Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 25

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-07-09 17:10:19

I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed


I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures article and also see this.

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2014-07-09 21:00:11


I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed


I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures article and also see this.

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).


I feel like it would be easier to Glitzer a pokemon with set EVs / IVs or Contest Stats based upon giving a Pokemon specific moves and swapping Attacks with those two substructures.

It would also be cool to see if you could do this to enable the obedience bit for Mew / Deoxys and get a "legit" one into Gen IV

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: FroggestSpirit
Date: 2014-07-09 23:56:07
If I understand this correctly, this should work with the traded plusle…
EAMG->AGME
-attack 1 becomes the species, maybe a held item too (leichi berry)
-PP up bonuses, friendship, (hopefully unknown is 0?) will set some contest stats, maxing 2, and setting feel to 0
-EV's can be manipulated to set a few moves, making contests easier to win.

After all is said and done, I can rid of the illegal moves and keep the ribbons won….

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-07-10 06:49:51

If I understand this correctly, this should work with the traded plusle…
EAMG->AGME
-attack 1 becomes the species, maybe a held item too (leichi berry)
-PP up bonuses, friendship, (hopefully unknown is 0?) will set some contest stats, maxing 2, and setting feel to 0
-EV's can be manipulated to set a few moves, making contests easier to win.

After all is said and done, I can rid of the illegal moves and keep the ribbons won….


That sounds like a good idea, but it does seem like the contest stats are wiped. I gave Pluses max happiness (255) with A-Save but it didn't max out the Smartness stat after I corrupted it and it hatched (as Krabby because its first attack was Quick Attack), unless I need to be trying another value.

I couldn't check the stats directly with A-Save because it thinks my Krabby is a Bad Egg even though it isn't and I'm not confident enough with checking the stats with memory viewer.

Edit: Yes, the conditions are indeed wiped after the Egg hatches, but this is what it would look like with 255 happiness. (You normally can't view an Egg's summary, but I changed the personality value in the middle of the menu)

[img]http://i.minus.com/jhKmwS5a4atpl.png[/img]

Lower the happiness and the Smartness stat decreases. I don't know what controls the Beauty. I thought it was the last experience byte, but changing the experience to have FF at the end wouldn't work. Furthermore, the most significant byte would be 00 for my Pluses, but I still had a Beauty stat.




I'm a bit new to this glitch, but I was wondering how plausible it would be to corrupt a pokemon to have max contest stats (or maybe pokeblocks). Would it also be possible to corrupt ribbons onto a pokemon? Where can I look into this? I can analyze some addresses if needed


I think EVs and contest conditions as well as ribbons get wiped when the Pokémon hatches, but I may be wrong.

To start at looking into your own tricks, it's best to refer to the Bulbapedia Pokémon data substructures article and also see this.

An easier way to test things than doing the glitch is to manually change the personality value stored at 0x020244EC (for the first party Pokémon), because this glitch either adds bit 0 and bit 2 (+05) or bit 6 (+40).


I feel like it would be easier to Glitzer a pokemon with set EVs / IVs or Contest Stats based upon giving a Pokemon specific moves and swapping Attacks with those two substructures.

It would also be cool to see if you could do this to enable the obedience bit for Mew / Deoxys and get a "legit" one into Gen IV


Not sure if you misunderstood me. I linked to my post (a list of Pokémon with constant personality values, substructure orders and order changes) so you could look into doing something like that (putting a value into EVs & Condition). I wasn't proposing a completely new method.

For attacks into contest stats, it would work like this:

Move 4 -> Coolness and Beauty
PP 1 -> Cuteness
PP 2 -> Smartness
PP 3 -> Toughness
PP 4 -> Feel

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: FroggestSpirit
Date: 2014-07-10 17:02:09
I got a bad egg with move ID 0x0556 (this is possibly incorrect due to encryption) I believe it was a corrupt thunderwave with 0/2 bits being set. This changes the battle type after being viewed, so that pressing the B button immediately ends the battle. This was done on real hardware, and thought it's worth mentioning for speedrunners

EDIT: After looking in an emulator, I want to say that the set bits are affected by the surrounding bytes. As for my pokemon, I'm not sure how practical it would be, seen as how if the PID is changed to change the sub-structure order, the Encryption for the pokemon will change aswell (unless I'm overlooking something) That being said.. the same bits would have to be applied to not only the PID, but the TID for the pokemon aswell (and if the set bits are affected by surrounding bytes, there may be a better way to manipulate this) Are the daycare parents easy to manipulate?

EDIT 2: I think I finally understand it now. The (only reliable) way for the corruption to prodoce something other than a bad egg, is if it's PID's most significant byte has it's 6th bit set. The corrupted bits appear to be about every 44 bytes, and alternate between setting bit 6, and bits 0/2. The reason that people get stuff that doesnt add up, is because the encryption key for the pokemon's data changes when the PID is affected. If what I said above were to happen, it should allow it to pass the checksum check, even though the data will be altered because of the encryption key changing (every 4 bytes should change). This would also make sense as to why it sets everything into an "in egg status" which I theorize that filling a box with "good" eggs to corrupt will xor the flag back to "hatched".

an example could be PID of 0x0000006F (plusle) and the corruption would have to be 0x4000006F. Even though this changes the encryption key after XORing it with the TID, it will still add up correctly in the checksum due to the bytes overflowing.

