the Bit (if it was to 0, it will be set to 1, and if it was to 1, it will be set to 0),



I worked on item corruption, and I came up with 2 methods to obtain every game item (one of them doesn't give them all).
There would be a third one with FroggestSpirit double corruption, but I don't see where the item identifier comes from, so that'll be for later.

The first one is the quickest to do, since it seems to work with every Pokemon. You just need to corrupt the held item of your Pokemon into another one.

I saw 4 different item corruption patterns, and I'll take examples to show them, as it's easier.
Master Ball, 0x0001 turned into 0x0101, 0x4001, and 0x0501
TM 01, 0x0121 turned into 0x0021, 0x0521, and 0x0421

So the corruptions are :
Bit 6 is set
Bits 0 & 2 are flipped (which explains the 0x0421 corruption)
Bit 0 is flipped (which explains the 0x0021 corruption)
Bit 2 is flipped ??  It may also be a Bit 0 & 2 set (not flip), because that would explain the 0x0521 corruption.

Thus, you can obtain a first set of items by catching Pokemon, teaching them Trick (putting it in the 1st place seems good as it doesn't often get corrupted), and giving them an item with an identifier that differs from your wanted identifier by the Bit 0 of the right Byte.
Once you have the desired item, you go make a battle with your Bad Egg, and use Trick, then catch the wild Pokemon, and you can take its item.

ex : You can get Master Ball (0x0001) by making a Pokemon hold Green Scarf (0x0101).

Since I was lazy, I corrupted my Seedot swarm for Trick seedots, instead of teaching it to Smeargles.
With this method, you can obtain :
All the TM (almost), RS Rare items
Acro and Mach Bike (a pretty cool and useful combination, I always use it on VBA)
The Fossils, Master Ball, Sacred Ash, PP Max, Rare Candy
For FrLg, you can have the Amber (this item has no use in RSE) too.

I have a list of Item identifiers, but it's in French, so I'll search for a link with English names.



For the second method, I corrupted the held item identifier with Def and Spd EVs, while leaving Moves invariant, since I wanted Trick.
You can also try to corrupt held item identifier with Moves, and corrupt Moves with EVs, to have Trick, but it's less interesting.

But when the corruption happens, there is a Bit 0 flip that appears. I don't know why, but on every one of my attempts, and on the previous attempts on this topic, it was here.

So, if you want a certain item, with an identifier of 0x0nnn, you have to set your Def and Spd EVs to make the identifier (0x0nnn xor 0x0100).

ex :
For Old Sea Map, 0x0178, I have to make 0x0078 with my EVs, so 0 Spd EV, and 120 (=0x78) Def EVs.
For Rare Candy, 0x044, I have to make 0x0144 with my EVs, so 1 Spd EV, and 68 (=0x44) Def EVs.

This explains the appearance of Pink Ribbon, that has an identifiant of 0x0100, with 0 Def EVs and 0 Spd EVs.

I was able to correctly corrupt two Seedots that still had Trick, and obtained an Old Sea Map.
It may be unusable (for now, since we only need to corrupt a flag to use it), but it's cool to me.

This glitch can also be done in FrLg, bringing the same results.
We can also trade Pokemon holding rare items, which can be useful, but we can't put them into the PC.
The little issue would be a Rare Item Pouch being full.


I'll look at other FrLg flags, to see if we maybe can set flags for special islands.


EDIT :
Could someone explain me why RS Pokemon nearly always work for corruption ?
When I flip Bit 6 of the leftmost byte of their PID, they become an Egg, or nothing (you can't even take the Pokemon, and if you put a Pokemon on the same place, it gets overwritten).
With a real Pomeg corruption, you would also need some parts of the Pokemon's data to not be corrupted by the cursor, with the PID corruption, but that would help a lot for doing a successful Pomeg Glitch Corruption.

I tried on Ruby and Saphire, with all different parameters, and I always got one of these 2 corruptions, if I corrupt it on Emerald or RS.


EDIT 2 :
Okay, the corruption making an invisible and "untakable" Pokemon was just a successful EV corruption, and the Pokemon 000 is handled by RS with nothingness.

So yeah, every RS Pokemon can be corrupted if I alter the PID, whereas it's not the case in Emerald (now that I think of it, I was never able to corrupt an Emerald Pokemon, they always were generated from a RS game or save modifier).
Also, my games are French, so maybe it counts ??

Tomorrow, I'll catch loads of Emerald Pokemon, to see if I'm able to corrupt one of them.

EDIT 3 :
I've tried a manual (with Memory Viewer) double corruption on a Pokemon caught on Emerald, and it worked with every Pokemon, with certain conditions.
When I corrupt the PID only, for an Emerald Pokemon, it becomes a Bad Egg (never had a working case for an Emerald Pokemon).
If I go into the Box the Pokemon is, the game will change other data from the Pokemon to consider it as a "Bad Egg" (a value is changed from 02 to 07), and if I corrupt the TID, it will stay a Bad Egg.
To not make this value change from 07 to 02, and still know (if there's a way) if you corrupted the Pokemon's PID, you can watch the other boxes (and as you can corrupt 2 boxes, you can maybe check the other one to see if it worked).
Once you're sure the PID of a Pokemon was corrupted, and you didn't go on the Box the Pokemon is, you just have to corrupt its TID with a Bit 6 corruption, and it will turn into a Pokemon, everytime.

So yeah, double corruption is really cool.
Also, instead of the usual corruption, where you had a 1/8192 chance that the corrupted Egg becomes Shiny, here the Shininess is retained, since you also corrupt the TID.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on July 29, 2014, 11:37:14 pm
Torchickens:

Wailmer
PID: 0x82FD5C3F corrupted to 0x87FD5C3F
SubStructure 7 corrupted to 15
Attacks turned into EV's/Contest stats
Growl/splash/mist/raindance (all with max pp-ups except raindance to keep that feel low)

EV's to Growth (to stantler, and holding a leichi berry)

Growth to attacks (glitch move from exp or something. Sacred fire from holding lax incense)

My trainer ID also had to comply with the changed bits in the pokemon's PID (which thankfully it did)
It also took time to find one with a sub structure of 7 (because the morph I was planning would change it to 15, shuffling in the correct order)

ALSO! Since the PID and TID got corrupted as bits 0 and 2, there would be a bit 6 corruption along the data (I think it was somewhere in the attacks area). The 6th bit NEEDED to be set by default (which thanks to encryption, it was) so that the checksum wouldn't be messed with there.

All these calculations are the reason it took hours to set up

Now, I have a bigger problem... winning all ribbons possible with that stantler... battle ribbons as well
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 30, 2014, 03:40:18 am
Phew, it took me 3-4 hours, but I finally know what prevented me from having corruptible Pokemon in my Emerald file for like 5 hours.
It was the Ball I used for the capture.
Apparently, with a Repeat Ball, a Bit 6 PID corruption turns almost everytime in a Bad Egg (I didn't see any successful Egg).
I tested this fact with other Balls, and here's what I found :
Bit 6 PID corruption turns into Bad Egg for :
Repeat Ball, Premier Ball, Timer Ball, Nest Ball, Luxury Ball

Bit 6 PID corruption turns into Egg for :
Master Ball, Dive Ball, Great Ball, Hyper Ball, Poke Ball, Net Ball, Safari Ball

The concerned Balls (those that don't seem to work) all have an identifier equal to or higher than 0x0008, so the Bit 4 of their right byte is set to 1.


However, modifying the PID for a Bits 0&2 corruption with Memory Viewer always gave me Bad Eggs.

Could someone please bring me explanations for this turning into Egg/Bad Egg that depends on the Ball used, and for the fact that only modifying Bits 0 & 2 of the PID always ended up (for me, and with every Ball), in Bad Eggs ?

Because if there are factors that prevent or reduce chances to corrupt a Pokemon (like the Ball caught), I'd like to know a bit more, to change my ways of preparing my Pokemon.


EDIT :
Yesterday, while trying to study if obedience was kept after hatch or with a double corruption, I had an interesting result :
With a Wingull who had a GEAM (02) -> AMGE (10) transformation (Misc is read on EVs, and Growth on Attacks), I gave him Pokeblocks to see how to set the obedience, and I was able to change it directly into a Pokemon in a single corruption.
I found that the cause of this was giving to my Wingull 0x40 in Beauty and 0x40 in Feel (other bits can be set, it doesn't change the result).
Since Beauty (EVs) is at the same place than Egg (Misc), it has interfered in such a way that the game directly considered the corrupted Pokémon as hatch, sparing me a hatching or a double corruption.
Also, giving more Feel or Conditions (with Bits 6 of Beauty & Feel set) changed some data of the corrupted Pokemon (its level, special ability, and glitch moves changed a bit).

It also may be possible to do the same with Misc read on Attacks, since a 40 PP move with a PP Max has 64 (=0x40), which is exactly the value we want.
There are 4 Misc read on EVs & Growth read on Attacks combinations :
10 <-> 02 (so 8/48 = 1/6 chance to have it)
11 <-> 03
20 <-> 12
21 <-> 13

There are 4 Misc read on Attacks & Growth read on EVs combinations :
00 <-> 16 (so 8/48 = 1/6 chance to have it)
01 <-> 17
06 <-> 22
07 <-> 23


EDIT 2 :
Well, a single corruption with no Egg is easy to do, but sadly uncool for the Pokemon condition.
I reproduced it, and the only 2 bits needed are Bits 6 for Beauty and Feel (so 0x40 = 64), or 64 PPs for 2nd and 4th Move, depending on the corruption pattern.

The issue is that there are unwanted bits set to 1 all along the Pokemon data.
Thus, it will directly be at Lv 100, holding a ??? item (identifier of 0x4nnn, so too high to be a real item), and with some glitch moves at places where it shouldn't have moves (like with the usual corruption).
But I think this is avoidable with the reverse corruption pattern that I had : Growth on EVs and Misc on Atks, because with EVs and Condition, you're able to set high bits to 1, and the unwanted Bits aren't set, but flipped (it becomes 1 if it was 0, and 0 if it was 1).
For example, with Def and Spd EVs making 0x4178, after my corruption, you would have the item 0x0178, which is Old Sea Map.
This should be the same for Xp, but I don't know what Bit(s) are set to 1 for now.

Also, I've looked at obedience, and I was able to obtain an obedient Mew.
You can only do it with Misc on EVs corruption, since you need Bit 7 of the Feel set to 1 (so 0x80, or 128 Feel) only.
Thus, for a single corruption, you need Bits 6 & 7 of Feel set to 1, (0xC0 or 192 Feel) + Bit 6 of Beauty to 1.

Setting this Bit to 1 gave me an obedient Mew for non hatched single corruption, and double corruption.
The obedience also stayed for the usual corruption.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: FroggestSpirit on August 01, 2014, 09:39:49 pm
Getting a bad egg relies purely on the checksum. The ball you catch a Pokémon in does not matter (though it just happened that the way your Pokémon data was encrypted resulted in it changing, based on the PID TID combo).

Basically... the PID of the pokemon and your TID (including secret ID) get Xor'ed together. That result is Xor'ed throughout the 4 groups of data (GAME for example). When doing the double corrupt, the encryption needs to happen, so that NONE of the bits in that data get changed (meaning they are already set after the encryption takes place). If any of them change, it won't match the checksum anymore, and the game will turn it into a bad egg.

The double corruption will turn it into a bad egg the first time. As long as you don't look at it in the PC, (or even hover over it with the cursor) you can still use the second corruption to "fix" the checksum back, and switch the data structure.
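
An added illustration of the mechanism described in the post above (not code from any poster or from the game): it models the encrypted 48-byte data block as four 12-byte substructures XORed with PID xor TID, a 16-bit sum checksum, and a substructure order chosen by PID mod 24, then applies the Wailmer mask quoted earlier in the thread. The TID value and all field values are constructed, the layout is an assumption of this sketch, and the glitch's other bit changes inside the data are not modelled.

```python
import struct

# Substructure order selected by PID % 24
# (G = Growth, A = Attacks, E = EVs/Condition, M = Misc).
ORDERS = ("GAEM GAME GEAM GEMA GMAE GMEA AGEM AGME AEGM AEMG AMGE AMEG "
          "EGAM EGMA EAGM EAMG EMGA EMAG MGAE MGEA MAGE MAEG MEGA MEAG").split()

PID = 0x82FD5C3F    # Wailmer PID quoted in the thread
MASK = 0x05000000   # bits 0 and 2 of the top byte: 0x82... -> 0x87...
OTID = 0x12345678   # constructed trainer ID + secret ID (assumption)

# Constructed field values, 12 bytes per substructure (not a real save).
SUBS = {
    # species, held item, experience, PP bonuses, friendship, unused
    "G": struct.pack("<HHIBBH", 0x0139, 0x00DD, 1000, 0, 70, 0),
    # four move ids, four PP counters
    "A": struct.pack("<4H4B", 45, 150, 54, 240, 40, 40, 30, 5),
    # six EVs (HP, Atk, Def, Spd, Sp.Atk, Sp.Def), six condition values
    "E": bytes([0x34, 0x01, 0x78, 0x00, 0, 0, 10, 20, 30, 40, 50, 60]),
    # pokerus, met location, origins, IVs/egg/ability word, ribbons word
    "M": struct.pack("<BBHII", 0, 16, 0x2202, 0x3FFFFFFF, 0),
}


def crypt(block, pid, otid):
    """XOR every 32-bit word with PID ^ OTID (encrypt and decrypt are the same)."""
    key = pid ^ otid
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", block)))


def checksum(plain):
    """16-bit sum of the decrypted halfwords; independent of substructure order."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def build(pid, otid, subs):
    """Lay the substructures out in the order PID selects, then encrypt."""
    plain = b"".join(subs[c] for c in ORDERS[pid % 24])
    return {"pid": pid, "otid": otid,
            "checksum": checksum(plain), "data": crypt(plain, pid, otid)}


def corrupt(mon, pid_mask=0, otid_mask=0):
    """Flip header bits only; stored checksum and encrypted data stay as they are."""
    return dict(mon, pid=mon["pid"] ^ pid_mask, otid=mon["otid"] ^ otid_mask)


def view(mon):
    """Decrypt and interpret the block the way the header now dictates."""
    plain = crypt(mon["data"], mon["pid"], mon["otid"])
    order = ORDERS[mon["pid"] % 24]
    slot = {c: plain[12 * i:12 * i + 12] for i, c in enumerate(order)}
    species, item = struct.unpack("<2H", slot["G"][:4])
    return {
        "order": order,
        "valid": checksum(plain) == mon["checksum"],  # False -> Bad Egg
        "species": species,
        "item": item,
        "moves": struct.unpack("<4H", slot["A"][:8]),
        "evs": tuple(slot["E"][:6]),
    }


if __name__ == "__main__":
    mon = build(PID, OTID, SUBS)
    stages = [
        ("original", mon),
        ("PID corrupted only", corrupt(mon, pid_mask=MASK)),
        ("PID and TID corrupted", corrupt(mon, pid_mask=MASK, otid_mask=MASK)),
    ]
    for label, m in stages:
        v = view(m)
        print(f"{label:22} order={v['order']} valid={v['valid']} "
              f"species={v['species']:#06x} item={v['item']:#06x} "
              f"moves={v['moves']} evs={v['evs']}")
```

With the same mask on both values the key is unchanged, so the checksum matches again, while the order moves from 7 (AGME) to 15 (EAMG): the old Attacks bytes are read as EVs, Growth as Attacks, and EVs as Growth, as in the Wailmer post.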
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on August 22, 2014, 12:52:30 pm
After writing a whole article on Pomeg Glitch and its usefulness, and several tests on emulator to see if my procedures were working, I understood more tiny helpful things on corruption.

When the PID or TID are corrupted for a first time, the corrupted value is "added" to every double-word of the data (PID and TID being double-words).
And if the bits that are "added" were already set to 1 on certain areas, the Pokemon will turn into a Bad Egg.
The areas I found were : Held Item, 4th Move, PPs of 4th Move, Onctuosity, Pokemon Origins, and maybe Ribbons (the last one being tougher to test).
For a Bits 0 & 2 PID/TID corruption, I always had the Pokemon turned into a Bad Egg.
There may also be another mechanic behind to explain this transformation, but I also thought that the Pokemon Origin would count.
But I had a little Lua Script on VBA that showed me the transformation of these values.

My tests circled around Bit 6 PID/TID corruption, as it's the one that can be easily done on a console.
So, for this corruption to work, you need Held Item identifier, 2nd Move identifier and an Origin value that don't have their 14th Bit set to 1 (0x4000) (thus, values between 0x0000 and 0x3FFF or 0x8000 and 0xBFFF work).
For the Origin Value, the Ball identifier needs to be less than 0x08, else the value will have its 14th Bit set to 1.
This is why Pokemon caught with a Repeat Ball always gave me Bad Eggs.
The same change happens to 4th Move, but there is no 4th Move identifier inducing a Bad Egg.
You also need 4th Move PPs and Onctuosity that don't have their 6th Bit set to 1 (0x40) (thus, values between 0x00 and 0x3F or 0x80 and 0xBF work).
The same change happens to an EV and another Condition, but their value didn't induce any Bad Egg.


All the methods in my article were focused on getting Smeargles and testing them to see if they can be corrupted, before cloning and training them in order to have a few (4-5) guinea pigs that would work for different corruptions (or for other attempts on a same corruption) instead of catching a Box of Pokemon everytime.

I also made a part on save corruption, with things like Item quantity corruption, Southern Island corruption,... and I found some more interesting stuff.
-Pokeblocks can be corrupted, and if they are, they will gain Grace (5 or 64 more points).
This leads to a recipe of 8 Pokeblocks made with ultra-rare Berries (that can be obtained with Item Corruption) that nearly give maximum condition on every stat (255 points).

-Some rare Secret Base items are available through corruption, but not all of them.
The most important ones (Regi Dolls and Glitch items) are available.
There are particular spots on the Item PC where corruption can happen, and with the automatic order of the Items, it's hard to manipulate the contents of the PC to increase our chances to obtain the item we want with corruption.

There are 7 Glitch Decorations that can be obtained.
If I remember well, 4 of them do nothing, 1 is like a Black poster, and 2 of them mess with the camera, giving you a hard time to place objects, move, find the PC, or exit the Base.


I also focused on Double Corruption, to render it accessible, with great chances of success.
To do it on console, I focused on getting Eggs with a PID/TID corruption, then corrupting the other value (PID or TID) to change the Egg into the desired Pokemon.
A new issue rose, as when you make a second corruption, the previously mentioned Bits are set to 0, and if some of them already were at 0, a Bad Egg will appear.
Thus, if PID is corrupted first, some of the previous values are concerned, as EVs, 4th Move identifiant, or Condition will go onto other data, like Held Item Identifiant, 2nd Move Identifiant, or Pokemon Origin, and if you corrupt the TID after that, you'll get a Bad Egg.
To be more accurate, a part of the previous values that changed with PID/TID corruption (Held Item, Moves 2 and 4, PPs of Move 4,...) is "refreshed" when the Pokemon is held and deposited into the PC, and this refresh is the main cause of most of the Bad Eggs obtained in Double Corruption.
This is an issue since not being able to move a PID corrupted Pokemon prevents you from cloning it.

So, I start my Double Corruptions with TID corruption.
The previously mentioned bits are changed, and I only have a single condition to respect if I want to move my Egg safely :
The corrupted 4th Move's PPs have to be between 0x40 and 0x7F or 0xC0 and 0xFF (the 6th Bit of 4th Move PPs has to be set to 1), because when we move the Egg, its PPs are recalculated, so the needed amount of PPs has to be respected with the corrupted move.
This may be kind of tricky since it's hard to tell if a certain Glitch Move has the right amount of PPs, but someone is making an application that gives details about 3rd Gen Glitch Moves (PPs, Power, Accuracy, Type, Effect, other data) in order to cover this situation.

The main point of Double Corruption would be to obtain the best Pokemon, the most powerful ones, so I searched combinations of Moves or Evs & Condition to maximise IVs or EVs & Condition.
The main issue for Moves is that high identifier moves tend to frequently crash the game when Sketch is used.
I had to look at around 300 identifiers to find moves that could be Sketched without any crash, and with the ability to Sketch other Glitch Moves.

For EVs & Condition, I use Moves :
The best moves I found were :
0xFEFF, 0xB4FE, 0xFEF2, 0x8E5F.
(0xFEFF and 0xFEF2 can change positions)
The EVs & Condition value becomes :
HP : 0xFF = 255 / Atk : 0xFE = 254 / Def : 0xFE = 254 / Spd : 0xB4 = 180 / Sp.Atk : 0xF2 = 242 / Sp.Def : 0xFE = 254
Cool : 0x5F = 95 / Beauty : 0x8E = 142 / Cute : 245 / Smart : 24 / Tough : 225 / Onctuosity : 16 (didn't translate that)
The Spd EV value is a little low, but that's the best I could get.

For IVs, I use moves :
0xFEFF and 0x3FBF (3rd and 4th slots)
I obtain IVs of :
HP : 31 / Atk : 23 / Def : 31 / Spd : 31 / Sp.Atk : 27 / Sp.Def : 31

For IVs, I use EVs & Condition :
255 Sp.Atk EVs, 255 Sp.Def EVs, 255 Cool, 63 Beauty, less than 191 Onctuosity
I found a combination that works well, with natures that don't boost Beauty (natures affecting Sp.Atk)
1 Pamtre Pokeblock with 4 players (100 RPM)
1 Razz Pokeblock with 2 Players (100 RPM)
4 Litchii Pokeblocks with 4 Players (100 RPM)
Adamant and Modest natures will be really bad, as they affect both Beauty and Cool.


After several tests, I was able to obtain a Mewtwo with pretty EVs (read on Growth) and IVs read on Moves, caught in a Safari Ball, at Lv 111, at Cerulean Cave, in a Fr version, holding item 0x0201 (I had 2 unwanted EVs in Spd due to a miscalculation in my training).
Its moves were glitched (read on Miscellaneous), but I gave him 0 exp points, to make it at Lv 0, so he can easily learn moves to delete the others.


I quickly looked at roamers, and you can corrupt their PID, IVs, as well as the address managing the state of the roamer (dead or alive), and it's possible to make it appear (if he wasn't generated or dead).
If the roamer wasn't generated, it will appear at Lv 0.
But, since Lv 0 isn't a possible encounter level, the game will say that the roamer hatched from an Egg.


I also solved the issue with Ever Grande Fly location on Speedruns.
It was linked with the pattern of the pointer.
The pointer tries to read Pokemon data, and as the position of the Pokemon species depends on the PID, if you take a certain block of data, there will be addresses considered as "PID" by the pointer.
Thus, for a certain "PID" address, there are 4 addresses that can host a Bit 6 (or a Bits 0 & 2) corruption.
The address hosting the corruption will depend on the value of the "PID" address, and the value just after, which emulates the "TID".
If the PID address has its leftmost byte with a Bit 6 set to 1 (so 0x4xxx xxxx), there won't be a Bit 6 corruption.
If both PID and TID addresses have their leftmost byte with a Bit 6 set to 1 or set to 0 , there will be a Bit 6 corruption.

Thus, by manipulating values higher than a wanted value (Ever Grande Fly Location), we can ensure that there will be a situation where the wanted value will or won't be corrupted.

Here, all the needed values are linked to trainers.
For Ever Grande Fly Location, the main "PID" address that would induce its corruption has Bit 6 of its leftmost byte set to 1, as this Bit manages the very first trainer of the game (the unavoidable Youngster on Route 102).
So I tried to set Bit 6 of the leftmost byte of the "TID" address to 1, but it's not a trainer we can fight on a speedrun.

I focused on the 3 other possible cases, and I found that one of them can bring an Ever Grande Fly Location corruption.

To do this, you need to fight the minimal amount of trainers (the same amount that werster did in his runs, and in the save file where I made my tests I presume) + fight the Twins at Route 103. (they have Plusle and Minun)
You can also fight the Twins at Route 104 (and not the ones at Route 103), but I don't know if one would have 2 Pokemon at this point in the run. The needed value at the address 02026D4C (with Anti-DMA) is 0x0200 0002 or 0x0200 0008 (the 0x02 is already here, and the 8 or 2 are provided with the Twins)


Once done, there will be a 1/32 chance to corrupt Ever Grande Fly Location with a single corruption (soft-resetting after each corruption).

You can then continue the run by saving and trying to corrupt Rare Candy Quantity with consecutive corruptions (and resetting + making another Pomeg Glitch if Ever Grande Fly Location is disabled by misfortune), or putting Marills into Box 2 of the PC, making another Pomeg Glitch, and trying to obtain a Bad Egg with an Instant Victory Move.
You have 1/16 chance to corrupt Rare Candy Quantity (with Rare Candies in PC and Bag), and really higher chances to obtain a Bad Egg with an instant victory move from a Marill, so I don't know which one is in general the fastest. (I would prefer the Marill way)



EDIT :
Also, I remembered that some members made arbitrary code execution with Pomeg Glitch.
Could someone do codes for unlocking Navel Rock, Birth Island, and Faraway Island ?
Because that would be damn cool.

For this 3 flags would need to be set to 1 (1 per Island), and the tickets would be needed (they can be obtained with another Pomeg Glitch, if the necessary code is too long).
Swarms might be customizable too ! (lots of value to set to manage a swarm).

I also would have liked to unlock events like Berry Master or Sales but I don't know how they are managed.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on October 26, 2014, 03:41:42 pm
I found a way to turn ordinary trainers into glitch trainers here (https://www.youtube.com/watch?v=C8Q0qFpwrkg)! Prior to the video, I encountered a glitch Hiker with Decamark with my party. I don't know why this happens, but I like it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on October 26, 2014, 08:46:46 pm
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{

Sounds like someone doesn't know how to use wiki templates. (http://i.imgur.com/F8SQNhk.png)
Congratulations on the super mass corruption discovery (seriously all that garbage text must have overflowed), and also posting in a thread that has been dead for two months (http://i.imgur.com/F8SQNhk.png).
(oh yeah about the (http://i.imgur.com/F8SQNhk.png) use, get used to it, because GCLF is affiliated with the PSR wiki, so we'll be experiencing about 420% more twitch memes and stuff)

On another non (http://i.imgur.com/F8SQNhk.png) related note, GoddessMaria has made an Emerald Glitched TAS: http://tasvideos.org/4465S.html. The notes page explains a lot about the Pomeg Glitch, including this:

Quote from: GoddessMaria
Since PC Pokemon data is stored after nearly every other data, you can corrupt most of the in-game values / identifiers / flags.

That means trainer data is stored somewhere in that area.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on October 27, 2014, 07:13:23 am
Quote from: voltage
I found a way to turn ordinary trainers into glitch trainers here (https://www.youtube.com/watch?v=C8Q0qFpwrkg)! Prior to the video, I encountered a glitch Hiker with Decamark with my party. I don't know why this happens, but I like it.

Great find. I wonder exactly why that happens.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 27, 2014, 11:16:46 am
luckytyphlosion :
Well, I mostly explained the basic action of Pomeg Glitch, and the uses for the run, I didn't go further into the different possible corruptions you can make in Emerald/Fr/Lg. (but thanks for reading my overly long description).
Also, I'm still working on Pomeg Glitch, and writing down every useful application of this Glitch you can do on console, so the topic isn't this dead for now. (but I don't know when my studies will allow me to finish this work)

Torchickens :
There's a RAM area (I don't remember if it's below or higher than flags) that stores some of the NPC data when the game loads a map.
EDIT : After a quick reading of my notes, it's above flags, around 0x02026670
The 3 main things that are stored are :
- The type of Sprite
- The location
- The script address
There are other pieces of data attached to a NPC, but corrupting them with Pomeg Glitch didn't change anything.

With Pomeg Glitch, you can easily corrupt Location (the NPC will be put outside of the map) or Script Address.
But, since the data is refreshed when you change map, you have to use a Fluffy Tail to flee if you want to see the effects of your corruption, because when you black out, you're teleported (so the map is refreshed).
In the beginning of this topic, someone accidentally experienced it by removing Twins and the Day Care man, and this is what made me try to search about this exploit (it took me some time to understand that I needed to use a Fluffy Tail and not run away), so I thank him/her.

The Location corruption is really cool since it allows you to go in Day Care Garden (in Emerald and Fr Lg) by teleporting the Day Care Man, or go back to SS.Anne by teleporting the guy in front of the entrance.
You can also go back into Origin Cave at Sootopolis by teleporting the Old Man in front of the entrance (even if the encounter rate of this area is set to 1, the lowest possible, meaning that Shinyhunting in this zone is too long).
You can also use it to teleport some NPC blocking your way on a new game, in order to make a save where most of the events aren't triggered.
There's no other useful application for this glitch, and this is quite unfortunate.
I searched through Hoenn and Kanto to see if there could be another zone where a NPC disappearance would be useful, but I had no convincing results.

The reasons are the following :
-You can only affect NPCs (cutting trees, breakable blocks are counted as NPCs) and not every script on the map (ex : the Rival fights where he appears from outscreen).
-To teleport a NPC, you need to make a fight on the same map (wild or trainer), and most of the interesting things happen in buildings with no trainer inside.


And for the NPC Script Corruption, there are two different corruptions you can achieve.
ex : 0x081F4B59 becomes 0x481F4B59 or 0x0D81F4B59

Once a NPC has its script corrupted, if you go speak to him (or into its vision radius), you'll have a really long glitched speech, that ends with a battle, or makes the game freeze/reset.
And this will happen even if you had fought the trainer before (since the script address changed, the game won't take the trainer flag into consideration).
The fight/freeze/reset depends on the script address you corrupted first, and the version you're on, but the fights don't seem really interesting (in French Fire Red, I got a trainer with Ekans).

Here are pictures of Script Corruption to illustrate a bit :
(http://www.pixenli.com/images/1414/1414429368074336700.png)
(http://www.pixenli.com/images/1414/1414429398086921100.png)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on October 27, 2014, 03:03:39 pm
Thanks for your detailed explanation. I really appreciate it!

You note that a Fluffy Tail must be used for "location" corruption to avoid refreshing the map. Do you also have to use a Fluffy Tail to keep "sprite" and "script address" corruptions?

Also, are any of those corruptions common?

Edit: I did this glitch. For what it's worth, I stopped scrolling a little after one of the Pokémon on the list was poisoned (I didn't come up with a minimum number of times to scroll up but that could vary).

I'm not sure if the number of times you have to scroll up for the poison status can vary too. I had five Pokémon.

After a few tries, I removed the Day Care man (fun!) and got a Trainer who loaded a red screen after a "!" appeared and they walked up to me.

(http://i.minus.com/jZA3t3tluMMrI.png)

The red screen makes me ask whether arbitrary code execution is possible. But I have no idea where you could repoint the flow of code and the best thing you could probably do is write a short program with box Pokémon nicknames like what TheZZAZZGlitch did.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on October 28, 2014, 04:21:38 am
Major find. Pomeg glitch opens up a glitch effect that will break your save file if you save, and corrupts many things.

You can freeze the game if you turn/take one step close a menu like the Pokédex, corrupt your Pokémon, your name, your items, your Pokédex data, your play time and your gender all with voltage/Metarkrai's trick. I tried taking a step forward after bumping into the NPC and the game also froze, but the freeze was different (the 'registered phone number' sound effect played).

I mutated this non-Trainer on Route 111 and tried to talk to him. At first it wouldn't work, but then he said long glitch text that took ages to close, while he walked around. A Battle Frontier sound effect first played too, and after a while the text changed from qÁF(repeat) to éŒ(repeat). My name became many qÁF, maybe the qÁF overflowed a buffer.

If you save with this effect, then you've probably black screen of deathed (BSOD)'d your game. When I tried to turn the game freezes.

Corrupted stuff

(http://i3.minus.com/i5yTuTnloovwF.png)(http://i3.minus.com/i7yFYqamhHbBw.png)(http://i1.minus.com/iWdWyscdEPWxC.png)(http://i5.minus.com/ie2IR45mAH5EN.png)(http://i5.minus.com/iE4lkWYvz4wCe.png)(http://i3.minus.com/ibzoyghfIFhmQ6.png)(http://i6.minus.com/ibrOjoPwvuRfsC.png)(http://i6.minus.com/ivrQOeQir6WTS.png)(http://i3.minus.com/ibyrE2BfnhtV19.png)(http://i2.minus.com/i8XfyX0Hyc8l.png)(http://i7.minus.com/ibkEnv2sUX9Hdn.png)(http://i3.minus.com/ibzPVqAh2keDOC.png)

Any questions? I still have a save state after the glitch/VBM movie of the glitch.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 28, 2014, 04:41:50 am
Torchickens :
For the amount of Up Pushes, I use the Memory Viewer to see the RAM area I want to corrupt, and hold Up until I see some corruption.

For NPC Corruption, since there's easily 5-10 NPCs on a route, you have great chances to corrupt their position or Script address.
But you can also do it manually to test the effects by hand for each NPC.

I also got this red screen one time on my Fr.

But I'm amazed that you had your RAM overflowed by a value, and could still play. Every time I see the Memory Viewer overflowed by a value (with glitch moves names, glitch types, glitched NPC Script), the game freezes or resets.
I'll test this on vba since it's a very cool effect, and easily reproducible. It's a more visual method to break a save (if someone were to save with all this corruption) than having a wrong Black out warp (sends you out of the map instead of near Pkmn Center) without a Pokemon knowing Fly/Teleport).

I also have a way to make red screens, but inoffensive ones, using a character glitched from "A". (I'll add pictures of this.)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on October 28, 2014, 05:19:17 am
Cool.

Here (https://mega.co.nz/#!8wtnGRLb!FD2tS1SoSBVNZgHybVAPP4M0clx-Z4flK_qhx6ZhyqU) is the VBM movie (it's for VBA-RR v24 svn422 (https://code.google.com/p/vba-rerecording/downloads/detail?name=vba-v24m-svn-r422.7z&can=2&q=)). You'll have to stop it before I turn to view the corrupted Pokémon and items data, etc.

Note that when I resumed the movie and did some slightly different steps (talking to the guy from different positions and at different times) I couldn't get the text box to close when the text stopped scrolling. I don't know why.

Edit: Or maybe I forgot to try pressing A, not sure...

Edit 2: Save state (https://mega.co.nz/#!8wtnGRLb!FD2tS1SoSBVNZgHybVAPP4M0clx-Z4flK_qhx6ZhyqU).

Quote from: Metarkrai
It's a more visual method to break a save (if someone were to save with all this corruption) than having a wrong Black out warp (sends you out of the map instead of near Pkmn Center) without a Pokemon knowing Fly/Teleport).

Yeah, I experienced that too. I didn't see what happens after saving and resetting though.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 28, 2014, 05:48:06 am
If you can't close the text box after the text stops, it's because the game hung.
I tried it, and it happened to me.

The original script address is 0x081F1192, and I changed it to 0x481F1192.
The NPC first gave me 2 trainers for PokeNav (this also happens with NPC corruption, and I didn't remember it), and then RAM was overflown by 0x1C101C10
There were times where the game froze (blackscreen) before showing me any text box, and others where I got the text box without the PokeNav registrations (it seems that the position of the NPC plays a role in this).
I also tried changing to 0x0D1F1192 but the game froze after the first talk.

However, the first time I did this, RAM data was only overflown at the end of the text box, and here it's overflown when it opens. I'll wait and see if this makes a difference.
I'll also look at your savestate and keep a copy of it with my favourites glitched savestates, as it's pretty cool.


Also, here's the picture for the effect of the character 0xFB.
You get it by corrupting character 0xBB (letter 'A') on a Pokemon Nickname.
Only the 4th and 8th character of a Pokemon nickname can be corrupted.
(http://www.pixenli.com/images/1414/1414496366085848600.png)
As you can see, this character is linked to the command requiring you to press A to continue the scripting. Thus, seeing this character makes the game hang for a bit of time, or totally hang for graphical loadings during a fight.
Also, checksum doesn't apply on nicknames, so it's easy to change the characters to see their effects.
It also can be useful for ACE, because you can use more characters to make your command (the best would be using PC Items for creating a command, but I don't know how much control you have about the area whose data will be executed).

A lot of characters are blanks, so some of them must be the remnants of Japanese characters since I didn't see them anywhere in all these glitch texts.
There's also a smiley, but I don't know its value since I see it on descriptions of Glitch Moves :
(http://www.pixenli.com/images/1414/1414497372099528900.png)
The description of some glitch moves is weird: it changes every time you open it (I don't know at all where it could be read).
There are also few Glitch Types that the game can handle, and whose sprite changes from time to time (for some sprites, the game can handle it for a few seconds).

EDIT :
Quote from: Evie ✿
Yeah, I experienced that too. I didn't see what happens after saving and resetting though.

If you save and reset, you're stuck on the tile forever, and you can't do anything.

Also, I launched your savestate, and wow, it's completely strange.
I can't make a step, or use something AND go back to the map, or the game freezes.
Also, the NPC got its original script back, whereas its script address is still corrupted, and no other RAM address has got the value 0x081F1192.
The RAM is overflown with 0x1CAD1CAD when I do something.
Also, like I suspected, only a part of RAM is overflown, inducing the weird party Pokemon and Bag Items, and this overflow  started at 0x02022024 with 0xE55EC002, until 0x02025FC0 where the overflow value became 0x1C101C10 and stopped at 0x020266E0, just on/before Map NPC data.

When you move, RAM is overflown with 0x1CAD1CAD starting from 0x020266CC.
Sometimes, the overflow is made with 0x1C101C10 and a Battle Frontier / PokeNav sound effect is played.
The black screen you have when closing Pokedex/Party/Pokenav,.... is due to the map reloading (due to the partial RAM corruption, the console has to load other things on map, and can't), and doesn't imply the last RAM overflow.
The text box you can see when trying to use an item contains the same characters as during the NPC conversation, so I think that the RAM overflow is just a storage of the conversation you had with the NPC, and the game reused a part of it (for an unknown reason) with other text boxes, as seeing that the length of the glitched text is the same, with the same "scroll down" buttons.

Thus, by having good script addresses, and NPC on right positions, you could manipulate the length of the glitched text to corrupt some data, as I don't think you can really execute script with this method.
However, the first things that would get corrupted would be Party Pokemon, and some data on trainer card, so not really useful things since the value that overflows RAM data doesn't seem to be conveniently manipulable (only a few values).
You also can't corrupt too far, or the situation will be the same as the one you got : some values linked to map are corrupted, and the single step/map reloading you make freezes the game. (and if you corrupt further than that, the game would freeze during the corruption).


EDIT 2 :
I used a code to change maps, and tried out some things with this game, but all my efforts didn't yield any result.
I couldn't open my PC, sell or throw items, nor heal my Pokemon or black out in a fight.
Also, I understood a bit more of what happens after that.
The game becomes unplayable because the player name is overwritten by glitched data, and because the game will try to spell it entirely (he's waiting for a FF sequence to stop the spelling). Thus, text boxes can handle it (PokeNav calls especially), but other features can't, making the game crash.

I put an FF in the trainer ID, and some things went back to normal. I could use the PC, and find some HM Pokemon to visit things, but there still were some issues.


EDIT 3 :
I decided to play a bit with everything, and damn, what crazy glitches I fell on!
Differents effects of Route 110 NPC Corruption on save (http://www.youtube.com/watch?v=EfqVXSob3-4)

There's a bit of everything seen before + new things.
I had to manually change my location because the player was trapped in Route 110, but it should be possible to make other NPC Corruptions that allow you to move after it, and make everything I performed in this video (even if the effects are completely random).
Now, I know where the "spinning blocks" glitch came from : it's a deformation of the Pokemon sprite with what seems to be a 3D-deforming tool.
Some cool audio effects were played, especially the one that reminded me of holy water in Castlevania II.
I was also amazed at the end by the fact that I could perform another Pomeg Glitch on this glitched floor of Battle Pyramid, without having to do a single fight nor looking at a status screen.
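
The unterminated-name problem described in EDIT 2 above, as an added example that is not part of any forum post: a reader that scans for the 0xFF terminator is compared with one bounded by the field width. The 8-byte name field, the trainer ID offset 0x0A, the contiguous A-Z encoding from 0xBB and all sample bytes are assumptions constructed for illustration; the fill pattern is modelled on the 0x1C101C10 overflow value reported above.

```python
# Added example: models the 0xFF-terminated name read described above.
# Layout and sample memory are constructed, not dumped from the game.

TERMINATOR = 0xFF
NAME_FIELD = 8      # assumption: 7 characters plus one terminator byte
TID_OFFSET = 0x0A   # assumption: trainer ID starts 2 bytes after the name
FILL = b"\x10\x1C"  # 0x1C10 halfwords stored little-endian (constructed)


def encode(text):
    """Encode A-Z, assuming a contiguous alphabet starting at 0xBB ('A')."""
    return bytes(0xBB + ord(c) - ord("A") for c in text)


def make_block(name=None, size=64):
    """Constructed memory: the fill pattern everywhere, then an optional
    terminated name written over the start of the name field."""
    block = bytearray(FILL * (size // len(FILL)))
    if name is not None:
        raw = encode(name) + bytes([TERMINATOR])
        block[:len(raw)] = raw
    return block


def read_unbounded(mem, start=0):
    """Scan until 0xFF with no length limit. Returns the number of bytes
    consumed, or None if the scan runs off the end of memory."""
    for i in range(start, len(mem)):
        if mem[i] == TERMINATOR:
            return i - start
    return None


def read_bounded(mem, start=0, limit=NAME_FIELD):
    """Hardened reader: stops at 0xFF or at the field width, whichever
    comes first."""
    field = bytes(mem[start:start + limit])
    end = field.find(bytes([TERMINATOR]))
    return len(field) if end < 0 else end


def demo():
    intact = make_block("RED")
    flooded = make_block()               # name overwritten by the pattern
    patched = make_block()
    patched[TID_OFFSET] = TERMINATOR     # the "FF in the trainer ID" repair
    return {
        "intact": (read_unbounded(intact), read_bounded(intact)),
        "flooded": (read_unbounded(flooded), read_bounded(flooded)),
        "patched": (read_unbounded(patched), read_bounded(patched)),
    }


if __name__ == "__main__":
    for case, (unbounded, bounded) in demo().items():
        print(f"{case:8} unbounded={unbounded} bounded={bounded}")
```

In the flooded case the unbounded scan never finds a terminator inside the block, while the bounded reader stops at the field width regardless of what follows.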
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on October 28, 2014, 04:25:04 pm
I was messing with corruption in Route 111 and I talked to a trainer. Somehow, I accessed the slots from the Game Corner by talking to them.

Edit: The game froze through an interaction with a rock in a recent corruption.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 28, 2014, 05:36:24 pm
I tried script address corruptions on the first Route 111 NPCs, and saw certain things :
-All the relevant data for this corruption is stored near 0x02026670. To find the script address of a certain NPC, I use Advance Map to have the data (+ RAM watch to not lose time on Routes where a lot of NPCs are loaded), which is faster than making a ton of Pomeg Glitches to corrupt the right value.
-Each script address can be corrupted in 3 different ways, inducing 3 different corruptions.
ex : 0x081F1410 -> 0x48... / 0x0D... / 0x4D.... (the last one requires 2 consecutive corruptions)
-The corruption is similar between trainers, and similar between non-trainers (rocks and tall trees are non-trainers).
Talking to trainers without entering their line of sight has the same effect as talking to a non-trainer. (This is useful because you can then speak to them again, and trigger a trainer battle).
-For non-trainers, you need to talk to them several times to start the corruption, and if it didn't freeze/reset the game, you will be able to talk again to the non-trainer with its normal script (even if the script address isn't present anymore on RAM).
It's not the amount of times you talk to them that matters, but the frame where you do it (I triggered some corruptions on the first try).
-Most of the corruptions end with a battle, may it be a real trainer battle, or a completely bugged one (the bugged one can easily freeze) (I even got one with Lv 113 Bad Eggs !)
-The corruption also depends on RNG : the game sometimes hangs on/resets during the corruption whereas you could see all of it before
-The importance of the corruption depends on how far RAM data was overwritten. All the text that is said is the pure copy of the overflow, if there's no "FF" byte in the process that would stop it, meaning that the deeper the corruption, the longer the text.
-The values that overwrite RAM data are often constant (few values only), or can be big blocks of data, inducing weird texts that don't seem periodic at all. Even with constant overwrites, few values are corrupted differently, so if a "FF" appears, it may shorten the text length. (there are often values linked to the little down arrow requiring you to push A)
-Most of the time, map data is overwritten, meaning that any refresh of the actual map induces a freeze. The best way to deal with it seems to trigger a battle, and lose, in order to be teleported to another map.
-With glitched battles, it's extremely hard to lose since you're often in a position where attacking freezes the game, and where your bag is also corrupted.
-If Bag data is corrupted, it's best to not look at TM/HM pocket. Forcing the game to load the Corrupted TM names affects greatly the battle/map data, often resulting in a black screen when you close the Bag. Also, if the same corrupted item occupies all the pouches, you'll have a pretty hard time to empty one slot into the main pouch (for PC slots, it's easier).
-There are corruptions where only a part of RAM data is corrupted. With the first Aroma Lady, and changing 0x081F1410 -> 0x0D81F1410, I was able to corrupt only a part of RAM data between 0x02020000 and 0x02030000 (don't know if it has a use, but it's still a good ending corruption)

-The same corruption can be done in FrLg, and the results might be in a way similar.

-Common effects : Registering Pkmn Trainer in Pokenav, Making a Battle Frontier Sound + Text Box, Red Screen (freeze), Screen fading to white (freeze),Text Box + Trainer fight,..

voltage : do you have pictures / savestate of what happened to you ?
I'm interested by these Game Corner slots (even if they're useless in RSE).


(http://www.pixenli.com/images/1414/1414540505020279700.png)
Lv 226 Bad Eggs !
Unfortunately, the game dislikes it a bit, and froze (one time, it didn't freeze, but I forgot to make a savestate).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on October 28, 2014, 06:52:10 pm
Quote from: Metarkrai
voltage : do you have pictures / savestate of what happened to you ?
I'm interested by these Game Corner slots (even if they're useless in RSE).

I made a video showing what happened. (http://youtu.be/TGX7_nNFsKE)
...and here is a video which shows interaction with a rock noticeably lacking any script. (http://youtu.be/g-Z8GTkQWC0)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: luckytyphlosion on October 28, 2014, 09:56:40 pm
Very odd. Could it be that the script for the rock ends instantly? Have you tried using Rock Smash on the rock? (although it would be hard to find a Pokémon to teach it to with most of the party/box corrupted)

Also, I see you've changed your personal text.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on October 28, 2014, 10:42:44 pm
Quote from: luckytyphlosion
Very odd. Could it be that the script for the rock ends instantly? Have you tried using Rock Smash on the rock? (although it would be hard to find a Pokémon to teach it to with most of the party/box corrupted)

I'll try to replicate it again, but at that time I had no Pokémon knowing it in my party. I also moved all my Pokémon outside of Boxes 1 and 2 to avoid corruption. This also helps me get to the point I tend to scroll up to better.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 29, 2014, 10:25:15 am
A rock is the same thing as a NPC (an element added on map, who has its own script).
What Pomeg Glitch does here is that it corrupts the address where the script of the Rock is stored.
And when we interact with it, the game will try to execute a script starting from another address (I don't know if it really reads what's at the corrupted address, or if it goes reading something else), inducing the glitches we're studying.
For this glitch, the game seems to have 2 different ways of reading the script at the corrupted address (or elsewhere) :
-If the NPC is a trainer, and if we enter into its line of sight
-All the other cases (non-trainers + talking to trainers)

Since the corrupted script address isn't even a ROM address (it starts by 0x48... / 0x0D.... or 0x4D....), I don't know where the game goes to read the NPC corrupted script, and finding this would be a huge help (since we could study the different values the addresses can take, and know the different effects this corruption can bring).

The corrupted script is also RNG-dependent (the effects differ if you talk to the NPC at different times)
For the basic NPCs (non-trainers + talking to trainers), the corrupted script will have no visual effect most of the time.
I don't know if the script is really empty, or if some short commands are executed (I think there are short commands executed), but nothing seems to happen.
Sometimes, there's a Pkmn Trainer PokeNav registration, or a Battle Frontier sound + RAM overflow (and the text box reading the RAM overflow).
Freezes are also frequent.
And that's it for the frequent effects. Rarer effects would be like what voltage experienced (a game corner screen opens), or what Torchickens experiences (a finished RAM overflow that would allow you to continue playing with a part of RAM completely corrupted).

Thus, for breakable rocks, it doesn't matter if you speak to them with Rock Smash or not, since it won't be their usual script that will be loaded, and it's also not the usual script that's instantly ended neither. You just need to speak repeatedly in order to have a corrupted script that does something visually (I'm sure that the times where nothing seems to happen, a short command is executed, like a special or something like that).

And since I don't know where the game goes to read the corrupted script, I don't know if it depends on the initial script address or not.
However, the "viable" strategy for RAM overflow would be to talk to a trainer who has its script address corrupted, get a RAM overflow that doesn't freeze the game, and talk to the trainer again in order to start a battle, and purposely lose to get teleported to another map (the RAM corruption alters too much data linked to the loaded map, so moving the player freezes the game), and enjoy the RAM corruption.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on October 30, 2014, 08:10:17 am
Not even a GBA RAM map helps here, as anything above 0x10000000 is unused. So, effects on real hardware may well be different. By the way, the ROM address space is at three locations: once at 08000000-09FFFFFF, once at 0A000000-0BFFFFFF, once at 0C000000-0DFFFFFF.
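
The address arithmetic behind the last few posts, as an added example that is not part of any forum post: it applies the top-byte changes seen in the thread (0x08 becoming 0x48, 0x0D or 0x4D) to a script pointer and places each result in the address map. The bit masks are inferred from those quoted values, the ROM windows are the three listed in the post above, and the EWRAM range and the 16 MiB ROM size are assumptions of this example.

```python
# Added example: classify corrupted NPC script pointers against the
# address ranges mentioned in the thread. Not code from the game.

# Masks inferred from the quoted values: 0x08 -> 0x48 sets bit 6 (0x40),
# 0x08 -> 0x0D sets bits 0 and 2 (0x05), 0x4D is both applied in turn.
MASK_BIT6 = 0x40
MASK_BITS_0_2 = 0x05

# Assumption: a 16 MiB cartridge image; adjust for another ROM size.
ROM_SIZE = 0x0100_0000

# (start, end inclusive, label). ROM windows as listed in the post above;
# EWRAM is the range the 0x0202xxxx addresses in the thread fall in.
REGIONS = [
    (0x0200_0000, 0x0203_FFFF, "EWRAM"),
    (0x0800_0000, 0x09FF_FFFF, "ROM window 0"),
    (0x0A00_0000, 0x0BFF_FFFF, "ROM window 1"),
    (0x0C00_0000, 0x0DFF_FFFF, "ROM window 2"),
]


def corrupt_top_byte(pointer):
    """Return the three corrupted forms of a 32-bit pointer, keyed by mask."""
    out = {}
    for mask in (MASK_BIT6, MASK_BITS_0_2, MASK_BIT6 | MASK_BITS_0_2):
        out[mask] = (pointer | (mask << 24)) & 0xFFFF_FFFF
    return out


def classify(pointer):
    """Map a pointer to (label, rom_offset, inside_image).

    rom_offset is None outside the ROM windows; inside_image tells whether
    that offset still falls within a ROM image of ROM_SIZE bytes."""
    if pointer >= 0x1000_0000:
        return ("unused (>= 0x10000000)", None, False)
    for start, end, label in REGIONS:
        if start <= pointer <= end:
            if label.startswith("ROM"):
                offset = pointer - start
                return (label, offset, offset < ROM_SIZE)
            return (label, None, False)
    return ("other", None, False)


def report(pointer):
    """Rows of (how, value, label, rom_offset, inside_image)."""
    rows = [("original", pointer) + classify(pointer)]
    for mask, value in corrupt_top_byte(pointer).items():
        rows.append((f"| 0x{mask:02X}", value) + classify(value))
    return rows


if __name__ == "__main__":
    # Script addresses quoted in the thread.
    for original in (0x081F4B59, 0x081F1192, 0x081F1410):
        for how, value, label, offset, inside in report(original):
            off = "-" if offset is None else f"0x{offset:07X}"
            print(f"{how:9} 0x{value:08X}  {label:24} off={off} in_image={inside}")
        print()
```

For 0x081F1192, the 0x0D form lands in the third ROM window at an offset past the end of a 16 MiB image, and the 0x48 and 0x4D forms land above 0x10000000.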
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on October 31, 2014, 12:21:43 pm
Yup, RAM map isn't really useful, the "addresses" are too odd.
I wouldn't have thought that there would be ROM up to 0x0D00 0000 (I was thinking that both 0x48... and 0x0D.... were pointing to ?? things, and that the game was reading something somewhere).

Also, like voltage did, I tried the corruption on my cartridge with some AR codes to fasten things.
And the glitches resulting from talking to a NPC with a corrupted script address are exactly the same on VBA and on console, so every result found in VBA is usable in console (even if the special corruptions seem to depend on when you talk to the NPC).

What I'd like to know now is where the game picks data and uses it as the NPC script.
As we know now, either the values of the address are RNG dependent, and maybe dependent on your save file, as we got slightly different corruptions on different save files (game corner page for example).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on November 01, 2014, 07:37:48 am
Quote from: Metarkrai
Also, here's the picture for the effect of the character 0xFB.
You get it by corrupting character 0xBB (letter 'A') on a Pokemon Nickname.
Only the 4th and 8th character of a Pokemon nickname can be corrupted.
(http://www.pixenli.com/images/1414/1414496366085848600.png)

Metarkrai, how come in your picture the FB character is on the second letter? Did you make a mistake or did you hack it in?

I want to record this glitch. Thanks.

Edit: I got corruptions to E (BF) for the 4th and 8th letters (bit 2 set), so I have a feeling this will work after time.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on November 01, 2014, 09:57:09 am
Quote from: Evie ✿
Metarkrai, how come in your picture the FB character is on the second letter? Did you make a mistake or did you hack it in?

It replaces the 'a' in Castform.

I'm not totally sure why this FB character is notable though. I've gotten it before on Makuhitas and Sneasels and experimented with its effects in XD, FR/LG and R/S (including link battles), but it doesn't seem to do anything interesting besides the 'bloody battle' effect.

From what Metarkrai said, I gather that it could have some use in TheZZAZZGlitch's nickname-based code execution, but I couldn't guess how.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on November 01, 2014, 10:09:41 am
Quote from: VaeporSage
Quote from: Evie ✿
Metarkrai, how come in your picture the FB character is on the second letter? Did you make a mistake or did you hack it in?

It replaces the 'a' in Castform.

I'm not totally sure why this FB character is notable though. I've gotten it before on Makuhitas and Sneasels and experimented with its effects in XD, FR/LG and R/S (including link battles), but it doesn't seem to do anything interesting besides the 'bloody battle' effect.

From what Metarkrai said, I gather that it could have some use in TheZZAZZGlitch's nickname-based code execution, but I couldn't guess how.

I know that, but Metarkrai said you can only corrupt the 4th or 8th letter, so I was wondering how he got it on the second letter (A in Castform).

I have got it to work with Castform named "AAAAAAAAAA" (though changing the Castform's PIDs to hex:45454545 seemed to make corruption more likely), but unfortunately I couldn't get the Pokémon species to change. So I also ask, where did the wild Kabutops come from?

This glitch also works in FireRed. It doesn't work in Ruby, where the game doesn't turn the screen red, and does a line break normally. (I'll upload a video of this once my files are joined)

Vae, if you want to do this on a real cartridge, can you see if it's possible to actually trade the Castform over please? I 'pseudo-traded' them by exporting a PKM file of the Castform with A-Save and then importing it to the other versions.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on November 01, 2014, 10:52:40 am
Quote from: Evie ✿
Vae, if you want to do this on a real cartridge, can you see if it's possible to actually trade the Castform over please? I 'pseudo-traded' them by exporting a PKM file of the Castform with A-Save and then importing it to the other versions.

Yeah, they go over just fine. In XD: Gale of Darkness, the character is erased (i.e. 'Snesel').
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on November 01, 2014, 01:02:58 pm
Quote from: VaeporSage
Quote from: Evie ✿
Vae, if you want to do this on a real cartridge, can you see if it's possible to actually trade the Castform over please? I 'pseudo-traded' them by exporting a PKM file of the Castform with A-Save and then importing it to the other versions.

Yeah, they go over just fine. In XD: Gale of Darkness, the character is erased (i.e. 'Snesel').

Cool, thanks.

Well here's (http://youtu.be/X4KjPs1h3oo) the video. Up next on my channel will be NPC corruption stuff.

According to this (http://bulbapedia.bulbagarden.net/wiki/Character_encoding_in_Generation_III), FA-FF are control characters, so I wonder if there are more control character glitches. I'll test this.

Edit: Only FA and FB cause this glitch. For the others I couldn't immediately spot an effect other than letters being cut off/put on a new line.

Edit 2: I tried something completely different; removing the S.S. Anne guy. So far I haven't had any luck, but one time my name got changed from "RED" to "REDE". (I scrolled up for 30 seconds with online stopwatch (http://www.online-stopwatch.com/download-stopwatch/) with a party of 4)
Edit 3: I made it so I could walk past the S.S. Anne guy and re-board the S.S. Anne. Very satisfying. (Metarkai originally found this.) I will make a short bypass compilation video.
Edit 4: It's here (https://www.youtube.com/watch?v=H_78FGjzaW0).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 01, 2014, 05:50:42 pm
Torchickens :
Yup, I manually edited my Pokemon surname as I was too lazy to make Pomeg Glitch attempts.

The wild Kabutops comes from a Randomized Emerald Rom (my only US Emerald Rom).
But yeah, I should get a clean US Rom, since a part of Pomeg Glitch relies on execution of script in addresses that can potentially be anywhere.
I tend to play on French Roms for Glitch Moves, (I have now an application that helps me point them out)

Also, having a Pokemon with a PID of 0x45.... has increased chances to not get corrupted, since its PID can't be normally corrupted. With a TID of 0x00.... (other possibilities, but this works) you lessen the chances even more (but they aren't null).
But yeah, since here you want a Surname corruption without corrupting anything else on the Pokemon (to avoid obtaining a Bad Egg), this is useful.

I also manually tried other characters with a similar value, but got lots of blank spaces.
Also, by seeing the description of Glitch Moves, there doesn't seem to be other characters with such "importance". The only cool one left (to me) being the smiley.

In order to alter the RAM area related to NPCs, you only have to maintain up for 16 seconds, as it's a bit below Bag Items, and you need 17 seconds of scrolling to corrupt Bag and PC items. It also means that you won't corrupt your Berry and TM/HM pouches while doing this.

You can also remove the little girl on Island 4 to see that the grass behind the house wasn't coded as a walkable area.

EDIT : I also remembered that I already had a video where I made some NPC removal.
I also tried to speak about a method to ShinyHunt legendaries like Celebi, Mew, Jirachi, Deoxys (and other rare Pokemon) with Pomeg Glitch only, but it was too hard for me to concentrate about what I needed to say and my accent, so my pronunciation sucked a lot. (but that's a damn cool shinyhunting method, though)
Here's the video (https://www.youtube.com/watch?v=eDbvXKo9S5w) though.




VaeporSage :
It's not only the 0xFA character, but all the possible characters that could allow the use of different codes with ACE.
But I don't have any knowledge in this, so I don't know what kind of value would be useful, since we can't even obtain every character on 4th and 8th place with Pomeg Glitch.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on November 02, 2014, 07:21:48 am
I see. Thanks for your reply!

I like your video :).

I tend to play on French Roms for Glitch Moves, (I have now an application that helps me pointing them out)

That sounds pretty cool, what does it do?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 02, 2014, 07:54:58 am
It's an application that allows me to sort all 65.535 Moves in Emerald Fr depending on their effect, type, power, accuracy, effect accuracy, priority,...
Thus, I can find Glitch Moves with cool effects and priority, who have names that will interfere with the battle or not, in order to make a little list of interesting Glitch Moves to obtain with Pomeg Glitch.
I'm also using it to test how targets are determined, and also what can Glitch Effects do (normal effects have identifiers from 0x00 to 0xD2, so there are a few Glitch effects).

In my cartridge, for Battle Frontier, I've given myself a 100% Guillotine effect + priority Glitch Move (quick KO on Battle Frontier), a 100% Freeze + low damage + priority Glitch Move (useful to shinyhunting + against Sturdy Pokemon since Freezing is overpowered), a 100% Sleep + priority Glitch Move, and a Battle type changing Glitch Move in order to have free access to Bag Items.
I'm using them to ShinyHunt for a Lv 96 Milotic (and Dusclops), but I'll use them to get all the Gold Symbols.
At first, I wanted to put these moves on a Smeargle, but he's way too frail to tank out a hit or two if I make a mistake, or in Battle Palace.
Thus, I used Double Corruption to have some full 31 IV + high EVs Pokemon (I can choose the identifier), and I found some Glitch Pokemon with incredibly high Base Stats.
Thus, my future team is completely cheap, but it's quite fun to use it.
My most problematic issue was Battle Palace though, and the best solution was to find a high damaging Steel Move (steel is physical on 3rd Gen), and Sketch it with a Glitch Pokemon who has Pure Power and ~240 Base Attack (596 in Attack at Lv 100).
The only Pokemon that I don't OHKO are Steelix, Skarmory, Suicune, and probably other bulky water type Pokemon with 31 IVs and a lot of EVs that resist Steel damage. But I can't OHKO them (only around 90% damage) because Metal Coat didn't boost my damage, and because the Glitch move isn't stabbed.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on November 02, 2014, 07:59:51 am
I'd love to see this program, though I suck at using any kind of tool like that. Still, I was thinking of a way to best experiment with glitch moves, and that would be it. Did you write the program? And are the moves any different in FR/LG?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 02, 2014, 09:57:15 am
Here's a download link (http://www.petit-fichier.fr/2014/11/02/pomeg-attack-finder/)
It's made by Megadrifter, a French guy that was kind enough to answer my request.
It's not finished though : there's no correspondence for effects and targets, and there's no explanation file, nor a list of non glitch moves.
Also, it's only for French Emerald, since Glitch Moves data is read on ROM. So yeah, it's different between versions and languages, but I should ask him to include a version selection option (as there's just ROM data to provide, since the application structure is made).


I've also searched the value managing Battle Frontier pauses, and unfortunately it's not a value that can be corrupted with Pomeg Glitch (with direct corruption).
My idea was to make a Battle Frontier fight, to have a Battle Frontier team saved in RAM, then corrupt the value managing the pauses, and go to another facility (like Battle Factory), in order to start matches again, but with the previously saved team (the Battle Frontier team isn't refreshed to 0 until you reset).
The address for the pause managing value is 020256FC and you need Bit 1 to be set (0x0..02) to be able to restart matches immediately.
I don't know where the Battle Frontier team is stored (if it's upper or below this value), but if it's below, it may be possible to corrupt it without corrupting the Battle Frontier team with NPC corruption.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Crystalame on November 03, 2014, 12:49:29 pm
Hopefully this isn't a stupid question and I really hope it wasn't answered and I just didn't notice, but Metarkrai, your Mew video made me really curious. If I'm remembering right, there's an obedience flag for Mew (and Deoxys?) in FR/LG/E (and maybe R/S). Doesn't that mean a Mew obtained through this method wouldn't obey?

It's an awesome trick, but if it doesn't obey it's a bummer since you wouldn't be able to do much with it. :(

Also, my apologies for not having much else to contribute. I actually haven't dabbled much into messing around with Gen 3, maybe I should try sometime.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 03, 2014, 05:41:57 pm
You're completely right. I was more focused on Jirachi and Celebi, and I already had some protocol made for obedience, so I didn't think about this.
So yeah, a hatched Mew / Deoxys wouldn't have its obedience flag set, since Egg generation doesn't raise it.

This method, since you need Emerald + Fr or Lg to do it, was dealing more with Shinyhunting than a basic Pokemon Corruption, as the setup is tougher to make than the normal one (you can only make a single corruption at a time, have to wait for the full hatching, and have lower chances to achieve the right corruption).
In a ShinyHunting point of view, it's a quite fast egg hunting method (since Battling with an Egg trick is used), and I would be pleased to hunt any legendary, or any rare Pokemon (ones that would need lots of steps, or have harsh reproduction rate), even if for the later ones you just need Battling with an Egg trick to get up with something. So yeah, it would be at least the 2nd gen roamers, Ho-Oh, Lugia, Jirachi, Celebi, the Lati@s you miss (you can get the missed one on Southern Island with Pomeg Glitch too), and Mew+Deoxys (if you transfer them into 4th gen, would they obey ?)

The advantage it has over a basic corruption is that the Egg IVs are completely random, compared to a corruption where the IVs are directly depending on the dummy (you can manipulate them though, and have near perfect IVs with the classic corruption, but it's again a matter of how long you want the setup to be).

You can also pull the same technique on Emerald : corrupting the 2nd parent in Day Care, but since the whole PID is determined when the Day Care man steps forward, the Shinyness is determined once and for all, so you can't ShinyHunt the Pokemon (you still have random IVs though).
Even if there are fewer in-game trades, with some clones, you can have enough data-determined Pokemon to use them as a corruption indicator (and nullify the amount of Bad Eggs you need to delete with reverse cloning trick).
But the setup I have for the basic Corruption is now way more stable than before, so if you want for example all the legendaries, you'll gain a lot of time and execution sweetness by performing it (the initial setup is longer, but you can pull way more manipulations, and increase your chances of making a good corruption).

With basic corruption, you can use some specific dummies with specific training to set the obedience flag, so obedient Mew/Deoxys isn't an issue at all.

Here, you could render a hatched Mew/Deoxys obedient with some specific data substructures order (the comparison between the order before corruption, and after corruption).
I think you'd need at least EVs or Attacks read on Miscellaneous (and maybe another condition).
The way to do it would be to make a double corruption / corruption (with double corruption, I'm sure there would be no problem, but with a basic corruption, there may be one or two) to have a new Pokemon.
This new Pokemon, once corrupted again, would transform into a Mew/Deoxys, and since its Miscellaneous data would be read on EVs / Attacks (the second corruption is the reverse of the first one), you could manipulate them to get an Obedience flag.
Also, the PID and TID after this double double corruption (or double basic corruption) wouldn't change, so Shinyness is retained.
It seems a bit tricky, but stacking corruptions can be done without any major issue (before, you needed to make a ton of clones, and hope that a random one would be corrupted after some time ; it was a bit too messy for me since when you'd try more manipulated corruptions, there would have been a lot of cases where things would mess up).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on November 07, 2014, 11:20:19 am
Trainer script corruption is neat. I was wondering some things:

-As signposts, rocks, and maybe the notices on Pokémon Centres/Marts all count as NPCs, could they ever become trainers and walk up to you somehow? That would be really cool to watch.

-When you corrupt the script of a trainer in an area, how far does this area extend to? Is it the entire map of that area (e.g. all of Route 104)? For example, if you entered Victory Road from the League entrance and corrupted trainers there, could all trainers on that floor be affected, or just the trainers on a certain portion of the floor (within a certain radius, perhaps)?

I also managed to obtain the Eon Ticket, so I read up on this thread's analysis of whether or not Faraway Island/Navel Rock could be accessed. I'm not sure I understand fully: it involves corruption of TMs 18 and 24 to obtain the relevant key items in some way, and then there is an extra flag to be checked? It really would be cool to get to those islands through glitching. ^_^

There wasn't any mention of Birth Island. Is there a possibility of reaching there either? :3
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on November 07, 2014, 03:04:14 pm
-When you corrupt the script of a trainer in an area, how far does this area extend to? Is it the entire map of that area (e.g. all of Route 104)? For example, if you entered Victory Road from the League entrance and corrupted trainers there, could all trainers on that floor be affected, or just the trainers on a certain portion of the floor (within a certain radius, perhaps)?

I don't think you can go out of the route at most (and entering a building/ladder and exit(?)/blacking out also fixes the script).

When I did script corruption in the desert, I could go up a slope and talk to a corrupted karate guy even though he was out of the desert (though he was in the same Hoenn Map square). I saved a state before talking to him.

After I reloaded the state and went up a bit more. I can't remember what I did, but I probably went out of the route. His script returned to normal.

Later I did this in Route 111 (two squares up from Mauville City). I went one square up and there was still an NPC with a corrupted script, so going out of a square doesn't matter, but I'm not sure if the script will come back to normal if you go out of loads of squares without changing the route.

I also managed to obtain the Eon Ticket, so I read up on this thread's analysis of whether or not Faraway Island/Navel Rock could be accessed. I'm not sure I understand fully: it involves corruption of TMs 18 and 24 to obtain the relevant key items in some way, and then there is an extra flag to be checked? It really would be cool to get to those islands through glitching. ^_^

There wasn't any mention of Birth Island. Is there a possibility of reaching there either? :3

Yeah, having the items alone isn't enough.

-As signposts, rocks, and maybe the notices on Pokémon Centres/Marts all count as NPCs, could they ever become trainers and walk up to you somehow? That would be really cool to watch.

I love that idea. I've seen it happen with an item ball in Generation I before when experimenting with text pointer manipulation. (Not really that, I changed another script; which was the level-script pointer according to my notes).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on November 20, 2014, 09:00:59 pm
Major find. Pomeg glitch opens up a glitch effect that will break your save file if you save, and corrupts many things.

You can freeze the game if you turn/take one step close a menu like the Pokédex, corrupt your Pokémon, your name, your items, your Pokédex data, your play time and your gender all with voltage/Metarkrai's trick. I tried taking a step forward after bumping into the NPC and the game also froze, but the freeze was different (the 'registered phone number' sound effect played).

I mutated this non-Trainer on Route 111 and tried to talk to him.

So I was playing with trainer script corruption last night and found a couple of things. I mutated that same non-trainer on Route 111 and a menu with BUY and QUIT displayed. If you select BUY, a bunch of the same items, which appear to be glitch decorations (they get sent to the Player's PC once you purchase them, for one), showed up. The displayed price was around 8000ish Pokedollars but in actuality, buying them made the game display their actual value, which was about double that. Much to my dismay, selecting quit froze the game, and I believe the sound made when the player goes on teleporters plays.

I also managed to experience that mass corruption found by Torchickens, albeit differently. I experienced it in Route 117, by talking to the Day Care Man. After I talked to him, I got a call on my PokéNav full of repeating Œê. After the call finally ended, a text box displayed as if I was in Petalburg City and then the game believed I was in a very glitchy Safari Game. Like the corruption, my name changed, but into repeating Œê. I then retired from the Glitch Safari Game and found myself unsurprisingly, in the Safari Game entrance. After that, the game seemed to be mass corrupted in the same way as Torchickens' corruption. I tried to use the PC, but the game froze. I think I should play around with this on my other Emerald cartridge, after replaying it.

EDIT: I have been wondering if there is any specific reason why Glitch Trainer encounter music is either the Pokémaniac Encounter theme...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on November 21, 2014, 11:00:54 am
So I was playing with trainer script corruption last night and found a couple of things. I mutated that same non-trainer on Route 111 and a menu with BUY and QUIT displayed. If you select BUY, a bunch of the same items, which appear to be glitch decorations (they get sent to the Player's PC once you purchase them, for one), showed up. The displayed price was around 8000ish Pokedollars but in actuality, buying them made the game display their actual value, which was about double that. Much to my dismay, selecting quit froze the game, and I believe the sound made when the player goes on teleporters plays.

Having read this, I tried to replicate it myself on Route 111 half an hour ago and was about to quit, but decided to explore the upper half of the Route just in case I had corrupted any NPCs that way.

Surprise, surprise, I got exactly the same result you did - from the first male Cooltrainer above the smashable rocks. I scrolled down through his inventory, but all of his stock appeared to be the same - a Poké Ball table entitled "û". As you mentioned, its shown cost was 8965 Pokédollars, but actually cost 18443 Pokédollars. The amount of money I had was also corrupted, so I could buy as many as I liked (up until the point at which it said "There is no more space for û."). If I exited the purchase frame and returned, my money was re-corrupted.

However, quitting also gave me a freeze, so any further effects of this particular strain of corruption remain a mystery.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on November 21, 2014, 10:15:43 pm
However, quitting also gave me a freeze, so any further effects of this particular strain of corruption remain a mystery.

I managed to replicate it in Route 117 and found it to not freeze when you quit in this particular route. Oddly, the NPC in this situation is an Item Ball, which would normally be the location of a Great Ball on the side of the route closer to Verdanturf. In fact, leaving and entering the route makes it appear as a Great Ball again. Unfortunately, actually going to your PC fails to show "û". However, the shop once showed items described as a Zigzagoon cushion, but I haven't confirmed if those actually end up in the PC. I think it seems unlikely. I haven't scrolled to the bottom of the shop list yet, but random letters tend to show up in the item names. Also, exiting and entering BUY can corrupt the appearance of MONEY in the top-left corner.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on December 07, 2014, 07:24:32 pm
Here's a minor thing I want to add, as I think someone asked what would happen if an Egg hatched from an Egg with Glitzer Popping.

You should be able to hatch a "-" (hex:019C) with Glitzer Popping, and it will be at level 45, not 5; with glitch moves as usual.

(http://i5.minus.com/ib0uLnSpSsSU4d.png)(http://i1.minus.com/ibfRfzDyPMrR8d.png)

IIRC, I previously bred two corrupted Pokémon together and got "-" from the Egg, but I haven't tried to replicate this.

I'm interested in its glitch ability. Could someone experienced with GBA language and Emerald check what it does, please?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on December 09, 2014, 09:30:23 am
I know some Decamarks have glitch abilities too.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on December 13, 2014, 05:17:10 pm
I forgot to mention this, but in the glitch safari zone corruption I experienced, Brendan's overworld sprite became Red's and not just in-battle like how Torchickens was.

I experienced a corruption similar to the store one I had previously. However talking to the trainer displayed my Pokemon party and canceling out brings up the prompt, "Do you want to cancel participation?". Which sounds like it's either a battle facility or contests.

And the quotes of the glitch double trainers after the battle are "??? ??? ??? ??? ??? ???" and "I AM STRONG AREN'T I". You can't really do anything after a glitch battle with them though, as the game freezes.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on December 19, 2014, 06:54:11 pm
I hatched a "SONG" Decamark (hex:0283) at level 0 using EVs of 2 Attack, 131 HP.

(http://i1.minus.com/ibfrh6IJxbP4KW.png)

SONG was discovered by Lauryn the Arisen (see this post (http://forums.glitchcity.info/index.php/topic,2094.msg61598.html#msg61598)).

(http://i259.photobucket.com/albums/hh317/GlitchHunterMutouYami/SONG.png)

This Decamark needed 1024 experience to level 1. It had four glitch moves, as expected.

I put it in the Day Care and it eventually had an Egg with Ditto, letting me get another SONG Egg and it hatched at level 0 again, but this time with no moves, so you could view its moves without a freeze. I tried Rare Candying it to level 1, but the game locked up after it learned Ice Punch. If I let it learn Ice Punch by Day Care or battle the game wouldn't freeze, however.

I used another Rare Candy and it jumped from level 1 to 100; I have seen something like that before with the "-" glitch Pokémon (http://bulbapedia.bulbagarden.net/wiki/-_(glitch_Pok%C3%A9mon)) (hex:019C). It had a really good Special Attack stat, so I taught it a few TM moves (Shock Wave was helpful for Glacia) and swept the Elite Four with it solo. It looked like Lapras in the Hall of Fame induction sequence.

I'm going to try more Decamarks soon, because I want one with Spoink's corruption effect, even though it might be something unique to more unstable Decamarks.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Comatose on December 25, 2014, 09:39:58 pm
The getting any pokemon isn't working for me anymore for some reason. I tried so many times with new Seasors and all I'm getting is Seasor in regular pokeballs as bad egg. Very rarely I get them in nestballs but when I try to use it in battle to see what's inside, when I press fight the game crashes :s
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: danny on December 27, 2014, 10:36:09 am
Here's a minor thing I want to add, as I think someone asked what would happen if an Egg hatched from an Egg with Glitzer Popping.

You should be able to hatch a "-" (hex:019C) with Glitzer Popping, and it will be at level 45, not 5; with glitch moves as usual.

(http://i5.minus.com/ib0uLnSpSsSU4d.png)(http://i1.minus.com/ibfRfzDyPMrR8d.png)

IIRC, I previously bred two corrupted Pokémon together and got "-" from the Egg, but I haven't tried to replicate this.

I'm interested in its glitch ability. Could someone experienced with GBA language and Emerald check what it does, please?

I don't know what it does, but I have decoded its name into 3:

A8 C6 2E 08 51 F4 04 08
THUMB:
stmia r6!, {r3, r5, r7}
lsr r6, r5, #0x00
bl $02c51030
(Doesn't show for some reason:  lsr, r4, r0, #0x00)
ARM (more likely):
stmeqda lr! {r3,r5,r7,r10,lr,...(cuts off)}
stmeqda r4, {r0,r4,r6,r10,r12-pc}
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on December 27, 2014, 05:29:28 pm
G3EH tells me it has ability 0xFF. In fact, both of them are 0xFF, so it always has that ability.

As for its Tough/Cute typing, if anyone's interested, that's 0x16/0x14.

Dark type is 0x11. So I'm going to guess 0x12-13, and 0x15 are the other contest types. I wonder if there's any Decamark that has those types.

EDIT: Apparently, Emerald 0x19D ("POUND") has the same typing and ability as "-".

0x1A7 ("DERPUNCH") has 0x12/0x26 typing.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on January 04, 2015, 02:00:36 pm
Regarding using the hidden party glitch with Seasor.

I figured out that a successful corruption happens when 7F 00 00 00 is at 0202A8B8 in battle and becomes 7F 00 00 40. As you may know, the locations of memory addresses are randomized when you do things such as open the Pokémon menu and start a battle.

Since RNG abuse in Emerald is viable, I wonder if it's also viable to guarantee that your Seasor gets corrupted into the correct good Egg in some way?

I believe GoddessMaria may know this, because GM is good at manipulating the RNG and did it in her Pokémon Emerald glitched TAS.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on January 05, 2015, 01:59:02 am
I figured out the way to battle the glitch Hiker, named "[emptyspace] yOCZ"!
You have to corrupt Triathlete Maria in Route 117. As far as I know, this trainer lacks a post-game quote as the game froze once I revived my lead pokemon to "win" against the trainer's Decamark.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on January 06, 2015, 02:16:10 am
Regarding using the hidden party glitch with Seasor.

I figured out that a successful corruption happens when 7F 00 00 00 is at 0202A8B8 in battle and becomes 7F 00 00 40. As you may know, the locations of memory addresses are randomized when you do things such as open the Pokémon menu and start a battle.

Since RNG abuse in Emerald is viable, I wonder if it's also viable to guarantee that your Seasor gets corrupted into the correct good Egg in some way?

The value you have is Seasor's PID.
To corrupt a Pokemon into an Egg of another glitch Pokemon, you can only do it with a 0x40 corruption on its PID (or PID + TID for a double corruption, which is good for testing glitch pokemon as you don't need to hatch them).

You can remove the address randomization with an AR Code, but this would block the Ram Corruption into a single pattern, so you can't perform a successful corruption with this, but you can manually corrupt anything you want more easily.

And yeah, I figured out a way to increase the chances to get a successful corruption, and to ensure that any Pokemon can be corrupted (simple or double corruption) without any trouble. The slight requirements you need are to not have certain Catch Balls, because this interferes with the 0x40 PID Corruption, and maybe others, but I don't have them in mind.

The way I did this was to get a Pokemon whose data has specific values to manipulate the position of the 0x40 Corruption that happens just next to him (once the Poke is stored in the PC) so that if it lands on the previous Pokemon's PID (the pokemon we want to corrupt), the 0x05 Corruption lands on the specific Pokemon (we don't care about this one, we can clone him and remove the Bad Eggs).

I had a bit of issues with this, but I finally created such a Pokemon with the in-game Seedot and Horsea, so anyone can make Pokemon corruption in its Emerald version with the least amount of issues (Pokemon that you can't transform into Eggs) and the least amount of preparations (catching a ton of Pokemon, resetting a ton of times).

I planned to dig out these files of their folders next week, as I want to complete the procedure I wrote about this, and test the new interesting things that were tested, so I'll provide more files/codes next week (when I'll finish my exams).


I believe GoddessMaria may know this, because GM is good at manipulating the RNG and did it in her Pokémon Emerald glitched TAS.

For GoddessMaria TAS, I provided her a short lua script that displayed a RAM address to indicate when RAM data positioning would be good to get the Ever Grande Fly Location with a RAM Corruption, as well as one to display the PID of the given Castform, as the leftmost byte of its PID needed specific values to be able to become corrupted along with the Ever Grande Fly Location.
Thus, there wasn't that much time spent into the dummy selection and RAM positioning, once I knew what values would work with her save.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on January 06, 2015, 06:27:40 am
Yeah, I knew that re: it being the personality value (and how you must set bit 6 of the most significant byte).

What I didn't know was that the value had to be specifically there (after memory randomization) at 0202A8B8 (for box 2 slot 23 corruption).

Do you know of any other randomized box personality value memory addresses (after you enter battle) for Dots or Seasor that you can corrupt with? I'd also like to know if you can Seasor or Dots corrupt for one that isn't in box 2 slot 23. You probably can but I've never seen it.

Thanks for your reply.
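
An added model, not part of any post in this thread and not the game's own code, of why setting bit 6 of the PID's most significant byte (the 0x40 corruption discussed above) produces an Egg of another species. It assumes the publicly documented Gen III layout: a 48-byte block of four 12-byte substructures ordered by PID mod 24, XOR-encrypted with PID ^ OT ID and guarded by a 16-bit checksum. The PID 7F 00 00 00 and the 131 HP / 2 Attack EVs are the values quoted in the posts; the OT ID, moves and met data are constructed.

```python
import struct
from itertools import permutations

# Substructure order table indexed by PID % 24:
# G = Growth, A = Attacks, E = EVs/Condition, M = Miscellaneous.
ORDERS = ["".join(p) for p in permutations("GAEM")]  # GAEM, GAME, ... MEAG


def checksum(plain):
    """16-bit sum of the 24 little-endian halfwords of the decrypted block."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def crypt(block, pid, otid):
    """XOR each 32-bit word with PID ^ OTID; encrypts and decrypts alike."""
    key = (pid ^ otid) & 0xFFFFFFFF
    words = struct.unpack("<12I", block)
    return struct.pack("<12I", *(w ^ key for w in words))


def store(pid, otid, subs):
    """Lay out and encrypt the substructures as they sit in a box slot."""
    plain = b"".join(subs[c] for c in ORDERS[pid % 24])
    return checksum(plain), crypt(plain, pid, otid)


def read(pid, otid, stored_sum, enc):
    """Interpret the stored bytes the way the game would for this PID."""
    plain = crypt(enc, pid, otid)
    order = ORDERS[pid % 24]
    sub = {c: plain[12 * i:12 * i + 12] for i, c in enumerate(order)}
    species = struct.unpack_from("<H", sub["G"], 0)[0]
    ivs, ribbons = struct.unpack_from("<II", sub["M"], 4)
    return {"order": order, "species": species,
            "is_egg": bool(ivs >> 30 & 1),     # bit 30 of the IV word
            "obedient": bool(ribbons >> 31),   # top bit of the ribbon word
            "checksum_ok": checksum(plain) == stored_sum}


def sample_subs(ball):
    """Constructed plaintext: a Horsea with 131 HP EVs and 2 Attack EVs."""
    origins = 5 | (3 << 7) | (ball << 11)       # met level, game, ball index
    ivs = sum(15 << (5 * i) for i in range(6))  # six IVs of 15, egg bit clear
    return {
        "G": struct.pack("<HHIBBH", 116, 0, 1000, 0, 70, 0),      # species, item, exp
        "A": struct.pack("<4H4B", 145, 108, 0, 0, 30, 20, 0, 0),  # moves, PP
        "E": struct.pack("<12B", 131, 2, *([0] * 10)),            # HP EV, Attack EV
        "M": struct.pack("<BBHII", 0, 0, origins, ivs, 0),
    }


def glitzer_pop(pid, otid, ball):
    """Return the game's view of one slot before and after PID ^= 0x40000000."""
    stored_sum, enc = store(pid, otid, sample_subs(ball))
    before = read(pid, otid, stored_sum, enc)
    # Only the PID changes; the encrypted bytes and stored checksum do not.
    after = read(pid ^ 0x40000000, otid, stored_sum, enc)
    return before, after


if __name__ == "__main__":
    SEASOR_PID = 0x0000007F  # bytes 7F 00 00 00, as quoted in the thread
    OTID = 0x12345678        # constructed trainer ID
    for ball in (4, 8):      # 4 = Poke Ball, 8 = Nest Ball
        before, after = glitzer_pop(SEASOR_PID, OTID, ball)
        print(f"ball={ball}")
        print("  before:", before)
        print("  after: ", after)
```

In this model the new key flips bit 30 of all twelve words, which cancels out in the 16-bit checksum only when an even number of them already had that bit set; a ball index of 8 or higher sets it in the origins halfword, so the stored checksum stops matching and the game treats the slot as a Bad Egg.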
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on January 06, 2015, 11:26:59 am
The PC Pokemon corruption is periodic. You'll basically have the same corruption every 5 Pokemon, so, with a single Glitzer Popping, you can do 5 different corruptions at once.
You can have a 0x40 / 0x05 Corruption in every possible address, but you can't have all the possible positions of Both 0x40 and 0x05 Corruptions.

If you have 2 Pokemon on consecutive places, the upper Pokemon's data can interfere with the 0x40 Corruption the lower Pokemon's data can suffer.
A chosen 0x40 Corruption can happen in 4 different addresses (like the 4 substructures of a Pokemon's data), so if you want a successful PID corruption, you'll have 4 possible locations of the 0x05 Corruption.
Depending of the values of the Pokemon data on these locations, you'll be able to absorb the 0x05 corruption or not, but from here, I don't remember the exact positions or other things. I'll need to read the procedure I wrote on this.

The specificity of Place 23/24 Box 2 is that there is one less 0x05 Corruption happening, so these Pokes (Box 2 slot 24 especially) can be subject to a 0x40 PID Corruption without a 0x05 Corruption who would screw the corruption up.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Winter on January 26, 2015, 05:10:22 am
Not sure if this is useful in any way but it seemed sort of interesting. Regarding corrupting the map into a wall of trees by scrolling past the 6th slot, I was able to get the same effect while surfing. When I fled from the battle, my entire surroundings were rock, and my sprite was the Wailmer surf sprite with no one on top. I could walk one tile in any direction before it said I was in Mauville city, and kept me from moving anywhere. But the interesting part is that if I turned on walk through wall in the emulator and surfed out of the corrupted map area, the walk through walls effect would remain even if I disabled it, entered a building, or loaded a new save state. The only way to remove it was to reload the rom.

Also on an unrelated note, I've somehow managed to disable wild encounters, by using the glitch. So it seems that it's possible to affect that.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on January 27, 2015, 02:20:50 pm
The walk through walls cheat being active even after disabling or reloading is caused by vba. This code is a ROM patch code, a special type of ARv3 code, and certain versions of VBA (as well as certain Action Replay) can have some issues with them (unable to stack these codes, or let them activated after reloading/deactivating the cheat).

The fastest and safest method to disable them is to disable all cheats (with the option and manually), save, then close and reopen vba, then enable back the cheats you want. It's better to disable all cheats manually, as the basic cheats need the Anti-DMA to be active to work properly.

For the wild encounters, you corrupted the Repel value (to 16.384 or 1280 steps), which takes a few - 15 minutes to shake off. Also, if all your Pokemon team is dead, all wild Pokemon seem to be repelled.

And as for the teleportation, your coordinates got corrupted, and you fled from the battle instead of whiting out. You'll get everytime way out of the map bounds, unable to move.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Kraust on February 15, 2015, 10:43:12 am
I found my GBA Gameshark, and set it up so I can import / export saves with it.

I'm going to try to see if I can bring over a Pomeg Glitch'd Pokemon from Emerald over to my Leaf Green Save and see if I can do anything with it (Highly unlikely I can do anything interesting but I'm bored ya know?). I'll record anything interesting that happens as I have a webcam on my notebook.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 15, 2015, 12:40:48 pm
You can easily trade a 65.535 (or less) HP Pokemon to FrLg or RS, and you can perform Pomeg Glitch on FrLg as all the anti-cheat scripts that allow us to do Data corruption on Emerald are also present in FrLg.

You can basically do the same things as on Emerald, with some differences :
- When you black out, the party is healed at Pokemon Center. Thus, you can't keep a fully KO team like this. If you want to perform consecutive Pomeg Glitches, you'll have to use Fluffy Tails. (isn't really an issue for now)
- You're forced to make a trade to get a 65.535 HP Pokemon (isn't really an issue for now)
- The Corrupted Pointer is teleported on the Place 30 Box 2 (or Place 1 Box 3) Pokemon's data, instead of Box 2 Place 24.
- Glitch Pokemon and Glitch Moves are totally different
- The Pokemon Summary works differently. It seems to load the data of all the different sections at once, so if you have a Glitch Move that freezes the game, it will directly freeze when you open the Pokemon summary.
The summary also allows you under certain conditions to scroll below the 6th Pokemon. The game freezes at some point (after like 10-20 more summaries), which isn't far enough to benefit from the potential corruption.
- The Corrupted NPC scripts have different effects, so one of them could be really interesting.
- ...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on February 15, 2015, 01:11:17 pm
Quote
I'm going to try to see if I can bring over a Pomeg Glitch'd Pokemon from Emerald over to my Leaf Green Save and see if I can do anything with it (Highly unlikely I can do anything interesting but I'm bored ya know?).

Besides corruption, you can also screw around with its status screen.
 https://www.youtube.com/watch?v=zrBND5m-9dQ

If your Pokémon has the move Charm, you can mess with battle sprites:
https://www.youtube.com/watch?v=Ga150ViPeJo
https://www.youtube.com/watch?v=4LK7KcJ7Rsk
https://www.youtube.com/watch?v=K2y2oqzEbaE

And by using Revives or leveling up during battle, you can send out glitch Pokémon:
https://www.youtube.com/watch?v=AT29yzEGpvI
https://www.youtube.com/watch?v=ELWGlBr_3Ps
https://www.youtube.com/watch?v=ZCQX5ntMME8
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on February 15, 2015, 05:06:19 pm
I split the replies regarding this to a new thread (http://forums.glitchcity.info/index.php/topic,7208.0.html) about the Charm glitch and other sprite glitches.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on March 15, 2015, 04:59:29 am
Metarkrai made a great video on how to catch Battle Pyramid Pokémon where you use a 0x96B4 Decamark's corruption by talking to the Slateport reporter, access the hidden party from out of battle to remove the Safari Zone guard, escape from the Safari Zone, and keep its battle mode. The Safari Zone battle mode lets you capture Pokémon in the pyramid, but you have to not use all of your 500 steps and using Fly apparently breaks the glitch so Metarkrai took the ferry there. https://www.youtube.com/watch?v=5aEWXdRNBwE
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: voltage on March 15, 2015, 01:26:23 pm
Quote
IIRC, I previously bred two corrupted Pokémon together and got "-" from the Egg, but I haven't tried to replicate this.

I don't know why I haven't mentioned this yet, but I managed to replicate that and got - incidentally while trying to replicate the specific freeze I experienced during that time. Also, a similar ability to the one - has can be found in Bad Eggs if you fight a Ralts with Trace. (Though it might be the same...)
Title: Re: Gen III: Access beyond the sixth slot sub-glitches.
Post by: voltage on March 19, 2015, 12:51:33 pm
So I decided to mess around with - .

I managed to teach it Double-Edge and Metronome from the move tutors. I wonder what other move tutors will work.  I tried the ones for Dynamic Punch and Sleep Talk, but they failed.
If you go to Trainer Hill with it, the Pokémon of the trainers are at level 0. The recoil from using Double-Edge is always 3, so Level 0 Pokémon must have 9 health points.
If you use it in a contest, the sprite when you showcase your moves is borrowed from Decamark.

----

Edit: I have found a use for Invisible Bad Decamarks. There will be a lot of text after this point.

When one tries to withdraw an Invisible Bad Decamark and Deposit the rest of the Pokémon Party, it would fail and bring up a prompt saying "That's your last POKéMON!". There happens to be a way to bypass this prompt.  By going to the Move Pokémon option in the PC, one can grab the Invisible Bad Decamark and switch it with the remaining Pokémon/only Pokémon alive in the party. You can deposit said Pokémon and the Invisible Bad Decamark shall finally begin its reign as the sole party Pokémon. I will henceforth call this trick a "DecaSwitch", to refer to the Switch of the Invisible Bad Decamark.  DecaSwitching can lead to many of the Pomeg Glitch sub-glitches. These instructions shall resemble their classic Pomeg berry-induced counterparts, but these steps do have an advantage of convenience.

Battling with an Egg/Bad Egg via DecaSwitching
1) DecaSwitch
2) Add an egg/Bad Egg to the party.
3) Enter a battle.
4) After the battle, switch the position of the Egg/Bad Egg and the Invisible Bad Decamark. After each battle, the one that will get sent out will be the one that wasn't switched out in the previous battle unless the switch occurred before the battle.

Hidden Party Glitch via DecaSwitching
1) Enter a battle with a party of A, (1-4 fainted Pokémon) and B. A is the lead Pokémon and B is the Pokémon you shall switch to during the first turn of the battle. Unlike with a Pomeg berry, both Pokémon can be at full health and do not need to be at 65535 health. The 1-4 fainted Pokémon are only necessary to access the hidden party.
2) After the battle, go to any PC in-game.
3) Deposit Pokémon B.
4) DecaSwitch with Pokémon A.
5) Enter a battle.
6) In battle, view the summary of any Pokémon in the party and the hidden party shall be available.

Trainer Tower
I am not 100% sure on this, but going to the Trainer Tower with a Bad Egg should make all the Trainers in the Tower have Level 100 Pokémon. Someone should look into this further.

PokéNav Condition beyond sixth slot glitch?
1) DecaSwitch. Make sure you only have a party of the Invisible Bad Decamark.
2) Go to the PokéNav. Follow the path of Condition --> Party Pokémon.
3) You should see a glitchy mess. For one, the part where a Pokémon's sprite should be is glitched (it might be a bit different looking on a different attempt) and has Pokémon glitched up at the bottom. The sections of the pentagon should all be empty. The star(s) around the glitched Pokémon sprite should have star(s) constantly shifting from yellow to green.
4) Press up/down, in a similar manner to the hidden party glitch.
5) Press B. Below the IG part of POKéMON NAVIGATOR on the PokéNav menu should be a square with glitchy moving text. The PokéNav symbol to the right of POKéMON NAVIGATOR could have multiple copies moving up and down the screen. This could carry over if you press Party Pokémon on the menu again. Alternatively, none of the buttons could be working and you would have to either soft-reset or restart the game.

I am interested in how this would look outside of Emerald.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: VaeporSage on March 20, 2015, 12:08:39 pm
I love it! I'll try out some console link battles when I get home. :)

I'm too crazy tired right this second to think clearly, but I'm certain that there are plenty of neat applications for being able to have no actual Pokémon in your party. Mixing records springs to mind, actually.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on March 25, 2015, 11:26:44 am
Oh, this is really nice.

Thanks Torchickens for posting the Battle Pyramid video, I forgot to do it.

I'm still working on using Glitch Pokemon names to corrupt data, but I'm hitting certain difficulties.
By making the journalist in Slateport read a Glitch Pokemon name, this name is copied into RAM starting at 0x02021CC0.

Trainer Name Corruption :
If you corrupt the Trainer name (0x0202490), you can't use the PC as it can't display the whole trainer name (and the game may freeze when using a Ball in a battle).
If you corrupt the Trainer Sprite (just after the Trainer Name, near 0x0202490, 1 byte), the fights will freeze as you have an "invalid" battle sprite (certain values like FrLg trainer work though).
For the trainer name, I found a Glitch Pokemon whose name has the right length to give a convenient trainer name, as well as fixing the trainer sprite (not always needed).
Glitch Pokemon 0x963D does it very nicely (name length : 11.712) (you need trainer sprite in 0x02024A64 / timer in 0x02024A6C for it to work).
It's not the optimal one, but that's at least a Glitch Pokemon that does it.

Map Corruption :
After a certain point, you'll meet the map location (0x02025A00), and corrupting it either freezes the game when trying to move (you're outside of the map) or blocks you and prevents you from leaving the house (usually, you're placed into 0x0000 0000). The camera also becomes frozen, which delimits more "walls" you can't cross (which is why you're trapped).
By the way, using one of the 7 Secret Base Glitch Decorations (you can only obtain 7 with Pomeg Glitch) can give you this same camera effect, trapping you into the secret base (maybe removing the item with the PC debugs the situation, I don't remember).

Party Corruption :
The first important (from what I know) thing that's corrupted is the party (starting at 0x020244EC).
If you want to corrupt further data, you'll lose your team. And if you were to get a long trainer name too, you'll lose PC Access, meaning that you can't trade your Bad Eggs for normal Pokemon.
I found no way to change a Bad Egg against a normal Pokemon (I didn't try trades as I thought the long trainer name would induce desynchronizations, but I should try it), apart from using Glitch Pokemon that don't give them.
To get an empty slot in party, you need at least 50 consecutive bytes = 12 double-words and 1 word full of zeroes.
50 bytes is the minimal amount, but this also means that it can only appear on really specific addresses, which can easily become impossible due to the Name Length (if you have a glitch Pokemon with a name length of 10.000, the previous one will have a name length of 10.011 bytes, so you have to get the base of the zeroes X*11 bytes away from a specific address if you want an empty slot with another Glitch Pokemon from the same family name).

But that's doable, as Glitch Pokemon 0x96B4 (length 10.403) does it nicely. It removes the 1st party Pokemon, and transforms the 2nd one into a Bad Egg (I didn't find a better Glitch Pokemon).

This is nice for 2 things :
- The ability to withdraw Pokemon from Day-Care, so you can get 0x963D and get a short name back + normal sprite to access PC + battles again.
- The ability to perform data Corruption as Pomeg Glitch does, and anywhere.
As yeah, the Pokemon Selection Pointer glitches out because the 1st party slot is empty when the "Party count" script is launched, making the game think that there are 0 Pokemon in party, leading to a non-intended state.
In a fight, you need to view a Pokemon Summary to update the "party count" with the empty slot in 1st position, whereas outside of battle, you can directly do it.
It's useful because you won't need Pomeg Berries anymore once you have such a Glitch Pokemon, and because you can perform Pomeg Corruption on more various places, to try and corrupt other NPC scripts/positions (like in buildings or things).

A good example of this is the Safari Zone escape, where I use this strategy to perform Pomeg Corruption into Safari Zone to make the entrance guard disappear, and exit Safari Zone without losing my Safari Mode. (useful to catch Battle Pyramid + Pike wild Pokemon)

The Pomeg Berry independence can be interesting as longer corruptions will also corrupt the "item quantity encryption value" (a part of the DMA script to prevent easy cheats for item/data quantities), emptying Berry and TM pouches (Item 0x0000 gets a quantity that isn't null, and is then placed first, hiding every other item in the pouch).


Back at map corruption :
I don't know if there are other NPCs that read the species name of your Pokemon, but if there are (also in RS/FrLg), I'd really like to know where, as I could then test glitch Pokemon on other ROMs, or maybe get out with a map position corruption.

A possible way to get out of this would be to have a Glitch Pokemon name that makes the restarting location at 0x0000 0000 (a town in Petalburg) when you save and reset (works for only 1 reset). I don't know what part of the glitch names does it, as I rarely had it, and wasn't able to isolate the mechanic behind it (I don't know if other map values are possible or not, and why this is done sometimes and not other times).

I also tried to use the Safari Mode to escape from the house after the corruption, but this introduced another issue.
When the player exits Safari Mode, the player name is copied at 0x020283E8.
This is interesting as you can then get some more values for data corruption, but annoying as Day Care Pokemon data starts at 0x02028A2C which is shortly after the previous value.


Battle Pyramid Corruption :
Since I'm a bit of a Shinyhunter, I tried to use these corruptions for my advantage.
I tried to corrupt Battle Pyramid Bag (0x020258C4), but all glitch Pokemon that had a convenient length (to corrupt Battle Pyramid Bag and not map location which is a hundred bytes after) didn't give me an empty party slot + Balls into Pyramid Bag.
With Safari Mode, I can enter Battle Pyramid and use Safari balls on wild Pokemon.
This is really nice as the catch chances are quite good, and Pokeblocks are a bit bugged on US Emerald (if the first Pokeblock you throw, before approaching, makes the Pokemon curious, then its flee rate will go down to 0% instead of the 5% limit).
I made a strategy and chance calculations to see the best % one can get for shinyhunting such Pokemon.
Also, when exiting Safari Mode, the Battle Pyramid "streak" is kept (the byte saying that you are on a streak is still set to 1).

You can also set the streak bit to 1 with a Glitch Pokemon Corruption, and change the streak value too to directly access a high level zone. (use 0x218E to trigger the streak then 0x2804 to change the streak (from Day care), then 0x963D (from Day care) to access PC, then 0x96B4 to exit Safari Zone with Safari Mode)(all of this with certain RAM data positions except for 0x96B4).

You can also do this in Battle Pike, but in Battle Pike you can use a glitch Move to get access to your Bag and directly throw balls to the Pokemon. The 3 first caught Pokemon will disappear when you end the Pike session, but the following caught Pokemon will be sent to PC.
In Battle Pyramid, you're stuck with the Battle Bag, and I don't know what value gives the Battle Bag. Also, even if you have normal Bag access with Safari Mode, you'll get a black screen if you try to use a normal Bag item in Pyramid, as it probably tries to parse and use the item from Battle Bag.
Also, by ending Safari Mode, you'll keep every caught Pokemon, whereas by ending Pyramid streak, the 3 first caught Pokemon will be lost.

Swarm Corruption :
With my RAM addresses file, I saw that I could corrupt swarm Pokemon like that. (0x02028590)
To get a swarm, you mainly need a Road, a Pokemon (not 0x0000 nor a glitch one), and a frequency. Glitch Pokemon freeze the game when encountered.
Thus, I searched what kind of swarm I could get on accessible routes, with all the Glitch Pokemon that have a name long enough, but that don't corrupt Day care Pokemon.
I got 5-7 swarms, but with a full Bad Egg team. This means that if I catch a Pokemon, I'll only be able to take it by transferring it to 4gen / Colosseum (maybe ?). But Shinyhunting can still be done.
There's one glitch Pokemon that works, maybe 2, but I need to redo a search on them tonight to exactly see what Pkmn ID I need, as I work with Glitch Name families (I work on certain really long glitch Pkm names and slightly change the ID to put some values on the places I want).

Some nice graphical glitches :
On the way, some Glitch Pokemon induced pretty cool graphical glitches (mainly in PC), as they interfered with the background.
You can see one there : https://www.youtube.com/watch?v=kOXh7bZRlMo
I don't really know where this comes from, but it's quite nice to see (I made screenshots with multiple graphical glitches).

Also, certain Glitch Pokemon can only be grabbed with the Orange Hand (pressing Select), and might easily freeze the game if you want to move them too much once picked. So try to be really quick when you pick them up in your team to not get an unnecessary freeze.


Anyway, voltage's new finding seems really interesting, as it's another technique that doesn't require Pomeg Berry to trigger the Corrupted Pointer.
It's also quite easy to do/get as you only need a first Pomeg Glitch that puts some 0x4000 / 0x0500 on pure raw data to get a 0x0000 Bad Egg (which can be deleted and taken).
And it's a gain of time as you don't need to get again another 1HP Pokemon that will eat a Pomeg Berry (it will be useful for the Emerald speedrun).

Pokenav Corruption :
Once you have Glitch Pokemon / Bad Eggs in your team, PokeNav can be really glitchy, as it first opens every Pokemon data before checking if they're Bad Eggs or not. Thus, if you were to get Bad Eggs into your team/PC (and didn't open the PC), you'll get big glitched/messy sprites, and a glitchy menu that easily freezes.
But I wasn't able to get anywhere with this, as in general when you try to press Up/Down/A one more time, the game freezes. It's more something you can see before quickly exiting PokeNav than something you can exploit.

Instead, in FrLg, there's a way to make some corruption with party Pokemon, as the summary isn't coded the same way as in RSE (every Move Name + type is already loaded when you open the summary, whereas the game only reads them when you open the Move Page on RSE). I was able sometimes to see summaries of Pokemon below the 6th Pokemon, but the corruption wasn't spreading quickly (as it starts below 6th party Pokemon data), and the game was freezing after 20-30 Decamark/Bad Eggs, which is far from enough to corrupt something interesting.


I'll also try the records mixing, as I'm thinking of a way to catch an Egg, and that might be cool to see.

And for the Lv100 Pokemon in Trainer Tower, this should be related to the Bad Egg level (even if it's a Bad Egg, it still has its own level). So you should check with a Lv0 Bad Egg and see the lv of the opponent Pokemon (take a Lv0 Pokemon and change its checksum to quickly make a Lv0 Bad Egg for example).


EDIT :
The 0x0000 Bad Egg can't be taken for records mixing.
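The overrun described in the post above, as an added example that is not part of the original post or the game's code: it models a name copy that stops only at a 0xFF terminator, maps how far it reaches from 0x02021CC0 into the regions whose addresses the post quotes, and sets it beside a copy bounded to one name entry. The 11-byte entry stride, the 0xFF terminator and the 100-byte party slot (25 double-words) are taken from the thread; the name table, the species index 5 and every function name are constructed for illustration.

```python
from typing import Dict, Optional

TERMINATOR = 0xFF        # string terminator mentioned in the thread
NAME_STRIDE = 11         # bytes per species-name entry (neighbouring lengths differ by 11)
NAME_BUF = 0x02021CC0    # destination of the copy, as quoted in the post
PARTY = 0x020244EC       # start of party data, as quoted in the post
SLOT_SIZE = 100          # one party slot = 25 double-words

# (label, start address, size or None when the thread gives no size)
REGIONS = [(f"party slot {i + 1}", PARTY + i * SLOT_SIZE, SLOT_SIZE) for i in range(6)]
REGIONS += [("Battle Pyramid Bag", 0x020258C4, None),
            ("map location", 0x02025A00, None)]


def copy_name(table: bytes, species: int, limit: Optional[int] = None) -> bytes:
    """Return the bytes a name copy would write for this species index.

    limit=None models the terminator-driven copy: it runs until the next
    0xFF, however far past the entry that is. limit=NAME_STRIDE is the
    bounded form (assumption: one entry is the most a name may occupy).
    """
    start = species * NAME_STRIDE
    end = table.find(bytes([TERMINATOR]), start)
    if end == -1:
        end = len(table)
    if limit is not None:
        end = min(end, start + limit)
    return table[start:end]


def overwritten(length: int) -> Dict[str, int]:
    """Map each region reached by a copy of `length` bytes to bytes written in it."""
    end = NAME_BUF + length          # first address the copy does not touch
    hit = {}
    for label, start, size in REGIONS:
        if end > start:
            written = end - start
            hit[label] = written if size is None else min(written, size)
    return hit


def build_table(glitch_species: int, name_length: int) -> bytes:
    """Constructed stand-in for ROM: 3 valid names, then terminator-free data."""
    valid = (b"SAMPLE" + bytes([TERMINATOR]) * 5) * 3      # 3 entries of 11 bytes
    start = glitch_species * NAME_STRIDE                    # lands past the table
    filler = bytes(i * 7 % 0xFF for i in range(start + name_length - len(valid)))
    return valid + filler + bytes([TERMINATOR])


GLITCH = 5                           # constructed out-of-range index, not a real ID
TABLE = build_table(GLITCH, 10403)   # 10.403 is the length the post gives for 0x96B4

if __name__ == "__main__":
    for species in (0, GLITCH - 1, GLITCH):
        name = copy_name(TABLE, species)
        print(f"species {species}: {len(name)} bytes ->", overwritten(len(name)))
    bounded = copy_name(TABLE, GLITCH, limit=NAME_STRIDE)
    print(f"bounded copy: {len(bounded)} bytes ->", overwritten(len(bounded)))
```

Taking the quoted addresses at face value, a 10.403-byte copy covers all of party slot 1 and the first 19 bytes of slot 2, and stops well short of the Battle Pyramid Bag and map location.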
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on March 27, 2015, 11:39:01 am
I continued working on Glitch Pokemon names, by modifying the .ini of Gen32 Suite to read Glitch Pokemon names from French Emerald (and any other 3rd gen ROM).

I looked back at all the useful values for Emerald in the French ROM to see if there were different swarms I could get, or other interesting working corruptions.

I also noticed something about the Trainer name, and the way it is copied in 0x020283E8.

Glitched Trainer Name :
Stored near 0x020249C0 (don't remember the exact address).
When the game is reset or when the player exits Safari Mode, the player name is copied at 0x020283E8 (modulo RAM addresses positioning).
A Glitched trainer name makes PC freeze as the game can't resize the textbox correctly. Using Balls in battle may freeze too.
If the player name is too long due to Glitch Pokemon, Day Care data (0x02028A2C and 0x02028B10) is corrupted, and I know no way to get a "normal" Pokemon back after overwriting a large part of RAM data with a Glitch Pokemon name.
However, it is possible to make some FF bytes appear after the trainer name (after 0x020249C0) to shorten the length of the overwritten data when resetting/exiting Safari.
I only found 2 ways for now :
Making the in-game time go up to 0x00FF / 0x1FF / 0x2FF hours (if it isn't higher than that).
Opening/closing Bag or Party to change the "DMA encryption value" and wait until a 0xFF byte appears in that double word. (approx 1.55% chance).
I haven't found any other thing to do that would make a 0xFF byte appear close to the trainer name addresses, as this address is quite remote from many things.

But this could work for some very specific and long Glitch Pokemon names (a name to corrupt like event islands/mirage island, so you're forced to use Safari Mode as your map location is corrupted, and you need to get a normal team as well as the ticket back since Bag items will also be corrupted in the way).



Glitch Pokemon names in RS/FrLg :
I tried to see if I could use Glitch Pokemon names in other gen 3 games, and for now that was unsuccessful.
There are 2 possible commands used to take and store a Pokemon species name, and one of them, the bufferfirstpokemon (used for starters or other things) can't bear to read/store a Glitch Pokemon name that is some words longer than the theoretical length.
I don't exactly know why, and if there might be some cases where this is avoidable, but with random Glitch Pokemon, the game crashed every time, on every version (RSEFrLg) with this command.

The other command is a special command.
In Emerald, it is special 0x46, and special 0x43 in RS.
However, in RS, due to a different text displaying, certain Glitch Pokemon names can freeze the game (maybe they were way too long, I'm unsure as I tried with random Glitch Pokes).
Also, in RS, party Pokemon are stored in 0x30...., so you won't corrupt the party with this corruption, whereas most of the other values are at the same addresses (nearly) as in Emerald. Thus, the things Glitch Pokemon names can corrupt are really scarce.
The first "important" value that is corrupted is the trainer name, and this is quite annoying as in RS, the game will freeze when opening the Start Menu if the trainer name is too long.
The game still freezes when opening the PC, so there is no way to get back a Day Care Pokemon and it does so every time the player name is displayed (or so it was with the Glitch Pokemon I used).
Thus, I can't get back another Glitch Pokemon from Day Care and place it in 1st place in your party.

As for FrLg, I'm searching for NPC / scripts that would store the Party Pokemon species name without using the bufferfirstpokemon command.
As for now, I only found a woman in 2 Island that uses this buffer command, and I have no idea of NPC / scripts that could possibly not use this command.
I tried to search the special command for Pokemon species name, but the index of the special command is different from Emerald (0x46) and RS (0x43) (I think so by seeing it used for Casino gambling machines), so I have no way for now to search into ROM and see how many times this command is used.

I think I'll test trades with Glitch Pokemon and glitch trainer names after that to see if there's something interesting or not happening.


EDIT :
I was able to clone Pokemon with Glitch Pokemon 0x2600

https://www.youtube.com/watch?v=I8Mio5cA9fs
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on April 28, 2015, 10:19:57 am
Quote
And yeah, I figured out a way to increase the chances to get a successful corruption, and to ensure that any Pokemon can be corrupted (simple or double corruption) without any trouble. The slight requirements you need are to not have certain Catch Balls, because this interferes with the 0x40 PID Corruption, and maybe others, but I don't have them in mind.

The way I did this was to get a Pokemon whose data has specific values to manipulate the position of the 0x40 Corruption that happens just next to him (once the Poke is stored in the PC) so that if it lands on the previous Pokemon's PID (the pokemon we want to corrupt), the 0x05 Corruption lands on the specific Pokemon (we don't care about this one, we can clone him and remove the Bad Eggs).

I had a bit of issues with this, but I finally created such a Pokemon with the in-game Seedot and Horsea, so anyone can make Pokemon corruption in its Emerald version with the least amount of issues (Pokemon that you can't transform into Eggs) and the least amount of preparations (catching a ton of Pokemon, resetting a ton of times).

I planned to dig these files out of their folders next week, as I want to complete the procedure I wrote about this, and test the new interesting things that were tested, so I'll provide more files/codes next week (when I'll finish my exams).

Hello Metarkrai.

Are you able to share more details about the method for increasing the chance of a Horsea>EVs Egg corruption you describe above? Which Poké Balls are bad, what else do you need?

Thanks :)

Also, I have another question:

This guy asked:

Quote
How uncommon are normal eggs? I must have tried this close to 80 times and still haven't got one.

What are the odds? I know that it is certainly less likely than 1 in 8 because I seem to remember the possibility of a Pokémon becoming a Bad Egg even if it gets the 0x40 on its first personality byte (due to you corrupting other areas of its data I guess).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 02, 2015, 04:03:09 pm
Pomeg Glitch Corruption :

Pomeg Glitch RAM Corruption is about the Party Pokemon Selection Pointer that selects blocks of RAM data that isn't Party Pokemon data, and corrupts them because the checksum performed on this data gives an incorrect result.
A Party Pokemon data is a block of 25 double-words.
The locations of the double-words the Selection Pointer will read with Pomeg Glitch are fixed.
In these blocks, you have 7 important areas for Pomeg Glitch.

- The first ones are for the Pokemon PID and TID.
These values determine the encryption of the 4 Pokemon substructures (crypted data = raw data xor PID xor TID, in double-words).
The PID also determines the order of these 4 sub structures (3 double-words each).

- You have then a byte that seems to be only used for the Legit/Bad Egg state, between the Pokemon name and Trainer name.
This byte is usually at 0x02, and is turned into 0x07 if the Pokemon is a Bad Egg (to prevent the Egg from hatching, and giving it the name "Bad Egg"). This is performed by setting bits 0 and 2 of the byte to 1 (0x05).
This induces what I usually call the 0x05 corruption, as in general you can see the 0x05 value appearing, even if a value can only gain 0x04 or 0x01 or nothing due to this corruption.
With Pokemon Corruption, this corruption has no use at all. Even worse than that, the 0x05 corruption is the main thing that can prevent a Pokemon corruption from working.

- And you have 4 bytes that represent the 4 possible locations of the Pokemon Egg state (hatched/ non-hatched) in the Growth substructure.
The bit managing the Egg State is bit 6 (0x40) of that byte.
Since this byte is in the data substructure, the location of the corruption will depend on the PID value modulo 24.
And the effect of that corruption (forcing the bit to 1 or 0) will depend on the PID xor TID result, (the value of bit 6 of their leftmost byte, to be accurate) since this corruption is applied to the "crypted" substructure data.
If PID and TID both have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 1 (sets 0x40).
If PID and TID don't have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 0 (unsets 0x40).

I generally call this corruption the 0x40 corruption to mention it faster.
The 0x40 corruption has 4 different locations related to the 0x05 corruption (which is always on the same byte on a given 25 double-words block), and can do 2 different things, all depending on the PID and TID values (or what the game wants to interpret as so).


Screenshot :
(http://i.imgur.com/fzKw2Zk.png)
Here's the location of the 7 interesting zones in a Party Pokemon data.
I bordered the 25 double-words blocks to distinguish them a bit better.
In blue (11111 and 2222), you have the PID and the TID (in that order).
In green, just below the PID, you have the 0x05 Corruption location.
In yellow, you have the 0x40 Corruption locations. They are all separated by 2 double-words.



Pokemon Corruption :
In Pokemon Corruption, the goal is to abuse the anti-cheating measure that moves the addresses of many RAM values in order to have a PC Pokemon PID that is affected by a 0x40 Corruption.
We want the PID to be corrupted because this affects the Pokemon substructures order, and allows us to manipulate values like species, item, xp, origins, IV, by knowing how its substructures order will be changed (ex : Attacks will be read on EVs).
But to make this work, the Pokemon checksum can't change, or it will turn into a Bad Egg.


Bypassing the Checksum :
The checksum decrypts all the substructures data, cuts the double-words in words and adds them. It then stores the 4 first characters of the sum (they could have stored the whole sum, but thankfully for us, they didn't).

Since we're changing a value on the PID, the difference between corrupted PID and normal PID will be present 4*3 = 12 times (4 substructures containing 3 double-words), in the "general case".
Since checksum adds words, 0x05 and 0x40 Corruption will give differences of 0x0500 (or 0x0400,0x0100) and 0x4000 (or 0x0000 if nothing happens).
You can see that 0x4000 is the only value that won't change the checksum result since 0xC * 0x4000 = 0x3 0000.
For the 0x05 Corruption, the checksum will be screwed, and this will always result in a Bad Egg, which is why I said it wasn't useable for Pokemon Corruption.

If the PC Pokemon PID is corrupted and its checksum stays valid, the Pokemon Corruption will be working.
Since this works with the 0x40 Corruption, the Egg State value of the Pokemon is switched, and so does its hatched/non-hatched state.
Since its PID was corrupted, the order of its substructures is changed, leading to interesting results.


Double Corruption :
But you can also do the same thing with the Pokemon TID, which will have the same checksum issue as PID (since they are both involved in checksum), and which will bring the same effects minus the substructures order.
It may not seem useful to corrupt TID, but it is.
Because if you do a single PID corruption, you'll get an Egg of your desired Pokemon.
Hatching the Egg will remove its EVs, Item, Ribbons, Contest Stats, and set its Lv to 5.
Also, because of the 0x40 Corruption only being performed once, there are some 0x40 "values" that still affect the Pokemon data (like a move being move 0x4000 instead of 0x0000, or item 0x4001 instead of 0x0001 if you wanted your Egg to hold a Master Ball).
The hatching is also risky for Glitch Pokemon, as their hatching sequence can freeze (I don't know if it's related to the Glitch Pokemon sprite, the Glitch Pokemon name, a part of RNG, or all of that).


If you corrupt the Pokemon PID and then its TID, you'll have the substructures order shift, on a Pokemon that isn't in an Egg (so no hatching animation + Exp/Item/EVs/Contest Stats / Ribbons/Met Location/Met Lv/Met Version/Met Trainer kept), and you don't have the "0x4000 0000 leftovers" on the substructure data from the 0x40 Corruption anymore, since both PID and TID had their bit 6 of leftmost byte value switched.
Thus, you end up with the exact Pokemon you wanted, without any issue even if you were to want a Glitch Pokemon/Move.

This is Double Corruption, since you corrupt both PID and TID. It was brought up by someone on that topic (I don't remember who, nor the page) to whom I give my thanks, as this method is really useful.


Bypassing checksum (more detail) :
 But, there are other tiny things to deal with if you want to be sure to exactly have what you wanted.
For checksum, I mentioned a "general case" where everything goes right, but 2 things can screw up the checksum on a 0x40 Corruption.

 The first thing is to really have 0x4000 added or subtracted 12 times (or a number of times that is a multiple of 4).
For example, if your Pokemon was caught in a Nest/Repeat/Timer/Luxury/Premier Ball, one of its non-encrypted substructure double-words will have its bit 6 of leftmost byte set to 1 (0x4000 0000 will be there).
The other bit 6 of leftmost bytes for double-words of substructures concern : Item (0x4000), Moves (0x4000), Speed EVs (0x40), Beauty (0x40), Feel (0x40), Move 4 PPs (0x40), Egg State, a Special Ribbon, Exp (0x4000 0000).

So unless your Pokemon has a good amount of Speed EVs or Contest Stats, or a Move 4 with 64 PPs, only 1 double-word of its substructure will have its bit 6 of leftmost byte set to 1.
This means that the checksum calculation after its PID corruption will differ by 11 - 1 = 10 times 0x4000 = 0x2 8000, since for 11 double-words, 0x4000 will be added, whereas it will be subtracted for the double-word containing Origins info.
And you see that the checksum difference isn't a multiple of 0x1 0000, so the checksum will be invalid, and the corruption won't work.
Thus, for Pokemon Corruption, I ask people not to have caught their Pokemon with a Nest/Repeat/Timer/Luxury/Premier Ball, nor have a Move 4 with 64 PPs, nor have between 0x40-0x7F or 0xC0-0xFF (64-127 or 192-255) in Speed EVs, Beauty, Feel.

Since some people were catching their Pokemon with a Repeat Ball (or another forbidden Ball), and since they were only giving them HP and Atk EVs for Species Corruption, they weren't able to have a working corruption.

If you want a really specific corruption (in certain cases), you can set bit 6 of leftmost byte of 2 double-words to 1 in order to have a checksum difference that won't be seen, since you'll have 8 times 0x4000, (8 is a multiple of 4, and 4*0x4000 = 0x1 0000), but don't do that for basic corruptions, that would only make the preparations more complex for nothing.


Corruption Initiator :
  The second thing is the 0x05 Corruption from the 25 double-word block below.
Since everything happens in 25-double words blocks, each 0x40 Corruption is between 0x05 corruptions.
Here, we're seeing the 0x05 corruptions relatively to the 0x40 one, since we want to have the 0x40 Corruption on the PC Pokemon PID.
Again, we have 4 different locations for that 0x05 corruption (when 0x40 is on PC Poke PID) :
 - On 1st double-word of 2nd substructure
 - On 1st double-word of 3rd substructure
 - On 1st double-word of 4th substructure
 - On PID of the PC Pokemon below
3 of them are a potential threat (1/4 chance that the double-word won't be affected by the 0x05 Corruption), and 1 is completely safe.

Thus, we're totally going for that 4th location of 0x05 Corruption (when 0x40 is on PC Poke PID).
The case where the 0x40 Corruption can be on the PC Pokemon PID, and where the 0x05 Corruption will affect the PC Pokemon below is when the values that the Selection Pointer use as "PID" and "TID" are double-words 1 and 2 of substructure n°2 of the Pokemon above the PC Pokemon we want to corrupt.
That's because the 0x05 Corruption is fixed, as well as the "PID" and "TID", and that it's the 0x40 that has 4 different locations.

Thus, we will need the values of the 2 mentioned double-words to have specific values in order to give a good 0x40 Corruption location, as well as a 0x40 set or unset (Since we're doing 0x40 on a Pokemon PID, only the set or the unset corruption will do something, so this has to be manipulated too to fit for every Pokemon).

And, since Double Corruption is also a thing, we can do the same thing for the PC Pokemon TID.
The double-words that need specific values for a PC Pokemon TID 0x40 Corruption are double-words 2 and 3 of substructure n°2 of the Pokemon above.
By gathering both cases, we need to have a Pokemon with a specific substructure n°2.

These values are made on a Pokemon I call "corruption Initiator", as its purpose is only to be put before the Pokemon you want to corrupt in order to ensure that a good corruption can happen on that Pokemon.

With the values wanted there, I even call the Pokemon a "perfect initiator", as it ensures you that you can corrupt any Pokemon you want (modulo tiny things to avoid).
Since we will need the 0x40 set and unset corruptions for both PID and TID, we'll need 2 Corruption Initiators, so we'll be sure that any Pokemon will be corrupted with one of them. (One Initiator will do the 0x40 set on PID and TID, and the other the 0x40 unset on PID and TID).

For the 0x40 set Corruption, the substructure n°2 of the initiator must verify :
- double-words 1,2 and 3 have their bit 6 of leftmost byte equal (0,0,0 or 1,1,1 pattern).
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).

For the 0x40 unset Corruption, the substructure n°2 of the initiator must verify :
- double-words 1,2 and 3 have their bit 6 of their leftmost byte forming a 1,0,1 or 0,1,0 pattern.
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).


Why using an Initiator works :
This is a tiny EDIT, but I forgot to develop about that.
The anti-cheating measure that moves the RAM addresses of most values each time you open your bag, make a fight, change locations,... can move a designed value on 32 addresses (they are adjacent).

Thus, if you put in Box 1 your Corruption Initiator followed by a Pokemon to corrupt, you only have to try using Pomeg Glitch until the data of substructure n°2 of the Corruption Initiator ends up on the address of a "PID" and "TID" for the Party Pokemon Selection Pointer (these addresses are fixed).
When this happens, the 0x40 corruption will be forced to happen on the PID of the PC Pokemon to corrupt (with the right set/unset type), and the 0x05 Corruption below will fall right below the PC Pokemon to corrupt data.
Since the Party Pokemon data is a block of 25 double-words, there's always a certain movement of the anti-cheating measure that will put up the substructure n°2 data on one of these "PID" and "TID" addresses (as the substructure n°2 data can be placed on 32 different consecutive locations).


Potential Initiators :
The only Pokemon who have substructures values that we know are Empty Slot and in-game trades Pokemon.

Empty Slot will only give a 0x40 set Corruption, and when 0x40 is on a PC Pokemon PID, the 0x05 Corruption is on its 1st double-word of 2nd substructure.
Thus, leaving an empty slot before the PC Pokemon won't work well at all (half of your Pokemon won't have their PID corrupted, and 1/4 of them will suffer from the 0x05 Corruption, so only 1/8 of your PC Pokemon "could" work).

You have 4 in-game trades Pokemon in Emerald :
Seedot : substructure order : EGAM -> GMAE (the second substructure order is the one after a 0x40 PID Corruption)
Plusle : substructure order : EAMG -> AGME
Horsea : substructure order : AGME -> MEAG
Meowth : substructure order : MGEA -> AMEG

 - Growth can be manipulated for congruence modulo 24, but since it contains Experience, it would be hard to have a general procedure to do that on console (since the Lv of these Pokemon can be drastically different).
The 0x40 unset Corruption couldn't be done. (there's one of the 3 leftmost bytes you can't manipulate, and you can't have 0x4XXX XXXX Exp)
 - Attacks can be manipulated for congruence modulo 24, but the 0x40 unset Corruption couldn't be done. (you'd need a 0x4XXX Glitch Move).
 - Growth can't be manipulated for congruence modulo 24 nor 0x40 unset Corruption.
 - EVs and Contest stats can be manipulated for both congruence modulo 24 and 0x40 set/unset corruptions.

But as you can see, none of the traded Pokemon have EVs as their substructure n°2.
However, a 0x40 corrupted Horsea has EVs as substructure n°2.

To perform a 0x40 Corruption on Horsea, I use the Seedot as a Corruption initiator.
Seedot won't be a perfect initiator, but with slight changes on him and Horsea, he'll work perfectly.
Here's the setup :


Caterpie the Perfect Initiator :
Items :
Pokeblocks with 6 Chesto Berries at Lilycove with the old man. They must be Lv 12 Blue Pokeblocks, with 22-23 in Feel.
26 Hondew, and 26 Grepa Berries.
At least 13 Pomeg Berries.
Other Pomeg, Kelpsy,Qualot, Hondew, Grepa, Tamato Berries
5 Carbos, 5 Calcium, at least 2 HP Up.
TM Protect (sold at Lilycove).
Fluffy Tails.

- Get the in-game traded Seedot.
- Get the in-game traded Horsea. He must have less than 65.536 Exp points. (Lv 40 or lower)
Horsea and Seedot (and any other Pokemon you'll train for double corruption) must not catch Pokerus during their training.
- If Seedot and Horsea already fought a bit and gained some EVs, use the Pomeg, Kelpsy, Hondew, Grepa, Tamato Berries to put them back at 0 EVs.
- Clone them both to have a safe copy.
- Give 1 Carbos and 3 Calcium to Seedot. (Now Seedot is ready)
- Give 1 HP Up to Horsea. (He'll transform into a Caterpie)
- Give 1 Carbos to Horsea, and make him fight 3 Zigzagoon (For 13 Speed EVs that will absorb the 0x05 Corruption)
- Change Horsea Moves to Waterfall, Protect, Surf, --(Fr)/Return(US). (Having a specific 4th Move is really important)
- Save and clone them 6 times. (1 copy in a safe box and 5 copies for the next steps).
- Place the 5 Seedots and Horsea in Box1 or 2 with a Seedot-Horsea-Seedot-Horsea-...-Horsea pattern (a block of 10 Pokemon + Seedot before Horsea as Seedot is the initiator for Horsea's corruption).

- Save, and perform Pomeg Glitch (this is why Fluffy Tails is mentioned) to corrupt the Horsea. (you have 6-7/32 chances to corrupt Horsea's TID).
- Once one of the Horsea became an Egg,  check its summary.
If the Egg doesn't have Pokerus and isn't about to hatch, keep the Egg and save. (its TID was corrupted)
If the Egg has Pokerus, reset and redo the corruption. (PID was corrupted)
(the TID corruption being first is really important because it won't screw up the 4th Move PPs and allow you to make a fast second corruption)
- Save, clone Seedot and Horsea's Egg 5 more times, and display them in the same pattern as earlier.

- Save, and perform Pomeg Glitch again to corrupt a Horsea's Egg. (here it's 6-7/32 chance to get it, as you really can't move that Egg).
- Once an Egg became a Caterpie, save.
- Give him Pomeg, Hondew, and Grepa Berries to put its EVs back at 0. (they come from Horsea species + Exp since EVs are read on Growth)
- Give him 2 Carbos and 2 Calcium, and save. (Here it is, the first perfect initiator)
- Clone the Caterpie 2-3 times. (at least one copy in a safe box)
- Give the 6 Blue Pokeblocks to another clone (72=0x48 Beauty, 138=0x8A Feel), and give that clone a Heart marking. (here comes the second perfect initiator, the heart marking allowing you to distinguish both of them easily).
- Save, and clone these 2 Caterpies (marked and unmarked) a dozen of times.


Using Caterpies :
- Now, every time you want to perform a Pokemon Corruption, once you've prepared your Pokemon, clone it 10 times.
Place 5 clones with a Caterpie before each (Caterpie-clone-....-clone chain), and place the 5 remaining clones with a Marked Caterpie before each (M Caterpie-clone-...-clone chain). (if you knew beforehand what type of Caterpie would work with this Pokemon, you can only place this very type)
- Then, save and perform Pomeg Glitch to corrupt PC Pokemon, and if your Pokemon doesn't have the slight issues mentioned earlier (Balls, Beauty, Feel, Move 4 PPs,Item, Move2,....), you'll be sure to have 6 or 7/32 chances to corrupt the PID of one of your clones (and same chances for its TID).
- And if you want to go for a Double Corruption (because it's a very strong and useful corruption), you'll need to know beforehand if your TID can be corrupted with a 0x40 set or unset Corruption, as well as if your Pokemon's PID, because once a clone will turn into an Egg, you'll need to know what type of Caterpie you need to place before the Egg to perform the second corruption. (Remember to never take the Egg with the hand, or reset if you do so)
You can also try both of them, but since the second corruption only has a 1/32 working chance, this could be longer.

- If you test your Pokemon beforehand to know what type of Caterpie corrupts him well, you can give a mark to that Pokemon to easily remember that (and also mark the Pokemon to distinguish its Corruption type).


Caterpie data screenshot :
(http://i.imgur.com/UqmUfje.png)
 The orange upper part is Caterpie's data. I cut it to directly start at its substructure n°2 data.
Below Caterpie, you have the traded Horsea, who had its PID corrupted (0x4000 007F instead of 0x0000 007F), and who became an Egg. The part I circled is Horsea's data as a PC Pokemon (20 double-words only).
 In green, you have the 3 double-words of substructure n°2.
The 2 first double-words are equal to 18 and 22 mod 24, and the Bit 6 of the leftmost byte of the 3 double-words has a 0,0,0 pattern (none of them have that bit set to 1), so we'll have a 0x40 set corruption that will perfectly work.
 And in Blue, you have the locations of the 0x05 and 0x40 Corruptions.
When one 0x40 fell on Horsea's PID, you have the 0x05 above on Caterpie's data, and the 0x05 below right below Horsea's data, showing that Horsea was corrupted well.



Caterpie file :
If you're on VBA, here's a .dmp file of Seedot + Horsea untouched + both Caterpies + 0x288A Glitch Pokemon to make easy clones : http://www.petit-fichier.fr/2015/05/02/horseaseedotcartepies0x288a/
I made a video on fast cloning before : http://www.youtube.com/watch?v=I8Mio5cA9fs
(RAM addresses for PC Pokemon are below 0x0202987C on Fr/US Emerald)

The Marked Caterpie doesn't have the same Feel as the one described there, as the one I did is older, and I had a flaw for the Feel value, so I had to give him a Yellow Pokeblock to increase it over 0x7F.

Pomeg Glitch Lua Script :
 - Since I'm there, here's also the link of the .lua script I'm using to have useful information on PC/Party/Wild Pokemon on Emerald :
http://www.petit-fichier.fr/2015/05/02/emer-pomeg-glitch/
It's untranslated, but there's only a little bit of text (apart from the Pokemon moves and natures), and I think it's easy to understand who does what.
This script gives EVs, Contest stats, Moves, PPs, PID, TID, IVs, Nature, HP, Item, Pokerus, Shininess, PID mod 24, obedience (if Mew or Deoxys), and substructure order (now and after a 0x40 Corruption) of a Pokemon by holding it in the PC or seeing its summary.
When you have a glitch Pokemon, Bad Egg, or Glitch Moves, it's always nice to have a quick look at the data without freezing the game.
(for the substructure order, E=EVs, A=Attack, C=Croissance=Growth, D=Divers=Miscellaneous)
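
The checksum and substructure-order reasoning from the post above, as an added Python model that is not part of the original post or of the linked Lua script. The sample double-words and the TID are constructed; the PID is the traded Horsea's 0x0000 007F quoted in the post, and the PID mod 24 order table is the usual Gen III one (it reproduces the four trade orders listed above).

```python
# Substructure order selected by PID mod 24
# (G = Growth, A = Attacks, E = EVs/Contest, M = Miscellaneous).
ORDERS = [
    "GAEM", "GAME", "GEAM", "GEMA", "GMAE", "GMEA",
    "AGEM", "AGME", "AEGM", "AEMG", "AMGE", "AMEG",
    "EGAM", "EGMA", "EAGM", "EAMG", "EMGA", "EMAG",
    "MGAE", "MGEA", "MAGE", "MAEG", "MEGA", "MEAG",
]
BIT6 = 0x40000000  # bit 6 of the leftmost byte of a double-word


def order(pid):
    return ORDERS[pid % 24]


def checksum(dwords):
    """Add both 16-bit halves of every decrypted double-word, keep 16 bits."""
    return sum((d & 0xFFFF) + (d >> 16) for d in dwords) & 0xFFFF


def crypt(dwords, pid, tid):
    """XOR with PID ^ TID; the same call encrypts and decrypts."""
    key = pid ^ tid
    return [d ^ key for d in dwords]


def make_mon(pid, tid, plain):
    """Store the data encrypted, next to the 16-bit checksum of the plaintext."""
    assert len(plain) == 12  # 4 substructures of 3 double-words
    return {"pid": pid, "tid": tid,
            "checksum": checksum(plain), "data": crypt(plain, pid, tid)}


def decrypted(mon):
    return crypt(mon["data"], mon["pid"], mon["tid"])


def is_valid(mon):
    """False is the Bad Egg case: the recomputed sum no longer matches."""
    return checksum(decrypted(mon)) == mon["checksum"]


def corrupt(mon, field):
    """0x40 corruption of 'pid' or 'tid': only that header field changes."""
    out = dict(mon)
    out[field] ^= BIT6
    return out


def checksum_delta(plain):
    """Unreduced change of the sum after one 0x40 corruption of PID or TID."""
    k = sum(1 for d in plain if d & BIT6)  # double-words with bit 6 already set
    return (12 - k) * 0x4000 - k * 0x4000  # +0x4000 where clear, -0x4000 where set


def with_bit6(plain, indexes):
    """Copy of plain with bit 6 set on the chosen double-words."""
    return [d | BIT6 if i in indexes else d for i, d in enumerate(plain)]


# Constructed sample values, not a real Pokemon: 12 double-words, bit 6 clear.
PLAIN_0 = [(i << 16) | (0x0100 + i) for i in range(12)]
HORSEA_PID = 0x0000007F  # from the post
SAMPLE_TID = 0x0000A1B2  # constructed

if __name__ == "__main__":
    cases = [("general case", set()),
             ("one double-word with bit 6 set", {9}),
             ("two double-words with bit 6 set", {3, 9})]
    for label, idx in cases:
        plain = with_bit6(PLAIN_0, idx)
        mon = make_mon(HORSEA_PID, SAMPLE_TID, plain)
        single = corrupt(mon, "pid")
        double = corrupt(single, "tid")
        print(label)
        print("  delta = 0x%X, single corruption valid: %s"
              % (checksum_delta(plain), is_valid(single)))
        print("  order %s -> %s, double corruption valid: %s, data intact: %s"
              % (order(mon["pid"]), order(double["pid"]),
                 is_valid(double), decrypted(double) == plain))
```

After a Double Corruption the XOR key is back to its original value, which is why the decrypted data matches the original and only the order derived from the PID has moved.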



Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 03, 2015, 06:13:27 am
Great research, thanks for sharing this Metarkai. 6-7/32 chance to get your EVs>species corruption(?). That sounds much better. I'll try to get the Caterpie perfect initiator. Thanks for teaching us about fast cloning too.

Is 0x2600 a fast clone glitch Pokémon on English Emerald too? If not, do you know of a fast clone glitch Pokémon on English Emerald?

Edit: Got fast cloning to work with 0x2600 in the English version.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 03, 2015, 10:49:04 am
Well, that was something I should have written quite some time ago.
The 6-7 chances come from the 5 clones of the Pokemon you want to Corrupt.
As the Party Pokemon Selection Pointer select blocks of 25 double-words, and as PC Pokemon are stored in blocks of 20 double-words, with the initiator-Poke-initiator-Poke-...-Poke setup, you'll have a Corruption pattern that is periodic every 5 Pokemon.
And each of these 5 Corruption will also be different, so that makes at least 5/32 chances to have one Pokemon that has its PID corrupted (same for TID).
And, since the DMA can move a RAM double-word on 32 different consecutive addresses, if you take a certain double-word, you have either 1 or 2 positions of that double-word that will induce a good Corruption.
And with 5 clones, you have either 1 or 2 of them that will have 2/32 chances to be well corrupted, and the working corruptions are all with different RAM positionings from DMA, so you can sum all the cases to have a 6-7/32 total chance.

A lot of Glitch Pokemon can do fast cloning, as they mostly need to have a long name, but a large majority of them will generate a Bad Egg in the way.
0x288A has the specificity to generate a Bad Egg of 0x0000 that you can release, so it's easier to clone with it.
There's a setup I randomly fell on after the video to not generate any Bad Egg, which is the following :
- Open PC with Move Pokemon.
- Go over the Glitch Pokemon.
- Open your party, grab a Pokemon, and deposit it right after that (leave him in the party). (this changes the glitched data stored for "grabbed Pokemon" into the data of a normal Pokemon)
- Go over the Pokemon you want to clone without going again over the Glitch Pokemon.
- Try to grab the Pokemon once, then trade the "invisible" Pokemon the hand grabbed with the Pokemon you wanted to clone. (the "invisible Pokemon" being the party Pokemon you grabbed earlier, so you'll be able to release it) (swapping Pokemon refreshed the "grabbed Pkmn" data)
- Deposit the Pokemon you wanted to clone elsewhere.
- Try to grab that Pokemon again, and deposit the "invisible Pokemon" on an empty PC slot. (now that's a clone of the Pokemon you want to clone)
- Repeat the last step until you've got enough clones.

The only difference with the video is that you go and grab a party Pokemon to change the "grabbed Pokemon" data, as for a certain reason, you can grab Party Pokemon without any issue, but not PC Pokemon.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 03, 2015, 11:22:10 am
Oh, I wasn't aware. It's the first time I've seen it though and you post clear steps. :)

I have made two VBMs for VBA-RR v24 svn422 (this emulator I think (https://code.google.com/p/vba-rerecording/downloads/detail?name=vba-v24m-svn-r422.7z&can=2&q=)). Please check them.

In my first VBM I do all of what you said up to obtaining perfect initiator Caterpie clones (marked [fed Pokéblocks] and unmarked) and cloning them. I had good luck with getting the initial Horsea Egg; a sign that Seedot initiator was working(?). It took a while for me to get the perfect initiator Caterpie; but I am satisfied that I did my first direct Egg>Pokémon conversion.

Question 1: Though you don't regard Seedot as a "perfect initiator", if I gave the Horsea something other than 10 HP EVs could I use that to get Pokémon other than Caterpie? I have great luck with Seedot initiator, I hope it wasn't just me being particularly lucky though.

For my second VBM I used A-Save to prepare a Deoxys Horsea (1 Attack, 154 HP) and cloned it 10 times. I arranged my Pokémon in box 2 in the unmarked Caterpie clone>Seasor (x5) and marked Caterpie clone>Seasor (x5).

I tried having those Pokémon in order from box 1 but I actually didn't have much luck getting normal Eggs. However, when leaving three spaces before the first Caterpie I got a Deoxys Egg after only a few tries.

(http://i.minus.com/ibpZzX3Hfzph2j.png)

Question 2: Was I doing everything correctly (in the VBM files) to maximize my chances? As I don't have full technical knowledge of what I'm doing yet I'm not sure.

Question 3: Did I do a bad thing by leaving three spaces?

Thanks in advance.

Links to my VBM files:
Movie 1 - https://mega.co.nz/#!M51hnJ4B!BM2kXlMmw2hYNUjjadAhCosZ9eVrxNDrySHzj3Q0u5U
Movie 2 - https://mega.co.nz/#!V9FHHB6K!7dtW9dr7woG-HQMWCJdsyYC9sJw-t8bCA3HWXfy-Vrk
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 03, 2015, 02:09:11 pm
1) Yeah, the 10 HP EV is just there to not have 0 HP & Atk EVs so that Horsea doesn't turn into 0x0000 which is considered as a blank space (you can't grab him nor see him after the corruption), and it's the first easy to get EV amount that came to my mind as I preferred using items than fights.

As long as you prepare the Corrupted Pokemon well (the last phase with specific EVs and Beauty), things will be ok.


2) The spaces you leave before the first Caterpie in Box 1 or 2 don't count.
You just need to have them placed consecutively between Box 1 Slot 1 and Box 2 Slot 24, so that they can be corrupted with 5 clones each suffering a different corruption.
You could do other placements, like Caterpie - clone - space, which wouldn't change anything (since we're dealing with events that have a period of 5, the length of our Pokemon sequence can be 2,3 or 4 (or higher), that won't change the periodicity of the effects).
Apart from that, since I suppose that the Caterpie were finely made, and since the Horsea has the right EVs, the pattern and things should be working.

Also, certain 3rd gen save editors can change the PID of your Pokemon since they don't really care about it (as long as it gives nature, gender and shininess), so I don't know if A-save also does this, and if that preserves the substructure order or not.
This could be a hindrance regarding the Corruption type of your Pokemon that could change if you modify its EVs/Moves/... with a save editor, and I don't really have info about that as I'm manually editing the stats of my Pokemon with Memory Viewer to skip some trainings.
EDIT : Apparently, A-save doesn't do that.


For the Double Corruption :
Once the preparations are done, the corruption in itself is just about the luck to have a good RAM positioning.
A tiny saddening thing is that on French Emerald versions, you can (most of the time) grab and clone the Eggs after the first corruption (or if the Pokemon TID was corrupted), as Glitch Move 0x4000 has a PP amount with its bit 6 set to 1, allowing you to keep high success chance for the second corruption phase.
In US Emerald, 0x4000 doesn't have a convenient amount of PPs to do that.
But you can find move IDs that will become convenient Glitch Moves (the PP byte has its Bit 6 set to 1) after the Move ID xor 0x4000 corruption (in general with the TID corruption as the PID corruption will nearly always swap the Attacks substructure because it's the best to manipulate with Smeargle) and do the same thing (being allowed to grab and clone the Egg).
However, I don't have a tool to see the properties of Glitch Moves on US Emerald (I have one for FR Emerald), but with manual corruptions (you change the TID with Memory Viewer) and my lua script, or Sketch + PP amount address for the leading Poke during fights, you should be able to see what move Horsea (or another Pokemon you would use for Corruptions) could learn to allow you to go faster on the second corruption.


About the .vbm :
I watched the .vbm (that was my first time seeing ones, these things are so nice !), and the whole thing was well made.
Thanks to voltage, you can now skip the long Swampert poisoning phases (for me that was Banette using Curse with an odd amount of HP) with the Decaswitch.
 - You just have to get an Invisible Bad Egg from a Pokemon Corruption (that's a Decamark Bad Egg), and with a precise selection, you can switch this Invisible Bad Egg with your last alive Party Pokemon. (I didn't write the exact procedure, but it's like grabbing and depositing a PC Pokemon, then grabbing the invisible Bad Egg and switching it with the Party Pokemon, but that may not be exactly that so you might have to try out a few times before the game will allow you to switch these Pokemon).

The values for Caterpie are the good ones (1400B4B2 0000B4A6 000.... for 2nd substructure on first Caterpie, and 1400B4B2 4800B4A6 8A0... for 2nd substructure on Marked Caterpie).

But yeah, you did the good things to be sure that you have a chance that the Pomeg Corruption will work, and have great chances of success.

About Deoxys Obedience :
Also, Deoxys isn't obedient and couldn't have been so, because by corrupting Horsea, Miscellaneous was read on Attacks, so the Obedience Flag was read on Move 4 PPs.
However, you would have needed a Double Corruption (I don't remember if it's mandatory or not for this), and a Move with 64 PPs, and Horsea doesn't learn such a move.

About Double Corruption possibilities :
But with Smeargles and Glitch Moves, it's easy to pull off a manipulation like this.
(To obtain any Glitch Move you want, use the in-game Plusle as it has Attacks read on EVs when corrupted)
(For Glitch Items, use Horsea again with Def and Spd EVs)
You can't do all the data manipulations you want with Smeargles and Double Corruption, as there are only 10 substructure permutations available with the 0x40 Corruption, and as you can't fully manipulate Smeargle EVs or Moves (you can't Sketch every Glitch Move as they may freeze the game when doing so), but you can go quite far with this.

The biggest manipulation I did was for a Mewtwo :
Lv 0, caught in a Safari Ball at Lv 111 in Cerulean Cave, holding a Master Ball,
IVs : 31/23/31/27/31/31 ,  EVs : 235/0/255/255/255/191

He had Glitch Moves (removed with Day Care) because I focused on manipulating Growth, Miscellaneous, and EVs.

As for the 10 possible substructure permutations, that I call Corruption types (because it determines what your Pokemon will turn into), I have reported them in a list, and here's a quick translation of that list :
(http://i.imgur.com/LKR8RVG.png)


For example, Horsea's Corruption type is GE AM EG MA (Type 8).
This is quite useful because when you're farming for Smeargles for Double Corruption manipulations, you only need one Smeargle of each Corruption type (a bit less since some types are useless, and some have nearly the same uses), and you can check that either by testing (you give the smeargles certain tiny characteristics and corrupt them to see what type they are), or by using my lua script (it doesn't directly give the type, but you can deduce it from the substructure orders before and after Corruption).


Getting an obedient event Mew (example) :
For example, if you were to need a Faraway Island Lv 30 Obedient Mew from Emerald, this means you need to manipulate Species, obedience, and Met Location + Met Lv + Met Game.
So you'll either do a Type 8 (Growth on EVs and Misc on Attacks) or Type 3 (Growth on Attacks and Misc on EVs) Corruptions.
Since you're not manipulating too much Miscellanous data, you can use EVs to get them all, so a Type 3 will be easier to set up.
You would need for that :
Move 0x97 (Acid Armor) as Move 1, 201 Atk EVs, 158 Speed EVs, 1 SpAtk EV, between 64-127/192-255 Feel.
Here, Speed EVs and Feel are manipulated, and Feel is in the 0x40-0x7F/0xC0-0xFF zone, but not Speed EVs, so you'll also need to have a "forbidden" Ball or 64-127 Beauty to make the Pokemon corruptible.
So use Pokeblocks that give Beauty like 4-player Blue Pokeblocks (12 Beauty, 21 Feel), so that with 6 of these Pokeblocks, you have 72 Beauty and 126 Feel.
Or use 6 Blue Pokeblocks then Red/Yellow/Green ones to make Feel higher than 192 and you'll be fine. (this will influence the Ribbons and IVs, so that won't really matter).
Also, be sure not to have any Move 3 and 4 so that the Mew will be at Lv 0 and you'll be able to remove its glitch moves from DayCare (or you can manipulate its Exp and Held Item to have specific moves like Sketch with 0x00A6 Item or 0x XXXX 00A6 Exp).
You could also be more picky about the Ball, IVs, and other stuff, but this will do the trick.

It takes a bit of time to search and plan the Pokemon you need, and the preparations you need, but once you have your Smeargles, the rest is quite easy to do (teaching moves, making EVs, giving specific Exp, specific PP bonuses, specific Contest stats, specific Held Item) (with the help of Pomeg Glitch for certain values), and a Double Corruption finishes things off.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 06, 2015, 05:27:28 am
Not sure if this has been posted already, but I found something pretty interesting.
After scrolling past the 6th slot and using a fluffy tail, I attempted to talk to the Day-care man. However, when I pressed A, the game would freeze for a fraction of a second. Upon attempting to talk to him several times, I suddenly got a call on the Pokénav which spouted an insanely long line of ΐΐΐΐΐΐΐΐΐΐ which lasted several minutes.

Upon ending the call, a variety of things happened:

I was in a Safari game.
My name was changed to ΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐ.
My play time became ?84:43.
I now have 3 badges.
My gender changed to female.
My party became six Bad EGGs, all burned.
I have seen 50 and caught 50 Pokémon in the Pokédex.
Everything in my Bag became ????????, which I apparently had zero of.
My "No. of battles" counter on Match Call became ?????.

Upon exiting the Safari game, my sprite became Red's sprite, of all things.

At this point, attempting to use the PC, checking my Trainer Card or entering a battle all crashed the game.

If I can find the pictures I took, I'll post them. This seems so similar to the ZZaZZ Glitch from R/B...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 06, 2015, 05:34:43 am
Metarkai and I encountered the same effect but I haven't got name corruption with the Day Care man before. That's cool.

Here is a video.

https://youtu.be/QaPs2KZ7F70?t=802 (13:22)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 06, 2015, 05:42:05 am
Metarkai and I encountered the same effect but I haven't got name corruption with the Day Care man before. That's cool.

Here is a video.

https://youtu.be/QaPs2KZ7F70?t=802 (13:22)

There's just a grey box with ellipsis on it where the video should be...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Zowayix on May 06, 2015, 06:08:43 am
Metarkai and I encountered the same effect but I haven't got name corruption with the Day Care man before. That's cool.

Here is a video.

https://youtu.be/QaPs2KZ7F70?t=802 (13:22)

There's just a grey box with ellipsis on it where the video should be...

Did you click where the video should be to play it?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 06, 2015, 06:47:41 am
Metarkai and I encountered the same effect but I haven't got name corruption with the Day Care man before. That's cool.

Here is a video.

https://youtu.be/QaPs2KZ7F70?t=802 (13:22)

There's just a grey box with ellipsis on it where the video should be...

Did you click where the video should be to play it?

I did try earlier, but it didn't work. It seems to work now, however. Thanks.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 06, 2015, 08:34:53 am
Another thing: Can anyone help me out with this? I've been trying to get a Gengar egg with the EVs -> Species corruption but it's just not working, or I'm just unlucky.

I have Box 2 of my PC filled with Seasors with (I think, it's hard to calculate EVs on the cartridge version) 94 HP EVs and 0 Attack EVs.
I'm at about 20 tries now, and every time they've just turned into Bad EGGS.

If this matters, here's Seasor's info:

Name:SEASOR
Lv:35
Ability:Swift Swim
Brave Nature
No held item
No ribbons
EXP:43,296 - 3,360 to next Lv.

Moves:
Smokescreen
Leer
Water Gun
Twister
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 06, 2015, 12:12:53 pm
Not sure if this has been posted already, but I found something pretty interesting.
After scrolling past the 6th slot and using a fluffy tail, I attempted to talk to the Day-care man. However, when I pressed A, the game would freeze for a fraction of a second. Upon attempting to talk to him several times, I suddenly got a call on the Pokénav which spouted an insanely long line of ΐΐΐΐΐΐΐΐΐΐ which lasted several minutes.

Upon ending the call, a variety of things happened:

I was in a Safari game.
My name was changed to ΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐΐ.
My play time became ?84:43.
I now have 3 badges.
My gender changed to female.
My party became six Bad EGGs, all burned.
I have seen 50 and caught 50 Pokémon in the Pokédex.
Everything in my Bag became ????????, which I apparently had zero of.
My "No. of battles" counter on Match Call became ?????.

Upon exiting the Safari game, my sprite became Red's sprite, of all things.

At this point, attempting to use the PC, checking my Trainer Card or entering a battle all crashed the game.

If I can find the pictures I took, I'll post them. This seems so similar to the ZZaZZ Glitch from R/B...

What happened here is that you corrupted the RAM value storing the Day Care man script address (once you enter a map, locations and script addresses of NPCs are copied into RAM).
The script address becomes totally invalid (0x0DXX XXX or 0x48XX XXXX instead of 0x08XX XXXX), and that makes the game store a huge amount of values that overwrite a large part of RAM data when stored.
The read values depend a bit on RNG, since you can obtain certain different results depending on the time when you talk to the NPC.

However, since the overwriting is brutal, there's for now no exploit of this method since it always (or nearly always?) overwrites data related to current map data. And this makes the game freeze if you were to refresh the map by walking or opening and closing party/bag/pokedex/...
A good amount of times, the script ends with a trainer battle, and losing it allows us to be teleported to another location. However, I don't remember any of these battles going well (if we were able to lose and black out without any freeze).


Another thing: Can anyone help me out with this? I've been trying to get a Gengar egg with the EVs -> Species corruption but it's just not working, or I'm just unlucky.

I have Box 2 of my PC filled with Seasors with (I think, it's hard to calculate EVs on the cartridge version) 94 HP EVs and 0 Attack EVs.
I'm at about 20 tries now, and every time they've just turned into Bad EGGS.

Yeah, this is an issue that can happen (and frequently) due to the fact that the corruption a PC Pokemon will suffer depends on some part of the data of the PC Pokemon before him.
And in a certain amount of cases, this makes it impossible to have a working corruption (you won't see any Pokemon turn into an Egg with its PID corrupted).
Since you trained 1 Horsea and cloned it, for each Horsea (except the first one), the data of the Pokemon before him is always the same.
Thus, if this data makes it impossible to corrupt one Horsea, all your Horsea won't be corrupted.

This is one of the 2 main flaws of the "basic" Pokemon corruption: it has non-negligible chances to not work with the Pokemon you're using.

 What you could try here is to only use 1 Horsea and put him into Box 2 Slot 24.
This slot is a bit more specific than the others as it's the Slot where RAM Corruption starts, so the Pokemon in that very slot will suffer from less corruption than other PC Pokemon (in general, there will be no 0x05 Corruption on its data, so once the 0x40 Corruption goes onto its PID, he should be corrupted well).
You should have 1-2/32 chances to make the corruption work and have a Gengar like this.


If you want to do other corruptions and other things, I recommend you to read the post I made last page (most of the technical stuff isn't that important, but the procedure is), and to download the nice .vbm Torchickens did, where he created its own corruption initiator and used it to get a Deoxys with 100% chance to succeed.
And if you can do trades, you'll be able to get a corruption initiator with this.



EDIT :

I made AR codes for the Perfect Initiators (both of them), as well as a Cloning Glitch Pokemon 0x288A for easier use.
There are also .dmp and .vbm files to get them on the previous page.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 06, 2015, 12:44:52 pm
What you could try here is to only use 1 Horsea and put him into Box 2 Slot 24.

I'll give that a few tries, thanks.

EDIT: My 11th attempt got me an egg, but it was unhatchable and it contained the Horsea...

EDIT 2: My 14th attempt got me an egg again, but this time containing the Gengar! It worked!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 14, 2015, 10:11:50 am
About the .vbm :
I watched the .vbm (that was my first time seeing one, these things are so nice!), and the whole thing was well made.
Thanks to voltage, you can now skip the long Swampert poisoning phases (for me that was Banette using Curse with an odd amount of HP) with the Decaswitch.
 - You just have to get an Invisible Bad Egg from a Pokemon Corruption (that's a Decamark Bad Egg), and with a precise selection, you can switch this Invisible Bad Egg with your last alive Party Pokemon. (I didn't write the exact procedure, but it's like grabbing and depositing a PC Pokemon, then grabbing the invisible Bad Egg and switching it with the Party Pokemon, but that may not be exactly that so you might have to try out a few times before the game will allow you to switch these Pokemon).

The values for Caterpie are the good ones (1400B4B2 0000B4A6 000.... for 2nd substructure on first Caterpie, and 1400B4B2 4800B4A6 8A0... for 2nd substructure on Marked Caterpie).

But yeah, you did the good things to be sure that you have a chance that the Pomeg Corruption will work, and have great chances of success.

I'm glad you liked my VBM. Thank you for the tip, I'll use a Curse Pokémon next time and try Decaswitching.

I want to get this (https://www.youtube.com/watch?v=nedYzxCi3UM) to work but FFFF always freezes the game for me when it hatches. Any advice?

Edit: Never mind, I realized it is 0x0A0D and successfully hatched one.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2015, 07:36:36 am
I'm trying to get the groovy Pomeg glitch effect caused by 0xCCD7 (who is presumably unhatchable). I forced it with memory viewer so I know this glitch Pokémon has the same effect in English Emerald.

If the Horsea becomes an Egg due to the highest 0x40 being set on its personality value (thus transforming it into 0xCCD7 early) instead of becoming a normal Horsea Egg, is it still possible to get a double corruption?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 16, 2015, 08:03:59 am
I'll write here what I answered to Torchickens about 0xFFFF since it's a key point of Double Corruption.

Double Corruption directly gives the wanted Pokemon in a non-Egg state, so you don't have to worry about the hatching sequence if you're going for a Glitch Pokemon.

And here's also one fast Pokemon Corruption setup if you just want to get a specific Glitch Pokemon.
- Get the species of the desired Pokemon and the in-game traded Horsea.
- Train Horsea in HP and Atk EVs to make them match the species (species = Atk Evs + 256*(HP Evs) )
- Place Horsea in Box 2 Slot 24, and empty Box 2 Slot 23.
- Perform a first Pomeg Glitch to change Horsea into an Egg. Don't take that Egg with the hand.
- Perform a second Pomeg Glitch to change the Egg into the desired Glitch Pokemon.

Here, the 0x05 Corruption on Horsea's data is avoided by placing it in Box 2 Slot 24, the first Slot where Pomeg Glitch happens. It's the easiest preparation to make, but you can't have more than 1/32 chance to get a working corruption.
You can also manually change Horsea's TID and PID with Memory Viewer, that'll do the same thing.


And for the Glitch Pokemon on the video, who was 0x0A0D and not 0xFFFF (the author mistook the Egg for a 0xFFFF one), I isolated the sequence that induces the audio mess.
It is 28 8E 9B B4 03, and the first value (28) must be the 87th letter of the Glitch Pokemon's name for this to work.
I tried changing certain characters to see the effects, but I was only able to get a horrible audio mess.
If someone knows what kind of code can be executed like this, it would be interesting to check all the possible ones with Glitch Pokemon (since the name must only be more than 100 characters long, a large amount of Glitch Pokemon will interfere).


EDIT :
Torchickens :
Yeah, for Double Corruption, the order in which TID or PID are corrupted has no influence since the goal is to corrupt both of them, and since the Egg (after the first corruption) isn't touched (its data concerning PPs isn't refreshed).

EDIT 2 :
Here's the video (http://www.youtube.com/watch?v=KVj23HYUiL0) of the messy audio (obtained with 28 8E 9A B4 03)
I think it's best if you don't listen to it because it's really horrible.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 16, 2015, 08:26:44 am
Thanks for clarifying and re-posting your finds for others to see! You are surely very diligent about Pomeg glitch.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: danny on July 06, 2015, 01:03:47 pm
If you replace the text ID of an NPC to 08160504, then talk to them, it will ask you to save, say no. You will now have access to beyond the 6th slot.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on July 11, 2015, 06:57:57 am
This script must be one script in Battle Frontier where your Pokemon team is stored, and where few Pokemon from your team are taken to make the team you'll have for the building.

You can trigger that in Battle Frontier with a Glitch Pokemon's name (making Slateport's journalist reading it), and when entering any Battle Frontier Building, you can be instantly considered winner/loser, and the stored team will be given back to you.
But the address is a bit far, and by doing that you'll also corrupt the stored team, so that would work for certain specific glitch Pokemon.
However, you can directly use a Glitch Pokemon name to have an empty first party slot, which is done easier and with less corruption.

Also, this doesn't work in RS because the winner/loser scripts of the receptionist do not contain the stored team withdrawal (it is done just before that), which is quite saddening since this could have been a way to perform Pomeg Glitch corruption in RS.
However, with the "continuing streak after a pause" script, you can be taken into a Battle Tower fight with a team that can have empty slots, which allows you to make a little corruption before the game freezes.

I tried to abuse such scripts in Emerald in order to illegally bring a Smoke Ball and Master Balls into Battle Pyramid, but it didn't work as there was no Glitch Pokemon that would trigger the "continuing streak after a pause" script while giving me at least one party Pokemon, and while taking me to a Battle Pyramid floor that doesn't freeze the game.
(when you register into a Battle Frontier building, the game stores your team, stores the slots of the Pokemon you've chosen, as well as the floor you'll be taken to (in case you would do a pause), and some other tiny things that are less important)(and in Battle Pyramid, the fleeing mechanic is different, and the fleeing chance is capped at a value which isn't 100%, regardless of Run Away. Thus, you have to kill the wild Pokemon or teleport yourself or use a Smoke Ball, Smoke Ball being more efficient, but you can't find it in Battle Pyramid as wild held items are disabled.)

This also can't be used to steal Battle Factory Pokemon or bring your own Pokemon to Battle Factory,(not like the way I tried, at least), as Battle Factory works a bit differently in terms of Pokemon selection (the game stores somewhere the PID of the selected Pokemon, and their value in the list of Battle Frontier Pokemon).
Since these values are below party pokemon and wild pokemon data, you also can't use this to be taken back into a Battle Frontier facility with one Pokemon of your previous battle, as the data of this Pokemon would be wiped in the process. (as once you go into Pyramid/Pike with a certain team, you can use Safari Mode to be warped back to Safari Zone with your current team, and thus successfully get back the Pokemon in your team during Pyramid/Pike)

However, you can use a Glitch Pokemon with 14.900-15.000 characters and corrupt the Battle Dome matches layout. It is quite funny even if you can't glitch anything with this, and even if the layout is remade after some minutes.


Also, you can't corrupt NPC scripts well with Glitch Pokemon Names, as they are refreshed once you change maps, so you could only do that into the house in Slateport that contains the Journalist, and as the addresses for NPC scripts are below the address for player location, which means that you would need to have a nearly accurate double-word for the NPC script as well as a certain nearly accurate double-word for player location (a location that would still be in the house, so that the player can still go talk to other NPC, and can get out of the house with the door or with Safari Mode).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on August 09, 2015, 05:28:34 pm
Apologies if this seems a bit late, but I found something weird about certain Decamarks.

I managed to hatch the Decamarks "WATERFALL", "WITHDRAW", "BSTITUTE", "SUPERPOWER" and "OAT" (Sadly, I don't know their Hex values, as the .txt file I had used to record them got corrupted). I'll get pictures up soon showing these Decamarks.

Upon seeing the amazing stats of the Lv.5 "BSTITUTE", I attempted to switch it into a battle to let it gain experience. However, upon leveling up, the game crashed after showing the level-up stat gains...
I tried putting BSTITUTE in the Day-care to let it level up that way, but once again, the game crashed after paying the Day-care lady to return it to me.

I tried levelling up all of my Decamarks, and found that WITHDRAW and BSTITUTE both froze the game, while SUPERPOWER and OAT didn't. I can remember that SUPERPOWER and OAT are a higher Hex value than the others, so I think that may be a cause of the problem.
I've yet to try WATERFALL, but it'll take a while since it needs 65,536 EXP to reach the next level, and I don't have any rare candies...

Due to this, it seems that my Decamarks will be unable to level up at all without crashing the game, and due to the four glitch moves they have, it's impossible to battle with them, make them learn any new moves, or even trade them over to my Sapphire game.
So, is it at all possible to level up these Decamarks without them freezing up the game?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on August 14, 2015, 03:47:30 pm
If you want to know the hexadecimal values of the Glitch Pokemon you hatched, you can find them back with the extended 3rd Gen Pokedex (I forgot its exact name, but there is a subject on the forum where a download link is given, and I can't find it back) as they have a really clear name that you can trace back.

For the issue about levelling crashes, I don't know if this is due to the Pokemon trying to learn a new Glitch Move, its Exp curve being too glitchy, something about the stat increase he has, or the Glitch Pokemon trying to evolve, but it's something that is related either to the species or the stats increase.

Trying to obtain Glitch Pokemon with the "classic" Pomeg Glitch corruption and Egg hatching is very tough, as the success rate is inconsistent, and as many Glitch Pokemon won't hatch.

However, by using a corruption initiator, alias HYPY the Caterpie, you can perform Pokemon Corruptions with a consistent and higher success rate, and also perform double Corruptions to remove the Egg state of the corrupted Pokemon and thus be able to obtain every Glitch Pokemon. (see at the end of the post here to have the detailed procedure to obtain HYPY the Caterpie http://forums.glitchcity.info/index.php/topic,6868.msg198505.html#msg198505 ) (a few comments after that, Torchickens made a vba file where he obtained HYPY and made a double corruption with it, if you want to directly get HYPY from it. I also made AR codes for this Pokemon a bit below on the same page.)
Also, by using the in-game traded Seedot, you'll be able to have any Glitch Pokemon with Seedot's HP and Atk EVs, and its moves will be kept, so he won't have "annoying" glitch moves preventing you from trying to train a Glitch Pokemon.
And if you want a specific Glitch Move, you can use the in-game traded Plusle and its HP and Atk Evs.

However, for what you're trying to pull, Seedot wouldn't be good as its Exp would be read on EVs and Contest stats, and being an in-game traded Pokemon, he already has Contest stats, (so he would already be at Lv 100 for a good amount of Exp curves).

To be able to manipulate the Exp of the Glitch Pokemon you would like to have during the Corruption, you would need to catch Smeargles, give them one HP Up, put them in Boxes 1 and 2 with the corruption initiator, save, and try to corrupt some of them to see if they become a Caterpie in an Egg when their PID is corrupted. Thus, you would have a smeargle with no contest stats nor EVs and you could modify them to have the Glitch Pokemon you want with the Exp amount you want, which can be more helpful sometimes than a couple of Rare Candies.
(to know if the Egg you have after one Pomeg Glitch is from a corrupted PID or TID, check if he's going to hatch quickly or not. If the Pokemon has no Contest Stats, 4th Move, nor Ribbons, this will be enough to know it).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on August 21, 2015, 03:18:17 pm
If you want to know the hexadecimal values of the Glitch Pokemon you hatched, you can find them back with the extended 3rd Gen Pokedex (I forgot its exact name, but there is a subject on the forum where a download link is given, and I can't find it back) as they have a really clear name that you can trace back.

Might it be Generation III Extended Hacking Suite (http://forums.glitchcity.info/index.php/topic,7127.msg197034.html#msg197034)?

Another way to do it might be to send the glitch Pokémon into battle (if that glitch Pokémon can be sent into battle, maybe if it cannot you cannot use this method) and check one of the addresses 02023868, 02024084, 0202499E or 03005E58.

Metarkai, do you know an easy way to edit the index number of a Pokémon in the party to any glitch Pokémon with memory viewer without having to do any glitching?

I have usually got an Egg from double corruption first then corrupted it again with Pomeg glitch or manually with memory editor to get any Pokémon (including unhatchable glitch Pokémon) based on its EVs. I couldn't locate CCD7 with cheat searcher sadly.

I would like to know of a way to manually change any Pokémon. In the Game Boy games it's relatively trivial because you could just change two memory addresses (species byte 1 and byte 2); but in Generation III with you having to take the modulo 24 of the personality value to know where the species ID address would be, and the Pokémon being protected by checksum, I don't know of a step by step way.

With anti-DMA enabled, can you tell me the addresses of the stored checksum, and the species ID for Pokémon for all four positions of "Growth" in the substructure orders please?

For the issue about levelling crashes, I don't know if this is due to the Pokemon trying to learn a new Glitch Move, its Exp curve being too glitchy, something about the stat increase he has, or the Glitch Pokemon trying to evolve, but it's something that is related either to the species or the stats increase.

Yeah, perhaps without further knowledge it may be like Generation I (a Pokémon with a glitch experience curve that can normally never stay past level 1 after battle, or a Pokémon with a glitch experience curve that has division by zero (http://forums.glitchcity.info/index.php/topic,6588.msg196436.html#msg196436))
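
The layout this question refers to (substructure order selected by the personality value modulo 24, data covered by a checksum), as an added Python example that is not part of any post in this thread. Offsets, the order table and the PID xor TID key follow the publicly documented Generation III data structure; the function names and the sample record are constructed for illustration.

```python
import struct

# Substructure order for each value of PID % 24
# (G = Growth, A = Attacks, E = EVs/Condition, M = Misc).
ORDERS = ("GAEM GAME GEAM GEMA GMAE GMEA AGEM AGME AEGM AEMG AMGE AMEG "
          "EGAM EGMA EAGM EAMG EMGA EMAG MGAE MGEA MAGE MAEG MEGA MEAG").split()

RECORD_SIZE = 80   # boxed Pokémon record: 20 double-words
CHECKSUM_OFF = 28  # 16-bit checksum (low half of the 8th double-word)
DATA_OFF = 32      # start of the four encrypted substructures
DATA_SIZE = 48     # 4 substructures x 12 bytes
SUB_SIZE = 12


def _key(record: bytes) -> int:
    """Encryption key: personality value XOR trainer ID (both 32-bit)."""
    pid, tid = struct.unpack_from("<II", record, 0)
    return pid ^ tid


def _xor48(data: bytes, key: int) -> bytes:
    """XOR 48 bytes with the key, one little-endian 32-bit word at a time.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    words = struct.unpack("<12I", data)
    return struct.pack("<12I", *(w ^ key for w in words))


def decrypt(record: bytes) -> bytes:
    return _xor48(record[DATA_OFF:DATA_OFF + DATA_SIZE], _key(record))


def checksum(plain: bytes) -> int:
    """Sum of the 24 decrypted 16-bit words, truncated to 16 bits."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def is_valid(record: bytes) -> bool:
    """True when the stored checksum matches the decrypted data."""
    stored = struct.unpack_from("<H", record, CHECKSUM_OFF)[0]
    return stored == checksum(decrypt(record))


def growth_offset(pid: int) -> int:
    """Byte offset of the Growth substructure inside the 48 data bytes."""
    return ORDERS[pid % 24].index("G") * SUB_SIZE


def get_species(record: bytes) -> int:
    pid = struct.unpack_from("<I", record, 0)[0]
    return struct.unpack_from("<H", decrypt(record), growth_offset(pid))[0]


def set_species(record: bytes, species: int) -> bytes:
    """Return a copy with a new species ID, re-encrypted, checksum updated."""
    pid = struct.unpack_from("<I", record, 0)[0]
    plain = bytearray(decrypt(record))
    struct.pack_into("<H", plain, growth_offset(pid), species & 0xFFFF)
    out = bytearray(record)
    out[DATA_OFF:DATA_OFF + DATA_SIZE] = _xor48(bytes(plain), _key(record))
    struct.pack_into("<H", out, CHECKSUM_OFF, checksum(bytes(plain)))
    return bytes(out)


def blank_record(pid: int, tid: int) -> bytes:
    """Constructed test record: all-zero plaintext data, checksum 0."""
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<II", rec, 0, pid, tid)
    rec[DATA_OFF:DATA_OFF + DATA_SIZE] = _xor48(bytes(DATA_SIZE), pid ^ tid)
    return bytes(rec)


if __name__ == "__main__":
    # Constructed sample values: PID 0x20 gives order AEGM (Growth is third).
    rec = set_species(blank_record(0x00000020, 0x0000A1B2), 0xCCD7)
    print("order:", ORDERS[0x20 % 24], "growth offset:", growth_offset(0x20))
    print("species: 0x%04X valid: %s" % (get_species(rec), is_valid(rec)))

    # Changing one encrypted byte without fixing the checksum is detected.
    tampered = bytearray(rec)
    tampered[DATA_OFF + 8] ^= 0x01
    print("tampered valid:", is_valid(bytes(tampered)))
```

The checksum is a plain 16-bit sum over the decrypted data, so it only catches edits that leave the sum unchanged by accident or forget to update it; it is not keyed.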
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on August 24, 2015, 07:49:14 am
Might it be Generation III Extended Hacking Suite (http://forums.glitchcity.info/index.php/topic,7127.msg197034.html#msg197034)?

Yup, exactly. It really helped me to determine the name length of glitch Pokemon and see what "families" had the biggest name length, in order to directly know approximate values of identifiers I should use if I wanted to corrupt certain values like Battle Pyramid Bag.
I also modified a US Emerald ROM in order to make it read French Pokemon names, as I wasn't able to fully modify the .ini to make it directly read a French ROM.

For specific searches of Glitch Moves effects or Glitch Pokemon specificities, TheZzAzZGlitch gave me python scripts to help me for that (they are basic scripts as it's only a matter of wanting a certain value on a certain place, but I had nothing to do that for me before).

  For now, these scripts mainly helped me testing abuses of the "N° of party Pokemon in battle" value.
My goal was to have a glitch move with a name long right enough to corrupt that value, and use healing or self-damaging moves to change the HP of my Pokemon. This would force the game to update the hp of the Pokemon "sent in battle", which would have been the Pokemon at the corrupted party slot.
Depending on the party slot values, accurate corruptions of things like special islands flags, mirage island,... could have been possible. However, this value is right at the start of a block of values managing the battle, and all the glitch moves with a good name length make the game crash (another address near the concerned one gets a value that makes the game freeze or reset).

 But, writing this made me think about another possible way to exploit this, through the opponent's Pokemon HP. I'll look into this.

  There's another thing I wanted to test, which was the evolution lines. Can a Glitch Pokemon with a non-glitched sprite and name evolve ? And is that evolution condition the element that makes the game freeze when you give Rare Candies to a Glitch Pokemon ?

  I also wanted to check the Move Relearner a bit more accurately, as I confirmed that the list of relearnable moves contains one copy of each move present in the "Learnable Move" list of the Glitch Pokemon until Move 0000 shows (whereas in Gen III Extended suite, the learnable moves list goes further than that).

  I also wanted to test the Glitch Move types, to see if there were some that could have nice effects.
I also wanted to test the effects of Glitched Special abilities, but I don't really know how to make a test for this (to know if they have an effect during a battle or outside a battle, and what that effect might be). I also don't know their full name length, as maybe something like Skill Swap could make new RAM overwriting cases.

  Someone on PRAMA had a good idea about testing if Glitch Pokemon names could change the NPC's script to values that would be ROM addresses with interesting scripts (like Hall of Fame, engaging a battle against a legendary, ...).
However, the answer was negative. I didn't find any set of 4 bytes that would be near the end of a Glitch Pokemon's name with a certain length (like 18.000 characters long) that would look like a ROM address towards NPC/events scripts.
 There are maybe some other values that could be exploited like this, but I don't really know what other values I could give for an NPC script address in order to get nice results (it has to do something like a teleport, as a glitch Pokemon species name of that length corrupts the player current location and he would be outside of the building, and taking a single step crashes the game).

  While trying to check the existence of the rumoured Lotad Swarm in RSE (I found the ROM addresses managing swarms and he wasn't there, so unless someone shows it, I heavily doubt he existed), I came to think of another way to make the game read a Glitch Pokemon species name, which would be TV news.
I haven't tested it yet, but with news that display the species name of Pokemon like the name master or other ones, I think the game would read the species name of the ID stored in the addresses related to the news.
  This could maybe be useful for RAM data overwriting as it could provide another starting address for that overwriting.
For now, I know of 2 addresses for RAM data overwriting: 0x02021CC0 (the address where the species name is stored when you talk to Slateport's Journalist in the Pokemon Fan Club), and another address around 0x020283E8 (the trainer name is stored there when you reload your save, exit the Safari game, and maybe with other actions).
If we had other addresses where names of Glitch Pokemon, Glitch Moves, or Glitch Trainer Names were stored, this would help in overwriting certain interesting values (0x020283E8 helps to get a NidoranM swarm, and could maybe have other uses for certain addresses, but I don't really know what yet since it's quite far from main flag addresses).

 This would also help do RAM corruptions in RS, as the storage address of a Pokemon species name by Slateport's Journalist is really far from other interesting addresses, (in Emerald, party pokemon data was a good thing to corrupt, but it isn't there in RS).
 I also haven't tested to see where the trainer's name is stored in RS in order to see if it could be helpful to corrupt it.
This reminds me that in RS, if the player's name is too long, you can't even use the pause menu or things like that, so you're really blocked if you want to overwrite too much data.
 

Metarkai, do you know an easy way to edit the index number of a Pokémon in the party to any glitch Pokémon with memory viewer without having to do any glitching?

I have usually got an Egg from double corruption first then corrupted it again with Pomeg glitch or manually with memory editor to get any Pokémon (including unhatchable glitch Pokémon) based on its EVs. I couldn't locate CCD7 with cheat searcher sadly.

I would like to know of a way to manually change any Pokémon. In the Game Boy games it's relatively trivial because you could just change two memory addresses (species byte 1 and byte 2); but in Generation III with you having to take the modulo 24 of the personality value to know where the species ID address would be, and the Pokémon being protected by checksum, I don't know of a step by step way.

With anti-DMA enabled, can you tell me the addresses of the stored checksum, and the species ID for Pokémon for all four positions of "Growth" in the substructure orders please?

If you only want to create a Glitch Pokemon to see what its glitch species does, it'll be faster to recreate that Pokemon from scratch.
But, if you want to have a certain Glitch Pokemon with "more data", you only have one method to change the Pokemon EVs or species or whatever you want in its substructures.

In 3rd Gen, a Pokemon's PC data (I use PC because you don't have the stats stored with it, which makes it a bit clearer) is 20 double-words long.

To create a Glitch Pokemon with the species you want :
- use a Memory viewer in 32-bit mode (it's easier for Pokemon data to see everything with double-words)
- Stay on the Memory Viewer window during all the changes. If you get back to vba without all the changes done, the game can recheck the checksum, see an invalid one, and give you a Bad Egg.
- give him a PID (double-word 1) and TID (double-word 2) of 0x0000 0018. A nonzero PID prevents the Pokemon from disappearing when you multi-select PC Pokemon.
Its PID is equal to its TID, so the PID xor TID xor double word data crypt on its substructures won't bother you since it won't change anything between crypted and non crypted.
Its PID is a multiple of 24 in order to have the same substructure order as a PID of 0, because I have the habit of doing it with a PID/TID couple of 0.
The substructure order of that Pokemon will be : Growth - Attack - EVs - Misc. Each of these substructures is 3 double-words long, and is stored at the end of the Pokemon's data (in the case you forget the location of one of these substructures, you can track it back by starting with the end of the Pokemon's data and subtracting 3 double-words per 3 double-words)

- Get to the substructure you want to modify. Check the location of the bits/bytes you want to modify with :
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III
and change them to your liking.
For Growth, it will be double-words 9,10 and 11.
The Pokemon ID is stored on bytes 0 and 1, which means the rightmost bytes of the first double-word. (the right half of it)
 With a 32-bit view, these bytes will be in the right order (if you want Pokemon 0xCCD7, put 0000CCD7 in double-word 9), whereas with a 8-bit view the order would have been reversed (D7 CC 00 00).

- Sum all the words of the substructures, keep the first 4 characters of it (or cut it modulo 0x1 0000), and store them on the right half of double-word 8.
This gives the Pokemon a valid checksum, so he won't turn into a Bad Egg.
With few changes, it's really easy to make the checksum since you only have few things to add.

This is a procedure I use really frequently to make and test glitch pokemon, because it's fairly easy to do (I could even make a codebreaker code out of this and give you the part to change the species, but I prefer doing it by hand as you can keep track of things the Pokemon would get like new moves, exp, PPs,...) (if you want to put it at Lv 100, give him 0xF000 0000 exp points (double-word 10), that will do the trick).

Now, if you want to change the same data on an already existing Pokemon, you'll have to do the same procedure except that you'll have to :
- stay on the memory viewer window, with 32-bit mode.
- calculate PID mod 24 and check the substructures order this gives to find back the double-words you want to change
- uncrypt the substructures double-words you want to change with : uncrypted double-word = crypted double-word xor PID xor TID
- write down the crypted and uncrypted double-word value
- write the double-words values you want (ex : change the species, exp, held item, evs,..)
- use the crypting formula to crypt these double-words
- write these new crypted double-words on their original place (having the crypted double-word value written down helps you remember where you have to write the new one)
- cut all the uncrypted double-words in half, add all the modified ones, and subtract all the older ones
- add that value (mod 0x1 0000) to the checksum (right half of double-word 8)

  And there you have your Pokemon modified. It's a bit trickier since it is harder to see the double-word you want to change, and since you have to write down the crypted and uncrypted values if you want to be sure that you didn't mess up a part (because if you mess up, you get a Bad Egg and you'll in general never be able to correct your mistakes, so you'll have to reload a savestate or deal with it).

  If you have issues with it or if my explanations are a bit messy, feel free to message me again and ask me any other thing you want about this. I can provide you saves, codes, dumps, or directly show it on skype or twitch for more efficiency, as I tried here to not take too much time writing down the procedure since this post is already quite long.




  Yeah, perhaps without further knowledge it may be like Generation I (a Pokémon with a glitch experience curve that can normally never stay past level 1 after battle, or a Pokémon with a glitch experience curve that has division by zero (http://forums.glitchcity.info/index.php/topic,6588.msg196436.html#msg196436))

I doubt this comes from the experience curve as some glitch pokemon can eat their Rare Candies easily.
However, I didn't check precisely their exp curves, so there could be certain exp curves that make the game crash.
But I think there are multiple reasons behind these crashes since the game doesn't always freeze at the same time.
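The decrypt, edit, re-encrypt and checksum-adjust procedure described in the post above, as an added Python example (not code from the thread or its posters). The byte offsets follow the Bulbapedia page linked in the post and are assumptions here, the key uses the full 32-bit word after the PID (what the post calls the TID), and the sample Pokémon is constructed.

```python
import struct
from itertools import permutations

# Assumed 80-byte box layout (per the Bulbapedia page linked in the post):
# 0x00 PID (u32), 0x04 OT ID (u32), 0x1C checksum (u16),
# 0x20..0x4F four encrypted 12-byte substructures.
PID_OFF, OTID_OFF, CHECKSUM_OFF, DATA_OFF = 0x00, 0x04, 0x1C, 0x20
SUB_SIZE, DATA_SIZE = 12, 48

# PID mod 24 selects the substructure order (G=Growth, A=Attacks, E=EVs, M=Misc).
# Index 0 is Growth - Attacks - EVs - Misc, the order the post relies on.
ORDERS = ["".join(p) for p in permutations("GAEM")]


def crypt_key(mon):
    """PID xor the 32-bit OT ID word (the post's 'PID xor TID')."""
    pid, otid = struct.unpack_from("<II", mon, PID_OFF)
    return pid ^ otid


def crypt(block, key):
    """XOR all 12 double-words with the key; the same call encrypts and decrypts."""
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", block)))


def full_checksum(plain):
    """Sum of the 24 unencrypted 16-bit words, modulo 0x10000."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def sub_offset(mon, sub):
    """Byte offset of substructure `sub` for this Pokemon's PID."""
    pid = struct.unpack_from("<I", mon, PID_OFF)[0]
    return DATA_OFF + ORDERS[pid % 24].index(sub) * SUB_SIZE


def read_u16(mon, sub, off):
    """Decrypted 16-bit field at even byte offset `off` inside substructure `sub`."""
    pos = sub_offset(mon, sub) + off
    dword_pos = pos & ~3
    enc = struct.unpack_from("<I", mon, dword_pos)[0]
    plain = struct.pack("<I", enc ^ crypt_key(mon))
    return struct.unpack_from("<H", plain, pos - dword_pos)[0]


def patch_u16(mon, sub, off, value):
    """Decrypt one double-word, replace one half, re-encrypt it in place,
    then add (new half - old half) mod 0x10000 to the stored checksum."""
    out = bytearray(mon)
    key = crypt_key(out)
    pos = sub_offset(out, sub) + off
    dword_pos = pos & ~3
    enc = struct.unpack_from("<I", out, dword_pos)[0]
    plain = bytearray(struct.pack("<I", enc ^ key))
    old = struct.unpack_from("<H", plain, pos - dword_pos)[0]
    struct.pack_into("<H", plain, pos - dword_pos, value)
    struct.pack_into("<I", out, dword_pos, struct.unpack("<I", plain)[0] ^ key)
    checksum = struct.unpack_from("<H", out, CHECKSUM_OFF)[0]
    struct.pack_into("<H", out, CHECKSUM_OFF, (checksum + value - old) & 0xFFFF)
    return bytes(out)


def is_valid(mon):
    """Recompute the checksum from scratch; a mismatch is what yields a Bad Egg."""
    plain = crypt(bytes(mon[DATA_OFF:DATA_OFF + DATA_SIZE]), crypt_key(mon))
    return full_checksum(plain) == struct.unpack_from("<H", mon, CHECKSUM_OFF)[0]


def make_sample(pid, otid):
    """Constructed sample data: species 0x0019, 1000 exp, arbitrary other fields."""
    subs = {
        "G": struct.pack("<HHIBBH", 0x0019, 0, 1000, 0, 70, 0),
        "A": struct.pack("<4H4B", 33, 45, 0, 0, 35, 40, 0, 0),
        "E": bytes([10, 20, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
        "M": struct.pack("<BBHII", 0, 0, 0, 0x12345678, 0),
    }
    plain = b"".join(subs[c] for c in ORDERS[pid % 24])
    mon = bytearray(80)
    struct.pack_into("<II", mon, PID_OFF, pid, otid)
    struct.pack_into("<H", mon, CHECKSUM_OFF, full_checksum(plain))
    mon[DATA_OFF:DATA_OFF + DATA_SIZE] = crypt(plain, pid ^ otid)
    return bytes(mon)


if __name__ == "__main__":
    mon = make_sample(pid=0x12345679, otid=0x0000BEEF)  # constructed IDs
    edited = patch_u16(mon, "G", 0, 0xCCD7)  # species value from the post's example
    print(ORDERS[0x12345679 % 24], hex(read_u16(edited, "G", 0)), is_valid(edited))
```

With a PID equal to the OT ID word the key is 0, so `crypt` leaves the block unchanged, which is why the post's from-scratch method can skip the XOR step.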
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on August 24, 2015, 03:49:20 pm
Thank you! I will try these methods later.

Yup, exactly. It really helped me to determine the name length of glitch Pokemon and see what "families" had the biggest name length, in order to directly know approximative values of identifiers I should use if I wanted to corrupt certain values like Battle Pyramid Bag.

I also modified a US Emerald ROM in order to make it read French Pokemon names, as I wasn't able to fully modify the .ini to make it directly read a French ROM.

For specific searches of Glitch Moves effects or Glitch Pokemon specificities, TheZzAzZGlitch gave me python scripts to help me for that (they are basic scripts as it's only a matter of wanting a certain value on a certain place, but I had nothing to do that for me before).

Yes, I've also found that tool useful for choosing glitch Pokémon of suitable length.

Cool.

For now, these scripts mainly helped me testing abuses of the "N° of party Pokemon in battle" value.
My goal was to have a glitch move with a name long right enough to corrupt that value, and use healing or self-damaging moves to change the HP of my Pokemon. This would force the game to update the hp of the Pokemon "sent in battle", which would have been the Pokemon at the corrupted party slot.
Depending on the party slot values, accurate corruptions of things like special islands flags, mirage island,... could have been possible. However, this value is right at the start of a block of values managing the battle, and all the glitch moves with a good name length make the game crash (another address near the concerned one gets a value that makes the game freeze or reset).

 But, writing this made me think about another possible way to exploit this, through the opponent's Pokemon HP. I'll look into this.

That's interesting. As well as out of bounds in battle HP slots, might you be able to have that Pokémon gain experience? May simply sending it into battle to let the game know that the Pokémon participated set an invalid value?

There's another thing I wanted to test, which was the evolution lines. Can a Glitch Pokemon with a non-glitched sprite and name evolve? And is that evolution condition the element that makes the game freeze when you give Rare Candies to a Glitch Pokemon?
Ah. Maybe there could be glitch evolution conditions that allow you to execute arbitrary code?

I also wanted to check the Move Relearner a bit more accurately, as I confirmed that the list of relearnable moves contain one exemplary of each move present into the "Learnable Move" list of the Glitch Pokemon until Move 0000 shows (whereas in Gen III Extended suite, the learnable moves list goes further than that).

Interesting.

I also wanted to test the Glitch Move types, to see if there were some that could have nice effects.
I also wanted to test the effects of Glitched Special abilities, but I don't really know how to make a test for this (to know if they have an effect during a battle or outside a battle, and what that effect might be). I also don't know their full name length, as maybe something like Skill Swap could make new RAM overwriting cases.

If you use No$gba Debugger (http://www.emuparadise.me/Nintendo_DS_Emulators/Windows/No$gba_Debugger/80), go on Debug>Define Break/Condition and enter in the box [r15]<80 (or [r15]<30 if you want to search for just WRAM and BIOS executions), and also enter [r15]>90 then the emulator might be able to tell you what code it's trying to execute if you stumble across a glitch ability that executes arbitrary code. These breakpoints tell you when r15 (execution pointer) is less than 8000000, 3000000 or greater than 9000000 (past the end of the ROM).

Someone on PRAMA had a good idea about testing if Glitch Pokemon names could change the NPC's script to values that would be ROM addresses with interesting scripts (like Hall of Fame, engaging a battle against a legendary, ...).
However, the answer was negative. I didn't find any set of 4 bytes that would be near the end of a Glitch Pokemon's name with a certain length (like 18.000 characters long) that would look like a ROM address towards NPC/events scripts.
There are maybe some other values that could be exploited like this, but I don't really know what other values I could give for a NPC script address in order to get nice results (it has to do something like a teleport, as a glitch Pokemon species name of that length corrupts the player current location and he would be outside of the building, and taking a single step crashes the game).

Ah, that's a shame. :/

While trying to check the existence of the rumoured Lotad Swarm in RSE (I found the ROM addresses managing swarms and he wasn't there, so unless someone shows it, I heavily doubt he existed), I came to think of another way to make the game read a Glitch Pokemon species name, which would be TV news.
I haven't tested it yet, but with news that display the species name of Pokemon like the name master or other ones, I think the game would read the species name of the ID stored in the addresses related to the news.
This could maybe be useful for RAM data overwriting as it could provide another starting address for that overwriting.
For now, I know of 2 addresses for RAM data overwriting : 0x02021CC0 (the address where the species name is stored when you talk to Slateport's Journalist in the Pokemon Fan Club), and another address around 0x020283E8 (the trainer name is stored there when you reload your save, exit the Safari game, and maybe with other actions).
If we had other addresses where names of Glitch Pokemon, Glitch Moves, or Glitches Trainer Name were stored, this would help into overwriting certain interesting values (0x020283E8 helps to get a NidoranM swarm, and could maybe have other uses for certain addresses, but I don't really know what yet since it's quite far from main flag addresses).

This would also help do RAM corruptions in RS, as the storage address of a Pokemon species name by Slateport's Journalist is really far from other interesting addresses (in Emerald, party pokemon data was a good thing to corrupt, but it isn't there in RS).
 I also haven't tested to see where the trainer's name is stored in RS in order to see if it could be helpful to corrupt it.
This reminds me that in RS, if the player's name is too long, you can't even use the pause menu or things like that, so you're really blocked if you want to overwrite too much data.

I didn't know there was rumoured Lotad swarm, interesting.

Nice. I hope TV corruption works then so we have even more stuff to do with glitch Pokémon.

I doubt this comes from the experience curve as some glitch pokemon can eat their Rare Candies easily.
However, I didn't check precisely their exp curves, so there could be certain exp curves that make the game crash.
But I think there are multiple reasons behind these crashes since the game doesn't always freeze at the same time.

I see.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on August 26, 2015, 03:29:28 pm
I don't think you could have the invalid slot Pokemon gain experience as this slot would be (nearly everytime) a Bad Egg, and Bad Eggs can't gain exp.

What you're saying about the "participation" seems interesting. I don't think it could really do super things as the value for battle participation is between the values managing the battle, and far away from other elements, but I'll look for that.

I planned to answer all your remarks today, as I finally progressed in the speedrun route, but it looks like I won't be able to.
You made me rethink the "slot of battling pokemon" idea and I finally have a way to make it work !

The way to make it work is relatively similar to Pomeg Glitch RAM corruption :
- Set a certain party slot for "last pokemon sent in battle".
- Kill all your party with Pomeg Berries.
- Make a wild battle.

The "last Pokemon sent in battle" byte, located at 0x0202406E is easily corruptible with Glitch Pokemon species names at Slateport, as you have around 2.000 bytes between that address and the address managing the trainer name and sprite.

With the rough setup mentioned above, what the game does is that he sends in battle the data located at party slot "slot of last battling Pokemon", whatever might be in that slot.
This will be in general either an empty slot (Decamark) or a Bad Egg.
In both cases, if you look at the Pokemon's moves, bad things will result (blacking out or freezing the game), so don't do it.

I haven't tested many things with a Decamark since I directly went for data corruption, which gave me party slots containing Bad Eggs.
What happens for Bad Eggs is that when they take a hit, their HP are updated in the block of data managing the "party slot" where they came from. (You can't heal them yourself as they are Bad Eggs and they can't heal themselves as they have glitched moves)

If your Bad Egg has 0 current HP, you won't be able to take a hit and black out.
If your Bad Egg has 0 Max HP, the game will softlock when you'll take a hit.
If the Bad Egg has less current HP than Max HP, then he'll take a hit like in a normal battle (I haven't checked what certain effects like poison would do), and the value managing its current HP will be updated.
If the Bad Egg has more current HP than Max HP, his current HP will start by decreasing down to its Max HP before being updated as if they took the hit normally. The decreasing speed of the HP depends on the Max HP value, and if you have 0 Max HP, it doesn't decrease at all. Thus, this waiting phase can be more or less long depending on the HP you have to lose, and the speed of the HP decrease.

And after that, you're free to flee using a Fluffy Tail, the fact that you battle with an Egg doesn't bother the game much more than that.

Regarding the party slot values, if you use values from 6 to 11, you'll end up with an opponent's Pokemon, and I haven't tested that, in the case there would be something funny/nice to do by battling with the opponent's Pokemon.

The addresses for "Remaining HP" of every party slot are bytes on the left side of double-words, so you can't corrupt every byte you want.
Since you also need the Remaining HP and Max HP addresses to not be at 0x0000 beforehand, there are also addresses you can't corrupt because of this.

Here is for now the list of corruptible elements that would be interesting to corrupt :
-Duplicate a PC/Bag Item. Duplicate Battle Bag items.
-Change the Feebas Tile value (well no, it finally isn't that interesting as you'll only change the value compared to the first value)
-Corrupt Repel Steps. (for approximately 65.000 repel steps)
-Get 2nd gen starters from Pr Birch.
-Get some Golden Symbols.
-Unlock Southern, Faraway, and Birth Islands.

Yeah, this corruption is the easy door through Mew and Deoxys Islands unlock !
I already knew this method would work as I tried it a different way, and all it was needing was a working procedure.

For now, I only have the Glitch Pokemon values for French Emerald, as I directly tried to see if a good party slot was available on French Emerald in order to get the Islands.

Glitch Pokemon 0x94F8 gives a party slot of 0x68, whose Remaining HP are at 0x02026DE2 (and current HP at 02026DE4), which is a bit below the addresses for Islands event flags.
The byte for Faraway and Birth Islands flags is at 0x0000, so you'll first need to do a Pomeg Glitch in order to corrupt it for 0x0500, but this isn't hard to do (using an in-game trader Pokemon in PC to tell if the corruption was good or not, and maintaining UP for a certain amount of time).
Once this is done, here's the setup :
-Have a fully KO Party with : 0x94F8, Fly, (Surf for Faraway and Birth Islands)
Have many Fluffy Tails, as well as the event tickets in your Bag. (obtainable with a Double Corruption)
- Fly at Slateport and save in front of the journalist.
- Speak to the journalist to change the "last battling Pokemon" value to 0x68.
- For Southern Island, go at Route 101, and make a wild battle.
Once the Bad Egg is sent in Battle, look if he has 0x8500 current HP and 0x0001 Max HP. (look for ???/ 1 HP)(1/32 chance)
If this isn't the good HP amount, use a Fluffy Tail and make another encounter.
If this is the good HP amount, use X Attack, Speed, Accuracy until the wild Pokemon hits you.
Wait. (Here, this will be very long, a few hours at least, maybe something like 10-20 hours or even more)
Once your HP bar has finally decreased to 1, use a Fluffy Tail.
Fly at Lilycove, and check if you've unlocked Southern Island.
If not, reset or go back to Route 101. (the ???/1 HP wasn't the right one)
If yes, enjoy.

- For Faraway Island and Birth Island, enter Mt Pyre and stay in the first section. Make a wild Battle.
Once the Bad Egg is sent in Battle, look if he has 0x0500 current HP and 0x0010 Max HP. (look for ?80/ 16 HP)(1/32 chance)
If this isn't the good HP amount, use a Fluffy Tail and make another encounter.
If this is the good HP amount, use X Attack, Speed, Accuracy until the wild Shuppet hits you with Night Shade.
If he uses Curse first, it isn't good, reset.
Once he has used Night Shade, wait. (this will take 2-3 minutes)
Once your HP bar has finally decreased to 16, use a Fluffy Tail.
Fly at Lilycove, and unlock Faraway and Birth Islands.
Enjoy.

I'm really happy about that since one of the last remaining goals of Pomeg Glitch has fallen, and since a method I previously worked on was finally useable.


I'll look for a Glitch Pokemon that puts party slot 0x68 (or 0x69) in US Emerald Roms too, and maybe some other things for Pokeblocks and Battle Bag since they are on a hot topic for me.



 Move Relearner won't be of any help.
It appears the main cases for Glitch Pokemon are :
- Not able to relearn any move.
- Able to learn Karate Chop.
- Able to learn a full list of Peck.

 Also, TV news might be tricky to use, as the main source of Pokemon Species Name reading, the Name Rater, can't be used for Glitch Pokemon (the game mainly freezes when you try to rename them).
Maybe certain news related to Pokemon contests or wins at Battle Frontier could tell the species name of one of our Pokemon, but I'm not sure of that (I think it would be the surname).
Thus, this method will most likely stay for now as I'd need more data about these news to know if some could work.


 My initial idea of using a Glitch Move to change the "party slot of opponent's battling Pokemon" won't work, the value is right next to the other one, and no Glitch Move is able to change them without altering other values related to the fight that make the game freeze/reset.

As for learnt moves, I saw quite a lot of Ice Punches, so Glitch Pokemon might only learn certain "generic" sets of Moves from levelling.
I was able to level out a Glitch Pokemon with a normal experience curve by using an Exp Share. It turns out that he wanted to learn a glitch move right after Ice Punch, so I suppose that it was this move who froze the game right on Ice Punch message.
Yeah, it's definitely that Glitch Move, now I'm able to level the Pokemon normally.
What seems to freeze the game is the learning of a Glitch Move as new move in the party screen.
As the glitch move by itself has a short name and a non-freezing type sprite, who allow it to be seen in the summary or removed.

I used Pokemon 0x1015, who, according to Gen III Suite, can evolve via friendship.
However, that didn't happen. This might be because there are multiple friendship evolutions, or because the first evolution entries are empty. I'll test more things to sort this out.
I've tried to evolve 0x101A and 0x101B who have a first evolution condition of Friendship at Day and Night, and it didn't work for both.
I put 0x102B who's supposed to "evolve by breeding" into a Forretress in Day Care, but there was no Forretress in the end.


It's strange, I have this memory of the learnable move list stopping at the first 0000, but what I saw there is different.
I'll try some things on my French Emerald version.


And thanks for the help on code execution. I'll try to familiarize with this and see if certain freezes can be exploited.

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on August 29, 2015, 11:02:04 am
Well, after more analysis, a good part of my previous post was quite erroneous.

I was able to unlock Faraway and Birth Islands, but that was way tougher than I originally thought.

First, there is no Glitch Pokemon in US Emerald that would safely give you a value of 0x68 or 0x69 at 0x0202406E (party slot of fighting Pokemon), who are the required slots in order to get the word managing the Event Islands unlock treated as remaining HP.

Secondly, the Bad Egg can have statuses, and when his remaining HP will be the word for islands unlock, he will, as its status word is read on some flags about visiting areas, completing the story, and talking to certain NPCs.
Thus, the Bad Egg suffers from Poison, Severe Poison, and Burn.

If you went into Trainer Hill, the Max HP word will have a value of 0x14 = 20 at that time (unless you visited Navel Rock).
Thus, Poison does 2 damage, Burn 2, and Severe Poison does 1 to 15 damage depending on a counter.

In the word for Remaining HP, you also have the flag for the advanced Trainer card (with Battle Frontier symbols and other things) amongst the lowest bits, and as you can't get it again, you need to keep it.
Flags for Pyramid symbols are also some low bits of that word.
And this changes the amount of damage you'd like to take in order to get flags for Islands unlocks while keeping the Trainer card.

Also, if the party is still KO when Bad Egg suffers from Poison (or any indirect form of damage I think), the game makes you black out, so you have to use a Revive in order to revive one of your Party Pokemon.

After that, it was a matter of searching the effect of all the flags in order to get everyone to the same values and to make them able to unlock both islands with a single HP loss on a fight.

There's more details about that at the end of the pastebin for that method : http://pastebin.com/8N9sGwpb



I have for now two more things to check with that "battling Pokemon" method, as I want to see how party Pokemon are managed when you open the party while the battling Pokemon comes from a slot higher than 5 (slots starting at 0), as it did strange things to my party, and I want to check if an empty slot could gain Exp and Evs from a fight (by fighting a Secret Base Pokemon who uses Memento), as this could have some (tiny) uses.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on September 01, 2015, 01:53:11 pm
I hatched EARTHQUAKE (Hex:0205) at Level 5 and boy, this Decamark learns so many moves.

Upon using Rare Candies, EARTHQUAKE tried to learn Guillotine and Pay Day at Level 6, Mud Sport at Level 7, A glitch move at Level 8 and Barrier at Level 9. The game crashed upon reaching Level 10. Sadly, the type of the glitch move crashed the game on both the Battle Moves and Contest Moves screens.

With the Move Tutor, I could teach it Waterfall, Skull Bash and a different glitch move.

I'll test the effects of these moves in battle and in a contest and get back to you on the results tomorrow.

On a different note, two of the four glitch moves my Pokémon get when they hatch have turned out to be pretty useful, one being possible to use in battle and in contests with no negative effects, and one that appears to give instant victory in battles when used. I'll get pictures of these tomorrow.

Oh, and just to clarify, I'm doing all this on a cartridge. :)

-----

EDIT: Unfortunately, both glitch moves proved uneventful in battle as they both seem to have 0 accuracy (Always missed) and both crash the game before you can select your move in contests...

The glitch move EARTHQUAKE learns at Level 8: [Attachment 1]

The glitch move at the Move Tutor: [Attachment 2 & 3]


As for the four glitch moves my Pokémon hatch with, here they are: [Attachment 4 & 5]

The move "[]ÏΠ BLPOÉ" can be used in battle and in contests with (from what I've seen so far) no negative effects, and "MNPOPOPOPOPOPOPO" seems to give instant victory in battle when used, but it must be placed first on the moves list for it to work.
Below is a list of the effects and stats of the moves that I have found so far.

MNPOPOPOPOPOPOPO
-----
Type: [Glitch type; crashes game] - Cool
PP: ?1
Power: 70
Accuracy: 1
Battle description: <blank>
Appeal: 4
Jam: 0
Contest description: "A highly appealing move."
Effect in battle: "[Pokémon] used [Long line of text; wraps around screen 3 times]!" [Attachment 6] - Always misses, due to having 1 accuracy. Turns battle into a Battle Tent match. Selecting "RUN" afterward will say "[Trainer] forfeited the match!". The trainer you just battled will act as if you had beaten them.
Effect in contest: Crashes game.

[]ÏΠ BLPOÉ
-----
Type: Normal - Cool
PP: 8
Power: 243
Accuracy: 29
Battle description: <blank>
Appeal: 3
Jam: 0
Contest description: "The next appeal can be made earlier next turn."
Effect in battle: "[Pokémon] used a NORMAL move!" - Damages the target significantly.
Effect in contest: "[Pokémon] appealed with COOL move!" - Animation looks like Pound.

C     Ç ì ♂À  ú
-----
Type: Normal - Cool
PP: 0
Power: ---
Accuracy: ---
Battle description: <blank>
Appeal: 2
Jam: 1
Contest description: "Badly startles POKéMON that made SMART appeals."
Effect in battle: Softlocks game when "FIGHT" is selected.
Effect in contest: Crashes game.

↑Ú↑Ú↑Ú↑Ú↑Ú↑
-----
Type: Normal - Cool
PP: 0
Power: ---
Accuracy: ---
Battle description: "qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF"
Appeal: 8
Jam: 4
Contest description: <blank>
Effect in battle: Crashes game when "FIGHT" is selected.
Effect in contest: Crashes game.

I'm not too sure if this info will help you guys in any way, but I just thought I'd share it anyway. :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on September 02, 2015, 02:09:49 pm
About your "effect in battle" and "effect in contest" lines: remember (or discover, since I assume you don't know about it yet) this effect that I and Torchickens researched (http://forums.glitchcity.info/index.php/topic,7156.0.html).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ATEMVEGETA on October 13, 2015, 09:51:21 pm
Can you enable Mew's island flag with this glitch?

Edit: Or enable the ticket event so you can travel there the normal way? Once I enabled Latios/Latias ticket event by doing the glitcher popping glitch.

Also, what about Mirage Island?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Krys3000 on October 14, 2015, 06:17:46 am
Hey!

Metarkrai did a video to unlock Mew on Faraway Island : https://www.youtube.com/watch?v=4lJQhF8EFQ4

But I'm not sure it works for English games. And he was trying something about Mirage Island, I think.

I dropped a message for him on PRAMA's Skype Group. Maybe he'll see and come answer personally  ;D
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Calhaora on October 14, 2015, 09:11:14 am
I don't know if it's worth posting it and if I should do it here  :-[  but..mh I found some things, when I leave without any Pokemon using wtw. oxo

Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ATEMVEGETA on November 01, 2015, 12:19:11 pm
So, the Pomeg glitch has been proved a very interesting and promising glitch with many major sub-glitches, like access pkmn beyond 6th slot, hatch any pkmn, clone party pkmn, and more, and sometimes while I was messing around with it some weird things happened, like unlocking Lati@s's island event (emerald), and bag item cloning (fire red) like stacks of 452 Super Potions and ?58 Cleanse Tags.

But this thread seems to have gotten too far with research on the Pomeg glitch and I kinda lost the ball. So, I was hoping if any of you glitch experts that do researches on this glitch and know what's going on with it, because it seems too complicated for me (and I guess to many other readers) to understand, can summarize every sub-glitch of the Pomeg glitch that has been discovered so far and those new ones that can be extrapolated from this thread with steps on how to perform each one?

Thanks in advance!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: gangstajigglypuff on November 04, 2015, 08:59:47 am
as im trying to get back into completing my dex on emerald, theres really only a few pokemon missing. namely deoxys, mew and slowpoke. funny thing is, you can get every pokemon by combining pokemon xd, colosseum, channel (pal), fire red, ruby, sapphire and emerald, except those 3. so slowpoke confirmed as rare as mew  ;)

the discussion is really interesting, although its getting really technical regarding memory addresses and ram data that its sometimes hard to comprehend. what i would especially be interested in is the practical use of this.

for example if its feasible to corrupt the data in such a way that you can activate events for birth island, faraway island and maybe navel rock that would be a major breakthrough, as this would allow to get deoxys and mew legitimately and trade them over and make them obey. on a spare save file of emerald you could pull off the corruption, so all the trash data you create wont be of a concern and you just trade them over. activating southern island event is nice but not much of use if you completely alter your trainer data and cared about that save file.

so if southern island can be activated, is the issue the same for birth island, faraway island and navel rock?

can you get the tickets handed over via an activated mystery gift event or would you have to item corrupt them similarly to the gs ball in crystal when you celebi egg glitch?

if you can change the substructure so that EVs turn into species, could you change it in a way that certain substructures like EVs or moves change into held items? As those tickets probably have high index numbers might this require glitch moves to work?

mirage island corruption would be not much of interest with this method as it can be easily rng manipulated. so the risk to your save file wouldnt really pay off when theres a more efficient and faster way.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on November 19, 2015, 02:09:21 am
Quote
as im trying to get back into completing my dex on emerald, theres really only a few pokemon missing. namely deoxys, mew and slowpoke. funny thing is, you can get every pokemon by combining pokemon xd, colosseum, channel (pal), fire red, ruby, sapphire and emerald, except those 3. so slowpoke confirmed as rare as mew  ;)

Funnily enough, Decamark 0x0000 has the cry of Slowpoke, for some reason.

You can easily get a Slowpoke by performing the EVs > Species corruption with 79 HP EVs on Seasor. Getting Mew requires 151 HP EVs and getting Deoxys requires 1 Attack EV and 130 HP EVs.
As for the event unlocking, I'm pretty sure it's already been done a couple of pages back.

On a different note, on emulator, does anyone know where the location for a viewed pokemon's type is in Memory Viewer? It'd be nice to see what Hex value certain glitch types are. :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 21, 2015, 02:03:47 pm
But this thread seems to have gotten too far with research on the Pomeg glitch and I kinda lost the ball. So, I was hoping if any of you glitch experts that do researches on this glitch and know what's going on with it, because it seems too complicated for me (and I guess to many other readers) to understand, can summarize every sub-glitch of the Pomeg glitch that has been discovered so far and those new ones that can be extrapolated from this thread with steps on how to perform each one?

Thanks in advance!

I don't have all the sub-glitches in head, but you have :
- Near to full Pokemon manipulation (create a Pokemon with certain IVs, Evs, Species, Exp, Met Location, Moves, Ball)
- Obtain Pokerus
- Obtain every item
- Obtain every Pokemon
- Obtain every Secret Base Decoration
- Corrupt Lilycove Museum paintings (to get the Contest star easily)
- Duplicate Items
- Fast cloning
- Instant Pomeg Glitch
- Charm Glitch
- Your Opponent's Pokemon Glitch
- Unlock Southern Island
- Unlock Birth and Faraway Island (French Emerald)
- Cool graphical and audio glitches
- Catch Battle Pike and Pyramid Pokemon
- Despawn NPCs
- ...

And about those that could be explored, most of the methods were explored as far as possible, and a lot of ideas were used. The main thing left is Arbitrary Code Execution : see which Glitch Pokemon/Move/Thing could trigger an easy ACE that could be performed with Bag Items or PC/Party Pokemon data.

For practice, everything starts with a Pomeg Glitch, and after that it's an interaction between Pomeg Glitch / a glitch Pokemon / a glitch move / a glitch thing and another mechanic, may it be in a battle or outside of battle.
Everything isn't interesting and the list of potential goals is limited, and for now, the main manipulable mechanics have been visited.
It really stretches in every direction, and the working techniques only come from a refinement of an interaction in order to make that console-useable.





gangstajigglypuff :
You can easily trigger Southern Island in Emerald with Pomeg Glitch, as they left the whole event in the cartridge.
You can also easily obtain all the tickets, but triggering the event islands is another matter.

As of now, I only have one technique to do that, but it only allowed me to unlock Faraway and Birth Islands in a French Emerald as you need Glitch Pokemon with really specific values (you need to corrupt the value managing the party slot of the current fighting Pokemon with a Glitch Pokemon Name, and you can't give it every value you want).

It's also possible to create obedient Mew and Deoxys with PC Pokemon Corruption, but it's tedious as you can't do that easily from the in-game traded Pokemon. And you would need a Pokemon with a specific corruption type in order to create an obedient Mew/Deoxys with the right met location and lv.
My best guess for these islands would be an ACE, as for now I don't really have any more method to corrupt the RAM addresses managing these event Islands.


Spectramark : If you want to know a Glitch Pokemon's type, the Extended Gen III Pokedex is really good for that, (or a script to analyse the ROM data of Pokemon, Glitch Pokemon included). As most Glitch Pokemon will freeze the game when you open their summary, you won't be able to know their type like this.

Some glitch types are graphically interesting as they don't make the game crash, some might be interesting because they make the game crash and could potentially bring up ACE, but they don't have any other good effect as they all have a neutral interaction with all the remaining types.

The Pokemon types also aren't stored during battles, so there's no value you could easily read to get the type of a glitch Pokemon.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on November 22, 2015, 07:37:50 am
Okay. :)
Is there any chance you could give me a link to the Extended Gen III Pokedex? It sounds like it would be really helpful.

On a different note, while playing around with Pomeg corruption, I used a certain glitch move (not sure which) which crashed the game and made the battle music slow down.
After about a minute, the music changed to a slowed-down version of FRLG's Pallet Town.

I knew there were sprites left over from FRLG, but I never expected that song.
Not sure whether or not you've seen this sort of thing happen before, but it certainly took me by surprise. :)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on November 23, 2015, 04:34:11 pm
I always have a hard time finding the link back on the forum, but it's there.
Be careful, it only works well with US roms.
If you want info about Glitch Pokemon on Fr/Jap/... games, you have to do tiny manipulations to make Gen III Extended suite read it.

Glitch Moves can really easily crash the game, as they don't need a really long name to overwrite the RAM data managing the fights (some values there really need to be precise or the battle crashes), as they can change the battle type (some types making you unable to flee and properly attack, or just crashing the game), and as most (if not every) glitch move animation messes up with the game.
The issue with these animations is that they sometimes won't crash the game by pure randomness (the type of crash/freeze can change too), so I didn't find any useful glitch move that would have an exploitable glitched animation.

Glitched effects of Glitch Moves also crash the game if I remember well. There aren't many of them, but that's an eventuality.
There's also a potential issue with the "called" name of the glitch move (the name used in the textboxes when you use the glitch move), as it's often different from the glitch move name, and can too rewrite the RAM data managing the fight.
There's also a certain loop of "oe" symbols that crashes the game.

About FrLg OST, it is in Emerald (maybe not all the tracks, but most of them), and is only used for Navel Rock.
The change of music only happened to me once : the game stayed stable and I got an Oak Lab track playing, but I forgot to savestate and greedily tried to use the glitch move another time. I tried to use that move again (I had a savestate right before), but I never got that music change again.


Recently, we searched a bit about Glitch Pokemon names that could interfere with the game music, as a potential ACE starter, but the search didn't really bear fruit. (We didn't really know what values to put to have different interactions with the music that could go beyond that)

I also randomly fell on a glitch pokemon name that really heavily messes up with the graphics. It is on a French Emerald, and strangely doesn't produce the same effects depending on the emulators. If more stable versions of that Pokemon were to be found, that would be neat.
Its index is 0xCBB3 (Fr Emerald), and I roughly show its effects here : https://youtu.be/BNvi05UH9zk?t=1h9m46s

In general, if you want to find a Glitch Pokemon whose name will cause interferences when read in PC, use Gen III Extended Suite to find the Glitch Pokemon with the longest names on the ROM you're using. (I have the list for Fr Emerald and I always forget to do it on the US one.)
After that, it's a matter of taking a Glitch Pokemon ID on that list, increasing it, and checking if the new glitch pokemon does something neat.

I would really like to extract an area of addresses that could bring nice effects if they are given the right values, but reading a really long species name in PC seems to mess with multiple things at once in the Memory Viewer, so it's hard to know what part of the name was the culprit.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ATEMVEGETA on December 05, 2015, 07:18:57 am
I don't have all the sub-glitches in my head, but you have :
- Near to full Pokemon manipulation (create a Pokemon with certain IVs, EVs, Species, Exp, Met Location, Moves, Ball)
- Obtain Pokerus
- Obtain every item
- Obtain every Pokemon
- Obtain every Secret Base Decoration
- Corrupt Lilycove Museum paintings (to get the Contest star easily)
- Duplicate Items
- Fast cloning
- Instant Pomeg Glitch
- Charm Glitch
- Your Opponent's Pokemon Glitch
- Unlock Southern Island
- Unlock Birth and Faraway Island (French Emerald)
- Cool graphical and audio glitches
- Catch Battle Pike and Pyramid Pokemon
- Despawn NPCs
- ...

And about those that could be explored, most of the methods were explored as far as possible, and a lot of ideas were used. The main thing left is Arbitrary Code Execution : see which Glitch Pokemon/Move/Thing could trigger an easy ACE that could be performed with Bag Items or PC/Party Pokemon data.

For practice, everything starts with a Pomeg Glitch, and after that it's an interaction between Pomeg Glitch / a glitch Pokemon / a glitch move / a glitch thing and another mechanic, may it be in a battle or outside of battle.
Everything isn't interesting and the list of potential goals is limited, and for now, the main manipulable mechanics have been visited.
It really stretches in every direction, and the working techniques only come from a refinement of an interaction in order to make that console-useable.

Wow interesting list! Can you please give us a step by step walkthrough on how to perform each of these steps? It would be really awesome! Thanks!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on December 06, 2015, 09:18:45 am
Most of these glitches are explained on either Chickasaurus' channel or mine :
https://www.youtube.com/user/ChickasaurusGL/playlists
https://www.youtube.com/user/zreety/playlists

There are only some tiny things like museum paintings that aren't explained in videos, the vast majority of the Pomeg Glitch exploits has been recorded on video.
The only main method that I haven't recorded yet is a complete tutorial about Double Corruption to manipulate a lot of data on a single Pokemon at once.

Some of my videos don't have an English explanation, so if you're interested by them and don't really know what happens, drop a message here and I'll make a detailed explanation. (I don't really remember which video doesn't have English explanations).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on December 07, 2015, 05:51:43 pm
Is there any way you could explain how to set up and perform a double corruption? I never really understood how to do it, as it either looks like a very complicated and tedious procedure... or I'm just being a derp :-\
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on December 08, 2015, 05:02:14 am
If my memory is right, I made an explanation about the method with steps to get the perfect initiator on that page : http://forums.glitchcity.info/index.php/topic,6868.420.html

There are good chunks of explanations as I'm detailing different corruptions and things, so you don't have to read everything to be ok with the double corruption procedure.

Torchickens also made a vbm movie file showing how he obtained a perfect initiator and how he used it to corrupt a Pokemon (in case you're on vba. You can also always download vba, an Emerald ROM, and watch the movie file), and I also provided codes for the initiators in case this would be needed. (These two posts are on page 30).

Torchickens also made a Double Corruption in one of his videos : https://www.youtube.com/watch?v=HhHlANrnOCI
And I also did a video about using Double Corruption on in-game traded Pokemon in order to obtain any Pokemon/Move/Item : https://www.youtube.com/watch?v=BNvi05UH9zk (there's an English pastebin in the description).

Double Corruption isn't really hard to do. It's just that it involves a good amount of different mechanics to get an interesting result, which means that the procedure to get it done has a certain amount of steps that are different and required.

But all in all, if you follow them well, you won't have any issue.

As I haven't completed for now my file on the complete double corruption (doing it on an arbitrary Pokemon and not an in-game traded Pokemon), I have no translation for that, and the best use you'll have of Double Corruption will be with the in-game traded Pokemon.

For these Pokemon, you can use another perfect initiator (instead of SEASOR the Horsea), as the in-game traded Plusle can do the trick (check the pastebin on my video about it, or my pastebin about shinyhunting in battle pyramid, or ask me if you don't find it written in them).

Once you have an initiator, it's just a matter of choosing what you want (Pokemon, Item, Move), taking the in-game traded Pokemon that will give you what you want, ev-train it until it has the required EVs to make the corruption work, and double-corrupt it with the written procedure (with a high chance to succeed per attempt, meaning a quick corruption).

Oh, well, I'm seeing that my pastebin for the "Obtain any Pokemon/Item/Move" doesn't have the new fastest strategy implemented, so I'll check today where the hell I wrote the procedure to have an initiator from Plusle, and I'll paste the reworked procedure here.

I'll maybe skip some details/explanations, so you can for now read them on the mentioned links/videos, and you can also make a perfect initiator from a Horsea.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on December 08, 2015, 03:52:42 pm
Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on December 08, 2015, 04:56:53 pm
Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?

It must not be picked up at all, or you will most likely get a Bad Egg regardless of second corruption. If you did take the Egg and brought it into battle, it may look like either a retained Seasor (or I think[?] if I remember rightly from what Metarkrai taught me it could look like the 'EVs Pokémon' too) and you still have a chance of the Egg converting into the EVs Pokémon without it hatching.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on December 09, 2015, 12:56:26 pm
Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?

Yeah, looking at the summary is the main way to get information on the Egg.
And as Torchickens said, you must really follow the "don't take until I say it" rule.
Taking the Egg refreshes the PPs of its moves.
But as the Egg has a different 4th move, the new 4th Move PPs can take a value that will make the second corruption fail.


I've now remade the explanations for the quick Double Corruption procedure.
Here it is : http://pastebin.com/2kJpBQCr

It only covers the obtention of any Pokemon/Move/Item, as I've said previously, but it's a really convenient procedure and it will allow you to have the main useful Glitch Pokemon, Moves to make nice things after that.

The complete Double Corruption procedure is very similar.
You use Horsea as a corruption initiator instead of Plusle (you need to double corrupt it to turn it into a perfect corruption initiator). This is because Plusle only works for Pokemon with a PID and TID that have a highest hexadecimal character of 0,1,2,3,8,9,A,B, whereas Horsea works with any PID and TID (you have two Horsea for that).

Instead of Seedot/Plusle, you catch Smeargles.
By catching Smeargles right after resetting the game, you are able to determine their PID with their IVs and nature (their high level allows you to have a good approximation of their IVs).
Knowing the PID of the Smeargles allows you to know their Corruption type. (determined by the highest hexadecimal character of the PID and by PID mod 24)

Then, knowing the Corruption type, you choose what kind of results you want, and write down the training that will be required. Next is the training phase. It's longer than simply training EVs, but not that much longer.

And lastly, the Double Corruption phase is the same.
You can Double Corrupt multiple Pokemon at the same time by cloning each of them 5 times, and placing them in the PC with the same pattern as the one in the pastebin. (You place a clone of the first Pokemon to corrupt in Box 2 slot 24. You put one initiator one slot before it. You place one Pokemon to corrupt before that initiator. ... You continue until you have placed 5 clones of a Pokemon to corrupt and 5 clones of the initiator. Then you place a clone of the second Pokemon to corrupt one slot before the last placed initiator, and go on.)

This allows you to double corrupt 5 Pokemon at the same time (5 clones + 5 initiators = 10 slots required, and there are 54 PC Slots that can be corrupted with Pomeg Glitch).


The long part with the complete procedure is the detail of all the possibilities, with the formulas, the required trainings, and the cumulated things you can achieve.
I'll also need to rewrite the other parts because they were using slower strategies.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on January 19, 2016, 09:38:21 am
So I've been doing some research recently into possibly getting code exec (and not needing TAS or a crafted save file).

Luckily for us, forums like pokecommunity have basically reversed gen 3 to pieces trying to do more with ROM hacking. So we can search their site for interesting things.

Moves use *two* separate VM bytecodes. One for animation and one for move effects.

The move effects one is essentially useless, it grabs a byte as an index into an array, and so we have not that many invalid entries.

However the move animations.. It grabs a pointer from an array, using the move identifier as an index.

This array of pointers starts at 0x2C8D6C in English Emerald.

I coded some quick dumper to get any interesting info about all attacks, and plenty of attacks have animation pointers in RAM somewhere.

So, assuming we can find a way to write stuff there, how do we escape from the interpreter of this VM bytecode?

Easy.

This thread on Pokecommunity (http://www.pokecommunity.com/showthread.php?t=354621) details the bytecode opcodes for the animation VM.

Notice that opcode 03 calls a native function.

Opcode 08 ends the animation, so in theory, if we can write 03 xx xx xx xx FF 00 08 at a certain place in RAM (where xx xx xx xx is a little endian pointer to our final payload, and this assumes that 0xFF is highest priority, it might not be), and use a certain glitch move, then we'd get code exec.

Here's a list of moves in English Emerald with interesting animation pointers. (http://pastebin.com/vwqm16kc)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on February 01, 2016, 08:49:42 am
Wow. That sounds very neat!

I was thinking of ideas and wondered if the PC items at around 02025ECC (randomized by DMA) may be useful.

Metarkrai taught me that the PC item quantities values aren't protected unlike bag items; so something like x99 is $63 and not a hard to predict value, and you can get many (all?) glitch items with double corruption, and duplicate them with Pomeg duplication glitch to access many quantities.

If you had a Great Ball in PC item slot 1, the first byte would be 03 00. However, the closest from your list seems to be pointer A00F (0x2025301), which items-wise may be out of reach even with lucky DMA placement.

What region of the memory isn't randomized by DMA? I notice that some addresses like those around 2000000 apparently aren't.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on February 02, 2016, 06:37:11 am
Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 ...." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer, the two closest are moves 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). And at both of those addresses, is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it. (because as usual, it just grabs from the array without doing index bounds checking).
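The unchecked table lookup described in the two posts above, as an added example (it is not Wack0's dumper and not code from the game): it indexes a pointer table the way the posts describe, classifies where each out-of-range move id would land in the GBA memory map, and puts the bounds-checked lookup beside it. The image, table offset, move count and pointer values are constructed for the example; only opcodes 03 and 08 are taken from the post.

```python
import struct

ROM_BASE = 0x08000000
# GBA hardware memory map: (name, first address, last address).
REGIONS = (
    ("EWRAM", 0x02000000, 0x0203FFFF),  # 256 KiB work RAM
    ("IWRAM", 0x03000000, 0x03007FFF),  # 32 KiB fast RAM
    ("ROM", 0x08000000, 0x09FFFFFF),    # cartridge ROM, read-only
)
# Opcodes named in the post; every other value is "unknown" to this example.
KNOWN_OPCODES = {0x03: "call native function", 0x08: "end animation"}


def region_of(addr):
    """Name the memory region an address falls in."""
    for name, first, last in REGIONS:
        if first <= addr <= last:
            return name
    return "other"


def raw_lookup(rom, table_offset, move_id):
    """Unchecked lookup: read the 4-byte little-endian entry at index move_id."""
    offset = table_offset + 4 * move_id
    if offset + 4 > len(rom):
        return None  # past the end of the image we were given
    return struct.unpack_from("<I", rom, offset)[0]


def checked_lookup(rom, table_offset, move_id, move_count):
    """Hardened form: reject any index outside the real table."""
    if not 0 <= move_id < move_count:
        raise IndexError(f"move id {move_id:#x} outside table of {move_count}")
    return raw_lookup(rom, table_offset, move_id)


def first_opcode(rom, pointer):
    """First bytecode byte at a ROM target, or None if it is not in the image."""
    if region_of(pointer) != "ROM":
        return None
    offset = pointer - ROM_BASE
    return rom[offset] if offset < len(rom) else None


def survey(rom, table_offset, move_count, last_id):
    """Classify what each out-of-range move id would fetch as a script pointer."""
    findings = []
    for move_id in range(move_count, last_id + 1):
        pointer = raw_lookup(rom, table_offset, move_id)
        if pointer is None:
            break
        region = region_of(pointer)
        opcode = first_opcode(rom, pointer)
        findings.append({
            "move_id": move_id,
            "pointer": pointer,
            "region": region,
            # A RAM target means the "script" is whatever data sits there at run time.
            "writable_target": region in ("EWRAM", "IWRAM"),
            "first_opcode": opcode,
            "opcode_name": KNOWN_OPCODES.get(
                opcode, None if opcode is None else "unknown"),
        })
    return findings


def build_sample():
    """Constructed 0x60-byte image: a 4-entry table at 0x10, then unrelated data."""
    rom = bytearray(0x60)
    table_offset, move_count = 0x10, 4
    scripts = [0x08000040, 0x08000044, 0x08000048, 0x0800004C]
    struct.pack_into("<4I", rom, table_offset, *scripts)
    # Bytes after the table that an oversized index reinterprets as pointers.
    struct.pack_into("<4I", rom, 0x20,
                     0x02024000, 0x03001234, 0x08000050, 0x464C457F)
    rom[0x40:0x50] = bytes([0x08] * 16)  # each valid script: "end animation"
    rom[0x50] = 0xC0  # not one of the opcodes named in the post
    return bytes(rom), table_offset, move_count


if __name__ == "__main__":
    image, offset, count = build_sample()
    for row in survey(image, offset, count, 7):
        print(f"move {row['move_id']:#06x} -> {row['pointer']:#010x} "
              f"{row['region']:5} writable={row['writable_target']} "
              f"opcode={row['first_opcode']} ({row['opcode_name']})")
```
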
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: PokeBec on February 03, 2016, 09:20:55 am
If I would create an Old Sea Map in a Japanese Emerald, would it be possible to go to Mew? Or would it work like in the US versions?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 04, 2016, 05:56:16 am
Wow. That sounds very neat!

I was thinking of ideas and wondered if the PC items at around 02025ECC (randomized by DMA) may be useful.

Metarkrai taught me that the PC item quantities values aren't protected unlike bag items; so something like x99 is $63 and not a hard to predict value, and you can get many (all?) glitch items with double corruption, and duplicate them with Pomeg duplication glitch to access many quantities.

If you had a Great Ball in PC item slot 1, the first byte would be 03 00. However, the closest from your list seems to be pointer A00F (0x2025301), which items-wise may be out of reach even with lucky DMA placement.

What region of the memory isn't randomized by DMA? I notice that some addresses like those around 2000000 apparently aren't.

Basically, everything before 0x02024A5A isn't affected by that DMA address change. (for US/EU Emerald).
It basically starts off at values like ID, SID, trainer sprite, in-game time, and goes down to most of the manipulable stuff you would have.

The main thing that you can manipulate that is above that address is Party Pokemon, in the area of 0x02024542.
You also have data related to the current (or previous) battle in 0x02024086 area, and there should also be some storage places for Pokemon data (when you multi-select them in PC, when you fight a trainer, a wild Pokemon,...) in that area.

The two main things that could be easily manipulated are Pokemon data (with in-game traded Pokemon or a known SID + RNG, and multiple double corruptions), or PC Items (identifiers and quantities).

Some values are hitting the 0x02024xxx area, so they could be used to do stuff with party pokemon data, or data about the battle (you could use the Pokemon moves and stat boost levels to do certain tiny things).

Since there seems to be a good amount of them in that area, there might be an address that would fall off right on a manipulable byte (or in 00 before a manipulable byte).

- Else, I saw many values in 0x02020xxx and 0x02021xxx area, which I don't think can be used (unless you can manipulate values there with PC Pokemon data when multi-selecting them or with glitch Pokemon names, because nothing else related to the current save file goes there).
And values pointing to 0x02030xxx could be used with PC Pokemon data (If I'm not wrong, it goes down to that address and further below, as it starts around 0x0202987C )

- Anyways, that research and data is really incredible and interesting !!
Thanks Wack0 for the detailed post and research, I'm sure it will bear fruit and allow some good ACE on cartridges (for small stuff like event unlocks).

- There are also many listed addresses pointing towards 0x0300xxxx.
In Emerald, there's nothing really manipulable here, but in RS, the party pokemon data is stored here (around 0x03004372).
Thus, these addresses could be used for ACE in RS.


- About the data manipulation in itself, if you're going for something as 03 xx xx xx xx FF 00 08  only, it won't be that hard to code it with PC Items (ID and quantities) or in Pokemon data. (If the length is less than 2 double-words, I think it can be fully manipulated on a Pokemon data. With further length, some cases wouldn't be possible, but a lot of them could be achieved).

The issue with PC Pokemon is that I don't know if PID, TID, and the other stuff at the start of a PC Pokemon data could avoid hindering code execution with some possible values.


- Are there some noticeable differences for animations with the user's location on the field ? (if it is the opponent, or if it's another ally in the case of a double battle)

- Also, about the gen 3 datamining, do you know where scripts are loaded when you enter a new map ?
Because I know the addresses of the loaded NPC (with their specificities like their attached script), but I never found the same thing for the loaded scripts (like data regarding where an exit needs to teleport you to, or scripts like Safari Zone entrance).
I'll check in pokecommunity to see if they have things related to that.


- And with pointers related to glitch stuff, do you know if there's a way to make a similar list of pointers about Glitch Type sprites, or Glitch Pokemon sprites ?
As this would allow some ACE just by looking at a Pokemon's summary, which TheZzAzZ did, but I don't know if there are jumps to pointers in the same area as the one you've listed that could then be used.

- Another question : With ACE, can you tell the console to change a value located at 0x08xxxxxx ? (maybe temporarily)
Because there are some structures that I would like to alter in order to get interesting results (mainly some Battle Frontier scripts) and the sole way I see to achieve that is by patching some scripts.

- I might be able to go around that issue if I manage to find what part of the RAM manages the "Battle Frontier" type of fight (where if you forfeit, flee, or catch an opponent Pokemon, you're considered as loser), because it would allow me to steal Trainer Tower Pokemon in RS (they have the same ID/SID as the trainer, so they won't turn into Bad Eggs when stolen).


If I would create an Old Sea Map in a Japanese Emerald, would it be possible to go to Mew? Or would it work like in the US versions?

In order to get to Faraway Island, you either need to teleport yourself there (might be possible with ACE), or to have the Ticket + the island unlocked.

On some Emerald versions, you can use Glitch Pokemon to unlock Faraway and Birth Island (works in Fr,Ita,Spa, not in US, and I'm going to check for Jap), as the delivery man script that unlocks the island isn't implemented in the game, so you can't call that script in order to easily unlock it. (it is the mystery gift card that adds it to your save)
So unfortunately no, Old Sea Map alone won't help you.

However, the Faraway Island script is fully implemented into Emerald's ROM, and it is possible to trigger that delivery man script with a simple Pomeg Glitch corruption (hold Up for 14-15 seconds and check in the Pokemon Center upper floor if the delivery man appeared).


Apart from that, I have no other technique in my pockets to trigger the event islands on RS or FrLg.
If I had a NPC that reads the species names of a party Pokemon of yours with a certain command (there's one command in Emerald that freezes the game when a glitch Pokemon name is stored, and another one that doesn't), I would be able to set up the same trick as I did in Emerald (you can find it here : https://www.youtube.com/watch?v=4lJQhF8EFQ4 ).


As a side note, I also used some Battle Pyramid mechanics related to Battle Bag and the Safari Mode start menu in order to transfer items from Bag to Battle Bag, and bring things like Smoke Ball and Master Ball in Battle Pyramid in order to shinyhunt there : https://www.youtube.com/watch?v=_Y6gfc3xBvc

It would maybe be possible to steal Pokemon in most Battle Frontier facilities if using ACE with a glitch move could trigger a command that would take the opponent Pokemon data and store it in PC once the battle ends (or maybe change a trainer script in order to trigger a "blank" fight with the same opponent Pokemon as in your previous match, which would allow you to steal Battle Factory Pokemon).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 04, 2016, 11:33:46 am
So yeah, values like 0x02024480 or 0x02024492 are right above party Pokemon (it starts on 0x020244EC).
Unfortunately, none of these addresses falls right on them.
However, the bits of data right above Party Pokemon seem to depend on something (fights maybe) and are cleared when you soft reset, leaving these addresses in a whole area full of zeroes.

I'll try to see what kind of data is written above party Pokemon.
At first glance, there are two areas where the word "ENIGMA " is written twice (absolutely no idea about that since it appears on all my savestates).
The rest seems to be mainly about wild battles, and doesn't seem to be well manipulable.

Thus, if zeroes don't bother that much (as well as PID and TID), 0x02024492 could be used.
I'll check what happens in a contest, to see if other values can be obtained.


Else, regarding in-battle data, you have 0x0202407E which is right before the stats and moves of the fighting Pokemon, as well as 0x0202406C which is right before the party slot of the currently fighting Pokemon.

- Also, the values on these addresses could be altered with a Glitch Pokemon name overflow (speaking to Slateport journalist stores a Glitch Pokemon species name), which could maybe write something that makes a command redirecting to a more manipulable area.
I don't think a command that would do a jump to a precise address could be achieved with this, since a Glitch Pokemon's name is based on ROM data, but if commands like "jump x bytes further" exist, they might be attained with that method.

- By combining a Glitch Pokemon overflow and data that can be refreshed (by doing a wild battle or talking to a NPC), we could maybe attain that little command to allow a jump to a more manipulable part, too.
And that technique could rely on addresses before 0x02024xxx if we can find some addresses that can be refreshed and that possess certain values we want, and if we can combine that with a glitch pokemon name that contains another part of wanted values.

- Addresses 0x02030xxx refer to Pokemon in Box 12 and 13.
Thus, this is a "reliable" set of addresses to use for ACE.
The unreliability comes from the movements of PC Pokemon data because of DMA, but I have a strategy to start managing that part.
This strategy is based on the same strategy I used to determine if a Pomeg Glitch corruption on a Day-Care Pokemon was right or not. (since you want to corrupt a day-care Pokemon while an Egg is laid, you can't know if it succeeded before taking the Egg, whereas my goal was to corrupt the Pokemon and change the Egg contents into a legendary or glitch Pokemon in order to shinyhunt them)
Roughly said :
- You put a Pokemon in Box 2 to act as dummy.
- You make a team with the required glitch move in it, then prepare it for a Pomeg Glitch.
- Set up the Pomeg Glitch and make a wild battle.
- Start pushing Up, and while you count your Up pushes, check the party slot n°1. It will sometimes be highlighted, and sometimes not. (When it is highlighted, it is because the underflown selection pointer is on a "party slot" that isn't "empty")
- Have a list of specific Up pushes that need to have a red highlight or not when the DMA repositioning is correct. (these highlights will be the ones related to the pointer reading parts of the dummy Pokemon in Box 2)
- If the highlights and non-highlights you saw with your first Up pushes (the first 10-15 Up pushes) don't match, reset. You know that the RAM data positioning wasn't the right one.
- Else, open the Bag, revive the Pokemon with the Glitch Move, and try to use it. This way, your chances to not be in the good RAM data positioning are really decreased.

This strategy can't bring you a complete RAM data repositioning check since the only information you can get is from these red highlights depending on the dummies you've deposited in Box 2 (for my Day-care strategy, I completed it by checking the state of the dummy after the corruption, but here you can't), but it is still a nice indicator.
I don't really know how accurate it can be, but it could for sure be useful.


As of now, I don't have other addresses from your list that I could comment on for manipulations.
But I'll check and try to see more accurately if there are other bits of data in 0x02020000 - 0x020220000 that can be used with a certain method (mostly with Glitch Pokemon names on PC, or Pokemon data being copied there).




EDIT :
By the way, I also updated the Double Corruption methods with better setups (that give higher success chances), and I will make a video and a pastebin about the complete method.
The pastebin for the short method was already updated for a bit of time : http://pastebin.com/2kJpBQCr

The two main differences on the procedure are :
- Catching Smeargles right after soft-resetting the game in order to determine the frame they were generated on with RNG Reporter (and know their PID like this, which indicates their corruption type and which initiator is required to corrupt their PID).

- Requiring a TID corruption as first corruption.
This allows an easier 4th Move PP manipulation, which allows for a fast second corruption. (using 5 clones instead of 1)
The differences between TID and PID corruption Eggs are in general easy to see by checking the Egg summary and its battle sprite (in general, if it doesn't have Pokerus (if it didn't have it previously) and if the Egg contains the same Pokemon as before the corruption, TID was corrupted).
Some corruptions where a certain 4th Move is required (IVs/contest stats manipulation), will give a bit less results, but that's the only downside.

Since you often need to perform multiple double corruptions in order to get some glitch moves and glitch Pokemon (useful for Pomeg Glitch, for your next double corruption, for fun, or for other glitches), that update is really helpful to cartridge players.



For now, I modified the SEASOR perfect initiator procedure, making it also easier to perform :
Caterpie the Perfect Initiator :
Items :
Pokeblocks with 6 Chesto Berries at Lilycove with the old man. They must be Lv 12 Blue Pokeblocks, with 22-23 in Feel.
26 Hondew, and 26 Grepa Berries.
At least 13 Pomeg Berries.
Other Pomeg, Kelpsy, Qualot, Hondew, Grepa, Tamato Berries
5 Carbos, 5 Calcium, at least 2 HP Up.
TM Protect (sold at Lilycove).
Fluffy Tails.

- Get the in-game traded Seedot.
- Get the in-game traded Horsea. He must have less than 65.536 Exp points. (Lv 40 or lower)
Horsea and Seedot (and any other Pokemon you'll train for double corruption) must not catch Pokerus during their training.
- If Seedot and Horsea already fought a bit and gained some EVs, use the Pomeg, Kelpsy, Hondew, Grepa, Tamato Berries to put them back at 0 EVs.
- Clone them both to have a safe copy.
- Give 1 Carbos and 3 Calcium to Seedot. (Now Seedot is ready)
- Give 1 HP Up to Horsea. (He'll transform into a Caterpie)
- Give 1 Carbos to Horsea, and make him fight 3 Zigzagoon (For 13 Speed EVs that will absorb the 0x05 Corruption)
- Change Horsea Moves to Waterfall, Protect, Surf, --(Fr)/Return(US). (Having a specific 4th Move is really important)
- Save and clone them 6 times. (1 copy in a safe box and 5 copies for the next steps).
- Place the 5 Seedots and Horsea in Box1 or 2 with a Seedot-Horsea-Seedot-Horsea-...-Horsea pattern (a block of 10 Pokemon + Seedot before Horsea as Seedot is the initiator for Horsea's corruption).

- Save, and perform Pomeg Glitch (this is why Fluffy Tails is mentioned) to corrupt the Horsea. (you have 6-7/32 chances to corrupt Horsea's TID).
- Once one of the Horsea became an Egg,  check its summary.
If the Egg doesn't have Pokerus and isn't about to hatch, keep the Egg and save. (its TID was corrupted)
If the Egg has Pokerus, reset and redo the corruption. (PID was corrupted)
(the TID corruption being first is really important because it won't screw up the 4th Move PPs and will allow you to make a fast second corruption)
- Save, clone Seedot and Horsea's Egg 5 more times, and display them in the same pattern as earlier.

- Save, and perform Pomeg Glitch again to corrupt a Horsea's Egg. (here it's 6-7/32 chance to get it, as you really can't move that Egg).
- Once an Egg became a Caterpie, save.
- Give him Pomeg, Hondew, and Grepa Berries to put its EVs back at 0. (they come from Horsea species + Exp since EVs are read on Growth)
- Give him 2 Carbos and 2 Calcium, and save. (Here it is, the first perfect initiator)
- Clone the Caterpie 2-3 times. (at least one copy in a safe box)
- Give the 6 Blue Pokeblocks to another clone (72=0x48 Beauty, 138=0x8A Feel), and give that clone a Heart marking. (here comes the second perfect initiator, the heart marking allowing you to distinguish both of them easily).
- Save, and clone these 2 Caterpies (marked and unmarked) a dozen of times.


Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: PokeBec on February 14, 2016, 09:52:02 am
So today I was planning on doing a double corruption in order to get an obedient Mew.

I had a Smeargle (but with too much experience, it was level 51) with 201 attack EVs, 1 special attack EV and 158 speed EVs. It had 126 beauty and 72 feel.
It was caught in a pokeball and its 1st move was acid armor and its 2nd move was thief, 3rd and 4th was empty.

I cloned 5 of them and put them in box 2 slot 24, 22, 20, 18 and 16. In slots 23, 21, 19, 17 and 15 I had "Pluses", level 13 Plusle from the trading NPC, it had only growl, no other moves. The Plusle had 0 EVs.

I have performed plenty of double corruptions before but this time something weird happened:
On the first try (first corruption) it directly turned into a Mew, it never turned into an Egg. It had ?????? as item, which was weird since by all logics I have done before the Mew should have been holding a Liechi berry, which has index number 168.

The mew was caught in a premier ball, its origins says it was hatched at level 5 at Faraway Island. It has ?741824 Exp. 2 ribbons and the moves are glitched when I open them but what I can see is Synthesis (Index Number 235, same as Smeargle) and Low Kick (Index Number 067, not sure why).

The next step:
I wanted to see what happens if I tried to double corrupt this Mew, as I am on GBA I can not check its PID and others. So I cloned 5 copies of this Mew and put it in the same slots, with Pluses in between. The result was that after a couple of tries the mew again turned into a level 51 Smeargle, the exact one as it was from the beginning. It had Acid Armor as its first move but the second move glitched the game.

So 2 times I completely changed the pokemon directly into another pokemon, without having to change it into an Egg first.

Might be a normal thing but it has never occurred to me before.


Also, what is the purpose of the "Perfect initiator"? Seems to be working without the Caterpie for me.



EDIT: Also if I RNG for a Smeargle to be good for double corruption, how would I know if the PID is good? I know how to RNG for the exact Smeargle, but what I do not know is what is a "good Smeargle".
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 15, 2016, 02:07:27 pm
- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.

  And that amount of Beauty is the reason why a single corruption turned your Pokemon into another Pokemon, skipping the Egg phase.

The Smeargle you used has a corruption type of 3 (Growth on Attacks, Attacks on Growth, Evs on Misc, Misc on EVs), and you corrupted its PID first.

Thus, its Miscellaneous substructure was read on its EVs substructure.
And the Egg state bit was read on a bit linked to your Beauty stat. (bit 6, to be accurate).
Since your Beauty was at 126 = 0x7E, the Egg state flag was raised to 1 by the substructure swap.

  But since you also corrupted your PID and not your TID, the encryption change flipped the 30th bit of every double-word of each substructure.
Since the Egg State flag is one of these bits, it became flipped to 0, which means that you directly ended up with a Pokemon on a single corruption.


   And since the encryption change was still there, parts of the data you wanted to have (like Held Item, Exp, Move 2 and Move 4, Ribbons,..) aren't right.
For example, your Move 2 which should have been 0x0000 (read on the held item, and you didn't have one), became 0x4000.
Your held item, which should have been 0x00A8, became 0x40A8.
And so on.

-  This is one of the reasons why a double corruption is more convenient than a single corruption :
The encryption change caused by the PID corruption only prevents you from manipulating certain parts of the Pokemon's data.
One of the main issues here is that the Pokemon ends up with glitched moves in slot 2 and slot 4, and you can't remove them with the Day Care because its Exp makes it Lv 100 (due to an additional 0x40000000 exp).


 Then, when you tried to corrupt that Mew a second time, instead of corrupting its TID, (which is maybe not possible with your ID/SID couple when using a Plusle initiator) you got a lucky PID corruption.

 That PID corruption reverted Mew to its backwards form, which also changed the encryption value to its initial value.
Thus, you ended up with your Lv51 Smeargle again, but with a glitched Move 2 since you withdrew the item Mew was holding (because of the held item - move 2 change, having item 0x0000 gave your Smeargle  0x4000 as Move 2).


-- Why is this PID corruption a lucky corruption ?
Because there is a single "corruption pattern" that you can use with initiators in order to corrupt a Pokemon's PID (or TID) that won't corrupt another byte in that Pokemon's data.

That byte corruption sets two bits to 1, which gives it a rough 1/4 chance to be avoided on a Pokemon when it happens. (Thus the "lucky" corruption that happened to you, because it isn't something reliable)

   The other thing that corruption initiators do is to allow you to corrupt every possible PID/TID.
Because if you focus on a certain "corruption pattern" induced by a corruption initiator (or by an empty slot), the corruption that will happen on a Pokemon's PID will set its 30th PID bit to either 1 or 0.
And since half of the PID need a 30th bit set to 0, and the other half a 30th bit set to 1 in order to be corrupted, you will need two different corruption initiators if you want both of these effects. (with the "safe" "corruption pattern" that will work on every Pokemon).

   If you count on two different "corruption patterns", you can effectively corrupt a Pokemon's PID with a 30th bit set to 0 or to 1, like it happened to you, but one of these bit set will have a 3/4 chance to not work, depending on the Pokemon you want to corrupt.

Whereas if you obtain both SEASOR perfect initiators, that 3/4 chance to not work completely disappears.


-- Well, there is also another reason that can make a corruption fail, which is linked to these 30th bits too.
You need to have an even amount of 30th bits at 1 in the substructures of your Pokemon if you want a PID/TID corruption to work. (There are 12 double-words, so an even amount of bits at 1 is also an even amount of bits at 0)
If there is an odd amount of these said bits, the Pokemon's checksum will change by 0x8000 when either its TID or PID is corrupted, which will change it into a Bad Egg.


The values that can affect these 30th bits are known, and only a few of them must be watched, like the Ball of capture, Speed Evs, Beauty, Feel, 4th Move PPs, Move 2 ID, move 4 ID, Held Item ID.

  If you catch a wild Pokemon using a Ball with an Id from 0x0001 to 0x0007, and don't give it Beauty nor Feel, none of its 30th bits will be set to 1.
In your case, your Smeargle was caught on a Poke Ball (0x0001), had 158 Speed EVs (0x9E, not an issue), 126 Beauty (0x7E, sets the bit to 1), and 72 Feel (0x48, sets the bit to 1).

Thus, you had 2 of these bits set to 1, which allowed you to corrupt your Smeargle without ending with a Bad Egg.

  But, since you only had 72 Feel, you didn't reach the Obedience flag after the PID corruption (that flag is the highest one, so you needed a Feel value between 0x80 and 0xFF to get it).
(But I think you couldn't test it since your Mew had glitch moves, and since you couldn't remove them using Day Care).


--  In your case, you pulled out a corruption with the effects you wanted thanks to a good amount of luck.
Whereas the purpose of perfect initiators is to remove that luck dependency and allow you to corrupt any Pokemon you would like with TID and PID corruptions (and 30th bit set to 1 or set to 0 depending on what you need).

  For in-game traded Pokemon, their PID is something like 0x000000XXX and their TID is like 0x0000YYYY, so you can corrupt their PID and TID using a single perfect initiator, which is why the Plusle with Growl is used. (he can safely set PID and TID 30th bit to 1).

  But if you want to also safely set that 30th bit to 0, you need another perfect initiator, and the easiest one you can obtain to do that in Emerald is a SEASOR. (You can obtain both perfect initiators from SEASOR too, but if you use Plusle you will only need another one)


--- For obedient Mew and Deoxys, you have 2 choices :
Growth read on Attacks  + Misc read on EVs (corruption Type 3)
Growth read on EVs + Misc read on Attacks (corruption Type 8 )

The first one is easier to set up if you want the met location and met Lv too, as you will manipulate the met location and met Lv using EVs, whereas you would be doing it with Move 2 with Corruption Type 8.

  Here, let's do it with a Corruption Type 3 Smeargle, it's the easier one to pull for Obedience.
For a Pokemon met at Faraway Island at Lv 30, you need a value of 0xB3 for Met Location, and a value of 0x0000 019E for Origin, which means 201 Atk EVs, 158 Def EVs, 1 Speed EV with Corruption 3.
For a Pokemon met at Birth Island at Lv 30, you need a value of 0xB2 for Met Location, and a value of 0x0000 019E for Origin, which means 200 Atk EVs, 158 Def EVs, 1 Speed EV with Corruption 3.
And you'll be using the Feel in order to get the Obedience flag (Feel between 128-191), but with a Beauty stat between 0-63/128-191 if you don't want to suffer the same issues that you met. (You can raise the other contest stats, they will influence your ribbons, which won't be problematic.)

- If you want to perform the fast double corruption method (where you clone the Egg you've obtained 5 times), you will also need to teach it Flash as 4th Move, and wait for a TID corruption as first corruption (Take the Egg in your party and make a wild battle. If it still contains a Smeargle, it will be a TID corruption. Else, its species would have changed because of its corruption type.) (6-7/32 chance to succeed)

- Else, the slow double corruption (the previous procedure) requires you to not touch the Egg once he appeared, clean the rest of Box 2, and put another corruption initiator before the Egg. (1/32 chance to succeed, and you need to use the right initiator too).
The only good point for a slow double corruption is that the Pokemon won't end at Lv 100, whereas the fast one will put it at Lv 100 because of Flash.

 You will need in both cases a perfect initiator in order to make the PID and TID corruption.
You can reuse the Smeargle you've used before if you readjust its Beauty and Feel stats.
However, I don't know if its TID can be corrupted with Plusle, so you might need a SEASOR initiator to corrupt it.


---  And concerning the Smeargle capture, you don't really need to make a perfect RNG on them, you only need to use RNG Reporter in order to find back the frame they were generated on, and thus know their PID. (because it is PID that determines the corruption type)
With this process, you can easily catch Smeargles that have the mainly interesting corruption types, like Type 3, Type 8, Type 10,...

---  I have tables summarizing these corruption types, and I also made one to let you determine a corruption type based on a PID. I don't really know how to distribute them since they are part of a larger file, but here's a download link for them :
http://www.petit-fichier.fr/2016/02/15/precisions-sur-les-sous-structures-de-la-gen-iii-en/precisions-sur-les-sous-structures-de-la-gen-iii-en.html
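
The checksum parity rule and the skipped Egg phase explained in the post above can be checked with a short simulation. This is an added example, not code from the thread: the PID, OTID and filler words are constructed, and the data layout (words XORed with PID ^ OTID, a 16-bit additive checksum over the 12 decrypted words, EV/contest bytes in HP, Atk, Def, Spe, SpA, SpD, Cool, Beauty, Cute, Smart, Tough, Feel order) is the commonly documented Gen III layout, assumed here.

```python
import struct

BIT30 = 0x40000000  # the "30th bit" discussed in the post


def ev_words(hp, atk, dfn, spe, spa, spd, cool, beauty, cute, smart, tough, feel):
    """EV/contest substructure: 12 bytes packed as three little-endian words."""
    raw = bytes([hp, atk, dfn, spe, spa, spd, cool, beauty, cute, smart, tough, feel])
    return list(struct.unpack("<3I", raw))


def checksum(words):
    """16-bit sum of every halfword of the 12 decrypted words."""
    return sum((w & 0xFFFF) + (w >> 16) for w in words) & 0xFFFF


def xor_crypt(words, pid, otid):
    """Encrypt or decrypt: each 32-bit word is XORed with PID ^ OTID."""
    key = (pid ^ otid) & 0xFFFFFFFF
    return [w ^ key for w in words]


def bit30_count(words):
    """How many of the 12 words have bit 30 set before the corruption."""
    return sum(1 for w in words if w & BIT30)


def corrupt_pid_bit30(plain, pid, otid):
    """Flip bit 30 of the stored PID only; ciphertext and checksum are untouched.

    Returns the words the game would now decrypt and the checksum mismatch
    (0 means the record still validates, anything else means Bad Egg).
    The substructure reordering caused by the new PID is not modelled: the
    checksum covers all 12 words, so their order does not affect it.
    """
    stored_words = xor_crypt(plain, pid, otid)
    stored_sum = checksum(plain)
    seen = xor_crypt(stored_words, pid ^ BIT30, otid)
    return seen, (checksum(seen) - stored_sum) & 0xFFFF


# Constructed sample values (not taken from any real save file).
PID, OTID = 0x1234ABCD, 0x0BADF00D
# Nine filler words standing in for the other three substructures, bit 30 clear.
FILLER = [0x000000EB, 0x00012345, 0x00000000,
          0x00A80097, 0x00000000, 0x00001414,
          0x0000C900, 0x1FFFFFFF, 0x00000000]

# EVs and contest stats as analysed in the post: 201 Atk, 158 Spe, 1 SpA,
# 126 Beauty (0x7E), 72 Feel (0x48).
SMEARGLE = FILLER + ev_words(0, 201, 0, 158, 1, 0, 0, 126, 0, 0, 0, 72)
# Same Pokemon without Feel: only one word has bit 30 set.
NO_FEEL = FILLER + ev_words(0, 201, 0, 158, 1, 0, 0, 126, 0, 0, 0, 0)
# Index of the word whose top byte is Beauty; per the post, this word is
# read as the IVs/Egg word once Misc is read on EVs, and bit 30 is the Egg flag.
BEAUTY_WORD = len(FILLER) + 1


def report(name, words):
    seen, delta = corrupt_pid_bit30(words, PID, OTID)
    egg = bool(seen[BEAUTY_WORD] & BIT30)
    state = "valid" if delta == 0 else "Bad Egg"
    return (f"{name}: {bit30_count(words)} word(s) with bit 30 set, "
            f"checksum off by {delta:#06x} ({state}), Egg flag after flip: {egg}")


if __name__ == "__main__":
    print(report("126 Beauty / 72 Feel", SMEARGLE))
    print(report("126 Beauty / 0 Feel", NO_FEEL))
```

Each flipped bit 30 moves the checksum by plus or minus 0x4000, so an even count of set bits cancels out modulo 0x10000 while an odd count leaves the 0x8000 difference mentioned in the post.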
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: PokeBec on February 16, 2016, 02:32:14 pm
- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.

Sorry, I might have made the mistake to read this post from the back to get an old answer, trying to catch up with this glitch is not the easiest thing ever.

I did not have 126 beauty and 72 feel, I had the opposite, the Smeargle had 126 feel and 72 beauty. I'll change it and try it again but with a "perfect" Caterpie again later.

The post was this one, from you which was dated a while back:
Getting an obedient event Mew (example) :
For example, if you were to need a Faraway Island Lv 30 Obedient Mew from Emerald, this means you need to manipulate Species, obedience, and Met Location + Met Lv + Met Game.
So you'll either do a Type 8 (Growth on Evs and Misc on Attacks) or Type 3 (Growth on Attacks and Misc on EVs) Corruptions.
Since you're not manipulating too much Miscellaneous data, you can use EVs to get them all, so a Type 3 will be easier to set up.
You would need for that :
Move 0x97 (Acid Armor) as Move 1, 201 Atk EVs, 158 Speed EVs, 1 SpAtk EV, between 64-127/192-255 Feel.
Here, Speed EVs and Feel are manipulated, and Feel is in the 0x40-0x7F/0xC0-0xFF zone, but not Speed EVs, so you'll also need to have a "forbidden" Ball or 64-127 Beauty to make the Pokemon corruptible.
So use Pokeblocks that give Beauty like 4-player Blue Pokeblocks (12 Beauty, 21 Feel), so that with 6 of these Pokeblocks, you have 72 Beauty and 126 Feel.

Also a thought, to make the obedient Mew work for everyone, couldn't you make seasor learn Acid Armor by double corruption, then switch it into first move and do another corruption with the right amount of  feel?

Also some more thoughts.

@Metarkrai, you talked previously about a NidoranM swarm, how do you activate swarms, and more exactly what glitch pokemon did you use, and does that battery have to work for the swarms to start?

Also I wondered about one of your previous posts somewhere, you mentioned shinyhunting "ghost", is that by having a pokemon with glitch move 1077 (0x0435 if my maths are correct) in fire red before the ghost, and then if shiny, change the battle and catch it?

Thanks for helping me keep up with the glitch!


EDIT: is the Caterpie meant to be level 100, holding "?????"?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 16, 2016, 07:38:52 pm
- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.

Sorry, I might have made the mistake to read this post from the back to get an old answer, trying to catch up with this glitch is not the easiest thing ever.

Don't be sorry, it's normal. This topic goes pretty much from the first discussions about the glitch to the current uses we have of it, so numerous explanations and attempts are present and a lot of them evolved significantly.

I thought that the instruction about EVs and Contest stat was from me, but I didn't remember where and when.
As you have seen, I gave incorrect EVs for the Met Lv and Met Game (right values but not at the right place).
I absolutely don't know why I gave an incorrect amount of Feel, but I did, sorry.

I'll redo the Pokeblock strategies for that in order to increase Coolness and Cuteness instead of Beauty.



Also a thought, to make the obedient Mew work for everyone, couldn't you make seasor learn Acid Armor by double corruption, then switch it into first move and do another corruption with the right amount of  feel?

You could use a double double corruption in order to get convenient things from Horsea, but in fact it wouldn't work.
That's because in-game traded Pokemon already have some Contest stats.
When Horsea is double corrupted, its Growth substructure is read on EVs substructure, and its Exp becomes at least 0x05050000 (=84213760), so he would become a Lv 100 Pokemon.
And since its Attacks substructure is read on its Miscellaneous substructure, Horsea gains 4 glitch moves from a double corruption.
Since he is at Lv 100, you have no way to remove these glitch moves.

Some Glitch Pokemon would still be at Lv 0 with this amount of exp (due to their glitch experience curve), but you wouldn't be able to make them level up in day care due to the enormous amount of exp required.

That unremovable Contest stat on in-game traded Pokemon (and the fact that they aren't Smeargles) is the thing that doesn't make them convenient for advanced double corruptions (where you try to manipulate more data in a single double corruption).
You can't manipulate a lot of data with one double corruption, and the contest stat is a hindrance for a second double corruption.

Also some more thoughts.

@Metarkrai, you talked previously about a NidoranM swarm, how do you activate swarms, and more exactly what glitch pokemon did you use, and does that battery have to work for the swarms to start?

The swarm corruption for that NidoranM swarm was made with a Glitch Pokemon name overflow. (You put a Glitch Pokemon first in your party, and go talk to the journalist in Slateport Poke Fan Club. The Glitch Pokemon species name is then written in RAM, starting from 0x02021CC0, and overwrites everything in its way.) (I don't really have a convenient name for that method yet.)

The goal here was to overwrite a part of the RAM addresses managing the active swarm of the version.
These addresses are far from 0x02021CC0 (they are in 0x02028xxxx, a bit before Day Care data and PC Pokemon data).
But I also found that when you save and reset your game (or do some actions like quitting Safari Zone), your Trainer name is written in addresses at 0x02027yyyy.

Thus, by using a Glitch Pokemon with a species name long enough to overwrite the Trainer name (and make it longer than usual), it was possible to overwrite RAM data located at 0x02028xxxx with this method.

If you wanted to overwrite a swarm and be able to hunt the Pokemon, you need to have specific values regarding the location and frequency of the swarm Pokemon (else you won't find it).
Since there isn't that many in-game locations with wild grass, there is only a few combinations that work with this method.
(There were none on a French Emerald, and one for a NidoranM in US Emerald).

Once the swarm is corrupted, it will still last as long as the normal swarm, since the only thing that was corrupted was the swarm "contents". Thus, if you remove the internal battery of your Emerald version, (or disable Real Time Clock in vba), the swarm will never disappear.

But this method isn't efficient at all because overwriting the Trainer's name also means that :
- You need to use a strategy to get a short Trainer name back (else you can't use your PC), as well as a valid trainer sprite.
For this,  the Glitch Pokemon species name must leave an empty party slot, so that you can withdraw a Day Care glitch Pokemon, go back to Slateport, and overwrite your trainer name again. (This is another reason that diminishes the amount of working Glitch Pokemon for that procedure)
- You lose your Trainer name, ID, and SID (they are all overwritten)
- Your Berry and Tm/Hm Pouches become unusable and can't be recovered.
The value that manages the encryption of Bag quantities is right near the Trainer name. If you corrupt it, all the empty slot in these 2 pouches will have non-zero quantities, and will be ordered first when you will open them, making you unable to see nor select a Berry/Tm/Hm.
It is possible to make these corrupted empty slots disappear by withdrawing/buying Tms or Berries, but there are more empty slots in these pouches than the amount of different Berries (or different Tm/Hm), so you can't remove all the corrupted empty slots in these pouches.

I also wanted to use overwriting strategies like this one for Battle Frontier facilities and other things, but losing these things is too detrimental for your save, so I tried to focus on different methods.


And more recently, I found another way to change the swarm Pokemon.
This method uses the same procedure as the Faraway Island + Birth Island unlock :
- Use a Glitch Pokemon species name to overwrite the party slot of the last fighting Pokemon (ex : 0x2C)
- Kill all your party with Pomeg Glitch.
- Make a wild battle. The "Pokemon" from the overwritten party slot is sent (ex : "Pokemon" at party slot 0x2C)
A "Pokemon" is here a block of 100 bytes, treated as Party Pokemon data.
- Use a Revive. (In order to not black out on the first turn)
- Abuse HP variations in some ways in order to change the "remaining HP" of the "Pokemon".
Since that "Pokemon" will nearly always be a Bad Egg, the only data you can change about him during a battle is : Remaining HP, Statuses (giving one if he doesn't have one, or Bad Poison ticks/Sleeping turns), Move order (unsure about this one since most of the time you have a freeze when seeing them).
(Stat boosts are stored elsewhere, and the stats aren't recalculated from the Pokemon's data.)
- Try to make a battle where the "remaining HP" value will be read on a word you'd like to corrupt.
Half of the words can't be treated as "remaining HP", since the RAM address variations caused by DMA are always a certain number of double-words.
Thus, you can't use that strategy to corrupt any value you'd like.
- Manipulate other things in order to be sure that everything will go well.


As you can't corrupt everything with this method, the only interesting things I found corruptible were Faraway Island, Birth Island unlock flags (as well as Southern Island, but you can directly trigger the delivery man script with a Pomeg Glitch corruption), and some values like Item quantities, or TV news.

You can't directly corrupt the species of a swarm, but you can corrupt the species in the TV news that will trigger the swarm.

I have forgotten some parts of the details (I think I'll look back into it), but my strategy was to make the Swarm Pokemon value read as "current status", and try to attack in order to burn sleeping turns, thus modifying the Swarm Pokemon.
Using Swarm Pokemon like Skitty or Surskit, you could get Pokemon like Wailord, Masquerain, or Ludicolo.

However, this TV news method has an issue : there are multiple slots where TV news are ordered, and you can only make a successful corruption if the Swarm TV News is placed first (because the data above it will always be the same, whereas data of other TV News vary).
But I never figured out how these TV News slots worked. Sometimes, a previous TV News disappears and a "to come"/current TV News is placed in the first slot, but sometimes not (TV News that were already seen are still taking some slots).
Thus, as I don't have a strategy to efficiently move a set TV News (a swarm one) to the first slot, this technique can't be efficiently used on console.


Also I wondered about one of your previous posts somewhere, you mentioned shinyhunting "ghost", is that by having a pokemon with glitch move 1077 (0x0435 if my maths are correct) in fire red before the ghost, and then if shiny, change the battle and catch it?

Thanks for helping me keep up with the glitch!

Yup, the GHOST in Lavender Town are only made with a different battle type.
So if you use a Glitch Move to change the battle type to a normal one, the Pokémon becomes normal again (it keeps its GHOST nickname though).
And if the Pokemon was shiny, you will be able to see its shiny sprite (whereas the GHOST doesn't have a shiny animation nor shiny sprite).

I don't remember for what version that glitch move was, because a battle modifier glitch move will be different depending on the version (R/S/E/Fr/Lg) and language (Fr/US/Spa/Ita/Jap/..), but I have now algorithms that make the search of such a glitch move way easier.


EDIT: is the Caterpie meant to be level 100, holding "?????"?
Yeah, the corrupted SEASOR will be at Lv 100 because of the contest stats, and will hold ???? because of the Speed EVs.
You need to leave him with the item though, as it's part of SEASOR's data.

If you're unsure about something on SEASOR, you can watch Chickasaurus' vbm file where he gets it and makes a double corruption with it on page 29 or 30.
The double corruption process is outdated, but you have the steps to obtain a working SEASOR, and its characteristics.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 18, 2016, 11:40:24 am
Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 ...." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer, the two closest are moves 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). And at both of those addresses, is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it. (because as usual, it just grabs from the array without doing index bounds checking).

Could you give details or examples about commands that could be entered on Emerald versions ?

   I would really like to try some examples and see what kind of training is required in order to create these commands on a Pokemon's data, and I need your help (or someone's help) about knowledge in code execution.
I don't really know how long a command like (write value xx at 02yy yyyy) could be (with the 03 and 08 to start and end the animation), and this could cause issues if it is too long.

Could we also call built-in commands, like givepokemon, setwildbattle, warp, special,.... ?

   I also don't really know if some variables like Feebas Tile, Mirage Island value, Battle Frontier selected Pokemon,... can be directly called and modified, instead of making a command to rewrite a value at a certain address.
This could also ease the DMA issue with RAM addresses not being fixed, and provide help in order to make short commands with an interesting impact on the game.



I worked up a way to predict the RAM address position, in order to know if they are well positioned for a certain code execution or not. (mainly, if the RAM address that will be called by a glitch move animation will fall on the desired value or not)

It would work like this :
RAM address position determination : (using Pomeg Glitch)
- Prepare a Pokemon with a certain ACE Glitch Move (with a battle animation on Bag Items, or PC Pokemon).
Take it in your Party.
- Prepare a Pokemon/list of items in order to make a working command.
Deposit that Pokemon in a certain PC Slot / Make the list of items start from a certain PC slot.
- Place 2 Pokémon in Box 2 at 2 specific slots. (The slots depending on the relative position of the adress of the Glitch Move animation with the command starting adress.)

- Take a Pokemon to set up a Pomeg Glitch. (Give it HP Ups until he gains 1 Max HP, and leave it at 1 Remaining HP. KO the rest of the team, and put the 1 HP Pokémon last.)
Bring a Revive.

- Save.
This is where the attempts restart if the RAM address positioning isn't good.

- Perform a Pomeg Glitch.

- During the Up press phase, take a close look at the first party slot. At some Up pushes, a red highlight can appear.
This red highlight means that the Pokemon Selection Pointer selected something that isn't an "empty slot" (The selected block, if seen as Pokemon data, is not a Pokemon with a species of 0, or not a Pokemon with a valid checksum)

If you see red highlights / non-red highlights at specific Up pushes during that Pomeg Glitch, then the RAM address positioning is the good one (out of the 32 possible).
Else, reset.
You can also flee, clean Box 2 from the Bad Eggs and "invisible data" that appeared, and set things up again (which allows you to perform the ACE without soft-resetting).

- If the RAM address positioning is the good one, use a Revive on the Pokemon with the ACE Glitch Move, and use it.


This strategy can also be done outside of a Battle using an Instant Pomeg Glitch if we want to perform ACE with a Glitch Pokemon summary, for example. (similarly to what TheZzAzZGlitch did, but with data other than nicknames to create commands)
A glitch type sprite could also work. (provided that one of them allows for code execution)


- I have a hard time for now to explain how it works, and especially how it can always (or nearly always, which becomes always with some fixes using in-game traded Pokemon) indicate if you have a specific RAM address positioning or not, as it involves multiple blocks of data (PC Pokemon data blocks, and party Pokemon data blocks), the RAM address position induced by DMA, and a relative position of that RAM address positioning with the starting address of the Pokemon selection pointer.

I used it partially here, as an update in my method to corrupt a Day Care Pokemon. : https://youtu.be/0b-2EgSZI8o?t=14m38s
This "red highlight" strategy was quite useful because you didn't have to always perform the whole corruption and go back to the PC in order to know if the RAM address positioning was right or not.



 -  However, this strategy has some flaws regarding the ACE Glitch Move.
In order for the battle animation to trigger, the Glitch Move must have :
- More than 0 PPs
- An effect that isn't a glitch effect (I think these freeze/crash the game)
- A name that isn't too long (After a certain length, like 2000 bytes, the battle managing data is overwritten and the game crashes. With a lesser length, 432 bytes or more, the battle type can also be affected and could cause some issues.)
- An effect that doesn't make the move miss for some specific reasons (most of them can be triggered, like Boost, Sleep Talk,...)
- An accuracy higher than 0. (Certain effects make the move hit without taking accuracy into calculation, but a large part of them doesn't.)

Thus, not every Glitch Move can be chosen for that task.
 


-   Another strategy that wouldn't need most of these restrictions would be to use the move in a Pokemon Contest.
I don't remember if the Move Name can screw up things or not. (I'll look into it), but the other characteristics don't matter at all.
However, there's no way to predict RAM data positioning while on a contest.


-  But it is also true that by knowing the hexadecimal values of the Pokemon/Items used to make our commands, we will also know if some unwanted commands with nasty effects could be triggered if the RAM address position isn't right on the spot.
If I understood things well, the game would crash most of the times, which isn't an issue. The only big issue would be a corruption in 0x0E00 0000 that would corrupt the save file.
  So if we are sure that the save file can't be lost in these attempts to get the code execution, the Pokemon contest strategy is also viable.



- I wanted to manipulate the Battle Frontier data in order to set the "selected Pokemon" to Pokemon n°7,8,9 (three first opposing Pokemon), and then to set the value managing the receptionist script to 0x02 (triggers the "take the challenge back after a pause" script, which gives you a fighting party from the "selected Pokemon" party slots).

I wanted these two manipulations in order to steal an opponent's Pokemon.
- Set the "selected Pokemon" to 07,08,09 and the receptionist script to 0x02. Go into a Battle Frontier facility.
If you're going into Battle Factory, you don't need to set the receptionist script now.
The procedure written as is doesn't work in Battle Pike. (The receptionist has a different script there)
- Make battles until you find a Pokemon you want to steal, and forfeit.
The "selected Pokemon" values won't change, but the receptionist script will.
- Use an ACE to set the receptionist script to 0x02.
- Use an Instant Pomeg Glitch Pokemon in order to set up an Instant Pomeg Glitch.
- Go into Safari Zone and despawn the guard with Instant Pomeg Glitch in order to leave with Safari Mode on.
- Walk to Battle Frontier, and enter Battle Pyramid.
- The receptionist will bring you to the Pyramid and give you the Pokemon from the "selected Pokemon" slots.
- Exit the Pyramid from the Safari Mode menu.
This way, you will keep your team.
Since there were no captures involved here, the stolen Pokemon don't become Bad Eggs, because their ID/SID wasn't changed to match yours.


This procedure is interesting because it would only use small commands (write a byte on a certain address) in order to have a good result, but I saw that it had a flaw : with ACE from Glitch Move animations, wild battles are required if you want to force a certain RAM address position and make your ACE work.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on February 20, 2016, 06:29:30 am
Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 ...." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer, the two closest are moves 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). And at both of those addresses, is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it. (because as usual, it just grabs from the array without doing index bounds checking).

Could you give details or examples about commands that could be entered on Emerald versions ?

   I would really like to try some examples and see what kind of training is required in order to create these commands on a Pokemon's data, and I need your help (or someone's help) about knowledge in code execution.
I don't really know how long a command like (write value xx at 02yy yyyy) could be (with the 03 and 08 to start and end the animation), and this could cause issues if it is too long.

Hopefully, we just need to find a move with an animation script that points to "03 xx xx xx xx", where xx xx xx xx is little endian for the address that gets jumped to. If we managed to find a move with such an animation script, and we could easily manipulate RAM contents starting at "xx xx xx xx", we'd just need to put some ARM code there, and use that move. (and somehow figure out how to fix things up so we can return back to the game easily)

But again, this is only in theory, I haven't even tested it with modifying RAM directly yet.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 21, 2016, 02:38:51 pm

Hopefully, we just need to find a move with an animation script that points to "03 xx xx xx xx", where xx xx xx xx is little endian for the address that gets jumped to. If we managed to find a move with such an animation script, and we could easily manipulate RAM contents starting at "xx xx xx xx", we'd just need to put some ARM code there, and use that move. (and somehow figure out how to fix things up so we can return back to the game easily)

But again, this is only in theory, I haven't even tested it with modifying RAM directly yet.

There are Glitch Moves pointing to 0x0203xxx with a convenient name length (more than a dozen), so we can get a "03 xx xx xx ..." value from PC Pokemon data at the pointed address using the Pomeg Glitch "test" I talked about few posts before.

Since you gave pointer addresses, I'd like to test it (see if some basic ARM commands can be executed, and make a proper setup to perform this using PC Pokemon data and Pomeg Glitch).

And if the length of PC Pokemon data that can be well manipulated isn't enough, we could manipulate them in order to make a jump towards PC Item data (or Battle Bag data), and make longer commands.

- Battle Bag is interesting because the item identifiers are all lined up, the quantities being a bit further.
Thus, even if you're limited to 10 items, this makes 20 bytes you can easily manipulate. (maybe more using both Battle Bags for Lv 50 and Open Lv categories).
The manipulation is done by bringing Safari Mode in Battle Pyramid, and isn't hard to pull off (http://pastebin.com/R5ppR91x ).

-  PC Item manipulation is also doable, but manipulating quantities would take more time. But I don't know ARM code, so I don't know if you could do some things like leaving a 0x00 / low value that wouldn't do anything.
But with 50 PC Slots, that leaves us to ~150-160 manipulable bytes (at least), by using a strategy to increase the quantity of a certain PC item without interfering with the quantity of previously manipulated PC items.
I'll do a more accurate calculation of the amount of Item Slots you can't manipulate (as they are needed to perform the strategy), and recheck my old posts to find back the one where I was talking about PC Item manipulation.


I would like to test it, but I don't know much about ARM. Do you have a link explaining things about ARM in GBA / 3rd Gen games ?



EDIT 1 :
As I thought, I can't increase the quantity of a PC Item that is over 999 by depositing items.
Thus, the maximal quantity attainable is 0x7FFF. (0x0001 -> 0x4001 -> 0x3FFF -> 0x7FFF)
Unless I had a strategy to go around this limitation, I'll check on that.

I also wrote up a more accurate setup, and this would only require 6 specific items to work well, leaving for a "full" corruption of 44 PC Items + quantities. (You can have the same item multiple times.)

The restrictions you would have on these 44*4 = 179 bytes are :
 - The leftmost byte of every double word can only take values between 0x00-0x7F ( between 00 xx xx xx and 7F xx xx xx )
 - Some bytes can't be at 0x00 at the same time (you can't have 00 00 xx xx nor xx xx 00 00 on a double-word, but the other combinations, like xx 00 00 xx or 00 xx xx 00 are possible).
 - Rare Items ID can't be obtained (0x00FE-0x010A, 0x010C-0x0120, 0x0153-0x015A, 0x015D-0x0178, for a total of 70 identifiers) (you can't have a double-word with xx xx 00 FE for example).


EDIT 2 :
After viewing TheZzazZGlitch video about ACE in Emerald, I now understand that pointer jumps can be used and are short to write.
Thus, an important amount of PC Pokemon can be used to make long commands, with different possibilities, and other potential values for double-words.

Using Seedot or Plusle, a near-total control of their 4 Moves is possible (8 bytes), with a little control over PPs (4 bytes), and some control over EVs (6 bytes).
Thus, the 8 bytes from the 4 Moves would (and could) be used, with potential help from Pokemon nicknames (to reduce the time required preparing the Pokemon).

After that, it's a case by case test to see how conveniently said commands can be written into PC Pokemon data (with jumps), since tests with Glitch moves are required.

Jumps could also allow to make commands using Battle Pyramid Battle Bags (Lv 50 and Open Lv) and PC Items.


Other potential methods to execute code :
- Using a Glitch Pokemon's summary
Not that viable since ThezZazZ said that it messed up with a lot of data, making the use of a return command non-viable.
But some Glitch Pokemon summary might mess with less data than others and still allow for code execution.
The DMA positioning can be checked using an Instant Pomeg Glitch outside of battle, and dummies in Box 2.

- Using invalid Move effects
Low amount of invalid effects. Launched during a battle. The DMA positioning can be checked using Pomeg Glitch and dummies in Box 2.

- Glitch Move types
There isn't a lot of them too, but could still allow for code execution.
The DMA positioning can be checked using an Instant Pomeg Glitch outside of battle, and dummies in Box 2.

- Glitch Pokemon species names in PC
Some of them can heavily affect the game, but it seems to be mainly graphically. On French versions, I fell on a Glitch Pokemon that heavily messed up with the graphics, producing really strange things.

- Glitch Move / Pokemon name overflow
When deleting a Glitch Move, or when speaking to some NPC that read the species name of party Pokemon (using a certain command), freezes happen very easily. This could be a source for code execution (or at least a source of some abuses).
The concerned NPCs I know of are : Slateport woman about a Pokemon's happiness (or is it EV training) in RSE, Two Island woman for the ultimate Fire/Grass/Water moves in FrLg.

- Glitch Special abilities
I never saw them do anything, but they may have a use.


EDIT 3 :
I forgot to remention it, but a long time ago I fell on a Glitch Move whose animation changed the battle music.
The battle was still running fine after that, and I was quite surprised since it was a FrLg song (Oak Lab theme I think).

It was a Glitch Move with an animation that could do different things (many of them being different crashes/freezes), probably because its animation led to an adress that's updated every frame, so I couldn't reproduce that effect.

But it shows that some code executions can be done with this method without ending with a crash.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on February 24, 2016, 06:30:29 pm
That's some luck if you used a glitch move with an animation pointer that points to changing data which just happened to be at a value that changed the music then returned gracefully.

Makes me wonder if such a glitch move could give a quicker speedrun technique, if luck manipulation could be used to get arbitrary code execution .
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on February 25, 2016, 05:26:56 am
That's some luck if you used a glitch move with an animation pointer that points to changing data which just happened to be at a value that changed the music then returned gracefully.

Makes me wonder if such a glitch move could give a quicker speedrun technique, if luck manipulation could be used to get arbitrary code execution .

Unfortunately, the glitches currently used in the speedrun are hardly optimizable because the after-Fortree part doesn't take that much time (get the Fly badge, make a pomeg glitch for Ever Grande Fly Location, make a second Pomeg Glitch for an IFG Glitch Move, and end the game).
Since you can't clone, nor easily obtain an in-game trade Pokemon (unless you make a try for a 4% Ralts/ 1% Volbeat), you can't easily make a Pomeg Glitch Corruption to obtain a certain Glitch Move/Item/Pokemon.

Manipulating the DMA positioning is also quite tedious, because it depends on ID/SID, and other things.
You could also try to generate a Pokemon with a certain PID and a certain amount of exp points (or IVs), in order to obtain a desired Glitch Move through a Pomeg Glitch corruption.
This makes at least 3 precise RNG manipulations (ID/SID, Pokemon, DMA positioning), that would give you an Egg with a certain Glitch Move/Item/Pokemon.
If this corruption is made to obtain an Instant Glitch Move, that would be faster than the current speedrun since the catches + corruption parts would be fastened (the strategy would look more like the one used in the TAS).

If you wanted to obtain an ACE Glitch Move, then you would also need to set up RAM values for that ACE, which could be for example doable with Pokemon data + Pokemon nicknames + Pokemon data (you start with Pokemon data to have a valid 03, then jump to Pokemon nicknames to teleport to Hall of Fame or something, then jump to Pokemon data in order to have a "return" command).
This requires you then to generate 2 more Pokémon (with a precise PID) in order to have the Pokemon data you want, and catch 4-5 other Pokemon in order to have the required nicknames.

If the ACE part can be set up like this, then it would be theoretically doable in speedrun, even if having 6-7 RNG manipulations could be quite heavy for the speedrunners, atop of having a good beginning.

Else, I think that this would take too much time compared to a Fly to Ever Grande + Use IFG Move strategy.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Fullmetal5 on April 11, 2016, 07:10:29 pm
Hi, I was trying to learn the best method for performing a double corruption to obtain items, moves, and pokemon described here (http://pastebin.com/2kJpBQCr).
At the beginning of the instructions listed in that pastebin it says that you can have higher success chances if you use a Corruption Initiator. As I understand it the instructions for making an initiator in that pastebin are just for a rough one that still has a lower chance of success. However Metarkrai posted instructions for a Perfect Initiator here on the forum.

First question, is the Perfect Initiator a better replacement for the initiator listed in the pastebin or is the one in the pastebin specialized for that type of corruption?

Second question, if the Perfect Initiator is a better replacement then which one do you use (the one with the heart mark or the one with the one without)? It says in Metarkrai's instructions that it depends on the pokemon you are corrupting so for the Seedot and Plusle from the pastebin which would you use for each?

Thanks!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Krys3000 on April 12, 2016, 12:14:55 am
I saw a lot of discussions ongoing on PRAMA's skype group about this recently. Couldn't take much part in it, but nice to see you come up with new stuff, Metarkrai  ;)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on April 12, 2016, 04:02:14 am
First question, is the Perfect Initiator a better replacement for the initiator listed in the pastebin or is the one in the pastebin specialized for that type of corruption?

The initiator given in the pastebin (in-game traded Plusle with Growl only) works perfectly with the in-game traded Pokémon.
Thus, you don't need to make Caterpies corruption initiators if you only want to corrupt the in-game traded Pokémon. (it eases the procedure)
More generally, that Plusle will be a corruption initiator for all PID / TID whose leftmost hexadecimal character is 0,1,2,3,8,9,A,B.

But for PID/TID whose leftmost hexadecimal character is 4,5,6,7,C,D,E,F, you need a second corruption initiator.
And the fastest (and only) method I have to make one in Emerald is with the in-game traded Horsea.
With this Horsea, you can obtain corruption initiators for both cases (so 2 different corruption initiators).
  I only discovered more recently that the in-game traded Plusle would fit as one corruption initiator, so I left the indications to obtain both corruption initiators from Horsea because I was used to it (to having two similar corruption initiators, one marked and one unmarked, instead of two different Pokémon acting as corruption initiators).

But if you wanted to corrupt a Pokémon of yours (like a Smeargle), that Pokémon would have your TID, and you would need one of the corruption initiators to corrupt that PID (but you won't know which one before testing it, or before knowing your Secret ID), same thing for the PID of the Pokémon (for the PID, you can still reset and catch other Pokémon with different PID).

By "perfect" corruption initiators, I meant corruption initiators that work (if you have both of them) for all PID and TID.
So don't worry, if you only want to obtain a Glitch Pokémon/Move/Item, you'll be fine with only Seedot and Plusle.
There are no "better" corruption initiators, the explanations about them aren't that clear nor that organized.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on April 23, 2016, 10:58:52 am
So I've been doing some research recently into possibly getting code exec (and not needing TAS or a crafted save file).

Luckily for us, forums like pokecommunity have basically reversed gen 3 to pieces trying to do more with ROM hacking. So we can search their site for interesting things.

Moves use *two* separate VM bytecodes. One for animation and one for move effects.

The move effects one is essentially useless, it grabs a byte as an index into an array, and so we have not that many invalid entries.

However the move animations.. It grabs a pointer from an array, using the move identifier as an index.

This array of pointers starts at 0x2C8D6C in English Emerald.

I coded some quick dumper to get any interesting info about all attacks, and plenty of attacks have animation pointers in RAM somewhere.

So, assuming we can find a way to write stuff there, how do we escape from the interpreter of this VM bytecode?

Easy.

This thread on Pokecommunity (http://www.pokecommunity.com/showthread.php?t=354621) details the bytecode opcodes for the animation VM.

Notice that opcode 03 calls a native function.

Opcode 08 ends the animation, so in theory, if we can write 03 xx xx xx xx FF 00 08 at a certain place in RAM (where xx xx xx xx is a little endian pointer to our final payload, and this assumes that 0xFF is highest priority, it might not be), and use a certain glitch move, then we'd get code exec.

Here's a list of moves in English Emerald with interesting animation pointers. (http://pastebin.com/vwqm16kc)

In case anybody hasn't seen, TheZZAZZGlitch finally PoC'd this method of code exec! https://www.youtube.com/watch?v=1pb-6hMDQBs
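
The lookup described in the post above, as an added example (not Wack0's dumper and not code from the thread): it reads animation pointers from the table at 0x2C8D6C, groups them by GBA memory region with mirrored addresses reduced to one canonical address, and decodes the 8-byte "03 xx xx xx xx FF 00 08" shape. The function names and the sample image are constructed for illustration; the only real table entry used is move 0x27A2 -> 0x0E0F14C0, quoted later in this thread.

```python
import struct

ANIM_TABLE_OFFSET = 0x2C8D6C  # pointer array in English Emerald, as given in the post

# (name, window base, window size, physical size). Inside a window the hardware
# repeats the physical memory, so a pointer is reduced modulo the physical size.
REGIONS = [
    ("EWRAM", 0x02000000, 0x01000000, 0x40000),
    ("IWRAM", 0x03000000, 0x01000000, 0x8000),
    ("ROM",   0x08000000, 0x02000000, 0x2000000),
    ("SRAM",  0x0E000000, 0x01000000, 0x10000),
]


def animation_pointer(rom, move_id, table_offset=ANIM_TABLE_OFFSET):
    """Return the little-endian pointer stored for move_id, or None when the
    entry lies outside the supplied image (the game itself does not check)."""
    pos = table_offset + 4 * move_id
    if move_id < 0 or pos + 4 > len(rom):
        return None
    return struct.unpack_from("<I", rom, pos)[0]


def classify(ptr):
    """Return (region name, canonical address with mirroring removed)."""
    for name, base, window, size in REGIONS:
        if base <= ptr < base + window:
            return name, base + (ptr - base) % size
    return "other", ptr


def survey(rom, move_ids):
    """Group moves by the region their animation pointer lands in."""
    found = {}
    for move_id in move_ids:
        ptr = animation_pointer(rom, move_id)
        if ptr is None:
            continue
        region, canonical = classify(ptr)
        found.setdefault(region, []).append((move_id, ptr, canonical))
    return found


def decode_launch(script):
    """Decode the fixed shape from the post: 03 <ptr32 LE> <priority> <byte> 08.
    The meaning of the byte after the priority is not stated in the thread."""
    if len(script) < 8 or script[0] != 0x03 or script[7] != 0x08:
        raise ValueError("not a '03 ptr pp xx 08' sequence")
    ptr, priority, extra = struct.unpack_from("<IBB", script, 1)
    return {
        "target": ptr & ~1,        # bit 0 is not part of the address
        "thumb": bool(ptr & 1),    # bit 0 set selects the THUMB instruction set
        "priority": priority,
        "extra": extra,
        "region": classify(ptr)[0],
    }


def build_sample_rom():
    """Constructed image: zero-filled except for three table entries."""
    rom = bytearray(ANIM_TABLE_OFFSET + 4 * 0x2800)
    entries = {
        0x0001: 0x081C6F34,  # constructed: an ordinary pointer into ROM
        0x0200: 0x02F65F00,  # constructed: EWRAM mirror of 0x02025F00
        0x27A2: 0x0E0F14C0,  # quoted in this thread for move 0x27A2
    }
    for move_id, ptr in entries.items():
        struct.pack_into("<I", rom, ANIM_TABLE_OFFSET + 4 * move_id, ptr)
    return bytes(rom)


SAMPLE_ROM = build_sample_rom()

if __name__ == "__main__":
    for region, rows in survey(SAMPLE_ROM, [0x0001, 0x0200, 0x0300, 0x27A2]).items():
        for move_id, ptr, canonical in rows:
            print(f"{region:5} move 0x{move_id:04X} -> 0x{ptr:08X} (canonical 0x{canonical:08X})")
    print(decode_launch(bytes.fromhex("03 d1 14 0f 0e ff 00 08")))
```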
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: PokeBec on April 24, 2016, 06:09:47 am
I tried to replicate it on cartridge but it does not seem possible to get the amount of items needed in the PC.

Anyone figured it out?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 06, 2016, 12:24:51 pm
I tried to replicate it on cartridge but it does not seem possible to get the amount of items needed in the PC.

Anyone figured it out?

It is possible to give a PC Item any quantity you would like (0x0000 to 0xFFFF).


Here is a rough explanation :
-If the target quantity is between 0x0001-0x4001 :
Duplicate the Item, then toss the exceeding amount (start by tossing multiples of 1.000 to make things easier)
0x0001 -> 0x4001 -> target quantity
You can also clone a Pokémon holding the Item for small quantities.
 
-If the target quantity is between 0x4002-0x7FFF :
Duplicate the Item, toss 2 exemplaries, then duplicate the item again.
0x0001 -> 0x4001 -> 0x3FFF -> 0x7FFF -> target quantity
 
-If the target quantity is 0x0000 or between 0x8000 - 0xFFFF :
Duplicate the Item, toss 1 exemplary of your desired Item.
Duplicate the Item again. (This time, to decrease its quantity by 0x4000, ending up at 0x0000).
Toss 1 exemplary of your item. (Its quantity underflows to 0xFFFF)
 Toss the exceeding amount.
0x0001 -> 0x4001 -> 0x4000 -> 0x0000 -> 0xFFFF -> target quantity


I made up a procedure to obtain, duplicate, and place Items in PC for potential uses of ACE in cartridge.
http://pastebin.com/yHBhvbLh

It is quite long, and I don't have any image/video to go with for now, but I tried as much as possible to make each part understandable.
As Glitch Items have the same displayed name (??????????) and as Glitch Quantities aren't accurately displayed (only the last two digits), I had to make specific steps to minimize as much as possible the risk of doing a mistake (obtaining the wrong Glitch Item, placing a Glitch Item at a wrong slot, obtaining the incorrect quantity).

Thus, the procedure ends up being quite long in order to be easily doable on console.

I tried to provide a procedure that is already good to go, but I'm not protected from a small mistake as I nearly wrote it in one go. So please, tell me if there are incomprehensible/strange parts.


If you want to directly try certain things, here is a save with an Instant Pomeg Glitch Pokémon and PC Items already placed :
http://www.petit-fichier.fr/2016/05/06/emerald-ifg-for-ace/
Like this, you can perform Instant Pomeg Glitch and duplicate Guard Spec and Dire Hit (the first duplication in my paste, required for other duplications).


If I obtain more information about the ways to perform ACE on Gen 3 and about the kind of commands that could be executed (and the required Item/Quantities that go with it), I'll provide saves with more content.
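
The three quantity cases above as a planner, added here as an example (not Metarkrai's procedure text and not game code). It assumes, from the three chains in the post, that one duplication toggles bit 0x4000 of the 16-bit quantity and that a toss only wraps around when 1 is tossed from 0x0000; `plan` and `simulate` are hypothetical names, and the sample targets are the quantities from the item list posted later in this thread.

```python
DUP_BIT = 0x4000  # assumption: each duplication toggles this bit of the quantity
MASK = 0xFFFF     # quantities are 16-bit
START = 0x0001    # every chain in the post starts from a single item

# Quantities taken from the item list posted later in this thread.
THREAD_QUANTITIES = [3860, 2048, 512, 18689, 48624, 518]


def plan(target):
    """Return the steps that turn quantity 0x0001 into target.
    Each step is ("dup", None) or ("toss", n)."""
    if not 0 <= target <= MASK:
        raise ValueError("quantity must fit in 16 bits")
    dup = ("dup", None)
    if target == 0:
        # 0x0001 -> 0x4001 -> 0x4000 -> 0x0000: stop at the intermediate
        # state that the third chain in the post passes through.
        return [dup, ("toss", 1), dup]
    if target <= 0x4001:
        steps, reached = [dup], 0x4001
    elif target <= 0x7FFF:
        steps, reached = [dup, ("toss", 2), dup], 0x7FFF
    else:
        steps, reached = [dup, ("toss", 1), dup, ("toss", 1)], 0xFFFF
    if reached != target:
        steps.append(("toss", reached - target))  # "toss the exceeding amount"
    return steps


def simulate(steps, start=START):
    """Apply the steps under the stated assumptions and return every
    intermediate quantity, start included."""
    quantity = start
    trace = [quantity]
    for op, count in steps:
        if op == "dup":
            quantity ^= DUP_BIT
        elif op == "toss":
            underflow = quantity == 0 and count == 1
            if count < 1 or (count > quantity and not underflow):
                raise ValueError(f"cannot toss {count} from 0x{quantity:04X}")
            quantity = (quantity - count) & MASK
        else:
            raise ValueError(f"unknown step {op!r}")
        trace.append(quantity)
    return trace


def describe(target):
    """One line per target: the chain of quantities the plan passes through."""
    chain = " -> ".join(f"0x{q:04X}" for q in simulate(plan(target)))
    return f"x{target}: {chain}"


if __name__ == "__main__":
    for quantity in THREAD_QUANTITIES:
        print(describe(quantity))
```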
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on May 07, 2016, 07:27:32 am
I am a bit late to this, but well done TheZZAZZGlitch and Metarkrai!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 07, 2016, 08:26:56 am
For the last few weeks I didn't have enough free time to elaborate on the idea of fully controllable ACE method in Gen III. Now that I found a little bit more time, I can offer all the help I can give. Here's everything I know about the subject.

So, in case some people haven't noticed yet, a few weeks ago I uploaded a simple proof of concept video to show that ACE with glitch move animations is in fact possible (https://www.youtube.com/watch?v=1pb-6hMDQBs). This post (http://forums.glitchcity.info/index.php/topic,6868.msg199627.html#msg199627) was the inspiration for all of my actions (also I would probably miss it if Metarkrai didn't tell me to take a look at it).

I decided to dump all the move animation pointers and see if there are any jumps to easily controllable RAM addresses - preferably PC items at around 0x02025F00 (affected by DMA, but fully controllable and unencrypted, and the DMA unpredictability can be at least partially circumvented by either predicting DMA state by scrolling past the sixth slot, or just with a nice NOP sled (https://en.wikipedia.org/wiki/NOP_slide)). The full list of animation pointers for all glitch moves can be found here (http://zzazz.ml/zzazz/AnimationPointers.txt). I thought there obviously needs to be a glitch move that works. Addressing on-board RAM ignores bits 18-23, which essentially means that addresses in the range (0x02000000 .. 0x02FFFFFF) loop around every 0x40000 bytes. So we only need to get a pointer like 0x02X25F00, 0x02X65F00, 0x02XA5F00 or 0x02XE5F00, and we have 65535 chances to get that.

Apparently we're unlucky, because there's no pointer like this anywhere.
So instead, maybe we can use a pointer to party/PC Pokemon data and use it to make a jump to bag items?

Well, it's possible. Let's assume there is a glitch move that will execute animation opcodes from somewhere in the PC Pokemon data or party Pokemon data - I didn't investigate if there is such a move, but it's a fair assumption, since box data is a huge chunk of RAM. We can insert some animation bytecode there to have the game execute code from PC items. 10 consecutive bytes of Pokemon data would need to be manipulated in order to make the jump to PC items. There is a way to predict DMA positioning by observing the in-battle Pokemon menu after scrolling past the sixth slot, so there would be an easy way to tell if everything's going to work or not.

In my proof of concept video, I decided to go in a different way, because I don't exactly know how to generate such a "bootstrap Pokemon" without cheating. Instead, I found a glitch move that has its animation pointer in save data, and I manipulated the save file to move PC item data into this exact position in my save.

SRAM in GBA memory map is from $E000000 to $EFFFFFF. When addressing SRAM, bits 17-23 are ignored (addresses loop around every 0x10000 bytes). So, unlike on-board RAM, where we only had 64 good pointer ranges, here we have 256 possible working pointer ranges. But wait, there's more! Since Gen III save files are split into sections, and every section can appear on 7 different addresses depending on how many times the game was saved, we have 7*256 = 1792 possible jump addresses that could work for our purposes! So it's almost certain that there's a glitch move that will meet the necessary requirements.

I settled for using move 0x27A2, which had its animation pointer at $0E0F14C0. It also had a short name (70 characters) that didn't cause any corruption, a non-crashing glitch type, and had a completely non-crashing valid effect of hitting myself with 102 power and 100% accuracy. I thought this move was perfect for my needs.

Before executing the code, the save file needs to be properly manipulated to have its PC items at address $E0F14C0, which is surprisingly easy and difficult at the same time. Gen III save files are split into 14 sections - each section contains different information about the save data, and is 0x1000 bytes long. There are two saves in total - one of them is primary, and the other functions as a backup. Sections are stored contiguously in SRAM one after another. The first save is at $E000000, the second is at $E00E000. For the exploit to work, we need the first save to contain section 1 at address $E001000. The equivalent requirement is: the first save has to have section 0 saved first.

How difficult is to do that? Sections within a save file are stored in a semi-randomized order. When your save data is written to SRAM for the first time, the game chooses a random number between 0 and 13, and stores the section with that number first. And every time a file is saved again, the sections are rotated by two spaces. Sections are always stored in ascending order (except for the point where the section number loops back to 0). The game alternates between writing to file 1 and file 2 every time the data is saved. We only care about file 1 for our purposes, so let's ignore it for now. This is how all the sections in a save file look like after saving X number of times:

Starting section number: 4
456789ABCD0123 (save #1 and #2)
6789ABCD012345 (save #3 and #4)
89ABCD01234567 (save #5 and #6)
ABCD0123456789 (save #7 and #8)
CD0123456789AB (save #9 and #10)
0123456789ABCD (save #11 and #12)
23456789ABCD01 (save #13 and #14)
456789ABCD0123 (save #15 and #16)
(repeat to infinity)


Every second save is useless to us, since we only care about file 1. In this example, we were able to properly align our save file after saving 11 times. This number may vary depending on the save file's starting section. If the save file is aligned, saving 14 times will align it again. If the save becomes misaligned, it needs to be aligned again for this ACE setup to work.

However, there is a big problem with this method of code execution - it doesn't work on 50% of save files. Notice that sections only shift by two spaces - so if the save file had an odd-numbered starting section, shifting section 0 to the beginning becomes impossible and the file is permanently misaligned. It would be possible to create a similar method that works on odd-numbered saves. Still, if you try to do a multiple hour long setup on cartridge, only to find out that the save file does not align properly and you have to use a different method... that's really disappointing. Finding a setup that does not require properly aligned save data should be our priority now.

So, what's my ACE setup and what can we do with it?
Here's the setup I used in my video, along with some example code to warp me to Birch Island:

At $0E0F14C0 (box item 11):
  ; Launch task at $E0F14D1, priority 0xFF
  ; Effectively runs code at $E0F14D0 and switches CPU to THUMB mode
  dcb 0x03
  dcd 0x0E0F14D1
  dcb 0xFF, 0x00
  ; End script
  dcb 0x08
At $0E0F14D0 (box item 15):
  ; Load 0x3A to R0
  mov r0, #0x3a
  ; Shift left by 1 byte (R0 is now 0x3A00)
  lsl r0, r0, #8
  ; Add 0x26 to R0 (R0 is now 0x3A26 - that's Birch Island's map ID)
  add r0, #0x26
  ; Load the RAM address containing Escape Rope exit location to R1
  ldr r1, [r15+0x4]
  ; Stores the 32-bit value at R0 to R1, little endian. Essentially:
  ; $02065A3C = 0x26, $02065A3D = 0x3A, $02065A3E = 0x00, $02065A3F = 0x00
  str r0, [r1]
  ; Pops registers R4 through R7 from the stack and returns.
  ; (R15 is instruction pointer)
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0x02065A3C
As items (starting from item 11):
  Item $D103 x3860
  Item $FF0E x2048
  Any item, any quantity
  Any item, any quantity
  Item $203A x512
  Item $3026 x18689
  ; (the 3A and 26 in the item IDs above can be replaced to warp to a different map!)
  Item $6008 x48624
  Item $3C5A x518

 
The code overwrites the RAM address responsible for holding the map ID the player will be transported to after using an Escape Rope. The code should be executed in a cave (so that using Escape Rope is actually possible). After executing the code, Escape Rope should be used to warp to the desired map. The address we're changing is affected by DMA, so unless the DMA offset is predictable, the code only has a 1/32 chance of working. Writing some code that will account for DMA offset is possible, but would require lots of items and wouldn't be practical.

Quote
Quick explanation about some ARM architecture basics, because I'm sure not everyone knows this stuff.

Here are some important things to know for what we're doing. GBA processor is ARM, so:
- ARM sucks at loading 32-bit constants. There is no such thing as a 32-bit version of "ld a,$13". Since instructions can be at most 32 bits in size, there is no way to load a 32-bit constant to a register in a single instruction. You either have to load it in multiple instructions, or load it indirectly from somewhere else (most commonly by using the LDR instruction, which is similar to Z80's "ld a,($1234)").
- ARM sucks at absolute jumps. All jumps, whether you want them or not, are relative. There are register jump instructions (bx r0, bx r1, etc.), but you need to load your jump target to a register beforehand (and ARM sucks at loading 32-bit constants). In THUMB mode, the shortest code to jump to an arbitrary address is either 8 or 10 bytes long, depending on where the code is in memory.
- ARM instructions are bit-encoded. They don't have to follow the usual format of [opcode byte][operand byte(s)]. And in most cases, they don't.
- ARM (at least on GBA) has two instruction sets. More info below.

GBA processor has two different instruction sets - ARM and THUMB. The CPU ignores the least significant bit of the instruction pointer - this bit is instead used to exchange instruction sets. If during a branch the least significant bit of a jump address is set, the CPU will switch to THUMB instruction set. If it is unset, it will switch to ARM instruction set instead. For example, jumping to address $02021501 will cause the instruction set to switch to THUMB, and execution will resume at address $02021500. However, just jumping to $02021500 will switch the instruction set to ARM (and code will also start executing at $02021500).

What are the differences between ARM and THUMB? There are a lot of them - but most importantly for us, ARM instructions are 32 bits long, and THUMB instructions are 16-bit. For executing code within our item box, we'll want to use THUMB mode, since it has better code density (we'll be able to pack more code inside our item box). Also, all code in ROM runs in THUMB mode.

RISC architecture is gonna change everything.

So, any other ideas?
How about a piece of code that will change any RAM address to any value?

At $0E0F14C0 (box item 11):
  ; (same stuff as before)
At $0E0F14D0 (box item 15):
  ; Load whatever we want to R0
  mov r0, #0x[byte to write]
  ; Load the address we want to write to
  ldr r1, [r15+0x4]
  ; Store the value of R0 to byte at R1
  strb r0, [r1]
  ; Pops registers R4 through R7 from the stack and returns.
  ; (R15 is instruction pointer)
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0x[address, 1st byte][address, 2nd byte][address, 3rd byte][address, 4th byte]
As items (starting from item 15):
  Item $20[byte to write] x18689
  Item $7008 x48624
  Item $[address, 3rd byte][address, 4th byte] x$[address, 1st byte][address, 2nd byte]


This piece of code only requires 3 items (besides the bootstrap animation bytecode), and will write any byte value to any RAM address.

Here's some code that will transfer execution to a subroutine. The primary use for it would be calling the script engine subroutine to execute some script commands, calling the credits subroutine to do an early credits warp, or calling the gift Pokemon subroutine to obtain any Pokemon easily. There is no finished Pokemon Emerald disassembly/decompilation yet, so I don't know where to look for these functions though.

At $0E0F14C0 (box item 11):
  ; (same stuff as before)
At $0E0F14D0 (box item 15):
  ; Load R15 (instruction pointer) to R0
  mov r0, r15
  ; Offset the instruction pointer to create a return address
  add r0, #0x7
  ; Save the return address in the link register R14
  mov r14, r0
  ; Load the destination address
  ldr r0, [r15+0x4]
  ; Jump to the subroutine
  bx r0
  ; Return gracefully
  pop {r4-r7, r15}
  ; This is where the destination address is loaded from
  dcd 0x[address, 1st byte][address, 2nd byte][address, 3rd byte][address, 4th byte]
As items (starting from item 15):
  Item $4678 x$3007
  Item $4686 x$4801
  Item $4700 x$BDF0
  Item $[address, 3rd byte][address, 4th byte] x$[address, 1st byte][address, 2nd byte]


At this point I just decided to just search the ROM for stuff that looks like subroutines (subroutines usually start with a 'push {r14}' and its variations) and try to jump to everything I find. I got some cool glitchy effects, but nothing too useful. I will probably mess around with this some more and then upload a video for some laughs.

(http://i.imgur.com/jPGXKIL.png)

Using the 'write anything anywhere' code along with the 'call any subroutine' code, I can write some code to some place in memory and then execute it without crashing, just like the Gen I days. In my video I used that to play some one-player Pong, because that's how I roll.

Aaand I think that's it.

TL;DR: ACE in Gen III is real. But some work is needed to:
 a) create a method that works on all save files, and to
 b) find addresses of subroutines necessary to create some useful payloads
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 07, 2016, 12:28:34 pm
I knew that a PoC would eventually come out of my post. Thanks for doing all the stuff which I was too lazy to do thanks to me shitposting on reddit, hanging around on irc, reversing other stuff etc.

The disassembly may not be complete but I know there are some idbs around pokecommunity. Like I said they basically reversed lots of gen 3 already.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 07, 2016, 03:28:59 pm
Quote
The disassembly may not be complete but I know there are some idbs around pokecommunity. Like I said they basically reversed lots of gen 3 already.

This changes things.

lol credits
(aka execute any overworld script)

Bootstrap (at $E0F14C0):
  ; Same as before
Code (at $E0F14D0):
  ; Previous setup to execute a subroutine
  mov r0, r15
  add r0, #0x9
  mov r14, r0
  ; Pointer to the script engine subroutine
  ldr r1, =RunScriptOffset
  ; The script engine subroutine takes the pointer to a script in R0
  ldr r0, =ScriptDataOffset
  ; Do some magic
  bx r1
  pop {r4-r7, r15}
  ; This nop is necessary because 4 byte alignment for ldr
  nop
ScriptDataOffset:
  ; Pointer to the script data
  dcd 0x0E0F14E8
RunScriptOffset:
  ; Pointer to the script engine subroutine
  dcd 0x08098EF9
The overworld script to execute (at $E0F14E8):
  ; lol credits
  special 0x0113
  ; yes, we're officially executing three types of bytecode in this setup
  end
As items (starting from box item 15):
  $4678 x$3009
  $4686 x$4903
  $4801 x$4708
  $BDF0 x(Any quantity)
  $14E8 x$0E0F
  $8EF9 x$0809
  $1325 x$0201


The code can obviously be adapted to execute any overworld script (overworld scripts are those fancy commands that ROM hackers use because ASM is too difficult for them). The script will execute immediately after exiting the battle.

Interesting things to try in overworld scripts:
  - Predefined commands ('special')
  - givepokemon for all dem legendaries
  - applymovement for some walk through walls action
  - pokemart command for some nice items
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 07, 2016, 04:04:45 pm
This is splendid !

I am really impatient to see ACE being doable on console, that would be neat !

But for now, I have some questions/comments regarding all of that.


1) Pyramid Bag Items can be manipulated and contrary to PC/Bag Items, the identifiers are separated from their quantities.
This gives 20 words to manipulate but only with Item IDs (and not quantities).
Lv 50 Pyramid Bag Items start at 0x02025880. (so 0x02025880 - 0x020258FC with the 32 DMA positions).

Would there exist a Glitch Move with an animation pointer on 0x02X25YYY/0x02X65YYY/0x02XA5YYY/0x02XE5YYY (YYY between 880-8FC) ?

- Unlike Glitch Moves with animation pointers on PC Pokémon data, I doubt that every Emerald version would have pointers towards these Items (or towards PC Items in RAM), but they could be a good way to set things up.


2) With an animation pointer towards PC Pokémon data, what would be the value of the 8-10 consecutive bytes for a "bootstrap" Pokémon ?

Since there is a jump towards PC Items to do, I believe that would depend on the size of the jump.
With a glitch move like 0x0D1D with an animation pointer of 0x020304C0, a jump towards 0x02025E9C (beginning of PC Items) would be A624 bytes long.
Would you be able to provide (if it doesn't bother you) the values of these 8-10 consecutive bytes for that "bootstrap" Pokémon ?

There are multiple ways to manipulate Pokémon data, and using Double Corruptions allows you to make some "combinations".
Thus, without knowing the values in advance, I can't tell if a/the desired combination can be obtained or not.


3) I was about to ask for script commands, but you already answered it.
Thus, I have two side-questions :

3.a) Do you know if a more "native" way to execute overworld scripts using the move animation procedure would be possible ?
(Having something shorter than 2+3 PC Items to execute the subroutine)

Regarding the amount of slots for PC Items, it's not that much of an issue, but that would make the setup procedure less long (less items to generate then duplicate).

3.b) Would it take less code to make the console execute overworld script from a certain ROM address (like execute the script of a special NPC to unlock something cool instead of recreating the unlock command) than making it execute overworld script as you've shown in your last post ?

I doubt it, but I wanted to know for curiosity.


And thanks for your information, it was already quite useful for me. : )
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 07, 2016, 11:49:11 pm
Quote
Would there exist a Glitch Move with an animation pointer on 0x02X25YYY/0x02X65YYY/0x02XA5YYY/0x02XE5YYY (YYY between 880-8FC) ?

Nope.
Move 0xA00F comes close with an animation pointer at $02025301. This could potentially work if there are around 0x600 bytes of non-crashing data before the target address, but I doubt this is possible.

Quote
With an animation pointer towards PC Pokémon data, what would be the value of the 8-10 consecutive bytes for a "bootstrap" Pokémon ?

Assuming the game would start executing an animation script starting from somewhere in Pokemon data, we would need the exact same 'bootstrap bytecode' as before, except the task address should be replaced.

; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Hex: 03 9D 5E 02 02 FF 00 08
(8 bytes)


The address where the code begins execution can be modified by just changing the underlined bytes.
Just remember to add 1 to the address, so the CPU will switch instruction sets to THUMB (which we always want; I can't think of a use case where we'd use ARM mode to execute code in the PC item box).

Quote
3.a) Do you know if a more "native" way to execute overworld scripts using the move animation procedure would be possible ?
(Having something shorter than 2+3 PC Items to execute the subroutine)

Not really, the code I presented is probably the shortest possible one that could execute arbitrary overworld scripts on demand.
We could execute overworld scripts with less items by not using a subroutine and just directly writing into RAM, replacing the script of a person/object in the overworld. This could bring the item count down to 3 (not counting the script itself, so if the script we want to execute isn't anywhere in the ROM, we'd need additional items to store the script).

Code (at $E0F14D0):
  ; Pointer to the script
  ldr r1, =ScriptPtr
  ; Pointer to some place in RAM where a script pointer for some person on the map is stored.
  ; Make sure that it's aligned to 4 bytes.

  ldr r0, =ScriptTarget
  ; Yay
  str r1, [r0]
  pop {r4-r7, r15}
ScriptPtr:
  ; Let's pretend this is a pointer to a script
  dcd 0x0822950F
ScriptTarget:
  ; RAM address where a script pointer for some person on the map is stored
  ; The address below is not real, it's just an example

  dcd 0x0202370C


Quote
3.b) Would it take less code to make the console execute overworld script from a certain ROM address (like execute the script of a special NPC to unlock something cool instead of recreating the unlock command) than making it execute overworld script as you've shown in your last post ?

Absolutely. If the script is in the ROM, we don't need extra items to store it. So the subroutine method would then take 6 items, and the "just write to RAM, who needs subroutines anyway" method would take 3 items.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 08, 2016, 12:08:49 pm
Quote
Assuming the game would start executing an animation script starting from somewhere in Pokemon data, we would need the exact same 'bootstrap bytecode' as before, except the task address should be replaced.

; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Hex: 03 9D 5E 02 02 FF 00 08
(8 bytes)


The address where the code begins execution can be modified by just changing the underlined bytes.
Just remember to add 1 to the address, so the CPU will switch instruction sets to THUMB (which we always want; I can't think of a use case where we'd use ARM mode to execute code in the PC item box).

After a few hours of calculations, I noticed that I was doing it the wrong way.
First, I need to choose a Glitch Move with an animation pointer on PC Pokémon data.
Then, I look at in-game traded Pokémon.
Since the part of their data that will be manipulated depends on the in-game traded Pokémon, the DMA position will also change, which changes the address of PC Item N°1, which changes the 8 bytes we want.

Starting addresses :
PC Item Slot 1 : 0x02025E98
Code : 03 99 5E 02 02 FF 00 08 / 025E9903 0800FF02 (32-bit format)

Pyramid Bag Slot 1 : 0x02025880
Code : 03 81 58 02 02 FF 00 08 / 02588103 0800FF02 (32-bit format)

General form : 03 xx yy 02 02 FF 00 08 / 02yyxx03 0800FF02 (32-bit format)
yy is either 5E or 98
xx is higher than 0x80

Possible starts in PC :
Emer US :
0x02030400 (0x1608)
0x02030208 (0x392C)
0x02030120 (0x4871)
0x02030008 (0x41A7)

Emer Fr : (In 4 days)
Emer Spa :
Emer Jap :

In-game traded Pokémon :
Seedot : PID 0x00000084, TID 0x00009746, PID xor TID : 0x000097C2
Plusle : PID 0x0000006F, TID 0x0001210C, PID xor TID : 0x00012163
Meowth : PID 0x0000008B, TID 0x00016559, PID xor TID : 0x000165D2
Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2

Doable Methods :
- Seedot : None
Growth, Miscellaneous substructures can't be used.
EVs substructure can't be used because of these damn Contest stats.
Attacks substructure can't be used because 0800FF02 xor 000097C2 = 080068C0  and both 0x0800, 0x68C0 can't be sketched.

- Plusle : Two (one long, one shorter)
0800FF02 xor 00012163 = 0801DE61
02yyxx03 xor 00012163 = 02yyxx60
Miscellaneous substructure can't be used.
Growth substructure can't be used (Growth -> EVs -> Growth) because 1FE - (DE+61+60) = 5F. And xx xor 21 is always higher than 5F. (510 EVs are not enough to get the right values)

Attacks substructure can be used. (Attacks -> Growth -> Attacks)
This is the long method.

EVs substructure can be used. (EVs -> Attacks -> EVs)


- Meowth : One (long)
Miscellaneous, Growth, EVs substructures can't be used.

Attacks substructure can be used. (Attacks -> Growth -> Attacks)
The method is the same as Plusle.

- Horsea :  One
Miscellaneous and Attacks substructures can't be used.
EVs substructure can't be used because of the contest stats.

Growth substructure can be used. (Growth -> EVs -> Growth)


--- Procedure n°1, Pyramid Bag :
PC Start : 0x02030008 (0x41A7)
Horsea's Growth used : (Growth -> EVs -> Growth)
DMA : Translation of 0x10 bytes at Box 12 Slot 3. (DMA n°4)
Start : Pyramid Bag Slot 1. (0x02025890 with translation)

New Code : 02589103 0800FF02
XORed : 025825B1 08004BB0 - Works.

- Make a Pokéblock with an Oran Berry, 2 NPCs, a maximal RPM lower than 23.3 RPM. (takes 10 boring minutes to do) (Pokéblock with 00 Coolness, 08 Beauty)
- Have an in-game traded Horsea clone with no EVs and less than 65.536 exp.
- Obtain Glitch Item 0x0258.
- Give Horsea 0x10 Atk, 0x01 HP EVs.
- Double corrupt Horsea into Glitch Poké 0x1001.
Its experience curve leaves it at Lv 0 with 0x05060000 exp, so he can still gain EVs.
- Give the Pokéblock to the Poké.
- Give Pomeg, Hondew, Grepa Berries to the Poké to decrease its HP, SpAtk, SpDef EVs to 0.
12 Pomeg Berries will be enough. Up to 26 Hondew and Grepa Berries can be required (depending on Horsea's exp)
- Give the Poké 0x4B SpDef, 0xB0 SpAtk, 0x25 Def, 0xB1 HP EVs. (Total 465)
- Double corrupt the Poké.
It becomes Glitch Pokémon 0x25B1.
- Give Item 0x0258 to the new Poké.
End.


--- Procedure n°1, PC Items :
PC Start : 0x02030008 (0x41A7)
Horsea's Growth used : (Growth -> EVs -> Growth)
DMA : Translation of 0x10 bytes at Box 12 Slot 3. (DMA n°4)
Start : PC Items Slot 1. (0x02025EA8 with translation)

New Code : 025EA903 0800FF02
XORed : 025E1DB1 08004BB0 - Works.

- Same method, but with Glitch Item 0x25E instead of 0x258, and with 0x1D Def EVs instead of 0x25 Def EVs.



--- Procedure n°2, PC Items :
PC Start : 0x02030400 (0x1608)
Plusle's EVs substructure used : (EVs -> Attacks -> EVs)
DMA : Translation of 0x4 bytes required at Box 12 Slot 16. (DMA n°1)
Start : PC Item Slot 3. (0x02025EA4 with translation)

New Code : 025EA503 0800FF02
XORed : 025F8460 0801DE61. - Works.

- Obtain the in-game traded Plusle and Horsea.
- Obtain both unmarked Caterpie and Heart Caterpie corruption initiators.
- Give a Plusle clone 0x60 HP EVs and 0x84 Atk EVs. Teach it Flash as 4th Move.
- Give a Plusle clone 0x16 HP EVs and 0x04 Atk EVs. Teach it Flash as 4th Move.
- Give a Plusle clone 0x13 HP EVs, 0x06 Atk EVs, 0x5F Def EVs, 0x02 Speed EVs, 0x01 SpDef EVs, 0x08 SpAtk EVs.
Teach it Flash as 4th Move. (for a good double corruption on US Emerald)
- Double corrupt these Plusles using unmarked Caterpie as corruption initiator.
 The first Plusle will become a Pokémon knowing 0x8460 and 0x0505.
 The second Plusle will become a Pokémon knowing 0x0416  and 0x0505.
Glitch Move 0x0416 changes the battle type into a wild battle with Battle Palace mechanics when seen.
 The third Plusle will become a Poké that knows 0x613, 0x025F, 0x0801, 0x0505. (0x0505 is because of the contest stats)
Glitch Move 0x613 has the same effect as Sketch (but takes less EVs to obtain)

- Make a wild battle with Poké (the one from the third Plusle) and swap 0x0801 with 0x0505.
Flee.
Make Poké eat a Pomeg Berry.
- Double corrupt Poké using Heart Caterpie as corruption initiator.
Here, you might need to use an older double corruption strategy where you don't move the Egg obtained after the first corruption, because the 4th move can't be changed.
Poké becomes a Walrein. (for easier identification)
That Walrein has 0x05 SpAtk EVs and 0x05 SpDef EVs.
- Give Walrein 1 Hondew and 1 Grepa Berries.
- Give Walrein 0x61 SpAtk EVs and 0xDE SpDef EVs.

- Double corrupt Walrein using unmarked Caterpie as corruption initiator.
Walrein becomes a Poké that knows 0x0613, 0x025F, 0xDE61, 0x0801.

- Take the three Pokés with you.
- Go to Desert Underpass and fight a wild Ditto.
Switch to the first Poké that knows 0x8460 to let Ditto use Morphing.
Switch to the second Poké that knows 0x0416 and look at its moves to change the battle type into a Battle Palace Battle.
Switch to the third Poké. Attack and pray that he uses 0x0613 to sketch 0x8460. (If not, reset and try again)
Flee.



--- Procedure n°2, Pyramid Bag :
PC Start : 0x02030400 (0x1608)
Plusle's EVs substructure used : (EVs -> Attacks -> EVs)
DMA : Translation of 0x4 bytes required at Box 12 Slot 16. (DMA n°1)
Start : Pyramid Bag Slot 1. (0x02025884 with translation)

New Code : 02588503 0800FF02
XORed : 0259A460 0801DE61. - Works.

- Same method as Procedure n°2, but with 0x259 instead of 0x25F and 0xA460 instead of 0x8460



Here is a save file with a Pokémon made from Procedure n°2 for PC Items Slot 1 : http://www.petit-fichier.fr/2016/05/08/emer-us-bootstrap-poke-1/
I also provided a Pidgey with Glitch Move 0x1608.
There is also Glitch Pokémon 0x0600 in the same box. Putting the hand over it has a nice effect I haven't studied yet.



EDIT :
I probably had other things in mind this morning, but I completely forgot it for now.
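The arithmetic behind the "New Code" / "XORed" pairs in the procedures above, as an added example (not code from any poster in this thread). It assumes, as the posted figures imply, that PC Pokémon data is stored XORed with PID xor TID one 32-bit word at a time, and that for the Horsea (Growth) procedure the first word splits into species and held item; all function names are made up for illustration.

```python
import struct


def bootstrap_words(task_addr):
    """Raw RAM words of the 8-byte animation bootstrap quoted in the thread:
    03 (launch task), 32-bit task address, FF 00 (priority), 08 (end script)."""
    if task_addr & 1:
        raise ValueError("pass the even code address; the THUMB bit is set here")
    raw = struct.pack("<BIBBB", 0x03, task_addr | 1, 0xFF, 0x00, 0x08)
    return struct.unpack("<II", raw)


def substructure_key(pid, tid):
    """Key the data substructures are XORed with (assumption: PID xor TID)."""
    return (pid ^ tid) & 0xFFFFFFFF


def plaintext_for(raw_words, key):
    """Values the Pokémon must hold so that RAM contains raw_words."""
    return tuple(word ^ key for word in raw_words)


def growth_fields(plain_words):
    """Split the first two Growth words into the fields named in Procedure 1."""
    return {
        "species": plain_words[0] & 0xFFFF,
        "held_item": plain_words[0] >> 16,
        "experience": plain_words[1],
    }


def parse_bootstrap(plain_words, key):
    """Inverse check: recover (task address, THUMB flag) from crafted values."""
    raw = struct.pack("<II", *(word ^ key for word in plain_words))
    opcode, target, prio, zero, end = struct.unpack("<BIBBB", raw)
    if (opcode, prio, zero, end) != (0x03, 0xFF, 0x00, 0x08):
        raise ValueError("bytes do not form the bootstrap script")
    return target & ~1, bool(target & 1)


# PID / TID pairs and target addresses copied from the post above.
HORSEA = substructure_key(0x0000007F, 0x0000B4CD)
PLUSLE = substructure_key(0x0000006F, 0x0001210C)
CASES = [
    # (label, key, code address after DMA translation, XORed words from the post)
    ("1 / Pyramid Bag", HORSEA, 0x02025890, (0x025825B1, 0x08004BB0)),
    ("1 / PC Items", HORSEA, 0x02025EA8, (0x025E1DB1, 0x08004BB0)),
    ("2 / PC Items", PLUSLE, 0x02025EA4, (0x025F8460, 0x0801DE61)),
    ("2 / Pyramid Bag", PLUSLE, 0x02025884, (0x0259A460, 0x0801DE61)),
]


def verify_cases():
    """Recompute every XORed pair and report which ones match the post."""
    return {label: plaintext_for(bootstrap_words(addr), key) == expected
            for label, key, addr, expected in CASES}


if __name__ == "__main__":
    for label, ok in verify_cases().items():
        print("Procedure", label, "matches" if ok else "DIFFERS")
    print(growth_fields(CASES[0][3]))
```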
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 10, 2016, 05:09:51 pm
Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.
Also, giving 0x0A0D the triangle marking makes the game glitch and stutter. Again, the effect stops when you hover over a pokemon which doesn't have the triangle marking. The game eventually crashes if left in this stuttery state for more than a few seconds.
Why the markings do all this is unknown.

A rather unrelated question, but do glitch moves in Pokemon Platinum have the same effects as in Diamond & Pearl? If not, has anyone tried experimenting with glitch moves in Platinum?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: danny on May 11, 2016, 01:56:37 pm
Quote
Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.

Did it sound like this? https://youtu.be/e6rt1Zd2xsA?t=9s

If not, try to record it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on May 11, 2016, 02:20:55 pm
Well, I'm happy to report it sounds almost nothing like that. I'll get a recording when I have the chance.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 12, 2016, 03:14:46 pm
I'm back with a few more questions that came during work on other Gen 3 versions.


1) Pomeg Glitch data corruption can't be performed on RS (and even if it could it wouldn't be useful).
Thus, PC Item quantities can't be manipulated.
1.a) Is it possible to make the console read code from only one word every double-word ?
 Would there be a method (mainly having a certain quantity for every Code Item) to create code from PC Items in RS ?

Due to the absence of encryption of many values, Bag Items (stored right after PC Items) can also be used to execute code.
This would give up to 50+42 = 92 Items that could be used for ACE in RS.


1.b)  Else, the only way to store code in RS that I see is with Pokémon data (8 bytes per 8 bytes).
What would the 8 bytes of code look like ? (If it doesn't bother too much to work on that)

From what I understood, the last 2 bytes would be used to make a jump of 0x50 bytes (towards the data of the next PC Pokémon).
The method I have to obtain the bootstrap Pokémon with Horsea ended up working quite well, and I would like to use it as much as possible. (thanks to HP,Atk,SpAtk,SpDef EVs + Held Item, many combinations for the 6 first bytes can be obtained)
The main downside of it is that the last 2 bytes must be obtained with Exp(2 higher bytes)/Contest stats (Coolness, Beauty), and Contest Stats really can't take that many values with Pokéblocks.
This is why I would like to know the values of these last 2 bytes in order to know if Horsea can be used or not for that task.


2) I tried your setup to execute overworld scripts, but things didn't work well.
Instead of having credits executed / an item obtained / nothing, I got a message box full of OE (RAM was overwritten by 0x101C).

For that, I used Glitch Move 0x1608 (pointer at 0x02030400), with a jump towards 0x02025E98 (03 99 5E 02 02 FF FF 08), then copied your code to use overworld scripts at 0x02025E98.
I tried it with 25 01 13 02 (special 0x113, end)), a paste of the script to get an item, 02 (end), and it always ended up with a message box and RAM being overwritten.

Here is a save ready to perform ACE : http://www.petit-fichier.fr/2016/05/12/emer-test-ace-issue/
(Use an Anti-DMA code to have everything at the right addresses)


Quote
Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.

Did it sound like this?
If not, try to record it.

Here is a recording of the effect : https://www.youtube.com/watch?v=M7ckrA2vxEA
It really differs from the other sound oddities I heard with 0x0A0D or by toying with the part of 0x0A0D's name that alters the music.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on May 12, 2016, 04:58:06 pm
Quote
1.a) Is it possible to make the console read code from only one word every double-word ?
 Would there be a method (mainly having a certain quantity for every Code Item) to create code from PC Items in RS ?

Kind of. It's possible to write code with only x1 item quantities, because the opcode '0001' corresponds to a completely valid instruction 'lsl r0, r0, #0x4', which would have no effect if r0 is never used.
The problem would be storing data. The easy way of storing pointers/addresses in PC items would be gone. Loading any 32-bit constant would take 8 items (8 instructions - 4 8-bit loads and 4 shifts). The item count (and the amount of work to prepare the necessary items) would increase dramatically.

We should probably get consistent ACE on Emerald before trying R/S.

Quote
1.b)  Else, the only way to store code in RS that I see is with Pokémon data (8 bytes per 8 bytes).
What would the 8 bytes of code look like ? (If it doesn't bother too much to work on that)

The bytes would obviously vary depending on what we want to do. But the last two bytes would always be:

E0 26.

The instruction is "b $+0x50". It just jumps 0x50 bytes forward.
If this sequence of bytes happened to be hard to obtain, some other instructions would work as well: D3 26 (bcc $+0x50 - jumps on unset carry flag), D9 26 (bls $+0x50 - jumps on unset carry flag or set zero flag), D7 26 (bvc $+0x50 - jump on no overflow).

Quote
2) I tried your setup to execute overworld scripts, but things didn't work well.
Instead of having credits executed / an item obtained / nothing, I got a message box full of OE (RAM was overwritten by 0x101C).

For that, I used Glitch Move 0x1608 (pointer at 0x02030400), with a jump towards 0x02025E98 (03 99 5E 02 02 FF FF 08), then copied your code to use overworld scripts at 0x02025E98.
I tried it with 25 01 13 02 (special 0x113, end)), a paste of the script to get an item, 02 (end), and it always ended up with a message box and RAM being overwritten.

The code probably attempted to execute a garbage script. The script pointer in my example was hardcoded to 0x0E0F14E8 - did you remember to change that?
The underlined part should be changed to where the script is stored (it could be in ROM, in RAM, or in the save data):

78 46 09 30 86 46 03 49 01 48 08 47 F0 BD XX XX E8 14 0F 0E F9 8E 09 08 25 13 01 02

Also, in order to work, the code has to be 4-byte aligned (it must start at an address ending with either 0, 4, 8 or C).
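The layout of the script-runner payload and the reason for the 4-byte alignment rule, as an added example (not code from any poster in this thread). It rebuilds the byte string and item list from the halfwords posted above, relocates the script pointer for a chosen base address, and resolves the two pc-relative loads; the filler halfword 0x46C0 and all function names are assumptions made for this illustration.

```python
import struct

# Halfwords of the stub, copied from the item list in the thread
# (item ID, then quantity). The thread allows any quantity in the filler
# slot; 0x46C0 (mov r8, r8) is an assumed choice for this example.
FILLER = 0x46C0
STUB = [0x4678, 0x3009,   # mov r0, pc ; add r0, #9 (return address, THUMB bit set)
        0x4686, 0x4903,   # mov lr, r0 ; ldr r1, [pc, #12]
        0x4801, 0x4708,   # ldr r0, [pc, #4] ; bx r1
        0xBDF0, FILLER]   # pop {r4-r7, pc} ; filler that aligns the literals
RUN_SCRIPT = 0x08098EF9                            # address quoted in the thread
CREDITS_SCRIPT = bytes([0x25, 0x13, 0x01, 0x02])   # special 0x0113 ; end


def build_payload(base, script=CREDITS_SCRIPT, run_script=RUN_SCRIPT):
    """Lay out stub, the two literals and the script as they sit at `base`."""
    code = b"".join(struct.pack("<H", half) for half in STUB)
    script_addr = base + len(code) + 8             # script follows both literals
    pool = struct.pack("<II", script_addr, run_script)
    body = code + pool + script
    return body + b"\x00" * (-len(body) % 4)       # pad to whole item slots


def to_items(payload):
    """Split bytes into (item ID, quantity) pairs, two halfwords per slot."""
    return [struct.unpack_from("<HH", payload, off)
            for off in range(0, len(payload), 4)]


def ldr_literal(payload, base, offset):
    """Resolve THUMB `ldr rd, [pc, #imm]` at base+offset to (rd, loaded word)."""
    (insn,) = struct.unpack_from("<H", payload, offset)
    if insn >> 11 != 0b01001:
        raise ValueError("not a pc-relative ldr: %#06x" % insn)
    rd, imm = (insn >> 8) & 7, (insn & 0xFF) * 4
    pc = (base + offset + 4) & ~3                  # pc reads as insn+4, rounded down to 4
    (word,) = struct.unpack_from("<I", payload, pc + imm - base)
    return rd, word


def loaded_pointers(base):
    """Registers r0/r1 as the stub would load them when placed at `base`."""
    payload = build_payload(base)
    return dict(ldr_literal(payload, base, off) for off in (6, 8))


if __name__ == "__main__":
    for base in (0x0E0F14D0, 0x0E0F14D2):          # aligned vs. 2 bytes off
        regs = loaded_pointers(base)
        print("base %08X: r0=%08X r1=%08X" % (base, regs[0], regs[1]))
    for item_id, qty in to_items(build_payload(0x0E0F14D0)):
        print("Item $%04X x$%04X" % (item_id, qty))
```

At an aligned base r1 receives the script engine address and r0 the script pointer; two bytes off, both loads straddle the literals and pick up unrelated halves.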
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 12, 2016, 06:13:31 pm
Well, if someone ever finds a way to get past the sixth slot in battle in R/S, the memory corruption does occur there too, but for me it froze after only 26 pushes of the Up button (from Cancel). Probably something to do with having 0 Pokémon.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 13, 2016, 09:12:32 am
Quote
Well, if someone ever finds a way to get past the sixth slot in battle in R/S, the memory corruption does occur there too, but for me it froze after only 26 pushes of the Up button (from Cancel). Probably something to do with having 0 Pokémon.

You can perform ACE in RS by altering the values that manage the hostess script at Trainer Tower.
- Enter Trainer Tower with Party Pokémon 4,5,6.
- Empty party slots 4,5,6.
- Alter the hostess script with ACE (put 0x02 at  0x020253FB)
- Enter Trainer Tower again.
The hostess will take you right back to matches with Pokémon from the party slots chosen on the previous attempt (4,5,6, who are empty).
You end up with a fully empty party, the Party Pokémon counter counts 0 Pokémon, this makes the Party Pokémon Selection pointer underflow, and you can scroll past 6th party slot.

But as Wack0 said, the game freezes after a few dozen of Up pushes, so you can't go far at all.
Furthermore, Party Pokémon are stored near 0x03004372 in RS, and I don't know any other interesting value that would be stored in 0x0300xxxx, so you can't even corrupt something interesting.
Even if there were interesting values to potentially corrupt, there would be a pretty high chance that they couldn't be corrupted because of the lack of DMA in RS.


Quote
2) I tried your setup to execute overworld scripts, but things didn't work well.
Instead of having credits executed / an item obtained / nothing, I got a message box full of OE (RAM was overwritten by 0x101C).

For that, I used Glitch Move 0x1608 (pointer at 0x02030400), with a jump towards 0x02025E98 (03 99 5E 02 02 FF FF 08), then copied your code to use overworld scripts at 0x02025E98.
I tried it with 25 01 13 02 (special 0x113, end)), a paste of the script to get an item, 02 (end), and it always ended up with a message box and RAM being overwritten.

The code probably attempted to execute a garbage script. The script pointer in my example was hardcoded to 0x0E0F14E8 - did you remember to change that?
The underlined part should be changed to where the script is stored (it could be in ROM, in RAM, or in the save data):

78 46 09 30 86 46 03 49 01 48 08 47 F0 BD XX XX E8 14 0F 0E F9 8E 09 08 25 13 01 02

Also, in order to work, the code has to be 4-byte aligned (it must start at an address ending with either 0, 4, 8 or C).

Oh, ok, I didn't understand that part of your instructions this way.
After spending long minutes trying to understand what the "script pointer" was referring to, things worked !

With this, every small code should fit in Battle Pyramid Items, and it is possible to store the main part of the code there in order to manage the rest of the code with PC Items.
Using 00 as a null script, PC Items can be easily used to execute small script commands like special or setflags, which will be useful to make a multi-task code.


I found suitable Glitch Moves for every Emerald and FrLg version. (to execute code in PC Items or Pyramid Bag Items, except Jap Emerald Pyramid Bag)
I'll focus on RS today, as the lack of DMA could be annoying.

 Regarding the method I had in mind to tell the DMA translation using Pomeg Glitch, it doesn't work as nicely as planned.
(for now, I only have like 10 different patterns for the 32 DMA translations)
I found an alternative strategy for Emerald (it uses the same idea I used to unlock Faraway and Birth Islands, but this time with Party Slot 0x47 and the 32+6 first Tms), but that strategy can't be applied to FrLg.

On FrLg (except Jap), I have 13 different patterns.
The DMA translation I want to use is the 12 double-words one, and it unfortunately shares its pattern with 3 other DMA translations (so 1/4 chance to get it right).
But since these patterns also have patterns in themselves, with different placements of the PC Pokémon in Box 2, I could obtain what I want.

I will also try to do the same thing on Emerald because I prefer doing that than the other strategy which requires the 38 first TMs (even if that strategy is still nice).

EDIT : Nope, there are no Glitch Moves that could make my initial DMA detection fully work.
This method will give a 1/4 chance to have the right DMA translation for an ACE.

EDIT 2 : I found a way thanks to in-game traded Meowth.
I added the method to that paste :  http://pastebin.com/sVHSwgSn

I'll check for the same methods in Emer Jap, FrLG Jap, FrLg (except Jap).

The bytes would obviously vary depending on what we want to do. But the last two bytes would always be:

E0 26.

0xE0 was easy but 0x26 was tougher to obtain.

A double-corrupted Horsea will have a Lonely nature (+ Atk, - Def). This gives a bonus in Coolness and a malus in Toughness.

Here is the Pokéblock recipe :
Oran + 2 NPC + Normal RPM : 10 Dry, 10 Bitter, 20 Feel  x3
Oran + 2 NPC + 7-23.3 RPM : 8 Dry, 8 Bitter, 20 Feel
Spelon + 3 NPC + 100-109.9 RPM : 51 Spicy, 12 Bitter, 32 Feel x4
Total : 4*(51+5) = 224 = 0xE0 Spicy (Coolness), 38=0x26 Dry (Beauty) 52*4 = 208 Sheen.

That jump can be coded in RS with Horsea, which is great for a large manipulation of the 6 other bytes (2 of them can have any value, and 4 others must have a sum lower than 510).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on May 26, 2016, 05:04:44 am
In preparation for a video on all the possibilities of Double Corruption, and on ACE on Gen III, I made videos on little techniques that are either required or really useful to fasten the procedures.

Obtain Smeargles with various Corruption Types :
https://www.youtube.com/watch?v=-LgQJEHBHdA

Performing Instant Pomeg Glitch :
https://www.youtube.com/watch?v=PwYP6D1iTio

Obtaining the Caterpie Corruption Initiators :
https://www.youtube.com/watch?v=hBWkshUJv_8


Regarding ACE :
- I found a way to check for a DMA translation of 12 double-words on FrLg.
This allows ACE on FrLg (except Jap) to be conveniently performed, using Glitch Move 0x0713 (animation pointer at 0x023F0084), a Bootstrap Pokémon, and PC Items.

- For RS, Glitch Moves 0x804C and 0x8053 have an animation pointer of 0x02039360 which points to the beginning of the second substructure of a certain PC Pokémon.
As the substructure of the easiest Bootstrap Pokémon to make is the second one, these glitch moves will perfectly work with it.

One way to make a code in RS could be :
- Make a code using PC Pokémon to duplicate the first/last PC Item. (setting one of the highest bit to 1, or setting the quantity to 0).
Use this code to duplicate Glitch Items.
- Make the code you want with PC Items, and trigger it with another Bootstrap Pokémon.

This way, the limited size of manipulable Pokémon data wouldn't be that much of a bother for storing codes.


- The overworld script subroutine has different ROM addresses depending on the version.
I was able to find it for all Emer/R/S versions, but I can't find it for FrLg. (I searched for similar values in the ROM but I either had no or many results).
Does someone know the ROM address of the overworld script subroutine in FrLg ?


  Item $203A x512
  Item $3026 x18689
  ; (the 3A and 26 in the item IDs above can be replaced to warp to a different map!)
  Item $6008 x48624
  Item $3C5A x518
 
The code overwrites the RAM address responsible for holding the map ID the player will be transported to after using an Escape Rope.

  Item $20[byte to write] x18689
  Item $7008 x48624
  Item $[address, 3rd byte][address, 4th byte] x$[address, 1st byte][address, 2nd byte]

This piece of code only requires 3 items (besides the bootstrap animation bytecode), and will write any byte value to any RAM address.

Your first code requires 4 PC Items to change 2 consecutive bytes (xx yy), but it also changes the 2 consecutive bytes to 00 and requires the 00 00 xx yy double-word to be 4-byte aligned , whereas your second one requires 3 PC Items to change 1 byte.

- Would there be a shorter code to only change 2 consecutive bytes (a word) than using the "change 1 byte" code twice ? (something that would take less than 6 PC Items) (That word being 2-byte aligned.)

- And in the same line, would there be a code to change 4 consecutive bytes (a double-word) shorter than 4 times the "change 1 byte" code ? (something that would take less than 12 PC Items).
(That double-word being 4-byte aligned.)

I'm asking this because certain interesting values can't be changed with the same command you used for the Escape Rope warp location, and the 00 00 is also a hindrance for certain values that are stored contiguously.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on May 31, 2016, 11:54:59 am
Metarkrai, if you still want to know where the FR/LG script_run() (US Emerald 0x8098EF8) is, it's at 0x8069AE4 in US FireRed; in the FireRed .idb it's named script_env_12_start_and_stuff().
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 01, 2016, 09:28:36 am
Metarkrai, if you still want to know where the FR/LG script_run() (US Emerald 0x8098EF8) is, it's at 0x8069AE4 in US FireRed; in the FireRed .idb it's named script_env_12_start_and_stuff().

Yup, I'm still working on procedures for console ACE on Gen 3, and overworld script execution can't be passed over. Many thanks for the address !

With this, I completed the list of subroutine addresses I have.
Quote
-- Script engine subroutine addresses :
Emer US : 0x08098EF9 / Emer Fr : 0x08098F09 / Emer Ita : 0x08098F0D / Emer Spa : 0x08098F0D / Emer Jap : 0x08098881
FrLg US : 0x08069AE5 / FrLg Fr : 0x08069B95 / FrLg Ita : 0x08069AC1 / FrLg Spa : 0x08069BA9 / FrLg Jap : 0x080693A5
Ruby US : 0x080655B9 / Ruby Fr : 0x080659E5 / Ruby Ita : 0x0806590B / Ruby Jap : 0x080628F9
Sapp US : 0x080655BD / Sapp Fr : 0x080659E9 / Sapp Ita : 0x08065911 / Sapp Jap : 0x080628FD


- I could execute code and overworld script on all Emerald and all FrLg (Jap or non Jap), but it didn't successfully work in RS.
The game executes the code, but softlocks right after that.

There may be an additional command that is required to end an animation for RS. Do you have any information about that ?


As of now, ACE on Emerald is ok, all the setup procedures are made.
For FrLg, I need to adapt the PC Item procedure from Emerald.
For RS, I would like to use PC Pokémon data to perform an ACE that sets the quantity of PC Item n°1 to 0x0000. This way, PC Items could be duplicated like in Emerald and FrLg.

I'm still trying to find some improvements in order to make the storage of multiple codes, and I haven't made the list of all potentially interesting codes yet, but the overall thing looks good to me.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 01, 2016, 09:53:24 am
Your script_run() list is still incomplete, as in Ruby US v1.2, 0x80655B8 is in the middle of a function... (from what I see, it's at 0x80655D8 in v1.2)

Maybe setting a breakpoint on 0x8075CD0 will help with finding the softlock issue (again, Ruby US v1.2 offset). This is the handler for animation VM opcode 0x08.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 01, 2016, 02:55:40 pm

Oh damn, I didn't think that there would be changes of addresses for different versions of the same game.
I found a ROM that may be a 1.2 US Ruby (at least, the overworld script subroutine starts at 0x080655D8).
There doesn't seem to be too many important changes in glitch move animation pointers, but there seem to be some changes in glitch move names/effects.

On that ROM, I tried again two code executions (changing a word, using special 0x0113), but the game froze for one code and soft-resetted for the other code.

Here is a save file of that : http://www.petit-fichier.fr/2016/06/01/ruby-us-code-execution/ruby-us-code-execution.sav
The first party Pokémon knows Glitch Move 0x1626, which has an animation pointer at 0x02030400.
At 0x02030400, you have : 025BCD03 0800FF02 (use the 03 for move animations, then jump to 0x02025BCC)
At 0x02025BCC you have : 30094678 49034686 47084801 0001BDF0 02025BE4 080655D9 (use the subroutine at 0x080655D9, and make it execute the code at 0x02025BE4)
At 0x02025BE4, you have : 02011325 (special 0x0113, end)

At 0x02025C0C, you also have : 0200023A 49013026 BDF06008 02025BE8 (writes 0x00003A26 at 0x02025BE8)
You can change the values at 0x02030400 to 025C0D03 0800FF03 to execute that code.

These codes are fully functional in Emerald and FrLg (modulo the change in the jump addresses).

I searched the overworld script subroutine in RS by using the values it started with on Emerald, so the subroutine may not be the good one (since the game freezes/resets before executing the scripts, I can't tell).
Even without that, the game freezes with the code that changes a double-word in RAM.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 01, 2016, 05:54:57 pm
I got bit by different versions having different offsets myself, so..

Thanks for the save file, I'll work on figuring out the issue when I get time.

(I got confused a bit because you posted the byte streams as arrays of 32bit little-endian integers.)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 03, 2016, 02:18:29 pm
Finally got time to look.

In no$gba, when the move is used, before the animation even happens (still on the move selection screen after pressing A), a jump to 0xA02004E2 happens. (tried 3 or 4 times with same result.) Obviously this move is too unstable, and can't even reach the animation part.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 04, 2016, 08:35:01 am
Damn it, the save that was extracted from vba has glitch move 0x162C which indeed freezes the game before executing code on Ruby 1.2 US (on the other US Ruby it executes the code, but it has a long name which messes up a lot with the graphics and the move menu). Sorry, I messed up.

For Glitch Move 0x1626 (or 0x1620), you can edit the moves of the currently fighting Pokémon at 0x02024A8C.
Could you try your test again with one of these moves, please ? (I can do another save if you want)






Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 04, 2016, 02:44:59 pm
I tried with 0x1626, couldn't get the move to hit (it can hit the user or the opponent, but every time i tried attacking, the Pokémon evaded the move...)

So I tried with 0x1620, and it takes a few tries (one attempt it took 5 or so tries) but eventually the move hits and the payload executes.

After the payload finishes execution, it does some other stuff and then jumps.. back into the payload?! Anyway, this causes a return to 0x3002A460. Still figuring things out.

EDIT: ok, so if I patch the payload to contain a "bx lr" to allow it to return gracefully, it doesn't screw up.

The payload should really start with push {r0, lr} and end with pop {r0, pc} (instead of pop {r4-r7, pc} which i think actually returns to the caller's caller!).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on June 06, 2016, 10:26:27 am
EDIT: ok, so if I patch the payload to contain a "bx lr" to allow it to return gracefully, it doesn't screw up.

The payload should really start with push {r0, lr} and end with pop {r0, pc} (instead of pop {r4-r7, pc} which i think actually returns to the caller's caller!).

That's good news !

So, how would Thezzazz's code executions change ?



Code (at $0E0F14D0):
  ; Load whatever we want to R0
  mov r0, #0x[byte to write]
  ; Load the address we want to write to
  ldr r1, [r15+0x4]
  ; Store the value of R0 to byte at R1
  strb r0, [r1]
  ; Pops registers R4 through R7 from the stack and returns.
  ; (R15 is instruction pointer)
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0x[address, 1st byte][address, 2nd byte][address, 3rd byte][address, 4th byte]

As code :
[byte to write] 20 01 49 08 70 F0 BD [address, 4th byte] [address, 3rd byte] [address, 2nd byte] [address, 1st byte]

Code (at $E0F14D0):
  ; Previous setup to execute a subroutine
  mov r0, r15
  add r0, #0x9
  mov r14, r0
  ; Pointer to the script engine subroutine
  ldr r1, =RunScriptOffset
  ; The script engine subroutine takes the pointer to a script in R0
  ldr r0, =ScriptDataOffset
  ; Do some magic
  bx r1
  pop {r4-r7, r15}
  ; This nop is necessary because 4 byte alignment for ldr
  nop
RunScriptOffset:
  ; Pointer to the script engine subroutine
  dcd 0x08098EF9
ScriptDataOffset:
  ; Pointer to the script data
  dcd 0x0E0F14E8
The overworld script to execute (at $E0F14E8):
  ; lol credits
  special 0x0113
  end
As hexadecimal data :
78 46 09 30 86 46 03 49 01 48 08 47 F0 BD XX XX E8 14 0F 0E F9 8E 09 08


Also, what would be the structure of a code that changes multiple RAM values before returning ?
(I'm still a non-initiated to ARM and I can't find what hexadecimal values correspond to pop {r4-r7, r15} in the code.)

Since setting up PC Items takes time (it becomes more tedious if you have to remove PC Items to write another code), codes that perform multiple useful commands at once would gain time in the writing procedure (like unlocking all islands, repop most of the legendaries, set multiple event flags, get mirage island and .., setting a swarm,...).

I'll look back into RS Glitch Moves to find ones that have a convenient Animation Pointer for RS 1.2 (and that doesn't mess up the fight), because the pointer should point towards the second substructure of a PC Pokémon for the Bootstrap code.
Else, we would need an ACE on Emerald to write the Bootstrap code on another area of an in-game traded Pokémon data.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: TheZZAZZGlitch on June 06, 2016, 11:15:03 am
In US Emerald, 'bx lr' does not return gracefully at all:

(http://i.imgur.com/LLUoUIe.png)

Either the calling conventions change between versions, or I'm doing something wrong. It looks like it tried to return to a RAM address, so something's probably pushed on the stack after all.

The code to change a full 4-byte aligned dword would be this:
At $0E0F14C0 (box item 11):
  ; (same stuff as before)
At $0E0F14D0 (box item 15):
  ; This is the data to write
  ldr r0, [r15+0x8]
  ; The address where we want to store the value
  ldr r1, [r15+0x4]
  ; Store the value of R0 to dword at R1
  str r0, [r1]
  ; Return
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0xXXXXXXXX
  ; This is where the value to write is loaded from
  dcd 0xYYYYYYYY


Hex:
02 48 01 49 08 60 F0 BD XX XX XX XX YY YY YY YY
The code has to be 4-byte aligned.

Also, bx lr is 70 47
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 06, 2016, 11:30:09 am
I made such a payload with those changes (and same code size):

; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
push {r0, lr} ; save r0, lr to stack
ldr r1, [script_run] ; r1 = ptr to script_run()
ldr r0, [script_vmip] ; r0 = ptr to script bytecode
bl _call_via_r1 ; let the CPU set up lr itself
pop {r0, pc} ; restore r0, and return

_call_via_r1:
bx r1

nop ; for alignment

script_run:
dw 0x080655D9
script_vmip:
dw 0x02025be4


hex representation:
01 B5 03 49 03 48 00 F0 01 F8 01 BD 08 47 C0 46 D9 55 06 08 E4 5B 02 02
(where D9 55 06 08 is the offset of script_run() as little endian and E4 5B 02 02 is where your script is)

and it seemed to work, at least it didn't call into the payload again then return back to some part of RAM; but it still essentially froze.

Some investigation later, it seems that it's getting into an infinite loop.. calling the payload...

Not sure what else to try.
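Added example, not code from the thread: a decoder for the Thumb subset these payloads use, run over the hex representation in the post above and, going beyond that post, over the four PC Items of the Escape Rope code quoted earlier (item ID and quantity are the two halfwords of each slot). The load address 0x02025BCC comes from the Ruby save described earlier in the thread; the base used for the item code and every function name here are assumptions.

```python
import struct

REG = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]

# Hex representation from the post above (Ruby US v1.2 addresses).
WACK0_PAYLOAD = bytes.fromhex(
    "01 B5 03 49 03 48 00 F0 01 F8 01 BD 08 47 C0 46"
    " D9 55 06 08 E4 5B 02 02")
# (item ID, quantity) pairs of the Escape Rope code quoted earlier in the thread.
ESCAPE_ROPE_ITEMS = [(0x203A, 512), (0x3026, 18689), (0x6008, 48624), (0x3C5A, 518)]


def items_to_bytes(items):
    """A PC item slot is a 16-bit item ID followed by a 16-bit quantity,
    both little-endian, so each slot holds two Thumb halfwords."""
    return b"".join(struct.pack("<HH", item_id, qty) for item_id, qty in items)


def _regs(bits, extra=None):
    names = [f"r{i}" for i in range(8) if bits >> i & 1]
    return "{" + ", ".join(names + ([extra] if extra else [])) + "}"


def disasm(code, base):
    """Linear-sweep decode; returns a list of (address, text).

    A word that an earlier pc-relative ldr pointed at is emitted as data
    instead of being decoded as two instructions."""
    if base % 4:
        raise ValueError("pc-relative ldr offsets assume a 4-byte aligned start")
    out, pool, off = [], set(), 0
    while off + 2 <= len(code):
        addr, size = base + off, 2
        hw, = struct.unpack_from("<H", code, off)
        top5, rd8, imm8 = hw >> 11, hw >> 8 & 7, hw & 0xFF
        r_lo, r_mid, imm5 = hw & 7, hw >> 3 & 7, hw >> 6 & 31
        if addr in pool and off + 4 <= len(code):
            size = 4
            text = ".word 0x%08X" % struct.unpack_from("<I", code, off)
        elif hw == 0x46C0:
            text = "nop"                                   # encoded as mov r8, r8
        elif top5 == 0b00000:
            text = f"lsls r{r_lo}, r{r_mid}, #{imm5}"
        elif top5 == 0b00100:
            text = f"movs r{rd8}, #0x{imm8:02X}"
        elif top5 == 0b00110:
            text = f"adds r{rd8}, #0x{imm8:02X}"
        elif (hw & 0xFF00) == 0x4600:
            text = f"mov {REG[hw & 7 | hw >> 4 & 8]}, {REG[hw >> 3 & 15]}"
        elif (hw & 0xFF87) == 0x4700:
            text = f"bx {REG[hw >> 3 & 15]}"
        elif top5 == 0b01001:
            # pc reads as (instruction address + 4) rounded down to 4 bytes
            lit = ((addr + 4) & ~3) + imm8 * 4
            pool.add(lit)
            text = f"ldr r{rd8}, [pc, #{imm8 * 4}] ; literal at 0x{lit:08X}"
        elif top5 == 0b01100:
            text = f"str r{r_lo}, [r{r_mid}, #{imm5 * 4}]"
        elif top5 == 0b01110:
            text = f"strb r{r_lo}, [r{r_mid}, #{imm5}]"
        elif (hw & 0xFE00) == 0xB400:
            text = "push " + _regs(imm8, "lr" if hw & 0x100 else None)
        elif (hw & 0xFE00) == 0xBC00:
            text = "pop " + _regs(imm8, "pc" if hw & 0x100 else None)
        elif (top5 == 0b11110 and off + 4 <= len(code)
              and struct.unpack_from("<H", code, off + 2)[0] >> 11 == 0b11111):
            suffix, = struct.unpack_from("<H", code, off + 2)
            upper = (hw & 0x7FF) - ((hw & 0x400) << 1)     # sign-extend 11 bits
            size = 4
            text = f"bl 0x{addr + 4 + (upper << 12) + ((suffix & 0x7FF) << 1):08X}"
        else:
            text = f".hword 0x{hw:04X}"                    # outside the subset
        out.append((addr, text))
        off += size
    return out


if __name__ == "__main__":
    for blob, base in ((WACK0_PAYLOAD, 0x02025BCC),
                       (items_to_bytes(ESCAPE_ROPE_ITEMS), 0x0E0F14D0)):
        for addr, text in disasm(blob, base):
            print(f"{addr:08X}  {text}")
        print()
```

Loaded at 0x02025BCC, the 24-byte payload ends exactly where its second literal points (0x02025BE4), which is where the save places the script bytes.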
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Wack0 on June 06, 2016, 03:41:19 pm
I figured it out.

Remember that animation opcode 0x03 creates a new task: it happens to call the address you give it as well.

It also increases a counter, named move_anim_active_task_count in the FireRed IDB.

Animation opcode 0x08 is essentially a no-op if move_anim_active_task_count >= 0.

So, you need to remove the task (otherwise, the game will keep calling the payload over and over, and will freeze as the animation will never end).

(How the game continued in FR/LG/Emerald remains a mystery to me.)

You do this by calling a function named move_anim_task_del() in the FireRed IDB. Its location is 0x8072760 in FireRed US, 0x8075928 in Ruby US v1.2.

As for how to find it in other games, search for 08 78 01 38 08 70 01 BC 00 47; the function entry point should be the 00 B5 12 bytes before. There are two matches very close to each other: the first match is what you're looking for (the functions are identical apart from the RAM address whose value gets decremented)

Anyway, move_anim_task_del() takes one argument: the task index to delete. Thing is, we don't know the task index, at least initially. However, the second time the payload gets called, the task index is in r0.

So, how to detect that?

It's really quite easy: the first time the payload gets called, r1 points to ROM; otherwise, it points to RAM. So, a payload like this could be used:

; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
push {r0-r1, lr} ; save r0, r1, lr to stack
; is this our first time? if so, run the payload
lsrs r1,24
cmp r1,8
beq run_payload
; we're being called a second time, just remove the task
ldr r1, [move_anim_task_del]
bl _call_via_r1
pop {r0-r1, pc}
run_payload:
; actual payload here
ldr r1, [script_run]
ldr r0, [script_vmip]
bl _call_via_r1
pop {r0-r1, pc}

_call_via_r1:
bx r1

; hey, perfectly aligned now!

move_anim_task_del:
dw 0x08075929
script_run:
dw 0x080655D9
script_vmip:
dw 0x02025be4


Hex representation:
03 B5 09 0E 08 29 03 D0 04 49 00 F0 06 F8 03 BD 03 49 04 48 00 F0 01 F8 03 BD 08 47 29 59 07 08 D9 55 06 08 E4 5B 02 02

Remember to change the last three 32-bit integers for your game/version/language.
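Added example, not code from the thread: the two adaptation steps this post describes, locating move_anim_task_del() by its byte signature and rewriting the payload's three trailing 32-bit integers. The function names are hypothetical, the ROM image is constructed for the example (not game data), and "12 bytes before" is read as 12 bytes before the first byte of the match.

```python
import struct

ROM_BASE = 0x08000000
# Tail bytes quoted in the post for move_anim_task_del().
TASK_DEL_TAIL = bytes.fromhex("08 78 01 38 08 70 01 BC 00 47")
# The 28 code bytes of the payload above; only the literals after them change.
PAYLOAD_CODE = bytes.fromhex(
    "03 B5 09 0E 08 29 03 D0 04 49 00 F0 06 F8 03 BD"
    " 03 49 04 48 00 F0 01 F8 03 BD 08 47")


def find_task_del(rom):
    """Return the ROM address of the first function ending in TASK_DEL_TAIL.

    A match only counts if "00 B5" (push {lr}) sits 12 bytes before it on a
    halfword boundary, which filters out stray copies of the tail bytes."""
    pos = rom.find(TASK_DEL_TAIL)
    while pos != -1:
        entry = pos - 12
        if entry >= 0 and entry % 2 == 0 and rom[entry:entry + 2] == b"\x00\xB5":
            return ROM_BASE + entry
        pos = rom.find(TASK_DEL_TAIL, pos + 1)
    return None


def build_payload(task_del, script_run, script_ptr):
    """Append the three version-specific literals to the fixed code bytes.

    Function pointers get bit 0 set because bx only stays in Thumb state
    when the target address is odd; the script pointer is plain data."""
    for fn in (task_del, script_run):
        if not ROM_BASE <= (fn & ~1) < ROM_BASE + 0x02000000:
            raise ValueError(f"0x{fn:08X} is not a ROM address")
    return PAYLOAD_CODE + struct.pack("<III", task_del | 1, script_run | 1, script_ptr)


def make_sample_rom():
    """Constructed image: a stray copy of the tail, then two look-alike
    functions (push {lr}, ten filler bytes, tail), as the post describes."""
    rom = bytearray(b"\xFF" * 0x200)
    func = b"\x00\xB5" + b"\xC0\x46" * 5 + TASK_DEL_TAIL
    rom[0x40:0x40 + len(TASK_DEL_TAIL)] = TASK_DEL_TAIL
    for off in (0x100, 0x140):
        rom[off:off + len(func)] = func
    return bytes(rom)


if __name__ == "__main__":
    print(f"first match entry: 0x{find_task_del(make_sample_rom()):08X}")
    # Ruby US v1.2 addresses given in the thread
    print(build_payload(0x08075928, 0x080655D8, 0x02025BE4).hex(" ").upper())
```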
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on August 15, 2016, 02:51:35 pm
Found another rather strange and random glitch to have fun with, this time concerning Decamark 0x1460.

When picking up 0x1460 using the orange cursor in the PC, it creates a wide variety of graphical glitches when switching between PC Boxes, often crashing the game.
Sometimes, however, it freezes the music and all other sounds stop playing, but the game can still be controlled. Leaving the area with this frozen music crashes the game though, for some reason...

I've also found that on rare occasions, the glitchy behaviour extends beyond the PC itself, as shown below:

(http://imgur.com/O2EaAxg.jpg)(http://imgur.com/JMgZFgX.jpg)

The PC options were there as usual, but I was able to walk around! I could access the PC and move Pokemon around from anywhere in the room. I've managed to pull this off twice so far, but both times the music had also frozen, so leaving the room was not an option, as it would crash the game. Due to the random nature of this glitch, activating it without freezing the music would likely be possible.
From here, you can do some more things:


This may not be a big breakthrough, but it's nice to have fun with it :D

EDIT: I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.
However, some of the glitch items looked different from the standard "?" icon, with one using the "Close Bag" icon and some being completely invisible. If someone could test this out on emulator and identify what the Hex. value of the glitch items are, who knows, one of them might be the elusive glitch item 0xFFFF. Fingers crossed... ;)

-----

Also, Decamark 0x2828 has a glitch sprite seemingly identical to 0x0000's glitch sprite, but uses the previous sprite's colour palette instead of just black.
0x2828 also causes corruption similar to 0x1460 when its name is viewed using the news reporter, corrupting the player's Name, Party, Bag, Pokedex, Options, Overworld Sprite, etc. However, the battle sprite isn't changed so you can battle with the Bad EGGs in your party.

This is the sprite of 0x2828 shown after scrolling from a Bad Egg.
(http://imgur.com/z2FIoBz.jpg)
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Yeniaul on August 15, 2016, 04:19:12 pm
I really need to learn ASM...
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on August 22, 2016, 11:33:03 am
...
I've also found that on rare occasions, the glitchy behaviour extends beyond the PC itself, as shown below:

(http://imgur.com/O2EaAxg.jpg)(http://imgur.com/JMgZFgX.jpg)

The PC options were there as usual, but I was able to walk around! I could access the PC and move Pokemon around from anywhere in the room. I've managed to pull this off twice so far, but both times the music had also frozen, so leaving the room was not an option, as it would crash the game. Due to the random nature of this glitch, activating it without freezing the music would likely be possible.
From here, you can do some more things:
  • If you press A on the PC while selecting an option of viewing the PC, then back out again, two PC dialogs will be displayed, overlapping each other and causing some rather strange effects when selecting an option.
  • Pressing B or selecting "SEE YA!" makes the PC options disappear, but the dialog box remains on the screen. Pressing Start at this point opens up the menu and chops off part of the dialog box.
  • Interacting with the Pokemon Center Nurse, you can get her to heal your Pokemon while viewing the PC, which surprisingly works exactly as you think it does; the Pokemon are healed and, unfortunately, the game doesn't screw up.
...
This kinda reminds me of when i did the Trainer Mutation, a corrupt NPC showed an empty message box and i was able to move around.
I know i still have the save state somewhere on my main PC, i might upload the save state once i find it (it was on VBA 1.8 ).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Tamagon on August 29, 2016, 08:59:56 pm
I've been following ChickasaurusGL's guide to hatch a Jirachi through the Pomeg Glitch, but no matter what, whenever I get a good egg, it's always just a Horsea. The EVs are right, I'm sure, so it's just bad luck messing me over. I know the glitch has gone through some revision since 2014. Is there a more reliable way to hatch the mythical pokemon? I've read something about a "perfect initiator." Would that guarantee me the mons?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on August 30, 2016, 10:29:04 am
Ok i found the savestate, here it is (VBA 1.8 btw).
@up A "perfect indicator"... i don't remember what it does.
But, are your Horsea's Contest stats correct?
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Tamagon on August 30, 2016, 10:52:57 am
Horsea's contest stats should be the same as it was when I first got it. I had no idea you were supposed to mess with it.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on August 30, 2016, 11:40:49 am
Actually, i just realized, It needs Waterfall (i think) as its third or fourth move.
I think just now, that contest stats haven't got anything to do with this.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on August 30, 2016, 12:12:55 pm
Yes, Metarkrai suggested that the Pokémon next to your Horsea/Dots (called an "initiator") can affect your chances of success (i.e. it can 'absorb' unwanted corruptions). Sometimes the Pokémon you find in the Egg is also a Horsea. It could be because of bad luck but it may also happen so many times it leads you to question whether the glitch works for you.

In this post (http://forums.glitchcity.info/index.php?topic=6868.msg198505#msg198505) (see the title "Caterpie the Perfect Initiator :") Metarkrai describes how to obtain a Caterpie perfect initiator, which can then be placed next to your Seasor. This doesn't guarantee success, but apparently increases your chances of succeeding.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on August 30, 2016, 12:35:37 pm
Also, here's a weird thing... I decided to manually corrupt the addresses relating to Anna's script on Route 117 and i found this:
The last bit controls some other stuff, including the text and the encounter music, for example, I changed 081F3B6F to 081F3B62 and managed to get the Bug Maniac's script and the E4 Encounter theme play, sadly the game froze after the battle began.
Address around 02026898 is (at least for me) her script.
Also i got a very short glitch message.
And at last, the IEIEIEIE one writes complete garbage to the WRAM, while CEe doesn't.
And at real last, i changed the last bit of the address above to 5 and got a completely new glitch message! Different from the N loving one.
I put some screenshots of both new messages.
I can also give a save state for VBA 1.8.

MAJOR NOTE:
The battle began and he's a hiker...
The line:
PkMn TRAINER                             i iR ViS iQh          i Ri h   SVBQUVReUVie Zo  o  i Ké hAg UBQOUGROA u kkVoTiW k k:  :
would like to battle!
Is pretty good. Then He sent out a hex:0000...
Then he spams CEe's, and gives me NO MANAH :(:(:(

END OF MAJOR NOTE :D
Then i changed it to 6 and i saw nightmare fuel.
Changed to 7 and saw short garbage. Also froze after an encounter.
8 made her a E4 member spamming CEe's at everyone.
9 was a Youngster CEe spammer.
A gave no music change :(:(:( SADNESS INTENSIFIES :(:(:(
B was a Youngster spamming qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF's.
C gave normal stuff...
D resulted in a Guitarist who spams CEe's
E is same as B.
Changing bite to F's will result in a freeze with the memory being nuked by 0's.
EDIT2:Uploaded the save state of the PkMn Trainer Hiker.
EDIT4:Now i managed to change where she's facing.
EDIT5:WELL, now i can have a corrupt text box and walk around... #100%PureQualityProgramming.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Yeniaul on August 30, 2016, 04:38:30 pm
i might upload the save state once i find it (it was on VBA 1.8).
Smiley parsing FOR THE WIN!!!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on September 01, 2016, 06:55:49 am
Never mind, i already fixed that.
But i think that VBA 1. 8) MLG 8) was a good mistake.
Ok stop the off-tops.

EDIT:I decided to make a list of NPC corruption effects.
Chapter 1:Non-Trainers
1.Random PokéNav number being registered (mostly "PkMn Trainer " or "Beauty Jessica")
2.CPU hang.
3.Fade to white.
4.qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
5.qÁF qÁF qÁF qÁF qÁF qÁF qÁF + flashing sprites (for example berry soil)
6.Game hang.
7.Random PokéNav call (Mostly filled with qÁF or Œê)
8.Random PokéNav call + a YES\NO box (only if talking to corrupt berry soil). (image below)
9.Spoopy red crash.
10.Slot machine
11.DécoMart
Chapter 2:Trainers
1.ΐΐΐΐΐΐΐΐ
2.IEIEIEIEIEIEIE
3.Nightmare fuel (RSOD)
4.ΐΐΐΐΐΐΐΐ + a Gentleman

I'll update if anything comes up.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on September 18, 2016, 10:08:49 am

This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)

I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,...)

----


EDIT:I decided to make a list of NPC corruption effects.
Chapter 1:Non-Trainers
1.Random PokéNav number being registered (mostly "PkMn Trainer " or "Beauty Jessica"
2.CPU hang.
3.Fade to white.
4.qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
5.qÁF qÁF qÁF qÁF qÁF qÁF qÁF + flashing sprites (for example berry soil)
6.Game hang.
7.Random PokéNav call (Mostly filled with qÁF or Œê)
8.Random PokéNav call + a YES\NO box (only if talking to corrupt berry soil). (image below)
9.Spoopy red crash.
10.Slot machine
11.DécoMart
Chapter 2:Trainers
1.ΐΐΐΐΐΐΐΐ
2.IEIEIEIEIEIEIE
3.Nightmare fuel (RSOD)
4.ΐΐΐΐΐΐΐΐ + a Gentleman

Only a handful of corruptions can be obtained on NPC script addresses, mainly : +0x40000000 (bit 6 of the leftmost byte switched to 1) and +0x05000000 (bits 0 and 3 of the leftmost byte set to 1).
Thus, instead of reading other ROM addresses managing scripts, it reads things in 0xCxxxxxxx or 0x85xxxxxx, and some of the behaviours you found may not be doable. (Unfortunately, no interesting behaviour has been found from corrupting NPC scripts and the corruption you get from talking to a NPC sometimes are RNG-dependent)


----

In this post (http://forums.glitchcity.info/index.php?topic=6868.msg198505#msg198505) (see the title "Caterpie the Perfect Initiator :") Metarkrai describes how to obtain a Caterpie perfect initiator, which can then be placed next to your Seasor. This doesn't guarantee success, but apparently increases your chances of succeeding.

To be a bit more accurate about that, if you want to corrupt a Pokémon, you need two things.
- The first is corruption initiators (two of them) that will alter the addresses where the corruption occur.
I have now a video along with the written procedure : https://www.youtube.com/watch?v=hBWkshUJv_8
- The second is a specific criteria. If the Pokémon doesn't verify that criteria, then corrupting its PID or TID will change its checksum, which will turn it into a Bad Egg.
Here is a video about that criteria : https://www.youtube.com/watch?v=65e-SKeE5Ec
This criteria is usually verified, but on certain occasions it isn't, and you can spend hours trying to corrupt a Pokémon without success.

With these two elements, the chance of succeeding in a Pokémon corruption is 1/32 (or 6-7/32 if you use 5 clones of the Pokémon you want to corrupt)


----


After a quite long time (and some recent pauses), the written procedure for ACE in Gen 3 is nearly complete !
Here are all the files I completed :
Obtain Glitch Items : http://pastebin.com/qQ91bzuM
Obtain a Bootstrap Pokémon : http://pastebin.com/2aEzxFU4
Setting PC Items in Emerald : http://pastebin.com/Ke3wUsZX
Setting Pyramid Bag Items in Emerald : http://pastebin.com/tQSDqkdU
Setting PC Items in FrLg : http://pastebin.com/yHBhvbLh
Trigger Code Execution in E/FrLg : http://pastebin.com/U5ajVMp8

A few things are left to be done :
- Make a paste with a list of Code to perform.
I already made a good amount of codes thanks to ThezzazzGlitch's help (and someone else too) on the structure they need to have, but there are some codes for which I don't know what their structure would be, and if they can be done.

- Know if a code to rewrite many consecutive words/double words is doable.
Mainly to create from A to Z a PC Pokémon, or at least most of a PC Pokémon. This would allow for Code Execution in RS (it can't be done with other methods than having a Pokémon with 20+ manipulated bytes, unfortunately).
Would also be useful to have codes that modify multiple words at once (triggering multiple interesting things at once or completing Pokedex in one code).

-Know if a code that reads a word and rewrites it elsewhere is doable.
Mainly to display the Secret ID.

- Make videos showing the DMA Translation check.
I have savestates for each case and I need to record that for clearer procedures.

I will also try to make videos for each paste, as they end up being quite long due to the iterative procedures, but this will be for I-don't-know-when, so for now the written parts are at least readable.

---

Anyways, ACE is doable on every Emerald and FrLg cartridge (Fr/Eng/Spa/Ita/Ger/Jap), with procedures and values detailed for each version.


The global way to do this is :
Use a Glitch Move whose animation pointer falls in PC Pokémon data.
Manipulate some bytes on a certain Pokémon (Bootstrap Pokémon) to make a jump towards PC Items / Pyramid Bag Items.
Manipulate PC Items / Pyramid Bag Items to write your code.

Make wild battles and wait for a certain DMA value in order to have all the addresses aligned well.
Use the ACE Glitch Move.
Profit.


Of course, the procedure to store and execute code changed quite a lot but the current one is, I think, one of the least time-consuming and one of the easiest to pull off on cartridge. (it still takes quite some time to do everything, but no part is difficult)

But if you have any questions regarding the procedure or regarding some codes that I could add, I would gladly answer you.

--

Oh, and once the paste for the codes is done, I'll update this post with it and with some saves where everything is ready.
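
The checksum point made earlier in this post (changing a Pokémon's PID or TID alters its checksum and produces a Bad Egg), as an added Python example that is not part of the original post. It uses the Gen III storage layout (48 data bytes XORed with PID ^ OTID, checksum as a 16-bit sum of the decrypted halfwords); the IDs, data blocks and single-bit mask are constructed, and it does not reproduce the criterion from the linked video.

```python
import struct

def checksum(plain48: bytes) -> int:
    """16-bit sum of the 24 little-endian halfwords of the decrypted block."""
    return sum(struct.unpack("<24H", plain48)) & 0xFFFF

def xor_crypt(block48: bytes, pid: int, otid: int) -> bytes:
    """Encrypt or decrypt (same operation): each 32-bit word XOR (PID ^ OTID)."""
    key = (pid ^ otid) & 0xFFFFFFFF
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", block48)))

def store(pid: int, otid: int, plain48: bytes) -> dict:
    """Fields kept in storage: both IDs, checksum of the plaintext, encrypted data."""
    return {"pid": pid, "otid": otid,
            "checksum": checksum(plain48),
            "data": xor_crypt(plain48, pid, otid)}

def is_bad_egg(mon: dict) -> bool:
    """Stored checksum must match the data decrypted with the *current* IDs."""
    return checksum(xor_crypt(mon["data"], mon["pid"], mon["otid"])) != mon["checksum"]

def survives_id_change(plain48: bytes, field: str, mask: int) -> bool:
    """Flip `mask` in the PID or OTID only; data and checksum stay untouched."""
    mon = store(0x12345678, 0xCAFE0001, plain48)   # constructed IDs
    assert not is_bad_egg(mon)
    mon[field] ^= mask
    return not is_bad_egg(mon)

# Constructed plaintext blocks (not real Pokémon data).
WORDS_A = [0x00010002 + i for i in range(12)]      # no word has bit 30 set
WORDS_B = [WORDS_A[0] | 0x40000000] + WORDS_A[1:]  # exactly one word has it
BLOCK_A = struct.pack("<12I", *WORDS_A)
BLOCK_B = struct.pack("<12I", *WORDS_B)
MASK = 0x40000000  # constructed single-bit change, chosen for illustration

# Flipping key bit 30 flips bit 14 of the high halfword in all 12 words, so
# each word shifts the sum by +0x4000 or -0x4000. Whether those shifts cancel
# modulo 0x10000 depends on the data, which is why only some blocks survive.
if __name__ == "__main__":
    for name, block in (("A", BLOCK_A), ("B", BLOCK_B)):
        for field in ("pid", "otid"):
            ok = survives_id_change(block, field, MASK)
            print(f"block {name}, {field} ^= {MASK:#010x}: "
                  f"{'checksum still valid' if ok else 'Bad Egg'}")
```
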
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Charmy on September 18, 2016, 10:34:07 am
This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)
I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,...)

Ehh, were you asking me?
Only a handful of corruptions can be obtained on NPC script addresses, mainly : +0x40000000 (bit 6 of the leftmost byte switched to 1) and +0x05000000 (bits 0 and 3 of the leftmost byte set to 1).
Thus, instead of reading other ROM addresses managing scripts, it reads things in 0xCxxxxxxx or 0x85xxxxxx, and some of the behaviours you found may not be doable. (Unfortunately, no interesting behaviour has been found from corrupting NPC scripts and the corruption you get from talking to a NPC sometimes are RNG-dependent)
I sort of knew that RNG is engaged, so I just save-stated right after I scrolled, then went to the berry field, started talking and got these... I used Torchickens' save if you want to know.
(Unfortunately, no interesting behaviour has been found from corrupting NPC scripts and the corruption you get from talking to a NPC sometimes are RNG-dependent)
I think that the DécoMart might be useful for getting glitch decorations if you can get around the freeze.
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Metarkrai on September 18, 2016, 10:57:27 am
This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)
I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,...)

Ehh, were you asking me?
Sorry, that part of the post was referring to Spectramark's post where he obtained data corruption on PC Pokémon. The way he did that isn't very clear to me, so I wanted to have more details about that.


I think that the DécoMart might be useful for getting glitch decorations if you can get around the freeze.
I never got DecoMart from NPC script corruption, but seeing how it behaves when you get a trainer battle or an overwriting with qAF, things mainly end up badly with it.

You can get 7 glitch decorations with a Pomeg Glitch data corruption, and you can get all of them with ACE (either with the script to get it, or with a direct change of the RAM addresses managing decorations).

I tested many glitch decorations, and even if they mess up with the camera location and with the decorations list (when their name is too long), there doesn't seem to be anything really useable from them.
If you are able to place a glitch decoration and get out of the secret base (it is often tough to get out with the decoration placed), you can't seem to interact with the decoration once you get back (except when you want to withdraw it).

A glitch decoration name can mess up the decorations list (with the used/unused decorations), but you can't really duplicate a decoration or replace an already placed decoration.

With the script to obtain a decoration, the decoration's name is read and it can crash the game if it overflows too much.
Some glitch decorations also freeze the game when placed, if I remember well (something like a whole black screen).


I would have also liked to directly manipulate the decorations placed (ID and location) in order to have many dolls in the player's house, but I couldn't find that in the memory viewer.
I also wanted to manipulate a tile in order to be able to walk/bike from land to water, but I didn't find the right property for a tile to do so (I used ACE with an overworld script that changes a map tile).
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: Evie ✿ on September 29, 2016, 12:04:04 pm
EDIT :

I made AR codes for the Perfect Initiators (both of them), as well as a Cloning Glitch Pokemon 0x288A for easier use.
There are also .dmp and .vbm files to get them on the previous page.

Perfect Initiators :
-SEASOR Box 1 Slot 1 :


-Marked SEASOR Box 1 Slot 1 :


0X288A Cloning Pokemon Box 1 Slot 1 :

I'm just going to leave a note for others that these require Anti-DMA (B2809E31 3CEF5320, 1C7B3231 B494738C).

Metarkrai, can you teach us the steps to convert a .PKM file into an Action Replay code for box 1 slot 1 (otherwise a code compatible for the Xploder Advance SP) please, as I bought one recently and would like to use it for fast cartridge glitching. Thanks!
Title: Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
Post by: ▒h POKé▓░ on October 03, 2016, 03:03:50 pm

This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)

I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,...)


I achieved that by picking up Decamark 0x1460 wit