Toad Houses Disassembled

Programming stuff

Saturday, October 17. 2009

Posted by sp in NES

Comments (11)
Trackbacks (0)
142125 hits

Toad Houses Disassembled

To waste some time today I played some Super Mario Bros 3 on my Wii. I only made it trough three levels before I reached the first Toad House. Upon receiving the item from Toad I decided to investigate something I've wanted to know for, I don't know, maybe 15 years. How exactly does the game decide what item you receive? I remember as a child that people playing Super Mario Bros 3 did the weirdest stuff in Toad Houses to improve their item karma. Running around, doing weird jumps, whatever.

Anyway, I really wanted to know when the game decides what item you receive and how it decides that. Does the game already know what item you receive as soon as you enter the Toad House? Are the items placed in the boxes when you enter the Toad House? Does it do any other weird stuff?

Thanks to FCEUX and IDA Pro it did not take long to figure out what's going on. Here is the relevant code:

ROM:D19B                 LDX     byte_3EB
ROM:D19E                 DEX
ROM:D19F                 CPX     #5
ROM:D1A1                 BMI     loc_D1B1
ROM:D1A3                 LDA     byte_782
ROM:D1A6                 AND     #$F
ROM:D1A8                 TAY
ROM:D1A9                 LDA     RandomNess,Y
ROM:D1AC                 CLC
ROM:D1AD                 ADC     ToadHouseIndex,X
ROM:D1B0                 TAX
ROM:D1B1
ROM:D1B1 loc_D1B1:                               ; CODE XREF: ROM:D1A1
ROM:D1B1                 LDA     ItemArray,X
ROM:D1B4                 TAX
ROM:D1B5                 INX
ROM:D1B6                 RTS

Where the three arrays referenced in the code are

ROM:D13B ItemArray:      .BYTE  $C               ; DATA XREF: ROM:loc_D1B1
ROM:D13C                 .BYTE   8
ROM:D13D                 .BYTE   4
ROM:D13E                 .BYTE   5
ROM:D13F                 .BYTE   6
ROM:D140                 .BYTE   4
ROM:D141                 .BYTE   5
ROM:D142                 .BYTE   6
ROM:D143                 .BYTE   1
ROM:D144                 .BYTE   2
ROM:D145                 .BYTE   3
ROM:D146                 .BYTE   4
ROM:D147                 .BYTE   2
ROM:D148                 .BYTE   3
ROM:D149                 .BYTE   5
ROM:D14A ToadHouseIndex: .BYTE   2               ; DATA XREF: ROM:D1AD
ROM:D14B                 .BYTE   3
ROM:D14C                 .BYTE  $A
ROM:D14D                 .BYTE  $A
ROM:D14E                 .BYTE  $A
ROM:D14F                 .BYTE   5
ROM:D150                 .BYTE   8
ROM:D151                 .BYTE  $B
ROM:D152                 .BYTE  $E
ROM:D153                 .BYTE $11
ROM:D154 RandomNess:     .BYTE   0               ; DATA XREF: ROM:D1A9
ROM:D155                 .BYTE   1
ROM:D156                 .BYTE   2
ROM:D157                 .BYTE   0
ROM:D158                 .BYTE   1
ROM:D159                 .BYTE   2
ROM:D15A                 .BYTE   0
ROM:D15B                 .BYTE   1
ROM:D15C                 .BYTE   2
ROM:D15D                 .BYTE   0
ROM:D15E                 .BYTE   1
ROM:D15F                 .BYTE   2
ROM:D160                 .BYTE   0
ROM:D161                 .BYTE   1
ROM:D162                 .BYTE   2
ROM:D163                 .BYTE   0

Here's a pseudo-disassembly of the code:

if toadhouse_index < 6:
    item_index = toadhouse_index
else:
    randomness = PRNG[$782] % 0x03
    item_index = toadhouse_index + randomness
    
item = item_array[item_index]

So yeah, basically what happens is this. Depending on what Toad House you are in you receive different items. If the identifier of the Toad House you are in is between 1 and 5 you will always receive the same item (like the Frog Suit, no matter what box you pick, in the first Toad House of World 3). Toad Houses with higher IDs offer three random items. What item you receive is determined only after you open a box. So, in fact only the box you open is filled. The other two boxes are never touched. They are total smoke screens whose only purpose is to fool the player into believing he actually takes part in the decision what item to receive.

The RandomNess array basically simulates a module operation on the pseudo-randomly generated input value to cut down the random value to something between 0 and 2 (for the three boxes).

ItemIndex is actually longer than indicated in the disassembly above. It goes down until (and including) the three 0x0A values in ToadHouseIndex. The real ToadHouseIndex starts only after the three 0x0A values because Toad House IDs less than six are not used to index into the ToadHouseIndex array.

