1. Welcome to the Orange Islands! Please remember to read the rules. Come chat with us on our IRC channel and enjoy your stay!
  2. Welcome to Smogon Forums! Please take a minute to read the rules.
  3. Click here to ensure that you never miss a new SmogonU video upload!

Research SFMT RNG in Sun&Moon

Discussion in 'Sun and Moon' started by cs-zii, Dec 30, 2016.

  1. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    Discuss SFMT random number generator in Sun&Moon.

    In Sun&Moon, when decide a wild pokemon's IVs, PID, Encryption Constant, etc, it is SFMT (SIMD-oriented Fast Mersenne Twister; MEXP=19937) that be used.

    And the initial seed is a 32-bit value, used by sfmt_init_gen_rand().

    Moreover, in the QR scanner, when the message "Searching for a QR code..." is showed, "sfmt_genrand_uint64(&sfmt) % 17" is used to decide the hands of clock.

    So, you can identify the seed by brute force of 2^32 seeds. I tried it in practice, and succeeded.

    Here is a picture of the hands of clock.

    [​IMG]
    Last edited by a moderator: Dec 31, 2016
    NixHex and Edu like this.
  2. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    I will provide an additional explanation.

    I say, when the game calls genrand_uint64(), one frame advances.

    There are 416 417 frame advances when the game starts.

    And while the player is on the field, frame advances about 30 times per second to decide player's blinking. If NPCs exist, more advances will occur.

    Of course, in the QR scanner, there is no frame advance for blinking.
    Last edited: Jan 29, 2017
  3. MMX

    MMX

    Joined:
    Jul 6, 2007
    Messages:
    2,026
    Does this work for gift Pokémon and wondercards as well?
  4. Wrulfy

    Wrulfy

    Joined:
    Nov 1, 2016
    Messages:
    150
    This sounds cool. I haven't really done any RNG manipulation except for gen III since it was so easy to set up on VBA for getting good things to play with.
  5. ΩDonut

    ΩDonut don't glaze me bro
    is a Pokemon Researcheris a Programmer Alumnusis a Forum Moderator Alumnusis a Contributor Alumnus

    Joined:
    Aug 23, 2006
    Messages:
    3,741
    NixHex and Edu like this.
  6. Siggu

    Siggu

    Joined:
    Sep 22, 2010
    Messages:
    2,050
    Hold on, the poses are randomly chosen? I thought the same pose was always going to appear unless you 'click' on the Pokemon fast enough. Silly me...
  7. Wrulfy

    Wrulfy

    Joined:
    Nov 1, 2016
    Messages:
    150
    I guess the poses work the same way coin flips did in DPPt
  8. Kadabrium

    Kadabrium

    Joined:
    Jan 13, 2013
    Messages:
    546
    Is it now confirmed that how summary screen poses draw RNG? I noticed this early in gen6 but was told that they ''carry too little information'' to be analyzed.
  9. Kadabrium

    Kadabrium

    Joined:
    Jan 13, 2013
    Messages:
    546
  10. Siggu

    Siggu

    Joined:
    Sep 22, 2010
    Messages:
    2,050
    NixHex likes this.
  11. Kadabrium

    Kadabrium

    Joined:
    Jan 13, 2013
    Messages:
    546
    The rng for eggs only have a 127 bit internal state while this one is assumed to have the full 19937. If they actually went by the same method, this one would have required much more inputs than just 127 eggs. However, with eggs each input is from a %2 or just 1 bit which also carries far less information than a %17 would.
  12. Dragontamer

    Dragontamer

    Joined:
    Jun 9, 2007
    Messages:
    2,193
    Sounds like the "TinyMT" algorithm, which was based on the Mersenne Twister.

    http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/TINYMT/index.html
  13. Kadabrium

    Kadabrium

    Joined:
    Jan 13, 2013
    Messages:
    546
  14. Princess Emily

    Princess Emily Fear the nice-smelling Princess!

    Joined:
    Nov 15, 2009
    Messages:
    761
    This reminds me of Dream Radar RNG where we use the clock/spinner positions to find a seed, only this time there are 17 instead of 8 (0 & 16 looks a bit similar tho)
    Does this work on WCs & gift mons too?
  15. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    The seed is decided by the following algorithm.

    Code:
    uint64_t msg[2];
    uint32_t digest[16];
    msg[0] = GetSystemTick();
    msg[1] = getTimeInMilliseconds();
    SHA256Digest((unsigned char *)digest, (unsigned char *)msg, 16);
    seed = digest[0];
    where:
    `GetSystemTick()` means the total CPU ticks elapsed since the CPU was powered-on (see: https://www.3dbrew.org/wiki/SVC).
    `getTimeInMilliseconds()` means the milliseconds elapsed since 00:00:00, 1 Jan 2000.
    `SHA256Digest(digest, msg, len)` calculates SHA-256 digest from `msg` and store into `digest`.

    For example, if GetSystemTick() returns 0x12345678, getTimeInMilliseconds() returns 0x7d349cc000 (that means 00:00:00, 15 Jan 2016), then seed is 0xddcdcba7.
    Last edited: Jan 16, 2017
  16. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    There are some NPCs in pokemon center.
    So, perhaps RNG abuse for gift pokemons may be more difficult than that for legendary pokemons.
  17. Princess Emily

    Princess Emily Fear the nice-smelling Princess!

    Joined:
    Nov 15, 2009
    Messages:
    761
    But most NPCs in Pokemon centers don't move that much & are always standing still, unlike their previous gen counterparts.
    Will they still advance frames even if not moving?
  18. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    NPCs also do blink their eyes.
  19. Wrulfy

    Wrulfy

    Joined:
    Nov 1, 2016
    Messages:
    150
    I think kukui does not. At least he doesn't breathe
  20. Kadabrium

    Kadabrium

    Joined:
    Jan 13, 2013
    Messages:
    546
  21. cs-zii

    cs-zii

    Joined:
    Dec 30, 2016
    Messages:
    7
    Characters' blinking is decided by the following algorithm.

    When the function is called first, `state`, `dblflag`, and `count` are 0. `chr->eyes == 1` or `chr->eyes == 2` mean the character's eyes are open. `chr->eyes == 3` means the character's eyes are closed. `rand(n)` means `sfmt_genrand_uint64(&sfmt) % n`.

    This function is called 30 times per second for each character.

    Code:
    void character_blink(Character *chr) {
       switch (chr->state) {
       case 0:
         chr->eyes = 1;
         if (chr->dblflag) {
           chr->state = 1;
           return;
         }
         if (chr->count != 0) {
           chr->count--;
           if (chr->count != 0) return;
         }
         if (rand(128) == 0) {
           chr->state = 1;
         }
         return;
       case 1:
         chr->eyes = 2;
         chr->state = 2;
         return;
       case 2:
         chr->eyes = 3;
         chr->state = 3;
         return;
       case 3:
         chr->eyes = 2;
         chr->state = 4;
         return;
       case 4:
         chr->eyes = 2;
         chr->state = 5;
         return;
       case 5:
         chr->eyes = 1;
         if (chr->dblflag == 0) {
           if (rand(3) == 0) {
             chr->dblflag = 1;
             chr->count = 60;
             chr->state = 0;
             return;
           }
         }
         chr->dblflag = 0;
         chr->count = 30;
         chr->state = 0;
         return;
       }
    }
    Edu and richi3f like this.
  22. Princess Emily

    Princess Emily Fear the nice-smelling Princess!

    Joined:
    Nov 15, 2009
    Messages:
    761
  23. MurdererFight

    MurdererFight

    Joined:
    Jun 30, 2015
    Messages:
    3
    New version is up, but how we are supposed to use it?
  24. MMX

    MMX

    Joined:
    Jul 6, 2007
    Messages:
    2,026
  25. ¬N e a f 97™

    ¬N e a f 97™

    Joined:
    Mar 13, 2011
    Messages:
    37
    Guys, can you tell me which is the address in the RAM of the Seed?

Users Viewing Thread (Users: 0, Guests: 0)