SF30th Hacking Edition : A journey into Moo

Similar documents
12 Things You Didn t Know You Could Do With MAME. Aaron Giles

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

ontroller LSI with Built-in High- Performance Graphic Functions for Automotive Applications

Preserving arcade games Ange Albertini - 31c3

Using the Game Boy Advance to Teach Computer Systems and Architecture

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Central Processing Unit (CPU)

Q: Why do I get an Error Downloading Firmware message in ArcadeSD.exe

1/5/2013. Technology in Action

Solomon Systech Image Processor for Car Entertainment Application

Hellaphone: Replacing the Java in Android

User Guide 980 HDMI Protocol Analyzer

Mobile Operating Systems Lesson 05 Windows CE Part 1

Car Racing Game. Figure 1 The Car Racing Game

Introduction Computer stuff Pixels Line Drawing. Video Game World 2D 3D Puzzle Characters Camera Time steps

Why You Need the EVGA e-geforce 6800 GS

Low power GPUs a view from the industry. Edvard Sørgård

Java 7 Recipes. Freddy Guime. vk» (,\['«** g!p#« Carl Dea. Josh Juneau. John O'Conner

Freescale Semiconductor, I

Hacking Linux-Powered Devices. Stefan Arentz

Performance Optimization and Debug Tools for mobile games with PlayCanvas

Parts of a Computer. Preparation. Objectives. Standards. Materials Micron Technology Foundation, Inc. All Rights Reserved

Sample Project List. Software Reverse Engineering

FPGA Design From Scratch It all started more than 40 years ago

Optimizing AAA Games for Mobile Platforms

Lesson 10:DESIGN PROCESS EXAMPLES Automatic Chocolate vending machine, smart card and digital camera

Use of Simulator in Teaching Introductory Computer Engineering*

The Value of Physical Memory for Incident Response

Hardware Limited Artificial Intelligence: Desirability Assessment for Board Games. By Andy Matange & Michael Daly

Introduction to Reverse Engineering

ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-17: Memory organisation, and types of memory

Preliminary Draft May 19th Video Subsystem

Management Challenge. Managing Hardware Assets. Central Processing Unit. What is a Computer System?

Semester Thesis Traffic Monitoring in Sensor Networks

PDF Primer PDF. White Paper

Application Notes "EPCF 1%' 1SJOU &OHJOF "11&

İSTANBUL AYDIN UNIVERSITY

Adobe Certified Expert Program

Lesson 10: Video-Out Interface

GETTING STARTED WITH ANDROID DEVELOPMENT FOR EMBEDDED SYSTEMS

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

Game Design From Concepts To Implementation

Design and Development of Embedded Multimedia Terminal

Motorola 8- and 16-bit Embedded Application Binary Interface (M8/16EABI)

Extending the swsusp Hibernation Framework to ARM. Russell Dill

BIOS Update Release Notes

Reduce File Size. Compatibility. Contents

L11 - New Techniques to Increase Efficiency with PanelView Plus 6 Applications Wil Mattheis Commercial Engineer

Game Center Programming Guide

Q. Can an Exceptional3D monitor play back 2D content? A. Yes, Exceptional3D monitors can play back both 2D and specially formatted 3D content.

Computer Performance. Topic 3. Contents. Prerequisite knowledge Before studying this topic you should be able to:

Embedded devices as an attack vector

BIOS Update Release Notes

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

CSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global

Rich Internet Applications

Hypercosm. Studio.

Android Security Evaluation Framework

Compilers and Tools for Software Stack Optimisation

Welcome to Corel VideoStudio Pro X5

A Light-Weight Text-Based User Interface Module for Small Embedded Systems

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Easy H.264 video streaming with Freescale's i.mx27 and Linux

From Firebird 1.5 to 2.5

Catalyst Software Suite Version 9.2 Release Notes

Data Transfer between Two USB Flash SCSI Disks using a Touch Screen

Using the HCS12 Serial Monitor on Wytec Dragon-12 boards. Using Motorola s HCS12 Serial Monitor on Wytec s Dragon-12 boards

Eureka Technology. Understanding SD, SDIO and MMC Interface. by Eureka Technology Inc. May 26th, Copyright (C) All Rights Reserved

Dazzle. Digital Video Creator 100 User s Guide

Optimized Mal-Ops Hack ad networks like a boss

USER S MANUAL. AXIS Media Control

CISC, RISC, and DSP Microprocessors

Safer data transmission using Steganography

Reminders. Lab opens from today. Many students want to use the extra I/O pins on

Printing Guide. MapInfo Pro Version Contents:

Chapter 8 Types of Utility Programs and Operating Systems. Discovering Computers Your Interactive Guide to the Digital World

Product Internationalization of a Document Management System

Getting Started with RemoteFX in Windows Embedded Compact 7

A Survey on ARM Cortex A Processors. Wei Wang Tanima Dey

MP3 Player CSEE 4840 SPRING 2010 PROJECT DESIGN.

XI'AN NOVASTAR TECH CO., LTD

Lab 1 Course Guideline and Review

MapInfo Professional Version Printing Guide

MICROPROCESSOR AND MICROCOMPUTER BASICS

Experiences with 2-D and 3-D Mathematical Plots on the Java Platform

Firefox, Opera, Safari for Windows BMP file handling information leak. September Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs

RTOS Debugger for ecos

Chapter 3: Computer Hardware Components: CPU, Memory, and I/O

Technology in Action. Alan Evans Kendall Martin Mary Anne Poatsy. Eleventh Edition. Copyright 2015 Pearson Education, Inc.

IP Video Rendering Basics

Use Cases for Target Management Eclipse DSDP-Target Management Project

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

Recording Supervisor Manual Presence Software

C# and Other Languages

Reverse engineering hardware for software reversers: studying an encrypted external HDD

Chapter 12: Windows XP, Vista, and 7

Transcription:

SF30th Hacking Edition : A journey into Moo

Table of Contents 1 Introduction 2 From Moo to Arcade 3 Play additional games 4 Netcode

4

SF30th Anniversary Collection released in may 2018 on every modern platforms developed by Digital Eclipse and edited by Capcom 5

12 Street Fighter games playable offline 6

4 Street Fighter games playable online 7

Content Training mode Museum everything great but... only 12 games to play offline and fewer games with online mode : ( 8

Moo Emulator Digital Eclipse uses a custom emulator called Moo in some of their games : SF30th Anniversary Collection SNK 40th Anniversary Collection Samurai Shodown Collection (not released yet) Arcade emulator written from scratch, proprietary 9

Goal MOAR Games Instrumentalize the emulator in order to load additional games Netcode Fix SSF2X turbo speed Play different games and enjoy Capcom netcode (: 10

Why? Because Moo is really a great emulator and some games run better than in any other emulators (2x, 3.3, etc.) An online mode is provided natively and works smoothly. 11

Moo?? By looking at the classes names extracted from the RTTI information, the symbol Moo appears. 12

Let s google it If we google it, there is only one accurate occurence, a guy that talk about Moo in Arcade1up reddit 13

Arcade1Up : Cheap Arcade Cabinet ($250) 14

Arcade1up PCB 15

SF PCB nico@debian ~/WIP/r2con % file MOO-Capcom-ShipMusl-SF MOO-Capcom-ShipMusl-SF: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-armhf.so.1, stripped ROM strings The Arcade1up cabinets use the Moo emulator 16

Moo author Experimented developper (+30 years of experience) 17

Table of Contents 1 Introduction 2 From Moo to Arcade 3 Play additional games 4 Netcode

19

20

21

https://www.youtube.com/watch?v=06xujsvjxee 22

https://www.youtube.com/watch?v=_vpj8fwclb4 23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

Table of Contents 1 Introduction 2 From Moo to Arcade 3 Play additional games 4 Netcode

Workflow Workflow when loading a game Init the Game object according to the chosen game. For S2HF, the following object is initialized : Game_StreetFighterII_HF : Moo_Sys_CPS1 : MooBase Parse and retrieve game assets from the filesystem Map the GFXs using bank mappers Render graphics, run the 68k emulator with the maincpu rom 43

Game assets Mbundle The game assets are located into a kind of ordered dictionnary files These ressources are neither compressed nor encrypted Loïc WydD Petit wrote a script to extract these assets a a. https://github.com/wydd/sf30ac-extractor 44

Game assets Roms By extracting the game assets, we can get the roms data. SF30th emulator do not support Mame roms, it works only with plain rom. 45

Street Fighter II Hyper Fighting roms 46

Main CPU 47

Main CPU the differences are easily visible : swap each word (2 bytes) 47

Mame CPS1 driver source code Figure 1 https://github.com/fesh0r/oldmame/blob/master/src/mame/drivers/cps1.c#l9618 48

Audio samples (oki files) Just a concatenation of the oki files (for the order : check mame CPS1 driver source code) 49

Audio CPU (z80 file) Identical 50

GFX files VROM? The VROM is a ROM chip inside the game board, it contains : pixel patterns, the colors and the metadata for assembling the tiles into the background and sprites Conversion Convert gfx from Mame to Moo : merge each files into one and reorder bytes decode gfx data 51

GFX files [1/2] 52

GFX files [2/2] Figure 2 https://github.com/fesh0r/oldmame/blob/master/src/mame/video/cps1.c#l1720 53

Mame to Moo conversion The Mame driver source code must be parsed to know what are the audio / gfx / 68k files to get the correct order when concatenating the oki files to know how to reorder the 68k files 54

Mame to Moo conversion Figure 3 https://github.com/angelkillah/moohijack/blob/master/script/mame2moo.py 55

original GFX patched in sf30th 56

Hijack Moo roms loading Now that we can convert any CPS1 roms from Mame to Moo, we need to force the game to load our freshly converted roms. Steps Locate the assets loading function Hijack the execution flow 57