Edit 3:The thought crossed my mind of corrupting 2 times, if we can corrupt the same byte of the PID as the TID, then the encryption key would remain the same. Hitting the right byte could be determined by a nickname corruption on neighboring pokemon thanks to the "stair pattern in the box" (It should be about an 8 byte offset, since corruption is about every 44 bytes, and a pokemon in the box is 80)

EDIT 4:Apparently, the bytes that get corrupted are aligned, so the only byte of the PID that can be corrupted is the Most Significant Byte… this is very limiting. Also, with my above method with corrupting 2 times, it needs to be set up where the Pokemon wont have it's encrypted data altered during both corruptions (and dont even hover over it in the box, I think that changes a byte of experience) Though it is possible, as testing with memory editing gave me good results

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Zklosty
Date: 2014-07-23 23:43:27
I found a cool little graphical glitch using the Pokenav and looking at a pokemon's corrupted name in the status menu. I don't know how this happened, but it is noteworthy (sorry for crude pictures, I did this on cartridge w/o capture card)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-07-25 13:56:22
Froggestspirit :
So yeah, you found the same thing : only the leftmost byte of every double word can be corrupted, which restrains the possible corruptions.




By making an explanative video about the glitch (for french people), I worked on item corruption, and found a safe way to do it, without losing TM/HM & Berry pouches.

Due to the fact that TM/HMs and Berries are behind other Bag items, you can't try an accurate corruption (counting every "Up" action) to alter Balls / Consumables quantities only.

You have only 1/8 chance to not corrupt these pouches if you try to corrupt item quantities. Also, when it happens, only PC items quantities will be corrupted (any PC item quantity can be corrupted though).

So, the only choice is deposing lots of rare items (Rare Candy, Master Ball, Nugget,…) into the PC, and corrupt until the Pouches don't get corrupted.

There are some bytes near TM/HMs and Berries (below or above each section, I don't know) that will "hide" their content if they aren't set to 0.
However, since these bytes are in the item area, they are "crypted" by the DMA, who changes the numeration based on a random value which is generated after certain actions (making a battle, passing through a door, closing the bag,…).
Thus, the "crypted" value of these bytes can be anything (but all the bytes that are affected by this, and would originally hold the same value, 0 here, will have the same encryption everytime), and since the corruption patterns can affect 1 or 2 bits (3 different in total), you have 1/8 chance that the crypted value would be a value unaffected by the corruption, leaving TM/HMs and Berry pouches unaltered.

Also, since only the leftmost bytes are affected, even if this crypted value is a little different for items, (since the original value would be 2, 15, or 8 for example), in most of the time, this difference won't be enough to change the left bytes of the words storing items quantities.


Since I find my post really messy, and I don't know how to explain this fact in a more easier way, here's pictures to help me :

[img]http://www.pixenli.com/images/1406/1406313924060339600.png[/img]

This is a picture of Bag Items with Anti-DMA, so you can clearly see quantities (even columns), and items (odd columns).
The order of the pouches seen is : Items,  Rare Items, Balls (with lots of 0063 as I used a cheat code), TMs/HMs (with also lots of 0063 as I cheated too).

PC items are higher, and Berries are lower.

[img]http://www.pixenli.com/images/1406/1406313947052133300.png[/img]

And these are two pictures of the same area, without Anti-DMA.
You can notice the "encryption" value (I don't know its real name, so I refer it as an encryption value) that alters the value of the bytes holding the quantities.

On the left picture, this value is 3B15, so it can be corrupted into 7B15, and corruption would glitch TM/HM / Berry pouches.
On the right picture, this value is DF02, so it can't be corrupted.



Also, you can notice that even with high quantities, the crypted words for quantites have a left byte that is still 3B or DF, so it also won't change.
With an item quantity of n, we would have n/256 chances that the encryption value will be high enough to make the left byte change, allowing a possible corruption for this byte only, if it already was a "non-corruptible" byte (1/8 chance for that to happen).
Also, since the rightmost bit of a "non-corruptible byte" would be set to 1 (else it would be corruptible), if the byte's value is raised by one, it will become corruptible with a  "0 & 2 bits" corruption.
So if you already have 50 or more of some items, you have decent chances to corrput their quantities safely, along with PC items quantities.
So it's more beneficial to have your main stock in your bag, and only 1 or 2 exemplaries of some rare items in the PC, to increase your chances of corrupting the items you want.


EDIT :
If you're interested, and understand French here's my video about the Pomeg Corruption Glitch :
https://www.youtube.com/watch?v=0GCwqd-oSyI
It's in French, and deals with Pokemon corruption (obtain any Pokemon, even glitch ones, as well as Pokerus, and several glitch moves + Reverse Cloning Trick), and Item / Events Corruption (Bag, Records, Southern Island, Ever Grande Fly Location, and the small issues that have to be looked out for).
Since I'm mostly showing and brievly explaining, it may not be really useful, but if you have time to lose, and want to hear my scrappy explanations (If you have comments about my comments, I'd really like to hear them to improve the video).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: FroggestSpirit
Date: 2014-07-28 11:27:51
I don't know french, but I did manage to get that Stantler I wanted. I had to corrupt a wailmer with a very specific PID 2 times correctly (so I had to use an emulator and savestates) but it ended up giving it Sacred Fire (because of my held item choice) and a glitch move. I used the daycare to rid of the glitch move (swapped it to first slot in battle). The stantler has high contest stats, and low feel, so i can hopefully max them out from there. It was also holding a leichi berry. Took a lot of calculations, but I feel it was worth it.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-07-28 17:12:23
FroggestSpirit :
Wow, what a great idea.

