Cheat Engine The Official Site of Cheat Engine
tikiking1 How do I cheat? Reputation: 0
Joined: 23 Jun 2014 Posts: 1
Posted: Mon Jun 23, 2014 4:58 pm Post subject: *** buffer overflow detected ***: ./ceserver terminated
CEServer refuses to work. I'm using the newest downloads off the front page.
Linux system is running:
Code:
$ uname -srvmo
Linux 3.15.1-1-ARCH #1 SMP PREEMPT Tue Jun 17 09:32:20 CEST 2014 x86_64 GNU/Linux
When I run ./ceserver and try to connect with CE from Wine:
Code:
$ ./ceserver
&s=0x7fff37eec7d4
main=0x401bf0
CEServer. Waiting for client connection
socket=3
bind=0
listen=0
IdentifierThread active
accept=4
*** buffer overflow detected ***: ./ceserver terminated
======= Backtrace: =========
/usr/lib/libc.so.6(+0x73f8e)[0x7fcc36f87f8e]
/usr/lib/libc.so.6(__fortify_fail+0x37)[0x7fcc3700de57]
/usr/lib/libc.so.6(+0xf7f60)[0x7fcc3700bf60]
./ceserver[0x40668f]
./ceserver[0x4078de]
./ceserver[0x408bf7]
/usr/lib/libpthread.so.0(+0x7124)[0x7fcc376e3124]
/usr/lib/libc.so.6(clone+0x6d)[0x7fcc36ffd4bd]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:02 1581317 /home/tikiking1/Downloads/ce/ceserver
0060f000-00610000 r--p 0000f000 08:02 1581317 /home/tikiking1/Downloads/ce/ceserver
00610000-00611000 rw-p 00010000 08:02 1581317 /home/tikiking1/Downloads/ce/ceserver
015e8000-01609000 rw-p 00000000 00:00 0 [heap]
7fcc30000000-7fcc30021000 rw-p 00000000 00:00 0
7fcc30021000-7fcc34000000 ---p 00000000 00:00 0
7fcc35cfc000-7fcc35d12000 r-xp 00000000 08:02 6822320 /usr/lib/libgcc_s.so.1
7fcc35d12000-7fcc35f11000 ---p 00016000 08:02 6822320 /usr/lib/libgcc_s.so.1
7fcc35f11000-7fcc35f12000 rw-p 00015000 08:02 6822320 /usr/lib/libgcc_s.so.1
7fcc35f12000-7fcc35f13000 ---p 00000000 00:00 0
7fcc35f13000-7fcc36713000 rw-p 00000000 00:00 0 [stack:4237]
7fcc36713000-7fcc36714000 ---p 00000000 00:00 0
7fcc36714000-7fcc36f14000 rw-p 00000000 00:00 0 [stack:4235]
7fcc36f14000-7fcc370b8000 r-xp 00000000 08:02 6819066 /usr/lib/libc-2.19.so
7fcc370b8000-7fcc372b8000 ---p 001a4000 08:02 6819066 /usr/lib/libc-2.19.so
7fcc372b8000-7fcc372bc000 r--p 001a4000 08:02 6819066 /usr/lib/libc-2.19.so
7fcc372bc000-7fcc372be000 rw-p 001a8000 08:02 6819066 /usr/lib/libc-2.19.so
7fcc372be000-7fcc372c2000 rw-p 00000000 00:00 0
7fcc372c2000-7fcc372c5000 r-xp 00000000 08:02 6819025 /usr/lib/libdl-2.19.so
7fcc372c5000-7fcc374c4000 ---p 00003000 08:02 6819025 /usr/lib/libdl-2.19.so
7fcc374c4000-7fcc374c5000 r--p 00002000 08:02 6819025 /usr/lib/libdl-2.19.so
7fcc374c5000-7fcc374c6000 rw-p 00003000 08:02 6819025 /usr/lib/libdl-2.19.so
7fcc374c6000-7fcc374db000 r-xp 00000000 08:02 6822068 /usr/lib/libz.so.1.2.8
7fcc374db000-7fcc376da000 ---p 00015000 08:02 6822068 /usr/lib/libz.so.1.2.8
7fcc376da000-7fcc376db000 r--p 00014000 08:02 6822068 /usr/lib/libz.so.1.2.8
7fcc376db000-7fcc376dc000 rw-p 00015000 08:02 6822068 /usr/lib/libz.so.1.2.8
7fcc376dc000-7fcc376f4000 r-xp 00000000 08:02 6819084 /usr/lib/libpthread-2.19.so
7fcc376f4000-7fcc378f4000 ---p 00018000 08:02 6819084 /usr/lib/libpthread-2.19.so
7fcc378f4000-7fcc378f5000 r--p 00018000 08:02 6819084 /usr/lib/libpthread-2.19.so
7fcc378f5000-7fcc378f6000 rw-p 00019000 08:02 6819084 /usr/lib/libpthread-2.19.so
7fcc378f6000-7fcc378fa000 rw-p 00000000 00:00 0
7fcc378fa000-7fcc3791b000 r-xp 00000000 08:02 6819046 /usr/lib/ld-2.19.so
7fcc37ae4000-7fcc37ae9000 rw-p 00000000 00:00 0
7fcc37b18000-7fcc37b1a000 rw-p 00000000 00:00 0
7fcc37b1a000-7fcc37b1b000 r--p 00020000 08:02 6819046 /usr/lib/ld-2.19.so
7fcc37b1b000-7fcc37b1c000 rw-p 00021000 08:02 6819046 /usr/lib/ld-2.19.so
7fcc37b1c000-7fcc37b1d000 rw-p 00000000 00:00 0
7fff37ece000-7fff37eef000 rw-p 00000000 00:00 0 [stack]
7fff37ffe000-7fff38000000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
zsh: abort ./ceserver
The text up to and including "IdentifierThread active" is printed immediately; the crash dump is printed after I try to connect.
At the same time, the Cheat Engine Client (6.4) says "I can't get the process list. You are propably [sic] using windows [sic] NT. Use the window list instead!".
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Mon Jun 23, 2014 6:25 pm
Thanks, I'll check it out. Perhaps the formatting of /proc is slightly different.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so I can keep helping
vityav Newbie cheater Reputation: 0
Joined: 24 Oct 2014 Posts: 15
Posted: Fri Oct 24, 2014 2:34 am
I have the exact same problem in both Fedora 17 and Arch Linux, both attempted with the client in Wine and in a virtual machine, and both with the newest (only listed) ceserver and Cheat Engine 6.4.
With all the Steam games now starting to support Linux (specifically for SteamOS), I really hope a Linux Cheat Engine can be worked out. CE is miles ahead of any other Linux memory scanning/hacking tools.
efjay Newbie cheater Reputation: 0
Joined: 17 Apr 2014 Posts: 12
Posted: Sun Oct 26, 2014 3:46 pm
Also having the same issue, built it from source for fun and it connects, but it hangs and the client doesn't get the process list.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sun Oct 26, 2014 6:04 pm
Which Linux distro? Kernel version?
I tested with Mint 14 (might be a bit outdated now).
My guess is that the /proc folder structure isn't fully what ceserver expects it to be.
vityav Newbie cheater Reputation: 0
Joined: 24 Oct 2014 Posts: 15
Posted: Mon Oct 27, 2014 2:33 pm
I'm on Linux kernel 3.16.4-1-ARCH. Not quite sure how to compile it (lots of 'undefined reference' errors when I try), but looking through the code, all the files it seems to be looking for in /proc seem to be there. Any suggestions on what in particular to look for?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Mon Oct 27, 2014 3:54 pm
Perhaps you have a process running where the path of the exe is longer than 255 bytes.
api.c line 2595 contains a bug, but I'm not sure if that is it. Try adding some debug messages to see where it goes wrong.
efjay Newbie cheater Reputation: 0
Joined: 17 Apr 2014 Posts: 12
Posted: Mon Oct 27, 2014 11:50 pm
Ah yes, I believe the issue is that 255-byte limit. :/
efjay Newbie cheater Reputation: 0
Joined: 17 Apr 2014 Posts: 12
Posted: Tue Oct 28, 2014 10:51 am
I played around with the source and limited the size of the strings on the server; now it doesn't send strings too big for the client, and it seems to be working fine.
Woo!
edit: thought I'd add my patch. It's very rough and done on the fly, probably with lots of errors and whatnot. I just kept tinkering until it did not hang.
Apparently I cannot attach it, so here it is.
-- when I go to memory view, it is filled with ??; no values are coming up.
-- this might be related to any green address showing up as ("[heap]" + hex), which points to garbage ??.
Code:
Index: Debug-linux/makefile
===================================================================
--- Debug-linux/makefile (revision 2774)
+++ Debug-linux/makefile (working copy)
@@ -39,7 +39,6 @@
-@echo ' '
post-build:
- -cp ceserver "/home/eric/workspace/ceserverbin"
-@echo ' '
.PHONY: all clean dependents
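Review bot: the deleted `-cp ceserver "/home/eric/workspace/ceserverbin"` in post-build removes a developer-local copy step from the upstream makefile; it is unrelated to the overflow and would be easier to review as its own change, or left out of this patch entirely.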
Index: api.c
===================================================================
--- api.c (revision 2774)
+++ api.c (working copy)
@@ -195,7 +195,7 @@
char _taskdir[255];
DIR *taskdir;
- sprintf(_taskdir, "/proc/%d/task", p->pid);
+ snprintf(_taskdir, 255, "/proc/%d/task", p->pid);
taskdir=opendir(_taskdir);
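Review bot: `snprintf(_taskdir, 255, "/proc/%d/task", p->pid);` repeats the literal size from `char _taskdir[255];`; passing `sizeof(_taskdir)` keeps the bound tied to the declaration if the array is resized later. Since the only format argument is a `%d` pid, this line could never have reached 255 bytes, so the change is hygiene rather than the fix.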
@@ -2075,8 +2075,8 @@
int f;
char mempath[255];
- sprintf(mempath,"/proc/%d/task/%d/mem", p->pid, (int)event.threadid);
- // printf("Opening %s\n", mempath);
+ snprintf(mempath, 255, "/proc/%d/task/%d/mem", p->pid, (int)event.threadid);
+ printf("Opening %s\n", mempath);
f=open(mempath, O_RDONLY);
printf("f=%d\n", f);
if (f>=0)
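Review bot: the previously commented-out `printf("Opening %s\n", mempath);` is now live, so every memory read through a thread's mem file prints a line; that is fine while debugging but should go back behind a debug flag before merging. As in the earlier hunk, `sizeof(mempath)` is preferable to the literal 255.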
@@ -2391,9 +2391,9 @@
//check if the process exists
char processpath[100];
int handle;
- sprintf(processpath, "/proc/%d/", pid);
+ snprintf(processpath, 100, "/proc/%d/", pid);
-
+ printf("opening: %s\n", processpath);
//check if this process has already been opened
handle=SearchHandleList(htProcesHandle, SearchHandleListProcessCallback, &pid);
if (handle)
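Review bot: `printf("opening: %s\n", processpath);` is another debug print that will fire on every process open; consider removing it once the crash is understood. The `snprintf(processpath, 100, ...)` bound does match `char processpath[100];`, but `sizeof(processpath)` is the safer spelling.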
@@ -2420,10 +2420,10 @@
p->pid=pid;
p->path=strdup(processpath);
- sprintf(processpath,"/proc/%d/maps", pid);
+ snprintf(processpath, 100, "/proc/%d/maps", pid);
p->maps=strdup(processpath);
- sprintf(processpath,"/proc/%d/mem", pid);
+ snprintf(processpath, 100, "/proc/%d/mem", pid);
p->mem=open(processpath, O_RDONLY);
@@ -2579,22 +2579,21 @@
{
int pid;
char exepath[80];
- char processpath[255];
- sprintf(exepath, "/proc/%s/exe", currentfile->d_name);
-
- int i=readlink(exepath, processpath, 254);
+ char processpath[252];
+ snprintf(exepath, 80, "/proc/%s/exe", currentfile->d_name);
+ printf("%s\n", exepath);
+ int i=readlink(exepath, processpath, 126);
if (i != -1)
{
- char extrafile[255];
+ char extrafile[126];
int f;
processpath[i]=0;
-
- sprintf(extrafile, "/proc/%s/cmdline", currentfile->d_name);
-
+ snprintf(extrafile, 255, "/proc/%s/cmdline", currentfile->d_name);
+ printf("Path to file: %s\n", extrafile);
f=open(extrafile, O_RDONLY);
if (i!=-1)
{
- i=read(f, extrafile, 255);
+ i=read(f, extrafile, 126);
if (i>=0)
extrafile[i]=0;
else
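Review bot: `snprintf(extrafile, 255, "/proc/%s/cmdline", currentfile->d_name);` passes a 255-byte bound while `extrafile` was just shrunk to `char extrafile[126];`, so the size argument no longer protects the buffer; use `sizeof(extrafile)`. The same mismatch recurs at the end of the hunk: `i=read(f, extrafile, 126);` can return 126, after which `extrafile[i]=0;` writes one byte past the 126-byte array, so read at most `sizeof(extrafile)-1`. The readlink bound of 126 and `char processpath[252];` are consistent with each other, but the pre-existing `if (i!=-1)` after `f=open(extrafile, O_RDONLY);` tests the readlink result instead of `f`, so a failed open still reaches `read(f, ...)` with `f == -1`; that check should be `if (f!=-1)`.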
@@ -2601,7 +2600,7 @@
extrafile[0]=0;
strcat(processpath," ");
- strcat(processpath,extrafile);
+ strncat(processpath,extrafile, 125);
close(f);
}
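Review bot: `strncat(processpath,extrafile, 125);` can still overflow by one byte: after readlink (up to 126 bytes) and `strcat(processpath," ");`, processpath holds up to 127 characters, and appending 125 more plus the terminator needs 253 bytes in a 252-byte array. Compute the remaining room instead, e.g. `strncat(processpath, extrafile, sizeof(processpath) - strlen(processpath) - 1);`.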
Index: ceserver.c
===================================================================
--- ceserver.c (revision 2774)
+++ ceserver.c (working copy)
@@ -1114,7 +1114,7 @@
}
else
- printf("bind failed\n");
+ printf("bind failed: %d %s\n", i, strerror(errno));
printf("IdentifierThread exit\n");
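Review bot: the new `printf("bind failed: %d %s\n", i, strerror(errno));` is a useful diagnostic, but `strerror` and `errno` need `<string.h>` and `<errno.h>`; the hunk does not show whether ceserver.c already includes them, so confirm before building. Also read `errno` before any other libc call that could clobber it between the failing `bind()` and this line.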
Index: extensionloader.c
===================================================================
--- extensionloader.c (revision 2774)
+++ extensionloader.c (working copy)
@@ -179,7 +179,7 @@
printf("found it. Module: %s Offset=%x\n", currentmodule, offset);
//find this module in the target process and apply this offset to get the address of dlopen
- sprintf(mapsfilename, "/proc/%d/maps", pid);
+ snprintf(mapsfilename, 255, "/proc/%d/maps", pid);
FILE *maps2=fopen(mapsfilename, "r");
if (maps2)
{
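Review bot: `snprintf(mapsfilename, 255, "/proc/%d/maps", pid);` bounds the write with a literal, but the declaration of `mapsfilename` is not in this hunk, so a reviewer cannot confirm it holds 255 bytes; `sizeof(mapsfilename)` (if it is an array) makes the bound self-evidently correct.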
@@ -255,7 +255,7 @@
s=socket(AF_UNIX, SOCK_STREAM, 0);
printf("s=%d\n", s);
- sprintf(name, " ceserver_extension%d", pid);
+ snprintf(name, 256, " ceserver_extension%d", pid);
struct sockaddr_un address;
address.sun_family=AF_UNIX;
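Review bot: `snprintf(name, 256, " ceserver_extension%d", pid);` again bounds with a literal whose matching declaration is outside the hunk; use `sizeof(name)`. Since `name` is about to become an AF_UNIX socket address (`struct sockaddr_un address;` follows), note that `sun_path` is only 108 bytes on Linux, so any copy of `name` into `address.sun_path` needs its own bound regardless of the size of `name`.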
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Tue Oct 28, 2014 3:28 pm
Thanks. I doubt those sprintf's with only %d are the issue, though.
Quote:
    when I go to memory view, it is filled with ??, no values are coming up.
Don't double-click on green addresses, but add them to the addresslist as the address being shown. I think there is an issue with the symbolhandler.
Last edited by Dark Byte on Tue Oct 28, 2014 3:31 pm; edited 1 time in total
efjay Newbie cheater Reputation: 0
Joined: 17 Apr 2014 Posts: 12
Posted: Tue Oct 28, 2014 3:30 pm
Dark Byte wrote:
    Thanks. I doubt those sprintf's with only %d are the issue though
    Quote:
        when I go to memory view, it is filled with ??, no values are coming up.
    don't doubleclick on green addresses, but add them to the addresslist as the address being shown
Yeah, I've found that works well. Just wasn't sure was all.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Tue Oct 28, 2014 3:33 pm
Yeah, the symbolhandler is messing up. Probably because the symbol starts with [ (interpret first bytes as pointer), and heap shouldn't be an official symbol used for statics anyhow (too random).
efjay Newbie cheater Reputation: 0
Joined: 17 Apr 2014 Posts: 12
Posted: Tue Oct 28, 2014 3:49 pm
Dark Byte wrote:
    Thanks. I doubt those sprintf's with only %d are the issue though
Yeah, I just did a search for sprintf and put in the safer snprintf method to limit the writing.
The actual fix, I believe, is this part:
Code:
@@ -2579,22 +2579,21 @@
{
int pid;
char exepath[80];
- char processpath[255];
- sprintf(exepath, "/proc/%s/exe", currentfile->d_name);
-
- int i=readlink(exepath, processpath, 254);
+ char processpath[252];
+ snprintf(exepath, 80, "/proc/%s/exe", currentfile->d_name);
+ printf("%s\n", exepath);
+ int i=readlink(exepath, processpath, 126);
if (i != -1)
{
- char extrafile[255];
+ char extrafile[126];
int f;
processpath[i]=0;
-
- sprintf(extrafile, "/proc/%s/cmdline", currentfile->d_name);
-
+ snprintf(extrafile, 255, "/proc/%s/cmdline", currentfile->d_name);
+ printf("Path to file: %s\n", extrafile);
f=open(extrafile, O_RDONLY);
if (i!=-1)
{
- i=read(f, extrafile, 255);
+ i=read(f, extrafile, 126);
if (i>=0)
extrafile[i]=0;
else
Where you do strcat on two strings, each 255 characters long, I think it then would get sent to the client and the client would yell because of the size. I did not look at the client code.
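To make the size arithmetic behind Dark Byte's 255-byte remark and efjay's strcat explanation concrete, here is an added example (not ceserver code) that reproduces the buffer accounting of the original api.c path with constructed inputs and shows a bounded replacement; PROCESSPATH_SZ, strcat_overflow_bytes, copy_cmdline and build_process_entry are names chosen here, and copy_cmdline assumes bufsz is at least 1.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes from the original api.c: processpath[255] filled by readlink(..., 254),
 * extrafile[255] filled by read(..., 255), then both strcat'ed into processpath. */
#define PROCESSPATH_SZ 255

/* Bytes by which the original strcat sequence (exe + " " + cmdline + NUL)
 * overshoots processpath; 0 means it fits. This is the write __strcat_chk trips on. */
size_t strcat_overflow_bytes(size_t exe_len, size_t cmdline_len)
{
    size_t needed = exe_len + 1 + cmdline_len + 1;
    return needed > PROCESSPATH_SZ ? needed - PROCESSPATH_SZ : 0;
}

/* Bounded copy of a /proc/<pid>/cmdline image (argv entries separated by NUL)
 * into buf: at most bufsz-1 bytes (bufsz >= 1 assumed), always terminated, and
 * separators turned into spaces so the whole command line survives a later %s.
 * Returns the number of bytes kept. */
size_t copy_cmdline(const unsigned char *img, size_t imglen, char *buf, size_t bufsz)
{
    size_t n = imglen < bufsz - 1 ? imglen : bufsz - 1;
    for (size_t k = 0; k < n; k++)
        buf[k] = img[k] ? (char)img[k] : ' ';
    while (n > 0 && buf[n - 1] == ' ')   /* drop the trailing separator */
        n--;
    buf[n] = '\0';
    return n;
}

/* Hardened replacement for the strcat pair: the same string as the original when
 * it fits, a truncated but terminated one otherwise. Returns 1 if nothing was cut. */
int build_process_entry(char *out, size_t outsz, const char *exe, const char *cmdline)
{
    int n = snprintf(out, outsz, "%s %s", exe, cmdline);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed inputs: a 300-byte exe path (past the 254-byte readlink limit)
     * and a cmdline image with NUL separators, as /proc presents it. */
    char exe[301], out[PROCESSPATH_SZ], cmd[64];
    static const unsigned char img[] = "/opt/game/ftl\0--fullscreen\0";
    memset(exe, 'a', 300); exe[300] = '\0';
    printf("worst case overshoots processpath by %zu bytes\n", strcat_overflow_bytes(254, 255));
    copy_cmdline(img, sizeof img - 1, cmd, sizeof cmd);
    printf("fits=%d -> %s\n", build_process_entry(out, sizeof out, "/opt/game/ftl", cmd), out);
    printf("fits=%d (kept %zu chars, rest truncated)\n", build_process_entry(out, sizeof out, exe, cmd), strlen(out));
    return 0;
}
```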
vityav Newbie cheater Reputation: 0
Joined: 24 Oct 2014 Posts: 15
Posted: Wed Oct 29, 2014 6:00 pm
I can confirm efjay's patch works wonderfully. Thanks!
To continue hijacking this thread: is it possible to adapt a cheat table made for Windows to this? Or are the structures/offsets too different? E.g. running the game FTL (for something easy that I know works and is on both Windows and Linux), I can manually find the value of scrap at 1A8A2040. The Windows cheat table for it suggests it should be at "FTL"+0039BA90, but that works out to be 0079BA90, which is just question marks in the memory viewer. Am I missing some method of adaptation, or is it a lost cause?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Wed Oct 29, 2014 6:05 pm
The difference between specific addresses is likely the same if they belong to the same object,
e.g. health and armor are often stored close together, and it's likely that the distance between them is the same in the Linux version.
So if you find health, you know where armor is.
As for static addresses like FTL+xxxx, that's most likely a lost cause, as they are different versions (see it like a patched version; there the old address won't work either).