PS_Login Handshake Exploit Fix

11/05/2017 15:52 Cups#1
I've known about this exploit for some time (I believe I was one of the first people to discover it, I only know of a couple others who were aware of this at the time), but I never cared enough to make a fix as it didn't seem to be getting abused until recently, so my apologies for that.

The exploit works by sending a corrupted handshake response - when the server receives the handshake response from the client, it crashes upon trying to decrypt it with the RSA keys, as the payload length isn't equal to the length of the modulus, but is instead some arbitrary number. I'm not sure what ps_login I used for this, as JuuF sent me his. I've uploaded the one I used just to be sure. Anyway, here is the fix:

Code:
// Author: Cups
// Date: 31/10/2017
[ENABLE]
alloc(newmem, 128) // New memory cave used for performing the key length check
label(return) // Address to return

/* 404E60 is the CUserCrypto::KeyInit function. The keylen parameter describes the length of the RSA encrypted response from the client, which is the 2nd parameter to the function. Function parameters are addressed relative to the EBP register, and are in reverse order. EBP+08 is the pointer to the second parameter (as all parameters are an integer, so 4 bytes in size) */
ps_login.exe+4E84:
jmp newmem // Jump to our new memory
return:

// New memory for checking the key length
newmem:

// We overwrote this code when inserting our jump
push eax
mov ebx,ecx
mov eax,esi

// If the key length is not 128 bytes, jump to the end of the function and do nothing
// (the auto assembler reads 80 as hex, i.e. 0x80 = 128, the byte length of the 1024-bit RSA modulus)
cmp ecx,80
jne ps_login.exe+4FAE

// Key is valid, continue processing as normal
jmp return

[DISABLE]
dealloc(newmem)

ps_login.exe+4E84:
push eax
mov ebx,ecx
mov eax,esi
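The length check the patch above applies, as an added Python example that is not the thread's own code and does not model the real ps_login key or wire format: a KeyInit-style handler that refuses any handshake response whose byte length differs from the RSA modulus length before attempting the decryption that crashes the unpatched server. The key is a constructed toy key; `modulus_len_bytes` returns 128 for a 1024-bit modulus, which is the 0x80 the patch compares against.

```python
from typing import Optional


def modulus_len_bytes(n: int) -> int:
    """Byte length of an RSA modulus: 128 for the 1024-bit key the patch assumes."""
    return (n.bit_length() + 7) // 8


class HandshakeError(ValueError):
    """Raised when the client's handshake response is rejected before RSA is touched."""


def key_init(n: int, d: int, response: bytes) -> bytes:
    """Mirror of the patched KeyInit flow: validate the length, then decrypt."""
    expected = modulus_len_bytes(n)
    if len(response) != expected:
        # This is the check the patch adds (cmp ecx,80 / jne end-of-function).
        raise HandshakeError(
            f"handshake payload is {len(response)} bytes, expected {expected}; dropping client"
        )
    c = int.from_bytes(response, "big")
    if c >= n:
        # A correctly sized but out-of-range ciphertext is still not a valid RSA block.
        raise HandshakeError("ciphertext is not smaller than the modulus")
    m = pow(c, d, n)  # textbook RSA decryption, no padding, for illustration only
    return m.to_bytes(expected, "big")


# Constructed toy key (hypothetical; nothing like the server's real 1024-bit key).
P, Q = 61, 53
N = P * Q                      # 3233, a 2-byte modulus
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(n: int, e: int, plaintext: bytes) -> bytes:
    """Client side: produce a response exactly modulus_len_bytes(n) long."""
    m = int.from_bytes(plaintext, "big")
    return pow(m, e, n).to_bytes(modulus_len_bytes(n), "big")


def handle_client(n: int, d: int, response: bytes) -> Optional[bytes]:
    """Server loop wrapper: a rejected handshake returns None instead of crashing."""
    try:
        return key_init(n, d, response)
    except HandshakeError:
        return None
```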
11/05/2017 20:14 anton1312#2
A bit easier fix:
Code:
[ENABLE]
"ps_login.exe"+4542:
jne ps_login.exe+44BE

[DISABLE]
"ps_login.exe"+4542:
ja ps_login.exe+44BE
11/06/2017 18:22 Cups#3
Quote:
Originally Posted by anton1312
A bit easier fix:
Code:
[ENABLE]
"ps_login.exe"+4542:
jne ps_login.exe+44BE

[DISABLE]
"ps_login.exe"+4542:
ja ps_login.exe+44BE
A bit easier in terms of code length perhaps, but I wanted to make sure people knew WHY the server was crashing, not just apply some arbitrary fix and call it a day.
11/26/2017 12:14 XareL#4
It will now be safer in servers, thanks :)
01/15/2018 22:17 Propice#5
ty
04/27/2018 00:49 mr.hellraven#6
ps_login link?
05/23/2018 10:09 GMCronus#7
Is this the one nubness made a new ps_login.exe file from? Because we have a new one that pauses the login now in May 2018 that killed many servers. Just have to know what this stops :-)
05/25/2018 23:43 Spectral#1#8
Quote:
Originally Posted by GMCronus
Is this the one nubness made a new ps_login.exe file from? Because we have a new one that pauses the login now in May 2018 that killed many servers. Just have to know what this stops :-)
The new exploit creates a lot of faulty accounts online and overloads the number of users you can have in game.
05/25/2018 23:48 GMCronus#9
Is this the fix or is it not a fix?
05/26/2018 06:40 {Skrillex}#10
Quote:
Originally Posted by Spectral#1
The new exploit creates a lot of faulty accounts online and overloads the number of users you can have in game.
Are you sure that they create accounts? I had this problem 1 or 2 years ago.. They spam the login server with packets so nobody can log in because 5000/5000 players are logged in.

If you mean this, there is a simple solution.

Regards
05/26/2018 09:26 Spectral#1#11
Quote:
Originally Posted by .:Skrillex:.
Are you sure that they create accounts? I had this problem 1 or 2 years ago.. They spam the login server with packets so nobody can log in because 5000/5000 players are logged in.

If you mean this, there is a simple solution.

Regards
Yes, they aren't creating accounts. The exploit makes it so the login gets full of "dummy" accounts, so if you're being attacked by it, try doing /uc and you'll see a large number online, in the thousands.
05/26/2018 13:59 SafeBett#12
Quote:
Originally Posted by Spectral#1
Yes, they aren't creating accounts. The exploit makes it so the login gets full of "dummy" accounts, so if you're being attacked by it, try doing /uc and you'll see a large number online, in the thousands.
Thanks,

What's the fix for this issue?

The culprit wants to sell it to me, but I am legit broke and don't pay extortion anyway.

It's enough that I scrape together the server payments and run donation free.

Help would be appreciated greatly.
05/26/2018 15:20 {Skrillex}#13
Quote:
Originally Posted by SafeBett
Thanks,

What's the fix for this issue?

The culprit wants to sell it to me, but I am legit broke and don't pay extortion anyway.

It's enough that I scrape together the server payments and run donation free.

Help would be appreciated greatly.
This kind of attack is 2+ years old. It was asked about by me 2 years ago.

This fix in this thread is for the handshake response. Like:

NOT FIXED:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: Shit I need to go down.

Fixed way:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: GO AWAY! You cannot come in here!


This is explained for "stupid" :P dudes.

Regards^^
08/06/2018 20:25 Brownback#14
Quote:
Originally Posted by .:Skrillex:.
This kind of attack is 2+ years old. It was asked about by me 2 years ago.

This fix in this thread is for the handshake response. Like:

NOT FIXED:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: Shit I need to go down.

Fixed way:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: GO AWAY! You cannot come in here!


This is explained for "stupid" :P dudes.

Regards^^
:D