[GUIDE] How to remove SProtect & SSProtect

Cheatpacks and learning how to use them, as well as other guides for manipulating maps.

Moderator: Cheaters

User avatar
nuzamacuxe
Also Not an Admin, but closer than devoltz
Posts: 1655
Joined: February 14th, 2018, 5:35 am
Title: Just Another S.Mod
Been thanked: 6 times

[GUIDE] How to remove SProtect & SSProtect

Post by nuzamacuxe »

Hello.

This is a rewritten guide from [Guide] Completely deprotect S/SSProtect because it was hard to understand also it wasn't well written. So, here we go.
Image
Before we get started, there are some stuffs you should know about:

- What's a Hash Table?
  • Hash table is the base table for searching files inside MPQs.
- What's a Block Table?
  • For every file in the MPQ, block table contains offset of the file in the MPQ, file size, compressed size and file flags.
- What's little-endian?
  • Little-endian is an order in which the "little end" (least significant byte value in the sequence) is stored first.

Last but not least the tools you'll need to unhex the maps:
SProtection

Spoiler:
Image
  • Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
    Image

    Now we need to find the HASH TABLE and BLOCK TABLE.
    Image
    (Use that image as a reference)
    HASH TABLE

    • First off let's 'transform' all these values to LITTLE ENDIAN: 92 E9 A7 01 | 00 04 00 00
      • LITTLE ENDIAN's form: 01 A7 E9 92 | 00 00 04 00


    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.
    • 1.1) To find the START-OFFSET of the HASH TABLE:
      HASH POS + HEADER POS (01 A7 E9 92 + 200) = 1 A7 EB 92
    • 1.2) To find the LENGTH of the HASH TABLE:
      HASH SIZE * 10 (4 00[400] * 10) = 4000


    2) HASH TABLE ITSELF:
    • 2.1) Press CTRL + E and use the START-OFFSET(1 A7 EB 92) and the LENGTH(4000) values;
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE.
    Spoiler:
    Image

    3) Decrypting the HASH TABLE FILE with MQPHelper:
    HASH TABLE CODE = 7037AFC3
    (Use that value to decrypt/encrypt)
    • 3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
    Spoiler:
    Image

    4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:
    • 4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
      • 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
        2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
        3-) Save the modified file.
    Spoiler:
    Image

    5) Editing the MODIFIED HASH TABLE in HxD:
    • 5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
      5.2) Press CTRL + R and configure it like so:
      Datatype: Hex-values
      Search direction: All
      5.3) Now do the following steps:
      • ▬ First step ▬:
        Search for: FF FF FF FF FF FF FF FF 00 00 00 00 FE FF FF 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
        Then click on Replace all.
        ---------------------------------------------------------------------
        ▬ Second step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        Then click on Replace all.
      5.4) Save all the changes made.
    Spoiler:
    Image

    6) Encrypting the MODIFIED HASH TABLE with MQPHelper:
    • 6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
      6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
Image

BLOCK TABLE

  • First off let's 'transform' all these values to LITTLE ENDIAN: 00 00 00 00 | 94 02 00 00
    • LITTLE ENDIAN's form: 00 00 00 00 | 00 00 02 94

  • 1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.
    • To find the START-OFFSET of the BLOCK TABLE:
      BLOCK POS + HEADER POS (0 + 200) = 200
    • To find the LENGTH of the BLOCK TABLE:
      BLOCK SIZE * 10 (2 94[294] * 10) = 2940


    2) BLOCK TABLE ITSELF:
    • 2.1) Press CTRL + E and use the START-OFFSET(200) and the LENGTH(2940) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE
    Spoiler:
    Image

    3) Decrypting the BLOCK TABLE FILE with MQPHelper:
    BLOCK TABLE CODE = A3B383EC
    (Use that value to decrypt/encrypt)
    • 3.1) Drag and drop the BLOCK TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the BLOCK TABLE CODE (A3B383EC) and press enter.
    Spoiler:
    Image

    4) Editing the DECRYPTED BLOCK TABLE in Hex Edit Macro:
    • 4.1) Open up Hex Edit Macro, load the DECRYPTED BLOCK TABLE, now do the following steps:
      • 1-) Set START VALUE to 2F and set THE OVERWRITE VALUE to 80 and just then press Modify;
        2-) Save the modified file.
    Spoiler:
    Image

    5) Editing the MODIFIED BLOCK TABLE in HxD:
    • 5.1) Open up the MODIFIED BLOCK TABLE in HxD;
      5.2) Change all the values of the first and second line to 00
      5.3) Save the changes made.
    Spoiler:
    Image

    6) Encrypting the MODIFIED BLOCK TABLE with MQPHelper:
    • 6.1) Drag and drop the MODIFIED BLOCK TABLE into MPQHelper.exe;
      6.2) Type: enc, input the BLOCK TABLE CODE (A3B383EC) and press enter.
Spoiler:
Image
Removing SProtection
First open up the following files in HxD:
  • Masin2rpgTest0.4.w3x
    ENCRYPTED HASH TABLE
    ENCRYPTED BLOCK TABLE

