#######################################################################

                             Luigi Auriemma

Application:  Chrome Engine 4
              http://www.techland.pl/?id=home&lang=en
Versions:     Call of Juarez: Bound in Blood <= 1.1.0.0
              Sniper: Ghost Warrior <= 1.0.0.0
              ...possibly other games and versions...
Platforms:    Windows
Bug:          malloc exception
Exploitation: remote, versus server
Date:         17 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Chrome Engine 4 is the latest version of the game engine developed
by Techland. It powers games like Call of Juarez: Bound in Blood (aka
CoJ2) and the upcoming Sniper: Ghost Warrior (expected within a week,
demo released two days ago), and it will be used in other games in
development like Chrome 2 and Dead Island.

#######################################################################

======
2) Bug
======

In this new version of the engine a simple 16-bit checksum has been
added at the end of the packets. In practice, if the checksum of a
received packet is invalid, the "checksum comparing" function logs the
message "[CSocket::UnHash] Incoming packet has wrong hash, discarded"
and returns -111 instead of the length of the data in the packet.

The problem is that this return value is not checked by the engine, so
it continues handling the packet: if the incoming packet is of type 28
and the 32-bit size value in it matches the expected one (-111 - 5),
a function is called that allocates memory for the data and copies the
data into it. The malloc function (msvcr80) then tries to allocate that
amount of memory and raises an exception that crashes the server.
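The missing return-value check, modelled as an added example in C (this is not the engine's code): a hypothetical unhash() that returns -111 on a bad checksum, and one handler run both without and with the check, so the same malformed packet either reaches the allocation step or is dropped. The packet layout, the plain byte-sum checksum and the constructed sample packets are assumptions for this model only.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of the flow described above, not Techland's code.
 * The checksum is a plain 16-bit byte sum standing in for the engine's
 * real hash; the packet layout (1-byte type, 4-byte little-endian size,
 * data, 2-byte trailing checksum) is assumed for this model only. */

#define UNHASH_BAD_HASH (-111)  /* error value returned on checksum mismatch */
#define PKT_TYPE_ALLOC  28      /* packet type that reaches the allocate-and-copy path */
#define HEADER_LEN      5       /* so the expected data size is unhash() - 5 */

enum outcome { DISCARDED, IGNORED, ALLOC_REQUESTED };

/* Returns the packet length without the checksum, or -111 on mismatch
 * (the engine also logs "... wrong hash, discarded" but does not discard). */
static int unhash(const uint8_t *pkt, int len) {
    uint16_t sum = 0;
    if (len < 2) return UNHASH_BAD_HASH;
    for (int i = 0; i < len - 2; i++) sum = (uint16_t)(sum + pkt[i]);
    uint16_t stored = (uint16_t)(pkt[len - 2] | (pkt[len - 1] << 8));
    return sum == stored ? len - 2 : UNHASH_BAD_HASH;
}

/* check_result == 0 reproduces the unchecked use of unhash()'s return value;
 * check_result == 1 is the one-line fix: drop the packet on a negative result.
 * On ALLOC_REQUESTED, *alloc_size is what would be passed to malloc(). */
static enum outcome handle_packet(const uint8_t *pkt, int len,
                                  int check_result, uint32_t *alloc_size) {
    int n = unhash(pkt, len);
    if (check_result && n < 0) return DISCARDED;
    if (len < HEADER_LEN || pkt[0] != PKT_TYPE_ALLOC) return IGNORED;
    uint32_t size = (uint32_t)pkt[1] | (uint32_t)pkt[2] << 8 |
                    (uint32_t)pkt[3] << 16 | (uint32_t)pkt[4] << 24;
    /* With n == -111 the comparison is against (uint32_t)(-116): a size the
     * sender can simply put in the field, so malloc() would be asked for a
     * huge block and raise the exception that takes the server down. */
    if (size != (uint32_t)(n - HEADER_LEN)) return IGNORED;
    *alloc_size = size;
    return ALLOC_REQUESTED;
}

/* Constructed sample packets (not captured traffic). GOOD_PKT carries a
 * valid checksum (0x00E5) and size 3; BAD_HASH_PKT has a wrong checksum
 * and a size field equal to (uint32_t)(-116). */
static const uint8_t GOOD_PKT[]     = { 28, 3, 0, 0, 0, 'A', 'B', 'C', 0xE5, 0x00 };
static const uint8_t BAD_HASH_PKT[] = { 28, 0x8C, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 0x00, 0x00 };
```

Run handle_packet() over BAD_HASH_PKT with check_result set to 0 and then 1 to see the two outcomes side by side.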
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/chromerda.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################