PS_Login Handshake Exploit Fix

Old   #1



 
elite*gold: 709
Join Date: Mar 2015
Posts: 78
Received Thanks: 894
PS_Login Handshake Exploit Fix

I've known about this exploit for some time (I believe I was one of the first people to discover it; I only know of a couple of others who were aware of it at the time), but I never cared enough to make a fix, as it didn't seem to be getting abused until recently, so my apologies for that.

The exploit works by sending a corrupted handshake response: when the server receives the handshake response from the client, it crashes upon trying to decrypt it with the RSA keys, as the payload length isn't equal to the length of the modulus but is instead some arbitrary number. I'm not sure which ps_login I used for this, as JuuF sent me his. I've uploaded the one I used just to be sure. Anyway, here is the fix:

Code:
// Author: Cups
// Date: 31/10/2017
[ENABLE]
alloc(newmem, 128) // New memory cave used for performing the key length check
label(return) // Address to return to

/* 404E60 is the CUserCrypto::KeyInit function. The keylen parameter describes the length of the RSA encrypted response from the client, which is the 2nd parameter to the function. Function parameters are addressed relative to the EBP register, in reverse order; EBP+08 is the pointer to the second parameter (all parameters are integers, so 4 bytes in size). At the hook below the key length is already in ECX, so that is what the check compares. */
ps_login.exe+4E84:
jmp newmem // Jump to our new memory (the 5 bytes this jmp overwrites are re-executed in newmem)
return:

// New memory for checking the key length
newmem:

// We overwrote this code when inserting our jump
push eax
mov ebx,ecx
mov eax,esi

// If the key length is not 128 bytes (80 hex; Cheat Engine treats numbers as hex), jump to the end of the function and do nothing
cmp ecx,80
jne ps_login.exe+4FAE

// Key is valid, continue processing as normal
jmp return

[DISABLE]
dealloc(newmem)

// Restore the original instructions
ps_login.exe+4E84:
push eax
mov ebx,ecx
mov eax,esi
Attached Files
File Type: zip ps_login.zip (151.1 KB, 164 views)



Cups is offline  
Thanks
28 Users
Old   #2
 
elite*gold: 0
Join Date: Feb 2011
Posts: 163
Received Thanks: 193
A bit easier fix:

Code:
[ENABLE]
"ps_login.exe"+4542:
jne ps_login.exe+44BE

[DISABLE]
"ps_login.exe"+4542:
ja ps_login.exe+44BE


anton1312 is offline  
Thanks
9 Users
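To show what the two fixes above amount to on the server side, here is an added example (not code from this thread and not ps_login's own code) of a login-server handshake handler that checks the RSA payload length before decrypting. It models the check Cups' script inserts at CUserCrypto::KeyInit and the point of anton1312's ja-to-jne change: the comparison is an equality, so a block that is too short is rejected just like one that is too long. The wire format (a u16 length followed by the RSA block), the toy key and the session-key layout are all constructed for the demo; the real ps_login format is not described in the thread.

```python
# Added example, not ps_login's code: hardened handshake handling in Python.
# Everything below the key constants is modelled on the thread's description
# (payload length must equal the RSA modulus length), not on the real binary.
import struct

# Toy RSA key from two Mersenne primes so the example runs offline.
# 92-bit modulus (12 bytes): far too small for real use, fine for the demo.
DEMO_P = (1 << 61) - 1
DEMO_Q = (1 << 31) - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))  # Python 3.8+


class HandshakeError(ValueError):
    """Any malformed handshake: the server drops the client instead of crashing."""


def modulus_bytes(n: int) -> int:
    """Byte width of the modulus, the only legal RSA block size (0x80 for RSA-1024)."""
    return (n.bit_length() + 7) // 8


def rsa_encrypt_block(n: int, e: int, plaintext: bytes) -> bytes:
    """Client side: textbook RSA of one block, always modulus_bytes(n) wide."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext block must be smaller than the modulus")
    return pow(m, e, n).to_bytes(modulus_bytes(n), "big")


def key_init(n: int, d: int, payload: bytes) -> bytes:
    """Hardened KeyInit: refuse any payload that is not exactly one RSA block."""
    k = modulus_bytes(n)
    # Equality check (cmp ecx,80 / jne): a short block is as invalid as a long one,
    # which an upper-bound-only check (ja) would have let through.
    if len(payload) != k:
        raise HandshakeError(f"payload is {len(payload)} bytes, expected {k}")
    c = int.from_bytes(payload, "big")
    if c >= n:  # a block of the right width can still encode an integer >= n
        raise HandshakeError("ciphertext is not a valid RSA block")
    return pow(c, d, n).to_bytes(k, "big")


def build_handshake_response(n: int, e: int, session_key: bytes) -> bytes:
    """Constructed wire format: u16 little-endian body length, then the RSA block."""
    body = rsa_encrypt_block(n, e, session_key)
    return struct.pack("<H", len(body)) + body


def handle_handshake_response(n: int, d: int, packet: bytes):
    """Server side. Returns (True, decrypted block) or (False, reason)."""
    try:
        if len(packet) < 2:
            raise HandshakeError("truncated header")
        (declared,) = struct.unpack_from("<H", packet, 0)
        body = packet[2:]
        if declared != len(body):
            raise HandshakeError(f"header says {declared} bytes, got {len(body)}")
        return True, key_init(n, d, body)
    except HandshakeError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = bytes(range(1, 12))  # constructed 11-byte session key, narrower than the modulus
    good = build_handshake_response(DEMO_N, DEMO_E, key)
    print("accept :", handle_handshake_response(DEMO_N, DEMO_D, good))
    for bad in (b"\xc8\x00" + b"A" * 200,   # oversized: the crash case from the thread
                b"\x04\x00" + b"ABCD",       # undersized: only jne, not ja, catches this
                b"\x0c\x00" + b"A" * 5):     # header length does not match the body
        print("reject :", handle_handshake_response(DEMO_N, DEMO_D, bad))
```

The decrypted block comes back padded to the modulus width, so the 11-byte session key is returned with a leading zero byte; a real server would then strip its padding scheme, which the thread does not describe.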
Old   #3



 
elite*gold: 709
Join Date: Mar 2015
Posts: 78
Received Thanks: 894
Quote:
Originally Posted by anton1312
A bit easier fix:

Code:
[ENABLE]
"ps_login.exe"+4542:
jne ps_login.exe+44BE

[DISABLE]
"ps_login.exe"+4542:
ja ps_login.exe+44BE
A bit easier in terms of code length perhaps, but I wanted to make sure people knew WHY the server was crashing, not just apply some arbitrary fix and call it a day.
Cups is offline  
Thanks
11 Users
Old   #4
 
elite*gold: 0
Join Date: Nov 2017
Posts: 83
Received Thanks: 126
It will now be safer in servers, thanks.


XareL is offline  
Old   #5
 
elite*gold: 0
Join Date: Jul 2016
Posts: 29
Received Thanks: 13
ty
Propice is offline  
Old   #6
 
elite*gold: 0
Join Date: Jun 2017
Posts: 19
Received Thanks: 2
ps_login link?
mr.hellraven is offline  
Old   #7
 
elite*gold: 0
Join Date: Nov 2012
Posts: 306
Received Thanks: 143
Is this the one nubness made a new ps_login.exe file from? Because we have a new one now, in May 2018, that pauses the login and has killed many servers. I just have to know what this stops :-)
GMCronus is offline  
Old   #8
 
elite*gold: 0
Join Date: Jan 2016
Posts: 295
Received Thanks: 214
Quote:
Originally Posted by GMCronus
Is this the one nubness made a new ps_login.exe file from? Because we have a new one now, in May 2018, that pauses the login and has killed many servers. I just have to know what this stops :-)
The new exploit creates a lot of faulty accounts online and overloads the number of users you can have in game.
Spectral#1 is offline  
Thanks
1 User
Old   #9
 
elite*gold: 0
Join Date: Nov 2012
Posts: 306
Received Thanks: 143
Is this the fix, or is it not a fix?
GMCronus is offline  
Old   #10

 
elite*gold: 120
Join Date: Mar 2013
Posts: 687
Received Thanks: 228
Quote:
Originally Posted by Spectral#1 View Post
The new exploit creates a lot of faulty accounts online and overloads the number of users you can have in game.
Are you sure that they create accounts? I had this problem 1 or 2 years ago. They spam the login server with packets so nobody can log in, because 5000/5000 players are logged in.

If you mean this, there is a simple solution.

Regards
.:Skrillex:. is offline  
Old   #11
 
elite*gold: 0
Join Date: Jan 2016
Posts: 295
Received Thanks: 214
Quote:
Originally Posted by .:Skrillex:.
Are you sure that they create accounts? I had this problem 1 or 2 years ago. They spam the login server with packets so nobody can log in, because 5000/5000 players are logged in.

If you mean this, there is a simple solution.

Regards
Yes, they aren't creating accounts. The exploit makes it so the login gets full of "dummy" accounts, so if you're being attacked by it, try doing /uc and you'll see a large number online, in the thousands.
Spectral#1 is offline  
Thanks
1 User
Old   #12
 
elite*gold: 0
Join Date: Jun 2009
Posts: 270
Received Thanks: 234
Quote:
Originally Posted by Spectral#1
Yes, they aren't creating accounts. The exploit makes it so the login gets full of "dummy" accounts, so if you're being attacked by it, try doing /uc and you'll see a large number online, in the thousands.
Thanks,

What's the fix for this issue?

The culprit wants to sell it to me, but I am legit broke and don't pay extortion anyway.

It's enough that I scrape together the server payments and run donation free.

Help would be appreciated greatly.
SafeBett is offline  
Old   #13

 
elite*gold: 120
Join Date: Mar 2013
Posts: 687
Received Thanks: 228
Quote:
Originally Posted by SafeBett
Thanks,

What's the fix for this issue?

The culprit wants to sell it to me, but I am legit broke and don't pay extortion anyway.

It's enough that I scrape together the server payments and run donation free.

Help would be appreciated greatly.
This kind of attack is 2+ years old. I asked about it 2 years ago.

https://www.elitepvpers.com/forum/sh...-flooding.html

The fix in this thread is for the handshake response. Like:

NOT FIXED:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: **** I need to go down.

Fixed way:
Good way:
Client: Hello This is real Shaiya Client.
Server: Great! Come In!

Bad Way:
Client: Hello this is faked Client for crashing.
Server: GO AWAY! You cannot come in here!


This is explained for """stupid""" :P dudes.

Regards^^


.:Skrillex:. is offline  