Hard Drivin II

Untitled Document

Hard Drivin? II
? Tengen Inc.
1991

You will need following:

1. Original game ? or disk image
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disks – find it in your local Amiga store
6. ARIV ? find on romshare.net
7. Kickstart 2.0 or A1200
8. RNWARP

Start by making a copy of original game disk. You?ll notice an error on track 0. So we are probably dealing with a disk based protection. Let me surprise you all: It?s a copylock?
Game loads an encrypted file into memory. The copylock runs, if it passes, the file gets decrypted and executed.
If copylock fails, guess for your self?
Let?s start by finding a way, to retrieve the copylock key. Start ARIV and enter with right mouse. Copylock is located in the encrypted file ? hd2 ?. Load it into memory, starting at address 50000: LM HD2,50000.

Enable the RNC decrypter, so we can decrypt the file: ROBD.
Disassemble address 50000 and hold enter down, until this appears:

I have marked some of the key calculation routine in the picture above. By matching these two lines, with output from RNWARP, we can get the key. Take note of the lines marked with red. Exit AR, insert original game disk and type this in DOS, to execute RNWARP: RNWARP.EXE VIEW This will show possible copylock key?s.

Can you remember the code marked with green ? This is the same key calc. routine, as in our copylock.
The correct copylock key is stated to the left, I marked it with red.
Enter AR again, insert copy of game and load file ? hd2 ? into memory, starting at address 50000: LM HD2,50000. It is located between address 50000 ? 66F3C.

And enable the RNC decrypter: ROBD.
Disassemble address 50000 and stop when this appears:

Address 5043C is the one we are interested in. This code will appear in most copylocks and it?s here we?ll wire copylock key. After inserting the copylock key, we branch to second part of copylock, that decrypts the file. This will also skip the disk accessing part. So no drive grinding sound anymore?.
Continue disassembling a few lines further. You?ll notice a BRA at address 50482, this BRA also appears in most copylocks, and it branches to ? second ? part of copylock, as mentioned earlier. We can either branch directly to 5082C, or to 50486, it makes no difference.

We wish to alter the code at 5043C, so copylock key is moved into D0 and we branch past the disk part.
Assemble address 5043C and insert the code you see in the picture above.
We are still in the ROBD decryption mode. This means, that the code you type in, is ? normal ? code and will not get decrypted, but ENCRYPTED. You are actually wire?ing the copylock key into the encrypted code, with out doing any calcs at all. ARIV does everything for you.
When done, simply save the file back to disk: SM HD2,50000 66F3C.

Dedicated to sweet sweet Victoria
Rob

Publication author

offline 20 years

Rob

Comments: 103Publics: 79Registration: 20-07-2004

0 Comments

Inline Feedbacks

View all comments

MigMan

8 years ago

Thanks M9, good man. All good for nostalgia :). Now I’ve just seen the comments at the end of Die Hard II………

Anyone able to provide a link to rnwarp pls?

musashi9

Admin

Reply to MigMan

https://flashtro.com/RNWarp.zip

Recent Comments

ROG on Rog Source Code – Beam HackWhen I moved out from my parents' home I put my A500, the additional hardware and hundreds of demo disks into a big box, but unfortunately there was not enough

Annatar on Rog Source Code – Beam HackWhat happened to your Amiga?

prime_evil on Rog Source Code – Bean ScrollerNice one ROG - Epic!!!!

SToRM on Rog Source Code – Bean Scrollerthx 4 da greet, nice idea, but it's not that easy to read.

SToRM on Rog Source Code – Beam Hackwho's that girl?

ROG on Rog Source Code – Beam HackI highly recommend to run the source on a (winUAE-)emulated A500 according to the 'instructions file' for having a more flicker-free experience. And maybe