Author Topic: Chinese copy protection  (Read 7442 times)

Taco

Chinese copy protection
« on: July 19, 2012, 03:21:19 AM »
Hey there,


If this is in the wrong area, I'm very sorry, I'm brand new. Another member suggested I sign up to ask about the game as you all would be the experts on pirates and their tech specs.

I signed up because a friend of mine picked up a rare pirate. It's SMW64, and to our understanding there's no dump out there due to mirroring or what not. We're looking to dump it and make it public if possible. We're going to attempt a dump and then share the file for analysis. If anyone is interested in it please let me know; we will be using a Retrode and expect it to dump incorrectly. Hopefully someone can figure out why based on that dump.

 I'm solid with soldering and have an eprom programmer / reader and could wire something up with help. If anyone can help, please PM me.

Azathoth

« Reply #1 on: July 19, 2012, 03:32:23 AM »
SMW64 uses globtops so you can forget about desoldering the chips. In this case your options are to dump using a USB device like the Retrode, a regular copier, or a SCD transfer cable.

SMW64 has a unique booting method that won't let you use the SCD cable since there's no way to trigger the CD to load and bypass the cart loading. It also has protection where it hides itself from copiers so they won't detect the cartridge is inserted.

I don't own a Retrode personally but I was told it pulls header info from an on/offline database to interface with the emulator. (That may be a completely incorrect statement.) If that's the case it may not even recognize the cartridge due to its protection schemes and non-standard header information.

If you can manage to dump the ROM, regardless of it being an outlandish inflated size, a working image can be made of it. Almost all MD games use a somewhat similar copy protection scheme and I don't see SMW64 being any different. I personally think it was just the last of its breed from that set of developers; after that you really didn't see anything beyond crappy title screen hacks and such, and none of them bothered with any type of copy protection.

Barver

« Reply #2 on: July 19, 2012, 03:42:08 AM »
Are you the guy who won the recent eBay auction?

I know a guy who I just directed here from the Sonic Retro community. They also had a friend that dumped the ROM with a Retrode but only managed to dump half of it before selling it off. I'm sure he'll tell you more (his name is Andlabs), but here's a copy paste of what is known, if it makes any sense to you.

Quote:
 
Here's what we know.
The custom hardware is mapped to the $6xxxxx region.
The custom hardware either does mirroring, mirroring/decryption, or access from a separate ROM. There are some large holes in the Retrode dump filled with either $00s or $FFs (alternating every 8KB); it may be this. These store GEMS (seriously), the level tiles, the level tilemaps, and the level layouts (the last three of which are all loaded from VRAM).
In addition, the hardware provides some registers. Three of these registers are used to calculate the sizes of tilemaps, specifically
(byte read from $660001) = (byte written to $600003) ^ f(byte written to $640001, 1)
where ^ is xor and f() is either shift byte left or rotate byte left (we're not sure which) and that this possibly only holds true if byte $DE is written to byte $670001.

The game steals the Sega standard init code so it does follow TMSS even though the cart hardware seems to bypass it. There's also this initialization function:

ROM:00000436 ; =============== S U B R O U T I N E =======================================
ROM:00000436
ROM:00000436
ROM:00000436 sub_436:                                ; CODE XREF: ROM:00000326p
ROM:00000436                 move.w  #9,d0
ROM:0000043A
ROM:0000043A loc_43A:                                ; CODE XREF: sub_436+Cj
ROM:0000043A                 move.b  #0,($600001).l
ROM:00000442                 dbf     d0,loc_43A
ROM:00000446                 move.b  #$80,($610003).l
ROM:0000044E                 nop
ROM:00000450                 move.b  #$DE,($670001).l
ROM:00000458                 move.b  #0,($660001).l
ROM:00000460                 move.b  #0,($600001).l
ROM:00000468                 move.b  #$38,($600003).l ; '8'
ROM:00000470                 move.b  #$A5,($640001).l
ROM:00000478                 move.b  ($670001).l,d0
ROM:0000047E                 move.b  ($660001).l,d1
ROM:00000484                 move.b  ($660003).l,d2
ROM:0000048A                 nop
ROM:0000048C                 move.b  #1,($600001).l
ROM:00000494                 move.b  #$55,($600003).l ; 'U'
ROM:0000049C                 move.b  ($660005).l,d0
ROM:000004A2                 move.b  ($660007).l,d1
ROM:000004A8                 nop
ROM:000004AA                 move.b  #$E0,($670001).l
ROM:000004B2                 move.b  #0,($660001).l
ROM:000004BA                 move.b  ($640003).l,d0
ROM:000004C0                 andi.b  #$C0,d0
ROM:000004C4                 ori.b   #$55,d0 ; 'U'
ROM:000004C8                 move.b  d0,($640003).l
ROM:000004CE                 move.b  ($670001).l,d2
ROM:000004D4                 move.b  ($660009).l,d0
ROM:000004DA                 move.b  ($66000B).l,d1
ROM:000004E0                 move.b  ($66000D).l,d2
ROM:000004E6                 move.b  ($66000F).l,d3
ROM:000004EC                 nop
ROM:000004EE                 rts
ROM:000004EE ; End of function sub_436


and an example of the mirroring/decryption(?), to get to the Z80 sound driver, which is GEMS:

ROM:00008326 ; =============== S U B R O U T I N E =======================================
ROM:00008326
ROM:00008326
ROM:00008326 sub_8326:                               ; CODE XREF: LoadGEMS+20p
ROM:00008326                 move.w  #$100,($A11100).l
ROM:0000832E                 move.w  #$100,($A11200).l
ROM:00008336
ROM:00008336 loc_8336:                               ; CODE XREF: sub_8326+1Cj
ROM:00008336                 move.b  (a0)+,d1
ROM:00008338
ROM:00008338 loc_8338:                               ; CODE XREF: sub_8326+16j
ROM:00008338                 move.b  d1,(a1)
ROM:0000833A                 cmp.b   (a1),d1
ROM:0000833C                 bne.s   loc_8338
ROM:0000833E                 addq.w  #1,a1
ROM:00008340                 subq.w  #1,d0
ROM:00008342                 bne.s   loc_8336
ROM:00008344                 rts
ROM:00008344 ; End of function sub_8326
ROM:00008344
ROM:00008346
ROM:00008346 ; =============== S U B R O U T I N E =======================================
ROM:00008346
ROM:00008346
ROM:00008346 sub_8346:                               ; CODE XREF: LoadGEMS+24p
ROM:00008346                 move.w  #0,($A11200).l
ROM:0000834E                 move.w  #0,($A11100).l
ROM:00008356                 move.w  #$100,($A11200).l
ROM:0000835E                 rts
ROM:0000835E ; End of function sub_8346
ROM:0000835E
ROM:00008360
ROM:00008360 ; =============== S U B R O U T I N E =======================================
ROM:00008360
ROM:00008360
ROM:00008360 LoadGEMS:                               ; CODE XREF: sub_38E+8Cp
ROM:00008360                 move.b  #7,($600001).l
ROM:00008368                 move.b  #$D3,($600003).l
ROM:00008370                 movea.l #$614DBC,a0
ROM:00008376                 lea     ($A00000).l,a1
ROM:0000837C                 move.w  #$2000,d0
ROM:00008380                 bsr.w   sub_8326
ROM:00008384                 bsr.w   sub_8346
ROM:00008388                 rts
ROM:00008388 ; End of function LoadGEMS


The title theme and first stage theme don't use GEMS but rather a custom sound playback system that runs off VInt; everything else does (there are three tracks for this custom playback system but I'm mostly certain the third one just silences playback)
« Last Edit: July 19, 2012, 03:42:36 AM by Barver »
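The register relation in the quoted notes leaves f() open (shift-left or rotate-left) and may depend on the $DE write to $670001. The model below is an added example, not code from the thread or from the cartridge; the register addresses and the sub_436 write sequence are taken from the post above, while the MapperModel class and its behaviour before the $DE write are assumptions of this model. It replays sub_436 under each candidate so one readback from real hardware can decide between them.

```python
from typing import Dict, List, Optional

def shl8(v: int) -> int:
    """8-bit logical shift left by one bit; bit 7 is discarded."""
    return (v << 1) & 0xFF

def rol8(v: int) -> int:
    """8-bit rotate left by one bit; bit 7 wraps round into bit 0."""
    return ((v << 1) | (v >> 7)) & 0xFF

# The two candidate f() named in the quoted notes.
CANDIDATES = {"shift-left": shl8, "rotate-left": rol8}

class MapperModel:
    """Register-file model implementing only the one relation stated in the thread."""

    def __init__(self, f_name: str) -> None:
        self.f = CANDIDATES[f_name]
        self.regs: Dict[int, int] = {}

    def write(self, addr: int, value: int) -> None:
        self.regs[addr] = value & 0xFF

    def read(self, addr: int) -> Optional[int]:
        if addr == 0x660001:
            # Assumption: the relation is gated on $DE at $670001, as the notes
            # suspect; before that write the readback is treated as unknown (None).
            if self.regs.get(0x670001) != 0xDE:
                return None
            return self.regs.get(0x600003, 0) ^ self.f(self.regs.get(0x640001, 0))
        return self.regs.get(addr)

def replay_sub_436(f_name: str) -> Optional[int]:
    """Replay the writes of sub_436 from the listing above, up to its first read of $660001."""
    m = MapperModel(f_name)
    for _ in range(10):              # move.w #9,d0 ... dbf d0: ten writes of 0 to $600001
        m.write(0x600001, 0x00)
    m.write(0x610003, 0x80)
    m.write(0x670001, 0xDE)          # the suspected gate value
    m.write(0x660001, 0x00)
    m.write(0x600001, 0x00)
    m.write(0x600003, 0x38)
    m.write(0x640001, 0xA5)
    return m.read(0x660001)          # move.b ($660001).l,d1

def predictions() -> Dict[str, Optional[int]]:
    """What each hypothesis predicts d1 to hold after the first $660001 read in sub_436."""
    return {name: replay_sub_436(name) for name in CANDIDATES}

def consistent_candidates(observed: int) -> List[str]:
    """Candidate f() names whose prediction matches a readback observed on real hardware."""
    return [name for name, value in predictions().items() if value == observed]

if __name__ == "__main__":
    for name, value in predictions().items():
        print(f"{name:12s} -> ${value:02X}")
```

The two candidates disagree only when bit 7 of the $640001 byte is set, which $A5 satisfies, so the first $660001 read in sub_436 is enough to tell them apart if the relation holds at all.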

andlabs

« Reply #3 on: July 23, 2012, 09:04:34 PM »
Hi, I'm one of the two in Barver's quote, the other being Sik =P

Basically, three things are missing from the Retrode dump the two of us worked on:
  • the level layouts
  • the level art
  • the Z80 code (GEMS)
32KB(?) blocks of 0s/$FFs (alternating, with a few differing bytes in random places) remain in the spaces I think are left over. The final ROM is 512KB, and the Retrode produced a copy of the ROM from the 512KB-1MB point, and then filled the rest of the 4MB with $FF.

Once found, the level layouts and art are loaded into VRAM and accessed from there.

How configurable are the Retrode's dumping parameters? If that won't work, there's also this, from LocalH:
Quote:

Might I suggest aping Chris Covell's NES dumping method, writing a ROM that would load some basic tiles into VRAM for on-screen display, loading the actual dumping code into RAM, spinning on a pad-polling loop in RAM, cart-swapping, then press Start (or whatever) and have the RAM code dump the ROM using what information is known about the mapping hardware, either sending it through the SCD transfer cable or sending it through the audio output via KCS (both slow methods but reliable).
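Both descriptions of the Retrode dump (the 8KB alternating $00/$FF holes in the quoted notes and the 32KB blocks with a few differing bytes in this post) can be located mechanically before anyone argues about what they correspond to. The scanner below is an added example, not a tool from the thread; its block size and outlier tolerance are parameters, and the sample dump it builds is constructed here rather than real SMW64 data.

```python
from typing import List, Tuple

Run = Tuple[int, int, str]   # (offset, length, kind) with kind in {"00", "ff", "data"}

def classify_block(block: bytes, max_outliers: int) -> str:
    """Label a block '00' or 'ff' when all but max_outliers bytes equal that fill value."""
    if len(block) - block.count(0x00) <= max_outliers:
        return "00"
    if len(block) - block.count(0xFF) <= max_outliers:
        return "ff"
    return "data"

def fill_runs(data: bytes, block_size: int = 8192, max_outliers: int = 4) -> List[Run]:
    """Classify every block and merge neighbouring blocks of the same kind into runs."""
    runs: List[Run] = []
    for off in range(0, len(data), block_size):
        chunk = data[off:off + block_size]
        kind = classify_block(chunk, max_outliers)
        if runs and runs[-1][2] == kind:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + len(chunk), kind)
        else:
            runs.append((off, len(chunk), kind))
    return runs

def holes(runs: List[Run]) -> List[Tuple[int, int]]:
    """Merge adjacent fill runs (00 or ff alike) into (offset, length) hole regions,
    so an alternating 00/ff/00/ff stretch is reported as one hole."""
    out: List[Tuple[int, int]] = []
    for start, length, kind in runs:
        if kind == "data":
            continue
        if out and out[-1][0] + out[-1][1] == start:
            out[-1] = (out[-1][0], out[-1][1] + length)
        else:
            out.append((start, length))
    return out

def build_sample_dump(block_size: int = 8192) -> bytes:
    """Constructed stand-in for a dump: code, an alternating 00/ff hole with stray
    bytes, more code, then trailing $FF padding. Not real cartridge data."""
    code = bytes(range(256)) * (block_size // 256)
    zeros = bytearray(block_size)
    ones = bytearray(b"\xff" * block_size)
    zeros[100] = 0x5A                 # the 'few differing bytes in random places'
    ones[4000] = 0x00
    return (code + bytes(zeros) + bytes(ones) + bytes(block_size)
            + b"\xff" * block_size + code + b"\xff" * (2 * block_size))

if __name__ == "__main__":
    dump = build_sample_dump()
    for off, length, kind in fill_runs(dump):
        print(f"{off:08X} +{length:06X} {kind}")
    print("holes:", [(f"{o:X}", f"{n:X}") for o, n in holes(fill_runs(dump))])
```

Run it over a real dump with the block size set to 8192 or 32768 to see which of the two reported granularities the hole boundaries actually follow.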

Barver

« Reply #4 on: September 12, 2012, 04:24:25 AM »
I'm assuming this ends up like a lot of things where the thrill of sharing something you have dies off immediately and they just disappear, satisfied enough that at least they have it? :x

Pessimistic way of wording it, but it happens all too often and makes me a sad panda :(

Robyn

« Reply #5 on: September 12, 2012, 11:48:54 AM »
Barver
Sep 12 2012, 04:24:25 AM
but it happens all too often and makes me a sad panda :(

Accidental South Park quote. :P
And you're a panda?! :o

Ray of Lightning

« Reply #6 on: September 12, 2012, 03:01:40 PM »
We're bootleg enthusiasts, Rob.
We've ALL got a bit of the Panda in us.  :pandaaway:

But yes, anyways, something a bit more on topic, I know how you kinda feel, Barver. I can't say I totally understand this mindset which I've been told exists where people get the game, dump the game and then hoard it to themselves or try to sell the ROM off. It just seems...well...totally against the spirit of this thing.

And it makes me a s/maaaaad panda. :pandamad:

Pepper-98

« Reply #7 on: September 12, 2012, 05:21:50 PM »
Ray of Lightning
Sep 12 2012, 03:01:40 PM
But yes, anyways, something a bit more on topic, I know how you kinda feel, Barver. I can't say I totally understand this mindset which I've been told exists where people get the game, dump the game and then hoard it to themselves or try to sell the ROM off. It just seems...well...totally against the spirit of this thing.

And it makes me a s/maaaaad panda. :pandamad:

I have to agree on that.  It kinda ruins the whole point of dumping the game in the first place, and it does bother me because there's seriously no real reason for it other than to be a dick.  I've made it a personal rule that if I were to actually dump or send out something to be dumped that it won't be hoarded or require payment to release it.  Now finding people who can dump stuff...That's a whole different story.

Linkrulezall

« Reply #8 on: September 12, 2012, 10:22:53 PM »
Step 1 - Point at the globtops and tell them that you're very angry with them (be sure to put a lot of feeling into it)
Step 2 - Using your right hand, shake your fist at the cartridge
Step 3 - If steps 1 and 2 don't work, try scaring it
Step 4 - Jam a piece of green bubble gum onto 6 of the pins
Step 5 - Using a chainsaw and pistol, destroy the globtops
Step 6 - Tell the board that you really, really love it in a Stephen Hawking voice
Step 7 - Burn cartridge out of frustration
Step 8 - Find and order another cartridge
Step 9 - Wait 4-6 weeks
Step 10 - Mix together an egg, some ice cream, and 1 tablespoon of chocolate syrup
Step 11 - Rub this mixture over the pins using a dill pickle or marshmallow hamburger
Step 12 - Try to dump again
Step 13 - Fail
Step 14 - Scream
Step 16 - Cry
Step 17 - Sulk
Step 18 - Go back to step 1


WARNING: DON'T ATTEMPT ANYTHING I JUST DESCRIBED!

Azathoth

« Reply #9 on: September 12, 2012, 11:57:58 PM »
On a lighter note, I'm working with another guy to see if we can get an alternate dump using some different hardware that might yield some results. He managed to get all 3 SFT releases working, so I have some faith in it.

Barver

« Reply #10 on: September 13, 2012, 01:46:26 AM »
I'm assuming this talk of paying for ROMs is in reference to prototypes. I'm afraid I have to disagree as I completely understand why those things require cash. Their expensive nature makes it a bit difficult to feel like giving their data away for nothing in return after what usually is lots of effort to even raise the funds to afford it yourself in the first place. And let's not also forget the effort in even building the contacts and tracking them down. I'm not sure what "the whole point of dumping" is being defined as, but the way I see it, whatever anyone does with something they bought is essentially their business and not anyone else's, as cold as that sounds. You can say it breaks the "spirit", but the fact is people have just gotten a little too used to getting everything for free when it comes to ROMs when it's never been a defined fact anywhere in life that something someone paid for should be released for free just because it's video game data. Anything that is released for free we should definitely be thankful for, but if I spent hundreds or even over a thousand dollars on a prototype, I definitely would want some compensation for the time, effort and money that went into such an expensive purchase if I was being expected to just hand it out.

And keeping in mind I've had my stuff dumped for free, I'm not a complete shrewd when it comes to this :) In my opinion the real problems arise if someone that bought a prototype was expecting people to donate the full amount they paid back in order for the release of the ROM. Now that I would see as a total dick move, since that would make it so they essentially got that game for free, which is in no way fair. I don't think there's been any examples of that out there though, or at least any owners that publicly admit so.

Me personally, if I were releasing a prototype that cost me a lot of money, I'd expect an even half of what I originally paid minus a few odd dollars, just to justify me being the one that keeps the cartridge/cd/whatever while everyone else has done their part in helping get it preserved on the internet. It seems fair enough, but of course not everyone has the same opinions.

Just how I see it. I might mention I'm getting a Retrode myself soon for a little "preservation" btw  cool:

« Last Edit: September 13, 2012, 01:48:23 AM by Barver »

Ray of Lightning

« Reply #11 on: September 13, 2012, 02:36:54 AM »
Linkrulezall
Sep 12 2012, 10:22:53 PM
WARNING: DON'T ATTEMPT ANYTHING I JUST DESCRIBED!

Awwh. What a shame. I was going to print it off and put it on my wall as ROM dumping tips. :D

...In fact, I'm STILL going to do that.  >;)
Anyways, back on topic once again, eh?

This is a bit of a tricky post for me to make in all honesty, Barver, because I admit I might be suffering from a full-on bout of 'well meaning naivety'. There might very well be good reasons for people asking for all that money, though admittedly I was more talking about pirate ROMs than prototypes. I mean, atop of the reasons you described, they might need to feed themselves, pay for rent, or cover another one of life's many expenses.  >_<

But I dunno, it's for the very same reasons, that I'd RELEASE a ROM for free. Video games, let's admit it, are damn expensive these days. I mean, y'can buy the actual cartridges and the consoles but that's expensive too. Till you can afford those things yourself, I'll be damned if I keep a rare game from you. Emulators and ROMs allow us to test a game out before we buy, to entertain us when we've no money to spare on entertainment and, for me, to introduce you to things you never thought existed. If I were to ask for money, it'd be a donation box and that'd be that. ;)

I suppose that's all I have to say as I pretty much agree with everything else you say, man, though I do have a few things to finish up with:

1. Yes, I can agree people generally don't give ROMs the appreciation they deserve. Especially when they can't be arsed to try a simple Google search before asking if we could just send them the ROM. :facepalm:
2. As for preservation, well, I suppose I myself believe a ROM can be better preserved if it's shared out among many resources rather than just being stored in my hard drive or cloud storage.  :\

So yep, that's all I can say about the subject. Feel free to disagree of course, as you said, we're free to have our own opinions. :thumb:  But I must say, it's been nice to have the opportunity to stretch my debating muscles there.  :P

Barver

« Reply #12 on: September 13, 2012, 02:59:29 AM »
Ah, you were thinking of ROMs of pirates? Can't say I can recall a single pirate release that's ever been distributed only after the dumper got money. It's a prototype-only thing, as far as I know. And with how cheap pirates generally are, it'd be a bit pointless if anyone did do that unless they were inflating the price because they think they're the only ones that can obtain it.

And I agree about preservation, I never said I'd keep anything to myself =p Just that if it were a very expensive item I also wouldn't want to outright give it away for free after all the money and trouble it took to get it. This applies most to prototypes as they're one-of-a-kind items, as opposed to all other games out there where anyone can obtain a copy for cheap enough.

Anyway, my debating muscles suck =p On the topic of dumping pirates, besides Mario World 64 I have a bunch of undumped GBC and a couple GBA games I'd dump for free if anyone knew how to actually get the damned things dumped properly :) I'll have to try dumping my Mario World 64 with my Retrode whenever I get it, though it will be a bit. Obviously this person bit the dust and won't be seen again..

Ray of Lightning

« Reply #13 on: September 13, 2012, 04:44:40 AM »
Hmm, well, I'll have to check up with the guy who told me that kinda stuff goes on. It was brought up when I mentioned I was going to try and dump some ROMs myself. Lol, I was kinda told to keep the ROMs to myself to keep the price of the pirates high. Urm, no. I want the damn things to be cheap as chips for people to enjoy so I'll dump away, thankyouverymuchgoodsir.  :dance:

But yes, as protos go, I agree with you. Hell, I practically squeed when I eventually got a chance to play the Sonic 2 Betas and that, I believe, wasn't anywhere near cheap at all.

Anyways, to wrap up this little discussion, all I can say is good luck with dumping that pirate! I think we'd all like to play that one. I know I sure would. :D

Pepper-98

« Reply #14 on: September 13, 2012, 07:57:52 AM »
I was just referring to pirate stuff before, but I see Barver's side of the argument as well.  Also, I'm crossing my fingers that Azathoth will have some better luck with dumping the game this time.  It'd be nice to play beyond that horrible second level...