Reverse Engineering Game Code from the Neutral Zone

I'm impressed. This is a very thoughtful and intricate analysis. I also love the irony that the code responsible for displaying the neutral zone is also the graphics for the neutral zone. I must say, though I always thought I had made it extremely tough to ascertain the code from the display, I'm both glad and relieved to see it passed a very stringent test here. Thank you so much for this! Yars truly, :) HSW

Ironically for Atari, just dumping the rom would be easier than reverse-engineering the code using an image.

25:45 "It's about to get pretty technical, and if you don't have a good grasp on how assembly and machine code works, it might be a little difficult to follow." Man, you lost me like three years ago, at this point I'm just here for the flashing lights while my brain tickles my ear as it drips on the floor.

If you squint, the Neutral Zone being the game's entire world blown open for all to see lines up with the in-universe lore of it being the remains of one of the Yars' home planets. In a meta sort of way.

I love how all the text in this video looks like it was actually drawn on the Atari 2600. Love little details like that.

The "neutral zone" is sometimes not visible in 30fps on YouTube because of the flicker

I've happily spent 40 minutes of my life appreciating every explanations that a very talented person makes by trying to decipher what is, in the end, nothing more than a very fun and elegant way to make a random number generator. Fun fact, the "last level" of Pacman is also made of the game code, albeit not voluntarily :P

A good way to get the clean data from the neutral zone using late 70s early 80s tech would be to flip the BW switch on the Atari and feed the video output into an oscilloscope. From there you know the neutral zone will be rendered every line in the same place. Edit: Turns out the BW switch doesn't work in Yar's Revenge. Still considering each pixel is made of two dots it would still create a meaningful signal even with color.

I always thought the odd look of the canon when the Neutral Zone wasn't in the level was a stylistic choice. Amazing to discover it was the only way to display it!

Ever since I learned the neutral zone is the game's code, I've always wanted to see a programmer take a crack at deciphering it. Dream come true. Now if only we can get HSW to react to this, my life would be complete.

My biggest takeaway from this video is that Howard Scott Warshaw was a damn genius. Which I already knew but it's always nice to see another display of his prowess. Also, making this video takes another genius, always a pleasure to watch.

33:27 There is a flaw in this logic; the just-greyed box could be a JMP instruction, in which case what comes next need not be a valid instruction. Any bytes immediately after an unconditional jump could be data from some data table, so anything is potentially valid.

i was watching on data at 30 fps and the entire neutral zone at around 2:01 is completely invisible! I didnt even notice you were talking about that til you mentioned some of it was offscreen while zooming into seemingly nothing! the beginning of the video requires 60 fps to see the whole thing haha

I love the idea of checking which interpretation of the binary code results in the most valid/common opcodes! Reminds me of reading gene sequences, where a sequence can be interpreted 3 ways depending on where you start reading it. (DNA is made of codons, which are kind of like opcodes made out of 3 base pairs. Starting on a different base pair results in wildly different codons, and you can check which interpretation is the most likely to be valid by checking how long it takes you to run into a STOP codon.)

I heavily suspect that the fact that only half of the rows were drawn was pure coincidence, and the guy didn't realize his reversal method mapped it to the same bytes.

Up until now, I thought that I was King of "Going Down The Rabbit Hole." I now humbly transfer that crown to you. This project you undertook required patience of unimagable amount. This is something that reminds me of my High School days when I had Atari 400 and 800 computers. I figured out how to copy cartridges to disk as binary files. Some games would not run, and I had to reverse engineer the code to figure out why. Usually there was some code that would write back to ROM memory space that would not do any harm if it was a legit cartridge installed. However if the game was running in RAM, it would kill it by overwriting itself. I was able to replace all that "anti-piracy" code with NOP instructions. Wow, good memories come back thanks to your video.

Oh man....that bit at the end about the code that draws the neutral zone...this is a fantastic example of a "strange loop" as defined by Tom7

Absolutely excellent. I'm still wondering why Atari management was worried about game code being copied this way, though. Just dumping the ROM on the cartridge would be way easier, and people did that.

These skills are going to be real useful for hardware archaeology, when we recover damaged firmware developed centuries in the past and need to get them working again.

A small change in the ROM should allow for the neutral zone to be rendered every frame whilst the quotile shield is never rendered, giving us access to all of the data in the ROM minus the least significant bit. If the Atari had the equivalent of a game genie the branch instruction could be changed to always draw the neutral zone. Building off of this if you run this in an emulator and change address $FAF3 from 0x9003 (bcc $FAF8) to 0x3A3A (NOP x2) then the game will draw the neutral zone every frame and every piece of code can be seen.