Treasure Master

Treasure Master
Developer: Software Creations Publisher: American Softworks Platform: NES Released in US: December 1991 This game has unused areas. This game has a hidden developer message. This game has hidden developer credits. This game has a Data Crystal page

Treasure Master was part of a contest run by MTV, in which players were given a password that set off a 24-hour race through the entire game - including an extra world - in order to try and win cash prizes, sports/concert fantasy event packages, or SNES consoles, though it could be played separate from the contest as well.

Unused Graphics

Stored alongside the inventory screen graphics is clear evidence of a failed sponsorship deal; the Pizza Hut logoǃ The palette here is just a guess.

Unused Text

Several Software Creations games (Sky Shark, Target Renegade, Magic Johnson's Fast Break, Pictionary, Terminator 2) had their empty space padded with copyright/credits text, rather than 00 or FF, as most other games did.

Treasure Master contains the following text:

TREASURE THINGYS.
COPYRIGHT 1990 SOFTWARE CREATIONS LTD.
! PROGRAMMER   STEPHEN RUDDY.
! ARTIST   CRAIG HOUSTON.
! MUSICIAN   TIM FOLLIN.
! SOFTWARE CREATIONS LTD.
 FIRST FLOOR      204 OXFORD ROAD
  MANCHESTER      M1 5QA
  GREAT BRITAIN
  TEL 061 236 1154
  FAX 061 236 8248
     WIGAN RUGBY LEAGUE FOOTBALL CLUB

Note that there are no actual line feed symbols in the text; each line is a fixed length, padded with spaces.

Cheat Protection

Since there were real-life prizes associated with this game, including a rather large cash one, the programmers added some code to check for cheat devices (such as the Game Genie) at startup. These devices run their own code before handing control over to the attached game, and thus end up leaving telltale signs in the system's RAM and VRAM. If the game detects any of this leftover data, it locks up with a gray screen.

Additionally, the game checks for the serial number buffer consistency with a simple checksum as well as controls the PROM's data consistency, performing the random PROM bank checksum test (each bank contains the checksum word at $BFF8-$BFF9 for the area $8000-$BFF7, which is compared with the calculated checksum) while switching the areas. If the PROM bank checksum is wrong, the game won't show you the "Congratulations" or "Warp" screens; it will immediately switch to the next stage instead. The only critical effect of this protection is that you can't play the prize level properly because it won't initialize the rollercoaster variables, and so they will fly from and to random or incorrect locations, and you just can't advance to the next screen.

It was probably planned to be more destructive during development and protect from any device that can modify the PROM values or from hacking, but the end result is too weak: The PROM bank select is random-based, meaning that it can test any bank at the moment of level completion, and if the tested bank is fine and unmodified the game will act normally (showing the "Warp" screen and correctly initializing the rollercoaster data).

Second Prize Level

To do: Rewrite this to be less confusing.

A second prize level is present in the game, but the password to access it was never released to the public. American Softworks had most likely planned for there to be multiple contests centered around the game, though only one ever happened.

To access it you need another secret password which contains the 64-bit initial vector for the xor table generator, producing the 128-byte pseudo-random sequence to decrypt the main level handler routine.

The pseudo-random sequence is another protection feature, which performs some permutations to the initial vector each time you leave a particular area. The order you access areas makes sense: If you cheat and skip some levels, or jump straight to the end or play levels in a different order, the final permutation will be different, and the game will not be able to decrypt the secret level handler and play it.

Since the initial vector for the second prize level is not known, you can access the level only with hacking around the level index variable in RAM ($F3). Change it to any value between $14-$18 (value $19 also belongs to the second prize level, but switching to it causes the game to crash) while playing the first prize level to see at least some stages and enemies. To apply the changes, enter and leave the item screen. To refresh enemies, leave the current area. There is no proper item handling nor proper level transitions, so you can't actually play and finish it without additional hacking.

The code for bruteforcing the initial vector can be found here. It performs all proper permutations to the initial vector and trying to decode the secret level handler. Unfortunately, bruteforcing of the first 32-bit of IV will take about 24 hours with the current algorithm, so it will take about 11 million years for the full 64-bit key.

More recently, the executable code for the second prize world was reverse-engineered, allowing a functioning version of it to be played. A playthrough video was created, with the video description containing additional information about how to play the level yourself. The level is loaded from a savestate, but works for an unmodified ROM. This is not to say that the level can be played after entering a correct passcode at the beginning of the game, though, as that goal is still out of reach for now.