Page 1 of 37

leonardoliveira & Idc's clean decrypted roms

Posted: August 30th, 2012, 6:05 am
by leonardoliveira
idc asked me to try making this game work at something around 1PM my local time... After pouring 12 hours of work in it, I had this:
Image

And this:
Image
100% clean. No fancy menus, no clutter, no dumb/odd A.I. Plays exactly like the original which has suicide battery.

If someone is worried about counterfeits being made out of this, it's up to the buyers to look for MASK ROMS, battery, CAPCOM security seals and pins.

The goal is give people freedom from the tyranny of the suicide battery.





(Posts on this thread being edited to fix picture links)

Re: CPS2 Development PCB - SFZ

Posted: August 30th, 2012, 6:48 am
by KmanSweden
Street Fighter Alfa 3? :wtf: :lol: Street Fighter just got a lot better. :D

Re: CPS2 Development PCB - SFZ

Posted: August 30th, 2012, 7:38 am
by idc
KmanSweden wrote:let's call it a remake of Razoolas hack..
I tell you what, let's not. ;)
leonardoliveira wrote:idc asked me to try making this game work at something around 1PM my local time... After pouring 12 hours of work in it, I had this:
And so the "other guy" reveals himself. Thank you, Leo. :awe:

Re: CPS2 Development PCB - SFZ

Posted: August 30th, 2012, 8:59 pm
by leonardoliveira
Who does one, does two, no ?
Image

Image

I didn't fix the memory test for this one yet.

Also, sorry about the thread hijacking ... lol

Edit: Got this one decrypted and running on the record time of five hours.

Re: CPS2 Development PCB - SFZ

Posted: September 3rd, 2012, 1:43 pm
by leonardoliveira
Let me hijack this threat a little more ... lol
Image
Image

Re: CPS2 Development PCB - SFZ

Posted: September 3rd, 2012, 2:59 pm
by leonardoliveira
Tetsuosan wrote:I know with my superx phoenix board it has a ton of odd glitches that happen that don't happen with my other super x board ie; odd slowdowns happening at strange times, hit boxes showing up and/or not showing up, etc.
That has to do with wrong data at the decryption. It's not magic. It's a very complex and detailed job.
I had exceptional results once I poured more "love" on it.

The encryption protects on the presumption that you can only have all decrypted code with mangled data or all encrypted code with correct data. You cannot "guess" what is code and what is data. You have to analyze it. So what I do is manually analyze ALL the game code on a disassembler and determine what is code/data then manually transplant what is data from the encrypted rom into the decrypted one.

Even so, after eight hours of work on the QUIZ game I had it working but there were a crash on the attract mode. Which I solved the next day by watching what the program reads from the ROM. There were a sneaky non encrypted word (yes, two bytes) in the middle of a encrypted code area which pointed into another pointer which then finally pointed to a encrypted jumptable. Nasty stuff... ;)

Also I had some oddball grahpical glitches (Sprites disappearing) on the character animations, which went away once I removed what I called "silly NOPs" from the data areas. Silly NOPs are due to CAPCOM compiler/linker (these games are made in C) usually put NOPs to separate data fields on each "chunk" and because into a universe of 65536 possible values per word there's a HIGH possibility for a clash and you get a spurious/wrongly placed NOP instruction in the middle of a data field.
I just gave up from decrypting NOPs at DATA areas. That made up for mostly perfect roms.

Also, whenever I find a glitch I investigate throughly.

Re: CPS2 Development PCB - SFZ

Posted: September 3rd, 2012, 4:00 pm
by MrSandman
leonardoliveira wrote: So what I do is manually analyze ALL the game code on a disassembler and determine what is code/data then manually transplant what is data from the encrypted rom into the decrypted one.
Simply ... WOW!
leonardoliveira wrote: There were a sneaky non encrypted word (yes, two bytes) in the middle of a encrypted code area which pointed into another pointer which then finally pointed to a encrypted jumptable. Nasty stuff... ;)
Besides the "encrypted" part, is that similar to a Z80 "JP (HL)" instruction?

