Unreal Tournament

Creating pictures for all maps

Pack of many pictures for some maps (323 maps) and lower case named version.

Script for extracting pictures from your's maps and extract pictures from map to lower case named files. U need place this file on the root folder of your's ut server and run it. This works only for windows 2000 and high. Linux not supported. But this is very simple and u may be create some scripts for others OS.
After running script opens folders, placed in root your's ut server and named "img". This folders contains many bmp files for maps, if u need - convert to other grafics format any graphics converts such as ACDSEE.
For extracting picture used ut engine, and if on maps don't present some packages, then picture don't been extracted.

Sample using:

G:\UT   <------ Please place this file extractimg.bat from archive and run it
├───Cache
├───Eal
├───Help
├───Logs
├───Manual
├───Maps
├───Music
├───NetGamesUSA
├───Sounds
├───System
│   ├───editorres
│   └───moviedemomanager-v1.0
├───Textures
└───Web
    ├───images
    └───plaintext

Wait until window with script displayed (this is some minutes) On the end, script try to open folder with pictures:

G:\UT
├───Cache
├───Eal
├───Help
├───img           <------- Pictures placed here
├───Logs
├───Manual
├───Maps
├───Music
├───NetGamesUSA
├───Sounds
├───System
│   ├───editorres
│   └───moviedemomanager-v1.0
├───Textures
└───Web
    ├───images
    └───plaintext

Note: if exist folder temp_img on the root ut server, then will be deleted. this is folder for temporary storage for extracting from map.

Patch exploit in 'secure' query

Info about us:

#######################################################################

                              Luigi Auriemma

Application:  Unreal Engine
               http://unreal.epicgames.com
Vulnerable games:
               - DeusEx                   <= 1.112fm
               - Devastation              <= 390
               - Mobile Forces            <= 20000
               - Nerf Arena Blast         <= 1.2
               - Postal 2                 <= 1337
               - Rune                     <= 107
               - Tactical Ops             <= 3.4.0
               - TNN Pro Hunter (?)
               - Unreal 1                 <= 226f
               - Unreal II XMP            <= 7710
               - Unreal Tournament        <= 451b
               - Unreal Tournament 2003   <= 2225
               - Unreal Tournament 2004   <  3236
               - Wheel of Time            <= 333b
               - X-com Enforcer
NOT vulnerables:
               - America's Army
               - Dead man's hand
               - Magic Battlegrounds
               - Rainbow Six: Raven Shield
               - Splinter Cell: Pandora tomorrow
               - Star Trek: Klingon Honor Guard
               - Unreal Tournament 2004   >= 3236
               - XIII
Platforms:    Windows, Linux and MacOS
Bug:          memory overwriting with possible code execution
Risk:         critical
Exploitation: remote, versus servers
Date:         18 June 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the famous game engine developed by EpicGames and
currently is the most used in the videogames world.
Who doesn't know the great Unreal series???


#######################################################################

======
2) Bug
======


Almost all the games based on the Unreal engine support the "secure"
query.
This type of query is part of the so called Gamespy query protocol and
is used to know if the game server is able to calculate an exact
response using a provided string:
   http://unreal.epicgames.com/IpServer.htm
   http://aluigi.altervista.org/papers/gsmsalg.h

The query is a simple UDP packet like \secure\ABCDEF
If an attacker uses a long value in his secure query, in the Unreal
based game server will be overwritten some important memory zones.

Both remote code execution and spoofing are possibles.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/unsecure.zip

or send a similar UDP packet to the query port of the game server:

\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaa


#######################################################################

======
4) Fix
======


The bug has been noticed to EpicGames over 3 weeks ago.
Currently only UnrealTournament 2004 has been fixed with the recent
3236 patch.
Check the homepages of the other vulnerable games for possible future
fixes.

However fixing the problem should be enough simple, at least for who
has experience with the UnrealScript language.
In fact the instructions that manage the \secure\ query and pass its
value to the bugged function are written in UnrealScript code and are
located in the files IpDrv.u or IpServerver.u (they depend by the used
engine version).


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org

Fix for Unreal Tournament

UnrealEd:
Actor Browser - Actor - Info - InternetInfo - InternetLink - UdpLink - UdpServerQuery
Find code:

function string ParseQuery( IpAddr Addr, coerce string Query, int QueryNum, out int PacketNum )
{
	local string QueryType, QueryValue, QueryRest, ValidationString;
	local bool Result;
	local int bFinalPacket;

Inset AFTER new line, and paste code:

	local int max_len;

Find code:

	else if( QueryType=="secure" )
	{	
		ValidationString = "\\validate\\"$Validate(QueryValue, GameName);
		Result = SendQueryPacket(Addr, ValidationString, QueryNum, PacketNum, bFinalPacket);
	}

And REPLACE by this code:

	else if( QueryType=="secure" )
	{	
		max_len = 64;	
		if(Len(QueryValue) > max_len) {
			Log(IpAddrToString(Addr)$": Exploit in secure query detected!");
		}
		ValidationString = "\\validate\\"$Validate(Left(QueryValue, max_len), GameName);
		Result = SendQueryPacket(Addr, ValidationString, QueryNum, PacketNum, bFinalPacket);
	}

Menu Tools - Compile changed scripts
Actor Browser - Menu View - Show Packages
Place checkbox on IpServer
Menu File - Save Selected Packages
After compilition move IpServer.u from folder System to your server and replace old file.

Master server for Unreal Tournament

If you have errors with standards master servers ("Master Server Failed: Connecting to the master server timed out: master0.gamespy.com") you can use my master server. This is simple utilite which parse site GameTracker and load this data into your UT client directly as master server. Data updated hourly. For use you need performing some changes in your UnrealTournament.ini:

  1. Set bKeepMasterServer=True in section UBrowser.UBrowserMainClientWindow. This required for save your custom master servers.
  2. Chage value ListFactories[0] to "UBrowser.UBrowserGSpyFact,MasterServerAddress=inethub.olvi.net.ua,MasterServerTCPPort=28900,Region=0,GameName=ut" in section UBrowserAll.
Example:
[UBrowser.UBrowserMainClientWindow]
[...]
bKeepMasterServer=True

[UBrowserAll]
ListFactories[0]=UBrowser.UBrowserGSpyFact,MasterServerAddress=inethub.olvi.net.ua,MasterServerTCPPort=28900,Region=0,GameName=ut
[...]

If you want use my server as backup for gamespy servers you need place last string in last free slot in ListFactories. Or vice versa, place in 0 slot my server and in other - default master servers. This better solution: if my server is down you use default servers.