Difference between revisions of "Mega Drive Unlicensed Game Emulation Notes"
From Sega Retro
(when a clean dump comes I'll add the registers) |
ValleyBell (talk | contribs) (added Thunderbolt II, Hei Tao 2: Super Big 2, added details for 16 Zhang Ma Jiang and 777 Casino) |
||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
:''TODO: Is there a better category? And I have to add everything =P (plus ROM addresses, SRAM specifics, etc.)'' | :''TODO: Is there a better category? And I have to add everything =P (plus ROM addresses, SRAM specifics, etc.)'' | ||
− | Unlike official Mega Drive games, unlicensed games usually have copy protection schemes, SRAM mapping oddities, or other hardware quirks that emulator authors should take note of if they want their emulators to work with these games. sha1sums of dumps to watch out for are given; '''make sure to only apply the changes on the listed sha1sums!''' Some modifications, such as the present dump of ''[[Jiu Ji Ma Jiang II: Ye | + | Unlike official Mega Drive games, unlicensed games usually have copy protection schemes, SRAM mapping oddities, or other hardware quirks that emulator authors should take note of if they want their emulators to work with these games. sha1sums of dumps to watch out for are given; '''make sure to only apply the changes on the listed sha1sums!''' Some modifications, such as the present dump of ''[[Jiu Ji Ma Jiang II: Ye Yan Bian]]'', may not react kindly to these custom modifications (in this particular case, the register check's conditional branches are ''reversed'', meaning the game will fail if the registers match); in other cases (as with many ROMs marked [f] in the [[GoodGen]] set), the changes are simply not needed. |
Note that at present, no unlicensed game is known to use Sega's standard checksum routine, so checksum fixing should NOT be done to these games (especially since some, for example ''[[Aq Renkan Awa]]'', are known to store code at $18E). | Note that at present, no unlicensed game is known to use Sega's standard checksum routine, so checksum fixing should NOT be done to these games (especially since some, for example ''[[Aq Renkan Awa]]'', are known to store code at $18E). | ||
Line 208: | Line 208: | ||
|- | |- | ||
|[[16 Zhang Ma Jiang]] | |[[16 Zhang Ma Jiang]] | ||
− | | | + | |7857c797245b52641a3d1d4512089bccb0ed5359 |
| | | | ||
− | |$AA ( | + | |$AA (word read; $400003 ignored) |
| | | | ||
− | |$F0 ( | + | |$F0 (word read; $400007 ignored) |
+ | | | ||
+ | *$400002: check at $18EA causes a game over at the end of the round | ||
+ | *$400006: check at $15D4 skips code after putting a tile, affects CPU player? | ||
|- | |- | ||
|[[Elf Wor]] | |[[Elf Wor]] | ||
Line 228: | Line 231: | ||
|$F0 | |$F0 | ||
|The game will fade to black and freeze several seconds into gameplay. Check is at ROM $8BC. | |The game will fade to black and freeze several seconds into gameplay. Check is at ROM $8BC. | ||
+ | |- | ||
+ | |[[Hei Tao 2: Super Big 2]] | ||
+ | |e1e4c439c5c22fa5cfcecaab421c55bf1746b5de | ||
+ | |$55 | ||
+ | | colspan="3"|Read by Z80, written to 68k RAM after winning the 8th match | ||
+ | |Z80 will try to overwrite RAM when winning the 8th (last?) match, crashing the game. | ||
|- | |- | ||
|[[Meng Huan Shui Guo Pan: 777 Casino]] | |[[Meng Huan Shui Guo Pan: 777 Casino]] | ||
− | | | + | |df20a28d03a2cd481af134ef7602062636c3cc79 |
