EDIT: I figured it out. Solution is here:
http://board.byuu.org/viewtopic.php?p=12986#p12986

Basically, when NMI triggers (on the bus cycle edge), it clears the S-CPU Memory Data Register.
As the game loops while reading 16 bits, eventually an NMI triggers on the opcode edge after lda $185d,x [x=181a, effective=3077], which turns $1818 into $0018. And that value magically gets the loop to break.
By observing the number of loop iterations needed to break out, it appears to match hardware very closely. Obviously it's not exact since the counters aren't aligned when you hit the button.
I will write a proper proof ROM later tonight to verify it 100%, but I'm pretty confident that we have this one cracked now.
Unfortunately this test is going to require clock-perfect S-CPU timing, but at least after seeing it pass/fail on hardware, you can implement it in MESS.
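A simplified bus model of the mechanism described in the post (added example, not code from the post or from any emulator): unmapped reads return the Memory Data Register, an NMI edge clears it, and a 16-bit read of open bus at $3077 therefore flips from $1818 to $0018 when the edge lands on the high-byte read. The unmapped range, the cycle numbering, the program-counter location and the NMI cycle are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Simplified S-CPU bus model (added example, not from the post or any
   emulator). Unmapped reads return the Memory Data Register (open bus);
   an NMI edge clears the MDR, as the post describes. Cycle counts, the
   unmapped range, the PC location and the NMI cycle are constructed. */
typedef struct {
    uint8_t  mdr;        /* S-CPU Memory Data Register (last bus value) */
    uint32_t cycle;      /* bus cycles elapsed so far */
    uint32_t nmi_cycle;  /* constructed: cycle on whose edge NMI fires */
} Bus;

/* Constructed: treat $3000-$3FFF as unmapped (open bus). */
static bool unmapped(uint16_t addr) { return (addr & 0xF000) == 0x3000; }

static uint8_t bus_read(Bus *b, uint16_t addr, uint8_t mapped_value) {
    if (b->cycle == b->nmi_cycle)
        b->mdr = 0x00;               /* NMI edge clears the MDR */
    uint8_t v = unmapped(addr) ? b->mdr : mapped_value;
    b->mdr = v;                      /* every bus read refreshes the MDR */
    b->cycle++;
    return v;
}

/* One pass of "lda $185d,x" with X=$181a: fetch the 3 opcode bytes
   (BD 5D 18) from a constructed PC, then read the 16-bit operand at
   effective $3077. The last fetched byte ($18) is what open bus returns
   when no NMI edge intervenes, giving $1818. */
static uint16_t lda_185d_x(Bus *b) {
    static const uint8_t opcode[3] = { 0xBD, 0x5D, 0x18 };
    for (int i = 0; i < 3; i++)
        bus_read(b, (uint16_t)(0x8000 + i), opcode[i]);
    uint8_t lo = bus_read(b, 0x3077, 0);
    uint8_t hi = bus_read(b, 0x3078, 0);
    return (uint16_t)(lo | (hi << 8));
}

/* Spin until the read differs from $1818 (or an iteration cap is hit);
   return the value that broke the loop and the iteration count. */
static uint16_t spin_until_break(uint32_t nmi_cycle, uint32_t *iters) {
    Bus b = { .mdr = 0x00, .cycle = 0, .nmi_cycle = nmi_cycle };
    uint16_t v;
    *iters = 0;
    do { v = lda_185d_x(&b); (*iters)++; } while (v == 0x1818 && *iters < 100000);
    return v;
}
```

An NMI edge on the high-byte read (cycle 5k+4 in this model) yields $0018 after k+1 iterations; an edge on an opcode fetch is overwritten by the fetched byte and the loop never breaks.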