This is a rewritten guide from [Guide] Completely deprotect S/SSProtect because it was hard to understand also it wasn't well written. So, here we go.
- What's a Hash Table?
- Hash table is the base table for searching files inside MPQs.
- For every file in the MPQ, block table contains offset of the file in the MPQ, file size, compressed size and file flags.
- Little-endian is an order in which the "little end" (least significant byte value in the sequence) is stored first.
Last but not least the tools you'll need to unhex the maps:
SProtection
- → This is the map we will remove the SProtection: Masin2rpgTest0.4.w3x
Spoiler:
- Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
Now we need to find the HASH TABLE and BLOCK TABLE.
(Use that image as a reference)HASH TABLE
- First off let's 'transform' all these values to LITTLE ENDIAN: 92 E9 A7 01 | 00 04 00 00
- LITTLE ENDIAN's form: 01 A7 E9 92 | 00 00 04 00
1) START-OFFSET & LENGTH VALUES:
NOTE: Don't forget to set your Windows calculator to DWORD.
- 1.1) To find the START-OFFSET of the HASH TABLE:
HASH POS + HEADER POS (01 A7 E9 92 + 200) = 1 A7 EB 92
- 1.2) To find the LENGTH of the HASH TABLE:
HASH SIZE * 10 (4 00[400] * 10) = 4000
2) HASH TABLE ITSELF:
- 2.1) Press CTRL + E and use the START-OFFSET(1 A7 EB 92) and the LENGTH(4000) values;
2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE.
Spoiler:
3) Decrypting the HASH TABLE FILE with MQPHelper:HASH TABLE CODE = 7037AFC3
(Use that value to decrypt/encrypt)- 3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:
- 4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
- 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
3-) Save the modified file.
- 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
Spoiler:
5) Editing the MODIFIED HASH TABLE in HxD:
- 5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
5.2) Press CTRL + R and configure it like so:
Datatype: Hex-values
Search direction: All
5.3) Now do the following steps:- ▬ First step ▬:
Search for: FF FF FF FF FF FF FF FF 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
Then click on Replace all.
---------------------------------------------------------------------
▬ Second step ▬:
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Then click on Replace all.
- ▬ First step ▬:
Spoiler:
6) Encrypting the MODIFIED HASH TABLE with MQPHelper:
- 6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
- First off let's 'transform' all these values to LITTLE ENDIAN: 92 E9 A7 01 | 00 04 00 00
Spoiler:
BLOCK TABLE
- First off let's 'transform' all these values to LITTLE ENDIAN: 00 00 00 00 | 94 02 00 00
- LITTLE ENDIAN's form: 00 00 00 00 | 00 00 02 94
- 1) START-OFFSET & LENGTH VALUES:
NOTE: Don't forget to set your Windows calculator to DWORD.
- To find the START-OFFSET of the BLOCK TABLE:
BLOCK POS + HEADER POS (0 + 200) = 200
- To find the LENGTH of the BLOCK TABLE:
BLOCK SIZE * 10 (2 94[294] * 10) = 2940
2) BLOCK TABLE ITSELF:
- 2.1) Press CTRL + E and use the START-OFFSET(200) and the LENGTH(2940) values.
2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE
Spoiler:
3) Decrypting the BLOCK TABLE FILE with MQPHelper:BLOCK TABLE CODE = A3B383EC
(Use that value to decrypt/encrypt)- 3.1) Drag and drop the BLOCK TABLE FILE into MPQHelper.exe;
3.2) Type: dec, input the BLOCK TABLE CODE (A3B383EC) and press enter.
Spoiler:
4) Editing the DECRYPTED BLOCK TABLE in Hex Edit Macro:
- 4.1) Open up Hex Edit Macro, load the DECRYPTED BLOCK TABLE, now do the following steps:
- 1-) Set START VALUE to 2F and set THE OVERWRITE VALUE to 80 and just then press Modify;
2-) Save the modified file.
- 1-) Set START VALUE to 2F and set THE OVERWRITE VALUE to 80 and just then press Modify;
Spoiler:
5) Editing the MODIFIED BLOCK TABLE in HxD:
- 5.1) Open up the MODIFIED BLOCK TABLE in HxD;
5.2) Change all the values of the first and second line to 00
5.3) Save the changes made.
Spoiler:
6) Encrypting the MODIFIED BLOCK TABLE with MQPHelper:
- 6.1) Drag and drop the MODIFIED BLOCK TABLE into MPQHelper.exe;
6.2) Type: enc, input the BLOCK TABLE CODE (A3B383EC) and press enter.
- To find the START-OFFSET of the BLOCK TABLE:
Spoiler:
Removing SProtection
First open up the following files in HxD:
- Masin2rpgTest0.4.w3x
ENCRYPTED HASH TABLE
ENCRYPTED BLOCK TABLE
- 1) Reinserting the ENCRYPTED HASH TABLE:
- 1.1) Go to the end of the map file and save the hash table's offset value (1 A8 2B 92) somewhere;
1.3) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
Spoiler:
2) Reinserting the ENCRYPTED BLOCK TABLE:
- 2.1) Go to the end of the map file and save the block table's offset value (1 A8 6B 92) somewhere;
2.3) Copy all the data from ENCRYPTED BLOCK TABLE FILE and paste into the map file.