|$55 or $63 | |$55 or $63 | ||
| colspan="3"|Read by Z80, but appear to be unused on either side (TODO) | | colspan="3"|Read by Z80, but appear to be unused on either side (TODO) | ||
− | |Z80 will try to overwrite RAM, which will cause breakage | + | |Z80 will try to overwrite RAM when playing the town theme the 3rd time, which will cause breakage and make the player unable to move. |
|- | |- | ||
− | | [[Mighty Morphin' Power Rangers: The Fighting Edition]] | + | |[[Mighty Morphin' Power Rangers: The Fighting Edition]] |
− | | 25d2d6a5ab20e16b8b42b67e5fb338421b64b29b | + | |25d2d6a5ab20e16b8b42b67e5fb338421b64b29b |
|$55 | |$55 | ||
|$F | |$F | ||
Line 249: | Line 258: | ||
| | | | ||
|It will play a high-pitched beeping sound and refuse to go past the beginning of the title screen. This check is at ROM $123E4. | |It will play a high-pitched beeping sound and refuse to go past the beginning of the title screen. This check is at ROM $123E4. | ||
+ | |- | ||
+ | |[[Thunderbolt II]] | ||
+ | |3dca68795b6c9a16cafa5e71218d5ce83aa465fc | ||
+ | |$55 | ||
+ | | | ||
+ | | | ||
+ | |$F0 | ||
+ | | | ||
+ | *Fail with $400000: It tries to show credits screen instead of playing title music. (Graphics are broken due to the title screen animation continuing to run.) | ||
+ | *Fail with $400006: Player dies on the second hit and goes game over. | ||
+ | *Due to the game copying the values to RAM and checking them later, these PAR codes can defeat the copy protection: FF0082:5500, FF007E:F000 | ||
+ | *related ROM locations are: $0003D6, $000B5E, $000468, $007114 | ||
|- | |- | ||
|[[Ya Se Chuan Shuo]] | |[[Ya Se Chuan Shuo]] |
Latest revision as of 13:12, 1 August 2016
- TODO: Is there a better category? And I have to add everything =P (plus ROM addresses, SRAM specifics, etc.)
Unlike official Mega Drive games, unlicensed games usually have copy protection schemes, SRAM mapping oddities, or other hardware quirks that emulator authors should take note of if they want their emulators to work with these games. sha1sums of dumps to watch out for are given; make sure to only apply the changes on the listed sha1sums! Some modifications, such as the present dump of Jiu Ji Ma Jiang II: Ye Yan Bian, may not react kindly to these custom modifications (in this particular case, the register check's conditional branches are reversed, meaning the game will fail if the registers match); in other cases (as with many ROMs marked [f] in the GoodGen set), the changes are simply not needed.
Note that at present, no unlicensed game is known to use Sega's standard checksum routine, so checksum fixing should NOT be done to these games (especially since some, for example Aq Renkan Awa, are known to store code at $18E).
Contents
- 1 Checklist for keeping track of what I'm doing
- 2 Games With Constant-Value Hardware Registers
- 3 Games That Use Mirrored Memory For Copy Protection
- 4 Games With Rockman X3-style ROM Banking
- 5 Games With Super Donkey Kong 99-style ROM Banking
- 6 All Realtec Games
- 7 Tiny Toon Adventures 3
- 8 Xin Qi Gai Wang Zi
Checklist for keeping track of what I'm doing
To be edited as time goes on. .gen is from GoodGen and .md is from no-intro, with the no-intro names taking precedence (I'll take care of that later)
