Page 6 of 7
Re: BF1942 Demo Server Crashes
Posted: Thu Sep 15, 2011 2:36 am
by dierighty
This patch is for the newer version of the demo, v1.1
1. Modify before func.0048b410
Code:
[offset] [modified bytes] [instruction]
8b403 8b 45 04 mov eax,dword ptr[ebp+0x4]
8b406 83 f8 01 cmp eax,1
8b409 74 05 je 0048b410
8b40b eb 29 jmp 0048b436
2. Modify after func.0048b410
Code:
[offset] [modified bytes] [instruction]
8b436 68 65 47 63 00 push 00634765 ;jump to case 11 to continue without crash
8b43b c2 08 00 retn 8
3. Modify call to func.0048b410
Code:
[offset] [modified bytes] [instruction]
2340ab e8 53 73 e5 ff call ;modify call to func.0048b410 so it goes to 0048b403 instead
//The file offsets in the .exe are different for demo v1.1 from demo v1.0; however, the relative jumps still work, only
//the func call and push inst needed to be modified.
Re: BF1942 Demo Server Crashes
Posted: Sat Sep 17, 2011 11:49 pm
by Senshi
MOD Senshi:
-- Regarding some ugly stuff posted here --
This is not really related to the thread; we are discussing technical issues here and not any spite you or any clans might have. It's a sad thing this exploit is being used to disturb the gameplay of anyone, and we are plain happy to have found a solution for everyone here. Highest gratitude to dierighty is appreciated, but please keep your posts to the thread topic. So I'm moving the OT stuff out of here:
http://bfmods.com/viewtopic.php?f=45&t=1124
Simultaneously, I ask you to refrain from starting a flamewar in the new thread, or else you'll get the thread locked insanely quickly. bfmods.com is a constructive website focused on collaborative and supportive behaviour revolving around the Battlefield series (but mostly focusing on BF42) and certainly not an everyday chat forum. Interest in flamewars is nonexistent. Thank you for your cooperation.
Re: BF1942 Demo Server Crashes
Posted: Sun Sep 18, 2011 9:30 pm
by ¦RC¦ RockinAngeLX
Thank you Senshi for deleting those posts... Have to deal with it enough as is, don't need it here too.
And I have to thank Dierighty again, for all his help and dedication.
I am happy to report that this fix does an amazing job.
What Dierighty's patch does, when the exploit is used on the server, is add the load to the player,
which causes the player to ping out and lag instead of the server.
The more they try, the higher their ping goes, until eventually, they are forced to disconnect.
Awesome
Anywho, thought those involved here, would appreciate knowing what the effects of this fix are/have been on BF Demo Servers.
Again... Dierighty... Thank you. From all of us in BF Community.
¦RC¦ RockinAngeLX
Re: BF1942 Demo Server Crashes
Posted: Mon Oct 24, 2011 12:11 am
by Android
Could you please post the fix for the 1.6 Linux version? Would be greatly appreciated, thanks in advance!
Re: BF1942 Demo Server Crashes
Posted: Mon Nov 14, 2011 11:25 pm
by tuia
Following dierighty's instructions, I've patched the BF1942 Linux server version 1.6 executables, static and dynamic.
Detour:
Code:
bf1942_lnxded.dynamic (Original)
813d5b7: b8 00 00 00 00 mov eax,0
813d5bc: 8b 5d 10 mov ebx,DWORD PTR [ebp+0x10]
813d5bf: 89 45 c8 mov DWORD PTR [ebp-0x38],eax
813d5c2: 89 45 cc mov DWORD PTR [ebp-0x34],eax
813d5c5: 89 45 d0 mov DWORD PTR [ebp-0x30],eax
813d5c8: 50 push eax
813d5c9: 8d 75 98 lea esi,[ebp-0x68]
813d5cc: 50 push eax
813d5cd: 31 c0 xor eax,eax
813d5cf: 8a 43 0c mov al,BYTE PTR [ebx+0xc]
Code:
bf1942_lnxded.dynamic (Patched)
813d5b7: 8b 5d 10 mov ebx,DWORD PTR [ebp+0x10]
813d5ba: 8b 43 04 mov eax,DWORD PTR [ebx+4]
813d5bd: eb 83 jmp 813d542
813d5bf: 31 c0 xor eax,eax
813d5c1: 89 45 c8 mov DWORD PTR [ebp-0x38],eax
813d5c4: 89 45 cc mov DWORD PTR [ebp-0x34],eax
813d5c7: 89 45 d0 mov DWORD PTR [ebp-0x30],eax
813d5ca: 50 push eax
813d5cb: 8d 75 98 lea esi,[ebp-0x68]
813d5ce: 50 push eax
813d5cf: 8a 43 0c mov al,BYTE PTR [ebx+0xc]
Comparison:
Code:
bf1942_lnxded.dynamic (Original)
813d542: 8d b4 26 00 00 00 00 // padding bytes
813d549: 8d bc 27 00 00 00 00 // padding bytes
Code:
bf1942_lnxded.dynamic (Patched)
813d542: 83 f8 01 cmp eax,1
813d545: 74 78 je 813d5bf
813d547: e9 74 03 00 00 jmp 813d8c0
813d54c: 90 90 90 90 90 nop
The bytes changed are exactly the same for the bf1942_lnxded.static executable; the only difference is in the addresses. Detour for static starts at 0x08136297 and comparison starts at 0x08136222.
I can upload the patched executable files.
Re: BF1942 Demo Server Crashes
Posted: Sat Nov 19, 2011 7:33 pm
by tuia
I've reworked the code for the patch and managed to squeeze 8 bytes of code for the comparison, so there is no need for a detour now. It saves some CPU cycles and it's also easier to patch. Here are the instructions for Linux server version 1.6 dynamic executable:
Code:
bf1942_lnxded.dynamic (original)
813d5b7: b8 00 00 00 00 mov eax,0 ; this instruction can be replaced with xor eax,eax
813d5bc: 8b 5d 10 mov ebx,DWORD PTR [ebp+0x10] ; ebx already has this value
813d5bf: 89 45 c8 mov DWORD PTR [ebp-0x38],eax
813d5c2: 89 45 cc mov DWORD PTR [ebp-0x34],eax
813d5c5: 89 45 d0 mov DWORD PTR [ebp-0x30],eax
813d5c8: 50 push eax
813d5c9: 8d 75 98 lea esi,[ebp-0x68]
813d5cc: 50 push eax
813d5cd: 31 c0 xor eax,eax ; this instruction can be omitted since eax is preserved
Code:
bf1942_lnxded.dynamic (patched)
813d5b7: 8b 43 04 mov eax,DWORD PTR [ebx+4]
813d5ba: 83 f8 01 cmp eax,1
813d5bd: 75 eb jne 813d5aa
813d5bf: 31 c0 xor eax,eax
813d5c1: 89 45 c8 mov DWORD PTR [ebp-0x38],eax
813d5c4: 89 45 cc mov DWORD PTR [ebp-0x34],eax
813d5c7: 89 45 d0 mov DWORD PTR [ebp-0x30],eax
813d5ca: 8d 75 98 lea esi,[ebp-0x68]
813d5cd: 50 push eax
813d5ce: 50 push eax
Same procedure for static file, however the beginning address is 0x08136297.
I've also patched for Linux server version 1.61. Same instructions, beginning addresses are 0x08135d17 for static and 0x0813cd87 for dynamic.
For those who aren't comfortable hex editing the files (it's pretty simple using a free hex editor like XVI32), I've uploaded the files. I've tested them myself, so here they are:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
You should do a file compare with the respective original files, in case you want to double check the changes.
Re: BF1942 Demo Server Crashes
Posted: Sun Nov 20, 2011 5:52 pm
by tuia
Here are the instructions for patching BF Vietnam Linux server version 1.21 dynamic and static files.
Code:
bfv_linded.dynamic (original)
87557ec: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
87557f0: 89 44 24 04 mov DWORD PTR [esp+4],eax
87557f4: a1 f0 ed c6 08 mov eax,ds:0x8c6edf0
87557f9: 89 04 24 mov DWORD PTR [esp],eax
87557fc: e8 df 4d fa ff call 86fa5e0
8755801: 89 85 30 fd ff ff mov DWORD PTR [ebp-0x2d0],eax
8755807: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc] ; these 4 instructions
875580b: 89 44 24 04 mov DWORD PTR [esp+4],eax ; are repeated and can
875580f: a1 f0 ed c6 08 mov eax,ds:0x8c6edf0 ; be easily omitted to put
8755814: 89 04 24 mov DWORD PTR [esp],eax ; the comparison code
Code:
bfv_linded.dynamic (patched)
87557ec: 8b 47 04 mov eax,DWORD PTR [edi+4]
87557ef: 83 f8 01 cmp eax,1
87557f2: 0f 85 62 03 00 00 jne 8755b5a
87557f8: 90 90 90 90 nop ; 4 bytes were not needed
87557fc: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8755800: 89 44 24 04 mov DWORD PTR [esp+4],eax
8755804: a1 f0 ed c6 08 mov eax,ds:0x8c6edf0
8755809: 89 04 24 mov DWORD PTR [esp],eax
875580c: e8 cf 4d fa ff call 86fa5e0
8755811: 89 85 30 fd ff ff mov DWORD PTR [ebp-0x2d0],eax
Code:
bfv_linded.static (original)
8752b0c: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8752b10: 89 44 24 04 mov DWORD PTR [esp+4],eax
8752b14: a1 f0 3c cd 08 mov eax,ds:0x8cd3cf0
8752b19: 89 04 24 mov DWORD PTR [esp],eax
8752b1c: e8 df 4d fa ff call 86f7900
8752b21: 89 85 30 fd ff ff mov DWORD PTR [ebp-0x2d0],eax
8752b27: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8752b2b: 89 44 24 04 mov DWORD PTR [esp+4],eax
8752b2f: a1 f0 3c cd 08 mov eax,ds:0x8cd3cf0
8752b34: 89 04 24 mov DWORD PTR [esp],eax
Code:
bfv_linded.static (patched)
8752b0c: 8b 47 04 mov eax,DWORD PTR [edi+4]
8752b0f: 83 f8 01 cmp eax,1
8752b12: 0f 85 62 03 00 00 jne 8752e7a
8752b18: 90 90 90 90 nop
8752b1c: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8752b20: 89 44 24 04 mov DWORD PTR [esp+4],eax
8752b24: a1 f0 3c cd 08 mov eax,ds:0x8cd3cf0
8752b29: 89 04 24 mov DWORD PTR [esp],eax
8752b2c: e8 cf 4d fa ff call 86f7900
8752b31: 89 85 30 fd ff ff mov DWORD PTR [ebp-0x2d0],eax
You can get the patched files from here:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
I'll add the 1.2 Linux patched server files tomorrow.
Re: BF1942 Demo Server Crashes
Posted: Mon Nov 21, 2011 12:09 am
by tuia
Patch for BF Vietnam Linux server version 1.2:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
Code:
bfv_linded.dynamic (original)
8757e05: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8757e09: 89 44 24 04 mov DWORD PTR [esp+4],eax
8757e0d: a1 b0 0a c7 08 mov eax,ds:0x8c70ab0
8757e12: 89 04 24 mov DWORD PTR [esp],eax
8757e15: e8 86 26 fa ff call 86fa4a0
8757e1a: 89 85 4c fc ff ff mov DWORD PTR [ebp-0x3b4],eax
8757e20: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8757e24: 89 44 24 04 mov DWORD PTR [esp+4],eax
8757e28: a1 b0 0a c7 08 mov eax,ds:0x8c70ab0
8757e2d: 89 04 24 mov DWORD PTR [esp],eax
Code:
bfv_linded.dynamic (patched)
8757e05: 8b 47 04 mov eax,DWORD PTR [edi+4]
8757e08: 83 f8 01 cmp eax,1
8757e0b: 0f 85 40 03 00 00 jne 8758151
8757e11: 90 90 90 90 nop
8757e15: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8757e19: 89 44 24 04 mov DWORD PTR [esp+4],eax
8757e1d: a1 b0 0a c7 08 mov eax,ds:0x8c70ab0
8757e22: 89 04 24 mov DWORD PTR [esp],eax
8757e25: e8 76 26 fa ff call 86fa4a0
8757e2a: 89 85 4c fc ff ff mov DWORD PTR [ebp-0x3b4],eax
Code:
bfv_linded.static (original)
8755075: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8755079: 89 44 24 04 mov DWORD PTR [esp+4],eax
875507d: a1 70 92 cc 08 mov eax,ds:0x8cc9270
8755082: 89 04 24 mov DWORD PTR [esp],eax
8755085: e8 86 26 fa ff call 86f7710
875508a: 89 85 4c fc ff ff mov DWORD PTR [ebp-0x3b4],eax
8755090: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8755094: 89 44 24 04 mov DWORD PTR [esp+4],eax
8755098: a1 70 92 cc 08 mov eax,ds:0x8cc9270
875509d: 89 04 24 mov DWORD PTR [esp],eax
Code:
bfv_linded.static (patched)
8755075: 8b 47 04 mov eax,DWORD PTR [edi+4]
8755078: 83 f8 01 cmp eax,1
875507b: 0f 85 40 03 00 00 jne 87553c1
8755081: 90 90 90 90 nop
8755085: 0f b6 47 0c movzx eax,BYTE PTR [edi+0xc]
8755089: 89 44 24 04 mov DWORD PTR [esp+4],eax
875508d: a1 70 92 cc 08 mov eax,ds:0x8cc9270
8755092: 89 04 24 mov DWORD PTR [esp],eax
8755095: e8 76 26 fa ff call 86f7710
875509a: 89 85 4c fc ff ff mov DWORD PTR [ebp-0x3b4],eax
Re: BF1942 Demo Server Crashes
Posted: Sun Nov 27, 2011 11:07 am
by tuia
Battlefield Vietnam Windows server executables patched:
http://estatistic.planetaclix.pt/downlo ... atched.zip
http://estatistic.planetaclix.pt/downlo ... atched.zip
It contains the fix for the new exploit. Check out the other thread for details and the instruction code changed.
The instruction code changed for this fix was:
Code:
bfvietnam_w32ded.exe v1.21 (original)
4953cf: 8d 4e 10 lea ecx,[esi+0x10]
4953d2: 51 push ecx
4953d3: 8d 8c 24 ec 01 00 00 lea ecx,[esp+0x1ec]
4953da: e8 71 d2 f6 ff call 0x402650
4953df: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
4953e3: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
4953e9: 57 push edi
4953ea: 52 push edx
4953eb: e8 20 d0 f8 ff call 0x422410
4953f0: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
4953f6: 50 push eax
4953f7: 0f b6 46 0c movzx eax,BYTE PTR [esi+0xc]
4953fb: 50 push eax
4953fc: e8 9f cf f8 ff call 0x4223a0
495401: 0f b6 4e 0d movzx ecx,BYTE PTR [esi+0xd]
495405: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
Code:
bfvietnam_w32ded.exe v1.21 (patched)
4953cf: 8b 4e 04 mov ecx,DWORD PTR [esi+4]
4953d2: 83 f9 01 cmp ecx,1
4953d5: 0f 85 60 0c 00 00 jne 0x49603b
4953db: 90 nop
4953dc: 90 nop
4953dd: 8d 4e 10 lea ecx,[esi+0x10]
4953e0: 51 push ecx
4953e1: 8d 8c 24 ec 01 00 00 lea ecx,[esp+0x1ec]
4953e8: e8 63 d2 f6 ff call 0x402650
4953ed: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
4953f1: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
4953f7: 57 push edi
4953f8: 52 push edx
4953f9: e8 12 d0 f8 ff call 0x422410
4953fe: 50 push eax
4953ff: 52 push edx
495400: e8 9b cf f8 ff call 0x4223a0
495405: 0f b6 4e 0d movzx ecx,BYTE PTR [esi+0xd]
Code:
bfvietnam_w32ded.exe v1.2 (original)
4952df: 8d 4e 10 lea ecx,[esi+0x10]
4952e2: 51 push ecx
4952e3: 8d 8c 24 ec 01 00 00 lea ecx,[esp+0x1ec]
4952ea: e8 61 d3 f6 ff call 0x402650
4952ef: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
4952f3: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
4952f9: 57 push edi
4952fa: 52 push edx
4952fb: e8 d0 cc f8 ff call 0x421fd0
495300: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
495306: 50 push eax
495307: 0f b6 46 0c movzx eax,BYTE PTR [esi+0xc]
49530b: 50 push eax
49530c: e8 4f cc f8 ff call 0x421f60
495311: 0f b6 4e 0d movzx ecx,BYTE PTR [esi+0xd]
495315: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
Code:
bfvietnam_w32ded.exe v1.2 (patched)
4952df: 8b 4e 04 mov ecx,DWORD PTR [esi+4]
4952e2: 83 f9 01 cmp ecx,1
4952e5: 0f 85 60 0c 00 00 jne 0x495f4b
4952eb: 90 nop
4952ec: 90 nop
4952ed: 8d 4e 10 lea ecx,[esi+0x10]
4952f0: 51 push ecx
4952f1: 8d 8c 24 ec 01 00 00 lea ecx,[esp+0x1ec]
4952f8: e8 53 d3 f6 ff call 0x402650
4952fd: 0f b6 56 0c movzx edx,BYTE PTR [esi+0xc]
495301: 8b 0d c4 b5 bd 00 mov ecx,DWORD PTR ds:0xbdb5c4
495307: 57 push edi
495308: 52 push edx
495309: e8 c2 cc f8 ff call 0x421fd0
49530e: 50 push eax
49530f: 52 push edx
495310: e8 4b cc f8 ff call 0x421f60
495315: 0f b6 4e 0d movzx ecx,BYTE PTR [esi+0xd]
Re: BF1942 Demo Server Crashes
Posted: Sun Nov 27, 2011 9:06 pm
by tuia
Here is the fix for Battlefield 1942 Demo version 1.1:
Code:
BF1942Demo.exe v1.1 (original)
634025: 90 90 90 90 90 90 90 nop
63402c: 90 90 90 90 nop
---
63409f: 8b 0d c4 e9 ba 00 mov ecx,DWORD PTR ds:0xbae9c4
6340a5: 33 d2 xor edx,edx
Code:
BF1942Demo.exe v1.1 (patched)
634025: 8b 56 04 mov edx,DWORD PTR [esi+4]
634028: 83 fa 01 cmp edx,1
63402b: 74 74 je 0x6340a1
63402d: eb 5b jmp 0x63408a
63402f: 90 nop
---
63409f: eb 84 jmp 0x634025
6340a1: 8b 0d c4 e9 ba 00 mov ecx,DWORD PTR ds:0xbae9c4
It consists of a detour and then a check for the correct sequence event number. I'm aware that dierighty published his fix, so this is an alternative method, which I believe is simpler to apply.
You can download the patched server file from this link.
http://estatistic.planetaclix.pt/downlo ... atched.zip
It also contains the fix for the new exploit. Check the other thread for details and the instructions changed.
Note that the original file is not the client file, but the server file obtained from the package mpdemo_server_11.zip.
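Every patch in this thread (dierighty's demo patch, tuia's Linux 1.6/1.61 and BF Vietnam listings, and the Windows executables above) is an in-place byte edit whose correctness rests on two things: the bytes at the target address being exactly the ones the listing shows for that build, and every relocated jump or call carrying a freshly computed displacement. The script below is an added example, not dierighty's or tuia's tooling and not posted anywhere in the thread. It encodes the rel8/rel32 branches so the posted bytes can be checked (for instance the `75 eb` jne to 813d5aa, or the `e8 cf 4d fa ff` call that moved by 16 bytes), maps a virtual address to a file offset through the ELF32 program headers, refuses to write unless the original bytes match (so a wrong build or an already-patched file is caught), and prints the changed runs for the file compare tuia recommends. Assumptions of this example: the Linux server binaries are plain ELF32 i386 files and the addresses in the Linux listings are virtual addresses; the `BF1942_LNX16_DYN` spec is transcribed from the 1.6 dynamic listing; the image it runs on without arguments is a constructed fixture carrying only those 24 original bytes; the `.patched` output name is this example's own.

```python
# Added example: apply and verify the in-place byte patches from this thread.
# Not dierighty's or tuia's tooling.  Assumptions: Linux server binaries are
# ELF32 i386 files, listing addresses are virtual addresses; fixture is constructed.
import struct

def rel_disp(insn_addr, insn_len, target, width):
    """Displacement bytes for a branch at insn_addr that must reach target."""
    disp = target - (insn_addr + insn_len)
    lo, hi = (-128, 127) if width == 1 else (-(1 << 31), (1 << 31) - 1)
    if not lo <= disp <= hi:
        raise ValueError(f"target 0x{target:x} out of range for rel{width * 8}")
    return disp.to_bytes(width, "little", signed=True)

def short_jump(opcode, addr, target):
    """2-byte jmp/jcc rel8: opcode 0xEB=jmp, 0x74=je, 0x75=jne."""
    return bytes([opcode]) + rel_disp(addr, 2, target, 1)

def near_jump(opcode, addr, target):
    """jmp rel32 (E9, 5 bytes) or jcc rel32 (0F 8x, 6 bytes), same opcodes."""
    if opcode == 0xEB:
        return b"\xe9" + rel_disp(addr, 5, target, 4)
    return bytes([0x0F, 0x80 | (opcode & 0x0F)]) + rel_disp(addr, 6, target, 4)

def call_near(addr, target):
    """call rel32 (E8): re-encode whenever a call is moved or retargeted."""
    return b"\xe8" + rel_disp(addr, 5, target, 4)

def vaddr_to_offset(elf, vaddr):
    """File offset of a virtual address via the ELF32 PT_LOAD program headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_off, p_va, _, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_va <= vaddr < p_va + p_filesz:  # PT_LOAD
            return vaddr - p_va + p_off
    raise ValueError(f"0x{vaddr:x} is not backed by any PT_LOAD segment")

def apply_patch(image, offset, old, new):
    """Overwrite old with new at offset, only if the image really carries old."""
    if len(old) != len(new):
        raise ValueError("in-place patch must not change length")
    found = bytes(image[offset:offset + len(old)])
    if found != old:
        state = "already patched" if found == new else f"unexpected {found.hex()} (wrong build?)"
        raise ValueError(f"bytes at 0x{offset:x}: {state}")
    out = bytearray(image)
    out[offset:offset + len(new)] = new
    return bytes(out)

def diff_images(a, b):
    """Runs of differing bytes as (offset, old, new): the file-compare step."""
    if len(a) != len(b):
        raise ValueError("sizes differ")
    runs, i = [], 0
    while i < len(a):
        if a[i] == b[i]:
            i += 1
        else:
            j = next((k for k in range(i, len(a)) if a[k] == b[k]), len(a))
            runs.append((i, bytes(a[i:j]), bytes(b[i:j])))
            i = j
    return runs

# bf1942_lnxded.dynamic 1.6, transcribed from the listing above: 24 bytes at
# 0x813d5b7.  The jne is produced by the encoder rather than copied, so the
# encoder is checked against the posted bytes (75 eb -> 813d5aa).
BF1942_LNX16_DYN = {
    "addr": 0x813D5B7,
    "old": bytes.fromhex("b800000000 8b5d10 8945c8 8945cc 8945d0 50 8d7598 50 31c0"),
    "new": bytes.fromhex("8b4304 83f801") + short_jump(0x75, 0x813D5BD, 0x813D5AA)
           + bytes.fromhex("31c0 8945c8 8945cc 8945d0 8d7598 50 50"),
}

def patch_image(elf, spec):
    off = vaddr_to_offset(elf, spec["addr"])
    return apply_patch(elf, off, spec["old"], spec["new"])

def sample_image():
    """Constructed ELF32 i386 fixture: one PT_LOAD segment (file 0x1000 -> VA
    0x813d000) carrying only the original 1.6 bytes at 0x813d5b7."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0x1000, 0x813D000, 0x813D000, 0x1000, 0x1000, 5, 0x1000)
    img = bytearray(0x2000)
    img[:52], img[52:84] = ehdr, phdr
    img[0x15B7:0x15B7 + 24] = BF1942_LNX16_DYN["old"]
    return bytes(img)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    dst = patch_image(src, BF1942_LNX16_DYN)
    for off, old, new in diff_images(src, dst):
        print(f"0x{off:x}: {old.hex()} -> {new.hex()}")
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(dst)
```

Run it as `python patchbf.py bf1942_lnxded.dynamic` to write `bf1942_lnxded.dynamic.patched` and print the changed run; without an argument it patches the constructed fixture. The 1.61, static and BF Vietnam variants only need their own address and old/new bytes transcribed from the listings into another spec dict. The Windows listings from tuia use 0x4953cf-style addresses that appear to be PE virtual addresses (dierighty's 8b403-style numbers are file offsets), so for those a PE section-table lookup would take the place of `vaddr_to_offset`; that is not included here.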