Post Reply 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Dissecting a game's RNG using PPSSPP?
03-06-2018, 09:11 PM (This post was last modified: 03-07-2018 07:44 AM by dainegai.)
Post: #1
Dissecting a game's RNG using PPSSPP?
Hello! Not sure whether there's a better place to post this so apologies if there is.

I've been wondering whether there is a way to use the tools in PPSSPP and other potentially relevant third-party tools (e.g. Cheat Engine) to determine how a game uses its RNG for certain random actions. In particular, I'm curious about how the game Senjou no Valkyria 3: Extra Edition determines enemy placement when choosing a mission. (Want to see if a certain placement pattern is possible -- just continually trying to roll for it hasn't proven fruitful.)

I already have a few observations about its behavior:
- If you buffer the "Accept mission" button when loading a state, the game uses the same enemy placement. Doesn't seem to be based on in-game clock (wasting some frames, then using Cheat Engine to force the in-game clock to the same framecount does not produce the same enemy placement).
- The enemy placement changes substantially depending on which frame you accept the mission (there doesn't seem to be "local similarity" in adjacent frames).

I have some potentially useful files to help with this: two non-identical savestates (for the Windows 64-bit build of PPSSPP v1.5.4) which yield the same enemy placement if the confirm button is buffered when loading state.
I tried seeing if I could use Cheat Engine to see what values are identical between the two savestates (with a few subsequent searches to remove values that remain the same regardless of the frame) but I still end up with thousands of values to sift through. (I'd start my search at the start of the default load address and would have a search space of ~0x1000000000 iirc.)

I've also tried noodling around using Cheat Engine to see if I could find the memory that contains PPSSPP's RNG algorithms (so I could see what calls it/whether reverting the values will yield the same enemy placements). I see on the github repo (@ /hrydgard/ppsspp/blob/master/ext/native/util/random/rng.h) that there are two potential algorithms. I couldn't find the incrementing counter or the "magic numbers" for the Mersenne Twister implementation, and though I could find potential locations for the RNG seeds (1337 and 31337) for GMRng(), I couldn't seem to locate the actual R32() function which spits out the random numbers. (I've tried searching for a "shr *,16" or "shl *,15", but it would take a seemingly interminable amount of time on my laptop and I guess could also not exist depending on how the compiler performed its optimizations.)

I may be just going about this the wrong way. Anyone have a better idea on how to approach this? Maybe I should just clone the repo, stick some breakpoints in the rng.h file, build, and monitor/modify the values that way? Only reason why I haven't tried that yet is I remember having a lot of trouble attempting to build off the repo before.
EDIT: Have since tried this -- in-game, the emulator seems to only call GMRng() on the initial loadstate and on no frame afterward. So I guess my lack of PSP/PPSSPP knowledge is showing. Is the in-game RNG not handled by the emulator? Perhaps in a different function?

tl;dr: What would be the best way to use PPSSPP to dissect a game's RNG?
Find all posts by this user
Quote this message in a reply
Post Reply 

Forum Jump: