====================================================================================
#
# This file has been created for the Lame patcher program, available for both *nix
# and Windows platforms.
# You need this program to continue patching your files:
#
# http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this hlboomfix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know whether everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -o lpatch lpatch.c md5.c
# - launch ./lpatch hlboomfix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know whether everything has been patched correctly
# - test your game

TITLE
Half-Life x.1.1.1e (Windows and Linux) hlboom fix 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

INTRO
This patch refers to the following advisory and corrects both of the bugs:
.
.
http://aluigi.org/adv/hlboom-adv.txt
.
Remember to test your server with the proof-of-concept provided in the advisory
.
Note that the patch for the so-called new hlboom crash should be considered experimental and could give problems to clients which use too many split packets, since my solution drops all the split fragments numbered higher than 1/?? (which would lead to the crash of the unpatched server); anyway, in my tests everything worked perfectly.
.
This patch has been created only for the latest known patches for the dedicated server 4.1.1.1e/3.1.1.1e of both Windows (swds.dll) and Linux (engine* amd, i486 and i686), older versions will be NOT supported by me so don't ask

; Target binaries: the Windows server dll and the Linux engine shared objects.
FILE
swds.dll;engine*.so

; Notation used in the byte listings below (as used throughout this file):
;   ??   wildcard byte, matched but not rewritten (address operands that differ per build)
;   *N   skip N (hex) bytes of the file unchanged
;   |N   32-bit displacement N (hex, may be negative) that lpatch emits for the
;        e8 call hooks; in every hook below it is relative to the end of the call
;   In this file every BYTES_PATCH block has exactly the same length as its
;   BYTES_ORIGINAL block: the hooks only reuse nop padding already present in
;   the binaries, no code is relocated.

;####################################;
#                                    #
#          old HLBOOM crash          #
#                                    #
# solved checking if the size of the #
#  packet less 9 is minor than 0     #
#                                    #
;####################################;
; The engine subtracts 9 from the packet size (presumably the split-packet
; header, see the advisory) and never checks the result. Every hook below
; performs the same subtraction and, when the result is not > 0 (signed jg),
; stops the packet from being processed with a non-positive length.

; Windows
BYTES_ORIGINAL
90 90 90 90 90        ; nops for the patch (9 bytes of padding reused as the hook body)
90 90 90 90
*5a                   ; bytes to skip
8B 4D 0C              ; mov ecx, dword ptr [ebp+0C]          ; ecx = packet size
8B 04 BD ?? ?? ?? ??  ; mov eax, dword ptr [4*edi+00DF0F44]
83 E9 09              ; sub ecx, 00000009                    ; unchecked size - 9
3B C6                 ; cmp eax, esi
89 4D 0C              ; mov dword ptr [ebp+0C], ecx
0F 84 ?? 00 00 00     ; je 00D4834F
BYTES_PATCH
83 E9 09              ; sub ecx, 00000009
7F 02                 ; jg +2         ; size - 9 > 0 (signed): keep it
33 C9                 ; xor ecx, ecx  ; otherwise clamp the size to 0 instead of going negative
EB 67                 ; jmp old code  ; back to the cmp eax, esi below
*5a                   ; ...skip...
8B 4D 0C              ; mov ecx, dword ptr [ebp+0C]
8B 04 BD ?? ?? ?? ??  ; mov eax, dword ptr [4*edi+00DF0F44]
EB 91                 ; jmp patch     ; 2-byte jmp replaces the 3-byte sub above
90                    ; padding for the third byte of the replaced sub
3B C6                 ; cmp eax, esi
89 4D 0C              ; mov dword ptr [ebp+0C], ecx
0F 84 ?? 00 00 00     ; je 00D4834F

; Linux AMD
BYTES_ORIGINAL
8d 83 ?? ?? ?? ??     ; lea eax,[ebx-0x161e8]
8d 14 88              ; lea edx,[eax+ecx*4]
83 44 24 34 f7        ; add DWORD PTR [esp+52],0xfffffff7    ; size -= 9, unchecked
89 44 24 18           ; mov DWORD PTR [esp+24],eax
39 3a                 ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00     ; je a3320
*1ed                  ; ...skip...
90 90 90 90 90        ; nops for the patch (10 bytes of padding reused as the hook body)
90 90 90 90 90
BYTES_PATCH
8d 83 ?? ?? ?? ??     ; lea eax,[ebx-0x161e8]
8d 14 88              ; lea edx,[eax+ecx*4]
e8 |1f9               ; call patch    ; 5-byte call replaces the 5-byte add
89 44 24 18           ; mov DWORD PTR [esp+24],eax
39 3a                 ; cmp DWORD PTR [edx],edi              ; equal when the hook "forced give up"
0f 84 ?? 00 00 00     ; je a3320
*1ed                  ; ...skip...
83 44 24 38 f7        ; add DWORD PTR [esp+56],0xfffffff7 // +4!!!  ; same slot as [esp+52] in the caller: the call pushed a return address, hence +4
7F 02                 ; jg +2         ; size - 9 > 0 (signed): leave [edx] alone
89 3a                 ; mov DWORD PTR [edx],edi // forces give up   ; makes the caller's cmp [edx],edi equal so its je is taken
C3                    ; ret

