[RELEASE][FIX] GameServer Crash/Runtime Error Exploit

10/29/2017 20:52 sarkoplata#1
Hello everyone,

This is yet an unknown one (at least for me and my environment) so I wanted to share this before more people lose their mind. It's a really strong exploit and will crash your gameserver with only 1 packet.
And the fix is also that easy.
Just block the 0x3510 opcode and you'll be fine.

PHP Code:
if(_pck.Opcode == 0x3510) continue; 
Because the attackers used it wisely, we thought it was an error caused by the database. We wasted hours in front of the PC (to fix this on BlackPearl) and then we decided to search the packets one by one to see the malicious one.

Hope you use it for good :).
10/29/2017 20:54 tombalaci46#2
Finally we fixed it. I hope that will help you.
10/29/2017 21:00 SubZero**#3
thank you
10/29/2017 21:03 KingDollar#4
I'm happy that you finally found it out
10/29/2017 21:10 tombalaci46#5
Quote:
Originally Posted by KingDollar View Post
I'm happy that you finally found it out
Yeah and also thank you for trying to help.
10/29/2017 22:53 Taisu#6
Thank youuu
10/29/2017 22:59 R3D*#7
Thank you.
10/30/2017 18:23 Xutan*#8
why would you allow this opcode anyway? You should have an opcode whitelist and store only legit opcodes there. I'm not sure if the people above are being sarcastic or they really don't know.
10/30/2017 20:58 elmagico321#9
Quote:
Originally Posted by Xutan* View Post
why would you allow this opcode anyway? You should have an opcode whitelist and store only legit opcodes there. I'm not sure if the people above are being sarcastic or they really don't know.
True, but he said "block the opcode", then it's a little mistake in the coding.

Blocking the opcode can be done from the exploit.txt "if you have a file for bad opcodes" or by making it like this:

PHP Code:
if (_pck.Opcode == 0x3510)
{
    // Disconnect stands for the filter's own disconnect call
    Disconnect(); // or whatever you need to do
}

10/31/2017 00:36 sarkoplata#10
Quote:
Originally Posted by Xutan* View Post
why would you allow this opcode anyway? You should have an opcode whitelist and store only legit opcodes there. I'm not sure if the people above are being sarcastic or they really don't know.
this is a valid packet for BR files (stall network) and maybe I have it whitelisted for a reason.
Or people can still be using blacklists.
Don't be a dick.
08/20/2018 18:21 Radoslavski#11
Quote:
Originally Posted by sarkoplata View Post
this is a valid packet for BR files (stall network) and maybe I have it whitelisted for a reason.
Or people can still be using blacklists.
Don't be a dick.
I have a complete white list for Black Rogue files, and this opcode has nothing to do with Stall network. It's not a valid Black Rogue opcode!

Only these are valid stall network opcodes.
0x7461,CLIENT_BR_STALLNETWORK_SEARCH
0x7462,CLIENT_BR_STALLNETWORK_CLOSE
0x7463,CLIENT_BR_STALLNETWORK_PURCHASE

So you can block it, it won't affect any functionality in BR Files.
08/20/2018 18:27 sarkoplata#12
Quote:
Originally Posted by Radoslavski View Post
I have a complete white list for Black Rogue files, and this opcode has nothing to do with Stall network. It's not a valid Black Rogue opcode!

Only these are valid stall network opcodes.
0x7461,CLIENT_BR_STALLNETWORK_SEARCH
0x7462,CLIENT_BR_STALLNETWORK_CLOSE
0x7463,CLIENT_BR_STALLNETWORK_PURCHASE
Yeah well, but does it crash the BR Gameserver?
05/17/2020 06:55 vietnguyen09#13
Quote:
Originally Posted by sarkoplata View Post
Yeah well, but does it crash the BR Gameserver?
I know this thread is really old, but can you share the way you searched for the malicious one? What software do you use to see the packets one by one? Did you log all the packets using Wireshark?

My SRO server files are crashing so many times in the last few days, my DB is fine and I really don't know the main problem of that. I think there is a new exploit opcode we don't know.
05/17/2020 07:33 sarkoplata#14
Quote:
Originally Posted by vietnguyen09 View Post
I know this thread is really old, but can you share the way you searched for the malicious one? What software do you use to see the packets one by one? Did you log all the packets using Wireshark?

My SRO server files are crashing so many times in the last few days, my DB is fine and I really don't know the main problem of that. I think there is a new exploit opcode we don't know.
I logged every single opcode I received, except for the very common ones like ping, skill, move, chat etc. Through filter of course.

Then checked the odd looking ones just before the gameserver crashed.

You can't analyze the sro packet data with Wireshark I guess... You need a filter.
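
The logging approach described in this post, combined with the allowlist idea from post #8, as an added C# example that is not part of the thread and not any poster's filter code. `OpcodeAudit` and its members are hypothetical names, 0x1001 and 0x1002 are placeholder opcodes standing in for common traffic, and opcodes are assumed to be already parsed out of the packets by the filter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed input: 0x7461-0x7463 and 0x3510 come from the thread,
// 0x1001/0x1002 are placeholders for common opcodes (ping, move, ...).
var audit = new OpcodeAudit(
    allowed: new ushort[] { 0x7461, 0x7462, 0x7463, 0x1001, 0x1002 },
    noisy: new ushort[] { 0x1001 });
var t0 = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc);
ushort[] stream = { 0x1001, 0x7461, 0x1002, 0x7461, 0x1001, 0x3510 };
for (int i = 0; i < stream.Length; i++)
    Console.WriteLine($"0x{stream[i]:X4} allowlisted={audit.Inspect(stream[i], t0.AddSeconds(i))}");
// Pretend the gameserver crashed one second after the last packet.
foreach (ushort op in audit.SuspectsBefore(t0.AddSeconds(6), TimeSpan.FromSeconds(3)))
    Console.WriteLine($"suspect 0x{op:X4}");

public sealed class OpcodeAudit
{
    private readonly HashSet<ushort> _allowed, _noisy;
    private readonly Queue<(DateTime At, ushort Opcode)> _recent = new();
    private readonly Dictionary<ushort, int> _seen = new();
    private readonly int _capacity;

    public OpcodeAudit(IEnumerable<ushort> allowed, IEnumerable<ushort> noisy, int capacity = 4096)
    {
        _allowed = new HashSet<ushort>(allowed);
        _noisy = new HashSet<ushort>(noisy);
        _capacity = capacity;
    }

    // Logs the opcode unless it is a noisy one; returns true if it is allowlisted.
    // The caller drops the packet on false (enforce) or forwards anyway (audit only).
    public bool Inspect(ushort opcode, DateTime at)
    {
        if (!_noisy.Contains(opcode))
        {
            _seen[opcode] = _seen.TryGetValue(opcode, out int n) ? n + 1 : 1;
            _recent.Enqueue((at, opcode));
            if (_recent.Count > _capacity) _recent.Dequeue(); // keep memory bounded
        }
        return _allowed.Contains(opcode);
    }

    // Opcodes logged in the window before a crash: unlisted first, then rarest.
    public List<ushort> SuspectsBefore(DateTime crash, TimeSpan window) =>
        _recent.Where(e => e.At <= crash && e.At >= crash - window)
               .Select(e => e.Opcode).Distinct()
               .OrderBy(op => _allowed.Contains(op)).ThenBy(op => _seen[op]).ToList();
}
```

In audit-only mode the filter keeps forwarding traffic and the ranked list points at the opcode to investigate; once the allowlist is trusted, dropping on a `false` return gives the default-deny behaviour.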
05/17/2020 08:01 vietnguyen09#15
Quote:
Originally Posted by sarkoplata View Post
I logged every single opcode I received, except for the very common ones like ping, skill, move, chat etc. Through filter of course.

Then checked the odd looking ones just before the gameserver crashed.

You can't analyze the sro packet data with Wireshark I guess... You need a filter.
Thanks for your really kind reply. I have a filter but don't own the source. I can code C# but I don't know where to start to build a simple filter to log all opcodes like you do. Is there any open-source simple filter project out there you know of that can give me a starting point?

I have this opcode list (link not shown), but I think it is not all valid codes; can you share your list of valid opcodes?

Thanks for your time.