So things like "beat the Elite Four 16,383 times" turn out to be definitely false. Also "mash A to increase the chances of catching" is also unfortunately wrong.
But at least you can just directly look at the WRAM file to see where actual values are stored:
These can easily be converted into the old school GB/GBC GameShark codes by prepending 01, then a two-digit hex value, then a little-endian (reversed) two-byte address.
So if you wanted to hack level 80 with a GameShark code you would look up and find this:
PartyMon1Level: ; dcfe
ds 1 ; just one byte
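The encoding just described, as an added example (not code from the thread or from any disassembly): a fixed 01 prefix, the one-byte value, then the target address with its bytes swapped. The WRAM range C000-DFFF used for the sanity check is an assumption about Game Boy memory layout, and the DCFE address is the PartyMon1Level entry quoted above.

```python
# Added example: encode/decode GB/GBC GameShark codes of the form 01VVLLHH,
# where VV is the byte to write and LLHH is the address in little-endian order.
WRAM_RANGE = range(0xC000, 0xE000)  # assumption: work RAM occupies C000-DFFF


def encode_gameshark(address: int, value: int) -> str:
    """Build the 8-hex-digit code that writes `value` to `address`."""
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    if not 0 <= address <= 0xFFFF:
        raise ValueError("address must be 16-bit")
    lo, hi = address & 0xFF, address >> 8          # swap to little-endian
    return f"01{value:02X}{lo:02X}{hi:02X}"


def decode_gameshark(code: str) -> tuple[int, int]:
    """Inverse of encode_gameshark: return (address, value), rejecting malformed codes."""
    code = code.strip().upper()
    if len(code) != 8 or code[:2] != "01" or any(c not in "0123456789ABCDEF" for c in code):
        raise ValueError("expected an 8-hex-digit code beginning with 01")
    value = int(code[2:4], 16)
    address = (int(code[6:8], 16) << 8) | int(code[4:6], 16)  # undo the byte swap
    return address, value


def in_wram(address: int) -> bool:
    """Quick plausibility check: a RAM-patching code should target work RAM."""
    return address in WRAM_RANGE


# Worked case from the thread: PartyMon1Level lives at DCFE; level 80 is 0x50.
PARTY_MON1_LEVEL = 0xDCFE
LEVEL_80_CODE = encode_gameshark(PARTY_MON1_LEVEL, 80)  # "0150FEDC"
```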
The GameShark was a really educational device. At first I didn't know what I was looking at, but then I realized it was giving me memory dumps and byte/address search tools. And then for some reason all of the subsequent devices after N64/GBC were just terrible, and I couldn't get an address searcher without a modchip?? No clue.
Ah, the wonders of throwing Zelda: Majora's Mask into debug mode and L-Button Moon Jumping everywhere while dressed as Fierce Deity Link outside boss rooms.
I remember playing the game, thinking about this. I was wondering whether I had heard it somewhere or come up with it myself, how unlikely it was to be true, and how I still found myself doing it occasionally. A small existential crisis over confirmation bias and clever design.
I knew from experience that most responses to user input and state ultimately hinged on a single comparison instruction. For most shareware, there could be numerous checks that change the behavior of the code depending on whether it's registered or not, but the state of registration itself usually came down to a single flag stored someplace. Sometimes, developers would really obscure how this state was stored, but often, the weak point is at the point of registration. If you simply invert the comparison that determines if the registration code is correct, you can invert the registration approval/rejection process.
Using a disassembler, I isolated exactly where the comparison point was. Usually, this could be done by searching for code references to the success and failure screen or dialogs, and working backwards. Very often, it was as simple as using an onboard hex editor to replace a "branch if equal" opcode with a "branch if not equal". Then as long as you don't accidentally enter a correct code, you're in!
There are far more sophisticated registration schemes used back then and especially today, which require far more complicated methods to circumvent.
I did all this for two reasons. First was the fun/puzzle of it. Second was the fact that PalmPilot apps were often priced for business people, and relatively simple software would sell for $20-50; way more than my high school allowance allowed me to afford. I never did become a contributor to the whole crackz scene though. In the modern app world, the going price is like $2-5, making things way more affordable.
I remember one weekend I got to use the main TV and plugged in the Dreamcast. Found the codejunkies forum and there were a bunch of people doing things that I had been doing. Some random names, I remember Dr Ian, FoxDie, SubDrag, Krusha... there were a load of people with strange names doing exactly the same things I'd been doing in the back room during the week.
I posted some of the codes I had figured out, nothing major at first: Adding a timer to any Goldeneye level, modifying the character's head/body. I checked back a week later and some of these 'big names' had commented on my codes! I was ecstatic :)
I looked forward to my weekly hour online and I used all my time on Action Replay/Gameshark sites. I even wrote a tutorial on N64 hacking (using a Dreamcast controller, it sucked).
I got to the stage where I could look at the Memory Editor on a page of Goldeneye and know exactly what part of code/data it was. I knew after a while that 3F80 somehow related to a default value, and if I made it larger things in the game would usually grow. I would change a value like this and then run around for ages until I saw something bigger. Didn't always work, but once it did I would look at the memory address for the 3F80 and do a search for that address.
This (I thought at the time) would be the place that knows about the object, so I would read the hexdump and follow anything that looked like an address in the editor, modifying the value at that address and seeing what it would change.
Somehow this ended up working out well (I had never used a computer for anything but Word and Excel at this stage) and I found I could replace objects, change their sizes, colour, physics... I could replace them with objects that were no longer in the game (suitcases in Goldeneye etc).
It was fun!
Once I was comfortable with it I started looking for the big prizes. Things I would see on my weekly journey to the forums that people wanted. Connery Bond was a big one. There were rumours that you could play as the other bonds.
So I figured I would find him. I figured that since you pause the game in Goldeneye and see the arm + watch, Connery would have a white arm. So I took some time tracking the seconds hand on the watch and travelled up the memory addresses until I found a value that was near a 3F80. I switched it, paused the game and had a white suit!! Amazing!
I ended up with quite an intimate knowledge of the Goldeneye hex dumps. I found a weird level that I could load, providing I emptied it of objects and props. So I found a way to stop the game from loading anything other than level data and I could briefly see a strange silver ramp level with blue skies, but I would fall and die immediately. I later discovered that this was the Citadel level and some other clever guys managed to make it playable :)
The thing that ended for me though, was my biggest hack ever...
I read a cheat book (I collected N64 magazine) that said Banjo and Kazooie had many more cheats than released while lying on my bed. I figured that I knew a couple of the codes (you entered them in a floor of a sandcastle, but it was basically a keyboard), so if I entered a code and did a memory dump after each letter I could home in on the counter that was checking them.
So I'd take a mem dump, hit a letter, take another mem dump, search for values greater than last, and repeat.
Then I search for the memory address at that pointer and find something pointing at it. Repeating this I find a whole bunch of crappy values with 00 between them.
Deciding that these were the codes, but encrypted (:-|), I wrote them all down on paper, all 60ish, and took them to the front room. From the codes that were released I could figure out the majority of the letters: A was 65, E was 69 etc, so I went through filling those out. I gave my mum and dad a few pages each and (love them) they sat there and filled out the missing letters.
An hour later I had every code for that game in my lap :)
I waited a few days for internet access and used the entire hour typing them into an email that I sent to Official Nintendo Magazine, GamesMaster and N64 magazine (my favourite).
Next week I checked online and Nintendo Magazine got back to me asking where I found the codes. They later published a full cheat book with them (without credit) and credited me for a really crap cheat in the main magazine. I didn't care - they sent me WWF No Mercy for free (big deal for a poor kid) and my name was in a magazine!
I was walking home a few weeks later and saw N64 Magazine in the newsagents. Cover had Banjo and Kazooie on it - NEW CHEATS REVEALED: GET THE ICE KEY AND MORE...
I couldn't afford it but I ran in and flicked through the pages to look for my name. This was epic!
Except it wasn't. Turned out some other hackers had found the codes at the same time and they had their name in my favourite magazine. I was gutted.
Two weeks later my parents couldn't afford the phone line and my brother sold his Dreamcast.
It was a fun time, and looking back at it now with a computer science degree I can't help but smile.
I only wish I knew what ASCII was before me and my parents used frequency analysis to crack it haha!
Hey wait, I know these names...
> Except it wasn't. Turned out some other hackers had found the codes at the same time and they had their name in my favourite magazine. I was gutted.
I am pretty sure that was SubDrag. You might be interested to know that he is still around, check out irc.efnet.org #n64dev -- you might have to idle for a while, but he's definitely around.
exponent bias is 15
0011 1111 1000 0000
32 bit is 1 sign + 8 exponent + 23 significand
exponent bias is 127
0011 1111 1000 0000 0000 0000 0000 0000
I think these types of stories just go to show how curious some people are at a small age (maybe due to lack of tech?) and what could possibly be achieved if something like CompSci was taught earlier or people had earlier access to computing. However, there are bound to be people who do have everything but don't do anything.
I didn't do much programming on the C64, but things got fun when I somehow acquired a book full of SYS codes. Apparently you could cheat if you loaded the game, did a soft-reset, so the game was still in memory, and entered a SYS code.
Doing a soft-reset required a cartridge though, like the later popular Action Replays for the Amiga. I didn't have access to these fabled cartridges, so I did the next best thing: a bent paper clip, short-circuiting some random holes in the cartridge slot. This caused the desired reset, sometimes, allowing me to pass in the SYS codes, and RUN the game again, various cheats applied.
Today I wish I had access to this "bible" of SYS codes, if only for the nostalgia. It provided me with many hours of fun, and breathed new life into old games. All I remember is that the front of it had a sort of robotic character on it, and some purple colours.
You'd have to look for kernal memory map with entry points or BASIC memory map.
Like, perhaps, this one here: http://unusedino.de/ec64/technical/aay/c64/krnromma.htm
It got to the point where I could recognize Ultima 4 terrain in Copy2+'s sector editor.
I guess I got started glitching - overwriting lots of things to see what died and by narrowing my probe, discover what smaller bits did. Then editing constants and map data, etc.
I've still got scans of notebooks where I mapped dungeons, recorded stats, etc, and then documented the memory structures once I'd found them.
It's no real surprise that I'm now a maintenance coder / reverse-engineer / re-implementor.
Could you tell me what is the best way to become a "a maintenance coder / reverse-engineer / re-implementor" ?
I took a look at the Matasano project.
It seems terribly interesting for me and it fits with my expectations.
Unfortunately, they require you to work in their office, and as a European (French) guy, I can't afford to move to America: I'd like to stay not too far from my family and friends if possible. I love programming / computer security very much, but I think I'd suffer from not seeing them anymore.
I'm looking for a French/European job, similar to the one proposed for the Matasano Project. AFAIK, it doesn't exist...
I'll consider moving to America if it isn't possible, but I'd like to avoid that if possible.
You can also become a Vulnerability Reward Program bounty-hunter as a hobby for a while. If you manage to find some high-profile bugs and blog about it, work will probably also start coming to you.
I'll start blogging as soon as I've got something new and interesting.
I need to show what I can do. I'm currently studying and I feel like I haven't a lot of opportunities to really show off my skills because the level of requirements is not high enough; that's frustrating sometimes.
I agree that a blog could be a good solution, I also enjoy writing articles even if my English is not the best.
I'll keep you informed if you enjoy receiving news from random internet people.
I'll certainly think about some software I'd like to analyze during the next few days and start working on finding bugs/vulnerabilities/interesting things.
I work as a maintenance coder on a framework for a network security appliance. In a sense, everything I mentioned is just this - I often don't have any documentation and have to make things work by, at a minimum, running strace and seeing what they're trying to do and work backward - to find a system that was supposed to be creating those files, etc...
I rarely have to use what you'd call "reverse engineering" skills, but the familiarity with ASM and recognizing certain source-level idioms in the generated code, comes in handy for regular debugging all the time.
I got the job partly by chance - a manager mentioned in passing at an event that his team was hiring and I followed up, and because of what we did. We've got a tremendously wide range of deep products with a wide mix of technologies because we've been around for a long time. Because of this, and our laid-back roles I've been able to work closely with our global ops team, the malware analysts, IT, etc.
I think it probably helps to find a company with complex enough tasks, where you have a slightly under-specified role (I maintain the framework ...), and there are a lot of different engineering/ops/support teams under one roof so there's always something fun going on. Then, be the person who handles what other people would call annoyances like requests from other teams.
Let me know if I missed the mark, or could elaborate.
I think I'll aim for a maintenance coder job in a company using low-level languages (C would be good) and see what opportunities I can get from there.
I enjoy finding and fixing bugs, and as you said, even if it's not always necessary, reverse engineering is often a good ally for fighting bugs.
One of the good things about growing up without a game console, I guess.
Ahhh the good ol' days when games were physically held and you had to blow the *ish out of them to make 'em work.
I'm currently writing an emulator for the Game Boy (as an educational exercise) and I can definitely understand how this would work.
So to create (e.g.) an infinite-ammo code, you would reload so that you had a full magazine of 30 rounds, and press the button. Then you'd have the GameShark search for addresses with a value of 30. Usually it'd return a huge amount of mostly garbage, so then you'd return to the game, shoot once or twice to change the number of rounds, and go back and tell it to narrow the results down by showing only the addresses that had changed to 29 or whatever.
After doing that two or three times, you'd have a working code that you could save to the device or share with people.
Sometimes it wasn't obvious what the value of a variable was, so you'd have to do a 'not equals' search. So to get weapon values, you would equip a knife, do a search, change to a hand gun, do a 'not equals' search, usually repeat that many times (because there are always going to be things changing) until you finally end up with an address that specifies the weapon (and sometimes one or two accompanying addresses).
Firstly, by watching the value of these addresses (you could always return to the results screen and see what the new value was), you would find out which values correspond to which guns. The knife might be 01, the hand gun 02, the rocket launcher 0A, and so on. That would allow you to take the address and create many codes for different weapons by adjusting the values.
More humorously: In some games, like Resident Evil, the address for the weapon function would be accompanied by another address for the weapon ammo. You could adjust the two values so that they differed from each other — for example, set the function to 01 and the ammo to 0A — and then you would end up with a knife that shoots rockets.
The codes that were the most challenging to create, and also probably the most fun, were what I used to call 'abusive codes'. Abusive codes were usually more humorous than practical — instead of giving you useful things like infinite ammo or lives, abusive codes would screw with the game's display or physics.
One of my favourite abusive codes was roller-skate mode for Silent Hill. Silent Hill is an extremely frightening and morbid horror game (i still can't play it alone), and enabling roller-skate mode completely changed the dynamic. First of all, during game-play, Harry's legs wouldn't move — he would just scoot around like he was sliding on ice. What was funnier, though, was that the sliding would persist into the game's cut scenes (which usually involved the discovery of something gruesome). So for example Harry would come across some mutilated corpse, the music would get all shrieky and he would exclaim how terrible it was, and all the while he would be scooting all over the screen. It turned the game from something frightening into something hilarious.
Most of the other abusive codes that I and my friends experimented with had similar effects on the physics. For example, in Resident Evil 2, we created a code where, if you pressed a certain button on the controller, the character's legs would shoot around like a helicopter and, if you held it long enough, they would gradually 'fly' up through the ceiling and off the screen.
Other games would allow you to alter aspects of the display. You could make the characters into giants, or make specific body parts extremely large or small, or make all of the doors turn into different objects. This was 'after my time', so to speak, but one of the Resident Evil games for GameCube allowed you to adjust the main character's breast size. If you cranked the value high enough, you could make her boobs fill the entire screen.
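The narrowing search described in the infinite-ammo and 'not equals' posts above, and the 'greater than last' search the Banjo-Kazooie poster used to locate the cheat-letter counter, as an added example (not code from the thread or from any cheat device). The 16-byte RAM snapshots, their byte offsets and the values in them are constructed for illustration.

```python
# Added example: a GameShark-style search that narrows a candidate address set
# across successive RAM snapshots. Each step applies one filter to every
# address still in the set: an exact-value search, or a comparison of the
# byte's previous and current values (the 'not equals' / 'greater than' searches).
from typing import Callable, Dict, Optional, Set

Filter = Callable[[int, int], bool]  # (previous_byte, current_byte) -> keep?
FILTERS: Dict[str, Filter] = {
    "changed": lambda prev, cur: prev != cur,  # the 'not equals' search
    "same":    lambda prev, cur: prev == cur,
    "greater": lambda prev, cur: cur > prev,   # 'greater than last'
}


class MemorySearch:
    """Keep only the addresses that survive every filter applied so far."""
    def __init__(self, size: int):
        self.candidates: Set[int] = set(range(size))
        self.last: Optional[bytes] = None

    def seed(self, snap: bytes) -> None:
        self.last = snap  # record a baseline without filtering anything

    def search_equal(self, snap: bytes, value: int) -> Set[int]:
        self.candidates = {a for a in self.candidates if snap[a] == value}
        self.last = snap
        return self.candidates

    def search_relative(self, snap: bytes, kind: str) -> Set[int]:
        if self.last is None:
            raise RuntimeError("relative search needs a baseline snapshot")
        keep = FILTERS[kind]
        self.candidates = {a for a in self.candidates if keep(self.last[a], snap[a])}
        self.last = snap
        return self.candidates


def make_ram(ammo: int, frame: int, letters: int = 0) -> bytes:
    """Constructed 16-byte RAM: offset 5 = ammo, 9 = a frame counter that
    changes every snapshot, 3 = letters typed, 12 = an unrelated byte that
    also holds 30 (a false positive for the first search)."""
    ram = bytearray(16)
    ram[5], ram[9], ram[3], ram[12] = ammo, frame & 0xFF, letters, 30
    return bytes(ram)


def find_ammo_address() -> Set[int]:
    s = MemorySearch(16)
    s.search_equal(make_ram(30, 30), 30)              # full magazine  -> {5, 9, 12}
    s.search_relative(make_ram(29, 137), "changed")   # fired once     -> {5, 9}
    return s.search_equal(make_ram(28, 77), 28)       # fired again    -> {5}


def find_letter_counter() -> Set[int]:
    s = MemorySearch(16)
    s.seed(make_ram(30, 10, 1))                               # one letter typed
    s.search_relative(make_ram(30, 250, 2), "greater")        # frame byte grew too -> {3, 9}
    return s.search_relative(make_ram(30, 40, 3), "greater")  # frame byte fell     -> {3}
```

The frame counter survives the first two ammo searches because it changes along with the magazine; only a third pass with a specific new value removes it, which is why the thread says two or three rounds were usually needed.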