The ItemArray contains identifiers of the items you can receive in a Toad House. The first five values are for Toad Houses where only one item can be found. The other parts of the array form triples (starting at indices 0x05, 0x08, 0x0B, 0x0E, and 0x11 as seen in ToadHouseIndex) that define what items you can find in what Toad House. The exact meaning of the items can be found in the Data Crystal Wiki.

So yeah, all mysteries solved. You open a box in the Toad House and the game randomly gives you one of the available items for that Toad House.

To finish this post, here's what the pseudo-random generator looks like:

ROM:997D ; =============== S U B R O U T I N E =======================================
ROM:997D
ROM:997D
ROM:997D sub_997D:                               ; CODE XREF: sub_B502+52
ROM:997D                 LDX     #0
ROM:997F                 LDY     #9
ROM:9981                 LDA     RandomNess
ROM:9984                 AND     #2
ROM:9986                 STA     byte_0
ROM:9988                 LDA     byte_782
ROM:998B                 AND     #2
ROM:998D                 EOR     byte_0
ROM:998F                 CLC
ROM:9990                 BEQ     loc_9993
ROM:9992                 SEC
ROM:9993
ROM:9993 loc_9993:                               ; CODE XREF: sub_997D+13
ROM:9993                                         ; sub_997D+1B
ROM:9993                 ROR     RandomNess,X
ROM:9996                 INX
ROM:9997                 DEY
ROM:9998                 BNE     loc_9993
ROM:999A                 RTS
ROM:999A ; End of function sub_997D
ROM:999A
ROM:999A ; ---------------------------------------------------------------------------

In pseudo-disassembled code:

if (RandomNess[0] & 0x02) ^ (RandomNess[1] & 0x02) == 0:
    CF = 0
else:
    CF = 1

for i := 0 to 8:
    CF_TEMP = RandomNess[i] & 0x01
    RamdonNess[i] = (RandomNess[i] ROR 1) | (CF << 7)
    CF = CF_TEMP

 Basically you have a 72 bits array that is originally seeded (at another place in code) with {0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} and then regularly re-calculated (probably on each NES interrupt) to continuously change all values of the buffer. This is a bit difficult to describe in Pseudo-Code as the Carry Flag plays a very important role in the algorithm.

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

And here I thought I had a system ;-) Thanks for the explanation.
#1 Jim (Homepage) on 2009-10-17 20:34 (Reply)
interesting read!

also, in other games, i remember myself jumping around to gain PRNG karma :-D
#2 x1lef on 2009-10-19 12:55 (Reply)
Cool post ;-) I was always curious to disassemble old games and see how they work, but never got to do it.
#3 lallous on 2009-10-19 16:52 (Reply)
Interesting read, thanks.
#4 brandon on 2009-10-23 23:27 (Reply)
Lol, I love those existential questions that come out of nowhere, but once you've got them in mind, you can't do nothing but (trying to) find the answer!
#5 Julien C. (Homepage) on 2009-11-12 11:54 (Reply)
I was always wondering about that, thanks for enlightening me :-)

Could you also go check Tetris PRG for giving a fair share of 1x4 bricks? Thanks in advance :-)

Jan

PS: is your trackback-url broken?
#6 Jan Gampe (Homepage) on 2009-11-21 21:19 (Reply)
Hi Jan,

the tetris thing is a pretty good idea. I might really look into that.

As for the trackback URL. Yeah, probably. I disabled trackbacks long ago because of trackback spam.
#6.1 sp on 2009-11-21 21:24 (Reply)
This is great. As I read your post many games showed up that you want to reverse.
#7 Chris (Homepage) on 2009-11-25 00:14 (Reply)
I remember looking at the prng a while back and figuring out that the highest byte (it's highest bit iirc) determined if you went into a hand trap as well. I wish I still had the GG code I made to manipulate that to see if this was affected...hmm.
#8 AWal on 2010-01-02 21:12 (Reply)
Curious, how did you go about finding the Toad House code in IDA/FCEUX?
#9 odie5533 (Homepage) on 2010-05-25 07:03 (Reply)
I can't remember the specifics but I am pretty sure it involved taking memory snapshots from before and after receiving an item. Then I compared the snapshots and worked my way back from what changed.
#9.1 sp on 2010-12-27 18:47 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
 
Submitted comments will be subject to moderation before being displayed.
 

Frontpage - Top level

Calendar

Back June '20
Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

Quicksearch

Archives

Contact

142691645
AIM StatusRiijngoud
LambdaCube
sporst

Links

Top Exits

www.the-interweb.com (219)
en.wikipedia.org (111)
www.slideshare.net (63)
www.amazon.com (60)
the-interweb.com (57)
github.com (36)
www.offensive-security.com (27)
www.zynamics.com (22)
nostarch.com (20)
www.s9y.org (19)

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog

Categories



All categories