Under the microscope: Ecco the Dolphin — Defender of the Future

Re-routing the encryption

In this edition:

• Ecco the Dolphin: Defender of the Future has some previously unrecognized cheat features that activate based on what you name your save file.

• Using Ghidra and Python, I reverse-engineered the encoding scheme to reveal the special names.

• One of them has been known for ages, but I found the rest! They unlock features like “immortality” and debug display.

Yes, we’re doing a Dreamcast game! Here’s the list of special names and effects:

1. Go to the VMU Menu > New game > Enter your initials screen.
2. Enter one of these sequences, making sure not to end after 3 letters.

GYUGYU+XXX : Unlock all levels
SOCCER+XXX : Unlock bonus stage*
EXBBERX+XXX: Immortality mode*
QQRIQ+XXX  : Show FPS*
XYZZYX+XXX : Show time*
POPELY+XXX : Nothing?

---

Intro

Ecco the Dolphin: Defender of the Future is the last officially released Ecco game (a later one was canceled). It has one known cheat:

• Go to the VMU screen and choose New Game

• Enter your initials as GYU, but don’t press End.

• Type in GYU again, then any three letters (GYU GYU XXX works).

• Press X to leave the menu. When you go to “Load game,” all stages will be available to play.

So, is that the only special name? Did the developers put in this functionality for one cheat? I decided to investigate…

---

Analysis with Ghidra

By analyzing a memory snapshot from the flycast emulator, I found that the buffer at 8cfffb34 holds the visible portion of the initials you type in. But if you keep typing, the characters you put in before get pushed into the buffer at 8c3abf18.

After loading the memory snapshot into Ghidra, I found that the function at 8c0334d8 reads this buffer. It performs a transformation on the buffer and then checks whether the transformed value is a list of six special ones.

GYU GYU XXX transforms into 9388D627, which is the first special value in the list:

Ghidra’s decompilation of the transformation function is pretty good. Here it is with my variable names added:

At a high level, it:

• Reads in a passphrase

• Uses the passphrase to decrypt a 1024 byte key

• Computes a checksum from the input buffer that uses the key

• Re-encrypts the key

Since it’s a checksum, it’s a one-way function; you can’t determine the inputs that produce the special values by inspection. So we’ll have to use…

---

Brute force with Python*

GYU GYU is only six characters. There are 26^6=308,915,776 possible six character values. It’s feasible to process all of them and check whether they produce any of the special values.

There are 8 billion seven character values, which is also reachable. There are 208 billion eight character values, which is pushing it on my laptop. But let’s try it!

I replicated the processing code in Python as follows:

• Copy the blocks of memory that holds the uninitialized input buffer, passphrase, and key.

• Decrypt the key with the passphrase.

• Loop over every sequence of 1, 2, 3… 8 characters and put them into the input buffer.

• Compute the checksum for the given input.

• Compare the checksum to the targets.

The full code is here.

I started writing a parallel version of this, but by the time I had it running, the single threaded version had already emitted everything I needed. Here’s the output:

NNSET 5b47c23b 1
QQRIQ 6ed996ae 3
GYUGYU 9388d627 0
POPELY 4a78edbb 5
SOCCER 5b47c23b 1
XYZZYX 89367cea 4
ADEMVSSF 5b47c23b 1
ADQUROPK 89367cea 4
AEAPWNVO 6ed996ae 3
AFTJSXOT 9388d627 0
EXBBERX 2d1ef68d 2

The last column is which special value the input matched. You can see that the mapping is not unique: NNSET, SOCCER, and ADEMVSSF will all unlock the bonus soccer game (see below). AFTJSXOT works as well as GYUGYU for unlocking all stages.

*Update: Thanks to metalliczx and SideQuark for pointing out that after decryption, this is a standard CRC32 checksum polynomial. That means there’s a more efficient way to get the target values than brute force!

---

The effects

Enter your initials as SOCCER+XXX to unlock the Bonus Game, in which you play underwater soccer. This sets the 0x2 bit on the flags at 8c3ac00c.

EXBBERX+XXX makes Immortality Enabled show up on the Options screen. As you might guess, you can’t drown or die when this cheat is in effect. This sets the 0x400 bit on the flags at 8c3abe48 and the 0x4 bit on the flags at 8c3abb00.

QQRIQ+XXX will show the game’s frame rate, plus some other debugging values. XYZZYX+XXX will show the current clock value. These change the values at addresses 8c35659c and 8c3565a4.

Both debug info flags applied

There’s one more password: POPELY+XXX. I don’t know what it does! I suspect that the answer is “nothing” and that it was meant to activate the flag at 8c3b0e44. This causes a Cheats Enabled message to appear, but doesn’t seem to have any other effect:

You can make this appear, but I don’t think it does anything

---

Outro

For another look at an Appaloosa Interactive game’s encoding scheme, see my article on Three Dirty Dwarves.

I’ve got lots of other articles on finding previously unknown cheat codes — see my archive here.

Comments

[zyrobs]

Note, some of the codes have special meanings in Hungarian:

QQRIQ is phonetic for "kukuriku" which is the Hungarian onomatopoeia for the rooster crowing.

GYUGYU may be short for the name Gyula, a Hungarian first name (I didn't check if the game has any devs with that name)

POPELY is the Hungarian name for Popeye (the Sailor Man). Perhaps it makes you stronger?

[Charley]

Could you possibly poke around the dreamcast game Pen Pen Tricelon?

The manual said there were extra maps. As a kid I even called a hotline and was told “you have to beat the game with every character to unlock bonus levels.” But i have never seen proof that they actually exist. Thanks for considering!!!

Charley.