A TAS of Pokemon Emerald using Arbitrary Code Execution (ACE) to take the game where it's never gone before, faster than ever before!

Encoding

I'm working on the encoding movie, it should be linked in here soon!
Suggested screenshot(s): https://imgur.com/a/Dv5pu3M

Description

Emulator used: BizHawk 2.4 (mGBA core)
I started on 2.3.2, but it should sync on both that version and 2.4.
You'll need to set Skip BIOS to False and the RTC initial time to 1/1/2010.

Objectives

  • Starts from scratch; no save data
  • Completes the game as fast as possible
  • Heavy RNG Manipulation
  • Corrupts RAM
  • Abuses glitches
  • Executes arbitrary code

Introduction

Pokémon Emerald is the final game in the 3rd generation of Pokémon, developed by GameFreak and released in 2005 as the sequel to Ruby & Sapphire. The game features a new story where you capture and fight with Pokémon against not one but two villainous teams. It also has a few new glitches not present in the games before it.
When I started working with the Pokémon Emerald decompilation project [dead link removed], I learned about many of these glitches, including arbitrary code execution using glitch moves via the Pomeg glitch. I found out that Pomeg berries were available several minutes before the published TAS and RTA runs picked them up, and wondered why this was the case. Previous runs beat Emerald by acquiring a pokémon with a glitch Instant Victory Move, which let them win any battle, but they still had to beat the 6th gym and the Elite Four to finish the game.
ACE setups for Emerald had been researched by Metarkai and others and were known to be possible. There are a few Youtube videos around describing how to perform them, but none of the setups were fast enough to be useful for a TAS—they either require many unlikely corruptions to set up, write code via glitch items that take time to acquire, or need in-game trade pokémon that are too far out of the way to get.
If a better, more consistent ACE could be found, the game could be beaten with only 5 badges and in much less time. I became convinced that this had to be possible. But in order to find out, I had to do my own research.
I started to look for a better way, and gave it up after a few weeks out of frustration. I had been testing on the English version of Emerald, using nicknames to write code, but because of the limited character set it was painful and impractical. Eventually I tried again and found that on the Japanese version of Emerald, things were better and ACE could be a viable strategy in a TAS, and possibly even RTA. The beta version of this TAS using move ACE can be found here.
Soon afterwards, I was linked to a video of a Japanese runner performing an as-yet unknown ACE method. I reverse-engineered and improved on that method, and after several speedrunners found success with it, I decided that using it would be faster.
This TAS is the result of that research, and, I think, demonstrates a significant technical improvement, beating the game with only 5 badges using a custom payload written in Japanese PC Boxes.
The result is a 20 minute improvement over the published TAS.

Terminology

There are a few terms I'll use that are important to distinguish:
Frame
Exactly 280,896 cpu cycles or 4389/262144 of a second. Emerald runs at approximately 59.73 FPS.
Cycle
1 advancement of the RNG state.
Cycles are not in sync with frames because many things advance the RNG state:
  • In the overworld, the RNG advances once per frame
  • Each time an NPC/trainer turns or walks on their own, the RNG advances
  • In battle, the RNG advances twice per frame
  • AI/Accuracy/critical/damage calculation advances the RNG
  • Crossing encounter tiles (grass) advances the RNG 1-2 times during the encounter check
  • Running near NPC trainers (spinners) advances the RNG around twice per frame
It's important to count both cycles and frames, because some events in the game are cycle-locked but not frame-locked, meaning that they occur on a certain cycle but that cycle may possibly be reached at an earlier frame. There are many cases where frames can be saved by advancing the RNG faster than it otherwise would, such as in battles or near spinners.

RNG Manipulation

Emerald's RNG is a 32 bit LCG that uses the formula next = (current * 0x41c64e6d + 0x6073) mod 2^32. The full 32-bit state is not exposed when the RNG is used—only the high 16 bits are shifted right and returned. Throughout, rng refers only to the high 16 bits of the full 32-bit state.
Because of a programming oversight, the RNG is not seeded on soft reset, meaning that the initial seed is always zero. The only time the RNG is seeded is when starting a new game, immediately after the player confirms their name. This process is quite precise: when the naming screen is entered, the game starts one of the GBA's fast timers, which runs at a multiple of the CPU clock (much faster than the framerate). Confirming the name stops this timer and seeds the RNG with its value.

Trainer ID/Secret ID Manipulation

The visible trainer ID is set when the name is confirmed; this is also the value used to seed the RNG. The hidden, secret ID is set just before your sprite disappears after Birch's speech, using the RNG state at that time. In-game, these values are combined internally into a single 32 bit value, with the TID and SID as the low and high 16 bits respectively. Although the timer for the TID is very fast, it can be manipulated in a limited way by waiting/pressing more or fewer buttons in the naming screen, because pressing a button takes slightly more cycles. The SID can be manipulated simply by waiting for the correct cycle.

