Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 31

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-05-16 09:26:44
Thanks for clarifying and re-posting your finds for others to see! You are surely very diligent about Pomeg glitch.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spoink
Date: 2015-07-06 14:03:47
If you replace the text ID of an NPC to 08160504, then talk to them, it will ask you to save, say no. You will now have access to beyond the 6th slot.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-07-11 07:57:57
This script must be one script in Battle Frontier where your Pokemon team is stored, and where few Pokemon from your team are taken to make the team you'll have for the building.

You can trigger that in Battle Frontier with a Glitch Pokemon's name (making Slateport's journalist reading it), and when entering any Battle Frontier Building, you can be instantly considered winner/loser, and the stored team will be given back to you.
But the adress is a bit far, and by doing that you'll also corrupt the stored team, so that would work for certain specific glitch Pokemon.
However, you can directly use a Glitch Pokemon name to have an empty first party slot, which is done easier and with less corruption.

Also, this doesn't work in RS because the winner/loser scripts of the receptionist do not contain the stored team withdrawal (it is done just before that), which is quite saddening since this could have been a way to perform Pomeg Glitch corruption in RS.
However, with the "continuing streak after a pause" script, you can be taken into a Battle Tower fight with a team that can have empty slots, which allows you to make a little corruption before the game freezes.

I tried to abuse of such scripts in Emerald in order to illegally bring a Smoke Ball and Master Balls into Battle Pyramid, but it didn't work as there was no Glitch Pokemon that would trigger the "continuing streak after a pause" script while giving me at least one party Pokemon, and while taking me to a Battle Pyramid floor that doesn't freezes the game.
(when you register into a Battle Frontier building, the game stores your team, stores the slots of the Pokemon you've chosen, as well as the floor you'll be taken to (in case you would do a pause), and some other tiny things that are less important)(and in Battle Pyramid, the fleeing mechanic is different, and the fleeing chance is capped at a value which isn't 100%, regardless of Run Away. Thus, you have to kill the wild Pokemon or teleport yourself or use a Smoke Ball, Smoke Ball being more efficient, but you can't find it in Battle Pyramid as wild held items are disabled.)

This also can't be used to steal Battle Factory Pokemon or bring your own Pokemon to Battle Factory,(not like the way I tried, at least), as Battle Factory works a bit differently in terms of Pokemon selection (the game stores somewhere the PID of the selected Pokemon, and their value in the list of Battle Frontier Pokemon).
Since these values are below party pokemon and wild pokemon data, you also can't use this to be taken back into a Battle Frontier facility with one Pokemon of your previous battle, as the data of this Pokemon would be wiped in the process. (as once you go into Pyramid/Pike with a certain team, you can use Safari Mode to be warped back to Safari Zone with your current team, and thus successfully get back the Pokemon in your team during Pyramid/Pike)

However, you can use a Glitch Pokemon with 14.900-15.000 characters and corrupt the Battle Dome matches layout. It is quite funny even if you can't glitch anything with this, and even if the layout is remade after some minutes.


Also, you can't corrupt NPC scripts well with Glitch Pokemon Names, as they are refreshed once you change maps, so you could only do that into the house in Slateport that contains the Journalist, and as the adresses for NPC scripts are below the adress for player location, which means that you would need to have a nearly accurate double-word for the NPC script as well as a certain nearly accurate double-word for player location (a location that would still be in the house, so that the player can still go talk to other NPC, and can get out of the house with the door or with Safari Mode).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-08-09 18:28:34
Apologies if this seems a bit late, but I found something weird about certain Decamarks.

I managed to hatch the Decamarks "WATERFALL", "WITHDRAW", "BSTITUTE", "SUPERPOWER" and "OAT" (Sadly, I don't know their Hex values, as the .txt file I had used to record them got corrupted). I'll get pictures up soon showing these Decamarks.

Upon seeing the amazing stats of the Lv.5 "BSTITUTE", I attempted to switch it into a battle to let it gain experience. However, upon leveling up, the game crashed after showing the level-up stat gains…
I tried putting BSTITUTE in the Day-care to let it level up that way, but once again, the game crashed after paying the Day-care lady to return it to me.

I tried levelling up all of my Decamarks, and found that WITHDRAW and BSTITUTE both froze the game, while SUPERPOWER and OAT didn't. I can remember that SUPERPOWER and OAT are a higher Hex value than the others, so I think that may be a cause of the problem.
I've yet to try WATERFALL, but it'll take a while since it needs 65,536 EXP to reach the next level, and I don't have any rare candies…

Due to this, it seems that my Decamarks will be unable to level up at all without crashing the game, and due to the four glitch moves they have, it's impossible to battle with them, make them learn any new moves, or even trade them over to my Sapphire game.
So, is it at all possible to level up these Decamarks without them freezing up the game?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-08-14 16:47:30
If you want to know the hexadecimal values of the Glitch Pokemon you hatched, you can find them back with the extended 3rd Gen Pokedex (I forgot its exact name, but there is a subject on the forum where a download link is given, and I can't find it back) as they have a really clear name that you can trace back.

