====================================================================================
#
# this file has been created for the Lame patcher (lpatch) program, available for
# both *nix and Windows platforms.
# You need this program to apply the patch to your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this codmapboffix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch codmapboffix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game

TITLE
    Call of Duty 1 / UO / 2 fix for the callvote buffer-overflow 0.1 (Windows and Linux)
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web:    aluigi.org

INTRO
    This unofficial patch for Call of Duty 2 is able to fix the following bug:
    .
    . http://aluigi.org/adv/codmapbof-adv.txt
    .
    If you are unsure whether your server is vulnerable, use the proof-of-concept
    provided there.
    .
    The solution I have adopted for this bug is to limit the length of the input
    map name to at most 63 chars (by masking the length with an AND instruction)
    .
    The patch is available only for the latest releases, for both Windows and Linux,
    of the games Call of Duty (1.5b), Call of Duty United Offensive (1.51b) and Call
    of Duty 2 (1.3); older versions will NOT be supported by me, so don't ask.

FILE
    CoD2MP_s.exe;cod2_lnxded;CoDMP*.exe;cod*_lnxded

ONLY_ONE

    ### WINDOWS ###
    # CoD2MP_s.exe

BYTES_ORIGINAL
    8B CB                   ; mov ecx, ebx          ecx = byte count, taken from ebx with no bound in this window
    8B D1                   ; mov edx, ecx          edx keeps the full count for the byte tail
    C1 E9 02                ; shr ecx, 02           ecx = count / 4 (dword pass)
    BF 90 67 9A 01          ; mov edi, 019A6790     edi = fixed destination buffer (its size is not visible here)
    F3 A5                   ; rep movsd             dword copy
    8B CA                   ; mov ecx, edx
    83 E1 03                ; and ecx, 003          ecx = count % 4
    F3 A4                   ; rep movsb             byte tail; total bytes written = the unchecked count

BYTES_PATCH
    83 E3 3F                ; and ebx, 03F          bound the count to 0..63 (a mask, not a clamp: 64 -> 0, 65 -> 1, ...)
    8B CB                   ; mov ecx, ebx          (unchanged)
    8B D1                   ; mov edx, ecx          (unchanged)
    90 90 90                ; nop nop nop           replaces shr ecx,02: no dword pass any more
    BF 90 67 9A 01          ; mov edi, 019A6790     (unchanged destination)
    90 90                   ; nop nop               replaces rep movsd
    8B CA                   ; mov ecx, edx          ecx = masked count; the 3-byte and ecx,003 is dropped, which makes room for the new and ebx,03F
    F3 A4                   ; rep movsb             writes at most 63 bytes; patch is 21 bytes like the original, so nothing after it shifts

    # CoDMP*.exe

BYTES_ORIGINAL
    8B C8                   ; mov ecx, eax          ecx = byte count, taken from eax with no bound in this window
    8B D1                   ; mov edx, ecx          edx keeps the full count for the byte tail
    C1 E9 02                ; shr ecx, 02           ecx = count / 4 (dword pass)
    8B F3                   ; mov esi, ebx          esi = source
    8D 7C 24 0C             ; lea edi, dword[esp+0C] edi = destination on the stack (buffer size not visible here)
    F3 A5                   ; rep movsd             dword copy
    8B CA                   ; mov ecx, edx
    83 E1 03                ; and ecx, 003          ecx = count % 4
    F3 A4                   ; rep movsb             byte tail; total bytes written = the unchecked count

BYTES_PATCH
    83 E0 3F                ; and eax, 03F          bound the count to 0..63 (a mask, not a clamp: 64 -> 0, 65 -> 1, ...)
    8B C8                   ; mov ecx, eax          (unchanged)
    8B D1                   ; mov edx, ecx          (unchanged)
    90 90 90                ; nop nop nop           replaces shr ecx,02: no dword pass any more
    8B F3                   ; mov esi, ebx          (unchanged)
    8D 7C 24 0C             ; lea edi, dword[esp+0C] (unchanged destination)
    8B CA                   ; mov ecx, edx          ecx = masked count
    90 90                   ; nop nop               rep movsd and and ecx,003 are gone; together with the nops this keeps the patch at the original 22 bytes
    F3 A4                   ; rep movsb             writes at most 63 bytes into the stack buffer at esp+0C

    ### LINUX ###

RVA
    8048000                 ; IMPORTANT! base address of the i386 ELF image; presumably lpatch uses it to map the virtual addresses noted below onto file offsets

    # cod2_lnxded
    # 8066111

BYTES_ORIGINAL
    8d 45 fc                ; lea    eax,[ebp-4]
    83 28 07                ; sub    DWORD PTR [eax],0x7            [ebp-4] -= 7 (wraps to a huge value if it was below 7)
    8b 45 fc                ; mov    eax,DWORD PTR [ebp-4]          eax = adjusted count
    89 44 24 08             ; mov    DWORD PTR [esp+8],eax          memcpy arg 3: n, no bound in this window
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    89 44 24 04             ; mov    DWORD PTR [esp+4],eax          memcpy arg 2: src = first argument of the enclosing function
    c7 04 24 00 95 1e 08    ; mov    DWORD PTR [esp],0x81e9500      memcpy arg 1: dst = fixed global buffer (size not visible here)
    e8 2e 42 fe ff          ; call   804a344 <memcpy@plt>

