(The decoded ints in the post are the constants in this CRC32).
Knowing it's a CRC32 and knowing the polynomial allows inverting the answers in log time instead of exponential time by exploiting the modular math of the polynomial rings.
byteknight 56 days ago [-]
I know some of these words!
Thaxll 56 days ago [-]
It means that using bruteforce to find all the values would be much faster.
dankwizard 56 days ago [-]
But OP did Brute Force?
Crestwave 56 days ago [-]
Yes, but more slowly. According to the GP, with the knowledge provided, it can be brute-forced in O(log n) time instead of O(n^2).
Jaxan 56 days ago [-]
Is it then still considered brute force?
Sarkie 55 days ago [-]
Brutey force
bbayles 56 days ago [-]
Thanks! I didn't clock that - should have looked at the decrypted values!
TheAdamist 56 days ago [-]
Binwalk claims to recognize crc polynomial tables i wonder if it could find this one.
Also someone needs to integrate binwalk & ghidra, they synergize too much.
SideQuark 55 days ago [-]
Binwalk wouldn't find it. The constants were xored with a value so they wouldn't show up in the binary
mirthflat83 56 days ago [-]
Do you have any tips on knowing how the value is a result of CRC32 and/or the polynomial/initial value used?
SideQuark 56 days ago [-]
In this example, the "encrypted data" is xored with the key 4 bytes at a time. The first 4 bytes in the data are the same as the key. For the next 4 and you get the constant I posted above. Plug into Google, find where it is often found, decide rest of table, see it matches.
I've learned programmers either invent their own hashes, random number generators, and crypto, in which case I usually break them, or they reuse existing algos, in which any code constants are searchable.
Plus I've written and reversed enough of all that I recognized the loop as a CRC polynomial remainder loop.
All Crc-n algos are trivially crackable/reversible/collideable. They're a remainder on division of polynomials (learn the math on how they work), so use the polynomial equivalent of extended euclidean algo and you get one answer. Now all sufficient multiples of that mod class give all possible answers, one at a time.
That should give you plenty to chase through
93po 55 days ago [-]
Is it possible to learn this power?
SideQuark 55 days ago [-]
No. It is not possible. I am a Highlander
15155 56 days ago [-]
Looking in the binary for the polynomial and knowing what the common ones are from experience is an easy way.
Normally, the polynomial is going to be found right next to a loop that is ingesting bytes incrementally.
SideQuark 50 days ago [-]
The polynomial is not present in the binary. The table was obfuscated so this approach will not work here (and it's pretty common to do this specifically to stop such a simply look at the bytes in a binary).
qingcharles 56 days ago [-]
When the original Ecco came out on the Megadrive (Genesis), I spent all my hard-earned money to buy it. That game is obscenely hard. I got frustrated, so I sat down for the afternoon with a pen and paper and somehow managed to decode the password system. I teleported to the final level and completed it the next day.
Then I was wracked with guilt about spending all my money on a game I completed in two days.
coldpie 56 days ago [-]
> I sat down for the afternoon with a pen and paper and somehow managed to decode the password system
Would love to hear more about this, if you have any recollection :)
qingcharles 55 days ago [-]
I'd love to know how I did it. There must have been a certain element of luck. I actually found the decompiled routine for the password code a couple of years ago and, IIRC, it was surprisingly more sophisticated than my teenage brain would have suspected.
Philosophically, I would argue that you did not complete the game.
You skipped several levels and saw only some percentage of the intended content, gameplay, story, etc. Games in general, and Ecco the Dolphin is no exception, are very much about the journey and not just the destination. You missed out on themes & experiences like isolation, making friends with those outside of your in-group, conservation, time travel, communing with dinosaurs and, of course, space travel.
So, you really shouldn't have felt so guilty.
schrectacular 56 days ago [-]
I wonder if this will make him feel guilty for feeling guilty
danparsonson 56 days ago [-]
And maybe @dfxm12 will feel guilty about that - it's gonna be a tough for everyone
qingcharles 55 days ago [-]
:(
nextlevelwizard 56 days ago [-]
There are plenty of people who would argue that getting to end credits means beating the game.
You can however say that skipping levels also skips the story, so they did not finish the story.
OP didn't say they "beat" the game. If you want to argue that, it's a different discussion.
snowram 56 days ago [-]
Does that mean that taking warp zones in Mario doesn't count as beating the game?
smolder 55 days ago [-]
IMO it depends, did you find the warp zones yourself or were you told about them? They're hidden. Finding them by luck doesn't feel like cheating to me, but getting outside knowledge to bypass big parts of the game kind of does.
colechristensen 55 days ago [-]
In speedrunning circles there are categories like 100%, any% (get to the end in any way), minimum percent (get to the end doing the least possible), glitchless, no major glitches, etc.
