Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 34

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-04-12 05:02:14

First question, is the Perfect Initiator a better replacement for the initiator listed in the pastebin or is the one in the pastebin specialized for that type of corruption?


The initiator given in the pastebin (in-game traded Plusle with Growl only) works perfectly with the in-game traded Pokémon.
Thus, you don't need to make Caterpies corruption initiators if you only want to corrupt the in-game traded Pokémon. (it easens the procedure)
More generally, that Plusle will be a corruption initiator for all PID / TID whose leftmost hexadecimal character is 0,1,2,3,8,9,A,B.

But for PID/TID whose leftmost hexadecimal character is 4,5,6,7,C,D,E,F, you need a second corruption initiator.
And the fastest (and only) method I have to make one in Emerald is with the in-game traded Horsea.
With this Horsea, you can obtain corruption initiators for both cases (so 2 different corruption initiators).
  I only discovered more recently that the in-game traded Plusle would fit as one corruption initiator, so I left the indications to obtain both corruption initiators from Horsea because I was used to it (to having two similar corruption initiators, one marked and one unmarked, instead of two different Pokémon acting as corruption initiators).

But if you wanted to corrupt a Pokémon of yours (like a Smeargle), that Pokémon would have your TID, and you would need one of the corruption initiators to corrupt that PID (but you won't know which one before testing it, or before knowing your Secret ID), same thing for the PID of the Pokémon (for the PID, you can still reset and catch other Pokémon with different PID).

By "perfect" corruption initiators, I meant corruption initiators that work (if you have both of them) for all PID and TID.
So don't worry, if you only want to obtain a Glitch Pokémon/Move/Item, you'll be fine with only Seedot and Plusle.
There are no "better" corruption initiators, the explanations about them aren't that clear nor that organized.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-04-23 11:58:52

So I've been doing some research recently into possible getting code exec (and not needing TAS or a crafted save file).

Luckily for us, forums like pokecommunity have basically reversed gen 3 to pieces trying to do more with ROM hacking. So we can search their site for interesting things.

Moves use *two* seperate VM bytecodes. One for animation and one for move effects.

The move effects one is essentially useless, it grabs a byte as an index into an array, and so we have not that many invalid entries.

However the move animations.. It grabs a pointer from an array, using the move identifier as an index.

This array of pointers starts at 0x2C8D6C in English Emerald.

I coded some quick dumper to get any interesting info about all attacks, and plenty of attacks have animation pointers in RAM somewhere.

So, assuming we can find a way to write stuff there, how do we escape from the interpreter of this VM bytecode?

Easy.

This thread on Pokecommunity details the bytecode opcodes for the animation VM.

Notice that opcode 03 calls a native function.

Opcode 08 ends the animation, so in theory, if we can write 03 xx xx xx xx FF 00 08 at a certain place in RAM (where xx xx xx xx is a little endian pointer to our final payload, and this assumes that 0xFF is highest priority, it might not be), and use a certain glitch move, then we'd get code exec.

Here's a list of moves in English Emerald with interesting animation pointers.


In case anybody hasn't seen, TheZZAZZGlitch finally PoC'd this method of code exec! https://www.youtube.com/watch?v=1pb-6hMDQBs

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: PokeBec
Date: 2016-04-24 07:09:47
I tried to replicate it on cartridge but it does not seem possible to get the amount of items needed in the PC.

Anyone figured it out?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-05-06 13:24:51

I tried to replicate it on cartridge but it does not seem possible to get the amount of items needed in the PC.

Anyone figured it out?


It is possible to give a PC Item any quantity you would like (0x0000 to 0xFFFF).


Here is a rough explanation :
-If the target quantity is between 0x0001-0x4001 :
Duplicate the Item, then toss the exceeding amount (start by tossing multiples of 1.000 to make things easier)
0x0001 -> 0x4001 -> target quantity
You can also clone a Pokémon holding the Item for small quantities.

-If the target quantity is between 0x4002-0x7FFF :
Duplicate the Item, toss 2 exemplaries, then duplicate the item again.
0x0001 -> 0x4001 -> 0x3FFF -> 0x7FFF -> target quantity

-If the target quantity is 0x0000 or between 0x8000 - 0xFFFF :
Duplicate the Item, toss 1 exemplary of your desired Item.
Duplicate the Item again. (This time, to decrease its quantity by 0x4000, ending up at 0x0000).
Toss 1 exemplary of your item. (Its quantity underflows to 0xFFFF)
Toss the exceeding amount.
0x0001 -> 0x4001 -> 0x4000 -> 0x0000 -> 0xFFFF -> target quantity


I made up a procedure to obtain, duplicate, and place Items in PC for potential uses of ACE in cartridge.
http://pastebin.com/yHBhvbLh

It is quite long, and I don't have any image/video to go with for now, but I tried as much as possible to make each part understandable.
As Glitch Items have the same displayed name (??????????) and as Glitch Quantities aren't accurately displayed (only the last two digits), I had to make specific steps to minimize as much as possible the risk of doing a mistake (obtaining the wrong Glitch Item, placing a Glitch Item at a wrong slot, obtaining the incorrect quantity).

Thus, the procedure ends up being quite long in order to be easily doable on console.

I tried to provide a procedure that is already good to go, but I'm not protected from a small mistake as I nearly wrote it in one go. So please, tell me if there are incomprehensible/strange parts.


If you want to directly try certain things, here is a save with an Instant Pomeg Glitch Pokémon and PC Items already placed :
http://www.petit-fichier.fr/2016/05/06/emerald-ifg-for-ace/
Like this, you can perform Instant Pomeg Glitch and duplicate Guard Spec and Dire Hit (the first duplication in my paste, required for other duplications).


If I obtain more information about the ways to perform ACE on Gen 3 and about the kind of commands that could be executed (and the required Item/Quantities that go with it), I'll provide saves with more content.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-05-07 08:27:32
I am a bit late to this, but well done TheZZAZZGlitch and Metarkrai!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: TheZZAZZGlitch
Date: 2016-05-07 09:26:56
For the last few weeks I didn't have enough free time to elaborate on the idea of fully controllable ACE method in Gen III. Now that I found a little bit more time, I can offer all the help I can give. Here's everything I know about the subject.

So, in case some people haven't noticed yet, a few weeks ago I uploaded a simple proof of concept video to show that ACE with glitch move animations is in fact possible. This post was the inspiration for all of my actions (also I would probably miss it if Metarkrai didn't tell me to take a look at it).

I decided to dump all the move animation pointers and see if there are any jumps to easily controllable RAM addresses - preferably PC items at around 0x02025F00 (affected by DMA, but fully controllable and unencrypted, and the DMA unpredictability can be at least partially circumvented by either predicting DMA state by scrolling past the sixth slot, or just with a nice NOP sled). The full list of animation pointers for all glitch moves can be found here. I thought there obviously needs to be a glitch move that works. Addressing on-board RAM ignores bits 18-23, which essentially means that addresses in the range (0x02000000 .. 0x02FFFFFF) loop around every 0x40000 bytes. So we only need to get a pointer like 0x02X25F00, 0x02X65F00, 0x02XA5F00 or 0x02XE5F00, and we have 65535 chances to get that.

Apparently we're unlucky, because there's no pointer like this anywhere.
So instead, maybe we can use a pointer to party/PC Pokemon data and use it to make a jump to bag items?

Well, it's possible. Let's assume there is a glitch move that will execute animation opcodes from somewhere in the PC Pokemon data or party Pokemon data - I didn't investigate if there is such a move, but it's a fair assumption, since box data is a huge chunk of RAM. We can insert some animation bytecode there to have the game execute code from PC items. 10 consecutive bytes of Pokemon data would need to be manipulated in order to make the jump to PC items. There is a way to predict DMA positioning by observing the in-battle Pokemon menu after scrolling past the sixth slot, so there would be an easy way to tell if everything's going to work or not.

In my proof of concept video, I decided to go in a different way, because I don't exactly know how to generate such a "bootstrap Pokemon" without cheating. Instead, I found a glitch move that has its animation pointer in save data, and I manipulated the save file to move PC item data into this exact position in my save.

SRAM in GBA memory map is from $E000000 to $EFFFFFF. When addressing SRAM, bits 17-23 are ignored (addresses loop around every 0x10000 bytes). So, unlike on-board RAM, where we only had 64 good pointer ranges, here we have 256 possible working pointer ranges. But wait, there's more! Since Gen III save files are split into sections, and every section can appear on 7 different addresses depending on how many times the game was saved, we have 7*256 = 1792 possible jump addresses that could work for our purposes! So it's almost certain that there's a glitch move that will meet the necessary requirements.

I settled for using move 0x27A2, which had its animation pointer at $0E0F14C0. It also had a short name (70 characters) that didn't cause any corruption, a non-crashing glitch type, and had a completely non-crashing valid effect of hitting myself with 102 power and 100% accuracy. I thought this move was perfect for my needs.

Before executing the code, the save file needs to be properly manipulated to have its PC items at address $E0F14C0, which is surprisingly easy and difficult at the same time. Gen III save files are split into 14 sections - each section contains different information about the save data, and is 0x1000 bytes long. There are two saves in total - one of them is primary, and the other functions as a backup. Sections are stored contiguously in SRAM one after another. The first save is at $E000000, the second is at $E00E000. For the exploit to work, we need the first save to contain section 1 at address $E001000. The equivalent requirement is: the first save has to have section 0 saved first.

