Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 37

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-09-29 13:04:04

EDIT :

I made AR codes for the Perfect Initiators (both of them), as well as a Cloning Glitch Pokemon 0x288A for easier use.
There's also .dmp and .vbm file to get them in previous page.

Perfect Initiators :
-SEASOR Box 1 Slot 1 :
A2C5C596 17DA2752
F45EB5FD 537687FB
19DF4333 C4F74712
A152E8EA 8D4760CA
B13788DF 3B9B3A06
C779EE6C 581A95B9
21B17AD5 DA302C1D
9D1EF466 2A6BBE89
C8B2C039 BBAF6F10
C6EBC6F3 449F849A
3E96C2CF 7A857392
E961EBF3 AB0BCF93
0C9256C3 62ECB067
CEDF2D7F 2B16ACD8
A0C9067E 5DF79155
B54DF298 D5F5CBE8
938599D1 405D3286
BC4CC3E8 1780C0E0
EBB11B21 D831516F
0E1022AE 1D878554


-Marked SEASOR Box 1 Slot 1 :
A2C5C596 17DA2752
F45EB5FD 537687FB
19DF4333 C4F74712
A152E8EA 8D4760CA
B13788DF 3B9B3A06
C779EE6C 581A95B9
FD888EEC 3BF29F9D
7ECAB9C9 836C5CE0
C8B2C039 BBAF6F10
C6EBC6F3 449F849A
3E96C2CF 7A857392
E961EBF3 AB0BCF93
70733463 A2300296
551E03CE 8008DF22
A0C9067E 5DF79155
B54DF298 D5F5CBE8
938599D1 405D3286
BC4CC3E8 1780C0E0
EBB11B21 D831516F
0E1022AE 1D878554


0X288A Cloning Pokemon Box 1 Slot 1 :
F3FF8938 F2F0E0C9
E2702D51 7857D4A2
AB71E557 19AF41CC
0FE199FA B823C7D7
0ACA1C25 59581547
10E8FBDF 66A39775
C82FFF38 70FF74BC
653F342F CD0F6A08
1F84851D BEC5B4D6
2F151FF1 1728714F
61398186 8C5F9FC5
FD9E9546 E55D0B32
A406783C 0C3177A7
5DF1F989 3FACA9DD
89CEE4A4 EB64C63B
5EB054E7 1231876C
51F13B68 9594314D
6D1A2A74 D3E004EC
1CDFF57E A9407B53
4DAC86DE 3AFEB045


I'm just going to leave a note for others that these require Anti-DMA (B2809E31 3CEF5320, 1C7B3231 B494738C).

Metarkrai, can you teach us the steps to convert a .PKM file into an Action Replay code for box 1 slot 1 (otherwise a code compatible for the Xploder Advance SP) please, as I bought one recently and would like to use it for fast cartridge glitching. Thanks!

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2016-10-03 16:03:50


This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)


I have now found that doing this can also corrupt the Pokemon in the PC, turning them into Bad EGGs with seemingly completely random glitch markings and glitch item. Other data regarding what the Pokemon was originally might have also been corrupted, but since I use actual hardware and not an emulator, I couldn't do much with them.


As I am not sure which action you were referring to (going over a Glitch Pokémon in PC, healing your party,…)



I achieved that by picking up Decamark 0x1460 with the orange cursor and moving between boxes in the PC.

The effects are seemingly completely random. Sometimes the game crashes/resets straight away, sometimes you get a loud screeching crash noise, and sometimes you can freeze the music. On rare occasions, you can get much more interesting effects, like replacing the music with the classic crash noise you usually get, but having the game still controllable.

One time I corrupted the music so much that one sound channel was frozen, a different sound channel was playing roughly an octave higher in pitch and the rest of the music was playing relatively normally. I've only been able to do that once, but I'll try to get a recording of it should it happen again… it's quite the tune.

When I viewed another glitch Pokemon's name before picking up 0x1460, I got a game crash with the screen becoming distorted… rather spooky.

