In this edition:
- Ecco the Dolphin: Defender of the Future has some previously unrecognized cheat features that activate based on what you name your save file.
- Using Ghidra and Python, I reverse-engineered the encoding scheme to reveal the special names.
- One of them has been known for ages, but I found the rest! They unlock features like “immortality” and debug display.
Yes, we’re doing a Dreamcast game! Here’s the list of special names and effects:
1. Go to the VMU Menu > New game > Enter your initials screen.
2. Enter one of these sequences, making sure not to end after 3 letters.
   GYUGYU+XXX  : Unlock all levels
   SOCCER+XXX  : Unlock bonus stage*
   EXBBERX+XXX : Immortality mode*
   QQRIQ+XXX   : Show FPS*
   XYZZYX+XXX  : Show time*
   POPELY+XXX  : Nothing?
Intro
Ecco the Dolphin: Defender of the Future is the last officially released Ecco game (a later one was canceled). It has one known cheat:
- Go to the VMU screen and choose New Game.
- Enter your initials as GYU, but don’t press End.
- Type in GYU again, then any three letters (GYU GYU XXX works).
- Press X to leave the menu. When you go to “Load game,” all stages will be available to play.
So, is that the only special name? Did the developers put in this functionality for one cheat? I decided to investigate…
Analysis with Ghidra
By analyzing a memory snapshot from the flycast emulator, I found that the buffer at 8cfffb34 holds the visible portion of the initials you type in. But if you keep typing, the characters you put in before get pushed into the buffer at 8c3abf18.
After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is in a list of six special ones. GYU GYU XXX transforms into 9388D627, which is the first special value in the list:
Ghidra’s decompilation of the transformation function is pretty good. Here it is with my variable names added:
At a high level, it:
- Reads in a passphrase.
- Uses the passphrase to decrypt a 1024 byte key.
- Computes a hash of the input buffer that uses the key.
- Re-encrypts the key.
Since it’s a hash, it’s a one-way function; you can’t determine the inputs that produce the special values by inspection. So we’ll have to use…
Brute force with Python
GYU GYU is only six characters. There are 26^6 = 308,915,776 possible six-character values. It’s feasible to hash all of them and check whether they produce any of the special values.
There are 8 billion seven-character values, which is also reachable. There are 208 billion eight-character values, which is pushing it on my laptop. But let’s try it!
I replicated the hashing code in Python as follows:
- Copy the blocks of memory that hold the uninitialized input buffer, passphrase, and key.
- Decrypt the key with the passphrase.
- Loop over every sequence of 1, 2, 3… 8 characters and put them into the input buffer.
- Compute the hash for the given input.
- Compare the hash to the targets.
The full code is here.
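As an added illustration (not the article’s code, which is linked above), here is the shape of that search loop in Python. The game’s real transform, with its passphrase-decrypted 1024-byte key, is not reproduced on this page, so stand_in_hash below is a placeholder FNV-1a style 32-bit hash that only demonstrates the enumeration and matching; the target values are constructed from the placeholder rather than taken from the game.

```python
import itertools
import string
from typing import Callable, Dict, Iterator, List, Tuple

# The initials screen only offers the letters A-Z, so that is the whole alphabet.
ALPHABET = string.ascii_uppercase


def stand_in_hash(name: bytes) -> int:
    """Placeholder 32-bit hash (FNV-1a constants). Assumption: this is NOT the game's
    key-based transform, it just stands in for it so the search loop can run."""
    h = 0x811C9DC5
    for b in name:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def candidates(max_len: int) -> Iterator[bytes]:
    """Yield every A-Z string of length 1..max_len, shortest first.
    Length n contributes 26**n candidates (26**6 = 308,915,776 for six letters)."""
    for n in range(1, max_len + 1):
        for letters in itertools.product(ALPHABET, repeat=n):
            yield "".join(letters).encode("ascii")


def search(targets: List[int], max_len: int,
           hash_fn: Callable[[bytes], int] = stand_in_hash) -> List[Tuple[str, int, int]]:
    """Return (name, hash, target_index) for every candidate whose hash is a target.

    A dict from hash value to target index makes each comparison O(1) regardless of
    how many targets there are. Every match is kept rather than stopping at the first,
    because the mapping is many-to-one: several names can land on the same target."""
    lookup: Dict[int, int] = {t: i for i, t in enumerate(targets)}
    hits: List[Tuple[str, int, int]] = []
    for name in candidates(max_len):
        h = hash_fn(name)
        idx = lookup.get(h)
        if idx is not None:
            hits.append((name.decode("ascii"), h, idx))
    return hits


if __name__ == "__main__":
    # Constructed targets: hash two known names with the placeholder so the demo
    # has something to find within a small length bound.
    demo_targets = [stand_in_hash(b"GYU"), stand_in_hash(b"ZZ")]
    for name, h, idx in search(demo_targets, max_len=3):
        print(f"{name:<8} {h:08x} {idx}")
```

For the real search you would replace stand_in_hash with the ported transform (key decrypted once, before the loop) and put the six values the function compares against into targets; the output then has the same three columns as the table in the article, and keeping every hit is what exposes the duplicate names for one target.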
I started writing a parallel version of this, but by the time I had it running, the single threaded version had already emitted everything I needed. Here’s the output:
NNSET 5b47c23b 1
QQRIQ 6ed996ae 3
GYUGYU 9388d627 0
POPELY 4a78edbb 5
SOCCER 5b47c23b 1
XYZZYX 89367cea 4
ADEMVSSF 5b47c23b 1
ADQUROPK 89367cea 4
AEAPWNVO 6ed996ae 3
AFTJSXOT 9388d627 0
EXBBERX 2d1ef68d 2
The last column is which special value the input matched. You can see that the mapping is not unique: NNSET, SOCCER, and ADEMVSSF will all unlock the bonus soccer game (see below). AFTJSXOT works as well as GYUGYU for unlocking all stages.
The effects
Enter your initials as SOCCER+XXX to unlock the Bonus Game, in which you play underwater soccer. This sets the 0x2 bit on the flags at 8c3ac00c.
EXBBERX+XXX makes Immortality Enabled show up on the Options screen. As you might guess, you can’t drown or die when this cheat is in effect. This sets the 0x400 bit on the flags at 8c3abe48 and the 0x4 bit on the flags at 8c3abb00.
QQRIQ+XXX will show the game’s frame rate, plus some other debugging values. XYZZYX+XXX will show the current clock value. These change the values at addresses 8c35659c and 8c3565a4.
There’s one more password: POPELY+XXX. I don’t know what it does! I suspect that the answer is “nothing” and that it was meant to activate the flag at 8c3b0e44. This causes a Cheats Enabled message to appear, but doesn’t seem to have any other effect:
Outro
For another look at an Appaloosa Interactive game’s encoding scheme, see my article on Three Dirty Dwarves.
I’ve got lots of other articles on finding previously unknown cheat codes — see my archive here.
This article is syndicated from Rings of Saturn, Bo’s reverse engineering blog. Yes, the Dreamcast is one of Saturn’s rings.