People have different interests and finish in their own way.
If you’re really into a game you’re missing out if you don’t try to beat it in different ways.
If you’re really into one particular way you’re really kind of being a bad sport if you insist others enjoy a game in your preferred way.
hombre_fatal 56 days ago [-]
Not in this context.
If you told me you beat Mario on NES but you didn't even play 24 out of the 32 levels, and you never beat them otherwise, I don't think I'd give you the same credit as someone who beat each level.
This is why Any% speedruns (get to end credits any way possible) are their own category.
VyseofArcadia 56 days ago [-]
What a final level, though! Having skipped a large chunk of the game, were you surprised by it?
qingcharles 55 days ago [-]
LOL. I can't remember my reaction at the time. I'd only played through the first few "normal" levels before I got frustrated with the difficulty. I'm sure I was very confused :D
7bit 56 days ago [-]
You must be the only Person in the world that Beat this Game, cheating or otherwise.
Usually, speedruns aren't actually faster than the TAS, unless the speedrun used some new technique was developed after the TAS was made. Normally the biggest different is that TASes and regular speedruns use different methods of timing.
TASes are pretty much always measured from power on to last button input required to trigger the credits. With normal speedrun, timing various from game to game, but a common method is timing from selecting new game to the last hit on the final boss. So games with long openings or with interactive post-final boss sequences that have to be played before the credits start would have inflated times on the TAS.
The TAS counts about an extra 15 seconds before the game starts. The TAS reaches the point the speed run stops counting at 18:52, and continues to play out the ending. So the TAS would be measured as about 18:37 using speed run timing, so the speed run is still genuinely faster than the TAS, but less than the official numbers indicate.
It seems like the speed run uses a glitch that the TAS deliberately avoided. From the TAS description:
> At the same time, a major new glitch allowing Ecco to go through nearly any wall was not used because the frequency of its use would make the run very repetitive.
ziddoap 56 days ago [-]
>which is actually faster than the 20:44 TAS!
I had no idea what this was.
For people like me, after clicking through the link and some googling:
TAS = "Tool-assisted speedrun" or "tool-assisted superplay", and they are "generally created with the goal of creating theoretically perfect playthroughs".
That any% run was fun to skim through though. I had no idea what was happening.
nextlevelwizard 56 days ago [-]
Is that just because no one cares to create a TAS for the game? I don't know anyway a RTA would be faster than TAS other than no good TAS exists.
dezgeg 55 days ago [-]
Usually the timing rules aren't the same for TAS and RTA, as TAS timing always starts at console power-on while RTA usually when 'new game' is selected from the menu.
nextlevelwizard 55 days ago [-]
You mean "usually" in sense that for this game in particular or "usually" as in "most of the time regardless of the game"? Because I have never heard about TAS being timed differently than RTA in any other game, that doesn't even make any sense. Game is the same, why would you time TAS from different point than RTA?
Whole point of a TAS is to show what "perfect" speed run would look like.
dezgeg 55 days ago [-]
Usually as in "most of the time regardless of the game", yes.
I’d say more like the TAS is outdated, a person can discover something new that the person doing the TAS didn’t.
nextlevelwizard 55 days ago [-]
Both are a decade old. Looks to be posted within weeks of each other. If this is the best TAS there is for the game, it means that no one cares about the TAS.
praptak 56 days ago [-]
QQRIQ is a phonetic abbreviation of "kukuriku", which is the sound of the rooster in Hungarian and in several other languages (Polish "kukuryku", Hebrew " קוקוריקו" etc.). Makes wonder what the process for choosing the passwords was.
mtlebe 56 days ago [-]
Also Gyugyu might be a reference to the Hungarian movie: "The Fifth Seal"
"Just imagine you are about to die, but you will be reincarnated in to one of two people; a slave or the rich master. The slave suffers under the master. He has his tongue and an eye removed and his wife and child are killed. He goes on living knowing he is a good person, as he never committed such appalling, sadistic acts on another like his master has done. The rich master has no moral qualms about it at all. He doesn't think what he did was wrong; the slave needed to be punished. You have the choice, whether to be a poor and righteous slave or be a rich and corrupt master."
Maybe, but this game was developer by a Hungarian team.
bbayles 56 days ago [-]
The programmers for this game were in Budapest, so this is a good guess!
praptak 56 days ago [-]
I didn't know that. The QQRIQ jumped out at me because of my Polish background, so I googled it and found it's international.
black-adder 55 days ago [-]
Popely with a Hungarian "ly" was a giveaway too
jylam 56 days ago [-]
Cocorico in french, very close :)
rzzzt 56 days ago [-]
Kikeriki in German!
luismedel 56 days ago [-]
Very similar to "kikiriki" in Spanish.
matsemann 56 days ago [-]
Wonder why some went for an o-sound and others an i-sound. To make matters worse it's kykeliky in Norwegian, so both y, e, i.
haltcatchfire 56 days ago [-]
…and kukeliku in Swedish, neighbour
rolandog 55 days ago [-]
I wonder if Americans are getting blocked for typing their onomatopoeia.
rzzzt 54 days ago [-]
It appears further down in a sibling thread.
Y_Y 56 days ago [-]
See also: the town of Kakariko in Zelda which always has chickens
danparsonson 56 days ago [-]
Wow I had no idea that was the origin of that name
56 days ago [-]
56 days ago [-]
bt1a 56 days ago [-]
could it be that the rooster/cockadoodledoo is something performed like clockwork in the morning, so the showing framedata also being tangential to time and clocks ? probably not
Liquix 56 days ago [-]
an interesting aside: when asked about his inspirations Ecco's developer Ed Annunziata said, "No, I never took LSD, but I did read a lot from John C. Lilly". Lilly is known for his pioneering work in the fields of animal intelligence, ketamine psychotherapy, isolation tanks, and consciousness exploration.
The name "Ecco" is a reference to Lilly's ECCO (Earth Coincidence Control Office), a supernatural/extraterrestrial base which John posited existed on the other side of the moon to coordinate all earthly "coincidences". He was also one of the first to recognize how intelligent dolphins were and became obsessed with figuring out how to communicate with them, going as far as flooding half of his house in the Carribeans to cohabitate. This is just the tip of the iceberg. I'd highly recommend his autobiography The Center of the Cyclone if any of this is intriguing, he's a fascinating guy
VyseofArcadia 56 days ago [-]
Great read!
Do you have any resources on getting started with Dreamcast game reverse engineering? I've been wanting to do some things with Skies of Arcadia, and I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".
coldpie 56 days ago [-]
> I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".
FWIW this is pretty much the standard method for locating value locations in RAM. It actually works pretty well. Some emulators have tools built in for that, like Dolphin for example. Even old game hacking tools like the Gameshark for N64 used the technique, with an on-console UI. I don't know if any Dreamcast emulators have tools for it or not.
> Some emulators have tools built in for that, like Dolphin for example.
This was an advertised feature of some DS flashcarts back in the day, too. I can't remember if it was the R4, the DSTwo, or what...but I recall an example video for their "Make your own cheats!" feature, which involved playing something like Super Mario Bros, turning on the "Cheats Finder" feature, then grabbing a coin, and maybe doing it a few times. The manager would then figure out the value that's changing in memory (presumably the sector that stores your coin amount), create the "cheat", and then you would enable it and watch your coin value go up.
jasomill 56 days ago [-]
Incidentally, Skies of Arcadia Legends on Dolphin is fantastic:
And old skool 'trainer' tools on PC. Someone more familiar that myself could give better information but I remember trying them out in the early 2000s and remarking how they reminded me of GameShark for PC
bbayles 56 days ago [-]
I've poked around a bit with that game! The main trick is to import the memory snapshot (various ways of dumping it to a file; people like Cheat Engine for this) into Ghidra.
Ghidra can analyze the SuperH processor machine code natively, so the auto analysis will turn up lots of functions.
mytaterskin 56 days ago [-]
I've taken to older games a lot more in recent years, they feel like they have a lot more soul if that makes any sense. Also sorry about your car! Not going to leave it idling in the driveway anymore, thanks for the warning.
bbkane 56 days ago [-]
Are you sure you don't miss modern features like mandatory network connectivity and micro transactions?
djmips 56 days ago [-]
What happened to their car? I didn't see anything about that in the post or comments.
heisenburgzero 56 days ago [-]
I always wondered where to start learning reverse-engineering. Most people will say learn Assembly first. But from there on, there seems to be not much more concrete information online.
Do people just figured it out by trial & error like common patterns in x86 / arm / arcade platforms slowly?
I can't really find much discussion on details online.
djmips 56 days ago [-]
It's like debugging.. I'm sure you must have worked on an unfamiliar code base at some point and had to figure it out. Instead of having the source you have the binary and using tools like Ghidra you can start to piece together the source but you'll still need to reason over it the very same way you did on that unfamiliar codebase and this time there's no comments at all ( which isn't uncommon in a lot of source available projects mind you )
So you're probably already half way there. Being familiar with assembly code helps of course.