Method 1 (Mudkip) manipulation

Smogon has a good article on this. When you pick a starter, the RNG is advanced 4 times.
  • The first and second values become the low & high 16 bits of the PID, respectively.
  • The third and fourth values become the starter's IVs.

Battle AI/Quick Claw manipulation

Each turn in battle, just before the game displays the FIGHT option, the opponent's AI runs, advancing the RNG a number of times (this is highly variable, and dependent on what your pokémon is, their moves, etc). A value known as the randomTurnNumber is also chosen from the RNG. This is used only for Quick Claw—if it is less than 0x3333, Quick Claw allows the holder to go first.
By timing when turns start the AI's decisions can be manipulated to choose certain moves, or allow Quick Claw to activate.

Accuracy/Critical/Damage Manipulation

Whether a move will hit is determined just before the attack string is printed. The formula is: if (rng mod 100) < move_accuracy * stages then HIT, where stages is a scaling float that is normally 1, and goes up & down with accuracy and evasion stages.
Critical and damage calculation are done just after the attack string is printed. Damage calculation happens 6 cycles after critical calculation.
The critical formula is: if (rng mod crit_mod) == 0 then CRIT; in this run crit_mod is always 16. Damage is calculated as a scaling value, from 85-100%, inclusive: scale = 100 - (rng mod 16).
Critical hits always deal double damage, and ignore any of the target's stat boosts.

Wild Pokémon/Encounter manipulation

There's an important overworld value called the tileTransitionState. This value is normally 1 while moving, 0 when standing still, and briefly 2 when the player passes over the center of a tile.
Encounters occur 1 frame/2 cycles after the frame just before this value becomes 2. If stepping between similar tiles (i.e grass into grass), the formula is: if (rng mod 2880) < rate * 16 then ENCOUNTER, where rate is the encounter rate of the area.
If an encounter occurs, the RNG is advanced several times:
  1. slot = rng mod 100. Each land area has 12 slots; the slot value determines which pokémon appears. The twelve slots together cover the entire 0-99 range.
  2. The RNG is used to calculate the encounter level.
  3. nature = rng mod 25. The RNG is rolled to pick an initial nature. Afterwards, the RNG is advanced twice at a time, forming a PID, until PID mod 25 == nature
Encounters can be manipulated by timing the cycle on which the tile transition occurs. When on the bike, the encounter rate is reduced by 20% (the rate is calculated as rate * 16 * 80 / 100). There are also fewer slots when surfing, and some other minor details that aren't too important.

Game version

Although text does move slightly faster on the Japanese version of Emerald, this is not why I chose it. Rather, the advantage of JP Emerald lies in its character set. The Japanese character set gives access to many more bytes than the English set. Because arbitrary code execution targets PC box names, having more characters available makes the assembly payload shorter and easier to write. In speedruns of English Emerald, 8 box names of code are required to beat the game. In contrast this TAS requires only 5.
Learning that JP had this property and disassembling the Japanese ROM is what inspired me to make this TAS in the first place.

Pomeg Glitch

The Pomeg glitch has been known since around 2006-2007, but it took years for its full potential to be realized. The name comes from the use of Pomeg berries. Using a Pomeg Berry on a pokémon which gained HP through EVS will decrease its HP. If the pokemon loses its last HP due to this, it will be knocked out, even if it is the last conscious pokémon. This will not force the player to white out and the totally KO-ed party allows you to battle with Eggs and perform Glitzer Popping, among other things.

Glitzer Popping

Named by Werster, this glitch works by accessing "pokémon" beyond the sixth slot of the party and modifying memory.
Bulbapedia has an article on this glitch.
The procedure in this run works as follows:
  1. In order, create a team of: 1 "sacrifice" pokémon (Poochyena), 1 pokémon at 1 HP for the Pomeg glitch (Abra), and a third pokémon you want to corrupt (Marshtomp).
  2. Enter a battle, knock out the sacrifice pokemon, and set the last used party slot to 3 (by switching in Marshtomp).
  3. Deposit the third pokémon. Now slot 3 is empty, but the player still has the conscious Pomeg pokémon.
  4. Use the Pomeg berry on the Pomeg pokémon. Now the player has no conscious pokémon but does not white out.
  5. Enter a wild battle. The game scans the player party for a conscious pokémon to send out. Since it sees none, it does not update the index, and sends out the now-empty slot 3, a ?? or "Decamark".
  6. Enter the party menu, view the summary of the sacrifice pokémon, and exit it. This refreshes the party count to zero.
  7. The party selection pointer underflows, allowing pokémon above slot 1 to be selected by repeatedly pressing Up.
  8. The selection pointer is warped into non-party memory, starting at Box 2 Slot 24 of the PC, and ascending 100 bytes with each up press.
As the pointer ascends, it treats 100-byte blocks of memory as party pokémon, and runs an anti-cheat function on them. If the checksum of this "pokémon" is invalid, which is likely, a few bits will be set or flipped corresponding to the isEgg and badEgg bits.. This minor bit-flipping allows for precise corruption of RAM.

RAM Corruption

When the pointer selects an invalid block, two types of corruption can occur:
  • Type 1 corruptions are fixed, 20 bytes after the pointer, and set bits 0 and 2 to 1.
  • Type 2 corruptions vary depending on the PID of the block and can set bit 6 to 1 or 0 depending on "pokémon" data.
Corrupting a pokémon's PID can swap the order of its data structures, for instances, swapping EVs and moves, or (in this run) EVs and species number. If done carefully, this corruption keep the checksum legal and gives access to "glitch" moves or pokémon outside the normal move/species lists.
Another anti-cheat feature works in our favor here: PC and Item data's memory locations are randomly shifted by an offset whenever the player opens the party menu, enters a battle, etc. Since the memory location of a pokémon targeted for corruption can be manipulated, but the corruption locations are fixed, certain kinds of corruptions are always possible, you just need to roll the right memory layout.
In this run, corruption type 2 is used to set bit 6 of Marshtomp's PID, causing its EV data to turn into its growth data. This turns it into an Egg of a glitch species (0x615), which lets us trigger ACE by viewing its sprite.

Sprite ACE

In Emerald, every Pokemon has a small animation that plays when it is viewed. The pokemon species specifies the callback function that should be called. Glitch pokemon, whose species number is higher than the total number of actual pokemon, read the pointer for this callback from out-of-bounds data. By figuring out the formula for what determines the callback address, I found that there are several glitch pokemon [dead link removed] whose callback functions are in RAM, specifically in PC data which we can manipulate. In this run, we acquire glitch pokemon 0x0615 and hatch it, running code in PC Box names.

Routing

The early game is similar to previous Emerald TASes. The main differences pre-Pomeg are:
  • Marshtomp KOs a Solrock in Meteor Falls to gain 6 Attack EVs.
  • Fly is not needed and so there is no need to catch a Tailow.
  • Fewer items are used, and they are purchased at Fallarbor's Mart earlier.
  • Strength is not acquired or used; we instead backtrack through Route 113.
  • We fight different trainers in the Petalburg Gym, because of the required EVs on Marshtomp.
  • A "sacrifice" pokémon (Poochyena) is caught.
  • We buy two HP Ups from the Slateport market.
  • Pomeg berries are acquired earlier from the Berry Master, along with a Kelpsy Berry.
After getting the Pomeg berry, the route diverges significantly. Everything from the Weather Institute onwards is skipped by warping to the end of the game.

Start

The first thing to do is to disable animations to save time throughout the run, and pick a nice-looking border. I chose the kana for 'U' as my trainer name because it was short and represents 'U', the viewer. And because it seemed like it might be funny to anyone who speaks Japanese unlike me. A few extra buttons (L&R) are pressed here to manipulate trainer ID—since the RNG is seeded with the timer here, we need to pick a seed that gives us access to a good Mudkip!
Specifically, we'll be using a Rash Mudkip with PID 89613C19 and these IVs: (30, 31, 16, 28, 1, 10).
The first step we take in the truck plays a "bumping" sound, which happens when we bump into a wall and immediately turn on the next frame instead of waiting to turn. This is used throughout the run.
Once we have Mudkip, we battle Brendan, get Running Shoes, our Pokédex (not that we'll be filling it much), Poké Balls, and we're off!
After beating the Youngster, we do some furious running near the spinner girl to advance the RNG more quickly for the Ralts manipulation.

Petalburg City

We'll need to teleport back here 3 times later, so we briefly enter the Pokémon Center to set the Teleport point.
Poor Wally. He wants a Pokémon but can't figure out how to catch one!
Unfortunately for him, we manipulate his borrowed Zigzagoon and the Ralts he fights so that he KOs it instead of catching it. The game doesn't actually take this into account, but we still save time by skipping the catch animation.
This can only happen if Zigzagoon has an Attack IV of more than 25, and Ralts has a Defense-lowering Nature and less than 4 HP IVs and 6 Defense IVs. It's rare for a given RNG cycle to cause this, which necessitated advancing the RNG earlier to hit it.
We finally get away from Dad, and Wally, only for Scott to show up and stall us even more. We then head west to Petalburg Woods to find a Devon clerk looking for a Shroomish, but he's attacked by a Team Aqua Grunt! 3 critical Tackles make quick work of his Poochyena though. Mudkip's speed, which usually doesn't matter much in this run, matters here: if it doesn't have a higher enough Speed IV, this Poochyena will outspeed it and make us take 3 hits instead of 2.

