_______ __ ______ _____ | __|.-----..-----.|__|.----. |__ || \ |__ || _ || || || __| |__ || -- | |_______||_____||__|__||__||____| |______||_____/ ______ __ __ ______ | __ \| |.---.-..-----.| |_ | __| | __ <| || _ ||__ --|| _| | __ | |______/|__||___._||_____||____| |______| (Unencrypted Re-release, works on MOST emulators!) ._*--------------------------------------------------*_. There should be a .NES file in this zip. It is Sonic 3D blast 6. "But that only runs on SmyNES" I hear you say. Normally, that would be true. However SmyNES has some dirty little secrets. Upon inspection the original game ROM appeared to have some banks of data ENCRYPTED! Doing some inspection between Sonic 3D Blast 5 and the Sonic 3D Blast 6 ROM revealed that some of the 16K banks were identical between the two ROMs, while others appeared to contain random data. Attempts to compress each 16K block revealed that only certain blocks would compress. Others were uncompressable. An XOR cypher was tried and it was obvious this is now how it worked. Interestingly, only banks containing code seemd to be affected by the encryption. The banks with data in them were non-encrypted (and unchanged) for the most part. The emulator was downloaded, and some "recon" work was done to figure out how it encrypted its data. Interestingly, the Database file ("game.db") appeared to be encrypted in the same way as the Sonic ROM banks was. This gave a good starting point. The SmyNES emulator claims to be written in "100% Assembly", but this is not true. The EXE file is compressed using UPX, and when uncompressed it is 2.8 megs or so. The UPX header data was munged so it couldn't be un-UPX'd. Some l33t tools were imployed to fix this and capture the uncompressed EXE. Inspecting the file reveals it to be written in Borland Builder using Delphi and/or C++. Exhibit A: 000F:5A20 53 4F 46 54 57 41 52 45-5C 42 6F 72 6C 61 6E 64 SOFTWARE\Borland 000F:5A30 5C 44 65 6C 70 68 69 5C-52 54 4C 00 46 50 55 4D \Delphi\RTL.FPUM 000F:5A40 61 73 6B 56 61 6C 75 65-00 00 00 00 DB E3 9B D9 askValue........ 000F:8110 5C 42 6F 72 6C 61 6E 64-5C 4C 6F 63 61 6C 65 73 \Borland\Locales 000F:8120 00 00 00 00 53 6F 66 74-77 61 72 65 5C 42 6F 72 ....Software\Bor 000F:8130 6C 61 6E 64 5C 44 65 6C-70 68 69 5C 4C 6F 63 61 land\Delphi\Loca 000F:8140 6C 65 73 00 00 00 00 00-E8 0B 00 00 00 C3 90 90 les............. 0010:99C0 42 6F 72 6C 61 6E 64 20-43 2B 2B 20 2D 20 43 6F Borland C++ - Co 0010:99D0 70 79 72 69 67 68 74 20-31 39 39 39 20 49 6E 70 pyright 1999 Inp 0010:99E0 72 69 73 65 20 43 6F 72-70 6F 72 61 74 69 6F 6E rise Corporation Also, it appears the emulator has a "Drop Dead" date at which it will no longer run. The error message for this can be seen below: Exhibit B: 0010:C570 00 00 2A 2E 2A 00 5C 00-2E 00 4E 45 53 00 4E 45 ..*.*.\...NES.NE 0010:C580 5A 00 46 44 53 00 00 50-6C 65 61 73 65 20 72 65 Z.FDS..Please re 0010:C590 67 69 73 74 65 72 2C 20-74 68 61 6E 6B 27 73 21 gister, thank's! 0010:C5A0 21 21 00 57 61 72 6E 69-6E 67 00 00 00 54 68 65 !!.Warning...The 0010:C5B0 20 64 61 74 65 20 69 73-20 65 78 70 69 72 65 64 date is expired 0010:C5C0 2C 20 70 6C 65 61 73 65-20 64 6F 77 6E 6C 6F 61 , please downloa 0010:C5D0 64 20 74 68 65 20 6E 65-77 65 72 20 76 65 72 73 d the newer vers 0010:C5E0 69 6F 6E 21 21 21 00 57-61 72 6E 69 6E 67 00 5C ion!!!.Warning.