Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
ItemDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man trick
Celebi trick
Select glitches (Japan)
SRAM glitch
CoolTrainer♀ corruption
LOL glitch
Rival LOL glitch
Super Glitch
ZZAZZ glitch
Pomeg corruption glitch (Glitzer Popping)
Tweaking
Elite Four door glitch (Japan)
Pokémon merge glitch
Pokémon cloning
Time Capsule exploit
Arbitrary code execution
Coin Case glitch
More

Other Glitch Categories
Glitches by generation
Glitches between two generations
Japan-only/language specific glitches
Music glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Officially acknowledged glitches
Recurring glitches
Dead glitches

References
Pokémon GameShark codes
The Big HEX List
GB programming
Curiosities
Debugging features
Easter eggs
Error traps
Glitch areas
Glitch myths
Non-glitch exploits
Placeholder texts
Pokémon glitch terminology
Unused content and prerelease information

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Search Wiki

 

Search Forums

 

Author Topic: Gen III: Access Pokémon beyond the sixth slot sub-glitches.  (Read 89294 times)

0 Members and 1 Guest are viewing this topic.

clay-doll

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #585 on: October 22, 2016, 06:54:39 am »
Alright, I did some testing if it was possible by using Metarkrais method for unlocking Faraway Island/Birth Island [http://pastebin.com/8N9sGwpb] to also set the Bit for accessing Navel Rock. As far as I understood (I have poor knowledge of programming) the game selects Ram data for your currently active battle slot at an offset that is randomized through DMA and interprets these 100 Bytes as Pokemon Data. By changing values to one of these Slots, they will overwrite as its falsely interpreted. Outside of battle they keep their usual properties and thus the Bits that were set will activate the corresponding events. In Metarkrais method this was done by loading the Byte that also stores the activation of Faraway Island/Birth Island as the Pokemons current HP. By letting your active battle slot lose a certain amount of HP it is then possible that the new value has the island Bits set.

However from what I could tell, the Byte that stores Navel Rock gets only loaded as the Pokemons status condition. I was thinking, as Bits 0-3 are responsible for sleep, and Navel Rock activtion is Bit 0, a sleep move for 1, 3, or 5 turns would set the flag. I encountered a problem there, as described in Metarkrais pastebin Bit 4 of the Navel Rock Byte is always set due to an event relatively early in game. As Bit 4 manages Burn as status condition, you cannot be put to sleep in the first place. I tried manually putting the value for all Bits to 0, so I would no longer suffer from status condition, however I still couldn`t get it to work, as status moves simply would do nothing (they will either miss or no text appears at all and the value does not update). I find this odd, as I could in fact change values of other Bytes by receiving status. But I don`t know what the exact properties there were.

So I guess this plan is destined to fail, so I wanted to ask what the current state of this is? What would be needed in order to activate Navel Rock, I guess only through ACE in the future?

Also great job you guys, with all the research and work you are doing, I check this forum every now and then and it is hugely insightful!

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #586 on: October 22, 2016, 09:12:54 am »
Alright, I did some testing if it was possible by using Metarkrais method for unlocking Faraway Island/Birth Island [http://pastebin.com/8N9sGwpb] to also set the Bit for accessing Navel Rock.

Oh yeah, now that you talk about it, I think that I may not have clearly written that result somewhere (maybe in an old post but I don't remember it at all).
Since the paste you mentioned was mainly written to help people realazing the trick, I left little to no indications about how and why things worked (just information on flags and values required because I needed that when testing things or when trying to understand what happened for people that didn't get the expected result).

As you said, Navel Rock could have been unlockable if the sleeping turns could be changed to an odd amount. (Provided the fact that you have a Glitch Pokémon with a species name that will set the value for "currently fighting Party Slot" to 0x68 or 0x69, which is not the case on US and Jap Emerald versions)

Since the Pokémon data of the sent Pokémon is read on RAM data, you can't expect it to have a valid checksum, so it will be a Bad Egg. (unless certain specific cases)
This RAM data is also a hindrance regarding moves : you have little to no control on the 4 moves that Bad Egg would know, and you can easily have a glitch move in there that freezes the game when you open the Move menu.
 Thus, you can't use your own moves to change your status/pass turns.

