Pomeg Glitch Corruption :
Pomeg Glitch RAM Corruption is about the Party Pokemon Selection Pointer that selects blocks of RAM data that isn't Party Pokemon data, and corrupts them because the checksum performed on this data gives an incorrect result.
A Party Pokemon data is a block of 25 double-words.
The locations of the double-words the Selection Pointer will read with Pomeg Glitch are fixed.
In these blocks, you have 7 important areas for Pomeg Glitch.
- The first ones are for the Pokemon PID and TID.
These values determine the encryption of the 4 Pokemon substructures (crypted data = raw data xor PID xor TID, in double-words).
The PID also determines the order of these 4 substructures (3 double-words each).
- You have then a byte that seems to be only used for the Legit/Bad Egg state, between the Pokemon name and Trainer name.
This byte is usually at 0x02, and is turned into 0x07 if the Pokemon is a Bad Egg (to prevent the Egg from hatching, and giving it the name "Bad Egg"). This is performed by setting bits 0 and 2 of the byte to 1.
This induces what I usually call the 0x05 corruption, as in general you can see the 0x05 value appearing, even if a value can only gain 0x04 or 0x01 or nothing due to this corruption.
With Pokemon Corruption, this corruption has no use at all. Even worse than that, the 0x05 corruption is the main thing that can prevent a Pokemon corruption from working.
- And you have 4 bytes that represent the 4 possible locations of the Pokemon Egg state (hatched/non-hatched) in the Growth substructure.
The bit managing the Egg State is bit 6 (0x40) of that byte.
Since this byte is in the data substructure, the location of the corruption will depend on the PID value modulo 24.
And the effect of that corruption (forcing the bit to 1 or 0) will depend on the PID xor TID result (the value of bit 6 of their leftmost byte, to be accurate), since this corruption is applied to the "crypted" substructure data.
If PID and TID both have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 1 (sets 0x40).
If PID and TID don't have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 0 (unsets 0x40).
I generally call this corruption the 0x40 corruption to mention it faster.
The 0x40 corruption has 4 different locations relative to the 0x05 corruption (which is always on the same byte on a given 25 double-words block), and can do 2 different things, all depending on the PID and TID values (or what the game wants to interpret as so).

Screenshot :
Here's the location of the 7 interesting zones in a Party Pokemon data.
I bordered the 25 double-words blocks to distinguish them a bit better.
In blue (11111 and 2222), you have the PID and the TID (in that order).
In green, just below the PID, you have the 0x05 Corruption location.
In yellow, you have the 0x40 Corruption locations. They are all separated by 2 double-words.

Pokemon Corruption :
In Pokemon Corruption, the goal is to abuse the anti-cheating measure that moves the addresses of many RAM values in order to have a PC Pokemon PID that is affected by a 0x40 Corruption.
We want the PID to be corrupted because this affects the Pokemon substructures order, and allows us to manipulate values like species, item, xp, origins, IV, by knowing how its substructures order will be changed (ex : Attacks will be read on EVs).
But to make this work, the Pokemon checksum can't change, or it will turn into a Bad Egg.

Bypassing the Checksum :
The checksum decrypts all the substructures data, cuts the double-words in words and adds them. It then stores the 4 first characters of the sum (they could have stored the whole sum, but thankfully for us, they didn't).
Since we're changing a value on the PID, the difference between corrupted PID and normal PID will be present 4*3 = 12 times (4 substructures containing 3 double-words), in the "general case".
Since checksum adds words, 0x05 and 0x40 Corruption will give differences of 0x0500 (or 0x0400,0x0100) and 0x4000 (or 0x0000 if nothing happens).
You can see that 0x4000 is the only value that won't change the checksum result since 0xC * 0x4000 = 0x3 0000.
For the 0x05 Corruption, the checksum will be screwed, and this will always result in a Bad Egg, which is why I said it wasn't useable for Pokemon Corruption.
If the PC Pokemon PID is corrupted and its checksum stays valid, the Pokemon Corruption will be working.
Since this works with the 0x40 Corruption, the Egg State value of the Pokemon is switched, and so is its hatched/non-hatched state.
Since its PID was corrupted, the order of its substructures is changed, leading to interesting results.

Double Corruption :
But you can also do the same thing with the Pokemon TID, which will have the same checksum issue as PID (since they are both involved in checksum), and which will bring the same effects minus the substructures order.
It may not seem useful to corrupt TID, but it is.
Because if you do a single PID corruption, you'll get an Egg of your desired Pokemon.
Hatching the Egg will remove its EVs, Item, Ribbons, Contest Stats, and set its Lv to 5.
Also, because of the 0x40 Corruption only being performed once, there are some 0x40 "values" that still affect the Pokemon data (like a move being move 0x4000 instead of 0x0000, or item 0x4001 instead of 0x0001 if you wanted your Egg to hold a Master Ball).
The hatching is also risky for Glitch Pokemon, as their hatching sequence can freeze (I don't know if it's related to the Glitch Pokemon sprite, the Glitch Pokemon name, a part of RNG, or all of that).
If you corrupt the Pokemon PID and then its TID, you'll have the substructures order shift, on a Pokemon that isn't in an Egg (so no hatching animation + Exp/Item/EVs/Contest Stats / Ribbons/Met Location/Met Lv/Met Version/Met Trainer kept), and you don't have the "0x4000 0000 leftovers" on the substructure data from the 0x40 Corruption anymore, since both PID and TID had their bit 6 of leftmost byte value switched.
Thus, you end up with the exact Pokemon you wanted, without any issue even if you were to want a Glitch Pokemon/Move.
This is Double Corruption, since you corrupt both PID and TID. It was brought by someone on that topic (I don't remember who, nor the page) to whom I give my thanks, as this method is really useful.

Bypassing checksum (more detail) :
But, there are other tiny things to deal with if you want to be sure to exactly have what you wanted.
For checksum, I mentioned a "general case" where everything goes right, but 2 things can screw up the checksum on a 0x40 Corruption.
The first thing is to really have 0x4000 added or subtracted 12 times (or a number of times that is a multiple of 4). If your Pokemon was caught in a Nest/Repeat/Timer/Luxury/Premier Ball, one of its non-crypted substructure double-words will have its bit 6 of leftmost byte set to 1 (0x4000 0000 will be there).
The other bit 6 of leftmost bytes for double-words of substructures concern : Item (0x4000), Moves (0x4000), Speed Evs (0x40), Beauty (0x40), Feel (0x40), Move 4 PPs (0x40), Egg State, a Special Ribbon, Exp (0x4000 0000).
So unless your Pokemon has a good amount of Speed EVs or Contest Stats, or a Move 4 with 64 PPs, only 1 double-word of its substructure will have its bit 6 of leftmost byte set to 1.
This means that the checksum calculation after its PID corruption will differ by 11 - 1 = 10 times 0x4000 = 0x2 8000, since for 11 double-words, 0x4000 will be added, whereas it will be subtracted for the double-word containing Origins info.
And you see that the checksum difference isn't a multiple of 0x1 0000, so the checksum will be invalid, and the corruption won't work.
Thus, for Pokemon Corruption, I ask people not to have caught their Pokemon with a Nest/Repeat/Timer/Luxury/Premier Ball, nor have a Move 4 with 64 PPs, nor have between 0x40-0x7F or 0xC0-0xFF (64-127 or 192-255) in Speed EVs, Beauty, Feel.
Since some people were catching their Pokemon with a Repeat Ball (or another forbidden Ball), and since they were only giving them HP and Atk EVs for Species Corruption, they weren't able to have a working corruption.
If you want a really specific corruption (on certain cases), you can set bit 6 of leftmost byte of 2 double-words to 1 in order to have a checksum difference that won't be seen, since you'll have 8 times 0x4000 (8 is a multiple of 4, and 4*0x4000 = 0x1 0000), but don't do that for basic corruptions, that would only make the preparations more complex for nothing.

Corruption Initiator :
The second thing is the 0x05 Corruption from the 25 double-word block below.
Since everything happens in 25-double words blocks, each 0x40 Corruption is between 0x05 corruptions.
Here, we're seeing the 0x05 corruptions relatively to the 0x40 one, since we want to have the 0x40 Corruption on the PC Pokemon PID.
Again, we have 4 different locations for that 0x05 corruption (when 0x40 is on PC Poke PID) :
- On 1st double-word of 2nd substructure
- On 1st double-word of 3rd substructure
- On 1st double-word of 4th substructure
- On PID of the PC Pokemon below
3 of them are a potential threat (1/4 chance that the double-word won't be affected by the 0x05 Corruption), and 1 is completely safe.
Thus, we're totally going for that 4th location of 0x05 Corruption (when 0x40 is on PC Poke PID).
The case where the 0x40 Corruption can be on the PC Pokemon PID, and where the 0x05 Corruption will affect the PC Pokemon below is when the values that the Selection Pointer uses as "PID" and "TID" are double-words 1 and 2 of substructure n°2 of the Pokemon above the PC Pokemon we want to corrupt.
That's because the 0x05 Corruption is fixed, as well as the "PID" and "TID", and that it's the 0x40 that has 4 different locations.
Thus, we will need the values of the 2 mentioned double-words to have specific values in order to give a good 0x40 Corruption location, as well as a 0x40 set or unset (Since we're doing 0x40 on a Pokemon PID, only the set or the unset corruption will do something, so this has to be manipulated too to fit for every Pokemon).
And, since Double Corruption is also a thing, we can do the same thing for the PC Pokemon TID.
The double-words that need specific values for a PC Pokemon TID 0x40 Corruption are double-words 2 and 3 of substructure n°2 of the Pokemon above.
By gathering both cases, we need to have a Pokemon with a specific substructure n°2.
These values are made on a Pokemon I call "Corruption Initiator", as its purpose is only to be put before the Pokemon you want to corrupt in order to ensure that a good corruption can happen on that Pokemon.
With the values wanted there, I even call the Pokemon a "perfect initiator", as it ensures you that you can corrupt any Pokemon you want (modulo tiny things to avoid).
Since we will need the 0x40 set and unset corruptions for both PID and TID, we'll need 2 Corruption Initiators, so we'll be sure that any Pokemon will be corrupted with one of them. (One Initiator will do the 0x40 set on PID and TID, and the other the 0x40 unset on PID and TID).
For the 0x40 set Corruption, the substructure n°2 of the initiator must verify :
- double-words 1, 2 and 3 have their bit 6 of leftmost byte equal (0,0,0 or 1,1,1 pattern).
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).
For the 0x40 unset Corruption, the substructure n°2 of the initiator must verify :
- double-words 1, 2 and 3 have their bit 6 of their leftmost byte forming a 1,0,1 or 0,1,0 pattern.
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).

Why using an Initiator works :
This is a tiny EDIT, but I forgot to develop about that.
The anti-cheating measure that moves the RAM addresses of most values each time you open your bag, make a fight, change locations,... can move a designed value on 32 addresses (they are adjacent).
Thus, if you put in Box 1 your Corruption Initiator followed by a Pokemon to corrupt, you only have to try using Pomeg Glitch until the data of substructure n°2 of the Corruption Initiator ends up on the address of a "PID" and "TID" for the Party Pokemon Selection Pointer (these addresses are fixed).
When this will happen, the 0x40 corruption will be forced to happen on the PID of the PC Pokemon to corrupt (with the right set/unset type), and the 0x05 Corruption below will fall right below the PC Pokemon to corrupt data.
Since the Party Pokemon data is a block of 25 double-words, there's always a certain movement of the anti-cheating measure that will put up the substructure n°2 data on one of these "PID" and "TID" addresses (as the substructure n°2 data can be placed on 32 different consecutive locations).

Potential Initiators :
The only Pokemon who have substructures values that we know are Empty Slot and in-game trades Pokemon.
Empty Slot will only give a 0x40 set Corruption, and when 0x40 is on a PC Pokemon PID, the 0x05 Corruption is on its 1st double-word of 2nd substructure.
Thus, leaving an empty slot before the PC Pokemon won't work well at all (half of your Pokemon won't have their PID corrupted, and 1/4 of them will suffer from the 0x05 Corruption, so only 1/8 of your PC Pokemon "could" work).
You have 4 in-game trades Pokemon in Emerald :
Seedot : substructure order : EGAM -> GMAE (the second substructure order is the one after a 0x40 PID Corruption)
Plusle : substructure order : EAMG -> AGME
Horsea : substructure order : AGME -> MEAG
Meowth : substructure order : MGEA -> AMEG
can be manipulated for congruence modulo 24, but since it contains Experience, it would be hard to have a general procedure to do that on console (since the Lv of these Pokemon can be drastically different).
The 0x40 unset Corruption couldn't be done. (there's one of the 3 leftmost bytes you can't manipulate, and you can't have 0x4XXX XXXX Exp)
can be manipulated for congruence modulo 24, but the 0x40 unset Corruption couldn't be done. (you'd need a 0x4XXX Glitch Move).
can't be manipulated for congruence modulo 24 nor 0x40 unset Corruption.
and Contest stats can be manipulated for both congruence modulo 24 and 0x40 set/unset corruptions.
But as you can see, none of the traded Pokemon have EVs as their substructure n°2.
However, a 0x40 corrupted Horsea has EVs as substructure n°2.
To perform a 0x40 Corruption on Horsea, I use the Seedot as a Corruption initiator.
Seedot won't be a perfect initiator, but with slight changes on him and Horsea, he'll work perfectly.
Here's the setup :

Caterpie the Perfect Initiator :
Pokeblocks with 6 Chesto Berries at Lilycove with the old man. They must be Lv 12 Blue Pokeblocks, with 22-23 in Feel.
26 Hondew, and 26 Grepa Berries.
At least 13 Pomeg Berries.
Other Pomeg, Kelpsy, Qualot, Hondew, Grepa, Tamato Berries.
5 Carbos, 5 Calcium, at least 2 HP Up.
TM Protect (sold at Lilycove).
- Get the in-game traded Seedot.
- Get the in-game traded Horsea. He must have less than 65.536 Exp points. (Lv 40 or lower)
Horsea and Seedot (and any other Pokemon you'll train for double corruption) must not catch Pokerus during their training.
- If Seedot and Horsea already fought a bit and gained some EVs, use the Pomeg, Kelpsy, Hondew, Grepa, Tamato Berries to put them back at 0 EVs.
- Clone them both to have a safe copy.
- Give 1 Carbos and 3 Calcium to Seedot. (Now Seedot is ready)
- Give 1 HP Up to Horsea. (He'll transform into a Caterpie)
- Give 1 Carbos to Horsea, and make him fight 3 Zigzagoon (For 13 Speed EVs that will absorb the 0x05 Corruption)
- Change Horsea Moves to Waterfall, Protect, Surf, --(Fr)/Return(US). (Having a specific 4th Move is really important)
- Save and clone them 6 times. (1 copy in a safe box and 5 copies for the next steps).
- Place the 5 Seedots and Horsea in Box1 or 2 with a Seedot-Horsea-Seedot-Horsea-...-Horsea pattern (a block of 10 Pokemon + Seedot before Horsea as Seedot is the initiator for Horsea's corruption).
- Save, and perform Pomeg Glitch (this is why Fluffy Tails is mentioned) to corrupt the Horsea. (you have 6-7/32 chances to corrupt Horsea's TID).
- Once one of the Horsea became an Egg, check its summary.
If the Egg doesn't have Pokerus and isn't about to hatch, keep the Egg and save. (its TID was corrupted)
If the Egg has Pokerus, reset and redo the corruption. (PID was corrupted)
(the TID corruption being first is really important because it won't screw up the 4th Move PPs and allow you to make a fast second corruption)
- Save, clone Seedot and Horsea's Egg 5 more times, and display them in the same pattern as earlier.
- Save, and perform Pomeg Glitch again to corrupt a Horsea's Egg. (here it's 6-7/32 chance to get it, as you really can't move that Egg).
- Once an Egg became a Caterpie, save.
- Give him Pomeg, Hondew, and Grepa Berries to put its EVs back at 0. (they come from Horsea species + Exp since EVs are read on Growth)
- Give him 2 Carbos and 2 Calcium, and save. (Here it is, the first perfect initiator)
- Clone the Caterpie 2-3 times. (at least one copy in a safe box)
- Give the 6 Blue Pokeblocks to another clone (72=0x48 Beauty, 138=0x8A Feel), and give that clone a Heart marking. (here comes the second perfect initiator, the heart marking allowing you to distinguish both of them easily).
- Save, and clone these 2 Caterpies (marked and unmarked) a dozen times.

Using Caterpies :
- Now, every time you want to perform a Pokemon Corruption, once you've prepared your Pokemon, clone it 10 times.
Place 5 clones with a Caterpie before each (Caterpie-clone-....-clone chain), and place the 5 remaining clones with a Marked Caterpie before each (M Caterpie-clone-...-clone chain). (if you knew beforehand what type of Caterpie would work with this Pokemon, you can only place this very type)
- Then, save and perform Pomeg Glitch to corrupt PC Pokemon, and if your Pokemon doesn't have the slight issues mentioned earlier (Balls, Beauty, Feel, Move 4 PPs, Item, Move2, ...), you'll be sure to have 6 or 7/32 chances to corrupt the PID of one of your clones (and same chances for its TID).
- And if you want to go for a Double Corruption (because it's a very strong and useful corruption), you'll need to know beforehand if your TID can be corrupted with a 0x40 set or unset Corruption, as well as if your Pokemon's PID, because once a clone will turn into an Egg, you'll need to know what type of Caterpie you need to place before the Egg to perform the second corruption. (Remember to never take the Egg with the hand, or reset if you do so)
You can also try both of them, but since the second corruption only has a 1/32 working chance, this could be longer.
- If you test your Pokemon beforehand to know what type of Caterpie corrupts him well, you can give a mark to that Pokemon to easily remember that (and also mark the Pokemon to distinguish its Corruption type).

Caterpie data screenshot :
The orange upper part is Caterpie's data. I cut it to directly start at its substructure n°2 data.
Below Caterpie, you have the traded Horsea, who had its PID corrupted (0x4000 007F instead of 0x0000 007F), and who became an Egg. The part I circled is Horsea's data as a PC Pokemon (20 double-words only).
In green, you have the 3 double-words of substructure n°2.
The 2 first double-words are equal to 18 and 22 mod 24, and the Bit 6 of the leftmost byte of the 3 double-words has a 0,0,0 pattern (none of them have that bit set to 1), so we'll have a 0x40 set corruption that will perfectly work.
And in Blue, you have the locations of the 0x05 and 0x40 Corruptions.
When one 0x40 fell on Horsea's PID, you have the 0x05 above on Caterpie's data, and the 0x05 below right below Horsea's data, showing that Horsea was corrupted well.

Caterpie file :
If you're on VBA, here's a .dmp file of Seedot + Horsea untouched + both Caterpies + 0x288A Glitch Pokemon to make easy clones : http://www.petit-fichier.fr/2015/05/02/horseaseedotcartepies0x288a/
I made a video on fast cloning before : http://www.youtube.com/watch?v=I8Mio5cA9fs
(RAM addresses for PC Pokemon are below 0x0202987C on Fr/US Emerald)
The Marked Caterpie doesn't have the same Feel as the one described there, as the one I did is older, and I had a flaw for the Feel value, so I had to give him a Yellow Pokeblock to increase it over 0x7F.

Pomeg Glitch Lua Script :
- Since I'm there, here's also the link of the .lua script I'm using to have useful information on PC/Party/Wild Pokemon on Emerald : http://www.petit-fichier.fr/2015/05/02/emer-pomeg-glitch/
It's untranslated, but there's only a little bit of text (apart from the Pokemon moves and natures), and I think it's easy to understand who does what.
This script gives EVs, Contest stats, Moves, PPs, PID, TID, IVs, Nature, HP, Item, Pokerus, Shinyness, PID mod 24, obedience (if Mew or Deoxys), and substructure order (now and after a 0x40 Corruption) of a Pokemon by holding it in the PC or seeing its summary.
When you have a glitch Pokemon, Bad Egg, or Glitch Moves, it's always nice to have a quick look at the data without freezing the game.
(for the substructure order, E=EVs, A=Attack, C=Croissance=Growth, D=Divers=Miscellaneous)
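
The checksum and substructure-order arithmetic from the "Bypassing the Checksum", "Double Corruption" and "Bypassing checksum (more detail)" sections, as an added Python example (not part of the original post and not the Lua script linked above). It assumes the standard Generation III order table indexed by PID mod 24, which the page does not list but which reproduces the four trade orders quoted; the TID and the 12 data double-words are constructed, and only the Horsea PID 0x0000007F comes from the page.

```python
from itertools import permutations

# Substructure order by PID mod 24 (G=Growth, A=Attacks, E=EVs, M=Misc).
# Standard Generation III table (assumption: not listed on the page).
ORDERS = ["".join(p) for p in permutations("GAEM")]
BIT6 = 0x40000000     # bit 6 of the leftmost byte: the 0x40 Corruption
MASK_05 = 0x05000000  # bits 0 and 2 of the leftmost byte: the 0x05 Corruption

PID = 0x0000007F      # traded Horsea's PID, as quoted on the page
TID = 0x00009C40      # constructed value, not from the page
# Constructed decrypted substructure data: 12 double-words, leftmost byte 0x00.
PLAIN = [0x00000074, 0x00002EE0, 0x00000046, 0x0039007F,
         0x00390037, 0x000F1E23, 0x00000D00, 0x00000000,
         0x00000000, 0x00200000, 0x003FFFFF, 0x00000000]


def order(pid):
    """Substructure order the game derives from a PID."""
    return ORDERS[pid % 24]


def checksum(dwords):
    """Add the 24 words of the decrypted data, keep the low 16 bits."""
    return sum((d & 0xFFFF) + (d >> 16) for d in dwords) & 0xFFFF


def xor_key(dwords, pid, tid):
    """Encrypt or decrypt: each double-word is XORed with PID xor TID."""
    return [d ^ pid ^ tid for d in dwords]


def corrupt(plain, pid_mask=0, tid_mask=0):
    """Store `plain` under (PID, TID), then flip the mask bits in PID/TID only.

    The stored data and stored checksum are untouched, as in the glitch.
    XOR models a forced set/unset that actually changes the bit.
    Returns (checksum still valid, data as the game now decrypts it).
    """
    stored, stored_sum = xor_key(plain, PID, TID), checksum(plain)
    seen = xor_key(stored, PID ^ pid_mask, TID ^ tid_mask)
    return checksum(seen) == stored_sum, seen


def with_bit6(indexes):
    """Copy of PLAIN with bit 6 of the leftmost byte set on some double-words."""
    return [d | BIT6 if i in indexes else d for i, d in enumerate(PLAIN)]


if __name__ == "__main__":
    print("order:", order(PID), "->", order(PID ^ BIT6))
    print("0x40 on PID, general case:", corrupt(PLAIN, BIT6)[0])
    print("0x05 on PID:", corrupt(PLAIN, MASK_05)[0])
    print("one double-word with bit 6 set:", corrupt(with_bit6({9}), BIT6)[0])
    print("two double-words with bit 6 set:", corrupt(with_bit6({9, 10}), BIT6)[0])
    ok, seen = corrupt(PLAIN, BIT6, BIT6)
    print("double corruption:", ok, "data unchanged:", seen == PLAIN)
```

After a single PID corruption every decrypted double-word carries the extra 0x4000 0000 (the "leftovers"); with both masks applied the key PID xor TID is unchanged, so the data decrypts exactly as before while the order still shifts.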