How difficult is to do that? Sections within a save file are stored in a semi-randomized order. When your save data is written to SRAM for the first time, the game chooses a random number between 0 and 13, and stores the section with that number first. And every time a file is saved again, the sections are rotated by two spaces. Sections are always stored in ascending order (except for the point where the section number loops back to 0). The game alternates between writing to file 1 and file 2 every time the data is saved. We only care about file 1 for our purposes, so let's ignore it for now. This is how all the sections in a save file look like after saving X number of times:

[tt]Starting section number: 4
456789ABCD0123 (save #1 and #2)
6789ABCD012345 (save #3 and #4)
89ABCD01234567 (save #5 and #6)
ABCD0123456789 (save #7 and #8)
CD0123456789AB (save #9 and #10)
0123456789ABCD (save #11 and #12)
23456789ABCD01 (save #13 and #14)
456789ABCD0123 (save #15 and #16)
(repeat to infinity)[/tt]

Every second save is useless to us, since we only care about file 1. In this example, we were able to properly align our save file after saving 11 times. This number may vary depending on the save file's starting section. If the save file is aligned, saving 14 times will align it again. If the save becomes misaligned, it needs to be aligned again for this ACE setup to work.

However, there is a big problem with this method of code execution - it doesn't work on 50% of save files. Notice that sections only shift by two spaces - so if the save file had an odd-numbered starting section, shifting section 0 to the beginning becomes impossible and the file is permanently misaligned. It would be possible to create a similar method that works on odd-numbered saves. Still, if you try to do a multiple hour long setup on cartridge, only to find out that the save file does not align properly and you have to use a different method… that's really disappointing. Finding a setup that does not require properly aligned save data should be our priority now.

So, what's my ACE setup and what can we do with it?
Here's the setup I used in my video, along with some example code to warp me to Birch Island:

[tt]At $0E0F14C0 (box item 11):
  ; Launch task at $E0F14D1, priority 0xFF
  ; Effectively runs code at $E0F14D0 and switches CPU to THUMB mode
  dcb 0x03
  dcd 0x0E0F14D1
  dcb 0xFF, 0x00
  ; End script
  dcb 0x08
At $0E0F14D0 (box item 15):
  ; Load 0x3A to R0
  mov r0, #0x3a
  ; Shift left by 1 byte (R0 is now 0x3A00)
  lsl r0, r0, #8
  ; Add 0x26 to R0 (R0 is now 0x3A26 - that's Birch Island's map ID)
  add r0, #0x26
  ; Load the RAM address containing Escape Rope exit location to R1
  ldr r1, [r15+0x4]
  ; Stores the 32-bit value at R0 to R1, little endian. Essentially:
  ; $02065A3C = 0x26, $02065A3D = 0x3A, $02065A3E = 0x00, $02065A3F = 0x00
  str r0, [r1]
  ; Pops registers R4 through R7 from the stack and returns.
  ; (R15 is instruction pointer)
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0x02065A3C
As items (starting from item 11):
  Item $D103 x3860
  Item $FF0E x2048
  Any item, any quantity
  Any item, any quantity
  Item $203A x512
  Item $3026 x18689
  ; (the 3A and 26 in the item IDs above can be replaced to warp to a different map!)
  Item $6008 x48624
  Item $3C5A x518[/tt]
 
The code overwrites the RAM address responsible for holding the map ID the player will be transported to after using an Escape Rope. The code should be executed in a cave (so that using Escape Rope is actually possible). After executing the code, Escape Rope should be used to warp to the desired map. The address we're changing is affected by DMA, so unless the DMA offset is predictable, the code only has a 1/32 chance of working. Writing some code that will account for DMA offset is possible, but would require lots of items and wouldn't be practical.

Quick explanation about some ARM architecture basics, because I'm sure not everyone knows this stuff.

Here are some important things to know for what we're doing. GBA processor is ARM, so:
- ARM sucks at loading 32-bit constants. There is no such thing as a 32-bit version of "ld a,$13". Since instructions can be at most 32 bits in size, there is no way to load a 32-bit constant to a register in a single instruction. You either have to load it in multiple instructions, or load it indirectly from somewhere else (most commonly by using the LDR instruction, which is similar to Z80's "ld a,($1234)").
- ARM sucks at absolute jumps. All jumps, whether you want them or not, are relative. There are register jump instructions (bx r0, bx r1, etc.), but you need to load your jump target to a register beforehand (and ARM sucks at loading 32-bit constants). In THUMB mode, the shortest code to jump to an arbitrary address is either 8 or 10 bytes long, depending on where the code is in memory.
- ARM instructions are bit-encoded. They don't have to follow the usual format of [opcode byte][operand byte(s)]. And in most cases, they don't.
- ARM (at least on GBA) has two instruction sets. More info below.

GBA processor has two different instruction sets - ARM and THUMB. The CPU ignores the least significant bit of the instruction pointer - this bit is instead used to exchange instruction sets. If during a branch the least significant bit of a jump address is set, the CPU will switch to THUMB instruction set. If it is unset, it will switch to ARM instruction set instead. For example, jumping to address $02021501 will cause the instruction set to switch to THUMB, and execution will resume at address $02021500. However, just jumping to $02021500 will switch the instruction set to ARM (and code will also start executing at $02021500).

What are the differences between ARM and THUMB? There are a lot of them - but most importantly for us, ARM instructions are 32 bits long, and THUMB instructions are 16-bit. For executing code within our item box, we'll want to use THUMB mode, since it has better code density (we'll be able to pack more code inside our item box). Also, all code in ROM runs in THUMB mode.

RISC architecture is gonna change everything.


So, any other ideas?
How about a piece of code that will change any RAM address to any value?

[tt]At $0E0F14C0 (box item 11):
  ; (same stuff as before)
At $0E0F14D0 (box item 15):
  ; Load whatever we want to R0
  mov r0, #0x[byte to write]
  ; Load the address we want to write to
  ldr r1, [r15+0x4]
  ; Store the value of R0 to byte at R1
  strb r0, [r1]
  ; Pops registers R4 through R7 from the stack and returns.
  ; (R15 is instruction pointer)
  pop {r4-r7, r15}
  ; This is where the destination RAM address is loaded from
  dcd 0x[address, 1st byte][address, 2nd byte][address, 3rd byte][address, 4th byte]
As items (starting from item 15):
  Item $[byte to write]20 x18689
  Item $7008 x48624
  Item $[address, 3rd byte][address, 4th byte] x$[address, 1st byte][address, 2nd byte][/tt]

This piece of code only requires 3 items (besides the bootstrap animation bytecode), and will write any byte value to any RAM address.

Here's some code that will transfer execution to a subroutine. The primary use for it would be calling the script engine subroutine to execute some script commands, calling the credits subroutine to do an early credits warp, or calling the gift Pokemon subroutine to obtain any Pokemon easily. There is no finished Pokemon Emerald disassembly/decompilation yet, so I don't know where to look for these functions though.

[tt]At $0E0F14C0 (box item 11):
  ; (same stuff as before)
At $0E0F14D0 (box item 15):
  ; Load R15 (instruction pointer) to R0
  mov r0, r14
  ; Offset the instruction pointer to create a return address
  add r0, #0x7
  ; Save the return address in the link register R14
  mov r14, r0
  ; Load the destination address
  ldr r0, [r15+0x4]
  ; Jump to the subroutine
  bx r0
  ; Return gracefully
  pop {r4-r7, r15}
  ; This is where the destination address is loaded from
  dcd 0x[address, 1st byte][address, 2nd byte][address, 3rd byte][address, 4th byte]
As items (starting from item 15):
  Item $4678 x$3007
  Item $4686 x$4801
  Item $4700 x$BDF0
  Item $[address, 3rd byte][address, 4th byte] x$[address, 1st byte][address, 2nd byte][/tt]

At this point I just decided to just search the ROM for stuff that looks like subroutines (subroutines usually start with a 'push {r14}' and its variations) and try to jump to everything I find. I got some cool glitchy effects, but nothing too useful. I will probably mess around with this some more and then upload a video for some laughs.

[img]http://i.imgur.com/jPGXKIL.png[/img]

Using the 'write anything anywhere' code along with the 'call any subroutine' code, I can write some code to some place in memory and then execute it without crashing, just like the Gen I days. In my video I used that to play some one-player Pong, because that's how I roll.

Aaand I think that's it.

TL;DR: ACE in Gen III is real. But some work is needed to:
a) create a method that works on all save files, and to
b) find addresses of subroutines necessary to create some useful payloads

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-05-07 13:28:34
I knew that a PoC would eventually come out of my post. Thanks for doing all the stuff which i was too lazy to do thanks to me shitposting on reddit, hanging around on irc, reversing other stuff etc.

The disassembly may not be complete but I know there are some idbs around pokecommunity. Like I said they basically reversed lots of gen 3 already.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: TheZZAZZGlitch
Date: 2016-05-07 16:28:59

The disassembly may not be complete but I know there are some idbs around pokecommunity. Like I said they basically reversed lots of gen 3 already.


This changes things.

lol credits
(aka execute any overworld script)

[tt]Bootstrap (at $E0F14C0):
  ; Same as before
Code (at $E0F14D0):
  ; Previous setup to execute a subroutine
  mov r0, r15
  add r0, #0x9
  mov r14, r0
  ; Pointer to the script engine subroutine
  ldr r1, =RunScriptOffset
  ; The script engine subroutine takes the pointer to a script in R0
  ldr r0, =ScriptDataOffset
  ; Do some magic
  bx r1
  pop {r4-r7, r15}
  ; This nop is necessary because 4 byte alignment for ldr
  nop
RunScriptOffset:
  ; Pointer to the script engine subroutine
  dcd 0x08098EF9
ScriptDataOffset:
  ; Pointer to the script data
  dcd 0x0E0F14E8
The overworld script to execute (at $E0F14E8):
  ; lol credits
  special 0x0113
  ; yes, we're officially executing three types of bytecode in this setup
  end
As items (starting from box item 15):
  $4678 x$3009
  $4686 x$4903
  $4801 x$4708
  $BDF0 x(Any quantity)
  $14E8 x$0E0F
  $8EF9 x$0809
  $1325 x$0201[/tt]

The code can obviously be adapted to execute any overworld script (overworld scripts are those fancy commands that ROM hackers use because ASM is too difficult for them). The script will execute immediately after exiting the battle.

Interesting things to try in overworld scripts:
  - Predefined commands ('special')
  - givepokemon for all dem legendaries
  - applymovement for some walk through walls action
  - pokemart command for some nice items

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-05-07 17:04:45
This is splendid !

I am really impatient to see ACE being doable on console, that would be neat !

But for now, I have some questions/comments regarding all of that.


1) Pyramid Bag Items can be manipulated and contrary to PC/Bag Items, the identifiants are separated from their quantities.
This gives 20 words to manipulate but only with Item IDs (and not quantities).
Lv 50 Pyramid Bag Items stat at 0x02025880. (so 0x02025880 - 0x020258FC with the 32 DMA positions).

Would there exist a Glitch Move with an animation pointer on 0x02X25YYY/0x02X65YYY/0x02XA5YYY/0x02XE5YYY (YYY between 880-8FC) ?

- Unlike Glitch Moves with animation pointers on PC Pokémon data, I doubt that every Emerald version would have pointers towards these Items (or towards PC Items in RAM), but they could be a good way to set things up.


2) With an animation pointer towards PC Pokémon data, what would be the value of the 8-10 consecutive bytes for a "bootstrap" Pokémon ?

Since there is a jump towards PC Items to do, I believe that would depend on the size of the jump.
With a glitch move like 0x0D1D with an animation pointer of 0x020304C0, a jump towards 0x02025E9C (beginning of PC Items) would be A624 bytes long.
Would you be able to provide (if it doesn't bother you) the values of these 8-10 consecutive bytes for that "bootstrap" Pokémon ?

There are multiple ways to manipulate Pokémon data, and using Double Corruptions allows you to make some "combinations".
Thus, without knowing the values in advance, I can't tell if a/the desired combination can be obtained or not.


3) I was about to ask for script commands, but you already answered it.
Thus, I have two side-questions :

3.a) Do you know if a more "native" way to execute overworld scripts using the move animation procedure would be possible ?
(Having something shorter than 2+3 PC Items to execute the subroutine)

Regarding the amount of slots for PC Items, it's not that much of an issue, but that would make the setup procedure less long (less items to generate then duplicate).

3.b) Would it take less code to make the console execute overworld script from a certain ROM adress (like execute the script of a special NPC to unlock something cool instead of recreating the unlock command) than making it execute overworld script as you've shown in your last post ?

I doubt it, but I wanted to know for curiosity.


And thanks for your informations, they already were quite useful for me. : )

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: TheZZAZZGlitch
Date: 2016-05-08 00:49:11
Would there exist a Glitch Move with an animation pointer on 0x02X25YYY/0x02X65YYY/0x02XA5YYY/0x02XE5YYY (YYY between 880-8FC) ?


Nope.
Move 0xA00F comes close with an animation pointer at $02025301. This could potentially work if there are around 0x600 bytes of non-crashing data before the target address, but I doubt this is possible.

With an animation pointer towards PC Pokémon data, what would be the value of the 8-10 consecutive bytes for a "bootstrap" Pokémon ?


Assuming the game would start executing an animation script starting from somewhere in Pokemon data, we would need the exact same 'bootstrap bytecode' as before, except the task address should be replaced.

[tt]; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Hex: 03 9D 5E 02 02 FF 00 08
(8 bytes)[/tt]

The address where the code begins execution can be modified by just changing the underlined bytes.
Just remember to add 1 to the address, so the CPU will switch instruction sets to THUMB (which we always want; I can't think of a use case where we'd use ARM mode to execute code in the PC item box).

