====================================================================================
#
# this file has been created for the Lame patcher program available for both *nix
# and Windows platforms.
# You need this program for continuing the patching of your files:
#
# http://aluigi.org/mytoolz.htm#lpatch
#
# Quick step-by-step for Windows:
# - launch lpatch.exe
# - select this sof2guidfix.lpatch file
# - read the message windows and click yes
# - select the file (usually executables or dlls) to patch
# - read the message windows to know if everything has been patched correctly
# - test your game
#
# Quick step-by-step for Linux:
# - compile lpatch: gcc -c md5.c ; gcc -o lpatch lpatch.c md5.o
# - launch ./lpatch sof2guidfix.lpatch
# - read the text messages
# - specify the name of the file to patch
# - read the text messages to know if everything has been patched correctly
# - test your game
TITLE
Soldier of Fortune II (1.03 Windows and 1.02a Linux) cl_guid fix 0.2.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
INTRO
This unofficial patch is able to fix the following bug:
.
. http://aluigi.org/adv/sof2guidboom-adv.txt
.
If you are unsure whether your server is vulnerable, please use the proof-of-concept
provided there.
.
The solution I have adopted for this bug is to limit the length of the client's
cl_guid string to a maximum of 64 chars.
.
The patch has been tested with the latest releases of the game for Windows
(1.03) and Linux (1.02a); older versions will NOT be supported by me, so don't
ask.
FILE
SoF2MP.exe;sof2ded
ONLY_ONE
### WINDOWS ###
; SoF2MP.exe
; Both byte blocks are 65 bytes long. The first 31 bytes of the original
; (two function epilogues plus 13 NOP padding bytes) are rewritten to gain
; room for the length check; the remaining bytes are the entry of the
; function that looks up cl_guid (push ebp ... add esp,8 / test esi,esi).
BYTES_ORIGINAL
5f c6 46 0c 01 5e 33 c0 5b 59 c3 5f 8b c6 5e 5b
59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 55
8b 6c 24 08 56 57 8d 45 04 68 b0 b3 55 00 50 e8
fb ca fe ff 8b 35 84 3c ba 00 83 c4 08 85 f6 8b
f8
BYTES_PATCH
c6 46 0c 01 33 c0 5f 5e 5b 59 c3 8b c6 eb f7 8b
f8 32 c0 83 c9 ff f2 ae 83 f9 c0 7c 6f eb 20 55
8b 6c 24 08 56 57 8d 45 04 68 b0 b3 55 00 50 e8
fb ca fe ff 8b 35 84 3c ba 00 83 c4 08 eb d0 85
f6
; BYTES_PATCH disassembled (decimal offset of each instruction from the first byte):
;   0  c6 46 0c 01      mov byte ptr [esi+0xc],1    ; first epilogue, reordered so that
;   4  33 c0            xor eax,eax                 ; both epilogues can share the pops
;   6  5f 5e 5b 59 c3   pop edi/pop esi/pop ebx/pop ecx/ret   ; shared epilogue
;  11  8b c6            mov eax,esi                 ; second epilogue ...
;  13  eb f7            jmp -9                      ; ... joins the shared one at offset 6
;  15  8b f8            mov edi,eax                 ; edi = cl_guid value returned by the call at 47
;  17  32 c0            xor al,al                   ; scan for a zero byte
;  19  83 c9 ff         or ecx,-1
;  22  f2 ae            repne scasb                 ; stops after the NUL: ecx = -(len+2), edi = one past the NUL
;  24  83 f9 c0         cmp ecx,-0x40
;  27  7c 6f            jl +0x6f                    ; -(len+2) < -64, i.e. len >= 63: Banned path (see readme note below);
;                                                   ; note this is one char stricter than the Linux check (len >= 64)
;  29  eb 20            jmp +0x20                   ; otherwise resume at offset 63
;  31  55 ... 83 c4 08  push ebp / mov ebp,[esp+8] / push esi / push edi / lea eax,[ebp+4] /
;                       push 0x55b3b0 / push eax / call / mov esi,[0xba3c84] / add esp,8
;                                                   ; unchanged from BYTES_ORIGINAL
;  61  eb d0            jmp -0x30                   ; to the length check at offset 15
;  63  85 f6            test esi,esi                ; the original's mov edi,eax (offset 63 in BYTES_ORIGINAL) is not re-executed
; NOTE(review): when execution resumes at offset 63, edi points one past the
; NUL (advanced by repne scasb) and the low byte of eax has been cleared by
; xor al,al, whereas the original code reached this point with edi = eax =
; the cl_guid string. The bytes that follow offset 65 are outside this file,
; so confirm on the binary that they do not read edi or eax as the guid
; pointer before reloading it; if they do, the ban-list comparison would be
; made against the wrong string.
; from the old sof2-103-guidfix readme:
; The bytes I have added are a check made on the cl_guid value to know if
; it is bigger than 64 bytes (its total buffer size).
; This check has been inserted in the function that reads the cl_guid and
; verifies if it is a banned guid, so the attacker will receive the
; "Banned" error message if sends a cl_guid bigger than 64 bytes.
; The other bytes (at the beginning) instead are needed to gain space for
; placing my fix.