 You also can't use Bag Items on your Pokémon because you can't use items on an Egg/Bad Egg.
 Since no Pokémon can cure your status, you are extremely limited in the variations of statuses with this technique (basically, either obtaining a sleep/poisoning or increasing the grave poison counter).

I also searched other flags/values that would give nice results when altered with this glitch, but the only working one I found was the value of the species of a swarm.
With a Skitty swarm, you could obtain a Masquerain or a Wailord swarm by burning some sleeping turns.
However, if you wanted the Bad Egg to have no glitch moves, you needed the TV news related to the swarm to be ordered first in the list of TV news. (else, the PID and TID of the Bad Egg were read on values that weren't 0x00000000 and the Bad Egg would have crappy glitch moves).

 And I couldn't understand how the game managed the ordering of TV news : There is a certain amount of slots that either contain an active news (that hasn't been seen yet), an old news (that has been seen), or nothing.
When the game generates a new news, it stores it in a TV news slot. If there is an old news of the same type, that old news is replaced by the new active news. Else, some news is replaced (I don't know which). Thus, an active news about a swarm may not be in the first slot when it is generated.
Sometimes, (I don't know when) the news are reordered with active news in front and old news behind. If your only active news is the swarm one, this one will be in front and you will be able to change the species of the swarm. But I wasn't able to find what triggered this reordering.


More recently, I found another use of that glitch to corrupt a PC Item's quantity : http://pastebin.com/Ke3wUsZX
Instead of corrupting a PC Item quantity with an usual Pomeg Glitch Data Corruption which corrupts some values sporadically from PC Pokémon data to PC Items, doing it by decreasing the HP of a Pokémon in a faraway party slot only corrupts 2-3 values in PC Items.
Thus, it is easier to build a code with PC Items with this technique.
The technique is also a bit faster because you only need to do one wild battle and check if the Bad Egg you sent to the fight has the correct HP amount, whereas for a Pomeg Glitch you need to make one preliminary battle.


Quote
I tried manually putting the value for all Bits to 0, so I would no longer suffer from status condition, however I still couldn`t get it to work, as status moves simply would do nothing (they will either miss or no text appears at all and the value does not update).
When you changed the value of the bits to 0 to have no status, did you do that during the battle or before it ?
Because during the battle, the game copies the RAM data of the currently fighting Pokémon somewhere, and it uses this copied data to determine the Pokémon's condition.
 So if you want to change the Pokémon's status/HP/Moves during a battle to test things, you need to change the copied values, not the original ones. (When the status/HP/Moves are changed, both the original and copied values change, though.)


Unfortunately, out of all the currently known ways to corrupt RAM data using Pomeg Glitch/Glitch Pokémon/Glitch Moves/Glitch Items/Glitch Pokémon species name, no one can safely corrupt interesting flags like Navel Rock or Altering Cave. (because these flags are not affected by some corruptions because of their location in a double-word, and because the corruptions that would change them would also change/overwrite a ton of values and freeze the game).
 It may be possible to get 1-2 interesting flags with new ways to corrupt RAM data, but that would be the limit of the possibilities of Pomeg Glitch Data Corruption outside of Pokémon Corruption and ACE.

Even if ACE has a setup that requires ~20 Glitch Items, 4-5 specific trainings, some glitch pokémon, and other specific uses of Pomeg Glitch, (which make it longer than reading a glitch pokémon species name at slateport fan club) it is far more flexible and stands out as the main way to unlock event/rare elements.
So yeah, Navel Rock in US Emerald only seems to be unlockable with ACE.

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #587 on: October 24, 2016, 08:07:20 am »
By the way, Metarkrai, some of your Gen III code exec payloads can be optimised..

For example, the "remove egg from daycare" one.

Use movs r0,#0 instead of ldr r0,=0, that'll save 4 bytes and you won't have to deal with the pesky item 0 quantity 0 anymore.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #588 on: October 26, 2016, 09:08:23 am »
By the way, Metarkrai, some of your Gen III code exec payloads can be optimised..

For example, the "remove egg from daycare" one.

Use movs r0,#0 instead of ldr r0,=0, that'll save 4 bytes and you won't have to deal with the pesky item 0 quantity 0 anymore.

Wow, it worked nicely. Thanks !

In the same topic, the code I used to rewrite a double-word at a certain adress is :
Quote
     processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [value]
  ; The address where we want to store the value
  ldr r1, [adress]
  ; Store the value of R0 to dword at R1
  str r0, [r1]
  ; Return
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from     
  adress: dw 0xXXXXXXXX
  value: dw 0xYYYYYYYY   

Is it possible to adapt this code to do the same thing but only for a word or a byte ?
Since obtaining the three Pokémon to execute overworld script take some time and ~35 Glitch Items, I wanted to add codes that don't use overworld scripts for tasks like "unlocking event islands","raising this flag", "setting this variable",..
This way, people who would only be interested in a code or two would have less set up for their ACE.

So instead of using an overworld script to raise a flag or set a var, the word/byte containing the flag/var could be changed, and this would require to only change a byte/word.



I also tried to make a code that copy-pastes  a string of words from an adress to another, but I couldn't get it to work.
I worked around this code :
Quote
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0,[adress1]
  ldr r1,[adress2]
  movs r2,#0x01 ; copy 0x02 bytes from adress 1 to adress 2
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  adress1: dw 0x02025BE8
  adress2: dw 0x0200D084   
The game doesn't crash when executing this code, but it doesn't copy-paste the data I want.
I think that I previously had a code that worked for this task, but I couldn't get my hands back on it.
This code is essential to store the code to call the Overworld Script subroutine on a Pokémon's data.
It would also be very useful to determine the Secret ID of a Pokémon's owner.


And I was wondering : with your idea of offsetting the adresses in the code to call the Overworld Script surbroutine, is it possible do to the same thing with the Bootstrap ?

Quote
; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

If the jumping adress could be offset, this could make the creation of a couple Bootstrap Pokémon quite easier than the current one. (The current one is not that hard, but it still requires ev training and two double-corruptions, whereas the potential new one would only be Ev-training and would be more handy).


Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #589 on: October 26, 2016, 04:47:29 pm »
In the same topic, the code I used to rewrite a double-word at a certain adress is :
Quote
     processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [value]
  ; The address where we want to store the value
  ldr r1, [adress]
  ; Store the value of R0 to dword at R1
  str r0, [r1]
  ; Return
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from     
  adress: dw 0xXXXXXXXX
  value: dw 0xYYYYYYYY   

Is it possible to adapt this code to do the same thing but only for a word or a byte ?

Use strh (for int16) or strb (for int8). I'd however continue loading an entire int32 just for alignment purposes, but if that really needs to be shortened, use ldrh r0,[value] ... value: dh 0xYYYY or ldrb r0,[value] ... db 0xYY

I also tried to make a code that copy-pastes  a string of words from an adress to another, but I couldn't get it to work.
I worked around this code :
Quote
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0,[adress1]
  ldr r1,[adress2]
  movs r2,#0x01 ; copy 0x02 bytes from adress 1 to adress 2
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  adress1: dw 0x02025BE8
  adress2: dw 0x0200D084   
The game doesn't crash when executing this code, but it doesn't copy-paste the data I want.
I think that I previously had a code that worked for this task, but I couldn't get my hands back on it.
This code is essential to store the code to call the Overworld Script subroutine on a Pokémon's data.
It would also be very useful to determine the Secret ID of a Pokémon's owner.

Simple.. you forgot to call into the BIOS CpuSet() function with svc 0xb after setting up the registers!

