Diablo II LoD v1.09d Druid Drop Fix + D2HackIt/Drop 1.0 Crash Prevention
------------------------------------------------------------------------

NOTE: If you are already familiar with what this is, skip to the ADDED sections.

This patch should fix the infamous Druid Drop / Werewolf lvl 33 bug, which has claimed so many lives in Hardcore by now. The patch was tested and has proven to work in Single Player/Open Battle.net already - and should work in Closed as well, since the same .DLL is used. However, unpredictable outcomes are possible.

What this thing does is disable assertion failure trapping in D2Client.dll, thus allowing the game to continue like nothing happened even if assert() has failed in D2Client.dll. This can potentially result in invalid page fault crashes ("The program has performed an illegal operation and will be shut down") or gameplay irregularities occurring. I might also have messed up something which will cause a new glitch or crash - and claim your Hardcore character's life as well. USE THIS THING AT YOUR OWN RISK - the best thing for you to do is wait for the official Blizzard fix.

ADDED: As of 01/31/2002, people report that the druid drop bug is still in place. Also, because the executables were modified (hex edited), they did not work with NT based systems ("Not a valid Win32 application"). This release has all affected executables rebuilt with ProcDump, so they should now all be valid and working in Windows NT/2000/XP.

ADDED: As of 01/22/2002, Blizzard has reported that they implemented a serverside fix for the druid drop. I haven't had a chance to test if it really is gone from the realms or not - but if it is, the way they probably did it is by blocking the erroneous info that causes the crash from being sent to clients, thus preventing the crash. However, no clientside patch was released, so in Single Player, TCP/IP and Open Battle.net games (which are hosted on the game maker's machine) the crash will still occur.

ADDED: Now this patch, in most cases, also fixes the crash caused by some client using the D2HackIt/Drop 1.0 plugin, which also exploits an assertion failure, in a different module. This exploit is much more evil than the druid drop bug, does not require any skills to work, and allows one to drop every visible player besides oneself. The way the drop hack works is, its user will type something at the console, then drop an item on the ground. Testing has shown that this part of the patch is not 100% effective. Even when it does prevent a crash (which happens in most cases) from the corrupted item dropped this way, other crashes (with different error messages) might still occur later on. Needless to say, IF YOU PLAY HARDCORE AND SEE A PLAYER DROPPING A SUSPICIOUS LOW QUALITY ITEM, ESPECIALLY AFTER A CONSIDERABLE PAUSE (required to type in the necessary D2HackIt commands), or else wearing some apparently low quality weapon not suited for his/her character level, LEAVE THE GAME OR TAKE A PORTAL TO TOWN AT ONCE.

Installation instructions
-------------------------

BACK UP THE FILE CALLED D2Common.dll. THE PATCH OVERWRITES THIS FILE WITH AN UPDATED VERSION. YOU WILL NEED TO RESTORE THE ORIGINAL FILE IN ORDER TO APPLY THE OFFICIAL BLIZZARD PATCH WHEN IT COMES OUT.

Then unzip this archive into your Diablo II Lord of Destruction game folder, and run DLOAD.EXE to launch the fixed version of the game. To run the fixed version of the game, YOU HAVE TO RUN DLOAD.EXE - otherwise, if you just run the game by using main menu/desktop shortcuts, only the (possible) D2HackIt/Drop plugin fix will be in effect, but not the Druid Drop fix. If you don't want the Druid Drop fix, just the Drop Hack fix, you may run the game as usual.

Files
-----

D2CL-FIX.DLL
    The Druid Drop fixed (hex edited and PE rebuilt) version of D2CLIENT.DLL.

D2COMMON.DLL
    (Possibly) Drop Hack fixed (hex edited and PE rebuilt) version of D2COMMON.DLL.

DLOAD.EXE
    Modified Game Loader. Needed in order to fool Battle.net's version verification system. The original game launcher, GAME.EXE, is checksummed and verified, but the modified game launcher (GAME_CRK.EXE) is actually loaded and run.

GAME_CRK.EXE
    The modified game launcher. The 1.09d NoCD dumped (SecuROM protection stripped) version of GAME.EXE was taken as a base, the string "D2Client.dll" inside of it was changed to "D2CL-FIX.DLL" in order to utilize the new, fixed DLL, and the EXE was rebuilt to become valid on NT/2000/XP.

README.TXT
    This file.

Q&A
---

Q: Is it legal to use this patch?
A: According to Blizzard's EULA and the Battle.net TOS, it is not. Neither is using any hacks and cracks.

Q: Do your D2COMMON.DLL and D2CLIENT.DLL modifications in any way affect normal gameplay (when no errors occur)?
A: No. The only thing that was changed in these files is the error handling code. Typically when you get an error, the game would give you an error message and quit. The patch actually makes it possible for the game to continue when certain types of errors are encountered. The normal flow of the program (when no errors occur) is not (or at least should not be - unless I messed up) affected by the modifications.

Q: What exactly did you do?
A: Mostly, located the code that handles the relevant assertion failures, and disabled it - by either NOPs or unconditional JMPs instead of conditional ones, thus making the corresponding function continue as normal. As for the crash caused by the Drop plugin (where functions are passed a NULL pointer and choke on that), I just made these functions return in this situation (saved registers POPped and ESP adjusted, don't worry), since ignoring the error and continuing would have caused an illegal operation (dereferencing a NULL).

Q: Why rename D2Client.dll to D2CL-FIX.DLL?
A: Again, to trick Battle.net's version verification system into letting you use modified DLLs. If you just have a modified file, Battle.net servers will not let you in ("unable to properly identify your application version"). Therefore the modified file was made a separate DLL, the file name reference in GAME_CRK.EXE (which actually loads the DLL) was changed, while the reference in Bnclient.dll (which does the verification) was left intact and still points to the original file, which of course will be verified successfully.

Q: Why did you not rename D2Common.dll then?
A: Because D2Common.dll is not analyzed by the version checker on connect, so there was no need to make a separate file and go through the pain of changing all the references.

Q: What error does Druid Drop normally cause?
A: If you have the following in any of your D2 log files, you have likely been a victim of the Druid Drop bug:

    Assertion Failure
    Location : D2Client\UNIT\PlrSkills.cpp, line #280
    Expression : nWolfBonus >= 0 && nWolfBonus <= MAX_SKILL_LEVEL - MAX_SKILL_BASE_LEVEL

Q: What error does Drop Hack normally cause?
A: If you have the following in any of your D2 log files, you have likely been a victim of the D2HackIt/Drop 1.0 attack:

    Assertion Failure
    Location : D2Common\Stats\Stats.cpp, line #1526
    Expression : !"[StatsUnitUnModifyUnit] unit has no stats"

Q: Why rebuild the executables?
A: Because it appears that Windows NT based systems have some verification mechanism associated with executable files that allows them to detect if the file has been tampered with. Thus if you just edit an executable and then try to run it, Windows will refuse to do it. I do not know how exactly the mechanism works or what needs to be corrected to make it all work, so what I did is use a tool called ProcDump (a universal unpacker/process dumper) and its Rebuild PE function to make the files valid. This was tested in Windows XP.
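Since both Q&A entries above identify a crash by its log signature, here is an added log scanner (example code written for this README, not part of the patch) that parses "Assertion Failure" records out of D2 log text and tags the two Location/line pairs quoted above; the sample log below is constructed, only the Location and Expression strings are the ones the README quotes.

```python
"""Scan Diablo II log text for the assertion failures this README lists."""
import re
from typing import Dict, List

# Signatures exactly as the Q&A above quotes them: source file + line number.
SIGNATURES = {
    "druid_drop": (r"D2Client\UNIT\PlrSkills.cpp", 280),
    "drop_hack": (r"D2Common\Stats\Stats.cpp", 1526),
}

# One record: "Assertion Failure", "Location : <file>, line #<n>",
# "Expression : <text>", each on its own line (whitespace is flexible).
_ASSERT_RE = re.compile(
    r"Assertion Failure\s*"
    r"Location\s*:\s*(?P<file>[^,\n]+),\s*line\s*#(?P<line>\d+)\s*"
    r"Expression\s*:\s*(?P<expr>.+)"
)

# Constructed sample log: one hit for each signature.
SAMPLE_LOG = r"""
Assertion Failure
Location : D2Client\UNIT\PlrSkills.cpp, line #280
Expression : nWolfBonus >= 0 && nWolfBonus <= MAX_SKILL_LEVEL - MAX_SKILL_BASE_LEVEL

Assertion Failure
Location : D2Common\Stats\Stats.cpp, line #1526
Expression : !"[StatsUnitUnModifyUnit] unit has no stats"
"""


def parse_assertion_failures(log_text: str) -> List[Dict[str, object]]:
    """Return every assertion failure record found in the log text."""
    return [
        {"file": m.group("file").strip(), "line": int(m.group("line")),
         "expression": m.group("expr").strip()}
        for m in _ASSERT_RE.finditer(log_text)
    ]


def classify(record: Dict[str, object]) -> str:
    """Name the known crash cause for one record, or 'unknown'."""
    for name, (path, line) in SIGNATURES.items():
        if str(record["file"]).lower() == path.lower() and record["line"] == line:
            return name
    return "unknown"


def scan_log(log_text: str) -> Dict[str, int]:
    """Count how often each known cause (and anything else) appears."""
    counts = {"druid_drop": 0, "drop_hack": 0, "unknown": 0}
    for rec in parse_assertion_failures(log_text):
        counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Feed it the contents of a real D2 log file instead of SAMPLE_LOG to check whether a Hardcore death matches either signature.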