2016.01.03
"Extreme Sensation Exploit!"
I was starting to think we weren't going to get any snow this year, only
rain, lots and lots of rain.
However, even if there’s no snow outside, I can present you with some snow
for MAME, in this case the news that Gaelco’s SnowBoard Championship is a
step closer to being emulated.
Unlike most Gaelco games, which used an evil Dallas protection device complete
with a suicide battery, SnowBoard Championship instead used a less complex
device programmed to do some decryption tasks, and used that as protection. The
game passed various things to the device, like text strings, sample numbers
and some direction data used by the game's controls, and expected correct
data back in order to run properly.
Previously in MAME the game would display corrupt text, hang during attract
mode, play incorrect samples and have completely broken controls.
The operation of the device turned out to be simple, actually even less
complex than I was first expecting. I'd already briefed Charles MacDonald
(who purchased a PCB for running our tests) that the game writes 32 bits of
data to an address and reads 16 bits back from another address, and that it
uses different pairs of addresses throughout execution, so naturally I was
expecting the different addresses to use different encryption schemes. One of
his first discoveries was that the address was completely irrelevant, varied
only to throw off anybody trying to understand it.
With this knowledge he made a few mods to the hardware and software running
on the board to collect the 16-bit result for every possible 32-bit write the
game could make, resulting in an 8GB table (2^32 inputs x 16 bits each).
I hooked this 8GB table up in MAME to verify the results and the game
immediately started working.
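As an added example (not MAME code, and not Charles MacDonald's capture rig), the following script shows the two steps described above in a form you can run: first confirm that the result depends only on the 32-bit value written and not on which address pair is used, then exhaustively drive the device, record every 16-bit result, and substitute the recorded table for the chip. The real device's transform is not published here, so the StandInDevice mixing function, the address pairs and the sample values are all assumptions made up for the demo; the full 2^32-entry capture is computed for size only, and the actual table is built over a smaller input width so it runs in a second.

```python
"""Capture-and-replace demo for a write-32/read-16 protection chip.

Added example. The device model below is a constructed stand-in, NOT the
real Gaelco logic; only the capture/lookup procedure is what the post describes.
"""
import array

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF

# Constructed address pairs and probe values (not from the real game).
ADDR_PAIRS = [(0x100, 0x102), (0x200, 0x206), (0x3F0, 0x3F8)]
SAMPLE_VALUES = [0, 1, 0x1234, 0xFFFF, 0x80000000, 0xDEADBEEF]


class StandInDevice:
    """Assumed stand-in for the chip: latches a 32-bit write, answers a 16-bit
    read with a mixed value, and (as the post found) ignores the address."""

    def __init__(self):
        self._latch = 0

    def write32(self, addr, value):
        self._latch = value & MASK32

    def read16(self, addr):
        v = self._latch
        v ^= v >> 16                        # fold the high half into the low half
        v = (v * 0x9E37) & MASK16           # cheap 16-bit mixing (assumption)
        v ^= ((v >> 5) | (v << 11)) & MASK16
        return v & MASK16


class AddressDependentDevice(StandInDevice):
    """Variant that DOES key on the read address, so the check below has
    something to catch."""

    def read16(self, addr):
        return (super().read16(addr) ^ (addr & MASK16)) & MASK16


def query(dev, write_addr, read_addr, value):
    """One protection exchange: write 32 bits at one address, read 16 at another."""
    dev.write32(write_addr, value)
    return dev.read16(read_addr)


def address_is_irrelevant(dev, addr_pairs=ADDR_PAIRS, values=SAMPLE_VALUES):
    """True if every probe value yields one result through every address pair."""
    for value in values:
        results = {query(dev, w, r, value) for (w, r) in addr_pairs}
        if len(results) != 1:
            return False
    return True


def table_size_bytes(input_bits):
    """Bytes needed to hold a 16-bit result for every input_bits-bit input."""
    return (1 << input_bits) * 2


def capture_table(dev, input_bits, write_addr=0x100, read_addr=0x102):
    """Exhaustively drive the device and record read16 for every input.

    The real capture covered all 2**32 inputs (8 GiB); input_bits keeps the
    demo small. Since the address is irrelevant, one fixed pair suffices."""
    table = array.array("H", bytes(table_size_bytes(input_bits)))
    for value in range(1 << input_bits):
        table[value] = query(dev, write_addr, read_addr, value)
    return table


class TableDevice:
    """Drop-in replacement for the chip: the captured table replaces its logic."""

    def __init__(self, table):
        self._table = table
        self._latch = 0

    def write32(self, addr, value):
        if value >= len(self._table):
            raise ValueError("value outside captured input range")
        self._latch = value

    def read16(self, addr):
        return self._table[self._latch]


def table_matches_device(dev, table_dev, values, addr_pairs=ADDR_PAIRS):
    """Cross-check the table against the live device over all address pairs."""
    return all(query(dev, w, r, v) == query(table_dev, w, r, v)
               for v in values for (w, r) in addr_pairs)


if __name__ == "__main__":
    real = StandInDevice()
    print("address irrelevant:", address_is_irrelevant(real))
    print("full 32-bit table would be", table_size_bytes(32) / 2**30, "GiB")
    tbl = capture_table(real, 12)               # 4096 entries for the demo
    print("table replaces device:",
          table_matches_device(StandInDevice(), TableDevice(tbl), range(0, 4096, 37)))
```

The address-independence check is what justifies capturing with a single fixed address pair; if it fails (as it does for AddressDependentDevice) the table would have to be keyed on address as well, and the capture would be far larger than 8GB.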
We still need to reduce the 8GB table to actual equations; Olivier plans on
looking at this, but rest assured the game is now very close to being
playable in a public build of MAME. (RAR compression manages to reduce the
table to a 180MB file; there are clear patterns all over the place, so I
doubt even that is especially complex.)
Here's a video recorded from MAME, using the 2.1 parent set.
https://www.youtube.com/watch?v=McnqJYJ-lIs&feature=player_embedded
Both the 2.1 and 2.0 sets use the same encryption, so here are some
screenshots from the 2.0 set for anybody not wanting to watch the video.
http://mamedev.emulab.it/haze/pics2016/snowboard_1.png
http://mamedev.emulab.it/haze/pics2016/snowboard_9.png
http://mamedev.emulab.it/haze/pics2016/snowboard_10.png
(See the source for the remaining screenshots.)
Source: http://mamedev.emulab.it/haze/