Source Code Common Game Exploit - Signed Integer Mismatch Vulnerability


MegaByte

A lot of games have had this particular exploit (yes, even very popular MMORPGs in their early / rushed development, with coders who don't know how to check things correctly...).
I won't name any games, but if you managed to find this exploit you could pretty much make infinite money in the virtual world, or something similar, in most cases.

In one game there was a way to convert time played into a currency, and that currency into another form of points.
It wrapped around and gave a lot of points which also put people on the leader board hah.


When coding, never trust input from your users.


There are a few variations of this exploit, but basically it comes down to bad code / not understanding signed values properly, and accepting signed input from the user.

I have exploited this in the following cases with varying methods.

  • In game mail system sending money
  • In game player shop listing item
  • FB Game Ajax Request to buy points/in game items
  • Transfer between characters
  • Transfer to/from in game bank
  • Conversion of points from one in game format to another

Basic knowledge here.

A negative number subtracted from another will become an addition (the signs get reversed) *Magic omg*.

Example: 1000 - -500 === 1500
The -500 becomes a +500

This can also work in some cases with multiplication or division, where you push the signed value on the server so far negative that it wraps around and goes into the billions.
Assuming a signed integer type.


One example of bad code:

C++:
#include <cstdio>   // printf, scanf, getchar
#include <iostream>

using namespace std;

int main()
{
	// Define our variables
	int Money=1000;
	int Cost=0;

	printf("Money: %i\n",Money); // Output money
	printf("Please enter how much the cost should be: "); // Ask user to enter how much cost should be
	if (scanf("%i",&Cost)!=1)  // This just gets user input for the cost
	{
		printf("Invalid input\n");
		return 1;
	}
	printf("\n");  // Writes new line
	int c;
	while ((c=getchar())!='\n' && c!=EOF) {} // Clears the rest of the input line (fflush(stdin) is undefined behaviour, so drain it by hand)
        // <<<<<<<< NO CHECK for - OOPS!
	if (Money>=Cost) // <------------------------- THIS ONE!
	{
		printf("You have enough money to pay\n");
		printf("Money-=Cost\n%i-=%i\n",Money,Cost);
		Money-=Cost;
		printf("Money is now %i\n",Money);
	}
	else
	{
		printf("You do not have enough money...\n");
	}

	cin.get();
	return 0;
}
Example of solution:

C++:
// Example of a common exploit in badly coded games and software
// Problem: accepting values as signed when they never go negative
// Solution: use unsigned.
// This can be exploited for dupes, money hacks, level hacks etc...
// Shown by MegaByte
// I've used this exploit on a few games for ProfiT$!
#include <cstdio>   // printf, scanf, getchar
#include <iostream>

using namespace std;

int main()
{
	// Define our variables
	unsigned int Money=1000; // It NEVER will go - so use unsigned...
	unsigned int Cost=0; // this also means max money can be higher: UINT_MAX :) 0xFFFFFFFF

	printf("Money: %u\n",Money); // Output money, it's unsigned so output as %u
	printf("Please enter how much the cost should be: "); // Ask user to enter how much cost should be
	if (scanf("%u",&Cost)!=1)  // This just gets user input for the cost, notice the unsigned again
	{
		printf("Invalid input\n");
		return 1;
	}
	// Note: %u still accepts a leading '-' and wraps it (so -500 becomes 4294966796),
	// which then fails the Money>=Cost check instead of adding money.
	// If you parse text yourself, atoi and atol both return signed types; use strtoul instead.

	printf("\n");  // Writes new line
	int c;
	while ((c=getchar())!='\n' && c!=EOF) {} // Clears the rest of the input line (fflush(stdin) is undefined behaviour)

	if (Money>=Cost)
	{
		printf("You have enough money to pay\n");
		printf("Money-=Cost\n%u-=%u\n",Money,Cost);
		Money-=Cost;
		printf("Money is now %u\n",Money);
	}
	else
	{
		printf("You do not have enough money...\n");
	}

	cin.get();
	return 0;
}

Let's do the logic.

Bad Case:
User buys something for -500
The code/server says
Do they have enough for this?
if (Money >= Cost)
OH YES they do.
Money -= Cost;
Give items etc....

The player now has 1500 instead of 1000. Whoops (And possibly a free item)



Note: I have attached solution and compiled binary showing off this.
Enter a - value eg -100 when prompted.

Virus Scans:

https://virusscan.jotti.org/en-US/filescanjob/nmnbdnzf5n

https://www.virustotal.com/en/file/...b532355ba856a24abb97ff45/analysis/1465177381/



Yes, really... this happens sometimes in games.

Note: There are of course more checks to do for overflow if you use unsigned int.
Don't let people get so much cash that it wraps around or you will have some pissed players.
 

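A stricter version of the purchase check, added here as an example and not part of MegaByte's post or attached solution: the amount is parsed with strtoull and any sign, trailing junk or out-of-range value is refused before it ever becomes a number, and the debit and credit paths both carry explicit wraparound checks (the "more checks to do for overflow" caveat at the end of the post). The function and variable names are my own.

```cpp
#include <cctype>
#include <cerrno>
#include <cstdint>
#include <cstdlib>

// Parse a user-supplied amount strictly: optional surrounding whitespace and
// plain decimal digits only. Any sign, trailing junk, empty input or a value
// that does not fit uint32_t is rejected and 'out' is left untouched.
bool parseAmount(const char* text, uint32_t& out)
{
    if (text == nullptr) return false;
    while (std::isspace(static_cast<unsigned char>(*text))) ++text;
    // strtoull would silently accept "-500" and wrap it to a huge value; refuse signs outright
    if (*text == '-' || *text == '+') return false;
    errno = 0;
    char* end = nullptr;
    unsigned long long v = std::strtoull(text, &end, 10);
    if (errno == ERANGE || end == text) return false;       // overflow or no digits at all
    while (std::isspace(static_cast<unsigned char>(*end))) ++end;
    if (*end != '\0') return false;                           // trailing junk such as "12abc"
    if (v > UINT32_MAX) return false;                         // would not fit the balance type
    out = static_cast<uint32_t>(v);
    return true;
}

// Debit 'cost' from 'money'. With unsigned types there is no negative cost to
// flip the subtraction into an addition; the balance only changes on success.
bool charge(uint32_t& money, uint32_t cost)
{
    if (cost > money) return false;
    money -= cost;
    return true;
}

// Credit 'amount' to 'money', refusing the add if it would wrap past UINT32_MAX.
bool credit(uint32_t& money, uint32_t amount)
{
    if (amount > UINT32_MAX - money) return false;
    money += amount;
    return true;
}
```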

Rake

I was just thinking about this the other day, thanks for the excellent write-up!
 

gyn

Always fun to see pitfalls of the 80s-90s coming back from time to time. Sending negative-amount transactions on online banks and then actually receiving the amount instead of having it withdrawn... Seen loads of webapps similar to what you posted, and the expectations for XSS or SQLi protection can't get any higher after that lol
 

Schnee

This has been used on Maplestory (2D MMORPG) a lot, negative value exploits are awesome! A packet editor comes in pretty handy for testing purposes.

Edit: thread popped up in "new posts", didn't notice the date.
 