Re: keyroll ecm and the fix (code it ur self)
Well the first step is to understand what the keyroll is doing and how to fix it to work properly.
The idea is to patch the buffer so the correct keys are returned.
There is a copy of a decrypted emm in this thread.
Alter that emm so it gives the required result, i.e. how you want it to look after the patch.
Once that is done then we can start discussing how to actually create the patch.
OK, that part I know. In English this is what is happening:
Store the value $79 into register A
Stash the contents of A into memory location $41.
Then load a 'fake' value of 02 into A
Now comes the 'hit' - the emulator cannot properly handle the interrupt bit set and jump etc., which must copy the contents of $41 into register X somehow.
Then the value of X is copied into A, which is XORed with a byte of the key to produce the real key. This is done twice to fix each key.
Now, I think the trick here, is to bypass all that interrupt set code etc, and get the value we require into X somehow or modify the key in the patch, so a patch basically has to:
begin
before jumping to execute the emm jmp to patch code
set X to contain the contents of $83 in patch
execute the same instructions to carry out the XORs
jmp to $6B01 (which is where the EMM should jump to on completion)
jmp to $94 (which is where the key is updated if X is correct)
end
Am I correct?
The problem I have is, I can see in my mind how this works, but I have no idea:
1. How to find the place I need to insert the patch into the ROM code
2. How to locate the place the EMM gets called from, and how to place a hook there into the patch