[Old]Vista/XP OnePerOne + Buffer Overflow Fixes

General assistance and guidelines for editing the server side of Soma.


Postby Finito » Mon Apr 21, 2008 9:43 pm

This OnePerOne is old and missing a lot of fixes; use the OnePerOne from the server files here instead.

What is this??
For those of you who are using Vista, I have edited the original Euro1p1 and added fixes so that it will now work without any errors.
I will type up a guide on how to apply the Vista fix to an existing OnePerOne at a later date.

The one and only! Vista OnePerOne!!
Please see 3rd post below as there is an update to this 1p1.

Extra info
This OnePerOne also includes buffer overflow fixes for the strings sent within packets from the client. For those of you who are technically minded and can understand my notes below, you will be able to implement these fixes on an existing OnePerOne.

Buffer Overflow Notes
1p1 Buffer overflow fixes

Crashing the 1p1 by changing the length of the username and password in pkt_account_login
Added < 0 and > 20 checks inside a function at address 0x00444f12

00444F12 . 25 FF000000 AND EAX,0FF
00444F17 . 7C 07 JL SHORT Euro-1P1.00444F20
00444F19 . 83F8 14 CMP EAX,14
00444F1C . 7F 02 JG SHORT Euro-1P1.00444F20
00444F1E . EB 02 JMP SHORT Euro-1P1.00444F22
00444F20 > 33C0 XOR EAX,EAX
00444F22 > C3 RETN

Add a call to this function at the addresses below, replacing the AND EAX,0FF with CALL 00444F12

00443ABD - Account login req
00443ADE - Account login req
004450D7 - New Hero
00445DD3 - Del Hero
0044CF3E - Client Event - Exchange event type
0043D1C8 - Private chat
0045225E - MakeItem
00453837 - MakeItemSpecial
00460490 - Exchange Result

A few notes: This is a single database OnePerOne and obviously this will still work on earlier versions of Windows!

Disclaimer: The author of this file cannot be held liable for any harm it may do or any excessive excitement at this now working on Vista.
Last edited by Finito on Mon Dec 13, 2010 8:09 am, edited 6 times in total.
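The check Finito describes, rendered in C as an added example (it is not code from the thread or from the 1p1 itself): the routine at 00444F12 masks the length byte with AND EAX,0FF and folds anything above 0x14 (20) to zero, so the copy that follows gets a length of 0 instead of up to 255. The packet layout ([opcode][u8 len][bytes] per string), the opcode value, the 21-byte destination field and the sample packets are assumptions constructed for the example; the 20-byte bound and the mask come from the listing. One note on the listing itself: after AND EAX,0FF both the sign and overflow flags are clear, so the JL at 00444F17 is never taken; the JG is the branch that does the work.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 20u      /* the 0x14 in CMP EAX,14 */
#define LOGIN_OPCODE 0x00u /* constructed opcode for pkt_account_login */

/* C rendering of the patched routine at 00444F12 / 0044856A:
 * AND EAX,0FF ; JL zero ; CMP EAX,14 ; JG zero ; RETN
 * The length is masked to one byte and anything above 20 becomes 0. */
static uint32_t checked_len(uint32_t eax)
{
    eax &= 0xFFu;
    return eax > FIELD_MAX ? 0 : eax;
}

/* What the original AND EAX,0FF alone yields: every value 0..255 reaches
 * the copy unchecked, so a length byte of 0xC8 asks for 200 bytes. */
static uint32_t unpatched_len(uint32_t eax)
{
    return eax & 0xFFu;
}

/* Read one length-prefixed string ([u8 len][len bytes], constructed layout)
 * into a FIELD_MAX+1 byte buffer. Returns bytes consumed, or -1 on reject. */
static int read_field(const uint8_t *p, size_t avail, char out[FIELD_MAX + 1])
{
    if (avail < 1)
        return -1;
    uint32_t len = checked_len(p[0]);
    /* len == 0 covers an empty field and an over-long one folded to 0 by the
     * check; avail - 1 < len catches a packet shorter than it claims. */
    if (len == 0 || avail - 1 < len)
        return -1;
    memcpy(out, p + 1, len);
    out[len] = '\0';
    return (int)(1 + len);
}

struct login_req {
    char user[FIELD_MAX + 1];
    char pass[FIELD_MAX + 1];
};

/* Parse [opcode][user field][pass field]. 0 on success, -1 on reject. */
static int parse_login(const uint8_t *pkt, size_t n, struct login_req *req)
{
    if (n < 1 || pkt[0] != LOGIN_OPCODE)
        return -1;
    int used = read_field(pkt + 1, n - 1, req->user);
    if (used < 0)
        return -1;
    if (read_field(pkt + 1 + (size_t)used, n - 1 - (size_t)used, req->pass) < 0)
        return -1;
    return 0;
}

/* Constructed sample packet, not captured traffic. */
static const uint8_t PKT_GOOD[] = {
    LOGIN_OPCODE, 4, 'f', 'i', 'n', 'i', 4, 's', 'o', 'm', 'a'
};

/* 0 if the well-formed packet parses into user "fini" / pass "soma". */
static int demo_good(void)
{
    struct login_req r;
    if (parse_login(PKT_GOOD, sizeof PKT_GOOD, &r) != 0)
        return -1;
    return (strcmp(r.user, "fini") == 0 && strcmp(r.pass, "soma") == 0) ? 0 : -1;
}

/* Length byte 0xC8 with 200 bytes of username behind it: the shape of the
 * packet that crashed the unpatched 1p1. Returns -1: rejected before any copy. */
static int demo_oversized(void)
{
    uint8_t pkt[1 + 1 + 200 + 1 + 4];
    struct login_req r;
    pkt[0] = LOGIN_OPCODE;
    pkt[1] = 0xC8;
    memset(pkt + 2, 'A', 200);
    pkt[202] = 4;
    memcpy(pkt + 203, "soma", 4);
    return parse_login(pkt, sizeof pkt, &r);
}

int main(void)
{
    printf("unpatched_len(0xC8)=%u checked_len(0xC8)=%u good=%d oversized=%d\n",
           unpatched_len(0xC8), checked_len(0xC8), demo_good(), demo_oversized());
    return 0;
}
```

The patch leaves the server accepting the packet with an empty string rather than dropping the connection; read_field above treats the folded-to-zero length as a reject, which is the stricter choice when you control the parser rather than a few bytes of machine code.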

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby RauBan » Tue Apr 22, 2008 11:38 am

well done =)

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby Tiffany » Tue Apr 22, 2008 12:24 pm

Nice, I had already put these in over the past few days. Cool about the Vista fix, not that I'll be using it, but a few people have moaned they can't develop test servers as they are on Vista :)

Edited to add a "normal" RAR'd version of Finito's 1p1:
Euro-1P1_Vista1_11.rar
Mirror: http://rapidshare.com/files/371770488/Euro-1P1_Vista1_11.rar
PLEASE NOTE: The RAR above contains Finito's Vista fixes + the throw and remote shutdown fixes, as detailed below.
This was added in addition to Finito's fixes - Developed by Finito/RauBan/Tiffany:
Throw Dupe Fix change:
From:
00440328  |> 3BD8          CMP EBX,EAX
0044032A  |. 0F8C E1020000 JL Copy_of_.00440611
To:
00440328     E8 24030000    CALL Euro-1P1.00440651
0044032D     81E5 FFFF0000  AND EBP,0FFFF
00440333     90             NOP
00440334     90             NOP
00440335     90             NOP
00440336     90             NOP
00440337     90             NOP
00440338     90             NOP

00440651     3BD8           CMP EBX,EAX
00440653    ^7C BC          JL SHORT Euro-1P1.00440611
00440655     83FB 32        CMP EBX,32
00440658    ^7F B7          JG SHORT Euro-1P1.00440611
0044065A     C3             RETN


There is one other issue with the 1p1 to my knowledge which can be used by people to remotely crash the server
Remote Shutdown Packet
0042C85F  |> 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]          ;  Cases 0,FE of switch 0042C845
0042C863  |. 8BCE           MOV ECX,ESI
0042C865  |. 03C7           ADD EAX,EDI
0042C867  |. 50             PUSH EAX                                ; /Arg1
0042C868  |. E8 732A0000    CALL Euro-1P1.0042F2E0                  ; \Euro-1P1.0042F2E0
0042C86D  |. E9 91000000    JMP Euro-1P1.0042C903
0042C872  |> 8BCE           MOV ECX,ESI                 ;  Case FA of switch 0042C845
;VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV            ; Remove remote shutdown packet code
0042C874  |. 90             NOP
0042C875  |. 90             NOP
0042C876  |. 90             NOP
0042C877  |. 90             NOP
0042C878  |. 90             NOP
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
0042C879  |. E9 85000000    JMP Euro-1P1.0042C903
0042C87E  |> 8BCE           MOV ECX,ESI                            ;  Case FB of switch 0042C845
0042C880  |. E8 2BDC0200    CALL Euro-1P1.0045A4B0
0042C885  |. EB 7C          JMP SHORT Euro-1P1.0042C903


==========================================================================================

My 1p1 seemed a bit different as there are routines either side of 00444F12-00444F1F,
notably: 00444F20 /$ 81EC 20040000 SUB ESP,420.
Since this would muck the function up, the checking routine was relocated to 0044856A.
This was the only set of NOPs that had more than 17 spare bytes. However, there is a small routine that is called once. Therefore it was easy to relocate it.

Relocate a small subroutine
call was @:
00412061  |. E8 0A650300    CALL Euro-1P1.00448570

Routine
0044856E     90             NOP
0044856F     90             NOP
00448570  /$ 6A 01          PUSH 1                                  ; /Arg1 = 00000001
00448572  |. E8 9931FEFF    CALL Euro-1P1.0042B710                  ; \Euro-1P1.0042B710
00448577  \. C3             RETN
00448578     90             NOP
00448579     90             NOP

now:
call is at 412061
00412055  |> 8BCD           MOV ECX,EBP
00412057  |. C786 80010000 >MOV DWORD PTR DS:[ESI+180],1A
;VVVVV
00412061     E8 1D040000    CALL Euro-1P1.00412483
;^^^^^^
00412066  |. 8BCE           MOV ECX,ESI
00412068  |. 8BF8           MOV EDI,EAX
0041206A  |. E8 21FDFFFF    CALL Euro-1P1.00411D90

Routine relocated to:
00412478  |. 81C4 20040000  ADD ESP,420
0041247E  \. C2 0800        RETN 8
00412481     90             NOP
00412482     90             NOP
;VVVV
00412483     6A 01          PUSH 1      ; Relocated 448570
00412485     E8 86920100    CALL Euro-1P1.0042B710
0041248A     C3             RETN
;^^^^
0041248B     90             NOP
0041248C     90             NOP
0041248D     90             NOP
0041248E     90             NOP
0041248F     90             NOP
00412490  /$ 83EC 10        SUB ESP,10
00412493  |. 57             PUSH EDI

added in the checking function:
00448560  |. 8981 00720000  MOV DWORD PTR DS:[ECX+7200],EAX
00448566  \. C2 0C00        RETN 0C
00448569     90             NOP
;VVVVV
0044856A     25 FF000000    AND EAX,0FF
0044856F     7C 07          JL SHORT Euro-1P1.00448578
00448571     83F8 14        CMP EAX,14
00448574     7F 02          JG SHORT Euro-1P1.00448578
00448576     EB 02          JMP SHORT Euro-1P1.0044857A
00448578     33C0           XOR EAX,EAX
0044857A     C3             RETN
;^^^^^
0044857B     90             NOP
0044857C     90             NOP
0044857D     90             NOP
0044857E     90             NOP
0044857F     90             NOP
00448580  /$ 6A FF          PUSH -1
00448582  |. 68 E2544B00    PUSH Euro-1P1.004B54E2                  ;  SE handler installation


Alter 25 FF000000 AND EAX,0FF to:
Change 00443ABD - Account login req
00443ABD     E8 A84A0000    CALL Euro-1P1.0044856A

00443ADE - Account login req
00443ADE     E8 874A0000    CALL Euro-1P1.0044856A

004450D7 - New Hero
004450D7     E8 8E340000    CALL Euro-1P1.0044856A

00445DD3 - Del Hero
00445DD3     E8 92270000    CALL Euro-1P1.0044856A

0044CF3E - Client Event - Exchange event type
0044CF3E     E8 27B6FFFF    CALL Euro-1P1.0044856A

0043D1C8 - Private chat
0043D1C8     E8 9DB30000    CALL Euro-1P1.0044856A

0045225E - MakeItem
0045225E     E8 0763FFFF    CALL Euro-1P1.0044856A

00453837 - MakeItemSpecial
00453837     E8 2E4DFFFF    CALL Euro-1P1.0044856A

00460490 - Exchange Result
00460490     E8 D580FEFF    CALL Euro-1P1.0044856A
Last edited by Tiffany on Sun Apr 04, 2010 5:01 am, edited 5 times in total.
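Getting the displacements right is where hand-applied patches like the ones above go wrong, so here is an added example in C (mine, not code from the thread or from the 1p1) that re-derives every CALL encoding posted in this thread from its site and target address, computes the rel8 for the short jumps in the relocated throw-dupe routine, and applies a patch to an in-memory image only after confirming that the bytes at the site are the 25 FF 00 00 00 (AND EAX,0FF) the fix replaces. The image buffer, its base address img_va and the 32-byte layout are constructed assumptions: the listings give virtual addresses, and the only file offset stated in the thread is 0001B2BD for the map count, so the section-to-file mapping has to come from the executable's headers. For the NOP sled at 0042C874 the original bytes are not on the page, so that site would be patched with expect set to NULL or with bytes read out of the debugger first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* E8 rel32: the displacement is relative to the end of the 5-byte CALL. */
static void encode_call(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (at + 5);   /* wraps for backward targets */
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* rel8 for a 2-byte short jump (7C JL, 7F JG, EB JMP): relative to at+2.
 * Returns the displacement byte 0..255, or -1 when the target is outside
 * -128..+127 and the near 0F 8x rel32 form is needed instead. */
static int short_disp(uint32_t at, uint32_t target)
{
    int32_t d = (int32_t)(target - (at + 2));
    if (d < -128 || d > 127)
        return -1;
    return d & 0xFF;
}

/* Overwrite n bytes at site_va in img, whose byte 0 is mapped at img_va
 * (assumed; the page gives no section-to-file mapping). If expect is
 * non-NULL the bytes already there must match it, so a wrong offset is
 * caught before anything is written. 0 = ok, -1 = range, -2 = mismatch. */
static int patch_site(uint8_t *img, size_t len, uint32_t img_va, uint32_t site_va,
                      const uint8_t *expect, const uint8_t *repl, size_t n)
{
    if (site_va < img_va || (size_t)(site_va - img_va) + n > len)
        return -1;
    uint8_t *p = img + (site_va - img_va);
    if (expect != NULL && memcmp(p, expect, n) != 0)
        return -2;
    memcpy(p, repl, n);
    return 0;
}

/* Every CALL encoding posted in the thread: site, target, bytes as listed. */
struct call_site { uint32_t at, target; uint8_t bytes[5]; };
static const struct call_site POSTED_CALLS[] = {
    { 0x00443ABD, 0x0044856A, { 0xE8, 0xA8, 0x4A, 0x00, 0x00 } }, /* account login */
    { 0x00443ADE, 0x0044856A, { 0xE8, 0x87, 0x4A, 0x00, 0x00 } }, /* account login */
    { 0x004450D7, 0x0044856A, { 0xE8, 0x8E, 0x34, 0x00, 0x00 } }, /* new hero */
    { 0x00445DD3, 0x0044856A, { 0xE8, 0x92, 0x27, 0x00, 0x00 } }, /* del hero */
    { 0x0044CF3E, 0x0044856A, { 0xE8, 0x27, 0xB6, 0xFF, 0xFF } }, /* client event */
    { 0x0043D1C8, 0x0044856A, { 0xE8, 0x9D, 0xB3, 0x00, 0x00 } }, /* private chat */
    { 0x0045225E, 0x0044856A, { 0xE8, 0x07, 0x63, 0xFF, 0xFF } }, /* MakeItem */
    { 0x00453837, 0x0044856A, { 0xE8, 0x2E, 0x4D, 0xFF, 0xFF } }, /* MakeItemSpecial */
    { 0x00460490, 0x0044856A, { 0xE8, 0xD5, 0x80, 0xFE, 0xFF } }, /* exchange result */
    { 0x00440328, 0x00440651, { 0xE8, 0x24, 0x03, 0x00, 0x00 } }, /* throw dupe fix */
    { 0x00412061, 0x00412483, { 0xE8, 0x1D, 0x04, 0x00, 0x00 } }, /* relocated sub */
};

/* Re-derive each posted CALL; returns how many do not match the listing. */
static int verify_posted_calls(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof POSTED_CALLS / sizeof POSTED_CALLS[0]; i++) {
        uint8_t enc[5];
        encode_call(POSTED_CALLS[i].at, POSTED_CALLS[i].target, enc);
        if (memcmp(enc, POSTED_CALLS[i].bytes, 5) != 0)
            bad++;
    }
    return bad;
}

/* The bytes each call site holds before the fix: 25 FF 00 00 00, AND EAX,0FF. */
static const uint8_t AND_EAX_FF[5] = { 0x25, 0xFF, 0x00, 0x00, 0x00 };

/* Constructed 32-byte image mapped at 00443AB0 (assumed) with the AND EAX,0FF
 * of the first login site at +0xD. Returns 0 only if the patch applied and the
 * site now holds the bytes the thread lists, E8 A8 4A 00 00. */
static int demo_patch_login_site(void)
{
    uint8_t img[32] = { 0 }, call[5];
    memcpy(img + 0xD, AND_EAX_FF, 5);
    encode_call(0x00443ABD, 0x0044856A, call);
    int rc = patch_site(img, sizeof img, 0x00443AB0, 0x00443ABD, AND_EAX_FF, call, 5);
    if (rc != 0)
        return rc;
    return memcmp(img + 0xD, POSTED_CALLS[0].bytes, 5) == 0 ? 0 : 1;
}

/* Same image, site address off by one: the expected-bytes check refuses to
 * write (-2) instead of splitting an instruction. */
static int demo_patch_wrong_site(void)
{
    uint8_t img[32] = { 0 }, call[5];
    memcpy(img + 0xD, AND_EAX_FF, 5);
    encode_call(0x00443ABE, 0x0044856A, call);
    return patch_site(img, sizeof img, 0x00443AB0, 0x00443ABE, AND_EAX_FF, call, 5);
}

int main(void)
{
    printf("posted CALLs failing to re-derive: %d\n", verify_posted_calls());
    printf("JL 00440653->00440611 rel8 %02X, JG 00440658->00440611 rel8 %02X\n",
           short_disp(0x00440653, 0x00440611), short_disp(0x00440658, 0x00440611));
    printf("login site: %d, off-by-one: %d\n", demo_patch_login_site(), demo_patch_wrong_site());
    return 0;
}
```

short_disp also explains why the original JL at 0044032A had to be the 6-byte 0F 8C form: from there 00440611 is 0x2E7 bytes away, outside the rel8 window, which is what makes the 8-byte CMP/JL pair big enough to hold the 5-byte CALL to the relocated check.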

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby Tiffany » Sat Dec 20, 2008 2:38 pm

Alternative to Finito's 1P1 with other updates.
Passwords: soma soma soma
  • 11-Dupes/ Server crash fixes
  • 32k BagWgt (inc. Wgt Gain Fix)
  • 500 Total Wep Skill Cap
  • 500 Total craft cap
  • Global Shout Level 75
  • 1P1 running on Vista Fixes
  • Hsoma sSid1836-1849 and Dsoma sSid3985-3999 undroppable/untradable hardcoded
  • Remote Shutdown: Packet 250(FA) call removed
  • Maps have been sequentially extended to 30 by editing the offset at 1b2bd
    You MUST have 30 maps sequentially from 1-30 or the application WILL crash!
Few things to point out:
When using a Euro 1p1 with these changes, changing values in the zone columns in the SERVERINFO table will have NO effect.

The maps are loaded in number order 1, 2, 3, 4, 5, 6, 7, 8 and so on... so you cannot have maps loading such as 1, 2, 5, 7; it just will NOT work.

When adding new maps to the server, simply increase the max map count value within your Euro 1p1 exe, which can be changed using a hex editor and is at the address offset 0001B2BD (HEX).

Edited: Re-uploaded the exe since the encryption keys were different from EU std so had to put them back.
Euro1p1_v145_30maps.rar
Mirror: http://rapidshare.com/files/371770307/Euro1p1_v145_30maps.rar
Last edited by Tiffany on Sun Apr 04, 2010 4:59 am, edited 2 times in total.

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby redger » Sun Dec 28, 2008 7:55 pm

Something isn't quite right with it, I too am having issues with this, have tried several unpacking programs, all which say it's corrupt.

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby arcanine » Mon Dec 29, 2008 2:51 pm

I'm currently using this on my own server so I can confirm the file isn't corrupt at least on the forum side of things

I would recommend downloading the file in Firefox/FlashGet or another download manager to confirm your connection isn't corrupting the file during transfer.

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby Tiffany » Thu Jan 01, 2009 7:50 pm

Updated my first post to include a re-compression of Finito's 1p1 updates. Added the detail to fix some 1p1's and also another two issues, (Throw Dupe and Remote shutdown).

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby redger » Fri Jan 02, 2009 1:45 am

The .rar works for me fine, still can't fathom why the zip wouldn't, anyway thanks a lot.

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby GlanzaVTee » Thu Jan 29, 2009 10:29 pm

The zip file works correctly, no errors in the archive; use Firefox or FlashGet to download it.

Re: Vista OnePerOne + Buffer Overflow Fixes

Postby Tiffany » Thu Jan 29, 2009 11:01 pm

Updated post with an alternative 1p1 with additional updates as detailed and sequential maps (extended maps from 26 max to 30).
