Gaming the System: The Real Life of Game Programmers
Subject: General Tech | June 25, 2013 - 11:09 PM | Scott Michaud
Tagged: programming, gaming
There is a popular misconception that a good programmer is defined by their guru-status with a language. A lot of the time, however, a good programmer has a great understanding of algorithms and general problem solving skills. Some optimizations escape, even from the category of outside-the-box solutions, into the bin of dirty hacks. The final issue of Game Developer magazine takes a moment to salute some of the dirtiest found in games.
"(s)elf-exploitation", last story on the first page of GamaSutra's version (contributed by Game Developer Magazine staff), was the most entertaining, at least, in my opinion. The current lead engine programmer for Insomniac Games, Jonathan Garrett, outlined the process they underwent to update their game which shipped without an update system.
A similar exploit in Legend of Zelda: Twilight Princess save games was the first homebrew for Wii.
Image Credit: Giant Bomb
For those unfamiliar with programming: this hack is foundation of basically every worm which enters the system of those who fail to apply appropriate "Critical" or "Important" Windows Updates.
As it turns out, the End User License Agreement for Ratchet and Clank: Up Your Arsenal was refreshed from servers, owned by either Sony or Insomniac, and stored in a static memory location. This remotely served data was just a few memory items away from code which is executed in response to certain network traffic.
The team fed a much longer EULA than originally intended to overwrite all of the memory up to and including the network code. Then, when the server poked the PS2 with a specific network packet, the game would jump to the place in memory which handles that traffic... which is now whatever code Insomniac tagged at the end of their obese EULA. Now that they shoved code into a place in memory that they knew the PS2 would happen to wander through, that code loaded the patch data and fixed the damage they to the gap in memory between the EULA and the network code.
And that, dear readers, is why AMD implemented hardware support for Data Execution Prevention (DEP) found in Windows XP and later.
Although, I wonder, did they need to break the EULA when they did this? Food for thought.