Luigi Auriemma

q3fill covers only the out-game part of the protocol, so all the packets which start with the usual \xff\xff\xff\xff and which are all in clear-text (only connect is compressed with huffman).

The rest of the packets require compression + encryption which q3fill doesn't support (it's a bit complex)

yeah of course :D but still, u still can make a fake player execute exactly when it connects can't u, if not milisecond after?

it's still possible to make a bot like that though? even make a bot that can fight for that u launch off your pc without using rcon to add a NPC?

sure anything is possible if you have time and desire to take the Quake 3 source code and modifying it 8-)

ehh but through q3fill, u can make the fake player execute something the same time it connects, right?

no I can't because I don't know how to implement the in-game low-level protocol

but its not really in-game its directly when it connects... "gjadifihajd connected" directly when that goes

also is there a fix for dirtrav for linux?

As already said before the quake 3 engine classifies the packets in two types: \xff\xff\xff\xff and in-game, you can also watch the source code for more info.

"connect" is the latest non-in-game packet available (it's just the latest before the starting of the in-game communication) and any command must be included in the in-game packets which use that encryption/compression.
"connect" includes only the data of the player not commands or other stuff.

The fix for q3dirtrav is available only for Windows for various reasons: more easy to create, universal, I had more interest in it and so on.
Naturally this doesn't mean that it's not possible to do the same on Linux where probably hooking can help to make the thing more easy; my code and the patch (the explanation) is open source so who wants can try to port it on Linux too.

The only madness of that patch I created was the placing of the instructions in the middle of various functions (probably I was drunked that day ih ih ih) which is correct, sure, but an easier and more "human" way is just to add the whole patch at the end of the PE section which contains the code (this part is usually visible at the end of the code of the disassembled executables, 00 00 00...).
This note was only for who had doubts about that mad method I used 8-)

oh... :S

anyway, is there any PoC, client overflows, server crashes you have for Battlefield 2 Demo? or regular BF2?
i checked but i couldn't find any except bf2 fake player and battlefield 1942/vietnam bfcboom

actually I'm not aware of security bugs in BF2*

The reason the ban bypass trick doesnt always work, is because the q3infoboom patch fixes it.

When the server receives a out-of-game message (like connect), it reads the params provided into a 1024 byte buffer... normally...
The patch, however, lowers that to 512 bytes, resulting in only 512 bytes from your player profile being read by the server, leaving another 512 bytes being availible for adding your IP, which.. of course..never fails in this situation

yeah i figured that out on jk2 a while ago o_o but all servers have the infoboom patch (because most server providers patch it) so didn't think i should of posted it :D. Even if the server doesn't have the infoboom patch, it still takes a while for it to work, you have to keep trying. It isn't always like that for every game, so when you've tested something state what game you are talking about. :)

That's partially true, because "connect" is compressed so 512 bytes compressed can be 2 kilobytes of plain-text string depending by the type and amount of same chars.

Anyway in this moment I'm doing some tests for a better implementation of the unban stuff in both q3unban_sudp and q3fill.
Probably the char I will choose will be the backslash (0x5c) which is giving the best results in size.
Other good results are also the 'e' and 'o' chars.

Sorry my error.
MSG_ReadStringLine (the function which is modified by my q3infofix limiting the size of the string from 1024 to 383 bytes) is called after the decompression of the connect packet:

boba fett, what game did u test ur theory on?

and luigi, does msgboom affect JA at all?

on JA q3msgboom (the disconnection of the other players in the server) is partially exploitable because the server is affected by a buffer-overflow (jamsgbof) during the handling of the big string sent by the client.
Version tested was the 1.0.1.0

Now what ... ? Aluigi any help xd

that server is for low pings only, probably your bandwidth is not enough or something similar.

holy cow I just lag out 1 server and its just disappear XD YAy
q3fill -u -T 120 xx.x.xxx.xxx xxxx
after that my fake ppls disappear aaaand - q3fill xx.x.xxx.xxx xxxx
LOL I just kill the server XD thanks ALUIGI <3
1 big sorrow I can't change my IP, i dont have Router :'0 :'( :'( :'(

ugh I dont have modem. I use cable for my internet xd lol the IP wont change x'0

is possible that the server admin got scaried of the fake players "invasion" and decided to quit the server 8-)

Lolz no the chief of the server didnt was there. there had only medium lvl admin and some ppls XD XD

sry for out-of-topic .. but wtf ?? you plug cable into ur pc lol ? ..dude cable goes into MODEM and ETHERNET goes from modem into pc (or USB) ..so far i havent seen any pc that has built in modem where you can just stick in the cable.

-->cable and 1 adapter connected with it is input in my computer USB

aluigi, about q3fill, i cannot unban myself from a server on cod1, as said that it works on the cod series, it keeps coming up an error saying:
Error: needcdkey

I have a valid cdkey on my game but the error message keeps coming up. Can you help me? plz?

uhmmm I don't know if I can help you much since I have made the tests mainly in LAN and servers which don't require cdkeys anyway if I'm not in error the cdkey should be handled in a way similar to how ET, so "connect "challenge\blablablabla" *hash"

q3unban_sudp is written in a way to make the "challenge\blablablabla" part to fit all the 1024 chars (MAX_INFO_STRING) so is possible that for some space reasons the subsequent hash is not handled.

anyway this is only a hypotesis, you should modify the source code of q3unban_sudp and recompile it to check if making all the ""challenge\blablablabla" *hash"" part to fit the 1024 chars.
I can't be sure if this is the cause of the problem but if you can't recompile the code I can attach a beta here for the tests.

Spoof your MAC address on your ethernet adapter or router and release/renew it will normally give u a new ip.

release and renew like never works unless u release... come back a week later... then renew

1. This PC isn't mine but is almost the same config. in back - th PC's Net USB
2. That's my ethernet cable (with adapter) Th cable modem Its direct input in my "PC's net USB"
P.S.:I tryed also to output the adapter from the contact - and my internet still is on :S(before then I output the adapter my net stoped but now ... like I dont need anymore this adapter)
3. That's the white box White Box. From there my "ethernet" cable come.I saw is connected with another white boxes witch boxes have another member(s) on on it. And I think all boxex are connected between it selfs and at the end have 1 base