====================================================================================
#
# this file has been created for the Lame patcher program, available for both *nix
# and Windows platforms.
# You need this program to apply the patch to your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this etwsfix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch etwsfix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game
#
# Notes for readers of this file:
# - lpatch should only write BYTES_PATCH where BYTES_ORIGINAL matches, so an
#   unsupported build is expected to be left untouched rather than half-patched
# - ET Pro contains the vulnerable code in two places, which is why ONLY_ONE is
#   commented out below: both locations must be patched
# - every variant of the fix is the same three instructions inserted before the
#   array access: cmp eax,15 / jbe +2 / xor eax,eax (bytes 83 F8 15 76 02 33 C0);
#   where the comment gives the jbe target as an absolute address, it was carried
#   over from the disassembly and only means "skip the next 2 bytes"

TITLE
Enemy Territory 2.55/2.60b and ET Pro 3.1.0/3.2.6 Cmd_WeaponStat_f fix 0.1 (Windows and Linux)
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
This unofficial patch for Enemy Territory addresses the problem described here:
.
.  http://www.tommyserver.de/et.php
.
This bug, exploitable with an in-game command like \ws 99999999, is located in the
following code of the ET SDK in the file game\g_cmds.c:
.
.  void Cmd_WeaponStat_f ( gentity_t* ent ) {
.    ...
.    trap_Argv( 1, buffer, 16 );
.    stat = atoi(buffer);
.
.    trap_SendServerCommand( ent-g_entities, va( "rws %i %i",
.      ent->client->sess.aWeaponStats[stat].atts, ent->client->sess.aWeaponStats[stat].hits ) );
.
The value returned by atoi() is used directly as an index into aWeaponStats with no
range check, so any connected client can make the server read outside that array.
The result is either a server crash or the disclosure of two integers of server
memory, since the values read are sent back to the client in the "rws" command.
.
This patch fixes the problem by clamping the index before it is used: if the value
is above 0x15 (the highest index the patch accepts) it is replaced with 0. The
compare is unsigned, so negative values such as \ws -1 are caught as well.
Out-of-range requests therefore silently return the stats of weapon 0 instead of
being rejected; the server is protected, but clients are not told they sent garbage.
.
This fix is available only for the versions of the game specified in the title of
this patch, although it may work on others too; in any case don't ask about
additional versions. The patched file (qagame_mp_x86.dll / qagame.mp.i386.so) is
part of the mod, so a mod update will normally overwrite it: check that the fix is
still present (or that the new version is already fixed) after every update.
.
Although this patch also supports ET Pro, I highly suggest using the lua script of
ReyalP with this mod (if lua is supported by the version of ET Pro you use), which
fixes other ET specific bugs too:
.
