Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 16 posts ] 
 Post subject: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 01:30 

Joined: 09 Jan 2009 13:38
Posts: 7
video and patch, I cba to write a proper post, so just go there:

http://brandinimp.com/?p=62


 
 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 11:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
good job
but I have some doubts.

the first is about the huge amount of different bytes between the original haloded.exe and the patched one and about the fact that your changes are not documented (I know that the majority of people are blind and use anything without asking what they are doing, but maybe one or two admins are more interested and paranoid, as everyone should be).

131 bytes in the .text section, the rest are caused by the modification of the PE format which seems useless (at a first look, I have not spent time on this) because the haloded executable already has tons of space at the end of the .text section (so it was simply enough to change its raw/virtual size).

where are details about the phone call between gamespy and roger? :)

my name is Luigi and not Aluigi (aluigi is simply the first char of my surname followed by my name) :)


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 13:06 

Joined: 09 Jan 2009 13:38
Posts: 7
I didn't give out any documentation because I've already taken enough shit for showing the batch file in my video >.>

but okay, I'll add some technical specs for you :)


E: http://vivid-abstractions.net/brandinim ... op_dos.txt

just for you Luigi :) and sorry for calling you Aluigi, I wasn't totally sure, but hey, everyone calls me Brandin.


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 15:31 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm but returning to the executable I don't see the need to modify the resources, because these small changes create tons of different bytes in the whole executable (I'm still referring to paranoid people who want to compare the original and modified executable easily) only to show the "Patched by", "Patched Version", "Patches" and the "(by BrandiniMP)" description...

indeed the first rule in an unofficial patch is modifying as few bytes as possible, and they must be focused only on the specific part of code to modify.

then the .text section has not been resized to match the new size, indeed it terminates before the instructions you added.
in some conditions this thing can cause problems while in others not, but it's good to adjust the sizes of the sections.

then usually it's a good thing to separate the unofficial patches according to their jobs, for example now you talked about this particular bug so it would have been good if you had released the work-around only for it, leaving out other unrelated things like the CD Key Checking, Version Checking, ASCII Name Check.

well I hope these suggestions are useful, because criticism and suggestions are always rare.

at the moment I don't have suggestions for the modified code because I have not debugged the problem and so I can't judge the work-around.
many bytes could be saved through the classical optimizations like "MOV ECX,0"->"xor ecx,ecx", "MOV EAX,-1"->"or eax,-1", "CMP ESI,0"->"test esi,esi" and so on.

P.S.: and the phone call of gamespy? that's what I'm interested in eh eh eh :)


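As an added example (not code from this thread, nor from Luigi or BrandiniMP), here is the kind of check the suggestions above and the earlier remark about the 131 bytes in .text call for: compare an original and a patched executable section by section, so an admin can see how many bytes changed in .text, how many only touch resources, and whether any new code lies past the .text section's declared raw size. The PE image below is a constructed toy, not haloded.exe; on real files replace ORIG and PATCHED with the contents read from the two executables.

```python
import struct

def parse_sections(pe: bytes):
    """Return [(name, raw_ptr, raw_size)] for every section in the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i                                    # one IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections

def diff_by_section(orig: bytes, patched: bytes) -> dict:
    """Count differing bytes per section; "outside" = file offsets no section's raw data covers."""
    if len(orig) != len(patched):
        raise ValueError("file sizes differ: the patch changed the layout, compare sections by hand")
    sections = parse_sections(orig)
    counts = {name: 0 for name, _, _ in sections}
    counts["outside"] = 0
    for i, (a, b) in enumerate(zip(orig, patched)):
        if a != b:
            hit = next((n for n, p, s in sections if p <= i < p + s), "outside")
            counts[hit] += 1
    return counts

def _section(name: bytes, raw_ptr: int, raw_size: int) -> bytes:
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
    return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

def build_toy_pe() -> bytes:
    """Constructed sample image (not haloded.exe): .text at 0x200 (0x100 bytes), 0x40 bytes of slack, .rsrc at 0x340."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    headers = bytes(dos) + coff + bytes(224) + _section(b".text", 0x200, 0x100) + _section(b".rsrc", 0x340, 0x80)
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x100 + bytes(0x40) + b"R" * 0x80

ORIG = build_toy_pe()
PATCHED = bytearray(ORIG)
PATCHED[0x210:0x215] = b"\xe9\x00\x00\x00\x00"   # 5 bytes changed inside .text (a hook)
PATCHED[0x300:0x30C] = b"\xcc" * 12               # 12 bytes written past .text's declared raw size
PATCHED[0x350:0x36E] = b"Patched by X".ljust(30)  # 30 bytes of version-resource cosmetics in .rsrc
```

A non-zero "outside" count is the case described above: code placed where the section table says no section ends, which some loaders tolerate and others do not.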
 
 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 17:01 

Joined: 09 Jan 2009 13:38
Posts: 7
E: dw, I was half asleep,

additionally, I did things the way I did them because I spent 3 days finding the problem, and I decided fuck it and just patched it quick, because I was sick of looking at assembly. people should be more appreciative that I even bothered, I could have just let the guy who told me tell everyone else.


Last edited by BrandiniMP on 17 Jun 2009 17:44, edited 1 time in total.

 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 17:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
eh???


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 17:54 

Joined: 09 Jan 2009 13:38
Posts: 7
edited my last post ^^


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 18:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok no problem, as already said mine are only personal suggestions.

but can you explain that thing about Gamespy and Roger?
you hinted a bit at that phone call on the bungie forum so I was interested in the details.


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 19:52 

Joined: 09 Jan 2009 13:38
Posts: 7
well it was mainly about the fact that they're not going to make another patch because gamespy were angry at roger for making an unofficial release.


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 17 Jun 2009 20:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
that's clear but it's not clear why the idiots of gamespy attack roger for the patch of a game developed by the same bungie. that's what I'm interested in knowing.

halo uses some of the sdk components of gamespy (cdkey, handshake, update and various other stuff) but in any case they have no say in what bungie makes or not with its own code, because gamespy has only a library.

what I mean is: it's ok to add another shame prize to the (already full) showcase of the idiots of gamespy but I want at least to know the reason for this occasion :)


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 18 Jun 2009 01:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
just for fun I have made a couple of quick tests (without debugging) and the result is that the exception arrives exactly after 256 connections sending the malformed packet.

inside the "couple of quick tests" there was also a test performed using the malformed packet of the first haloloop proof-of-concept (because 1.07 fixes that vulnerability) and the interesting thing is that haloded 1.07 is vulnerable while halo 1.04 with the new function taken from 1.07 (my old haloloopfix.lpatch) is not vulnerable.

in another test a delay of two seconds was added between each connection and the exception happened too, after the 259th connection (yeah, over 9 minutes after the first connection).

for the tests the source code of haloloop3.c was simply used without the "sleep(ONESEC);" and "break;" at lines 222 and 225.

as already said I have performed no debugging (lack of interest), anyway it's possible that the cause is not in the fix made by Bungie for the so-called haloloop vulnerabilities but a simple "slot overflow" caused by the haloloop connections which are not correctly closed completely by the server (this is only a quick hypothesis so don't take it as truth).


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 19 Jun 2009 09:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oh Brandon, I reply here because on that stupid bungie.net forum it is not possible to reply with a normal browser (although I tried also with IE with the same result)... M$ losers.
---
the check in the client you refer to can be easily avoided:
Code:
* Reference To: KERNEL32.VirtualProtect, Ord:0379h
                                  |
:0054181C FF1590A26300            Call dword ptr [0063A290]
:00541822 E809FFFFFF              call 00541730
:00541827 8845E7                  mov byte ptr [ebp-19], al
so it's enough to force the "al" register to always be 1.
it should be enough to substitute the bytes of the second call with b0 01 90 90 90 (solution I adopted in my haloloop3 fix before the official patch)


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 23 Jun 2009 17:09 

Joined: 09 Jan 2009 13:38
Posts: 7
Hey, sorry for the late reply, thanks for the tip Luigi, I hadn't looked into the client much, I just replicated the way it was done in HaloCE cracked, which worked, but thanks anyway :)


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 22 Aug 2009 14:10 

Joined: 27 Jun 2008 10:22
Posts: 8
edit:

Good work on this.

[Originally there was a rant against BrandiniMP here - not anymore]


Last edited by omegga on 01 Sep 2009 21:39, edited 1 time in total.

 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 22 Aug 2009 14:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
don't worry, here nothing gets deleted. anyway maybe try to use a less critical tone, because if brandinimp said that he contacted Roger there is no reason to claim that's not true, it's simply that Roger stated something different and maybe Roger was in error.
it would be interesting if you post here the exact phrase Roger said.

while for the unofficial fix I agree with you and that's exactly what I said some posts before, the fix NEEDED to be isolated from the rest and minimized to only the necessary bytes to change, without touching the rest, for various reasons (trust, or the admin has implemented other fixes that he doesn't want to lose by substituting the entire executable, and so on).


 Post subject: Re: Halo 1.08: haloloop causes packet buffer overflow :)
PostPosted: 26 Aug 2009 22:53 

Joined: 09 Jan 2009 13:38
Posts: 7
edit:

Thank you for your polite and non offensive comment Omega :)

[Originally there was response to Omega's rant against me - not anymore]

