Backdoor in Infocom's Hollywood Hijinx

#1

While working on decompiling & examining the Z-machine source code for various Infocom games, I discovered a backdoor in Hollywood Hijinx. This is found in the standard distributed version of the game (R37.861215).

There is a secret room called “Work Room” which allows a user to directly go to various other locations, bypassing the puzzles needed to get there. The room’s description (LOOK command) shows how the other locations are connected. See below:

                           Cellar                                   
                   Cannon     |     Crawl Space North                
                 Emplacement  |    /                                 
                          ____|___/                                  
                          |       |                                  
            Boat Dock ----| Work  |----Heart of Maze                 
                          | Room  |                                  
                          |_______|                                  
                         /    |    .                                
                        /     |     .                               
                    Attic  Upstairs  Bomb Shelter                    
                          Hall Middle

To get to this location, you have to be a “special” user. When the game initializes, it looks for a specific text signature in the header (“DA” for Dave Anderson, or “TOMAS”) that sets this special user flag. The other way to access this location is to change the first byte (offset #12) in the serial number of the story header to 0.

Now to get to the work room, you can type “flush 33” and you will be transported to this Work Room.

The question was should I create a patch with zcode patch and attach it here or somewhere else? I do want to add another direction from the Work Room and transport someone to the Prop Vault.

(David Griffith) #2

Using hexedit on Linux, I edited that byte (0x12) and it works! Fascinating!

What’s the specific location that “DA” or “TOMAS” should be inserted to trigger this backdoor?

(David Kinder) #3

That’s very neat. You can get this working with Windows Frotz (and possibly some other Frotz ports) - from the options dialog in Windows Frotz, set the user name in the interpreter tab to “DA” or “TOMAS” and restart the game. There are a few test versions of Infocom games floating round that have various testing features enabled by this username field, but I think that’s the only one I know of in a released game.

#4

The user/login name section of the header is at bytes $38 to $3F. I saw one Z-machine document say this was used in version 6 story files.

#5

I didn’t even notice this option in WinFrotz and am surprised it’s even an option.

I’m searching through the code of other games for other username backdoors that might have made it to production.

(Andrew Plotkin) #6

The core Frotz engine is set up to write the username into header bytes 0x38 to 0x3F, but only in V6. Hollywood Hijinx isn’t V6, but I guess Windows Frotz can be made to do this regardless of version?

(David Kinder) #7

It will do this for any V3 or above game. As I recall, this came about from a request from Paul David Doherty, who had got hold of several test versions of Infocom games that made use of the username. Presumably this comes about from the implementors’ logins on Infocom’s DECSYSTEM-20 mainframe.

(Hanon Ondricek) #8

That’s cool! I wonder if FLUSH with a room number was their GONEAR command?

#9

GONEAR command? This is a new one to me. Other games have it?

(Andrew Plotkin) #10

GONEAR is an Inform 6/7 debugging command. It’s not normally present in released games.

#11

The number “33” does not correspond to the Work Room’s object number or any other object in that room. So I’m not sure what it means.

(Hanon Ondricek) #12

Yep. When testing in the Inform 7 IDE you can

GONEAR HALLWAY
GONEAR TREASURE CHEST
GONEAR THE BUTLER

GONEAR and all the debug commands are disabled when a game is released for publishing, but work if released for testing (a separate release command).

(David Griffith) #13

I’ll have to look into adding an option for setting this in Unix Frotz.

(Andrew Plotkin) #14

Yeah, this is enough of a use case to justify having the option in the interpreter engine.

Inform puts the I6 release number (currently “6.34”) into header bytes 0x3C to 0x3F. Using the username option in V3/5/8 will overwrite this information, but nothing pays attention to it as far as I know, so that’s not harmful.

(But it should still be an option, not something the interpreter does by default as it does in V6.)

#15

I’m trying to make my way through all the story files I have for all of the Infocom games. It can be tricky to find anything hidden. I don’t have any developmental versions though. So far, I haven’t found much in the released games except some remnant debugging related strings.
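
Added example, not part of the original thread and not code from any of the posters or from Frotz: a read-only header check for the two "special user" conditions described in posts #1 and #4 (first serial byte at 0x12 equal to 0, or "DA"/"TOMAS" in bytes $38 to $3F). The helper names, the exact-match comparison with NUL/space padding stripped, and the constructed V3 sample header are assumptions; the thread does not say how the game compares the name.

```python
import struct

SERIAL_OFF = 0x12                  # six-character serial number
USER_OFF, USER_END = 0x38, 0x40    # user/login name field, bytes $38..$3F
SPECIAL_NAMES = {b"DA", b"TOMAS"}  # signatures named in the thread


def inspect_header(story: bytes) -> dict:
    """Report the header fields tied to the 'special user' check."""
    if len(story) < 0x40:
        raise ValueError("Z-machine header is 64 bytes; input too short")
    (release,) = struct.unpack_from(">H", story, 0x02)
    serial = story[SERIAL_OFF:SERIAL_OFF + 6]
    # Assumption: the name is NUL- or space-padded and compared as a whole;
    # the thread does not describe the game's actual comparison.
    user = story[USER_OFF:USER_END].rstrip(b"\x00 ")
    reasons = []
    if serial[0] == 0:
        reasons.append("first serial byte is 0")
    if user in SPECIAL_NAMES:
        reasons.append("user name field is %r" % user.decode("ascii"))
    return {
        "version": story[0],
        "release": release,
        "serial": serial.decode("ascii", "replace"),
        "user": user.decode("ascii", "replace"),
        "special_user_reasons": reasons,
    }


def make_header(serial=b"861215", user=b""):
    """Constructed 64-byte sample header (V3, release 37, rest zeroed)."""
    h = bytearray(64)
    h[0] = 3
    struct.pack_into(">H", h, 0x02, 37)
    h[SERIAL_OFF:SERIAL_OFF + 6] = serial
    h[USER_OFF:USER_OFF + len(user)] = user
    return bytes(h)


if __name__ == "__main__":
    for label, hdr in [
        ("stock", make_header()),
        ("serial byte zeroed", make_header(serial=b"\x00" + b"61215")),
        ("user name set", make_header(user=b"TOMAS")),
    ]:
        print(label, inspect_header(hdr))
```

To check a real story file, pass its first 64 bytes (or the whole file contents) to `inspect_header`.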