BF1942 Server Crash New Exploit!

tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

Patched file for Battlefield Vietnam Linux server version 1.2:
http://estatistic.planetaclix.pt/downlo ... hed.tar.gz
It already contains the fix to the previous exploit.
Here are the instructions for the dynamic executable to prevent the new exploit:

Code:

bfv_linded.dynamic v1.2 (original)
 8759021:	89 c3                	mov    ebx,eax
 8759023:	0f 84 28 f1 ff ff    	je     8758151
 8759029:	89 04 24             	mov    DWORD PTR [esp],eax
 875902c:	e8 af a0 fd ff       	call   87330e0
 8759031:	85 c0                	test   eax,eax
 8759033:	0f 84 18 f1 ff ff    	je     8758151
 8759039:	89 1c 24             	mov    DWORD PTR [esp],ebx
 875903c:	e8 9f a0 fd ff       	call   87330e0
 8759041:	8b 55 08             	mov    edx,DWORD PTR [ebp+8]
 8759044:	8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10]
 8759047:	8b 7d 08             	mov    edi,DWORD PTR [ebp+8]
 875904a:	8b 0a                	mov    ecx,DWORD PTR [edx]
 875904c:	ba 01 00 00 00       	mov    edx,1
 8759051:	89 54 24 0c          	mov    DWORD PTR [esp+0xc],edx
 8759055:	0f b6 53 0d          	movzx  edx,BYTE PTR [ebx+0xd]
 8759059:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 875905d:	89 3c 24             	mov    DWORD PTR [esp],edi
 8759060:	89 54 24 08          	mov    DWORD PTR [esp+8],edx
 8759064:	ff 91 88 01 00 00    	call   DWORD PTR [ecx+0x188]
 875906a:	e9 e2 f0 ff ff       	jmp    8758151
 875906f:	90                   	nop

Code:

bfv_linded.dynamic v1.2 (patched)
 8759021:	74 32                	je     8759055
 8759023:	8b 40 04             	mov    eax,DWORD PTR [eax+4]
 8759026:	85 c0                	test   eax,eax
 8759028:	74 2b                	je     8759055
 875902a:	8b 5d 10             	mov    ebx,DWORD PTR [ebp+0x10]
 875902d:	0f b6 53 0d          	movzx  edx,BYTE PTR [ebx+0xd]
 8759031:	4a                   	dec    edx
 8759032:	83 fa 01             	cmp    edx,1
 8759035:	77 1e                	ja     8759055
 8759037:	42                   	inc    edx
 8759038:	8b 7d 08             	mov    edi,DWORD PTR [ebp+8]
 875903b:	31 c9                	xor    ecx,ecx
 875903d:	41                   	inc    ecx
 875903e:	89 4c 24 0c          	mov    DWORD PTR [esp+0xc],ecx
 8759042:	89 54 24 08          	mov    DWORD PTR [esp+8],edx
 8759046:	89 44 24 04          	mov    DWORD PTR [esp+4],eax
 875904a:	89 3c 24             	mov    DWORD PTR [esp],edi
 875904d:	8b 0f                	mov    ecx,DWORD PTR [edi]
 875904f:	ff 91 88 01 00 00    	call   DWORD PTR [ecx+0x188]
 8759055:	e9 f7 f0 ff ff       	jmp    8758151
 875905a:	90 90 90 90 90 90 90 	nop
 8759061:	90 90 90 90 90 90 90 	nop
 8759068:	90 90 90 90 90 90 90 	nop
 875906f:	90                   	nop
The same instructions apply to the static executable; the beginning address is at 0x08756291.
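As an added example (not tuia's code and not part of the patch archives linked above), here is a small Python helper that turns a pair of objdump-style listings like the ones above into the original and patched byte strings, then applies them to a copy of the server binary only after checking that the original bytes occur exactly once in the file. The embedded excerpt is a constructed sample made of the first 16 bytes of the two bfv_linded.dynamic v1.2 listings; for a real patch, paste both complete listings.

```python
import re

# One objdump/IDA-style line: "<addr>:  <hex bytes>  <mnemonic ...>" (tabs or spaces)
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s)+)")

# Constructed sample: the first 16 bytes of each bfv_linded.dynamic v1.2 listing above
ORIGINAL_EXCERPT = """bfv_linded.dynamic v1.2 (original)
 8759021:  89 c3                  mov    ebx,eax
 8759023:  0f 84 28 f1 ff ff      je     8758151
 8759029:  89 04 24               mov    DWORD PTR [esp],eax
 875902c:  e8 af a0 fd ff         call   87330e0"""
PATCHED_EXCERPT = """bfv_linded.dynamic v1.2 (patched)
 8759021:  74 32                  je     8759055
 8759023:  8b 40 04               mov    eax,DWORD PTR [eax+4]
 8759026:  85 c0                  test   eax,eax
 8759028:  74 2b                  je     8759055
 875902a:  8b 5d 10               mov    ebx,DWORD PTR [ebp+0x10]
 875902d:  0f b6 53 0d            movzx  edx,BYTE PTR [ebx+0xd]"""

def parse_listing(listing: str) -> tuple:
    """Return (start address, contiguous bytes); title and blank lines are skipped."""
    start, expected, out = None, None, bytearray()
    for m in filter(None, map(LINE_RE.match, listing.splitlines())):
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if start is None:
            start = addr
        elif addr != expected:  # a gap means the listing was mis-copied
            raise ValueError(f"gap at {addr:#x}, expected {expected:#x}")
        out += chunk
        expected = addr + len(chunk)
    return start, bytes(out)

def build_patch(original: str, patched: str) -> tuple:
    """Both listings must start at the same address and cover the same size."""
    o_addr, o_bytes = parse_listing(original)
    p_addr, p_bytes = parse_listing(patched)
    if o_addr != p_addr or len(o_bytes) != len(p_bytes):
        raise ValueError("listings do not cover the same range; do not apply")
    return o_bytes, p_bytes

def apply_patch(image: bytes, original: bytes, patched: bytes) -> bytes:
    """Replace the single occurrence of the original bytes. Refuse if they are
    absent (wrong version or already patched) or occur more than once."""
    pos = image.find(original)
    if pos < 0:
        raise ValueError("original bytes not found")
    if image.find(original, pos + 1) >= 0:
        raise ValueError("original bytes are not unique; refusing to guess")
    return image[:pos] + patched + image[pos + len(original):]
```

Searching for the original bytes instead of converting the virtual address to a file offset avoids the ELF/PE section arithmetic, at the cost of refusing when the sequence is not unique in the file.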
jrivett
Posts: 17
Joined: Sat Nov 26, 2011 8:03 pm
Location: Vancouver, Canada

Re: BF1942 Server Crash New Exploit!

Post by jrivett »

Grabbi wrote: the unknown person creating these exploits sells generated keys over his YouTube channel website link, coming from Sofia, Bulgaria, making thousands of euros and flooding the game with new keys.
...but that's another story (we can provide upon request)
Thanks for posting this info and the fixes. I run the Tanks n Planes Unlimited co-op server and although I haven't seen any evidence of someone using this new exploit to crash the server, I figure it's just a matter of time before it happens.

My server was getting crashed a lot a few weeks back; someone was using the previous hack. I deployed the patch I found here and the crashes stopped.

You mentioned that you could provide the details on the new exploit upon request. Could you possibly send them to me? I want to understand how to recognize this exploit when I see it.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

The previous exploit caused the server executable to loop infinitely, making it unresponsive and use all system resources. This new one causes it to crash due to an invalid argument; it displays an error dialog in Windows server executables.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

Patched Battlefield Vietnam Windows server executables:
http://estatistic.planetaclix.pt/downlo ... atched.zip
http://estatistic.planetaclix.pt/downlo ... atched.zip
It contains the fix to the previous exploit. Check out the other thread for details and the instruction code that changed.
The instruction code changes for this fix were:

Code:

bfvietnam_w32ded.exe v1.21 (original)
  495954:	8b d8                	mov    ebx,eax
  495956:	3b df                	cmp    ebx,edi
  495958:	0f 84 dd 06 00 00    	je     0x49603b
  49595e:	8b cb                	mov    ecx,ebx
  495960:	e8 8b 8b 14 00       	call   0x5de4f0
  495965:	85 c0                	test   eax,eax
  495967:	0f 84 ce 06 00 00    	je     0x49603b
  49596d:	0f b6 46 0d          	movzx  eax,BYTE PTR [esi+0xd]
  495971:	8b 7d 00             	mov    edi,DWORD PTR [ebp]
  495974:	6a 01                	push   1
  495976:	50                   	push   eax
  495977:	8b cb                	mov    ecx,ebx
  495979:	e8 72 8b 14 00       	call   0x5de4f0
  49597e:	50                   	push   eax
  49597f:	8b cd                	mov    ecx,ebp
  495981:	ff 97 84 01 00 00    	call   DWORD PTR [edi+0x184]
  495987:	e9 af 06 00 00       	jmp    0x49603b

Code:

bfvietnam_w32ded.exe v1.21 (patched)
  495954:	85 c0                	test   eax,eax
  495956:	74 21                	je     0x495979
  495958:	8b 40 04             	mov    eax,DWORD PTR [eax+4]
  49595b:	85 c0                	test   eax,eax
  49595d:	74 1a                	je     0x495979
  49595f:	0f b6 4e 0d          	movzx  ecx,BYTE PTR [esi+0xd]
  495963:	49                   	dec    ecx
  495964:	83 f9 01             	cmp    ecx,1
  495967:	77 10                	ja     0x495979
  495969:	41                   	inc    ecx
  49596a:	6a 01                	push   1
  49596c:	51                   	push   ecx
  49596d:	50                   	push   eax
  49596e:	8b 7d 00             	mov    edi,DWORD PTR [ebp]
  495971:	8b cd                	mov    ecx,ebp
  495973:	ff 97 84 01 00 00    	call   DWORD PTR [edi+0x184]
  495979:	e9 bd 06 00 00       	jmp    0x49603b
  49597e:	90 90 90 90 90 90 90 	nop
  495985:	90 90 90 90 90 90 90 	nop
The same instructions must be applied to bfvietnam_w32ded.exe v1.2; the beginning address, however, is at 0x00495864.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

Here are the instructions for the fix to Battlefield 1942 Demo server version 1.1:

Code:

BF1942Demo.exe v1.1 (original)
  63496e:	0f 84 0a 06 00 00    	je     0x634f7e
  634974:	8b 70 10             	mov    esi,DWORD PTR [eax+0x10]
  634977:	85 f6                	test   esi,esi
  634979:	0f 84 ff 05 00 00    	je     0x634f7e
  63497f:	8b ce                	mov    ecx,esi
  634981:	e8 fa 57 47 00       	call   0xaaa180
  634986:	85 c0                	test   eax,eax
  634988:	0f 84 f0 05 00 00    	je     0x634f7e
  63498e:	8b 3b                	mov    edi,DWORD PTR [ebx]
  634990:	33 c9                	xor    ecx,ecx
  634992:	8a 4d 0d             	mov    cl,BYTE PTR [ebp+0xd]
  634995:	51                   	push   ecx
  634996:	8b ce                	mov    ecx,esi
  634998:	e8 e3 57 47 00       	call   0xaaa180
  63499d:	50                   	push   eax
  63499e:	8b cb                	mov    ecx,ebx
  6349a0:	ff 97 28 01 00 00    	call   DWORD PTR [edi+0x128]
  6349a6:	e9 d3 05 00 00       	jmp    0x634f7e

Code:

BF1942Demo.exe v1.1 (patched)
  63496e:	74 28                	je     0x634998
  634970:	8b 70 10             	mov    esi,DWORD PTR [eax+0x10]
  634973:	85 f6                	test   esi,esi
  634975:	74 21                	je     0x634998
  634977:	89 f0                	mov    eax,esi
  634979:	8b 40 04             	mov    eax,DWORD PTR [eax+4]
  63497c:	85 c0                	test   eax,eax
  63497e:	74 18                	je     0x634998
  634980:	8b 3b                	mov    edi,DWORD PTR [ebx]
  634982:	33 c9                	xor    ecx,ecx
  634984:	8a 4d 0d             	mov    cl,BYTE PTR [ebp+0xd]
  634987:	49                   	dec    ecx
  634988:	83 f9 01             	cmp    ecx,1
  63498b:	77 0b                	ja     0x634998
  63498d:	41                   	inc    ecx
  63498e:	51                   	push   ecx
  63498f:	50                   	push   eax
  634990:	8b cb                	mov    ecx,ebx
  634992:	ff 97 28 01 00 00    	call   DWORD PTR [edi+0x128]
  634998:	e9 e1 05 00 00       	jmp    0x634f7e
  63499d:	90 90 90 90 90 90 90 	nop
  6349a4:	90 90 90 90 90 90 90 	nop
Patched file can be obtained from here:
http://estatistic.planetaclix.pt/downlo ... atched.zip
It also contains the fix to the previous exploit.
Keep in mind that the original server file was obtained from the package mpdemo_server_11.zip.
Last edited by tuia on Mon Nov 28, 2011 7:03 pm, edited 1 time in total.
jrivett
Posts: 17
Joined: Sat Nov 26, 2011 8:03 pm
Location: Vancouver, Canada

Re: BF1942 Server Crash New Exploit!

Post by jrivett »

tuia wrote:The previous exploit caused the server executable to loop infinitely, making it unresponsive and use all system resources. This new one causes it to crash due to an invalid argument, it displays an error dialog in Windows server executables.
Thanks for that. It looks like my server hasn't been hit by this one yet.

I'm curious: what debugging tools are you using for Windows?
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

OllyDbg for debugging, IDA Pro Free for disassembling and Hiew for hex editing. For Linux programs I use GDB for debugging.
jrivett
Posts: 17
Joined: Sat Nov 26, 2011 8:03 pm
Location: Vancouver, Canada

Re: BF1942 Server Crash New Exploit!

Post by jrivett »

Sweet. Thanks. I was already playing with IDA Pro, but hadn't heard of OllyDbg. Would you recommend the paid version of Hiew?
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

Play around with the Hiew32 Demo; although it lacks some really handy features like the F2 key assembler function, you can hex edit easily. If you hex edit a lot I recommend getting the paid version.
tuia
Posts: 129
Joined: Tue Sep 06, 2011 12:36 pm
Location: Lisbon, Portugal

Re: BF1942 Server Crash New Exploit!

Post by tuia »

Fix for Battlefield 1942 Demo version 1.0:

Code:

BF1942Demo v1.0 (original)
  62dda5:	0f 84 58 07 00 00    	je     0x62e503
  62ddab:	8b 78 10             	mov    edi,DWORD PTR [eax+0x10]
  62ddae:	3b fe                	cmp    edi,esi
  62ddb0:	0f 84 4d 07 00 00    	je     0x62e503
  62ddb6:	8b cf                	mov    ecx,edi
  62ddb8:	e8 83 da 46 00       	call   0xa9b840
  62ddbd:	85 c0                	test   eax,eax
  62ddbf:	0f 84 3e 07 00 00    	je     0x62e503
  62ddc5:	8b 33                	mov    esi,DWORD PTR [ebx]
  62ddc7:	33 c9                	xor    ecx,ecx
  62ddc9:	8a 4d 0d             	mov    cl,BYTE PTR [ebp+0xd]
  62ddcc:	51                   	push   ecx
  62ddcd:	8b cf                	mov    ecx,edi
  62ddcf:	e8 6c da 46 00       	call   0xa9b840
  62ddd4:	50                   	push   eax
  62ddd5:	8b cb                	mov    ecx,ebx
  62ddd7:	ff 96 28 01 00 00    	call   DWORD PTR [esi+0x128]
  62dddd:	e9 21 07 00 00       	jmp    0x62e503

Code:

BF1942Demo v1.0 (patched)
  62dda5:	74 28                	je     0x62ddcf
  62dda7:	8b 78 10             	mov    edi,DWORD PTR [eax+0x10]
  62ddaa:	3b fe                	cmp    edi,esi
  62ddac:	74 21                	je     0x62ddcf
  62ddae:	89 f8                	mov    eax,edi
  62ddb0:	8b 40 04             	mov    eax,DWORD PTR [eax+4]
  62ddb3:	85 c0                	test   eax,eax
  62ddb5:	74 18                	je     0x62ddcf
  62ddb7:	8b 33                	mov    esi,DWORD PTR [ebx]
  62ddb9:	33 c9                	xor    ecx,ecx
  62ddbb:	8a 4d 0d             	mov    cl,BYTE PTR [ebp+0xd]
  62ddbe:	49                   	dec    ecx
  62ddbf:	83 f9 01             	cmp    ecx,1
  62ddc2:	77 0b                	ja     0x62ddcf
  62ddc4:	41                   	inc    ecx
  62ddc5:	51                   	push   ecx
  62ddc6:	50                   	push   eax
  62ddc7:	8b cb                	mov    ecx,ebx
  62ddc9:	ff 96 28 01 00 00    	call   DWORD PTR [esi+0x128]
  62ddcf:	e9 2f 07 00 00       	jmp    0x62e503
  62ddd4:	90 90 90 90 90 90 90 	nop
  62dddb:	90 90 90 90 90 90 90 	nop
You can download the patched file from here:
http://estatistic.planetaclix.pt/downlo ... atched.zip
This also contains the fix to the previous exploit. Please note that this is the server file, obtained from bf1942_mpdemo_server.exe.