Anyway, if possible, would anyone be able to use an emulator to see the corrupted Pokemon and the glitch items they hold? I'm interested to see what the hex. values of the glitch items are, since some of them either have the "CLOSE BAG" sprite or have no sprite at all.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-04 03:04:44
Ok, just from boredom, I tried to peform the trainer mutation on a Chinese Emerald ROM (that badly translated bootleg where Sootoopolis City is namee "Double Dee"). I got some unusual trainers, a guy with a trainer class of "of Girl" which crashed the game if defeated. They had the Collector's sprite. Trying JP Emerald soon.


EDIT:I tried JP Emerald and got a textbox floating around while I could still move around, something I did on English Emerald a while ago, via memory editin, and something I replicated "legit". I attached a savestate if it. How you get it to work? I don't really know.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: EarthTraveler
Date: 2016-10-06 13:24:57
Hi, I'm new here. I've been lurking for a while though, and I'm not if this has been covered, but here goes.

Last night, I managed to successfully pull off the "hatch any Pokemon" glitch on Emerald and hatched a Jirachi. I did the Day Care thing to get rid of its glitch moves, etc., and then I started trying to get rid of the Bad Eggs in my boxes. At first, I tried to use the cloning glitch, but did it wrong and failed to get rid of them (I did get 5 Master Balls off the non-glitch clones, though :)). And while I was pulling the Master Balls off of them in "Move Items" mode, I happened into one of the corrupted boxes full of Bad Eggs and saw that several were holding glitch items, represented by the white "?". There were also two invisible Pokemon, one of which appeared to be holding a Choice Band, based on the sprite.

So my question is, what do these glitch items do, and are they safe to pick up? I'm hesitant to try bagging them since I play on cartridge and don't want my save corrupted. Also, has anyone ever experienced getting a valid item off an invisible Pokemon, so that there's a chance that's a real Choice Band?

Thank you.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-06 13:59:09
Well, the glitch items don't do anything, and they are safe to grab. Also, R/S/E has backup flash memory, it can save 2 save files, so if the first one gets corrupted, the second one will be loaded.
As far as i know, most glitch items have that "?" icon.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Spectramark
Date: 2016-10-06 17:37:47

Hi, I'm new here. I've been lurking for a while though, and I'm not if this has been covered, but here goes.

Last night, I managed to successfully pull off the "hatch any Pokemon" glitch on Emerald and hatched a Jirachi. I did the Day Care thing to get rid of its glitch moves, etc., and then I started trying to get rid of the Bad Eggs in my boxes. At first, I tried to use the cloning glitch, but did it wrong and failed to get rid of them (I did get 5 Master Balls off the non-glitch clones, though :)). And while I was pulling the Master Balls off of them in "Move Items" mode, I happened into one of the corrupted boxes full of Bad Eggs and saw that several were holding glitch items, represented by the white "?". There were also two invisible Pokemon, one of which appeared to be holding a Choice Band, based on the sprite.

So my question is, what do these glitch items do, and are they safe to pick up? I'm hesitant to try bagging them since I play on cartridge and don't want my save corrupted. Also, has anyone ever experienced getting a valid item off an invisible Pokemon, so that there's a chance that's a real Choice Band?

Thank you.


Almost all glitch items are completely useless, bringing up the "[Player]! There's a time and place for everything!" dialog when you try using them. They cannot be sold at a PokeMart either, so they pretty much sit and take up space in your Bag. It can be nice though to have one or two in your Bag for bragging rights, I guess ;)

Unfortunately, you can't take items from EGGs/Bad EGGs. A different kind of corruption is required if you want to obtain glitch items/moves and most glitch Pokemon.



To see some interesting corruptions, I'd recommend getting glitch Pokemon 0x0A0D and 0x1460. Thankfully both can be hatched with the standard EVs > Species corruption without crashing the game.

0x0A0D (EVs: 10 ATK, 13 HP) turns off a part of the music and mutes Pokemon cries when hovered over in the PC, resulting in 8-bit-style music. This effect causes no permanent corruption, and the game can even be safely saved with this in effect. Resetting the game will set the music back to normal again, so the music effect is only temporary.

0x1460 (EVs: 20 ATK, 96 HP) is a rather dangerous one. The only safe way to handle it is to use the white cursor to move it around the PC. Using the orange cursor to pick it up basically puts you in a corruption minefield; scrolling between boxes, pressing B or pressing A on a Pokemon causes a wide variety of corruptions, from graphical glitches to freezing the music. Make sure not to save your game after messing around with it, as any corruption you had caused will become permanent.
The game crashes very often in this state, so it is wise to save your game straight after you hatch this glitch Pokemon so that you can deposit it safely in your PC without causing any permanent corruption.

