Monday, 22 August 2016

Reverse-Engineering PRNG Algorithm

I don't actually code outside of a paper/rock/scissors game I wrote in a Python class. But I try to get very deep into the games I play and frequently end up digging through the code or learning very precise mechanics. I abuse the Random Number Generator in Pokemon games with the help of a program called RNG Reporter. I've recently hit a snag and the community has been at a loss to help me.

The games use Mersenne Twister to generate the PRNG state from an initial seed. The seed is determined by the date and time. I'm starting to get a little over my own head, but here are some things I do know, but can't figure out how to apply:

1) There is an 8-digit (32-bit) hex number XXXXYYYY, where XXXX and YYYY are two numbers in game 0-65536 converted to hex. This hex number is based on the initial seed.

2) The initial seed is another 8-digit hex value determined by the date, time (to the second), delay (time between turning the game on and actually entering the game) and an algorithm that I don't know. But RNG Reporter can work backwards, giving me the initial seed needed to generate XXXXYYYY. It can then work backwards again, giving me the dates and times that would generate the initial seed.

I tried to find a specific value for XXXXYYYY, and the only option available requires an insanely high delay (almost two hours when 4 or 5 minutes is virtually unheard of).

The problem is, after giving me the initial seed (7F1FE242 if it helps), Reporter tells me that the seed is invalid when calculating dates and times. I think some sort of overflow is happening, but I can't be sure. Plugging the initial seed back into the first step gives me the proper XXXXYYYY.

I have access to the source code (it's on github), but I can't read it. Here is a link to the section that handles Seed to Time calculation, I think: http://ift.tt/2byJSST

I can also provide these examples of seeds and dates, if that's helpful at all:

1) These dates and times all produce an initial seed of 580F11B3 (with a delay of 4515, or about two minutes)

  • 2016 01 29 15:59:00
  • 2016 01 30 15:58:00
  • 2016 01 01 15:28:59
  • 2016 01 01 15:29:58
  • 2016 01 01 15:30:57

The patterns are obvious, but I have no idea how to get to a hex value from them.

Any help would be greatly appreciated.
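A worked example added by the editor, not code from the original post or from RNG Reporter: the date/time/delay to initial-seed mapping used by the Generation IV Pokemon games, and its inverse. The post does not state the formula, so the byte layout below is the commonly documented one rather than anything confirmed by the page, but it reproduces all five date/time examples listed above (each gives 580F11B3 with a delay of 4515). Under that layout the second byte of a seed is the clock hour, and in 7F1FE242 that byte is 0x1F = 31, which no date/time can produce; that is what a "seed to time" search has to reject. Function names and the `seed_problems` check are the editor's own.

```python
# Added example (editor's code, not from the original post or RNG Reporter).
# Assumed Generation IV initial-seed layout, as bytes AB CD EFGH:
#   AB   = (month*day + minute + second) mod 256
#   CD   = hour
#   EFGH = (year - 2000 + delay) mod 65536
# It matches the five dates quoted above for seed 580F11B3 / delay 4515.
from calendar import monthrange
from datetime import datetime


def initial_seed(year: int, month: int, day: int, hour: int,
                 minute: int, second: int, delay: int) -> int:
    """Date, time and delay -> 32-bit initial seed."""
    ab = (month * day + minute + second) & 0xFF
    cd = hour & 0xFF
    efgh = (year - 2000 + delay) & 0xFFFF
    return (ab << 24) | (cd << 16) | efgh


def split_seed(seed: int) -> tuple:
    """Return the (AB, CD, EFGH) fields of a 32-bit seed."""
    return (seed >> 24) & 0xFF, (seed >> 16) & 0xFF, seed & 0xFFFF


def seed_problems(seed: int) -> list:
    """Explain why no date/time/delay can reach `seed` (empty list = reachable).
    Any 32-bit value seeds the Mersenne Twister fine; only the inverse fails."""
    _, hour, _ = split_seed(seed)
    problems = []
    if hour > 23:
        problems.append(f"hour byte 0x{hour:02X} = {hour}, but a clock hour is 0-23")
    return problems


def delay_for_year(seed: int, year: int) -> int:
    """Delay implied by the EFGH field for a given calendar year."""
    _, _, efgh = split_seed(seed)
    return (efgh - (year - 2000)) & 0xFFFF


def seed_to_times(seed: int, year: int) -> list:
    """All date/times in `year` that give `seed` with delay_for_year(seed, year).
    Rather than brute-forcing every second of the year, solve
    minute + second == (AB - month*day) mod 256 for each calendar day."""
    ab, hour, _ = split_seed(seed)
    if hour > 23:
        return []                      # unreachable seed, see seed_problems()
    times = []
    for month in range(1, 13):
        for day in range(1, monthrange(year, month)[1] + 1):
            target = (ab - month * day) % 256
            if target > 59 + 59:       # minute + second can be at most 118
                continue
            for minute in range(max(0, target - 59), min(59, target) + 1):
                times.append(datetime(year, month, day, hour, minute, target - minute))
    return times


if __name__ == "__main__":
    good, bad = 0x580F11B3, 0x7F1FE242
    print(f"{good:08X}: delay {delay_for_year(good, 2016)}, "
          f"{len(seed_to_times(good, 2016))} matching times in 2016")
    print(f"{bad:08X}: {seed_problems(bad) or 'reachable'}")
```

The inverse is exact rather than a search: the hour and the year/delay field are read straight out of the seed, and only the top byte has to be solved for, which is why every valid seed has many hits in a year (any month/day/minute/second combination with the same sum mod 256) while a seed whose hour byte exceeds 23 has none.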