It gives a new method that's faster than a 70x256 hatching Egg.
Also, we can get an item, ribbons, and contest stats out of it, which is pretty interesting.

I've tried it on a corruptible Acid Armor Smeargle (0 EVs, no item) that I had, and it gave me a Lv 0 Mew, with 7 Ribbons, no contest stats, holding a Sacred Ash, and with 4 Glitch Moves.

I'd really like to know what data determined the Lv, ribbons, held item, contest stats, and moves, as I don't see where they are coming from.

I tried some trick to avoid DayCare : Replace a Glitch Move by a TM by quickly going to the Contest Page when Moves appear.
But with 4 Glitch Moves, the game froze before reaching the Page.

So I put my Mew into Daycare until it reached Lv 11 (I'm lazy to leave it to the Daycare since I still haven't searched for the adresses holding the amount of experience given at Daycare), and tried my TM trick again.
I was able to reach the Contest page, and to replace a Glitch Move by a TM.

But then, I got a big graphical glitch, that you can see here : https://www.youtube.com/watch?v=yuUmjhYTumo
I already had one on my Fire Red version, while attempting to do the same thing : https://www.youtube.com/watch?v=X5CnkniQbUc

The color palette changes, and the changes occur when the music freezes.
On the Memory Viewer, the values are going crazy.
And about 1 min later, the game crashes.

I tested a little bit, and it appears that only certain glitch moves make the game freeze like this, as the game can't handle the move's name (or something linked to the move) when it tells you it's deleted.
The other Glitch Move my Mew had didn't pose any problem when replaced (except the long glitchy name).

So yeah, Daycare is the best way to remove Glitch Moves.




Apart from that, I focused on held item corruption to see if I could obtain some cool items with Pomeg Glitch.
So I modified my Seedot Swarm to give them Trick in 1st Move, with a 100% appearance rate.
I gave some of them a Master Ball, with an identifiant of 0x0001, and TM 01, with an identifiant of 0x0121.

Once the items corrupted, I went to fight Numels, and caught them, to see what was the item identifiant.

With Master Ball, I got items 0x0101 (Green Scarf), and 0x0501.
With TM 01, I got items 0x0021 (Revival Herb), 0x0521, 0x0421
I also got items 0x4000, 0x0100 (Pink Scarf), and 0x16A (Vs Seeker).

And as my Seedots knew Harden (0x006A) as a second move, I thought of teaching them Haze (0x0072) to see if I could get AuroraTicket (0x0172).
As this kind of corruption is like Pokemon Corruption, it worked only for two Seedots.
I also swapped their moves, and yeah, the 2nd move is interpreted as the item, with a little change of identifier.
With Trick as 2nd Move (0x010F), I got a Burn Heal (0x000F), so this is a bit 0 corruption of the left byte of the identifier.

But contrary to normal corruptions, where the bit is set to 1, here, it changes.
This fact also happens for adresses linked to flags (like Ever Grande Fly location), but don't happen in general (for records or Bag item quantities), and I don't know what are exactly the cause of this, but it doesn't seem to happen for PID corruption, so I found it strange to see it on item corruption, although it's useful.

But when I got the item I wanted with my 2nd Move, well, my Bad Egg didn't have Trick anymore.
I tried to give him 0x0F HP EV and 0x01 Atk HP to maybe obtain Trick as a move, but it didn't work so (in battle, my moves cause an instant-freeze when I see them).
I also altered the swarm to have a Numel Swarm with Trick, but it failed when they used it.
Covet didn't work too.

So, to obtain the item I want with a PID corruption, I should obtain it from the EVs, and with a corruption that doesn't swap the Moves substructure (or read Moves for Growth, and EVs for Moves, that's the same), in order to be able to Trick it to a wild Pokemon.

And FroggestSpirit appears with its method of corruption that leaves us with a hatched Pokemon, so by knowing how the item is defined, we could obtain every item.


It wouldn't be mega-useful as for special events (Southern Island, Navel Rock,…), you need items and some flags (that can't be corrupted, for now), but we could obtain back some lost items, or cool ones.
For example, one would be able to have the Mach Bike & Acro Bike combination that I really like on console, as well as the event tickets, as they are "cool".





I also tried corruption on FrLg, and I didn't found any important data to corrupt, except from item quantity (with the same restraint as in Emerald : 1/8 chance to not corrupt TM/HM and Berry Pouches) and records.
Corrupting records could allow one to have a score higher than 200 at a Island 2 Link Mini-Game, and earn a star for the Trainer Card.
Also, Battle Tower record could be altered, to give (I think), another star for Trainer Card, only leaving League and Pokedex one for the player.
Stickers could also be earned, as the counters of random encounters / fights / fishes / eggs hatched would be corrupted.

But for E-Reader events, all of them are added (the script the delivery man has) into the save when E-Reader is used (with an annoying checksum for the script), so there's no way we can unlock them this way. The Southern Island event is the only one already in the game, so we only needed a value corruption to make the delivery guy appear, since its the main special event.

