Vivid Community Forum
by Patrickssj6 on Apr.11, 2009, under Uncategorized
If you haven’t visited it yet, check it out here:
With the latest News, Trainers and Information Sources!
Halo Loop - BrandiniMP
by Patrickssj6 on Jun.17, 2009, under Uncategorized
#######################################################################
BrandiniMP
Application: Halo: Combat Evolved
http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.08
Platforms: Windows
Bug: buffer overflow
Exploitation: remote, versus server
Date: 15 June 2009
Author: Brandon McLeod-Miller
web: http://brandinimp.com
#######################################################################
1) Introduction
2) Bug
3) Assembly (Halo PC 1.00.080.0616 Dedicated Server)
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
4b) Fix
#######################################################################
===============
1) Introduction
===============
Halo is the great FPS game developed by Bungie Studios and ported to PC
by Gearbox Software (http://www.gearboxsoftware.com).
Although it was released at the end of 2003, it is still one of the
most played games, with hundreds of internet servers.
#######################################################################
======
2) Bug
======
This vulnerability is related to the previously found Haloloop exploits.
When a server is attacked with multiple, looping haloloop attacks, the
server's packet buffer begins to be written outside its allocated area
of memory, causing a classic buffer overflow; additionally, various parts
of the code begin to read memory regions that are out of bounds.
This vulnerability can be found by attacking a server with the haloloop,
haloloop2 or haloloop3 proof of concepts.
#######################################################################
======
3) Assembly (Halo PC 1.00.080.0616 Dedicated Server)
======
004FC9D9 |. 0FBF6E 22 MOVSX EBP,WORD PTR DS:[ESI+22]
004FC9DD |. 8B5E 34 MOV EBX,DWORD PTR DS:[ESI+34]
ESI becomes 0, making ESI+0x22 an invalid memory address.
-----------------------------------------------------------------------
0042BDB0 /$ A1 144B7600 MOV EAX,DWORD PTR DS:[764B14]
0042BDB5 |. 8A48 01 MOV CL,BYTE PTR DS:[EAX+1]
the DWORD value at 0x764B14 becomes 0x0100007F and the code at 0x42BDB5
tries to read a byte found at 0x0100007F+0x1 which is also an out
of bounds memory region.
-----------------------------------------------------------------------
0045AA98 |. 6BC9 44 IMUL ECX,ECX,44
0045AA9B |. 8999 8C067600 MOV DWORD PTR DS:[ECX+76068C],EBX
0045AAA1 |. 66:89B9 90067600 MOV WORD PTR DS:[ECX+760690],DI
The value of ECX appears to be a counter for the packet buffer,
incremented by 0x44 each use, and this is the code that causes the actual
overflow. ECX keeps growing while the loop attack is in progress, so the
code at 0x45AA9B starts accessing memory outside the packet buffer.
-----------------------------------------------------------------------
0045AA74 |> /395E FC /CMP DWORD PTR DS:[ESI-4],EBX <
0045AA77 |. |75 05 |JNZ SHORT haloded.0045AA7E |
0045AA79 |. |66:393E |CMP WORD PTR DS:[ESI],DI |
0045AA7C |. |74 0A |JE SHORT haloded.0045AA88 |
0045AA7E |> |40 |INC EAX |
0045AA7F |. |83C6 44 |ADD ESI,44 |
0045AA82 |. |3BC1 |CMP EAX,ECX |
0045AA84 |.^\7C EE \JL SHORT haloded.0045AA74 -^
A similar overflow occurs here on the first line when ESI is used: the
code still advances by 0x44 and attempts to read through the pointer.
This overflow occurs after the previous one, even though this code is
executed before the previous code.
#######################################################################
======
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
======
This fix consists of code caves and checks of the registers.
-----------------------------------------------------------------------
004FC9D9 . /E9 BB640C00 JMP haloded_.005C2E99
004FC9DE |90 NOP
004FC9DF |90 NOP
------
005C2E99 > \83FE 00 CMP ESI,0
005C2E9C . 75 05 JNZ SHORT haloded_.005C2EA3
005C2E9E . BE C8441900 MOV ESI,1944C8
005C2EA3 > 0FBF6E 22 MOVSX EBP,WORD PTR DS:[ESI+22]
005C2EA7 . 8B5E 34 MOV EBX,DWORD PTR DS:[ESI+34]
005C2EAA .^ E9 319BF3FF JMP haloded_.004FC9E0
Check whether ESI is 0; if it is, substitute a value that worked
previously in the code.
-----------------------------------------------------------------------
0042BDB0 $ /E9 FB701900 JMP haloded_.005C2EB0
------
005C2EB0 > \813D 144B7600 7F000001 CMP DWORD PTR DS:[764B14],100007F
005C2EBA . 75 0A JNZ SHORT haloded_.005C2EC6
005C2EBC . C705 144B7600 40773040 MOV DWORD PTR DS:[764B14],40307740
005C2EC6 > A1 144B7600 MOV EAX,DWORD PTR DS:[764B14]
005C2ECB .^ E9 E58EE6FF JMP haloded_.0042BDB5
Check the value at 0x764B14 for 0x100007F; if the value is 0x100007F,
replace it with a valid value that has worked previously.
-----------------------------------------------------------------------
0045AA9B . /E9 31841600 JMP haloded_.005C2ED1
0045AAA0 |90 NOP
------
005C2ED1 > \81F9 00540000 CMP ECX,5400
005C2ED7 . 72 0A JB SHORT haloded_.005C2EE3
005C2ED9 . B8 FFFFFFFF MOV EAX,-1
005C2EDE . B9 00000000 MOV ECX,0
005C2EE3 > 8999 8C067600 MOV DWORD PTR DS:[ECX+76068C],EBX
005C2EE9 .^ E9 B37BE9FF JMP haloded_.0045AAA1
Check ECX for an out-of-range value; if it is out of range, set it to 0,
which starts rewriting the packet buffer from the beginning. The
after-effect of this is slight lag, but it takes a few seconds to
actually fill the packet buffer, and the return value is set to -1, which
the loop that calls this function checks for in order to exit.
-----------------------------------------------------------------------
0045AA74 > /E9 76841600 JMP haloded_.005C2EEF
------
005C2EEF > \81FE 00540000 CMP ESI,5400
005C2EF5 . 72 02 JB SHORT haloded_.005C2EF9
005C2EF7 . 5E POP ESI ; kernel32.7C817077
005C2EF8 . C3 RETN
005C2EF9 > 395E FC CMP DWORD PTR DS:[ESI-4],EBX
005C2EFC .^ 0F85 7C7BE9FF JNZ haloded_.0045AA7E
005C2F02 .^ E9 727BE9FF JMP haloded_.0045AA79
Check the value of ESI and if it is out of range, exit the function.
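To make the two packet-table checks from sections 3 and 4a concrete, here is a constructed C model (not haloded code) of the slot table: 0x44-byte slots, a dword key at +0 and a word tag at +4, the unchecked offset arithmetic from 0045AA98, and the 0x5400 limit the caves at 005C2ED1 and 005C2EEF compare against. The local array standing in for the table at 0x76068C, and returning the slot index on a successful store, are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not haloded code) of the packet table from sections 3
 * and 4a: 0x44-byte slots, dword key at +0, word tag at +4, and the 0x5400
 * limit the patch checks. The real table sits at 0x76068C; this is local. */
#define SLOT_SIZE   0x44
#define TABLE_BYTES 0x5400

static uint8_t packet_table[TABLE_BYTES];

/* Unpatched arithmetic from 0045AA98: byte offset = counter * 0x44, unchecked. */
static uint32_t slot_offset(uint32_t counter) { return counter * SLOT_SIZE; }

/* Patched store (0045AA9B -> cave 005C2ED1). Out of range: reset to slot 0 and
 * return -1 so the calling loop exits. In range: perform the two original MOVs.
 * Returning the slot index on success is an assumption of this model. */
static int32_t store_slot_patched(uint32_t counter, uint32_t key, uint16_t tag)
{
    uint32_t off = slot_offset(counter);
    int32_t result = (int32_t)counter;
    if (off >= TABLE_BYTES) {   /* CMP ECX,5400 / JB not taken */
        result = -1;            /* MOV EAX,-1 */
        off = 0;                /* MOV ECX,0 */
    }
    /* Offsets are multiples of 0x44, so the 6 bytes at off always fit below 0x5400. */
    memcpy(packet_table + off, &key, sizeof key);      /* MOV [ECX+76068C],EBX */
    memcpy(packet_table + off + 4, &tag, sizeof tag);  /* MOV [ECX+760690],DI  */
    return result;
}

/* Patched lookup (0045AA74 -> cave 005C2EEF): walk the slots comparing key and
 * tag; leave with -1 when the cursor passes the limit instead of reading on.
 * The cave compares the pointer itself; this model compares the offset. */
static int32_t find_slot_patched(uint32_t count, uint32_t key, uint16_t tag)
{
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off = slot_offset(i);
        uint32_t k;
        uint16_t t;
        if (off >= TABLE_BYTES)   /* CMP ESI,5400 / JB: out of range -> RETN */
            return -1;
        memcpy(&k, packet_table + off, sizeof k);      /* CMP [ESI-4],EBX */
        memcpy(&t, packet_table + off + 4, sizeof t);  /* CMP WORD [ESI],DI */
        if (k == key && t == tag)
            return (int32_t)i;    /* JE 0045AA88 */
    }
    return -1;                    /* scanned every slot without a match */
}
```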
#######################################################################
======
4b) Fix
======
Patch downloads can be found at: http://brandinimp.com/?p=62
Halo PC 1.00.08.0609 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloded_108.zip
Halo CE 1.00.08.0609 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloceded_108.zip
Halo PC 1.00.04.0607 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloded_104.zip
Halo CE 1.00.00.0619 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloceded_100.zip
#######################################################################
End of File
#######################################################################
Project: Asgard
by BrandiniMP on May.14, 2009, under Uncategorized
Hey all, recently I have found some time to work on Asgard, my Halo Server app.
I'm going to create a page for it; until then, enjoy a spreadsheet of the progress.
Anti-Bot Question
by Patrickssj6 on Apr.13, 2009, under Website
To avoid bots I added an Anti-Bot question to the forums:
“The star closest to earth” and for the people that still don’t know the answer “..it shines bright during the day”
If you still can’t answer that question you should go more outside and enjoy it and seriously think about your life.
If you have a better suggestion…please go ahead.
Small Overhaul
by Patrickssj6 on Apr.12, 2009, under Uncategorized
Nothing fancy but as you can see we have a new skin (the old one was pretty ugly). I also updated the forums because those annoying robots/crawlers were spamming everything up.
Hope you like it C&C welcome.
Windows 7 Beta Goes Public Today!
by Patrickssj6 on Jan.09, 2009, under Uncategorized
Shortly, the 32-bit and 64-bit versions of the Windows 7 Beta will be available for download. The 64-bit version has 2.5 million reserved copies, so be sure to be the first!
Happy Christmas!
by Patrickssj6 on Dec.24, 2008, under Uncategorized
From the whole VA-Team. Looking forward to a next year of new experiences and hopefully more releases.
Drifting towards perfection.
Call Of Duty 4 - Hacking 4 Fun
by Patrickssj6 on Nov.26, 2008, under Programming, Releases, Reverse Engineering
Little DLL I wrote. You need a DLL injector like Winject or Injec-TOR to inject the DLL into the running CoD4 process. I can’t guarantee you that it works.
Key Shortcuts:
“P” - Toggle Unlimited Ammo
“L” - Toggle No Recoil
“O” - Toggle God Mode
“K” - Toggle Automatic Right-Clicking (for C4 explosives)
Windows Internet Explorer 8 Beta 2
by Patrickssj6 on Nov.21, 2008, under News
Internet Explorer? Who really cares since there is Firefox or Opera out there…
I gave the Beta a shot and it really impressed me and you should try it as well.
How To Uninstall Internet Explorer Beta 1
- Start->type “appwiz.cpl” (without quotes)
- In the Taskpanel select “View Installed Updates”
- Scroll down to “Windows Internet Explorer 8” and hit uninstall
- Restart your computer
Some Progress
by Patrickssj6 on Nov.12, 2008, under News, Programming, Reverse Engineering
The Dlls are coming along nicely. The code is clean, efficient and fast.
Just a little screenie for the day:
