
Past Gen RNG Research

Discussion in 'Wi-Fi' started by mingot, Sep 12, 2009.

  1. Kazo
    I don't think that is correct. I was just working on trying to find the formula, and I think they are two 32-bit RNGs.

    Here is what I got so far.
    Code:
    OFFSETS BLACK (add 0x20 to offset for white)
    02216084 = SEED1
    02216088 = SEED2
    0221608C = 0x6C078965
    02216090 = 0x5D588B65
    02216094 = 0x00269EC3
    
    SEED1 = (0x6C078965 * SEED1) + 0x00269EC3;
    SEED2 = ???
    Variables and constants for SEED2 seem to include SEED2, SEED1, 0x6C078965, and 0x5D588B65.
    
    
    RNG advancements when forcing SEEDs to certain values.
    00000000 00000000
    00269EC3 00000000
    55AE9CB2 7188D00C
    A0C3B2FD 0AF528D3
    C910A194 0A8B4E34
    
    00000001 00000000
    6C2E2828 5D588B65
    5AF1DE8B E3B543E4
    0B78CE9A 3D7FCA1A
    CB968B85 3FE714A2
    
    00000000 00000001
    00269EC3 6C078965
    55AE9CB2 76CC11E5
    A0C3B2FD 75AA4470
    C910A194 0D113825
    
    
    AR codes to modify RNG variables and constants to try to crack formula.
    02216084 00000001
    02216088 00000000
    0221608C 00000001
    02216090 00000001
    02216094 00000000
    
  2. mingot
    Some things that might help:

    Regarding seed 2 and the constant 0x5D588B65:

    It looks like it's a hash function.

    http://blogs.msdn.com/b/ricom/archive/2007/01/22/performance-quiz-12-the-cost-of-a-good-hash.aspx

    Regarding seed 1:

    0x6C078965 used to be part of the old ARNG.

    It really looks like this is just another LCRNG with new constants. I used the researcher function in RNG Reporter and plugged in your new constants and got the same results that you did when you forced the seed.

    Regarding something I found a few days ago:

    Check out the routine at 02019B7A. It's the old LCRNG, but I didn't see where it actually stored the value. Everything came in and out through registers and without a debugger I could not get a handle on where / when it was called.
  3. Kazo
    I think it is used for the pkm data encryption, trying to modify either 0x41C64E6D or 0x6073 caused the game to display an error message when trying to get into a battle, access the storage box, or open the party. Starting a new game with the value modified before the game generates your starter does not display the error message. Haven't tested this part yet, but I am sure if you try to import a pkm from the save file with the modified encryption to a normal save file would result in the pkm being invalid.

    The encryption routine: http://www.projectpokemon.org/wiki/Pokemon_NDS_Structure#Encryption
  4. mingot
    Cool, that makes me feel like that code has a reason that doesn't necessarily have anything to do with pokemon generation. Oddly enough, that makes me feel better.

    Do you think it might be worthwhile for me to quickly release an rng reporter with a method for "SEED1 = (0x6C078965 * SEED1) + 0x00269EC3" so that we can do a quick check to see if we can find a captured pokemon?
  5. ΩDonut
    Both seeds are used to generate egg PIDs. I kept Seed1 constant and got changing PIDs, Seed2 constant and got changing PIDs, and when I kept both constant I got a static PID.

    Code:
    Seed1	Seed2	PID
    0x0	0x0	C0AAEBC6
    0x0	0x1	5878F4C3
    0x1	0x0	5878F4C3
    0x1	0x1	539702A7
    
    The fact that we get the same PID when Seed1 and Seed2 are reversed is promising. It might not be so hard to figure out egg PID generation, even if we don't have a debugger.

    Unfortunately, the egg IVs seem to be coming from some other RNG, one that's constantly changing in the background. I'll need some more testing to see if it advances "Emerald fast" or not.

    A few notes:

    - The game does not load if the time recorded at the last save matches the time when you reload the game. You'd have to re-save at a different time.
    - The egg PIDs are loaded into memory location 02234BA4 (White) when generated. I've confirmed this several times, and it spares the trouble of checking the save files under PokeGen.
  6. Kazo
    Seems like I was wrong earlier; it is a 64-bit seed, and the formula for advancing is:
    Code:
    OFFSETS BLACK (add 0x20 to offset for white)
    02216084 = SEED
    0221608C = 0x5D588B656C078965
    02216094 = 0x0000000000269EC3
    
    SEED = (0x5D588B656C078965 * SEED) + 0x0000000000269EC3;
    
    Also, what you said about the IVs being generated by another RNG: I believe that, since I had matching PIDs but different IVs when I froze the RNG and captured a few Pokemon.

    Also, the PID was 0A8A4E34. I think I remember seeing something on that one site mingot linked earlier about XORing something by 0x10000; I think it was the PID, because the PID seems to be the high 32 bits of the 4th RNG call (0A8B4E34C910A194) XOR'd with 0x10000.

    0000000000000000
    0000000000269EC3
    7188D00C55AE9CB2
    0AF528D3A0C3B2FD
    0A8B4E34C910A194
  7. ΩDonut
    Is that a PID generated from a stationary legendary? I did the same thing with a Pokemon I Sweet Scented in the grass, but didn't get a similar result (PID -- 86F3A159)

    EDIT: Actually, I kinda did. 06F2A159, one of the upper 32 bits, when XOR'd with 0x10000 is 06F3A159. Add 80000000 and you get the PID result.

    Code:
    RNG calls with Sweet Scent:
    
    00000000 00000000
    00000000 00269ec3	
    7188D00C 55AE9CB2	
    0AF528D3 A0C3B2FD	
    0A8B4E34 C910A194	
    C83FB970 153A9227	
    0C45453A 2B8A2726	
    CC28FE89 36A566C1	
    22967565 4EAC71E8	
    38C7575F 507CB74B	
    67795501 267F125A	
    C0AAEBC7 A9910645	
    06F2A159 CA9C04FC	<-- probably where the PID came from, with some modification
    C9E3DDA4 E143722F	
    08D1DD28 EB26D24E	<-- PID was definitely generated just before here
    94CB488B 35255589	
    9D847485 1566AED0	
    36360093 ECE6E6D3	
    8B8FEA14 5C8B9B02	
    6493EA8F 4E3CD88D	
    46DD090E D5E68364	<-- RNG value at the battle start
    Additionally, I tested the PID outcomes of Pokemon Sweet Scented in grass, with fixed seed values:

    Code:
    U32	L32	PID
    0x0	0x0	10000
    0x1	0x0	EC068965
    0x0	0x1	DD598B65
    0x1	0x1	496114CA
    0x10000	0x10000	94CB6C07
    0x0	0x10000	8BCB6C07
    0x10000	0x0	09640000
    0x10000	0x1	E6BC8B65
    0x1	0x10000	776DF56C
    
    Will analyze these later, right now have to do some paying work. My girlfriend is trying to get a better translation of the Japanese RNG researcher's blog, but she hasn't had time to make much progress yet.

    Some additional notes:

    - The PID is stored at 02259DA0, 0225A410, 0226AB74, 0226B0D4, and 022A7BB4(White) when generated. Only the first two keep the PID stored immediately after the battle ends. At least for wild, Sweet Scented Pokemon. Don't know why it's stored in several locations, though.

    - Nature is no longer linked to PID in 5th gen. I'll have to test to see if the nature comes off the same RNG as the PIDs.
  8. Kazo
    I know the nature is in the RNG at 02216084 because it is always the same for a certain SEED. Still haven't figured out which call it's from, though.

    Also, the Sweet Scent PID might just be XOR'd with 0x80010000.

    Also, I noticed
    Code:
    0x0    0x0    10000
    
    Make sure you are setting the RNG and then disabling the code. The PID should be 0A8A4E34. I had the same issue when I was testing; I think it has to do with the rate the AR codes are refreshed, stuffing 0 back into SEED as soon as the game reads it for the PID, then XORing 0 with 0x10000 to get a PID of 0x10000.
  9. ΩDonut
    Tested with an initial seed of 0x100000000 and got a PID of 28F7922A.

    Code:
    	RNG value
    0	100000000
    1	6C07896500269EC3
    2	76CC11E555AE9CB2
    3	75AA4470A0C3B2FD
    4	0D113825C910A194
    5	82DDFE85153A9227
    6	1F41C3832B8A2726
    7	A95AE25636A566C1
    8	D0C90A464EAC71E8
    9	028F7D24507CB74B
    10	4409A8BA267F125A
    11	5878F4C4A9910645
    12	28F6922ACA9C04FC
    13	1308B919E143722F
    14	FA010F51EB26D24E
    So sometimes it's XORing with 0x80010000, other times with 0x10000.

    It works for some short tests. The PID result is generally the next RNG result XOR'd with 0x10000, or 0x80010000, or some other number. It's a quicker way of getting results, at least until RNG Reporter is updated to handle the 64-bit seeds. (Hey, don't I have access to the source code? Yes. Yes, I do.)

    Code:
    U32	L32	PID		Next RNG #	XOR'd with
    0x0	0x0	10000		0		   10000
    0x1	0x0	EC068965	6C078965	80010000
    0x0	0x1	DD598B65	5D588B65	80010000
    0x1	0x1	496114CA	C96014CA	80010000
    0x10000	0x10000	94CB6C07	14CA6C07	80010000
    0x0	0x10000	8BCB6C07	8B656C07	  AE0000
    0x10000	0x0	09640000	89650000	80010000
    0x10000	0x1	E6BC8B65	E6BD8B65	   10000
    0x1	0x10000	776DF56C	F76CF56C	80010000
    So remember when I said that IVs and nature\PID were no longer linked, that IVs were generated by a different RNG? I've been sitting in a quiet NPC-less area in Victory Road and using Sweet Scent. I keep getting the same Gantoru every time - same stats, same nature, same PID. So they're linked after all, at least in some cases.

    The fluctuating IVs just might've been a side effect of not disabling the codes I used, like Kazo said.

    Also: the C-Gear advances the RNG at a slow and steady rate, probably once every 1 to 1.5 seconds, but needs further confirmation on an actual cart.
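    The posts above give enough to reproduce the generator outside the emulator. The following is an added example, not code from the thread or from RNG Reporter: it implements the 64-bit LCG Kazo read out of 02216084 in post 6 (multiplier 0x5D588B656C078965, increment 0x269EC3), checks it against the dumped sequences, applies the two PID transforms tabulated in this post (upper 32 bits XOR 0x10000 or 0x80010000), and applies the egg-PID relation Kaphotics reports further down (the 022160A8 value minus 1). The function names (`bw_next`, `bw_prev`, `find_pid_advance`, and so on) are this example's own. It goes one step beyond the thread: because the multiplier is odd, the LCG is a bijection on 64-bit states, so `bw_prev` rewinds it with the modular inverse; a single observed state therefore exposes every earlier and later state, which is why an LCG is never an acceptable source of security-relevant randomness.

```python
# Added example (not from the thread): the 64-bit LCG behind Pokemon Black/White's
# main RNG as read out of 02216084 (Black) / 022160A4 (White), plus the PID
# transforms observed in the thread. Constants come from the thread; the code
# and function names are this example's own.

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1

# Multiplier and increment as dumped from 0221608C / 02216094 (Black).
MULT = 0x5D588B656C078965
ADD = 0x0000000000269EC3

# Multiplicative inverse of MULT modulo 2**64. It exists because MULT is odd.
# (Three-argument pow with a negative exponent needs Python 3.8+.)
MULT_INV = pow(MULT, -1, 1 << 64)


def bw_next(seed: int) -> int:
    """One forward step: SEED = (MULT * SEED + ADD) mod 2**64."""
    return (MULT * seed + ADD) & MASK64


def bw_prev(seed: int) -> int:
    """One step backwards. An LCG is a bijection on its state space, so a
    single leaked state yields every earlier and later state."""
    return ((seed - ADD) * MULT_INV) & MASK64


def bw_sequence(seed: int, n: int) -> list:
    """The n states after `seed`, in the order the thread's AR dumps list them."""
    out = []
    for _ in range(n):
        seed = bw_next(seed)
        out.append(seed)
    return out


def high32(state: int) -> int:
    """Upper 32 bits of a state: the word the thread watches at 02216088 / 022160A8."""
    return state >> 32


def wild_pid_candidates(state: int) -> dict:
    """Wild-encounter PIDs in the thread are the upper 32 bits of an RNG result
    XOR'd with 0x10000 or 0x80010000. Both are returned, keyed by mask, because
    the thread has not yet pinned down which one applies when."""
    h = high32(state)
    return {0x10000: h ^ 0x10000, 0x80010000: h ^ 0x80010000}


def egg_pid(state: int) -> int:
    """Egg PIDs, per Kaphotics' observation, equal the 022160A8 value minus 1."""
    return (high32(state) - 1) & MASK32


def find_pid_advance(seed: int, pid: int, max_adv: int = 64):
    """Locate which advance (1-based) from `seed` produced `pid` under the wild
    transforms, returning (advance, xor_mask) or None. This is the search the
    thread does by eye when it marks 'probably where the PID came from'."""
    state = seed
    for adv in range(1, max_adv + 1):
        state = bw_next(state)
        for mask, cand in wild_pid_candidates(state).items():
            if cand == pid:
                return adv, mask
    return None


if __name__ == "__main__":
    for i, s in enumerate(bw_sequence(0, 4), 1):
        print(f"call {i}: {s:016X}")
    print("0A8A4E34 comes from advance", find_pid_advance(0, 0x0A8A4E34))
    last = bw_sequence(0x100000000, 14)[-1]
    back = last
    for _ in range(14):
        back = bw_prev(back)
    print(f"rewound 14 steps from {last:016X} -> {back:X}")
```

    Running it from seed 0 reproduces the four values in post 6 and finds Kazo's 0A8A4E34 at advance 4 with mask 0x10000; from the same seed, ΩDonut's Sweet Scent PID 86F3A159 falls out at advance 12 with mask 0x80010000, matching the marked line in post 7. The rewind only needs the current state, not the initial seed, which is the practical lesson for anyone tempted to reuse an LCG of this shape for anything adversarial.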
  10. Valkart
    I'm in front of Victini right now, can I help you guys with something? I didn't know that it respawns every time I defeat it and enter the room again.
  11. mattj
    Yeah, echoing the guy above. I got my cart in. What could I do to help you guys? What do you mean by confirmation on an actual cart?
  12. Riski
    Echoing the previous two posters. I also have my retail game in (Black) so if you need any testing done, let me know.
  13. ΩDonut
    Right now, nobody can help with an actual cart until we figure out a way for people to find out their initial seed. We don't even know how it's being calculated; all we know about it is from a Japanese blog, and all the author knows is that it somehow involves date\time and the MAC address unique to that DS.
  14. Kaphotics
    If you are looking for the MAC address of the DS, you can check it while in game via the C-Gear.




    some other RNG observations (on White) to look over, I can't analyze this to the depth you guys can ;). Don't take it as 100% true, I could have messed up writing something down (did this 2 weeks ago)

    Did some testing so far on Kyuremu and Victini.
    Victini's room has no frame advancement, same with Kyuremu (even though there are some snow particles falling). Turning in Kyuremu's room changed the place by 1, just like generation 4.

    Victini advanced the frame three times (0 changes -> 3 changes),
    Kyuremu changed twice (0 changes -> 2 changes).
    I exited Victini's main chamber many times and did not get either location to change. I did not test the entire building. Battling an NPC inside the building changed the resulting PID/Nature/IVs of the Victini. It also changed when I went back to Hiun and came back.
    It did not look like Victini's island had any moving NPCs; his room does not.

    Additionally I tested one of the deer trio (Birijion), the one in the forest.
    I ran around over 500 steps on a bicycle and neither position advanced (C-Gear off). It advanced both places by 2 when encountered.

    Step counter???

    Seeding + Spreads (Birijion)
    The positions 022160A4 and 022160A8 changed 3 times (felt like the first one had a delay in between the 2nd two, which changed faster). Was in the Spring Season.
    022160A4 started at: 9B7A6317, to 39DD22AA, D69845D5, 412A3D34
    and then when encountering: 412A3D34 to 54A2B1C6, D9E3B7E1.
    022160A8 started at: 0E6A08D2, to D3B25B59, AE9BA4EA, F5CE805A
    and then when encountering: F5CE805A to 39216839, 39016579
    The resulting Birijion was Bold, (Hex 39206839) (Decimal 0958425145) PID, 18/02/20/14/24/28 (speed last) as the frame advanced twice (frame 2 Pokemon? or 1 for PID, 1 for nature?)

    Manipulating the Memory Spots
    They only changed when I restarted the game. Resetting the game changed it from 00000000, to one value, and then to another. When I entered the game at a different time (and delay), I always ended up with the same values as at a different time. Upon confirming the C-Gear to be off/on, these places changed 3 times when I "continued" (fade to season).
    Not based on time/delay anymore?

    I've noticed saving the game (with the C-Gear off) advances the RNG.

    The C-Gear being on advances the RNG at pretty much any time, even if you are at the Party Pokemon summary screen, Pokedex, or even saving.


    Having a monster frame of 2 is weird, it could possibly do IVPID and a nature?..... just speculating :)

  15. Riski
    Something I've noticed about breeding in B/W: saving in front of the Day Care Man when he has an egg does not guarantee the same nature or gender. I have tested multiple times with the same save position while standing in front of the Day Care Man while he's holding an egg. I've gotten different natures and different genders on the supposedly same egg. Perhaps this is already known or has been discussed elsewhere on the forum, but I'm making a note of it here for anyone looking at the research thread with breeding in mind.
  16. Kaphotics
    Pieced it all together now. Go ahead and read!
    -----

    Did some testing for memory locations of egg PIDs. White, C-Gear off. Frame @022160A4(8) advances fairly fast at the daycare man.
    lolresearch
    Started testing with the second egg, after I had received
    the message from the man that the egg was ready.

    Code:
    Searched 1 change after receiving the egg as a preliminary filter, 
    and then searched for the PID. 
    Resulted place: 02234BA4 - value: 81EFFED3 (Egg's PID) 
    -- it was set after confirming that I want it, 
             not after when I dismissed the post dialogue message.
    
    Rewatching this place over the course:
    02234BA4 - 00000000
    02234BA4 - 81EFFED3 -- (pressed yes)
    
    Resulting [PID 81EFFED3] [IVs FFF32F3F] 
    (31/25/11/6/31/31 speed 4th entry), Naughty Nature Ability 2 Male.
    	Saying no first does not set the eggs PID.
    
    So once I had the PID, I searched it for all the memory locations. 
    Taking the egg then had:
    02234BA4 - 81EFFED3
    0223EBFC - 81EFFED3
    odd... Noticed that 0223EBFC changed twice when I grabbed it (rapid)
    
    
    02234BA4  0223EBFC
    00000000  02284034
    00000000  3600FEFE (could it be Nature generation? Don't think so...)
    81EFFED3  81EFFED3 egg received
    
    I could not find the value [Egg's PID] 81EFFED3 at any place 
    in the memory before initiating the ingame chat with the man.
    
    
    When the man triggers the event (Egg is available) after receiving an egg.
    02234BA4  0223EBFC
    81EFFED3  81EFFED3 - start (contains old PID)
    81EFFED3  FFFFFFFF - man triggered (stepped on the line trigger)****
    81EFFED3  FFFFFFFF - walked up to man (no change), started talking **
    81EFFED3  02284034 - changed once the Yes/No option appeared.
    81EFFED3  ECEBE286 - pressed yes (part 1 of rapid change)
    81EFFED3  39FA5BBB - egg received (this is the PID)
    
    reloading from **, 02234C80 contained the new PID 
    rather than the 02234BA4 after receiving the egg.
    
    reloading from **** and waiting momentarily...
    81EFFED3  FFFFFFFF - man triggered (stepped on the line trigger)****
    81EFFED3  FFFFFFFF - walked up to man (no change), started talking
    81EFFED3  02284034 - changed once the Yes/No option appeared.
    81EFFED3  72A5C151 - Different PID!!!
    
    02234C80 had this same PID stored in its location. I don't have this save 
    anymore, so I can't check the rapid change of 0223EBFC.
    
    Now being a little trickier, I waited a different amount of time and got this:
    
    02234C80  0223EBFC
    00000000  81EFFED3 - start (contains old PID)
    00000000  FFFFFFFF - man triggered (stepped on the line trigger)****
    00000000  FFFFFFFF - walked up to man (no change), started talking **
    00000000  02284034 - changed once the Yes/No option appeared.
    00000000  72A5C152 - pressed yes (part 1 of rapid change)
    BD38F73B  BD38F73B - egg received (this is the PID)
    
    what's interesting is that I saw the "pressed yes" value (72A5C152) before 
    (but a little bit different)
    
    Further delving into this:
    
    0223EBFC
    81EFFED3 - start (contains old PID or any old value)
    FFFFFFFF - man triggered (stepped on the line trigger)****
    FFFFFFFF - walked up to man (no change), started talking **
    02284034 - changed once the Yes/No option appeared.
    3B41C782 - pressed yes (part 1 of rapid change)
    F888399E - egg received (this is the PID)
    
    0223EBFC
    81EFFED3 - start (contains old PID or any old value)
    FFFFFFFF - man triggered (stepped on the line trigger)****
    FFFFFFFF - walked up to man (no change), started talking **
    02284034 - changed once the Yes/No option appeared.
    F888399F - pressed yes (part 1 of rapid change)
    3E2E1307 - egg received (this is the PID)
    
    Looking at the 022160A4(8) value (frames) of when I initiated 
    the talk with the man, they were both different.
    
    I then logged all of these values in order of occurrence.
    022160A4 022160A8 Values:
    925FACE2   67F73030 --- Start for [0DDE57E0]
    5CD38A44   BB1A907D - [0DDE57E0] frame change one
    4C768F97   964D5914
    3EE61456   72A5C152 - Rapid for [BD38F73B] / 0DDE57E0 Frame change 2
    1261AF98   21EC4FE9 --- Start for [F888399E]
    74D13DBB   3B41C782 - Start [39FA5BBB] / Rapid [F888399E]
    A4DA0C8A   ECEBE286 (F888399E frame change one)
    0772097E   057793AE
    61AACB79   7F90DE7A
    1AC9CF43   F611675A
    80853F32   F7210446 Start 3E2E1307 
    9FC2E014   39FA5BBC After Received (F888399E) / 3E2E1307 frame change 1
    45FFA1A6   9C0E22C1 (3E2E1307 frame change 2)
    DF0D3B41   E8ADCF63
    1FDBC868   C9209EC6
    BE66F37C   8E59EB27
    2F760AAF   3E2E1308 (3E2E1307 frame change 3)
    04397CCE   3A233868 [After Egg Received (3E2E1307)]
    88CC9D82   3C91AD54
    9FB9550D   B33169E4
    4BC701B7   7E13A588
    ......
    
    Didn't see the ending frame for 39FA5BBB, 
    probably further down the frame line or the frame didn't 
    advance consistently enough (2 times at once). I was going at 
    a very slow speed so if it appeared I would have seen it.
    
    Unobserved Frame Changes F888399E
    69D047AC BBC9FDC9 -- change 2
    D5E84F7D F888399F -- change 3
    
    Unobserved Frame Changes for 0DDE57E0
    BB61F19F 0DDE57E1 -- change 3
    Unobserved Rapid For 0DDE57E0
    56B24A36
    
    Unobserved Rapid for 3E2E1307
    F888399F
    extrapolated to D5E84F7D F888399F in regular positions -- yay!
    
    
    There has got to be a pattern for this!
    
    ----------
    
    Opening the ingame menu wiped 0223EBFC to 0000081C, 
    saving changed it twice to some other value I won't bother checking... 
    constant values after saving/opening menu.


    Summary: [WHITE]
    Code:
    Egg PIDs are based off of a 022160A8 value, exactly the same, -1.
    Thus they are based off of the frame, and are not set upon "generation".
    
    0223EBFC stores the PID generated for eggs after you confirm yes. 
    It changes after certain in game interactions.
    There is another place that has the PID stored... but it's not related at all to RNG:
    edit: the other place
    The PID is stored in your party too... It is in a different place according to slot, and it is not changed based on ingame progress or egg generation. Putting the pokemon in the PC wipes this location to 00000000 (derp). This was already known but just putting it here for others who don't know.

    If you want to check the PIDs of Pokemon while in game WHITE, go ahead (lol).
    Party 1: 02234834
    Party 2: 02234910
    Party 3: 022349EC
    Party 4: 02234AC8
    Party 5: 02234BA4
    Party 6: 02234C80
  17. Kaphotics
    Did a little bit of observational research using memory analysis with Cheat Engine to get some opcodes and memory locations.

    observations + opcodes using the new Cheat Engine 5.6.1


    Seed1+Seed2 Address in Memory: 022160A4 and 022160A8
    Address in Cheat Engine: 00F525A4 and 00F525A8

    Cheat Engine's memory locations are -011C3B00 off for these 2 values.

    --

    CE Addr - Bytes - Opcode

    Victini or Kyuremu Engaged (00F525A4 and 00F525A8) [022160A4 and 022160A8]
    Code:
    Reads this address when battling victini
    CE Addr  -     Bytes       -      Opcode
    004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    Writes to this address when battling Victini
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    -

    Standing by egg man with world running and Starting the game,
    both Seed values are influenced by

    Code:
    Read by
    0043ba5f - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
    004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    Written by
    0043ba5f - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    Automatic advancement based on NPCs/other memory locations?

    ------- Other Places

    Eggs
    Code:
    Eggs (0107B0FC) -- this is the one I saw earlier [0223EBFC]
    Read by
    004fcdbc - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
    Written by
    0043cfb7 - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    
    Eggs (00F71180) -- Party location (irrelevant) [2134C80]
    Read by
    004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
    Written by
    004fcdbc - 89 82 00 c5 d3 00 - mov [edx+00d3c500],eax
    Looks like the egg PID is made, read and copied to the party when it is received.

    Outside Daycare at man, npcs move -- observing RNG Seeds 1+2 (00F525A4 and 00F525A8)
    Code:
    Read by (both locations are)
    004d8e51 - 8a 80 00 c5 d3 00 - mov al,[eax+00d3c500]
    004fb7e8 - 8b 81 00 c5 d3 00 - mov eax,[ecx+00d3c500]
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    Written by (Both again)
    004fb682 - 89 81 00 c5 d3 00 - mov [ecx+00d3c500],eax
    All of these memory locations in context:
    Code:
    http://dl.dropbox.com/u/12206225/Debugger/0043BA5F.png
    http://dl.dropbox.com/u/12206225/Debugger/004FB682.png
    http://dl.dropbox.com/u/12206225/Debugger/004FB7E8.png
    http://dl.dropbox.com/u/12206225/Debugger/004FCDBC.png


    other things I have noticed about PID locations:

    dumped PID locations to check PID on encounter

    When encountering a Pokemon the PID is stored before you even catch it.
    These are off by 12C3B00 in CE instead of 11C3B00...

    Encountering Kyuremu, PID is stored on encounter at:
    00F99660 (0225D160)
    00F99CD0 (0225D7D0)

    Encountering Victini, PID is stored on encounter at:
    00F998C8 (0225D3C8)
    00F99F38 (0225DA38)

    Possible differences for all the legends?

    Encountering a Wild Pokemon Tile not scenting(At Kyuremu and Forest), PID is at:
    00F96158 (02259C58)
    00F967C8 (0225A2C8)
    Also has the PID for for the shaking tile Pokemon (forest +etc??)

    Interesting that the interval between all of these is 670 hex...

    Setting and Freezing these values (or changing them) and then encountering the respective Pokemon results in the blue screen error. (tested Kyuremu, set the 2 to E2D36280). Setting and freezing them after the Sprite appears during battle will not change the PID from what it was originally calculated as.


    When the game freezes you and starts the battle scene (after any encounter text), the PID for the Pokemon is already set (as in gen 4)
  18. ΩDonut
    Zoroark's PID is stored in 0225DE74 and 0225D804 when you encounter it.

    At this point we can manipulate the RNG for shininess on most Pokemon, though IVs are off the table. The PID is derived directly from the upper 32 bits of one of the main RNG results, but in most cases it is modified as follows:

    Wild Pokemon: XOR'd with 0x80010000 or 0x10000
    bred Pokemon: XOR'd with 0x1, or possibly just -0x1 as Kaphotics noted
    Urgamosu: XOR'd with 0x80010000 or 0x10000
    Zekrom\Reshiram: PID completely unaltered
    Zoroark: XOR'd with 0x100??, changes for every frame
    Victini: not tested
    Kyuremu: not tested
    Borutorusu\Torunerosu: not tested

    The nature of Zoroark's PID modification means we cannot control its shininess at this time. But it can be bred, so that's not much of an issue.


    IVs are generated by a separate RNG, the same Mersenne Twister used for generating egg PIDs last gen. (Or so says one Japanese blog on RNG research.) We don't know how it's seeded, so we don't have much control at this time. We've found through trial and error that advancing the main RNG by walking in an area with wild Pokemon does not advance the RNG for IVs.

    However the C-Gear does, at a steady rate. So with LOTS of trial and error I could get the IVs I wanted, turn off the C-Gear to lock them in, and then advance the main RNG to the point I got a shiny Pokemon. The Pokemon would then have the IVs I wanted.

    But for all of this, I would need an emulator to watch the RNG, and to use save states to see which IVs were locked in.

    tl;dr: We can control shininess on an emulator, but getting good IVs is still just a lot of trial and error. However, at least we can get decent and\or shiny Pokemon that should pass the Wi-Fi and VGC hack checks.

    NOTE: I'd like to remind readers that any Pokemon generated through an emulator must be VERY clearly labeled if you plan on trading them here on the Wi-Fi boards. This label must stick even if you receive the Pokemon in a trade and are allowed to redistribute them, no Pokélaundering.
  19. Kaphotics
    Egg PIDs are based off of a 022160A8 Value, exactly the same, but -1. I tested with a female parent having a dream world ability flagged. This might influence it just like international Dittos did in gen 4.

    They aren't based off of the 022160A8 value at the point the egg is received, it's based off of another value from that place further down the line.

    Ctrl-F in my egg post above for: Start [39FA5BBB] / Rapid [F888399E]

    The pattern I noticed:
    There's a rapid change at 0223EBFC for Egg A with an ending frame of XXXXXXXX YYYYYYYYY
    -- (egg is received, X-X being seed 1, Y-Y being seed 2)
    Receiving an egg in which the starting frame was the rapid of A becomes YYYYYYYY-00000001 as the PID for the egg.

    I tried logging all of the 1+2 seed values and placed them, but I'd assume it skips over some during regular uninterrupted advancement just like gen 4 did.

    Do note that I did get the Rapid of egg A to be the start of B only once because the frame advanced multiple times instead of 1 by 1.


    other stationary legends to test for PID locations that you can get to after the elite four:
    Birijion Kobaruon Terakion (the trio) [I'll be finding these and updating this post later today]
    Randorosu
  20. ΩDonut
    True. Later today I'll document which RNG value down the line the PID comes from for each type of encounter. This is what I have for now:

    Zekrom\Reshiram - 2 advances
    Sweet Scent in cave - 4 advances
    Sweet Scent in (normal) grass - 12 advances
  21. Kaphotics
    Egg PIDs aren't saved when you save the game, nor are they saved when the man yells that you have an egg. They are entirely seed dependent and get their PIDs from the upper seed. (if that clears anything up)


    ----------

    Looked for more PID locations upon encountering the Pokemon, did some seed freezing as well

    long code wrapped
    Code:
    Birijion 
    00F99608 (0225D108)
    00F99C78 (0225D778)
    
    Kobaruon
    00F99B48 (0225D648)
    00F9A1B8 (0225DCB8)
    
    Terakion
    00F99608 (0225D108)
    00F99C78 (0225D778)
    
    Freezing the 1+2 RNG Seeds resulted in the same PID
    for Birijion and Terakion. Didn't test IVs, didn't test for Kobaruon.
    
    Note how Terakion and Birijion have the same places. 
    Kobaruon has a small dialogue with a man like the Embedded tower in HGSS.
    ^Implied difference?
    
    Freezing the PID Memory locations to a foreign value caused a blue screen
    Code:
    Zekrom
    00F9B0DC (0225EBDC)
    00F9B74C (0225F24C)
    and
    00FA7074 (0226AB74)
    00FA75D4 (0226B0D4)
    and 00FE40B4
    
    The first set is set upon talking to Zekrom for the battle intro, 
    the 2nd set appears when zekrom's sprite does.
    The 3rd appears after a slight delay of the 2nd.
    
    Could possibly pertain to Zekrom and Reshiram?
    
    I think the first location is the one that is the correct one, 
    just leaving the others there as additional info.
    ---

    Code:
    Boltros (White Roamer)
    Read below all the code wrapped for why I can't check this.
    C918519E PID when I caught it
    Seen at:
    00F58BAC (0221C6AC) -- Box 1, Spot 17 (heh I could map this)
    00F871F4 (0224ACF4)
    
    Not the same place when sent out. Inconclusive.
    I need a state before he is sent out, after he is sent out, 
    and the PID he is caught with.
    ---

    Code:
    Zorua
    00F99848 (0225D348) (changes after you can continue text so look quick)
    02C281EC (not viewable in ARM9 emu)
    
    Thus you must pause. It might be different based on initial seed, 
    since there is only 1 location...

    The game resets the memory locations on restart, so caught legend PIDs are not part of the save file.


    The memory locations for Party PIDs are insanely useful with RAM Watch or with Cheat Engine to get a PID to find other locations.

    Going to test freezing of the upper seed (022160A8) and its effects on the egg PID.

    ---

    Tested Seed relationships to the PID
    Started at the man with Yes/No, no C-Gear, stable seeds.
    Code:
    Pressed yes, Received egg. Froze the 2 seeds, and rewound to the previous state.
    Pressed yes, Received egg. Froze the 2 seeds, and rewound to the previous state.
    
    Basically I just set my own values for the RNG. Got different PIDs every time.
    
    Did it again but only froze the 2nd seed. Different PIDs every time.
    
    Setting the rapid location [02234BA4 (White)] to 01010101 for lols
    resulted in blue screen errors rarely when I reloaded the state fast enough
    so the game could not update other locations related to it.
    It's related to both of the 2 seeds for sure, and relies on 02234BA4 (White) for setting the PID.
  22. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    Did some memory location lookings with the new Mystery Gift Wondercards from the 10/10/2010 Event.

    PIDs generated for Mystery Gift/Wondercards are stored at: (White)

    PIDs generated for Mystery Gift/Wondercards are stored at
    0225CCF8 (00F991F8 in Cheat Engine)

    Engaging the talk with the man:
    Code:
    The location did not change until pressing A to advance after the message
    	with the Exclamation Mark (!), before you receive the Pokemon. 
    It then advances twice more after you advance past the message 
    	that you received the gift just like Generation 4. 
    
    The PID is then XXXXYYYY.
    
    It persists only momentarily, once you dismiss his final message 
    	(We hope to see you again/blah blah) the location then 
    	adjusted to 003BYYYY for the next gift.


    --------------

    Also, recapping Party/PC Box PID locations (other data is encrypted) for those who want to check without saving.
    Party PID Locations (White)

    Party 1: 02234834
    Party 2: 02234910
    Party 3: 022349EC
    Party 4: 02234AC8
    Party 5: 02234BA4
    Party 6: 02234C80
    Box PID Locations (White)

    Box X, Slot Y PID Location = (0221ADA4+X*1000+Y*88)
    Calculate it in hex, not decimal.


    Other data is still encrypted, so you can't view the IVs in a specific location.

    --------------

    Mystery Gift IVPID/Nature Generation Patterns
    lolresearch
    The pokecenter at the elite four has no moving NPCs, but has a Blue Man when there is a gift. There is no advancement of 022160A4 or 022160A8.

    See Summary, I've given this updated pattern and frame calls along with how Nature is generated to OmegaDonut.


    Summary of Mystery Gift IVNPID Patterns:
    oh lawd legality issues
    Code:
    PID and Nature are calculated in the second 3 calls.
    
    The Nature and PID are generated with the same RNG at different frames.
    	Thus NPID is untied (not like the old decimal 1-25 natures) but ^, 
    	IV-PID is still completely untied.
    
    The IV RNG is updated by the NPID RNG changing.
    
    The 8 Gifts from the 10/10/10 Event are Dynamic PIDs.
  23. Kaphotics

    Kaphotics Remodeling Kitchens
    is a Pokemon Researcher, is a Contributor to Smogon

    Joined:
    Apr 25, 2009
    Messages:
    776
    Looked back at my Egg PID generation notes, and remembered that SEED1's advancement was already known. I added in the missing frames that the game didn't show me, and I arrived at this pattern for every egg I generated:

    Mind you this was with a female parent with a Dream World ability, if that possibly had any influence. I can check to see without.

    Code:
    Frame 0  -- Starting SEED1/SEED2 (Frame)
    Frame 1  -- Not Displayed (SEED2's would-be value appears in 0223EBFC)
    Frame 2  -- Shown in SEED1 and SEED2
    Frame 3  -- Never Displayed
    Frame 4  -- Shown in SEED1 and SEED2
    Frame 5  -- Never Displayed
    Frame 6  -- Never Displayed
    Frame 7  -- Never Displayed
    Frame 8  -- Never Displayed
    Frame 9  -- Never Displayed
    Frame 10 -- Never Displayed
    Frame 11 -- Shown in SEED1 and (SEED2)------------------\
    Frame 12 -- Shown in SEED1 and SEED2 			|
    	 -- ^^^Ending Frame -> Egg has been generated!	|
    		    .-----------------------------------/
    PID = Frame 11's [SEED2-00000001] 
    PID Generation for Normal Dream World Egg Offspring is the same as for Normal Egg PID Generation, except the Normal generation PID is stored at 0233EFBC instead of 0233EBFC.

    International Breeding follows a different generation pattern. Still testing. Taken from a different frame, same XOR (0x1).
    PID is stored at 0233EFBC, like DW Breeding. So far the pattern is not constant.

    International Breeding relies on some other value that is separate from the RNG but is not the IRNG (IV). Freezing to different values from one seed to another produces one pattern, while starting at the same one without codes produces a different pattern. The patterns contradicted each other, so it's not exclusively calculated from the RNG/IRNG only.

    ---

    Wondercards still have a shiny check. I found the SID location of the new Wondercard file standard and changed the SID to make it shiny based off of a seed spread I already knew (the one I tested with).

    Since the PID is Initial Frame 0's Frame 32 upper half XOR'd with 0x10000, if it comes out shiny it is then XOR'd with 0x10000000 to become nonshiny.

    The only available gift wondercards are of random non-Dream World Abilities. In the data for the card there are flags for what the ability should be. Since there are restrictions on ability based on PID, there must be some limit on the results for the PID if it is a set ability.

    -----

    Passive Seed Advancement while Breeding:
    Other than the set path Moving Pokemon, there are 5 moving NPCs with a non-set path in the area that advance the frame.

    (one in top left corner, one girl in the play area, 1 man in grass, 1 girl in the lower half of the route, girl on the bridge)
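The egg PID (frame 11's SEED2 XOR 0x1) and Wondercard PID (frame 32's upper half XOR 0x10000, forced nonshiny with XOR 0x10000000) derivations described in this post, written out as an added example that is not code from the thread. It assumes the two 32-bit seeds are the halves of a single 64-bit LCG state (multiplier 0x5D588B656C078965, increment 0x269EC3), that the Gen 5 shiny test is TID ^ SID ^ PID-high ^ PID-low < 8, and that "Initial Frame 0's Frame 32" means 32 advances from the initial seed; all seed, TID and SID values are constructed.

```python
# Added example (not from the thread). Assumption: SEED1 is the low 32 bits and
# SEED2 the high 32 bits of one 64-bit LCG state with the constants below.
MASK64 = (1 << 64) - 1
MULT = 0x5D588B656C078965
ADD = 0x269EC3


def advance(seed: int, frames: int = 1) -> int:
    """Advance the 64-bit LCG state by `frames` steps (one step = one frame)."""
    for _ in range(frames):
        seed = (seed * MULT + ADD) & MASK64
    return seed


def upper32(seed: int) -> int:
    """The thread's SEED2: the high 32 bits of the state."""
    return seed >> 32


def is_shiny(pid: int, tid: int, sid: int) -> bool:
    """Assumed Gen 5 shiny test: XOR of TID, SID and both PID halves below 8."""
    return (tid ^ sid ^ (pid >> 16) ^ (pid & 0xFFFF)) < 8


def egg_pid(initial_seed: int) -> int:
    """Egg PID per the post: frame 11's SEED2 XOR'd with 0x1."""
    return upper32(advance(initial_seed, 11)) ^ 0x1


def wondercard_pid(initial_seed: int, tid: int, sid: int) -> int:
    """Wondercard PID per the post: frame 32's upper half XOR 0x10000, then
    XOR 0x10000000 if that value would be shiny for this TID/SID."""
    pid = upper32(advance(initial_seed, 32)) ^ 0x10000
    if is_shiny(pid, tid, sid):
        pid ^= 0x10000000  # flips bit 12 of the high half, so never shiny
    return pid


if __name__ == "__main__":
    # Constructed inputs: zero seed, and a constructed TID/SID pair.
    print(hex(egg_pid(0)), hex(wondercard_pid(0, 0x1234, 0x5678)))
```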
  24. ΩDonut

    ΩDonut don't glaze me bro
    is a Programmer, is a Forum Moderator, is a Community Contributor, is a Pokemon Researcher, is a Contributor to Smogon
    Moderator

    Joined:
    Aug 23, 2006
    Messages:
    3,727
    I've just located the lookup table generated by the Mersenne Twister RNG. It starts at 022151D4 and ends at 02215B90 (in White).

    The very first 32-bit value in that table is the seed used to generate IVs. Plug that seed into RNG Reporter's Researcher feature, set it to right-shift the result 27 bits, and the next six values are the IVs of the next Pokemon you catch.


    Once I figure out a way to advance this RNG, we can catch flawless and/or shiny Pokemon that pass Wi-Fi and VGC hack checks - on an emulator. (Not sure about breeding yet, but it should be a lot easier.)

    The big challenge is still figuring out how the initial seeds are generated. Without that info, it won't be possible to manipulate the RNG on a cartridge.
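The IV derivation described in this post (seed in the first word of the Mersenne Twister table, each output right-shifted 27 bits), as an added example that is not code from the thread or from RNG Reporter: a minimal MT19937 seeded with the standard init_genrand, whose first state word is the seed itself. The IV order HP/Atk/Def/SpA/SpD/Spe is an assumption, not something the post states.

```python
# Added example (not from the thread): MT19937 as the Gen 5 IV RNG.
N, M = 624, 397


def mt_state(seed: int) -> list[int]:
    """init_genrand: the 624-word table; word 0 is the seed, as the post found.
    (The init constant 1812433253 is 0x6C078965, the same value seen in SEED1.)"""
    mt = [seed & 0xFFFFFFFF]
    for i in range(1, N):
        prev = mt[i - 1]
        mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
    return mt


def mt_outputs(seed: int, count: int) -> list[int]:
    """Return `count` tempered 32-bit outputs, regenerating the table as needed."""
    mt = mt_state(seed)
    index = N  # force a twist before the first output
    out = []
    for _ in range(count):
        if index >= N:
            for i in range(N):  # twist step, in place like the reference code
                y = (mt[i] & 0x80000000) | (mt[(i + 1) % N] & 0x7FFFFFFF)
                mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
            index = 0
        y = mt[index]
        index += 1
        y ^= y >> 11  # tempering
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        out.append(y & 0xFFFFFFFF)
    return out


def ivs_from_seed(seed: int) -> list[int]:
    """Six IVs: top 5 bits (>> 27) of the first six outputs.
    Assumed order: HP, Atk, Def, SpA, SpD, Spe."""
    return [x >> 27 for x in mt_outputs(seed, 6)]


if __name__ == "__main__":
    # Constructed seed: the MT19937 reference default.
    print(ivs_from_seed(5489))
```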
  25. mattj

    mattj blatant Nintendo fanboy

    Joined:
    Mar 30, 2009
    Messages:
    4,622
    Actually, as long as we can determine what seed we happen to have hit, with enough patience (especially if advancement is anything like 4th Gen) we'd be able to look down the list and abuse for acceptable IVs/nature on non-breedables. In my experience with FR/LG abuse, that's basically what we had to do. It's not as nice as being able to hit any seed you choose, but it's usable. Is there any way to figure out what seed you happen to have hit yet? Kind of like the Seed finder in Gen 4?
