CPS-2 Shock

Report Four
I am now going to show you some encrypted data. To do this I will use ROM's from Street Fighter Zero revisions 950627 and 950727 along with Street Fighter Alpha. Only one ROM from each game board contains the encrypted data in question, it sits in socket 3 of the game board. I am also going to use the one equivalent ROM from the CPS Changer version of Street Fighter Zero. This is the same as its CPS-2 counterparts but is non encrypted. If you have the ROM dumps of these games the checksums for these ROM's are;

Street Fighter Zero (rev. 950627) : 844220c2
Street Fighter Zero (rev. 950727) : f5444120
Street Fighter Alpha (rev. 950727) : ebf2054d
Street Fighter Zero (Changer) : 1140743f

Before I looked at any data from these ROM's they had to be byte swapped. If your going to compare data from this page with your ROM's you must byte swap them before the data here will match up. From now on all references to Street Fighter Zero revisions 950627 / 950727 and Street Fighter Alpha will be as SFz1, SFz2 and SFa. References to Street Fighter Zero (CPS Changer) will be as SFzch. With these details out the way lets make a start.

The data in the table below consists of two hexadecimal dumps from a set location in SFz1 and SFz2 only. All data here is encrypted.

         SFz1
         SFz2

$486C2 : $486D2 : C2 2F D6 49 33 34 2C A4 97 29 E2 F1 A8 82 D1 86 53 1F 73 B2 CF B1 8F BB F0 A2 B7 03 16 AB 42 F7 $486C2 : $486D2 : 1B 26 25 0F 51 80 46 62 97 29 E2 F1 A8 82 D1 86 53 1F 36 79 96 9C 8F BB 49 55 B7 03 16 AB 42 F7
As you can see about half the bytes (marked yellow) actually match in both encrypted sets. Lets move this information to it's correct offsets program wise and compare more of it with the non encrypted version. I used the same techniques as my first report here to do this.

        SFzch
         SFz1          SFz2

00 10 D5 6E 00 14 4E 75 00 00 00 00 00 00 00 00 00 00 FF E4 00 10 00 00 00 00 00 00 00 00 00 00 00 00 FF E8 00 00 FF E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $486C2 : $486D2 : $486E2 : $486F2 : $48702 : C2 2F D6 49 33 34 2C A4 97 29 E2 F1 A8 82 D1 86 53 1F 73 B2 CF B1 8F BB F0 A2 B7 03 16 AB 42 F7 95 C4 93 DE 9A 5F 19 90 5B 87 E2 DA 3E 5D DD C5 7A 6A 17 A2 9E FA 6C 29 B6 C1 6B 7D B6 55 DE C4 1E 99 C8 DA 56 FE 61 C7 94 E2 73 9F 0A B3 85 9F $486B4 : $486C4 : $486D4 : $486E4 : $486F4 : 56 A4 B0 64 74 21 14 2A F1 7E 72 E5 33 79 1B 26 25 0F 51 80 46 62 97 29 E2 F1 A8 82 D1 86 53 1F 36 79 96 9C 8F BB 49 55 B7 03 16 AB 42 F7 95 C4 2A C6 9A 5F 6F 0C 5B 87 E2 DA 3E 5D DD C5 7A 6A 17 A2 9E FA 6C 29 B6 C1 6B 7D B6 55 DE C4 1E 99
Although this table looks a little complicated, what you can basically see here is that all the encrypted code that was equal in SFz1 and SFz2 falls on a $00 in the non encrypted SFzch (all marked yellow). The $00's that did not get highlighted I have underlined and can explain why. The address offsets in the table above between SFz1 and SFz2 ($486C2 and $486B4) has a difference of $E, this means there also needs to be a $00 at a $E offset in the correct direction against all $00's in SFzch. In all cases this is true apart from the ones I underlined thus confirming the encrypted and non encrypted code matches.

These $00's carry on for a while past what's shown above. Lets get all the $00's into two tables, one for SFz2 and one for SFa. These two ROM's are the same revision but have different encryption variables stored on the game board. This fact is shown in an earlier report here .