I personally learned a lot by messing in Cheat Engine, it is way more capable than I thought, specially because I mostly used it as a kid and never looked back.
It is a great tool to get started with assembly in my opinion because the disassembler is good enough and you can write what they call 'assembly scripts' which provides the foundation on doing memory patches in x86 asm. Then from that you can start writing your own utils to patch the games at your own will.
You can do crazy cheats by patching the game just with Cheat Engine!
bbayles 56 days ago [-]
I knew some from school, but stepping through a debugger with a video game that I remembered from childhood was a better education on computer engineering than anything I got in class.
skibz 56 days ago [-]
I'd love to see footage of the underwater soccer cheat in action.
fanoto 56 days ago [-]
Nice! Interesting how similar games seem to do this, checksumming to fixed integers. Pitfall: The Lost Expedition did something very similar by converting button presses into ASCII-represented strings of the input buttons that were then CRC-ed. The approach was similar to just brute-force in Python and compare to the extracted cheat hashes.
I even spy your CRC32 table hidden in the `decrypted_ints` . The pre-generated tables are so easily searchable. It leaves me curious why they are so often found obfuscated in attempt to make it more difficult compared to generating a new one with your own polynomial.
Kon-Peki 56 days ago [-]
Wow, a blog that focuses on the Sega Saturn!
Not too long ago, I found a Saturn in a closet at my parent’s house, along with a small handful of game CDs. I don’t have any recollection of owning one, so I’m guessing my little brother must have acquired it after I left for college. Anyway, I plugged it in and all the games worked! But other than that I have no idea what to do with it (obviously the trash is not an option).
wileydragonfly 56 days ago [-]
The games are worth a fortune. I gave mine away in 2005 and now I get heart palpitations when I look them up on eBay.
Kon-Peki 56 days ago [-]
Interesting. My son suggests getting a table at VCF next year and setting it up for people to play; perhaps I’ll do that and have a sign that says “make an offer”
- The Satiator, that plugs into the video card slot so you can still use original CDs.
- The Saroo, that plugs into the cartridge slot, also emulates the RAM expansion carts, and it is much cheaper (but seems to have some compatibility problems).
nanna 55 days ago [-]
Good to know. Both my Saturn and Dreamcast's optical disk drives have packed up, so I've been wondering what to do with them. The Saroo looks less invasive than the Satiator, and would leave me able to play my old games if I ever get the optical drives working. But since the Saroo blocks up the RAM expansion slot, does it also include that RAM for games that need it?
pezezin 55 days ago [-]
Yes, it also emulates the 1 MB and 4 MB RAM expansions, and if I remember correctly, even the ROM cartridges for those very few games that used them. It also emulates a per-game virtual "memory card" (again, the Saturn used special cartridges for that purpose), giving each game its own space to save games.
nanna 54 days ago [-]
Interesting, thank you.
Grazester 54 days ago [-]
How is the Satiator any more invasive than a Saroo? They both plug into expansion slots, albeit different ones.
bitbasher 56 days ago [-]
Can we just take a moment to appreciate how incredibly odd the Ecco series is? For anyone that beat the games. You go from swimming in an ocean to flying with aliens. It's bizarre. Some people classify it as a horror game.
deemster 56 days ago [-]
The name of the game probably comes from dolphins echolocation ability. Another explanation I like to entertain is that the name is a reference to John C Lilly. He was a scientist who believed in an alien organization called the Earth Coincidence Control Office or E.C.C.O. He also studied dolphin intelligence and communication. He gave dolphins LSD in an effort to communicate with them. John C Lilly is an interesting rabbit hole to go down.
I've played a decent amount (never finished it), but I never understood why people say it's a horror game?
bbayles 56 days ago [-]
A friend of mine explained that there are overlapping phobias of water and deep dark spaces that this game triggers; he said it's unbearable to play the later levels.
Spoom 56 days ago [-]
I'd imagine anyone with claustrophobia would struggle with the last couple levels as well since they're essentially a battle against the screen crushing you.
nelup20 56 days ago [-]
I just checked what the final boss looks like, combined with the phobias... glad I didn't finish the game as a kid.
Thanks for the article, great read!
56 days ago [-]
bbayles 56 days ago [-]
It really is a game with a strange mix of aesthetics. Blue skies and bright colors in the early levels; suspense and dread and supernatural stuff in the later levels.
