Friday, April 22, 2005

Easier than expected

Bryan noticed that changing a single value in the Pocket Gal Deluxe decryption (related to the address scrambling) revealed some clear text in Diet Go Go. THis means that the encryption key is almost hardcoded as I expected, but with some minor variation (maybe externally to the DE102 iself).

I have isolated the variations in just two numbers, a 16-bit one for the address scrambling and an 8-bit one (or two 4-bit ones) for the data bits permutation and xor.

Fine tuning the values to correctly decrypt data in Diet Go Go was easy enough.

Double Wings required a little more works, but it was still easy. I just needed to brute force the 16-bit parameter. Doing that was easy because I just had to decrypt the ROM using each possible value for the parameter, and count how many zeros were in the decrypted data. When their number rised from a couple of thousands to tens of thousand, I had a "good enough" value for the parameter, which I could later tweak by hand.

So, data was decrypted in all four games (the other one is Boogie Wings which decrypted with the same parameters as Pocket Gal Deluxe), but opcodes were still encrypted.

However, most of the work was already done. Even if the opcodes are encrypted differently from data, the address scrambling must of course be the same, otherwise there wouldn't be a 1:1 correlation between logical address and physical address. Therefore, only the data bits permutation and xor changes.
The obvious candidate for that variation was the 8-bit parameter. A brute force search was even easier in this case. I just had to try all possible values and count how many times 4E75 (the opcode for RTS) appeared. When it increased from a couple of times to several hundreds, I had the key.

So all four known games using this CPU (Pocket Gal Deluxe, Diet Go Go, Double Wings and Boogie Wings) should now be fully decrypted.
Non of them is working; for that, the driver will have to be finished, and possibly some more protection worked around. But the first hurdle has been overcome.

10 comments:

Anonymous said...

Great achievement!!!!
Congratualions Nicola and Bryan.

Anonymous said...

Shit smoking heorot. That's awesome. Nicola just keeps truckin'.

Anonymous said...

beautiful ...... =D just beautiful

Gatsuyobi said...

...easier. I suppose things look much easier when you are as talented as Nicola or Bryan.

Let's hope sometime Bryan can get through the nasty protection of this games.

Thanks both for your hard work in MAME!!

Anonymous said...

Great Work Keep It Up !!!!

Anonymous said...

Nicola, anyway to you try make a look on CPS 3 encryptation scheme ?

Lillymon said...

"Nicola, anyway to you try make a look on CPS 3 encryptation scheme ?"

I'm not Nicola, but I can guess the answer is no. Things MAY change if you can find a decrypted bootleg of a CPS3 game too, but the chances of that are 'not good'...

Anonymous said...

Grazie Nicola!!! sei a dir poco un genio :D ..magari riesci anche a decriptare i deco156, visto i miracoli che stai facendo. Nn finirĂ² mai di ringraziarti per avere inventato il MAME!!

Anonymous said...

Counting the occurrence of zeros and opcodes is very smart. I'd never have thought of doing that. Previous methods I've used involved manually looking at bitmapped data displayed graphically to see if it looked like anything sane. Well done.

Anonymous said...

lol