Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 29

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-01-06 11:26:59
The PC Pokemon corruption is periodic. You'll basically have the same corruption every 5 Pokemon, so, with a single Glitzer Popping, you can do 5 different corruptions at once.
You can have a 0x40 / 0x05 Corruption in every possible address, but you can't have all the possible positions of both 0x40 and 0x05 Corruptions.

If you have 2 Pokemon on consecutive places, the upper Pokemon's data can interfere with the 0x40 Corruption the lower Pokemon's data can suffer.
A chosen 0x40 Corruption can happen in 4 different addresses (like the 4 substructures of a Pokemon's data), so if you want a successful PID corruption, you'll have 4 possible locations of the 0x05 Corruption.
Depending on the values of the Pokemon data on these locations, you'll be able to absorb the 0x05 corruption or not, but from here, I don't remember the exact positions or other things. I'll need to read the procedure I wrote on this.

The specificity of Place 23/24 Box 2 is that there is one less 0x05 Corruption happening, so these Pokes (Box 2 slot 24 especially) can be subject to a 0x40 PID Corruption without a 0x05 Corruption that would screw the corruption up.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Winter
Date: 2015-01-26 05:10:22
Not sure if this is useful in any way but it seemed sort of interesting. Regarding corrupting the map into a wall of trees by scrolling past the 6th slot, I was able to get the same effect while surfing. When I fled from the battle, my entire surroundings were rock, and my sprite was the Wailmer surf sprite with no one on top. I could walk one tile in any direction before it said I was in Mauville city, and kept me from moving anywhere. But the interesting part is that if I turned on walk through wall in the emulator and surfed out of the corrupted map area, the walk through walls effect would remain even if I disabled it, entered a building, or loaded a new save state. The only way to remove it was to reload the rom.

Also on an unrelated note, I've somehow managed to disable wild encounters, by using the glitch. So it seems that it's possible to affect that.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-01-27 14:20:50
The walk through walls cheat being active even after disabling or reloading is caused by VBA. This code is a ROM patch code, a special type of ARv3 code, and certain versions of VBA (as well as certain Action Replay) can have some issues with them (unable to stack these codes, or leaving them activated after reloading/deactivating the cheat).

The fastest and safest method to disable them is to disable all cheats (with the option and manually), save, then close and reopen VBA, then enable back the cheats you want. It's better to disable all cheats manually, as the basic cheats need the Anti-DMA to be active to work properly.

For the wild encounters, you corrupted the Repel value (to 16.384 or 1280 steps), which takes a few - 15 minutes to shake off. Also, if all your Pokemon team is dead, all wild Pokemon seem to be repelled.

And as for the teleportation, your coordinates got corrupted, and you fled from the battle instead of whiting out. You'll end up way out of the map bounds every time, unable to move.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Kraust
Date: 2015-02-15 10:43:12
I found my GBA Gameshark, and set it up so I can import / export saves with it.

I'm going to try to see if I can bring over a Pomeg Glitch'd Pokemon from Emerald over to my Leaf Green Save and see if I can do anything with it (Highly unlikely I can do anything interesting but I'm bored ya know?). I'll record anything interesting that happens as I have a webcam on my notebook.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-02-15 12:40:48
You can easily trade a 65.535 (or less) HP Pokemon to FrLg or RS, and you can perform Pomeg Glitch on FrLg as all the anti-cheat scripts that allow us to do Data corruption on Emerald are also present in FrLg.

You can basically do the same things as on Emerald, with some differences :
- When you black out, the party is healed at Pokemon Center. Thus, you can't keep a fully KO team like this. If you want to perform consecutive Pomeg Glitches, you'll have to use Fluffy Tails. (isn't really an issue for now)
- You're forced to make a trade to get a 65.535 HP Pokemon (isn't really an issue for now)
- The Corrupted Pointer is teleported on the Place 30 Box 2 (or Place 1 Box 3) Pokemon's data, instead of Box 2 Place 24.
- Glitch Pokemon and Glitch Moves are totally different
- The Pokemon Summary works differently. It seems to load the data of every different section at once, so if you have a Glitch Move that freezes the game, it will directly freeze when you open the Pokemon summary.
The summary also allows you under certain conditions to scroll below the 6th Pokemon. The game freezes at some point (after like 10-20 more summaries), which isn't far enough to benefit from the potential corruption.
- The Corrupted NPC scripts have different effects, so one of them could be really interesting.
- …

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2015-02-15 13:11:17

I'm going to try to see if I can bring over a Pomeg Glitch'd Pokemon from Emerald over to my Leaf Green Save and see if I can do anything with it (Highly unlikely I can do anything interesting but I'm bored ya know?).


Besides corruption, you can also screw around with its status screen.
https://www.youtube.com/watch?v=zrBND5m-9dQ

If your Pokémon has the move Charm, you can mess with battle sprites:
https://www.youtube.com/watch?v=Ga150ViPeJo
https://www.youtube.com/watch?v=4LK7KcJ7Rsk
https://www.youtube.com/watch?v=K2y2oqzEbaE

And by using Revives or leveling up during battle, you can send out glitch Pokémon:
https://www.youtube.com/watch?v=AT29yzEGpvI
https://www.youtube.com/watch?v=ELWGlBr_3Ps
https://www.youtube.com/watch?v=ZCQX5ntMME8

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-02-15 17:06:19
I split the replies regarding this to a new thread about the Charm glitch and other sprite glitches.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-03-15 05:59:29
Metarkrai made a great video on how to catch Battle Pyramid Pokémon where you use a 0x96B4 Decamark's corruption by talking to the Slateport reporter, access the hidden party from out of battle to remove the Safari Zone guard, escape from the Safari Zone, and keep its battle mode. The Safari Zone battle mode lets you capture Pokémon in the pyramid, but you have to not use all of your 500 steps and using Fly apparently breaks the glitch so Metarkrai took the ferry there. https://www.youtube.com/watch?v=5aEWXdRNBwE

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2015-03-15 14:26:23

IIRC, I previously bred two corrupted Pokémon together and got "-" from the Egg, but I haven't tried to replicate this.


I don't know why I haven't mentioned this yet, but I managed to replicate that and got - incidentally while trying to replicate the specific freeze I experienced during that time. Also, a similar ability to the one - has can be found in Bad Eggs if you fight a Ralts with Trace. (Though it might be the same…)

Re: Gen III: Access beyond the sixth slot sub-glitches.

Posted by: voltage
Date: 2015-03-19 13:51:33
So I decided to mess around with - .

I managed to teach it Double-Edge and Metronome from the move tutors. I wonder what other move tutors will work.  I tried the ones for Dynamic Punch and Sleep Talk, but they failed.
If you go to Trainer Hill with it, the Pokémon of the trainers are at level 0. The recoil from using Double-Edge is always 3, so Level 0 Pokémon must have 9 health points.
If you use it in a contest, the sprite when you showcase your moves is borrowed from Decamark.

—-

Edit: I have found a use for Invisible Bad Decamarks. There will be a lot of text after this point.

When one tries to withdraw an Invisible Bad Decamark and Deposit the rest of the Pokémon Party, it would fail and bring up a prompt saying "That's your last POKéMON!". There happens to be a way to bypass this prompt.  By going to the Move Pokémon option in the PC, one can grab the Invisible Bad Decamark and switch it with the remaining Pokémon/only Pokémon alive in the party. You can deposit said Pokémon and the Invisible Bad Decamark shall finally begin its reign as the sole party Pokémon. I will henceforth call this trick a "DecaSwitch", to refer to the Switch of the Invisible Bad Decamark.  DecaSwitching can lead to many of the Pomeg Glitch sub-glitches. These instructions shall resemble their classic Pomeg berry-induced counterparts, but these steps do have an advantage of convenience.

Battling with an Egg/Bad Egg via DecaSwitching
1) DecaSwitch
2) Add an egg/Bad Egg to the party.
3) Enter a battle.
4) After the battle, switch the position of the Egg/Bad Egg and the Invisible Bad Decamark. After each battle, the one that will get sent out will be the one that wasn't switched out in the previous battle unless the switch occurred before the battle.

Hidden Party Glitch via DecaSwitching
1) Enter a battle with a party of A, (1-4 fainted Pokémon) and B. A is the lead Pokémon and B is the Pokémon you shall switch to during the first turn of the battle. Unlike with a Pomeg berry, both Pokémon can be at full health and do not need to be at 65535 health. The 1-4 fainted Pokémon are only necessary to access the hidden party.
2) After the battle, go to any PC in-game.
3) Deposit Pokémon B.
4) DecaSwitch with Pokémon A.
5) Enter a battle.
6) In battle, view the summary of any Pokémon in the party and the hidden party shall be available.

Trainer Tower
I am not 100% sure on this, but going to the Trainer Tower with a Bad Egg should make all the Trainers in the Tower have Level 100 Pokémon. Someone should look into this further.

PokéNav Condition beyond sixth slot glitch?
1) DecaSwitch. Make sure you only have a party of the Invisible Bad Decamark.
2) Go to the PokéNav. Follow the path of Condition –> Party Pokémon.
3) You should see a glitchy mess. For one, the part where a Pokémon's sprite should be is glitched (it might be a bit different looking on a different attempt) and has Pokémon glitched up at the bottom. The sections of the pentagon should all be empty. The star(s) around the glitched Pokémon sprite should have star(s) constantly shifting from yellow to green.
4) Press up/down, in a similar manner to the hidden party glitch.
5) Press B. Below the IG part of POKéMON NAVIGATOR on the PokéNav menu should be a square with glitchy moving text. The PokéNav symbol to the right of POKéMON NAVIGATOR could have multiple copies moving up and down the screen. This could carry over if you press Party Pokémon on the menu again. Alternatively, none of the buttons could be working and you would have to either soft-reset or restart the game.

I am interested in how this would look outside of Emerald.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2015-03-20 13:08:39
I love it! I'll try out some console link battles when I get home. :)

I'm too crazy tired right this second to think clearly, but I'm certain that there are plenty of neat applications for being able to have no actual Pokémon in your party. Mixing records springs to mind, actually.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-03-25 12:26:44
Oh, this is really nice.

Thanks Torchickens for posting the Battle Pyramid video, I forgot to do it.

I'm still working on using Glitch Pokemon names to corrupt data, but I'm hitting certain difficulties.
By making the journalist in Slateport read a Glitch Pokemon name, this name is copied into RAM starting at 0x02021CC0.

Trainer Name Corruption :
If you corrupt the Trainer name (0x0202490), you can't use the PC as it can't display the whole trainer name (and the game may freeze when using a Ball in a battle).
If you corrupt the Trainer Sprite (just after the Trainer Name, near 0x0202490, 1 byte), the fights will freeze as you have an "invalid" battle sprite (certain values like FrLg trainer work though).
For the trainer name, I found a Glitch Pokemon whose name has the right length to give a convenient trainer name, as well as fixing the trainer sprite (not always needed).
Glitch Pokemon 0x963D does it very nicely (name length : 11.712) (you need trainer sprite in 0x02024A64 / timer in 0x02024A6C for it to work).
It's not the optimal one, but that's at least a Glitch Pokemon that does it.

Map Corruption :
After a certain point, you'll meet the map location (0x02025A00), and corrupting it either freezes the game when trying to move (you're outside of the map) or blocks you and prevents you from leaving the house (usually, you're placed into 0x0000 0000). The camera also becomes frozen, which delimits more "walls" you can't cross (which is why you're trapped).
By the way, using one of the 7 Secret Base Glitch Decorations (you can only obtain 7 with Pomeg Glitch) can give you this same camera effect, trapping you into the secret base (maybe removing the item with the PC debugs the situation, I don't remember).

Party Corruption :
The first important (from what I know) thing that's corrupted is the party (starting at 0x020244EC).
If you want to corrupt further data, you'll lose your team. And if you were to get a long trainer name too, you'll lose PC Access, meaning that you can't trade your Bad Eggs for normal Pokemon.
I found no way to change a Bad Egg against a normal Pokemon (I didn't try trades as I thought the long trainer name would induce desynchronizations, but I should try it), apart from using Glitch Pokemon that don't give them.
To get an empty slot in party, you need at least 50 consecutive bytes = 12 double-words and 1 word full of zeroes.
The 50 byte is the minimal amount, but this also means that it can only appear on really specific addresses, which can easily become impossible due to the Name Length (if you have a glitch Pokemon with a name length of 10.000, the previous one will have a name length of 10.011 bytes, so you have to get the base of the zeroes X*11 bytes away from a specific address if you want an empty slot with another Glitch Pokemon from the same family name).

But that's doable, as Glitch Pokemon 0x96B4 (length 10.403) does it nicely. It removes the 1st party Pokemon, and transforms the 2nd one into a Bad Egg (I didn't find a better Glitch Pokemon).

This is nice for 2 things :
- The ability to withdraw Pokemon from Day-Care, so you can get 0x963D and get a short name back + normal sprite to access PC + battles again.
- The ability to perform data Corruption as Pomeg Glitch does, and anywhere.
As yeah, the Pokemon Selection Pointer glitches out because the 1st party slot is empty when the "Party count" script is launched, making the game think that there are 0 Pokemon in party, leading to a non-intended state.
In a fight, you need to view a Pokemon Summary to update the "party count" with the empty slot in 1st position, whereas outside of battle, you can directly do it.
It's useful because you won't need Pomeg Berries anymore once you have such a Glitch Pokemon, and because you can perform Pomeg Corruption on more various places, to try and corrupt other NPC scripts/positions (like in buildings or things).

A good example of this is the Safari Zone escape, where I use this strategy to perform Pomeg Corruption into Safari Zone to make the entrance guard disappear, and exit Safari Zone without losing my Safari Mode. (useful to catch Battle Pyramid + Pike wild Pokemon)

The Pomeg Berry independence can be interesting as longer corruptions will also corrupt the "item quantity encryption value" (a part of the DMA script to prevent easy cheats for item/data quantities), emptying Berry and TM pouches (Item 0x0000 gets a quantity that isn't null, and is then placed first, hiding every other item in the pouch).


Back at map corruption :
I don't know if there are other NPCs that read the species name of your Pokemon, but if there are (also in RS/FrLg), I'd really like to know where, as I could then test glitch Pokemon on other ROMs, or maybe get out with a map position corruption.

A possible way to get out of this would be to have a Glitch Pokemon name that makes the restarting location at 0x0000 0000 (a town in Petalburg) when you save and reset (works for only 1 reset). I don't know what part of the glitch names does it, as I rarely had it, and wasn't able to isolate the mechanic behind it (I don't know if other map values are possible or not, and why this is done sometimes and not other times).

I also tried to use the Safari Mode to escape from the house after the corruption, but this introduced another issue.
When the player exits Safari Mode, the player name is copied at 0x020283E8.
This is interesting as you can then get some more values for data corruption, but annoying as Day Care Pokemon data starts at 0x02028A2C which is shortly after the previous value.


Battle Pyramid Corruption :
Since I'm a bit of a Shinyhunter, I tried to use these corruptions for my advantage.
I tried to corrupt Battle Pyramid Bag (0x020258C4), but all glitch Pokemon that had a convenient length (to corrupt Battle Pyramid Bag and not map location which is a hundred bytes after) didn't give me an empty party slot + Balls into Pyramid Bag.
With Safari Mode, I can enter Battle Pyramid and use Safari balls on wild Pokemon.
This is really nice as the catch chances are quite good, and Pokeblocks are a bit bugged on US Emerald (if the first Pokeblock you throw, before approaching, makes the Pokemon curious, then its flee rate will go down to 0% instead of the 5% limit).
I made a strategy and chance calculations to see the best % one can get for shinyhunting such Pokemon.
Also, when exiting Safari Mode, the Battle Pyramid "streak" is kept (the byte saying that you are on a streak is still set to 1).

You can also set the streak bit to 1 with a Glitch Pokemon Corruption, and change the streak value too to directly access to a high level zone. (use 0x218E to trigger the streak then 0x2804 to change the streak (from Day care), then 0x963D (from Day care) to access PC, then 0x96B4 to exit Safari Zone with Safari Mode)(all of this with certain RAM data positions except for 0x96B4).

You can also do this in Battle Pike, but in Battle Pike you can use a glitch Move to get access to your Bag and directly throw balls to the Pokemon. The 3 first caught Pokemon will disappear when you'll end the Pike session, but the following caught Pokemon will be sent to PC.
In Battle Pyramid, you're stuck with the Battle Bag, and I don't know what value gives the Battle Bag. Also, even if you have normal Bag access with Safari Mode, you'll get a black screen if you try to use a normal Bag item in Pyramid, as it probably tries to parse and use the item from Battle Bag.
Also, by ending Safari Mode, you'll keep every caught Pokemon, whereas by ending Pyramid streak, the 3 first caught Pokemon will be lost.

Swarm Corruption :
With my RAM addresses file, I saw that I could corrupt swarm Pokemon like that. (0x02028590)
To get a swarm, you mainly need a Road, a Pokemon (not 0x0000 nor a glitch one), and a frequency. Glitch Pokemon freeze the game when encountered.
Thus, I searched what kind of swarm I could get on accessible routes, with all the Glitch Pokemon that have a name long enough, but that don't corrupt Day care Pokemon.
I got 5-7 swarms, but with a full Bad Egg team. This means that if I catch a Pokemon, I'll only be able to take it by transferring it to 4gen / Colosseum (maybe ?). But Shinyhunting can still be done.
There's one glitch Pokemon that works, maybe 2, but I need to redo a search on them tonight to exactly see what Pkmn ID I need, as I work with Glitch Name families (I work on certain really long glitch Pkm names and slightly change the ID to put some values on the places I want).

Some nice graphical glitches :
On the way, some Glitch Pokemon induced pretty cool graphical glitches (mainly in PC), as they interfered with the background.
You can see one there : https://www.youtube.com/watch?v=kOXh7bZRlMo
I don't really know where this comes from, but it's quite nice to see (I made screenshots with multiple graphical glitches).

Also, certain Glitch Pokemon can only be grabbed with the Orange Hand (pressing Select), and might easily freeze the game if you want to move them too much once picked. So try to be really quick when you pick them up in your team to not get an unnecessary freeze.


Anyway, voltage's new finding seems really interesting, as it's another technique that doesn't require Pomeg Berry to trigger the Corrupted Pointer.
It's also quite easy to do/get as you only need a first Pomeg Glitch that puts some 0x4000 / 0x0500 on pure raw data to get a 0x0000 Bad Egg (which can be deleted and taken).
And it's a gain of time as you don't need to get again another 1HP Pokemon that will eat a Pomeg Berry (it will be useful for the Emerald speedrun).

Pokenav Corruption :
Once you have Glitch Pokemon / Bad Eggs in your team, PokeNav can be really glitchy, as it first opens every Pokemon data before checking if they're Bad Eggs or not. Thus, if you were to get Bad Eggs into your team/PC (and didn't open the PC), you'll get big glitched/messy sprites, and a glitchy menu that easily freezes.
But I wasn't able to get anywhere with this, as in general when you try to press Up/Down/A one more time, the game freezes. It's more something you can see before quickly exiting PokeNav than something you can exploit.

Instead, in FrLg, there's a way to make some corruption with party Pokemon, as the summary isn't coded the same way as in RSE (every Move Name + type is already loaded when you open the summary, whereas the game only reads them when you open the Move Page on RSE). I was able sometimes to see summaries of Pokemon below the 6th Pokemon, but the corruption wasn't spreading quickly (as it starts below 6th party Pokemon data), and the game was freezing after 20-30 Decamark/Bad Eggs, which is far from enough to corrupt something interesting.


I'll also try the records mixing, as I'm thinking of a way to catch an Egg, and that might be cool to see.

And for the Lv100 Pokemon in Trainer Tower, this should be related to the Bad Egg level (even if it's a Bad Egg, it still has its own level). So you should check with a Lv0 Bad Egg and see the lv of the opponent Pokemon (take a Lv0 Pokemon and change its checksum to quickly make a Lv0 Bad Egg for example).


EDIT :
The 0x0000 Bad Egg can't be taken for records mixing.
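
Added example (not part of the thread, and not any poster's code): a small overlap calculator for the unbounded name copy described in the post above, showing which of the quoted RAM landmarks a name of a given length reaches and how many bytes of each party slot it overwrites. Assumptions: the copy covers `[0x02021CC0, 0x02021CC0 + length)`, the lengths "10.403" and "11.712" are read as 10403 and 11712 bytes, the addresses are taken as fixed at the values quoted in the thread, and all function names are hypothetical.

```python
"""Reach of an unbounded species-name copy into adjacent RAM (added example)."""

# Values quoted in the thread.
NAME_BUFFER = 0x02021CC0      # where the reporter script copies the species name
PARTY_BASE = 0x020244EC       # start of party data
PARTY_SLOT_SIZE = 100         # one party Pokemon = 25 double-words
PARTY_SLOTS = 6

# Start addresses of other structures named in the thread. Only the start
# address is known from the page, so "reached" below means the copy covers
# at least the first byte of the structure.
LANDMARKS = {
    "party data": 0x020244EC,
    "trainer sprite": 0x02024A64,
    "timer": 0x02024A6C,
    "Battle Pyramid Bag": 0x020258C4,
    "map location": 0x02025A00,
    "player-name copy": 0x020283E8,
    "swarm data": 0x02028590,
    "Day Care data": 0x02028A2C,
}


def overwrite_range(name_len):
    """Half-open address range [start, end) written by a name of name_len bytes.

    Assumption: the copy is byte-for-byte with no length limit and the
    terminator is not counted.
    """
    if name_len < 0:
        raise ValueError("name length cannot be negative")
    return NAME_BUFFER, NAME_BUFFER + name_len


def party_damage(name_len):
    """Bytes overwritten in each of the six party slots (list of six ints)."""
    start, end = overwrite_range(name_len)
    damage = []
    for slot in range(PARTY_SLOTS):
        lo = PARTY_BASE + slot * PARTY_SLOT_SIZE
        hi = lo + PARTY_SLOT_SIZE
        damage.append(max(0, min(end, hi) - max(start, lo)))
    return damage


def landmarks_reached(name_len):
    """Names of the landmarks whose first byte lies inside the copy."""
    start, end = overwrite_range(name_len)
    return [name for name, addr in LANDMARKS.items() if start <= addr < end]


def min_length_to_reach(addr):
    """Shortest name length whose copy touches the byte at addr."""
    if addr < NAME_BUFFER:
        raise ValueError("address lies before the name buffer")
    return addr - NAME_BUFFER + 1


def report(species_id, name_len):
    """Human-readable summary for one glitch species."""
    _, end = overwrite_range(name_len)
    lines = [f"0x{species_id:04X}: {name_len} bytes, copy ends at 0x{end:08X}"]
    for slot, hit in enumerate(party_damage(name_len), start=1):
        if hit == PARTY_SLOT_SIZE:
            lines.append(f"  party slot {slot}: fully overwritten")
        elif hit:
            lines.append(f"  party slot {slot}: first {hit} bytes overwritten")
    lines.append("  reaches: " + ", ".join(landmarks_reached(name_len)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Species IDs and name lengths as given in the post.
    print(report(0x96B4, 10403))
    print(report(0x963D, 11712))
    print("bytes needed to touch map location:",
          min_length_to_reach(LANDMARKS["map location"]))
```

For 0x96B4 the copy ends 119 bytes into the party, covering all of slot 1 and only the head of slot 2, which lines up with the post's observation that the first Pokemon is removed and the second becomes a Bad Egg.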

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-03-27 12:39:01
I continued working on Glitch Pokemon names, by modifying the .ini of Gen32 Suite to read Glitch Pokemon names from French Emerald (and any other 3rd gen ROM).

I looked back at all the useful values for Emerald in the French ROM to see if there were different swarms I could get, or other interesting working corruptions.

I also noticed something about the Trainer name, and the way it is copied in 0x020283E8.

Glitched Trainer Name :
Stored near 0x020249C0 (don't remember the exact address).
When the game is reset or when the player exits Safari Mode, the player name is copied at 0x020283E8 (modulo RAM addresses positioning).
A Glitched trainer name makes PC freeze as the game can't resize the textbox correctly. Using Balls in battle may freeze too.
If the player name is too long due to Glitch Pokemon, Day Care data (0x02028A2C and 0x02028B10) is corrupted, and I know no way to get a "normal" Pokemon back after overwriting a large part of RAM data with a Glitch Pokemon name.
However, it is possible to make some FF bytes appear after the trainer name (after 0x020249C0) to shorten the length of the overwritten data when resetting/exiting Safari.
I only found 2 ways for now :
Making the in-game time go up to 0x00FF / 0x1FF / 0x2FF hours (if it isn't higher than that).
Opening/closing Bag or Party to change the "DMA encryption value" and wait until a 0xFF byte appears in that double word. (approx 1.55% chance).
I haven't found any other thing to do that would make a 0xFF byte appear close to the trainer name addresses, as this address is quite remote from many things.

But this could work for some very specific and long Glitch Pokemon names (a name to corrupt like event islands/mirage island, so you're forced to use Safari Mode as your map location is corrupted, and you need to get a normal team as well as the ticket back since Bag items will also be corrupted in the way).



Glitch Pokemon names in RS/FrLg :
I tried to see if I could use Glitch Pokemon names in other gen 3 games, and for now that was unsuccessful.
There are 2 possible commands used to take and store a Pokemon species name, and one of them, the bufferfirstpokemon (used for starters or other things) can't bear to read/store a Glitch Pokemon name that is some words longer than the theoretical length.
I don't exactly know why, and if there might be some cases where this is avoidable, but with random Glitch Pokemon, the game crashed every time, on every version (RSEFrLg) with this command.

The other command is a special command.
In Emerald, it is special 0x46, and special 0x43 in RS.
However, in RS, due to a different text displaying, certain Glitch Pokemon names can freeze the game (maybe they were way too long, I'm unsure as I tried with random Glitch Pokes).
Also, in RS, party Pokemon are stored in 0x30…., so you won't corrupt the party with this corruption, whereas most of the other values are at the same addresses (nearly) as in Emerald. Thus, the things Glitch Pokemon names can corrupt are really scarce.
The first "important" value that is corrupted is the trainer name, and this is quite annoying as in RS, the game will freeze when opening the Start Menu if the trainer name is too long.
The game still freezes when opening the PC, so there is no way to get back a Day Care Pokemon and it does so every time the player name is displayed (or so it was with the Glitch Pokemon I used).
Thus, I can't get back another Glitch Pokemon from Day Care and place it in 1st place in your party.

As for FrLg, I'm searching for NPC / scripts that would store the Party Pokemon species name without using the bufferfirstpokemon command.
As for now, I only found a woman in 2 Island that uses this buffer command, and I have no idea of NPC / scripts that could possibly not use this command.
I tried to search the special command for Pokemon species name, but the index of the special command is different from Emerald (0x46) and RS (0x43) (I think so by seeing it used for Casino gambling machines), so I have no way for now to search into ROM and see how many times this command is used.

I think I'll test trades with Glitch Pokemon and glitch trainer names after that to see if there's something interesting or not happening.


EDIT :
I was able to clone Pokemon with Glitch Pokemon 0x2600

https://www.youtube.com/watch?v=I8Mio5cA9fs

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-04-28 11:19:57

And yeah, I figured out of a way to increase the chances to get a successful corruption, and to ensure that any Pokemon can be corrupted (simple or double corruption) without any trouble. The slight requirements you need are to not have certain Catch Balls, because this interferes with the 0x40 PID Corruption, and maybe others, but I don't have them in mind.

The way I did this was to get a Pokemon whose data has specific values to manipulate the position of the 0x40 Corruption that happens just next to him (once the Poke is stored in the PC) so that if it lands on the previous Pokemon's PID (the pokemon we want to corrupt), the 0x05 Corruption lands on the specific Pokemon (we don't care about this one, we can clone him and remove the Bad Eggs).

I had a bit of issues with this, but I finally created such a Pokemon with the in-game Seedot and Horsea, so anyone can make Pokemon corruption in its Emerald version with the least amount of issues (Pokemon that you can't transform into Eggs) and the least amount of preparations (catching a ton of Pokemon, resetting a ton of times).

I planned to dig these files out of their folders next week, as I want to complete the procedure I wrote about this, and test the new interesting things that were tested, so I'll provide more files/codes next week (when I'll finish my exams).


Hello Metarkrai.

Are you able to share more details about the method for increasing the chance of a Horsea>EVs Egg corruption you describe above? Which Poké Balls are bad, what else do you need?

Thanks :)

Also, I have another question:

This guy asked:


How uncommon are normal eggs? I must have tried this close to 80 times and still haven't got one.


What are the odds? I know that it is certainly less likely than 1 in 8 because I seem to remember the possibility of a Pokémon becoming a Bad Egg even if it gets the 0x40 on its first personality byte (due to you corrupting other areas of its data I guess).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-05-02 17:03:09
Pomeg Glitch Corruption :

Pomeg Glitch RAM Corruption is about the Party Pokemon Selection Pointer that selects blocks of RAM data that isn't Party Pokemon data, and corrupts them because the checksum performed on this data gives an incorrect result.
A Party Pokemon data is a block of 25 double-words.
The location of the double-words the Selection Pointer will read with Pomeg Glitch are fixed.
In these blocks, you have 7 important areas for Pomeg Glitch.

- The first ones are for the Pokemon PID and TID.
These values determine the encryption of the 4 Pokemon substructures (crypted data = raw data xor PID xor TID, in double-words).
The PID also determines the order of these 4 sub structures (3 double-words each).

- You have then a byte that seems to be only used for the Legit/Bad Egg state, between the Pokemon name and Trainer name.
This byte is usually at 0x02, and is turned into 0x07 if the Pokemon is a Bad Egg (to prevent the Egg from hatching, and giving it the name "Bad Egg"). This is performed by setting bits 0 and 2 of the byte to 1 (0x05).
This induces what I usually call the 0x05 corruption, as in general you can see the 0x05 value appearing, even if a value can only gain 0x04 or 0x01 or nothing due to this corruption.
With Pokemon Corruption, this corruption has no use at all. Even worse than that, the 0x05 corruption is the main thing that can prevent a Pokemon corruption from working.

- And you have 4 bytes that represent the 4 possible locations of the Pokemon Egg state (hatched/ non-hatched) in the Growth substructure.
The bit managing the Egg State is bit 6 (0x40) of that byte.
Since this byte is in the data substructure, the location of the corruption will depend on the PID value modulo 24.
And the effect of that corruption (forcing the bit to 1 or 0) will depend on the PID xor TID result, (the value of bit 6 of their leftmost byte, to be accurate) since this corruption is applied to the "crypted" substructure data.
If PID and TID both have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 1 (sets 0x40).
If PID and TID don't have the same bit 6 value (on their leftmost byte), the corruption forces a bit to 0 (unsets 0x40).

I generally call this corruption the 0x40 corruption to mention it faster.
The 0x40 corruption has 4 different locations related to the 0x05 corruption (which is always on the same byte on a given 25 double-words block), and can do 2 different things, all depending on the PID and TID values (or what the game wants to interpret as such).


Screenshot :
[img]http://i.imgur.com/fzKw2Zk.png[/img]
Here's the location of the 7 interesting zones in a Party Pokemon data.
I bordered the 25 double-words blocks to distinguish them a bit better.
In blue (11111 and 2222), you have the PID and the TID (in that order).
In green, just below the PID, you have the 0x05 Corruption location.
In yellow, you have the 0x40 Corruption locations. They are all separated by 2 double-words.



Pokemon Corruption :
In Pokemon Corruption, the goal is to abuse the anti-cheating measure that moves the addresses of many RAM values in order to have a PC Pokemon PID that is affected by a 0x40 Corruption.
We want the PID to be corrupted because this affects the Pokemon substructures order, and allows us to manipulate values like species, item, xp, origins, IV, by knowing how its substructures order will be changed (ex : Attacks will be read on EVs).
But to make this work, the Pokemon checksum can't change, or it will turn into a Bad Egg.


Bypassing the Checksum :
The checksum decrypts all the substructures data, cuts the double-words in words and adds them. It then stores the 4 first characters of the sum (they could have stored the whole sum, but thankfully for us, they didn't).

Since we're changing a value on the PID, the difference between corrupted PID and normal PID will be present 4*3 = 12 times (4 substructures containing 3 double-words), in the "general case".
Since checksum adds words, 0x05 and 0x40 Corruption will give differences of 0x0500 (or 0x0400,0x0100) and 0x4000 (or 0x0000 if nothing happens).
You can see that 0x4000 is the only value that won't change the checksum result since 0xC * 0x4000 = 0x3 0000.
For the 0x05 Corruption, the checksum will be screwed, and this will always result in a Bad Egg, which is why I said it wasn't useable for Pokemon Corruption.

If the PC Pokemon PID is corrupted and its checksum stays valid, the Pokemon Corruption will be working.
Since this works with the 0x40 Corruption, the Egg State value of the Pokemon is switched, and so is its hatched/non-hatched state.
Since its PID was corrupted, the order of its substructures is changed, leading to interesting results.


Double Corruption :
But you can also do the same thing with the Pokemon TID, which will have the same checksum issue as PID (since they are both involved in checksum), and which will bring the same effects minus the substructures order.
It may not seem useful to corrupt TID, but it is.
Because if you do a single PID corruption, you'll get an Egg of your desired Pokemon.
Hatching the Egg will remove its EVs, Item, Ribbons, Contest Stats, and set its Lv to 5.
Also, because of the 0x40 Corruption only being performed once, there are some 0x40 "values" that still affect the Pokemon data (like a move being move 0x4000 instead of 0x0000, or item 0x4001 instead of 0x0001 if you wanted your Egg to hold a Master Ball).
The hatching is also risky for Glitch Pokemon, as their hatching sequence can freeze (I don't know if it's related to the Glitch Pokemon sprite, the Glitch Pokemon name, a part of RNG, or all of that).


If you corrupt the Pokemon PID and then its TID, you'll have the substructures order shift, on a Pokemon that isn't in an Egg (so no hatching animation + Exp/Item/EVs/Contest Stats / Ribbons/Met Location/Met Lv/Met Version/Met Trainer kept), and you don't have the "0x4000 0000 leftovers" on the substructure data from the 0x40 Corruption anymore, since both PID and TID had their bit 6 of leftmost byte value switched.
Thus, you end up with the exact Pokemon you wanted, without any issue even if you were to want a Glitch Pokemon/Move.

This is Double Corruption, since you corrupt both PID and TID. It was brought up by someone on that topic (I don't remember who, nor the page), to whom I give my thanks, as this method is really useful.


Bypassing checksum (more detail) :
But, there are other tiny things to deal with if you want to be sure to exactly have what you wanted.
For checksum, I mentioned a "general case" where everything goes right, but 2 things can screw up the checksum on a 0x40 Corruption.

The first thing is to really have 0x4000 added or subtracted 12 times (or a number of times that is a multiple of 4).
For example, if your Pokemon was caught in a Nest/Repeat/Timer/Luxury/Premier Ball, one of its non-crypted substructure double-word will have its bit 6 of leftmost byte set to 1 (0x4000 0000 will be there).
The other bit 6 of leftmost bytes for double-words of substructures concern : Item (0x4000), Moves (0x4000), Speed Evs (0x40), Beauty (0x40), Feel (0x40), Move 4 PPs (0x40), Egg State, a Special Ribbon, Exp (0x4000 0000).

So unless your Pokemon has a good amount of Speed EVs or Contest Stats, or a Move 4 with 64 PPs, only 1 double-word of its substructure will have its bit 6 of leftmost byte set to 1.
This means that the checksum calculation after its PID corruption will differ by 11 - 1 = 10 times 0x4000 = 0x2 8000, since for 11 double-words, 0x4000 will be added, whereas it will be subtracted for the double-word containing Origins info.
And you see that the checksum difference isn't a multiple of 0x1 0000, so the checksum will be invalid, and the corruption won't work.
Thus, for Pokemon Corruption, I ask people not to have caught their Pokemon with a Nest/Repeat/Timer/Luxury/Premier Ball, nor have a Move 4 with 64 PPs, nor have between 0x40-0x7F or 0xC0-0xFF (64-127 or 192-255) in Speed EVs, Beauty, Feel.

Since some people were catching their Pokemon with a Repeat Ball (or another forbidden Ball), and since they were only giving them HP and Atk EVs for Species Corruption, they weren't able to have a working corruption.

If you want a really specific corruption (on certain cases), you can set bit 6 of leftmost byte of 2 double-words to 1 in order to have a checksum difference that won't be seen, since you'll have 8 times 0x4000, (8 is a multiple of 4, and 4*0x4000 = 0x1 0000), but don't do that for basic corruptions, that would only make the preparations more complex for nothing.


Corruption Initiator :
The second thing is the 0x05 Corruption from the 25 double-word block below.
Since everything happens in 25-double words blocks, each 0x40 Corruption is between 0x05 corruptions.
Here, we're seeing the 0x05 corruptions relatively to the 0x40 one, since we want to have the 0x40 Corruption on the PC Pokemon PID.
Again, we have 4 different locations for that 0x05 corruption (when 0x40 is on PC Poke PID) :
- On 1st double-word of 2nd substructure
- On 1st double-word of 3rd substructure
- On 1st double-word of 4th substructure
- On PID of the PC Pokemon below
3 of them are a potential threat (1/4 chance that the double-word won't be affected by the 0x05 Corruption), and 1 is completely safe.

Thus, we're totally going for that 4th location of 0x05 Corruption (when 0x40 is on PC Poke PID).
The case where the 0x40 Corruption can be on the PC Pokemon PID, and where the 0x05 Corruption will affect the PC Pokemon below is when the values that the Selection Pointer uses as "PID" and "TID" are double-words 1 and 2 of substructure n°2 of the Pokemon above the PC Pokemon we want to corrupt.
That's because the 0x05 Corruption is fixed, as well as the "PID" and "TID", and that it's the 0x40 that has 4 different locations.

Thus, we will need the values of the 2 mentioned double-words to have specific values in order to give a good 0x40 Corruption location, as well as a 0x40 set or unset (Since we're doing 0x40 on a Pokemon PID, only the set or the unset corruption will do something, so this has to be manipulated too to fit for every Pokemon).

And, since Double Corruption is also a thing, we can do the same thing for the PC Pokemon TID.
The double-words that need specific values for a PC Pokemon TID 0x40 Corruption are double-words 2 and 3 of substructure n°2 of the Pokemon above.
By gathering both cases, we need to have a Pokemon with a specific substructure n°2.

These values are made on a Pokemon I call "corruption Initiator", as its purpose is only to be put before the Pokemon you want to corrupt in order to ensure that a good corruption can happen on that Pokemon.

With the values wanted there, I even call the Pokemon a "perfect initiator", as it ensures you that you can corrupt any Pokemon you want (modulo tiny things to avoid).
Since we will need the 0x40 set and unset corruptions for both PID and TID, we'll need 2 Corruption Initiators, so we'll be sure that any Pokemon will be corrupted with one of them. (One Initiator will do the 0x40 set on PID and TID, and the other the 0x40 unset on PID and TID).

For the 0x40 set Corruption, the substructure n°2 of the initiator must verify :
- double-words 1,2 and 3 have their bit 6 of leftmost byte equal (0,0,0 or 1,1,1 pattern).
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).

For the 0x40 unset Corruption, the substructure n°2 of the initiator must verify :
- double-words 1,2 and 3 have their bit 6 of their leftmost byte forming a 1,0,1 or 0,1,0 pattern.
- double-words 1 and 2 have a specific congruence modulo 24. (I think it's 18,19,20,21,22,23, but I'm not sure as I always do it by trial and error since there are 6 working values modulo 24).


Why using an Initiator works :
This is a tiny EDIT, but I forgot to develop about that.
The anti-cheating measure that moves the RAM addresses of most values each time you open your bag, have a fight, change locations,… can move a designed value on 32 addresses (they are adjacent).

Thus, if you put in Box 1 your Corruption Initiator followed by a Pokemon to corrupt, you only have to try using Pomeg Glitch until the data of substructure n°2 of the Corruption Initiator ends up on the address of a "PID" and "TID" for the Party Pokemon Selection Pointer (these addresses are fixed).
When this happens, the 0x40 corruption will be forced to happen on the PID of the PC Pokemon to corrupt (with the right set/unset type), and the 0x05 Corruption below will fall right below the PC Pokemon to corrupt data.
Since the Party Pokemon data is a block of 25 double-words, there's always a certain movement of the anti-cheating measure that will put up the substructure n°2 data on one of these "PID" and "TID" addresses (as the substructure n°2 data can be placed on 32 different consecutive locations).


Potential Initiators :
The only Pokemon who have substructures values that we know are Empty Slot and in-game trades Pokemon.

Empty Slot will only give a 0x40 set Corruption, and when 0x40 is on a PC Pokemon PID, the 0x05 Corruption is on its 1st double-word of 2nd substructure.
Thus, leaving an empty slot before the PC Pokemon won't work well at all (half of your Pokemon won't have their PID corrupted, and 1/4 of them will suffer from the 0x05 Corruption, so only 1/8 of your PC Pokemon "could" work).

You have 4 in-game trades Pokemon in Emerald :
Seedot : substructure order : EGAM -> GMAE (the second substructure order is the one after a 0x40 PID Corruption)
Plusle : substructure order : EAMG -> AGME
Horsea : substructure order : AGME -> MEAG
Meowth : substructure order : MGEA -> AMEG

- Growth can be manipulated for congruence modulo 24, but since it contains Experience, it would be hard to have a general procedure to do that on console (since the Lv of these Pokemon can be drastically different).
The 0x40 unset Corruption couldn't be done. (there's one of the 3 leftmost bytes you can't manipulate, and you can't have 0x4XXX XXXX Exp)
- Attacks can be manipulated for congruence modulo 24, but the 0x40 unset Corruption couldn't be done. (you'd need a 0x4XXX Glitch Move).
- Growth can't be manipulated for congruence modulo 24 nor 0x40 unset Corruption.
- EVs and Contest stats can be manipulated for both congruence modulo 24 and 0x40 set/unset corruptions.

But as you can see, none of the traded Pokemon have EVs as their substructure n°2.
However, a 0x40 corrupted Horsea has EVs as substructure n°2.

To perform a 0x40 Corruption on Horsea, I use the Seedot as a Corruption initiator.
Seedot won't be a perfect initiator, but with slight changes on him and Horsea, he'll work perfectly.
Here's the setup :


Caterpie the Perfect Initiator :
Items :
Pokeblocks with 6 Chesto Berries at Lilycove with the old man. They must be Lv 12 Blue Pokeblocks, with 22-23 in Feel.
26 Hondew, and 26 Grepa Berries.
At least 13 Pomeg Berries.
Other Pomeg, Kelpsy, Qualot, Hondew, Grepa, Tamato Berries
5 Carbos, 5 Calcium, at least 2 HP Up.
TM Protect (sold at Lilycove).
Fluffy Tails.

- Get the in-game traded Seedot.
- Get the in-game traded Horsea. He must have less than 65.536 Exp points. (Lv 40 or lower)
Horsea and Seedot (and any other Pokemon you'll train for double corruption) must not catch Pokerus during their training.
- If Seedot and Horsea already fought a bit and gained some EVs, use the Pomeg, Kelpsy, Hondew, Grepa, Tamato Berries to put them back at 0 EVs.
- Clone them both to have a safe copy.
- Give 1 Carbos and 3 Calcium to Seedot. (Now Seedot is ready)
- Give 1 HP Up to Horsea. (He'll transform into a Caterpie)
- Give 1 Carbos to Horsea, and make him fight 3 Zigzagoon (For 13 Speed EVs that will absorb the 0x05 Corruption)
- Change Horsea Moves to Waterfall, Protect, Surf, –(Fr)/Return(US). (Having a specific 4th Move is really important)
- Save and clone them 6 times. (1 copy in a safe box and 5 copies for the next steps).
- Place the 5 Seedots and Horsea in Box1 or 2 with a Seedot-Horsea-Seedot-Horsea-…-Horsea pattern (a block of 10 Pokemon + Seedot before Horsea as Seedot is the initiator for Horsea's corruption).

- Save, and perform Pomeg Glitch (this is why Fluffy Tails is mentioned) to corrupt the Horsea. (you have 6-7/32 chances to corrupt Horsea's TID).
- Once one of the Horsea became an Egg,  check its summary.
If the Egg doesn't have Pokerus and isn't about to hatch, keep the Egg and save. (its TID was corrupted)
If the Egg has Pokerus, reset and redo the corruption. (PID was corrupted)
(the TID corruption being first is really important because it won't screw up the 4th Move PPs and allow you to make a fast second corruption)
- Save, clone Seedot and Horsea's Egg 5 more times, and display them in the same pattern as earlier.

- Save, and perform Pomeg Glitch again to corrupt a Horsea's Egg. (here it's 6-7/32 chance to get it, as you really can't move that Egg).
- Once an Egg became a Caterpie, save.
- Give him Pomeg, Hondew, and Grepa Berries to put its EVs back at 0. (they come from Horsea species + Exp since EVs are read on Growth)
- Give him 2 Carbos and 2 Calcium, and save. (Here it is, the first perfect initiator)
- Clone the Caterpie 2-3 times. (at least one copy in a safe box)
- Give the 6 Blue Pokeblocks to another clone (72=0x48 Beauty, 138=0x8A Feel), and give that clone a Heart marking. (here comes the second perfect initiator, the heart marking allowing you to distinguish both of them easily).
- Save, and clone these 2 Caterpies (marked and unmarked) a dozen of times.


Using Caterpies :
- Now, every time you want to perform a Pokemon Corruption, once you've prepared your Pokemon, clone it 10 times.
Place 5 clones with a Caterpie before each (Caterpie-clone-….-clone chain), and place the 5 remaining clones with a Marked Caterpie before each (M Caterpie-clone-…-clone chain). (if you knew beforehand what type of Caterpie would work with this Pokemon, you can only place this very type)
- Then, save and perform Pomeg Glitch to corrupt PC Pokemon, and if your Pokemon doesn't have the slight issues mentioned earlier (Balls, Beauty, Feel, Move 4 PPs, Item, Move2, …), you'll be sure to have 6 or 7/32 chances to corrupt the PID of one of your clones (and same chances for its TID).
- And if you want to go for a Double Corruption (because it's a very strong and useful corruption), you'll need to know beforehand if your TID can be corrupted with a 0x40 set or unset Corruption, as well as if your Pokemon's PID, because once a clone will turn into an Egg, you'll need to know what type of Caterpie you need to place before the Egg to perform the second corruption. (Remember to never take the Egg with the hand, or reset if you do so)
You can also try both of them, but since the second corruption only has a 1/32 working chance, this could be longer.

- If you test your Pokemon beforehand to know what type of Caterpie corrupts him well, you can give a mark to that Pokemon to easily remember that (and also mark the Pokemon to distinguish its Corruption type).


Caterpie data screenshot :
[img]http://i.imgur.com/UqmUfje.png[/img]
The orange upper part is Caterpie's data. I cut it to directly start at its substructure n°2 data.
Below Caterpie, you have the traded Horsea, who had its PID corrupted (0x4000 007F instead of 0x0000 007F), and who became an Egg. The part I circled is Horsea's data as a PC Pokemon (20 double-words only).
In green, you have the 3 double-words of substructure n°2.
The 2 first double-words are equal to 18 and 22 mod 24, and the Bit 6 of the leftmost byte of the 3 double-words has a 0,0,0 pattern (none of them have that bit set to 1), so we'll have a 0x40 set corruption that will perfectly work.
And in Blue, you have the locations of the 0x05 and 0x40 Corruptions.
When one 0x40 fell on Horsea's PID, you have the 0x05 above on Caterpie's data, and the 0x05 below right below Horsea's data, showing that Horsea was corrupted well.



Caterpie file :
If you're on VBA, here's a .dmp file of Seedot + Horsea untouched + both Caterpies + 0x288A Glitch Pokemon to make easy clones : http://www.petit-fichier.fr/2015/05/02/horseaseedotcartepies0x288a/
I made a video on fast cloning before : http://www.youtube.com/watch?v=I8Mio5cA9fs
(RAM addresses for PC Pokemon are below 0x0202987C on Fr/US Emerald)

The Marked Caterpie doesn't have the same Feel as the one described there, as the one I did is older, and I had a flaw for the Feel value, so I had to give him a Yellow Pokeblock to increase it over 0x7F.

Pomeg Glitch Lua Script :
- Since I'm there, here's also the link of the .lua script I'm using to have useful information on PC/Party/Wild Pokemon on Emerald :
http://www.petit-fichier.fr/2015/05/02/emer-pomeg-glitch/
It's untranslated, but there's only a little bit of text (apart from the Pokemon moves and natures), and I think it's easy to understand who does what.
This script gives EVs, Contest stats, Moves, PPs, PID, TID, IVs, Nature, HP, Item, Pokerus, Shinyness, PID mod 24, obedience (if Mew or Deoxys), and substructure order (now and after a 0x40 Corruption) of a Pokemon by holding it in the PC or seeing its summary.
When you have a glitch Pokemon, Bad Egg, or Glitch Moves, it's always nice to have a quick look at the data without freezing the game.
(for the substructure order, E=EVs, A=Attack, C=Croissance=Growth, D=Divers=Miscellaneous)
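
The checksum and substructure-order reasoning from the post above, as an added Python example that is not part of the original post or of the linked Lua script. The order table is assumed to be the usual Gen III one (it reproduces the four in-game trade orders listed in the post); the TID and the 12 double-words are constructed sample values.

```python
from itertools import permutations

BIT30 = 0x40000000  # bit 6 of the leftmost byte of a double-word (the "0x40" bit)
# Order table indexed by PID mod 24: G=Growth, A=Attacks, E=EVs, M=Misc.
# Assumption: the usual Gen III table, i.e. the permutations of "GAEM" in this order.
ORDERS = ["".join(p) for p in permutations("GAEM")]

def order(pid):
    """Substructure order selected by a PID."""
    return ORDERS[pid % 24]

def crypt(dwords, pid, tid):
    """XOR each double-word with PID xor TID; the same call encrypts and decrypts."""
    key = pid ^ tid
    return [d ^ key for d in dwords]

def checksum(plain):
    """Add the 16-bit halves of every decrypted double-word, keep the low 16 bits."""
    return sum((d & 0xFFFF) + (d >> 16) for d in plain) & 0xFFFF

def net_0x4000(plain):
    """Times 0x4000 is added minus times it is subtracted when bit 30 of the key flips."""
    already_set = sum(1 for d in plain if d & BIT30)
    return (len(plain) - already_set) - already_set

def corrupt(plain, pid, tid, flip_pid=True, flip_tid=False):
    """Flip bit 30 of PID and/or TID; stored data and stored checksum are untouched.
    Returns (checksum_still_valid, data_as_reread, new_order)."""
    stored, saved = crypt(plain, pid, tid), checksum(plain)
    new_pid = pid ^ BIT30 if flip_pid else pid
    new_tid = tid ^ BIT30 if flip_tid else tid
    reread = crypt(stored, new_pid, new_tid)
    return checksum(reread) == saved, reread, order(new_pid)

# PID is the Horsea value quoted in the post; TID and data are constructed samples.
PID, TID = 0x0000007F, 0x0000B1C5
CLEAN = [0x00000074, 0x000004D2, 0x00000046, 0x0039007F, 0x00B600D8, 0x190F0F0F,
         0x000D0001, 0x00000000, 0x00000000, 0x00000000, 0x1F051234, 0x00000000]
ONE_SET = CLEAN[:]
ONE_SET[10] |= BIT30   # stands in for a ball that sets the bit in one double-word
TWO_SET = ONE_SET[:]
TWO_SET[7] |= BIT30    # a second double-word with the bit set

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("one set", ONE_SET), ("two set", TWO_SET)):
        ok, _, new = corrupt(data, PID, TID)
        print(f"{name:8} net x0x4000={net_0x4000(data):3}  valid={ok}  "
              f"{order(PID)} -> {new}")
    ok, reread, new = corrupt(ONE_SET, PID, TID, flip_tid=True)
    print("double corruption: valid =", ok, " data unchanged =", reread == ONE_SET)
```

A net count of 12 or 8 leaves the 16-bit checksum unchanged, while 10 shifts it by 0x8000, which is the Bad Egg case the post attributes to the listed Balls.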