Another Ed Annunziata game called Three Dirty Dwarves is also stylistically unique.
butz 56 days ago [-]
You should look into PS2 version of this game, it seems to have same code for level unlock. Maybe it will be easier to reverse engineer and figure out what all codes do?
j0hnyl 56 days ago [-]
I wish there was more detail on "how" this was done as opposed to just the "what"
nostoc 56 days ago [-]
It's very much the "how", what were you looking for that's not explained in the blog post?
j0hnyl 56 days ago [-]
---
By analyzing a memory snapshot from the flycast emulator, I found that the buffer at 8cfffb34 holds the visible portion of the initials you type in. But if you keep typing, the characters you put in before get pushed into the buffer at 8c3abf18.
After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is a list of six special ones.
---
How?
frakt0x90 56 days ago [-]
I don't know exactly how flycast works but I've done similar things with other emulators and you take an action in the game (take damage, type something), then search memory for that value. In this case the ascii code for the letter typed. Keep doing this until you've narrowed down a single block of memory that holds everything you've done
bt1a 56 days ago [-]
im curious about the process to find that initial buffer address - does that involve entering a few different strings and searching the memory snapshot for those byte patterns ?
bbayles 56 days ago [-]
Yeah, exactly! I took a couple memory snapshots of the name "AAA" and then threw out all of the addresses that had values that didn't match the first snapshot. Then I changed it to "BBB" and threw out all the addresses that did match.
There's a program called Cheat Engine that can make this a point and click thing; that's usually how people find GameShark-style codes.
wileydragonfly 56 days ago [-]
Anyone else never beat the second level? Yes, we all eventually figured out that we had to jump over the rock wall… but after that… then what?
kadoban 55 days ago [-]
The next parts I vaguely remember: swim _very_ slow past an octopus arms (there's a hint but it's not necessarily clear that you have to be barely moving at all), hit key crystals and then the corresponding ~door crystals, and push a rock to drop and follow after them to avoid getting pushed back by the current.
It's generally a series of puzzles of that form and there's some ~light combat stuff.
jimmaswell 56 days ago [-]
The 3DS version was very cool. I plan on completing it there eventually. I wonder if those devs had source access.
n0id34 56 days ago [-]
I wish more people knew how to change to Ghidra's dark theme and change the font.
chungy 56 days ago [-]
Maybe the author likes it this way. People can have preferences that differ from your own.
trlaknb 56 days ago [-]
[flagged]
bobajeff 56 days ago [-]
>Python is indeed good for small throwaway scripts
I think you just answered your own question.
zahlman 56 days ago [-]
Ghidra is an already existing piece of software; the Python script was written for the specific purpose. The title isn't about comparing the relative importance of programming languages to getting the answer, but about explaining the tools used and the effort involved in using them.
thatguy102 56 days ago [-]
[flagged]
ziddoap 56 days ago [-]
This is a fun little post about reversing a dreamcast game.
No one is being a zealot.
skinner_ 56 days ago [-]
Interesting, as a very frequent HN reader, I do not associate this pattern with Python zealots at all. Rust, Swift, Go, more like.
56 days ago [-]
exe34 56 days ago [-]
I bet if you used pen and paper occasionally in the process you'd boast "I solved it using pen and paper!"
batch12 56 days ago [-]
Maybe the author is more comfortable with Python than the alternatives.
lpapez 56 days ago [-]
By this logic anything meaningful anyone does is actually done with C, because no matter what you do there is 40 million lines of kernel code underneath...
"What is the importance of Django, it's only 10 thousand lines of Python, powered by millions of lines of interpreter written in C..."
throwthis817 56 days ago [-]
No, the kernel does not solve the major part of the reverse engineering, the Java application Ghidra does.
But Java does not need any marketing, people just quietly use it.
bt1a 56 days ago [-]
What is the importance of needing to frame Python as tiny here? The reminder that programming languages are acceptable for small throwaway scripts is appreciated
vips7L 56 days ago [-]
I believe they were calling the function tiny, which it is, it’s 27 lines.
exe34 56 days ago [-]
python is great for a lot more than small throwaway scripts.
ok123456 56 days ago [-]
Depends on who you ask and to what lengths you're willing to go.
exe34 56 days ago [-]
"Python is used by Intel, IBM, NASA, Pixar, Netflix, Facebook, JP Morgan Chase, Spotify, and a number of other massive companies. It's one of the four main languages at Google, while Google's YouTube is largely written in Python. Same with Reddit, Pinterest, and Instagram"
"Python is used heavily in academic research, particularly in bioinformatics, biology, and mathematics. It is the standard introductory language for many university computer science programs."