  • 1) Reinserting the ENCRYPTED HASH TABLE:
    • 1.1) Go to the end of the map file and save the hash table's offset value (1 A8 2B 92) somewhere;
      1.3) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
    Spoiler:
    Image

    2) Reinserting the ENCRYPTED BLOCK TABLE:
    • 2.1) Go to the end of the map file and save the block table's offset value (1 A8 6B 92) somewhere;
      2.3) Copy all the data from ENCRYPTED BLOCK TABLE FILE and paste into the map file.
    Spoiler:
    Image

    3) Actual hash table pos:
    • 3.1) To find the actual hash pos:
      HASH TABLE'S OFFSET - HEADER POS (1 A8 2B 92 - 200) = 1 A8 29 92
      3.2) Now transform the actual hash pos to LITTLE ENDIAN:
      92 29 A8 01


    4) Actual block table pos:
    • 4.1) To find the actual block pos:
      BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 A8 69 92
      4.2) Now transform the actual block pos to LITTLE ENDIAN:
      92 69 A8 01


    Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.



    5) Changing the map header:
    • 5.1) Fill the first line of the map header like this:
      Image
      5.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
      Image
      5.3) Save the map and test it in Ladik's MPQ Editor

SProtect has been removed!
Spoiler:
Image

SSProtection

Spoiler:
Image
  • Open up HxD and search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values
    Image

    Now we need to find the HASH TABLE and BLOCK TABLE.
    Image
    (Use that image as a reference)

    HASH TABLE


    NOTE: Where's 00 08 00 10 read as 00 08 00 00.
    • First off let's 'transform' all these values to LITTLE ENDIAN: 14 B4 E3 FF | 00 08 00 00
      • LITTLE ENDIAN's form: FF E3 B4 14 | 00 00 08 00


    1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.
    • 1.1) To find the START-OFFSET of the HASH TABLE:
      HASH POS + HEADER POS (FF E3 B4 14 + 1C4E00) = 214
    • 1.2) To find the LENGTH of the HASH TABLE:
      HASH SIZE * 10 (8 00[800] * 10) = 8000


    2) HASH TABLE ITSELF:
    • 2.1) Press CTRL + E and use the START-OFFSET(214) and the LENGTH(8000) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the HASH TABLE FILE
    Spoiler:
    Image

    3) Decrypting the HASH TABLE FILE with MQPHelper:
    HASH TABLE CODE = 7037AFC3
    (Use that value to decrypt/encrypt)
    • 3.1) Drag and drop the HASH TABLE FILE into MPQHelper.exe;
      3.2) Type: dec, input the HASH TABLE CODE (7037AFC3) and press enter.
    Spoiler:
    Image

    4) Editing the DECRYPTED HASH TABLE in Hex Edit Macro:
    • 4.1) Open up Hex Edit Macro, load the DECRYPTED HASH TABLE, now do the following steps:
      • 1-) Set START VALUE to 8 and set THE OVERWRITE VALUE to 00 00 00 00 and just then press Modify;
        2-) Set START VALUE with an F and set THE OVERWRITE VALUE to 00 and just then press Modify again;
        3-) Save the modified file.
    Spoiler:
    Image

    5) Editing the MODIFIED HASH TABLE in HxD:
    • 5.1) Open up the MODIFIED HASH TABLE FILE in HxD;
      5.2) Press CTRL + R and configure it like so:
      Datatype: Hex-values
      Search direction: All
      5.3) Now do the following steps:
      • ▬ First step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 FE FF FF 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
        Then click on Replace all.
        ---------------------------------------------------------------------
        ▬ Second step ▬:
        Search for: EE EE EE EE EE EE EE EE 00 00 00 00 EE EE EE 00
        Replace with: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        Then click on Replace all.
      5.4) Save all the changes made.
    Spoiler:
    Image

    6) Encrypting the MODIFIED HASH TABLE with MQPHelper:
    • 6.1) Drag and drop the MODIFIED HASH TABLE into MPQHelper.exe;
      6.2) Type: enc, input the HASH TABLE CODE (7037AFC3) and press enter.
Spoiler:
Image

BLOCK TABLE

  • First off let's 'transform' all these values to LITTLE ENDIAN: 16 FC E4 FF | 06 04 00 00
    • LITTLE ENDIAN's form: FF E4 FC 16 | 00 00 04 06

  • 1) START-OFFSET & LENGTH VALUES:

    NOTE: Don't forget to set your Windows calculator to DWORD.
    • To find the START-OFFSET of the BLOCK TABLE:
      BLOCK POS + HEADER POS (FF E4 FC 16 + 1C4E00) = 1 4A 16
    • To find the LENGTH of the BLOCK TABLE:
      BLOCK SIZE * 10 (4 06[406] * 10) = 4060


