Planet MAMEdev

July 03, 2009

MAME Plus!

[MAME] sync with 0.132u3 [Sword]

July 03, 2009 05:00 PM

July 02, 2009

MAME 0.132u3

Time for MAME 0.132u3. Find the updated diffs on the Source Updates page.

July 02, 2009 07:00 PM

July 01, 2009

Who needs Timberlake?

Phil Bennett and I are bringing Sega back. These are images from current MAME, not 0.119.

Posted by site admin at July 01, 2009 07:14 PM

Arrived recently for dumping (yeah, I do that too): ICE’s 2003-ish Johnny Nero: Action Hero. It’s a comic book-style lightgun blaster with 3 selectable worlds and it’s running on hardware way beyond what I was expecting from the YouTube videos: a 300 to 400 MHz VR5500 MIPS main CPU, a big FPGA with custom 3D rendering hardware and 1 or 2 PowerPC 405 CPUs, and an IDE harddisk containing the game data. Needless to say with those specs this is going to be a serious job to emulate and is likely to be slow once it is.

Plug: The Dumping Union hooked me up with the board but I paid for it 100% myself because I know a lot of you guys would rather your donations go towards lost oldies like Steel Worker instead of something this new. Please continue to donate to them if you can – not only do you get to play the results, you get your name in lights on their page.

Posted by site admin at July 01, 2009 06:19 PM

June 27, 2009

Angelo Salese (Kale)

Where defeat happens

Fixed some Maple bugs in the Naomi driver (especially one that was trashing memory with invalid commands), now Moeru Casinyo, Street Fighter Zero 3 Upper, Shinkigami no Shiro 2*, Trizeal and Under Defeat boots fine and are playable.

* Check Haze’s site for this one

Moeru Casinyo

Street Fighter Zero 3 Upper

Trizeal

Under Defeat

Posted by Kale at June 27, 2009 06:48 PM

Because four is megl’ che two…

By request, I’ve spent five minutes in looking at Kick N Run / Mexico ‘86 comms for 4p mode. Actually got something…

…but the major problem is that this fix breaks the normal 2p mode. I wonder if I’ll find a solution for it…

*update* after trying everything I think that the most plausible option is that the reset line for the communication cpu is directly hard-wired with the dip-switch that controls the number of players, but I need to prove it…does anybody kind enough could send to me some high quality pics of this pcb, component and solder sides?

Posted by Kale at June 27, 2009 06:47 PM

smf

Fishing in Japan

Bass Angler 2 (GE865 VER. JAA)

It’s Fisherman’s Bait 2 - A Bass Challenge, but in a different language.

Posted by smf at June 27, 2009 12:33 PM

June 26, 2009

MAME Plus!

fixed broken rockola.c [supersecretos]

June 26, 2009 12:00 PM

June 25, 2009

MAMEdev Main Page

MAME 0.132u2

MAME has just been updated. Grab the 0.132u2 diffs from the Source Updates page.

June 25, 2009 07:00 PM

smf

Hyper Bishi Bashi Champ

Hyper Bishi Bashi Champ (GX908 1999/08/24 VER. JAA)

The CD contains the Japanese & Korean versions.

Posted by smf at June 25, 2009 03:08 PM

June 04, 2009

Tomasz Slanina (Dox)

オセロ

Another game made by Success. And yes - another Othello.

This time from 1984 running on a bit weird hardware (only 20% of pcb is filled with ICs):

- two Z80 (main and audio)
- two AY-8910
- D7751C Nec MCU (sample player ??)
- HD46505SP Crt controller (6x16 pix tiles in 16 colors)

Few preliminary pics (colors are wrong):

PCB pics courtesy of Stefan Lindberg:

Posted by Tom (noreply@blogger.com) at June 04, 2009 10:11 AM

April 18, 2009

Robiza

Super lucky roulette

Giocabile:

00011

0002

Posted by Robiza at April 18, 2009 03:49 PM

April 17, 2009

Robiza

Qualche tipo di roulette

Qualche progresso con roul

Implementato il blitter (da quel che ho potuto vedere riesce solo a tracciare linee)

0036

Posted by Robiza at April 17, 2009 07:59 PM

March 29, 2009

Tomasz Slanina (Dox)

Parent Jack

A few improvements to Parent Jack driver.
Game runs on Taito H System hardware.

Posted by Tom (noreply@blogger.com) at March 29, 2009 06:39 PM

March 22, 2009

Luca Elia

Mahjong Vegas

This version of Mahjong Vegas runs on royalmah.c hardware. But, unlike the previously dumped version, it does not use the internal ROM hidden in the TLCS-90 CPU, so it actually works in MAME..

.. after fixing the very, very broken routine that processes the interrupts in the CPU core, that is (my bad).

Thanks to Uki.

March 22, 2009 11:00 PM

February 16, 2009

Charles MacDonald

Spring cleaning

February 16, 2009 07:00 PM

Updates

February 16, 2009 07:00 PM

January 23, 2009

Luca Elia

Funcube

Namco's Funcube is a series of touch-screen driven redemption games. Multiple cabinets can be locally linked, and each chapter in the series (five in total IFAICT), contains three mini games that challenge players on good memory, fast reactions and cards playing skills.

These are some WIP shots from the only two games there's a dump for, Funcube 2:

and then Funcube 4:

The games have no sound ATM, and are not playable due to missing touch-screen inputs.

Yet, it was pretty surprising getting this far, considering that this system (apparently code-named EVA3A) uses, as main CPU, an unemulated Motorola XCF5206.