; Linux i486
BYTES_ORIGINAL
83 45 0c f7           ; add DWORD PTR [ebp+12],0xfffffff7    ; size -= 9, unchecked
8d 83 34 22 ff ff     ; lea eax,[ebx-0xddcc]
8d 0c b5 00 00 00 00  ; lea ecx,[esi*4]
89 45 f0              ; mov DWORD PTR [ebp-16],eax
8b 55 f8              ; mov edx,DWORD PTR [ebp-8]
39 14 01              ; cmp DWORD PTR [ecx+eax],edx
0f 84 ?? 00 00 00     ; je a5ac0
*6ae                  ; ...skip...
90 90 90 90 90        ; nops for the patch (10 bytes of padding reused as the hook body)
90 90 90 90 90
BYTES_PATCH
8d 83 34 22 ff ff     ; lea eax,[ebx-0xddcc]
89 f1                 ; mov ecx,esi   ; mov+shl (5 bytes) replace the 7-byte lea ecx,[esi*4]
c1 e1 02              ; shl ecx,0x2   ; ...which frees room for the call without moving code
90
e8 |6bd               ; call patch
89 45 f0              ; mov DWORD PTR [ebp-16],eax
8b 55 f8              ; mov edx,DWORD PTR [ebp-8]
39 14 01              ; cmp DWORD PTR [ecx+eax],edx          ; equal when the hook "forced give up"
0f 84 ?? 00 00 00     ; je a5ac0
*6ae                  ; ...skip...
83 45 0c f7           ; add DWORD PTR [ebp+12],0xfffffff7    ; ebp-relative, so no +4 adjustment is needed here
7F 03                 ; jg +3         ; size - 9 > 0 (signed): leave [ecx+eax] alone
89 14 01              ; mov DWORD PTR [ecx+eax],edx // forces give up ; makes the caller's cmp equal so its je is taken
C3                    ; ret

; Linux i686
BYTES_ORIGINAL
83 44 24 34 f7        ; add DWORD PTR [esp+52],0xfffffff7    ; size -= 9, unchecked
8d 83 c8 9a fe ff     ; lea eax,[ebx-0x16538]
8d 14 88              ; lea edx,[eax+ecx*4]
89 44 24 18           ; mov DWORD PTR [esp+24],eax
39 3a                 ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00     ; je a3bb0
*39b                  ; ...skip...
90 90 90 90 90        ; nops for the patch (10 bytes of padding reused as the hook body)
90 90 90 90 90
BYTES_PATCH
8d 83 c8 9a fe ff     ; lea eax,[ebx-0x16538]
8d 14 88              ; lea edx,[eax+ecx*4]
e8 |3a7               ; call patch    ; 5-byte call replaces the 5-byte add
89 44 24 18           ; mov DWORD PTR [esp+24],eax
39 3a                 ; cmp DWORD PTR [edx],edi              ; equal when the hook "forced give up"
0f 84 ?? 00 00 00     ; je a3bb0
*39b                  ; ...skip...
83 44 24 38 f7        ; add DWORD PTR [esp+56],0xfffffff7 // +4!!!  ; same slot as [esp+52] in the caller, +4 for the pushed return address
7F 02                 ; jg +2         ; size - 9 > 0 (signed): leave [edx] alone
89 3a                 ; mov DWORD PTR [edx],edi // forces give up   ; makes the caller's cmp [edx],edi equal so its je is taken
C3                    ; ret

;####################################;
#                                    #
#          new HLBOOM crash          #
#                                    #
# solved checking if the byte at     #
# offset 8 shifted right 4 is not 0  #
# this is the only compatible way I  #
# have found to fix this bug easily  #
#                                    #
;####################################;
; Byte 8 of the packet is inspected: when its high nibble (byte >> 4) is
; non-zero the value the engine goes on to use is zeroed. According to the
; INTRO this is what drops the split fragments above 1/?? and is the
; experimental part of this patch.

