Register for your free account! | Forgot your password?

Go Back   elitepvpers > MMORPGs > Flyff > Flyff Private Server > Flyff PServer Guides & Releases
You last visited: Today at 22:48

  • Please register to post and access all features, it's quick, easy and FREE!

Advertisement



[Release] FlyFF PC v21.2 Official Source Code

Discussion on [Release] FlyFF PC v21.2 Official Source Code within the Flyff PServer Guides & Releases forum part of the Flyff Private Server category.

Reply
 
Old 02/22/2020, 15:46   #16
 
elite*gold: 0
Join Date: Jan 2011
Posts: 28
Received Thanks: 17
Code:
BOOL CanAdd( DWORD dwGold, int nPlus )
{
	if( nPlus <= 0 )		// 더하려는 값이 0이하이면 넌센스 
	{
		return FALSE;
	}

	__int64 n64Gold = (__int64)dwGold;

	if( n64Gold < 0 || ( n64Gold + (__int64)nPlus ) < 0 || ( n64Gold + (__int64)nPlus ) > INT_MAX )
	{
		//		FLERROR_LOG( PROGRAM_NAME, _T( "CanAdd Invalid. HaveGold:[%d], AddGold:[%d]" ), dwGold, nPlus );
		return FALSE;
	}

	return TRUE;
}
you can tell that they are scared LOL
miniman06 is offline  
Old 02/22/2020, 16:33   #17

 
elite*gold: 28
Join Date: Feb 2010
Posts: 466
Received Thanks: 274
Quote:
Originally Posted by miniman06 View Post
Code:
BOOL CanAdd( DWORD dwGold, int nPlus )
{
	if( nPlus <= 0 )		// 더하려는 값이 0이하이면 넌센스 
	{
		return FALSE;
	}

	__int64 n64Gold = (__int64)dwGold;

	if( n64Gold < 0 || ( n64Gold + (__int64)nPlus ) < 0 || ( n64Gold + (__int64)nPlus ) > INT_MAX )
	{
		//		FLERROR_LOG( PROGRAM_NAME, _T( "CanAdd Invalid. HaveGold:[%d], AddGold:[%d]" ), dwGold, nPlus );
		return FALSE;
	}

	return TRUE;
}
you can tell that they are scared LOL
Or we can tell you don't understand the point of that.
ZeroTwo02 is offline  
Thanks
5 Users
Old 02/22/2020, 16:56   #18
 
elite*gold: 0
Join Date: Jan 2011
Posts: 28
Received Thanks: 17
Quote:
Originally Posted by ZeroTwo02 View Post
Or we can tell you don't understand the point of that.
Isn't it just a fancy anti int overflow ? I don't this the 64 bit conversion was necessary but whatever floats their boat
miniman06 is offline  
Old 02/22/2020, 17:01   #19
 
elite*gold: 90
Join Date: Dec 2019
Posts: 301
Received Thanks: 201
Quote:
if( nPlus < 0 || (__int64)dwGold + (__int64)nPlus > INT_MAX)
return false
would be enuff sir
jooodzszsz is offline  
Thanks
1 User
Old 02/22/2020, 17:20   #20
 
elite*gold: 0
Join Date: Jan 2011
Posts: 28
Received Thanks: 17
Quote:
Originally Posted by jooodzszsz View Post
would be enuff sir
Yeah that, but since the server is compiled under 32bit the performance would be worse than just straight comparison of both 32bit values separately.Just neat picking here lol
miniman06 is offline  
Old 02/22/2020, 17:34   #21
 
elite*gold: 0
Join Date: Oct 2018
Posts: 9
Received Thanks: 2
Ich habe XTrap entfernt, wie Sie sagten, aber es ndert viel an der Datei, da ich die FLLib-Bibliothek nicht sehe oder finde
Keyzen83 is offline  
Old 02/22/2020, 17:38   #22
 
elite*gold: 90
Join Date: Dec 2019
Posts: 301
Received Thanks: 201
Quote:
Originally Posted by miniman06 View Post
Yeah that, but since the server is compiled under 32bit the performance would be worse than just straight comparison of both 32bit values separately.Just neat picking here lol
Quote:
if( nPlus =< 0 || dwGold => INT_MAX || (nPlus + dwGold) > INT_MAX)
return FALSE;
return TRUE;
or

Quote:
if(nPlus > 0 && dwGold < INT_MAX){
return (dwGold + nPlus) < INT_MAX;
}
return FALSE;
now its 1 nano second faster per year
jooodzszsz is offline  
Old 02/22/2020, 19:51   #23

 
elite*gold: 28
Join Date: Feb 2010
Posts: 466
Received Thanks: 274
Btw, if you want to see some "work in progress".
Look into "WndInventoryWear" and this :

