Decided to try one of the old Smash Packs from the late 90's for shits and giggles. The first one to be precise. Thought I'd give one of my faves - Revenge of Shinobi - another go, even though I've beaten it to death like infinity times. Except curiously - despite this being a US-originated product - it's going by the name of The Super Shinobi for today. Cue the Sega logo. Dum de dum. Then almost immediately, the intro plays (no copyright screen).... but with the music from Level 1. Erm? Press Start to get to the menu. Hang about, what are those funny numbers in the corner? Do I smell........ LEVEL SELECT? Check the options. Almost straight away, I notice a new option - No Death. It appears to make you totally invincible. No kidding. Start Level 1. It plays music from one of the later levels. What. The. Fuck? Folks, I'm starting to suspect that whoever compiled this compilation back in late '98/early '99 seemingly wasn't smart enough to notice they were bundling what appears to be some kind of beta version of a classic Sega title into their set. I know Steve Snake provided the emulator, but did he choose the games as well, or was that someone else's job? Still, intriguing find - particularly as I don't believe a rom dump of this sort of revision already exists. Now if only somebody could take the time to work out how to break that KVQ format and rip the roms out. It's decade-old encryption now, so maybe we might have better luck with it? And before you ask, no I don't know how to code shit. I really wish I could.
Probably the easiest thing to do would be to take a memory dump of the program while it's running. I'm not sure how to do that on Windows, but if you run it in Wine on Linux, you should be able to force a core dump.
Is there an idiot's guide to doing a memory dump with that program? I tried using it just now and I don't see an obvious "dump memory" button. Besides that, scrolling through all that code (I did have Smash.exe running in the background with Shinobi loaded, and selected the process in CE) couldn't help me find anything resembling the code/tags you get at the start of a Mega Drive rom. Maybe I'm not doing something right.
I've never used CE, so I'd be no help there. You should upload that Smash Pack copy. The more people trying to extract the ROM, the faster it will be done.
You mean just the rom, or the whole collection? I might be able to upload it quickly before I have to go to bed, lmao.
Maybe I didn't word it right - the roms are in separate files, just in encrypted form (with a *.kvq extension). Do you still want me to up the whole caboodle though?
Yes, upload the whole thing. That way, we can run it and use a utility to extract data from memory, where it's uncompressed / deobfuscated.
Okay, here ya go folks..... http://www.megaupload.com/?d=V3OZEVPP Little note: This was installed through its InstallShield installer, and it usually has a "Uninst.isu" file, but I chose not to include it as I'm sure it won't really matter that much to you. If you're concerned about registry changes, the only one I believe the program adds is in "HKLM\Software\Sega\Sega Smash Pack".
Found the image in memory. Extracting... EDIT: The MEMO section of the ROM header says "A0115 Sega Channel". Maybe this is a Sega Channel-specific ROM?
Sega Channel hosting a beta game? Lulz. It seems strange it crept into Smash Pack though, particularly as this was many years after the initial licensing struggle with the game that caused several revisions to pop up in the first place, and having played through it, not only is Spiderman present in his red and blue glory, but Batman as well.
Here it is: http://www.soniccenter.org/gerbilsoft/shinobi_smashpack.zip CRC32 is FA1B8AEB. (Doesn't seem to match any ROMs in GoodGen.) For the record, the actual method I used to dump the ROM was loading Smash Pack in Wine with the GDB debugger. Once the ROM was loaded, I paused GDB with Ctrl-C and entered this command:

    (gdb) dump binary memory dump.raw 0x00400000 0x01000000

This dumped all memory segments starting at 0x00400000 and ending at 0x01000000, totalling 12 MB. I then searched for the standard MD ROM header, and I found it. Extracting the ROM was relatively easy with a hex editor. EDIT: The addresses I chose were partially guesswork. Windows binaries start at 0x00400000, and I picked 0x01000000 as the ending address because it seemed like a reasonable upper bound.
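The header search and extraction described in the post above can be scripted instead of done by hand in a hex editor. This is an added example, not part of the original thread: it assumes the standard Mega Drive header layout ("SEGA" at 0x100, big-endian ROM start/end addresses at 0x1A0/0x1A4, memo field at 0x1C8), and the sample dump is constructed so the code runs without a real dump.raw.

```python
import struct
import zlib

HEADER = 0x100      # the header follows the 68000 vector table
MAGIC = b"SEGA"     # console-name field starts with this on licensed ROMs
MAX_ROM = 0x400000  # 4 MB, the largest ROM the console maps linearly


def find_md_roms(dump: bytes):
    """Return [(offset, rom_bytes, memo)] for every plausible ROM in a raw dump."""
    found = []
    pos = dump.find(MAGIC)
    while pos != -1:
        base = pos - HEADER
        if base >= 0 and base + 0x200 <= len(dump):
            # Big-endian ROM start/end addresses live at 0x1A0 and 0x1A4.
            start, end = struct.unpack_from(">II", dump, base + 0x1A0)
            size = end - start + 1
            # Reject stray "SEGA" strings: the ROM must map at 0, have a
            # plausible size, and lie wholly inside the dumped range.
            if start == 0 and 0x200 <= size <= MAX_ROM and base + size <= len(dump):
                memo = dump[base + 0x1C8:base + 0x1F0].decode("ascii", "replace").strip()
                found.append((base, dump[base:base + size], memo))
        pos = dump.find(MAGIC, pos + 1)
    return found


def build_sample_dump() -> bytes:
    """Constructed 8 KB 'memory dump' holding one 1 KB fake ROM and two decoys."""
    rom = bytearray(b"\xff" * 0x400)
    rom[0x100:0x110] = b"SEGA MEGA DRIVE "
    rom[0x1A0:0x1A8] = struct.pack(">II", 0, 0x3FF)
    rom[0x1C8:0x1F0] = b"CONSTRUCTED MEMO".ljust(40)
    dump = bytearray(0x2000)
    dump[0x10:0x14] = MAGIC    # decoy too close to the start of the dump
    dump[0x300:0x304] = MAGIC  # decoy with no valid size fields after it
    dump[0x1234:0x1234 + len(rom)] = rom
    return bytes(dump)


if __name__ == "__main__":
    for offset, rom, memo in find_md_roms(build_sample_dump()):
        print(f"ROM at dump offset {offset:#x}, {len(rom)} bytes, "
              f"CRC32 {zlib.crc32(rom):08X}, memo {memo!r}")
```

On a real dump, read the file with `open("dump.raw", "rb").read()` and pass the bytes to `find_md_roms`; the printed CRC32 can then be compared against a known value.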
Just FYI - there is no final boss. It'll load the area for a quick second, but then the screen will flash and go back to LEVEL1-1. Neat stuff. I'd like to see you get more roms out of the collection Gerbil to see if any other game is possibly different. I have the other Sega Smash Packs as well, so if you need them - let me know.
I'll take a look at them tomorrow. EDIT: The ROM files are their original size, plus 8 bytes. It looks like it might be a simple 64-bit XOR obfuscation. I'll attempt to see if it can be decoded easily tomorrow, too. EDIT 2: Maybe not XOR. Still, cracking the encryption can't be too difficult, since we have the ciphertext and the plaintext. Presumably, the key makes up those extra 8 bytes. Now all we need is the cipher.
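With both the dumped plaintext and the obfuscated file in hand, the "64-bit XOR plus 8 extra bytes" guess in the post above can be confirmed or ruled out mechanically. This is an added example, not part of the original thread: the function name and both sample files are constructed for illustration and say nothing about how the real KVQ format works.

```python
def check_xor8(plain: bytes, obf: bytes):
    """Test the hypothesis 'plain XOR repeating 8-byte key, plus 8 extra bytes'.

    Returns (placement, key, key_is_extra) when it holds, else None.
    """
    if len(obf) != len(plain) + 8 or len(plain) < 16:
        return None
    # The extra 8 bytes could sit before or after the obfuscated body.
    layouts = (("prefix", obf[8:], obf[:8]), ("suffix", obf[:-8], obf[-8:]))
    for placement, body, extra in layouts:
        # For XOR, ciphertext ^ plaintext recovers the keystream directly.
        stream = bytes(c ^ p for c, p in zip(body, plain))
        key = stream[:8]
        # A repeating 8-byte key means the keystream has period 8 throughout.
        if all(b == key[i % 8] for i, b in enumerate(stream)):
            return placement, key, key == extra
    return None


def constructed_samples():
    """Constructed data: one file that fits the hypothesis, one that does not."""
    plain = bytes(range(256)) * 2
    key = bytes.fromhex("0123456789abcdef")
    xored = key + bytes(p ^ key[i % 8] for i, p in enumerate(plain))
    added = key + bytes((p + i) & 0xFF for i, p in enumerate(plain))
    return plain, key, xored, added


if __name__ == "__main__":
    plain, key, xored, added = constructed_samples()
    print("XOR sample:    ", check_xor8(plain, xored))
    print("non-XOR sample:", check_xor8(plain, added))
```

A `None` result only rejects this one hypothesis; it does not identify the cipher actually in use.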
I'm a bit late, but to get a dump with CE, open the memory view, go to File -> Save Memory Region (Ctrl+S), enter the Start (usually 00400000) and End addresses, click the Add button, check "Don't include Cheat Engine header in file", click Save, give it a .bin extension.
Thanks man! 'Tis good to play this under a more superior emulator for once. I'm sorely tempted to try decoding the other roms this way myself, except I'm a Windows user, so can't use Wine. =P Do you know of another memory dumping tool I might be able to use?
Well, following your suggestion, MainMemory, I appear to come across an obstacle (I'm testing it out with Shinobi again to see if I can get an identical dump with it). CE's memory dumper appears to be restricted as to what memory range it can dump atm. I was hoping to use the range Gerbilsoft chose with his dumping technique, but I get told "Not all the memory was readable in 00400000-01000000". Indeed, it'll dump memory up to 00599999, but not 00600000. And out of the memory I was able to dump, I couldn't find the rom header inside it. Playing the game for a while doesn't make a difference, it seems.