Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

You can join Glitch City Research Institute to ask questions or discuss current developments.

You may also download the archive of this forum in .tar.gz, .sql.gz, or .sqlite.gz formats.

Generation III Glitch Discussion

Gen III: Access Pokémon beyond the sixth slot sub-glitches. - Page 41

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: jfb1337
Date: 2017-04-06 12:53:31
In some instructions for pomeg corruption I see that a specific 4th move is required. What does this 4th move do, and why does it differ between regions?

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2017-04-07 13:50:57

In some instructions for pomeg corruption I see that a specific 4th move is required. What does this 4th move do, and why does it differ between regions?


The Pokémon's IDentifier (PID) is used to determine the order of the Pokémon's substructures (with PID modulo 24)
The Trainer IDentifier (TID) and the PID are used to encrypt the values inside the substructures (encrypted double-word = double-word xor TID xor PID)
There is a checksum over the decrypted values inside the substructures (the game sums all the decrypted words inside the substructures and stores : checksum := sum % 0x10000 in another place inside the Pokémon's data)

When the game checks a PC/Party Pokémon, if the new checksum it calculates is different from the checksum stored in the Pokémon's data, then the Pokémon is turned into a Bad Egg.

The goal of the PC Pokémon Corruption is to corrupt a Pokémon's PID to change the order of the substructures of that Pokémon.

However, corrupting a Pokémon's PID or TID alters the decryption of the values inside the substructures (there are 3*4=12 double-words that are affected), so you need specific PID/TID corruptions in order to preserve the checksum.

The two PID/TID corruptions that can be done with Pomeg Glitch are : a corruption of 0x05000000 (will always change the checksum) and a corruption of 0x40000000 (can preserve the checksum)

To explain why the 0x40000000 corruption can preserve the checksum, you need to see how that corruption affects the decrypted values inside the substructures.
Due to the "decrypted double-word = crypted double-word xor PID xor TID" formula, a TID/PID corruption of 0x40000000 induces a change of 0x40000000 on each of the 12 double-words inside the substructures (either a gain of 0x40000000 or a loss of 0x40000000).

The checksum being the sum of all decrypted words, there are 12 decrypted words that will be different during the checksum calculation (these words either gained 0x4000 or lost 0x4000).
Since "stored checksum = sum of all words % 0x10000", the sum of all words needs to change by a multiple of 0x10000 in order to preserve the checksum.
And, if n is the amount of decrypted words that gain 0x4000 (this means 12-n decrypted words lose 0x4000), the checksum will change by : n * 0x4000 - (12-n) * 0x4000 = (2n-12) * 0x4000 = n * 0x8000 - 0x30000

Thus, a PID/TID corruption of 0x40000000 will preserve the checksum (and will be successful) if and only if n (the amount of decrypted double-words that gain 0x40000000) is even (because 2 * 0x8000 = 0x10000).


Also, when a PID/TID corruption happens, the change in the decrypted double-words that it brings affects the "Egg state" flag, as well as the identifier of its Moves n°2 and n°4.
So if the Pokémon was not inside an Egg before a corruption, it becomes an Egg after it (and vice-versa). And the identifier of its Moves n°2 and n°4 changes.


Thus, if you only want to permute a Pokémon's substructures, you need to corrupt both PID and TID with a 0x40000000 corruption. (Corrupting the PID alone would change the substructures order but turn the Pokémon into an Egg as well as changing a few other values)

And, as said before, you need to be sure that for both corruptions, there will be an even amount of decrypted double-words that will gain 0x40000000.


This gain/loss of 0x40000000 on a decrypted double-word is determined by a certain bit on that decrypted double-word.
So you can list the 12 bits that affect this gain/loss of 0x40000000 and their importance in a Pokémon's data.
You need an even amount of these "important" bits to 1 in order to have a working PID/TID corruption.

One of these bits happens to be a bit determining the current PPs of Move n°4.


And, as when you corrupt the TID of that Pokémon its Move n°4 identifier changes (the TID corruption doesn't permute the substructures, so it preserves the Move n°4 value, aside from the 0x4000 gain/loss), the PPs of the new 4th Move may change the value of the bit determining the 0x40000000 gain/loss, which would give an odd amount of "important" bits at 1. (Since the first corruption was successful, it means that you had an even amount of these "important" bits at 1)
Thus, if the PPs of the new 4th Move are not controlled, the amount of "important" bits can turn odd, which will prevent the success of the second corruption on that Pokémon.

And if you want to perform the fast procedure for the PC Pokémon Corruption, you need to clone the corrupted Pokémon, which means that you have to move it, which means that its PPs are refreshed.

Thus, a specific 4th move is chosen for fast double corruption procedures (especially with in-game traded Pokémon).
And the PPs of the corrupted form of regular moves depend on the version you're on, so each game has different possible 4th Moves that will allow for a fast double-corruption.


If you don't choose a specific 4th move for a fast double-corruption, then you will have to not touch the Egg obtained after the first corruption if you want the second corruption to succeed.


I made a video about this matter, as if you want to corrupt a Pokémon (Smeargles in general), you need to know which bits are these "important" bits and how to check if you have an odd/even amount of them at 1 : https://www.youtube.com/watch?v=65e-SKeE5Ec

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: gold55803
Date: 2017-04-20 11:47:43


Really stupid question, but could someone explain how data substructures work? The guides on bulbapedia make no sense to me… :'(
also, how do you get a bag egg to battle? :???:



Outside of the Pokémon IDentifier (PID), Trainer IDentifier (TID), Pokémon's nickname, and Trainer's name, most of the Pokémon's data is separated into 4 groups called substructures.
Each one of these substructures contains certain parts of the Pokémon's data in a certain order.
They are called : Growth - Attacks - EVs & Contest stats - Miscellaneous

For example, the Attacks substructure contains in that order : Move 1 identifier - Move 2 identifier - Move 3 identifier - Move 4 identifier - Move 1 PPs - Move 2 PPs - Move 3 PPs - Move 4 PPs
Each one of these substructures is 96 bits long (or 12 bytes, or 6 words, or 3 double-words).

But all of this data isn't stored as is, it is crypted when stored into the RAM and decrypted when the game wants to use it to check/use some values (like calculating a Pokémon's stats).

In Gen 3, the encryption is made of two mechanics :
- The order of the 4 substructures is given by the PID modulo 24 (there are 24 ways to sort 4 different elements)
- The game takes all the hexadecimal words that make the substructures and computes their sum.
The first 4 hexadecimal characters of this sum (called checksum) is stored on another part of the Pokémon's data.
Then, the game goes through every hexadecimal double-word that is contained in the substructures and modifies them with the formula : encrypted double-word = word xor TID xor PID (XOR being a logical operation)

Thus, if you corrupt the data in the substructures directly, the checksum will be invalid and the corruption will fail (the Pokémon will turn into a Bad Egg as soon as the game computes the checksum again and finds the difference with the stored checksum).

However, if you corrupt the Pokémon's PID, you will change the order of the substructures.
So when the game looks at the Pokémon's data after the corruption, it will incorrectly read the substructures and this is where we can get very cool stuff.
(example : the Growth substructure being read over the Attacks substructure, so the species of the corrupted Pokémon is read over the identifier of the first move the Pokémon had before its corruption)
Since the PID is also used in the encryption of the substructure data, that PID corruption needs to meet certain criteria in order to not affect that encryption.
But thankfully, one of the two possible ways to corrupt data with Pomeg Glitch meets this criteria.


Getting a Bad Egg (or an Egg/empty slot) to the battle is the matter of forcing the game to send a Pokémon from a certain party slot to the battle, even though that Pokémon is not supposed to be sent to the battle.
To do that, we exploit an oversight in the code that doesn't refresh the value "Party slot of the currently fighting Pokémon" from one battle to another if the party is fully KO.

Thus, the procedure looks like this :
- Make a wild battle and send a valid Pokémon to the fight (let's say from the 3rd party slot)
- Perform Pomeg Glitch to have a fully KO party
- Place a Bad Egg/Egg to the 3rd party slot (or leave it empty by depositing a Pokémon to the PC before killing the whole party)
- Make another battle (since the party is fully KO, the Pokémon in the 3rd party slot will be forced to the fight)


Alright, Thanks!
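As an added example (not code from the thread, and not the games' code), here is a small Python model of the mechanism Metarkrai describes in the reply of 2017-04-07 and in the reply above: the substructure order from PID % 24, the XOR of every double-word with PID ^ TID, the 16-bit-word checksum that turns a mismatch into a Bad Egg, and the parity rule for the 0x40000000 corruption (the checksum survives only when an even number of decrypted double-words gain 0x40000000). It assumes the corruption flips bit 30 of the PID or TID (the post only states the net gain/loss of 0x40000000 on each decrypted double-word), that itertools.permutations("GAEM") lists the 24 orders in the game's index order, and the PID, TID, sample data and the "PP refresh" mutation used to show a failing second corruption are all constructed.

```python
# Model of Gen III substructure storage and the 0x40000000 corruption parity
# rule from the thread. Constructed example, not game code.
import itertools
import struct

# The 24 substructure orders indexed by PID % 24 (G=Growth, A=Attacks,
# E=EVs & Contest, M=Misc). Assumption: itertools.permutations("GAEM")
# yields them in the game's index order.
SUBSTRUCTURE_ORDERS = ["".join(p) for p in itertools.permutations("GAEM")]
CORRUPTION = 0x40000000  # the checksum-preserving corruption from the thread


def substructure_order(pid):
    return SUBSTRUCTURE_ORDERS[pid % 24]


def checksum(decrypted):
    """Sum of the 24 decrypted 16-bit words, keeping the low 16 bits."""
    return sum(struct.unpack("<24H", decrypted)) & 0xFFFF


def crypt(data, pid, tid):
    """XOR each of the 12 double-words with (PID ^ TID); self-inverse.
    tid is the full 32-bit trainer field (TID in the low half, SID high)."""
    key = pid ^ tid
    return struct.pack("<12I", *(d ^ key for d in struct.unpack("<12I", data)))


def is_bad_egg(encrypted, stored_checksum, pid, tid):
    """The game's check: recomputed checksum != stored checksum -> Bad Egg."""
    return checksum(crypt(encrypted, pid, tid)) != stored_checksum


def gaining_dwords(decrypted):
    """Decrypted double-words with bit 30 clear gain 0x40000000 when bit 30
    of the key flips; the others lose it. The checksum survives iff even."""
    return sum(1 for d in struct.unpack("<12I", decrypted) if not d & CORRUPTION)


def corrupt(encrypted, stored_checksum, pid, tid, *, flip_pid, flip_tid):
    """Apply the corruption (modelled as flipping bit 30) to PID and/or TID
    and report what the game would see afterwards."""
    new_pid = pid ^ CORRUPTION if flip_pid else pid
    new_tid = tid ^ CORRUPTION if flip_tid else tid
    return {
        "pid": new_pid,
        "tid": new_tid,
        "old_order": substructure_order(pid),
        "new_order": substructure_order(new_pid),
        "gaining": gaining_dwords(crypt(encrypted, pid, tid)),
        "bad_egg": is_bad_egg(encrypted, stored_checksum, new_pid, new_tid),
    }


def double_corruption(encrypted, stored_checksum, pid, tid, between=None):
    """PID corruption followed by TID corruption. With both bits flipped the
    key PID ^ TID is back to its original value, so only the order changed;
    but anything the game legitimately rewrites in between (PPs refreshed
    when the Pokémon is moved) can change the parity the second step needs."""
    first = corrupt(encrypted, stored_checksum, pid, tid, flip_pid=True, flip_tid=False)
    if first["bad_egg"]:
        return {"first_bad_egg": True, "second_bad_egg": None, "final_order": None}
    pid1, tid1 = first["pid"], first["tid"]
    if between is not None:
        decrypted = between(crypt(encrypted, pid1, tid1))
        encrypted, stored_checksum = crypt(decrypted, pid1, tid1), checksum(decrypted)
    second = corrupt(encrypted, stored_checksum, pid1, tid1, flip_pid=False, flip_tid=True)
    return {"first_bad_egg": False, "second_bad_egg": second["bad_egg"],
            "final_order": second["new_order"]}


def make_sample(bit30_flags, pid, tid):
    """Constructed Pokémon: 12 decrypted double-words whose bit 30 follows
    bit30_flags, stored encrypted with its checksum as the game would."""
    dwords = [0x10000 * (i + 1) | (CORRUPTION if f else 0) for i, f in enumerate(bit30_flags)]
    decrypted = struct.pack("<12I", *dwords)
    return crypt(decrypted, pid, tid), checksum(decrypted)


def simulate_pp_refresh(decrypted):
    """Constructed stand-in for the PP refresh: flips bit 30 of one word."""
    dwords = list(struct.unpack("<12I", decrypted))
    dwords[0] ^= CORRUPTION
    return struct.pack("<12I", *dwords)


def demo(pid=0x1A2B3C4D, tid=0x0005F4E1):
    """Bit 30 set in 4 double-words (8 gain, even) versus 5 (7 gain, odd)."""
    even = make_sample([1] * 4 + [0] * 8, pid, tid)
    odd = make_sample([1] * 5 + [0] * 7, pid, tid)
    return {
        "even": corrupt(*even, pid, tid, flip_pid=True, flip_tid=False),
        "odd": corrupt(*odd, pid, tid, flip_pid=True, flip_tid=False),
        "double": double_corruption(*even, pid, tid),
        "double_pp_refresh": double_corruption(*even, pid, tid, between=simulate_pp_refresh),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the "even" sample surviving the PID corruption with a new substructure order while the "odd" sample becomes a Bad Egg, and the double corruption succeeding unless something rewrote the data between the two steps, which is the reason the thread insists on a controlled 4th move.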

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Misdreavus
Date: 2018-01-27 12:39:26
I'm looking to use ACE to change my SID.  Does anyone know how I might be able to do this?

I found the following information in one of TheZZAZZGlitch's videos:

Bootstrap (animation script):
Item $D103 x3860
Item $FF0E x2048


Set any memory address to anything:
Item $[byte to write]20 x18689
Item $7008 x48624
Item $[address, 3rd byte][address, 4th byte]  x$[address, 1st byte][address, 2nd byte]


Still, I'm not sure how to get started.

For example, I have a TID of 47425 and need an SID of 18480 to make my desired PID shiny.  That SID in hex is 4830.  So, would I essentially be running the code twice, once writing 48 (in line 1 of the second quotation), and again writing 30?

Also, forgive my lack of knowledge of hexadecimal, but there's one other thing that I'm confused about.  I see on Bulbapedia that Trainer ID data is stored at offset 0x000A (size = 4), where the lower 16 bits represent the TID and the upper 16 bits represent the SID, but when viewing my save file in a hex editor, I found them at a different offset (0x00006000) as such:

TID upper byte: column 0B
TID lower byte: column 0A
SID upper byte: column 0D
SID lower byte: column 0C

Any help is greatly appreciated.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tabbender
Date: 2018-02-23 05:50:34
Hey, I think I just discovered a glitch move that might be interesting

I was trying to get TheZZAZZGlitch's arbitrary code execution move (0x27A2) but it gave me this move instead. Idk if I failed the EVs or if the move's id is different on French versions…

So (at least on French versions) the move is called random garbage like " N. .h Wé" (I'm on a real GBA so I can't take screenshots) and its name is long as f**k, like most glitch moves. Its type is "chaleur", which is French for heat.

The move seems to have an "anti-priority" effect, as even much weaker enemies are able to strike first. The interesting part is that out of 2 of my Pokemon that have it, the move has two different effects.
On the latter, using the move will flood the flavor text with its awfully long name. From there, either it fails or it succeeds. If it succeeds, the game freezes. If it fails, the turn ends, and then the game freezes on the menu (I first had to hit "Fight" in order for it to freeze, but it now freezes as soon as the 4 options appear).
On the former, using the move floods the flavor text in the same way, but the text becomes way slower. Also pressing "B" will instantly end the fight. I of course tried with the other one, I didn't get this effect. It apparently works on trainer fights, and I was even able to take it to the Battle Frontier; however, using this counts as a loss there.

What I don't understand is that both of my Pokemon are pretty much clones of each other. Both are female Dragonairs, both have the same nature, and I did change their level and EVs, it didn't alter the effect of the move. None of them hold an item either. The only difference is that one was hatched while the other was directly obtained by corrupting the egg (and ended up being Lv 0).

Since I was trying to obtain the 0x27A2 move, I used the in-game obtained Plusle with 39 ATK EV and 162 PV EV (unless I failed). I taught it Flash as its first move in order to have a Dragonair (that part did work).
On my first try I filled my box 2 with clones of this Plusle, then when I got eggs, I couldn't get a second corruption, so I decided to dispose of them like one would dispose of Seedots, with clones of an EV-less iteration of the Plusle, knowing only Growl. I managed to have a Lv 0 Dragonair, but it didn't know the move I wanted (and had the move I described above as its first move), so I retried.
The second time I disposed of them with EV-less, Growl-only Plusles for the first corruption, which worked pretty fast. Then I tried again for the second corruption, however I simply couldn't get it to work even after hours of trying, so I decided to simply hatch one of the eggs. So I obtained a Lv 5 Dragonair with a moveset similar to that of the first one.

So basically the one I obtained by double corruption allows me to instantly end any battle by using this move and pressing B, while the other's move doesn't have the same effect, even though it's the very same move. I buffed my Lv 0 Dragonair all the way to Lv 50 and gave it EVs in speed and sp atk, the move still has this effect. Could it be a matter of them having different IVs or something? And could it potentially allow arbitrary code execution? Idk, I honestly don't know anything about ARM, I don't even know how to convert from hex to ARMv4, so… yeah. Also, it's kind of annoying to be unable to get TheZZAZZGlitch's move. I don't know if I did anything wrong with EVs or if it's just a localization problem…

EDIT: So, I did more tests today.

Going to my Dragonair's move summary freezes the game, however by putting it on slot 1 and going to the Move Deleter I was able to get its stats. It has 4 power and 80% accuracy. It has no description. Something I forgot to mention earlier is that it has 3 PP, but ending the fight with B doesn't cost a PP (because you technically end the fight before the move is actually used).

I also tried to do a 2v2 fight (I re-challenged Tate & Liza) with my Dragonair and a Ditto, with the Ditto transforming into Dragonair. I did, and I was able to use the move with Ditto. When the move hit, the game freezes as usual, however when it misses, it doesn't, but it heavily corrupts the fight in multiple ways. Pokemon and attack sprites are corrupted, enemy Pokemon are considered wild, and the game seems to think I'm fighting in the Battle Arena. I can't use the bag, and there's a referee KOing Pokemon after 3 turns and announcing matchups, albeit as you might guess, he's glitched. Trying to run will also work, but I never managed to get away safely. It basically skipped one of my 2 in-battle Pokemon's turn, and I was even able to try to get away twice in the same turn.
The way KO Pokemon were handled was glitched as well. When a Pokemon was KO'd, the game asked me whether or not I wanted to send another one (but selecting "No" would result in a failed run attempt), I didn't get to choose the next one, and the one sent could in some cases be already KO (in which case another was sent afterwards, which had the effect of "superimposing" their sprites), or even be already in battle as my second Pokemon, basically allowing me to have the same Pokemon out twice at once. Which also glitched up the HP bar since both of them were individually taking damage, but all damage was dealt to the same Pokemon. However, one using PP didn't affect the other's PP for some reason. And my opponent seemed to have these effects as well, as they often sent out the same Pokemon twice. By the way, my opponent got corrupted to "YOUNGSTER UGO" (Ugo might be his French name) once and "YOUNGSTER [blank space]" then. I didn't get EXP in this fight, and got no money at the end, in fact, there wasn't even a dialogue, when I won the fight just stopped and I was back to the overworld as if nothing ever happened.

I also tried to have a wild Ditto transform into my Dragonair and then use the move. Hitting with it freezes the game as usual, but when it missed, the fight got corrupted to a trainer fight, with again the bag being unusable and the sprites being corrupted. When I attacked the game told me my "enemy Ditto" was KO, but the fight continued, and I had to KO 3 - 4 Dittos in order for it to end. Again, I gained no EXP, and the fight ended without a dialogue or anything like that.

My guess is that the move's name is so long it corrupts the fight data when used, similar to how some glitch Pokemon can corrupt data if their species name is displayed.

EDIT 2: I tried again and was very careful with EVs, got the same move. So their IDs are definitely different in the French localization.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2018-03-03 09:09:50

Hey, I think I just discovered a glitch move that might be interesting

I was trying to get TheZZAZZGlitch's arbitrary code execution move (0x27A2) but it gave me this move instead. Idk if I failed the EVs or if the move's id is different on French versions…


From the information you gave, you obtained Glitch Move 0x27A2.
Its characteristics on a French Emerald are :
N° 27A2 / Length 110 / Effect 198 / Pow 4 / Type 217 / Acc 80 / PPs 3 / Acc2 204 / Flag 60 / Prio 195 / Animation : 0x0E0F14C0
On a US Emerald, these characteristics are :
N° 27A2 / Length 70 / Effect 0 / Pow 102 / Type 87 / Acc 117 / PPs 86 / Acc2 70 / Flag 84 / Prio 100 / Animation : 0x0E0F14C0

The animation pointer address is the same, but the move's effect is different (from No effect on US to Double-Edge's effect), as well as the priority (a priority over 128 is a negative priority).

Even though the move's name is short, the name the game uses when the move is used in battle is longer (I don't really know where it pulls the other name from), and the latter overwrites the battle type, which causes a lot of mess in the battle.
Thankfully the "flee by hitting B" mode is set, so you can always flee by hitting B.
(This "flee" also explains why you can't abuse this effect in Battle Frontier, except for the trainers in Battle Pyramid.)

For the difference in effects between your two Dragonairs, I think that this may come from the fact that your first Dragonair was obtained with a single corruption and thus has different moves in Move slots n°2 and n°4 than your double-corrupted Dragonair, these moves being glitch moves.
Considering the EVs you gave to your Plusle, you should have :
Single-Corrupted Dragonair : Move 0x27A2 / Move 0x4000 / Move 0x0000 / Move 0x4505.
Double-Corrupted Dragonair : Move 0x27A2 / Move 0x0000 / Move 0x0000 / Move 0x0505.
Even though moves 0x4000,0x0505,0x4505 have short names in Emerald FR, they may cause a change in behaviour during all the mess that happens when the game tries to call the move's animation.

As you tried to use the Glitch Move with battle animations ON, you got various effects when the move hit (mostly freezes, but sometimes something else) due to the fact that the ROM address pointed to by the move's animation doesn't always store the same values (the save is segmented in 15 sections whose order changes every time you save the game and maybe when you load it), and due to the fact that the commands executed by the console when reading the move's animation code may rely on other values that can easily change.
Else, when the move missed, the battle animation script wasn't called, and you can continue the battle (although the written name overwrote a lot of values managing the battle, making it a huge mess, so that continuation may be limited to a turn or even a single A press).

While Glitch Move 0x27A2 can produce Arbitrary Code Execution with PC Items, it relies on the saved data, whose location can't be easily predicted from what I know. (and the patterns of the 15 saved data segments can vary from one save file to another too)
Thus, future Arbitrary Code Execution on console will rely on Animation Pointer addresses that point to RAM data (echo RAM data of PC Pokémon), where the value at such a RAM address can be predicted by a DMA pattern check.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tabbender
Date: 2018-03-03 15:16:14
Thanks for the info! So it was the same move after all.

Weird, because I did try to save twice often, and to move PC items around, I always got the same result, which was a freeze. Well actually once I got the music to slow down, so maybe it's due to that? Not sure if I can properly exploit it though.

Also for my 2 Dragonairs, I did change the moves of the 2nd by using the Day Care, and the effect of its attack didn't change. I also now have a Charizard with the same glitch move, it has the same effect as my 1st Dragonair (text displaying at normal speed instead of slower when the move is used + impossible to end the fight with B).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2018-03-08 13:07:40
This took way longer than intended (along with a few pauses), but here is my first version of console-doable Arbitrary Code Execution on Emerald, Fire Red and Leaf Green with the use of Pomeg Glitch (and variants).

Other posts about ACE should come next as I have two "easy" procedures to execute ACE, and one "general" way.
This post will only cover the "easy" ACE procedure that allows you to execute many useful codes in Emerald.
A large part of the procedure is common between all methods, but the way to store code differs.

I also don't have many codes prepared yet, as I needed to recompute many things due to changes in the procedures.
As of now, the only codes you can concretely execute are for non-Jpn Emerald versions, as well as some codes for FrLg non-Jpn.
I will rewrite and fatten up the list of ACE codes in the coming days (for Jpn Emerald and FrLg).

EDIT : Some issue on Emerald Jpn showed up, so I'm back at work for this case (for Pyramid Bag Items Code Execution).
But the Emerald non-Jpn ACE works like a charm, aside from some unwanted PC Pokémon corruptions that are on the verge of being figured out.


========================

How to perform ACE in E/Fr/Lg, super short summary :

0) Start everything on Emerald.
1) Obtain a Glitch Move with an Animation Pointer that points towards PC Pokémon Data.
2) Manipulate the data of a PC Pokémon to make the bootstrap of the code. (Bootstrap Pokémon)
This Bootstrap Pokémon will either redirect the code to PC Items, Pyramid Bag Items (Emerald only), or PC Pokémon Data (RS mainly).
Pomeg Glitch is used to manipulate the data of the Pokémon.
3) Generate many Glitch Items with Pomeg Glitch.
4) Use a sub-glitch to deposit these Glitch Items in Pyramid Bag in order to write the rest of the code in Pyramid Bag Items. (Pyramid Bag Items)
or
4) Deposit these Glitch Items in the PC and use a sub-glitch to make their quantities overflow and manipulate them in order to write the rest of the code in PC Items. (PC Items)
or
4) Train/Glitch a Pokémon to store the rest of the code in PC Pokémon Data. (PC Pokémon Data).
5) Train and clone some Pokémon.
Transfer everything you need on the version you want (FrLg or another Emerald).
Turn the Animations On.
6) Use a method that allows you to check if the current DMA pattern is the required one for the ACE you want.
7) Use the ACE Glitch Move.
8) Profit.


===========================

How to perform ACE in Emerald, Pyramid Bag Items / PC Items Code Execution, more detailed version :
0)
Obtain :
- You can see this paste to have a list of all the required stuff that appears during all the procedure : https://pastebin.com/0NMAtJ9j (Preparing Gen III games for ACE)
It is a bit outdated and I haven't corrected it, but it contains everything you will need for the current procedure with more details and more explanations than this post gives.
- The in-game traded Horsea, Seedot, Plusle, Skitty, all with 0 EVs. (use EV-reducing Berries for that)
- EV-reducing Berries
- Some cash
- Balls
- A party to perform Pomeg Glitch.
- A Cloning Glitch Pokémon, and how to use it : https://www.youtube.com/watch?v=I8Mio5cA9fs
- A Pokémon for Instant Pomeg Glitch
- Corruption Initiators : https://www.youtube.com/watch?v=hBWkshUJv_8
- See how to perform a General double corruption : https://www.youtube.com/watch?v=PIAzyNTGibw
- Smeargles with Corruption Types of 7 and 4 : https://www.youtube.com/watch?v=-LgQJEHBHdA
- Know your TID Corruption : https://www.youtube.com/watch?v=9zNhX8tAQZg
- Know how to perform Decaswitch : https://www.youtube.com/watch?v=QB67-pKKY3Q
To setup Pomeg Glitches faster.
- Know how to perform Instant Pomeg Glitch : https://www.youtube.com/watch?v=PwYP6D1iTio
To setup Pomeg Glitch even faster. (can't be used for every corruption, but I always indicate it)
- Turn off the battle animations.
- Pen and paper to note what you did (glitch moves/glitch items obtained)
- Don't forget to nickname your clones of Smeargle and mark them during EV-training in order to never confuse two of them.
- Boxes 1 and 2 empty, as well as 2-3 other boxes.

1)
EV-train a Smeargle with a Corruption Type of 4, nickname it "ACE Move", and double-corrupt it to obtain a Pokémon with an ACE Glitch Move.
EVs required : Emer (non Jpn) : 0x1608 (22 Atk, 08 HP) | Emer Jpn : 0x3110 (49 Atk, 16 HP)  | FrLg (non Jpn) : 0x0713 (07 Atk, 19 HP) | FrLg Jpn : 0x0713 (07 Atk, 19 HP).

Deposit the Pokémon with the ACE Glitch Move in safety in PC (in a box different than Boxes 1 and 2)

2)
Obtain a Bootstrap Pokémon : https://pastebin.com/2aEzxFU4 (Obtain a Bootstrap Pokémon for ACE)
Here, the Bootstrap Pokémon for Pyramid Bag Code Execution on Emerald is required.
You can also make a Bootstrap Pokémon for PC Items Code Execution on Emerald/FrLg if you are interested into other codes.

3)
Choose codes that you want to execute from this list : https://pastebin.com/42RPYDQA (List of ACE codes to execute)
Pick them from 1.1) PC Items Code Execution and 1.2) Pyramid Bag Code Execution. (for now)
Note the identifiant of the Glitch Items that you will need to have in order to execute each code.

The most useful Code Executions are designed to require as few Items as possible, so you shouldn't need that many Glitch Items even if you want to execute 4-5 different codes.
Many codes also require the exact same items in the Lv 50 Pyramid Bag, so if you execute these codes back to back, the Items placed in the Lv 50 Pyramid Bag will directly be ready.

Obtain these Glitch Items with this procedure : https://pastebin.com/qQ91bzuM (Obtain Glitch Items)
If you need Item 0xFFFF, see : https://www.youtube.com/watch?v=XZFF7-VZmy8 (Obtain Item 0xFFFF)

4)
Follow this procedure to store Items in Pyramid Bags : https://pastebin.com/tQSDqkdU (Setting Pyramid Bag Items in Emerald)

or
4)
Follow this procedure to store and duplicate PC Items in Emerald : https://pastebin.com/Ke3wUsZX (Setting PC Items in Emerald)
Procedure to set up PC Items in FrLg : https://pastebin.com/yHBhvbLh (Setting PC Items in FrLg)

5)
If you're doing things on FrLg, transfer the Bootstrap Pokémon and the Pokémon with the ACE Glitch Move to your version with : https://pastebin.com/237FpUTf. (Transfer Glitch Pokémon/Moves to RSEFrLg).

6) and 7)
See this paste : https://pastebin.com/U5ajVMp8 (Trigger ACE in Emerald/FrLg)
in order to know the Pokémon you will need to perform a DMA Translation Check
Edit : New method for Emerald Non Jpn : https://forums.glitchcity.info/index.php?topic=6868.msg209366#msg209366

8) Profit.


===================

–Grouped list of pastebin/videos :
-Techniques :
Perform Pomeg Glitch : https://www.youtube.com/watch?v=ZTNJQPVOKdU
Perform Pomeg Glitch Data Corruption/Glitzer Popping : https://www.youtube.com/watch?v=uGMmIPtzd14
Obtain any Pokémon/Item/Move : https://pastebin.com/2kJpBQCr
Perform Decaswitch : https://www.youtube.com/watch?v=QB67-pKKY3Q
Clone with a Cloning Glitch Pokémon : https://www.youtube.com/watch?v=I8Mio5cA9fs
Perform Reverse Cloning : https://www.youtube.com/watch?v=GDSJY0ScjzU
Obtaining Corruption Initiators on Emerald : https://www.youtube.com/watch?v=hBWkshUJv_8
Corruption Types, How to obtain them : https://www.youtube.com/watch?v=-LgQJEHBHdA
Testing TID Corruption : https://www.youtube.com/watch?v=9zNhX8tAQZg
Specific Criteria for Double Corruption : https://www.youtube.com/watch?v=65e-SKeE5Ec
General Procedure for Double Corruption : https://www.youtube.com/watch?v=PIAzyNTGibw
Perform Instant Pomeg Glitch : https://www.youtube.com/watch?v=PwYP6D1iTio | https://pastebin.com/wsYtbzpG
Transfer Pomeg Glitch to FrLg : https://pastebin.com/UUXRJ1bA
Trade Glitch Pokémon/Glitch Moves to RSEFrLg : https://pastebin.com/237FpUTf
Make a Pokéblock with 8 Beauty only : https://www.youtube.com/watch?v=20wL2X4ixZ0
Why Pokéballs are important : https://www.youtube.com/watch?v=LskqsVgIr4g


-ACE :
Explanative summary of Gen III ACE : https://pastebin.com/B3siVSU4 (incomplete)
Various technical information for ACE : https://pastebin.com/0pU2SUXG
Preparing your games for ACE : https://pastebin.com/0NMAtJ9j
Obtain a Bootstrap Pokémon : https://pastebin.com/2aEzxFU4
Obtain a Pokémon storing a "copy-paste and overwrite" Code : – (not done yet)
List of Codes to execute : https://pastebin.com/42RPYDQA (incomplete)
Obtain Glitch Items : https://pastebin.com/qQ91bzuM
Setting Pyramid Bag Items in Emerald : https://pastebin.com/tQSDqkdU
Setting PC Items in Emerald : https://pastebin.com/Ke3wUsZX
Setting PC Items in FrLg : https://pastebin.com/yHBhvbLh
Trigger ACE : https://pastebin.com/U5ajVMp8
Trigger ACE in Emerald Non Jpn : https://forums.glitchcity.info/index.php?topic=6868.msg209366#msg209366

Pyramid Bag Items Code Execution on Emerald : – (not done yet)
PC Items Code Execution on Emerald/FrLg : – (not done yet)
PC Pokémon Code Execution on Emerald/FrLg : – (not done yet)



Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Torchickens
Date: 2018-03-08 14:00:15
Awesome job, Metarkrai!

Would personally love to see a code to activate the sound test (if you ever get it to work on Ruby/Sapphire or Japanese Emerald where the sound test wasn't removed in English versions according to Pokémon Emerald's page on TCRF).

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Stackout
Date: 2018-03-19 14:35:27

Even though the move's name is short, the name the game uses when the move is used in battle is longer (I don't really know where he pulls the other name off)


I've mentioned this in the past. This comes from some code that substitutes a placeholder name for when the move is used in battle, which is used if the move index is above the last valid move (0x162).

The code is basically something like this:
[tt]
if ( *ptrSelectedMoveIndex <= 0x162 )
  strcpy(UsedMoveName, &MoveNames[13 * *ptrSelectedMoveIndex]);
else
  strcpy(UsedMoveName, ptrGenericTypeMoveStrings[SelectedMoveType]);
[/tt]

...you should easily be able to see how, if the move type is invalid, a pointer from past the end of the array of pointers is used and strcpy()'d over, a classic buffer overflow.
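As an added example (not the game's code and not Stackout's), here is a constructed C model of that lookup with the two checks the sketch above lacks: the type index is range-checked before it selects a pointer from the table, and the copy into the used-name buffer is bounded by the destination size instead of trusting the source string's length. The table sizes, the names, the "???" fallback and the function name are assumptions; the real name table ends at index 0x162 and the real buffer size is not on the page.

```c
/* Constructed model of the in-battle move-name lookup with bounds checks.
 * Not game code: tables, sizes and fallback string are assumptions. */
#include <stdio.h>
#include <string.h>

#define MOVE_NAME_LEN 13     /* 13-byte name slots, as in the snippet above */
#define LAST_VALID_MOVE 3    /* stands in for 0x162 in the real table */
#define NUM_TYPES 3          /* stands in for the real number of types */
#define USED_NAME_LEN 20     /* assumed size of the used-move-name buffer */

/* Fixed-width name table, indexed like &MoveNames[13 * index]. */
static const char move_names[LAST_VALID_MOVE + 1][MOVE_NAME_LEN] = {
    "-", "POUND", "KARATE CHOP", "DOUBLE SLAP",
};

/* Placeholder names used for out-of-range move indices, indexed by type. */
static const char *const generic_type_move_strings[NUM_TYPES] = {
    "a NORMAL move", "a FIRE move", "a WATER move",
};

static char used_move_name[USED_NAME_LEN];

/* The vulnerable shape from the post, kept as a comment only (running it
 * with an invalid type reads past the pointer table and is undefined):
 *   if (index <= LAST_VALID_MOVE) strcpy(used_move_name, move_names[index]);
 *   else strcpy(used_move_name, generic_type_move_strings[type]);
 */

/* Hardened lookup: both indices are range-checked before they select a
 * string, and the copy is bounded by the destination size. Returns the
 * destination buffer so the caller can inspect it. */
const char *lookup_used_move_name(unsigned index, unsigned type)
{
    const char *src;
    if (index <= LAST_VALID_MOVE)
        src = move_names[index];
    else if (type < NUM_TYPES)
        src = generic_type_move_strings[type];
    else
        src = "???";  /* invalid type: never index past the pointer table */
    snprintf(used_move_name, sizeof used_move_name, "%s", src);
    return used_move_name;
}

int main(void)
{
    printf("%s\n", lookup_used_move_name(1, 0));        /* POUND */
    printf("%s\n", lookup_used_move_name(0x27A2, 1));   /* a FIRE move */
    printf("%s\n", lookup_used_move_name(0x27A2, 217)); /* ??? */
    return 0;
}
```

The third call uses the type value 217 that Metarkrai lists for the French Emerald move, which is exactly the kind of index the original code would have used to read a pointer from beyond the end of the table.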

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tabbender
Date: 2018-04-06 13:10:49
I'm currently trying to learn glitch moves 0xFFFF and 0x3FFF to a Smeargle so that I can corrupt them into a full 31 set of IVs

But for some reason 0xFFFF, despite being a normal, damage-dealing move, is impossible to Sketch. Sketch will simply fail if you try to use it to get this move. As for 0x3FFF, the game softlocks as soon as the enemy Ditto tries to use it, for some reason. It doesn't freeze, as I'm still able to reset, but it softlocks.

Does anyone know a way around either of these issues? With a lucky RNG and Type 8 corruption (the best one if used well imo) I'm able to obtain basically any pokemon with any moveset, and shiny to top it off. I really wish I could corrupt the IVs as well.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Metarkrai
Date: 2018-04-06 13:35:57

I'm currently trying to learn glitch moves 0xFFFF and 0x3FFF to a Smeargle so that I can corrupt them into a full 31 set of IVs

But for some reason 0xFFFF, despite being a normal, damage-dealing move, is impossible to Sketch. Sketch will simply fail if you try to use it to get this move. As for 0x3FFF, the game softlocks as soon as the enemy Ditto tries to use it, for some reason. It doesn't freeze, as I'm still able to reset, but it softlocks.

Does anyone know a way around either of these issues? With a lucky RNG and Type 8 corruption (the best one if used well imo) I'm able to obtain basically any pokemon with any moveset, and shiny to top it off. I really wish I could corrupt the IVs as well.



There are several reasons that can prevent a glitch move from being Sketched:
- The move's name used in battle softlocks the game (see Wack0's post for what I mean)
- The move's name used in battle overwrites battle data, which freezes/crashes the game after a few text screens/after 1 turn/when trying to flee, or forces Smeargle to miss its Sketch.
- The move's effect prevents it from being Sketched.
- Some pointer used during the sketching subroutine gets a value that makes the game crash (the graphics shift and then the game crashes, usually).
- The move's name that is read once again when the move is Sketched messes up the battle and makes it impossible to end/crashes the game.
- Something (for some glitch moves) makes the game crash if the sketcher's nickname has a certain amount of letters. (This is a bit odd and I don't know what causes it)(In general, using a shorter nickname does the trick).
- The other glitch moves that your Pokémon knows mess up the battle or freeze the game and make your Smeargle unable to use Sketch. (This can technically be circumvented by using a glitch move that turns the battle into a Battle Palace fight, in order to prevent Smeargle's moves from being displayed, but that makes things a bit more tedious)


On a French Emerald, the best Glitch moves I could get for a "Misc read on Attacks" were 0x3FBF and 0xFEFF.
0x3FBF had to be Sketched first as 0xFEFF interferes too much with the fight.
Luckily, both of these moves have a glitch type that allows them to be seen and swapped on the contest stats summary.


Making a Pokémon learn any move could be doable with ACE by calling the function that makes a Pokémon at a set party slot learn a chosen move.
Else, you would need to know your Pokémon's checksum and overwrite a part of its data with an ACE in order to manually change its moves.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tabbender
Date: 2018-04-06 15:01:12
Would putting the wild Ditto to sleep do the trick? I know that in gen 4 a sleeping pokemon trying to use a move will make it its last move used, but I'm not sure if it was already the case in gen 3.

Also I don't know anything about ASM so I really don't know which ACE code you would need to use in order to get this result.

EDIT: Just tried the sleep thing, somehow Sketch still fails for 0xFFFF and trying to use it on 0x3FFF is apparently enough to softlock the game.

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Misdreavus
Date: 2018-04-19 19:12:35
Props to Metarkrai for his work on ACE!  I'm definitely going to try this since I lost my enhanced trainer card when performing Glitzer Popping to unlock Faraway Island and Birth Island.

I noticed that he says the list of codes to execute is incomplete.  Is it likely that in the near future we'll have codes to:

*make Mewtwo respawn in FR/LG
*make a Pokémon shiny
*change a Pokémon's IVs
*change your ID/SID
*aid in the otherwise extremely difficult FR/LG RNG manipulation

Re: Gen III: Access Pokémon beyond the sixth slot sub-glitches.

Posted by: Tabbender
Date: 2018-04-20 15:51:57
By the way, anyone got a RAM map for Emerald? Kind of like this one

Also a GBA opcode table like this

I took interest in gen 1 ACE recently and I'm trying to "migrate" to Emerald, but it doesn't seem to be documented as much as ACE on Red and Blue is.