BF1942 Server Crash Exploit FIX - Updated executables HERE

[Senshi]

This is just a new thread in order to consolidate the results from this thread: BF1942 Demo Server Crashes

All credits and gratitude are due to dierighty, who alone has found the exploit in the code and the correct plug for it for each exec version!

The second CTD exploit has been fixed by tuia, who is creating the new fixes.

All f2 fixes contain the f1 fix!

v1.61 WINDOWS+LINUX f2
Download 1.61 Linux - Mirror - Download 1.61 Linux
Download 1.61 Windows - Mirror - Download 1.61 Windows

v1.6 WINDOWS+LINUX f2
Download 1.6 Linux - Mirror - Download 1.6 Linux
Download 1.6 Windows - Mirror - Download 1.6 Windows

v1.1 DEMO WINDOWS f1
v1.0 DEMO WINDOWS f1


LINUX 1.61 f2

Code: Select all

bf1942_lnxded.dynamic (original) v1.61
 813ddb6:	31 c0                	xor    eax,eax
 813ddb8:	8a 46 0d             	mov    al,BYTE PTR [esi+0xd]
 813ddbb:	8b 1f                	mov    ebx,DWORD PTR [edi]
 813ddbd:	50                   	push   eax
 813ddbe:	50                   	push   eax
 813ddbf:	8b 85 2c fd ff ff    	mov    eax,DWORD PTR [ebp-0x2d4]
 813ddc5:	50                   	push   eax
 813ddc6:	e8 f5 f2 fd ff       	call   811d0c0
 813ddcb:	59                   	pop    ecx
 813ddcc:	5e                   	pop    esi
 813ddcd:	50                   	push   eax
 813ddce:	57                   	push   edi

Code: Select all

bf1942_lnxded.dynamic (patched) v1.61
 813ddb6:	31 c9                	xor    ecx,ecx
 813ddb8:	8a 4e 0d             	mov    cl,BYTE PTR [esi+0xd]
 813ddbb:	8b 1f                	mov    ebx,DWORD PTR [edi]
 813ddbd:	51                   	push   ecx
 813ddbe:	51                   	push   ecx
 813ddbf:	8b 8d 2c fd ff ff    	mov    ecx,DWORD PTR [ebp-0x2d4]
 813ddc5:	5e                   	pop    esi
 813ddc6:	50                   	push   eax
 813ddc7:	57                   	push   edi
 813ddc8:	4e                   	dec    esi
 813ddc9:	83 fe 01             	cmp    esi,1
 813ddcc:	77 07                	ja     813ddd5
 813ddce:	46                   	inc    esi

The same instructions are to be applied to static file at beginning address 0x08136d46.
Download 1.61 Linux

LINUX 1.6 f2
It's the same as for 1.61, but the beginning address for dynamic is 0x0813e5e6 and for static is 0x081372c6.
Download 1.6 Linux

WINDOWS 1.61 f2

Code: Select all

BF1942_w32ded v1.61 (original)
  45aacf:	53                   	push   ebx
  45aad0:	8b ce                	mov    ecx,esi
  45aad2:	e8 89 aa ff ff       	call   0x455560
  45aad7:	8b d8                	mov    ebx,eax
  45aad9:	85 db                	test   ebx,ebx
  45aadb:	0f 84 b0 06 00 00    	je     0x45b191
  45aae1:	8b cb                	mov    ecx,ebx
  45aae3:	e8 28 ca 23 00       	call   0x697510
  45aae8:	85 c0                	test   eax,eax
  45aaea:	0f 84 a1 06 00 00    	je     0x45b191
  45aaf0:	0f b6 57 0d          	movzx  edx,BYTE PTR [edi+0xd]
  45aaf4:	8b 2e                	mov    ebp,DWORD PTR [esi]
  45aaf6:	52                   	push   edx
  45aaf7:	8b cb                	mov    ecx,ebx
  45aaf9:	e8 12 ca 23 00       	call   0x697510
  45aafe:	50                   	push   eax
  45aaff:	8b ce                	mov    ecx,esi
  45ab01:	ff 95 40 01 00 00    	call   DWORD PTR [ebp+0x140]
  45ab07:	e9 85 06 00 00       	jmp    0x45b191

Code: Select all

BF1942_w32ded v1.61 (patched)
  45aacf:	53                   	push   ebx
  45aad0:	8b ce                	mov    ecx,esi
  45aad2:	e8 89 aa ff ff       	call   0x455560
  45aad7:	85 c0                	test   eax,eax
  45aad9:	74 1e                	je     0x45aaf9
  45aadb:	8b 40 04             	mov    eax,DWORD PTR [eax+4]
  45aade:	85 c0                	test   eax,eax
  45aae0:	74 17                	je     0x45aaf9
  45aae2:	0f b6 57 0d          	movzx  edx,BYTE PTR [edi+0xd]
  45aae6:	4a                   	dec    edx
  45aae7:	83 fa 01             	cmp    edx,1
  45aaea:	77 0d                	ja     0x45aaf9
  45aaec:	42                   	inc    edx
  45aaed:	8b 2e                	mov    ebp,DWORD PTR [esi]
  45aaef:	52                   	push   edx
  45aaf0:	50                   	push   eax
  45aaf1:	8b ce                	mov    ecx,esi
  45aaf3:	ff 95 40 01 00 00    	call   DWORD PTR [ebp+0x140]
  45aaf9:	e9 93 06 00 00       	jmp    0x45b191
  45aafe:	90 90 90 90 90 90    	nop
  45aa04:	90 90 90 90 90 90    	nop
  45ab0a:	90 90                	nop

Download 1.61 Windows

WINDOWS v1.6 f2
For BF1942 Windows v1.6 server executable the beginning address to apply the same instructions is at 0x0045aaaf.
Download 1.6 Windows
The BF1942 Windows v1.6 server binary also has a fix for an old public exploit (@ 0x00442370 changed from 7f to 77), which it wasn't immune.



WINDOWS v1.1 DEMO f1

1.Modify before func.0048b410

Code: Select all

[offset] [modified bytes] [instruction]              
8b403    8b 45 04         mov eax,dword ptr[ebp+0x4]
8b406    83 f8 01         cmp eax,1
8b409    74 05            je 0048b410
8b40b    eb 29            jmp 0048b436 

2.Modify after func.0048b410

Code: Select all

[offset] [modified bytes] [instruction]
8b436     68 65 47 63 00  push 00634765   ;jump to case 11 to continue without crash
8b43b     c2 08 00        retn 8    

3.Modify call to func.0048b410

Code: Select all

[offset] [modified bytes] [instruction]
2340ab    e8 53 73 e5 ff  call   ;modify call to func.0048b410 so it goes to 0048b403 instead

WINDOWS v1.0 DEMO f1
//The file offsets in the .exe are different for demo v1.1 from demo v1.0, however the relative jumps still work, only
//the func call, and push inst needed to be modified.



If somebody can provide me the compiled version of the executables (or even a single one of them), I will add them directly as download links here (hosted on stable and good bfmods server) so everyone can easily retrieve them without possibility for making mistakes, as not everyone is sure-footed in hex editing.

Updated on 24.11.11 - Added the f2 fixed verrsions for 1.61 and 1.6 as well as DL links for them

[tekk]

Just a FYI,

dierighty did not discover the exploit, the individual who created the exploit gave him the patch. dierighty held on to the patch for months in hopes that his server would benifit from being the only server still up. So yes im glad he finally made the patch public but im disappointed in him holding onto it for so long with selfish intentions.

[Senshi]

Well, why didn't the "individual who really created the patch" publish his fix himself then? There are plenty of BF42 platforms that would be glad to help spread such a fix. dierighty has posted it here and offered several alternatives for the various .exe versions that are still in use online (1.6, 1.61, Demo 1.0, Demo 1.1 etc., Windows, Linux...), so unless you come forward with some hard evidence I'm not inclined to mistrust dierighty, as you might understand.

[dierighty]

tekk,

the patch was not given to me by the exploiters(whoever they are). Each server executable requires a different alteration to be crafted, because the sequence and location of the machine instructions that make up the executable and subsequently the handleGameEventManagerEvent() function are unique. There is not a universal "patch", as the function radically changes between the linux server and windows server as well as the demo.
I am not part of the exploiters. I was on the wake clan server when it was crashed by someone using this exploit. Others had also witnessed the server crashing and our collective knowledge of the attack was pooled in their forums as well as the forums here, this lead to the discovery of a youtube video that showed exactly how to carry out the attack. I was able to re-produce the exploit on my own machine and with the aid of the gdb debugger determined that the offending function was createPlayer() when called by handleGameEventManagerEvent() in the server executable.
I did not harbor patches for selfish intentions. The first patches were posted here to this forum and with the help of Jeronimo to fix my screw ups, as well as all those who helped by testing the patches, we were able to produce patches for the community.

sincerely,
dierighty

[Android]

Would it be possible to find a fix for the linux version of the 1.6 patch? I would be happy to send the linux server files if needed.

[GreenHippo]

I have tried to do this to the Battlefield 1942 Secret Weapons Demo but have no clue where to start.
I have compared the code between the Wake island demo and its patched version but again, the Secret Weapons demo is
different, obviously.

Programs I used were Hexworkshop,W32Dasm and Ollydbg for code comparison.

The crashing stopped on the Wake Island demo as of this fix but has now followed us to our Secret Weapons server.
Anyone willing to patch the Secret Weapons demo for the community or point me in the right direction.

I have read the old thread from where this thread was compiled from.

Thanks.

[Senshi]

For questions, discussions, help or anything similar please head over to our discussion thread.

This thread is merely meant as a compilation of all the fixes achieved so far, allowing an easier overview and sort of a "directory" for all newcomers. The other thread is meant for development and other stuff.

If someone has a compiled exec and wants to share it, please contact me via PM so I can integrate it into this list. All credits due will be given, obviously.

To avoid further confusion, I'll lock this thread.

[Senshi]

Updated first post of this thread. New fixes for 1.61 and 1.6 available (incl. DL!)