Under the Microscope: Ecco the Dolphin — Defender of the Future

In this edition:

  • Ecco the Dolphin: Defender of the Future has some previously unrecognized cheat features that activate based on what you name your save file.
  • Using Ghidra and Python, I reverse-engineered the encoding scheme to reveal the special names.
  • One of them has been known for ages, but I found the rest! They unlock features like “immortality” and debug display.

Yes, we’re doing a Dreamcast game! Here’s the list of special names and effects:

1. Go to the VMU Menu > New game > Enter your initials screen.
2. Enter one of these sequences, making sure not to end after 3 letters.

GYUGYU+XXX : Unlock all levels
SOCCER+XXX : Unlock bonus stage*
EXBBERX+XXX: Immortality mode*
QQRIQ+XXX  : Show FPS*
XYZZYX+XXX : Show time*
POPELY+XXX : Nothing?

Intro

Ecco the Dolphin: Defender of the Future is the last officially released Ecco game (a later one was canceled). It has one known cheat:

  • Go to the VMU screen and choose New Game.
  • Enter your initials as GYU, but don’t press End.
  • Type in GYU again, then any three letters (GYU GYU XXX works).
  • Press X to leave the menu. When you go to “Load game,” all stages will be available to play.

So, is that the only special name? Did the developers put in this functionality for one cheat? I decided to investigate…


Analysis with Ghidra

By analyzing a memory snapshot from the flycast emulator, I found that the buffer at 8cfffb34 holds the visible portion of the initials you type in. If you keep typing, the characters you entered earlier get pushed into the buffer at 8c3abf18.

After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is in a list of six special values.

GYU GYU XXX transforms into 9388D627, which is the first special value in the list.

Ghidra’s decompilation of the transformation function is pretty good. Here it is with my variable names added:

At a high level, it:

  • Reads in a passphrase.
  • Uses the passphrase to decrypt a 1024 byte key.
  • Computes a hash of the input buffer that uses the key.
  • Re-encrypts the key.

Since it’s a hash, it’s a one-way function; you can’t determine the inputs that produce the special values by inspection. So we’ll have to use…


Brute force with Python

GYU GYU is only six characters. There are 26^6 = 308,915,776 possible six-character values. It’s feasible to hash all of them and check whether they produce any of the special values.

There are 8 billion seven-character values, which is also reachable. There are 208 billion eight-character values, which is pushing it on my laptop. But let’s try it!

I replicated the hashing code in Python as follows:

  • Copy the blocks of memory that hold the uninitialized input buffer, passphrase, and key.
  • Decrypt the key with the passphrase.
  • Loop over every sequence of 1, 2, 3… 8 characters and put them into the input buffer.
  • Compute the hash for the given input.
  • Compare the hash to the targets.

The full code is here.

I started writing a parallel version of this, but by the time I had it running, the single-threaded version had already emitted everything I needed. Here’s the output:

NNSET 5b47c23b 1
QQRIQ 6ed996ae 3
GYUGYU 9388d627 0
POPELY 4a78edbb 5
SOCCER 5b47c23b 1
XYZZYX 89367cea 4
ADEMVSSF 5b47c23b 1
ADQUROPK 89367cea 4
AEAPWNVO 6ed996ae 3
AFTJSXOT 9388d627 0
EXBBERX 2d1ef68d 2

The last column is which special value the input matched. You can see that the mapping is not unique: NNSET, SOCCER, and ADEMVSSF will all unlock the bonus soccer game (see below). AFTJSXOT works as well as GYUGYU for unlocking all stages.
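
The search procedure above, sketched as an added example (this is not the author’s script, which is only linked). The passphrase, key bytes, buffer template, XOR decryption and rotate/XOR hash are all constructed stand-ins, because the game’s real routine and memory contents are not reproduced on this page; only the structure of the search and the output format follow the article.

```python
import itertools
import string
import struct

# Constructed stand-ins for the three memory blocks the article copies out of
# the snapshot; the game's real bytes and hash routine are not on this page.
PASSPHRASE = b"constructed-passphrase"
ENCRYPTED_KEY = bytes((i * 37 + 11) & 0xFF for i in range(1024))
INPUT_TEMPLATE = bytes(range(0xA0, 0xB0))  # 16-byte "uninitialized" buffer


def decrypt_key(encrypted, passphrase):
    """Stand-in decryption (repeating-key XOR) -> 256 little-endian words."""
    plain = bytes(b ^ passphrase[i % len(passphrase)]
                  for i, b in enumerate(encrypted))
    return struct.unpack("<256I", plain)


def keyed_hash(buf, table):
    """Stand-in 32-bit keyed hash: rotate left 5, XOR a key-table word."""
    h = 0xFFFFFFFF
    for i, byte in enumerate(buf):
        h = ((h << 5) | (h >> 27)) & 0xFFFFFFFF
        h ^= table[(byte + i) & 0xFF]
    return h


def hash_name(name, table):
    """Overlay the typed letters on the buffer template, then hash it all."""
    raw = name.encode("ascii")
    return keyed_hash(raw + INPUT_TEMPLATE[len(raw):], table)


def search(targets, table, max_len):
    """Yield (name, hash, target_index) for every A-Z name up to max_len."""
    index = {value: i for i, value in enumerate(targets)}
    for length in range(1, max_len + 1):
        for letters in itertools.product(string.ascii_uppercase, repeat=length):
            name = "".join(letters)
            h = hash_name(name, table)
            if h in index:
                yield name, h, index[h]


if __name__ == "__main__":
    table = decrypt_key(ENCRYPTED_KEY, PASSPHRASE)
    # Constructed targets: hashes of two short names, so the demo finishes fast.
    targets = [hash_name("ECC", table), hash_name("GYU", table)]
    for name, h, which in search(targets, table, max_len=3):
        print(f"{name} {h:08x} {which}")
```

Any other name that happens to hash to a target is reported with the same index, which is how the extra matches in the output above appear.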


The effects

Enter your initials as SOCCER+XXX to unlock the Bonus Game, in which you play underwater soccer. This sets the 0x2 bit on the flags at 8c3ac00c.

EXBBERX+XXX makes Immortality Enabled show up on the Options screen. As you might guess, you can’t drown or die when this cheat is in effect. This sets the 0x400 bit on the flags at 8c3abe48 and the 0x4 bit on the flags at 8c3abb00.

QQRIQ+XXX will show the game’s frame rate, plus some other debugging values. XYZZYX+XXX will show the current clock value. These change the values at addresses 8c35659c and 8c3565a4.

Both debug info flags applied

There’s one more password: POPELY+XXX. I don’t know what it does! I suspect that the answer is “nothing” and that it was meant to activate the flag at 8c3b0e44. This causes a Cheats Enabled message to appear, but doesn’t seem to have any other effect:

You can make this appear, but I don’t think it does anything

Outro

For another look at an Appaloosa Interactive game’s encoding scheme, see my article on Three Dirty Dwarves.

I’ve got lots of other articles on finding previously unknown cheat codes — see my archive here.

This article is syndicated from Rings of Saturn, Bo’s reverse engineering blog. Yes, the Dreamcast is one of Saturn’s rings.