For the issue about levelling crashes, I don't know if this is due to the Pokemon trying to learn a new Glitch Move, its Exp curve being too glitchy, something about the stat increase he has, or the Glitch Pokemon trying to evolve, but it's something that is related either to the species or the stats increase.

Trying to obtain Glitch Pokemon with the "classic" Pomeg Glitch corruption and Egg hacthing is very tough, as the success rate is inconsistent, and as many Glitch Pokemon won't hatch.

However, by using a corruption initiator, alias HYPY the Caterpie, you can perform Pokemon Corruptions with a consistant and higher success rate, and also perform double Corruptions to remove the Egg state of the corrupted Pokemon and thus be able to obtain every Glitch Pokemon. (see at the end of the post here to have the detailled procedure to obtain HYPY the Caterpie http://forums.glitchcity.info/index.php/topic,6868.msg198505.html#msg198505 ) (a few comments after that, Tochickens made a vba file where he obtained HYPY and made a double corruption with it, if you want to directly get HYPY from it. I also made AR codes for this Pokemon a bit below on the same page.)
Also, by using the in-game traded Seedot, you'll b able to have any Gitch Pokemon with Seedots HP and Atk EVs, and its moves will be kept, so he won't have "annoying" glitch moves preventing you from trying to train a Glitch Pokemon.
And if you want a specific Glitch Move, you can use the in-game traded Plusle and its HP and Atk Evs.

However, for what you're trying to pull, Seedot wouldn't be good as its Exp would be read on EVs and Contest stats, and being an in-game traded Pokemon, he already has Contest stats, (so he would already be at Lv 100 for a good amount of Exp curves).

To be able to manipulate the Exp of the Glitch Pokemon you would like to have during the Corruption, you would need to catch Smeargles, give them one HP Up, put them in Boxes 1 and 2 with the corruption initiator, save, and try to corrupt some of them to see if they become a Caterpie in an Egg when their PID is corrupted. Thus, you would have a smeargle with no contest stats nor EVs and you could modify them to have the Glitch Pokemon you want with the Exp amount you want, which can be more helpful sometimes than a couple of Rare Candies.
(to know if the Egg you have after one Pomeg Glitch is from a corrupted PID or TID, check if he's going to hatch quickly or not. If the Pokemon has no Contest Stats, 4th Move, nor Ribbons, this will be enough to know it).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-08-21 16:18:17

If you want to know the hexadecimal values of the Glitch Pokemon you hatched, you can find them back with the extended 3rd Gen Pokedex (I forgot its exact name, but there is a subject on the forum where a download link is given, and I can't find it back) as they have a really clear name that you can trace back.


Might it be Generation III Extended Hacking Suite?

Another way to do it might be to send the glitch Pokémon into battle (if that glitch Pokémon can be sent into battle, maybe if it cannot you cannot use this method) and check one of the addresses 02023868, 02024084, 0202499E or 03005E58.

Metarkai, do you know an easy way to edit the index number of a Pokémon in the party to any glitch Pokémon with memory viewer without having to do any glitching?

I have usually got an Egg from double corruption first then corrupted it again with Pomeg glitch or manually with memory editor to get any Pokémon (including unhatchable glitch Pokémon) based on its EVs. I couldn't locate CCD7 with cheat searcher sadly.

I would like to know of a way to manually change any Pokémon. In the Game Boy games it's relatively trivial because you could just change two memory addresses (species byte 1 and byte 2); but in Generation III with you having to take the modulo 24 of the personality value to know where the species ID address would be, and the Pokémon being protected by checksum, I don't know of a step by step way.

With anti-DMA enabled, can you tell me the addresses of the stored checksum, and the species ID for Pokémon for all four positions of "Growth" in the substructure orders please?


For the issue about levelling crashes, I don't know if this is due to the Pokemon trying to learn a new Glitch Move, its Exp curve being too glitchy, something about the stat increase he has, or the Glitch Pokemon trying to evolve, but it's something that is related either to the species or the stats increase.


Yeah, perhaps without further knowledge it may be like Generation I (a Pokémon with a glitch experience curve that can normally never stay past level 1 after battle, or a Pokémon with a glitch experience curve that has division by zero)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-08-24 08:49:14

Might it be Generation III Extended Hacking Suite?


Yup, exactly. It really helped me to determine the name lenght of glitch Pokemon and see what "families" had the biggest name lenght, in order to directly know approximative values of identifiants I should use if I wanted to corrupt certain values like Battle Pyramid Bag.
I also modified an US Emerald ROM in order to make it read French Pokemon names, as I wasn't able to fully modify the .ini to make it directly read a French ROM.

For specific searches of Glitch Moves effects or Glitch Pokemon specificities, TheZzAzZGlitch gave me python scripts to help me for that (they are basic scripts as it's only a matter of wanting a certain value on a certain place, but I had nothing to do that for me before).

  For now, these scripts mainly helped me testing abuses of the "N° of party Pokemon in battle" value.
My goal was to have a glitch move with a name long right enough to corrupt that value, and use healing or self-damaging moves to change the HP of my Pokemon. This would force the game to update the hp of the Pokemon "sent in battle", which would have been the Pokemon at the corrupted party slot.
Depending on the party slot values, accurate corruptions of things like special islands flags, mirage island,… could have been possible. However, this value is right at the start of a block of values managing the battle, and all the glitch moves with a good name lenght make the game crash (another adress near the concerned one gets a value that makes the game freeze or reset).

But, writing this made me think about another possible way to exploit this, through the opponent's Pokemon HP. I'll look into this.

  There's another thing I wanted to test, which was the evolution lines. Can a Glitch Pokemon with a non-glitched sprite and name evolve ? And is that evolution condition the element that makes the game freeze when you give Rare Candies to a Glitch Pokemon ?

  I also wanted to check the Move Relearner a bit more accurately, as I confirmed that the list of relearnable moves contain one exemplary of each move present into the "Learnable Move" list of the Glitch Pokemon until Move 0000 shows (whereas in Gen III Extended suite, the learnable moves list goes further than that).

  I also wanted to test the Glitch Move types, to see if there were some that could have nice effects.
I also wanted to test the effects of Glitched Special abilities, but I don't really know how to make a test for this (to know if they have an effect during a battle or outside a battle, and what that effect might be). I also don't know their full name lenght, as maybe something like Skill Swap could make new RAM overwriting cases.

  Someone on PRAMA had a good idea about testing if Glitch Pokemon names could change the NPC's script to values that would be ROM adresses with interesting scripts (like Hall of Fame, engaging a battle against a legendary, …).
However, the answer was negative. I didn't find any set of 4 bytes that would be near the end of a Glitch Pokemon's name with a certain lenght (like 18.000 characters long) that would look like a ROM adress towards NPC/events scripts.
There are maybe some other values that could be exploited like this, but I don't really know what other values I could give for a NPC script adress in order to get nice results (it has to do someting like a teleport, as a glitch Pokemon species name of that lenght corrupts the player current location and he would be outside of the building, and taking a single step crashes the game).

  While trying to check the existence of the rumoured Lotad Swarm in RSE (I found the ROM adresses managing swarms and he wasn't there, so unless someone shows it, I heavily doubt he existed), I came to think of another way to make the game read a Glitch Pokemon species name, which would be TV news.
I haven't tested it yet, but with news that display the species name of Pokemon like the name master or other ones, I think the game would read the species name of the ID stored in the adresses related to the news.
  This could maybe be useful for RAM data overwriting as it could provide another starting adress for that overwriting.
For now, I know of 2 adresses for RAM data overwriting : 0x02021CC0 (the adress where the species name is stored when you talk to Slateport's Journalist in the Pokemon Fan Club), and another adress around 0x020283E8 (the trainer name is stored there when you reload your save, exit the Safari game, and maybe with other actions).
If we had other adresses where names of Glitch Pokemon, Glitch Moves, or Glitches Trainer Name were stored, this would help into overwiting certain interesting values (0x020283E8 helps to get a NidoranM swarm, and could maybe have other uses for certain adresses, but I don't really know what yet since it's quite afar from main flag adresses).

This would also help do RAM corruptions in RS, as the storage adress of a Pokemon species name by Slateport's Journalist is really afar from other interesting adresses, (in Emerald, party pokemon data was a good thing to corrupt, but it isn't there in RS).
I also haven't tested to see where the trainer's name is stored in RS in order to see if it could be helpful to corrupt it.
This reminds me that in RS, if the player's name is too long, you can't even use the pause menu or things like that, so you're really blocked if you want to overwrite too much data.



Metarkai, do you know an easy way to edit the index number of a Pokémon in the party to any glitch Pokémon with memory viewer without having to do any glitching?

I have usually got an Egg from double corruption first then corrupted it again with Pomeg glitch or manually with memory editor to get any Pokémon (including unhatchable glitch Pokémon) based on its EVs. I couldn't locate CCD7 with cheat searcher sadly.

I would like to know of a way to manually change any Pokémon. In the Game Boy games it's relatively trivial because you could just change two memory addresses (species byte 1 and byte 2); but in Generation III with you having to take the modulo 24 of the personality value to know where the species ID address would be, and the Pokémon being protected by checksum, I don't know of a step by step way.

With anti-DMA enabled, can you tell me the addresses of the stored checksum, and the species ID for Pokémon for all four positions of "Growth" in the substructure orders please?


If you only want to create a Glitch Pokemon to see what its glitch species does, it'll be faster to recreate that Pokemon from scratch.
But, if you want to have a certain Glitch Pokemon with "more data", you only have one method to change the Pokemon EVs or species or whatever you want in its substructures.

In 3rd Gen, a Pokemon's PC data (I use PC because you don't have the stats stored with it, which makes it a bit clearer) is 20 double-words long.

