Topic: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

jfb1337

  • ACE trainer
  • GCLF Member
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #600 on: April 06, 2017, 11:53:31 am »
In some instructions for pomeg corruption I see that a specific 4th move is required. What does this 4th move do, and why does it differ between regions?

Metarkrai

  • Distinguished Member
  • *
  • Gender: Male
  • This is for you, Melodou !
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #601 on: April 07, 2017, 12:50:57 pm »
Quote from: jfb1337
In some instructions for pomeg corruption I see that a specific 4th move is required. What does this 4th move do, and why does it differ between regions?

The Pokémon's IDentifier (PID) is used to determine the order of the Pokémon's substructures (with PID modulo 24).
The Trainer IDentifier (TID) and the PID are used to encrypt the values inside the substructures (encrypted double-word = double-word xor TID xor PID).
There is a checksum over the decrypted values inside the substructures (the game sums all the unencrypted words inside the substructures and stores checksum := sum % 0x10000 in another place inside the Pokémon's data).

When the game checks a PC/Party Pokémon, if the new checksum it calculates is different from the checksum stored in the Pokémon's data, then the Pokémon is turned into a Bad Egg.

The goal of the PC Pokémon Corruption is to corrupt a Pokémon's PID to change the order of the substructures of that Pokémon.

However, corrupting a Pokémon's PID or TID alters the decryption of the values inside the substructures (there are 3*4=12 double-words that are affected), so you need specific PID/TID corruptions in order to preserve the checksum.

The two PID/TID corruptions that can be done with Pomeg Glitch are: a corruption of 0x05000000 (will always change the checksum) and a corruption of 0x40000000 (can preserve the checksum).

To explain why the 0x40000000 corruption can preserve the checksum, you need to see how that corruption affects the decrypted values inside the substructures.
Due to the "decrypted double-word = encrypted double-word xor PID xor TID" formula, a TID/PID corruption of 0x40000000 induces a change of 0x40000000 on each of the 12 double-words inside the substructures (either a gain of 0x40000000 or a loss of 0x40000000).

The checksum being the sum of all decrypted words, there are 12 decrypted words that will be different during the checksum calculation (these words either gained 0x4000 or lost 0x4000).
Since "stored checksum = sum of all words % 0x10000", the sum of all words needs to change by a multiple of 0x10000 in order to preserve the checksum.
And, if n is the amount of decrypted words that gain 0x4000 (this means 12-n decrypted words lose 0x4000), the checksum will change by: n × 0x4000 - (12-n) × 0x4000 = (2n-12) × 0x4000 = n × 0x8000 - 0x30000

Thus, a PID/TID corruption of 0x40000000 will preserve the checksum (and will be successful) if and only if n (the amount of decrypted double-words that gain 0x40000000) is even (because 2 × 0x8000 = 0x10000).


Also, when a PID/TID corruption happens, the change in the decrypted double-words that it brings affects the "Egg state" flag, as well as the identifiers of its Moves n°2 and n°4.
So if the Pokémon was not inside an Egg before a corruption, it becomes an Egg after it (and vice-versa). And the identifiers of its Moves n°2 and n°4 change.


Thus, if you only want to permute a Pokémon's substructures, you need to corrupt both PID and TID with a 0x40000000 corruption. (Corrupting the PID alone would change the substructure order but turn the Pokémon into an Egg as well as changing a few other values.)

And, as said before, you need to be sure that for both corruptions, there will be an even amount of decrypted double-words that will gain 0x40000000.


This gain/loss of 0x40000000 on a decrypted double-word is determined by a certain bit on that decrypted double-word.
So you can list the 12 bits that affect this gain/loss of 0x40000000 and their importance in a Pokémon's data.
You need an even amount of these "important" bits set to 1 in order to have a working PID/TID corruption.

One of these bits happens to be a bit determining the current PPs of Move n°4.


And, since corrupting the TID of that Pokémon changes its Move n°4 identifier (the TID corruption doesn't permute the substructures, so it preserves the Move n°4 value, aside from the 0x4000 gain/loss), the PPs of the new 4th Move may change the value of the bit determining the 0x40000000 gain/loss, which would give an odd amount of "important" bits at 1. (Since the first corruption was successful, it means that you had an even amount of these "important" bits at 1.)
Thus, if the PPs of the new 4th Move are not controlled, the amount of "important" bits can turn odd which will prevent the success of the second corruption on that Pokémon.

And if you want to perform the fast procedure for the PC Pokémon Corruption, you need to clone the corrupted Pokémon, which means that you have to move it, which means that its PPs are refreshed.

Thus, a specific 4th move is chosen for fast double corruption procedures (especially with in-game traded Pokémon).
And the PPs of the corrupted form of regular moves depend on the version you're on, so each game has different possible 4th Moves that will allow for a fast double-corruption.


If you don't choose a specific 4th move for a fast double-corruption, then you will have to leave the Egg obtained after the first corruption untouched if you want the second corruption to succeed.


I made a video about this matter, as if you want to corrupt a Pokémon (Smeargles in general), you need to know which these "important" bits are and how to check if you have an odd/even amount of them at 1: https://www.youtube.com/watch?v=65e-SKeE5Ec

gold55803

  • I will never remain a memory
  • GCLF Member
  • Gender: Male
  • Nyeh heh heh
Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #602 on: April 20, 2017, 10:47:43 am »
Really stupid question, but could someone explain how data substructures work? The guides on Bulbapedia make no sense to me... :'(
Also, how do you get a Bad Egg to battle? :???:


Outside of the Pokémon IDentifier (PID), Trainer IDentifier (TID), Pokémon's nickname, and Trainer's name, most of the Pokémon's data is separated into 4 groups called substructures.
Each one of these substructures contains certain parts of the Pokémon's data in a certain order.
They are called: Growth, Attacks, EVs & Contest stats, Miscellaneous.

For example, the Attacks substructure contains, in that order: Move 1 identifier - Move 2 identifier - Move 3 identifier - Move 4 identifier - Move 1 PPs - Move 2 PPs - Move 3 PPs - Move 4 PPs.
Each one of these substructures is 96 bits long (or 12 bytes, or 6 words, or 3 double-words).

But all of this data isn't stored as is: it is encrypted when stored into the RAM and decrypted when the game wants to use it to check/use some values (like calculating a Pokémon's stats).

In Gen 3, the encryption is made of two mechanics:
- The order of the 4 substructures is given by the PID modulo 24 (there are 24 ways to sort 4 different elements)
- The game takes all the hexadecimal words that make up the substructures and computes their sum.
The first 4 hexadecimal characters of this sum (called the checksum) are stored in another part of the Pokémon's data.
Then, the game goes through every hexadecimal double-word that is contained in the substructures and modifies them with the formula: encrypted double-word = word xor TID xor PID (XOR being a logical operation)

Thus, if you corrupt the data in the substructures directly, the checksum will be invalid and the corruption will fail (the Pokémon will turn into a Bad Egg as soon as the game computes the checksum again and finds the difference with the stored checksum).

However, if you corrupt the Pokémon's PID, you will change the order of the substructures.
So when the game looks at the Pokémon's data after the corruption, it will incorrectly read the substructures, and this is where we can get very cool stuff.
(example: the Growth substructure being read over the Attacks substructure, so the species of the corrupted Pokémon is read over the identifier of the first move of the Pokémon before its corruption)
Since the PID is also used in the encryption of the substructure data, that PID corruption needs to meet a certain criterion in order to not affect that encryption.
But thankfully, one of the two possible ways to corrupt data with Pomeg Glitch meets this criterion.


Getting a Bad Egg (or an Egg/empty slot) to the battle is the matter of forcing the game to send a Pokémon from a certain party slot to the battle, even though that Pokémon is not supposed to be sent to the battle.
To do that, we exploit an oversight in the code that doesn't refresh the value "Party slot of the currently fighting Pokémon" from one battle to another if the party is fully KO.

Thus, the procedure looks like this:
- Make a wild battle and send a valid Pokémon to the fight (let's say from the 3rd party slot)
- Perform Pomeg Glitch to have a fully KO party
- Place a Bad Egg/Egg to the 3rd party slot (or leave it empty by depositing a Pokémon to the PC before killing the whole party)
- Make another battle (since the party is fully KO, the Pokémon in the 3rd party slot will be forced to the fight)
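A worked model of the data format both replies describe (Metarkrai's reply #601 on why the 0x40000000 corruption needs an even number of gaining double-words and why the 4th move's PP matters, and the substructure explanation just above), added here as an example; it is not code from the thread, from Bulbapedia or from any save editor. It assumes the standard Gen III layout of the four 12-byte substructures (Growth: species, held item, experience, PP bonuses, friendship; Attacks: four move IDs then four PP bytes; Misc: bit 30 of the IV double-word is the Egg flag) and generates the PID % 24 ordering table as the 24 permutations of "GAEM" in lexicographic order, which is the order of the game's table. Every PID, TID, species, move, PP and IV value is constructed. It goes one step beyond the posts: after the PID corruption it rewrites the slot with a refreshed 4th-move PP, as moving the Egg would, and shows the TID corruption either succeeding or producing a Bad Egg depending on bit 6 of that PP. The battle-slot procedure at the end of the reply is a game-state trick and is not modelled.

```python
import struct
from itertools import permutations

# Added example (constructed values throughout; not code from the thread).
# PID % 24 selects one of the 24 orderings of the substructures
# G(rowth), A(ttacks), E(Vs/contest), M(isc). itertools yields the
# permutations of "GAEM" in the same lexicographic order as the game's table.
ORDERS = ["".join(p) for p in permutations("GAEM")]
FLIP = 0x40000000   # the Pomeg corruption that can preserve the checksum

def build(species, item, exp, moves, pps, ivs, egg=False):
    """Four 12-byte substructures keyed by letter, in the standard Gen III layout."""
    return {
        "G": struct.pack("<HHIBBH", species, item, exp, 0, 70, 0),  # PP bonuses 0, friendship 70
        "A": struct.pack("<4H4B", *moves, *pps),                     # 4 move IDs, then 4 PP bytes
        "E": bytes(12),                                              # constructed: all EVs/contest 0
        "M": struct.pack("<BBHII", 0, 0, 0, ivs | (int(egg) << 30), 0),  # bit 30 of IVs = Egg flag
    }

def checksum(plain48):
    """Sum of the 24 decrypted 16-bit words, kept modulo 0x10000 (order-independent)."""
    return sum(struct.unpack("<24H", plain48)) & 0xFFFF

def crypt(data48, pid, tid):
    """XOR every 32-bit double-word with PID ^ TID; symmetric, so it both encrypts and decrypts."""
    key = pid ^ tid
    return struct.pack("<12I", *(d ^ key for d in struct.unpack("<12I", data48)))

def encode(subs, pid, tid):
    """Scramble by PID % 24, encrypt, and return (encrypted bytes, stored checksum)."""
    plain = b"".join(subs[k] for k in ORDERS[pid % 24])
    return crypt(plain, pid, tid), checksum(plain)

def decode(enc48, pid, tid, stored):
    """Read the slot the way the game does under (pid, tid): the substructure dict,
    or None when the recomputed checksum differs from the stored one (Bad Egg)."""
    plain = crypt(enc48, pid, tid)
    if checksum(plain) != stored:
        return None
    return {k: plain[12 * i:12 * i + 12] for i, k in enumerate(ORDERS[pid % 24])}

def gaining(enc48, pid, tid, flip=FLIP):
    """Count decrypted double-words whose `flip` bit is 0: they gain `flip` when PID or
    TID is corrupted by `flip`. The checksum survives that corruption iff the count is even."""
    return sum(1 for d in struct.unpack("<12I", crypt(enc48, pid, tid)) if not d & flip)

def species_of(g): return struct.unpack("<HHIBBH", g)[0]
def moves_of(a): return struct.unpack("<4H4B", a)[:4]
def pps_of(a): return struct.unpack("<4H4B", a)[4:]
def is_egg(m): return bool((struct.unpack("<BBHII", m)[3] >> 30) & 1)

def run_demo(refreshed_pp4=5):
    """Double corruption of one constructed Pokémon; returns the observations."""
    pid, tid = 0x1234567C, 0x0000BEEF            # constructed; pid % 24 == 4 -> order "GMAE"
    subs = build(species=25, item=0, exp=0x1234, moves=(33, 45, 84, 98),
                 pps=(35, 40, 30, 30), ivs=0x3FFFFFFF)
    enc, stored = encode(subs, pid, tid)
    out = {"order_before": ORDERS[pid % 24], "gain_before": gaining(enc, pid, tid)}

    # 1) PID corruption. All 12 double-words gain 0x40000000 (even), so the checksum
    #    holds; the order becomes "MAGE", so the old Attacks bytes are read as Growth
    #    (species = old move 1) and the old Growth bytes as Misc (Egg flag now set).
    pid2 = pid ^ FLIP
    d1 = decode(enc, pid2, tid, stored)
    out["order_after_pid"] = ORDERS[pid2 % 24]
    out["species_after_pid"] = species_of(d1["G"])
    out["egg_after_pid"] = is_egg(d1["M"])
    out["pp4_after_pid"] = pps_of(d1["A"])[3]         # bit 6 set (0x40) by the corruption

    # 2a) TID corruption on the untouched Egg: now all 12 double-words lose 0x40000000
    #     (0 gains, even), the checksum holds and the Egg flag returns to 0.
    d2 = decode(enc, pid2, tid ^ FLIP, stored)
    out["untouched_egg_ok"] = d2 is not None and not is_egg(d2["M"])

    # 2b) The Egg was moved first: the game rewrites the slot with refreshed PPs and a
    #     fresh checksum. Only bit 6 of the new 4th move's PP decides the parity now.
    moved = dict(d1)
    moved["A"] = struct.pack("<4H4B", *moves_of(d1["A"]), *pps_of(d1["A"])[:3], refreshed_pp4)
    enc2, stored2 = encode(moved, pid2, tid)
    out["gain_after_move"] = gaining(enc2, pid2, tid)
    out["moved_egg_ok"] = decode(enc2, pid2, tid ^ FLIP, stored2) is not None
    return out

if __name__ == "__main__":
    print(run_demo())      # refreshed PP 5  -> 1 gaining double-word, second corruption fails
    print(run_demo(69))    # refreshed PP 69 -> bit 6 set, 0 gaining, second corruption succeeds
```

Because the checksum is a plain sum of words, permuting the substructures never invalidates it on its own; only the change of the XOR key (PID ^ TID) does, and the parity count in `gaining` is exactly the "even amount of important bits" rule from the reply. The 4th-move PP byte sits in the top byte of the Attacks substructure's third double-word, which is why its bit 6 is one of the twelve bits that decide whether the second corruption survives.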

Alright, Thanks!