Post subject: How do I find RNG & questions
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I saw some guides, and all of them seem to somehow assume the user would know when the RNG will advance. Let's say, I made this action change after waiting a set amount of frames.
1. How do I even know if the RNG changed, or is it something else related (like a timer)? Just by seeing an enemy moved somewhere else (in games without "drops" or anything) doesn't really help.
2. I made 2 movie files that do almost the same thing, and tried using RAM Search on BizHawk. However, every time I play back another file, it clears out the search results. How do people even repeat what they did then?
3. Trace log is convoluted, plus it's not available to every single emulator. How do people find RNG for those then? Blind luck?
4. How would I even know which memory region is it in? I could be searching for hours, and for all I know it could be in some other memory region and I just wasted my time.
5. http://tasvideos.org/LuckManipulation.html Any actual examples on different consoles? This page assumes people will already know what to do, but is there some idiot's guide that basically says "Click this and click that you noob"? Especially since right now, it's easier to just blindly brute force edit addresses and somehow encounter an RNG than to follow guides.
Invariel
He/Him
Editor, Site Developer, Player (171)
Joined: 8/11/2011
Posts: 539
Location: Toronto, Ontario
1. When RNG updates itself varies from game to game. Some games have it change (multiple times) every frame, some games only have it change when an RNG value is used.
2. Transfer memory addresses that you are interested in from RAM Search to RAM Watch. Search will continue to update itself when you reload a state, but I don't know why it clears itself when you load another file (assuming you mean input file and not ROM).
3. If you're referring to the memory trace log, it's convoluted because it's spitting out assembly which requires some effort to parse. It can be relaxing though, looking up op codes and figuring out what a particular block does.
4. That likely varies by the game, but you probably want RAM for anything that changes and a ROM bank for anything static.
5. I'm not sure what you are asking here. The RNG's location, how many RNGs there are, how frequently they're polled, what they are used for, what their effects are, etc. are different for every game; investigating the game, trial and error, and recording results are likely to be your best bets for games that aren't well researched.
I am still the wizard that did it. "On my business card, I am a corporate president. In my mind, I am a game developer. But in my heart, I am a gamer." -- Satoru Iwata <scrimpy> at least I now know where every map, energy and save room in this game is
Site Admin, Skilled player (1254)
Joined: 4/17/2010
Posts: 11475
Location: Lake Char­gogg­a­gogg­man­chaugg­a­gogg­chau­bun­a­gung­a­maugg
Do the issues you list also apply to http://tasvideos.org/ReverseEngineering.html ?
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Invariel wrote:
1. When RNG updates itself varies from game to game. Some games have it change (multiple times) every frame, some games only have it change when an RNG value is used. 2. Transfer memory addresses that you are interested in from RAM Search to RAM Watch. Search will continue to update itself when you reload a state, but I don't know why it clears itself when you load another file (assuming you mean input file and not ROM).
1. I assume there's no easy way to determine it? As in, for all I know I could be searching for a static value, and every time I press "different from previous value" would've been futile?
2. I'm doing that, but having hundreds of addresses there seems to slow down a lot. Also no way to filter them out like RAM Search.
feos wrote:
Do the issues you list also apply to http://tasvideos.org/ReverseEngineering.html ?
Figuring out why a certain action occurs differently is actually not that hard. But it requires using a debugger and setting breakpoints, as well as dumping the executed code to a log file (or a window).
This is not available to some emulators/cores such as GBA/DS, yet people have actually managed to reverse engineer RNG for games on those such as Pokemon, or Mario, etc. So I'm really curious how that's done without the tools mentioned in that page, and if possible, a guide for general cases.
Site Admin, Skilled player (1254)
Joined: 4/17/2010
Posts: 11475
Location: Lake Char­gogg­a­gogg­man­chaugg­a­gogg­chau­bun­a­gung­a­maugg
jlun2 wrote:
GBA/DS
Both have emulators linked on that page.
Invariel
He/Him
Editor, Site Developer, Player (171)
Joined: 8/11/2011
Posts: 539
Location: Toronto, Ontario
jlun2 wrote:
Invariel wrote:
1. When RNG updates itself varies from game to game. Some games have it change (multiple times) every frame, some games only have it change when an RNG value is used.
1. I assume there's no easy way to determine it? As in, for all I know I could be searching for a static value, and every time I press "different from previous value" would've been futile?
It's a bit easier to track down these errant values by, for example, making a save state, quickly approaching an event that you know is not consistent (an enemy that jumps sometimes and walks other times; a damage value that is within a range; an enemy that sometimes drops an item, sometimes drops another item, and sometimes drops nothing) and tracking values. You know that the RNG had to have changed, because you got a different result, so you know that you can update and narrow your search.
jlun2 wrote:
Invariel wrote:
2. Transfer memory addresses that you are interested in from RAM Search to RAM Watch. Search will continue to update itself when you reload a state, but I don't know why it clears itself when you load another file (assuming you mean input file and not ROM).
2. I'm doing that, but having hundreds of addresses there seems to slow down a lot. Also no way to filter them out like RAM Search.
It's true that having a lot of RAM watch addresses slows things down, but you should only be noticing real slowdown while trying to play the game at any reasonable speed - if you're simply frame advancing, you shouldn't notice anything. If you want to play back your input file at some percentage of speed, you can minimize the window and things should play normally.

Also, I wouldn't advise storing hundreds of addresses there if you can avoid it; drawing known values to the screen with Lua might be faster for you. (Yes, I realize this forces another tool into your arsenal, but it's also a very helpful thing to have.)

Here's a screenshot of my Faxanadu screen, which I honestly need to get back to soon.

I've drawn the actual numbers over the health and mana bars, and for each of the eight potential enemies on the screen (E8 through E1), I am tracking their health and their three internal phase values, which correspond to behaviours. I am also tracking my X coordinate and subpixel, my Y coordinate (we don't have Y subpixels), my speed, my invincibility frames, my ointment counter, and lastly the RNG value. Below that, in faded colours, are the values from last frame.

This ensures that I maintain the highest possible speed (384) whenever possible, lets me know immediately when RNG changes, and lets me ensure that I moved last frame, which is really useful when the main character is not yet drawn, or when moving after attacking. I also have hitboxes for the enemies, which makes them easier to hit or avoid than guessing. Furthermore, it means not tracking 47 (plus hitboxes, which are calculated) values in RAM Watch. Drawing all of this information on the screen doesn't slow my game down at all when re-watching at 100% speed, or even when fast forwarding.
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
feos wrote:
jlun2 wrote:
GBA/DS
Both have emulators linked on that page.
Thanks. But a dump of even 1 frame gives huge amounts of results. Googling gives a bunch of results not related to emulated games. How do I approach this?

@Invariel That's what I'm doing, but getting no consistent change despite changing suspected addresses. I assume I got to search this for every single memory region?
Invariel
He/Him
Editor, Site Developer, Player (171)
Joined: 8/11/2011
Posts: 539
Location: Toronto, Ontario
No, you can discard ROM because it can't be changed. Which console are you working with? If I have access to the game, we might be able to coordinate over PM.
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Invariel wrote:
No, you can discard ROM because it can't be changed. Which console are you working with? If I have access to the game, we might be able to coordinate over PM.
Sadly, I seem to constantly encounter games that have an RNG or some random behavior. Examples from published movies:
DS - Grand Theft Auto Chinatown Wars (spawns of cars/civilians)
GBC - Wario Land 2 (last boss behaviour)
GBA - Densetsu no Stafy (npc behaviour)
GBA - Legend of Zelda, The: A Link to the Past (npc behaviour, drops)
GBC - Keitai Denjuu Telefang - Speed Version (spawns, npc behavior, drops)
NES - Friday the 13th (many different spawns)
NES - Journey to Silius (drops)
GBC - Yuu Yuu Hakusho: Makai no Tobira (npc behaviour, object spawns)
DS - Over the Hedge (the single safe's combination in the first set of stages in game)
GBC - Tony Hawk's Pro Skater (npc behavior)
NES - Jurassic Park (suspected npc behaviour; got the feeling its more to do with its id)
DS - Dementium: The Ward (npc spawn based on RTC; unknown address)
GBA - Monster House (drops, npc spawn in the minigame)
GBC - Harry Potter and the Sorcerer's Stone (npc spawns & behaviour, drops, critical hits)

Since they keep appearing on the games I play/TAS/interested in, I have a desire to learn at least one method of
1. Finding the RNG address
2. Finding how 1 value corresponds to what action/drop/thing

Understanding at least 1 method would allow some progress on future games, instead of getting stuck repeatedly.

Edit: Sent a PM.
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
Invariel wrote:
2. Transfer memory addresses that you are interested in from RAM Search to RAM Watch. Search will continue to update itself when you reload a state, but I don't know why it clears itself when you load another file (assuming you mean input file and not ROM).
I just found out about this: This apparently allows just what you said. And it only took like 4 years for me to find out. Better late than never. :)
Invariel
He/Him
Editor, Site Developer, Player (171)
Joined: 8/11/2011
Posts: 539
Location: Toronto, Ontario
I was actually meaning that you can right-click on any of those addresses and choose something like, "Move to RAM Watch". But that also exists!
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
I found this old post: Post #394464 I'm not sure how applicable it is to DS games in general, but it seems common enough to place here for future reference.
Skilled player (1741)
Joined: 9/17/2009
Posts: 4981
Location: ̶C̶a̶n̶a̶d̶a̶ "Kanatah"
jlun2 wrote:
I found this old post: Post #394464 I'm not sure how applicable it is to DS games in general, but it seems common enough to place here for future reference.
With the help of Invariel, we managed to get 2 formulas:

NPCs and your movement make the rng go like this
	rand = (rand * 1103515245 + 12345) % 4294967296;
and simply reloading a stage does this:
	rand = (rand * 2603963141 + 1051550459) % 4294967296;

This was found by using the trick mentioned from the post, then plugging in x, y, and a "z" that I assumed to be 2^32 onto a script and display the next 10 results. It ended up matching.

where rand is at 0x2133DF4. This was found by first finding the addresses associated with the random event, in this case the safe password. Then assumed the value keeps changing, and searched for "not equal to previous value" for each time the password changed until the search result was narrowed to < 100 results. Then froze each one and manually checked if it had any effect on the password.

The steps for the formula (stage reload):
1. Set 2133DF4 to 0
2. Reload the stage (advances rng once)
3. Record the value. It was 3EAD62FB (1051550459 in decimal)
4. Set 2133DF4 to 1
5. Reload the stage
6. Record the value. It was D9E2B600 (-639453696 in decimal signed) (3655513600 in decimal unsigned)
7. The formula for LRC is rand = ((rand * x) + y)%z. Step 3 gave y. Subtract step 6 unsigned value with step 3's to get x. This gave x = 2603963141
8. z is usually the number of bits or some power of 2.

Make a script in any programming language you want. Plug in the values for x, y, z and loop it a number of times. If it matches the game it's correct. Sample:
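file = io.open("test.txt", "a")
io.output(file)
x = 2603963141 -- multiplier
y = 1051550459 -- increment
z = 4294967296 -- modulus, 2^32
rng = 0 -- starting seed
-- rng * x can exceed 2^53, which Lua 5.1 doubles cannot hold exactly,
-- so multiply in 16-bit halves to keep every intermediate value exact
function mulmod(a, b)
	local lo, hi = a % 65536, math.floor(a / 65536)
	return (((hi * b) % 65536) * 65536 + lo * b) % z
end
for i = 0,10 do
	newrng = (mulmod(rng, x) + y) % z
	-- one line per step: hex value, decimal value
	io.write(string.format('%.8x',newrng)..","..newrng.."\n")
	rng = newrng
end
io.close(file)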
With that said, now the question is: given the RNG and the values that the RNG assigns, how does one find the formula for that? Here's a list of 10,000 values of the RNG and the password it gives https://drive.google.com/open?id=0B-2O13fpsnI4bGdJZWo1MWdDZWs The left column is the RNG value and the right column is the password. How do they relate? Thanks for all the help so far btw! :)
Joined: 9/6/2009
Posts: 24
Location: Renton, WA
jlun2 wrote:
With the help of Invariel, we managed to get 2 formulas: NPCs and your movement make the rng go like this rand = (rand * 1103515245 + 12345) % 4294967296; and simply reloading a stage does this: rand = (rand * 2603963141 + 1051550459) % 4294967296;
I'm guessing the first formula is for using a single random number. If so, then the second formula is for using 7 random numbers.
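The two-probe recovery from the steps above and the 7-step relation guessed in this reply, as an added example that is not code from the thread. The probe readings and both formulas are the ones quoted in the posts; the function names are hypothetical, the modulus 2^32 is the post's own assumption, and the script goes one step beyond the posts by composing the per-step formula with itself to count how many advances one stage reload consumes.

```python
M = 2**32  # modulus "z" assumed in the post

# Per-step formula and the two probe readings, all quoted from the posts.
BASE = (1103515245, 12345)
AFTER_SEED_0 = 0x3EAD62FB   # value recorded after a reload with rand = 0
AFTER_SEED_1 = 0xD9E2B600   # value recorded after a reload with rand = 1


def recover_lcg(f0, f1, m=M):
    """Return (x, y) of rand -> (rand*x + y) % m from outputs for seeds 0 and 1."""
    y = f0 % m           # seed 0 leaves only the increment
    x = (f1 - f0) % m    # seed 1 gives x + y; subtracting y leaves x (mod m)
    return x, y


def compose(a, c, n, m=M):
    """Return (A, C) such that n applications of the LCG equal (rand*A + C) % m."""
    A, C = 1, 0          # zero applications: identity map
    for _ in range(n):
        A, C = (a * A) % m, (a * C + c) % m
    return A, C


def steps_between(base, target, m=M, limit=1000):
    """Smallest n in 1..limit whose n-fold composition of base equals target."""
    for n in range(1, limit + 1):
        if compose(*base, n, m) == target:
            return n
    return None


def predict(seed, a, c, count, m=M):
    """Next `count` values of the generator, for comparison against the game."""
    out = []
    for _ in range(count):
        seed = (seed * a + c) % m
        out.append(seed)
    return out


if __name__ == "__main__":
    reload_lcg = recover_lcg(AFTER_SEED_0, AFTER_SEED_1)
    print("stage reload formula:", reload_lcg)
    print("per-step advances per reload:", steps_between(BASE, reload_lcg))
    print(["%08x" % v for v in predict(0, *reload_lcg, 3)])
```

Two probes always fit some multiplier and increment, so the comparison of further predicted values against the game (step 8 of the post) is what confirms the generator really has this form.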
Post subject: Finding the RNG in memory
Joined: 1/16/2017
Posts: 12
Hey guys, I am really new to doing TAS' and have been trying to read as much as I can. I just started working on Inindo for the SNES and I am currently trying to find anything that might determine RNG in memory. Since the game is pretty much a black box, what are the general techniques and principles used in order to discover anything that determines RNG in memory? So far, the closest thing I have found is a value that is set when you enter a dungeon to determine how many steps until your next encounter, but I don't know what generates that value.
Amaraticando
It/Its
Editor, Player (159)
Joined: 1/10/2012
Posts: 673
Location: Brazil
It's not easy at all. Read this.