====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this kailleraexfix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch kailleraexfix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game

TITLE
Kaillera 0.86 code execution fix 0.1 (Windows, Linux and BSD)
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
This unofficial patch refers to the following security bug:
.
.   http://aluigi.org/adv/kailleraex-adv.txt
.
The patch works with the Windows/Linux/BSD versions of the dedicated server of Kaillera 0.86.
.
NOTE THAT THE WINDOWS EXECUTABLE IS COMPRESSED WITH UPX, SO YOU MUST UNCOMPRESS IT BEFORE APPLYING THIS PATCH!!!
.
.   http://upx.sourceforge.net
.   upx -d kaillerasrv.exe
.
Note: if you test your server with my proof-of-concept (kailleraex) after having patched your executable, you will still see the "vulnerable" message; don't worry and ignore it.

FILE
kaillerasrv*

ONLY_ONE

### WINDOWS ###
BYTES_ORIGINAL
33 C9          ; xor ecx, ecx
8A 06          ; mov al, byte[esi]
57             ; push edi
84 C0          ; test al, al
74 0C          ; je 00401A06
46             ; inc esi
88 44 0B 04    ; mov byte[ebx+ecx+04], al
41             ; inc ecx
8A 06          ; mov al, byte[esi]
84 C0          ; test al, al
75 F4          ; jne 004019FA

BYTES_PATCH
33 C9          ; xor ecx, ecx
57             ; push edi
8A 06          ; mov al, byte[esi]
84 C0          ; test al, al
74 0c          ; je +0c
46             ; inc esi
88 44 0B 04    ; mov byte[ebx+ecx+04], al
41             ; inc ecx
83 f9 1f       ; cmp ecx,0x1f
72 ef          ; jb -11
90             ; nop

### LINUX ###
BYTES_ORIGINAL
80 7a 01 00    ; cmp BYTE PTR [edx+1],0x0
74 0e          ; je 804f6d1
89 ea          ; mov edx,ebp
8a 03          ; mov al,BYTE PTR [ebx]
88 04 11       ; mov BYTE PTR [ecx+edx],al
43             ; inc ebx
41             ; inc ecx
80 3b 00       ; cmp BYTE PTR [ebx],0x0
75 f4          ; jne 804f6c5

BYTES_PATCH
89 ea          ; mov edx,ebp
80 3b 00       ; cmp BYTE PTR [ebx],0x0
74 0d          ; je +0d
8a 03          ; mov al,BYTE PTR [ebx]
88 04 11       ; mov BYTE PTR [ecx+edx],al
43             ; inc ebx
41             ; inc ecx
83 f9 1f       ; cmp ecx,0x1f
72 ef          ; jb -11
90             ; nop

### BSD ###
BYTES_ORIGINAL
80 7a 01 00    ; cmp BYTE PTR [edx+1],0x0
74 12          ; je 805029c
8d 57 04       ; lea edx,[edi+4]
8d 76 00       ; lea esi,[esi]
8a 03          ; mov al,BYTE PTR [ebx]
88 04 11       ; mov BYTE PTR [ecx+edx],al
43             ; inc ebx
41             ; inc ecx
80 3b 00       ; cmp BYTE PTR [ebx],0x0
75 f4          ; jne 8050290

BYTES_PATCH
8d 57 04       ; lea edx,[edi+4]
8d 76 00       ; lea esi,[esi]
80 3b 00       ; cmp BYTE PTR [ebx],0x0
74 0d          ; je +0d
8a 03          ; mov al,BYTE PTR [ebx]
88 04 11       ; mov BYTE PTR [ecx+edx],al
43             ; inc ebx
41             ; inc ecx
83 f9 1f       ; cmp ecx,0x1f
72 ef          ; jb -11
90             ; nop
====================================================================================
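The three BYTES_ORIGINAL/BYTES_PATCH pairs above all rewrite the same kind of loop: the original bytes copy a NUL-terminated string one byte at a time into a fixed field and stop only at the terminator, and the patch adds a `cmp ecx,0x1f / jb` so that at most 31 bytes are stored. The C below is an added illustration of that change; it is not part of this .lpatch file and not Kaillera code. The field layout (a 32-byte field 4 bytes into a structure, followed by a canary), the names, and the 40-byte test string are assumptions chosen to mirror `mov byte[ebx+ecx+04], al`; the server's real data structures are not described here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the .lpatch file or from Kaillera.  Models the
 * copy loop that the patch rewrites.  Layout and sizes are assumptions. */

#define FIELD_SIZE 32          /* assumed size of the destination field */
#define COPY_LIMIT 0x1f        /* the bound the patch introduces (31 bytes) */
#define LONG_INPUT_LEN 40      /* constructed over-long input, > FIELD_SIZE */

struct record {
    unsigned char header[4];   /* stands in for the 4 bytes before the field */
    unsigned char field[FIELD_SIZE];
    unsigned char canary[16];  /* lets the test observe an overflow */
};

/* Unbounded loop, equivalent to BYTES_ORIGINAL.  Returns bytes written. */
static size_t copy_original(struct record *r, const char *src)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct record, field);
    size_t i = 0;
    while (src[i] != '\0') {              /* test al,al / jne: only NUL stops it */
        dst[i] = (unsigned char)src[i];   /* mov byte[ebx+ecx+04], al */
        i++;                              /* inc ecx */
    }
    return i;
}

/* Bounded loop, equivalent to BYTES_PATCH.  Returns bytes written. */
static size_t copy_patched(struct record *r, const char *src)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct record, field);
    size_t i = 0;
    for (;;) {
        if (src[i] == '\0')               /* test al,al / je: terminator ends copy */
            break;
        dst[i] = (unsigned char)src[i];   /* mov byte[ebx+ecx+04], al */
        i++;                              /* inc ecx */
        if (i >= COPY_LIMIT)              /* cmp ecx,0x1f / jb: stop after 31 */
            break;
    }
    return i;
}

/* Runs one copy into a zeroed record whose canary is filled with 0xAA. */
static size_t do_copy(struct record *r, int use_patched, const char *src)
{
    memset(r, 0, sizeof *r);
    memset(r->canary, 0xAA, sizeof r->canary);
    return use_patched ? copy_patched(r, src) : copy_original(r, src);
}

size_t bytes_copied(int use_patched, const char *src)
{
    struct record r;
    return do_copy(&r, use_patched, src);
}

/* 1 if the canary after the field is untouched, 0 if the copy ran into it. */
int canary_survives(int use_patched, const char *src)
{
    struct record r;
    size_t k;
    do_copy(&r, use_patched, src);
    for (k = 0; k < sizeof r.canary; k++)
        if (r.canary[k] != 0xAA)
            return 0;
    return 1;
}

/* Constructed input: LONG_INPUT_LEN bytes of 'A', longer than the field but
 * short enough that the unbounded copy stays inside the canary. */
const char *long_input(void)
{
    static char buf[LONG_INPUT_LEN + 1];
    memset(buf, 'A', LONG_INPUT_LEN);
    buf[LONG_INPUT_LEN] = '\0';
    return buf;
}

int main(void)
{
    const char *in = long_input();
    printf("original: %zu bytes written, canary %s\n", bytes_copied(0, in),
           canary_survives(0, in) ? "intact" : "overwritten");
    printf("patched : %zu bytes written, canary %s\n", bytes_copied(1, in),
           canary_survives(1, in) ? "intact" : "overwritten");
    return 0;
}
```

In this model the patched loop does not write a terminator itself; the field is zeroed beforehand, so stopping at 31 bytes leaves the last byte 0. Whether the real server relies on the same property is not stated on this page.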