[Release] Agent and GS exploit fix
Discussion on [Release] Agent and GS exploit fix within the SRO PServer Guides & Releases forum part of the SRO Private Server category.
10/19/2013, 17:35
#1
elite*gold: 0
Join Date: Apr 2009
Posts: 1,272
Received Thanks: 991
[Release] Agent and GS exploit fix
Here is an exploit fix for
Gameserver
PHP Code:
fix gameserver exception handler
00521765 90 NOP
00521766 90 NOP
00521768 EB 18 JMP SHORT SR_GameS.00521782
hex_offset 0x007418fb + 4 = 0x78 [old = 0x70]
hex_offset 0x00741913 + 4 = 0x78 [old = 0x70]
hex_offset 0x007419e7 + 4 = 0x78 [old = 0x70]
Agent
PHP Code:
000C2FAE 0000 ADD BYTE PTR DS:[EAX],AL
000C2FB0 0000 ADD BYTE PTR DS:[EAX],AL
79.143.190.224
agent v188
0x1005
0x00430440 -> 0x1005 [set retn]
0x004079f0 -> exception handler
0x0042caa0
{
EAX 004C653C AgentSer.004C653C
ECX 0241AE70
EDX 00430440 AgentSer.00430440
EBX 00001005
ESP 034EFEAC
EBP 034EFEE8
ESI 0351E5F0
EDI 00000000
EIP 0042CAA0 AgentSer.0042CAA0
C 1 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 1 FS 0053 32bit 7EF8E000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000297 (NO,B,NE,BE,S,PE,L,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
}
0x00457b33 -> 0x1005
0x0045ab37 -> 0x1005
0x00484f8e -> 0x1005
{
0x6303 -> 0x00430400 - TESTING [server startup], made straightforward
0x600d -> 0x00430450 - NOT
0x2311 -> 0x00430350
0x631d -> 0x004303b0
}
common
{
set "retn" at addr 0x004488c0
}
0x631D opcode fix
{
0042BEF4 90 NOP
0042BEF5 90 NOP
0042BEF6 90 NOP
0042BEF7 90 NOP
0042BEF8 90 NOP
0042BEF9 90 NOP
0042BEFA 90 NOP
0042BEFB 90 NOP
0042BEFC 90 NOP
0042BEFD 90 NOP
0042BEFE 90 NOP
0042BEFF 90 NOP
0042BF00 90 NOP
0042BF01 90 NOP
0042BF02 90 NOP
0042BF03 90 NOP
0042BF04 90 NOP
0042BF05 90 NOP
0042BF06 90 NOP
}
0x6303 opcode fix
{
0x0042d339 -> 0x90
0x0042d33A -> 0x90
//////////////////
0x0042d36c -> 0x90
0x0042d36d -> 0x90
//////////////////
0x0042d374 -> jmp
}
//---------------------------------------------------------
0042D31C CC INT3
0042D31D CC INT3
0042D31E CC INT3
0042D31F CC INT3
0042D320 . 83EC 08 SUB ESP,8
0042D323 . 53 PUSH EBX
0042D324 . 55 PUSH EBP
0042D325 . 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
0042D329 . 83BD 48100000 > CMP DWORD PTR SS:[EBP+1048],0
0042D330 . 56 PUSH ESI
0042D331 . 57 PUSH EDI
0042D332 . 8BF9 MOV EDI,ECX
0042D334 . C64424 13 02 MOV BYTE PTR SS:[ESP+13],2
0042D339 90 NOP ----
0042D33A 90 NOP ----
0042D33B . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
0042D33F . 50 PUSH EAX ; /Arg1
0042D340 . 8BC5 MOV EAX,EBP ; |
0042D342 . E8 99A7FDFF CALL AgentSer.00407AE0 ; \AgentSer.00407AE0
0042D347 . EB 0C JMP SHORT AgentSer.0042D355 ----
0042D349 > 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0042D34D . 51 PUSH ECX ; /Arg1
0042D34E . 8BC5 MOV EAX,EBP ; |
0042D350 . E8 EBA7FDFF CALL AgentSer.00407B40 ; \AgentSer.00407B40
0042D355 > 8B17 MOV EDX,DWORD PTR DS:[EDI]
0042D357 . 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14]
0042D35B . 8B82 B4000000 MOV EAX,DWORD PTR DS:[EDX+B4]
0042D361 . 53 PUSH EBX
0042D362 . 8BCF MOV ECX,EDI
0042D364 . FFD0 CALL EAX
0042D366 . 84C0 TEST AL,AL
0042D368 . 884424 1C MOV BYTE PTR SS:[ESP+1C],AL
0042D36C 90 NOP ----
0042D36D 90 NOP ----
0042D36E . 0FB6C3 MOVZX EAX,BL
0042D371 . 83E8 01 SUB EAX,1 ; Switch (cases 1..2)
0042D374 EB 09 JMP SHORT AgentSer.0042D37F
0042D376 . 83E8 01 SUB EAX,1
0042D379 . 75 13 JNZ SHORT AgentSer.0042D38E
0042D37B . 6A 04 PUSH 4 ; Case 2 of switch 0042D371
0042D37D . EB 02 JMP SHORT AgentSer.0042D381
0042D37F > 6A 05 PUSH 5 ; Case 1 of switch 0042D371
0042D381 > 8B0D 249B4E00 MOV ECX,DWORD PTR DS:[4E9B24] ; AgentSer.0052ABE0
0042D387 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0042D389 . 8B42 4C MOV EAX,DWORD PTR DS:[EDX+4C]
0042D38C . FFD0 CALL EAX
0042D38E > C64424 13 01 MOV BYTE PTR SS:[ESP+13],1 ; Default case of switch 0042D371
0042D393 > A1 609A4E00 MOV EAX,DWORD PTR DS:[4E9A60]
0042D398 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0042D39A . 8B51 48 MOV EDX,DWORD PTR DS:[ECX+48]
//----------------------------------
0x1005 fix
0x004c2fac -> cmp byte ptr ds:[0x4c2ff8], 1
0x004c2ff8 -> 0x00 (default)
00430442 E9 652B0900 JMP AgentSer.004C2FAC
returning to (after the codecave finished, if byte at 0x004c2ff8 = 0, setting it to 1 before that):
00430442 . FFA0 88000000 JMP DWORD PTR DS:[EAX+88]
//----------------------------------------------------
004C2FAC 803D F82F4C00 00 CMP BYTE PTR DS:[4C2FF8],0 ; comparing current value with 0
004C2FB3 74 15 JE SHORT AgentSer.004C2FCA ; should initialize
004C2FB5 90 NOP
004C2FB6 90 NOP
004C2FB7 90 NOP
004C2FB8 90 NOP
004C2FB9 EB 1D JMP SHORT AgentSer.004C2FD8 ; already initialized
004C2FBB 90 NOP
004C2FBC 90 NOP
004C2FBD 90 NOP
004C2FBE 0000 ADD BYTE PTR DS:[EAX],AL
004C2FC0 0000 ADD BYTE PTR DS:[EAX],AL
004C2FC2 0000 ADD BYTE PTR DS:[EAX],AL
004C2FC4 0000 ADD BYTE PTR DS:[EAX],AL
004C2FC6 0000 ADD BYTE PTR DS:[EAX],AL
004C2FC8 0000 ADD BYTE PTR DS:[EAX],AL
004C2FCA C605 F82F4C00 01 MOV BYTE PTR DS:[4C2FF8],1 ; Initialize
004C2FD1 FFA0 88000000 JMP DWORD PTR DS:[EAX+88]
004C2FD7 90 NOP
004C2FD8 C2 1000 RETN 10 ; no initialization
004C2FDB 90 NOP
004C2FDC 0000 ADD BYTE PTR DS:[EAX],AL
004C2FDE 0000 ADD BYTE PTR DS:[EAX],AL
004C2FE0 0000 ADD BYTE PTR DS:[EAX],AL
004C2FE2 0000 ADD BYTE PTR DS:[EAX],AL
004C2FE4 0000 ADD BYTE PTR DS:[EAX],AL
004C2FE6 0000 ADD BYTE PTR DS:[EAX],AL
004C2FE8 0000 ADD BYTE PTR DS:[EAX],AL
004C2FEA 0000 ADD BYTE PTR DS:[EAX],AL
004C2FEC 0000 ADD BYTE PTR DS:[EAX],AL
004C2FEE 0000 ADD BYTE PTR DS:[EAX],AL
004C2FF0 0000 ADD BYTE PTR DS:[EAX],AL
004C2FF2 0000 ADD BYTE PTR DS:[EAX],AL
004C2FF4 0000 ADD BYTE PTR DS:[EAX],AL
004C2FF6 0000 ADD BYTE PTR DS:[EAX],AL
004C2FF8 0000 ADD BYTE PTR DS:[EAX],AL ; DATA SEGMENT FOR CODECAVE
004C2FFA 0000 ADD BYTE PTR DS:[EAX],AL
004C2FFC 0000 ADD BYTE PTR DS:[EAX],AL
004C2FFE 0000 ADD BYTE PTR DS:[EAX],AL
80 3D F8 2F 4C 00 00 74 15 90 90 90 90 EB 1D 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 C6 05
F8 2F 4C 00 01 FF A0 88 00 00 00 90 C2 10 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
004C2FAC
original entry point [agentserver + hyperfilter dll (hyperfilter_as.dll)]
0048D8E5
new ep: 0x004c2f70
Use OllyDbg and patch it to fix the agent exploit!
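The fix above is a list of byte writes, each given either as `hex_offset BASE + N = NEW [old = OLD]` or as an OllyDbg listing plus a raw hex dump of the code cave. The step that matters when applying such a list to a server binary is checking the expected original byte at every site before writing anything: a different build, or a file somebody already patched, must abort the whole run rather than get half the writes. The script below is an added example, not code from the thread or from the original poster. It parses the `hex_offset` line format from the post, applies the three gameserver patches and the code cave dump to a constructed zero-filled buffer, and treats all addresses as plain offsets into that buffer; the OllyDbg addresses in the post are virtual addresses that would first have to be mapped to file offsets through the PE section table, which this example does not do. The `Patch`, `classify` and `apply_patches` names are the example's own.

```python
"""Byte-patch applier with old-byte verification (added example, not the thread's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the post's line format: hex_offset 0x007418fb + 4 = 0x78 [ old = 0x70 ]
HEX_OFFSET_LINE = re.compile(
    r"hex_offset\s+0x([0-9a-f]+)\s*\+\s*(\d+)\s*=\s*0x([0-9a-f]+)"
    r"\s*\[\s*old\s*=\s*0x([0-9a-f]+)\s*\]",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Patch:
    offset: int                   # offset of the first byte to write
    new: bytes                    # bytes to write
    old: Optional[bytes] = None   # expected original bytes; None = unknown


def parse_hex_offset_line(line: str) -> Optional[Patch]:
    """Parse one 'hex_offset BASE + N = NEW [ old = OLD ]' line; None if it is another format."""
    m = HEX_OFFSET_LINE.search(line)
    if not m:
        return None
    base, delta, new, old = m.groups()
    return Patch(int(base, 16) + int(delta), bytes([int(new, 16)]), bytes([int(old, 16)]))


def classify(image: bytes, p: Patch) -> str:
    """State of one patch site: ok / applied / unverified / mismatch / out_of_range."""
    end = p.offset + len(p.new)
    if end > len(image):
        return "out_of_range"
    current = bytes(image[p.offset:end])
    if current == p.new:
        return "applied"          # already carries the fix; leave it alone
    if p.old is None:
        return "unverified"       # no way to confirm this is the right build
    return "ok" if current == p.old else "mismatch"


def apply_patches(image: bytearray, patches: List[Patch], allow_unverified: bool = False) -> Dict:
    """Check every site first; write only when nothing blocks. Returns a report dict."""
    status = {p.offset: classify(image, p) for p in patches}
    blocking = {"mismatch", "out_of_range"} | (set() if allow_unverified else {"unverified"})
    if any(s in blocking for s in status.values()):
        return {"aborted": True, "written": [], "status": status}
    written = []
    for p in patches:
        if status[p.offset] == "applied":
            continue
        image[p.offset:p.offset + len(p.new)] = p.new
        written.append(p.offset)
    return {"aborted": False, "written": written, "status": status}


# The three gameserver lines quoted from the post (constructed sample input).
POST_LINES = [
    "hex_offset 0x007418fb + 4 = 0x78 [ old = 0x70 ]",
    "hex_offset 0x00741913 + 4 = 0x78 [ old = 0x70 ]",
    "hex_offset 0x007419e7 + 4 = 0x78 [ old = 0x70 ]",
]
# The agent code cave hex dump from the post (84 bytes at 004C2FAC); no old bytes were given.
CAVE_DUMP = (
    "80 3D F8 2F 4C 00 00 74 15 90 90 90 90 EB 1D 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 C6 05 "
    "F8 2F 4C 00 01 FF A0 88 00 00 00 90 C2 10 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
CAVE = Patch(0x004C2FAC, bytes.fromhex(CAVE_DUMP))


def parse_post(lines: List[str]) -> List[Patch]:
    return [p for p in map(parse_hex_offset_line, lines) if p is not None]


def sample_image() -> bytearray:
    """Constructed zero-filled stand-in that carries the stated old byte (0x70) at each site."""
    img = bytearray(0x742000)
    for p in parse_post(POST_LINES):
        img[p.offset:p.offset + 1] = p.old
    return img


def demo():
    patches = parse_post(POST_LINES)
    img = sample_image()
    first = apply_patches(img, patches)                    # writes all three
    second = apply_patches(img, patches)                   # idempotent: all 'applied'
    other = apply_patches(bytearray(0x742000), patches)    # wrong build: aborted, nothing written
    cave_refused = apply_patches(img, [CAVE])              # no old bytes: refused by default
    cave_forced = apply_patches(img, [CAVE], allow_unverified=True)
    return first, second, other, cave_refused, cave_forced


if __name__ == "__main__":
    for report in demo():
        print(report["aborted"], [hex(o) for o in report["written"]])
```

Running the file prints one line per scenario. The refusal of the code cave without old bytes is deliberate: the post supplies the original bytes only for the `hex_offset` lines, so a real run against a server executable should first dump the current bytes at each OllyDbg address and record them as the `old` field before writing.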
10/23/2013, 13:41
#2
Chat Killer In Duty
elite*gold: 255
Join Date: May 2008
Posts: 16,414
Received Thanks: 6,516
#Approved
10/25/2013, 17:28
#3
elite*gold: 0
Join Date: Nov 2011
Posts: 18
Received Thanks: 1
Anybody could share fixed exes?
I'm not good at olly
thx
10/25/2013, 17:33
#4
elite*gold: 0
Join Date: Jan 2010
Posts: 213
Received Thanks: 113
Quote:
Originally Posted by
^TWEETY^
Anybody could share fixed exes?
I'm not good at olly
thx
Here is agent; when I have time I will fix for gs.
10/25/2013, 19:00
#5
elite*gold: 273
Join Date: Aug 2012
Posts: 4,451
Received Thanks: 2,430
So basically it protects from the shared opcodes only? hihi.
10/26/2013, 23:28
#6
elite*gold: 0
Join Date: Jan 2010
Posts: 213
Received Thanks: 113
Quote:
Originally Posted by
Phoenix 1337
So basically it protects from the shared opcodes only? hihi.
If you block opcodes from the .exe then it will fix the crash exploit
10/27/2013, 10:35
#7
elite*gold: 0
Join Date: Mar 2009
Posts: 2,748
Received Thanks: 2,010
Quote:
Originally Posted by
tombalaci46
If you block opcodes from the .exe then it will fix the crash exploit
You can't simply go around the executable and block everything you don't like
10/27/2013, 11:15
#8
elite*gold: 273
Join Date: Aug 2012
Posts: 4,451
Received Thanks: 2,430
Like it's the LATEST opcodes.
10/28/2013, 01:26
#9
elite*gold: 460
Join Date: Jul 2012
Posts: 394
Received Thanks: 273
nice to help people
but bad to **** sro community
10/28/2013, 08:52
#10
elite*gold: 0
Join Date: Sep 2012
Posts: 41
Received Thanks: 15
Thanks
11/05/2013, 19:59
#11
elite*gold: 0
Join Date: Nov 2013
Posts: 62
Received Thanks: 5
niceeeeeeeeeeeeeeeeeeee
07/10/2014, 12:46
#12
elite*gold: 0
Join Date: Aug 2010
Posts: 32
Received Thanks: 1
I want a patch for the Agentserver.exe Blackrogue file.
Help me
07/15/2014, 07:03
#13
elite*gold: 0
Join Date: Jan 2014
Posts: 133
Received Thanks: 88
Good job bro, keep it up
08/25/2014, 03:36
#14
elite*gold: 85
Join Date: Feb 2014
Posts: 1,056
Received Thanks: 1,644
Agent
PHP Code:
000C2FAE 0000 ADD BYTE PTR DS:[EAX],AL
000C2FB0 0000 ADD BYTE PTR DS:[EAX],AL
79.143.190.224
agent v188
0x1005
0x00430440 -> 0x1005 [set retn]
I was just searching for a few things and stumbled upon this thread. Then I saw the IP in there and immediately recognized all of it.
That IP is my old test server's IP at Contabo. Chernobyl made that file when he was exploit fixing.
I'm wondering how you didn't even write credits or ****. It's not like you even understand what it means...
Seriously, people these days...
Sorry to revive this old thread, but I just had to say it.