Luckily it turns out its ColdFire core is an almost binary compatible 680x0 derivative. So I'm using a 68040, patching out a few unemulated instructions, and hacking in the internal peripherals support (timers, serial).

Then there is a PIC12C508 MCU, whose code is not dumped, that may be involved in the minimal protection that I've bypassed.

In typical Namco fashion, another CPU handles the rest of the inputs (i.e. coins, dips). It's an H8/3007, a variant with no internal ROM. I had to add support for a few more unemulated instructions, but it still has issues with the 16-bit timers.

Sound wise, it uses ADPCM samples, alas through an unemulated OKI MSM9810 chip.

The graphics emulation works though, as the board uses the same chips (DX-101, DX-102) I emulated in seta2.c. Just some trampoline functions were needed, in order to connect the 32-bit data bus of the ColdFire to the 16-bit handlers in that driver.

Thanks to Haze.

January 23, 2009 11:00 PM

January 09, 2009

Stolistic

Wingboard Support

Its been a while since I did any major updates to the peplus driver, but recently I decided to tackle a hardware add-on for the machine.

The add-on is called a "wingboard" or daughterboard. Its purpose is to attach to a superboard pcb where you would normally place the CMOS RAM and DATA chips.

By adding this board you are then able to add a special 5-in-1 game support. With the proper PROGRAM chip installed, the machine will read all 5 DATA chips and display a special Multi-Poker menu.

This board functions similar to the 2 chip (non-wingboard) set XMP00006, but allows the user to swap out different chip sets instead of using the fixed list in the 2 chip set.

The first challenge with making the wingboard work in MAME was discovering how the board functioned. The problem lies with the small PAL chip located on the board that controls the logic of banking to the proper DATA chips. After tracing the board by hand, I figured out a basic schematic and determined that the board switches DATA chips via a CMOS DATA write to the address 0x1FFF. The value written to this address is captured by the PAL chip and used to enable the output of the appropriate DATA chip on the address and data lines.

Once I understood how the wingboard worked, I added support to the peplus driver. Basically, I swap the internal superboard DATA region when address 0x1FFF is written.

Now that I had the game mostly working, I found that not all the graphics were painting correctly. This was due to the fact that the graphics chips are twice the size of any of the games I have added in the past. But I had to find what was triggering the machine to switch to the second half of the graphics chips and color proms. After some investigation, I found that there is a jumper on the superboard pcb (E16/E17) that controls the banking. This lead me to find that a bit on PORT3 is used to signal the machine to bank to the second half of the graphics.

So after a little more cleanup, all things appear to be working fine.

Posted by Stolistic (noreply@blogger.com) at January 09, 2009 12:50 AM

December 22, 2008

Manuel Abadia

Binding a DropDownList to multiple properties and to nested properties

All controls that inherit from ListControl (BulletedList, CheckBoxList, DropDownList, ListBox and RadioButtonList) have some annoying behavior in common:

You can only bind the control to a single property using the DataTextField property. For example, if you have a Customer class with properties Id, Name, Surname, etc and you want to show the full name of a customer in any of the ListControls, you have several options:

When you get the data from the database, return another column with the name and surname.
Create a property (f.e. FullName) that returns what you want to show.
Use a DataSet and add a computed column.
Manually add ListItems with the appropriate values performing the data bind manually.
Create a simple class that will be bound (instead of the original one) just to fix the problem.

The truth is that I don’t like any of those options, all of them are hacks.

For nested properties you have the similar problems. You can bind to Id or Name, but you can’t bind to Address.City or Address.Zip.

Today I faced this problem again and I decided to investigate a more innovative solution. The problem itself is in the controls that inherit from ListControl that are very strict in the binding options. So I took a look of how the controls perform the binding to see if I could do anything to overcome those limitations. At first sight I thought I was loosing my time but after a deeper study I found that it was amazingly easy to fix those problems in a very sleek way.

The data binding of the controls is performed in the PerformDataBinding method. The code at ListControl.PerformDataBinding uses DataBinder.GetPropertyValue to retrieve the value to show in the control if you set the DataTextField property. However, DataBinder.GetPropertyValue doesn’t handle nested properties. DataBinder.Eval is a better choice because it does handle nested properties. So using it we solve one problem. The other problem can be solved easily as well. As we have two properties that control how the Text of each ListItem will be extracted and shown from the data source, with a bit more of effort we can handle the new functionality. I have come up with a very intuitive solution:

DataTextField allows one or more properties (that can be nested if needed) separated by commas.
DataTextFormatString can be used to control the formatting of the items, using {0}, {1}, {2}, {3}… as the value of the properties specified with DataTextField.

The code that performs the data binding is:

          ///
<summary>Binds the data to the control.</summary>
          
          /// <param name="ctrl">control
to bind.</param>
          
          /// <param name="dataSource">data
to bind to the control.</param>
          
          public
          static
          void PerformDataBinding(ListControl
ctrl, IEnumerable dataSource)
{

    // resets the selected
item

    ctrl.SelectedIndex=-1;

    ctrl.SelectedValue= null;

    if(dataSource !=null){

        bool fieldInfoSet = false;

        bool dataTextFormatStringSet = false;

        // checks
if we have to clear the existing items

        if(!ctrl.AppendDataBoundItems){

            ctrl.Items.Clear();

        }

        // if
the data source is a collection, sets the capacity

        ICollection soureceCollection = dataSource as ICollection;

        if(soureceCollection !=null){

            ctrl.Items.Capacity= soureceCollection.Count+ ctrl.Items.Count;

