Tuesday, January 09, 2007

CPS2 coming to MAME

I've submitted to MAMEDEV the code to replace the 4GB CHDs with 192-bit keys.
The code is here: http://xoomer.alice.it/nicola.salmoria/cps2crpt.zip
It contains all the information needed to understand the algorithm, including the s-boxes.

There is still a lot of uncertainty about the contents of the s-boxes. They do their job, but since they are different from the originals they also affect the key. Using the real s-boxes might make correlations between the key bits more apparent, if they exist (anyway, having only 7 keys to look at, there's not enough data to speculate on any kind of correlation).

I'm hoping that it will be possible to extract the s-boxes contents from photos of the decapped CPS2 chip. That would be an important step forward in the accuracy of the emulation.

Now the next challenge is finding the keys for the other CPS2 games that have XOR files but not full tables. I have some ideas, but it doesn't look simple.
We have a lot of (E,D,k) triplets for those games, but unfortunately not many once you fix k (the 96-bit key used in the second FN), and that would be the most important part.

Note that we don't have to find the whole 192-bit key all at once. Once the second 96-bit was found, then we could easily use brute force to get the 16-bit key seed at every address, and therefore easily find the first 96-bit key.

6 comments:

Ernst said...

Amazing work Nicola :)

Btw I thought the triggers for these two games were known, but they appear as unknown in your comment:

unknown Hyper Street Fighter II
unknown Jyangokushi

Charles MacDonald said...

Oops, I forgot to tell anyone what it was for Jyangokushi. :)

CMPI.L #$36521573,D0

Ernst said...

Also, why the puzloop2 and puzloop2j have the same key? Is it a typo? I thought different regions of the same game had different keys...

linzino said...

Hi!

Great work!
Maybe, if you just have the xor, you could build a non-linear (polynomial) system of equations over Z_2, where the key bits are the unknown.
This kind of works for some simplified istances of AES and maybe it also does in your case.
Then you should use some specialized
algorithm (Buchberger's alg. or Faugere's F5 alg.) to solve it.
In bocca al lupo!

Andreas Naive said...

Could you give me a better estimation on how many triplets we would have for every game?

Nicola said...

For dodtod, which is the one I'm looking at now, there are about 700,000 unique (E,D,k) triplets. For a fixed k, there are no more than 12 (E,D) pairs.