All credits and gratitude are due to dierighty, who alone found the exploit in the code and the correct plug for it for each server executable version!
The second CTD exploit has been fixed by tuia, who is creating the new fixes.
All f2 fixes contain the f1 fix!
v1.61 WINDOWS+LINUX f2
Download 1.61 Linux - Mirror - Download 1.61 Linux
Download 1.61 Windows - Mirror - Download 1.61 Windows
v1.6 WINDOWS+LINUX f2
Download 1.6 Linux - Mirror - Download 1.6 Linux
Download 1.6 Windows - Mirror - Download 1.6 Windows
v1.1 DEMO WINDOWS f1
v1.0 DEMO WINDOWS f1
LINUX 1.61 f2
bf1942_lnxded.dynamic (original) v1.61
813ddb6: 31 c0 xor eax,eax
813ddb8: 8a 46 0d mov al,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 50 push eax
813ddbe: 50 push eax
813ddbf: 8b 85 2c fd ff ff mov eax,DWORD PTR [ebp-0x2d4]
813ddc5: 50 push eax
813ddc6: e8 f5 f2 fd ff call 811d0c0
813ddcb: 59 pop ecx
813ddcc: 5e pop esi
813ddcd: 50 push eax
813ddce: 57 push edi
bf1942_lnxded.dynamic (patched) v1.61
813ddb6: 31 c9 xor ecx,ecx
813ddb8: 8a 4e 0d mov cl,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 51 push ecx
813ddbe: 51 push ecx
813ddbf: 8b 8d 2c fd ff ff mov ecx,DWORD PTR [ebp-0x2d4]
813ddc5: 5e pop esi
813ddc6: 50 push eax
813ddc7: 57 push edi
813ddc8: 4e dec esi
813ddc9: 83 fe 01 cmp esi,1
813ddcc: 77 07 ja 813ddd5
813ddce: 46 inc esi
The same instructions are to be applied to the static file, starting at address 0x08136d46.
Download 1.61 Linux
LINUX 1.6 f2
It is the same as for 1.61, but the beginning address for the dynamic binary is 0x0813e5e6 and for the static binary 0x081372c6.
Download 1.6 Linux
WINDOWS 1.61 f2
BF1942_w32ded v1.61 (original)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 8b d8 mov ebx,eax
45aad9: 85 db test ebx,ebx
45aadb: 0f 84 b0 06 00 00 je 0x45b191
45aae1: 8b cb mov ecx,ebx
45aae3: e8 28 ca 23 00 call 0x697510
45aae8: 85 c0 test eax,eax
45aaea: 0f 84 a1 06 00 00 je 0x45b191
45aaf0: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aaf4: 8b 2e mov ebp,DWORD PTR [esi]
45aaf6: 52 push edx
45aaf7: 8b cb mov ecx,ebx
45aaf9: e8 12 ca 23 00 call 0x697510
45aafe: 50 push eax
45aaff: 8b ce mov ecx,esi
45ab01: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45ab07: e9 85 06 00 00 jmp 0x45b191
BF1942_w32ded v1.61 (patched)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 85 c0 test eax,eax
45aad9: 74 1e je 0x45aaf9
45aadb: 8b 40 04 mov eax,DWORD PTR [eax+4]
45aade: 85 c0 test eax,eax
45aae0: 74 17 je 0x45aaf9
45aae2: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aae6: 4a dec edx
45aae7: 83 fa 01 cmp edx,1
45aaea: 77 0d ja 0x45aaf9
45aaec: 42 inc edx
45aaed: 8b 2e mov ebp,DWORD PTR [esi]
45aaef: 52 push edx
45aaf0: 50 push eax
45aaf1: 8b ce mov ecx,esi
45aaf3: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45aaf9: e9 93 06 00 00 jmp 0x45b191
45aafe: 90 90 90 90 90 90 nop
45ab04: 90 90 90 90 90 90 nop
45ab0a: 90 90 nop
Download 1.61 Windows
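Applying a fix like the one above by hand in a hex editor is error-prone: the wrong build, an already-patched file, or a one-byte slip all produce a silently broken server. The script below is an added example, not code from the original post or from dierighty/tuia. It takes the original and patched byte sequences for BF1942_w32ded v1.61 exactly as listed above (61 bytes starting at 0x45aacf, the patched sequence being the one that adds the range check on the byte at [edi+0xd] and then pads with nop), maps the virtual address to a file offset through the PE32 section table, refuses to write unless the bytes at that offset match the original listing, and is idempotent on an already-fixed file. The sample image it builds for the self-test is a constructed minimal PE, not the real game binary; the real file is patched by passing its path on the command line.

```python
"""Verify and apply the v1.61 Windows f2 fix with original-byte checking.

Added example (not from the original post). Assumes the server binary is an
ordinary PE32 image, so that the VA quoted in the listing can be mapped to a
file offset via the section table. The byte sequences are transcribed from
the post's "original" and "patched" listings for BF1942_w32ded v1.61.
"""
import struct
import sys

W32DED_161_VA = 0x45AACF  # first patched instruction, from the listing

# 45aacf..45ab0b as listed in the original binary (61 bytes)
W32DED_161_ORIGINAL = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 8b d8 85 db 0f 84 b0 06 00 00 "
    "8b cb e8 28 ca 23 00 85 c0 0f 84 a1 06 00 00 "
    "0f b6 57 0d 8b 2e 52 8b cb e8 12 ca 23 00 50 8b ce "
    "ff 95 40 01 00 00 e9 85 06 00 00 "
)
# same span after the fix: bounds check on [edi+0xd], then 14 x nop padding
W32DED_161_PATCHED = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 85 c0 74 1e 8b 40 04 85 c0 74 17 "
    "0f b6 57 0d 4a 83 fa 01 77 0d 42 8b 2e 52 50 8b ce "
    "ff 95 40 01 00 00 e9 93 06 00 00 "
) + b"\x90" * 14


def pe_va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to a file offset using the PE32 section table."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    (image_base,) = struct.unpack_from("<I", image, opt + 28)
    rva = va - image_base
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not backed by any section")


def patch_status(data: bytes, offset: int, original: bytes, patched: bytes) -> str:
    """Report whether the bytes at offset are the original, the fix, or neither."""
    window = data[offset:offset + len(original)]
    if window == original:
        return "original"
    if window == patched:
        return "patched"
    return "unknown"


def apply_fix(data: bytes, offset: int, original: bytes, patched: bytes) -> bytes:
    """Return data with the fix applied; refuse to touch unrecognised bytes."""
    if len(original) != len(patched):
        raise ValueError("a fix must not change the size of the code span")
    status = patch_status(data, offset, original, patched)
    if status == "patched":
        return data  # already fixed, nothing to do
    if status != "original":
        raise ValueError("bytes do not match the original listing: wrong build or modified file")
    return data[:offset] + patched + data[offset + len(patched):]


def fix_w32ded_161(image: bytes) -> bytes:
    """Apply the v1.61 Windows f2 fix to a PE32 image held in memory."""
    offset = pe_va_to_file_offset(image, W32DED_161_VA)
    return apply_fix(image, offset, W32DED_161_ORIGINAL, W32DED_161_PATCHED)


def build_sample_image() -> bytes:
    """Constructed minimal PE32 (not the game binary) for a self-test:
    image base 0x400000, one .text section at RVA 0x1000 / raw 0x400,
    with the original v1.61 bytes placed at VA 0x45aacf."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x1000, 0x400, 0x60000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    pe = 0x80
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sec = opt + 224
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, text_size, text_rva, text_size, text_raw)
    body = bytearray(text_size)
    at = W32DED_161_VA - image_base - text_rva
    body[at:at + len(W32DED_161_ORIGINAL)] = W32DED_161_ORIGINAL
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_image()
    fixed = fix_w32ded_161(data)
    if path:
        open(path + ".f2", "wb").write(fixed)
    print("status:", patch_status(fixed, pe_va_to_file_offset(fixed, W32DED_161_VA),
                                  W32DED_161_ORIGINAL, W32DED_161_PATCHED))
```

The Linux builds are ELF, so the VA-to-offset step there goes through the program headers instead, and the demo listings below already give file offsets, which can be passed straight to apply_fix; only the byte sequences change.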
WINDOWS v1.6 f2
For the BF1942 Windows v1.6 server executable, the beginning address at which to apply the same instructions is 0x0045aaaf.
Download 1.6 Windows
The BF1942 Windows v1.6 server binary also contains a fix for an old public exploit (at 0x00442370, one byte changed from 7f to 77), to which it was not immune.
WINDOWS v1.1 DEMO f1
1. Modify before func.0048b410
[offset] [modified bytes] [instruction]
8b403 8b 45 04 mov eax,dword ptr[ebp+0x4]
8b406 83 f8 01 cmp eax,1
8b409 74 05 je 0048b410
8b40b eb 29 jmp 0048b436
2. Modify after func.0048b410
[offset] [modified bytes] [instruction]
8b436 68 65 47 63 00 push 00634765 ;jump to case 11 to continue without crash
8b43b c2 08 00 retn 8
3. Modify call to func.0048b410
[offset] [modified bytes] [instruction]
2340ab e8 53 73 e5 ff call ;modify call to func.0048b410 so it goes to 0048b403 instead
WINDOWS v1.0 DEMO f1
The file offsets in the .exe differ between demo v1.1 and demo v1.0, but the relative jumps still work; only the function call and the push instruction need to be modified.
If somebody can provide me with the compiled versions of the executables (or even a single one of them), I will add them directly as download links here (hosted on the stable and good bfmods server) so everyone can easily retrieve them without any possibility of making mistakes, as not everyone is sure-footed in hex editing.
Updated on 24.11.11 - Added the f2 fixed versions for 1.61 and 1.6 as well as DL links for them