Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 22

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-06-26 15:30:48
Yup, it can, but it has no use.
Almost every element of Pokemon Emerald that uses data can be altered, as addresses for PC Pokemon are among the last ones on the RAM.
But because of the nature of the glitch ; on certain bytes, Bit N°6 or Bits N°0 and 2 are set to 1, doing this on a number whose value is between 0 and 2^16 - 1 (stored in two bytes) has no clear use, as you will only know that two (or one) bits of this number are set to 1, and that's all.
So for numbers, the only useful ones are Money, Identifiers (for items or Pokemon), and quantities (for items), as corrupting Feebas tiles, or your number of Random Encountered Pokemon won't be of any help at all, since it has no effect, or since you cannot use this corruption to determine the value, and make something out of this knowledge.

The fact that one bit is set to 1 or not is useful for events, whose state only depends on a list of bits called flags.
And by testing (or knowing) which event is linked to the flags that are stored in Bits 0,2, and 6 of every Byte (only the ones that are linked to events), we would know the maximal influence we could manually have on the game.

After that, you have basically a 1/16 chance that the byte you wanted to alter is altered (the space between each corruption doesn't seem regular, but it's at least 16 bytes between each corruption), and you would also need the right corruption between the two possible.
Knowing the address of the byte you want to corrupt gives you a timing to respect each reset, so corrupting a certain byte does seem doable.

So the data I'm searching in is : Badges, Symbols, Fly locations, Special events, Legendaries availability, story events, Last Pkmn Center visited.

The first ones were easy to see, but for the last ones, story events, and Last Pkmn Center, I haven't completed my search on them, as I made myself another couple of boxes of Bubble Relicanth, to see (and play with) Eggs.

I haven't read the posts about item corruption yet, but corrupting money, filling Bag slots with 99 of a certain item, and waiting for an identifier corruption seems a good option (for Rare Candy especially, whose identifier is 0x44, and the item with a 0x04 identifier is the Poké Ball) (for MysticTicket, it's TM18, and Old Sea Map, it's TM24).
It is also possible to corrupt the Battle Pyramid Bag (corrupting the quantities would be great), but since you have to enter back to see the effects of your corruption, it's not reliable at all.

And as for the normal Eggs I've obtained, none of them were on the 23rd spot, box 2.

So to recap on what I tried :

Useful :
-Badges : 8th Badge (0x02026D7C)
-Fly Location : Ever Grande City (without Pkmn League) (0x02026D7E)
-Special Islands :
Navel Rock and Faraway Island unlocks (need the Tickets) (0x02026D8C)
Southern Island event (0x02026E1A)
-Contests : Master Contest Wins (may add a Trainer Card Star) (0x02028998)
-Altering Cave : Aipom (0x02026E18)
-Other events :
2nd Gen Starters at Birch Lab (0x02026F42)
Putting Latios in Southern Island (0x02026F46)
-PC and Bag items and quantities (0x02025E98)

Non useful :
-Fix Pokemon :
Losing Castform, Kyogre, or Rayquaza
-Chances of corrupting TM/HM Bag
-Lots of tiny things that won't be of any use

Non tested :
Story events
Last Pkmn Center visited

I also didn't measure the time needed to go at these addresses, but since I know where they are, this won't be hard to do.

I confused myself a little bit with Aurora and Faraway Island, and the TM identifiers, and I also tested the bits.
So if these bits can be corrupted with the Pomeg Glitch, Navel Rock and Faraway Island will be accessible if you have the Maps in your bag. And these Maps can be obtained by corrupting TMs 18 (Rain Dance, 0x132) and 24 (Thunderbolt, 0x178).

EDIT 2 :
voltage, I have a question for you.
I've tried numerous times to alter the bytes linked to Faraway Island and Navel Rock, but I've encountered some kind of issue ; only half of the bytes seem to be able to be corrupted, and these bytes are the left bytes of every word when I use VBA's Memory Viewer in 16-bits, as you can see here :


The strange fact is that the Mystery Card flag is on a byte at the right of a word, so I can't reach it.
But voltage was able to do it. So I'd like to know how you did the glitch, as I don't seem to be able to change the fact that I can only corrupt "left" bytes, and not the right ones.
And this annoys me, because the main things I wanted to change were bits on "right" bytes, like item identifiers or these particular bits (I won't be able to alter some other useful bits as well).

Maybe this can't be done on emulator, my version of VBA is at fault, or my save (I have a somewhat strange save regarding RNG), I really don't know, but I'm glad that someone else was able to perform it ; at least it's doable.

For those who want to try, I gave myself the Old Sea Map, and the MysticTicket, so I'm only checking if the bits unlocking the islands can be altered. To attain the 0x02026D8A area, you have to go up for 14 seconds.
The Delivery Man bit for Eon Ticket is in the same area, so it may be altered as well.

EDIT 3 :
That may sound stupid, but I didn't check how far I could go with the glitch, and I saw VBA freezing just after the area managing the events (around 0x02026CD2), which is under the Bag and PC data.

Is there a way to go further ?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-06-26 20:32:02
I'm sorry I'm new at this, but I've been messing around with this Glitch in Emerald for the hell of it.

So far I've noticed:

- Glitch Nicknames
- Glitched Markers
- Egg Named Teddiursa (I assume that it's a pokemon that got changed into a good egg which hatched into a Meganium)
- decamark bag eggs (you can battle with them but fight freezes the game?)

Trainer Card:
- Modified Money (Goes from 999849 -> 499849) I'm assuming some bit is flipped. I have a BCS but this isn't a strong suit of mine
- Modified Linked Contest Wins (set to 999)
- BP
- Linked Battle Wins
- Game Time (999:28)

(Can we assume anything that can be modified in the Trainer Card can be modified?)

- Random item quantities in bag and pc are changed

If you press up enough you'll get pokemon in your boxes for a status screen. That's what all of the decamarks / bad eggs are near the end (and possibly why it's easier to see those status screens)

I should really start my own Emerald file to see more effects. This save has a bunch of crap in it.

Glitched Nickname on Abra:

Glitched Marks on a Bad Egg


Glitched Meganium crashed the screen because it had some glitched moves (froze after this)

Bag Quantities

Battle Points

Will edit with more stuff.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-06-27 00:23:37
@Metarkrai: I'm actually unsure partly because I don't know which attempt activated that flag.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-06-27 06:01:48
I made more attempts to try to go at the highest corruptible address, and now I think I know why my game froze in the flag area, and not higher.
And I think that's because I'm French, and my Rom too, as I tested the glitch on a US Rom, and the game froze higher than the PC items area.

Here's a comparative video I made of the glitch between FR and US roms :

In the French Rom, the cry of the ? Pokemon is Electrike's, whereas in the US Rom, it's Slowpoke's.

This surprised me because US and EU Emerald Roms have only few differences (they have nearly no differences between RAM addresses, but if I remember correctly, some ROM addresses are different), so I don't see why US Emerald can go further than EU Emerald.

But due to my exams, I don't have the time to transfer my save to my cartridge, and test it on console (maybe the difference will disappear, and I'll be able to corrupt my bag on my FR Version).

Also, even on an US Rom, the corrupted bytes I had were the left ones in every word, and I don't see what could change this fact.
I'm just using a basic US Emerald with VBA, and no cheats activated (the Anti-DMA prevents RAM addresses from moving, and will give you a single corruption pattern, so it's not useful at all).

So if someone can corrupt the right-word bytes, and repeat this, I would need to know how you did the glitch, because the right-word bytes are the most interesting ones for event / item corruption.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-06-27 07:50:14
Did you guys know you don't need to actually go into the status screen for this to work? I was looking at the memory viewer and data was being changed as I scrolled up.

So I chained this a few times and it seems that.

- Pokemon modified are the first 53 Pokemon in your boxes (54th is always blank / removed?)
- You can scroll up higher after each time running this which possibly (?) allows you to modify other things.
- One time, I removed wild encounters (so you couldn't find any wild pokemon).
- I also was able to change the Trainer's name.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-06-27 08:35:14
Yes, but in order to access cursor positions FF and up you need to view the summary of one of your party Pokémon first.

Edit: At least with 5 Pokémon/2 Pokémon set ups.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-06-27 08:49:51
I'm sorry, but I don't understand what you're saying by "don't need to go into the status screen" ?
Because if I don't see the status screen during the battle, I can't glitch the Cancel button, and corrupt data by scrolling up.

I also didn't understand very well your idea of scrolling higher by doing something, as every time I perform the glitch, the game freezes just after 0x020256F8 (the last area where I see corrupted data).
And the main data for the save file is between this address and PC Pokemon data, so nearly every mechanism can be altered.

For your wild encounter removal, I think that you corrupted Repel steps, leaving it activated for 1280 or 16384 steps, as the step counter used in AR codes to remove them is located at 0x020375D4, which is far too high, and corrupting it does nothing.
There's maybe another value that can prevent encounters under certain conditions, but I would rather bet on Repel activation.

You can also alter Swarms data (around 0x02028590 once the mass outbreak is seen), as Swarms Pokemon are oddly generated ; instead of a fixed list of swarm Pokemon, one can choose (via memory viewer) the Pokemon, its level, its location, its %, some other things (maybe), and its moves.
So the moves addresses can be corrupted, giving glitched moves to the Pokemon (I tested some corrupted Pokemon identifiers, but the game freezes at the start of the battle) (if the location is corrupted, the Swarm won't show up anywhere).

AR codes for Swarms :
You will need to activate the Anti-DMA first, and go through a door, before activating the code.
Don't forget to deactivate it before glitching again. (Disable it, Click on Disable Cheats, Save, Close VBA, then open it up and launch everything, that'll surely deactivate the Anti-DMA)

Skitty Swarm : (Push R to see the Mass Outbreak)

Seedot Swarm : (Push R to see the Mass Outbreak)

Remove the Swarm (Push L+R) :
B6C5368A 08BE8FF4

Kraust :
I confirm, the thing that removed wild encounters was the Repel. So taking a Sweet Scent Pokemon would be a good idea for someone who wants to corrupt events / Bag items / Pc items.

EDIT 2 :
I found a way to corrupt FR games as far as US games. To do this, you need to set up the glitch with 3,4 or 5 Pokemon ( 1 with ?35 HP, 1,2, or 3 KOs , 1 alive), and not 6 Pokemon.
I don't know why, but with the 6 Pokemon set up, FR games will freeze earlier.
So that's good, I can at least corrupt up to items with my FR Emerald.

But, looking again at the corrupted bytes, I saw that not only they were the left bytes of every word (with 16-bits Memory Viewer), but the left bytes of every double word (with 32-bits memory viewer).
I made a dozen of consecutive corruptions, and all the corrupted bytes were the left ones of every word (I did it with both FR and US roms).

Here's the comparison between uncorrupted file and corrupted file :

So, as the addresses tend to move, and as there seems to be 32 different sets of positions (I looked at the 10 byte of the left Memory Viewer screen and made ~200 in and outs of the Pokemon Center to see all the different positions it could have), and as each set will give a certain corruption on certain addresses, there would only be 32 different corruption patterns. (on emulator at least)
This hypothesis goes well with what I saw with my boxes of Bad Eggs, as with a certain set of guinea pigs, I always saw (and remembered) 4-5 corruption patterns in the Boxes that appeared frequently.

The sad thing is that with left byte corruption only, no Bag or PC item can be corrupted (only quantities), and there will (maybe) be really few useful events that will be able to be corrupted. About the ones that I listed previously, Special Islands Events, Altering Cave and Badges aren't compatible, but the Fly Location towards Ever Grande is.
For Swarms, only two moves can be corrupted.
Berry bushes can't be corrupted.

But this shouldn't be true for everyone, as voltage had corrupted its Mystery Event Delivery, so the mystery is still on (I'd really like to obtain a completely legit Old Sea Map and go fight Mew on my Emerald).

There's also a memory area managing climate that makes the game freeze if we enter into a zone with a certain climate (it froze on Route 123 for me) while it's corrupted. I'll try to find where this area is.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-06-27 11:11:20

Yes, but in order to access cursor positions FF and up you need to view the summary of one of your party Pokémon first.

Edit: At least with 5 Pokémon/2 Pokémon set ups.

Sorry, I wasn't specific enough. After you activate this and get the half lit cancel button you can just scroll up and you don't need to view any more status screens to change anything.
(Which probably isn't new, but it was new to me).

Completely Related, I just spawned here after whiting out:

So that confirms you can actually change the spawn location with this.

(I'm uploading a video right now)

I have no issues corrupting above 0x020256F8 after doing it a few times.
My method:

1. Activate the requirements for getting this glitch to work.
2. Get into a wild battle
3. Go check a status screen to activate the glitch
4. Go down to the half lit button
5. Press up for a while (right until it freezes usually)
4. Back out + Run (White out)

I then repeat 2-4 a few times without resetting my game -usually- after the 3-4th time I can go up almost indefinitely. I'm not sure how far up things change but


I do have stuff above 0x020256F8 changing.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-06-27 12:42:58
Well, Kraust, thanks to your question and to Torchickens' answer, I know what made my game freeze during the corruption process.
It's the number of Pokemon in the team.
On a FR (or EU I think) rom, if you have 5 Pokes (6 at the start of the glitch), your game will freeze around 0x02026CD2
Else, it will freeze around 0x020256F8

On an US rom, if you have 5 Pokes (6 at the start of the glitch), your game will freeze around 0x020256F8
Else, it will not freeze (I used the acceleration, but no freeze showed up).
And the corruption shows up around 0x , then I don't see any trace of it, even if I can still go up.

I also found the addresses which manage the respawning location :
They are : 0x02025A22 (entrance on the map) and 0x02025A1C (map)
But, as only 0x02025A22 is on the left side of a double word, it is generally the only one that's corrupted.
And as there is 10-20 entrances on a single map, the entrance 0x40xx or 0x05xx sends us far away in the spawning map.

But, as corruption can only change one bit on a word / double word (if it is corrupted), we can't warp to everything.
Here are some Map IDs that could help for warping, if one is able to corrupt other bytes than the left one of every double word.

Oldale Town : 0A00 (would send to Pacifidlog)
Pacifidlog : 0F00
Fallarbor Town : 0D00 (would send to Ever Grande, League Pokemon side)
Ever Grande City : 0800

I tested all the possible warp corruptions, and only these two are useful for a speedrun. There are few others that teleport to some Battle Tents, but that doesn't help, and the majority of the warps send you in a black wall.

I even fell on a Shiny Latios during my tests, and the capture was amazing !
This dude resisted at every one of my 502 Balls, and I was forced to throw a Master Ball to catch it !


I also saw that my Timer Balls didn't seem to function (it always got out of them instantly, and I had 62 of them), so maybe after a certain amount of turns, their catch rate becomes undefined (when I used them, the battle was already over 1.000 turns).
If anyone has information about this fact, I'm interested, as I counted on them and their high catch rate to be sure to not throw the Master Ball, so I was a little bit trolled on that part.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: rortik
Date: 2014-06-28 22:37:16

Yeah, the current experience is compatible.


Sad that the glitch isn't working for you.

Edit: Wait. I may have done something wrong in thinking that the experience affects it. The change is from AGME to MEAG. We want the Horsea to become a valid Egg, so what goes into "IVs, Egg and Ability" may affect it (attack data as it's A->M).

According to Bulbapedia it's bit 30 (when considering the first bit as bit 0) that determines whether a Pokémon is an Egg or not. Follow the conversion and Move 3/Move 4 become IVs, Egg and Ability data. I think then that the second byte of move 4 affects things. Mine is Smokescreen (00 6C), so the second byte is either 00 or 6C depending on how moves are stored, what's yours?

Edit 2: Eh, maybe the move doesn't matter. I tried some different move 4s and still got an Egg. If you give me your full Horsea move details I could check to make sure, though.

I'll give you all the information on it:

Swift Swim
Brave Nature, obtained in a trade.
Male, level 36
48262 XP, 2391 until next LEVEL

Moves, in order:
Water Gun

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-06-29 10:28:57
It should work eventually. Don't know why it's not working for you.

You might just be really unlucky. I'm sorry to be of no help, but all I can suggest is to keep trying (without reloading a state from within battle), make sure your Seasors actually have EVs, make sure they were never corrupted before, and try as many as possible, with one in that spot that seems to be the only one that works so far (slot 23 of box 2).

I have a question for anyone experienced with how Pokémon Emerald works:

Is it possible for the first (technically last) byte of a writable personality value to never be writable after a certain point? Because Metarkrai describes a problem where only the leftmost byte of a word (possibly the first byte of a dword) is writable.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-06-29 15:04:49
Torchickens : I don't think this fact (only the leftmost byte of a double word is corruptible) can be changed on emulator.
It's maybe different on cartridge, there's no evidence of the corruption of another byte from what I read.

I first thought that voltage Eon Event Activation was a counter-example, but I was wrong, as any change to the word 0x02026E1A (or the left part of the double byte 0x02026E18) causes the appearance of the delivery guy (I first thought that there was a flag, so I only tested 0001 to see if he would appear, but it doesn't seem to work like that).

You can, for example, look at Kraust's Memory Viewer, and you'll see that every corrupted byte (the ones with the 4 and 5 in general) are all the left ones of an even row, so the leftmost ones of a double word.

Also, every change brought to the in game events, data, or items goes along with this idea.
For example, I didn't see any corrupted bag item, nor a corrupted respawn map location (only the position was corrupted, but not the map).
For the records corruption, it's either a quantity higher than 65.535, or 16.384, or 1280 (16.384 and 1280 will appear for certain records only, like BP if I remember correctly), as records are almost all stored in double words, and are not affected by the encryption mainly used for bag items quantities (the encryption removes with the Anti-DMA).
The only fly location that was removed was Ever Grande City's.

I don't know what this fact implies to the Pokemon's data corruption, but it's really limiting the possible abuse of this glitch for a run.
The useful things left are : unlocking Ever Grande flying location, corrupting bag item quantities (good for Master Ball / Rare Candy abuse), unlocking Southern Island Event, unlocking 8th badge, corrupting the Swarm moves to have glitch moves, corrupting Money and records (BP especially).

There may be some story events that could be skipped thanks to the glitch, but here's only the useful things left from what I searched.
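
The "leftmost byte of every double word" pattern discussed in the posts above can be written down as a small model; this is an added example, not part of the original thread and not code from any of the posters. It assumes the corruption ORs 0x40 or 0x05 into one byte, that only bytes at `addr % 4 == 3` are ever hit, and that the quoted addresses are little-endian 16-bit words (the function names are hypothetical).

```python
# Added example: a model of the corruption pattern described in this thread.
# Assumptions (not taken from the game's code): the glitch ORs 0x40 or 0x05
# into a byte, and only bytes shown leftmost in a 32-bit memory view are hit.

MASKS = (0x40, 0x05)  # bit 6, or bits 0 and 2, as reported in the thread

# Addresses quoted in the thread, treated here as 16-bit little-endian words.
THREAD_WORDS = {
    "8th Badge": 0x02026D7C,
    "Fly: Ever Grande City": 0x02026D7E,
    "Navel Rock / Faraway Island": 0x02026D8C,
    "Altering Cave": 0x02026E18,
    "Southern Island event": 0x02026E1A,
    "Respawn map": 0x02025A1C,
    "Respawn entrance": 0x02025A22,
}


def is_left_byte(addr):
    """The GBA is little-endian, so the leftmost byte of a 32-bit cell in a
    memory viewer is the one at the highest address: addr % 4 == 3."""
    return addr % 4 == 3


def field_outcomes(addr, width, value):
    """Values a `width`-byte little-endian field at `addr` holding `value`
    can take after one corruption. Empty list: the field cannot change."""
    raw = value.to_bytes(width, "little")
    results = set()
    for offset in range(width):
        if not is_left_byte(addr + offset):
            continue  # this byte is never touched under the assumed pattern
        for mask in MASKS:
            changed = bytearray(raw)
            changed[offset] |= mask
            results.add(int.from_bytes(changed, "little"))
    results.discard(value)  # bits were already set: no visible change
    return sorted(results)


def reachable_words():
    """Which of the thread's 16-bit words contain a corruptible byte."""
    return {name: bool(field_outcomes(addr, 2, 0))
            for name, addr in THREAD_WORDS.items()}


if __name__ == "__main__":
    for name, hit in reachable_words().items():
        print(f"{name:30s} {'reachable' if hit else 'not reachable'}")
    # A 16-bit value in the upper half of a double word (constructed value 0).
    print(field_outcomes(0x02025A22, 2, 0))
    # A 16-bit ID assumed to sit in the lower half: 0x0004 cannot become 0x0044.
    print(field_outcomes(0x02025E98, 2, 0x0004))
    # A 32-bit record at a constructed aligned address.
    print(field_outcomes(0x02025A20, 4, 0))
```

Under these assumptions a zeroed 16-bit value in the upper half of a double word can only become 1280 or 16384, the two figures reported for Repel steps and some records, while a 16-bit value in the lower half never changes.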

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-06-29 15:14:02
I haven't seen it corrupt the right part of the word yet. Typically it corrupts the left byte with a 4 or the right with a 5.

The question is where is the value coming from? If we find that out, I think we'd have a better shot at triggering certain effects.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: werster
Date: 2014-06-29 20:42:05
Kraust: Are you sure that was actually a warp and not just a tile error? I had the same thing happen several times but with trees, but if I activated Walk through walls and walked out I actually was in the right spot, the tiles on screen when I appeared there were just messed up.

Metarkrai: Good to see someone still putting in work into this glitch. I'll admit I don't 100% understand everything (I'm dumb) but from what I can see a speedrun would ideally go something like:

Pomeg as soon as you get to Fortree, corrupt swarm Pokemon's moves but not location to give a glitch move resulting in Instant victory.
Also do a corruption that changes the Fly location of Ever Grande to available (is it possible to switch this on? I've had it switch off before but never seen it go on)
Also have a corruption flag Badge 8
Power through to badges 6 & 7 with glitch move, and then Fly to Ever Grande, and power through endgame with glitch moved Pokemon from Swarm.

Maybe?? I don't know how any of that would be even remotely consistent at all but it looks like the best "theory" at the moment??

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-06-29 21:06:08
Well 0x02025A22 seems to be corrupted (well it's around 0x02025A22 memory seems to jump around in the dump) I'm assuming it's the entrance tile but you guys had the issue with spawning in a bunch of tree tiles before (how did you tell you weren't spawning in a wall?)

The spawning in trees did happen when I tried to run this glitch from Fortree as far as I remember. I'll look into it.