Saturday 3 November 2012

Bypass Slot Reservation In Counter Strike 1.6

So you are crazy about CS but your local servers are always packed and can not enter the servers due to slot reservations for admins? Don't worry, this guide will provide an insight and step by step details on how to bypass slot reservation in Amx Mod X powered servers. I checked the source code of slot reservation plugin (adminslots.sma) from AMXMODX source and found out that the admin slot plugin was executing a brute-force vulnerable randomized command at the client end. See the line of code below:

format(g_cmdLoopback, 15, "amxres%c%c%c%c", random_num('A', 'Z'), random_num('A', 'Z'), random_num('A', 'Z'), random_num('A', 'Z'))


The bruteforce space is quite small, 4 uppercase characters from A-Z i.e. 26 * 26 * 26 * 26 combination is the maximum amount of search required to find the random part of the command. Hence, the command executed at client end is amxresXXXX where {X: X belongs to [A-Z]}. If there are still slots available for normal players or if the connecting user has slot reservation privilege, he will be able to connect to the server otherwise the server will kick the user. We are not going to bruteforce but we are going to use a memory viewer and editor software that is capable of reading the contents in the memory (RAM).



Basically, we hook into the Counter Strike client process from one of the freely available memory editors. We then connect to the server and get dropped due to the slot reservation message. In the meantime, the server sends the partial-random command.. FYI, these memory viewers make use of kernel APIs such as ReadProcessMemory() to read the memory layout of any process. We search for the initial part of the string which is amxres.

Once we find the unique string sent by server to our client, we use the alias command with amxresXXXX as our alias. For your info, alias provides a mechanism to group different commands to achieve something more useful.

The syntax of alias is: alias "alias_name" "cmd1; cmd2; ...; cmdn" And here we've just created an alias "amxresXXXX" which does nothing since the commands list is missing there.

The tool I've used here is ArtMoney available for download at http://www.artmoney.ru/e_download_se.htm In case, the site goes down, you can get it from here: http://www.4shared.com/file/wm7V4pgv/artmoney740eng.html

Several similar tools exist & are available for free. Some of them are CheatEngine (http://cheatengine.org/downloads.php) and Poke (http://codefromthe70s.org/poke.aspx)

Check the video below for more information: