Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
Unfortunately it seems that the developers didn't completely fix this vulnerability I reported to them over 3 years ago (wow, time flies), so it was enough to change a number in my old proof-of-concept and the latest 1.07 is vulnerable too:
Naturally my haloloopfix is also affected by the problem since, as stated there, I just used the same function from 1.07.
Differently from the old famous haloboom bug, haloloop has worse effects like the CPU at 100% and the freezing of the server due to an endless loop, which makes it impossible to autorestart it since there is no termination of the process.
Naturally both Halo and Halo Custom Edition are vulnerable.
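Since a server stuck in this loop never exits, a restart-on-exit wrapper never fires; the liveness watchdog below (an added example, not code from this thread or from any Halo patch) instead restarts the process when it stops answering probes. The server command line, the port and the UDP query payload are placeholders, as the thread does not give them.

```python
import socket
import subprocess
import time


def probe(host, port, payload, timeout=2.0):
    """Send one UDP datagram and report whether any reply arrived before the timeout.

    A server spinning in an endless loop still holds its socket open, so a plain
    port check passes; only an actual reply proves the main loop is alive."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(payload, (host, port))
            sock.recvfrom(4096)
            return True
    except (socket.timeout, OSError):
        return False


class HangDetector:
    """Count consecutive failed probes; declare a hang once max_failures is reached."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = 0

    def record(self, replied):
        self.failures = 0 if replied else self.failures + 1
        return self.failures >= self.max_failures


def supervise(cmd, host, port, payload, interval=10.0, max_failures=3):
    """Run the server; restart it when it exits OR when it stops answering probes."""
    detector = HangDetector(max_failures)
    proc = subprocess.Popen(cmd)
    while True:
        time.sleep(interval)
        if proc.poll() is not None:  # crashed: the case a plain autorestart already handles
            reason = "exited with code %d" % proc.returncode
        elif detector.record(probe(host, port, payload)):
            proc.kill()  # hung: it will never exit on its own, so terminate it ourselves
            proc.wait()
            reason = "no reply to %d consecutive probes" % max_failures
        else:
            continue
        print("restarting server: " + reason)
        detector = HangDetector(max_failures)
        proc = subprocess.Popen(cmd)


if __name__ == "__main__":
    # Placeholders (assumed, not from the thread): server binary, port and query packet.
    supervise(["haloceded.exe"], "127.0.0.1", 2302, b"PLACEHOLDER_QUERY")
```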
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
My previous patch for fixing haloloop in the 1.04 servers was just a copy of the 1.07 function and worked, but naturally if the bug is not fully fixed in 1.07 the same is valid for my patch too.
So at the moment there doesn't exist a Halo server (including CE and demo) that is not vulnerable.
So sad... Halo being such a fun game, ruined by such pitiful coding...
Hopefully Gearbox gets some funding to create some sort of patch (1.08)?
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
Hard to answer, but considering that 1.07 is dated 2005 and, as you have seen, was only a work-around and not a real patch, I highly highly highly doubt that 1.08 will be released... or that it will really fix the bug, naturally.
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
Uhmmm, probably someone who has still not understood that I'm not Gearbox or Bungie and thinks that his personal problems are of minimal interest on a basic support forum for a personal research website... mah
Kids these days *sigh*..... well, guess I'm gonna go find another game to get latched on to..
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
I can understand your frustration but not the lack of respect you showed towards me and moreover my research; if there is something you don't understand (what a security bug is and/or all the related details), it's only your problem.
The bug has not been created by me; I simply found it 3 years ago and posted the results of my research, so it was already there (I don't want to enter into the pros and cons of full disclosure, I can only say that I have over 6 years and hundreds of game and non-game vulnerabilities in my experience, so I know perfectly well what I'm talking about, better than anyone else).
About Bungie/Gearbox, it is also important not to forget Microsoft, since it is the publisher and has the main decisional power about patches or the death of games.
Developers and publishers have a contract, and only the publishers (depending on the contract, but 99% of the time it's this way) can authorize the patch, its testing and its release, which often can take a lot of time without reason.
3 years ago when I found the so-called haloloop and haloboom bugs I exchanged AT LEAST (so this is the minimal amount) 20 mails with my contact there, and the conclusion was that after one or two months from when the bug was reported, and after I had really annoyed them with my mails about updates, I released the advisory before the release of the 1.07 patch, which luckily happened later (without receiving thanks in the changelog or from the community).
But it's useless to talk about these things since the end-users are the only ones who can change something; I can do something with my advisories (the classification and publication of the bugs as security vulnerabilities is a big step) but naturally it's up to the users to contact the developers and say "come on, patch it!"
When the publisher sees hundreds of paying consumers angry about the lack of support for their products, be sure that something usually changes.
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
~OMG~Ganon wrote:
If Bungie doesn't get off their lazy asses and REALLY fix it this time, I hope the media ruins them
And who do you think pays the media? Marketing and advertising is the primary job of the publisher.
Quote:
Any chance of private messaging us an anti-loop?
All my research is public on my websites (main and mirror), I don't do private stuff.
Try the fix suggested by shankedup; if it doesn't work or doesn't fully fix the bug I can't help, since I'm not a magician who can fix any bug with the power of the mind.
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
~OMG~Ganon wrote:
Just venting my frustration at who I thought was the main cause.
Probably I have understood the reason for your anger, wrongly directed towards me.
Yesterday night a Halo admin gave me a link to the page of a certain person, which I looked at only some minutes ago.
That page is the perfect demonstration of a misuse (aka wrong usage) of my work and research, so it's not important if I write "proof-of-concept"/"testing code"/"demonstration code" in big capital letters (and without considering that my website is located in the Research section of dmoz just for this reason: http://www.dmoz.org/Computers/Security/ ... /Research/) since then anyone has his personal interpretation.
The only positive thing is that at least he has credited me, but being credited for something wrongly shown as bad or malicious is not the max of happiness... blah
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
I have tested the work-around made by Goemitar and it doesn't fully fix the bug; the vulnerability is still there (it's enough to modify an instruction in haloloop2).
I quickly made that fix. It wasn't really ready to be released, but because so many people went crazy saying that "Halo is now dead" I released it already.
Anyway, the new fix also works if you change the instruction. It's that number that needs to be higher than 3, right ;)? About the fix itself, it's a rather simple method to detect if it's in a loop or not. You can't really "prove" this will always work, but it seems to do the trick.
I'll send you a copy of it Luigi, since you're probably better at testing if it actually works or not. Or do you think there's a chance they'll actually release an update? In that case it might actually be better to wait and let them fix it. The update could make the current aimbot crash (since memory addresses will probably change etc.).
omegga: any chance of the patch being released for 1.04 and, more importantly, 64-bit systems (many good dedicated servers are 64-bit and the patch strangely does not work there)?
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
Hey Goemitar, ok, send me the new patch and I will be glad to test it, and if you have MSN we can do the tests in real-time too.
For the moment the important thing is that your work-around (beta or not is not important) has put a brake on those who abuse my work; this gives time to find the best solution.
About the official update... there are probably more chances that the vulnerability evolves and autopatches itself than of waiting for a patch 8-)
I could try to send a mail to my old contact at Microsoft but sincerely I don't know if he still works for them, and in any case at least one or two months will be needed for a patch... hoping for a definitive fix naturally
I have a feeling the end-users have to put in more effort if Microsoft (or whoever) is to create an official patch for Halo. Regardless of the official patch, I would like to initiate a patch for the other *albeit useless* versions of Halo. There are many people who would rather enjoy previous versions (due to competition, hacks and whatever reasons the community has).
It didn't fix the bug itself, but it simply bypasses it.
However I had a problem with storing the value of 'i'; I tried to push it on the stack but it was a silly idea. Is there any writable, unused memory location in Halo memory to store that variable?
I used haloceded 1.0.
Joined: 13 Aug 2007 21:44 Posts: 2759 Location: http://aluigi.org
In reality there is probably something you and others can do: avoid disinformation about my research.
It's useless documenting and demonstrating a vulnerability publicly if then all the idiots (admins, attackers and players; ignorant people can be on any side) don't have the knowledge or don't want to understand it.
But idiots don't understand in any case, so probably it's useless to talk to such people... anyway, trying doesn't cost anything.