\ Ho, Ho, Ho! Whats this?! Exhibit C: 0012:7310 3A 7D 52 00 01 00 00 00-6C 69 62 64 65 73 20 76 :}R.....libdes v 0012:7320 20 34 2E 30 31 20 2D 20-31 33 2D 4A 61 6E 2D 31 4.01 - 13-Jan-1 0012:7330 39 39 37 20 2D 20 65 61-79 00 44 45 53 20 70 61 997 - eay.DES pa 0012:7340 72 74 20 6F 66 20 53 53-4C 65 61 79 20 30 2E 36 rt of SSLeay 0.6 0012:7350 2E 36 20 31 34 2D 4A 61-6E 2D 31 39 39 37 00 69 .6 14-Jan-1997.i 0012:7360 64 78 00 63 69 73 63 00-34 00 69 6E 74 00 6C 6F dx.cisc.4.int.lo 0012:7370 6E 67 00 64 65 73 28 25-73 2C 25 73 2C 25 73 2C ng.des(%s,%s,%s, 0012:7380 25 73 29 00 01 01 02 02-04 04 07 07 08 08 0B 0B %s)............. Paydirt. We know now that the emulator is using DES (Data Encryption Standard) to store the encrypted things (the database and the sections of the Sonic ROM). A memory viewer program was rounded up and used to dump sections of the PC computer's memory. The emulator only runs the game for 5 minutes (all the while showing "DEMODEMO" over the MIDDLE of the fucking screen, making it impossible to play. After 5 minutes, it unloads the ROM data and game data base. The memory was snagged 5 seconds before the emulator reset :) As was surmised, the ROM code was sitting there waiting for someone to save it to disk. After doing so, it was found that the ROM had some "strange" things happening in it! Specifically, odd writes and reads to NES memory before the game's real init routine. It loaded code into NES RAM, and ran it from there, jumping back to $F500 which was wrong (and caused a crash on the test emulator.) A quick patchout of $F500 to the correct address fixed this. Exhibit D: The ROM image in this .ZIP file. It now runs on most emulators that support the common MMC3 mapper. ._*--------------------------------------------------*_. Endgame: Seems that the SmyNES author is trying to play a ruse on people to reg his shitty emulator. Why he would say it was written in 100% assembly when in fact it isn't, doesn't make much sense. Who cares what it is written in so long as it works? Also, why would he have to stoop to such low levels to: a) ENCRYPT a fucking MMC3 ROM so it ONLY works on his emulator and can never run on a real NES or any other emulator, b) use a non-standard mapper number (257) which is against the ines "standard", and the extra bit uses the Vs. unisystem designator bit, so the ROM of course craps out on most other emulators. They think it's mapper 1 and it's a Vs. unisystem ROM! of course, the "mapper" is bogus here since the game turned out to be MMC3 (mapper 4) after all, c) and Put "DEMODEMO" over the top of the playing screen, right in the middle and only let you play it for 5 minutes. I mean, sheesh! Not like there aren't 20 billion other emulators in existance that are free, and dare I say, better than this one. d) DES encrypt the game database (prolly stolen from GoodNES or similar anyways)? BTW a slice of the database appears at the end of this file. e) Maybe it should be "LieNES" instead of "SmyNES"? - Well I gotta get back to herding my sheep and milking the goats down