====================================================================================
#
# this file has been created for the Lame patcher program, available for both *nix
# and Windows platforms.
# You need this program to apply the patch to your files:
#
# http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this sof2guidfix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch sof2guidfix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game
#
# NOTE: keep a backup of the original binary. The patcher compares the bytes
# listed under BYTES_ORIGINAL before writing anything; if it reports a mismatch,
# your binary is not one of the supported builds and should not be patched.
TITLE
Soldier of Fortune II (1.03 Windows and 1.02a Linux) cl_guid fix 0.2.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
INTRO
This unofficial patch fixes the following bug:
.
.
http://aluigi.org/adv/sof2guidboom-adv.txt
.
If you are unsure whether your server is vulnerable, use the proof-of-concept provided there.
.
The fix rejects oversized cl_guid values before they are used: a client whose
cl_guid is 64 or more characters long (63 or more with the Windows patch) is
handled as if its guid were banned and receives the "Banned" message, so the
value plus its terminating NUL always fits the 64-byte buffer.
.
The patch has been tested with the latest releases of the game for Windows (1.03)
and Linux (1.02a); older versions are NOT supported by me, so please don't ask.
FILE SoF2MP.exe;sof2ded ONLY_ONE
; Two candidate targets: the Windows game executable (SoF2MP.exe) and the
; Linux dedicated server (sof2ded). Each BYTES_ORIGINAL / BYTES_PATCH pair
; below has exactly the same byte count, so the patch never shifts any
; surrounding code.
;
### WINDOWS ###
; SoF2MP.exe
; Layout of the 65-byte window (offsets relative to its first byte):
;   +0  .. +30  two function epilogues followed by 13 bytes of nop padding
;   +31 .. +64  the start of the guid-check function (push ebp ... mov edi,eax)
; The epilogues are rewritten to share a single pop/ret tail and the nop
; padding is reused; that frees room for the length check without moving the
; function entry (+31) or the call at +47 (its rel32 is byte-identical).
BYTES_ORIGINAL
5f                    ; pop edi                          ; epilogue 1
c6 46 0c 01           ; mov BYTE PTR [esi+0xc],1
5e                    ; pop esi
33 c0                 ; xor eax,eax
5b                    ; pop ebx
59                    ; pop ecx
c3                    ; ret
5f                    ; pop edi                          ; epilogue 2
8b c6                 ; mov eax,esi
5e                    ; pop esi
5b                    ; pop ebx
59                    ; pop ecx
c3                    ; ret
90 90 90 90 90 90 90 90 90 90 90 90 90 ; 13 x nop (padding before the next function)
55                    ; push ebp                         ; function entry (+31)
8b 6c 24 08           ; mov ebp,DWORD PTR [esp+8]        ; ebp = first argument (presumably the client struct)
56                    ; push esi
57                    ; push edi
8d 45 04              ; lea eax,[ebp+4]                  ; eax = arg+4 (presumably the userinfo string)
68 b0 b3 55 00        ; push 0x55b3b0                    ; key string, presumably "cl_guid" (cf. the Linux variant)
50                    ; push eax
e8 fb ca fe ff        ; call rel32                       ; value lookup; eax = cl_guid string afterwards
8b 35 84 3c ba 00     ; mov esi,DWORD PTR ds:0xba3c84    ; esi = banned-guid data (per readme)
83 c4 08              ; add esp,8
85 f6                 ; test esi,esi
8b f8                 ; mov edi,eax                      ; edi = cl_guid string
BYTES_PATCH
c6 46 0c 01           ; mov BYTE PTR [esi+0xc],1         ; epilogue 1, reordered so that
33 c0                 ; xor eax,eax                      ; ... the pop/ret tail below
5f                    ; pop edi                          ; ... can be shared by both epilogues
5e                    ; pop esi
5b                    ; pop ebx
59                    ; pop ecx
c3                    ; ret
