Hydra

Tengen

1991

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store
6. ARIV

Start by backing up the original game disks, so we have something to work with.
The game is protected with a copylock routine, which reads a specially written track on the disk.
This track cannot be duplicated using a normal disk drive. When the copylock routine reads the copylock track, it calculates a key that is used (in this game) to modify some of the game code.
When a copy of the game is used, the routine that modifies the game code will fail and cause a crash.
The easiest way to crack the copylock routine is to insert the copylock key directly into the encrypted code.
This ensures that the copylock modifies the game correctly.
First we need the correct copylock key.
Start ARIV, insert original disk 1 and reboot. After a few seconds ARIV will pop up because an exception occurred (Ex.Trap).
Just exit ARIV and let the game continue loading. After a while ARIV pops up again. This time it's due to the "ILLEGAL" instruction executed by the copylock. Enable the RNC decrypter so we can decrypt the copylock: "ROBD"

The currently running program is the copylock, so press "D" and hold Enter down until this appears:

Address 17BE is the start of the "second part" of the copylock. After the copylock has read the copylock track, the copylock key is moved from register D6 to D0 and address 17BE is called. This is the start of the routine that modifies the game's memory.
Address 17C6 looks very interesting. It copies the copylock key from D0 to address 60. It is very common for newer copylocks to return the key here. Address F4 is also popular, and address 24 for old RNC routines.
To get the key, simply boot the original game and enter AR after the copylock has run.
Boot the original game and enter AR when the game asks for disk 2.
The copylock has now run and, if you used the original game, passed. See the contents of address 60:

Enter ARIV and read the copylock routine from the copy of disk 1 into memory: "RT 8 2 50000".

Copylocks start with the instruction "PEA xxxx(PC)", so search for its opcode bytes, starting at address 50000:
"F 48 7A,50000"
ARIV returns addresses 52004 and 52014. Enable the RNC decrypter ("ROBD") and disassemble the start of the copylock. Stop disassembling when you see this:

The disk-accessing part and the key calculation of the copylock are done within the code from address 523EA to 5242C.
Registers are saved by the code at address 523EA. Address 523FE is a good place to wire the key in, as no disk routines have been called yet. After the key is inserted in D0, we clear D1. We can then branch to the address that restores the registers again. D0 and D1 are not saved. Disassemble a bit further:

Address 5242E moves the key from D6 to D0 (we skip this part) and the registers are restored at 52430.
Address 52434 branches to the second part of the copylock, which uses the key to modify the game's memory.
Assemble at address 523FE and insert the code you see above.
Then write the track back: "WT 0 1 50000"
The game is now cracked.
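The "F 48 7A,50000" search above is a byte pattern search for the 68000 opcode of PEA d16(PC), the instruction every copylock of this family starts with. A plain byte search will also report "48 7A" pairs that straddle an instruction boundary or sit inside data, so an analyst usually wants an aligned scan that also decodes where each PEA points (the PC used for the displacement is the address of the extension word, i.e. the instruction address plus 2). The following Python is an added example, not code from the page or from Rob: it scans a constructed 16 KiB image "read" to address 50000, as the tutorial's RT command does, and reports every aligned PEA d16(PC) with its target. The base address, the image contents and the displacements are made up for the demonstration.

```python
import struct

# 68000 opcode word for PEA d16(PC): push (PC + signed 16-bit displacement)
PEA_PC_OPCODE = 0x487A


def find_pea_pc(image: bytes, base: int) -> list:
    """Return (address, target) pairs for every PEA d16(PC) in `image`.

    `base` is the address the image was loaded to (50000 in the tutorial).
    68000 instructions are word aligned, so only even offsets are examined,
    which rejects '48 7A' byte pairs that merely straddle two words.
    The displacement is taken relative to the extension word at address+2.
    """
    hits = []
    for off in range(0, len(image) - 3, 2):
        opcode = struct.unpack_from(">H", image, off)[0]
        if opcode != PEA_PC_OPCODE:
            continue
        disp = struct.unpack_from(">h", image, off + 2)[0]  # signed 16-bit
        addr = base + off
        hits.append((addr, addr + 2 + disp))
    return hits


def make_sample_image() -> bytes:
    """Constructed 16 KiB image (not the game's data) with two aligned
    PEA d16(PC) instructions and one misaligned '48 7A' byte pair that a
    raw byte search would report but an aligned opcode scan must ignore."""
    img = bytearray(0x4000)
    # PEA $10(PC) at 52004 -> pushes 52006 + 10 = 52016
    struct.pack_into(">Hh", img, 0x2004, PEA_PC_OPCODE, 0x0010)
    # PEA -$12(PC) at 52014 -> pushes 52016 - 12 = 52004
    struct.pack_into(">Hh", img, 0x2014, PEA_PC_OPCODE, -0x12)
    # decoy: bytes 48 7A starting at an odd address
    img[0x3001] = 0x48
    img[0x3002] = 0x7A
    return bytes(img)


if __name__ == "__main__":
    for addr, target in find_pea_pc(make_sample_image(), 0x50000):
        print("PEA (PC) at %X -> %X" % (addr, target))
```

Run against a real track dump the list is a shortlist, not a verdict: 487A is a legitimate instruction anywhere in a program, so each hit still has to be confirmed by disassembling, exactly as the tutorial does with ROBD and D.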
I have also added a little trainer, which gives you unlimited fuel and boost.
I will not explain much, just guide you step by step.
The following is done using your newly cracked disk!
First of all we need to make the game call our trainer when the main code has been loaded in but not yet executed. Follow these instructions to make the game jump to address 100:

We can locate the trainer on the boot block. We have to make a routine that copies the trainer to address 100 and alter the boot block so it calls this routine. Do the following:

Then code the trainer itself:

70100; MOVE.W #F0F,DFF180; 70100 - 70124 flashes the screen and waits for the mouse
70108; MOVE.W #F,DFF180
70110; BTST #6,BFE001; left mouse button
70118; BEQ 70126
7011A; BTST #A,DFF016; right mouse button
70122; BEQ 7017A
70124; BRA 70100
70126; MOVE.L #4E714E71,D0; 70126 - 70174 trains the game by NOPing out the fuel and boost related instructions (4E71 is the 68000 NOP opcode)
7012C; MOVE.L D0,9012
70132; MOVE.W D0,9016
70138; MOVE.L D0,9548
7013E; MOVE.W D0,954C
70144; MOVE.L D0,92EC
7014A; MOVE.W D0,92F0
70150; MOVE.L D0,B7F2
70156; MOVE.W D0,B7F6
7015C; MOVE.L D0,74CE
70162; MOVE.W D0,74D2
70168; MOVE.L D0,B7F8
7016E; MOVE.L D0,B7FC
70174; MOVE.W D0,B800
7017A; MOVE.W #0,DFF180; set the background back to black
70182; CLR.L D0; restore D0
70184; JMP F04.S; jump to the main code (this originally appears at address 800)

Correct the boot block checksum and write the block back:

When screen flashes in funky colours, press LMB for trainer and RMB for normal.
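The "correct the checksum" step refers to the Amiga boot block checksum: the 1024-byte boot block (track 0, sectors 0 and 1) carries a checksum long word at offset 4, right after the "DOS" signature, and the ROM will not boot a block whose checksum is wrong. Any change to the boot block, such as the jump to the trainer above, therefore has to be followed by recomputing it. The following Python is an added example, not code from the page or from Rob: it computes, patches and verifies the checksum over a constructed sample block. The layout (signature, checksum field, root block pointer) and the end-around-carry summation are the standard boot block format; the sample contents are made up.

```python
import struct

BOOTBLOCK_SIZE = 1024    # sectors 0 and 1 of track 0
CHECKSUM_OFFSET = 4      # long word 1; long word 0 is "DOS" + flags byte


def bootblock_checksum(block: bytes) -> int:
    """Compute the boot block checksum for a 1024-byte block.

    The checksum field itself is treated as zero. All 32-bit big-endian long
    words are added with end-around carry (a carry out of bit 31 is added back
    in), and the final sum is complemented.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly %d bytes" % BOOTBLOCK_SIZE)
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                      # field counts as zero
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:            # carry out of 32 bits
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def fix_bootblock_checksum(block: bytes) -> bytes:
    """Return a copy of `block` with a correct checksum written at offset 4."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def bootblock_is_valid(block: bytes) -> bool:
    """True if the stored checksum matches the recomputed one."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def make_sample_bootblock(code: bytes) -> bytes:
    """Constructed sample boot block (not the game's): DOS signature, a zeroed
    checksum field, the usual root block pointer (880) and some boot code."""
    header = b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 880)
    body = header + code
    if len(body) > BOOTBLOCK_SIZE:
        raise ValueError("boot code too large for the boot block")
    return body.ljust(BOOTBLOCK_SIZE, b"\0")


if __name__ == "__main__":
    # a few NOPs (4E71) stand in for boot code
    sample = make_sample_bootblock(b"\x4e\x71" * 4)
    patched = fix_bootblock_checksum(sample)
    print("checksum %08X, valid=%s" % (bootblock_checksum(patched),
                                        bootblock_is_valid(patched)))
```

The same routine works as an integrity check on a dumped disk: a boot block whose stored checksum does not verify has either been edited without this step or damaged, and the ROM will treat it as not bootable.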

Dedicated to my little angel Victoria.

Rob.
