Unterminated name Pokémon (Generation II)

From Glitch City Laboratories


In Generation II, an unterminated name Pokémon is a Pokémon whose nickname has no terminating 0x50 character within its first eleven characters.

In Pokémon Crystal, viewing such an unterminated name in some places, such as on the stats screen or in the PC, may freeze the game or corrupt data. With proper setup, though, this behaviour can be used to achieve desired effects.

The most notable of these exploits is arbitrary code execution. In English Crystal (but not Gold/Silver; compatibility with non-English versions is unconfirmed), it is possible to set up the bytes "0x15 0x00" beyond the relevant name buffer. Viewing the unterminated nickname through a "dangerous" code path will then trigger 0x1500 control code arbitrary code execution.

Other exploits are based on simple memory corruption through buffer overflow. It is possible to get a bad clone this way, which is known as "turning a pseudo-bad clone into a real bad clone" (external link in French).

Obtaining

Bad clone glitch

The bad clones obtained from the bad clone glitch usually have unterminated nicknames. Sometimes, a Pokémon obtained from the bad clone glitch may not be a "real" bad clone because it is not an unstable hybrid of a normal Pokémon and ????? (hex 00), but it will still have an unterminated nickname. Such a Pokémon is sometimes called a "pseudo-bad clone".

Trade with Gold/Silver

If trades are allowed and you have one copy of Gold or Silver and one of Crystal, the Hall of Fame SRAM glitch is a good alternative. It works with any Gold/Silver release, even the latest (Korean). No luck is required, apart from ordinary battle luck while you beat the game (critical hits against you, or Pokémon with bad DVs, which matters in particular for speedruns); you can simply keep retrying a battle after whiting out. However, you must clear your save file (with Up+Select+B on the title screen) and beat the Johto story without saving. When the game finally saves during the Hall of Fame, the save is incomplete. It is not yet clear whether resetting just after the Hall of Fame save message completes is ideal (in the sense that the save has finished all its work); until that is confirmed, it is suggested to do so just in case, while your Pokémon are shown before the credits that immediately follow. After you respawn in New Bark Town, this gives you glitched box data without ever attempting the cloning glitch (note that the Hall of Fame SRAM glitch article gives specific details on how to extract the unterminated name Pokémon once you respawn in New Bark Town). Once you have it, there are some additional requirements listed in the 0x1500 arbitrary code execution article.

Trade with Generation I games

If trades are allowed and you have one copy of Red or Blue and two Generation II games (one of which must be Crystal), you can use either a Generation I setup-based arbitrary code execution or repeated item use of 9F. The latter works because using 9F many times corrupts the stack. If Pokémon are in the box, this can corrupt their nicknames (and if it doesn't, you can use it again and again until it does). Once the nicknames are corrupted, it is important to save and reset the game, or you likely won't be able to withdraw the Pokémon. There may also be further complications, not adequately documented, regarding Pokémon movesets: if you view certain Pokémon summaries directly before withdrawing the unterminated name Pokémon, certain movesets will prevent the freeze. An example (which may be specific to the English version and might not work in another language) is a Hitmonchan with Mega Punch as move 3 and Counter as move 4 (it was assumed the other moves don't matter, and it might work with just Counter as move 4).

Other options are to use the SRAM glitch or Super Glitch to obtain the expanded party, which lets you access unterminated name Pokémon easily. (A bonus is that with the 255 Pokémon glitch, many names of the initial 6 Pokémon (and some below?) are unterminated "999(...)s".) However, if using Yellow, be careful that the prevented progress glitch does not occur. The details about Pokémon summaries mentioned in the previous paragraph apply here too, letting you avoid the freezes that withdrawing the unterminated name Pokémon may cause. Alternatively, try the Rhydon named "MASTER BALL" that you can catch from English Yellow's stable unstable MissingNo., as the guaranteed success steps let you obtain one and its nickname is unterminated.

Bad language trade

A bad language trade might also theoretically be an option, as you can get unterminated name Pokémon this way, but doing this without proper preparation may be harmful to the save file. (Bad language trades don't necessarily corrupt the save file, and the freezes can be avoided with consistent, viable requirements.)

Properties

In Pokémon Crystal, when the name of a Pokémon is viewed, it is usually copied to a string buffer at $d073 before being printed onto the screen. The copy is limited to 11 characters, so this step does not cause memory corruption. However, when the string is printed, the subroutine reads beyond the buffer into other memory areas until a 0x50 marker is found. In this process, it may encounter control characters with various effects, or it may simply overflow the screen buffer and corrupt large areas of RAM.

At some places, an unterminated nickname will display as a single "?". This is due to an error trap that checks a Pokémon's nickname before displaying it. This error trap is triggered:

  • On the party screen.
  • After withdrawing from or depositing into the PC ("Got <name>!", "Stored <name>!").
  • After depositing a Pokémon in the Daycare ("OK, I'll raise your <name>.").

However, at other places this error trap is not used, making memory corruption and arbitrary code execution possible:

  • In the Pokémon list in the PC (including withdrawing, depositing, and "move PkMn w/o mail").
  • On the stats screen of the Pokémon.
  • When withdrawing a Pokémon from the Daycare (all three messages).
  • In battle (this case is a little different, because the name is copied to a different string buffer at $c621).

In particular, when you try to withdraw an unterminated name Pokémon from the PC, it may become another Pokémon because the buffer used to store species of Pokémon in the current box is corrupted. The most common case is a Kingdra, because its Pokédex number is 230 (hex E6), which corresponds to a question mark, and the string printing subroutine turns all hex 00 into question marks.

Exploits

Main article: 0x1500_control_code_arbitrary_code_execution

Safety

Although the memory corruption and arbitrary code execution can be useful, sometimes it may be unwanted if, for example, you just want to use the bad clone for the Celebi Egg glitch. This is especially a concern because the bad clone glitch requires a game reset, which erases 0x50 markers from the relevant memory areas. Fortunately, there are many actions that can make viewing an unterminated nickname safe.

Out of battle

Out of battle, the string buffer at $d073 is used, so all we need is to put a 0x50 marker after the first 11 characters of that buffer. Ways to do this include:

  • View the green page (moves) of the stats screen of a Pokémon whose last move has 11 or 12 characters (e.g. Smokescreen).
  • View an item list where the last visible item has 11 or 12 characters (e.g. switch PsnCureBerry to the last slot in the item pack).

Those methods use the fact that names of moves and items are 13 characters long, including the 0x50 end marker, and that they are copied to the same buffer. If such a name is 11 or 12 characters long, its 0x50 marker helps terminate the unterminated Pokémon name. This may or may not work with moves and items with shorter names, because their names are copied from a 0x50-delimited list in the ROM (e.g. "LEER@BITE@GROWL@..."), so the 12th and 13th positions may or may not be 0x50.

  • Give any item to a Pokémon.
  • Buy any item at the shop, up to the point of (and including) choosing a quantity. (You don't need to actually buy it.)
  • Sell any item at the shop. (You do need to actually sell it.)

Those methods use another string buffer at $d086, which is shortly after the aforementioned buffer. Since this buffer isn't overwritten by the unterminated name, those methods work with any item.
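An added example, not part of the original article or the game's code: a small C model of the bounded copy and unbounded print described under Properties, and of why the out-of-battle methods above make the print stop. The 64-byte window, the 0x00 filler and the 0x80/0x81 character bytes are constructed assumptions; only the 0x50 marker, the 11-byte copy and the $d073/$d086 addresses come from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERM      0x50  /* end-of-string marker */
#define NAME_LEN  11    /* bytes copied into the name buffer at $d073 */
#define BUF2_OFF  0x13  /* $d086 - $d073: offset of the second buffer */
#define RAM_LEN   64    /* size of this model's RAM window (assumption) */

/* Error trap model: is there a terminator within the first 11 bytes? */
int name_is_terminated(const uint8_t *name) {
    return memchr(name, TERM, NAME_LEN) != NULL;
}

/* Print routine model: scans for TERM with no length limit of its own.
   Returns bytes consumed, or -1 if it would run off the modelled window. */
int print_scan(const uint8_t *ram) {
    const uint8_t *t = memchr(ram, TERM, RAM_LEN);
    return t ? (int)(t - ram) : -1;
}

/* Build the window: filler, an optional earlier string, then the nickname.
   prior_off < 0 means nothing was written before the nickname copy. */
int scan_after(int prior_off, int prior_chars) {
    uint8_t ram[RAM_LEN], nick[NAME_LEN];
    memset(ram, 0x00, sizeof ram);    /* constructed: no markers left after a reset */
    memset(nick, 0x80, sizeof nick);  /* constructed unterminated nickname */
    if (prior_off >= 0) {             /* earlier move/item name plus its marker */
        memset(ram + prior_off, 0x81, (size_t)prior_chars);
        ram[prior_off + prior_chars] = TERM;
    }
    memcpy(ram, nick, NAME_LEN);      /* the 11-byte copy is itself in bounds */
    return print_scan(ram);
}

int main(void) {
    uint8_t nick[NAME_LEN];
    memset(nick, 0x80, sizeof nick);
    printf("error trap accepts name: %d\n", name_is_terminated(nick));
    printf("after reset:             %d\n", scan_after(-1, 0));
    printf("11-char move name first: %d\n", scan_after(0, 11));
    printf("12-char item name first: %d\n", scan_after(0, 12));
    printf("item name at $d086:      %d\n", scan_after(BUF2_OFF, 6));
    return 0;
}
```

The -1 result is the post-reset state the Safety section warns about; in the other cases the scan still reads past the 11-byte buffer but stops at the marker left by the earlier string.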

In battle

The aforementioned methods won't work if you want to battle with an unterminated name Pokémon, because the $c621 string buffer is used instead. Immediately after that buffer is the main data of the Pokémon, so an easy way to make an unterminated name Pokémon relatively safe in battle is to give it an Ice Berry (hex 50). Watch out for burn, though!