johnparker007

Posts posted by johnparker007

  1. 12 minutes ago, MikeyMonster said:

    Same session - I left it to time out on a 5 - but it came back to 5. 

     So does it work that whatever number it is on at the start, that is the number it times out on?

    I'm only vaguely familiar with the machine (used to play it as a nipper) - are there other features on the board that allow a number reel timeout, and if so, do they also have the same behaviour?

    I'm reminded of Adders & Ladders (and probably Hyper Viper?) where when it gives you 'Even to continue' on the ?, that will also land on an even number when it's even at the start and left to timeout... however, I don't believe it can be used to actually exploit any emptying afaik.

  2. I guess from my limited knowledge of how these exploits work, is; if you can get it so it's ready to get you near the £6 at the end of the feature trail, can you land on Pound A Round whilst on a 6+ often enough to gain an advantage (assuming that win doesn't count against feature board %age, so you can keep getting back onto that feature square).

    Followed this post, interested to see if any kind of advantage over standard percentage payout could be found, that'd be kinda wild :)  (Reel Fruits won't be happy if there's a shiny new 2024 Andy Capp emptier haha, we'll have to write a custom patch for their ROM!).

    Edit: I think on JPM Indiana Jones, the value of the next move is already in RAM before the number reel spins from the user input (or you can patch it mid-move), if a similar thing is present on this machine, it could be a way to see if it's getting the £12 repeatedly without affecting percentage).

    Here's a @Chopaholic vid showing controlling the numbers moved on Indy, different tech, but might be an angle for testing some of this idea in the emulator:

     

  3. Little bonus vid of playing some Andy Capp now I have those two displays vaguely functional.  The sound is too fast, that's actually my fault!  I recommended an xtal freq be changed in MAME for all MPU4 (to fix audio speed on Adders and Ladders), I think it turns out that if there's a sound card with samples, the xtal should stay at original speed (Andy Capp sound was working correctly before my change - oops! :) ).

    Also wins count up very slowly, I think this is due to the program waiting for sample completion, but that is not coming through at the right time, so again a sound related bug.

    Anyway here's a little gameplay in the Layout Editor (even though that's not really its purpose! :) )

     

  4. Little bit hacked in for now, doesn't look great but it's working - it's a new 16 segment alpha renderer for the Layout Editor.  Each individual segment is driven individually (the AS version worked via 'fonts'), so should somewhat futureproof for non-fruit machines from MAME in future... haven't done the variable brightness effect yet:

     

  5. 49 minutes ago, dondplayer said:

    Remind me of the purpose of these two statements:

    78EB cp a

    78EC pop af

    cp a just compares the a register with itself without changing the value so this just sets the zero flag.

    But the next instruction populates the a and f registers with what's on the stack anyway.

    Similarly afterwards we appear to see two memory locations loaded with the same value that for some reason is passed between the a and c registers.

    It's been a long time since I played with z80

    Those instructions from @SomeRandomGuy's example above are showing where the disassembling is wrong, that's why they look odd.  Once the word is set to define bytes, everything is opcode aligned again and the cp a, pop af are gone.

  6. 45 minutes ago, SomeRandomGuy said:

    Haven't posted in a while, just checking in here. Haven't abandoned this place or anything, just been hella busy with work stuff, school stuff, and much of the non-busy time has gone to other reversing projects. Very cool to see progress @johnparker007 as always :), great to hear you're feeling better as well!

    IDA is a very very useful program, I've been using it for all my fruit machine RE in fact, and many other things too. Z80 code it can handle just fine (Bonus Talker has one) plus so far I've also dealt with MC6800, TMS9900 and Intel 8048 on the fruities. The last 2 don't have processor modules in IDA so I had to make my own, with these simple 8-bitters you can get away with quickly hacking something together in Python though :). There's also Ghidra that's aimed at the same things IDA does, its main advantages are that you don't need to pirate it, and that it can decompile assembly into C for theoretically every CPU that's supported. Though in practice trying to decompile handwritten 8-bit assembly such as here breaks down quick, and the overall quality of the decompiler isn't as good as IDA, which has been worked on for longer but only does certain architectures, though Ghidra will probably get closer as time goes on. I use IDA myself since Ghidra didn't exist as far as the general public was concerned when I was first getting into all this stuff, and IDA works better for certain niche applications like 16-bit x86 code if you're into that type of thing.

    Had a look at the PROCONN stuff, threw in one of the Bullseye ROMs and it looks fine in IDA as far as a quick glance goes at least. One thing that IDA kinda sucks at is dealing with banked memory, where there can be different parts out of the entire ROM code visible in memory depending on what's selected, you see this on the SNES for example.  Doesn't seem to be the case with PROCONN on this game at least. The memory map is simple, total size of the ROM chip is 64K, in Z80 memory 0000-EFFF is the first 60K of the ROM, then 2K of RAM at F000-F7FF, and then the last 2K of ROM at F800-FFFF. Dunno if that last 2K of ROM can be switched in some way, but that part is empty for this game anyway so doesn't matter.

    What can be confusing though is all sorts of tricks that programmers used back in the olden days of handwritten assembly, for example there's this code here:

    [Image: Screenshot_4.png]

    [Image: Screenshot_5.png]

    It looks like it's jumping to the middle of another instruction, which definitely shouldn't happen. But if you look inside the function at DA04 that's called right before the sketchy code and look at what it's doing, you can see that it reads 2 bytes following the call instruction to DA04, does something with them, then continues to the code after them. So what it should actually look like is this:

    [Image: Screenshot_1.png]

    Here's another one with code that doesn't disassemble at first:

    [Image: Screenshot_2.png]

    Much better after fixing:

    [Image: Screenshot_3.png]

    That's just one example, but you can see many different kinds of this strangeness, depending on how 'clever' the programmer was feeling that day. Jump tables are pretty common for Z80 as well, usually a jp (hl) instruction that has a list of addresses close by that go to different parts of code. With enough experience you eventually develop a feeling for this sort of stuff, but at the same time you never really run out of new ways of being clever. It can get especially bad if the programmer was focused on intentionally making the code hard to follow, but that's more of a thing for stuff like copy protection on home computer games, shouldn't be much to worry about as far as fruit machines go at least. Anyway, good luck with the reversing!

    Good to see you around man! :)   Yeah damn I forgot about opcode alignment issues, with data peppered through the rom - good examples you posted :)   So no one-click perfect solution unfortunately...

    And yeah feeling a bit better at the mo ta, so back to some light dabbling with FME dev!  Next thing to sort out is these alpha displays...
    [Image: image.png]

  7. 1 minute ago, thealteredemu said:

    @johnparker007 I'm very new to python, I'm probably being a noddy but how can I install the skoolkit scripts?   I'm only away till teatime and I want to get into this!!!  No worries though I will research more when I'm able :)

    J

    I've not actually used SkoolKit ever, just one that sprang to mind - as I mentioned above there could be better ones.  If I remember I'll have a look when I next am doing some FME stuff...

    Something like this might also be good or better:

    https://github.com/toptensoftware/yazd

    though you'd have to build it yourself.  Not sure if more user friendly options out there.  You want the disassembler, to generate a text file from the non-blank parts of the rom (or NOP the blank areas) containing the assembly code ('LD A, 0' etc).  Then an (ideally matching) assembler, that can take that text file containing the assembly, and build it back to an identical binary file again.

    Once you've got that workflow sorted, you are good to go with commenting, changing subroutine/data addresses to labels etc :) 

  8. 33 minutes ago, thealteredemu said:

    Oooh, I like that idea, I did try this with an app called IDA Pro, but it didn't decipher the Z80 code very well sadly.  I might try that one just for something to look into, I'll likely learn a lot more with a more readable code base :).  Binary compiled code is a bit of a head feck!!  

    Cheers for that John, will let you know how I get on with it :)

    J

    Yeah if you can get it looking more like:
     

    	LD A,0


    etc... rather than raw hex, and then be able to 'recompile' it again... i.e: more like simply translate directly back to a file that you can put back in the rom, and it is exactly the same.

    If you get to that point, then you can start adding comments to the code:
     

    	LD A,0 ; reset nudge count to zero


    etc... and things get a little less crazy.  Then, when you have absolute addresses for jumps and calls, like:
     

    	CALL $ABCD

    etc... you can put labels at the point that compiles to $ABCD, so it'd read more like:
     

    	CALL ResetNudges

    ...and the reset nudge routine would look more like:

    ResetNudges:
            LD A,0
            RET

    etc.

    You don't have to do this of course :)  But if you really want to own that code, and potentially rewrite large chunks of the machine, that's the way to start going about full reverse-engineering it.  It's a super manual process though, I've only done a teeny little bit of that really - I end up handcompiling the hex!

    There may be other good Z80 disassemblers/assemblers around, that SkoolKit is not necessarily the best one, just one I remembered.  Good luck :) 
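
Added example, not part of the forum posts: a minimal Python sketch of the two ideas discussed in posts 6 to 8 above, namely inline data bytes after a CALL throwing a linear disassembly out of alignment, and checking that a listing reassembles to a byte-identical ROM. The ROM bytes, the base address $8000 and the five-opcode table are constructed for illustration; only the routine address DA04 and its two inline bytes come from the post.

```python
# Five-opcode Z80 subset: opcode -> (mnemonic template, operand byte count).
OPCODES = {
    0x00: ("NOP", 0),
    0x01: ("LD BC,${:04X}", 2),
    0x3E: ("LD A,${:02X}", 1),
    0xC9: ("RET", 0),
    0xCD: ("CALL ${:04X}", 2),
}

# Constructed sample, not bytes from any real ROM:
#   CALL $DA04 / two inline data bytes / LD A,0 / RET
SAMPLE_ROM = bytes([0xCD, 0x04, 0xDA, 0x01, 0x3E, 0x3E, 0x00, 0xC9])
BASE = 0x8000  # assumed load address for the sample


def disassemble(rom, base=0, inline_args=None):
    """Linear sweep. inline_args maps a CALL target to the number of data
    bytes that routine reads from just after the CALL (an annotation the
    analyst supplies after reading the callee)."""
    inline_args = inline_args or {}
    listing, pc = [], 0
    while pc < len(rom):
        op = rom[pc]
        tmpl, n = OPCODES.get(op, (None, 0))
        if tmpl is None or pc + 1 + n > len(rom):
            # Unknown opcode or truncated operand: keep the byte as data.
            listing.append((base + pc, "DB ${:02X}".format(op)))
            pc += 1
            continue
        operand = int.from_bytes(rom[pc + 1:pc + 1 + n], "little")
        listing.append((base + pc, tmpl.format(operand)))
        pc += 1 + n
        k = inline_args.get(operand, 0) if op == 0xCD else 0
        if k and pc < len(rom):
            # The callee consumes these bytes, so they are data, not code.
            data = rom[pc:pc + k]
            text = "DB " + ",".join("${:02X}".format(b) for b in data)
            listing.append((base + pc, text))
            pc += len(data)
    return listing


def assemble(listing):
    """Re-encode the listing text back to bytes using the same table."""
    out = bytearray()
    for _addr, text in listing:
        if text.startswith("DB "):
            out += bytes(int(v[1:], 16) for v in text[3:].split(","))
            continue
        for op, (tmpl, n) in OPCODES.items():
            head = tmpl.split("$")[0]
            if n == 0 and text == tmpl:
                out.append(op)
                break
            if n and text.startswith(head + "$"):
                val = int(text[len(head) + 1:], 16)
                out += bytes([op]) + val.to_bytes(n, "little")
                break
        else:
            raise ValueError("cannot assemble: " + text)
    return bytes(out)


NAIVE = disassemble(SAMPLE_ROM, BASE)
ALIGNED = disassemble(SAMPLE_ROM, BASE, inline_args={0xDA04: 2})

if __name__ == "__main__":
    for name, listing in (("naive", NAIVE), ("aligned", ALIGNED)):
        print(name)
        for addr, text in listing:
            print("  {:04X}  {}".format(addr, text))
        print("  rebuilds identically:", assemble(listing) == SAMPLE_ROM)
```

Both listings rebuild to the same bytes, so a byte-identical rebuild shows nothing was lost in the round trip but does not by itself show that the code/data split is correct.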

  9. 6 hours ago, thealteredemu said:

    Yes, I concur, great to hear you’re starting to feel a little better JP :)  take care bud.

    I’ve been getting into rom hacking, spending a lot of time in the debugger, I’m currently getting my head into the 20p version of Project Coin Bullseye (v29) it’s the final £6 token version and once offering skill shots you can just go for hold after nudges but it must have a hold after wins pot unlike earlier version so a watchdog to monitor reel wins.  I’m slowly working bits out but I hope to put this part of the emptier back in, also going to try to put the bullseye trick back in, it isn’t fixed like the fixed 10p version was, that has some extra code and jumps around that portion of the game, I’m hoping it was more a hacky fix :)  I’m certain it is just clearing the 20 bill mystery ? So it’s still in memory when the machine exits that feature with no credit.

    Progress is slow but I’m learning a load of stuff along the way, keeps me out of mischief anyway :)

    I'm also slowly working on some artwork for the 20p Bullseye and will likely continue if I successfully put the emptiers back in :)

    J

    Thanks man, early days, but definitely seem to be improving a little at present :) 

    I remember your elaborate emptier, it was very cool - waiting in attract mode, until the correct symbol on the dartboard flashed last, so then that could be hit guaranteed on a feature, something like that, plus forcing it to give out nudges for the 30 skill shots. Just had a look and that is on a Z80 CPU, which is the same as the trusty Speccy ;)  

    Good luck with the hacking, I wonder if you could use something like skoolkit, a tool for disassembling Speccy games, perhaps with some adaptions... so rather than just poking around the rom, you'd use a tool like this to fully disassemble the entire rom into opcodes/data.  Then all the jp/call type commands, it would add in local/global labels in the asm.  So then in theory you can slowly reverse engineer the codebase into readable asm with comments, correct labels etc, all while being able to at any point compile it and get back to the original exact rom.  Probably a bit overkill for your emptier, though it would probably be a first!  I don't think anyone's done that before (reverse engineered a fruity back to source).  Perhaps one day we could get AI to reverse engineer all these fruity roms!

    Here's an example where someone has fully reverse-engineered Manic Miner (runs on same Z80 CPU as Project Coin Bullseye):
    https://skoolkit.ca/disassemblies/manic_miner/

    One advantage of this is that you don't have to store all your custom code at the end of the rom, plus it's like you have the actual original game code... like I say though, maybe overkill for your use case :) 

  10. Started feeling a bit better over Xmas, so I've been chipping away at 7 segment displays for the layout editor over the past couple of nights :) 


    Next job is the 14/16 segment displays - unlike the 7 segments, I can't port them over from Arcade Sim, as I want to make the new ones more versatile (at the expense of a tiny bit of speed).  This is needed, as any 3d machine will be able to be built that MAME runs (like Korg synthesisers for instance), and these may use different 16 segment displays to the 3 main types found in fruit machines...

  11. 23 minutes ago, sjakie43 said:

    Hi, this is really fantastic news, it's already a great room but also Pinball ?> wow 😊 looking forward to this

    Hopefully one day probably years away yet though! ...there is occasional action on the vpengine repo (https://github.com/freezy/VisualPinball.Engine/commits/master/).  I am doing very small bits on Oasis again since past couple of nights as been feeling a smidge better, also open source (https://github.com/johnparker007/Oasis/commits/main/).

  12. I've been given a heads up that Arcade Simulator website is down again.  I did manage to temporarily fix it before, unsure why it has failed this time.  For the moment, here is a dropbox link to the same installer:

    https://www.dropbox.com/s/dy9cgg2c71y5k91/Arcade Simulator Setup.exe?dl=0

    Arcade Sim still seems to be booting and running fine (it also accesses arcadesimulator.net) so files are being served, but the website rendering must have failed on the backend...

    Link for @bullionbars2011

  13. 13 hours ago, Altharic said:

    You could post it as an issue on the git and maybe he would add it?

    Good shout, I have opened an issue, as I'm not up to coding owt at the mo, he might be up for fixing :)  If he does, I will then look into a test of an old mfme2mame dx... though I did notice when setting the internal render resolution to native (from 640x480), the speed was very slow... so this won't ever be a satisfactory android DX FME experience, while the rendering is so very slow.  This was on my Fold4, which I treated myself to, so it's a pretty modern phone... Oasis will probably still end up being the way to play high res DX layouts on mobile tbh... interesting to tinker with this thing though :) 

  14. 23 minutes ago, Altharic said:

    Anyone able to try on a pc with a touchscreen does it pick up the touches if the windows one doesn't the android one won't?

    Probably a good shout - though could be how the mame4droid java wrapper is passing through the mouse data, though I'm not really up for implementing this part to be fair if not!  I'm certain it could be hooked up though with a bit of coding on the mame4droid side of things :) 

    I recorded a terrible quality video showing indy running on my Fold4 , though having to workaround to control some of the buttons - WARNING heavy breathing in this video!  To be fair I'd just eaten and I was doubled over one phone holding another phone, sat in bed, it was all really awkward, I'm not actually that out of shape :) 

     

  15. 3 hours ago, Altharic said:

    I have installed the 139 version I am unable to test the new one as I have an older machine running android 9 and touch screen works for the quiz games but I recall the timing being off on these so you get 'killed' on the question marks too easily as the timer goes down too quick other than that they work I seem to recall around mame 162 it went all cycle accurate on us so took a lot more oomph to run even for games that are quite simplistic.

    Ah right, I see that MAME 0.139 was built in 2010, so that's 6 years before I did that first pass of internal layouts thru MFME2MAME. 

    I have a Galaxy Fold 4 here, I have given it a test on mame4droid v261 - while internal layouts display, the touchscreen taps are not passed through to the layout (this is different from touchscreen video game roms, where input is handled differently).

    If another coder or the author himself wanted to, code and an option could be added, to allow the touches to also be sent through as 'layout taps', then the flashing start/hold/collect buttons etc would work.

  16. 1 hour ago, Altharic said:

    He still updates the other builds however there is one for 139u1 too updated the same time I noticed this anyone have a device to test my Ambernic is on 9

    Ah to clarify, what I meant was keeping up to date with MAME master branch itself (so it will pick up improvements to FME as they are added).  He makes these mame4droid android wrappers for a fixed version of MAME (i.e: MAME v139, MAME v261 etc).

    So if some work is done in the future that goes into MAME v265 for instance, that will not be present in the google play store version.  But if the relevant FME changes can be merged into the mame4droid v261 fork (I set one up here: https://github.com/johnparker007/MAME4droid-2024 ), then those new capabilities would be present in the build compiled from that branch.

    Not up to doing coding at the mo, but will hopefully get chance to have a look at this in the future, since the Oasis layout editor could convert DXs for use with it (if artwork is fully supported by the wrapper).

    Edit: just checked, looks like it shouldn't be too bad:
    1/ Download 0.261 MAME or later src <--- so hopefully will be forward compatible while the makefile/lua stuff stays similar
    2/ Put files inside MAME src folder
    3/ Modify makefile/lua scripts so use new OSD

  17. 9 hours ago, Altharic said:

    This could be interesting mame 261 has been ported to android in theory it should run JPM impact and a few others

    https://play.google.com/store/apps/details?id=com.seleuco.mame4d2024&hl=en_GB&gl=US

    Nice that it's up to date with the latest version, be good to see if it properly renders the per machine artwork, and handles touch input to that artwork.  If someone sticks a MAME fruit rom in there that has an internal classic layout (e.g. Indiana Jones), and it renders the internal layout correctly, that is interesting (as Oasis will be able to output DXs in the same way it'll be able to output Classics, from imported MFME layouts).  Then it would need to be confirmed that it can render a non-internal override layout from the layouts dir (to see about getting DXs running).  Could be a lot of nice mobile FME enabled with this, though prob better on tablets or folding phones with large screens (that or use a Nintendo DS-style stylus to press the small layout buttons) :) 

    I've forked the repo in case it goes anywhere, also as I think this is just a one off from David the same as his previous mame4droid builds, but it may be possible to keep it up to date for minor FME updates (not massive refactors) going forward.

    Original repo: https://github.com/seleuco/MAME4droid-2024

    Good spot @Altharic! :) 

  18. On 05/12/2023 at 10:46, andrew96 said:

    If you can just unpack a BPAK you'll be doing well!

    Haha yeah indeed, I vaguely remember having a look at these, they are encrypted archives.  Further info:

    Bitpacker or bpak for short is a tool and library for creating firmware archives that can be cryptographically signed, support custom metadata and enable advanced update schemes. Bitpacker is primarily designed for embedded systems.

    Embedded systems are often composed of several software components, for example: bootloader, kernel, file systems, device configuration, third party applications, etc. It is common to have many different formats and tools for the various components.

    One of the main goals with bitpacker is to reduce the number of tools and formats required to manage these components.

    Sauce: https://github.com/jonasblixt/bpak

  19. 12 minutes ago, davados said:

     

     

     

    Thank you for the Drop box link and all the work you have done for Arcade Simulator very much appreciated!

    Ok I've copied a few files around on the FTP server, and tested on a 'remote browser' - I think it is now fixed, though it may not appear fixed until local browser caches are cleared:
    [Image: image.thumb.png]

    So you may see the same error you saw before, but over time, as local browser caches are cleared, hopefully it will look like this again (and allow for downloading of the Setup exe) 🤞

  20. 1 hour ago, davados said:

    It's been a while since I needed to come here. I got a  new PC not so long ago as my old SSD died and decided that time to upgrade PC. Lost a lot of things on my old SSD and Arcade Simulator was one of them I can't seem to find a working link to get Arcade Simulator. Am I missing something very obvious? Can someone help me in the right direction please? 

    Hi Davados :) 

    Someone else told me about this issue and I'm seeing it too now, so the website appears to be broken at present.  Shows this:
    [Image: image.png]

    I can hopefully fix, I'm guessing @slasher rolled out an update as he is kindly hosting the Arcade Sim website for us.  All the actual data for Arcade Sim is hosted here by the folks at Dif.  Some great folks in the community, so I've not had to pay for hosting! :) 

    Anyhoo, so for now, here is a link to the Installer exe from my dropbox:

    https://www.dropbox.com/s/dy9cgg2c71y5k91/Arcade Simulator Setup.exe?dl=0

    Download that and run it, and everything should install fine from there.  Remember in this 'legacy' version of Arcade Sim you'll need to also install MFME and update it from v20.0 to v20.1 (this won't be a requirement later, although dev of the open source successor Oasis is on hold due to health).

    Hopefully that should all work for you, and you'll be back Arcade Simulating again! :) 
