I've known about this exploit for some time (I believe I was one of the first people to discover it, I only know of a couple others who were aware of this at the time), but I never cared enough to make a fix as it didn't seem to be getting abused until recently, so my apologies for that.
The exploit works by sending a corrupted handshake response - when the server receives the handshake response from the client, it crashes upon trying to decrypt it with the RSA keys, as the payload length isn't equal to the length of the modulus, but is instead some arbitrary number. I'm not sure what ps_login I used for this, as JuuF sent me his. I've uploaded the one I used just to be sure. Anyway, here is the fix:
Code:
// Author: Cups
// Date: 31/10/2017
[ENABLE]
alloc(newmem, 128) // New memory cave used for performing the key length check
label(return) // Address to return
/* 404E60 is the CUserCrypto::KeyInit function. The keylen parameter describes the length of the RSA encrypted response from the client, which is the 2nd parameter to the function. Function parameters are stored on the stack and addressed through the EBP register, in reverse order. EBP+08 is the pointer to the second parameter (as all parameters are integers, so 4 bytes in size) */
ps_login.exe+4E84:
jmp newmem // Jump to our new memory
return:
// New memory for checking the key length
newmem:
// We overwrote this code when inserting our jump
push eax
mov ebx,ecx
mov eax,esi
// If the key length is not 128 bytes, jump to the end of the function and do nothing
cmp ecx,80
jne ps_login.exe+4FAE
// Key is valid, continue processing as normal
jmp return
[DISABLE]
dealloc(newmem)
ps_login.exe+4E84:
push eax
mov ebx,ecx
mov eax,esi
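To make the point of the patch above concrete outside a debugger: the server must refuse a handshake response whose byte length is not exactly the modulus length before it ever hands the buffer to the RSA routine. The following is an added Python illustration, not code from this thread or from ps_login; the key is a constructed toy RSA key (the classic p=61, q=53 textbook values) so the modulus is 2 bytes rather than the 128 bytes the CE script checks for, and the names `key_init`, `encrypt_handshake` and `modulus_length` are my own. The check is exact equality, as in `cmp ecx,80 / jne`: an upper-bound-only check would still let a short payload through.

```python
# Constructed toy RSA key (NOT a real key): the classic textbook values.
# Only the length check matters here; key strength does not.
P = 61
Q = 53
N = P * Q        # 3233
E = 17
D = 2753         # E * D == 1 (mod lcm(P-1, Q-1))


def modulus_length(n: int) -> int:
    """Byte length of the modulus: 2 for the toy key, 128 for a 1024-bit key."""
    return (n.bit_length() + 7) // 8


def encrypt_handshake(plaintext: bytes, n: int = N, e: int = E) -> bytes:
    """Client side: raw RSA of the handshake value, padded to modulus length."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext does not fit under the modulus")
    c = pow(m, e, n)
    return c.to_bytes(modulus_length(n), "big")


def key_init(payload: bytes, n: int = N, d: int = D):
    """Server side, mirroring the patched KeyInit (hypothetical name).

    Returns the decrypted handshake bytes, or None when the payload must be
    dropped. The length test runs before any arithmetic touches the buffer,
    which is exactly what the jne to the function's exit achieves in the patch.
    """
    expected = modulus_length(n)
    if len(payload) != expected:          # too short OR too long -> reject
        return None
    c = int.from_bytes(payload, "big")
    if c >= n:                            # not a valid ciphertext under n
        return None
    m = pow(c, d, n)
    return m.to_bytes(expected, "big")


def classify(payload: bytes, n: int = N) -> str:
    """Human-readable verdict, useful when logging dropped handshakes."""
    expected = modulus_length(n)
    if len(payload) < expected:
        return "too_short"
    if len(payload) > expected:
        return "too_long"
    return "ok"


if __name__ == "__main__":
    good = encrypt_handshake(b"\x00\x41")      # constructed handshake value
    print(classify(good), key_init(good))
    print(classify(good[:1]), key_init(good[:1]))           # short payload
    print(classify(b"\x00" + good), key_init(b"\x00" + good))  # long payload
```

Only the length and range checks are the lesson; with the real 1024-bit key `modulus_length` returns 128, matching the `80` (hex) in the script.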
A bit easier fix:
Code:
[ENABLE]
"ps_login.exe"+4542:
jne ps_login.exe+44BE
[DISABLE]
"ps_login.exe"+4542:
ja ps_login.exe+44BE
A bit easier in terms of code length perhaps, but I wanted to make sure people knew WHY the server was crashing, not just apply some arbitrary fix and call it a day.
Is this the one nubness made a new ps_login.exe file from? Because we have a new one that pauses the login now, in May 2018, that killed many servers. Just have to know what this stops :-)
The new exploit creates a lot of faulty accounts online and overloads the number of users you can have in game.
Are you sure that they create accounts? I had this problem 1 or 2 years ago. They spam the login server with packets so nobody can log in because 5000/5000 players are logged in.
If you mean this, there is a simple solution.
Regards
Yes, they aren't creating accounts. The exploit makes it so the login gets full of "dummy" accounts, so if you're being attacked by it, try doing /uc and you'll see a large amount online, in the thousands.
Thanks,
What's the fix for this issue?
The culprit wants to sell it to me, but I am legit broke and don't pay extortion anyway.
It's enough that I scrape together the server payments and run donation free.