To create a Glitch Pokemon with the species you want :
- use a Memory viewer in 32-bit mode (it's easier for Pokemon data to see everything with double-words)
- Stay on the Memory Viewer window during all the changes. If you get back to vba without all the changes done, the game can recheck the checkum, see an invalid one, and give you a Bad Egg.
- give him a PID (double-word 1) and TID (double-word 2) of 0x0000 0018. A nonzero PID prevents the Pokemon from disappearing when you multi-select PC Pokemon.
Its PID is equal to its TID, so the PID xor TID xor double word data crypt on its substructures won't bother you since it won't change anything between crypted and non crypted.
Its PID is a multiple of 24 in order to have the same substructure order as a PID of 0, because I have the habit of doing it with a PID/TID couple of 0.
The substructure order of that Pokemon will be : Growth - Attack - EVs - Misc. Each of these substructures is 3 double-words long, and is stored at the end of the Pokemon's data (in the case you forget the location of one of these substructures, you can track it back by starting with the end of the Pokemon's data and subtracting 3 double-words per 3 double-words)

- Get to the substructure you want to modify. Check the location of the bits/bytes you want to modify with :
http://bulbapedia.bulbagarden.net/wiki/Pok%C3%A9mon_data_substructures_in_Generation_III
and change them to your liking.
For Growth, it will be double-words 9,10 and 11.
The Pokemon ID is stored on bytes 0 and 1, which means the rightmost bytes of the first double-word. (the right half of it)
With a 32-bit view, these bytes will be in the right order (if you want Pokemon 0xCCD7, put 0000CCD7 in double-word 9), whereas with a 8-bit view the order would have been reversed (D7 CC 00 00).

- Sum all the words of the substructures, keep the first 4 characters of it (or cut it modulo 0x1 0000), and store them on the right half of double-word 8.
This gives the Pokemon a valid checksum, so he won't turn into a Bad Egg.
With few changes, it's really easy to make the checksum since you only have few things to add.

This is a procedure I use really frequently to make and test glitch pokemon, because it's fairly easy to do (I could even make a codebreaker code out of this and give you the part to change the species, but I prefer doing it by hand as you can keep trakc of things the Pokemon would get like new moves, exp, PPs,…) (if you want to put it at Lv 100, give him 0xF000 0000 exp points (double-word 10), that will do the trick).

Now, if you want to change the same data on an already existing Pokemon, you'll have to do the same procedure except that you'll have to :
- stay on the memory viewer window, with 32-bit mode.
- calculate PID mod 24 and check the substructures order this gives to find back the double-words you want to change
- uncrypt the substructures double-words you' want to change with : uncrypted double-word = crypted double-word xor PID xor TID
- write down the crypted and uncrypted double-word value
- write the double-words values you want (ex : change the species, exp, held item, evs,..)
- use the crypting formula to crypt these double-words
- write these new crypted double-words on their original place (having the crypted double-word value written down helps you remembering where you have to write the new one)
- cut all the uncrypted double-words in half, add all the modified ones, and subtract all the older ones
- add that value (mod 0x1 0000) to the ckecksum (right half of double-word 8 )

  And there you have your Pokemon modified. It's a bit trickier since it is harder to see the double-word you want to change, and since you have to write down the crypted and uncrypted values if you want to be sure that you didn't mess up a part (because if you mess up, you get a Bad Egg and you'll in general never be able to correct your mistakes, so you'll have to reload a savestate or deal with it).

  If you have issues with it or if my explanations are a bit messy, feel free to message me again and ask me any other thing you want about this. I can provide you saves, codes, dumps, or directly show it on skype or twitch for more efficiency, as I tried here to not take too much time writing down the procedure since this post is already quite long.





  Yeah, perhaps without further knowledge it may be like Generation I (a Pokémon with a glitch experience curve that can normally never stay past level 1 after battle, or a Pokémon with a glitch experience curve that has division by zero)


I doubt this comes from the experience curve as some glitch pokemon can eat their Rare Candies easily.
However, I didn't check precisely their exp curves, so there could be certain exp curves that make the game crash.
But I think there are multiple reasons behind these crashes since the game doesn't always freeze at the same time.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-08-24 16:49:20
Thank you! I will try these methods later.


Yup, exactly. It really helped me to determine the name lenght of glitch Pokemon and see what "families" had the biggest name lenght, in order to directly know approximative values of identifiants I should use if I wanted to corrupt certain values like Battle Pyramid Bag.

I also modified an US Emerald ROM in order to make it read French Pokemon names, as I wasn't able to fully modify the .ini to make it directly read a French ROM.

For specific searches of Glitch Moves effects or Glitch Pokemon specificities, TheZzAzZGlitch gave me python scripts to help me for that (they are basic scripts as it's only a matter of wanting a certain value on a certain place, but I had nothing to do that for me before).


Yes, I've also found that tool useful for choosing glitch Pokémon of suitable length.

