Please consider supporting The Cutting Room Floor on Patreon. Thanks for all your support!

Treasure Master

From The Cutting Room Floor
Jump to navigation Jump to search

Title Screen

Treasure Master

Developer: Software Creations
Publisher: American Softworks
Platform: NES
Released in US: December 1991

AreasIcon.png This game has unused areas.
DevMessageIcon.png This game has a hidden developer message.
CopyrightIcon.png This game has hidden developer credits.

Treasure Master is a game released as part of a contest run by MTV, in which players were given a password that set off a 24-hour race through the entire game – including an extra world – in order to try and win cash prizes, fantasy sports/concert events, or SNES consoles.

Unused Text

Several Software Creations games (Sky Shark, Target Renegade, Fast Break, Pictionary, Terminator 2) had their empty space padded with copyright/credits text, rather than 00 or FF, as most other games did.

Treasure Master contains the following text:

  TEL 061 236 1154
  FAX 061 236 8248

Note that there are no actual line feed symbols in the text; each line is a fixed length, padded with spaces.

Cheat Protection

Since there was a rather large cash prize associated with this game, the programmers added some code to check for cheat devices (such as the Game Genie) at startup. These devices run their own code before handing control over to the attached game, and thus end up leaving telltale signs in the system's RAM and VRAM. If the game detects any of this leftover data, it locks up with a gray screen.

Additionally, the game checks for the serial number buffer consistency with a simple checksum as well as controls the PROM's data consistency, performing the random PROM bank checksum test (each bank contains the checksum word at $BFF8-$BFF9 for the area $8000-BFF7, which is compared with the calculated checksum) while switching the areas. If the PROM bank checksum is wrong, the game won't show you the "Congratulations" and the "Warp" screens. It will immediately switch to the next stage instead. The only critical effect of this protection is that you can't play the prize level properly, because it won't initialize the rollercoaster variables, and so they will fly from and to random or incorrect locations, and you just can't advance to the next screen. Probably it was planned to be more destructible at the development stage, and protect from any device that can modify the PROM values or from hacking, but currently it's too weak. The PROM bank select is random based. So, it can test any bank at the moment of level completion. And tested bank may be fine and unmodified, so the test will pass and the game will show the "Warp" screen and even correctly initialize the rollercoaster data.

Second Prize Level

To do:
Rewrite this to be less confusing.

Treasure Master-secondprize0.pngTreasure Master-secondprize1.pngTreasure Master-secondprize2.png

The second prize level was actually made but never released to the public. To access it you need another secret password which contains the 64-bit initial vector for the xor table generator, producing the 128-byte pseudo-random sequence to decrypt the main level handler routine. The same way as it performing for the first prize level.

The pseudo-random sequence is another one protection feature, which is performing some permutations to the initial vector each time you leave the particular area. The order you access areas make sense. If you cheat and skip some levels, or jump straight to the end or play levels in a different order, the final permutation will be different, the game will not be able to decrypt the secret level handler and play it.

Since the initial vector for the second prize level is not known, you can access the second prize level only with hacking around the level index variable in RAM – $F3. Change it to $14, $15, $16, $17 or $18 (value $19 also belongs to the second prize level, but switching to it leads to the game crash) while playing the first prize level to see at least some stages and enemies. To apply the changes, enter and leave the item screen. But you still need to refresh enemies. To do it, leave the current area. There is no proper items handling, not proper level transitions, so you can't actually play and finish it without additional hacking.

The code for bruteforcing the initial vector can be found here. It performs all proper permutations to the initial vector and trying to decode the secret level handler. Unfortunately, bruteforcing of the first 32-bit of IV will take about 24 hours with current algorithm, so it will take about a 11 million years for the full 64-bit key.

Recently, the executable code for the second prize world was reverse engineered allowing a functioning version of the second prize world to be played. A playthrough video was created: The video description contains additional information about how to play the level yourself. The level is loaded from a savestate, but works for an unmodified ROM. This is not to say however that the level can be played after entering a correct passcode at the beginning of the game, a goal which is for now still out of reach.