I'll look at the flags, to see if a special island flag may be corruptible (and with FroggestSpirit technique, we could obtain the tickets), but I don't think so.

And since we would need to trade Pokemon to obtain one with ?35 HP, we would need to have trades towards Hoenn unlocked, or another FrLg game with Hoenn trades unlocked, and trade with it, I didn't really look at the story flags that could be useful to corrupt, since no speedrun could be done like that (with trades from a completed game).
But there are some skippable parts of the story, as we could obtain Sylph Scope or PokeFlute with corruption only.
But it would be easier to do the corruption on the completed game, and once the Pokemon holdin Pokeflute is obtained, trade it to the non completed game.

The quantity of coins in the Coin Case can't be corrupted.
Also, maybe 1 legendary / given Pokemon can be brought back with flag corruption, but that's all, since they aren't unlockable but are present since the start of the game.

There's still one thing I haven't studied that could also have a little bit of interest, the Roamers.
I'll focus on them tomorrow, if I'm not too lazy.
But I don't really see what we could pull from these Pokemon, since making a wild battle against a glitch Pokemon (identifiant of 0x413A for example, glitched Seedot identifiant) crashes the game when the screen fades to display the battle.

I've also made a lucky successful corruption attempt (first time, and with Anti-DMA activated), which corrupted my Sentret into a Caterpie (corruption through moves).

I hatched and evolved this Caterpie into a Butterfree, and contrary to Emerald, I couldn't see the Status pages of my Butterfree at all, due to its glitch moves.
So I made him lose 3, to reduce bugs, and I was able to access its Status page.
But then, when I swapped this glitch move to 2nd place, the game considered my Butterfree as an Egg, showing me an Egg status screnn, with Butterfree's sprite (and I couldn't make it hatch, so it's still fundamentally a Pokemon).
Swapping the glitch move to 3rd or 4th place caused more graphical glitches, and allowed me to scroll status screen down, showing me  Bad Eggs and Decamarks status screen.

These status screen are the interpretation of the data directly below team data, and scrolling down through the Decamarks (a limited amount of them, the game resets or i can't scroll down further after a certain point) corrupts the data in the way.
But since its full of 0000, the 4000 and 0500 aren't omnipresent, as they tend to "stick" to areas where the data isn't full of 0000. (ex : leave 3 or 4 empty spaces in your PC, and you'll find only few traces of corruption at the edges of the space's data, and you'd need numerous successive corruptions to fill that space with 0x4500 ).

But it's already something, since it may be possible to scroll down further with other glitch moves, or have different effects, as I've only got one working corruption, and all the glitches it had gave me a lot of work.
Also, if I scrolled up, I would see 1 or 2 Pokemon of my team, and lots of Bad Eggs (team was : Pidgey, Mareep, Mewtwo, Butterfree
I would see 3 Bad Eggs, then Mewtwo, then more than 4 Bad Eggs, then it would stop on Pidgey), with some Bad Eggs that reset the game.
Since I see Bad Eggs between team Pokemon, I don't know from what kind of data they come from, and there seem to oftenly have a Bad Egg resetting your game.
Also, since Pokemon Team is stored in 0x02024284 (and below), there isn't a ton of things above (time counter maybe), and the scrolling stopped at Pidgey anyway.
It's longer to set up than the usual Pomeg Glitch corruption, but we may be able to corrupt other adresses with this cursor.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-07-29 05:24:57

I don't know french, but I did manage to get that Stantler I wanted. I had to corrupt a wailmer with a very specific PID 2 times correctly (so I had to use an emulator and savestates) but it ended up giving it Sacred Fire (because of my held item choice) and a glitch move. I used the daycare to rid of the glitch move (swapped it to first slot in battle). The stantler has high contest stats, and low feel, so i can hopefully max them out from there. It was also holding a leichi berry. Took a lot of calculations, but I feel it was worth it.


That's great! Do you still have a save file with Wailmer's PID? I'd like to know what it is, and how you made it not turn into either a Bad Egg or an Egg, and what bit additions occurred.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-07-29 08:55:02
For the double corruption to work, I think that every Pokemon that can be corrupted into an Egg can be corrupted another time into their hatched form.
As you need to corrupt the PID with the Bit 6 corruption, then you need to corrupt the TID with the same corruption.
And the Bit 6 corruption "flips" the Bit (if it was to 0, it will be set to 1, and if it was to 1, it will be set to 0),



I worked on item corruption, and I came with 2 methods to obtain every game item (one of them don't give them all).
There would be a third one with FroggestSpirit double corruption, but I don't see where the item identifiant comes from, so that'll be for later.

The first one is the quickest to do, since it seems to work with every Pokemon. You just need to corrupt the held item of your Pokemon into another one.

I saw 4 different item corruption patterns, and I'll take examples to show them, as it's easier.
Master Ball, 0x0001 turned into 0x0101, 0x4001, and 0x0501
TM 01, 0x0121 turned into 0x0021, 0x0521, and 0x0421

So the corruptions are :
Bit 6 is set
Bits 0 & 2 are flipped (which explains the 0x0421 corruption)
Bit 0 is flipped (which explains the 0x0021 coruption)
Bit 2 is flipped ??  It may also be a Bit 0 & 2 set (not flip), because that would explain the 0x0521 corruption.

