From b11cc95e50c4a15463ff6c94db9b42021fe8ebe7 Mon Sep 17 00:00:00 2001
From: TheBrokenRail
Date: Tue, 1 Oct 2024 20:44:50 -0400
Subject: [PATCH] Fix ChatPacket Reading

---
 mods/include/mods/misc/misc.h | 4 ++--
 mods/src/chat/chat.cpp | 11 +++++++++++
 mods/src/misc/misc.cpp | 6 +++---
 symbols/src/network/raknet/RakNet_BitStream.def | 9 +++++----
 symbols/src/network/raknet/RakNet_RakString.def | 5 +++++
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/mods/include/mods/misc/misc.h b/mods/include/mods/misc/misc.h
index 57ffebcaea..bbfd71cd1f 100644
--- a/mods/include/mods/misc/misc.h
+++ b/mods/include/mods/misc/misc.h
@@ -11,8 +11,8 @@ void misc_render_background(int color, const Minecraft *minecraft, int x, int y,
 extern bool is_in_chat;
-typedef RakNet_RakString *(*RakNet_RakString_constructor_t)(RakNet_RakString *self, const char *format, ...);
-extern RakNet_RakString_constructor_t RakNet_RakString_constructor;
+typedef RakNet_RakString *(*RakNet_RakString_constructor_2_t)(RakNet_RakString *self, const char *format, ...);
+extern RakNet_RakString_constructor_2_t RakNet_RakString_constructor_2;
 }
 void misc_run_on_update(const std::function &func);
diff --git a/mods/src/chat/chat.cpp b/mods/src/chat/chat.cpp
index 21e15de770..1d924fd299 100644
--- a/mods/src/chat/chat.cpp
+++ b/mods/src/chat/chat.cpp
@@ -80,6 +80,16 @@ void _chat_send_message(const Minecraft *minecraft, const char *message) {
 send_api_chat_command(minecraft, message);
 }
+// Allow Reading Longer ChatPacket Messages
+static void ChatPacket_read_injection(__attribute__((unused)) ChatPacket_read_t original, ChatPacket *self, RakNet_BitStream *stream) {
+    RakNet_RakString *str = RakNet_RakString::allocate();
+    str->constructor();
+    str->Deserialize(stream);
+    self->message = str->sharedString->c_str;
+    str->Free();
+    ::operator delete(str);
+}
 // Init
 void init_chat() {
 if (feature_has("Implement Chat", server_enabled)) {
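Review bot: The result of `str->Deserialize(stream)` in ChatPacket_read_injection is discarded, even though this same commit declares it as returning `bool` in RakNet_RakString.def, so a truncated or malformed packet from a client is indistinguishable from a valid one and `self->message` is filled from whatever `sharedString->c_str` holds after a failed read. I would keep the copy before `Free()` (assuming `message` is a `std::string`; if it is a raw pointer this already dangles) but gate it: `const bool ok = str->Deserialize(stream);` / `self->message = ok ? str->sharedString->c_str : "";`. With the built-in message limit patched out in init_chat, the length is now bounded only by what the wire format allows (presumably a 16-bit length prefix, to confirm against RakNet), so an explicit cap on `self->message` here would be cheap insurance against oversized chat being relayed. The `allocate()`/`constructor()` and `Free()`/`::operator delete` pairing also deserves a line, e.g. `// Free() stands in for the unmapped destructor; storage from allocate() is released with operator delete`. init_chat starts in this hunk but its body runs past it.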
@@ -95,5 +105,6 @@ void init_chat() {
 // Disable Built-In Chat Message Limiting
 unsigned char message_limit_patch[4] = {0x03, 0x00, 0x53, 0xe1}; // "cmp r4, r4"
 patch((void *) 0x6b4c0, message_limit_patch);
+        overwrite_calls(ChatPacket_read, ChatPacket_read_injection);
 }
 }
diff --git a/mods/src/misc/misc.cpp b/mods/src/misc/misc.cpp
index 1d6f8acdd7..8ae6952ccb 100644
--- a/mods/src/misc/misc.cpp
+++ b/mods/src/misc/misc.cpp
@@ -48,10 +48,10 @@ static void LoginPacket_read_injection(LoginPacket_read_t original, LoginPacket
 // RakNet::RakString's format constructor is often given unsanitized user input and is never used for formatting,
 // this is a massive security risk, allowing clients to run arbitrary format specifiers, this disables the
 // formatting functionality.
-RakNet_RakString_constructor_t RakNet_RakString_constructor = (RakNet_RakString_constructor_t) 0xea5cc;
+RakNet_RakString_constructor_2_t RakNet_RakString_constructor_2 = (RakNet_RakString_constructor_2_t) 0xea5cc;
 static RakNet_RakString *RakNet_RakString_injection(RakNet_RakString *rak_string, const char *format, ...) {
 // Call Original Method
-    return RakNet_RakString_constructor(rak_string, "%s", format);
+    return RakNet_RakString_constructor_2(rak_string, "%s", format);
 }
 // Print Error Message If RakNet Startup Fails
@@ -452,7 +452,7 @@ void init_misc() {
 // Fix RakNet::RakString Security Bug
 if (feature_has("Patch RakNet Security Bug", server_enabled)) {
-        overwrite_calls_manual((void *) RakNet_RakString_constructor, (void *) RakNet_RakString_injection);
+        overwrite_calls_manual((void *) RakNet_RakString_constructor_2, (void *) RakNet_RakString_injection);
 }
 // Print Error Message If RakNet Startup Fails
diff --git a/symbols/src/network/raknet/RakNet_BitStream.def b/symbols/src/network/raknet/RakNet_BitStream.def
index 851a4ef29d..c6e3e0efd8 100644
--- a/symbols/src/network/raknet/RakNet_BitStream.def
+++ b/symbols/src/network/raknet/RakNet_BitStream.def
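Review bot: The added `overwrite_calls(ChatPacket_read, ChatPacket_read_injection);` is the only statement in this block without a section comment, while each neighbouring statement carries one, and since it sits directly after the patch that disables the built-in message limit the relationship should be spelled out, e.g. `// Replace ChatPacket::read so the longer messages permitted by the patch above are presumably read in full`. The injection is installed only when "Implement Chat" is enabled server-side, which matches the limit patch it follows. init_chat's body begins before this hunk.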
@@ -5,10 +5,11 @@ method void Write_short(short *i) = 0x71918;
 // right_aligned should be true
 method void WriteBits(const uchar *buff, uint bits, bool right_aligned) = 0xd41b4;
-method void Read_uchar(uchar *i) = 0x45ab0;
-method void Read_int(int *i) = 0x184ec;
-method void Read_ushort(ushort *i) = 0x45acc;
-method void Read_short(short *i) = 0x72070;
+method bool Read_uchar(uchar *i) = 0x45ab0;
+method bool Read_int(int *i) = 0x184ec;
+method bool Read_ushort(ushort *i) = 0x45acc;
+method bool Read_short(short *i) = 0x72070;
+method bool Read_str(char *str) = 0xd5174;
 // right_aligned should be true
 method void ReadBits(uchar *buff, uint bits, bool right_aligned) = 0xd3e18;
diff --git a/symbols/src/network/raknet/RakNet_RakString.def b/symbols/src/network/raknet/RakNet_RakString.def
index edd79cd00c..ed8d5155d6 100644
--- a/symbols/src/network/raknet/RakNet_RakString.def
+++ b/symbols/src/network/raknet/RakNet_RakString.def
@@ -1,5 +1,10 @@
+size 0x4;
+
+constructor () = 0xe8f80;
 //constructor (const char *format, ...) = 0xea5cc;
 method void Assign(const char *str) = 0xe9e34;
+method void Free() = 0xe9b50;
+method bool Deserialize(RakNet_BitStream *stream) = 0xea990;
 property RakNet_RakString_SharedString *sharedString = 0x0;
\ No newline at end of file
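Review bot: `Read_uchar`/`Read_int`/`Read_ushort`/`Read_short` change from `void` to `bool` here, but nothing in this commit adds a check at their existing call sites (LoginPacket_read_injection in misc.cpp is one, visible only in a hunk header), so a short read on an untrusted packet stays silent there; those callers are worth auditing now that the return value is the only failure signal. The new `Read_str(char *str)` takes a destination with no capacity argument, so a caller must size the buffer for the longest string the wire format permits (presumably a 16-bit length prefix, to confirm against RakNet), and that belongs on the declaration: `// Writes into caller-owned memory with no capacity check; size the buffer for the maximum wire length`.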
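Review bot: `Deserialize` is declared as returning `bool` but the .def does not say what `sharedString` holds when it returns false, and the one new caller in chat.cpp reads `sharedString->c_str` regardless; a comment would make the contract explicit, e.g. `// Returns false on a short or invalid read; check it before using sharedString`. The pairing of the no-argument `constructor ()` with `Free()` rather than a destructor symbol also deserves a line, e.g. `// Free() releases the shared string; call it where a destructor would otherwise run`, if that is what the function at 0xe9b50 does. `size 0x4;` is consistent with the single pointer property at offset 0x0.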