BYTES_PATCH
    ?? ?? ??                ; wildcards, presumably "keep as is":     lea    eax,[ebp-4]
    ?? ?? ??                ;                                         sub    DWORD PTR [eax],0x7
    ?? ?? ??                ;                                         mov    eax,DWORD PTR [ebp-4]
    83 e0 3f                ; and    eax,0x3f                       n = count & 63; bounded to 0..63 even when the sub above wrapped (mask, not clamp: 64 -> 0)
    50                      ; push   eax                            arg 3: n
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    50                      ; push   eax                            arg 2: src
    68 |81e9500             ; push   0x81e9500                      arg 1: dst ('|' looks like lpatch's absolute-address notation, confirm against its docs)
    e8 ^804a344             ; call   804a344 <memcpy@plt>           '^' looks like lpatch's call-target notation, displacement recomputed for this spot
    83 c4 0c                ; add    esp,0xc                        pop the three pushed args; pushes replace the esp-relative stores to free the 3 bytes the and needs
    90 90                   ; nop nop                               patch is 32 bytes like the original, so nothing after it shifts

    # cod_lnxded specific
    # 80875be

BYTES_ORIGINAL
    8d 45 b4                ; lea    eax,[ebp-76]
    83 28 04                ; sub    DWORD PTR [eax],0x4            [ebp-76] -= 4 (wraps to a huge value if it was below 4)
    8b 45 b4                ; mov    eax,DWORD PTR [ebp-76]         eax = adjusted count
    89 44 24 08             ; mov    DWORD PTR [esp+8],eax          memcpy arg 3: n, no bound in this window
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    89 44 24 04             ; mov    DWORD PTR [esp+4],eax          memcpy arg 2: src = first argument of the enclosing function
    8d 45 b8                ; lea    eax,[ebp-72]
    89 04 24                ; mov    DWORD PTR [esp],eax            memcpy arg 1: dst = local buffer at ebp-72, i.e. on the stack below saved ebp
    e8 29 26 fc ff          ; call   8049bec <memcpy@plt>

BYTES_PATCH
    ?? ?? ??                ; wildcards, presumably "keep as is":     lea    eax,[ebp-76]
    ?? ?? ??                ;                                         sub    DWORD PTR [eax],0x4
    ?? ?? ??                ;                                         mov    eax,DWORD PTR [ebp-76]
    83 e0 3f                ; and    eax,0x3f                       n = count & 63 (mask, not clamp); 63 bytes from ebp-72 end at ebp-9, below saved ebp and the return address
    50                      ; push   eax                            arg 3: n
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    50                      ; push   eax                            arg 2: src
    8d 45 b8                ; lea    eax,[ebp-72]
    50                      ; push   eax                            arg 1: dst (unchanged local buffer)
    e8 ^8049bec             ; call   8049bec <memcpy@plt>           '^' looks like lpatch's call-target notation, displacement recomputed for this spot
    83 c4 0c                ; add    esp,0xc                        pop the three pushed args; pushes replace the esp-relative stores to free the 3 bytes the and needs
    90 90                   ; nop nop                               patch is 31 bytes like the original, so nothing after it shifts

    ; coduo_lnxded specific
    ; 80880a6

BYTES_ORIGINAL
    8d 45 b4                ; lea    eax,[ebp-76]                   same sequence as cod_lnxded, only the memcpy PLT address differs
    83 28 04                ; sub    DWORD PTR [eax],0x4            [ebp-76] -= 4 (wraps to a huge value if it was below 4)
    8b 45 b4                ; mov    eax,DWORD PTR [ebp-76]         eax = adjusted count
    89 44 24 08             ; mov    DWORD PTR [esp+8],eax          memcpy arg 3: n, no bound in this window
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    89 44 24 04             ; mov    DWORD PTR [esp+4],eax          memcpy arg 2: src = first argument of the enclosing function
    8d 45 b8                ; lea    eax,[ebp-72]
    89 04 24                ; mov    DWORD PTR [esp],eax            memcpy arg 1: dst = local buffer at ebp-72, i.e. on the stack below saved ebp
    e8 c1 1b fc ff          ; call   8049c6c <memcpy@plt>

BYTES_PATCH
    ?? ?? ??                ; wildcards, presumably "keep as is":     lea    eax,[ebp-76]
    ?? ?? ??                ;                                         sub    DWORD PTR [eax],0x4
    ?? ?? ??                ;                                         mov    eax,DWORD PTR [ebp-76]
    83 e0 3f                ; and    eax,0x3f                       n = count & 63 (mask, not clamp); 63 bytes from ebp-72 end at ebp-9, below saved ebp and the return address
    50                      ; push   eax                            arg 3: n
    8b 45 08                ; mov    eax,DWORD PTR [ebp+8]
    50                      ; push   eax                            arg 2: src
    8d 45 b8                ; lea    eax,[ebp-72]
    50                      ; push   eax                            arg 1: dst (unchanged local buffer)
    e8 ^8049c6c             ; call   8049c6c <memcpy@plt>           '^' looks like lpatch's call-target notation, displacement recomputed for this spot
    83 c4 0c                ; add    esp,0xc                        pop the three pushed args; pushes replace the esp-relative stores to free the 3 bytes the and needs
    90 90                   ; nop nop                               patch is 31 bytes like the original, so nothing after it shifts

====================================================================================
