Friday, September 2, 2011

Wonder Cheat 3

Recently I had a major nostalgic emotional burst which took me all the way back to the Sega Master System ™ I had in my childhood. One of the games I remember the most from this 22-year-old console is Wonder Boy III, the Dragon’s Curse. So I fired up the Meka emulator, downloaded the ROM, and sat down for a few hours of unlimited fun.

During the search for the ROM I found out that there was another version of the game with slightly better graphics for the TurboGrafx-16 console (AKA PC-Engine) which is called the Dragon’s Curse.

For readers who have never heard of WB3 or the Sega Master System, I shall explain, in short, the game’s look and feel. The game is a combination of an RPG and a platforming action game. You need to get different kinds of swords, shields and armor by either finding them in treasure chests throughout the game, or buying them in shops found in the city. Besides the gear, the player has to collect gold, potions, magic and power-ups. The game has about 6 levels that the player has to finish, and at the end of each one there is a boss that has to be destroyed. When a boss is beaten, the character in the game transforms into a new animal-human creature with a special ability that helps him get to the next level. The characters are Hu-man, Lizard-man (can shoot fire), Mouse-man (very short, and able to climb some walls), Piranha-man (can swim), Lion-man (can punch up) and Hawk-man (can fly).


The part that I find interesting about this game is the way saved games were implemented in the time before flash memory. During the game there was a place in town where the player could get a 14-character code that, if entered in the main menu, would take him back to the same status he was in at the time of getting the code.

This means that these 14 characters encode the full status of the game, including the amount of gold, lives, potions, gear and more. The characters are either digits 0 to 9 or capital letters, excluding a few characters such as I, O & Q, because they look too much like 1 and 0, which could be quite confusing. Besides that, not every combination of characters is valid, meaning there must be some kind of checksum. I remember that many years ago, every time I got bored playing the game, I would try to brute-force codes, with very little success. I was always very curious about this mechanism, and I had a belief that somewhere there is some kind of very special code that would turn the game upside down.

During the last week I decided to finally cope with this old craving and reverse engineer the secret behind this coding system. First I had to find out which CPU is used by the Sega Master System, to know how to load the game in IDA. Wikipedia mentioned, rightfully, that the Z80 is the main CPU of the console, and loading the ROM file at address zero seemed to work just fine. Second, I had to find the relevant code, so I searched the Internet for some special codes that might lead me to the right place. I found out that there is one very special code, WE5T 0NE 0000 000, which is the name of the company that made the game. This special code could not possibly encode a game status, so it must get special treatment in the code. Searching for the string (without the spaces) through the entire file took me to the following code:

Xrefs took me to:

From reversing I found that every character contributes exactly five bits to the data, which comes to a total of 70 bits (5 * 14) that are packed into a total of 9 bytes of data. Two bits of the 9 bytes are an index into an XOR table, and the selected table entry is then XORed with the 9 bytes. After the XOR, all the bytes are added together to form a checksum that is compared to the first 7 bits (which are not used in the addition). If the first 7 bits match, the code is valid and is passed to another function that sets the game state.

I’ve written a fully functional code decoder / encoder in Python, and it is available for download from the following link:
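
The validation steps described above, as an added Python sketch; it is not the author's downloadable tool and not code recovered from the ROM. The alphabet order, the four mask values and the positions of the checksum, index and padding bits are assumptions chosen for the example.

```python
# Added illustration. ALPHABET order, MASKS values and the bit layout are
# assumptions made for this example, not values recovered from the ROM.
ALPHABET = "0123456789ABCDEFGHJKLMNPRTUVWXYZ"   # assumed 32 symbols: no I, O, Q, S

def _mask(i):
    # Constructed table entry; byte 0, the top bit of byte 1 and the two pad
    # bits stay zero so the checksum and index fields are never masked.
    body = [(0x35 * (i + 1) + 7 * j) & 0x7F for j in range(7)]
    return bytes([0] + body + [(0x1D * (i + 1)) & 0xFC])

MASKS = [_mask(i) for i in range(4)]

def chars_to_bytes(code):
    code = code.replace(" ", "")
    if len(code) != 14:
        raise ValueError("expected 14 symbols")
    v = 0
    for ch in code:                          # 14 symbols x 5 bits = 70 bits
        v = (v << 5) | ALPHABET.index(ch)    # ValueError on an excluded symbol
    return bytearray((v << 2).to_bytes(9, "big"))   # left-aligned in 9 bytes

def bytes_to_chars(buf):
    v = int.from_bytes(buf, "big") >> 2
    return "".join(ALPHABET[(v >> s) & 31] for s in range(65, -1, -5))

def body_sum(buf):
    # Sum of all bytes, leaving out the first 7 bits (the checksum field).
    return ((buf[0] & 1) + sum(buf[1:])) & 0x7F

def xor_mask(buf):
    idx = ((buf[0] & 1) << 1) | (buf[1] >> 7)       # assumed index position
    return bytearray(a ^ b for a, b in zip(buf, MASKS[idx]))

def decode(code):
    wire = chars_to_bytes(code)
    plain = xor_mask(wire)
    if body_sum(plain) != wire[0] >> 1:
        return None                          # checksum mismatch: code rejected
    v = int.from_bytes(plain, "big") >> 2
    return (v >> 61) & 3, v & ((1 << 61) - 1)

def encode(idx, payload):
    v = ((idx & 3) << 61) | (payload & ((1 << 61) - 1))
    plain = bytearray((v << 2).to_bytes(9, "big"))
    wire = xor_mask(plain)                   # XOR is its own inverse
    wire[0] |= body_sum(plain) << 1          # no secret involved: anyone can do this
    return bytes_to_chars(wire)
```

Because the checksum depends only on the code's own bits, it catches typing mistakes but cannot stop someone who knows the algorithm from producing valid codes, which is exactly what an encoder does.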

For more information about Wonder Boy III and The Dragon’s Curse follow the links below.
I would like to thank them for the pictures I took from these sites without asking for permission; I hope it’s OK.


The Dragon’s Curse has something different in its coding system, so I would have to reverse it too. Does anyone know how to reverse PC-Engine ROMs?