Release 2.13.1 (#1270)

Author: ShrBox

LiteLoader/include/liteloader/Version.h

@@ -6,7 +6,7 @@
 
 #define LITELOADER_VERSION_MAJOR 2
 #define LITELOADER_VERSION_MINOR 13
-#define LITELOADER_VERSION_REVISION 0
+#define LITELOADER_VERSION_REVISION 1
 #define LITELOADER_VERSION_COMMIT_SHA UNKNOWN
 #define LITELOADER_VERSION_STATUS LITELOADER_VERSION_DEV
 #define LITELOADER_VERSION_STATUS_VERSION 0

LiteLoader/include/llapi/mc/ExtendedStreamReadResult.hpp

@@ -17,6 +17,10 @@
 struct ExtendedStreamReadResult {
 
 #define AFTER_EXTRA
+    ExtendedStreamReadResult(StreamReadResult result, std::string resultContext) {
+        this->result = result;
+        this->resultContext = resultContext;
+    }
     StreamReadResult result;
     std::string resultContext;
 #undef AFTER_EXTRA

LiteLoader/src/liteloader/BuiltinBugFix.cpp

@@ -173,16 +173,17 @@ TInstanceHook(void, "?moveSpawnView@Player@@QEAAXAEBVVec3@@V?$AutomaticID@VDimen
         return original(this, pos, dimid);
     fixPlayerPosition(this, false);
 }
-// 这个函数没有了，我也不知这个修的是啥，就注释了
-//TClasslessInstanceHook(__int64,
-//                       "?move@ChunkViewSource@@QEAAXAEBVBlockPos@@H_NW4ChunkSourceViewGenerateMode@@V?$function@$$"
-//                       "A6AXV?$buffer_span_mut@V?$shared_ptr@VLevelChunk@@@std@@@@V?$buffer_span@I@@@Z@std@@@Z",
-//                       BlockPos a2, int a3, unsigned __int8 a4, int a5, __int64 a6) {
-//    if (validPosition(a2))
-//        return original(this, a2, a3, a4, a5, a6);
-//    fixPlayerPosition(movingViewPlayer);
-//    return 0;
-//}
+
+TClasslessInstanceHook(
+    __int64,
+    "?move@ChunkViewSource@@QEAAXAEBVBlockPos@@H_NW4ChunkSourceViewGenerateMode@@V?$function@$$A6AXV?$buffer_span_mut"
+    "@V?$shared_ptr@VLevelChunk@@@std@@@@V?$buffer_span@I@@@Z@std@@PEBM@Z",
+    BlockPos a2, int a3, bool a4, enum class ChunkSourceViewGenerateMode a5, void* a6, void* a7, const float* a8) {
+    if (validPosition(a2))
+        return original(this, a2, a3, a4, a5, a6, a7, a8);
+    fixPlayerPosition(movingViewPlayer);
+    return 0;
+}
 
 TInstanceHook(void, "?move@Player@@UEAAXAEBVVec3@@@Z", Player, Vec3 pos) {
     if (validPosition(pos))
@@ -191,6 +192,53 @@ TInstanceHook(void, "?move@Player@@UEAAXAEBVVec3@@@Z", Player, Vec3 pos) {
     this->kick("error move");
 }
 
+// Built-in packet filter
+// #include "llapi/mc/NetworkPeer.hpp"
+// #include "llapi/mc/NetworkConnection.hpp"
+// static inline bool checkPktId(unsigned int id) {
+//    id &= 0x3ff;
+//    return id==0 || id == 0x01 || id == 0x5e || id == 0xc1;
+//}
+//
+// static inline bool& connState(void* conn) {
+//    return dAccess<bool, 362>(conn);
+//}
+//
+// TInstanceHook(NetworkPeer::DataStatus,
+//              "?receivePacket@NetworkConnection@@QEAA?AW4DataStatus@NetworkPeer@@AEAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AEAVNetworkSystem@@AEBV?$shared_ptr@V?$time_point@Usteady_clock@chrono@std@@V?$duration@_JU?$ratio@$00$0DLJKMKAA@@std@@@23@@chrono@std@@@5@@Z",
+//              NetworkConnection, string* data, __int64 a3, __int64** a4) {
+//    auto status = original(this, data, a3, a4);
+//    if (status == NetworkPeer::DataStatus::HasData) {
+//        auto stream = ReadOnlyBinaryStream(*data, false);
+//        auto packetId = stream.getUnsignedVarInt();
+//        if (packetId == 0) {
+//            data->clear();
+//            return NetworkPeer::DataStatus::NoData;
+//        }
+//        if (!data->empty()) {
+//            if (checkPktId(packetId)) {
+//                connState(this) = true;
+//            } else {
+//                if (!connState(this)) {
+//                    data->clear();
+//                    return NetworkPeer::DataStatus::NoData;
+//                }
+//            }
+//        }
+//    }
+//    return status;
+//}
+//
+// THook(void*,
+//      "??0NetworkConnection@@QEAA@AEBVNetworkIdentifier@@V?$shared_ptr@VNetworkPeer@@@std@@V?$time_point@Usteady_clock@"
+//      "chrono@std@@V?$duration@_JU?$ratio@$00$0DLJKMKAA@@std@@@23@@chrono@3@_NV?$NonOwnerPointer@VIPacketObserver@@@"
+//      "Bedrock@@AEAVScheduler@@@Z",
+//      void* thi, void* a1, void* a2, void* a3, void* a4, void* a5, void* a6, void* a7) {
+//    auto res = original(thi, a1, a2, a3, a4, a5, a6,a7);
+//    connState(thi) = false;
+//    return res;
+//}
+
 // Fix wine stop
 TClasslessInstanceHook(void, "?leaveGameSync@ServerInstance@@QEAAXXZ") {
     original(this);
@@ -302,9 +350,8 @@ TClasslessInstanceHook(
     return original(this, a2, a3, a4, a5, a6, a7, a8, a9);
 }
 
