The list for Encrypted CPU prevented from hacking ROM

Post by ShimaPong »

In 0.101u1, the memory system update limited ROM hacking via the cheat engine in several games that use an encrypted CPU. This is the list of games whose ROM code is affected by an encrypted CPU.

You can poke an operand but never poke an opcode. For example: in the case of "jr z,$1234" at $1200 on a Z80, you can change the jump address yourself, but you can never directly change "jr z" to "jr", "jp", "ret" etc. In 0.101u1 or earlier, full hacking was possible, though you need to note that opcodes and operands live in different ROM regions. Several "Non-Encrypted" sets exist and allow full hacking in the latest MAME, though.

Games based on an encrypted Z80 CPU

4dwarrio [system1.c]
astrofl [segasyse.c]
block, blockj, blockjoy, blockbl [mitchell.c]
blockgal [system1.c]
buckrog, zoom909 [turbo.c]
bullfgt, thetogyu [system1.c]
calorie, calorieb [calorie.c]
cclimber, ccimbrj, ccboot, ccboot2 [cclimber.c]
commando, commandu, commandj, sinvasn, sinvasnb [commando.c]
crush, maketrax, maketrxb, korosuke [pacman.c]
darkmist [darkmist.c]
dorodon, dorodon2 [ladybug.c]
flicky, flickyo [system1.c]
futspy [zaxxon.c]
gardia, gardiab [system1.c]
gigasb, oigas, gigasm2b [freekick.c]
hvymetal [system1.c]
imsorry, imsorryj [system1.c]
ixion [zaxxon.c]
kchampvs, karatevs [kchamp.c]
mrviking, mrvikngj [system1.c]
monster2 [segar.c]
mouser, mouserc [mouser.c]
pbactio3 [pbaction.c]
pengo, pengo2, pengo4, pengob, penta [pacman.c]
pitfall2 [system1.c]
raflesia [system1.c]
razmataz [zaxxon.c]
regulus, reguluso [system1.c]
robowres, robowrb [appoooh.c]
seganinj, ninja, nprinces, nprinco, nprincsb [system1.c]
sindbadm [segar.c]
spatter, ssanchan [system1.c]
spcpostn [angelkds.c]
sscandal, myherok [system1.c]
starfore [senjyo.c]
stinger, stinger2 [wiz.c]
suprloco [suprloco.c]
swat [system1.c]
szaxxon [zaxxon.c]
teddybb, teddybbo [system1.c]
toprollr [yamato.c] *Encrypted ROM is banked so that you can hack fully if a code on $c000-$ffff (See invincibility code)
treahunt [jack.c]
ufosensi [system1.c]
upndown [system1.c]
wmatch [system1.c]
wbml, wbmljo [system1.c]
wboy, wboyo, wboy2, wboy3, wboysys2 [system1.c]
yamato, yamato2 [yamato.c]
zaxxonb [zaxxon.c]

...Maybe encrypted CPU, but non-working
dakkochn [system1.c]
fantzn2 [segasyse.c]
opaopa [segasyse.c]

Games based on an encrypted M6809 CPU

circusc, circusc2, circusc3, circuscc, circusce [circusc.c]
finalizr, finalizb [finalizr.c]
gyruss, gyrussce, venus [gyruss.c] *CPU2
hyperspt, hpolym84 [hyperspt.c]
jailbrek, manhatan [jailbrek.c]
junofrst, junofstg [junofrst.c]
megazone, megazona, megazonb, megazonc, megaznik [megazone.c]
roadf, roadf2 [hyperspt.c]
rocnrope, rocnropk [rocnrope.c]
sbasketb, sbasketo [sbasketb.c]
trackfld, trackflc, hyprolym, hyprolyb, atlantol [trackfld.c]
Games based on an encrypted M6502 CPU

btime, btime2, btimem, cookrace [btime.c]
lnc [btime.c]
brubber, bnj, caractn [btime.c]
disco, discof [btime.c]
shootout, shootouj, shootoub [shootout.c]

All DECO Cassette System games [decocass.c] *ROM hacking is possible by poking the code once it has been loaded into the RAM region.
The above list is incomplete.

Post by ShimaPong »

<< ROM hacking impossible >>
You can NEVER poke program code (opcode or operand) via the current cheat engine. A lot of games based on Sega System 16A, 16B, 18, X-board and segaorun, which use an encrypted 68000 CPU, are affected.

abcop [segaxbd.c]
aceattck [segas16b.c]
afighter [segas16a.c]
alexkid1 [segas16a.c]
aliensy2, aliensy1, aliensy3 [segas16a.c/segas16b.c]
altbeaj3, altbeaj1 [segas16b.c]
astorm, astorm3, astormu, astormj [segas18.c]
aurail1, aurailj [segas16b.c]
bayroute, bayroutj [segas16b.c]
bloxeed [segas18.c]
cltchitr, cltchtrj [segas18.c]
cotton, cottonu, cottonj [segas16b.c]
ddcrew, ddcrewu, ddcrew2, ddcrew1, ddcrewj [segas18.c]
ddux [segas16b.c]
desertbr [segas18.c]
dunkshot [segas16b.c]
eswat, eswatu, eswatj [segas16b.c]
fpoint, fpoint1 [segas16b.c]
goldnaxu, goldnaxj, goldnax3, goldnax1 [segas16b.c]
gprider, gprider1 [segaxbd.c]
lghost, lghostu [segas18.c]
loffire, loffireu, loffirej [segaxbd.c]
mwalk, mwalku, mwalkj [segas18.c]
mvp, mvpj [segas16b.c]
passsht, passshta, passshtj [segas16b.c]
pontoon [segas18.c]
rachero [segaxbd.c]
ryukyu [segas16b.c]
sdi, defense, sdib [segas16a.c/segas16b.c]
shangon3, shangon2, shangon1 [segaorun.c]
shinobi1, shinobi2 [segas16a.c/segas16b.c]
sjryuko, sjryuko1 [segas16a.c/segas16b.c]
smgp, smgp6, smgp5, smgpu, smgpu1, smgpu2, smgpu3, smgpj [segaxbd.c]
sonicbom [segas16b.c]
tetris, tetris3, tetris2, tetris1 [segas16a.c/segas16b.c]
thndrbld [segaxbd.c]
timesca1 [segas16.c]
toutrun, toutrun2, toutrun1 [segaorun.c]
wb34, wb33, wb32, wb31 [segas16a.c/segas16b.c]
wrestwa2, wrestwa1 [segas16b.c]
wwallyj, wwallyja [segas18.c]

Post by ianpatt »

Thanks for the list, but all of these problems are caused by use of the new decrypted CPU memory system (memory_set_decrypted_region and related functions). Right now there is no API set up for writing to these regions, so there isn't any way for the cheat engine to modify the data there. I plan to create an API for this at some point in the future, but first there are some higher-priority issues to complete (primarily the UI rewrite).

Luckily, most of these drivers use static encryption - the code is decrypted once when the game starts up, and it never changes. However, the FD1094 games are dynamic, so there are actually several different sets of decrypted opcodes. This may cause instability when doing a ROM hack, for example:

1. CPU is initialized and set to state 0
2. VBlank is reached and cheat engine patches the ROM
3. CPU changes to state 1, redecrypting all of the opcodes and wiping out the ROM patch
4. CPU executes the unpatched opcodes
5. VBlank is reached and cheat engine repatches the ROM
6. CPU executes the patched opcodes

There isn't anything I can do about this short of driver-specific hacks that don't belong in the MAME core.
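A toy model of the mechanism both posts describe, added here as an example; it is not MAME source and not code from either poster. It reproduces the split ShimaPong relies on (opcode fetches read a separately decrypted copy of ROM, operand fetches read the raw ROM, and the cheat engine can only write the raw ROM) and then replays ianpatt's six-step FD1094 timeline. Everything in it is assumed: the cipher is a single XOR key rather than any real Sega, Konami or FD1094 scheme, the instruction set is a made-up three-instruction subset, the program bytes are constructed test data, and all function names are hypothetical. memory_set_decrypted_region is mentioned in comments only as the real MAME function the toy `decrypted[]` array stands in for.

```c
/* Added example (not MAME source): a toy model of the split opcode/operand
 * memory system this thread describes. Opcode fetches read a separately
 * decrypted copy of ROM; operand fetches read the raw ROM. The cipher is a
 * single XOR key (NOT the real Sega/Konami/FD1094 algorithm), the ISA is a
 * made-up 3-instruction subset, and every function name here is hypothetical. */
#include <stdint.h>
#include <string.h>

#define ROM_SIZE 8
#define KEY      0xA5   /* toy opcode key; only opcode bytes are encrypted in ROM */

/* Toy ISA: 0x10 aa = JMP aa ; 0x20 aa = JZ aa (taken when zflag) ; 0x30 = RET */
enum { OP_JMP = 0x10, OP_JZ = 0x20, OP_RET = 0x30 };

typedef struct {
    uint8_t rom[ROM_SIZE];       /* raw image: encrypted opcodes, plaintext operands */
    uint8_t decrypted[ROM_SIZE]; /* what memory_set_decrypted_region points the CPU at */
    int     state;               /* FD1094-style state; static schemes never leave 0 */
} machine_t;

/* Rebuild decrypted[] from the raw ROM. Drivers do this once at boot for
 * static schemes; FD1094 drivers do it again on every state change. In the
 * real chip the state selects different keys; the toy keeps one key and only
 * reproduces the effect that matters here: a rebuild discards any poke that
 * lived only in decrypted[]. (Operand bytes get XORed too, but they are never
 * read from decrypted[], so that does not matter.) */
static void redecrypt(machine_t *m, int state) {
    m->state = state;
    for (int a = 0; a < ROM_SIZE; a++) m->decrypted[a] = m->rom[a] ^ KEY;
}

/* Program (constructed test data): 00 JZ 06 ; 02 JMP 04 ; 04 RET ; 06 RET */
static void load_program(machine_t *m) {
    memset(m, 0, sizeof *m);
    m->rom[0] = OP_JZ  ^ KEY; m->rom[1] = 0x06;
    m->rom[2] = OP_JMP ^ KEY; m->rom[3] = 0x04;
    m->rom[4] = OP_RET ^ KEY;
    m->rom[6] = OP_RET ^ KEY;
    redecrypt(m, 0);
}

static uint8_t fetch_opcode (const machine_t *m, int pc) { return m->decrypted[pc]; }
static uint8_t fetch_operand(const machine_t *m, int pc) { return m->rom[pc + 1]; }

/* Execute one instruction; returns the next PC, -1 on RET, -2 on an illegal opcode. */
static int step(const machine_t *m, int pc, int zflag) {
    switch (fetch_opcode(m, pc)) {
    case OP_JMP: return fetch_operand(m, pc);
    case OP_JZ:  return zflag ? fetch_operand(m, pc) : pc + 2;
    case OP_RET: return -1;
    default:     return -2;
    }
}

/* The cheat engine of the thread: it can write the ROM region but has no
 * API for the decrypted region. */
static void cheat_poke_rom(machine_t *m, int addr, uint8_t v) { m->rom[addr] = v; }
/* What a decrypted-region API (or the older engine ShimaPong describes, where
 * the opcode region was separately pokeable) would do. */
static void cheat_poke_opcode(machine_t *m, int addr, uint8_t v) { m->decrypted[addr] = v; }

/* ShimaPong's point: an operand poke takes effect, an opcode poke does not. */
static int demo_operand_patch(void) {
    machine_t m; load_program(&m);
    cheat_poke_rom(&m, 1, 0x04);          /* change the JZ target 06 -> 04 */
    return step(&m, 0, 1);                /* Z set: jumps to the patched target, 4 */
}
static int demo_opcode_patch_ignored(void) {
    machine_t m; load_program(&m);
    cheat_poke_rom(&m, 0, OP_JMP);        /* try to turn JZ into JMP via the ROM region */
    return step(&m, 0, 0);                /* opcode fetch still sees JZ; Z clear -> 2 */
}

/* ianpatt's six-step FD1094 timeline. Fills trace[] with the opcode the CPU
 * actually executes at address 0 in steps 4 and 6. */
static void demo_fd1094_timeline(uint8_t trace[2]) {
    machine_t m; load_program(&m);        /* 1. CPU initialised, state 0 */
    cheat_poke_opcode(&m, 0, OP_JMP);     /* 2. VBlank: engine patches the opcode */
    redecrypt(&m, 1);                     /* 3. state change rebuilds decrypted[] */
    trace[0] = fetch_opcode(&m, 0);       /* 4. the unpatched JZ runs */
    cheat_poke_opcode(&m, 0, OP_JMP);     /* 5. VBlank: engine re-patches */
    trace[1] = fetch_opcode(&m, 0);       /* 6. the patched JMP runs */
}
```

The two `demo_*_patch` functions are the "poke an operand but never an opcode" rule in miniature: the operand byte is read straight from `rom[]`, so a poke there changes control flow, while the opcode byte is read from `decrypted[]`, which the engine never writes. `demo_fd1094_timeline` shows why a decrypted-region API alone would not be enough for dynamic schemes: any write that lives only in `decrypted[]` survives exactly until the next `redecrypt`, so the CPU alternates between patched and unpatched code depending on where the state change falls relative to VBlank.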