Cool.


For now, these scripts mainly helped me testing abuses of the "N° of party Pokemon in battle" value.
My goal was to have a glitch move with a name long right enough to corrupt that value, and use healing or self-damaging moves to change the HP of my Pokemon. This would force the game to update the hp of the Pokemon "sent in battle", which would have been the Pokemon at the corrupted party slot.
Depending on the party slot values, accurate corruptions of things like special islands flags, mirage island,… could have been possible. However, this value is right at the start of a block of values managing the battle, and all the glitch moves with a good name lenght make the game crash (another adress near the concerned one gets a value that makes the game freeze or reset).

But, writing this made me think about another possible way to exploit this, through the opponent's Pokemon HP. I'll look into this.


That's interesting. As well as out of bounds in battle HP slots, might you be able to have that Pokémon gain experience? May simply sending it into battle to let the game know that the Pokémon participated set an invalid value?


There's another thing I wanted to test, which was  the evolution lines. Can a Glitch Pokemon with a non-glitched sprite and name evolve ? And is that evolution condition the element that makes the game freeze when you give Rare Candies to a Glitch Pokemon ?

Ah. Maybe there could be glitch evolution conditions that allow you to execute arbitrary code?


I also wanted to check the Move Relearner a bit more accurately, as I confirmed that the list of relearnable moves contain one exemplary of each move present into the "Learnable Move" list of the Glitch Pokemon until Move 0000 shows (whereas in Gen III Extended suite, the learnable moves list goes further than that).


Interesting.


I also wanted to test the Glitch Move types, to see if there were some that could have nice effects.
I also wanted to test the effects of Glitched Special abilities, but I don't really know how to make a test for this (to know if they have an effect during a battle or outside a battle, and what that effect might be). I also don't know their full name lenght, as maybe something like Skill Swap could make new RAM overwriting cases.


If you use No$gba Debugger, go on Debug>Define Break/Condition and enter in the box [r15]<80 (or [r15]<30 if you want search for just WRAM and BIOS executions), and also enter [r15]>90 then the emulator might be able to tell you what code it's trying to execute if you stumble across a glitch ability that executes arbitrary code. These breakpoints tell you when r15 (execution pointer) is less than 8000000, 3000000 or greater than 9000000 (past the end of the ROM).


Someone on PRAMA had a good idea about testing if Glitch Pokemon names could change the NPC's script to values that would be ROM adresses with interesting scripts (like Hall of Fame, engaging a battle against a legendary, …).
However, the answer was negative. I didn't find any set of 4 bytes that would be near the end of a Glitch Pokemon's name with a certain lenght (like 18.000 characters long) that would look like a ROM adress towards NPC/events scripts.
There are maybe some other values that could be exploited like this, but I don't really know what other values I could give for a NPC script adress in order to get nice results (it has to do someting like a teleport, as a glitch Pokemon species name of that lenght corrupts the player current location and he would be outside of the building, and taking a single step crashes the game).


Ah, that's a shame. :/


  While trying to check the existence of the rumoured Lotad Swarm in RSE (I found the ROM adresses managing swarms and he wasn't there, so unless someone shows it, I heavily doubt he existed), I came to think of another way to make the game read a Glitch Pokemon species name, which would be TV news.
I haven't tested it yet, but with news that display the species name of Pokemon like the name master or other ones, I think the game would read the species name of the ID stored in the adresses related to the news.
  This could maybe be useful for RAM data overwriting as it could provide another starting adress for that overwriting.
For now, I know of 2 adresses for RAM data overwriting : 0x02021CC0 (the adress where the species name is stored when you talk to Slateport's Journalist in the Pokemon Fan Club), and another adress around 0x020283E8 (the trainer name is stored there when you reload your save, exit the Safari game, and maybe with other actions).
If we had other adresses where names of Glitch Pokemon, Glitch Moves, or Glitches Trainer Name were stored, this would help into overwiting certain interesting values (0x020283E8 helps to get a NidoranM swarm, and could maybe have other uses for certain adresses, but I don't really know what yet since it's quite afar from main flag adresses).

This would also help do RAM corruptions in RS, as the storage adress of a Pokemon species name by Slateport's Journalist is really afar from other interesting adresses, (in Emerald, party pokemon data was a good thing to corrupt, but it isn't there in RS).
I also haven't tested to see where the trainer's name is stored in RS in order to see if it could be helpful to corrupt it.
This reminds me that in RS, if the player's name is too long, you can't even use the pause menu or things like that, so you're really blocked if you want to overwrite too much data.


I didn't know there was rumoured Lotad swarm, interesting.

Nice. I hope TV corruption works then so we have even more stuff to do with glitch Pokémon.


I doubt this comes from the experience curve as some glitch pokemon can eat their Rare Candies easily.
However, I didn't check precisely their exp curves, so there could be certain exp curves that make the game crash.
But I think there are multiple reasons behind these crashes since the game doesn't always freeze at the same time.


