Hacking Help decompressing/compresing "game.bin.z" from VC game

[sr_corsario]

Ironcland is a neogeo-CD game, however nintendo (or snk) did a remake using the originals "music" (music tracks) to generate the needed "V" files (samples) and the "M" file (Z80 program, sound driver). Getting a "small" game.

Note: As you provably know, it was from the virtual console game where was posible to build a "special" neogeo cartridge




Metal slug 3 is not the biggest neogeo game, however is the biggest game played as genuine on the virtual console.
And yes, it use a new compression or this time... encryption (or looks like to me)

 

[G0dLiKe]

anything newish here?

 

[sr_corsario]

No news...

I asked on:

http://encode.ru/for...ata-Compression
http://forum.xentax....wforum.php?f=15
http://www.romhackin.../board,4.0.html
http://asmodean.bbs.fc2.com/
http://www.elotrolad...ug-3-vc_1759860
and here obviouslly xD
Moreover on dolphin emulator issues list http://code.google.c...emu/issues/list

And request to many of the relevants wii sceners.


Anyone know somewhere to ask¿?¿?

Thanks in advance.

Apsss!! About investigation into memory dump from dolphin... I got reasonable data from a "old" game (on dump exist the compressed and uncompressed game...), however on the metal slug 3 memory dump i cant succed... (possibly because the game doesnt work on it)

 

[themanuel]

Related question:
Some games are said not to work on emunand with d2x because they use compression. If I somehow decompress one of these games and inject it back uncompressed into the wad, would I run into trouble if the size is greater than 40MB?
By the way, I still don't know how I can uncompressed them...

 

[sr_corsario]

Related question:
Some games are said not to work on emunand with d2x because they use compression. If I somehow decompress one of these games and inject it back uncompressed into the wad, would I run into trouble if the size is greater than 40MB?
By the way, I still don't know how I can uncompressed them...

Many vc games are compressed... I mean ... the "original" rom. But thats not new, have a look to n64, snes, megadrive(genesis)... or neogeo...
Probably is some quint of incompatibillity but is extrange for me to think about a compression problem because is the "original" 1.app from the game who decompress (when the game is loaded) the compressed rom stored in the nand. And well ... if we decompress the rom ourself and reinject it again, the emulator (1.app) will not work becouse will try to decompress again... Well all of this is my supposition...

PD:However... the problem could be on the size of memory saved to load the nandemu+1.app+loader ... its just an idea... just talking into my ignorance...

 

[themanuel]

Many vc games are compressed... I mean ... the "original" rom. But thats not new, have a look to n64, snes, megadrive(genesis)... or neogeo...
Probably is some quint of incompatibillity but is extrange for me to think about a compression problem because is the "original" 1.app from the game who decompress (when the game is loaded) the compressed rom stored in the nand. And well ... if we decompress the rom ourself and reinject it again, the emulator (1.app) will not work becouse will try to decompress again... Well all of this is my supposition...

PD:However... the problem could be on the size of memory saved to load the nandemu+1.app+loader ... its just an idea... just talking into my ignorance...

Well, that makes sense.
I won't even bother to try.
Gracias, señor.

 

[sr_corsario]

Some of us have made some testing with mslug3 and shock troopers (genuine) swapping the "game file" from one to the other... The result... none of them working...

Is it possible to use a personal key encryption in each game?¿ or is just a crc/sha1/Md5 check somewhere¿?

Any idea¿?¿?

 

[sr_corsario]

I got some help:

BMS script.

the files have the CR00 magic at the beginning and the rest is encrypted with AES using a key and an ivec.
looks like both are generated for each file... don't know.
anyway even after decrypting the file (the key is correct but it's not that easy to debug) the content means nothing.

if someone is interested the following was my work-in-progress test script for Shock Troopers:

idstring "CR00"
#getdstring IVEC 0x10   # ivec or hash or what?
savepos OFFSET
get SIZE asize
math SIZE -= OFFSET
encryption aes "\x88\x2A\x16\xFB\x4E\x08\xD9\x9C\x19\x2D\x98\x68\xEB\xA3\xB7\x99" "\xF4\xC1\x23\xF2\xF3\xAD\x49\xA1\xC3\xC7\xD4\xB1\xE2\x91\x65\x2D"
# "\xD1\xF4\x55\xF2\x0F\x10\x5D\x8A\x0C\x8C\xD3\xFA\x56\x32\x30\xE5" ivec xored with first 16 bytes?
log "test.dat" OFFSET SIZE

or

idstring "CR00"
getdstring IVEC 0x10
savepos OFFSET
get SIZE asize
math SIZE -= OFFSET
set IVECX binary "\xD1\xF4\x55\xF2\x0F\x10\x5D\x8A\x0C\x8C\xD3\xFA\x56\x32\x30\xE5"
string IVEC ^= IVECX
encryption aes_128_cbc "\x88\x2A\x16\xFB\x4E\x08\xD9\x9C\x19\x2D\x98\x68\xEB\xA3\xB7\x99" IVEC
log "test.dat" OFFSET SIZE

so nothing is finished and I'm not interested in this thing

Any one can do something?¿

Now i can say... each game is encrypted with a diferent key (as we thought) because making a comparison between game.bin.z from pal and japanese version of metal slug 3 they are DIFFERENTS!! but with the same file size...

 

[givemesomewiistu]

I was starting to believe they were using individual encryptions for each game a month or two ago, now it looks to be confirmed.

Also, this game.bin.z is confusing me. Previous NeoGeo game.bin.z files used zlib compression, if this one is using zlib compression, it isn't the standard zlib I'm used to.

 

[bikerspade]

Has any progress been made on decompressing / decrypting these game.bin.z files?

 

[SaulFabre]

Has any progress been made on decompressing / decrypting these game.bin.z files?

Sorry for bump

@bikerspade @sr_corsario (if you're still interested in it)

But looks like someone had made some ass investigation on some latest NeoGeo Wii VC games for see what's going on with the game.bin.z compression.
In this fork of vcromclaim made by user JanErikGunnar:

https://github.com/JanErikGunnar/vcromclaim

The guy was even nice for document something of the latest compression used in those newer NeoGeo VC games for Wii, which is explained here: https://github.com/JanErikGunnar/vcromclaim/blob/master/neogeo_readme.txt

It requires Python 3.8 or newer if you want to run it

Important notes about decompressing newer NeoGeo VC games on Wii can be found in the README of this project: https://github.com/JanErikGunnar/vcromclaim#readme

 

[sr_corsario]

@SaulFabre
Incredible, possibilities finally appear

 

[totakeke95]

I have a similar problem with several files from a WAD but it is not a VC game but a WiiWare game, specifically FF CC My life as a king. In its internal files I saw a files something like this but instead of .bin.z it was bin.t
They are files where the text is found of the game and my intention is modify them but first I need to uncompressed them.

Someone knows something about it? Some program or tool that can extract that type of file.

 

[JanErikGunnar]

Hello!

It only took 11 years but I recently updated my fork of vcromclaim to automatically calculate the encryption key and decrypt/decompress most games now.

I can clear up some things:

Some WC NG games are raw (at least two different file formats exist)

Some (bin.z) are compressed with zlib)

Some (bin.zx) are compressed with LZMA and encrypted with AES

The AES key is calculated using the content of banner.bin AND the first 20 bytes of the compressed ROM archive. (The actual encrypted data starts after that.) (It's also using some other data for input, that is found in other app files, that seems to be the same for every game.) So if swapping encrypted ROMs you would need to decrypt and re-encrypt the ROMs with the correct key. Replacing/changing banner.bin would require the same. I would not be surprised if the emulator does additional checks to make sure the game hasn't been tampered with though, so this might not be enough.

All encryption used by original NG hardware has been decrypted in the Wii versions, probably to save performance and memory on the Wii. Thus some games extracted from Wii have to be encrypted with the original algorithms to be playable in MAME. Also most likely the VC emulator will NOT accept games with their original encryption.

Some games also have different encodings and compression of the graphics, they probably would not fit into RAM if they didn't.

Note that the Wii does NOT have a lot of RAM, and the entire game MUST fit in RAM. Hence I guess some of the largest will simply never be possible to inject.

As you see, there are plenty of different formats. I don't know how flexible the VC emulator is, whether each game is bundled with a customized emulator or whether they will happily accept different file formats.

Let me know if you wonder anything.
If there is some NG game that vcromclaim can't export, please create a bug.

DISCLAIMER: I won't touch anything illegal, I'm doing this for the sake of preservation only.

 

[SaulFabre]

Some are zipped

@JanErikGunnar

Another question i have about these that are only zipped...

AFAIK these first-gen game.bin.z files were compressed using a variant of ZLIB, but AFAIK only a tool called SimplyZip (by Dirk Paehl) can handle these.

Do you know or have idea what exact kind or type of ZLIB is used in these first game.bin.z files? (Ex. The ones from KOF97, KOF95, Samurai Shodown III)

Thanks

 

[JanErikGunnar]

Do you know or have idea what exact kind or type of ZLIB

Not really, I just use zlib in Python, this is literally all the code in vcromclaim to decompress them:

import zlib
decompressed = zlib.decompress(compressed)


HOWEVER I don't own any of the games you mention, if they use a different algorithm I don't know (and vcromclaim probably isn't able to extract them)

 

[SaulFabre]

Not really, I just use zlib in Python, this is literally all the code in vcromclaim to decompress them:

import zlib
decompressed = zlib.decompress(compressed)


HOWEVER I don't own any of the games you mention, if they use a different algorithm I don't know (and vcromclaim probably isn't able to extract them)

All of these games i mentioned now used the same zlib variant, and ARE injectable.

Welp, looks like it needs more investigation.

Thanks for responding.

 

[JanErikGunnar]

All of these games i mentioned now used the same zlib variant, and ARE injectable.

Welp, looks like it needs more investigation.

Thanks for responding.

To clarify - Metal Slug 3, Magical Drop 3 and Spinmaster definitely works with the zlib that vcromclaim is using. Are you saying e.g. Samurai Showdown 3 is using a different zlib version than those?

zlib AFAIK is the "original" library, what libraries did you try that didn't work?

BTW, I was technically wrong to call them "zipped", as they are not compressed with ZIP/PKZip etc. I've corrected my post above.

Post automatically merged: Sep 1, 2023

Or are you saying your problem is only when injecting? zlib might certainly accept more compression variants than the Wii emulator does. In that case I'm not sure exactly what the emulator wants, maybe there are functions to call on zlib to show exactly what compression is used on the original games.

 

[SaulFabre]

Are you saying e.g. Samurai Showdown 3 is using a different zlib version than those?

Maybe yes, but the most simple one without that confusing AES encryption, only the zlib compression.
Spin Master and Magical Drop 3 also use the same simple zlib compression (but what type? Idk.)

Also, isnt it supposed that Metal Slug 3 also use AES encryption? Sorry for my ignorance :v

 

[JanErikGunnar]

Sorry, I meant Metal Slug 2. MS3 indeed use AES.

I'm not really sure I understand what problem you are facing?

(FYI, I don't think AES encrypted games use zlib, they use LZMA instead. Not really sure LZMA is more or less difficult than zlib, there are external libraries available for both.)