Can you guys share more information?

Page 1 of 2 1 2
04/17/2020 23:34 Fatcode#1
Hi,

Can you guys share more information as to why this error pops up? I've been receiving this error few times that causes core server to crash. Any information is very very well appreciated.

Error:
Code:
CClientSocket.Fetch: ip = 54.245.49.145, size = 790647882
This is only my own theory:
When you use any hosting services, random snapshots of bots maybe or services as well that pings your server in a certain port and thus making your core server crash. I might really be wrong but I hope you get what I want to tell.
04/18/2020 04:34 pbben15#2
possible a DDoS attack you must secure your server if you buy vps/dedicated server make sure that it has Anti-DDoS protection and for your website use SSL protection (CloudFlare) for Anti-SQL Injection. Hope it helps.
04/18/2020 08:51 Naltalah#3
A DDoS attack would rather make you lose the connection. Since the erros is throwing an enourmos packet size, it has to do with somehow an enourmous or just invalid packet is being received.
Funny enough the Core shouldn't be accessible from an open network, so the packet has to come from some other server instance. Quite fun to debug tho.
04/18/2020 09:22 Fatcode#4
Thank you both for your own opinions, I really appreciate it. Im still figuring this out because just about few hours the database crashed with the same error and the same packet size, now I have to know where and what port might this packet came from and I might as well check my packet encryption system.
04/18/2020 10:17 netHoxInc#5
Quote:
Originally Posted by pbben15 View Post
possible a DDoS attack you must secure your server if you buy vps/dedicated server make sure that it has Anti-DDoS protection and for your website use SSL protection (CloudFlare) for Anti-SQL Injection. Hope it helps.
DDoS Protection, Yes, makes sense.
SSL to prevent SQL Injection? What kind of bullshit are you talking about, how can a service prevent ur files to be vulnerable? Lol. If they're exploitable, they're exploitable. Thats how it works lol.


Quote:
Originally Posted by Naltalah View Post
A DDoS attack would rather make you lose the connection. Since the erros is throwing an enourmos packet size, it has to do with somehow an enourmous or just invalid packet is being received.
Funny enough the Core shouldn't be accessible from an open network, so the packet has to come from some other server instance. Quite fun to debug tho.
Agreeing fully, apart of thinking it would be fun, i bet its a pain lol

Quote:
Originally Posted by Fatcode View Post
Thank you both for your own opinions, I really appreciate it. Im still figuring this out because just about few hours the database crashed with the same error and the same packet size, now I have to know where and what port might this packet came from and I might as well check my packet encryption system.
Go for Naltalah's advice, also block port 29000 (Secondary port, i think it was used for cash-shop instances, atleast creating items was possible using it, i barely remember which server instance it runs in, either cache or core server if i remember correctly)
04/18/2020 11:13 Fatcode#6
Hi netHoxInc,

Thank you for the suggestion. I will add that to my list. Right now am figurint things out. Currently am enabling the firewall to only allow the login server and the world server, I might be wrong on this but I feel so dumb as I have accidentally checked the "block incoming for all" for both private and public. I have seen that my other server executables was open to the public. I hope this is the answer to my problem. I will be updating this thread if it fixes my problem or it doesn't.
04/18/2020 11:22 netHoxInc#7
Quote:
Originally Posted by Fatcode View Post
Hi netHoxInc,

Thank you for the suggestion. I will add that to my list. Right now am figurint things out. Currently am enabling the firewall to only allow the login server and the world server, I might be wrong on this but I feel so dumb as I have accidentally checked the "block incoming for all" for both private and public. I have seen that my other server executables was open to the public. I hope this is the answer to my problem. I will be updating this thread if it fixes my problem or it doesn't.
Yea would be kinda cool to know, im personally not working with server's so im not really that well informed about all of these stuff, but i know how to exploit certain stuff quite well and can probably relate in this way to problems.

Good luck on it, let us know how it ends up ^^

If you need somewhat of a penetration test for your website (SQLi) and your game files (only game breaking stuff, duplications, item creations, etc) hit me up on discord (check sig).

Cheers
04/18/2020 12:00 Naltalah#8
From what I have found, the crash results in the closing of the connection if an invalid packet is received.

