Why MissingNo Multiplies Items!

  • Published: 8 Sep 2024
  • In this part two we investigate how encountering a glitch pokemon will cause the 6th item to multiply. For this we are using Ghidra and SameBoy to debug and reverse engineer the code.
    Part 1: • Researching MissingNo ...
    Want to understand how to catch Mew? • Exploring the Mew Glitch
    Check out the whole GameBoy hacking playlist with stacksmashing: • Game Boy Hacking
    PwnAdventure Game Hacking Series: • Pwn Adventure 3: Pwnie...
    GhidraBoy: github.com/Gek...
    SameBoy: github.com/LIJ...
    =[ 🐕 Social ]=
    → Twitter: / liveoverflow
    → Website: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow

Comments • 523

  • @NancysSpankBank 4 years ago +575

    The fact, that we're in 2020 and people are still talking about Missingno makes me very happy

    • @MysticIceFire 4 years ago +5

      Missingno best pokemon,,,

    • @RedstoneHair 4 years ago +1

      Yeet, I'm playing on lakka pokemon red to get missingno, I got fly and all, I need surf and the island and I will get missingno

    • @ieanenizedsalt3311 4 years ago

      Quarantine my boi. Quarantine

    • @wayge 3 years ago +4

      Not only are we still talking about it, we're still learning things about it

    • @UNDEADWXRLORD 3 years ago +1

      2021

  • @StanleyDarsh22 4 years ago +392

    this is beautiful. not only are you clever for coming to the conclusion you did, but very intelligent for your ability to communicate the behavior of the bug to an audience that knows way less about it than you do.

    • @TypicalSardine 3 years ago +6

      Literally this looked like magic to me, I hardly understood a thing but I still feel enlightened 😂

    • @Egan466 3 years ago +4

      that's the reason I love his channel.

  • @ReturnRei 4 years ago +87

    I like the "how you could've found it yourself" approach as it teaches beginners how to get started in reverse engineering / research! Great Video!

  • @supportic 4 years ago +267

    Every video is like watching a detective series.

    • @kebien6020 4 years ago +1

      This. I think it's on purpose, and he makes it work sooo well.

    • @RedstoneHair 4 years ago

      Ya

  • @fouzaialaa7962 4 years ago +87

    as my grandpa always said: always check for array out of bound

    • @aytchemil 4 years ago +2

      oh gramps

    • @RussellTeapot 3 years ago +2

      so.. this is basically a buffer overflow?

    • @fouzaialaa7962 3 years ago +3

      @RussellTeapot yes but the condition was not caught by anything!!! usually it will be stopped at runtime and caught there but a buffer overflow is when it doesn't get caught by anything and it roams the memory freely

  • @fghsgh 4 years ago +68

    As a fluent Z80 programmer, I could follow along perfectly with the disassembly, but you still gave some insights I could not have gotten, thank you very much. This was definitely worth the 20 minute watch.

  • @OpenKeith 4 years ago +159

    I remember hearing that the reason those right-side tiles spawn land pokemon is because the game only uses the bottom-left 8x8 graphics tile for the "is this water?" check

    • @Double-Negative 4 years ago +61

      This is exactly correct and explains two other things:
      1. There are patches of grass in Viridian Forest which speedrunners use all the time because no pokemon spawn there. This is because certain grass tiles have a different sprite in the bottom left for cosmetic reasons, but it is not read as a grass tile, so no pokemon spawn.
      2. In some internationalized versions of the game, both checks are done on the same tile, so the missingno glitch is impossible in those versions.

    • @ElectTheMusic 4 years ago +13

      @Double-Negative you can get missingno in every version of the game, it's just a different process.

    • @proxy1035 4 years ago

      that is exactly why ruclips.net/video/8PILbqZqaS4/видео.html

  • @lostmyplaintext7587 4 years ago +84

    Don't know if you plan on continuing this series but the "beat the game in 3 minutes" glitch is also pretty interesting from a technical standpoint :-)

    • @Keldor314 4 years ago +4

      You have to wonder about the speedrun community sometimes when they allow something that's quite literally hacking the game to get to the end to count as a valid run e.e

    • @SilphBoss 4 years ago +20

      @Keldor314 because it can be done without modification to the physical game... can be done by hand by only playing the game

    • @Aleuay 4 years ago +8

      @Keldor314 overflowing the inventory through ACE or save corruption is within the bounds of the game, which is allowed. It takes a ton of skill and precision (navigating the inventory when it's overflowed requires you press A+B to scroll, it's extremely tight)

    • @OatmealTheCrazy 3 years ago +2

      @Keldor314 it almost doesn't really. There's no point trying to beat a time of 00:00, so it's not really run

  • @Modslover 4 years ago +209

    You're a very smart guy and very informative and great personality, i enjoy your videos.

    • @nikigameplay 4 years ago +3

      that's why I really enjoy his vids! :D

    • @RedstoneHair 4 years ago

      Same

    • @aaggroberlin19 3 years ago

      Why the hell is he smart because he has experience in something? According to you everyone is smart who knows this stuff o.O. And why does he have "great personality" because of his knowledge? Your comment makes 0 sense.

    • @Modslover 3 years ago

      @aaggroberlin19 wow you went through 11 months of comments to get offended at someone random complimenting another random person. I'm sorry that people can't have an interesting and fun way of providing content resulting in a good personality as well as having the ability to hone his skills and knowledge on technology to be able to describe in detail to everyone that doesn't know how or why something is happening. I am really glad you are here to show us that you are probably the smartest man alive. Knowing everything possible that the world has to offer before even hearing about it because you're so smart. I apologize for hurting your feelings for me supporting another pea brained human like myself. We praise you almighty watermelon brain. Show us the way, inform us with your superior brain power and knowledge. P.S. get a life and stop trying to take other people down with you, humble yourself and maybe you can provide the world some small amount of hope and further help the world more towards a better future.

    • @aaggroberlin19 3 years ago

      @Modslover 🤨

  • @DaenaMichelle 4 years ago +7

    As a pokemon fan and a software developer I must say you are an absolute madman and so admirable for exactly that, thanks for doing this!

  • @some1fromthedark 4 years ago +227

    I believe you were unable to rename variables because even though you disassembled the data, it was set as an undefined function. If you selected the address of the start of the function in ghidra and press f, that will define the function. After that you should be able to rename the function, variables, etc.

    • @GrandpaGameHacker 4 years ago +8

      this is correct!

    • @gcm4312 4 years ago +7

      yes. the grayed out box in the decompiler view means that a function was not defined.

  • @1337GameDev 4 years ago +2

    I REALLY like that you show that you're not super knowledgeable about everything, and your process in figuring it out. Very fun to watch/listen.

  • @ValseInstrumentalist 4 years ago +5

    Totally agree with your points about seemingly "pointless" research. I first used Cheat Engine by following a tutorial for how to use it with the game Dink Smallwood. That made me feel like a badass programmer, so I continued on to learn all kinds of other tech stuff like Python, Arduino, Raspberry Pi, and more.

  • @Ziberac 4 years ago +13

    This made me think back to the first game I had made in C++ that had this exact problem and made the game do crazy stuff. Very cool to watch.

  • @NorthLaker 4 years ago +4

    Hearing you being satisfied with your findings makes me satisfied as well!

  • @123gostly 4 years ago +8

    Used to use this hack all the time as a kid but with this video all of it is so beautiful. If only one thing had not gone wrong it would have never happened. Seems magical.

    • @Chaos89P 4 years ago

      Let me paraphrase to you what one Vinesauce guy's dad once said to him: It IS magic.

  • @over00lordunknown12 4 years ago +1

    You are the first person I’ve seen actually go into the code to explain the MissingNo glitch. I hadn’t even thought about why it duplicates items, I just knew it did. Keep up the good work!

  • @Originalimoc 4 years ago +7

    There're so many glitches related to the workaround of hardware limitations back then, there's rarely such kind of bug now.

  • @djbvck 3 years ago +2

    I love how in depth you went into the reasons the glitch affects everything. A lot of people just say "it changes these values when you talk to the old man" and didn't go into the things you can do with for instance the safari zone. I wish I knew about that years ago, would have made getting a Dratini waaaaay easier lol

  • @d0gkiller87 4 years ago +6

    7:58 The debuggers on Windows work the same way.
    Set a hardware breakpoint on memory access/write, causes the target be paused AFTER the access/write instruction did something to that memory
    (no IP register can be traced, so the debugger cannot determine what instruction is gonna do something to what memory without dynamic analysis).

  • @Frick-bv6xt 4 years ago +133

    I have absolutely no idea what's going on but it makes sense to me idk.

    • @charalampospapaioannou2371 4 years ago +8

      Exactly! Can't understand a single thing he just said but I love all of it

    • @RubyPiec 4 years ago +5

      @charalampospapaioannou2371 I do not understand it either but I still enjoy this. :)

    • @jpobi9880 4 years ago +6

      This is how I feel watching NileRed (chemistry) as a programmer.

    • @rndargis0 4 years ago +1

      The first thing I think of when I see H & L register and then a HL load instruction is that H is the high part of the address register and L is the low part of the register for the jump

    • @randomnerd4600 4 years ago

      Encountered pokemon are based on pokemon's pokedex id. And missingno points to some crap that mods items... That's what I think. I mean, I know abt dat from other vids.

  • @laurinneff4304 4 years ago +1

    I like how everyone is doing game boy/Pokemon/missingno videos rn, you, stacksmashing and retro game mechanics explained

  • @James2210 4 years ago +7

    Just going to post a few more details here, don't mind me:
    JR LAB_rom3__76a0 is an unconditional relative jump.
    ADD L doesn't modify L. It adds L to A. The LD L, A does modify L, though.
    Yes, SRL is a logical shift right.

  • @Innosos 4 years ago +5

    Some people are gonna eat this up. I'm reminded why I hate assembly.
    Great video and good job explaining it. It's a bit hard to follow at times because I'm not up to snuff with pointers, memory, addresses and their concepts.
    Always good to see people with lots of patience and competence.

  • @BatteryAcid1103 4 years ago +1

    I wish I could thumbs up this video multiple times. That little rant about playful research is really important for people to understand! If you're learning something, it's not a waste of time!

    • @AT-zr9tv 4 years ago

      Totally agree!

  • @PicMus 3 years ago

    Loved the narrative and editing. Great skills of storytelling =)

  • @over00lordunknown12 3 years ago

    I don’t really know much with assembly (much less disassembling code), but you did a fantastic job explaining it, and the end conclusion makes sense.

  • @GrandpaGameHacker 4 years ago +1

    This is awesome work. Using a scientific approach to game hacking, you figured out exactly why a bug occurs.
    I didn't know about the memory bank system, that's very cool.
    Also high five to Ghidra for making hobbyists' lives easier

  • @GodKido 1 year ago

    I'm torn between "this is awesome" and "how could you ever let this release unnoticed", but it's still a 25+ years old game so maybe not that odd... thanks for the insight, this was really interesting!

  • @traaafik 4 years ago +4

    Wow, I got nerd chills when listening to this great explanation! Thank you!

  • @VampireJester 4 years ago +1

    I have no knowledge of coding but I feel like I understood everything you said in both videos. I have no idea why but you just made so much sense.

  • @WilliamTresnon 4 years ago

    I love that both of you are doing this together. Collabs like this of this nature around similar subject need to happen more because the amount of content coming out of you two is great.

  • @MrJerohm 4 years ago +1

    I'm impressed by the details you time and time you must have spent working on this video, thanks a lot for sharing it!

  • @webentwicklungmitrobinspan6935 4 years ago

    It's so cool that you are able to analyse these old games by looking at their memory allocation.. must have been a cool time as a gamedev back then

  • @m4gmu5hell 4 years ago +7

    I just started learning 6502 assembly like a week ago and am amazed, on how much I could follow with the code xD

    • @Chaos89P 4 years ago +1

      6502 and z80, especially a modified one to include 8088 instructions, are different chips, but ASM tends to be similar in appearance.

    • @KidPrarchord95 4 years ago

      I've been fearing and neglecting starting for years and I am also amazed at how well I could follow

  • @BGroothedde 4 years ago +1

    That's a beautiful bug, it's so involved and has so many steps; that's what old school programming was all about!

  • @Demonslay335 4 years ago +3

    @3:30 OMG I literally had to pause the video, I was laughing so hard. Can totally relate to that moment on so many levels - both in game and in debugging. 😆

  • @AnthonyHarrisTechrat 4 years ago

    You and StackSmashing breaking all this down is some of the most enjoyable content I've seen in a long time. Great analysis, thanks for making these!

  • @revenevan11 4 years ago

    Absolutely fantastic video. So satisfying to be able to follow along with the *why* this historic bug does what it does. You've been slowly kindling my interest in picking apart software to learn about it. I loved picking apart electronics and some mechanical devices to learn how things work or some tricks I could use even if I didn't understand the whole device or what specific or odd components did. Now as my journey into learning to code is continuing, instead of having to pressure myself into committing far enough into a big project or building some arduino gizmo in order to actually get some coding practice in (now that I don't have any coding assignments and am strictly self teaching and using online tutorials), I can now get some practice and learn something by just casually fooling around! Even with games!

  • @beeperonithe2nd 2 years ago

    I really love videos like these even if I can barely understand them sometimes. But you do the best job at explaining without over-complicating things...
    Also Gen 1's spaghetti code is amazing to dissect lol.

  • @vladimir520 4 years ago

    This is such an interesting approach! Although I am not much experienced with assembly (I have simply played with the basics in a CTF), this step-by-step process really helped show me both how to investigate glitches and understand what you were saying! Should the big reveal just have been given to me, I probably couldn't make out much of it!
    Really fun series, I have thoroughly enjoyed these past videos of yours! Keep doing this amazing stuff, LO!

  • @savagetheunicorn4555 4 years ago +5

    Awesome I was waiting for this video when I found the previous yesterday c:

  • @SergioEduP 4 years ago +3

    Loved this (and the previous) videos! Would love to see a similar one explaining the Super Mario Bros credits warp used in speedruns =P

  • @ScrombIo 4 years ago +2

    IIRC the game will place the ending "1" into the item slot, essentially adding 128 items to item stacks that do not have 128+ items in them already. The glitch will not work on any item stack that is greater than 128, and using it on an item with a stack of 127 makes that item into a stack of 255. 255 also has the same properties as the CANCEL button which lead to some of the old Pokemon Blue any% NSC routes before easy ace with maps was discovered.

  • @Neoplasie1900 4 years ago

    Oh boy. So far, my personal coding was some data organisation with Python and converting a few hundred text files into an Excel sheet. Still you made me (kind of) understand what was going on here. Pretty cool stuff! And pretty fascinating reverse engineering work.

  • @HighPriestFuneral 4 years ago

    Having done some SNES, N64, and PS2 ASM hacking in the past, this was an absolute joy. I audibly said... "Oh...!!" When you put together the pieces at the end. All of this time it was a simple out of bounds array, with the idea that they never intended to have 32 bytes for all possibilities of Pokemon. This was a fun mystery that you broke down. Hopefully it inspires others to follow your lead.

  • @sagacious03 4 years ago +2

    Pretty interesting! I wonder if you'll "tackle" some of the less well-known Glitch Pokemon! Nonetheless, thanks for uploading!

  • @Squolly 3 years ago

    Awesome video. Enjoyed this and the corresponding MissingNo Video very much. Your explanation is very detailed and comprehensive and you really cheer one up to try to do similar research on other bugs or just simple game logic in old games. As someone who once wrote a gameboy emulator for learning purposes I can only recommend your videos for everyone who wants to become more emerged with this awesome piece of hardware.

  • @joemck85 3 years ago

    Clever analysis. I'd just assumed it was decoding the garbage sprite and cry data that resulted in the 6th item quantity being corrupted.

  • @nielsbishere 4 years ago

    So just to add to this; arithmetic functions generally use the accumulation register (a) so that's why that add doesn't have , a there. Also, HL spans two registers; H and L, the gameboy has mainly 8-bit registers but also shares those to make 16-bit registers so it can do stuff with addresses.

  • @basedfacistman 4 years ago +4

    I'm genuinely happy when I see live's new video

  • @prestonduffield5393 4 years ago

    It’s crazy I’m working on a project right now in school where we have to reconstruct a program from assembly. Very relevant and applicable stuff. Good work on finding out this bug and satisfying all of the people who wanted to know the reason behind all this madness.

  • @wildbill268 2 years ago

    This is so cool to see in action! If you didn't know, it's actually possible to duplicate TWO sets of items by replacing the already duped item with another item that has yet to have its bit flipped during battle. When you catch missingno, that same function must be performed in the process of updating its Pokedex entry, but instead of listing it as "seen", it gets listed as "caught". The game then forgets that you even saw missingno since the data for that would normally be referenced in the Pokedex data, which explains why this can be repeated multiple times through various wild encounters with missingno.
    That's probably not 100% correct, but that's my educated guess :)

  • @Litronom 4 years ago

    The conclusion at the end is very satisfying and pleasing! Great video!

  • @AT-zr9tv 4 years ago

    Awesome video!! I'm so happy the time I've been spending these past two months learning about Gameboy assembly has enabled me to understand much of this video. I would have been completely lost otherwise. Really great video, thanks!!

  • @razerx9393 4 years ago +2

    Just on a side note: Pokémon red/ blue had Pokémon from gen 2 (gold/ silver) in the Code but they were never really put in. No sprites etc. There is a list online that shows you every Pokémon that’s in the code and where it’s placed. Early on in the video, you said that you hit the value 135. That’s probably the actual Pokédex number (or shifted by one because of starting from zero) but it is a Pokémon that never made it into the game, so showing a missing no. I’m not a nerd in this coding stuff but I’m a nerd for Pokémon :D ps: most of these gen 2 Pokémon are above the index of 100 for some reason

    • @ArloMathis 4 years ago

      The internal IDs are the order Pokemon were added to the game. Scrapped Pokemon IDs were blanked out with a OO, or missing number. Pokemon scrapped from Gen 1 were recycled for Gen 2, leading to them being in the data.

  • @seriousskateboarding9938 3 years ago

    I personally found a bug a long time ago to give your pokemen unlimited hp. It could be used to further this research, if you're interested. And this bug has possibly never been released, until now. As I'm the one who personally discovered this bug by pure accident back in grade 6. Though I'm not sure, this bug is probably already, but here it is; I can't remember exactly how to do it because it was like 2 decades ago, but I think the trick was a Lil sumthin like this. 1. You need to start by doing this same missing no glitch (as most of us know each save file gets its own randomly selected pokemen that can be a lvl that is over 100.) 2. Catch the bugged lvl pokemen. 3. Lvl the bugged pokemen to max lvl. (THIS IS WHERE EVERYONE THOUGHT THE GLITCHES STOPPED) 4. (this next part is the part I accidentally discovered) After steps 1-3 are done: trade the pokemen to a different game via the ol link cable, then trade it back. The pokemon will lose lots of lvls after the trades, but the hp will remain as if it didn't unlvl. 5. Lvl the pokemon back to max lvl then repeat step 4... Every time you lvl then do the trade and trade back it allows you to infinitely?? Keep increasing the hp every time steps 4+5 are repeated. I never knew this random bug I found 20 years ago could possibly be useful for awesome research like this my dude..

  • @hasancakir8932 4 years ago

    Summary at the end explains the missingno bug well. Great video!

  • @SincerelyVince 4 years ago +3

    I'm a Java code architect. Recently, I've been working with systems that involve working with files containing raw data. This series has inspired me to jump into the ROM modding community. Keep up the excellent work 👍 Have any recommendations for those interested in studying assembly?

  • @standarrow9759 4 years ago

    I just discovered your channel even though I don't understand anything I still enjoy it

  • @carlisleee_ 4 years ago +1

    This video makes me really want to learn assembly... Thank you for that

  • @SiIverDragon 3 years ago

    I understand the concept of it, but I don't understand all this programming stuff, but still I love that kind of videos. Thank you :)

  • @sywei-vn2te 4 years ago

    You can configure your assembly listing window to show Ghidra's IR by clicking on that window's configuration, choosing PCode ops, and "enable field". The breakdown can help you figure out what the labeled mnemonics mean without resorting to a manual.
    You can also right-click on the mnemonic and jump to the instruction specification in the processor manual included with Ghidra.

  • @masternerd64 4 years ago

    man I'm actually really glad for my computer organization and architecture class now. I actually understand what's going on for the most part

  • @tartas1995 4 years ago

    Because of this series, I started looking at the Pokemon disassembly from Pokemon red (pokered on github) and I started to learn assembly for the GB. Gbz80 assembly.

  • @Levi_OP 4 years ago +11

    “The seventy tooth bit”

    • @ArloMathis 4 years ago +1

      You have to admit our system is kinda bad, it should be standardized.

    • @animowany111 4 years ago

      It is, and ordinal 72 is called seventy-second.
      English is actually one of the simpler languages when it comes to ordinals, and number kinds in general. 1st, 2nd, 3rd, 4-20th, 21st, 22nd, 23rd, 24-30th, ...

    • @RussellTeapot 3 years ago

      @animowany111 The seventy secondth bit

  • @Wkterr 4 years ago +2

    For anybody else who has the source code for Pokémon gen 1 and are following along: You can find the code shown at 11:18 in Tools.dmg at around line 3925. It's in the "bit_control" routine.

    • @Wkterr 4 years ago +2

      The code at 13:58 seems to be in FIGHT.DMG, around line 8629.

    • @Wkterr 4 years ago +1

      Comment on 20:14: Yes, this is correct. If you look at the call instruction right before the call to the "setNthBit" routine (called "bit_control" internally), it's calling the routine that fetches Pokémon IDs. Again, if you have the source, you can find this routine (get_order_no) in ZUKAN.DMG (zukan = "picture book", or Pokédex, as it was later named) at around line 1220. It fetches the Pokémon ID from the table in monsdata/order.dat. Here, missingno's ID is 0x00, and as you said, all IDs found in the order table are decremented before they're used.

  • @Dpx008Music 4 years ago

    I think you should check out Zelda Ocarina of Time related glitches, there are a ton of really interesting glitches like inventory manipulation or abusing cutscene pointers to warp to unintended locations.
    Even a few months ago, they discovered how to execute arbitrary code and functions in the game to basically do anything they like.
    I think it'd be really amazing if you took a look at this game!

  • @jambosuss 3 years ago

    You explain this very well, you lost me in parts, but I sort of understand what's going on. I lasted until around 18:00 before I couldn't follow anymore. GG

  • @tr1bute411 2 years ago

    This was great! I know it's a while ago you did this, but I would LOVE more research-perspective game bug investigations. Perhaps you could consider doing something similar with the Ocarina of Time Wrong Warp bug? It's also pretty crazy.

  • @XeZrunner 4 years ago

    Stunned! You made this so interesting!
    Thank you for your amazing work! I'm having lots of fun watching these videos!

  • @LordMarlle 4 months ago

    The old man glitch was incredibly strange and interesting to me as a child. I knew about game genie and understood that it changed the data of the game, so that wasn't mysterious or strange at all, it only got a bit fascinating when random codes sometimes would do unexpected things to the game. But talking to the old man, rewatching his tutorial, flying to some arbitrary yet specific locale, and then surfing, but only on the ledge, and then weird encounters would start, and somehow a single item slot would get multiplied? That was so frikkin weird. I'm not an expert of processors or programming at all, but I have a certain interest and I think it stems from that very glitch

  • @dervolker 4 years ago +4

    As always great analysis, couldn't agree more with you, that time spent fiddling around with something is worth it, since you learn so many things on your way, that otherwise only seem like abstract ideas.
    Nothing explains race conditions better than injecting code into some process and having it crash hard ...sometimes...
    Keep it up

  • @danieliusz7228 4 years ago +2

    Nice luck I'm having. This got uploaded when I finished watching part 1!

  • @letsrobocraft7282 4 years ago +4

    Hey, at 01:16 there's on the screen that 0xff = 256, but 0xff = 255, just wanted to point that out :)

  • @strattissimo8223 4 years ago

    Great video! I have always wondered why it was the 6th item when I found missingNo. Thanks guys!!

  • @evanjacoby7805 4 years ago

    I was trying to find a good answer to this the other day! thanks for the upload

  • @sundhaug92 4 years ago

    The Game Boy (and Game Boy Color) uses an instruction-set that is mostly like the 8080 and z80. This family uses 8-bit registers (except PC and SP, which are 16-bit), but for some instructions you can use 16-bit pairs (AF, HL, ...)

  • @Matt23488 4 years ago

    It's such an elegant bug... Thanks for this extremely enjoyable explanation!

  • @happinson 4 years ago +8

    did he mention that he has never seen this assembly

  • @Letalight 4 years ago

    I like that after all of this disassembly you make me feel like a nerd knowing that arrays start at 0.

  • @Matthew_and_Ami 4 years ago +1

    So one thing I remember, is if you got to the east side of seafoam islands coming from fuchsia city it does the same thing. While it does take longer to reach. It does work as well

    • @Chaos89P 4 years ago

      I went down the right shore of the route south of Pallet Town and found a Raticate.

  • @spicybaguette7706
    @spicybaguette7706 4 years ago +3

    It's always the array out of bounds that gets ya

  • @arnevaneycken2878
    @arnevaneycken2878 1 year ago

    This is amazing. Hits right in the childhood

  • @Manawyrm
    @Manawyrm 4 years ago

    If you also want to read the assembly for the mentioned functions (in a commented and somewhat structured form), here are some links to PokeRed:
    LoadEnemyMonData: (handles the pokemon encounter, calls the Flag function below)
    github.com/pret/pokered/blob/606df6a317df7c8d076410e8189f7e0a7782b530/engine/battle/core.asm#L6200
    Here's the code that handles the IndexToPokedex conversion and sets the flag:
    github.com/pret/pokered/blob/606df6a317df7c8d076410e8189f7e0a7782b530/engine/battle/core.asm#L6337
    IndexToPokedex:
    github.com/pret/pokered/blob/606df6a317df7c8d076410e8189f7e0a7782b530/engine/menu/pokedex.asm#L649
    Flagging-Function (also takes in a 3rd input value, the B register, which contains clear, set or read)
    github.com/pret/pokered/blob/606df6a317df7c8d076410e8189f7e0a7782b530/engine/flag_action.asm#L1
    predef seems to be the bank-switching function, which is structured as a macro (?) in Pokered:
    github.com/pret/pokered/blob/6ba3765c5932996f5da6417ae703794ff10bb1cb/home/predef.asm
    Thanks for these two great videos! I had a lot of fun watching and now reading the assembly.
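
The out-of-bounds flag write that the functions linked in the comment above lead to, modelled in C as an added example (not code from pokered or from the video). The action names, the 48-byte RAM array, the neighbouring byte at offset 31 and the invalid number 0 are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the game's real memory map: 19 flag bytes (152
   "seen" bits) followed directly by unrelated state in the same RAM. */
enum { ACT_CLEAR, ACT_SET, ACT_READ };   /* hypothetical names for the B input */
enum { N_FLAGS = 152, RAM_SIZE = 48, NEIGHBOUR = 31 };

static uint8_t ram[RAM_SIZE];

/* Unchecked bit-array helper: byte = index / 8, bit = index % 8. */
int flag_action(uint8_t *base, uint8_t index, int action) {
    uint8_t *p = base + (index >> 3);
    uint8_t mask = (uint8_t)(1u << (index & 7));
    if (action == ACT_SET)   { *p |= mask;           return 0; }
    if (action == ACT_CLEAR) { *p &= (uint8_t)~mask; return 0; }
    return (*p & mask) != 0;             /* ACT_READ */
}

/* Hardened variant: reject any index outside the flag array. */
int flag_action_checked(uint8_t *base, unsigned n_flags, uint8_t index, int action) {
    if (index >= n_flags) return -1;
    return flag_action(base, index, action);
}

/* One-based number to zero-based flag index; 0 wraps to 0xFF in 8 bits. */
uint8_t to_flag_index(uint8_t number) { return (uint8_t)(number - 1); }

/* Mark an entry as seen and return the neighbouring byte afterwards. */
int mark_seen(uint8_t number, int checked) {
    memset(ram, 0, sizeof ram);
    ram[NEIGHBOUR] = 1;                  /* constructed: a quantity of 1 */
    uint8_t idx = to_flag_index(number);
    if (checked) flag_action_checked(ram, N_FLAGS, idx, ACT_SET);
    else         flag_action(ram, idx, ACT_SET);
    return ram[NEIGHBOUR];
}

int main(void) {
    printf("valid number 25, unchecked: neighbour = %d\n", mark_seen(25, 0));
    printf("invalid number 0, unchecked: neighbour = %d\n", mark_seen(0, 0));
    printf("invalid number 0, checked:   neighbour = %d\n", mark_seen(0, 1));
    return 0;
}
```

Index 255 selects byte 31, bit 7, so the unchecked call sets the top bit of a byte that lies past the 19-byte flag array; the range check is the whole fix.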

  • @fliptech
    @fliptech 4 years ago +10

    Hey, would you like to do a follow-up that shows why the save data gets corrupted when catching a Missingno and saving the game?

    • @willofthewind
      @willofthewind 4 years ago +1

      But doesn't only the hall of fame get corrupted for MissingNo.?

    • @Mabi19
      @Mabi19 3 years ago +1

      Well, for now I can explain why the save data gets corrupted - but not as detailed as this video.
      Basically, have you noticed that Missingno's sprite is not a square? This is because it has invalid dimensions.
      When decompressing the sprite, the game expects that the sprite be a maximum of 7x7 tiles - but Missingno is larger. (11xsomething I believe.) This causes it to do a similar out-of-bounds array access which attempts to decompress the Hall of Fame data. But that is not compressed, so you just get gibberish.
      Edit: There's also a glitch Pokemon called "4 4" that has a sprite so large it decompresses into the RAM so far that it corrupts the sound system, which corrupts even more things. The game barely survives at that point (in fact, it usually crashes if not for special conditions)
      There are a LOT of interesting glitches in this game. Like Super Glitch (yes, it's actually called that!), various glitch textboxes, a lot of interesting glitch items (there's one that makes the screen blank for example), the out-of-bounds is interesting, I could go on like this for a LOOONG time.

    • @TheRen0gade
      @TheRen0gade 3 years ago

      Also why does capturing Missingno and putting it in your bank cause issues? Based on my memory from around 20 years ago.

    • @Mabi19
      @Mabi19 3 years ago +1

      @@TheRen0gade It doesn't actually have to; it may've been that you've already caught a Cubone before and needed to put it in for it to register.

  • @undead890
    @undead890 4 years ago +1

    Who here is old enough to have played Pokemon Red and Blue when it first came out and used the Missingno item duplication glitch to duplicate rare candies to level all of your pokemon to max level?

    • @marcobonera838
      @marcobonera838 4 years ago

      I played it, but European versions were patched :(

  • @black_platypus
    @black_platypus 4 years ago +35

    17:28 "Seventy-twoth" :P
    ...Or is "Seventy-Tooth" a new Pokemon? :O

  • @aerospherology2001
    @aerospherology2001 4 years ago

    Fighting a certain Super Nerd on the glitched Route 8 (Lavender Town-Saffron City) of my German copy of Yellow causes the first item to be changed into a TM of Dragon Rage, IIRC, and to have an out of bounds inventory. It got glitched because I did the Mew glitch incorrectly and saved. It has glitched music, slower movement (I have to press A or B often there), crashes, etc. Sometimes I can't even reach the Super Nerd to do the glitch, since he's at the more unstable Saffron side. For his battle, the first one is normal but it does the battle again.

  • @jellopuddington
    @jellopuddington 3 years ago

    I don’t know anything about coding, or about pokemon... but this is fascinating

  • @warpster7656
    @warpster7656 4 years ago

    Epic videos my dude. You have just educated my inner child. Thank you

  • @Timc394
    @Timc394 3 years ago +1

    That border in the beginning made me think my screen was broken lol

  • @DoYouKnowWhoKnew
    @DoYouKnowWhoKnew 4 years ago

    My Brain crapped out at 16:00. But amazing video

  • @ariss3304
    @ariss3304 4 years ago

    Hello. I am currently reverse engineering and annotating Minish Cap in Ghidra. These are some of the methods I use to analyze the program :)
    GB and GBA use a lot of bitwise functions since space was so tight back then; bitfields are used all the time! It can be frustrating trying to understand all of the shifts, ands and ors etc.

  • @jimmyjimbo666
    @jimmyjimbo666 4 years ago +2

    10:51 I think you weren't able to rename symbols because the function was undefined. You should be able to define a function in the disassembly window by right clicking the start of the function and clicking "Create Function" :-)

  • @Keldor314
    @Keldor314 4 years ago +2

    Woo! Z-80 instructions! I remember my graphing calculator back in high school used that CPU, and I used to do assembly stuff. Using an op code table and some graph paper to get hexadecimal machine code since I didn't have access to an assembler while sitting in class. Oh, and since the calculator did not have any non-volatile memory, just RAM and ROM, nor any concept of protected memory, any mistake in my programs would almost certainly crash the calculator and force a hard reset via removing batteries, which was literally a factory reset. Yay.
    ...Come to think of it, I actually had spare calculators that I won at math competitions. I wonder why I never thought to bring them along and use the link cable to back stuff up so I wouldn't have to reenter everything by hand. Although I think maybe the time when I was doing the assembly stuff was before I had won them?

  • @Andreas-vr3vs
    @Andreas-vr3vs 4 years ago +2

    I remember this trick from my childhood

  • @cryptearth
    @cryptearth 4 years ago +1

    imagine this would have been found during playtesting of original Japanese 1st gen - maybe MissingNo would have never become such a meme ...
    I remember back in primary school - about 20 years ago - someone came up with that very crazy way to abuse safari zone to get to "sunny town" (it's basically raw game data / memory) and although we didn't know what it is or what it could be used for we did it over and over and over again
    a similar bug is possible on certain casio calculators (there are a few models which work) - it takes forever to set it up and requires a lot of precision - but in the end it freaks out completely - one can change a few inputs during the setup which, in combination with how much time has passed since last power on (I assume a very simple counter that keeps getting counted up the longer it's powered on) + number of inputs and/or operations, does affect the output a bit
    search for "casio fx-85ms matrix" (or fx-82ms - which is the same but without the solar hybrid) and you'll find some videos - impressive how a simple school calculator can go full ham when you overload its firmware - would like an analysis of what's going on with that party - but has to be some sort of infinite loop caused by some overflow ...

  • @trustyTankadin
    @trustyTankadin 3 years ago

    This was a lot of fun! Thank you!

  • @JDSacharok
    @JDSacharok 3 years ago

    Amazing! Thank you so much for this!