Blog post on encrypted P ROMs

city41

Amano's Drinking Buddy
10 Year Member
Joined
Dec 27, 2010
Posts
2,671
In the tiny spare time I have, I've been playing around with a KOF99 hack, which has encrypted P ROMs.

I wrote a blog post on them if anyone is curious. Kinda technical and dry, but as far as I know this info is only in little pockets here and there on 20 year old forum posts.


Neo Alec

Legendary Member?
25 Year Member
Joined
Dec 7, 2000
Posts
14,822
Very interesting; thanks for this and thanks for the shoutout on my video. Very curious to see what you're thinking of making, if it ever comes to fruition. KOF94TE is already amazing.

tcdev

Crossed Swords Squire
Joined
Aug 22, 2002
Posts
183
From prot_sma.cpp in the MAME source:

C:
// kof99, garou, garouh, mslug3, mslug3a and kof2000 have an SMA chip which contains program code and decrypts the 68k roms

I haven't looked into it enough yet to work out exactly what's going on, but starting with that file might help you?

city41

Amano's Drinking Buddy
10 Year Member
Joined
Dec 27, 2010
Posts
2,671
I just realized @iq_132 has an account here. Hey iq_132, thanks for your prom decryption code, it was the key to all of this.

And yes, I know we've chatted on this forum in the past but I'm a dumbass and never put two and two together...

iq_132

New Challenger
Joined
Nov 27, 2009
Posts
60
I just realized @iq_132 has an account here. Hey iq_132, thanks for your prom decryption code, it was the key to all of this.

And yes, I know we've chatted on this forum in the past but I'm a dumbass and never put two and two together...

Haha! Good write-up and thanks for the shout out.
I read this back when you posted it. :)

tcdev

Crossed Swords Squire
Joined
Aug 22, 2002
Posts
183
There were a handful of earlier Z80-based arcade games that used similar encryption, except with the Z80 it was slightly more complex because it had a pin that differentiated between an instruction (opcode) or data (operand fetch), and the encryption mechanisms invariably used it. Empire City 1931 is one example. Not so much a problem for emulation, as the driver just does both decryptions over the entire ROM into two copies of ROM space, and then the CPU emulation just reads from the respective copy when fetching an instruction/data. The issue arises when trying to RE and determine code/data spaces.

Similarly, the so-called 'Konami-1 CPU' used in Juno First was a stock 6809 which internally obfuscated read data depending on both the address and whether it was an instruction/data fetch. Again, harder to RE without a custom tool.