If you instead put the glitch Pokemon at the front of your Party and go to the news reporter at Slateport, she will read out the Pokemon's species name. Since the name is hundreds of characters long, a buffer overflow occurs and many aspects of your game will be overwritten with corrupt data, notably your name, Party, Bag, Money, Trainer Card, gender, overworld sprite, battle sprite, Options, Badges and even your play time.
In such a corrupt state, there's not an awful lot you can do other than laugh as you run around in Cycling Road.
Opening your Trainer Card will crash the game.
Viewing the summary of the Pokemon in your Party will crash the game.
Booting up the PC will crash the game. (Due to your corrupted name being too long to display on "[Player]'s PC")
Entering a Pokemon battle will crash the game. (Due to your corrupt battle sprite)
Using certain items or performing certain actions with the Acro Bike can softlock the game. (Due to your corrupt overworld sprite)
For obvious reasons, do not save the game in this state. Saving the game will render the save file unplayable.

Anyways, have fun :D

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-07 11:15:45

I'm just going to leave a note for others that these require Anti-DMA (B2809E31 3CEF5320, 1C7B3231 B494738C).

Metarkrai, can you teach us the steps to convert a .PKM file into an Action Replay code for box 1 slot 1 (otherwise a code compatible for the Xploder Advance SP) please, as I bought one recently and would like to use it for fast cartridge glitching. Thanks!


Oh yeah, I forgot to say that it required Anti-DMA to work well.

Well, to obtain such codes, I look at the Pokémon's data in the Memory Viewer, then write a code for it in  Code Breaker / uncrypted ARv3  format, then I convert it in ARv3 with AR Crypt.

I know that some save editors can give you an AR code from a Pokémon, but the editors I have (RS savegame editor and Ciros Pokemon Maker) do not preserve the PID of Pokémon, which completely changes the crypted data and substructure order, so I am not using that.

With uncrypted ARv3, you need to write lines : 04aaaaaa bbbbbbbb in order to force the double-word 0xbbbbbbbb at adress 0x0a0aaaaa.
I usually take an already existing code, decrypt it with AR Crypt, then change the values to force. This saves some time as I don't have to write the adresses.

If there is no feature to let you create a code for a Pokémon at a certain PC slot from a .pkm file, you would need to inject the .pkm file in your save and use the Memory Viewer to check the Pokémon's data (unless the .pkm file only consists of the raw Pokémon data).

With my AR, it takes like 15 minutes to write such a code and it is always quite risky (hit B and you need to type everything again, touch the AR and it freezes), so I usually inject a new save file in my cartridge with it. (I don't know if Xploder can do it)


However, if you want codes to obtain certain Glitch Pokémon, you can do shorter ones, for example :

Obtain any Pokémon species at Box 1 Slot 1, Emerald (non Jap), Anti-DMA required :
0A400130 000002FF (Uncrypted ARv3 format)
04229828 0000xxxxx
0A400130 000002FF
0422982C 0000xxxxx
Change xxxx by the hexadeciman identifiant of the Pokémon you want, and convert the code in ARv3.
Hit R to make the Pokémon appear.


Similar tricks can be used to make short codes for Glitch Moves and Glitch Items or even to corrupt a Pokémon's PID/TID (provided you know it beforehand), it mostly depends on what you want to do.


——-




This may be a bit old, but do you remember the thing you were mentioning here ? (the one that corrupted PC Pokémon)


I achieved that by picking up Decamark 0x1460 with the orange cursor and moving between boxes in the PC.
[..]

Anyway, if possible, would anyone be able to use an emulator to see the corrupted Pokemon and the glitch items they hold? I'm interested to see what the hex. values of the glitch items are, since some of them either have the "CLOSE BAG" sprite or have no sprite at all.


Okay, so you were able to corrupt PC Pokémon data by only going over the name of a Glitch Pokémon. That's something new.
I'll try some things with 0x1460 and with some members of its name family.

