Joined: 02 Sep 2012
Posted: Sun Aug 04, 2013 5:54 pm Post subject: [REL]Halo PC Checksum Bypass / Change Map Folder Patch
This allows you to hex-edit halo.exe without having the Checksum Error.
I use this to be able to change the "maps" folder to "mods" (same 4 character string).
To use this you need to hex-edit halo.exe and change the function that does the checksumming so that it always returns 0 (good checksum) instead of 1 (bad checksum).
Here is the comparison between the unpatched one (left) and the patched one (right), so you can hex-edit your exe (I can't upload the patched exe).
00141651: 0F 90
00141652: 85 90
00141653: 7A 90
00141654: FF 90
00141655: FF 90
00141656: FF 90
0014166B: 94 95
00141651: jne 005415D1 --> nop, nop, nop, nop, nop, nop
0014166B: setz al --> setnz al
If the checksum is good, al is set to 1; otherwise it is set to 0.
The jump is taken if a check fails (the checksum check is the last of a series of checks; anyway, this fails when halo.exe is hex-edited). Then this happens: xor al,al.
This means al becomes 0, and we don't want it, so we nop the jump out.
Then al is still 0, because there is an opcode before it, repe cmpsb.
According to http faydoc.tripod . com/cpu/cmpsb . htm (can't post URLs yet):
Compares byte at address DS:(E)SI with byte at address ES:(E)DI and sets the status flags accordingly.
This means ESI contains our checksum, and EDI contains the expected one.
The expected one is "WIRTSMSZ" --> 57 49 52 54 53 4D 53 5A.
The instruction setz al, which follows the string compare, sets al to 1 (good) if the comparison returned 0 (equal strings).
So, we change it to setnz al, and it will always work, because applying the hex patch above makes the checksum change.
The "maps" string is located at 0025FD7C and 0025FE30. You can change it to "mods", like I did. Anyway, you must use at most 4 characters.
With this approach I have:
halo.exe --> reads maps folder
halo-mods.exe --> reads mods folder
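
An added example, not part of the original post: a read-only check that parses a byte comparison listing in the format shown above and reports whether a copy of an executable holds the left (unpatched) bytes, the right (patched) bytes, a mix, or something else at those offsets. The function names and the zero-filled sample buffers are constructed for illustration; the offsets and byte values are the ones listed in the post.

```python
import re

# Comparison listing copied from the post: "offset: unpatched patched" (all hex).
LISTING = """\
00141651: 0F 90
00141652: 85 90
00141653: 7A 90
00141654: FF 90
00141655: FF 90
00141656: FF 90
0014166B: 94 95
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

def parse_listing(text):
    """Return [(offset, left_byte, right_byte)], rejecting malformed lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not 'OFFSET: XX YY': {line!r}")
        entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries

def classify(image, entries):
    """Classify a file image as 'unpatched', 'patched', 'mixed' or 'unknown'."""
    states = set()
    for off, left, right in entries:
        if off >= len(image):
            return "unknown"          # too short to be the expected build
        b = image[off]
        states.add("unpatched" if b == left else "patched" if b == right else "unknown")
    if not states or "unknown" in states:
        return "unknown"              # empty listing, or a byte in neither column
    return states.pop() if len(states) == 1 else "mixed"

def classify_file(path, listing=LISTING):
    with open(path, "rb") as fh:      # read-only; the file is never modified
        return classify(fh.read(), parse_listing(listing))

def sample_image(column):
    """Constructed zero-filled buffer carrying one column of the listing."""
    buf = bytearray(0x141700)
    for off, left, right in parse_listing(LISTING):
        buf[off] = (left, right)[column]
    return buf
```

A result of "mixed" or "unknown" means the file matches neither column cleanly, for example a different build or a partially edited copy.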