search

farmerbb / RED-Project

ROM Extraction Documentation Project
181 stars 8 forks source link

Capcom Town (playable retro games on Capcom's anniversary website) #105

Open RealRelativeEase opened 1 year ago

RealRelativeEase commented 1 year ago

Capcom's celebrating their 40th anniversary by launching a dedicated anniversary website called Capcom Town, which also includes a couple of retro games that are playable in your web browser.

As of now, the following games are available in both English and Japanese versions:

The NES games seem to be in .wasm format, I suppose they include both the ROM as well as the emulator? I've done a cursory inspection using a hex editor, but I couldn't really make heads or tails of it. I'm not really savvy when it comes to ROM extraction, so I might have overlooked something. SNES games seem to have a .rom file extension. The Rockman X ROM has a file size of 1.5 MB, which is the same as the ROM of Rockman X extracted from the Legacy Collection. I've tried changing the file extension to .sfc, but the game wouldn't boot in an SNES emulator.

These games will remain playable until September 28, so if you want to futz around with their files, you should grab them as soon as you can.

hadess commented 11 months ago 
$ sha256sum *rom
d0b9864ecf9ccc1c43376a41d13d62fc5bb16d106ebeecf350458a82a7a37b1b  Final Fight (J).rom
0a1853e90d30a7614b60b87a4e5b4de7ca93beac76a88a4dc94ecc0748988a22  Final Fight (U).rom
e8cb8fc984916c408dc4b2e3c99e6cbe86496c9c0c66a54dfc0ce63ecab3405f  Megaman 1.rom
b7489d638dc7b91a4b080286bbbbc80cf7de1a631ad5b94e0a23298367053aaf  Megaman 2.rom
4a4912325279b87cbe42ff94b0af4b5fe0ec9fd73086ee2f74334202ffde4bb8  Mega Man X.rom
c1eea3f879ac08b1412774fb96681740e2d7d4ab5459c36fbd0828253ebc55d8  Rockman 1.rom
2cab7549304cd7b4432cd16c70429cd3bdbf7b8d0b0496e62b6f3d2fa2b784b3  Rockman 2.rom
0608c9da9c31d674a767e4f63d8050ebab9825f134a922266c45041fac37d837  Rockman X.rom
57cdb6cf1728d9a4459d6533f638131bb67ba7b5a39dadf1edf8b67f55a0a595  Street Fighter II (J).rom
19e3f1b2013dcecc2a275191ad1e5e641db48252018d0837e603a0334e86bfeb  Street Fighter II (U).rom
hadess commented 11 months ago

From https://twitter.com/GMMan_BZFlag/status/1669160004618960897

I have a passing interest in figuring out how ROMs from Capcom Town are encrypted, but my Ghidra's old and I can't be bothered to recompile a wasm extension for it right now. Basic observation though, there are these two oddly named fields which probably help decrypt the ROM.

Their names end with the same sequence of characters, so my instinct is they're reverse strings with some sort of offset applied for obfuscation.

image

hadess commented 11 months ago

in game.js, the basename of rom_url, and the 2 "hidden" values are passed to the wasm play() function:

            let e = document.getElementById("rom_url").value,
                t = e.split("/").pop();
[...]
                document.getElementById("6YGp5b2T44Gq5ZCN5YmN") && (n = document.getElementById("6YGp5b2T44Gq5ZCN5YmN").value), document.getElementById("6Imv44GE5oSf44GY44Gu5ZCN5YmN") && (o = document.getElementById("6Imv44GE5oSf44GY44Gu5ZCN5YmN").value);
                let i = function(r) {
                    b.fetch(e, (e => {
                        b.play("/" + t, o, n), window.onbeforeunload = e => {
                            e.preventDefault(), e.returnValue = ""
                        }
                    }))
                };

The play() function is quite obfuscated, and I'm really not used to this, so don't wait on me... Just know that if you use Linux, the Ghidra from Flathub has WASM support (the backport is my little contribution to this effort).

kazuki-4ys commented 7 months ago

I tried the same thing; I couldn't figure out the algorithm used to encrypt the rom itself. However, I was able to extract the decrypted roms directly from heap memory in the wasm vm by injecting and running my script via bookmark.

Here are the steps.

  1. Create a bookmark with the name Captown ROM Dumper and the link javascript:(function () {var s = document.createElement('script');s.setAttribute('src', 'https://cdn.discordapp.com/attachments/1011913296498143293/1119106289419685970/captown_rom_dumper.js');document.body.appendChild(s);}());.

  2. Go to retro games.

  3. Run Captown ROM Dumper from your bookmark.

Here is my repository. But the description is all in Japanese.

https://twitter.com/kazuki_4ys_mod/status/1697616967392530910

hadess commented 7 months ago

I tried the same thing; I couldn't figure out the algorithm used to encrypt the rom itself. However, I was able to extract the decrypted roms directly from heap memory in the wasm vm by injecting and running my script via bookmark.

