Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Is possible to exploit rand() remotely?
Posted: 22 Jun 2010 06:47

Joined: 22 Jun 2010 06:34
Posts: 2
Hi Luigi, I play a game that contains a system that allows a player to create items.

This game feature works like this: the player tries to create an item in the Machine NPC, and if he is lucky the item will be created, otherwise the item is not created.

By debugging the gameserver.exe I noticed that it uses the rand() function to calculate the success rate:
if the function returns a number below 40, the creation of the item fails. Otherwise it succeeds.

My question is, is it possible to exploit the rand() function remotely, by sending packets to the server or by any other method that you know of?

Regards


 
 
 Post subject: Re: Is possible to exploit rand() remotely?
Posted: 26 Jun 2010 23:12

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Although rand can be predicted in some specific situations (like fulltiltpwd on my website), in any case you need to know some information to which you don't have access remotely.
So, no, you can do nothing.


 
 Post subject: Re: Is possible to exploit rand() remotely?
Posted: 27 Jun 2010 11:31

Joined: 22 Jun 2010 06:34
Posts: 2
aluigi, thank you for your answer, if you say that then I have no hopes to continue trying the impossible hehe

I took a look at your code and there is a similarity between my gameserver rand() code and yours:
both use the same calculation that you presented in your comments:
Code:
// why rand works?
// simple, because it's a fixed function and not real random stuff:
//    seed = (seed * 0x343fd) + 0x269ec3;
//    return((seed >> 16) & 0x7fff);


rand() function of my gs.exe:
Code:
006168E4  /$ E>CALL GameServ.0061B7F0
006168E9  |. 8>MOV ECX,DWORD PTR DS:[EAX+14]   ; ecx = rand_ctx->dwSeed; // it's always initialized to 1
006168EC  |. 6>IMUL ECX,ECX,343FD
006168F2  |. 8>ADD ECX,269EC3
006168F8  |. 8>MOV DWORD PTR DS:[EAX+14],ECX   ; save the generated number into rand_ctx->dwSeed;
006168FB  |. 8>MOV EAX,ECX                     ; do some more calcs and return the rand number in eax
006168FD  |. C>SHR EAX,10                      ; ..
00616900  |. 2>AND EAX,7FFF                    ; ..
00616905  \. C>RETN


I understand now why it's practically impossible to predict the next random value in my case: the function above may be called by gs.exe for everything any player does or any event that occurs in game (for ex: a player1 tries to create an item before us, or the function is called to show the next coordinate of where a monster will respawn etc...), we have really no control and we don't know when that function will be called. :(


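An added example, not part of the original posts and not Luigi's fulltiltpwd code: the generator quoted in the thread, written in C, with a check of how much an observer has to know before it becomes predictable. It assumes five consecutive raw outputs are visible, which is the kind of information the thread concludes a remote player does not have; `recover_state`, `demo` and the seed `0xC0FFEE` are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Generator quoted in the thread; same constants as the gs.exe listing. */
static uint32_t lcg_next(uint32_t *seed) {
    *seed = *seed * 0x343fdu + 0x269ec3u;
    return (*seed >> 16) & 0x7fff;
}

/* Count the internal states consistent with n consecutive outputs.
 * Bits 16..30 of the state are out[0] itself and bit 31 never reaches an
 * output, so only the low 16 bits have to be searched. On return *state
 * is the last matching state, positioned just after out[n-1]. */
static int recover_state(const uint32_t *out, int n, uint32_t *state) {
    int matches = 0;
    for (uint32_t low = 0; low < 0x10000; low++) {
        uint32_t s = (out[0] << 16) | low;
        int i = 1;
        while (i < n && lcg_next(&s) == out[i])
            i++;
        if (i == n) {
            *state = s;
            matches++;
        }
    }
    return matches;
}

/* Constructed run: returns 1 when five consecutive outputs pin down a
 * single state and that state yields the correct sixth output. */
static int demo(uint32_t secret_seed) {
    uint32_t gen = secret_seed, seen[5], guess = 0;
    for (int i = 0; i < 5; i++)
        seen[i] = lcg_next(&gen);
    if (recover_state(seen, 5, &guess) != 1)
        return 0;
    return lcg_next(&guess) == lcg_next(&gen);
}

int main(void) {
    uint32_t s = 1; /* the poster notes the seed is initialized to 1 */
    uint32_t a = lcg_next(&s), b = lcg_next(&s);
    printf("seed 1 -> %u, %u\n", (unsigned)a, (unsigned)b);
    printf("sixth output predicted: %d\n", demo(0xC0FFEEu));
    return 0;
}
```

The search only works on consecutive raw outputs; when other game events call the function in between, as the last post describes, the observed values are no longer consecutive and the position in the sequence is unknown.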
 