[Release] Agent and GS exploit fix

[radde94]

Here is a exploit fix for

Gameserver

PHP Code:

fix gameserver exception handler

00521765     90             NOP
00521766     90             NOP

00521768     EB 18          JMP SHORT SR_GameS.00521782



hex_offset 0x007418fb + 4 = 0x78 [old = 0x70]
hex_offset 0x00741913 + 4 = 0x78 [old = 0x70]
hex_offset 0x007419e7 + 4 = 0x78 [old = 0x70] 


Agent

PHP Code:



000C2FAE   0000             ADD BYTE PTR DS:[EAX],AL
000C2FB0   0000             ADD BYTE PTR DS:[EAX],AL




79.143.190.224
agent v188



0x1005

0x00430440 -> 0x1005 [set retn]


0x004079f0 -> exception handler

0x0042caa0
{
EAX 004C653C AgentSer.004C653C
ECX 0241AE70
EDX 00430440 AgentSer.00430440
EBX 00001005
ESP 034EFEAC
EBP 034EFEE8
ESI 0351E5F0
EDI 00000000
EIP 0042CAA0 AgentSer.0042CAA0
C 1  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 1  FS 0053 32bit 7EF8E000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000297 (NO,B,NE,BE,S,PE,L,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


}



0x00457b33 -> 0x1005
0x0045ab37 -> 0x1005
0x00484f8e -> 0x1005







{
0x6303 -> 0x00430400 - TESTING [server startup], made straight-forward
0x600d -> 0x00430450 - NOT
0x2311 -> 0x00430350
0x631d -> 0x004303b0
}

common
{
set "retn" at addr 0x004488c0
}

0x631D opcode fix
{
0042BEF4     90             NOP
0042BEF5     90             NOP
0042BEF6     90             NOP
0042BEF7     90             NOP
0042BEF8     90             NOP
0042BEF9     90             NOP
0042BEFA     90             NOP
0042BEFB     90             NOP
0042BEFC     90             NOP
0042BEFD     90             NOP
0042BEFE     90             NOP
0042BEFF     90             NOP
0042BF00     90             NOP
0042BF01     90             NOP
0042BF02     90             NOP
0042BF03     90             NOP
0042BF04     90             NOP
0042BF05     90             NOP
0042BF06     90             NOP
}


0x6303 opcode fix
{
0x0042d339 -> 0x90
0x0042d33A -> 0x90
//////////////////
0x0042d36c -> 0x90
0x0042d36d -> 0x90
//////////////////
0x0042d374 -> jmp
}


//---------------------------------------------------------

0042D31C     CC             INT3
0042D31D     CC             INT3
0042D31E     CC             INT3
0042D31F     CC             INT3
0042D320   . 83EC 08        SUB ESP,8
0042D323   . 53             PUSH EBX
0042D324   . 55             PUSH EBP
0042D325   . 8B6C24 14      MOV EBP,DWORD PTR SS:[ESP+14]
0042D329   . 83BD 48100000 >CMP DWORD PTR SS:[EBP+1048],0
0042D330   . 56             PUSH ESI
0042D331   . 57             PUSH EDI
0042D332   . 8BF9           MOV EDI,ECX
0042D334   . C64424 13 02   MOV BYTE PTR SS:[ESP+13],2
0042D339     90             NOP                                                        ----
0042D33A     90             NOP                                                        ----
0042D33B   . 8D4424 14      LEA EAX,DWORD PTR SS:[ESP+14]
0042D33F   . 50             PUSH EAX                                 ; /Arg1
0042D340   . 8BC5           MOV EAX,EBP                              ; |
0042D342   . E8 99A7FDFF    CALL AgentSer.00407AE0                   ; \AgentSer.00407AE0
0042D347   . EB 0C          JMP SHORT AgentSer.0042D355                            ----
0042D349   > 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
0042D34D   . 51             PUSH ECX                                 ; /Arg1
0042D34E   . 8BC5           MOV EAX,EBP                              ; |
0042D350   . E8 EBA7FDFF    CALL AgentSer.00407B40                   ; \AgentSer.00407B40
0042D355   > 8B17           MOV EDX,DWORD PTR DS:[EDI]
0042D357   . 8B5C24 14      MOV EBX,DWORD PTR SS:[ESP+14]
0042D35B   . 8B82 B4000000  MOV EAX,DWORD PTR DS:[EDX+B4]
0042D361   . 53             PUSH EBX
0042D362   . 8BCF           MOV ECX,EDI
0042D364   . FFD0           CALL EAX
0042D366   . 84C0           TEST AL,AL
0042D368   . 884424 1C      MOV BYTE PTR SS:[ESP+1C],AL
0042D36C     90             NOP                                            ----
0042D36D     90             NOP    ----
0042D36E   . 0FB6C3         MOVZX EAX,BL
0042D371   . 83E8 01        SUB EAX,1                                ;  Switch (cases 1..2)
0042D374     EB 09          JMP SHORT AgentSer.0042D37F
0042D376   . 83E8 01        SUB EAX,1
0042D379   . 75 13          JNZ SHORT AgentSer.0042D38E
0042D37B   . 6A 04          PUSH 4                                   ;  Case 2 of switch 0042D371
0042D37D   . EB 02          JMP SHORT AgentSer.0042D381
0042D37F   > 6A 05          PUSH 5                                   ;  Case 1 of switch 0042D371
0042D381   > 8B0D 249B4E00  MOV ECX,DWORD PTR DS:[4E9B24]            ;  AgentSer.0052ABE0
0042D387   . 8B11           MOV EDX,DWORD PTR DS:[ECX]
0042D389   . 8B42 4C        MOV EAX,DWORD PTR DS:[EDX+4C]
0042D38C   . FFD0           CALL EAX
0042D38E   > C64424 13 01   MOV BYTE PTR SS:[ESP+13],1               ;  Default case of switch 0042D371
0042D393   > A1 609A4E00    MOV EAX,DWORD PTR DS:[4E9A60]
0042D398   . 8B08           MOV ECX,DWORD PTR DS:[EAX]
0042D39A   . 8B51 48        MOV EDX,DWORD PTR DS:[ECX+48]

//----------------------------------


0x1005 fix

0x004c2fac -> cmp byte ptr ds:[0x4c2ff8], 1



0x004c2ff8 -> 0x00 (default)

00430442   E9 652B0900      JMP AgentSer.004C2FAC


returning to (after codecave finished, if byte at 0x004c2ff8 = 0 (setting it to 1 before dat)
00430442   . FFA0 88000000  JMP DWORD PTR DS:[EAX+88]







