Here are the instructions for BF1942 Windows v1.61 server executable:
BF1942_w32ded v1.61 (original)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 8b d8 mov ebx,eax
45aad9: 85 db test ebx,ebx
45aadb: 0f 84 b0 06 00 00 je 0x45b191
45aae1: 8b cb mov ecx,ebx
45aae3: e8 28 ca 23 00 call 0x697510
45aae8: 85 c0 test eax,eax
45aaea: 0f 84 a1 06 00 00 je 0x45b191
45aaf0: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aaf4: 8b 2e mov ebp,DWORD PTR [esi]
45aaf6: 52 push edx
45aaf7: 8b cb mov ecx,ebx
45aaf9: e8 12 ca 23 00 call 0x697510
45aafe: 50 push eax
45aaff: 8b ce mov ecx,esi
45ab01: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45ab07: e9 85 06 00 00 jmp 0x45b191
BF1942_w32ded v1.61 (patched)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 85 c0 test eax,eax
45aad9: 74 1e je 0x45aaf9
45aadb: 8b 40 04 mov eax,DWORD PTR [eax+4]
45aade: 85 c0 test eax,eax
45aae0: 74 17 je 0x45aaf9
45aae2: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aae6: 4a dec edx
45aae7: 83 fa 01 cmp edx,1
45aaea: 77 0d ja 0x45aaf9
45aaec: 42 inc edx
45aaed: 8b 2e mov ebp,DWORD PTR [esi]
45aaef: 52 push edx
45aaf0: 50 push eax
45aaf1: 8b ce mov ecx,esi
45aaf3: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45aaf9: e9 93 06 00 00 jmp 0x45b191
45aafe: 90 90 90 90 90 90 nop
45ab04: 90 90 90 90 90 90 nop
45ab0a: 90 90 nop
Sorry for the delay, I was having some problems debugging Windows binaries and I was also making a stupid mistake when patching (not looking at the stack). As a bonus, I've optimized this branch of code, which saves 14 bytes in the end.
For the BF1942 Windows v1.6 server executable, the starting address at which to apply the same instructions is 0x0045aaaf.
Patched server executables which already include the code to prevent the previous exploit:
http://estatistic.planetaclix.pt/download/BF1942_w32ded-1.6-patched.zip
http://estatistic.planetaclix.pt/download/BF1942_w32ded-1.61-patched.zip
The BF1942 Windows v1.6 server binary also has a fix for an old public exploit (@ 0x00442370 changed from 7f to 77), to which it wasn't immune.
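For anyone who wants to apply the v1.61 fix to their own copy rather than download a pre-patched binary, here is an added example (not code from the post or from the server's authors): a small Python script that translates the virtual address 0x45aacf to a file offset by walking the PE32 section table, refuses to write unless the 61 original bytes from the "original" listing are actually there, and then writes the 61 bytes from the "patched" listing in place. The two byte sequences are transcribed from the listings above; `build_fake_pe()` is a constructed one-section PE fixture used only so the script can be exercised offline, and the section layout it uses (image base 0x400000, section at RVA 0x5a000, raw data at file offset 0x400) is an assumption of the fixture, not a claim about the real executable.

```python
"""Apply the v1.61 fix from the post to a BF1942 PE32 server binary.

Added example, not from the original post. Byte sequences are transcribed from
the two listings; build_fake_pe() is a constructed fixture, not the real binary.
"""
import struct
import sys

PATCH_VA_161 = 0x45AACF  # start of the rewritten region (address from the post)

# Original 61 bytes at 0x45aacf..0x45ab0b, transcribed from the "original" listing.
ORIG_161 = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 8b d8 85 db 0f 84 b0 06 00 00 "
    "8b cb e8 28 ca 23 00 85 c0 0f 84 a1 06 00 00 "
    "0f b6 57 0d 8b 2e 52 8b cb e8 12 ca 23 00 50 8b ce "
    "ff 95 40 01 00 00 e9 85 06 00 00"
)
# Replacement from the "patched" listing: the getter call is inlined as
# mov eax,[eax+4], the byte at [edi+0xd] is range-checked (dec / cmp 1 / ja
# only falls through for values 1 or 2), and 14 NOPs keep the region the same
# size so nothing after 0x45ab0c moves.
PATCH_161 = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 85 c0 74 1e 8b 40 04 85 c0 74 17 "
    "0f b6 57 0d 4a 83 fa 01 77 0d 42 8b 2e 52 50 8b ce "
    "ff 95 40 01 00 00 e9 93 06 00 00"
) + b"\x90" * 14
assert len(ORIG_161) == len(PATCH_161) == 61


def pe_sections(image: bytes):
    """Return (image_base, [(va_start, va_end, raw_ptr, raw_size), ...]) for a PE32 file."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40         # 40-byte IMAGE_SECTION_HEADER entries
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((image_base + va, image_base + va + max(vsize, rsize), rptr, rsize))
    return image_base, sections


def va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to the file offset of the section that contains it."""
    _, sections = pe_sections(image)
    for start, end, rptr, rsize in sections:
        if start <= va < end:
            if va - start >= rsize:
                raise ValueError(f"VA {va:#x} lies in uninitialised section data")
            return rptr + (va - start)
    raise ValueError(f"VA {va:#x} is not inside any section")


def apply_patch(image: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy of image; refuse if the original bytes are not present."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change the size of the code region")
    off = va_to_file_offset(image, va)
    if image[off:off + len(expected)] != expected:
        raise ValueError(f"bytes at {va:#x} differ from the expected original "
                         "(already patched, or a different binary version?)")
    return image[:off] + replacement + image[off + len(replacement):]


def build_fake_pe(text: bytes, text_va: int = 0x5A000, image_base: int = 0x400000,
                  raw_ptr: int = 0x400) -> bytes:
    """Constructed minimal PE32 with one .text section (test fixture, not the real server)."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    raw_size = (len(text) + 0x1FF) & ~0x1FF
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(text), text_va,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    hdr += b"\0" * (raw_ptr - len(hdr))
    return hdr + text + b"\0" * (raw_size - len(text))


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} BF1942_w32ded.exe OUTPUT.exe")
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    patched = apply_patch(image, PATCH_VA_161, ORIG_161, PATCH_161)
    with open(argv[2], "wb") as f:
        f.write(patched)
    print(f"patched {len(PATCH_161)} bytes at {PATCH_VA_161:#x}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because `apply_patch` compares the whole 61-byte region before writing, running it on an already-patched file or on the v1.6 binary fails instead of silently corrupting code; the v1.6 variant at 0x0045aaaf is deliberately not included, since the relative displacements in the listing belong to the v1.61 layout and would have to be verified against that binary first. The one-byte v1.6 fix mentioned above fits the same table shape, `(0x00442370, b"\x7f", b"\x77")`: 0x7f is `jg rel8` and 0x77 is `ja rel8`, so that change turns a signed comparison into an unsigned one, which is the usual way a negative value slipping past a bounds check gets closed off.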