[Guide] Completely deprotect S/SSProtect

Cheatpacks and learning how to use them, as well as other guides for manipulating maps.

Moderator: Cheaters

User avatar
BlacklightsC
Newcomer
Posts: 13
Joined: February 19th, 2015, 8:04 pm
Title: Author to Cirnix
Location: Korea, Republic of

[Guide] Completely deprotect S/SSProtect

Post by BlacklightsC »

Before Start...
Firstable, my english so poor... Maybe there have some grammar error!

This guide will not use re-package.
You must know how to use hex editor.

About Protection...
Spoiler:
SProtect
Download SProtect (Support drag and drop only)
SProtect, made by T1.
Public released, so you can use to free.
Target of SProtect map is 'Masin2rpgTest0.4.w3x'
i uploaded on google drive.
if you try any map, try it.
SSProtect
Made by SSHacker.
Private released, this was need to don't click me protection tool.
so you can't get this tool on public. (even if it's me)
Target of SSProtect map is 'S R N_RPG 0.6B.w3x'
also uploaded on google drive.
Tool Required
Hex Editor (Important. Recommanded HxD)
MPQ Helper (Important)
Hex Edit Macro (I made it) (Important. If you don't want work manually)
WINMPQ (Important. It will use to compact(or optimize) MPQ)
Ladik's MPQ Editor (Optional. Only need to check completely deprotected)
listfile (Optional. If you want recovery listfile)
Windows Calculator

==================== SProtect ====================
========== Step 1 ==========
Open map to Hex Editor, Find(Ctrl+F) '4D 50 51 1A' by Hex-values. i added tooltip about MPQ Header.
Spoiler:
Image
========== Step 2 ==========
Open dialog 'Select block(Ctrl+E)'.
Select Hash/Block Table.

Calculating Steps is here.
Spoiler:
Open Windows Calculator to Programmer mode.
Change to Hex, DWORD.
Start-offset = Header Pos + Hash/Block Pos
Length = Hash/Block Size * 10

Pos and Size must read little-endian
ex. 92 E9 A7 01 -> 01 A7 E9 92 -> 0x01A7E992
Cut to Hash Table, and save it.
and copy to Block Table, save it too.

========== Step 3 ==========

Code: Select all

MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC
DragDrop Hash/Block table on 'MPQHelper.exe'.
We must decryption Hash/Block Table.
type 'dec', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create decrypted file.
Spoiler:
Image
========== Step 4 ==========
Open decrypted hash table to Hex Edit Macro.
You must modify 2steps.

Code: Select all

-- Step 1 --
Start = 8
Overwrite Value = 00 00 00 00

-- Step 2 --
Start = F
Overwrite Value = 00
After modify and save, open decrypted hash table to Hex Editor.
Open the Replace(Ctrl+R), and follow the this 2steps. (must replace all!)

Code: Select all

Datatype: Hex-values
Search direction: All
-- Step 1 --
Search for: FF FF FF FF FF FF FF FF 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

-- Step 2 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
After finished to replace, save it.

========== Step 5 ==========
Open decrypted block table to Hex Edit Macro.
You must modify only one step.

Code: Select all

Start = 2F
Overwrite Value = 80
After modify and save, open decrypted block table to Hex Editor.
Fill 0x00~0x20 to 00.
Spoiler:
Image
After finished, save it.

========== Step 6 ==========

Code: Select all

MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC
DragDrop modified Hash/Block table on 'MPQHelper.exe'.
We must re-encryption Hash/Block Table.
type 'enc', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create re-encrypted file.
Spoiler:
Image
========== Step 7 ==========
Open re-encrypted Hash/Block Table to Hex Editor.
Copy to all hex in re-encrypted hash table.
Go to End of map file, and Remember or record somewhere to offset. (1A7EB92)
(I will it call this offset named 'Alter Hash Pos')
Spoiler:
Image
Paste it. (Ctrl+V)

Copy to all hex in re-encrypted block table.
Go to End of map file you modified, and remember again to offset. (1A82B92)
(I will it call this offset named 'Alter Block Pos')
Paste it.