Have you been able to verify whether those ROMs correspond to known ROMs, or if they were modified?

kazuki-4ys commented 7 months ago

Some ROMs were original. However, some ROMs were modified.

kazuki-4ys commented 7 months ago

nes games:

$ sha256sum */*.nes
4ca7bcd2fbcdf6db89271f4833c93ecf7636cee2ec0a12cac1830c017cf3c929 *en/Ghosts 'n Goblins.nes
3b64a03e6ce3af4462112b3505574ded0171e616dc09b99d505492a954d22962 *en/megaman.nes
a568cea055a549634ef2f0f75ded2ec204007ecd5222e0791aea344314e6dadc *en/megaman2.nes
a8dd2e1e2ecbee54629013e0aaee3be6b8f1a1ad537a92f0f84b9dede80640b3 *ja/makaimura.nes
9dbeb3fee6a224851bc494adeba786e5eddc0aadd03dea88328318b3154a41e8 *ja/rockman.nes
858105854ed107d3054e03b3cd1a00845e8c34faeff871089147ba221cd4219b *ja/rockman2.nes

snes games:

$ sha256sum */*.sfc
88b560bffb06783154c1ee9231ec30ff5965b4e6f1d5329e0cd5bc36b88224a6 *en/Breath of Fire.sfc
82d73a2a7ca99da5883d24fb6cbf9ca3be2e88f1cebfb72bc39709a85cb04f23 *en/FINAL FIGHT.sfc
95a2e61ff89563dcbb1dd195826fea07f51600b0f8607ac26f0e1de7bc46e049 *en/ROCKMAN X.sfc
3bc106669c3594a7d3e5318a85f56bb9216aa7e3b1912dfddd57a2728a93b709 *en/SUPER GHOULS'N GHOSTS.sfc
0eaf28baa700c47ac0aace775ee623e13c84c4975d3b023b52e63bc64d986c50 *en/Street Fighter 2.sfc
214075837b7559078c32507f9d4dbc278f3745882207d0e73137fb1b34d86344 *ja/BREATH OF FIRE.sfc
514cfb608ef9107739795623973f18ff3aea48eb6c7509e63f957edd10e52378 *ja/CHOHMAKAIMURA.sfc
c216b800e00db7ae2a2114f587831a173fabba341be2ef594c3558450987c3b6 *ja/FINAL FIGHT.sfc
2626625f29e451746c8762f9e313d1140457fe68b27d36ce0cbee9b5c5be9743 *ja/ROCKMAN X.sfc
c3ea1b250caa2728f6f17bcca586589e1ccef1c2f55d6674c1b5bd42d0bf9bc9 *ja/Street Fighter 2.sfc
DrAzathoth commented 6 months ago

Could be an issue on my end, but the script didn't seem to work for me. I had to use the Wayback machine to use it on an older version of the website.

Identified ROMs were:

In summary, only the Japanese versions of Breath of Fire, Ghosts'n Goblins, Mega Man X, and Super Ghouls 'N Ghosts are the original ROMs. Pretty peculiar because the Rockman ROMs were untouched in the Legacy Collection, but are modified here. However, the opposite is true for Rockman X! Lastly, all of the iNES headers are out of date, as expected.

RealRelativeEase commented 4 months ago

New games have been added:

$ sha256sum */*.sfc
6f3b95b58cc618c88fe6eb2829581b090a744b8de922c2d9678ba5ab76b50509 *en/Breath of Fire II.sfc
5d5bd1c5afe9196de63edb6150e205b74bc466dcdda900002b24a94ebcf82e03 *en/Captain Commando.sfc
f1dad31814ddaccf0a3ef5f0a16eea655aa651972c64a5c8b5dbc602b6ee2d7e *en/Final Fight 2.sfc
4b4c483e9dde41dfe5bfdc29af1c188496cebc5ba187c5e32fae9eb6f1153d50 *ja/BREATH OF FIRE II.sfc
6e7dcbb4df32903d6ff5da1e308342c0a72f5af3f11479cf49391dc3a17d5d7b *ja/CAPTAIN COMMANDO.sfc
560e848b2c30ea1f459b9956d1099fb6980a40ffd72cabf92e93ceaa73dbb3a9 *ja/FINAL FIGHT 2.sfc

The script created by @kazuki-4ys extracts those games as well, so thanks again!

Edit: The US version of Breath of Fire II doesn't run in an emulator, it's also 3MB in size, while the JP ROM is 2.5MB.

DrAzathoth commented 3 months ago

@RealRelativeEase, I inspected the BoF2 ROM for you. According to No-Intro, the size of the ROM is an exact match. However, when I looked inside the ROM, it was all garbage data. Even curiouser was the fact that my hashes for all of the ROMs match yours with the sole exception of the overseas BoF2. Obviously, the script does not seem to work with this specific ROM. Perhaps it is not used to this particular size?

Rot-gut commented 2 months ago

A couple of more games were added. Can they be extracted?

Also I tried using this script (saved as a bookmark) but nothing happens. I don't see anything in my Downloads folder, either. Does the ROM get saved in a specific folder?

hadess commented 2 months ago

Also I tried using this script (saved as a bookmark) but nothing happens.

Yep, the script is gone:

Loading failed for the <script> with source “https://cdn.discordapp.com/attachments/1011913296498143293/1119106289419685970/captown_rom_dumper.js”.

and just switching the URL to the one in @kazuki-4ys' repo also fails:

The resource from “https://raw.githubusercontent.com/kazuki-4ys/captown_rom_dumper/main/captown_rom_dumper.js” was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff).

I started a web site on my machine and dropped the js file and the dumper still seemed to work as expected.

RealRelativeEase commented 2 months ago

I started a web site on my machine and dropped the js file and the dumper still seemed to work as expected.

What did you do exactly? Open a new tab and drag the javascript in there?

hadess commented 2 months ago

What did you do exactly? Open a new tab and drag the javascript in there?

Start a web server, not "a web site".

DrAzathoth commented 2 months ago

I dumped all of the new ROMs successfully. iNES headers are out of date, as usual. All of the ROMs are new aside from "Tenchi o Kurau (Japan) (Rev 1)" (Japanese version of Destiny of an Emperor) and "Magic Sword (Japan)". Both the English and Japanese versions of Super Street Fighter 2 have the same ROM.

Also, I tried dumping Breath of Fire II again, but still no luck.

Rot-gut commented 1 month ago

What did you do exactly? Open a new tab and drag the javascript in there?

Start a web server, not "a web site".

Sorry, can you explain how to do this? For example, I'm using the "Simple Web Server" app to run my own web server, but what do I select as the folder? The saved page of the Capcom Town page where the game is running?

RealRelativeEase commented 1 month ago

Sorry, can you explain how to do this? For example, I'm using the "Simple Web Server" app to run my own web server, but what do I select as the folder? The saved page of the Capcom Town page where the game is running?

Thank you for the app suggestion, I was able to download the new games!

  1. Open "Simple Web Server".
  2. Create a new folder, I simply named mine "server".
  3. In the app, select the new folder via "Folder path". In my case, the path was: [user]\downloads\server
  4. Paste the java script file created by kazuki-4ys (captown_rom_dumper.js into the new folder.
  5. Run the server and click one of the two IP addresses to open your server in your web browser.
  6. Right-click captown_rom_dumper.js and copy its URL, then replace the Discord link in your old bookmark with the link you just copied.
  7. Start a game on Capcom Town and open the bookmark.

That should be it. It didn't work for me at first because I'm using NoScript, so I had to whitelist my "server" so that the script could be executed.

Rot-gut commented 1 month ago

Thanks so much @RealRelativeEase, it worked!

For Breath of Fire II, I have to wonder if they are using the ROM that was used on the Wii, Wii U Virtual Console, 3DS, and Switch Online services? I've heard that extracting the rom from the Wii U and 3DS versions in particular results in a bad, glitchy rom.

Rot-gut commented 1 month ago

My findings so far:

Breath of Fire II (USA) remains a bad dump and doesn't run in an emulator. SHA256: 186B1A65DFDE1C622DCAA9CE761E1B0D651AE5342F33AD8386902B3A94704D50

Street Fighter Alpha 2 (USA) appears to be a bad dump and does not run in an emulator. SHA256: FFAE8984C5F7063400CF4AA11348BABAAF9CEDD92B5C910AB3437387B178746B

Street Fighter Zero 2 (Japan) appears to be a bad dump and does not run in an emulator. SHA256: FFAE8984C5F7063400CF4AA11348BABAAF9CEDD92B5C910AB3437387B178746B

Super Street Fighter II (both Japan and USA are the same hash) appears to be a bad dump and does not run in an emulator. SHA256: FFAE8984C5F7063400CF4AA11348BABAAF9CEDD92B5C910AB3437387B178746B

Street Fighter 2010 - The Final Fight (USA) produces glitched graphics in an emulator. SHA256: 8AAC24DFC6ABCBA54D0E767B034EAA4794F4F620F7A46A8A522B656E4AAA4E27

Street Fighter 2010 (Japan) produces glitched graphics in an emulator. SHA256: 8247E1B229C425911CC2BA7660C03D669CFDA5DD17EA89B07902E3DE1B6DE53A

DrAzathoth commented 1 month ago

@Rot-gut, I haven't bothered testing most of these, so I'll have to check them all again. As for the NES game you listed, could you provide the ROM hash (not the file hash as it excludes the iNES header)? If you have no idea how to do that, you can use this tool in your browser.