8b c6                 ; mov eax,esi                      ; epilogue 2
eb f7                 ; jmp -9  -> pop edi               ; jump into the shared tail
8b f8                 ; mov edi,eax                      ; CHECK ENTRY (+15), reached from the jmp at +61: edi = cl_guid
32 c0                 ; xor al,al                        ; scan for the NUL terminator
83 c9 ff              ; or ecx,-1
f2 ae                 ; repne scasb                      ; afterwards ecx = -(strlen+2), edi points past the NUL
83 f9 c0              ; cmp ecx,-0x40
7c 6f                 ; jl +0x6f                         ; strlen >= 63 -> "Banned" path (target is outside this listing; per readme)
eb 20                 ; jmp +0x20 -> test esi,esi        ; length ok: resume the original flow at +63
55                    ; push ebp                         ; function entry (+31), unchanged
8b 6c 24 08           ; mov ebp,DWORD PTR [esp+8]
56                    ; push esi
57                    ; push edi
8d 45 04              ; lea eax,[ebp+4]
68 b0 b3 55 00        ; push 0x55b3b0
50                    ; push eax
e8 fb ca fe ff        ; call rel32                       ; same offset (+47) and same rel32 as the original
8b 35 84 3c ba 00     ; mov esi,DWORD PTR ds:0xba3c84
83 c4 08              ; add esp,8
eb d0                 ; jmp -0x30 -> mov edi,eax         ; detour into the length check at +15
85 f6                 ; test esi,esi                     ; original flow resumes here (+63)
; NOTE(review): the original leaves this window with edi == eax == cl_guid. In the
; patched flow edi has been advanced past the NUL by repne scasb, al is 0 and ecx
; holds the scan count. The code after +64 is not part of this listing, so it cannot
; be verified here whether it relies on edi/eax being intact -- confirm in a
; disassembler (the readme reports the patch as tested).
;
; from the old sof2-103-guidfix readme:
; The bytes I have added are a check made on the cl_guid value to know if
; it is bigger than 64 bytes (its total buffer size).
; This check has been inserted in the function that reads the cl_guid and
; verifies if it is a banned guid, so the attacker will receive the
; "Banned" error message if sends a cl_guid bigger than 64 bytes.
; The other bytes (at the beginning) instead are needed to gain space for
; placing my fix.
;
; sof2ded
### LINUX ###
RVA 8048000
; RVA = image base of sof2ded; the |abs and ^target operands below are presumably
; resolved against it by lpatch -- confirm in the lpatch documentation.
; Operand markers (as used by the existing annotations): "|xxx" is emitted as a
; 32-bit absolute value, "^xxx" is a call target that lpatch turns into a rel32.
; 8051204 = virtual address of the first byte below (the guid-check function).
BYTES_ORIGINAL
55                        ; push ebp
8b ec                     ; mov ebp,esp
83 ec 10                  ; sub esp,0x10
89 75 fc                  ; mov DWORD PTR [ebp-4],esi     ; save esi
8b 75 08                  ; mov esi,DWORD PTR [ebp+8]     ; esi = first argument (presumably the client struct)
8d 46 04                  ; lea eax,[esi+4]               ; eax = arg+4 (presumably the userinfo string)
89 04 24                  ; mov DWORD PTR [esp],eax
c7 44 24 04 38 c4 14 08   ; mov DWORD PTR [esp+4],0x814c438   ; "cl_guid" key string
e8 b1 36 04 00            ; call 80948d4                  ; value lookup; eax = cl_guid string afterwards
89 04 24                  ; mov DWORD PTR [esp],eax
e8 29 f6 ff ff            ; call 8050854                  ; banned-guid lookup (per readme); nonzero = banned
85 c0                     ; test eax,eax
74 17                     ; je 8051246                    ; not banned -> continue at add esp,-0x18
8b 15 2c e9 2b 08         ; mov edx,DWORD PTR ds:0x82be92c    ; banned path
8b 4a 28                  ; mov ecx,DWORD PTR [edx+40]
33 c0                     ; xor eax,eax
85 c9                     ; test ecx,ecx
8b 75 fc                  ; mov esi,DWORD PTR [ebp-4]     ; restore esi
0f 95 c0                  ; setne al                      ; return (ecx != 0)
8b e5                     ; mov esp,ebp