Code:
		if( &pClientSock->m_ovRecv == lpov )	// receive i/o completed
		{
			CBuffer* pBuffer	= pClientSock->Fetch( dwBytes );
			if( pBuffer )
			{
				if( pBuffer->cb > 0 ) {
					pBuffer->dpid	= hSocket;
					pDPSock->m_lspRecvBuffer.AddTail( pBuffer );
					SetEvent( pDPSock->GetRecvHandle() );
				}
				else {
					SAFE_DELETE( pBuffer );
				}
			}
			else if( WSAGetLastError()
				==  ERROR_BAD_NET_NAME )
			{
				pDPSock->CloseConnection( hSocket );
				continue;
			}
Found in dpsock.cpp IoWorkerThread

This basically results in the connection being terminated, then the pings going on won't be able to communicate resulting in the "TRANS not alive" or "CORE not alive" errors.

Why a crash happens can have multiple issues. Can't really pinpoint it right now. But basically what could happen is that

Code:
m_pRecvBuffer	= CBufferFactory::GetInstance().CreateBuffer( m_nBufferType, uPacketSize );
might cause some memory violation or just returning NULL. If you look at it you'll see that CreateBuffer takes a buffer-type and the packet-size. I don't know if you can somehow manipulate the buffer-type but when actually creating the buffer, there is a check for MAX_BUFFER on the supplied buffer-size. If that fails it's trying to allocate memory on the heap with the supplied buffer-size. So I guess it just busts up the heap rather than dropping the message received.

Code:
CBuffer::CBuffer( u_long uBufSize )
{
	if( uBufSize > MAX_BUFFER ) {
		m_lpBufStart	= (LPBYTE)CBuffer::m_pHeapMng->Malloc( uBufSize );
Since all of this happens as a void* operation, it might as well crash when trying to actually convert the memory data to something it wasn't intended to be.

Those are just some guesses from a quick look at what the code actually does, but I guess debugging will be your best bet to see if it actually crashes on the error or tries to do something else, in which case it would be easier to pinpoint where the exploit is coming from.

Because in theory, the packet has to get corrupted somewhere along the way on a message received from probably cache or worldserver.

If the program just shuts down without throwing an error message or an exception, I would suppose it's this part:

Code:
		fOk		= GetQueuedCompletionStatus( pDPSock->GetCompletionPort( lIoWorker - 1 ), &dwBytes, (LPDWORD)&hSocket, &lpov, INFINITE );
		if( dwBytes == CLOSEIOWORKERMSG )
		{
			InterlockedDecrement( &pDPSock->m_lActiveIoWorker );
			return( 0 );
		}
So basically someone is sending the exact package to turn off the instance. But that's some WinAPI stuff I'm not really familiar with.
04/18/2020 19:15 Mike Oxmaul#9
The problem is someone sends you a reallllyyy big packet (look at the size, its in bytes if i remember correctly)
04/19/2020 16:15 Fatcode#10
Hi @[Only registered and activated users can see links. Click Here To Register...],

That's some really rare talents right there. I would love to work with you on those kind of things. Im going to hit you up on discord when I fly back to my country.

Hi @[Only registered and activated users can see links. Click Here To Register...],

I really appreciate the effort you did on this. This is very informative thus giving me more power and understanding on how the source is written. It looks like you are good with network programming as well.

Hi @[Only registered and activated users can see links. Click Here To Register...],

The packets that I am receiving is indeed not normal. Thank you for the attention that you gave in my post.

--
UPDATE:

What I want you guys to know is that the server is running without players connected as I have turned it up only for testing. What I have found out though is that I need to re-do the packet encryption system and it fixes my problem. So I guess this thread ends here. I'd really like to thank you all for the attention and efforts.
04/22/2020 03:28 Tweeney#11
Quote:
Originally Posted by Fatcode View Post
Hi,

Can you guys share more information as to why this error pops up? I've been receiving this error few times that causes core server to crash. Any information is very very well appreciated.