And I was wondering : with your idea of offsetting the adresses in the code to call the Overworld Script surbroutine, is it possible do to the same thing with the Bootstrap ?

Quote
; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Unfortunately, that's not possible, as this is animation VM bytecode, and the address is given as an operand of animation VM opcode 0x03.
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #590 on: October 27, 2016, 03:36:52 pm »

Use strh (for int16) or strb (for int8). I'd however continue loading an entire int32 just for alignment purposes, but if that really needs to be shortened, use ldrh r0,[value] ... value: dh 0xYYYY or ldrb r0,[value] ... db 0xYY

Quote
Simple.. you forgot to call into the BIOS CpuSet() function with svc 0xb after setting up the registers!

Quote
Unfortunately, that's not possible, as this is animation VM bytecode, and the address is given as an operand of animation VM opcode 0x03.

Well, many thanks !
The codes to change a single word/byte work perfectly, as well as the code to copy-paste a string of words (I though that svc 0xb was only needed to call the subroutine).
It is a bit unfortunate that the Bootstrap code can't be easened for storage, but this gives additonal information on how optimal things are, and the current procedure is not that complicated too (a bit long, but no step is extra hard to perform or to follow).

This gave me an idea to simplify the PC Item duplication procedure on Emerald, but it turned out that I already had it and had a better solution.
Still, the paste had some issues and I was able to fix them.

 Letting the quantity of a PC Item be read as Remaining HP/4th word of Miscellanous substructure of Party Pokémon n°67 is the best way I have to corrupt that quantity. (http://pastebin.com/Ke3wUsZX)
 With the Remaining HP, you can decrease the quantity to 0 and then make it underflow to 0xFFFF.
 With the 4th word of Miscellanous substructure, the quantity increases by 0x4000 (due to Egg Flag being set), which makes quantities below 0x4001 easier to obtain. (you need to toss less Items)
 24 Items are used for the structure, but they are all common Items to buy.
 You can manipulate and store 25 consecutive PC Items with it. (I used Party Poké n°66 before and I realized that it only allowed a manipulation of 6 consecutive items instead of the 12 I was thinking of, so I changed that.)

In FrLg, since there is no NPC that reads Glitch Pokémon species name like Slateport's journalist (to my knowledge), this trick can't be done, and the initial method has to be used : (http://pastebin.com/yHBhvbLh)
 You need to transfer a Cloning Glitch Pokémon from Emer to FrLg (http://pastebin.com/237FpUTf)
 Using a raw Pomeg Glitch Data Corruption to corrupt the quantity of a certain PC Item.
 The first corruption increases the quantity from 0x0001 to 0x4001.
 Then, you can toss an exemplary (0x4000) and perform a second corruption to decrease the quantity from 0x4000 to 0x0000, and then obtain every possible quantity with an underflow.
 However, you need to take care of Berry/Tm Pouches, you need a preliminary corruption (required for the corruption that decreases the quantity of 0x4000), and the corruption takes longer since you need to perform a Pomeg Glitch Data Corruption.
 You can manipulate 28 consecutive PC Items with this method.
 Also, after 13 consecutive Items manipulated, you need to tweak the structure in order to avoid corrupting the quantity of a PC Item that was already manipulated.


With the new changes, there is still plenty of things to change/write, but it's nice to fix the existing stuff.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #591 on: October 27, 2016, 03:55:06 pm »
Whew, that's a lot of trouble to set up ACE... We'll be writing a wiki article someday - if you ever manage to make a complete method that can fit in less than 1 million characters :P
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #592 on: October 28, 2016, 04:48:58 am »
Whew, that's a lot of trouble to set up ACE... We'll be writing a wiki article someday - if you ever manage to make a complete method that can fit in less than 1 million characters :P

Yeah, this method of using the data of a Pokémon from a distant party slot always takes some time to explain, and you also have certain things to look for (more than one value are changed/corrupted whereas you only want to change one, so you need to know where the other changes happen and to make them harmless).