Thus, you can obtain a first set of items by catching Pokemon, teaching them Trick (putting it in the 1st place seems good as it doesn't get oftenly corrupted), and giving them an item with an identifiant that differs from your wanted identifiant by the Bit 0 of the right Byte.
Once you have the desired item, you go make a battle with your Bad Egg, and use Trick, then catch the wild Pokemon, and you can take its item.

ex : You can get Master Ball (0x0001) by making a Pokemon hold Green Scarf (0x0101).

Since I was lazy, I corrupted my Seedot swarm for Trick seedots, instead of teaching it to Smeargles.
With this method, you can obtain :
All the TM (almost), RS Rare items
Arco and Mach Bike (a pretty cool and useful combination, I always use it on VBA)
The Fosiles, Master Ball, Sacred Ash, PP Max, Rare Candy
For FrLg, you can have the Amber (this item has no use in RSE) too.

I have a list of Item identifiants, but its in French, so I'll search for a link with English names.



For the second method, I corrupted the held item identifiant with Def and Spd EVs, while leaving Moves invariant, since I wanted Trick.
You can also try to corrupt held item identifiant with Moves, and corrupt Moves with EVs, to have Trick, but it's less interesting.

But when the corruption happens, there is a Bit 0 flip that appears. I don't know why, but on every of my attemps, and on the previous attempts on this topic, it was here.

So, if you want a certain item, with an identifiant of 0x0nnn you have to set your Def and Spd EVs to make the identifiant  (0x0nnn xor 0x0100).

ex :
For Old Sea Map, 0x0178, I have to make 0x0078 with my EVs, so 0 Spd EV, and 120 (=0x78) Def EVs.
For Rare Candy, 0x044, I have to make 0x0144 with my EVs, so 1 Spd EV, and 68 (=0x44) Def EVs.

This explains the appearance of Pink Ribbon, that has an identifiant of 0x0100, with 0 Def EVs and 0 Spd EVs.

I was able to correctly corrupt two Seedots that still had Trick, and obtained an Old Sea Map.
It may be unusable (for now, since we only need to corrupt a flag to use it), but it's cool to me.

This glitch can also be done in FrLg, bringing the same results.
We can also trade Pokemon holding rare items, which can be useful, but we can't put them into the PC.
The little issue would be a Rare Item Pouch being full.


I'll look at other FrLg flags, to see if we maybe can set flags for special islands.


EDIT :
Could someone explain me why RS Pokemon nearly always work for corruption ?
When I flip Bit 6 of the leftmost byte of their PID, they become an Egg, or nothing (you can't even take the Pokemon, and if you put a Pokemon on the same place, it gets overwritten).
With a real Pomeg corruption, you would also need some parts of the Pokemon's data to not be corrupted by the cursor, with the PID corruption, but that would help a lot for doing a successful Pomeg Glitch Corruption.

I tried on Ruby and Saphire, with all different parameters, and I always got one of these 2 corruptions, if I corrupt it on Emerald or RS.


EDIT 2 :
Okay, the corruption making an invisible and "untakable" Pokemon was just a successful EV corruption, and the Pokemon 000 is handled by RS with nothingness.

So yeah, every RS Pokemon can be corrupted if I alter the PID, whereas it's not the case in Emerald (now that I think of it, I war never able to corrupt an Emerald Pokemon, they always were generated from a RS game or save modifier).
Also, my games are French, so maybe it counts ??

Tomorrow, I'll catch loads of Emerald Pokemon, to see if I'm able to corrupt one of them.

EDIT 3 :
I've tired a manual (with Memory Viewer) double corruption on a Pokemon caught on Emerald, and it worked with every Pokemon, with certain conditions.
When I corrupt the PID only, for an Emerald Pokemon, it becomes a Bad Egg (never had a working case for an Emerald Pokemon).
If I go into the Box the Pokemon is, the game will change other data from the Pokemon to consider it as a "Bad Egg" (a value is changed from 02 to 07), and if I corrupt the TID, it will stay a Bad Egg.
To not make this value change from 07 to 02, and still know (if there's a way) if you corrupted the Pokemon's PID, you can watch the other boxes (and as you can corrupt 2 boxes, you can mabe check the other one to see if it worked).
Once you're sure the PID of a Pokemon was corrupted, and you didn't go on the Box the Pokemon is, you just have to corrupt its TID with a Bit 6 corruption, and it will turn into a Pokemon, everytime.

So yeah, double corruption is really cool.
Also, instead of the usual corruption, where you had 1/8.192 chance that the corrupted Egg becomes Shiny, here the Shinyness is retained, since you also corrupt the TID

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: FroggestSpirit
Date: 2014-07-30 00:37:14
Torchickens:

Wailmer
PID: 0x82FD5C3F corrupted to 0x87FD5C3F
SubStructure 7 corrupted to 15
Attacks turned into EV's/Contest stats
Growl/splash/mist/raindance (all with max pp-ups except raindance to keep that feel low)

EV's to Growth (to stantler, and holding a leichi berry)

Growth to attacks (glitch move from exp or something. Sacred fire from holding lax incense)

My trainer ID also had to comply with the changed bits in the pokemon's PID (which thankfully it did)
It also took time to find one with a sub structure of 7 (because the morph I was planning would change it to 15, shuffling in the correct order)

ALSO! Since the PID and TID got corrupted as bits 0 and 2, there would be a bit 6 corruption along the data (I think it was somewhere in the attacks area). The 6th bit NEEDED to be set by default (which thanks to encryption, it was) so that the checksum wouldnt be messed with there.

