Merge pull request #1155 from zach2good/packet_guard

PacketGuard for Cutscenes

Author: zach2good

conf/default/map.conf

@@ -57,6 +57,10 @@ max_time_lastupdate: 60
 #Game settings
 #--------------------------------
 
+# PacketGuard will block and report any packets that aren't in the allow-list for a
+# player's current state.
+packetguard_enabled: 0
+
 #Minimal number of 0x3A packets which uses for detect lightluggage (set 0 for disable)
 lightluggage_block:   4
 

src/map/entities/charentity.cpp

@@ -212,6 +212,8 @@ CCharEntity::CCharEntity()
     m_moghouseID = 0;
     m_moghancementID = 0;
 
+    m_Substate = CHAR_SUBSTATE::SUBSTATE_NONE;
+
     PAI = std::make_unique<CAIContainer>(this, nullptr, std::make_unique<CPlayerController>(this),
         std::make_unique<CTargetFind>(this));
 }

src/map/entities/charentity.h

@@ -29,6 +29,7 @@ along with this program.  If not, see http://www.gnu.org/licenses/
 #include <deque>
 #include <mutex>
 #include <bitset>
+#include <unordered_map>
 
 #include "battleentity.h"
 #include "petentity.h"
@@ -141,6 +142,13 @@ struct GearSetMod_t
     uint16	modValue;
 };
 
+enum CHAR_SUBSTATE
+{
+    SUBSTATE_NONE = 0,
+    SUBSTATE_IN_CS,
+    SUBSTATE_LAST,
+};
+
 /************************************************************************
 *                                                                       *
 *                                                                       *
@@ -310,13 +318,17 @@ class CCharEntity : public CBattleEntity
     bool              m_EffectsChanged;
     time_point        m_LastSynthTime;
 
+    CHAR_SUBSTATE     m_Substate;
+
     int16 addTP(int16 tp) override;
     int32 addHP(int32 hp) override;
     int32 addMP(int32 mp) override;
 
     std::vector<GearSetMod_t> m_GearSetMods;		// The list of gear set mods currently applied to the character.
     std::vector<AuctionHistory_t> m_ah_history;		// AH history list (in the future consider using UContainer)
 
+    std::unordered_map<uint16, uint32> m_PacketRecievedTimestamps;
+
     void SetPlayTime(uint32 playTime);				// Set playtime
     uint32 GetPlayTime(bool needUpdate = true);		// Get playtime
 

src/map/lua/lua_baseentity.cpp

@@ -1065,6 +1065,9 @@ inline int32 CLuaBaseEntity::startEvent(lua_State *L)
     {
         PChar->m_event.Option = (int32)lua_tointeger(L, 10);
     }
+
+    PChar->m_Substate = CHAR_SUBSTATE::SUBSTATE_IN_CS;
+
     return 0;
 }
 

src/map/map.cpp

@@ -45,6 +45,7 @@ along with this program.  If not, see http://www.gnu.org/licenses/
 #include "linkshell.h"
 #include "map.h"
 #include "mob_spell_list.h"
+#include "packet_guard.h"
 #include "packet_system.h"
 #include "party.h"
 #include "utils/petutils.h"
@@ -251,6 +252,8 @@ int32 do_init(int32 argc, char** argv)
     g_PBuff = new int8[map_config.buffer_size + 20];
     PTempBuff = new int8[map_config.buffer_size + 20];
 
+    PacketGuard::Init();
+
     ShowStatus("The map-server is " CL_GREEN"ready" CL_RESET" to work...\n");
     ShowMessage("=======================================================================\n");
     return 0;
@@ -584,18 +587,35 @@ int32 parse(int8* buff, size_t* buffsize, sockaddr_in* from, map_session_data_t*
 
         if (PacketSize[SmallPD_Type] == SmallPD_Size || PacketSize[SmallPD_Type] == 0) // Tests incoming packets for the correct size prior to processing
         {
-            // если код текущего пакета меньше либо равен последнему полученному
-            // или больше глобального то игнорируем пакет
+            // Google Translate:
+            // if the code of the current package is less than or equal to the last received
+            // or more global then ignore the package
 
             if ((ref<uint16>(SmallPD_ptr, 2) <= map_session_data->client_packet_id) ||
                 (ref<uint16>(SmallPD_ptr, 2) > SmallPD_Code))
             {
                 continue;
             }
+
             if (SmallPD_Type != 0x15)
             {
                 ShowInfo("parse: %03hX | %04hX %04hX %02hX from user: %s\n", SmallPD_Type, ref<uint16>(SmallPD_ptr, 2), ref<uint16>(buff, 2), SmallPD_Size, PChar->GetName());
             }
+
+            if (map_config.packetguard_enabled && PacketGuard::IsRateLimitedPacket(PChar, SmallPD_Type))
+            {
+                ShowError(CL_RED "Rate-limiting packet: Player: %s - Packet: %03hX\n" CL_RESET, PChar->GetName(), SmallPD_Type);
+                continue; // skip this packet
+            }
+
+            if (map_config.packetguard_enabled && !PacketGuard::PacketIsValidForPlayerState(PChar, SmallPD_Type))
+            {
+                // TODO: Log exploit
+                ShowError(CL_RED "Caught mismatch between player substate and recieved packet: Player: %s - Packet: %03hX\n" CL_RESET, PChar->GetName(), SmallPD_Type);
+                // TODO: Plug in optional jailutils usage
+                continue; // skip this packet
+            }
+
             if (PChar->loc.zone == nullptr && SmallPD_Type != 0x0A)
             {
                 ShowWarning("This packet is unexpected from %s - Received %03hX earlier without matching 0x0A\n", PChar->GetName(), SmallPD_Type);
@@ -612,8 +632,9 @@ int32 parse(int8* buff, size_t* buffsize, sockaddr_in* from, map_session_data_t*
     }
     map_session_data->client_packet_id = SmallPD_Code;
 
-    // здесь мы проверяем, получил ли клиент предыдущий пакет
-    // если не получил, то мы не создаем новый, а отправляем предыдущий
+    // Google Translate:
+    // here we check if the client received the previous package
+    // if not received, then we do not create a new one, but send the previous one
 
     if (ref<uint16>(buff, 2) != map_session_data->server_packet_id)
     {
@@ -627,7 +648,7 @@ int32 parse(int8* buff, size_t* buffsize, sockaddr_in* from, map_session_data_t*
         return -1;
     }
 
-    // увеличиваем номер отправленного пакета только в случае отправки новых данных
+    // GT: increase the number of the sent packet only if new data is sent
 
     map_session_data->server_packet_id += 1;
 
@@ -1000,6 +1021,7 @@ int32 map_config_default()
     map_config.blood_pact_shared_timer = 0;
     map_config.vanadiel_time_epoch = 0;
     map_config.lightluggage_block = 4;
+    map_config.packetguard_enabled = false;
     map_config.max_time_lastupdate = 60000;
     map_config.newstyle_skillups = 7;
     map_config.drop_rate_multiplier = 1.0f;
@@ -1101,6 +1123,10 @@ int32 map_config_read(const int8* cfgName)
         {
             map_config.lightluggage_block = atoi(w2);
         }
+        else if (strcmp(w1, "packetguard_enabled") == 0)
+        {
+            map_config.packetguard_enabled = atoi(w2);
+        }
         else if (strcmp(w1, "ah_base_fee_single") == 0)
         {
             map_config.ah_base_fee_single = atoi(w2);

src/map/map.h

@@ -72,6 +72,7 @@ struct map_config_t
     uint32 max_time_lastupdate;       // max interval wait of last update player char
     int32  vanadiel_time_epoch;      // current timestamp - vanadiel_time_epoch = vana'diel time
     int32  lightluggage_block;        // если значение отлично от нуля, то персонажи с lightluggage будут удаляться с сервера автоматически
+    bool   packetguard_enabled;       // Block and report any packets that aren't in the allow-list for a player's current state.
 
     uint16 ah_base_fee_single;        // Base AH fee for single items
     uint16 ah_base_fee_stacks;        // Base AH fee for stacks

src/map/packet_guard.cpp

@@ -0,0 +1,75 @@
+#include "packet_guard.h"
+
+#include "entities/charentity.h"
+
+#include <unordered_map> // Lookup
+#include <unordered_set> // Capture
+
+// #define PACKETGUARD_CAP_ENABLED 1
+
+namespace PacketGuard
+{
+#ifdef PACKETGUARD_CAP_ENABLED
+std::unordered_map<CHAR_SUBSTATE, std::unordered_set<uint16>> regular_client_packets;
+#endif
+
+std::unordered_map<CHAR_SUBSTATE, std::unordered_map<uint16, bool>> allowList;
+std::unordered_map<uint16, uint32> ratelimitList; // Default will be 0 - No Limit
+
+void Init()
+{
+    // Allow all non-substate packets
+    for (uint16 i = 0; i < 512; ++i)
+    {
+        allowList[SUBSTATE_NONE][i] = true;
+    }
+
+    // In Cutscene
+    allowList[SUBSTATE_IN_CS][0x015] = true; // Player Sync
+    allowList[SUBSTATE_IN_CS][0x016] = true; // Entity Information Request
+    allowList[SUBSTATE_IN_CS][0x01A] = true; // Player Action
+    allowList[SUBSTATE_IN_CS][0x03A] = true; // Sort Inventory
+    allowList[SUBSTATE_IN_CS][0x05B] = true; // Event Update (Completion or Update)
+    allowList[SUBSTATE_IN_CS][0x05C] = true; // Event Update (Update Player Position)
+    allowList[SUBSTATE_IN_CS][0x0B5] = true; // Chat Message
+    allowList[SUBSTATE_IN_CS][0x0B6] = true; // Tell Message
+    allowList[SUBSTATE_IN_CS][0x0F2] = true; // Update Player Zone Boundary
+    allowList[SUBSTATE_IN_CS][0x114] = true; // Map Marker Request
+}
+
+bool PacketIsValidForPlayerState(CCharEntity* PChar, uint16 SmallPD_Type)
+{
+#if PACKETGUARD_CAP_ENABLED == 1
+    regular_client_packets[PChar->m_Substate].insert(SmallPD_Type);
+    for (uint8 state = SUBSTATE_IN_CS; state < SUBSTATE_LAST; ++state)
+    {
+        fmt::print("Substate {}: ", state);
+        for (auto& entry : regular_client_packets[(CHAR_SUBSTATE)state])
+        {
+            fmt::print("{:#04x}, ", entry);
+        }
+        fmt::print("\n");
+    }
+    return true;
+#endif
+
+    return allowList[PChar->m_Substate][SmallPD_Type];
+}
+
+bool IsRateLimitedPacket(CCharEntity* PChar, uint16 SmallPD_Type)
+{
+    uint32 lastPacketRecievedTime = PChar->m_PacketRecievedTimestamps[SmallPD_Type];
+    uint32 timeNowSeconds = static_cast<uint32>(std::chrono::time_point_cast<std::chrono::seconds>(server_clock::now()).time_since_epoch().count());
+    uint32 ratelimitTime = ratelimitList[SmallPD_Type];
+
+    PChar->m_PacketRecievedTimestamps[SmallPD_Type] = timeNowSeconds;
+
+    if (lastPacketRecievedTime == 0 || ratelimitTime == 0)
+    {
+        return false;
+    }
+
+    return timeNowSeconds - lastPacketRecievedTime < ratelimitList[SmallPD_Type];
+}
+
+} // namespace PacketGuard

