Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Generation III Glitch Discussion

It would be interesting if...

Posted by: Torchickens
Date: 2016-09-30 16:07:35
You used a ROM-patching code (which GBA cheating devices support) to disable part of the code that renders a Pokémon as a Bad Egg, and then used the access beyond slot six corruption glitch to corrupt Pokémon to see what you would get without any of them turning into Bad Eggs. I wonder what it would be like; you may get a glitch Pokémon for ones which had their personality value touched, perhaps.

Re: It would be interesting if...

Posted by: Charmy
Date: 2016-09-30 17:29:23
So, basically, we need to disable all anti-cheats and anti-DMA. Right?

Re: It would be interesting if...

Posted by: TheZZAZZGlitch
Date: 2016-09-30 17:39:08
Not exactly, since the anti-cheat mechanism is what allows the box corruption in the first place.
The only method to do this would be to disable all egg checks entirely. Patching the following memory addresses to the following values should do it (although I don't know how to convert this into a list of codes for any GBA cheating device):

806AAC2 -> 00
806AAC3 -> 20
806AA26 -> 00
806AA27 -> 20
806A960 -> 00
806A961 -> 21
806AACA -> 00
806AACB -> 21
806A866 -> 00
806A867 -> 21
806A920 -> 00
806A921 -> 21


Note: Only tested on Emerald US. This also disables normal eggs from working.
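
Added example, not part of the original post: it pairs the listed byte patches into little-endian 16-bit values and decodes them on the assumption that the patched locations hold Thumb instructions (the post only lists bytes). The function names are made up for this illustration.

```python
# Byte patches exactly as listed in the post (ROM address -> new byte).
PATCHES = {
    0x806AAC2: 0x00, 0x806AAC3: 0x20,
    0x806AA26: 0x00, 0x806AA27: 0x20,
    0x806A960: 0x00, 0x806A961: 0x21,
    0x806AACA: 0x00, 0x806AACB: 0x21,
    0x806A866: 0x00, 0x806A867: 0x21,
    0x806A920: 0x00, 0x806A921: 0x21,
}

def halfwords(patches):
    """Pair each even address with its odd neighbour (little-endian)."""
    out = {}
    for addr in sorted(patches):
        if addr % 2 == 0:
            if addr + 1 not in patches:
                raise ValueError(f"no high byte for {addr:#x}")
            out[addr] = patches[addr] | (patches[addr + 1] << 8)
    return out

def decode_thumb_imm(hw):
    """Decode the Thumb move/compare/add/subtract-immediate format.

    Layout: 001 | op (2 bits) | Rd (3 bits) | imm8.
    Returns None for any other instruction format.
    """
    if hw >> 13 != 0b001:
        return None
    op = ("mov", "cmp", "add", "sub")[(hw >> 11) & 0b11]
    rd = (hw >> 8) & 0b111
    return f"{op} r{rd}, #{hw & 0xFF}"

def describe(patches):
    """Map each patched halfword address to its decoded instruction."""
    return {a: decode_thumb_imm(hw) for a, hw in halfwords(patches).items()}

if __name__ == "__main__":
    for addr, text in describe(PATCHES).items():
        print(f"{addr:08X}: {text}")
```

Under that assumption, every patched halfword is a load of the constant 0 into r0 or r1.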

Re: It would be interesting if...

Posted by: Torchickens
Date: 2016-09-30 18:03:34
That works! Thanks TheZZAZZGlitch. Some of the Pokémon appeared as Horsea, while others interestingly appeared as the glitch Pokémon "-" (hex:019C).

For unencrypted GameShark Advance/Action Replay codes you can use the Code Converter/generator on Gamehacking.org.

Apparently ROM patches for GameShark Advance/Action Replay do not change much for the code (unless you want to encrypt the code), however I tried the codes below (both with endianness for the last two bytes swapped or the codes left how they were) and it didn't work, hmm.

6806AAC2 20000020
6806AA26 20000020
6806A960 20000021
6806AACA 20000021
6806A866 20000021
6806A920 20000021

Re: It would be interesting if...

Posted by: Charmy
Date: 2016-10-01 02:52:16
@TheZZAZZGlitch
At least I have partially guessed! Right? Right?
@Torchickens
If you get a code that works, please give it to us. Shame that the first group didn't work.

Re: It would be interesting if...

Posted by: ISSOtm
Date: 2016-10-01 06:27:12

> Not exactly, since the anti-cheat mechanism is what allows the box corruption in the first place.
> The only method to do this would be to disable all egg checks entirely. Patching the following memory addresses to the following values should do it (although I don't know how to convert this into a list of codes for any GBA cheating device):
>
> 806AAC2 -> 00
> 806AAC3 -> 20
> 806AA26 -> 00
> 806AA27 -> 20
> 806A960 -> 00
> 806A961 -> 21
> 806AACA -> 00
> 806AACB -> 21
> 806A866 -> 00
> 806A867 -> 21
> 806A920 -> 00
> 806A921 -> 21
>
> Note: Only tested on Emerald US. This also disables normal eggs from working.

If I'm correct, corruption happens when the game attempts to turn a "Pokémon" located after the sixth slot into a Bad Egg, right?
Because when the cursor is moved, the game attempts to calculate its checksum and turn it into a Bad Egg if it doesn't match with the Mon's sum. Am I right?

Re: It would be interesting if...

Posted by: Metarkrai
Date: 2016-11-07 06:29:43


> > Not exactly, since the anti-cheat mechanism is what allows the box corruption in the first place.
> > The only method to do this would be to disable all egg checks entirely. Patching the following memory addresses to the following values should do it (although I don't know how to convert this into a list of codes for any GBA cheating device):
> >
> > 806AAC2 -> 00
> > 806AAC3 -> 20
> > 806AA26 -> 00
> > 806AA27 -> 20
> > 806A960 -> 00
> > 806A961 -> 21
> > 806AACA -> 00
> > 806AACB -> 21
> > 806A866 -> 00
> > 806A867 -> 21
> > 806A920 -> 00
> > 806A921 -> 21
> >
> > Note: Only tested on Emerald US. This also disables normal eggs from working.
>
> If I'm correct, corruption happens when the game attempts to turn a "Pokémon" located after the sixth slot into a Bad Egg, right?
> Because when the cursor is moved, the game attempts to calculate its checksum and turn it into a Bad Egg if it doesn't match with the Mon's sum. Am I right?


Yeah, the data corruption consists only of the changes that the game makes to turn the "Pokémon" in a certain party slot into a Bad Egg.
What TheZZAZZGlitch brought is a code that shuts down the script that checks whether a Pokémon is an Egg/Bad Egg to make them appear as such.

This way, you would still have the data corruption caused by invalid checksum.

However, this is not doable on real hardware because the only code format that handles ROM patches is ARv3, and Action Replays can only handle up to 4 ROM patch commands (and there are more than 4 bytes to patch here).
Also, this wouldn't be very interesting because you would just have a "corrupted" version of the normal double-corruption result.

Well, to be clearer, the data in a Pokémon's substructures is encrypted with a XOR function (encrypted double-word = double-word xor PID xor TID).
So if you only corrupt the PID or TID of a PC Pokémon with Pomeg Glitch Data Corruption, the encryption key will change (new encryption key = old encryption key xor 0x40000000, to be accurate).
Thus, every decrypted (with the new encryption key) double-word of the Pokémon's substructures will be slightly different (bit 6 of the leftmost byte of the double-word is flipped).


The goal in Pokémon Corruption is to obtain some values in certain substructures by writing them in another substructure, and then permuting the substructures.
That change of encryption key from a single corruption only alters the initial data, which will not help you.

Ex: Your Seedot has 0x12 Speed EVs, 0x34 Def EVs, 0x00 Atk EVs, 0x01 HP EVs. You corrupt its PID and use TheZZAZZ's code to not see the Egg form of the corrupted Seedot.
Due to the change in encryption key caused by the single corruption, you will see a Bulbasaur (0x0001) holding Item 0x5234, and not Item 0x1234.
So if you wanted to obtain Item 0x1234 with a single corruption, you would have needed 0x52 Speed, 0x34 Def EVs beforehand.

Whereas if you perform a double corruption, corrupting both PID and TID preserves "PID xor TID", so the decrypted data of the double-corrupted Pokémon is exactly the same as the uncorrupted Pokémon's (except that the substructure order is different).
Thus, if you want Item 0x1234, you need 0x12 Speed EVs and 0x34 Def EVs on your Seedot, which makes things easier to understand for people, and also easier in terms of execution.


In fact, this "PID xor TID" (encryption key) change is the reason why a Pokémon that suffers a single corruption turns into an Egg: the Egg State flag is one of the bits that gets flipped when "PID xor TID" changes in a Pokémon corruption (when PID or TID gets corrupted).
Since performing a double corruption restores "PID xor TID" to its initial value, the Egg State flag is also restored to its initial value, so the Egg you had after the first corruption magically turns into a Pokémon.

It is possible to not turn a Pokémon into an Egg in a single corruption, but it isn't interesting.
Ex: Take a Smeargle whose corruption type verifies (Miscellaneous read on EVs). Give it a 4th Move with 64 PP (a move with 40 PP + 3 PP Ups). Give it 7 Carbos to have 70 Speed EVs (between 64-127 or 192-255) (to verify the specific criteria and get a valid checksum once the PID is corrupted).
Corrupt its PID. Smeargle's Miscellaneous substructure is read on its EVs substructure. Due to the Speed EVs being 70 = 0x46, the new value of the Egg State Flag (in the Miscellaneous substructure) should be 1.
But because PID was the only value corrupted, "PID xor TID" has changed, so the Egg State Flag value is flipped. Thus, it becomes 0.
Thus, you go from a Smeargle (not in an Egg) to another Pokémon (not in an Egg) in a single corruption.

However, as I said before, since "PID xor TID" is slightly different, the decrypted data has a slight noise caused by it, so even if you obtained a Pokémon (and not an Egg) in a single corruption, you will not have an exact correspondence between the decrypted data of the corrupted Pokémon and the uncorrupted Smeargle.
If this Smeargle had "Growth read on Attacks" as well as "Miscellaneous read on EVs", and if Smeargle's 2nd Move was 0x0001, 3rd Move was 0x0010, 4th Move was 0x0002, then the corrupted Pokémon would have an Exp of 0x400200010 and it would hold Item 0x4001 instead of having an Exp of 0x00020010 and holding Item 0x0001.
Thus, you would have needed other Moves to "fight" against the little data change caused by the "PID xor TID" change. And this would also have complicated the corruption because the Specific Criteria is also based on the bits that you are looking at.


tl;dr: Making a single corruption changes the value of "PID xor TID". "PID xor TID" is used to encrypt the data in a Pokémon's substructures. This change causes "noise" in the decrypted data. (This noise is also the reason why a corrupted Pokémon turns into an Egg; the Egg State flag is corrupted.)
If you really wanted to make single corruptions, you would need to fight against this noise, which would be tedious and which would bring the same (or fewer) results as a double corruption (and double corruption is easier to do).
That's why double corruptions are the way to go, and single corruption is only here for Pokédex entries or for having an Egg form (to trade a Glitch Pokémon/Move to another version safely).
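
Added example, not part of the original post: the Seedot case above worked through in Python, comparing a single corruption (PID only) with a double corruption (PID and TID). The PID/TID sample values are constructed, the function names are made up for this illustration, and the byte layout (HP, Atk, Def, Speed EVs as the first four bytes of the EVs word; species in the low and item in the high 16 bits of the Growth word) is an assumption inferred from the post's numbers.

```python
import struct

# Key change the post gives for one corruption: key ^= 0x40000000.
CORRUPTION_MASK = 0x40000000

def crypt_word(word, pid, tid):
    """XOR a 32-bit substructure word with the key (PID xor TID).
    The same operation encrypts and decrypts."""
    return word ^ pid ^ tid

def ev_word(hp, atk, defense, speed):
    """First word of the EVs substructure (assumed byte order)."""
    return struct.unpack("<I", bytes([hp, atk, defense, speed]))[0]

def read_as_growth(word):
    """Interpret a word as Growth data: (species, held item)."""
    return word & 0xFFFF, word >> 16

def corrupt_and_read(evs, pid, tid, corrupt_pid, corrupt_tid):
    """Encrypt the EV word with the original key, apply the corruption
    to PID and/or TID, then decrypt and read the word as Growth data."""
    stored = crypt_word(ev_word(*evs), pid, tid)
    if corrupt_pid:
        pid ^= CORRUPTION_MASK
    if corrupt_tid:
        tid ^= CORRUPTION_MASK
    return read_as_growth(crypt_word(stored, pid, tid))

# Constructed sample identifiers; any values give the same result.
PID, TID = 0x1A2B3C4D, 0x0BADF00D
SEEDOT = (0x01, 0x00, 0x34, 0x12)      # HP, Atk, Def, Speed EVs

def fmt(pair):
    return "species 0x%04X, item 0x%04X" % pair

if __name__ == "__main__":
    print("single:", fmt(corrupt_and_read(SEEDOT, PID, TID, True, False)))
    print("double:", fmt(corrupt_and_read(SEEDOT, PID, TID, True, True)))
```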