All these calculations are the reason it took hours to set up

Now, I have a bigger problem… winning all ribbons possible with that stantler… battle ribbons aswell

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-07-30 04:40:18
Phew, it took me 3-4 hours, but I finally know what prevented me from having corruptible Pokemon in my Emerald file for like 5 hours.
It was the Ball I used for the capture.
Apparently, with a Repeat Ball, a Bit 6 PID corruption turns almost everytime in a Bad Egg (I didn't see any successful Egg).
I tested this fact with other Balls, and here's what I found :
Bit 6 PID corruption turns into Bad Egg for :
Repeat Ball, Premier Ball, Timer Ball, Nest Ball, Luxury Ball

Bit 6 PID corruption turns into Egg for :
Master Ball, Dive Ball, Great Ball, Hyper Ball, Poke Ball, Net Ball, Safari Ball

The concerned Ball (those that don't seem to work) all have an identidiant equal or higher than 0x0008, so the Bit 4 of their right byte is set to 1.


However, modifying the PID for a Bits 0&2 corruption with Memory Viewer always gave me Bad Eggs.

Could someone please bring me explanations for this turning into Egg/Bad Egg that depends on the Ball used, and for the fact that only modifyins Bits 0 & 2 of the PID always ended up (for me, and with every Ball), in Bad Eggs ?

Because if there are factors that prevent or reduce chances to corrupt a Pokemon (like the Ball caught), I'd like to know a bit more, to change my ways of preparing my Pokemon.


EDIT :
Yesterday, while trying to study if obedience was kept after hatch or with a double corruption, I had an interesting result :
With a Wingull who had a GEAM (02) -> AMGE (10) transformation (Misc is read on EVs, and Growth on Attacks), I gave him Pokeblocks to see how to set the obedience, and I was able to change it directly into a Pokemon in a single corruption.
I found that the cause of this was giving to my Wingull 0x40 in Beauty and 0x40 in Feel (other bits can be set, it doesn't change the result).
Since Beauty (EVs) is at the same place than Egg (Misc), it has interfered in such a way that the game directly considered the corrupted Pokémon as hatch, sparing me a hatching or a double corruption.
Also, giving more Feel or Conditions (with Bits 6 of Beauty & Feel set) changed some data of the corrupted Pokemon (its level, special ability, and glitch moves changed a bit).

It also may be possible to do the same with Misc read on Attacks, since a 40 PP move with a PP Max has 64 (=0x40), which is exactly the value we want.
There are 4  Misc read on EVs & Growh read on Attacks combinations :
10 <-> 02 (so 8/48 = 1/6 chance to have it)
11 <-> 03
20 <-> 12
21 <-> 13

There are 4  Misc read on Attacks & Growh read on EVs combinations :
00 <-> 16 (so 8/48 = 1/6 chance to have it)
01 <-> 17
06 <-> 22
07 <-> 23


EDIT 2 :
Well, a single corruption with no Egg is easy to do, but sadly uncool for the Pokemon condition.
I reproduced it, and the only 2 bits needed are Bits 6 for Beauty and Feel (so 0x40 = 64), or 64 PPs for 2nd and 4th Move, depending on the corruption pattern.

The issue is that there are unwanted bits set to 1 all along the Pokemon data.
Thus, is will directly be at Lv 100, holding a ??? item (identifiant of 0x4nnn, so too high to be a real item), and with some glitch moves at places where it shouldn't have moves (like with the usual corruption).
But I think this is avoidable with the reverse corruption pattern that I had : Growth on EVs and Misc on Atks, because with EVs and Condition, you're able to set high bits to 1, and the unwanted Bits aren't set, but flipped (it becomes 1 if it was 0, and 0 if it was 1).
For example, with Def and Spd EVs making 0x4178, after my corruption, you would have the item 0x0178, which is Old Sea Map.
This should be the same for Xp, but I don't know what Bit(s) are set to 1 for now.

Also, I've looked at obedience, and I was able to obtain an obedient Mew.
You can only do it with Misc on EVs corruption, since you need Bit 7 of the Feel set to 1 (so 0x80, or 128 Feel) only.
Thus, for a single corruption, you need Bits 6 & 7 of Feel set to 1, (0xC0 or 192 Feel) + Bit 6 of Beauty to 1.

Setting this Bit to 1 gave me an obedient Mew for non hatched single corruption, and double corruption.
The obedience also stayed for the usual corruption.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: FroggestSpirit
Date: 2014-08-01 22:39:49
Getting a bad egg relies purely on the checksum. The ball you catch a pokemon in does not matter (though it just happened that the way your poke'mon data was encrypted resulted in it changing, based on the PID TID combo).

Basically… the PID of the pokemon and your TID (including secret ID) get Xor'ed together. That result is Xor'ed throughout the 4 groups of data (GAME for example). When doing the double corrupt, the encryption needs to happen, so that NONE of the bits in that data get changed (meaning they are already set after the encryption takes place) If any of them change, it wont match the checksum anymore, and the game will turn it into a bad egg.

