Bleemcast conspiracy *disclaimer tin foil necessary*

|darc|
lithium
Posts: 46
Dreamcast Games you play Online: Phantasy Star Online v2

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by |darc| »

So, apparently the bleemcast beta IP.BIN is the exact same IP.BIN from Heartbreak Diary, just made region free, and binary name changed to "1BLEEM.BIN". There are no other differences whatsoever.

After descrambling the rainbow bins you can see the first 668 bytes of each are the same, and then the next 318,052 bytes are encrypted. Fairly safe assumption that the first 668 bytes are the loading/decrypting routine.

After descrambling the cracked beta you can see that the first 668 bytes are the same as the uncracked colors, except 2 bytes are changed to a NOP, most likely meaning they disabled the decryption algorithm and the remaining 318,052 bytes are already decrypted.

I don't have any more time tonight but all someone would need to do is load up the first 668 bytes in a disassembler. All of your answers would be right there.

SMiTH
Black Mesa
Posts: 1497

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by SMiTH »

Hell ya.
Now that is some awesome info.
Thank you.
:)

|darc|
lithium
Posts: 46
Dreamcast Games you play Online: Phantasy Star Online v2

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by |darc| »

Here is the disassembly of those 668 bytes, and I can see that lines 67-72 match this information:


Here is extra info included - BETA Known Protections
================== ==================
- basically what happens is it copies its own data to 0x8c00f??? range
- then decrypts that data using a v.simple algorithm
- a mixture of a key in GR14 and using the XOR instruction

0x8c00f1ec: MOVLL (R2) --> R0
0x8c00f1ee: DT R1 - 1 --> R1; if R1=0, T=1, else T=0
0x8c00f1f0: XOR R0 ^ R13 --> R0
0x8c00f1f2: ADD R0 + R14 --> R0
0x8c00f1f4: XOR R14 ^ R13 --> R14
0x8c00f1f6: SUB R13 - R0 --> R13
0x8c00f1f8: MOVLS R0 --> (R2)

but the two bytes that were NOP'd in the cracked version are the last MOV.L R0, @R2 instruction from that routine.

so yeah... all of this is confirming what we already know.

SMiTH
Black Mesa
Posts: 1497

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by SMiTH »

If you NOP those two bytes in the other uncracked 1bleem.bin's, will it load the remaining 318,052 bytes and allow the 1bleem.bin to boot? Or are they encrypted and none of that matters? You just stop the initial routine from loading, which we believe is what locks the bin to a specific Dreamcast? Or am I way off here lol?

|darc|
lithium
Posts: 46
Dreamcast Games you play Online: Phantasy Star Online v2

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by |darc| »

If you NOP those bytes on any of the uncracked betas, it’s going to try to execute encrypted code which will be illegal instructions causing a crash or reboot.

It’s essentially the same as leaving the bytes not NOP’d, in which case it will decrypt into garbage because it has the wrong key, that garbage will also be illegal instructions causing a crash or reboot.

The next steps would be to read that assembly and understand the instructions, then duplicate that functionality in a program, then have it try every possible key until the output data matches the currently known cracked bleemcast beta. This should be possible to do for all 5 colors and then you’d have your “proof” :lol:

SMiTH
Black Mesa
Posts: 1497

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by SMiTH »

perfect.

|darc|
lithium
Posts: 46
Dreamcast Games you play Online: Phantasy Star Online v2

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by |darc| »

Had a minute to look at this again before bedtime, yeah, basically at line 51 the instructions set up making a SYSINFO_INIT syscall to initialize the system info, at line 53 it's setting up the offset to start decryption (660 bytes from start of program memory) into register R10, then it makes a SYSINFO_ID syscall at line 57 to retrieve a pointer to the console's 8-byte serial number into register R0 (see System Calls at Marcus's site), at lines 60 and 62 it retrieves the 8 byte console serial number at the address of the pointer and places it into registers R13 and R14. When it gets to lines 67-72 to loop through and decrypt all the bytes, it's using the serial in registers R13 and R14 as an initial key. It then decrypts the program in place in memory. The cracked version NOPs the instruction that copies the decrypted byte into place, so technically it still "decrypts" what's there but discards the value instead of moving it into place.

So Rand or Rod or whoever retrieved the 8-byte console serials from their testers' consoles, referred to them as color coded, and made console-specific releases for them. If the binary wasn't used on that specific Dreamcast with that serial, then it would decrypt to garbage and would not run.

My time is limited in the next two weeks but if I find some time I'll write a program to figure out what the 5 console serial numbers were that corresponded to the 5 color builds.
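Added example, not part of the original thread or of any Bleemcast build: a C model of the seven-instruction loop quoted earlier, showing the serial-keyed decryption, its inverse, and the effect of NOPing the final store. The assignment of serial halves to R13/R14, the 4-byte pointer advance per pass (not shown in the listing), and all sample words and serial values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Two 32-bit halves of the 8-byte console serial. Which half lands in
   R13 and which in R14 is an assumption. */
typedef struct { uint32_t r13, r14; } serial_key;

/* The loop from the listing over n 32-bit words (R2 is assumed to advance
   4 bytes per pass). store=0 models the NOP'd final MOV.L R0,@R2. */
static void serial_decrypt(uint32_t *buf, size_t n, serial_key k, int store)
{
    for (size_t i = 0; i < n; i++) {   /* DT R1 counts the words down */
        uint32_t r0 = buf[i];          /* MOV.L @R2,R0  */
        r0 ^= k.r13;                   /* XOR   R13,R0  */
        r0 += k.r14;                   /* ADD   R14,R0  */
        k.r14 ^= k.r13;                /* XOR   R13,R14 */
        k.r13 -= r0;                   /* SUB   R0,R13: key chains on output */
        if (store) buf[i] = r0;        /* MOV.L R0,@R2  */
    }
}

/* Inverse transform: what a per-console build step would have to apply. */
static void serial_encrypt(uint32_t *buf, size_t n, serial_key k)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t p = buf[i];
        buf[i] = (p - k.r14) ^ k.r13;
        k.r14 ^= k.r13;
        k.r13 -= p;
    }
}

/* Constructed sample data; neither words nor serials come from a real build. */
static const uint32_t SAMPLE[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
static const serial_key RIGHT = { 0x01234567u, 0x89ABCDEFu };
static const serial_key WRONG = { 0x01234566u, 0x89ABCDEFu };  /* one bit off */

/* Optionally encrypt SAMPLE for RIGHT, run the loader loop with key k, and
   report whether memory holds SAMPLE afterwards (1) or not (0). */
static int recovers_plaintext(int encrypted, serial_key k, int store)
{
    uint32_t buf[4];
    memcpy(buf, SAMPLE, sizeof buf);
    if (encrypted) serial_encrypt(buf, 4, RIGHT);
    serial_decrypt(buf, 4, k, store);
    return memcmp(buf, SAMPLE, sizeof buf) == 0;
}
```

Because each pass subtracts the decrypted word from R13, a wrong serial corrupts every word from the first one on, while a NOP'd store leaves memory untouched whatever the serial is.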

SMiTH
Black Mesa
Posts: 1497

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by SMiTH »

This is fkn awesome, I love it.

MoeFoh
Outrun
Posts: 1142

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by MoeFoh »

Awesome, reverse-engineering the reverse-engineering! darc has got it nailed down. 8-)

Stringer_bell
lithium
Posts: 48

Re: Bleemcast conspiracy *disclaimer tin foil necessary*

Post by Stringer_bell »

Can anyone provide a non-technical explanation as to what the end goal is of what's being discussed?
