I was perusing my old Nintendo Power issues today, as I am wont to do for no good reason, and I stumbled upon a forgotten bonus that the magazine shipped to its subscribers once upon a time – Top Secret Passwords:
[Image: the book's cover; guess which game is covered by the level 8 password on the sticky note]
Now I’m playing with power. They put a tremendous amount of work into that cover. Passports for not only the Principality of NES but also the Republic of SNES. I guess in the early 1990s, nothing said “top secret” quite like a portable phone. Luckily, the book features passwords for Solar Jetman, the present object of my password infatuation. I wonder if the official password validator accepts the secret password comprised of all ‘Q’s, or if that’s handled by a special case.
Not only is Solar Jetman covered in the book but when I opened the book a carefully folded piece of paper slid out. It contained a number of very neatly written passwords, including ones for every world in Solar Jetman! It doesn’t look like my handwriting, plus the paper includes passwords for games that I never would have been caught dead playing. What a mystery. It’s almost like someone meant for me to find these clues and take up the cause of researching these ancient Nintendo password systems.
The password book contains passwords for a number of games where the only information carried in the password is what level the player was on. For a number of such games, I did a quick string check through the respective ROM data for the passwords. It looks like no coders bothered to use straight string comparison techniques for password validation.
One can only guess what sort of international espionage thrillers influenced the book’s artists, but their conceptualization of incognito (and airplane markings) involved a lot of pink:
[Image: Codename: Pink Gamer]
That wacky ‘Q’ password is fully legal, as is any other constructed in the form
aaaaaabbbbbb (where a may or may not equal b). However, some additional checks are performed, rejecting many passwords where a or b is greater than Q (Q forms the ‘9’ nibble, and many state variables may not exceed 9).
This all works due to weak checksum checking, performed as:
checksum = scratch[0];
checksum ^= scratch[1];
checksum += scratch[2];
checksum ^= scratch[4];
checksum += scratch[5]; // + extra carry here, not shown
if (scratch[3] == (checksum & 0xFF)) { /* accepted */ }
As you can see, supplying scratch[] filled with the same bytes will cause this check to always pass.
If you are still curious, search the ROM dump for the A2 05 BD F4 06 hex sequence – it’s the beginning of the password verification routine.
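The check from the comment above, written out as an added C example (not code from the game or from the commenter) that counts which inputs it accepts. It assumes the carry term the comment leaves out is zero, uses a constructed sample buffer, and goes one step beyond the comment by also testing single and paired byte changes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check byte as listed in the comment. The "extra carry" it mentions is not
   shown there, so it is omitted here (assumption). */
uint8_t expected_check(const uint8_t s[6]) {
    uint8_t c = s[0];
    c ^= s[1];
    c = (uint8_t)(c + s[2]);
    c ^= s[4];
    c = (uint8_t)(c + s[5]);
    return c;
}

int accepted(const uint8_t s[6]) { return s[3] == expected_check(s); }

/* How many of the 256 buffers filled with one repeated byte are accepted? */
int count_uniform_accepted(void) {
    int n = 0;
    for (int v = 0; v < 256; v++) {
        uint8_t s[6];
        memset(s, v, sizeof s);
        n += accepted(s);
    }
    return n;
}

/* Start from a valid buffer, XOR every nonzero mask into s[0] (and into s[1]
   as well when paired != 0), and count the altered buffers that still pass. */
int count_flips_accepted(int paired) {
    uint8_t base[6] = {0x12, 0x34, 0x56, 0x00, 0x78, 0x9A}; /* constructed sample */
    int n = 0;
    base[3] = expected_check(base);
    for (int m = 1; m < 256; m++) {
        uint8_t s[6];
        memcpy(s, base, sizeof s);
        s[0] ^= (uint8_t)m;
        if (paired) s[1] ^= (uint8_t)m;
        n += accepted(s);
    }
    return n;
}

int main(void) {
    printf("uniform fills accepted:    %d/256\n", count_uniform_accepted());
    printf("single-byte changes pass:  %d/255\n", count_flips_accepted(0));
    printf("paired-byte changes pass:  %d/255\n", count_flips_accepted(1));
    return 0;
}
```

Every uniform fill passes because the XOR steps cancel the repeated byte to zero before each addition puts it back; a lone changed byte is caught, but the same mask applied to scratch[0] and scratch[1] cancels out and goes unnoticed.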