A reverse-engineering of Speedball 2 for the Sega Megadrive

Overview

Reverse engineering of Speedball 2 for Sega Megadrive (Genesis)

This repo is a reverse engineering of Speedball 2, using Ghidra to reverse the assembly. Graphics, sound, etc. are extracted with some tools I wrote in Rust.

It's an absolute classic of a game, and I'd always kinda wondered how it was put together, how the AI works, etc. So, why not find out?

I chose the Megadrive version not only because that's the version that I played, but because the image would be a direct ROM mapping, and the hardware involved looked relatively tractable. It gave me a great excuse to learn how the Megadrive hardware worked (and I'd love to give a great shout-out to the excellent "GenesisSoftwareManual.pdf" that the internet provided me with). I also didn't need to worry about any fancy disk image loading, which took away an initial hurdle.

In many ways, the ideal version would have been the Amiga version, with a nicer playing pitch, the famous "Ice cream!" sample, and generally more sensible audio. There's a bunch of code in the Megadrive sound subsystem that only makes sense in terms of a port from another platform. In other areas, there's dead code that looks like it was never removed from a porting effort. On the other hand, this is all evidence that as a 68K Speedball 2, it shares a lot of heritage with the Amiga version, so perhaps not all is lost.

This is not a perfect reversing - I wanted to get something out, after all this messing around, so here it is, with a first pass on all the (reachable) code, but not everything completely worked out.

My approach was to attack the code from a few angles - the ROM entry point, the obvious graphics resources, code that referenced hardware and/or those resources, etc. It was fun watching Ghidra trying to work out what was code and what wasn't. There aren't a huge number of function pointers, but it took quite a while to identify all the code nonetheless.

To simplify, my approach roughly proceeded in stages:

  • Work through all the accesses to the GDP that I could find, as well as other hardware accesses, interrupt handlers, etc. By understanding all the places where the code touches the outside world, you can get a handle on what it's trying to achieve. This also helped me get a start on the practical side of GDP programming.
  • Understand the title sequence, and associated splash screens/backdrops. Relatively straightforward code to ramp up on, but it includes an interesting little decompression algorithm.
  • Pull apart the sound subsystem, which includes both the sequencer and sample-player (with a short excursion into the Z80 sound coprocessor!).
  • Menus and training screens - non-game code uses its own sprite display system, so this involved reversing that, and from there the training screens and so on revealed the structures for player stats etc.
  • The core match loop. This included a second set of sprite-display routines, and the code to run the match and update the various game entities, leaving until last...
  • The player routines. I started with the user-controlled player routines; how pressing buttons on the keypad makes your selected player behave. From there I incrementally worked my way through the game's AI, which includes distinct logic for the active player and the rest of the team, and special code for the goalies.

And that, I think, pulls apart the whole game. It was a fascinating journey for me; I don't know if anyone else will enjoy reading it!

The notes I made along the way are in NOTES.md. They're a bit out of date right now. Indeed, there are lots of loose ends, documented in TODOs.md. Maybe I'll tidy them up when I've recovered a bit from the first pass!

The tools I built along the way are documented in tools/README.md.

Owner
Simon Frankau