Author: Lord Crass
Date: Tue, Jun 14th, 2011 @ 10:55

I took a wild guess and just tried the simple, tried-and-true decrypt loop you see used everywhere (the standard LDA #$key, EOR/STA loop), and the decrypted code was 50% correct. EOR every odd byte with #$31 after that, and you have completely decrypted code. This makes it simple to re-encrypt too, although I haven't looked for checksums on the encrypted block yet.

The decrypt routine does wind up setting some values in the I/O and zero-page areas. Not sure if these values are used as part of the routine, or if they're breadcrumbs for later.

When you see that "Still loading, please wait..." screen and wonder what's taking so long, it's this decrypt loop, the uploading of drive code through a VM (x2), decrypting of drive code in the drive itself, and then the execution of the protection checks themselves (x2).

I'm surprised this protection wasn't used on more than 2 games considering the effort that must have gone into designing it. The VM has 20 instructions, but SRB only uses 8 of them.
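The two-pass scheme described in the post, written out as an added Python example rather than the poster's own 6502 routine: pass 1 is the constant-key EOR loop, pass 2 EORs every odd-offset byte with $31. The key value (0xA5) and the 16-byte "code" buffer are constructed for this example; the post does not give the key. The `recover_key` function goes beyond the post: it shows how a known-plaintext prefix pins the key down instead of guessing it.

```python
"""Two-pass XOR descrambler of the kind described in the post (added example).

Pass 1 mirrors the classic 6502 idiom
    LDA #$key / EOR buf,X / STA buf,X / DEX / BNE loop
i.e. every byte XORed with one constant.
Pass 2 XORs every odd-offset byte with $31.

Because XOR is its own inverse, running the same two passes over plaintext
re-encrypts it, which is why the post calls re-encryption simple.
"""

ODD_TWEAK = 0x31  # the second-pass constant named in the post

# Constructed sample: LDA #$00 / STA $D020 / LDA #$01 / STA $D021 / JMP $C000 / NOP / NOP / RTS
SAMPLE_PLAIN = bytes.fromhex("a9008d20d0a9018d21d04c00c0eaea60")
SAMPLE_KEY = 0xA5  # assumed for the example; not stated in the post


def pass1_xor(data: bytes, key: int) -> bytes:
    """Pass 1: XOR every byte with the same 8-bit key."""
    return bytes(b ^ (key & 0xFF) for b in data)


def pass2_odd(data: bytes, tweak: int = ODD_TWEAK) -> bytes:
    """Pass 2: XOR only the odd-offset bytes with the tweak; even offsets untouched."""
    return bytes(b ^ tweak if i & 1 else b for i, b in enumerate(data))


def decrypt(data: bytes, key: int) -> bytes:
    """Full decryption: constant-key pass, then the odd-byte pass."""
    return pass2_odd(pass1_xor(data, key))


# XOR is an involution, so the same operation re-encrypts.
encrypt = decrypt


def combined_keys(key: int) -> tuple:
    """Effective per-parity keys: even bytes see `key`, odd bytes see `key ^ $31`."""
    return key & 0xFF, (key & 0xFF) ^ ODD_TWEAK


def fraction_correct(candidate: bytes, expected: bytes) -> float:
    """Share of positions where a decryption attempt matches the real plaintext."""
    if len(candidate) != len(expected) or not expected:
        raise ValueError("buffers must be the same non-zero length")
    return sum(a == b for a, b in zip(candidate, expected)) / len(expected)


def recover_key(cipher: bytes, known_plain: bytes) -> int:
    """Derive the pass-1 key from a known-plaintext prefix (beyond the post's guess).

    Even offsets give key directly; odd offsets give key ^ $31, so undo the tweak.
    All positions must agree, otherwise the scheme is not the one modelled here.
    """
    if not known_plain:
        raise ValueError("need at least one known byte")
    candidates = set()
    for i, (c, p) in enumerate(zip(cipher, known_plain)):
        k = c ^ p
        if i & 1:
            k ^= ODD_TWEAK
        candidates.add(k)
    if len(candidates) != 1:
        raise ValueError("inconsistent key candidates: %s" % sorted(hex(k) for k in candidates))
    return candidates.pop()


def demo(plain: bytes = SAMPLE_PLAIN, key: int = SAMPLE_KEY) -> dict:
    """Round trip the sample and measure how far a single pass gets."""
    cipher = encrypt(plain, key)
    one_pass = pass1_xor(cipher, key)          # what the poster's first guess produced
    return {
        "cipher": cipher,
        "one_pass_fraction": fraction_correct(one_pass, plain),
        "two_pass_ok": decrypt(cipher, key) == plain,
        "recovered_key": recover_key(cipher, plain[:4]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

With an even-length buffer the single pass comes out exactly half right, since every odd byte is still off by $31, which is the 50% the post reports. `recover_key` needs only a couple of bytes of known plaintext (for example the first opcode of a loader) and will refuse a prefix that does not fit the even/odd structure.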