Spoiler:
3) Actual hash table pos:- 3.1) To find the actual hash pos:
HASH TABLE'S OFFSET - HEADER POS (1 A8 2B 92 - 200) = 1 A8 29 92
3.2) Now transform the actual hash pos to LITTLE ENDIAN:
92 29 A8 01
4) Actual block table pos:- 4.1) To find the actual block pos:
BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 A8 69 92
4.2) Now transform the actual block pos to LITTLE ENDIAN:
92 69 A8 01
Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.
5) Changing the map header:- 5.1) Fill the first line of the map header like this:
5.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
5.3) Save the map and test it in Ladik's MPQ Editor
- 1.1) Go to the end of the map file and save the hash table's offset value (1 A8 2B 92) somewhere;
SProtect has been removed!
Spoiler:
SSProtection
- → This is the map we will remove the SSProtection: S R N_RPG 0.6B.w3x
Spoiler:
- Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
Now we need to find the HASH TABLE and BLOCK TABLE.
(Use that image as a reference)
HASH TABLE
NOTE: Where's 00 08 00 10 read as 00 08 00 00.
- First off let's 'transform' all these values to LITTLE ENDIAN: 14 B4 E3 FF | 00 08 00 00
- LITTLE ENDIAN's form: FF E3 B4 14 | 00 00 08 00
1) START-OFFSET & LENGTH VALUES:
NOTE: Don't forget to set your Windows calculator to DWORD.
- 1.1) To find the START-OFFSET of the HASH TABLE:
HASH POS + HEADER POS (FF E3 B4 14 + 1C4E00) = 214
- 1.2) To find the LENGTH of the HASH TABLE:
HASH SIZE * 10 (8 00[800] * 10) = 8000
2) HASH TABLE ITSELF:
- 2.1) Press CTRL + E and use the START-OFFSET(214) and the LENGTH(8000) values.
2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE
Spoiler:
3) Decrypting the HASH TABLE FILE with MQPHelper:HASH TABLE CODE = 7037AFC3
(Use that value to decrypt/encrypt)- 3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:
- 4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
- 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
3-) Save the modified file.
- 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
Spoiler:
5) Editing the MODIFIED HASH TABLE in HxD:
- 5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
5.2) Press CTRL + R and configure it like so:
Datatype: Hex-values
Search direction: All
5.3) Now do the following steps:- ▬ First step ▬:
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 FE FF FF 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
Then click on Replace all.
---------------------------------------------------------------------
▬ Second step ▬:
Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Then click on Replace all.
- ▬ First step ▬:
Spoiler:
6) Encrypting the MODIFIED HASH TABLE with MQPHelper:
- 6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
- First off let's 'transform' all these values to LITTLE ENDIAN: 14 B4 E3 FF | 00 08 00 00
Spoiler:
BLOCK TABLE
- First off let's 'transform' all these values to LITTLE ENDIAN: 16 FC E4 FF | 06 04 00 00
- LITTLE ENDIAN's form: FF E4 FC 16 | 00 00 04 06
- 1) START-OFFSET & LENGTH VALUES:
NOTE: Don't forget to set your Windows calculator to DWORD.
- To find the START-OFFSET of the BLOCK TABLE:
BLOCK POS + HEADER POS (FF E4 FC 16 + 1C4E00) = 1 4A 16
- To find the LENGTH of the BLOCK TABLE:
BLOCK SIZE * 10 (4 06[406] * 10) = 4060
2) BLOCK TABLE ITSELF:
- 2.1) Press CTRL + E and use the START-OFFSET(1 4A 16) and the LENGTH(4060) values.
2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE
Spoiler: - To find the START-OFFSET of the BLOCK TABLE:
Removing SSProtection
First open up the following files in HxD:
- S R N_RPG 0.6B.w3x
ENCRYPTED HASH TABLE
BLOCK TABLE
- 1) Removing MPQ's corrupted data:
- 1.1) Search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values;
1.2) Left click before 0B (check gif);
1.3) Press CTRL + E and set the start-offset to 200;
1.4) Remove all these selected datas.
Spoiler:
2) Reinserting the ENCRYPTED HASH TABLE:
- 2.1) Go to the end of the map file and save the hash table's offset value (1 FC 42 0F) somewhere;
2.2) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
Spoiler:
3) Reinserting the BLOCK TABLE:
- 3.1) Go to the end of the map file and save the block table's offset value (1 FC C2 0F) somewhere;
3.2) Copy all the data from BLOCK TABLE FILE and paste into the map file.
Spoiler:
4) Actual hash table pos:
- 4.1) To find the actual hash pos:
HASH TABLE'S OFFSET - HEADER POS (1 FC 42 0F - 200) = 1 FC 40 0F
4.2) Now transform the actual hash pos to LITTLE ENDIAN:
0F 40 FC 01
5) Actual block table pos:
- 5.1) To find the actual block pos:
BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 FC C0 0F
5.2) Now transform the actual block pos to LITTLE ENDIAN:
0F C0 FC 01
Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.
6) Changing the map header:
- 6.1) Fill the first line of the map header and the hash size like this:
6.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
6.3) Save the map and test it in Ladik's MPQ Editor.
- 1.1) Search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values;
SSProtect has been removed!
Spoiler:
