Under the microscope: Tony Hawk's Pro Skater 2 (PlayStation, Dreamcast)

Mounting a dictionary attack against the Tony Hawk cheat code hashing system

Dec 01, 2024

In this edition:

By analyzing Tony Hawk’s Pro Skater 2 in Ghidra, I found that it has some cheat codes that have gone unreported for 24 years.
Finding that the codes exist was the easy part. To figure out how to put them into the game, I wrote a Python script that attacks the game’s hashing function.

The article describes what the codes do, how the Python script works, and how the game applies the cheat effects. This one was fun to figure out!

Intro

Tony Hawk’s Pro Skater 2 came out for Dreamcast in late 2000. I first played it on one of the Official Dreamcast Magazine demo discs and certainly got a lot out of that preview. My neighbor later got the PlayStation version, and we played it together for the next few years. Decades later the soundtrack is still buzzing in my head.

The Internet has a a bunch of cheat codes for THPS2 — most places list more than a dozen. IGN and CheatCC have decent lists for for PlayStation, but they don’t fully overlap. By combining data from multiple sites, I found 33 distinct codes.

Experience shows that games with lots of known codes often have some unknown ones, too, so I decided to investigate. I thought it would be a breeze to figure things out after I immediately located the game’s cheat code handling functions (that’s often is a challenge by itself)1. But the search turned into one of the more ambitious reverse engineering projects I’ve done — read on for details.

The code checker

Cheat codes are entered at the pause menu.

The function loaded to address 80080fb8 (on the NTSC-U version for PlayStation) handles cheat code input. It runs when the game is paused and you’re holding L1 (L on Dreamcast).

The Ghidra decompilation of that function is kind of a mess, but here’s what it’s doing in pseudo-Python:

if HOLDING_SQUARE:
    x, y = 0x03185332, 0x80FE4187
elif HOLDING_X:
    x, y = 0xB87610DB, 0xDE098401
elif HOLDING_CIRCLE:
    x, y = 0xDEADBEEF, 0xFE3010F3
elif HOLDING_TRIANGLE:
    x, y = 0x31415926, 0x7720DE42
elif HOLDING_LEFT:
    x, y = 0x93FE1682, 0x92551072
elif HOLDING_DOWN:
    x, y = 0x776643D1, 0x0901D3E8
elif HOLDING_RIGHT:
    x, y = 0xAB432901, 0x88D3A109
elif HOLDING_UP:
    x, y = 0x01234567, 0x34859F3A

HASH_1 = (((HASH_1 ^ x) << 1 ^ (HASH_1 ^ x) >> 0x1F) * 0x209) & 0xFFFFFFFF
HASH_2 = ((((HASH_2 ^ y ^ HASH_1 >> 8) << 1) & 0xFFFFFFFF) ^ (HASH_2 ^ y) >> 0x1F) & 0xFFFFFFFF

That is: Each button you press is associated with a pair of values. Those are used to update a pair of addresses (800d81d8 and 800d81dc) using a custom hashing algorithm.

The hash outputs are then compared to various values. For example for the “Double moon physics” cheat:

if (HASH_1 = 0x943ed118) and (HASH_2 = 0xDDBA0D98):
    DAT_800d27ec ^= 1
    return 1

If there’s a match, a cheat effect is applied (that’s the XOR) and the text on the pause screen is made to shake (that happens if this function returns 1). Some cheats only look at the first hash value.

There is substantially identical code in the Dreamcast version. The Nintendo 64 version uses a slightly simpler hash2.

There are 35 hash comparisons, which implies that there are two undiscovered cheat codes:

Hash (70153315, ANY) sets a flag at 800d61e0.
Hash (D7DDA9E0, 0x8F37160D) sets a flag at 800d779c

Now the task is to find them…

Attacking the hash

Some of the cheat effects are available from the game’s menu, but not all of them.

The simplest way to find the button sequences associated with the hashes would be to:

Generate every possible button sequence
Compute the hash values associated with each sequence
Compare them to the unknown cheat hash values

This brute force approach would work for short codes, but not for long ones. To generate all of the length 10 sequences would require computing about a billion hashes (8^10). That would work on my laptop, but length 11 codes (8 billion hashes) would be take a while, and 12 (68 billion hashes) would be a stretch.

The search space can be narrowed, however. Notice that the cheat codes for PlayStation aren’t random — most of them spell out a word like RUST or STUD. We can use this to our advantage and mount a dictionary attack. That is, start with a list of words made up of U, D, L, R, S, T, C, and X; generate permutations of them; hash the permutations; and check the results.

