diff options
Diffstat (limited to 'plugins/ao/eng_qsf/kabuki.c')
-rw-r--r-- | plugins/ao/eng_qsf/kabuki.c | 156 |
1 files changed, 0 insertions, 156 deletions
diff --git a/plugins/ao/eng_qsf/kabuki.c b/plugins/ao/eng_qsf/kabuki.c deleted file mode 100644 index 61100304..00000000 --- a/plugins/ao/eng_qsf/kabuki.c +++ /dev/null @@ -1,156 +0,0 @@ -/*************************************************************************** - -"Kabuki" Z80 encryption - - -The "Kabuki" is a custom Z80 module which runs encrypted code. The encryption -key is stored in some battery-backed RAM, therefore the chip has the annoying -habit of stopping working every few years, when the battery dies. -Check at the bottom of this text to see a list of all the known games which -use this chip. - - -How it works: -The base operation is a bit swap which affects couples of adjacent bits. -Each of the 4 couples may or may not be swapped, depending on the address of -the byte and on whether it is an opcode or data. -The decryption consists of these steps: -- bitswap -- ROL -- bitswap -- XOR with a key -- ROL -- bitswap -- ROL -- bitswap - -To know how to apply the bit swap, take the address of the byte to decode and: -- if the byte is an opcode, add addr_key to the address -- if the byte is data, XOR the address with 1FC0, add 1, and then add addr_key -You'll get a 16-bit word. The first two bitswaps depend on bits 0-7 of that -word, while the second two on bits 8-15. When a bit in the word is 1, swap the -two bits, oherwise don't. The exact couple of bits affected depends on the -game and is identified in this file with two keys: swap_key1 and swap_key2 -(which are just permutations of the numbers 0-7, not full 32-bit integers). - - -Key space size: -- swap_key1 8! = 40320 -- swap_key2 8! = 40320 -- addr_key 2^16 = 65536 -- xor_key 2^8 = 256 -- total 2.7274 * 10^16 - - -Weaknesses: -- 0x00 and 0xff, having all the bits set to the same value, are not affected - by bit permutations after the XOR. Therefore, their encryption is the same - regardless of the high 8 bits of the address, and of the value of - swap_key2. If there is a long stream of 0x00 or 0xff in the original data, - this can be used to find by brute force all the candidates for swap_key1, - xor_key, and for the low 8 bits of addr_key. This is a serious weakness - which dramatically reduces the security of the encryption. -- A 0x00 is always encrypted as a byte with as many 1s as xor_key; a 0xff is - always encrypted as a byte with as many 0s as xor_key has 1s. So you just - need to know one 0x00 or 0xff in the unencrypted data to know how many 1s - there are in xor_key. -- Once you have restricted the range for swap_key1 and you know the number of - 1s in the xor_key, you can easily use known plaintext attacks and brute - force to find the remaining keys. Long strings like THIS GAME IS FOR USE IN - and ABCDEFGHIJKLMNOPQRSTUVWXYZ can be found by comparing the number of 1s - in the clear and encrypted data, taking xor_key into account. When you have - found where the string is, use brute force to reduce the key space. - - -Known games: - swap_key1 swap_key2 addr_key xor_key -Mahjong Gakuen 2 Gakuen-chou no Fukushuu 76543210 01234567 aa55 a5 -Poker Ladies " " " " "" "" -Dokaben " " " " "" "" -Dokaben 2 unknown -Pang / Buster Bros / Pomping World 01234567 76543210 6548 24 -Capcom Baseball " " " " "" "" -Capcom World 04152637 40516273 5751 43 -Adventure Quiz 2 Hatena ? no Dai-Bouken 45670123 45670123 5751 43 -Super Pang 45670123 45670123 5852 43 -Super Buster Bros 45670123 45670123 2130 12 -Super Marukin-Ban 54321076 54321076 4854 4f -Quiz Tonosama no Yabou 12345670 12345670 1111 11 -Ashita Tenki ni Naare unknown -Quiz Sangokushi 23456701 23456701 1828 18 -Block Block 02461357 64207531 0002 01 - -Warriors of Fate 01234567 54163072 5151 51 -Cadillacs and Dinosaurs 76543210 24601357 4343 43 -Punisher 67452103 75316024 2222 22 -Slam Masters 54321076 65432107 3131 19 - -***************************************************************************/ - -#include "cpuintrf.h" - -static int bitswap1(int src,int key,int sel) -{ - if (sel & (1 << ((key >> 0) & 7))) - src = (src & 0xfc) | ((src & 0x01) << 1) | ((src & 0x02) >> 1); - if (sel & (1 << ((key >> 4) & 7))) - src = (src & 0xf3) | ((src & 0x04) << 1) | ((src & 0x08) >> 1); - if (sel & (1 << ((key >> 8) & 7))) - src = (src & 0xcf) | ((src & 0x10) << 1) | ((src & 0x20) >> 1); - if (sel & (1 << ((key >>12) & 7))) - src = (src & 0x3f) | ((src & 0x40) << 1) | ((src & 0x80) >> 1); - - return src; -} - -static int bitswap2(int src,int key,int sel) -{ - if (sel & (1 << ((key >>12) & 7))) - src = (src & 0xfc) | ((src & 0x01) << 1) | ((src & 0x02) >> 1); - if (sel & (1 << ((key >> 8) & 7))) - src = (src & 0xf3) | ((src & 0x04) << 1) | ((src & 0x08) >> 1); - if (sel & (1 << ((key >> 4) & 7))) - src = (src & 0xcf) | ((src & 0x10) << 1) | ((src & 0x20) >> 1); - if (sel & (1 << ((key >> 0) & 7))) - src = (src & 0x3f) | ((src & 0x40) << 1) | ((src & 0x80) >> 1); - - return src; -} - -static int bytedecode(int src,int swap_key1,int swap_key2,int xor_key,int sel) -{ - src = bitswap1(src,swap_key1 & 0xffff,sel & 0xff); - src = ((src & 0x7f) << 1) | ((src & 0x80) >> 7); - src = bitswap2(src,swap_key1 >> 16,sel & 0xff); - src ^= xor_key; - src = ((src & 0x7f) << 1) | ((src & 0x80) >> 7); - src = bitswap2(src,swap_key2 & 0xffff,sel >> 8); - src = ((src & 0x7f) << 1) | ((src & 0x80) >> 7); - src = bitswap1(src,swap_key2 >> 16,sel >> 8); - return src; -} - -static void kabuki_decode(unsigned char *src,unsigned char *dest_op,unsigned char *dest_data, - int base_addr,int length,int swap_key1,int swap_key2,int addr_key,int xor_key) -{ - int A; - int sel; - - for (A = 0; A < length; A++) - { - /* decode opcodes */ - sel = (A + base_addr) + addr_key; - dest_op[A] = bytedecode(src[A],swap_key1,swap_key2,xor_key,sel); - - /* decode data */ - sel = ((A + base_addr) ^ 0x1fc0) + addr_key + 1; - dest_data[A] = bytedecode(src[A],swap_key1,swap_key2,xor_key,sel); - } -} - -void cps1_decode(unsigned char *rom, int swap_key1,int swap_key2,int addr_key,int xor_key) -{ - int diff = (512*1024)/2; - - kabuki_decode(rom, rom+diff, rom, 0x0000, 0x8000, swap_key1, swap_key2, addr_key, xor_key); -} |