========== Step 8 ==========
Return to map header. (Find a '4D 50 51 1A')
Remark the header like this.
Spoiler:
Image
After finished, save and close the Hex Editor. we are no longer use hex editor.

========== Step 9 ==========
Open map to WINMPQ. (Use to 'All files(*.*)')
Execute compact(Ctrl+P), you should it.

After compact, you can see 'ladik's mpq editor' no longer display [Read-only].
Spoiler:
Image

==================== SSProtect ====================
Many things is same, i will skip same things.
(i will write same things in spoiler.)
Ps. Images are same by SProtect. i apoloze for about that.
========== Step 1 ==========
Same by SProtect. i will skip this part.
Ps. Position of '4D 50 51 1A' is different to map by map(case by case).
Spoiler:
Open map to Hex Editor, Find(Ctrl+F) '4D 50 51 1A' by Hex-values. i added tooltip about MPQ Header.
Image
========== Step 2 ==========
Open dialog 'Select block(Ctrl+E)'.
Select Hash/Block Table.
Ps. SSProtect recorded hash table size + 0x10000000 (like, XX XX XX 10)
please ignore that value. (if, value is 00 08 00 10, then read it to 00 08 00 00)

Calculating Steps is here.
Spoiler:
Open Windows Calculator to Programmer mode.
Change to Hex, DWORD.
Start-offset = Header Pos + Hash/Block Pos
Length = Hash/Block Size * 10

Pos and Size must read little-endian
ex. 14 B4 E3 FF -> FF E3 B4 14 -> 0xFFE3B414
Copy to Hash Table, and save it.
and copy to Block Table, save it too.
========== Step 3 ==========

Code: Select all

MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC
DragDrop Hash table on 'MPQHelper.exe'.
We must decryption Hash Table.
type 'dec', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create decrypted file.
Ps. SSProtect didn't modified Block Table. So, we don't touch Block Table.
Spoiler:
Image
========== Step 4 ==========
Open decrypted hash table to Hex Edit Macro.
You must modify 2steps.

Code: Select all

-- Step 1 --
Start = 8
Overwrite Value = 00 00 00 00

-- Step 2 --
Start = F
Overwrite Value = 00
After modify and save, open decrypted hash table to Hex Editor.
Open the Replace(Ctrl+R), and follow the this 2steps. (must replace all!)

Code: Select all

Datatype: Hex-values
Search direction: All
-- Step 1 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

-- Step 2 --
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
After finished to replace, save it.

========== Step 5 ==========

Code: Select all

MPQ_HASH_FILE_KEY
(hash table) = 7037AFC3
(block table) = A3B383EC
DragDrop modified Hash Table on 'MPQHelper.exe'.
We must re-encryption Hash Table.
type 'enc', and input MPQ_HASH_FILE_KEY. (Must use correct key)
then, program will create re-encrypted file.
Spoiler:
Image
========== Step 6 ==========
Return to map header. (Find a '4D 50 51 1A')
Select 0x00000200 ~ Behind Map Header
Spoiler:
Image
Delete it. You should it.
========== Step 7 ==========
Open re-encrypted Hash Table and Block Table to Hex Editor.
Copy to all hex in re-encrypted hash table.
Go to End of map file, and Remember or record somewhere to offset. (1FC420F)
(I will it call this offset named 'Alter Hash Pos')
Spoiler:
Image
Paste it. (Ctrl+V)

Copy to all hex in block table.
Go to End of map file you modified, and remember again to offset. (1FCC20F)
(I will it call this offset named 'Alter Block Pos')
Paste it.

========== Step 8 ==========
Return to map header. (Find a '4D 50 51 1A')
Remark the header like this.
Spoiler:
Image
After finished, save and close the Hex Editor. we are no longer use hex editor.