I used the /usr/share/dict/words file as a starting place:

subset_words = set()
letters = set('UDLRSTCX')
with open('/usr/share/dict/words', 'rt') as f:
    for word in f:
        word = word.strip().upper()
        if set(word) <= letters:
            subset_words.add(word)

The Python itertools module can generate the needed permutations:

from itertools import permutations

MAX_WORDS = 4
MAX_REPEATS = 3

def get_button_stream():
    for perm_length in range(1, MAX_WORDS  + 1):
        for perm in permutations(subset_words * MAX_REPEATS, perm_length):
            yield ''.join(perm)

When combined with the hashing code above, this script generated several of the values associated with cheat codes! But neither of the two unknown ones were revealed.

The word list doesn’t have some of the strings that the known codes like: XXX and XTC don’t appear, for example. I put those into the word list, and…

Hash 1   | Hash 2   | Buttons
---------|----------|--------
70153315 | 00000000 | XXXTUTUXTC

Hey, it’s one of the new ones!

The “no shadows” code

This new code turns off player shadows. On PlayStation, pause the game and hold L1 while entering X, X, X, Triangle, Up, Triangle, Up, X, Triangle, Circle.

Left: Shadows are on by default. Right: No shadows after entering the code.

I’m not sure why you would want to do this, but maybe it’s a leftover from debugging?

It works by setting the address at 800d61e0 from a value of 0 to 1. The function at 800756ec checks whether the value is nonzero and bails out early if it is — so it’s presumably shadow-related code.

Alas, the effect doesn’t work on Dreamcast. The corresponding button sequence is A, A, A, Y, Up, Y, Up, A, Y, B (while holding L) is recognized — it makes the screen shake and sets a flag — but your shadow persists.

The “10x score” code

There’s still one code that my dictionary attack didn’t reveal. I tried a bunch of things to try to figure it out, but still couldn’t come up with it. I enlisted help from the SegaXtreme Discord, and several people there jumped into assist.

After lots of failed attempts, I noticed that the prototype versions of THPS2 (e.g.) have shorter versions of the codes. For example, “Skater gains" weight” code is XXXXL in the prototype and XXXXL XXXXL XXXXL in the final game.

With that in mind, I put all of the prototype code words into my dictionary. When I tried the attack again, the answer came out!

Hash 1   | Hash 2   | Buttons
---------|----------|--------
D7DDA9E0 | 8F37160D | TXTUDUTXTUDUTXTUDU

So the code is:

PlayStation: (Holding L1) Enter “Triangle, X, Triangle, Up, Down, Up” three times
Dreamcast: (Holding L) Enter “Y, A, Y, Up, Down, Up” three times

This sequence is a repeated version of the prototype’s TXT UDU “Score times 10” code.

Here’s a video showing how things look without the cheat and then with the cheat:

On PlayStation the cheat sets the flag at 800d779c. On Dreamcast its flag is at 8c1b5ce0.

Outro

There were lots of contributors to this article — thanks to Vindico for identifying the effect of the “No shadow” cheat. And thanks to purist, Malenko, celeriyacc, erik, Knight0fDragon, Hassmaschine, and supahfly for contributing ideas, code, and number crunching power.

My Python code is here. I’m sure there’s a way to attack the hash function based on its lack of cryptographic strength. If you have an idea for that, do let me know.

For previous adventures in code finding, see my archive. Send me suggestions for other games to examine!

As usual I did this by comparing diffing memory snapshots and then loading one of the snapshots into Ghidra. You can easily do before-and-after memory comparisons with Cheat Engine.

The Nintendo 64 version recognizes 11 different cheat codes, all of which are already documented.

foxx

Apr 5

Bo, I need your help with the game Tony Hawk's Pro Skater 2 (DC).

1 All hidden characters:

Pause the game, then hold L and press X, B, Right, Y, B, Right, B, Y, Right, X, Right, Up(2), Left, Up, X. If you entered the code correctly, the pause screen will shake - the cheat code worked, but the hidden characters did not appear. How to open them with this cheat code, help?

2 I found 2 more cheat codes on the Internet, but when I enter these cheats, the pause screen does not shake:

a)Blinking ramps :

Press Start to pause game play, then hold L and press Down, Up, X, B, Up, A.

b)Neversoft skaters :

Press Start to pause game play, then hold L and press Up, X(2), Y, Right, Up, B, Y.

Maybe I need to press some more buttons?

3 How to unlock this secret character? (Image in red square).

https://ibb.co/Zp511Dqx

4 Bo, is this a full-fledged debug menu (mode) or code remnants?

https://ibb.co/Q204Q0T

Expand full comment

2 replies by Bo and others

2 more comments...

Rings of Saturn

Discussion about this post