====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this haloboomfix.lpatch file
# - read the message windows and click yes
# - select the file halo.exe or haloded.exe to patch
# - read the message windows to know if everything has been patched correctly
# - test your game

TITLE
Halo 1.04 haloboom fix 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
This unofficial patch refers to the bug described here:
.
.
  http://aluigi.org/adv/haloboom-adv.txt
.
As written in the advisory, the game is affected by an off-by-one bug: the
encryption hash received is converted into a hex string and a NULL byte is
appended at its end, overwriting one of the bytes of the canary that the
Windows exception handler code inserts after this 32-byte buffer.
After many tests I have found that the best and simplest solution for
patching this bug is just to avoid the canary check, and this is what my
fix does.
.
Although patch 1.07 fixes this and other bugs, it seems that many people
still use the bugged 1.04 version, which is why I have created this fix.
Do NOT apply this patch to versions newer than 1.04!
.
If you are unsure whether your server is vulnerable, please use the
proof-of-concept provided there.
.
This patch has been created only for the 1.04 version of the game and the
dedicated server; older versions will NOT be supported by me, so don't ask.

FILE
halo*.exe

BYTES_ORIGINAL
E8 ?? ?? ?? ??      ; call 0061DA40
83 C4 1C            ; add esp, 0000001C
8B 4C 24 2C         ; mov ecx, dword ptr [esp+2C]
F7 D8               ; neg eax
5F                  ; pop edi
1B C0               ; sbb eax, eax
5E                  ; pop esi
F7 D8               ; neg eax
5B                  ; pop ebx
E8 ?? ?? ?? ??      ; call 00629469
83 C4 24            ; add esp, 00000024
C3                  ; ret

BYTES_PATCH
?? ?? ?? ?? ??
?? ?? ??
?? ?? ?? ??
?? ??
??
?? ??
??
?? ??
??
90 90 90 90 90      ; skip canary checking of the third ret
?? ?? ??
??
====================================================================================
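The off-by-one the INTRO describes, as an added C illustration that is not part of this patch file or of the game's code: a naive hex encoder whose NUL terminator lands on the byte right after a 32-byte buffer (the canary position), beside a bounds-checked encoder that refuses the undersized buffer instead. The 16-byte hash length, the sample hash bytes and the canary value are assumptions, not values taken from the advisory.

```c
#include <stddef.h>
/* Constructed model of the layout the INTRO describes: a 32-byte hex buffer
 * followed by a canary byte. Assumption: the hash is 16 bytes (32 hex digits). */
#define HEX_BUF_LEN 32
#define HASH_LEN    16
#define CANARY      0xAA
/* Constructed sample hash: 00 11 22 ... ff */
static const unsigned char HASH[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static void put_digits(char *dst, const unsigned char *src, size_t len) {
    static const char d[] = "0123456789abcdef";
    for (size_t i = 0; i < len; i++) {
        dst[2 * i]     = d[src[i] >> 4];
        dst[2 * i + 1] = d[src[i] & 0x0f];
    }
}

/* Naive encoder as in the bug (hypothetical reconstruction, not the game's
 * code): 2*len digits plus a NUL is 33 bytes written into a 32-byte buffer. */
static void hex_encode_naive(char *dst, const unsigned char *src, size_t len) {
    put_digits(dst, src, len);
    dst[2 * len] = '\0';   /* off-by-one: index 32 is the byte after the buffer */
}

/* Bounds-checked encoder: returns -1 unless dst has room for the NUL as well. */
static int hex_encode_safe(char *dst, size_t dst_size,
                           const unsigned char *src, size_t len) {
    if (dst_size == 0 || (dst_size - 1) / 2 < len)
        return -1;
    put_digits(dst, src, len);
    dst[2 * len] = '\0';
    return 0;
}

/* area[0..31] models the buffer, area[32] the canary byte that follows it.
 * Returns 1 if the naive encoder overwrote the canary, 0 if it survived. */
int naive_clobbers_canary(void) {
    char area[HEX_BUF_LEN + 1];
    area[HEX_BUF_LEN] = (char)CANARY;
    hex_encode_naive(area, HASH, HASH_LEN);   /* writes area[32] = '\0' */
    return area[HEX_BUF_LEN] != (char)CANARY;
}
/* Checked encoder's result for a dst_size-byte destination (at most 33):
 * -1 for 32 (refused instead of overflowing), 0 once 33 bytes are provided. */
int safe_result_for_buffer_size(size_t dst_size) {
    char buf[HEX_BUF_LEN + 1];
    if (dst_size > sizeof buf) return -2;   /* keep the model itself in bounds */
    return hex_encode_safe(buf, dst_size, HASH, HASH_LEN);
}
```

The lpatch above sidesteps the canary check in the binary; the checked encoder shows the fix a source-level patch would make instead, sizing the destination for the terminator.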