Main Menu
Main Page
Forums
Recent changes
Random page
Help

Databases
GlitchDex
AttackDex
ItemDex
TrainerDex
TypeDex
UnownDex
More

Major Glitches
Trainer escape glitch
Old man trick
Celebi Egg trick
Select glitches (Japan)
SRAM glitch
CoolTrainer♀ corruption
LOL glitch
Rival LOL glitch
Super Glitch
ZZAZZ glitch
Pomeg corruption glitch (Glitzer Popping)
Tweaking
Elite Four door glitch (Japan)
Pokémon merge glitch
Pokémon cloning
Time Capsule exploit
Arbitrary code execution
Coin Case glitches
More

Other Glitch Categories
Glitches by generation
Glitches between two generations
Japan-only/language specific glitches
Music glitches
Natural glitches
Non-core series glitches
Non-Pokémon glitches
Officially acknowledged glitches
Recurring glitches
Dead glitches

References
Pokémon GameShark codes
The Big HEX List
Glitch Pokémon cries
GB programming
Curiosities
Debugging features
Easter eggs
Error traps
Glitch areas
Glitch myths
Non-glitch exploits
Placeholder texts
Pokémon glitch terminology
Unused content and prerelease information

Useful Tools
8F Helper
GBz80 to Items
Old man trick name generator
PATH (Prama's Advanced Tweaking Heaven)
Save file editors
Special stat/Pokémon converter
Trainer escape Trainer Pokémon finder

Affiliates
Legendary Star Blob 2 (Hakuda)
Pokémon Speedruns wiki
PRAMA Initiative
Become an affiliate!

Technical
Site Source Code

Search Wiki

 

Search Forums

 

Author Topic: Obtaining Arceus via the Void Glitch  (Read 38021 times)

0 Members and 1 Guest are viewing this topic.

Cryo

  • Distinguished Member
  • Offline Offline
  • Glitch Researcher
    • View Profile
Obtaining Arceus via the Void Glitch
« on: January 10, 2017, 11:20:21 pm »
By using the RETIRE trick, it is possible to obtain Arceus via the Void glitch.

The steps below must be followed exactly. The RAM values being manipulated are loaded map data, and entering any map different than the ones you'd encounter by following the steps below may overwrite the data we need.

STEPS: (from the Poketch Co. door)

=======
Step 1
=======
1 S
17 W
14 N
2015 W
512 S
Save & Reset

=======
Step 2
=======
32 E
384 S
32 W
1792 S
128 W
32 S
192 W
64 S
160 W

=======
Step 3
=======
96 S
96 E
32 S
63 E
1 N
63 E (or 64 E if you've already been to Pal Park before)
191 N
1 N

=======
Step 4
=======
192 E
66 S
1 N

=======
Step 5
=======
192 W
64 N
64 W
32 N
128 W
64 N
64 W
96 N
226 E
Start -> RETIRE

=======
Step 6
=======
34 S
33 W
128 S
160 W
160 S
160 E
31 S
1 S
64 E
166 N
1 N
Start -> RETIRE


Video: https://www.youtube.com/watch?v=VrhHXG3cuAw


EXPLANATION

Each of the steps listed above loads a desired map property into memory, which we then travel to in order to encounter that property as our current map ID (in turn loading different map properties). Below are the target maps that get loaded—as well as the map property that determines the next map ID—in order to activate the RETIRE trick.


(2) Underground
    Sprite 1:
         X Coordinate: 392 (Route 221)

(392) Route 221
    Warp 1:
        Map ID: 393 (Pal Park entrance)

(393) Route 221 R1-01
    Warp 1:
        Map ID: 251 (Pal Park)


The maps and properties below lead to the Hall of Origin.


(45) Oreburgh City
    Sprite 13:
        X Coordinate: 316 (Lake Valor cavern)

(316) Lake Valor R1-03
    Sprite 0:
        Flag: 510 (Hall of Origin)


Once Arceus is captured, the only thing left to do is to disable Pal Park mode and exit the void, which is done by using RETIRE in the Pal Park map. This is the only way to initiate the StopGreatMarsh 1 function.