12-in-1 (Unl) [!].gen 16 Tiles Mahjong (Unl) [b1].gen 16 Tiles Mahjong (Unl).gen 16 Tiles Mahjong (Unl) [h1C].gen 777 Casino (Unl).gen 777 Casino (Unl) [h1C].gen 777 Casino (Unl) [h2C].gen Action 52 (Unl) [a1][!].gen Action 52 (Unl) [b1].gen Action 52 (Unl) [b2].gen Action 52 (Unl) [!].gen Action 52 (Unl) [h1C].gen Action 52 (Unl) [h2C].gen Action 52 (Unl) [h3C].gen Action Replay (Unl) [!].gen Aladdin II (Unl).gen Aq Renkan Awa (Unl).gen Barver Battle Saga - The Space Fighter (Ch) [a1].gen Barver Battle Saga - The Space Fighter (Ch).gen Barver Battle Saga - The Space Fighter (V0.9) (Ch).gen Bible Adventures (Unl) [!].gen Bible Adventures (Unl) [h1C].gen Bug's Life, A (Unl) [f1].gen Bug's Life, A (Unl) [f2].gen Bug's Life, A (Unl) [!].gen Bug's Life, A (Unl) [h1C].gen CDX Pro BIOS V1.70 (Unl) [b1].gen CDX Pro BIOS V1.8I (Unl).gen CDX Pro BIOS V1.8I (Unl) [o1].gen Chaoji Dafuweng (Unl) [!].gen Chess (Unl) [!].gen Chinese Chess (Unl) [b1].gen Chinese Chess (Unl).gen Conquering the World III (Ch-Simple).gen Conquering the World III (Ch-Trad).gen Devilish Mahjong Tower (Unl) [b1].gen Devilish Mahjong Tower (Unl) [b2].gen Devilish Mahjong Tower (Unl) [b3].gen Devilish Mahjong Tower (Unl).gen Dial Q o Mawase! (Unl).gen Dial Q o Mawase! (Unl) [h1C].gen Dial Q o Mawase! (Unl) [T+Chi].gen Divine Sealing (Unl) [!].gen Divine Sealing (Unl) [h1C].gen Divine Sealing (Unl) [h2C].gen Domino (Unl).gen Earth Defend, The (Unl) [b1].gen - not sure what happened here Elf Wor (Unl) [h1C].gen - this is a header hack so still needs the copy protection; IDK if I should throw it in... Exodus (Unl) [!].gen Fengshen Yingjiechuan (Ch).gen Fido Dido (Unl) [b1].gen Fido Dido (Unl).gen FIFA Soccer 2000 Gold Edition (Unl) (M6) [!].gen Fun Car Rally (Unl) [b1].gen Fun Car Rally (Unl).gen Fun Car Rally (Unl) [h1C].gen Fun Car Rally (Unl) [h2C].gen Futbol Argentino 98 - Pasion de Multitudes (Unl).gen Gamtec Magicard (Unl) [!].gen Ghost Hunter (Unl) [b1+C].gen Ghost Hunter (Unl) [b1].gen Ghost Hunter (Unl) [b2].gen Ghost Hunter (Unl).gen Hercules 2 (Unl).gen Hercules (Unl) [!].gen - hack of [[Dahna Megami Tanjou]]; should see if we can find out if it's a Glorysun game or not Iraq War 2003 (Unl).gen Joshua & the Battle of Jericho (Unl) [!].gen King of Fighters '98, The (Unl) [!].gen King of Fighters '98, The (Unl) [p1][!].gen Link Dragon (Unl).gen Link Dragon (Unl) [h1C].gen Lion King 3 (Unl) [f1].gen Lion King 3 (Unl).gen Lion King II, The (Unl) [!].gen Lion King II, The (Unl) [p1][!].gen Magic Girl (Unl) [!].gen Magic Girl (Unl) [h1C].gen Magic Girl (Unl) [t1].gen Mahjong Lover (Unl) [!].gen Mega Bomberman - 8 Player Demo (Unl).gen Mega Bomberman - 8 Player Demo (Unl) [h1C].gen Mega Bomberman - 8 Player Demo (Unl) [h2C].gen Mega Bomberman - 8 Player Demo (Unl) [h3C].gen MK 5 - Mortal Combat - SubZero (Unl) [!].gen MK 5 - Mortal Combat - SubZero (Unl) [p1][!].gen Mulan (Unl) [f1].gen Mulan (Unl) [f2].gen Mulan (Unl) [!].gen Pocket Monsters 2 (Unl) [f1].gen Pocket Monsters 2 (Unl) [!].gen Pocket Monsters (Unl) [a1][f1].gen Pocket Monsters (Unl) [a1][!].gen Pocket Monsters (Unl) [f1].gen Pocket Monsters (Unl) [!].gen Pokemon Crazy Drummer (Unl).gen Pretty Girl Mahjongg (Ch).gen Pretty Girl Mahjongg (Ch) [h1C].gen Pretty Girl Mahjongg (Ch) [h2C].gen Pro Action Replay 2 V2.1 (Unl) [!].gen Pro Action Replay (Unl) [!].gen Rockman X3 (Unl) [b1].gen Rockman X3 (Unl) [b2].gen Rockman X3 (Unl) [f1].gen Rockman X3 (Unl) [!].gen Romance of the Three Kingdoms Part 5 (Ch).gen Sangokushi Retsuden (Ch).gen Sangokushi Retsuden (Ch) [h1C].gen Sangokushi