        }

        // save
if the data text field of data value field has been set

        if((ctrl.DataTextField.Length!=0)||(ctrl.DataValueField.Length!=0)){

            fieldInfoSet = true;

        }

        // save
if the data text format string has been set

        if(ctrl.DataTextFormatString.Length!=0){

            dataTextFormatStringSet = true;

        }

        // iterates
through the data source creating the ListItems

        foreach(object obj in dataSource){

            ListItem item =new ListItem();

            if(fieldInfoSet){

                if(ctrl.DataTextField.Length>0){

                    if(ctrl.DataTextField.IndexOf(',')==-1){

item.Text= DataBinder.Eval(obj,
ctrl.DataTextField, ctrl.DataTextFormatString);

                    }else{

                        //
if the DataTextField property has a list of fields, get them to create the text of
the item

                        string[] fields = ctrl.DataTextField.Split(newstring[]{","},
StringSplitOptions.RemoveEmptyEntries);

                        object[] values =newobject[fields.Length];

                        for(int i =0; i < fields.Length; i++){

    string field = fields[i];

    values[i]= DataBinder.Eval(obj,
field);

                        }

item.Text=String.Format(ctrl.DataTextFormatString,
values);

                    }

                }

                if(ctrl.DataValueField.Length>0){

                    item.Value= DataBinder.Eval(obj,
ctrl.DataValueField, null);

                }

            }else{

                if(dataTextFormatStringSet){

                    item.Text=string.Format(CultureInfo.CurrentCulture,
ctrl.DataTextFormatString, newobject[]{ obj });

                }else{

                    item.Text= obj.ToString();

                }

                item.Value= obj.ToString();

            }

            ctrl.Items.Add(item);

        }

    }
}

As we need to call this data binding code instead of the one from ListControl I needed to subclass all controls that inherit from ListControl in order to fix them. So now I have BulletedListEx, CheckBoxListEx, DropDownListEx, ListBoxEx and RadioButtonListEx.

I have created a simple example showing how to use them. Imagine that an Item can be supplied by a set of suppliers, and each supplier sells the item with a different price. The following image shows the properties of the 3 entities of the sample:

I have created a web page with a DropDownList with some items, and when you select an item in the DropDownList you will see a ListBox with the all suppliers of that item with the associated price for the item. Notice how I show the Id and the Name in the DropDownList and how I show the price, supplier Id and supplier name in the ListBox:

The ASPX of the page follows:

          
            <body>
          
    <formid="form1"runat="server">

    <div>

    </div>

        Choose an item to see the suppliers:<br/>

        Items:<br/>

        <manu:DropDownListExID="DropDownListEx1"runat="server"AutoPostBack="True"Width="300px"
            DataTextField="Id,
Name"
            DataTextFormatString="[{0}]
- {1}"
            DataValueField="Id"
            OnSelectedIndexChanged="DropDownListEx1_SelectedIndexChanged"AppendDataBoundItems="True">

            <asp:ListItemSelected="True"Value="0">Select
an Item</asp:ListItem>

        </manu:DropDownListEx><br/>

        Price and suppliers:<br/>

        <manu:ListBoxExID="ListBoxEx1"runat="server"Width="300px"
            DataTextField="Price,
Supplier.Id, Supplier.Name"
            DataTextFormatString="{0}
- [{1}] {2}"
            DataValueField="Supplier.Id">

        </manu:ListBoxEx>

    </form>
</body>

As you can see, the solution is really clean and elegant, and backward compatible with the current controls that inherit from ListControl.

That’s all for now,
Merry christmas!

ListControlsEx_bin.zip (6.53 KB)

ListControlsEx_sample.zip (33.75 KB)

Posted by Your DisplayName here! at December 22, 2008 11:35 PM

December 21, 2008

David Haywood ([Haze])

Parent Jack?

I’d never heard of this before..

Parent Jack

hmm and on another tilemap…
Parent Jack

Looks like rather strange hardware for Taito, but there are lots of card graphics in the roms, so I’m guessing it’s a complete game rather than the video for something else…

Posted by Haze at December 21, 2008 12:57 AM

December 17, 2008

David Haywood ([Haze])

Early Nichibutsu

I’ve been looking at early Nichibutsu Mahjongs with Kale

The following (Night Gal, Night Bunny and Royal Night) ones are an evolution of the hardware used by Jangou.

The main difference is these have a ‘protection’ CPU. In this case it is used to reinterpret the blitter values written by the main CPU, and convert them to the actual format used by the blitter using lookup tables in the protection program ROM. This took a while to figure out, because at first it looked like the ROMs were bad, because the offsets written by the CPU didn’t match the offsets in the blitter data rom at all (It was writing ASCII strings, but the blitter rom characters weren’t in ASCII order)

I’ve been working on getting them to display something. The Protection CPU isn’t hooked up quite correctly yet.

Night Bunny

Royal Night

There are other games using the blitter with this weird configuration too. Sexy Gal, Sweet Gal, and Night Gal Summer. These don’t boot yet.

Posted by Haze at December 17, 2008 11:55 PM

December 09, 2008

Andreas Naive

CPS-3 (5)

Resumiré algunas pruebas realizadas durante los últimos días:

Durante una charla informal con Haze, hablando de las zonas de memoria que están asignadas a la BIOS y a las ROMs 10 y 20, se me ocurrió cómo comprobar cuál era el primer bit que cambiaba en la dirección de comienzo de la BIOS y la ROM 10 (ya sabíamos que, aparentemente, en sfiii2, la BIOS está asignada a la dirección 0 y la ROM 10 a la dirección 0x06000000): si encontraba dos zonas en blanco en la BIOS y la ROM 10 que ocupasen la misma posición con respecto al inicio de la correspondiente ROM, podría inferirse algo de información sobre la diferencia entre las direcciones a las que están asignadas simplemente mirando qué bits coincidían (pues sabemos que f#4 muestra ciclos puros de periodo 2^19 máscaras, f#5 de periodo 20, y así...).

