My server is hacked: 0x0007 0x0003 Disconnecting players

11/02/2020 16:55 zalo0944172680#1
My server is hacked, I get the message at SR_ShardManager:
msg is not completely used : IP:xxx.xxx.xxx.xxx Req:0x0007 (0x0000) (MsgType:7), 32 - 31
msg is not completely used : IP:xxx.xxx.xxx.xxx Req:0x0003 (0x0000) (MsgType:7), 32 - 31

Disconnecting players when logging in, could it be a new IWA exploit. Please help me fix it
11/02/2020 17:01 #HB#2
These messages are normal.

New IWA exploit? xd
11/02/2020 17:10 Devsome#3
Quote:
Originally Posted by #HB View Post
These messages are normal.

New IWA exploit? xd
who ever called it iwa exploit: maybe one of these [Only registered and activated users can see links. Click Here To Register...]
11/02/2020 17:13 zalo0944172680#4
Quote:
Originally Posted by Devsome View Post
who ever called it iwa exploit: maybe one of these [Only registered and activated users can see links. Click Here To Register...]
Please help me fix it, I used a lot of code related 0x7007 but still got exploit
11/02/2020 17:14 Devsome#5
Quote:
Originally Posted by zalo0944172680 View Post
Please help me fix it, I used a lot of code related 0x7007 but still got exploit
Whatever filter you are using, just block it or use a whitelist.
11/02/2020 17:19 zalo0944172680#6
Quote:
Originally Posted by Devsome View Post
Whatever filter you are using, just block it or use a whitelist.
#region 0x7007_CLIENT_CHARSCREEN
else if (_pck.Opcode == 0x7007)
{
if (!this.isCharScreen)
{
Send(false);
continue;
}
byte response = _pck.ReadUInt8();
switch (response)
{
#region Create char
case 1:
{
try
{
_pck.ReadAscii(); // Charname

_pck.ReadUInt32(); // RefObjID

_pck.ReadUInt8(); // Height

_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
}
catch
{
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Char screen call
case 2:
{
if (_pck.GetBytes().Length > 1)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Delete char by name
case 3:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Restore char by name
case 4:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Don't remember what this is, but it exists :)
case 5:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Default
default:
{
this.DisconnectModuleSocket();
return;
}
#endregion

}

m_RemoteSecurity.Send(_pck);
Send(true);
continue;
}
#endregion


I used this code but still attacked the server, please help me fix it
11/02/2020 17:37 #HB#7
Quote:
Originally Posted by Devsome View Post
who ever called it iwa exploit: maybe one of these [Only registered and activated users can see links. Click Here To Register...]
I know about that, but that was an old exploit and is fixed in most servers rn, but I'm laughing at the fact that he's calling any new exploit as IWA's, just because IWA released an exploit before.
11/02/2020 17:51 thaidu0ngpr0#8
Quote:
Originally Posted by zalo0944172680 View Post
#region 0x7007_CLIENT_CHARSCREEN
else if (_pck.Opcode == 0x7007)
{
if (!this.isCharScreen)
{
Send(false);
continue;
}
byte response = _pck.ReadUInt8();
switch (response)
{
#region Create char
case 1:
{
try
{
_pck.ReadAscii(); // Charname

_pck.ReadUInt32(); // RefObjID

_pck.ReadUInt8(); // Height

_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
_pck.ReadUInt32(); // ItemID
}
catch
{
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Char screen call
case 2:
{
if (_pck.GetBytes().Length > 1)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Delete char by name
case 3:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Restore char by name
case 4:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Don't remember what this is, but it exists :)
case 5:
{
int name_length = _pck.ReadAscii().Length;
if ((_pck.GetBytes().Length - name_length) != 3)
{
MainForm.SUSPECT++;
this.DisconnectModuleSocket();
return;
}
}
break;
#endregion

#region Default
default:
{
this.DisconnectModuleSocket();
return;
}
#endregion

}

m_RemoteSecurity.Send(_pck);
Send(true);
continue;
}
#endregion


I used this code but still attacked the server, please help me fix it
you have video demo exploit ?
11/03/2020 22:58 bimbum*#9
close ur server and play gamegami
11/05/2020 21:17 Iwa13#10
Quote:
Originally Posted by #HB View Post
I know about that, but that was an old exploit and is fixed in most servers rn, but I'm laughing at the fact that he's calling any new exploit as IWA's, just because IWA released an exploit before.
These exploits has nothing to do with me, people often miscredit me for years due to my nick..
IWA is name given to specific kind of sro exploits that disconnect players. Credits goes to goofie (he usually targeted servers which owned by arabs, hence the name IWA=I Warn Arabs)
11/05/2020 23:16 #HB#11
Quote:
Originally Posted by Iwa13 View Post
(he usually targeted servers which owned by arabs, hence the name IWA=I Warn Arabs)
Wow, didn't know that, makes sense now.