Security code: Difference between revisions
Jump to navigation
Jump to search
m (Created page with "Pointed to by $182. From KOF96 (CD): <pre> moveq #0,d3 ;64728: 7600 tst 2580(a5) ;6472A: 4A6D0A14 bne LAB_20F3 ;6472E: 6600003C movea.l 2564(a5),a0 ;64732: 206D0A04 m…") |
mNo edit summary |
||
| (9 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
Pointed | Pointed from $182 (in the [[68k program header]]). This pointer '''must''' be even ! | ||
The [[System ROM]] compares this code word per word with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine. | |||
There is some jumps to the security code inside the system ROM but it seems to never be called (at least in SP-E v2). | |||
From the official SNK doc : | |||
<syntaxhighlight> | |||
dc.w 0x7600, 0x4A6D, 0x0A14, 0x6600 | |||
dc.w 0x003C, 0x206D, 0x0A04, 0x3E2D | |||
dc.w 0x0A08, 0x13C0, 0x0030, 0x0001 | |||
dc.w 0x3210, 0x0C01, 0x00FF, 0x671A | |||
dc.w 0x3028, 0x0002, 0xB02D, 0x0ACE | |||
dc.w 0x6610, 0x3028, 0x0004, 0xB02D | |||
dc.w 0x0ACF, 0x0606, 0xB22D, 0x0AD0 | |||
dc.w 0x6708, 0x5088, 0x51CF, 0xFFD4 | |||
dc.w 0x3607, 0x4E75, 0x206D, 0x0A04 | |||
dc.w 0x3E2D, 0x0A08, 0x3210, 0xE049 | |||
dc.w 0x0C01, 0x00FF, 0x671A, 0x3010 | |||
dc.w 0xB02D, 0x0ACE, 0x6612, 0x3028 | |||
dc.w 0x0002, 0xE048, 0xB02D, 0x0ACF | |||
dc.w 0x6606, 0xB22D, 0x0AD0, 0x6708 | |||
dc.w 0x5888, 0x51CF, 0xFFD8, 0x3607 | |||
dc.w 0x4E75 | |||
</syntaxhighlight> | |||
From KOF96 (CD): | From KOF96 (CD): | ||
< | <syntaxhighlight> | ||
moveq #0,d3 | moveq #0,d3 | ||
tst 2580(a5) ; | tst 2580(a5) ;$10FD14.w | ||
bne LAB_20F3 ; | bne LAB_20F3 ; | ||
movea.l 2564(a5),a0 ; | movea.l 2564(a5),a0 ;$10FD04.l | ||
move 2568(a5),d7 ; | move 2568(a5),d7 ;$10FD08.w | ||
LAB_20F0: | LAB_20F0: | ||
move.b d0,EXT_03E5 ; | move.b d0,EXT_03E5 ;watchdog | ||
move (a0),d1 | move (a0),d1 | ||
cmpi.b #$FF,d1 | cmpi.b #$FF,d1 | ||
beq.s LAB_20F1 ; | beq.s LAB_20F1 ;skip | ||
move 2(a0),d0 | move 2(a0),d0 | ||
cmp.b 2766(a5),d0 ; | cmp.b 2766(a5),d0 ;$10FDCE.b | ||
bne.s LAB_20F1 ; | bne.s LAB_20F1 ;skip | ||
move 4(a0),d0 | move 4(a0),d0 | ||
cmp.b 2767(a5),d0 ; | cmp.b 2767(a5),d0 ;$10FDCF.b | ||
bne.s LAB_20F1 ; | bne.s LAB_20F1 ;skip | ||
cmp.b 2768(a5),d1 ; | cmp.b 2768(a5),d1 ;$10FDD0.b | ||
beq.s LAB_20F2 | beq.s LAB_20F2 | ||
LAB_20F1: | LAB_20F1: | ||
addq.l #8,a0 | addq.l #8,a0 | ||
dbf d7,LAB_20F0 | dbf d7,LAB_20F0 | ||
move d7,d3 | move d7,d3 | ||
LAB_20F2: | LAB_20F2: | ||
