Reviving this to detail my research with JP Ruby glitches.
I wanted to understand how the mail glitch worked, so I disassembled the ROM and have been looking at the functions involved.
JP R/S lacks a check used in the localizations for Thief and Trick, that is supposed to check if a pokemon has mail and if so cause the Thief or Trick to fail. It's literally probably 10 assembly instructions missing that makes this possible. However I haven't see any other differences in how mail works meaning that if only that check were missing from the other R/S/E versions, this would be possible in all of them.
Basically, the game has space for 16 mail slots. The first 6 are meant to be stored on party pokemon, the last 10 are for mail in the PC. Each mail slot contains some easy chat words, the player name, trainer TID&SID, a 2 byte species value for the pokemon holding the mail, and a 2 byte item ID for the actual mail item.
When you give a pokemon mail, one of these slots is filled, and the pokemon's mail field is set to the index of that slot. This is normally fine, because you can't go above 6 within the party because you wouldn't be able to give any more mail.
Using Trick or Thief bypasses this. It changes the item the pokemon is holding
but does not clear the mail slot. This makes the game think that slot is still full, semi-permanently.
So what happens if you fill up all 6 slots but can still give mail to a pokemon holding an item?
Normally when giving mail, the game calls a function that counts up to 6, looking for an open slot.
It can only count up to 6, so if all 6 slots are filled, it returns early, which means that the mail is not given. But, the game still thinks an item swap occurred, so it gives you back whatever the pokemon is holding, duplicating the item.
On to tile corruption. Each party pokemon has a mail field which I mentioned earlier. In normal play, this can only be the values 0-5 inclusive, corresponding to the 6 mail slots, or 0xff, for pokemon that have had mail taken away/have never held mail. There is no function in the game that can assign any other value to this field.
If all 6 mail slots are full, and you give mail to a pokemon without an item whose mail field is 0-5, it will bring up the easy chat words that were last written to that slot. If, however, you do this to a pokemon whose mail field is 0xff, the area of memory that's accessed in memory is way out of bounds of the mail slots. Specifically, it's a fixed location that lies right in the middle of map metatiles. Changing the easy chat words changes whatever metatiles (if any) are at that memory location. And this can be repeated many times because the mail is never actually given.
The reason the tiles changed on each map differ is because they're stored with some padding that depends on the width of the map.
There is no known way to change the metatiles that are accessed. If you could somehow get a pokemon whose mail field was any other value, different tiles could be accessed, but I'm pretty sure that isn't possible. That being said there are a few maps where the tiles you can change are walkable (Slateport City, Mossdeep, Route 110, Route 118 to name a few), but in my testing, none of them allow for sequence breaks.
The tiles on Route 118 fall exactly one tile short of being able to cross the water and access Route 119 early, without Surf. It's kind of depressing.
Now that I understand this better, I think I'm going to work on a JP Ruby TAS that does item duplication after Slateport. I'm not sure how much faster cloning rare candies would be though.
I also investigated the cause of
https://www.glitchcity.info/wiki/Excessive_doll_arrangement_glitch
and can post that if people are interested :D
