
Best tool for password reverse engineering?

Posted: Tue Jul 19, 2016 8:43 pm
by Bobblen
Hi guys, inspired by the cool master system password generators over at smspower, I thought it'd be fun to try to do the same for the megadrive as an intro to reverse engineering/assembly (I appreciate the learning curve for this stuff is huge, so there really is no easy place to start!). I picked Desert Strike as a game I know well from childhood that also has relatively few attributes to store in the password. 4 levels, a life counter and presumably a flag for the rescued co-pilot is all it should be dealing with, plus the usual checksums & masking.

I'm comfortable with searching the RAM to narrow down the addresses for holding the characters, but I'm finding it extremely tough to pin down the password handler code itself. The smspower tutorial I'm roughly following uses breakpoints (via the meka emulator). Is there a recommended tool for doing similar with the Megadrive? Currently I'm using Regen debugger and attempting something similar (i.e. trying to break when the RAM holding the password is read) but I always seem to break too early.

Thanks for your help!

Re: Best tool for password reverse engineering?

Posted: Thu Jul 21, 2016 7:48 pm
by KanedaFr
If you know "almost" where the password is in RAM, or where a part of the handler is in ROM, you could use a disassembler and look for code pointing to the RAM address.

For this kind of stuff, I use IDA and mIDA or DrMefisto SMD IDA Tools.
You could even use the Gensida plugin, which will help you go step by step
(viewtopic.php?f=7&t=2193)
Of course, you'll need IDA, which is not freeware.

Perhaps there are some other "free" ways, but this is the one I use myself, so...
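The search KanedaFr describes (code pointing at a known RAM address) can be done without IDA as a first pass. The following is an added example, not code from the thread or from any of the tools named in it: it scans a ROM image for the byte patterns a 68000 instruction would carry when addressing a location in Mega Drive work RAM, using the two RAM addresses Bobblen later names in the thread. The sample "ROM" is a handful of instructions assembled by hand for this example and is not Desert Strike code.

```python
import struct

# Constructed sample: a few 68000 instructions assembled by hand for this
# example (opcodes checked against the 68000 encoding), not Desert Strike code.
LIVES_COUNTER = 0xFF10B7   # RAM address named later in the thread
LIVES_SOURCE = 0xFF100E    # RAM address named later in the thread
SAMPLE_ROM = bytes.fromhex(
    "4E71"              # nop
    "103900FF100E"      # move.b ($FF100E).l,d0   ; absolute long operand at offset 4
    "13C000FF10B7"      # move.b d0,($FF10B7).l   ; absolute long operand at offset 10
    "31C0FF00"          # move.w d0,($FFFF00).w   ; absolute short operand at offset 16
    "4E75"              # rts
    "00FF10B7"          # the same four bytes as data, a deliberate false positive
)

def ram_ref_patterns(addr):
    """Byte patterns an instruction would carry to reference addr absolutely.
    Work RAM sits at $FF0000-$FFFFFF on the 24-bit bus.  (xxx).l carries the
    full address as a 32-bit extension word; (xxx).w carries a sign-extended
    16-bit word, which can only reach $FF8000-$FFFFFF."""
    addr &= 0xFFFFFF
    pats = [("(xxx).l", struct.pack(">I", addr))]
    if 0xFF8000 <= addr <= 0xFFFFFF:
        pats.append(("(xxx).w", struct.pack(">H", addr & 0xFFFF)))
    return pats

def find_ram_refs(rom, addr):
    """Offsets of word-aligned operands that look like an absolute reference
    to addr.  68000 opcodes and extension words always sit at even offsets,
    so odd hits are discarded.  What remains can still be data that happens
    to contain the pattern, so each hit must be confirmed in the disassembler."""
    hits = []
    for form, pat in ram_ref_patterns(addr):
        start = 0
        while (i := rom.find(pat, start)) != -1:
            if i % 2 == 0:
                hits.append((i, form))
            start = i + 1
    return sorted(hits)

if __name__ == "__main__":
    for a in (LIVES_SOURCE, LIVES_COUNTER, 0xFFFF00):
        print(f"${a:06X}: {find_ram_refs(SAMPLE_ROM, a)}")
```

The hit at offset 20 is the data word, not an instruction: a pattern scan narrows the search, but only the disassembly tells you which hits are real operands. Addresses below $FF8000, such as both of the ones above, can only appear in the long form, so a game that uses the short form for its high RAM variables will only be found if you search for that form too.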

Re: Best tool for password reverse engineering?

Posted: Tue Jul 26, 2016 1:30 am
by walker7

How about if you use Gens r57shell mod?

http://www.romhacking.net/utilities/1123/

This is a great utility. It's like the Genesis counterpart of the NES FCEUX emulator.

Re: Best tool for password reverse engineering?

Posted: Sat Jul 30, 2016 8:38 am
by Bobblen
Thanks for the suggestions. If I find a way to get hold of a copy of IDA I'll give it a go, but will be attempting to use Gens R57 Shell Mod first.

Re: Best tool for password reverse engineering?

Posted: Mon Sep 28, 2020 2:40 pm
by Bobblen
Hello all, a whole 4 years(!) later and with a bit more time on my hands, I decided to have another go at this. I took a different approach this time around: I found that there were some hardcoded cheat passwords which allow you to start with 5 or 10 lives, and this seemed like an easier thing to track than the password entry itself, so...

With r57 shell's RAM search I identified FF10B7 as the location of the lives counter.
With the memory hook I found that the lives counter is copied over from FF100E.

Then I used Ghidra to generate a disassembly and found the function which did the work, and sure enough there's specific assembly code to put 5 lives or 10 lives into the counter. I was able to change a single byte to produce a version where the 10 lives password is now a 255 lives password!

I realise this is completely trivial stuff, but as a complete novice in 68k assembly, disassemblers and reverse engineering of any kind, it's good progress for me :D

Next step will be to try and work back and understand how this block of code is called in the first place. It's quite addictive once you start to get the hang of it.
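One caveat that bites when you change even a single byte of a Mega Drive ROM: the header at $18E holds a 16-bit checksum over the words from $200 to the end of the image, and some games verify it in their own startup code and halt if it no longer matches. The following is an added example, not the thread's or the game's code: it applies a one-byte change of the kind Bobblen describes (an immediate $0A becoming $FF) to a tiny constructed image and recomputes the header checksum. The image, the instruction and the offset of the patched byte are all assumptions made for this example; Desert Strike's actual code is not reproduced.

```python
import struct

HEADER_CHECKSUM_OFFSET = 0x18E   # 16-bit checksum field in the Mega Drive ROM header
CHECKSUM_START = 0x200           # the header itself is excluded from the sum

def md_checksum(rom):
    """Mega Drive header checksum: the sum of the big-endian 16-bit words from
    $200 to the end of the image, truncated to 16 bits."""
    if len(rom) % 2:
        raise ValueError("ROM image must have an even length")
    total = 0
    for (word,) in struct.iter_unpack(">H", rom[CHECKSUM_START:]):
        total = (total + word) & 0xFFFF
    return total

def stored_checksum(rom):
    """The checksum value the header currently claims."""
    return struct.unpack_from(">H", rom, HEADER_CHECKSUM_OFFSET)[0]

def fix_checksum(rom):
    """Copy of rom with the header field rewritten to match its contents."""
    out = bytearray(rom)
    struct.pack_into(">H", out, HEADER_CHECKSUM_OFFSET, md_checksum(out))
    return bytes(out)

def patch_rom(rom, offset, new_bytes):
    """Write new_bytes at offset, then repair the checksum so a game that
    verifies it at boot still starts."""
    if offset < 0 or offset + len(new_bytes) > len(rom):
        raise ValueError("patch falls outside the image")
    out = bytearray(rom)
    out[offset:offset + len(new_bytes)] = new_bytes
    return fix_checksum(out)

# Constructed toy image, not Desert Strike: a header-sized prefix carrying the
# "SEGA" signature, then `move.b #10,d0` (103C 000A) and `rts` (4E75).
# The 000A immediate stands in for the byte a 10-lives cheat would load;
# its location is an assumption made for this example.
_header = bytearray(CHECKSUM_START)
_header[0x100:0x110] = b"SEGA MEGA DRIVE "
ORIGINAL = fix_checksum(bytes(_header) + bytes.fromhex("103C000A4E75"))
LIVES_IMMEDIATE_OFFSET = CHECKSUM_START + 3   # low byte of the 000A word

def make_255_lives(rom):
    """The single-byte change described in the thread: 10 lives -> 255."""
    return patch_rom(rom, LIVES_IMMEDIATE_OFFSET, b"\xFF")

if __name__ == "__main__":
    patched = make_255_lives(ORIGINAL)
    print(f"original: header {stored_checksum(ORIGINAL):04X} computed {md_checksum(ORIGINAL):04X}")
    print(f"patched:  header {stored_checksum(patched):04X} computed {md_checksum(patched):04X}")
```

The TMSS check on later consoles only looks for the "SEGA" string at $100; the checksum is the game's own business, which is why a patched ROM that freezes on a black screen in one emulator and runs in another is usually a checksum the game verifies rather than a bad patch. Not every game checks it, so the fix is harmless when it is not needed.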

Re: Best tool for password reverse engineering?

Posted: Mon Sep 28, 2020 5:28 pm
by cero
Next thing up you'll be creating IPS patches or your own Game Genie codes to replicate your changes on cart/everdrive, and before you know it you won't be able to play anymore, hacking being more fun :D
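The IPS patch cero mentions is a simple format worth knowing end to end. The following is an added example, not code from the thread: it diffs an original and a modified image into an IPS file and applies one back, including the RLE record form that other people's patches may contain. The two images are constructed for this example; they are not game data.

```python
IPS_HEADER = b"PATCH"
IPS_EOF = b"EOF"
MAX_RECORD = 0xFFFF     # record size is a 16-bit field
MAX_OFFSET = 0xFFFFFF   # record offset is a 24-bit field
EOF_AS_OFFSET = 0x454F46  # the bytes "EOF" read as an offset

def diff_runs(original, modified):
    """Yield (offset, data) for each maximal run of bytes that differ."""
    if len(original) != len(modified):
        raise ValueError("this generator assumes equal-length images")
    i, n = 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != modified[j]:
            j += 1
        yield i, bytes(modified[i:j])
        i = j

def make_ips(original, modified):
    """Build an IPS file: 'PATCH', then records of 3-byte offset, 2-byte size
    and data, then 'EOF'.  Long runs are split into 64 KiB records."""
    out = bytearray(IPS_HEADER)
    for offset, data in diff_runs(original, modified):
        for k in range(0, len(data), MAX_RECORD):
            start = offset + k
            if start > MAX_OFFSET:
                raise ValueError("IPS offsets are 24-bit; the image is too large")
            if start == EOF_AS_OFFSET:
                # A record header starting with 45 4F 46 is indistinguishable
                # from the trailer, so refuse rather than emit a broken patch.
                raise ValueError("record offset 0x454F46 is ambiguous in IPS")
            chunk = data[k:k + MAX_RECORD]
            out += start.to_bytes(3, "big") + len(chunk).to_bytes(2, "big") + chunk
    out += IPS_EOF
    return bytes(out)

def apply_ips(original, patch):
    """Apply an IPS file, handling both plain and RLE (size 0) records and
    growing the image if a record writes past its end."""
    if not patch.startswith(IPS_HEADER):
        raise ValueError("not an IPS file")
    out = bytearray(original)
    pos = len(IPS_HEADER)
    while patch[pos:pos + 3] != IPS_EOF:
        if pos + 5 > len(patch):
            raise ValueError("truncated IPS record")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size == 0:                              # RLE: 2-byte count, 1 fill byte
            count = int.from_bytes(patch[pos:pos + 2], "big")
            data = patch[pos + 2:pos + 3] * count
            pos += 3
        else:
            data = patch[pos:pos + size]
            pos += size
        if offset + len(data) > len(out):
            out.extend(b"\x00" * (offset + len(data) - len(out)))
        out[offset:offset + len(data)] = data
    return bytes(out)

# Constructed images for this example: 512 bytes, with three bytes changed.
ORIGINAL = bytes(range(256)) * 2
MODIFIED = bytearray(ORIGINAL)
MODIFIED[3], MODIFIED[4], MODIFIED[300] = 0xFF, 0xFE, 0x00

if __name__ == "__main__":
    patch = make_ips(ORIGINAL, MODIFIED)
    print(patch.hex())
    print(apply_ips(ORIGINAL, patch) == bytes(MODIFIED))
```

Two things the format does not do: it carries no checksum of the source image, so a patch applied to the wrong ROM revision silently corrupts it, and its 24-bit offsets cap it at 16 MiB. For Mega Drive images both are tolerable, but check the target ROM's hash before applying a patch you did not make yourself.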