Moo assets loading 58

Moo assets loading 59

Hooking To replace the loading of whatever resource, we hijack the execution flow at two different locations : the result of the first call to GetField() : to replace the original resource size the buffer filled by GetData() : to replace the resource data 60

Hooking VEH Hooking We modify the first byte of the instruction to hijack by an opcode that will cause an exception We install a vectored exception handler to catch it cons : no need to calculate the instructions size 61

Hijack assets loading 62

Results... 63

Results... 63

Game over? 64

Load Rom function Almost no differences between both functions Setup_CPS1_With_ROM_info() takes two arguments : the object of the chosen game (this) an address to a structure... 65

SF2CE_Config 66

1402bc3e8 => Dipswitches 67

Test Mode 68

1402bd090 =>?? 69

CPS Board A set of these data are copied to the StreetFighterII_CE object attributes The first 4-bytes data value (0xb71b00) is used in a method of the class Moo_Sys_CPS1. This method is used to execute the 68000 code ROM through an emulator. 70

CPS Board A set of these data are copied to the StreetFighterII_CE object attributes The first 4-bytes data value (0xb71b00) is used in a method of the class Moo_Sys_CPS1. This method is used to execute the 68000 code ROM through an emulator. Clock frequency 0xb71b00 == 12000000 = 12Mhz The processor Motorola 68000 used for SF2CE runs at 12Mhz 70

CPS-B Registers The original arcade board of CPS1 games contains several registers : priority mask : used to set the tiles priority levels palette control register : indicates which palette pages to copy from gfxram to dedicated ram test register : used for self test checks etc. 71

CPS-B Registers Figure 4 https://github.com/mamedev/mame/blob/master/src/mame/video/cps1.cpp Luckily, the values to set in CPS-B registers for each game are listed in mame cps1 video source code 72

CPS-B Registers for SF2CE Figure 5 name, CPSB, gfx mapper, in2 73

CPSB-21-DEF 74

Makes more sense! 75

GFX Mapper 76

GFX Mapper Figure 6 https://github.com/mamedev/mame/blob/master/src/mame/video/cps1.cpp 77

GFX Mapper 78

GFX Mapper 79

Summarize How to load an additional game? Convert the rom to Moo compatible one Hijack the roms loading with the converted ones Patch the CPSB data with the ones from the new game Patch the GFX mapper 80

Demo 81

Specific roms cases I wish I could play Ghouls n Ghost :( Some games can be set to freeplay through their dipswitches (no coins needed) What about the games that do not have freeplay available? 82

How to fix in a generic way Patch emulator game memory Get the address of the coins through the cheat engine included in Mame debugger Hijack the handler of an opcode that is used to read a word value from the game VRAM to set some coins Enjoy moar games (: 83

Enjoy moar games Figure 7 before VRAM patching 84

Enjoy moar games Figure 8 after VRAM patching 85

Summarize [updated] How to load an additional game? Convert the rom to Moo compatible one Hijack the roms loading with the converted ones Patch the CPSB data with the ones from the new game Patch the GFX mapper Either patch dipswitches to set freeplay game mode or patch game VRAM if freeplay not available 86

Table of Contents 1 Introduction 2 From Moo to Arcade 3 Play additional games 4 Netcode 87

SSF2X speed problem What s the problem? The online version of ssf2x is not running at the correct speed The problem exists since launch day and hasn t been fixed until now 88

Workflow when running ssf2x online Init the following object : Game_SuperStreetFighterII_Turbo : Moo_Sys_CPS2 : MooBase Parse and retrieve game assets from the filesystem Load save state from assets to avoid desynch Map the GFXs using bank mappers Render graphics, run the 68k emulator with the maincpu rom 89

Save state Save state? Moo supports memory save state (emulator snapshot memory) When playing offline mode, it is used to save game progress For online mode, it is used for both players to start the game at the same state For the four games available to play online, there are four saved state files embedded in the mbundle files 90

Solution : patch and hijack save state Steps RE the save state format and patch the turbo value with the correct one Hijack the save state loading with the patched one Enjoy 91

SSF2X online speed FIX 92

Play a different game online Netplay When reversing the netplay code to fix the ssf2x speed problem, we noticed something interesting... the roms are loaded LOCALLY for both players!!!! 93

Enable netplay for MOAR games How to play additional games online Convert the rom to Moo compatible one Hijack the roms loading with the converted ones Patch the CPSB data with the ones from the new game Patch the GFX mapper Play the additional game offline, at the menu, select two players and save a memory snapshot Take out the new save state from the memory and write it to a file Hijack the save state loading with the new one Either patch dipswitches to set freeplay game mode or patch game VRAM if freeplay not available 94

Demo 95

Source code https://github.com/angelkillah/moohijack 96

QUESTIONS? Thank you for your attention

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information