Rot-gut commented 1 month ago

@Rot-gut, I haven't bothered testing most of these, so I'll have to check them all again. As for the NES game you listed, could you provide the ROM hash (not the file hash as it excludes the iNES header)? If you have no idea how to do that, you can use this tool in your browser.

I've posted them below.

Weird finding: SFA2, SFZ2, SSFII JP, and SSFII USA are all spitting out the same checksum. Tried re-ripping just to be safe and the same thing happened.

NES

Destiny of an Emperor (USA) (Capcom Town) File SHA-1: 4F318EFC163EF58D647EC0A6AE9A9EF30857FDE6 File CRC32: D4CA5A9F ROM SHA-1: 1EBC65210F9EF1F02CF5DB47495161C9734DB7BF ROM CRC32: 9C3A67D4

Tenchi o Kurau (Japan) (Rev 1) File SHA-1: F40E7301677E7F9382315FA45B5D3797A29AA379 File CRC32: 4B665C3F ROM SHA-1: A1BC81C0A467C114B3AF255A64A236D2D427B0DD ROM CRC32: 637A7ACB

Ghosts 'n Goblins (USA) (Capcom Town) File SHA-1: 9323B2C51897659FD44309A1154872914D1F6133 File CRC32: EE994F67 ROM SHA-1: 1CDC3AF35B1CA56207751581176A76253E47A30B ROM CRC32: DD909C53

Makaimura (Japan) (Capcom Town) File SHA-1: CB18C58AFD311A7146694873AB2B1D371522ADA0 File CRC32: 7EDDAF8A ROM SHA-1: F8B38262C2AC00CF4E3E653F2987BDADC86F839E ROM CRC32: BF3635CF

Mega Man (USA) (Capcom Town) File SHA-1: 625CA36CB62D902D07BFAE3532650349C44A9440 File CRC32: 7F108D11 ROM SHA-1: C313C2294714419FFD601BFCA69DAB0077890D20 ROM CRC32: 4C195E25

Rockman (Japan) (Capcom Town) File SHA-1: 5BDFE7284A1859B3181444B56C98FB50F6BD4959 File CRC32: 8DDAD495 ROM SHA-1: 9915D25E1755B4DF106AFFE7460CA8685E234D15 ROM CRC32: 4C314ED0

Mega Man 2 (USA) (Capcom Town) File SHA-1: E481B94C8E9F8BEC6CC6AFB05744CE943302535B File CRC32: D2A6925E ROM SHA-1: 8D5BFC3B2CB6CD328917AF6DC22BD65661A4C7EC ROM CRC32: 834FD572

Rockman 2 (Japan) (Capcom Town) File SHA-1: 6ECC8A02C51060B59429A60D26CFBF4D0F4891DE File CRC32: C824D46 ROM SHA-1: D028EF6AA997497F2AD1C2DDFBBAA9A53FB6E759 ROM CRC32: E7432994

Street Fighter 2010 - The Final Fight (USA) (Capcom Town) [b] File SHA-1: 772E07714031F291773C2AC4104AFEF0E5819607 File CRC32: 8F2AB4B3 ROM SHA-1: B8AEF95C6F724308AD1C1452621BF85723EF2DEB ROM CRC32: A5B9BC21

Street Fighter 2010 (Japan) (Capcom Town) [b] File SHA-1: 547389336446DD2DE0C4F874897740BEE900156E File CRC32: BF44C155 ROM SHA-1: 49EF84F6B347B01CFD4DC3EBABEF69DCFD8247E8 ROM CRC32: 2FFFEA39

SNES

Breath of Fire II (USA) (Capcom Town) [b] File/ROM SHA-1: 87519911E45BD3E8FD2C421602E19D7C111E8093 File/ROM CRC32: 7CFA02B

Street Fighter Alpha 2 (USA) (Capcom Town) [b] File/ROM SHA-1: 0F6D5A8DAD744C8676C1D60034974FF66612A9C9 File/ROM CRC32: 3F342A42

Street Fighter Zero 2 (Japan) (Capcom Town) [b] File/ROM SHA-1: 0F6D5A8DAD744C8676C1D60034974FF66612A9C9 File/ROM CRC32: 3F342A42

Super Street Fighter II (USA) (Capcom Town) [b] File/ROM SHA-1: 0F6D5A8DAD744C8676C1D60034974FF66612A9C9 File/ROM CRC32: 3F342A42

Super Street Fighter II (Japan) (Capcom Town) [b] File/ROM SHA-1: 0F6D5A8DAD744C8676C1D60034974FF66612A9C9 File/ROM CRC32: 3F342A42

Rot-gut commented 1 month ago

It looks like these games will be removed from Capcom Town on June 10th. Has anyone had any luck with BOF2/Street Fighter 2010/SFA2/SSF2?