Retsuden (Ch) [h2C].gen Sega Subor System Cartridge (Unl).gen Smart Mouse (Unl) [h1C].gen - this is a header hack so still needs the copy protection; IDK if I should throw it in... Sonic Jam 6 (Unl) [f1].gen Sonic Jam 6 (Unl) [f1][o1].gen Sonic Jam 6 (Unl) [f2].gen Sonic Jam 6 (Unl) [!].gen Sonic Jam 6 (Unl) [p1][!].gen Soul Blade (Unl) [!].gen Spiritual Warfare (Unl) [!].gen Spiritual Warfare (Unl) [h1C].gen Spiritual Warfare (Unl) [h2C].gen Super Chinese Tycoon (Unl) [f1].gen Super Donkey Kong 99 (Unl) [f1].gen Super Donkey Kong 99 (Unl) [!].gen Super Donkey Kong 99 (Unl) [h1C].gen Super King Kong 99 (Unl) [!].gen Super Mario 2 1998 (Unl) [f1].gen Super Mario 2 1998 (Unl) [!].gen Super Mario 2 1998 (Unl) [o1][f1].gen Super Mario 2 1998 (Unl) [o1].gen Super Mario Bros. (Unl) [f1].gen Super Mario Bros. (Unl) [!].gen Super Mario World (Unl) [f1].gen Super Mario World (Unl) [!].gen Super Mario World (Unl) [p1][!].gen Taiwan Tycoon (Unl) [b1].gen Taiwan Tycoon (Unl).gen Tekken 3 Special (Unl).gen Tiger Hunter Hero Novel (Ch).gen Top Fighter 2000 MK VIII (Unl) [f1].gen Top Fighter 2000 MK VIII (Unl) [!].gen Top Shooter (Unl).gen TotoTek Multi-Game Menu V1.00 (Unl).gen Unknown Chinese Game 1 (Ch).gen - Feng Shen Ying Jie Chuan; not sure if different Unknown Chinese Game 2 (Ch).gen - Shui Hu Zhuan; not sure if different Virtua Fighter 2 vs Tekken 2 (Unl) [b1].gen Virtua Fighter 2 vs Tekken 2 (Unl) [b2].gen Virtua Fighter 2 vs Tekken 2 (Unl).gen Virtua Fighter 2 vs Tekken 2 (Unl) [h1C].gen World Pro Baseball 94 (Unl).gen Yang Warrior Family, The (Ch).gen 16 Zhang Ma Jiang (China) (Unl).md Action 52 (USA) (Alt) (Unl).md Action 52 (USA) (Unl).md Adventurous Boy - Mao Xian Xiao Zi (China) (Unl).md Aq Renkan Awa (China) (Unl).md Barver Battle Saga - Tai Kong Zhan Shi (China) (Unl).md Bible Adventures (USA) (Unl).md Chao Ji Da Fu Weng (China) (Unl).md Dial Q o Mawase! (Japan) (Unl).md Divine Sealing (Japan) (Unl).md Exodus - Journey to the Promised Land (USA) (Unl).md Feng Kuang Tao Hua Yuan (China) (Unl).md Feng Shen Ying Jie Chuan (China) (Unl).md Hei Tao 2 - Super Big 2 (China) (Unl).md Hua Mu Lan - Mulan (China) (Unl).md Jiu Ji Ma Jiang II - Ye Yan Bian (China) (Unl).md Joshua & The Battle of Jericho (USA) (Unl).md Long (China) (Unl).md Ma Jiang Qing Ren - Ji Ma Jiang Zhi (China) (Unl).md Ma Qiao E Mo Ta - Devilish Mahjong Tower (China) (Unl).md Meng Huan Shui Guo Pan - 777 Casino (China) (Unl).md San Guo Zhi V (China) (Unl).md Shi Jie Zhi Bang Zheng Ba Zhan - World Pro Baseball 94 (China) (Unl).md Shui Hu - Feng Yun Zhuan (China) (Unl).md Shui Hu Zhuan (China) (Unl).md Spiritual Warfare (USA) (Unl).md Squirrel King (China) (Unl).md Taiwan Daheng (China) (Unl).md Tun Shi Tian Di III (China) (Simple Chinese) (Unl).md Tun Shi Tian Di III (China) (Unl).md Wu Kong Wai Zhuan (China) (Unl).md Xiao Monv - Magic Girl (China) (Unl).md Yang Jia Jiang - Yang Warrior Family (China) (Unl).md Zhuo Gui Da Shi - Ghost Hunter (China) (Unl).md
Games With Constant-Value Hardware Registers
- TODO many, many, many more
- TODO perhaps this section should be changed to include the phrase "MD Compatible" (with quotes) as Creaton Softech's Ma Jiang Qing Ren: Ji Ma Jiang Zhi, though it uses a similar method, has different registers
A large number of unlicensed games merely read various constant byte values stored at specific addresses in the $400000 region as copy protection.
Game | sha1sum | $400000 | $400002 | $400004 | $400006 | On Failure |
---|---|---|---|---|---|---|
16 Zhang Ma Jiang | 7857c797245b52641a3d1d4512089bccb0ed5359 | $AA (word read; $400003 ignored) | $F0 (word read; $400007 ignored) |
| ||
Elf Wor | 5fc4591fbb1acc64e184466c7b6287c7f64e0b7a | $55 | $F | $C9 | $18 | |
Huan Le Tao Qi Shu: Smart Mouse | df7a2527875317406b466175f0614d343dd32117 | $55 | $F | $AA | $F0 | The game will fade to black and freeze several seconds into gameplay. Check is at ROM $8BC. |
Hei Tao 2: Super Big 2 | e1e4c439c5c22fa5cfcecaab421c55bf1746b5de | $55 | Read by Z80, written to 68k RAM after winning the 8th match | Z80 will try to overwrite RAM when winning the 8th (last?) match, crashing the game. | ||
Meng Huan Shui Guo Pan: 777 Casino | df20a28d03a2cd481af134ef7602062636c3cc79 | $55 or $63 | Read by Z80, but appear to be unused on either side (TODO) | Z80 will try to overwrite RAM when playing the town theme the 3rd time, which will cause breakage and make the player unable to move. | ||
Mighty Morphin' Power Rangers: The Fighting Edition | 25d2d6a5ab20e16b8b42b67e5fb338421b64b29b | $55 | $F | $C9 (TODO will $AA work too?) | $18 | |
Super Bubble Bobble MD | 03f40c14624f1522d6e3105997d14e8eaba12257 | $55 | $F | It will play a high-pitched beeping sound and refuse to go past the beginning of the title screen. This check is at ROM $123E4. | ||
Thunderbolt II | 3dca68795b6c9a16cafa5e71218d5ce83aa465fc | $55 | $F0 |
| ||
Ya Se Chuan Shuo |
|
$63 | $98 | $C9 | $18 | Major sound failure; some unknown 68000-side effects too |
Additional Game Specifics
Elf Wor
The game checksums the two that do the copy protection check and will refuse to boot if the checksums do not match:
ROM:000003EC lea ($5166).l,a0 ; what this routine does is presently unknown (TODO) ROM:000003F2 move.w #$2FF,d7 ROM:000003F6 move.w #0,d0 ROM:000003FA ROM:000003FA loc_3FA: ; CODE XREF: ROM:000003FC�j ROM:000003FA add.b (a0)+,d0 ROM:000003FC dbf d7,loc_3FA ROM:00000400 cmpi.b #$5E,d0 ROM:00000404 beq.w loc_40E ; next check ROM:00000408 jmp (loc_300).l ; back to entry point == no boot ROM:0000040E ; --------------------------------------------------------------------------- ROM:0000040E ROM:0000040E loc_40E: ; CODE XREF: ROM:00000404�j ROM:0000040E lea ($1AAE).l,a0 ; this is the player event handling routine ROM:00000414 move.w #$1FF,d7 ROM:00000418 move.w #0,d0 ROM:0000041C ROM:0000041C loc_41C: ; CODE XREF: ROM:0000041E�j ROM:0000041C add.b (a0)+,d0 ROM:0000041E dbf d7,loc_41C ROM:00000422 cmpi.b #$94,d0 ROM:00000426 beq.w sub_430 ; boot! ROM:0000042A jmp (loc_300).l ; back to entry point == no boot
Mighty Morphin' Power Rangers: The Fighting Edition
As with Elf Wor, there are routines to checksum the routines that do the copy protection:
ROM:000693B6 ; =============== S U B R O U T I N E ======================================= ROM:000693B6 ROM:000693B6 ROM:000693B6 sub_693B6: ; CODE XREF: sub_65AA2+3AE�p ROM:000693B6 cmpi.w #$14,($FF064A).l ROM:000693BE bne.w locret_693EA ROM:000693C2 lea (loc_661DE).l,a3 ROM:000693C8 clr.l d0 ROM:000693CA moveq #$1A,d1 ROM:000693CC ROM:000693CC loc_693CC: ; CODE XREF: sub_693B6+18�j ROM:000693CC add.w (a3)+,d0 ROM:000693CE dbf d1,loc_693CC ROM:000693D2 cmpi.w #$46D2,d0 ROM:000693D6 beq.w locret_693EA ROM:000693DA move.w #$EEEF,($FF020A).l ; on failure, this happens; not sure what the effect is ROM:000693E2 move.w #$EEEF,($FF040A).l ROM:000693EA ROM:000693EA locret_693EA: ; CODE XREF: sub_693B6+8�j ROM:000693EA ; sub_693B6+20�j ROM:000693EA rts ROM:000693EA ; End of function sub_693B6 ROM:000693EA ROM:000693EA ; ---------------------------------------------------------------------------
Furthermore, at $65DD4, some code is copied to ROM space to (presumably) cause the game to reboot. This is designed to thwart copiers who run games off RAM mapped where the ROM would be.
(TODO cleanup this part) According to Eke, author of Genesis Plus GX:
00065D3A:070A ; fixes internal checksum so it matches original value
TODO find out where this other internal checksum is checked
Super Bubble Bobble MD
The game also stores stuff in the $200000-$3FFFFF range and reads stuff back from it; exactly what this should be is unknown (TODO).
Games That Use Mirrored Memory For Copy Protection
- TODO not as many: Tiny Toon Adventures 3, Barver Battle Saga, Shui Hu Zhuan, Feng Shen Ying Jie Chuan, and Squirrel King are the only five I know of so far
Some games store memory instead of constant values at the $400000 area, writing byte values to one address and expecting to read them back from a different address. While each game uses different pairs of addresses (some even switching between pairs), all of them will still work if the expected value is read back from all addresses, which would be the safest option for emulator authors.
Additional Game Specifics
Games With Rockman X3-style ROM Banking
- TODO this one will hurt
Games With Super Donkey Kong 99-style ROM Banking
- TODO so will this
All Realtec Games
- TODO: wikify this
Affected ROMs:
- Whac-a-Critter: 4b45801b112a641fee936e41a31728ee7aa2f834
- Funny World & Balloon Boy: 17481c8327433bfce8f7bae493fc044194e400a4
- Earth Defense: 9bf4cda850495d7811df578592289018862df575
- Zhong Guó Xiàng Qí: presently undumped
All Realtec games use a custom mapper format documented by TascoDLX.
Tiny Toon Adventures 3
Affected ROMs:
- Tiny Toon Adventures 3: 6c68e4c7a5a14f926dc69ea5d5a452d9ead29a8e
The game writes byte $55 to $400000 (this address is stored in memory by a calculation at $673E and the byte is stored in the function starting at $2C0C) and expects to read that byte back from $400002; otherwise, the game will reset itself (function with this check is at $2C26).
The game also appears to write to the upper 64KB of ROM (from $F0000 on), but doesn't appear to actually use that area (TODO).
Xin Qi Gai Wang Zi
Affected ROMs:
- Xin Qi Gai Wang Zi: presently undumped
- Dumps of pirate versions: 75f8003a6388814c1880347882b244549da62158, 4a7494d8601149f43ba7e3595a0b2340cde2e9ba
The game is 4MB storing SRAM above the $400000 mark. (TODO get specifics)