1 2 3 4 5 6 7
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
The following is only true if I am understanding the code properly. When you kill a bad guy, you want (mem[02000008] >> 8) * 0x3243F6AD + 0x1B0cB175 to come to 1B0cB175 or a multiple of, with a psotive leway up to 8. Possibly r5 values are 3, 6, 7, or 8, depending upon some condition which is unknown. Additionaly, it's possible to get 8 more into r5 in:
804B328h:
	push r14
	mov r1,r0	;r0 always =1
	ldr r0,84F0B28h
	ldr r0,[r0]
	ldr r3,=1325Ch
	add r0,r0,r3	;r0=0201325Ch
	cmp r1,1h	;always true, in this case.
	beq +	;804B358h
	**SKIP**
804B358:
+	ldrb r2,[r0,11h]	;0201326D
	mov r0,r2
	pop r1
080684CEh:	;not real label.
	and r0,r1
	cmp r0,0h
	beq +	;80684D0h
	mov r5,7h	;luck base is 7.
+	mov r0,1h
	bl 804B328h
	[b]cmp r0,28h	;if r0=28h, gives you 8.
	bne +	;80684DCh
	add r5,8h[/b]
+	ldrb r1,[r6,12h]
Though I am not sure how that translates into the actual game- possibly an item? I'd recommend making a list of all good values for 0x02000008 (possible since the function apears extreamly static), and then waiting for it to fall into one of thouse values before you kill. Edit--- Oops, over looked a few things. The above isn't fully true.
Joined: 1/1/2022
Posts: 1716
Hoe wrote:
8000a90h is some mystery function. I'm not sure what that formula is suppose to do, but it will always operate on what ever the pointer in 0x02000008 goes to, then moves it back there, it seems. Possibly 'randomize.'
It's a PRNG alright. It's from "FORTRAN 77: An introduction to structured problem solving," I believe. Period is 2^29, so no, it's not 'extremely static'. The map was never really very good: it just dumps the top 2 tile layers for each room using its map location. Then again, if it doesn't need to look pretty...
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
attempt to convert to C :P
#define bignum1 0x6911396F
#define bignum2 0x1B0cB175

int rand_seed;

int rand() // 08000A90h
{
 rand_seed = (rand_seed >> 8) * bignum1 + bignum2;
 return rand_seed;
}

void dunno_80684ee()
{
 int rnd;

 if (something > 0x0f) return; // (?)
 rnd = (rand() >> 2) % 0x10; // Now rnd is between 0-15
 if (rnd < comparething) get_soul(); 
}
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
The seed is 32bits and is stored at 0x02000008. It is calculated off of the past seed and the current timer. The timer is 32bits and is stored at 0x02000000. The seed is only changed when needed. Some rooms you will see it constantly changing, while in others you wount unless you use your weapon. The seed is calculated by the following function:
08000A90:
	ldr r0,=84F0B28h
	ldr r2,[r0]	;r2=[02000000]
	ldr r0,[r0,8h]	;r0=[02000008]
	ldr r1,=3243F6ADh
	mul r0,r1	;r0=3243F6AD*[02000008]
	ldr r1,=1B0CB175h
	add r0,r0,r1	r0=r0+1B0CB175
	str r0,[r2,8h]
	bx r14
mem[0x02000008] = mem[0x02000000] * (mem[0x02000008] * 0x3243F6AD) + 0x1B0CB175
Now, assuming I have it correct, the following formula determins if you get a soul or not:
(((mem[02000008] >> 8) * 0x3243F6AD + 0x1B0cB175) >> 2) % 0x1B0cB175) < r5
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
   mov r4,10h 
+   bl 8000a90h 
   lsr r0,r0,2h 
   mov r1,r4  <---
   bl MOD 
   mov r4,r0
(((mem[02000008] >> 8) * 0x3243F6AD + 0x1B0cB175) >> 2) % 0x10) < r5
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
My above formula was wrong, but the mod is not constant. 0x10 is the floor that the mod can hit, the mod is calculated by the following:
;Calculate mod
080684DC:
	ldrb r1,[r6,12h]
	lsl r1,r1,3h
	ldr r0,[sp,14h]
	add r0,0E8h
	ldrh r0,[r0]	;loads luck
	lsl r0,r0,10h
	asr r0,r0,14h
	sub r0,20h
	sub r4,r1,r0
	cmp r4,0Fh
	bgt +	;80684F4h
	mov r4,10h
	+bl PRND
I'm not too sure what the rest of the values the above code reads are. 0 luck gets you a mod of 0x5c0, and 0x7f gives you 0x5b9. The code hints that it's possible for the formula to drop below 0x10, so I'm assuming what ever thouse other values are have a bit of weight behind them.
Former player
Joined: 8/1/2004
Posts: 2687
Location: Seattle, WA
I wish I knew what all of that meant... I just need to know what exactly defines a soul/item drop, by how much said actions affect the randomness, and what value will always herald a soul. If you could translate the code into those three things, I will get back to working on Aria as if my life depended on it.
hi nitrodon streamline: cyn-chine
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
the mod is a constant 10.
  mov r4,10h  <-- r4 is set to 0x10 here.
+   bl 8000a90h 
   lsr r0,r0,2h 
   mov r1,r4  <--- r4 is now copied to r1, so r1 (the divisor) is now 0x10
   bl MOD  <-- do % 0x10
   mov r4,r0
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
Zurreco, this can be used to calculate how many frames until you get 'lucky', in theory :)
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
TNSe wrote:
the mod is a constant 10.
  mov r4,10h  <-- r4 is set to 0x10 here.
+   bl 8000a90h 
   lsr r0,r0,2h 
   mov r1,r4  <--- r4 is now copied to r1, so r1 (the divisor) is now 0x10
   bl MOD  <-- do % 0x10
   mov r4,r0
080684EEh: 
   cmp r4,0Fh 
   bgt +   ;80684F4h 
   mov r4,10h 
+   bl 8000a90h 
   lsr r0,r0,2h 
   mov r1,r4 
   bl MOD 
   mov r4,r0 
   cmp r4,r5 
   bcs 8068540h   ;if r4 < r5, get soul.
That's inside of a conditional branch. That's the final part of the code in my last post, it's simply to prevent the mod from going below 0x10.
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
bl = branch link. It puts next instruction into r14, and branches to the address. Look at it like you would JSR/CALL, except that it puts return address into a register, not on stack. bx r14 is how you return from it. (RTS/RET)
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
Let me post my full code to make sure we're all on the same page here.
#define WRAM	0x02000000
#define TIMER	0x02000000
#define SEED	0x02000008
#define WRAM_P	0x084F0B28	;adress in pool which contains WRAM.

#define MOD	r4
#define CHANCE	r5

;Psudo-random number generator.
PRNG:
08000A90h:
	ldr r0,=WRAM_P	
	ldr r2,[r0]	;contains 0x02000000 (wram)
	ldr r0,[r2,8h]	;this time loaded 0x4C34683F
	lsr r0,r0,8h	;now 0x004C3468
	ldr r1,=3243F6ADh
	mul r0,r1	;r0=6911396F, c
	ldr r1,=1B0cB175h
	add r0,r0,r1	;r0=0x841DEAE4, nv
	str r0,[r2,8h]	;Write this back to where we first read from.

;gets mod of r0/r1. Returns to r0.
MOD:
080D8140h:
	swi 6h	;div (r0/r1)
	mov r0,r1
	bx r14

;there's also a bunch more stuff above here which handles other CHANCE values.
080684CEh:	;not real label.
	and r0,r1
	cmp r0,0h
	beq +	;80684D0h
	mov CHANCE,7h	;CHANCE base is 7.
+	mov r0,1h
	bl 804B328h
	cmp r0,28h	;if r0==28h, gives you 8 luck.
	bne +	;80684DCh
	add CHANCE,8h
+	ldrb r1,[r6,12h]
	lsl r1,r1,3h
	ldr r0,[sp,14h]
	add r0,0E8h
	ldrh r0,[r0]	;loads luck
	lsl r0,r0,10h
	asr r0,r0,14h
	sub r0,20h
	sub MOD,r1,r0
	cmp MOD,0Fh	;make sure mod value dosn't go below 0x10
	bgt +	;80684F4h
	mov MOD,10h
+	bl PRND
	lsr r0,r0,2h
	mov r1,MOD
	bl MOD
	mov r4,r0
	cmp r4,r5
	bcs 8068540h	;if r4 < r5, get soul.
	
804B328h:
	push r14
	mov r1,r0	;r0 always =1
	ldr r0,WRAM_P
	ldr r0,[r0]
	ldr r3,=1325Ch
	add r0,r0,r3	;r0=0201325Ch
	cmp r1,1h	;always true, in this case.
	beq +	;804B358h
	**SKIP**
804B358:
+	ldrb r2,[r0,11h]	;0201326D
	mov r0,r2
	pop r1
	bx r1

;Calculate seed
;mem[SEED] = mem[TIMER] * (mem[SEED] * 0x3243F6AD) + 0x1B0CB175
MAKE_SEED:
08000A90:
	ldr r0,=WRAM_P
	ldr r2,[r0]	;r2=[TIMER]
	ldr r0,[r0,8h]	;r0=[SEED]
	ldr r1,=3243F6ADh
	mul r0,r1	;r0=3243F6AD*[SEED]
	ldr r1,=1B0CB175h
	add r0,r0,r1	r0=r0+1B0CB175
	str r0,[r2,8h]
	bx r14
The following snippet from the above compairs MOD to 0x0F, and if it's lower, sets MOD to 0x10.
	cmp MOD,0Fh	;make sure mod value dosn't go below 0x10
	bgt +	;80684F4h
	mov MOD,10h
+	bl PRND
Emulator Coder
Joined: 10/9/2004
Posts: 453
Location: Norway
Your PRNG is same as MAKE_SEED btw. Yes, now that I know where the cmp/bgt branches to, it has a minimum of 0x10. So basically all that needs to be done now, is make a calculator built into the emulator that handles this for every frame you play, and tells you what random value you would receive that frame (at the final cmp r4,r5).. :P
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
TNSe wrote:
Your PRNG is same as MAKE_SEED btw.
erm, woops ;]
TNSe wrote:
So basically all that needs to be done now, is make a calculator built into the emulator that handles this for every frame you play, and tells you what random value you would receive that frame (at the final cmp r4,r5).. :P
You could modify sephiroth2ks program to do exactly that, with out fiddling with the emulators source: http://boards.pocketheaven.com/viewtopic.php?t=222&start=810#14921
Former player
Joined: 8/1/2004
Posts: 2687
Location: Seattle, WA
Essentially, I am well equipped program wise in the task of solving Aria's soul randomness. However, I will need some kind of how to guide in order to really work this. TNSe tried to explain it to me roughly, and I think I get the general concept behind this, but I'm not confident enough in myself that I will be able to use what I have right now effectively. Also, does this also affect item drops? Aside from all of this horrid soul randomness, I also need to randomise 3 drops in my quick movie.
hi nitrodon streamline: cyn-chine
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
I was attempting to find the 'drop item code' but I havn't found it. I disassembled the function which calls the soul function (which apprently also checks for level ups) but found nothing. It may be below the soul stuff, not sure yet.
;the on hit function.
0807B116:	;not real label
	add r2,2Dh
	mov r0,8h
	strb r0,[r2]
	ldrh r0,[r6,34h]
	lsl r1,r1,10h
	asr r1,r1,10h
	sub r0,r0,r1
	strh r0,[r6,34h]
	mov r0,r6
	mov r2,0h
	bl 8042BA0h
	mov r1,34h
	ldsh r0[r6,r1]
	cmp r0,0h	;find out if the monster is dead. If not, skip
	bgt +	;807B1C4h
	mov r0,r6
	bl SoulFunction ;80683D0h	;This is our soul function.
	mov r0,70h
	bl 80D7924h
	mov r0,r6
	mov r1,3h
	mov r2,0h
	mov r3,0h
	bl 803F2Dch
	mov r1,r6
	add r1,2Ch
	mov r3,r6
	add r3,5Ah
	mov r0,0Fh
	ldrb r1,[r1]
	and r1,r0
	lsl r1,r1,3h
	ldrb r2,[r3]
	mov r0,79h
	neg r0,r0
	and r0,r2
	orr r0,r1
	strb r0,[r3]
	mov r0,28h
	strb r0,[r6,-Dh]
	mov r0,1h
	strb r0,[r6,0Bh]
	bl PRNG	;8000a90h
	ldr r4,=3FFFFh
	and r0,r4
	ldr r1,[r6,40h]
	add r7,r7,r1
	ldr r1,=0FFe60000h
	add r0,r0,r1
	ldr r1,[r6,44h]
	add r2,r0,r1
	mov r0,r6
	mov r1,r7
	bl 807B26Ch
	bl PRNG	;8000a90h
	mov r1,r8
	and r0,r1
	add r7,r0,r5
	bl PRNG	;8000a90h
	and r0,r4
	ldr r1,[r6,40h]
	add r7,r7,r1
	ldr r1,=0FFE60000h
	add r0,r0,r1
	ldr r1,[r6,44h]
	add r2,r0,r1
	mov r0,r6
	mov r1,r7
	bl 807B26Ch
+	pop r3	;where the function goes if a monster didn't die.
	mov r8,r3
	pop r4-r7
	pop r0
	bx r0	;return
SoulFunction:
080683D0h:	;Soul function entry point
	push r4-r7,r14
	mov r7,r10
	mov r6,r9
	mov r5,r8
	push r5,r7
	add sp,-24h
	mov r7,r0
	add r0,36h
	ldrb r0,[r0]
	mov r8,r0
	lsl r0,r0,3h
	...skip...
0806845Ah:	;not real label.
	cmp r0,0h
	beq +	;8068464h
	ldr r0,=133h
	mul r0,r4
	lsr r4,r0,8h
+	cmp r4,0h
	beq 806848Ah
	mov r1,r9
	ldr r0,[r1,30h]
	add r0,r0,r4
	str r0,[r1,30h]
	ldr r1,=5F5E0FFh
	cmp r0,r1
	bls 806847Ah	;false if you went up a level
	...skip...
080684CEh:	;not real label.
;see other posts for the code that goes here.
Former player
Joined: 8/1/2004
Posts: 2687
Location: Seattle, WA