And yeah, it is possible to check the Item held by a Bad Egg, even though you can't retreive it (unless the Bad Egg knows Trick).
Glitch Item sprites are nearly always "?", the only other case being Item 0xFFFF who has the "Close Bag" sprite.

Also, trying to give/withdraw an Item from a Glitch Pokémon via the PC easily crashes the game (easier than just going over the species name).
Certain interesting things could maybe be obtained out of this, I didn't make that many attempts with this mechanic.


——


Since the name is hundreds of characters long, a buffer overflow occurs and many aspects of your game will be overwritten with corrupt data, notably your name, Party, Bag, Money, Trainer Card, gender, overworld sprite, battle sprite, Options, Badges and even your play time.


Hundreds characters isn't enough, you need at least 7-8 thousands characters to reach the Party Pokémon, trainer ID, trainer name,..
The longest name I saw in some Emerald roms were of 42.000 characters.
However, when the name goes over 20.000 characters (or less, I don't exactly remember), a part of the data managing the loaded map is overwritten and you can't make a step or open/close the party without freezing the game. So being the longest doesn't give really interesting results.

It is possible to get back a short trainer name and a non-glitched trainer sprite by bringing other glitch Pokémon to Slateport's journalist, but this requires an empty party slot and no corruption on Day Care Pokémon (they are the sole Pokémon you can withdraw with a long trainer name, as PC can't be opened).
And unfortunately, many Glitch Pokémon with names long enough to corrupt good parts of RAM data but not too long (to let you move after the corruption) do not leave an empty slot in your party.  : (


——

Regarding Arbitrary Code Execution, I fell on an issue when trying to redo the procedure from A to Z.

Obtaining a Bootstrap Pokémon is ok.
Obtaining a list of Glitch Items is ok.
Placing the Glitch Items in Pyramid Bags is ok. (E)
Duplicating and placing the Glitch Items in PC is ok. (E,Fr,Lg)
Obtaining an ACE Glitch Move is ok.
The setup for DMA Translation check is ok.
ACE Codes that do things during the battle (like rewriting a word at a certain adress) work well.

However, codes that call the "overworld script" subroutine and that use this subroutine to execute certain scripts (call credits, give a Pokémon, set some flags, warp,…) do not work well :
When the code is executed, the game only stores the adress at which the scripts must be executed, and executes them once the battle ends.
But when the battle ends, DMA is called again and the RAM data that contains the scripts is moved.
Thus, the game has a good chance to try to execute an invalid script and crash because of that, and a low chance to execute the code well.

This is quite annoying since most of the interesting codes use this "overworld script" subroutine (with it, you can trigger multiple things at once with a short code).

The only solution I found so far would be to put many "MasterBall 0x0001" right before the code, as bytes 0x00 and 0x01 are script values that don't do anything.
This would increase the chances of getting the code to work (but not to 100% because of the initial DMA translation), and it would also make things less easy to manipulate (this stack would need to be removed to duplicate new glitch items in order to create new codes, so you would also to duplicate a stack of Master Balls to create many tiny stacks and put them in front.

It is unfortunately not possible to manipulate the DMA when the battle ends. I do not know if DMA could be desactivated though (this would be a good solution)

The RAM data right before PC Items consists of some unknown/trash data, so it cannot be changed to be helpful.

If the overworld scripts could be used directly during the battle, the issue would also be solved. But I don't know if such a thing is possible (I never saw the game trigger a script like credits during a battle)


So as of now, the state of Arbitrary Code Execution with Pomeg Glitch is still not completed.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-07 13:18:04
I have a pretty small question… where even is the player data located at? At around what address? I know that it changes, but I don't know where to look for it, I wanted to test some invalid genders.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-07 14:33:38

However, codes that call the "overworld script" subroutine and that use this subroutine to execute certain scripts (call credits, give a Pokémon, set some flags, warp,…) do not work well :
When the code is executed, the game only stores the adress at which the scripts must be executed, and executes them once the battle ends.
But when the battle ends, DMA is called again and the RAM data that contains the scripts is moved.
Thus, the game has a good chance to try to execute an invalid script and crash because of that, and a low chance to execute the code well.

This is quite annoying since most of the interesting codes use this "overworld script" subroutine (with it, you can trigger multiple things at once with a short code).

