wc3edit.net

United Warcraft 3 map hacking!
It is currently December 13th, 2018, 12:53 pm

All times are UTC




Post new topic Reply to topic  [ 17 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: June 19th, 2017, 11:13 pm 
Offline
Newcomer
User avatar

Joined: February 19th, 2015, 8:04 pm
Posts: 11
Location: Korea, Republic of
Title: Author to Cirnix
Before Start...

Firstable, my english so poor... Maybe there have some grammar error!

This guide will not use re-package.
You must know how to use hex editor.


About Protection...

Spoiler:
SProtect

Download SProtect (Support drag and drop only)
SProtect, made by T1.
Public released, so you can use to free.
Target of SProtect map is 'Masin2rpgTest0.4.w3x'
i uploaded on google drive.
if you try any map, try it.

SSProtect

Made by SSHacker.
Private released, this was need to buy protection tool.
so you can't get this tool on public. (even if it's me)
Target of SSProtect map is 'S R N_RPG 0.6B.w3x'
also uploaded on google drive.



Tool Required

Hex Editor (Important. Recommanded HxD)
MPQ Helper (Important)
Hex Edit Macro (I made it) (Important. If you don't want work manually)
WINMPQ (Important. It will use to compact(or optimize) MPQ)
Ladik's MPQ Editor (Optional. Only need to check completely deprotected)
listfile (Optional. If you want recovery listfile)
Windows Calculator



==================== SProtect ====================

========== Step 1 ==========

Open map to Hex Editor, Find(Ctrl+F) '4D 50 51 1A' by Hex-values. i added tooltip about MPQ Header.
Spoiler:
Image


========== Step 2 ==========

Open dialog 'Select block(Ctrl+E)'.
Select Hash/Block Table.

Calculating Steps is here.
Spoiler:
Open Windows Calculator to Programmer mode.
Change to Hex, DWORD.
Start-offset = Header Pos + Hash/Block Pos
Length = Hash/Block Size * 10

Pos and Size must read little-endian
ex. 92 E9 A7 01 -> 01 A7 E9 92 -> 0x01A7E992

Cut to Hash Table, and save it.
and copy to Block Table, save it too.


========== Step 3 ==========

Code:
MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC

DragDrop Hash/Block table on 'MPQHelper.exe'.
We must decryption Hash/Block Table.
type 'dec', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create decrypted file.
Spoiler:
Image



========== Step 4 ==========

Open decrypted hash table to Hex Edit Macro.
You must modify 2steps.
Code:
-- Step 1 --
Start = 8
Overwrite Value = 00 00 00 00

-- Step 2 --
Start = F
Overwrite Value = 00

After modify and save, open decrypted hash table to Hex Editor.
Open the Replace(Ctrl+R), and follow the this 2steps. (must replace all!)
Code:
Datatype: Hex-values
Search direction: All
-- Step 1 --
Search for: FF FF FF FF FF FF FF FF 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

-- Step 2 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

After finished to replace, save it.


========== Step 5 ==========

Open decrypted block table to Hex Edit Macro.
You must modify only one step.
Code:
Start = 2F
Overwrite Value = 80

After modify and save, open decrypted block table to Hex Editor.
Fill 0x00~0x20 to 00.
Spoiler:
Image

After finished, save it.


========== Step 6 ==========

Code:
MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC

DragDrop modified Hash/Block table on 'MPQHelper.exe'.
We must re-encryption Hash/Block Table.
type 'enc', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create re-encrypted file.
Spoiler:
Image


========== Step 7 ==========

Open re-encrypted Hash/Block Table to Hex Editor.
Copy to all hex in re-encrypted hash table.
Go to End of map file, and Remember or record somewhere to offset. (1A7EB92)
(I will it call this offset named 'Alter Hash Pos')
Spoiler:
Image

Paste it. (Ctrl+V)

Copy to all hex in re-encrypted block table.
Go to End of map file you modified, and remember again to offset. (1A82B92)
(I will it call this offset named 'Alter Block Pos')
Paste it.


========== Step 8 ==========

Return to map header. (Find a '4D 50 51 1A')
Remark the header like this.
Spoiler:
Image

After finished, save and close the Hex Editor. we are no longer use hex editor.


========== Step 9 ==========

Open map to WINMPQ. (Use to 'All files(*.*)')
Execute compact(Ctrl+P), you should it.

After compact, you can see 'ladik's mpq editor' no longer display [Read-only].
Spoiler:
Image




==================== SSProtect ====================

Many things is same, i will skip same things.
(i will write same things in spoiler.)
Ps. Images are same by SProtect. i apoloze for about that.
========== Step 1 ==========

Same by SProtect. i will skip this part.
Ps. Position of '4D 50 51 1A' is different to map by map(case by case).
Spoiler:
Open map to Hex Editor, Find(Ctrl+F) '4D 50 51 1A' by Hex-values. i added tooltip about MPQ Header.
Image


========== Step 2 ==========

Open dialog 'Select block(Ctrl+E)'.
Select Hash/Block Table.
Ps. SSProtect recorded hash table size + 0x10000000 (like, XX XX XX 10)
please ignore that value. (if, value is 00 08 00 10, then read it to 00 08 00 00)

Calculating Steps is here.
Spoiler:
Open Windows Calculator to Programmer mode.
Change to Hex, DWORD.
Start-offset = Header Pos + Hash/Block Pos
Length = Hash/Block Size * 10

Pos and Size must read little-endian
ex. 14 B4 E3 FF -> FF E3 B4 14 -> 0xFFE3B414

Copy to Hash Table, and save it.
and copy to Block Table, save it too.

