APPLICATIONS

It can be said that reverse engineering is a natural practice, born of
human curiosity, and used in every field of engineering. Probably every
parent has watched their child enthusiastically take apart a new toy to
see what is inside.

Without doubt, ever since man began to use his talent to build objects,
other men have been ready to observe them, use them and take them apart,
in order to understand how they worked and how to build equal or better
ones.

For example, an anecdote reports that the inventor of the accordion,
Paolo Soprani, in 1863 gave hospitality to an Austrian who had with him a
mysterious sound box; he had it given to him, opened it, studied how it
worked and, by making several modifications to the mechanisms and
dimensions, arrived at the prototype of the popular instrument <10>.

Reverse engineering has many applications and various methods of use.
Some of them are listed below.

In its most obvious form, reverse engineering is simply the study of any
object in order to identify its principles of operation or production. To
stay competitive on the market, every company must examine what its
competitors produce, so as to offer better features at a lower price.
Precisely to protect innovators from easy copies, patents exist. Whoever
invents a new product or a new technique can register it and secure, for
a limited period of time, the exclusive right to exploit it. A patent
renders reverse engineering useless, for two reasons: first, because the
technique could not in any case be used by others without paying
substantial compensation to the patent holder; second, because to obtain
a patent it is necessary to supply a detailed description, accessible to
all. It can therefore be said that patents are an institutionalization of
the importance of the exchange of ideas for the purpose of accelerating
progress. To avoid long and expensive reverse engineering processes,
inventors are guaranteed the exclusive use of their works, and are asked
in exchange to make them public instead of keeping them secret.
Thanks to the evolution of technologies for digitizing three-dimensional
objects and to the development of new programs for processing the
resulting data, in recent years reverse engineering has become very
important as a methodology for creating and developing models with CAD
(Computer Aided Design). In this case what is studied is not an object
built by other people, but a prototype (possibly to scale) of the product
of which a mathematical model is to be created. The object can be
anything, from a shoe to the body of a car. The prototype is created by
the engineer or designer, after which its shape is scanned with
appropriate equipment and stored in a computer as a point cloud. Once
acquired, the data are processed and converted into curves and surfaces
that describe the object inside the CAD program. With this system it is
possible to go very quickly from the designer's idea to a computerized
model, on which all development is carried out, finally arriving at
series production. Costs and times are considerably lower than those of
traditional design.

The same technique can also be used to obtain computerized models of
objects that already exist on the market but were initially produced
without CAD techniques.

By way of example, <11> and <12> are the sites of two of the many
companies specialized in this field.

OCR (Optical Character Recognition) programs can also be thought of as a
form of reverse engineering: in this case the objects under study are
pages of text, from which documents editable in a word processor are
obtained.
Among all the physical objects that can be reverse engineered, electronic
devices are particularly interesting. It is well known that PC-compatible
computers were born as a result of the reverse engineering of the
original produced by IBM. IBM also tried to block the production of
clones with a lawsuit, but failed in its attempt because the reverse
engineering had been carried out in full compliance with all laws.

Reverse engineering an electronic board serves not only to copy it, but
also to repair it when the electrical schematics are missing.

With the spread of consumer electronics, a great number of enthusiasts
have been able to devote themselves to amateur reverse engineering. In
<13> there are links to serious (not all!) reverse engineering projects
for several widespread electronic devices, often sold as toys but complex
inside: from LEGO Mindstorms to Tamagotchi to Furby.
Reverse engineering of software is a field that has become very important
in recent years. Information systems constantly need to be kept up to
date, for the most varied reasons: changes in technology, expansion of
the services offered, new laws, the single currency, the year 2000...

Given an existing program or system, its structure and operation can be
studied in order to improve understanding of it, rewrite the
documentation, add new functionality, correct errors, or convert the
program to another programming language.

Understanding even a relatively small program, however, is a complex
process that requires good knowledge of the language in which the program
is written, of the system libraries, of the algorithms used, and of the
application domain (mathematical, economic, etc.).

When dealing with a program whose source code is unavailable or has been
lost, the program can be decompiled, using programs that make it possible
to obtain, from the executable alone, a source in assembly language or
even in a higher-level language (for example C).

Sometimes the program itself is of no interest, and one only wants to
understand the data it uses. For example, one may want to migrate a
database, or examine the files saved by a competitor's program so as to
be able to load them in one's own.

A useful example of reverse engineering of data, on which I, among
others, collaborated, concerns a brand of programmable universal remote
controls. These remote controls store their configuration on an EEPROM,
which can be read and written from outside through a connector located
inside the battery compartment. By interfacing the remote control to a
PC, the way the data were organized in the EEPROM was studied, and it
became possible to write a program to modify the configuration directly
from the PC; moreover, since the EEPROM can also contain small programs,
it was possible to modify the operation of the remote control itself,
adding functionality not foreseen by the manufacturer. A description of
the work carried out is found in <14>.
2. SIMULATORS AND EMULATORS

DEFINITIONS AND EXAMPLES

Simulation and emulation are two terms widely used in computer science,
but their meaning can vary according to the field of use, so much that in
some cases they can be considered nearly synonymous.

What follows are the definitions taken from the online dictionary Digita
Garzanti <15>:
Lemma: emulazione (emulation)
Syllabification/Phonetics: [e-mu-la-zio-ne]
Etymology: From Lat. aemulatione(m), deriv. of aemulus "emulator, rival"
Definition: n. f.
1 the act of emulating; the attitude of one who tries to equal or surpass
others, mostly in a context of positive values: spirit of emulation,
competitive fervor
2 act of emulation, (law) emulative act
3 (comput.) the ability of a piece of hardware or a software product to
work by imitating the procedures of a different machine or program.

Lemma: simulare (to simulate)
Syllabification/Phonetics: [si-mu-la-re]
Etymology: From Lat. simulare, properly "to make, to render similar",
deriv. of similis "similar"
Definition: v. tr. [I simulate etc.]
1 to display insincere feelings: to simulate friendship, interest in
someone | to show what one does not have, to try to make believe
something that is not so: to simulate madness
2 (by ext.) to imitate: to simulate birdsong
3 (scient.) to artificially reproduce the conditions in which a process
or a phenomenon takes place, in order to study it and verify its effects:
to simulate space flight.
As can be seen, the definition of emulation is very clear and specific,
while simulation covers a much broader and more generic domain. Things
are further complicated by the fact that the latter term can be used both
in meaning no. 3 (to artificially reproduce a process) and in meaning
no. 2 (to imitate). Depending on the type of use, simulators and
emulators of the same object can do similar or completely different
things and, almost paradoxically, the simulator can be either much less
detailed or much more detailed than the corresponding emulator. Let us
look at some examples.

One of the best-known simulators in electronics is SPICE (Simulation
Program for Integrated Circuits Emphasis). This program makes it possible
to analyze the operation of electronic circuits, both analog and digital.
SPICE uses the laws of physics to reproduce in detail the characteristics
of the various components of the circuit, also taking operating
temperature into account.

If the circuit being simulated is digital, an emulation could also be
performed, reproducing the behavior of the logic gates using Boolean
algebra rather than the physical properties of the chip.

In this case, simulator and emulator have different purposes: the former
is more oriented to the physical characteristics of the circuit, the
latter to the logical and practical ones. The simulator reproduces with
greater precision the operating details of all the components of the
circuit, while the emulator reproduces only the logical operation of the
circuit as a whole. The simulator, being more complex, is slower than the
emulator.
One of the most common applications of simulators and emulators is in the
development of software for microprocessors. In this field, a simulator
usually means a piece of software that reproduces the operation of the
microprocessor, allowing a program to be executed through an interpreter;
in this way one can study how the program would behave on the real
processor, examining what the contents of the internal registers would be
at every step, etc. An emulator, instead, usually denotes a
hardware/software combination that is connected to an electronic board in
place of the microprocessor and reproduces its operation in every
respect, while still allowing the flow of the program to be checked as
with the simulator. With the emulator it is therefore possible to study
the operation of the whole system being developed, not only of the
microprocessor.

In this case simulator and emulator have more or less the same purpose,
and the precision with which they reproduce the operation of the
microprocessor is the same; the only difference is that the emulator is
able to interface with other parts, while the simulator produces only a
virtual reproduction. Moreover, the emulator must work in real time,
while the simulator may not be able to.
Suppose we have an electronic object, for example a pocket calculator,
whose operation we want to reproduce on a personal computer. We can
proceed in two ways. The first is to use the calculator, observing how it
reacts to presses of the various keys, and to write a program on the PC
that behaves in the same way. The second is to create a model of the
calculator's hardware (microprocessor, LCD display, etc.) and write a
program that reproduces it; at the center of this program there will be
an emulator of the microprocessor which, unlike the previous example,
will be entirely software and, instead of being physically connected to
the calculator in place of its microprocessor, will interface with the
software reproduction of the calculator's hardware. It can be said that
the simulator reproduces the software of the calculator, while the
emulator reproduces the hardware.

In this case simulator and emulator have exactly the same purpose. The
emulator reproduces the operating details of the calculator with greater
precision, while the simulator reproduces only its general behavior. The
emulator, which must interpret the microprocessor's program in real time,
is slower than the simulator.

This last example is the closest to the subject we will deal with in this
thesis.
FORMAL DEFINITION

The literature on emulators lacks a treatment that gives a rigorous
arrangement to the concepts and methods of this field. The formal
definitions of emulator and simulator that I propose below make it
possible to begin a treatment of that kind.
They are U
1
= (Q
1
,
,
1
, q0
1
) and U
2
= (Q
2
,
,
2
, q0
2
) two blot some of Turing
universal, where
Q
1
, Q
2
insiemi ended of the states
ended entirety of the symbols
1
: Q
1
{ { STOP }
Q
1
}
{ L, R }
2
: Q
2
{ { STOP }
Q
2
}
{ L, R } transition functions
q0
1
Q
1
, q0
2
Q
2
states begin them
They are moreover:
with of all the sequences ended of symbols of
with of all it blots some to them of Turing that they use with of
symbols contained in
Two functions exist d
1
, d
2
:
that they associate to every M
appropriated description of M for the relative universal machine, cioe t.c.
M
,
, U
1
(d
1
(m)
) = M(
)
M
,
, U
2
(d
2
(m)
) = M(
)
Definition 1
The emulator for U_2 of M is the description of M for U_2, i.e. d_2(M).
Every emulator enjoys the following fundamental, albeit simple,
property.
It is
= d
2
(U
1
) the emulatore for U
2
of U
1
. It is had that
, U
2
(
) = U
2
(d
2
(U
1
)
) = U
1
(
)
from which it follows that
d
1
(
),
, U
2
(
) = U
1
(
)
Therefore the emulator for U_2 of U_1 makes it possible to execute on
U_2, with the same results, all machine descriptions valid for U_1.
The other thing that can be done is to convert a description valid for
U_1 into a description of the same machine valid for U_2. In fact:
d
1
(
)
s(
)
d
2
(
) t.c.
, U
2
(s(
)
) = U
1
(
)
enough to take M
t.c. d
1
(m) =
and to place s(
) = d
2
(M), from which:
U
2
(s(
)
) = U
2
(d
2
(m)
) = M(
) = U
1
(d
1
(m)
) = U
1
(
)
Definition 2
s(
) simulator for U is called
2
of U
1
that it executes
.
We observe that s(
) and also the emulatore for U
2
of M.
The substantial difference between simulator and emulator is therefore
that the emulator reproduces the operation of a machine (universal or
not) in its entirety, while the simulator reproduces the operation of a
universal machine only while it is emulating another specific machine.

EMULATION AND REVERSE ENGINEERING

Earlier we mentioned microprocessor emulators. In that field it is not
only possible to have an almost perfect reproduction of the original, but
one can even think of generating emulators automatically starting from a
formal definition of the microprocessor's language.

This ideal situation, however, does not always arise. Often the system to
be emulated is poorly documented, and it is therefore necessary to carry
out reverse engineering work. The emulator can therefore be created in
many different ways, some more formal, others more practical, depending
on the amount of information available about the system to be emulated.

Let us look at some examples, all concerning the reproduction of video
games on a PC.
1. It is possible to try to understand how a game works by doing nothing
more than playing it at length; a program can then be written that
resembles it as closely as possible. In this case one can only speak of a
simulator in the sense of imitator, because without access to the program
and data used by the original, however careful its study may be, the
reproduction can hardly be completely faithful. This is particularly true
for games, which are rich in graphics and details that are difficult to
replicate: think, for example, of the artificial intelligence algorithms
needed to balance the difficulty of the game.

In practice, even an approximate simulation is realistically possible
only for games with little graphics and very simple game structures.

Very interesting results have been achieved by Luca Antignano, in a
series of simulators of handheld games with LCD displays <16>.

The advantage of this type of simulator is that it requires no knowledge
of the hardware and software of the game: the only thing needed is the
ability to observe the game in operation, so it can be written by anyone.
Given its limited possibilities, however, it is generally a road to take
only if there are no alternatives, that is, when the software of the
original machine is inaccessible or unusable.
2. If the source code of the original game is available, software reverse
engineering techniques can be used to port it to another hardware
architecture, possibly also changing programming language and/or
rewriting some parts after having formalized their specifications.
Obviously, to carry out the conversion it is also necessary to have a
model of the original hardware, presumably derivable from the comments in
the source code or from the documentation associated with it.

With this type of simulator, the algorithms of the game can be preserved
and the reproduction could, in theory, even be perfect. In practice,
however, when writing a simulator it is easy to take shortcuts and
abandon absolute fidelity to the original for reasons of convenience or
efficiency. Changes may also be made intentionally to adapt the game to
the architecture to which it is ported, for example by varying the
difficulty level, or by adding the text PRESS F2 TO PLAY instead of
letting virtual coins be inserted, as happened in the Microsoft Return of
Arcade package. These are small changes, which nonetheless make arcade
game purists turn up their noses.

Since it is necessary to have access to the original source code and
data, a possibility that in practice exists only under an authorized
licence, this type of simulator is used mainly for the production of
commercial video games. In that setting, simulation is without doubt
preferable to emulation, since it requires much less computing power to
run at full speed.

[Figure: Pac-Man according to Microsoft (simulation) and Pac-Man
according to MAME (emulation)]

In the '80s, conversions of arcade games for home computers like the
Commodore 64 or the Sinclair Spectrum were very popular. Given the
limited capabilities of these machines, the conversions were usually very
different from the original, so much so that at times the only relation
was the name of the game. In those cases, the conversions were imitations
that used very little material from the original game.

Currently conversions are perhaps less frequent, but those that are made
are usually of good quality and very similar to the original; often they
offer the choice of playing either a version more faithful to the arcade
one or one modified to suit home use.
3. If the source code of the original game is not available, one can
still try to understand how it works using decompilation. The operation
can be carried out on the whole program, to create a simulator, or only
on some parts, during the creation of an emulator. This practice is
subject to restrictions under copyright law.
4. Most games use one or more CPUs that are available on the market and
therefore widely documented. The first step is to write an emulator of
these CPUs, based on the available documentation. The original program is
then loaded on the emulator and note is taken of the accesses to memory
and to the I/O ports. In a large number of cases, this information is
sufficient to guess the operation of the hardware with very good
approximation. CPU emulators are standard components which, once written,
can be reused many times to emulate different games. For this reason,
whoever works on the emulation of a new hardware does not even need to
know the assembly language of the CPU used: it is sufficient to read the
list of accesses to memory and I/O ports.

This is the technique most used in the development of MAME, for several
reasons, for example because it does not require direct access to the
hardware to be emulated and because it cannot violate copyright law: the
reverse engineering of the hardware is carried out entirely through the
study of the behavior of the software alone.

The disadvantage is that the model of the hardware obtained from the
study of the software alone is often incomplete. For example, the
software often does not use all the capabilities of the hardware; in that
case, if several games exist that run on the same board, comparing them
usually improves the understanding of the hardware.

From the behavior of the software alone it is not always easy to deduce
what the behavior of the hardware must be; if after a few attempts one
does not manage to build a model of the hardware consistent with the
software, there is nothing left to do but give up and try again at
another time, waiting for new inspiration. The dependence of this method
on the intuition and experience of whoever carries out the reverse
engineering is its main limit.
5. An alternative strategy for reverse engineering the hardware is,
instead of relying only on the original program, to write new programs to
run on the original board in order to check the effects of accesses to
certain memory locations or I/O ports. This technique can be used to
complement the one described in example 4, to resolve ambiguities or
gather more information. Obviously the disadvantage is that, unlike the
previous example, it is necessary to have direct access to the hardware
to be emulated.

6. If the platform to be emulated has a programmer's manual, it can be
used to create a model of the hardware and reproduce it faithfully. This
technique depends first of all on the existence of such a manual, which
is anything but a given for arcade video games, and also on its
availability, because even if a manual exists, it is not necessarily easy
to obtain. The emulation of home computers is probably what lends itself
best to the use of this method.

One thing to keep in mind is that the programmer's manual could be
incomplete, failing to mention hidden features or even outright bugs of
the hardware. If that happens, the correct reproduction of such features
can only happen after the fact, through examination of any programs that
do not work correctly on the emulator.
7. By examining the electrical schematics, if they are available, a model
of the operation of the board to be emulated can be obtained. This method
makes it possible to obtain emulations very faithful to the original, but
the best results are obtained only with games earlier than the first half
of the '80s. In fact, the degree of integration of electronic circuits
has gradually increased, so that, studying the schematics of more recent
boards, one is faced with integrated circuits whose operation can only be
guessed, treating them as black boxes. In that case, this technique must
be combined with one or more of the others described previously.

If the electrical schematics are not available, one can still try to use
this method by physically examining the game board, in a way analogous to
what was mentioned in the example on p. 16.
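
The access-logging technique of example 4, as an added example that is
not part of the original thesis or of MAME's code: a CPU core whose data
accesses all pass through logging bus handlers, so that a memory map of
undocumented hardware can be read off the trace. The instruction set, the
ROM boundary at 0x4000 and the sample program are hypothetical and
constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x10000u
#define ROM_END  0x4000u  /* assumption: program ROM sits at 0x0000-0x3FFF */

/* Hypothetical opcodes; address operands are 16-bit little-endian. */
enum { OP_HLT, OP_LDA, OP_STA, OP_INC };
enum { SEEN_READ = 1, SEEN_WRITE = 2 };
enum access_kind { ACC_UNUSED, ACC_READ_ONLY, ACC_WRITE_ONLY, ACC_READ_WRITE };

struct machine {
    uint8_t  mem[MEM_SIZE];   /* flat address space: ROM plus everything unknown */
    uint8_t  seen[MEM_SIZE];  /* SEEN_* flags recorded per data access */
    uint16_t pc;
    uint8_t  a;               /* accumulator */
};

/* All data accesses go through these two handlers, where the trace is
 * collected. Instruction fetches are not logged. */
static uint8_t bus_read(struct machine *m, uint16_t addr) {
    m->seen[addr] |= SEEN_READ;
    return m->mem[addr];      /* unknown hardware reads back as 0 for now */
}

static void bus_write(struct machine *m, uint16_t addr, uint8_t value) {
    m->seen[addr] |= SEEN_WRITE;
    if (addr >= ROM_END)      /* writes into ROM are logged but ignored */
        m->mem[addr] = value;
}

static uint16_t fetch16(struct machine *m) {
    uint16_t lo = m->mem[m->pc++];
    uint16_t hi = m->mem[m->pc++];
    return (uint16_t)(lo | (hi << 8));
}

/* Load a ROM image and interpret it. Returns the number of instructions
 * executed, or -1 on an undefined opcode. */
int run_rom(struct machine *m, const uint8_t *rom, size_t len, int max_steps) {
    int steps = 0;
    memset(m, 0, sizeof *m);
    memcpy(m->mem, rom, len > ROM_END ? ROM_END : len);
    while (steps < max_steps) {
        steps++;
        switch (m->mem[m->pc++]) {
        case OP_LDA: m->a = bus_read(m, fetch16(m)); break;
        case OP_STA: bus_write(m, fetch16(m), m->a); break;
        case OP_INC: m->a++; break;
        case OP_HLT: return steps;
        default:     return -1;
        }
    }
    return steps;
}

enum access_kind classify(const struct machine *m, uint16_t addr) {
    switch (m->seen[addr]) {
    case SEEN_READ:              return ACC_READ_ONLY;   /* input port? */
    case SEEN_WRITE:             return ACC_WRITE_ONLY;  /* output latch? */
    case SEEN_READ | SEEN_WRITE: return ACC_READ_WRITE;  /* behaves like RAM */
    default:                     return ACC_UNUSED;
    }
}

/* Print the touched address ranges; returns how many ranges were found. */
int report(const struct machine *m, FILE *out) {
    static const char *const name[] = { "unused", "read only", "write only", "read/write" };
    int ranges = 0;
    uint32_t start = 0;
    while (start < MEM_SIZE) {
        enum access_kind k = classify(m, (uint16_t)start);
        uint32_t end = start;
        while (end + 1 < MEM_SIZE && classify(m, (uint16_t)(end + 1)) == k)
            end++;
        if (k != ACC_UNUSED) {
            fprintf(out, "%04X-%04X  %s\n", (unsigned)start, (unsigned)end, name[k]);
            ranges++;
        }
        start = end + 1;
    }
    return ranges;
}

/* Constructed sample program, not taken from any real game. */
static const uint8_t SAMPLE_ROM[] = {
    OP_LDA, 0x00, 0xA0,   /* A = [0xA000]  read something never written */
    OP_STA, 0x00, 0x80,   /* [0x8000] = A  store it ...                 */
    OP_LDA, 0x00, 0x80,   /* A = [0x8000]  ... and read it back         */
    OP_INC,               /* A = A + 1                                  */
    OP_STA, 0x00, 0xC0,   /* [0xC000] = A  write something never read   */
    OP_HLT
};

int main(void) {
    static struct machine m;
    return run_rom(&m, SAMPLE_ROM, sizeof SAMPLE_ROM, 1000) < 0 || !report(&m, stdout);
}
```

The person modelling the hardware only reads the resulting address list,
without needing the program's disassembly.
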
We summarize the characteristics of the proposed examples in a table.
Recall that black-box reverse engineering does not examine the internal
structure of the system under study, while white-box reverse engineering
does.

Example  Type of reproduction   Type of reverse engineering
                                Software     Hardware
1        Imitation              Black Box    N/A
2        Simulation             White Box    Black Box
3        Simulation/Emulation   White Box    Black Box
4        Emulation              Black Box    Black Box
5        Emulation              N/A          Black Box
6        Emulation              N/A          White Box
7        Emulation              N/A          White Box
HOW ACCURATE IS AN EMULATOR

In theory, as we have seen from the formal definition, simulators and
emulators should be equivalent. Simulators have the advantage of
requiring less computing power, because there is one less interpretive
step, while emulators have the advantage of running any program written
for the emulated system, rather than just one; apart from this, the
results should both be indistinguishable from the original.

In practice, things do not always go this way. The previous examples show
how the creation of these programs is subject to a series of errors, both
in the phase of understanding the system to be emulated and during the
writing of the program.

Given the different approaches, simulators and emulators easily behave
differently. Emulators, working at the hardware level, can more easily
reproduce the details of the original board; simulators, working at the
software level, tend to reproduce only the general behavior.

The emulation of video games is particularly delicate because of their
interactivity and their real-time operation, so that even small changes
of speed can alter the way the game behaves. For this reason, the
conviction is widespread in the player community that emulators are
faithful reproductions of the original, while simulators are not.
In general, this is true. As said in example 4 on p. 26, most games use
standard microprocessors, which are widely documented and can be emulated
accurately. This means that the logic of the game can be reproduced with
great precision. Other parts of the hardware are more subject to a high
error rate, so the reproduction of graphics and sound can be imprecise,
even obviously so; but all the internal mechanisms of the game, from the
movement of the enemies to the awarding of points, will be replicated
faithfully, to the point of including any bugs of the original game,
which in a simulator can easily be lost.

For example, Pac-Man has a famous bug due to the fact that the level
reached is stored in an 8-bit variable. When level 256 is reached, the
capacity of the variable is exceeded, causing unexpected consequences, as
can be seen in the image alongside. In a simulator, the capacity assigned
to the variable would probably be different, eliminating the anomalous
behavior. In an emulator, instead, the program is executed exactly as in
the original.

[Figure: The level 256 bug of Pac-Man, emulated by MAME]

Another detail that can easily be neglected in a simulator are the
so-called Easter eggs, i.e. messages or other surprises hidden in the
code by the programmers, which can be revealed by performing particular
actions, such as pressing a sequence of keys in a given order.
The following pictures show two examples for the games Pac-Man [2] and
Xevious [3], both emulated by MAME.

[Figure: Easter egg of Pac-Man (Namco, 1980); Easter egg of Xevious
(Namco, 1982)]

[2] Put the game in service mode; quickly flip the service mode switch
off and then on again, so as to get to the grid for the monitor test;
hold down the one-player and two-player start buttons at the same time
and again quickly flip the service mode switch off and on; move the
joystick 4 times up, 4 times left, 4 times right and 4 times down.
[3] Start a game normally, immediately move to the bottom right and hold
down the bomb button. After a few seconds the text "Namco original
program by EVEZOO" appears.
There are also older video games, dating back to the '70s, that have no
CPU but execute a simple program implemented with logic gates. Formally,
their boards are therefore not equivalent to universal Turing machines
and so, according to the definitions given previously, one can only speak
of emulators and not of simulators, since the latter are defined only for
universal Turing machines. Obviously one can continue to speak of
simulators in the loose sense of imitators which indeed, given the
simplicity of these games, are also rather easy to program.

[Figure: Pong: emulation or simulation?]

An attempt was made to extend MAME to support games without a CPU, but
already in the case of one of the most elementary, the famous Pong
(Atari, 1972), we realized how difficult it was to establish whether the
emulation was really accurate. Without the CPU, there were no guarantees
about the behavior of the program, and every slightest error in
interpreting the electrical schematics could have altered the operation
of the game. For this reason, we decided to exclude the emulation of this
type of video game from the goals of MAME, concentrating only on those
equipped with a CPU.
3. ARCHITECTURE OF ARCADE VIDEO GAMES

INTRODUCTION

In the previous chapter we saw some examples of reverse engineering
applied to the emulation of video games. In this chapter we will examine
in more detail the parts that make up an arcade game machine, also
listing some of the problems connected with the emulation of the various
subsystems.

One of the main differences between an arcade video game emulator and a
console emulator is the amount of software that the two must run. A
console stays on the market for some years, during which many games are
produced. An arcade game board, instead, usually has a shorter life and
can run few games, often only one. It follows that an emulator like MAME,
which supports a great number of games, must handle all the hardware
architectures on which those games run. In MAME, the software modules
used for this purpose are called drivers. Every driver emulates the
hardware of one board, or of several boards very similar to each other,
and contains the information needed to run the games produced for that
particular hardware.

As can be seen in the following chart, the hardware is so varied that
most drivers handle a single game; approximately 16% of the supported
games require a dedicated driver. A single driver recognizes more than
100 games: not by chance, it is the Neo Geo [4], a cartridge system sold
both for home users and for arcades.

[4] src/drivers/neogeo.c
32
[Figure: Distribution of the games among the drivers of MAME. X axis: number of games per driver (1, 2-3, 4-7, 8-15, 16-31, 32-63, 64+); Y axes: number of drivers, percentage of the total number of games.]
CPU
The CPU (Central Processing Unit) is the heart of every computer, the element that directs the operation of the whole system; video games are no exception. As far as performance is concerned, however, it is not the most important part: that role, as we will see later, falls to the graphics hardware.

In most cases, video game boards are multiprocessor. Almost always one CPU is dedicated exclusively to controlling the sound; sometimes other CPUs are also present that share the management of the game, in case it is too complex to be governed by a single CPU. For example, a secondary CPU could be used to perform the collision checks between all the objects present on the screen, or to convert coordinates from an internal format to the one recognized by the graphics hardware.
MAME emulates about fifty microprocessors (footnote 5), most of which are used by a very small number of games.
CPUs emulated by MAME and number of games that use them

CPU          Games
Z80          1240
68000        751
M6809        222
M6502        188
N2A03        84
I8080        57
68EC020      53
V30          35
HD63701      32
I8X41        24
TMS34010     23
SH-2         23
HuC6280      21
M68705       21
S2650        21
HD63705      20
M6808        17
HD6309       17
M6803        16
KONAMI       16
68010        15
V33          14
V60          14
CCPU         14
I80186       13
I8086        12
I8035        12
M6802        10
ADSP2105     10
I8085A       9
M6800        9
I8039        8
M65C02       7
TMS32010     7
V70          5
N7751        5
NSC8105      5
T11          5
TMS9980A     3
ADSP2100     3
Jaguar GPU   3
Jaguar DSP   3
R3000        3
Z180         2
TMS34020     2
TMS9995      2
Z8002        2
ADSP2101     2
TMS32031     2
DSP32C       2
ASAP         1
ARM          1
Among the 8-bit microprocessors, the most widespread was without doubt the Zilog Z80, used in most games until nearly the end of the '80s. When 8 bits were no longer enough, the baton passed to the Motorola 68000, a very successful 16/32-bit microprocessor. The Z80, however, continued to be widely used as a secondary CPU.

Footnote 5: src/cpuintrf.h, src/cpu

While among the 8-bit microprocessors there were valid alternatives to the Z80, such as the Motorola 6809 and the Rockwell 6502, among the 16-bit ones the 68000 proved to be the unchallenged leader.

Many of the microprocessors used in the video games of the '80s are the same ones found in the home computers of the time: the Z80 in the Sinclair ZX Spectrum, the 6502 in the Apple II and Commodore 64, the 68000 in the Apple Macintosh and the Commodore Amiga. It is worth noting that the Intel 8086, which would establish itself as the de facto standard in PCs, was almost completely ignored in the design of video games.
A special mention goes to the so-called Cinematronics CPU, so called because it was used by the company of the same name for its vector graphics games in the period 1978-1981. The peculiarity of this CPU is that it is not a microprocessor, that is a single chip, but an entire circuit built from logic gates. The circuit was accurately studied and documented by Zonn Moore [8]. The emulator of this CPU written by Moore is the basis of the one contained in MAME (footnote 6).

Footnote 6: src/cpu/ccpu/ccpu.c

The following chart shows how the class of the main CPU has changed over the years. The data are limited to the games emulated by MAME, so the chart does not give a complete picture of the situation, especially for the most recent years, for which MAME supports only a limited number of games (see the chart on p. 79 for the number of games emulated year by year). It nevertheless gives a general idea of the market trend.
[Figure: Class of the main CPU in the games emulated by MAME. Series: 8 bit, 16 bit, 32 bit. X axis: year of production of the games (1980-2000); Y axis: frequency of use (0%-100%).]
As said in the previous chapter, the emulation of the CPU is what allows emulators to be more accurate than simulators in reproducing all the characteristics of the original. These are the main reasons:

- Microprocessors are generally standard components, produced in large quantities and widely documented, so no reverse engineering work needs to be done on them.
- The emulator of a microprocessor is very sensitive to bugs: an error in the reproduction of some instruction usually causes obvious malfunctions in the program running on the emulator, leading quickly to the identification and correction of the bug.
- Often the same microprocessor is used by many different games, so the accuracy of the emulator can be verified with a good number of programs.

In general, therefore, the emulation of the CPU does not present particular theoretical difficulties: it is only a matter of writing a software implementation of the characteristics declared by the manufacturer. Obviously there can be practical difficulties, which grow with the complexity of the microprocessors to emulate. Moreover, since the emulator must work in real time, the speed of the computer on which it runs places limits on the clock speed that the emulated microprocessor can have.

There are cases in which, instead, the difficulties are of a theoretical kind, and not always easy to overcome. Let us look at some of them.
Undocumented features

Many microprocessors are able to execute instructions that are not mentioned in the official documentation, or are indicated as not supported. Moreover, instructions can have undocumented side effects, for example on the status register. In some cases these features change according to the revision of the microprocessor, so reproducing them accurately becomes even more complicated. See, for example, <17>, <18> and <19> for information on the peculiarities of some widely used microprocessors.

In the emulation of home computers it is practically indispensable to duplicate faithfully all the undocumented features of the CPU in order to have good compatibility with existing software. In arcade video games the use of such functions is instead rarer, but there are some well-known cases. For example, in King of Fighters '98 the counter of the remaining game time is not reset if the SBCD instruction does not correctly set the N status flag, which is indicated as undefined in the official documentation of the Motorola 68000 (footnote 7).

Cryptography

Encryption of the program is one of the most common copy-protection systems. We will discuss it in more depth in chapter 4.
Inaccessible program

Sometimes one is able to emulate a microprocessor, but... does not have the program to run on it. Normally the machine-language instructions are found in ROM memory chips that are easily readable with suitable equipment, but this is not always possible. For example, the chip could have been made physically inaccessible by embedding it together with the CPU in a block of epoxy resin, a material that is very difficult to penetrate without destroying the contents <20>. More frequently, the ROM is located inside an MCU (MicroController Unit), a component that can usually be configured so as to forbid reading of its contents.
The possible options in these cases are essentially three:

1. In some cases a way can be found to read the protected data anyway.
In <21>, Clayton Cowgill illustrates, with the aid of excellent photos, how he managed to penetrate the epoxy resin of Pac Man Plus.
In the case of MCUs, some models can be read by taking advantage of weaknesses in their security systems. The works [10] and <22> explain some of these procedures (not concerning MAME).

2. If only a part of the program is protected, while the rest is normally accessible, the accessible part can be modified by replacing it with a Trojan horse. The Trojan horse has access to the protected data, and can therefore copy them somewhere else, where they can be read more easily.
This technique was used with some Orca games (Changes, Funky Bee, Marine Boy and Springer), where only the first 256 bytes of the program were contained inside a module called CPU Pack II.
Another case in which this technique proved fruitful concerns a series of Namco games, among which Pac Land, Sky Kid and the Namco System 1 and Namco System 2 systems. All these games use a Hitachi HD63701 MCU, but the program is divided in two parts, the first contained in the internal ROM of the MCU, the other in an external ROM into which it was possible to insert the Trojan horse.

3. If there is no way to access the protected program, the only remaining alternative is simulation.
Frequently, MCUs with a protected program are used only for anti-piracy checks: the main CPU and the MCU exchange data through a communication port, and the values returned by the MCU are used to control the flow of the program (for example jump tables), or contain data that cannot be deduced from the main program alone (for example the coordinates of objects shown during the game). One can therefore carry out a black-box reverse engineering of the MCU: by means of a program run on the original board, all the possible input sequences are sent and the responses recorded. This is how it became possible to emulate, for example, some Data East games, such as Heavy Barrel (footnote 8), Bad Dudes, Chelnov (footnote 9) and Wonder Planet.
This method has also been used for the reverse engineering of devices other than MCUs; for example, Aaron Giles and Frank Palazzolo applied it during the study of the slapstic (footnote 10), an Atari protection chip.

Footnote 7: Cf. [9], p. 606.
Footnote 8: src/machine/dec0.c
Footnote 9: src/drivers/karnov.c
Unknown microprocessors

On some rare occasions, the CPU to emulate may be of an unknown type, for which no documentation can be found. If searches bear no fruit, there is no other possibility than to attempt a reverse engineering operation, examining the machine-language code and trying to guess its functions. In MAME, something of the sort was done for a custom Konami microprocessor (footnote 11) used in various games in the period 1987-1991, for example Ajax and The Simpsons. There are three versions of the chip, functionally equivalent and interchangeable, indicated with the codes 052001, 052526 and 053248. The CPU is derived from the 6809, but is very different and has a large number of additional instructions, some of them complex, like division. The reverse engineering, carried out for the most part by Ernesto Corvi and Manuel Abadia, required some weeks of work, but was completed with excellent results, making it possible to emulate all the games that use that CPU.
ROM

The device of choice for storing programs and data in an arcade video game is the ROM (Read Only Memory) chip, which can be of the three types described below [11].

Masked ROM. The content is fixed before production, and can no longer be changed. They have the advantage of being inexpensive, but only if produced in large quantities.

PROM (Programmable ROM). They are empty when produced and can be programmed only once.

EPROM (Erasable Programmable ROM). Programmable like PROMs, they can moreover be reprogrammed several times, after being erased by exposure to ultraviolet light.

Footnote 10: src/machine/slapstic.c
Footnote 11: src/cpu/konami/konami.c

The difference between the three types of ROM is in any case insignificant for the purposes of emulation, and in jargon the images needed to make an emulator work are generically called ROMs, or ROM sets.

Progress in the semiconductor industry is described by the so-called Moore's law, according to which power doubles approximately every 18 months [12], [13]. The following chart shows the size of ROM memory in all the games emulated by MAME; the agreement with Moore's law is rather good.
[Figure: Size of ROM memory in the games emulated by MAME. X axis: year of production of the game (1975-2000); Y axis: size (KB), from 1 to 100,000.]
The following chart shows the average sizes, year by year, of the three main types of data stored in ROM: those relating to the program (including the program itself), those reserved for the graphics hardware, and those reserved for the sound hardware.
[Figure: Average size of ROM memory in the games emulated by MAME. Series: program, graphics data, sound data. X axis: year of production of the games (1975-2000); Y axis: size (KB), from 1 to 100,000.]
As can be seen, the size of the program has grown more slowly than the other two types of data and has gradually been overtaken by both. For almost the whole of the '80s, the space dedicated first only to graphics, then also to sound, grew very quickly, later settling on a rate closer to that predicted by Moore's law. One can notice, above all from the end of the '80s onwards, a certain agreement between the size of the ROMs for graphics and for sound, which indicates that these two aspects of the quality of the games progress together. The delay with which the space for sound began to grow is probably due to the fact that synthesized music and effects, which require little data, were still a valid alternative to the use of sampled sounds, which need much more space.
The emulation of ROM memory first of all requires reading the contents of the chips, which is done by means of devices called EPROM programmers which, as the name suggests, serve not only to read but also to write to the chips.

[Figure: An EPROM programmer]
Reading can present practical difficulties, since there are very many models both of chips and of programmers: it can happen that the programmer is not compatible with the chip that must be read, that the construction of an adapter is required, or that the chip is of the surface-mount type and therefore has to be desoldered from the game board, with the risk of ruining it.

A possibility to keep well in mind, above all if the game is old, is that the chip may be damaged and contain data that are difficult to read reliably, or entirely wrong. The original game board could also be out of order, making it impossible to verify the integrity of the ROMs. Emulators are an important aid for those who try to record and preserve video games, because they make it possible to verify whether the data read from the ROMs are valid or whether it is necessary to repeat the reading, perhaps from a different board. Unfortunately the fact that a certain set of ROMs works on an emulator is not, by itself, a guarantee that the data read are identical to those programmed at the factory: for this purpose the game must contain a ROM checksum verification function, executed at start-up or from the service menu. Such a check is fairly frequent on the program ROMs but, since the ROMs containing other data are usually not directly accessible by the CPU, it is rare for the check to be performed on all the ROMs of the board.

Once the ROMs have been read, one can move on to their emulation, which in itself presents no problem: it is only a matter of loading a copy of the ROM contents into memory. The only precaution to take is to make sure that the read-only nature of this type of memory is respected; there are, in fact, cases of games that, because of bugs or deliberate actions, execute instructions that cause a write access to ROM memory, which obviously has no effect on the original board. If these programs were allowed to alter the contents of ROM memory, malfunctions could occur. An example of this is Lady Bug by Universal, in which the sound stops working correctly.
For each of the ROM chips present in the game one must work out what type of data it contains and at what position it is to be loaded. The labels on the chips and their position on the game board usually already give many indications. Beyond this, a quick examination with a hexadecimal editor allows a trained eye to recognize the regularities typical of graphics or sound data, or other particulars that characterize data relating to the program.

What follows is part of a ROM containing the Pac Man program: numerous plain-text strings can be noticed that make it easy to identify its function.
00000760: 45524054 574F2F85 2F809202 47414D45  ER@TWO/./...GAME
00000770: 40404F56 45522F81 2F805202 52454144  @@OVER/./.R.READ
00000780: 595B2F89 2F90EE02 50555348 40535441  Y[/./...PUSH@STA
00000790: 52544042 5554544F 4E2F872F 80B20231  RT@BUTTON/./...1
000007A0: 40504C41 59455240 4F4E4C59 402F852F  @PLAYER@ONLY@/./
000007B0: 80B20231 404F5240 3240504C 41594552  ...1@OR@2@PLAYER
000007C0: 532F8500 2F008000 9603424F 4E555340  S/../.....BONUS@
000007D0: 5055434B 4D414E40 464F5240 40403030  PUCKMAN@FOR@@@00
000007E0: 30405D5E 5F2F8E2F 80BA025C 4028292A  0@]^_/./...\@()*
000007F0: 2B2C2D2E 40313938 302F832F 80C30243  +,-.@1980/./...C
00000800: 48415241 43544552 403A404E 49434B4E  HARACTER@:@NICKN
00000810: 414D452F 8F2F8065 0126414B 41424549  AME/./.e.&AKABEI
00000820: 262F812F 80450126 4D41434B 59262F81  &/./.E.&MACKY&/.
00000830: 2F804801 2650494E 4B59262F 832F8048  /.H.&PINKY&/./.H
00000840: 01264D49 434B5926 2F832F80 76021040  .&MICKY&/./.v..@
00000850: 3130405D 5E5F2F9F 2F807802 14403530  10@]^_/./.x..@50
What follows, instead, is again part of a Pac Man ROM, but this time one containing data for the graphics hardware. In this case one notices a certain regularity of the data and a high frequency of 00. Usually, in a ROM containing graphics data, more than 50% of the bytes are 0.
000002A0: 0000FFFF 0000FFFF CCCCFFFF 000077FF  ..............w.
000002B0: 0000FFFF 0000FFFF 000077FF CCCCFFFF  ..........w.....
000002C0: 33333333 3333FFEE CCCCCCCC CCCCFF77  333333.........w
000002D0: 33333333 FFEE0000 CCCCCCCC FF770000  3333.........w..
000002E0: 00000000 0000EEFF 00000000 000077FF  ..............w.
000002F0: 00000000 00000000 00000000 00000000  ................
00000300: 88CC2222 66CC8800 3377CC88 88773300  ..""f...3w...w3.
00000310: 2222EEEE 22220000 0000FFFF 44000000  ""..""......D...
00000320: 2222AAAA EEEE6600 66FFBB99 99CC4400  ""....f.f.....D.
00000330: CCEE2222 22664400 88DDFFBB 99880000  .."""fD.........
00000340: 88EEEE88 88888800 00FFFFCC 66331100  ............f3..
00000350: CCEE2222 22664400 11BBAAAA AAEEEE00  .."""fD.........
00000360: CCEE2222 22EECC00 00999999 DD773300  .."""........w3.
00000370: 000000EE EE000000 CCEEBB99 88CCCC00  ................
00000380: CCEEAAAA 2222CC00 00669999 BBFF6600  ....""...f....f.
00000390: 88CC6622 22220000 77FF9999 99FF6600  ..f"""..w.....f.
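
The check that a trained eye performs on the two dumps above can be approximated in code. The following is an added example, not part of the original text or of MAME: the function names, MIN_RUN and TEXT_PCT are assumptions, the 50% zero threshold is the figure quoted above, and the two samples are rows 000007A0-000007CF of the program dump and 000002D0-000002FF of the graphics dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_RUN   4  /* assumption: shortest printable run counted as text */
#define TEXT_PCT 25  /* assumption: share of text bytes that marks program data */
#define ZERO_PCT 50  /* from the text: graphics ROMs are usually over 50% zeros */

enum rom_kind { ROM_UNKNOWN, ROM_PROGRAM, ROM_GRAPHICS };

struct rom_stats {
    size_t zero_bytes;   /* bytes equal to 0x00 */
    size_t text_bytes;   /* bytes inside printable runs of at least MIN_RUN */
    size_t longest_run;  /* longest run of printable bytes */
};

/* Rows 000007A0-000007CF of the program ROM dump. */
static const uint8_t program_sample[48] = {
    0x40,0x50,0x4C,0x41, 0x59,0x45,0x52,0x40, 0x4F,0x4E,0x4C,0x59, 0x40,0x2F,0x85,0x2F,
    0x80,0xB2,0x02,0x31, 0x40,0x4F,0x52,0x40, 0x32,0x40,0x50,0x4C, 0x41,0x59,0x45,0x52,
    0x53,0x2F,0x85,0x00, 0x2F,0x00,0x80,0x00, 0x96,0x03,0x42,0x4F, 0x4E,0x55,0x53,0x40,
};

/* Rows 000002D0-000002FF of the graphics ROM dump. */
static const uint8_t graphics_sample[48] = {
    0x33,0x33,0x33,0x33, 0xFF,0xEE,0x00,0x00, 0xCC,0xCC,0xCC,0xCC, 0xFF,0x77,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0xEE,0xFF, 0x00,0x00,0x00,0x00, 0x00,0x00,0x77,0xFF,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

static int is_printable(uint8_t b)
{
    return b >= 0x20 && b <= 0x7E;
}

/* One pass over the image: count zero bytes and measure printable runs. */
struct rom_stats rom_scan(const uint8_t *data, size_t len)
{
    struct rom_stats s = { 0, 0, 0 };
    size_t run = 0;

    for (size_t i = 0; i <= len; i++) {
        if (i < len && data[i] == 0x00)
            s.zero_bytes++;
        if (i < len && is_printable(data[i])) {
            run++;
            continue;
        }
        /* A non-printable byte or the end of the buffer closes the run. */
        if (run >= MIN_RUN)
            s.text_bytes += run;
        if (run > s.longest_run)
            s.longest_run = run;
        run = 0;
    }
    return s;
}

/* Text strings point to program data, a majority of zeros to graphics data. */
enum rom_kind rom_classify(const uint8_t *data, size_t len)
{
    struct rom_stats s = rom_scan(data, len);

    if (len == 0)
        return ROM_UNKNOWN;
    if (s.text_bytes * 100 >= len * TEXT_PCT)
        return ROM_PROGRAM;
    if (s.zero_bytes * 100 > len * ZERO_PCT)
        return ROM_GRAPHICS;
    return ROM_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "unknown", "program", "graphics" };

    printf("program sample:  %s\n",
           names[rom_classify(program_sample, sizeof program_sample)]);
    printf("graphics sample: %s\n",
           names[rom_classify(graphics_sample, sizeof graphics_sample)]);
    return 0;
}
```

The 50% figure is given for a graphics ROM as a whole, so the scan is meant to be run over a complete image; a short excerpt can fall below it.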
Once the ROMs have been divided into groups, putting them in the right order is usually simple; in the worst case it can be done by trial and error. In fact, as can be seen from the following chart, the number of chips is small: 90% of the games have no more than 23.
[Figure: Number of ROM chips in the games emulated by MAME. X axis: number of chips (0-50); Y axes: number of games, cumulative percentage of the total.]
8-bit microprocessors, like the Z80 or the 6809, usually have a 16-bit address space, so they can directly access only 2^16 bytes of memory. Often, however, the size of the ROMs dedicated to the program exceeds this limit. The ROM memory space is therefore divided into banks: by writing to a control register, the CPU decides which part of ROM memory to make visible in the window dedicated to it.
RAM
The amount of RAM is usually limited. In general, most of the data, as well as the program itself, are contained in ROM, and therefore only a small quantity of RAM is needed for the program variables and for video memory.

Its emulation is no different from that of ROM, except obviously for the fact that writing is allowed in addition to reading. It must be taken into account that the decoding of the addresses generated by the CPU may be partial, so that the same RAM chip can appear several times in the memory map, at different physical addresses, called mirror addresses. Normally the program uses only one of the copies, but there are cases in which, often because of bugs in the game, some mirror address is also used; in such a case the emulator must take this into account to ensure correct operation.
A very particular case of mirror address is the one used by some Data East games, among which, for example, Burger Time (footnote 12). In this case the video memory appears at a mirror address, but with bits 0-4 of the address swapped with bits 5-9. If one thinks of what the video memory represents on the screen, that is a 32x32 matrix, the bit swap means that, while the normal version of the RAM scans the matrix by rows, the mirrored version scans it by columns.
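
The memory behaviours described in the ROM and RAM sections (writes to ROM that must have no effect, a banked ROM window, a partially decoded RAM chip, and a video RAM mirror with swapped address bits) can be put together in one pair of read and write handlers. This is an added example, not code from the original text or from MAME; the memory map, the register address and all names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical memory map of an 8-bit board (assumption, not a real game):
 *   0000-7FFF  fixed program ROM (first 32 KB of the image)
 *   8000-BFFF  16 KB window onto one of four ROM banks
 *   C000-CFFF  1 KB of RAM, only 10 address lines decoded: 4 copies
 *   D000-D3FF  video RAM, 32x32 cells scanned by rows
 *   D400-D7FF  the same video RAM with address bits 0-4 and 5-9 swapped
 *   F000       bank select register (write only)
 */
#define ROM_SIZE   0x10000u
#define BANK_SIZE  0x4000u
#define RAM_SIZE   0x0400u
#define VRAM_SIZE  0x0400u

static uint8_t rom[ROM_SIZE];
static uint8_t ram[RAM_SIZE];
static uint8_t vram[VRAM_SIZE];
static unsigned rom_bank;

/* Swap bits 0-4 with bits 5-9 of a 10-bit offset: (row, col) <-> (col, row). */
unsigned swap_row_col(unsigned offset)
{
    return ((offset & 0x01Fu) << 5) | ((offset & 0x3E0u) >> 5);
}

/* Constructed ROM image: every byte holds the number of its 4 KB block. */
void load_test_rom(void)
{
    for (unsigned i = 0; i < ROM_SIZE; i++)
        rom[i] = (uint8_t)(i >> 12);
    rom_bank = 0;
}

uint8_t mem_read(uint16_t addr)
{
    if (addr < 0x8000)
        return rom[addr];
    if (addr < 0xC000)
        return rom[rom_bank * BANK_SIZE + (addr - 0x8000u)];
    if (addr < 0xD000)
        return ram[addr & (RAM_SIZE - 1)];      /* all four copies, one chip */
    if (addr < 0xD400)
        return vram[addr & (VRAM_SIZE - 1)];
    if (addr < 0xD800)
        return vram[swap_row_col(addr & (VRAM_SIZE - 1))];
    return 0xFF;                                /* assumption: unmapped reads FF */
}

void mem_write(uint16_t addr, uint8_t data)
{
    if (addr < 0xC000)
        return;                                 /* ROM: the write has no effect */
    if (addr < 0xD000) {
        ram[addr & (RAM_SIZE - 1)] = data;
    } else if (addr < 0xD400) {
        vram[addr & (VRAM_SIZE - 1)] = data;
    } else if (addr < 0xD800) {
        vram[swap_row_col(addr & (VRAM_SIZE - 1))] = data;
    } else if (addr == 0xF000) {
        rom_bank = data & 3u;                   /* four banks of 16 KB */
    }
}

int main(void)
{
    load_test_rom();
    mem_write(0x1234, 0xAA);   /* write to ROM: ignored */
    mem_write(0xF000, 3);      /* select bank 3 */
    mem_write(0xC005, 0x42);   /* RAM, first copy */
    mem_write(0xD401, 0x99);   /* mirror offset 1 is row 1, column 0 */
    printf("%02X %02X %02X %02X\n", mem_read(0x1234), mem_read(0x8000),
           mem_read(0xC805), mem_read(0xD020));
    return 0;
}
```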
Something that is usually not taken into account in emulation is wait states in memory access, that is the periods in which the CPU is stalled waiting to be able to read or write a datum in RAM. Wait states can affect timing, but in arcade video games the difference is not important for the behaviour of the game. In the case of video game consoles and home computers, instead, accurate reproduction of wait states is almost indispensable; in fact, games for these machines frequently push the hardware to its limits, requiring perfect timing.
EEPROM AND NVRAM

Many games have a memory area that does not lose its contents when power is removed. In this area are stored settings such as the difficulty or the number of coins needed to start a game and, sometimes, also statistics on the number of games played and their duration, so that the operator can adjust the difficulty in order to maximize profits.

Footnote 12: src/drivers/btime.c
[Figure: Games emulated by MAME equipped with permanent memory. Series: total, with permanent memory. X axis: year of production (1975-2000); Y axis: number of games.]
The permanent memory chips used in video games are of two types:

- EEPROM (Electrically Erasable Programmable ROM) chips are similar in technology to EPROM chips, but they can be erased with an electrical pulse instead of by exposure to ultraviolet light;
- NVRAM (Non Volatile RAM) chips are essentially RAM chips powered by a battery, so that the contents remain unchanged even in the absence of electrical power.

The differences between the two types of memory are substantial. NVRAM is used exactly like normal RAM, the only difference being that its contents do not disappear at power-off. EEPROM, instead, almost always has a serial interface, so the program must extract the data from the EEPROM by copying them into RAM and vice versa.

The emulation of NVRAM is identical to that of RAM, with the addition that the contents of the NVRAM are saved to disk when the emulator exits and restored at the next execution of the game.

The emulation of serial EEPROM requires instead reproducing the communication protocol between the chip and the rest of the system. Although there are on the market many different types of EEPROM chips, incompatible with each other, the principle of operation is the same and generic code can be written that is able to emulate any version, based on the values of parameters fixed at start-up (footnote 13).
VIDEO

It can be said that graphics capabilities have always made the difference between an arcade video game and home systems. In recent years the gap has narrowed, but in the '80s the difference was particularly evident: arcade games looked much better than the games for consoles and home computers of the same period. The graphics hardware of video games is, in fact, specialized to handle their needs in the most efficient way, without uselessly burdening the CPU.

The graphics hardware is the most distinctive part of a game machine. While the other parts, like the CPU or the audio chips, are usually standard components, documented and used by several games, the graphics part is almost always developed in-house by the manufacturer of the video game. This is one of the reasons why it is often also the most difficult to emulate.

In recent years there has been a great change in the look of video games: thanks to advances in hardware, there has been a move from classic 2D graphics to 3D graphics. Already in the early '80s games had been written with three-dimensional effects, thanks to the use of vector graphics. This particular technique requires the use of a special monitor, in which the electron beam, instead of scanning the image line by line, moves freely across the whole screen, literally drawing lines.

Footnote 13: src/machine/eeprom.c

[Figure: Vector graphics in Star Wars (Atari, 1983)]

Vector monitors were too expensive and broke down frequently, so this technique was abandoned.

MAME is only at the beginning as far as the emulation of games with modern 3D hardware is concerned, so in what follows we will deal only with classic 2D graphics.

In spite of the great variations from one game to another, there are some parts of the graphics hardware that can be traced back to generic models; a large number of games use some combination of these parts.
Tilemap (footnote 14)

Tilemaps, a term that can be translated as "maps of tiles", are a very efficient method for displaying and moving blocks of graphics as large as the whole screen; they use little RAM and occupy the CPU very little. The screen is divided into a grid composed of tiles all of the same size, usually square with dimensions of 8x8 or 16x16 pixels, very rarely with other dimensions, even rectangular. The designs available for the tiles are fetched directly by the hardware, usually from ROM memory, very rarely from RAM dedicated to the purpose. To change an element of the grid the program need only indicate, in the corresponding memory location, the design to use and the colour combination. Often two bytes are sufficient; for example, dedicating 4 bits to the colour and 12 to the design, 2^4 different colour combinations and 2^12 different designs are available. In this way, a tilemap of 32x32 tiles, each of 16x16 pixels, which therefore contains (32 x 16)^2 = 262144 pixels, needs only 2 x 32^2 = 2048 bytes of RAM to be entirely described. Sometimes, besides colour and design, there are other attributes; for example, a bit can indicate that the design is to be mirrored about the vertical axis.

Another fundamental characteristic of tilemaps is that they can be scrolled across the screen by changing the contents of some memory locations called scroll registers. Tilemaps are closed at the sides, so during scrolling what leaves one side of the screen later re-enters from the opposite one. The tilemap can move as a block, thus using only two registers for movement along the two Cartesian axes, or can be divided into smaller rectangles, free to move independently of one another. It is not rare for this independence to be pushed down to every single line (one pixel high) that makes up the image.

Footnote 14: src/tilemap.c

Some games can handle tilemaps in an even more versatile way, producing ROZ (ROtate and Zoom) effects, that is rotation and enlargement.

[Figure: ROZ effect on the background of F-1 Grand Prix (Video System, 1991)]

The emulation of tilemaps is usually rather simple; the data to use are found in RAM, organized in a regular way, and it is not difficult to guess the function of the bits associated with every tile.
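
The tilemap described above (32x32 tiles of 16x16 pixels, two bytes per tile with 4 bits of colour and 12 bits of design, scrolling that wraps at the sides, and a horizontal scroll register per line) can be sketched as a lookup from a screen pixel to the tile that covers it. This is an added example, not code from the original text or from src/tilemap.c; the byte order of a tile entry, the indexing of the per-line registers by screen line and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define TILE_SIZE  16                          /* pixels per tile side */
#define MAP_TILES  32                          /* tiles per map side */
#define MAP_PIXELS (MAP_TILES * TILE_SIZE)     /* 512 pixels per side */
#define MAP_BYTES  (2 * MAP_TILES * MAP_TILES) /* 2048 bytes of RAM */

struct tilemap {
    uint8_t  ram[MAP_BYTES];        /* two bytes per tile, stored row by row */
    uint16_t scroll_y;              /* one vertical scroll register */
    uint16_t scroll_x[MAP_PIXELS];  /* one horizontal register per screen line */
};

struct tile_pixel {
    unsigned code;    /* 12-bit design number */
    unsigned color;   /* 4-bit colour combination */
    unsigned px, py;  /* position of the pixel inside the 16x16 tile */
};

static struct tilemap demo_map;     /* constructed map used by main() */

/* Store one entry: colour in the top 4 bits, design in the low 12 (assumption). */
void tilemap_set(struct tilemap *tm, unsigned col, unsigned row,
                 unsigned code, unsigned color)
{
    unsigned idx = (row % MAP_TILES) * MAP_TILES + (col % MAP_TILES);

    tm->ram[2 * idx]     = (uint8_t)(((color & 0xFu) << 4) | ((code >> 8) & 0xFu));
    tm->ram[2 * idx + 1] = (uint8_t)(code & 0xFFu);
}

/* Find the tile and the pixel inside it that appear at screen position (x, y). */
struct tile_pixel tilemap_lookup(const struct tilemap *tm, unsigned x, unsigned y)
{
    /* The modulo closes the map at the sides: what leaves one edge
       re-enters from the opposite one. */
    unsigned my    = (y + tm->scroll_y) % MAP_PIXELS;
    unsigned mx    = (x + tm->scroll_x[y % MAP_PIXELS]) % MAP_PIXELS;
    unsigned idx   = (my / TILE_SIZE) * MAP_TILES + mx / TILE_SIZE;
    unsigned entry = ((unsigned)tm->ram[2 * idx] << 8) | tm->ram[2 * idx + 1];
    struct tile_pixel p;

    p.code  = entry & 0x0FFFu;
    p.color = entry >> 12;
    p.px    = mx % TILE_SIZE;
    p.py    = my % TILE_SIZE;
    return p;
}

int main(void)
{
    struct tile_pixel p;

    tilemap_set(&demo_map, 31, 0, 0x123, 5);   /* last tile of the first row */
    tilemap_set(&demo_map, 0, 0, 0x456, 9);    /* first tile of the first row */
    demo_map.scroll_x[0] = 500;                /* scroll screen line 0 only */

    p = tilemap_lookup(&demo_map, 0, 0);
    printf("x=0:  design %03X colour %u px %u\n", p.code, p.color, p.px);
    p = tilemap_lookup(&demo_map, 12, 0);      /* 500 + 12 wraps to column 0 */
    printf("x=12: design %03X colour %u px %u\n", p.code, p.color, p.px);
    return 0;
}
```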
Sprite

A primary need in video games is that of moving many objects on the screen, independent of one another and of the background. This is usually achieved by means of so-called sprites, a jargon term that can be translated as "folletti" (elves). Sprites are small images, for example 16x16 pixels, that can be moved freely on the screen by indicating their Cartesian coordinates. The designs to use are usually found in ROM memory used directly by the graphics hardware, as in the case of tilemaps. Besides the coordinates, the program must therefore indicate the number of the design to use and the colour combination. Usually it is possible to mirror the design about the two axes; sometimes it can also be enlarged or shrunk. The small size of sprites is not a limitation, since larger figures can be obtained simply by using several sprites side by side; in some cases this is even handled directly by the hardware.

This description is necessarily very brief, because sprites are the most distinctive part of video games; there are, in fact, large variations from one board to another and many other possible features besides those already described. For this reason, when writing the emulator for a game, the reverse engineering needed to reproduce the sprites is often one of the most difficult things, because it requires a great deal of intuition and experience.
Bitmap

A bitmap makes it possible to modify the colour of every pixel of the screen independently. Its main merit is without doubt versatility; in fact, PCs handle graphics in this way.

Compared with tilemaps, bitmaps require much more RAM and are slower; on the other hand, effects can be obtained that are difficult to achieve with the usual tilemaps. Usually the drawbacks outweigh the merits, so in video games the use of tilemaps is more frequent.

[Figure: Bitmap graphics in Qix (Taito, 1981)]

Bitmaps are the simplest type of graphics hardware to emulate: it is enough to copy the bitmap from the RAM of the game to the screen of the PC, converting the colours.
Less than the hardware video it is not constituted exclusively give
bitmap, and necessary, before still to begin the reverse engineering,
to determine the way in which the floor tiles memorizzate in the ROM. I
bit that they compose every pixel of the image can, in fact, being
decided in several ways, and the devout planners choose of time in time that
appropriated in order to render simple and economic the hardware devout. MAME
generic function has one in order to convert gives to you graphical from a format
whichever in the inner used format.
One upgrades them source of difficolta during the emulazione of the hardware
video and the way in which composing the several parts in order to form the image
end. As an example, if the game uses three tilemap and with of sprite, and
common that every sprite it can be put of forehead or behind several the layers
created from the tilemap. Also for the mechanism of the priorita one not there are
prefixed outlines, and several the games use many various ways in order to manage them in
flexible way.
AUDIO

Audio is an important part of any video game: sound effects such as the
introductory jingle of Pac-Man have become part of popular culture. It
is obvious, however, that for the operation of the game video and audio
do not have the same importance: one can do without the audio, but not
without the video.

The same holds for emulators: the sound part is often one of the last
things to be added, and may even be missing altogether if for some
reason its emulation presents difficulties.

The following chart shows how many of the games emulated by MAME still
lack sound. As is easy to observe, the lack concerns above all the
oldest games: this is because in the first video games sound was
produced by analog circuits, whose emulation is more complex. For the
games of that period, in many cases, instead of emulating the circuits,
sounds recorded from the original board are simply used.
[Chart: Games emulated by MAME without sound. Series: Total, Without
sound. Axes: number of games (0-150), percentage (0%-100%), year of
production (1975-2000).]
From 1980 onward, the situation became very similar to that of the CPUs:
games began to use sound-generating chips, usually documented, or simple
enough to understand that they could be reverse engineered. For games
produced after 1990 there has been an increase in those lacking the
sound part, due mostly to the use of chips that are not yet emulated but
probably will be in the future.

MAME currently emulates about fifty audio chips, and as can be seen from
the following chart compared with the one on p. 34, the distribution is
not as skewed as in the case of the CPUs. The three most used chips are
also representative of the three main families of musical synthesis:
square-wave tone synthesis (AY-3-8910), FM synthesis (YM2151) and ADPCM
sample playback (OKI6295).
Audio chips emulated by MAME and games that use them

AY-3-8910    359
YM2151       325
OKI6295      237
YM2610       210
YM2203       159
YM3812       141
SN76496       86
Nintendo      84
Namco         66
MSM5205       55
Pokey         41
uPD7759       39
YM3526        35
QSound        33
YM2413        32
ES5505        32
007232        26
CEM3394       22
TMS5220       21
ES5506        21
C140          20
YMZ280B       19
TMS5110       16
VLM5030       16
053260        15
YMF278B       15
SN76477       14
GA20          14
HC55516       13
YM2612        11
ADPCM         11
MSM5232       11
Y8950          9
YM3438         6
054539         6
Sega PCM       6
YM2610B        5
Astrocade      5
TMS36XX        5
YM2608         4
005289         4
051649         4
RF5C68         4
BSMT2000       2

The emulation of an audio chip can begin, as for the CPU, with finding
the official documentation, but in this field the frequency of
undocumented custom components is higher, so black-box reverse
engineering must be resorted to more often.

Even when documentation is available, it is very rarely exhaustive. For
example, many chips can generate pseudorandom noise; the required
pseudorandom numbers are generated through a formula that is never
documented, since knowing it is not necessary for normal use of the
chip. The formula can, however, be found, thanks to the Berlekamp-Massey
algorithm, by analyzing the sound produced by the chip [14].
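
The recovery described above can be illustrated as follows. This is an added example, not code from MAME or from reference [14]: it runs Berlekamp-Massey over a captured noise bit stream and returns the shift-register formula. The taps (3, 17), the seed and all function names are constructed for the illustration and do not describe any particular chip.

```python
def lfsr_bits(taps, seed, count):
    """Bits of the recurrence s[n] = XOR of s[n - t] for t in taps.

    `seed` holds the first bits of the stream (at least max(taps) of them).
    Used here both as the constructed "chip" and to replay a recovered formula.
    """
    stream = list(seed)
    while len(stream) < count:
        bit = 0
        for t in taps:
            bit ^= stream[-t]
        stream.append(bit)
    return stream[:count]


def berlekamp_massey(bits):
    """Shortest linear feedback shift register that generates `bits`.

    Returns (length, taps): every bit after the first `length` satisfies
    s[n] = XOR of s[n - t] for t in taps.
    """
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    length, m = 0, -1          # m = index of the last length change
    for i in range(n):
        # Discrepancy between the observed bit and the current prediction.
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        previous = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * length <= i:
            length, m, b = i + 1 - length, i, previous
    return length, [j for j in range(1, length + 1) if c[j]]


def recover_noise_formula(bits):
    """Berlekamp-Massey plus the check that the capture is long enough.

    The result is only guaranteed unique when at least 2 * length bits
    were observed; a shorter capture can yield a formula that reproduces
    the capture but mispredicts what follows.
    """
    length, taps = berlekamp_massey(bits)
    if 2 * length > len(bits):
        raise ValueError("capture too short: need at least 2 * length bits")
    return length, taps


# Constructed capture: 200 noise bits from a 17-bit register, taps 3 and 17.
CAPTURE = lfsr_bits((3, 17), [1] + [0] * 16, 200)

if __name__ == "__main__":
    length, taps = recover_noise_formula(CAPTURE[:64])
    print("register length:", length, "taps:", taps)
    replay = lfsr_bits(taps, CAPTURE[:length], len(CAPTURE))
    print("replay matches capture:", replay == CAPTURE)
```
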

Perfecting the emulation of the audio is perhaps a little more difficult
than perfecting the graphics, because small errors in the graphics are
easier to spot, while identifying them in the sound takes a very trained
ear.
INPUT DEVICES

An arcade video game needs to handle input from three different sources:
the coin mechanism, the controls for service staff (not accessible from
outside) and, obviously, the player's controls.

The coin mechanism is the only input device that no arcade game can
lack. Besides the coin slot, there is often also a switch that is
activated when someone tries to force the coin door or shakes the
cabinet too violently; in that case, the game locks up.

Service staff, opening the coin door to reach the inside, can use some
special controls. There is usually a button that allows a game to be
started without inserting coins. Often a button or a switch makes the
program run some checks to verify correct operation, for example a RAM
test or a ROM verification. On the game board one can find, above all in
less recent games, one or more DIP switches that serve to adjust the
difficulty and other operating parameters; in more recent games, these
inconvenient switches are often replaced by interactive menus displayed
on the monitor, and the settings are stored in an area of non-volatile
memory.

The input device par excellence in a video game, so much so that it has
become its symbol, is the joystick, that is, a lever that the player can
move in the four directions. Inside the joystick there are four
switches, which are activated by the movement of the lever. Usually two
adjacent switches, for example up and right, can be activated at the
same time, but some games require the joystick to be built so that it is
mechanically impossible to close more than one switch at a time. This
configuration is called 4-way, the other 8-way. The joystick is usually
accompanied by one or more buttons.

In some types of game, joystick and buttons are not sufficient to obtain
good control, so other devices are used, for example: steering wheel and
pedals in driving games; a spinner, that is, a knob that can rotate
about its axis, to allow fast and precise movements, as in Arkanoid or
Tempest; a trackball in games that require movement in two directions,
for example Missile Command or Marble Madness; pistols or rifles to aim
at targets on the screen.

Often the manufacturers indulged themselves in inventing original
control systems, to make their games more interesting, and perhaps also
to make the production of illegal copies more difficult. Thus we have
seen footballs, fishing rods, bicycles, rifles with telescopic sights,
skateboards, billiard balls with cue, etc.

[Figure: The peculiar input system of Slick Shot (Incredible
Technologies, 1990)]

The emulation of input devices presents no difficulty on the theoretical
level since, in most cases, it is only a matter of making the input
value appear in a memory location. The greater difficulties are
practical: the input devices available on a PC are, in fact, physically
very different from those of an arcade video game, and it is therefore
necessary to perform conversions. Even something apparently obvious,
like associating four keys with the four directions of a joystick, hides
pitfalls, in that on a joystick only one or two directions can be active
at the same time, while the user could even press all four keys
together. The emulator must make sure that only valid inputs reach the
emulated game, to avoid possible malfunctions.
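
One way to enforce this constraint is sketched below as an added example; it is not MAME's input code. The "most recently pressed direction wins" policy, the direction names and the class name are assumptions made for the illustration.

```python
OPPOSITE = {"up": "down", "down": "up", "left": "right", "right": "left"}


class JoystickFilter:
    """Turn arbitrary key presses into a switch state a real stick allows.

    8-way: at most one direction per axis, never two opposite switches.
    4-way: at most one switch closed at a time.
    Policy (an assumption of this sketch): the newest key press wins.
    """

    def __init__(self, ways=8):
        if ways not in (4, 8):
            raise ValueError("ways must be 4 or 8")
        self.ways = ways
        self.held = []                      # held directions, oldest first

    def update(self, pressed):
        """`pressed` is the set of keys currently down; returns closed switches."""
        pressed = set(pressed) & set(OPPOSITE)   # ignore non-direction keys
        self.held = [d for d in self.held if d in pressed]
        # Keys that went down since the last poll; sorted for determinism
        # when several arrive in the same poll.
        self.held += sorted(pressed - set(self.held))
        closed = []
        for direction in reversed(self.held):    # newest first
            if OPPOSITE[direction] not in closed:
                closed.append(direction)
            if self.ways == 4:
                break
        return frozenset(closed)


def always_valid(ways, presses):
    """True if every state produced while replaying `presses` is one that
    the physical joystick could have produced."""
    stick = JoystickFilter(ways)
    limit = 1 if ways == 4 else 2
    for pressed in presses:
        state = stick.update(pressed)
        if len(state) > limit:
            return False
        if any(OPPOSITE[d] in state for d in state):
            return False
    return True


if __name__ == "__main__":
    stick = JoystickFilter(8)
    for keys in ({"left"}, {"left", "right"}, {"left", "right", "up", "down"}):
        print(sorted(keys), "->", sorted(stick.update(keys)))
```
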

For the most dedicated players, the spread of emulators has led some
companies to produce control panels identical to those of arcade video
games. <23>, <24> and <25> are some examples.

[Figure: One of the joysticks designed for emulators]
4. CRYPTOGRAPHY

MOTIVATIONS

The word bootleg dates back at least to the 19th century, but was used
above all in the Twenties, during Prohibition [17]. Its original meaning
concerns the illegal production and sale of alcohol, but it was later
extended to other areas, for example the unauthorized recording of
concerts. In the case of arcade video games, a bootleg is an illegal
copy of a game, often modified, for example to change its title or to
remove the copyright notices.

To prevent illegal duplication, many manufacturers were forced to
introduce protection systems: some of them have already been mentioned
on p. 38, while in this chapter we will deal at length with one of the
most used, cryptography.

The encrypted ROMs can be either those containing graphics data or, more
frequently, those containing the code of a CPU, usually the main one. In
the second case either custom CPUs, which perform the decryption
internally, or external modules are used. The first method is more
secure, since the second requires that the communication between
decryption module, CPU and ROM be protected from intrusion by physical
means, for example epoxy resin.

Almost always the encryption is performed differently for instruction
codes (opcodes) and data; this makes cryptanalysis more complex.

Since decryption must happen in real time during the execution of the
program, the encryption algorithms must necessarily be rather simple.
Over time there has been an evolution, from the simple monoalphabetic
ciphers of the early '80s to more complex algorithms that are still
unknown. In many cases one has the impression that, to compensate for
the limitations of the algorithms, security was sought through the use
of very long keys.

Sometimes, in the more recent games, the keys are stored in an area of
NVRAM powered by a lithium battery; when the battery (appropriately
nicknamed suicide battery) runs out, the game stops working and must be
sent back to the manufacturer to be repaired. On the legitimacy of such
a practice, which in effect makes the boards of some video games
time-limited products destined to self-destruct, opinions differ. Some
collectors, however, have organized themselves to solve the problem at
the root, modifying the boards to avoid the use of the batteries <26>.

STERN

Among the first emulation enthusiasts there circulated a joke according
to which any game can run on Scramble hardware. The joke arose because
many of the games supported by the first versions of MAME ran on exactly
this board, which in its day was very widespread.

Since at the time the video game market was growing strongly, the board
was used by many to produce new games quickly without having to design
the hardware as well. Some games produced by Stern have encrypted
graphics ROMs, probably to prevent easy piracy given how widespread the
board was. The algorithm acts only on the addresses, not on the data;
that is, it merely shuffles the bytes around a little inside the ROM. If
the protection is not reproduced, the game continues to work normally,
but the graphics are scrambled.

The protection performs logical operations on the bits of the address;
the following, for example, is the formula used for the game Minefield
(footnote 15).
A5 ': = A3
A7
A7 ': = A2
A9
(A0
A5)
(A3
A7
(A0
A5))
A9 ': = A0
A5
(A3
A7)

KONAMI-1 (footnote 16)

This CPU is a Motorola 6809 that performs internal decryption of the
opcodes. It is used by a good number of Konami games of the period
1983-1986.

The algorithm is a simple XOR scheme. It acts on bits 1, 3, 5 and 7 of
the opcode and depends on bits 1 and 3 of the address; the other bits of
the opcode are not altered. The scheme is the following:
D1 ': = D1
A3
D3 ': = D3
A3
D5 ': = D5
A1
D7 ': = D7
A1

The protection is therefore easily reproducible with a few logic gates;
the fact that it is applied only to opcodes is not a problem since the
6809, like many other CPUs, signals externally whether it is fetching an
opcode or data.

Indeed, the first emulation of this protection was obtained precisely by
studying a bootleg board of the game Gyruss that replaced the Konami-1
CPU with a standard 6809 and a few logic gates.

15 src/machine/scramble.c
16 src/machine/konami.c

SEGA SYSTEM 1 (footnote 17)

Many Sega games of the period 1982-1986 use custom versions of the Z80.
The name I have chosen is arbitrary, due to the fact that the CPU is
used mainly for the games that run on the System 1 board.

All the CPUs of this family use the same encryption algorithm, but with
different keys. The key is programmed into the CPU during production and
cannot be modified.

Some information on the designers of the system is found, in plaintext,
inside the ROMs of some games (footnote 18):

Buck Rogers        SECULITY BY MASATOSHI, MIZUNAGA
Super Locomotive   SEGA FUKUMURA MIZUNAGA
Yamato             SECULITY BY M, MIZUNAGA
Regulus            SECULITY BY SYUICHI, KATAGI
Up'n Down          19/SEP 1983 MASATOSHI, MIZUNAGA
Mister Viking      SECURITY BY S.KATAGI CONTROL CHIP M140
SWAT               SECURITY BY S.KATAGI
Water Match        PROGRAMED BY KAWAHARA&NAKAGAWA
Flicky             SECURITY BY S.KATAGI
Star Force         STAR FORCE TEHKAN. SECURITY BY SEGA ENTERPRISESE

A curious note regarding Star Force is that, unlike all the others, it
was produced not by Sega but by Tehkan; although the CPU has a different
code number, it uses the same key as Super Locomotive. Evidently at Sega
they did not want to do too much work to help a competitor protect
itself from copies!

The CPU internally decrypts both opcodes and data, with the same
algorithm but different encodings. The algorithm acts on bits 3, 5 and 7
of the byte to be encrypted; the three bits can be permuted in any way
and each of them can be inverted. The possible encodings are therefore:

$3! \cdot 2^3 = 48.$

17 src/machine/segacrpt.c
18 The spelling errors are as they appear in the originals

The permutation and the inversions to apply depend on bits 0, 4, 8 and
12 of the address at which the byte is located and on whether the byte
is an opcode or data; in theory, therefore, the CPU could use $2^5$
different encodings. The games examined, however, use only 6, except one
that uses 7; in the one that uses 7, one of the encodings is the
identity. It would seem therefore that the CPU cannot handle a larger
number.

The reverse engineering of this algorithm was carried out by studying
two versions of Pengo, one encrypted and the other in plaintext, nearly
identical. Once the algorithm had been identified, it was possible to
decrypt other games. This operation is rather simple and can be done by
hand in a couple of hours: in fact, each single byte can be decrypted in
8 different ways, and as parts of the key are found they reduce the
permissible values for the remaining ones, so the search proceeds
quickly.
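
The search just described can be made concrete with the following added example, which is not the code in segacrpt.c. It enumerates the 48 encodings, shows the 8 candidate plaintexts of a byte, and narrows each key row with known plaintext; the key table, the sample bytes and every function name are constructed for the illustration.

```python
import random
from itertools import permutations, product

BITS = (3, 5, 7)                 # the only data bits the scheme touches
MASK = 0x08 | 0x20 | 0x80


def all_encodings():
    """Every (permutation, inversions) pair on bits 3, 5 and 7: 3! * 2^3."""
    return [(perm, flips) for perm in permutations(BITS)
            for flips in product((0, 1), repeat=3)]


def decode(byte, encoding):
    """Output bit BITS[k] = input bit perm[k] XOR flips[k]; other bits pass."""
    perm, flips = encoding
    out = byte & ~MASK & 0xFF
    for dst, src, flip in zip(BITS, perm, flips):
        out |= (((byte >> src) & 1) ^ flip) << dst
    return out


def candidates(byte):
    """All plaintexts an encrypted byte could stand for."""
    return sorted({decode(byte, e) for e in all_encodings()})


def encode(byte, encoding):
    """Inverse of decode, found among the 8 bytes sharing the untouched bits."""
    return next(c for c in candidates(byte) if decode(c, encoding) == byte)


def key_row(address, is_opcode):
    """Row selected by address bits 0, 4, 8, 12 and the opcode/data flag."""
    row = 0
    for n, bit in enumerate((0, 4, 8, 12)):
        row |= ((address >> bit) & 1) << n
    return row | (int(is_opcode) << 4)


def recover_rows(samples):
    """Known-plaintext search. `samples` holds (address, is_opcode, cipher,
    plain) tuples; returns {row: encodings still consistent with them}."""
    survivors = {}
    for address, is_opcode, cipher, plain in samples:
        row = key_row(address, is_opcode)
        pool = survivors.setdefault(row, all_encodings())
        survivors[row] = [e for e in pool if decode(cipher, e) == plain]
    return survivors


def demo(seed=7):
    """Constructed key using 6 distinct encodings, attacked with 8 KiB of
    constructed plaintext/ciphertext pairs."""
    rng = random.Random(seed)
    used = rng.sample(all_encodings(), 6)
    table = [used[row % 6] for row in range(32)]
    samples = []
    for address in range(0x2000):
        is_opcode = rng.random() < 0.5
        plain = rng.randrange(256)
        cipher = encode(plain, table[key_row(address, is_opcode)])
        samples.append((address, is_opcode, cipher, plain))
    return table, recover_rows(samples)


if __name__ == "__main__":
    print("encodings:", len(all_encodings()))
    print("candidates for 0x5A:", [hex(c) for c in candidates(0x5A)])
    table, survivors = demo()
    print("rows fully determined:",
          sum(survivors[r] == [table[r]] for r in range(32)), "of 32")
```
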

V30 (footnote 19)

The NEC V30 is a CPU derived from the Intel 8086 which, among its
additional features, can also hold an internal opcode conversion table.
It is, therefore, a monoalphabetic substitution cipher with an alphabet
of 256 characters.

This CPU was used by Irem in a good number of games in the period
1991-1994: in some, for example Bomberman, as the main CPU; in others,
for example Gunforce, as the secondary CPU for sound.

It is well known that monoalphabetic ciphers offer very low security
when it comes to protecting a text message, but decrypting a program
encrypted in this way is nevertheless difficult. Many instructions of a
CPU have similar functions and often some of them are used only once or
twice in the whole program, so it is not easy to determine exactly the
correspondences between instructions and opcodes.

19 src/machine/irem_cpu.c

In the case of the Irem games, fundamental help came from other games by
the same company, which use a normal Z80 as the sound CPU instead of the
protected V30. In some cases, the programs of the two CPUs are almost
identical for long stretches, as can be seen in these two excerpts
placed side by side:

Gunforce (V30), 1991 Irem                  Bomberman (Z80), 1991 Irem

01FF2: D2 06 00     mov al,[$0006]         0AB8: 3A 06 FF  ld a,($ff06)
01FF5: 15 C0        and al,al              0ABB: A7        and a
01FF7: C7 03        jne $1FFC
01FF9: F9 36 F1     jmp $1132              0ABC: CA 80 00  jp z,$0080
01FFC: 82 75 45 07  inc byte ss:[iy+$07]   0ABF: DD 34 07  inc (ix+$07)
02000: 82 20 45 07  mov al,ss:[iy+$07]     0AC2: DD 7E 07  ld a,(ix+$07)
02004: 52 07        and al,$07             0AC5: E6 07     and $07
02006: C7 2E        jne $2036              0AC7: C0        ret nz
02008: 82 75 4D 06  dec byte ss:[iy+$06]   0AC8: DD 35 06  dec (ix+$06)
0200C: C7 28        jne $2036              0ACB: C0        ret nz
0200E: 82 20 45 05  mov al,ss:[iy+$05]     0ACC: DD 7E 05  ld a,(ix+$05)
02012: 82 07 45 06  mov ss:[iy+$06],al     0ACF: DD 77 06  ld (ix+$06),a
02016: 82 20 5D 02  mov bl,ss:[iy+$02]     0AD2: DD 6E 02  ld l,(ix+$02)
0201A: 82 20 7D 03  mov bh,ss:[iy+$03]     0AD5: DD 66 03  ld h,(ix+$03)
0201E: 82 20 45 04  mov al,ss:[iy+$04]     0AD8: DD 7E 04  ld a,(ix+$04)
02022: 82 AE 07     sub al,ss:[bw]         0ADB: 96        sub (hl)
02025: C7 03        jne $202A
02027: F9 08 F1     jmp $1132              0ADC: CA 80 00  jp z,$0080
0202A: 6D 01        mov al,$01             0ADF: 3E 01     ld a,$01
0202C: 32 02        jnc $2030              0AE1: 30 02     jr nc,$0AE5
0202E: BA D8        neg al                 0AE3: ED 44     neg
02030: 82 9D 07     add al,ss:[bw]         0AE5: 86        add a,(hl)
02033: 82 07 07     mov ss:[bw],al         0AE6: 77        ld (hl),a
02036: 48           ret                    0AE7: C9        ret

From the listings it is obvious that the V30 program is a literal
translation of the Z80 program.

Another fortunate circumstance was that in many cases the V30 used as
the main CPU in one game uses the same key as the one used as the
secondary CPU in another, so once the second had been decrypted, one was
already well on the way to decrypting the first as well.

BURGER TIME (footnote 20)

The algorithm used by Data East in Burger Time and, with small
variations, in other games of the same period, is interesting not for
the encryption itself, which is a simple permutation of the bits, but
for how it is applied.

The CPU is a 6502 that decrypts only the opcodes whose address has bits
2 and 8 set and, more importantly, only if the previous instruction
caused a write access to memory. The decryption therefore depends on the
flow of the program. This makes it impossible to decrypt the ROMs
without interpreting the code they contain.

THE GLOB (footnote 21)

This Epos game exists in two versions, one that runs on a dedicated
board, the other that runs on the Pac-Man board. The first is not
protected, while the second is, probably for the same reasons already
suggested for the Stern games.

The encryption refines the idea of Burger Time, that is, it changes
under the control of the program. In this case the encryption is a
classic permutation and inversion of bits, which can happen in several
different ways. When the CPU, a normal Z80, executes the IN instruction
on an even I/O port, the next permutation is selected, while if the port
is odd, the previous permutation is selected.

The permutations and the logic for selecting the active permutation are
implemented by a PAL (Programmable Array Logic), located together with
the Z80 and the ROMs on a small board covered in epoxy resin. The
reverse engineering was carried out by physically penetrating the inside
of the protection module.

20 src/drivers/btime.c
21 src/machine/theglobp.c

KABUKI (footnote 22)

Kabuki is the code name of a CPU used by Capcom for some games in the
period 1989-1993, for example Buster Bros. The CPU is equipped with a
suicide battery and uses a non-trivial algorithm.

The main part of the algorithm, which I will call bitswap, is the
swapping of each of the four pairs of consecutive bits of the byte to be
decrypted. Each pair may or may not be swapped: this depends on the
address at which the byte is located, on whether it is data or an
opcode, and on the encryption key stored in the CPU. The bitswap is
performed four times; between each pair of bitswaps a left rotation of
the bits of the byte is performed, and once also an XOR with a value
that is part of the encryption key.

In summary, the operations to perform in order to decrypt a byte are, in
order:
bitswap
ROL
bitswap
XOR
ROL
bitswap
ROL
bitswap

This algorithm is undoubtedly more complex than those examined so far,
but it has weaknesses that can be exploited to search for the key.

For details on how the algorithm works, refer to the file indicated in
the footnote; here we are interested in noting that the first two
bitswaps are controlled by bits 0-7 of the address, while the second two
by bits 8-15.

If a plaintext byte is 00₁₆ (or FF₁₆), since all its bits are equal it
is not affected by the last two bitswaps; these depend on bits 8-15 of
the address, so the encryption of such a byte depends only on bits 0-7
of the address. Thus if, as often happens, the plaintext data contain a
long sequence of 00₁₆ (or FF₁₆), the encrypted data will contain a
sequence of 256 bytes repeated several times. This fact can be exploited
to find, by brute-force search, the few permissible values for part of
the key.

22 src/machine/kabuki.c

The key can then be completed, again by brute-force search, through a
known-plaintext attack.

DATA EAST CUSTOM 56/74 (footnote 23)

Two of the many custom chips produced by Data East, used in the period
1991-1995, use encrypted ROMs. They are graphics chips, tilemap
generators, and have code numbers 56 and 74.

The algorithm works on blocks of 2048 16-bit words. The encryption key
is fixed, so once identified it is valid for all the games that use the
same chip.

Decryption consists of three distinct operations, identical for every
block:

1. the words are permuted within the block according to a predetermined
   order;
2. each word is XORed with one of 16 possible predefined values, chosen
   according to its position within the block;
3. the bits of each word are permuted in one of 8 possible predefined
   ways, chosen according to its position within the block.

These chips are an example of the attempts to make up for the
deficiencies of the encryption algorithms by using very long keys: the
size of the key space, in fact, based on the description above, is

$2048! \cdot 16^{2048} \cdot 8^{2048} \approx 0.62 \cdot 10^{10210}$

23 src/machine/decocrpt.c

The table that presumably holds the key inside the chip uses

$2048 \cdot 11 + 2048 \cdot 4 + 2048 \cdot 3 = 2048 \cdot 18 = 36864$

bits of memory.

The reverse engineering of the algorithm was carried out with a
known-plaintext attack, thanks to the availability of bootleg versions,
with plaintext ROMs, of Tumble Pop (chip 56) and Funky Jet (chip 74).

The attack was facilitated by a weakness of the algorithm: when a block
consists entirely of 0000₁₆ (or FFFF₁₆), steps 1 and 3 have no effect,
so the XOR pattern becomes clearly visible.

Once the XOR pattern had been eliminated, by counting for each n the
number of words with n bits set, both in the encrypted ROM and in the
plaintext one, it was verified that the counts matched for every block;
this confirmed that the remaining part of the encryption consisted only
of the permutation of the words within each block and of the permutation
of the bits within each word.

Assuming a uniform distribution, the probability that a 16-bit word has
n bits set is

$\binom{16}{n} \cdot \frac{1}{2^{16}} < 0.2$

In the ROM there are 128 blocks, and the permutation of the words is the
same in every block. Given one position in the encrypted blocks and one
in the plaintext blocks, the probability that the words in those two
positions always have the same number of bits set is less than
$0.2^{128}$, which is a number of the order of $10^{-90}$; in other
words, it is practically impossible for the correspondence to occur by
chance. Through this comparison the permutation of step 1 can therefore
easily be reconstructed.

Once the correct order of the words has been reconstructed, all that
remains is to find the bit permutations of step 3. The procedure is
analogous to the previous one, that is, it uses the redundant
information supplied by the 128 blocks to isolate the only valid
permutation.
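
The three stages of this attack are worked through below as an added example; it is not the code in decocrpt.c. The cipher is a toy with the structure listed above, the key and ROM contents are randomly constructed, and the block is shortened to 256 words (the text gives 2048) so that it runs quickly; all names are assumptions of the sketch.

```python
import random

BLOCK = 256      # words per block in this toy; the text gives 2048
NBLOCKS = 128    # blocks per ROM, as in the text


def permute_bits(word, perm):
    """Output bit i is input bit perm[i]."""
    return sum(((word >> perm[i]) & 1) << i for i in range(16))


def make_key(rng):
    """Constructed key: word order, one of 16 XOR values and one of 8 bit
    permutations per position in the block."""
    order = rng.sample(range(BLOCK), BLOCK)
    xor_values = [rng.randrange(1 << 16) for _ in range(16)]
    bit_perms = [rng.sample(range(16), 16) for _ in range(8)]
    return {"order": order,
            "xor": [rng.choice(xor_values) for _ in range(BLOCK)],
            "bits": [rng.choice(bit_perms) for _ in range(BLOCK)]}


def decrypt(rom, key):
    """Steps 1-3 of the text: reorder words, XOR, permute bits."""
    out = []
    for base in range(0, len(rom), BLOCK):
        for p in range(BLOCK):
            word = rom[base + key["order"][p]] ^ key["xor"][p]
            out.append(permute_bits(word, key["bits"][p]))
    return out


def encrypt(rom, key):
    inverse = [[perm.index(i) for i in range(16)] for perm in key["bits"]]
    out = [0] * len(rom)
    for base in range(0, len(rom), BLOCK):
        for p in range(BLOCK):
            word = permute_bits(rom[base + p], inverse[p]) ^ key["xor"][p]
            out[base + key["order"][p]] = word
    return out


def recover_key(plain, cipher):
    """Known-plaintext attack following the three stages in the text."""
    count = len(plain) // BLOCK
    pblocks = [plain[b * BLOCK:(b + 1) * BLOCK] for b in range(count)]
    cblocks = [cipher[b * BLOCK:(b + 1) * BLOCK] for b in range(count)]
    # Weakness: where the plaintext block is all 0000, steps 1 and 3 do
    # nothing, so each ciphertext word is the XOR value of its position.
    blank = next((b for b in range(count) if not any(pblocks[b])), None)
    if blank is None:
        raise ValueError("no all-zero plaintext block to expose the XOR")
    mask = cblocks[blank]
    stripped = [[w ^ m for w, m in zip(blk, mask)] for blk in cblocks]
    # Step 1: match positions by their bit-count profile over all blocks.
    profiles = {}
    for q in range(BLOCK):
        sig = tuple(bin(blk[q]).count("1") for blk in stripped)
        profiles.setdefault(sig, []).append(q)
    key = {"order": [], "xor": [], "bits": []}
    for p in range(BLOCK):
        sig = tuple(bin(blk[p]).count("1") for blk in pblocks)
        matches = profiles.get(sig, [])
        if len(matches) != 1:
            raise ValueError(f"position {p}: {len(matches)} candidates")
        q = matches[0]
        # Step 3: match each plaintext bit column to a ciphertext column.
        columns = {tuple((blk[q] >> j) & 1 for blk in stripped): j
                   for j in range(16)}
        perm = [columns.get(tuple((blk[p] >> i) & 1 for blk in pblocks))
                for i in range(16)]
        if len(columns) != 16 or None in perm:
            raise ValueError(f"position {p}: bit permutation is ambiguous")
        key["order"].append(q)
        key["xor"].append(mask[q])
        key["bits"].append(perm)
    return key


def demo(seed=1):
    """Recover the key from one game's bootleg, then decrypt another game."""
    rng = random.Random(seed)
    key = make_key(rng)
    size = BLOCK * NBLOCKS
    bootleg = [rng.randrange(1 << 16) for _ in range(size)]
    bootleg[5 * BLOCK:6 * BLOCK] = [0] * BLOCK        # one blank block
    recovered = recover_key(bootleg, encrypt(bootleg, key))
    other = [rng.randrange(1 << 16) for _ in range(size)]
    return recovered == key, decrypt(encrypt(other, key), recovered) == other


if __name__ == "__main__":
    print("key recovered, second ROM decrypted:", demo())
```
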

NEO GEO (footnote 24)

The Neo Geo was without doubt the longest-lived arcade video game system
ever produced. Introduced in 1990, it lasted for more than ten years; it
boasts a library of about 150 titles, and new games are still being
developed, even though the original manufacturer, SNK, went bankrupt in
2001. Visiting any arcade, one is sure to find a couple of cabinets
fitted with this system, with the latest version of King of Fighters or
Metal Slug, or even some evergreen like Puzzle Bobble.

The success of the Neo Geo is due in part to the fact that it is a
cartridge system, also sold as a console for home use. Although the
cartridges for the arcade version and the home version are different,
the game they contain is absolutely identical. In the arcade version, it
is also possible to insert several games at the same time: the user can
choose the preferred game with a button on the cabinet.

Piracy must have been a serious problem, since the system is very
widespread and lacks protections, and it is therefore easy to make
illegal copies of the cartridges. Adding a protection was not, however,
a simple matter, because the main board could no longer be modified,
while the cartridges contained little more than the ROMs; despite these
difficulties, in the games produced from 1999 onward the graphics ROMs
are encrypted.

Since the data had to leave the cartridge in plaintext, the only
possibility for encrypting the contents of the ROMs was to put inside
the cartridge custom chips that decrypted the contents of the ROMs
before sending them out. As we said earlier, a solution of this kind, in
which the communication between the ROM and the rest of the system is
not protected, is intrinsically insecure; the protection, in fact, did
not hold out for long against the pirates. The bootleg versions allowed
a known-plaintext attack on the algorithm.

24 src/machine/neocrypt.c

The algorithm is a complex XOR scheme that acts both on the data lines
and on the address lines. It works on 32-bit words, and in addition to
the XOR it can swap the two inner bytes and the two outer bytes of each
word. The key consists of 9 tables of 256 bytes. The way in which the
tables are used for the XOR on the data is complex and can be studied in
the source file indicated in the footnote; the XOR on the 24 bits of the
address is instead simpler and can be summarized as follows, where

A₀ = value contained in bits 0-7 of the address
A₁ = value contained in bits 8-15 of the address
A₂ = value contained in bits 16-23 of the address
c = constant that changes from game to game
Kₙ[x] = value found at position x in table n of the key

1. A₀ := A₀ XOR c
2. A₁ := A₁ XOR K₁[A₂]
3. A₁ := A₁ XOR K₂[A₀]
4. A₂ := A₂ XOR K₃[A₀]
5. A₂ := A₂ XOR K₄[A₁]
6. A₀ := A₀ XOR K₅[A₁]

The algorithm operates on the values modified in the previous steps: for
example, the A₁ used in step 5 is the result of the XOR in step 3.

The reverse engineering of the algorithm began by observing certain
regularities and repetitive patterns inside the encrypted ROMs, caused
by the fact that normally more than 60% of the data used for graphics
consists of bytes with value 00₁₆ or FF₁₆. An XOR scheme was therefore
constructed that maximized the presence of such values. Finally it was
verified that the byte counts in the encrypted ROM, processed with that
scheme, matched those of the plaintext ROM taken from a bootleg; this
confirmed that the scheme was correct and that the remaining part of the
encryption acted only on the addresses. Although the algorithm that acts
on the data is, as said earlier, rather complex, the regularities
identified revealed a weakness in it, namely that of being a function of
the address in the encrypted ROM; if, on the contrary, the algorithm had
been a function of the address in the plaintext ROM, the reverse
engineering would probably have been more difficult, because the
repetitive patterns would have been hidden by the complex permutation of
the addresses.

Once the encryption on the data had been eliminated, a second weakness
of the algorithm could be exploited, namely that of working on 32-bit
words. With such a high number of bits, there is a great number of
values that appear only once in the entire ROM, so that a table of
correspondences can be constructed between the address in the encrypted
ROM and the address in the plaintext ROM, a table that can then be
studied to reconstruct the algorithm.
5. MAME
G
THEM
I
NIZI
The history of MAME begins on 5 February 1997 with the official release of
version 0.1. That version supported five games: Pac-Man, Ms. Pac-Man,
Crush Roller, Pengo and Lady Bug.

My work on arcade game emulators had begun a few weeks earlier. On Christmas
Eve 1996 I happened by chance upon a site called The Arcade Emulation
Programming Repository. Its author, Allard van der Bas, a far-sighted Dutch
guy, had had the idea of making available to all users not only the emulators
but also their source code, so as to stimulate the exchange of ideas among
programmers. From the site I downloaded the prototype of the emulator for one
of the most popular games of all time, Pac-Man. With some effort I found the
original ROMs, tried to launch the emulator and, damn, it did not work! On
the screen only a series of random characters could be seen. Disappointed, I
was about to exit the program and forget the whole thing, when unexpectedly
the game's opening screen appeared. It worked! The random characters were
only the normal RAM checks that the game performed before starting.

The emulation was rather primitive: the colors were completely wrong, the
sound was missing, and the screen was square instead of rectangular.
Intrigued, I decided to spend a few hours trying to improve it. A few hours,
a few days... I soon realized that the potential for development was
enormous. Having completed the emulation of Pac-Man, I began to take an
interest in other games as well, and after a month I decided that the moment
had come to reorganize my ideas and gather the emulation of all the games
inside a single program, equipped with a flexible and easily expandable
architecture.

The main problem I had to face at the beginning, given that I had no
experience in the field of emulator programming, was that of finding
information, obviously on the Internet. The information available was
fragmentary, often conflicting, and scattered across the net without
organization. I therefore thought that the principle at the base of MAME
should be not so much the possibility of playing the video games of the
past, but rather providing documentation, as exhaustive and accurate as
possible, of the hardware on which they were based.

This principle is stated at the beginning of the MAME documentation:

MAME is strictly a non-profit project. Its main purpose is to be a
reference to the inner workings of the emulated arcade machines. This is
done for educational purposes and to prevent many historical games from
sinking into oblivion once the hardware they run on stops working. Of
course to preserve the games, you must also be able to actually play them;
you can consider that a nice side effect.
It is not our intention to infringe on any copyrights or patents on the
original games. All of MAME's source code is either our own or freely
available. To operate, the emulator requires images of the original ROMs
from the arcade machines, which must be provided by the user. No
portions of the original ROM codes are included in the executable.

The results of this policy were excellent. After a somewhat quiet start,
partly because in that period the emulation of arcade games was a novelty and
new emulators were sprouting like mushrooms, many programmers took an
interest in the project and offered their help. Some of them have continued
to work on MAME to this day.

Another result that I expected to obtain by distributing the source code was
to stimulate the birth of other projects that could draw freely on the
information collected by MAME. This did happen, above all with the
development of some emulators focused on improving performance on less
powerful computers, but with less resonance than I had anticipated, simply
because MAME has been so successful that the people interested in emulation
have found it more effective to collaborate directly on MAME rather than try
to create another project in competition.

STRUCTURE

The nature of the project lends itself well to a modular structure like the
one outlined in the figure.

[Figure: Outline of the MAME structure. Blocks: core (CPU management,
control, memory management, ROM management, virtual timers, NVRAM management,
graphics management, input management, sound management); CPU modules; sound
modules; game drivers; operating system interface functions.]

As can be seen, the modules mirror the various parts of an arcade video game
described in chapter 3.

A central core directs the operations, manages the user interface and makes
available to the drivers a good number of commonly used functions. The core
delegates to external modules the emulation of the various types of CPU and
audio chip supported.

In practice the core provides an operating environment specialized in the
emulation of arcade video games, which the drivers can exploit with little
additional code. Often the greater part of a driver's content consists of
data structures, managed directly by the core. The driver must only supply
code for some specific tasks, for example updating the video.

[Figure: Outline of the content of a driver. Labels: game; machine; data
structures (ROM list, CPU list, graphics format, input port list, memory
maps, audio chip list); code (memory handlers, video refresh).]
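The division of labour described above, as an added example in C: a driver that is almost entirely data (ROM list, memory map) plus a few small handlers, and a core that validates those tables and routes CPU accesses through them. All structure and function names are hypothetical and are not MAME's real definitions; the board, file names and addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every name below is hypothetical; none is MAME's real definition. */
typedef uint8_t (*read_fn)(uint16_t offset);
typedef void (*write_fn)(uint16_t offset, uint8_t data);

struct mem_range {              /* one entry of a memory map */
    uint16_t start, end;        /* inclusive CPU address range */
    read_fn  read;              /* NULL: nothing answers reads here */
    write_fn write;             /* NULL: writes are ignored, as for ROM */
};
struct rom_entry { const char *file; uint16_t load_addr, length; };
struct game_driver {            /* mostly data, interpreted by the core */
    const char *name;
    const struct rom_entry *roms; size_t n_roms;
    const struct mem_range *map;  size_t n_ranges;
    void (*video_refresh)(void);  /* the game-specific code */
};

/* ---- driver: constructed board with 16 KB ROM, 1 KB RAM, one DIP port ---- */
static uint8_t rom[0x4000], ram[0x0400], dip_switches = 0x3C;
static int frames_drawn;
static uint8_t rom_r(uint16_t off) { return rom[off]; }
static uint8_t ram_r(uint16_t off) { return ram[off]; }
static void ram_w(uint16_t off, uint8_t data) { ram[off] = data; }
static uint8_t dip_r(uint16_t off) { (void)off; return dip_switches; }
static void refresh(void) { frames_drawn++; }

static const struct rom_entry example_roms[] = {
    { "prog.1", 0x0000, 0x2000 }, { "prog.2", 0x2000, 0x2000 },
};
static const struct mem_range example_map[] = {
    { 0x0000, 0x3FFF, rom_r, NULL  },
    { 0x4000, 0x43FF, ram_r, ram_w },
    { 0x5000, 0x5000, dip_r, NULL  },
};
static const struct game_driver example_driver = {
    "example", example_roms, 2, example_map, 3, refresh
};

/* ---- core: generic code shared by all drivers ---- */
static unsigned unmapped_accesses;

static const struct mem_range *find_range(const struct game_driver *d, uint16_t a)
{
    for (size_t i = 0; i < d->n_ranges; i++)
        if (a >= d->map[i].start && a <= d->map[i].end) return &d->map[i];
    return NULL;
}

/* Check the driver's tables before use: ranges ordered and disjoint, every
   ROM inside one readable range that has no write handler. */
static int core_validate(const struct game_driver *d)
{
    int problems = 0;
    for (size_t i = 0; i < d->n_ranges; i++) {
        if (d->map[i].start > d->map[i].end) problems++;
        if (i > 0 && d->map[i].start <= d->map[i - 1].end) problems++;
    }
    for (size_t i = 0; i < d->n_roms; i++) {
        const struct rom_entry *e = &d->roms[i];
        const struct mem_range *r = find_range(d, e->load_addr);
        uint32_t last = (uint32_t)e->load_addr + e->length - 1;
        if (e->length == 0 || !r || !r->read || r->write || last > r->end)
            problems++;
    }
    return problems;
}

/* CPU read: an unmapped address returns 0xFF and is counted. */
static uint8_t core_read(const struct game_driver *d, uint16_t addr)
{
    const struct mem_range *r = find_range(d, addr);
    if (!r || !r->read) { unmapped_accesses++; return 0xFF; }
    return r->read((uint16_t)(addr - r->start));
}

static void core_write(const struct game_driver *d, uint16_t addr, uint8_t data)
{
    const struct mem_range *r = find_range(d, addr);
    if (!r) { unmapped_accesses++; return; }
    if (r->write) r->write((uint16_t)(addr - r->start), data);
}

int main(void)
{
    const struct game_driver *d = &example_driver;
    if (core_validate(d) != 0) return 1;
    core_write(d, 0x4010, 0xAB);                /* lands in RAM */
    core_write(d, 0x0000, 0x55);                /* ROM: ignored */
    uint8_t open_bus = core_read(d, 0x6000);    /* nothing mapped here */
    d->video_refresh();
    printf("ram=%02X rom=%02X dip=%02X unmapped=%02X\n", core_read(d, 0x4010),
           core_read(d, 0x0000), core_read(d, 0x5000), open_bus);
    return 0;
}
```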

The programming language used is C, for its portability and its wide
diffusion. The modularity described above would probably have allowed an
object-oriented language such as C++ to be applied profitably. The structure
of the code, however, is such that using C to write the drivers is not
inconvenient. In any case, the difficulty in writing a driver lies entirely
in the reverse engineering and not in the use of one language rather than
another.

The main version of MAME initially ran under MS-DOS, and now runs under
Windows. Issues regarding porting to different architectures have always
been given the utmost consideration, by separating out all the functions
that depend on the operating system. The source code is structured so as to
gather into a few files all the code that depends on the operating system,
which amounts to less than 2% of the total. The remaining 98% of the code
requires no modifications to be used with other operating systems. The
collaboration of the Macintosh and Unix/Linux programmers was, and still is,
very important in guaranteeing the portability of the project. Besides the
operating systems just mentioned, there are versions of MAME for less
widespread platforms such as OS/2, Amiga and BeOS, which however are no
longer updated. Versions have also been made that run on handheld computers
[18] and even on some types of cameras! <27>, [19].

OPEN SOURCE

MAME is free-of-charge software whose source code is also distributed, but
it is neither free software according to the definition of the Free Software
Foundation <28> (in which "free" stands for free as in freedom and not for
free of charge), nor open source according to the definition of the Open
Source Initiative <29>.

Given the particular nature of MAME, at the beginning of the development it
seemed appropriate to me to use a licence more restrictive than those of
free software, so as to be able to maintain a certain control and make sure
that the project evolved in the desired direction.

Beyond this, I have personally never appreciated the clause that allows
anyone to profit from free software: if I decide to donate my work to the
community, I would want it to be free of charge for everyone. But this,
evidently, is a point of view not shared by the majority of the other free
software developers.

As can be imagined, the restrictive licence adopted by MAME has triggered
countless controversies in the community, between the fundamentalists of
free software and those who instead defended the choices of the MAME
developers.

At this point in its development, MAME is now mature and has achieved the
goals that had been set for it. It therefore no longer seems necessary to
use such a restrictive licence and soon, barring complications, the GNU
General Public License of the Free Software Foundation will be adopted.

RESULTS ACHIEVED

Even with all the speed problems that it carries because of its generalist
nature, MAME has established itself as the point of reference for arcade
video game emulators, boasting a completeness without equal. On the other
hand, as said previously, completeness and accuracy are precisely the main
objectives of MAME, while the possibility of playing even on less powerful
computers is an entirely marginal interest.

KLOV (Killer List of Videogames, <30>) is the most popular database of arcade
video games available on the Internet. It is not one hundred percent
complete, but it gives a reasonable overall view of what the video game
market has been. KLOV contains the description of every game and, often,
images that show it in operation. The greater part of these images are not
photographs of the real game, but screenshots of the emulation made by MAME.

In the following chart the games emulated by MAME are compared, grouped by
year of production, with those present in KLOV. The data are not perfectly
comparable, since some games emulated by MAME are not present in KLOV, while
others appear in KLOV more than once under different names.

[Chart: Games emulated by MAME and catalogued by KLOV. Series: KLOV, MAME.
Axes: number of games (0 to 250); percentage of games emulated (0% to 100%);
year of production (1975 to 2000).]

As can be seen, for the years from 1980 to 1994, MAME supports more than 50%
of the games contained in the database. It is natural that the percentage
drops for the more recent games, since the hardware to be emulated becomes
progressively more complex. Less obvious is why the percentage also
decreases for the older games: in the first place, this happens because the
further back in time one goes, the more difficult it is to find working
specimens of the original games; in the second place, because many of them
are excluded from the objectives of MAME in that they lack a CPU (footnote
25).

Footnote 25: cf. p. 31

Some video game collectors do not look kindly on emulators, since they think
that the involvement given by an emulator is only a pale imitation of that
given by the original. An example of these ideas is found in [45]. The
position is certainly understandable, but it does not take into account the
fact that it is possible to install MAME inside an original cabinet, as
shown in [52]. Even more important, MAME can be a useful tool for
collectors, both to verify the correctness of the backup copies of the ROMs
and as an aid in troubleshooting the boards.

GROWTH

In the following chart we can see the growth of MAME measured by the number
of games supported: every point of the chart represents one publicly
distributed version of MAME.

[Chart: Number of games supported by MAME over time. Vertical axis: games
(0 to 2500); horizontal axis: date (1/1/1997 to 31/12/2002).]

As can be seen, the trend has been fairly regular, with periods of faster or
slower growth depending on how many people were collaborating at that
moment. Some technical advances in MAME have made it possible to emulate new
types of games: for example, the acceleration visible in the second half of
1998 is due in part to the support of the Neo Geo hardware.

The following chart shows instead the growth of the number of lines of code
(footnote 26).

[Chart: Size of the source code over time. Vertical axis: SLOC (source lines
of code), in thousands (0 to 900); horizontal axis: date (1/1/1997 to
31/12/2002).]

It can be noted that in some cases the number of lines of code decreased from
one version to the next. This happened as a result of structural
improvements that reduced the complexity of the code while leaving its
functionality unchanged.

Other indicators of the growth and popularity of MAME can be drawn from its
diffusion on the Internet. The official MAME site <1> has recorded more than
27 million visitors since 12 May 1997. A search for MAME on the most widely
used search engine, Google <31>, finds more than 200,000 pages.

Footnote 26: count performed with CodeCount 1.0, 1998 USC-CSE

FUTURE PROSPECTS

The work on MAME is very far from being able to be considered concluded: a
substantial list of games still to be emulated is contained in <32>. The
technical difficulties to be overcome in order to add new games become
progressively greater, but our experience grows too, and little by little
obstacles that seemed insurmountable become surmountable. The growth charts
show a slight slowdown, but they do not yet seem to indicate signs of giving
way.

One of the nearest technical objectives is the emulation of games with 3D
graphics. At the same time we will also try to generalize the handling of
this type of graphics, which is very different from the 2D graphics to which
we are accustomed. Phil Stroffolino and Aaron Giles have made excellent
progress in this field and a good number of games were added in the latest
released version.

The emulation of the fast RISC CPUs used by many recent games is difficult on
today's PCs, which still cannot execute it in real time. Techniques such as
dynamic recompilation could bring great benefits, still all to be explored.

The search, through collectors, for rare games that have so far escaped us
will then continue. The rarer a game is, the higher the risk that it will be
lost forever: unfortunately, we have had proof of the dangers when the only
backup of a version of the game Rafflesia was lost because of the failure of
a hard disk.

The objective that I personally care about most is to maintain the standards
of quality, always continuing to make every effort to render the
documentation that is collected as accurate as possible, according to the
principle that nothing of what has been done is definitive. In this regard,
for example, in the course of drafting the thesis, while I was rereading the
parts of the source relating to the topics I was dealing with, I identified
and corrected some errors that had been hidden for years: this was one of
the things that gave me the most pleasure.

6. STATE OF THE ART

FIRST STEPS

Emulators of arcade video games have begun to spread only in the last few
years. Previously, emulators of other machines had been made, such as
consoles and home computers, but the computing power of PCs was not yet
sufficient to handle an arcade video game in real time.

In recent years, thanks to the work of hundreds of enthusiasts, things have
changed radically, so much so that someone has felt the need to catalogue
everything that has been produced on the subject <33>.

The first true emulator of arcade video games for PC, Williams Arcade
Classics by GT Interactive <34>, was marketed at the end of 1995. The
best-known games supported were Joust, Robotron, Defender and Sinistar, all
by Williams. It is not surprising that precisely these titles were chosen:
they are, in fact, some of the few games with bitmap graphics, the most
similar to those of a PC (footnote 27). To be able to run at full speed on a
machine with a 33 MHz 486 processor, the sound was not emulated in real time
but relied on samples.

Footnote 27: cf. p. 53

In the wake of the aforementioned commercial title, in 1996 some freeware
emulators also began to spread, freely downloadable from the Internet. Among
the most significant representatives of that period we can cite Sparcade by
Dave Spicer <35>, which among others emulated Pac-Man, and EMU by Neil
Bradley <36>, specialized in Atari's vector graphics games, such as
Asteroids. In that period, supporting more than one game, as in the two
cases just mentioned, was an exception: the greater part of the emulators
handled only one.

GROWTH

The arrival of MAME, in 1997, represented a turning point. It was no longer
worthwhile to start again from zero every time in order to create a
stand-alone program, since it was much simpler and quicker to add the games
directly to MAME. Fortunately, however, MAME did not monopolize the scene:
many of the advances made in the following years are due to other emulators,
the most important of which are listed below.

Callus <37>: the first to support Capcom's CPS-1 games, and still considered
one of the best emulators ever written.
NeoRAGE <38>: the first emulator of the Neo Geo system, still used by many in
its version for Windows.
M72: the first to reproduce Irem's M72 system, with the very famous game
R-Type.
System 16 <39>: the first to begin the reverse engineering of Sega's System
16, a system that, with all its variants, is still to be emulated perfectly.
Cinematronics Emulator <40>: as the name suggests, the first to document the
vector graphics games of Cinematronics.
Shark <41>: the first to tackle the games of Toaplan.

None of these emulators has been developed further by its authors. The games
they supported have been gradually added to MAME, often with a more accurate
emulation, even if slower. Many authors of competing emulators have offered
us their help or have directly joined the MAME development group, abandoning
their individual projects.

CURRENT SITUATION

MAME, the only emulator to have been developed without pause in recent
years, cannot fail to be a point of reference. The other emulators currently
under development can be grouped into two categories: those that aim to do
better what MAME already does, and those whose purpose is to do what MAME
does not yet do. Let us look at the most important.

RAINE <42>: after MAME, it is the emulator that has been in development the
longest. Born as an emulator of Rainbow Islands, it then extended its
compatibility to other games based on the Motorola 68000, mainly by Taito.
It currently supports approximately 400 games; nearly all of them are now
also supported by MAME, but in many cases RAINE was the first to emulate
them. One peculiarity of RAINE is that, after beginning as a closed source
project, it later became open source, perhaps also thanks to the push from
MAME. Between the developers of RAINE and MAME there is a fruitful
collaboration that has made it possible to improve both emulators.

Nebula <43> and Kawaks <44>: both handle, more efficiently than MAME, some
systems that are very popular among arcade-goers: Capcom's CPS-1 and CPS-2
and the Neo Geo. The development of Kawaks seems to have slowed down, while
the author of Nebula is working on the support of games not yet emulated by
MAME.

Final Burn <45>: besides the usual CPS-1 and CPS-2, this emulator supports
various Sega games not yet included in MAME, such as Power Drift and Rail
Chase.

DAPHNE <46>: it is one of the most interesting projects, because it deals
exclusively with laserdisc games, machines that enjoyed a fleeting moment of
popularity in the mid-'80s. The graphics of these games consisted for the
greater part of actual films stored on laserdisc, controlled by the program
under the guidance of the player. DAPHNE makes it possible to see these
games again either from the original laserdisc, through a player connected
to the PC, or using a copy of the film stored on the hard disk.

Modeler <47>: emulator of the powerful Sega System 32, which we hope to be
able to add to MAME soon as well.

Zinc <48>: it is the most advanced project for the emulation of arcade games
with 3D graphics, in this case based on the hardware of the Sony PlayStation.

It is a very positive fact that the greater part of the authors of emulators
are animated by a spirit of collaboration and very willing to help one
another in order to favour faster progress in the research. I like to
believe that the example given by MAME has been important in steering
towards this way of thinking.

GLOSSARY

ADPCM: Adaptive Differential Pulse Code Modulation. Audio signal compression
method that uses the difference between consecutive samples.
arcade: Abbreviation of amusement arcade, games room.
bit: From BInary digiT, a binary digit that can be 0 or 1.
bootleg: Illegal version of a game, often modified to remove the name of the
producer or to circumvent protections.
bug: Programming error.
byte: Unit of information of 8 bits.
CAD: Computer Aided Design. Technique used to design with the aid of a
computer.
checksum: Control sum. Value used to verify the integrity of data.
chip: Integrated circuit, i.e. a miniaturized electronic circuit contained
entirely inside a single package.
clock: Generator of pulses that control the timing of an electronic circuit.
source code: Program written in source language that must be compiled in
order to become executable.
compilation: Translation from source language to executable program.
console: Home video game, used by connecting it to a television set.
CPU: Central Processing Unit, the central processing unit that executes the
instructions of the program.
cryptanalysis: Science that studies how to decipher encrypted messages
without having authorization.
cryptography: Science that studies how to encode data to prevent access
without authorization.
custom: Integrated circuit or other object made to order and not
commercially available.
database: Organized collection of data.
debugger: Program used to look for errors (bugs) in software.
decompilation: Inverse operation of compilation.
DIP switch: Group of switches contained in a Dual In-line Package, connected
directly to the printed circuit.
EEPROM: Electrically Erasable Programmable Read Only Memory.
EPROM: Erasable Programmable Read Only Memory.
file: Collection of data stored on a mass memory.
flag: Variable used to store a logical condition.
to run: Slang term meaning to execute a program.
hard disk: Mass storage unit consisting of one or more rigid magnetic disks.
hardware: The physical part of a computer.
home computer: Domestic computer. Category of computer, with reduced
performance and low cost, popular in the '80s.
I/O: Input/Output.
icon: Image that indicates a file in an operating system equipped with a
graphical interface.
joystick: Input peripheral consisting of a lever that can be moved in the
four directions.
kB: Kilobyte, 1 kB = 2^10 bytes.
laserdisc: Analog optical medium used for storing films.
LCD: Liquid Crystal Display.
link: Connection to an Internet page.
MB: Megabyte, 1 MB = 2^20 bytes.
MCU: Micro Controller Unit.
OCR: Optical Character Recognition, program for the automatic recognition of
text.
opcode: Operation Code, instruction code of a microprocessor.
PAL: Programmable Array Logic.
PC: Personal Computer.
pixel: Point on the screen.
PROM: Programmable Read Only Memory.
RAM: Random Access Memory.
RNG: Random Number Generator.
ROM: Read Only Memory.
operating system: Set of programs necessary for the management of a computer
and of its peripherals.
software: The set of programs executable on a computer, as opposed to
hardware.
spinner: Input peripheral consisting of a knob that rotates around an axis.
string: Sequence of characters.
trackball: Input peripheral consisting of a sphere that can rotate on
itself.
Trojan Horse: Program used to enter a system and extract information from
it.
word: Word addressable in a single access; it can consist of one or more
bytes.

BIBLIOGRAPHY

Introduction
[1] J. C. Herz, The people of the joystick. Feltrinelli, Milan, 1997.
[2] L. Herman, Phoenix: The Fall & Rise of Videogames. Rolenta Press,
Springfield, 1997.
[3] S. L. Kent, The Ultimate History of Video Games. Prima Publishing,
Rocklin, 2001.

Chapter 1
[4] E. J. Chikofsky and J. H. Cross II, Reverse Engineering and Design
Recovery: A Taxonomy. IEEE Software, vol. 7, n. 1, January 1990, p. 13-17.
[5] S. Rugaber, Program Comprehension for Reverse Engineering. In:
AAAI Workshop on AI and Automated Program Understanding,
San Jose, Ca., July 1992, p. 106-110.

Chapter 2
[6] A. M. Turing, On computable numbers, with an application to the
Entscheidungsproblem. In: Proceedings of the London Mathematical
Society, ser. 2, vol. 42, 1937, p. 230-265.
[7] J. E. Hopcroft, J. D. Ullman, Introduction to Automata Theory,
Languages, and Computation. Addison-Wesley, Reading, Mass., 1979.

Chapter 3
[8] Z. Moore, The Cinematronics CPU Programmer's Reference Guide. 2000.
http://zonn.com/Cinematronics/files/CineRef.pdf
[9] G. Kane, D. Hawkins, L. Leventhal, Assembler for 68000. Jackson,
Milan, 1986.
[10] R. Anderson and M. Kuhn, Tamper Resistance - a Cautionary Note. In:
Proceedings of the Second USENIX Workshop on Electronic
Commerce, Oakland, Ca., November 1996, p. 1-11.
http://www.cl.cam.ac.uk/users/rja14/tamper.html
[11] M. Barr, Memory Types. Embedded Systems Programming,
May 2001, p. 103-104.
http://www.netrino.com/Publications/Glossary/MemoryTypes.html
[12] G. E. Moore, Cramming More Components onto Integrated Circuits.
Electronics, vol. 38, n. 8, 19 April 1965, p. 114-117.
http://www.intel.com/research/silicon/moorespaper.pdf
[13] G. E. Moore, Progress in Digital Integrated Electronics. In: IEEE
International Electron Devices Meeting Technical Digest, December
1975, p. 11-13.
[14] J. L. Massey, Shift-Register Synthesis and BCH Decoding. IEEE
Transactions on Information Theory, vol. IT-15, n. 1, January 1969,
p. 122-127.

Chapter 4
[15] B. Schneier, Applied Cryptography, Second Edition. Wiley, New
York, 1996.
[16] C. Giustozzi, A. Monti, E. Zimuel, Segreti spie codici cifrati. Apogeo,
Milan, 1999.
[17] Robert L. Chapman, The Dictionary of American Slang. Pan Books,
London, 1988.

Chapter 5
[18] P. van Sebille, EMame: a MAME port to EPOC Release 5 and
Symbian platform v6.0 (Quartz). 2001.
http://www.symbian.com/developer/techlib/papers/mame/mamedream.html
[19] D. Cohen, I Am Not Just a Camera. Wired, vol. 8, n. 5, May 2000.
http://www.wired.com/wired/archive/8.05/streetcred.html?pg=2
[20] A. R. Meo, Free software and open source. Mondo Digitale, n. 2,
June 2002.
http://www.aicanet.it/rivista/numero_due/Meo.pdf

MAME in the media
Many of the following articles contain inaccuracies, some of them gross.
[21] S. Campbell, Nicola Salmoria's Multiple Arcade Machine Emulator
illustrates perfectly the dynamism of the PC arcade emulation scene.
Edge, n. 45, February 1997.
http://dialspace.dial.pipex.com/town/estate/dh69/wos/world/edge/mame.htm
[22] M. Triulzi, There was once mister Pacman. Corriere della Sera, 21
June 1997.
[23] T. Toniutti, Interview with Nicola Salmoria. ZETA, n. 29, September
1997, p. 46-47.
[24] M. Alberico, Videogiochi MAME. MediaMente (television
programme), 24 October 1997.
http://www.mediamente.rai.it/home/tv2rete/mm9798/97102024/i971024.htm
[25] J. Prisco, Multiple Arcade Machine Emulator. PC Force, n. 1, March
1998, p. 14-16.
[26] J. C. Herz, In Software Sleight of Hand, Video Ghosts Rise. The New
York Times, 5 March 1998.
http://query.nytimes.com/search/abstract?res=F20713FA38550C768CDDAA0894D0494D81
[27] J. M. Moran, Software Emulating Classic Video Games. The
Hartford Courant, 2 April 1998.
[28] J. Borland, Anti-Piracy Forces Target Arcade Classics. TechWeb
News, 22 April 1998.
http://www.techweb.com/wire/story/TWB19980422S0010
[29] M. Stroh, Blasts from the past: Digital archaeologists hoping to
restore classic games. The Sacramento Bee, 29 April 1998.
[30] Past Blasters. Entertainment Weekly, n. 433, 22 May 1998, p. 76.
[31] First among emus. Edge UK Edition, n. 61, August 1998, p. 74-79.
[32] G. Zanetti, X-MAME: penguins have fun too.
MCmicrocomputer, n. 189, November 1998, p. 276-279.
[33] M. Baccan, The Emulators. DEV., n. 62, April 1999, p. 30-34.
[34] D. McCandless, History in the Taking. Wired, vol. 7, n. 5, May
1999, p. 64.
http://www.wired.com/wired/archive/7.05/mustread.html?pg=9
[35] A. S. Bub, Emulation Conflagration - Game Fans versus the Music,
Arcade and Console Companies. Voodoo: The Official 3DFx
Magazine, vol. 2, n. 2, summer 1999.
[36] M. Lella, Evviva the mame. Il Giornale, 21 February 2000.
[37] J. Kroll, GAME FOCUS > MAME Emulation of 1951 games. Linux
Journal, n. 71, March 2000, p. 14.
http://www.linuxjournal.com/article.php?sid=3836
[38] A. Ihnatko, Penny arcade on your PC. Chicago Sun-Times, 4 April
2000.
[39] A. Lawendel, The PC looks like the PlayStation. Corriere della Sera, 12
June 2000.
[40] K. Poulsen, The Arcade Underground. SecurityFocus Online, 10
July 2000.
http://online.securityfocus.com/news/57
[41] G. Bajo, Emulating with MAME. ioProgrammo, n. 40, October 2000,
p. 30-33.
http://www.itportal.it/developer/cpp/emumame/
[42] M. Camisasca and S. Soletta, Sometimes they come back. Computer Idea,
n. 21, 29 November - 12 December 2000, p. 10-11.
[43] G. Bajo, MAME or not m ame. ioProgrammo, n. 42, December
2000, p. 34-37.
http://www.itportal.it/developer/cpp/mame/
[44] A. Ihnatko, The Game Room. Macworld, March 2001.
http://www.macworld.com/2001/03/opinion/gameroom.html
[45] J. Sellers, Remembrance of Things Blast. Slate, 27 March 2001.
http://slate.msn.com/default.aspx?id=103013
[46] W. O'Neal, Keep Your Friggin Gameboy! Could MameCE be
WindowsCE's killer app. Computer Gaming World, 31 March 2001.
http://cma.zdnet.com/texis/techinfobase/techinfobase/+kwq_qosXsWWKWs/cdisplay.html
[47] G. Mola, Mame mania, the myth of the bar games lives again on the PC.
Repubblica.it, 2 May 2001.
http://www.repubblica.it/online/tecnologie_internet/mame/mame/mame.html
[48] F. Santucci, Shutdown. DEV., n. 86, June 2001, p. 113.
http://online.infomedia.it/riviste/dev/86/articolo16/index.htm
[49] K. Kleiner, The Y Space Invaders. New Scientist, vol. 172, n. 2313, 20
October 2001, p. 46-48.
[50] M. Saltzman, Keys to the Kingdom. Electronic Gaming Monthly,
October 2001, p. 194-200.
[51] F. Tarassi, The ancestors of video games come back to life on the
Internet. la Repubblica, 27 October 2001.
[52] P. Besser, Arcade @Home - THE GAMES ROOM AT YOUR HOME!. PC
Action, n. 105, November 2001, p. 112-117.
http://www.paolobesser.it/arcade/articolo.htm
[53] B. King, Pac-Man's Trek From Arcade to PC. Wired News, 26
January 2002.
http://www.wired.com/news/games/0,2101,49969,00.html
[54] L. Gambetta, XMAME: the games room in the PC. Linux Pratico, n. 5,
March/April 2002, p. 4-9.
[55] G. Moro, Xmame: hundreds of games within reach of the mouse. Linux
Magazine, n. 21, July/August 2002, p. 49-51.
[56] The MAME Game. Edge, n. 115, October 2002, p. 76-83.
[57] P. Faranda, This is how I save those old bar games from extinction.
Corriere della Sera, technologies special, 23 October 2002.
[58] L. Valdesi, This is how I saved the video games. La Nazione Siena, 24
October 2002.
http://lanazione.quotidiano.net/chan/12/2:3790794:/2002/10/24

LINKS

Introduction and acknowledgements
<1> MAME - The official Multiple Arcade Machine Emulator site
http://www.mame.net/
<2> MAMEWorld - The largest MAME resource on the net!
http://www.mameworld.net/
<3> Video Arcade Preservation Society
http://www.vaps.org/
<4> Videotopia
http://www.videotopia.com/
<5> The Arcade Flyer Archive
http://www.arcadeflyers.com/
<6> Aaron's Home Page
http://www.aarongiles.com/
<7> Haze's MAME Page
http://haze.mame.net/
<8> MAME Testers
http://www.mameworld.net/mametesters/
Understood it 1
<9> Chilling Effects FAQ about Reverse Engineering
http://www.chillingeffects.org/reverse/faq.cgi
<10> Common of Castelfidardo history of the fisarmonica
http://www.comune.castelfidardo.an.it/Visitatori/Fisarmonica/storia_fisa.htm
<11> Digi.Lab CAD/CAM/Reverse Engineering
http://www.digilab.it/reverse/reverse.htm
<12> Reverse engineering techniques for footwear
http://www.microsystem.it/recalz.asp
<13> Open Directory Kids and Teens: Sports and Hobbies: Toys:
Reverse Engineering
http://dmoz.org/Kids_and_Teens/Sports_and_Hobbies/Toys/Reverse_Engineering
<14> JP1 Interface
http://www.hifi-remote.com/jp1/index.shtml
Chapter 2
<15> Garzanti Linguistica
http://www.garzantilinguistica.it
<16> _MADrigal_'s handhelds simulators
http://madrigal.retrogames.com/
Chapter 3
<17> 68000 Undocumented Behavior Notes
http://dynarec.com/~bart/files/68knotes.txt
<18> Z80 Undocumented Features
http://www.greew.freeserve.co.uk/Z80Undoc.html
<19> 6502 Undocumented Opcodes
http://members.chello.nl/taf.offenga/illopc31.txt
<20> University of Southern Mississippi,
School of Polymers and High Performance Materials:
Epoxy resins
http://www.psrc.usm.edu/italian/epoxy.htm
<21> How to crack a Pacman Plus!
http://www.multigame.com/pacplus.html
<22> Crack PIC
http://www.piclist.com/techref/microchip/crackpic.htm
<23> HanaHo Games, Inc.
http://www.hanaho.com/
<24> SlikStick The Worlds Best Arcade Controller
http://www.slikstik.com/
<25> XGAMING, Manufacturer of High End Gaming Accessories
http://www.x-arcade.com/
Chapter 4
<26> The Dead Battery Society
http://www.arcadecollecting.com/dead/dead.html
Chapter 5
<27> MAME for Digita Enabled Cameras
http://digita.mame.net/
<28> GNU's Not Unix! The GNU Project and the Free Software
Foundation (FSF)
http://www.gnu.org/
<29> Open Source Initiative OSI
http://www.opensource.org/
<30> The Killer List of Videogames
http://www.klov.com
<31> Google
http://www.google.com
<32> unMAMEd arcade games
http://unmamed.mame.net/
Chapter 6
<33> CAESAR: Catalogue of Arcade Emulation Software - the Absolute
Reference
http://caesar.logiqx.com/
<34> Digital Eclipse Software, Inc. Williams Arcade Classics
http://www.digitaleclipse.com/live/main/main.php?v=pr&id=53
<35> Sparcade! aka Dave's Arcade Emulator
http://www.sparcade.freeserve.co.uk/
<36> EMU Homepage
http://www.synthcom.com/~emu/
<37> Official Bloodlust Software Callus Page
http://bloodlust.zophar.net/Callus/callus.html
<38> R.A.G.E: Homepage
http://home5.swipnet.se/~w 50884/emulator/rage.htm
<39> The System 16 Arcade Emulator!
http://www.system16.com/emu s16.html
<40> Cinematronics Emulator
http://zonn.com/Cinematronics/emu.htm
<41> The most official Shark distribution site
http://www.c64.org/~magnus/shark.html
<42> RAINE (680x0 Arcade Emulation)
http://www.rainemu.com/
<43> Nebula
http://nebula.emulatronia.com/
<44> Kawaks Saikyo Dojo
http://kawaks.retrogames.com/
<45> Final Burn
http://www.finalburn.com
<46> DAPHNE Laserdisc Arcade Game Emulator
http://daphne.rulecity.com/
<47> Modeler
http://www.emuhype.com/index.phtml?s=modeler&ss=index
<48> Zinc
http://www.emuhype.com/index.phtml?s=zinc&ss=index
INDEX OF FIGURES
Pac-Man according to Microsoft (simulation)
Pac-Man according to MAME (emulation)
The level 256 bug of Pac-Man as emulated by MAME
Easter egg of Pac-Man (Namco, 1980)
Easter egg of Xevious (Namco, 1982)
Pong: emulation or simulation?
An EPROM programmer
Vector graphics in Star Wars (Atari, 1983)
ROZ effect on the background of F-1 Grand Prix (Video System, 1991)
Bitmap graphics in Qix (Taito, 1981)
The peculiar input system of Slick Shot (Incredible Technologies, 1990)
One of the joysticks designed for emulators
Outline of the structure of MAME
Outline of the contents of a driver
INDEX OF CHARTS
Distribution of the games across the MAME drivers
CPUs emulated by MAME and number of games that use them
Class of the main CPU in the games emulated by MAME
Size of ROM memory in the games emulated by MAME
Average size of ROM memory in the games emulated by MAME
Number of ROM chips in the games emulated by MAME
Games emulated by MAME that are equipped with permanent memory
Games emulated by MAME without sound
Audio chips emulated by MAME and games that use them
Games emulated by MAME and games catalogued by KLOV
Trend in the number of games supported by MAME
Trend in the size of the source code