I futzed around a bit with the function that sends the initial 20 bytes to the protection device last night. I discovered that if I killed the random number that it used as a seed and made it 1, the game would simply dump out the key bytes. Heartened, I wrote some functionality to take those bytes and fashion an appropriate 8-byte return value from them, and with only a 4-byte patch to always return 1 rather than a nuclear NOP-out of nearly an entire function, all the games started firing up.
Even better, I had a hunch that since the main CPU never sends any kind of key to the MCU, perhaps the values themselves are symmetric. It turns out that they are, and so any seed - not just 1 - will work with the same algorithm. So the patch could go, but the functionality stayed. Hooray - all the games will run with no RAM patching!
Now for the bad part: Quizard 3.2, 4.1 and 4.2 all still refuse to go in-game for reasons unknown. They don't try to chat up the microcontroller in any way, so it must just be what the MCU is returning that they *eventually* don't like.
Quizard 2.2, however, is fully playable. Pictures: