Bad clone glitch: Difference between revisions

From Glitch City Wiki
>Torchickens
>Torchickens
Line 63: Line 63:
*Obtaining [[Glitch Unown]]
*Obtaining [[Glitch Unown]]


===Unterminated name exploits==
===Unterminated name exploits===
In English Crystal [full language compatibility for non-English version details unconfirmed] (but not Gold/Silver), bad clones with unterminated names can also be used for arbitrary code execution, as long as steps are used so that [[0x1500 arbitrary code execution]] applies due to 0x15 0x00 being found beyond the relevant name buffer.{{clarify}}
In English Crystal [full language compatibility for non-English version details unconfirmed] (but not Gold/Silver), bad clones with unterminated names can also be used for arbitrary code execution, as long as steps are used so that [[0x1500 control code arbitrary code execution]] applies due to 0x15 0x00 being found beyond the relevant name buffer.{{clarify}}


In fact, it doesn't have to be a bad clone; just any Pokémon with an unterminated name (or maybe one with the 0x15 0x00 string directly in the valid name positions {{verify}}). ;-
In fact, it doesn't have to be a bad clone; just any Pokémon with an unterminated name (or maybe one with the 0x15 0x00 string directly in the valid name positions) ;-


1. The [[Hall of Fame SRAM glitch]] is a good alternative if you don't want to use trades; no luck is required (except for bad battle luck while you beat the game like critical hits against you; however you can just keep retrying the battle after whiting out), but you must clear your save file and beat the Johto story without saving. Finally when it does save during Hall of Fame, the save is incomplete; allowing you to have glitched box data without ever attempting the cloning glitch (however note there are some specific details about how to extract the unterminated name Pokémon once you respawn in New Bark Town provided in the article). Once you get it, there are some additional requirements in the 0x1500 arbitrary code execution article.
1. The [[Hall of Fame SRAM glitch]] is a good alternative if you don't want to use trades; no luck is required (except for bad battle luck while you beat the game like critical hits against you; however you can just keep retrying the battle after whiting out), but you must clear your save file and beat the Johto story without saving. Finally when it does save during Hall of Fame, the save is incomplete; allowing you to have glitched box data without ever attempting the cloning glitch (however note there are some specific details about how to extract the unterminated name Pokémon once you respawn in New Bark Town provided in the article). Once you get it, there are some additional requirements in the 0x1500 arbitrary code execution article.
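Review bot: the new version of the "In fact, it doesn't have to be a bad clone" line drops the {{verify}} tag but keeps the hedge "or maybe one with the 0x15 0x00 string directly in the valid name positions", so the claim is still unconfirmed yet no longer flagged; either keep the tag or state what confirmed it. The stray ";-" at the end of that line also survives the edit and should go. The heading repair to "===Unterminated name exploits===" and the link retarget to [[0x1500 control code arbitrary code execution]] are correct.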

Revision as of 10:11, 19 August 2019

PRAMA Initiative also has a page on Bad clone glitch.

The bad clone glitch is a natural glitch in Pokémon Gold, Silver and Crystal that allows the player to obtain an unstable hybrid Pokémon known as a bad clone. By allowing the player to stabilize the bad clone into a ?????, it is the parent glitch of many other glitches such as ????? party overloading or Time Capsule exploit. It is named as such because it can happen when doing the Gold/Silver/Crystal cloning glitch.

Obtaining a bad clone

More research is needed for this article.

Reason given: Verify the reset timings.



In order to get a bad clone you should deposit more Pokémon than you have ever deposited in a box (and at least 5 or so), then change boxes and reset the game at the following exact timing:

  • Shortly after the Yes/No box disappears (Gold/Silver)
  • After SAVING... DON'T TURN OFF THE POWER. is fully printed (Crystal)

Notice that on the Game Boy Player (common for speedruns), the reset fadeout delay applies, so the timing to press the reset button is different:

  • Immediately after pressing A on "Yes" (Gold/Silver)
  • After the second "F" in "SAVING ... DON'T TURN OFF THE POWER." (Crystal)

Getting a bad clone can normally be very difficult without Pokémon Stadium 2, but Pokémon Stadium 2's Game Boy Tower makes it a lot easier if you reset the game after the "Saving..." message appears at one of the aforementioned moments.

Another way to get a bad clone in the BGB emulator, in English Pokémon Gold or Crystal, is to deposit five Pokémon into box 4, set a breakpoint for de=AD6D (Gold) or de=AD11 (Crystal), advance the execution flow with F7 and then reset the game.

A bad clone can be identified by its traits: it may be female, have a glitched name, and become level 1 after you withdraw it from the PC. Contrary to the belief of some, if the original Pokémon was female it is still possible for the bad clone to be female (not male), although it is a good idea to use a male Pokémon in order to more easily identify a bad clone in case there are other male Pokémon in the box.

Properties of the bad clone

A "real" bad clone is an unstable hybrid between the cloned Pokémon and a ????? (hex 00). It is sometimes referred to as a glitched version of the original Pokémon; for example, a "glitched Sneasel".

The bad clone will usually have a nickname with a large amount of glitch text. It usually is female and level 0 in the PC, but will become level 1 after you withdraw it. It usually has no moves, but sometimes may have glitched moves, and on rare occasions cannot be withdrawn from the PC [clarification needed].

Explanation

The bad clone glitch happens when the game is reset in the middle of saving the contents of a box. The Gen II box data structure is as follows:

   Box Pokémon count (1 byte)
   Box Pokémon 1 species (1 byte)
   Box Pokémon 2 species (1 byte)
   ...
   Box Pokémon 20 species (1 byte)
   Extra space used for end-of-box marker (1 byte)
   Box Pokémon 1 data (32 bytes)
   Box Pokémon 2 data (32 bytes)
   ...
   Box Pokémon 20 data (32 bytes)
   Box Pokémon 1 OT name (11 bytes)
   Box Pokémon 2 OT name (11 bytes)
   ...
   Box Pokémon 20 OT name (11 bytes)
   Box Pokémon 1 nickname (11 bytes)
   Box Pokémon 2 nickname (11 bytes)
   ...
   Box Pokémon 20 nickname (11 bytes)
   Unused (2 bytes)

Of course, the species list is usually redundant, since the species information is also stored in the 32-byte Box Pokémon data struct (one exception is when the Pokémon is an egg: the species list will have EGG (hex FD) while the data struct has the real species). A similar redundancy exists in the party data structure. A hybrid Pokémon results when those two species bytes disagree with each other.

In the simplest form of the bad clone glitch, one more Pokémon (say, Pokémon 18) is added to the box, then the saving of the box is interrupted by a hard reset. If the reset happens after the box count and the species byte of that Pokémon are written, but before the main data of that Pokémon is written (for example, right in the middle of "Box Pokémon 15 data"), then the PC will recognize the existence of an 18th Pokémon and know its species, but its main data, OT name, and nickname will remain uninitialized. (In this case, no other Pokémon's data is corrupted, not even Pokémon 15 — the game is interrupted while overwriting "Box Pokémon 15 data" with the exact same data.)

Uninitialized SRAM data on a real cartridge can be non-deterministic, and emulators also behave differently in this regard. However, one way to be sure of the data is to clear the save data (by Select + Up + B on the title screen) before playing the game, which fills the entire SRAM with 00. If we do this, then that uninitialized data is guaranteed to be 00 — even if we put Pokémon in the box and then withdraw them, the 00 sections under them will "shift up" — with the exception that if a box has ever been completely full, then when withdrawing from it, the last Pokémon's data will "shift up" instead of 00 sections. This is why such boxes are unsuitable for getting bad clones (although they may be useful for getting other hybrids).

Anyway, in this case, the Pokémon will have all of its main data, including the second species byte, be 00. Such a Pokémon will exhibit all the properties of a typical bad clone: Female, level 0, stabilizes into a ????? (hex 00), etc.
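The following is an added worked model, not code from Glitch City Wiki or from the games, of the box layout listed above. It builds a consistent box image, models a hard reset partway through the sequential box write, and then walks the result flagging the two conditions the article describes: the two species bytes disagreeing (a hybrid) and a nickname with no terminator inside its 11-byte buffer (the condition the unterminated name section below relies on). The offsets are derived from the field list above; the 0x50 text terminator, the 0xFF species-list end marker, the 0x11 filler bytes for the rest of the data struct, and the ASCII sample names are assumptions or constructed values, not taken from the page.

```python
"""Model of the Generation II PC box layout from the Explanation section (added
example; not the wiki's or the games' code)."""

BOX_CAPACITY = 20
DATA_SIZE = 32      # bytes per box Pokémon data struct
NAME_SIZE = 11      # bytes per OT name / nickname buffer

# Layout offsets derived from the field list in the Explanation section.
OFF_COUNT = 0
OFF_SPECIES = 1                                       # 20 species bytes
OFF_END_MARKER = OFF_SPECIES + BOX_CAPACITY           # 21: "extra space used for end-of-box marker"
OFF_DATA = OFF_END_MARKER + 1                         # 22
OFF_OT = OFF_DATA + BOX_CAPACITY * DATA_SIZE          # 662
OFF_NICK = OFF_OT + BOX_CAPACITY * NAME_SIZE          # 882
BOX_SIZE = OFF_NICK + BOX_CAPACITY * NAME_SIZE + 2    # 1104, including the 2 unused bytes

# Assumptions not stated on the page: Gen I/II text strings end with 0x50 and
# the species list is closed with 0xFF.
TEXT_TERMINATOR = 0x50
SPECIES_LIST_END = 0xFF


def encode_name(text: bytes) -> bytes:
    """Pack a name into an 11-byte buffer with a terminator, so a display
    routine walking the buffer always stops inside it."""
    body = text[: NAME_SIZE - 1]
    return (body + bytes([TEXT_TERMINATOR])).ljust(NAME_SIZE, bytes([TEXT_TERMINATOR]))


def build_box(mons):
    """Build a consistent box image from (species, nickname) pairs: both species
    bytes agree for every slot and every name is terminated."""
    if len(mons) > BOX_CAPACITY:
        raise ValueError("a box holds at most 20 Pokémon")
    buf = bytearray(BOX_SIZE)
    buf[OFF_COUNT] = len(mons)
    buf[OFF_SPECIES + len(mons)] = SPECIES_LIST_END   # lands in the extra byte when the box is full
    for i, (species, nick) in enumerate(mons):
        buf[OFF_SPECIES + i] = species
        d = OFF_DATA + i * DATA_SIZE
        buf[d] = species                                          # byte 0 of the data struct is the species
        buf[d + 1 : d + DATA_SIZE] = bytes([0x11]) * (DATA_SIZE - 1)  # constructed filler for the other stats
        o = OFF_OT + i * NAME_SIZE
        buf[o : o + NAME_SIZE] = encode_name(b"GOLD")             # constructed OT name
        n = OFF_NICK + i * NAME_SIZE
        buf[n : n + NAME_SIZE] = encode_name(nick)
    return bytes(buf)


def interrupted_save(old_sram: bytes, new_image: bytes, cutoff: int) -> bytes:
    """Model a hard reset during a sequential box write: bytes below `cutoff`
    come from the new image, everything from `cutoff` on keeps the old SRAM."""
    return new_image[:cutoff] + old_sram[cutoff:]


def parse_box(buf: bytes):
    """Walk the box and flag, per slot, a species-byte mismatch (hybrid), an
    all-zero data struct, and a nickname with no terminator in its buffer."""
    entries = []
    for i in range(buf[OFF_COUNT]):
        d = OFF_DATA + i * DATA_SIZE
        n = OFF_NICK + i * NAME_SIZE
        nick = buf[n : n + NAME_SIZE]
        list_species = buf[OFF_SPECIES + i]
        data_species = buf[d]
        entries.append({
            "slot": i + 1,
            "list_species": list_species,
            "data_species": data_species,
            "hybrid": list_species != data_species,
            "data_uninitialized": not any(buf[d : d + DATA_SIZE]),
            "nickname_terminated": TEXT_TERMINATOR in nick,
        })
    return entries


def bad_clone_scenario():
    """The article's simplest case: 17 Pokémon in a box on a save cleared to 00,
    an 18th is deposited, and the reset lands inside "Box Pokémon 15 data"."""
    stored = [(0x10 + i, b"MON%02d" % (i + 1)) for i in range(17)]   # constructed species and names
    old_sram = build_box(stored)
    new_image = build_box(stored + [(215, b"SNEASEL")])              # 215 is Sneasel's Gen II index
    cutoff = OFF_DATA + 14 * DATA_SIZE + DATA_SIZE // 2                # halfway through slot 15's struct
    return parse_box(interrupted_save(old_sram, new_image, cutoff))


if __name__ == "__main__":
    for entry in bad_clone_scenario():
        if entry["hybrid"] or not entry["nickname_terminated"]:
            print(entry)
```

Running it reports only slot 18: its species-list byte says 215 while its data struct, OT name and nickname are still the zeroed SRAM, so it is a hybrid with a species byte of 00 and a nickname that never reaches a terminator. Slots 1 to 17, including slot 15 whose struct was being rewritten with identical bytes, come out unchanged.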

Exploits

A "real" bad clone can be taken into the Day Care and out to become a ????? (hex 00). Using the ????? party overloading trick will allow the player to perform various glitches, including:

Unterminated name exploits

In English Crystal [full language compatibility for non-English version details unconfirmed] (but not Gold/Silver), bad clones with unterminated names can also be used for arbitrary code execution, as long as steps are used so that 0x1500 control code arbitrary code execution applies due to 0x15 0x00 being found beyond the relevant name buffer.[clarification needed]

In fact, it doesn't have to be a bad clone: any Pokémon with an unterminated name will do (or maybe one with the 0x15 0x00 string directly in the valid name positions).

1. The Hall of Fame SRAM glitch is a good alternative if you don't want to use trades; no luck is required (except for bad battle luck while you beat the game, like critical hits against you; however, you can just keep retrying the battle after whiting out), but you must clear your save file and beat the Johto story without saving. Finally, when the game does save during the Hall of Fame, the save is incomplete, allowing you to have glitched box data without ever attempting the cloning glitch (note, however, that there are some specific details about how to extract the unterminated name Pokémon once you respawn in New Bark Town, provided in that article). Once you get it, there are some additional requirements in the 0x1500 arbitrary code execution article.

2. If trades are allowed and you have one copy of Red or Blue and two Generation II games, you can use either a Generation I setup-based arbitrary code execution or exploit repeated item use of 9F. This works because using 9F many times corrupts the stack. If Pokémon are in the box, it can corrupt their nicknames (and if it doesn't, you can use it again and again until it does). Once the nicknames are corrupted, it is important to save and reset the game or you likely won't be able to withdraw the Pokémon. There may also be further complications, not adequately documented, regarding Pokémon movesets. If you view certain Pokémon summaries directly before withdrawing the unterminated name Pokémon, certain movesets will prevent the freeze. An example (note this may be English version specific and might not work in a certain other language) is a Hitmonchan with Mega Punch as move 3 and Counter as move 4 (it was assumed the other moves don't matter, and it might work with just Counter as move 4).

2i. Other options are to use the SRAM glitch or Super Glitch to obtain the expanded party, letting you access unterminated name Pokémon easily (a bonus is that with the 255 Pokémon glitch, many names of the initial 6 Pokémon (and some below?) are unterminated "999(...)"s). However, if using Yellow, be careful that the prevented progress glitch does not occur. The same details mentioned in the previous paragraph apply here regarding the Pokémon summaries, letting you avoid potential freezes that withdrawing the unterminated name Pokémon may cause. Alternatively, try the Rhydon named "MASTER BALL" that you can catch from English Yellow's stable unstable MissingNo., as the guaranteed success steps let you obtain one, and this nickname is unterminated.

3. A bad language trade might also theoretically be an option, as you can get unterminated name Pokémon this way, but doing this without proper preparation may be harmful to the save file. (Bad language trades don't necessarily corrupt the save file and the freezes can be avoided with consistent, viable requirements)