
CPS3 encryption is broken



Thursday, June 07, 2007

 

CPS-3 (6)

As I said at the end of the previous entry, being able to partially reconstruct the cycles of x' has also allowed me to study y (for the moment only for Jojo).

The first thing I noticed was that an XOR operation with the high part of the address was being applied (which was causing the bits to show cycles of 2^15 masks and longer); once the same mask was applied to recover the previous values, the bits now showed smaller cycles, although no longer always with the characteristic that the second half of the cycle was the same as the first but inverted. In addition, although the size of the cycles seemed ordered according to the order of the bits, the first 4 had the same length as the last 4, and three of the bits (#1, #4 and #5) showed an (initially) surprising property: in them the effect of an XOR operation with a certain bit of the address (not the same one in all three cases) was clearly visible.

In that state of things, there was the possibility of trying to better reconstruct the bits of x' and y using the new knowledge of the cycles; nevertheless, I chose to study the structure of y first, under the assumption that, since we expected y to be, in a certain sense, "simpler" than x', it might be more easily attackable.

After studying the data a little, I realized that (except for the first 4 bits) the cycles showed one of their halves filled with cycles 2^4 times smaller; along with other indications, this seemed to indicate that y itself was generated by means of an operation of the type rotate_left(a, 4) XOR (a AND b), where, in this case, b was the low part of the address XORed with a certain fixed number.

With this new knowledge, I partially reconstructed the cycles of a and tried to study its structure. These cycles did show the property that their second half was exactly like the first but inverted, which, together with a visual inspection of them, already suggested that they were generated in a relatively simple way.

I tried a few things with more or less satisfactory results and, little by little, those 3 bits that showed the surprising behaviour mentioned before ended up giving me the idea of exactly how they were being generated (one of those ideas that arrives just after waking up, as a result of the work of the subconscious mind during the night): basically, an operation rotate_left(c, 2) + c was being used, where c, in turn, was the low part of the address XORed with a fixed number.

After more (quite tedious) analysis work and many simulations, I have concluded that the following scheme produces the values of y that we were looking for:

x ← ((A&0xffff)^C1)

x ← rotate_left(x, 2)+x

x ← rotate_left(x, 4) ^ (x & ((A&0xffff)^C2))

x ← x ^ ((A>>16)^C3)

The values of C1, C2 and C3 that produce the result we were looking for are unique and, in fact, C2 is, in Jojo, the same number that had already appeared earlier in these notes as the value being applied by means of a final XOR operation at the end of the algorithm (that is, it amounts to the same thing: x ← x ^ ((A&0xffff)^C2)).

 

Now, once y is (supposedly, at least) reconstructed, we can try to use the first table from CPS-3 (5) to reconstruct x' with more fidelity, and then study its structure. According to my initial expectations, x' must have a more complex structure than y, but we will have to wait until we have studied it to draw conclusions...

 

http://andreasnaive.blogspot.com/
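The four-step scheme proposed in the post above, as an added example that is not part of Andreas's notes or of any emulator's source. It assumes 16-bit values and 16-bit rotates throughout (the post masks with 0xffff and talks about cycles of 2^15), treats A as a 32-bit address, and uses placeholder values for C1, C2 and C3, since the post does not give the Jojo constants. The `bit_period` helper is this example's own reading of what a bit's "cycle" is: the smallest period with which one output bit repeats as the low half of the address runs through all 65536 values; `half_inverted` checks the "second half equals the first half inverted" property the post mentions. Both are analysis aids, not part of the scheme itself.

```python
# Added example, not from the original post or any emulator: the y-derivation
# scheme as described, over 16-bit values, plus two small cycle-analysis helpers.
# Assumptions: 16-bit rotates, 32-bit address A, placeholder constants.

MASK16 = 0xFFFF


def rotate_left(value, n, width=16):
    """Rotate a `width`-bit value left by n bits (width assumed to be 16)."""
    limit = (1 << width) - 1
    value &= limit
    n %= width
    return ((value << n) | (value >> (width - n))) & limit


def derive_y(address, c1, c2, c3):
    """The scheme from the post: A -> y, with C1, C2, C3 as 16-bit constants."""
    low = address & MASK16            # A & 0xffff
    high = (address >> 16) & MASK16   # A >> 16
    x = low ^ c1                                   # x <- (A&0xffff)^C1
    x = (rotate_left(x, 2) + x) & MASK16           # x <- rotate_left(x,2)+x
    x = rotate_left(x, 4) ^ (x & (low ^ c2))       # x <- rotate_left(x,4)^(x&((A&0xffff)^C2))
    x ^= high ^ c3                                 # x <- x^((A>>16)^C3)
    return x & MASK16


def _bit_sequence(bit, c1, c2, c3, high):
    # One output bit of y for every low address value, high half fixed.
    return [(derive_y((high << 16) | a, c1, c2, c3) >> bit) & 1
            for a in range(1 << 16)]


def bit_period(bit, c1, c2, c3, high=0):
    """Smallest period (a power of two) with which `bit` of y repeats as the
    low 16 bits of A cycle through 0..0xffff. This is the example's own
    definition of a bit's 'cycle' length, assumed to match the post's usage."""
    seq = _bit_sequence(bit, c1, c2, c3, high)
    p = 1
    while p < (1 << 16):
        if all(seq[a] == seq[(a + p) & MASK16] for a in range(1 << 16)):
            return p
        p <<= 1
    return 1 << 16


def half_inverted(bit, c1, c2, c3, high=0):
    """True if, within one cycle of `bit`, the second half is the bitwise
    inverse of the first half (the property the post describes for a)."""
    seq = _bit_sequence(bit, c1, c2, c3, high)
    p = bit_period(bit, c1, c2, c3, high)
    if p < 2:
        return False
    h = p // 2
    return all(seq[(a + h) & MASK16] == 1 - seq[a] for a in range(1 << 16))


if __name__ == "__main__":
    # Placeholder constants (constructed for the demo, NOT the real Jojo values).
    C1, C2, C3 = 0x1234, 0x5678, 0x9ABC
    for bit in range(16):
        print(f"bit {bit:2d}: period {bit_period(bit, C1, C2, C3):6d}",
              "half-inverted" if half_inverted(bit, C1, C2, C3) else "")
```

Running the script prints the period of each of the 16 output bits for the placeholder constants; with the real constants, the periods and the half-inverted flags are the figures the post's "cycle" analysis is built on.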


June 10th, 2007

 

Keys to the World

 

Andreas figured out the keys for the other games, giving us a bit more to work with. Of course, everything is stuck with error messages at the moment as I haven’t made much more progress with the CD-Controller emulation yet. I found that the amd / wd33c93 is supported in MESS (wd33c93.c), I don’t know how well it works tho, it’s only used by the Indy driver.. I guess I’m going to have to find out.

 

Warzard - Complains about the CD-ROM?

[screenshot: warzard.png]

Street Fighter III: New Generation - The Same?

[screenshot: sfiii.png]

Street Fighter III 2nd Impact: Giant Attack - Likewise

[screenshot: sfiii2.png]

Street Fighter III 3rd Strike: Fight for the Future - Same Message as the original JoJo

[screenshot: sfiii3.png]

JoJo’s Bizarre Adventure - Same Message as the original JoJo

[screenshot: jojoba.png]

http://haze.mameworld.info/2007/06/10/keys-to-the-world/

 

[Edited on 6-10-2007 by pepinos]


June 15th, 2007

 

CPS3 Sound

 

No real progress on the Backgrounds / Sprites / Palette, I’m afraid. Lots of things have been ruled out, but no conclusions have been reached on how it actually gets/decodes the data from the FlashROMs into RAM yet; it seems to be some kind of external DMA, but we can’t find any parameters or what triggers it right now.

On the good side of things, EEPROM access has been fixed, so SFIII / 2 / 3 boot without EEPROM hacks. Warzard still doesn’t boot for some reason, although ElSemi has it booting outside of MAME (it doesn’t reveal any more clues about how the backgrounds/sprites work, though).

Also, and this is the main thing I want to report here, Phil Bennett has added preliminary sound emulation (as mentioned in the comments of the previous post).

Here is a short OGG recorded from SF3 in MAME. As you can hear, the game is running even if you can’t really see anything apart from the health bars.

 

[screenshot: insert1.png]

 

http://haze.mameworld.info/2007/06/15/cps3-sound/


The two towers are indeed falling down :punk::punk::devilboy::thumbsup1:

 

June 16th, 2007

 

CPS3 Colours

 

The Palette DMA is now emulated, so the text layer is looking a lot nicer now.

 

Note, Warzard / Red Earth still does not boot in MAME, I have no idea why, don’t worry tho, the decryption of it is fine, it’s just not booting for me.

 

Note 2, ignore the regions, most dumped sets are actually Japan.

 

Note 3, the strange outlines around the tiles are because they’re being drawn as solid, not transparent (mainly due to the fact that there is nothing behind them right now).

 

[screenshots: jojo_colours_1.png to jojo_colours_4.png, jojoba_colours_1.png to jojoba_colours_3.png, sfiii_colours_1.png to sfiii_colours_3.png, sfiii2_colours_1.png to sfiii2_colours_3.png, sfiii3_colours_1.png to sfiii3_colours_3.png]

 

http://haze.mameworld.info/2007/06/16/cps3-colours


Yeah, too bad; I find this a complete waste of time, seeing how you can get the whole SF3 series and the Jojo series on Dreamcast already (or, in SF3's case, PS2 also).

 

Edit: Still good work though, is what I'm trying to say.