ZeroTwo02 is offline  
Thanks
1 User
Old 02/22/2020, 20:13   #24
 
Mike Oxmaul's Avatar
 
elite*gold: 50
Join Date: Feb 2014
Posts: 290
Received Thanks: 245
Quote:
Originally Posted by ZeroTwo02 View Post
Btw, if you want to see some "work in progress".
Look into "WndInventoryWear" and this :

the taskbar is in the client since years. i dont think its in progress. just concept.
Mike Oxmaul is offline  
Thanks
2 Users
Old 02/23/2020, 18:16   #25
 
cookie69's Avatar
 
elite*gold: 0
Join Date: Nov 2009
Posts: 627
Received Thanks: 684
At least 4 exploits are still not fixed in this version, you can corrupt the stack with bufferoverflow, set a value outside the array limit and make huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
cookie69 is offline  
Thanks
3 Users
Old 02/23/2020, 18:31   #26
 
Mike Oxmaul's Avatar
 
elite*gold: 50
Join Date: Feb 2014
Posts: 290
Received Thanks: 245
Quote:
Originally Posted by cookie69 View Post
At least 4 exploits are still not fixed in this version, you can corrupt the stack with bufferoverflow, set a value outside the array limit and make huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
there are more in dpsrvr
Mike Oxmaul is offline  
Old 02/23/2020, 18:44   #27
 
elite*gold: 0
Join Date: Oct 2018
Posts: 9
Received Thanks: 2
_Common\ProjectCmn.cpp
Quote:
if( strlen( szName ) >= 64 )
return TRUE;
WORLDSERVER\ItemUpgrade.cpp
Quote:
if( nPosition < 0 || nPosition >= pItemElemPet->GetPiercingSize() )
return;
_Common\MiniGameBase.h
Quote:
if(nSize > 3)
{
nSize = 3;
}
_Common\MiniGame.cpp

Quote:
int CMiniGame::Bet_FiveSystem( FLWSUserr* pUser, int nBetNum, int nBetPenya )
{
if( nBetNum < 0 || 5 < nBetNum )
return FIVESYSTEM_FAILED;

if( pUser->m_nBetFiveSystem[nBetNum] == 0 && nBetPenya == 0 )
return TRUE;
// 입찰금은 0보다 작을 수 없다.
if(nBetPenya < 0)
return FIVESYSTEM_FAILED;

// 최소 입찰금과 최대 입찰금의 범위를 벗어났을 경우 ( Client 에서 이미 검사.. )
if( ( nBetPenya < m_nBetMinPenya || nBetPenya > m_nBetMaxPenya ) && nBetPenya != 0 )
return FIVESYSTEM_NOTENOUGH;

// 입찰 또는 재입찰 금액이 부족한지 검사
DWORD nGold = pUser->GetGold() + pUser->m_nBetFiveSystem[nBetNum];
if( (int)( nGold ) < nBetPenya )
return FIVESYSTEM_NOTENOUGH;

LogItemInfo aLogItem;
aLogItem.RecvName = "FIVESYSTEM_USE";
BOOL bAddGold = TRUE;
if( 0 < pUser->m_nBetFiveSystem[nBetNum] - nBetPenya ) // 기존에 걸은것보다 적게 걸아서 보상금액
{
int nTotal = pUser->GetGold() + pUser->m_nBetFiveSystem[nBetNum] - nBetPenya;
if( nTotal < 0 ) // overflow?
{
CItemElem ItemElem;
g_dpDBClient.SendQueryPostMail( pUser->m_idPlayer, 0, ItemElem, pUser->m_nBetFiveSystem[nBetNum] - nBetPenya, (char*)GETTEXT( TID_GAME_SELLING_COST_0 ), (char*)GETTEXT( TID_MMI_FIVESYSTEM ) );
pUser->AddDefinedText( TID_GAME_MINIGAME_PENYA_POST, "" );
aLogItem.RecvName = "FIVESYSTEM_USE_POST";
bAddGold = FALSE;
}
}

if( bAddGold )
pUser->AddGold( pUser->m_nBetFiveSystem[nBetNum] - nBetPenya );

aLogItem.Action = "+";
aLogItem.SendName = pUser->GetName();
aLogItem.WorldId = pUser->GetWorld()->GetID();
aLogItem.Gold = pUser->GetGold() - ( pUser->m_nBetFiveSystem[nBetNum] - nBetPenya );
aLogItem.Gold2 = pUser->GetGold();
//aLogItem.ItemName = "SEED";
_stprintf( aLogItem.szItemName, "%d", II_GOLD_SEED1 );
aLogItem.itemNumber = pUser->m_nBetFiveSystem[nBetNum] - nBetPenya;
g_DPSrvr.OnLogItem( aLogItem );

pUser->m_nBetFiveSystem[nBetNum] = nBetPenya;
pUser->AddFiveSystemResult( FIVESYSTEM_BETOK, nBetPenya, nBetNum );

return TRUE;
}
here is some fix
Keyzen83 is offline  
Thanks
1 User
Old 02/23/2020, 22:43   #28
 
elite*gold: 90
Join Date: Dec 2019
Posts: 301
Received Thanks: 201
Quote:
Originally Posted by cookie69 View Post
At least 4 exploits are still not fixed in this version, you can corrupt the stack with bufferoverflow, set a value outside the array limit and make huge memory allocation.

Code:
- BOOL CProject::IsInvalidName( LPCSTR szName )
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
- struct __MINIGAME_EXT_PACKET : public __MINIGAME_PACKET
- int CMiniGame::Bet_FiveSystem( FLWSUser* pUser, int nBetNum, int nBetPenya )
Code:
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
How you will crash here with nPosition? its impossible? oO

It will be casted to size_t (unsigned) in GetGeneralPiercingItemID() and checked later with "m_vecGeneralPiercing.size() > Nth"

Quote:
Originally Posted by Jupsi332 View Post
there are more in dpsrvr
"There are more bugs in SOURCE but i dont tell them hihihihihi"
jooodzszsz is offline  
Thanks
1 User
Old 02/23/2020, 23:10   #29
 
cookie69's Avatar
 
elite*gold: 0
Join Date: Nov 2009
Posts: 627
Received Thanks: 684
Quote:
Originally Posted by jooodzszsz View Post
Code:
- void CItemUpgrade::RemovePetVisItem( FLWSUser* pUser, int nPosition, BOOL bExpired )
How you will crash here with nPosition? its impossible? oO

It will be casted to size_t (unsigned) in GetGeneralPiercingItemID() and checked later with "m_vecGeneralPiercing.size() > Nth"

"There are more bugs in SOURCE but i dont tell them hihihihihi"
It is not a cast, if you pass a negative Nth to FLItemElem::GetGeneralPiercingItemIDthen then Nth will stay negative.
And later in m_kPiercingOption.GetGeneralPiercingItemID the check will be successful as m_vecGeneralPiercing.size() is always bigger than a negative value.
And later you do "return m_vecGeneralPiercing.at( Nth );" which will search a value at a negative index.

This will not at 100% crash the server but can corrupt the stack and maybe crash it later or write random data into its memory.

Code:
DWORD	FLItemElem::GetGeneralPiercingItemID( const size_t Nth ) const
{
	return m_kPiercingOption.GetGeneralPiercingItemID( Nth );
}

const DWORD	FLPiercingOption::GetGeneralPiercingItemID( const size_t Nth ) const
{
	if( m_vecGeneralPiercing.empty() == false && m_vecGeneralPiercing.size() > Nth )
	{
		return m_vecGeneralPiercing.at( Nth );
	}

	return 0;
}
cookie69 is offline  
Old 02/23/2020, 23:18   #30
 
elite*gold: 90
Join Date: Dec 2019
Posts: 301
Received Thanks: 201
Quote:
Originally Posted by cookie69 View Post
It is not a cast, if you pass a negative Nth to FLItemElem::GetGeneralPiercingItemIDthen then Nth will stay negative.
And later in m_kPiercingOption.GetGeneralPiercingItemID the check will be successful as m_vecGeneralPiercing.size() is always bigger than a negative value.
And later you do "return m_vecGeneralPiercing.at( Nth );" which will search a value at a negative index.

This will not at 100% crash the server but can corrupt the stack and maybe crash it later or write random data into its memory.

Code:
DWORD	FLItemElem::GetGeneralPiercingItemID( const size_t Nth ) const
{
	return m_kPiercingOption.GetGeneralPiercingItemID( Nth );
}

const DWORD	FLPiercingOption::GetGeneralPiercingItemID( const size_t Nth ) const
{
	if( m_vecGeneralPiercing.empty() == false && m_vecGeneralPiercing.size() > Nth )
	{
		return m_vecGeneralPiercing.at( Nth );
	}

	return 0;
}


const size_t is unsigned integer, it CANT be negative!
jooodzszsz is offline  
Thanks
5 Users
Reply


Similar Threads Similar Threads
[Sharing] V21 Official Link Server (Source File for sale)
12/30/2019 - Flyff PServer Guides & Releases - 3 Replies
#removed
[Selling] FLYFF Official source V21.2
12/11/2018 - Flyff Trading - 6 Replies
NULLED



All times are GMT +2. The time now is 22:48.


Powered by vBulletin®
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Terms of Service | Abuse
Copyright ©2023 elitepvpers All Rights Reserved.