Bad clone glitch

From Glitch City Wiki
PRAMA Initiative also has a page on Bad clone glitch.

The bad clone glitch is a natural glitch in Pokémon Gold, Silver and Crystal that allows the player to obtain a glitch Pokémon known as a bad clone, which in turn enables many game-breaking glitches. The bad clone glitch is named as such because its procedure is similar to the Gold/Silver/Crystal cloning glitch, the only essential difference being the reset timing; indeed, it can happen by accident when doing "normal" cloning.

Broadly speaking, the term "bad clone" includes two kinds of glitch Pokémon:

  • A "real" bad clone, which is an unstable hybrid Pokémon. Such a bad clone can be stabilized into a ?????, enabling many other glitches such as ????? party overloading or Time Capsule exploit. It also has an unterminated nickname, and thus can usually be used as a "friendly clone" if desired, although the timing window for getting a "real" bad clone is usually much tighter than that for getting a "friendly clone".
  • A "friendly clone" (a term from the speedrunning community[1]), which is normal in every aspect except for its unterminated nickname. There is no known way to exploit a "friendly clone" in Gold/Silver, mainly due to stricter error checking for nicknames in those versions. However, in Crystal, a "friendly clone" can either be exploited for 0x1500 control code arbitrary code execution, or for simple buffer overflow (which can give the player a "real" bad clone).

Generally, a "real" bad clone is more exploitable, but also much more difficult to obtain. Technically there are other possible kinds of bad clones, such as one with correct species bytes but no moves[2], although they are even more unlikely to appear. The bad clone glitch can also be used to create unstable hybrids between valid Pokémon, but such unstable hybrids are not known to be game-breaking in any way.

Obtaining a bad clone

Requirements

Not all save files can produce "useful" bad clones (unstable hybrids with ????? (hex 00) and/or unterminated name Pokémon). To produce "useful" bad clones:

  • It is ideal if the player has used the in-game clear save data feature (Select + Up + B) at least once since owning the game cartridge (otherwise, it may be unpredictable whether "useful" bad clones could be produced).
  • There must be at least one box that has never been full at any point.
  • The player should not use a save file edited by PKHeX if the goal is to create an unterminated name Pokémon.
Explanation

The bad clone glitch relies on unused data in the SRAM, namely the section of box data that corresponds to empty slots in the box (e.g. if a box currently contains 10 Pokémon, then slots 11–20 are empty).

  • Since the relevant sections of data are not initialized when creating a new save file, the contents of SRAM before creating the save file affects possible results of the bad clone glitch.
    • The in-game clear save data feature zeros out all of the SRAM data, which guarantees that "useful" bad clones can be produced.
    • If the SRAM is never initialized, then its contents are unpredictable on real hardware, and handled differently by different emulators.
  • When a Pokémon is removed from a box, all data after its slot is shifted toward the front, but the data in slot 20 is left as is (even when Pokémon 20 itself is removed, only its first species byte is overwritten by the $FF party terminator, leaving most of its data intact). Therefore, if a box has ever been full, even if it is emptied later, all data in the unused region will be copies of the last Pokémon that occupied slot 20, preventing the box from producing "useful" bad clones.
  • When a save file is edited with PKHeX, upon exporting the save, PKHeX fills all currently unused OT name and nickname data of all boxes with text terminators, making it impossible to obtain a bad clone with an unterminated name.

Procedure

More research is needed for this article.

Reason given: Verify the reset timings.


  1. Deposit at least one Pokémon in a box.
    • To obtain a "useful" bad clone, the box must never have been full, and the number of Pokémon in the box after depositing must be larger than the number of Pokémon in the box in the current save file. (If either condition is not satisfied, then the glitch will only produce unstable hybrids between valid Pokémon.)
    • The more Pokémon there are in the box after depositing, the larger the timing window, and thus the more likely the glitch will succeed. However, to avoid completely filling the box by accident, it may be ideal to just use 15–18 Pokémon.
  2. Change boxes and reset the game at the following exact timing:
    • Shortly after the Yes/No box disappears (Gold/Silver)
    • After SAVING... DON'T TURN OFF THE POWER. is fully printed (Crystal)

If the Pokémon was not cloned, the reset was too early, and the player can deposit another Pokémon and try again. If the Pokémon was cloned successfully ("good" clone), the reset was too late, and the player should release the clone, save the game, and then deposit a Pokémon and try again.

A bad clone can be identified by the fact that it may be female with a glitched name and becomes level 1 after you withdraw it from the PC. Contrary to what some believe, if the original Pokémon was female, it is still possible for the bad clone to be female (not male), although it is a good idea to use a male Pokémon in order to more easily identify a bad clone in case there are other male Pokémon in the box.

On the Game Boy Player

Note that on the Game Boy Player (commonly used for speedruns), the reset fadeout delay applies, so the timing for pressing the reset button is different:

  • Immediately after pressing A on "Yes" (Gold/Silver)
  • After the second "F" in "SAVING ... DON'T TURN OFF THE POWER." (Crystal)

On Pokémon Stadium 2

It has been reported that Pokémon Stadium 2's Game Boy Tower can make the glitch easier if the player resets the game after the "Saving..." message appears at one of the aforementioned moments, although the details of how much easier are unclear.

On emulators

On advanced emulators that support instruction-level breakpoints (such as BGB), the player can use breakpoints to help time the reset.

One of the early reported methods that works with English Pokémon Gold and Crystal is as follows: In BGB, do the glitch with five Pokémon deposited into box 4, with a breakpoint set for de=AD6D (Gold) or de=AD11 (Crystal), and then reset the game when the breakpoint is hit.

Alternative method with different reset timing

In the above method, the player triggers a game save by changing boxes (which is necessary in the normal cloning glitch for a relatively large timing window), and then interrupts the save by resetting. In fact, for the bad clone glitch, the player can also trigger the save through the "Move Pokémon w/o mail" feature (or presumably through saving manually in the Start menu), instead of changing boxes.

An important difference is that, when using this method, the player should reset after "SAVING... DON'T TURN OFF THE POWER." is fully printed, regardless of whether the game is Gold/Silver or Crystal. The length of the timing window should remain the same as the original method in theory, although it has been reported that in specific cases (namely, German Gold on VC), this method seems to work much better than the original method (the original method seems to always fail, whereas this method seems to have a "standard" chance of success).

Properties of the bad clone

A "real" bad clone is an unstable hybrid between the cloned Pokémon and a ????? (hex 00). It is sometimes referred to as a glitched version of the original Pokémon; for example, a "glitched Sneasel".

The bad clone will usually have a nickname containing a large amount of glitch text in Pokémon Crystal. It is usually female and level 0 in the PC, but will become level 1 after you withdraw it. It usually has no moves, but sometimes may have glitched moves, and on rare occasions cannot be withdrawn from the PC [clarification needed].

In Pokémon Gold and Silver, the bad clone's name should appear blank. In Pokémon Crystal, the high amount of glitch text may be problematic and could cause a crash. This is because in Gold and Silver, null characters simply cause the function PlaceString to exit, whereas in Crystal, for some reason, PlaceString was changed so that a question mark is printed to the screen upon reading a null character and the function continues reading characters. To avoid crashing from this, you can use a Potion to open the Pokémon menu (without actually using the Potion) to put a 0x50 terminator farther into wStringBuffer1, which should make the bad clone's name safe to view in the box.
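The difference between the two PlaceString behaviours on a null byte, and why a 0x50 placed farther into the string buffer bounds the read, can be seen in a small model. The following is an added example written for this page, not the game's own PlaceString: the character map is reduced to A..Z at 0x80..0x99 (the Gen I/II layout for capital letters, everything else shown as glitch text), and the bytes that follow the nickname in the buffer and the terminator offset used for the "Potion trick" are constructed sample values.

```python
# Constructed model (not game code) of PlaceString in Gold/Silver versus Crystal.
NAME_LEN = 11
TEXT_TERMINATOR = 0x50   # end-of-string byte in the Gen II text encoding
NULL_CHAR = 0x00         # what a cleared-SRAM nickname is filled with


def decode_char(b):
    """Toy decoder: 0x80..0x99 are 'A'..'Z'; anything else is rendered as glitch text."""
    if 0x80 <= b <= 0x99:
        return chr(ord("A") + b - 0x80)
    return "#"   # stand-in for an arbitrary glitch character


def place_string(memory, start, crystal):
    """Model of PlaceString: returns (text shown, bytes consumed, stopped on a terminator).

    Gold/Silver: a null byte ends the string just like 0x50 does.
    Crystal: a null byte prints '?' and reading continues past it.
    """
    shown, pos, terminated = [], start, False
    while pos < len(memory):
        b = memory[pos]
        pos += 1
        if b == TEXT_TERMINATOR or (b == NULL_CHAR and not crystal):
            terminated = True
            break
        if b == NULL_CHAR:
            shown.append("?")
            continue
        shown.append(decode_char(b))
    return "".join(shown), pos - start, terminated


# Constructed contents of the string buffer after a bad clone's name is copied in:
# 11 null bytes for the unterminated nickname, then whatever happened to follow it.
BAD_CLONE_NAME = bytes(NAME_LEN)
TRAILING_RAM = bytes([0x8C, 0x84, 0x96, 0x11, 0x23, 0xF0]) * 4   # contains no 0x50


def show_name(crystal, terminator_offset=None):
    """Render the bad clone's name; terminator_offset models the Potion trick,
    which leaves a 0x50 some bytes past the name inside the buffer (offset is constructed)."""
    buf = bytearray(BAD_CLONE_NAME + TRAILING_RAM)
    if terminator_offset is not None:
        buf[NAME_LEN + terminator_offset] = TEXT_TERMINATOR
    text, consumed, terminated = place_string(bytes(buf), 0, crystal)
    return {"text": text, "consumed": consumed, "terminated": terminated,
            "overran_name": consumed > NAME_LEN}


if __name__ == "__main__":
    print("Gold/Silver:", show_name(crystal=False))
    print("Crystal:", show_name(crystal=True))
    print("Crystal, terminator planted:", show_name(crystal=True, terminator_offset=5))
```

In the Gold/Silver case the very first null byte stops the routine, so the name is blank and nothing past the nickname is touched. In the Crystal case without a terminator anywhere after the name the routine walks off the end of the modelled buffer (on real hardware it would keep reading whatever follows), which is the runaway the page warns about; planting a 0x50 a few bytes in bounds the read to a fixed length.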

Explanation

The bad clone glitch happens when the game is reset in the middle of saving the contents of a box. The Gen II box data structure is as follows:

   Box Pokémon count (1 byte)
   Box Pokémon 1 species (1 byte)
   Box Pokémon 2 species (1 byte)
   ...
   Box Pokémon 20 species (1 byte)
   Extra space used for end-of-box marker (1 byte)
   Box Pokémon 1 data (32 bytes)
   Box Pokémon 2 data (32 bytes)
   ...
   Box Pokémon 20 data (32 bytes)
   Box Pokémon 1 OT name (11 bytes)
   Box Pokémon 2 OT name (11 bytes)
   ...
   Box Pokémon 20 OT name (11 bytes)
   Box Pokémon 1 nickname (11 bytes)
   Box Pokémon 2 nickname (11 bytes)
   ...
   Box Pokémon 20 nickname (11 bytes)
   Unused (2 bytes)

Of course, the species list is usually redundant, since the species information is also stored in the 32-byte Box Pokémon data struct (one exception is an Egg: the species list holds EGG (hex FD) while the data struct holds the real species). The same redundancy exists in the party data structure. A hybrid Pokémon results when those two species bytes disagree with each other.

In the simplest form of the bad clone glitch, one more Pokémon (say, Pokémon 18) is added to the box, and then the saving of the box is interrupted by a hard reset. If the reset happens after the box count and the species byte of that Pokémon are written, but before the main data of that Pokémon is written (for example, right in the middle of "Box Pokémon 15 data"), then the PC will recognize the existence of an 18th Pokémon and know its species, but its main data, OT name, and nickname will remain uninitialized. (In this case, no other Pokémon's data is corrupted, not even Pokémon 15 — the game is interrupted while overwriting "Box Pokémon 15 data" with exactly the same data.)

Uninitialized SRAM data on a real cartridge can be non-deterministic, and emulators also behave differently in this regard. However, one way to be sure of the data is to clear the save data (by Select + Up + B on the title screen) before playing the game, which fills the entire SRAM with 00. If we do this, then that uninitialized data is guaranteed to be 00 — even if we put Pokémon in the box and then withdraw them, the 00 sections below them will "shift up" — with the exception that if a box has ever been completely full, then when withdrawing from it, the last Pokémon's data will "shift up" instead of the 00 sections. This is why such boxes are unsuitable for getting bad clones (although they may be useful for getting other hybrids).

In this case, then, all of the Pokémon's main data, including the second species byte, will be 00. Such a Pokémon exhibits all the properties of a typical bad clone: female, level 0, stabilizes into a ????? (hex 00), etc.
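Both mechanisms in this explanation, the save cut short part-way through the box image and the slot-shifting rule from the Requirements section that decides whether the unused slots still hold 00, can be simulated directly. The following is an added example written for this page, not code from the game or the wiki: it lays a box out in the order listed above, writes only a prefix of the new image over the old SRAM to model the reset, and re-reads the box as the PC would. It assumes the 32-byte data struct repeats the species at offset 0, uses filler bytes in place of real stats, and takes 0xD7 as Sneasel's Gen II index number.

```python
# Constructed model (not game code) of the box layout and save order listed above.
# Assumption: the 32-byte data struct carries its own species byte at offset 0.
BOX_SIZE, DATA_LEN, NAME_LEN = 20, 32, 11
LIST_TERMINATOR = 0xFF   # the $FF marker written after the last species
TEXT_TERMINATOR = 0x50   # the 0x50 text terminator
GLITCH_SPECIES = 0x00    # "?????" (hex 00)
# Byte offset of each region of one serialized box, in the order the game writes them
OFF_COUNT = 0
OFF_SPECIES = 1
OFF_DATA = OFF_SPECIES + BOX_SIZE + 1
OFF_OT = OFF_DATA + BOX_SIZE * DATA_LEN
OFF_NICK = OFF_OT + BOX_SIZE * NAME_LEN
BOX_BYTES = OFF_NICK + BOX_SIZE * NAME_LEN + 2   # 1104, including the 2 unused bytes


class Box:
    """Working copy of one box with the slot-shifting behaviour described above."""

    def __init__(self):                 # a fresh box on cleared SRAM: everything is 00
        self.count = 0
        self.species = [LIST_TERMINATOR] + [0x00] * BOX_SIZE
        self.data = [bytes(DATA_LEN)] * BOX_SIZE
        self.ot = [bytes(NAME_LEN)] * BOX_SIZE
        self.nick = [bytes(NAME_LEN)] * BOX_SIZE

    def deposit(self, species_id, ot, nick):
        """Append a Pokémon to the box (filler bytes stand in for its stats)."""
        i = self.count
        self.species[i], self.species[i + 1] = species_id, LIST_TERMINATOR
        self.data[i] = bytes([species_id]) + b"\x42" * (DATA_LEN - 1)
        self.ot[i] = ot.encode("ascii").ljust(NAME_LEN, b"\x50")
        self.nick[i] = nick.encode("ascii").ljust(NAME_LEN, b"\x50")
        self.count += 1

    def remove(self, i):
        """Shift later slots to the front; slot 20 is copied forward, never cleared."""
        for j in range(i, BOX_SIZE - 1):
            for region in (self.data, self.ot, self.nick):
                region[j] = region[j + 1]
        del self.species[i]
        self.species.append(0x00)
        self.count -= 1
        self.species[self.count] = LIST_TERMINATOR

    def serialize(self):
        """Lay the box out in SRAM order: count, species list, data, OT names, nicknames."""
        out = bytearray(BOX_BYTES)
        out[OFF_COUNT] = self.count
        out[OFF_SPECIES:OFF_DATA] = bytes(self.species)
        regions = ((OFF_DATA, DATA_LEN, self.data), (OFF_OT, NAME_LEN, self.ot),
                   (OFF_NICK, NAME_LEN, self.nick))
        for i in range(BOX_SIZE):
            for off, size, region in regions:
                out[off + i * size:off + (i + 1) * size] = region[i]
        return bytes(out)


def interrupted_save(sram, image, bytes_written):
    """A reset mid-save: only the first bytes_written bytes of the new image reach SRAM."""
    return image[:bytes_written] + sram[bytes_written:]


def read_box(sram):
    """Decode the occupied slots the way the PC sees them after the reset."""
    slots = []
    for i in range(sram[OFF_COUNT]):
        list_species = sram[OFF_SPECIES + i]
        struct_species = sram[OFF_DATA + i * DATA_LEN]
        nick = sram[OFF_NICK + i * NAME_LEN:OFF_NICK + (i + 1) * NAME_LEN]
        slots.append({
            "list_species": list_species,
            "struct_species": struct_species,
            "hybrid": list_species != struct_species,
            "real_bad_clone": struct_species == GLITCH_SPECIES and list_species != GLITCH_SPECIES,
            "nick_terminated": TEXT_TERMINATOR in nick,
        })
    return slots


SNEASEL = 0xD7   # Gen II index number of Sneasel, the page's example species


def bad_clone_scenario():
    """Never-full box on cleared SRAM: the 18th slot becomes a 'real' bad clone."""
    box = Box()
    for n in range(17):
        box.deposit(SNEASEL, "GOLD", "SNEASEL%02d" % n)
    sram = box.serialize()               # a complete, uninterrupted save
    box.deposit(SNEASEL, "GOLD", "SNEASEL17")
    cut = OFF_DATA + 14 * DATA_LEN + 16  # reset half-way through "Box Pokémon 15 data"
    return read_box(interrupted_save(sram, box.serialize(), cut))


def once_full_box_scenario():
    """A box that was once full: leftover slot-20 copies mean no 00 data is left."""
    box = Box()
    for n in range(BOX_SIZE):
        box.deposit(0x10 + n, "GOLD", "MON%02d" % n)
    for _ in range(BOX_SIZE):
        box.remove(0)                    # empty it again; slot 20 is never cleared
    sram = box.serialize()
    box.deposit(SNEASEL, "GOLD", "SNEASEL")
    return read_box(interrupted_save(sram, box.serialize(), OFF_DATA))
```

In the first scenario the box count and species list have been written when the reset lands, so slot 18 reads as a Sneasel whose data struct, OT name and nickname are still the cleared 00 bytes: species list and struct disagree, the struct species is ????? (hex 00) and the nickname has no 0x50 anywhere, exactly the "real" bad clone described above, while slots 1 to 17 are untouched. In the second scenario the same cut on a box that was once full yields a hybrid whose struct species is the old slot-20 Pokémon rather than 00, with a properly terminated name, which is why such boxes only give unstable hybrids between valid Pokémon.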

Exploits

A "real" bad clone can be taken into the Day Care and out to become a ????? (hex 00). Using the ????? party overloading trick will allow the player to perform various glitches, including:

Unterminated name exploits

Main article: Unterminated name Pokémon (Generation II)

Bad clones with unterminated names can also be used for various other exploits, notably 0x1500 control code arbitrary code execution.

References