Dawn of War II Unlockable Content
Dawn of War II has unlockable content; that is, certain maps, campaign wargear, army painter colours and so on are locked by default and have to be unlocked using special codes. People who pre-ordered the game got a code or two, and codes are also available through other promotional sources.
This unlockable content is implemented as follows:
- `content.bin` in the Dawn of War 2 folder lists all of the unlockable content, in the form of a compiled Lua file.
- Each set of unlockable content has an entry in `content.bin` listing the files/colours/wargear/etc. which it unlocks, and the `UnlockMask` required to unlock it.
- Each GFWL account has an `UnlockBits` value.
- Registering an unlock code sets the appropriate bit in your `UnlockBits`.
- To decide which content to unlock, the game (`DOW2.exe`) iterates over each set in turn, tests to see if all the bits in the `UnlockMask` are set in your `UnlockBits` (i.e. whether `UnlockMask & UnlockBits == UnlockMask`), and if so, unlocks the things in that set.
- `content.bin` is cryptographically signed by the `content.cat` security catalogue file.
- `DOW2.exe` is cryptographically signed by the `DOW2.exe.cat` security catalogue file.
- `wintrust.dll` is used by `DOW2.exe`, `xlive.dll` and some other DLLs to verify the security catalogues.
The standard approaches to unlocking all of the content might include:
- Edit `content.bin` and set every `UnlockMask` to zero (zero bitwise-and `UnlockBits` equals zero, so every set passes the test). This would fail, as `content.cat` would then fail to verify `content.bin` and `DOW2.exe` would abort loading.
- Disassemble `DOW2.exe` and patch the code to read zero for every `UnlockMask`. Again, this would fail, as `xlive.dll` would fail to validate the signature on `DOW2.exe` and multiplayer wouldn't work.
Neither of the above methods would work, due to the cryptographic checks done on the `content.bin` and `DOW2.exe` files. The weak point of DoW2's system is how these checks are done. As previously stated, `wintrust.dll` (a Microsoft DLL which lives in `C:\Windows\System32`) is used to make sure that the security catalogue files are valid and successfully verify `DOW2.exe` and `content.bin`, using the `WinVerifyTrust[Ex]` function. Furthermore, nothing checks the integrity of `wintrust.dll` itself before it is loaded: the Windows loader does not verify Authenticode signatures on the DLLs a normal process loads, and the only code that could check `wintrust.dll` is `wintrust.dll`. If `wintrust.dll` is copied from the `System32` directory to the Dawn of War directory and then modified so that `WinVerifyTrust` always returns `ERROR_SUCCESS`, then the cryptographic checks are sidestepped (`ERROR_SUCCESS` is conveniently the value zero, so this simply means replacing the first five bytes of `WinVerifyTrust` with `xor eax, eax; retn 12`, or `33 C0 C2 0C 00` in machine code; the `12` pops the three 4-byte stdcall arguments, `HWND`, `GUID *` and `LPVOID`, so the caller's stack stays balanced).
If `content.bin` is now modified so that the unlock masks are all zero, then when the game is run it'll load `wintrust.dll` from the game directory rather than the `System32` directory (by default the DLL search order checks the application's own directory before the system directory, so a DLL placed beside the executable wins; the only robust fix on the game's side is to load `wintrust.dll` by its full `System32` path, which an unprivileged user cannot overwrite), and when it comes to verify `content.bin`, the patched `WinVerifyTrust` returns `ERROR_SUCCESS`, and so the game believes that the file is still cryptographically signed. It then comes to see what content the GFWL account has unlocked by doing 'does `UnlockMask & UnlockBits == UnlockMask`' for each unlock set, and as zero bitwise-and anything does equal zero, it'll unlock all of the content.
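As an added illustration (this is not code from the original article, from Relic or from the game), the following C program models the two halves of the technique described above: the per-set `UnlockMask & UnlockBits == UnlockMask` decision, showing how zeroing every mask makes every set pass for any account, and the five-byte `xor eax, eax; ret imm16` stub that makes a stdcall function return `ERROR_SUCCESS`. The struct layout, set names and mask values are constructed sample data and are not the real `content.bin` format; the argument size used for `WinVerifyTrust` (three 4-byte arguments on 32-bit x86, hence `ret 12`) is the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one content.bin entry (assumed names, not the real layout). */
typedef struct {
    const char *name;      /* what the set unlocks, for display only */
    uint32_t unlock_mask;  /* UnlockMask: bits that must all be present in UnlockBits */
} unlock_set_t;

/* The game's test as described: a set is unlocked when every bit of its
 * UnlockMask is set in the account's UnlockBits. A zero mask always passes,
 * because (0 & anything) == 0. */
int set_is_unlocked(uint32_t unlock_mask, uint32_t unlock_bits) {
    return (unlock_mask & unlock_bits) == unlock_mask;
}

/* Registering an unlock code: set that code's bit in UnlockBits.
 * Out-of-range bit indices are rejected and leave the value unchanged. */
uint32_t register_code(uint32_t unlock_bits, unsigned bit_index) {
    if (bit_index >= 32) return unlock_bits;
    return unlock_bits | (UINT32_C(1) << bit_index);
}

/* How many sets an account with the given UnlockBits would receive. */
size_t count_unlocked(const unlock_set_t *sets, size_t n, uint32_t unlock_bits) {
    size_t unlocked = 0;
    for (size_t i = 0; i < n; i++)
        if (set_is_unlocked(sets[i].unlock_mask, unlock_bits))
            unlocked++;
    return unlocked;
}

/* The content.bin edit from the text: zero every UnlockMask. */
void zero_all_masks(unlock_set_t *sets, size_t n) {
    for (size_t i = 0; i < n; i++)
        sets[i].unlock_mask = 0;
}

/* Encode the stub that replaces the first five bytes of a stdcall function so
 * it returns 0 (ERROR_SUCCESS) at once: xor eax,eax (33 C0) then ret imm16
 * (C2 imm16), where imm16 is the number of argument bytes the callee must pop.
 * For WinVerifyTrust(HWND, GUID *, LPVOID) on 32-bit x86 that is 12.
 * Returns 0 if arg_bytes does not fit in the 16-bit immediate. */
int encode_return_zero_stub(uint8_t out[5], unsigned arg_bytes) {
    if (arg_bytes > 0xFFFF) return 0;
    out[0] = 0x33; out[1] = 0xC0;           /* xor eax, eax */
    out[2] = 0xC2;                          /* ret imm16    */
    out[3] = (uint8_t)(arg_bytes & 0xFF);   /* imm16, little-endian */
    out[4] = (uint8_t)(arg_bytes >> 8);
    return 1;
}

int main(void) {
    /* Constructed sample table: names and masks are illustrative only. */
    unlock_set_t sets[] = {
        { "base game content",      0x00000000 },
        { "pre-order wargear",      0x00000001 },
        { "retailer bonus colours", 0x00000002 },
        { "promo map pack",         0x00000003 },  /* needs both codes */
    };
    size_t n = sizeof sets / sizeof sets[0];

    uint32_t bits = 0;
    printf("fresh account:   %zu of %zu sets\n", count_unlocked(sets, n, bits), n);
    bits = register_code(bits, 0);
    printf("after one code:  %zu of %zu sets\n", count_unlocked(sets, n, bits), n);

    zero_all_masks(sets, n);
    printf("masks zeroed:    %zu of %zu sets for any account\n",
           count_unlocked(sets, n, 0), n);

    uint8_t stub[5];
    encode_return_zero_stub(stub, 3 * 4);
    printf("WinVerifyTrust stub:");
    for (int i = 0; i < 5; i++) printf(" %02X", stub[i]);
    printf("\n");
    return 0;
}
```

Run stand-alone it prints 1, 2 and then 4 of 4 sets, followed by `33 C0 C2 0C 00`. The `ret 12` detail matters in practice: a stub that returned with a plain `ret` would leave twelve bytes of arguments on the stack and crash the caller, since stdcall callees clean up their own arguments.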
For further reading, see part 2.