Pokémon Gold and Silver
|Bulbapedia also has an article about Pokémon Gold and Silver.|
Pokémon Gold and Silver is the first Generation II Pokémon game. The two versions are paired and mainly differ in the wild Pokémon available. Compared to Generation I games, Pokémon Gold and Silver has not only introduced new Pokémon, moves, items, etc., but also had the game engine almost entirely revamped, with many gameplay differences.
Pokémon Gold and Silver has a large number of glitches, both in the battle engine and in the overworld. However, the vast majority of those are minor glitches with little to no lasting effects or exploit potential, such as various catch rate glitches. One of the few exploitable major glitches is Pokémon cloning, which is a relatively easy-to-perform save corruption glitch that allows the player to duplicate Pokémon (and thus held items too). It also has a variant, the bad clone glitch, which is significantly harder to perform (due to a very tight frame window), but also game-breaking and thus more powerful, allowing the player to obtain the glitch Pokémon ????? and use it to manipulate party and box data for various exploits, most famously the Celebi Egg trick.
Another glitch that turns out to be highly exploitable is the Coin Case glitch. Although a significant amount of setup is needed for it to do anything nontrivial, the payoff is the most powerful kind of exploit possible, arbitrary code execution (ACE). Another popular ACE mechanism in Gold and Silver is wrong pocket TMs and HMs, but they are relatively difficult to obtain: Even though they can be obtained using the bad clone, due to the difficulty of getting the bad clone, many players would rather first set up Coin Case ACE, and get wrong pocket TMs and HMs that way instead.
For most players looking to break the game in Pokémon Gold and Silver, the Coin Case glitch is the go-to technique, as it does not require any precise input (on the controller or the power button), and directly leads to arbitrary code execution. However, the bootstrap is a bit involved:
- The direct jump destination of the Coin Case glitch is $E112 (Echo RAM address, equivalent to $C112), which points to some variables used by the audio engine, more specifically by audio channel 6. The values at $C112 can be controlled by listening to Pokémon cries, and by listening to the cry of Bellsprout or Machop (among other options), the game eventually jumps to $EB12.
- $EB12 (equivalent to $CB12) slides to some overworld data that can be manipulated in some complicated but consistent way. Known manipulation methods jump to either $FA98 or $FA99.
- $FA98–$FA99 (equivalent to $DA98–$DA99) falls in the main data of party Pokémon 3, more specifically the second byte of its Attack stat experience and the first byte of its Defense stat experience, respectively. As data in this memory region is mostly difficult to see and awkward to manipulate, the most popular approach is to use a "slide Pokémon" as party Pokémon 3, making the game run mostly inconsequential instructions before naturally reaching the main data of party Pokémon 4.
- Party Pokémon 4 is usually a Quagsire, since its species ID (195 = 0xC3) corresponds to the "jp $xxyy" instruction. The jump destination is controlled by the held item and first move of the Quagsire, and there are multiple possible destinations suitable for writing an ACE payload.
To simplify the bootstrap, many players would use this initial Coin Case ACE to prepare another more convenient and more robust ACE setup involving a wrong pocket TM or HM.
An alternative starting point for breaking the game is the bad clone glitch. If performed successfully, the bad clone glitch will give the player a Pokémon with all of its main data, importantly the second species byte, being 0x00. This "bad clone" can be easily stabilized into a ????? (0x00). The game engine, especially the Pokémon storage system, is not designed to be robust against the invalid species IDs 0x00 or 0xFF, and breaks down rather easily. In particular, ????? party overloading can allow the player to add a seventh Pokémon into the party, which in turn allows removing the 0xFF party list terminator. Without the party terminator, removing Pokémon from the party or inserting (with "move PkMn w/o mail") Pokémon into the party will corrupt the player's entire party data, and potentially beyond, by shifting everything up or down a byte until a 0xFF byte is found. With carefully designed exploit procedures such as the Celebi Egg trick, the player can basically create any Pokémon, item, etc. with this techniques.
With the above techniques, the player can even create Key items as held items, which enables the duplicate Key items glitch, allowing the player to access an expanded Balls pocket and set up wrong pocket TM/HM ACE. However, the biggest problem with this route of breaking the game is the bad clone glitch itself, which is dependent on sub-frame timing and also possibly missable (needs a box that has never been full, and also depends on SRAM data that is not necessarily initialized unless the player clears the save data beforehand). An alternative method to obtain a "bad clone", and thus follow the same route without executing the actual bad clone glitch, is the Hall of Fame SRAM glitch, but that glitch can hardly be considered practical in any scenario: It involves entering the Hall of Fame without a save file, meaning that it does not work with any existing save file, and is too much work for breaking a brand-new save file, especially since the Coin Case route is always available.
There is a save corruption technique even harder than the bad clone glitch, checksum collision. Due to its dependence on both subframe-level timing and minor details of the save file, this technique is considered speedrun-only, and in fact it was thought to be TAS-only until the speedrunning circle came up with a route with some leeway (namely, 1/3 of a frame).
- Documentation of bugs and glitches in Gold and Silver in the pokegold disassembly project