The procedure to transfer Items from the Bag to a Pyramid Bag and the one to check the DMA value are also tricky to explain, because you kind of stack some methods and because there are mant tiny things that need to be done in a certain way to not have issues later on (ex : having 3 or 4 party Pokémon only for Instant Pomeg Glitch else the game can freeze very soon when scrolling Up / having 3 party pokémon for the duplication trick because you can end up stuck in a loop /..)

Even explaining the mechanics of Pomeg Glitch is tough. (It takes some paragraphs on the wiki page, who looks now really nice by the way : http://bulbapedia.bulbagarden.net/wiki/Glitzer_Popping :) )

But when you only follow the procedure, the more complex things are at the level of giving the correct EVs, keeping track of your EV-trained Pokémon (by noting what you do and what nicknames/markings correspond to on your Pokémon), keeping track of the glitch Items you have in your Bag (when transferring them to PC or to Pyramid Bags), tossing the right amount of Items (by stacks of 1.000), not forgetting a step, being patient in Pomeg Glitches.

As long as you are ready to spend a couple hours on a few afternoons to complete every part of the procedure, you don't really need a deep understanding of the multiple mechanics involved to make it through. So even if it is harsh to describe the whole mechanics, doing it on console is available to anyone.

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #593 on: October 28, 2016, 05:41:27 am »
And yet that wiki article is still labelled a "stub" :D
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #594 on: October 28, 2016, 12:20:07 pm »

Quote
; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Unfortunately, that's not possible, as this is animation VM bytecode, and the address is given as an operand of animation VM opcode 0x03.

Do you know what kind of things could happen if I were to lower the priority a bit (to 0xB4 = 180, exactly) ?
I tried it with a few ACE and nothing different seemed to happen, but I don't exactly know if this (in the case of executing ACE during a battle with a Glitch Move animation) would always be safe.
I think that it would be, considering that we are just trying to execute a move animation in a normal battle (not many things happening at the same time), but I lack knowledge on that kind of things.

Since the Bootstrap is mainly written with EVs, the 510 EV limit can be a hindrance. And with the fixed DMA translation on Emerald (DMA translation of 18 double-words, and not 1 double-word as erroneously calculated), the adress of PC Item #1 can't be reached because of that EV limit.
But if the priority was lowered to 0xB4 ( once xored with SEASOR's PID xor TID, that would require 0x00 SpDef EVs, which is the minimal amount), then a quite larger amount of adresses could be reachable with the Bootstrap code.

With the current procedure (priority of 0xFF), ACE would start on PC Item #2 on Emerald (non Jap), which doesn't look that great (and could be a source of mistakes).
By lowering the priority, we could start a code from PC Item #1,  and this would also make the procedure to obtain a Bootstrap Pokémon easier.
« Last Edit: October 28, 2016, 12:50:29 pm by Metarkrai »

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #595 on: October 28, 2016, 03:34:48 pm »
Do you know what kind of things could happen if I were to lower the priority a bit (to 0xB4 = 180, exactly) ?

I'm actually not sure. I think the priority might only need to be higher than every other task, so..
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

That Guy

  • GCLF Member
  • Offline Offline
  • CHARIZRAD 'M ROXORX or is it.
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #596 on: October 28, 2016, 05:54:04 pm »
I tried Glitzer Popping on a physical copy of Emerald. I didn't have any setup for the pokemon in the first couple boxes, I just wanted to see what would happen. Obviously, the boxes were full of bad eggs. One of them had its markings appear 'broken'. When I looked at the stats page, I expected a crash, but the game instead soft reset in the middle of the egg sprite's animation. Unfortunately, I don't have a recording or any other details.
« Last Edit: October 28, 2016, 05:54:50 pm by That Guy »

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #597 on: October 29, 2016, 11:33:01 am »
I tried Glitzer Popping on a physical copy of Emerald. I didn't have any setup for the pokemon in the first couple boxes, I just wanted to see what would happen. Obviously, the boxes were full of bad eggs. One of them had its markings appear 'broken'. When I looked at the stats page, I expected a crash, but the game instead soft reset in the middle of the egg sprite's animation. Unfortunately, I don't have a recording or any other details.

Well, a soft reset is a frequent ending with Glitch Pokémon/Sprites/Names (I consider it as a crash).
The sprites of invalid markings seem to oftenly do that on the summary page, which is unfortunately not useful in any way.

gold55803

  • I will never remain a memory
  • GCLF Member
  • Offline Offline
  • Gender: Male
  • Nyeh heh heh
    • View Profile
    • Imgur Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #598 on: March 22, 2017, 08:20:05 am »
Really stupid question, but could someone explain how data substructures work? The guides on bulbapedia make no sense to me... :'(
also, how do you get a bag egg to battle? :???:
« Last Edit: March 22, 2017, 08:33:20 am by gold55803 »

Metarkrai

  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • This is for you, Melodou !
    • View Profile
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #599 on: March 31, 2017, 10:06:05 am »
Really stupid question, but could someone explain how data substructures work? The guides on bulbapedia make no sense to me... :'(
also, how do you get a bag egg to battle? :???:


Outside of the Pokémon IDentifiant (PID), Trainer IDentifiant (TID), Pokémon's nickname, and Trainer's name, most of the Pokémon's data is separated into 4 groups called substructures.
Each one of these substructures contains certain parts of the Pokémon's data in a certain order.
They are called : Growth - Attacks - EVs & Contest stats - Miscellanous

For example, the Attacks substructure contains in that order : Move 1 identifiant - Move 2 identifiant -  Move 3 identifiant  - Move 4 identifiant - Move 1 PPs - Move 2 PPs - Move 3 PPs - Move 4 PPs
Each one of these substructures is 96 bits long (or 12 bytes, or 6 words, or 3 double-words).

But all of this data isn't stored as is, it is crypted when stored into the RAM and decrypted when the game wants to use it to check/use some values (like calculating a Pokémon's stats).

In Gen 3, the encryption is made of two mechanics :
- The order of the 4 substructures is given by the PID modulo 24 (there are 24 ways to sort 4 different elements)
- The game takes all the hexadecimal words that make the substructures and computes their sum.
The first 4 hexadecimal characters of this sum (called checksum) is stored on another part of the Pokémon's data.
Then, the game goes through every hexadecimal double-word that is contained in the substructures and modifies them with the formula : encrypted double-word = word xor TID xor PID  (XoR being a logical operation)

Thus, if you corrupt the data in the substructures directly, the checksum will be invalid and the corruption will fail (the Pokémon will turn into a Bad Egg as soon as the game computes the checksum again and finds the difference with the stored checksum).

However, if you corrupt the Pokémon's PID, you will change the order of the substructures.
So when the game will look at the Pokémon's data after the corruption, he will incorrectly read the substructures and this is where we can get very cool stuff.
(example : Growth substructure being read over the Attacks substructure, so the species of the corrupted Pokémon is read over the identifiant of the first move of the Pokémon before it corruption )
Since the PID is also used in the encryption of the substructures data, that PID corruption needs to meet a certain criteria in order to not affect that encryption.
But thankfully, one of the two possible ways to corrupt data with Pomeg Glitch meets this criteria.


Getting a Bad Egg (or an Egg/empty slot) to the battle is the matter of forcing the game to send a Pokémon from a certain party slot to the battle, even though that Pokémon is not supposed to be sent to the battle.
To do that, we exploit an oversight in the code that doesn't refresh the value "Party slot of the currently fighting Pokémon" from one battle to another if the party is fully KO.

Thus, the procedure looks like this :
- Make a wild battle and send a valid Pokémon to the fight (let's say from the 3rd party slot)
- Perform Pomeg Glitch to have a fully KO party
- Place a Bad Egg/Egg to the 3rd party slot (or leave it empty by depositing a Pokémon to the PC before killing the whole party)
- Make another battle (since the party is fully KO, the Pokémon in the 3rd party slot will be forced to the fight)