Today, we have something very special and unusual! Yacht Club Games did some tracking down of Ricky Filion, aka Sparktail, aka the man responsible for unearthing our 300+ cheat codes to the internet and took the gaming world by storm! We got him to agree to something fun – a post describing his experience decrypting our game!
Enjoy what he has to say below!
Hello, Shovelers and Shovelettes!
Ever wondered how the world came to know about the wonders of Butt Mode, gigantic heroes and near god-like cheating abilities? Today is your lucky day, because, as the man who unearthed all those precious cheat codes buried deep within the game, I will explain to you how I managed to extract and deliver those codes.
Before I begin, I want to thank Yacht Club Games for their wonderful little gem of a game and for giving me the opportunity to talk to you today. I bought the game for my 3DS the day it came out, having waited for it eagerly for months, and I had a lot of pleasure beating it… again… and again… and again… until no Feat stood in my way. After that glorious conquest, there was nothing left to dig up, or so I thought. My curiosity and an unhealthy amount of Internet lurking led me to the knowledge that there were, apparently, over 300 cheat codes in the game, waiting to be found. As a Software Engineer and video game enthusiast, I simply couldn’t let those codes rest underground. So I took up the shovel again and embarked on a new quest for justice… shovel justice!
The hard part isn’t to dig… it’s to know where to dig
Wanting to find the cheat codes was a nice goal and all, but I immediately hit a wall when I realized that the 3DS files on my SD card were encrypted, and thus of no use to me. At that point, only three codes were known to the public and my first idea had been to look through the game files to find them, and then, logically, the other codes would be close and ripe for the taking. With the 3DS files unusable, I turned to the PC version of the game, which was thankfully left unencrypted.
Unfortunately, an hour of searching through the files on my PC rewarded me with nothing but a chest full of dirt. If those cheat codes were somewhere in the game, they weren’t to be found in text form anywhere. My second hypothesis was that the codes were encrypted in the game files, and when the game code is executed, it would decrypt those codes and compare them to the name you enter in your profile. At that point, most people would probably have given up, but I had a few relics at my disposal to help me find the codes and push the matter further.
How do you look at a game’s code? When it’s executed on a game console, you can’t really do that, but when it’s executed on a PC, it’s actually very easy to do, using a program called a debugger. The debugger takes any piece of software made to run on a PC and allows one to run through the code as it’s being executed on the PC, line by line. The debugger I use is called OllyDbg. A debugger looks like this:
As you can see, it’s not very pretty. What is shown isn’t the human readable code the developers wrote, but rather the machine code run on the computer, called the disassembly. One needs a lot of computer knowledge to understand what it all means, and even then, it’s a lot like trying to solve a puzzle. All the pieces are there, except someone was a big ol’ meanie and decided to make all the pieces look the same. There were literally tens of thousands of those lines, so where does one start?
Fortunately, OllyDbg offers a few tools to help with that task. It can analyse the executable file to show what is code and what is data, it shows calls to known system functions and can list all the text referenced in the code. Since I wanted to find the cheat codes, I tried to find any reference to the word ‘cheat’ or any reference to the text that is displayed on the screen when you unlock a cheat code. Most of the text in the game was completely useless, but one bit of text got my undivided attention: cheatConfirm. That was the location in the game code where the game chose which menu to display to the player, such as the profiles, the name menu or the activate cheat menu. That was a good starting point. I will spare you the details of the next four hours, as they contain a lot of frustration and hitting dead ends associated with trying to find a needle in a haystack, while dealing with a fullscreen game that didn’t want to play nice with my debugger. At all. To the point I had to reboot my computer a few times. No one said treasure digging didn’t come with a few hitches along the way.
In the end though, I finally found the exact location where the game checks the name you enter to see if it’s a valid cheat code. I thought I had finally won… until it dawned on me that the game never actually stored any cheat code, rather, it generated them on the fly! Talk about a mood breaker!
Sometimes, you need to build from the ground up
Four hours of searching, and I was back to square one. I knew where the codes were, or rather, where they weren’t. Instead of storing the password in text, the game did something really crafty. In fact, it is the same technique used by most websites to store your password. When you enter a password on a website, any respectable website isn’t going to store your password as you typed it in their database. It wouldn’t be very secure, and any encryption used could be easily defeated by anyone with total access to the database. Worse, any hacker able to exploit website vulnerabilities would be able to get your password with enough effort!
To counter that, there exists a special kind of ‘encryption’ called hashing. Hashing is a family of techniques that transform a piece of information (a word, a password, a sentence) into a fixed-length number. The transformation is one-way, with enough information lost in the transformation that it would be near impossible for a hacker who somehow acquired that number to transform it back into your password. That number is also large enough to ensure that trying random passwords until you get one that works is a fruitless effort, as it could take billions of years for a super-computer to find one password with the current level of technology.
Now I can see those little hamsters in your head going crazy, asking “Wait, if the game uses the same method to protect their cheat codes, how did you find them?” That would be a very good question, indeed. In theory, a good hash provides the aforementioned protection against hacking, but a bad hash can render that protection moot. In Shovel Knight, your password is transformed into a 32-bit number, which is a number between 0 and roughly 4 billion. It may seem like a big number, but in the world of computers, it’s actually a very small number. A secure hash has 128 bits and some have 256 bits. One may think that would be only 4 or 8 times more secure, but actually, each time you add one bit, you double the number of possibilities. A 128-bit hash has about 3.4e38 possibilities (on a piece of paper, you would write 34 followed by 37 zeros!). Suddenly, 4 billion seems like an extremely tiny number in comparison! Still, I had 321 codes to try and over 4 billion possible matches. It was certainly feasible, but how would I do it?
The excavation begins!
The answer came to me the very next day. I wrote a piece of code that was about the same length as the one-way hashing code found in the game and ran it. To my surprise, it ran 60 million times every second! I did some calculations and it dawned on me that, given the random nature of hashes, any code entered had a one in 4 billion chance to be a valid hash. Since I could in theory run 60 million of them every second, it would only take 100 seconds to find one code, on average. Certainly a far cry from the billions of years it would take with a certified hashing method. That evening, I wrote a program that did exactly what the one-way encryption did, then ran it in a loop trying codes from AAAAAAAA to ZZZZZZZZ. Why that range? For a few reasons, but mostly because it made for the fastest loop code and because parts of the hashing code changed depending on the length of the name used. Those crafty devs at Yacht Club Games.
After a few experiments, I finally wielded the first cheat code I had generated myself, a replacement for the Iron Man of Gaming code. I tried it on my 3DS and… it worked! I had done it! I finalized my program, put a fan at the highest speed right next to my laptop (my program made my computer heat up like crazy, because it ran the fastest it could) and let it write all 321 codes overnight in a text file. I held in my digital hands the Holy Grail of Shovelry. But what did all those codes do?
On a side note, for anyone who has been wondering why the passwords I found look nothing like the official ones, the answer is simple. One of the weaknesses of hashing is that, since it loses information during the transformation, there exist many, many passwords that generate the same hash number. My program only found one possible password for each cheat code, but I could have found many more. I could publish a completely different list of passwords tomorrow, and they would still work, but you’re unlikely to find a password yourself by manually entering random letters as a name in the game, unless you can somehow enter 60,000,000 names per second. That’s the beauty of hashing.
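To make the two points above concrete (why a 32-bit hash can be searched exhaustively, and why many different names map to the same hash), here is an added example that is not part of the original post and not Sparktail's program. The post does not disclose the game's actual hash, so the well-known public 32-bit FNV-1a hash stands in for it as an assumption; the names, the 4-letter search space and the 60 million hashes per second figure are taken from or scaled down from the post for illustration only.

```python
import hashlib
import itertools
import string

# Assumption: FNV-1a (a public 32-bit hash) stands in for the game's
# undisclosed hash. The weakness shown here is the 32-bit output size,
# not anything specific to FNV-1a.
FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def hash32(name: str) -> int:
    """32-bit FNV-1a over the ASCII bytes of a profile name."""
    h = FNV_OFFSET
    for b in name.encode("ascii"):
        h ^= b
        h = (h * FNV_PRIME) & 0xFFFFFFFF
    return h


def hash256(name: str) -> str:
    """A 256-bit hash of the same name, for comparison of output sizes."""
    return hashlib.sha256(name.encode("ascii")).hexdigest()


def find_preimage(target: int, length: int, alphabet: str = string.ascii_uppercase):
    """Exhaustively try every name of `length` letters until one hashes to `target`.

    With a 32-bit output this is a bounded amount of work; the same loop
    against a 256-bit output would never finish.
    """
    for letters in itertools.product(alphabet, repeat=length):
        name = "".join(letters)
        if hash32(name) == target:
            return name
    return None


def find_collisions(length: int, alphabet: str = string.ascii_uppercase, limit: int = 5):
    """Record every hash seen and report pairs of distinct names that share one."""
    seen = {}
    pairs = []
    for letters in itertools.product(alphabet, repeat=length):
        name = "".join(letters)
        h = hash32(name)
        if h in seen and seen[h] != name:
            pairs.append((seen[h], name))
            if len(pairs) >= limit:
                break
        seen.setdefault(h, name)
    return pairs


def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Worst-case time to walk the whole output space of a `bits`-bit hash."""
    return 2 ** bits / hashes_per_second


if __name__ == "__main__":
    # Constructed sample: pretend "DIRT" is the official name behind one code.
    target = hash32("DIRT")
    print(f"32-bit hash of DIRT: {target:#010x}")
    print(f"256-bit hash of DIRT: {hash256('DIRT')}")

    found = find_preimage(target, 4)
    print(f"4-letter name hashing to the same value: {found}")

    for a, b in find_collisions(4):
        print(f"collision: {a} and {b} both hash to {hash32(a):#010x}")

    rate = 60_000_000  # hashes per second, the figure quoted in the post
    for bits in (32, 128, 256):
        secs = expected_seconds(bits, rate)
        print(f"{bits:3d}-bit space at {rate:,}/s: {secs:.3g} s "
              f"(~{secs / 31_557_600:.3g} years)")
```

The preimage search is the cheat-code hunt in miniature: a 4-letter search space of 26^4 names runs in about a second in Python, and the full 32-bit space is only a few minutes of work at the rate the post describes, whereas the 128-bit and 256-bit rows of the printed table show why a proper password hash is out of reach for the same loop.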
Sharing is caring
I didn’t have to go very far to figure out what the codes did. I wasn’t about to sit down and enter all 321 codes manually; it would take forever. I took a page from the Google Maps Pokémon April Fools, where people cooperated to find all 151 Pokémon hidden throughout the world, using a publicly shared Google document. I placed my codes in a spreadsheet, then I posted them all online, advertising them on GameFAQs. Within a few hours, things exploded. My list ended up on many sites, linked through news articles, and the code sheet was getting filled up at a speed I hadn’t even imagined. Within 24 hours, most of the codes had been tried, and at the time of this writing, only 3 of them still haven’t been understood.
Then… Butt Mode happened. I had been one of the first ones to find it (it was the first code on the list, after all), and I had found it quite funny, but I had no idea just how big it would become. Within the day, the Internet was filled with news and blog entries glorifying Butt Mode, to the point where our friends here at Yacht Club Games had to reveal the official code.
I learned a very important lesson that day. It doesn’t matter if you can cover the screen with fireballs, pogo off the ground, be a titan or laugh in the face of your enemy as you smash it unharmed while walking on endless pits; as long as you can steel thy butt, the world is a far better place.
It has been a few weeks now since all of this happened, and looking back at it, I do have to apologize to the 300+ backers who are to receive a nice bag of dirt along with an official cheat code. I may, in a way, have ruined the fun, in a way that was unworthy of true shovelry. I may also have caused waves, and possibly have upset some people, although probably far less than those who enjoyed those cheat codes I released. To those I say, don’t despair. For each of my codes was only one of the 400,000 unique profile names that could have unlocked them. Each of those codes is as random as the next, a bunch of fakes gathered through the slave work of one big calculator. Only you backers have or shall have the true codes, and the honor of sharing a part of the game that won’t be found in any manual, or any relevant piece of code. For that, you are the true heroes of this tale. Without you, this game wouldn’t have existed in the first place. You have my gratitude and my thanks.
Strike the Earth, For Shovel Justice!
That’s it for today everyone! How about that cool piece from Sparktail? You should definitely leave comments as usual asking questions, complaining, praising Sparktail, etc. Here’s some more info on Sparktail if you’d like to get in touch.
Email: [email protected]
And for the super nerdy, be sure to check out his code file for how he ripped the cheats!