Under the microscope: Tony Hawk's Pro Skater 3 (PlayStation)
Preimage attacks reveal eight new cheat codes for Neversoft's third Tony Hawk game
In a previous edition I found some new cheat codes for Tony Hawk’s Pro Skater 2. To do that, I had to find sequences of buttons that matched particular hash values computed by the game. I thought it would be a snap to use the same trick against the next game in the series, Tony Hawk’s Pro Skater 3, but it turned out to require more effort.
One obstacle to analyzing this game’s cheat codes is that the cheat sites are very confused about this game. Some mix in codes for THPS2, others give instructions that only make sense in the PS2 version, others give almost-but-not-quite-right button sequences. Here’s the real list of the known codes:
The hash values are computed as shown in the THPS2 article — this game handles cheat codes the same way that its predecessor did.
THPS3 checks for eight hash pairs in addition to the ones shown above, meaning that there are eight unknown cheats to find. But they’re difficult to figure out because this game is less fond of using English words for its code mnemonics than THPS2 was. What’s XRXUXXURLT supposed to be? LLUUCCLS? The dictionary-style attack that worked on the earlier game doesn’t work for these sequences.
Applying brute force
Saturn translation enthusiast Malenko let me run a search of the button sequences on his spare server in exchange for some debugging services1. That came up with a couple of the new codes, both of which relate to stats:
DULLSXX: gives you 5 stat points at the end of a Career Mode run.SSXRDLXCRSR: upgrades your in-session stats to level 13.
Ryan Govostes, who saw the earlier story about THPS2, jumped in with a more efficient brute force search program. He cracked five more:
TDTRUT: Enables “Super Revert.”SSSCCSC: Unlocks all stages.RLRLSLRR: Unlocks Wolverine.TUXSUXCUX: Doesn’t actually work (see below).RCDXLSUTDX: Unlock all stages and Officer Dick (must be in Career mode).
The unlock codes are pretty useful! The Super Revert one matches the cheat effect that you can enable from the Options menu.
TUXSUXCUX (classy) would unlock all skaters, but it’s disabled. It depends on the param_1 check shown below allowing it to execute, but it never does — the only caller of this function supplies param_1 = 1.
The final code
That left one code undiscovered. The brute force searches told us that it was longer than 14 characters, but we didn’t know how much longer — the game doesn’t impose a limit, so it could be 100 or 200 or 500 characters. We tried a few different approaches:
Ryan wrote a GPU-accelerated version of his search tool.
Jeffrey Bosboom, who I successfully nerd sniped into examining this problem, wrote a program that uses the invertibility of the hashing operations to mount a meet-in-the-middle attack.
Malenko’s server ran a modified version of my dictionary-style attack and found lots of hash collisions for every code but the one we were looking for.
I looked at other versions of THPS3 (Nintendo 64, GameCube, prototypes) for inspiration.
I eventually wrote a program that found the answer. It worked like this:
CPU thread 1: restrict the “alphabet” of letters to 1, check as many sequences as possible.
CPU thread 2: restrict the “alphabet” of letters to 2, check as many sequences as possible.
CPU thread 3: …you get the picture.
The third CPU thread found the answer:
DXDX DXDX DXDX DXDX S: Unlock all stages, cheats, and Officer Dick
After you put it in, you’ll get a series of screens explaining which things got unlocked:
The code has 17 characters, which would have taken a long time to find by searching with the full 8 letter alphabet (8^17 has 15 zeros). But since there are only three unique letters, we only had to search up to 129 million.
The full code is here.
Outro
Many thanks to Ryan Govostes, Jeffrey Bosboom, and Malenko for their assistance in finding these codes!
For many more articles about new codes for old games, see my archive.
Logic Puzzle Rainbow Town is available now!
Wow, isn't that something else... why would programers leave the cheats undiscovered for so long?