@brizzo thanks

What would one be looking for?
In general, for games that use this cart type, the easiest way to find where the protection is used is to catch the encrypted data upload to on-cart RAM (in the debugger, set a watchpoint on writes to address 0x5F7008),
then step out of the routine and analyze the following code. In many cases the next thing will be a call to the decrypted-data read routine, sometimes followed by data check/compare code.
Also, at this point you may want to save the whole 32MB RAM dump and then load it in IDA, which makes analysis more comfortable.

In the case of the mentioned game, it will be like this:
run MAME with the debugger enabled: "mame64.exe dybbnao -d -nodrc"
set a watchpoint in the debugger console: "wps 5f7008,1,w"
run the code and wait until the game boots and tries to access the protection.
It will be slow as hell, because we need to run it in the interpreter (-nodrc) to get the debugger features fully working.
And you'll need to wait quite long, coin it, and start the game, because it seems dybbnao does protection checks only during actual gameplay.

Also, this is a very old game; IIRC it is the 2nd game released for NAOMI (the 1st was HOTD2), so I'd imagine it may have a bunch of bugs, which may make it incompatible with the DIMM in one way or another.
So it may be worth checking whether it is at least trying to run via netboot at all.
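The watchpoint above finds the protection access dynamically. As an added example (not code from the post, from MAME or from the game), the Python script below does the static counterpart on the 32MB RAM dump the post suggests saving: SH4 code loads 32-bit constants from literal pools with "mov.l @(disp,PC),Rn", so the address of the on-cart register (0x5F7008, or the 0x5F7000 block base used with a displacement) shows up as a little-endian literal, and the instruction that loads it must sit within 1024 bytes before it. The script finds both, so you can open IDA at the instruction or put a bpset on it. The RAM base address (physical 0x0C000000), the segment views searched (P0 with the MMU off, P1, P2) and the sample dump are assumptions of this example, not facts from the thread.

```python
import struct
from typing import Dict, List, Set, Tuple

# Added example, not code from the post: statically locate, in a NAOMI RAM dump, the SH4 code
# that references the on-cart protection register the post watches (0x5F7008), by finding the
# 32-bit literal in a literal pool and the PC-relative mov.l that loads it.

# SH4 untranslated segments P1 (cached, 0x80000000) and P2 (uncached, 0xA0000000) alias physical
# addresses; P0 (0x00000000) is included on the assumption that the MMU is off on this platform.
SEGMENT_BASES = (0x00000000, 0x80000000, 0xA0000000)
SH4_MOVL_PCREL = 0xD000          # mov.l @(disp,PC),Rn encodes as 1101 nnnn dddd dddd


def literal_hits(dump: bytes, ram_base: int, wanted_phys: Set[int]) -> List[Tuple[int, int]]:
    """Every 4-byte-aligned little-endian word equal to any segment view of a wanted physical
    address. Returns (address_in_ram, value)."""
    wanted = {base | phys for base in SEGMENT_BASES for phys in wanted_phys}
    hits = []
    for off in range(0, len(dump) - 3, 4):
        value = struct.unpack_from("<I", dump, off)[0]
        if value in wanted:
            hits.append((ram_base + off, value))
    return hits


def pcrel_xrefs(dump: bytes, ram_base: int, literal_addr: int) -> List[Tuple[int, int]]:
    """Instructions 'mov.l @(disp,PC),Rn' whose target is literal_addr. Per the SH-4 manual the
    target is (PC & ~3) + 4 + disp*4 with PC = instruction address and disp 8 bits wide, so only
    the 1024 bytes before the literal can reach it. Returns (instruction_address, Rn)."""
    lo = max(ram_base, literal_addr - 0x400) & ~1
    hi = min(ram_base + len(dump) - 1, literal_addr)
    xrefs = []
    for addr in range(lo, hi, 2):
        word = struct.unpack_from("<H", dump, addr - ram_base)[0]
        if (word & 0xF000) != SH4_MOVL_PCREL:
            continue
        disp = word & 0xFF
        if (addr & ~3) + 4 + disp * 4 == literal_addr:
            xrefs.append((addr, (word >> 8) & 0xF))
    return xrefs


def find_protection_xrefs(dump: bytes, ram_base: int,
                          regs: Tuple[int, ...] = (0x5F7008, 0x5F7000)) -> Dict[int, dict]:
    """Map each literal-pool address holding a view of the protection register (or the 0x5F7000
    block base that code may use with a displacement) to its value and the mov.l sites loading it."""
    found = {}
    for lit_addr, value in literal_hits(dump, ram_base, set(regs)):
        found[lit_addr] = {"value": value, "xrefs": pcrel_xrefs(dump, ram_base, lit_addr)}
    return found


# Constructed sample dump (not a real game): 4 KiB of zeros with one mov.l loading the P2 view
# 0xA05F7008 into r1, one decoy mov.l, and one unreferenced literal. The base is an assumption.
SAMPLE_BASE = 0x0C000000
_sample = bytearray(0x1000)
struct.pack_into("<H", _sample, 0x100, 0xD103)       # mov.l @(3*4,PC),r1 -> target 0x104 + 12 = 0x110
struct.pack_into("<H", _sample, 0x102, 0xD204)       # mov.l @(4*4,PC),r2 -> target 0x104 + 16 = 0x114 (decoy)
struct.pack_into("<I", _sample, 0x110, 0xA05F7008)   # literal: uncached view of the protection register
struct.pack_into("<I", _sample, 0x114, 0x12345678)   # decoy literal
struct.pack_into("<I", _sample, 0x200, 0x005F7000)   # block base with no referencing mov.l
SAMPLE_DUMP = bytes(_sample)

if __name__ == "__main__":
    for lit, info in find_protection_xrefs(SAMPLE_DUMP, SAMPLE_BASE).items():
        print(f"literal {info['value']:#010x} at {lit:#010x}")
        for insn, rn in info["xrefs"]:
            print(f"  mov.l @(disp,PC),r{rn} at {insn:#010x}  -> bpset {insn:x}")
```

For a real dump, replace SAMPLE_DUMP with the file written by the MAME debugger's save command (arguments: filename, start address, length) and pass the start address you gave it as ram_base. A literal with no xrefs is not necessarily dead: the base may be loaded once into a register and reused with "mov.l Rm,@(disp,Rn)", which is why 0x5F7000 is searched alongside 0x5F7008.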
 
If you have to ask the questions you're asking, you're missing many pieces of the puzzle needed to do the job.
I want to point out that this is factually inaccurate. It is most certainly one approach to understanding, as a reverse engineer you can certainly appreciate learning new pieces to a puzzle may in fact help you complete it. You don't always have to assemble a puzzle in chronological order in which the pieces were produced.

Having said that, I really appreciate you taking a moment to utter some useful commentary. In the past you folks have chosen to act like @fsckewe or I or many others are simply stupid and unable to grok the things that you do. Personally... I'm no stranger to this sort of mental gymnastics. I've got about 2.5+ decades into writing exploits for a living; massaging memory, fucking around with random unknown assembly, screwing around in GDB and other debuggers simply comes with the territory. I could of course make snarky comments and imply that you could NEVER possibly grok exploitation of dyld stubs to bypass a non-executable stack on x86 OSX, and how that differs from the internals of PowerPC exploitation, but the reality is I have a feeling that with proper guidance I could teach you to write exploits pretty easily. There are lots of parallels in what you guys do here.

https://www.exploit-db.com/papers/13179
https://www.exploit-db.com/exploits/1973
https://www.exploit-db.com/exploits/1962

I'm gonna guess not everyone here was solving Gera's ABO series for fun when they were 16 like @fsckewe and I were.
https://github.com/gerasdf/InsecureProgramming

So thank you for not making this the usual brow beating session that you often do. You almost couldn't resist yourself with this gem though "I don't think there is a practical way to completely answer the questions you're asking. Reverse engineering and patching games is a skill that requires a very deep knowledge on many subjects" (we both know that is a BS response lol, you legit feel too important to explain "simple" things to pleebs). I know it is hard to let other people into your sandbox... thanks for playing along a little this time.

Real talk... we aren't as stupid as you like to act like we are. I may not specialize in the exact areas of reverse engineering that you do, but I'm not dumb, and neither is @fsckewe. We simply don't have as much time staring at this specific problem set as you folks do.

Thanks for your time. I legit appreciate it and hope you don't take this constructive feedback as a jab; I'd like to think we could have spent the last year collaborating and feeding off each other instead of exchanging unnecessary snark.
 

Attachment: D8EBsfDXoAcOkWS.jpg
In general, for games that use this cart type, the easiest way to find where the protection is used is to catch the encrypted data upload to on-cart RAM (in the debugger, set a watchpoint on writes to address 0x5F7008) [...]
Thank you kindly...


So even for NAOMI you use the MAME debugger?
There is a *private* Demul version with a debugger I believe they use as well.
 
No opportunity to talk down to people gets a pass from @brizzo.

The precedent has been set: you gotta listen to his condescension to get the gems.

I mean, I know fuck all about debugging code and mapping memory. Shit is way over my head. :whistling:
 
In general, for games that use this cart type, the easiest way to find where the protection is used is to catch the encrypted data upload to on-cart RAM (in the debugger, set a watchpoint on writes to address 0x5F7008) [...]
Thank you. This is very helpful and should get me started.

You mention DB being an early release that may be buggy. Could you suggest another game (even one that has already been sorted) that would be a better starting point? Perhaps one you recall being less complex than the others?
 
You mention DB being an early release that may be buggy. Could you suggest another game (even one that has already been sorted) that would be a better starting point? Perhaps one you recall being less complex than the others?
marstv? It is known to work via netboot.

You may also check Dynamite Baseball NAOMI yourself: join 4x IC22 (so it will be an 8 Mbyte file), append the IC1-21 data, and netboot it.
If everything is OK, the game should boot to the title screen (as was said, it does protection checks only during gameplay).
Otherwise, if the game just hangs, better drop it and try another game.
 
marstv? It is known to work via netboot. [...]
lol, what...

NAOMI netboot ROMs

and you just had an exchange with @Finisterre about marstv.

I am asking for a suggestion on one that is known to be fixed (there are what, like 80 that currently netboot) that you think would be a better/easier starting point than dbnaomi.
 
I want to point out that this is factually inaccurate. It is most certainly one approach to understanding, as a reverse engineer you can certainly appreciate learning new pieces to a puzzle may in fact help you complete it. You don't always have to assemble a puzzle in chronological order in which the pieces were produced.
Can't agree, mainly because there is no puzzle here.
It is all about the knowledge and skills required to do some task/job.

And much of the required knowledge and skills is generic (not NAOMI specific), like:
- understanding of how microprocessor-based devices are usually designed and how they work
- knowing how CPUs work, and ~1-2 assembly languages
- knowing how to use debuggers
- being able to read docs or the emulator's source code to figure out a device's address map
- knowing how to use IDA
etc. etc.

I'd say, in general, for any RE task, more than 90% of the required skills/intel is generic, and only a small part is platform-specific.
 
Dang, we were so close. I guess I can just concat a dump in MAME and bindiff it to a known working netbootable bin and go from there.

thanks.
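As an added example (not code from either post, and not a tool from the thread), here is a Python script for the two steps discussed: the netboot image build MetalliC describes earlier (four copies of IC22 forming an 8 Mbyte region, then IC1-21 appended in order) and the comparison proposed in the post above (bindiff a concatenated dump against a known working netbootable bin). It reports each chip's offset range, so a differing byte can be attributed to the chip it came from. The 2 MiB IC22 size (so that four copies make 8 MiB), the file naming, and the sample data are assumptions of this example; real mask ROMs are far larger than the 16-byte stand-ins used here.

```python
import sys
from typing import List, Optional, Tuple

# Added example, not the thread's own code. Sizes below follow the post's "4x IC22 = 8 Mbyte"
# statement; everything else about the layout is assumed for illustration.
IC22_COPIES = 4
IC22_REGION = 8 * 1024 * 1024      # four IC22 copies must form exactly an 8 MiB region
MASK_ROM_COUNT = 21                # IC1..IC21 appended in order after the IC22 region


def build_netboot_image(ic22: bytes, mask_roms: List[bytes]) -> bytes:
    """Repeat the IC22 EPROM dump four times, then append IC1..IC21 in order."""
    if IC22_COPIES * len(ic22) != IC22_REGION:
        raise ValueError(f"IC22 is {len(ic22):#x} bytes; {IC22_COPIES} copies must total {IC22_REGION:#x}")
    if len(mask_roms) != MASK_ROM_COUNT:
        raise ValueError(f"expected {MASK_ROM_COUNT} mask ROM dumps (IC1..IC21), got {len(mask_roms)}")
    return ic22 * IC22_COPIES + b"".join(mask_roms)


def chip_layout(ic22: bytes, mask_roms: List[bytes]) -> List[Tuple[str, int, int]]:
    """(name, start, end) offsets of every chip in the built image."""
    parts = [("IC22x4", 0, IC22_COPIES * len(ic22))]
    pos = parts[0][2]
    for i, rom in enumerate(mask_roms, start=1):
        parts.append((f"IC{i}", pos, pos + len(rom)))
        pos += len(rom)
    return parts


def which_chip(offset: int, layout: List[Tuple[str, int, int]]) -> Optional[str]:
    """Name of the chip whose range contains offset, or None if out of range."""
    for name, start, end in layout:
        if start <= offset < end:
            return name
    return None


def diff_ranges(a: bytes, b: bytes, chunk: int = 65536) -> List[Tuple[int, int]]:
    """Contiguous [start, end) ranges where two images differ. Equal chunks are skipped with a
    single slice compare so a multi-megabyte image does not need a Python loop per byte; a
    length mismatch is reported as one trailing range."""
    n = min(len(a), len(b))
    ranges: List[Tuple[int, int]] = []
    start = None
    for c in range(0, n, chunk):
        end = min(c + chunk, n)
        if a[c:end] == b[c:end]:
            if start is not None:
                ranges.append((start, c))
                start = None
            continue
        for i in range(c, end):
            if a[i] != b[i]:
                if start is None:
                    start = i
            elif start is not None:
                ranges.append((start, i))
                start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


# Constructed sample data (not real dumps): IC22 is 2 MiB of 0x22 so four copies make 8 MiB;
# the 21 mask ROM stand-ins are 16 bytes each, filled with their chip number.
SAMPLE_IC22 = bytes([0x22]) * (2 * 1024 * 1024)
SAMPLE_MASK = [bytes([i]) * 16 for i in range(1, MASK_ROM_COUNT + 1)]

if __name__ == "__main__":
    if len(sys.argv) == 2 + 1 + MASK_ROM_COUNT:
        # usage: build.py OUT.bin IC22.bin IC1.bin ... IC21.bin  (file names are an assumption)
        ic22 = open(sys.argv[2], "rb").read()
        roms = [open(p, "rb").read() for p in sys.argv[3:]]
        open(sys.argv[1], "wb").write(build_netboot_image(ic22, roms))
    else:
        image = build_netboot_image(SAMPLE_IC22, SAMPLE_MASK)
        layout = chip_layout(SAMPLE_IC22, SAMPLE_MASK)
        other = bytearray(image)
        other[IC22_REGION + 2] ^= 0xFF                  # simulate one differing byte inside IC1
        for start, end in diff_ranges(image, bytes(other)):
            print(f"{start:#010x}-{end:#010x} differs ({which_chip(start, layout)})")
```

Run it with no arguments to see the sample, or with an output path followed by the 22 dump files to build a real image. When diffing against a netbootable bin, a difference that falls inside the IC22x4 region but only in one of the four copies points at a dump or concatenation problem rather than a patch.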
 
There is a *private* Demul version with a debugger I believe they use as well.
I've never seen it, and I only use MAME+IDA

I'd say, in general, for any RE task, more than 90% of the required skills/intel is generic, and only a small part is platform-specific.
This sums up the point I was trying to make -- A few years ago MetalliC asked me to do hardware work on Atomiswave and that is when I started working with SH4. He answered a few questions about PIO/DMA modes, G1/G2 bus differences, some topics specific to AW file system, but otherwise I learned everything else related to SH4 disasm/debugging on my own. There isn't some secret ingredient needed to do these tasks to remove soft protection; people just need to be willing to do the work and learn the skills.


@fsckewe I want to be clear that my comment in the last post was generalized for anyone reading and not an attack on you. Trust me, if I was trying to piss on your parade it would be obvious. Was just trying to give honest advice since you were straight up asking where to start. I implore you to try what I suggested at the end of the post.

@Finisterre One day I hope you can take a look in the mirror and understand how the type of comments in post #144 make you appear
 
This sums up the point I was trying to make [...] There isn't some secret ingredient needed to do these tasks to remove soft protection; people just need to be willing to do the work and learn the skills.

@fsckewe I want to be clear that my comment in the last post was generalized for anyone reading and not an attack on you.
Cool. I was just introduced to the NAOMI platform in like August 2018. And I didn't even start thinking about SH4 until a couple of months ago. We clearly have different starting points in regards to disassembling/debugging knowledge/skill. People learn in different ways and start from various skill levels. I am often reminded some of the content I post here has "already been known/discovered." Yeah, that shit is gonna happen for a while with me.

Trust me, if I was trying to piss on your parade it would be obvious.
looooooool... Let me guess, pissing on my parade isn't worth your time?

Was just trying to give honest advice since you were straight up asking where to start. I implore you to try what I suggested at the end of the post.
If it's not blatantly apparent in my replies I'll say it now: I genuinely appreciate honest advice and replies from you and anyone else who takes the time. My personality does not provide the opportunity to ignore some of the snark and condescending tone. So you are gonna get it right back. Perhaps I'm reading too much into it.
 
looooooool... Let me guess, pissing on my parade isn't worth your time?
I don't see any reason why I would want to?

Perhaps I'm reading too much into it.
110% -- I spent a solid 15 minutes thinking of the best way to try and explain it. I look at my post as trying to be helpful, but some see it as condescending. Problem is I'm trying to summarize a topic that could span several books of my own words into a paragraph or two
 
Can't agree, mainly because there is no puzzle here. It is all about the knowledge and skills required to do some task/job. [...] I'd say, in general, for any RE task, more than 90% of the required skills/intel is generic, and only a small part is platform-specific.
You've actually exactly described a puzzle... lol something that requires knowledge, and skills ;) Even if as simple as knowing that you need to put a piece in a specific spot, and have the skill to physically move your fingers to do it ;)

"many of required knowledge and skills is generic... only small part is platform-specific." Why do you think @fsckewe and I are asking you to stop brow beating us with the common "it takes years blah blah blah" line of BS we often get?

alas we digress. You've been really helpful the past few days. My intent is not to continue down pedantics we often get into...

A few years ago MetalliC asked me to do hardware... He answered a few questions about PIO/DMA modes, G1/G2 bus differences, some topics specific to AW file system, but otherwise I learned everything else related to SH4 disasm/debugging on my own. There isn't some secret ingredient needed to do these tasks to remove soft protection; people just need to be willing to do the work and learn the skills.
@Finisterre One day I hope you can take a look in the mirror and understand how the type of comments in post #144 make you appear
One day brizzo... I hope you realize you are pompous. I'm gonna guess I get more PM's about YOU and your general attitude and tone vs how many you get about me. Again we digress.

See by the way I read what you just wrote, MetalliC shouldn't have even shared detail about PIO / DMA / G1 / G2 differences with you... you should have just gone and you know as you said continued with your skills building and figured it out yourself.

"people just need to be willing to do the work and learn the skills" - maybe you don't have two kids and multiple jobs... some of us do. It isn't about "willing" sometimes. I have to timeslice my few hours very heavily. Again... with the lightweight brow beating implying that because we ask questions, and don't have as much time on the problem set, somehow we are inferior. Some things will never change I guess.

Thanks again for being able to share your precious time with us and educate us on these most basic of things that *obviously* we could figure out on our own if only we were "willing".
 