Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 33

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-02-02 06:37:11
Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 …." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer; the two closest are move 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). At both of those addresses is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it (because, as usual, it just grabs from the array without doing index bounds checking).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: PokeBec
Date: 2016-02-03 09:20:55
If I would create an Old Sea Map in a Japanese Emerald, would it be possible to go to Mew? Or would it work like in the US versions?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-04 05:56:16

Wow. That sounds very neat!

I was thinking of ideas and wondered if the PC items at around 02025ECC (randomized by DMA) may be useful.

Metarkrai taught me that the PC item quantities values aren't protected unlike bag items; so something like x99 is $63 and not a hard to predict value, and you can get many (all?) glitch items with double corruption, and duplicate them with Pomeg duplication glitch to access many quantities.

If you had a Great Ball in PC item slot 1, the first byte would be 03 00. However, the closest from your list seems to be pointer A00F (0x2025301), which items-wise may be out of reach even with lucky DMA placement.

What region of the memory isn't randomized by DMA? I notice that some addresses like those around 2000000 apparently aren't.


Basically, everything before 0x02024A5A isn't affected by that DMA address change. (for US/EU Emerald).
It basically starts off at values like ID, SID, trainer sprite, in-game time, and goes down to most of the manipulable stuff you would have.

The main thing that you can manipulate which is above that address is Party Pokemon, in the area of 0x02024542.
You also have data related to the current (or previous) battle in 0x02024086 area, and there should also be some storage places for Pokemon data (when you multi-select them in PC, when you fight a trainer, a wild Pokemon,…) in that area.

The two main things that could be easily manipulated are Pokemon data (with in-game traded Pokemon or a known SID + RNG, and multiple double corruptions), or PC Items (identifiers and quantities).

Some values are hitting the 0x02024xxx area, so they could be used to do stuff with party pokemon data, or data about the battle (you could use the Pokemon moves and stat boost levels to do certain tiny things).

Since there seems to be a good amount of them in that area, there might be an address that would fall off right on a manipulable byte (or in 00 before a manipulable byte).

- Else, I saw many values in 0x02020xxx and 0x02021xxx area, which I don't think can be used (unless you can manipulate values there with PC Pokemon data when multi-selecting them or with glitch Pokemon names, because nothing else related to the current save file goes there).
And values pointing to 0x02030xxx could be used with PC Pokemon data (If I'm not wrong, it goes down to that address and further below, as it starts around 0x0202987C)

- Anyways, that research and data is really incredible and interesting !!
Thanks Wack0 for the detailed post and research, I'm sure it will bear fruit and allow some good ACE on cartridges (for small stuff like event unlocks).

- There are also many listed addresses pointing towards 0x0300xxxx.
In Emerald, there's nothing really manipulable here, but in RS, the party pokemon data is stored here (around 0x03004372).
Thus, these addresses could be used for ACE in RS.


- About the data manipulation in itself, if you're going for something as 03 xx xx xx xx FF 00 08 only, it won't be that hard to code it with PC Items (ID and quantities) or in Pokemon data. (If the length is less than 2 double-words, I think it can be fully manipulated on a Pokemon data. With further length, some cases wouldn't be possible, but a lot of them could be achieved).

The issue with PC Pokemon is that I don't know if PID, TID, and the other stuff at the start of a PC Pokemon data could avoid hindering code execution with some possible values.


- Are there some noticeable differences for animations with the user's location on the field? (if it is the opponent, or if it's another ally in the case of a double battle)

- Also, about the gen 3 datamining, do you know where scripts are loaded when you enter a new map?
Because I know the addresses of the loaded NPC (with their specificities like their attached script), but I never found the same thing for the loaded scripts (like data regarding where an exit needs to teleport you to, or scripts like Safari Zone entrance).
I'll check in pokecommunity to see if they have things related to that.


- And with pointers related to glitch stuff, do you know if there's a way to make a similar list of pointers about Glitch Type sprites, or Glitch Pokemon sprites ?
As this would allow some ACE just by looking at a Pokemon's summary, which TheZzAzZ did, but I don't know if there are jumps to pointers in the same area as the one you've listed that could then be used.

- Another question: With ACE, can you tell the console to change a value located at 0x08xxxxxx? (maybe temporarily)
Because there are some structures that I would like to alter in order to get interesting results (mainly some Battle Frontier scripts) and the sole way I see to achieve that is by patching some scripts.

- I might be able to go around that issue if I manage to find what part of the RAM manages the "Battle Frontier" type of fight (where if you forfeit, flee, or catch an opponent Pokemon, you're considered as loser), because it would allow me to steal Trainer Tower Pokemon in RS (they have the same ID/SID as the trainer, so they won't turn into Bad Eggs when stolen).



If I would create an Old Sea Map in a Japanese Emerald, would it be possible to go to Mew? Or would it work like in the US versions?


In order to get to Faraway Island, you either need to teleport yourself there (might be possible with ACE), or to have the Ticket + the island unlocked.

On some Emerald versions, you can use Glitch Pokemon to unlock Faraway and Birth Island (works in Fr,Ita,Spa, not in US, and I'm going to check for Jap), as the delivery man script that unlocks the island isn't implemented in the game, so you can't call that script in order to easily unlock it. (it is the mystery gift card that adds it to your save)
So unfortunately no, Old Sea Map alone won't help you.

However, the Faraway Island script is fully implemented into Emerald's ROM, and it is possible to trigger that delivery man script with a simple Pomeg Glitch corruption (hold Up for 14-15 seconds and check in the Pokemon Center upper floor if the delivery man appeared).


Apart from that, I have no other technique in my pockets to trigger the event islands on RS or FrLg.
If I had a NPC that reads the species names of a party Pokemon of yours with a certain command (there's one command in Emerald that freezes the game when a glitch Pokemon name is stored, and another one that doesn't), I would be able to set up the same trick as I did in Emerald (you can find it here : https://www.youtube.com/watch?v=4lJQhF8EFQ4 ).


As a side note, I also used some Battle Pyramid mechanics related to Battle Bag and the Safari Mode start menu in order to transfer items from Bag to Battle Bag, and bring things like Smoke Ball and Master Ball in Battle Pyramid in order to shinyhunt there : https://www.youtube.com/watch?v=_Y6gfc3xBvc

It would maybe be possible to steal Pokemon in most Battle Frontier facilities if using ACE with a glitch move could trigger a command that would take the opponent Pokemon data and store it in PC once the battle ends (or maybe change a trainer script in order to trigger a "blank" fight with the same opponent Pokemon as in your previous match, which would allow you to steal Battle Factory Pokemon).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-04 11:33:46
So yeah, values like 0x02024480 or 0x02024492 are right above party Pokemon (it starts on 0x020244EC).
Unfortunately, none of these addresses falls right on them.
However, the bits of data right above Party Pokemon seem to depend on something (fights maybe) and are cleared when you soft reset, leaving these addresses in a whole area full of zeroes.

I'll try to see what kind of data is written above party Pokemon.
At first glance, there are two areas where the word "ENIGMA " is written twice (absolutely no idea about that since it appears on all my savestates).
The rest seems to be mainly about wild battles, and doesn't seem to be well manipulable.

Thus, if zeroes don't bother that much (as well as PID and TID), 0x02024492 could be used.
I'll check what happens in a contest, to see if other values can be obtained.


Else, regarding in-battle data, you have 0x0202407E which is right before the stats and moves of the fighting Pokemon, as well as 0x0202406C which is right before the party slot of the currently fighting Pokemon.

- Also, the values on these addresses could be altered with a Glitch Pokemon name overflow (speaking to Slateport journalist stores a Glitch Pokemon species name), which could maybe write something that makes a command redirecting to a more manipulable area.
I don't think a command that would do a jump to a precise address could be achieved with this, since a Glitch Pokemon's name is based on ROM data, but if commands like "jump x bytes further" exist, they might be attained with that method.

- By combining a Glitch Pokemon overflow and data that can be refreshed (by doing a wild battle or talking to a NPC), we could maybe attain that little command to allow a jump to a more manipulable part, too.
And that technique could rely on addresses before 0x02024xxx if we can find some addresses that can be refreshed and that possess certain values we want, and if we can combine that with a glitch pokemon name that contains another part of wanted values.

- Addresses 0x02030xxx refer to Pokemon in Box 12 and 13.
Thus, this is a "reliable" set of addresses to use for ACE.
The unreliability comes from the movements of PC Pokemon data because of DMA, but I have a strategy to start managing that part.
This strategy is based on the same strategy I used to determine if a Pomeg Glitch corruption on a Day-Care Pokemon was right or not. (since you want to corrupt a day-care Pokemon while an Egg is laid, you can't know if it succeeded before taking the Egg, whereas my goal was to corrupt the Pokemon and change the Egg contents into a legendary or glitch Pokemon in order to shinyhunt them)
Roughly said :
.You put a Pokemon in Box 2 to act as dummy.
.You make a team with the required glitch move in it, then prepare it for a Pomeg Glitch.
.Set up the Pomeg Glitch and make a wild battle.
.Start pushing Up, and while you count your Up pushes, check the party slot n°1. It will sometimes be highlighted, and sometimes not. (When it is highlighted, it is because the underflown selection pointer is on a "party slot" that isn't "empty")
.Have a list of specific Up pushes that need to have a red highlight or not when the DMA repositioning is correct. (these highlights will be the ones related to the pointer reading parts of the dummy Pokemon in Box 2)
.If the highlights and non-highlights you saw with your first Up pushes (the first 10-15 Up pushes) don't match, reset. You know that the RAM data positioning wasn't the right one.
.Else, open the Bag, revive the Pokemon with the Glitch Move, and try to use it. This way, your chances to not be in the good RAM data positioning are really decreased.

This strategy can't bring you a complete RAM data repositioning check since the only information you can get is from these red highlights depending on the dummies you've deposited in Box 2 (for my Day-care strategy, I completed it by checking the state of the dummy after the corruption, but here you can't), but it is still a nice indicator.
I don't really know how accurate it can be, but it could for sure be useful.


As of now, I don't have other addresses from your list that I could comment on for manipulations.
But I'll check and try to see more accurately if there are other bits of data in 0x02020000 - 0x020220000 that can be used with a certain method (mostly with Glitch Pokemon names on PC, or Pokemon data being copied there).




EDIT :
By the way, I also updated the Double Corruption methods with better setups (that give higher success chances), and I will make a video and a pastebin about the complete method.
The pastebin for the short method was already updated for a bit of time : http://pastebin.com/2kJpBQCr

The two main differences on the procedure are :
- Catching Smeargles right after soft-resetting the game in order to determine the frame they were generated on with RNG Reporter (and know their PID like this, which indicates their corruption type and which initiator is required to corrupt their PID).

- Requiring a TID corruption as first corruption.
This allows an easier 4th Move PP manipulation, which allows for a fast second corruption. (using 5 clones instead of 1)
The differences between TID and PID corruption Eggs are in general easy to see by checking the Egg summary and its battle sprite (in general, if it doesn't have Pokerus (if it didn't have it previously) and if the Egg contains the same Pokemon as before the corruption, TID was corrupted).
Some corruptions where a certain 4th Move is required (IVs/contest stats manipulation), will give a bit less results, but that's the only downside.

Since you often need to perform multiple double corruptions in order to get some glitch moves and glitch Pokemon (useful for Pomeg Glitch, for your next double corruption, for fun, or for other glitches), that update is really helpful to cartridge players.



For now, I modified the SEASOR perfect initiator procedure, making it also easier to perform :
Caterpie the Perfect Initiator :
Items :
Pokeblocks with 6 Chesto Berries at Lilycove with the old man. They must be Lv 12 Blue Pokeblocks, with 22-23 in Feel.
26 Hondew, and 26 Grepa Berries.
At least 13 Pomeg Berries.
Other Pomeg, Kelpsy,Qualot, Hondew, Grepa, Tamato Berries
5 Carbos, 5 Calcium, at least 2 HP Up.
TM Protect (sold at Lilycove).
Fluffy Tails.

- Get the in-game traded Seedot.
- Get the in-game traded Horsea. He must have less than 65.536 Exp points. (Lv 40 or lower)
Horsea and Seedot (and any other Pokemon you'll train for double corruption) must not catch Pokerus during their training.
- If Seedot and Horsea already fought a bit and gained some EVs, use the Pomeg, Kelpsy, Hondew, Grepa, Tamato Berries to put them back at 0 EVs.
- Clone them both to have a safe copy.
- Give 1 Carbos and 3 Calcium to Seedot. (Now Seedot is ready)
- Give 1 HP Up to Horsea. (He'll transform into a Caterpie)
- Give 1 Carbos to Horsea, and make him fight 3 Zigzagoon (For 13 Speed EVs that will absorb the 0x05 Corruption)
- Change Horsea Moves to Waterfall, Protect, Surf, –(Fr)/Return(US). (Having a specific 4th Move is really important)
- Save and clone them 6 times. (1 copy in a safe box and 5 copies for the next steps).
- Place the 5 Seedots and Horsea in Box1 or 2 with a Seedot-Horsea-Seedot-Horsea-…-Horsea pattern (a block of 10 Pokemon + Seedot before Horsea as Seedot is the initiator for Horsea's corruption).

- Save, and perform Pomeg Glitch (this is why Fluffy Tails is mentioned) to corrupt the Horsea. (you have 6-7/32 chances to corrupt Horsea's TID).
- Once one of the Horsea became an Egg,  check its summary.
If the Egg doesn't have Pokerus and isn't about to hatch, keep the Egg and save. (its TID was corrupted)
If the Egg has Pokerus, reset and redo the corruption. (PID was corrupted)
(the TID corruption being first is really important because it won't screw up the 4th Move PPs and allow you to make a fast second corruption)
- Save, clone Seedot and Horsea's Egg 5 more times, and display them in the same pattern as earlier.

- Save, and perform Pomeg Glitch again to corrupt a Horsea's Egg. (here it's 6-7/32 chance to get it, as you really can't move that Egg).
- Once an Egg became a Caterpie, save.
- Give him Pomeg, Hondew, and Grepa Berries to put its EVs back at 0. (they come from Horsea species + Exp since EVs are read on Growth)
- Give him 2 Carbos and 2 Calcium, and save. (Here it is, the first perfect initiator)
- Clone the Caterpie 2-3 times. (at least one copy in a safe box)
- Give the 6 Blue Pokeblocks to another clone (72=0x48 Beauty, 138=0x8A Feel), and give that clone a Heart marking. (here comes the second perfect initiator, the heart marking allowing you to distinguish both of them easily).
- Save, and clone these 2 Caterpies (marked and unmarked) a dozen of times.


Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: PokeBec
Date: 2016-02-14 09:52:02
So today I was planning on doing a double corruption in order to get an obedient Mew.

I had a Smeargle (but with too much experience, it was level 51) with 201 attack EVs, 1 special attack EV and 158 speed EVs. It had 126 beauty and 72 feel.
It was caught in a pokeball and its 1st move was acid armor and its 2nd move was thief, 3rd and 4th was empty.

I cloned 5 of them and put them in box 2 slot 24, 22, 20, 18 and 16. In slots 23, 21, 19, 17 and 15 I had "Pluses", level 13 Plusle from the trading NPC, it had only growl, no other moves. The Plusle had 0 EVs.

I have performed plenty of double corruptions before but this time something weird happened:
On the first try (first corruption) it directly turned into a Mew, it never turned into an Egg. It had ?????? as item, which was weird since by all logics I have done before the Mew should have been holding a Liechi berry, which has index number 168.

The mew was caught in a premier ball, its origins says it was hatched at level 5 at Faraway Island. It has ?741824 Exp. 2 ribbons and the moves are glitched when I open them but what I can see is Synthesis (Index Number 235, same as Smeargle) and Low Kick (Index Number 067, not sure why).

The next step:
I wanted to see what happens if I tried to double corrupt this Mew, as I am on GBA I can not check its PID and others. So I cloned 5 copies of this Mew and put it in the same slots, with Pluses in between. The result was that after a couple of tries the Mew again turned into a level 51 Smeargle, the exact one as it was from the beginning. It had Acid Armor as its first move but the second move glitched the game.

So 2 times I completely changed the pokemon directly into another pokemon, without having to change it into an Egg first.

Might be a normal thing but it has never occurred to me before.


Also, what is the purpose of the "Perfect initiator"? Seems to be working without the Caterpie for me.



EDIT: Also if I RNG for a Smeargle to be good for double corruption, how would I know if the PID is good? I know how to RNG for the exact Smeargle, but what I do not know is what is a "good Smeargle".

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-15 14:07:27
- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.

  And that amount of Beauty is the reason why a single corruption turned your Pokemon into another Pokemon, skipping the Egg phase.

The Smeargle you used has a corruption type of 3 (Growth on Attacks, Attacks on Growth, Evs on Misc, Misc on EVs), and you corrupted its PID first.

Thus, its Miscellaneous substructure was read on its EVs substructure.
And the Egg state bit was read on a bit linked to your Beauty stat. (bit 6, to be accurate).
Since your Beauty was at 126 = 0x7E, the Egg state flag was raised to 1 by the substructure swap.

  But since you also corrupted your PID and not your TID, the encryption change flipped the 30th bit of every double-word of each substructure.
Since the Egg State flag is one of these bits, it became flipped to 0, which means that you directly ended up with a Pokemon on a single corruption.


  And since the encryption change was still there, parts of the data you wanted to have (like Held Item, Exp, Move 2 and Move 4, Ribbons,..) isn't right.
For example, your Move 2 which should have been 0x0000 (read on the held item, and you didn't have one), became 0x4000.
Your held item, which should have been 0x00A8, became 0x40A8.
And so on.

-  This is one of the reasons why a double corruption is more convenient than a single corruption :
The encryption change caused by the PID corruption only prevents you from manipulating certain parts of the Pokemon's data.
One of the main issues here is that the Pokemon ends up with glitched moves in slot 2 and slot 4, and you can't remove them with the Day Care because its Exp makes it Lv 100 (due to an additional 0x40000000 exp).


Then, when you tried to corrupt that Mew a second time, instead of corrupting its TID, (which is maybe not possible with your ID/SID couple when using a Plusle initiator) you got a lucky PID corruption.

That PID corruption reverted Mew to its backwards form, which also changed the encryption value to its initial value.
Thus, you ended up with your Lv51 Smeargle again, but with a glitched Move 2 since you withdrew the item Mew was holding (because of the held item - move 2 change, having item 0x0000 gave your Smeargle  0x4000 as Move 2).


– Why is this PID corruption a lucky corruption ?
Because there is a single "corruption pattern" that you can use with initiators in order to corrupt a Pokemon's PID (or TID) that won't corrupt another byte in that Pokemon's data.

That byte corruption sets two bits to 1, which gives it a rough 1/4 chance to be avoided on a Pokemon when it happens. (Thus the "lucky" corruption that happened to you, because it isn't something reliable)

  The other thing that corruption initiators do is to allow you to corrupt every possible PID/TID.
Because if you focus on a certain "corruption pattern" induced by a corruption initiator (or by an empty slot), the corruption that will happen on a Pokemon's PID will set its 30th PID bit to either 1 or 0.
And since half of the PID need a 30th bit set to 0, and the other half a 30th bit set to 1 in order to be corrupted, you will need two different corruption initiators if you want both of these effects. (with the "safe" "corruption pattern" that will work on every Pokemon).

If you count on two different "corruption patterns", you can effectively corrupt a Pokemon's PID with a 30th bit set to 0 or to 1, like it happened to you, but one of these bit sets will have a 3/4 chance to not work, depending on the Pokemon you want to corrupt.

Whereas if you obtain both SEASOR perfect initiators, that 3/4 chance to not work completely disappears.


– Well, there is also another reason that can make a corruption fail, which is linked to these 30th bits too.
You need to have an even amount of 30th bits at 1 in the substructures of your Pokemon if you want a PID/TID corruption to work. (There are 12 double-words, so an even amount of bits at 1 is also an even amount of bits at 0)
If there is an odd amount of these said bits, the Pokemon's checksum will change by 0x8000 when either its TID or PID is corrupted, which will change it into a Bad Egg.


The values that can affect these 30th bits are known, and only a few of them must be watched, like the Ball of capture, Speed EVs, Beauty, Feel, 4th Move PPs, Move 2 ID, Move 4 ID, Held Item ID.

If you catch a wild Pokemon using a Ball with an Id from 0x0001 to 0x0007, and don't give it Beauty nor Feel, none of its 30th bits will be set to 1.
In your case, your Smeargle was caught on a Poke Ball (0x0001), had 158 Speed EVs (0x9E, not an issue), 126 Beauty (0x7E, sets the bit to 1), and 72 Feel (0x48, sets the bit to 1).

Thus, you had 2 of these bits set to 1, which allowed you to corrupt your Smeargle without ending with a Bad Egg.

  But, since you only had 72 Feel, you didn't reach the Obedience flag after the PID corruption (that flag is the highest one, so you needed a Feel value between 0x80 and 0xFF to get it).
(But I think you couldn't test it since your Mew had glitch moves, and since you couldn't remove them using Day Care).


–  In your case, you pulled out a corruption with the effects you wanted thanks to a good amount of luck.
Whereas the purpose of perfect initiators is to remove that luck dependency and allow you to corrupt any Pokemon you would like with TID and PID corruptions (and 30th bit set to 1 or set to 0 depending on what you need).

  For in-game traded Pokemon, their PID is something like 0x000000XXX and their TID is like 0x0000YYYY, so you can corrupt their PID and TID using a single perfect initiator, which is why the Plusle with Growl is used. (he can safely set PID and TID 30th bit to 1).

  But if you want to also safely set that 30th bit to 0, you need another perfect initiator, and the easiest one you can obtain to do that in Emerald is a SEASOR. (You can obtain both perfect initiators from SEASOR too, but if you use Plusle you will only need another one)


— For obedient Mew and Deoxys, you have 2 choices :
Growth read on Attacks  + Misc read on EVs (corruption Type 3)
Growth read on EVs + Misc read on Attacks (corruption Type 8 )

The first one is easier to set up if you want the met location and met Lv too, as you will manipulate the met location and met Lv using EVs, whereas you would be doing it with Move 2 with Corruption Type 8.

  Here, let's do it with a Corruption Type 3 Smeargle, it's the easier one to pull for Obedience.
For a Pokemon met at Faraway Island at Lv 30, you need a value of 0xB3 for Met Location, and a value of 0x0000 019E for Origin, which means 201 Atk EVs, 158 Def EVs, 1 Speed EV with Corruption 3.
For a Pokemon met at Birth Island at Lv 30, you need a value of 0xB2 for Met Location, and a value of 0x0000 019E for Origin, which means 200 Atk EVs, 158 Def EVs, 1 Speed EV with Corruption 3.
And you'll be using the Feel in order to get the Obedience flag (Feel between 128-191), but with a Beauty stat between 0-63/128-191 if you don't want to suffer the same issues that you met. (You can raise the other contest stats, they will influence your ribbons, which won't be problematic.)

- If you want to perform the fast double corruption method (where you clone the Egg you've obtained 5 times), you will also need to teach it Flash as 4th Move, and wait for a TID corruption as first corruption (Take the Egg in your party and make a wild battle. If it still contains a Smeargle, it will be a TID corruption. Else, its species would have changed because of its corruption type.) (6-7/32 chance to succeed)

- Else, the slow double corruption (the previous procedure) requires you to not touch the Egg once he appeared, clean the rest of Box 2, and put another corruption initiator before the Egg. (1/32 chance to succeed, and you need to use the right initiator too).
The only good point for a slow double corruption is that the Pokemon won't end at Lv 100, whereas the fast one will put it at Lv 100 because of Flash.

You will need in both cases a perfect initiator in order to make the PID and TID corruption.
You can reuse the Smeargle you've used before if you readjust its Beauty and Feel stats.
However, I don't know if its TID can be corrupted with Plusle, so you might need a SEASOR initiator to corrupt it.


—  And concerning the Smeargle capture, you don't really need to make a perfect RNG on them, you only need to use RNG Reporter in order to find back the frame they were generated on, and thus know their PID. (because it is PID that determines the corruption type)
With this process, you can easily catch Smeargles that have the mainly interesting corruption types, like Type 3, Type 8, Type 10,…

—  I have tables summarizing these corruption types, and I also made one to let you determine a corruption type based on a PID. I don't really know how to distribute them since they are part of a larger file, but here's a download link for them :
http://www.petit-fichier.fr/2016/02/15/precisions-sur-les-sous-structures-de-la-gen-iii-en/precisions-sur-les-sous-structures-de-la-gen-iii-en.html
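
The bit-30 parity rule from the post above, as an added Python example that is not part of the original thread. It assumes the commonly documented Gen III layout (48 bytes of data as 12 little-endian dwords XORed with PID ^ TID, plus a 16-bit additive checksum over the decrypted halfwords) and ignores the substructure reordering; the PID, TID and data words are constructed sample values.

```python
import struct

BIT30 = 0x40000000  # the PID bit the post calls the "30th bit"
WORDS = 12          # 4 substructures x 3 dwords (assumed layout)


def checksum(plain: bytes) -> int:
    """16-bit additive checksum over the 24 decrypted halfwords."""
    return sum(struct.unpack("<24H", plain)) & 0xFFFF


def crypt(block: bytes, pid: int, tid: int) -> bytes:
    """XOR every dword with pid ^ tid; the same call encrypts and decrypts."""
    key = (pid ^ tid) & 0xFFFFFFFF
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", block)))


def make_block(bit30_set=()) -> bytes:
    """Constructed plaintext: upper halfword 0x00A8, bit 30 set on chosen dwords."""
    words = [(0x00A8 << 16) | i for i in range(WORDS)]
    for i in bit30_set:
        words[i] |= BIT30
    return struct.pack("<12I", *words)


def corrupt_pid_bit30(plain: bytes, pid: int, tid: int):
    """Flip PID bit 30 while the stored ciphertext and checksum stay untouched.

    Returns (plaintext as it now decrypts,
             checksum stored before the corruption,
             checksum recomputed over the new plaintext).
    """
    stored = checksum(plain)
    cipher = crypt(plain, pid, tid)
    seen = crypt(cipher, pid ^ BIT30, tid)
    return seen, stored, checksum(seen)


def predicted_delta(plain: bytes) -> int:
    """Parity rule: each dword moves the sum by +/-0x4000, so 12 flips net
    0 when an even number of dwords had bit 30 set, 0x8000 when odd."""
    ones = sum(1 for w in struct.unpack("<12I", plain) if w & BIT30)
    return 0x8000 if ones % 2 else 0


def upper_half(plain: bytes, index: int) -> int:
    """Upper halfword of one decrypted dword (held item / move 2 style field)."""
    return struct.unpack("<12I", plain)[index] >> 16


def survives(plain: bytes, pid: int, tid: int) -> bool:
    """True if the stored checksum still validates after the PID bit flip."""
    _, stored, recomputed = corrupt_pid_bit30(plain, pid, tid)
    return stored == recomputed


if __name__ == "__main__":
    PID, TID = 0x12345678, 0x0000BEEF  # constructed values
    for label, bits in (("0 set", ()), ("1 set", (4,)), ("2 set", (4, 7))):
        block = make_block(bits)
        seen, stored, new = corrupt_pid_bit30(block, PID, TID)
        print(f"{label}: stored={stored:#06x} recomputed={new:#06x} "
              f"valid={stored == new} dword0 upper={upper_half(seen, 0):#06x}")
```

The even cases show why an additive checksum does not detect this kind of structured change: all twelve dwords are altered, yet the 16-bit sum is unchanged.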

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: PokeBec
Date: 2016-02-16 14:32:14

- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.


Sorry, I might have made the mistake to read this post from the back to get an old answer, trying to catch up with this glitch is not the easiest thing ever.

I did not have 126 beauty and 72 feel, I had the opposite, the Smeargle had 126 feel and 72 beauty. I'll change it and try it again but with a "perfect" Caterpie again later.

The post was this one, from you which was dated a while back:
Getting an obedient event Mew (example) :
For example, if you were to need a Faraway Island Lv 30 Obedient Mew from Emerald, this means you need to manipulate Species, obedience, and Met Location + Met Lv + Met Game.
So you'll either do a Type 8 (Growth on Evs and Misc on Attacks) or Type 3 (Growth on Attacks and Misc on EVs) Corruptions.
Since you're not manipulating too much Miscellaneous data, you can use EVs to get them all, so a Type 3 will be easier to set up.
You would need for that :
Move 0x97 (Acid Armor) as Move 1, 201 Atk EVs, 158 Speed EVs, 1 SpAtk EV, between 64-127/192-255 Feel.
Here, Speed EVs and Feel are manipulated, and Feel is in the 0x40-0x7F/0xC0-0xFF zone, but not Speed EVs, so you'll also need to have a "forbidden" Ball or 64-127 Beauty to make the Pokemon corruptible.
So use Pokeblocks that give Beauty like 4-player Blue Pokeblocks (12 Beauty, 21 Feel), so that with 6 of these Pokeblocks, you have 72 Beauty and 126 Feel.


Also a thought, to make the obedient Mew work for everyone, couldn't you make seasor learn Acid Armor by double corruption, then switch it into first move and do another corruption with the right amount of  feel?

Also some more thoughts.

@Metarkrai, you talked previously about a NidoranM swarm, how do you activate swarms, and more exactly what glitch pokemon did you use, and does that battery have to work for the swarms to start?

Also I wondered about one of your previous posts somewhere, you mentioned shinyhunting "ghost", is that by having a pokemon with glitch move 1077 (0x0435 if my maths are correct) in fire red before the ghost, and then if shiny, change the battle and catch it?

Thanks for helping me keep up with the glitch!


EDIT: is the Caterpie meant to be level 100, holding "?????"?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-16 19:38:52


- Where did you get that training part for an obedient Mew ?
Because I don't see where such an amount of Beauty might have been asked.


Sorry, I might have made the mistake to read this post from the back to get an old answer, trying to catch up with this glitch is not the easiest thing ever.


Don't be sorry, it's normal. This topic goes pretty much from the first discussions about the glitch to the current uses we have of it, so numerous explanations and attempts are present and a lot of them evolved significantly.

I thought that the instruction about EVs and Contest stat was from me, but I didn't remember where and when.
As you have seen, I gave incorrect EVs for the Met Lv and Met Game (right values but not at the right place).
I absolutely don't know why I gave an incorrect amount of Feel, but I did, sorry.

I'll redo the Pokeblock strategies for that in order to increase Coolness and Cuteness instead of Beauty.




Also a thought, to make the obedient Mew work for everyone, couldn't you make seasor learn Acid Armor by double corruption, then switch it into first move and do another corruption with the right amount of  feel?


You could use a double double corruption in order to get convenient things from Horsea, but in fact it wouldn't work.
That's because in-game traded Pokemon already have some Contest stats.
When Horsea is double corrupted, its Growth substructure is read on EVs substructure, and its Exp becomes at least 0x05050000 (=84213760), so he would become a Lv 100 Pokemon.
And since its Attacks substructure is read on its Miscellaneous substructure, Horsea gains 4 glitch moves from a double corruption.
Since he is at Lv 100, you have no way to remove these glitch moves.

Some Glitch Pokemon would still be at Lv 0 with this amount of exp (due to their glitch experience curve), but you wouldn't be able to make them level up in day care due to the enormous amount of exp required.

That unremovable Contest stat on in-game traded Pokemon (and the fact that they aren't Smeargles) is the thing that doesn't make them convenient for advanced double corruptions (where you try to manipulate more data in a single double corruption).
You can't manipulate a lot of data with one double corruption, and the contest stat is a hindrance for a second double corruption.


Also some more thoughts.

@Metarkrai, you talked previously about a NidoranM swarm, how do you activate swarms, and more exactly what glitch pokemon did you use, and does that battery have to work for the swarms to start?


The swarm corruption for that NidoranM swarm was made with a Glitch Pokemon name overflow. (You put a Glitch Pokemon first in your party, and go talk to the journalist in Slateport Poke Fan Club. The Glitch Pokemon species name is then written in RAM, starting from 0x02021CC0, and overwrites everything in its way.) (I don't really have a convenient name for that method yet.)

The goal here was to overwrite a part of the RAM addresses managing the active swarm of the version.
These addresses are far from 0x02021CC0 (they are in 0x02028xxxx, a bit before Day Care data and PC Pokemon data).
But I also found that when you save and reset your game (or do some actions like quitting Safari Zone), your Trainer name is written in addresses at 0x02027yyyy.

Thus, by using a Glitch Pokemon with a species name long enough to overwrite the Trainer name (and make it longer than usual), it was possible to overwrite RAM data located at 0x02028xxxx with this method.

If you wanted to overwrite a swarm and be able to hunt the Pokemon, you need to have specific values regarding the location and frequency of the swarm Pokemon (else you won't find it).
Since there aren't that many in-game locations with wild grass, there are only a few combinations that work with this method.
(There were none on a French Emerald, and one for a NidoranM in US Emerald).

Once the swarm is corrupted, it will still last as long as the normal swarm, since the only thing that was corrupted was the swarm "contents". Thus, if you remove the internal battery of your Emerald version (or disable the Real Time Clock in VBA), the swarm will never disappear.

But this method isn't efficient at all because overwriting the Trainer's name also means that :
- You need to use a strategy to get a short Trainer name back (else you can't use your PC), as well as a valid trainer sprite.
For this,  the Glitch Pokemon species name must leave an empty party slot, so that you can withdraw a Day Care glitch Pokemon, go back to Slateport, and overwrite your trainer name again. (This is another reason that diminishes the amount of working Glitch Pokemon for that procedure)
- You lose your Trainer name, ID, and SID (they are all overwritten)
- Your Berry and Tm/Hm Pouches become unusable and can't be recovered.
The value that manages the encryption of Bag quantities is right near the Trainer name. If you corrupt it, all the empty slots in these 2 pouches will have non-zero quantities, and will be ordered first when you open them, making you unable to see or select a Berry/Tm/Hm.
It is possible to make these corrupted empty slots disappear by withdrawing/buying Tms or Berries, but there are more empty slots in these pouches than the amount of different Berries (or different Tm/Hm), so you can't remove all the corrupted empty slots in these pouches.

I also wanted to use overwriting strategies like this one for Battle Frontier facilities and other things, but losing these things is too detrimental for your save, so I tried to focus on different methods.


And more recently, I found another way to change the swarm Pokemon.
This method uses the same procedure as the Faraway Island + Birth Island unlock :
- Use a Glitch Pokemon species name to overwrite the party slot of the last fighting Pokemon (ex : 0x2C)
- Kill all your party with Pomeg Glitch.
- Make a wild battle. The "Pokemon" from the overwritten party slot is sent (ex : "Pokemon" at party slot 0x2C)
A "Pokemon" is here a block of 100 bytes, treated as Party Pokemon data.
- Use a Revive. (In order to not black out on the first turn)
- Abuse HP variations in some ways in order to change the "remaining HP" of the "Pokemon".
Since that "Pokemon" will nearly always be a Bad Egg, the only data you can change about him during a battle is : Remaining HP, Statuses (giving one if he doesn't have one, or Bad Poison ticks/Sleeping turns), Move order (unsure about this one since most of the time you have a freeze when seeing them).
(Stat boosts are stored elsewhere, and the stats aren't recalculated from the Pokemon's data.)
- Try to make a battle where the "remaining HP" value will be read on a word you'd like to corrupt.
Half of the words can't be treated as "remaining HP", since the RAM address variations caused by DMA are always a certain number of double-words.
Thus, you can't use that strategy to corrupt any value you'd like.
- Manipulate other things in order to be sure that everything will go well.


As you can't corrupt everything with this method, the only interesting things I found corruptible were Faraway Island, Birth Island unlock flags (as well as Southern Island, but you can directly trigger the delivery man script with a Pomeg Glitch corruption), and some values like Item quantities, or TV news.

You can't directly corrupt the species of a swarm, but you can corrupt the species in the TV news that will trigger the swarm.

I have forgotten some parts of the details (I think I'll look back into it), but my strategy was to make the Swarm Pokemon value read as "current status", and try to attack in order to burn sleeping turns, thus modifying the Swarm Pokemon.
Using Swarm Pokemon like Skitty or Surskit, you could get Pokemon like Wailord, Masquerain, or Ludicolo.

However, this TV news method has an issue : there are multiple slots where TV news are ordered, and you can only make a successful corruption if the Swarm TV News is placed first (because the data above it will always be the same, whereas data of other TV News vary).
But I never figured out how these TV News slots worked. Sometimes, a previous TV News disappears and a "to come"/current TV News is placed in the first slot, but sometimes not (TV News that were already seen are still taking some slots).
Thus, as I don't have a strategy to efficiently move a set TV News (a swarm one) to the first slot, this technique can't be efficiently used on console.



Also I wondered about one of your previous posts somewhere, you mentioned shinyhunting "ghost", is that by having a pokemon with glitch move 1077 (0x0435 if my maths are correct) in fire red before the ghost, and then if shiny, change the battle and catch it?

Thanks for helping me keep up with the glitch!


Yup, the GHOST in Lavender Town are only made with a different battle type.
So if you use a Glitch Move to change the battle type to a normal one, the Pokémon becomes normal again (it keeps its GHOST nickname though).
And if the Pokemon was shiny, you will be able to see its shiny sprite (whereas the GHOST doesn't have a shiny animation nor shiny sprite).

I don't remember for what version that glitch move was, because a battle modifier glitch move will be different depending on the version (R/S/E/Fr/Lg) and language (Fr/US/Spa/Ita/Jap/..), but I have now algorithms that make the search of such a glitch move way easier.



EDIT: is the Caterpie meant to be level 100, holding "?????"?

Yeah, the corrupted SEASOR will be at Lv 100 because of the contest stats, and will hold ???? because of the Speed EVs.
You need to leave him with the item though, as it's part of SEASOR's data.

If you're unsure about something on SEASOR, you can watch Chickasaurus' vbm file where he gets it and makes a double corruption with it on page 29 or 30.
The double corruption process is outdated, but you have the steps to obtain a working SEASOR, and its characteristics.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-18 11:40:24

Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 …." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer, the two closest are moves 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). And at both of those addresses, is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it. (because as usual, it just grabs from the array without doing index bounds checking).


Could you give details or examples about commands that could be entered on Emerald versions ?

  I would really like to try some examples and see what kind of training is required in order to create these commands on a Pokemon's data, and I need your help (or someone's help) about knowledge in code execution.
I don't really know how long a command like (write value xx at 02yy yyyy) could be (with the 03 and 08 to start and end the animation), and this could cause issues if it is too long.

Could we also call built-in commands, like givepokemon, setwildbattle, warp, special,…. ?

I also don't really know if some variables like Feebas Tile, Mirage Island value, Battle Frontier selected Pokemon,… can be directly called and modified, instead of making a command to rewrite a value at a certain address.
This could also ease the DMA issue with RAM addresses not being fixed, and provide help in order to make short commands with an interesting impact on the game.



I worked up a way to predict the RAM address position, in order to know if they are well positioned for a certain code execution or not. (mainly, if the RAM address that will be called by a glitch move animation will fall on the desired value or not)

It would work like this :
RAM address position determination : (using Pomeg Glitch)
- Prepare a Pokemon with a certain ACE Glitch Move (with a battle animation on Bag Items, or PC Pokemon).
Take it in your Party.
- Prepare a Pokemon/list of items in order to make a working command.
Deposit that Pokemon in a certain PC Slot / Make the list of items start from a certain PC slot.
- Place 2 Pokémon in Box 2 at 2 specific slots. (The slots depending on the relative position of the adress of the Glitch Move animation with the command starting adress.)

- Take a Pokemon to set up a Pomeg Glitch. (Give it HP Ups until he gains 1 Max HP, and leave it at 1 Remaining HP. KO the rest of the team, and put the 1 HP Pokémon last.)
Bring a Revive.

- Save.
This is where the attempts restart if the RAM address positioning isn't good.

- Perform a Pomeg Glitch.

- During the Up press phase, take a close look at the first party slot. At some Up pushes, a red highlight can appear.
This red highlight means that the Pokemon Selection Pointer selected something that isn't an "empty slot" (The selected block, if seen as Pokemon data, is not a Pokemon with a species of 0, or not a Pokemon with a valid checksum)

If you see red highlights / non-red highlights at specific Up pushes during that Pomeg Glitch, then the RAM address positioning is the good one (out of the 32 possible).
Else, reset.
You can also flee, clean Box 2 from the Bad Eggs and "invisible data" that appeared, and set things up again (which allows you to perform the ACE without soft-resetting).

- If the RAM address positioning is the good one, use a Revive on the Pokemon with the ACE Glitch Move, and use it.


This strategy can also be done outside of a Battle using an Instant Pomeg Glitch if we want to perform ACE with a Glitch Pokemon summary, for example. (similarly to what TheZzAzZGlitch did, but with data other than nicknames to create commands)
A glitch type sprite could also work. (provided that one of them allows for code execution)


- I have a hard time for now to explain how it works, and especially how it can always (or nearly always, which becomes always with some fixes using in-game traded Pokemon) indicate if you have a specific RAM address positioning or not, as it involves multiple blocks of data (PC Pokemon data blocks, and party Pokemon data blocks), the RAM address position induced by DMA, and a relative position of that RAM address positioning with the starting address of the Pokemon selection pointer.

I used it partially here, as an update in my method to corrupt a Day Care Pokemon. : https://youtu.be/0b-2EgSZI8o?t=14m38s
This "red highlight" strategy was quite useful because you didn't have to always perform the whole corruption and go back to the PC in order to know if the RAM address positioning was right or not.



-  However, this strategy has some flaws regarding the ACE Glitch Move.
In order for the battle animation to trigger, the Glitch Move must have :
- More than 0 PPs
- An effect that isn't a glitch effect (I think these freeze/crash the game)
- A name that isn't too long (After a certain length, like 2000 bytes, the battle managing data is overwritten and the game crashes. With a lesser length, 432 bytes or more, the battle type can also be affected and could cause some issues.)
- An effect that doesn't make the move miss for some specific reasons (most of them can be triggered, like Boost, Sleep Talk,…)
- An accuracy higher than 0. (Certain effects make the move hit without taking accuracy into calculation, but a large part of them doesn't.)

Thus, not every Glitch Move can be chosen for that task.



-  Another strategy that wouldn't need most of these restrictions would be to use the move in a Pokemon Contest.
I don't remember if the Move Name can screw up things or not. (I'll look into it), but the other characteristics don't matter at all.
However, there's no way to predict RAM data positioning while on a contest.


-  But it is also true that by knowing the hexadecimal values of the Pokemon/Items used to make our commands, we will also know if some unwanted commands with nasty effects could be triggered if the RAM address position isn't right on the spot.
If I understood things well, the game would crash most of the times, which isn't an issue. The only big issue would be a corruption in 0x0E00 0000 that would corrupt the save file.
  So if we are sure that the save file can't be lost in these attempts to get the code execution, the Pokemon contest strategy is also viable.



- I wanted to manipulate the Battle Frontier data in order to set the "selected Pokemon" to Pokemon n°7,8,9 (three first opposing Pokemon), and then to set the value managing the receptionist script to 0x02 (triggers the "take the challenge back after a pause" script, which gives you a fighting party from the "selected Pokemon" party slots).

I wanted these two manipulations in order to steal an opponent's Pokemon.
- Set the "selected Pokemon" to 07,08,09 and the receptionist script to 0x02. Go into a Battle Frontier facility.
If you're going into Battle Factory, you don't need to set the receptionist script now.
The procedure written as is doesn't work in Battle Pike. (The receptionist has a different script there)
- Make battles until you find a Pokemon you want to steal, and forfeit.
The "selected Pokemon" values won't change, but the receptionist script will.
- Use an ACE to set the receptionist script to 0x02.
- Use an Instant Pomeg Glitch Pokemon in order to set up an Instant Pomeg Glitch.
- Go into Safari Zone and despawn the guard with Instant Pomeg Glitch in order to leave with Safari Mode on.
- Walk to Battle Frontier, and enter Battle Pyramid.
- The receptionist will bring you to the Pyramid and give you the Pokemon from the "selected Pokemon" slots.
- Exit the Pyramid from the Safari Mode menu.
This way, you will keep your team.
Since there were no captures involved here, the stolen Pokemon don't become Bad Eggs, because their ID/SID wasn't changed to match yours.


This procedure is interesting because it would only use small commands (write a byte on a certain address) in order to have a good result, but I saw that it had a flaw : with ACE from Glitch Move animations, wild battles are required if you want to force a certain RAM address position and make your ACE work.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-02-20 06:29:30


Well, we might not even need to write the animation bytecode in a place in RAM.

I searched the ROM for "02 02", and found "03 54 4A 02 02 …." at 0x50F (0x800050F).

Unfortunately, no move has that as an animation pointer, the two closest are moves 0x94E (0x8000505), and moves 0x210F and 0x2194 (0x8000500). And at both of those addresses, is an invalid animation opcode (C0 at 0x500, CF at 0x505), which I think would freeze the game trying to call it. (because as usual, it just grabs from the array without doing index bounds checking).


Could you give details or examples about commands that could be entered on Emerald versions ?

  I would really like to try some examples and see what kind of training is required in order to create these commands on a Pokemon's data, and I need your help (or someone's help) about knowledge in code execution.
I don't really know how long a command like (write value xx at 02yy yyyy) could be (with the 03 and 08 to start and end the animation), and this could cause issues if it is too long.


Hopefully, we just need to find a move with an animation script that points to "03 xx xx xx xx", where xx xx xx xx is little endian for the address that gets jumped to. If we managed to find a move with such an animation script, and we could easily manipulate RAM contents starting at "xx xx xx xx", we'd just need to put some ARM code there, and use that move. (and somehow figure out how to fix things up so we can return back to the game easily)

But again, this is only in theory, I haven't even tested it with modifying RAM directly yet.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-21 14:38:51


Hopefully, we just need to find a move with an animation script that points to "03 xx xx xx xx", where xx xx xx xx is little endian for the address that gets jumped to. If we managed to find a move with such an animation script, and we could easily manipulate RAM contents starting at "xx xx xx xx", we'd just need to put some ARM code there, and use that move. (and somehow figure out how to fix things up so we can return back to the game easily)

But again, this is only in theory, I haven't even tested it with modifying RAM directly yet.


There are Glitch Moves pointing to 0x0203xxx with a convenient name length (more than a dozen), so we can get a "03 xx xx xx …" value from PC Pokemon data at the pointed address using the Pomeg Glitch "test" I talked about few posts before.

Since you gave pointer addresses, I'd like to test it (see if some basic ARM commands can be executed, and make a proper setup to perform this using PC Pokemon data and Pomeg Glitch).

And if the length of PC Pokemon data that can be well manipulated isn't enough, we could manipulate them in order to make a jump towards PC Item data (or Battle Bag data), and make longer commands.

- Battle Bag is interesting because the items identifiers are all lined up, the quantities being a bit further.
Thus, even if you're limited to 10 items, this makes 20 bytes you can easily manipulate. (maybe more using both Battle Bags for Lv 50 and Open Lv categories).
The manipulation is done by bringing Safari Mode in Battle Pyramid, and isn't hard to pull off (http://pastebin.com/R5ppR91x ).

-  PC Item manipulation is also doable, but manipulating quantities would take more time. But I don't know ARM code, so I don't know if you could do some things like leaving a 0x00 / low value that wouldn't do anything.
But with 50 PC Slots, that leaves us to ~150-160 manipulable bytes (at least), by using a strategy to increase the quantity of a certain PC item without interfering with the quantity of previously manipulated PC items.
I'll do a more accurate calculation of the amount of Item Slots you can't manipulate (as they are needed to perform the strategy), and recheck my old posts to find back the one where I was talking about PC Item manipulation.


I would like to test it, but I don't know much about ARM. Do you have a link explaining things about ARM in GBA / 3rd Gen games ?



EDIT 1 :
As I thought, I can't increase the quantity of a PC Item that is over 999 by depositing items.
Thus, the maximal quantity attainable is 0x7FFF. (0x0001 -> 0x4001 -> 0x3FFF -> 0x7FFF)
Unless I had a strategy to go around this limitation, I'll check on that.

I also wrote up a more accurate setup, and this would only require 6 specific items to work well, leaving for a "full" corruption of 44 PC Items + quantities. (You can have the same item multiple times.)

The restrictions you would have on these 44*4 = 179 bytes are :
- The leftmost byte of every double word can only take values between 0x00-0x7F ( between 00 xx xx xx and 7F xx xx xx )
- Some bytes can't be at 0x00 at the same time (you can't have 00 00 xx xx nor xx xx 00 00 on a double-word, but the other combinations, like xx 00 00 xx or 00 xx xx 00 are possible).
- Rare Items ID can't be obtained (0x00FE-0x010A, 0x010C-0x0120, 0x0153-0x015A, 0x015D-0x0178, for a total of 70 identifiers) (you can't have a double-word with xx xx 00 FE for example).


EDIT 2 :
After viewing TheZzazZGlitch video about ACE in Emerald, I now understand that pointer jumps can be used and are short to write.
Thus, an important amount of PC Pokemon can be used to make long commands, with different possibilities, and other potential values for double-words.

Using Seedot or Plusle, a near-total control of their 4 Moves is possible (8 bytes), with a little control over PPs (4 bytes), and some control over EVs (6 bytes).
Thus, the 8 bytes from the 4 Moves would (and could) be used, with potential help from Pokemon nicknames (to reduce the time required preparing the Pokemon).

After that, it's a case by case test to see how conveniently said commands can be written into PC Pokemon data (with jumps), since tests with Glitch moves are required.

Jumps could also allow to make commands using Battle Pyramid Battle Bags (Lv 50 and Open Lv) and PC Items.


Other potential methods to execute code :
- Using a Glitch Pokemon's summary
Not that viable since ThezZazZ said that it messed up with a lot of data, making the use of a return command non-viable.
But some Glitch Pokemon summary might mess with less data than others and still allow for code execution.
The DMA positioning can be checked using an Instant Pomeg Glitch outside of battle, and dummies in Box 2.

- Using invalid Move effects
Low amount of invalid effects. Launched during a battle. The DMA positioning can be checked using Pomeg Glitch and dummies in Box 2.

- Glitch Move types
There isn't a lot of them too, but could still allow for code execution.
The DMA positioning can be checked using an Instant Pomeg Glitch outside of battle, and dummies in Box 2.

- Glitch Pokemon species names in PC
Some of them can heavily affect the game, but it seems to be mainly graphically. On French versions, I fell on a Glitch Pokemon that heavily messed up with the graphics, producing really strange things.

- Glitch Move / Pokemon name overflow
When deleting a Glitch Move, or when speaking to some NPC that read the species name of party Pokemon (using a certain command), freezes happen very easily. This could be a source for code execution (or at least a source of some abuses).
The concerned NPCs I know of are : Slateport woman about a Pokemon's happiness (or is it EV training) in RSE, Two Island woman for the ultimate Fire/Grass/Water moves in FrLg.

- Glitch Special abilities
I never saw them do anything, but they may have a use.


EDIT 3 :
I forgot to remention it, but a long time ago I fell on a Glitch Move whose animation changed the battle music.
The battle was still running fine after that, and I was quite surprised since it was a FrLg song (Oak Lab theme I think).

It was a Glitch Move with an animation that could do different things (many of them being different crashes/freezes), probably because its animation led to an address that's updated every frame, so I couldn't reproduce that effect.

But it shows that some code executions can be done with this method without ending with a crash.
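
The three restrictions listed under EDIT 1 in the post above can be checked mechanically before any item manipulation is attempted. The following Python sketch is an added example, not code from the thread: the function names and sample words are constructed, each double-word is read the way the post writes it (most significant byte first), and the payload is assumed to sit in memory as little-endian 32-bit words.

```python
import struct

# Item ID ranges the post lists as unobtainable "Rare Items" (inclusive).
RARE_ITEM_RANGES = [
    (0x00FE, 0x010A),
    (0x010C, 0x0120),
    (0x0153, 0x015A),
    (0x015D, 0x0178),
]
MAX_WORDS = 44  # fully manipulable PC item slots quoted in the post


def rare_id_count():
    """Number of item IDs covered by the excluded ranges."""
    return sum(hi - lo + 1 for lo, hi in RARE_ITEM_RANGES)


def word_violations(word):
    """Return the restrictions broken by one 32-bit double-word.

    The word is interpreted as the post writes it: b3 b2 b1 b0,
    with b3 the leftmost (most significant) byte.
    """
    reasons = []
    high = (word >> 16) & 0xFFFF   # "xx xx" on the left
    low = word & 0xFFFF            # "xx xx" on the right
    if (word >> 24) & 0xFF > 0x7F:
        reasons.append("leftmost byte above 0x7F")
    if high == 0:
        reasons.append("00 00 xx xx")
    if low == 0:
        reasons.append("xx xx 00 00")
    if any(lo <= low <= hi for lo, hi in RARE_ITEM_RANGES):
        reasons.append("rare item ID in low half")
    return reasons


def check_payload(data):
    """Map word index -> violations for a little-endian byte payload.

    An empty dict means every double-word satisfies the post's rules.
    """
    if len(data) % 4:
        raise ValueError("payload must be a whole number of double-words")
    count = len(data) // 4
    if count > MAX_WORDS:
        raise ValueError("payload exceeds %d double-words" % MAX_WORDS)
    problems = {}
    for index, word in enumerate(struct.unpack("<%dI" % count, data)):
        reasons = word_violations(word)
        if reasons:
            problems[index] = reasons
    return problems


# Constructed sample words, not taken from the thread.
SAMPLE_WORDS = [
    0x00630003,  # allowed
    0x7FFF0001,  # allowed: leftmost byte at its 0x7F limit
    0x80010004,  # leftmost byte too large
    0x00000004,  # 00 00 xx xx
    0x00050000,  # xx xx 00 00
    0x000100FE,  # low half inside the first excluded range
    0x0001010B,  # allowed: 0x010B falls in the gap between two ranges
]
SAMPLE_PAYLOAD = struct.pack("<%dI" % len(SAMPLE_WORDS), *SAMPLE_WORDS)

if __name__ == "__main__":
    for index, reasons in sorted(check_payload(SAMPLE_PAYLOAD).items()):
        print("word %d (%08X): %s"
              % (index, SAMPLE_WORDS[index], ", ".join(reasons)))
```

The excluded ranges sum to the 70 identifiers the post counts, which is a quick consistency check on the transcription of the ranges.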

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-02-24 18:30:29
That's some luck if you used a glitch move with an animation pointer that points to changing data which just happened to be at a value that changed the music then returned gracefully.

Makes me wonder if such a glitch move could give a quicker speedrun technique, if luck manipulation could be used to get arbitrary code execution .

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-02-25 05:26:56

That's some luck if you used a glitch move with an animation pointer that points to changing data which just happened to be at a value that changed the music then returned gracefully.

Makes me wonder if such a glitch move could give a quicker speedrun technique, if luck manipulation could be used to get arbitrary code execution .


Unfortunately, the glitches currently used in the speedrun are hardly optimizable because the after-Fortree part doesn't take that much time (get the Fly badge, make a pomeg glitch for Ever Grande Fly Location, make a second Pomeg Glitch for an IFG Glitch Move, and end the game).
Since you can't clone, nor easily obtain an in-game trade Pokemon (unless you make a try for a 4% Ralts/ 1% Volbeat), you can't easily make a Pomeg Glitch Corruption to obtain a certain Glitch Move/Item/Pokemon.

Manipulating the DMA positioning is also quite tedious, because it depends on ID/SID, and other things.
You could also try to generate a Pokemon with a certain PID and a certain amount of exp points (or IVs), in order to obtain a desired Glitch Move through a Pomeg Glitch corruption.
This makes at least 3 precise RNG manipulations (ID/SID, Pokemon, DMA positioning), that would give you an Egg with a certain Glitch Move/Item/Pokemon.
If this corruption is made to obtain an Instant Glitch Move, that would be faster than the current speedrun since the catches + corruption parts would be fastened (the strategy would look more like the one used in the TAS).

If you wanted to obtain an ACE Glitch Move, then you would also need to set up RAM values for that ACE, which could be for example doable with Pokemon data + Pokemon nicknames + Pokemon data (you start with Pokemon data to have a valid 03, then jump to Pokemon nicknames to teleport to Hall of Fame or something, then jump to Pokemon data in order to have a "return" command).
This requires you then to generate 2 more Pokémon (with a precise PID) in order to have the Pokemon data you want, and catch 4-5 other Pokemon in order to have the required nicknames.

If the ACE part can be set up like this, then it would be theoretically doable in speedrun, even if having 6-7 RNG manipulations could be quite heavy for the speedrunners, atop of having a good beginning.

Else, I think that this would take too much time compared to a Fly to Ever Grande + Use IFG Move strategy.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Fullmetal5
Date: 2016-04-11 20:10:29
Hi, I was trying to learn the best method for performing a double corruption to obtain items, moves, and pokemon described here (http://pastebin.com/2kJpBQCr).
At the beginning of the instructions listed in that pastebin it says that you can have higher success chances if you use a Corruption Initiator. As I understand it the instructions for making an initiator in that pastebin are just for a rough one that still has a lower chance of success. However Metarkrai posted instructions for a Perfect Initiator here on the forum.

First question, is the Perfect Initiator a better replacement for the initiator listed in the pastebin or is the one in the pastebin specialized for that type of corruption?

Second question, if the Perfect Initiator is a better replacement then which one do you use (the one with the heart mark or the one with the one without)? It says in Metarkrai's instructions that it depends on the pokemon you are corrupting so for the Seedot and Plusle from the pastebin which would you use for each?

Thanks!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Krys3000
Date: 2016-04-12 01:14:55
I saw a lot of discussions ongoing on PRAMA's skype group about this recently. Couldn't take much part in it, but nice to see you come up with new stuff, Metarkrai  ;)