====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step
# - launch lpatch.exe
# - select this mohaaboffix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game

TITLE
Medal of Honor buffer-overflow fix 0.1 (Windows)
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
This unofficial patch fixes the bug described here:
.
.  http://aluigi.org/adv/mohaaboffix-adv.txt
.
The vulnerable games which can be fixed by this patch are the following:
.
Allied Assault <= 1.11v9
Spearhead      <= 2.15
Breakthrough   <= 2.40b
.
If you are unsure whether your server is vulnerable, use the
proof-of-concept provided in the advisory.
.
This patch automatically finds the bytes to modify in any given Medal of
Honor executable and fixes them by adding a check that limits query and
reply values to 255 bytes, so an oversized value can no longer cause a
crash or code execution. The original buggy code contains a lot of wasted
instructions, so the fix also saves some CPU cycles during the handling of
queries and replies.
.
Remember that if you want to fix a normal game executable (such as
moh_spearhead.exe, mohaa.exe or moh_breakthrough.exe) you NEED the
decrypted executable (also known as No-CD), because Medal of Honor uses
the Safedisc protection which encrypts the executables.

FILE
moh*.exe

COMMENT
The following is the disassembled code of the patch (the offsets refer to
the MOHAA dedicated server):
.
:00428FAD B0FF          mov al, FF
:00428FAF 8B4D08        mov ecx, dword ptr [ebp+08]
:00428FB2 8B9DF4FBFFFF  mov ebx, dword ptr [ebp+FFFFFBF4]
.
:00428FB8 8A11          mov dl, byte ptr [ecx]
:00428FBA 80FA5C        cmp dl, 5C
:00428FBD 7426          je 00428FE5
:00428FBF 84D2          test dl, dl
:00428FC1 0F84A3010000  je 0042916A
:00428FC7 8813          mov byte ptr [ebx], dl
:00428FC9 41            inc ecx
:00428FCA 43            inc ebx
:00428FCB FEC8          dec al
:00428FCD 84C0          test al, al
:00428FCF 75E7          jne 00428FB8
:00428FD1 C60100        mov byte ptr [ecx], 00
:00428FD4 E991010000    jmp 0042916A
.
:00428FE5 894D08        mov dword ptr [ebp+08], ecx
:00428FE8 899DF4FBFFFF  mov dword ptr [ebp+FFFFFBF4], ebx
.
.
:0042900C B0FF          mov al, FF
:0042900E 8B4D08        mov ecx, dword ptr [ebp+08]
:00429011 8B9DF4FBFFFF  mov ebx, dword ptr [ebp+FFFFFBF4]
.
:00429017 8A11          mov dl, byte ptr [ecx]
:00429019 80FA5C        cmp dl, 5C
:0042901C 7430          je 0042904E
:0042901E 84D2          test dl, dl
:00429020 742C          je 0042904E
:00429022 8813          mov byte ptr [ebx], dl
:00429024 41            inc ecx
:00429025 43            inc ebx
:00429026 FEC8          dec al
:00429028 84C0          test al, al
:0042902A 75EB          jne 00429017
:0042902C C60100        mov byte ptr [ecx], 00
:0042902F E936010000    jmp 0042916A
.
:0042904E 894D08        mov dword ptr [ebp+08], ecx
:00429051 899DF4FBFFFF  mov dword ptr [ebp+FFFFFBF4], ebx

BYTES_ORIGINAL
8B 4D 08 0F BE 11 83 FA 5C 74 36 8B 45 08 0F BE
08 85 C9 75 05 E9 A3 01 00 00 8B 95 F4 FB FF FF
8B 45 08 8A 08 88 0A 8B 95 F4 FB FF FF 83 C2 01
89 95 F4 FB FF FF 8B 45 08 83 C0 01 89 45 08 EB
BF 8B 8D F4 FB FF FF C6 01 00 8B 55 08 83 C2 01
89 55 08 8D 85 00 FE FF FF 89 85 F4 FB FF FF 8B
4D 08 0F BE 11 83 FA 5C 74 40 8B 45 08 0F BE 08
85 C9 74 36 8B 55 08 0F BE 02 85 C0 75 05 E9 3A
01 00 00 8B 8D F4 FB FF FF 8B 55 08 8A 02 88 01
8B 8D F4 FB FF FF 83 C1 01 89 8D F4 FB FF FF 8B
55 08 83 C2 01 89 55 08 EB B5

BYTES_PATCH
B0 FF 8B 4D 08 8B 9D F4 FB FF FF 8A 11 80 FA 5C
74 26 84 D2 0F 84 A3 01 00 00 88 13 41 43 FE C8
84 C0 75 E7 C6 01 00 E9 91 01 00 00 90 90 90 90
90 90 90 90 90 90 90 90 89 4D 08 89 9D F4 FB FF
FF 8B 8D F4 FB FF FF C6 01 00 8B 55 08 83 C2 01
89 55 08 8D 85 00 FE FF FF 89 85 F4 FB FF FF B0
FF 8B 4D 08 8B 9D F4 FB FF FF 8A 11 80 FA 5C 74
30 84 D2 74 2C 88 13 41 43 FE C8 84 C0 75 EB C6
01 00 E9 36 01 00 00 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 89 4D 08 89 9D F4 FB FF FF
====================================================================================
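An added C rendering of the bounded copy loop that the patch installs (this is not code from the patch or from the game; the helper names, the infostring walker and the sample inputs are constructed for illustration): each key or value is copied until a backslash, a NUL or the 255-byte counter runs out, so an oversized value ends the parse instead of overrunning the stack buffer.

```c
#include <string.h>

/* 8-bit counter of the patch ("mov al, FF"): at most 255 bytes per token. */
#define TOKEN_LIMIT 255
/* The three exits of the patched loop: separator, end of string, limit hit. */
enum copy_end { END_SEPARATOR, END_OF_STRING, END_LIMIT };

struct parse_result { int tokens; int truncated; };

/* Copy one key or value from *src into dst (TOKEN_LIMIT + 1 bytes), stopping
   at '\\', at NUL, or once TOKEN_LIMIT bytes were copied. Hypothetical helper. */
static enum copy_end copy_token(const char **src, char *dst)
{
    unsigned char remaining = TOKEN_LIMIT;   /* counts down like AL */
    const char *p = *src;
    for (;;) {
        char c = *p;
        if (c == '\\') { *dst = '\0'; *src = p; return END_SEPARATOR; }
        if (c == '\0') { *dst = '\0'; *src = p; return END_OF_STRING; }
        *dst++ = c; p++;
        if (--remaining == 0) { *dst = '\0'; *src = p; return END_LIMIT; }
    }
}

/* Walk "\key\value\key\value..." and count the tokens copied; parsing stops
   at the first oversized token instead of running past the destination. */
static struct parse_result parse_infostring(const char *info)
{
    char token[TOKEN_LIMIT + 1];
    struct parse_result r = { 0, 0 };
    if (*info == '\\') info++;
    for (;;) {
        enum copy_end e = copy_token(&info, token);
        r.tokens++;
        if (e == END_LIMIT) { r.truncated = 1; return r; }
        if (e == END_OF_STRING) return r;
        info++;   /* step over the separator */
    }
}

/* Constructed input: a key followed by a value of n 'A' bytes. */
static struct parse_result parse_long_value(size_t n)
{
    char buf[2048] = "\\key\\";
    size_t head = strlen(buf);
    if (n > sizeof(buf) - head - 1) n = sizeof(buf) - head - 1;
    memset(buf + head, 'A', n);
    buf[head + n] = '\0';
    return parse_infostring(buf);
}
```

Like the patched loop, the counter is tested after the 255th byte is stored, so a value of exactly 255 bytes is reported as truncated while one of 254 bytes is not.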