rodolfo bandeira

software, electronics, security, devops, thoughts

Cracking Snes games with PHP

First of all, let me say special thanks to a person who is a kind of inspiration on programming, not only for me but for tons of developers around the world: Bisqwit. I was inspired to write this post after watching his video “Cracking Videogame Passwords - Gremlins 2”: https://www.youtube.com/watch?v=iajgztvLxGc

So, I decided to try it out with TOP GEAR. If you remember, when you were a little kid it was very frustrating when you finally got to a level, but suddenly lost and got the famous “GAME OVER” screen, right?

Oh well, I have the emulator here and I didn’t even manage to get past the South America level (Brazil). The good news is that I got the password key:

MOONBATH

How about inspecting the ROM file and trying to catch more passwords like that? How about getting the final password? Cool, eh? Let’s do it.

Bisqwit wrote this PHP script to find text inside binary files. I copied it from his YouTube video and decided to try it. I did a post on my blog teaching how to crack binary files using VIM/PHP; there I was using objdump. It’s actually the same idea, but with this PHP script Bisqwit made the task even easier.

<?php
// Created by: Bisqwit on his video:
// https://www.youtube.com/watch?v=iajgztvLxGc

$s = file_get_contents('php://stdin');   // the whole binary, piped in on stdin
$text = $argv[1];                        // the string to look for

// Try every byte stride (1..7) and every byte shift (0..255): text in ROMs
// is often stored through a custom character table (every byte shifted by a
// constant) or interleaved with other bytes, so a plain substring search
// would miss it.
for($step=1; $step<8; ++$step)
    for($offset=0; $offset<256; ++$offset)
    {
        // Build the shifted version of the search text for this offset
        // (chr() wraps at 256, so the shift is applied modulo 256).
        $txt = [];
        for($a=0; $a<strlen($text); ++$a)
            $txt[] = chr( ord($text[$a]) + $offset );

        // Last start position at which the strided pattern still fits in the file.
        $b = strlen($s) - $step * count($txt);
        for($a=0; $a<$b; ++$a)
        {
            // Compare each character at its strided position; on the first
            // mismatch skip to the next start position ($a).
            foreach($txt as $d => $c)
                if ($s[$a + $d*$step] != $c)
                    continue 2;
            printf('Found <%1$s> at position %2$d ($%2$X), '.
                'with offset %3$d ($%3$X), step %4$d ($%4$X)'. "\n",
                    $text, $a, $offset, $step);
        }
    }

Searching for the word MOONBATH inside the file:

php find-text-in-binary.php MOONBATH < top_gear_usa.nes

Found <MOONBATH> at position 443667 ($6C513), with offset 0 ($0), step 1 ($1)

There we go! Now, let’s open VIM and type: ESC + :%!xxd (this pipes the buffer through xxd, which gives you HEX mode on VIM)

Now let’s jump to the offset $6C513 that the script reported. In the ROM file I have, that falls on line 27730 of the dump (row 0006c510):

27717 0006c440: 5320 2031 3020 5054 5320 203d 3820 5054  S  10 PTS  =8 PT
27718 0006c450: 5320 203d 3620 5054 5320 203d 3420 5054  S  =6 PTS  =4 PT
27719 0006c460: 5320 203d 3320 5054 5320 203d 3220 5054  S  =3 PTS  =2 PT
27720 0006c470: 5320 203d 3120 5054 2020 2053 494d 4f4e  S  =1 PT   SIMON
27721 0006c480: 3d3d 3d52 4954 4348 4945 3d41 5348 3d3d  ===RITCHIE=ASH==
27722 0006c490: 3d3d 3d47 5245 4753 3d3d 3d43 4852 4953  ===GREGS===CHRIS
27723 0006c4a0: 3d3d 3d41 4445 3d3d 3d3d 3d54 2043 3d3d  ===ADE=====T C==
27724 0006c4b0: 3d3d 3d54 494d 3d3d 3d3d 3d53 495a 3d3d  ===TIM=====SIZ==
27725 0006c4c0: 3d3d 3d4d 4152 4b3d 3d3d 3d42 4552 4e49  ===MARK====BERNI
27726 0006c4d0: 3d3d 3d54 4f4e 593d 3d3d 3d4d 4154 543d  ===TONY====MATT=
27727 0006c4e0: 3d3d 3d52 4f42 3d3d 3d3d 3d49 414e 3d3d  ===ROB=====IAN==
27728 0006c4f0: 3d3d 3d4a 414d 4553 3d3d 3d53 4841 554e  ===JAMES===SHAUN
27729 0006c500: 3d3d 3d50 4155 4c3d 3d3d 3d43 4f4d 5055  ===PAUL====COMPU
27730 0006c510: 5445 524d 4f4f 4e42 4154 4847 4541 5242  TERMOONBATHGEARB
27731 0006c520: 4f58 2043 4152 2050 4152 4b52 4f41 4420  OX CAR PARKROAD
27732 0006c530: 484f 4745 4d55 4c41 544f 5241 4e41 4c59  HOGEMULATORANALY
27733 0006c540: 5345 5248 4f52 495a 4f4e 5346 4f55 5220  SERHORIZONSFOUR
27734 0006c550: 4d45 474c 4547 454e 4420 2054 4845 574f  MEGLEGEND  THEWO
27735 0006c560: 524c 444c 4554 5352 4143 4541 4c43 4845  RLDLETSRACEALCHE
27736 0006c570: 4d59 2041 204c 4f4f 5045 5253 4541 534f  MY A LOOPERSEASO
27737 0006c580: 4e41 4c45 4455 4341 5445 444f 494c 434c  NALEDUCATEDOILCL
27738 0006c590: 4f54 4857 5245 434b 4147 4543 4152 4143  OTHWRECKAGECARAC
27739 0006c5a0: 4f4c 4545 5059 4c4c 494f 4e47 4c55 4341  OLEEPYLLIONGLUCA
27740 0006c5b0: 474f 4e4b 4545 4c53 4f4e 2000 0204 0608  GONKEELSON .....
27741 0006c5c0: 0a0c 0e20 2224 2628 2a2c 2e40 4244 4648  ... "$&(*,.@BDFH
27742 0006c5d0: 4a4c 4e60 6264 6668 6a6c 6e80 8284 8688  JLN`bdfhjln.....
27743 0006c5e0: 0004 0004 0004 0008 0008 0000 0000 000c  ................

Look how cool this is: all the passwords are hardcoded in plain ASCII in the same memory area, one after another.
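Once one entry has been located, the rest of the table falls out mechanically. In the dump above, MOONBATH at $6C513 sits exactly 8 bytes after COMPUTER at $6C50B, every entry is padded with spaces to 8 bytes, and the table ends at the first 0x00 byte after KEELSON. The PHP below is an added example, not code from the original post or from Bisqwit's script: it rebuilds a constructed input from the hex columns of rows 0006c500..0006c5c0 and walks that region as fixed-width records. The slice, its base offset SLICE_BASE, the record width of 8 and the helper names findPassword/extractPasswordTable are assumptions of this example.

```php
<?php
// Added example (not from the original post or Bisqwit's script).

// Constructed input: dump rows 0006c500..0006c5c0 from the post, joined from
// their hex columns. SLICE_BASE is the file offset of byte 0 of the slice.
const SLICE_BASE = 0x6C500;
const SLICE_HEX =
    '3d3d3d5041554c3d3d3d3d434f4d5055' .  // ===PAUL====COMPU
    '5445524d4f4f4e424154484745415242' .  // TERMOONBATHGEARB
    '4f5820434152205041524b524f414420' .  // OX CAR PARKROAD
    '484f47454d554c41544f52414e414c59' .  // HOGEMULATORANALY
    '534552484f52495a4f4e53464f555220' .  // SERHORIZONSFOUR
    '4d45474c4547454e442020544845574f' .  // MEGLEGEND  THEWO
    '524c444c45545352414345414c434845' .  // RLDLETSRACEALCHE
    '4d592041204c4f4f504552534541534f' .  // MY A LOOPERSEASO
    '4e414c45445543415445444f494c434c' .  // NALEDUCATEDOILCL
    '4f5448575245434b4147454341524143' .  // OTHWRECKAGECARAC
    '4f4c454550594c4c494f4e474c554341' .  // OLEEPYLLIONGLUCA
    '474f4e4b45454c534f4e200002040608' .  // GONKEELSON .....
    '0a0c0e20222426282a2c2e4042444648';   // ... "$&(*,.@BDFH

/** Plain substring search (offset 0, step 1); null if the text is absent. */
function findPassword(string $blob, string $needle): ?int
{
    $pos = strpos($blob, $needle);
    return $pos === false ? null : $pos;
}

/**
 * Walk $width-byte records from $start and return them, trimmed of their
 * space padding, until a record contains a byte outside printable ASCII
 * (0x20..0x7E). Keys are file offsets in hex ($base + position in slice).
 */
function extractPasswordTable(string $blob, int $start, int $width, int $base): array
{
    $table = [];
    for ($pos = $start; $pos + $width <= strlen($blob); $pos += $width) {
        $record = substr($blob, $pos, $width);
        // The 0x00 after "KEELSON " is the first byte that fails this test.
        if (!preg_match('/^[\x20-\x7E]+$/', $record)) {
            break;
        }
        $table[sprintf('%X', $base + $pos)] = rtrim($record, ' ');
    }
    return $table;
}

$blob = hex2bin(SLICE_HEX);
$hit  = findPassword($blob, 'MOONBATH');   // 0x13 inside the slice, $6C513 in the file

// Assumption taken from the dump: MOONBATH is the second record and COMPUTER
// the first, so the table starts one record width before the hit.
$width      = 8;
$tableStart = $hit - $width;
$table      = extractPasswordTable($blob, $tableStart, $width, SLICE_BASE);

foreach ($table as $offset => $password) {
    printf('$%s  %s' . "\n", $offset, $password);
}
printf("%d passwords; the last one is %s\n", count($table), end($table));
```

Run as php extract-table.php (assumed file name); it lists the 22 entries from COMPUTER at $6C50B to KEELSON at $6C5B3. The same fixed-width walk is what you would use when auditing any build artifact for embedded plaintext secrets: find one known value, infer the record layout from its neighbours, then enumerate the whole table rather than stopping at the first hit.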

With a quick Google search I also got a list of passwords, so we can confirm that those are indeed all the passwords: http://www.gamefaqs.com/snes/588802-top-gear/cheats

Let’s try the final password, which is KEELSON. Check the final result:

Final Result

See you next post!

Rodolfo