Note: Encountering maps with IDs greater than 558 will overwrite almost all of the map data, so RAM values 0x022F - 0xFFFF should be avoided.


THE RETIRE TRICK
Using the RETIRE option in Pal Park works as expected—asking if you'd like to leave, then either warping you out or doing nothing. However, when used anywhere else, the RETIRE option will immediately run the 4th script loaded in a given map.

An important distinction to make is that this does not refer to the script at index 3 of the map data. Instead, it refers to the order that the scripts are run. For example, the Hall of Origin has only 3 scripts, but the order that the scripts are run is as follows:

  • Script 2
  • Script 3
  • Script 1
  • Script 3

Since the 3rd script is loaded twice, using the RETIRE option runs Script 3, which happens to be the encounter script for Arceus.


EDIT: After doing research into a few rare cases of the game crashing after Arceus is caught, I noticed that the cause of the freeze was caused by users hacking the Shaymin event into their game. Specifically, the data at [Base + 0x23998] is permanently changed from 0x76 to 0x7A after using the Oak's Letter key item and opening up Seabreak Path.

This can be fixed by doing these steps in place of the 1792 S:

1152 S
32 E
64 S
32 W
576 S
« Last Edit: January 25, 2017, 08:49:54 pm by Cryo »

SatoMew

  • Member+
  • *
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #1 on: January 11, 2017, 05:34:01 am »
Wow, amazing discovery, Cryo! :) Is this for Diamond and Pearl only?

After saving at 430N and resetting, your position in RAM is set to [base] + 0x227D0. We're looking for a specific X coordinate's location in RAM, which is at [base] + 0x24A8C. There are multiple areas in RAM that hold your X coordinate, but this one in particular has a slight delay that allows us to battle Arceus in the Hall of Origin itself.

These addresses are for the English versions, correct?

Evie ✿

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #2 on: January 11, 2017, 05:41:03 am »
Amazing find Cyro! :D Is this your work or did somebody else make the initial discovery? Nevertheless kudos to you.

So after so many years we can now get Arceus with the void glitch (but with walk through walls).

Do you think there might be a way to bypass the invisible walls by making different steps?
« Last Edit: January 11, 2017, 05:59:14 am by Torchickens »
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Cryo

  • Distinguished Member
  • Offline Offline
  • Glitch Researcher
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #3 on: January 11, 2017, 11:17:33 am »
Wow, amazing discovery, Cryo! :) Is this for Diamond and Pearl only?
...
These addresses are for the English versions, correct?

Thanks! The steps will only work with the English editions of Diamond and Pearl, but the steps could definitely be modified to work with Platinum as well as the various languages of each!


Amazing find Cyro! :D Is this your work or did somebody else make the initial discovery? Nevertheless kudos to you.

Ahh thank you! ;w;

But yes, I discovered the new findings utilized in the method (mostly controlled RAM jumping and the RETIRE trick) and crafted the steps to encounter the legit HoO (map ID 510) and battle Arceus.


Do you think there might be a way to bypass the invisible walls by making different steps?

Absolutely! As long as we can encounter our X and/or Y coordinate data in the void, all that would need to be altered are the steps to get there. My exact method in the original post isn't the only way to obtain Arceus though.

In practice, all that matters is the following process:
  • Obtain the Pal Park menu
  • Use RETIRE in the Hall of Origin
« Last Edit: January 23, 2017, 01:01:27 pm by Cryo »

Evie ✿

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #4 on: January 11, 2017, 12:51:22 pm »
You're very welcome. :)

Cool, thanks for the information.
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Cryo

  • Distinguished Member
  • Offline Offline
  • Glitch Researcher
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #5 on: January 23, 2017, 12:57:31 pm »
Do you think there might be a way to bypass the invisible walls by making different steps?