As much as I hate bumping and/or egging people on, I need to know if there has been any luck in isolating the drop code. Also, I'm still interested if anyone wants to explain in layman's terms how to use sephiroth2k's program to determine soul drops. TNSe had initially said 'just run it along with VBA and pay attention to the number it gives you on the frame that you kill the monster on. If it it at or below the soul's base number, you will get the soul.' That's good and all, although I still don't have an index of soul/item code base numbers or how to run the application alongside VBA.
hi nitrodon streamline: cyn-chine
Joined: 1/9/2005
Posts: 219
Location: The Netherlands
C'mon people! :) Anyone with the knowledge to help this good man out?
http://www.megazpeed.com - THE site for the ultimate MegaMan Zero superplay movies.
Former player
Joined: 8/1/2004
Posts: 2687
Location: Seattle, WA
As of tomorrow, I will be at my new place with not a whole lot to do. I guess, since I won't have internet for a bit, I'll just be doing some random tests with stuff further on in the game. Hopefully, by the time that my connection there is established, someone will have at least released an FAQ or something on the soul program. Also, the item drop calculator would be an awesome help as well.
hi nitrodon streamline: cyn-chine
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
To my knowledge, there is no AoS program right now. The program I linked to, my Seph2k, is a SNES tracer that works for SNESAdvance. The reason why I linked to it is because that program could be modified to read values from AoS and generate statistics on future randomness. It would definately be wiser/easier to program it inside of VBA-rerecord, but then the source diff would need to be applied to each additional version for future AoS runners. I may/may not attempt at making an AoS specific version of VBA-rerecord, but I will need to find the time and effort to bother. The basic idea is to calculate future outcomes of the PRNG to let the ranner known how many additional frames until the next soul or item drop, but there is a large problem on the grounds that it can be called once or more per frame due to the PRNG being used for non-drops.
Joined: 1/9/2005
Posts: 219
Location: The Netherlands
So you're trying to run along a program that will allow you to get a soul on command. Why not use a codebreaker code? I saw a CBC on website, where the "badguys always drop souls". You can activate it when you want a soul and deactivate it when you don't (slows down ,etc) You can find a "drop soul" CBC here; (bottom) http://blitz.phpwebhosting.com/content/Castlevania:_Aria_of_Sorrow
http://www.megazpeed.com - THE site for the ultimate MegaMan Zero superplay movies.
Wren
He/Him
Joined: 4/11/2005
Posts: 196
Location: Michigan
Well, that would be cheating and the code doesn't work anyway.
<i>A little rudeness and disrespect can elevate a meaningless interaction to a battle of wills and add drama to an otherwise dull day.</i>
Editor, Reviewer, Experienced player (978)
Joined: 4/17/2004
Posts: 3109
Location: Sweden
>So you're trying to run along a program that will allow you to get a soul on command. No. He's trying to run along a program that can predict wether he will get a soul or not (without testing every time). At least that's what I think this is about. If he runs a program that changes the code of the game, the stream of keypresses he produces won't play back correctly for everyone else, since they're not modifiying their game in the same way.
Player (206)
Joined: 5/29/2004
Posts: 5712
If it told you how to get a soul, that would be really nice...
put yourself in my rocketpack if that poochie is one outrageous dude
Hoe
Joined: 7/31/2004
Posts: 183
Location: USA
Wren wrote:
Well, that would be cheating and the code doesn't work anyway.
That's my web site, I am aware that that code does work. It's for the eur version of the game, and VBA decided to break some aspects of it's cheating system at some point past 1.5- vba and the rom are out of my hands. We're talking about making a program which will predict how many more calls to the PRNG will need to occure for a soul drop. Meaning, it's a bit more tool assisted then attempting at every frame until the results are in your favor.
1 2 3 4 5 6 7