Las zonas «en blanco» escasean en la BIOS (parece que ahí tuvieron mayor cuidado en no dejar «pistas»), pero finalmente fui capaz de encontrar dos tales zonas correspondientes en Warzard y en Sfiii (de 15 y 9 máscaras, respectivamente); se podía ver que, al comparar la BIOS con la ROM 10, en ambos casos los bits f#4, f#5, f#6, f#7 y f#8 eran idénticos, pero f#9 no. Ello indicaba que la diferencia de las direcciones de asignación de la ROM 10 y de la BIOS es un múltiplo impar de 0x02000000 (lo que es compatible con la hipótesis de que están ligadas a las direcciones 0 y 0x06000000 como en sfiii2, pero no la prueba).

ElSemi llamó mi atención sobre la tabla de 256 bytes situada al final de la BIOS; tras un análsis de un par de tablas, resulta claro que: 1º) la tabla se ha generado usando algún tipo de algoritmo que funciona a nivel de octetos, pues el bit #1 de cada octeto muestra regularidades estadísticas significativas cuando se observa la tabla completa (en Jojo, de hecho, ese bit es siempre 0); 2º) por consiguiente, no es razonable suponer que esa tabla esté encriptada, sino que se trata de datos sin encriptar.

Una hipótesis tentadora es considerar que se trata de una tabla de subclaves indexada de alguna manera; sin embargo, no disponemos por el momento de ningún argumento sólido a favor o en contra de esta hipótesis, por lo que no insistiré en ello por ahora. En todo caso, si así fuese y estuviese siendo indexada con bits de la dirección, yo esperaría que fuese con bits de la parte baja, pues los bits altos de la dirección muestran propiedades de difusión mucho peores, lo que no me cuadraría con el hecho de que usasen diferentes entradas de una tabla.

Para tratar de validar el que una operación de tipo rotate_left(x,4) XOR (x AND ???) estuviese siendo hecha (ver CPS-3 (4)), se me ocurrió el siguiente experimento: al actuar, como operandos, una variable de 16 bits y ella misma desplazada 4 bits, se consigue que se creen cuatro clases de equivalencia en el conjunto de los 16 bits, perteneciendo a una misma clase aquellos que se afectan mutuamente por efecto del desplazamiento de 4 posiciones (de este modo, los bits #0, #4, #8 y #12 forman una clase, los bits #1, #5, #9 y #13 otra, y así con el resto). Si ahora estudiamos los números formados al juntar los cuatro bits de una misma clase, obtenemos una nueva variable x' y la operación se reduce a rotate_left(x',1) XOR (x' AND y); y aquí empieza la fiesta: si, aun sabiendo que x' e y tienen que estar necesariamente correladas, suponemos que son lo suficientemente independientes una de la otra como para que la correlación sea pequeña, cabe suponer que la distribución de valores que sigan los datos reales nos dé información sobre si ese tipo de operación está siendo usada o no. Esto es así porque, si suponemos, en la operación anterior, que x' e y son totalmente independientes, y nos hacemos una tabla tabulando las 256 posibilidades según el resultado (de 0 a 15), obtenemos la siguiente distribución:


17 15 15 17 15 17 17 15 15 17 17 15 17 15 15 17

está distribución también la tiene la operación rotate_left(x',1) XOR (x' OR y), pero no así otras posibles operaciones compatibles con lo que ya sabemos (o, al menos, yo no he sido capaz de encontrarlas)

Pues bien, al obtener las distribuciones reales para las cuatro clases de equivalencia correspondientes a JojoIm1, se obtiene lo siguiente:


115163  134440  134684  123578  124325  119368  129136  138039  131465  123863  124014  134368  114033  128910  138950  132739
138511  116005  117079  133371  120561  137598  132515  113767  121234  142936  135015  120354  139340  123419  117903  137467
 97696  155678  150638  107566  144235  105896  104535  149136  147566  109552  104031  153598  100741  153822  148116  114269
106225  149014  147978  108136  148715  110697  103607  151184  149013  112404  104923  149873  106272  145600  145167  108267

Se puede ver que la distribución para la segunda clase de equivalencia muestra, aproximadamente, una proporcionalidad directa con la distribución de arriba, mientras que el resto de clases muestran una proporcionalidad inversa; lo mismo ocurre con JojobaIm1 y con Sfiii3Im1 (aunque, en este último caso, el cuarto grupo es directamente proporcional, y los otros tres inversamente proporcional). Este tipo de distribución es la que yo esperaría si, después de haber realizado una operación como las de arriba (rotate_left(x',1) XOR (x AND/OR y), se hubiese efectuado un XOR con un número fijo; dependiendo de la paridad de ese número, se obtendría una proporcionalidad directa o inversa.

