BF1942 Demo Server Crashes

Player
Posts: 28
Joined: Sat Oct 24, 2009 5:06 pm

Re: BF1942 Demo Server Crashes

Post by Player »

In my case I was able to ban the culprit's IP range as it's one they would need to make an actual connection by joining the server.

We have had the user's ISP take action a few times where they removed service from the user for 2 weeks on more than one occasion but only to have them come back and get service and continue where they left off.. nice to see the ISP taking this seriously.

But I'm now facing several DoS attacks from random addresses. I have tried to block at the router level, which seems to have failed, and then at the software level and still no luck. I guess time to start collecting some logs and hope my ISP will take things more seriously, but doubt it.

All this over a silly game...
Last edited by Player on Thu Aug 11, 2011 12:19 am, edited 1 time in total.
dierighty
Posts: 11
Joined: Fri Jul 29, 2011 5:38 pm

Re: BF1942 Demo Server Crashes

Post by dierighty »

I made a patch for the bf1942_lnxded.static server executable, that stops the game.createLocalPlayer "" 0 exploit from crashing the server.

How the exploit works:
The exploit takes advantage of a loop in dice::bf::GameServer::createPlayer(), to cause the server to hang. This loop normally resolves name conflicts, so that when a client joins the server and someone already has the name, the server will append a "_1" to the new client. When an exploiter uses the game.createLocalPlayer command it causes the server to never be able to create a new player no matter what the name is, so it infinitely loops trying to append "_1"... "_2"... "_3". createPlayer() assumes that at some point it will be able to append a large enough number to successfully create a player.

The patch:
The createPlayer() function is called by the dice::bf::GameServer::handleGameEventManagerEvent() function. handleGameEventManagerEvent() calls createPlayer() in response to a 'create player' event. Since each player has their own event queue, the patch will only handle one 'create player' event from a player, and then ignore all subsequent 'create player' events from that player. The patch consists of a detour and a comparison. The detour redirects execution from handleGameEventManagerEvent() to comparison code that checks to see if this is a subsequent 'create player' event.

Modify the bf1942_lnxded.static executable at these file offsets:

For the detour:

File_Offset    Original_Instruction_Bytes     Instructions
000EDD17       B8 00 00 00 00                 mov eax,0
000EDD1C       8B 5D 10                       mov ebx,[ebp+0x10]    ;get address of the game event obj

Modify it to this:

File_Offset    Modified_Instruction_Bytes     Instructions
000EDD17       8B 5D 10                       mov ebx,[ebp+0x10]    ;get address of the game event obj
000EDD1A       EB 89                          jmp 08135ca5          ;jump to the comparison
000EDD1C       31 C0                          xor eax,eax
000EDD1E       90                             nop

For the comparison code:

File_Offset    Original_Instruction_Bytes     Instructions
000EDCA5       00 00 00 00 8D BC 27 00 00 00  ;padding

Modify this to:

File_Offset    Modified_Instruction_Bytes     Instructions
000EDCA5       8B 73 04                       mov esi,dword ptr[ebx+4]
000EDCA8       83 FE 01                       cmp esi,1
000EDCAB       74 6F                          je 08135d1c
000EDCAD       EB 5B                          jmp 08135d0a
Last edited by dierighty on Sun Jul 31, 2011 12:29 am, edited 2 times in total.
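
An added example, not part of dierighty's post: a Python script that applies the byte changes listed above only when the original bytes are found at each offset (the offsets are specific to one build of the executable), and checks that every short jump in the patch decodes to the file offset the post gives. The function names and the zero-filled stand-in image are assumptions made for this example.

```python
# (file offset, original bytes, patched bytes), copied from the tables in the post.
PATCHES = [
    (0xEDD17, "B8 00 00 00 00 8B 5D 10", "8B 5D 10 EB 89 31 C0 90"),
    (0xEDCA5, "00 00 00 00 8D BC 27 00 00 00", "8B 73 04 83 FE 01 74 6F EB 5B"),
]
# Short jumps in the patch: (file offset of the jump, expected target file offset).
# Targets are the post's addresses 08135ca5/08135d1c/08135d0a minus 0x08048000.
JUMPS = [(0xEDD1A, 0xEDCA5), (0xEDCAB, 0xEDD1C), (0xEDCAD, 0xEDD0A)]


def rel8_target(image, off):
    """Decode a 2-byte short jump (opcode, rel8) and return its target offset."""
    disp = image[off + 1]
    if disp >= 0x80:  # rel8 is a signed byte
        disp -= 0x100
    return off + 2 + disp  # relative to the end of the jump instruction


def apply_patch(image):
    """Patch a bytearray in place. Returns 'patched' or 'already patched';
    raises ValueError if any site holds bytes from a different build."""
    sites = [(o, bytes.fromhex(a), bytes.fromhex(b)) for o, a, b in PATCHES]
    state = set()
    for off, orig, new in sites:
        cur = bytes(image[off:off + len(orig)])
        if cur == orig:
            state.add("patched")
        elif cur == new:
            state.add("already patched")
        else:
            raise ValueError(f"unexpected bytes at {off:#x}: {cur.hex()}")
    if len(state) != 1:
        raise ValueError("binary is only partially patched")
    for off, _orig, new in sites:
        image[off:off + len(new)] = new
    for off, want in JUMPS:
        if rel8_target(image, off) != want:
            raise ValueError(f"jump at {off:#x} does not reach {want:#x}")
    return state.pop()


def constructed_image():
    """Constructed stand-in for the executable: zero-filled, with only the
    original bytes from the tables placed at their offsets."""
    image = bytearray(0xEDD20)
    for off, orig, _new in PATCHES:
        raw = bytes.fromhex(orig)
        image[off:off + len(raw)] = raw
    return image
```

On a real server binary, read the file into a bytearray, call apply_patch, and write the result to a new file so the untouched original stays available.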
Senshi
Posts: 697
Joined: Sun Oct 18, 2009 1:14 pm
Location: Germany

Re: BF1942 Demo Server Crashes

Post by Senshi »

Wonderful. This would be most awesome if it works. How the hell did you find that in the exe??

EDIT: I informed the BG42 team about this and their servers should be fixed in the next days. Again, a huge Kudos to you for fixing this.
fo0k
Posts: 1433
Joined: Fri Oct 16, 2009 4:21 pm
Location: UK

Re: BF1942 Demo Server Crashes

Post by fo0k »

wow! amazing stuff there dierighty!
Player
Posts: 28
Joined: Sat Oct 24, 2009 5:06 pm

Re: BF1942 Demo Server Crashes

Post by Player »

dierighty

You are my hero even though I have yet to confirm it's working the fact you took the effort.. is huge...

Thank you!!
Jeronimo
Posts: 196
Joined: Sun Dec 27, 2009 8:55 pm
Location: Germany

Re: BF1942 Demo Server Crashes

Post by Jeronimo »

Good man, dierighty! :o

Is there a chance you could make such a patch for the Windows executable, too?
tekk
Posts: 171
Joined: Fri Dec 11, 2009 6:12 pm

Re: BF1942 Demo Server Crashes

Post by tekk »

I have to ask, what program would be needed to make these changes? I help out modding at one of my favorite DC servers and we have been hit hard with that exploit the past 2 weeks from the same kid. Now I'm wondering if it's actually the EXE that needs to be modified (bf1942_lnxded.static executable), if so any instructions on how to do so would be appreciated A LOT.
Nodbrother- "getting wiped every single game by some over-active 9 year old kid with too much spare time and a reaction time that is a third of yours."
Player
Posts: 28
Joined: Sat Oct 24, 2009 5:06 pm

Re: BF1942 Demo Server Crashes

Post by Player »

tekk wrote: I have to ask, what program would be needed to make these changes? I help out modding at one of my favorite DC servers and we have been hit hard with that exploit the past 2 weeks from the same kid. Now I'm wondering if it's actually the EXE that needs to be modified (bf1942_lnxded.static executable), if so any instructions on how to do so would be appreciated A LOT.
I'm guessing you would use a disassembler / debugger like Ollydbg, where you could apply said changes and save a patched executable. The one he referenced above I believe is for the Linux based server.

We have been bombarded by this exploit which has all but ruined the game. We've been relying on PeerBlock and setting server passwords.

I believe the offsets would be different for each version of the game. This patch will be huge..
Last edited by Player on Thu Aug 11, 2011 12:17 am, edited 2 times in total.
Senshi
Posts: 697
Joined: Sun Oct 18, 2009 1:14 pm
Location: Germany

Re: BF1942 Demo Server Crashes

Post by Senshi »

He described it...it's not rocket science.
Modify the bf1942_lnxded.static executable at these file offsets:
Obviously you need a hex editor to do this. Doesn't matter which one. Open the file with the editor, then go to the file offset and make the changes. It's easy.
tekk
Posts: 171
Joined: Fri Dec 11, 2009 6:12 pm

Re: BF1942 Demo Server Crashes

Post by tekk »

Thanks for that info, yes the server admins have been on their feet a lot trying to catch the guy, no matter how many times he gets IP banned or hash banned he comes back, got down to the point where they as well have had to resort to passwording the server for a few days but that killed the numbers down to a mere 10-15 players at any given time. The server is running Linux so that's a bonus, I will try that program you speak of and see if I can try to figure out how to do this patch and then get the info to the server admins. Would be nice to play a full round without getting crashed :roll:

edit:
Senshi wrote:He described it...it's not rocket science.
Modify the bf1942_lnxded.static executable at these file offsets:
Obviously you need a hex editor to do this. Doesn't matter which one. Open the file with the editor, then go to the file offset and make the changes. It's easy.
Well I'm not familiar with that side of the game, so it's all new to me even though his instructions you understand ... I didn't. By the way, was this confirmed to have worked?