PoC || GTFO

Rare Candy Hack: How and Why MissingNo is triggered in Pokemon Red/Blue.

When I was a kid, EVERYONE had a Game Boy and the game Pokemon Red or Pokemon Blue. These were essentials in my life, as they were for many other 90s children. You could train your Pokemon, trade them with others, and even battle other kids. It made gaming mobile, a feat that wasn't really explored until the 90s.


While at school, I played this one kid who had all his Pokemon at lvl 100, the max level any Pokemon could reach. HOW?! How did this happen? There's no way he spent the time battling until he got all his Pokemon there. He explained to me a 'cheat' that allowed you to duplicate any item in your inventory. The trick was to duplicate what's called a "rare candy", which raises a Pokemon's level by one when you give it to them. So, naturally, duplicating rare candies gives you the desired result of a copious amount of rare candies, and thereby plenty of ammo to increase your Pokemon's levels. But how does this process actually work? I'll start by explaining it from my view as a child, then I'll explain the technical feat behind it.

Game Requirements:

  • A Pokemon that knows HM02: Fly
  • A Pokemon that knows HM03: Swim
  • Able to get to Cinnabar Island
  • Be able to kill MissingNo (not hard)

In Game Steps


1. Go to Viridian City.

2. Set your 6th item to Rare Candy.

3. Talk to the bald man on the path. When he asks if you're in a hurry, say "NO".

4. Fly to Cinnabar Island.

5. Swim along the east coast of the island to run into MissingNo.

6. KILL MissingNo. Don't capture it or you'll have a bad time.

7. Victory! Tons of Rare Candies!


Wait, what? But what is REALLY happening? For this, we have to go deeper.
My first assumption was that it's a buffer overflow in which some hex value overwrites the value of item 6. I was wrong. What actually happens is much more in depth, and cooler!


The Game Boy and Z80


My first questions were: what is the architecture of this device, and how are its games programmed? What language do they use, and so on.

History:
In 1989, Nintendo released its first 8-bit handheld game console, named the Game Boy. The introductory price was set at $89.95, and the line sold 118.69M units worldwide, a figure that also includes later versions such as the Game Boy Pocket and Game Boy Color. Games are delivered on ROM cartridges. The Game Boy's CPU is a Sharp LR35902 core running at 4.19 MHz. This CPU was based on the 8-bit Zilog Z80, which means its assembly language is that of the Z80.

Game Boy Color motherboard. I see the LR35902!

"An opened Game Boy cartridge with battery-backed volatile memory for game saves. Measures 2.2" × 2.56" × 0.32" (or 56 mm × 65 mm × 8 mm)" -wiki



You've probably also used Z80 assembly without even knowing it: the same assembly language is used in the Texas Instruments TI-73x, TI-81, TI-82, TI-83x, TI-84x, TI-85, and TI-86 calculators. Unlike Intel's x86-64 architecture, which has 64-bit registers, the Z80 has only 8-bit registers. Two of them can be paired, though, such as B and C forming BC, to act as a single 16-bit register.


But how does all this relate to MissingNo? Well, MissingNo is actually triggered via a subroutine after a particular set of events happens. When I first read this, I thought, okay, so it's just like an if-then statement. But I didn't know that this is what is referred to as Delegation, so I did a bit more research into it.

A common variant in object-oriented programming is the delegate event model, which is provided by some graphic user interfaces. This model is based on three entities:

* a control, which is the event source
* listeners, also called event handlers, that receive the event notification from the source
* interfaces (in the broader meaning of the term) that describe the protocol by which the event is to be communicated.
Furthermore, the model requires that:

* every listener must implement the interface for the event it wants to listen to
* every listener must register with the source to declare its desire to listen to the event
* every time the source generates the event, it communicates it to the registered listeners, following the protocol of the interface.
C# uses events as special delegates that can only be fired by the class that declares it. This allows for better abstraction.
— https://en.wikipedia.org/wiki/Event_(computing)

The following is an example via the same wiki.

using System;

// A delegate type describes the protocol (the "interface") of the event.
delegate void Notifier (string sender);

class Model {
    // The event can only be fired from inside Model; views can only subscribe.
    public event Notifier notifyViews;
    public void Change() { /* ... */ notifyViews("Model"); }
}

class View1 {
    public View1(Model m) {
        m.notifyViews += new Notifier(this.Update1);
    }

    void Update1(string sender) {
        Console.WriteLine(sender + " was changed during update"); 
    }
}

class View2 {
    public View2(Model m) {
        m.notifyViews += new Notifier(this.Update2); 
    }

    void Update2(string sender) {
        Console.WriteLine(sender + " was changed"); 
    }
}

class Test {
    static void Main() {
        Model model = new Model();

        new View1(model);
        new View2(model);
        model.Change();
    }
}

Programmatic Events that Trigger MissingNo.



So the question arises: what programmatic events have to take place for the player to encounter MissingNo? The first event is the game's random battle encounter system. Every area where you can encounter a Pokemon assigns values to a data buffer, which the game uses for the player's encounter with a wild Pokemon. But along the coasts of Cinnabar and Seafoam Island, no values are assigned to the buffer! Whatever the previously visited area left there is used. This brings us to our next event, the in-game tutorial. In the 3rd in-game step, when you speak to the bald gentleman, he shows you the ropes. He's been around the block for a while, and wants to teach your little 10 y/o punk ass how to catch Pokemon. When he does, though, the player's name is temporarily stored in that same data buffer: the game takes the hexadecimal values of the player's name and places them into the buffer. When you then fly to Cinnabar Island and surf the coast, running into a Pokemon triggers the game's error handling. For those who are unfamiliar with error handling, these paths are usually placed in programs to debug and find holes; they are intentional, but are not meant for players to actually encounter. I have no idea whether error handling is removed (or is supposed to be removed) after production of a game, but this one stayed in. When looking up the values in the buffer, the game can't determine which Pokemon has the hex value of your name's characters (none exist), so MissingNo (short for "Missing Number") appears.
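To make the stale-buffer sequence above concrete, here is a toy model of it, added for this write-up and not code from the game or from any disassembly: the species table, area tables, 6-slot buffer and text encoding are all constructed assumptions. It contrasts the trusting lookup the post describes with a checked lookup that refuses to read a buffer the current area never filled.

```python
from typing import List, Optional, Tuple

# Constructed species table: only these IDs are defined; anything else is a
# "missing number". (Toy data, not the game's real internal IDs.)
SPECIES_TABLE = {0x01: "Bulbasaur", 0x04: "Charmander", 0x07: "Squirtle",
                 0x10: "Pidgey", 0x13: "Rattata"}

# Constructed per-area encounter tables. The Cinnabar coast deliberately has
# no entry, modelling the post's "no values assigned to the buffer" case.
AREA_ENCOUNTERS = {"route_1": [0x10, 0x13, 0x10, 0x13, 0x10, 0x13]}

def encode_name(name: str) -> List[int]:
    """Toy text encoding (an assumption, not the real character table):
    'A'..'Z' map to 0x80..0x99, padded with 0x50 bytes to six slots."""
    codes = [0x80 + ord(c) - ord("A") for c in name.upper()[:6]]
    return codes + [0x50] * (6 - len(codes))

class EncounterSystem:
    def __init__(self) -> None:
        self.buffer = [0x00] * 6      # shared wild-encounter data buffer
        self.area: Optional[str] = None

    def enter_area(self, area: str) -> None:
        self.area = area
        table = AREA_ENCOUNTERS.get(area)
        if table is not None:         # areas without a table leave stale data
            self.buffer = list(table)

    def run_tutorial(self, player_name: str) -> None:
        # The tutorial borrows the encounter buffer to hold the player's name.
        self.buffer = encode_name(player_name)

    def wild_encounter(self, slot: int) -> str:
        # Behaviour the post describes: trust whatever the buffer holds and
        # fall through to the placeholder when the ID is unknown.
        return SPECIES_TABLE.get(self.buffer[slot], "MissingNo")

    def wild_encounter_checked(self, slot: int) -> Optional[str]:
        # Hardened: never read the buffer unless this area filled it, and
        # report an unknown ID as "no encounter" instead of a placeholder.
        if self.area not in AREA_ENCOUNTERS:
            return None
        return SPECIES_TABLE.get(self.buffer[slot])

def reproduce_trick(player_name: str = "RED") -> Tuple[str, Optional[str]]:
    """Steps 1-5 of the post, returning (trusting result, checked result)."""
    game = EncounterSystem()
    game.enter_area("viridian_city")   # no table: buffer untouched
    game.run_tutorial(player_name)     # name bytes land in the buffer
    game.enter_area("cinnabar_coast")  # no table: name bytes remain
    return game.wild_encounter(0), game.wild_encounter_checked(0)
```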


I have yet to determine why it's the 6th item, but I will be tearing apart a ROM to find out. ;)
If anyone has more details on this, please let me know!


Conclusion


The CPU for the Game Boy Color uses an assembly language that isn't OOP, but Delegation Event Models. Pokemon was created with this programming model. The game's random battle encounter system reads the data buffer of the area you are located in. When you do the in-game tutorial, it sets the buffer to your name. Cinnabar Coast has a NULL value, which triggers reading the data buffer; that doesn't resolve to a Pokemon number, and the resulting exception allows MissingNo to come out. Killing MissingNo causes the 6th item in your inventory to be duplicated multiple times.

If any of this is inaccurate or more information should be supplied, please feel free to contact me!


Chris Magistrado