====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
#   http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch igi2fsfix_linux.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game

TITLE
    IGI 2: Covert Strike dedicated server 1.2 format string fix 0.1 (Linux)
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web:    aluigi.org

INTRO
    This unofficial patch is referred to the bug described here:
    .
    . http://aluigi.org/adv/igi2fs-adv.txt
    . http://aluigi.org/adv/igi2bugs-adv.txt (bug 1)
    .
    If you are unsure if your server is vulnerable please use the proof-of-concept
    provided there.
    .
    This patch fully fixes the problem adding a %s before the logging string passed
    to the File_printf function of IGI2.
    Note that this patch works only with version 1.2 of the dedicated server for
    Linux, older versions will be NOT supported by me so don't ask.

FILE
    igi2

RVA
    08048000

BYTES_ORIGINAL
    55                      ; push   ebp
    89 e5                   ; mov    ebp,esp
    81 ec 58 02 00 00       ; sub    esp,0x258
    83 ec 0c                ; sub    esp,0xc
    8d 85 b4 fe ff ff       ; lea    eax,[ebp-0x14c]
    50                      ; push   eax
    e8 4e e1 19 00          ; call   83212b0 <time>
    83 c4 10                ; add    esp,0x10
    83 ec 0c                ; sub    esp,0xc
    8d 85 b4 fe ff ff       ; lea    eax,[ebp-0x14c]
    50                      ; push   eax
    e8 f4 e0 19 00          ; call   8321268 <gmtime>
    83 c4 10                ; add    esp,0x10
    89 85 b0 fe ff ff       ; mov    DWORD PTR [ebp-0x150],eax
    83 ec 04                ; sub    esp,0x4
    ff 75 08                ; push   DWORD PTR [ebp+8]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 30                   ; push   DWORD PTR [eax]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 70 04                ; push   DWORD PTR [eax+4]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 70 08                ; push   DWORD PTR [eax+8]
    68 11 4f 36 08          ; push   0x8364f11
    68 31 01 00 00          ; push   0x131
    8d 85 b8 fe ff ff       ; lea    eax,[ebp-0x148]
    50                      ; push   eax
    e8 15 0b 19 00          ; call   8313cc8 <__snprintf>
    83 c4 20                ; add    esp,0x20
    83 ec 08                ; sub    esp,0x8
    8d 85 b8 fe ff ff       ; lea    eax,[ebp-0x148]
    50                      ; push   eax
    ff 35 e4 c6 39 08       ; push   DWORD PTR ds:0x839c6e4
    e8 d9 ca ec ff          ; call   804fca4 <File_printf>
    83 c4 10                ; add    esp,0x10

BYTES_PATCH
    55                      ; push   ebp
    89 e5                   ; mov    ebp,esp
    81 ec 64 02 00 00       ; sub    esp,0x264*
    8d 85 b4 fe ff ff       ; lea    eax,[ebp-0x14c]
    50                      ; push   eax
    e8 ^83212b0             ; call   83212b0 <time>
    83 c4 04                ; add    esp,0x4*
    8d 85 b4 fe ff ff       ; lea    eax,[ebp-0x14c]
    50                      ; push   eax
    e8 ^8321268             ; call   8321268 <gmtime>
    83 c4 0c                ; add    esp,0xc*
    89 85 b0 fe ff ff       ; mov    DWORD PTR [ebp-0x150],eax
    ff 75 08                ; push   DWORD PTR [ebp+8]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 30                   ; push   DWORD PTR [eax]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 70 04                ; push   DWORD PTR [eax+4]
    8b 85 b0 fe ff ff       ; mov    eax,DWORD PTR [ebp-0x150]
    ff 70 08                ; push   DWORD PTR [eax+8]
    68 11 4f 36 08          ; push   0x8364f11
    68 31 01 00 00          ; push   0x131
    8d 85 b8 fe ff ff       ; lea    eax,[ebp-0x148]
    50                      ; push   eax
    e8 ^8313cc8             ; call   8313cc8 <__snprintf>
    83 c4 18                ; add    esp,0x18*
    8d 85 b8 fe ff ff       ; lea    eax,[ebp-0x148]
    50                      ; push   eax

    68 |8356c00             ; push   8356c00 (%s)
    90 90 90 90 90 90 90    ; cool we have freed 3 * 4 bytes = 12!

    ff 35 e4 c6 39 08       ; push   DWORD PTR ds:0x839c6e4
    e8 ^804fca4             ; call   804fca4 <File_printf>
    83 c4 14                ; add    esp,0x14 (+4 since we have added one element)

====================================================================================