[HN Gopher] Using Ghidra and Python to reverse engineer Ecco the...
___________________________________________________________________
Using Ghidra and Python to reverse engineer Ecco the Dolphin
Author : bbayles
Score : 294 points
Date : 2024-11-07 14:25 UTC (8 hours ago)
(HTM) web link (32bits.substack.com)
(TXT) w3m dump (32bits.substack.com)
| skibz wrote:
| I'd love to see footage of the underwater soccer cheat in action.
| praptak wrote:
| QQRIQ is a phonetic abbreviation of "kukuriku", which is the
| sound of the rooster in Hungarian and in several other languages
| (Polish "kukuryku", Hebrew "qvqvryqv" etc.). Makes one wonder what
| the process for choosing the passwords was.
| bt1a wrote:
| Could it be that the rooster/cockadoodledoo is something
| performed like clockwork in the morning, so the frame data being
| shown is also tangential to time and clocks? Probably
| not.
| bbayles wrote:
| The programmers for this game were in Budapest, so this is a
| good guess!
| praptak wrote:
| I didn't know that. The QQRIQ jumped out at me because of my
| Polish background, so I googled it and found it's
| international.
| jylam wrote:
| Cocorico in french, very close :)
| rzzzt wrote:
| Kikeriki in German!
| luismedel wrote:
| Very similar to "kikiriki" in Spanish.
| matsemann wrote:
| Wonder why some went for an o-sound and others an
| i-sound. To make matters worse it's kykeliky in
| Norwegian, so both y, e, i.
| Y_Y wrote:
| See also: the town of Kakariko in Zelda which always has
| chickens
| mtlebe wrote:
| Also Gyugyu might be a reference to the Hungarian movie: "The
| Fifth Seal"
|
| "Just imagine you are about to die, but you will be
| reincarnated in to one of two people; a slave or the rich
| master. The slave suffers under the master. He has his tongue
| and an eye removed and his wife and child are killed. He goes
| on living knowing he is a good person, as he never committed
| such appalling, sadistic acts on another like his master has
| done. The rich master has no moral qualms about it at all. He
| doesn't think what he did was wrong; the slave needed to be
| punished. You have the choice, whether to be a poor and
| righteous slave or be a rich and corrupt master."
|
| Gyugyu is the name of the slave.
|
| https://www.imdb.com/title/tt0075467
| bt1a wrote:
| I'm curious about the process to find that initial buffer address
| - does that involve entering a few different strings and
| searching the memory snapshot for those byte patterns ?
| bbayles wrote:
| Yeah, exactly! I took a couple memory snapshots of the name
| "AAA" and then threw out all of the addresses that had values
| that didn't match the first snapshot. Then I changed it to
| "BBB" and threw out all the addresses that did match.
|
| There's a program called Cheat Engine that can make this a
| point and click thing; that's usually how people find
| GameShark-style codes.
| bitbasher wrote:
| Can we just take a moment to appreciate how incredibly odd the
| Ecco series is? For anyone that beat the games. You go from
| swimming in an ocean to flying with aliens. It's bizarre. Some
| people classify it as a horror game.
| bbayles wrote:
| It really is a game with a strange mix of aesthetics. Blue
| skies and bright colors in the early levels; suspense and dread
| and supernatural stuff in the later levels.
|
| Another Ed Annunziata game called _Three Dirty Dwarves_ is also
| stylistically unique.
| nelup20 wrote:
| My favorite aspect is the music, I regularly listen to the OST
| while working: https://youtu.be/tqMuvFEKCOk
|
| I've played a decent amount (never finished it), but I never
| understood why people say it's a horror game?
| bbayles wrote:
| A friend of mine explained that there are overlapping phobias
| of water and deep dark spaces that this game triggers; he
| said it's unbearable to play the later levels.
| nelup20 wrote:
| I just checked what the final boss looks like, combined
| with the phobias... glad I didn't finish the game as a kid.
|
| Thanks for the article, great read!
| Spoom wrote:
| I'd imagine anyone with claustrophobia would struggle with
| the last couple levels as well since they're essentially a
| battle against the screen crushing you.
| deemster wrote:
| The name of the game probably comes from dolphins' echolocation
| ability. Another explanation I like to entertain is that the
| name is a reference to John C Lilly. He was a scientist who
| believed in an alien organization called the Earth Coincidence
| Control Office or E.C.C.O. He also studied dolphin intelligence
| and communication. He gave dolphins LSD in an effort to
| communicate with them. John C Lilly is an interesting rabbit
| hole to go down.
| VyseofArcadia wrote:
| Great read!
|
| Do you have any resources on getting started with Dreamcast game
| reverse engineering? I've been wanting to do some things with
| Skies of Arcadia, and I've been hoping there exist techniques
| more systematic than "see what values change between memory
| snapshots".
| bbayles wrote:
| I've poked around a bit with that game! The main trick is to
| import the memory snapshot (various ways of dumping it to a
| file; people like Cheat Engine for this) into Ghidra.
|
| Ghidra can analyze the SuperH processor machine code natively,
| so the auto analysis will turn up lots of functions.
| coldpie wrote:
| > I've been hoping there exist techniques more systematic than
| "see what values change between memory snapshots".
|
| FWIW this is pretty much the standard method for locating value
| locations in RAM. It actually works pretty well. Some emulators
| have tools built in for that, like Dolphin for example. Even
| old game hacking tools like the Gameshark for N64 used the
| technique, with an on-console UI. I don't know if any Dreamcast
| emulators have tools for it or not.
|
| I wrote about the technique in Dolphin here (and the followup
| article is also about console game hacking with Ghidra):
| https://www.smokingonabike.com/2021/01/17/hacking-super-monk...
| AdmiralAsshat wrote:
| > Some emulators have tools built in for that, like Dolphin
| for example.
|
| This was an advertised feature of some DS flashcarts back in
| the day, too. I can't remember if it was the R4, the DSTwo,
| or what...but I recall an example video for their "Make your
| own cheats!" feature, which involved playing something like
| Super Mario Bros, turning on the "Cheats Finder" feature,
| then grabbing a coin, and maybe doing it a few times. The
| manager would then figure out the value that's changing in
| memory (presumably the sector that stores your coin amount),
| create the "cheat", and then you would enable it and watch
| your coin value go up.
| j0hnyl wrote:
| I wish there was more detail on "how" this was done as opposed to
| just the "what"
| nostoc wrote:
| It's very much the "how", what were you looking for that's not
| explained in the blog post?
| j0hnyl wrote:
| --- By analyzing a memory snapshot from the flycast emulator,
| I found that the buffer at 8cfffb34 holds the visible portion
| of the initials you type in. But if you keep typing, the
| characters you put in before get pushed into the buffer at
| 8c3abf18.
|
| After loading the memory snapshot into Ghidra, I found that
| the function at 8c0334d8 reads this buffer. It performs a
| transformation on the buffer and then checks whether the
| transformed value is a list of six special ones. ---
|
| How?
| frakt0x90 wrote:
| I don't know exactly how flycast works but I've done
| similar things with other emulators and you take an action
| in the game (take damage, type something), then search
| memory for that value. In this case the ascii code for the
| letter typed. Keep doing this until you've narrowed down a
| single block of memory that holds everything you've done.
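The snapshot-diff search that bbayles, coldpie and frakt0x90 describe above, written out as an added example (this is not code from the post, from the game or from Cheat Engine). Two dumps taken while the name field still reads "AAA" keep only the addresses whose bytes did not move; a dump taken after changing the name to "BBB" keeps only the addresses that did move; the survivors must then actually spell the new value. The region base, its size, the offsets of the name field, of a stale decoy copy of "AAA" and of a frame counter, and the filler bytes around them are all constructed for the demo.

```python
"""Added example, not code from the post or from Cheat Engine: the snapshot
diff that bbayles, coldpie and frakt0x90 describe, run by hand over raw RAM
dumps. Snapshots taken while the name field still reads "AAA" keep only the
addresses whose bytes did not move; a snapshot taken after changing it to
"BBB" keeps only the addresses that did move, and the survivors must now
actually spell the new value.

Everything below the imports is constructed for the demo: the region base,
its size, where the name, a decoy copy of "AAA" and a frame counter live,
and the filler bytes around them. Nothing here is taken from the game.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    base: int     # address of data[0]
    data: bytes   # raw image of one contiguous region


def window(snap: Snapshot, addr: int, width: int) -> bytes:
    off = addr - snap.base
    return snap.data[off:off + width]


def all_addresses(snap: Snapshot, width: int) -> set[int]:
    return set(range(snap.base, snap.base + len(snap.data) - width + 1))


def keep_unchanged(cands: set[int], a: Snapshot, b: Snapshot, width: int) -> set[int]:
    """The filter Cheat Engine calls 'unchanged value'."""
    return {x for x in cands if window(a, x, width) == window(b, x, width)}


def keep_changed(cands: set[int], a: Snapshot, b: Snapshot, width: int) -> set[int]:
    """The filter Cheat Engine calls 'changed value'."""
    return {x for x in cands if window(a, x, width) != window(b, x, width)}


def keep_equal(cands: set[int], snap: Snapshot, value: bytes) -> set[int]:
    """Exact-value filter (frakt0x90's 'search memory for the ASCII code')."""
    return {x for x in cands if window(snap, x, len(value)) == value}


def locate(same: list[Snapshot], changed: Snapshot, new_value: bytes) -> set[int]:
    """Addresses that were stable across `same` and then became `new_value`."""
    width = len(new_value)
    cands = all_addresses(same[0], width)
    for snap in same[1:]:
        cands = keep_unchanged(cands, same[0], snap, width)
    cands = keep_changed(cands, same[-1], changed, width)
    return keep_equal(cands, changed, new_value)


# --- constructed test data ------------------------------------------------
BASE = 0x8C000000            # constructed; only the layout below matters
NAME_OFF, DECOY_OFF, FRAME_OFF = 0xB34, 0x200, 0x100


def fake_ram(plants: dict[int, bytes], size: int = 0x1000) -> bytes:
    """Fixed-seed filler so every snapshot differs only in `plants`."""
    buf = bytearray(random.Random(1234).randbytes(size))
    for off, val in plants.items():
        buf[off:off + len(val)] = val
    return bytes(buf)


def take_snapshot(name: bytes, frame: int) -> Snapshot:
    """Simulate a dump: NUL-padded name field, a stale copy, a live counter."""
    return Snapshot(BASE, fake_ram({
        NAME_OFF - 1: b"\x00" + name + b"\x00",
        DECOY_OFF: b"AAA",                        # never changes
        FRAME_OFF: frame.to_bytes(4, "little"),   # changes every snapshot
    }))


def demo() -> set[int]:
    """Two 'AAA' snapshots, then one 'BBB' snapshot; returns the survivors."""
    same = [take_snapshot(b"AAA", 100), take_snapshot(b"AAA", 101)]
    changed = take_snapshot(b"BBB", 102)
    return locate(same, changed, b"BBB")


if __name__ == "__main__":
    for addr in sorted(demo()):
        print(f"name buffer at {addr:08x}")
```

The unchanged filter is what removes the frame counter (it moves between two "AAA" dumps), the changed filter removes the decoy copy of "AAA" (it never moves), and the exact-value filter removes the windows that merely overlap the changed bytes. Widening the search to a second buffer that only moves after the fourth keypress, as the post describes, is the same loop with a different pair of snapshots.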
| qingcharles wrote:
| When the original Ecco came out on the Megadrive (Genesis), I
| spent all my hard-earned money to buy it. That game is obscenely
| hard. I got frustrated, so I sat down for the afternoon with a
| pen and paper and somehow managed to decode the password system.
| I teleported to the final level and completed it the next day.
|
| Then I was wracked with guilt about spending all my money on a
| game I completed in two days.
| coldpie wrote:
| > I sat down for the afternoon with a pen and paper and somehow
| managed to decode the password system
|
| Would love to hear more about this, if you have any
| recollection :)
| VyseofArcadia wrote:
| What a final level, though! Having skipped a large chunk of the
| game, were you surprised by it?
| 7bit wrote:
| You must be the only person in the world who beat this game,
| cheating or otherwise.
| egypturnash wrote:
| https://youtu.be/OGVUuVjXMTA ecco the dolphin any% speedrun
| world record [17:54]
|
| which is actually _faster_ than the 20:44 TAS!
| (https://tasvideos.org/228G)
| dfxm12 wrote:
| Philosophically, I would argue that you did not complete the
| game.
|
| You skipped several levels and saw only some percentage of the
| intended content, gameplay, story, etc. Games in general, and
| Ecco the Dolphin is no exception, are very much about the
| journey and not just the destination. You missed out on themes
| & experiences like isolation, making friends with those outside
| of your in-group, conservation, time travel, communing with
| dinosaurs and, of course, space travel.
|
| So, you really shouldn't have felt so guilty.
| 29athrowaway wrote:
| Is not this against the Ghidra EULA?
| immibis wrote:
| In the real world, no one cares, unless they're on the
| receiving end of a lawsuit.
| yjftsjthsd-h wrote:
| What EULA? It looks like
| https://github.com/NationalSecurityAgency/ghidra says it's
| Apache 2.0
| mytaterskin wrote:
| I've taken to older games a lot more in recent years, they feel
| like they have a lot more soul if that makes any sense. Also
| sorry about your car! Not going to leave it idling in the
| driveway anymore, thanks for the warning.
| bbkane wrote:
| Are you sure you don't miss modern features like mandatory
| network connectivity and micro transactions?
| fanoto wrote:
| Nice! Interesting how similar games seem to do this, checksumming
| to fixed integers. Pitfall: The Lost Expedition did something
| very similar by converting button presses into ASCII-represented
| strings of the input buttons that were then CRC-ed. The approach
| was similar to just brute-force in Python and compare to the
| extracted cheat hashes.
|
| I even spy your CRC32 table hidden in the `decrypted_ints`. The
| pre-generated tables are so easily searchable. It leaves me
| curious why they are so often found obfuscated in an attempt to make
| it more difficult compared to generating a new one with your own
| polynomial.
| jimmaswell wrote:
| The 3DS version was very cool. I plan on completing it there
| eventually. I wonder if those devs had source access.
| SideQuark wrote:
| The hash is merely a CRC32; exactly this one (polynomial
| 0x77073096, code is wrong)
|
| https://web.mit.edu/freebsd/head/sys/libkern/crc32.c
|
| (The decoded ints in the post are the constants in this CRC32).
|
| Knowing it's a CRC32 and knowing the polynomial allows inverting
| the answers in log time instead of exponential time by exploiting
| the modular math of the polynomial rings.
| byteknight wrote:
| I know some of these words!
| Thaxll wrote:
| It means that using bruteforce to find all the values would
| be much faster.
| bbayles wrote:
| Thanks! I didn't clock that - should have looked at the
| decrypted values!
| mirthflat83 wrote:
| Do you have any tips on knowing how the value is a result of
| CRC32 and/or the polynomial/initial value used?
| 15155 wrote:
| Looking in the binary for the polynomial and knowing what the
| common ones are from experience is an easy way.
|
| Normally, the polynomial is going to be found right next to a
| loop that is ingesting bytes incrementally.
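Three of the comments above make a connected point: fanoto recognises the CRC32 lookup table in the post's `decrypted_ints`, 15155 says the polynomial or table next to a byte-ingesting loop is how you spot it, and SideQuark notes that once the hash is known to be a CRC32 it can be inverted rather than brute-forced. The block below is an added example covering all three (not code from the post, the game or any commenter): it regenerates the table so it can be matched against a list of dumped constants, and then uses the four-byte-suffix construction, one standard way to exploit CRC32's invertibility, to build a string that hashes to a chosen value. It assumes, since the post does not say, that the check is the common reflected CRC32 (polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF, the variant zlib and binascii implement); the dumped constants in the demo are constructed.

```python
"""Added example, not code from the post, the game or any of the commenters:
first the table-spotting fanoto and 15155 describe, then the invertibility
SideQuark points out, used to construct a password that hashes to a chosen
value instead of brute-forcing the whole space. The four-byte-suffix
construction is one standard way to do that inversion.

Assumed, since the post does not say: the check is the common reflected
CRC32 (polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF, the one zlib and
binascii implement). `dumped_ints` in the demo is constructed.
"""
from __future__ import annotations

import binascii
import itertools

POLY = 0xEDB88320   # reflected form of 0x04C11DB7
MASK = 0xFFFFFFFF


def make_table(poly: int = POLY) -> list[int]:
    """The 256-entry byte-at-a-time table every CRC32 implementation carries."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()
# TABLE[1] == 0x77073096 and TABLE[2] == 0xEE0E612C; seeing those two next to
# each other in a dump (or in a list of decrypted words) is the usual giveaway.
TOP_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}   # top byte -> index
assert len(TOP_INDEX) == 256   # the top byte identifies the entry uniquely


def find_crc32_table(ints: list[int]) -> int | None:
    """Index where a complete reflected CRC32 table starts in a list of 32-bit
    constants, or None. Matching all 256 words rules out a chance hit on one."""
    for start in range(len(ints) - 255):
        if ints[start + 1] == TABLE[1] and ints[start:start + 256] == TABLE:
            return start
    return None


def crc32_register(data: bytes, reg: int = MASK) -> int:
    """Shift-register state after feeding `data`, before the final XOR."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data: bytes) -> int:
    """Full CRC32; equals binascii.crc32(data) for these parameters."""
    return crc32_register(data) ^ MASK


def brute_force(target: int, length: int, alphabet: bytes) -> list[bytes]:
    """The naive route: every string of `length` over `alphabet`. 26**5 for a
    five-letter code is 11.8 million CRCs; fine in C, slow in pure Python."""
    return [bytes(t) for t in itertools.product(alphabet, repeat=length)
            if crc32(bytes(t)) == target]


def forge_suffix(prefix: bytes, target: int) -> bytes:
    """Four bytes s with crc32(prefix + s) == target, with no search at all.

    One step is reg' = TABLE[idx] ^ (reg >> 8) with idx = (reg ^ byte) & 0xFF,
    so the top byte of reg' is the top byte of TABLE[idx]. Walking back from
    the wanted register fixes the four table indices; walking forward from the
    real register turns each index into the byte that selects it.
    """
    want = target ^ MASK          # register state we need after the suffix
    idx = [0] * 4
    r = want
    for i in range(3, -1, -1):
        idx[i] = TOP_INDEX[r >> 24]
        r = ((r ^ TABLE[idx[i]]) << 8) & MASK
    reg = crc32_register(prefix)
    out = bytearray()
    for i in range(4):
        out.append((reg ^ idx[i]) & 0xFF)
        reg = TABLE[idx[i]] ^ (reg >> 8)
    return bytes(out)


if __name__ == "__main__":
    dumped_ints = [0x12345678, 0x9ABCDEF0] + TABLE + [0]   # constructed dump
    print("CRC32 table starts at word", find_crc32_table(dumped_ints))
    target = crc32(b"QQRIQ")
    print(f"crc32(QQRIQ) = {target:08x}, binascii agrees:",
          target == binascii.crc32(b"QQRIQ"))
    s = forge_suffix(b"ECCO", target)
    print(f"ECCO + {s.hex()} -> {crc32(b'ECCO' + s):08x}")
```

The forged suffix is arbitrary bytes, so it answers "which inputs hit this hash" in general; restricting the result to the letters a name-entry screen accepts is a separate constraint that the brute-force route handles by construction and the algebraic route handles by trying prefixes until the suffix happens to be typeable. Matching the whole table rather than one constant matters in practice, because 0x77073096 on its own can appear as data.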
| butz wrote:
| You should look into the PS2 version of this game, it seems to have
| the same code for level unlock. Maybe it will be easier to reverse
| engineer and figure out what all codes do?
| Liquix wrote:
| an interesting aside: when asked about his inspirations Ecco's
| developer Ed Annunziata said, "No, I never took LSD, but I did
| read a lot from John C. Lilly". Lilly is known for his pioneering
| work in the fields of animal intelligence, ketamine
| psychotherapy, isolation tanks, and consciousness exploration.
|
| The name "Ecco" is a reference to Lilly's ECCO (Earth Coincidence
| Control Office), a supernatural/extraterrestrial base which John
| posited existed on the other side of the moon to coordinate all
| earthly "coincidences". He was also one of the first to recognize
| how intelligent dolphins were and became obsessed with figuring
| out how to communicate with them, going as far as flooding half
| of his house in the Caribbean to cohabitate. This is just the
| tip of the iceberg. I'd highly recommend his autobiography _The
| Center of the Cyclone_ if any of this is intriguing, he's a
| fascinating guy.
| n0id34 wrote:
| I wish more people knew how to change to Ghidra's dark theme and
| change the font.
___________________________________________________________________
(page generated 2024-11-07 23:00 UTC)