Pokémon Gen 3 ACE

0) Data
0.1) Useful Pokémon to obtain
1) Glitch Moves and Boostrap Codes
2) Bootstrap Pokémon Procedure
3) Overworld Subroutine Pokémon Procedure
4) List of the main Codes to execute
5) DMA Translation check to perform ACE

  0) Data
In-game traded Pokémon :
Emerald :
Seedot : PID 0x00000084, TID 0x00009746, PID xor TID : 0x000097C2
Plusle : PID 0x0000006F, TID 0x0001210C, PID xor TID : 0x00012163
Meowth : PID 0x0000008B, TID 0x00016559, PID xor TID : 0x000165D2
Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2

Starting adresses :
Emerald :
- PC Item Slot 1 : 0x02025E98
- Pyramid Bag Slot 1 : 0x02025880
- Box 12 Slot 18 : 0x0203047C / 0x0203049C (1st byte of the 1st substructure)
Emerald Jp :
- PC Item Slot 1 : 0x02025B3C
- Pyramid Bag Slot 1 : 0x02025824
- Box 12 Slot 15 : 0x02030030 / 0x02030050 (1st byte of the 1st substructure)
FrLg (non Jp) :
- PC Item Slot 1 : 0x020257C4
- Box 12 Slot 24 : 0x02030168 / 0x02030188 (1st byte of the 1st substructure)
FrLg Jp :
- PC Item Slot 1 : 0x02025724
- Box 12 Slot 26 : 0x02030140 / 0x02030160 (1st byte of the 1st substructure)

General form of the Bootstrap Code : 03 xx yy 02 02 FF 00 08 / 02yyxx03 080FF02 (32-bit format)

-- Possible starts in PC :
-Emer US, Fr, Spa :
0x02030400 (0x1608), 0x02030208 (0x392C), 0x02030120 (0x4871), 0x02030008 (0x41A7)
-Emer Jap :
0x02330000 (0x3110)
-Fire Red US, Fr, Spa :
0x023F0084 (0x0713), 0x02030400 (0x161F), 0x023F0074 (0x1359)
-Fire Red Jap :
0x023F0084 (0x0713), 0x023F0074 (0x1359)
-Leaf Green US, Fr, Spa :
0x023F0084 (0x0713), 0x02030400 (0x161F)
-RS Fr :
0x02039360 (0x804C),(0x8053), 0x02133F00 (0x3CBE)

-- Script engine subroutine :
Emer US : 0x08098EF9 / Emer Fr : 0x08098F09 / Emer Ita : 0x08098F0D / Emer Spa : 0x08098F0D / Emer Ger : 0x08098F15 / Emer Jap : 0x08098881
FrLg US : 0x08069AE5 / FrLg Fr : 0x08069B95 / FrLg Ita : 0x08069AC1 / FrLg Spa : 0x08069BA9 / FrLg Ger : 0x08069AD5 / FrLg Jap : 0x080693A5
Ruby US : 0x080655B9 / Ruby Jap : 0x080628F9 / Ruby Fr : 0x080659E5 /
Sapp US : 0x080655BD / Sapp Jap : 0x080628FD / Sapp Fr : 0x080659E9 / Sapp Ita : 0x08065911


-/L'Exécution arbitraire de code : Introduction + Explications
-/Comment l'ACE est faite
~Quelles zones de données peuvent être manipulées (Emer, FrLg, RS)
~Stocker un morceau de code via les objets du PC, objets des Sacs Pyramide, données des Pokémon du PC
~Comment faire en sorte que la console aille lire les bonnes adresses : Bootstrap Pokémon.
~Exécuter les scripts du jeu : Appeler l'Overworld Script Subroutine.
~Exécuter l'ACE grâce au DMA : le contrôle de la valeur du DMA.
~Récapituler les étapes
-/Liste de codes exécutables
--/Plein de trucs
--/Connaître son SID
--/Débloquer toutes les îles event
--/Changer le Pokémon dans la Grotte Métamo
--/Shasser à l'Usine de Combat
--/Shasser au Parc Safari sans Safari
--/Shasser des troupeaux originaux
-/Obtenir un Pokémon Bootstrap
-/Obtenir les Objets Glitch nécessaires
-/Placer les objets dans les Sacs Pyramide (Emeraude)
-/Placer et Dupliquer les Objets dans le PC (Emeraude, RfVf)
-/Placer et Dupliquer les Objets dans le PC (RS)
-/La procédure de placement pour un ACE rapide
-/La procédure de placement pour un ACE complet
--/Obtenir un Overworld Script Subroutine Pokémon
-/Tester le décalage de l'Anti-DMA


0.1) Useful Pokémon to obtain
- Obtain the in-game traded Seedot,Horsea,Plusle.

- Corruption Initiators
https://www.youtube.com/watch?v=hBWkshUJv_8&index=25&list=PLC1Bru8sfeb7ZcIWx7SI5BhdJOa7e3uj0
If you can get in-game traded Pokémon from FrLg, you can make Corruption Initiators from in-game traded Plusle (Emerald) in-game traded Lickytung (FrLg) more easily.

