Exploring the Mew Glitch

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hey today we will look at the infamous long-range trainer glitch or as it's more widely known the mucilage when I was in school there were a ton of rumors on how to catch mu ranging from the mysterious mu under the truck from my last video up to having 24 in-game hours with one of your pokemons in the take air naturally none of these were true and just left behind disappointed pokemon trainers but then in 2003 the long-range trainer glitch got famous a real way to get from you and it's super simple and will not crap you're safe game all you had to make sure was that you hadn't yet battled two trainers let's take a look at how the glitch works first we need to walk up to what's called a long-range trainer the trainer that is off-screen and that gets engaged as soon as he appears while walking up to him we need to press and hold the start button and then use a method such as escape rope opera's teleport or a Pokemon with flight to get away the easiest way is to use fly and then fly to use Cerulean City note that as we fly away the exclamation mark on the trainer indicating that we are engaging him he still appears interesting after we've landed our stat menu will not work anymore and we need to walk up to you out 25 here we need to battle this specific trainer but we constantly walk up to him we need to make sure that we engaged the trainer in a way where he walks up to us otherwise the game will just lock up after we've defeated the trainer we need to go back onto route 8 for example the lavender town as soon as we leave the city towards the west onto route 8 here the Start menu pops up on its own and if we close it there suddenly in encounter mu what what's cool is that the threat on game FA cues that made the guj famous is still available on archive.org and the discussion is brilliant lots of people claiming that it's fake and my favorite is this post this needs to stop now you cannot I repeat cannot get mu without either game shark or going to a Nintendo promotional event so let's just stop with the rumors already especially unbelievable ones like this and given the strange way this glitch is executed I can see where he's coming from there were also a lot of people contemplating on whether this glitch was intentional but as you will see in the next couple of minutes it absolutely wasn't now in this video we will explore the glitch in a lot of detail using poke kureta to figure out what's going on Poquette is an awesome community approach that disassembled and annotated a lot of the Gameboy Pokemon games absolutely brilliant if you want to see how you can research glitches without having access to an annotated code base check out life overflows awesome last video of our Game Boy series he explains in a lot of detail how he reverse engineered the infamous missingno glitch also in the unlikely case that you haven't subscribed to him yet do so right now and if you want to watch our other Game Boy and Pokemon related videos click on the playlist link above and in the description also if you have a safe game you would like to try this with but have already battled the trainers in the description is a link to a small Python script that will re-enable the required trainers so let's figure out what's going on step-by-step as always I'm using same way as the emulator mainly because it's open source cross-platform and has a decent debugger same bar also supports loading symbol files so if you build poker ed you can directly set breakpoints on the names from the source code super useful now let's start with the name of the glitch why do we need a long range trainer why can't we open this top menu on a regular trainer if you try to do the trick on a regular trainer you will not be able to open the Start menu why is that a lot of the material I read claims that this is because when the sprite is loaded it faces downwards and so it won't engage you because you are not in its line of sight however this turned out to be wrong to understand what's going on let's first check out how encounters work each map in Pokemon has its own list of scripts that can define custom functionality for whatever city or forest we are currently in for example when the game starts in Pallet Town the script is used to implement Professor Oak preventing you from leaving town if we check the route eight scripts file from Poquette we can see that it has three scripts check fighting map trainers display enemy trainer text and start battle and enter trainer battle these three scripts are used by most routes given that they mostly have the same functionality the index of the currently running script is stored in W route 8 current script which is a global variable that is also part of the safe game if you check w r-- m dot ASM you can see that for most maps the game stores whatever is the current script for that specific map now when we walk around on route 8 check fighting map trainers will be called all the time check fighting map trainers will iterate through all visible trainers and one is in line of sight to start the engagement whether a trainer is visible or not is checked against the range in memory starting at C 100 AKA w sprite state data here each sprite has 16 bytes and the third byte indicates whether a sprite is visible or not as you can see when the trainer becomes visible the bytes which is from FF 2 5 4 and if the trainer leaves the screen it goes back to FF now to figure out what we can open the Start menu only on Norwich trainers let's interrupt the game as we are walking towards the trainer and set a breakpoint on check fighting web trainers and also an overworld loop less delayed check if start is pressed this allows us to see at which point in time the game checks without we need to engage the trainer and whether the trainer is visible already at that point we can also see at which point the Start menu is activated let's continue the execution and as you can see we are halting almost immediately on check fighting map trainers but as you can see in the memory view and also on the display the gambler is not yet visible and so will not be engaged let's continue and here's the check whether the start button is pressed which it is in our case if we continue we can see that the Start menu and the trainer appears but check fighting macaronis is not called again yet but as we fly away we can see that check fighting map trainers is called one more time and this time indeed a trainer is inside and so check fighting map trainers will think that the trainer was engaged this has a couple of interesting side effects that we need to keep track of first trainer engages called which sets bit zero of CD 6-0 this flag stalls whether the players engaged by a trainer this is done so the player cannot be engaged by multiple trainers at the same time then the function trainer walk up to player which makes the trainer as the name suggests walk up to the player sets with zero of wd7 3-0 which stores where than NPC is currently being moved finally the map script for route 8 is changed from 0 make a check fighting map trainers to 1 so pointing to display enemy trainer text and start battle let's keep the two bits and also the route 8 script in mind and continuing with the glitch we fly to his Cerulean City and walk up the Nugget bridge towards the youngster the reason the Start menu is not working at this point in time is that they despite a lock code checks whether the player is engaged by trainer the global 4 which was just one by the Czech fighting lab transcript now next we need to engage the youngster but as mentioned before we need to let the youngster walk up to us why is that now just as on route 8 route 25 has the same three script and if we engage the youngster the current script for route 25 changes from Czech fighting map trainers to display enemy trainer text and start battle and if we look at the code for it we can see that it will immediately return if the SNP see moving flag is set this puts the game into a lock-up it's waiting for the flag to be cleared but as no NPC is actually moving it will never get cleared and so the fight will never start however if we engage the youngster in a way where he has to walk up to us the walk-up routine will clear the NPC moving flag and thus start the fight now esta fight starts the game copies the unmodified stats of the youngsters engaging Pokemon such as level maximum HP attack defense and so on 2w enemy mon on modified level the copy is 11 bytes long and if we check out that area in WR MDOT ASM we can see that parts of this memory are used for multiple purposes for example the second byte of the special stat is also used in other functions to keep something called engaged trainer class normally this will not be of interest but for our glitch it's quite important and so let's keep track of this byte as engaged trainer class and go back to the fight after we have defeated the youngster the route 25 map script is set to you and trainer battle this will reset the engage by trainer flag and so most of the memory values are back to their non glitched state except the map script for rotate and the engaged trainer class which was just set by our fight against slowpoke now it's time to go back to rotate and so let's fly to 11 the city and go to the west as we cross the border from 11 the city to route 8 suddenly our start menu pops up this happens because now that we are on route 8 the script that W route 8 current script points to gets executed display enemy trainer text and start better this script calls display text ID which would normally display the text of the engaging trainer however as the text ID is set to null by the previous map script it thinks that we want to show the Start menu as we close the Start menu display enemy trainer text and start battle will call start trainer battle this function will eventually call with some other functions in between in but her common in that battle common is interesting as this code gets called both for traina encounters as well as for white Pokemon encounters the way it differentiates between both is by checking the opponent ID if it's over to 100 it starts a trainer battle and if it's under 200 it starts a Pokemon battle and guess which number it chooses to select the Pokemon to encounter a value that is copied from the engaged trainer class so the value that slowpoke said 215 and take a wild guess which Pokemon has the idea x-15 correct mu and so in a battle common we'll start an encounter with mu this is also why when we battle a different trainer than the youngster we get a different Pokemon there's even a whole map showing where to find which Pokemon now let's recap what exactly is going on we encounter a long-range trainer which will set the engage by trainer but the NPC is moving with and changed the current map script to 1 then we go to a different map encounter a trainer let him walk up to us to clear the NPC is moving bit and start a battle the special value of the trainers Pokemon gets copied into a byte that is also used as engaged trainer class and after we've defeated the trainer the engaged by trainer bit gets reset as we go back to the map where we encountered the long-range trainer the map script will open the Start menu as the text ID is set to 0 then as we exit the submenu we get an encounter with whatever Pokemon or trainer is stored in the engage trainer class bite awesome I hope you enjoyed this tool through the long-range trainer village and if you want to see more check out life overflows and mind other videos on the Game Boy and Pokemon thank you for watching and I hope to see you on this channel again soon

Info

Channel: stacksmashing

Views: 127,943

Rating: 4.935833 out of 5

Keywords: retro, reverse engineering, hacking, GameBoy, nintendo, ghidra, reversing, Retrogaming, Gaming, Consoles, FPGA, Security, game boy, ROM, ROM Hacking, ROM hacks, Patching, pokemon, pokemon red, mew, glitch, mew glitch, long range trainer, trainer fly glitch

Id: U8fWTDUdWGA

Channel Id: undefined

Length: 10min 30sec (630 seconds)

Published: Sun May 03 2020