Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 26

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-10-26 16:41:42
I found a way to turn ordinary trainers into glitch trainers here! Prior to the video, I encountered a glitch Hiker with Decamark with my party. I don't know why this happens, but I like it.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: luckytyphlosion
Date: 2014-10-26 21:46:46
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{

Sounds like someone doesn't know how to use wiki templates. [IMG]http://i.imgur.com/F8SQNhk.png[/img]
Congratulations on the super mass corruption discovery (seriously all that garbage text must have overflowed), and also posting in a thread that has been dead for two months [IMG]http://i.imgur.com/F8SQNhk.png[/img].
(oh yeah about the [IMG]http://i.imgur.com/F8SQNhk.png[/img] use, get used to it, because GCLF is affiliated with the PSR wiki, so we'll be experiencing about 420% more twitch memes and stuff)

On another non [IMG]http://i.imgur.com/F8SQNhk.png[/img] related note, GoddessMaria has made an Emerald Glitched TAS: http://tasvideos.org/4465S.html. The notes page explains a lot about the Pomeg Glitch, including this:


Since PC Pokemon data is stored after nearly every other data, you can corrupt most of the in-game values / identifiers / flags.


That means trainer data is stored somewhere in that area.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-10-27 08:13:23

I found a way to turn ordinary trainers into glitch trainers here! Prior to the video, I encountered a glitch Hiker with Decamark with my party. I don't know why this happens, but I like it.


Great find. I wonder exactly why that happens.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-10-27 12:16:46
luckytyphlosion :
Well, I mostly explained the basic action of Pomeg Glitch, and the uses for the run, I didn't go further into the different possible corruptions you can make in Emerald/Fr/Lg. (but thanks for reading my overly long description).
Also, I'm still working on Pomeg Glitch, and writing down every useful application of this Glitch you can do on console, so the topic isn't this dead for now. (but I don't know when my studies will allow me to finish this work)

Torchickens :
There's a RAM area (I don't remember if it's below or higher than flags) that stores some of the NPC data when the game loads a map.
EDIT : After a quick reading of my notes, it's above flags, around 0x02026670
The 3 main things that are stored are :
- The type of Sprite
- The location
- The script address
There are other pieces of data attached to a NPC, but corrupting them with Pomeg Glitch didn't change anything.

With Pomeg Glitch, you can easily corrupt Location (the NPC will be put outside of the map) or Script Address.
But, since the data is refreshed when you change map, you have to use a Fluffy Tail to flee if you want to see the effects of your corruption, because when you black out, you're teleported (so the map is refreshed).
In the beginning of this topic, someone accidentally experienced it by removing Twins and the Day Care man, and this is what made me try to search about this exploit (it took me some time to understand that I needed to use a Fluffy Tail and not run away), so I thank him/her.

The Location corruption is really cool since it allows you to go in Day Care Garden (in Emerald and Fr Lg) by teleporting the Day Care Man, or go back to SS.Anne by teleporting the guy in front of the entrance.
You can also go back into Origin Cave at Sootopolis by teleporting the Old Man in front of the entrance (even if the encounter rate of this area is set to 1, the lowest possible, meaning that Shinyhunting in this zone is too long).
You can also use it to teleport some NPC blocking your way on a new game, in order to make a save where most of the events aren't triggered.
There's no other useful application for this glitch, and this is quite unfortunate.
I searched through Hoenn and Kanto to see if there could be another zone where a NPC disappearance would be useful, but I had no convincing results.

The reasons are the following :
-You can only affect NPCs (cutting trees, breakable blocks are counted as NPCs) and not every script on the map (ex : the Rival fights where he appears from outscreen).
-To teleport a NPC, you need to make a fight on the same map (wild or trainer), and most of the interesting things happen in buildings with no trainer inside.


And for the NPC Script Corruption, there are two different corruptions you can achieve.
ex : 0x081F4B59 becomes 0x481F4B59 or 0x0D81F4B59

Once a NPC has its script corrupted, if you go speak to him (or into its vision radius), you'll have a really long glitched speech, that ends with a battle, or makes the game freeze/reset.
And this will happen even if you had fought the trainer before (since the script address changed, the game won't take the trainer flag into consideration).
The fight/freeze/reset depends on the script address you corrupted first, and the version you're on, but the fights don't seem really interesting (in French Fire Red, I got a trainer with Ekans).

Here are pictures of Script Corruption to illustrate a bit :
[img]http://www.pixenli.com/images/1414/1414429368074336700.png[/img]
[img]http://www.pixenli.com/images/1414/1414429398086921100.png[/img]

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-10-27 16:03:39
Thanks for your detailed explanation. I really appreciate it!

You note that a Fluffy Tail must be used for "location" corruption to avoid refreshing the map. Do you also have to use a Fluffy Tail to keep "sprite" and "script address" corruptions?

Also, are any of those corruptions common?

Edit: I did this glitch. For what it's worth, I stopped scrolling a little after one of the Pokémon on the list was poisoned (I didn't come up with a minimum number of times to scroll up but that could vary).

I'm not sure if the number of times you have to scroll up for the poison status can vary too. I had five Pokémon.

After a few tries, I removed the Day Care man (fun!) and got a Trainer who loaded a red screen after a "!" appeared and they walked up to me.

[img]http://i.minus.com/jZA3t3tluMMrI.png[/img]

The red screen makes me ask whether arbitrary code execution is possible. But I have no idea where you could repoint the flow of code and the best thing you could probably do is write a short program with box Pokémon nicknames like what TheZZAZZGlitch did.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-10-28 05:21:38
Major find. Pomeg glitch opens up a glitch effect that will break your save file if you save, and corrupts many things.

You can freeze the game if you turn/take one step close a menu like the Pokédex, corrupt your Pokémon, your name, your items, your Pokédex data, your play time and your gender all with voltage/Metarkrai's trick. I tried taking a step forward after bumping into the NPC and the game also froze, but the freeze was different (the 'registered phone number' sound effect played).

I mutated this non-Trainer on Route 111 and tried to talk to him. At first it wouldn't work, but then he said long glitch text that took ages to close, while he walked around. A Battle Frontier sound effect first played too, and after a while the text changed from qÁF(repeat) to é(repeat). My name became many qÁF, maybe the qÁF overflowed a buffer.

If you save with this effect, then you've probably black screen of deathed (BSOD)'d your game. When I tried to turn the game freezes.

Corrupted stuff

[img]http://i3.minus.com/i5yTuTnloovwF.png[/img][img]http://i3.minus.com/i7yFYqamhHbBw.png[/img][img]http://i1.minus.com/iWdWyscdEPWxC.png[/img][img]http://i5.minus.com/ie2IR45mAH5EN.png[/img][img]http://i5.minus.com/iE4lkWYvz4wCe.png[/img][img]http://i3.minus.com/ibzoyghfIFhmQ6.png[/img][img]http://i6.minus.com/ibrOjoPwvuRfsC.png[/img][img]http://i6.minus.com/ivrQOeQir6WTS.png[/img][img]http://i3.minus.com/ibyrE2BfnhtV19.png[/img][img]http://i2.minus.com/i8XfyX0Hyc8l.png[/img][img]http://i7.minus.com/ibkEnv2sUX9Hdn.png[/img][img]http://i3.minus.com/ibzPVqAh2keDOC.png[/img]

Any questions? I still have a save state after the glitch/VBM movie of the glitch.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-10-28 05:41:50
Torchickens :
For the amount of Up Pushes, I use the Memory Viewer to see the RAM area I want to corrupt, and hold Up until I see some corruption.

For NPC Corruption, since there's easily 5-10 NPCs on a route, you have great chances to corrupt their position or Script address.
But you can also do it manually to test the effects by hand for each NPC.

I also got this red screen one time on my Fr.

But I'm amazed that you had your RAM overflowed by a value, and could still play. Every time I see the Memory Viewer overflowed by a value (with glitch moves names, glitch types, glitched NPC Script), the game freezes or resets.
I'll test this on vba since it's a very cool effect, and easily reproducible. It's a more visual method to break a save (if someone were to save with all this corruption) than having a wrong Black out warp (sends you out of the map instead of near Pkmn Center) without a Pokemon knowing Fly/Teleport).

I also have a way to make red screens, but inoffensive ones, using a character glitched from "A". (I'll add pictures of this.)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2014-10-28 06:19:17
Cool.

Here is the VBM movie (it's for VBA-RR v24 svn422). You'll have to stop it before I turn to view the corrupted Pokémon and items data, etc.

Note that when I resumed the movie and did some slightly different steps (talking to the guy from different positions and at different times) I couldn't get the text box to close when the text stopped scrolling. I don't know why.

Edit: Or maybe I forgot to try pressing A, not sure…

Edit 2: Save state.


It's a more visual method to break a save (if someone were to save with all this corruption) than having a wrong Black out warp (sends you out of the map instead of near Pkmn Center) without a Pokemon knowing Fly/Teleport).

Yeah, I experienced that too. I didn't see what happens after saving and resetting though.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-10-28 06:48:06
If you can't close the text box after the text stops, it's because the game hung.
I tried it, and it happened to me.

The original script address is 0x081F1192, and I changed it to 0x481F1192.
The NPC first gave me 2 trainers for PokeNav (this also happens with NPC corruption, and I didn't remember it), and then RAM was overflown by 0x1C101C10
There were times where the game froze (blackscreen) before showing me any text box, and others where I got the text box without the PokeNav registrations (it seems that the position of the NPC plays a role in this).
I also tried changing to 0x0D1F1192 but the game froze after the first talk.

However, the first time I did this, RAM data was only overflown at the end of the text box, and here it's overflown when it opens. I'll wait and see if this makes a difference.
I'll also look at your savestate and keep a copy of it with my favourites glitched savestates, as it's pretty cool.


Also, here's the picture for the effect of the character 0xFB.
You get it by corrupting character 0xBB (letter 'A') on a Pokemon Nickname.
Only the 4th and 8th character of a Pokemon nickname can be corrupted.
[img]http://www.pixenli.com/images/1414/1414496366085848600.png[/img]
As you can see, this character is linked to the command requiring you to press A to continue the scripting. Thus, seeing this character makes the game hang for a bit of time, or totally hang for graphical loadings during a fight.
Also, the checksum doesn't apply to nicknames, so it's easy to change the characters to see their effects.
It also can be useful for ACE, because you can use more characters to make your command (the best would be using PC Items for creating a command, but I don't know how much control you have about the area whose data will be executed).

A lot of characters are blanks, so some of them must be the remnants of Japanese characters since I didn't see them anywhere in all these glitch texts.
There's also a smiley, but I don't know its value since I see it on descriptions of Glitch Moves :
[img]http://www.pixenli.com/images/1414/1414497372099528900.png[/img]
The description of some glitch moves is weird : it changes every time you open it (I don't know at all where it could be read).
There are also few Glitch Types that the game can handle, and whose sprite changes from time to time (for some sprites, the game can handle it for a few seconds).

EDIT :

Yeah, I experienced that too. I didn't see what happens after saving and resetting though.

If you save and reset, you're stuck on the tile forever, and you can't do anything.

Also, I launched your savestate, and wow, it's completely strange.
I can't make a step, or use something AND go back to the map, or the game freezes.
Also, the NPC got its original script back, whereas its script address is still corrupted, and no other RAM address has got the value 0x081F1192.
The RAM is overflown with 0x1CAD1CAD when I do something.
Also, like I suspected, only a part of RAM is overflown, inducing the weird party Pokemon and Bag Items, and this overflow started at 0x02022024 with 0xE55EC002, until 0x02025FC0 where the overflow value became 0x1C101C10 and stopped at 0x020266E0, just on/before Map NPC data.

When you move, RAM is overflown with 0x1CAD1CAD starting from 0x020266CC.
Sometimes, the overflow is made with 0x1C101C10 and a Battle Frontier / PokeNav sound effect is played.
The black screen you have when closing Pokedex/Party/Pokenav,…. is due to the map reloading (due to the partial RAM corruption, the console has to load other things on map, and can't), and doesn't imply the last RAM overflow.
The text box you can see when trying to use an item contains the same characters than during the NPC conversation, so I think that the RAM overflow is just a storage of the conversation you had with the NPC, and the game reused a part of it (for an unknown reason) with other text boxes, as seeing that the length of the glitched text is the same, with the same "scroll down" buttons.

Thus, by having good script addresses, and NPC on right positions, you could manipulate the length of the glitched text to corrupt some data, as I don't think you can really execute script with this method.
However, the first things that would get corrupted would be Party Pokemon, and some data on trainer card, so not really useful things since the value that overflows RAM data doesn't seem to be conveniently manipulable (only a few values).
You also can't corrupt too far, or the situation will be the same as the one you got : some values linked to map are corrupted, and the single step/map reloading you make freezes the game. (and if you corrupt further than that, the game would freeze during the corruption).


EDIT 2 :
I used a code to change maps, and tried out some things with this game, but all my efforts didn't yield any result.
I couldn't open my PC, sell or throw items, nor heal my Pokemon or black out in a fight.
Also, I understood a bit more of what happens after that.
The game becomes unplayable because the player name is overwritten by glitched data, and because the game will try to spell it entirely (he's waiting for a FF sequence to stop the spelling). Thus, text boxes can handle it (PokeNav calls especially), but other features can't, making the game crash.

I put an FF in the trainer ID, and some things went back to normal. I could use the PC, and find some HM Pokemon to visit things, but there still were some issues.


EDIT 3 :
I decided to play a bit with everything, and damn, what crazy glitches I fell on !
Different effects of Route 110 NPC Corruption on save

There's a bit of everything seen before + new things.
I had to manually change my location because the player was trapped in Route 110, but it should be possible to make other NPC Corruptions that allow you to move after it, and make everything I performed in this video (even if the effects are completely random).
Now, I know where the "spinning blocks" glitch came from : it's a deformation of the Pokemon sprite with what seems to be a 3D-deforming tool.
Some cool audio effects were played, especially the one that reminded me holy water in Castlevania II.
I was also amazed at the end by the fact that I could perform another Pomeg Glitch on this glitched floor of Battle Pyramid, without having to do a single fight nor looking at a status screen.
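
The missing-terminator effect described in the post above (a text reader that keeps going until it meets an FF byte), as an added example that is not part of the original thread and not the game's code. The buffer layout, the 8-byte name field and the function names are assumptions made for the illustration; 0xFF, 0xBB and the fill value 0x1C101C10 are the values quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EOS       0xFF  /* terminator byte the post calls the "FF sequence" */
#define NAME_OFF  0     /* constructed layout: name field at offset 0 */
#define NAME_LEN  8     /* assumption: 7 characters plus terminator */
#define ID_OFF    8     /* constructed layout: trainer ID right after the name */
#define RAM_SIZE  32    /* size of this toy buffer, not of real RAM */

/* Overwrite [from, to) with one repeating 32-bit word (little-endian),
 * the way the post describes RAM being flooded with a single value. */
static void flood(uint8_t *ram, size_t from, size_t to, uint32_t word) {
    for (size_t i = from; i < to; i++)
        ram[i] = (uint8_t)(word >> (8 * ((i - from) % 4)));
}

/* Sentinel-only reader: stops at EOS and nowhere else. `limit` is the end
 * of the toy buffer so that the demo itself stays in bounds. */
static size_t scan_to_eos(const uint8_t *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != EOS) n++;
    return n;
}

/* Hardened reader: copies at most field_len - 1 bytes and always writes
 * a terminator, so a flooded field cannot make it run on. */
static size_t copy_bounded(uint8_t *dst, const uint8_t *src, size_t field_len) {
    size_t n = 0;
    while (n + 1 < field_len && src[n] != EOS) { dst[n] = src[n]; n++; }
    dst[n] = EOS;
    return n;
}

/* Length the sentinel-only reader sees for the name before any corruption. */
size_t name_len_clean(void) {
    uint8_t ram[RAM_SIZE] = {0};
    ram[NAME_OFF] = 0xBB;        /* 'A' */
    ram[NAME_OFF + 1] = EOS;
    return scan_to_eos(ram + NAME_OFF, RAM_SIZE - NAME_OFF);
}

/* Same reader after the flood; optionally with an FF patched into the
 * trainer ID, as the post describes doing by hand. */
size_t name_len_after_flood(int patch_ff_into_id) {
    uint8_t ram[RAM_SIZE] = {0};
    ram[NAME_OFF] = 0xBB;
    ram[NAME_OFF + 1] = EOS;
    flood(ram, 0, RAM_SIZE, 0x1C101C10u);   /* terminator is overwritten */
    if (patch_ff_into_id) ram[ID_OFF] = EOS;
    return scan_to_eos(ram + NAME_OFF, RAM_SIZE - NAME_OFF);
}

/* Length the bounded reader returns on the same flooded buffer. */
size_t bounded_len_after_flood(void) {
    uint8_t ram[RAM_SIZE] = {0};
    uint8_t out[NAME_LEN];
    flood(ram, 0, RAM_SIZE, 0x1C101C10u);
    return copy_bounded(out, ram + NAME_OFF, NAME_LEN);
}

int main(void) {
    printf("clean name:            %zu bytes\n", name_len_clean());
    printf("flooded, sentinel-only: %zu bytes\n", name_len_after_flood(0));
    printf("flooded, FF in ID:      %zu bytes\n", name_len_after_flood(1));
    printf("flooded, bounded copy:  %zu bytes\n", bounded_len_after_flood());
    return 0;
}
```
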

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-10-28 17:25:04
I was messing with corruption in Route 111 and I talked to a trainer. Somehow, I accessed the slots from the Game Corner by talking to them.

Edit: The game froze through an interaction with a rock in a recent corruption.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-10-28 18:36:24
I tried script address corruptions on the first Route 111 NPCs, and saw certain things :
-All the relevant data for this corruption is stored near 0x02026670. To find the script address of a certain NPC, I use Advance Map to have the data (+ RAM watch to not lose time on Routes where a lot of NPCs are loaded), which is faster than making a ton of Pomeg Glitches to corrupt the right value.
-Each script address can be corrupted in 3 different ways, inducing 3 different corruptions.
ex : 0x081F1410 -> 0x48… / 0x0D… / 0x4D…. (the last one requires 2 consecutive corruptions)
-The corruption is similar between trainers, and similar between non-trainers (rocks and tall trees are non-trainers).
Talking to trainers without entering their line of sight has the same effect as talking to a non-trainer. (This is useful because you can then speak to them again, and trigger a trainer battle).
-For non-trainers, you need to talk to them several times to start the corruption, and if it didn't freeze/reset the game, you will be able to talk again to the non-trainer with its normal script (even if the script address isn't present anymore on RAM).
It's not the amount of times you talk to them that matters, but the frame where you do it (I triggered some corruptions on the first try).
-Most of the corruptions end with a battle, may it be a real trainer battle, or a completely bugged one (the bugged one can easily freeze) (I even got one with Lv 113 Bad Eggs !)
-The corruption also depends on RNG : the game sometimes hangs on/resets during the corruption whereas you could see all of it before
-The importance of the corruption depends on how far RAM data was overwritten. All the text that is said is the pure copy of the overflow, if there's no "FF" byte in the process that would stop it, meaning that the deeper the corruption, the longer the text.
-The values that overwrite RAM data are often constant (few values only), or can be big blocks of data, inducing weird texts that don't seem periodic at all. Even with constant overwrites, few values are corrupted differently, so if a "FF" appears, it may shorten the text length. (there are often values linked to the little down arrow requiring you to push A)
-Most of the time, map data is overwritten, meaning that any refresh of the actual map induces a freeze. The best way to deal with it seems to trigger a battle, and lose, in order to be teleported to another map.
-With glitched battles, it's extremely hard to lose since you're often in a position where attacking freezes the game, and where your bag is also corrupted.
-If Bag data is corrupted, it's best to not look at TM/HM pocket. Forcing the game to load the Corrupted TM names affects greatly the battle/map data, often resulting in a black screen when you close the Bag. Also, if the same corrupted item occupies all the pouches, you'll have a pretty hard time to empty one slot into the main pouch (for PC slots, it's easier).
-There are corruptions where only a part of RAM data is corrupted. With the first Aroma Lady, and changing 0x081F1410 -> 0x0D81F1410, I was able to corrupt only a part of RAM data between 0x02020000 and 0x02030000 (don't know if it has a use, but it's still a good ending corruption)

-The same corruption can be done in FrLg, and the results might be in a way similar.

-Common effects : Registering Pkmn Trainer in Pokenav, Making a Battle Frontier Sound + Text Box, Red Screen (freeze), Screen fading to white (freeze), Text Box + Trainer fight, ...

voltage : do you have pictures / savestate of what happened to you ?
I'm interested by these Game Corner slots (even if they're useless in RSE).


[img]http://www.pixenli.com/images/1414/1414540505020279700.png[/img]
Lv 226 Bad Eggs !
Unfortunately, the game dislikes it a bit, and froze (one time, it didn't freeze, but I forgot to make a savestate).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-10-28 19:52:10

voltage : do you have pictures / savestate of what happened to you ?
I'm interested by these Game Corner slots (even if they're useless in RSE).


I made a video showing what happened.
...and here is a video which shows interaction with a rock noticeably lacking any script.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: luckytyphlosion
Date: 2014-10-28 22:56:40
Very odd. Could it be that the script for the rock ends instantly? Have you tried using Rock Smash on the rock? (although it would be hard to find a Pokémon to teach it to with most of the party/box corrupted)

Also, I see you've changed your personal text.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2014-10-28 23:42:44

Very odd. Could it be that the script for the rock ends instantly? Have you tried using Rock Smash on the rock? (although it would be hard to find a Pokémon to teach it to with most of the party/box corrupted)


I'll try to replicate it again, but at that time I had no Pokémon knowing it in my party. I also moved all my Pokémon outside of Boxes 1 and 2 to avoid corruption. This also helps me get to the point I tend to scroll up to better.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2014-10-29 11:25:15
A rock is the same thing as a NPC (an element added on map, who has its own script).
What Pomeg Glitch does here is that it corrupts the address where the script of the Rock is stored.
And when we interact with it, the game will try to execute a script starting from another address (I don't know if he really reads what's at the corrupted address, or if he goes reading something else), inducing the glitches we're studying.
For this glitch, the game seems to have 2 different ways of reading the script at the corrupted address (or elsewhere) :
-If the NPC is a trainer, and if we enter into its line of sight
-All the other cases (non-trainers + talking to trainers)

Since the corrupted script address isn't even a ROM address (it starts by 0x48… / 0x0D…. or 0x4D….), I don't know where the game goes to read the NPC corrupted script, and finding this would be a huge help (since we could study the different values the addresses can take, and know the different effects this corruption can bring).

The corrupted script is also RNG-dependent (the effects differ if you talk to the NPC at different times)
For the basic NPCs (non-trainers + talking to trainers), the corrupted script will have no visual effect most of the time.
I don't know if the script is really empty, or if some short commands are executed (I think there are short commands executed), but nothing seems to happen.
Sometimes, there's a Pkmn Trainer PokeNav registration, or a Battle Frontier sound + RAM overflow (and the text box reading the RAM overflow).
Freezes are also frequent.
And that's it for the frequent effects. Rarer effects would be like what voltage experienced (a game corner screen opens), or what Torchickens experiences (a finished RAM overflow that would allow you to continue playing with a part of RAM completely corrupted).

Thus, for breakable rocks, it doesn't matter if you speak to them with Rock Smash or not, since it won't be their usual script that will be loaded, and it's also not the usual script that's instantly ended either. You just need to speak repeatedly in order to have a corrupted script that does something visually (I'm sure that the times where nothing seems to happen, a short command is executed, like a special or something like that).

And since I don't know where the game goes to read the corrupted script, I don't know if it depends on the initial script address or not.
However, the "viable" strategy for RAM overflow would be to talk to a trainer who has its script address corrupted, get a RAM overflow that doesn't freeze the game, and talk to the trainer again in order to start a battle, and purposely lose to get teleported to another map (the RAM corruption alters too much data linked to the loaded map, so moving the player freezes the game), and enjoy the RAM corruption.
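
The corrupted forms of a script address reported in this thread, compared bit by bit against the original, together with the range check an interpreter could apply before following such a pointer. This is an added example, not part of the thread and not the game's code; the 16 MiB ROM size, the function names and the value 0x4D1F1192 (constructed from the "0x4D…" pattern) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define ROM_BASE 0x08000000u  /* start of the cartridge ROM window on the GBA */
#define ROM_SIZE 0x01000000u  /* assumption: 16 MiB ROM image */

/* Bits that differ between the expected pointer and the one found in RAM. */
uint32_t flipped_bits(uint32_t expected, uint32_t seen) {
    return expected ^ seen;
}

/* Number of set bits (Kernighan's loop). */
int bit_count(uint32_t v) {
    int n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

/* 1 if `both` differs from `expected` by exactly the union of the bits
 * changed in `a` and in `b`, i.e. it is the two corruptions stacked. */
int is_combination(uint32_t expected, uint32_t a, uint32_t b, uint32_t both) {
    return flipped_bits(expected, both) ==
           (flipped_bits(expected, a) | flipped_bits(expected, b));
}

/* Range check: accept only pointers that land inside the ROM image. */
int script_ptr_ok(uint32_t addr) {
    return addr >= ROM_BASE && (addr - ROM_BASE) < ROM_SIZE;
}

/* Guarded lookup (hypothetical): yields the ROM offset to start reading at,
 * or returns 0 and leaves *rom_offset untouched when the check fails. */
int resolve_script(uint32_t addr, uint32_t *rom_offset) {
    if (!script_ptr_ok(addr)) return 0;
    *rom_offset = addr - ROM_BASE;
    return 1;
}

int main(void) {
    const uint32_t original = 0x081F1192u;            /* from the thread */
    const uint32_t seen[] = {
        0x481F1192u,                                  /* from the thread */
        0x0D1F1192u,                                  /* from the thread */
        0x4D1F1192u,                                  /* constructed */
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        uint32_t diff = flipped_bits(original, seen[i]);
        printf("0x%08X: mask 0x%08X, %d bit(s) changed, %s\n",
               (unsigned)seen[i], (unsigned)diff, bit_count(diff),
               script_ptr_ok(seen[i]) ? "accepted" : "rejected");
    }
    printf("third value is both corruptions stacked: %d\n",
           is_combination(original, seen[0], seen[1], seen[2]));
    return 0;
}
```
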