Patch major security vulnerability in saves

maximegmd · Jan 30, 2021 · 47a6c55 · 47a6c55
1 parent 44bb8de
commit 47a6c55
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/src/dllmain.cpp b/src/dllmain.cpp
@@ -17,6 +17,7 @@ void OptionsInitHook(const Image* apImage);
 void DisableIntroMoviesPatch(const Image* apImage);
 void DisableVignettePatch(const Image* apImage);
 void DisableBoundaryTeleportPatch(const Image* apImage);
+void SaveVulnerabilityPatch(const Image* apImage);
 
 static HANDLE s_modInstanceMutex = nullptr;
 
@@ -37,6 +38,8 @@ static void Initialize()
         if (s_modInstanceMutex == nullptr)
             return;
 
+        SaveVulnerabilityPatch(&options.GameImage);
+
         // initialize patches
         if (options.PatchEnableDebug)
             EnableDebugPatch(&options.GameImage);

diff --git a/src/patches/SaveVulnerability.cpp b/src/patches/SaveVulnerability.cpp
@@ -0,0 +1,23 @@
+#include <stdafx.h>
+
+#include "Image.h"
+
+void SaveVulnerabilityPatch(const Image* apImage)
+{
+    const mem::pattern cPattern("B8 FF 01 00 00 48 8B F7 48 3B F8 48 8B D3 49 8B");
+    const mem::default_scanner cScanner(cPattern);
+    auto pLocation = cScanner(apImage->TextRegion).as<uint8_t*>();
+
+    if(pLocation == nullptr)
+    {
+        spdlog::warn("Save vulnerability patch: failed, could not be found");
+        return;
+    }
+
+    DWORD oldProtect = 0;
+    VirtualProtect(pLocation, 32, PAGE_EXECUTE_WRITECOPY, &oldProtect);
+    pLocation[2] = 0;
+    VirtualProtect(pLocation, 32, oldProtect, nullptr);
+
+    spdlog::info("Save vulnerability patch: success");
+}