Este experimento, de por sí, ya fue bastante interesante, pero no acabó ahí, pues, al día siguiente de haber hecho eso, tuve la feliz idea de tratar de obtener información sobre los términos x' e y haciendo uso de esa misma distribución. La idea fundamental es que el resultado de la operación te da información sobre los operandos, pues no todos los resultados se producen con la misma probabilidad; de esta forma, si uno dibuja la tabla de frecuencias que relaciona el resultado final (una fila por cada uno, de 0 a 15) con el término y que le dio origen (una columna asociada con cada uno, de 0 a 15), obtiene esto:


{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,},

y si hace los mismo relacionando el resultado con el término x', esto otro:


{16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,},
{0,0,0,0,0,0,0,0,8,0,0,0,4,0,2,1,},
{0,8,0,0,0,0,0,0,0,4,0,0,0,2,0,1,},
{0,8,0,0,0,0,0,0,0,4,0,0,0,2,2,1,},
{0,0,8,4,0,0,0,0,0,0,0,2,0,0,0,1,},
{0,0,0,4,0,0,0,0,0,0,4,2,4,0,2,1,},
{0,0,8,4,0,0,0,0,0,0,0,2,0,2,0,1,},
{0,0,0,4,0,0,0,0,0,0,4,2,0,2,2,1,},
{0,0,0,0,8,0,4,2,0,0,0,0,0,0,0,1,},
{0,0,0,0,0,0,0,2,8,0,0,0,4,0,2,1,},
{0,0,0,0,0,4,4,2,0,4,0,0,0,2,0,1,},
{0,0,0,0,0,4,0,2,0,4,0,0,0,2,2,1,},
{0,0,0,0,8,0,4,2,0,0,0,2,0,0,0,1,},
{0,0,0,0,0,0,0,2,0,0,4,2,4,0,2,1,},
{0,0,0,0,0,4,4,2,0,0,0,2,0,2,0,1,},
{0,0,0,0,0,4,0,2,0,0,4,2,0,2,2,1,},

La primera tabla da algo de información, pero no mucha: dado un resultado, asigna sesgos distintos a la probabilidad de un operando y únicamente en función del peso de y (número de bits puestos a 1). Ello hace que no se discrimine bien entre los valores para los bits individuales de ese término y, e imposibilita que se pueda usar con facilidad esa información para reconstruir los ciclos esperados de los bits del término y.

La segunda tabla, en cambio, tiene un aspecto excelente :D Permite discriminar las probabilidades de los bits individuales de x'; así, si cogemos un bloque de 2^19 máscaras consecutivas de JojoIm1, calculamos el sesgo a priori (usando la tabla mencionada) de que f#0 valga 0 (valores positivos indican que es más probable que valga 0 que 1; valores negativos lo contrario) y hacemos un análisis de autocorrelación, obtenemos esto:

Se observa claramente el ciclo de 2^15 máscaras que esperábamos.

Empero, si tratamos de usar esa tabla de probabilidades condicionales para calcular el valor de ese mismo bit para cada una de las 2^15 posiciones del ciclo (es de esperar que x' muestre un ciclo puro), el resultado, siendo aceptable, no es espectacular: el número de datos disponible para cada posición no es suficiente para obtener resultados incontrovertibles para cada posición. Pero la fortuna nos sonríe, porque, si observamos con más detenimiento la tabla, veremos que hay filas (correspondientes a ciertos resultados de la operación) que sólo se pueden dar para ciertos valores de los bits del operando x'; por ejemplo, si el resultado de la operación es 2 (tercera fila de la tabla), entonces necesariamente el bit #0 de x' será 1.

Esto nos permitiría recuperar los valores de algunos bits del ciclo, pero hay algo que debemos no perder de vista: dada la forma de la distribución, suponíamos que un XOR con un valor fijo estaba siendo efectuado después de la operación; cuando probé a recuperar esos bits para cada una de las máscaras XOR aceptables, otro hecho afortunado nos ayudó: al analizar los resultados, había una y sólo una máscara XOR que conseguía que en los bits del ciclo recuperados no se diesen valores idénticos separados por la mitad de tamaño del ciclo (algo que yo esperaba/deseaba, pues es una característica que es invariante ante bastantes de las operaciones que era probable encontrar antes de la que nos ocupa).

Una vez dado el salto de suponer que, efectivamente, esa característica (ser la segunda mitad exactamente como la primera pero invertida) la comparten todos los bits de x, se obtiene, por una parte, la máscara XOR aplicada después (0xd86e en el caso de JojoIm1 y JojobaIm1, y 0x54ca en el caso de Sfiii3) y, por otra, se pueden recuperar más bits de los ciclos (esta forma de obtener más bits y la anterior se retroalimentan). La escasez de máscaras disponibles no nos permite regenerar los ciclos completos, pero, al menos, obtenemos un porcentaje apreciable de algunos de ellos (los primeros bits, que muestran ciclos de longitud menor, son, por supuesto, los que pueden ser regenerados de forma más completa).

Y esto, a su vez, ha hecho surgir interesantes conclusiones:
- La parte del ciclo de tamaño 2^15 (del bit #0 de x) que se recupera encaja perfectamente con el que recuperábamos al estudiar f#5 módulo 2^15 (ver CPS-3 (3)). Esto ha supuesto una confirmación inesperada de algo que, si bien suponía, no encontraba manera de demostrar. :D
- Lo mismo ocurre con el ciclo de tamaño 2^16 pero invirtiendo los bits (lo cual es efecto de la operación XOR hecha después, por lo que no nos debe extrañar a estas alturas).
- El disponer de reconstrucciones parciales de los ciclos de los bits de x' nos permite, a su vez, estudiar y; esta es la actual línea de ataque que estoy siguiendo, pero todavía queda trabajo por hacer antes de extraer conclusiones...

Y este es el estado actual de las cosas... continuaré trabajando en esta línea, pero no será ahora. Hechos felices de la vida real (que algunos conocéis) van a alejarme de los ordenadores y de mi casa por espacio de dos o tres semanas; seguiremos con esto cuando vuelva.

