I saw that some people needed some help with a Halo 2 Ranking system, so I messaged supersniper about it and he was happy to let me on board. I got a look at the source and it “worked”, but it was the style of working that was me years ago (very sloppy and rigged code, but it worked). I agreed to help them out and take everything through a complete overhaul. That is what I started to do, with no use of the previous source code, which allowed me to build my own base and get everything working as smoothly as possible.

Soon this will be enabled throughout many Dedicated Servers everywhere (hopefully). People still have an interest in Halo 2 for PC, and I happen to know a great deal about how the Server works after around 12 hours of reversing. Here is a sneak peek of the upcoming system from the server side.

h2server$
[Breeze] Breeze Init...
[Breeze] Searching for XLive Memory Checks...
[Breeze] XLive Memory Checks Patched!
[Breeze] Hooks Installed!
[Breeze] Breeze Enabled!
[Breeze] Player Quit! 0 3
[Breeze] Player Quit! 0 4
[Breeze] Player Quit! 0 5
[Breeze] Player Quit! 0 6
[Breeze] Player Quit! 0 7
[Breeze] Player Joined! 0, 21AFB2C
[Breeze] Player Quit! 0 2
[Breeze] Player Quit! 0 1
[Breeze] Player Quit! 0 3
[Breeze] Player Quit! 0 4
[Breeze] Player Quit! 0 5
[Breeze] Player Quit! 0 6
[Breeze] Player Quit! 0 7
[Breeze] Player Joined! 0, 21AFB2C
[Breeze] Player Quit! 0 9
[Breeze] Player Quit! 0 2
[Breeze] Player Quit! 0 1
[Breeze] Player Quit! 0 3
[Breeze] Player Quit! 0 4
[Breeze] Player Quit! 0 5
[Breeze] Player Quit! 0 6
[Breeze] Player Quit! 0 7
[Breeze] Player Joined! 0, 21AFB2C
[Breeze] Player Quit! 0 2
[Breeze] Player Quit! 0 1
[Breeze] Player Quit! 0 3
[Breeze] Player Quit! 0 4
[Breeze] Player Quit! 0 5
[Breeze] Player Quit! 0 6
[Breeze] Player Quit! 0 7
[Breeze] Player Joined! 0, 21AFB2C

I hope to get this project finished in time to show people an early beta test within a week or so.
-Greetz, fatboy88, supersniper, shock120

Read More for some Reversing Information

H2_RetnServerMode_1        -    0x8A3A
H2_ServerInitSettings        -    0x8EFA
H2_ServerPrintStartupInfo    -    0x94C7
H2_SetServerMode        -    0x98CD
H2_GetServerMode        -    0x9907
H2_GetServerName        -    0x990D
H2_SetServerService        -    0xB3CF
H2_ServerInit            -    0xC6FF
H2_SetServerName        -    0x196FD3
H2_PlayerJoin            -    0x19D2B6
H2_PlayerQUit            -    0x1B79C6
H2_GameStatusUpdate        -    0x1BCC47

I also found some things called __security_cookies in the Halo 2 Server. I pretty much figured out what they do, and it is easy to just patch out the check. I was crashing a bunch when hooking certain functions inside of the Halo 2 Dedicated Server and could not for the life of me figure out why. Pretty much what happens is that, at the start of a function, the security cookie magic is xored with the current stack pointer and the result is saved in a local on the stack. The function does all that it needs to do and returns the stack pointer back to where it is supposed to be. Then the function xors the saved value with the new stack pointer and compares the result against the security cookie, which only matches if the old stack pointer = the new stack pointer and the saved value was not overwritten. If it matches, execution continues as normal; if not, the server goes into termination and all this other good crashing jazz. Here is an example.

This is the beginning and what was causing Breeze to crash on setting up the rank system. You will find thousands of references to __security_cookie everywhere, but you only need to patch what you need. I’m guessing it’s more of an integrity thing that is just getting in the way of what I want to do.

.text:005A42AC                 sub     esp, 18h
.text:005A42AF                 mov     eax, ___security_cookie
.text:005A42B4                 xor     eax, esp
.text:005A42B6                 mov     [esp+18h+var_4], eax

The easy way to patch this out is just to falsify the checks at the very end of the function. Or you can run a quick patch that will take out every reference to that code and just replace them with NOPs (I prefer to just falsify the checks).

.text:005A43EF                 mov     ecx, [esp+24h+StackPointerSecurity] ; Load the "Hashed" Stack pointer
.text:005A43F3                 pop     esi
.text:005A43F4                 pop     ebp
.text:005A43F5                 mov     al, bl
.text:005A43F7                 pop     ebx
.text:005A43F8                 xor     ecx, esp ; Xor the Hashed Stack Pointer with the current stack pointer
.text:005A43FA                 call    H2_CheckSecurityCookie_00 ; This function checks to see if the return value is the security cookie
.text:005A43FF                 add     esp, 18h
.text:005A4402                 retn    8

And the function of H2_CheckSecurityCookie_00 as I have labeled it

.text:00633F7A H2_CheckSecurityCookie_00 proc near     ; CODE XREF: .text:004012B2p
.text:00633F7A                                         ; .text:004012CAp ...
.text:00633F7A                 cmp     ecx, ___security_cookie ; compare to original __security_cookie
.text:00633F80                 jnz     short loc_633F84
.text:00633F82                 rep retn ; return normally to the function and continue execution as normal
.text:00633F84 ; ---------------------------------------------------------------------------
.text:00633F84
.text:00633F84 loc_633F84:                             ; CODE XREF: H2_CheckSecurityCookie_00+6j
.text:00633F84                 jmp     H2_KillServerBadSecurityCookie_00 ; BAD DONT GO HERE
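
The prologue and epilogue from the listings above, modeled in portable C as an added example (not code from Breeze or the Halo 2 server). The cookie value, stack pointer value and frame layout are constructed; it shows the check passing on a clean call and failing both when a local buffer overflows into the cookie slot and when the stack pointer at the epilogue differs from the one at the prologue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ___security_cookie (not a value from the server). */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Simulated stack frame: a local buffer with the cookie slot (var_4) above it. */
struct frame {
    char     buf[16];
    uint32_t cookie_slot;
};

/* Prologue: mov eax, cookie / xor eax, esp / mov [esp+18h+var_4], eax */
static void prologue(struct frame *f, uint32_t esp) {
    memset(f->buf, 0, sizeof f->buf);
    f->cookie_slot = security_cookie ^ esp;
}

/* Epilogue: mov ecx, [slot] / xor ecx, esp / cmp ecx, cookie. 1 = check passes. */
static int epilogue_ok(const struct frame *f, uint32_t esp) {
    return (f->cookie_slot ^ esp) == security_cookie;
}

enum { CASE_CLEAN, CASE_OVERFLOW, CASE_ESP_SHIFT };

/* Runs one simulated call and reports whether the cookie check would pass. */
int run_case(int kind) {
    struct frame f;
    uint32_t esp = 0x0012FF58u;            /* constructed stack pointer value */
    prologue(&f, esp);
    if (kind == CASE_OVERFLOW) {
        /* 20 bytes copied into a 16-byte local: the last 4 land on the slot. */
        char input[20];
        memset(input, 'A', sizeof input);
        memcpy(&f, input, sizeof input);
    }
    if (kind == CASE_ESP_SHIFT)
        esp -= 4;                          /* e.g. a hook that left a dword pushed */
    return epilogue_ok(&f, esp);
}

int main(void) {
    printf("clean=%d overflow=%d esp_shift=%d\n", run_case(CASE_CLEAN),
           run_case(CASE_OVERFLOW), run_case(CASE_ESP_SHIFT));
    return 0;
}
```

___security_cookie and the call to the check routine are what MSVC emits under /GS for stack buffer-overrun detection, so a function whose check has been falsified no longer catches the overflow case.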

I hope this research will help people along with reversing the Halo 2 Dedicated Server. If so, great; if not, your loss. Have fun spending hours figuring out why your hooks are crashing.

2 comments on “Breeze – Halo 2 Rank System”

  • Ryx

    Nice finds!

  • Shock120

    I love it when you show and explain these things 🙂
