Re: [stella] Emulator detection

Subject: Re: [stella] Emulator detection
From: "B. Watson" <atari@xxxxxxxxxxxxxx>
Date: Mon, 4 Jul 2005 11:29:53 -0400
On Mon, 4 Jul 2005, atari2600 wrote:

> So, my question is -- should this 'exploit' be published and thus allow
> the emulators to more correctly emulate the hardware, or should it be
> kept private and allow authors (me! me! choose me!) to release binaries
> that can only be played on real hardware?

I'd say anything that lets code determine whether it's running on an
emulator or not, is a bug in the emulator (inaccurate emulation). Whether
or not it should be published openly... well, Stella and z26 sources
are both published openly. Share and share alike would be my preference.

As somebody else already mentioned in another mail, the emulators'
sources are available, so nothing's stopping anyone from forking an
"evil" version of either Stella or z26.

Actually, since we have no idea what the "exploit" is right now, there'd
be no need for a fork: somebody who reverse-engineered it can just report
it as a bug and send us the code snippet that causes the problem as though
he were writing a game and discovered the emulator bug by accident. We'd
see it as an emulation bug, fix it, and the "magic binary" would start
working in the emulator in the next release. This social engineering
attack would work even if the emulators were closed source.

Once a binary like that is released, the "exploit" has been published
anyway. We'd all be able to debug or just trace the binary and see exactly
what it does. Even if everyone who currently knows how to do this were
to all agree not to publish their results, it wouldn't stop new people
from reading the stelladoc, learning 6502 asm, and getting knowledgeable
enough to reverse-engineer it and publish it themselves. Most of the
point of this list is helping people learn who want to learn... but even
without the list, all the pieces are available for anyone who wants to
solve the puzzle.

I'd say the genie is already out of the bottle... I'd also say that this
is "security through obscurity" and bound to fail in the long term.

> An even better question is:  should emulators allow such detection
> so that those who want to release binaries that cannot be played on
> emulators, can do so.  My personal opinion is that emulator authors
> SHOULD include such an official hook as an encouragement for collectors
> to buy actual homebrew cartridges.  Otherwise we get into an 'arms race'
> where such exploits as found above are NOT shared with the community,
> and the emulators are therefore not as perfect as they otherwise might be.

You're right, that's a better question. A hook like that wouldn't even
have to depend on emulation bugs: we could steal one of the many JAM
instructions for the purpose, or else look for a signature at the front
of the ROM image (the ASCII bytes 'NOEMU' perhaps). Of course, anyone
could read the emulator source and comment out the protection code,
or use a hex editor to remove the protection from the cartridge. Still,
it avoids the "hey, I found this emulation bug" social exploit: we could
all agree that the official versions of the emulators would respect
whatever signature/code we agreed on. Any version that doesn't is by
definition a forked version, not the real McCoy.

With a scheme like that, it all boils down to the honor system in the
end: all the information on how to crack it is freely available from
anywhere in the world. You'd be trusting people to play along and be
good citizens... but if you're ultimately relying on trust, you might as
well go all the way and trust people enough not to feel the need for a
"magic binary".

I actually don't know which side I'm on here: I just read what I wrote
and noticed I'm arguing both sides. I guess that's what makes it such
a good question :)

Another question is: What if I bought the game, but want to play it on an
emulator for convenience. I bring my laptop with me everywhere, but not my
2600 and TV. Shall I be prevented from playing the game I paid for just
because I'm not at home sitting in front of the TV? I personally would
consider it 100% ethical to disable any such protection for that purpose
(even the DMCA has an interoperability clause). Of course, I also would
consider it 100% UNethical to give anyone a copy of the ROM... but there
are plenty of smart, unethical people out there.

Maybe the best answer is to include such protection in the emulators,
but add an --i-bought-this-game command line option to override it. That
way, people who legitimately bought the game will have a way to play it
on the emulator. People who didn't will be liars as well as thieves.
They have no honor anyway, so the honor system won't help.
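The "official hook" sketched above, written out as an added example that is not code from this post, from Stella, or from z26: an emulator-side ROM loader that refuses an image carrying the ASCII signature 'NOEMU' at the front unless the user passes the --i-bought-this-game override. The accepted image sizes, the `make_rom` helper and the constructed test images are my assumptions for the sake of a runnable sketch; nothing here depends on an emulation bug, which is the point of the proposal.

```python
"""Emulator-side 'NOEMU' signature hook with an honour-system override.

Added illustration of the scheme discussed on the list; not a real loader.
The signature value comes from the post; the size check and the sample
images are constructed for this example.
"""
import argparse
import sys

SIGNATURE = b"NOEMU"              # ASCII signature at the front of the ROM image (from the post)
VALID_SIZES = {2048, 4096, 8192}  # plausible cartridge image sizes (assumption for the sanity check)


def wants_real_hardware(rom: bytes) -> bool:
    """True when the image opts out of emulation via the leading signature."""
    return rom[: len(SIGNATURE)] == SIGNATURE


def load_policy(rom: bytes, override: bool = False) -> str:
    """Decide what the emulator does with an image.

    Returns one of:
      'run'        - no signature, emulate normally
      'refuse'     - signature present and no override: point the user at a cartridge
      'overridden' - signature present but the user asserted ownership, emulate anyway
      'invalid'    - not a plausible cartridge image size
    """
    if len(rom) not in VALID_SIZES:
        return "invalid"
    if not wants_real_hardware(rom):
        return "run"
    return "overridden" if override else "refuse"


def make_rom(size: int = 4096, signed: bool = False) -> bytes:
    """Constructed test image: NOP filler, optionally prefixed with the signature."""
    body = bytearray(b"\xEA" * size)  # 0xEA is the 6502 NOP opcode
    if signed:
        body[: len(SIGNATURE)] = SIGNATURE
    return bytes(body)


def main(argv=None) -> int:
    """Command-line front end: exit status 0 means the emulator would run the image."""
    parser = argparse.ArgumentParser(description="ROM loader sketch with a NOEMU hook")
    parser.add_argument("rom", help="path to the cartridge image")
    parser.add_argument(
        "--i-bought-this-game",
        action="store_true",
        dest="override",
        help="run a NOEMU-signed image anyway (honour system)",
    )
    args = parser.parse_args(argv)
    with open(args.rom, "rb") as fh:
        rom = fh.read()
    decision = load_policy(rom, args.override)
    print(f"{args.rom}: {decision}")
    return 0 if decision in ("run", "overridden") else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the check is a plain byte comparison and the override is a documented flag, the protection is exactly as strong as the honour system the post describes: a hex editor removes the five bytes, and a forked emulator removes the check, so the loader's only real job is to make the signed image fail loudly and explain why rather than silently misbehave.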
