Followup: Some Reddit readers tackled this challenge and conquered it. Read up on it here.
Back in the glory days of the old 8-bit Nintendo Entertainment System, I used to read my Nintendo Power magazine issues religiously. One issue that stood out to me, and that I never forgot about, is one that briefly mentioned Treasure Master (volume 26, July 1991, Robin Hood: Prince of Thieves issue).
This will be the first NES game where you can actually win prizes by playing it to the finish! The Game Pak will be released in the fall, and everyone will have time to master it. When you finish the game, you’ll reach a point where you can enter a special password. In February of 1992, American Softworks will reveal the password that will allow you to play a secret portion of the game. The first person to finish the secret level and call in will win a $25,000 bond. Many of those who finish later will still be eligible for prizes – the sooner you finish, the better the prize. As you can imagine, the code is top secret, and the password system has been proven uncrackable by MIT and the CIA. (emphasis added)
So the gimmick for this substandard, side-scrolling, run & jump game was that players would buy it, play it, and build up skill in a few months. Then, after everyone has had a chance to get really good at the game, the company would release a password that would unlock a secret stage. Play through this stage and you could win big prizes.
Naturally, the part about the uncrackable code caught my attention. I didn’t even realize the CIA provided such a vetting service. Anyway, I didn’t hear anything else about the game again. Many years passed and I saw the game in a used video game shop. I figured it was time to revisit the uncrackable code issue since I know a little more about computers and codes now. And I also know better than to accept an uncrackable code claim at face value.
How uncrackable is the code? The introductory blurb from Nintendo Power raises some questions, many of which can be answered by the Treasure Master instruction manual. The full details of the contest are provided. Apparently, the password was to be announced on MTV on April 11, 1992, probably during a commercial. Players would enter the password, along with their game cartridge’s unique serial number, in order to unlock the special levels of the game. Upon completion of the levels, the game would return a special winning number that the player could give to the operator on the other end of a 1-900 phone number to try to win a prize.
To be fair, the official manual doesn’t mention the uncrackable code nonsense. The James Bond material highlighted in the Nintendo Power preview can probably be attributed to some Marketing/PR flunkie at American Softworks working more closely with the magazine than their own engineering department.
Also, Nintendo really wants you to know that they have nothing to do with the contest:
What does the game need to protect against? Presumably, the game needs to prevent a determined party from playing the levels before the appointed time, and it certainly needs to keep the prize-winning code secret. A determined attacker would need to have the tools and knowledge to dump out all of the ROM data, analyze it, and perhaps modify it and run the changes. This wasn’t exactly common knowledge back in 1991, but it certainly could have been done.
One idea I had was that the unlock code to be released would be a symmetric cipher key that would decrypt the level data. However, that would only be plausible if Treasure Master were the type of NES cartridge in which all of the game’s graphic (CHR) data was stored in the code (PRG) space and shuttled the graphical data to CHR RAM on demand. According to the FCE Ultra emulator, these are the characteristics of the cartridge hardware:
PRG ROM: 8 x 16KiB
CHR ROM: 16 x 8KiB
Mapper: 1
Mirroring: Horizontal
The important point here is that the game had CHR ROMs. Still, it’s possible that the key could be used to decrypt some data from the PRG side in the NES’ 2K of work RAM, data that is necessary to present the final level. This data includes tiling information for the background layout and sprite arrangement.
So there are 2 inputs when playing for the grand prize: a serial number and a password. The serial number is 8 digits long and can include 0-9. The password is 24 characters long and can include 32 different characters, including 0-9, exclamation point (!), and any of the 21 English language consonants. Since each character represents 5 bits of information (2^5 = 32), the password carries 24 * 5 = 120 bits. That should have easily been a long enough key length to thwart even the most determined Nintendo nerd from brute forcing the password space, at least by the standards of 1991’s consumer computing strength.
The game’s manual warns against using game-altering devices as it might cause the game to output a bad number. The #1 game-altering device for the NES was the Galoob Game Genie.
The password entry screen also warns gravely that a misentered code can result in disqualification. I took this to mean that the game might have a battery backup and only allows players to try a certain number of codes, perhaps in a certain time frame. This could lead to all kinds of thorny technical and usability issues, which don’t arise because the game doesn’t have a battery.
My hypothesis is that the secret password is the public half of a public/private key pair. One application for this key could be to decrypt a block of data needed for displaying the final level, a block of data that was encrypted with the analogous secret key. When the end of the secret level is reached, the game uses the public key to encrypt the serial number and displays the resulting ciphertext to the user (encoded at 5 bits/character, just like the original password). This ciphertext is telephoned into the 1-900 winners’ hotline where the operator has a computer application that was built to decrypt the ciphertext with the private key. This yields the game’s serial number. This is then checked against the official database since participants were required to register their serial numbers in order to be eligible for the contest.
The secret password is known to be 3HDJL9DNQV2WYTV4S91RXR86. Wikipedia has a record of what the prizes were but does not discuss any other outcome from the contest. Not just any serial number will suffice, unfortunately, so there must be a validity pattern for the serial number, sort of like credit card numbers. I don’t know of any valid serial numbers, and it seems likely that the only way to find one would be to reverse engineer the game.
The model above would not prove completely uncrackable, per the game’s constraints. If an attacker figured out the model and knew that the serial number was just going to be encrypted with the secret password as the key to, e.g., the RSA algorithm, he could write a program that simulated that behavior as soon as the public key was announced. However, perhaps the game could have a secret hash algorithm, encrypted along with the secret data, which would hash the serial number before it is encrypted. Actually, at that point, the encryption with the public key might be superfluous; just call the winning phone number and tell them your game serial number along with the special number (serial number computed with secret hash algorithm) and the operator’s program could verify the number based on that information alone.
And now that I put it like that, I realize that the public key idea probably isn’t necessary. Protect the secret game data on the cartridge with a symmetric key algorithm. Many such algorithms would be much faster and lighter-weight than a public key algorithm.
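The design these last paragraphs converge on, as an added example that is not the game’s code: the announced password, decoded at 5 bits per character, is a symmetric key that unlocks a hidden hash secret, and the hotline recomputes the winning number from the caller’s serial. The symbol ordering, the SHA-256 keystream standing in for the cipher, the HMAC, the hash secret and the registered serial are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed symbol order: the page gives the character set, not its ordering.
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZ!"
REGISTERED = {"12345678"}  # constructed stand-in for the contest database

def decode5(text: str) -> bytes:
    """Pack 5-bit symbols into bytes (24 characters -> 120 bits -> 15 bytes)."""
    value = 0
    for ch in text:
        value = (value << 5) | ALPHABET.index(ch)  # ValueError on a bad symbol
    return value.to_bytes(len(text) * 5 // 8, "big")

def encode5(data: bytes) -> str:
    """Inverse of decode5 for inputs whose bit length is a multiple of 5."""
    value, count = int.from_bytes(data, "big"), len(data) * 8 // 5
    return "".join(ALPHABET[(value >> (5 * i)) & 31] for i in reversed(range(count)))

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real one."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def winning_code(hash_secret: bytes, serial: str) -> str:
    """Keyed hash of the serial, displayed at 5 bits/character (16 characters)."""
    tag = hmac.new(hash_secret, serial.encode(), hashlib.sha256).digest()
    return encode5(tag[:10])

# Publisher side. Only PASSWORD comes from the page; the rest is constructed.
PASSWORD = "3HDJL9DNQV2WYTV4S91RXR86"
HASH_SECRET = b"constructed-secret"  # hypothetical hidden hash key
ROM_BLOB = keystream_xor(decode5(PASSWORD), HASH_SECRET)  # what a ROM dump shows

def game_finish(password: str, serial: str) -> str:
    """Cartridge side: unlock the blob with the password, derive the code."""
    secret = keystream_xor(decode5(password), ROM_BLOB)
    return winning_code(secret, serial)  # wrong password -> plausible bad code

def operator_verify(serial: str, code: str) -> bool:
    """Hotline side: serial must be registered and the code must recompute."""
    expected = winning_code(HASH_SECRET, serial)
    return serial in REGISTERED and hmac.compare_digest(expected, code)

if __name__ == "__main__":
    code = game_finish(PASSWORD, "12345678")
    print(code, operator_verify("12345678", code))
```

Until the password is announced, a ROM dump yields only `ROM_BLOB`, so the hash cannot be simulated ahead of time; a mistyped password still produces a well-formed code, which the operator rejects.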
Thanks for reading through all of that. I have actually been sitting on this article for many years, waiting for an opportunity to flesh it out, though I am not sure if I will ever have time to get down to reverse engineering the game’s program.