Rustboro City

The first thing we do is head right to the Trainer School to get the Quick Claw, which will let us make Mudkip go first even if the foe is faster. Then we go into the Gym and battle Youngster Josh, so that we can level up and learn Water Gun.
Four Torrent boosted Water Guns later and we've beaten Roxanne and taken our first badge from under her Nosepass! We head out and chase after the Devon clerk from earlier, who tells us the Aqua Grunt stole his Devon Goods. We head onto Route 116 in pursuit. We dodge a few spinners, defeat a Hiker, and get to Rusturf Tunnel where Mr. Briney tells us the Grunt has stolen his beloved Peeko. We confront the Grunt for him and reunite Briney and his pet. We head back to Rustboro but on the way, we catch an Abra for Teleport and to use for Pomeg glitching later.
After a very long conversation with Mr. Stone, we get the Pokénav and two more delivery quests. We teleport back to Petalburg to try and avoid Brendan...but he shows up anyway at Briney's cottage! Deciding he's not worth battling, we ignore him and ask Mr. Briney to take us to Dewford.

Dewford Town

Our boat is somehow briefly stopped in its tracks by a call on the Pokenav from dad, but we make it to Dewford eventually. Steven really likes rocks and so we find him deep inside Granite Cave to deliver Mr. Stone's Letter. Using the Escape Rope actually loses time here, so we head right out and enter Brawly's gym. Brawly is a tricky fight because of how easily Makuhita can KO us, but with Torrent-boosted Water Gun we acquire the Knuckle Badge and evolve our Mudkip! We then cruise onwards to Slateport.

Slateport City

Not much happens here of note except our final heal of the run from Capt. Stern. From here on every move we use counts, because we need to have enough Water Gun PP all the way through our fifth gym badge.
North on Route 110 are two annoying fights. Plusle and Minun love to use Quick Attack, which outspeeds Marshtomp even with Quick Claw and wastes time, so we manipulate the AI's move choice to get past both PokéFans.
We then run into Brendan again. This is one of the hardest fights in the game and is infamous in speedruns. To KO Grovyle we either need two max damage critical Tackles (a 1/256 chance for each), or two critical Mud Shots (Mud Shot loses time because it prints more text). We manage to get one of each, and also manipulate Grovyle's Absorb damage so that we can have enough health for later.

Mauville City

We get Rock Smash so we can smash rocks and the Mach Bike so we can go fast. Wally, his Uncle, and our stalker Scott all stall us, but we eventually get into the Gym. Does Wally's Uncle even have a name?..anyway, this gym goes by fast with Mud Shot for damage and the Quick Claw to outspeed all of Wattson's pokémon.
Next, we head north to Route 111 & 113, though we're interrupted by a call from Wally. We go southwest to Meteor Falls, picking up a Protein on the way, for the most pointless cutscene ever—both team Magma and Aqua are up to no good. We KO a Solrock for Attack EVs and pick up some items before backtracking all the way back to Mt. Chimney.

Mt. Chimney

We battle our way up the mountain and breeze through Maxie's monologue. We Tackle Mightyena to start, making sure its Bite leaves us with 22 HP at level 25. A few well-timed Water Guns later and we're ready to head back down the mountain to fight Flannery. That's also the last we'll be seeing of either villainous team this run. Since all of Flannery's pokémon are Fire types our only real challenge is getting the critical hit on Torkoal. Finally, we teleport to Petalburg for the closest thing to a final boss fight in this run.

Petalburg City Part 2

We're finally ready to fight Dad. The Gym trainers we fight are chosen to limit the EV gain on Marshtomp so that we don't go over the amount we need. We use our Super Potion to heal Marshtomp almost to full to prepare for the most difficult fight in the run. Even at +2 boosts from the X Sp. Attacks, we still need critical hits to defeat all of Norman's pokémon. Remember all that talk about managing health? If we have more than 28 HP when we get to Slaking, it will always use Facade, which always KOs us. If we have less than about 28, its weaker Faint Attack will KO us. With exactly 28 HP, we can manipulate Feint Attack to do 27 damage and let us survive, avoid activating Slaking's Sitrus Berry and KO it on the second turn. We claim our 5th badge and victory over Dad, talk to "Uncle" to get Surf, and head out to completely ignore the rest of the game's story.

Route 119

Here is where the fun really begins. We make the long trek back to Mauville and Route 119, catching a Poochyena on the way. We also detour down to Slateport's market to pick up two HP Ups, one for Abra and one for Marshtomp. Ideally, we would do this detour earlier, right before leaving Slateport for the first time, but we don't have enough money until after fighting the PokéFans, so its faster to do it now. We're then stopped by our first and only Double Battle. The events of this battle are extremely important. In it we KO Poochyena, bring Abra down to 1 health, and set our last used party slot to 3 (by sending out Marshtomp in Poochyena's place). We head east to chat with Steven and do some furious running near the blonde spinner to set up an encounter later.
Finally we get what we came for—a Pomeg Berry! We also pick up a Kelpsy Berry to finalize Marshtomp's EVs at 21 HP, 6 Attack, before teleporting back to Petalburg for the final time.

