Unterminated name Pokémon (Generation II)

From Glitch City Wiki

In Generation II, an unterminated name Pokémon is a Pokémon whose nickname has no terminating 0x50 character within its first eleven characters.

In Pokémon Crystal, viewing such an unterminated name at some places, such as on the stats screen or in the PC, may freeze the game or corrupt data. With proper setup, though, this behaviour can be used to achieve desired effects.

The most notable of these exploits is arbitrary code execution. In English Crystal (but not Gold/Silver; full compatibility details for non-English versions are unconfirmed), it is possible to set up the bytes "0x15 0x00" beyond the relevant name buffer. Viewing the unterminated nickname through a "dangerous" code path will then trigger 0x1500 control code arbitrary code execution.

Other exploits are based on simple memory corruption with buffer overflow. It is possible to get a bad clone in this way, which is known as "turning a pseudo-bad Clone into a real bad Clone" (external link in French).

Obtaining

Bad clone glitch

The bad clones obtained from the bad clone glitch usually have unterminated nicknames. Sometimes, a Pokémon obtained from the bad clone glitch may not be a "real" bad clone because it is not an unstable hybrid of a normal Pokémon and ????? (hex 00), but it will still have an unterminated nickname. Such a Pokémon is sometimes called a "pseudo-bad clone".

This method can be performed very early in the game. The main disadvantage of this method is that the bad clone glitch is very hard to perform, sometimes with a subframe-level time window for resetting. This makes this method luck-dependent for the average human player.

Battle Tower SRAM glitch (Crystal)

The Battle Tower SRAM glitch (combined with God Egg glitch) requires obtaining the same Trainer ID on a new game as an existing save file, but with luck manipulation this is a reliable way of obtaining an unterminated name Pokémon, specifically with only 0x00 bytes in its name.

Bug-Catching Contest data copy glitch (Japanese Gold/Silver)

If the player has never had a sixth Pokémon in the party, the Bug-Catching Contest data copy glitch allows for a hybrid between one Pokémon and a ????? (0x00) with an unterminated name with only 0x00 bytes in it.


Hall of Fame SRAM glitch (Gold/Silver)

The Hall of Fame SRAM glitch is a non-luck-dependent option (except for whatever luck is necessary to beat the game) for getting an unterminated name Pokémon in Generation II. It works on Pokémon Gold and Silver only, including non-English versions of the game. To trigger the glitch, the player needs to clear the save file (with Up+Select+B on the title screen) and beat the Johto story without saving. This causes the game to make a corrupted save during the Hall of Fame sequence, from which an unterminated name Pokémon can be extracted (see the Hall of Fame SRAM glitch article for the procedure).

The main exploit with unterminated name Pokémon in Generation II (0x1500 control code arbitrary code execution) only works on Crystal, but the player can simply trade the unterminated name Pokémon over.

Wrong pocket TMs and HMs

Once it is possible to use wrong pocket TMs and HMs, wrong pocket HM03 in various languages/versions will create an unterminated name Pokémon only if no Pokémon was ever deposited in the Day Care.

Additionally, exclusively in the Korean Pokémon Gold/Silver Virtual Console release, 비전머신03 can create copies of unterminated name Pokémon at any time.

Trade with Generation I games

If trades are allowed and you have one copy of Red or Blue and two Generation II games (one must be Crystal), you can use either a Generation I setup-based arbitrary code execution or repeated item use of 9F. The latter works because using 9F many times corrupts the stack. If Pokémon are in the box, it can corrupt their nicknames (and if it doesn't, you can use it again and again until it does). Once the nicknames are corrupted, it is important to save and reset the game, or you likely won't be able to withdraw the Pokémon. There may also be further complications, not adequately documented, regarding Pokémon movesets. If you view certain Pokémon summaries directly before withdrawing the unterminated name Pokémon, certain movesets will prevent the freeze. An example (note this may be English version specific and might not work in certain other languages) is a Hitmonchan with Mega Punch as move 3 and Counter as move 4 (it was assumed the other moves don't matter, and it might work with just Counter as move 4).

Other options are to use the SRAM glitch or Super Glitch to obtain the expanded party, letting you access unterminated name Pokémon easily (a bonus is that with the 255 Pokémon glitch, many names of the initial 6 Pokémon (and some below?) are unterminated "999(...)s"). However, if using Yellow, be careful that the prevented progress glitch does not occur. The same details mentioned in the previous paragraph regarding the Pokémon summaries apply here, letting you avoid potential freezes that withdrawing the unterminated name Pokémon may cause. Alternatively, try the Rhydon named "MASTER BALL" you can catch from English Yellow's stable unstable MissingNo., as the guaranteed success steps let you obtain one, and this nickname is unterminated.

Bad language trade

A bad language trade might also theoretically be an option to get unterminated name Pokémon, but doing this without proper preparation may be harmful to the save file. (Bad language trades don't necessarily corrupt the save file and the freezes can be avoided with consistent, viable requirements.)

Properties

In Pokémon Crystal, when viewing the name of a Pokémon, it is usually copied to a string buffer at $D073 before being printed onto the screen. The copy is limited to 11 characters, so this step will not cause memory corruption. However, when the string is printed, the subroutine will read beyond the buffer into other memory areas until a 0x50 marker is found. In this process, it may encounter control characters with various effects, or it may simply overflow the screen buffer and corrupt large areas of the RAM.

At some places, an unterminated nickname will display as a single "?". This is due to an error trap that checks a Pokémon's nickname before displaying it. This error trap is triggered:

  • On the party screen.
  • After withdrawing from or depositing into the PC ("Got <name>!", "Stored <name>!").
  • After depositing a Pokémon in the Daycare ("OK, I'll raise your <name>.").

However, at other places this error trap is not used, making memory corruption and arbitrary code execution possible:

  • In the Pokémon list in the PC (including withdrawing, depositing, and "move PkMn w/o mail").
  • On the stats screen of the Pokémon.
  • When withdrawing a Pokémon from the Daycare (all three messages).
  • In battle (this case is a little different, because the name is copied to a different string buffer at $C621).

In particular, when the player tries to withdraw an unterminated name Pokémon from the PC, it may become another Pokémon because the buffer used to store species of Pokémon in the current box is corrupted. The most common case is a Kingdra, because its Pokédex number is 230 (hex E6), which corresponds to a question mark, and the string printing subroutine turns all hex 00 into question marks.
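The two display paths described in this section can be modelled in a few lines of C. This is an added example, not code from the game or from the wiki: the RAM contents, the position of the stray marker and the sample nicknames are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERM     0x50  /* end-of-string marker named on the page */
#define NAME_LEN 11    /* size of the bounded nickname copy */
#define RAM_LEN  64    /* constructed slice of RAM starting at the name buffer */

/* Constructed sample nicknames: one with no marker, one ending after 2 glyphs. */
static const uint8_t BAD_NICK[NAME_LEN]  = {0};
static const uint8_t GOOD_NICK[NAME_LEN] = {0x80, 0x81, TERM};

/* Unchecked path: bounded 11-byte copy, then a print that stops only at TERM.
   Returns the bytes consumed beyond the name buffer (marker included),
   0 if the name ended inside it, -1 if the scan left the modelled slice. */
static int unchecked_overread(const uint8_t *nick) {
    uint8_t ram[RAM_LEN];
    memset(ram, 0x7F, sizeof ram);  /* constructed stale bytes, no marker */
    ram[30] = TERM;                 /* constructed stray marker further on */
    memcpy(ram, nick, NAME_LEN);    /* the copy itself corrupts nothing */
    for (int i = 0; i < RAM_LEN; i++)
        if (ram[i] == TERM)
            return i < NAME_LEN ? 0 : i - NAME_LEN + 1;
    return -1;
}

/* Error-trap path: validate the 11 bytes first and draw a single "?" when no
   marker is present. Returns the number of glyphs drawn. */
static int checked_glyphs(const uint8_t *nick) {
    const uint8_t *end = memchr(nick, TERM, NAME_LEN);
    return end ? (int)(end - nick) : 1;
}

int main(void) {
    printf("unchecked, unterminated: %d bytes past the buffer\n",
           unchecked_overread(BAD_NICK));
    printf("unchecked, terminated:   %d bytes past the buffer\n",
           unchecked_overread(GOOD_NICK));
    printf("trap, unterminated:      %d glyph(s)\n", checked_glyphs(BAD_NICK));
    printf("trap, terminated:        %d glyph(s)\n", checked_glyphs(GOOD_NICK));
    return 0;
}
```

The bounded copy is harmless in both paths; the difference is only whether the consumer validates the terminator before trusting it.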

Exploits

Main article: 0x1500 control code arbitrary code execution

Safety

Although the memory corruption and arbitrary code execution can be useful, sometimes it may be unwanted if, for example, the player just wants to use the bad clone for the Celebi Egg glitch. This is especially a concern because the bad clone glitch requires a game reset, which erases 0x50 markers from the relevant memory areas. Fortunately, there are many actions that can make viewing an unterminated nickname safe.

Out of battle

Out of battle, the string buffer at $D073 is used, so all we need is to put a 0x50 marker after the first 11 characters of that buffer. Ways to do this include:

  • Viewing the green page (moves) of the stats screen of a Pokémon whose last move has 11 or 12 characters (e.g. Smokescreen).
  • Viewing an item list where the last visible item has 11 or 12 characters (e.g. switch PsnCureBerry to the last slot in the item pack).

Those methods use the fact that names of moves and items are 13 characters long, including the 0x50 end marker, and they are copied to the same buffer, so if their names are 11 or 12 characters long, their 0x50 markers will help terminate the unterminated Pokémon name. This may or may not work with moves and items with shorter names, because their names are copied from a 0x50-delimited list in the ROM (e.g. "LEER@BITE@GROWL@..."), so the 12th and 13th positions may or may not be 0x50.

  • Giving any item to a Pokémon.
  • Buying any item at the shop, up to the point of (and including) choosing a quantity. (It is not necessary to actually buy it.)
  • Selling any item at the shop. (It is necessary to actually sell it.)

Those methods use another string buffer at $D086, which is shortly after the aforementioned buffer. Since this buffer isn't overwritten by the unterminated name, those methods work with any item.
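The following added example (not code from the game or the wiki) works through why the length of the move or item name matters for the $D073 buffer and why it does not for $D086. Assumptions: the letter encoding, the 0xFF filler, the all-0x00 nickname and the list tails after the first name are constructed, the $D086 copy is modelled as the same 13-byte field copy, and `stop_offset` is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERM      0x50  /* end-of-string marker named on the page */
#define NAME_LEN  11    /* bytes the nickname copy writes at $D073 */
#define FIELD_LEN 13    /* move/item name field, marker included */
#define D086_OFF  0x13  /* $D086 - $D073 */
#define RAM_LEN   48    /* constructed slice of RAM starting at $D073 */

/* Constructed stand-in encoding: '@' is the 0x50 marker and letters map to
   0x80 and up, so no letter collides with 0x50. */
static void encode(const char *s, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = (s[i] == '@') ? TERM : (uint8_t)(0x80 + (s[i] - 'A'));
}

/* Copy a 13-byte name field out of a marker-delimited list to dest_off, then
   copy an all-0x00 nickname over the first 11 bytes. Returns the offset where
   an unbounded print stops, or -1 if it leaves the modelled slice.
   rom_list must hold at least FIELD_LEN characters. */
static int stop_offset(const char *rom_list, size_t dest_off) {
    uint8_t ram[RAM_LEN];
    memset(ram, 0xFF, sizeof ram);               /* constructed: no marker */
    encode(rom_list, ram + dest_off, FIELD_LEN); /* name field copy */
    memset(ram, 0x00, NAME_LEN);                 /* unterminated nickname */
    for (int i = 0; i < RAM_LEN; i++)
        if (ram[i] == TERM) return i;
    return -1;
}

int main(void) {
    /* List tails after the first name are constructed filler, except the
       LEER list, which is the example quoted in the text above. */
    printf("%d\n", stop_offset("SMOKESCREEN@XX", 0));          /* 11 chars */
    printf("%d\n", stop_offset("PSNCUREBERRY@X", 0));          /* 12 chars */
    printf("%d\n", stop_offset("LEER@BITE@GROWL@", 0));        /* short name */
    printf("%d\n", stop_offset("LEER@BITE@GROWL@", D086_OFF)); /* other buffer */
    return 0;
}
```

With the short name, both markers inside the 13-byte field fall within the first 11 bytes and are overwritten by the nickname, so the print runs on; the same field placed at $D086 keeps its marker.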

In battle

The aforementioned methods won't work if the player wants to battle with an unterminated name Pokémon, because the $C621 string buffer is used instead. Immediately after that buffer is the main data of the Pokémon, so an easy way to make an unterminated name Pokémon relatively safe in battle is to give it an Ice Berry (hex 50). One possible concern is that the Pokémon may consume the Ice Berry (because it becomes burned).