Best tool for password reverse engineering?

Bobblen
Newbie
Posts: 3
Joined: Wed Jul 06, 2016 5:52 pm

Best tool for password reverse engineering?

Post by Bobblen » Tue Jul 19, 2016 8:43 pm

Hi guys, inspired by the cool master system password generators over at smspower, I thought it'd be fun to try to do the same for the megadrive as an intro to reverse engineering/assembly (I appreciate the learning curve for this stuff is huge, so there really is no easy place to start!). I picked Desert Strike as a game I know well from childhood that also has relatively few attributes to store in the password. 4 levels, a life counter and presumably a flag for the rescued co-pilot is all it should be dealing with, plus the usual checksums & masking.

I'm comfortable with searching the RAM to narrow down the addresses for holding the characters, but I'm finding it extremely tough to pin down the password handler code itself. The smspower tutorial I'm roughly following uses breakpoints (via the meka emulator). Is there a recommended tool for doing similar with the Megadrive? Currently I'm using Regen debugger and attempting something similar (IE trying to break when the RAM holding the password is read) but I always seem to break too early.

Thanks for your help!

KanedaFr
Administrateur
Posts: 1139
Joined: Tue Aug 29, 2006 10:56 am
Contact:

Re: Best tool for password reverse engineering?

Post by KanedaFr » Thu Jul 21, 2016 7:48 pm

If you know roughly where the password is in RAM, or where a part of the handler is in ROM, you could use a disassembler and look for code referencing the RAM address.

For this kind of stuff, I use IDA and mIDA or DrMefisto's SMD IDA Tools.
You could even use the Gensida plugin, which will help you go step by step
(viewtopic.php?f=7&t=2193)
Of course, you'll need IDA, which is not freeware.

Perhaps there are other "free" ways, but this is the one I use myself, so...

walker7
Interested
Posts: 45
Joined: Tue Jul 24, 2012 6:27 am

Re: Best tool for password reverse engineering?

Post by walker7 » Tue Jul 26, 2016 1:30 am

Bobblen wrote:Hi guys, inspired by the cool master system password generators over at smspower, I thought it'd be fun to try to do the same for the megadrive as an intro to reverse engineering/assembly (I appreciate the learning curve for this stuff is huge, so there really is no easy place to start!). I picked Desert Strike as a game I know well from childhood that also has relatively few attributes to store in the password. 4 levels, a life counter and presumably a flag for the rescued co-pilot is all it should be dealing with, plus the usual checksums & masking.

I'm comfortable with searching the RAM to narrow down the addresses for holding the characters, but I'm finding it extremely tough to pin down the password handler code itself. The smspower tutorial I'm roughly following uses breakpoints (via the meka emulator). Is there a recommended tool for doing similar with the Megadrive? Currently I'm using Regen debugger and attempting something similar (IE trying to break when the RAM holding the password is read) but I always seem to break too early.

Thanks for your help!

How about using the Gens r57shell mod?

http://www.romhacking.net/utilities/1123/

This is a great utility. It's like the Genesis counterpart of the NES FCEUX emulator.
When programming, you can do it if you put your mind to it.

Bobblen
Newbie
Posts: 3
Joined: Wed Jul 06, 2016 5:52 pm

Re: Best tool for password reverse engineering?

Post by Bobblen » Sat Jul 30, 2016 8:38 am

Thanks for the suggestions. If I find a way to get hold of a copy of IDA I'll give it a go, but will be attempting to use Gens R57 Shell Mod first.

Bobblen
Newbie
Posts: 3
Joined: Wed Jul 06, 2016 5:52 pm

Re: Best tool for password reverse engineering?

Post by Bobblen » Mon Sep 28, 2020 2:40 pm

Hello all, a whole 4 years(!) later and with a bit more time on my hands, I decided to have another go at this. I took a different approach this time around, I found that there were some hardcoded cheat passwords which allow you to start with 5 or 10 lives, this seemed like an easier thing to track than the password entry itself, so...

With r57 shell's RAM search I identified FF10B7 as the location of the lives counter.
With memory hook I found that the lives counter is copied over from FF100E.

Then used Ghidra to generate a disassembly and found the function which did the work, and sure enough there's specific assembly code to put 5 lives or 10 lives into the counter. I was able to change a single byte to produce a version where the 10 lives password is now a 255 lives password!

I realise this is completely trivial stuff, but as a complete novice in 68k assembly, disassemblers and reverse engineering of any kind, it's good progress for me :D

Next step will be to try and work back and understand how this block of code is called in the first place. It's quite addictive once you start to get the hang of it.
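The two steps described in the posts above (look for code that references a known RAM address, then patch a byte) can be scripted against the ROM file directly. The following is an added example, not code from this thread or from any of the tools named in it. The only real value taken from the thread is the lives-counter address FF10B7; the ROM image is a constructed 1 KiB toy, and the `move.b #$0A,($FF10B7).l` instruction embedded in it is hypothetical, not Desert Strike's actual code. It also recomputes the standard Mega Drive header checksum (16-bit sum of the words from offset 0x200 to the end, stored at 0x18E), because some games verify it at boot and will reject a patched image otherwise; whether Desert Strike does is not stated in the thread.

```python
"""Find 68000 absolute-long references to a RAM address in a Mega Drive ROM,
patch one byte, and repair the header checksum afterwards.
Added example: the ROM built here is a constructed toy, not a real game."""
import struct

RAM_LIVES = 0xFF10B7  # lives counter address reported in the post above

def genesis_checksum(rom: bytes) -> int:
    """16-bit sum of big-endian words from 0x200 to the end of the image.
    This is the value the standard header keeps at offset 0x18E."""
    total = 0
    for off in range(0x200, len(rom) - 1, 2):
        total += struct.unpack_from(">H", rom, off)[0]
    return total & 0xFFFF

def header_checksum_ok(rom: bytes) -> bool:
    """True when the stored header checksum matches the image contents."""
    return struct.unpack_from(">H", rom, 0x18E)[0] == genesis_checksum(rom)

def find_abs_long_refs(rom: bytes, addr: int) -> list:
    """Word-aligned offsets of 32-bit big-endian values equal to addr.
    On the Mega Drive a RAM address such as 0x00FF10B7 can only be encoded
    as an absolute long operand: absolute short sign-extends a 16-bit word,
    so it reaches only 0x000000-0x007FFF and 0xFF8000-0xFFFFFF.
    Each hit is a candidate reference, not a confirmed one; the same four
    bytes could be data, so confirm it in a disassembler or with a debugger."""
    needle = struct.pack(">I", addr & 0xFFFFFFFF)
    hits = []
    off = rom.find(needle)
    while off != -1:
        if off % 2 == 0:          # 68k instructions and operands are word-aligned
            hits.append(off)
        off = rom.find(needle, off + 1)
    return hits

def patch_byte(rom: bytes, offset: int, value: int) -> bytearray:
    """Return a copy with one byte changed and the header checksum recomputed,
    so a game that verifies the checksum at boot still accepts the image."""
    out = bytearray(rom)
    out[offset] = value & 0xFF
    struct.pack_into(">H", out, 0x18E, genesis_checksum(out))
    return out

def build_toy_rom() -> bytearray:
    """Constructed 1 KiB image: console name at 0x100, checksum at 0x18E, and a
    single hypothetical instruction at 0x200:
        move.b #$0A,($FF10B7).l   ->  13FC 000A 00FF10B7"""
    rom = bytearray(0x400)
    rom[0x100:0x110] = b"SEGA MEGA DRIVE "
    rom[0x200:0x208] = bytes.fromhex("13FC000A00FF10B7")
    struct.pack_into(">H", rom, 0x18E, genesis_checksum(rom))
    return rom

ROM = build_toy_rom()

if __name__ == "__main__":
    for off in find_abs_long_refs(ROM, RAM_LIVES):
        # opcode and immediate words precede the operand; show the whole instruction
        print(f"reference at 0x{off:X}: {ROM[off - 4:off + 4].hex()}")
    # the immediate #$0A sits in the low byte of the word at 0x202; make it #$FF
    patched = patch_byte(ROM, 0x203, 0xFF)
    print("patched header checksum ok:", header_checksum_ok(patched))
```

In practice you would run `find_abs_long_refs` over the real ROM dump and feed each hit's offset to your disassembler (or set a breakpoint there in the emulator's debugger) to see which instruction owns the operand; a hit inside a data table is a false positive. The checksum step matters only if the game checks it, but fixing it costs nothing and removes one reason a patched cartridge image might fail to boot.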

cero
Very interested
Posts: 338
Joined: Mon Nov 30, 2015 1:55 pm

Re: Best tool for password reverse engineering?

Post by cero » Mon Sep 28, 2020 5:28 pm

Next thing up you'll be creating IPS patches or your own Game Genie codes to replicate your changes on cart/everdrive, and before you know it you won't be able to play anymore, hacking being more fun :D
