Wednesday, January 17, 2007

CPS2 The Fight Continues

I've finished going through all the games previously supported by MAME using XOR files, and generating keys using this attack.

The attack needs a minimum of 7 (E,D) pairs at some address in order to work, though with just 7 pairs it takes several hours to find the key.

Most of the games provided at least 8 pairs, a few 7, so the attack worked.

On 11 games the attack didn't work. Three of them only provide 2 pairs, so there's no way for the attack to work--a different approach will be needed.

The others provide 4 pairs, and I'm now trying to still perform the attack, using a new trick.

Remember the complementation property? For every address A, we know that exists another address A1 such that D(X, A) = D(X ^ 0xffff, A1) ^ 0xffff. The problem is that we don't know A1. We can search it, however, using the XOR data. Pick an address, look at the four (E,D) pairs associated to it, and then see if at another address there is a pair (E ^ 0xffff, D ^ 0xffff). That way we can put together the information from the two addresses, raising the number of pairs from 4 to 7, barely enough to run the attack.

There's a possibility of false positives when doing this, so avoid all pairs where E or D are 0x0000 or 0xffff, because those values are very common and make the probablity of a false positive much higher.

In theory this trick should work, though it will require some luck and a lot of time. The holy grail remains an attack which could use pairs from different addresses; that would be the only way to retrieve the key for the games that lack XORs.

1 comment:

Andreas Naive said...

This is the attack i have finally devised (mostly theory, although complemented by some numerical experiments):

I have been unable to reduce the number of necessary triplets below the figures given near the end.