Updates to SEGA's 315-5881 encryption based on new findings from Virt…
…ua Striker 2 '98 (Model3) [Andreas Naive]
andreasnaive committed Jan 18, 2015
1 parent 5bff739 commit f16795f
Showing 3 changed files with 19 additions and 23 deletions.
14 changes: 7 additions & 7 deletions src/mame/drivers/naomi.c
Expand Up @@ -6014,7 +6014,7 @@ ROM_START( wldkicks )
ROM_LOAD( "wk1ma10.4c", 0xa000000, 0x1000000, CRC(e96f312c) SHA1(0a92640277111aef5c6e9dab4218a8ae2196ce61) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(c1e3000b) SHA1(36c2546833effe9452e2b3f7d31335fc5e349f49) )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(1708ebb9) SHA1(c1115e4dd675f10d5fb41f57c1eea8e6a4f09fed) )
ROM_END

ROM_START( wldkicksa )
Expand All @@ -6036,7 +6036,7 @@ ROM_START( wldkicksa )
ROM_LOAD( "wk1ma10.4c", 0xa000000, 0x1000000, CRC(e96f312c) SHA1(0a92640277111aef5c6e9dab4218a8ae2196ce61) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(c1e3000b) SHA1(36c2546833effe9452e2b3f7d31335fc5e349f49) )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(1708ebb9) SHA1(c1115e4dd675f10d5fb41f57c1eea8e6a4f09fed) )
ROM_END

ROM_START( wldkicksb )
Expand All @@ -6058,7 +6058,7 @@ ROM_START( wldkicksb )
ROM_LOAD( "wk1ma10.4c", 0xa000000, 0x1000000, CRC(e96f312c) SHA1(0a92640277111aef5c6e9dab4218a8ae2196ce61) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(c1e3000b) SHA1(36c2546833effe9452e2b3f7d31335fc5e349f49) )
ROM_LOAD( "wldkicks-key.bin", 0, 4, CRC(1708ebb9) SHA1(c1115e4dd675f10d5fb41f57c1eea8e6a4f09fed) )
ROM_END

ROM_START( toukon4 )
Expand All @@ -6085,7 +6085,7 @@ ROM_START( toukon4 )
ROM_LOAD( "trf1ma15.6l", 0xf000000, 0x1000000, CRC(42d318c5) SHA1(f9fe82ffbfc51fcb52333f94c55a7092e7124fb4) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "tr4ae-key.bin", 0x000000, 0x000004, CRC(986a7cee) SHA1(70c3ff80f86de6a0655251658c66a156fb644995) )
ROM_LOAD( "tr4ae-key.bin", 0x000000, 0x000004, CRC(1708ebb9) SHA1(c1115e4dd675f10d5fb41f57c1eea8e6a4f09fed) )
ROM_END

ROM_START( ninjaslt )
Expand Down Expand Up @@ -7805,7 +7805,7 @@ ROM_START( vstrik3c )
ROM_LOAD( "mpr-23662.ic11", 0xa800000, 0x0800000, CRC(d6ef7d68) SHA1(4ee396af6c5caf4c5af6e9ad0e03a7ac2c5039f4) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "vstrik3c-key.bin", 0, 4, CRC(049f41b0) SHA1(4ea444878c8e9288ec95b1763d48bc92c634acdd) )


p1pkin Jan 18, 2015

Member

Are you sure this is not a mistake, and that the Naomi 2 Virtua Striker 3 key is updated?


p1pkin Jan 18, 2015

Member

Thanks for the explanation. In that case you are right - vstrik3c is affected; the clubkrte and wldrider keys must also be updated.

ROM_LOAD( "vstrik3c-key.bin", 0, 4, CRC(8c9012fe) SHA1(d81e00d6377a3f0eeed01dc523707e36ca1b434d) )
ROM_END

ROM_START( vstrik3cb )
Expand All @@ -7827,7 +7827,7 @@ ROM_START( vstrik3cb )
ROM_LOAD( "mpr-23662.ic11", 0xa800000, 0x0800000, CRC(d6ef7d68) SHA1(4ee396af6c5caf4c5af6e9ad0e03a7ac2c5039f4) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "vstrik3c-key.bin", 0, 4, CRC(049f41b0) SHA1(4ea444878c8e9288ec95b1763d48bc92c634acdd) )
ROM_LOAD( "vstrik3c-key.bin", 0, 4, CRC(8c9012fe) SHA1(d81e00d6377a3f0eeed01dc523707e36ca1b434d) )
ROM_END

ROM_START( wldrider )
Expand Down Expand Up @@ -7870,7 +7870,7 @@ ROM_START( vf4cart )
ROM_LOAD( "mpr-23784.ic11", 0xa800000, 0x1000000, CRC(f74f2fee) SHA1(84b07baa6d116727e66ef27e24ba6484c3393891) )

ROM_REGION( 4, "rom_key", 0 )
ROM_LOAD( "vf4cart-key.bin", 0, 4, CRC(22838e16) SHA1(afee674dce3cfdd20360c30da2da5ba69f8d4682) )
ROM_LOAD( "vf4cart-key.bin", 0, 4, CRC(aa8cdd58) SHA1(e282b7d215044a005b50c8553b8056f3d599135c) )
ROM_END

// There is also a development cart (171-7885A) with 20x 64Mb FlashROMs instead of 10x 128Mb MaskROMs. Content is the same.
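Review bot: `tr4ae-key.bin` in the toukon4 set now carries exactly the CRC and SHA1 of `wldkicks-key.bin` (1708ebb9 / c1115e4d…), so two differently named key files are byte-identical and nothing on the line says that is intended. The naomicrypt.c section of this commit gives both sets the key 0x052e2901, which suggests it is deliberate. A trailing comment on the toukon4 line, e.g. `// same key file content as wldkicks-key.bin`, would keep a later hash audit from reading it as a copy-paste slip. Each ROM_START block begins above its hunk, so the rest of the sets is not visible here.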
22 changes: 9 additions & 13 deletions src/mame/machine/315-5881_crypt.c
Expand Up @@ -121,7 +121,7 @@ Notes below refer to M2 & M3.
The encryption is done by a stream cipher operating in counter mode, which use a 16-bits internal block cipher.
There are 2 "control bits" at the start of the decrypted stream which control the mode of operation: bit #1 set to 1 means
that the decrypted stream needs to be decompressed after being decrypted. More on this later.
that the stream needs to be decompressed after being decrypted. More on this later.
The next 16-bits are part of the header (they don't belong to the plaintext), but his meaning is unclear. It has been
conjectured that it could stablish when to "reset" the process and start processing a new stream (based on some tests
Expand All @@ -134,12 +134,12 @@ internal block-cipher. So, at a given step, the internal block cipher will outpu
given plaintext word, and the remaining 2 to the next plaintext word.
The underlying block cipher consists of two 4-round Feistel Networks (FN): the first one takes the counter (16 bits),
the game-key (>=26 bits) and the sequence-key (16 bits) and output a middle result (16 bits) which will act as another key
the game-key (>=27 bits) and the sequence-key (16 bits) and output a middle result (16 bits) which will act as another key
for the second one. The second FN will take the encrypted word (16 bits), the game-key, the sequence-key and the result
from the first FN and will output the decrypted word (16 bits).
Each round of the Feistel Networks use four substitution sboxes, each having 6 inputs and 2 outputs. The input can be the
XOR of at most two "sources bits", being source bits the bits from the previous round and the bits from the different keys.
Each round of the Feistel Networks use four substitution sboxes, each having 6 inputs and 2 outputs. The input is the
XOR of at most one bit from the previous round and at most one bit from the different keys.
The underlying block cipher has the same structure than the one used by the CPS-2 (Capcom Play System 2) and,
indeed, some of the used sboxes are exactly the same and appear in the same FN/round in both systems (this is not evident,
Expand All @@ -151,10 +151,6 @@ Due to the small key-length, no sophisticated attacks are needed to recover the
some (encrypted word-decrypted word) pairs suffice. However, due to the weak key scheduling, it should be noted that some
related keys can produce the same output bytes for some (short) input sequences.
The only difference in the decryption process between M2 and M3 is the initialization of the counter. In M3, the counter is
always set to 0 at the beginning of the decryption while, in M2, the bits #1-#16 of the ciphertext's address are used
to initialize the counter.
Note that this implementation considers that the counter initialization for ram decryption is 0 simply because the ram is
mapped to multiples of 128K.
Expand All @@ -164,7 +160,7 @@ accordingly the s-boxes' definitions. So the order of the bits in the keys is ar
chosen so as to make the key for CAPSNK equal to 0.
It can be observed that a couple of sboxes have incomplete tables (a 255 value indicate an unknown value). The recovered keys
as of december/2010 show small randomness and big correlations, making possible that some unseen bits could make the
as of january/2015 show small randomness and big correlations, making possible that some unseen bits could make the
decryption need those incomplete parts.
****************************************************************************************/
Expand Down Expand Up @@ -478,16 +474,16 @@ const int sega_315_5881_crypt_device::fn1_game_key_scheduling[38][2] = {
{1,29}, {1,71}, {2,4}, {2,54}, {3,8}, {4,56}, {4,73}, {5,11},
{6,51}, {7,92}, {8,89}, {9,9}, {9,10}, {9,39}, {9,41}, {9,58},
{9,59}, {9,86}, {10,90}, {11,6}, {12,64}, {13,49}, {14,44}, {15,40},
{16,69}, {17,15}, {18,23}, {18,43}, {19,82}, {20,81}, {21,32}, {21,61},
{22,5}, {23,66}, {24,13}, {24,45}, {25,12}, {25,35}
{16,69}, {17,15}, {18,23}, {18,43}, {19,82}, {20,81}, {21,32}, {22,5},
{23,66}, {24,13}, {24,45}, {25,12}, {25,35}, {26,61},
};

const int sega_315_5881_crypt_device::fn2_game_key_scheduling[34][2] = {
{0,0}, {1,3}, {2,11}, {3,20}, {4,22}, {5,23}, {6,29}, {7,38},
{8,39}, {9,47}, {9,55}, {9,86}, {9,87}, {9,90}, {10,50}, {10,53},
{11,57}, {12,59}, {13,61}, {13,64}, {14,63}, {15,67}, {16,72}, {17,83},
{18,88}, {19,94}, {20,35}, {21,17}, {21,92}, {22,6}, {22,11}, {23,85},
{24,16}, {25,25}
{18,88}, {19,94}, {20,35}, {21,17}, {22,6}, {22,11}, {23,85}, {24,16},
{25,25}, {26,92}
};

const int sega_315_5881_crypt_device::fn1_sequence_key_scheduling[20][2] = {
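Review bot: The header comment keeps the sentence "Note that this implementation considers that the counter initialization for ram decryption is 0 …" but, going by the -151,10 +151,6 line counts, loses the paragraph that said how the counter is initialised on M2 and M3, so the note now refers to a rule the comment no longer states (the rendered page has lost its +/- markers, so which lines went is inferred). One sentence giving the rule as currently understood should sit before that note. Separately, the scheduling tables now reference game-key bit 26 (`{26,61}`, `{26,92}`), matching the ">=27 bits" wording; a comment above them such as `// each pair: {game-key bit, subkey bit}` would document the columns, if that is indeed their meaning.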
6 changes: 3 additions & 3 deletions src/mame/machine/naomicrypt.c
Expand Up @@ -28,8 +28,8 @@ static const struct game_keys keys_table[] =
{
// name key gameid # year
// M2
{ "wldkicks", 0x00ae2901 }, // 25209801 2000
{ "toukon4", 0x012e2901 }, // 25349801 2000
{ "wldkicks", 0x052e2901 }, // 25209801 2000
{ "toukon4", 0x052e2901 }, // 25349801 2000
{ "ninjaslt", 0x000ca510 }, // 25469801 2000
{ "ninjaslt4", 0x000ca510 }, // 25469801 2000
{ "gunsur2e", 0x000680d0 }, // 25709801 2001
Expand Down Expand Up @@ -68,7 +68,7 @@ static const struct game_keys keys_table[] =
{ "alienfnt", 0x00174343 }, // 840-0048 2001
{ "alienfnta", 0x00174343 }, // 840-0048 2001
{ "crackdj2", 0x00428247 }, // 840-0068 2001
{ "vf4cart", 0x02ef2f96 }, // 840-0080 2002
{ "vf4cart", 0x06ef2f92 }, // 840-0080 2002
{ "pstone", 0x000e69c1 }, // 841-0001 1999
{ "suchie3", 0x000368e1 }, // 841-0002 1999
{ "doa2", 0x0008ad01 }, // 841-0003 1999
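Review bot: The three keys changed in `keys_table` duplicate information that naomi.c also carries as hashed 4-byte `rom_key` files, and nothing visible in this commit ties the two together. Here wldkicks and toukon4 both become 0x052e2901 while naomi.c gives their key files identical hashes, so the two do appear to encode the same value. A comment above the table, e.g. `// each key must match the set's rom_key file in naomi.c`, would tell the next person to update both places. The table starts and ends outside these hunks.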
