Cracking the Clockwork Code
Finding the missing cheat code for Clockwork Knight 2
Clockwork Knight: Pepperouchau no Fukubukuro is a Japanese game that combines both Clockwork Knight (as “Part 1”) and Clockwork Knight 2 (as “Part 2”) with some extra modes and bonus content. It came out in December of 1995 in Japan.
In February of 1996, Clockwork Knight 2 came out in the U.S. Like Fukubukuro, it included “Part 2"“ and the extra modes and bonus content. But it was missing “Part 1.”
There were hints that “Part 1” would be unlockable, however. Some magazine previews alluded to a cheat code. This 1996 trailer said it explicitly1:
Pepperouchau, the wind-up knight, is back again facing down the Bosses and protecting the lovely Chelsea. This time his faithful companion, Ginger, gives him a hand. If you know the code, the entire first game is included.
But such a code never came to light… until now! 27 years later, we’ve got it. Enter this at the title screen:
Up, down, left, up, left, down, right, up, L, R, L, RHere’s a video of the code in action:
In this article, I’ll explain the technical details of how I figured this out. We’ll also look at how Sega disabled part 1 in the first place, and develop some patches to fully restore it.
The first thing I do when I start analyzing a game is figure out where it stores input. I do this by taking multiple memory snapshots: some while holding a button, some while not. By looking at how they differ, I can get the memory addresses that change for that button.
Clockwork Knight 2 stores the “held button” at address 06046098 and the “just pressed” button at 0604609c. It uses bit flags for each button:
0001 - B
0002 - C
0004 - A
0008 - Start
0010 - Up
0020 - Down
0040 - Left
0080 - Right
0800 - Left trigger
1000 - Z
2000 - Y
4000 - X
8000 - Right triggerIf we set read break points for those addresses, we can see what the game does with our input. Doing this at the title screen will give us two locations. The first, at 06004030, to check whether you’re following the directions to “Press Start Button.”
The second, at 0600d548 is more interesting. Rather than checking for whether a single button has been pressed, it is keeping a counter of how many button presses match a sequence. Here’s some psuedo-C, adapted from Ghidra’s decompilation:
Basically, if you get a button press right, it increments a counter. If that counter reaches 12, memory address 0605d975 gets set to 01 and “Part 1” is enabled!
The sequence of button presses is stored at 0602996a. Using the table of button values above let me read it off:
So how does this get disabled in the first place? If we set a write breakpoint for the 0605d975 address, we can see that it’s being zeroed out at startup by the code at 0600d4f2.
If we patch it to insert 01 (i.e. change the instruction at 0604dee to e401) instead, we’ll get Part 1 at the mode screen. Cool!
However, it gets set back to 00 if we play either Part 1 or Part 2 and then return to the mode screen. We can work around that by telling the game to go back to the title screen first.
The code at 06003bd2 sets the “game mode” to 0d (load the title screen) when we leave one of the games. If we change it to 0a (load the title screen) instead, we’ll get the the title screen instead:
This works because the process of loading the title screen runs the (now modified) code that writes to the 0605d975 address.
You can get a patch set for the game that implements these changes at SegaXtreme.
We’ll look at more Clockwork Knight stuff in future editions! What, you thought I only knew Sonic Team games?
Please explain how you converted the RAM address 0600D4EE to 04EF to patch 01 to the A.BIN executable.