Author Topic: Gen III: Access Pokémon beyond the sixth slot sub-glitches.  (Read 166254 times)


VaeporSage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #270 on: May 20, 2014, 09:00:30 am »
All of these are the result of the 30th bit of the PV getting changed. The egg uses the friendship value for hatching (every 256 steps decreases it by one, and it hatches when it reaches zero). It's in the "making sounds" stage because your Pokémon's friendship value is really low. And the 30th bit of the origins dword is the 3rd bit of the ball-used value (Nest Ball has a value of 8, which means 1000₂).

Thanks, I understand that a bit better now.  ;)

But is the prevalence of the 23rd slot of Box 2 in corruption just my imagination? A pattern is emerging here - Torchickens and I have probably tested corruption 50 times between us. On the few times it has worked, the Jirachi/Deoxys Egg has been in that exact slot without exception.
« Last Edit: May 20, 2014, 09:01:45 am by VaeporSage »

Evie the Mother Hen ☽ ❤

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #271 on: May 20, 2014, 09:04:25 am »
Alright, I have finally achieved success! Yesterday, I got my Jirachi Egg and hatched it. I cloned it and then wiped boxes 1 and 2 clean, releasing the uncorrupted Nuzleafs and erasing all the Bad Eggs. So then this morning I set up the boxes for the same with Deoxys, which succeeded after only eight tries.  ;D

Yay! I'm glad you were able to do it. :D

Discovery found by Golderzoa333 on his Twitch stream:

If you check the summary of the second Pokémon then scroll up twice without leaving the summary (to the Decamark you sent out) you'll see a 'dark' version of your first Pokémon that may be flipped. It'll disappear after a short time, unless the game happens to lock-up when it's shown.



Is that a reproducible effect?  Because in some cases some Decamarks cause weird sprite glitches to occur. 


E.g. this Charmander

I'll also note that in that image, it says the Pokémon is a ??????????, and No000.

Yeah, it's reproducible. Different Pokémon in the first position give different results. It says it's ??????????, and No. 000 because the new Pokémon is. The game doesn't load the Pokémon's summary all at once.

It loads the data in this order:
1) Type
2) Pokédex number, species, level, gender
3) OT, ID number, ability
4) Trainer memo data (nature and location met)

Then the 'ghost picture' disappears, the Slowpoke cry plays and the game locks up.

The screenshot above was taken early in the process, which is why its type changed to normal and its Pokédex number, species name, level and gender changed, but everything else visible about the Pokémon didn't.
« Last Edit: May 20, 2014, 09:32:24 am by Torchickens »

✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿
Here have some free flowers on every post :)
✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿✿



(Images © Sanrio, Nintendo, Pokémon, HAL Laboratory)

✿ Hi, I'm Evie. Transgender woman but spiritually doesn't believe 'male'/'female' needs to be defined; lives more stereotypically like a woman/I'm a 'girly' nerd who discovered herself. Call me whichever pronouns you like. :)

Feel free to contact me here about anything regarding the site.

Forgiveness. I feel that the more people pray to our greatest source/God/mathematical equality for world peace, the more and more it manifests into reality (until our next spiritual death).

Thank you Nyapon for this lovely artwork. :3

pigdevil2010

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #272 on: May 21, 2014, 06:38:54 am »
A big discovery!

After tracing Emerald's ASLR, I finally found the address that will always lead to the correct address. The address is 03005D8C. It stores the pointer to another address. This value is changed every time ASLR is activated, to keep the CPU jumping to the correct address. If you want to locate the start position of Pokémon in a box, just add 3E0C to this address' value! For example, if the value at address 03005DBC is 02025A30, then the data of the first Pokémon in a box will start at 0202983C.

Proof:

TheZZAZZGlitch

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #273 on: May 22, 2014, 11:45:02 am »
Getting closer to executing arbitrary code without a hacked save file

In case you're not following my YouTube channel, arbitrary code execution is already possible. It requires a hacked save file though. So the next natural step is to find a way to do this without any outside tools.

The first problem is the method itself. Currently, the glitched name of decamark 0x065C is used as a gateway to arbitrary code execution. Obtaining it without cheating seems currently impossible, since it crashes the game upon hatching. Therefore, a different decamark with code-executing properties is necessary.

I further investigated the arbitrary code execution glitch I found earlier, and found its exact cause. With this knowledge, I (or at least my computer) was able to create a list of all decamarks and their possible jump locations.
Thanks to this, it was easy to find a decamark with index 0x097D - its glitched summary screen executes code starting at $E118C50 (again, save data), and does not crash the game after or before hatching.

If we're talking TAS only, there are no problems left - just luck manipulation! ...

...but things start to look bad if we want to do things without TASing:

  1. The save file in Generation III is split into 14 substructures, independent memory blocks. They once again have their order randomized. 9 of those blocks are PC boxes - so there's a good 64% chance that the execution will land in one of the Pokemon boxes (and Pokemon boxes are pretty easy to manipulate). Still, a legitimately playing person won't have the certainty that the glitch will always work.

  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

  3. ARM processor architecture is not great for us either. Each instruction in ARM mode takes 4 bytes. So to spell out a single instruction, 4 consecutive bytes need to have their values manipulated. You think it's difficult? Well, all instructions also have to be on memory addresses divisible by 4...

I'm now trying to get rid of the first problem on the list. Maybe there's a decamark that jumps to a more predictable location, like Pokemon boxes, or Pokemon in the party?

I included the previously mentioned list in the post. It is a CSV file with the following fields:
 - id: Hex identifier of a decamark.
 - name_length: The length of its name (it determines if the arbitrary code execution is possible and how much RAM will be corrupted; you should not worry about this field now).
 - name_offset: The GBA memory offset where the 'name' is stored.
 - jump_offset: Memory location that will get executed once the summary screen is viewed. If filled with dashes ('--------') no arbitrary code execution occurs.

If someone finds a hatchable [!] decamark that executes arbitrary code from a fully predictable memory region, please let me know!
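As an added example (not from the post or its attached file), here is a small Python reader for the CSV layout TheZZAZZGlitch describes above; it treats '--------' as "no jump", classifies each jump_offset by GBA memory region, and checks the 4-byte ARM alignment raised in point 3. The sample rows are constructed (only the 0x097D / $E118C50 pair comes from the post), and the region table assumes the standard GBA memory map as documented in GBATEK.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout the post describes (id, name_length,
# name_offset, jump_offset). Only 0x097D -> 0E118C50 comes from the post.
SAMPLE_CSV = """id,name_length,name_offset,jump_offset
0x0123,12,0827F4A0,030021C4
0x097D,10,0827F6B2,0E118C50
0x0456,7,0827F7D0,--------
0x0789,14,0827F900,02025A31
0x0ABC,9,0827FA10,08123450
"""

NO_JUMP = "--------"  # the post's marker for "no code execution"

# Standard GBA memory map (GBATEK). SRAM is mirrored over the whole
# 0x0E000000-0x0FFFFFFF window, so a save target like $E118C50 is SRAM.
REGIONS = [
    (0x02000000, 0x0203FFFF, "EWRAM"),
    (0x03000000, 0x03007FFF, "IWRAM"),
    (0x04000000, 0x040003FF, "IO"),
    (0x05000000, 0x050003FF, "PALETTE"),
    (0x06000000, 0x06017FFF, "VRAM"),
    (0x07000000, 0x070003FF, "OAM"),
    (0x08000000, 0x0DFFFFFF, "ROM"),
    (0x0E000000, 0x0FFFFFFF, "SRAM"),
]

@dataclass
class Decamark:
    ident: int
    name_length: int
    name_offset: int
    jump_offset: Optional[int]  # None when the CSV field is '--------'

    @property
    def region(self) -> str:
        if self.jump_offset is None:
            return "none"
        for lo, hi, name in REGIONS:
            if lo <= self.jump_offset <= hi:
                return name
        return "unmapped"

    @property
    def arm_aligned(self) -> bool:
        # ARM-mode instructions are 4 bytes and must start on a 4-byte
        # boundary (the post's third problem); 02025A31 fails this check.
        return self.jump_offset is not None and self.jump_offset % 4 == 0

def parse_decamark_csv(text: str) -> List[Decamark]:
    """Parse the CSV text into records, treating dashes as 'no jump'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        jump = row["jump_offset"].strip()
        records.append(Decamark(
            ident=int(row["id"], 16),
            name_length=int(row["name_length"]),
            name_offset=int(row["name_offset"], 16),
            jump_offset=None if jump == NO_JUMP else int(jump, 16),
        ))
    return records
```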

VaeporSage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #274 on: May 25, 2014, 03:19:51 am »
We're getting close to the holy grail... :D

I got my Mew via corruption of Dots with 151 HP EVs. Yet again, slot 23 of Box 2 was the one to produce this gem.

I'm pretty sure I'm not imagining things: ~20 tries for Jirachi, 8 for Deoxys and 5 for this Mew, and the only time in each of those cases when the Pokémon corrupted right, it was the one in slot 23 of Box 2. At this point, I think it's fair to say that slot 23 of Box 2 is the only slot that will corrupt the stuff correctly.

So this afternoon, I'm going to try for my Celebi, but this time I'm only going to put Dots in slot 23 of Box 2.

Pawny

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #275 on: May 25, 2014, 06:37:21 am »
That's amazing. :o

  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

TAS talking, even if the code warped us to the Hall of Fame, the save there wouldn't "fix" it? Because otherwise, at least by TASVideos's standards, it would get rejected most likely. :(
Hug me~!

luckytyphlosion

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #276 on: May 25, 2014, 07:57:37 am »
  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?

On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error, as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculously long name, switched my character's gender, glitched my trainer card (upon opening it, it'd either show Glacia's sprite or freeze the game), messed up the frame, and other sprite mess-ups: my character became an Azurill doll when using the bicycle, and in Petalburg Woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

However, all we've managed to corrupt is: Repel effect, Pokémon data, and maps. Why is it different when you switch eggs around?
« Last Edit: May 25, 2014, 08:11:47 am by luckytyphlosion »

pokechu22

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #277 on: May 25, 2014, 01:15:44 pm »
  2. Well, if the arbitrary code execution worked, good luck with returning back to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one way trip.

What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?

I might be wrong here, but the game shouldn't be changed afterwards. It just forces you to reboot the game (in some cases, it actually automatically does so!). So Pokémon and such are not going to be changed.

Wait.  What happens if we tried to modify the save data through this arbitrary execution?  Could we make assumptions about the current layout due to the fact that the program worked?  For sure, a TAS would be able to move the player to after the elite 4, by altering the save data.  You could change the data, then reload the game.  Hm...

On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:

I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error, as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculously long name, switched my character's gender, glitched my trainer card (upon opening it, it'd either show Glacia's sprite or freeze the game), messed up the frame, and other sprite mess-ups: my character became an Azurill doll when using the bicycle, and in Petalburg Woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.

However, all we've managed to corrupt is: Repel effect, Pokémon data, and maps. Why is it different when you switch eggs around?

I'm going to note that the effects there have been found in FireRed by me. In this case, it was a glitched TM name causing overflow. I'm guessing that some string was broken (it could have been an ability, or a species name), and caused such an effect. Actually, looking at that, it mentions glitched moves. So it is very likely that one of the moves did it.
When I underline text, that usually means I am using the [acronym] tag to provide additional information. Hover over it to view.
My youtube channel

VaeporSage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #278 on: May 26, 2014, 08:27:41 am »
the "access pokemon beyond the sixth slot" (this needs a shorter name)

I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))

Evie the Mother Hen ☽ ❤

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #279 on: May 26, 2014, 10:21:51 am »
the "access pokemon beyond the sixth slot" (this needs a shorter name)

I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))

I think that's a cool name. When updating the Bad Egg wiki page, I referred to the scrolling glitch as the 'Generation III bit set glitch', but I said it's also called Glitzer Popping.

Two other changes I made are Trainer Ledge/Fence Collision glitch to Amazing Trainers akin Amazing Man (because it sounds nicer and easier to read, and a tuber can walk through a wall) and Zero Error to Walking lag glitch (because the page actually describes something different)


luckytyphlosion

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #280 on: May 26, 2014, 02:39:15 pm »
One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"

VaeporSage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #281 on: May 26, 2014, 03:52:14 pm »
One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"

This is the same with a normal Egg if you get it poisoned via the standard Pomeg glitch.

If you have Sacred Ash with you (I got mine from XD: Gale of Darkness), you can also revive any fainted Eggs/Bad Eggs you have in this way.

Wack0

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #282 on: May 27, 2014, 11:55:44 am »
Does anyone know what glitch moves with long names do in contests?
C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

BetaArchive | SoftHistory Forums | irc.rol.im #galaxy, #softhistory

Also known as The Distractor.

Shane, please stop telling children that there's a Mew outside under the delivery trucks. - Management

Pokémon: arbitrary code execution 1996-2016

VaeporSage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #283 on: May 27, 2014, 12:46:42 pm »
I spent an hour today testing stuff out in XD: Gale of Darkness. But jeez, that game is one heck of a glitch-proof fortress.

All of my corrupted hatched stuff (Deoxys, Jirachi, Mew, Ho-Oh and a glitchy Caterpie) would not show up at all in the trading menu. A blank space was shown in its slot instead, which could not be interacted with.

Glitchy markings were erased when sent to XD: GoD, and my Sneasel with the name "Sne[down arrow]sel" was renamed "Snesel" when traded over.

XD: Gale of Darkness's GameCube vs. Gameboy battle system is even more impenetrable. My Jirachi, Deoxys, etc. (even Caterpie) showed up as Bad Eggs on the battle selection screen and Pokémon with glitch moves were unable to fight.

So XD: Gale of Darkness will not allow:

-Glitch moves to show up in battle
-Glitch moves to be used in GCN v GBA battles
-'Hacked' (or Pokémon suspected of being hacked) to be traded
-Pokémon with ?35 HP to remain at this health quantity
-Glitch markings to have any effect
-Bad Eggs
-Glitchy names

This game is the ultimate glitcher's cockblock, my friends.

Does anyone know what glitch moves with long names do in contests?

I've tested 5, and all of them have frozen the game.

There is apparently some potential here (look up 'Cool Move' to see what I mean), but it could be a while until something concrete is found.

voltage

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.
« Reply #284 on: May 27, 2014, 07:29:15 pm »
So I transferred my Mewtwo into Gen IV and the location stated it was from ---------- instead of Hoenn.
« Last Edit: May 27, 2014, 07:29:46 pm by voltage »
This was once one of the most harmless glitches in the Pokémon series... :P