========== Step 9 ==========
Open map to WINMPQ. (Use to 'All files(*.*)')
Execute compact(Ctrl+P), you should it.

After compact, you can see 'ladik's mpq editor' no longer display [Read-only].
Spoiler:
Image

If have any question, then reply me.
Last edited by BlacklightsC on June 26th, 2017, 8:40 pm, edited 5 times in total.
User avatar
XD!
Senior Member
Posts: 156
Joined: May 15th, 2012, 6:09 pm

Re: [Guide] Completely deprotect S/SSProtect

Post by XD! »

Thanks for sharing.
Arakunido
Cheater
Posts: 185
Joined: February 7th, 2013, 5:04 am
Title: Skid

Re: [Guide] Completely deprotect S/SSProtect

Post by Arakunido »

Thanks you for sharing, especially for sharing your own tool. Hope it will make our "work" easier in the future, even though we don't like to mess with HEX.
User avatar
devoltz
Co-Admin
Posts: 3133
Joined: March 23rd, 2016, 8:06 pm
Has thanked: 11 times
Been thanked: 53 times

Re: [Guide] Completely deprotect S/SSProtect

Post by devoltz »

Very nice guide, this should be fixed since this method you dont have lost files.
User avatar
[NtP]NtP
Member
Posts: 71
Joined: February 22nd, 2016, 1:56 am
Been thanked: 2 times

Re: [Guide] Completely deprotect S/SSProtect

Post by [NtP]NtP »

Very good post the best I've seen until the moment I see that the lost files were solved no longer
Thank you very much !!!
My question is and I know I can be nice to do it but does this method work with any map?
User avatar
[NtP]NtP
Member
Posts: 71
Joined: February 22nd, 2016, 1:56 am
Been thanked: 2 times

Re: [Guide] Completely deprotect S/SSProtect

Post by [NtP]NtP »

If a question that I forgot to say when you say that your English is bad is that by the miracle of God DX speak Spanish? XD?
Another thing when they say it completely unprotected, I hope that the triger of the abilities and everything else of it is not lost and is preserved
User avatar
BlacklightsC
Newcomer
Posts: 13
Joined: February 19th, 2015, 8:04 pm
Title: Author to Cirnix
Location: Korea, Republic of

Re: [Guide] Completely deprotect S/SSProtect

Post by BlacklightsC »

[NtP]NtP wrote:My question is and I know I can be nice to do it but does this method work with any map?
If you talk about S/SSProtect, yes. it will work on every map.

[NtP]NtP wrote:Another thing when they say it completely unprotected, I hope that the triger of the abilities and everything else of it is not lost and is preserved
I hope also that the recover trigger and abilities. But, that ways should be. I don't know now that ways. But, some people know how to recover thats.
User avatar
arieschan
Senior Member
Posts: 161
Joined: March 30th, 2013, 12:16 pm
Title: Umaru-chan

Re: [Guide] Completely deprotect S/SSProtect

Post by arieschan »

thanks it very usefull XD
dmcdante1990
Newcomer
Posts: 20
Joined: September 5th, 2009, 7:01 am

Re: [Guide] Completely deprotect S/SSProtect

Post by dmcdante1990 »

Hi I am trying to fallow this guide could anyone please provide a little bit more of a example for step 2 with screen shots or something for the calculating steps I am having issues understanding what I am supposed to be doing in this step, I am trying to deprotect the sprotect. thanks

thank you for this great guide.
Arakunido
Cheater
Posts: 185
Joined: February 7th, 2013, 5:04 am
Title: Skid

Re: [Guide] Completely deprotect S/SSProtect

Post by Arakunido »

If you can't find Head Pos, Hash/block Pos, etc. There's screenshot of example in Step 1.
Start-offset = Header Pos + Hash/Block Pos = Header Pos + Hash Pos, then do the same for Block Pos(Header Pos + Block Pos)
And google little-endian, if you don't know what it is, even though there's already example of that.