Server fixes needed.

asm · **Joined:** 13 Jun 2011 08:53 **Posts:** 4

Hello all,

I really like to play the games Crysis and Crysis Wars. But too many
people destroy the fun by using your server crash hacks. I know it's fault
of the programmer's NOT to provide any protection against them. But I
hope to fix these issues by reassambling the server DLL's. I'm really new
to it and need some help. It would be nice to contact me in a PM if you want
to help me(I talk with you aluigi and anybody else :)). I already collected all
server crash hacks and provide some fixes. But a few of your server crash hacks
aren't fixed and need to be fixed in the DLL's itself. I can provide disassembled DLL's
and related functions, I also have some hints where and how to fix it.
Do you have Skype, ICQ or Xfire? But we could work together here via PM, too.
I'm a big fan of doing the work on my own, I don't think companies will fix the bugs
anymore. The problem is I'm not good enough and need some tips to fix the bugs.

aluigi · **Posted:** 13 Jun 2011 21:34

note that I do only public stuff, not private things.

anyway what bugs you would like to fix?
crysisdos
crysisfs
crysisviol
dontcrysis
crysislog

this is old stuff so I don't remember what's currently working on the latest versions of the game.

anyway in case someone has problems with crysisfs on the 64bit version of the CrysisWars server recently I suggested the following work-around:

Code:

if you open Bin64\CrySystem.dll (I guess here I have version 1.5) with a hex editor and go at offset 0x0003C070 you will find the byte 44, replace it with C3 and the server should no longer crash but some messages will be no longer visibles.

asm · **Joined:** 13 Jun 2011 08:53 **Posts:** 4

I want to fix all bugs. I collected all bugs with your descriptions and my ideas to fix it. I provide disassembled DLL's, too. That's why i wanted to contact you somewhere to send you that stuff. The next week I go to holidays, will talk to you in 13 days ;-)

asm · **Joined:** 13 Jun 2011 08:53 **Posts:** 4

Hello, I'm back now. I heard, some Crysis admin fixed the udpsz crash. How to do this? Do I have to check the packet for special content? Or do I have to block anything?

aluigi · **Posted:** 30 Jun 2011 09:16

assembly patches obviously are better but in the case of crysis I guess also packet filtering could work in some cases because it doesn't use encryption.
in short everything depends by the bug.

in this particular case (crysisdos since you talk about udpsz) I would opt for the checking of the rate of the join packet because the bug is just caused by its flooding.

asm · **Joined:** 13 Jun 2011 08:53 **Posts:** 4

Theres a variable "sv_packetrate". Default is 30. Doesn't it create lags on the players, if I put it down? Which new value would you recomment?

I know a guy fixed it in C++, he made something with an offset from CryNetwork.dll. Maybe he patched a function.

Some guys block the server port(default 46000) and have no vulnerability. But some players cannot connect...

Wouldn't it be possible in asm to change those few instructions which create lags to "nop"(no operation) to fix the bug?

I already have a bugfix, in the past hackers spoofed my server with udpsz and the server crashed immediately. Now it crashes after a few minutes up to a few hours. It's better but it's not fully fixed.
This bugfix looks like:

Code:

A little fix:
If you change in "CryNetwork(CrysisWars1.5).dll.asm" the code:

loc_3953FA4E:            ; CODE XREF: sub_3953F789+1CFj
      push   [ebp+arg_4]
      lea   eax, [ebp+arg_0]
      push   eax
      lea   esi, [ebx+90h]
      push   esi
      call   sub_3953A45B
      mov   edi, [ebp+arg_0]
      cmp   edi, esi
      jz   short loc_3953FABA
      push   [ebp+arg_4]
      mov   eax, dword_395F27A8
      mov   eax, [eax+0A0h]
      lea   ecx, [ebp+var_A4]
      push   ecx
      push   eax
      call   sub_395A37BD
      push   dword ptr [eax+8] ; char
      push   offset aSDisconnectedP ; "%s disconnected pre-maturely"
      call   sub_3959D9FF
      pop   ecx
      pop   ecx
      push   [ebp+var_9C]
      lea   eax, [ebp+var_A4]
      call   sub_39510C19
      push   dword ptr [ebp+var_4] ;   char
      push   offset aS_5   ; "%s"
      call   sub_3959D9FF
      pop   ecx
      mov   eax, esp
      mov   [eax], edi
      call   sub_3953986D
      