I see.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-08-26 16:29:28
I don't think you could have the invalid slot Pokemon gain experience as this slot would be (nearly everytime) a Bad Egg, and Bad Eggs can't gain exp.

What you're saying about the "participation" seems interesting. I don't think it could really do super things as the value for battle participation is beween the values managing the battle, and far away from other elements, but I'll look for that.

I planned to answer all your remarks today, as I finally progressed in the speedrun route, but it looks like I won't be able to.
You made me rethink the "slot of battling pokemon" idea and I finally have a way to make it work !

The way to make it work is relatively similar of Pomeg Glitch RAM corruption :
- Set a certain party slot for "last pokemon sent in battle".
- Kill all your party with Pomeg Berries.
- Make a wild battle.

The "last Pokemon sent in battle" byte, located at 0x0202406E is easily corruptible with Glitch Pokemon species names at Slateport, as you have around 2.000 bytes between that adress and the adress managing the trainer name and sprite.

With the rough setup mentioned above, what the game does is that he sends in battle the data located at party slot "slot of last battling Pokemon", whatever might be in that slot.
This will be in general either an empty slot (Decamark) or a Bad Egg.
In both cases, if you look at the Pokemon's moves, bad things will result (blacking out or freezing the game), so don't do it.

I haven't tested many things with a Decamark since I directly went for data corruption, which gave me party slots containing Bad Eggs.
What happens for Bad Eggs is that when they take a hit, their HP are updated in the block of data managing the "party slot" where they came from. (You can't heal them yourself as they are Bad Eggs and they can't heal themselves as they have glitched moves)

If your Bad Egg has 0 current HP, you won't be able to take a hit and black out.
If your Bad Egg has 0 Max HP, the game will softlock when you'll take a hit.
If the Bad Egg has less current HP than Max HP, then he'll take a hit like in a normal battle (I haven't checked what certain effects like poison would do), and the value managing its current HP will be updated.
If the Bad Egg has more current HP than Max HP, his current HP will start by decreasing down to its Max HP before being updated as if they took the hit normally. The decreasing speed of the HP depends on the Max HP value, and if you have 0 Max HP, it doesn't decrease at all. Thus, this waiting phase can be more or less long depending on the HP you have to lose, and the speed of the HP decrease.

And after that, you're free to flee using a Fluffy Tail, the fact that you battle with an Egg doesn't bother the game much more than that.

Regarding the party slot values, if you use values from 6 to 11, you'll end up with an opponent's Pokemon, and I haven't tested that, in the case there would be something funny/nice to do by battling with the opponent's Pokemon.

The adresses for "Remaining HP" of every party slot are bytes on the left side of double-words, so you can't corrupt every byte you want.
Since you also need the Remaining HP and Max HP adresses to not be at 0x0000 beforehand, there are also adresses you can't corrupt because of this.

Here is for now the list of corruptible elements that would be interesting to corrupt :
-Duplicate a PC/Bag Item. Duplicate Battle Bag items.
-Change the Feebas Tile value (well no, it finally isn't that interesting as you'll only change the value compared to the first value)
-Corrupt Repel Steps. (for approximately 65.000 repel steps)
-Get 2nd gen starters from Pr Birch.
-Get some Golden Symbols.
-Unlock Southern, Faraway, and Birth Islands.

Yeah, this corruption is the easy door through Mew and Deoxys Islants unlock !
I already knew this method would work as I tried it a different way, and all it was needing was a working procedure.

For now, I only have the Glitch Pokemon values for French Emerald, as I directly tried to see if a good party slot was available on French Emerald in order to get the Islands.

Glitch Pokemon 0x94F8 gives a party slot of 0x68, whose Remaining HP are at 0x02026DE2 (and current HP at 02026DE4), which is a bit below the adresses for Islands event flags.
The byte for Faraway and Birth Islands flags is at 0x0000, so you'll first need to do a Pomeg Glitch in order to corrupt it for 0x0500, but this isn't hard to do (using an in-game trader Pokemon in PC to tell if the corruption was good or not, and maintaining UP for a certain amount of time).
Once this is done, here's the setup :
-Have a fully KO Party with : 0x94F8, Fly, (Surf for Faraway and Birth Islands)
Have many Fluffy Tails, as well as the event tickets in your Bag. (obtainable with a Double Corruption)
- Fly at Slateport and save in front of the journalist.
- Speak to the journalist to change the "last battling Pokemon" value to 0x68.
- For Southern Island, go at Route 101, and make a wild battle.
Once the Bad Egg is sent in Battle, look if he has 0x8500 current HP and 0x0001 Max HP. (look for ???/ 1 HP)(1/32 chance)
If this isn't the good HP amount, use a Fluffy Tail and make another encounter.
If his is the good HP amount, use X Attack,Speed,Accuracy until the wild Pokemon hits you.
Wait. (Here, this will be very long, a few hours at least, maybe something like 10-20 hours or even more)
Once your HP bar has finally decreased to 1, use a Fluffy Tail.
Fly at Lilycove, and check if you've unlocked Southern Island.
If not, reset or go back to Route 101. (the ???/1 HP wasn't the right one)
If yes, enjoy.

- For Faraway Island and Birth Island, enter Mt Pyre and stay in the first section. Make a wild Battle.
Once the Bad Egg is sent in Battle, look if he has 0x0500 current HP and 0x0010 Max HP. (look for ?80/ 16 HP)(1/32 chance)
If this isn't the good HP amount, use a Fluffy Tail and make another encounter.
If his is the good HP amount, use X Attack,Speed,Accuracy until the wild Shuppet hits you with Night Shade.
If he uses Curse first, it isn't good, reset.
Once he has used Night Shade, wait. (this will take 2-3 minutes)
Once your HP bar has finally decreased to 16, use a Fluffy Tail.
Fly at Lilycove, and unlock Faraway and Birth Islands.
Enjoy.

I'm really happy about that since one of the last remaining goals of Pomeg Glitch has fallen, and since a method I previously worked on was finally useable.


I'll look for a Glitch Pokemon that puts party slot 0x68 (or 0x69) in US Emerald Roms too, and maybe some other things for Pokeblocks and Battle Bag since they are on a hot topic for me.



Move Relearner won't be of any help.
It appears the main cases for Glitch Pokemon are :
- Not able to relearn any move.
- Able to learn Karate Chop.
- Able to learn a full list of Peck.

Also, TV news might be tricky to use, as the main source of Pokemon Species Name reading, the Name Rater, can't be used for Glitch Pokemon (the game mainly freezes when you try to rename them).
Maybe certain news related to Pokemon contests or wins at Battle Frontier could tell the species name of one of our Pokemon, but I'm not sure of that (I think it would be the surname).
Thus, this method will most likely stay for now as I'd need more data about these news to know if some could work.


My initial idea of using a Glitch Move to change the "party slot of opponent's battling Pokemon" won't work, the value is right next to the other one, and no Glitch Move is able to change them without altering other values related to the fight that make the game freeze/reset.

As for learnt moves, I saw quite a lot of Ice Punches, so Glitch Pokemon might only learn certain "generic" sets of Moves from levelling.
I was able to level out a Glitch Pokemon with a normal experience curve by using an Exp Share. It turns out that he wanted to learn a glitch move right after Ice Punch, so I suppose that it was this move who froze the game right on Ice Punch message.
Yeah, it's definitely that Glitch Move, now I'm able to level the Pokemon normally.
What seems to freeze the game is the learning of a Glitch Move as new move in the party screen.
As the glitch move by itself has a short name and a non-freezing type sprite, who allow it bo be seen in the summary or removed.

I used Pokemon 0x1015, who, according to Gen III Suite, can evolve via friendship.
However, that didn't happen. This might be because there are multiple friendship evolutions, or because the first evolution entries are empty. I'll test more things to sort this out.
I've tried to evolve 0x101A and 0x101B who have a first evolution condition of Friendship at Day and Night, and it didn't work for both.
I put 0x102B who's supposed to "evolve by breeding" into a Forretress in Day Care, but there was no Forretress in the end.


It's strange, I have this memory of the learnable move list stopping at the first 0000, but what I saw there is different.
I'll try some things on my French Emerald version.


And thanks for the help on code execution. I'll try to familiarize with this and see if certain freezes can be exploited.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-08-29 12:02:04
Well, after more analysis, a god part of my previous post was quite erroneous.

I was able to unlock Faraway and Birth Islands, but that was way tougher than I originally thought.

First, there is no Glitch Pokemon in US Emerald that would safely give you a value of 0x68 or 0x69 at 0x0202406E (party slot of fighting Pokemon), who are the required slots in order to get the word managing the Event Islands unlock treated as remaining HP.

Secondly, the Bad Egg can have statuses, and when his remaining HP will be the word for islands unlock, he will, as its status word is read on some flags about visiting areas, completing the story, and talking to certain NPCs.
Thus, the Bad Egg suffers from Poison, Sever Poison, and Burn.

If you went into Trainer Hill, the Max HP word will have a value of 0x14 = 20 at that time (unless you visited Navel Rock).
Thus, Poison does 2 damage, Burn 2, and Severe Poison does 1 to 15 damage depending on a counter.

In the word for Remaining HP, you also have the flag for the advanced Trainer card (with Battle Frontier symbols and other things) amoungst the lowest bits, and as you can't get it again, you need to keep it.
Flags for Pyramid symbols are also some low bits of that word.
And this changes the amount of damage you'd like to take in order to get flags for Islands unlocks while keeping the Trainer card.

Also, if the party is still KO when Bad Egg suffers from Poison (or any indirect form of damage I think), the game makes you black out, so you have to use a Revive in order to revive one of your Party Pokemon.

After that, it was a matter of searching the effect of all the flags in order to get everyone to the same values and to make them able to unlock both islands with a single HP loss on a fight.

