GameShark is how I first stumbled on to the internet. I was looking up "the codes". I was really upset when GameShark's UBB instance went dark. Years later, I returned to look at some favorites and found that I could easily use all these programming skills I've developed to directly hack games.
https://github.com/kanzure/pokecrystal
So things like "beat the Elite Four 16,383 times" turn out to be definitely false. Also "mash A to increase the chances of catching" is also unfortunately wrong.
But at least you can just directly look at the WRAM file to see where actual values are stored:
https://github.com/kanzure/pokecrystal/blob/master/wram.asm
These can easily be converted into the old school GB/GBC GameShark codes by prepending 01, then a two-digit hex value, then a little endian (reversed) two-byte address.
So if you wanted to hack level 80 with a GameShark code you would look up and find this:
    PartyMon1Level: ; dcfe
    ds 1 ; just one byte
to come up with:
    0150FEDC
(0x50 because 0x50 == 80)
The GameShark was a really educational device. At first I didn't know what I was looking at, but then I realized it was giving me memory dumps and byte/address search tools. And then for some reason all of the subsequent devices after N64/GBC were just terrible, and I couldn't get an address searcher without a modchip?? No clue.
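The address-to-code conversion described in the comment above, as an added example (not code from the thread or from the pokecrystal project): it packs the leading 01 byte, the value byte and the little-endian address into the 8-digit code, decodes a code back into its parts, and applies a code to a WRAM dump. The only address it relies on is the thread's PartyMon1Level at 0xDCFE; the assumption that a WRAM dump starts at 0xC000 (the GB WRAM base) is mine.

```python
"""GB/GBC GameShark code encoder/decoder (added example, not from the thread)."""
from __future__ import annotations

# Label table constructed from the thread: only PartyMon1Level's address
# (0xDCFE) is given on the page.
WRAM_LABELS = {"PartyMon1Level": 0xDCFE}

WRAM_BASE = 0xC000  # assumption: dumps start at the GB WRAM base address


def encode_gameshark(address: int, value: int, prefix: int = 0x01) -> str:
    """Build a code: prefix byte (01 per the thread), value byte, then the
    16-bit address low byte first (little endian)."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"value must fit in one byte, got {value:#x}")
    if not 0 <= address <= 0xFFFF:
        raise ValueError(f"address must fit in two bytes, got {address:#x}")
    lo, hi = address & 0xFF, address >> 8
    return f"{prefix:02X}{value:02X}{lo:02X}{hi:02X}"


def decode_gameshark(code: str) -> tuple[int, int, int]:
    """Return (prefix, value, address) from an 8-hex-digit code; the address
    is rebuilt from the reversed byte order."""
    code = code.strip().replace(" ", "").replace("-", "")
    if len(code) != 8:
        raise ValueError(f"expected 8 hex digits, got {code!r}")
    prefix, value, lo, hi = bytes.fromhex(code)  # raises on non-hex input
    return prefix, value, (hi << 8) | lo


def level_code(label: str, level: int) -> str:
    """Code that forces the byte at a labelled WRAM address to `level`."""
    return encode_gameshark(WRAM_LABELS[label], level)


def apply_code(dump: bytearray, code: str, base: int = WRAM_BASE) -> int:
    """Patch a WRAM dump in place the way the device would patch RAM and
    return the offset written; rejects addresses outside the dump."""
    _, value, address = decode_gameshark(code)
    offset = address - base
    if not 0 <= offset < len(dump):
        raise IndexError(f"address {address:#06x} is outside the dump")
    dump[offset] = value
    return offset


if __name__ == "__main__":
    # Constructed 8 KiB dump standing in for a real WRAM file.
    wram = bytearray(0x2000)
    code = level_code("PartyMon1Level", 80)
    print(code, "->", decode_gameshark(code))  # 0150FEDC -> (1, 80, 56574)
    print("patched offset", hex(apply_code(wram, code)))
```

The decoder deliberately reads the address back as `hi << 8 | lo`, so round-tripping a code is the quickest check that the byte order was written the right way round.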
Ha! Back in the day I had to exchange my Gameshark 64 four damn times. Ended up getting an off-brand device called the Xplorer/Xploder (one of those, depended on whether you were NTSC or PAL) 64 that worked a lot better.
Ah, the wonders of throwing Zelda: Majora's Mask into debug mode and L-Button Moon Jumping everywhere while dressed as Fierce Deity Link outside boss rooms.
> Also "mash A to increase the chances of catching" is also unfortunately wrong.
I remember playing the game, thinking about this. I was wondering whether I had heard it somewhere or come up with it myself, how unlikely it was to be true, and how I still found myself doing it occasionally. A small existential crisis over confirmation bias and clever design.
I'm intrigued by ROM hacking (and low-level computing in general). So far I've been limited to reading memory dumps on emulators while only making little sense of it, but I'll have to give it a better shot. Using Gameshark and checking your links is probably a good start, thanks for those.
Wow. I was involved in the Game Genie development and you might like to know the only reason we encrypted the codes was because we were scared of being sued by Nintendo (rightly as it turned out) and we figured naively that it would help if people couldn't make up their own codes. During the court case (Nintendo did indeed sue us), ironically, the lawyers told us it was the other way round, so we actually published hints on how to experiment making new codes by trial and error.
When I was in high school, I used similar techniques to hack PalmPilot shareware. I had taught myself Z80 and 68k assembly starting as a middle schooler to program my TI-83 (and later 89) graphing calculator.
I knew from experience that most responses to user input and state ultimately hinged on a single comparison instruction. For most shareware, there could be numerous checks that change the behavior of the code depending on whether it's registered or not, but the state of registration itself usually came down to a single flag stored someplace. Sometimes, developers would really obscure how this state was stored, but often, the weak point is at the point of registration. If you simply invert the comparison that determines if the registration code is correct, you can invert the registration approval/rejection process.
Using a disassembler, I isolated exactly where the comparison point was. Usually, this could be done by searching for code references to the success and failure screen or dialogs, and working backwards. Very often, it was as simple as using an onboard hex editor to replace a "branch if equal" opcode with a "branch if not equal". Then as long as you don't accidentally enter a correct code, you're in!
There were far more sophisticated registration schemes back then, and especially today, which require far more complicated methods to circumvent.
I did all this for two reasons. First was the fun/puzzle of it. Second was the fact that PalmPilot apps were often priced for business people, and relatively simple software would sell for $20-50; way more than my high school allowance allowed me to afford. I never did become a contributor to the whole crackz scene though. In the modern app world, the going price is like $2-5, making things way more affordable.
I pretty much discovered programming by messing around with my Action Replay as a child. I was probably 12 years old and my family were poor so we didn't have a computer. My big brother had a Dreamcast and this could be hooked up to our phone line (56K) to get online. I was allowed to do this one hour per week, on a Saturday if I'd behaved that week. It was terrible: it locked up my mum's phone line so it was a strict hour, and it used to take forever to connect, so I'd get maybe 30 mins to try and load codejunkies.com and post my weekly discoveries to the forum. This was tricky as I had to type using the Dreamcast controller and I wrote all my codes out on pen and paper (I had a whole book of my notes).
I remember one weekend I got to use the main TV and plugged in the Dreamcast. Found the codejunkies forum and there were a bunch of people doing things that I had been doing. Some random names, I remember Dr Ian, FoxDie, SubDrag, Krusha... there were a load of people with strange names doing exactly the same things I'd been doing in the back room during the week.
I posted some of the codes I had figured out, nothing major at first: Adding a timer to any Goldeneye level, modifying the character's head/body. I checked back a week later and some of these 'big names' had commented on my codes! I was ecstatic :)
I looked forward to my weekly hour online and I used all my time on Action Replay/Gameshark sites. I even wrote a tutorial on N64 hacking (using a Dreamcast controller, it sucked).
I got to the stage where I could look at the Memory Editor on a page of Goldeneye and know exactly what part of code/data it was. I knew after a while that 3F80 somehow related to a default value, and if I made it larger things in the game would usually grow. I would change a value like this and then run around for ages until I saw something bigger. Didn't always work, but once it did I would look at the memory address for the 3F80 and do a search for that address.
This (I thought at the time) would be the place that knows about the object, so I would read the hexdump and follow anything that looked like an address in the editor, modifying the value at that address and seeing what it would change.
Somehow this ended up working out well (I had never used a computer for anything but Word and Excel at this stage) and I found I could replace objects, change their sizes, colour, physics... I could replace them with objects that were no longer in the game (suitcases in Goldeneye etc).
It was fun!
Once I was comfortable with it I started looking for the big prizes. Things I would see on my weekly journey to the forums that people wanted. Connery Bond was a big one. There were rumours that you could play as the other bonds.
So I figured I would find him. I figured that since you pause the game in Goldeneye and see the arm + watch, Connery would have a white arm. So I took some time tracking the seconds hand on the watch and travelled up the memory addresses until I found a value that was near a 3F80. I switched it, paused the game and had a white suit!! Amazing!
I ended up with quite an intimate knowledge of the Goldeneye hex dumps. I found a weird level that I could load, providing I emptied it of objects and props. So I found a way to stop the game from loading anything other than level data and I could briefly see a strange silver ramp level with blue skies, but I would fall and die immediately. I later discovered that this was the Citadel level and some other clever guys managed to make it playable :)
The thing that ended it for me though, was my biggest hack ever...
While lying on my bed, I read a cheat book (I collected N64 magazine) that said Banjo and Kazooie had many more cheats than had been released. I figured that I knew a couple of the codes (you entered them on the floor of a sandcastle, but it was basically a keyboard), so if I entered a code and did a memory dump after each letter I could home in on the counter that was checking them.
So I took a mem dump, hit a letter, took another mem dump, searched for values greater than last, and repeated.
Found it.
Then I search for the memory address at that pointer and find something pointing at it. Repeating this I find a whole bunch of crappy values with 00 between them.
Deciding that these were the codes, but encrypted (:-|) I wrote them all down on paper, all 60ish and took them to the front room. From the codes that were released I could figure out the majority of the letters: A was 65, E was 69 etc so I went through filling those out. I gave my mum and dad a few pages each and (love them) they sat there and filled out the missing letters.
An hour later I had every code for that game in my lap :)
I waited a few days for internet access and used the entire hour typing them into an email that I sent to Official Nintendo Magazine, GamesMaster and N64 magazine (my favourite).
Next week I checked online and Nintendo Magazine got back to me asking where I found the codes. They later published a full cheat book with them (without credit) and credited me for a really crap cheat in the main magazine. I didn't care - they sent me WWF No Mercy for free (big deal for a poor kid) and my name was in a magazine!
I was walking home a few weeks later and saw N64 Magazine in the newsagents. Cover had Banjo and Kazooie on it - NEW CHEATS REVEALED: GET THE ICE KEY AND MORE...
Holy shit!
I couldn't afford it but I ran in and flicked through the pages to look for my name. This was epic!
Except it wasn't. Turned out some other hackers had found the codes at the same time and they had their name in my favourite magazine. I was gutted.
Two weeks later my parents couldn't afford the phone line and my brother sold his Dreamcast.
It was a fun time, and looking back at it now with a computer science degree I can't help but smile.
I only wish I knew what ASCII was before me and my parents used frequency analysis to crack it haha!
> Some random names, I remember Dr Ian, FoxDie, SubDrag, Krusha
Hey wait, I know these names..
> Except it wasn't. Turned out some other hackers had found the codes at the same time and they had their name in my favourite magazine. I was gutted.
I am pretty sure that was SubDrag. You might be interested to know that he is still around, check out irc.efnet.org #n64dev -- you might have to idle for a while, but he's definitely around.
It's always great to read stories like these, thank you.
I think these types of stories just go to show how curious some people are at a small age (maybe due to lack of tech?) and what possibly could be achieved if something like CompSci was taught earlier or having earlier access to computing. However, there are bound to be people who do have everything but don't do anything.
Very good story, very good read. My story is with the good old breadbox - the Commodore 64. Things are very foggy about that period in my life, I was 8, so if anyone can fill in the blanks, that could be fun.
I didn't do much programming on the c64, but things got fun when I somehow acquired a book full of SYS codes. Apparently you could cheat if you loaded the game, did a soft-reset, so the game was still in memory, and entered a SYS code.
Doing a soft-reset required a cartridge though, like the later popular Action Replays for the Amiga. I didn't have access to these fabled cartridges, so I did the next best thing: a bent paper clip, short circuiting some random holes in the cartridge slot. This caused the desired reset, sometimes, allowing me to pass in the SYS codes, and RUN the game again, various cheats applied.
Today I wish I had access to this "bible" of SYS codes, if only for the nostalgia. It provided me with many hours of fun, and breathed new life into old games. All I remember is that the front of it had a sort of robotic character on it, and some purple colours.
I did the same paperclip trick ... Worked fine until one day I hit the wrong pin and connected the power line to one of the chips ... Bang. Big deal because I grew up in rural Ireland and a new C64 or a repair meant a road trip and big expense.
Ouch, could have as easily happened for me as well. As time passed I became more careless on hitting the proper holes, and I must've ended up trying quite a lot of different combinations. I'm very happy your experience didn't happen to me, I'd have been heartbroken.
I think that he was able to gain access to hex-level memory and instructions through a GameShark (http://en.wikipedia.org/wiki/GameShark) playing on the N64, though he doesn't mention this directly.
This made me remember when I was a kid and cheated against my siblings in MAME emulators, editing the high score files with Notepad. Many times I made games unusable after that... now I know why you shouldn't open binary files as text, edit and save them.
It got to the point where I could recognize Ultima 4 terrain in Copy2+'s sector editor.
I guess I got started glitching - overwriting lots of things to see what died and by narrowing my probe, discover what smaller bits did. Then editing constants and map data, etc.
I've still got scans of notebooks where I mapped dungeons, recorded stats, etc, and then documented the memory structures once I'd found them.
It's no real surprise that I'm now a maintenance coder / reverse-engineer / re-implementor.
Hello,
I love reverse engineering and programming a lot.
I'd love to work as a "maintenance coder / reverse-engineer / re-implementor", but I've still no idea in which domain it is really needed. I do it for my own pleasure on some games / software at the moment.
Could you tell me what is the best way to become a "maintenance coder / reverse-engineer / re-implementor"?
I took a look at the Matasano project.
It seems terribly interesting for me and it fits with my expectations.
Unfortunately, they require you to work in their office, and as a European (French) guy, I can't afford to move to America: I'd like to stay not too far from my family and friends if possible. I love programming / computer security very much, but I think I'd suffer from not seeing them anymore.
I'm looking for a French/European job, similar to the one proposed for the Matasano Project. AFAIK, it doesn't exist...
I consider moving to America if it isn't possible, but I'd like to avoid that if possible.
In Europe I'd guess you'd be most at home in the Linux world. At the moment all the activity there is in virtualisation related companies, so I'd try to approach some of them and see if they've got something for you. I think NetApp is hiring in your area, but I'm not sure what exactly they do there.
You can also become a Vulnerability Reward Program bounty-hunter as a hobby for a while. If you manage to find some high-profile bugs and blog about it, work will probably also start coming to you.
Thank you for all that precious advice, it means a lot to me.
I'll start blogging as soon as I've got something new and interesting.
I need to show what I can do. I'm currently studying and I feel like I haven't a lot of opportunities to really show off my skills because the level of requirements is not high enough; that's frustrating sometimes.
I agree that a blog could be a good solution, I also enjoy writing articles even if my English is not the best.
I'll keep you informed if you enjoy receiving news from random internet people.
I'll certainly think about some software I'd like to analyze during the next few days and start working on finding bugs/vulnerabilities/interesting things.
You're already doing the hobby stuff that got me here, so I assume you mean the actual job part of it.
I work as a maintenance coder on a framework for a network security appliance. In a sense, everything I mentioned is just this - I often don't have any documentation and have to make things work by, at a minimum, running strace and seeing what they're trying to do and work backward - to find a system that was supposed to be creating those files, etc...
I rarely have to use what you'd call "reverse engineering" skills, but the familiarity with ASM and recognizing certain source-level idioms in the generated code, comes in handy for regular debugging all the time.
I got the job partly by chance - a manager mentioned in passing at an event that his team was hiring and I followed up, and because of what we did. We've got a tremendously wide range of deep products with a wide mix of technologies because we've been around for a long time. Because of this, and our laid-back roles I've been able to work closely with our global ops team, the malware analysts, IT, etc.
I think it probably helps to find a company with complex enough tasks, where you have a slightly under-specified role (I maintain the framework ...), and there are a lot of different engineering/ops/support teams under one roof so there's always something fun going on. Then, be the person who handles what other people would call annoyances like requests from other teams.
Let me know if I missed the mark, or could elaborate.
Ahh... good ol' cheating... trying to cheat in computer games was how I got into programming. It all began with simple memory editing, then I learned C++ to write some trainers, then got into disassemblers and played around more.
One of the good things about growing up without a game console, I guess.
I was really really into the GameShark during the PSX days. The original one was nice, but the best thing was the GameShark Pro, which allowed you to (amongst other things) generate your own codes via a rudimentary hex editor/comparison tool that could be invoked by pressing a button on the device. (You could also connect it to a Windows PC via a parallel port on the back, which was tedious, but the accompanying software was easier to work with.)
So to create (e.g.) an infinite-ammo code, you would reload so that you had a full magazine of 30 rounds, and press the button. Then you'd have the GameShark search for addresses with a value of 30. Usually it'd return a huge amount of mostly garbage, so then you'd return to the game, shoot once or twice to change the number of rounds, and go back and tell it to narrow the results down by showing only the addresses that had changed to 29 or whatever.
After doing that two or three times, you'd have a working code that you could save to the device or share with people.
Sometimes it wasn't obvious what the value of a variable was, so you'd have to do a 'not equals' search. So to get weapon values, you would equip a knife, do a search, change to a hand gun, do a 'not equals' search, usually repeat that many times (because there are always going to be things changing) until you finally end up with an address that specifies the weapon (and sometimes one or two accompanying addresses).
Firstly, by watching the value of these addresses (you could always return to the results screen and see what the new value was), you would find out which values correspond to which guns. The knife might be 01, the hand gun 02, the rocket launcher 0A, and so on. That would allow you to take the address and create many codes for different weapons by adjusting the values.
More humorously: In some games, like Resident Evil, the address for the weapon function would be accompanied by another address for the weapon ammo. You could adjust the two values so that they differed from each other — for example, set the function to 01 and the ammo to 0A — and then you would end up with a knife that shoots rockets.
The codes that were the most challenging to create, and also probably the most fun, were what i used to call 'abusive codes'. Abusive codes were usually more humorous than practical — instead of giving you useful things like infinite ammo or lives, abusive codes would screw with the game's display or physics.
One of my favourite abusive codes was roller-skate mode for Silent Hill. Silent Hill is an extremely frightening and morbid horror game (i still can't play it alone), and enabling roller-skate mode completely changed the dynamic. First of all, during game-play, Harry's legs wouldn't move — he would just scoot around like he was sliding on ice. What was funnier, though, was that the sliding would persist into the game's cut scenes (which usually involved the discovery of something gruesome). So for example Harry would come across some mutilated corpse, the music would get all shrieky and he would exclaim how terrible it was, and all the while he would be scooting all over the screen. It turned the game from something frightening into something hilarious.
Most of the other abusive codes that i and my friends experimented with had similar effects on the physics. For example, in Resident Evil 2, we created a code where, if you pressed a certain button on the controller, the character's legs would shoot around like a helicopter and, if you held it long enough, they would gradually 'fly' up through the ceiling and off the screen.
Other games would allow you to alter aspects of the display. You could make the characters into giants, or make specific body parts extremely large or small, or make all of the doors turn into different objects. This was 'after my time', so to speak, but one of the Resident Evil games for GameCube allowed you to adjust the main character's breast size. If you cranked the value high enough, you could make her boobs fill the entire screen.
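The snapshot-narrowing search that the GameShark Pro comment above describes (equals search, then keep only what changed, then not-equals for values you don't know), and the "search for values greater than last" that the earlier Banjo-Kazooie story used to find the cheat-entry counter, are the same algorithm with different predicates. The following is an added example of that algorithm in Python, not the device's firmware or anything posted in the thread; the "memory" is a constructed bytearray standing in for a dump, and the offsets, values and the idea of a timer that drifts alongside the ammo count are all constructed for the demonstration.

```python
"""Snapshot-based value search (added example, not code from the thread)."""
from __future__ import annotations

from typing import Callable, Dict, Optional, Set

# A predicate sees the current value and, after the first scan, the value
# the same offset held in the previous snapshot.
Predicate = Callable[[int, Optional[int]], bool]


def equals(target: int) -> Predicate:
    return lambda cur, prev: cur == target


def not_equal(target: int) -> Predicate:
    return lambda cur, prev: cur != target


def changed() -> Predicate:
    return lambda cur, prev: prev is not None and cur != prev


def unchanged() -> Predicate:
    return lambda cur, prev: prev is not None and cur == prev


def increased() -> Predicate:   # the "greater than last" search
    return lambda cur, prev: prev is not None and cur > prev


def decreased() -> Predicate:
    return lambda cur, prev: prev is not None and cur < prev


class SnapshotSearch:
    """Keeps the set of candidate offsets across successive memory dumps."""

    def __init__(self, width: int = 1, byteorder: str = "little") -> None:
        self.width = width            # bytes per value (1 for the byte searches above)
        self.byteorder = byteorder    # PSX/GB are little endian; N64 would be "big"
        self.candidates: Optional[Set[int]] = None  # None = no scan yet
        self.last: Dict[int, int] = {}              # previous value per survivor

    def _read(self, snap: bytes, off: int) -> int:
        return int.from_bytes(snap[off:off + self.width], self.byteorder)

    def scan(self, snap: bytes, pred: Predicate) -> Set[int]:
        """Apply `pred` to every remaining candidate (or every offset on the
        first scan) and return the offsets that survive."""
        offsets = (range(len(snap) - self.width + 1)
                   if self.candidates is None else self.candidates)
        keep = {off for off in offsets
                if pred(self._read(snap, off), self.last.get(off))}
        self.last = {off: self._read(snap, off) for off in keep}
        self.candidates = keep
        return keep


def demo_ammo_search() -> Set[int]:
    """Infinite-ammo style search on a constructed 64-byte dump: a magazine of
    30, a constant that also happens to be 30, and a timer that ticks down
    with the first shot but is paused for the second."""
    AMMO, CONST, TIMER = 0x20, 0x05, 0x3A
    mem = bytearray(64)
    mem[AMMO] = mem[CONST] = mem[TIMER] = 30
    s = SnapshotSearch()
    s.scan(bytes(mem), equals(30))           # {0x05, 0x20, 0x3A}
    mem[AMMO], mem[TIMER] = 29, 29           # fire once
    s.scan(bytes(mem), decreased())          # {0x20, 0x3A}
    mem[AMMO] = 28                           # fire again, timer paused
    return s.scan(bytes(mem), decreased())   # {0x20}


def demo_letter_counter_search() -> Set[int]:
    """Cheat-entry counter search: dump, type a letter, dump, keep what grew."""
    COUNTER, FRAMES = 0x10, 0x30
    mem = bytearray(64)
    mem[FRAMES] = 100
    s = SnapshotSearch()
    found = s.scan(bytes(mem), equals(0))    # nothing typed yet
    for n in (1, 2, 3):
        mem[COUNTER] = n                     # one more letter entered
        mem[FRAMES] = 100 - n                # unrelated counter moving the other way
        found = s.scan(bytes(mem), increased())
    return found                             # {0x10}


if __name__ == "__main__":
    print("ammo at", [hex(o) for o in demo_ammo_search()])
    print("letter counter at", [hex(o) for o in demo_letter_counter_search()])
```

Each scan records the surviving values so the next relative predicate (`changed`, `increased`, ...) compares against the previous dump rather than against the very first one, which is what lets the third scan in the ammo demo drop the timer once it stops moving.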