SNK NeoGeo X v370
Hacking the Ninja Master's SD card
Soon after the NeoGeo X handheld was released, people abroad started hacking it. Part of it is the urge to push the device to its limits, but the main goal is to play more NeoGeo games. I naturally wanted to join in, and pick up a few more reverse-engineering techniques along the way. Where to start? When foreign sites first tore the NeoGeo X down, they found that it used a MicroSD card in place of an internal flash IC. Hackers mounted that MicroSD on a PC and analysed it, discovered that the handheld runs the FBA emulator, converted other NeoGeo games to FBA format, replaced the original files, and the swapped-in games actually ran. I would have loved to get one of those units, but later NeoGeo X units replaced the MicroSD with a flash IC, so hacking a later unit through the MicroSD route is not easy. How do you tell whether your unit has a MicroSD or a flash IC? On the main screen, press the Menu button and the firmware version is shown: v370 and later (v370 included) are confirmed to use a flash IC; only units below v370 may still have a MicroSD. My NeoGeo X is v370, so I can only try to hack it without opening the case, and the one way in is the SD card slot: SNK ships a Ninja Master's SD card with the NeoGeo X, so analysing that card is the best starting point.
First I plugged the Ninja Master's SD card into a PC. It shows up as an unknown format: both Windows and Linux refuse to mount it and report an unrecognised filesystem, so it is clearly not FAT, NTFS or any Linux filesystem. I then used WinHex to look at the raw MBR sector (sector 0), shown below:
```
00000000h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000090h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ; ................
000001c0h: 01 00 08 02 60 F1 4E 00 00 00 E9 F1 08 00 00 00 ; ....`.N.........
000001d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA 55 ; ...............U
```
The layout resembles an MBR: the partition table starts at offset 0x1BE (the row at 0x1C0 in the dump holds most of the first 16-byte entry) and the two-byte signature sits at 0x1FE. Reading the first entry as an MBR entry, the partition type byte at 0x1C2 is 0x08, which the partition-ID tables list as an AIX boot partition, and the starting LBA at 0x1C6 reads 0x4E, i.e. sector 78. Yet sector 78 on the card is all zeros, and the sector ends with AA 55 where a valid MBR must end with 55 AA. Something was clearly off with this sector. The more I looked at it, the more I suspected the data had been encrypted somehow, in which case continuing the analysis this way could go on forever.
Later I went back to the foreign NeoGeo sites and found an expert explaining that the external SD card slot's data lines are cross-wired (a jumper design), so the raw data cannot be read directly. The expert kindly provided a C conversion tool that restores the data. Their tool works through a lookup table; I rewrote it with plain bit tests so the mapping is visible, as follows:
```c
#include <stdio.h>
#include <stdint.h>

#define RW_SIZE (1024 * 32)

/* Reverse the bit order inside each nibble: bit0<->bit3, bit1<->bit2,
 * bit4<->bit7, bit5<->bit6.  The mapping is its own inverse, so the same
 * program both decodes a raw card image and re-encodes a modified one. */
static uint8_t fix_byte(uint8_t b)
{
    return (uint8_t)(((b & 0x01) ? 0x08 : 0x00) |
                     ((b & 0x02) ? 0x04 : 0x00) |
                     ((b & 0x04) ? 0x02 : 0x00) |
                     ((b & 0x08) ? 0x01 : 0x00) |
                     ((b & 0x10) ? 0x80 : 0x00) |
                     ((b & 0x20) ? 0x40 : 0x00) |
                     ((b & 0x40) ? 0x20 : 0x00) |
                     ((b & 0x80) ? 0x10 : 0x00));
}

int main(int argc, char **argv)
{
    FILE *in, *out;
    uint8_t buffer[RW_SIZE];
    size_t size, i;

    if (argc != 3) {
        printf("%s <input_file> <output_file>\n\n", argv[0]);
        return 1;
    }
    /* Binary mode matters: with "r"/"w" on Windows the C runtime would
     * translate 0x0A/0x0D bytes and silently corrupt the image. */
    in = fopen(argv[1], "rb");
    if (in == NULL) {
        printf("Unable to open input file: %s\n", argv[1]);
        return 1;
    }
    out = fopen(argv[2], "wb");
    if (out == NULL) {
        fclose(in);
        printf("Unable to open output file: %s\n", argv[2]);
        return 1;
    }
    printf("Processing...\n");
    while ((size = fread(buffer, 1, RW_SIZE, in)) > 0) {
        for (i = 0; i < size; i++)
            buffer[i] = fix_byte(buffer[i]);
        fwrite(buffer, 1, size, out);
    }
    printf("Completed\n");
    fclose(in);
    fclose(out);
    return 0;
}
```
Reading the code, one sees that the bit order inside each 4-bit nibble is reversed: bit 0 swaps with bit 3, bit 1 with bit 2, and likewise bits 4 to 7. That is exactly what cross-wiring the four data lines of each nibble would produce. Impressive that SNK came up with a hardware trick like this to stop the card from being analysed by software alone. Note that this is obfuscation, not encryption: the mapping is a fixed involution, so running the same program over its own output returns the original bytes, and one tool serves for both decoding a dump and re-encoding a modified image.
After running the dump through this program, I looked at the MBR sector again, and it now has the expected layout:
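To show concretely what the transform does to the sector just dumped, here is an added example of my own (not the author's tool and not code from the NeoGeo X). It builds the same 256-entry table a lookup-table version would use, applies it to a constructed 512-byte sector holding only the partition entry and signature copied from the raw dump above (everything else assumed zero), and parses the partition table both before and after descrambling. The offsets used (entries at 0x1BE, 16 bytes each, signature at 0x1FE) are the standard MBR layout.

```python
import struct

# The NeoGeo X card slot wires the four data lines of each nibble in reverse
# (D0<->D3, D1<->D2, D4<->D7, D5<->D6), so every byte read back has the bit
# order inside each nibble reversed.  The mapping is an involution.
def reverse_nibble_bits(b: int) -> int:
    lo = ((b & 0x01) << 3) | ((b & 0x02) << 1) | ((b & 0x04) >> 1) | ((b & 0x08) >> 3)
    hi = ((b & 0x10) << 3) | ((b & 0x20) << 1) | ((b & 0x40) >> 1) | ((b & 0x80) >> 3)
    return hi | lo

# 256-byte translation table: equivalent to the lookup-table version of the tool.
NIBBLE_TABLE = bytes(reverse_nibble_bits(b) for b in range(256))

def descramble(data: bytes) -> bytes:
    """Undo (or apply) the nibble bit reversal over a whole buffer."""
    return bytes(data).translate(NIBBLE_TABLE)

# Constructed 512-byte sector: zero except for the first partition entry
# (offset 0x1BE) and the signature (0x1FE), copied from the raw dump.
RAW_MBR = bytearray(512)
RAW_MBR[0x1BE:0x1CE] = bytes.fromhex("00 08 01 00 08 02 60 F1 4E 00 00 00 E9 F1 08 00")
RAW_MBR[0x1FE:0x200] = bytes.fromhex("AA 55")
RAW_MBR = bytes(RAW_MBR)

def _chs(head: int, sect: int, cyl: int) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    return (((sect & 0xC0) << 2) | cyl, head, sect & 0x3F)

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, 0x1FE)[0]
    partitions = []
    for i in range(4):
        off = 0x1BE + 16 * i
        (status, h0, s0, c0, ptype, h1, s1, c1,
         lba_start, sectors) = struct.unpack_from("<8BII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": _chs(h0, s0, c0),
            "chs_end": _chs(h1, s1, c1),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"signature_ok": signature == 0xAA55, "partitions": partitions}

if __name__ == "__main__":
    for label, sector in (("raw", RAW_MBR), ("descrambled", descramble(RAW_MBR))):
        info = parse_mbr(sector)
        print(label, "signature ok:", info["signature_ok"])
        for p in info["partitions"]:
            print("  type=0x%02X lba=%d sectors=%d chs_start=%s chs_end=%s"
                  % (p["type"], p["lba_start"], p["sectors"], p["chs_start"], p["chs_end"]))
```

On the raw bytes the parser reports a bad signature, type 0x08 and a start at sector 78; after descrambling it reports type 0x01 (FAT12), start sector 39 and 129145 sectors, and the CHS start (0, 1, 8) and end (504, 4, 32) are consistent with that LBA range for an 8-head, 32-sector geometry, which is a useful cross-check when the bytes you are looking at might still be scrambled.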
```
00000000h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000090h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ; ................
000001c0h: 08 00 01 04 60 F8 27 00 00 00 79 F8 01 00 00 00 ; ....`.'...y.....
000001d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ; ..............U.
```
The sector now ends with 0x55 0xAA, so this is a valid MBR. The first partition entry (type 0x01, FAT12) says the partition starts at sector 39 (0x27). Reading sector 39 shows the volume boot sector, which carries the BIOS Parameter Block (BPB); it is reproduced here:
```
00000000h: EB 00 90 4D 53 57 49 4E 34 2E 31 00 02 20 01 00 ; ...MSWIN4.1.. ..
00000010h: 02 00 02 00 00 F8 0C 00 20 00 08 00 27 00 00 00 ; ........ ...'...
00000020h: 79 F8 01 00 80 00 29 67 45 23 01 55 44 49 53 4B ; y.....)gE#.UDISK
00000030h: 20 20 20 20 20 20 46 41 54 31 32 20 20 20 33 C9 ;       FAT12   3.
00000040h: 8E D1 BC FC 7B 16 07 BD 78 00 C5 76 00 1E 56 16 ; ....{...x..v..V.
00000050h: 55 BF 22 05 89 7E 00 89 4E 02 B1 0B FC F3 A4 06 ; U."..~..N.......
00000060h: 1F BD 00 7C C6 45 FE 0F 38 4E 24 7D 20 8B C1 99 ; ...|.E..8N$} ...
00000070h: E8 7E 01 83 EB 3A 66 A1 1C 7C 66 3B 07 8A 57 FC ; .~...:f..|f;..W.
00000080h: 75 06 80 CA 02 88 56 02 80 C3 10 73 ED 33 C9 FE ; u.....V....s.3..
00000090h: 06 D8 7D 8A 46 10 98 F7 66 16 03 46 1C 13 56 1E ; ..}.F...f..F..V.
000000a0h: 03 46 0E 13 D1 8B 76 11 60 89 46 FC 89 56 FE B8 ; .F....v.`.F..V..
000000b0h: 20 00 F7 E6 8B 5E 0B 03 C3 48 F7 F3 01 46 FC 11 ;  ....^...H...F..
000000c0h: 4E FE 61 BF 00 07 E8 28 01 72 3E 38 2D 74 17 60 ; N.a....(.r>8-t.`
000000d0h: B1 0B BE D8 7D F3 A6 61 74 3D 4E 74 09 83 C7 20 ; ....}..at=Nt... 
000000e0h: 3B FB 72 E7 EB DD FE 0E D8 7D 7B A7 BE 7F 7D AC ; ;.r......}{...}.
000000f0h: 98 03 F0 AC 98 40 74 0C 48 74 13 B4 0E BB 07 00 ; .....@t.Ht......
00000100h: CD 10 EB EF BE 82 7D EB E6 BE 80 7D EB E1 CD 16 ; ......}....}....
00000110h: 5E 1F 66 8F 04 CD 19 BE 81 7D 8B 7D 1A 8D 45 FE ; ^.f......}.}..E.
00000120h: 8A 4E 0D F7 E1 03 46 FC 13 56 FE B1 04 E8 C2 00 ; .N....F..V......
00000130h: 72 D7 EA 00 02 70 00 52 50 06 53 6A 01 6A 10 91 ; r....p.RP.Sj.j..
00000140h: 8B 46 18 A2 26 05 96 92 33 D2 F7 F6 91 F7 F6 42 ; .F..&...3......B
00000150h: 87 CA F7 76 1A 8A F2 8A E8 C0 CC 02 0A CC B8 01 ; ...v............
00000160h: 02 80 7E 02 0E 75 04 B4 42 8B F4 8A 56 24 CD 13 ; ..~..u..B...V$..
00000170h: 61 61 72 0A 40 75 01 42 03 5E 0B 49 75 77 C3 03 ; aar.@u.B.^.Iuw..
00000180h: 18 01 27 0D 0A 49 6E 76 61 6C 69 64 20 73 79 73 ; ..'..Invalid sys
00000190h: 74 65 6D 20 64 69 73 6B FF 0D 0A 44 69 73 6B 20 ; tem disk...Disk 
000001a0h: 49 2F 4F 20 65 72 72 6F 72 FF 0D 0A 52 65 70 6C ; I/O error...Repl
000001b0h: 61 63 65 20 74 68 65 20 64 69 73 6B 2C 20 61 6E ; ace the disk, an
000001c0h: 64 20 74 68 65 6E 20 70 72 65 73 73 20 61 6E 79 ; d then press any
000001d0h: 20 6B 65 79 0D 0A 00 00 49 4F 20 20 20 20 20 20 ;  key....IO      
000001e0h: 53 59 53 4D 53 44 4F 53 20 20 20 53 59 53 7F 01 ; SYSMSDOS   SYS..
000001f0h: 00 41 BB 00 07 60 66 6A 00 E9 3B FF 00 00 55 AA ; .A...`fj..;...U.
```
This boot sector also ends with 0x55 0xAA, so the BPB is valid (the OEM name MSWIN4.1 and the "Invalid system disk" message identify it as a standard Windows 9x-style FAT boot sector).
The BPB fields decode as follows:
Field | Value
---|---
OEM Name | MSWIN4.1
Bytes Per Sector | 512 bytes
Sectors Per Cluster | 32 sectors (16 KiB clusters)
Reserved Sector Count | 1 sector
Number of FATs | 2
Root Directory Entry Count | 512 entries (32 sectors)
Media Descriptor | 0xF8 (fixed media)
FAT Size | 12 sectors per FAT
Sectors Per Track | 32
Number of Heads | 8
Hidden Sectors | 39 (matches the partition start LBA in the MBR)
Total Sectors | 129145 (129145 × 512 = 66,122,240 bytes, about 63 MiB)
Volume ID | 0x01234567
Volume Label | UDISK
File System Type string | FAT12
From the table, the Ninja Master's SD card is a FAT12 volume. Strictly speaking the FAT variant is decided by the cluster count, not by the "FAT12" string, but the count agrees: the data area is 129145 − (1 + 2 × 12 + 32) = 129088 sectors, which at 32 sectors per cluster gives 4034 clusters, below the FAT12 limit of 4085.
Next we need the root directory. It sits directly after the reserved sector and the two FATs, so counting from the partition start it is at sector 39 + 1 + 2 × 12 = 64 on the card. Its contents:
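As an added example of my own (not code from the original post), the following Python decodes the BPB from the first 64 bytes of the boot sector dumped above, derives the volume layout from it, and decides the FAT variant from the cluster count rather than trusting the "FAT12" string. The partition start of 39 passed in comes from the MBR analysis; the field offsets are the standard FAT12/FAT16 BPB layout, and the x86 boot code after offset 0x3E is not needed for this.

```python
import struct

# Constructed input: the first 64 bytes of the descrambled boot sector at
# sector 39, copied from the dump above.
BOOT_SECTOR_HEAD = bytes.fromhex(
    "EB 00 90 4D 53 57 49 4E 34 2E 31 00 02 20 01 00 "
    "02 00 02 00 00 F8 0C 00 20 00 08 00 27 00 00 00 "
    "79 F8 01 00 80 00 29 67 45 23 01 55 44 49 53 4B "
    "20 20 20 20 20 20 46 41 54 31 32 20 20 20 33 C9")

def parse_bpb(sector: bytes, partition_lba: int = 0) -> dict:
    """Decode a FAT12/FAT16 BPB and derive the on-disk layout from it.

    partition_lba is the partition start from the MBR; it turns the
    partition-relative sector numbers into absolute card sectors.
    """
    if len(sector) < 62:
        raise ValueError("need at least the 62-byte BPB + extended boot record")
    (bps, spc, reserved, nfats, root_entries, total16, media,
     fat_size, spt, heads, hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", sector, 11)
    drive, _, ext_sig, vol_id, label, fs_type = struct.unpack_from("<BBBI11s8s", sector, 36)

    # Sanity checks: a still-scrambled or non-FAT sector usually trips one of these.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector/cluster geometry")
    if nfats == 0 or fat_size == 0 or reserved == 0:
        raise ValueError("not a FAT12/FAT16 BPB (FAT32 stores its FAT size elsewhere)")

    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_data = reserved + nfats * fat_size + root_dir_sectors   # partition-relative
    clusters = (total - first_data) // spc
    # The variant is defined by the cluster count, not by the type string.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"

    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fat_count": nfats, "fat_sectors": fat_size,
        "root_entries": root_entries, "media": media,
        "sectors_per_track": spt, "heads": heads, "hidden_sectors": hidden,
        "total_sectors": total, "size_bytes": total * bps,
        "volume_id": vol_id if ext_sig == 0x29 else None,
        "label": label.decode("ascii", "replace").rstrip(),
        "fs_type_string": fs_type.decode("ascii", "replace").rstrip(),
        "cluster_count": clusters, "fat_type": fat_type,
        "hidden_matches_partition": hidden == partition_lba,
        "root_dir_lba": partition_lba + reserved + nfats * fat_size,
        "root_dir_sectors": root_dir_sectors,
        "first_data_lba": partition_lba + first_data,
    }

if __name__ == "__main__":
    for key, value in parse_bpb(BOOT_SECTOR_HEAD, partition_lba=39).items():
        print(f"{key:26} {value}")
```

The derived numbers are the ones the rest of the analysis relies on: the root directory at card sector 64, 32 sectors long, and the first data cluster (cluster 2) at sector 96. The hidden-sectors check against the MBR start is cheap and catches images whose partition table and boot sector disagree.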
```
00000000h: 55 44 49 53 4B 20 20 20 20 20 20 08 00 00 00 00 ; UDISK      .....
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000020h: 41 63 00 61 00 72 00 64 00 5F 00 0F 00 AF 67 00 ; Ac.a.r.d._....g.
00000030h: 61 00 6D 00 65 00 00 00 FF FF 00 00 FF FF FF FF ; a.m.e...........
00000040h: 43 41 52 44 5F 47 7E 31 20 20 20 10 00 A8 E5 72 ; CARD_G~1   ....r
00000050h: 58 41 58 41 00 00 E6 72 58 41 02 00 00 00 00 00 ; XAXA...rXA......
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000090h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000190h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001a0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
```
FAT directory entries are 32 bytes each. The first entry, UDISK, is the volume label (attribute byte 0x08 at offset 0x0B). The next two entries together describe one item: a long-file-name entry (attribute 0x0F) holding the UTF-16 name "card_game", followed by its 8.3 entry CARD_G~1 with the directory attribute (0x10) and first cluster 2, with zero length as directories always have. So the card's root holds a single directory named card_game. Its contents are as follows:
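The three directory entries above, parsed by an added Python example of my own (not code from the original post): it handles the volume-label entry, reassembles the long file name from the 0x0F entry and verifies its checksum against the 8.3 name, and decodes the packed FAT timestamps. The first-data-sector value 96 and the 32-sector cluster size used by cluster_to_lba are derived from the BPB above (39 + 1 + 2 × 12 + 32 = 96); the sample bytes are the first 96 bytes of the dump.

```python
import struct
from datetime import datetime, timedelta

# Constructed input: the first three 32-byte entries of the root directory at
# sector 64, copied from the dump above.
ROOT_DIR = bytes.fromhex(
    "55 44 49 53 4B 20 20 20 20 20 20 08 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "41 63 00 61 00 72 00 64 00 5F 00 0F 00 AF 67 00 "
    "61 00 6D 00 65 00 00 00 FF FF 00 00 FF FF FF FF "
    "43 41 52 44 5F 47 7E 31 20 20 20 10 00 A8 E5 72 "
    "58 41 58 41 00 00 E6 72 58 41 02 00 00 00 00 00")

ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F

# Layout values derived from the BPB: the root directory at sector 64 is 32
# sectors long, so cluster 2 begins at sector 96; clusters are 32 sectors.
FIRST_DATA_LBA, SECTORS_PER_CLUSTER = 96, 32

def cluster_to_lba(cluster: int) -> int:
    """Absolute card sector where a data cluster (numbered from 2) starts."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return FIRST_DATA_LBA + (cluster - 2) * SECTORS_PER_CLUSTER

def lfn_checksum(short_name: bytes) -> int:
    """Checksum of the 11-byte 8.3 name that every LFN entry carries at byte 13."""
    s = 0
    for c in short_name:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s

def fat_datetime(date: int, time: int, hundredths: int = 0):
    """Decode packed FAT date/time; an all-zero date (as on label entries) is None."""
    if date == 0:
        return None
    base = datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    return base + timedelta(milliseconds=hundredths * 10)

def parse_root_dir(data: bytes) -> list:
    """Walk 32-byte entries, pairing each LFN chain with the 8.3 entry that follows."""
    entries, lfn_parts, lfn_sum = [], {}, None
    for off in range(0, len(data) - len(data) % 32, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:
            break                                   # no more entries
        if e[0] == 0xE5:
            lfn_parts.clear(); continue             # deleted entry
        attr = e[11]
        if attr == ATTR_LFN:
            if e[0] & 0x40:
                lfn_parts.clear()                   # 'last' flag starts a new chain
            lfn_sum = e[13]
            # Three UTF-16LE fragments per entry: 5 + 6 + 2 characters.
            lfn_parts[e[0] & 0x1F] = e[1:11] + e[14:26] + e[28:32]
            continue
        name = bytes(e[0:11])
        long_name = None
        if lfn_parts and lfn_sum == lfn_checksum(name):   # orphaned chains are dropped
            raw = b"".join(lfn_parts[k] for k in sorted(lfn_parts))
            long_name = raw.decode("utf-16-le").split("\x00", 1)[0]
        lfn_parts.clear()
        (tenth, ctime, cdate, adate, hi, mtime, mdate, lo,
         size) = struct.unpack_from("<BHHHHHHHI", e, 13)
        if attr & ATTR_VOLUME_ID:
            short = name.decode("ascii", "replace").rstrip()
        else:
            base = name[:8].decode("ascii", "replace").rstrip()
            ext = name[8:].decode("ascii", "replace").rstrip()
            short = base + ("." + ext if ext else "")
        entries.append({
            "short_name": short, "long_name": long_name, "attr": attr,
            "is_label": bool(attr & ATTR_VOLUME_ID),
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo, "size": size,
            "created": fat_datetime(cdate, ctime, tenth),
            "modified": fat_datetime(mdate, mtime),
        })
    return entries

if __name__ == "__main__":
    for ent in parse_root_dir(ROOT_DIR):
        kind = "label" if ent["is_label"] else "dir" if ent["is_dir"] else "file"
        print(f"{kind:5} {ent['short_name']:12} {ent['long_name'] or '':12} "
              f"cluster={ent['first_cluster']} size={ent['size']} modified={ent['modified']}")
```

Two details worth checking on any card you analyse: the LFN checksum byte 0xAF in the dump really is the checksum of "CARD_G~1   ", which confirms the LFN entry belongs to that 8.3 entry and that the descrambled bytes are intact, and the directory's modification timestamp decodes to 2012-10-24 14:23:12, a plausible mastering date for a card that shipped with the handheld. With cluster 2 mapping to sector 96, the card_game directory's own entries are the next thing to dump.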