Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 32

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: ATEMVEGETA
Date: 2015-11-01 12:19:11
So, the Pomeg glitch has proved to be a very interesting and promising glitch with many major sub-glitches, like access pkmn beyond 6th slot, hatch any pkmn, clone party pkmn, and more, and sometimes while I was messing around with it some weird things happened, like unlocking Lati@s's island event (emerald), and bag item cloning (fire red) like stacks of 452 Super Potions and ?58 Cleanse Tags.

But this thread seems to have gotten too far with research on the Pomeg glitch and I kinda lost the ball. So, I was hoping if any of you glitch experts that do research on this glitch and know what's going on with it, because it seems too complicated for me (and I guess to many other readers) to understand, can summarize every sub-glitch of the Pomeg glitch that has been discovered so far and those new ones that can be extrapolated from this thread with steps on how to perform each one?

Thanks in advance!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: gangstajigglypuff
Date: 2015-11-04 08:59:47
as im trying to get back into completing my dex on emerald, theres really only a few pokemon missing. namely deoxys, mew and slowpoke. funny thing is, you can get every pokemon by combining pokemon xd, colosseum, channel (pal), fire red, ruby, sapphire and emerald, except those 3. so slowpoke confirmed as rare as mew  ;)

the discussion is really interesting, although its getting really technical regarding memory addresses and ram data that its sometimes hard to comprehend. what i would especially be interested in is the practical use of this.

for example if its feasible to corrupt the data in such a way that you can activate events for birth island, faraway island and maybe navel rock that would be a major breakthrough, as this would allow to get deoxys and mew legitimately and trade them over and make them obey. on a spare safe file of emerald you could pull off the corruption, so all the trash data you create wont be of a concern and you just trade them over. activating southern island event is nice but not much of use if you completely alter your trainer data and cared about that save file.

so if southern island can be activated, is the issue the same for birth island, faraway island and navel rock?

can you get the tickets handed over via an activated mystery gift event or would you have to item corrupt them similarly to the gs ball in crystal when you celebi egg glitch?

if you can change the substructure so that EVs turn into species, could you change it in a way that certain substructures like EVs or moves change into held items? As those tickets probably have high index numbers might this require glitch moves to work?

mirage island corruption would be not much of interest with this method as it can be easily rng manipulated. so the risk to your save file wouldnt really pay off when theres a more efficient and faster way.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-11-19 02:09:21
as im trying to get back into completing my dex on emerald, theres really only a few pokemon missing. namely deoxys, mew and slowpoke. funny thing is, you can get every pokemon by combining pokemon xd, colosseum, channel (pal), fire red, ruby, sapphire and emerald, except those 3. so slowpoke confirmed as rare as mew  ;)


Funnily enough, Decamark 0x0000 has the cry of Slowpoke, for some reason.

You can easily get a Slowpoke by performing the EVs > Species corruption with 79 HP EVs on Seasor. Getting Mew requires 151 HP EVs and getting Deoxys requires 1 Attack EV and 130 HP EVs.
As for the event unlocking, I'm pretty sure it's already been done a couple of pages back.

On a different note, on emulator, does anyone know where the location for a viewed pokemon's type is in Memory Viewer? It'd be nice to see what Hex value certain glitch types are. :)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-11-21 14:03:47

But this thread seems to have gotten too far with research on the Pomeg glitch and I kinda lost the ball. So, I was hoping if any of you glitch experts that do research on this glitch and know what's going on with it, because it seems too complicated for me (and I guess to many other readers) to understand, can summarize every sub-glitch of the Pomeg glitch that has been discovered so far and those new ones that can be extrapolated from this thread with steps on how to perform each one?

Thanks in advance!


I don't have all the sub-glitches in my head, but you have:
- Near to full Pokemon manipulation (create a Pokemon with certain IVs, EVs, Species, Exp, Met Location, Moves, Ball)
- Obtain Pokerus
- Obtain every item
- Obtain every Pokemon
- Obtain every Secret Base Decoration
- Corrupt Lilycove Museum paintings (to get the Contest star easily)
- Duplicate Items
- Fast cloning
- Instant Pomeg Glitch
- Charm Glitch
- Your Opponent's Pokemon Glitch
- Unlock Southern Island
- Unlock Birth and Faraway Island (French Emerald)
- Cool graphical and audio glitches
- Catch Battle Pike and Pyramid Pokemon
- Despawn NPCs
- …

And about those that could be explored, most of the methods were explored as far as possible, and a lot of ideas were used. The main thing left is Arbitrary Code Execution: see which Glitch Pokemon/Move/Thing could trigger an easy ACE that could be performed with Bag Items or PC/Party Pokemon data.

For practice, everything starts with a Pomeg Glitch, and after that it's an interaction between Pomeg Glitch / a glitch Pokemon / a glitch move / a glitch thing and another mechanic, may it be in a battle or outside of battle.
Everything isn't interesting and the list of potential goals is limited, and for now, the main manipulable mechanics have been visited.
It really stretches in every direction, and the working techniques only come from a refinement of an interaction in order to make that console-useable.





gangstajigglypuff :
You can easily trigger Southern Island in Emerald with Pomeg Glitch, as they left the whole event in the cartridge.
You can also easily obtain all the tickets, but triggering the event islands is another matter.

As of now, I only have one technique to do that, but it only allowed me to unlock Faraway and Birth Islands in a French Emerald as you need Glitch Pokemon with really specific values (you need to corrupt the value managing the party slot of the current fighting Pokemon with a Glitch Pokemon Name, and you can't give it every value you want).

It's also possible to create obedient Mew and Deoxys with PC Pokemon Corruption, but it's tedious as you can't do that easily from the in-game traded Pokemon. And you would need a Pokemon with a specific corruption type in order to create an obedient Mew/Deoxys with the right met location and lv.
My best guess for these islands would be an ACE, as for now I don't really have any more method to corrupt the RAM addresses managing these event Islands.


Spectramark : If you want to know a Glitch Pokemon's type, the Extended Gen III Pokedex is really good for that, (or a script to analyse the ROM data of Pokemon, Glitch Pokemon included). As most Glitch Pokemon will freeze the game when you open their summary, you won't be able to know their type like this.

Some glitch types are graphically interesting as they don't make the game crash, some might be interesting because they make the game crash and could potentially bring up ACE, but they don't have any other good effect as they all have a neutral interaction with all the remaining types.

The Pokemon types also aren't stored during battles, so there's no value you could easily read to get the type of a glitch Pokemon.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-11-22 07:37:50
Okay. :)
Is there any chance you could give me a link to the Extended Gen III Pokedex? It sounds like it would be really helpful.

On a different note, while playing around with Pomeg corruption, I used a certain glitch move (not sure which) which crashed the game and made the battle music slow down.
After about a minute, the music changed to a slowed-down version of FRLG's Pallet Town.

I knew there were sprites left over from FRLG, but I never expected that song.
Not sure whether or not you've seen this sort of thing happen before, but it certainly took me by surprise. :)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-11-23 16:34:11
I always have a hard time finding the link back on the forum, but it's there.
Be careful, it only works well with US roms.
If you want info about Glitch Pokemon on Fr/Jap/… games, you have to do tiny manipulations to make Gen III Extended suite read it.

Glitch Moves can really easily crash the game, as they don't need a really long name to overwrite the RAM data managing the fights (some values there really need to be precise or the battle crashes), as they can change the battle type (some types making you unable to flee and properly attack, or just crashing the game), and as most (if not every) glitch move animation messes up with the game.
The issue with these animations is that they sometimes won't crash the game by pure randomness (the type of crash/freeze can change too), so I didn't find any useful glitch move that would have an exploitable glitched animation.

Glitched effects of Glitch Moves also crash the game if I remember well. There aren't many of them, but that's an eventuality.
There's also a potential issue with the "called" name of the glitch move (the name used in the textboxes when you use the glitch move), as it's often different from the glitch move name, and can too rewrite the RAM data managing the fight.
There's also a certain loop of "oe" symbols that crashes the game.

About FrLg OST, it is in Emerald (maybe not all the tracks, but most of them), and is only used for Navel Rock.
The change of music only happened to me once : the game stayed stable and I got an Oak Lab track playing, but I forgot to savestate and greedily tried to use the glitch move another time. I tried to use that move again (I had a savestate right before), but I never got that music change again.


Recently, we searched a bit about Glitch Pokemon names that could interfere with the game music, as a potential ACE starter, but the search didn't really bear fruit. (We didn't really know what values to put to have different interactions with the music that could go beyond that)

I also randomly fell on a glitch pokemon name that really heavily messes up with the graphics. It is on a French Emerald, and strangely doesn't produce the same effects depending on the emulators. If more stable versions of that Pokemon were to be found, that would be neat.
Its index is 0xCBB3 (Fr Emerald), and I roughly show its effects here : https://youtu.be/BNvi05UH9zk?t=1h9m46s

In general, if you want to find a Glitch Pokemon whose name will cause interferences when read in PC, use Gen III Extended Suite to find the Glitch Pokemon with the longest names on the ROM you're using. (I have the list for Fr Emerald and I always forget to do it on the US one.)
After that, it's a matter of taking a Glitch Pokemon ID on that list, increasing it, and checking if the new glitch pokemon does something neat.

I would really like to extract an area of addresses that could bring nice effects if they are given the right values, but reading a really long species name in PC seems to mess with multiple things at once in the Memory Viewer, so it's hard to know what part of the name was the culprit.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: ATEMVEGETA
Date: 2015-12-05 07:18:57

I don't have all the sub-glitches in my head, but you have:
- Near to full Pokemon manipulation (create a Pokemon with certain IVs, EVs, Species, Exp, Met Location, Moves, Ball)
- Obtain Pokerus
- Obtain every item
- Obtain every Pokemon
- Obtain every Secret Base Decoration
- Corrupt Lilycove Museum paintings (to get the Contest star easily)
- Duplicate Items
- Fast cloning
- Instant Pomeg Glitch
- Charm Glitch
- Your Opponent's Pokemon Glitch
- Unlock Southern Island
- Unlock Birth and Faraway Island (French Emerald)
- Cool graphical and audio glitches
- Catch Battle Pike and Pyramid Pokemon
- Despawn NPCs
- …

And about those that could be explored, most of the methods were explored as far as possible, and a lot of ideas were used. The main thing left is Arbitrary Code Execution: see which Glitch Pokemon/Move/Thing could trigger an easy ACE that could be performed with Bag Items or PC/Party Pokemon data.

For practice, everything starts with a Pomeg Glitch, and after that it's an interaction between Pomeg Glitch / a glitch Pokemon / a glitch move / a glitch thing and another mechanic, may it be in a battle or outside of battle.
Everything isn't interesting and the list of potential goals is limited, and for now, the main manipulable mechanics have been visited.
It really stretches in every direction, and the working techniques only come from a refinement of an interaction in order to make that console-useable.


Wow interesting list! Can you please give us a step by step walkthrough on how to perform each of these steps? It would be really awesome! Thanks!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-12-06 09:18:45
Most of these glitches are explained on either Chickasaurus' channel or mine :
https://www.youtube.com/user/ChickasaurusGL/playlists
https://www.youtube.com/user/zreety/playlists

There are only some tiny things like museum paintings that aren't explained in videos, the vast majority of the Pomeg Glitch exploits has been recorded on video.
The only main method that I haven't recorded yet is a complete tutorial about Double Corruption to manipulate a lot of data on a single Pokemon at once.

Some of my videos don't have an English explanation, so if you're interested in them and don't really know what happens, drop a message here and I'll make a detailed explanation. (I don't really remember which video doesn't have English explanations).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-12-07 17:51:43
Is there any way you could explain how to set up and perform a double corruption? I never really understood how to do it, as it either looks like a very complicated and tedious procedure… or I'm just being a derp :-\

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-12-08 05:02:14
If my memory is right, I made an explanation about the method with steps to get the perfect initiator on that page: http://forums.glitchcity.info/index.php/topic,6868.420.html

There are good chunks of explanations as I'm detailing different corruptions and things, so you don't have to read everything to be ok with the double corruption procedure.

Torchickens also made a vbm movie file showing how he obtained a perfect initiator and how he used it to corrupt a Pokemon (in case you're on vba. You can also always download vba, an Emerald ROM, and watch the movie file), and I also provided codes for the initiators in case this would be needed. (These two posts are on page 30).

Torchickens also made a Double Corruption in one of his videos : https://www.youtube.com/watch?v=HhHlANrnOCI
And I also did a video about using Double Corruption on in-game traded Pokemon in order to obtain any Pokemon/Move/Item: https://www.youtube.com/watch?v=BNvi05UH9zk (there's an English pastebin in the description).

Double Corruption isn't really hard to do. It's just that it involves a good amount of different mechanics to get an interesting result, which means that the procedure to get it done has a certain amount of steps that are different and required.

But all in all, if you follow them well, you won't have any issue.

As I haven't completed for now my file on the complete double corruption (doing it on an arbitrary Pokemon and not an in-game traded Pokemon), I have no translation for that, and the best use you'll have of Double Corruption will be with the in-game traded Pokemon.

For these Pokemon, you can use another perfect initiator (instead of SEASOR the Horsea), as the in-game traded Plusle can do the trick (check the pastebin on my video about it, or my pastebin about shinyhunting in battle pyramid, or ask me if you don't find it written in them).

Once you have an initiator, it's just a matter of choosing what you want (Pokemon, Item, Move), taking the in-game traded Pokemon that will give you what you want, ev-train it until it has the required EVs to make the corruption work, and double-corrupt it with the written procedure (with a high chance to succeed per attempt, meaning a quick corruption).

Oh, well, I'm seeing that my pastebin for the "Obtain any Pokemon/Item/Move" doesn't have the new fastest strategy implemented, so I'll check today where the hell I wrote the procedure to have an initiator from Plusle, and I'll paste the reworked procedure here.

I'll maybe skip some details/explanations, so you can for now read them on the mentioned links/videos, and you can also make a perfect initiator from a Horsea.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2015-12-08 15:52:42
Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2015-12-08 16:56:53

Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?


It must not be picked up at all, or you will most likely get a Bad Egg regardless of second corruption. If you did take the Egg and brought it into battle, it may look like either a retained Seasor (or I think[?] if I remember rightly from what Metarkrai taught me it could look like the 'EVs Pokémon' too) and you still have a chance of the Egg converting into the EVs Pokémon without it hatching.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2015-12-09 12:56:26

Okay, I'll take another look at the steps.

Also, one more question: When it says to not take the EGG with the hand, is it okay to look at its summary, to make sure it got corrupted into a "hatchable" egg and not an egg that retained Seasor?


Yeah, looking at the summary is the main way to get information on the Egg.
And as Torchickens said, you must really follow the "don't take until I say it" rule.
Taking the Egg refreshes the PPs of its moves.
But as the Egg has a different 4th move, the new 4th Move PPs can take a value that will make the second corruption fail.


I've now remade the explanations for the quick Double Corruption procedure.
Here it is : http://pastebin.com/2kJpBQCr

It only covers the obtention of any Pokemon/Move/Item, as I've said previously, but it's a really convenient procedure and it will allow you to have the main useful Glitch Pokemon, Moves to make nice things after that.

The complete Double Corruption procedure is very similar.
You use Horsea as a corruption initiator instead of Plusle. (you need to double corrupt it to turn it into a perfect corruption initiator) This is because Plusle only works for Pokemon with a PID and TID who have a highest hexadecimal character of 0,1,2,3,8,9,A,B, whereas Horsea works with any PID and TID (you have two Horsea for that).

Instead of Seedot/Plusle, you catch Smeargles.
By catching Smeargles right after resetting the game, you are able to determine their PID with their IVs and nature (their high level allows you to have a good approximation of their IVs).
Knowing the PID of the Smeargles allows you to know their Corruption type. (determined by the highest hexadecimal character of the PID and by PID mod 24)

Then, knowing the Corruption type, you choose what kind of results you want, and write down the training that will be required. Next is the training phase. It's longer than simply training EVs, but not that much longer.

And lastly, the Double Corruption phase is the same.
You can Double Corrupt multiple Pokemon at the same time by cloning each of them 5 times, and placing them in the PC with the same pattern as the one in the pastebin. (You place a clone of the first Pokemon to corrupt in Box 2 slot 24. You put one initiator one slot before it. You place one Pokemon to corrupt before that initiator. … You continue until you have placed 5 clones of a Pokemon to corrupt and 5 clones of the initiator. Then you place a clone of the second Pokemon to corrupt one slot before the last placed initiator, and go on.)

This allows you to double corrupt 5 Pokemon at the same time (5 clones + 5 initiators = 10 slots required, and there are 54 PC Slots that can be corrupted with Pomeg Glitch).


The long part with the complete procedure is the detail of all the possibilities, with the formulas, the required trainings, and the cumulated things you can achieve.
I'll also need to rewrite the other parts because they were using slower strategies.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-01-19 09:38:21
So I've been doing some research recently into possibly getting code exec (and not needing TAS or a crafted save file).

Luckily for us, forums like pokecommunity have basically reversed gen 3 to pieces trying to do more with ROM hacking. So we can search their site for interesting things.

Moves use *two* separate VM bytecodes. One for animation and one for move effects.

The move effects one is essentially useless, it grabs a byte as an index into an array, and so we have not that many invalid entries.

However the move animations.. It grabs a pointer from an array, using the move identifier as an index.

This array of pointers starts at 0x2C8D6C in English Emerald.

I coded some quick dumper to get any interesting info about all attacks, and plenty of attacks have animation pointers in RAM somewhere.

So, assuming we can find a way to write stuff there, how do we escape from the interpreter of this VM bytecode?

Easy.

This thread on Pokecommunity details the bytecode opcodes for the animation VM.

Notice that opcode 03 calls a native function.

Opcode 08 ends the animation, so in theory, if we can write 03 xx xx xx xx FF 00 08 at a certain place in RAM (where xx xx xx xx is a little endian pointer to our final payload, and this assumes that 0xFF is highest priority, it might not be), and use a certain glitch move, then we'd get code exec.

Here's a list of moves in English Emerald with interesting animation pointers.
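
The following is an added example, not part of Stackout's post and not the dumper it mentions: it shows why an unchecked move identifier used as an index into a table of 4-byte little-endian pointers ends up yielding "animation pointers" into writable RAM, and what a bounds-checked lookup looks like. The region bounds are the standard GBA memory map; the sample image, its table offset (0x10) and its table size (3 entries) are constructed for illustration, and for the real game you would pass the post's offset 0x2C8D6C and the game's actual move count.

```python
import struct

# GBA memory map: (name, start, end-exclusive). ROM is the 0x08/0x09 window.
REGIONS = (
    ("EWRAM", 0x02000000, 0x02040000),  # 256 KiB, writable
    ("IWRAM", 0x03000000, 0x03008000),  # 32 KiB, writable
    ("ROM",   0x08000000, 0x0A000000),  # cartridge, read-only
)
WRITABLE = {"EWRAM", "IWRAM"}


def classify(addr):
    """Name the GBA region an address falls in, or 'other'."""
    for name, lo, hi in REGIONS:
        if lo <= addr < hi:
            return name
    return "other"


def raw_lookup(rom, table_off, move_id):
    """Unchecked lookup as the post describes it: index -> 4-byte LE pointer."""
    return struct.unpack_from("<I", rom, table_off + 4 * move_id)[0]


def audit(rom, table_off, n_valid, max_id):
    """List (move_id, pointer, region) for ids past the end of the table
    whose 'pointer' (really unrelated adjacent data) decodes to writable RAM."""
    hits = []
    for move_id in range(n_valid, max_id + 1):
        if table_off + 4 * move_id + 4 > len(rom):
            break  # the index has walked off the image
        ptr = raw_lookup(rom, table_off, move_id)
        region = classify(ptr)
        if region in WRITABLE:
            hits.append((move_id, ptr, region))
    return hits


def checked_lookup(rom, table_off, n_valid, move_id):
    """Hardened lookup: bounds-check the index, then require a ROM target."""
    if not 0 <= move_id < n_valid:
        raise ValueError(f"move id {move_id:#x} outside table of {n_valid}")
    ptr = raw_lookup(rom, table_off, move_id)
    if classify(ptr) != "ROM":
        raise ValueError(f"entry {move_id:#x} points outside ROM: {ptr:#010x}")
    return ptr


# Constructed sample image (not game data): three real table entries,
# followed by unrelated bytes that sit right after the table.
SAMPLE_TABLE_OFF = 0x10
SAMPLE_N_VALID = 3
SAMPLE = bytearray(0x30)
struct.pack_into(
    "<7I", SAMPLE, SAMPLE_TABLE_OFF,
    0x08100000, 0x08100040, 0x08100080,              # valid entries, in ROM
    0x0203A000, 0x03001234, 0x00000000, 0x08123456,  # adjacent data
)

if __name__ == "__main__":
    # Move identifiers are 16-bit, so scan the whole reachable index range.
    for move_id, ptr, region in audit(SAMPLE, SAMPLE_TABLE_OFF,
                                      SAMPLE_N_VALID, 0xFFFF):
        print(f"move {move_id:#06x}: pointer {ptr:#010x} in {region}")
```
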

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-02-01 08:49:42
Wow. That sounds very neat!

I was thinking of ideas and wondered if the PC items at around 02025ECC (randomized by DMA) may be useful.

Metarkrai taught me that the PC item quantities values aren't protected unlike bag items; so something like x99 is $63 and not a hard to predict value, and you can get many (all?) glitch items with double corruption, and duplicate them with Pomeg duplication glitch to access many quantities.

If you had a Great Ball in PC item slot 1, the first byte would be 03 00. However, the closest from your list seems to be pointer A00F (0x2025301), which items-wise may be out of reach even with lucky DMA placement.

What region of the memory isn't randomized by DMA? I notice that some addresses like those around 2000000 apparently aren't.