Just found out that there are four more "copy-protected" bootleg games, similar to those mentioned by d4s ages ago: viewtopic.php?f=12&t=4417 (and as summarized here: http://problemkaputt.de/fullsnes.htm#sn ... edvariants ).
Squirrel (2MB, CRC32=BAD1D9B8h): this is just using the same "bitswap" feature as most of the other games (A Bug's Life, Aladdin 2000, etc.).
Marvel Super Heroes vs Street Fighter (2MB, CRC32=CDB590E4h): this is doing the same "bitswap", too, but accessed via different memory addresses. Instead of Read=80-xx:8000-FFFF and Write=88-xx:8000-FFFF, it's using Read=4x:8xx0 and Write=4x:8xx2. I don't know which addresses it's mirrored to exactly. Some used addresses are:
-- Write Area = 40:8182, 46:80E2, 4E:8062, 4E:88E2
-- Read Area = 40:8180, 46:80E0, 4E:8060, 4E:88E0
bank might be 40-4F, or maybe 40-7D, and maybe also C0-FF
offs might be 8000-8FFF, or maybe 8000-FFFF, or 0000-FFFF
R/W might be indicated by A1 address line, and/or by read/write signals
the whole hardware might be same as in the other "bitswap" carts, but wired to different address lines, or it might be even wired exactly the same (it's unknown if the other "bitswap" carts are mapping anything to bank 40-7D).
Dragon Ball Z - Final Bout (2MB, CRC32=5BBA4EB3h): this seems to use the same "constant" feature as Soul Blade. Or at least it can be emulated that way. On the other hand, Soul Blade didn't really verify the 55h,0Fh,AAh,F0h constants (it's working okay even replacing those constants by FFh,FFh,FFh,FFh). If the verification in Dragon Ball is equally weak then it might work with other constants, too. So it's hard to tell how the cartridge really works (unless when physically dumping the constants from the cartridge).
Campeonato Brasileiro 2 (2MB, CRC32=CBE9A9BDh): this is using some new feature, and I haven't fully figured out its working yet. It looks as if each 2nd 32Kbyte ROM bank is "encrypted" via some relatively simple XOR pattern:
The game writes [C002C1h]=4126h shortly after reset, and data in odd ROM banks seems to be corrupted/encrypted (eg. opcodes at 87CCB7h seem to be XORed by 03h, or by 01h and/or other values in some cases).
That is, when dumping the game without initializing the XOR pattern (which is probably done by the [C002C1h] write). If it's initialized properly then it should return clean "decrypted" data (without needing the XOR by 03h), but the game is probably changing the XOR pattern for different ROM areas, so it would be best to get a dump that has clean "encrypted" data, and then to figure out how to decrypt/emulate it.
Some MORE bootleg games are mentioned here: http://bootleggames.wikia.com/wiki/Category:SNES_games - I haven't tried them and don't know if they do contain protection hardware, too. If somebody wants to try: If they don't work in no$sns then they are probably containing protection hardware (which would be nice to know).
If they do work (would be nice to know too), then they are unprotected (or already emulated, like A Bug's Life, Aladdin, Soul Blade etc.)
PS. photos for the different bootleg cartridges would be also interesting (with PCB front/back sides).
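One way to test the "each 2nd 32Kbyte bank is XORed" observation, once two dumps of the same cartridge exist (one read without the pattern initialized, one read clean), is a per-bank histogram of the XOR difference. This is an added example, not part of the original post; the function names and the sample data (including the 03h/01h half-bank layout) are constructed assumptions, not the real pattern.

```python
from collections import Counter

BANK_SIZE = 0x8000  # 32 Kbyte ROM bank, the unit the post refers to


def xor_profile(raw: bytes, reference: bytes, bank_size: int = BANK_SIZE):
    """Per-bank histogram of (raw XOR reference) over the bytes that differ."""
    if len(raw) != len(reference) or len(raw) % bank_size:
        raise ValueError("dumps must be equal-sized and a whole number of banks")
    profile = []
    for start in range(0, len(raw), bank_size):
        a = raw[start:start + bank_size]
        b = reference[start:start + bank_size]
        profile.append(Counter(x ^ y for x, y in zip(a, b) if x != y))
    return profile


def summarize(profile):
    """Return (indices of banks that differ, sorted XOR values seen anywhere)."""
    touched = [i for i, deltas in enumerate(profile) if deltas]
    values = sorted({v for deltas in profile for v in deltas})
    return touched, values


def constructed_dumps(banks: int = 8):
    """Constructed test data, NOT a real ROM: odd banks XORed by 03h or 01h."""
    clean = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(banks * BANK_SIZE))
    raw = bytearray(clean)
    for bank in range(1, banks, 2):
        base = bank * BANK_SIZE
        for off in range(BANK_SIZE):
            # Hypothetical layout: 03h in the lower half of the bank, 01h above.
            raw[base + off] ^= 0x03 if off < BANK_SIZE // 2 else 0x01
    return bytes(raw), clean


if __name__ == "__main__":
    raw, clean = constructed_dumps()
    for bank, deltas in enumerate(xor_profile(raw, clean)):
        line = ", ".join(f"{v:02X}h x{n}" for v, n in sorted(deltas.items()))
        print(f"bank {bank:02X}: {line or 'identical'}")
```

On real dumps, a small set of XOR values confined to odd banks would support the observation, and where the value changes inside a bank would show how the pattern varies by ROM area.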