Notable Breakpoints

#1 tsanth Posted 1/2/2008 12:53:53 PM
Perhaps someone else can use these to help grok the code. These breakpoints are applicable for Pokemon Pearl under the no$gba hobbyist version:

0205E40C: PokeRadar routine
0201B9EC: PRNG
020EBC80: Division routine; performs R0 / R1
0223C1EE: Pokeball catching routine

I'm still working through these myself; it's slow going since I don't have professional tools to properly map the code, but perhaps someone else does and can do something with these breakpoints.
---
Where the fear has gone there will be nothing.
Only I will remain.
#2 tsanth (Topic Creator) Posted 1/2/2008 1:25:44 PM
Finally decided to code the PRNG today. Here it is in Perl:

use strict; use integer;   # 'integer' keeps the product an exact 64-bit int instead of a rounded float

my $input = hex($ARGV[0] // '0');   # 32-bit seed, given as hex on the command line
my $randomizer = 0x41C64E6D;
my $intermediate = ($randomizer * $input) & 0xFFFFFFFF;
my $final = ($intermediate + 0x6073) & 0xFFFFFFFF;   # mask again: the add can carry out of bit 31
printf "%08X\n", $final;

$final contains the next value generated by the PRNG. You can verify this with no$gba. I'm still not sure how this feeds the actual pokemon generation routine. Methinks I'm missing a critical step somewhere...
---
Where the fear has gone there will be nothing.
Only I will remain.
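The same 32-bit LCG step as an added Python example (not tsanth's code and not from the game): it shows the forward step, the exact inverse step that recovers the previous state (possible because the multiplier is odd), and the carry case that an unmasked addition gets wrong. The sample seed is a constructed value.

```python
# Pokemon D/P PRNG step as reverse-engineered in the post above: a 32-bit LCG.
MULT = 0x41C64E6D
INCR = 0x6073
MASK = 0xFFFFFFFF

# The multiplier is odd, so it is invertible mod 2**32; that lets us walk the
# generator backwards from any observed value.
MULT_INV = pow(MULT, -1, 1 << 32)   # Python 3.8+

def next_state(seed: int) -> int:
    """Advance the generator one step (what the routine at 0201B9EC computes)."""
    # Mask after the add as well: (seed*MULT) mod 2**32 can be close to 2**32,
    # so adding 0x6073 may carry out of bit 31.
    return (seed * MULT + INCR) & MASK

def prev_state(value: int) -> int:
    """Undo one step: value = seed*MULT + INCR (mod 2**32) -> seed = (value - INCR)*MULT^-1."""
    return ((value - INCR) * MULT_INV) & MASK

def advance(seed: int, n: int) -> int:
    """Return the state after n steps."""
    for _ in range(n):
        seed = next_state(seed)
    return seed

def steps_between(seed: int, target: int, limit: int = 1_000_000):
    """Number of steps from seed to target, or None if not reached within limit."""
    state = seed
    for n in range(limit + 1):
        if state == target:
            return n
        state = next_state(state)
    return None

def carry_seed() -> int:
    """A seed whose product term lands on 0xFFFFFFFF, so the add wraps to 0x6072."""
    return (0xFFFFFFFF * MULT_INV) & MASK

if __name__ == "__main__":
    s = 0x12345678  # constructed sample seed
    print(f"{s:08X} -> {next_state(s):08X} -> back to {prev_state(next_state(s)):08X}")
    print(f"carry case: seed {carry_seed():08X} -> {next_state(carry_seed()):08X}")
```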
#3 tsanth (Topic Creator) Posted 1/2/2008 4:57:36 PM
One more notable breakpoint:

0223BAD4: Wild Encounter Check

Setting the following jump at 0223BAD6 to an unconditional jump results in never having wild encounters; I'll make an AR code out of that one later, for future use. Note that even if you short-circuit that check, you can still force encounters with the PokeRadar.

I think I'm slowly getting closer to that pokemon generation routine.
---
Where the fear has gone there will be nothing.
Only I will remain.
#4 tsanth (Topic Creator) Posted 1/2/2008 5:39:44 PM
...and I guess that's it for now. There's an interesting location where Pokemon initializes a register to 0xBEEFCAFE. I'm unsure of the significance of that particular subroutine, but maybe further examination will reveal something useful. I still have to spelunk in around 10-15 subroutines to find the generation routine. If all goes well and if tonight's not busy, I may find it tonight.

Here's hoping.
---
Where the fear has gone there will be nothing.
Only I will remain.
#5 gbchaosmaster Posted 1/2/2008 5:43:58 PM
My brain exploded.
---
gbchaosmaster
#6 Jeffmaz2001 Posted 1/2/2008 8:49:31 PM
I hereby crown Tsanth to be the only true hacker I know of on this board. He is actually delving into the code, disassembling it, and figuring out how it works. This is an honorable and notable skill, and the rest of the "hackers" on this board can probably not match that.

Tsanth, I certainly hope you are doing more with your talent than just hacking video games. That kind of understanding is highly marketable on the job market; used properly, you have a bright future.

That register you mentioned sounds like a "magic number". Are you familiar with those? The first time I encountered those was in early computer systems, when they needed to know the difference between a soft-reset and a power-up reset. On power up, memory is pretty much randomized (though it usually ends up all 0x00 or 0xFF), and that "magic location" would be similarly scrambled. The processor checks it, sees that it is not 0xBEEFCAFE, and determines that it is a power-up reset that it is doing. So it then initializes that location to 0xBEEFCAFE and continues powering up. If you do a soft-reset, it will check that location again and see that it has already been powered up, so it will perform the soft-reset function and leave some initializations alone this time. If you were to write gibberish into that location and then do a soft-reset on the DS, you would probably get a cold-start out of your DS.
---
Any idiot can hack, many do.
I am playing 2 copies each of Diamond and Pearl.
#7 Jeffmaz2001 Posted 1/2/2008 8:53:00 PM
One more thing about 0xBEEFCAFE, since almost any value can be used as the "magic number", programmers often use their sense of humor in selecting the number. In the 16-bit days I knew a programmer that used 0xCAFE and laughed about it. I guess a similar sense of humor is being used by some Nintendo programmer in the 32-bit world.
---
Any idiot can hack, many do.
I am playing 2 copies each of Diamond and Pearl.
#8 tsanth (Topic Creator) Posted 1/3/2008 10:08:54 AM
I'm actually a programmer by vocation, although I find my hobby programming far more interesting than what I do for work. Then again, isn't that the case for the great majority of hobbies?

I've seen a few magic numbers in my time, as well; in fact, no$gba initializes R0 to 0CA5h if you set a flag to do it. Thanks for the refresher.

It looks like work's winding up today, so I may not have time to trace through more code. In any case, I decided that my system needed revamping: I was tracing randomly through parts of code for stuff that looked "interesting," and that's a rather poor way to do it. I'm currently going function-by-function through the encounter code, so I guess I'll see if I have time after work to get to it.

I found a few sites which explain the theory of encoding raw patches to AR codes. I used it for the last code I created, but realized now that I wasn't being safe enough. Methinks I'm going to have to do some rewriting later.

Reference: http://doc.kodewerx.net/hacking_nds.html
---
Where the fear has gone there will be nothing.
Only I will remain.
#9 tsanth (Topic Creator) Posted 1/3/2008 2:52:14 PM
Okay, finally. They sent me home from work today (pink eye-like symptoms, coughing, etc.), so I got more time to work on the code.

I narrowed down my search, and I've definitely found a few more interesting breakpoints:

0223BA10: Movement Handler START
0223BD1C: Movement Handler END
0223BB2E: Pair-battle (NPC partner) check
0223BA46: "Am I on grass?" check

The movement handler is called whenever you move. I'm eager to see where all the little animation steps take place. The pair-battle check can force a pair battle if you set the flag correctly or jump to the correct part of the code. The on-grass check forces an early return, so you can actually force that flag and avoid any of the encounter code completely. I need to see what the trade-offs are with either method (force-failing the encounter check versus force-failing the grass-check).

I'll put up more interesting stuff later, but for now I need to get my oil changed. Hurray for small successes!
---
Where the fear has gone there will be nothing.
Only I will remain.
#10 tsanth (Topic Creator) Posted 1/3/2008 8:00:26 PM
Here's something that you all probably know, but that you may find interesting to have verified: the move handler is called up to twice in a square:

1) Once if you're turning to a different direction in the square, and
2) Once as you're moving into another square.

This means that turning once will proc the move handler, while turning-and-walking will proc the move handler twice. Each time the move handler is procced, it can possibly generate a wild pokemon encounter if you're in grass.

More to come later. It gets easier to read the code after you've marked out all the function calls and return points.
---
Where the fear has gone there will be nothing.
Only I will remain.