rts | rts | ||
LAB_20F3: | LAB_20F3: | ||
movea.l 2564(a5),a0 ; | movea.l 2564(a5),a0 ;$10FD04.l | ||
move 2568(a5),d7 ; | move 2568(a5),d7 ;$10FD08.w | ||
LAB_20F4: | LAB_20F4: | ||
move (a0),d1 | move (a0),d1 | ||
lsr #8,d1 | lsr #8,d1 | ||
cmpi.b #$FF,d1 | cmpi.b #$FF,d1 | ||
beq.s LAB_20F5 ; | beq.s LAB_20F5 ;skip | ||
move (a0),d0 | move (a0),d0 | ||
cmp.b 2766(a5),d0 ; | cmp.b 2766(a5),d0 ;$10FDCE.b | ||
bne.s LAB_20F5 ; | bne.s LAB_20F5 ;skip | ||
move 2(a0),d0 | move 2(a0),d0 | ||
lsr #8,d0 | lsr #8,d0 | ||
cmp.b 2767(a5),d0 ; | cmp.b 2767(a5),d0 ;$10FDCF.b | ||
bne.s LAB_20F5 ; | bne.s LAB_20F5 ;skip | ||
cmp.b 2768(a5),d1 ; | cmp.b 2768(a5),d1 ;$10FDD0.b | ||
beq.s LAB_20F6 | beq.s LAB_20F6 | ||
LAB_20F5: | LAB_20F5: | ||
addq.l #4,a0 | addq.l #4,a0 | ||
dbf d7,LAB_20F4 | dbf d7,LAB_20F4 | ||
move d7,d3 | move d7,d3 | ||
LAB_20F6: | LAB_20F6: | ||
rts | rts | ||
</ | </syntaxhighlight> | ||
From sp-s2.sp1 : | |||
<syntaxhighlight> | |||
Security: | |||
moveq #0, d3 | |||
tst.w 0xA14(a5) | |||
bne.w loc_C146E6 | |||
movea.l 0xA04(a5), a0 | |||
move.w 0xA08(a5), d7 | |||
loc_C146B4: | |||
move.b d0, (0x300001).l | |||
move.w (a0), d1 | |||
cmpi.b #0xFF, d1 | |||
beq.s loc_C146DC | |||
move.w 2(a0), d0 | |||
cmp.b 0xACE(a5), d0 | |||
bne.s loc_C146DC | |||
move.w 4(a0), d0 | |||
cmp.b 0xACF(a5), d0 | |||
bne.s loc_C146DC | |||
cmp.b 0xAD0(a5), d1 | |||
beq.s locret_C146E4 | |||
loc_C146DC: | |||
addq.l #8, a0 | |||
dbf d7, loc_C146B4 | |||
move.w d7, d3 | |||
locret_C146E4: | |||
rts | |||
loc_C146E6: | |||
movea.l 0xA04(a5), a0 | |||
move.w 0xA08(a5), d7 | |||
loc_C146EE: | |||
move.w (a0), d1 | |||
lsr.w #8, d1 | |||
cmpi.b #0xFF, d1 | |||
beq.s loc_C14712 | |||
move.w (a0), d0 | |||
cmp.b 0xACE(a5), d0 | |||
bne.s loc_C14712 | |||
move.w 2(a0), d0 | |||
lsr.w #8, d0 | |||
cmp.b 0xACF(a5), d0 | |||
bne.s loc_C14712 | |||
cmp.b 0xAD0(a5), d1 | |||
beq.s locret_C1471A | |||
loc_C14712: | |||
addq.l #4, a0 | |||
dbf d7, loc_C146EE | |||
move.w d7, d3 | |||
locret_C1471A: | |||
rts | |||
</syntaxhighlight> | |||
[[Category:Code]] | [[Category:Code]] | ||
Latest revision as of 10:20, 31 March 2018
Pointed from $182 (in the 68k program header). This pointer must be even !
The System ROM compares this code word per word with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine.
There is some jumps to the security code inside the system ROM but it seems to never be called (at least in SP-E v2).
From the official SNK doc :
dc.w 0x7600, 0x4A6D, 0x0A14, 0x6600
dc.w 0x003C, 0x206D, 0x0A04, 0x3E2D
dc.w 0x0A08, 0x13C0, 0x0030, 0x0001
dc.w 0x3210, 0x0C01, 0x00FF, 0x671A
dc.w 0x3028, 0x0002, 0xB02D, 0x0ACE
dc.w 0x6610, 0x3028, 0x0004, 0xB02D
dc.w 0x0ACF, 0x0606, 0xB22D, 0x0AD0
dc.w 0x6708, 0x5088, 0x51CF, 0xFFD4
dc.w 0x3607, 0x4E75, 0x206D, 0x0A04
dc.w 0x3E2D, 0x0A08, 0x3210, 0xE049
dc.w 0x0C01, 0x00FF, 0x671A, 0x3010
dc.w 0xB02D, 0x0ACE, 0x6612, 0x3028
dc.w 0x0002, 0xE048, 0xB02D, 0x0ACF
dc.w 0x6606, 0xB22D, 0x0AD0, 0x6708
dc.w 0x5888, 0x51CF, 0xFFD8, 0x3607
dc.w 0x4E75From KOF96 (CD):
moveq #0,d3
tst 2580(a5) ;$10FD14.w
bne LAB_20F3 ;
movea.l 2564(a5),a0 ;$10FD04.l
move 2568(a5),d7 ;$10FD08.w
LAB_20F0:
move.b d0,EXT_03E5 ;watchdog
move (a0),d1
cmpi.b #$FF,d1
beq.s LAB_20F1 ;skip
move 2(a0),d0
cmp.b 2766(a5),d0 ;$10FDCE.b
bne.s LAB_20F1 ;skip
move 4(a0),d0
cmp.b 2767(a5),d0 ;$10FDCF.b
bne.s LAB_20F1 ;skip
cmp.b 2768(a5),d1 ;$10FDD0.b
beq.s LAB_20F2
LAB_20F1:
addq.l #8,a0
dbf d7,LAB_20F0
move d7,d3
LAB_20F2:
rts
LAB_20F3:
movea.l 2564(a5),a0 ;$10FD04.l
move 2568(a5),d7 ;$10FD08.w
LAB_20F4:
move (a0),d1
lsr #8,d1
cmpi.b #$FF,d1
beq.s LAB_20F5 ;skip
move (a0),d0
cmp.b 2766(a5),d0 ;$10FDCE.b
bne.s LAB_20F5 ;skip
move 2(a0),d0
lsr #8,d0
cmp.b 2767(a5),d0 ;$10FDCF.b
bne.s LAB_20F5 ;skip
cmp.b 2768(a5),d1 ;$10FDD0.b
beq.s LAB_20F6
LAB_20F5:
addq.l #4,a0
dbf d7,LAB_20F4
move d7,d3
LAB_20F6:
rtsFrom sp-s2.sp1 :
Security:
moveq #0, d3
tst.w 0xA14(a5)
bne.w loc_C146E6
movea.l 0xA04(a5), a0
move.w 0xA08(a5), d7
loc_C146B4:
move.b d0, (0x300001).l
move.w (a0), d1
cmpi.b #0xFF, d1
beq.s loc_C146DC
move.w 2(a0), d0
cmp.b 0xACE(a5), d0
bne.s loc_C146DC
move.w 4(a0), d0
cmp.b 0xACF(a5), d0
bne.s loc_C146DC
cmp.b 0xAD0(a5), d1
beq.s locret_C146E4
loc_C146DC:
addq.l #8, a0
dbf d7, loc_C146B4
move.w d7, d3
locret_C146E4:
rts
loc_C146E6:
movea.l 0xA04(a5), a0
move.w 0xA08(a5), d7
loc_C146EE:
move.w (a0), d1
lsr.w #8, d1
cmpi.b #0xFF, d1
beq.s loc_C14712
move.w (a0), d0
cmp.b 0xACE(a5), d0
bne.s loc_C14712
move.w 2(a0), d0
lsr.w #8, d0
cmp.b 0xACF(a5), d0
bne.s loc_C14712
cmp.b 0xAD0(a5), d1
beq.s locret_C1471A
loc_C14712:
addq.l #4, a0
dbf d7, loc_C146EE
move.w d7, d3
locret_C1471A:
rts