I saw that some people needed some help with a Halo 2 Ranking system, so I messaged supersniper about it and he was happy to let me on board. I got a look at the source and it “worked”, but it was the kind of working that my own code was years ago (very sloppy and rigged code, but it worked). I agreed to help them out and take everything through a complete overhaul. That is what I started to do, without using the previous source code, which allowed me to build my own base and get everything working as smoothly as possible.
Soon this will be enabled throughout many Dedicated Servers everywhere (hopefully). People still have an interest in Halo 2 for PC, and I happen to know a great deal about how the Server works after around 12 hours of reversing. Here is a sneak peek of the upcoming system from the server side.
    h2server$ [Breeze] Breeze Init...
    [Breeze] Searching for XLive Memory Checks...
    [Breeze] XLive Memory Checks Patched!
    [Breeze] Hooks Installed!
    [Breeze] Breeze Enabled!
    [Breeze] Player Quit! 0 3
    [Breeze] Player Quit! 0 4
    [Breeze] Player Quit! 0 5
    [Breeze] Player Quit! 0 6
    [Breeze] Player Quit! 0 7
    [Breeze] Player Joined! 0, 21AFB2C
    [Breeze] Player Quit! 0 2
    [Breeze] Player Quit! 0 1
    [Breeze] Player Quit! 0 3
    [Breeze] Player Quit! 0 4
    [Breeze] Player Quit! 0 5
    [Breeze] Player Quit! 0 6
    [Breeze] Player Quit! 0 7
    [Breeze] Player Joined! 0, 21AFB2C
    [Breeze] Player Quit! 0 9
    [Breeze] Player Quit! 0 2
    [Breeze] Player Quit! 0 1
    [Breeze] Player Quit! 0 3
    [Breeze] Player Quit! 0 4
    [Breeze] Player Quit! 0 5
    [Breeze] Player Quit! 0 6
    [Breeze] Player Quit! 0 7
    [Breeze] Player Joined! 0, 21AFB2C
    [Breeze] Player Quit! 0 2
    [Breeze] Player Quit! 0 1
    [Breeze] Player Quit! 0 3
    [Breeze] Player Quit! 0 4
    [Breeze] Player Quit! 0 5
    [Breeze] Player Quit! 0 6
    [Breeze] Player Quit! 0 7
    [Breeze] Player Joined! 0, 21AFB2C
I hope to get this project finished in time to show people an early Beta test within a week or so.
-Greetz, fatboy88, supersniper, shock120
Read More for some Reversing Information
    H2_RetnServerMode_1 - 0x8A3A
    H2_ServerInitSettings - 0x8EFA
    H2_ServerPrintStartupInfo - 0x94C7
    H2_SetServerMode - 0x98CD
    H2_GetServerMode - 0x9907
    H2_GetServerName - 0x990D
    H2_SetServerService - 0xB3CF
    H2_ServerInit - 0xC6FF
    H2_SetServerName - 0x196FD3
    H2_PlayerJoin - 0x19D2B6
    H2_PlayerQUit - 0x1B79C6
    H2_GameStatusUpdate - 0x1BCC47
I also found some things called __security_cookies in the Halo 2 Server. I pretty much figured out what they do, and it is easy to just patch out the check. I was crashing a bunch when hooking certain functions inside of the Halo 2 Dedicated Server and could not for the life of me figure out why. Pretty much what happens is that the security cookie magic is XORed with the current stack pointer. The function does all that it needs to do and returns the stack pointer back to where it is supposed to be, then the function XORs the new stack pointer with the security cookie as well and compares whether the old stack pointer = the new stack pointer. If it does, execution continues as normal; if not, the server goes into termination and all this other good crashing jazz. Here is an example.
This is the beginning, and it is what was causing Breeze to crash on setting up the rank system. You will find thousands of references to __security_cookie everywhere, but you only need to patch what you need. I’m guessing it’s more of an integrity thing that is just getting in the way of what I want to do.
    .text:005A42AC sub esp, 18h
    .text:005A42AF mov eax, ___security_cookie
    .text:005A42B4 xor eax, esp
    .text:005A42B6 mov [esp+18h+var_4], eax
The easy way to patch this out is just to falsify the checks at the very end of the function. Or you can run a quick patch that will take out every reference to that code and just replace them with NOPs (I prefer to just falsify the checks).
    .text:005A43EF mov ecx, [esp+24h+StackPointerSecurity] ; Load the "Hashed" Stack pointer
    .text:005A43F3 pop esi
    .text:005A43F4 pop ebp
    .text:005A43F5 mov al, bl
    .text:005A43F7 pop ebx
    .text:005A43F8 xor ecx, esp ; Xor the Hashed Stack Pointer with the current stack pointer
    .text:005A43FA call H2_CheckSecurityCookie_00 ; This function checks to see if the return value is the security cookie
    .text:005A43FF add esp, 18h
    .text:005A4402 retn 8
And the function H2_CheckSecurityCookie_00, as I have labeled it:
    .text:00633F7A H2_CheckSecurityCookie_00 proc near ; CODE XREF: .text:004012B2p
    .text:00633F7A ; .text:004012CAp ...
    .text:00633F7A cmp ecx, ___security_cookie ; compare to original __security_cookie
    .text:00633F80 jnz short loc_633F84
    .text:00633F82 rep retn ; return normally to the function and continue execution as normal
    .text:00633F84 ; ---------------------------------------------------------------------------
    .text:00633F84
    .text:00633F84 loc_633F84: ; CODE XREF: H2_CheckSecurityCookie_00+6j
    .text:00633F84 jmp H2_KillServerBadSecurityCookie_00 ; BAD DONT GO HERE
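The prologue and epilogue in the listings above follow the pattern that MSVC's /GS stack-buffer-overrun protection emits. As an added illustration (not code from the original post or from Breeze), this C model replays that sequence on a simulated stack to show which detours trip the check and what the check detects when it is left in place; the cookie value, the addresses and the hook kinds are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* COOKIE, BASE and the hook kinds are constructed for this example. */
#define COOKIE 0xBB40E64Eu
#define BASE   0x0012F000u   /* pretend address of mem[0] */
#define WORDS  64

enum hook { HOOK_NONE, HOOK_BALANCED, HOOK_LEAKS_DWORD, HOOK_OVERRUNS_LOCALS };

static uint32_t mem[WORDS], esp;

static uint32_t *at(uint32_t addr) { return &mem[(addr - BASE) / 4]; }
static void push(uint32_t v)       { esp -= 4; *at(esp) = v; }
static uint32_t pop(void)          { uint32_t v = *at(esp); esp += 4; return v; }

/* Returns 1 if the epilogue check passes, 0 if the jnz to the kill routine is taken. */
int run_guarded_function(enum hook h)
{
    uint32_t ecx, i;

    for (i = 0; i < WORDS; i++) mem[i] = 0;
    esp = BASE + WORDS * 4;
    push(0x00401000u);               /* caller's return address (constructed) */
    esp -= 0x18;                     /* sub esp, 18h */
    *at(esp + 0x14) = COOKIE ^ esp;  /* xor eax, esp ; mov [esp+18h+var_4], eax */
    push(1); push(2); push(3);       /* saved ebx, ebp, esi */

    switch (h) {                     /* function body with an optional detour */
    case HOOK_BALANCED:    push(0xAA); pop(); break;  /* cleans up after itself */
    case HOOK_LEAKS_DWORD: push(0xAA); break;         /* leaves ESP 4 bytes low */
    case HOOK_OVERRUNS_LOCALS:                        /* 6 dwords into 5 dwords of locals */
        for (i = 0; i < 6; i++) *at(esp + 12 + 4 * i) = 0x41414141u;
        break;
    default: break;
    }

    ecx = *at(esp + 0x20);           /* mov ecx, [esp+24h+StackPointerSecurity] */
    pop(); pop(); pop();             /* pop esi ; pop ebp ; pop ebx */
    ecx ^= esp;                      /* xor ecx, esp */
    return ecx == COOKIE;            /* cmp ecx, ___security_cookie */
}

int main(void)
{
    static const char *name[] = { "none", "balanced", "leaks dword", "overruns locals" };
    for (int h = HOOK_NONE; h <= HOOK_OVERRUNS_LOCALS; h++)
        printf("%-16s -> %s\n", name[h], run_guarded_function((enum hook)h) ? "ok" : "terminate");
    return 0;
}
```

Only the unhooked and the balanced case pass: a detour that restores ESP and leaves the frame untouched does not disturb the check, while a stray dword on the stack or a write past the locals both end in the termination path.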
I hope this research will help people along with reversing the Halo 2 Dedicated Server. If so great, if not your loss. Have fun spending hours figuring out why your hooks are crashing.
Nice finds!
I love it when you show and explain these things 🙂