1g0rS1lv4

GameServer crashing...


After a while with the server online, I'm encountering the following error:

 


There is no error and no logs of any kind in the gate, group and account server.


And if you report here how they hack, we can fix it and release a public fix for any hack. Thanks.

Use the 1.38 files for the debug database, and use procdump to dump memory before the crash so we can analyze it.



Ok, this is an overflow in SystemNotice.
We found this exploit long ago, but never published it or told anyone. Thanks for the report. Will publish a fix soon.


I think I have a solution.

 

How I tested it: I called the function from Lua scripts:

SystemNotice(role, "Toooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo LoooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooongStriiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiing!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")

 

 

Patch for GameServer 1.38.

 

Address 0x000CA2C0. Replace bytes:

55 8B EC 6A FF 68 A6 67 5A 00

To:

E9 6B 86 0E 00 C3 90 90 90 90

 

Address 0x001B2930. Replace bytes:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00

To:

55 8B EC 6A FF 68 A6 67 5A 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 81 EC 88 01 00 00 53
56 57 89 65 F0 C7 45 FC 00 00 00 00 8D 45 10 89 85 F0 FE FF FF 8B 85 F0 FE FF FF 50 8B 4D 0C 51
68 F9 00 00 00 8D 95 F4 FE FF FF 8D 95 F4 FE FF FF 52 E8 8A FE FB FF 83 C4 10 C7 85 F0 FE FF FF
00 00 00 00 8D 85 B8 FE FF FF 50 8B 0D 4C 98 77 00 E8 3A 73 F7 FF C6 45 FC 01 68 05 02 00 00 8D
8D B8 FE FF FF E8 86 10 F7 FF 8D 85 F4 FE FF FF 50 E8 0A B8 FB FF 83 C4 04 0F B7 C8 83 C1 01 51
8D 95 F4 FE FF FF 52 8D 8D B8 FE FF FF E8 5E 23 F7 FF 83 EC 38 8B CC 89 A5 70 FE FF FF 8D 85 B8
FE FF FF 50 E8 D7 B1 E6 FF 89 85 6C FE FF FF 8B 8D 6C FE FF FF 89 8D 68 FE FF FF C6 45 FC 02 8B
55 08 52 8B 45 08 8B 10 C6 45 FC 01 8B 4D 08 FF 52 30 C6 45 FC 00 8D 8D B8 FE FF FF E8 2F B2 E6
FF EB 28 E8 08 E9 E4 FF 50 6A 00 8B 8D B4 FE FF FF E8 DA E8 E4 FF 8B 40 04 50 E8 C1 9E F8 FF 83
C4 0C 6A 00 6A 00 E8 56 B3 FB FF C7 45 FC FF FF FF FF 8B 4D F4 64 89 0D 00 00 00 00 5F 5E 5B 8B
E5 5D C3

 

The following functions also need to be fixed:

CCharacter::BickerNotice
CCharacter::PopupNotice
CPlayer::SystemNotice

 

Just now, gmedannik said:

 

@wizel1

Good work @V3ct0r.
I will only add that this is just a 250 character limit; if you are not going to send notifications of more than 250 characters, you do not need it (this is not an error).

 

What do you mean by notification? Local chat, or ...?

Just now, wizel1 said:

what such u mean of notification? local chat or ?

	-- length check for player chat, placed inside the handlechat handler
	if string.len(message) > 100 then
		BickerNotice(role, "<Local Chat> Message too long!")
		return 0
	end

Use this in your handlechat.

Just now, mkhzaleh said:

	-- length check for player chat, placed inside the handlechat handler
	if string.len(message) > 100 then
		BickerNotice(role, "<Local Chat> Message too long!")
		return 0
	end

Use this in your handlechat.

What is this for?

If a player's message has too many characters, then BickerNotice "Message too long"?

= denying the request?


For SystemNotice / BickerNotice, players don't have access to it.

Quote

What is this for?

If a player's message has too many characters, then BickerNotice "Message too long"?

= denying the request?

This limits the local chat length to 100 letters only.

9 minutes ago, mkhzaleh said:

For SystemNotice / BickerNotice, players don't have access to it.

This limits the local chat length to 100 letters only.

The threshold is 200? For breaking the gameserver?

 

11 minutes ago, gmedannik said:

 


function BickerNoticeNotCrashed(role, message)
	-- only forward messages that fit the 250-character limit
	if (string.len(message) <= 250) then
		BickerNotice(role, message)
	end
end

Where do I put this?

3 minutes ago, gmedannik said:

I updated the function; put it at the top of skilleffect.lua and replace all BickerNotice function calls with BickerNoticeNotCrashed.

Do I need to change to BickerNoticeNotCrashed?

    BickerNotice(role,"potion is on cooldown wait!!! "..cooldown.." second(s) to use again!!!")

 

vs

 

    BickerNoticeNotCrashed(role,"potion is on cooldown wait!!! "..cooldown.." second(s) to use again!!!")


I still don't think players can crash it from this overflow, but whatever.
This is for PopupNotice:

PopupNotice = PopupNotice or function(role, text)
	------------
	-- reject over-long text before the packet is built
	if string.len(text) > 150 then
		BickerNotice(role, "<PopupNotice> Message too long!")
		return 0
	end
	-------------
	local packet = GetPacket()
	WriteCmd(packet, 503)
	WriteString(packet, text)
	SendPacket(role, packet)
end

 

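The snippets posted above (the handlechat length check, BickerNoticeNotCrashed and the PopupNotice override) each guard one function by hand. The following is an added example, not code posted in this thread or shipped with the server: one wrapper that applies the same 250-byte limit quoted in the thread to all three notice functions, plus a separate reject-style check for player chat. It assumes the GameServer exposes the global Lua functions SystemNotice(role, text), BickerNotice(role, text) and PopupNotice(role, text) named in the posts; GuardNotice, CheckLocalChat, NOTICE_GUARD_INSTALLED and the stand-in recorder are names chosen here, and the role handle in the self-check is a constructed placeholder. The binary patch in the earlier post is the actual fix for the native buffer; this script-side guard only catches messages that are built in Lua, which, as KONG notes below, is not where a player-controlled packet would arrive.

```lua
-- Added example, not posted in this thread. Assumes the GameServer exposes the
-- global Lua functions SystemNotice(role, text), BickerNotice(role, text) and
-- PopupNotice(role, text) named in the posts; GuardNotice, CheckLocalChat and
-- NOTICE_GUARD_INSTALLED are names chosen here.
local NOTICE_LIMIT = 250      -- limit quoted in the thread for the notice functions
local LOCAL_CHAT_LIMIT = 100  -- limit used in the handlechat snippet above

-- Constructed stand-ins so this file also runs in plain Lua outside the server:
-- they only record what would have been sent.
local sent = {}
local using_stand_ins = (SystemNotice == nil)
local function stand_in(name)
  return function(role, text)
    sent[#sent + 1] = { fn = name, role = role, text = text }
  end
end
SystemNotice = SystemNotice or stand_in("SystemNotice")
BickerNotice = BickerNotice or stand_in("BickerNotice")
PopupNotice  = PopupNotice  or stand_in("PopupNotice")

-- Wrap a notice function so nothing longer than `limit` BYTES reaches the
-- native code. `#text` counts bytes, not characters, which is what a fixed
-- size buffer on the C++ side cares about (multi-byte names count extra).
-- Server-generated text is truncated with a marker and the event is logged,
-- so a script bug shows up in the log instead of as a crash.
local function GuardNotice(name, fn, limit)
  return function(role, text)
    text = tostring(text or "")
    if #text > limit then
      print(string.format("[notice-guard] %s: %d bytes exceeds %d, truncating",
                          name, #text, limit))
      text = text:sub(1, limit - 3) .. "..."
    end
    return fn(role, text)
  end
end

-- Install once, even if this file is loaded again, so the originals are kept.
if not NOTICE_GUARD_INSTALLED then
  NOTICE_GUARD_INSTALLED = true
  SystemNotice = GuardNotice("SystemNotice", SystemNotice, NOTICE_LIMIT)
  BickerNotice = GuardNotice("BickerNotice", BickerNotice, NOTICE_LIMIT)
  PopupNotice  = GuardNotice("PopupNotice",  PopupNotice,  NOTICE_LIMIT)
end

-- Player-controlled input is different: reject it rather than truncate, as the
-- handlechat check in the thread does, and tell the caller to drop the request.
function CheckLocalChat(role, message)
  if #message > LOCAL_CHAT_LIMIT then
    BickerNotice(role, "<Local Chat> Message too long!")
    return false
  end
  return true
end

-- Self-check, run only with the stand-ins (never against live players).
if using_stand_ins then
  local role = "constructed-role-handle"
  SystemNotice(role, string.rep("A", 600))        -- would overflow unguarded
  assert(#sent == 1 and #sent[1].text == NOTICE_LIMIT)
  assert(CheckLocalChat(role, string.rep("x", LOCAL_CHAT_LIMIT + 1)) == false)
  assert(sent[2].fn == "BickerNotice")
  assert(CheckLocalChat(role, "hello") == true and #sent == 2)
  print("notice guard self-check passed")
end
```

Loaded once at the top of the script that the other notice calls depend on (the thread suggests skilleffect.lua), the wrapper means no call site has to be renamed. Truncating server-built text rather than dropping it is a design choice made here: the player still sees the cooldown or error message, and the log line points at the script that produced the oversized string; input that comes from players is rejected outright, as in the handlechat snippet.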

@mkhzaleh that won't work.

As far as I can tell, a few years ago Billy and I were searching for ways to overflow the gameserver using packets that handle strings.

We found out that adding a player to the friend list using a long string crashed the gameserver. Most of these would not even reach the Lua controls.

Now, I don't know why people are hacking so many servers and asking for money for a fix. If I, Vector, Klab and the rest were to pull this BS on you all, we'd be millionaires. So cut the crap or I will pull out the demons.

3 hours ago, KONG said:

@mkhzaleh that won't work.

As far as I can tell, a few years ago Billy and I were searching for ways to overflow the gameserver using packets that handle strings.

We found out that adding a player to the friend list using a long string crashed the gameserver. Most of these would not even reach the Lua controls.

Now, I don't know why people are hacking so many servers and asking for money for a fix. If I, Vector, Klab and the rest were to pull this BS on you all, we'd be millionaires. So cut the crap or I will pull out the demons.

Well, it would not reach the Lua controls, but in the PopupNotice case I guess this will work, since players can't use these packets.
