Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 36

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-06-06 16:41:19
I figured it out.

Remember that animation opcode 0x03 creates a new task: it happens to call the address you give it as well.

It also increases a counter, named [tt]move_anim_active_task_count[/tt] in the FireRed IDB.

Animation opcode 0x08 is essentially a no-op if [tt]move_anim_active_task_count[/tt] >= 0.

So, you need to remove the task (otherwise, the game will keep calling the payload over and over, and will freeze as the animation will never end).

(How the game continued in FR/LG/Emerald remains a mystery to me.)

You do this by calling a function named [tt]move_anim_task_del()[/tt] in the FireRed IDB. Its location is 0x8072760 in FireRed US, 0x8075928 in Ruby US v1.2.

As for how to find it in other games, search for [tt]08 78 01 38 08 70 01 BC 00 47[/tt]; the function entry point should be the [tt]00 B5[/tt] 12 bytes before. There are two matches very close to each other: the first match is what you're looking for (the functions are identical apart from the RAM address whose value gets decremented).

Anyway, [tt]move_anim_task_del()[/tt] takes one argument: the task index to delete. Thing is, we don't know the task index, at least initially. However, the second time the payload gets called, the task index is in r0.

So, how to detect that?

It's really quite easy: the first time the payload gets called, r1 points to ROM; otherwise, it points to RAM. So, a payload like this could be used:

[tt]; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
push {r0-r1, lr} ; save r0, r1, lr to stack
; is this our first time? if so, run the payload
; (first call: r1 points into ROM, 0x08xxxxxx; later calls: r1 points into RAM)
lsrs r1,24 ; keep only the top byte of r1
cmp r1,8 ; 0x08 = ROM
beq run_payload
; we're being called a second time, just remove the task
; (r0 already holds the task index, the only argument move_anim_task_del() takes)
ldr r1, [move_anim_task_del]
bl _call_via_r1
pop {r0-r1, pc}
run_payload:
; actual payload here
ldr r1, [script_run]
ldr r0, [script_vmip]
bl _call_via_r1
pop {r0-r1, pc}

_call_via_r1:
bx r1 ; odd target address keeps the CPU in Thumb mode

; hey, perfectly aligned now!
; (28 bytes of code so far, so the 32-bit literals below are 4-byte aligned)

move_anim_task_del:
dw 0x08075929 ; Ruby US v1.2: entry 0x08075928, +1 for Thumb
script_run:
dw 0x080655D9
script_vmip:
dw 0x02025be4[/tt]

Hex representation:
[tt]03 B5 09 0E 08 29 03 D0 04 49 00 F0 06 F8 03 BD 03 49 04 48 00 F0 01 F8 03 BD 08 47 29 59 07 08 D9 55 06 08 E4 5B 02 02[/tt]

Remember to change the last three 32-bit integers for your game/version/language.
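As an added example (not Stackout's code, and not taken from the FireRed IDB), here is a Python script that does the two mechanical steps of this post: it locates move_anim_task_del() in a ROM image by the byte pattern given above, and it rebuilds the 40-byte payload with the three pointers for your version. The ROM image is constructed inline: the 10 bytes between the [tt]00 B5[/tt] and the tail pattern are filler NOPs rather than the real instructions, and the function is placed at offset 0x75928 only so that the result matches the Ruby US v1.2 value quoted in the post. The check that the two code pointers are odd is my addition; it is the general Thumb-mode rule for [tt]bx[/tt], not something the post spells out.

```python
import struct

# From the post: the 10-byte tail of move_anim_task_del() ...
TAIL = bytes.fromhex("08780138087001BC0047")
# ... and the "push {lr}" (00 B5) that the post says sits 12 bytes before it
ENTRY = bytes.fromhex("00B5")
ENTRY_TO_TAIL = 12
ROM_BASE = 0x08000000  # GBA cartridge ROM is mapped at 0x08000000

# The 28 bytes of Thumb code from the post's hex dump (everything before the three literals)
PAYLOAD_CODE = bytes.fromhex(
    "03B5090E082903D0044900F006F803BD0349044800F001F803BD0847"
)


def find_candidates(rom: bytes) -> list:
    """ROM offsets of every function entry that looks like move_anim_task_del()."""
    entries = []
    pos = rom.find(TAIL)
    while pos != -1:
        entry = pos - ENTRY_TO_TAIL
        # A tail hit only counts if the 00 B5 entry really is 12 bytes before it
        if entry >= 0 and rom[entry:entry + 2] == ENTRY:
            entries.append(entry)
        pos = rom.find(TAIL, pos + 1)
    return entries


def locate_move_anim_task_del(rom: bytes):
    """(rom_offset, pointer_for_the_payload) of the first match, or None.

    The post says the first of the two nearby matches is the right one. The
    pointer gets bit 0 set so that 'bx r1' stays in Thumb mode.
    """
    entries = find_candidates(rom)
    if not entries:
        return None
    entry = entries[0]
    return entry, (ROM_BASE + entry) | 1


def build_payload(move_anim_task_del: int, script_run: int, script_vmip: int) -> bytes:
    """The code bytes followed by the three little-endian 32-bit literals."""
    for name, ptr in (("move_anim_task_del", move_anim_task_del), ("script_run", script_run)):
        if ptr & 1 == 0:
            # An even target would make 'bx' switch to ARM state and decode garbage
            raise ValueError(f"{name} must be a Thumb address (odd)")
    # ldr from the literal pool needs the literals 4-byte aligned (28 % 4 == 0)
    assert len(PAYLOAD_CODE) % 4 == 0
    return PAYLOAD_CODE + struct.pack("<III", move_anim_task_del, script_run, script_vmip)


def make_sample_rom() -> bytes:
    """Constructed stand-in for a ROM image; not real game data."""
    rom = bytearray(b"\xff" * 0x76000)
    # The tail on its own, without 00 B5 twelve bytes before it: must be ignored
    rom[0x1000:0x1000 + len(TAIL)] = TAIL
    # Two copies of the function 24 bytes apart, as the post describes;
    # the 10-byte body is filler NOPs (mov r8, r8 = C0 46), not the real code
    fake_function = ENTRY + bytes.fromhex("C046") * 5 + TAIL
    for offset in (0x75928, 0x75928 + 24):
        rom[offset:offset + len(fake_function)] = fake_function
    return bytes(rom)


if __name__ == "__main__":
    rom = make_sample_rom()
    offset, ptr = locate_move_anim_task_del(rom)
    print(f"move_anim_task_del at ROM offset {offset:#x}, payload pointer {ptr:#010x}")
    payload = build_payload(ptr, 0x080655D9, 0x02025BE4)
    print(" ".join(f"{b:02X}" for b in payload))
```

Run against a real image by replacing make_sample_rom() with the file contents; with the Ruby US v1.2 offset the pointer comes out as 0x08075929 and the payload bytes equal the hex dump above.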

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2016-08-15 15:51:35
Found another rather strange and random glitch to have fun with, this time concerning Decamark 0x1460.

When picking up 0x1460 using the orange cursor in the PC, it creates a wide variety of graphical glitches when switching between PC Boxes, often crashing the game.
Sometimes, however, it freezes the music and all other sounds stop playing, but the game can still be controlled. Leaving the area with this frozen music crashes the game though, for some reason…

I've also found that on rare occasions, the glitchy behaviour extends beyond the PC itself, as shown below:

[img]http://imgur.com/O2EaAxg.jpg[/img][img]http://imgur.com/JMgZFgX.jpg[/img]

The PC options were there as usual, but I was able to walk around! I could access the PC and move Pokemon around from anywhere in the room. I've managed to pull this off twice so far, but both times the music had also frozen, so leaving the room was not an option, as it would crash the game. Due to the random nature of this glitch, activating it without freezing the music would likely be possible.
From here, you can do some more things:

[list]
    [li]If you press A on the PC while selecting an option of viewing the PC, then back out again, two PC dialogs will be displayed, overlapping each other and causing some rather strange effects when selecting an option.[/li]

    [li]Pressing B or selecting "SEE YA!" makes the PC options disappear, but the dialog box remains on the screen. Pressing Start at this point opens up the menu and chops off part of the dialog box.[/li]

    [li]Interacting with the Pokemon Center Nurse, you can get her to heal your Pokemon while viewing the PC, which surprisingly works exactly as you think it does; the Pokemon are healed and, unfortunately, the game doesn't screw up.[/li]
[/list]

This may not be a big breakthrough, but it's nice to have fun with it :D

EDIT: I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.
However, some of the glitch items looked different from the standard "?" icon, with one using the "Close Bag" icon and some being completely invisible. If someone could test this out on an emulator and identify what the hex values of the glitch items are, who knows, one of them might be the elusive glitch item 0xFFFF. Fingers crossed… ;)

—–

Also, Decamark 0x2828 has a glitch sprite seemingly identical to 0x0000's glitch sprite, but uses the previous sprite's colour palette instead of just black.
0x2828 also causes corruption similar to 0x1460 when its name is viewed using the news reporter, corrupting the player's Name, Party, Bag, Pokedex, Options, Overworld Sprite, etc. However, the battle sprite isn't changed so you can battle with the Bad EGGs in your party.

This is the sprite of 0x2828 shown after scrolling from a Bad Egg.
[img]http://imgur.com/z2FIoBz.jpg[/img]

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Yeniaul
Date: 2016-08-15 17:19:12
I really need to learn ASM…

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-08-22 12:33:03
[quote author=Spectramark]
I've also found that on rare occasions, the glitchy behaviour extends beyond the PC itself, as shown below:

[img]http://imgur.com/O2EaAxg.jpg[/img][img]http://imgur.com/JMgZFgX.jpg[/img]

The PC options were there as usual, but I was able to walk around! I could access the PC and move Pokemon around from anywhere in the room. I've managed to pull this off twice so far, but both times the music had also frozen, so leaving the room was not an option, as it would crash the game. Due to the random nature of this glitch, activating it without freezing the music would likely be possible.
From here, you can do some more things:

[list]
    [li]If you press A on the PC while selecting an option of viewing the PC, then back out again, two PC dialogs will be displayed, overlapping each other and causing some rather strange effects when selecting an option.[/li]

    [li]Pressing B or selecting "SEE YA!" makes the PC options disappear, but the dialog box remains on the screen. Pressing Start at this point opens up the menu and chops off part of the dialog box.[/li]

    [li]Interacting with the Pokemon Center Nurse, you can get her to heal your Pokemon while viewing the PC, which surprisingly works exactly as you think it does; the Pokemon are healed and, unfortunately, the game doesn't screw up.[/li]
[/list]
[/quote]

This kinda reminds me of when I did the Trainer Mutation: a corrupt NPC showed an empty message box and I was able to move around.
I know I still have the save state somewhere on my main PC; I might upload the save state once I find it (it was on VBA 1.8 ).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tamagon
Date: 2016-08-29 21:59:56
I've been following ChickasaurusGL's guide to hatch a Jirachi through the Pomeg Glitch, but no matter what, whenever I get a good egg, it's always just a Horsea. The EVs are right, I'm sure, so it's just bad luck messing me over. I know the glitch has gone through some revision since 2014. Is there a more reliable way to hatch the mythical pokemon? I've read something about a "perfect initiator." Would that guarantee me the mons?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-08-30 11:29:04
OK, I found the savestate, here it is (VBA 1.8 btw).
@up A "perfect indicator"… I don't remember what it does.
But, are your Horsea's Contest stats correct?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tamagon
Date: 2016-08-30 11:52:57
Horsea's contest stats should be the same as they were when I first got it. I had no idea you were supposed to mess with them.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-08-30 12:40:49
Actually, I just realized, it needs Waterfall (I think) as its third or fourth move.
I think now that contest stats haven't got anything to do with this.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-08-30 13:12:55
Yes, Metarkrai suggested that the Pokémon next to your Horsea/Dots (called an "initiator") can affect your chances of success (i.e. it can 'absorb' unwanted corruptions). Sometimes the Pokémon you find in the Egg is also a Horsea. It could be because of bad luck but it may also happen so many times it leads you to question whether the glitch works for you.

In this post (see the title "Caterpie the Perfect Initiator :") Metarkrai describes how to obtain a Caterpie perfect initiator, which can then be placed next to your Seasor. This doesn't guarantee success, but apparently increases your chances of succeeding.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-08-30 13:35:37
Also, here's a weird thing… I decided to manually corrupt the addresses relating to Anna's script on Route 117 and I found this:
The last bit controls some other stuff, including the text and the encounter music. For example, I changed 081F3B6F to 081F3B62 and managed to get the Bug Maniac's script and the E4 encounter theme to play; sadly, the game froze after the battle began.
The address around 02026898 is (at least for me) her script.
Also I got a very short glitch message.
And lastly, the IEIEIEIE one writes complete garbage to the WRAM, while CEe doesn't.
And really lastly, I changed the last bit of the address above to 5 and got a completely new glitch message! Different from the N loving one.
I put some screenshots of both new messages.
I can also give a save state for VBA 1.8.

MAJOR NOTE:
The battle began and he's a hiker…
The line:
PkMn TRAINER                            i iR ViS iQh          i Ri h  SVBQUVReUVie Zo  o  i Ké hAg UBQOUGROA u kkVoTiW k k:  :
would like to battle!
is pretty good. Then he sent out a hex:0000…
Then he spams CEe's, and gives me NO MANAH :(:(:(

END OF MAJOR NOTE :D
Then I changed it to 6 and I saw nightmare fuel.
Changed to 7 and saw short garbage. Also froze after an encounter.
8 made her an E4 member spamming CEe's at everyone.
9 was a Youngster CEe spammer.
A gave no music change :(:(:( SADNESS INTENSIFIES :(:(:(
B was a Youngster spamming qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF's.
C gave normal stuff…
D resulted in a Guitarist who spams CEe's
E is the same as B.
Changing the byte to F's will result in a freeze with the memory being nuked by 0's.
EDIT2: Uploaded the save state of the PkMn Trainer Hiker.
EDIT4: Now I managed to change where she's facing.
EDIT5: WELL, now I can have a corrupt text box and walk around… #100%PureQualityProgramming.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Yeniaul
Date: 2016-08-30 17:38:30
[quote author=Charmy]
i might upload the save state once i find it (it was on VBA 1.8).
[/quote]

Smiley parsing FOR THE WIN!!!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-09-01 07:55:49
Never mind, I already fixed that.
But I think that VBA 1. 8) MLG 8) was a good mistake.
OK, stop the off-topic.

EDIT: I decided to make a list of NPC corruption effects.
Chapter 1: Non-Trainers
1. Random PokéNav number being registered (mostly "PkMn Trainer " or "Beauty Jessica")
2. CPU hang.
3. Fade to white.
4. qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
5. qÁF qÁF qÁF qÁF qÁF qÁF qÁF + flashing sprites (for example berry soil)
6. Game hang.
7. Random PokéNav call (mostly filled with qÁF or ê)
8. Random PokéNav call + a YES\NO box (only if talking to corrupt berry soil). (image below)
9. Spoopy red crash.
10. Slot machine
11. DécoMart
Chapter 2: Trainers
1. êêêêêêêê
2. IEIEIEIEIEIEIE
3. Nightmare fuel (RSOD)
4. êêêêêêêê + a Gentleman

I'll update if anything comes up.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-09-18 11:08:49

This may be a bit old, but do you remember the thing you were mentioning here? (the one that corrupted PC Pokémon)

[quote author=Spectramark]
I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.
[/quote]

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,…)

—-

[quote author=Charmy]
EDIT: I decided to make a list of NPC corruption effects.
Chapter 1: Non-Trainers
1. Random PokéNav number being registered (mostly "PkMn Trainer " or "Beauty Jessica")
2. CPU hang.
3. Fade to white.
4. qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF qÁF
5. qÁF qÁF qÁF qÁF qÁF qÁF qÁF + flashing sprites (for example berry soil)
6. Game hang.
7. Random PokéNav call (mostly filled with qÁF or ê)
8. Random PokéNav call + a YES\NO box (only if talking to corrupt berry soil). (image below)
9. Spoopy red crash.
10. Slot machine
11. DécoMart
Chapter 2: Trainers
1. êêêêêêêê
2. IEIEIEIEIEIEIE
3. Nightmare fuel (RSOD)
4. êêêêêêêê + a Gentleman
[/quote]

Only a handful of corruptions can be obtained on NPC script addresses, mainly +0x40000000 (bit 6 of the leftmost byte switched to 1) and +0x05000000 (bits 0 and 3 of the leftmost byte set to 1).
Thus, instead of reading other ROM addresses managing scripts, it reads things in 0xCxxxxxxx or 0x85xxxxxx, and some of the behaviours you found may not be doable. (Unfortunately, no interesting behaviour has been found from corrupting NPC scripts, and the corruptions you get from talking to an NPC are sometimes RNG-dependent.)


—-

[quote author=Torchickens]
In this post (see the title "Caterpie the Perfect Initiator :") Metarkrai describes how to obtain a Caterpie perfect initiator, which can then be placed next to your Seasor. This doesn't guarantee success, but apparently increases your chances of succeeding.
[/quote]

To be a bit more accurate about that, if you want to corrupt a Pokémon, you need two things.
- The first is corruption initiators (two of them) that will alter the addresses where the corruption occurs.
I now have a video along with the written procedure: https://www.youtube.com/watch?v=hBWkshUJv_8
- The second is a specific criterion. If the Pokémon doesn't meet that criterion, then corrupting its PID or TID will change its checksum, which will turn it into a Bad Egg.
Here is a video about that criterion: https://www.youtube.com/watch?v=65e-SKeE5Ec
This criterion is usually met, but on certain occasions it isn't, and you can spend hours trying to corrupt a Pokémon without success.

With these two elements, the chance of succeeding in a Pokémon corruption is 1/32 (or 6-7/32 if you use 5 clones of the Pokémon you want to corrupt).


—-


After a quite long time (and some recent pauses), the written procedure for ACE in Gen 3 is nearly complete!
Here are all the files I completed:
Obtain Glitch Items: http://pastebin.com/qQ91bzuM
Obtain a Bootstrap Pokémon: http://pastebin.com/2aEzxFU4
Setting PC Items in Emerald: http://pastebin.com/Ke3wUsZX
Setting Pyramid Bag Items in Emerald: http://pastebin.com/tQSDqkdU
Setting PC Items in FrLg: http://pastebin.com/yHBhvbLh
Trigger Code Execution in E/FrLg: http://pastebin.com/U5ajVMp8

A few things are left to be done:
- Make a paste with a list of codes to perform.
I already made a good amount of codes thanks to ThezzazzGlitch's help (and someone else too) on the structure they need to have, but there are some codes for which I don't know what their structure would be, and if they can be done.

- Know if a code to rewrite many consecutive words/double words is doable.
Mainly to create a PC Pokémon from A to Z, or at least most of a PC Pokémon. This would allow for Code Execution in RS (it can't be done with other methods than having a Pokémon with 20+ manipulated bytes, unfortunately).
It would also be useful to have codes that modify multiple words at once (triggering multiple interesting things at once or completing the Pokédex in one code).

- Know if a code that reads a word and rewrites it elsewhere is doable.
Mainly to display the Secret ID.

- Make videos showing the DMA Translation check.
I have savestates for each case and I need to record that for clearer procedures.

I will also try to make videos for each paste, as they end up being quite long due to the iterative procedures, but this will be for I-don't-know-when, so for now the written parts are at least readable.

Anyways, ACE is doable on every Emerald and FrLg cartridge (Fr/Eng/Spa/Ita/Ger/Jap), with procedures and values detailed for each version.

The global way to do this is:
Use a Glitch Move whose animation pointer falls in PC Pokémon data.
Manipulate some bytes on a certain Pokémon (Bootstrap Pokémon) to make a jump towards PC Items / Pyramid Bag Items.
Manipulate PC Items / Pyramid Bag Items to write your code.

Make wild battles and wait for a certain DMA value in order to have all the addresses aligned well.
Use the ACE Glitch Move.
Profit.

Of course, the procedure to store and execute code changed quite a lot, but the current one is, I think, one of the least time-consuming and one of the easiest to pull off on cartridge. (It still takes quite some time to do everything, but no part is difficult.)

But if you have any questions regarding the procedure or regarding some codes that I could add, I would gladly answer you.

Oh, and once the paste for the codes is done, I'll update this post with it and with some saves where everything is ready.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-09-18 11:34:07
[quote author=Metarkrai]
This may be a bit old, but do you remember the thing you were mentioning here? (the one that corrupted PC Pokémon)

[quote author=Spectramark]
I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.
[/quote]

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,…)
[/quote]

Ehh, were you asking me?

[quote author=Metarkrai]
Only a handful of corruptions can be obtained on NPC script addresses, mainly +0x40000000 (bit 6 of the leftmost byte switched to 1) and +0x05000000 (bits 0 and 3 of the leftmost byte set to 1).
Thus, instead of reading other ROM addresses managing scripts, it reads things in 0xCxxxxxxx or 0x85xxxxxx, and some of the behaviours you found may not be doable. (Unfortunately, no interesting behaviour has been found from corrupting NPC scripts, and the corruptions you get from talking to an NPC are sometimes RNG-dependent.)
[/quote]

I sort of knew that RNG is engaged, so I just save-stated right after I scrolled, then went to the berry field, started talking and got these… I used Torchickens' save if you want to know.

[quote author=Metarkrai]
(Unfortunately, no interesting behaviour has been found from corrupting NPC scripts, and the corruptions you get from talking to an NPC are sometimes RNG-dependent.)
[/quote]

I think that the DécoMart might be useful for getting glitch decorations if you can get around the freeze.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-09-18 11:57:27

[quote author=Charmy]
[quote author=Metarkrai]
This may be a bit old, but do you remember the thing you were mentioning here? (the one that corrupted PC Pokémon)

[quote author=Spectramark]
I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.
[/quote]

As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,…)
[/quote]

Ehh, were you asking me?
[/quote]

Sorry, that part of the post was referring to Spectramark's post where he obtained data corruption on PC Pokémon. The way he did that isn't very clear to me, so I wanted to have more details about that.

[quote author=Charmy]
I think that the DécoMart might be useful for getting glitch decorations if you can get around the freeze.
[/quote]

I never got DecoMart from NPC script corruption, but seeing how it behaves when you get a trainer battle or an overwriting with qAF, things mainly end up badly with it.

You can get 7 glitch decorations with a Pomeg Glitch data corruption, and you can get all of them with ACE (either with the script to get it, or with a direct change of the RAM addresses managing decorations).

I tested many glitch decorations, and even if they mess up the camera location and the decorations list (when their name is too long), there doesn't seem to be anything really usable from them.
If you are able to place a glitch decoration and get out of the secret base (it is often tough to get out with the decoration placed), you can't seem to interact with the decoration once you get back (except when you want to withdraw it).

A glitch decoration name can mess up the decorations list (with the used/unused decorations), but you can't really duplicate a decoration or replace an already placed decoration.

With the script to obtain a decoration, the decoration's name is read and it can crash the game if it overflows too much.
Some glitch decorations also freeze the game when placed, if I remember well (something like a whole black screen).

I would have also liked to directly manipulate the decorations placed (ID and location) in order to have many dolls in the player's house, but I couldn't find that in the memory viewer.
I also wanted to manipulate a tile in order to be able to walk/bike from land to water, but I didn't find the right property for a tile to do so (I used ACE with an overworld script that changes a map tile).