Posted by Andreas Naive (noreply@blogger.com) at December 09, 2008 07:58 PM

Implementación de reglas

Últimamente no he dispuesto de demasiado tiempo libre, lo que me ha impedido trabajar en esto lo que me hubiese gustado... pero algo hemos avanzado:

Tras muchas pruebas, creo que he fijado los modelos de las piezas; he cribado los vértices de los modelos de Morio hasta un punto en que el motor 3d pueda moverlos incluso sin aceleración hardware (en un ordenador relativamente moderno).
La iluminación también ha sido fijada, después de haber tenido bastantes problemas al hacer pruebas (se hace uso de sombreado Gouraud, por cierto).
Gracias a la amabilidad de Will McGugan, que me ha autorizado a utilizar su módulo python de ajedrez, me he ahorrado tener que implementar por mí mismo las reglas; puede que haya que corregir algunos errores, pero me encanta cómo está diseñado el módulo. ¡Gracias, Will! ;)
He continuado con la implementación del protocolo de comunicación, y ya se pueden enviar los movimientos de un tablero al otro sin problemas.

Aún quedan muchas cosas por hacer, no obstante. Amén de terminar de implementar el protocolo (rendición, coronación de piezas, propuesta y aceptación de tablas, tablas reclamadas por un jugador, etc), hay que corregir algunos errores con los movimientos especiales, arreglar la selección de escaques (que, no sé debido a qué, está dando problemas), presentar las condiciones de finalización de partida al usuario, etc.

Seguimos en la brecha. ;)

Posted by Andreas Naive (noreply@blogger.com) at December 09, 2008 07:58 PM

December 04, 2008

Manuel Abadia

Search Engine Optimization - Moving View State to the bottom of the page

One of the greatest problems when trying to optimize an ASP.NET page to be more search engine friendly is the view state hidden field. Most search engines give more score to the content of the firsts thousands of bytes of the document so if your first 2 KB are view state junk your pages are penalized. So the goal here is to move the view state data as down as possible.

I have seen some approaches to solve this problem rewriting the final HTML code of the response. While this approach works I think that it wastes some precious processor cycles that can be used to do other things. So I needed a way to do the same thing without wasting that CPU time. After some large reflector sessions I found a way to do it. My method uses the ASP.NET Control Adapter Architecture.

A control adapter is a class that can be used to control the HTML generated by the control it adapts. Since the Page class is the responsible of rendering the view state hidden field (Page.BeginFormRender calls Page.RenderViewStateFields), an adapter for the Page is needed. However, the view state hidden field plays a key role in the ASP.NET infrastructure (for example, the Page.IsPostBack property checks if the view state hidden field has been posted) and it is difficult to modify the associated HTML.

A PageAdapter has a method called GetStatePersister() that returns an object that inherits from PageStatePersister. The PageStatePersister is called when it is time to load and save the view state. There are 2 classes that inherit from PageStatePersister: HiddenFieldPageStatePersister and SessionPageStatePersister. The first one is the default, which stores the view state in the hidden field called __VIEWSTATE. The second one stores the view state in the session. So, we can easily create a custom PageStatePersister to control the view state load and save process. The big problem is how to create the hidden view state field before the closing form tag while being a fully transparent solution. After some tries I came up with a solution that I was happy with.

I realized that it was impossible to completely remove the view state hidden field from the top of the page, because it plays a key role in the ASP.NET infrastructure. However, with any custom page state persister the ASP.NET infrastructure renders at least an empty view state hidden field of only 70 bytes:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" />

My page adapter adds a hidden field to the bottom of the form called __SEOVIEWSTATE with the actual view state data, and the only limitation that it has it is that you can not use <% %>expressions directly inside the asp.net form. However, this restriction can be easily avoided putting the <% %>expression in a PlaceHolder control or inside another control. For an in-depth explanation of this limitation take a look here.

Let’s see an example of the adapter in action. The following ASP.NET page:

<%@
Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="SEOViewStateAdapterTest._Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">

    <title></title>

</head>

<body>

    <form id="form1" runat="server">

    <div>

        Enter a message: <br />

        <asp:TextBox ID="txtMessage" runat="server"></asp:TextBox><br />

        <asp:Button ID="bSaveMessage" runat="server" Text="Save
Message" onclick="bSaveMessage_Click" /><br />

        <asp:Label ID="lMessage" runat="server"></asp:Label><br />

        <p>Page
generated at <asp:PlaceHolder ID="PlaceHolder1" runat="server"><%=
DateTime.Now.ToString("hh:mm
dd/MM/yyy") %></asp:PlaceHolder></p>

    </div>

    </form>

</body>

</html>

With the associated code:

using System;

using System.Collections.Generic;

using System.Web;

using System.Web.UI;

using System.Web.UI.WebControls;

namespace SEOViewStateAdapterTest

{

    public partial class _Default : System.Web.UI.Page

    {

        protected void Page_Load(object sender,
EventArgs e)

        {

            if (!Page.IsPostBack) {

                ViewState["previousMessage"] = txtMessage.Text;

            }

        }

        protected void bSaveMessage_Click(object sender,
EventArgs e)

        {

            lMessage.Text = String.Format("The
current message is '{0}'. The previous message was '{1}'", txtMessage.Text, (string)ViewState["previousMessage"]);

            ViewState["previousMessage"] = txtMessage.Text;

        }

    }

}

after a couple of postbacks, without using the adapter, the HTML looks like this:

