Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - gold55803

Pages: [1]
1
Really stupid question, but could someone explain how data substructures work? The guides on bulbapedia make no sense to me... :'(
also, how do you get a bag egg to battle? :???:


Outside of the Pokémon IDentifiant (PID), Trainer IDentifiant (TID), Pokémon's nickname, and Trainer's name, most of the Pokémon's data is separated into 4 groups called substructures.
Each one of these substructures contains certain parts of the Pokémon's data in a certain order.
They are called : Growth - Attacks - EVs & Contest stats - Miscellanous

For example, the Attacks substructure contains in that order : Move 1 identifiant - Move 2 identifiant -  Move 3 identifiant  - Move 4 identifiant - Move 1 PPs - Move 2 PPs - Move 3 PPs - Move 4 PPs
Each one of these substructures is 96 bits long (or 12 bytes, or 6 words, or 3 double-words).

But all of this data isn't stored as is, it is crypted when stored into the RAM and decrypted when the game wants to use it to check/use some values (like calculating a Pokémon's stats).

In Gen 3, the encryption is made of two mechanics :
- The order of the 4 substructures is given by the PID modulo 24 (there are 24 ways to sort 4 different elements)
- The game takes all the hexadecimal words that make the substructures and computes their sum.
The first 4 hexadecimal characters of this sum (called checksum) is stored on another part of the Pokémon's data.
Then, the game goes through every hexadecimal double-word that is contained in the substructures and modifies them with the formula : encrypted double-word = word xor TID xor PID  (XoR being a logical operation)

Thus, if you corrupt the data in the substructures directly, the checksum will be invalid and the corruption will fail (the Pokémon will turn into a Bad Egg as soon as the game computes the checksum again and finds the difference with the stored checksum).

However, if you corrupt the Pokémon's PID, you will change the order of the substructures.
So when the game will look at the Pokémon's data after the corruption, he will incorrectly read the substructures and this is where we can get very cool stuff.
(example : Growth substructure being read over the Attacks substructure, so the species of the corrupted Pokémon is read over the identifiant of the first move of the Pokémon before it corruption )
Since the PID is also used in the encryption of the substructures data, that PID corruption needs to meet a certain criteria in order to not affect that encryption.
But thankfully, one of the two possible ways to corrupt data with Pomeg Glitch meets this criteria.


Getting a Bad Egg (or an Egg/empty slot) to the battle is the matter of forcing the game to send a Pokémon from a certain party slot to the battle, even though that Pokémon is not supposed to be sent to the battle.
To do that, we exploit an oversight in the code that doesn't refresh the value "Party slot of the currently fighting Pokémon" from one battle to another if the party is fully KO.

Thus, the procedure looks like this :
- Make a wild battle and send a valid Pokémon to the fight (let's say from the 3rd party slot)
- Perform Pomeg Glitch to have a fully KO party
- Place a Bad Egg/Egg to the 3rd party slot (or leave it empty by depositing a Pokémon to the PC before killing the whole party)
- Make another battle (since the party is fully KO, the Pokémon in the 3rd party slot will be forced to the fight)

Alright, Thanks!
2
Really stupid question, but could someone explain how data substructures work? The guides on bulbapedia make no sense to me... :'(
also, how do you get a bag egg to battle? :???:
Pages: [1]