SFz2

$486B0 : $486C0 : $486D0 : $486E0 : $486F0 : $48700 : $48710 : $48720 : $48730 : $48740 : $48750 : $48760 : $48770 : $48780 : $48790 : $487A0 : $487B0 : $487C0 : $487D0 : $48BC0 : $48BD0 : $48BE0 : $48BF0 : $48C00 : $48C10 : $48C20 : $48C30 : $48C40 : $48C50 : $48C60 : $48C70 : $48C80 : $48C90 : $48CA0 : $48CB0 : $48CC0 : $48CD0 : -- -- -- -- -- -- -- -- -- -- -- -- F1 7E 72 E5 33 79 1B 26 25 0F -- -- -- -- 97 29 E2 F1 A8 82 D1 86 53 1F 36 79 -- -- 8F BB F0 A2 B7 03 16 AB 42 F7 95 C4 2A C6 9A 5F 6F 0C 5B 87 E2 DA 3E 5D DD C5 7A 6A 17 A2 9E FA 6C 29 B6 C1 6B 7D B6 55 DE C4 1E 99 C8 DA 56 FE 61 C7 94 E2 73 9F 0A B3 85 9F 15 3A 26 17 CC E7 04 9E A7 22 6B F4 0D DE 96 53 32 FD 49 87 AD 7F 5C 01 17 CE 82 D8 A7 86 63 80 66 DB F1 4C 06 6B 0F 27 4A 49 61 34 10 A4 02 AD 1E 55 75 19 E0 FC 76 3C F0 F8 47 14 B2 76 86 F0 13 87 4C 5C A5 6D 03 CF DF 0D D4 18 1A F0 97 83 2C E5 AF 03 EE 68 CA D8 2C 71 CC B5 39 46 FA 6D CA 3D 45 59 E0 DE 52 E9 0B AD D4 57 CC 4D 4F E2 E6 9C EC AF 04 37 17 97 BC 25 D0 4E 49 9F 1D 82 71 9B 69 D0 65 69 9E 36 7A 60 D2 05 A0 E7 9B 49 82 A9 83 12 A4 2F C5 17 62 3A E4 E4 C8 4D 58 6A A6 3E DD D4 7A 46 CD 92 ED 44 B6 F5 12 FE D1 57 63 0B B9 AF 49 A3 EB B3 89 6F 57 3A 44 20 BE 90 4F 6D 82 41 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 07 9E 93 DA 39 E3 91 A5 A0 55 65 59 CB 57 04 3A 89 8F 11 D8 AF 32 41 A9 94 72 10 C6 CF F8 B2 BA DE 8A DB 1A A6 5B DC 3B EC 97 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 12 3D EA E0 C6 E4 41 1B 9F 3C 1C C7 13 5F 40 55 29 A3 F3 82 70 FB 5D C3 C7 BD ED 41 ED FB 3E 79 CF FF 6F D8 7D 15 64 12 C2 2A DA B9 77 ED E5 02 20 6C F5 C6 7B C8 3E 3A B6 FB F0 76 25 CB 9F 9B DE 5C 6B 3A 53 49 63 47 AD EE 9B 2E 71 2D 65 A5 04 19 35 A2 A6 B8 3C 39 2F 08 6E AF F9 25 AF 38 9F BA 9C B9 E1 F4 05 43 F1 7F -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 2D 38 24 17 06 40 96 4E CE F3 3E 0C 7A 56 DA 2B 40 FA D2 7F 16 3A 37 34 14 4D C6 25 0A 6B 2B 8E A5 25 36 BC D4 1F EA 38 0E 9E 62 86 05 37 06 72 F0 A5 7D F2 EB 38 AA 4E C7 F4 CC 14 25 0B EA B4 C4 CF AF EC 63 86 C3 59 26 DE F3 BC B6 B3 -- -- -- -- -- --

