[Fix] Create item with Guild Cloak
Discussion on [Fix] Create item with Guild Cloak within the Flyff PServer Guides & Releases forum part of the Flyff Private Server category.
04/29/2020, 15:08
|
#1
|
elite*gold: 28
Join Date: Feb 2010
Posts: 463
Received Thanks: 277
|
[Fix] Create item with Guild Cloak
1. Fix the Overflow
In the function "CDPCacheSrvr::OnGuildPenya" in the file CoreServer/DPCacheSrvr.cpp, add the following "check".
Code:
if( dwType < 0 || dwType >= MAX_GM_LEVEL )
    return;
2. Fix the Creation of the Guild Cloak
In the function "CDPSrvr::OnCreateGuildCloak" in the file WorldServer/DPSrvr.cpp, change this code.
Code:
if( pGuild->m_dwLogo == 0 || pGuild->IsMaster( pUser->m_idPlayer ) == FALSE )
{
    if( pGuild->m_dwLogo == 0 )
    {
        pUser->AddDefinedText( TID_GAME_GUILDSETTINGLOGO, "" );
    }
    else
    {
        pUser->AddDefinedText( TID_GAME_GUILDONLYMASTERLOGO, "" );
    }
    return;
}
To this one:
Code:
if( pGuild->m_dwLogo == 0 || pGuild->m_dwLogo > 20 || pGuild->IsMaster( pUser->m_idPlayer ) == FALSE )
{
    if( pGuild->m_dwLogo == 0 )
    {
        pUser->AddDefinedText( TID_GAME_GUILDSETTINGLOGO, "" );
    }
    else
    {
        pUser->AddDefinedText( TID_GAME_GUILDONLYMASTERLOGO, "" );
    }
    return;
}
3. Clear the Guild Logo
Use the following request on the CHARACTER_01_DBF.
Code:
UPDATE GUILD_TBL SET m_dwLogo = '0' where m_dwLogo > 20
4.1 How to find items created with the Guild Cloak System
Use the following request on the LOGGING_01_DBF.
Code:
SELECT m_idGuild, m_idPlayer, serverindex, m_Item, State, s_date, Item_count, Item_UniqueNo, SEQ
FROM LOG_GUILD_BANK_TBL
WHERE (State = 'C') AND (m_Item > 5000)
Each result found is an "Exploit" item.
4.2 How to find items created with the Guild Cloak System
When an item is created by the Guild Cloak System, an "m_idGuild" parameter is assigned to it.
You will have to check the "pItemElem->m_idGuild" of each item that isn't a Cloak to find what has been created using this exploit.
You can use many different methods, like using the "GetOneItem" function, or simply add code to remove items that aren't cloaks but have an m_idGuild param != 0.
|
|
|
04/29/2020, 16:19
|
#2
|
elite*gold: 0
Join Date: Mar 2008
Posts: 665
Received Thanks: 230
|
The first fix is correct, although you don't need to check for a negative value, it is unsigned...
Code:
if( dwType >= MAX_GM_LEVEL )
    return;
As for the second fix I don't understand it. The logo is set on CDPSrvr::OnGuildLogo() and it checks for limits.
Code:
if( dwLogo > CUSTOM_LOGO_MAX )
    return;
if( dwLogo > 20 && !pUser->IsAuthHigher( AUTH_GAMEMASTER ) )
    return;
Then we have in function CDPSrvr::OnCreateGuildCloak, a function that doesn't serialize any value and takes the cloak creation based on guild logo.
Code:
itemElem.m_dwItemId = ITEM_INDEX( 4602, II_ARM_S_CLO_CLO_SYSCLOAK01 ) + (pGuild->m_dwLogo - 1);
Unless you changed something in your code to make it exploitable I don't see anything that needs to get fixed there.
|
|
|
04/29/2020, 16:37
|
#3
|
elite*gold: 28
Join Date: Feb 2010
Posts: 463
Received Thanks: 277
|
Quote:
Originally Posted by alfredico
CDPSrvr::OnGuildLogo() and it checks for limits.
Code:
if( dwLogo > CUSTOM_LOGO_MAX )
    return;
if( dwLogo > 20 && !pUser->IsAuthHigher( AUTH_GAMEMASTER ) )
    return;
Then we have in function CDPSrvr::OnCreateGuildCloak, a function that doesn't serialize any value and takes the cloak creation based on guild logo.
Code:
itemElem.m_dwItemId = ITEM_INDEX( 4602, II_ARM_S_CLO_CLO_SYSCLOAK01 ) + (pGuild->m_dwLogo - 1);
Unless you changed something in your code to make it exploitable I don't see anything that needs to get fixed there.
|
The fix is related to:
We do not use "OnGuildLogo" to change the logo value, we use OnGuildPenya to make an overflow, because "dwType" isn't checked.
Quote from "jooodzszsz"
Quote:
Send:
dwType = 6
dwPenya = 21855
This would write "pGuild->m_adwPenya[6] = 21855;". As you can see in CGuild class, m_adwPenya has just 5 DWORDs, using 6 overflows it and overwrites m_dwLogo with 21855.
Now you just need to create a Guild Cloak for 10k penya.
"itemElem.m_dwItemId = II_ARM_S_CLO_CLO_SYSCLOAK01 + (pGuild->m_dwLogo - 1);"
As you can see they decrease m_dwLogo by 1 and add 4602 (itemid - 4601)
|
|
|
|
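The two checks discussed in this thread, as an added example that is not part of any post or of the Flyff source: a bounds check on the client-supplied slot index, plus a range check on the logo before an item id is derived from it. The `Guild` struct is a simplified, hypothetical stand-in for CGuild, `dwOther` and the function names are invented for illustration, and `MAX_GM_LEVEL = 5` is an assumption taken from the "5 DWORDs" remark above.

```cpp
#include <cstddef>
#include <cstdint>

// Simplified stand-in for CGuild (hypothetical layout): five penya slots, one
// unrelated DWORD, then the logo, so that slot index 6 lands on dwLogo.
constexpr uint32_t MAX_GM_LEVEL   = 5;     // assumed from "m_adwPenya has just 5 DWORDs"
constexpr uint32_t MAX_CLOAK_LOGO = 20;    // upper bound used by the cloak fix
constexpr uint32_t CLOAK_BASE_ID  = 4602;  // base cloak item id quoted in the thread

struct Guild {
    uint32_t adwPenya[MAX_GM_LEVEL];
    uint32_t dwOther;  // hypothetical member between the array and the logo
    uint32_t dwLogo;
};
static_assert(sizeof(Guild::adwPenya) / sizeof(uint32_t) == MAX_GM_LEVEL,
              "bounds constant must match the array it guards");

// Reports, without writing anything, whether slot `idx` would land on dwLogo.
bool SlotAliasesLogo(uint32_t idx) {
    return offsetof(Guild, adwPenya) + idx * sizeof(uint32_t) == offsetof(Guild, dwLogo);
}

// Hardened handler: the client-supplied index is validated before it is used.
bool SetGuildPenya(Guild& g, uint32_t dwType, uint32_t dwPenya) {
    if (dwType >= MAX_GM_LEVEL)  // unsigned value, so no "< 0" test is needed
        return false;
    g.adwPenya[dwType] = dwPenya;
    return true;
}

// Defence in depth: refuse to derive an item id from an out-of-range logo.
// Returns 0 when no cloak may be created.
uint32_t CloakItemId(const Guild& g) {
    if (g.dwLogo == 0 || g.dwLogo > MAX_CLOAK_LOGO)
        return 0;
    return CLOAK_BASE_ID + (g.dwLogo - 1);
}

int main() {
    Guild g{};
    g.dwLogo = 3;
    bool rejected = !SetGuildPenya(g, 6, 21855);  // values quoted in the thread
    return (rejected && g.dwLogo == 3 && CloakItemId(g) == 4604) ? 0 : 1;
}
```

The `static_assert` ties the bounds constant to the array size, so a later change to one without the other fails at compile time.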
04/29/2020, 16:45
|
#4
|
elite*gold: 117
Join Date: Jan 2008
Posts: 790
Received Thanks: 992
|
I expected a bit more knowledge from someone with 'Systems&Exploits' shop in the signature. I smell a leech-collection lmao.
At first I'd advise you to get some basic knowledge about exploits, and especially their methods.
Also leaving the Cloak Create function like this is - if everything is fine on all code sections - ok, but being honest, a stupid idea to be lazy enough for this few code parts to add, just for an extra layer of security.
Back to topic:
Great release, I'm sure there'll be a few less servers I can raid on their launch now lmao.
Gj
|
|
|
04/29/2020, 18:27
|
#5
|
elite*gold: 0
Join Date: Mar 2008
Posts: 665
Received Thanks: 230
|
Quote:
Originally Posted by ZeroTwo02
The fix is related to:
We do not use "OnGuildLogo" to change the logo value, we use OnGuildPenya to make an overflow, because "dwType" isn't checked.
Quote from "jooodzszsz"
|
I was aware of this exploit, although not about overflowing the m_dwLogo but to crash the server. I ran a quick test and I can confirm it works as @  says except my client crashes because of the new logo texture. With sending the penya value of 21855, you should be able to create perins (21855 + 4602 - 1) = 26456.
Quote:
Originally Posted by netHoxInc
I expected a bit more knowledge from someone with 'Systems&Exploits' shop in the signature. I smell a leech-collection lmao.
At first I'd advise you to get some basic knowledge about exploits, and especially their methods.
Also leaving the Cloak Create function like this is - if everything is fine on all code sections - ok, but being honest, a stupid idea to be lazy enough for this few code parts to add, just for an extra layer of security.
Back to topic:
Great release, I'm sure there'll be a few less servers I can raid on their launch now lmao.
Gj 
|
First of all, I didn't know the fixes were related and I tend to mistrust when I see fails, like checking a negative value in a DWORD and a post with just copy&paste of data without any explanation about the exploit.
To be honest, I don't understand the mocking part about me in your post and judging my capabilities, you could've kept that part for yourself. I truly know you have way more knowledge in exploiting than I, it's more that I prefer to spend my time working on something productive rather than looking for vulnerabilities and new open servers for making hacks, exploits and causing problems to other people.
|
|
|
04/29/2020, 20:11
|
#6
|
elite*gold: 0
Join Date: Aug 2015
Posts: 54
Received Thanks: 17
|
Quote:
Originally Posted by alfredico
To be honest, I don't understand the mocking part about me in your post and judging my capabilities, you could've kept that part for yourself. I truly know you have way more knowledge in exploiting than I, it's more that I prefer to spend my time working on something productive rather than looking for vulnerabilities and new open servers for making hacks, exploits and causing problems to other people.
|
Why new hacks and exploits = problems for other people?
I guess it's work for them, it's ideas, updates and other things.
At least it's an improvement of Flyff.
Every time adding something new, with new bugs.
And without any 'help' in searching, maybe no one in 2020 would know about the CE stathack.
I'm not saying that it is very nice, but the more guys know, the faster it will be fixed. And at least new servers become safer.
|
|
|
04/30/2020, 12:14
|
#7
|
elite*gold: 0
Join Date: Mar 2013
Posts: 227
Received Thanks: 99
|
Quote:
Originally Posted by B1ackSnow
Why new hacks and exploits = problems for other people?
I guess it's work for them, it's ideas, updates and other things.
At least it's an improvement of Flyff.
Every time adding something new, with new bugs.
And without any 'help' in searching, maybe no one in 2020 would know about the CE stathack.
I'm not saying that it is very nice, but the more guys know, the faster it will be fixed. And at least new servers become safer.
|
A destructive way of improving.
You could also sell your knowledge by selling fixes. But this way you would only potentially make money with 5% of the FlyFF Community (the Admins), not with the remaining part (the players). You're kissing *** so much with this post.
|
|
|
04/30/2020, 14:15
|
#8
|
elite*gold: 117
Join Date: Jan 2008
Posts: 790
Received Thanks: 992
|
Guess we won the bet. Epvp is so predictable. @
|
|
|
04/30/2020, 14:40
|
#9
|
elite*gold: 0
Join Date: Aug 2015
Posts: 54
Received Thanks: 17
|
Quote:
Originally Posted by .S0ulSeller
A destructive way of improving.
You could also sell your knowledge by selling fixes. But this way you would only potentially make money with 5% of the FlyFF Community (the Admins), not with the remaining part (the players). You're kissing *** so much with this post.
|
Well, I have bad news for you, my friend, but not about it.
If you can't understand the sense of my post, you have not to answer me with that rudeness.
|
|
|
04/30/2020, 14:51
|
#10
|
elite*gold: 117
Join Date: Jan 2008
Posts: 790
Received Thanks: 992
|
He's a perfect example on how I see the epvp community lmao.
But who am I to talk, I fit in the scheme just well enough haha.
Good day, and happy beefing lmao
|
|
|