5d                        ; pop ebp
c3                        ; ret
83 c4 e8                  ; add esp,0xffffffe8            ; 8051246: reserve 0x18 bytes
8d 86 b8 7c 02 00         ; lea eax,[esi+0x27cb8]         ; eax = 20-byte struct inside the argument
8b d4                     ; mov edx,esp                   ; edx = destination of the copy
8b 08                     ; mov ecx,DWORD PTR [eax]       ; copy 5 dwords [eax..eax+16] to [esp..esp+16]
8b 70 04                  ; mov esi,DWORD PTR [eax+4]
89 0a                     ; mov DWORD PTR [edx],ecx
8b 48 08                  ; mov ecx,DWORD PTR [eax+8]
89 72 04                  ; mov DWORD PTR [edx+4],esi
89 4a 08                  ; mov DWORD PTR [edx+8],ecx
8b 48 0c                  ; mov ecx,DWORD PTR [eax+12]
8b 40 10                  ; mov eax,DWORD PTR [eax+16]
89 4a 0c                  ; mov DWORD PTR [edx+12],ecx
89 42 10                  ; mov DWORD PTR [edx+16],eax
e8 e2 d9 03 00            ; call 808ec54                  ; takes the 20-byte struct by value on the stack
83 c4 18                  ; add esp,0x18
BYTES_PATCH
55                        ; push ebp
8b ec                     ; mov ebp,esp
83 ec 10                  ; sub esp,0x10
89 75 fc                  ; mov DWORD PTR [ebp-4],esi
8b 75 08                  ; mov esi,DWORD PTR [ebp+8]
8d 46 04                  ; lea eax,[esi+4]
; push/push/call/add (14 bytes) replaces mov/mov/call (16 bytes): frees 2 bytes
68 |814c438               ; push 0x814c438                ; "cl_guid"
50                        ; push eax                      ; userinfo string
e8 ^80948d4               ; call 80948d4                  ; eax = cl_guid string
83 C4 08                  ; add esp,8
; PATCH HERE: 16-byte length check. eax (the string) is preserved, ecx = strlen.
33 C9                     ; xor ecx,ecx                   ; ecx = index / length counter
F6 04 08 FF               ; test BYTE PTR [eax+ecx],0xff  ; ZF set when this byte is the NUL terminator
74 03                     ; jz +3 -> cmp ecx,0x40         ; end of string
41                        ; inc ecx
EB F7                     ; jmp -9 -> test                ; next byte
83 F9 40                  ; cmp ecx,0x40                  ; 64 chars + NUL would not fit the 64-byte buffer
73 0C                     ; jae +0x0c -> mov edx,...      ; strlen >= 64 (unsigned): take the banned path
89 04 24                  ; mov DWORD PTR [esp],eax
e8 ^8050854               ; call 8050854                  ; banned-guid lookup
85 c0                     ; test eax,eax
74 17                     ; je +0x17                      ; rel8 unchanged: the banned block keeps its 23-byte size, so this still lands on add esp,-0x18
8b 15 |0x82be92c          ; mov edx,DWORD PTR ds:0x82be92c    ; banned path (also the jae target)
8b 4a 28                  ; mov ecx,DWORD PTR [edx+40]
33 c0                     ; xor eax,eax
85 c9                     ; test ecx,ecx
8b 75 fc                  ; mov esi,DWORD PTR [ebp-4]
0f 95 c0                  ; setne al
8b e5                     ; mov esp,ebp
5d                        ; pop ebp
c3                        ; ret
83 c4 e8                  ; add esp,0xffffffe8            ; kept so the final add esp,0x2c balances; the area itself is no longer written
8d 86 b8 7c 02 00         ; lea eax,[esi+0x27cb8]
8b d4                     ; mov edx,esp                   ; kept from the original; edx is not used by the pushes below
; five pushes (14 bytes) replace the 28-byte dword-copy sequence: frees 14 bytes.
; Pushing [eax+16] first reproduces the original stack image: [esp]=[eax] .. [esp+16]=[eax+16].
ff 70 10                  ; push DWORD PTR [eax+16]
ff 70 0c                  ; push DWORD PTR [eax+12]
ff 70 08                  ; push DWORD PTR [eax+8]
ff 70 04                  ; push DWORD PTR [eax+4]
ff 30                     ; push DWORD PTR [eax]
e8 ^808ec54               ; call 808ec54
83 c4 2c                  ; add esp,0x2c                  ; 0x18 (add esp,-0x18 above) + 0x14 (the five pushes)
====================================================================================