New Halo loop out for Halo servers ---> Patch it ASAP!
supersniper
June 16th, 2009, 12:12 PM
Well thanks to BrandiniMP he has discovered a new haloloop.
He does NOT provide a download to the haloloop but he does provide a patch that will help any dedicated server owner be protected. And on top of that he provides an awesome video that lets you understand and see what exactly you are being protected against.
I am not BrandiniMP!
Any questions contact him at his website (http://brandinimp.com/?p=62).
DOWNLOADS:
Halo CE: http://vivid-abstractions.net/brandinimp/haloceded_108.zip
Halo PC: http://vivid-abstractions.net/brandinimp/haloded_108.zip
jcap
June 16th, 2009, 01:52 PM
Thread is locked and link has been removed because the downloads circumvent copy protection.
Actually, I think I'll leave it up and then see how Bungie reacts to the exploit...
BrandiniMP
June 16th, 2009, 02:28 PM
thanks jcap :)
Sel
June 16th, 2009, 02:48 PM
give it to me
I'm bungies official exploit tester
BrandiniMP
June 16th, 2009, 04:04 PM
read the post on the link, it's just a new way of using haloloop
Cortexian
June 16th, 2009, 04:40 PM
Can someone release a fixed exe that works with the Devicator/Rec0's please? Thanks.
Limited
June 16th, 2009, 05:43 PM
I'm not too worried, I assume he edited the haloboom code, maybe to accept a new version of Halo.
BrandiniMP
June 16th, 2009, 05:44 PM
I'm not too worried, I assume he edited the haloboom code, maybe to accept a new version of Halo.
If you read my post you will see that I'm using an unedited version of haloloop (haloloop1 actually); it works with 2 and 3 also. The problem is actually partially caused by Bungie's attempt to stop haloloop, causing a buffer overrun in the packet buffer.
Limited
June 16th, 2009, 05:47 PM
Oh I see how it works now. So they fixed it, however denying access to the server is actually not preventing it, because it's a DoS attack which still sends packets whether the join is accepted.
Also congrats on finally updating your site lol.
BrandiniMP
June 16th, 2009, 05:50 PM
Oh I see how it works now. So they fixed it, however denying access to the server is actually not preventing it, because it's a DoS attack which still sends packets whether the join is accepted.
Also congrats on finally updating your site lol.
The problem I believe is, they are allowing the server to process the packet, however there is a timeout, which is a logical choice, however this timeout is there for EVERY loop packet received, so by hitting the server with a lot of loop packets the packet buffer will fill up, and Bungie, being noobs, didn't bother to add a check for writing outside the packet buffer; that's where my patch came in.
And thank you, I thought I might as well start a blog lol ^^
Limited
June 16th, 2009, 05:59 PM
Yeah I see how it works and uh it did work >_>.
Um?
Patched: -exec...halo( ..halo pc 01.00.00.0609)
Vulnerable: -exec...halo( ..halo pc 01.00.08.0616)
So you're spoofing the version back to 1.0?
Waah, Pat wasn't taught by bitterbanana :)
BrandiniMP
June 16th, 2009, 06:05 PM
lol, you downloaded the 1.00 version.
E: there are 3 versions (soon to be 4) HaloCE and PC 1.08 and HaloCE 1.00 (and soon HPC 1.04)
Limited
June 16th, 2009, 06:14 PM
That would be true >_>. So you've edited the sort of handshake to not use the packet buffer for checking?
BrandiniMP
June 16th, 2009, 06:25 PM
No, I added a code cave in the code that writes the packet buffer to check for the counter being higher than the size of the packet buffer (which only happens if someone is looping), which then sets the counter to 0. There are a few leaks elsewhere also, which I'm spoofing the values of also.
E: and Pat was taught some stuff by BitterBanana :P
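Added example, not part of the thread and not BrandiniMP's patch or the server's real code: a small C model of the unchecked packet-buffer counter and the reset guard described in the post above. The buffer size, struct layout and function names are assumptions for illustration; the flat `arena` array stands in for the packet buffer plus the memory after it, so the overrun can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOTS    16   /* assumed capacity of the packet buffer */
#define ADJACENT 16   /* stand-in for the server memory that follows it */

/* Constructed model: arena[0..SLOTS) is the packet buffer, arena[SLOTS..)
 * is neighbouring state, so an overrun shows up without real OOB access. */
struct server {
    uint32_t arena[SLOTS + ADJACENT];
    size_t   counter;   /* write index, advanced for every queued packet */
    unsigned resets;    /* times the guard fired; a useful flood signal */
};

/* Behaviour described in the thread: the write index is never checked. */
void queue_unchecked(struct server *s, uint32_t pkt)
{
    if (s->counter < SLOTS + ADJACENT)  /* keeps only the model in bounds */
        s->arena[s->counter] = pkt;
    s->counter++;
}

/* Guard as described in the post: index past the buffer -> back to 0. */
void queue_checked(struct server *s, uint32_t pkt)
{
    if (s->counter >= SLOTS) { s->counter = 0; s->resets++; }
    s->arena[s->counter++] = pkt;
}

/* Number of neighbouring words overwritten by queued packets. */
size_t corrupted_words(const struct server *s)
{
    size_t n = 0;
    for (size_t i = SLOTS; i < SLOTS + ADJACENT; i++)
        n += (s->arena[i] != 0);
    return n;
}

/* Queue `packets` packets that all sit in the buffer awaiting their timeout. */
size_t flood(struct server *s, void (*queue)(struct server *, uint32_t), size_t packets)
{
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < packets; i++)
        queue(s, (uint32_t)(i + 1));
    return corrupted_words(s);
}

int main(void) { struct server s; return flood(&s, queue_checked, 24) != 0; } /* 0 = guard held */
```

In this model the `resets` counter doubles as a detection hook: on a server that is not being flooded it would stay at zero.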
Kaishounashi
June 16th, 2009, 08:55 PM
BrandiniMP, does this work with servers patched to use SAPP?
BrandiniMP
June 16th, 2009, 08:58 PM
BrandiniMP, does this work with servers patched to use SAPP?
yes the SAPP patcher works with it.
Con
June 16th, 2009, 09:19 PM
Awesome Brandini, thanks for the fix.
Cortexian
June 16th, 2009, 11:43 PM
Can someone release a fixed exe that works with the Devicator/Rec0's please? Thanks.
.
supersniper
June 17th, 2009, 12:08 AM
Doesn't devicator check if a player joining has a valid cd hash and kick them if it doesn't?
I believe this patch removes that check, so if you were to update it wouldn't it clash and cause problems?
Cortexian
June 17th, 2009, 01:49 AM
Doesn't devicator check if a player joining has a valid cd hash and kick them if it doesn't?
I believe this patch removes that check, so if you were to update it wouldn't it clash and cause problems?
I'm pretty sure Devicator doesn't have any functionality to kick people based on the same CD key hash. That has always been taken care of by haloceded.exe/haloded.exe I think.
BrandiniMP
June 17th, 2009, 09:12 AM
hey guys, here
http://vivid-abstractions.net/brandinimp/halo_loop_dos.txt
whoever knows what they're doing can patch the devicator with those notes.
please give me a mention though :(
StankBacon
June 17th, 2009, 11:16 AM
.
highly unlikely, as the (very few) people here that can do it, most likely don't give a shit about it.
hell, even one of the guys that can do it messed it up last time.
-edit- this method won't really work that well if there are only one or two slots open on the server... you also tested it on your local dedi... did you confirm this works on remote servers?
BrandiniMP
June 17th, 2009, 12:04 PM
Stank do you think I'm stupid?
Of course I tested the exploit on remote servers && the fix on remote servers too.
and the method works on just 1 open slot, (maybe even full, I haven't tried it on a full server)
Cortexian
June 17th, 2009, 05:37 PM
hey guys, here
http://vivid-abstractions.net/brandinimp/halo_loop_dos.txt
whoever knows what they're doing can patch the devicator with those notes.
please give me a mention though :(
Here (http://freelancer.scifi-frontier.com/downloads/devicator_executable/haloceded.exe) is the Devicator executable, it's a modified version of the Halo CE 1.08 executable so it shouldn't be that hard to patch. If I knew anything about Assembly I'd gladly do it myself.
BrandiniMP
June 17th, 2009, 06:11 PM
I'll post back with a patched version in a bit :)
StankBacon
June 17th, 2009, 07:22 PM
Here (http://freelancer.scifi-frontier.com/downloads/devicator_executable/haloceded.exe) is the Devicator executable, it's a modified version of the Halo CE 1.08 executable so it shouldn't be that hard to patch. If I knew anything about Assembly I'd gladly do it myself.
don't know why you'd give him the fucked up 1.08 version....
BrandiniMP
June 17th, 2009, 08:35 PM
don't know why you'd give him the fucked up 1.08 version....
what's up with it?
I haven't actually done it yet, I did but then haloloop lagged out my pc (170 copies >.<) and I hard rebooted and lost the patched version.
So what's up with it?
Cortexian
June 17th, 2009, 09:32 PM
Bacon is referring to the fact that "sv_say" is borked in that version I believe. That's why we need to use SAPP's "say" command with Rec0's app instead.
BrandiniMP
June 17th, 2009, 10:56 PM
is the sv_say problem that is exceptions the server? because if it is, i fixed it in about 3 seconds...
EDIT:
Okay, I patched the devicator, fixed sv_say and I added a devmode toggle because I noticed that the devmode tab commandlist was there but you couldn't actually use devmode, so to toggle on and off devmode just type devmode
I'm too tired to do the command any other way to the toggle, so ya, anyways, here ya go:
http://vivid-abstractions.net/brandinimp/haloceded_108_devicator.zip
EDIT Again:
Patrickssj6, eat your heart out <3
Cortexian
June 18th, 2009, 02:56 AM
Tryin' this.
Edit: Worked on my local machine, "sv_say" commands didn't crash the server at all and all my admin commands worked as well, did you have to ruin the console window by adding all the extra advertising? lol
I hate HEX editing all that stuff out to make it simplistic again.
Edit Edit: The Devicator no longer needs SAPP, and it's patched against this new exploit! For more information and a download link, see this post (http://www.modacity.net/forums/showthread.php?p=415710#post415710)!
BrandiniMP
June 18th, 2009, 09:33 AM
oh come on, leave the BrandiniMP bit in, I'm sick of "BrandiniMP who?" from... everyone.
after all I did do the patch at like 6am.
Cortexian
June 18th, 2009, 09:44 AM
oh come on, leave the BrandiniMP bit in, I'm sick of "BrandiniMP who?" from... everyone.
after all I did do the patch at like 6am.
I added you into the credits in the "readme.htm", with a fairly detailed note on all of what you did.
BrandiniMP
June 18th, 2009, 09:45 AM
is Pat's name still in the sv_status?
Cortexian
June 18th, 2009, 11:23 AM
is Pat's name still in the sv_status?
The console is stock in the version I released, so I don't think it is. He's also in the readme credits.