wc3edit.net

United Warcraft 3 map hacking!
It is currently March 28th, 2024, 9:06 pm

All times are UTC




Post new topic Reply to topic  [ 32 posts ]  Go to page 1, 2, 3, 4  Next
Author Message
PostPosted: April 5th, 2018, 4:48 am 
Offline
Also Not an Admin, but closer than devoltz
User avatar

Joined: February 14th, 2018, 5:35 am
Posts: 1791
Title: Just Another S.Mod
Hello.

This is a rewritten guide from [Guide] Completely deprotect S/SSProtect because it was hard to understand also it wasn't well written. So, here we go.

Image


Before we get started, there are some stuffs you should know about:

- What's a Hash Table?
    Hash table is the base table for searching files inside MPQs.

- What's a Block Table?
    For every file in the MPQ, block table contains offset of the file in the MPQ, file size, compressed size and file flags.

- What's little-endian?
    Little-endian is an order in which the "little end" (least significant byte value in the sequence) is stored first.


Last but not least the tools you'll need to unhex the maps:

SProtection




Spoiler:
Image


    Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
    Image

    Now we need to find the HASH TABLE and BLOCK TABLE.

    Image

    (Use that image as a reference)


    HASH TABLE


      First off let's 'transform' all these values to LITTLE ENDIAN: 92 E9 A7 01 | 00 04 00 00
        LITTLE ENDIAN's form: 01 A7 E9 92 | 00 00 04 00



    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.

      1.1) To find the START-OFFSET of the HASH TABLE:
      HASH POS + HEADER POS (01 A7 E9 92 + 200) = 1 A7 EB 92

      1.2) To find the LENGTH of the HASH TABLE:
      HASH SIZE * 10 (4 00[400] * 10) = 4000



    2) HASH TABLE ITSELF:

      2.1) Press CTRL + E and use the START-OFFSET(1 A7 EB 92) and the LENGTH(4000) values;
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE.
    Spoiler:
    Image



    3) Decrypting the HASH TABLE FILE with MQPHelper:
    HASH TABLE CODE = 7037AFC3
    (Use that value to decrypt/encrypt)


      3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
    Spoiler:
    Image



    4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:

      4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
        1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
        2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
        3-) Save the modified file.
    Spoiler:
    Image



    5) Editing the MODIFIED HASH TABLE in HxD:

      5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
      5.2) Press CTRL + R and configure it like so:
      Datatype: Hex-values
      Search direction: All
      5.3) Now do the following steps:
        ▬ First step ▬:
        Search for: FF FF FF FF FF FF FF FF 00 00 00 00 FE FF FF 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
        Then click on Replace all.
        ---------------------------------------------------------------------
        ▬ Second step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        Then click on Replace all.
      5.4) Save all the changes made.
    Spoiler:
    Image



    6) Encrypting the MODIFIED HASH TABLE with MQPHelper:

      6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
      6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
Image



BLOCK TABLE


    First off let's 'transform' all these values to LITTLE ENDIAN: 00 00 00 00 | 94 02 00 00
      LITTLE ENDIAN's form: 00 00 00 00 | 00 00 02 94



    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.

      To find the START-OFFSET of the BLOCK TABLE:
      BLOCK POS + HEADER POS (0 + 200) = 200

      To find the LENGTH of the BLOCK TABLE:
      BLOCK SIZE * 10 (2 94[294] * 10) = 2940



    2) BLOCK TABLE ITSELF:

      2.1) Press CTRL + E and use the START-OFFSET(200) and the LENGTH(2940) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE
    Spoiler:
    Image



    3) Decrypting the BLOCK TABLE FILE with MQPHelper:
    BLOCK TABLE CODE = A3B383EC
    (Use that value to decrypt/encrypt)


      3.1) Drag and drop the BLOCK TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the BLOCK TABLE CODE (A3B383EC) and press enter.
    Spoiler:
    Image



    4) Editing the DECRYPTED BLOCK TABLE in Hex Edit Macro:

      4.1) Open up Hex Edit Macro, load the DECRYPTED BLOCK TABLE, now do the following steps:
        1-) Set START VALUE to 2F and set THE OVERWRITE VALUE to 80 and just then press Modify;
        2-) Save the modified file.
    Spoiler:
    Image



    5) Editing the MODIFIED BLOCK TABLE in HxD:

      5.1) Open up the MODIFIED BLOCK TABLE in HxD;
      5.2) Change all the values of the first and second line to 00
      5.3) Save the changes made.
    Spoiler:
    Image



    6) Encrypting the MODIFIED BLOCK TABLE with MQPHelper:

      6.1) Drag and drop the MODIFIED BLOCK TABLE into MPQHelper.exe;
      6.2) Type: enc, input the BLOCK TABLE CODE (A3B383EC) and press enter.
Spoiler:
Image



Removing SProtection


First open up the following files in HxD:
    Masin2rpgTest0.4.w3x
    ENCRYPTED HASH TABLE
    ENCRYPTED BLOCK TABLE



    1) Reinserting the ENCRYPTED HASH TABLE:

      1.1) Go to the end of the map file and save the hash table's offset value (1 A8 2B 92) somewhere;
      1.3) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
    Spoiler:
    Image



    2) Reinserting the ENCRYPTED BLOCK TABLE:

      2.1) Go to the end of the map file and save the block table's offset value (1 A8 6B 92) somewhere;
      2.3) Copy all the data from ENCRYPTED BLOCK TABLE FILE and paste into the map file.
    Spoiler:
    Image



    3) Actual hash table pos:
      3.1) To find the actual hash pos:
      HASH TABLE'S OFFSET - HEADER POS (1 A8 2B 92 - 200) = 1 A8 29 92
      3.2) Now transform the actual hash pos to LITTLE ENDIAN:
      92 29 A8 01



    4) Actual block table pos:
      4.1) To find the actual block pos:
      BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 A8 69 92
      4.2) Now transform the actual block pos to LITTLE ENDIAN:
      92 69 A8 01



    Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.



    5) Changing the map header:
      5.1) Fill the first line of the map header like this:
      Image
      5.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
      Image
      5.3) Save the map and test it in Ladik's MPQ Editor


SProtect has been removed!
Spoiler:
Image




SSProtection




Spoiler:
Image


    Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
    Image

    Now we need to find the HASH TABLE and BLOCK TABLE.

    Image

    (Use that image as a reference)



    HASH TABLE


    NOTE: Where's 00 08 00 10 read as 00 08 00 00.

      First off let's 'transform' all these values to LITTLE ENDIAN: 14 B4 E3 FF | 00 08 00 00
        LITTLE ENDIAN's form: FF E3 B4 14 | 00 00 08 00



    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.

      1.1) To find the START-OFFSET of the HASH TABLE:
      HASH POS + HEADER POS (FF E3 B4 14 + 1C4E00) = 214

      1.2) To find the LENGTH of the HASH TABLE:
      HASH SIZE * 10 (8 00[800] * 10) = 8000



    2) HASH TABLE ITSELF:

      2.1) Press CTRL + E and use the START-OFFSET(214) and the LENGTH(8000) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE
    Spoiler:
    Image



    3) Decrypting the HASH TABLE FILE with MQPHelper:
    HASH TABLE CODE = 7037AFC3
    (Use that value to decrypt/encrypt)


      3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
    Spoiler:
    Image



    4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:

      4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
        1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
        2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
        3-) Save the modified file.
    Spoiler:
    Image



    5) Editing the MODIFIED HASH TABLE in HxD:

      5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
      5.2) Press CTRL + R and configure it like so:
      Datatype: Hex-values
      Search direction: All
      5.3) Now do the following steps:
        ▬ First step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 FE FF FF 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
        Then click on Replace all.
        ---------------------------------------------------------------------
        ▬ Second step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        Then click on Replace all.
      5.4) Save all the changes made.
    Spoiler:
    Image



    6) Encrypting the MODIFIED HASH TABLE with MQPHelper:

      6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
      6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
Image



BLOCK TABLE


    First off let's 'transform' all these values to LITTLE ENDIAN: 16 FC E4 FF | 06 04 00 00
      LITTLE ENDIAN's form: FF E4 FC 16 | 00 00 04 06



    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.

      To find the START-OFFSET of the BLOCK TABLE:
      BLOCK POS + HEADER POS (FF E4 FC 16 + 1C4E00) = 1 4A 16

      To find the LENGTH of the BLOCK TABLE:
      BLOCK SIZE * 10 (4 06[406] * 10) = 4060



    2) BLOCK TABLE ITSELF:

      2.1) Press CTRL + E and use the START-OFFSET(1 4A 16) and the LENGTH(4060) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE

    NOTE: SSProtect doesn't change anything in Block Table so isn't necessary to decrypt etc. Just let it as it is.
    Spoiler:
    Image





Removing SSProtection


First open up the following files in HxD:
    S R N_RPG 0.6B.w3x
    ENCRYPTED HASH TABLE
    BLOCK TABLE

    1) Removing MPQ's corrupted data:

      1.1) Search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values;
      1.2) Left click before 0B (check gif);
      1.3) Press CTRL + E and set the start-offset to 200;
      1.4) Remove all these selected datas.
    Spoiler:
    Image



    2) Reinserting the ENCRYPTED HASH TABLE:

      2.1) Go to the end of the map file and save the hash table's offset value (1 FC 42 0F) somewhere;
      2.2) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
    Spoiler:
    Image



    3) Reinserting the BLOCK TABLE:

      3.1) Go to the end of the map file and save the block table's offset value (1 FC C2 0F) somewhere;
      3.2) Copy all the data from BLOCK TABLE FILE and paste into the map file.
    Spoiler:
    Image



    4) Actual hash table pos:

      4.1) To find the actual hash pos:
      HASH TABLE'S OFFSET - HEADER POS (1 FC 42 0F - 200) = 1 FC 40 0F
      4.2) Now transform the actual hash pos to LITTLE ENDIAN:
      0F 40 FC 01



    5) Actual block table pos:

      5.1) To find the actual block pos:
      BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 FC C0 0F
      5.2) Now transform the actual block pos to LITTLE ENDIAN:
      0F C0 FC 01



    Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.



    6) Changing the map header:

      6.1) Fill the first line of the map header and the hash size like this:
      Image
      Image
      6.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
      Image
      6.3) Save the map and test it in Ladik's MPQ Editor.


SSProtect has been removed!
Spoiler:
Image


Top
 Profile  
 
PostPosted: April 5th, 2018, 1:10 pm 
Offline
Forum Staff
User avatar

Joined: March 23rd, 2016, 8:06 pm
Posts: 3236
Nicely done.


Top
 Profile  
 
PostPosted: April 5th, 2018, 3:29 pm 
Offline
Also Not an Admin, but closer than devoltz
User avatar

Joined: February 14th, 2018, 5:35 am
Posts: 1791
Title: Just Another S.Mod
devoltz wrote:
Nicely done.


Thanks! If you have any suggestions please let me know.


Top
 Profile  
 
PostPosted: April 5th, 2018, 7:05 pm 
Offline
Shopping Maul USA Creator
User avatar

Joined: January 18th, 2007, 11:07 am
Posts: 1992
Location: Calgary Canada
Title: No Comment
so many EEEs and FFFs


Top
 Profile  
 
PostPosted: April 5th, 2018, 10:06 pm 
Offline
Also Not an Admin, but closer than devoltz
User avatar

Joined: February 14th, 2018, 5:35 am
Posts: 1791
Title: Just Another S.Mod
Indeed... it's really annoying.


Top
 Profile  
 
PostPosted: April 6th, 2018, 5:38 pm 
Offline
Tyrannical Drama Queen
User avatar

Joined: November 19th, 2007, 5:05 am
Posts: 5014
Vegas wrote:
so many EEEs and FFFs


The joys of working in base 16.


Top
 Profile  
 
PostPosted: April 6th, 2018, 6:59 pm 
Offline
Newcomer

Joined: April 6th, 2018, 11:32 am
Posts: 3
Thank you for this great Guide.I have just few questions,is the part of Hash Table Code =7037AFC3 works for all maps with sprotection?,also is there a guide for Spazzler protection?


Top
 Profile  
 
PostPosted: April 6th, 2018, 7:13 pm 
Offline
Also Not an Admin, but closer than devoltz
User avatar

Joined: February 14th, 2018, 5:35 am
Posts: 1791
Title: Just Another S.Mod
Yeah, it works for all maps. About Spazzler, it's not necessary to unhex. You just need to use the MPQ for KR, CN & Normal Read-Only in the attachments from this thread here:
deprotection-cheating-f64/insert-a-cp-cc-enable-sp-deprotect-rc-t34777.html


Top
 Profile  
 
PostPosted: April 7th, 2018, 12:02 pm 
Offline
Newcomer

Joined: April 6th, 2018, 11:32 am
Posts: 3
Thank you very much.I tested the tool and it works.i never succeed to inject cheat pack in a map (I don't know why it always don't open in Warcraft 3) so i just modified some msg to see if it works. Your Guides are really too great i hope you make more in future. Thank you again


Top
 Profile  
 
PostPosted: April 7th, 2018, 1:04 pm 
Offline
Also Not an Admin, but closer than devoltz
User avatar

Joined: February 14th, 2018, 5:35 am
Posts: 1791
Title: Just Another S.Mod
I'm glad that I could help you out. Thank you and you're welcome.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 32 posts ]  Go to page 1, 2, 3, 4  Next

All times are UTC


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group

phpBB SEO


Privacy Policy Statement
Impressum (German)