========== Step 3 ==========


Code:
MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC

DragDrop Hash table on 'MPQHelper.exe'.
We must decryption Hash Table.
type 'dec', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create decrypted file.
Ps. SSProtect didn't modified Block Table. So, we don't touch Block Table.
Spoiler:
Image


========== Step 4 ==========

Open decrypted hash table to Hex Edit Macro.
You must modify 2steps.
Code:
-- Step 1 --
Start = 8
Overwrite Value = 00 00 00 00

-- Step 2 --
Start = F
Overwrite Value = 00

After modify and save, open decrypted hash table to Hex Editor.
Open the Replace(Ctrl+R), and follow the this 2steps. (must replace all!)
Code:
Datatype: Hex-values
Search direction: All
-- Step 1 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

-- Step 2 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

After finished to replace, save it.


========== Step 5 ==========

Code:
MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC

DragDrop modified Hash Table on 'MPQHelper.exe'.
We must re-encryption Hash Table.
type 'enc', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create re-encrypted file.
Spoiler:
Image


========== Step 6 ==========

Return to map header. (Find a '4D 50 51 1A')
Select 0x00000200 ~ Behind Map Header
Spoiler:
Image

Delete it. You should it.

========== Step 7 ==========

Open re-encrypted Hash Table and Block Table to Hex Editor.
Copy to all hex in re-encrypted hash table.
Go to End of map file, and Remember or record somewhere to offset. (1FC420F)
(I will it call this offset named 'Alter Hash Pos')
Spoiler:
Image

Paste it. (Ctrl+V)

Copy to all hex in block table.
Go to End of map file you modified, and remember again to offset. (1FCC20F)
(I will it call this offset named 'Alter Block Pos')
Paste it.


========== Step 8 ==========

Return to map header. (Find a '4D 50 51 1A')
Remark the header like this.
Spoiler:
Image

After finished, save and close the Hex Editor. we are no longer use hex editor.


========== Step 9 ==========

Open map to WINMPQ. (Use to 'All files(*.*)')
Execute compact(Ctrl+P), you should it.

After compact, you can see 'ladik's mpq editor' no longer display [Read-only].
Spoiler:
Image




If have any question, then reply me.


Last edited by BlacklightsC on June 26th, 2017, 8:40 pm, edited 5 times in total.

Top
 Profile  
 
PostPosted: June 20th, 2017, 8:41 am 
Offline
Senior Member
User avatar

Joined: May 15th, 2012, 6:09 pm
Posts: 177
Thanks for sharing.


Top
 Profile  
 
PostPosted: June 20th, 2017, 9:51 am 
Offline
Cheater

Joined: February 7th, 2013, 5:04 am
Posts: 170
Title: Skid
Thanks you for sharing, especially for sharing your own tool. Hope it will make our "work" easier in the future, even though we don't like to mess with HEX.


Top
 Profile  
 
PostPosted: June 20th, 2017, 6:12 pm 
Offline
Super Moderator
User avatar

Joined: March 23rd, 2016, 8:06 pm
Posts: 2112
Title: big brain
Very nice guide, this should be fixed since this method you dont have lost files.


Top
 Profile  
 
PostPosted: June 28th, 2017, 5:54 pm 
Offline
Member
User avatar

Joined: February 22nd, 2016, 1:56 am
Posts: 60
Very good post the best I've seen until the moment I see that the lost files were solved no longer
Thank you very much !!!
My question is and I know I can be nice to do it but does this method work with any map?


Top
 Profile  
 
PostPosted: June 28th, 2017, 5:56 pm 
Offline
Member
User avatar

Joined: February 22nd, 2016, 1:56 am
Posts: 60
If a question that I forgot to say when you say that your English is bad is that by the miracle of God DX speak Spanish? XD?
Another thing when they say it completely unprotected, I hope that the triger of the abilities and everything else of it is not lost and is preserved


Top
 Profile  
 
PostPosted: June 29th, 2017, 4:53 pm 
Offline
Newcomer
User avatar

Joined: February 19th, 2015, 8:04 pm
Posts: 11
Location: Korea, Republic of
Title: Author to Cirnix
[NtP]NtP wrote:
My question is and I know I can be nice to do it but does this method work with any map?

If you talk about S/SSProtect, yes. it will work on every map.


[NtP]NtP wrote:
Another thing when they say it completely unprotected, I hope that the triger of the abilities and everything else of it is not lost and is preserved

I hope also that the recover trigger and abilities. But, that ways should be. I don't know now that ways. But, some people know how to recover thats.


Top
 Profile  
 
PostPosted: July 1st, 2017, 2:17 pm 
Offline
Senior Member
User avatar

Joined: March 30th, 2013, 12:16 pm
Posts: 170
Location: Việt Nam
Title: Umaru-chan
thanks it very usefull XD


Top
 Profile  
 
PostPosted: July 17th, 2017, 3:47 am 
Offline
Newcomer

Joined: September 5th, 2009, 7:01 am
Posts: 20
Hi I am trying to fallow this guide could anyone please provide a little bit more of a example for step 2 with screen shots or something for the calculating steps I am having issues understanding what I am supposed to be doing in this step, I am trying to deprotect the sprotect. thanks

thank you for this great guide.


Top
 Profile  
 
PostPosted: July 17th, 2017, 12:25 pm 
Offline
Cheater

Joined: February 7th, 2013, 5:04 am
Posts: 170
Title: Skid
If you can't find Head Pos, Hash/block Pos, etc. There's screenshot of example in Step 1.
Start-offset = Header Pos + Hash/Block Pos = Header Pos + Hash Pos, then do the same for Block Pos(Header Pos + Block Pos)
And google little-endian, if you don't know what it is, even though there's already example of that.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 17 posts ]  Go to page 1, 2  Next

All times are UTC


Who is online

Users browsing this forum: No registered users and 16 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group

phpBB SEO


Privacy Policy Statement
Impressum (German)