Glitzer Popping: Difference between revisions

From Bulbapedia, the community-driven Pokémon encyclopedia.


==Cause==
Using the Pomeg glitch in a certain way, it is possible to force the game to send an empty slot into battle (it appears as Pokémon n°0 with completely blank data, and is also called Decamark). If the party is opened after that, this empty slot (which is the currently fighting Pokémon) is ordered first in the party.
- Since that Decamark has completely blank stats, opening its moves, trying to flee without a Fluffy Tail, or spending a turn without reviving a team member will make the player black out. Viewing its summary can also freeze the game.
By opening and closing a Pokémon summary, the party Pokémon counter is refreshed, and counts 0 Pokémon (it counts Pokémon from the first party slot until it finds an empty slot).
This makes the Party Pokémon Selection pointer underflow, allowing it to select 256 party slots instead of 1-6. Going over the "Quit" button directly teleports the pointer to the 256th party slot.
Pressing or holding Up after that makes the Party Pokémon Selection pointer scroll through the party slots, from the 256th to the 1st one. This makes it select blocks of RAM data and treat them as party Pokémon data (100 bytes each).
- The 256th party slot ends up over PC Pokémon data (around Box 2 Slot 24 for Emerald and Box 3 Slot 1 for Fire Red/Leaf Green), and scrolling up will go over Day Care data, Contest data, map data (NPCs with their location and script address), flag data (story, trainers, events, etc.), Bag, PC Items, Battle Frontier data and Trainer data (name, ID, SID, etc.), in that order, along with many other small things.
Each time the Party Pokémon Selection pointer selects a new party slot, an anti-cheating function is applied to the selected "Pokémon". If the checksum of the "Pokémon" is invalid, it is changed into a Bad Egg. This change is made by setting the Egg Status flag of the Pokémon to 1, and by setting two other bits to 1 in order to turn that Egg into a "Bad" Egg.
- As the blocks of data considered as Party Pokémon aren't Party Pokémon to begin with, the checksum of a selected "Pokémon" will nearly always be invalid if it isn't empty.
The Egg Status flag can be at 4 different locations in a Pokémon's data: it belongs to one of the 4 substructures of the Pokémon, and these substructures are ordered depending on the Pokémon's PID (PID modulo 24). Since these substructures are also encrypted with the Pokémon's PID and TID, setting the Egg Status flag to 1 can result in either a bit set to 1 or a bit set to 0 (depending on TID xor PID). However, the two "Bad" Egg bits are at a fixed location and will always be set to 1 if the Pokémon's checksum is invalid.
These bit changes are what corrupt RAM data, which can induce many good things. As this corruption only changes up to 3 bits in a block of 100 bytes, only a tiny portion of RAM data is corrupted in the process. Since one of these bits isn't at a set location and can be changed to either 1 or 0, the addresses and nature of the corruption aren't fixed either.
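As an added illustration (not from the original article or the game's code), this Python model applies the check described above to a 100-byte block and reports which bits it flips. The field offsets, the flag-byte bit positions, the substructure order table and the halfword-sum checksum are assumptions taken from the commonly documented Generation III data layout; the function names are hypothetical.

```python
import struct

# Assumed layout (commonly documented Gen III structure, not stated on this page):
# 0x00 PID, 0x04 TID (u32 each), 0x13 flag byte, 0x1C checksum (u16),
# 0x20..0x4F four 12-byte substructures XOR-encrypted with PID ^ TID.
ORDERS = ("GAEM GAME GEAM GEMA GMAE GMEA AGEM AGME AEGM AEMG AMGE AMEG "
          "EGAM EGMA EAGM EAMG EMGA EMAG MGAE MGEA MAGE MAEG MEGA MEAG").split()
FLAGS_OFF, SUM_OFF, DATA_OFF = 0x13, 0x1C, 0x20
BAD_EGG_BITS = 0b101   # the two fixed-position bits in the flag byte (assumed)
EGG_FLAG = 1 << 30     # Egg Status flag in the second dword of substructure "M"

def crypt(block, key):
    """XOR the twelve data dwords with the key (same operation both ways)."""
    words = struct.unpack_from("<12I", block, DATA_OFF)
    struct.pack_into("<12I", block, DATA_OFF, *(w ^ key for w in words))

def checksum(block):
    """16-bit sum of the 24 data halfwords; call on decrypted data."""
    return sum(struct.unpack_from("<24H", block, DATA_OFF)) & 0xFFFF

def validate_slot(block):
    """Run the check on a 100-byte block in place; return flipped (byte, bit) pairs."""
    before = bytes(block)
    pid, tid = struct.unpack_from("<II", block, 0)
    stored, = struct.unpack_from("<H", block, SUM_OFF)
    crypt(block, pid ^ tid)                      # decrypt
    if checksum(block) != stored:
        block[FLAGS_OFF] |= BAD_EGG_BITS         # fixed location, always set to 1
        off = DATA_OFF + 12 * ORDERS[pid % 24].index("M") + 4
        word, = struct.unpack_from("<I", block, off)
        struct.pack_into("<I", block, off, word | EGG_FLAG)
    crypt(block, pid ^ tid)                      # re-encrypt: raw bit = 1 ^ key bit 30
    return [(i, b) for i in range(len(block)) for b in range(8)
            if (before[i] ^ block[i]) >> b & 1]

def demo():
    # Constructed sample: 100 arbitrary non-Pokémon bytes standing in for RAM.
    ram = bytearray((i * 37 + 11) & 0xFF for i in range(100))
    return validate_slot(ram), validate_slot(bytearray(100))
```

In the constructed sample, bit 30 of PID xor TID is 1, so the "set" Egg Status flag lands in raw memory as a 0; the all-zero block passes the check and is left untouched.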
Another element of randomness is added by the DMA. The DMA is a cheat-prevention script that moves the RAM addresses of a good amount of data every time the player enters a battle, enters a door, opens the Bag, etc. The DMA changes the RAM addresses of values by translating them by several double-words. A value affected by DMA can take 32 different addresses, each separated by a double-word (4 bytes).
Party Pokémon aren't affected by DMA, which means that the address of every party slot is constant. However, the data read on party slots beyond Slot 6 is affected by DMA. Since Party Pokémon data is 25 double-words long, and since the DMA translation is at most 32 double-words long, every double-word on a party slot beyond Slot 6 can end up at an address where one of the bit corruptions can occur (corruption caused by the invalid checksum of the "Pokémon" in that party slot).
- However, as both RAM values and the addresses where corruption occurs can move, interference can easily occur between the two, which can sometimes prevent a given double-word from suffering the Egg Flag corruption (e.g. the Ever Grande Fly location can't always be corrupted because of that).
Using different strategies, it is possible to manipulate the corruption of some values and ensure that no other value in an area near them has been corrupted, allowing for somewhat pinpointed corruption.
With this glitch, PC Pokémon PID and TID can be corrupted while leaving the rest of the Pokémon's data untouched.
As PID and TID encrypt the 4 substructures of a Pokémon, corrupting them will heavily change the Pokémon's checksum. The corruption of the two "Bad" Egg bits won't preserve the checksum, making it unusable for Pokémon corruption, but the Egg State Flag corruption can easily preserve the checksum.
- The Egg State Flag corruption changes the checksum by a multiple of 0x4000. As a Pokémon's checksum is coded on a word, if that multiple is even, the checksum won't be changed. Only a few things can make that multiple odd, and they can be easily prevented.
{{Incomplete|section|needs=dump info from TASvideos Pokemon Emerald submission}}

