Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 38

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-09 14:16:59
I'm using fasmarm: http://arm.flatassembler.net/
You can just run the fasmwarm.exe, type in some asm, hit compile from the run menu, and it'll save out the compiled code in raw .bin. Perfect for writing PIC payloads.

And by the way, I screwed up in the previous post(s), using opcodes that won't work on GBA's ARM CPU. (I hate coding arm shellcode sometimes, especially when you're used to coding PIC for some later version of the instruction set)

Here's a better version, that doesn't use such opcodes – it's smaller too, at 62 bytes (16 items)!

In fact, we shouldn't need to have to grab the DMA base address, as the payloads will actually only run at a specific DMA base address, right?
Best to do that anyway though, just in case.

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.

push {r0-r1, lr} ; save r0, r1, lr to stack
; is this our first time? if so, run the payload
lsrs r1,24
cmp r1,8
beq run_payload
; we're being called a second time, just remove the task
ldr r1, [move_anim_task_del]
bl _call_via_r1
pop {r0-r1, pc}

move_anim_task_del: dw 0x8072761

run_payload:
ldr r0,[saveblock1_base]
ldr r1,[pc_offset]
ldr r0,[r0]
adds r0,r0,r1
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bl _call_via_r1
pop {r0-r1, pc}

saveblock1_base: dw 0x03005008 ; it's 0x3005D8C in US Emerald. find this address for other versions yourself.
pc_offset: dw 0x298 ; points to PC item #1. for US Emerald this offset is 0x24C. again, find the correct offset for other versions yourself, and add whatever constant you want for starting on PC item #x where x > 1.
bytecode_base: dw 0x200D084 ; you might want to increase this value if something gets screwed by this; however anything from 0x200D084-0x201C000 should be OK.
script_run: dw 0x8069AE5

_call_via_r1:
bx r1
[/tt]

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-09 14:17:44
Ummm should I continue the GenderDex? Answer please.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-09 14:26:08

Ummm should I continue the GenderDex? Answer please.


Given that I personally am interested in a list of invalid genders, then sure, do it.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-10 15:22:05
Okay, so as RS needs that loop in order not to crash when executing code, two Pokémon will be needed to store code (probably one with the part before the payload + a jump 0x50 bytes further, and a second one with the payload)

I made a mistake in my calculation of the longest string that can be stored in a Pokémon's data: its length is 32 bytes, not 40.
This could complicate things because even your 62-byte code may not fit in two Pokémon with an additional jump (I don't know if that jump would only add 2 bytes, or more because of 4-byte alignment or something else).

Thank you for the program! It helped me a lot when testing codes.
Since in EFrLg you don't need the new task induced by the code with move_anim_task_del(), I wanted to try a code without your loop to prevent the softlock in RS.
The kinds of codes I tried were 28/32 bytes long like the one right below (blending your code and thezzazz's), but none of them worked.

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.


push {r0-r1, lr}
ldr r0,[block_base]
nop
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bx r1
pop {r0-r1, pc}

block_base: dw 0x020257F4 ; address of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)
bytecode_base: dw 0x200D084 ; works well
script_run: dw 0x8069AE5
[/tt]

Would there be a similar code of similar length (less than or equal to 32 bytes) that could work on EFrLg, given that they don't softlock where RS does?
Or would additional lines be required to make such tasks work (and make a code that is more than 32 bytes long)?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-10 15:48:55

Okay, so as RS needs that loop in order not to crash when executing code, two Pokémon will be needed to store code (probably one with the part before the payload + a jump 0x50 bytes further, and a second one with the payload)

I made a mistake in my calculation of the longest string that can be stored in a Pokémon's data: its length is 32 bytes, not 40.
This could complicate things because even your 62-byte code may not fit in two Pokémon with an additional jump (I don't know if that jump would only add 2 bytes, or more because of 4-byte alignment or something else).

Thank you for the program! It helped me a lot when testing codes.
Since in EFrLg you don't need the new task induced by the code with move_anim_task_del(), I wanted to try a code without your loop to prevent the softlock in RS.
The kinds of codes I tried were 28/32 bytes long like the one right below (blending your code and thezzazz's), but none of them worked.

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.


push {r0-r1, lr}
ldr r0,[block_base]
nop
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bx r1
pop {r0-r1, pc}

block_base: dw 0x020257F4 ; address of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)
bytecode_base: dw 0x200D084 ; works well
script_run: dw 0x8069AE5
[/tt]

Would there be a similar code of similar length (less than or equal to 32 bytes) that could work on EFrLg, given that they don't softlock where RS does?
Or would additional lines be required to make such tasks work (and make a code that is more than 32 bytes long)?


You forgot the [tt]_call_via_r1[/tt] stuff, which is required. Without it, things would screw up upon return from [tt]script_run[/tt].

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.


push {r0-r1, lr}
ldr r0,[block_base]
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bl _call_via_r1
pop {r0-r1, pc}

_call_via_r1:
bx r1
nop

block_base: dw 0x020257F4 ; address of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)
bytecode_base: dw 0x200D084 ; works well
script_run: dw 0x8069AE5
[/tt]

this is 36 bytes long; you could offset one of the constants in the code to make it read that specific constant from another Pokémon, however.

Also, you could have a bootstrap Pokémon that just jumps to PC item 1, then have this code copy from PC item 10 onwards?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-10 16:38:03
Aaahhh this Assembly code is so confusing to me!
Anyway, the invalid genders are interesting, a specific type of a girl NPC repeats later on the list.
I wonder which hexes you can get via Decamark names.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-10 17:14:26
Yes! After a few more tweaks, I finally got a working code:

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.


ldr r0,[block_base]
nop
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run]
bl _call_via_r1
pop {r4-r7, r15}

_call_via_r1:
bx r1
nop

block_base: dw 0x020257F4 ; address of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)
bytecode_base: dw 0x200D084 ; works well
script_run: dw 0x8069AE5
[/tt]


It is 36 bytes long, so with your idea of offsetting one of the constants, it would fit perfectly in a single Pokémon.
Can 2 constants be offset at 2 different locations? (like one 40 bytes further and the second one 20 bytes further)

As block_base and script_run are the only parts that change between Emer non Jap / Emer Jap / FrLg non Jap / FrLg Jap, storing these in two separate places on the data of another Pokémon would be really convenient (easy to manipulate with a double corruption, and reduces the amount of Pokémon required for ACE on different games).

block_base would be stored on the 1st double-word of the EVs substructure of the in-game traded Seedot (substructure n°1).
Then this Seedot would be double-corrupted, and script_run would be stored on the 1st double-word of the new EVs substructure of the corrupted Pokémon (substructure n°4).

The main part of the code would be written on a double-corrupted Horsea, starting at the 1st double-word of its 1st substructure. The double-corrupted Seedot would be placed right after it.
Thus, block_base would be 0x50 bytes after the beginning of the code, and script_run would be 0x74 bytes after the beginning of the code.


The main part of the code would be made with Items stored in Pyramid Bags, then copied over the corrupted Horsea's data with the following ACE:

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload

ldr r0,[offs1]
ldr r1,[offs2]
movs r2,#0x11 ; copy 0x22 = 34 bytes (32 for code and 2 for checksum)
svc #0xb ; CpuSet
pop {r4-r7, r15}

; Origin address at Pyramid Bag Item n°1, with a DMA translation of 4
offs1:  dw 0xXXXXXXXX
; Destination address at checksum of Pokémon in Box . Slot ., with a DMA translation of 4
offs2: dw 0xYYYYYYYY
[/tt]


This code is 20 bytes long (5 PC Items), and it also works well.
Maybe I shouldn't say well: the code is repeatedly called every frame until the battle ends/another move animation is called.
This means that the previous code has the same behaviour, so I'll try them on console to be sure that the console handles them with no issues.


--------

Edit:


Aaahhh this Assembly code is so confusing to me!
Anyway, the invalid genders are interesting, a specific type of a girl NPC repeats later on the list.
I wonder which hexes you can get via Decamark names.


Mhhh, if you want to use Glitch Pokémon to change the trainer sprite and enjoy it, you would have a good part of the 256 values, but probably something like a half or so.
- The byte where gender is stored is affected by DMA, so one Glitch Pokémon will give you different genders depending on the DMA (so you may have to reset for some time in order to obtain some of them).

- The gender byte is after Party Pokémon, so overwriting your gender also overwrites your whole party.
Thus, you can only change your gender once. If you want to change it again, you would need to have an empty party slot and to walk to Day Care in order to withdraw another Glitch Poké to overwrite your gender, or a Glitch Poké that shortens your trainer name (to get back the use of PC).

- The species name of the Glitch Pokémon can't be too long.
Otherwise, the coordinates of the "camera" (I'm not exactly sure if this is the coordinates of the camera or something close to it) get overwritten (often to 0000 0000) and you get stuck in the building because the borders of the camera make you unable to reach the exit door, or unable to move at all.
- If the name is even longer than that, the game can freeze as soon as you take a step, or when you open and close your Pokédex/party/bag/…

But, with a previous setup that requires another Glitch Pokémon, it is possible to be in Slateport's fan club with Safari Mode.
Thus, after talking to the journalist and corrupting your gender, you can use the "Quit" option to be teleported to Safari Zone entrance.
You can still reach the Day Care by foot, but exiting the Safari Zone stores your Trainer Name at an address a bit above the Day Care Pokémon. Thus, if the species name of the Glitch Poké is too long, the Trainer name gets quite long and it will overwrite the Day Care Pokémon. (You can still enjoy your glitched gender, but you can't get back a regular team).

Also, with a long trainer name, every message with your Trainer name takes 1 to 15 minutes to end, which ends up really annoying with DexNav calls.

- Lastly, if the species name of your Glitch Pokémon is even longer, it will overwrite Bag Items and story flags, which will render you unable to do anything except walking (you can also lose the trainer shoes, your Pokédex, your Party, and a whole lot of things).
This can also overwrite the bit managing Safari Mode and set it to 0, making you unable to leave the house again.


I don't exactly remember what the upper bound for a Glitch Pokémon name length would be if you want to corrupt your trainer name/gender/.. while being able to restore some things, but in the end not that many Pokémon have a name of such a length (especially if you add the condition that the overwritten party must have one empty slot).
With the requirement of an empty party slot, the amount of such Glitch Poké would count in dozens.
Without this requirement, the amount of such Glitch Poké would count in hundreds (around 200 at most).

I'll come back with more accurate data if you are interested in pulling that off in console.
You can obtain every gender with ACE now that we have codes that work and a way to write/store them, but overwriting values with a Glitch Pokémon species name is still a good option because it is easy to perform. (some EVs and only one double corruption)


Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2016-10-10 17:42:17

Can 2 constants be offset at 2 different locations? (like one 40 bytes further and the second one 20 bytes further)


Yes, that's possible:

[tt]
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.


ldr r0,[block_base + 40]
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run + 20]
bl _call_via_r1
pop {r4-r7, r15}

_call_via_r1:
bx r1

bytecode_base: dw 0x200D084 ; works well
block_base: dw 0x020257F4 ; address of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)
script_run: dw 0x8069AE5
[/tt]

it'll output 32 bytes, just offset the last 2 int32s correctly… or just ignore offsetting them, fix the ldrs and just store the entire thing in one Pokémon, given that the extra 4 bytes have been saved now :)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: VaeporSage
Date: 2016-10-10 18:29:01
Haha, I have no idea what's going on, but it sure looks like it's coming on great anyway. You guys make one heck of a team!  :P

God bless, keep up the good work!  :)

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-11 00:04:42
Related to the invalid genders, I see some sort of a pattern, lots of effects repeat or are the May/Leaf variant of these.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-10-11 12:26:31


I'm just going to leave a note for others that these require Anti-DMA (B2809E31 3CEF5320, 1C7B3231 B494738C).

Metarkrai, can you teach us the steps to convert a .PKM file into an Action Replay code for box 1 slot 1 (otherwise a code compatible for the Xploder Advance SP) please, as I bought one recently and would like to use it for fast cartridge glitching. Thanks!


Oh yeah, I forgot to say that it required Anti-DMA to work well.

Well, to obtain such codes, I look at the Pokémon's data in the Memory Viewer, then write a code for it in Code Breaker / unencrypted ARv3 format, then I convert it to ARv3 with AR Crypt.

I know that some save editors can give you an AR code from a Pokémon, but the editors I have (RS savegame editor and Ciros Pokemon Maker) do not preserve the PID of the Pokémon, which completely changes the encrypted data and substructure order, so I am not using that.

With unencrypted ARv3, you need to write lines: 04aaaaaa bbbbbbbb in order to force the double-word 0xbbbbbbbb at address 0x0a0aaaaa.
I usually take an already existing code, decrypt it with AR Crypt, then change the values to force. This saves some time as I don't have to write the addresses.

If there is no feature to let you create a code for a Pokémon at a certain PC slot from a .pkm file, you would need to inject the .pkm file in your save and use the Memory Viewer to check the Pokémon's data (unless the .pkm file only consists of the raw Pokémon data).

With my AR, it takes like 15 minutes to write such a code and it is always quite risky (hit B and you need to type everything again, touch the AR and it freezes), so I usually inject a new save file in my cartridge with it. (I don't know if Xploder can do it)

(…)


Thank you very much Metarkrai! :) I gathered to try the RAW data solution where you make a Codebreaker code for the individual bytes and I converted them for my Xploder SP using a program called CBAcrypt (in which you enter the first line as the game's master code and the codes below it and click Encrypt). The only trouble was that I couldn't get Anti-DMA to work for an Xploder SP (which uses 12 digit codes), although after many soft/hard resets I was able to easily create the 0x288A Pokémon and one of the Caterpie perfect initiators.

I plan on making videos for Pomeg basics including Pokémon creation (re-done using a corruption initiator), item creation, move creation, getting obedient Mew/Deoxys and accessing Birth Island/Faraway Island on a Spanish Emerald cartridge. I'd really like to make these with some annotations (similar to your style) that explain what is going on.

On a slightly unrelated note I noticed that Pal Park didn't label the Caterpie perfect initiator holding a glitch item as invalid. I didn't choose to migrate it, but it makes me wonder whether transferring 0x1C7 (Azure Flute) is in fact possible and if that would work for obtaining Arceus in Diamond/Pearl?
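The RAW-data route discussed in this exchange (one CodeBreaker 16-bit write per halfword of a box Pokémon's record), as an added example that is not from the thread or from any of the tools named in it: it builds an 80-byte Gen 3 box record, orders the four substructures by PID % 24 (which is why an editor that rewrites the PID scrambles the layout and checksum, as noted above), computes the checksum over the decrypted data, and emits the code lines. The box 1 slot 1 base address 0x0202980C and the CodeBreaker type-8 (16-bit write) prefix are assumptions taken from my own reading of such codes; both only hold when Anti-DMA is active, as mentioned above.

```python
import struct

# Layout of an 80-byte Gen 3 box Pokémon record (offsets from the public
# save-format documentation; one box slot every 0x50 bytes).
PID_OFF, OTID_OFF, CHECKSUM_OFF, DATA_OFF, BOX_MON_SIZE = 0x00, 0x04, 0x1C, 0x20, 0x50
SUB_SIZE = 12  # each of the four substructures is 12 bytes; 4 * 12 = 48 data bytes

# Substructure order selected by PID % 24 (G=Growth, A=Attacks, E=EVs, M=Misc).
ORDERS = ("GAEM GAME GEAM GEMA GMAE GMEA AGEM AGME AEGM AEMG AMGE AMEG "
          "EGAM EGMA EAGM EAMG EMGA EMAG MGAE MGEA MAGE MAEG MEGA MEAG").split()


def substructure_order(pid: int) -> str:
    return ORDERS[pid % 24]


def crypt_data(pid: int, otid: int, data48: bytes) -> bytes:
    """XOR the 48-byte data section with (PID ^ OTID), one 32-bit word at a time.
    The same operation both encrypts and decrypts."""
    key = pid ^ otid
    return struct.pack("<12I", *(w ^ key for w in struct.unpack("<12I", data48)))


def checksum(plain48: bytes) -> int:
    """Sum of the 24 little-endian halfwords of the *decrypted* data, mod 2^16."""
    return sum(struct.unpack("<24H", plain48)) & 0xFFFF


def build_box_mon(pid: int, otid: int, species: int, item: int = 0, exp: int = 0) -> bytes:
    """Constructed sample record: only the Growth substructure is populated
    (species, held item, experience); nickname and OT name are left zeroed."""
    # Growth: species, item, exp, PP bonuses, friendship, padding
    growth = struct.pack("<HHIBBH", species, item, exp, 0, 0, 0)
    blocks = {"G": growth, "A": bytes(SUB_SIZE), "E": bytes(SUB_SIZE), "M": bytes(SUB_SIZE)}
    plain = b"".join(blocks[k] for k in substructure_order(pid))
    head = bytearray(DATA_OFF)
    struct.pack_into("<II", head, PID_OFF, pid, otid)
    struct.pack_into("<H", head, CHECKSUM_OFF, checksum(plain))
    return bytes(head) + crypt_data(pid, otid, plain)


def parse_box_mon(raw: bytes) -> dict:
    """Decrypt a record, verify its checksum and return the Growth fields."""
    if len(raw) != BOX_MON_SIZE:
        raise ValueError("expected an 80-byte box Pokémon record")
    pid, otid = struct.unpack_from("<II", raw, PID_OFF)
    stored = struct.unpack_from("<H", raw, CHECKSUM_OFF)[0]
    plain = crypt_data(pid, otid, raw[DATA_OFF:DATA_OFF + 4 * SUB_SIZE])
    order = substructure_order(pid)
    species, item, exp = struct.unpack_from("<HHI", plain, order.index("G") * SUB_SIZE)
    return {"pid": pid, "order": order, "checksum_ok": stored == checksum(plain),
            "species": species, "item": item, "exp": exp}


def to_codebreaker(raw: bytes, base_addr: int) -> list:
    """One CodeBreaker 16-bit write ('8AAAAAAA VVVV') per halfword of the record."""
    lines = []
    for off in range(0, len(raw), 2):
        value = struct.unpack_from("<H", raw, off)[0]
        lines.append(f"8{(base_addr + off) & 0x0FFFFFFF:07X} {value:04X}")
    return lines


if __name__ == "__main__":
    BASE = 0x0202980C  # assumed box 1 slot 1 address; only valid with Anti-DMA active
    mon = build_box_mon(pid=0, otid=0, species=0x288A)  # PID 0 / OTID 0: key is 0
    for line in to_codebreaker(mon, BASE)[:17]:
        print(line)
    print(parse_box_mon(mon))
```

With PID and OTID both zero the data is stored unencrypted and the checksum equals the species word, which is why a species-only record shows the same value at offsets 0x1C and 0x20.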

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-11 12:50:53
Here is a shortened summary of the current progress on Gen 3 ACE.

For that, you need:
- A Pokémon who knows an ACE Glitch Move (a move with an animation pointer that points to PC Pokémon data, and that can be safely used in battle)

- A Bootstrap Pokémon: a Pokémon that has 8 consecutive bytes of data manipulated (made from Horsea with 2 double corruptions, EVs, Pokeblocks, and Glitch Items) in order to store the bootstrap of the code.
The bootstrap tells the game to read the code in thumb (for shorter expressions) and where it must read it.
There would be 2 Bootstrap Pokémon per category : RS / E / FrLg and Jap / Non Jap (One for basic codes that points to PC Items, and one for the usage of overworld scripts that points to the data of another PC Pokémon).

- A "basic" code (write a value at a certain address, copy/paste a value, ...) written with PC Items (identifiers and quantities).
Any Item identifier can be obtained with Double Corruption from Pokémon with a specific Corruption type.
To corrupt the quantity of an Item, a structure of items must be placed in PC.

For Emerald, you use these Items to create a Pokémon with a valid checksum. You use a Glitch Pokémon species name to overwrite the value "Party Slot of the currently fighting Pokémon", then send the Pokémon you created into the battle thanks to that high party slot (1/32 chance). By letting the Pokémon's HP fall from 0x0001 to 0x0000, you change the quantity of a PC Item. You then use an underflow to get 0xFFFF copies.
For FrLg, you use Items to build a structure. Then, you perform Pomeg Glitch and corrupt PC Items quantities. With a 1/32 chance, the PC Item you want will have its quantity duplicated and the already duplicated Items won't be corrupted.
The Item's quantity goes from 0x0001 to 0x4001. You then toss one copy and perform a second Pomeg Glitch to make this go from 0x4000 to 0x0000. By tossing another copy, you get 0xFFFF copies.
For RS, Pomeg Glitch Data Corruption can't be performed. You need to use an ACE to change the quantity of an Item to 0x0000, then make it underflow to 0xFFFF. [Not clearly made yet]

By placing, duplicating and tossing Glitch Items after Glitch Items, a code is built.
This code will be executed with ACE Glitch Move + Bootstrap Pokémon (towards PC Items)

- A code/string of bytes stored in Lv50 and Open Lv Pyramid Bags.
By using a Glitch Pokémon species name at Slateport to empty your 1st party slot, you can perform Pomeg Glitch anywhere from your party.
By going to Safari Zone, you can use Pomeg Glitch to despawn the entrance guard, and exit Safari Zone with Safari Mode.
By walking to Battle Pyramid, you can enter it with Safari Mode.
By using Safari Mode, you can take items from your Bag, and give them to party Pokémon. (Here, you get stuck in a loop and must use Sweet Scent to get out because the game wants to draw the item from Pyramid Bag)
By opening the party and withdrawing these Items, they go into your Pyramid Bag.

The identifiers of Items in Pyramid Bags are all next to each other, so you can write a code/string of bytes without having to manipulate the quantities.
This is a faster way to write a short code (40 bytes max) than with PC Items, but it is not easily modifiable (you would need to wipe all the Items in Lv 50/Open Lv bag and store new ones).

This also provides an auxiliary storage for manipulated bytes (you store them in Pyramid Bags, and execute a code stored in PC Items that uses the data in Pyramid Bags).

- Two Pokémon whose data has been modified to store the code to call the overworld script subroutine.
The first Pokémon would be a double-corrupted Horsea.
The code would be written with Pyramid Bag Items (with an additional Item to change the checksum), and it would be copy/pasted onto the Pokémon's data by using ACE with PC Items.
The longest code we can store this way has a length of 32 bytes, and the shortest functional code (on emulator, console test awaited) we currently have is 32 bytes long. This is because checksum, PPs and Happiness can't be used to store the code (PPs depend on the moves, checksum depends on PPs, and happiness can increase when going to the trade center).

The second Pokémon would be a Seedot.
By modifying its EVs, double-corrupting it, and modifying the EVs of the double-corrupted version, we would store the end of the code (which consists of two addresses that depend on the version RS / E / FrLg and Jap / Non Jap).

Thus, the first Pokémon would be common to all games, whereas the second one would vary like the Bootstrap Pokémon and like the ACE Glitch Move.

- Some in-game traded Pokémon / Smeargles to make a DMA translation check.
With an ACE Glitch Move, a Bootstrap Pokémon, Pokémon storing the call to the overworld script subroutine, and with a code stored in PC Items, this code can only be executed if all the values are at the right addresses.
In E/FrLg, there is a DMA (Dynamic Memory Allocation) that moves the addresses of some blocks of RAM values (Wack0 gave an exhaustive description of the way it does it).
The ACE can only work if the DMA moved the values to the right addresses. (1/32 chance)
Thus, during the battle and before using the ACE Glitch Move, we need to check if the translation of the values caused by the DMA is the one we want or not.
This check is performed by placing certain Pokémon in Box 2 and by performing a Pomeg Glitch. If the DMA translation is the one we want, there will be specific graphical effects when performing Pomeg Glitch Data Corruption. (by checking if the first party slot is highlighted in red or not at every Up push).

Each version (E / FrLg and Jap/non Jap) needs a different DMA translation, and they all have a different DMA translation check.
But it requires a minimal amount of Pokémon and is easy to perform (on the first 13 Up pushes, check the first party slot and compare what you see to what you need to see).


By having the last part of a code (either a "basic" code or overworld scripts) stored in PC Items, we can easily modify them and execute a different code, because all the constant parts are stored in Pokémon data.
This is very useful for overworld scripts because the script part is quite short and easy to store in PC.


With some ACE, we could store an entire code in a part of the RAM that is unaffected by the DMA and that is also kept when saving. (I know that party Pokémon data is unaffected by DMA and saved, but I don't know if there is another area that also satisfies this)
Then, if we could use an ACE to corrupt an element that would trigger an ACE (I don't really know how. The best lead was the script address of NPCs, but it is refreshed when the save file is loaded.), we could be able to perform other ACE without having to do a DMA translation check.
This is quite hypothetical, though.


As for codes, the current list is approximately this : http://pastebin.com/Db8nEkTm
The codes in themselves will be rewritten with the new method to call the overworld script subroutine. (there was also a mistake about DMA translation check on Emer non Jap, so that needs to be fixed too).
Other codes will/could be added, if you have ideas or if you know how to have a working code for a certain task. (for certain actions like teaching any move to a Pokémon, calling a swarm, bringing the Master Blender, changing Trainer name, ... I wasn't able to figure out what script commands would work)
Some new glitched things (Glitch Items in Tm/Hm pouch) or unused scripts/assets could be explored too.

The methods for :
Obtaining a Bootstrap Pokémon : http://pastebin.com/2aEzxFU4
Obtaining any Glitch Item : http://pastebin.com/qQ91bzuM
Setting PC Items in Emerald : http://pastebin.com/Ke3wUsZX
Setting Pyramid Bag Items in Emerald : http://pastebin.com/tQSDqkdU
Setting PC Items in FrLg : http://pastebin.com/yHBhvbLh
DMA translation check : http://pastebin.com/U5ajVMp8

will not notably change (except changes in the EVs/values required at some steps), and the method to create the two Pokémon that store the call to overworld script subroutine will need to be added.

The new short code that calls the overworld script subroutine hasn't been tested in RS yet, so the method for ACE for RS is still quite blurry. Codes will need to be stored on Pokémon in order to change the quantity of PC Items, and in order to call the overworld script subroutine, but we don't know exactly how many Pokémon would be needed for that.


And I think that's it for the current situation. The main current task is about checking if the new codes work as intended on console, until we have ones that work flawlessly.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2016-10-11 13:14:21


Thank you very much Metarkrai! :) I gathered to try the RAW data solution where you make a Codebreaker code for the individual bytes and I converted them for my Xploder SP using a program called CBAcrypt (in which you enter the first line as the game's master code and the codes below it and click Encrypt). The only trouble was that I couldn't get Anti-DMA to work for an Xploder SP (which uses 12 digit codes), although after many soft/hard resets I was able to easily create the 0x288A Pokémon and one of the Caterpie perfect initiators.

I plan on making videos for Pomeg basics including Pokémon creation (re-done using a corruption initiator), item creation, move creation, getting obedient Mew/Deoxys and accessing Birth Island/Faraway Island on a Spanish Emerald cartridge. I'd really like to make these with some annotations (similar to your style) that explains what is going on.

On a slightly unrelated note I noticed that Pal Park didn't label the Caterpie perfect initiator holding a glitch item as invalid. I didn't choose to migrate it, but it makes me wonder whether transferring 0x1C7 (Azure Flute) is in fact possible and if that would work for obtaining Arceus in Diamond/Pearl?


Argh, I didn't know that XPloder SP uses Code Breaker.
Unfortunately, Code Breaker doesn't have a command to temporarily patch the ROM, which is the command used in the Anti-DMA code (the DMA subroutine is shut down with two temporary ROM patches).
The DMA depends on an RNG value (that you can force) and on your ID and SID. Thus, even if you force the RNG value, the resulting DMA translation will depend on your ID and SID, which makes things more annoying.

However, I have a strategy to bypass this: force the RNG value to a certain value and check the DMA translation you obtain.
Then, change the addresses used in every code by using that DMA translation (it tells you how many double-words you need to add to the addresses) (except for addresses that are not affected by DMA).

This way, and with some patience, you can rewrite the code that makes a corruption initiator appear in a PC box and have it work.
Or (if you don't have the in-game traded Horsea anymore), you can use a code to set the flag of the trade to 0 and reobtain this Pokémon.
Then, you can use a code to corrupt the PID of a Horsea clone, as well as a clone to corrupt its TID.
This way, you can easily perform a double corruption on an in-game traded Pokémon to prepare them for a video/tests without having to create the double-corrupted Pokémon or to do the whole double corruption. (You still need to do EV training and change moves though).
Tell me what you currently have, what kind of codes you'd like, and I'll note them for you.

Also, are you forced to encrypt Code Breaker codes with a Master Code? Do they work without it? I only have an Action Replay, so I wondered if unencrypted Code Breaker codes could be used with your cheating tool.


Regarding Pal Park, the item identifiers in Gen 3 and 4 are quite different. Thus, the game manages things with a conversion table.
However, certain Glitch Items are forbidden from import, some are not recognized, and a few of them can be imported (treated as non-glitch items).
I was able to transfer a Glitch Item once, but at the end of the Pal Park show I told the guy to place the held Items in my Bag and saved directly after that. Thus, I couldn't determine the Item that originated from my Glitch Item.

I don't exactly remember the things I tried (if I find my ds lite again, I'll try to set up many Pal Parks), so I don't really know the extent of the possibilities of Glitch Item transfer.
I was also curious about transferring Glitch Items to Colosseum/XD in order to get some Rare Items inherent to these versions (if one of them could be useful in a certain way).

Glitch Moves can all go through Pal Park, but no Glitch Pokémon can (theoretically, based on what I tried).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2016-10-11 14:13:19
Yes, I think on emulators using a Master Code is not required but on my Xploder SP the cheating device won't let you proceed when you try to use a code without a Master Code.

In case this helps, my player ID on cartridge is 36241 but I don't currently know my SID. The Master Code I use is 9266FA6C97BD 905B5ED35F81 B76A68E5FAB1.

It's OK thanks re: making the double corruption easier as I'm willing to go through many attempts until it works. :) I have Dots, Seasor and I'm able to get Pluses the Plusle.

These are the non-encrypted codes I used:

Quick clone Pokémon 0x288A:

8202980C 0000
8202980E 0000
82029810 0000
82029812 0000
82029814 ECA1
82029816 A9A3
82029818 BBA9
8202981A FFFF
8202981C FFFF
8202981E 0202
82029820 DDBD
82029822 D9E0
82029824 B3E3
82029826 00FF
82029828 288A
8202982A 0000
8202982C 288A
8202982E 0000
82029830 0000
82029832 0000
82029834 0000
82029836 0000
82029838 0000
8202983A 0000
8202983C 0000
8202983E 0000
82029840 0000
82029842 0000
82029844 0000
82029846 0000
82029848 0000
8202984A 0000
8202984C 0000
8202984E 0000
82029850 0000
82029852 0000
82029854 0000
82029856 0000
82029858 0000
8202985A 0000


Caterpie PI 1

8202985C 007F
8202985E 4000
82029860 B4CD
82029862 4000
82029864 D3C2
82029866 D3CA
82029868 00FF
8202986A 0000
8202986C 0000
8202986E 0203
82029870 CFC6
82029872 C9BE
82029874 C3D0
82029876 00BD
82029878 E82E
8202987A 0000
8202987C B4CD
8202987E 00B6
82029880 B48B
82029882 0000
82029884 34BD
82029886 BF0F
82029888 B4B2
8202988A 1400
8202988C B4A6
8202988E 0000
82029890 E8B2
82029892 0000
82029894 4AB2
82029896 2185
82029898 A437
8202989A 0852
8202989C B4B2
8202989E 0100
820298A0 B4B8
820298A2 0D00
820298A4 B4B2
820298A6 0505
820298A8 56B7
820298AA 0A1E

Caterpie PI 2

820298AC 007F
820298AE 4000
820298B0 B4CD
820298B2 4000
820298B4 D3C2
820298B6 D3CA
820298B8 00FF
820298BA 0000
820298BC 0000
820298BE 0203
820298C0 CFC6
820298C2 C9BE
820298C4 C3D0
820298C6 08BD
820298C8 C539
820298CA 0000
820298CC B4CD
820298CE 00B6
820298D0 B48B
820298D2 0000
820298D4 34BD
820298D6 BF0F
820298D8 B4B2
820298DA 1400
820298DC B4A6
820298DE 4800
820298E0 E8B2
820298E2 950B
820298E4 4AB2
820298E6 2185
820298E8 A437
820298EA 0852
820298EC B4B2
820298EE 0100
820298F0 B4B8
820298F2 0D00
820298F4 B4B2
820298F6 0505
820298F8 56B7
820298FA 0A1E

SEASOR, 1 HP EV 0 other EVs

820298FC 007F
820298FE 0000
82029900 B4CD
82029902 0000
82029904 BFCD
82029906 CDBB
82029908 CCC9
8202990A 00FF
8202990C 0000
8202990E 0202
82029910 C5CD
82029912 C6D3
82029914 CCBB
82029916 00FF
82029918 2F85
8202991A 0000
8202991C B4CD
8202991E 00B6
82029920 B48B
82029922 0000
82029924 BEBD
82029926 000F
82029928 B4C6
8202992A 0000
8202992C DD55
8202992E 0000
82029930 D9B2
82029932 0000
82029934 4AB2
82029936 219E
82029938 A437
8202993A 0852
8202993C B4B2
8202993E 0000
82029940 B4B3
82029942 0000
82029944 B4B2
82029946 0505
82029948 B1B7
8202994A 0A1E


As encrypted codes, these are:


Quick clone Pokémon 0x288A:

F20AD461 FC48
F40AD463 7C58
7B926065 DC0E
7D926067 5C1E
02B72BD1 9CEB
02B7AAD1 9CE2
0BA72AD5 1DAA
02BD3E98 33E2
0DBDBE9E B3B2
F212C061 5C40
E22302D0 99ED
6DB8770F 369A
64B9B69B A6F7
EB71039C 93A1
1DEE7E47 3D92
9D0E5C67 6C18
14EEFE43 3DD2
940EDC63 6C58
1B966865 CC0E
1D966867 4C1E
1296E861 CC4E
1496E863 4C5E
9B164865 CC08
9D164867 4C18
9216C861 CC48
9416C863 4C58
7B887425 F60F
7D887427 761F
7288F421 F64F
7488F423 765F
FB085425 F609
FD085427 7619
F208D421 F649
F408D423 7659
7B906025 D60F
7D906027 561F
7290E021 D64F
7490E023 565F
FB104025 D609
FD104027 5619

Caterpie PI 1:

0D8F3DFE 6936
F410C023 5658
923F1FD9 B9E8
1D8C7C27 661E
14BEFF4B ACD7
923EDF49 2DC1
64F3A3DA 19F6
9D0C5C27 6619
920CDC21 E649
920D9DB1 6661
14B66B4B 88D3
E228D700 B3C4
12AEFF48 2CCF
ED691796 33B9
64D0E023 4352
9D144827 4619
1BA7ABDD 99AE
EB685604 B281
FD5B95F7 2D30
7DEA7647 7C9E
8B0789F4 9928
FB3B96D5 69A4
8D46C866 1C10
FD7AD647 7C98
8D5EDC67 3810
F46AD643 7CD8
0DCE7C66 3C13
7DF26247 5C9E
048EFC62 AC53
7D9320F7 083E
842F1FD2 78F0
FB68560C F685
845E5C62 3C50
F472C343 5CD8
EB42C064 8D08
1DEEFF47 6C9A
64C26062 0C56
1DEFBED7 68BE
E40301F2 9871
12F6EA40 49C2

Caterpie PI 2:

6DF1239E 53B7
946EDE43 6CD9
924509B9 9369
1DF66A47 4C9F
14C4E92B 8656
9244C929 0740
6489B5BA 3377
9D764A47 4C98
9276CA41 CCC8
92778BD1 4CE0
74CA756B B853
8254C920 8344
72D2E168 1C4F
8D1509B6 033D
0BB5AA94 C7AE
FD685607 7699
7BDBB5FD A92E
8B144824 8201
FD4181B7 0731
7DF06207 569F
8B1D9DB4 B329
FB218295 43A5
8D5CDC26 3611
FD60C207 5699
8D44C827 1211
F470C203 56DC
6DD06026 0612
9B3D9E95 E7A1
6490E022 9652
1D8D3CB7 323F
E4310392 42F1
9B764A4C CC84
E4404022 0651
946CDF03 66D9
EB58D424 A709
1DF4EB07 469B
64D87422 2657
1DF5AA97 42BF
E41915B2 B270
12ECFE00 63C3

SEASOR 1 HP EVs, 0 other EVs:

6DEB37DE 79B6
9474CA03 46D9
F2395699 A3E9
7D8A3567 7C1E
FB39D79D 23AD
82374BD0 8DE5
7BA9F69D B7AA
02F5EA98 83E7
F20A9561 FC48
F20A9561 7C40
F2314399 93E8
7BA9F69C 36A6
842F5ED2 2DF5
8B6D5E9C A3A1
F27343D1 08EC
FD120167 5C18
7BA1E29D 83AF
8B6E1F44 A880
9D3FDED7 3DB0
1D8E3D67 6C1E
EB23C2D4 09AC
9B0F5CF5 E920
943C1F0B 32D1
9D0E1D67 6C18
9B45C9BC C22C
940E9D63 6C58
6DBA3646 3C93
1D962967 4C1E
64EAB742 BCD3
9B6E1E44 B980
E44B54F2 6870
9B0C1D2C E605
E43A1742 2CD0
94168963 4C58
0DA5EA96 16B7
7D883527 761F
04A42B02 16D7
7D89F5B7 723F
8425CB92 12F1
7290A120 5343
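
As an added illustration of what the unencrypted codes above actually do (this is example code written for this archive, not code from the post or from Torchickens): every "8XXXXXXX YYYY" line is a 16-bit write, and each block of 40 writes fills one 80-byte box Pokémon slot starting at the listed address. The Python below reassembles the writes into that slot, decrypts the 48-byte data block with PID ^ OTID, orders the four substructures by PID % 24 and recomputes the checksum. It assumes the standard documented Gen III box Pokémon layout (the post does not describe it) and uses only the digits and A-Z/a-z part of the Gen III character table. The two sample inputs are the "SEASOR" code and the "Quick clone Pokémon 0x288A" code copied from the post; for the clone code the all-zero writes are left out, since unwritten bytes of the image are zero anyway.

```python
"""Decode the unencrypted CodeBreaker 16-bit-write codes above into the
80-byte Gen III box Pokémon they overwrite, and check its checksum.

Assumed layout (documented Gen III format, not stated in the post):
PID(4) OTID(4) nickname(10) language(2) OT name(7) markings(1)
checksum(2) pad(2) data(48); data is XORed with PID ^ OTID in 32-bit
words, its four 12-byte substructures are ordered by PID % 24, and the
checksum is the 16-bit sum of the decrypted data halfwords."""
import struct

# Subset of the Gen III text table: digits, A-Z, a-z, 0xFF terminator.
CHARMAP = {0xA1 + i: chr(ord("0") + i) for i in range(10)}
CHARMAP.update({0xBB + i: chr(ord("A") + i) for i in range(26)})
CHARMAP.update({0xD5 + i: chr(ord("a") + i) for i in range(26)})

# Substructure order by PID % 24 (G=growth, A=attacks, E=EVs, M=misc).
ORDERS = ["GAEM", "GAME", "GEAM", "GEMA", "GMAE", "GMEA",
          "AGEM", "AGME", "AEGM", "AEMG", "AMGE", "AMEG",
          "EGAM", "EGMA", "EAGM", "EAMG", "EMGA", "EMAG",
          "MGAE", "MGEA", "MAGE", "MAEG", "MEGA", "MEAG"]


def decode_text(raw):
    """Decode a fixed-width Gen III string; '?' marks glyphs outside CHARMAP."""
    out = []
    for b in raw:
        if b == 0xFF:
            break
        out.append(CHARMAP.get(b, "?"))
    return "".join(out)


def assemble(code_text):
    """Apply '8AAAAAAA VVVV' halfword writes; return (base address, image)."""
    toks = code_text.split()
    writes = {}
    for addr_tok, val_tok in zip(toks[0::2], toks[1::2]):
        if addr_tok[0] != "8":              # type 8 = 16-bit RAM write
            raise ValueError("only 16-bit write codes are handled")
        writes[int(addr_tok[1:], 16)] = int(val_tok, 16)
    base = min(writes)
    image = bytearray(max(writes) + 2 - base)   # unwritten bytes stay 0
    for addr, val in writes.items():
        struct.pack_into("<H", image, addr - base, val)  # little-endian
    return base, bytes(image)


def decode_box_pokemon(code_text):
    base, img = assemble(code_text)
    if len(img) != 80:
        raise ValueError("expected an 80-byte box Pokémon, got %d" % len(img))
    pid, otid = struct.unpack_from("<II", img, 0)
    key = pid ^ otid                         # 0 when PID and OTID are 0
    dec = bytearray()
    for off in range(32, 80, 4):
        word = struct.unpack_from("<I", img, off)[0] ^ key
        dec += struct.pack("<I", word)
    order = ORDERS[pid % 24]
    sub = {name: bytes(dec[12 * i:12 * i + 12]) for i, name in enumerate(order)}
    species, item, exp = struct.unpack_from("<HHI", sub["G"], 0)
    stored = struct.unpack_from("<H", img, 28)[0]
    calc = sum(struct.unpack("<24H", dec)) & 0xFFFF
    return {
        "base_address": base, "pid": pid, "otid": otid,
        "trainer_id": otid & 0xFFFF, "secret_id": otid >> 16,
        "nickname": decode_text(img[8:18]), "ot_name": decode_text(img[20:27]),
        "language": struct.unpack_from("<H", img, 18)[0],
        "substructure_order": order, "species": species, "held_item": item,
        "experience": exp, "moves": struct.unpack_from("<4H", sub["A"], 0),
        "evs": struct.unpack_from("<6B", sub["E"], 0),
        "stored_checksum": stored, "calc_checksum": calc,
        "checksum_ok": stored == calc,
    }


# Sample 1: the "SEASOR, 1 HP EV 0 other EVs" code, copied from the post.
SEASOR_CODE = """
820298FC 007F 820298FE 0000 82029900 B4CD 82029902 0000 82029904 BFCD
82029906 CDBB 82029908 CCC9 8202990A 00FF 8202990C 0000 8202990E 0202
82029910 C5CD 82029912 C6D3 82029914 CCBB 82029916 00FF 82029918 2F85
8202991A 0000 8202991C B4CD 8202991E 00B6 82029920 B48B 82029922 0000
82029924 BEBD 82029926 000F 82029928 B4C6 8202992A 0000 8202992C DD55
8202992E 0000 82029930 D9B2 82029932 0000 82029934 4AB2 82029936 219E
82029938 A437 8202993A 0852 8202993C B4B2 8202993E 0000 82029940 B4B3
82029942 0000 82029944 B4B2 82029946 0505 82029948 B1B7 8202994A 0A1E
"""

# Sample 2: the "Quick clone Pokémon 0x288A" code; its all-zero writes are
# omitted here (unwritten bytes of the image are zero anyway).
QUICK_CLONE_CODE = """
8202980C 0000 82029814 ECA1 82029816 A9A3 82029818 BBA9 8202981A FFFF
8202981C FFFF 8202981E 0202 82029820 DDBD 82029822 D9E0 82029824 B3E3
82029826 00FF 82029828 288A 8202982C 288A 8202985A 0000
"""

if __name__ == "__main__":
    for code in (SEASOR_CODE, QUICK_CLONE_CODE):
        print(decode_box_pokemon(code))
```

Running it shows why the clone code is so short: with PID and OTID both zero the XOR key is zero, so the species halfword 0x288A is stored in the clear as the first word of the growth substructure and the checksum is simply that same word. The SEASOR code decodes to species 116 with nickname SEASOR, a 1 HP EV and all other EVs zero, and its stored checksum 0x2F85 matches the recomputed one, so the writes really do produce a structure the game accepts as valid. If you retype a code and get "checksum_ok: False", you have a typo in one of the data halfwords (or in the checksum line itself).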

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Charmy
Date: 2016-10-11 14:15:24

On a slightly unrelated note I noticed that Pal Park didn't label the Caterpie perfect initiator holding a glitch item as invalid. I didn't choose to migrate it, but it makes me wonder whether transferring 0x1C7 (Azure Flute) is in fact possible and if that would work for obtaining Arceus in Diamond/Pearl?

This will not work. You need to set the correct flag via ACE in Gen 4 or get it from a PokéMart. Getting just the item will not do anything.