BF1942 Demo Server Crashes

dierighty
Posts: 11
Joined: Fri Jul 29, 2011 5:38 pm

Re: BF1942 Demo Server Crashes

Post by dierighty »

This patch is for the newer version of the demo, v1.1
1. Modify before func.0048b410

[offset] [modified bytes] [instruction]              
8b403    8b 45 04         mov eax,dword ptr[ebp+0x4]
8b406    83 f8 01         cmp eax,1
8b409    74 05            je 0048b410
8b40b    eb 29            jmp 0048b436 
2. Modify after func.0048b410

[offset] [modified bytes] [instruction]
8b436     68 65 47 63 00  push 00634765   ;jump to case 11 to continue without crash
8b43b     c2 08 00        retn 8    
3. Modify the call to func.0048b410

[offset] [modified bytes] [instruction]
2340ab    e8 53 73 e5 ff  call 0048b403    ;modify the call to func.0048b410 so it goes to 0048b403 instead
// The file offsets in the .exe differ between demo v1.1 and demo v1.0; however, the relative jumps still work,
// so only the func call and the push instruction needed to be modified.
Senshi
Posts: 697
Joined: Sun Oct 18, 2009 1:14 pm
Location: Germany

Re: BF1942 Demo Server Crashes

Post by Senshi »

MOD Senshi:
-- Regarding the ugly stuff posted here --
This is not really related to the thread; we are discussing technical issues here and not any spite you or any clans might have. It's a sad thing this exploit is being used to disturb anyone's gameplay, and we are plainly happy to have found a solution for everyone here. Highest gratitude to dierighty is appreciated, but please keep your posts on the thread topic. So I'm moving the OT stuff out of here:
http://bfmods.com/viewtopic.php?f=45&t=1124

Simultaneously, I ask you to refrain from starting a flamewar in the new thread, or else you'll get the thread locked insanely quickly. bfmods.com is a constructive website focused on collaborative and supportive behaviour revolving around the Battlefield series (but mostly focusing on BF42) and certainly not an everyday chat forum. Interest in flamewars is nonexistent. Thank you for your cooperation.
¦RC¦ RockinAngeLX
Posts: 1
Joined: Sun Sep 11, 2011 5:36 pm
Location: CANADA

Re: BF1942 Demo Server Crashes

Post by ¦RC¦ RockinAngeLX »

Thank you Senshi for deleting those posts... Have to deal with it enough as is, don't need it here too. :D

And I have to thank Dierighty again, for all his help and dedication.

I am happy to report that this fix does an amazing job.

What Dierighty's patch does, when the exploit is used on the server, is add the load to the player.
This causes the player to ping out and lag instead of the server.
The more they try, the higher their ping goes, until eventually they are forced to disconnect.
Awesome!

Anywho, I thought those involved here would appreciate knowing what the effects of this fix are/have been on BF Demo Servers.

Again... Dierighty... Thank you. From all of us in BF Community.

¦RC¦ RockinAngeLX
Android
Posts: 5
Joined: Fri Aug 06, 2010 3:30 am

Re: BF1942 Demo Server Crashes

Post by Android »

Could you please post the fix for the 1.6 Linux version? Would be greatly appreciated, thanks in advance!
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

Following dierighty's instructions, I've patched the BF1942 Linux server version 1.6 executables, static and dynamic.

Detour:

bf1942_lnxded.dynamic (Original)
 813d5b7:	b8 00 00 00 00       	mov    eax,0
 813d5bc:	8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10]
 813d5bf:	89 45 c8             	mov    DWORD PTR [ebp-0x38],eax
 813d5c2:	89 45 cc             	mov    DWORD PTR [ebp-0x34],eax
 813d5c5:	89 45 d0             	mov    DWORD PTR [ebp-0x30],eax
 813d5c8:	50                   	push   eax
 813d5c9:	8d 75 98             	lea    esi,[ebp-0x68]
 813d5cc:	50                   	push   eax
 813d5cd:	31 c0                	xor    eax,eax
 813d5cf:	8a 43 0c             	mov    al,BYTE PTR [ebx+0xc]

bf1942_lnxded.dynamic (Patched)
 813d5b7:	8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10]
 813d5ba:	8b 43 04             	mov    eax,DWORD PTR [ebx+4]
 813d5bd:	eb 83                	jmp    813d542
 813d5bf:	31 c0                	xor    eax,eax
 813d5c1:	89 45 c8             	mov    DWORD PTR [ebp-0x38],eax
 813d5c4:	89 45 cc             	mov    DWORD PTR [ebp-0x34],eax
 813d5c7:	89 45 d0             	mov    DWORD PTR [ebp-0x30],eax
 813d5ca:	50                   	push   eax
 813d5cb:	8d 75 98             	lea    esi,[ebp-0x68]
 813d5ce:	50                   	push   eax
 813d5cf:	8a 43 0c             	mov    al,BYTE PTR [ebx+0xc]
Comparison:

bf1942_lnxded.dynamic (Original)
 813d542:	8d b4 26 00 00 00 00 	// padding bytes
 813d549:	8d bc 27 00 00 00 00 	// padding bytes

bf1942_lnxded.dynamic (Patched)
 813d542:	83 f8 01             	cmp    eax,1
 813d545:	74 78                	je     813d5bf
 813d547:	e9 74 03 00 00       	jmp    813d8c0
 813d54c:	90 90 90 90 90       	nop
The bytes changed are exactly the same for the bf1942_lnxded.static executable; the only difference is in the addresses. The detour for static starts at 0x08136297 and the comparison starts at 0x08136222.
I can upload the patched executable files.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

I've reworked the code for the patch and managed to squeeze 8 bytes of code for the comparison, so there is no need for a detour now. It saves some CPU cycles and it's also easier to patch. Here are the instructions for Linux server version 1.6 dynamic executable:

bf1942_lnxded.dynamic (original)
 813d5b7:	b8 00 00 00 00       	mov    eax,0                    ; this instruction can be replaced with xor eax,eax
 813d5bc:	8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10] ; ebx already has this value
 813d5bf:	89 45 c8             	mov    DWORD PTR [ebp-0x38],eax
 813d5c2:	89 45 cc             	mov    DWORD PTR [ebp-0x34],eax
 813d5c5:	89 45 d0             	mov    DWORD PTR [ebp-0x30],eax
 813d5c8:	50                   	push   eax
 813d5c9:	8d 75 98             	lea    esi,[ebp-0x68]
 813d5cc:	50                   	push   eax
 813d5cd:	31 c0                	xor    eax,eax                  ; this instruction can be omitted since eax is preserved

bf1942_lnxded.dynamic (patched)
 813d5b7:	8b 43 04             	mov    eax,DWORD PTR [ebx+4]
 813d5ba:	83 f8 01             	cmp    eax,1
 813d5bd:	75 eb                	jne    813d5aa
 813d5bf:	31 c0                	xor    eax,eax
 813d5c1:	89 45 c8             	mov    DWORD PTR [ebp-0x38],eax
 813d5c4:	89 45 cc             	mov    DWORD PTR [ebp-0x34],eax
 813d5c7:	89 45 d0             	mov    DWORD PTR [ebp-0x30],eax
 813d5ca:	8d 75 98             	lea    esi,[ebp-0x68]
 813d5cd:	50                   	push   eax
 813d5ce:	50                   	push   eax
Same procedure for the static file; however, the beginning address is 0x08136297.
I've also patched for Linux server version 1.61. Same instructions, beginning addresses are 0x08135d17 for static and 0x0813cd87 for dynamic.
For those who aren't comfortable hex editing the files (it's pretty simple using a free hex editor like XVI32), I've uploaded the files. I've tested them myself, so here they are:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
You should do a file compare with the respective original files, in case you want to double check the changes.
Last edited by tuia on Thu Nov 24, 2011 12:01 am, edited 1 time in total.
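The procedure in the posts above (dierighty's file-offset patches and tuia's address-based ones) is a hand hex edit: find the original byte sequence, overwrite it with the new one, then do a file compare. The script below is an added example written for this page, not code from the thread or from the game; it automates that procedure so a patch meant for a different build is refused instead of corrupting the binary, maps the virtual addresses shown in the objdump-style listings to file offsets through the ELF32 program headers (Windows PE section mapping is not covered; for a patch list that already uses file offsets, as dierighty's does, pass `lambda image, off: off` as the mapper), and decodes and encodes x86 relative branches so the displacement bytes in a listing can be checked before they are written. The 24 original and patched bytes are copied from the bf1942_lnxded.dynamic v1.6 listing above; the ELF image wrapped around them is constructed here as a stand-in for the real server executable.

```python
# Added example (not from the bfmods thread): verify-then-write binary patching with
# ELF32 VA -> file offset mapping and x86 rel8/rel32 branch helpers. The code bytes are
# taken from the v1.6 dynamic listing; the ELF image around them is constructed below.
import struct

PT_LOAD = 1


def elf32_va_to_offset(image: bytes, va: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD headers of a
    little-endian ELF32 image. Raises ValueError if `va` is not file-backed."""
    if image[:4] != b"\x7fELF" or image[4] != 1 or image[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", image, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x2A)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<5I", image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError("va 0x%x is not inside a file-backed PT_LOAD segment" % va)


def branch_target(addr: int, insn: bytes) -> int:
    """Decode where a relative jmp/jcc/call at `addr` lands:
    eb and 7x are rel8; e8, e9 and 0f 8x are rel32."""
    op = insn[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return (addr + 2 + struct.unpack("<b", insn[1:2])[0]) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):
        return (addr + 5 + struct.unpack("<i", insn[1:5])[0]) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= insn[1] <= 0x8F:
        return (addr + 6 + struct.unpack("<i", insn[2:6])[0]) & 0xFFFFFFFF
    raise ValueError("not a relative branch: " + insn.hex())


def encode_branch(opcode: bytes, addr: int, target: int) -> bytes:
    """Encode a relative branch (opcode b'\\xeb', b'\\x75', b'\\xe9', b'\\x0f\\x85', ...)
    placed at `addr` so that it lands on `target`."""
    if len(opcode) == 1 and (opcode[0] == 0xEB or 0x70 <= opcode[0] <= 0x7F):
        disp = target - (addr + 2)
        if not -128 <= disp <= 127:
            raise ValueError("0x%x is out of rel8 range from 0x%x" % (target, addr))
        return opcode + struct.pack("<b", disp)
    return opcode + struct.pack("<i", target - (addr + len(opcode) + 4))


def apply_patches(image: bytes, patches, va_to_offset=elf32_va_to_offset) -> bytes:
    """patches: iterable of (address, original_bytes, patched_bytes). Every original
    sequence is checked before anything is written, so a patch for another build
    (different addresses, as the posts warn) is refused. Sizes must not change."""
    out = bytearray(image)
    for addr, original, patched in patches:
        if len(original) != len(patched):
            raise ValueError("patch at 0x%x changes the code size" % addr)
        off = va_to_offset(image, addr)
        found = bytes(out[off:off + len(original)])
        if found != original:
            raise ValueError("at 0x%x expected %s, found %s" % (addr, original.hex(), found.hex()))
        out[off:off + len(patched)] = patched
    return bytes(out)


def patch_applies(image: bytes, patches, va_to_offset=elf32_va_to_offset) -> bool:
    """Dry run: True only if every original byte sequence is present."""
    try:
        apply_patches(image, patches, va_to_offset)
        return True
    except ValueError:
        return False


# 24 bytes at VA 0x813d5b7, copied from the bf1942_lnxded.dynamic v1.6 listing.
ORIGINAL_1_6 = bytes.fromhex("b800000000 8b5d10 8945c8 8945cc 8945d0 50 8d7598 50 31c0")
PATCHED_1_6 = bytes.fromhex("8b4304 83f801 75eb 31c0 8945c8 8945cc 8945d0 8d7598 50 50")
PATCH_VA = 0x813D5B7


def make_fake_elf(code: bytes, code_va: int, seg_vaddr: int = 0x813D000) -> bytes:
    """Constructed stand-in for the server binary: a 4 KiB ELF32 image with one
    PT_LOAD segment at `seg_vaddr` (file offset 0) holding `code` at `code_va`."""
    img = bytearray(0x1000)
    img[0:52] = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                            2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    img[52:84] = struct.pack("<8I", PT_LOAD, 0, seg_vaddr, seg_vaddr, 0x1000, 0x1000, 5, 0x1000)
    off = code_va - seg_vaddr
    img[off:off + len(code)] = code
    return bytes(img)


def patch_demo() -> bytes:
    """Patch the constructed image and return the bytes now at the patch site."""
    image = make_fake_elf(ORIGINAL_1_6, PATCH_VA)
    patched = apply_patches(image, [(PATCH_VA, ORIGINAL_1_6, PATCHED_1_6)])
    off = elf32_va_to_offset(patched, PATCH_VA)
    return patched[off:off + len(PATCHED_1_6)]


if __name__ == "__main__":
    print(patch_demo().hex(" "))
    print(hex(branch_target(0x813D5BD, PATCHED_1_6[6:8])))  # the jne in the patch
```

The size check matters because every patch in this thread is size-neutral by construction (tuia reorders or drops redundant instructions to make room); a patch that changed instruction lengths would shift every relative branch after it. The branch helpers let you confirm the listed encodings: `75 eb` at 0x813d5bd decodes to 0x813d5aa, `0f 85 62 03 00 00` at 0x87557f2 to 0x8755b5a, and dierighty's `e8 53 73 e5 ff` at file offset 0x2340ab to offset 0x8b403.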
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

Here are the instructions for patching BF Vietnam Linux server version 1.21 dynamic and static files.

bfv_linded.dynamic (original)
 87557ec:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 87557f0:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 87557f4:	a1 f0 ed c6 08       	mov    eax,ds:0x8c6edf0
 87557f9:	89 04 24             	mov    DWORD PTR [esp],eax
 87557fc:	e8 df 4d fa ff       	call   86fa5e0
 8755801:	89 85 30 fd ff ff    	mov    DWORD PTR [ebp-0x2d0],eax
 8755807:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]    ; these 4 instructions
 875580b:	89 44 24 04          	mov    DWORD PTR [esp+4],eax     ; are repeated and can 
 875580f:	a1 f0 ed c6 08       	mov    eax,ds:0x8c6edf0          ; be easily omitted to put
 8755814:	89 04 24             	mov    DWORD PTR [esp],eax       ; the comparison code

bfv_linded.dynamic (patched)
 87557ec:	8b 47 04             	mov    eax,DWORD PTR [edi+4]
 87557ef:	83 f8 01             	cmp    eax,1
 87557f2:	0f 85 62 03 00 00    	jne    8755b5a
 87557f8:	90 90 90 90          	nop                              ; 4 bytes were not needed                 
 87557fc:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8755800:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8755804:	a1 f0 ed c6 08       	mov    eax,ds:0x8c6edf0
 8755809:	89 04 24             	mov    DWORD PTR [esp],eax
 875580c:	e8 cf 4d fa ff       	call   86fa5e0
 8755811:	89 85 30 fd ff ff    	mov    DWORD PTR [ebp-0x2d0],eax

bfv_linded.static (original)
 8752b0c:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8752b10:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8752b14:	a1 f0 3c cd 08       	mov    eax,ds:0x8cd3cf0
 8752b19:	89 04 24             	mov    DWORD PTR [esp],eax
 8752b1c:	e8 df 4d fa ff       	call   86f7900
 8752b21:	89 85 30 fd ff ff    	mov    DWORD PTR [ebp-0x2d0],eax
 8752b27:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8752b2b:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8752b2f:	a1 f0 3c cd 08       	mov    eax,ds:0x8cd3cf0
 8752b34:	89 04 24             	mov    DWORD PTR [esp],eax

bfv_linded.static (patched)
 8752b0c:	8b 47 04             	mov    eax,DWORD PTR [edi+4]
 8752b0f:	83 f8 01             	cmp    eax,1
 8752b12:	0f 85 62 03 00 00    	jne    8752e7a
 8752b18:	90 90 90 90          	nop
 8752b1c:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8752b20:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8752b24:	a1 f0 3c cd 08       	mov    eax,ds:0x8cd3cf0
 8752b29:	89 04 24             	mov    DWORD PTR [esp],eax
 8752b2c:	e8 cf 4d fa ff       	call   86f7900
 8752b31:	89 85 30 fd ff ff    	mov    DWORD PTR [ebp-0x2d0],eax
You can get the patched files from here:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
I'll add tomorrow the 1.2 Linux patched server files.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

Patch for BF Vietnam Linux server version 1.2:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz

bfv_linded.dynamic (original)
 8757e05:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8757e09:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8757e0d:	a1 b0 0a c7 08       	mov    eax,ds:0x8c70ab0
 8757e12:	89 04 24             	mov    DWORD PTR [esp],eax
 8757e15:	e8 86 26 fa ff       	call   86fa4a0
 8757e1a:	89 85 4c fc ff ff    	mov    DWORD PTR [ebp-0x3b4],eax
 8757e20:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8757e24:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8757e28:	a1 b0 0a c7 08       	mov    eax,ds:0x8c70ab0
 8757e2d:	89 04 24             	mov    DWORD PTR [esp],eax

bfv_linded.dynamic (patched)
 8757e05:	8b 47 04             	mov    eax,DWORD PTR [edi+4]
 8757e08:	83 f8 01             	cmp    eax,1
 8757e0b:	0f 85 40 03 00 00    	jne    8758151
 8757e11:	90 90 90 90          	nop
 8757e15:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8757e19:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8757e1d:	a1 b0 0a c7 08       	mov    eax,ds:0x8c70ab0
 8757e22:	89 04 24             	mov    DWORD PTR [esp],eax
 8757e25:	e8 76 26 fa ff       	call   86fa4a0
 8757e2a:	89 85 4c fc ff ff    	mov    DWORD PTR [ebp-0x3b4],eax

bfv_linded.static (original)
 8755075:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8755079:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 875507d:	a1 70 92 cc 08       	mov    eax,ds:0x8cc9270
 8755082:	89 04 24             	mov    DWORD PTR [esp],eax
 8755085:	e8 86 26 fa ff       	call   86f7710
 875508a:	89 85 4c fc ff ff    	mov    DWORD PTR [ebp-0x3b4],eax
 8755090:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8755094:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 8755098:	a1 70 92 cc 08       	mov    eax,ds:0x8cc9270
 875509d:	89 04 24             	mov    DWORD PTR [esp],eax

bfv_linded.static (patched)
 8755075:	8b 47 04             	mov    eax,DWORD PTR [edi+4]
 8755078:	83 f8 01             	cmp    eax,1
 875507b:	0f 85 40 03 00 00    	jne    87553c1
 8755081:	90 90 90 90          	nop
 8755085:	0f b6 47 0c          	movzx  eax,BYTE PTR [edi+0xc]
 8755089:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 875508d:	a1 70 92 cc 08       	mov    eax,ds:0x8cc9270
 8755092:	89 04 24             	mov    DWORD PTR [esp],eax
 8755095:	e8 76 26 fa ff       	call   86f7710
 875509a:	89 85 4c fc ff ff    	mov    DWORD PTR [ebp-0x3b4],eax
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

Battlefield Vietnam Windows server executables patched:
http://estatistic.planetaclix.pt/downlo ... atched.zip
http://estatistic.planetaclix.pt/downlo ... atched.zip
It contains the fix for the new exploit. Check out the other thread for details and the instruction code changed.
The instruction code changed for this fix was:

bfvietnam_w32ded.exe v1.21 (original)
  4953cf:	8d 4e 10             	lea    ecx,[esi+0x10]
  4953d2:	51                   	push   ecx
  4953d3:	8d 8c 24 ec 01 00 00 	lea    ecx,[esp+0x1ec]
  4953da:	e8 71 d2 f6 ff       	call   0x402650
  4953df:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]
  4953e3:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  4953e9:	57                   	push   edi
  4953ea:	52                   	push   edx
  4953eb:	e8 20 d0 f8 ff       	call   0x422410
  4953f0:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  4953f6:	50                   	push   eax
  4953f7:	0f b6 46 0c          	movzx  eax,BYTE PTR [esi+0xc]
  4953fb:	50                   	push   eax
  4953fc:	e8 9f cf f8 ff       	call   0x4223a0
  495401:	0f b6 4e 0d          	movzx  ecx,BYTE PTR [esi+0xd]
  495405:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]

bfvietnam_w32ded.exe v1.21 (patched)
  4953cf:	8b 4e 04             	mov    ecx,DWORD PTR [esi+4]
  4953d2:	83 f9 01             	cmp    ecx,1
  4953d5:	0f 85 60 0c 00 00    	jne    0x49603b
  4953db:	90                   	nop
  4953dc:	90                   	nop
  4953dd:	8d 4e 10             	lea    ecx,[esi+0x10]
  4953e0:	51                   	push   ecx
  4953e1:	8d 8c 24 ec 01 00 00 	lea    ecx,[esp+0x1ec]
  4953e8:	e8 63 d2 f6 ff       	call   0x402650
  4953ed:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]
  4953f1:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  4953f7:	57                   	push   edi
  4953f8:	52                   	push   edx
  4953f9:	e8 12 d0 f8 ff       	call   0x422410
  4953fe:	50                   	push   eax
  4953ff:	52                   	push   edx
  495400:	e8 9b cf f8 ff       	call   0x4223a0
  495405:	0f b6 4e 0d          	movzx  ecx,BYTE PTR [esi+0xd]

bfvietnam_w32ded.exe v1.2 (original)
  4952df:	8d 4e 10             	lea    ecx,[esi+0x10]
  4952e2:	51                   	push   ecx
  4952e3:	8d 8c 24 ec 01 00 00 	lea    ecx,[esp+0x1ec]
  4952ea:	e8 61 d3 f6 ff       	call   0x402650
  4952ef:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]
  4952f3:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  4952f9:	57                   	push   edi
  4952fa:	52                   	push   edx
  4952fb:	e8 d0 cc f8 ff       	call   0x421fd0
  495300:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  495306:	50                   	push   eax
  495307:	0f b6 46 0c          	movzx  eax,BYTE PTR [esi+0xc]
  49530b:	50                   	push   eax
  49530c:	e8 4f cc f8 ff       	call   0x421f60
  495311:	0f b6 4e 0d          	movzx  ecx,BYTE PTR [esi+0xd]
  495315:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]

bfvietnam_w32ded.exe v1.2 (patched)
  4952df:	8b 4e 04             	mov    ecx,DWORD PTR [esi+4]
  4952e2:	83 f9 01             	cmp    ecx,1
  4952e5:	0f 85 60 0c 00 00    	jne    0x495f4b
  4952eb:	90                   	nop
  4952ec:	90                   	nop
  4952ed:	8d 4e 10             	lea    ecx,[esi+0x10]
  4952f0:	51                   	push   ecx
  4952f1:	8d 8c 24 ec 01 00 00 	lea    ecx,[esp+0x1ec]
  4952f8:	e8 53 d3 f6 ff       	call   0x402650
  4952fd:	0f b6 56 0c          	movzx  edx,BYTE PTR [esi+0xc]
  495301:	8b 0d c4 b5 bd 00    	mov    ecx,DWORD PTR ds:0xbdb5c4
  495307:	57                   	push   edi
  495308:	52                   	push   edx
  495309:	e8 c2 cc f8 ff       	call   0x421fd0
  49530e:	50                   	push   eax
  49530f:	52                   	push   edx
  495310:	e8 4b cc f8 ff       	call   0x421f60
  495315:	0f b6 4e 0d          	movzx  ecx,BYTE PTR [esi+0xd]
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Demo Server Crashes

Post by tuia »

Here is the fix for Battlefield 1942 Demo version 1.1:

BF1942Demo.exe v1.1 (original)
  634025:	90 90 90 90 90 90 90 	nop
  63402c:	90 90 90 90          	nop
---
  63409f:	8b 0d c4 e9 ba 00    	mov    ecx,DWORD PTR ds:0xbae9c4
  6340a5:	33 d2                	xor    edx,edx

BF1942Demo.exe v1.1 (patched)
  634025:	8b 56 04             	mov    edx,DWORD PTR [esi+4]
  634028:	83 fa 01             	cmp    edx,1
  63402b:	74 74                	je     0x6340a1
  63402d:	eb 5b                	jmp    0x63408a
  63402f:	90                   	nop
---
  63409f:	eb 84                	jmp    0x634025
  6340a1:	8b 0d c4 e9 ba 00    	mov    ecx,DWORD PTR ds:0xbae9c4
It consists of a detour and then a check for the correct sequence event number. I'm aware that dierighty published his fix, so this is an alternative method, which I believe is simpler to apply.
You can download the patched server file from this link.
http://estatistic.planetaclix.pt/downlo ... atched.zip
It also contains the fix for the new exploit. Check the other thread for details and the instructions changed.
Note that the original file is not the client file but the server file obtained from the package mpdemo_server_11.zip.