Misquotation alert: I'm not claiming python is perfect for everything. There are times it makes sense to use something else. Not-short-scripts isn't it.
Brian_K_White 56 days ago [-]
It's utter garbage outside of a controlled environment. Youtube can use it because Youtube will have an official environment and there will be no such thing as a script that was written in one version or with one module installed that then breaks at run time.
The impressive size of the big users actually works against proving how great it is.
Use the official version inside Google or Netflix: ok.
Use in a package where the package manager ensures all dependencies and versions are met exactly: ok
Use by writing and immediately using and discarding today: ok
Write a random script and expect it to work in 6 months or on any other machine or god forbid another platform: forget it.
python is great for the author and miserable for everyone else
exe34 56 days ago [-]
I assume the last time you used python was during the transition from 2 to 3?
I haven't had any problems with versions over the last 5 years. conda is a really good way of ensuring you get the same environment if you need to freeze versions.
ok123456 56 days ago [-]
conda is a non-standard python tooling with canned environments with packages that are years out of date, a constraint solver in its package manager that randomly seems to run forever, and it's a commercial product.
Of all the Python packaging solutions, it's the worst.
The fact that so many people use it, as a matter of course, is further evidence of the fragility and complexity of maintaining Python tooling and codebases in general. The fragility of Python packaging is how we arrived at the current status quo of needing a CD/CI setup for hello-world.py. My statically-linked Fortran executables? I could keep copying around the same binaries until people switched architecture.
exe34 56 days ago [-]
hello-world.py works out of the box!
Brian_K_White 56 days ago [-]
It was true long before 3 was even started. But assume as you please. Enjoy your python, I'm not taking it from you.
exe34 56 days ago [-]
that's what I mean, they haven't had any massive break in backwards compatibility for a while. I did get annoyed by it before and attempted to create my own language/platform - if need be, I have a basic setup of imgui/chibi/c-ffi that I could expand into something useful for scripting that isn't likely to break, but honestly it's such a massive amount of work compared to a conda env so I don't mind sticking with python for now. there's also micromamba which is a lot faster for the solver.
Brian_K_White 54 days ago [-]
I can't hear you over the sound of pycache directories getting created just anywhere a .py file happens to exist. What genius thought that was even remotely sane? :) You can't hear but I'm being more lighthearted now but really I have no use at all for that shit language.
(yes I know it's configurable, but it also only behaves reasonably when & where that config is in place, not by default. It's opt-out vs opt-in)
exe34 53 days ago [-]
I don't really like reinventing the wheel in yet another shiny language, so I'll stick with what works for now. and if I do decide to migrate, it won't be to anything other than C/lisp.
Brian_K_White 39 days ago [-]
I am literally sitting at a console login because upgrading ubuntu from mantic to noble yesterday destroyed my entire system...because of python 3.12.
The apt output had a ton of errors about py scripts with invalid syntax, and those scripts failing apparently broke everything else and half the system basically got uninstalled, and most of what's left doesn't work, half the services other startup actions failed. Even the login message is broken with python syntax errors. Don't even have network to fix it, even wired let alone wifi. It's reinstall time.
This is today 2024, not during some 15 years ago big transition, and the scripts that broke are all fully packaged and package-managed parts of the os, not even random normal end user written.
This is not remotely a problem of the past and it's all better now and "have you used it lately?".
The one you get when you start it for the first time
ptek 56 days ago [-]
> Is this not against the Ghidra EULA?
He's not trying to reverse engineer a serial or key file.
It's being used for private use.
He's not making $$$$ at SEGA's loss.
It's not going to destroy SEGA's reputation.
and finally they are a hacker so the dopamine hit from being curious will be a big pay off.
nextlevelwizard 56 days ago [-]
Even if he was, then what? Quick glance at the repo does not show any kind of End-User License and even if it had what's the NSA going to do? Revoke his license? Sue him?
immibis 56 days ago [-]
In the real world, no one cares, unless they're on the receiving end of a lawsuit.
nextlevelwizard 56 days ago [-]
citation needed
Rendered at 20:35:31 GMT+0000 (Coordinated Universal Time) with Vercel.
https://web.mit.edu/freebsd/head/sys/libkern/crc32.c
(The decoded ints in the post are the constants in this CRC32).
Knowing it's a CRC32 and knowing the polynomial allows inverting the answers in log time instead of exponential time by exploiting the modular math of the polynomial rings.
Also someone needs to integrate binwalk & ghidra, they synergize too much.
