Game corruption has become a hot topic recently due to many YouTubers playing through games that have in some way had their memory corrupted.
This practice can cause the game to produce some weird and wonderful effects which can be entertaining to watch.
However, game memory corruption can also be a very effective tool for reverse engineering games.
One of the troubles with reversing games is that there are no variable names, so the memory is one giant blob of unlabelled bytes. By corrupting this memory and watching the effect on the game you can start to figure out what part of memory does what.
You can then map the memory reads/writes back to the game code to get an indication of what a function or piece of assembly code is doing for the game.
ROM corruptors have existed since the year 2000, and many are no longer being updated; however, there are two main corruptors that are still in use today:
The Vinesauce ROM Corruptor was developed due to inspiration from YouTuber Vinesauce's ROM corruption videos. It corrupts the ROM file itself rather than memory, so technically it can be used on any file.
The Real Time Corruptor was developed by Phil Girard and Dan Barreiro as a way to corrupt emulated games in an easy to use manner.
There are a number of different “Engines” available in RTC; these are basically different ways to corrupt the data. The corruptors available are:
The error delay chooses how much time to wait between each blasted byte.
Memory Zones are areas of memory that are allowed to be corrupted. For example, you could select only Video RAM to get only graphical glitches.
The blast radius controls how it corrupts memory; there are a few options:
Blast type chooses how to change the bytes that are to be blasted, i.e. how it selects the value that replaces the old memory value. There are three blast types:
If you are looking for a specific thing in the game, it is good to set the region of memory that would most likely contain that data, along with setting the Blast Radius to CHUNK.
If you choose to use TimeStack, it will keep creating a save state every X seconds (configurable).
The time map consists of a green line that represents time, an orange line for fast forward and a blue line for rewinding.
This basically allows you to keep track of what is happening in the game while you corrupt, so you can go back in time to undo corruptions.
The Glitch Harvester comes as part of RTC but works in a very different manner. It works on save states, allowing you to quickly try different random corruptions and save the ones you like.
It works with RTC as it still uses the selected engine and settings from RTC, it just provides an additional interface for save state management.
Not currently available, but it will be very useful in the future to see the exact bytes that were corrupted and what their new values are.
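To make the RTC settings described above concrete (a memory zone, the CHUNK blast radius, a blast type, TimeStack-style save states for rewinding, and the kind of corruption log that is not yet available), here is a small Python model written for this article. It is a constructed illustration, not RTC's code; the RAM image, the "video RAM" zone addresses and the two blast-type functions are made-up values chosen for the demonstration.

```python
import random

def random_replace(old, rng):
    # Blast type (constructed): replace the byte with a random value.
    return rng.randrange(256)

def nudge(old, rng):
    # Blast type (constructed): add a small signed offset, wrapping at a byte.
    return (old + rng.randrange(-8, 9)) & 0xFF

class CorruptorModel:
    """Toy real-time corruptor over an emulator RAM image (constructed model, not RTC's code)."""
    def __init__(self, memory, seed=0):
        self.mem = memory                 # bytearray standing in for emulated RAM
        self.rng = random.Random(seed)    # seeded so a corruption run is reproducible
        self.states = []                  # TimeStack-style save states for rewinding

    def save_state(self):
        self.states.append(bytes(self.mem))

    def rewind(self):
        # Undo the most recent corruptions by restoring the last save state.
        if self.states:
            self.mem[:] = self.states.pop()

    def blast_chunk(self, zone, chunk_len, blast_type):
        """CHUNK blast: corrupt one contiguous run that lies inside the allowed memory zone.
        Returns (address, old, new) triples so each change can be mapped back to game code."""
        zone_start, zone_end = zone
        start = self.rng.randrange(zone_start, zone_end - chunk_len + 1)
        log = []
        for addr in range(start, start + chunk_len):
            old = self.mem[addr]
            new = blast_type(old, self.rng)
            self.mem[addr] = new
            log.append((addr, old, new))
        return log

def diff_states(before, after):
    """Corruption log: every byte that differs between two RAM snapshots."""
    return [(a, b, c) for a, (b, c) in enumerate(zip(before, after)) if b != c]

if __name__ == "__main__":
    ram = bytearray(0x1000)                 # constructed 4 KiB RAM image, all zero
    vram_zone = (0x200, 0x300)              # constructed "video RAM" zone
    corruptor = CorruptorModel(ram, seed=7)
    corruptor.save_state()
    for addr, old, new in corruptor.blast_chunk(vram_zone, 8, random_replace):
        print(f"{addr:#06x}: {old:#04x} -> {new:#04x}")
    corruptor.rewind()                      # back to the clean state
```

Diffing the save state against the current RAM after a blast gives the list of exact bytes and new values that the article wishes RTC would show.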
This section covers techniques for corrupting games for specific consoles.
One Lone Coder on YouTube has quite a fun video showing random NES memory corruption. Unfortunately it doesn’t mention any source code release of the changes made to the emulator, and it doesn’t mention how much memory gets corrupted at a time.
But it is quite fun to watch as the levels get more and more corrupted; it seems the corruption happens after a set number of frames.
Nintendo 64 corruption is covered in depth on the Corrupt.Wiki site available here: Basic/Advanced ROM Corruption - Corrupt.wiki
This uses the Real Time Corruptor, which is a tool specifically for corrupting the memory of emulated games.