Die Hard 2 – Grand Slam – 1992
You will need the following:
1. Original game – or disk image
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store
6. ARIV – find it on romshare.net
7. Kickstart 2.0
8. RNWARP
Start by making a copy of the original game disk. You'll notice an error on track 0, so we are probably dealing with a disk-based protection. Let me surprise you all: it's a Copylock…
The game loads an encrypted file into memory. The Copylock runs; if it passes, the file gets decrypted and executed.
Let's start by finding a way to retrieve the Copylock key. Start ARIV and enter it with the right mouse button. The Copylock is located in the file 'execute'. Load it into memory, starting at address 50000: LM EXECUTE,50000.
Enable the RNC decrypter, so we can decrypt the file: ROBD.
Disassemble address 50000 and hold enter down until this appears:
I have marked some of the key calculation routine in the picture above. By matching these two lines with the output from RNWARP, we can get the key. Take note of the lines marked in red. Exit AR, insert the original game disk and type this in DOS to execute RNWARP: RNWARP.EXE view. This will show the possible Copylock keys.
Can you remember the code marked in green? It is the same as in our Copylock. The correct Copylock key is stated to the left; I marked it in red.
Enter AR again, insert the copy of the game and load the file 'execute' into memory, starting at address 50000: LM EXECUTE,50000. It is located between addresses 50000 – 50CA0.
Enable the RNC decrypter again: ROBD.
Disassemble address 50000 and stop when this appears:
Address 503FC is the one we are interested in. This code appears in most Copylocks, and it's here we'll wire in the Copylock key. After inserting the Copylock key, we branch to the second part of the Copylock, which decrypts the file. This also skips the disk-accessing part, so no more drive-grinding sound…
Continue disassembling a few lines further. You'll notice a BRA at address 50442; this BRA also appears in most Copylocks, and it branches to the 'second' part of the Copylock, as mentioned earlier. We can either branch directly to 507EC or to 50446; it makes no difference.
We wish to alter the code at 503FC, so the Copylock key is moved into D0 and we branch past the disk part.
Assemble at address 503FC and insert the code you see in the picture above.
We are still in the ROBD decryption mode. This means that the code you type in is 'normal' code and will not get decrypted, but ENCRYPTED. You are actually wiring the Copylock key into the encrypted code without doing any calculations at all. ARIV does everything for you.
When done, simply save the file back to disk: SM EXECUTE,50000 50CA0.
Boot your new crack. After some loading, a screen similar to this appears:
Well, more fun for us…
Type something in and press enter. A new question appears, as the answer is wrong. Enter AR and press 'R' to see the registers. A0 points to address 15942; let's see the contents of this address: N 15942. Looks like some kind of table.
Let's see what the protection does with this address. Before we do this, we have to set A0 to 0, or we will get a lot of false references. Type: R A0 0 + enter
Check what happens with address 15942: FA 15942. AR returns address 1586C. Disassemble this address and hit enter a few times. More addresses are moved into the registers and different calculations are done with them. Perhaps we are getting close?
See what calls address 1586C: FA 1586C. AR returns address 15626; disassemble this address and hold enter down until this appears:
Address 157D4 is the 'heart' of the protection, as it makes the final compare between the stored data and what is typed in. If D0 and D1 are word-equal, the game branches on. We'll simply change the 'BEQ' to a 'BRA', causing the game to continue no matter what is typed in.
To be able to find this point again, we had better take note of the opcodes. Type M 157D2 to see the opcodes. Take note of the first long word (B2 40 67 00). The protection is located in a non-encrypted, uncrunched file called 'dh.prg'.
Just load this file into memory, starting at address 30000: LM DH.PRG,30000. The file is located between addresses 30000 – 5DAF6. Search for the opcodes, starting at address 30000: F B2 40 67 00,30000. AR returns three addresses; we are interested in the last one. See the opcodes with M 452EE.
The first 'B2 40' is the compare instruction. The '67' is the 'BEQ'; change it to '60' and the instruction turns into a 'BRA' instead. Don't forget to press enter after inserting the new opcodes. See picture above.
Save the file back: SM DH.PRG,30000 5DAF6.
Boot the game and enter whatever you want at the protection screen.
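Why swapping the 67 byte for 60 turns a BEQ into a BRA is a property of the 68000 encoding: the high nibble 6 selects the Bcc group and the next nibble is the condition code (7 = EQ, 0 = always). The small decoder below, added here as an illustration and not part of the original tutorial or of Action Replay, decodes the two instruction forms the text quotes, CMP.W Dm,Dn and Bcc, from raw bytes. The sample buffer is constructed from the opcodes B2 40 67 00 given above; the 16-bit displacement 000C and the base address 157D2 are assumptions for the example, since the page does not list the displacement word.

```python
"""
Minimal decoder for two Motorola 68000 instruction forms: CMP.<size> Dm,Dn
(data-register source only) and Bcc/BRA/BSR with 8-, 16- or 32-bit
displacement. Added example, not code from the page; sample bytes constructed.
"""
import struct

# Bcc condition field (bits 11..8). 0 = BRA (branch always), 1 = BSR.
CONDITIONS = {
    0x0: "BRA", 0x1: "BSR", 0x2: "BHI", 0x3: "BLS", 0x4: "BCC", 0x5: "BCS",
    0x6: "BNE", 0x7: "BEQ", 0x8: "BVC", 0x9: "BVS", 0xA: "BPL", 0xB: "BMI",
    0xC: "BGE", 0xD: "BLT", 0xE: "BGT", 0xF: "BLE",
}
SIZES = {0: "B", 1: "W", 2: "L"}  # CMP opmode field (bits 8..6)


def decode_bcc(code, offset, base):
    """Decode the branch at code[offset:]; return (mnemonic, target, length)."""
    word = struct.unpack_from(">H", code, offset)[0]
    if word >> 12 != 0x6:
        raise ValueError("not a Bcc opcode: %04X" % word)
    cond = (word >> 8) & 0xF
    disp8 = word & 0xFF
    # Displacements are relative to the PC after the opcode word itself.
    pc = base + offset + 2
    if disp8 == 0x00:  # 16-bit displacement in the following word
        disp = struct.unpack_from(">h", code, offset + 2)[0]
        return CONDITIONS[cond] + ".W", pc + disp, 4
    if disp8 == 0xFF:  # 32-bit displacement (68020 and later)
        disp = struct.unpack_from(">i", code, offset + 2)[0]
        return CONDITIONS[cond] + ".L", pc + disp, 6
    disp = disp8 - 0x100 if disp8 & 0x80 else disp8  # 8-bit, sign-extended
    return CONDITIONS[cond] + ".S", pc + disp, 2


def decode_cmp_dn(code, offset):
    """Decode CMP.<size> Dm,Dn; return (text, length)."""
    word = struct.unpack_from(">H", code, offset)[0]
    opmode = (word >> 6) & 0x7
    ea_mode = (word >> 3) & 0x7
    if word >> 12 != 0xB or opmode > 2 or ea_mode != 0:
        raise ValueError("not CMP Dm,Dn: %04X" % word)
    dn = (word >> 9) & 0x7  # destination data register
    dm = word & 0x7         # source data register
    return "CMP.%s D%d,D%d" % (SIZES[opmode], dm, dn), 2


def disassemble(code, base):
    """Walk a buffer made only of CMP/Bcc words; return [(address, text), ...]."""
    out, offset = [], 0
    while offset < len(code):
        word = struct.unpack_from(">H", code, offset)[0]
        if word >> 12 == 0x6:
            mnem, target, length = decode_bcc(code, offset, base)
            text = "%s $%X" % (mnem, target)
        else:
            text, length = decode_cmp_dn(code, offset)
        out.append((base + offset, text))
        offset += length
    return out


if __name__ == "__main__":
    # Constructed sample: the page's B2 40 67 00 plus an assumed displacement.
    sample = bytes.fromhex("B240 6700 000C")
    for addr, text in disassemble(sample, 0x157D2):
        print("%06X  %s" % (addr, text))
```

The condition nibble is the only thing that differs between 6700 (BEQ) and 6000 (BRA); the displacement word and therefore the branch target stay the same, which is why the single-byte edit the text describes leaves the rest of the routine intact.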
Rob
Yep, also does not work with MotorHead and several others too.
RNWarp should be avoided as it does NOT give the correct key every time.
Use a recent version of WWarp instead which correctly displays all 9 possible keys.
Try and crack WWF Wrestlemania with this method and you will fail miserably.