- A Cloning Glitch Pokemon
Allows you to clone and anti-clone way faster than with Battle Tower. Glitch Pokémon with long species names still need to be cloned at Battle Tower.
Emer Fr : 0x2890 (40 Atk,144 HP) | Emer Us : 0x288A (40 Atk,138 HP) | Emer Spa : 0x2890 (40 Atk,144 HP) | Emer Ita : 0x2718 (39 Atk, 24 HP) | Emer Jp : 0x2660 (38 Atk, 96 HP) | FrLg FR : 0x320B (50 Atk,11 HP) | FrLg US : 0x3200 (50 Atk,00 HP) | FrLg Spa : 0x3210 (50 Atk,16 HP) | FrLg Ita : 0x320A (50 Atk,10 HP) | FrLg Ger : 0x320F (50 Atk, 15 HP) | FrLg Jap : 0x4F90 (79 Atk, 144 HP) |

- An Instant Pomeg Glitch (IPG) Pokémon
Emer Fr: 0x29C8 (41 Atk,200 HP) | Emer US : 0x29C0 (41 Atk,192 HP) | Emer Spa : 0x948C (148 Atk,140 HP) | Emer Ger : 0x29C9 (41 Atk, 201 HP) | Emer Jp : 0x4360 (67 Atk,96 HP) | Emer Ita : 0x9481 (148 Atk,129 HP) |

- Invisible Bad Eggs.
Useful for Decaswitch (https://www.youtube.com/watch?v=QB67-pKKY3Q) and Instant Pomeg Glitch. (http://pastebin.com/wsYtbzpG)


1) Glitch Moves and Boostrap Codes
-- Game : Emerald (except Jap)
Starting adress : 0x02030400 (0x1608)
Pokémon used : Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2
DMA : At Box 12 Slot 16, translation of 18 double-words. (0x48 bytes)
- Target adress : PC Items Slot 1 (0x02025EE0 with translation)
New Code : 025EE103 0800B402
XORed : 025E55B1 080000B0 - Works.

- Target adress : Box 12 Slot 18, Substructure 1 (0x020304E4 with translation)
New Code : 0304E503 0800B402
XORed : 030451B1 080000B0 - Works.

- Target adress : Pyramid Bag Items Slot 1 (0x020258C8 with translation)
New Code : 0258C903 0800B402
XORed : 02587DB1 080000B0 - Works.


-- Game : Emerald Jap
Starting adress : 0x02030000 (0x3110)
Pokémon used : Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2
DMA : At Box 12 Slot 13, translation of 17 double-words. (0x44 bytes)
- Target adress : PC Items Slot 1 (0x02025B80 with translation)
New Code : 025B8103 0800B402
XORed : 025B35B1 080000B0 - Works.

- Target adress : Box 12 Slot 15, Substructure 1 (0x02030094 with translation)
New Code : 03009503 0800B402
XORed : 030021B1 080000B0 - Works.

- Target adress : Pyramid Bag Items Slot 1 (0x02025868 with translation)
New Code : 02568903 0800B402
XORed : 02563DB1 080000B0 - Works.


-- Game : FrLg (except Jap)
Starting adress : 0x023F0084 (0x0713)
Pokémon used : Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2
DMA : At Box 12 Slot 20, translation of 12 double-words. (0x30 bytes)
- Target adress : PC Items Slot 1 (0x020257F4 with translation)
New Code : 0257F503 0800B402
XORed : 025741B1 080000B0 - Works.

- Target adress : Box 12 Slot 24, Substructure 1 (0x020301B8 with translation)
New Code : 0301B903 0800B402
XORed : 03010DB1 080000B0 - Works.


-- Game : FrLg (Jap)
Starting adress : 0x023F0084 (0x0713)
Pokémon used : Horsea : PID 0x0000007F, TID 0x0000B4CD, PID xor TID : 0x0000B4B2
DMA : At Box 12 Slot 22, translation of 22 double-words. (0x58 bytes)
- Target adress : PC Items Slot 2 (0x02025780 with translation)
New Code : 02578103 0800B402
XORed : 025735B1 080000B0 - Can be obtained.

- Target adress : Box 12 Slot 26, Substructure 1 (0x020301B8 with translation)
New Code : 0301B903 0800B402
XORed : 03010DB1 080000B0 - Can be obtained.

2) Bootstrap Pokémon Procedure
To obtain HHHHJJKK 0800LLMM (XORed form)
- Make a Pokéblock with an Oran Berry, 2 NPCs, a maximal RPM lower than 23.3 RPM. (takes 10 boring minutes to do)
Pokéblock with 08 Beauty, 00 Coolness.
- Have an in-game traded Horsea clone with no EVs and less than 65.536 exp.
- Obtain Glitch Item 0xHHHH.
- Give Horsea :
Emer US : 16 Atk, 1 HP EVs and Return as 4th Move.
Emer Fr : 16 Atk, 17 HP EVs and no 4th Move.
Emer Spa : 16 Atk, 5 HP EVs and Hidden Power as 4th Move.
Emer Ita : 16 Atk, 49 HP EVs and Waterfall as 4th Move.
Emer Ger : 16 Atk, 20 HP EVs and Surf as 4th Move.
Emer Jp : 16 Atk, 9 HP EVs and Surf as 4th Move.
- Double corrupt Horsea into a Glitch Pokémon using unmarked Caterpie as corruption initiator.
That Glitch Pokémon won't be at Lv100 with 0x05060000 exp, so he can still gain EVs.
- Give the Pokéblock to the Poké.
- Give Pomeg, Hondew, Grepa Berries to the Poké to decrease its HP, SpAtk, SpDef EVs to 0.
12 Pomeg Berries will be enough. Up to 26 Hondew and Grepa Berries can be required (depending on Horsea's exp)
- Give the Poké 0xJJ Atk, 0xKK HP EVs, 0xLL SpDef, 0xMM SpAtk. (Less than 510 in total)
- Double corrupt the Poké using Heart Caterpie as corruption initiator.
For this corruption, do it the old way (once you have an Egg, don't touch/lift it and try to corrupt that Egg only)
It becomes Glitch Pokémon 0xJJKK.
- Give Item 0xHHHH to the new Pokémon.
End.

2.1) Pokémon Procedure for RS ACE :
For HHHHJJKK 26E0LLMM
JJ + KK + LL + MM must be lower than 510. HHHH can be anything. E0 26 is a 50 bytes jump.
- Make the Pokéblock recipe :
Oran + 2 NPC + Normal RPM : 10 Dry, 10 Bitter, 20 Feel  x3
Oran + 2 NPC + 7-23.3 RPM : 8 Dry, 8 Bitter, 20 Feel (takes 10 boring minutes to do)
Spelon + 3 NPC + 100-109.9 RPM : 51 Spicy, 12 Bitter, 32 Feel x4
- Have an in-game traded Horsea clone with no EVs and less than 65.536 exp.
- Obtain Glitch Item 0xHHHH.
- Give Horsea :
Emer US : 16 Atk, 1 HP EVs and Return as 4th Move.
Emer Fr : 16 Atk, 17 HP EVs and no 4th Move.
Emer Spa : 16 Atk, 5 HP EVs and Hidden Power as 4th Move.
Emer Ita : 16 Atk, 49 HP EVs and Waterfall as 4th Move.
Emer Ger : 16 Atk, 20 HP EVs and Surf as 4th Move.
Emer Jap : 16 Atk, 9 HP EVs and Surf as 4th Move.
- Double corrupt Horsea into a Glitch Pokémon using unmarked Caterpie as corruption initiator.
That Glitch Pokémon won't be at Lv100 with 0x05060000 exp, so he can still gain EVs.
- Give the Pokéblock to the Poké.
- Give Pomeg, Hondew, Grepa Berries to the Poké to decrease its HP, SpAtk, SpDef EVs to 0.
12 Pomeg Berries will be enough. Up to 26 Hondew and Grepa Berries can be required (depending on Horsea's exp)
- Give the Poké 0xJJ Atk, 0xKK HP EVs, 0xLL SpDef, 0xMM SpAtk. (Less than 510 in total)
- Double corrupt the Poké using Heart Caterpie as corruption initiator.
For this corruption, do it the old way (once you have an Egg, don't touch/lift it and try to corrupt that Egg only)
It becomes Glitch Pokémon 0xJJKK.
- Give Item 0xHHHH to the new Pokémon.
End.

3) Overworld subroutine Pokémon Procedure
- Clone the in-game traded Meowth once, the in-game traded Horsea twice.
Mark the Meowth with Square + Triangle, mark one Horsea with Square + Triangle, and mark the other Horsea with Square+Circle.

 If you want to perform ACE on multiple games, clone Square+Triangle Horsea multiple times (look at the EV-training list below to see how many clones you will need) and ev-train them one by one (leave the others in the PC to not mistake them).

- EV-train Square+Triangle Horsea : (script_run) (4th substructure)
Emerald Fr : 08 Speed EVs, 09 Def EVs, 59 Atk EVs, 187 HP EVs
Emerald US : 08 Speed EVs, 09 Def EVs, 58 Atk EVs, 75 HP EVs
Emerald Ita : 08 Speed EVs, 09 Def EVs, 59 Atk EVs, 191 HP EVs
Emerald Spa : 08 Speed EVs, 09 Def EVs, 59 Atk EVs, 191 HP EVs
Emerald Ger : 08 Speed EVs, 09 Def EVs, 59 Atk EVs, 167 HP EVs
Emerald Jp : 08 Speed EVs, 09 Def EVs, 60 Atk EVs, 51 HP EVs
FrLg Fr : 08 Speed EVs, 06 Def EVs, 47 Atk EVs, 39 HP EVs
FrLg US : 08 Speed EVs, 06 Def EVs, 46 Atk EVs, 87 HP EVs
FrLg Ita : 08 Speed EVs, 06 Def EVs, 46 Atk EVs, 115 HP EVs
FrLg Spa : 08 Speed EVs, 06 Def EVs, 47 Atk EVs, 27 HP EVs
FrLg Ger : 08 Speed EVs, 06 Def EVs, 46 Atk EVs, 103 HP EVs
FrLg Jp : 08 Speed EVs, 06 Def EVs, 39 Atk EVs, 23 HP EVs

- Once a Square+Triangle Horsea is EV-trained, give a Heart mark to that Horsea in order to indicate that his EV-training is done.
Give each Square+Triangle+Heart Horsea an Item depending on the game where you want to send him :
Emer Fr : | Emer US : | Emer Ita : | Emer Spa : | Emer Ger : | Emer Jp : | FrLg Fr : | FrLg US : | FrLg Ita : | FrLg Spa : | FrLg Ger : | FrLg Jp : |
This way, you will know for which game this Horsea is destined.

- Deposit Square+Triangle+Heart Horsea in safety in PC and redo the EV-training with one of its clones (if you have other Horsea clones to EV-train).


 If you want to perform ACE on multiple games, clone Square+Triangle Meowth multiple times (look at the EV-training list below to see how many clones you will need) and ev-train them one by one (leave the others in the PC to not mistake them).

- EV-train Square+Triangle Meowth : (block_base) (3rd substructure, so 17=0x11 double-words later)
Emerald (non Jp) : 02 Speed EVs, 03 Def EVs, 59 Atk EVs, 50 HP EVs
Emerald Jp : 02 Speed EVs, 03 Def EVs, 62 Atk EVs, 82 HP EVs
FrLg (non Jp) : 02 Speed EVs, 03 Def EVs, 50 Atk EVs, 38 HP EVs
FrLg Jp : 02 Speed EVs, 03 Def EVs, 50 Atk EVs, 82 HP EVs

- Once a Square+Triangle Meowth is EV-trained, give a Heart mark to that Meowth in order to indicate that his EV-training is done.
If you wanted to perform ACE on multiple Emerald games or on multiple FrLg games, clone that Meowth.
(Ex : I want to perform ACE on Fr,US,Ita Emerald so I give 02 Speed,03 Def, 59 Atk, 50 HP EVs to Meowth and then I clone it 2 times)
Give each Square+Triangle+Heart Meowth an Item, depending on the game where you want to send him :
Emer Fr : | Emer US : | Emer Ita : | Emer Spa : | Emer Ger : | Emer Jp : | FrLg Fr : | FrLg US : | FrLg Ita : | FrLg Spa : | FrLg Ger : | FrLg Jp : |
This way, you will know for which game this Meowth is destined.

- Deposit Square+Triangle+Heart Meowth in safety in PC and redo the EV-training with one of its clones (if you have other Meowth clones to EV-train).


- Take Square+Circle Horsea and change its 4th move to :
Emer Fr : -- | Emer US : Return | Emer Spa : Hidden Power | Emer Ita : Waterfall | Emer Ger : Surf | Emer Jp : Surf |
Give it 3 HP Ups. (30 HP EVs)

- Perform a double-corruption on Square+Circle Horsea, using Unmarked Caterpie as corruption initiator for both its TID and PID.
For the first corruption :
 Once a clone of Square+Triangle Seedot became an Egg, withdraw it and make a wild battle to check the Egg's contents.
(In this after-corruption scenario, the Egg will automatically be sent to the battle)
(Do not check the Eggs moves because two of them are Glitch Moves)
If the Pokémon inside the Egg is a Nidorina, reset and try again.
If the Pokémon inside the Egg is still a Horsea, use a Fluffy Tail to flee and save. (TID got corrupted)

Clone that Egg 5 times and place it in Box 2 Slot 2,4,6,8,10. Place new Unmarked Caterpie Corruption Initiator clones at Box 2 Slot 1,3,5,7,9, and perform another Pomeg Glitch Data Corruption to corrupt one of these Eggs into a Nidorina.
(Here, Horsea has a specific 4th move so the Egg obtained after the 1st corrutpion can be moved and cloned)

- Take that Nidorina and place it at Box . Slot .
Save. Clear the stuff left in Box 2. Save again.


- Store the following glitch items in Pyramid Bags (see notes about how to obtain them and how to deposit them in Pyramid Bags)
Pyramid Bag Setup
Lv 50 Bag
Code Item | Identifiant
01 | 0x02F0C (47 Sped, 12 Def) Checksum
02 | 0x004A (Dire Hit Item) Useless
03 | 0x0042 (Carbos Item) (1) (Cured Pokérus)
04 | 0x0043 (Calcium Item) (1)
05 | 0x4811 (72 Sped, 17 Def, 1 PP Max) (1)
06 | 0x46C0 (70 Sped, 192 Def, 1 PP Max)  (1)
07 | 0x4904 (73 Sped, 04 Def, 1 PP Max)  (1)
08 | 0x2264 (34 Sped, 100 Def) (1)
09 | 0xDF0B (223 Sped, 11 Def, 1 PP Max)  (2)
10 | 0x4803 (72 Sped, 03 Def, 1 PP Max)  (2)

Open Lv Bag
Code Item | Identifiant
01 | 0x4908 (73 Sped, 08 Def, 1 PP Max)  (2)
02 | 0xF000 (240 Sped, 00 Def, 1 PP Max)  (2)
03 | 0xF801 (248 Sped, 01 Def, 1 PP Max)  (2)
04 | 0xBDF0 (189 Sped, 240 Def) (2)
05 | 0x4708 (71 Sped, 08 Def, 1 PP Max)  (3)
06 | 0x46C0 (70 Sped, 192 Def, 1 PP Max)  (3)
07 | 0xD084 (208 Sped, 132 Def, 1 PP Max)  (3)
08 | 0x0200 (02 Sped, 00 Def) (3)
09 | 0x0000 (No Item) (3)
10 | 0x0000 (No Item) (3)

Cekchsum calculation :
double-corrupted Horsea : PID xor TID = 0x0000B4B2
0x00430042 | 0x46C04811 | 0x22FF4904 | 0x4803DF0B | 0xF0004908 | 0xBDF0F801 | 0x46C04708 | 0x0200D084 | 0x00000000 |
0x0000B4AC | 0x0505B4B2 | 0x0A1EB1B7 |
Decrypted :
0X0043B4F0 | 0x46C0FCA3 | 0x22FFFDB6 | 0x48036BB9 | 0xF000FDBA | 0xBDF04CB3 | 0x46C0F3BA | 0x02006436 | 0x0000B4B2 |
0x0000001E | 0x05050000 | 0x0A1E0505 |
Checksum : 0x2F0C (Yes !)


4) List of main codes to execute
- Bootstrap code :
; Launch task
dcb 0x03
; At address 0x02025EE0 in THUMB mode
dcd 0x02025EE0 ; adress of PC Item #1 with a DMA translation of 18 double-words (for Emer non Jap)
; Priority 180, not 255 because 180 give an easier code to store on a Pokemon
dcb 0xB4, 0x00
; End script
dcb 0x08

Code : 03 E1 5E 02 02 B4 00 08
Code : 03 V4 V3 V2 V1 B4 00 08  (Tells the game to execute code at adress 0xU1U2U3U4, with 0xU1U2U3U4 + 0x00000001 = 0xV1V2V3V4)


- Call to the Overworld Script subroutine :
; fasmarm syntax
processor cpu32_v4t ; ARMv4t (GBA cpu)
thumb ; we don't want an ARM-mode payload
; code starts below
; all addresses / offsets are for US FireRed.

ldr r0,[block_base + 100] ; the block_base value is stored 40 bytes = 10 double-words after the script
ldr r1,[bytecode_base]
movs r2,#0xff ; copy 0x1fe bytes. Less bytes can be copied if needed.
svc #0xb ; CpuSet
ldr r0,[bytecode_base]
ldr r1,[script_run + 20] ; the script_run value is stored 20 bytes = 5 double-words after the script
bl _call_via_r1
pop {r4-r7, r15}

_call_via_r1:
bx r1

bytecode_base: dw 0x200D084 ; works well
script_run: dw 0x08069AE5 ;adress of overworld script subroutine for FrLg US
block_base: dw 0x020257F4 ;adress of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jap)

Code : 11 48 C0 46 04 49 FF 22 0B DF 03 48 08 49 00 F0 01 F8 F0 BD 08 47 C0 46 84 D0 00 02 | E5 9A 06 08 | F4 57 02 02
Code : PP 48 C0 46 04 49 RR 22 0B DF 03 48 QQ 49 00 F0 01 F8 F0 BD 08 47 C0 46 S4 S3 S2 S1 | T4 T3 T2 T1 | U4 U3 U2 U1
(bytecode_base = 0xS1S2S3S4 | script_run = 0xT1T2T3T4 | block_base = 0xU1U2U3U4 )
(Copies 0xRR words from 0xU1U2U3U4 to 0xS1S2S3S4. Then calls the script at 0xT1T2T3T4 and make it execute the data at 0xS1S2S3S4.)
(0xU1U2U3U4 is stored P1 double-words after the script, and 0xPP= 0xP1+ 0x07. 0xT1T2T3T4 is stored Q1 double-words after the script, and 0xQQ=0xQ1 + 0x03.)(Ex : P1 = 10 (decimal), so 0xPP = 0x0A + 0x07 = 0x11 )
(For ACE, P1 = Q1 + 20, Q1 = )
Lenght : 28 + 4 + 4 bytes

0x4811 | 0x46C0 | 0x4904 | 0x22FF | 0xDF0B | 0x4803 | 0x4908 | 0xF000 | 0xF801 | 0xBDF0 | 0x4708 | 0x46C0 | 0xD084 | 0x0200 |
0x46C04811 | 0x22FF4904 | 0x4803DF0B | 0xF0004908 | 0xBDF0F801 | 0x46C04708 | 0x0200D084 |
Storing from 3rd Lv 50 Item : Double-corrupted : ADEC,DEAC,CDAE

Storing from 5th Lv 50 Item : Non double-corrupted :  ACDE,EADC
(DEAC double-corrupted Horsea seems better because Growth isn't in the way)
Storing from 7th Lv 50 Item : No working order


- Execute overworld scripts with an NPC :
processor cpu32_v4t ; ARMv4t (GBA cpu)
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0,[adress2]
  ldr r1,[adress1]
  movs r2,#0xFF ; copy 0xFF words from adress 1 to adress 2 ; You can copy-paste a word or double-word by changing 0xFF to 0x01 or 0x02
  svc 0xb
  ldr r0,[adress1]
  ldr r1,[adress3]
  str r0, [r1]
  pop {r4-r7, r15}
  adress1: dw 0x020257F4 ; block_base, adress of PC Item #1 with a DMA translation of 22 double-words (for FrLg non Jp)
  adress2: dw 0x0200D084 ; bytecode_base, works well
  adress3: dw 0x020269E4 ; npc_script_adress, adress of overworld NPC Script with a DMA translation of 22 double-words (for FrLg non Jp)

(bytecode_base = 0xS1S2S3S4 | block_base = 0xT1T2T3T4 | npc_script_adress = 0xU1U2U3U4 )
Code : 03 48 04 49 FF 22 0B DF 02 48 03 49 08 60 F0 BD E8 5B 02 02 84 D0 00 02 00 5F 02 02
Code : 03 48 04 49 FF 22 0B DF 02 48 03 49 08 60 F0 BD S4 S3 S2 S1 T4 T3 T2 T1 U4 U3 U2 U1
Lenght : 28 bytes

(Copies 0xRR words from 0xU1U2U3U4 to 0xS1S2S3S4. Overwrites the double-word at 0xT1T2T3T4 with the double-word 0xS1S2S3S4.)
[...] Needs to take account of code strage in PC Pokémon data.