-// Try Fix BDS Crash
+// Try fixing BDS crash
 // Beta
-
 THook(void*, "??0ScopedTimer@ImguiProfiler@@QEAA@PEBD0_N@Z", void* self, char* a2, char* a3, char a4) {
     if (ll::globalConfig.enableFixBDSCrash) {
         return nullptr;
@@ -405,6 +452,7 @@ TInstanceHook(std::shared_ptr<class ChunkViewSource>,
     auto result = ChunkViewSource(chunkSource, ChunkSource::LoadMode::Deferred);
     return std::make_shared<ChunkViewSource>(result);
 }
+
 /*
 // Fix carried item display
 // Fix armor display
@@ -463,25 +511,28 @@ TClasslessInstanceHook(void, "?sendEvent@ActorEventCoordinator@@QEAAXAEBV?$Event
     }
 }
 */
-// Fix LevelChunkPacket crash
-#include "llapi/mc/LevelChunkPacket.hpp"
-
-TInstanceHook(StreamReadResult, "?_read@LevelChunkPacket@@EEAA?AW4StreamReadResult@@AEAVReadOnlyBinaryStream@@@Z",
-              LevelChunkPacket, ReadOnlyBinaryStream* bs) {
-    size_t readPointer = bs->getReadPointer();
-    bs->getVarInt();
-    bs->getVarInt();
-    unsigned int varInt = bs->getUnsignedVarInt();
-    if (varInt != -2) {
-        bs->getUnsignedVarInt();
-    }
-    bool boolean = bs->getBool();
-    if (boolean) {
-        varInt = bs->getUnsignedVarInt();
-        if (varInt > 10000) {
-            return StreamReadResult::Valid;
-        }
+// Fix horion client's crash module
+#include "llapi/mc/PlayerListPacket.hpp"
+#include "llapi/mc/ExtendedStreamReadResult.hpp"
+
+TInstanceHook(ExtendedStreamReadResult,
+              "?readExtended@PlayerListPacket@@UEAA?AUExtendedStreamReadResult@@AEAVReadOnlyBinaryStream@@@Z",
+              PlayerListPacket, ReadOnlyBinaryStream) {
+    return ExtendedStreamReadResult{StreamReadResult::Valid, ""};
+}
+
+// Fix SubClient exploit: Getting OP by using OP's xuid to join server
+#include "llapi/mc/SubClientLoginPacket.hpp"
+
+TInstanceHook(StreamReadResult, "?_read@SubClientLoginPacket@@EEAA?AW4StreamReadResult@@AEAVReadOnlyBinaryStream@@@Z",
+              SubClientLoginPacket, class ReadOnlyBinaryStream& binaryStream) {
+    size_t readPointer = binaryStream.getReadPointer();
+    unsigned int header = binaryStream.getUnsignedInt();
+    unsigned int senderSubClientId = (header >> 10) & 3;
+    unsigned int targetSubClientId = (header >> 12) & 3;
+    binaryStream.setReadPointer(readPointer);
+    if (targetSubClientId != 0 || senderSubClientId != 0) {
+        return StreamReadResult::Valid;
     }
-    bs->setReadPointer(readPointer);
-    return original(this, bs);
+    return original(this, binaryStream);
 }

RELEASE_NOTES.md

@@ -1,16 +1,17 @@
-# Release 2.13.0
+# Release 2.13.1
 
 ![BDS 1.19.81.01](https://img.shields.io/badge/BDS-1.19.81.01-blue?style=for-the-badge) ![Protocol 582](https://img.shields.io/badge/Protocol-582-orange?style=for-the-badge)
 
-## Added
+# Notice
 
-feat(llse): effect method of Entity(#1225) (#1236) (by @harryxi)
-feat: adapt to 1.19.81 (#1237) (by @ShrBox @dreamguxiang @OEOTYAN @quizhizhe @Tsubasa6848)
+This version has fixed two destructive BDS vulnerabilities, please update as quickly as possible
 
+[//]: # (## Added)
 ## Changed
 
-refactor: add unused module.exports for BaseLib.js (#1230) (by @student_2333)
+- refactor: remove LevelChunkPacket hook because its vulnerability has been fixed
 
 ## Fixed
 
-fix: fix #1232 (#1235) (by @harryxi)
+- fix: add hook to fix PlayerListPacket's memory leak vulnerability
+- fix: add hook to fix SubClient exploit