Curious discovery regarding Sega Smash Pack for PC

Discussion in 'General Sega Discussion' started by MarzSyndrome, Oct 26, 2009.

  1. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Decided to try one of the old Smash Packs from the late 90's for shits and giggles. The first one to be precise.

    Thought I'd give one of my faves - Revenge of Shinobi - another go, even though I've beaten it to death like infinity times.

    Except curiously - despite this being a US-originated product - it's going by the name of The Super Shinobi for today.


    Cue the Sega logo. Dum de dum.


    Then almost immediately, the intro plays (no copyright screen).... but with the music from Level 1. Erm?

    Press Start to get to the menu.


    Hang about, what are those funny numbers in the corner? Do I smell........ LEVEL SELECT?

    Check the options.

    Almost straight away, I notice a new option - No Death. It appears to make you totally invincible. No kidding.



    Start Level 1. It plays music from one of the later levels. What. The. Fuck?



    Folks, I'm starting to suspect that whoever compiled this compilation back in late '98/early '99 seemingly wasn't smart enough to notice they were bundling what appears to be some kind of beta version of a classic Sega title into their set. I know Steve Snake provided the emulator, but did he choose the games as well, or was that someone else's job?

    Still, intriguing find - particularly as I don't believe a rom dump of this sort of revision already exists. Now if only somebody could take the time to work out how to break that KVQ format and rip the roms out. It's decade-old encryption now, so maybe we might have better luck with it? And before you ask, no I don't know how to code shit. I really wish I could.
     
  2. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    USA
    rom-properties
    Probably the easiest thing to do would be to take a memory dump of the program while it's running. I'm not sure how to do that on Windows, but if you run it in Wine on Linux, you should be able to force a core dump.
     
  3. MainMemory

    MainMemory

    Have no fear...Amy Rose is here! Tech Member
    SonLVL
    Cheat Engine can do a memory dump.
     
  4. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Is there an idiot's guide to doing a memory dump with that program? I tried using it just now and I don't see an obvious "dump memory" button. Besides that, scrolling through all that code (I did have Smash.exe running in the background with Shinobi loaded, and selected the process in CE) couldn't help me find anything resembling the code/tags you get at the start of a Mega Drive rom. Maybe I'm not doing something right.
     
  5. Afti

    Afti

    ORIGINAL MACHINE Member
    I've never used CE, so I'd be no help there.

    You should upload that Smash Pack copy. The more people trying to extract the ROM, the faster it will be done.
     
  6. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    You mean just the rom, or the whole collection? I might be able to upload it quickly before I have to go to bed, lmao.
     
  7. Afti

    Afti

    ORIGINAL MACHINE Member
    Whole collection; you already stated you can't extract the ROM.
     
  8. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Maybe I didn't word it right - the roms are in separate files, just in encrypted form (with a *.kvq extension). Do you still want me to up the whole caboodle though?
     
  9. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    USA
    rom-properties
    QUOTE (MarzSyndrome @ Oct 26 2009, 12:58 AM):
    Maybe I didn't word it right - the roms are in separate files, just in encrypted form (with a *.kvq extension). Do you still want me to up the whole caboodle though?

    Yes, upload the whole thing. That way, we can run it and use a utility to extract data from memory, where it's uncompressed / deobfuscated.
     
  10. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Okay, here ya go folks..... http://www.megaupload.com/?d=V3OZEVPP


    Little note: This was installed through its InstallShield installer, and it usually has a "Uninst.isu" file, but I chose not to include it as I'm sure it won't really matter that much to you. If you're concerned about registry changes, the only one I believe the program adds is in "HKLM\Software\Sega\Sega Smash Pack".
     
  11. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    USA
    rom-properties
    Found the image in memory. Extracting...

    EDIT: The MEMO section of the ROM header says "A0115 Sega Channel". Maybe this is a Sega Channel-specific ROM?
     
  12. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Sega Channel hosting a beta game? Lulz.


    It seems strange it crept into Smash Pack though, particularly as this was many years after the initial licensing struggle with the game that caused several revisions to pop up in the first place, and having played through it, not only is Spiderman present in his red and blue glory, but Batman as well.
     
  13. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    USA
    rom-properties
    Here it is: http://www.soniccenter.org/gerbilsoft/shinobi_smashpack.zip

    CRC32 is FA1B8AEB. (Doesn't seem to match any ROMs in GoodGen.)

    For the record, the actual method I used to dump the ROM was loading Smash Pack in Wine with the GDB debugger. Once the ROM was loaded, I paused GDB with Ctrl-C and entered this command:

    Code (Text):
    (gdb) dump binary memory dump.raw 0x00400000 0x01000000
    This dumped all memory segments starting at 0x00400000 and ending at 0x01000000, totalling 12 MB. I then searched for the standard MD ROM header, and I found it. Extracting the ROM was relatively easy with a hex editor.

    EDIT: The addresses I chose were partially guesswork. Windows binaries start at 0x00400000, and I picked 0x01000000 as the ending address because it seemed like a reasonable upper bound.
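    The "search the dump for the standard MD ROM header, then carve it out" step GerbilSoft describes above, written out as an added example in Python (this is not the thread's own code, and nothing here touches the real Smash Pack files). It scans a raw dump for the console-name string that the standard header places at ROM offset 0x100, reads the ROM-end field at 0x1A4 to learn the image size, carves the image, recomputes the header checksum as a completeness check, and reports the CRC32. The "memory dump" it runs on is constructed inline: a synthetic ROM with a valid header buried between unrelated filler, so the sample ROM, its name and its MEMO text are all made up.

```python
import re
import struct
import zlib

HEADER_OFFSET = 0x100            # the console name sits at ROM offset 0x100
CONSOLE_MAGIC = re.compile(rb"SEGA (?:MEGA DRIVE|GENESIS)")
MAX_ROM_SIZE = 4 * 1024 * 1024   # largest cartridge the 68000 address map holds without a mapper


def md_checksum(rom: bytes) -> int:
    """Header checksum: 16-bit sum of all big-endian words from offset 0x200 to the end."""
    total = 0
    for i in range(0x200, len(rom) - 1, 2):
        total += (rom[i] << 8) | rom[i + 1]
    return total & 0xFFFF


def parse_header(rom: bytes) -> dict:
    """Decode the fields of the standard 256-byte header at 0x100 (offsets per the Sega spec)."""
    h = rom[HEADER_OFFSET:HEADER_OFFSET + 0x100]

    def text(a, b):
        return h[a:b].decode("ascii", "replace").strip()

    rom_start, rom_end = struct.unpack(">II", h[0xA0:0xA8])
    return {
        "console": text(0x00, 0x10),
        "overseas_name": text(0x50, 0x80),
        "serial": text(0x80, 0x8E),
        "checksum": struct.unpack(">H", h[0x8E:0x90])[0],
        "rom_start": rom_start,
        "rom_end": rom_end,
        "memo": text(0xC8, 0xF0),   # free-text field; the thread saw "A0115 Sega Channel" here
    }


def find_md_roms(dump: bytes) -> list:
    """Scan a raw memory dump for Mega Drive ROM headers and describe each plausible image."""
    hits = []
    for m in CONSOLE_MAGIC.finditer(dump):
        start = m.start() - HEADER_OFFSET
        if start < 0 or start + 0x200 > len(dump):
            continue
        hdr = parse_header(dump[start:start + 0x200])
        size = hdr["rom_end"] + 1
        if hdr["rom_start"] != 0 or size < 0x200 or size > MAX_ROM_SIZE:
            continue                 # a stray string, not a header (cartridge images start at 0)
        truncated = start + size > len(dump)
        rom = dump[start:start + size]
        hits.append({
            "offset": start, "size": size, "truncated": truncated,
            # A matching checksum is strong evidence the image is complete and unmodified, but
            # plenty of genuine (especially unreleased) ROMs carry a wrong one, so treat it as
            # a confidence hint rather than a filter.
            "checksum_ok": not truncated and md_checksum(rom) == hdr["checksum"],
            "crc32": zlib.crc32(rom) & 0xFFFFFFFF,
            **hdr,
        })
    return hits


def carve_rom(dump: bytes, hit: dict) -> bytes:
    """Cut the image described by one hit out of the dump."""
    return dump[hit["offset"]:hit["offset"] + hit["size"]]


def build_test_rom(size: int = 0x4000) -> bytes:
    """Constructed 16 KB sample ROM: vector table, a valid header and patterned data."""
    rom = bytearray(size)
    rom[0:4] = (0x00FFFFFE).to_bytes(4, "big")       # initial stack pointer
    rom[4:8] = (0x00000200).to_bytes(4, "big")       # entry point
    rom[0x100:0x110] = b"SEGA MEGA DRIVE "
    rom[0x110:0x120] = b"(C)TEST 2009.OCT"
    rom[0x120:0x150] = b"SAMPLE ROM".ljust(48)
    rom[0x150:0x180] = b"SAMPLE ROM".ljust(48)
    rom[0x180:0x18E] = b"GM 00000000-00"
    rom[0x1A0:0x1A8] = struct.pack(">II", 0, size - 1)
    rom[0x1A8:0x1B0] = struct.pack(">II", 0x00FF0000, 0x00FFFFFF)
    rom[0x1C8:0x1F0] = b"CONSTRUCTED MEMO".ljust(40)
    rom[0x1F0:0x1F3] = b"JUE"
    for i in range(0x200, size):
        rom[i] = (i * 7 + 3) & 0xFF
    rom[0x18E:0x190] = struct.pack(">H", md_checksum(bytes(rom)))
    return bytes(rom)


def build_test_dump() -> bytes:
    """Constructed 'memory dump': the sample ROM buried between unrelated allocations."""
    filler_a = b"\x00" * 0x1000 + b"unrelated heap data " * 64
    filler_b = bytes(range(256)) * 16
    return filler_a + build_test_rom() + filler_b


if __name__ == "__main__":
    dump = build_test_dump()
    for hit in find_md_roms(dump):
        print(f"ROM at 0x{hit['offset']:08X}, {hit['size']} bytes, '{hit['overseas_name']}', "
              f"memo='{hit['memo']}', checksum_ok={hit['checksum_ok']}, CRC32={hit['crc32']:08X}")
```

    On a real dump, replace build_test_dump() with the contents of dump.raw; the "truncated" flag is what tells you the dump range ended before the image did, which is exactly the failure mode to watch for when the dumper stops at the first unreadable page.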
     
  14. evilhamwizard

    evilhamwizard

    Researcher
    Just FYI - there is no final boss. It'll load the area for a quick second, but then the screen will flash and go back to LEVEL1-1.

    Neat stuff. I'd like to see you get more roms out of the collection Gerbil to see if any other game is possibly different. I have the other Sega Smash Packs as well, so if you need them - let me know.
     
  15. GerbilSoft

    GerbilSoft

    RickRotate'd. Administrator
    USA
    rom-properties
    QUOTE (evilhamwizard @ Oct 26 2009, 01:41 AM):
    Neat stuff. I'd like to see you get more roms out of the collection Gerbil to see if any other game is possibly different. I have the other Sega Smash Packs as well, so if you need them - let me know.

    I'll take a look at them tomorrow.

    EDIT: The ROM files are their original size, plus 8 bytes. It looks like it might be a simple 64-bit XOR obfuscation. I'll attempt to see if it can be decoded easily tomorrow, too.

    EDIT 2: Maybe not XOR. Still, cracking the encryption can't be too difficult, since we have the ciphertext and the plaintext. Presumably, the key makes up those extra 8 bytes. Now all we need is the cipher.
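    The known-plaintext reasoning in the two EDITs above (file = ROM size + 8 bytes; maybe a 64-bit XOR; we hold both ciphertext and plaintext) can be turned into a quick falsification test. This is an added example in Python, not the thread's code, and it makes no claim about the real KVQ layout: the "8-byte prefix followed by body" split, the sample plaintext, the sample key and both sample files are constructed here. The point it demonstrates is why a repeating-key XOR gives no protection once one plaintext is known: the key falls straight out of the first block, and either it explains the whole file or the hypothesis is dead, which is the check GerbilSoft's "Maybe not XOR" amounts to.

```python
KEY_LEN = 8   # the thread's observation: obfuscated file = ROM size + 8 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the suspected scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_kvq(blob: bytes, header_len: int = KEY_LEN) -> tuple:
    """Separate the suspected 8-byte prefix from the body (hypothetical layout, not the real format)."""
    return blob[:header_len], blob[header_len:]


def check_repeating_xor(body: bytes, plain: bytes, key_len: int = KEY_LEN) -> tuple:
    """Known-plaintext check.

    If body == plain XOR repeating key, the key is simply body[:key_len] XOR plain[:key_len].
    Return the derived key and the number of positions it fails to explain (0 = hypothesis holds).
    """
    if len(body) != len(plain):
        raise ValueError("body and plaintext differ in length; the hypothesis already fails")
    key = xor_bytes(body[:key_len], plain[:key_len])
    mismatches = sum(1 for i in range(len(body)) if body[i] ^ key[i % key_len] != plain[i])
    return key, mismatches


def analyse(blob: bytes, plain: bytes) -> dict:
    """Run the size check and the XOR check, and note whether the derived key equals the prefix."""
    header, body = split_kvq(blob)
    result = {"size_ok": len(blob) == len(plain) + KEY_LEN}
    if not result["size_ok"]:
        return result
    key, mismatches = check_repeating_xor(body, plain)
    result.update(derived_key=key.hex(), mismatches=mismatches,
                  repeating_xor=(mismatches == 0), key_is_header=(key == header))
    return result


# Constructed samples (not real Smash Pack data).
SAMPLE_PLAIN = bytes((i * 31 + 7) & 0xFF for i in range(4096))
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
# File that really is "key prefix + plaintext XOR repeating key".
SAMPLE_XOR_FILE = SAMPLE_KEY + xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
# Same size and prefix, but position-dependent: no fixed 8-byte key can explain it.
SAMPLE_OTHER_FILE = SAMPLE_KEY + bytes(
    b ^ SAMPLE_KEY[i % KEY_LEN] ^ (i & 0xFF) for i, b in enumerate(SAMPLE_PLAIN))

if __name__ == "__main__":
    for name, blob in (("xor sample", SAMPLE_XOR_FILE), ("other sample", SAMPLE_OTHER_FILE)):
        print(name, analyse(blob, SAMPLE_PLAIN))
```

    With a real pair, feed the dumped ROM as plain and the .kvq file as blob; a non-zero mismatch count rules out a fixed 8-byte XOR and the next hypothesis has to be tested the same way.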
     
  16. Rika Chou

    Rika Chou

    Tech Member
    :O

    So I guess this is one of the Sega Channel "test drive" games? Very interesting.
     
  17. MainMemory

    MainMemory

    Have no fear...Amy Rose is here! Tech Member
    SonLVL
    I'm a bit late, but to get a dump with CE, open the memory view, go to File -> Save Memory Region (Ctrl+S), enter the Start (usually 00400000) and End addresses, click the Add button, check "Don't include Cheat Engine header in file", click Save, give it a .bin extension.
     
  18. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    QUOTE (GerbilSoft @ Oct 26 2009, 05:31 AM):
    Here it is: http://www.soniccenter.org/gerbilsoft/shinobi_smashpack.zip

    CRC32 is FA1B8AEB. (Doesn't seem to match any ROMs in GoodGen.)

    For the record, the actual method I used to dump the ROM was loading Smash Pack in Wine with the GDB debugger. Once the ROM was loaded, I paused GDB with Ctrl-C and entered this command:

    Code (Text):
    (gdb) dump binary memory dump.raw 0x00400000 0x01000000
    This dumped all memory segments starting at 0x00400000 and ending at 0x01000000, totalling 12 MB. I then searched for the standard MD ROM header, and I found it. Extracting the ROM was relatively easy with a hex editor.

    EDIT: The addresses I chose were partially guesswork. Windows binaries start at 0x00400000, and I picked 0x01000000 as the ending address because it seemed like a reasonable upper bound.

    Thanks man! 'Tis good to play this under a superior emulator for once.

    I'm sorely tempted to try decoding the other roms this way myself, except I'm a Windows user, so can't use Wine. =P Do you know of another memory dumping tool I might be able to use?
     
  19. MainMemory

    MainMemory

    Have no fear...Amy Rose is here! Tech Member
    SonLVL
    <!--quoteo(post=366081:date=Oct 26 2009, 09:10 AM:name=MarzSyndrome)--><div class='quotetop'>QUOTE (MarzSyndrome @ Oct 26 2009, 09:10 AM) <a href="index.php?act=findpost&pid=366081"><img src="public/style_images/retro/snapback.png"></a></div><div class='quotemain'><!--quotec-->I'm sorely tempted to try decoding the other roms this way myself, except I'm a Windows user, so can't use Wine. =P Do you know of another memory dumping tool I might be able to use?<!--QuoteEnd--></div><!--QuoteEEnd-->
    Try my post directly above you.
    Find Cheat Engine at <a href="http://www.cheatengine.org" target="_blank">http://www.cheatengine.org</a>
     
  20. MarzSyndrome

    MarzSyndrome

    Everything is going to the beat. Member
    Well, following your suggestion, MainMemory, I appear to come across an obstacle (I'm testing it out with Shinobi again to see if I can get an identical dump with it). CE's memory dumper appears to be restricted as to what memory range it can dump atm. I was hoping to use the range Gerbilsoft chose with his dumping technique, but I get told "Not all the memory was readable in 00400000-01000000". Indeed, it'll dump memory up to 00599999, but not 00600000. And out of the memory I was able to dump, I couldn't find the rom header inside it.

    Playing the game for a while doesn't make a difference, it seems.