    2) BLOCK TABLE ITSELF:
    • 2.1) Press CTRL + E and use the START-OFFSET(1 4A 16) and the LENGTH(4060) values.
      2.2) Copy the selected code, press CTRL + N to create a new file, paste the code and save the BLOCK TABLE FILE
    NOTE: SSProtect doesn't change anything in Block Table so isn't necessary to decrypt etc. Just let it as it is.
    Spoiler:
    Image
Removing SSProtection
First open up the following files in HxD:
  • S R N_RPG 0.6B.w3x
    ENCRYPTED HASH TABLE
    BLOCK TABLE
  • 1) Removing MPQ's corrupted data:
    • 1.1) Search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values;
      1.2) Left click before 0B (check gif);
      1.3) Press CTRL + E and set the start-offset to 200;
      1.4) Remove all these selected datas.
    Spoiler:
    Image

    2) Reinserting the ENCRYPTED HASH TABLE:
    • 2.1) Go to the end of the map file and save the hash table's offset value (1 FC 42 0F) somewhere;
      2.2) Copy all the data from ENCRYPTED HASH TABLE FILE and paste into the map file.
    Spoiler:
    Image

    3) Reinserting the BLOCK TABLE:
    • 3.1) Go to the end of the map file and save the block table's offset value (1 FC C2 0F) somewhere;
      3.2) Copy all the data from BLOCK TABLE FILE and paste into the map file.
    Spoiler:
    Image

    4) Actual hash table pos:
    • 4.1) To find the actual hash pos:
      HASH TABLE'S OFFSET - HEADER POS (1 FC 42 0F - 200) = 1 FC 40 0F
      4.2) Now transform the actual hash pos to LITTLE ENDIAN:
      0F 40 FC 01


    5) Actual block table pos:
    • 5.1) To find the actual block pos:
      BLOCK TABLE'S OFFSET - HEADER POS (1 A8 6B 92 - 200) = 1 FC C0 0F
      5.2) Now transform the actual block pos to LITTLE ENDIAN:
      0F C0 FC 01


    Now search for (CTRL + F) 4D 50 51 1A with Datatype set to: Hex-values again.



    6) Changing the map header:
    • 6.1) Fill the first line of the map header and the hash size like this:
      Image
      Image
      6.2) Change the HASH POS and BLOCK POS to the respective actual hash and actual block pos (both in LITTLE ENDIAN);
      Image
      6.3) Save the map and test it in Ladik's MPQ Editor.

SSProtect has been removed!
Spoiler:
Image
User avatar
devoltz
Co-Admin
Posts: 3133
Joined: March 23rd, 2016, 8:06 pm
Has thanked: 11 times
Been thanked: 53 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by devoltz »

Nicely done.
User avatar
nuzamacuxe
Also Not an Admin, but closer than devoltz
Posts: 1655
Joined: February 14th, 2018, 5:35 am
Title: Just Another S.Mod
Been thanked: 6 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by nuzamacuxe »

devoltz wrote:Nicely done.
Thanks! If you have any suggestions please let me know.
User avatar
Vegas
Shopping Maul USA Creator
Posts: 1766
Joined: January 18th, 2007, 11:07 am
Title: No Comment
Location: Calgary Canada
Has thanked: 50 times
Been thanked: 8 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by Vegas »

so many EEEs and FFFs
User avatar
nuzamacuxe
Also Not an Admin, but closer than devoltz
Posts: 1655
Joined: February 14th, 2018, 5:35 am
Title: Just Another S.Mod
Been thanked: 6 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by nuzamacuxe »

Indeed... it's really annoying.
User avatar
Bartimaeus
Tyrannical Drama Queen
Posts: 4430
Joined: November 19th, 2007, 5:05 am
Been thanked: 2 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by Bartimaeus »

Vegas wrote:so many EEEs and FFFs
The joys of working in base 16.
amr_salah
Newcomer
Posts: 3
Joined: April 6th, 2018, 11:32 am
Title: Premier Сasual Datin
Location: Usa

Re: [GUIDE] How to remove SProtect & SSProtect

Post by amr_salah »

Thank you for this great Guide.I have just few questions,is the part of Hash Table Code =7037AFC3 works for all maps with sprotection?,also is there a guide for Spazzler protection?
User avatar
nuzamacuxe
Also Not an Admin, but closer than devoltz
Posts: 1655
Joined: February 14th, 2018, 5:35 am
Title: Just Another S.Mod
Been thanked: 6 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by nuzamacuxe »

Yeah, it works for all maps. About Spazzler, it's not necessary to unhex. You just need to use the MPQ for KR, CN & Normal Read-Only in the attachments from this thread here:
deprotection-cheating-f64/insert-a-cp-c ... 34777.html
amr_salah
Newcomer
Posts: 3
Joined: April 6th, 2018, 11:32 am
Title: Premier Сasual Datin
Location: Usa

Re: [GUIDE] How to remove SProtect & SSProtect

Post by amr_salah »

Thank you very much.I tested the tool and it works.i never succeed to inject cheat pack in a map (I don't know why it always don't open in Warcraft 3) so i just modified some msg to see if it works. Your Guides are really too great i hope you make more in future. Thank you again
User avatar
nuzamacuxe
Also Not an Admin, but closer than devoltz
Posts: 1655
Joined: February 14th, 2018, 5:35 am
Title: Just Another S.Mod
Been thanked: 6 times

Re: [GUIDE] How to remove SProtect & SSProtect

Post by nuzamacuxe »

I'm glad that I could help you out. Thank you and you're welcome.