Pokémon Red and Blue

From Glitch City Wiki
Bulbapedia also has an article about Pokémon Red and Blue.

Pokémon Red and Blue is the first Pokémon game released outside Japan. The two versions are paired and mainly differ in the wild Pokémon available and the Game Corner prizes. They use the game engine of Japanese Pokémon Blue, but the aforementioned version differences are carried over from Japanese Pokémon Red and Green.

As the first Generation I game, the pair is known as one of the most glitchy Pokémon games. Even though some glitches (notably the Select glitch) are fixed compared to Japanese Pokémon Blue, the game is still easily breakable thanks to the multiple variants of the trainer escape glitch, a save corruption glitch that can give the player an expanded party with 255 Pokémon, as well as several other major glitches. In addition, the localization also introduced some new glitches, notably the old man glitch, which is nearly as game-breaking as the trainer escape glitch: Both glitches allow the player to encounter a glitch Pokémon with Pokédex number 0 (MissingNo. or 'M (00)), and perform a series of derivative glitches, ending up with an expanded item pack.

Arbitrary code execution (ACE) is relatively easy in Pokémon Red and Blue, with glitch items such as -gm and 8F being the most popular ACE mechanism.

Game-breaking glitches

The fastest way to break Pokémon Red and Blue is with save corruption, which can be performed as soon as the player gains control of the main character. Successfully performing save corruption will usually give the player an expanded party with 255 Pokémon, which can be exploited by switching Pokémon beyond the 6th, something similar to what the Select glitch allows the player to do in Japanese games (although the details are fairly different because of the difference in Pokémon data structures). However, this approach also has a few disadvantages: The timing for performing the save corruption is very tight, and switching Pokémon around is a complicated process involving several memory regions, which means that it is difficult to design "clean" ways to exploit the expanded party.

For players who do not want to perform save corruption, the earliest major glitch that can be performed is the death-warp method of the trainer escape glitch, because the player can death-warp in front of the last trainer in Viridian Forest. Unfortunately, this early in the game the player cannot fight an enemy with a Special stat high enough to correspond to MissingNo. (or any other glitch Pokémon), so the best the player can do with the Special stat encounter is to exploit level underflow for an early level 100 Pokémon. However, there exists a speedrun route that instead exploits the meta-map script activation aspect of the trainer escape glitch for a very specific ACE involving the player's name and Trainer ID (which can be manipulated), as well as the in-game timer (where the runner has to hope for "safe" values). The aforementioned strict requirements again mean that this approach is not suitable for casual players, even though the ACE itself could be adapted for purposes other than warping directly to the credits.

The most common gateway to breaking the game is therefore MissingNo. or 'M (00). MissingNo. can be encountered with the trainer escape glitch (once the player has access to enemies with higher Special stats), and either or both of them can be encountered with the old man glitch depending on the player's name. Notably, at least one of them can always be encountered regardless of the name: if the player entered a non-default name then 'M (00) is always available, while all three default names on either version make at least one MissingNo. available. Both of those glitch Pokémon duplicate the player's 6th item, allowing the player to perform the dry underflow glitch (the other method of item underflow is also possible, but almost always less convenient) to obtain an expanded item pack. The expanded item pack allows the player to modify a wide range of memory addresses, as well as to acquire various glitch items, up to and including ACE items.

Brock through walls is also a major memory corruption glitch that can be performed early. However, since the range of memory corrupted consists mostly of temporary variables, the best known utility of it is, as its name suggests, walking through walls. It is commonly used to skip to a late-game area where the player can perform the aforementioned trainer escape glitch or old man glitch to encounter MissingNo. or 'M (00).

Glitch Pokémon

Main article: GlitchDex#Pokémon Red and Blue English GlitchDex

In Generation I games, there are 151 valid Pokémon species, while the species ID of a Pokémon is a byte that can take any of 256 values. Therefore, there are 105 possible species of glitch Pokémon. Furthermore, the internal IDs of valid Pokémon species are not contiguous: they range from 1 (Rhydon) to 190 (Victreebel), skipping over 39 invalid values in this range. In the various data lists indexed by internal ID, those 39 invalid IDs share the same placeholder data, including the name "MissingNo." (meaning "missing number"; this was translated from the Japanese string "けつばん", which means the same). Three of those IDs actually have a valid front sprite, that of the Kabutops fossil (ID 182), the Aerodactyl fossil (ID 183) or the Pokémon Tower ghost (ID 184), and they behave a little differently from the other IDs. Otherwise, MissingNo. with different IDs behave largely the same, so all IDs of MissingNo. are commonly regarded as the same species.

The other 66 invalid IDs (0 and 191–255) are out of range for every data list indexed by internal ID, so they take their data from unrelated memory regions and differ much more from each other. However, for each of those glitch Pokémon species, one value that is particularly important is the Pokédex number. Valid Pokémon have Pokédex numbers ranging from 1 to 151, and MissingNo. has Pokédex number 0, but glitch Pokémon other than MissingNo. can have Pokédex numbers in either or neither of those ranges. Pokémon species sharing the same Pokédex number also share certain traits, and are known as a glitch Pokémon family.

Obtaining

Glitch Pokémon with an internal ID less than or equal to 199 can be encountered and caught with the trainer escape glitch or the old man glitch. (Glitch Pokémon with an internal ID greater than 199 cannot be directly encountered with those glitches, because the game will interpret the encounter as a trainer battle instead.) The old man glitch is further limited by the characters available for naming the player character, and usually needs planning ahead if the player wants a specific glitch Pokémon. Meanwhile, the trainer escape glitch has the limitation of not being able to trigger an encounter with a Pokémon with internal ID 0, so 'M (00) cannot be obtained this way; but otherwise, the Ditto trick can help the player to set up an encounter with any Pokémon with an internal ID in the range 1 to 199.

In cases where the above two methods are impossible or inconvenient for any reason, other methods may exist, such as evolving another glitch Pokémon, an equivalent trade from Pokémon Yellow if the glitch Pokémon with the same ID happens to be easier to obtain there, the Time Capsule exploit, or in-battle corruption techniques like the LOL glitch. In any case, arbitrary code execution always exists as a relatively easy way to obtain an arbitrary glitch Pokémon.

Glitch items

Main article: ItemDex#English versions

Similar to Pokémon species, in Generation I games the ID of an item can take any of its 256 values, while valid item IDs range either from 1 (Master Ball) to 83 (Max Elixer), or from 196 (HM01) to 250 (TM50). Furthermore, some IDs in the "valid" range do not correspond to items intended to appear in the game. However, most of them have distinct names and/or effects, and some of them are designed to play a role in gameplay:

  • ????? (ID 7) is usually known as the "Surfboard", because it acts identically to the move Surf outside of battle. In fact, the field move Surf internally "uses" this item (i.e. calls the "item use" subroutine with this item's ID), just like the field move Dig does with Escape Rope.
  • Safari Ball (ID 8) exists as an item, even though it is never supposed to appear in the player's inventory. Again, throwing a ball in a Safari Zone battle actually "uses" this item.
  • Pokédex (ID 9) exists as an item, even though it is never supposed to appear in the player's inventory. It is functional, but not actually "used" when the player accesses the Pokédex from the Start menu.
  • Items with ID 21–28 have the names of the Gym Badges, from "BoulderBadge" to "EarthBadge". Those names are used to display a list of all badges when the player talks to Cerulean City's badge describer.
    • Furthermore, the first two of those, BoulderBadge and CascadeBadge, are also "used" in a Safari Zone battle when throwing some bait or throwing a rock, respectively. Those glitch items are also functional in normal wild battles.
    • The rest of those items are designed to be unusable anywhere, just like some valid items that are supposed to be checked rather than used directly from the menu (e.g. the Helix Fossil), or that exist only to be sold (e.g. the Nugget).
  • ????? (ID 44) is an unusable glitch item.
  • PP Up (ID 50) is an unusable glitch item; the actual PP Up has ID 79.
  • Coin (ID 59) is an unusable glitch item.

In addition, all items with IDs greater than or equal to 196 are considered HMs or TMs, and are handled in a special way. This means that the items with ID 251–255 are named TM51–TM55, and act as TMs. They actually teach exactly the same moves as HM01–HM05, to exactly the same Pokémon, because even though the valid HM items have IDs before the TM items, for all other purposes the HM moves come after the TM moves in the game's internal data. However, since TM51–TM55 are considered TMs rather than HMs, they are not key items (i.e. their quantities are displayed in the inventory, and they can be tossed or sold), and they are consumed when used. (TM55 has some further quirks because it has ID 255, which is also used as the terminator of item lists. Most notably, its name is rendered as "Cancel" in the inventory, and while on screen it hides the items below it, although it can still be used, tossed, or sold, because in those cases the game uses the item count byte rather than the ID to determine whether the player chose the Cancel button.)

Apart from the above glitch items, other glitch items have IDs outside of the valid range, i.e. either 0 or 84–195. They take data from mostly unrelated memory regions, as detailed below.

Names

The names of all valid items, except for TMs and HMs, are stored in a list separated by the 0x50 string terminator. In order to get the name of an item, the game scans through the list, keeping track of the entry index in an 8-bit register (which increases by 1 whenever a 0x50 byte is encountered), and stops when the entry index equals the item ID. For the glitch item with ID 0, since there is no entry with index 0, the game has to keep scanning until the entry index overflows and wraps around to 0, which happens on the 256th entry.

Immediately after the names of the valid items are the names of some floors: "B2F", "B1F", "1F" to "11F", and finally "B4F". This is by design: When the player takes an elevator in the Celadon Department Store, the Rocket Hideout, or Silph Co., the game gets the names for elevator destinations in the same way it gets names for items. Despite the valid names, those glitch items have various glitchy effects (see below), and the famous ACE item 8F also belongs to this group.

After the floor names, there are some Japanese strings that are unused and left untranslated[1]. Since the English games do not contain Japanese fonts, and the encoding for Japanese characters overlaps with the encoding for the English alphabet anyway, those Japanese strings become mojibake when displayed in the English game, and the Western Pokémon glitching community usually names them after the few readable characters in the name. For example, the full name of -gm, another famous ACE item, can only be shown as an image (RBItem6A.png on the wiki). It comes from the Japanese string "ゴールドバッヂ" (GoldBadge), with "-", "g", and "m" corresponding to "ー", "ル", and "ッ" respectively.

The final untranslated Japanese string, "エクセレント" (Excellent), is also not terminated with a 0x50 byte, and what follows is some unrelated assembly code[2], where a 0x50 byte is relatively unlikely to appear. This gives rise to the first unterminated name glitch item, ItemDex/RB:116 (an unterminated name actually only requires that no 0x50 terminator appears in the first 20 bytes of the name, because the game copies a fixed 20 bytes when it looks a name up). Since merely viewing an unterminated name can cause memory corruption that may lead to game freezes, etc., it is hard to make use of an unterminated name glitch item for purposes other than exploiting exactly this corruption.

It turns out that, even though 0x50 bytes are relatively uncommon, there are enough of them that even the 256th entry of the list, the name of j. (ID 0), falls inside bank 1 of the ROM, mostly thanks to the 0x50 terminators of strings and text scripts scattered throughout the ROM. (Ending with an intended 0x50 terminator does not necessarily mean a name is short or legible: the intended string also needs to be preceded by a 0x50 byte, usually because there is another intended string before it. In addition, many 0x50-terminated sequences are text scripts, which usually store a pointer to text stored in another bank of the ROM, and are illegible when printed as a string.)
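The lookup described above, as an added example that is not part of the wiki article: a Python emulation of the terminator-counting scan with an 8-bit entry counter, run over a constructed name list laid out in the order the article gives (83 valid item names, then the floor names B2F, B1F, 1F to 11F and B4F, then filler up to a 256th entry). Only the floor names and the first three item names are real; everything else is placeholder data, and the character encoding is a small assumed subset of the Generation I text encoding (uppercase letters at 0x80, lowercase at 0xA0, digits at 0xF6, space at 0x7F). Entry 98 is deliberately a 30-letter string, which is terminated, but not within the 20 bytes the game copies.

```python
# Added example: emulating Pokémon Red/Blue item name lookup.
# Not code from the game or the wiki; the name list below is constructed.

TERMINATOR = 0x50   # end-of-string byte in the Generation I text encoding
NAME_BUFFER = 20    # number of bytes the game copies for a looked-up name

# Assumed subset of the Generation I character encoding; 0x50 is never a letter,
# so it can only ever mean "end of string" here.
_CHARMAP = {}
for _i, _ch in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    _CHARMAP[_ch] = 0x80 + _i
for _i, _ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _CHARMAP[_ch] = 0xA0 + _i
for _i, _ch in enumerate("0123456789"):
    _CHARMAP[_ch] = 0xF6 + _i
_CHARMAP[" "] = 0x7F
_REVERSE = {v: k for k, v in _CHARMAP.items()}


def encode(text):
    return bytes(_CHARMAP[c] for c in text)


def decode(data):
    return "".join(_REVERSE.get(b, "?") for b in data)


def build_name_list(names):
    """Concatenate names, each followed by a 0x50 terminator, as the ROM does."""
    return b"".join(encode(n) + bytes([TERMINATOR]) for n in names)


def lookup_name(rom, item_id):
    """Emulate the game's name lookup.

    Walk forward from the start of the list; every 0x50 byte bumps an 8-bit
    entry counter, and the scan stops as soon as the counter equals item_id.
    ID 0 therefore only matches after the counter wraps on the 256th entry.
    Returns (displayed_text, terminated); terminated is False when no 0x50
    appears inside the 20-byte copy buffer, the "unterminated name" case.
    """
    count = 0
    pos = 0
    while True:
        start = pos
        while rom[pos] != TERMINATOR:   # the real code has no bounds check;
            pos += 1                    # here an IndexError means "ran off the ROM"
        pos += 1
        count = (count + 1) & 0xFF      # 8-bit register: 255 + 1 wraps to 0
        if count == item_id:
            break
    buf = rom[start:start + NAME_BUFFER]          # fixed-size copy, as the game does
    if TERMINATOR in buf:
        return decode(buf[:buf.index(TERMINATOR)]), True
    # No terminator in the buffer: the text printer would keep reading past it.
    return decode(buf), False


def sample_rom():
    """Constructed 256-entry name list in the order the article describes."""
    names = ["MASTER BALL", "ULTRA BALL", "GREAT BALL"]
    names += ["ITEM%d" % i for i in range(4, 84)]                 # placeholders, IDs 4..83
    names += ["B2F", "B1F"] + ["%dF" % i for i in range(1, 12)] + ["B4F"]  # IDs 84..97
    names += ["ENTRY%d" % i for i in range(98, 256)]               # placeholders, IDs 98..255
    names[97] = "A" * 30          # ID 98: terminated, but not within 20 bytes
    names.append("LAST")          # 256th entry, reached only by ID 0
    return build_name_list(names)


if __name__ == "__main__":
    rom = sample_rom()
    for item_id in (1, 84, 93, 98, 0):
        print(item_id, lookup_name(rom, item_id))
```

With the floor names starting right after the 83 valid items, ID 93 resolves to "8F" in this layout; ID 0 only resolves after the counter has wrapped through all 256 entries, and ID 98 comes back flagged as unterminated even though a 0x50 does follow it eventually.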

Effects

With the exception of TMs and HMs, when an item is used from the menu, the game finds the effect pointer of that item and jumps there. Each effect pointer is 2 bytes long, and they are stored in a contiguous table[3]. Some valid items, such as all kinds of balls, share the same effect pointer, and the code there determines exactly which one of them is being used by checking the item ID, which is stored at $CF91.

When finding the address of the effect pointer, the game first computes (item ID - 1) * 2 as the byte offset into the table, in an 8-bit register, and assumes that this calculation neither underflows nor overflows the byte. This assumption is sound for valid non-TM, non-HM items, but not for glitch items with ID 0 or 129–195. The effect is that the item ID is "wrapped" into the 1–128 range by adding or subtracting 128, for the purpose of finding the effect pointer only. As a result, the glitch items with ID 129–195 have the same effect pointers, and thus similar effects, as the corresponding items with ID 1–67 (and ID 0 behaves like ID 128). The effects may not be completely the same, because the effect code may check the exact item ID, or the Rival's effect (see below) may happen.

As for glitch items with ID 84–128, their effect pointers are actually the code of the function ItemUseBall[4], split into 2-byte words and interpreted as pointers. Some of those 2-byte words are genuine pointers: they are the operand of a 3-byte instruction, such as ld a, [$xxyy], ld hl, $xxyy, or jp z, $xxyy. This is why the aforementioned 8F and -gm always jump to the party count and the Safari Ball count respectively, even on the various European versions of the game where the RAM layout is slightly different, and why ws m in Red and Blue always prints the "box is full" message.

Other glitch items' effect pointers consist of two bytes that usually have different meanings in assembly. For example, the effect pointer of 4F is $FA65, which comes from the two assembly instructions jp nz, $658B and ld a, [$D05A], encoded as the byte sequence "C2 8B 65 FA 5A D0", with the middle two bytes decoded as a little-endian 2-byte pointer. This address happens to be in Echo RAM, and "echoes" the WRAM address $DA65, leading to another relatively popular ACE exploit.
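The three mechanisms just described, as an added example that is not part of the wiki article or the game's code: the 8-bit (ID - 1) * 2 offset and the wrap it causes, the reinterpretation of code bytes past the table as pointers (distinguishing pairs that are genuine instruction operands, as with 8F and -gm, from pairs that straddle two instructions, as with 4F), and the Echo RAM to WRAM mapping. The table contents are placeholders, and the code following it is a constructed snippet: its first six bytes are the ones quoted above, the rest is filler, and $D163 (party count) and $DA47 (Safari Ball count) are assumed Red/Blue addresses. Because the real ItemUseBall has more instructions before the quoted pair, the ID that maps to $FA65 here (85) is not 4F's real ID.

```python
# Added example: how Red/Blue resolves an item ID to an effect pointer.
# Not code from the game or the wiki; the ROM image below is constructed.
import struct

TABLE_ENTRIES = 83   # one 2-byte effect pointer per valid non-TM/HM item, IDs 1..83

# Byte lengths of the handful of Game Boy CPU opcodes the snippet below uses:
# FA = ld a,[nn]; 21 = ld hl,nn; C2 = jp nz,nn; 3D = dec a; 28 = jr z,e; FE = cp n.
_OPCODE_LEN = {0xFA: 3, 0x21: 3, 0xC2: 3, 0x3D: 1, 0x28: 2, 0xFE: 2}


def effect_table_offset(item_id):
    """(item ID - 1) * 2, computed in one byte exactly as the game does."""
    return ((item_id - 1) * 2) & 0xFF


def effect_pointer(rom, item_id):
    """Little-endian 2-byte pointer found at the wrapped offset."""
    return struct.unpack_from("<H", rom, effect_table_offset(item_id))[0]


def echo_to_wram(addr):
    """Echo RAM ($E000-$FDFF) mirrors WRAM ($C000-$DDFF)."""
    return addr - 0x2000 if 0xE000 <= addr <= 0xFDFF else addr


def operand_offsets(code):
    """Walk the code linearly and map the offset of every 16-bit operand of a
    3-byte instruction to its value: these pairs are genuine addresses."""
    found, pc = {}, 0
    while pc < len(code):
        length = _OPCODE_LEN[code[pc]]     # KeyError: opcode outside the toy decoder
        if length == 3:
            found[pc + 1] = struct.unpack_from("<H", code, pc + 1)[0]
        pc += length
    return found


def sample_rom():
    """Constructed layout: 83 placeholder pointers (the four balls sharing one,
    as the real game does) immediately followed by code bytes."""
    table = [0x5000] * 4 + [0x5100 + 0x10 * i for i in range(TABLE_ENTRIES - 4)]
    code = bytes([
        0xC2, 0x8B, 0x65,   # jp nz, $658B   (quoted on this page)
        0xFA, 0x5A, 0xD0,   # ld a, [$D05A]  (quoted on this page)
        0x3D,               # dec a          (filler)
        0x28, 0x02,         # jr z, +2       (filler)
        0xFA, 0x63, 0xD1,   # ld a, [$D163]  (assumed: party count)
        0xFE, 0x06,         # cp 6           (filler)
        0x3D,               # dec a          (filler)
        0x21, 0x47, 0xDA,   # ld hl, $DA47   (assumed: Safari Ball count)
    ])
    return b"".join(struct.pack("<H", p) for p in table) + code


def classify_glitch_pointers(rom):
    """For each ID whose pointer lies past the table, return
    {item_id: (pointer, is_genuine_operand)}."""
    code_start = TABLE_ENTRIES * 2
    operands = operand_offsets(rom[code_start:])
    result = {}
    for item_id in range(TABLE_ENTRIES + 1, 129):
        off = effect_table_offset(item_id)
        if off + 2 > len(rom):
            break
        result[item_id] = (effect_pointer(rom, item_id), (off - code_start) in operands)
    return result


if __name__ == "__main__":
    rom = sample_rom()
    print("ID 129 -> ID 1:", effect_pointer(rom, 129) == effect_pointer(rom, 1))
    for item_id, (ptr, genuine) in classify_glitch_pointers(rom).items():
        print(item_id, "$%04X" % ptr, "operand" if genuine else "straddles",
              "-> WRAM $%04X" % echo_to_wram(ptr) if echo_to_wram(ptr) != ptr else "")
```

Pairs flagged as operands stay valid wherever the surrounding code is relocated or the RAM map shifts slightly, which is the stability the article attributes to 8F, -gm and ws m; the pair at ID 85 decodes to $FA65, an Echo RAM address that the mapping function folds back to $DA65.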

Rival's effect

Main article: Rival's effect

There is a hardcoded list of non-TM, non-HM items that may open the party menu when used, such as potions, evolutionary stones, etc. When an item in this list is used from the Start menu, after the party menu is closed, some code is executed to properly reload the overworld sprites.

Certain glitch items will also open the party menu when used, usually because they share the effect pointer of one of the above items (since the item IDs differ by 128). However, since they are not in the hardcoded list, the overworld sprites are not properly reloaded when the party menu is closed. This glitched game state can be exploited, giving the player a limited ability to walk through walls.

Obtaining

In most cases, glitch items are obtained from the expanded item pack. Putting the game into certain states will cause certain items to appear in the expanded item pack, which can either be used from there or switched into valid item slots to preserve them, although care must be taken because modifying the expanded item pack also changes the game state. The Celadon looping map trick can help the player obtain any item, except Cancel/TM55, as long as the player knows its internal ID. Alternatively, in both Red and Blue, it is possible to find all glitch items in the game as roaming items, although it is not a trivial task to find out which map has a specific roaming item.

Other methods to obtain glitch items include item mutation through certain glitch Pokédex flags, as well as arbitrary code execution, which, once set up, may again be the most convenient method to manipulate the player's inventory, including item types and item quantities.

References