• skibz 7 hours ago |
    I'd love to see footage of the underwater soccer cheat in action.
  • trlaknb 6 hours ago |
    Using Ghidra (85% Java, 7% C++, ...) and a tiny Python function to reverse engineer. Great work, but what is the importance of Python here?

    Python is indeed good for small throwaway scripts, but so are many other languages, including even modern C++.

    • batch12 6 hours ago |
      Maybe the author is more comfortable with Python than the alternatives.
    • exe34 6 hours ago |
      Python is great for a lot more than small throwaway scripts.
      • ok123456 3 hours ago |
        Depends on who you ask and to what lengths you're willing to go.
        • exe34 3 hours ago |
          "Python is used by Intel, IBM, NASA, Pixar, Netflix, Facebook, JP Morgan Chase, Spotify, and a number of other massive companies. It's one of the four main languages at Google, while Google's YouTube is largely written in Python. Same with Reddit, Pinterest, and Instagram"

          "Python is used heavily in academic research, particularly in bioinformatics, biology, and mathematics. It is the standard introductory language for many university computer science programs."

          https://brainstation.io/career-guides/who-uses-python-today

          Misquotation alert: I'm not claiming python is perfect for everything. There are times it makes sense to use something else. Not-short-scripts isn't it.

          • Brian_K_White 12 minutes ago |
            It's utter garbage outside of a controlled environment. Youtube can use it because Youtube will have an official environment and there will be no such thing as a script that was written in one version or with one module installed that then breaks at run time.

            The impressive size of the big users actually works against proving how great it is.

            Use the official version inside Google or Netflix: ok.

            Use in a package where the package manager ensures all dependencies and versions are met exactly: ok

            Use by writing and immediately using and discarding today: ok

            Write a random script and expect it to work in 6 months or on any other machine or god forbid another platform: forget it.

            Python is great for the author and miserable for everyone else.

    • bobajeff 6 hours ago |
      >Python is indeed good for small throwaway scripts

      I think you just answered your own question.

    • bt1a 6 hours ago |
      What is the importance of needing to frame Python as tiny here? The reminder that programming languages are acceptable for small throwaway scripts is appreciated.
      • vips7L 6 hours ago |
        I believe they were calling the function tiny, which it is, it’s 27 lines.
    • zahlman 5 hours ago |
      Ghidra is an already existing piece of software; the Python script was written for the specific purpose. The title isn't about comparing the relative importance of programming languages to getting the answer, but about explaining the tools used and the effort involved in using them.
    • lpapez 2 hours ago |
      By this logic anything meaningful anyone does is actually done with C, because no matter what you do there are 40 million lines of kernel code underneath...

      "What is the importance of Django, it's only 10 thousand lines of Python, powered by millions of lines of interpreter written in C..."

      • throwthis817 an hour ago |
        No, the kernel does not solve the major part of the reverse engineering, the Java application Ghidra does.

        But Java does not need any marketing, people just quietly use it.

  • praptak 6 hours ago |
    QQRIQ is a phonetic abbreviation of "kukuriku", which is the sound of the rooster in Hungarian and in several other languages (Polish "kukuryku", Hebrew "קוקוריקו", etc.). Makes one wonder what the process for choosing the passwords was.
    • bt1a 6 hours ago |
      Could it be that the rooster/cockadoodledoo is something performed like clockwork in the morning, so the showing of framedata is also tangential to time and clocks? Probably not.
    • bbayles 6 hours ago |
      The programmers for this game were in Budapest, so this is a good guess!
      • praptak 4 hours ago |
        I didn't know that. The QQRIQ jumped out at me because of my Polish background, so I googled it and found it's international.
    • jylam 3 hours ago |
      Cocorico in French, very close :)
      • rzzzt 3 hours ago |
        Kikeriki in German!
        • luismedel an hour ago |
          Very similar to "kikiriki" in Spanish.
          • matsemann 3 minutes ago |
            Wonder why some went for an o-sound and others an i-sound. To make matters worse it's kykeliky in Norwegian, so both y, e, i.
    • Y_Y 3 hours ago |
      See also: the town of Kakariko in Zelda which always has chickens
    • mtlebe an hour ago |
      Also Gyugyu might be a reference to the Hungarian movie: "The Fifth Seal"

      "Just imagine you are about to die, but you will be reincarnated into one of two people; a slave or the rich master. The slave suffers under the master. He has his tongue and an eye removed and his wife and child are killed. He goes on living knowing he is a good person, as he never committed such appalling, sadistic acts on another like his master has done. The rich master has no moral qualms about it at all. He doesn't think what he did was wrong; the slave needed to be punished. You have the choice, whether to be a poor and righteous slave or be a rich and corrupt master."

      Gyugyu is the name of the slave.

      https://www.imdb.com/title/tt0075467

  • bt1a 6 hours ago |
    I'm curious about the process to find that initial buffer address - does that involve entering a few different strings and searching the memory snapshot for those byte patterns?
    • bbayles 6 hours ago |
      Yeah, exactly! I took a couple memory snapshots of the name "AAA" and then threw out all of the addresses that had values that didn't match the first snapshot. Then I changed it to "BBB" and threw out all the addresses that did match.

      There's a program called Cheat Engine that can make this a point and click thing; that's usually how people find GameShark-style codes.
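The narrowing bbayles describes above, as an added example (not the author's script and not Cheat Engine's code): three constructed RAM dumps, a first-pass scan for the typed value, then an "unchanged" filter between two dumps with the same name and a "changed" filter after the name is retyped. The base address 0x8C000000 and the buffer offsets are assumptions used only for the constructed data.

```python
import random

BASE = 0x8C000000   # assumed load address for the constructed dumps (not taken from the post)
NAME_BUF = 0x100    # constructed: offset of the "real" initials buffer
DECOY = 0x300       # constructed: offset of an unrelated string that also reads "AAA"

def _filler(seed: int, size: int) -> bytearray:
    """Deterministic junk bytes >= 0x80, so they can never spell "AAA" or "BBB"."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(0x80, 0x100) for _ in range(size))

def make_snapshots():
    """Three constructed dumps: "AAA" entered, "AAA" again (other memory churns), then "BBB"."""
    snap1 = _filler(1, 0x1000)
    snap1[NAME_BUF:NAME_BUF + 3] = b"AAA"
    snap1[DECOY:DECOY + 3] = b"AAA"
    snap2 = bytearray(snap1)
    snap2[0x800:0x810] = _filler(2, 0x10)   # something unrelated changed between dumps
    snap3 = bytearray(snap2)
    snap3[NAME_BUF:NAME_BUF + 3] = b"BBB"   # player retyped the initials
    snap3[0x900:0x910] = _filler(3, 0x10)
    return bytes(snap1), bytes(snap2), bytes(snap3)

def _window(dump: bytes, addr: int, width: int) -> bytes:
    return dump[addr - BASE:addr - BASE + width]

def scan_value(dump: bytes, needle: bytes) -> set:
    """First pass: every address at which `needle` occurs in the dump."""
    hits, i = set(), dump.find(needle)
    while i != -1:
        hits.add(BASE + i)
        i = dump.find(needle, i + 1)
    return hits

def keep_unchanged(cands: set, before: bytes, after: bytes, width: int) -> set:
    """Same name re-entered: drop candidates whose bytes moved anyway."""
    return {a for a in cands if _window(before, a, width) == _window(after, a, width)}

def keep_changed(cands: set, before: bytes, after: bytes, width: int) -> set:
    """Name changed: drop candidates whose bytes did not follow."""
    return {a for a in cands if _window(before, a, width) != _window(after, a, width)}

def locate_name_buffer() -> list:
    snap1, snap2, snap3 = make_snapshots()
    cands = scan_value(snap1, b"AAA")              # real buffer and decoy both match
    cands = keep_unchanged(cands, snap1, snap2, 3)
    cands = keep_changed(cands, snap2, snap3, 3)   # only the real buffer now reads "BBB"
    return sorted(cands)
```

Each filter step is the same "compare two snapshots per candidate" operation Cheat Engine exposes as a button; the decoy string survives the value scan and the unchanged filter but not the changed filter.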

  • bitbasher 6 hours ago |
    Can we just take a moment to appreciate how incredibly odd the Ecco series is? For anyone that beat the games: you go from swimming in an ocean to flying with aliens. It's bizarre. Some people classify it as a horror game.
    • bbayles 6 hours ago |
      It really is a game with a strange mix of aesthetics. Blue skies and bright colors in the early levels; suspense and dread and supernatural stuff in the later levels.

      Another Ed Annunziata game called Three Dirty Dwarves is also stylistically unique.

    • nelup20 5 hours ago |
      My favorite aspect is the music; I regularly listen to the OST while working: https://youtu.be/tqMuvFEKCOk

      I've played a decent amount (never finished it), but I never understood why people say it's a horror game?

      • bbayles 5 hours ago |
        A friend of mine explained that there are overlapping phobias of water and deep dark spaces that this game triggers; he said it's unbearable to play the later levels.
        • nelup20 5 hours ago |
          I just checked what the final boss looks like, combined with the phobias... glad I didn't finish the game as a kid.

          Thanks for the article, great read!

        • Spoom 4 hours ago |
          I'd imagine anyone with claustrophobia would struggle with the last couple levels as well since they're essentially a battle against the screen crushing you.
    • deemster 5 hours ago |
      The name of the game probably comes from dolphins' echolocation ability. Another explanation I like to entertain is that the name is a reference to John C Lilly. He was a scientist who believed in an alien organization called the Earth Coincidence Control Office or E.C.C.O. He also studied dolphin intelligence and communication. He gave dolphins LSD in an effort to communicate with them. John C Lilly is an interesting rabbit hole to go down.
  • VyseofArcadia 5 hours ago |
    Great read!

    Do you have any resources on getting started with Dreamcast game reverse engineering? I've been wanting to do some things with Skies of Arcadia, and I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".

    • bbayles 5 hours ago |
      I've poked around a bit with that game! The main trick is to import the memory snapshot (various ways of dumping it to a file; people like Cheat Engine for this) into Ghidra.

      Ghidra can analyze the SuperH processor machine code natively, so the auto analysis will turn up lots of functions.

    • coldpie 5 hours ago |
      > I've been hoping there exist techniques more systematic than "see what values change between memory snapshots".

      FWIW this is pretty much the standard method for locating value locations in RAM. It actually works pretty well. Some emulators have tools built in for that, like Dolphin for example. Even old game hacking tools like the Gameshark for N64 used the technique, with an on-console UI. I don't know if any Dreamcast emulators have tools for it or not.

      I wrote about the technique in Dolphin here (and the followup article is also about console game hacking with Ghidra): https://www.smokingonabike.com/2021/01/17/hacking-super-monk...

      • AdmiralAsshat 4 hours ago |
        > Some emulators have tools built in for that, like Dolphin for example.

        This was an advertised feature of some DS flashcarts back in the day, too. I can't remember if it was the R4, the DSTwo, or what...but I recall an example video for their "Make your own cheats!" feature, which involved playing something like Super Mario Bros, turning on the "Cheats Finder" feature, then grabbing a coin, and maybe doing it a few times. The manager would then figure out the value that's changing in memory (presumably the sector that stores your coin amount), create the "cheat", and then you would enable it and watch your coin value go up.

  • j0hnyl 5 hours ago |
    I wish there was more detail on "how" this was done as opposed to just the "what"
    • nostoc 5 hours ago |
      It's very much the "how", what were you looking for that's not explained in the blog post?
      • j0hnyl 4 hours ago |
        --- By analyzing a memory snapshot from the flycast emulator, I found that the buffer at 8cfffb34 holds the visible portion of the initials you type in. But if you keep typing, the characters you put in before get pushed into the buffer at 8c3abf18.

        After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is a list of six special ones. ---

        How?

        • frakt0x90 4 hours ago |
          I don't know exactly how flycast works, but I've done similar things with other emulators: you take an action in the game (take damage, type something), then search memory for that value. In this case, the ASCII code for the letter typed. Keep doing this until you've narrowed down a single block of memory that holds everything you've done.
  • qingcharles 5 hours ago |
    When the original Ecco came out on the Megadrive (Genesis), I spent all my hard-earned money to buy it. That game is obscenely hard. I got frustrated, so I sat down for the afternoon with a pen and paper and somehow managed to decode the password system. I teleported to the final level and completed it the next day.

    Then I was wracked with guilt about spending all my money on a game I completed in two days.

    • coldpie 4 hours ago |
      > I sat down for the afternoon with a pen and paper and somehow managed to decode the password system

      Would love to hear more about this, if you have any recollection :)

    • VyseofArcadia 3 hours ago |
      What a final level, though! Having skipped a large chunk of the game, were you surprised by it?
    • 7bit 3 hours ago |
      You must be the only person in the world that beat this game, cheating or otherwise.
    • dfxm12 2 hours ago |
      Philosophically, I would argue that you did not complete the game.

      You skipped several levels and saw only some percentage of the intended content, gameplay, story, etc. Games in general, and Ecco the Dolphin is no exception, are very much about the journey and not just the destination. You missed out on themes & experiences like isolation, making friends with those outside of your in-group, conservation, time travel, communing with dinosaurs and, of course, space travel.

      So, you really shouldn't have felt so guilty.

  • 29athrowaway 5 hours ago |
    Is not this against the Ghidra EULA?
  • mytaterskin 4 hours ago |
    I've taken to older games a lot more in recent years; they feel like they have a lot more soul, if that makes any sense. Also, sorry about your car! Not going to leave it idling in the driveway anymore, thanks for the warning.
    • bbkane 4 hours ago |
      Are you sure you don't miss modern features like mandatory network connectivity and microtransactions?
  • fanoto 4 hours ago |
    Nice! Interesting how similar games seem to do this, checksumming to fixed integers. Pitfall: The Lost Expedition did something very similar by converting button presses into ASCII-represented strings of the input buttons that were then CRC-ed. The approach was similar to just brute-force in Python and compare to the extracted cheat hashes.

    I even spy your CRC32 table hidden in the `decrypted_ints`. The pre-generated tables are so easily searchable. It leaves me curious why they are so often found obfuscated in an attempt to make it more difficult compared to generating a new one with your own polynomial.

  • jimmaswell 4 hours ago |
    The 3DS version was very cool. I plan on completing it there eventually. I wonder if those devs had source access.
  • SideQuark 3 hours ago |
    The hash is merely a CRC32; exactly this one (polynomial 0x77073096, code is wrong)

    https://web.mit.edu/freebsd/head/sys/libkern/crc32.c

    (The decoded ints in the post are the constants in this CRC32).

    Knowing it's a CRC32 and knowing the polynomial allows inverting the answers in log time instead of exponential time by exploiting the modular math of the polynomial rings.

    • byteknight 3 hours ago |
      I know some of these words!
      • Thaxll an hour ago |
        It means that using brute force to find all the values would be much faster.
    • bbayles 3 hours ago |
      Thanks! I didn't clock that - should have looked at the decrypted values!
    • mirthflat83 2 hours ago |
      Do you have any tips on knowing how the value is a result of CRC32 and/or the polynomial/initial value used?
      • 15155 2 hours ago |
        Looking in the binary for the polynomial and knowing what the common ones are from experience is an easy way.

        Normally, the polynomial is going to be found right next to a loop that is ingesting bytes incrementally.
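An added example (not the article's script, nor the libkern crc32.c that SideQuark links) that covers both SideQuark's point that the decoded constants are the CRC-32 table and 15155's tip about spotting that table next to a byte-ingesting loop: it regenerates the standard table, checks that 0x77073096 is entry 1, runs the table-driven CRC over a string of initials and cross-checks it against zlib, and scans a constructed dump for the table's first words. Little-endian layout of the table words is assumed (the Dreamcast's SH-4 runs little-endian), and the dump contents are constructed, not game data.

```python
import random
import struct
import zlib

POLY = 0xEDB88320  # reflected form of the IEEE 802.3 polynomial 0x04C11DB7

def make_crc32_table() -> list:
    """The 256-word lookup table that every byte-wise CRC-32 implementation embeds."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = make_crc32_table()   # TABLE[1] is 0x77073096, the constant quoted above

def crc32(data: bytes) -> int:
    """Table-driven CRC-32 (init 0xFFFFFFFF, final XOR 0xFFFFFFFF), as in libkern/crc32.c."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def agrees_with_zlib(data: bytes) -> bool:
    """Cross-check against the reference implementation in the standard library."""
    return crc32(data) == zlib.crc32(data)

def find_crc32_tables(dump: bytes, words: int = 4) -> list:
    """Offsets where the first `words` table entries sit back to back as little-endian
    32-bit values (byte order is an assumption; swap to ">I" for a big-endian target)."""
    sig = b"".join(struct.pack("<I", w) for w in TABLE[:words])
    hits, i = [], dump.find(sig)
    while i != -1:
        hits.append(i)
        i = dump.find(sig, i + 1)
    return hits

def constructed_dump() -> bytes:
    """Junk bytes with the standard table planted at 0x200 (constructed, not real game data)."""
    rng = random.Random(7)
    dump = bytearray(rng.randrange(256) for _ in range(0x1000))
    dump[0x200:0x200 + 1024] = b"".join(struct.pack("<I", w) for w in TABLE)
    return bytes(dump)

if __name__ == "__main__":
    print(hex(TABLE[1]), hex(crc32(b"QQRIQ")), agrees_with_zlib(b"QQRIQ"))
    print([hex(o) for o in find_crc32_tables(constructed_dump())])
```

A table that matches this generator word for word means the game is using the stock CRC-32, not a custom polynomial, which is what makes the decrypted_ints in the post recognisable at a glance.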

  • butz 32 minutes ago |
    You should look into the PS2 version of this game; it seems to have the same code for level unlock. Maybe it will be easier to reverse engineer and figure out what all the codes do?
  • Liquix 22 minutes ago |
    An interesting aside: when asked about his inspirations, Ecco's developer Ed Annunziata said, "No, I never took LSD, but I did read a lot from John C. Lilly". Lilly is known for his pioneering work in the fields of animal intelligence, ketamine psychotherapy, isolation tanks, and consciousness exploration.

    The name "Ecco" is a reference to Lilly's ECCO (Earth Coincidence Control Office), a supernatural/extraterrestrial base which Lilly posited existed on the other side of the moon to coordinate all earthly "coincidences". He's also known for his work with dolphins, recognizing their intelligence and attempting to communicate with them by flooding part of his house in the Caribbean and cohabitating. This is just the tip of the iceberg. I'd recommend his autobiography The Center of the Cyclone if any of this is intriguing; he's a really fascinating guy.