Wednesday, May 04, 2005

Snowball effect

As you might already have seen on Haze's WIP, yesterday I succeeded in decrypting Gardia and Space Position.

This was an interesting case of pieces falling into place rapidly one after another.

The first piece was the decryption of Calorie Kun, thanks to a decrypted bootleg which was recently found. This didn't look like a particularly interesting breakthrough at the time: the encryption algorithm was already known, and while the key would have been difficult to find by hand, with the bootleg as a reference it could be derived automatically in a few minutes - just the time it took to write a program.

This renewed my interest in the remaining Sega encrypted games that use this algorithm, in particular Gardia. David Widel revealed that he had decrypted a portion of it months ago, but got stuck and put aside the results without publishing them. Believe it or not, he decrypted most of the code by comparing it with My Hero - even if that's a completely different game, it shares a lot of almost identical code with Gardia.

The data David provided was very useful to get started. Another really useful coincidence was that we have two sets of Gardia (one supposedly being a bootleg, but still encrypted). The two sets are different versions, with code shifted by a few bytes in places. This is an ideal situation when decrypting games that use simple algorithms like this one. When you have decrypted a portion of code in one set, you can use it to decrypt the same portion of code in the other set; but this way you also automatically decrypt some more code in the second set, which is still encrypted in the first set, so you can go back to the first set and decrypt even more code, and so on - you slowly build up the two keys in parallel.

While I was doing this, I rapidly noticed that the key used by the second set for opcodes was identical to the one used by the first set for data. Shortly afterwards, I also noticed that the key used by the second set for data was identical to the one used by the first set for opcodes - just shifted by one byte.

At that point I was on the lookout; I have to admit that I didn't notice it immediately, but eventually I discovered that the keys were actually the same as Calorie Kun, apart from the shift. When I found that, I just copied the whole Calorie Kun keys and I was almost finished - Gardia booted but had some problems. I just had to find a few more bytes at the end of the key to fix them.

Space Position was the easiest of all. At that point I was almost sure it would use the same key. I checked some bytes of the partial key I had manually derived years ago, matched them with the known key, copied over the data with the appropriate shift, launched the game, and it was already working, on the first try - apart from the emulation issues which Haze later fixed.
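The three situations above (a fully decrypted reference revealing a key in one pass, two shifted versions of the same program bootstrapping each other's keys, and a partial key matched against a known one with a shift) follow from one property: a fixed key table selected by address, so every byte of known plaintext pins down exactly one key entry. The following Python is an added illustration, not the author's tool and not the real Sega scheme: it uses a constructed XOR cipher with a hypothetical 64-entry key table indexed by address, one key per set with no opcode/data distinction, assumes the alignment between the two sets is already known from inspection, and runs on constructed sample data rather than ROM contents.

```python
"""Toy model of the key-recovery situations described in the post.

The cipher is a constructed stand-in, NOT the real Sega scheme: the byte at
address a is XORed with key[a % KEY_LEN].  It only shares the property the
post relies on: a fixed key table selected by address, so every byte of
known plaintext fixes exactly one key entry.  One key per set.
"""
import random

KEY_LEN = 64  # hypothetical key-table size


def xor_with_key(data, key):
    """Encrypt or decrypt (XOR is its own inverse); key must be complete."""
    return bytes(d ^ key[a % KEY_LEN] for a, d in enumerate(data))


def key_from_known_plaintext(cipher, plain):
    """Calorie Kun case: a fully decrypted reference gives the key in one pass.
    A contradiction means the reference is not the same program."""
    key = [None] * KEY_LEN
    for a, (c, p) in enumerate(zip(cipher, plain)):
        slot = a % KEY_LEN
        if key[slot] is None:
            key[slot] = c ^ p
        elif key[slot] != c ^ p:
            raise ValueError(f"reference plaintext contradicts key entry {slot}")
    return key


def _propagate(cipher_src, key_src, cipher_dst, key_dst, src_to_dst):
    """Every source byte whose key entry is known is plaintext now; map it to
    the other set and derive that set's key entry at the mapped address."""
    gained = 0
    for a, c in enumerate(cipher_src):
        k = key_src[a % KEY_LEN]
        b = src_to_dst(a)
        if k is None or b is None or b >= len(cipher_dst):
            continue
        derived = cipher_dst[b] ^ (c ^ k)
        slot = b % KEY_LEN
        if key_dst[slot] is None:
            key_dst[slot] = derived
            gained += 1
        elif key_dst[slot] != derived:
            raise ValueError(f"alignment or seed is wrong at address {a}")
    return gained


def bootstrap_two_sets(cipher_a, cipher_b, a_to_b, b_to_a, seed_a):
    """Gardia case: two versions of the same program with code shifted in
    places (alignment a_to_b / b_to_a assumed known) and a seed of already
    decrypted bytes {address: plaintext} in set A.  Plaintext recovered in one
    set fixes key entries in the other, back and forth, until nothing new appears."""
    key_a = [None] * KEY_LEN
    key_b = [None] * KEY_LEN
    for a, p in seed_a.items():
        key_a[a % KEY_LEN] = cipher_a[a] ^ p
    rounds = 0
    while True:
        rounds += 1
        gained = _propagate(cipher_a, key_a, cipher_b, key_b, a_to_b)
        gained += _propagate(cipher_b, key_b, cipher_a, key_a, b_to_a)
        if gained == 0:
            return key_a, key_b, rounds


def find_rotation(full_key, partial_key, min_matches=8):
    """Space Position case: match a few entries of a partial key against an
    already recovered key.  Returns s with partial[i] == full[(i + s) % KEY_LEN]
    if exactly one shift fits, else None."""
    known = [(i, k) for i, k in enumerate(partial_key) if k is not None]
    if len(known) < min_matches:
        return None
    fits = [s for s in range(KEY_LEN)
            if all(full_key[(i + s) % KEY_LEN] == k for i, k in known)]
    return fits[0] if len(fits) == 1 else None


def fill_from_rotation(full_key, shift):
    """Copy a known key over with the shift found above."""
    return [full_key[(i + shift) % KEY_LEN] for i in range(KEY_LEN)]


# ---- constructed sample data (fixed seed; not real ROM contents) ----
_rng = random.Random(2005)
PLAIN_A = bytes(_rng.randrange(256) for _ in range(512))
SPLIT, DELTA = 256, 3  # set B has 3 extra bytes at 0x100, shifting everything after
PLAIN_B = PLAIN_A[:SPLIT] + bytes(DELTA) + PLAIN_A[SPLIT:]
KEY_A = [_rng.randrange(256) for _ in range(KEY_LEN)]
KEY_B = fill_from_rotation(KEY_A, 1)  # same table as set A, shifted by one byte
CIPHER_A = xor_with_key(PLAIN_A, KEY_A)
CIPHER_B = xor_with_key(PLAIN_B, KEY_B)


def a_to_b(a):
    return a if a < SPLIT else a + DELTA


def b_to_a(b):
    if b < SPLIT:
        return b
    if b < SPLIT + DELTA:
        return None  # the inserted bytes have no counterpart in set A
    return b - DELTA


def demo():
    key_calorie = key_from_known_plaintext(CIPHER_A, PLAIN_A)
    seed = {0: PLAIN_A[0], 1: PLAIN_A[1]}  # two known bytes are enough to start
    key_a, key_b, rounds = bootstrap_two_sets(CIPHER_A, CIPHER_B, a_to_b, b_to_a, seed)
    partial_b = [key_b[i] if i % 5 == 0 else None for i in range(KEY_LEN)]  # 13 of 64 known
    shift = find_rotation(key_a, partial_b)
    return key_calorie, key_a, key_b, rounds, shift


if __name__ == "__main__":
    kc, ka, kb, rounds, shift = demo()
    print("reference key complete:", None not in kc)
    print(f"two-set bootstrap took {rounds} rounds; set B key = set A key shifted by {shift}")
```

Note how little the two-set bootstrap needs to start: with code shifted by three bytes in the second half, a known entry at index i in set A yields entries i and i+3 in set B, which in turn yield i+3 and i-3 back in set A, so two seed bytes eventually walk through the whole table in both sets. The rotation search is the same check the post describes for Space Position: a handful of entries of a partial key, compared against a key already recovered at every candidate shift, either identifies one shift or nothing.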

This completes the decryption of all currently known Sega games using the "easy" Z80 encryptions. Unfortunately there are a few encrypted Z80 games left, using the suicide MC8123 CPU, which might be lost forever: all boards using the CPU seem to be dead, and the key is just about impossible to find without a hardware attack.

13 comments:

Anonymous said...

Hi Nicola,
can you please tell us which games use the MC8123 CPU?

Anonymous said...

There's a list of MC8123-protected games at \machine\mc8123.c

Anonymous said...

See here online: http://www.mameworld.net/maws/mamesource/src/machine/mc8123.c

Anonymous said...

The protections are strange, but is it possible to "find" it in other CPUs, for example Kaneko games (DJ Boys, B. Rap Boys)?

Anonymous said...

My little piece of uninformed speculation: as the System E hardware basically is the same as a Sega Master System, couldn't the SMS versions of the System E games (such as "Fantasy Zone the Maze") be used as comparison to work out the encryption?

Anonymous said...

What's up with Shooting Master? Is that encrypted or undumped or what? That's the one I'd like to see most.

The System E games are a little different from the SMS versions from what I've seen. I'd really like to see a working arcade Fantasy Zone 2.

Anonymous said...

Shooting Master needs the MCU protection emulated.

Anonymous said...

Which games that use the MC8123 CPU are unemulated/lost? And does that mean there aren't going to be any Shinobi or Altered Beast with sound in the near future?

Anonymous said...

Hey Nicola, what are you up to these days? Long time no update!

Anonymous said...

Nicola,
thanks for all the hard work, it's always a pleasure to replay the great arcade games!
Kokko

Anonymous said...

While we are on the subject of Sega decryption, I'm trying to decrypt the Pengo roms so I can use them on MAME v.0261 & prior. Using the decryption methods in the driver source, I end up with 64K of decrypted data, which is twice the size of the program roms. Anyone have advice on how to approach this? I'm certain the two data areas need to be merged somehow.

Anonymous said...

Another Shooting Master fan here. What is the MCU and how difficult is it expected to be to emulate its protection? Are any of the devs interested in doing this in the foreseeable future? (I know Nicola has worked on Shooting Master in the past - thanks for all your great work in MAME!)

Anonymous said...

Hi Nicola,

I'm writing a big feature on Mame for PC Zone Magazine in the UK. Spoken to everyone, from developers and publishers, fans and foes, but have yet to get a response from anyone in the Mame community.

Would you be available this evening if I emailed you a few questions or conducted a telephone interview? This feature wouldn't be the same without you!

Best,
Pavel
PC Zone
www.pczone.co.uk
pavelbarter@eircom.net
++353-872473579