The bad clone glitch (one of the parent glitches of this trick) was documented by Paco81, as were his early methods for obtaining Celebi.
Preparations
1) Obtain an Egg with a Pokémon that would know Beat Up as its third move after hatching. To do this, raise a male and female Sneasel to level 57 with the same moves and make sure Beat Up is at move position 3.
2) Obtain a bad clone:
In order to get a bad clone you should deposit more Pokémon than you have ever deposited in a box (and at least 5 or so), then change boxes and reset the game shortly after the Yes/No box disappears (Gold/Silver) or after SAVING... DON'T TURN OFF THE POWER. is fully printed (Crystal).
Getting a bad clone is normally difficult but Pokémon Stadium 2's Game Boy Tower makes it a lot easier if you reset the game after the "Saving..." message appears at one of the aforementioned moments.
A bad clone can be identified by these signs: it may be female with a glitched name and become level 1 after you withdraw it from the PC.
Main steps
1) Deposit the bad clone into the Day Care and take it out again to stabilize it into a ?????.
2) Put the bad clone at the top of the party.
3) Use move PkMn w/o mail (other methods do not work) to move a seventh Pokémon to the top of the party.
4) Don't touch the party, and ask the Day Care lady to raise the ????? again. This time don't take the ????? out of the Day Care yet.
5) Deposit the first Pokémon and then the second Pokémon, and use move PkMn w/o mail to move the Egg to the top of the party.
6) Deposit Pokémon 2-5, which may shift back bytes for the Egg's name each time. After the depositing, Beat Up [0xFB] (move 3) will shift into the Pokémon species byte 2, allowing you to obtain Celebi after hatching the Egg.
7) Use the Bicycle to cycle around until the Egg hatches into a Celebi.
8) If the Celebi is level 0, raise its level through taking it into Day Care and out, a battle, or a Rare Candy. Ideally raising it to level 1 will allow it to learn its starting moves Leech Seed, Confusion, Heal Bell and Recover.
Notes
The Celebi/Pokémon will be holding an item based on the ID of move 4.
If possible, this glitch can be used with another move as move 3 to obtain a Pokémon other than Celebi. This depends on the ID of the move, which will be converted into a Pokémon ID. For example, Flail (hex:AF) would result in Togepi (also hex:AF).
To see which IDs correspond with which moves, Pokémon and items, refer to The Big HEX List.
Explanation
In Gen II, the party Pokémon data are stored in WRAM as follows:
Party count (1 byte)
Party Pokémon 1 species (1 byte)
Party Pokémon 2 species (1 byte)
...
Party Pokémon 6 species (1 byte)
Extra space used for end-of-party marker (1 byte)
Party Pokémon 1 data (48 bytes)
Party Pokémon 2 data (48 bytes)
...
Party Pokémon 6 data (48 bytes)
Party Pokémon 1 OT name (11 bytes)
Party Pokémon 2 OT name (11 bytes)
...
Party Pokémon 6 OT name (11 bytes)
Party Pokémon 1 nickname (11 bytes)
Party Pokémon 2 nickname (11 bytes)
...
Party Pokémon 6 nickname (11 bytes)
Unused (22 bytes)
Pokédex caught flags (16 bytes)
Pokédex seen flags (16 bytes)
...
Of course, the species list is usually redundant since the species information is stored in the 48-byte Party Pokémon data struct (one exception is when the Pokémon is an egg, the species list will have EGG (hex FD) while the data struct has the real species). The list is terminated with an FF end-of-party marker, which is completely redundant since the party count is stored in the first byte, but the code uses the end-of-party marker in many places because it is faster to check for a FF marker than it is to keep track of numbers. The key to this glitch is to corrupt this FF marker.
To this end, a ????? (hex 00) is put at the top of the party, then a seventh Pokémon is moved into the party, which is possible because Bill's PC recognizes both FF and 00 as end-of-party markers, and thus thinks the player only has 0 Pokémon in the party.
When a Pokémon is inserted into the party with the "move PkMn w/o mail" option, it is first inserted into the species list (according to the FF end-of-party marker), then inserted into the nickname list, OT name list, and Pokémon data list in that order (according to the party count byte). The insertion into the species list bumps the FF marker to the first byte of "Party Pokémon 1 data" (the data of ?????), then the insertion to the Pokémon data list bumps it to the second Pokémon data slot, in sync with the species list.
Now the ????? is removed from the party by depositing it in the Day Care (necessary because it is "invisible" to Bill's PC), which removes it first from the species list (again, according to the FF end-of-party marker), then from the OT name list, the Pokémon data list, the nickname list (by shifting the entire chunk of data under the removed Pokémon, up to Pokémon slot 6, up a slot). Now, removal from the species list finds the first FF marker in the first byte of "Party Pokémon 2 data", so it corrupts "Party Pokémon 1 data" by shifting everything up a byte, and setting the last byte to FF. Then the FF marker in the first byte of "Party Pokémon 2 data" is removed.
Depositing the first Pokémon into the PC will similarly only corrupt its own data (which doesn't even matter, because depositing a Pokémon into the PC first copies it into the box, then removes it from the party), but when depositing the second Pokémon, there is probably no more FF mark in the Pokémon data, which means the corruption extends to the OT names, nicknames, Pokédex flags, and possibly beyond that. This is visible in the linked video, as the nicknames of the Sudowoodos become "UDOWOODO".
Moving the egg to the top of the party, as mentioned above, inserts into the species list and thus also causes corruption, but it just reverses the corruption caused by removing the second Pokémon (which is probably a good thing, as we are not left with more unprintable characters on the screen). Now depositing four Pokémon will corrupt again in the "shift up" direction, and this time the corruption touches the data of the egg, which is our real goal, shifting the third move up 4 bytes to become the species. (Interestingly, the reason the game allows you to deposit all four Pokémon, leaving only the egg, isn't that Bill's PC thinks you have 6 Pokémon, but that due to data corruption, the egg doesn't have 0 current HP like normal eggs do.)
Last but not least, we must restore the end-of-party marker to avoid any further corruption when inserting into or removing from the party. Fortunately this is as easy as appending a Pokémon into the party. This can be done by withdrawing one from the Day Care, withdrawing one from the PC, catching one... Basically, any method of adding a Pokémon to the party will do, except "move PkMn w/o mail". Since the egg (or the hatched Celebi) would be the only Pokémon in the party, it is only natural to do one of those things before giving the Celebi to the Day Care or otherwise trying to remove it from the party.
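The marker-driven shift described above can be modelled in a few lines of C. This is an added example, not code from the game or from the original page: it lays out the region as listed above, removes list index 1 four times with a delete that follows the FF marker, and compares the result with a delete bounded by the count byte. Assumptions: all function names, the constructed party contents, the struct byte order species, item, moves 1-4 implied by the text, and an FF placed at the end of the modelled region as a stand-in for the next FF in memory; the count-driven removals from the other lists are omitted because they do not touch the first slot's struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets follow the layout on this page; every name here is hypothetical. */
enum { COUNT = 0, SPECIES = 1, SLOTS = 6, DATA = 8, END_MARK = 0xFF,
       REGION = 8 + 6 * 48 + 2 * 6 * 11 };   /* count byte .. nicknames */
/* Marker-driven delete: copy bytes down until 0xFF has been copied. Nothing
   limits the walk to the 7-byte species list. Returns bytes moved. */
static size_t remove_by_marker(uint8_t *r, int idx) {
    size_t i = (size_t)(SPECIES + idx), moved = 0;
    while (i + 1 < (size_t)REGION) {         /* bound exists only in this model */
        r[i] = r[i + 1];
        moved++;
        if (r[i++] == END_MARK) break;
    }
    return moved;
}
/* Bounded delete: driven by the count byte, confined to the species list. */
static void remove_bounded(uint8_t *r, int idx) {
    int n = r[COUNT];
    if (n < 1 || n > SLOTS || idx < 0 || idx >= n) return;
    memmove(&r[SPECIES + idx], &r[SPECIES + idx + 1], (size_t)(n - idx - 1));
    r[SPECIES + n - 1] = END_MARK;
    r[COUNT] = (uint8_t)(n - 1);
}
/* Constructed state: five party members, Egg first, list terminator lost. */
static void build(uint8_t *r) {
    static const uint8_t egg[6] = { 0xD7, 0x00, 0x0A, 0x2B, 0xFB, 0x2C };
    memset(r, 0x50, REGION);                 /* filler, contains no 0xFF */
    memset(&r[SPECIES], 0xB9, 7);            /* species list without 0xFF */
    r[COUNT] = 5;
    r[SPECIES] = 0xFD;                       /* EGG */
    memcpy(&r[DATA], egg, sizeof egg);       /* species, item, moves 1-4 */
    r[REGION - 1] = END_MARK;                /* stand-in for the next 0xFF */
}
/* Deposit party members 2-5 (list index 1, four times). Returns the Egg
   struct's species byte (high) and item byte (low). */
static unsigned egg_after_deposits(int bounded) {
    uint8_t r[REGION];
    build(r);
    for (int k = 0; k < 4; k++)
        if (bounded) remove_bounded(r, 1); else (void)remove_by_marker(r, 1);
    return ((unsigned)r[DATA] << 8) | r[DATA + 1];
}

int main(void) {
    printf("marker %04X, bounded %04X\n", egg_after_deposits(0), egg_after_deposits(1));
}
```

With the marker-driven delete, move 3 (FB) lands in the species byte and move 4 in the item byte, matching the Notes section; the bounded delete leaves the struct untouched.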