Rally-X Reverse Engineering
At my last workplace, the Manulife RED Lab, we had an arcade machine. It was probably powered by Android and running an emulator or something along those lines. I got into a friendly competition with one of my coworkers where we fiercely competed for the high score in Rally-X, a simple car racing game where you collect flags and avoid other cars. It got to the point where the high score was unable to be beaten after a few weeks of attempts. The next logical step was to try to write a bot to play the game in order to beat the unbeatable high score.
Rally-X is a Namco arcade game about avoiding cars and collecting flags. You start with 3 lives, and at 40,000 points you get one extra life. There is one special flag that doubles the points on all subsequent flags (the special flag itself gets double points). Once you collect all 10 flags in a level, the remainder of your fuel is added to your points. It is likely that 1 “unit” of fuel is 1 point; however, fuel is represented graphically, so we must access the game’s memory to see. There is one way to stop cars: using button 1, you leave a 3-tile smoke trail as you drive at the cost of 1 “tick” of fuel. As levels progress, enemy cars become faster. There is a bonus round after the first 2 levels, then every 3 levels after that.
The ultimate goal is to create an automated Rally-X playing program. Because of the game’s intricacies and sometimes glitchy behaviour, recreating it and putting the AI into the rewritten game would be simpler but would lead to inaccurate score outputs and results. The other possibility is to use MAME to access key memory inside the game (remaining lives, direction, positions, map obstacles, flags) and make calls to functions inside the game’s memory that correspond to joystick input.
Plan of Attack
- Find addresses corresponding to health, direction, and positions of map items
- Determine the address that gets called for each controller input
- Create a fitness function with parameters: level, score, and the number of flags grabbed before the special flag
- Create bots that choose to press a direction or spray a smoke trail based on the parameters: available directions, fuel, score, level, “true” distance from nearest car
Finding The Lives Address
This is the simplest of the addresses to find. We will run MAME with the Rally-X ROM and take a memory dump. Immediately when the game starts, we pause it from the MAME debugger and run
dump lives0.txt, 0, 0xFFFF
We repeat the process after having lost one life and now have two files. We run a diff against our two files and manually search through the diff to see if there is a value that changed from 4 (starting lives) to 3 (after one death). In the diff I’m providing, I was going from 2 lives to 1 life.
We then set a watchpoint on that address to see if it is indeed reduced by 1 every time we die.
And it does get lowered by one for every time we die, and gets written to twice after we die on our last life. This means we found our first useful variable!
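The manual diff search above can be scripted. The following is an added example, not code from the original post: it parses hex-dump listings and keeps only the addresses whose byte steps through the expected life counts, going one step further than the post by intersecting several dumps to shed false positives before setting a watchpoint. The listing layout ("ADDR:  bytes  ASCII", with "**" for unmapped bytes), the function names and the 0x4000 addresses in the sample data are assumptions.

```python
import re

# Assumed listing layout: "ADDR:  b0 b1 ... b15  ASCII"; "**" marks an unmapped byte.
LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(.*)$")
BYTE = re.compile(r"^(?:[0-9A-Fa-f]{2}|\*\*)$")

# Constructed sample dumps (placeholder addresses), taken at 2, 1 and 0 lives.
DUMP_2 = "4000:  02 00 7F 02 10 00 02 00 00 00 00 00 00 00 00 00  ................\n"
DUMP_1 = "4000:  01 00 7F 01 11 00 02 00 00 00 00 00 00 00 00 00  ................\n"
DUMP_0 = "4000:  00 00 7F 01 12 00 02 00 00 00 00 00 00 00 00 00  ................\n"


def parse_dump(text, row_width=16):
    """Return {address: byte value} for every mapped byte in a listing."""
    mem = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank line or anything that is not a dump row
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()[:row_width]):
            if not BYTE.match(tok):
                break  # short row: we have reached the ASCII column
            if tok != "**":
                mem[base + i] = int(tok, 16)
    return mem


def candidates(before, after, old, new):
    """Addresses whose byte was `old` in one dump and `new` in the next."""
    return sorted(a for a, v in before.items() if v == old and after.get(a) == new)


def narrow(dump_texts, values):
    """Intersect candidates over consecutive dumps, one dump per expected value."""
    mems = [parse_dump(t) for t in dump_texts]
    keep = set(mems[0])
    for i in range(len(mems) - 1):
        keep &= set(candidates(mems[i], mems[i + 1], values[i], values[i + 1]))
    return sorted(keep)


if __name__ == "__main__":
    first = candidates(parse_dump(DUMP_2), parse_dump(DUMP_1), 2, 1)
    print("after one diff:  ", [hex(a) for a in first])
    print("after two diffs: ", [hex(a) for a in narrow([DUMP_2, DUMP_1, DUMP_0], [2, 1, 0])])
```

In the sample data a single diff leaves two candidates, and the third dump eliminates the byte that only happened to change from 2 to 1 once.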
I could write 1000 blog posts about the fun I have playing with memory editors. Unfortunately, writing does take time, so over time I’ll update this post with more fun Rally-X stuff and the progress I’m making on this. This is an ongoing project.
This post was taken from my old blog and was written May 2015