Give me all your demons / They don’t scare me now

The IGS027A chips are meant to be scary boxes of hell, and in most cases they are.

**If used correctly**

I was looking at Demon Front and noticed something odd. Unlike ‘The Gladiator’ and most of the other later-type games, the code in the external ARM ROM makes no reference to the internal ROM space. There are no obvious jumps back to the internal code area anywhere.

So I did a quick mod, wrote some fake ARM code to set up the stack pointer and then jump straight to the external area, and this happened.



Now, while I can’t guarantee this is perfectly emulated, because it’s possible the internal ARM code should be setting up some more things before jumping to the external code, it’s still a huge surprise and looks like a massive oversight when the game was developed. I guess the biggest surprise is that it’s taken until now to notice; it’s literally an 8-word patch.

My only theory is that maybe, if this is the first game with an ‘Execute Only’ area, IGS wanted to contain all the internal code in that area to make it more secure, but it has the opposite effect. I guess I should probe it a bit to see if there is anything interesting there at all.
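The observation behind all of this (the external ROM never references the internal one) is a check that can be automated, and it is the test any split-ROM protection scheme has to pass: if the unprotected code never transfers control into the protected region, that region is not load-bearing and an execute-only attribute on it buys nothing. The scanner below is an added example written for this page, not code from the post or from MAME. The memory map it assumes (internal ROM at 0x00000000 with a 16 KiB window, external ARM ROM at 0x08000000) and the two ROM images it scans are constructed for illustration. One detail worth knowing: from 0x08000000 a direct ARM B/BL cannot reach address 0 at all (its reach is ±32 MiB), so any call-back into the internal area has to go through a literal loaded into pc, which is why the scanner resolves LDR pc,[pc,#imm] rather than only decoding branches.

```python
import struct

# Constructed example for this page, not code from the post or from MAME.
# The address map is an assumption for illustration only.
INTERNAL_BASE = 0x00000000   # IGS027A internal ROM (assumed)
INTERNAL_SIZE = 0x4000       # size of the internal window (assumed)
EXTERNAL_BASE = 0x08000000   # external ARM ROM (assumed)


def in_internal(addr):
    """True if `addr` falls inside the (assumed) internal ROM window."""
    return INTERNAL_BASE <= addr < INTERNAL_BASE + INTERNAL_SIZE


def branch_target(word, pc):
    """Target of an ARM B/BL (bits 27-25 = 101, cond != 1111) at `pc`, else None.
    imm24 is sign-extended and shifted left by 2, so the reach is +/-32 MiB."""
    if (word >> 28) == 0xF or ((word >> 25) & 0x7) != 0b101:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:
        imm24 -= 1 << 24
    return (pc + 8 + (imm24 << 2)) & 0xFFFFFFFF


def ldr_pc_literal(word, pc):
    """For LDR Rd,[pc,#+/-imm12] return (Rd, address_of_literal), else None.
    Mask 0x0F7F0000 checks the load/store-immediate pattern with Rn = pc and
    leaves bit 23 (U, add/subtract offset) free."""
    if (word >> 28) == 0xF or (word & 0x0F7F0000) != 0x051F0000:
        return None
    rd = (word >> 12) & 0xF
    imm12 = word & 0xFFF
    lit = pc + 8 + imm12 if word & 0x00800000 else pc + 8 - imm12
    return rd, lit


def find_internal_refs(rom, base=EXTERNAL_BASE, min_literal=0x100):
    """Scan a little-endian external ARM ROM image for anything pointing into the
    internal window. Returns (pc, kind, target) tuples, where kind is:
      'branch'   direct B/BL into the internal range
      'ldr-pc'   LDR pc,[pc,#imm] whose literal is an internal address (strong)
      'literal'  any other aligned word that looks like an internal address (weak)
    Small constants are indistinguishable from low addresses, so words below
    `min_literal` are ignored; tune it to the real internal ROM layout."""
    refs = []
    n = len(rom) & ~3
    for off in range(0, n, 4):
        word = struct.unpack_from("<I", rom, off)[0]
        pc = base + off
        target = branch_target(word, pc)
        if target is not None:
            if in_internal(target):
                refs.append((pc, "branch", target))
            continue
        lit = ldr_pc_literal(word, pc)
        if lit is not None:
            rd, lit_addr = lit
            lit_off = lit_addr - base
            if rd == 15 and 0 <= lit_off <= n - 4:
                dest = struct.unpack_from("<I", rom, lit_off)[0]
                if in_internal(dest):
                    refs.append((pc, "ldr-pc", dest))
            continue
        if in_internal(word) and word >= min_literal:
            refs.append((pc, "literal", word))
    return refs


def depends_on_internal_rom(rom, base=EXTERNAL_BASE):
    """True if the external image provably transfers control into the internal ROM."""
    return any(kind != "literal" for _, kind, _ in find_internal_refs(rom, base))


def words(*ws):
    """Pack 32-bit words little-endian, as the external ROM image would be stored."""
    return b"".join(struct.pack("<I", w) for w in ws)


# Constructed image A: sets up sp, then jumps into the internal ROM via a literal.
DEPENDENT = words(
    0xE59FD008,  # ldr sp, [pc, #8]   literal at +0x10
    0xE59FF008,  # ldr pc, [pc, #8]   literal at +0x14 -> internal entry point
    0xE1A00000,  # nop (mov r0, r0)
    0xE1A00000,  # nop
    0x10001000,  # initial sp (assumed RAM address)
    0x00000200,  # internal ROM entry point (assumed)
)

# Constructed image B: sets up sp and runs entirely from external ROM.
INDEPENDENT = words(
    0xE59FD008,  # ldr sp, [pc, #8]   literal at +0x10
    0xE3A00000,  # mov r0, #0
    0xEAFFFFFE,  # b .                 spins forever, never leaves external ROM
    0xE1A00000,  # nop
    0x10001000,  # initial sp (assumed RAM address)
    0x00000001,  # small constant: below min_literal, so not taken for an address
)

if __name__ == "__main__":
    for name, img in (("dependent", DEPENDENT), ("independent", INDEPENDENT)):
        print(name, "depends on internal ROM:", depends_on_internal_rom(img))
        for pc, kind, target in find_internal_refs(img):
            print(f"  {pc:08x}  {kind:8s} -> {target:08x}")
```

Run against image A the scanner reports the LDR pc at 0x08000004 resolving to 0x00000200 (and the raw literal itself as a weak hit); image B produces nothing, which is the Demon Front situation: the internal code is never needed once execution is in external ROM. Bare MOV pc,#imm jumps and computed addresses are out of scope for this heuristic, so an empty result is evidence, not proof.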

[Screenshots: Demon Front]

42 Responses


  1. Ramirez says:

    Wow!
    Totally unexpected (at least by me).
    You outdid yourself (again).
    Congratulations.

    Thanks for this great accomplishment.

  2. Hammad says:

    Great work Haze!!!!
    This is just awesome

  3. JamesW says:

    Ye gods, sounds like someone implementing protection hardware without fully understanding how it’s supposed to work to me rather than a strict security thing.

  4. Bluelimbo says:

    Great Haze! Only a question my friend.
    You wrote: Don’t ask about them:
    Demon Front (now seems to work), The Gladiator – Road of the Sword / Shen Jian, Oriental Legend Special/Super Plus, The Killing Blade Plus/EX, Happy 6-in-1, S.V.G. – Spectral vs Generation – but Puzzle Star destiny?
    Thanks again.

  5. gamez fan says:

    More great news, thx a lot Haze.

  6. ben401 says:

    Very nice again! Looks like a nice Metal Slug rip-off :) 2 great updates in 2 days, you’re in top form, congrats!

  7. AnimalBear says:

    Anyway it’s playable.
    Whether protected or not.

    Sorry for my bad English :'(

  8. Haze says:

    Dragon World 2001 is the next likely target, the same procedure as DDP2 should work for it.

    Photo Y2k2, Puzzli 2 and Puzzle Star should be possible if they have some unchecked buffers on commands, but require a different procedure.

    The later games are still going to be a problem if they contain anything significant in the first part of the ARM internal ROM. We got lucky with Demon Front, nothing more.

    Dragon World 3 isn’t ARM based so is a different problem completely.

  9. Hammad says:

    Haze, there is one more PGM game, Dragon World Pretty Chance. Any idea when it will be added to the driver?

  10. xCTx says:

    Best news since CPS3 got emulated.
    When can we expect this? I cannot wait to play it.

  11. Jonathan Wilson says:

    Is there a reason the external ROM can’t be hacked so that it can somehow access the internal ROM of the ARM chip?
    Or is it not that simple?

  12. Haze says:

    That’s how DDP2 was dumped (and martmast, kov2..)

    For the later ones it’s not quite as simple, they’re protected against reading, attempting to read the start of the internal area just gives you whatever is on the bus instead. Either that area gets locked out very shortly after startup, or it’s set so that either a) only code can be executed from it, or b) only a certain range of PC accesses can read it.

    For the ones without external ARM rom obviously you can’t do that either ;-)

  13. AnimalBear says:

    Haze, try a quick mod and write some fake ARM code in the other games too, to see what will happen.

  14. Haze says:

    AnimalBear > go away.

  15. Ramirez says:

    LOL

  16. AnimalBear says:

    Haze, I’m trying to help. Damn you!

  17. hifhy says:

    Why not get yourself way of being fired?
    Nobody likes your work.
    Even the Brazilian dumpers know better than you.
    Just lose time with other things in the MAME stands still.

  18. Haze says:

    No, AnimalBear, you are not helping. Like Hammad you’re just giving orders, even after I’ve asked people not to make requests.

    You seem incapable of understanding even the most basic things written here. The 3rd line of my post makes it very obvious I’ve already looked at other games and found Demon Front to be an exception.

  19. Ryukoken says:

    Nice job one more time Haze thank you for your work ;)

  20. AnimalBear says:

    Haze, and I’m asking you for a request? No!

  21. alcoatjez says:

    Thank you for your great work :)

  22. Hammad says:

    “No, AnimalBear, you are not helping. Like Hammad you’re just giving orders, even after I’ve asked people not to make requests.”

    Didn’t you look at B.Rap Boys because a friend of yours requested you to give it a shot……..
    Secondly, you said that Dragon World 2001 is the next likely target; that’s why I asked you about Dragon World Pretty Chance. This game is not dumped yet but is available at sophia-corp’s site, so I just asked if it will be purchased and dumped, because it is similar to Dragon World 2001 from what I have heard…… I am extremely sorry Haze if I have said anything to offend you……

  23. Hammad says:

    I forgot to add in my last comment that I remember requesting you to look at Legionnaire and Zero Team on mameitalia….. If that has made you upset then I apologise for that too; the reason for requesting was that there was good progress made on those games at the beginning of 2011…..

  24. xCTx says:

    “Hammad
    March 24, 2012 at 08:24”
    “Hammad
    March 24, 2012 at 08:27”

    Looks like kiddo wakes up with more “requests”

  25. Haze says:

    Well I can’t tell you what the protection is on an undumped game, nor can I look at a game which isn’t even dumped. This is actually the first time I’ve even heard of the title. It still reads like a request tho, the PGM games will happen when they happen. I’ve asked if anybody knows anything else about this game, it might just be another name for DW2001 or something (alt region?)

    It MIGHT just be the Subtitle on the Japanese Dragon World 3, even if their year is off for that.

  26. Haze says:

    Ok, looks like a unique game then

  27. Hammad says:

    xCTx, it would be better if you minded your own business.

  28. Hammad says:

    Haze you can check out here that the game was released in 2001
    http://www.sophia-corp.jp/list/igs.htm

  29. Jameson says:

    Just a question – how come (since a few years ago now) there is a version of Oriental Legend Super working in Final Burn Alpha but not mame?

    Some kind of quick and dirty emulation hack to make it work?

  30. Haze says:

    There are protection sims for both Oriental Legend Super and Super Plus in MAME, you can coin up and start both games, although I don’t know how well either functions (last time I tried them there were random crashes in both MAME and FBA)

  31. Haze says:

    (next release is likely to be tomorrow, and there are still some pending changes to go in for that, so you’re best waiting)

  32. AnimalBear says:

    Hammad, by chance am I giving orders to someone? I honestly am not.
    I just wanted to ask Haze if this game was a clone of the two versions that are within the MAME emulator (ver. 102) and (ver. 105).
    As he made a false ARM code, if he tries to do the same ace 2 other versions of MAME could run properly.
    Please calm down. I did not come to offend anyone or order anyone; it could even be a big step for the other versions to work.
    If this is a new version of a PCB, it is clear that the problem is not the same, and that other versions have other protection.
    That is all I wanted to clarify. I’m not going to force anything.
    And suddenly the game is emulated without the protection of the ARM?
    : |

  33. CGR says:

    Which Metal Slug version is that?

  34. AnimalBear says:

    The question I asked Haze is already answered in the new version of MAME.
    Thank you for your work :)

  35. nxst says:

    Haze, thank you for your work!

  36. Merlin says:

    Great to see this game finally being emulated so a lot more people can enjoy it. Many thanks Haze for this and your previous work with PGM games.

    I noticed a few of you talking about Dragon World Pretty Chance. It’s basically an adult version of Dragon World and features topless women. Each time you clear a set of tiles you get to see some digitized breasts! After a few stages you get to choose between a few different women. There are moaning/sighing type sound effects too!

    Has Pretty Chance been dumped yet? If it hasn’t and no-one else has sent in their cart to be dumped I’d be willing to send my one in. Who do I send it to? Should I contact ‘Guru’ about that?

  37. Haze says:

    Pretty Chance hasn’t been dumped, although we were thinking of buying one.

    Smitdogg of the dumping union is who you should contact about it. You can contact him at Mameworld.

    Can you tell me what protection device is inside the cartridge? There should be a chip (possibly with a holographic sticker on), IGS027A? I’m hoping it’s a 55857F type; if so, we should be able to read out the data the same way as DDP2. If you don’t want to open it up, don’t worry, just curious as to what we’ll be dealing with. If it’s a ‘55857G’ type we probably can’t dump it.

  38. Merlin says:

    I opened the cart and took a couple of photos. I couldn’t see IGS027A, 55857F or 55857G written anywhere. There’s a chip with a holographic label but it just has ‘E6’ written on it. The game is from 2001. Perhaps the protection will be similar to that used in Dragon World 2001.

    Ok I’ll get in touch with Smitdogg and make arrangements to send my cart.

    http://imageshack.us/f/716/p1010122e.jpg/

    http://imageshack.us/f/191/p1010123xe.jpg/

  39. Haze says:

    The actual label is under the holographic sticker.

    It’s the same cart DW2001 uses, just with the roms (and maybe the protection chip) replaced, so it’s definitely an IGS027A, and most likely the type we can read out.

  40. Smitdogg says:

    Hi, be careful removing the sticker if you choose to do it. You’ll want to lift up a corner and peel it off, not scrape through it all or else you might scratch out some of the printing on the actual chip we need and then Haze will never know the type if you scratch the letter. The way to remove it is lift a corner with a razor blade and then peel it off carefully by hand and then use 99% alcohol on qtips scrubbing off the gooey crap it leaves behind. That way leaves the chip printing mint. Or just don’t mess with it and I can do it when it gets here.

  41. Merlin says:

    Hi Smitdogg and thanks for the advice. I’d prefer not to attempt it myself.