Main Menu

Glitches

References/Resources

Affiliates

Technical

Search Wiki

Toolbox

Unterminated name Pokémon (Generation II)
 Page | Discussion | View source | History

From Glitch City Laboratories

Jump to: navigation, search

In Generation II, an unterminated name Pokémon is a Pokémon which does not have a terminating hex:50 character in its first eleven characters of its nickname.

In Pokémon Crystal, viewing such an unterminated name at some places, such as on the stats screen or in the PC, may freeze the game or corrupt data. With proper setup, though, this effect may be used to achieve some desired effect, including arbitrary code execution.

Obtaining

The bad clones obtained from the bad clone glitch usually have unterminated nicknames. Sometimes, a Pokémon obtained from the bad clone glitch may not be a "real" bad clone because it is not an unstable hybrid of a normal Pokémon and ????? (hex 00), but it will still have an unterminated nickname. Such a Pokémon is sometimes called a "pseudo-bad clone".

This article or section is a stub. You can help Glitch City Laboratories wiki by expanding it. RB 234 fs crop.png

Properties

In Pokémon Crystal, when viewing the name of a Pokémon, it is usually copied to a string buffer at $d073 before printed onto the screen. The copy is limited to 11 characters, so this step will not cause memory corruption. However, when the string is printed, the subroutine will read beyond the buffer into other memory areas until a 0x50 marker is found. In this process, it may encounter control characters with various effects, or it may simply overflow the screen buffer and corrupt large areas of the RAM.

At some places, an unterminated nickname will display as a single "?". This is due to an error trap that checks a Pokémon's nickname before displaying it. This error trap is triggered:

  • On the party screen.
  • After withdrawing from or depositing into the PC ("Got <name>!", "Stored <name>!").
  • After depositing a Pokémon in the Daycare ("OK, I'll raise your <name>.").

However, at other places this error trap is not used, making memory corruption and arbitrary code execution possible:

  • In the Pokémon list in the PC (including withdrawing, depositing, and "move PkMn w/o mail").
  • On the stats screen of the Pokémon.
  • When withdrawing a Pokémon from the Daycare (all three messages).
  • In battle (this case is a little different, because the name is copied to a different string buffer at $c621).

In particular, when you try to withdraw an unterminated name Pokémon from the PC, it may become another Pokémon because the buffer used to store species of Pokémon in the current box is corrupted. The most common case is a Kingdra, because its Pokédex number is 230 (hex E6), which corresponds to a question mark, and the string printing subroutine turns all hex 00 into question marks.

Safety

Although the memory corruption and arbitrary code execution can be useful, sometimes it may be unwanted if, for example, you just want to use the bad clone for the Celebi Egg glitch. This is especially a concern because the bad clone glitch requires a game reset, which erases 0x50 markers from the relevant memory areas. Fortunately, there are many actions that can make viewing an unterminated nickname safe.

Out of battle

Out of battle, the string buffer at $d073 is used, so all we need is to put a 0x50 marker after the first 11 characters of that buffer. Ways to do this include:

  • View the green page (moves) of the stats screen of a Pokémon whose last move has 11 or 12 characters (e.g. Smokescreen).
  • View an item list where the last visible item has 11 or 12 characters (e.g. switch PsnCureBerry to the last slot in the item pack).

Those methods use the fact that names of moves and items are 13 characters long, including the 0x50 end marker, and they are copied to the same buffer, so if their names are 11 or 12 characters long, their 0x50 markers will help terminating the unterminated Pokémon name. This may or may not work with moves and items with shorter names, because their names are copied from a 0x50 delimited list in the ROM (e.g. "LEER@BITE@GROWL@..."), so the 12th and 13th positions may or may not be 0x50.

  • Give any item to a Pokémon.
  • Buy any item at the shop, up to the point of (and including) choosing a quantity. (You don't need to actually buy it.)
  • Sell any item at the shop. (You do need to actually sell it.)

Those methods use another string buffer at $d086, which is shortly after the aforementioned buffer. Since this buffer isn't overwritten by the unterminated name, those methods work with any item.

In battle

The aforementioned methods won't work if you want to battle with an unterminated name Pokémon, because the $c621 string buffer is used instead. Immediately after that buffer is the main data of the Pokémon, so an easy way to make an unterminated name Pokémon relatively safe in battle is to give it an Ice Berry (hex 50). Watch out for burn, though!