[Release] FlyFF PC v21.2 Official Source Code

02/22/2020 15:46 miniman06#16
Code:
BOOL CanAdd( DWORD dwGold, int nPlus )
{
	if( nPlus <= 0 )		// nonsense if the value to add is 0 or less
	{
		return FALSE;
	}

	__int64 n64Gold = (__int64)dwGold;

	if( n64Gold < 0 || ( n64Gold + (__int64)nPlus ) < 0 || ( n64Gold + (__int64)nPlus ) > INT_MAX )
	{
		//		FLERROR_LOG( PROGRAM_NAME, _T( "CanAdd Invalid. HaveGold:[%d], AddGold:[%d]" ), dwGold, nPlus );
		return FALSE;
	}

	return TRUE;
}
you can tell that they are scared LOL
02/22/2020 16:33 ZeroTwo02#17
Quote:
Originally Posted by miniman06 View Post
Code:
BOOL CanAdd( DWORD dwGold, int nPlus )
{
	if( nPlus <= 0 )		// nonsense if the value to add is 0 or less
	{
		return FALSE;
	}

	__int64 n64Gold = (__int64)dwGold;

	if( n64Gold < 0 || ( n64Gold + (__int64)nPlus ) < 0 || ( n64Gold + (__int64)nPlus ) > INT_MAX )
	{
		//		FLERROR_LOG( PROGRAM_NAME, _T( "CanAdd Invalid. HaveGold:[%d], AddGold:[%d]" ), dwGold, nPlus );
		return FALSE;
	}

	return TRUE;
}
you can tell that they are scared LOL
Or we can tell you don't understand the point of that.
02/22/2020 16:56 miniman06#18
Quote:
Originally Posted by ZeroTwo02 View Post
Or we can tell you don't understand the point of that.
Isn't it just a fancy anti-int-overflow check? I don't think the 64-bit conversion was necessary, but whatever floats their boat.
02/22/2020 17:01 jooodzszsz#19
Quote:
if( nPlus < 0 || (__int64)dwGold + (__int64)nPlus > INT_MAX)
return false
would be enough sir
02/22/2020 17:20 miniman06#20
Quote:
Originally Posted by jooodzszsz View Post
would be enough sir
Yeah that, but since the server is compiled under 32-bit the performance would be worse than just a straight comparison of both 32-bit values separately. Just nit-picking here lol
02/22/2020 17:34 Keyzen83#21
I removed XTrap as you said, but it changes a lot in the file, since I don't see or find the FLLib library.
02/22/2020 17:38 jooodzszsz#22
Quote:
Originally Posted by miniman06 View Post
Yeah that, but since the server is compiled under 32-bit the performance would be worse than just a straight comparison of both 32-bit values separately. Just nit-picking here lol
Quote:
if( nPlus <= 0 || dwGold >= INT_MAX || (nPlus + dwGold) > INT_MAX)
return FALSE;
return TRUE;
or

Quote:
if(nPlus > 0 && dwGold < INT_MAX){
return (dwGold + nPlus) < INT_MAX;
}
return FALSE;
now it's 1 nanosecond faster per year :jofrly:
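To see what the posted CanAdd guard actually buys, here is an added comparison harness (not code from the FlyFF source or from anyone in this thread): the posted 64-bit check, a 32-bit-only variant in the spirit of the suggestions above, and a naive check that adds first, so the DWORD sum wraps modulo 2^32 at the boundary. The typedefs stand in for the Windows ones.

```cpp
#include <climits>
#include <cstdint>

typedef uint32_t DWORD;   // stand-in for the Windows typedef
typedef int BOOL;
#define TRUE 1
#define FALSE 0

// Posted 64-bit variant, reproduced for comparison.
BOOL CanAdd64(DWORD dwGold, int nPlus)
{
    if (nPlus <= 0)
        return FALSE;
    int64_t n64Gold = (int64_t)dwGold;
    if (n64Gold < 0 || (n64Gold + (int64_t)nPlus) < 0 || (n64Gold + (int64_t)nPlus) > INT_MAX)
        return FALSE;
    return TRUE;
}

// 32-bit-only variant: reject before adding, so the unsigned sum cannot wrap.
BOOL CanAdd32(DWORD dwGold, int nPlus)
{
    if (nPlus <= 0 || dwGold >= (DWORD)INT_MAX)
        return FALSE;
    // both operands are below 2^31 here, so dwGold + nPlus < 2^32: no wrap
    return (dwGold + (DWORD)nPlus) <= (DWORD)INT_MAX ? TRUE : FALSE;
}

// Naive check that adds first: a DWORD near 2^32 wraps to a small value
// and the "overflow" passes the comparison.
BOOL CanAddNaive(DWORD dwGold, int nPlus)
{
    if (nPlus <= 0)
        return FALSE;
    return (dwGold + (DWORD)nPlus) <= (DWORD)INT_MAX ? TRUE : FALSE;
}

// True when the two guarded variants agree on every probed boundary case.
bool GuardsAgree()
{
    const DWORD probes[] = { 0, (DWORD)INT_MAX - 1, (DWORD)INT_MAX, 0x80000000u, 0xFFFFFFF0u, 0xFFFFFFFFu };
    const int adds[] = { -1, 0, 1, 100, INT_MAX };
    for (DWORD g : probes)
        for (int a : adds)
            if (CanAdd64(g, a) != CanAdd32(g, a))
                return false;
    return true;
}
```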
02/22/2020 19:51 ZeroTwo02#23
Btw, if you want to see some "work in progress".
Look into "WndInventoryWear" and this :
02/22/2020 20:13 Mike Oxmaul#24
Quote:
Originally Posted by ZeroTwo02 View Post
Btw, if you want to see some "work in progress".
Look into "WndInventoryWear" and this :
The taskbar has been in the client for years. I don't think it's in progress, just a concept.
02/23/2020 18:16 cookie69#25
At least 4 exploits are still not fixed in this version: you can corrupt the stack with a buffer overflow, set a value outside the array limit and make a huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
02/23/2020 18:31 Mike Oxmaul#26
Quote:
Originally Posted by cookie69 View Post
At least 4 exploits are still not fixed in this version: you can corrupt the stack with a buffer overflow, set a value outside the array limit and make a huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
there are more in dpsrvr
02/23/2020 18:44 Keyzen83#27
_Common\ProjectCmn.cpp
Quote:
if( strlen( szName ) >= 64 )
return TRUE;
WORLDSERVER\ItemUpgrade.cpp
Quote:
if( nPosition < 0 || nPosition >= pItemElemPet->GetPiercingSize() )
return;
_Common\MiniGameBase.h
Quote:
if(nSize > 3)
{
nSize = 3;
}
_Common\MiniGame.cpp

Quote:
int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
{
if( nBetNum < 0 || 5 < nBetNum )
return FIVESYSTEM_FAILED;

if( pUser->m_nBetFiveSystem[nBetNum] == 0 && nBetPenya == 0 )
return TRUE;
// The bet amount cannot be less than 0.
if(nBetPenya < 0)
return FIVESYSTEM_FAILED;

// If outside the range between the minimum and maximum bet ( already checked on the Client.. )
if( ( nBetPenya < m_nBetMinPenya || nBetPenya > m_nBetMaxPenya ) && nBetPenya != 0 )
return FIVESYSTEM_NOTENOUGH;

// Check whether the bet or re-bet amount is insufficient
DWORD nGold = pUser->GetGold() + pUser->m_nBetFiveSystem[nBetNum];
if( (int)( nGold ) < nBetPenya )
return FIVESYSTEM_NOTENOUGH;

LogItemInfo aLogItem;
aLogItem.RecvName = "FIVESYSTEM_USE";
BOOL bAddGold = TRUE;
if( 0 < pUser->m_nBetFiveSystem[nBetNum] - nBetPenya ) // bet less than previously staked, so refund the difference
{
int nTotal = pUser->GetGold() + pUser->m_nBetFiveSystem[nBetNum] - nBetPenya;
if( nTotal < 0 ) // overflow?
{
CItemElem ItemElem;
g_dpDBClient.SendQueryPostMail( pUser->m_idPlayer, 0, ItemElem, pUser->m_nBetFiveSystem[nBetNum] - nBetPenya, (char*)GETTEXT( TID_GAME_SELLING_COST_0 ), (char*)GETTEXT( TID_MMI_FIVESYSTEM ) );
pUser->AddDefinedText( TID_GAME_MINIGAME_PENYA_POST, "" );
aLogItem.RecvName = "FIVESYSTEM_USE_POST";
bAddGold = FALSE;
}
}

if( bAddGold )
pUser->AddGold( pUser->m_nBetFiveSystem[nBetNum] - nBetPenya );

aLogItem.Action = "+";
aLogItem.SendName = pUser->GetName();
aLogItem.WorldId = pUser->GetWorld()->GetID();
aLogItem.Gold = pUser->GetGold() - ( pUser->m_nBetFiveSystem[nBetNum] - nBetPenya );
aLogItem.Gold2 = pUser->GetGold();
//aLogItem.ItemName = "SEED";
_stprintf( aLogItem.szItemName, "%d", II_GOLD_SEED1 );
aLogItem.itemNumber = pUser->m_nBetFiveSystem[nBetNum] - nBetPenya;
g_DPSrvr.OnLogItem( aLogItem );

pUser->m_nBetFiveSystem[nBetNum] = nBetPenya;
pUser->AddFiveSystemResult( FIVESYSTEM_BETOK, nBetPenya, nBetNum );

return TRUE;
}
here is some fix :)
02/23/2020 22:43 jooodzszsz#28
Quote:
Originally Posted by cookie69 View Post
At least 4 exploits are still not fixed in this version: you can corrupt the stack with a buffer overflow, set a value outside the array limit and make a huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
Code:
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
How will you crash here with nPosition? It's impossible? oO

It will be cast to size_t (unsigned) in GetGeneralPiercingItemID() and checked later with "m_vecGeneralPiercing.size() > Nth"

Quote:
Originally Posted by Jupsi332 View Post
there are more in dpsrvr
"There are more bugs in SOURCE but i dont tell them hihihihihi"
02/23/2020 23:10 cookie69#29
Quote:
Originally Posted by jooodzszsz View Post
Code:
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
How will you crash here with nPosition? It's impossible? oO

It will be cast to size_t (unsigned) in GetGeneralPiercingItemID() and checked later with "m_vecGeneralPiercing.size() > Nth"

"There are more bugs in SOURCE but i dont tell them hihihihihi"
It is not a cast; if you pass a negative Nth to FLItemElem::GetGeneralPiercingItemID then Nth will stay negative.
And later in m_kPiercingOption.GetGeneralPiercingItemID the check will be successful as m_vecGeneralPiercing.size() is always bigger than a negative value.
And later you do "return m_vecGeneralPiercing.at( Nth );" which will search a value at a negative index.

This will not at 100% crash the server but can corrupt the stack and maybe crash it later or write random data into its memory.

Code:
DWORD	FLItemElem::GetGeneralPiercingItemID( const size_t Nth ) const
{
	return m_kPiercingOption.GetGeneralPiercingItemID( Nth );
}

const DWORD	FLPiercingOption::GetGeneralPiercingItemID( const size_t Nth ) const
{
	if( m_vecGeneralPiercing.empty() == false && m_vecGeneralPiercing.size() > Nth )
	{
		return m_vecGeneralPiercing.at( Nth );
	}

	return 0;
}
02/23/2020 23:18 jooodzszsz#30
Quote:
Originally Posted by cookie69 View Post
It is not a cast; if you pass a negative Nth to FLItemElem::GetGeneralPiercingItemID then Nth will stay negative.
And later in m_kPiercingOption.GetGeneralPiercingItemID the check will be successful as m_vecGeneralPiercing.size() is always bigger than a negative value.
And later you do "return m_vecGeneralPiercing.at( Nth );" which will search a value at a negative index.

This will not at 100% crash the server but can corrupt the stack and maybe crash it later or write random data into its memory.

Code:
DWORD	FLItemElem::GetGeneralPiercingItemID( const size_t Nth ) const
{
	return m_kPiercingOption.GetGeneralPiercingItemID( Nth );
}

const DWORD	FLPiercingOption::GetGeneralPiercingItemID( const size_t Nth ) const
{
	if( m_vecGeneralPiercing.empty() == false && m_vecGeneralPiercing.size() > Nth )
	{
		return m_vecGeneralPiercing.at( Nth );
	}

	return 0;
}
const size_t is an unsigned integer, it CAN'T be negative!
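The point being argued over the last few posts can be checked directly. Here is an added demonstration (not the FlyFF source, and not posted by anyone in the thread): a struct with the same shape of bounds check as the quoted FLPiercingOption::GetGeneralPiercingItemID, called through an int parameter the way RemovePetVisItem's nPosition would be, plus an explicit signed-side check of the kind the ItemUpgrade.cpp fix above adds. PiercingOptionDemo, LookupByInt, ConvertedIndex and ValidPosition are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

typedef uint32_t DWORD;   // stand-in for the Windows typedef

struct PiercingOptionDemo
{
    std::vector<DWORD> m_vecGeneralPiercing;

    // Same shape as the quoted check: size() > Nth guards the at() call.
    DWORD GetGeneralPiercingItemID(const size_t Nth) const
    {
        if (!m_vecGeneralPiercing.empty() && m_vecGeneralPiercing.size() > Nth)
            return m_vecGeneralPiercing.at(Nth);
        return 0;
    }
};

// Caller with an int position and a size_t parameter: the int is converted
// modulo 2^N at the call, so -1 arrives as SIZE_MAX, never as a negative index.
DWORD LookupByInt(const PiercingOptionDemo& opt, int nPosition)
{
    return opt.GetGeneralPiercingItemID(nPosition);
}

// The value the size_t parameter actually receives for a given int.
size_t ConvertedIndex(int nPosition)
{
    return static_cast<size_t>(nPosition);
}

// Defensive variant: reject negatives on the signed side so the caller never
// depends on the unsigned wrap-around to make the bounds check fail.
bool ValidPosition(const PiercingOptionDemo& opt, int nPosition)
{
    return nPosition >= 0 && static_cast<size_t>(nPosition) < opt.m_vecGeneralPiercing.size();
}
```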