I've actually been working on this for some time now, and I've come up with a completely safe method that will always work on any version of Pokemon Diamond and Pearl, regardless of save progress. In addition, it can be performed in under 15 minutes (8,046 steps) and allows you to encounter Arceus an unlimited amount of times.

I've updated the original post with the steps. ;)

ISSOtm

  • The French Lord of Laziness (and a huge The Legend Of Zelda fan)
  • Wiki Contributor
  • *
  • Offline Offline
  • Gender: Male
  • Pewter City (B)rocks !
    • View Profile
    • My Little Website
Re: Obtaining Arceus via the Void Glitch
« Reply #6 on: January 23, 2017, 01:10:12 pm »
Wow ! Amazing. Could... could there be a way to obtain ACE using such a method ? Maybe using an invalid map to overwrite a script pointer, then adding the RETIRE option, then using the option to run some payload code in RAM ?
Not sure if that's even possible x)
"THOU SHALL NOT PASS !!"  RIVAL's effect, Gandalf.

Proudly glitching Pokémon Red and Yellow on a Black & White GB, Pocket GB, GB Color, GBA SP and new 3DS.

My Twitter (beware, I'm French)
My YouTube (same warning)

Here is an online tool to build 8F setups : GBz80 to Items !

They see me layzin', they ha-tin'...
Heavy contributor of the global augmentation of entropy (my room's is too damn high !)

Evie ✿

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #7 on: January 23, 2017, 01:34:08 pm »
Do you think there might be a way to bypass the invisible walls by making different steps?

I've actually been working on this for some time now, and I've come up with a completely safe method that will always work on any version of Pokemon Diamond and Pearl, regardless of save progress. In addition, it can be performed in under 15 minutes (8,046 steps) and allows you to encounter Arceus an unlimited amount of times.

I've updated the original post with the steps. ;)

Amazing! I didn't expect it to be found this quickly. Congratulations!! This is groundbreaking. :D
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Evie ✿

  • Administrator
  • *****
  • Offline Offline
  • Gender: Female
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #8 on: January 24, 2017, 03:25:37 pm »
SM confirmed it in the Korean version.
https://www.youtube.com/watch?v=WqkKYRcOgOQ
Hi! I identify as transgender female.  She/her pronouns, please.

Online I most often use the username Torchickens or Chickasaurus.



Thank you Aeriixion for the cute sprite above! :) Roelof also made different variations of the sprite (which I animated).

Contact:

Email Youtube Twitter
Skype: Torchickens
Bulbapedia Starfy Wiki

I like to collect interesting video games.
https://www.vgcollect.com/Torchickens

The psychology of birth (including spiritual birth): pain>acceptance/courage in face of pain>embracement>unconditional love and strength

Beyond all philosophies are the things that go best for you; what makes you feel content. It's important to always follow your heart, so unless you feel perfectly happy about it don't just follow something because it is popular, fits a style or is conventional. Sometimes you may reach a point you're not sure who you are, but as things settle I'm convinced things do work out in time.

Wack0

  • Coder, reverser, beta collector [BetaArchive staff]
  • Staff
  • *****
  • Offline Offline
  • Gender: Male
  • cBRH - Doing nothing since 2k7
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #9 on: January 24, 2017, 08:57:45 pm »
Now THIS looks interesting.

Any chance of a more technical writeup? I still don't fully understand why this actually works, in fact, the explanations that have been given just make more questions.

The list of steps and the current explanation, to me, seem like bits are being flipped somewhere useful, and this is being abused to gain some kind of write primitive. Is this basically correct?
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchiveSoftHistory Forumsirc.rol.im #galaxy,#softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Obtaining Arceus via the Void Glitch
« Reply #10 on: January 25, 2017, 01:50:42 am »
That IS amazing. I need to test this!

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Obtaining Arceus via the Void Glitch
« Reply #11 on: January 25, 2017, 11:03:57 am »
Report working on French games


Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Cryo

  • Distinguished Member
  • Offline Offline
  • Glitch Researcher
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #12 on: January 25, 2017, 03:09:14 pm »
SM confirmed it in the Korean version.
https://www.youtube.com/watch?v=WqkKYRcOgOQ
Report working on French games

Oh awesome!

Now THIS looks interesting.

Any chance of a more technical writeup? I still don't fully understand why this actually works, in fact, the explanations that have been given just make more questions.

The list of steps and the current explanation, to me, seem like bits are being flipped somewhere useful, and this is being abused to gain some kind of write primitive. Is this basically correct?

Sure thing!

It (unfortunately) doesn't provide any form of arbitrary write capabilities; rather, it forces known values to be loaded into RAM for chained exploitation.


BACKGROUND

Pokemon D/P uses dynamic addressing, so the base address and most associated memory offsets will be different across each localization of D/P. For consistency, I'll be using the addresses and offsets for the US version of D/P.

All maps in the game have 4 main event properties associated with them: Furniture (statues, plants, etc.), Objects (sprites), Warps (doors, cave entrances, etc.), and Triggers (automatic script-triggering tiles). Below is a table of the base address and memory offsets that will come into play later.
Code: [Select]
Base Address      = [0x02106FC0]

Map Matrix Height = Base + 0x22AD8
Map Matrix Width  = Base + 0x22AD9
Map Matrix Layout = Base + 0x22ADA
Map Data          = Base + 0x23C6E

Furniture Count   = Map Data + 0x20
Object Count      = Map Data + 0x24
Warp Count        = Map Data + 0x28
Trigger Count     = Map Data + 0x2C

Furniture Address = Map Data + 0x30
Object Address    = Map Data + 0x34
Warp Address      = Map Data + 0x38
Trigger Address   = Map Data + 0x3C

Furniture Data    = [Furniture Address]
Object Data       = [Object Address]
Warp Data         = [Warp Address]
Trigger Data      = [Trigger Address]


MAP MATRIX LAYOUT

At offset 0x22ADA from the base address, we've got the layout of the map matrix. This is an 1800-byte section that defines which map ID you'll enter when you travel a certain distance in that map. In Sinnoh, this takes up much of the 1800-byte space, whereas indoor areas take up hardly any of it.

The reasoning behind the 1800-byte length comes from the maximum matrix height and width allowed—30x30. Let's use Sinnoh as an example, which has matrix dimensions 30x30. This means that the layout of map IDs contained within this area wrap around every 30 map IDs, or every 60 bytes. It may be hard to visualize by just looking at a stream of map IDs, so I've placed the 1800-byte map matrix layout over the Town Map so you can see just how it all fits together.

Hex view with padded zeroes: http://i.imgur.com/zOn4ZHR.png
Decimal view without padding: http://i.imgur.com/OCFVokR.png

Visually, traveling downwards from Jubilife City into Route 202 is simply going from map ID 3 to map ID 343, which is true, but what's also happening is that your position in RAM is being offset by a number of map IDs equal to the value of the matrix width—30 in this case. This means that traveling downwards by 1 map ID is the same as traveling to the right 30 map IDs. Since each map ID takes up 2 bytes, it can be more accurately said that traveling downwards by 1 map ID (32 steps) actually seeks 60 bytes forward in RAM.

Following the map matrix layout is a 900-byte section that defines the border map height. Following that is another 1800-byte section that defines the actual map data indices (which contain movement permissions, 3D model data, terrain information, etc.), but we're only concerned with the data after all of the previous 4500 bytes.


MAP DATA

The previous 4500 bytes are all determined upon loading your saved game. As long as you don't initiate a warp (such as entering a doorway or triggering an automated warp like the Vista Lighthouse elevator), the aforementioned bytes will remain unchanged. The bytes concerned with map data, however, will predictably change depending on which map you're currently in.

Starting at offset 0x23C80 from the base address is the loaded data for the current map ID. When a new map is entered, such as when traveling downwards from Jubilife City to Route 202, the previous 4500-byte section will remain the same while the map data after it will change depending on what furniture, objects, warps, and triggers are present.

What's even more interesting is that old data will only ever be overwritten by new data. Even if a new area is loaded, if the previous map contained more map data than the new map, then the old map data will still remain there. For example, traveling downwards from Jubilife City to Route 202 will cause many of the sprites that Jubilife City loaded to remain in memory since Jubilife City loads many more sprites than Route 202.

This is the data that we'll be manipulating in order to successfully exploit this mechanism to load any location we want.


HOW IT WORKS

With all the necessary background information out of the way, it's time to explain what's really going on from start to finish.

Since the Poketch Co.'s map matrix is only 1x1, traveling down or right will seek 2 bytes forward in memory, while traveling left or up will seek 2 bytes backward in memory. That being said, the first 5 steps before the Save/Reset will seek 126 bytes backward in memory, then 32 bytes forward in memory.

This places us 94 bytes behind the beginning of the map matrix layout, which happens to be a map whose ID is greater than 558. Map IDs above that point default to the properties of Jubilife City, making them safe to save in, but they also overwrite nearly all of the current map data due to how many objects it loads.

After saving and resetting, however, our position in RAM is vastly different; instead of being 94 bytes behind the beginning map matrix layout, we're now 834 bytes into the map matrix layout. This is because of how the game recalculates your current offset in relation to your current X/Y coordinates.

Upon saving the game, the map matrix layout data associated with that map ID is written to your save file. After resetting at this point, our position in RAM was recalculated to conform to the new map matrix dimensions, which are now 30x30.

This recalculation can be described in the following pseudocode:
Code: [Select]
x_offset = floor(x / 32) * 2
y_offset = floor(y / 32) * (2 * matrix_width)

current_offset = matrix_layout_start + x_offset + y_offset

The 32 E and 32 W steps before and after the 384 S are to bypass an area that contains map IDs between 176 and 188, which will guarantee a crash when an action that redraws the entire screen (such as exiting a battle or returning from the Pokedex, bag, etc.) is performed.

The 1792 S is to get through the entirety of the map matrix layout, placing us in the actual map data. At step 1664 S, we actually encounter an Underground area (map ID 2), which loads all of its map data; Sprite 1 of the Underground is located at X coordinate 392, which is the map ID for Route 221.

If we can encounter that X coordinate data for Sprite 1 in RAM, then the map data for Route 221 will load, immediately changing every piece of data around us and opening up new avenues of map loading and map resource loading—effectively allowing a form of controlled teleporting in the void. The 160 W steps at the end of Step 2 put us at that very address, and the map data for Route 221 loads around us.

Route 221 happens to contain a warp whose destination is map ID 393, which is the Pal Park entrance. Repeating the previous methodology, that first 1 N step in Step 3 lands us at that address and loads the map data for the Pal Park entrance.

The Pal Park entrance understandably contains a warp to map ID 251, which is Pal Park itself. We use the same method to travel to the address containing that warp destination data, and that second 1 N step in Step 3 is what loads the map data for Pal Park and also puts us into Pal Park mode.

Step 4 is short, but the 66 S step does two important things. The 65 S step loads the map data for map ID 45, Oreburgh City.  Sprite 13 in this data has an X coordinate of 316, which is the map ID for Lake Valor cavern. Funny enough, this destination is loaded in the exact spot that we traveled to for Oreburgh City (map ID 45) just immediately before. The last final step of those 66 S steps loads the map data for Lake Valor cavern. The 1 N step afterwards is to correct for the previous 1 S needed to get to Lake Valor cavern.

Sprite 0 in Lake Valor cavern has a flag value of 510, which is the map ID for the Hall of Origin.

Even now the Hall of Origin would be impossible to access, since every single movement would end up in that particular address being impossible to access. The only mechanism that saves this method is that entering a Mystery Zone area clears out the first few dozen bytes where the addresses and furniture, object, warp, and trigger counts are stored, since Mystery Zones all have a value of 0 for these.

That final 226 E in Step 5 traverses this now-cleared space in order to arrive at Sprite 0's flag value and, as a result, load the map data for the Hall of Origin.

Unfortunately, the Hall of Origin itself doesn't have any event properties with a value of 510, meaning that we only have 1 tile (the tile we're currently on) in which to encounter Arceus. This does mean that we have to battle and catch Arceus in the Mystery Zone, since Arceus's script moves us up 2 spaces, but that's a sacrifice made in the interest of catching Arceus for the first time ever in under 15 minutes.

After the battle is over, we repeat the same method for the first few steps—Route 221, then the Pal Park entrance, and finally Pal Park. Using the RETIRE option in Pal Park is literally the only way to get out of the void and Pal Park mode both at once.


OTHER STUFF
I've attached dumps of all of the scripts and event properties for every map in the US version of D/P for convenience. (mostly for looking up usable map properties for map data loading purposes)

Also, it is possible to catch Arceus in the Hall of Origin, but it involves an 11k trek downwards and utilizes the (quite chaotic) loading of 3D models in order to spawn a map that contains a model with ID 510 (which itself is a broken pillar). Ironically, the only map in the game to contain this specific 3D model happens to be Spear Pillar. I chose this method because it's much shorter and much easier to predict what data is going to be loaded.
« Last Edit: January 25, 2017, 09:03:31 pm by Cryo »

Krys3000

  • The frenchie
  • Distinguished Member
  • *
  • Offline Offline
  • Gender: Male
  • Head admin of the PRAMA Initiative
    • View Profile
    • PRAMA Initiative - Main french Pokémon glitch website
Re: Obtaining Arceus via the Void Glitch
« Reply #13 on: January 26, 2017, 02:59:17 am »
Thank you for these explanations Cryo, makes it very easier to understand.
I am interested in the 11k path you mention to get Arceus in the HoO. Could you explain how to do that theorically? Thanks :)

Admin of the PRAMA Initiative, the main french Pokémon glitch website
http://www.prama-initiative.com
“Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'” - Isaac Asimov

Cryo

  • Distinguished Member
  • Offline Offline
  • Glitch Researcher
    • View Profile
Re: Obtaining Arceus via the Void Glitch
« Reply #14 on: January 26, 2017, 11:02:28 am »
Thank you for these explanations Cryo, makes it very easier to understand.
I am interested in the 11k path you mention to get Arceus in the HoO. Could you explain how to do that theorically? Thanks :)

Sure!

Whenever you load Spear Pillar (map ID 220), the value at [Base + 0x2A576] becomes 510. This area is preceded by a ton of other data though, so it's extremely difficult to get to, if not impossible. It would require loading areas that replaced the data in front of it such that it was made safe.

A more efficient method, however, may be loading the Battle Tower's WiFi Battle Room (map ID 331), since that's located at [Base + 0x2974D], which is very near the start of that data section. It might be doable, but it's definitely a better shot than the Spear Pillar one.

Here are my personal notes on the path, for reference:

Model Path
==========

Bypass softlock zone (176-188)
    32 E
    384 S
    32 W

Bypass minefield and hit 0x2 (Underground)
    1792 S

Get to map 0x188 (Route 221)
    128 S
    128 W
    32 S
    192 W
    64 S
    160 W

Get to map 0x189 (Pal Park Entrance)
    96 S
    96 E
    32 S
    63 E
    1 N

Get to map 0x251 (Pal Park)
    64 E
    191 N
    1 N

Get to map 0xA7 (Snowpoint Gym)
    416 S
    128 E

Get to map 0xA5 (Snowpoint City)
    128 N
    160 E
    32 S
    224 E
    32 N

Get to map 0x41 (Eterna City)
    224 E
    32 N
    64 E
    32 S
    96 E
    320 N
    96 E

Get to map 0x14B (Wi-Fi Battle Room)
    32 W
    32 N
    128 W
    128 N
    384 W
    64 S
    32 E
    64 S

Get to the Hall of Origin
    320 S
    32 E
    11520 S
    ...