Monday, October 25, 2010

Some XBAND Recollections

In an earlier blog entry, A Memory From WebTV, Xband411 commented that he'd like to read about behind-the-scenes 1990s technology, so I thought I'd oblige...

I started at Catapult in 1995; I was there about 5 months before I left for WebTV. I was brought on to Catapult to do game hacks, which means you take a game for the Sega Genesis (my task was Super Street Fighter 2) and use the XBAND modem hardware to modify the game on the fly to support the XBAND network and features, so people could play 2 player games with an opponent over the phone lines. Hacking a game means reverse engineering it to figure out where the code reads from the joypads, where the main loop is, and how the menus operate, so one knows enough to modify the game.

The XBAND modem used technology pioneered by Game Genie type devices. It went between a Genesis cartridge and the game console. When the console tried to read a word from memory, the XBAND modem could examine the address and substitute its own value in place of the one from the real cartridge. Game Genie used this method for game cheats: say the instruction that decrements the number of lives is replaced by a NOP (no-op, meaning a do-nothing instruction), so the player could enjoy infinite lives.

The XBAND system needed more complex modifications than just changing a single word. It had that ability too; I think something like 6 different single words could be replaced with arbitrary values. But it could also map in big sections of memory on the fly, and could trap accesses to the interrupt vector tables. Using these capabilities, the patch writer could do just about anything to modify the game.
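To make the interposer idea concrete, here is an added example (my own illustration, not XBAND or Game Genie code) of a bus-read path with both mechanisms the two paragraphs above describe: a small table of single-word substitutions and one mappable region served from the interposer's own memory. The 68000 opcodes are real encodings; the cartridge contents, the addresses, the six-slot limit and the 0xFFFF open-bus value are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real 68000 encodings used below. */
#define OP_NOP          0x4E71u   /* NOP: do nothing */
#define OP_SUBQ_W_1_D0  0x5340u   /* SUBQ.W #1,D0: decrement the value in D0 */
#define OP_TRAP0        0x4E40u   /* TRAP #0: enter the exception handler for vector 32 */

/* Constructed stand-in for a cartridge ROM: eight words starting at address 0.
   Offset 0x04 is imagined to hold the game's "lose a life" decrement. */
#define ROM_WORDS 8
static const uint16_t cart_rom[ROM_WORDS] = {
    OP_NOP, OP_NOP, OP_SUBQ_W_1_D0, OP_NOP, OP_NOP, OP_NOP, OP_NOP, OP_NOP,
};

/* Slot table for single-word substitutions (the post recalls about six slots). */
#define MAX_WORD_PATCHES 6
struct word_patch { uint32_t addr; uint16_t value; int active; };
static struct word_patch word_patches[MAX_WORD_PATCHES];

/* One mappable region whose reads are answered from the interposer's own memory. */
struct region_map { uint32_t addr; uint32_t len_words; const uint16_t *data; int active; };
static struct region_map region;

void clear_patches(void) {
    for (int i = 0; i < MAX_WORD_PATCHES; i++) word_patches[i].active = 0;
    region.active = 0;
}

/* Returns 0 on success, -1 when every slot is in use. Re-patching an address
   already in the table overwrites that slot instead of consuming a new one. */
int set_word_patch(uint32_t addr, uint16_t value) {
    addr &= ~1u;                       /* word accesses are even-aligned */
    for (int i = 0; i < MAX_WORD_PATCHES; i++)
        if (word_patches[i].active && word_patches[i].addr == addr) {
            word_patches[i].value = value;
            return 0;
        }
    for (int i = 0; i < MAX_WORD_PATCHES; i++)
        if (!word_patches[i].active) {
            word_patches[i].addr = addr;
            word_patches[i].value = value;
            word_patches[i].active = 1;
            return 0;
        }
    return -1;
}

void map_region(uint32_t addr, const uint16_t *data, uint32_t len_words) {
    region.addr = addr & ~1u;
    region.data = data;
    region.len_words = len_words;
    region.active = 1;
}

/* The console's read as seen through the interposer: the address is inspected
   before the cartridge answers, and the interposer may substitute its own word. */
uint16_t bus_read16(uint32_t addr) {
    addr &= ~1u;
    for (int i = 0; i < MAX_WORD_PATCHES; i++)
        if (word_patches[i].active && word_patches[i].addr == addr)
            return word_patches[i].value;
    if (region.active && addr >= region.addr && addr < region.addr + 2 * region.len_words)
        return region.data[(addr - region.addr) / 2];
    if (addr / 2 < ROM_WORDS)          /* pass-through to the real cartridge */
        return cart_rom[addr / 2];
    return 0xFFFFu;                     /* nothing mapped there (constructed open-bus value) */
}

/* Interposer-side memory a patch can map in: a TRAP followed by NOPs (constructed). */
static const uint16_t patch_ram[4] = { OP_TRAP0, OP_NOP, OP_NOP, OP_NOP };

int main(void) {
    clear_patches();
    printf("before: %04X\n", bus_read16(0x04));   /* 5340: the decrement */
    set_word_patch(0x04, OP_NOP);                 /* Game Genie style infinite lives */
    printf("after:  %04X\n", bus_read16(0x04));   /* 4E71: NOP */
    set_word_patch(0x00, OP_TRAP0);               /* a breakpoint at the first word */
    map_region(0x10, patch_ram, 4);               /* a larger patch mapped in wholesale */
    printf("mapped: %04X\n", bus_read16(0x10));   /* 4E40 */
    return 0;
}
```

The word-patch and region checks run before the ROM lookup on purpose: the whole point of the device is that the console never learns the cartridge's answer was replaced. Note that a single-word NOP only works cleanly on a single-word instruction; a multi-word instruction would need its extension words patched as well.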

In 1985 I got an Amiga computer, and I got addicted to hacking on it. I wrote a 68000 debugger for it, written in 68000 assembly language. I modified the debugger to make it easy to hack games: one could use a terminal on the serial port and debug a game as it was running. A fellow named Ron Haines paid me like $50 to crack games so he could include the game hacks in his RawCopy product.

In 1995 when I joined Catapult I wanted to use my own debugger, so I modified it to work with the XBAND modem. The XBAND modem itself had 7 LEDs on it that flashed and could be used to convey information during development. I got the idea to use the LEDs to communicate with a debug terminal. I used 4 bits as I/O for data exchange, 2 bits for strobes (one for each direction), and one bit to signify whether the low or high nibble of a byte was being transmitted. I had a wire that went from the LEDs on the XBAND modem to a bi-directional parallel port. I modified my debugger code to use this scheme for communication. I added an interface in my debugger to use the XBAND hardware for setting breakpoints. A breakpoint could be achieved by replacing an instruction with a TRAP instruction, which would trigger interrupt processing so the debugger could get control.
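The seven-line LED link above is a tiny parallel protocol, and it is worth seeing why the nibble-select bit earns its LED. The following is an added example of my own, not the author's debugger code: an encoder that turns bytes into port samples and a decoder that reconstructs them from strobe edges. The bit positions, the use of a pulse (raise, then drop) for each strobe, and the sample message are all assumptions; the post only gives the counts (4 data, 2 strobes, 1 nibble select).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of the seven LED lines (the post does not say which is which). */
#define DATA_MASK   0x0Fu   /* bits 0-3: data nibble */
#define STROBE_M2T  0x10u   /* bit 4: strobe for modem -> terminal */
#define STROBE_T2M  0x20u   /* bit 5: strobe for terminal -> modem */
#define NIBBLE_HI   0x40u   /* bit 6: 0 = low nibble of the byte, 1 = high nibble */

/* Encode bytes as port samples. Each nibble is presented with the sender's
   strobe raised, then the strobe is dropped, so every nibble is its own pulse. */
size_t led_encode(const uint8_t *msg, size_t n, uint8_t strobe_bit,
                  uint8_t *samples, size_t cap) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        for (int hi = 0; hi < 2; hi++) {
            if (out + 2 > cap) return out;
            uint8_t nib = hi ? (uint8_t)(msg[i] >> 4) : (uint8_t)(msg[i] & DATA_MASK);
            uint8_t frame = (uint8_t)((hi ? NIBBLE_HI : 0) | nib);
            samples[out++] = (uint8_t)(frame | strobe_bit);  /* data valid, strobe up */
            samples[out++] = frame;                           /* strobe down */
        }
    }
    return out;
}

/* Decode by acting only on the rising edge of the chosen strobe. The nibble
   select bit keeps the two halves paired: a high nibble with no low nibble
   pending is dropped and a second low nibble replaces the first, so a lost
   sample costs one byte instead of shifting every later byte by four bits. */
size_t led_decode(const uint8_t *samples, size_t n, uint8_t strobe_bit,
                  uint8_t *out, size_t cap) {
    size_t count = 0;
    uint8_t prev = 0, lo = 0;
    int have_lo = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t cur = samples[i] & strobe_bit;
        int rising = cur && !prev;
        prev = cur;
        if (!rising) continue;
        uint8_t nib = samples[i] & DATA_MASK;
        if (samples[i] & NIBBLE_HI) {
            if (have_lo && count < cap) out[count++] = (uint8_t)((nib << 4) | lo);
            have_lo = 0;
        } else {
            lo = nib;
            have_lo = 1;
        }
    }
    return count;
}

/* Round trip of a constructed debugger line in the modem -> terminal direction. */
int roundtrip_ok(void) {
    static const uint8_t msg[] = "PC=00FF0104";
    uint8_t samples[4 * sizeof msg], out[sizeof msg];
    size_t ns = led_encode(msg, sizeof msg, STROBE_M2T, samples, sizeof samples);
    size_t nd = led_decode(samples, ns, STROBE_M2T, out, sizeof out);
    return nd == sizeof msg && memcmp(out, msg, sizeof msg) == 0;
}

/* Same line with the high-nibble pulse of the first byte removed: the decoder
   resynchronises on the nibble-select bit and returns every byte but the first. */
int resync_after_lost_sample(void) {
    static const uint8_t msg[] = "PC=00FF0104";
    uint8_t samples[4 * sizeof msg], out[sizeof msg];
    size_t ns = led_encode(msg, sizeof msg, STROBE_M2T, samples, sizeof samples);
    memmove(samples + 2, samples + 4, ns - 4);     /* drop samples 2 and 3 */
    ns -= 2;
    size_t nd = led_decode(samples, ns, STROBE_M2T, out, sizeof out);
    return nd == sizeof msg - 1 && memcmp(out, msg + 1, sizeof msg - 1) == 0;
}

int main(void) {
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    printf("resync:     %s\n", resync_after_lost_sample() ? "ok" : "FAILED");
    return 0;
}
```

Because the data lines are shared, the two directions are told apart purely by which strobe moved; a receiver watching STROBE_M2T ignores pulses on STROBE_T2M entirely, which the test below also checks.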

I hacked Super Street Fighter 2, and during the process of its development the hack got more and more refined. Some XBAND users commented about how cool it was to see a hack evolve and features get added. They were sort of beta-testers. There was one "bug" in my hack that they found: players could hit the start button, go to the configuration menu and set it so the other player was played by the computer, and from that point on the other player could only watch helplessly as he was defeated. We thought that was hilarious when we found out about it -- some XBAND players had complained, and that's how we found out about the exploit. It was trivial to fix once we were aware of it.

There were 3 of us doing game cracks. 2 guys did the SNES cracks, and I did Genesis. We used to play Doom2 all the time. We'd stay long hours at the office, playing Doom2 late at night. Occasionally a game would start during working hours, and a fellow named Kon Othmer would mysteriously show up and lay a guilt trip on us for playing. I figured he must have installed some sniffer so he could tell when the Doom2 network packets were going around, because he had some magical way of knowing when a game was on...

While I was there a fellow named Joe Britt made a board he called the Pocky board. It plugged into either a SNES or a Genesis and let you debug games with an unmodified XBAND modem. I remember that had originally been a project Steve Roskowski had designed. Rosko's approach was a big Y-type board that plugged into the Genesis; on one side you'd plug in the XBAND modem and on the other you could plug in a game cartridge. I thought the thing looked like a monster. In fact Rosko called it the ghidrah, after a 2 headed monster. That board was never built; the Pocky board served the purpose.

I remember Joe Britt had put a GAL (an early programmable logic device) on the Pocky board, and I came up with a solution to a problem using it. The Pocky board plugged into the side port of the Genesis where the Sega CD would plug in. Not enough address lines came out of that port, so it wasn't certain which address range was being accessed (whether it was the cartridge ROM or some other region). My solution: by accessing a certain non-random sequence of addresses in order, one could walk the GAL up through a state machine until it unlocked the memory region for some memory mapped registers we needed to access. Any incorrect address would start the state machine back at state 0. Joe Britt had said he could do the state machine with a tool he had, but he spun for many hours without success. I just wrote the state machine myself using the logic equations and some addresses I picked at random. The thing worked perfectly; there was no accidental triggering.
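The unlock logic described above is a sequence-detecting state machine: each expected address advances it, any other address resets it, and the register window opens only in the final state. Here is an added example of my own, not the Pocky board's GAL equations, modelling that behaviour in software. The four knock addresses, the register window address, its contents, and the choice that the GAL stays unlocked until an explicit reset are all constructed for the example; the real design also saw only the address lines present on the side port, whereas this model compares whole addresses for clarity.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed unlock sequence. The post says the real addresses were picked at
   random; these are placeholders, not the Pocky board's values. */
#define KNOCK_LEN 4
static const uint32_t knock[KNOCK_LEN] = { 0x2A9C1Eu, 0x1F3A40u, 0x38D072u, 0x0B6E88u };

/* Register window the GAL gates (constructed address and contents). */
#define REG_BASE   0x3F0000u
#define REG_WORDS  4
static uint16_t regs[REG_WORDS] = { 0xC0DE, 0x0001, 0x0002, 0x0003 };

struct gal { unsigned state; };   /* 0 .. KNOCK_LEN; KNOCK_LEN means unlocked */

void gal_reset(struct gal *g) { g->state = 0; }
int gal_unlocked(const struct gal *g) { return g->state == KNOCK_LEN; }

/* Every bus access passes through here. The expected address advances the
   state; any other address restarts at 0, as the post describes. Once unlocked
   the GAL stays unlocked until gal_reset (an assumption for this example). */
void gal_observe(struct gal *g, uint32_t addr) {
    if (gal_unlocked(g)) return;
    if (addr == knock[g->state]) g->state++;
    else g->state = 0;
}

/* A read of the gated window: returns 1 and the value when unlocked, else 0. */
int reg_read(struct gal *g, uint32_t addr, uint16_t *value) {
    gal_observe(g, addr);
    if (!gal_unlocked(g) || addr < REG_BASE || addr >= REG_BASE + 2 * REG_WORDS) return 0;
    *value = regs[(addr - REG_BASE) / 2];
    return 1;
}

/* Feed a trace of addresses to a fresh GAL and report whether it ends unlocked. */
int trace_unlocks(const uint32_t *addrs, size_t n) {
    struct gal g;
    gal_reset(&g);
    for (size_t i = 0; i < n; i++) gal_observe(&g, addrs[i]);
    return gal_unlocked(&g);
}

/* Ordinary-looking traffic from a constructed LCG: the "no accidental
   triggering" property means this never ends unlocked. */
int random_traffic_unlocks(uint32_t seed, size_t n) {
    struct gal g;
    gal_reset(&g);
    for (size_t i = 0; i < n; i++) {
        seed = seed * 1103515245u + 12345u;
        gal_observe(&g, (seed >> 8) & 0x3FFFFEu);   /* even address within 4 MB */
    }
    return gal_unlocked(&g);
}

int main(void) {
    struct gal g;
    uint16_t v = 0;
    gal_reset(&g);
    printf("locked read:   %d\n", reg_read(&g, REG_BASE, &v));      /* 0 */
    for (int i = 0; i < KNOCK_LEN; i++) gal_observe(&g, knock[i]);
    printf("unlocked read: %d value %04X\n", reg_read(&g, REG_BASE, &v), v);  /* 1, C0DE */
    printf("random traffic unlocks: %d\n", random_traffic_unlocks(1u, 100000));   /* 0 */
    return 0;
}
```

One practical consequence of the reset-on-mismatch rule: the knock accesses have to be consecutive on the bus, so the code issuing them must not be interrupted part-way, or the interrupt handler's own fetches restart the machine.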

In 2005 someone interviewed me about Catapult and XBAND; here is a link to that.

6 comments:

Tommy said...

Thanks David! I just recently have taken up interest in the Xband revival project. We're also working on reviving the Xband through emulation. Redesigning the Xband in .net, patching ROMs to lock out single player, then watching the scores through ram streaming to award wins to the server! You guys were really ahead of the curve, and your work is still appreciated to this day. Come check it out sometime : http://www.saturnleague.com/

dashxdr said...

@Tommy

Sounds great, only for me .net == .shit.

Why not go with python or ruby or something else not the spawn of satan?

Tommy said...

That's actually hilarious. I knew you were going to say that. The problem is I need to learn some real languages. I'm slowly getting into C#, which I hope will in turn make me feel comfortable enough to go straight C++... I wish I would've never started in VB6, but it was all my school offered. I just stuck in that comfort zone. Trust me, if I knew a powerful language that wasn't so platform dependent I would jump on that shit in a second.

dashxdr said...

@Tommy

What a career path! Start with .BAT files, become MSE certified, skip j++, try out VB, get deep into .NET, try to transition to C#, and dream of getting into c++.

Except for c++ you're deep in M$ land. In Mordor where the shadows lie. Haven't you heard? The tide is going out. Get into unix. The c++ fad is fading also, c++ isn't maintainable. Even the same programmer one year later can't figure his own code out.

Your list of talents reads like my own list of What One Ought To Avoid. That's hilarious.

Tommy said...

I appreciate the advice David. I didn't walk this path entirely. In fact, I used to be a huge Mac guy (OS 6.08 / 7.5 and AUX). :/ I even really got into BSD. Unfortunately in high school I was working with early versions of NT and Citrix Meta/Video Frame (really cool shit at the time). It also unfortunately pushed me into NT 4 and Windows 2000. I will rewrite the new Xband client in Perl or Ruby, and take that as a challenge. Regardless I appreciate your advice and opinions.
-Krazystyle

Huckleberry Pie said...

So basically the way Xband worked was similar to how the hackers behind the Multi Theft Auto and San Andreas Multiplayer injected MP capability to GTA. The two programs also made use of memory manipulation and other hooking techniques, although MTA went away from pure memhacking to a more stable technique.