I've learned programmers either invent their own hashes, random number generators, and crypto, in which case I usually break them, or they reuse existing algos, in which any code constants are searchable.
Plus I've written and reversed enough of all that I recognized the loop as a CRC polynomial remainder loop.
All Crc-n algos are trivially crackable/reversible/collideable. They're a remainder on division of polynomials (learn the math on how they work), so use the polynomial equivalent of extended euclidean algo and you get one answer. Now all sufficient multiples of that mod class give all possible answers, one at a time.
That should give you plenty to chase through
Normally, the polynomial is going to be found right next to a loop that is ingesting bytes incrementally.
Then I was wracked with guilt about spending all my money on a game I completed in two days.
Would love to hear more about this, if you have any recollection :)
https://eccothedolphin.online/ecco-password-generator/
You skipped several levels and saw only some percentage of the intended content, gameplay, story, etc. Games in general, and Ecco the Dolphin is no exception, are very much about the journey and not just the destination. You missed out on themes & experiences like isolation, making friends with those outside of your in-group, conservation, time travel, communing with dinosaurs and, of course, space travel.
So, you really shouldn't have felt so guilty.
You can however say that skipping levels also skips the story, so they did not finish the story.
People have different interests and finish in their own way.
If you’re really into a game you’re missing out if you don’t try to beat it in different ways.
If you’re really into one particular way you’re really kind of being a bad sport if you insist others enjoy a game in your preferred way.
If you told me you beat Mario on NES but you didn't even play 24 out of the 32 levels, and you never beat them otherwise, I don't think I'd give you the same credit as someone who beat each level.
This is why Any% speedruns (get to end credits any way possible) are their own category.
which is actually faster than the 20:44 TAS! (https://tasvideos.org/228G)
TASes are pretty much always measured from power on to last button input required to trigger the credits. With normal speedrun, timing various from game to game, but a common method is timing from selecting new game to the last hit on the final boss. So games with long openings or with interactive post-final boss sequences that have to be played before the credits start would have inflated times on the TAS.
The TAS counts about an extra 15 seconds before the game starts. The TAS reaches the point the speed run stops counting at 18:52, and continues to play out the ending. So the TAS would be measured as about 18:37 using speed run timing, so the speed run is still genuinely faster than the TAS, but less than the official numbers indicate.
It seems like the speed run uses a glitch that the TAS deliberately avoided. From the TAS description:
> At the same time, a major new glitch allowing Ecco to go through nearly any wall was not used because the frequency of its use would make the run very repetitive.
I had no idea what this was.
For people like me, after clicking through the link and some googling:
TAS = "Tool-assisted speedrun" or "tool-assisted superplay", and they are "generally created with the goal of creating theoretically perfect playthroughs".
That any% run was fun to skim through though. I had no idea what was happening.
Whole point of a TAS is to show what "perfect" speed run would look like.
Seems like a sibling comment explained this already in much more detail: https://news.ycombinator.com/item?id=42082420
"Just imagine you are about to die, but you will be reincarnated in to one of two people; a slave or the rich master. The slave suffers under the master. He has his tongue and an eye removed and his wife and child are killed. He goes on living knowing he is a good person, as he never committed such appalling, sadistic acts on another like his master has done. The rich master has no moral qualms about it at all. He doesn't think what he did was wrong; the slave needed to be punished. You have the choice, whether to be a poor and righteous slave or be a rich and corrupt master."
Gyugyu is the name of the slave.
https://www.imdb.com/title/tt0075467
The name "Ecco" is a reference to Lilly's ECCO (Earth Coincidence Control Office), a supernatural/extraterrestrial base which John posited existed on the other side of the moon to coordinate all earthly "coincidences". He was also one of the first to recognize how intelligent dolphins were and became obsessed with figuring out how to communicate with them, going as far as flooding half of his house in the Carribeans to cohabitate. This is just the tip of the iceberg. I'd highly recommend his autobiography The Center of the Cyclone if any of this is intriguing, he's a fascinating guy
Do you have any resources on getting started with Dreamcast game reverse engineering? I've been wanting to do some things with Skies of Arcadia, and I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".
FWIW this is pretty much the standard method for locating value locations in RAM. It actually works pretty well. Some emulators have tools built in for that, like Dolphin for example. Even old game hacking tools like the Gameshark for N64 used the technique, with an on-console UI. I don't know if any Dreamcast emulators have tools for it or not.
I wrote about the technique in Dolphin here (and the followup article is also about console game hacking with Ghidra): https://www.smokingonabike.com/2021/01/17/hacking-super-monk...
