WIP: Golden Axe 2 security obfuscation bypass.


    • WIP: Golden Axe 2 security obfuscation bypass.

      Soon I will be releasing a set of ROMs to bypass a broken security daughter card on your Golden Axe 2.
      As a proof of concept, I started to look into this a few days ago, and it turned out really easy.
      Sega used a very lazy assembler, programmer, QA checker and what have you. Read below to find out how botched up the Golden Axe 2 release was.

      I did this in October, around the 10th, and shared the info with a few people. On Oct 21st, the info ended up on TCRF.net.
      Maybe a coincidence. Whoever posted there please come forward where you found this. (Rabidrabid, who are you?)

      ROMs will be released around Christmas, just like I did last year with the Espgaluda score save mod. Have patience :)

      Preface
      Let's explain a bit about GA2 and the security daughter card. It has a NEC V25 CPU on it, some RAM, a ROM (already dumped) and sits on the bus. It is designed to stop bootleggers. Sega had lots of games heavily bootlegged, and they lost revenue because of this. Previous platforms have battery-backed 68K main CPUs with encryption tables that helped deter bootleggers for a looong time. Some of the System32 games have FD1149 solutions on them which today are still not fully understood. What went wrong with Golden Axe 2? It is a top-tier title with a strong IP that should be properly protected, right?

      Bootup
      The main CPU can 'talk' to the daughter card via shared RAM. When the game boots, the main CPU and the secure V25 CPU start up. The game waits for some magic string to appear in RAM, otherwise the main CPU code will stay in a loop. Other than that, there is also some sprite data read from shared RAM. If the daughter card dies, the game won't start. If you bypass the magic string check, the sprites will look like they are on LSD. Seems decent enough, right?

      Flaws
      - Main CPU code not encrypted.
      - Expected string can be seen in main CPU code ROMs. (oops.)
      - Expected palettes may be guessed or even brute forced.
      - Hardware emulation in 1992 could have seen the content of the encrypted CPU's RAM.

      The attack
      The game has been fully emulated in MAME for a long time. Source code is available. The game wants a 'WAKE UP! ...' string or it won't boot.
      The secure CPU is also fully emulated. There is just some simple opcode obfuscation going on, nothing serious. (First obvious sign of laziness: obfuscation is not security.)
      I started to look at the RAM space for the encrypted CPU to see what the game put there, and what the security CPU was doing. It soon became clear this was going to be a boring job.

      - The security CPU creates a page of static data in the shared RAM.
      - Nothing ever changes in this shared RAM.
      - Then it sits there idle. Doing nothing.

      This could be easier than I thought.

      Stupid assembler
      I went to look at the ROM to see if I was missing any code that the security board might jump to in special cases. There could be some triggers or events I had missed in the main CPU.
      Disassembling the obfuscated ROM would allow me to see any such hidden surprises. I was really hoping for some kind of a surprise. But not like what I found.
      I saw a big issue. Sega had used an assembler that was super sloppy. It had produced a ROM and filled the emptiness with 'random data' from the PC/disk/RAM.
      Except it had picked the source code of the V25 encrypted program. Not scrambled. Nicely formatted too.

      Removed, post over 10.000 chars. Available on request :)


      So, whoever assembled this using uPD70320 Assembler V3.10 in SEC mode on 01 Sep 92 12:30:49 on a PC98 with nickname ARAMAWARI made no QA effort.
      Also, another lazy sign: they re-used partial Arabian Fight routines, which could help de-obfuscate the sec CPU on that one; the emulation is not 100% on that game yet.

      Work done so far:
      - Moved the sprite table into ROM
      - Bypassed security string
      - Tested on real hardware (see here.)

      Todo:
      - Document the ROM types if you want to convert, say, F1 Super Lap.
      - De-obfuscate the Arabian Fight sec board?
      - Add AF sec emulation to MAME?
      - Do the actual Xmas release :)

      I wanted to play Titanfall 2 but wrote this goddamn wall of text... :awe:
      And yes, there's a similar situation in Arabian Fight's sec board ROM, but there is a lot less source.
      If you want to support me, sign up for Dropbox by using db.tt/05qkhkFLVC. This gets you and me an extra 500MB for hosting roms, or other arcade related files :)
    • Source in spoiler.

      ;------------------------------------------------------------------------------
      ; SFR INITIAL
      ;------------------------------------------------------------------------------
      INIT PROC
      _INIT:
      mov aw,0
      mov ds0,aw
      mov aw,0ff00h
      mov ds1,aw
      mov cw,9
      ldea ix,ITDT
      INITLP:
      mov iy,word ptr ds0:[ix]
      mov dl,byte ptr ds0:[ix+2]
      mov byte ptr ds1:[iy],dl
      add ix,4
      dec cw
      bnz INITLP
      RET
      INIT ENDP
      ;------------------------------------------------------------------------------
      ; V25 read/write check
      ;------------------------------------------------------------------------------
      RW22 PROC
      _RW22:
      mov ch,byte ptr ds1:[ix+1]
      cmp ch,20h; V25 r/w start ?
      bne _RW22
      mov bw,8; counter offset (0008h)
      mov dh,byte ptr ds1:[ix+6h]; add data
      mov dl,byte ptr ds1:[ix+7h]; write start data
      LP_22:
      call AD_SET
      mov byte ptr ds1:[iy],dl; RAM data write
      mov cl,byte ptr ds1:[iy]; RAM data read
      cmp cl,dl
      bnz R22_NG
      add dl,dh
      inc bw
      cmp bw,7f0h;stack area (10h) keep
      bnz LP_22
      mov ch,22h; RAM OK data set
      call SET_ON
      RET
      R22_NG:
      mov ch,2ah; RAM NG data set
      call SET_ON
      RET
      RW22 ENDP
      ;------------------------------------------------------------------------------
      ; V25 read / V60 write check
      ;------------------------------------------------------------------------------
      RW26 PROC
      _RW26:
      mov ch,byte ptr ds1:[ix+1]
      cmp ch,4fh; V60 write end ?
      bne _RW26
      mov bw,8; counter offset (0008h)
      mov dh,byte ptr ds1:[ix+6h]; add data
      mov dl,byte ptr ds1:[ix+7h]; write start data
      LP_26:
      call AD_SET
      mov cl,byte ptr ds1:[iy]; RAM data read
      cmp cl,dl
      bnz R26_NG
      add dl,dh
      inc bw
      cmp bw,7f0h
      bnz LP_26
      mov ch,44h; RAM OK data set
      call SET_ON
      RET
      R26_NG:
      mov ch,4ah; RAM NG data set
      call SET_ON
      RET
      RW26 ENDP
      ;------------------------------------------------------------------------------
      ; V60 read / V25 write check
      ;------------------------------------------------------------------------------
      RW62 PROC
      _RW62:
      mov ch,byte ptr ds1:[ix+1]
      cmp ch,50h; before result write end ?
      bne _RW62
      mov bw,8; counter offset (0008h)
      mov dh,byte ptr ds1:[ix+6h]; add data
      mov dl,byte ptr ds1:[ix+7efh] ; write start data
      mov byte ptr ds1:[ix+7h],dl; write start data
      LP_62:
      call AD_SET
      mov byte ptr ds1:[iy],dl; RAM data write
      add dl,dh
      inc bw
      cmp bw,7f0h
      bnz LP_62
      mov ch,5fh; write end code set
      call SET_ON
      RET
      RW62 ENDP
      ;------------------------------------------------------------------------------
      ; arabian fight security routin
      ;------------------------------------------------------------------------------
      WRITE_AXE PROC
      _RW_AXE:
      ldea ix,PLCOL_AX
      mov iy,0;
      mov cw,16;loop count
      loop:
      mov dl,byte ptr ds0:[ix]
      mov byte ptr ds1:[iy],dl
      add ix,1
      add iy,1
      dec cw
      bnz loop
      RET
      PLAYCOL1 equ 0000000aH
      PLAYCOL2 equ 00000011H
      PLAYCOL3 equ 00000018H
      PLAYCOL4 equ 0000001fH
      ZANZOCOL1 equ 000000c5H
      ZANZOCOL2 equ 000000c6H
      PLCOL_AXE
      dw PLAYCOL1-- body color
      dw ZANZOCOL1-- zanzoh color
      dw PLAYCOL2-- body color
      dw PLAYCOL2-- zanzoh color
      dw PLAYCOL3-- body color
      dw PLAYCOL3-- zanzoh color
      dw PLAYCOL4-- body color
      dw ZANZOCOL2-- zanzoh color
      WRITE_AXE ENDP
      ;------------------------------------------------------------------------------
      ; event security routin
      ;------------------------------------------------------------------------------
      ;000h~3ffhwrite buff
      ;080h~0afh(startup function work)
      ;400h~7ffhread buff
      ;------------------------------------------------------------------------------
      ; start up function
      ;------------------------------------------------------------------------------
      START_FUNC PROC
      _ST_FU:
      ldea ix,MESS_ST
      mov iy,080h;start function write buff
      mov cw,16*3;loop count
      loop_st:
      mov dl,byte ptr ds0:[ix]
      mov byte ptr ds1:[iy],dl
      add ix,1
      add iy,1
      dec cw
      bnz loop_st
      RET
      ;0123456789abcdef
      MESS_ST db 'wake up! GOLDEN ';16 byte 1 group
      db 'AXE The Revenge ';16 byte 1 group
      db 'of Death-Adder! ';16 byte 1 group
      START_FUNC ENDP
      ;------------------------------------------------------------------------------
      ; work ram clr
      ;------------------------------------------------------------------------------
      WORK_RAM_CLR PROC
      _WO_RA:
      mov iy,0000h;work ram write adr.
      mov cw,0400h;loop count
      mov dl,0000h
      loop_wc:
      mov byte ptr ds1:[iy],dl
      add iy,1
      dec cw
      bnz loop_wc
      RET
      WORK_RAM_CLR ENDP
      ;------------------------------------------------------------------------------
      ; RAM check result set routine
      ;------------------------------------------------------------------------------
      SET_ON PROC
      _SET_ON:
      mov byte ptr ds1:[ix+1],ch; check result set
      mov cl,byte ptr ds1:[ix+1]; result set ok ?
      cmp ch,cl
      bnz _SET_ON
      RET
      SET_ON ENDP
      ;------------------------------------------------------------------------------
      ; V25 address chenge & set routine ix : 0
      ;aw : chenge address
      ;bw : address counter
      ;------------------------------------------------------------------------------
      AD_SET PROC
      AST_LP:
      mov byte ptr ds1:[ix+2],bl; lower address set (10002h)
      mov byte ptr ds1:[ix+3],bh; upper address set (10004h)
      mov cl,byte ptr ds1:[ix+2]; lower set ok ?
      mov ch,byte ptr ds1:[ix+3]; upper set ok ?
      cmp bw,cw
      bnz AST_LP
      mov iy,bw
      RET
      AD_SET ENDP
      RMCK ENDS
      ;------------------------------------------------------------------------------
      ; data table
      ;------------------------------------------------------------------------------
      RMCK SEGMENT
      org 1000h
      ;xxf01=00 --pm0
      ;xxf02=00 --pmc0
      ;xxf09=00 --pm1
      ;xxf0a=08 --pmc1
      ;xxf11=00 --pm2
      ;xxf12=00 --pmc2
      ;xxfe8=00 --wtc
      ;xxfe9=00 --???
      ;xxfeb=00 --prc
      ITDT dw 0f01h,0,0f02h,0,0f09h,0,0f0ah,8,0f11h,0,0f12h,0
      dw 0fe8h,1001h,0fe9h,0,0febh,4ch
      RMCK ENDS
      ;------------------------------------------------------------------------------
      ; reset vecter
      ;------------------------------------------------------------------------------
      RMCK SEGMENT
      org 0fff0h
      br FAR PTR START
      RMCK ENDS
      END
      ST_LP:
      mov byte ptr ds1:[ix+2],bl; lower address set (10002h)
      mov byte ptr ds1:[ix+3],bh; upper address set (10004h)
      mov cl,byte ptr ds1:[ix+2]; lower set ok ?
      mov ch,byte ptr ds1:[ix+3]; upper set ok ?
      cmp bw,cw
      bnz AST_LP
      mov iy,bw
      RET
      AD_SET ENDP
      RMCK ENDS
      ;------------------------------------------------------------------------------
      ; data table
      ;------------------------------------------------------------------------------
      RMCK SEGMENT
      org 1000h
      ;xxf01=00 --pm0
      ;xxf02=00 --pmc0
      ;xxf09=00 --pm1
      ;xxf0a=08 --pmc1
      ;xxf11=00 --pm2
      ;xxf12=00 --pmc2
      ;xxfe8=00 --wtc
      ;xxfe9=00 --???
      ;xxfeb=00 --prc
      ITDT dw 0f01h,0,0f02h,0,0f09h,0,0f0ah,8,0f11h,0,0f12h,0
      dw 0fe8h,1001h,0fe9h,0,0febh,4ch
      RMCK ENDS
      -- Sprite table, from the assembly part:
      07AF 73696E62617420202020 374 MESS_EV3 db 'sinbat ' ;16 byte 1 group
      202020202020
      07BF 72616D61796120202020 375 db 'ramaya ' ;16 byte 1 group
      202020202020
      07CF 676F6C646F7220202020 376 db 'goldor ' ;16 byte 1 group
      202020202020
      07DF 64617461202020202020 377 db 'data ' ;16 byte 1 group
      202020202020
      07EF 20202020202020202020 378 db ' ' ;16 byte 1 group
      202020202020
      07FF 20202020202020202020 379 db ' ' ;16 byte 1 group
      202020202020
      080F 20202020202020202020 380 db ' ' ;16 byte 1 group
      202020202020
      081F 20202020202020202020 381 db ' ' ;16 byte 1 group
      202020202020
      If you want to support me, sign up for Dropbox by using db.tt/05qkhkFLVC. This gets you and me an extra 500MB for hosting roms, or other arcade related files :)
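Added illustration, not code from the post or from Sega: the three V25 routines from the leaked listing that actually populate shared RAM (WORK_RAM_CLR, WRITE_AXE, START_FUNC), reconstructed as a Python model so the 'page of static data' the post describes can be inspected. Offsets and table values come from the listing; the main-CPU compare, the 0x400-byte window size and the plaintext-in-main-ROM check are assumptions based on the post's description, and the point they make is a design-review one: the daughter card's whole contribution is a constant page with no challenge, nonce or secret for it to protect.

```python
# Model of the V25 -> shared RAM handshake, reconstructed from the leaked listing.
# Added example, not the post's or Sega's code.  Offsets are relative to the V25's
# ds1 window as the listing comments give them; SHARED_RAM_SIZE is an assumption
# taken from the ';000h~3ffh write buff' comment.
SHARED_RAM_SIZE = 0x400
PAL_OFFSET = 0x0000   # WRITE_AXE:  mov iy,0
MSG_OFFSET = 0x0080   # START_FUNC: mov iy,080h ; start function write buff

# PLAYCOL* / ZANZOCOL* equates, in PLCOL_AXE table order (body colour, zanzoh colour pairs)
PLAYCOL1, PLAYCOL2, PLAYCOL3, PLAYCOL4 = 0x0A, 0x11, 0x18, 0x1F
ZANZOCOL1, ZANZOCOL2 = 0xC5, 0xC6
PLCOL_AXE = (PLAYCOL1, ZANZOCOL1, PLAYCOL2, PLAYCOL2,
             PLAYCOL3, PLAYCOL3, PLAYCOL4, ZANZOCOL2)

# MESS_ST: three 16-byte groups, exactly as the db lines give them
MESS_ST = b"wake up! GOLDEN " + b"AXE The Revenge " + b"of Death-Adder! "


def work_ram_clr(ram: bytearray) -> None:
    """WORK_RAM_CLR: cw=0400h iterations writing dl=0 starting at iy=0."""
    for i in range(0x400):
        ram[i] = 0


def write_axe(ram: bytearray) -> None:
    """WRITE_AXE: 16 bytes copied from the PLCOL_AXE dw table (V25 is little-endian)."""
    table = b"".join(w.to_bytes(2, "little") for w in PLCOL_AXE)
    ram[PAL_OFFSET:PAL_OFFSET + len(table)] = table


def start_func(ram: bytearray) -> None:
    """START_FUNC: cw=16*3 bytes of MESS_ST copied to the start-function write buffer."""
    ram[MSG_OFFSET:MSG_OFFSET + len(MESS_ST)] = MESS_ST


def security_cpu_boot() -> bytes:
    """Everything the daughter card writes; per the post it then idles forever."""
    ram = bytearray(SHARED_RAM_SIZE)
    work_ram_clr(ram)
    write_axe(ram)
    start_func(ram)
    return bytes(ram)


def main_cpu_check(ram: bytes, expected: bytes = MESS_ST) -> bool:
    """Assumed model of the main CPU wait loop: a plain compare against a constant."""
    return ram[MSG_OFFSET:MSG_OFFSET + len(expected)] == expected


def handshake_is_static(boots: int = 5) -> bool:
    """True when every boot produces a byte-identical page: no nonce, no challenge."""
    first = security_cpu_boot()
    return all(security_cpu_boot() == first for _ in range(boots - 1))


def find_secret_in_rom(rom: bytes, secret: bytes = MESS_ST) -> int:
    """Design-review check: offset of the expected string inside an (unencrypted)
    main CPU ROM image, or -1.  A value the checker must hold verbatim is not a secret."""
    return rom.find(secret)


if __name__ == "__main__":
    page = security_cpu_boot()
    print("main CPU accepts page:", main_cpu_check(page))
    print("page identical on every boot:", handshake_is_static())
    # constructed stand-in for a main CPU ROM that embeds its compare string in plaintext
    fake_rom = b"\x00" * 0x100 + MESS_ST + b"\xff" * 0x100
    print("expected string found in main ROM at:", hex(find_secret_in_rom(fake_rom)))
```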
    • Asure wrote:

      Soon I will be releasing a set of ROMs to bypass a broken security daughter card on your Golden Axe 2.
      As a proof of concept, I started to look into this a few days ago, and it turned out really easy.
      Sega used a very lazy assembler, programmer, QA checker and what have you. Read below to find out how botched up the Golden Axe 2 release was.

      I did this in October, around the 10th, and shared the info with a few people. On Oct 21st, the info ended up on TCRF.net.
      Maybe a coincidence. Whoever posted there please come forward where you found this. (Rabidrabid, who are you?)

      ROMs will be released around Christmas, just like I did last year with the Espgaluda score save mod. Have patience :)

      Preface
      Let's explain a bit about GA2 and the security daughter card. It has a NEC V25 CPU on it, some RAM, a ROM (already dumped) and sits on the bus. It is designed to stop bootleggers. Sega had lots of games heavily bootlegged, and they lost revenue because of this. Previous platforms have battery-backed 68K main CPUs with encryption tables that helped deter bootleggers for a looong time. Some of the System32 games have FD1149 solutions on them which today are still not fully understood. What went wrong with Golden Axe 2? It is a top-tier title with a strong IP that should be properly protected, right?

      Bootup
      The main CPU can 'talk' to the daughter card via shared RAM. When the game boots, the main CPU and the secure V25 CPU start up. The game waits for some magic string to appear in RAM, otherwise the main CPU code will stay in a loop. Other than that, there is also some sprite data read from shared RAM. If the daughter card dies, the game won't start. If you bypass the magic string check, the sprites will look like they are on LSD. Seems decent enough, right?

      Flaws
      - Main CPU code not encrypted.
      - Expected string can be seen in main CPU code ROMs. (oops.)
      - Expected palettes may be guessed or even brute forced.
      - Hardware emulation in 1992 could have seen the content of the encrypted CPU's RAM.

      The attack
      The game has been fully emulated in MAME for a long time. Source code is available. The game wants a 'WAKE UP! ...' string or it won't boot.
      The secure CPU is also fully emulated. There is just some simple opcode obfuscation going on, nothing serious. (First obvious sign of laziness: obfuscation is not security.)
      I started to look at the RAM space for the encrypted CPU to see what the game put there, and what the security CPU was doing. It soon became clear this was going to be a boring job.

      - The security CPU creates a page of static data in the shared RAM.
      - Nothing ever changes in this shared RAM.
      - Then it sits there idle. Doing nothing.

      This could be easier than I thought.

      Stupid assembler
      I went to look at the ROM to see if I was missing any code that the security board might jump to in special cases. There could be some triggers or events I had missed in the main CPU.
      Disassembling the obfuscated ROM would allow me to see any such hidden surprises. I was really hoping for some kind of a surprise. But not like what I found.
      I saw a big issue. Sega had used an assembler that was super sloppy. It had produced a ROM and filled the emptiness with 'random data' from the PC/disk/RAM.
      Except it had picked the source code of the V25 encrypted program. Not scrambled. Nicely formatted too.

      Removed, post over 10.000 chars. Available on request :)


      So, whoever assembled this using uPD70320 Assembler V3.10 in SEC mode on 01 Sep 92 12:30:49 on a PC98 with nickname ARAMAWARI made no QA effort.
      Also, another lazy sign: they re-used partial Arabian Fight routines, which could help de-obfuscate the sec CPU on that one; the emulation is not 100% on that game yet.

      Work done so far:
      - Moved the sprite table into ROM
      - Bypassed security string
      - Tested on real hardware (see here.)

      Todo:
      - Document the ROM types if you want to convert, say, F1 Super Lap.
      - De-obfuscate the Arabian Fight sec board?
      - Add AF sec emulation to MAME?
      - Do the actual Xmas release :)

      I wanted to play Titanfall 2 but wrote this goddamn wall of text... :awe:
      And yes, there's a similar situation in Arabian Fight's sec board ROM, but there is a lot less source.
      Great stuff as usual Asure. I think this deserves its own section. Definitely a must know for all system32 fans. What would you release exactly? Romsets that will work in any system32 PCB?

      I'm glad to see this happening :thumbsup: :thumbsup: :thumbsup:
      * Arcade-projects, the site where you get the most of your arcade games.
      * If you want Drama go to Neo-Geo forum ---Darksoft
    • I will release a set of program roms and information how to make a conversion from say, F1 super lap.

      This is not a cheap conversion to do. Off the top of my head, 4x 27C080, 2x 27C1024, 8x 27C160 (or 27C322) + the cost of a ROM board/donor. Bordering on $200 when an original is $250 on average.
      It's useful if you have ROM boards around. The game itself is not a really great belt scroller, but Spiderman and this are the most decent releases on this platform.
      If you want to support me, sign up for Dropbox by using db.tt/05qkhkFLVC. This gets you and me an extra 500MB for hosting roms, or other arcade related files :)
    • Asure wrote:

      The game itself is not a really great belt scroller, but Spiderman and this are the most decent releases on this platform.
      Indeed, I still own a Spider-man System32... But I traded my USA Golden Axe 2 for a CPS3 (Darksoft SuperBIOS) setup, and now I need to remedy this/get another one. ;)
      BTW, you want to talk expensive conversions? I paid $350 for a Galaga '88, then another $150 to convert it into Splatterhouse... WORTH IT, that game is freaking awesome!

      Miss you GA2 :(
      Darksoft: CPS3, CPS2, F3, MVS
      RGB: RECO v2, HAS v3
      invzim: Jammafier v1.6b
      XianXi: JNX Raiden, SC Taito Classic, SC Sega System 16/24
      Frank_fjs: JAMMA Extender (Special Edition)


    • jassin000 wrote:

      Asure wrote:

      The game itself is not a really great belt scroller, but Spiderman and this are the most decent releases on this platform.
      Indeed, I still own a Spider-man System32... But I traded my USA Golden Axe 2 for a CPS3 (Darksoft SuperBIOS) setup, and now I need to remedy this/get another one. ;) BTW, you want to talk expensive conversions? I paid $350 for a Galaga '88, then another $150 to convert it into Splatterhouse... WORTH IT, that game is freaking awesome!

      Miss you GA2 :(

      Wow I didn't know you could convert a Galaga into Splatter House 2 so easily?

      Maybe you want to showcase your conversion in a thread? :whistling:
      * Arcade-projects, the site where you get the most of your arcade games.
      * If you want Drama go to Neo-Geo forum ---Darksoft
    • Darksoft wrote:

      Maybe you want to showcase your conversion in a thread?
      I kinda showed it off in my Vewlix to JAMMA and beyond thread...
      Truth is I didn't make it, or I would have been bragging about it more. ;)
      You actually know the person who made it for me, but I was told not to advertise that he makes conversions so I can't name drop.

      What a strange world "hard core" arcade gaming can be huh?
      Just look at Arcade-Otaku's rules... Can't sell more than X conversions a year...
      Uh guys I love your site and everything, but I'll sell whatever the fuck I please, and fuck you for telling me otherwise (Jason is done with AO now)!
      Darksoft: CPS3, CPS2, F3, MVS
      RGB: RECO v2, HAS v3
      invzim: Jammafier v1.6b
      XianXi: JNX Raiden, SC Taito Classic, SC Sega System 16/24
      Frank_fjs: JAMMA Extender (Special Edition)
    • jassin000 wrote:

      BTW, you want to talk expensive conversions? I paid $350 for a Galaga '88, then another $150 to convert it into Splatterhouse... WORTH IT, that game is freaking awesome!
      Paid around the same price for my Galaga '88

      Darksoft wrote:

      Wow I didn't know you could convert a Galaga into Splatter House 2 so easily?

      jassin000 wrote:

      I kinda showed it off in my Vewlix to JAMMA and beyond thread...
      Truth is I didn't make it, or I would have been bragging about it more.
      You actually know the person who made it for me, but I was told not to advertise that he makes conversions so I can't name drop.
      Would also be nice to convert Galaga '88 into Dragon Spirit (if that's even possible that is) :rolleyes: Or give Mike (Vector-Labs) the ability to flash it into his marvelous 4 in 1 Namco kit. This is my pure egoistic greedy end gamer point of view of course (as always!) ^^
      Darksoft: CPS2, ST-V, F3, MVS
      RGB: HAS v2.1
      Undamned: 2x DB15 USB dec
      marqs: OSSC v1.5 (audiomod)
      superg: GSCART switch v3.4
      Vector-Labs: NAMCO SYS1 4 in 1 (vert)
    • K405 wrote:

      Would also be nice to convert Galaga '88 into Dragon Spirit (if that's even possible that is)
      I'm told the problem with Dragon Spirit is it has not been converted properly and this is the reason why it won't run/boot.
      If someone with the skills wants to take a look at it, I'm 99.9% sure we can convert Galaga 88 into DS with a proper set.
      Darksoft: CPS3, CPS2, F3, MVS
      RGB: RECO v2, HAS v3
      invzim: Jammafier v1.6b
      XianXi: JNX Raiden, SC Taito Classic, SC Sega System 16/24
      Frank_fjs: JAMMA Extender (Special Edition)