Error:
Code:
CClientSocket.Fetch: ip = 54.245.49.145, size = 790647882
This is only my own theory:
When you use any hosting services, random snapshots of bots maybe or services as well that pings your server in a certain port and thus making your core server crash. I might really be wrong but I hope you get what I want to tell.
Oh I just experience this right now haha

Code:
2020/ 4/21   23:16:29   CClientSocket.Fetch: ip = 64.225.76.244, size = 1571870089

2020/ 4/21   23:16:29   CClientSocket.Fetch: ip = 64.225.76.244, size = 1953706093

2020/ 4/21   23:16:29   CClientSocket.Fetch: ip = 64.225.76.244, size = 1814967609

2020/ 4/21   23:16:30   CClientSocket.Fetch: ip = 64.225.76.244, size = 1946157061

2020/ 4/21   23:16:30   CClientSocket.Fetch: ip = 64.225.76.244, size = 1634563174

2020/ 4/21   23:16:30   CClientSocket.Fetch: ip = 64.225.76.244, size = 1946157320

2020/ 4/21   23:16:34   CClientSocket.Fetch: ip = 64.225.76.244, size = 1866611479

2020/ 4/21   23:17:43   CClientSocket.Fetch: ip = 167.172.48.101, size = 1915224069

2020/ 4/21   23:17:51   CClientSocket.Fetch: ip = 167.172.48.101, size = 1761607688

2020/ 4/21   23:17:52   CClientSocket.Fetch: ip = 167.172.48.101, size = 1785790469

2020/ 4/21   23:19:38   CORE : is not alive

2020/ 4/21   23:20:38   CORE : is not alive

2020/ 4/21   23:21:38   CORE : is not alive
And it crashes my coreserver.exe

additional logs.

21/04/2020 - 17:27:42
Code:
[CRASH] - C:\Users\Admin\Desktop\ServerFlyFF\Source\WorldServer\DPSrvr.cpp : CDPSrvr::UserMessageHandler (Ln. 704)
Code:
void CDPSrvr::UserMessageHandler( LPDPMSG_GENERIC lpMsg, DWORD dwMsgSize, DPID idFrom )
{
	TRY
	LPBYTE lpBuffer		= (LPBYTE)lpMsg + sizeof(DPID);
	u_long uBufSize		= dwMsgSize - sizeof(DPID);

	CAr ar( lpBuffer, uBufSize );
	GETTYPE( ar )

	void ( theClass::*pfn )( theParameters )	=	GetHandler( dw );

	if( pfn ) 
	{
		( this->*( pfn ) )( ar, idFrom, *(UNALIGNED LPDPID)lpMsg, lpBuffer, uBufSize );
	}
	CATCH
}
09/06/2020 11:33 lalabcu#12
--
UPDATE:

What I want you guys to know is that the server is running without players connected as I have turned it up only for testing. What I have found out though is that I need to re-do the packet encryption system and it fixes my problem. So I guess this thread ends here. I'd really like to thank you all for the attention and efforts.[/QUOTE]

Can give advise which file you did look for packet encryption? - i think we have same issue.
11/11/2022 05:30 makvee#13
Quote:
Originally Posted by Fatcode View Post
Hi @[Only registered and activated users can see links. Click Here To Register...],

That's some really rare talents right there. I would love to work with you on those kind of things. Im going to hit you up on discord when I fly back to my country.

Hi @[Only registered and activated users can see links. Click Here To Register...],

I really appreciate the effort you did on this. This is very informative thus giving me more power and understanding on how the source is written. It looks like you are good with network programming as well.

Hi @[Only registered and activated users can see links. Click Here To Register...],

The packets that I am receiving is indeed not normal. Thank you for the attention that you gave in my post.

--
UPDATE:

What I want you guys to know is that the server is running without players connected as I have turned it up only for testing. What I have found out though is that I need to re-do the packet encryption system and it fixes my problem. So I guess this thread ends here. I'd really like to thank you all for the attention and efforts.
Hi @[Only registered and activated users can see links. Click Here To Register...] can you share what or how did you fix it please? :handsdown:
11/11/2022 07:24 Ruby-FlyFF#14
Do you use that file? I get the impression that this kind of problem occurs with the sources of ketchup, these are the sources you use?

Send me you discord in private
11/11/2022 09:16 makvee#15
Quote:
Originally Posted by Ruby-FlyFF View Post
Do you use that file? I get the impression that this kind of problem occurs with the sources of ketchup, these are the sources you use?

Send me you discord in private
yes im using ketchup's release on the other forum. I sent a friend request in discord sir
Page 1 of 2 1 2