Jul -- The Cutting Room Floor: Mega Man X1 copy protection

devin

Yoshi
i'm mima irl
Level: 112

Posts: 3042/3519
EXP: 14918972
For next: 419233

Since: 04-29-08

Pronouns: any
From: FL

Since last post: 297 days
Last activity: 1 day

Posted on 04-12-14 01:28:54 AM (last edited by devin at 04-13-14 12:00:56 AM)

Link | Quote

Here are some notes I took about some rather aggressive copy protection in Mega Man X. It checks for the presence of SRAM at various addresses and has (at least) three main effects if it detects it:

After 128 enemies have been destroyed, a Buster shot bouncing off of something will cause the level to abruptly end and return you to the intro, and dropped health pickups disappear almost immediately
After jumping between 128 and 256 times, every other jump will have severely reduced height
After taking damage 128 times, controller input becomes completely random every frame, making the game completely unplayable

Each effect has multiple redundant routines which try to detect (in a very specific, easy-to-circumvent way) if any of the other routines have been tampered with, and can make the effect even more apparent than normal - in probably the worst case, if the game thinks you're trying to hack away a part of the "random input" effect, it'll just take effect as soon as you collect any health instead. Pretty nasty.

Of course, the self-protection only works by testing a couple of specific bytes in each routine, so there are plenty of other ways around it. It's very aggressive and also very ineffectual.

There's an additional routine that checks the ROM itself to make sure it's mirrored correctly (specifically it makes sure banks 00 and 40 are mapped to the same physical ROM address), and if this fails, any enemy dropping a 1up will cause you to return to the intro stage at the end of the current stage. I haven't checked to see if this routine has similar hack protection.

I'm going to write about this on the article proper later, but here's some notes for now:

84A46D (A1): if $701000 (SRAM) is mapped, increase $1F9D (when destroying an enemy)

84A3BF (A2): if byte at $84A475 != $84A3C7 (A1 tampered), increase $1F9D (when destroying an enemy)

848FCD (A3): if byte at $84A481 != $849D29 (A2 tampered), increase $1F9D (every frame, wrapping FF->00)

   if this is >= 128 when a buster shot bounces, the level ends prematurely and returns to the intro,

  and dropped health pickups disappear immediately after landing


818526 (B1): if $700804 (SRAM) is mapped, increase $1F9E (when X begins falling)

819602 (B2): if word at $81853B != #$1F9E (B1 tampered), increase $1F9E (when jumping)

81942E (B3): if byte at $809E75 != $81853A (B1 tampered), $1F9E |= 128 immediately (when firing)

819950 (B4): if byte at $818533 != $81966A (B1 tampered), $1F9E |= 128 immediately (when jumping)

   if this is >= 128, every other jump has half the maximum height until counter reaches 255

   (possible other effects tied to this counter as well)


849D07 (C1): if $700505 (SRAM) is mapped, increase $1F9F (when X takes damage)

849F97 (C2): if byte at $849D0A != $849AF5 or $849D0E (C1 tampered), $1F9F |= 128 immediately (when X gains health)

  when this is >= 128 , start spamming bogus controller input every frame


81816B (D1): if $700800 (SRAM) is mapped, increase $0C2B (dp+$83) (every frame)

      effect unknown

____________________
Photo by Luc Viatour

devin

Yoshi
i'm mima irl
Level: 112

Posts: 3044/3519
EXP: 14918972
For next: 419233

Since: 04-29-08

Pronouns: any
From: FL

Since last post: 297 days
Last activity: 1 day

Posted on 04-15-14 12:48:39 AM (last edited by devin at 04-15-14 01:26:22 AM)

Link | Quote

Small addendum: Demon's Crest; another SRAM/LoROM-based protection. This one doesn't try to protect itself.

80875A: if $701FFF is mapped, set byte at $7E0EEB to $FF (during capcom logo)

829B33: if byte at $80FFC0 != 40FFC0 (mirroring), set byte at $7E0EED to $FF (when ???)

       cannot pause/view menu


80E561: if $701FFF is mapped, set byte at $7E0EEC to $FF (when taking damage)

BEE356: if byte at $80FFC1 != 40FFC1 (mirroring), set byte at $7E0EEE to $FF (when ???)

      opening boss (or all bosses/all enemies?) invincible

Super Street Fighter II:

C407C3: if byte at $41934A != $C1934A (mirroring), increase $7E00EF (checked frequently during game)

     screen is blanked once timer gets to about 50

____________________
Photo by Luc Viatour

Register - Login
Views: 99391254	Main - Memberlist - Active users - Calendar - Wiki - IRC Chat - Online users Ranks - Rules/FAQ - Stats - Latest Posts - Color Chart - Smilies	04-24-22 09:40:19 AM

Query execution time:	0.083777 seconds
Script execution time:	0.007525 seconds
Total render time:	0.091302 seconds