The only solution I found so far would be to put many "MasterBall 0x0001" right before the code, as bytes 0x00 and 0x01 are script values that don't do anything.
This would increase the chances of getting the code to work (but not to 100% because of the initial DMA translation), and it would also make things less easy to manipulate (this stack would need to be removed to duplicate new glitch items in order to create new codes, so you would also to duplicate a stack of Master Balls to create many tiny stacks and put them in front.

It is unfortunately not possible to manipulate the DMA when the battle ends. I do not know if DMA could be desactivated though (this would be a good solution)

The RAM data right before PC Items consists of some unknown/trash data, so it cannot be changed to be helpful.

If the overworld scripts could be used directly during the battle, the issue would also be solved. But I don't know if such a thing is possible (I never saw the game trigger a script like credits during a battle)


So as of now, the state of Arbitrary Code Execution with Pomeg Glitch is still not completed.


*some reversing later*

Seems the function at 0x8076C2C (labeled as prev_quest_set_mode_3_and_stuff in the Emerald .idb) is what does the DMA stuff.

It basically does the following:

- saves off into the stack, the int32s at 0x30022CC and 0x30022D0
- zeroes 0x30022CC and 0x30022D0
- zeroes 0x203CF5C
- copies the three DMA-translated blocks of memory away: 0xF2C bytes from the DMA-translated block pointed to by 0x3005D90 into 0x2000000, 0x3D88 bytes from the DMA-translated block pointed to by 0x3005D8C into 0x2000F2C (directly after the first block), 0x83D0 bytes from the DMA-translated block pointed to by 0x3005D94 into 0x2004CB4; a total of 0xD084 bytes.
- calls the function at 0x8076BDC, which takes a int16 "seed value" derived from adding together the int8s at 0x200000A through 0x200000D (this is actually the trainer ID and secret ID – this additional entropy is only used in Emerald, FRLG just uses RNG output for this), and adds it with some RNG output, then uses this value to set the new DMA base addresses (and then calls a couple of other functions to derive some variable pointers using the new base addresses).
- copies the data from 0x2000000/0x2000F2C/0x2004CB4 to the new base addresses
- calls a function at 0x8000B1C that basically sets the entire block of memory at 0x2000000-0x201C000 as allocatable by the internal memory management library, therefore allowing the block to be clobbered by some other gamecode
- restores the saved values of 0x30022CC and 0x30022D0
- gets an int32 from the RNG and uses this as a new XOR key: a function is called that takes a bunch of (DMA-translated) addresses, decrypts them with the saved XOR key at offset 0xAC into the DMA-translated block pointed to by 0x3005D90 (which got copied to 0x20000AC earlier) and re-encrypts them with the new XOR key
- sets the new XOR key, overwriting the saved XOR key in the DMA-translated block.

In theory, you'd be able to use this information to set up the script pointer at the place it got copied to.
In practise, other parts of the game uses this block of memory as scratch space, and it's useless to change it as the DMA-changing function will just change it right back.

I guess instead of an overworld script VM nop slide you could just copy the overworld script VM bytecode to some place in 0x200D084-0x201C000 in the payload? At least some of this block of RAM doesn't get touched at all in the overworld or in battle, it seems.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-08 11:59:10

I have a pretty small question… where even is the player data located at? At around what address? I know that it changes, but I don't know where to look for it, I wanted to test some invalid genders.


In Emerald (non Jap), gender is managed by the byte at 0x02024A5C.
In FrLg (non jap), gender is managed by the byte at 0x02024590.
The rest of the player data (ID, SID,..) is in the area.
You can use an Anti-DMA code to fix the adress of that byte in order to change it more easily.

From what I remember, certain values make your character look like a NPC (the correct sprites are tied to the directions the player is facing).  Large sprites (especially Rayquaza) oddly interact with the sprites of other NPC on the map.
The sprite of another Game Freak's game is also still here, but with the wrong colors (it has the right colors in RS, though).

———–




*some reversing later*

Seems the function at 0x8076C2C (labeled as prev_quest_set_mode_3_and_stuff in the Emerald .idb) is what does the DMA stuff.