<!DOCTYPE
html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head><title>

</title></head>

<body>

    <form name="form1" method="post" action="Default.aspx" id="form1">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJc01l[...]VwP+cfdSWI6Q==" />

</div>

<div>

    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwKb4uenCgK/1s7/DwKf8MMPfiUvZtKPSXk//XdxkLooz8QDI0Y=" />

</div>

    <div>

        Enter a message: <br />

        <input name="txtMessage" type="text" value="Message
2" id="txtMessage" /><br />

        <input type="submit" name="bSaveMessage" value="Save
Message" id="bSaveMessage" /><br />

        <span id="lMessage">The
current message is 'Message 2'. The previous message was 'Message 1'</span><br />

        <p>Page
generated at 08:13 04/12/2008</p>

    </div>

    </form>

</body>

</html>

and after a couple of postbacks, using the adapter, the HTML looks like this:

<!DOCTYPE
html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head><title>

</title></head>

<body>

    <form name="form1" method="post" action="Default.aspx" id="form1">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" />

</div>

<div>

    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwL+raDpAgK/1s7/DwKf8MMPyF7nqN1AbwNwFBq8OAjEAQorsyo=" />

</div>

    <div>

        Enter a message: <br />

        <input name="txtMessage" type="text" value="Message
2" id="txtMessage" /><br />

        <input type="submit" name="bSaveMessage" value="Save
Message" id="bSaveMessage" /><br />

        <span id="lMessage">The
current message is 'Message 2'. The previous message was 'Message 1'</span><br />

        <p>Page
generated at 08:11 04/12/2008</p>

    </div>

    <input type="hidden" name="__SEOVIEWSTATE" id="__SEOVIEWSTATE" value="/wEPc01lc3[...]CdNY6AtgigHvU=" /></form>

</body>

</html>

In order to use the adapter, you have to add a reference to the assembly and add a file called SEOViewStateAdapter.browser (the name of the file does not matter. The extension needs to be the same. Or also you could merge the contents to another file if you already have one) to the App_Browsers folder. The content of the file should be:

<browsers>

    <!-- use the adapters
for all browsers -->

    <browser refID="Default">

        <controlAdapters>

            <!--
ths adapter is used to save the view and control state at the bottom of the form so
the page is more friendly to search engines -->

            <adapter controlType="System.Web.UI.Page" adapterType="Manu.Web.Adapters.SEOFriendlyViewStatePageAdapter,
SEOViewStateAdapter" />

        </controlAdapters>

    </browser>

</browsers>

That’s all. Enjoy!

SEOViewState.zip (29.67 KB)

Posted by Your DisplayName here! at December 04, 2008 07:26 PM

August 14, 2008

Frank Palazzolo

Yikes - more than 2 years without blogging!

Not the kind of anniversary I wanted to celebrate. Anyways, I'm in the middle of a move to a new house, and work is heating up. So, hopefully around October, things will settle down...and I will try to post something more regularly.

Posted by Knarfian (noreply@blogger.com) at August 14, 2008 07:28 PM

Demons and Dragons

This is a prototype game that is supposed to run on Professor Pacman hardware, or something very similar. I got it run a little bit...but it's not playable yet.

Posted by Knarfian (noreply@blogger.com) at August 14, 2008 01:40 AM

August 04, 2008

Charles MacDonald

(!) Can't read content

We're sorry, content cannot be read.

If you are the feed creator, something went wrong while the Dapp ran. To see what happened, please go to the Dapp's page on dapper.net, or Contact Dapper support specifying the Dapp name

If you are a subscriber, this feed was created using Dapper. Dapper lets anyone turn regular websites into RSS feeds. The feed doesn't work at the moment, We're again sorry for the inconvenience.

- Contact Dapper support
- Learn more about how to create feeds with Dapper

August 04, 2008 03:00 AM

(!) Can't read content

We're sorry, content cannot be read.

If you are the feed creator, something went wrong while the Dapp ran. To see what happened, please go to the Dapp's page on dapper.net, or Contact Dapper support specifying the Dapp name

If you are a subscriber, this feed was created using Dapper. Dapper lets anyone turn regular websites into RSS feeds. The feed doesn't work at the moment, We're again sorry for the inconvenience.

- Contact Dapper support
- Learn more about how to create feeds with Dapper

August 04, 2008 01:00 AM

June 12, 2008

Stolistic

Lots of Slots

I decided to revisit the PE+ driver specifically to find out why all the video slots did not accepts coins. I assumed the slots had some special code that maybe affected the coin-in timing, but after a lot of tracing, I couldn't find any differences. Eventually, I noticed that the last page of the operator screens was blank and the Spin button was lit. Pressing the Spin button didn't seem to do anything. Using some experience I learned from the S+ slot machine, I figured this screen was used to show the reel stops. Each time you press Spin you would see the next reel stop etc.

But the screen wasn't painting the reels and seemed to be stuck in a loop. After much tracing, I finally found that the Timer 1 interrupt at 0x001b stopped firing. Without this interrupt, the game would basically sit in an endless loop waiting for the timer bit to update.

It turns out that the split timer code in the i8051 core needed a small tweak. Once the code was fixed, the reel stops showed up in the operator screen, and the game started accepting coins.

Now that I could see the slot games play properly, I found that PS0716 was not "Quarter Mania", but rather "River Gambler".

With the video slots working, I added support for 5 new romsets to the driver:

(PS0014) Super Joker Slots

(PS0022) Red White & Blue Slots

(PS0043) Double Diamond Slots

(PS0045) Red White & Blue Slots

(PS0308) Double Jackpot Slots

Posted by Stolistic (noreply@blogger.com) at June 12, 2008 01:30 AM

February 17, 2007

Nicola Salmoria

CPS2 not much left to do

When I originally wrote the key searching program, that was on the assumption that the key for the second Feistel network was 96 bits long.

