[Fix] Create item with Guild Cloak

04/29/2020 15:08 ZeroTwo02#1
1. Fix the Overflow

In the function "CDPCacheSrvr::OnGuildPenya" from the file CoreServer/DPCacheSrvr.cpp add the following check.

Code:
	if( dwType < 0 || dwType >= MAX_GM_LEVEL )
		return;
2. Fix the Creation of the Guild Cloak

In the function "CDPSrvr::OnCreateGuildCloak" from the file WorldServer/DPSrvr.cpp change this code.

Code:
		if( pGuild->m_dwLogo == 0 || pGuild->IsMaster( pUser->m_idPlayer ) == FALSE )
		{
			if( pGuild->m_dwLogo == 0 )
			{
				pUser->AddDefinedText( TID_GAME_GUILDSETTINGLOGO, "" );
			}
			else
			{
				pUser->AddDefinedText( TID_GAME_GUILDONLYMASTERLOGO, "" );
			}
			return;
		}
To this one:

Code:
		if( pGuild->m_dwLogo == 0 || pGuild->m_dwLogo > 20 || pGuild->IsMaster( pUser->m_idPlayer ) == FALSE )
		{
			if( pGuild->m_dwLogo == 0 )
			{
				pUser->AddDefinedText( TID_GAME_GUILDSETTINGLOGO, "" );
			}
			else
			{
				pUser->AddDefinedText( TID_GAME_GUILDONLYMASTERLOGO, "" );
			}
			return;
		}
3. Clear the Guild Logo

Run the following query on CHARACTER_01_DBF.

Code:
UPDATE GUILD_TBL SET m_dwLogo = '0' WHERE m_dwLogo > 20
4.1 How to find items created with the Guild Cloak System

Run the following query on LOGGING_01_DBF.

Code:
SELECT m_idGuild, m_idPlayer, serverindex, m_Item, State, s_date, Item_count, Item_UniqueNo, SEQ
FROM LOG_GUILD_BANK_TBL
WHERE (State = 'C') AND (m_Item > 5000)
Each result found is an "Exploit" item.

4.2 How to find items created with the Guild Cloak System

When an item is created by the Guild Cloak System, a "m_idGuild" parameter is assigned to it.

You will have to check the "pItemElem->m_idGuild" of each item that isn't a Cloak to find what has been created using this exploit.

You can use many different methods, like using the "GetOneItem" function, or simply add code to remove items that aren't cloaks but have a m_idGuild param != 0.
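An added example (not the thread's code, nor the server's own source) that models the two checks above in isolation. It assumes a simplified stand-in for CGuild in which the per-type penya array is directly followed by the logo id, and assumes MAX_GM_LEVEL = 5 and a custom-logo ceiling of 20; the cloak base id 4602 is the one quoted in the thread.

```cpp
#include <cstdint>

// Assumed constants: array length of the penya counters and the highest
// logo id a non-GM guild may carry. Only 4602 comes from the thread itself.
constexpr uint32_t MAX_GM_LEVEL    = 5;
constexpr uint32_t CUSTOM_LOGO_MAX = 20;
constexpr uint32_t CLOAK_BASE_ID   = 4602;

// Hypothetical, simplified CGuild: m_dwLogo sits right after the array, so an
// unchecked index into m_adwPenya can land on the logo field.
struct Guild {
    uint32_t m_adwPenya[MAX_GM_LEVEL] = {0, 0, 0, 0, 0};
    uint32_t m_dwLogo = 0;
};

// Hardened penya handler: dwType is unsigned, so one upper-bound check is
// enough. Returns false when the packet is rejected and nothing is written.
bool OnGuildPenya(Guild& g, uint32_t dwType, uint32_t dwPenya) {
    if (dwType >= MAX_GM_LEVEL)
        return false;
    g.m_adwPenya[dwType] = dwPenya;
    return true;
}

// Hardened cloak creation: the item id is derived from m_dwLogo, so the logo
// is validated at the point of use, not only where it is normally set.
// Returns 0 when no item may be created.
uint32_t CreateGuildCloakItemId(const Guild& g, bool isMaster) {
    if (g.m_dwLogo == 0 || g.m_dwLogo > CUSTOM_LOGO_MAX || !isMaster)
        return 0;
    return CLOAK_BASE_ID + (g.m_dwLogo - 1);
}

// Offline audit helper for already-stored guild rows: a logo above the
// custom range can only have come from a tampered field.
bool LogoLooksTampered(uint32_t dwLogo) {
    return dwLogo > CUSTOM_LOGO_MAX;
}

// Scenario: fresh guild with the given logo, one penya packet applied, then a
// master attempts cloak creation. Returns the item id, 0 if refused.
uint32_t PenyaThenCloak(uint32_t logo, uint32_t dwType, uint32_t dwPenya) {
    Guild g;
    g.m_dwLogo = logo;
    OnGuildPenya(g, dwType, dwPenya);
    return CreateGuildCloakItemId(g, true);
}
```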
04/29/2020 16:19 alfredico#2
The first fix is correct, although you don't need to check for a negative value; it is unsigned...

Code:
	if( dwType >= MAX_GM_LEVEL )
		return;
As for the second fix, I don't understand it. The logo is set in CDPSrvr::OnGuildLogo() and it checks for limits.

Code:
	if( dwLogo > CUSTOM_LOGO_MAX )
		return;

	if( dwLogo > 20 && !pUser->IsAuthHigher( AUTH_GAMEMASTER ) )
		return;
Then we have in function CDPSrvr::OnCreateGuildCloak, a function that doesn't serialize any value and takes the cloak creation based on guild logo.

Code:
itemElem.m_dwItemId	= ITEM_INDEX( 4602, II_ARM_S_CLO_CLO_SYSCLOAK01 ) + (pGuild->m_dwLogo - 1);
Unless you changed something in your code to make it exploitable, I don't see anything that needs to get fixed there.
04/29/2020 16:37 ZeroTwo02#3
Quote:
Originally Posted by alfredico
CDPSrvr::OnGuildLogo() and it checks for limits.

Code:
	if( dwLogo > CUSTOM_LOGO_MAX )
		return;

	if( dwLogo > 20 && !pUser->IsAuthHigher( AUTH_GAMEMASTER ) )
		return;
Then we have in function CDPSrvr::OnCreateGuildCloak, a function that doesn't serialize any value and takes the cloak creation based on guild logo.

Code:
itemElem.m_dwItemId	= ITEM_INDEX( 4602, II_ARM_S_CLO_CLO_SYSCLOAK01 ) + (pGuild->m_dwLogo - 1);
Unless you changed something in your code to make it exploitable, I don't see anything that needs to get fixed there.
The fix is related to: [link]

We do not use "OnGuildLogo" to change the logo value, we use OnGuildPenya to make an overflow, because "dwType" isn't checked.

Quote from "jooodzszsz"
Quote:
Send:
dwType = 6
dwPenya = 21855

This would write "pGuild->m_adwPenya[6] = 21855;". As you can see in CGuild class, m_adwPenya has just 5 DWORDs, using 6 overflows it and overwrites m_dwLogo with 21855.

Now you just need to create a Guild Cloak for 10k penya.
"itemElem.m_dwItemId = II_ARM_S_CLO_CLO_SYSCLOAK01 + (pGuild->m_dwLogo - 1);"

As you can see they decrease m_dwLogo by 1 and add 4602 (itemid - 4601)
04/29/2020 16:45 netHoxInc#4
I expected a bit more knowledge from someone with a 'Systems&Exploits' shop in the signature. I smell a leech-collection lmao.

First I'd advise you to get some basic knowledge about exploits, and especially their methods.

Also, leaving the Cloak Create function like this is ok (if everything is fine in all the other code sections), but honestly, it's a stupid idea to be too lazy to add these few code parts, just for an extra layer of security.

Back to topic:
Great release, I'm sure there'll be a few less servers I can raid on their launch now lmao.
Gj :)
04/29/2020 18:27 alfredico#5
Quote:
Originally Posted by ZeroTwo02
The fix is related to: [link]

We do not use "OnGuildLogo" to change the logo value, we use OnGuildPenya to make an overflow, because "dwType" isn't checked.

Quote from "jooodzszsz"

I was aware of this exploit, although not about overflowing m_dwLogo but about crashing the server. I ran a quick test and I can confirm it works as @[user] says, except my client crashes because of the new logo texture. By sending the penya value of 21855, you should be able to create perins (21855 + 4602 - 1) = 26456.

Quote:
Originally Posted by netHoxInc
I expected a bit more knowledge from someone with a 'Systems&Exploits' shop in the signature. I smell a leech-collection lmao.

First I'd advise you to get some basic knowledge about exploits, and especially their methods.

Also, leaving the Cloak Create function like this is ok (if everything is fine in all the other code sections), but honestly, it's a stupid idea to be too lazy to add these few code parts, just for an extra layer of security.

Back to topic:
Great release, I'm sure there'll be a few less servers I can raid on their launch now lmao.
Gj :)
First of all, I didn't know the fixes were related, and I tend to mistrust when I see fails, like checking for a negative value in a DWORD and a post with just copy&paste of data without any explanation about the exploit.
To be honest, I don't understand the mocking part about me in your post and judging my capabilities; you could've kept that part to yourself. I truly know you have way more knowledge in exploiting than I do; it's just that I prefer to spend my time working on something productive rather than looking for vulnerabilities and new open servers for making hacks, exploits and causing problems to other people.
04/29/2020 20:11 B1ackSnow#6
Quote:
Originally Posted by alfredico
To be honest, I don't understand the mocking part about me in your post and judging my capabilities; you could've kept that part to yourself. I truly know you have way more knowledge in exploiting than I do; it's just that I prefer to spend my time working on something productive rather than looking for vulnerabilities and new open servers for making hacks, exploits and causing problems to other people.
Why do new hacks and exploits = problems for other people?
I guess it's work for them, it's ideas, updates and other things.

At least it's an improvement of Flyff.
Every time something new is added, it comes with new bugs.
And without any 'help' in searching, maybe no one in 2020 would know about the CE stat hack.

I don't say that it is very nice, but the more guys know, the faster it will be fixed. And at least new servers become safer.
04/30/2020 12:14 .S0ulSeller#7
Quote:
Originally Posted by B1ackSnow
Why do new hacks and exploits = problems for other people?
I guess it's work for them, it's ideas, updates and other things.

At least it's an improvement of Flyff.
Every time something new is added, it comes with new bugs.
And without any 'help' in searching, maybe no one in 2020 would know about the CE stat hack.

I don't say that it is very nice, but the more guys know, the faster it will be fixed. And at least new servers become safer.
A destructive way of improving.
You could also sell your knowledge by selling fixes. But this way you would only potentially make money with 5% of the FlyFF community (the admins), not with the remaining part (the players). You're kissing ass so much with this post.
04/30/2020 14:15 netHoxInc#8
Guess we won the bet. Epvp is so predictable. @[user]
04/30/2020 14:40 B1ackSnow#9
Quote:
Originally Posted by .S0ulSeller
A destructive way of improving.
You could also sell your knowledge by selling fixes. But this way you would only potentially make money with 5% of the FlyFF community (the admins), not with the remaining part (the players). You're kissing ass so much with this post.
Well, I have some bad news for you, my friend, but not about that.
If you can't understand the sense of my post, you don't have to answer me so rudely.
04/30/2020 14:51 netHoxInc#10
He's a perfect example of how I see the epvp community lmao.

But who am I to talk, I fit in the scheme just well enough haha.

Good day, and happy beefing lmao