It basically does the following:

- saves off into the stack, the int32s at 0x30022CC and 0x30022D0
- zeroes 0x30022CC and 0x30022D0
- zeroes 0x203CF5C
- copies the three DMA-translated blocks of memory away: 0xF2C bytes from the DMA-translated block pointed to by 0x3005D90 into 0x2000000, 0x3D88 bytes from the DMA-translated block pointed to by 0x3005D8C into 0x2000F2C (directly after the first block), 0x83D0 bytes from the DMA-translated block pointed to by 0x3005D94 into 0x2004CB4; a total of 0xD084 bytes.
- calls the function at 0x8076BDC, which takes a int16 "seed value" derived from adding together the int8s at 0x200000A through 0x200000D (this is actually the trainer ID and secret ID – this additional entropy is only used in Emerald, FRLG just uses RNG output for this), and adds it with some RNG output, then uses this value to set the new DMA base addresses (and then calls a couple of other functions to derive some variable pointers using the new base addresses).
- copies the data from 0x2000000/0x2000F2C/0x2004CB4 to the new base addresses
- calls a function at 0x8000B1C that basically sets the entire block of memory at 0x2000000-0x201C000 as allocatable by the internal memory management library, therefore allowing the block to be clobbered by some other gamecode
- restores the saved values of 0x30022CC and 0x30022D0
- gets an int32 from the RNG and uses this as a new XOR key: a function is called that takes a bunch of (DMA-translated) addresses, decrypts them with the saved XOR key at offset 0xAC into the DMA-translated block pointed to by 0x3005D90 (which got copied to 0x20000AC earlier) and re-encrypts them with the new XOR key
- sets the new XOR key, overwriting the saved XOR key in the DMA-translated block.

In theory, you'd be able to use this information to set up the script pointer at the place it got copied to.
In practise, other parts of the game uses this block of memory as scratch space, and it's useless to change it as the DMA-changing function will just change it right back.

I guess instead of an overworld script VM nop slide you could just copy the overworld script VM bytecode to some place in 0x200D084-0x201C000 in the payload? At least some of this block of RAM doesn't get touched at all in the overworld or in battle, it seems.


Wow, this is really nice stuff. Thank you for the explanation.
After looking at it, values stored in 0x02000000-0x0200D084 get indeed rewritten to store the data contained in the memory blocks the game wants to translate, but they quickly get overwritten by other values (mainly from functions managing graphics and other things, as DMA is nearly always called during a screen transition (door, closing party, ending a battle, closing pc,…))
PC Items data is in particular always overwritten, so changing the adress of the stored script to the adress of its copy in 0x02000000-0x0200D084 won't work.

Party Pokémon data would have been perfect to use there, because they are not affected by DMA, but they are not manipulable enough to store codes with more than 8-10 consecutive bytes.


I guess instead of an overworld script VM nop slide you could just copy the overworld script VM bytecode to some place in 0x200D084-0x201C000 in the payload?

If I understood well, you would like to copy a part of the code in that area in order to make it easily executable.
How long would be a code that does such a thing ? (copy n bytes from 0xaaaaaaaa to 0xbbbbbbbb).

I checked on emulator, and data at these adresses unfortunately doesn't stay when saving/resetting.
Thus, another area unaffected by DMA and not frequently used (or used for event things) would be needed first to make things work. (Unless both the copy of the bytes and the call to the overworld script subroutine can be done with a single code execution)

If a code to copy bytes from an adess to another isn't that long to write, then it could be used to create a Pokémon whose data contains the copied string of bytes.
Then, by placing such a Pokémon in a party slot, their data wouldn't move during all the procedure (because party pokémon data isn't affected by DMA).
This would need some refinement in order to see how to store the code in the Pokémon's data (or to see which in-game traded Pokémon could have its data modified to store code), but it would solve the issue on E/Fr/Lg.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-08 12:21:16

I guess instead of an overworld script VM nop slide you could just copy the overworld script VM bytecode to some place in 0x200D084-0x201C000 in the payload?

If I understood well, you would like to copy a part of the code in that area in order to make it easily executable.
How long would be a code that does such a thing ? (copy n bytes from 0xaaaaaaaa to 0xbbbbbbbb).

I checked on emulator, and data at these adresses unfortunately doesn't stay when saving/resetting.
Thus, another area unaffected by DMA and not frequently used (or used for event things) would be needed first to make things work. (Unless both the copy of the bytes and the call to the overworld script subroutine can be done with a single code execution)

If a code to copy bytes from an adess to another isn't that long to write, then it could be used to create a Pokémon whose data contains the copied string of bytes.
Then, by placing such a Pokémon in a party slot, their data wouldn't move during all the procedure (because party pokémon data isn't affected by DMA).
This would need some refinement in order to see how to store the code in the Pokémon's data (or to see which in-game traded Pokémon could have its data modified to store code), but it would solve the issue on E/Fr/Lg.


Your code would just copy your script bytecode to some other location, then set up the overworld script to use that location. Saving and resetting doesn't matter, the only thing that matters is if it gets clobbered between the time you get code exec, and when the script executes back at the overworld. Which it doesn't seem to be if you put it at 0x200D084 as far as I can tell.

A quick memcpy would even be game-agnostic, as you could use the GBA BIOS call to do that (you could find the ASLR base address for your game, get the location of your payload from that into r0, put 0x200D084 into r1, put 0x100 in r2 to always copy 0x200 bytes (this should be enough, yes?), and svc 0xb (CpuSet)).

So, something like this… (please note: untested.)

[tt]
; fasmarm syntax
thumb ; we don't want an ARM-mode payload
; code starts below

; not shown: payload prologue.
ldr r0,[saveblock1_base]
ldrh r1,[pc_offset]
ldr r0,[r0]
adds r0,r0,r1
ldr r1,[bytecode_base]
movs r2,#0x100
svc #0xb ; CpuSet
; now call script_run with r0=bytecode_base
; not sure if the bios call clobbers any registers.

saveblock1_base: dw 0x03005008 ; this is in US FireRed. it's 0x3005D8C in US Emerald. find this address for other versions yourself.
pc_offset: dh 0x298 ; this is for US FireRed and points to PC item #1. for US Emerald this offset is 0x24C. again, find the correct offset for other versions yourself, and add whatever constant you want for starting on PC item #x where x > 1.
bytecode_base: dw 0x200D084 ; you might want to increase this value if something gets screwed by this; however anything from 0x200D084-0x201C000 should be OK.
[/tt]

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-08 14:12:34
Oh, thanks Metarkrai. I will test some invalid genders tomorrow. Do I need to make a separate thread for that?

Moved the list to a new thread.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-09 11:56:55


Your code would just copy your script bytecode to some other location, then set up the overworld script to use that location. Saving and resetting doesn't matter, the only thing that matters is if it gets clobbered between the time you get code exec, and when the script executes back at the overworld. Which it doesn't seem to be if you put it at 0x200D084 as far as I can tell.

A quick memcpy would even be game-agnostic, as you could use the GBA BIOS call to do that (you could find the ASLR base address for your game, get the location of your payload from that into r0, put 0x200D084 into r1, put 0x100 in r2 to always copy 0x200 bytes (this should be enough, yes?), and svc 0xb (CpuSet)).

So, something like this… (please note: untested.)


0x200 bytes is more than enough as the size of PC Items block is 200 bytes. (0xF0 bytes could be used, if that can shorten the code)
In practice, the part stored in PC Items for codes that use overworld scripts don't go further than 40-50 bytes (in the case you would like to use 2-3 of them at once).


Would your code be shorter if instead of using the saveblock_base + pc_offset, the adress of the 1st PC Item was directly used ? (considering a certain DMA translation that has been determined prior to the execution)

If the "concatenation" of your code and Thezzazz's code (calling the overworld script subroutine) takes less than 40 bytes, then it can be stored in Pyramid Bags, which would be extremely useful for practical use in Emerald.



; fasmarm syntax
thumb ; we don't want an ARM-mode payload
; code starts below

; not shown: payload prologue.
ldr r0,[saveblock1_base] |
ldrh r1,[pc_offset]            | replaced (if possible) with the use of pcitem_adress
ldr r0,[r0]                        |
adds r0,r0,r1
ldr r1,[bytecode_base]
movs r2,#0x100 (0xF0 is enough)
svc #0xb ; CpuSet
; now call script_run with r0=bytecode_base
; not sure if the bios call clobbers any registers.