; Windows
BYTES_ORIGINAL
8B 70 04              ; mov esi, dword[eax+04]
8A 40 08              ; mov al, byte[eax+08]
88 45 FC              ; mov byte[ebp-04], al
8B 45 FC              ; mov eax, dword[ebp-04]
25 FF 00 00 00        ; and eax, 000000FF
BYTES_PATCH
8B 70 04              ; mov esi, dword[eax+04]
0F B6 40 08           ; movzx eax, byte[eax+08]   ; zero-extends directly, replacing the store/load/and round trip
A8 F0                 ; test al, F0               ; high nibble set?
74 02                 ; jz +2                     ; no: keep the byte as it is
32 C0                 ; xor al, al                ; yes: zero the whole byte
88 45 FC              ; mov byte[ebp-04], al      ; keep [ebp-04] updated as the original code did
90                    ; padding: the patch is 17 bytes, like the original

; Linux AMD
BYTES_ORIGINAL
90 90 90 90 90 90     ; nops for the patch (12 bytes of padding reused as the hook body)
90 90 90 90 90 90     ; nops for the patch
*637                  ; ...skip...
8b 44 24 30           ; mov eax,DWORD PTR [esp+48]
bd 0f 00 00 00        ; mov ebp,0xf
8b 78 04              ; mov edi,DWORD PTR [eax+4]
8a 50 08              ; mov dl,BYTE PTR [eax+8]
88 d0                 ; mov al,dl
c0 e8 04              ; shr al,0x4
BYTES_PATCH
88 d0                 ; mov al,dl        ; the two replaced instructions, moved into the hook
c0 e8 04              ; shr al,0x4       ; al = high nibble of byte 8
84 c0                 ; test al,al
74 02                 ; jz +2            ; high nibble 0: return with al = 0
30 c0                 ; xor al,al        ; otherwise al = 0 as well
c3                    ; ret
; NOTE(review): both paths of this hook return al = 0 (the jz only skips
; zeroing an al that is already zero), so test/jz is redundant and the hook
; is equivalent to "al := 0"; dl still carries the untouched byte. This
; differs from the Windows variant, which zeroes the whole byte only when the
; high nibble is non-zero and keeps it otherwise. Confirm the asymmetry is
; intended before relying on identical behaviour across platforms.
*637                  ; ...skip...
8b 44 24 30           ; mov eax,DWORD PTR [esp+48]
bd 0f 00 00 00        ; mov ebp,0xf
8b 78 04              ; mov edi,DWORD PTR [eax+4]
8a 50 08              ; mov dl,BYTE PTR [eax+8]
e8 |-657              ; call patch       ; 5-byte call replaces mov al,dl + shr al,4 (5 bytes); the hook lies before this code, hence the negative displacement

; Linux i486
BYTES_ORIGINAL
90 90 90 90 90 90     ; nops for the patch (12 bytes of padding reused as the hook body)
90 90 90 90 90 90     ; nops for the patch
*f86                  ; ...skip...
8b 45 08              ; mov eax,DWORD PTR [ebp+8]
8b 4d 08              ; mov ecx,DWORD PTR [ebp+8]
8b 40 04              ; mov eax,DWORD PTR [eax+4]
89 45 f8              ; mov DWORD PTR [ebp-8],eax
8a 51 08              ; mov dl,BYTE PTR [ecx+8]
88 d0                 ; mov al,dl
c0 e8 04              ; shr al,0x4
BYTES_PATCH
88 d0                 ; mov al,dl        ; same hook body as the Linux AMD one above
c0 e8 04              ; shr al,0x4
84 c0                 ; test al,al
74 02                 ; jz +2
30 c0                 ; xor al,al        ; both paths leave al = 0, see the Linux AMD note
c3                    ; ret
*f86                  ; ...skip...
8b 45 08              ; mov eax,DWORD PTR [ebp+8]
8b 4d 08              ; mov ecx,DWORD PTR [ebp+8]
8b 40 04              ; mov eax,DWORD PTR [eax+4]
89 45 f8              ; mov DWORD PTR [ebp-8],eax
8a 51 08              ; mov dl,BYTE PTR [ecx+8]
e8 |-fa6              ; call patch       ; replaces mov al,dl + shr al,4

; Linux i686
BYTES_ORIGINAL
90 90 90 90 90 90     ; nops for the patch (12 bytes of padding reused as the hook body)
90 90 90 90 90 90     ; nops for the patch
*3c7                  ; ...skip...
8b 44 24 30           ; mov eax,DWORD PTR [esp+48]
8b 78 04              ; mov edi,DWORD PTR [eax+4]
8a 50 08              ; mov dl,BYTE PTR [eax+8]
88 d0                 ; mov al,dl
c0 e8 04              ; shr al,0x4
BYTES_PATCH
88 d0                 ; mov al,dl        ; same hook body as the Linux AMD one above
c0 e8 04              ; shr al,0x4
84 c0                 ; test al,al
74 02                 ; jz +2
30 c0                 ; xor al,al        ; both paths leave al = 0, see the Linux AMD note
c3                    ; ret
*3c7                  ; ...skip...
8b 44 24 30           ; mov eax,DWORD PTR [esp+48]
8b 78 04              ; mov edi,DWORD PTR [eax+4]
8a 50 08              ; mov dl,BYTE PTR [eax+8]
e8 |-3e2              ; call patch       ; replaces mov al,dl + shr al,4
====================================================================================