Glitzer Popping

Marshtomp needs to be placed in Box 2 slot 24 and we begin writing our payload in Box 1.
Using the Pomeg Berry on Abra knocks it out, leaving us with a totally KOed party. When we enter a battle on a precise frame, the memory layout is such so that we can corrupt Marshtomp's PID, swapping its EV and species data and turning it into species 0x0615. The game gets confused and thinks we have zero pokémon, so it just sends out the pokémon in the 3rd slot, the last slot we used which is now empty. Viewing Poochyena's summary refreshes the party count and lets us select more than 6 pokémon, and we scroll up once to corrupt the first possible address and Marshtomp's PID.

ACE Setup

Returning to the PC, we finish our box name payload and withdraw our glitched Egg. The box names are ARM assembly code that will allow us to input even more code using the buttons, one byte per frame. Unfortunately for this Egg to hatch, we need to complete the next Egg cycle, which rolls over every 255 steps meaning we have to do some biking.
When the Egg hatches, a lot happens very quickly. As soon as the glitch sprite is on screen, the animation starts and begins running the code in the Box names. This code lets us write bytes based on the buttons that are pressed, and by pressing L&R we break the input loop and run whatever we input. We're free to input any game-ending payload here, but there are good and bad options for quickly beating the game.
Timing stops at the final input after which completing the game is inevitable.
Teleporting to the Hall of Fame map is doable, and triggers full game completion. However I'd still have to press A on the text boxes and the Hall of Fame screen itself, which adds additional time.
Calling the Hall of Fame sequence itself works too. Doing that requires clearing the memory used by onscreen sprites, or the sequence will crash, but it's not a huge problem. However this doesn't set all game completion flags, it just put our save location in Littleroot. And I'd still have to press A on the "Congratulations" to trigger the end credits.
We could also call the credits directly, but this completes exactly none of the game, it just rolls the credits.
In the end I settled for something hackier than all 3 solutions. Instead of letting code execution return to the main loop of the game, I wrote my own main loop, that mimics the normal one but treats A as being pressed regardless of actual input. After that, all it takes is a hacky teleport into the map, and a return to this main loop to take away the controls. The final input is the final byte of code—everything after basically happens on autoplay. When the game resets after the credits, the custom code in RAM will be wiped, but the game is still completely beaten, and faster than ever before!

Easter Egg

All of this applies only to the movie I requested be used for encoding.
Towards the end of the development of this TAS I felt that the ending needed some more flair. To me ACE is a lot more interesting if you do something with it beyond just a credits warp. Since no GBA emulator supports subframe inputs yet, I wasn't able to do anything graphically advanced like Mr. Wint's famous Pokémon Yellow TAS, since I can only input one byte per frame. With that aside though, there are still a lot of cool things we can do!
Emerald has a section of save data commonly called the "ram script", about 1 kilobyte in size. This script was, I believe, occasionally used by event distributions for the games. It enables a custom script, complete with text and other events, to be placed into save data semi-permanently, to be activated by talking to any specific NPC.
So with total control of the game, why not put something there as basically an Easter egg?
I thought it would be fun if I put myself into the game, complete with customized text, maybe even a custom battle!
It turns out that writing data into the ram script is pretty easy. There's a checksum needed, but we can just call the game's function to calculate it.
One problem, though, is that since the script is in save data, it is randomly shifted in memory just like PC data. This would make embedding assembly code into the script and calling it difficult, if there weren't a way around it. Since save data can only be shifted by at most 128 bytes, all we need is a short stub at the start of the script to call our code, 128 bytes of zeroes, followed by the code we wanted to call. Then we have the stub jumped to a fix memory location that will either be our code, or a bunch of zeroes that do nothing until we eventually run into our code.
Ok, so we can embed code in save data! What can we use it for?
Well, firstly, we can use that code to copy the rest of the script to a fixed, unused memory location. This makes assembling the actual script easier since it knows its at a fixed location and the assembler can figure out addresses of things we want to reference, like blocks of text.
Running embedded code is also needed to trigger the custom battle. Emerald wasn't designed to allow script-triggered battles with data in RAM. There are script commands for starting battles, but they only allow us to use data from the ROM which we can't modify. To start a battle with a custom trainer and pokémon, we have to hackily call a few functions, but it only takes a hundred assembly instructions or so.
With all that figured out, I had a way to put myself, text, pokémon, and all, into the game, complete with a rare reward for winning the battle.
Now for the battle itself.
Battles in Emerald are very dependent on data being set at the right times. I had to input very little additional code to create the effects shown. I modified the input payload to let me write code to any address, or run code at any address, and I added some functions to call on demand to print text to the screen and change the RNG. Everything you see is the result of key variables being altered at precise times--strings are written into memory just before I print them, damage is modified right before its applied, move targets are changed, and an entire valid pokémon is written into RAM (The TAS Porygon2) just before I send it out. I think it's a fun demonstration of how deep knowledge of a game's inner workings can lead to things that would never be possible in normal play.

