Jump to content

[1.298, 1.310] CRoom::RoomChat() exploit

Started by twostars, Feb 11 2012 12:53 PM

  • You cannot reply to this topic
No replies to this topic

#1
twostars
Posted 11 February 2012 - 12:53 PM

twostars

    KO Guru

  • GateKeeper
  • Others:Donator
  • 4,461 posts
Length check's slightly wrong -- the buffer allows for 256 bytes, their existing length check allows all 256 bytes to be used instead of allowing for the null-terminator. As it's then passed into sprintf(), well... nothing good can come of it.

Easy fix -- just change the "JG" (jump if greater than) instruction to a "JGE" (jump if greater than or equal to) instruction, so we're only allowing the first 255 bytes to be filled, leaving room for that pesky null-terminator.

1.298
004831A7   /0F8D A7000000   JGE 00483254

1.310
0046C06B   /0F8F A4000000   JGE 0046C115

Back to Assembly patches


  1. Snoxd
  2. Board
  3. Private server development
  4. Knight Online private server development
  5. Assembly patches
IPB skins by Skinbox