Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 19

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2014-05-20 10:00:30
All of these are the result of the 30th bit of the PV getting changed. The Egg uses the friendship value for hatching (every 256 steps decreases it by one, and it hatches when it reaches zero). It's in the "making sounds" stage because your Pokémon's friendship value is really low. And the 30th bit of the origins dword is the 3rd bit of the ball-used value (Nest Ball has a value of 8, which is 1000 in binary).


Thanks, I understand that a bit better now.  ;)

But is the prevalence of the 23rd slot of Box 2 in corruption just my imagination? A pattern is emerging here - Torchickens and I have probably tested corruption 50 times between us. On the few times it has worked, the Jirachi/Deoxys Egg has been in that exact slot without exception.
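The bit layout behind the quoted explanation, as an added example (my code, not anything posted in the thread). In the stored Pokémon's misc substructure the origins info is a 16-bit field packed as level met (bits 0-6), game of origin (7-10), ball (11-14) and OT gender (15), and it occupies the upper half of a 32-bit word whose low bytes are the Pokérus and met-location bytes. Bit 30 of that word is therefore bit 14 of the origins field, which is bit 3 of the ball ID, so a glitch that sets bit 30 adds 8 to the ball (Nest Ball = 8). The layout is the standard Gen III one rather than something the post spells out, and the sample field values are made up.

```python
"""
Added example: pack and unpack the misc dword that holds the origins info
(standard Gen III layout, assumed here), and show which field a bit-30 flip
lands in. Sample values are constructed for illustration.
"""

POKE_BALL = 4    # ball ID in the origins field
NEST_BALL = 8    # ball ID cited in the quoted post: 0b1000


def pack_misc_dword(pokerus: int, met_location: int, level_met: int,
                    game: int, ball: int, ot_female: bool) -> int:
    """Build the first dword of the misc substructure."""
    origins = ((level_met & 0x7F)
               | (game & 0xF) << 7
               | (ball & 0xF) << 11
               | int(ot_female) << 15)
    return (pokerus & 0xFF) | (met_location & 0xFF) << 8 | origins << 16


def unpack_misc_dword(word: int) -> dict:
    """Split the dword back into its named fields."""
    origins = (word >> 16) & 0xFFFF
    return {
        "pokerus": word & 0xFF,
        "met_location": (word >> 8) & 0xFF,
        "level_met": origins & 0x7F,
        "game": (origins >> 7) & 0xF,
        "ball": (origins >> 11) & 0xF,
        "ot_female": bool((origins >> 15) & 1),
    }


def set_bit(word: int, bit: int) -> int:
    """Set one bit of a 32-bit word, the way the scrolling glitch does."""
    return word | 1 << bit


def ball_after_bit30(ball: int) -> int:
    """Ball ID that results when bit 30 is set on a dword carrying `ball`."""
    # Constructed sample: no Pokérus, met-location byte 0x20, level 5, game 3.
    word = pack_misc_dword(0, 0x20, 5, 3, ball, False)
    return unpack_misc_dword(set_bit(word, 30))["ball"]


if __name__ == "__main__":
    nest = pack_misc_dword(0, 0x20, 5, 3, NEST_BALL, False)
    print(f"Nest Ball dword {nest:#010x}, bit 30 = {(nest >> 30) & 1}")
    print(f"Poké Ball after a bit-30 set becomes ball ID {ball_after_bit30(POKE_BALL)}")
```

Setting bit 30 on a word whose ball field is the Poké Ball (4) yields ball ID 12, the Premier Ball; a word that already carries a Nest Ball has bit 30 set to begin with, which is the observation the quoted post makes.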

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-05-20 10:04:25

Alright, I have finally achieved success! Yesterday, I got my Jirachi Egg and hatched it. I cloned it and then wiped boxes 1 and 2 clean, releasing the uncorrupted Nuzleafs and erasing all the Bad Eggs. So then this morning I set up the boxes for the same with Deoxys, which succeeded after only eight tries.  ;D


Yay! I'm glad you were able to do it. :D



Discovery found by Golderzoa333 on his Twitch stream:

If you check the summary of the second Pokémon, then scroll up twice without leaving the summary (to the Decamark you sent out), you'll see a 'dark' version of your first Pokémon that may be flipped. It'll disappear after a short time, unless the game happens to lock up when it's shown.

http://i.minus.com/jAAZL60gPBdlt.png


Is that a reproducible effect? Because in some cases some Decamarks cause weird sprite glitches to occur.

http://i.imgur.com/jcyth4u.png (hosted on imgur)
e.g. this Charmander

I'll also note that in that image, it says the Pokémon is a ??????????, and No000.


Yeah, it's reproducible. Different Pokémon in the first position give different results. It says it's ??????????, and No. 000 because the new Pokémon is. The game doesn't load the Pokémon's summary all at once.

It loads the data in this order:
1)Type
2)Pokédex number, species, level, gender
3)OT, ID number, ability
4)Trainer memo data (nature and location met)

Then the 'ghost picture' disappears, the Slowpoke cry plays and the game locks up.

The screenshot above was taken early in the process, which is why its type changed to normal and its Pokédex number, species name, level and gender changed, but everything else visible about the Pokémon didn't.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: pigdevil2010
Date: 2014-05-21 07:38:54
A big discovery!

After tracing Emerald's ASLR, I finally found the address that will always lead to the correct address. The address is 03005D8C. It stores a pointer to another address. This value is changed every time ASLR is activated, to keep the CPU jumping to the correct address. If you want to locate the start position of the Pokémon in a box, just add 3E0C to this address's value! For example, if the value at address 03005D8C is 02025A30, then the data of the first Pokémon in a box will start at 0202983C.

Proof:
http://i.imgur.com/vuJcunt.png

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: TheZZAZZGlitch
Date: 2014-05-22 12:45:02
Getting closer to executing arbitrary code without a hacked save file

In case you're not following my YouTube channel, arbitrary code execution is already possible. It requires a hacked save file though. So the next natural step is to find a way to do this without any outside tools.

The first problem is the method itself. Currently, the glitched name of decamark 0x065C is used as a gateway to arbitrary code execution. Obtaining it without cheating seems currently impossible, since it crashes the game upon hatching. Therefore, a different decamark with code-executing properties is necessary.

I further investigated the arbitrary code execution glitch I found earlier, and found its exact cause. With this knowledge, I (or at least my computer) was able to create a list of all decamarks and their possible jump locations.
Thanks to this, it was easy to find a decamark with index 0x097D - its glitched summary screen executes code starting at $E118C50 (again, save data), and does not crash the game after or before hatching.

If we're talking TAS only, there are no problems left - just luck manipulation! …

…but things start to look bad if we want to do things without TASing:

  1. The save file in Generation III is split into 14 substructures, independent memory blocks. They once again have their order randomized. 9 of those blocks are PC boxes - so there's a good 64% chance that the execution will land in one of the Pokémon boxes (and Pokémon boxes are pretty easy to manipulate). Still, a legitimately playing person won't have the certainty that the glitch will always work.

  2. Well, if the arbitrary code execution worked, good luck with returning to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one-way trip.

  3. ARM processor architecture is not great for us either. Each instruction in ARM mode takes 4 bytes. So to spell out a single instruction, 4 consecutive bytes need to have their values manipulated. You think it's difficult? Well, all instructions also have to be on memory addresses divisible by 4…

I'm now trying to get rid of the first problem on the list. Maybe there's a decamark that jumps to a more predictable location, like Pokemon boxes, or Pokemon in the party?

I included the previously mentioned list in the post. It is a CSV file with the following fields:
- id: Hex identifier of a decamark.
- name_length: The length of its name (it determines if the arbitrary code execution is possible and how much RAM will be corrupted; you should not worry about this field now).
- name_offset: The GBA memory offset where the 'name' is stored.
- jump_offset: Memory location that will get executed once the summary screen is viewed. If filled with dashes ('--------') no arbitrary code execution occurs.

If someone finds a hatchable [!] decamark that executes arbitrary code from a fully predictable memory region, please let me know!
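What point 3 above costs in practice, as an added example (my code, not TheZZAZZGlitch's). Every ARM-mode instruction is a 4-byte word that must sit at a 4-byte-aligned address, so planting even one instruction means controlling four consecutive bytes at an aligned spot. The encoder below builds an ARM-mode B (branch) instruction, the natural first instruction to plant in corrupted data so that execution leaves for a region that is easier to control, and lists the four byte values that would have to be written and where. The encoding facts used are the ARMv4 ones: condition AL (0xE), opcode bits 27-24 = 1010, and a 24-bit signed word offset relative to PC+8. The addresses in the usage are made up; nothing here says which decamark or region to use.

```python
"""
Added example: encode and decode an ARM-mode unconditional branch and spell
out the aligned 4-byte write it requires. Addresses used below are
constructed, not taken from the thread.
"""


def encode_arm_branch(at: int, target: int) -> bytes:
    """Little-endian bytes of `B target` when the instruction sits at `at`."""
    if at % 4 or target % 4:
        raise ValueError("ARM-mode instruction and target must be 4-byte aligned")
    # By the time the offset is applied the pipeline has fetched two
    # instructions ahead, so the offset is relative to at + 8.
    words = (target - (at + 8)) >> 2
    if not -(1 << 23) <= words < (1 << 23):
        raise ValueError("target is beyond the +/-32 MiB reach of B")
    word = 0xEA000000 | (words & 0xFFFFFF)   # cond=AL, 1010, L=0, offset
    return word.to_bytes(4, "little")


def decode_arm_branch(at: int, insn: bytes) -> int:
    """Inverse: the target of a B instruction found at address `at`."""
    word = int.from_bytes(insn, "little")
    if (word & 0x0F000000) != 0x0A000000:
        raise ValueError("not a B instruction")
    off = word & 0xFFFFFF
    if off & 0x800000:                      # sign-extend the 24-bit field
        off -= 1 << 24
    return at + 8 + off * 4


def planned_writes(at: int, target: int) -> list[tuple[int, int]]:
    """(address, byte) pairs that must be written to plant `B target` at `at`."""
    return [(at + i, b) for i, b in enumerate(encode_arm_branch(at, target))]


if __name__ == "__main__":
    # Constructed addresses: an aligned spot in EWRAM and a target 4 KiB later.
    for addr, value in planned_writes(0x02029000, 0x0202A000):
        print(f"{addr:#010x} <- {value:#04x}")
```

Running it shows the familiar shape of the problem: four specific byte values at four consecutive addresses, the first of which must be divisible by 4. Branching to the instruction's own address gives the bytes FE FF FF EA, the idle loop that at least stops execution from running off into garbage while the rest of a payload is being set up.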

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2014-05-25 04:19:51
We're getting close to the holy grail… :D

I got my Mew via corruption of Dots with 151 HP EVs. Yet again, slot 23 of Box 2 was the one to produce this gem.

I'm pretty sure I'm not imagining things: ~20 tries for Jirachi, 8 for Deoxys and 5 for this Mew, and the only time in each of those cases when the Pokémon corrupted right, it was the one in slot 23 of Box 2. At this point, I think it's fair to say that slot 23 of Box 2 is the only slot that will corrupt the stuff correctly.

So this afternoon, I'm going to try for my Celebi, but this time I'm only going to put Dots in slot 23 of Box 2.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tsukuu
Date: 2014-05-25 07:37:21
That's amazing. :o


  2. Well, if the arbitrary code execution worked, good luck with returning to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one-way trip.


TAS talking, even if the code warped us to the Hall of Fame, the save there wouldn't "fix" it? Because otherwise, at least by TASVideos's standards, it would get rejected most likely. :(

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: luckytyphlosion
Date: 2014-05-25 08:57:37

  2. Well, if the arbitrary code execution worked, good luck with returning to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one-way trip.


What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?

On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:


I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error, as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculously long name, switched my character's gender, glitched my trainer card (upon opening it, it'd either show Glacia's sprite or freeze the game), messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg Woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.


However, all we've managed to corrupt is: Repel effect, Pokémon data, and maps. Why is it different when you switch eggs around?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: pokechu22
Date: 2014-05-25 14:15:44


  2. Well, if the arbitrary code execution worked, good luck with returning to the game though. After the destination is reached, the entire stack, interrupt flags and pointers, some IO registers, almost everything is irreversibly corrupted. Unlike the arbitrary code execution glitches in previous generations, this one is definitely a one-way trip.


What exactly would happen after corruption? What would happen if you tried to migrate Pokemon to gen 4 after corruption? Would restarting the game differ after corruption?


I might be wrong here, but the game shouldn't be changed afterwards. It just forces you to reboot the game (in some cases, it actually automatically does so!). So Pokémon and such are not going to be changed.

Wait. What happens if we tried to modify the save data through this arbitrary execution? Could we make assumptions about the current layout due to the fact that the program worked? For sure, a TAS would be able to move the player to after the Elite 4, by altering the save data. You could change the data, then reload the game. Hm…


On another note, by hatching a #000 Decamark and performing the "access pokemon beyond the sixth slot" (this needs a shorter name), since you could potentially corrupt more data (by switching pokemon), what can you possibly corrupt? I remember Pawny messing with a Ruby Save file with that glitch, saying:


I had done these experiments before, but using a caught #000 decamark though. Unlike in Emerald, they do not vanish in Ruby/Sapphire. Switching Bad Eggs got me several glitch moves with weirder effects. Another time, attempting to save the game gave a different saving error, as the adapter wasn't connected or something. But another one was like a ZZAZZ glitch: it gave me a ridiculously long name, switched my character's gender, glitched my trainer card (upon opening it, it'd either show Glacia's sprite or freeze the game), messed up the frame, and other sprite mess-ups: my character becomes an Azurill doll when using the bicycle, and in Petalburg Woods my character became the unused Fat Guy sprite.

Although I don't know what bad egg caused it, I do have the savestate with the effects and could share if anyone is curious. Sadly I doubt it'd be possible to do it just with glitching since it's triggered upon moving the bad egg into your party. Unless we manage to make the decamark show up as a selectable in Pokémon, in Ruby.


However, all we've managed to corrupt is: Repel effect, Pokémon data, and maps. Why is it different when you switch eggs around?


I'm going to note that the effects there have been found in FireRed by me. In this case, it was a glitched TM name causing overflow. I'm guessing that some string was broken (it could have been an ability, or a species name), and caused such an effect. Actually, looking at that, it mentions glitched moves. So it is very likely that one of the moves did it.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2014-05-26 09:27:41
the "access pokemon beyond the sixth slot" (this needs a shorter name)


I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-05-26 11:21:51

the "access pokemon beyond the sixth slot" (this needs a shorter name)


I sometimes used to refer to it as the hidden team glitch.

The process of scrolling to change various aspects of the game could simply be called the 'corruption glitch'. (As well as 'Glitzer Popping' being one sub-heading.  :))


I think that's a cool name. When updating the Bad Egg wiki page, I referred to the scrolling glitch as the 'Generation III bit set glitch', but I said it's also called Glitzer Popping.

Two other changes I made are Trainer Ledge/Fence Collision glitch to Amazing Trainers, akin to Amazing Man (because it sounds nicer and easier to read, and a tuber can walk through a wall), and Zero Error to Walking lag glitch (because the page actually describes something different).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: luckytyphlosion
Date: 2014-05-26 15:39:15
One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2014-05-26 16:52:14

One thing I noticed with a poisoned Bad EGG (to avoid whiting out, revive a Pokemon), after going below 0 HP, the game stops movement every 4 steps.

I always thought of it as the "Bad EGG corruption glitch"


This is the same with a normal Egg if you get it poisoned via the standard Pomeg glitch.

If you have Sacred Ash with you (I got mine from XD: Gale of Darkness), you can also revive any fainted Eggs/Bad Eggs you have in this way.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2014-05-27 12:55:44
Does anyone know what glitch moves with long names do in contests?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2014-05-27 13:46:42
I spent an hour today testing stuff out in XD: Gale of Darkness. But jeez, that game is one heck of a glitch-proof fortress.

All of my corrupted hatched stuff (Deoxys, Jirachi, Mew, Ho-Oh and a glitchy Caterpie) would not show up at all in the trading menu. A blank space was shown in its slot instead, which could not be interacted with.

Glitchy markings were erased when sent to XD: GoD, and my Sneasel with the name "Sne[down arrow]sel" was renamed "Snesel" when traded over.

XD: Gale of Darkness's GameCube vs. Game Boy battle system is even more impenetrable. My Jirachi, Deoxys, etc. (even Caterpie) showed up as Bad Eggs on the battle selection screen, and Pokémon with glitch moves were unable to fight.

So XD: Gale of Darkness will not allow:

-Glitch moves to show up in battle
-Glitch moves to be used in GCN v GBA battles
-'Hacked' (or Pokémon suspected of being hacked) to be traded
-Pokémon with ?35 HP to remain at this health quantity
-Glitch markings to have any effect
-Bad Eggs
-Glitchy names

This game is the ultimate glitcher's cockblock, my friends.


Does anyone know what glitch moves with long names do in contests?


I've tested 5, and all of them have frozen the game.

There is apparently some potential here (look up 'Cool Move' to see what I mean), but it could be a while until something concrete is found.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-05-27 20:29:15
So I transferred my Mewtwo into Gen IV and the location stated it was from ---------- instead of Hoenn.