Sonic Blast Man.

Few words about an arcade bootleg game called 'Sonic Blast Man 2 Special Turbo'. The game is a slighty modified copy of Taito's 'Sonic Blast Man 2'. It runs on hardware ( custom chinese, not the NSS ) "borrowed" from Super Nintendo home console. Just few eproms, rams, three custom QFP chips (there's also another, odler version of the hw, with 6 of them) and Lattice PLD - to handle the most annoying part, protection. So... What's the point to encrypt/protect pirate game? To hide the 'real' (in fact - stolen ) game code and data? Or maybe to annoy other bootlegers? No idea. Kold666 already dumped the ROMs while ago. Unfortunately the pcb is no longer available for additional testing or analysis. The data encryption is not as simple as in other arcade SNES hacks (Killer Instinct, Final Fight 2). But with great help from Andreas Naive it's finally broken. Also the in-game protection checks are now gone (took me a couple of hours to find what's going on and crack them). Ok. So... how the protection works ? 1. Encryption. Four hardcoded lookup tables (16,16,64 and 48 bytes) are used to get the real data. Plus some extra bitswaps and bit negations at the end - or more fun. 2.Boot code relocation. Original boot code (at $8000) is erased. There's also *special* message ;) New boot code (and the custom coinage / game control stuff) is placed around $7xxx and MUST be visible there in memory map. In genuine snes console this area is marked as 'reserved', and afaik - not accessible. Also - like in the other arcade SNES bootlegs - ROM header contains fake boot vector. 3.Read-and-compare checks. Few ( seven iirc ) data test in $6xxxxxx area (red mark = jmp executed when protection check fails). 4. Read-read-compare ;) check. Just opposite to the above - two consecutive reads (almost , with 3 nop-s between) from the same address (in $7xxxxx range) must give different results. Otherwise - boom! 5. Few more mods - special data (including JAMMA coin inputs and DSW) reads in $7xxxxx area and usual game modifications (removed copyrights, etc). Here are few screens from the MAME. Glitchy gfx ( mostly sprites ) is caused by bad emulation of the SNES hardware in MAME - the original SNES version of Sonic Blast Man 2 looks almost identical in MESS (has the same gfx problems).