(Dev) GSCS strange bug overpowering 1 char with (4545 sd hit and 505 hp hit)
Good morning everybody and thank you for reading my help request,
I'm developing a season 4 server from source (http://forum.ragezone.com/f197/repac...-1-1-a-905214/) and yesterday, during Castle Siege, a strange bug came up out of nowhere: after logging in, a BK started hitting approx. 126x more than it should. Example: the normal damage he should deal is 36 sd, 4 hp... but, after logging in, he hits 4545 sd and 505 hp.
I've found 3 actions that adjust the damage back to normal: wield weapon, "unwield" weapon and die. These 3 actions have the power to reset his damage back to normal.
This only happens in gscs, and it is only happening to 1 character. I've tried removing all items; I've tried taking out his master level and skill tree; I've tried taking out his skills; I've tried resetting his stats; but nothing seems to work... the damage always adjusts when the character wields a weapon, "unwields" one or dies.
I am debugging the gscs with Olly, trying to figure out the source of the bug... but nothing so far. What I know is that it possibly happens in the "gObjLifeCheck" function (as named by some decompilers).
Has anyone encountered the same issue as me? Thank you for the help.
Re: (Dev) GSCS strange bug overpowering 1 char with (4545 sd hit and 505 hp hit)
Good afternoon,
After a long run of debugging my game server cs, I managed to find and fix this bug, so I'm here sharing my workaround for the players who are having the same issue. This is not a tutorial; it's rather an explanation of how the bug happens and what you'll need to do in order to fix it... it requires assembly knowledge.
On my gscs 1.00.90, the bug happens when it's adding the Item 380 damage option (+200 PvP damage) to the Attack Damage value.
Here's the assembly representation:
Code:
#Get the memory address identifier for EBP+8 (gObj) and move it to ECX.
004E2A69 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
#Get the value stored in ECX+2088 (gObj->m_ItemOptionExFor380.OpAddDamage, according to Deathway decompiling) and move it to EDX; for some reason, even without wielding any weapon, the number found in store is always 1392 (decimal: 5010).
004E2A6C |. 0FBF91 88200000 MOVSX EDX,WORD PTR DS:[ECX+2088]
#Get the Attack Damage calculated so far, stored in EBP+1C.
004E2A73 |. 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C]
#Add them (AttackDamage + gObj->m_ItemOptionExFor380.OpAddDamage).
004E2A76 |. 03C2 ADD EAX,EDX
#Update the Attack Damage value in EBP+1C.
004E2A78 |. 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX
When the bugged character wields any weapon, "unwields" any weapon or dies on gscs, the m_ItemOptionExFor380.OpAddDamage gets adjusted to the correct value.
The workaround I found myself obliged to do was to create a few more assembly instructions at the bottom of the file, where I first compare whether the value isn't higher than 200 (the maximum value for Damage PvP options from items 380).
Here's the assembly representation:
Code:
#Get the Attack Damage calculated so far, stored in EBP+1C.
006811A0 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C]
#Get the memory address identifier for EBP+8 (gObj) and move it to ECX.
006811A3 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
#Get the value stored in ECX+2088 (gObj->m_ItemOptionExFor380.OpAddDamage, according to Deathway decompiling) and move it to EDX.
006811A6 0FBF91 88200000 MOVSX EDX,WORD PTR DS:[ECX+2088]
#Compare the value in EDX (gObj->m_ItemOptionExFor380.OpAddDamage) with C8 (decimal: 200).
006811AD 81FA C8000000 CMP EDX,0C8
#If the value in EDX is greater than C8, we know it's bugged, so we jump to 006811B7, skipping the adding part.
006811B3 7F 02 JG SHORT 006811B7
#Add them (AttackDamage + gObj->m_ItemOptionExFor380.OpAddDamage).
006811B5 03C2 ADD EAX,EDX
#Update the Attack Damage value in EBP+1C.
006811B7 8945 1C MOV DWORD PTR SS:[EBP+1C],EAX
#Jump back.
006811BA ^E9 BC18E6FF JMP LONG 004E2A7B
After writing this at the bottom, we'll need to jump here when the program reaches 004E2A69.
Here's the assembly representation:
Code:
#before
#Get the memory address identifier for EBP+8 (gObj) and move it to ECX.
004E2A69 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
#now
#Jump to the block of instructions that we made.
004E2A69 JMP LONG 006811A0
Maybe you're wondering, but what if the bugged value is less than 200 (like having that option without wielding any weapon)... In my test case, the value has always been 1392... so for some reason I trust that it'll always be that number...
I'm pretty sure nobody is having the same issue as me, but if you are... here's how to fix it.
And that's it.
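The detour described in the post, expressed as a small Python script that computes the exact bytes to write. This is an added example and not the poster's own tooling: the addresses, the 0x2088 field offset and the 0xC8 cap are taken from the listings above; the NOP padding of the 13 bytes left over after the 5-byte JMP at 004E2A69, the helper names (rel32, build_detour, build_cave, patched_damage) and the emulation of the cave's signed compare are my assumptions. Mapping a virtual address to a file offset depends on the PE section table and is left out.

```python
import struct

# Addresses taken from the post (gscs 1.00.90). Everything in this file is an
# added illustration of the detour the post describes, not the poster's tooling.
HOOK_VA = 0x004E2A69     # MOV ECX,[EBP+8]: first byte the 5-byte JMP overwrites
RETURN_VA = 0x004E2A7B   # next original instruction; the cave jumps back here
CAVE_VA = 0x006811A0     # where the post places the new instructions
STOLEN_LEN = RETURN_VA - HOOK_VA   # 18 bytes: the five original instructions
OP_ADD_DAMAGE_OFFSET = 0x2088      # gObj->m_ItemOptionExFor380.OpAddDamage
MAX_380_PVP_DAMAGE = 0xC8          # 200, the cap the post compares against


def rel32(jump_va: int, target_va: int, insn_len: int = 5) -> bytes:
    """Little-endian rel32 for a jump located at jump_va reaching target_va.

    x86 relative jumps are measured from the end of the jump instruction,
    so the displacement is target - (jump address + jump length).
    """
    return struct.pack("<i", target_va - (jump_va + insn_len))


def build_detour(hook_va: int = HOOK_VA, cave_va: int = CAVE_VA,
                 stolen_len: int = STOLEN_LEN) -> bytes:
    """Bytes written at hook_va: JMP cave, then NOPs over the remainder of the
    replaced instructions. Assumption: the post does not say what it did with
    the 13 leftover bytes; NOP padding keeps the disassembly readable."""
    jmp = b"\xE9" + rel32(hook_va, cave_va)
    if stolen_len < len(jmp):
        raise ValueError("not enough room for a 5-byte JMP")
    return jmp + b"\x90" * (stolen_len - len(jmp))


def build_cave(cave_va: int = CAVE_VA, return_va: int = RETURN_VA,
               cap: int = MAX_380_PVP_DAMAGE) -> bytes:
    """Bytes written at cave_va: the post's checked version of the add."""
    code = bytearray()
    code += b"\x8B\x45\x1C"                                    # MOV EAX,[EBP+1C]
    code += b"\x8B\x4D\x08"                                    # MOV ECX,[EBP+8]
    code += b"\x0F\xBF\x91" + struct.pack("<I", OP_ADD_DAMAGE_OFFSET)  # MOVSX EDX,WORD PTR [ECX+2088]
    code += b"\x81\xFA" + struct.pack("<I", cap)               # CMP EDX,cap
    code += b"\x7F\x02"                                        # JG +2 (skip the ADD)
    code += b"\x03\xC2"                                        # ADD EAX,EDX
    code += b"\x89\x45\x1C"                                    # MOV [EBP+1C],EAX
    code += b"\xE9" + rel32(cave_va + len(code), return_va)    # JMP back to 004E2A7B
    return bytes(code)


def patched_damage(attack_damage: int, op_add_damage_raw: int,
                   cap: int = MAX_380_PVP_DAMAGE) -> int:
    """Model of what the cave computes. MOVSX sign-extends the 16-bit field and
    CMP/JG is a signed compare, so only values above the cap are skipped; a
    negative field (bit 15 set) still gets added."""
    val = struct.unpack("<h", struct.pack("<H", op_add_damage_raw & 0xFFFF))[0]
    if val > cap:
        return attack_damage & 0xFFFFFFFF
    return (attack_damage + val) & 0xFFFFFFFF


if __name__ == "__main__":
    print("write at %08X:" % HOOK_VA, build_detour().hex().upper())
    print("write at %08X:" % CAVE_VA, build_cave().hex().upper())
    print("bugged field 0x1392:", patched_damage(36, 0x1392))
    print("normal field 200:   ", patched_damage(36, 200))
```

The script reproduces the listing byte for byte (E9 32E71900 at 004E2A69, and a 31-byte cave ending in E9 BC18E6FF), which is a useful check before writing anything into the binary. One caveat worth keeping in mind when reusing the check: because the compare is signed, a corrupted field with the top bit set would pass the JG and be subtracted from the damage rather than skipped.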