Each (E,D) pair reduces the key space by a factor of about 2¹⁶, so to isolate the correct key with good confidence one would need at least 96/16 = 6 (E,D) pairs.

The big problem is finding those pairs. Remember that they must be at compatible addresses, that is addresses whose bottom 17 bits are the same. This is a serious limitation, because the code of several games only covers a range of 0x80000 bytes, which would give a maximum of 4 pairs at any address. For the Super Puzzle Fighter 2 games, the range is just 0x40000 bytes, giving just 2 pairs per address.
One can find hundreds, even thousands of of (E,D) pairs, but if they are not at compatible addresses they are of no use to find the key using this attack.

However, now we know that the key actually has only 64 significant bits, some of which are repeated. I therefore rewrote the program to take that into account. This means that only 4 (E,D) pairs are needed to isolate the key.

Also, I made several important optimisations that I missed the first time around, like caching intermediate results and speeding up the s-boxes calculations by using precalculated tables (this last optimisation also made into MAME so the decryption when loading a game is now faster).

The end result is a program that is orders of magnitude faster than the previous one.
Now it takes just 15 seconds to find the key given 8 (E,D) pairs. With 5 pairs, which was just plain impossible before, it takes 5 minutes. With 4 pairs, 35 minutes.

These improvement made it simple to find most of the remaining keys, even for games that didn't have a matching revision already decrypted (most notably some of the Steeet Fighter Zero versions).

But there's more: the program is now fast enough to go one step further, and look for the key with just 3 pairs. Of course 3 pairs are not enough to isolate the right key: they only reduce the key space by about 2⁴⁸, therefore leaving about 2¹⁶ keys which are compatible with the data. Once a 64-bit key for the second Feistel network is selected, the compatible 64-bit master keys can then be easily generated, and used to verify other (E,D) pairs at different addresses. This allows to find the correct key in less than one day, and I had to use this extended attack for a couple of the most problematic games.

In the meantime, Andreas Naive has been busy implementing the attack he had described on his blog, and was able to find the keys for two of the Super Puzzle Fighter 2 games. Unfortunately, the attack failed on the third. Work is still in progress on that one, and there is some hope that the key will eventually be found.

The only other games that are missing a key are the two CPS2 versions of Mega Man. There is no decrypted CPS2 version of that game to compare with, and the CPS1 version seems to be too different to be able to find good pairs.

Posted by Nicola Salmoria (noreply@blogger.com) at February 17, 2007 12:39 PM

CPS2 Key Bit Order

As previously mentioned, the 64-bit keys I'm currently using should be the same as the hardware ones, except for a fixed permutation of the bits.

The permutation is actually irrelevant as far as the algorithm is concerned, since it is already taken into account when generating subkeys. The difference that it does make, however, is that there are strong suspicions that some of the keys are not random numbers, so what looks like random gibberish currently would show some order if we had the correct permutation.

Take the ssf2 versions for example. There are currently 6 different versions supported: World, USA, Asia, Japan, Tournament World, Tournament Japan. Here are the keys (in a different order):

3D9E1E15A58C32CE
3599DF35AD98284C
B74433502F4653D7
8758E3923FFA1A50
F0AE3D08420DD6BF
6260014FD857F7A7

there is something immediately obvious about those keys: they all contain exactly 32 0s and 32 1s.
When picking one random 64-bit numbers, the likelihood of this happening is about 1 in 10, so it's ok. But the likelihood of it happening for SIX numbers is about 1 in 1 million! So we can be pretty sure that those keys are not random numbers.

What is one particularly simple sequence that has exactly 32 1s? Well, of course 0123456789ABCDEF. And sure enough, after looking at the bits for a while and applying an appropriate permutation, here is what the above keys become:

0123456789ABCDEF
1032547698BADCFE
45673210CDEFAB89
67451032FEDC98BA
89ABDCEF45672301
CDEFBA9823016754

looks much better doesn't it?
Though there's no way to tell how close it is to the real thing.

Posted by Nicola Salmoria (noreply@blogger.com) at February 17, 2007 10:33 AM

January 15, 2005

Paul Priest (Tourniquet)

Testing... 1.. 2.. 3..

January 15, 2005 12:45 PM

May 23, 2004

Paul Priest (Tourniquet)

MAME 0.82u2 'fishsalad' (don't ask me :) is over a...

MAME 0.82u2 'fishsalad' (don't ask me :) is over at Haze's. It features all manner of ZN goodness.

May 23, 2004 07:30 PM

An aggregator of MAME development weblogs

Essentials

Subscriptions

Legal

Powered by

Edited by

Thanks to

Last updated

Planetarium

July 03, 2009

July 02, 2009

July 01, 2009

June 27, 2009

Angelo Salese (Kale)

June 26, 2009

June 25, 2009

June 04, 2009

Tomasz Slanina (Dox)

April 18, 2009

April 17, 2009

March 29, 2009

Tomasz Slanina (Dox)

March 22, 2009

February 16, 2009

January 23, 2009

January 09, 2009

December 22, 2008

December 21, 2008

David Haywood ([Haze])

December 17, 2008

David Haywood ([Haze])

December 09, 2008

December 04, 2008

August 14, 2008

August 04, 2008

June 12, 2008

February 17, 2007

January 15, 2005

Paul Priest (Tourniquet)

May 23, 2004

Paul Priest (Tourniquet)