here in Funny Mexico, so enjoy this NES file on your emulator of choice, and remember: hacking up NES ROMs so they only work on your emu, and so you can get registrations is Not Nice. Friend is visiting. You gotta listen since he is really quiet. Us tested some more ROMS that the SmyNES author released at the same time. Hmm, they use weird mappers too. Maybe Guido will have to see if they use encryption too. They are: Y2K Pikachu - A hack of Felix the Cat Duobao Xiao Yinghao - Guangming yu Anhei Chuanshuo Yongzhe Dou Elong - These are Chinese translations of the DQ games I belive. Yongzhe Dou Elong - Dragon Quest 5 Yongzhe Dou Elong - Dragon Quest 7 Chu Han Zhengba - The War between Chu and Han Bingkuang Jidanzi - Flighty Chicken - An egg simulator? Seems to be. Yinhe Shidai - FF1 in Chinese. Yuzhou Zhanjiang - Space General - FF2 in Chinese. Zhanguo Qunxiong Zhuan Jijia Zhanshi Xingji Wushi - Super Fighter Shuihu Zhuan Sonic 3D Blast 6 - A decent sonic clone. Yang Jiajiang - Yang's Troops Dongfang de Chuanshuo - The Hyrule Fantasy - Zelda (Chinese) ._*--------------------------------------------------*_. Refs: Database piece: 0000:AE10 01 00 00 00 12 00 00 00-41 64 76 65 6E 74 75 72 ........Adventur 0000:AE20 65 73 20 6F 66 20 4C 6F-6C 6F 00 A2 2A 00 00 00 es of Lolo..*... 0000:AE30 01 00 00 00 18 00 00 00-83 41 83 68 83 78 83 93 .........A.h.x.. 0000:AE40 83 60 83 83 81 5B 83 59-83 49 83 75 83 8D 83 8D .`...[.Y.I.u.... 0000:AE50 00 C5 C7 EF 2A 00 00 00-01 00 00 00 18 00 00 00 ....*........... 0000:AE60 C7 7C C7 C5 C7 D5 C7 EF-C7 BD C7 DF C6 E3 C7 B6 .|.............. 0000:AE70 C7 A6 C7 D2 C7 E9 C7 E9-00 38 2E 30 1A 00 00 00 .........8.0.... 0000:AE80 01 00 00 00 0A 00 00 00-31 39 39 30 2E 30 31 2E ........1990.01. 0000:AE90 30 36 00 25 40 07 8C 01-38 71 8A 01 10 00 00 00 06.%@...8q...... 0000:AEA0 10 00 00 00 1B 00 00 00-01 00 00 00 0A 00 00 00 ................ 0000:AEB0 31 39 39 30 2E 31 31 2E-32 39 00 00 36 00 00 00 1990.11.29..6... 0000:AEC0 01 00 00 00 24 00 00 00-46 75 73 68 69 67 69 6E ....$...Fushigin 0000:AED0 61 20 42 6C 6F 62 79 3C-20 2D 20 42 6C 6F 62 61 a Bloby< - Bloba 0000:AEE0 6E 69 61 20 6E 6F 20 4B-69 6B 69 3E 00 00 00 00 nia no Kiki>.... 0000:AEF0 22 00 00 00 01 00 00 00-10 00 00 00 82 D3 82 B5 "............... 0000:AF00 82 AC 82 C8 83 75 83 8D-83 72 81 5B 00 00 00 00 .....u...r.[.... - game list above taken from "JAPAN": http://adam.spu.edu/~nixon/ (posted on 5/12/00) ._*--------------------------------------------------*_. ________ ____ ________ \______ \ ____ ____ / _ \ \______ \ __ __ _____ ______ | | \ / _ \_/ ___\ > _ ) \___ / <_\ \/ | ` \ | / Y Y \ |_> > /_______ /\____/ \___ > \_____\ \ /_______ /____/|__|_| / __/ \/ \/ \/ \/ \/|__| ._*----------------------BY--------------------------*_. ___ ___ ___ /\__\ /\ \ _____ /\ \ /:/ _/_ \:\ \ ___ /::\ \ /::\ \ /:/ /\ \ \:\ \ /\__\ /:/\:\ \ /:/\:\ \ /:/ /::\ \ ___ \:\ \ /:/__/ /:/ \:\__\ /:/ \:\ \ /:/__\/\:\__\ /\ \ \:\__\ /::\ \ /:/__/ \:|__| /:/__/ \:\__\ \:\ \ /:/ / \:\ \ /:/ / \/\:\ \__ \:\ \ /:/ / \:\ \ /:/ / \:\ /:/ / \:\ /:/ / ~~\:\/\__\ \:\ /:/ / \:\ /:/ / \:\/:/ / \:\/:/ / \::/ / \:\/:/ / \:\/:/ / \::/ / \::/ / /:/ / \::/ / \::/ / \/__/ \/__/ \/__/ \/__/ \/__/ ._*EOF*_.