- "Execute overworld NPC scripts" to store on a PC Pokémon data :
processor cpu32_v4t ; ARMv4t (GBA cpu)
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0,[block_base+100]
  ldr r1,[bytecode_base]
  movs r2,#0x0A ; copy 0x0A double-words from adress 1 to adress 2 ;
  svc 0xb
  ldr r0,[bytecode_base]
  ldr r1,[npc_script_adress+200]
  str r0, [r1]
  pop {r4-r7, r15}
  bytecode_base: dw 0x0200D084 ;
  block_base: dw 0x0
  npc_script_adress: dw 0x0

Code : 1D 48 03 49 0A 22 0B DF 01 48 35 49 08 60 F0 BD 84 D0 00 02
Lenght : 20 bytes
[...] Need to change the offset for storage of bytecode_base and npc_script_adress.


- Overwrites a byte :
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [adress1]
  ; The byte we want to write, in double-word format
  ldr r1, [adress2]
  ; Store the value of R0 to dword at R1
  strb r0, [r1]
  ; Return
  pop {r4-r7, r15}
  adress1: dw 0x00000078
  adress2: dw 0x0200D084  ; This is where the destination RAM address is loaded from

Code : 01 48 02 49 08 70 F0 BD 78 56 34 12 84 D0 00 02
Code : 01 48 02 49 08 70 F0 BD TT XX XX XX U4 U3 U2 U1 (0xU1U2U3U4 is the destination adress, 0xTT is the desired byte, 0xXXXXXX is whatever we want)
Lenght : 16 bytes

- Overwrites a word :
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [adress1]
  ; The word we want to write, in double-word format
  ldr r1, [adress2]
  ; Store the value of R0 to dword at R1
  strh r0, [r1]
  ; Return
  pop {r4-r7, r15}
  adress1: dw 0x00005678
  adress2: dw 0x0200D084 ; This is where the destination RAM address is loaded from

Code : 01 48 02 49 08 70 F0 BD 78 56 34 12 84 D0 00 02
Code : 01 48 02 49 08 80 F0 BD T2 T1 XX XX U4 U3 U2 U1 (0xU1U2U3U4 is the destination adress, 0xT1T2 is the desired word, 0xXXXX is whatever we want)
Lenght : 16 bytes


- Overwrites a double-word :
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [adress1]
  ; The double-word we want to write
  ldr r1, [adress2]
  ; Store the value of R0 to dword at R1
  str r0, [r1]
  ; Return
  pop {r4-r7, r15}
  adress1: dw 0x12345678
  adress2: dw 0x02028B4C ; This is where the destination RAM address is loaded from

Code : 01 48 02 49 08 60 F0 BD 78 56 34 12 4C 8B 02 02
Code : 01 48 02 49 08 60 F0 BD T4 T3 T2 T1 U4 U3 U2 U1 (0xU1U2U3U4 is the destination adress, 0xT1T2T3T4 is the desired double-word)
Lenght : 16 bytes


- Overwrites a double-word, Pyramid Bag stored :
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0, [adress1+16]
  ; The double-word we want to write
  ldr r1, [adress2+8]
  ; Store the value of R0 to dword at R1
  str r0, [r1]
  ; Return
  pop {r4-r7, r15}
  adress1: dw 0x12345678
  adress2: dw 0x02028B4C ; This is where the destination RAM address is loaded from

Code : 05 48 04 49 08 60 F0 BD 78 56 34 12 4C 8B 02 02
Code : 05 48 04 49 08 60 F0 BD ... T4 T3 T2 T1 U4 U3 U2 U1 (0xT1T2T3T4 is the destination adress, 0xU1U2U3U4 is the desired double-word)
Lenght : 8+8 bytes = 4+4 Items


- Copy-paste a string of words :
  processor cpu32_v4t ; ARMv4t (GBA cpu)
  thumb
  ldr r0,[adress1]
  nop
  ldr r1,[adress2]
  movs r2,#0xFF ; copy 0xFF words from adress 1 to adress 2
;You can copy-paste a word or double-word by changing 0xFF to 0x01 or 0x02
  svc 0xb
  pop {r4-r7, r15}
  adress1: dw 0x02025BE8
  adress2: dw 0x0200D084

Code : 02 48 C0 46 02 49 FF 22 0B DF F0 BD E8 5B 02 02 84 D0 00 02
Code : 02 48 C0 46 02 49 SS 22 0B DF F0 BD T4 T3 T2 T1 U4 U3 U2 U1	 (Copies 0xSS words from 0xT1T2T3T4 to 0xU1U2U3U4)
Lenght : 20 bytes


