List of games that use power-on state to seed RNG

tokumaru
Posts: 12427
Joined: Sat Feb 12, 2005 9:43 pm
Location: Rio de Janeiro - Brazil

Re: List of games that use power-on state to seed RNG

Post by tokumaru »

What's that about emulator detection? Are we back in the late 90's?
Bregalad
Posts: 8055
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Re: List of games that use power-on state to seed RNG

Post by Bregalad »

rainwarrior wrote: Sun Dec 20, 2020 2:13 pm We've discussed SRAM tendencies in the past here. I think some do seem to power-on all 0 or all 1, but I don't think you'd typically find those in a conventional NES (but possibly in clones). PowerPak and Everdrive also initialize large parts of RAM with their menus, though not to 0 or 1.

There are probably much better ways to try and detect an emulator, but honestly if your software is worth running whatever that test is will be defeated by a newer emulator (and/or a patch). Stuff like this tends to age pretty poorly, and I've seen several mildly embarrassing past attempts at things like that which turned out not to work correctly.
YOU ARE USING AN EMULATOR...

EMULATION
MAY NEVER BE PERFECT...

IF YOU AGREE, PRESS START
Useless, lumbering half-wits don't scare us.
strat
Posts: 409
Joined: Mon Apr 07, 2008 6:08 pm
Location: Missouri

Re: List of games that use power-on state to seed RNG

Post by strat »

Since the detection code in that demo involves reading from PPU_ADDRESS, it would probably get defeated in about 15 minutes, a little longer if they try to protect it with Earthbound-style checkpoints.
Bregalad
Posts: 8055
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Re: List of games that use power-on state to seed RNG

Post by Bregalad »

strat wrote: Sun Dec 20, 2020 4:37 pm Since the detection code in that demo involves reading from PPU_ADDRESS, it would probably get defeated in about 15 minutes, a little longer if they try to protect it with Earthbound-style checkpoints.
I always got that message even when running from both NTSC and PAL hardware with a PowerPak; I came to the conclusion it is not functioning. Maybe it's the PowerPak that does some initialization leading to this screen.
Useless, lumbering half-wits don't scare us.
strat
Posts: 409
Joined: Mon Apr 07, 2008 6:08 pm
Location: Missouri

Re: List of games that use power-on state to seed RNG

Post by strat »

Here's the intended emulator-detection code from the RTC.nes demo. Even after reading about open-bus behavior on the wiki, I'm stumped here. In both FCEUX and Mesen it writes #$AA to vram address $0001 and the cmp reads from $0002 [Edit: It's actually reading the value in $1 on the read buffer - the problem here is that the emulator doesn't allow writes to chr memory if the header says chr rom]. I guess it's supposed to write #$AA to $2A00 and read it back with the cmp but the inx and the first dummy read ensure it will always hit $2A02.

As an aside, I ran the routine in SMB that reads from PPU_DATA to confirm that both FCEUX and Mesen show the correct vram address when writing to $2006 normally. However, in the routine below, on the second pair of $2006 writes (stx/sta), Mesen says T == $2A01 but the vram address is still $0001. (see vram addr and T in screencaps below)

Also, this demo clears vram before this routine so I doubt using a flashcart has anything to do with it failing to work at all.

Code:

01:ED9D:A2 00     LDX #$00
 01:ED9F:8E 00 20  STX PPU_CTRL = #$00
 01:EDA2:8E 01 20  STX PPU_MASK = #$00
 
 01:EDA5:AD 02 20  LDA PPU_STATUS = #$00
 01:EDA8:A9 AA     LDA #$AA
 01:EDAA:EE 06 20  INC PPU_ADDRESS = #$00
 01:EDAD:8E 06 20  STX PPU_ADDRESS = #$00
 01:EDB0:E8        INX
 01:EDB1:8D 07 20  STA PPU_DATA = #$00
 
 01:EDB4:8E 06 20  STX PPU_ADDRESS = #$00
 01:EDB7:8D 06 20  STA PPU_ADDRESS = #$00
 01:EDBA:AE 07 20  LDX PPU_DATA = #$00
 01:EDBD:CD 07 20  CMP PPU_DATA = #$00
 
 ; if not equal this is an emulator
 01:EDC0:D0 01     BNE $EDC3
Attachments
mesen0.png
mesen1.png
Last edited by strat on Mon Dec 21, 2020 7:59 pm, edited 1 time in total.
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: List of games that use power-on state to seed RNG

Post by lidnariq »

strat wrote: Mon Dec 21, 2020 5:39 pm 01:EDAA:EE 06 20 INC PPU_ADDRESS = #$00
Hm.
Normally that would read the PPU internal open bus (pre-seeded to 0 by the above STX), then write 0, then write 1. That would make the following
01:EDAD:8E 06 20 STX PPU_ADDRESS = #$00
not have any effect yet.
01:EDB4:8E 06 20 STX PPU_ADDRESS = #$00
01:EDB7:8D 06 20 STA PPU_ADDRESS = #$00
Once again, that A=$AA STA is misleading, only the X=0 STX abs above and X=1 STX abs should matter.
01:EDBA:AE 07 20 LDX PPU_DATA = #$00
01:EDBD:CD 07 20 CMP PPU_DATA = #$00
So the first read primes the PPU read buffer, the second returns the result that was at address $1. Which should be $AA.

I dunno, makes sense to me?
strat
Posts: 409
Joined: Mon Apr 07, 2008 6:08 pm
Location: Missouri

Re: List of games that use power-on state to seed RNG

Post by strat »

I forgot T is copied into V only on the 2nd write, though just learned for the first time RMW instructions write both the original and modified value (meaning the INC $2006 already sets vram to $0001 which totally went over my head). Though the dummy PPU_DATA read still increments the vram address so I still don't get how the CMP PPU_DATA could land on $0001.

Also, there's no copying of graphics to chr memory so it doesn't look like this was meant for a cart where chr would be ram (would a flashcart allow a program to use its chr memory like ram even if it's a chr-rom game?).
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: List of games that use power-on state to seed RNG

Post by lidnariq »

strat wrote: Mon Dec 21, 2020 7:00 pm Though the dummy PPU_DATA read still increments the vram address so I still don't get how the CMP PPU_DATA could land on $0001.
Because the read returns the previous value. The LDX PPU_DATA returns the current value of the holding register, and schedules a read-and-then-increment from the current address (1). Then CMP PPU_DATA returns that value, and schedules a read &c.
(would a flashcart allow a program to use its chr memory like ram even if it's a chr-rom game?).
Depends on the flashcart. Some do lock CHR RAM.
strat
Posts: 409
Joined: Mon Apr 07, 2008 6:08 pm
Location: Missouri

Re: List of games that use power-on state to seed RNG

Post by strat »

OK, it checks out. I just resorted to forcing $AA into PPU addr $1 and it passes the test. It's still a mystery what kind of cart this was supposed to work on and it leaves an unsightly bunch of pixels in that tile. :?
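
An added example, not part of any post in this thread: a small Python model of the $2006/$2007 behavior worked out above (write toggle, T copied to V on the second write, buffered PPU_DATA reads, RMW writing both the original and modified value), replaying the posted routine. The class, its two flags and the assumption that PPU_STATUS reads 0 (as in the trace) are constructed for illustration; the single-write INC case stands in for a hypothetical emulator that skips the RMW dummy write.

```python
class PPU:
    def __init__(self, chr_writable=True, rmw_double_write=True):
        self.mem = bytearray(0x4000)   # pattern tables + nametables, zeroed
        self.v = self.t = self.w = 0   # VRAM address, temp address, write toggle
        self.latch = self.buf = 0      # I/O bus latch (open bus), $2007 read buffer
        self.chr_writable, self.rmw_double_write = chr_writable, rmw_double_write

    def write(self, reg, val):
        self.latch = val               # every register write refreshes the latch
        if reg == 0x2006:
            if self.w == 0:            # first write: high 6 bits go to T only
                self.t = (self.t & 0x00FF) | ((val & 0x3F) << 8)
            else:                      # second write: low byte, then T -> V
                self.v = self.t = (self.t & 0x7F00) | val
            self.w ^= 1
        elif reg == 0x2007:
            addr = self.v & 0x3FFF
            if addr >= 0x2000 or self.chr_writable:   # CHR ROM ignores writes
                self.mem[addr] = val
            self.v = (self.v + 1) & 0x7FFF            # PPU_CTRL=0: step of 1

    def read(self, reg):
        if reg == 0x2002:              # status bits assumed 0, as in the trace
            self.w, self.latch = 0, self.latch & 0x1F
        elif reg == 0x2007:            # return old buffer, refill from V, step V
            self.latch, self.buf = self.buf, self.mem[self.v & 0x3FFF]
            self.v = (self.v + 1) & 0x7FFF
        return self.latch              # write-only registers read back the latch

    def inc(self, reg):                # 6502 RMW: read, write old, write old+1
        old = self.read(reg)
        if self.rmw_double_write:
            self.write(reg, old)
        self.write(reg, (old + 1) & 0xFF)


def run_check(ppu):
    """Replay the posted routine; return (passed, V, T) after the second pair."""
    x, a = 0, 0xAA
    ppu.write(0x2000, x)               # STX PPU_CTRL
    ppu.write(0x2001, x)               # STX PPU_MASK
    ppu.read(0x2002)                   # LDA PPU_STATUS (resets the toggle)
    ppu.inc(0x2006)                    # INC PPU_ADDRESS -> V = $0001
    ppu.write(0x2006, x)               # STX: first write of the next pair
    ppu.write(0x2007, a)               # STA PPU_DATA -> $AA to $0001
    ppu.write(0x2006, x + 1)           # INX, STX: second write, V = $0001
    ppu.write(0x2006, a)               # STA: first write again, T = $2A01
    v, t = ppu.v, ppu.t
    ppu.read(0x2007)                   # LDX PPU_DATA primes the buffer
    return ppu.read(0x2007) == a, v, t # CMP PPU_DATA sees the byte at $0001
```

With writable CHR the check passes with V = $0001 and T = $2A01; with `chr_writable=False` it fails unless $AA is already present at $0001, and with `rmw_double_write=False` the address pair lands on $01AA and it also fails.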
tepples
Posts: 22705
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: List of games that use power-on state to seed RNG

Post by tepples »

This inc PPUADDR to reuse the PPU's I/O data bus value as a VRAM address is beautiful.

Even more dastardly would be inc PPUDATA to exploit the reported inability to write to video memory on consecutive M2 cycles.
gravelstudios
Posts: 159
Joined: Mon Mar 13, 2017 5:21 pm

Re: List of games that use power-on state to seed RNG

Post by gravelstudios »

rainwarrior wrote: Sun Dec 20, 2020 2:13 pm
We've discussed SRAM tendencies in the past here. I think some do seem to power-on all 0 or all 1, but I don't think you'd typically find those in a conventional NES (but possibly in clones). PowerPak and Everdrive also initialize large parts of RAM with their menus, though not to 0 or 1.

There are probably much better ways to try and detect an emulator, but honestly if your software is worth running whatever that test is will be defeated by a newer emulator (and/or a patch). Stuff like this tends to age pretty poorly, and I've seen several mildly embarrassing past attempts at things like that which turned out not to work correctly.
Since I'm writing a custom emulator for my game, I was thinking I could have the emulator write specific values to specific addresses in RAM at boot-up, then the game could check for those values and know whether it's running on MY emulator or not. I'm not sure, it could be useful.

Scope creep is so wonderful.
Dwedit
Posts: 4922
Joined: Fri Nov 19, 2004 7:35 pm

Re: List of games that use power-on state to seed RNG

Post by Dwedit »

Bregalad wrote: Sun Dec 20, 2020 3:11 pm YOU ARE USING AN EMULATOR...

EMULATION
MAY NEVER BE PERFECT...

IF YOU AGREE, PRESS START
It's better than "Piss off you all! No boy, no demo!" on a GBC demo. Granted, that demo did require extreme amounts of accuracy to function...
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
tepples
Posts: 22705
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: List of games that use power-on state to seed RNG

Post by tepples »

"NO BOY! NO DEMO!" comes from Demotronic by Megaboys. I've been told in the gbdev Discord server that its emulator detection is just whether or not wave RAM ($FF30-$FF3F) can be read while a note is playing on the wave channel. A Game Boy returns either $FF or the currently playing pair of nibbles (with exact timing depending on model and revision). I'm assuming it was added so that viewers using emulators of the time wouldn't assume the demo is broken, so as to give emulator developers a slap on the rear to fix the parts that affect the demo.
Fiskbit
Posts: 890
Joined: Sat Nov 18, 2017 9:15 pm

Re: List of games that use power-on state to seed RNG

Post by Fiskbit »

tepples wrote: Mon Dec 21, 2020 7:45 pm This inc PPUADDR to reuse the PPU's I/O data bus value as a VRAM address is beautiful.

Even more dastardly would be inc PPUDATA to exploit the reported inability to write to video memory on consecutive M2 cycles.
INC on $2007 is unfortunately not nearly as simple as just ignoring a write. I looked into this some earlier this year for both rendering and nonrendering cases and had wanted to produce a pass/fail test ROM for emulators, but results were not consistent enough for that. This isn't fresh on my mind anymore, but if I recall correctly, outside of rendering, INC on $2007 can perform 1 read and up to 3 writes. These are:

- Read value from the current address and increment address
- Then, write <address to address and increment address
- Then, write value+1 to address and to ((address & $FF00) | value) and increment address

I'd like to reiterate that these results are not consistent, and behavior during rendering is different (eg I think there were only 2 increments). I should probably do some more testing and write up results at some point.
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: List of games that use power-on state to seed RNG

Post by lidnariq »

And testing the same thing in visual2c02 doesn't clarify anything, because there there's no collision between ALE and /WR and it just writes the later value twice.
(i.e. R 7 / W 7 11 / W 7 22 writes $22 to both locations 1 and 2)

(this was my 9999th post by the counter on the side, or my 9996th post by sr=posts&author_id=3512 ?)