to:

loc_3953FA4E:            ; CODE XREF: sub_3953F789+1CFj
      push   [ebp+arg_4]
      lea   eax, [ebp+arg_0]
      push   eax
      lea   esi, [ebx+90h]
      push   esi
      call   sub_3953A45B
      mov   edi, [ebp+arg_0]
      cmp   edi, esi
      jz   short loc_3953FABA
      push   [ebp+arg_4]
      mov   eax, dword_395F27A8
      mov   eax, [eax+0A0h]
      lea   ecx, [ebp+var_A4]
      push   ecx
      push   eax
      call   sub_395A37BD
      push   dword ptr [eax+8] ; char
      push   offset aSDisconnectedP ; "%s disconnected pre-maturely"
      call   sub_3959D9FF
      pop   ecx
      pop   ecx
      push   [ebp+var_9C]
      lea   eax, [ebp+var_A4]
      call   sub_39510C19
      push   dword ptr [ebp+var_4]
      push   offset aS_5   ; "%s"
      nop
      nop
      nop
      nop
      nop
      pop   ecx
      mov   eax, esp
      mov   [eax], edi
      call   sub_3953986D
      
than, the server won't crash at the first time with the log:
"<19:50:01> [Warning] $6[net ] 89-76-77-158.dynamic.chello.pl:61148 disconnected pre-maturely"

But the server will freeze and crash still, because there will be thousand messages like:
"<06:18:58> [Warning] $6[net ] Removing inactive pre-mature connection from 187-86-57-10.opcaonet.com.br:60430"

crysisformat:
Possible fix: A guy gave me a modified CryNetwork.dll, I compared
it with the original one. The only difference were a few changes
of log messages. Maybe the format hack doesn't work that way(missing regular expressions in modified version)..

original 'WSARecvFrom failed: %d' was changed to 'Phys sync failed! '
original 'CompleteEmptySuccess: pReq->bytesReceived==%d' to 'Phys way out of sync (0.2 seconds, resetting)'
original offset aCompleteemptys to offset aPhysWayOutOf_0
original offset aWsarecvfromFai to offset aPhysSyncFailed
original offset aRemovingInacti to offset aPhysWayOutOfSy

Maybe it's a bugfix for the crysis format hack.

Your crysislog hack is another issue I can't fix. Do you think, is there a way to fix it?

And of course the fakeplayers hack, is there a way to fix it, too?

By the way, what exactly do you mean with
"anyway in case someone has problems with crysisfs on the 64bit version of the CrysisWars server recently I suggested the following work-around:
Code:
if you open Bin64\CrySystem.dll (I guess here I have version 1.5) with a hex editor and go at offset 0x0003C070 you will find the byte 44, replace it with C3 and the server should no longer crash but some messages will be no longer visibles."? So hacks aren't possible in 64bit if I change the byte 44 to C3 at offset 0x0003C070 ? And what's with the 32bit dll?

Sorry for all the questions :)

azka · **Joined:** 15 Jun 2011 15:19 **Posts:** 13

Actually removing the function to NOP is not the fix, it makes more crash than usually.

aluigi · **Posted:** 02 Jul 2011 15:02

note that this is stuff on which I worked temporary various years ago so remembering what I noticed during my tests and that could help you is practically impossible.

the format string bug can be fixed without problems just because it's just the lack of the format argument.
the note about bin64 I specified was referred only to a work-around, I have only performed vulnerability research on Crysis, I have not spent time for its patching.

crysis uses udp so the fake players bug can be limited with solutions like my playerslimiter project:
http://aluigi.org/patches.htm#playerslimiter
read the txt inside the package and it should be enough easy to create the packet.dat file needed for the filtering of players flooding

I don't remember if it's easy to fix crysislog.

Luigi Auriemma

Server fixes needed.