Re: CPS2 Development PCB - SFZ

Posted: September 3rd, 2012, 5:48 pm
by leonardoliveira
MrSandman wrote: Simply ... WOW!
Really not that big of a deal... It's just a lot of work. Tedium extreme.
MrSandman wrote: Besides the "encrypted" part, is that similar to a Z80 "JP (HL)" instruction?
Actually it's very interesting how the encryption works, as using instructions indexed by data registers result on the decryption hardware being used. Using a instruction indexed by a address register seems to fetch a plain word from the rom, without kicking the decryption hardware. Keeping that in mind and manually analyzing the dump results on a 100% perfect rom (assuming that I don't commit mistakes during the interactive disassembly) on first try. I had Choko and Puzzloop2 work perfect out of the bat. I had a few mistakes on mighty pang japan on the test menu which I solved quickly using mame's debugger. When you have a full asm listing from the game looking at you in the disassembler it's easy to find any mistakes ... ;)

trmatthe wrote:Very cool stuff guys, both in finding the hardware and also with your investigations into the 68k encrypted opcodes/plaintext data. If you want to farm out any of the work feel free to message me.
I'll keep that in mind. Mostly I would want people to test the games and find bugs.
trmatthe wrote: Would be very very keen to see how the monitor/debugger has been wedged into this - do you know if they've added address decoding for previously unused address space, added a ROM with the monitor code and then stuck a vector into an unused slot in the TRAP jump table or does the debugger equipped game just happen to be a dev release that's not been stripped and chopped yet?
I just enable CAPCOM own debugger, which all games have.

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 12:35 am
by Tetsuosan
How much would you charge for your services? I wish there was a way to send you the chips by mail for you to program, but I have family in Brazil, and I know as soon as I send the stuff over to you it'll get "lost" in the mail lol. My Super Street Fighter II Turbo board has a phoenix set that doesn't work too well, and I would like to not have the phoenix logo when I boot up the board.

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 12:34 pm
by richy13
Razoola as upload pictures of security system used to upload keys to CPS2 B boards

http://cps2shock.emu-france.info/"

if you download the pictures you can see there's a different card for each game set.

richard

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 1:48 pm
by CPS2
richy13 wrote:Razoola as upload pictures of security system used to upload keys to CPS2 B boards

http://cps2shock.emu-france.info/"

if you download the pictures you can see there's a different card for each game set.

richard
That PDA reminds me of an old scientific calculator I used to use a school. :awe:

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 2:02 pm
by kernow
Looks like the cards/software are written in BASIC too? Man, it'd be fun to get hold of those and have a look at the code.

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 2:03 pm
by cools
The cards themselves require a battery? :awe:

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 3:54 pm
by idc
The cards hold a CR2032 type battery and I believe that the software is indeed written in BASIC. Interface with the CPS2 B-board is likely SPI.

Edit: Here's the "last piece of hardware" to which Razoola refers (sorry for crappy iPad pics):
Image
Image
Image

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 6:09 pm
by richy13
idc wrote:The cards hold a CR2032 type battery and I believe that the software is indeed written in BASIC. Interface with the CPS2 B-board is likely SPI.

Edit: Here's the "last piece of hardware" to which Razoola refers (sorry for crappy iPad pics):
Image
Image
Image
Whats inside the metal box ian??did it come with any cables for the J-tag connector or for the communication connector (for boards without the J-tag)?

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 6:28 pm
by idc
richy13 wrote:Whats inside the metal box ian??did it come with any cables for the J-tag connector or for the communication connector (for boards without the J-tag)?
More pics will follow soon. Check CPS2Shock now, more of my pics have just appeared there.

Inside are a couple of TDK-branded PCBs which form a switching (~ 120/240 VAC) PSU, and a Capcom PCB which does the business. There are bunch of switches and some wires too. The top has a segmented LED-display. It is "booby trapped", i.e. keys are erased if the case is opened, but I suspect that these are just re-written using the PDA.

Interface is suspected to be SPI, not JTAG, but it came without cables.

It does power on, displaying an error code, followed by "init" if one of the buttons is pressed, which I expect means it's waiting for data from the PDA (which I don't have).

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 7:01 pm
by crunchywasp
Wow! All this hardware that's surfacing is so incredibly cool :ugeek: 8-)

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 7:10 pm
by leonardoliveira
One last hijack on this thread ...

This one requires no explanation:

Image
Image
Image

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 7:11 pm
by CPS2
leonardoliveira wrote:One last hijack on this thread ...

This one requires no explanation:

Image
Image
Image
:eh:

Please explain.

Re: CPS2 Development PCB - SFZ

Posted: September 7th, 2012, 7:18 pm
by idc
CPS2 wrote:Please explain.
Decrypted Rockman 1. If you look, you can see that it's running using SFA3 decrypted driver, it's what Leo uses to test his ROMs. ;)