There's more details about that at the end of the pastebin for that method : http://pastebin.com/8N9sGwpb



I have for now two more things to check with that "battling Pokemon" method, as I want to see how party Pokemon are managed when you open the party while the battling Pokemon comes from a slot higher than 5 (slots starting at 0), as it did strange things to my party, and I want to check if an empty slot could gain Exp and Evs from a fight (by fighting a Secret Base Pokemon who uses Memento), as this could have some (tiny) uses.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-09-01 14:53:11
I hatched EARTHQUAKE (Hex:0205) at Level 5 and boy, this Decamark learns so many moves.

Upon using Rare Candies, EARTHQUAKE tried to learn Guillotine and Pay Day at Level 6, Mud Sport at Level 7, A glitch move at Level 8 and Barrier at Level 9. The game crashed upon reaching Level 10. Sadly, the type of the glitch move crashed the game on both the Battle Moves and Contest Moves screens.

With the Move Tutor, I could teach it Waterfall, Skull Bash and a different glitch move.

I'll test the effects of these moves in battle and in a contest and get back to you on the results tomorrow.

On a different note, two of the four glitch moves my Pokémon get when they hatch have turned out to be pretty useful, one being possible to use in battle and in contests with no negative effects, and one that appears to give instant victory in battles when used. I'll get pictures of these tomorrow.

Oh, and just to clarify, I'm doing all this on a cartridge. :)

—–

EDIT: Unfortunately, both glitch moves proved uneventful in battle as they both seem to have 0 accuracy (Always missed) and both crash the game before you can select your move in contests…

The glitch move EARTHQUAKE learns at Level 8: [glow=red,2,300][Attachment 1][/glow]

The glitch move at the Move Tutor: [glow=red,2,300][Attachment 2 & 3][/glow]


As for the four glitch moves my Pokémon hatch with, here they are: [glow=red,2,300][Attachment 4 & 5][/glow]

The move "[]Ï  BLPO" can be used in battle and in contests with (from what I've seen so far) no negative effects, and "MNPOPOPOPOPOPOPO" seems to give instant victory in battle when used, but it must be placed first on the moves list for it to work.
Below is a list of the effects and stats of the moves that I have found so far.

MNPOPOPOPOPOPOPO
—–
Type: [Glitch type; crashes game] - Cool
PP: ?1
Power: 70
Accuracy: 1
Battle description: <blank>
Appeal: 4
Jam: 0
Contest description: "A highly appealing move."
Effect in battle: "[Pokémon] used [Long line of text; wraps around screen 3 times]!" [glow=red,2,300][Attachment 6][/glow] - Always misses, due to having 1 accuracy. Turns battle into a Battle Tent match. Selecting "RUN" afterward will say "[Trainer] forfeited the match!". The trainer you just battled will act as if you had beaten them.
Effect in contest: Crashes game.

[]Ï  BLPO
—–
Type: Normal - Cool
PP: 8
Power: 243
Accuracy: 29
Battle description: <blank>
Appeal: 3
Jam: 0
Contest description: "The next appeal can be made earlier next turn."
Effect in battle: "[Pokémon] used a NORMAL move!" - Damages the target significantly.
Effect in contest: "[Pokémon] appealed with COOL move!" - Animation looks like Pound.

C    ì   ú
—–
Type: Normal - Cool
PP: 0
Power:
Accuracy:
Battle description: <blank>
Appeal: 2
Jam: 1
Contest description: "Badly startles POKéMON that made SMART appeals."
Effect in battle: Softlocks game when "FIGHT" is selected.
Effect in contest: Crashes game.


—–
Type: Normal - Cool
PP: 0
Power:
Accuracy:
Battle description: "qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF"
Appeal: 8
Jam: 4
Contest description: <blank>
Effect in battle: Crashes game when "FIGHT" is selected.
Effect in contest: Crashes game.

I'm not too sure if this info will help you guys in any way, but I just thought I'd share it anyway. :)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2015-09-02 15:09:49
About your "effect in battle" and "effect in contest" lines: remember (or discover, since I assume you don't know about it yet) this effect that I and Torchickens researched.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: ATEMVEGETA
Date: 2015-10-13 22:51:21
Can you enable Mew's island flag with this glitch?

Edit: Or enable the ticket event so you can travel there the normal way? Once I enabled Latios/Latias ticket event by doing the glitcher popping glitch.

Also, what about Mirage Island?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Krys3000
Date: 2015-10-14 07:17:46
Hey!

Metarkrai did a video to unlock Mew on Faraway Island : https://www.youtube.com/watch?v=4lJQhF8EFQ4

But I'm not sure it works for english games. And he was trying something about Mirage Island, I think.

I dropped a message for him on PRAMA's Skype Group. Maybe he'll see and come answer personally  ;D

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Thanathan
Date: 2015-10-14 10:11:14
I dont know if its worth posting it and if I should do it here  :-[  but..mh I found some things, when I leave without any Pokemon using wtw. oxo