458 points | by bbayles 1 month ago
https://web.mit.edu/freebsd/head/sys/libkern/crc32.c
(The decoded ints in the post are the constants in this CRC32).
Knowing it's a CRC32 and knowing the polynomial allows inverting the answers in log time instead of exponential time by exploiting the modular math of the polynomial rings.
Also someone needs to integrate binwalk & ghidra, they synergize too much.
I've learned programmers either invent their own hashes, random number generators, and crypto, in which case I usually break them, or they reuse existing algos, in which any code constants are searchable.
Plus I've written and reversed enough of all that I recognized the loop as a CRC polynomial remainder loop.
All CRC-n algos are trivially crackable/reversible/collidable. They're a remainder on division of polynomials (learn the math on how they work), so use the polynomial equivalent of the extended Euclidean algo and you get one answer. Now all sufficient multiples of that mod class give all possible answers, one at a time.
That should give you plenty to chase through
Normally, the polynomial is going to be found right next to a loop that is ingesting bytes incrementally.
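As an added example (not code from the post, the linked FreeBSD crc32.c, or any commenter), here is the reflected CRC-32 loop the comments above are describing, with its table generated from the polynomial 0xEDB88320 rather than stored pre-computed, plus a suffix forger. The forger is the practical consequence of "a remainder on division of polynomials": because the update is linear over GF(2), any target CRC is reachable by appending four chosen bytes, which is why a CRC must never stand in for a MAC or a signature. Names (`forge_suffix`, `TOP_TO_INDEX`) and the sample prefix are my own.

```python
# Added example: reflected CRC-32 (polynomial 0xEDB88320, the reflected form of
# 0x04C11DB7) and a suffix forger that demonstrates the checksum is invertible.
import zlib

POLY = 0xEDB88320
INIT = 0xFFFFFFFF
MASK = 0xFFFFFFFF


def make_table(poly: int = POLY) -> list[int]:
    """Per-byte remainder table: entry i is i * x^8 reduced mod the polynomial."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()
# Every table entry has a distinct high byte; the backward pass in forge_suffix
# relies on this to recover the table index from one byte of state.
TOP_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_TO_INDEX) == 256


def update(state: int, data: bytes) -> int:
    """The byte-at-a-time remainder loop you see next to the table in compiled code."""
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def crc32(data: bytes) -> int:
    return update(INIT, data) ^ MASK


def matches_zlib(data: bytes) -> bool:
    """Cross-check against the reference implementation in the standard library."""
    return crc32(data) == zlib.crc32(data)


def forge_suffix(prefix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that crc32(prefix + s) == target_crc."""
    want = target_crc ^ MASK  # internal state the loop must end in
    # Backward pass: peel four update steps off `want`; each step exposes the
    # table index it used in the high byte of the remaining state.
    indices = [0] * 4
    y = want
    for i in range(3, -1, -1):
        indices[i] = TOP_TO_INDEX[y >> 24]
        y = ((y ^ TABLE[indices[i]]) << 8) & MASK
    # Forward pass: once the running state's low byte is known, each index
    # fixes the byte that produces it.
    state = update(INIT, prefix)
    suffix = bytearray()
    for idx in indices:
        suffix.append(idx ^ (state & 0xFF))
        state = TABLE[idx] ^ (state >> 8)
    assert state == want
    return bytes(suffix)


if __name__ == "__main__":
    sample = b"constructed sample input"  # constructed, not from the post
    print(hex(crc32(sample)), matches_zlib(sample))
    s = forge_suffix(sample, 0x12345678)
    print(s.hex(), hex(crc32(sample + s)))
```

The same linearity is why a checksum compared against a whitelist of accepted values gives no integrity protection either: the forger is simply run once per accepted value. If a check needs to resist a deliberate attacker, it needs a keyed MAC such as HMAC, not any CRC-n.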
Then I was wracked with guilt about spending all my money on a game I completed in two days.
Would love to hear more about this, if you have any recollection :)
You skipped several levels and saw only some percentage of the intended content, gameplay, story, etc. Games in general, and Ecco the Dolphin is no exception, are very much about the journey and not just the destination. You missed out on themes & experiences like isolation, making friends with those outside of your in-group, conservation, time travel, communing with dinosaurs and, of course, space travel.
So, you really shouldn't have felt so guilty.
You can however say that skipping levels also skips the story, so they did not finish the story.
People have different interests and finish in their own way.
If you’re really into a game you’re missing out if you don’t try to beat it in different ways.
If you’re really into one particular way you’re really kind of being a bad sport if you insist others enjoy a game in your preferred way.
If you told me you beat Mario on NES but you didn't even play 24 out of the 32 levels, and you never beat them otherwise, I don't think I'd give you the same credit as someone who beat each level.
This is why Any% speedruns (get to end credits any way possible) are their own category.
which is actually faster than the 20:44 TAS! (https://tasvideos.org/228G)
TASes are pretty much always measured from power on to the last button input required to trigger the credits. With normal speedruns, timing varies from game to game, but a common method is timing from selecting new game to the last hit on the final boss. So games with long openings or with interactive post-final-boss sequences that have to be played before the credits start would have inflated times on the TAS.
The TAS counts about an extra 15 seconds before the game starts. The TAS reaches the point the speed run stops counting at 18:52, and continues to play out the ending. So the TAS would be measured as about 18:37 using speed run timing, so the speed run is still genuinely faster than the TAS, but less than the official numbers indicate.
It seems like the speed run uses a glitch that the TAS deliberately avoided. From the TAS description:
> At the same time, a major new glitch allowing Ecco to go through nearly any wall was not used because the frequency of its use would make the run very repetitive.
I had no idea what this was.
For people like me, after clicking through the link and some googling:
TAS = "Tool-assisted speedrun" or "tool-assisted superplay", and they are "generally created with the goal of creating theoretically perfect playthroughs".
That any% run was fun to skim through though. I had no idea what was happening.
Whole point of a TAS is to show what "perfect" speed run would look like.
Seems like a sibling comment explained this already in much more detail: https://news.ycombinator.com/item?id=42082420
"Just imagine you are about to die, but you will be reincarnated in to one of two people; a slave or the rich master. The slave suffers under the master. He has his tongue and an eye removed and his wife and child are killed. He goes on living knowing he is a good person, as he never committed such appalling, sadistic acts on another like his master has done. The rich master has no moral qualms about it at all. He doesn't think what he did was wrong; the slave needed to be punished. You have the choice, whether to be a poor and righteous slave or be a rich and corrupt master."
Gyugyu is the name of the slave.
The name "Ecco" is a reference to Lilly's ECCO (Earth Coincidence Control Office), a supernatural/extraterrestrial base which John posited existed on the other side of the moon to coordinate all earthly "coincidences". He was also one of the first to recognize how intelligent dolphins were and became obsessed with figuring out how to communicate with them, going as far as flooding half of his house in the Caribbean to cohabitate. This is just the tip of the iceberg. I'd highly recommend his autobiography The Center of the Cyclone if any of this is intriguing; he's a fascinating guy.
Do you have any resources on getting started with Dreamcast game reverse engineering? I've been wanting to do some things with Skies of Arcadia, and I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".
FWIW this is pretty much the standard method for locating value locations in RAM. It actually works pretty well. Some emulators have tools built in for that, like Dolphin for example. Even old game hacking tools like the Gameshark for N64 used the technique, with an on-console UI. I don't know if any Dreamcast emulators have tools for it or not.
I wrote about the technique in Dolphin here (and the followup article is also about console game hacking with Ghidra): https://www.smokingonabike.com/2021/01/17/hacking-super-monk...
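The snapshot-diff search the two comments above describe, as an added example that is not part of any comment or the linked article: both the known-value flow (type in the number you see on screen, change it in-game, narrow) and the unknown-value flow (filter on how each word moved between dumps). The RAM dumps are constructed inline; the word width and little-endian layout match the Dreamcast's SH-4 default, and the offsets and the `find_by_*` helper names are my own.

```python
# Added example: Cheat Engine / Dolphin / GameShark-style memory search over
# constructed snapshots. Nothing here comes from the post or its links.
import struct

WIDTH = 4  # 32-bit little-endian words (SH-4 on the Dreamcast is little-endian by default)


def read_u32(snapshot: bytes, off: int) -> int:
    return struct.unpack_from("<I", snapshot, off)[0]


def all_offsets(snapshot: bytes, align: int = 4) -> set[int]:
    return set(range(0, len(snapshot) - WIDTH + 1, align))


def scan_exact(snapshot: bytes, value: int, align: int = 4) -> set[int]:
    """Known-value search: every aligned word currently equal to `value`."""
    return {off for off in all_offsets(snapshot, align) if read_u32(snapshot, off) == value}


def narrow_exact(candidates: set[int], snapshot: bytes, value: int) -> set[int]:
    """Keep the candidates that now hold `value` after the player changed it in-game."""
    return {off for off in candidates if read_u32(snapshot, off) == value}


def narrow_delta(candidates: set[int], before: bytes, after: bytes, delta: int) -> set[int]:
    """Unknown-value search: keep candidates that moved by exactly `delta` between dumps."""
    return {off for off in candidates
            if (read_u32(after, off) - read_u32(before, off)) & 0xFFFFFFFF == delta & 0xFFFFFFFF}


def make_snapshot(words: dict[int, int], size: int = 256) -> bytes:
    """Constructed RAM dump: zeros except for the given offset -> word pairs."""
    buf = bytearray(size)
    for off, value in words.items():
        struct.pack_into("<I", buf, off, value)
    return bytes(buf)


# Constructed scenario: the real counter lives at 0x40 and goes 5 -> 6 -> 7.
# 0x80 is a constant that happens to equal 5, 0x90 is another counter that also
# starts at 5 but goes 5 -> 6 -> 9, and 0xA0 is a frame counter.
SNAPSHOTS = [
    make_snapshot({0x40: 5, 0x80: 5, 0x90: 5, 0xA0: 100}),
    make_snapshot({0x40: 6, 0x80: 5, 0x90: 6, 0xA0: 160}),
    make_snapshot({0x40: 7, 0x80: 5, 0x90: 9, 0xA0: 220}),
]


def find_by_values(snapshots: list[bytes], values: list[int]) -> set[int]:
    """Start from the number shown on screen and narrow after each in-game change."""
    candidates = scan_exact(snapshots[0], values[0])
    for snap, value in zip(snapshots[1:], values[1:]):
        candidates = narrow_exact(candidates, snap, value)
    return candidates


def find_by_deltas(snapshots: list[bytes], deltas: list[int]) -> set[int]:
    """When the displayed number is not the raw stored value, filter on movement instead."""
    candidates = all_offsets(snapshots[0])
    for before, after, delta in zip(snapshots, snapshots[1:], deltas):
        candidates = narrow_delta(candidates, before, after, delta)
    return candidates


if __name__ == "__main__":
    print(sorted(hex(o) for o in find_by_values(SNAPSHOTS, [5, 6, 7])))
    print(sorted(hex(o) for o in find_by_deltas(SNAPSHOTS, [1, 1])))
```

Three passes are usually enough because each filter removes every word that merely coincided with the target once; the frame counter and the constant drop out on the first delta pass, and the look-alike counter on the second. Once the address is known, Ghidra's cross-references to it are what lead to the code that reads and writes it.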
This was an advertised feature of some DS flashcarts back in the day, too. I can't remember if it was the R4, the DSTwo, or what...but I recall an example video for their "Make your own cheats!" feature, which involved playing something like Super Mario Bros, turning on the "Cheats Finder" feature, then grabbing a coin, and maybe doing it a few times. The manager would then figure out the value that's changing in memory (presumably the sector that stores your coin amount), create the "cheat", and then you would enable it and watch your coin value go up.
https://www.youtube.com/playlist?list=PLwH1xJhcXG0dBlmWL_DTu...
Ghidra can analyze the SuperH processor machine code natively, so the auto analysis will turn up lots of functions.
Do people just figure it out by trial & error like common patterns in x86 / ARM / arcade platforms slowly?
I can't really find much discussion on details online.
So you're probably already half way there. Being familiar with assembly code helps of course.
It is a great tool to get started with assembly in my opinion because the disassembler is good enough and you can write what they call 'assembly scripts' which provides the foundation on doing memory patches in x86 asm. Then from that you can start writing your own utils to patch the games at your own will.
You can do crazy cheats by patching the game just with Cheat Engine!
I even spy your CRC32 table hidden in the `decrypted_ints`. The pre-generated tables are so easily searchable. It leaves me curious why they are so often found obfuscated in an attempt to make it more difficult, compared to generating a new one with your own polynomial.
Not too long ago, I found a Saturn in a closet at my parent’s house, along with a small handful of game CDs. I don’t have any recollection of owning one, so I’m guessing my little brother must have acquired it after I left for college. Anyway, I plugged it in and all the games worked! But other than that I have no idea what to do with it (obviously the trash is not an option).
- The Satiator, that plugs into the video card slot so you can still use original CDs.
- The Saroo, that plugs into the cartridge slot, also emulates the RAM expansion carts, and it is much cheaper (but seems to have some compatibility problems).
I've played a decent amount (never finished it), but I never understood why people say it's a horror game?
Thanks for the article, great read!
Another Ed Annunziata game called Three Dirty Dwarves is also stylistically unique.
After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is a list of six special ones.
How?
There's a program called Cheat Engine that can make this a point and click thing; that's usually how people find GameShark-style codes.
It's generally a series of puzzles of that form and there's some ~light combat stuff.
I think you just answered your own question.
No one is being a zealot.
"What is the importance of Django, it's only 10 thousand lines of Python, powered by millions of lines of interpreter written in C..."
But Java does not need any marketing, people just quietly use it.
"Python is used heavily in academic research, particularly in bioinformatics, biology, and mathematics. It is the standard introductory language for many university computer science programs."
https://brainstation.io/career-guides/who-uses-python-today
Misquotation alert: I'm not claiming python is perfect for everything. There are times it makes sense to use something else. Not-short-scripts isn't it.
The impressive size of the big users actually works against proving how great it is.
Use the official version inside Google or Netflix: ok.
Use in a package where the package manager ensures all dependencies and versions are met exactly: ok
Use by writing and immediately using and discarding today: ok
Write a random script and expect it to work in 6 months or on any other machine or god forbid another platform: forget it.
Python is great for the author and miserable for everyone else
I haven't had any problems with versions over the last 5 years. conda is a really good way of ensuring you get the same environment if you need to freeze versions.
Of all the Python packaging solutions, it's the worst.
The fact that so many people use it, as a matter of course, is further evidence of the fragility and complexity of maintaining Python tooling and codebases in general. The fragility of Python packaging is how we arrived at the current status quo of needing a CD/CI setup for hello-world.py. My statically-linked Fortran executables? I could keep copying around the same binaries until people switched architecture.
(yes I know it's configurable, but it also only behaves reasonably when & where that config is in place, not by default. It's opt-out vs opt-in)
The apt output had a ton of errors about py scripts with invalid syntax, and those scripts failing apparently broke everything else and half the system basically got uninstalled, and most of what's left doesn't work; half the services and other startup actions failed. Even the login message is broken with Python syntax errors. Don't even have network to fix it, even wired, let alone wifi. It's reinstall time.
This is today 2024, not during some 15 years ago big transition, and the scripts that broke are all fully packaged and package-managed parts of the os, not even random normal end user written.
This is not remotely a problem of the past and it's all better now and "have you used it lately?".
He's not trying to reverse engineer a serial or key file. It's being used for private use. He's not making $$$$ at SEGA's loss. It's not going to destroy SEGA's reputation.
and finally they are a hacker so the dopamine hit from being curious will be a big pay off.