BF1942 Server Crash New Exploit!
The unknown person creating these exploits sells generated keys via the website link on his YouTube channel; coming from Sofia, Bulgaria, he is making thousands of euros and flooding the game with new keys.
...but that's another story (we can provide it upon request).
NOW he has modified his exploit, with the same basic procedure!
EDIT Senshi: Moved the detailed explanation to an internal forum, as it far too easily serves as a How-To. No need to spread until we have a fix.
Any new fix for this (same, extended) exploit would be appreciated on our side.
Greetz
Grabbi
PS: thanks again for the last fix!
Re: BF1942 Server Crash New Exploit!
I'll move this to a private forum, no need to spread an extensive How-To-Crash here. tuia has told me he is already trying to find a fix for this as well; we will tell you ASAP once we receive a fix. Thank you for telling us about this new possible exploit.


Re: BF1942 Server Crash New Exploit!
Thanks, we really appreciate your efforts!
Best regards
Grabbi
______________________
grabbi@pixel-fighter.com
Re: BF1942 Server Crash New Exploit!
Here are the instructions to prevent the new exploit for BF1942 Linux server files:
The same instructions are to be applied to the static file at beginning address 0x08136d46. For BF1942 Linux v1.6 the beginning address for the dynamic binary is 0x0813e5e6 and for the static one is 0x081372c6.
I've patched the files and tested them. They already contain the code to prevent the previous exploit:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
bf1942_lnxded.dynamic (original) v1.61
813ddb6: 31 c0 xor eax,eax
813ddb8: 8a 46 0d mov al,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 50 push eax
813ddbe: 50 push eax
813ddbf: 8b 85 2c fd ff ff mov eax,DWORD PTR [ebp-0x2d4]
813ddc5: 50 push eax
813ddc6: e8 f5 f2 fd ff call 811d0c0
813ddcb: 59 pop ecx
813ddcc: 5e pop esi
813ddcd: 50 push eax
813ddce: 57 push edi
bf1942_lnxded.dynamic (patched) v1.61
813ddb6: 31 c9 xor ecx,ecx
813ddb8: 8a 4e 0d mov cl,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 51 push ecx
813ddbe: 51 push ecx
813ddbf: 8b 8d 2c fd ff ff mov ecx,DWORD PTR [ebp-0x2d4]
813ddc5: 5e pop esi
813ddc6: 50 push eax
813ddc7: 57 push edi
813ddc8: 4e dec esi
813ddc9: 83 fe 01 cmp esi,1
813ddcc: 77 07 ja 813ddd5
813ddce: 46 inc esi
Last edited by tuia on Wed Nov 23, 2011 11:59 pm, edited 1 time in total.
Re: BF1942 Server Crash New Exploit!
Here are the instructions for BF1942 Windows v1.61 server executable:
Sorry for the delay, I was having some problems debugging Windows binaries and I was also making a stupid mistake when patching (not looking at the stack). As a bonus, I've optimized this branch of code, saving 14 bytes in the end.
For BF1942 Windows v1.6 server executable the beginning address to apply the same instructions is at 0x0045aaaf.
Patched server executables which already include the code to prevent the previous exploit:
http://estatistic.planetaclix.pt/downlo ... atched.zip
http://estatistic.planetaclix.pt/downlo ... atched.zip
The BF1942 Windows v1.6 server binary also has a fix for an old public exploit (@ 0x00442370 changed from 7f to 77), to which it wasn't immune.
BF1942_w32ded v1.61 (original)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 8b d8 mov ebx,eax
45aad9: 85 db test ebx,ebx
45aadb: 0f 84 b0 06 00 00 je 0x45b191
45aae1: 8b cb mov ecx,ebx
45aae3: e8 28 ca 23 00 call 0x697510
45aae8: 85 c0 test eax,eax
45aaea: 0f 84 a1 06 00 00 je 0x45b191
45aaf0: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aaf4: 8b 2e mov ebp,DWORD PTR [esi]
45aaf6: 52 push edx
45aaf7: 8b cb mov ecx,ebx
45aaf9: e8 12 ca 23 00 call 0x697510
45aafe: 50 push eax
45aaff: 8b ce mov ecx,esi
45ab01: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45ab07: e9 85 06 00 00 jmp 0x45b191
BF1942_w32ded v1.61 (patched)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 85 c0 test eax,eax
45aad9: 74 1e je 0x45aaf9
45aadb: 8b 40 04 mov eax,DWORD PTR [eax+4]
45aade: 85 c0 test eax,eax
45aae0: 74 17 je 0x45aaf9
45aae2: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aae6: 4a dec edx
45aae7: 83 fa 01 cmp edx,1
45aaea: 77 0d ja 0x45aaf9
45aaec: 42 inc edx
45aaed: 8b 2e mov ebp,DWORD PTR [esi]
45aaef: 52 push edx
45aaf0: 50 push eax
45aaf1: 8b ce mov ecx,esi
45aaf3: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45aaf9: e9 93 06 00 00 jmp 0x45b191
45aafe: 90 90 90 90 90 90 nop
45ab04: 90 90 90 90 90 90 nop
45ab0a: 90 90 nop
Re: BF1942 Server Crash New Exploit!
Thank you very much, Tuia, for your efforts and for solving the problem!
All PFC servers are running your fix patch now and once again a BIG THANK YOU from the whole PFC-Crew and Community for the hard work you did within these few days !
YOU!... made the difference!
Greetz
Grabbi
Re: BF1942 Server Crash New Exploit!
Thank you so much, Tuia. Although I don't know you, you have my respect and gratitude for helping us keep BF42 alive and kicking. It takes a lot of dedication and hard work to chase down these new fixes, something you're not lacking in. However, something we are all not lacking in is the resolve to push these petty hackers aside and keep enjoying BF42 forever! Rock on!

Re: BF1942 Server Crash New Exploit!
I'm glad to help. About this fix, I can't give too many details now, as this exploit has been used and is still being used against vulnerable servers. Basically, I just put a check for valid arguments before the function which causes the crash is called. Thanks to Grabbi for pointing out the error message and describing the procedure to apply the exploit. Much respect and thanks to dierighty and all who assisted him for devising a solution to the first exploit. It was great work and much harder to plan.
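The two Windows v1.61 listings earlier in the thread give the complete 61-byte region (0x45aacf to 0x45ab0b) before and after the patch, and the post above describes the fix as a check on the arguments before the crashing function is called. The following Python script is an added example, not tuia's tool and not a file from the downloads: it transcribes those two byte sequences from the listings, applies the patch by locating the original bytes (refusing when they are absent or not unique, so an already patched or wrong-version binary is not corrupted), recomputes rel32 displacements, and emulates the new `dec edx; cmp edx,1; ja` check over every possible byte value. The input binary is a constructed stand-in, the function names are mine, and the v1.6 bytes at 0x0045aaaf are not included because the page gives only that address, not its listing.

```python
import struct

# Byte sequences transcribed from the two BF1942_w32ded v1.61 listings in the
# thread (0x45aacf..0x45ab0b, 61 bytes each). bytes.fromhex() ignores whitespace.
WIN161_ORIGINAL = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 8b d8 85 db 0f 84 b0 06 00 00 "
    "8b cb e8 28 ca 23 00 85 c0 0f 84 a1 06 00 00 "
    "0f b6 57 0d 8b 2e 52 8b cb e8 12 ca 23 00 50 8b ce "
    "ff 95 40 01 00 00 e9 85 06 00 00"
)
WIN161_PATCHED = bytes.fromhex(
    "53 8b ce e8 89 aa ff ff 85 c0 74 1e 8b 40 04 85 c0 74 17 "
    "0f b6 57 0d 4a 83 fa 01 77 0d 42 8b 2e 52 50 8b ce "
    "ff 95 40 01 00 00 e9 93 06 00 00 " + "90 " * 14
)


def find_unique(data: bytes, needle: bytes) -> int:
    """Offset of the only occurrence of needle in data.

    Refuses when the bytes are missing (wrong build, or already patched) or
    ambiguous (more than one hit), rather than guessing where to write.
    """
    first = data.find(needle)
    if first < 0:
        raise ValueError("original bytes not found: wrong version or already patched?")
    if data.find(needle, first + 1) >= 0:
        raise ValueError("original bytes occur more than once; refusing to guess")
    return first


def apply_patch(data: bytes, original: bytes, patched: bytes) -> bytes:
    """Replace original with patched in data; the code region must keep its length."""
    if len(original) != len(patched):
        raise ValueError("patch must keep the code region the same length")
    off = find_unique(data, original)
    return data[:off] + patched + data[off + len(patched):]


def rel32_target(insn_va: int, insn_len: int, disp: bytes) -> int:
    """Target of a call/jmp whose rel32 is relative to the next instruction."""
    return (insn_va + insn_len + struct.unpack("<i", disp)[0]) & 0xFFFFFFFF


def encode_rel32(insn_va: int, insn_len: int, target_va: int) -> bytes:
    """Displacement bytes the instruction at insn_va needs to reach target_va."""
    return struct.pack("<i", target_va - (insn_va + insn_len))


def patched_check_accepts(byte_value: int) -> bool:
    """Emulate 'movzx edx, byte; dec edx; cmp edx,1; ja skip' from the patched code.

    The compare is unsigned, so 0 wraps to 0xffffffff after the decrement and is
    rejected along with everything above 2: only 1 and 2 reach the call.
    """
    edx = (byte_value - 1) & 0xFFFFFFFF
    return edx <= 1


def demo() -> bytes:
    """Patch a constructed stand-in for the executable (not a real game binary)."""
    fake_exe = b"\x00" * 64 + WIN161_ORIGINAL + b"\xcc" * 32
    return apply_patch(fake_exe, WIN161_ORIGINAL, WIN161_PATCHED)


if __name__ == "__main__":
    out = demo()
    print("patched bytes present:", WIN161_PATCHED in out)
    print("byte values the new check lets through:",
          [v for v in range(256) if patched_check_accepts(v)])
```

Two things to keep in mind when carrying this to another build. First, "the same instructions" means the same assembly, not the same bytes: the `e8`, `e9` and `0f 84` instructions carry displacements relative to the next instruction, so placing the code at the v1.6 address 0x0045aaaf changes those four-byte values, which is what `encode_rel32` recomputes. Second, the listings show virtual addresses, not file offsets; searching for the byte pattern sidesteps that arithmetic, but a patch applied by address must go through the PE or ELF section table to map one to the other. The one-byte v1.6 change at 0x00442370 from 7f to 77 is, in the same spirit, a change of conditional-jump opcode from jg (signed) to ja (unsigned).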
Re: BF1942 Server Crash New Exploit!
Also I wanted to give a big thanks to you here Tuia,
Somehow this hacker is targeting our community, for whatever reason,
and we all love this older game so much.
Thanks to you we can fight on these WWII battlefields again and enjoy our gameplay!
Tuia, many many thanks for your fast and hard work!!
We all (within the -=PFC=- crew & our whole community) appreciate this very much!
Greetings,
LoonyLau
Re: BF1942 Server Crash New Exploit!
Instructions to fix the new exploit for Battlefield Vietnam Linux server files version 1.21:
The same instructions are to be applied to the static binary; its beginning address is 0x08753e51.
Download the patched files from here, which, as usual, contain the fix for the previous exploit:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
bfv_linded.dynamic v1.21 (original)
8756b31: 89 c7 mov edi,eax
8756b33: 0f 84 21 f0 ff ff je 8755b5a
8756b39: 89 04 24 mov DWORD PTR [esp],eax
8756b3c: e8 df c6 fd ff call 8733220
8756b41: 85 c0 test eax,eax
8756b43: 0f 84 11 f0 ff ff je 8755b5a
8756b49: 89 3c 24 mov DWORD PTR [esp],edi
8756b4c: e8 cf c6 fd ff call 8733220
8756b51: 8b 75 10 mov esi,DWORD PTR [ebp+0x10]
8756b54: 8b 0b mov ecx,DWORD PTR [ebx]
8756b56: c7 44 24 0c 01 00 00 mov DWORD PTR [esp+0xc],1
8756b5d: 00
8756b5e: 0f b6 56 0d movzx edx,BYTE PTR [esi+0xd]
8756b62: 89 1c 24 mov DWORD PTR [esp],ebx
8756b65: 89 44 24 04 mov DWORD PTR [esp+4],eax
8756b69: 89 54 24 08 mov DWORD PTR [esp+8],edx
8756b6d: ff 91 88 01 00 00 call DWORD PTR [ecx+0x188]
8756b73: e9 e2 ef ff ff jmp 8755b5a
bfv_linded.dynamic v1.21 (patched)
8756b31: 74 2f je 8756b62
8756b33: 8b 40 04 mov eax,DWORD PTR [eax+4]
8756b36: 85 c0 test eax,eax
8756b38: 74 28 je 8756b62
8756b3a: 8b 75 10 mov esi,DWORD PTR [ebp+0x10]
8756b3d: 0f b6 56 0d movzx edx,BYTE PTR [esi+0xd]
8756b41: 4a dec edx
8756b42: 83 fa 01 cmp edx,1
8756b45: 77 1b ja 8756b62
8756b47: 42 inc edx
8756b48: 31 c9 xor ecx,ecx
8756b4a: 41 inc ecx
8756b4b: 89 1c 24 mov DWORD PTR [esp],ebx
8756b4e: 89 44 24 04 mov DWORD PTR [esp+4],eax
8756b52: 89 54 24 08 mov DWORD PTR [esp+8],edx
8756b56: 89 4c 24 0c mov DWORD PTR [esp+0xc],ecx
8756b5a: 8b 0b mov ecx,DWORD PTR [ebx]
8756b5c: ff 91 88 01 00 00 call DWORD PTR [ecx+0x188]
8756b62: e9 f3 ef ff ff jmp 8755b5a
8756b67: 90 90 90 90 90 90 90 nop
8756b6e: 90 90 90 90 90 90 90 nop
8756b75: 90 90 90 nop