The double corruption will turn it into a bad egg the first time. As long as you don't look at it in the PC, (or even hover over it with the cursor) you can still use the second corruption to "fix" the checksum back, and switch the data structure.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-08-22 13:52:30
After writing a whole article on Pomeg Glitch and its usefulness, and several tests on emulator to see if my procedures were working, I understood more tiny helpful things on corruption.

When the PID or TID are corrupted for a first time, the corrupted value is "added" to every double-word of the data (PID and TID being double-words).
And if the bits that are "added" were already set to 1 on certain areas, the Pokemon will turn into a Bad Egg.
The areas I found were : Held Item, 4th Move, PPs of 4th Move, Onctuosity, Pokemon Origins, and maybe Ribbons (the last one being tougher to test).
For a Bits 0 & 2 PID/TID corruption, I always had the Pokemon turned into a Bad Egg.
There may also be another mechanic behind to explain this transformation, but I also thought that the Pokemon Origin would count.
But I had a little Lua Script on VBA that showed me the transformation of these values.

My tests circled around Bit 6 PID/TID corruption, as its the one that can be easily done on a console.
So, for this corruption to work, you need Held Item identifiant, 2nd Move identifiant and an Origin value that don't have their 14th Bit set to 1 (0x4000) (thus, values between 0x0000 and 0x3FFF or 0x8000 and 0xBFFF work).
For the Origin Value, the Ball identifiant needs to be less than 0x08, else the value will have its 14th Bit set to 1.
This is why Pokemon caught with a Repeat Ball always gave me Bad Eggs.
The same change happens to 4th Move, but there is no 4th Move identifiant inducing a Bag Egg.
You also need 4th Move PPs and Onctuosity that don't have their 6th Bit set to 1 (0x40) (thus, values between 0x00 and 0x3F or 0x80 and 0xBF work).
The same change happens to an EV and another Condition, but their value didn't induce any Bad Egg.


All the methods in my article were focused on getting Smeargles and testing them to see if they can be corrupted, before cloning and training them in order to have a few (4-5) guinea pigs that would work for different corruptions (or for other attempts on a same corruption) instead of catching a Box of Pokemon everytime.

I also made a part on save corruption, with things like Item quantity corruption, Southern Island corruption,… and I found some more interesting stuff.
-Pokeblocks can be corrupted, and if they are, they will gain Grace (5 or 64 more points).
This leads to a recipe of 8 Pokeblocks made with ultra-rare Berries (that can be obtained with Item Corruption) that nearly give maximum condition on every stat (255 points).

-Some rare Secret Base items are available through corruption, but not all of them.
The most important ones (Regi Dolls and Glitch items) are available.
There are particular spots on the Item PC where corruption can happen, and with the automatic order of the Items, it's hard to manipulate the contents of the PC to increase our chances to obtain the item we want with corruption.

There are 7 Glitch Decorations that can be obtained.
If I remember well, 4 of them do nothing, 1 is like a Black poster, and 2 of them mess with the camera, giving you a hard time to place objects, move, find the PC, or exit the Base.


I also focused on Double Corruption, to render it accessible, with great chances of success.
To do it on console, I focused on getting Eggs with a PID/TID corruption, then corrupting the other value (PID or TID) to change the Egg into the desired Pokemon.
A new issue rose, as when you make a second corruption, the previously mentioned Bits are set to 0, and if some of them already were at 0, a Bad Egg will appear.
Thus, if PID is corrupted first, some of the previous values are concerned, as EVs, 4th Move identifiant, or Condition will go onto other data, like Held Item Identifiant, 2nd Move Identifiant, or Pokemon Origin, and if you corrupt the TID after that, you'll get a Bad Egg.
To be more accurate, a part of the previous values that changed with PID/TID corruption (Held Item, Moves 2 and 4, PPs of Move 4,…) is "refreshed" when the Pokemon is held and deposited into the PC, and this refresh is the main responsible for most of the Bad Eggs onbtained in Double Corruption.
This is an issue since not being able to move a PID corrupted Pokemon unables you to clone it.

So, I start my Double Corruptions with TID corruption.
The previously mentioned bits are changed, and I only have a single condition to respect if I want to move my Egg safely :
The corrupted 4th Move's PPs have to be bewteen 0x40 and 0x7F or 0xC0 and 0xFF (the 6th Bit of 4th Move PPs has to be set to 1), because when we move the Egg, it's PPs are recalculated, so the needed amount of PPs has to be respected with the corrupted move.
This may be kind of tricky since it's hard to tell if a certain Glitch Move has the right amount of PPs, but someone is making an application that gives details about 3rd Gen Glitch Moves (PPs, Power, Accurary, Type, Effect, other data) in order to cover this situation.

The main point of Double Corruption would be to obtain the best Pokemon, the most powerful ones, so I searched combinations of Moves or Evs & Condition to maximise IVs or EVs & Condition.
The main issues for Moves is that high identifiants moves tend to frequently crash the game when Sketch is used.
I had to look at around 300 identifiants to find moves that could be Sketched without any crash, and with the ability to Skecth other Glitch Moves.

