Cracking unlicensed SNES games/HKOs

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
Cracking unlicensed SNES games/HKOs
by on (#37884)
Although most are virtually unknown, there are a couple of relatively recent unlicensed rip-off games out there for the SNES based on titles that originally appeared on more powerful consoles.
What all of these games have in common is the unbelievable degree of crappiness and the fact that they feature hardware copy protection.

When I was bored and didn't have something else to do in the past, I sometimes cracked one of these, just for fun.
I haven't really mentioned it before and nobody seemed to care, either, but lately, a couple of people have expressed interest in these games.
Also, I've been browsing South American auction sites for a couple of years in search of these games, and still, some completely unknown to me recently appeared, which really surprised me.

Here's a list of the ones I currently know of:
- Tekken 2
- Picachu/Pocket Monsters
- Pokemon Stadium
- Soul Blade
- X-Men vs Street Fighter


Now I've already cracked all of these (videos available on my YouTube channel) and am looking for some new challenges.

One of the games says it's by DVS, whatever that means. Is that a known producer of unlicensed games?

This one seems to be undumped and totally unknown so far. I've contacted the guy about buying it from him, will see how that works out.

Does anyone know if any other SNES HKOs exist?

(hope this makes sense, I'm pretty tired ~_= )

by on (#37886)
Quote:
What all of these games have in common is the unbelievable degree of crappiness and the fact that they feature hardware copy protection.


Ah, what a neat coincidence. About six months ago, Nach sent me Pokemon Stadium and X-Men vs Street Fighter. I worked on Pokemon Stadium for a few minutes at work and got this:

Image

Just some simple read from ROM, expect different results crap. But what got me was after selecting a new game, it did an indirect jump off ROM again, but the value there was garbage and it crashed. I wrote a scanner to find every "rts, rtl, rti" and plugged in the addresses immediately after, and I managed to trigger a bunch of different screens in the game; but I never found the right value to give it.

I figured I'd either need to test all 32,768 possibilities, or get an actual cart and read it to see what the proper value was, so I just gave up. Never bothered with XMVSF.

I'd be really curious to see how you beat the protections, though. Did you have the actual carts to probe?

Really neat stuff, at any rate! I know Haze emulated a lot of these for the Genesis. I just didn't see much point, so I never bothered. I figure it's better to just make UPS patches to correct the games than emulate a bunch of stupid mapper tricks for various pirate carts.

I hope you'll post some patches sometime for these :D

by on (#37895)
You weren't kidding about how craptastic those "games" play. It's pretty horrifying stuff. Neat that you cracked it though. Sad that they thought that pile of crap was worth protecting. Reminds me of Final Fight 3 for NES, it has a bunch of things to try to prevent you from hacking it to another mapper.

by on (#37907)
byuu wrote:
Quote:
What all of these games have in common is the unbelievable degree of crappiness and the fact that they feature hardware copy protection.


Ah, what a neat coincidence. About six months ago, Nach sent me Pokemon Stadium and X-Men vs Street Fighter. I worked on Pokemon Stadium for a few minutes at work and got this:

Image

Just some simple read from ROM, expect different results crap. But what got me was after selecting a new game, it did an indirect jump off ROM again, but the value there was garbage and it crashed. I wrote a scanner to find every "rts, rtl, rti" and plugged in the addresses immediately after, and I managed to trigger a bunch of different screens in the game; but I never found the right value to give it.

I figured I'd either need to test all 32,768 possibilities, or get an actual cart and read it to see what the proper value was, so I just gave up. Never bothered with XMVSF.

I'd be really curious to see how you beat the protections, though. Did you have the actual carts to probe?


You really should have had a look at xmvssf. It has the same protection as pokemon stadium, but the correct return values can be guessed and from that the correct jumps for pokemon stadium can be deduced.

The other carts all have different protections.
I only own Tekken 2 and Soul Blade. All of them could be reverse-engineered without the cart except for Tekken 2. You gotta have the cart for that one. It's pure protection evilness.

The xmvssf/ps protection itself is very simple. I don't know the actual range where it can be accessed, cause the games only seem to use $88:8000 and $80:0000, but I guess that the protection on the real cart can be accessed either from bank $80 to $ff or from $80 to $bf.

Anyway, after guessing some correct values for xmvssf, I immediately noticed that the number of set bits for input and output are always the same. Obviously, there was some kind of hardware latch present that swapped the bits in a certain pattern.

To make a long story short, here's the bitswap pattern:
76543210 becomes 06712345

That'd mean that for example writing $f4 to $88:8000 returns $6b on $80:8000.
Pretty simple and also very cheap to implement in hardware.

Picachu might have the same protection, I'm not sure. It's been too long since I cracked that and it seems I didn't take any notes, unfortunately.

Soul Blade has another protection and was very obvious about what values it expected, so I didn't bother finding out how it worked, just gave it the values it was looking for and be done with it. Will have another look later.

Tekken 2 is a bit more complicated. It accesses the protection in a very strange way, always reading/writing the same data $f0 times.
I had a look at the cart and indeed, each access must be repeated a couple of times to be registered (typically around 7-30 times).
At first, I was puzzled by this, because I was expecting a simple bitswap pattern.
My conclusion was that they used a microcontroller here.
It's pretty obvious that the mc sometimes misses the accesses from the s-cpu, so they have to be repeated often enough to make sure they always come through.
Also, the output pattern is too complicated to pull off with a couple of logic chips.

The protection itself is accessed in banks $80-$bf.
Accessing (read/write, doesn't matter) address lines A8, A9, A10 in these banks in a certain sequence makes the mc return a 4-bit value.
$8080xx clears the sequence
$8081xx reads the result.

As an example, the access sequence $80:8000,$80:8300,$80:8400,$80:8700 first clears the previous result, then returns $c on data lines 0-3 when reading $80:8100.

I was thinking that it maybe was just xoring/adding/whatever the access results, but I couldn't spot any pattern that makes sense. Also, accessing the same region multiple times in a sequence doesn't change the result.

The way they implemented that into the s-cpu program was very evil. Apart from the usual jumps and data loads depending on the returned result from the protection (which can be guessed with ease because it just returns 4 bits), it was also using that returned data to calculate the next protection sequence addresses. I just popped the cart in and entered the sequences manually, then gave it the return values it was looking for.

Overall, I agree that patches are the way to go here. Emulating protections only one or two crappy games use isn't worth the effort.
Also, you'd probably have trouble detecting those roms in a generic way.

Phew, that was quite a rant...


[edit]
Pocket Monsters indeed uses the exact same protection as X-Men vs Street Fighter and Pokemon Stadium.

The Soul Blade protection is the weakest I've ever seen.
Addresses $xxx0-$xxx3 in banks $80-$bf always read $55, $0f, $aa, $f0
Banks $c0-$ff return open bus.
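A software model of the bit-swap latch described above, as an added example that is not code from the thread or from any emulator. It implements "76543210 becomes 06712345" as a permutation, checks the two properties d4s used to recognise it (set-bit count is preserved, and every written byte maps to a distinct read-back byte), and reproduces the $f4 -> $6b example from the post; the port addresses are the ones the post names and the helper names are my own.

```python
# Added example (not from the thread): model of the XMvsSF / Pokemon Stadium /
# Pocket Monsters protection. A byte written to the write port comes back from
# the read port with its bits permuted: "76543210 becomes 06712345", meaning
# output bit 7 <- input bit 0, output bit 6 <- input bit 6, output bit 5 <- input
# bit 7, and so on down to output bit 0 <- input bit 5.

WRITE_PORT = 0x888000   # $88:8000, as used by the games
READ_PORT = 0x808000    # $80:8000, as used by the games

# OUT_FROM_IN[output_bit] = input bit that lands there ("06712345" read left to
# right as output bits 7..0).
OUT_FROM_IN = {7: 0, 6: 6, 5: 7, 4: 1, 3: 2, 2: 3, 1: 4, 0: 5}


def swap_bits(value: int) -> int:
    """What the read port returns after `value` was written to the write port."""
    value &= 0xFF
    out = 0
    for out_bit, in_bit in OUT_FROM_IN.items():
        if value & (1 << in_bit):
            out |= 1 << out_bit
    return out


def unswap_bits(value: int) -> int:
    """Inverse permutation: recover the written byte from a read-back byte."""
    value &= 0xFF
    out = 0
    for out_bit, in_bit in OUT_FROM_IN.items():
        if value & (1 << out_bit):
            out |= 1 << in_bit
    return out


def popcount_preserved() -> bool:
    """d4s's first clue: a pure bit permutation never changes the number of set bits."""
    return all(bin(v).count("1") == bin(swap_bits(v)).count("1") for v in range(256))


def is_bijection() -> bool:
    """A permutation is invertible: 256 distinct inputs give 256 distinct outputs."""
    return len({swap_bits(v) for v in range(256)}) == 256


# A 256-byte table is all an emulator (or a patched ROM) needs in place of the latch.
SWAP_TABLE = bytes(swap_bits(v) for v in range(256))

if __name__ == "__main__":
    print(f"write ${0xF4:02x} to ${WRITE_PORT:06x} -> read ${swap_bits(0xF4):02x} at ${READ_PORT:06x}")
```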

by on (#37915)
Wow, really neat info! Thanks a bunch for sharing!

Yeah, I only guessed the first read-back byte. Not enough to deduce a pattern from. Too bad I didn't mess with X-Men.

Still, very clever on your part to figure it all out :D

Tekken 2 sounds the coolest. Writing 240x to get it to register ... that's fantastic.

by on (#37951)
I play these games to look for the ending, then post 'em. I also let SpaceNinja88 know this. They're usually very short endings. :D

I beat Pokémon (which is listed as Pocket Monsters on the Title Screen) and Soul Blade. Both endings are real short, and SpaceNinja88 has posted the ending to Pocket Monsters as well. I granted him permission, because I was getting to be a willing contributor... that, and I knew that I could invent cheat codes in the blink of an eye. Soul Blade tricked me a little on the health part, but I eventually found a loophole: The value increased the more damage you took until 95 (in decimal), when the character falls to the ground. Normally it's the other way around, but I see the laziness here.

by on (#37952)
I was surprised myself when I noticed Pocket Monsters has an actual ending.

I mean, this game isn't like, total crap.
If the controls weren't so rubbish and the scrolling a bit less choppy, it would make for a mediocre to decent run-of-the-mill SNES platformer.
Or solid gold by HKO standards, so to speak. ;)

All the fighting games basically work the same with slight variations.
I think I've beaten all of them without cheats, just plain mindless button-mashing.


The Tekken 2 protection really is the most interesting and I bet it was the most expensive cart to manufacture for them.
Still, this one gave me the most trouble.
It was the first game that sparked my interest for cracking, but the last I managed to actually crack.

I'd love to talk to the guys who were in charge of developing these games. I bet they'd be proud that their protections lasted for over 10 years without being cracked, although the reason for that is most likely the lack of interest these titles generate, not the toughness of the protections. ;)

by on (#37953)
Quote:
All the fighting games basically work the same with slight variations.
I think I've beaten all of them without cheats, just plain mindless button-mashing.


I think SFA2 is the worst in that regard. It may have beautiful graphics, but damn. I absolutely suck at fighters / action games (I can usually only beat one or two characters in SNK games), and I cleared the game on my first try. So I go back, set difficulty to high, turbo on, handicap stuff off ... beat it without losing a single fight.

I can't even imagine what actual skilled players think of the machine-mode challenge.

Quote:
I bet they'd be proud that their protections lasted for over 10 years without being cracked, although the reason for that is most likely the lack of interest these titles generate, not the toughness of the protections.


Hahah, yeah. It reminds me of Star Force 3's marketing. "Our protection has never been cracked, unlike SecuROM!" -- uh huh, and what games was it used on? A couple of $3 Chinese shareware apps. Of course nobody bothered. And sure enough, once they started adding it to big titles, it got broken.

But yeah, even more ridiculous about these protections -- if you're a Chinese company making SNES cart copies, would you target the really crappy pirate games, or go after the big names like Mario and Zelda? Such a waste of effort to protect these games.

by on (#37960)
KungFuFurby wrote:
Soul Blade tricked me a little on the health part, but I eventually found a loophole: The value increased the more damage you took until 95 (in decimal), when the character falls to the ground. Normally it's the other way around, but I see the laziness here.

I don't see it as laziness. Other Nintendo first-party games that display an increasing value for more damage to your unit include Stunt Race FX and the Super Smash Bros. series.

by on (#37962)
Yeah, I recall that... sometimes it's in numerals you don't see, though, in actual gameplay. :wink:
Re: Cracking unlicensed SNES games/HKOs
by on (#102380)
Have had a look at the three protection schemes last week, here's what I've found out (and some summary of d4s's original findings).

d4s wrote:
... here's the bitswap pattern: 76543210 becomes 06712345

That's the most common type, used by 11 games:
- A Bug's Life
- Aladdin 2000
- Bananas de Pijamas
- Digimon Adventure
- King of Fighters 2000 (aka KOF2000)
- Pocket Monster (aka Picachu)
- Pokemon Gold Silver
- Pokemon Stadium
- Soul Edge Vs Samurai
- Street Fighter EX Plus Alpha
- X-Men vs. Street Fighter
One small detail that is unknown here is which addresses the protection ports are mirrored to.

d4s wrote:
The Soul Blade protection is the weakest I've ever seen.
Addresses $xxx0-$xxx3 in banks $80-$bf always read $55, $0f, $aa, $f0
Banks $c0-$ff return open bus.

That's apparently used only by Soul Blade. The above specs with the 4-byte pattern and open-bus stuff are looking fine. The Soul Blade game seems to be working even when outputting plain FFh bytes (but maybe there's some further protection check deeper in the game, so using the 4-byte pattern should be more accurate than just using FFh bytes).
One odd thing that I've noticed is that the patched and unpatched Soul Blade ROM images are also differing by data that isn't protection related. For example, the unpatched version (CRC32=C97D1D7Bh, maybe a bad dump) is showing some black lines in the middle of the main menu screen; the cracked version is not having that dirt effect.

d4s wrote:
Tekken 2 is a bit more complicated. It accesses the protection in a very strange way, always reading/writing the same data $f0 times.
I had a look at the cart and indeed, each access must be repeated a couple of times to be registered (typically around 7-30 times).
My conclusion was that they used a microcontroller here.
Also, the output pattern is too complicated to pull off with a couple of logic chips...
result from the protection(which can be guessed with ease because it just returns 4 bits)

I don't know how complicated the pattern can get (when feeding more/other data to it than the Tekken game does), but I've rev-engineered d4s's guessed values, which don't look that complicated:
Code:
  Addr    <----function---->  <--result, as guessed by d4s-->
  00:826B CLR +4   +reg7      = 8
  00:B584 CLR +...?...        = unknown
  00:B7A9 CLR                 = 1
  00:B7D6 CLR +1   +reg6+reg7 = 0
  00:D20E CLR +8+4 +reg6+reg7 = 6
  00:D64B CLR      +reg6      = F
  00:D669 CLR +2+4      +reg7 = C
  00:D68A CLR +1..6 ?         = 2..7
  00:D68A CLR +6    ?         = 7

Addr=Program code ROM Address, CLR=Port 808xxxh, 1/2/4/8=Port 8082xxxh/8083xxxh/8084xxxh/8085xxxh, reg6/reg7=Port 8086xxxh/8087xxxh. Guessed result=Port 8081xxxh.read.

As it's possible to repeat the writes without changing the result, it seems most likely that the writes are just setting/clearing bits (rather than doing more complex math which would change the result after each write). Following that theory, the guessed values could be reproduced like so:
Code:
  [80-BF:80xx]=0Fh,00h Clear all 6 bits
  [80-BF:81xx]=xxh     Probably "No Change" (unused, except for Reading)
  [80-BF:82xx]=FFh,00h Set Data bit0
  [80-BF:83xx]=FFh,00h Set Data bit1
  [80-BF:84xx]=FFh,00h Set Data bit2
  [80-BF:85xx]=FFh,00h Set Data bit3
  [80-BF:86xx]=FFh,00h Set ALU Direction bit (0=Up/Left, 1=Down/Right)
  [80-BF:87xx]=FFh,00h Set ALU Function bit  (0=Count, 1=Shift)
  X=[80-BF:81xx]       Return "4bitData plus/minus/shl/shr 1"

If the theory is right, then one could program exactly 64 combinations into the 6bit register, and the result could be calculated as shown above. If somebody wants to verify it on real hardware: Go ahead! Would be nice to know if it's really so.

Above is assuming that the write order would be don't care; ie. writing 82xxh and then 83xxh would be same as vice-versa. A slightly more complex theory would be that, for example, 82xxh might set DataBit0=1 and DataBit3=0, or doing something like DataBit0=Not(DataBit2), in such cases the write order would be relevant.

The written 2x8bit pairs (0Fh,00h for first port) and (FFh,00h for other ports) (as how they are written by tekken2) are probably don't care (as d4s said that the ports do even react on reading).
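A simulator of the 6-bit register theory above, as an added example that is not code from the thread or from any emulator. The port decoding (A8-A10 in banks $80-$BF), the clear port, the read port and the 4-bit result are taken from d4s's notes; the set-bit, direction and function semantics are the hypothesis stated in the post, and the class and function names are my own. Because the model only sets bits, repeating an access (as Tekken 2 does $f0 times) cannot change the result, which matches d4s's observation.

```python
# Added example (not from the thread): simulator for the hypothesised Tekken 2
# protection register. It checks the theory against d4s's guessed results, it
# does not reproduce the real microcontroller.
from typing import Optional

DATA_MASK = 0x0F  # the chip only ever returns 4 bits


class Tekken2ProtModel:
    """Port number = address bits A8-A10 of any access in banks $80-$BF."""

    def __init__(self) -> None:
        self.data = 0       # 4-bit data register, bits set via ports 2..5
        self.direction = 0  # port 6: 0 = up/left, 1 = down/right (theory)
        self.function = 0   # port 7: 0 = count, 1 = shift (theory)

    def access(self, addr: int) -> Optional[int]:
        """Model one read or write; the byte written is treated as don't-care.
        Returns the 4-bit result only when the read port ($xx81xx) is hit."""
        bank = (addr >> 16) & 0xFF
        if not 0x80 <= bank <= 0xBF:
            return None                  # outside the range d4s observed
        port = (addr >> 8) & 7
        if port == 0:                    # $xx80xx: clear all six bits
            self.data = self.direction = self.function = 0
        elif port == 1:                  # $xx81xx: read, no state change
            return self.result()
        elif port in (2, 3, 4, 5):       # $xx82xx..$xx85xx: set data bit 0..3
            self.data |= 1 << (port - 2)
        elif port == 6:                  # $xx86xx: direction bit
            self.direction = 1
        else:                            # $xx87xx: function bit
            self.function = 1
        return None

    def result(self) -> int:
        """4-bit data plus/minus/shl/shr 1, per the theory in the post."""
        if self.function == 0:
            return (self.data + (-1 if self.direction else 1)) & DATA_MASK
        return ((self.data >> 1) if self.direction else (self.data << 1)) & DATA_MASK


def run_sequence(addrs, repeats: int = 1) -> Optional[int]:
    """Replay an access sequence (each access `repeats` times, as the game does)
    and return what the last read of the result port gave."""
    chip, out = Tekken2ProtModel(), None
    for a in addrs:
        for _ in range(repeats):
            r = chip.access(a)
            out = r if r is not None else out
    return out
```

The sequence d4s gives as an example ($80:8000, $80:8300, $80:8400, $80:8700, then read $80:8100) evaluates to $c in this model, the "CLR +2+4 +reg7" row of the table.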
Re: Cracking unlicensed SNES games/HKOs
by on (#189855)
What do these games do for lockout defeat? Donor CIC, SuperCIC, or something else?
Re: Cracking unlicensed SNES games/HKOs
by on (#189864)
tepples wrote:
What do these games do for lockout defeat? Donor CIC, SuperCIC, or something else?


I can't comment on those games, but I'm pretty sure that at least the Game Doctor copier had a custom-marked chip to replace the CIC. It seems that SNES CIC clones have existed for quite a while.
Re: Cracking unlicensed SNES games/HKOs
by on (#189887)
Here's a list of CIC clones for NES and SNES: http://problemkaputt.de/fullsnes.htm#sn ... icversions
Another example would be the "GS74LS161" 16pin CIC clone used in Campeonato Brasileiro 2 bootleg carts: viewtopic.php?f=12&t=15510