http://www.collectivecomputing.com/~reed/et/lua/combinedfixes.lua FILE qagame_mp_x86.dll;qagame.mp.i386.so //ONLY_ONE not only one because etpro has the vulnerable code in two locations and I don't know why // 2.60b BYTES_ORIGINAL 8D 14 80 ; lea edx, dword ptr [eax+4*eax] 8B 86 90 01 00 00 ; mov eax, dword ptr [esi+00000190] 8B 8C 90 78 0B 00 00 ; mov ecx, dword ptr [eax+4*edx+00000B78] 8D 04 90 ; lea eax, dword ptr [eax+4*edx] *3A cc cc cc cc cc cc cc cc cc BYTES_PATCH EB 4B ; jmp patch 6B C0 14 ; imul eax, 00000014 03 86 90 01 00 00 ; add eax, dword ptr [esi+00000190] 8B 88 78 0B 00 00 ; mov ecx, dword ptr [eax+00000B78] 90 ; nop 90 ; nop *3A 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe +2 33 C0 ; xor eax, eax EB AC ; jmp code // 2.60b (nops) BYTES_ORIGINAL 8D 14 80 ; lea edx, dword ptr [eax+4*eax] 8B 86 90 01 00 00 ; mov eax, dword ptr [esi+00000190] 8B 8C 90 78 0B 00 00 ; mov ecx, dword ptr [eax+4*edx+00000B78] 8D 04 90 ; lea eax, dword ptr [eax+4*edx] *3A 90 90 90 90 90 90 90 90 90 BYTES_PATCH EB 4B ; jmp patch 6B C0 14 ; imul eax, 00000014 03 86 90 01 00 00 ; add eax, dword ptr [esi+00000190] 8B 88 78 0B 00 00 ; mov ecx, dword ptr [eax+00000B78] 90 ; nop 90 ; nop *3A 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe +2 33 C0 ; xor eax, eax EB AC ; jmp code // 2.55 BYTES_ORIGINAL 8D 14 80 ; lea edx, dword ptr [eax+4*eax] 8B 86 8C 01 00 00 ; mov eax, dword ptr [esi+0000018C] 8B 8C 90 78 0B 00 00 ; mov ecx, dword ptr [eax+4*edx+00000B78] 8D 04 90 ; lea eax, dword ptr [eax+4*edx] *3A 90 90 90 90 90 90 90 90 90 BYTES_PATCH EB 4B ; jmp patch 6B C0 14 ; imul eax, 00000014 03 86 8C 01 00 00 ; add eax, dword ptr [esi+0000018C] 8B 88 78 0B 00 00 ; mov ecx, dword ptr [eax+00000B78] 90 ; nop 90 ; nop *3A 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe +2 33 C0 ; xor eax, eax EB AC ; jmp code // etpro 3.2.6 BYTES_ORIGINAL 8B 7C 24 2C ; mov edi, dword ptr [esp+2C] 8D 04 80 ; lea eax, dword ptr [eax+4*eax] C1 E0 02 ; shl eax, 02 8B 8F 90 01 00 00 ; mov ecx, dword ptr [edi+00000190] 8B 94 01 D8 
16 00 00 ; mov edx, dword ptr [ecx+eax+000016D8] 89 54 24 08 ; mov dword ptr [esp+08], edx 8B 9C 01 CC 16 00 00 ; mov ebx, dword ptr [ecx+eax+000016CC] C7 04 24 35 02 0F 20 ; mov dword ptr [esp], 200F0235 89 5C 24 04 ; mov dword ptr [esp+04], ebx BYTES_PATCH 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 8B 7C 24 2C ; mov edi, dword ptr [esp+2C] 6B C8 14 ; imul ecx, eax, 00000014 03 8F 90 01 00 00 ; add ecx, dword ptr [edi+00000190] 8B 91 D8 16 00 00 ; mov edx, dword ptr [ecx+000016D8] 8B 99 CC 16 00 00 ; mov ebx, dword ptr [ecx+000016CC] 83 C4 0C ; add esp, 0000000C 52 ; push edx 53 ; push ebx 68 35 02 0F 20 ; push 200F0235 90 90 90 // etpro 3.2.6 (not needed) BYTES_ORIGINAL 8B 8E 90 01 00 00 ; mov ecx, dword ptr [esi+00000190] 8D 04 80 ; lea eax, dword ptr [eax+4*eax] C1 E0 02 ; shl eax, 02 81 EE 70 94 10 22 ; sub esi, 22109470 8B 94 01 D8 16 00 00 ; mov edx, dword ptr [ecx+eax+000016D8] C1 FE 03 ; sar esi, 03 89 54 24 08 ; mov dword ptr [esp+08], edx 8B 9C 01 CC 16 00 00 ; mov ebx, dword ptr [ecx+eax+000016CC] C7 04 24 35 02 0F 20 ; mov dword ptr [esp], 200F0235 89 5C 24 04 ; mov dword ptr [esp+04], ebx BYTES_PATCH 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 6B C8 14 ; imul ecx, eax, 00000014 03 8E 90 01 00 00 ; add ecx, dword ptr [esi+00000190] 81 EE 70 94 10 22 ; sub esi, 22109470 C1 FE 03 ; sar esi, 03 8B 91 D8 16 00 00 ; mov edx, dword ptr [ecx+000016D8] 8B 99 CC 16 00 00 ; mov ebx, dword ptr [ecx+000016CC] 83 C4 0C ; add esp, 0000000C 52 ; push edx 53 ; push ebx 68 35 02 0F 20 ; push 200F0235 90 90 90 // etpro 3.1.0 BYTES_ORIGINAL 8B 8E 90 01 00 00 ; mov ecx, dword ptr [esi+00000190] 83 C4 20 ; add esp, 00000020 83 C4 F8 ; add esp, FFFFFFF8 83 C4 FC ; add esp, FFFFFFFC 8D 04 80 ; lea eax, dword ptr [eax+4*eax] C1 E0 02 ; shl eax, 02 8B 94 08 CC 15 00 00 ; mov edx, dword ptr [eax+ecx+000015CC] 52 ; push edx 8B 84 08 C0 15 00 00 ; mov eax, dword ptr [eax+ecx+000015C0] 50 ; push eax BYTES_PATCH ?? ?? ?? ?? ?? 
