|
There is already a fix in the Shaiya Discord community.
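[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
//
// Hook at ps_game.exe+7F4BA; ebx = the chat packet being handled.
// The chat text is scanned for the "<<" marker; when it is found the hook
// leaves through ps_game.exe+7FC4C (the original script jumped to the absolute
// address 0047FC4C, which is the same place for a module base of 00400000)
// instead of running the original instruction.
//
// Numbers are hex (auto assembler default).
// Packet layout as used here: word at +0 = opcode. For opcode 1102 (bytes 02 11,
// private message) the text starts at +18, for every other chat at +3. The byte
// just before the text is used as its length, as the ps_game.exe+74963 script on
// this page does for the same offsets - confirm against the packet definition.
// The scan stops at the declared length (or an earlier NUL) so a malformed
// packet without a terminator can no longer make it read past the buffer.
// Registers and flags are saved before the opcode compare and restored on every
// exit, so the original instruction sees the same state as without the hook.
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(scan_setup)
label(scan_loop)
label(scan_done)
label(scan_kick)
newmem: //this is allocated memory, you have read,write,execute access
pushad
pushfd                           // saved before the compare below so the caller's flags survive
mov ebp,2                        // normal chat: length byte at +2, text at +3
cmp word ptr [ebx],1102          // 02 11 = private message: length byte at +17, text at +18
jne scan_setup
mov ebp,17
scan_setup:
movzx edi,byte ptr [ebx+ebp]     // declared text length (zero-extended)
add edi,ebp                      // ebp stays below edi while a 2-byte compare still fits inside the text
inc ebp                          // ebp = first text byte
scan_loop:
cmp ebp,edi
jae scan_done                    // declared end reached: nothing more to check
cmp byte ptr [ebx+ebp],0
je scan_done                     // NUL ends the text early
cmp word ptr [ebx+ebp],3C3C      // "<<"
je scan_kick
inc ebp
jmp scan_loop
scan_done:
popfd
popad
jmp originalcode
scan_kick:
popfd
popad
jmp ps_game.exe+7FC4C            // kick path; module-relative so it still resolves if the image is relocated
originalcode:
movzx eax,byte ptr [eax+ps_game.exe+7FCA8]
exit:
jmp returnhere
"ps_game.exe"+7F4BA:
jmp newmem
nop 2
returnhere: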
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Release the hook memory and put the original 7-byte instruction back at the
// hook address; the 5-byte jmp plus 2-byte nop written on enable covered exactly these bytes.
dealloc(newmem)
"ps_game.exe"+7F4BA:
movzx eax,byte ptr [eax+ps_game.exe+7FCA8]
//Alt: db 0F B6 80 A8 FC 47 00
// (the byte form carries the absolute address 0047FCA8 in its last four bytes,
//  i.e. it assumes a module base of 00400000; the mnemonic form above is
//  resolved against the module when the script is applied)
or
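[ENABLE]
// Hook at ps_game.exe+74963; edx = the packet being handled.
// Player chat, GM chat and market-name packets are passed through
// search_for_exploit_string; on a hit the hook leaves through ps_game.exe+74D75
// (the original script used the absolute address 00474D75, the same place for a
// module base of 00400000). Numbers are hex (auto assembler default).
// The original instruction is itself a cmp, so the compares done before
// originalcode do not need the flags saved.
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(normal_chat)
label(pm_chat)
label(search_for_exploit_string)
label(search_for_exploit_string_loop)
label(search_for_exploit_string_exit)
label(search_for_exploit_string_return_loop)
newmem:
cmp byte ptr [edx+01],11 // player chat
je normal_chat
cmp byte ptr [edx+01],F1 // admin/gm chat
je normal_chat
cmp word ptr [edx],2303 // player market name
je normal_chat
jmp originalcode
normal_chat:
cmp byte ptr [edx],02
je pm_chat
push ebx
push eax
mov eax,02                     // offset of the length byte of a normal chat message
call search_for_exploit_string
cmp eax,01
pop eax
pop ebx
je ps_game.exe+74D75           // marker found: kick path (module-relative)
jmp originalcode
pm_chat:
push ebx
push eax
mov eax,17                     // offset of the length byte of a private message
call search_for_exploit_string
cmp eax,01
pop eax
pop ebx
je ps_game.exe+74D75           // marker found: kick path (module-relative)
jmp originalcode
// search_for_exploit_string
// In:       edx = packet, eax = offset of the 1-byte text length; the text follows it
// Out:      eax = 01 when "<<", a byte above '1' two bytes later and 'c' five
//           bytes later are found inside the text, else 00
// Clobbers: ebx, flags (callers save eax/ebx around the call)
search_for_exploit_string:
movzx ebx,byte ptr [edx+eax]   // zero-extend the length: the old 8-bit add into bl wrapped for long private messages and skipped the scan entirely
cmp ebx,09
jb search_for_exploit_string_exit   // too short to contain the pattern
add ebx,eax
sub ebx,04                     // ebx = text end - 5, so the [+05] read below never leaves the text
inc eax                        // start at the first text byte, not at the length byte
search_for_exploit_string_loop:
cmp eax,ebx
jae search_for_exploit_string_exit
cmp word ptr [edx+eax],3C3C    // "<<"
jne search_for_exploit_string_return_loop
cmp byte ptr [edx+eax+05],63   // 'c'
jne search_for_exploit_string_return_loop
cmp byte ptr [edx+eax+02],31   // must be above '1'
jbe search_for_exploit_string_return_loop
mov eax,01
ret
search_for_exploit_string_return_loop:
inc eax
jmp search_for_exploit_string_loop
search_for_exploit_string_exit:
mov eax,00
ret
originalcode:
cmp eax,esi
jne ps_game.exe+74A80
exit:
jmp returnhere
"ps_game.exe"+74963:
jmp newmem
nop 3
returnhere: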
[DISABLE]
// Release the hook memory and restore the original 8 bytes at ps_game.exe+74963
// (cmp eax,esi = 2 bytes, jne rel32 = 6 bytes), which the 5-byte jmp plus nop 3
// replaced on enable. The jne is reassembled here, so its relative target is correct.
dealloc(newmem)
"ps_game.exe"+74963:
cmp eax,esi
jne ps_game.exe+74A80
For market
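[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
//
// Hook at ps_game.exe+74963, market-name variant; edx = the packet being handled.
// For opcode 2303 (player market name) the text at +3 is scanned for the "<<"
// marker; on a hit ps_game.exe+EC760 is called as in the original script and the
// hook leaves through the kick path ps_game.exe+74D75 (the original used the
// absolute address 00474D75, the same place for a module base of 00400000).
//
// Numbers are hex (auto assembler default).
// The byte at +2 is used as the text length, as the 74963 chat script on this
// page does for opcode 2303 - confirm against the packet definition. The scan
// stops at that length (or an earlier NUL) so a packet without a terminator can
// no longer make it read past the buffer.
// The original instruction is a cmp, so the opcode compare before pushfd does not
// need the flags preserved.
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(scan_loop)
label(scan_done)
label(scan_kick)
newmem: //this is allocated memory, you have read,write,execute access
cmp word ptr [edx],2303          // anything but a market-name packet is left alone
jne originalcode
pushad
pushfd
movzx edi,byte ptr [edx+02]      // declared text length (zero-extended)
add edi,02                       // ebp stays below edi while a 2-byte compare still fits inside the text
mov ebp,03                       // ebp = first text byte
scan_loop:
cmp ebp,edi
jae scan_done                    // declared end reached: nothing more to check
cmp byte ptr [edx+ebp],0
je scan_done                     // NUL ends the text early
cmp word ptr [edx+ebp],3C3C      // "<<"
je scan_kick
inc ebp
jmp scan_loop
scan_done:
popfd
popad
jmp originalcode
scan_kick:
popfd
popad
push 00
push 09
mov ecx,ebx                      // ecx = ebx as found at the hook, passed as the callee's this pointer
call ps_game.exe+EC760           // NOTE(review): the two pushed arguments are not popped here - assumes the callee removes them; confirm
jmp ps_game.exe+74D75            // kick path; module-relative so it still resolves if the image is relocated
originalcode:
cmp eax,esi
jne ps_game.exe+74A80
exit:
jmp returnhere
"ps_game.exe"+74963:
jmp newmem
nop 3
returnhere: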
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Release the hook memory and restore the original 8 bytes at ps_game.exe+74963
// (cmp eax,esi = 2 bytes, jne rel32 = 6 bytes), which the 5-byte jmp plus nop 3
// replaced on enable.
dealloc(newmem)
"ps_game.exe"+74963:
cmp eax,esi
jne ps_game.exe+74A80
//Alt: db 3B C6 0F 85 15 01 00 00
// (the jne here is a relative jump, so the byte form is position independent
//  and equivalent to the mnemonic form above)
|