3.a) Do you know if a more "native" way to execute overworld scripts using the move animation procedure would be possible ?
(Having something shorter than 2+3 PC Items to execute the subroutine)


Not really, the code I presented is probably the shortest possible one that could execute arbitrary overworld scripts on demand.
We could execute overworld scripts with less items by not using a subroutine and just directly writing into RAM, replacing the script of a person/object in the overworld. This could bring the item count down to 3 (not counting the script itself, so if the script we want to execute isn't anywhere in the ROM, we'd need additional items to store the script).

[tt]Code (at $E0F14D0):
  ; Pointer to the script
  ldr r1, =ScriptPtr
  ; Pointer to some place in RAM where a script pointer for some person on the map is stored.
  ; Make sure that it's aligned to 4 bytes.
  ldr r0, =ScriptTarget
  ; Yay
  str r1, [r0]
  pop {r4-r7, r15}
ScriptPtr:
  ; Let's pretend this is a pointer to a script
  dcd 0x0822950F
ScriptTarget:
  ; RAM address where a script pointer for some person on the map is stored
  ; The address below is not real, it's just an example
  dcd 0x0202370C[/tt]

3.b) Would it take less code to make the console execute overworld script from a certain ROM adress (like execute the script of a special NPC to unlock something cool instead of recreating the unlock command) than making it execute overworld script as you've shown in your last post ?


Absolutely. If the script is in the ROM, we don't need extra items to store it. So the subroutine method would then take 6 items, and the "just write to RAM, who needs subroutines anyway" method would take 3 items.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-05-08 13:08:49

Assuming the game would start executing an animation script starting from somewhere in Pokemon data, we would need the exact same 'bootstrap bytecode' as before, except the task address should be replaced.

[tt]; Launch task
dcb 0x03
; At address 0x02025E9C in THUMB mode
dcd 0x02025E9D
; Priority 255
dcb 0xFF, 0x00
; End script
dcb 0x08

Hex: 03 9D 5E 02 02 FF 00 08
(8 bytes)[/tt]

The address where the code begins execution can be modified by just changing the underlined bytes.
Just remember to add 1 to the address, so the CPU will switch instruction sets to THUMB (which we always want; I can't think of a use case where we'd use ARM mode to execute code in the PC item box).


After few hours at calculations, I noticed that I was doing it in the wrong way.
First, I need to choose a Glitch Move with an animation pointer on PC Pokémon data.
Then, I look at in-game traded Pokémon.
Since the part of their data that will be manipulated depends on the in-game traded Pokémon, the DMA position will also change, which changes the adress of PC Item N°1, which changes the 8 bytes we want.

Starting adresses :
PC Item Slot 1 : 0x02025E98
Code : 03 99 5E 02 02 FF 00 08 / 025E9903 0800FF02 (32-bit format)

Pyramid Bag Slot 1 : 0x02025880
Code : 03 81 58 02 02 FF 00 08 / 02588103 0800FF02 (32-bit format)

General form : 03 xx yy 02 02 FF 00 08 / 02yyxx03 080FF02 (32-bit format)
yy is either 5E or 98
xx is higher than 0x80

Possible starts in PC :
Emer US :
0x02030400 (0x1608)
0x02030208 (0x392C)
0x02030120 (0x4871)
0x02030008 (0x41A7)

Emer Fr : (In 4 days)
Emer Spa :
Emer Jap :

In-game traded Pokémon :
Seedot : PID 0x00000084, TID 0x00009746, PID xor TID : 0x000097C2
Plusle : PID 0x0000006F, TID 0x0001210C, PID xor TID : 0x00012163
Meowth : PID 0x0000008B, TID 0x00016559, PID xor TID : 0x000165D2
Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2

Doable Methods :
- Seedot : None
Growth, Miscellanous substructures can't be used.
EVs substructure can't be used because of these damn Contest stats.
Attacks substructure can't be used because 0800FF02 xor 000097C2 = 080068C0  and both 0x0800, 0x68C0 can't be sketched.

- Plusle : Two (one long, one shorter)
0800FF02 xor 00012163 = 0801DE61
02yyxx03 xor 00012163 = 02yyxx60
Miscellanous substructure can't be used.
Growth substructure can't be used (Growth -> EVs -> Growth) because 1FE - (DE+61+60) = 5F. And xx xor 21 is always higher than 5F. (510 EVs are not enough to get the right values)

Attacks substructure can be used. (Attacks -> Growth -> Attacks)
This is the long method.

EVs substructure can be used. (EVs -> Attacks -> EVs)


- Meowth : One (long)
Miscallanous, Growth, EVs substructures can't be used.

Attacks substructure can be used. (Attacks -> Growth -> Attacks)
The method is the same as Plusle.

- Horsea :  One
Miscallanous and Attacks substructures can't be used.
EVs substructure can't be used because of the contest stats.