bytecode_base: dw 0x0200D084 ; you might want to increase this value if something gets screwed by this; however anything from 0x200D084-0x201C000 should be OK.
pcitem_adress : dw  0x(Adress of Pc Item #1) (considering a certain game and a certain DMA translation)

and

Code (at $E0F14D0):
  ; Setup to execute a subroutine
  mov r0, r15
  add r0, #0x9
  mov r14, r0
  ; Pointer to the script engine subroutine
  ldr r1, =RunScriptOffset
  ; The script engine subroutine takes the pointer to a script in R0
  ldr r0, =bytecode_base (adress where the previous 0x100 words were copied)
  ; Do some magic
  bx r1
  pop {r4-r7, r15}
  ; This nop is necessary because 4 byte alignment for ldr
  nop
RunScriptOffset:
  ; Pointer to the script engine subroutine
  dcd 0x08098EF9


For FrLg, this whole code would still need to be written with PC Items. If this "concatenated" code isn't too long, it would not be a big hindrance because this code + an owerworld script would only tak up to 15-20 PC Items.

Copying strigs of bytes on Pokémon data ended up being harder than I thought because I forgot about friendship.
Basically : (EDIT : Ok, it may work well)
- If the Pokémon becomes a Bad Egg, it can't be traded. (Hindrance because we want to trade this Pokémon to FrLg or RS)
Thus, the checksum must stay valid, and the bit managing the "Bad Egg state" must not be at 1.
- There are only 7 double-words before the checksum (PID, TID, Nickname, Trainer name, markings,…) and the bit managing the "Bad Egg state" is in there.
Furthermore, changing the PID or TID is a sure way to get an invalid checksum.
- There are 12 double-words after the checksum (the 4 substructures)
Attacks substructure is a hindrance because of PPs (they are recalculated when the Pokémon is deposited in PC)
Growth substructure is a hindrance because of friendship/egg cycles (they increase/decrease each 255 step cycle)
With a substructure order of : Misc - EVs - Attacks - Growth, we could store a string of 10 double-words (40 bytes) in the Pokémon's data.

Thankfully, a double-corrupted version of an in-game traded Horsea (PID of 0x4000007F) has this substructure order.
This will minimize the amount of data to change in order to store a string of 40 bytes and keep a Pokémon with a valid checksum. (In this case, we would only need to change the checksum along with Misc, EVs, and Attacks substructures).


Well, 40 bytes is exactly the same size as Pyramid Bag size, so if the aftermentioned code holds in 40 bytes, this would work well for both FrLg and Emerald.
Also, 40 bytes would maybe be enough to store the code to call the overworld script function in RS ( it needs an extra loop to prevent crashing, but doesn't need a part to prevent DMA issues).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-09 12:24:18
The entire code, assuming this works, (and again I'm using FireRed addresses/offsets), is 76 bytes long, ie, 19 items:
(I fixed a bug in it too, by the way.)

[tt]
; fasmarm syntax
thumb ; we don't want an ARM-mode payload
; code starts below

push {r0-r1, lr} ; save r0, r1, lr to stack
; is this our first time? if so, run the payload
lsrs r1,24
cmp r1,8
beq run_payload
; we're being called a second time, just remove the task
ldr r1, [move_anim_task_del]
bl _call_via_r1
pop {r0-r1, pc}
run_payload:
ldr r0,[saveblock1_base]
ldr r1,[pc_offset]
ldr r0,[r0]
adds r0,r0,r1
ldr r1,[bytecode_base]
movs r2,#0x100
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bl _call_via_r1
pop {r0-r1, pc}

_call_via_r1:
bx r1

saveblock1_base: dw 0x03005008 ; this is in US FireRed. it's 0x3005D8C in US Emerald. find this address for other versions yourself.
pc_offset: dw 0x298 ; this is for US FireRed and points to PC item #1. for US Emerald this offset is 0x24C. again, find the correct offset for other versions yourself, and add whatever constant you want for starting on PC item #x where x > 1.
bytecode_base: dw 0x200D084 ; you might want to increase this value if something gets screwed by this; however anything from 0x200D084-0x201C000 should be OK.
move_anim_task_del: dw 0x8072761 ; US FireRed again
script_run: dw 0x8069AE5 ; US FireRed *again*
[/tt]

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-09 13:10:33
I may ask a stupid question, but what program do you use to turn that code in hexadecimal format ?