Capcom's excellent shooter 1942 is high profile at the moment, thanks to the excellent work done by minwah on replacing the god-awful main in-game music with something much more pleasing to the aural cavity.
In the new music thread RGP begged and grovelled for me to do a proper free-play with attract mode for the game, as the built-in one merely loads the game with 2 credits and sits on the menu screen. Not exactly good for avoiding screen burn then, Capcom.
So today I've been having a scan through the code and stumbled across a very sneaky little ROM check which happens about 18 minutes and 12 seconds after cold booting the board (to be precise, 65543 frames after cold booting, assuming MAME's emulation of 1942 is frame accurate).
ROM in the region $0000-$bfff is checked and a single 8-bit XOR accumulator is maintained in register A. This is then compared with the byte @ $001c and if they disagree the ROM(s) are assumed to be bad (i.e. tampered with).
What's even stranger is that if the ROM check fails the game continues running for about another minute before finally halting the CPU at frame 69407 (roughly 19 mins 17 secs after cold boot) with the following message :-
IMO it's a strange decision by Capcom to include this sneaky ROM check in the attract mode code but NOT include a ROM check in the service mode, where arguably it's needed more. To me this proves this was anti-bootlegging protection rather than anything else. The ROMs are NOT checked if free play mode is enabled.
For those that are interested, the ROM checking code starts at $711c. If you put a breakpoint at that address in MAME and run the game from a fresh launch it will hit the breakpoint at frame 65543.
Now that I've broken their flimsy protection I can continue with the rest of my day!
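An added example, not part of the original post and not Capcom's code: a Python model of the check as described (8-bit XOR over $0000-$bfff compared with the byte at $001c), run over a constructed image beside a SHA-256 comparison, to show what this kind of check does and does not detect. The flat image layout, the function names and the sample data are assumptions made for the illustration.

```python
import hashlib
from functools import reduce
from operator import xor

REGION_START, REGION_END = 0x0000, 0xBFFF  # checked range, from the post
STORED_AT = 0x001C                         # comparison byte, from the post


def xor_accumulator(image: bytes) -> int:
    """XOR every byte of the checked range into one 8-bit value."""
    return reduce(xor, image[REGION_START:REGION_END + 1], 0)


def rom_check_passes(image: bytes) -> bool:
    return xor_accumulator(image) == image[STORED_AT]


def digest_matches(image: bytes, known_good: str) -> bool:
    region = image[REGION_START:REGION_END + 1]
    return hashlib.sha256(region).hexdigest() == known_good


def make_sample_image() -> bytearray:
    """Constructed filler data, not a real ROM dump."""
    img = bytearray((i * 37 + 11) & 0xFF for i in range(REGION_END + 1))
    # Balance one filler byte so the constructed image passes the check.
    img[REGION_END] ^= xor_accumulator(img) ^ img[STORED_AT]
    return img


def demo() -> dict:
    good = make_sample_image()
    known_good = hashlib.sha256(good).hexdigest()

    one_change = bytearray(good)
    one_change[0x2000] ^= 0x01            # a single altered bit

    two_changes = bytearray(good)
    two_changes[0x2000] ^= 0x01           # same bit altered in two bytes:
    two_changes[0x2001] ^= 0x01           # the XOR accumulator is unchanged

    return {
        "xor_good": rom_check_passes(good),
        "xor_one_change": rom_check_passes(one_change),
        "xor_two_changes": rom_check_passes(two_changes),
        "sha_two_changes": digest_matches(two_changes, known_good),
    }
```

An XOR accumulator catches a single corrupted byte but carries only 8 bits of state, so changes that cancel each other out leave it untouched; a digest over the same range does not have that property.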