All right, cool. So this is retro game reverse engineering, and that shows some sort of software stuff in Pokémon, and some part where stuff kind of with fences before, and also Coulthard stuff. My name is a flower and this is a stump. Follow us on Twitter while I'm in the way, that's okay. And let's go. All right, cool, so this is my credibility: I spoke at BloomCON for the last three years and they've had me back a few times, which was cool. My first talk there was lessons learned from putting away University, of how I found a shell injection in Penn State's website and then told them about it in a responsible
way. I said I've taught what it is near 2018, what it was titled, all the third thing you need to go hacker in 2017 because of deke stuff and stuff. I don't think that one is recorded; the first one was, and the third talk is this one, but not as good. We get to do it again here, which is awesome, and it'll be recorded; that's wonderful, and we have cooler stuff this time. So I'm gonna talk about the Atari. Also, hello, I'm non-binary, my pronouns are they/them, thank you. So first I just want to pass this around: look at that joystick, get an opinion about whether you think it's good or not,
but anyway, this story, this whole thing starts with Craigslist. I love Craigslist because you can get cheap stuff, like really low prices, because a lot of people don't know what they have or what it's worth, and there's a lot of different stuff. Craigslist is great, check it out, buy stuff on it, and sort of meet during daylight in populated parking lots, like at a gas station or something, and you probably won't get stabbed. Works for me.
All right, so I got my Atari from someone on Craigslist, and really I thought the joystick sucks. It feels terrible, like moving it up and down; I don't know if anyone in the audience agrees after they sort of try to move it around a bit. It sucks. And there's sort of a hacker mantra: I want something better, I will make something better. So can I have everyone say that with me? I want something better, I will make something better. Awesome. At BloomCON only one person said that, so it's great. All right, so also you're legally required to have a Sun Tzu quote in your slides if you're giving a
presentation at a cybersecurity conference, but it's not enforced, so it doesn't matter. But I want to know sort of what's going on with the Atari joysticks; I want to make something better. So over here is a screenshot from Wikipedia that I sort of cropped because the whole image was too big, and it shows the pinout of the Atari. We have our pins and they do stuff, and basically what I did is I just kind of connected some wires to the pins and touched them to each other to sort of figure out what was going on, which in hindsight was probably a bad idea, but I'm not an electrical engineer so I wasn't too afraid of the electricity, and
I thought, again, it's low voltage, I won't die. And I didn't die. I figured out that basically if I connect any of the pins, like one, two, three, four, or five for the buttons, at least the digital buttons on the Atari, if I connect that to ground, the Atari thinks that I'm pressing the button. On the next slide we have a very good diagram that I drew like six months ago, and essentially this is the joystick and sort of a bad circuit diagram. I don't know which way it is, ground or purposes; it really doesn't matter. Basically imagine that this is the fire button: you press it, it just sort of completes the circuit, and the
Atari thinks you're pressing fire. And the joystick is not actually like an analog joystick like you'd find on a modern controller for a new console; it's basically just four buttons, but it's mechanically set up. That sort of design kind of gets pretty crappy pretty quickly; it wears out, it just doesn't have a really good tactile feel to it. That's what I wanted to sort of fix and make better. I have a Raspberry Pi; I thought, yes, this is what I'm going to use. It has its GPIO pins, which is just general purpose input/output pins, so it's like five volts and I can send digital signals or receive digital signals, or analog as
well, but I only care about the digital pins on the Atari right now, so that's what I was using. It's also just really easy to develop on: you just sort of download the image, you put it onto the SD card, you create one file so that you can actually SSH into it, and it has Python so I don't have to install it or do anything. Python is easy to just sort of quickly, rapidly develop and prototype stuff with, and that's why you sort of play around, and I went with this one Python GPIO library that I'd previously used on a Raspberry Pi to control a remote controlled car when
I was trying to make an iPhone app that would control a remote controlled car. I called it the rover, and it won second place in a hackathon a few years ago. So I just sort of connected some Raspberry Pi pins to the Atari pins and turned them on and off. I think I was playing this game Star Wars Episode V. I chose this game because I thought the game sucked, but it uses the up, down, left, right and fire, so I was okay with sort of seeing this game a lot and hearing the game a lot when I was in sort of a bad situation, like, it works, I hope it works. I thought, you know
what, I already don't like this game, I'm okay with hating this game. Because if I used a really good game like Missile Command that also fit my requirements, I thought, you know what, maybe I'll hate Missile Command, and I already really loved it and didn't want to hate it. So I turned the pins on and off, and wow, I was like wow, because at one point the spaceship moved. That's sort of when I figured out what I did, and I was like, all right, yes, it's good. So what I had to do next was sort of get USB inputs and then convert that to Atari inputs. But I am a good programmer, or maybe a bad programmer, I'm a
programmer, and I thought, that's scary, I want to do something easy instead. And so I just sort of threw in an abstraction that I hoped would be useful in the future and save myself time. I made a sort of joystick class where it just sort of said, all right, these are the pins, these are the numbers that go to the buttons; it had like a press up function, a press down function, which is really good, and I was like, ah yes, this will be useful to me, I hope. And it was. All right, so getting USB inputs: eventually I found a Python library called evdev, but the problem with it is that it doesn't just listen to
everything; you sort of have to tell it, hey, call this function and listen to these devices. And thankfully I was able to just sort of get a list of the devices I was interested in by name. I just did ls /dev/input, which is basically every single thing that my computer is taking input from, and I just ran that through grep and tried to find anything with "event", then outputted that to a file called evs because that was like three letters and easy to type, and I was like, yeah, this is fine at the time. I have Python open that up and then it can sort of see what's going on. It said, all right, these are the ones I care about.
I took some nice sample example code of how people use the library and I mangled that, and it was basically just printing out every button I pressed. I was like, yes, this is perfect, because I'm thinking, oh no, I need to get USB input, that's really scary; but just having a sort of feed of strings that I can parse, that's a lot easier.
The goal is to associate an input string with a function call, and in Python everything is an object. So basically what I did is I had a dictionary where the keys were the input strings that I wanted, so I'd say, all right, I'm gonna bind a key, I'm gonna bind a key, I'm gonna bind the key to a different input. So the way the code works is, actually, on my controller I just press the buttons I want them to be in a certain order, and then it'll say, all right, cool, this input string is going to be the key in the dictionary, and the contents of the dictionary will give me the function,
and I just sort of call functions, and it's really cool. My code's on GitHub, and I think it's mentioned in a later slide but not this one. Basically first it goes through binding mode: every single new input from the controllers is sort of bound to a joystick function. I ignore analog input because that turns out to be a huge pain in the butt to deal with; I tried reading code to sort of simplify it, but it just didn't work, and I was like, all right, I'm just going to ignore analog input. But basically after 10 unique inputs, because we have player 1 and player 2 in the
Atari, it's going to have everything bound and it's going to go into play mode, where we actually get to play the games. And I made a good note to myself: left, right, down, fire, up, that's the order I have to press buttons in to make it work how I want. I don't know why, it just is that way, and I don't want to change it because it works. I think it's time for a live demo of this.
All right, good. All right, it's hard capturing it. Oh hey, that was a sound.
It's plugged in. Oh my god, the charger was plugged in before; I put it in like minutes ago.
All right, so now I need to have my phone turn on a Wi-Fi hotspot for the Raspberry Pi to connect to, and I'm going to SSH into it and I have to do stuff, and hopefully it does what I want.
My demo is to play Frogger, hopefully, and then this thing is plugged in as well. It finds player two first, and I want to be... yeah.
All right, cool, it shouldn't be running. So I'm going to press down, left, right, fire, up on this controller, fire it up, and hopefully... all right, yeah, cool. Oh, all right, so it was working before. All right, actually I think I can set it to the two-player mode. All right, I'm just gonna turn it off and back on,
because, for my part, the last time I was going to come out of that talk about... welcome, you know this before. Were we gonna have an echo?
All right, let's try binding this one first: down, right, fire, left, right, fire, up. Turn on Frogger. It reset.
This one again. Already? Yeah. So I'm playing Frogger with Pettis.
All right, so now it should be in two-player mode. I died out of this, I can play on this. All right, so here we go. Just let the demo expand; I'm using something that hasn't been folded up for a long time and it kind of sucks. Anyone who wants to come up and try to make their way across the river, feel free. All right, one person wants the truck. Come on. All right, so you see it up there, you can see it back here.
Maybe it can move off the plate. All right, now it should work. All right, that's also sort of moving side to side, those cars. All right, so when you get to go, then we're gonna finish this part of the talk and he's going to talk about Pokémon. Yes, Frogger's hard.
It works, yay. All right, questions: we'll do that at the end, remember your questions. Contact me: that's my Twitter handle, that's an email, that's a Google Voice phone number, and if you go back and find that tweet it'll probably have pretty close to these slides. Nice. Yeah. Oh, I thought it was like: dig deep into how things work, go over to the whole and such, and unintended behavior things can be made to do.
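The bind-then-play mapper the first speaker describes (a dictionary from input strings to joystick functions, binding mode until 10 unique inputs, then play mode) as an added example; this is not the speaker's GitHub code. evdev and RPi.GPIO are replaced by in-memory stand-ins so it runs anywhere, and the event names, pin numbers and binding order are assumptions.

```python
# Added example, not the speaker's code: bind-then-play input mapper with
# evdev and RPi.GPIO replaced by in-memory stand-ins so it runs anywhere.
# Event names, pin numbers and the binding order below are constructed.

BIND_ORDER = ["left", "right", "down", "fire", "up"]  # assumption: order quoted in the talk
PLAYERS = 2                                            # two Atari ports, so 10 bindings


class FakeGPIO:
    """Stand-in for the RPi.GPIO output() call; remembers each pin's level."""
    LOW, HIGH = 0, 1

    def __init__(self):
        self.levels = {}

    def output(self, pin, level):
        self.levels[pin] = level


class Joystick:
    """One Atari port. Pulling a direction/fire pin to ground reads as a press."""

    def __init__(self, gpio, pins):
        self.gpio = gpio
        self.pins = dict(pins)                 # action name -> GPIO pin number
        for pin in self.pins.values():
            gpio.output(pin, FakeGPIO.HIGH)    # idle: nothing pressed

    def press(self, action):
        self.gpio.output(self.pins[action], FakeGPIO.LOW)

    def release(self, action):
        self.gpio.output(self.pins[action], FakeGPIO.HIGH)


class InputMapper:
    """Binding mode: each new digital input is bound, in BIND_ORDER, to the next
    joystick action. After PLAYERS * len(BIND_ORDER) unique inputs, play mode
    forwards presses and releases to the bound joystick."""

    def __init__(self, joysticks):
        self.joysticks = list(joysticks)
        self.bindings = {}                     # evdev-style code -> (player, action)
        self.mode = "bind"

    @staticmethod
    def is_analog(code):
        # evdev reports sticks and triggers as ABS_* events; the talk ignores those.
        return code.startswith("ABS_")

    def handle(self, code, value):
        """code: evdev key name such as 'BTN_SOUTH'; value: 1 press, 0 release."""
        if self.is_analog(code):
            return None
        if self.mode == "bind":
            if value != 1 or code in self.bindings:
                return None                    # only the first press of an unseen key binds
            player, slot = divmod(len(self.bindings), len(BIND_ORDER))
            action = BIND_ORDER[slot]
            self.bindings[code] = (player, action)
            if len(self.bindings) == PLAYERS * len(BIND_ORDER):
                self.mode = "play"
            return ("bound", player, action)
        binding = self.bindings.get(code)
        if binding is None:
            return None                        # unbound key, e.g. an extra button
        player, action = binding
        joystick = self.joysticks[player]
        (joystick.press if value == 1 else joystick.release)(action)
        return ("play", player, action, value)


def demo():
    """Bind two 5-button pads, then press player 1's 'fire'; returns mapper and GPIO."""
    gpio = FakeGPIO()
    p1 = Joystick(gpio, {"up": 17, "down": 18, "left": 27, "right": 22, "fire": 23})
    p2 = Joystick(gpio, {"up": 5, "down": 6, "left": 13, "right": 19, "fire": 26})
    mapper = InputMapper([p1, p2])
    keys = ["BTN_WEST", "BTN_EAST", "BTN_SOUTH", "BTN_TR", "BTN_NORTH",
            "KEY_A", "KEY_D", "KEY_S", "KEY_SPACE", "KEY_W"]
    for k in keys:
        mapper.handle("ABS_X", 128)            # stick noise during binding is ignored
        mapper.handle(k, 1)
        mapper.handle(k, 0)
    mapper.handle("BTN_TR", 1)                 # 4th key bound = player 0 'fire'
    return mapper, gpio


if __name__ == "__main__":
    m, g = demo()
    print(m.mode, m.bindings["BTN_TR"], g.levels[23])
```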
So quite a while ago I did a device driver, and less long ago I put together this device here, which,
here's an Arduino, and it's connected to a cut-off N64 controller cable, and this is set up to bang the controller protocol so that I can make interesting things happen with the expansion slot of it, namely reading and writing save files from carts plugged into a Transfer Pak, which we will be
So I'm mainly gonna be talking about some things in the first-gen Pokémon games. There are a lot of edge cases that aren't properly handled in them, and we can explain some of them. My main involvement in this, like with making interesting things happen here, is to speedrun the games and help improve the routes of them, so that's the main angle.
Anyway, there was something large in the way the popularity of the games went, and people were stumbling upon things and hearing stories about them, and this often resulted in untrue legends, but also
but also in things that look like they don't look that useful but have something a little bit deeper going on,
like on the east passage out of Pewter City: if you have an unbeaten Brock, there's an NPC that will forcibly talk to you and walk you over there, and if you skip them, which you can do by saving and reloading at a particular spot, and you talk to them from the right, the game tries to load the movement data for you to follow according to the coordinate that you talked to them from, but there isn't one set for that, so the game appears to be completely soft-locked and not doing anything. But there's still that loop going on, that marching, that isn't looking for any form of terminator
in the table, because that's not supposed to happen, so it continues marching through the entire address space looking for a matching entry in that table. So that also includes RAM, where we have our own data.
I can bypass this with the reload I mentioned.
Nice thing about 16-bit addresses: you can just go right through them.
Here's the table of your coordinates and the address of the movement data for them: 0x11, 0x23 use one set; 0x12, 0x25 use another. But there were only a few tiles where that's supposed to happen, so there's no counting, no check, no bounds checking, no termination of any kind.
It marches right past the end of that table, in the 73s now, where it doesn't look like a table like that anymore, and if we hadn't set things up, set our party up in a particular way, then if I continued the emulation you would just hear the music and absolutely nothing would appear to be happening, and you would have to reset the system.
Our coordinates are in register BC, 0x1024, and in our party data, which I had here:
there's our coordinates, and so soon we'll find them.
Oops, there are additional jumps for when it did not match. So if we continue, we'll see that it got to that and it matched. Then we start copying the data to a place where there is not enough room for what it points to; here's the buffer around here, and if I then continue, you'll see a whole bunch of random data land in the memory that's showing. Normally in cutscenes you can't control the character, but one of the variables that gets corrupted gives you control, and also a different part of what's going on lets you walk without regard to the collision,
turning what was thought to be a soft lock into something more.
But that's an example of things that the code assumes can't happen, where you can get something useful to happen if you do make it happen.
And all those lines of code at play, from the disassembly, that's for this; that's one example. We'll go on to the best part. So here's the code that's running on the Arduino; because of the way the line protocol works, they actually did some cycle counting and lined up with inline assembly here to get the right timings, but that's the rate things.
And I've got a Python driver to send it things to write over the USB interface, to make it write something to the cartridge.
We'll take a five.
Yeah, so the education will occur here, and it does the right operations in the N64 controller protocol to enable this Transfer Pak that's plugged into it and write out a new save file to it. So I just put on this cartridge the save file from the first playthrough of Twitch Plays Pokémon. I have a Game Boy Player in this GameCube here so that you can see that the save, like, this really is what's on there, but
the official software for using that thing has some shortcomings, so some better software has been made, called Game Boy Interface, but that's not something that you can directly load through official channels. So for systems like the GameCube, which are past the older cartridge era where you would run custom code by bodging the cartridge (I think I heard about a flashcard or something, but not new enough to have ways to interface with things that general-purpose computers can also interface with), if you don't want to modify the console you're left with doing it by exploiting an official game
for it. So the community has developed a whole bunch of different packaged save files to put onto your memory cards that use different exploits in different games that you're likely to have at least one of, and load and boot some payload that's packaged in a different file. So okay,
we're going to use the game Super Smash, mainly because of name entry. The way it loads from the memory card is it loads the name, and then at the end is the little termination thing saying this is the end of the name. That's useful because names are supposed to be up to four characters, but if you have a name that's like a thousand characters long, it'll just keep loading new characters for the name and putting them into memory even if that memory should be something else; it'll just write over stuff, and we can use that to sort of get arbitrary code execution.
And this lets us boot into the Game Boy Player. Yeah, so we booted that from the memory card that's plugged in here, and we got it on there by using some Wii homebrew. The Wii is a useful bridge to this because it supports both GameCube memory cards and SD cards, so you can put what you want onto the SD card through whatever transfer stuff and move it between your SD cards and GameCube memory cards. And we play Pokémon, yeah, and if we load the save out here you can see that we have the final state from Twitch Plays Pokémon. So I've got another, a different file, to also load onto this, and that's a
consequence of, for a lot of Game Boy games, the save file being just directly mapped into the address space and generally directly copied to and from some part of it, and this includes pointers. So I have a copy here of the payload that was used at the end of the AGDQ exhibition at Awesome Games Done Quick 2016. Yeah, yes it is, yep. So that has been modified to have some of those pointers moved into the save file, and ocean, who made it, has a really nice write-up that is linked here, but
yeah, so this is sort of also playing into the old myths of different Pokémon glitches. People had a rumor that if you used Strength on the truck and pushed it out of the way there'd be a Mew there, and that is not the case; that doesn't actually happen. But this is a fake save file where we do that. It was actually set up to demonstrate this other glitch, because Jen wanted to show that when this was done at night at AGDQ, but
this customizes one; all that's changed is the pointers, and the new code is one that is called from the old code every frame, and so that was used to make it possible for there to actually be a Mew under the truck. Let's kill it. That's that.
Yeah, that one actually happened because of modifying the party to look like what someone might have had back then. I didn't change the experience in addition to the level, so that happened, but it went over well: the last one there was level 40 instead, but it had enough XP to be level 100 already; it just got a little bit more.
Yeah, we touched a bit on how, due to rumors like this, a lot of more complicated setups were disbelieved, like "talk to a guy, walk over here, wait 30 minutes and walk back and you get the impossible, doesn't-exist Pokémon". This was the Mew glitch, the so-called Mew glitch, that wasn't believed by a lot of people for the first few months after it was first posted, and if we took one of our routes and somehow sent it back to the 2000s, who would believe it? Like, oh no, you can't have your items like that. And there are other cases in the games where something is not right about
what the game does, but in a subtle way that causes them to not be noticed, like a mismatch between the subroutine that checks whether you encounter something wild as opposed to the different one being used to check whether it's a land or water one, which is what causes the bronco surfing glitch. That happens where you sort of talk to the old man and he gives you a catching tutorial; it displays a cutscene where it displays OLD MAN as your name, so it has to store your name somewhere, and they just sort of said, hey, let's store it in the table of wild Pokémon that you can encounter. So then typically the table
is for land encounters, and then off of our coast there are a few tiles where you can encounter Pokémon, but they're land tiles, I think. Yeah, so then it just checks the old man table if you haven't walked in any grass recently. That's why people might have said, oh yeah, I encountered a Rhyhorn in the ocean, it was weird; that's actually possible if you do it. Also, the text that shows up when you use the Coin Case in Gold and Silver is not properly terminated in the English version, and that causes the instruction pointer to go instead into memory that is used for sound effect processing, among other things. It so happens that in most cases it will very
soon encounter return instructions, so nothing appears to have happened in those cases, but if you had certain sequences of sound effects played recently, there's a convenient increment-stack-pointer instruction in there, which causes all sorts of fun things to happen. I remember hearing a rumor about if you talked to a certain Pokémon and heard its cry and did that, it would crash the game.
and for the rest of the school yeah
So one of the things that Yellow has that Red and Blue don't is the Pikachu following you around the overworld, and there are some places
where she just needs to go somewhere and not move for a little bit. If you get a wash screen, then your steps are buffered,
and this isn't cleared out, because she wasn't being made to move, and this can go out over the memory after it.
If we scroll down to our... here we go, and if we step into this building, we can use the fast left area and go over to talk to it, and if we move around a bunch you can see that ones and twos, representing the directions of our steps, get written out there, and actually will go over other variables
and crash the game, or make a worse soft lock, but we can instead target what we're corrupting with it
and cause there to be a sign that you can read in that room that doesn't exist.
To do that,
yes, there's the number of signs on the current map; there are seven different ones in Vermilion City, and if we walk inside, there are no signs inside here.
Carefully counting her steps,
and Pikachu on screen again, so we wrote a four to the number of signs. We had to do it at that place because to get that four we had to step right, which brings Pikachu back on screen, so we had to go from the end and work back to that. But then it created an invisible sign after the tile that I am now facing, and because the text pointer never got cleared, because there normally wouldn't be any need to do it,
you now have the text event index that would be invoked if I talk to this tile go past the end of the text table, that's where this ends, and do text instructions from RAM, which we have set up to contain
the command to execute code after it. So if we do that, we will... I put a breakpoint in there. This had to be put into the experience field of our fifth Pokémon, being up here; there was a lot of finding a route through the part of the game that would give you the exact amount of experience you would need to get there to be that command to execute code, followed by a jump instruction whose destination is also in RAM, which ended up being the focus flags, so we had to make sure there are things there that would not be
instructions there that would crash the game. You end up going into the item list, so I had to construct code in that item list that would give you a stack of 255 of an item and then return to the game so you could actually continue playing. I had to do this within the in-game budget that you would have by that point, and then you can use...
If you move that stack of items up you can then start throwing away items.
Right here is the length of that list, but it's not just counted; it also has a terminator of FF, so only the bottom... only the first bit of it is actually getting moved off, and if we get that counter down to one, that's the highlighted one there, and
we can then do a little sequence here that tricks the game into decrementing it when it's already 0 by merging stacks of the same item. You can use that to scroll out into the memory that's past it, and you can swap pairs of bytes around, so essentially even though Pokémon Red inventories are only supposed to be so long, we made the game think that it was much longer than that, which lets us sort of go down and do stuff. And there's this which I have done to our inventory to sort of keep it organized. If we want, this lets us also switch around bytes, because actually there's a byte of what the item is and then a byte of how many.
Stuff is in the byte. Yeah, you can also decrease every other byte by tossing items, as long as the game doesn't consider that to be a key item, whatever that is. So
so if we toss that,
then we've rewritten the warp at the bottom of this to go directly to
here. I didn't do that quite right, but that was going to go directly to the Hall of Fame in the game. Getting a setup for doing that as fast as possible was the reason why I did this. This route has been significantly improved many times since then, but for a while something derived from it, for a few months of early 2015, something like this was the route for the Pokémon Yellow any% no save corruption category, and that was a thing. But that's the community: pret, who made the team that made the content of the same.
Thanks also to TASBot; that team accomplishes all sorts of fun things by feeding reconstructed input to different games and systems, and the head of that team gave a great talk at DEF CON 24 about that, and I recommend watching that, and there are various talks at different speedrunning events that they've been to. Yes, I have... that's it. Any questions?
All right.
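The Pewter City movement-table defect the second speaker walks through (a coordinate lookup with no entry count and no terminator, so a miss keeps marching through the whole 16-bit address space until unrelated bytes, possibly in RAM the player controls, happen to match) as an added example modelled here; this is not the game's code or the speaker's tooling. The table layout, addresses and planted bytes are all constructed assumptions, and the bounded lookup beside it is the check a developer would add.

```python
# Added example, not the speaker's code or the game's: a model of the Pewter
# City NPC lookup. A coordinate table is scanned for a match with no entry
# count and no terminator, so a miss keeps walking the 16-bit address space
# (wrapping at 0xFFFF) until some bytes, possibly in player-controlled RAM,
# happen to match. All addresses, entry layout and bytes are constructed.

ADDR_SPACE = 0x10000
ENTRY_SIZE = 4                      # assumption: x, y, then a little-endian pointer
TABLE_ADDR = 0x4000                 # constructed ROM location of the table
RAM_ADDR = 0xC000                   # constructed location of player-writable data


def build_memory(table, ram_bytes=b""):
    """Lay out a fake 16-bit address space: the table at TABLE_ADDR, the
    player-controlled bytes at RAM_ADDR, everything else 0x00 filler."""
    mem = bytearray(ADDR_SPACE)
    off = TABLE_ADDR
    for x, y, ptr in table:
        mem[off:off + ENTRY_SIZE] = bytes((x, y, ptr & 0xFF, ptr >> 8))
        off += ENTRY_SIZE
    mem[RAM_ADDR:RAM_ADDR + len(ram_bytes)] = ram_bytes
    return mem


def lookup_unbounded(mem, x, y):
    """The defect: walk from the table start until (x, y) matches, with no
    bound. Returns (pointer, address of the matching entry). A miss can only
    'succeed' on unrelated bytes; if nothing ever matches, this model gives up
    after one full lap, which the real loop would not do."""
    addr = TABLE_ADDR
    for _ in range(ADDR_SPACE // ENTRY_SIZE):
        if mem[addr] == x and mem[(addr + 1) % ADDR_SPACE] == y:
            lo = mem[(addr + 2) % ADDR_SPACE]
            hi = mem[(addr + 3) % ADDR_SPACE]
            return (hi << 8) | lo, addr
        addr = (addr + ENTRY_SIZE) % ADDR_SPACE
    return None


def lookup_bounded(mem, x, y, n_entries):
    """The fix: the table length is known, so a miss is reported as a miss
    rather than 'found' somewhere else in memory."""
    for i in range(n_entries):
        addr = TABLE_ADDR + i * ENTRY_SIZE
        if mem[addr] == x and mem[addr + 1] == y:
            return (mem[addr + 3] << 8) | mem[addr + 2], addr
    return None


# Constructed table: two legitimate trigger tiles, like the slide's 0x11,0x23 and 0x12,0x25.
TABLE = [(0x11, 0x23, 0x5A10), (0x12, 0x25, 0x5A40)]
# Constructed 'party data' the player can influence: an entry for the tile the
# NPC was never meant to be talked to from, whose pointer lands back in RAM.
PLANTED = bytes((0x10, 0x24, 0x00, 0xC1))


def demo():
    """Returns the legitimate hit and what each lookup does on the missing tile."""
    mem = build_memory(TABLE, PLANTED)
    hit = lookup_unbounded(mem, 0x11, 0x23)
    miss_unbounded = lookup_unbounded(mem, 0x10, 0x24)
    miss_bounded = lookup_bounded(mem, 0x10, 0x24, len(TABLE))
    return hit, miss_unbounded, miss_bounded


if __name__ == "__main__":
    print(demo())
```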