Growth substructure can be used. (Growth -> EVs -> Growth)


— Procedure n°1, Pyramid Bag :
PC Start : 0x02030008 (0x41A7)
Horsea's Growth used : (Growth -> EVs -> Growth)
DMA : Translation of 0x10 bytes at Box 12 Slot 3. (DMA n°4)
Start : Pyramid Bag Slot 1. (0x02025890 with translation)

New Code : 02589103 0800FF02
XORed : 025825B1 08004BB0 - Works.

- Make a Pokéblock with an Oran Berry, 2 NPCs, a maximal RPM lower than 23.3 RPM. (takes 10 boring minutes to do) (Pokéblock with 00 Coolness, 08 Beauty)
- Have an in-game traded Horsea clone with no EVs and less than 65.536 exp.
- Obtain Glitch Item 0x0258.
- Give Horsea 0x10 Atk, 0x01 HP EVs.
- Double corrupt Horsea into Glitch Poké 0x1001.
Its experience curve leaves it at Lv 0 with 0x05060000 exp, so he can still gain EVs.
- Give the Pokéblock to the Poké.
- Give Pomeg, Hondew, Grepa Berries to the Poké to decrease its HP, SpAtk, SpDef EVs to 0.
12 Pomeg Berries will be enough. Up to 26 Hondew and Grepa Berries can be required (depending on Horsea's exp)
- Give the Poké 0x4B SpDef, 0xB0 SpAtk, 0x25 Def, 0xB1 HP EVs. (Total 465)
- Double corrupt the Poké.
It becomes Glitch Pokémon 0x25B1.
- Give Item 0x0258 to the new Poké.
End.


— Procedure n°1, PC Items :
PC Start : 0x02030008 (0x41A7)
Horsea's Growth used : (Growth -> EVs -> Growth)
DMA : Translation of 0x10 bytes at Box 12 Slot 3. (DMA n°4)
Start : PC Items Slot 1. (0x02025EA8 with translation)

New Code : 025EA903 0800FF02
XORed : 025E1DB1 08004BB0 - Works.

- Same method, but with Glitch Item 0x25E instead of 0x258, and with 0x1D Def EVs instead of 0x25 Def EVs.



— Procedure n°2, PC Items :
PC Start : 0x02030400 (0x1608)
Plusle's EVs subsructure used : (Evs -> Attacks -> EVs)
DMA : Translation of 0x4 bytes required at Box 12 Slot 16. (DMA n°1)
Start : PC Item Slot 3. (0x02025EA4 with translation)

New Code : 025EA503 0800FF02
XORed : 025F8460 0801DE61. - Works.

- Obtain the in-game traded Plusle and Horsea.
- Obtain both unmarked Caterpie and Heart Caterpie corruption initiators.
- Give a Plusle clone 0x60 HP EVs and 0x84 Atk EVs. Teach it Flash as 4th Move.
- Give a Plusle clone 0x16 HP EVs and 0x04 Atk EVs. Teach it Flash as 4th Move.
- Give a Plusle clone 0x13 HP EVs, 0x06 Atk EVs, 0x5F Def EVs, 0x02 Speed EVs, 0x01 SpDef EVs, 0x08 SpAtk EVs.
Teach it Flash as 4th Move. (for a good double corruption on US Emerald)
- Double corrupt these Plusles using unmarked Caterpie as corruption initiator.
The first Plusle will become a Pokémon knowing 0x8460 and 0x0505.
The second Plusle will become a Pokémon knowing 0x0416  and 0x0505.
Glitch Move 0x0416 changes the battle type into a wild battle with Battle Palace mechanics when seen.
The third Plusle will become a Poké that knows 0x613, 0x025F, 0x0801, 0x0505. (0x0505 is because of the contest stats)
Glitch Move 0x613 has the same effect as Sketch (but takes less EVs to obtain)

- Make a wild battle with Poké (the one from the third Plusle) and swap 0x0801 with 0x0505.
Flee.
Make Poké eat a Pomeg Berry.
- Double corrupt Poké using Heart Caterpie as corruption initiator.
Here, you might need to use an older double corruption strategy where you don't move the Egg obtained after the first corruption, because the 4th move can't be changed.
Poké becomes a Walrein. (for easier identification)
That Walrein has 0x05 SpAtk EVs and 0x05 SpDef EVs.
- Give Walrein 1 Hondew and 1 Grepa Berries.
- Give Walrein 0x61 SpAtk EVs and 0xDE SpDef EVs.

- Double corrupt Walrein using unmarked Caterpie as corruption initiator.
Walrein becomes a Poké that knows 0x0613, 0x025F, 0xDE61, 0x0801.