Special Thanks

  • FractalFusion, for suggestions on the forums and overall game knowledge
  • Pidgey from PRET, for helping with disassembling the JP ROM
  • Everyone else from pret
  • GoddessMaria, for her Emerald TAS that helped me learn
  • Metarkai, for his documentation of the Pomeg glitch
  • endrift, for mGBA and fixing *two* bugs I found over the making of this TAS
  • Everyone in the Pokémon RTA Discord for their routing and spinner docs, and for letting me pester them with ACE strats

Possible Improvements

  • It's possible that there is a better seed with a different Mudkip that could be faster. The only way to really tell
would be to write a bot to try them all

GoddessMaria: Judging.
GoddessMaria: Hello, merrp, and welcome to TASVideos. Excellent work on improving the published submission. The thorough research and deep work into the game's inner workings definitely shows without sacrificing speed and showed that a previously written off method for this branch was indeed optimal. Audience response was also positive, too. Well done!
Accepting as an improvement to the previous movie.
Spikestuff: ♫ Gotta corrupt them all! Pokémon!
feos: The author requested (on Discord) that this submission is set to Delayed while a new improvement is being implemented.
feos: Reset to new.
ThunderAxe31: Judging.
ThunderAxe31: File replaced with a 02:36.69 improvement.
ThunderAxe31: Usually, I would have asked to make a new submission for such a large improvement, but in this case the movie contents appeared visually similar to the initial movie, so audience response is still relevant; also, there is no need keep the initial file for a rejection precedent either.
This movie aims to beat the game as fast as possible. For this purpose, the author developed a new strategy for making use of the Pomeg glitch, in order to execute arbitrary code that instantly triggers the game ending. The currently published movie for fastest completion is labelled "Pomeg glitch", while this submission is labelled "game end glitch", even though they both revolve around the usage of said glitch. The reason is because we prefer to use broader definitions when available, and in this case the submission manages to fall within the category of movies that reach the ending instantly via a glitch, regardless of if that glitch is making use of arbitrary code execution or not.
This movie is very optimized, as demonstrated by the extensive documentation of its development.
While there have not been posted a lot of thoughts about the entertainment feeling of the audience, I must note that this movie contains the kind of RPG TASing that people tend to like, with all the careful route planning and the unexpected plot twists. I also have to note that the submission accumulated 20 Yes votes and nothing else, which is uncommon.
With that said, accepting for Moons this movie and obsoleting the published "Pomeg glitch" movie.
Spikestuff: Publishing.
As a note: merrp doesn't have updated post input so the screenshot suggestions won't be used.


TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15752
Location: 127.0.0.1
Spikestuff
They/Them
Editor, Publisher, Expert player (2692)
Joined: 10/12/2011
Posts: 6481
Location: The land down under.
Oh I've been waiting for this submission after the author teased about it for a while. Here's the Yes Vote and here's my shotgun for pubs.
WebNations/Sabih wrote:
+fsvgm777 never censoring anything.
Disables Comments and Ratings for the YouTube account. Something better for yourself and also others.
Skilled player (1748)
Joined: 9/17/2009
Posts: 4993
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Nice work. You mentioned real time runners have a strategy for ACE; how does that work? Just box and pokemon names only, given they probably can't do frame perfect input for instructions? Also, this is probably not going to be very useful for most people (including me), but what was the payload in THUMB? I'm really curious on how you can access any RAM addresses using a limited amount of possible opcodes.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
Real time runners only have a strategy for ACE because I made them the strategy ;) It uses a different entrypoint, with a glitch species (specifically a glitched front sprite animation) instead of a glitch move. This is different from what's done in the TAS, and it was very recently discovered (or re-discovered; I reverse engineered and expanded on it based on a Japanese speedrunner's run) too. I likely will TAS this strategy at some point, but I don't think it will be faster. Even on JP, with its much greater access to opcodes and the ability to write THUMB, getting the glitch species requires either hatching an Egg or double corruption, neither of which are very fast. You need a way to play its front sprite animation, which you can't do unless it's hatched or corrupted twice to not be an Egg. However, the strategy I created for English is still a lot faster than the current RTA route, and they said they're Here is the payload in box names, which I use to input subsequent code: Hopefully it's at least vaguely understandable even with all the comments. 1. Setup key input 2. Write lower 8 bits 3. Loop unless L&R pressed
Box1: @ 02 4D 34 1D 05 DF 04 E0 (いぷゃへおkえl)
LDR r5,[pc,#8]  4D02 @ r5=REG_KEY_INPUT
ADD r4,r6,#4    1D34 @ r4=start of loop (SWI)
SWI #5          DF05
B Box3          E004
Box2: @ xx xx xx 30 01 00 04 (ぃぃぃぃあ え)
.space 3
.4byte 0x04000130 @ REG_KEYINPUT
Box3: @ 29 68 71 77 01 4B 04 E0 (るネムラ ゥぽ えl)
LDR r1,[r5]     6829 @ r1=keys
STRB r1,[r6]    7031 @ write keys
LDR r3,[pc,#4]  4B01 @ r3=0x300
B Box5          E004
Box4: @ xx 00 03 (  う)
.space 1
.2byte 0x300
Box5: @ 01 36 19 42 00 D0 20 47 (あょのぢ Vみび)
ADD r6,#1       3601
TST r1,r3       4219 @ Z=L&R
BEQ target      D000
BX r4           4720 @ loop to SWI
target:
I can also post the second or third stage payloads if anyone is interested, but they're a bit larger (I think about a hundred instructions or so).
TiKevin83
He/Him
Ambassador, Moderator, Site Developer, Player (156)
Joined: 3/17/2018
Posts: 358
Location: Holland, MI
Big congrats merrp. Excellent level of thoroughness for such a TAS, and I love when TASing helps RTA.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
I'll have a temporary encode available for anyone who can't play the movie back soon!
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
Temporary encode is up, for anyone who wants to watch but can't play back the movie: https://www.youtube.com/watch?v=cY_O9nRwxc4
Joined: 8/7/2011
Posts: 166
Payload at 56 mins in. キ is broken.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
キ is broken.
Did something break?
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
merrp wrote:
キ is broken.
Did something break?
Yeah, it's the adventures of fake BAD EGG red キ. This is how broken キ is: I don't even know what move キ is trying to use here. On a more serious note, I have not forgotten you; I just have nearly no time these days to do anything TAS related, in case you were wondering whether I disappeared. I did have time to watch your TAS, and you did manage to get it below 58 minutes. I should mention that you could have used Mud Shot on Wally's Ralts to avoid the critical hit there, and switch out one of the Mud Shots on either of the Numel you would eventually use it on with Water Gun. (Also, there was no need to use Water Gun on Magnemite before then; you could have just used Mud-Slap). Either that or you could have taken the Tackle damage from Wingull to set up Torrent and do as you did before. However, I don't think it would be too appropriate right now to nitpick this anymore, especially since you already submitted this, and you are testing out a new strategy that may even be faster. I still think the strategy of glitching IVs to move (instead of EVs to move) could work. However, it would take a lot of planning to make sure everything works. Also, the results I posted last year were messed up (I made an error that reported false values), so don't use those results.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
I don't even know what move キ is trying to use here.
Most glitch moves have really long, glitchy names that read from unintended areas of the ROM--so I'm not really sure where the name comes from exactly either!
I should mention that you could have used Mud Shot on Wally's Ralts to avoid the critical hit there
Was that mentioned in the last list you helped make of what moves to use when? I thought I copied it over and followed it pretty exactly but maybe I made a mistake.
Also, there was no need to use Water Gun on Magnemite before then; you could have just used Mud-Slap
Isn't the super effective message longer than the critical hit one?
I still think the strategy of glitching IVs to move (instead of EVs to move) could work.
It probably could but like you said, the planning and setup is huge for the relatively small payoff of skipping the vitamins. I'm not sure I'm interested in doing that right now, I've been working on trying to crack open JP Ruby lately, as well as whether sprite ACE could be faster on JP. But we'll see!
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
merrp wrote:
Was that mentioned in the last list you helped make of what moves to use when? I thought I copied it over and followed it pretty exactly but maybe I made a mistake.
Oh, I assumed that you were still using Torrent strategy. But maybe I wrote something down wrong. Or I assumed that Water Gun and Mud Shot were interchangeable in a lot of places, so I left it as a puzzle for you to work out. :)
merrp wrote:
Isn't the super effective message longer than the critical hit one?
Only in English. In JP version, SE message is shorter than crit message.
merrp wrote:
I've been working on trying to crack open JP Ruby lately, as well as whether sprite ACE could be faster on JP. But we'll see!
How are you planning to crack open JP Ruby? Is there a glitch that allows potential ACE?
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
How are you planning to crack open JP Ruby? Is there a glitch that allows potential ACE?
There's this: https://glitchcity.info/wiki/Mail_and_Trick_glitches it can apparently corrupt metatiles. Which is really interesting and seems to me like it could potentially be more powerful. I've been working on disassembling and matching the ROM similar to what I did for Emerald, so that I can inspect what's actually going on. If, and it's a big if, there's a way to corrupt PC or party data, you could corrupt a PID and get a glitch species or move, and at least one of those could probably do ACE. It'd be like glitzer popping but without pomeg berries. We'll see!
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
merrp wrote:
How are you planning to crack open JP Ruby? Is there a glitch that allows potential ACE?
There's this: https://glitchcity.info/wiki/Mail_and_Trick_glitches it can apparently corrupt metatiles. Which is really interesting and seems to me like it could potentially be more powerful.
Oh, I know about that! I found about it because of epicdudeguy's speedrun using this glitch on JP Any% to dupe Rare Candies: https://www.speedrun.com/pkmnrubysapphire/run/yjk2ldnm Some time ago, I tried some number of metatiles to see if it would do anything strange. So far, I haven't encountered any tiles that do something completely weird. I did find a tile (spawned by either of the two mail words ちからもち or ちくでん, under the category for abilities) that warps you to your secret base if you enter them from below. Other than that, I didn't really find anything else. But you probably know better how to manipulate these metatiles. I found a way to crash the game. If you do the tile glitch on Route 110 and then walk out through the tiles towards the left 4 tiles, the game will freeze. It works in a couple other places as well. I didn't find it to be useful though.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
Yeah I think that having the disassembly will make inspecting the mechanics a lot easier.
I found a way to crash the game. If you do the tile glitch on Route 110 and then walk out through the tiles towards the left 4 tiles, the game will freeze. It works in a couple other places as well.
Did it freeze as in completely crash, or was the music still playing? If it completely crashed, it likely hit an invalid opcode, which means it executed something it shouldn't have, that might be exploitable. If the music still plays it's more likely it got caught in an infinite loop or a large area filled with zeroes.
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
merrp wrote:
I found a way to crash the game. If you do the tile glitch on Route 110 and then walk out through the tiles towards the left 4 tiles, the game will freeze. It works in a couple other places as well.
Did it freeze as in completely crash, or was the music still playing?
The music fades out, as if going to a new area. Otherwise, the display freezes.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
Do you remember what phrases you used to make it do that? On Route 110? I've been doing research and found out the exact area it modifies, but I haven't been able to make it crash yet.
Site Admin, Skilled player (1262)
Joined: 4/17/2010
Posts: 11556
Location: Lake Char­gogg­a­gogg­man­chaugg­a­gogg­chau­bun­a­gung­a­maugg
Any progress with this?
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
I made some progress mapping out the new route and examining the Mudkip I want to use. My finals are finally over so I plan to have this finished with the new method by June!
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
merrp wrote:
Do you remember what phrases you used to make it do that? On Route 110? I've been doing research and found out the exact area it modifies, but I haven't been able to make it crash yet.
Sorry, I've been busy with real life and forgot to reply to this until now. I can't remember exactly, but any phrase that replaces a wall with something that allows you to walk through it should work (I believe such phrases are mostly located in the Pokemon name phrases). After walking through the wall in Route 110 (as well as some other areas), if you keep walking left to "leave" the area, the freeze should happen.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
Sorry that this has taken so long, but I've more or less completed the improvement I wanted to do! This is only a partial encoding and I'll be updating the submission in the next few days: https://youtu.be/Lf4mtodATYw Link to video The time is now 54:58.
After walking through the wall in Route 110 (as well as some other areas), if you keep walking left to "leave" the area, the freeze should happen.
I was able to replicate this! But it sadly doesn't seem to be exploitable.
merrp
She/Her
Player (20)
Joined: 7/31/2019
Posts: 56
New encode of improvement! https://youtu.be/YTUgeJY9sYo Link to video
Editor, Expert player (2083)
Joined: 6/15/2005
Posts: 3289
So, I'm impressed with the improvements you made. But is there something special about species 0x0615 that triggers the glitched egg hatch into ACE? Are there other species numbers for which it works?
Reviewer, Active player (289)
Joined: 12/14/2006
Posts: 717
So this movie was accepted before, but an improvement was found. The stuff leading up to the ACE was well played. From what I saw, the route was similar to the previous movie with some new strategies. I didn't really take the time to see them side by side to catch all the little details. As for the ACE itself, the run before improvement was already a great feat and required a lot of knowledge and research. The new ACE looks a lot cleaner, though. It feels like there's less confusing actions, and it seems the code itself takes a shorter amount of time to input. There's barely any time to think before the ending is reached. I see no reason why the previous decision shouldn't carry over to this one.
Post subject: Movie published
TASVideoAgent
They/Them
Moderator
Joined: 8/3/2004
Posts: 15752
Location: 127.0.0.1
This movie has been published. The posts before this message apply to the submission, and posts after this message apply to the published movie. ---- [4278] GBA Pokémon: Emerald Version "game end glitch" by merrp in 54:54.81