Cheat Engine

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Hi guys. How do you find rng seed in games ? Especially when the rng isn't shown to you. You know like random in general. For exemple looting.

deama1234 · Posted: Wed Aug 19, 2015 12:35 am Post subject: Re: RNG seed

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Redouane · Posted: Wed Aug 19, 2015 9:02 am Post subject: Re: RNG seed

deama1234 · Posted: Wed Aug 19, 2015 9:17 am Post subject: Re: RNG seed

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

deama1234 · Posted: Wed Aug 19, 2015 10:27 am Post subject: Re: RNG seed

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Rydian · Posted: Wed Aug 19, 2015 1:30 pm Post subject:

Personally I don't bother with this 'cause I go one of three routes instead.

A - Play with normal drops.
B - Use a save editor.
C - Hack stats and status and junk.

Each of which is far less work and all that jazz.
Not many people have experience reversing RNG systems for these and other reasons.

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Gniarf · Posted: Wed Aug 19, 2015 3:07 pm Post subject:

I've seen Mersenne twisters (MT) in several (jap) games and this article ( https://jazzy.id.au/2010/09/22/cracking_random_number_generators_part_3.html ) confirms it's a pretty popular PRNG, so I'd try to see if your game uses a MT.
How?
By scanning for its specific constants (0x9908b0df, 0x9d2c5680, 0xefc60000) in executable memory (which is not CE's default setting); if I see them in bunch of code mostly made of additions/xoring/shifting/masking along with a few 623/624 (0x26F/0x270) I'll assume I found a MT. Check if this function is actually used ingame, and if it is, find the MT's state array, and the function that initializes it. Your seed is passed on to this function.

But tbh, it's not how I found the MTs I mentioned earlier; I accidentally stumbled upon them while back tracing decryption functions.

As for detecting other PRNGs, it's the same idea, just with different constants.
...Or maybe your game is simply reading how many cpu clock cycles have elapsed since the start of your computer, and uses the lower digits of that as a random number, in which case it might be simpler to start from the consequence, ie: Random chance to be detected? The enemy moves toward you when you are detected, so find position, find what changes position, find why position changed and you'll have the detected on/of flag, then find what changes detection, then find why detection changed and you'll have the output of your PRNG, then dive into it... Not the simplest hack ever, but theoretically doable, especially on small/old games.

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Rydian · Posted: Wed Aug 19, 2015 4:51 pm Post subject:

Well, what is your end goal?

If it's just to mess with the RNG by raising chances on things, an alternate method could be to see if the game's install folder has loot pools in some sort of editable text format like JSON or XML or something.

Demonarke · Cheater Reputation: 0 Joined: 12 Aug 2013 Posts: 31

Gniarf · Posted: Thu Aug 20, 2015 8:29 am Post subject:

Thinking again about it, every PRNG has a state stored somewhere, it can be a list of numbers (like for a MT), or it can be a single number. If there is a list, there is an additional number -the index- that tells the generator which entry it should pull out of the list.
So in theory there should be a variable (the state or the index) that changes every time the generator spits something, and only at that time, meaning you could find it with changed/unchanged scans, freeze it and always get the same results.

(There is also the case where an entry of a list would be modified after being used, there you'd have to find another variable after locking the index)

Hint: for a Mersenne twister, the index varies between 0 and 623, increasing (or decreasing) by 1 at each draw, until it reaches 623 (or 0) where it resets to 0 (or 623)