CHIP8 EMULATOR

by Sandro Maffiodo

smaffer@gmail.com

www.assezeta.com/sandromaffiodo

OVERVIEW

As you can see , it is an emulator CHIP8. CHIP8 is an old virtual machine used in the 70s and 80s. It was used inside the VIP COSMAC , TELMAC 1800 and in some other microcomputer.

CHIP8 virtual machine has this features:

• 4K of RAM
• 16 8bit registers
• call stack
• single audio tone generation
• 2 programmable timers: one for sounds and one for delays
• 64x32 screen monochromatic
• 16 keys for keyboard input. This is the keyboard layout:

  1 2 3 C
  4 5 6 D
  7 8 9 E
  A 0 B F

BUILD

$(CC) prog.c -lSDL -o prog

RUN

cat BRIX | ./prog

You can try one of these games (downloaded from here):

• 15PUZZLE the game of 15
• BLINKY a Pac Man clone
• BRIX a Breakout clone
• INVADERS a Space Invaders clone
• MAZE a maze generator
• TICTAC a Tic Tac Toe game
• TETRIS a Tetris clone

(DE)OBFUSCATION

The main obfuscation tricks is to encode the instruction set inside the V string:

*V="`__m__`__mm________`_____a_____b___`_c___`ad___a_e___`_f___"
    "`ag___aag__`aag__aaag__baag__caag__daag__eaag__faag__maah_"
    "__a_i_____j_____k___`_l___bbm_hmabm_i`abn__fabn__iabn_`dab"
    "n_`gabn_`mabn_ahabn_bbabn_ddabn_eda"

This string is a simple sequence encoded in base16. If you decodes it correctly you obtain this:

*V="100E00100EE000000001000002000003000104000125000206000107000"
    "12800022800122800222800322800422800522800622800722800E2290"
    "0020A00000B00000C00010D00033E09E23E0A123F00723F00A23F01523"
    "F01823F01E23F02923F03323F05523F0652"

Each subsequence of 6 characters contain these informations:

1 00E0 0
| |__| |
|    | +-- instruction parameters format (0=_NNN, 
|    |                                    1=_XNN, 
|    |                                    2=_XY_, 
|    |                                    3=_XYN)
|    |
|    +---- instruction opcode
|
+--------- instruction mask (0=1111000000000000, 
                             1=1111111111111111, 
                             2=1111000000001111, 
                             3=1111000011111111)

With these informations is pretty simple to recognize each one of the 35 instructions of the CHIP8, by searching a match inside the V string. This solution is obviously really slow but the resulting code is pretty fun. This is the main switch used to decode one instruction, rewritten using the _ macro:

#define _ ;}else if(((o=0),(c=*n++-95),\
            k(12),k(8),k(4),k(0),\
            (f=*n++-95),1)&&(q&r[c])==o){\
                s[f]();

void instruction_set_switch() {
    if (0) {
    _ _ _ _ _ 
    _ _ _ _ _ 
    _ _ _ _ _ 
    _ _ _ _ _ 
    _ _ _ _ _ 
    _ _ _ _ _ 
    }
}

From here you can de obfuscate the rest of the program. It's pretty simple to do... don't you think? :D

NOTES

You can slow down the emulator by increasing the parameter of

SDL_Delay(3);

You can change the zoom factor of the screen by editing this variable

I=4

REMARKS

This program require SDL1.X to compile.

On Mac OS X SDLFlip is slow. SDLFlip waits the video's vertical sync and limits the speed of the emulation. To fix this problem you can modify the variable t:

t=03

The build process will generate some warnings about:

• type specifier missing, defaults to 'int'
• control reaches end of non-void function
• unsequenced modification and access to VAR
• expression result unused
• incompatible pointer types passing 'int *'