
Bad clone glitch: Difference between revisions

→‎Obtaining a bad clone: Added a new section about whether it is possible to create useful bad clones on a save file, and adjusted the procedure.
>Torchickens
 
(18 intermediate revisions by 5 users not shown)
Line 1:
{{Major glitches}}
{{PRAMA|bad-clone-trick}}
The '''bad clone glitch''' is a [[natural glitch]] in {{GSC}} that allows the player to obtain a [[glitch Pokémon]] known as a '''bad clone''', which in turn enables many game-breaking glitches. The bad clone glitch is named as such because its procedure is similar to the [[Pokémon cloning (Generation II)|Gold/Silver/Crystal cloning glitch]], the only essential difference being the reset timing; indeed, it can happen by accident when doing the "normal" cloning glitch.
 
Broadly speaking, the term "bad clone" includes two kinds of glitch Pokémon:
* A "real" bad clone, which is an [[unstable hybrid Pokémon]]. Such a bad clone can be stabilized into a [[?????]], enabling many other glitches such as [[????? party overloading]] or [[Time Capsule exploit]]. It also has an unterminated nickname, and thus can usually be used as a "friendly clone" if desired, although the timing window for getting a "real" bad clone is usually much tighter than that for getting a "friendly clone".
* A "friendly clone" (a term from the speedrunning community<ref>[https://www.speedrun.com/pkmncrystal/guide/axd5j Pokémon Crystal any% guide] by entrpntr</ref>), which is normal in every aspect except for its [[Unterminated name Pokémon (Generation II)|unterminated nickname]]. There is no known way to exploit a "friendly clone" in Gold/Silver, mainly due to stricter error checking for nicknames in those versions. However, in Crystal, a "friendly clone" can either be exploited for [[0x1500 control code arbitrary code execution]], or for simple buffer overflow (which can give the player a "real" bad clone).
 
Generally, a "real" bad clone is more exploitable, but also much more difficult to obtain. Technically there are other possible kinds of bad clones, such as one with correct species bytes but no moves<ref>[https://pokemon-speedrunning.github.io/speedrun-routes/#/gen-2/gold-silver/main-any/silver-no-collision-route/ Pokemon Silver Any% No Collision Route]</ref>, although they are even more unlikely to appear. The bad clone glitch can also be used to create unstable hybrids between valid Pokémon, but such unstable hybrids are not known to be game-breaking in any way.
 
==Obtaining a bad clone==
=== Requirements ===
Not all save files can produce "useful" bad clones (unstable hybrids with ????? (hex 00) and/or unterminated name Pokémon). To produce "useful" bad clones:
 
* It is ideal if the player has used the in-game clear save data feature (Select + Up + B) at least once since owning the game cartridge (otherwise, it may be unpredictable whether "useful" bad clones could be produced).
* There must be at least one box that has never been full at any point.
* The player should not use a save file edited by PKHex ''if the goal is to create an unterminated name Pokémon''.
 
{{Explanation|contents=
The bad clone glitch relies on unused data in the SRAM, namely the section of box data that corresponds to empty slots in the box (e.g. if a box currently contains 10 Pokémon, then slots 11–20 are empty).
* Since the relevant sections of data are not initialized when creating a new save file, the contents of SRAM ''before'' creating the save file affects possible results of the bad clone glitch.
** The in-game clear save data feature zeros out all of the SRAM data, which guarantees that "useful" bad clones can be produced.
** If the SRAM is ''never'' initialized, then its contents are unpredictable on real hardware, and handled differently by different emulators.
* When a Pokémon is removed from a box, all data after its slot are shifted to the front, but the data in slot 20 is left as is (even when Pokémon 20 itself is removed, it is just its first species byte that is overwritten by the $FF party terminator, leaving most of its data intact). Therefore, if a box ''has ever been full'', even if it is emptied later, all data in unused regions will be copies of the last Pokémon in slot 20, preventing the box from producing "useful" bad clones.
* When a save file is edited with PKHex, upon exporting the save, PKHex will fill all currently unused OT name and nickname data of all boxes with text terminators, making it impossible to obtain a bad clone with an unterminated name.
}}
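
The three requirements can be checked against a small model of one box. This is an added example, not code from the game or from PKHex: the slot layout, `NAME_LEN`, the species value `0xD7` and all function names are assumptions, and only the 20-slot capacity, the `0x50` text terminator and the `$FF` list terminator come from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAP 20        /* slots per box, as in the article */
#define NAME_LEN 11   /* assumed nickname field size */
#define TEXT_END 0x50 /* text terminator */
#define LIST_END 0xFF /* species-list terminator */
enum { NULL_SPECIES = 1, UNTERMINATED_NAME = 2 };

/* Simplified model of one box, not the real save layout. */
typedef struct { uint8_t species, name[NAME_LEN]; } Slot;
typedef struct { uint8_t count, list[CAP + 1]; Slot slot[CAP]; } Box;

/* In-game "clear save data": every byte becomes zero. */
static void clear_save(Box *b) { memset(b, 0, sizeof *b); b->list[0] = LIST_END; }

static void deposit(Box *b, uint8_t species) {
    Slot *s = &b->slot[b->count];
    s->species = species;
    memset(s->name, 0x80, 3);          /* constructed three-glyph nickname */
    s->name[3] = TEXT_END;
    b->list[b->count++] = species;
    b->list[b->count] = LIST_END;
}
/* Removal shifts every later slot forward; slot 20 keeps its old bytes. */
static void remove_at(Box *b, int i) {
    memmove(&b->slot[i], &b->slot[i + 1], (size_t)(CAP - 1 - i) * sizeof(Slot));
    memmove(&b->list[i], &b->list[i + 1], (size_t)(b->count - 1 - i));
    b->list[--b->count] = LIST_END;
}
/* Modelled editor export: unused nickname fields are filled with terminators. */
static void scrub_unused_names(Box *b) {
    for (int i = b->count; i < CAP; i++) memset(b->slot[i].name, TEXT_END, NAME_LEN);
}
/* What an interrupted save could expose from unused slot i. */
static int stale_flags(const Box *b, int i) {
    int f = b->slot[i].species == 0 ? NULL_SPECIES : 0;
    if (!memchr(b->slot[i].name, TEXT_END, NAME_LEN)) f |= UNTERMINATED_NAME;
    return f;
}
/* mode 0: cleared save; 1: box was once full; 2: editor export. */
int scenario(int mode) {
    Box b; clear_save(&b);
    for (int k = 0; k < (mode == 1 ? CAP : 10); k++) deposit(&b, 0xD7);
    while (b.count > 10) remove_at(&b, 0);
    if (mode == 2) scrub_unused_names(&b);
    return stale_flags(&b, 10);
}
int main(void) {
    for (int m = 0; m < 3; m++) printf("mode %d -> flags %d\n", m, scenario(m));
}
```

Only mode 0 leaves both a null species byte and an unterminated nickname in the first unused slot; mode 1 leaves a copy of a valid Pokémon there, and mode 2 keeps the null species but terminates the name.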
 
=== Procedure ===
{{researchneeded|Verify the reset timings.}}
{{clr}}
In order to get a bad clone you should deposit more Pokémon than you have ever deposited in a box (and at least 5 or so), then change boxes and reset the game at the following exact timing:
* Shortly after the Yes/No box disappears (Gold/Silver)
* After SAVING... DON'T TURN OFF THE POWER. is fully printed (Crystal)

# Deposit at least one Pokémon in a box.
#* To obtain a "useful" bad clone, the box must never have been full, and the number of Pokémon in the box after depositing must be larger than the number of Pokémon in the box in the current save file. (If either condition is not satisfied, then the glitch will only produce unstable hybrids between valid Pokémon.)
#* The more Pokémon there are in the box after depositing, the larger the timing window, and thus the more likely the glitch will succeed. However, to avoid completely filling the box by accident, it may be ideal to just use 15–18 Pokémon.
# Change boxes and reset the game at the following exact timing:
#* Shortly after the Yes/No box disappears (Gold/Silver)
#* After SAVING... DON'T TURN OFF THE POWER. is fully printed (Crystal)
 
If the Pokémon was not cloned, the reset was too early, and the player can deposit another Pokémon and try again. If the Pokémon was cloned successfully ("good" clone), the reset was too late, and the player should release the clone, save the game, and then deposit a Pokémon and try again.
 
A bad clone can be identified as follows: it may be female with a glitched name and become level 1 after you withdraw it from the PC. Contrary to the belief of some, if the original Pokémon was female it is still possible for the bad clone to be female (not male), although it is a good idea to use a male Pokémon in order to more easily identify a bad clone in case there are other male Pokémon in the box.
 
==== On the Game Boy Player ====
Notice that on the Game Boy Player (common for speedruns), the [[reset fadeout delay]] applies, so the timing to press the reset button is different:
* Immediately after pressing A on "Yes" (Gold/Silver)
* After the second "F" in "SAVING ... DON'T TURN OF'''F''' THE POWER." (Crystal)
 
==== On Pokémon Stadium 2 ====
It has been reported that Pokémon Stadium 2's Game Boy Tower can make the glitch easier if the player resets the game at one of the aforementioned moments, although the details of how much easier are unclear.
 
==== On emulators ====
Another way to get a bad clone in the BGB emulator in English Pokémon Gold and Crystal is to do it with five Pokémon deposited into box 4, set a breakpoint for de=AD6D (Gold) or de=AD11 (Crystal), advance the execution flow with F7 and then reset the game.
On advanced emulators that support instruction-level breakpoints (such as BGB), the player can use breakpoints to help time the reset.
 
One of the early reported methods that works with English Pokémon Gold and Crystal is as follows: In BGB, do the glitch with five Pokémon deposited into box 4, with a breakpoint set for de=AD6D (Gold) or de=AD11 (Crystal), advance the execution flow with F7 and then reset the game when the breakpoint is hit.
 
==== Alternative method with different reset timing ====
In the above method, the player triggers a game save by changing boxes (which is necessary in the [[Pokémon cloning (Generation II)|normal cloning glitch]] for a relatively large timing window), and then interrupts the save by resetting. In fact, for the bad clone glitch, the player can also trigger the save through the "Move Pokémon w/o mail" feature (or presumably through saving manually in the Start menu), instead of changing boxes.
 
An important difference is that, when using this method, the player should reset after "SAVING... DON'T TURN OFF THE POWER." is fully printed, regardless of whether the game is Gold/Silver or Crystal. The length of the timing window should remain the same as the original method in theory, although it has been reported that in specific cases (namely, German Gold on VC), this method seems to work much better than the original method (the original method seems to always fail, whereas this method seems to have a "standard" chance of success).
 
==Properties of the bad clone==
A "real" bad clone is an [[unstable hybrid Pokémon|unstable hybrid]] between the cloned Pokémon and a ????? (hex 00). It is sometimes referred to as a glitched version of the original Pokémon; for example, a "glitched Sneasel".
 
The bad clone will usually have a nickname with a large amount of [[glitch text]] in Pokémon Crystal. It usually is female and level 0 in the PC, but will become level 1 after you withdraw it. It usually has no moves, but sometimes may have glitched moves, and on rare occasions cannot be withdrawn from the PC {{clarify}}.
 
In Pokémon Gold and Silver, the bad clone's name should appear blank. In Pokémon Crystal, the high amount of glitch text may be problematic, and could cause a crash. This is because in Gold and Silver, Null characters simply cause the function PlaceString to exit, whereas in Crystal, for some reason a change was made to PlaceString in which a question mark is printed to the screen upon reading a null char, and the function will continue to read characters. To avoid crashing from this, you can use a potion to open the Pokémon menu (without actually using the potion) to put a 0x50 terminator farther into wStringBuffer1, which should make the bad clone's name safe to view in the box.
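
The difference between the two PlaceString behaviours described above can be seen on a constructed buffer. This is an added example, not the game's routine: the 64-byte window, `NAME_LEN`, the filler byte `0x80` and the function names are assumptions, and control codes are not modelled (every other byte counts as one glyph).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_END 0x50  /* terminator byte named in the text */
#define NAME_LEN 11    /* assumed nickname field size */
#define MEM_LEN 64     /* size of the modelled memory window */

/* Gold/Silver as described: a null byte makes the routine exit. */
int print_gs(const uint8_t *mem, char *out) {
    int i = 0;
    while (i < MEM_LEN && mem[i] != TEXT_END && mem[i] != 0x00) out[i++] = '*';
    out[i] = '\0';
    return i < MEM_LEN ? i : -1;       /* -1: ran off the modelled window */
}

/* Crystal as described: a null byte prints '?' and reading continues. */
int print_crystal(const uint8_t *mem, char *out) {
    int i = 0;
    for (; i < MEM_LEN && mem[i] != TEXT_END; i++) out[i] = mem[i] ? '*' : '?';
    out[i] = '\0';
    return i < MEM_LEN ? i : -1;
}

/* Constructed memory: an all-zero nickname field followed by unrelated bytes. */
void build(uint8_t *mem, int terminator_at) {
    memset(mem, 0x00, NAME_LEN);
    memset(mem + NAME_LEN, 0x80, MEM_LEN - NAME_LEN);
    if (terminator_at >= 0) mem[terminator_at] = TEXT_END;
}

/* Bytes consumed by either routine; terminator_at < 0 plants no terminator. */
int consumed(int crystal, int terminator_at) {
    uint8_t mem[MEM_LEN];
    char out[MEM_LEN + 1];
    build(mem, terminator_at);
    return crystal ? print_crystal(mem, out) : print_gs(mem, out);
}

int main(void) {
    printf("G/S: %d, Crystal: %d, Crystal with 0x50 at offset 20: %d\n",
           consumed(0, -1), consumed(1, -1), consumed(1, 20));
}
```

The Gold/Silver model prints nothing (a blank name), the Crystal model reads past the name field until it leaves the window, and a terminator planted farther into the buffer bounds the Crystal read.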
 
==Explanation==
Line 64 ⟶ 104:
 
===Unterminated name exploits===
{{main|Unterminated name Pokémon (Generation II)}}
In English Crystal [full language compatibility for non-English version details unconfirmed] (but not Gold/Silver), bad clones with unterminated names can also be used for arbitrary code execution, as long as steps are used so that [[0x1500 control code arbitrary code execution]] applies due to 0x15 0x00 being found beyond the relevant name buffer.{{clarify}}
Bad clones with unterminated names can also be used for various other exploits, notably [[0x1500 control code arbitrary code execution]].
 
In fact, it doesn't have to be a bad clone; any Pokémon with an unterminated name will do (or maybe one with the 0x15 0x00 string directly in the valid name positions):

1. If trades are allowed and you have one Gold or Silver and one Crystal, the [[Hall of Fame SRAM glitch]] is a good alternative if you have access to any Gold/Silver (even the latest (Korean)). No luck is required (except that you may get bad battle luck while you beat the game, such as critical hits against you, [http://wiki.pokemonspeedruns.com/index.php/Main_Page in particular for speedruns]; however, you can just keep retrying the battle after whiting out), but you must clear your save file and beat the Johto story without saving. When the game finally saves during the Hall of Fame, the save is incomplete, allowing you to have glitched box data without ever attempting the cloning glitch (note, however, that the article provides some specific details about how to extract the unterminated name Pokémon once you respawn in New Bark Town). Once you get it, there are some additional requirements in the 0x1500 arbitrary code execution article.

2. If trades are allowed and you have one Red or Blue and two Generation II games (one must be Crystal), you can use either a Generation I setup-based arbitrary code execution or exploit repeated item use of [[ItemDex/RB:094|9F]]. This works because using 9F lots of times corrupts the stack. If Pokémon are in the box, it can corrupt their nicknames (and if it doesn't, you can use it again and again until it does). Once the nicknames are corrupted, it is important to save and reset the game, or you likely won't be able to withdraw the Pokémon. There may also be further complications, not adequately documented, regarding Pokémon movesets. If you view certain Pokémon summaries directly before withdrawing the unterminated name Pokémon, certain movesets will prevent the freeze. An example (note this may be English version specific and might not work in a certain other language) is a Hitmonchan with Mega Punch as move 3 and Counter as move 4 (it was assumed the other moves don't matter, and it might work with just Counter as move 4).

2i. Other options are to use the [[SRAM glitch]] or [[Super Glitch (Generation I)|Super Glitch]] to obtain the [[expanded party]], letting you access unterminated name Pokémon easily (a bonus is that with the [[255 Pokémon glitch]], many names of the initial 6 Pokémon (and some below?) are unterminated "999(...)s"). However, if using Yellow, be careful that the [[prevented progress glitch]] does not occur. The same details mentioned in the previous paragraph apply here regarding the Pokémon summaries, letting you avoid potential freezes that withdrawing the unterminated name Pokémon may cause. Alternatively, try the Rhydon named "MASTER BALL" you can catch from English Yellow's [[stable unstable MissingNo.]], as the guaranteed success steps let you obtain one, and this nickname is unterminated.
 
3. A bad language trade might also theoretically be an option, as you can get unterminated name Pokémon this way, but doing this without proper preparation may be harmful to the save file. (Bad language trades don't necessarily corrupt the save file and the freezes can be avoided with consistent, viable requirements)

== References ==
<references />
 
[[Category:Generation II glitches]]