This was an advertised feature of some DS flashcarts back in the day, too. I can't remember if it was the R4, the DSTwo, or what...but I recall an example video for their "Make your own cheats!" feature, which involved playing something like Super Mario Bros, turning on the "Cheats Finder" feature, then grabbing a coin, and maybe doing it a few times. The manager would then figure out the value that's changing in memory (presumably the sector that stores your coin amount), create the "cheat", and then you would enable it and watch your coin value go up.
https://www.youtube.com/playlist?list=PLwH1xJhcXG0dBlmWL_DTu...
Ghidra can analyze the SuperH processor machine code natively, so the auto analysis will turn up lots of functions.
Do people just figured it out by trial & error like common patterns in x86 / arm / arcade platforms slowly?
I can't really find much discussion on details online.
So you're probably already half way there. Being familiar with assembly code helps of course.
It is a great tool to get started with assembly in my opinion because the disassembler is good enough and you can write what they call 'assembly scripts' which provides the foundation on doing memory patches in x86 asm. Then from that you can start writing your own utils to patch the games at your own will.
You can do crazy cheats by patching the game just with Cheat Engine!
I even spy your CRC32 table hidden in the `decrypted_ints` . The pre-generated tables are so easily searchable. It leaves me curious why they are so often found obfuscated in attempt to make it more difficult compared to generating a new one with your own polynomial.
Not too long ago, I found a Saturn in a closet at my parent’s house, along with a small handful of game CDs. I don’t have any recollection of owning one, so I’m guessing my little brother must have acquired it after I left for college. Anyway, I plugged it in and all the games worked! But other than that I have no idea what to do with it (obviously the trash is not an option).
https://terraonion.com/en/producto/terraonion-mode/
- The Satiator, that plugs into the video card slot so you can still use original CDs.
- The Saroo, that plugs into the cartridge slot, also emulates the RAM expansion carts, and it is much cheaper (but seems to have some compatibility problems).
I've played a decent amount (never finished it), but I never understood why people say it's a horror game?
Thanks for the article, great read!
Another Ed Annunziata game called Three Dirty Dwarves is also stylistically unique.
After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is a list of six special ones. ---
How?
There's a program called Cheat Engine that can make this a point and click thing; that's usually how people find GameShark-style codes.
It's generally a series of puzzles of that form and there's some ~light combat stuff.
I think you just answered your own question.
No one is being a zealot.
"What is the importance of Django, it's only 10 thousand lines of Python, powered by millions of lines of interpreter written in C..."
But Java does not need any marketing, people just quietly use it.
"Python is used heavily in academic research, particularly in bioinformatics, biology, and mathematics. It is the standard introductory language for many university computer science programs."
https://brainstation.io/career-guides/who-uses-python-today
Misquotation alert: I'm not claiming python is perfect for everything. There are times it makes sense to use something else. Not-short-scripts isn't it.
The impressive size of the big users actually works against proving how great it is.
Use the official version inside Google or Netflix: ok.
Use in a package where the package manager ensures all dependencies and versions are met exactly: ok
Use by writing and immediately using and discarding today: ok
Write a random script and expect it to work in 6 months or on any other machine or god forbid another platform: forget it.
python is great for the author and miserable for everyone else
I haven't had any problems with versions over the last 5 years. conda is a really good way of ensuring you get the same environment if you need to freeze versions.
Of all the Python packaging solutions, it's the worst.
The fact that so many people use it, as a matter of course, is further evidence of the fragility and complexity of maintaining Python tooling and codebases in general. The fragility of Python packaging is how we arrived at the current status quo of needing a CD/CI setup for hello-world.py. My statically-linked Fortran executables? I could keep copying around the same binaries until people switched architecture.
(yes I know it's configurable, but it also only behaves reasonably when & where that config is in place, not by default. It's opt-out vs opt-in)
The apt output had a ton of errors about py scripts with invalid syntax, and those scripts failing apparently broke everything else and half the system basically got uninstalled, and most of what's left doesn't work, half the services other startup actions failed. Even the login message is broken with python syntax errors. Don't even have network to fix it, even wired let alone wifi. It's reinstall time.
This is today 2024, not during some 15 years ago big transition, and the scripts that broke are all fully packaged and package-managed parts of the os, not even random normal end user written.
This is not remotely a problem of the past and it's all better now and "have you used it lately?".
He's not trying to reverse engineer a serial or key file. It's being used for private use. He's not making $$$$ at SEGA's loss. It's not going to destroy SEGA's reputation.
and finally they are a hacker so the dopamine hit from being curious will be a big pay off.