SFa

$486B0 : $486C0 : $486D0 : $486E0 : $486F0 : $48700 : $48710 : $48720 : $48730 : $48740 : $48750 : $48760 : $48770 : $48780 : $48790 : $487A0 : $487B0 : $487C0 : $48BC0 : $48BD0 : $48BE0 : $48BF0 : $48C00 : $48C10 : $48C20 : $48C30 : $48C40 : $48C50 : $48C60 : $48C70 : $48C80 : $48C90 : $48CA0 : $48CB0 : $48CC0 : -- -- -- -- -- -- -- -- -- -- -- -- 5D C3 C7 7B 15 3A 0F AE 44 45 -- -- -- -- 26 9E A8 77 EA 8D 7F EB C5 9C 2F 51 -- -- F7 50 -- -- 87 9A 63 97 F3 12 59 A3 13 8C 95 4D 78 3C 1E 87 B8 BA 4B 9E 8B B5 2C 61 3A 56 0E 86 1D 96 FA E3 EF 8B 10 6E B6 8E 1F F1 FD 22 FD 77 EC CC 7E 80 B7 3E 90 87 2E 40 F7 8C 31 F6 5F 6C 40 2A 5E 87 DA 1D 17 58 DB DB 33 4D BB C6 00 5B 56 57 76 CC 34 E8 CA 72 4B 95 B7 96 6A 34 2A 85 8B 86 88 8A CC D7 F0 45 55 9E F7 9E B4 4A 4E 8B 2F D8 99 93 2E 4D 07 F8 7B 6A 37 89 81 F3 BE 19 6E AC 57 E6 A8 86 2A 00 17 49 38 23 BB C8 7E A5 46 43 84 81 21 FA 3E 3B 85 0D 35 F4 A0 A6 8C 62 20 1A 29 C1 56 34 7D 2A -- -- -- -- -- -- -- -- -- -- -- -- 49 F9 73 99 66 DC F6 0C 61 11 9C 7C A7 46 F2 26 D7 88 49 C1 F9 C0 F2 3C 3A A0 36 47 F1 3D 6D F7 E3 FB C5 AB 1B 82 1B EC AE CC 78 50 B7 8F E8 61 83 44 18 62 8A 2C 52 AA 3E 94 CC 7C -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 15 C0 E6 36 19 81 98 5D DE AD D3 07 0F 9C 64 F8 CA ED 9D DB B6 4F 64 B2 B3 F4 7E C1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 9A F4 4B 09 D2 5C 13 2C 9E 5B 5D 13 DA 3D F9 7F 49 0A 98 8B 15 0A C8 BC BA 9E 77 EA F1 54 47 BA 46 07 C3 8E F6 9A AC 82 96 BA E9 20 46 84 1B F7 29 C2 04 5E 2F 35 03 11 EC 14 9B 03 25 D5 98 1C 86 B4 99 C4 27 3E E7 7E 9E E6 DE 93 A9 AE 16 72 7D 8A 34 32 0E C4 47 5A D3 BE EA E2 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- FA F1 7B B6 4F 6B D4 1C B8 44 90 D5 3C C5 B5 A9 06 1A 2C 3D 2A 2F 73 A1 B7 C4 3F B9 E3 CF 15 9C CD 9F 88 FD 62 D9 FC F9 1D BF 52 F6 F4 67 B0 FD AC D9 39 A1 FA 7F B3 4C ED 0E F2 53 52 9C 28 05 -- -- -- --

Quite simply all these encrypted numbers above will equal $00 once non encrypted. The blank spaces in the tables are bytes that I could not fill in the and I used these to confirm all the data here is correct. Some of the blanks do have $00's in them but because they are repeated every other byte ($00 $5D $00 $45 etc.) the data does not match up. This confirms what I had expected in my last report ( here ) which is the encryption works on word values, not bytes or long words. I'll repeat that again.

The encryption works on WORD values, not bytes or long words.
You will not get better data than above for use with cryptography programs unless you find a $00 repeating range encrypted bigger than the biggest one above which is 252 decimal bytes long.