
Past Gen RNG Research

Discussion in 'Wi-Fi' started by mingot, Sep 12, 2009.

  1. ΩDonut

    ΩDonut don't glaze me bro

    Aug 23, 2006
    Thanks for posting! Yes, you'd need to follow the instructions listed.

    If you can get a Korean game to run on an American DSi\3DS system, that should work out fine. Allegedly there's a region lock in place, but chiizu successfully used an English White on a Japanese DSi, so who knows?

    In any case, glad to hear that, by August at the latest, we'll have DSi\3DS info for Korean games. Hope you keep in touch!
  2. nick15


    May 20, 2010
    There is most definitely NO region lock on either of my Korean HG/SS and B/W games, nor when I play them on either my American DS Lite, DSi or 3DS. Presumably it also means that Korean DPP and American DS Phat have no locks on them, and likewise for non-Korean NDS games in Korean DS systems (including the 3DS). The only legitimate incompatibility/lock on the Korean games is their inability to trade with non-Korean games, but that was corrected in Gen 5; all of this I'm sure you guys know already. :)

    Anyways, if it's OK to use an American DSi/3DS for this, then I'll get cracking on getting those things to you as soon as I can. Then when I get a Korean 3DS, I'll redo this to see if Korean [N3]DS systems change anything as well.

    I'm just glad to be of service! :)
  3. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010
    so i know pokemon conquest isn't really worth researching, but after looking at this i had to say something. gamefreak handles seeding in this game similarly to black and white. however, there is no sha-1. they use crc32 to generate the initial seed. it works like so:

    RAM:02071CF0 ; =============== S U B R O U T I N E =======================================
    RAM:02071CF0 buildSeed__                             ; CODE XREF: sub_2071408+D8p
    RAM:02071CF0 buffer= -0x430
    RAM:02071CF0 table= -0x410
    RAM:02071CF0 STMFD   SP!, {R4-R6,LR}
    RAM:02071CF4 SUB     SP, SP, #0x420
    RAM:02071CF8 ADD     R6, SP, #0x430+buffer
    RAM:02071CFC MOV     R4, R0
    RAM:02071D00 MOV     R0, R6                          ; buffer
    RAM:02071D04 BL      OS_GetLowEntropyData__
    RAM:02071D08 ADD     R5, SP, #0x430+table
    RAM:02071D0C LDR     R1, =0x4C11DB7                  ; poly
    RAM:02071D10 MOV     R0, R5                          ; table
    RAM:02071D14 BL      MATHi_CRC32InitTable__
    RAM:02071D18 MOV     R0, R5                          ; table
    RAM:02071D1C MOV     R1, R6                          ; data
    RAM:02071D20 MOV     R2, #0x20 ; ' '                 ; dataLength
    RAM:02071D24 BL      MATH_CalcCRC32__                ; this returns a 32-bit number
    RAM:02071D28 MOV     R1, #0                          ; top half of the starting seed, always 0
    RAM:02071D2C LDR     R12, =0x6C078965
    RAM:02071D30 STMIB   R4, {R0,R1}
    RAM:02071D34 LDR     LR, =0x5D588B65
    RAM:02071D38 LDR     R2, =0x269EC3
    RAM:02071D3C MOV     R3, R1
    RAM:02071D40 STR     R12, [R4,#0xC]
    RAM:02071D44 STR     LR, [R4,#0x10]
    RAM:02071D48 STR     R2, [R4,#0x14]
    RAM:02071D4C STR     R3, [R4,#0x18]
    RAM:02071D50 ADD     SP, SP, #0x420
    RAM:02071D54 LDMFD   SP!, {R4-R6,PC}
    RAM:02071D54 ; End of function buildSeed__
    RAM:02071D54 ; ---------------------------------------------------------------------------
    RAM:02071D58 ; unsigned int poly
    RAM:02071D58 poly DCD 0x4C11DB7                      ; DATA XREF: buildSeed__+1Cr
    RAM:02071D5C dword_2071D5C DCD 0x6C078965            ; DATA XREF: buildSeed__+3Cr
    RAM:02071D60 dword_2071D60 DCD 0x5D588B65            ; DATA XREF: buildSeed__+44r
    RAM:02071D64 dword_2071D64 DCD 0x269EC3              ; DATA XREF: buildSeed__+48r
    so, they're using a 64-bit rng, but only creating a 32-bit seed via crc32. it's right there: mov r1, 0- set the top half of the 64-bit seed to 0. it's kind of strange. the initial seed can only be between 0 and 0xffffffff, not 0-0xffffffffffffffff as it should be. it's kind of ridiculous.
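The consequence of the zeroed upper word, as an added example (not code from the post or from the game): with only 2^32 possible starting states, a captured 64-bit state can be walked backwards and tested for a zero top half, which recovers both the CRC32 seed and the frame count. It assumes the usual update `state = state * mul + inc` for the constants that `buildSeed__` stores; the function names and the sample CRC value are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplier and increment as stored into the RNG context by buildSeed__. */
#define LCG_MUL 0x5D588B656C078965ULL
#define LCG_INC 0x0000000000269EC3ULL

/* What buildSeed__ produces: CRC32 in the low word, top word forced to 0. */
static uint64_t initial_state(uint32_t crc) { return (uint64_t)crc; }

/* ASSUMPTION: standard LCG update, arithmetic mod 2^64. */
static uint64_t lcg_next(uint64_t s) { return s * LCG_MUL + LCG_INC; }

/* Inverse of an odd multiplier mod 2^64 by Newton iteration. x = a is
   correct to 3 bits because a*a == 1 (mod 8); each round doubles that. */
static uint64_t inverse_mod_2_64(uint64_t a)
{
    uint64_t x = a;
    for (int i = 0; i < 5; i++)      /* 3 -> 6 -> 12 -> 24 -> 48 -> 96 bits */
        x *= 2 - a * x;
    return x;
}

/* One step backwards: undo the increment, then undo the multiplication. */
static uint64_t lcg_prev(uint64_t s)
{
    return (s - LCG_INC) * inverse_mod_2_64(LCG_MUL);
}

/* Walk a captured state backwards for up to max_frames steps. Returns the
   number of steps at which the state is a legal initial seed (upper 32 bits
   zero) and stores that seed, or -1 if none is reached. A full 64-bit seed
   would make this test useless; the 32-bit CRC makes it a 2^-32 filter. */
static int find_initial_seed(uint64_t state, int max_frames, uint32_t *seed_out)
{
    for (int n = 0; n <= max_frames; n++) {
        if ((state >> 32) == 0) {
            *seed_out = (uint32_t)state;
            return n;
        }
        state = lcg_prev(state);
    }
    return -1;
}

int main(void)
{
    uint64_t s = initial_state(0x1234ABCDu);   /* constructed sample CRC */
    for (int i = 0; i < 37; i++)
        s = lcg_next(s);

    uint32_t seed = 0;
    int frames = find_initial_seed(s, 1000, &seed);
    printf("state %016llx -> seed %08x, %d frames back\n",
           (unsigned long long)s, (unsigned)seed, frames);
    return 0;
}
```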
  4. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010
    b2w2, the rng is at 0x21FF5B8(black)/0x21FF5D8(white) and it's the same as bw, the sdk standard.

    initial seeding is next..

    initial seeding is the same as before. a sha1 hash of a buffer of entropy data. the new nazos are:




  5. Kaphotics

    Kaphotics Remodeling Kitchens

    Apr 25, 2009
  6. Slashmolder

    Slashmolder 'Ello Governor

    Mar 27, 2011
    CGear seeds are gone, whoo!
    Now instead turning on the CGear just advances the pointer into the MT Table by 2. (Basically it advances the IVRNG by 2 like usual)
    This means if you don't care about PIDs or are super good with Chatots, it's much easier to advance the IVRNG frame by turning the CGear on and off.
    It also appears to advance the PIDRNG the same as before.

    As mentioned slightly above Chatots work exactly the same as before. So does most everything else, including Pokemon generation and ID/SID generation and saving to advance the PIDRNG.

    The IVRNG now starts at frame 3 (pointer to index 2) instead of 1 (index 0).

    Initial frame calculation for PIDRNG is also different and is being looked into further.

    NPCs do make starter abuse a bit more of a pain than it should be but it can be done: http://www.pokecheck.org/?p=detail&uid=1496117 (trash bytes are either an issue with PokeGen or Pokecheck).
  7. chiizu


    Nov 12, 2010
    Some parameters from actual carts (one Black 2, one White 2) on a DS Lite:

    Black 2:
    Timer0: 1104, 1107 (only had time for a couple tests)
    VCount: 82
    VFrame: 8

    White 2:
    Timer0: 10F7, 10F8, 10F9, 10FA (also pretty sure I saw a 10F6 early on...)
    VCount: 82
    VFrame: 8

    Looks like people are going to need to use an external timer if they don't want double (or more) of the Timer0 frustration of BW.

    Just to add that even with the additional values, I still hit 10F7 (on White 2) a good bit more often than the other values (sorry, no actual stats on that).
  8. Slashmolder

    Slashmolder 'Ello Governor

    Mar 27, 2011
    There have been changes as to how the starting PID frames work.
    For reference here's info on BW1 http://www.smogon.com/forums/showpost.php?p=3649544&postcount=739

    For a game with a save file which you plan to load and play from:
    First the standard BW probability table function is called once.
    Then the RNG is advanced 3 times (rand(0), rand(ffffffff), rand(ffffffff)).

    Then when you load your save data the probability table function is called 4 more times.
    Then a new function is called. This new function calls rand(15) 3 times and stores the value of an array at that random index with this data:
    {0x3E, 0x60, 0x6B, 0x196, 0x19C, 0x1CA, 0x149,0x14B, 0x151, 0x15C, 0x16D, 0x170, 0x172, 0x176, 0x17F};
    It then loops through the stored data and if it finds any duplicates between the 3 random selections it repeats.

    Since we don't care about creating an array with that data, we just call rand(15) 3 times and check for duplicates.

    For ID/SID abuse:
    One probability table is called, then two advancements, then another table. Then 3 more advancements. Once you press start at the press start screen there is another advancement. Then a table call is made. And finally 3 more advancements are made (this might be 4 I need to double check) and we're at the ID/SID generation.

    The new function is only called after the player has already finished with the introduction. This is irrelevant to ID/SID abuse.

    Another interesting change (which doesn't matter all too much) is that due to someone at GameFreak being weird now all the odd values are ignored and the even ones are the only ones looked at. Fortunately this doesn't alter the table for our purposes at all.

    This new function is located at 0x2017A34.
    The old table's outer loop is located at 0x216FCE0 and the inner loop is located at 0x216FCFC.
  9. Antar


    Feb 17, 2010
    Seriously?!? Does this mean Entralink RNGing just became Standard method?
  10. TheMantyke

    TheMantyke what if he kicks the ghost

    Jun 9, 2007
    First Air Slash Mantyke, now this. Oh gosh, can't wait to get my hands on some entralink Pokemon!
  11. Gothic Togekiss

    Gothic Togekiss

    Jun 1, 2007
    Considering you would have to keep the C-gear on to RNG abuse entralink Pokemon, I don't think so. I mean Slashmolder does mention it advancing the PIDRNG as before.
  12. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010

    the switch from arm->thumb didn't affect this at all. someone at gamefreak thought they were being clever or something. it was a manual adjustment in the table checking routine from odd to even.
  13. religiousjedi

    religiousjedi Burning 3DSes before the virus known as GSC hits.

    Oct 9, 2010
    Makes it sound as only the PID will be the problem then. Hmm...so hit standard seed to get desired IVs, same seed must have desired nature (or cluster), then simply land on the right time to get target PID frame. It cuts off half the amount of time, from the looks of it.

    In any case, it makes the Entralink guides mostly for B/W users.
  14. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010
    high link pokemon still have a shiny check and are still generated in exactly the same way.

    e: it still does everything twice for no good reason, too.
  15. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010
    dream radar pokes are gender-locked and non-shiny. they're generated like resh/zek(no 0x80000000 OR) as soon as you say yes.

    e: when you say yes after you choose "3ds link". this is the point at which they're added to your box.
  16. Dea


    Jul 15, 2009
    I guess what I have to say goes here, if it doesn't then feel free to move/delete.

    Shiny Charm: It kinda "pulls" shiny frames to you, but doesn't "push" them back.

    1) Your initial PIDframe is 60 and there is a shiny PID on 61, 62 or 63, when you sweet scent even with no chatot flips, you will get the shiny PID.

    2) Initial PIDframe 60 and the closer shiny PID is "out of range" the initial PIDframe will just shift to 63.

    3) Your initial PIDframe is 60 and there is a shiny PID 63, you do required chatot flips anyway (i.e. without factoring the charm) you will NOT get the shiny PID. Pokemon's PID will come from frame 66.
  17. Slashmolder

    Slashmolder 'Ello Governor

    Mar 27, 2011
    Shiny charm actually works exactly like the Masuda method. It does 1 call with no charm and not international parents, 3 calls charm and not international, 6 calls no charm international, and 8 calls charm and international.
  18. chiizu


    Nov 12, 2010
    Having gone through the actual assembly, I think the above is slightly incorrect.

    For eggs:
    1. Generate a PID
    2. If not shiny and player has shiny charm, generate up to 2 more PIDs, stopping if a shiny is found.
    3. If still not shiny and parents are international, generate up to 5 more PIDs, stopping if a shiny is found.

    For encounters (what Dea is referring to):
    1. Generate a PID
    2. If not shiny and holding shiny charm, generate up to 2 more PIDs, stopping if a shiny is found.
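The reroll order listed in the post above, as an added example (not chiizu's code and not the game's): it counts how many PIDRNG calls one egg or encounter consumes, which is what moves the frame you land on. Assumptions: each PID is one LCG call and is the upper 32 bits of the new state, the LCG constants are the ones in the listing earlier in the thread, and the shiny test is the Gen 5 rule `(TID ^ SID ^ PID_hi ^ PID_lo) < 8`, with the limit made a parameter so both extremes can be forced.

```c
#include <stdint.h>
#include <stdio.h>

#define LCG_MUL 0x5D588B656C078965ULL
#define LCG_INC 0x269EC3ULL

typedef struct { uint64_t state; unsigned calls; } rng_t;
typedef struct { uint32_t pid; int shiny; unsigned pids_generated; } roll_t;

/* ASSUMPTION: one PID costs one PIDRNG call; the game's further PID
   adjustments (gender, ability, the 0x80000000 XOR) are not modelled. */
static uint32_t next_pid(rng_t *r)
{
    r->state = r->state * LCG_MUL + LCG_INC;
    r->calls++;
    return (uint32_t)(r->state >> 32);
}

/* limit = 8 is the real rule; 0 means "never shiny", 0x10000 "always". */
static int is_shiny(uint32_t pid, uint16_t tid, uint16_t sid, uint32_t limit)
{
    uint32_t x = ((uint32_t)tid ^ sid ^ (pid >> 16) ^ (pid & 0xFFFFu)) & 0xFFFFu;
    return x < limit;
}

/* Step 1: one PID. Step 2: up to 2 more with the charm. Step 3: up to 5 more
   for international parents. Every stage stops at the first shiny PID.
   For an encounter, pass international = 0. */
static roll_t roll_pid(rng_t *r, uint16_t tid, uint16_t sid,
                       int charm, int international, uint32_t limit)
{
    const unsigned extra[2] = { charm ? 2u : 0u, international ? 5u : 0u };
    roll_t out;

    out.pid = next_pid(r);
    out.pids_generated = 1;
    out.shiny = is_shiny(out.pid, tid, sid, limit);

    for (int stage = 0; stage < 2; stage++) {
        for (unsigned i = 0; i < extra[stage] && !out.shiny; i++) {
            out.pid = next_pid(r);
            out.pids_generated++;
            out.shiny = is_shiny(out.pid, tid, sid, limit);
        }
    }
    return out;
}

int main(void)
{
    /* Constructed state and IDs, real shiny limit. */
    for (int charm = 0; charm <= 1; charm++) {
        for (int intl = 0; intl <= 1; intl++) {
            rng_t r = { 0x0123456789ABCDEFULL, 0 };
            roll_t o = roll_pid(&r, 12345, 54321, charm, intl, 8);
            printf("charm=%d international=%d -> %u PIDs, PID %08x, shiny=%d\n",
                   charm, intl, o.pids_generated, (unsigned)o.pid, o.shiny);
        }
    }
    return 0;
}
```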
  19. Slashmolder

    Slashmolder 'Ello Governor

    Mar 27, 2011
    I updated this to follow my more recent findings, I've been accurate 10/10 trials so I think it's correct. I'm not sure about the last one because it looks like reporter might be 1 too low when reporting ID/SID frames but I'm not sure.
    My bad I meant total PIDs generated, the 0 was a typo.

    Are you sure that it has no effect on International? I was under the impression that the charm was a constant +2.
  20. chiizu


    Nov 12, 2010
    rusted_coil has a post about a way to advance the PIDRNG and determine which seed you hit when picking up your Dream Radar pokes.

    When you go into the Isshu Link menu, you can access the key system and start a key transmission via IR. When you do this, it shows the spinning clock icon, and the initial position of the clock hand is set to one of 8 positions by the RNG (supposedly upper32 >>29). So, you can start the IR transmission several times in a row and watch the starting position of the clock to determine the seed (like coin flips or Elm calls), as well as use it to advance to a particular PID frame. This would be useful for checking your seed even when not getting a Dream Radar Poke.

    For the clock hand positions, 0 is 12 o'clock, 1 is up-right, 2 is right, etc.

    Also, Bond was kind enough to look into the actual Poke generation for Dream Radar and found that one additional PIDRNG frame and one additional MTRNG frame is burned before the Poke is generated.

    After some testing, it turns out that each activation of the IR transmission consumes 2 PID frames, with the second one being the one which determines the spinner position.

    It does have an effect. It tries 2 times because of shiny charm (step 2), and then if still not shiny it does the 5 tries if it's international parents (step 3).
  21. chiizu


    Nov 12, 2010
    Some test results for non-legendary Pokes from Dream Radar. Note that the IV frame numbers start counting after the initial 2 MTRNG advances at startup.

    Test Notes:

    Test 1:
    Munna and a berry
    Seed: 55F7EBFABB7B9E77
    0 spins
    IV frame hit: 8

    Test 2:
    Sigilyph, Drifloon, Riolu, Drifloon
    Seed: 7D904C500DAFFFB7
    9 spins
    IV frame hit: 26

    Test 3:
    Munna, Drifloon
    Seed: B7E72DDE0277B9A0
    10 spins
    IV frame hit: 28

    Test 4:
    Seed: B7E72DDE0277B9A0
    13 spins
    IV frame hit: 34

    Test 5: (Successful abuse)
    Seed: 52DF568941E21B77
    3 spins
    Timid, 31/5/31/31/31/31

    For me, the IV frame always starts on frame 8, however Bond's test started on frame 2.

    Both PID frame and IV frame advance by 2 frames for each access of the key transmission screen (i.e. each start of the spinner).

    PID frames are 5 frames apart for multiple Pokes.
    IV frame advances by 13 for each Poke.

    You want to have enough views of the spinner (3 or 4 should be enough) to know that you've hit your seed, so an IV frame of 14 or higher is recommended.
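The spinner check from the last two posts, as an added example (not chiizu's or rusted_coil's code): each view leaks 3 bits of PIDRNG state, so a short run of observed clock positions separates a handful of candidate seeds. Assumptions: the LCG constants are those in the listing earlier in the thread, and the four seeds from the test notes are used only as sample 64-bit states, with no modelling of the initial PID frame, so the printed positions are not claimed to be what those tests showed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LCG_MUL 0x5D588B656C078965ULL
#define LCG_INC 0x269EC3ULL
#define MAX_SPINS 16

/* Seeds quoted in the test notes, used here only as sample inputs. */
static const uint64_t SAMPLE[4] = {
    0x55F7EBFABB7B9E77ULL, 0x7D904C500DAFFFB7ULL,
    0xB7E72DDE0277B9A0ULL, 0x52DF568941E21B77ULL
};

static uint64_t lcg_next(uint64_t s) { return s * LCG_MUL + LCG_INC; }

/* Each IR activation burns two PID frames; the second sets the clock hand
   to upper32 >> 29 (0 = 12 o'clock, 1 = up-right, 2 = right, ...).
   Writes `spins` positions to out and returns the state afterwards. */
static uint64_t predict_spins(uint64_t state, int spins, uint8_t *out)
{
    for (int i = 0; i < spins; i++) {
        state = lcg_next(state);                    /* consumed, not shown */
        state = lcg_next(state);                    /* drives the hand     */
        out[i] = (uint8_t)((state >> 32) >> 29);
    }
    return state;
}

/* How many candidates reproduce the first `spins` observed positions. */
static size_t count_matches(const uint64_t *cand, size_t n,
                            const uint8_t *obs, int spins)
{
    uint8_t pred[MAX_SPINS];
    size_t hits = 0;
    if (spins < 0 || spins > MAX_SPINS)
        return 0;
    for (size_t i = 0; i < n; i++) {
        predict_spins(cand[i], spins, pred);
        if (memcmp(pred, obs, (size_t)spins) == 0)
            hits++;
    }
    return hits;
}

/* Fewest views after which cand[truth] is the only candidate left,
   or -1 if MAX_SPINS views do not separate it. */
static int spins_until_unique(const uint64_t *cand, size_t n, size_t truth)
{
    uint8_t obs[MAX_SPINS];
    predict_spins(cand[truth], MAX_SPINS, obs);
    for (int k = 1; k <= MAX_SPINS; k++)
        if (count_matches(cand, n, obs, k) == 1)
            return k;
    return -1;
}

/* IV frame reached after `spins` views: the posts report a start frame of 8
   (2 in Bond's test) and +2 per view, e.g. 9 views -> frame 26. */
static int iv_frame_after(int start_frame, int spins)
{
    return start_frame + 2 * spins;
}

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("candidate %zu is unique after %d view(s)\n",
               i, spins_until_unique(SAMPLE, 4, i));
    printf("3 views from start frame 8 -> IV frame %d\n", iv_frame_after(8, 3));
    return 0;
}
```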
  22. chiizu


    Nov 12, 2010
    (Feel free to combine with the previous post(s) if me replying to myself is bad form)

    Generation for dream radar legendaries is different than non-legendaries.

    Unlike non-legendaries, there is additional fanfare for the special pokes, including particle effects (you can see it in the movie that plays on the Japanese AR Searcher page), and the IV frame advanced 13 additional frames before my Tornados was generated.

    Unfortunately, until I catch the other two genies in the dream radar and make it all the way to abundant shrine in game, I can't convert Tornados back to incarnate forme (a requirement for GTS upload) so I can't verify what PID frame I hit.

    This page says that you can only get one of each genie / legendary on your game, but you can start a new b2w2 game to get another one. It also says that since the dream radar game and save data resides entirely on the 3DS SD card, you can take a back up before sending the Poke to your game and restore it afterwards to allow multiple downloads.

    EDIT 2 (testing SD card back up behavior):
    You can take a back up of the 3DS SD card and restore it to download the same non-legendary Poke as many times as you like without having to restart your b2w2 game.

    For the legendaries, however, it's saved in your b2w2 save game file that you've downloaded the legendary, so if you try to send the same legendary a second time you won't be allowed to. You can still take a back up of the dream radar data before sending it over to the game, however, so if you have a spare game you can reset for the legendary if you have the patience to play through to the first gym so that you are able to trade to another b2w2 game (bw is out for the genies because you can't change the form until much later in the game).
  23. Slashmolder

    Slashmolder 'Ello Governor

    Mar 27, 2011
    This may be slightly redundant but I feel it's still useful information to have.

    Every single Pokemon has a set of flags which are set before every encounter is started. The game appears to use 2 bytes to store this information.
    For an example the male hidden hollow Minccino is 0x02B8 (0000 0010 1011 1000)

    At least for stationary encounters sub_021ADC54 uses sub_2154308 to load the flags.
    sub_21A11FC uses these flags to fill an array (stored at of Pokemon information which is used in the PID building subroutines (in order of call stack), sub_021A14F4, sub_21A06E8, sub_021A0E30, and sub_0201D6E0. As well as a few subroutines they call.

    The information array is filled using assembly such as the following:
    MEMORY:021A1264 MOVS    R0, #8
    MEMORY:021A1266 TST     R0, R5
    MEMORY:021A1268 BEQ     loc_21A126E
    MEMORY:021A126A MOVS    R0, #1
    MEMORY:021A126C STRB    R0, [R4,#7]
    // R5 = flags
    // R4 = infoArray
    // TST R0, R5 / BEQ skips the store when the masked bit is clear
    if (flags & 0x8) {
    	infoArray[7] = 1;
    }
    So basically every time a bit is set to 0, something is set in the infoArray. If it isn't then the code is skipped over or the next section of code is looked at.

    Here's a list of what each bit does, in the order called in the assembly, to the info array and what that means
    Note: if nothing is done/stated the value is defaulted to be 0
    flag:    effect
    4        array[2] = FFFF
    2        check #10, else array[6] = 1
    10       array[6] = 2
    8        array[7] = 1
    20       array[10] = 1, else check 40
    40       array[10] = 2
    200      b[c] = 5, b[8] = 6
    1        //shifts pointer of array passed into sub_2017CD4, else check 80
    80       //shifts pointer of array passed into sub_2017CD4, else don't call SR
    100      //calls sub_2017CD4
    400      //calls sub_2017CD4
    800      //calls sub_2017CD4

    array index:    meaning
    0-1      National Dex # of Pokemon
    4        level of pokemon (given by input param in R2)
    5        set to the value of the top of the stack at load time (always 0?)
    6        encounter type (used for XOR 80000000), 2 = stationary, 1 = unknown (gift/egg?), 0 = wild (do XOR check)
    7        shiny lock (1 = can't be shiny, 0 = can be)
    10       gender filter, 0=genderless/no lock, 1 = male only, 2 = female only
    Further investigation is needed for the last few calls which pass a pointer into sub_2017CD4.

    I'm uncertain exactly when/why the specific hollows are generated. The only one I know is when you talk to Bianca the Minccino is generated. It could be random/key item/scripted event/RTC based/who knows?
    I do have one save file where a few have been generated but then when I go to that exact same position again but with an earlier save that area is not generated.
    When they are not generated the hollows are empty. Every Hidden Hollow uses script 1036 which deals with loading the appropriate Pokemon. Kaphotics has ripped the game data as to what can be found in each hollow Pokemon Items. The percent to the Pokemon appears to be the chance for it to be female.
  24. Bond697

    Bond697 Dies, died, will die.

    Jun 20, 2010
    might as well post this in here too:

    hidden hollows are based on footsteps. every 256 footsteps, the game checks all 20 hollows(a 20 iteration for-loop) to see if it should fill them. each has a 5% chance of filling and already filled ones don't change(as far as i know). i'm still working on what exactly passes over the gender, et al.

    it does u32 * 100 >> 32, if the result is less than 5, generate for that hollow.

    original post:


    once i knew it was every 256 steps, running through the code and figuring out the rest was easy.

    e: if anyone is interested in following along, 2181E80 runs every step and controls the hollow generation.

    e2: might as well throw the rest in since there's apparently more on that page:

    frame + 1 - pokemon/item choice
    frame + 2 - slot
    frame + 3 - gender

    and this all happens on 21C8938.

    2228B98 is the u16 just past the end of the hollow data array. it stores the number of the hollow you're entering. you can actually hard-lock it with an AR code to warp hollow to hollow.

    let's go farther in-depth:

    MEMORY:02181E80             ; =============== S U B R O U T I N E =======================================
        MEMORY:02181E80             sub_2181E80
        MEMORY:02181E80 F8 B5       PUSH    {R3-R7,LR}
        MEMORY:02181E82 04 1C       MOVS    R4, R0
        MEMORY:02181E84 95 F6 34 FD BL      derefPointerBase
        MEMORY:02181E88 05 1C       MOVS    R5, R0
        MEMORY:02181E8A 20 1C       MOVS    R0, R4
        MEMORY:02181E8C 95 F6 DC FA BL      getCurrentStepCounter__
        MEMORY:02181E90 04 1C       MOVS    R4, R0
        MEMORY:02181E92 28 1C       MOVS    R0, R5
        MEMORY:02181E94 8D F6 16 FC BL      sub_200F6C4
        MEMORY:02181E98 06 1C       MOVS    R6, R0
        MEMORY:02181E9A E2 0F       LSRS    R2, R4, #0x1F
        MEMORY:02181E9C 21 06       LSLS    R1, R4, #0x18                   ; are the last 2 digits of the step counter 00? if so, run the hollow fill
        MEMORY:02181E9E 89 1A       SUBS    R1, R1, R2
        MEMORY:02181EA0 18 20       MOVS    R0, #0x18
        MEMORY:02181EA2 C1 41       RORS    R1, R0
        MEMORY:02181EA4 50 18       ADDS    R0, R2, R1
        MEMORY:02181EA6 19 D1       BNE     locret_2181EDC
        MEMORY:02181EA8 00 25       MOVS    R5, #0
        MEMORY:02181EAA 05 27       MOVS    R7, #5
        MEMORY:02181EAC             loc_2181EAC                             ; CODE XREF: sub_2181E80+5Aj
        MEMORY:02181EAC 29 06       LSLS    R1, R5, #0x18
        MEMORY:02181EAE 30 1C       MOVS    R0, R6
        MEMORY:02181EB0 09 0E       LSRS    R1, R1, #0x18
        MEMORY:02181EB2 8D F6 CB FC BL      isHollowGenerated__
        MEMORY:02181EB6 00 28       CMP     R0, #0
        MEMORY:02181EB8 0D D1       BNE     loc_2181ED6
        MEMORY:02181EBA 38 1C       MOVS    R0, R7
        MEMORY:02181EBC 91 F6 D8 FC BL      sub_2013870
        MEMORY:02181EC0 04 1C       MOVS    R4, R0
        MEMORY:02181EC2 64 20       MOVS    R0, #0x64 ; 'd'                 ; max
        MEMORY:02181EC4 83 F6 40 FC BL      mainRand64__
        MEMORY:02181EC8 A0 42       CMP     R0, R4
        MEMORY:02181ECA C0 46       NOP
        MEMORY:02181ECC 29 06       LSLS    R1, R5, #0x18
        MEMORY:02181ECE 30 1C       MOVS    R0, R6                          ; hollowBase
        MEMORY:02181ED0 09 0E       LSRS    R1, R1, #0x18
        MEMORY:02181ED2 46 F0 61 FA BL      hollowFill__
        MEMORY:02181ED6             loc_2181ED6                             ; CODE XREF: sub_2181E80+38j
        MEMORY:02181ED6                                                     ; sub_2181E80+4Aj
        MEMORY:02181ED6 6D 1C       ADDS    R5, R5, #1
        MEMORY:02181ED8 14 2D       CMP     R5, #0x14
        MEMORY:02181EDA E7 DB       BLT     loc_2181EAC
        MEMORY:02181EDC             locret_2181EDC                          ; CODE XREF: sub_2181E80+26j
        MEMORY:02181EDC F8 BD       POP     {R3-R7,PC}
        MEMORY:02181EDC             ; End of function sub_2181E80
    this is the for-loop that handles the hollow generation. it gets the step counter each step, checks to see that the lowest 2 digits are 00 and if so, it checks to see if that iteration's hollow is still generated. if the hollow is empty, it does rand(100) to see if it's going to generate something for this given hollow. if rand(100) results in a number less than 5, hollowFill runs.

    MEMORY:021C8398             ; void __fastcall hollowFill__(void *hollowBase, int hollowNumber)
    MEMORY:021C8398             hollowFill__                            ; CODE XREF: sub_2181E80+52p
    MEMORY:021C8398             var_20= -0x20
    MEMORY:021C8398             var_1C= -0x1C
    MEMORY:021C8398             var_18= -0x18
    MEMORY:021C8398 F0 B5       PUSH    {R4-R7,LR}
    MEMORY:021C839A 83 B0       SUB     SP, SP, #0xC
    MEMORY:021C839C 00 90       STR     R0, [SP]
    MEMORY:021C839E 04 20       MOVS    R0, #4                          ; max
    MEMORY:021C83A0 01 91       STR     R1, [SP,#4]
    MEMORY:021C83A2 0A 24       MOVS    R4, #0xA
    MEMORY:021C83A4 3D F6 D0 F9 BL      mainRand64__
    MEMORY:021C83A8 00 06       LSLS    R0, R0, #0x18
    MEMORY:021C83AA 00 0E       LSRS    R0, R0, #0x18
    MEMORY:021C83AC 02 90       STR     R0, [SP,#8]
    MEMORY:021C83AE 01 20       MOVS    R0, #1
    MEMORY:021C83B0 4B F6 72 FA BL      sub_2013898
    MEMORY:021C83B4 07 1C       MOVS    R7, R0
    MEMORY:021C83B6 1D 4E       LDR     R6, =0
    MEMORY:021C83B8 1D D0       BEQ     loc_21C83F6
    MEMORY:021C83BA 01 98       LDR     R0, [SP,#4]
    MEMORY:021C83BC 1C 4A       LDR     R2, =unk_21D3F50
    MEMORY:021C83BE 01 1C       MOVS    R1, R0
    MEMORY:021C83C0 61 43       MULS    R1, R4
    MEMORY:021C83C2 55 18       ADDS    R5, R2, R1
    MEMORY:021C83C4             loc_21C83C4                             ; CODE XREF: hollowFill__+5Cj
    MEMORY:021C83C4 64 20       MOVS    R0, #0x64 ; 'd'                 ; max
    MEMORY:021C83C6 3D F6 BF F9 BL      mainRand64__
    MEMORY:021C83CA 40 1C       ADDS    R0, R0, #1
    MEMORY:021C83CC 00 06       LSLS    R0, R0, #0x18
    MEMORY:021C83CE 02 0E       LSRS    R2, R0, #0x18
    MEMORY:021C83D0 00 23       MOVS    R3, #0
    MEMORY:021C83D2 00 21       MOVS    R1, #0
    MEMORY:021C83D4             loc_21C83D4                             ; CODE XREF: hollowFill__+52j
    MEMORY:021C83D4 68 5C       LDRB    R0, [R5,R1]
    MEMORY:021C83D6 18 18       ADDS    R0, R3, R0
    MEMORY:021C83D8 00 06       LSLS    R0, R0, #0x18
    MEMORY:021C83DA 03 0E       LSRS    R3, R0, #0x18
    MEMORY:021C83DC 9A 42       CMP     R2, R3
    MEMORY:021C83DE 02 D8       BHI     loc_21C83E6
    MEMORY:021C83E0 08 06       LSLS    R0, R1, #0x18
    MEMORY:021C83E2 04 0E       LSRS    R4, R0, #0x18
    MEMORY:021C83E4 02 E0       B       loc_21C83EC
    MEMORY:021C83E6             ; ---------------------------------------------------------------------------
    MEMORY:021C83E6             loc_21C83E6                             ; CODE XREF: hollowFill__+46j
    MEMORY:021C83E6 49 1C       ADDS    R1, R1, #1
    MEMORY:021C83E8 0A 29       CMP     R1, #0xA
    MEMORY:021C83EA F3 DB       BLT     loc_21C83D4
    MEMORY:021C83EC             loc_21C83EC                             ; CODE XREF: hollowFill__+4Cj
    MEMORY:021C83EC 02 2C       CMP     R4, #2
    MEMORY:021C83EE 02 D9       BLS     loc_21C83F6
    MEMORY:021C83F0 76 1C       ADDS    R6, R6, #1
    MEMORY:021C83F2 BE 42       CMP     R6, R7
    MEMORY:021C83F4 E6 D3       BCC     loc_21C83C4
    MEMORY:021C83F6             loc_21C83F6                             ; CODE XREF: hollowFill__+20j
    MEMORY:021C83F6                                                     ; hollowFill__+56j
    MEMORY:021C83F6 00 98       LDR     R0, [SP]
    MEMORY:021C83F8 01 99       LDR     R1, [SP,#4]
    MEMORY:021C83FA 22 1C       MOVS    R2, R4
    MEMORY:021C83FC 47 F6 00 FA BL      setSlot
    MEMORY:021C8400 00 98       LDR     R0, [SP]
    MEMORY:021C8402 01 99       LDR     R1, [SP,#4]
    MEMORY:021C8404 02 9A       LDR     R2, [SP,#8]
    MEMORY:021C8406 47 F6 07 FA BL      setSubslot
    MEMORY:021C840A 64 20       MOVS    R0, #0x64 ; 'd'                 ; max
    MEMORY:021C840C 3D F6 9C F9 BL      mainRand64__
    MEMORY:021C8410 02 1C       MOVS    R2, R0
    MEMORY:021C8412 12 06       LSLS    R2, R2, #0x18
    MEMORY:021C8414 00 98       LDR     R0, [SP]
    MEMORY:021C8416 01 99       LDR     R1, [SP,#4]
    MEMORY:021C8418 12 0E       LSRS    R2, R2, #0x18
    MEMORY:021C841A 47 F6 3D FA BL      setGender
    MEMORY:021C841E 00 98       LDR     R0, [SP]
    MEMORY:021C8420 01 99       LDR     R1, [SP,#4]
    MEMORY:021C8422 01 22       MOVS    R2, #1
    MEMORY:021C8424 47 F6 04 FA BL      enableHollow
    MEMORY:021C8428 03 B0       ADD     SP, SP, #0xC
    MEMORY:021C842A F0 BD       POP     {R4-R7,PC}
    MEMORY:021C842A             ; End of function hollowFill__
    MEMORY:021C842A             ; ---------------------------------------------------------------------------
    MEMORY:021C842C 00 00 00 00 dword_21C842C DCD 0                     ; DATA XREF: hollowFill__+1Er
    MEMORY:021C8430 50 3F 1D 02 off_21C8430 DCD unk_21D3F50             ; DATA XREF: hollowFill__+24r
    hollowFill calls for 3 more random numbers, the first determines item(rand(4)) and the other 2 rand(100)s are slot and gender, respectively. the 200F8XX functions take the results of these calculations and create the u16 element in the hollow array for the given iteration of the hollow generation function.
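A C rendering of the two routines disassembled above, added here as an example (not Bond697's code and not the game's source) so the PRNG calls consumed per step can be counted. Assumptions: the per-hollow table at `unk_21D3F50` is replaced by one constructed weight row shared by all hollows, the results of `sub_2013870(5)` and `sub_2013898(1)` are modelled as the `threshold` and `tries` parameters, and the LCG constants are those in the listing earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>

#define LCG_MUL 0x5D588B656C078965ULL
#define LCG_INC 0x269EC3ULL
#define HOLLOWS 20                    /* CMP R5, #0x14 */
#define SLOTS   10                    /* CMP R1, #0xA  */

typedef struct { uint64_t state; unsigned calls; } rng_t;
typedef struct { uint8_t filled, slot, subslot, gender; } hollow_t;

/* mainRand64__(max): step the LCG, then "u32 * max >> 32". */
static uint32_t rng_rand(rng_t *r, uint32_t max)
{
    r->state = r->state * LCG_MUL + LCG_INC;
    r->calls++;
    return (uint32_t)(((r->state >> 32) * max) >> 32);
}

/* CONSTRUCTED weights (sum 100); the real table bytes are not in the post. */
static const uint8_t SLOT_WEIGHTS[SLOTS] = {20, 20, 10, 10, 10, 10, 5, 5, 5, 5};

/* hollowFill__: rand(4) for the sub-slot, a slot roll against the cumulative
   table (re-rolled while the slot is above 2 and tries remain), rand(100)
   for gender, then the hollow is enabled. */
static void hollow_fill(rng_t *r, hollow_t *h, unsigned tries)
{
    uint8_t slot = SLOTS;                           /* R4 starts at 0xA */
    uint8_t subslot = (uint8_t)rng_rand(r, 4);

    for (unsigned t = 0; t < tries; t++) {
        unsigned roll = rng_rand(r, 100) + 1;       /* 1..100 */
        unsigned sum = 0;
        for (uint8_t i = 0; i < SLOTS; i++) {
            sum = (sum + SLOT_WEIGHTS[i]) & 0xFF;   /* byte-wide accumulator */
            if (roll <= sum) { slot = i; break; }
        }
        if (slot <= 2)                              /* CMP R4, #2 / BLS */
            break;
    }
    h->slot = slot;
    h->subslot = subslot;
    h->gender = (uint8_t)rng_rand(r, 100);
    h->filled = 1;
}

/* sub_2181E80, run on every step; returns how many hollows were filled.
   The listing shows CMP R0, R4 followed by a NOP at 02181ECA; the skip for
   rand(100) >= threshold below follows the post's description of the check. */
static int on_step(rng_t *r, hollow_t *hollows, uint32_t steps,
                   uint32_t threshold, unsigned tries)
{
    int filled = 0;
    if ((steps & 0xFF) != 0)                        /* only every 256 steps */
        return 0;
    for (int i = 0; i < HOLLOWS; i++) {
        if (hollows[i].filled)                      /* no PRNG call at all */
            continue;
        if (rng_rand(r, 100) >= threshold)
            continue;
        hollow_fill(r, &hollows[i], tries);
        filled++;
    }
    return filled;
}

int main(void)
{
    hollow_t hollows[HOLLOWS] = {{0, 0, 0, 0}};
    rng_t r = { 0x55F7EBFABB7B9E77ULL, 0 };         /* sample state */
    int total = 0;
    for (uint32_t step = 1; step <= 256u * 40u; step++)
        total += on_step(&r, hollows, step, 5, 1);
    printf("%d hollows filled, %u PRNG calls over 40 checks\n", total, r.calls);
    return 0;
}
```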
  25. chiizu


    Nov 12, 2010
    If I'd stopped for a moment to think, I might have realized that the additional 13 IV frame advancements was the same as happens between each Poke when receiving multiple Pokes at the same time.

    Legendaries are generated as if another Poke is received before them, i.e. 5 additional PIDRNG advances and 13 additional IV frame advances. The particle effects when receiving them have no effect on either RNG (before they are received, anyway).

    Also, I edited my previous post, but it was a day later, so I'll just quote the edit regarding SD Card file backup in case it was missed.