src/map/packet_guard.h

@@ -0,0 +1,17 @@
+#ifndef _PACKETGUARD_H
+#define _PACKETGUARD_H
+
+#include "../common/cbasetypes.h"
+#include "packet_system.h"
+#include "packets/basic.h"
+
+class CCharEntity;
+
+namespace PacketGuard
+{
+void Init();
+bool PacketIsValidForPlayerState(CCharEntity* PChar, uint16 SmallPD_Type);
+bool IsRateLimitedPacket(CCharEntity* PChar, uint16 SmallPD_Type);
+}
+
+#endif // _PACKETGUARD_H

src/map/packet_system.cpp

@@ -2787,6 +2787,7 @@ void SmallPacket0x05B(map_session_data_t* session, CCharEntity* PChar, CBasicPac
             //reset if this event did not initiate another event
             if (PChar->m_event.EventID == EventID)
             {
+                PChar->m_Substate = CHAR_SUBSTATE::SUBSTATE_NONE;
                 PChar->m_event.reset();
             }
         }
@@ -2824,6 +2825,7 @@ void SmallPacket0x05C(map_session_data_t* session, CCharEntity* PChar, CBasicPac
             updatePosition = luautils::OnEventFinish(PChar, EventID, Result) == 1;
             if (PChar->m_event.EventID == EventID)
             {
+                PChar->m_Substate = CHAR_SUBSTATE::SUBSTATE_NONE;
                 PChar->m_event.reset();
             }
         }

src/map/packets/release.cpp

@@ -36,6 +36,8 @@ CReleasePacket::CReleasePacket(CCharEntity * PChar, RELEASE_TYPE releaseType)
 	{
 		ref<uint16>(0x05) = PChar->m_event.EventID;
 	}
+
+    PChar->m_Substate = CHAR_SUBSTATE::SUBSTATE_NONE;
 }
 
 // типы release

win32/vcxproj/topaz_game.vcxproj

@@ -433,6 +433,7 @@
     <ClInclude Include="..\..\src\map\packets\wide_scan_track.h" />
     <ClInclude Include="..\..\src\map\packets\zone_in.h" />
     <ClInclude Include="..\..\src\map\packets\zone_visited.h" />
+    <ClInclude Include="..\..\src\map\packet_guard.h" />
     <ClInclude Include="..\..\src\map\packet_system.h" />
     <ClInclude Include="..\..\src\map\party.h" />
     <ClInclude Include="..\..\src\map\recast_container.h" />
@@ -689,6 +690,7 @@
     <ClCompile Include="..\..\src\map\packets\wide_scan_track.cpp" />
     <ClCompile Include="..\..\src\map\packets\zone_in.cpp" />
     <ClCompile Include="..\..\src\map\packets\zone_visited.cpp" />
+    <ClCompile Include="..\..\src\map\packet_guard.cpp" />
     <ClCompile Include="..\..\src\map\packet_system.cpp" />
     <ClCompile Include="..\..\src\map\party.cpp" />
     <ClCompile Include="..\..\src\map\recast_container.cpp" />

win32/vcxproj/topaz_game.vcxproj.filters

@@ -116,6 +116,9 @@
     <ClInclude Include="..\..\src\map\mob_modifier.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\src\map\packet_guard.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\src\map\packet_system.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -931,6 +934,9 @@
     <ClCompile Include="..\..\src\map\modifier.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\src\map\packet_guard.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\src\map\packet_system.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>