//----------------------------------------------------

004C2FAC   803D F82F4C00 00 CMP BYTE PTR DS:[4C2FF8],0               ; comparing current value with 0
004C2FB3   74 15            JE SHORT AgentSer.004C2FCA               ; hould initialize
004C2FB5   90               NOP
004C2FB6   90               NOP
004C2FB7   90               NOP
004C2FB8   90               NOP
004C2FB9   EB 1D            JMP SHORT AgentSer.004C2FD8              ; already initialized
004C2FBB   90               NOP
004C2FBC   90               NOP
004C2FBD   90               NOP
004C2FBE   0000             ADD BYTE PTR DS:[EAX],AL
004C2FC0   0000             ADD BYTE PTR DS:[EAX],AL
004C2FC2   0000             ADD BYTE PTR DS:[EAX],AL
004C2FC4   0000             ADD BYTE PTR DS:[EAX],AL
004C2FC6   0000             ADD BYTE PTR DS:[EAX],AL
004C2FC8   0000             ADD BYTE PTR DS:[EAX],AL
004C2FCA   C605 F82F4C00 01 MOV BYTE PTR DS:[4C2FF8],1               ; Initialize
004C2FD1   FFA0 88000000    JMP DWORD PTR DS:[EAX+88]
004C2FD7   90               NOP
004C2FD8   C2 1000          RETN 10                                  ; no initialization
004C2FDB   90               NOP
004C2FDC   0000             ADD BYTE PTR DS:[EAX],AL
004C2FDE   0000             ADD BYTE PTR DS:[EAX],AL
004C2FE0   0000             ADD BYTE PTR DS:[EAX],AL
004C2FE2   0000             ADD BYTE PTR DS:[EAX],AL
004C2FE4   0000             ADD BYTE PTR DS:[EAX],AL
004C2FE6   0000             ADD BYTE PTR DS:[EAX],AL
004C2FE8   0000             ADD BYTE PTR DS:[EAX],AL
004C2FEA   0000             ADD BYTE PTR DS:[EAX],AL
004C2FEC   0000             ADD BYTE PTR DS:[EAX],AL
004C2FEE   0000             ADD BYTE PTR DS:[EAX],AL
004C2FF0   0000             ADD BYTE PTR DS:[EAX],AL
004C2FF2   0000             ADD BYTE PTR DS:[EAX],AL
004C2FF4   0000             ADD BYTE PTR DS:[EAX],AL
004C2FF6   0000             ADD BYTE PTR DS:[EAX],AL
004C2FF8   0000             ADD BYTE PTR DS:[EAX],AL                 ; DATA SEGMENT FOR CODECAVE
004C2FFA   0000             ADD BYTE PTR DS:[EAX],AL
004C2FFC   0000             ADD BYTE PTR DS:[EAX],AL
004C2FFE   0000             ADD BYTE PTR DS:[EAX],AL



80 3D F8 2F 4C 00 00 74 15 90 90 90 90 EB 1D 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 C6 05
F8 2F 4C 00 01 FF A0 88 00 00 00 90 C2 10 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


004C2FAC




original entry point [agentserver + hyperfilter dll (hyperfilter_as.dll)]
0048D8E5


new ep: 0x004c2f70 


Use ollydbg and patch it to fix agent exploit!

[PortalDark]

#Approved

[^TWEETY^]

Any body could share fixed exes?

I'm not ggod at olly

thx

[tombalaci46]

Quote:

Originally Posted by ^TWEETY^

Any body could share fixed exes?

I'm not ggod at olly

thx

Here is agent, when i had time i will fix for gs.

[鳳凰城]

So basically it protects from the shared opcodes only? hihi.

[tombalaci46]

Quote:

Originally Posted by Phoenix 1337

So basically it protects from the shared opcodes only? hihi.

If you block opcodes from .exe then it will fix crash exploit

[Nezekan]

Quote:

Originally Posted by tombalaci46

If you block opcodes from .exe then it will fix crash exploit

You can't simply go around the executable and block everything you don't like

[鳳凰城]

Like its the LATEST opcodes.

[Alexiuns]

nice to help people
but bad to **** sro community

[H4rdStyl333]

Thanks

[Power Road]

niceeeeeeeeeeeeeeeeeeee

[focus2525]

i want patch for Agentserver.exe Blackrogue file
help me

[[GM]Hellkings]

Good Job Bro Keap it up

[Royalblade*]

Agent

PHP Code:



000C2FAE   0000             ADD BYTE PTR DS:[EAX],AL
000C2FB0   0000             ADD BYTE PTR DS:[EAX],AL


79.143.190.224
agent v188



0x1005

0x00430440 -> 0x1005 [set retn] 


i was just seaarching for a few things and stumbled upon this thread. Then i see the IP in there and immediately recognize all of it.

That IP is my old testservers IP at contabo. Chernobyl made that file when he was exploit fixing.

I'm wondering how you didn't even write credits or ****. It's not like you even understand what it means...

seriously people these days...
sorry to revive this old thread but just had to say it.