- Take the three Pokés with you.
- Go to Desert Underpass and fight a wild Ditto.
Switch to the first Poké that knows 0x8460 to let Ditto use Morphing.
Switch to the second Poké that knows 0x0416 and look at its moves to change the battle type into a Battle Palace Battle.
Switch to the third Poké. Attack and pray that he uses 0x0613 to sketch 0x8460. (If not, reset and try again)
Flee.



— Procedure n°2, Pyramid Bag :
PC Start : 0x02030400 (0x1608)
Plusle's EVs subsructure used : (Evs -> Attacks -> EVs)
DMA : Translation of 0x4 bytes required at Box 12 Slot 16. (DMA n°1)
Start : Pyramid Bag Slot 1. (0x02025884 with translation)

New Code : 02588503 0800FF02
XORed : 0259A460 0801DE61. - Works.

- Same method as Procedure n°2, but with 0x259 instead of 0x25F and 0xA460 instead of 0x8460



Here is a save file with a Pokémon made from Procedure n°2 for PC Items Slot 1 : http://www.petit-fichier.fr/2016/05/08/emer-us-bootstrap-poke-1/
I also provided a Pidgey with Glitch Move 0x1608.
There is also Glitch Pokémon 0x0600 in the same box. Putting the hand over it has a nice effect I haven't studied yet.



EDIT :
I probably had other things in mind this morning, but I completely forgot it for now.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2016-05-10 18:09:51
Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.
Also, giving 0x0A0D the triangle marking makes the game glitch and stutter. Again, the effect stops when you hover over a pokemon which doesn't have the triangle marking. The game eventually crashes if left in this stuttery state for more than a few seconds.
Why the markings do all this is unknown.

A rather unrelated question, but do glitch moves in Pokemon Platinum have the same effects as in Diamond & Pearl? If not, has anyone tried experimenting with glitch moves in Platinum?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spoink
Date: 2016-05-11 14:56:37

Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.


Did it sound like this? https://youtu.be/e6rt1Zd2xsA?t=9s

If not, try to record it.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2016-05-11 15:20:55
Well, I'm happy to report it sounds almost nothing like that. I'll get a recording when I have the chance.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-05-12 16:14:46
I'm back with a few more questions that came during work on other Gen 3 versions.


1) Pomeg Glitch data corruption can't be performed on RS (and even if it could it wouldn't be useful).
Thus, PC Item quantities can't be manipulated.
1.a) Is it possible to make the console read code from only one word every double-word ?
Would there be a method (mainly having a certain quantity for every Code Item) to create code from PC Items in RS ?

Due to the absence of encryption of many values, Bag Items (stored right after PC Items) can also be used to execute code.
This would give up to 50+42 = 92 Items that could be used for ACE in RS.


1.b)  Else, the only way to store code in RS that I see is with Pokémon data (8 bytes per 8 bytes).
What would the 8 bytes of code look like ? (If it doesn't bother too much to work on that)

From what I understood, the last 2 bytes would be used to make a jump of 0x50 bytes (towards the data of the next PC Pokémon).
The method I have to obtain the bootstrap Pokémon with Horsea ended up working quite well, and I would like to use it as much as possible. (thanks to HP,Atk,SpAtk,SpDef EVs + Held Item, many combinations for the 6 first bytes can be obtained)
The main downside of it is that the last 2 bytes must be obtained with Exp(2 higher bytes)/Contest stats (Coolness, Beauty), and Contest Stats really can't take that many values with Pokéblocks.
This is why I would like to know the values of these last 2 bytes in order to know if Horsea can be used or not for that task.


2) I tried your setup to execute overworld scripts, but things didn't work well.
Instead of having credits executed / an item obtained / nothing, I got a message box full of OE (RAM was overwritten by 0x101C).

For that, I used Glitch Move 0x1608 (pointer at 0x02030400), with a jump towards 0x02025E98 (03 99 5E 02 02 FF FF 08), then copied your code to use overworld scripts at 0x02025E98.
I tried it with 25 01 13 02 (special 0x113, end)), a paste of the script to get an item, 02 (end), and it always ended up with a message box and RAM being overwritten.

Here is a save ready to perform ACE : http://www.petit-fichier.fr/2016/05/12/emer-test-ace-issue/
(Use an Anti-DMA code to have everything at the right adresses)




Just letting you guys know, but do NOT give glitch pokemon 0x0A0D (the one that makes the music glitch) the heart marking. For some reason, it produces an EXTREMELY loud, continuous noise, louder than anything I've heard come out of a GBA. The noise stops when you either remove the marking or hover over a pokemon which doesn't have a heart marking.


Did it sound like this?
If not, try to record it.


Here is a recording of the effect : https://www.youtube.com/watch?v=M7ckrA2vxEA
It really differs from the other sound oddities I heard with 0x0A0D or by toying with the part of 0x0A0D's name that alters the music.