Linux Login with Client 12 crash the server

Baahzera

Hello.

Since I could not find a solution I'm starting this thread.
The server I'm trying to start is: opentibiabr/OTServBR-Global (https://github.com/opentibiabr/OTServBR-Global)
I made sure I compiled following all instructions and have the key.pem file with compiled TFS.
Tested on Ubuntu 19.04, Debian 9, Ubuntu 18.04 and Ubuntu 16.04.
MyAAC from: slawkens/myaac (https://github.com/slawkens/myaac)
Login.php from: opentibiabr/myaac-tibia12-login (https://github.com/opentibiabr/myaac-tibia12-login)
Client: opentibiabr/tools (https://github.com/opentibiabr/tools/tree/master/Tibia%20Client%2012/Tibia%2012)

When I try to log in with the Protocol 12 client, the server crashes and pops up a message:

Code:
terminate called after throwing an instance of 'CryptoPP::Exception'
  what():  InvertibleRSAFunction: computational error during private key operation
Aborted (core dumped)

Server loads without any errors. It is possible to login with Protocol 10.

Edit:

GDB Output:
Code:
Thread 1 "tfs" received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff5df684d in __gnu_cxx::__verbose_terminate_handler() ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007ffff5df46b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff5df4701 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffff5df4919 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff65fe42d in CryptoPP::InvertibleRSAFunction::CalculateInverse(CryptoPP::RandomNumberGenerator&, CryptoPP::Integer const&) const () from /usr/lib/libcrypto++.so.9
#7  0x000000000048b8a7 in RSA::decrypt (this=0xb24bc0 <g_RSA>, 
    msg=0xb4ad08 "\256\364\aEp\352{\317ڧ{\255\036D:\302)\212\211ik\325\362C\v\023\001\343T7\305q\301c\030\252;\301z+Do3w\201\240L\256\265Ha\364\065Hf\231l_H\001\211\325\070ޢ\335\377\243|o\327f'5\020\002Y+X\032l\300\206\236\307m\246\021\323s\205\250\t\226N\337V\023\265j);\307;\247FO\347g\355\302\303o䈥mU\367\220\366\252a\272 k\376\020\260")
    at /home/contatohapikdo/OTServBR-Global/src/rsa.cpp:35
#8  0x00000000004b8afc in Protocol::RSA_decrypt (msg=...)
    at /home/contatohapikdo/OTServBR-Global/src/protocol.cpp:147
#9  0x00000000004baf34 in ProtocolGame::onRecvFirstMessage (this=0xb573e0, msg=...)
    at /home/contatohapikdo/OTServBR-Global/src/protocolgame.cpp:277
#10 0x000000000073856e in Connection::parsePacket (this=0xb4ace0, error=...)
    at /home/contatohapikdo/OTServBR-Global/src/connection.cpp:269
Python Exception <class 'gdb.error'> There is no member or method named _M_refcount.: 
#11 0x0000000000745737 in std::_Mem_fn_base::_M_call (this=0x7fffffffe0d8, __ptr=, __args#0=...)
    at /usr/include/c++/5/functional:634
Python Exception <class 'gdb.error'> There is no member or method named _M_refcount.: 
#12 0x000000000074467a in std::_Mem_fn_base::operator() (this=0x7fffffffe0d8, __object=, __args#0=...)
    at /usr/include/c++/5/functional:610
#13 0x0000000000743281 in std::_Bind::__call(<unknown type in /home/contatohapikdo/OTServBR-Global/tfs, CU 0x3c60c3, DIE 0x3e77ec>, std::_Index_tuple) (this=0x7fffffffe0d8, 
    __args=<unknown type in /home/contatohapikdo/OTServBR-Global/tfs, CU 0x3c60c3, DIE 0x3e77ec>)
    at /usr/include/c++/5/functional:1074
#14 0x00000000007416be in std::_Bind::operator() (this=0x7fffffffe0d8, __args#0=..., 
    __args#1=@0x7fffffffe0d0: 144) at /usr/include/c++/5/functional:1133
#15 0x000000000073ef2c in boost::asio::detail::read_op<boost::asio::basic_stream_socket<boost::asio::ip::tcp, boost::asio::stream_socket_service<boost::asio::ip::tcp> >, boost::asio::mutable_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (Connection::*)(boost::system::error_code const&)> (std::shared_ptr<Connection>, std::_Placeholder<1>)> >::operator()(boost::system::error_code const&, unsigned long, int) (
    this=0x7fffffffe0b0, ec=..., bytes_transferred=144, start=0) at /usr/include/boost/asio/impl/read.hpp:282
#16 0x0000000000715e70 in boost::asio::detail::binder2::operator() (this=0x7fffffffe0b0)
    at /usr/include/boost/asio/detail/bind_handler.hpp:127
#17 0x0000000000715dd3 in boost::asio::asio_handler_invoke (function=...)
    at /usr/include/boost/asio/handler_invoke_hook.hpp:69
#18 0x0000000000715c6a in boost_asio_handler_invoke_helpers::invoke (function=..., context=...)
    at /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#19 0x000000000071586f in boost::asio::detail::asio_handler_invoke (function=..., this_handler=0x7fffffffe0b0)
---Type <return> to continue, or q <return> to quit---
    at /usr/include/boost/asio/impl/read.hpp:502
#20 0x0000000000715539 in boost_asio_handler_invoke_helpers::invoke (function=..., context=...)
    at /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#21 0x0000000000714bb6 in boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1, boost::asio::detail::read_op<boost::asio::basic_stream_socket<boost::asio::ip::tcp, boost::asio::stream_socket_service<boost::asio::ip::tcp> >, boost::asio::mutable_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (Connection::*)(boost::system::error_code const&)> (std::shared_ptr<Connection>, std::_Placeholder<1>)> > >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) (owner=0xb49090, base=0xb57240)
    at /usr/include/boost/asio/detail/reactive_socket_recv_op.hpp:110
#22 0x000000000045656a in complete (this=0xb57240, owner=..., ec=..., bytes_transferred=0)
    at /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#23 0x00000000004572bc in do_run_one (this=0xb49090, lock=..., this_thread=..., ec=...)
    at /usr/include/boost/asio/detail/impl/task_io_service.ipp:372
#24 0x0000000000457012 in run (this=0xb49090, ec=...)
    at /usr/include/boost/asio/detail/impl/task_io_service.ipp:149
#25 0x00000000004573eb in run (this=0x7fffffffe358) at /usr/include/boost/asio/impl/io_service.ipp:59
#26 0x0000000000458365 in ServiceManager::run() (this=0x7fffffffe320)
    at /home/contatohapikdo/OTServBR-Global/src/server.cpp:45
#27 0x00000000004fe301 in main (argc=1, argv=0x7fffffffe518)
    at /home/contatohapikdo/OTServBR-Global/src/otserv.cpp:87
 
Try to create a new db and reinstall the aac, and import the schema on the new db
I've already done that. I tested on different machines running Ubuntu 19.04, 18.04 and 16.04, and also with Debian 9.
I don't think the database is related to this issue, as it appears to be related to crypto++.
Thank you for your answer.
 
Code:
Thread 1 "tfs" received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Can you check if the file `key.pem` exists in the datapack root? If yes, try to set your user as the file owner and the permissions to 600.
 
Change your "decrypt" function in rsa.cpp to:
Code:
void RSA::decrypt(char* msg) const
{
    try {
        // Interpret the 128-byte block as a big-endian integer.
        CryptoPP::Integer m{reinterpret_cast<uint8_t*>(msg), 128};
        // Private-key operation; throws CryptoPP::Exception on failure.
        auto c = pk.CalculateInverse(prng, m);
        // Write the result back over the input buffer.
        c.Encode(reinterpret_cast<uint8_t*>(msg), 128);
    } catch (const CryptoPP::Exception& e) {
        // Swallow the error so it cannot terminate the process; msg is left unchanged.
    }
}
Because "CalculateInverse" will throw when exponentiation fails, this means that if you try to connect with any RSA key other than the one the server expects, it will crash; you can literally crash every server that runs on the crypto++ library (that is what you get for changing something that's working (gmp calculations) for something else without even checking what to expect from this library). You're probably not the first person to find this, but others literally don't care about even mentioning it to the tfs devs (I wouldn't be surprised if there are other functions that can throw, but I don't have time to check the tfs source).
 
Solution
Can you check if the file `key.pem` exists in the datapack root? If yes, try to set your user as the file owner and the permissions to 600.
Yes, it is. I tried what you said and played with file permissions; however, it didn't work.


Change your "decrypt" function in rsa.cpp to:
Code:
void RSA::decrypt(char* msg) const
{
    try {
        CryptoPP::Integer m{reinterpret_cast<uint8_t*>(msg), 128};
        auto c = pk.CalculateInverse(prng, m);
        c.Encode(reinterpret_cast<uint8_t*>(msg), 128);
    } catch (const CryptoPP::Exception& e) {
    }
}
Because "CalculateInverse" will throw when exponentiation fails, this means that if you try to connect with any RSA key other than the one the server expects, it will crash; you can literally crash every server that runs on the crypto++ library (that is what you get for changing something that's working (gmp calculations) for something else without even checking what to expect from this library). You're probably not the first person to find this, but others literally don't care about even mentioning it to the tfs devs (I wouldn't be surprised if there are other functions that can throw, but I don't have time to check the tfs source).

That's what I was thinking that I could literally crash every server using that source.
That worked, the server doesn't crash anymore. Now I wonder why the developers of these OTBR can log in (I still can't) without any problem.

Really interested in what you said about "throw". Going to take a look into it.

Edit:
The thing is, I was trying to log in with a modified client without changing the RSA key; that's how I found that bug. If the correct RSA is provided, then the client works as intended.
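
The failure mode discussed in this thread, as an added example that is not code from the thread or from the TFS/OTServBR sources: Crypto++'s CalculateInverse re-checks its own result and throws when the check fails, which always happens for an input block whose integer value is not below the modulus. The sketch models that with a constructed toy key and plain integers (no Crypto++ needed); `calculateInverse`, `decryptChecked` and `serveAll` are hypothetical names, and the decrypt step reports failure so the caller drops one connection instead of the process aborting.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed toy key (NOT a real key): n = 61 * 53, e = 17, d = 2753.
constexpr uint64_t N = 3233, E = 17, D = 2753;

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    for (base %= mod; exp != 0; exp >>= 1, base = base * base % mod)
        if (exp & 1) result = result * base % mod;
    return result;
}

// Stand-in for the library call: compute c^d mod n, re-encrypt, and throw if
// the round trip does not reproduce the input (always the case when c >= n).
uint64_t calculateInverse(uint64_t c) {
    uint64_t m = modpow(c, D, N);
    if (modpow(m, E, N) != c)
        throw std::runtime_error("computational error during private key operation");
    return m;
}

// Hardened wrapper: range-check first, catch anything the primitive throws,
// and tell the caller whether `out` holds a usable plaintext.
bool decryptChecked(uint64_t c, uint64_t& out) {
    if (c >= N) return false;            // not a valid residue for this key
    try {
        out = calculateInverse(c);
        return true;
    } catch (const std::exception&) {
        return false;                    // never let it reach std::terminate
    }
}

// Hypothetical first-message handler: returns how many connections were
// dropped; the process keeps serving the remaining ones.
int serveAll(const std::vector<uint64_t>& firstBlocks) {
    int dropped = 0;
    for (uint64_t block : firstBlocks) {
        uint64_t plain = 0;
        if (!decryptChecked(block, plain)) ++dropped;   // close this socket only
    }
    return dropped;
}

int main() {
    // Constructed input: one well-formed block, one block that is out of range.
    return serveAll({modpow(65, E, N), N + 5}) == 1 ? 0 : 1;
}
```

With the `void` signature used in the thread, the buffer is left exactly as received when the exception is caught, so the caller still has to treat its contents as untrusted; returning a status as above makes that explicit.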
 