?? 83 C4 14 ; add esp, 00000014 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 20043FE2 33 C0 ; xor eax, eax 6B C0 14 ; imul eax, 00000014 90 90 ##### // linux 2.60b BYTES_ORIGINAL 8B B7 90 01 00 00 ; mov esi, dword ptr [edi+00000190] 8D 0C 80 ; lea ecx, dword ptr [eax+4*eax] C1 E1 02 ; shl ecx, 02 01 F1 ; add ecx, esi 8B B1 78 0B 00 00 ; mov esi, dword ptr [ecx+00000B78] 89 74 24 08 ; mov dword ptr [esp+08], esi 8B B1 6C 0B 00 00 ; mov esi, dword ptr [ecx+00000B6C] 8D 8B BD 8E FE FF ; lea ecx, dword ptr [ebx+FFFE8EBD] 89 0C 24 ; mov dword ptr [esp], ecx 89 74 24 04 ; mov dword ptr [esp+04], esi BYTES_PATCH 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 6B C8 14 ; imul ecx, eax, 00000014 03 8F 90 01 00 00 ; add ecx, dword ptr [edi+00000190] 83 C4 0C ; add esp, 0000000C 8B B1 78 0B 00 00 ; mov esi, dword ptr [ecx+00000B78] 56 ; push esi 8B B1 6C 0B 00 00 ; mov esi, dword ptr [ecx+00000B6C] 8D 8B BD 8E FE FF ; lea ecx, dword ptr [ebx+FFFE8EBD] 56 ; push esi 51 ; push ecx 90 90 90 // linux 2.55/2.56 BYTES_ORIGINAL 8B 8F ?? 01 00 00 ; mov ecx, dword ptr [edi+00000190] 83 C4 10 ; add esp, 00000010 8D 04 80 ; lea eax, dword ptr [eax+4*eax] 83 C4 F8 ; add esp, FFFFFFF8 C1 E0 02 ; shl eax, 02 83 C4 FC ; add esp, FFFFFFFC 8B 94 08 78 0B 00 00 ; mov edx, dword ptr [eax+ecx+00000B78] 52 ; push edx 8B 84 08 6C 0B 00 00 ; mov eax, dword ptr [eax+ecx+00000B6C] 50 ; push eax 8D 83 ?? ?? ?? ?? ; lea eax, dword ptr [ebx+FFFE73FA] 50 ; push eax BYTES_PATCH ?? ?? ?? ?? ?? ?? 
83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 5A ; pop edx 90 8D 04 80 ; lea eax, dword ptr [eax+4*eax] C1 E0 02 ; shl eax, 02 // etpro 3.1.0 BYTES_ORIGINAL 8B 97 90 01 00 00 ; mov edx, dword ptr [edi+00000190] 8D 04 80 ; lea eax, dword ptr [eax+4*eax] 83 C4 0C ; add esp, 0000000C 83 C2 0C ; add edx, 0000000C 8D 04 85 C0 15 00 00 ; lea eax, dword ptr [4*eax+000015C0] FF 34 10 ; push dword ptr [eax+edx] 03 87 90 01 00 00 ; add eax, dword ptr [edi+00000190] FF 30 ; push dword ptr [eax] 8D 83 A3 3E FE FF ; lea eax, dword ptr [ebx+FFFE3EA3] 50 ; push eax BYTES_PATCH 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 6B D0 14 ; imul edx, eax, 00000014 03 97 90 01 00 00 ; add edx, dword ptr [edi+00000190] 83 C4 0C ; add esp, 0000000C 8B 82 CC 15 00 00 ; mov eax, dword ptr [edx+000015CC] 50 ; push eax 8B 82 C0 15 00 00 ; mov eax, dword ptr [edx+000015C0] 50 ; push eax 8D 83 A3 3E FE FF ; lea eax, dword ptr [ebx+FFFE3EA3] 50 ; push eax // etpro 3.2.6 BYTES_ORIGINAL 8B 8F 90 01 00 00 ; mov ecx, dword ptr [edi+00000190] 8D 93 5C 84 FE FF ; lea edx, dword ptr [ebx+FFFE845C] 8D 04 80 ; lea eax, dword ptr [eax+4*eax] C1 E0 02 ; shl eax, 02 8B B4 08 D8 16 00 00 ; mov esi, dword ptr [eax+ecx+000016D8] 89 74 24 08 ; mov dword ptr [esp+08], esi 8B B4 08 CC 16 00 00 ; mov esi, dword ptr [eax+ecx+000016CC] 89 14 24 ; mov dword ptr [esp], edx 89 74 24 04 ; mov dword ptr [esp+04], esi BYTES_PATCH 83 F8 15 ; cmp eax, 00000015 76 02 ; jbe 2004C7C6 33 C0 ; xor eax, eax 6B C8 14 ; imul ecx, eax, 00000014 03 8F 90 01 00 00 ; add ecx, dword ptr [edi+00000190] 83 C4 0C ; add esp, 0000000C 8D 93 5C 84 FE FF ; lea edx, dword ptr [ebx+FFFE845C] 8B B1 D8 16 00 00 ; mov esi, dword ptr [ecx+000016D8] 56 ; push esi 8B B1 CC 16 00 00 ; mov esi, dword ptr [ecx+000016CC] 56 ; push esi 52 ; push edx 90 90 90 ====================================================================================