; sof2ded
### LINUX ###
RVA
8048000
; 8051204
BYTES_ORIGINAL
55 ; push ebp
8b ec ; mov ebp,esp
83 ec 10 ; sub esp,0x10
89 75 fc ; mov DWORD PTR [ebp-4],esi
8b 75 08 ; mov esi,DWORD PTR [ebp+8]
8d 46 04 ; lea eax,[esi+4]
89 04 24 ; mov DWORD PTR [esp],eax
c7 44 24 04 38 c4 14 08 ; mov DWORD PTR [esp+4],0x814c438 ; cl_guid
e8 b1 36 04 00 ; call 80948d4
89 04 24 ; mov DWORD PTR [esp],eax
e8 29 f6 ff ff ; call 8050854
85 c0 ; test eax,eax
74 17 ; je 8051246
8b 15 2c e9 2b 08 ; mov edx,DWORD PTR ds:0x82be92c
8b 4a 28 ; mov ecx,DWORD PTR [edx+40]
33 c0 ; xor eax,eax
85 c9 ; test ecx,ecx
8b 75 fc ; mov esi,DWORD PTR [ebp-4]
0f 95 c0 ; setne al
8b e5 ; mov esp,ebp
5d ; pop ebp
c3 ; ret
83 c4 e8 ; add esp,0xffffffe8
8d 86 b8 7c 02 00 ; lea eax,[esi+0x27cb8]
8b d4 ; mov edx,esp
8b 08 ; mov ecx,DWORD PTR [eax]
8b 70 04 ; mov esi,DWORD PTR [eax+4]
89 0a ; mov DWORD PTR [edx],ecx
8b 48 08 ; mov ecx,DWORD PTR [eax+8]
89 72 04 ; mov DWORD PTR [edx+4],esi
89 4a 08 ; mov DWORD PTR [edx+8],ecx
8b 48 0c ; mov ecx,DWORD PTR [eax+12]
8b 40 10 ; mov eax,DWORD PTR [eax+16]
89 4a 0c ; mov DWORD PTR [edx+12],ecx
89 42 10 ; mov DWORD PTR [edx+16],eax
e8 e2 d9 03 00 ; call 808ec54
83 c4 18 ; add esp,0x18
BYTES_PATCH
55 ; push ebp
8b ec ; mov ebp,esp
83 ec 10 ; sub esp,0x10
89 75 fc ; mov DWORD PTR [ebp-4],esi
8b 75 08 ; mov esi,DWORD PTR [ebp+8]
8d 46 04 ; lea eax,[esi+4]
; free a couple of bytes: push/push/call/add esp,8 (14 bytes) replaces the
; two [esp] stores + call of the original (16 bytes); esp ends up where the
; original left it, so the later mov DWORD PTR [esp],eax is unaffected
68 |814c438 ; push 0x814c438 ; cl_guid
50 ; push eax
e8 ^80948d4 ; call 80948d4 ; eax = cl_guid value string
83 C4 08 ; add esp,8
; PATCH HERE: strlen of the value in eax, counted in ecx. eax is preserved;
; ecx is overwritten by mov ecx,[edx+40] on the fall-through path and is not
; read on the je path within this block.
33 C9 ; xor ecx, ecx ; ecx = length counter
F6 04 08 FF ; test byte ptr [eax+ecx], 0xff ; ZF=1 at the terminating NUL
74 03 ; jz +3 ; leave the loop at the NUL (skips the inc and the jmp)
41 ; inc ecx ; next byte
EB F7 ; jmp -9 ; back to the test
83 F9 40 ; cmp ecx, 0x40 ; compare the length with 64, the size of the cl_guid buffer
73 0C ; jae +0x0c ; unsigned: length >= 64 -> skip the ban-list call and join the path taken when it returns nonzero (Banned message)
89 04 24 ; mov DWORD PTR [esp],eax
e8 ^8050854 ; call 8050854
85 c0 ; test eax,eax
74 17 ; je 8051246 ; displacement unchanged: the 14 bytes added above are balanced by the 14 freed below, before the target
8b 15 |0x82be92c ; mov edx,DWORD PTR ds:0x82be92c
8b 4a 28 ; mov ecx,DWORD PTR [edx+40]
33 c0 ; xor eax,eax
85 c9 ; test ecx,ecx
8b 75 fc ; mov esi,DWORD PTR [ebp-4]
0f 95 c0 ; setne al
8b e5 ; mov esp,ebp
5d ; pop ebp
c3 ; ret
83 c4 e8 ; add esp,0xffffffe8
8d 86 b8 7c 02 00 ; lea eax,[esi+0x27cb8]
8b d4 ; mov edx,esp
; free 14 bytes: five pushes (14 bytes) replace the original's 28-byte copy
; of the same five dwords through ecx/esi; this pays for the 14 bytes added
; above and keeps the block at 113 bytes like BYTES_ORIGINAL. The pushes are
; in reverse order so [esp] = [eax] at the call, as in the original.
ff 70 10 ; push DWORD PTR [eax+16]
ff 70 0c ; push DWORD PTR [eax+12]
ff 70 08 ; push DWORD PTR [eax+8]
ff 70 04 ; push DWORD PTR [eax+4]
ff 30 ; push DWORD PTR [eax]
e8 ^808ec54 ; call 808ec54
83 c4 2c ; add esp,0x2c ; yes + 20 for the previous pushes: 0x18 as before plus 0x14 for the five pushes
====================================================================================