How to decrypt a game that doesn't run on MAME?

WangDrum

Hello,

I have only patched games that can run on MAME, using a debugger.
I would like to get some hints on how to do a bypass patch for a game that won't boot.

The game I want to patch is 'Spikeout FE'.
I want to find the part in the main CPU's code that accesses the location (fe1a0000~fe1a001f) of the 315-5881 chip, which is a decryption chip.
These are the locations of the code that came up when I searched for 'fe1a'.

7661e
7664e
7665a
76666
7666e

[Attached image: 3521.jpg]

I found the above address in the disassembly window and looked at it.
Looking at the disassembled instructions above, can't I just 'guess' where the decrypted data goes?
If the game can be run, press F11 and look at the registry value to see the data loaded from the decryption chip.
I think I can get a hint for decrypting it by tracking its movement.
But the game freezes without even executing the above command, so I can't track it.
In this case, if anyone knows whether it is possible to decrypt it, or how, I would appreciate it if you could give me a hint.
 
I don't know how this works here (whether the code is decrypted on the fly or in memory at startup, etc.), but in x86/64 RE the easy way is to find and break after the EP (entry point) in order to dump the decrypted part. But sometimes the code is relocated somewhere and not decrypted completely; relocation addresses are decrypted only when a jump occurs, and you need to trace on the fly to gather information and the decrypted code/API. This could take long, depending on the Sega protection routines.
 
The game won't boot, because MAME doesn't fully support it, right? That decryption chip probably is just for GFX, so the game code should work.

If that's the case, write down the values calculated at the end of each loop and then force it manually to a different value and see if it now shows an error.

Some info about the processor here: https://www.nxp.com/docs/en/application-note/AN2491.pdf
 
Model 3's decryption chip is also used to decrypt encrypted GFX data, but Spikeout FE shows 'illegal ROM' when booting without a security chip, so it is probably verifying it by comparing it with a specific phrase. I may be wrong.
 
I'll try to force it to run on a different line. Thank you!
 