For EVs & Condition, I use Moves :
The best moves I found were :
0xFEFF, 0xB4FE, 0xFEF2, 0x8E5F.
(0xFEFF and 0xFEF2 can change positions)
The EVs & Condition value becomes :
Pv : 0xFF = 255 / Atk : 0xFE = 254 / Def : 0xFE = 254 / Spd : 0xB4 = 180 / Spe.Atk : 0xF2 = 242 / Spe.Def : 0xFE = 254
Sg-Fd : 0x5F = 95 / Beauté : 0x8E = 142 / Grâce : 245 / Intel : 24 / Robus : 225 / Onctuosity : 16 (didn't translate that)
The Spd EV value is a little low, but that's the best I could get.

For IVs, I use moves :
0xFEFF and 0x3FBF (3rd and 4th slots)
I obtain IVs of :
Pv : 31 / Atk : 23 / Def : 31 / Spd : 31 / Spe.Atk : 27 / Spe.Def : 31

For IVs, I use EVs & Condition :
255 Spe.Atk EVs, 255 Spe.Def EVs, 255 Sg-Fd, 63 Beauty, less than 191 Onctuosity
I found a combination that works well, with natures that don't boost Beauty (natures affecting Spe.Atk)
1 Pamtre Pokeblock with 4 players (100 RPM)
1 Razz Pokeblock with 2 Players (100 RPM)
4 Litchii Pokeblocks with 4 Players (100 RPM)
Adamant and Modest natures will be really bad, as they affect both Beauty and Sg-Fd.


After several tests, I was able to obtain a Mewtwo with pretty EVs (read on Growth) and IVs read on Moves, caught in a Safari Ball, at Lv 111, at Cerulean Cave, in a Fr version, holding item 0x0201 (I had 2 unwanted EVs in Spd due to a miscalculation in my training).
Its moves were glitched (read on Miscellanous), but i gave him 0 exp points, to make it at Lv 0, so he can easily learn moves to delete the others.


I quickly looked at roamers, and you can corrupt their PID, IVs, as well as the adress managing the state of the roamer (dead or alive), and its possible to make it appear (if he wasn't generated or dead).
If the roamer wasn't generated, it will appear at Lv 0.
But, since Lv 0 isn't a possible encounter level, the game will say that the roamer hatched from an Egg.


I also solved the issue with Ever Grande Fly location on Speedruns.
It was linked with the pattern of the pointer.
The pointer tries to read Pokemon data, and as the position of the Pokemon species depends on the PID, if you take a certain block of data, there will be adresses considered as "PID" by the pointer.
Thus, for a certain "PID" adress, there are 4 adresses that can host a Bit 6 (or a Bits 0 & 2) corruption.
The adress hosting the corruption will depend on the value of the "PID" adress, and the value just after, who emulates the "TID".
If the PID adress has its leftmost byte with a Bit 6 set to 1 (so 0x4xxx xxxx), there won't be a Bit 6 corruption.
If both PID and TID adresses have their leftmost byte with a Bit 6 set to 1 or set to 0 , there will be a Bit 6 corruption.

Thus, by manipulating values higher than a wanted value (Ever Grande Fly Location), we can ensure that there will be a situation where the wanted value will or won't be corrupted.

Here, all the needed values are linked to trainers.
For Ever Grande Fly Location, the main "PID" adress that would induce its corruption has Bit 6 of his leftmost byte set to 1, as this Bit manages the very first trainer of the game (the unavoidable Youngster on Route 102).
So I tried to set Bit 6 of the leftmost byte of the "TID" adress to 1, but its not a trainer we can fight on a speedrun.

I focused on the 3 other possible cases, and I found that one of them can bring an Ever Grande Fly Location corruption.

To do this, you need to fight the minimal amount of trainers (the same amount that werster did in his runs, and in the save file where I made my tests I presume) + fight the Twins at Route 103. (they have Plusle and Minun)
You can also fight the Twins at Route 104 (and not the ones at Route 103), but I don't know if one would have 2 Pokemon at this point in the run. The needed value at the adress 02026D4C (with Anti-DMA) is 0x0200 0002 or 0x0200 0008 (the 0x02 is already here, and the 8 or 2 are provided with the Twins)


Once done, there will be a 1/32 chance to corrupt Ever Grande Fly Location with a single corruption (soft-resetting after each corruption).

You can then continue the run by saving and trying to corrupt Rare Candy Quantity with consecutive corruptions (and resetting + making another Pomeg Glitch if Ever Grande Fly Location is disabled by misfortune), or putting Marills into Box 2 of the PC, making another Pomeg Glitch, and trying to obtain a Bad Egg with an Instant Victory Move.
You have 1/16 chance to corrupt Rare Candy Quantity (with Rare Candies in PC and Bag), and really higher chances to obtain a Bad Egg with an instant victory move from a Marill, so I don't know which one is in general the fastest. (I would prefer the Marill way)



EDIT :
Also, I remembered that some members made arbitrary code execution with Pomeg Glitch.
Could someone do codes for unlocking Navel Rock, Birth Island, and Faraway Island ?
Because that would be damn cool.

For this 3 flags would need to be set to 1 (1 per Island), and the tickets would be needed (they can be obtained with another Pomeg Glitch, if the necessary code is too long).
Swarms might be customizable too ! (lots of value to set to manage a swarm).

I also would have liked to unlock events like Berry Master or Sales but I don't know how they are managed.