5) DMA Translation check to perform ACE

Emerald (except Jap) : A check for a DMA Translation of 18 double-words is required.
- Obtain in-game traded Meowth.
Clone it and keep a clone in safety. (like every other in-game traded Pokémon)
- Make 5 clones of Meowth.
- Give 5 Def and 5 Speed EVs to a clone of Meowth.
- Place the non EV-trained clones at Box 2 Slots 11,14,17,20.
Place the EV-trained clone at Box 2 Slot 23.
- Prepare yourself for ACE.
Obtain a Pokémon with Glitch Move 0x1608. (Plusle with 22 Atk, 8 HP EVs)
Obtain the Bootstrap Pokémon from in-game traded Horsea.
Set up PC Items / Pyramid Bag Items.
- Prepare yourself for Pomeg Glitch.
Don't do Instant Pomeg Glitch, a Pomeg Glitch with a wild battle is required.
Include a Pokémon with Glitch Move 0x1608 between Fly Pokémon and 1 HP Pokémon.
( Poké - KO Fly Poké - KO Poké with Glitch Move - 1 HP Poké)
For more convenience, perform Decaswitch.
Once you are prepared, save.
- Perform Pomeg Glitch.
- After hitting B to close the summary of the Fly Pokémon (the Pokémon in the second party slot), count your Up pushes.
At each Up push, look closely at the first party slot for red highlights.
You need to see :
Up Push N°1 : NO red highlight
Up Push N°2 : Red highlight on the Quit button
Up Push N°3 : The Pokéball behind the Fly Pokémon (Pokémon in the second party slot) must not be bright and opened a bit.
That Pokéball must look like the other Pokéballs behind the Pokémon in party slot 3.
Up Push N°4 : Red highlight on first party slot
Up Push N°5 : NO red highlight on first party slot
Up Push N°6 : Red highlight on first party slot
Up Push N°7 : NO red highlight on first party slot
Up Push N°8 : Red highlight on first party slot
Up Push N°9 : Red highlight on first party slot
Up Push N°10 : Red highlight on first party slot
Up Push N°11 : NO red highlight on first party slot
Up Push N°12 : NO red highlight on first party slot
Up Push N°13 : Red highlight on first party slot
Up Push N°14 : NO red highlight on first party slot
- If you saw the exact same highlights/things as described, your DMA translation if of 18 double-words.
If you are unsure of your Up pushes, you can hit B and retry. (open party, open Fly Pokémon summary, hit B,..)
Check the video related to the procedure in order to clearly see what you need to see.
- Hit B.
Use a Revive on the Pokémon with Glitch Move 0x1608.
Use Glitch Move 0x1608 to perform ACE.


FrLg (except Jap) : A check for a DMA Translation of 12 double-words is required.
- Obtain in-game traded Horsea and Seedot in Emerald.
Clone them and keep a clone in safety.
- Obtain a cloning Glitch Pokémon for your FrLg version :
- On Emerald, fly to Artisan Cave.
Save.
Reset and make a wild encounter. Catch the Smeargle you've met.
Calculate Smeargle's IVs : http://www.psypokes.com/dex/iv.php
Find the frame that generated Smeargle using RNG Reporter (Method 2, Max Results 10.000, Starting Frame 1, Seed 0)
With that generating frame, you obtain Smeargle's PID. Convert that value in decimal.
Calculate the remainder of Smeargle's PID in the euclidian division by 24.
That value must be 1,5,6,11,12,17,18 or 23. If not, reset and try again.
- Trade Horsea, Seedot, Cloning Glitch Pokémon for FrLg, Smeargle to your FrLg game.
- Using the Cloning Glitch Pokémon, make a clone of everyone and put it in safety.
Horsea, Seedot, Smeargle will be corrupted during the procedure.
- Clone Horsea once, Smeargle once, Seedot three times.
- Place a Horsea clone at Box 2 Slot 18.
Place Seedot clones at Box 2 Slots 21,24,30.
Place a Smeargle clone at Box 2 Slot 27.
- Prepare yourself for ACE.
Obtain a Pokémon with Glitch Move 0x0713. (Plusle with 7 Atk, 19 HP EVs)
Obtain the Bootstrap Pokémon from in-game traded Horsea.
Set up PC Item.
- Prepare yourself for Pomeg Glitch.
Include a Pokémon with Glitch Move 0x0713 between Fly Pokémon and 1 HP Pokémon.
( Poké - KO Fly Poké - KO Poké with Glitch Move - 1 HP Poké)
For more convenience, perform Decaswitch.
Once you are prepared, save.
- Perform Pomeg Glitch.
- After hitting B to close the summary of the Fly Pokémon (the Pokémon in the second party slot), count your Up pushes.
At each Up push, look closely at the first party slot for red highlights.
You need to see :
Up Push N°1 : NO red highlight
Up Push N°2 : Red highlight on the Quit button
Up Push N°3 : The Pokéball behind the Fly Pokémon (Pokémon in the second party slot) must not be bright and opened a bit.
That Pokéball must look like the other Pokéballs behind the Pokémon in party slot 3.
Up Push N°4 : NO Red highlight on first party slot
Up Push N°5 : Red highlight on first party slot
Up Push N°6 : NO red highlight on first party slot
Up Push N°7 : NO red highlight on first party slot
Up Push N°8 : Red highlight on first party slot
Up Push N°9 : NO red highlight on first party slot
Up Push N°10 : Red highlight on first party slot
Up Push N°11 : NO red highlight on first party slot
Up Push N°12 : NO red highlight on first party slot
Up Push N°13 : Red highlight on first party slot
Up Push N°14 : NO red highlight on first party slot
- If you saw the exact same highlights/things as described, your DMA translation if of 12 double-words.
If you are unsure of your Up pushes, you can hit B and retry. (open party, open Fly Pokémon summary, hit B,..)
Check the video related to the procedure in order to clearly see what you need to see.
- Hit B.
Use a Revive on the Pokémon with Glitch Move 0x0713.
Use Glitch Move 0x0713 to perform ACE.


5) -- Procedure :
Emerald :
- Obtain an ACE Glitch Move for your version
- Obtain a Bootstrap Pokémon for your version
- Set up Pyramid Bag Items (Glitch Items)
- Set up PC Items (Glitch Items + Duplications)
- Set up PC for Anti-DMA translation check
- Perform ACE using the Anti-DMA translation check

RS :
- Obtain an ACE Glitch Move for your version
- Obtain a Bootstrap Pokémon for your version
- Obtain Pokémon to duplicate PC Items for your version
- Obtain the Glitch Items to place in PC.
Trade everyone from Emerald to RS.
- Set up PC Items (Glitch Items + Duplications)
- Perform ACE

FrLg :
- Obtain an ACE Glitch Move for your version.
- Obtain a Bootstrap Pokémon for your version.
- Obtain the Glitch Items to place in PC.
Trade everyone from Emerald to FrLg.
- Set up PC Items (Glitch Items + Duplications)
- Perform ACE.


- EV-training data :
 - Macho Brace : Doubles the EVs won in a battle.
 - Exp.Share : The holder also receives EVs when Pokémon are KOed.
 - PokéRus : Doubles the EVs won in a battle. /!\ AVOID IT /!\ (Obtaining odd EVs with PokéRus is a problem)
  - HP : HP Up : +10 HP (Up to 100 HP) | Marill (Route 102,111) : +2 HP | Wishmur (Rusturf Tunnel) : +1 HP.
  - Attack : Protein : +10 Atk (Up to 100 Atk) | Mighthyena (Route 120,121) : +2 Atk | Poochyena (Route 101,102,120,121) : +1 Atk.
  - Defense : Iron :+10 Def (Up to 100 Def) | Graveler & Torkoal (Magma Hideout) : +2 Def | Silcoon & Cascoon (Petalburg Woods) : +2 Def | Geodude (Magma Hideout) : +1 Def. | Clamperl (Underwater) : +1 Def.
  - Speed : Carbon : +10 Spd (Up to 100 Speed) | Linoone (Route 119) : +2 Spd | Magikarp (Old Rod, Route 102) : +1 Spd | Zigzagoon (Route 103,119) : +1 Spd | Wingull (Route 103) : +1 Spd.
  - Special Attack : Calcium : +10 SpAtk (Up to 100 SpAtk) | Spinda & Slugma (Route 113) : +1 SpAtk.
  - Special Defense : Zinc : +10 SpDef (Up to 100 SpDef) | Lombre (Route 114) : +2 SpDef | Swablu & Lotad (Route 114) : +1 SpDef | Tentacool (Route 103) : +1 SpDef.

-4th Move for a Fast Double Corruption :
Emer Fr : --/Frustration | Emer Us : Flash/Return | Emer Spa : Hidden Power | Emer Ita : Nature Power/Waterfall | Emer Jp : Rock Smash/Thunder Wave/Surf | Emer Ger : Flash/Surf | Fr US,Fr,Ger,Ita,Spa : Growth | Lg US,Fr,Ger,Ita,Spa : Hidden Power | FrLg Jap : Frustration |

- Cloning Glitch Pokémon :
Emer Fr : 0x2890 (40 Atk,144 HP) | Emer Us : 0x288A (40 Atk,138 HP) | Emer Spa : 0x2890 (40 Atk,144 HP) | Emer Ita : 0x2718 (39 Atk, 24 HP) | Emer Jp : 0x2660 (38 Atk, 96 HP) | Emer Ger : 0x2891 (40 Atk,145HP) | FrLg FR : 0x320B (50 Atk,11 HP) | FrLg US : 0x3200 (50 Atk,00 HP) | FrLg Spa : 0x3210 (50 Atk,16 HP) | FrLg Ita : 0x320A (50 Atk,10 HP) | FrLg Ger : 0x320F (50 Atk, 15 HP) | FrLg Jap : 0x4F90 (79 Atk, 144 HP) |

- Instant Pomeg Glitch Pokémon :
Emer Fr: 0x29C8 (41 Atk,200 HP) | Emer US : 0x29C0 (41 Atk,192 HP) | Emer Spa : 0x948C (148 Atk,140 HP) | Emer Ger : 0x29C9 (41 Atk, 201 HP) | Emer Jp : 0x4360 (67 Atk,96 HP) | Emer Ita : 0x9481 (148 Atk,129 HP) |