CD Projekt's Cyberpunk 2077 Update 2.0 + Phantom Liberty Expansion Thread

Myobi

Liturgist
Joined
Feb 26, 2016
Messages
1,522
 

racofer

Thread Incliner
Joined
Apr 5, 2008
Messages
25,923
Location
Your ignore list.
It gets better:
https://forums.cdprojektred.com/index.php?threads/important-pc-version-vulnerability.11078852/


The vulnerability was discovered a little while ago but only now CDPR acknowledges it, by shifting blame to modders. Whatever happened to Marcin Iwiński "owning up to their mistakes". Apparently, something happened over at the Geforce Now platform where this vulnerability was used to gain privileged access, so expect more to come out of this.

Here is a summary about the vulnerability:
https://github.com/PixelRick/CyberpunkSaveEditor/blob/main/README.md
A quick summary about the vulnerability I found in the game
The vulnerability impacts DATA files. A buffer overflow can be triggered in the game when it loads those files. The reason is that the game uses a buffer of 512 bytes to serialize a maximum of 512 wide-characters for identifier strings, and that is 1024 bytes (a wide-character is 2 bytes). This buffer overflow can be exploited with the help of a second vulnerability that is a third-party library that the game uses: xinput1_3.dll. This dynamic library is not relocatable and thus is a direct bypass for a security feature called ASLR (Address Space Layout Randomization). Also, this library is enough to build a ROP-chain to bypass DEP (Data Execution Prevention) in order to execute code that has been inlined in the overflowed buffer. (This ROP-chain won't be disclosed any time soon as it represents a risk not only for CP77 but for every piece of software using it..)

I chose to work on the most scary scenario that is code hidden in harmless-looking save files. When the game does read this file it uses a specific reader object that I use in the shellcode to read more after the 1024 bytes string and thus load an even bigger shellcode.. this second shellcode does different things: it hides the exploit from the file reader so that it can load the original save file afterwards; it reads a payload dll and manually maps it; it repairs the stack to be able to call load_save again; it repairs other things I won't disclose here; it does a copy of the exploit in memory; it hooks the file writing method to be able to inject the exploit in future save files when the game does save or auto-save.. At this point it is what we could call a virus-dropper worm that would use save files sharing to spread. Don't worry though, the only version I shared with trustworthy people is one that crashes the game and has no worm capabilities at all. But it is possible someone else found it earlier and kept the information secret, and that's why cdpr relayed the warning to the community.

This is a shared responsibility between CDPR for the buffer overflow and Microsoft for not providing a safe backward compatible version of xinput to companies in need. CDPR did fix the buffer overflow internally, and this fix is expected to arrive with one of the next two patches.

Thanks to yamashi who is currently protecting people from this exploit by patching the first vulnerability dynamically with his mod https://github.com/yamashi/CyberEngineTweaks/ that is used by many.

Please mind that it is only about data files. Once the vulnerability is patched, only data files will be safe to use again (texture, model mods, saves, etc..), whereas executable mods will remain potentially dangerous and will always be (so at least check their authors and comments about them first).

There wasn't any bug bounty program so I received peanuts for the discovery.

If you wish to thank me for it, I wouldn't be against being offered a cyberpunk t-shirt ;)
 
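The README quoted above describes a unit mismatch: the parser enforces a limit of 512 wide characters, but the destination buffer holds 512 bytes, so a maximal identifier writes 1024 bytes into it. The C program below is an added illustration and is not code from the game, from PixelRick's repository or from anyone in this thread. The function names, the serialized form (a little-endian u16 count followed by that many u16 code units) and the payload are constructed for the demo. It runs the same identifier through a reader with the mismatched check and through one that checks against the destination's capacity in bytes, with a canary region after the buffer so the overrun is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names modelled on the quoted description: the buffer is 512 bytes,
 * the parser's limit is 512 UTF-16 code units (2 bytes each), so a maximal
 * identifier needs 1024 bytes. The serialized form is constructed for this demo. */
#define IDENT_BUF_BYTES 512
#define IDENT_MAX_CHARS 512
#define CANARY_BYTE     0xCC

typedef struct { const uint8_t *p; size_t len; size_t pos; } reader_t;

static int read_u16(reader_t *r, uint16_t *out) {
    if (r->len - r->pos < 2) return 0;
    *out = (uint16_t)(r->p[r->pos] | ((uint16_t)r->p[r->pos + 1] << 8));
    r->pos += 2;
    return 1;
}

/* Vulnerable: the bound is checked in characters, but dst holds IDENT_BUF_BYTES
 * bytes. 512 code units pass the check and 1024 bytes get written. */
static int read_ident_vulnerable(reader_t *r, uint8_t *dst) {
    uint16_t n, cu;
    if (!read_u16(r, &n) || n > IDENT_MAX_CHARS) return -1;
    for (size_t i = 0; i < n; i++) {
        if (!read_u16(r, &cu)) return -1;
        dst[2 * i]     = (uint8_t)(cu & 0xFF);
        dst[2 * i + 1] = (uint8_t)(cu >> 8);
    }
    return (int)n;
}

/* Hardened: the bound is the destination's capacity in bytes, and the file must
 * actually contain the bytes it announces (no read past a truncated file). */
static int read_ident_safe(reader_t *r, uint8_t *dst, size_t dst_bytes) {
    uint16_t n, cu;
    if (!read_u16(r, &n)) return -1;
    size_t need = (size_t)n * sizeof(uint16_t);
    if (need > dst_bytes || need > r->len - r->pos) return -1;
    for (size_t i = 0; i < n; i++) {
        if (!read_u16(r, &cu)) return -1;
        dst[2 * i]     = (uint8_t)(cu & 0xFF);
        dst[2 * i + 1] = (uint8_t)(cu >> 8);
    }
    return (int)n;
}

/* Constructed payload: count n, then n copies of `fill`. Returns bytes written. */
static size_t build_ident_payload(uint8_t *out, size_t cap, uint16_t n, uint16_t fill) {
    size_t need = 2 + 2 * (size_t)n;
    if (need > cap) return 0;
    out[0] = (uint8_t)(n & 0xFF);
    out[1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) {
        out[2 + 2 * i] = (uint8_t)(fill & 0xFF);
        out[3 + 2 * i] = (uint8_t)(fill >> 8);
    }
    return need;
}

/* The arena stands in for a stack frame: the 512-byte buffer followed by 512
 * bytes of canary in place of whatever really follows it (locals, saved
 * registers, return address). Writing into the second half is the overflow. */
static int canary_intact(const uint8_t *arena) {
    for (size_t i = IDENT_BUF_BYTES; i < 2 * IDENT_BUF_BYTES; i++)
        if (arena[i] != CANARY_BYTE) return 0;
    return 1;
}

/* Runs one reader over an n-unit identifier; returns the reader's result and
 * reports through *intact whether the canary survived. */
static int run_case(int safe, uint16_t n, int *intact) {
    uint8_t payload[2 + 2 * IDENT_MAX_CHARS];
    uint8_t arena[2 * IDENT_BUF_BYTES];
    size_t len = build_ident_payload(payload, sizeof payload, n, 0x4141);
    reader_t r = { payload, len, 0 };
    memset(arena, CANARY_BYTE, sizeof arena);
    int rc = safe ? read_ident_safe(&r, arena, IDENT_BUF_BYTES)
                  : read_ident_vulnerable(&r, arena);
    *intact = canary_intact(arena);
    return rc;
}

int demo_vulnerable_clobbers_canary(void) { int ok; int rc = run_case(0, IDENT_MAX_CHARS, &ok); return rc == IDENT_MAX_CHARS && !ok; }
int demo_safe_rejects_oversized(void)   { int ok; int rc = run_case(1, IDENT_MAX_CHARS, &ok); return rc == -1 && ok; }
int demo_safe_accepts_fitting(void)     { int ok; int rc = run_case(1, IDENT_BUF_BYTES / 2, &ok); return rc == IDENT_BUF_BYTES / 2 && ok; }

int main(void) {
    printf("vulnerable reader overwrote the canary: %s\n", demo_vulnerable_clobbers_canary() ? "yes" : "no");
    printf("hardened reader rejected 512 code units: %s\n", demo_safe_rejects_oversized() ? "yes" : "no");
    printf("hardened reader accepted 256 code units: %s\n", demo_safe_accepts_fitting() ? "yes" : "no");
    return 0;
}
```

The fix is not "make the buffer 1024 bytes"; it is to compare the number of bytes about to be written against the capacity of the destination in the same unit, at the point of the write, and to refuse counts the input cannot back. Sizing the check in the same unit as the buffer is what closes the class, whichever of the two constants is later changed.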

Twiglard

Poland Stronk
Patron
Staff Member
Joined
Aug 6, 2014
Messages
7,535
Location
Poland
What do you mean you don't force DYNAMICBASE in Windows settings? All Windows binaries are already position-independent.
 
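Whether a given DLL opts into ASLR is recorded in the image itself: the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (0x0040) in the optional header's DllCharacteristics, which the linker sets with /DYNAMICBASE. An image that additionally has IMAGE_FILE_RELOCS_STRIPPED (0x0001) set in the file header carries no relocation data and cannot be moved from its preferred ImageBase by anyone, not even by the "mandatory ASLR" mitigation setting that forces rebasing of images lacking DYNAMICBASE. The C program below is an added example, not code from this thread or from the game, that reads those two flags from a PE header; the test images it builds in memory are constructed header-only stubs, not real DLLs, and it makes no claim about the actual flags of xinput1_3.dll beyond what the quoted README states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values from the PE/COFF specification (winnt.h names). */
#define IMAGE_FILE_RELOCS_STRIPPED                0x0001
#define IMAGE_FILE_DLL                            0x2000
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA  0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE     0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT        0x0100

typedef struct {
    int      pe32plus;             /* 1 for 64-bit (PE32+), 0 for PE32 */
    uint16_t file_characteristics; /* IMAGE_FILE_HEADER.Characteristics */
    uint16_t dll_characteristics;  /* IMAGE_OPTIONAL_HEADER.DllCharacteristics */
    int      aslr_opt_in;          /* DYNAMIC_BASE set */
    int      relocs_stripped;      /* no relocation info: cannot be rebased at all */
} pe_aslr_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void     wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parses only the headers; every offset is checked against `len` before use.
 * Returns 0 on success, -1 if the buffer is not a PE image we can read. */
int pe_aslr_inspect(const uint8_t *img, size_t len, pe_aslr_info_t *out) {
    memset(out, 0, sizeof *out);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3C);                     /* e_lfanew */
    /* signature(4) + file header(20) + optional header through DllCharacteristics (0x48) */
    if (nt > len || len - nt < 4 + 20 + 0x48) return -1;
    const uint8_t *sig = img + nt;
    if (memcmp(sig, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = sig + 4;
    if (rd16(fh + 16) < 0x48) return -1;                /* SizeOfOptionalHeader too small */
    out->file_characteristics = rd16(fh + 18);
    const uint8_t *oh = fh + 20;
    uint16_t magic = rd16(oh);
    if (magic == 0x10B) out->pe32plus = 0;
    else if (magic == 0x20B) out->pe32plus = 1;
    else return -1;
    out->dll_characteristics = rd16(oh + 0x46);         /* same offset in PE32 and PE32+ */
    out->aslr_opt_in     = (out->dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    out->relocs_stripped = (out->file_characteristics & IMAGE_FILE_RELOCS_STRIPPED) != 0;
    return 0;
}

/* 1 if the loader will randomize this image's base, 0 if it loads at ImageBase. */
int pe_is_aslr_candidate(const pe_aslr_info_t *i) { return i->aslr_opt_in && !i->relocs_stripped; }

/* Constructed header-only image for the demo: not a real DLL, just enough bytes
 * for pe_aslr_inspect to read. Returns bytes written. */
size_t build_test_image(uint8_t *buf, size_t cap, int pe32plus, uint16_t file_chars, uint16_t dll_chars) {
    const uint32_t nt = 0x80;
    const uint16_t opt_size = pe32plus ? 0xF0 : 0xE0;
    size_t need = nt + 4 + 20 + opt_size;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, nt);
    memcpy(buf + nt, "PE\0\0", 4);
    uint8_t *fh = buf + nt + 4;
    wr16(fh + 0, pe32plus ? 0x8664 : 0x014C);           /* Machine: x64 or i386 */
    wr16(fh + 16, opt_size);
    wr16(fh + 18, file_chars);
    uint8_t *oh = fh + 20;
    wr16(oh, pe32plus ? 0x20B : 0x10B);
    wr16(oh + 0x46, dll_chars);
    return need;
}

/* A modern x64 DLL linked with /DYNAMICBASE /NXCOMPAT /HIGHENTROPYVA. */
int demo_modern_dll_is_randomized(void) {
    uint8_t buf[512]; pe_aslr_info_t info;
    size_t n = build_test_image(buf, sizeof buf, 1, IMAGE_FILE_DLL,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA);
    return pe_aslr_inspect(buf, n, &info) == 0 && pe_is_aslr_candidate(&info);
}

/* A legacy 32-bit DLL linked without DYNAMICBASE and with relocations stripped:
 * it always loads at ImageBase, so every gadget in it sits at a known address. */
int demo_legacy_dll_is_fixed(void) {
    uint8_t buf[512]; pe_aslr_info_t info;
    size_t n = build_test_image(buf, sizeof buf, 0, IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED, 0);
    return pe_aslr_inspect(buf, n, &info) == 0 && !pe_is_aslr_candidate(&info) && info.relocs_stripped;
}

/* A buffer that starts with MZ but has no NT headers behind it must be rejected. */
int demo_truncated_rejected(void) { uint8_t buf[64] = { 'M', 'Z' }; pe_aslr_info_t i; return pe_aslr_inspect(buf, sizeof buf, &i) == -1; }

int main(int argc, char **argv) {
    if (argc > 1) {  /* inspect a real file: only the headers are needed */
        uint8_t hdr[4096]; pe_aslr_info_t info;
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
        if (pe_aslr_inspect(hdr, n, &info) != 0) { fprintf(stderr, "not a readable PE image\n"); return 1; }
        printf("%s: %s DllCharacteristics=0x%04x DYNAMICBASE=%d RELOCS_STRIPPED=%d -> %s\n",
               argv[1], info.pe32plus ? "PE32+" : "PE32", info.dll_characteristics,
               info.aslr_opt_in, info.relocs_stripped,
               pe_is_aslr_candidate(&info) ? "base randomized" : "fixed base (usable to bypass ASLR)");
        return 0;
    }
    printf("modern dll randomized: %d\n", demo_modern_dll_is_randomized());
    printf("legacy dll fixed base: %d\n", demo_legacy_dll_is_fixed());
    return 0;
}
```

Run it with a path to any DLL to print its flags. The parser reports only what the image opts into; system-wide mitigation policy can additionally force-rebase a DYNAMICBASE-less image, but only when the image still carries a .reloc section, which is exactly what the RELOCS_STRIPPED bit tells you is absent.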

Gargaune

Arcane
Joined
Mar 12, 2020
Messages
3,731
It gets better:
https://forums.cdprojektred.com/index.php?threads/important-pc-version-vulnerability.11078852/
What a circus. "MODS WILL FIX SECURE IT!" I've never understood the appeal of downloading someone else's save, but still, this is something else.
 

DeepOcean

Arcane
Joined
Nov 8, 2012
Messages
7,405
Also, modders discovered that most clothing mods and some cyberware don't apply their effect and every single ultimate perk in the game breaks on reload, yes, this after the latest patch, they still didn't fix it. Yeah boys, so much for that "The PC version is perfect, we are only having problems with consoles." that Marcin was bullshitting about.
 

racofer

Thread Incliner
Joined
Apr 5, 2008
Messages
25,923
Location
Your ignore list.
Also, modders discovered that most clothing mods and some cyberware don't apply their effect and every single ultimate perk in the game breaks on reload, yes, this after the latest patch, they still didn't fix it. Yeah boys, so much for that "The PC version is perfect, we are only having problems with consoles." that Marcin was bullshitting about.
 

Bad Sector

Arcane
Patron
Joined
Mar 25, 2012
Messages
2,334
On one hand: I doubt most games have super secure savegame loading mechanisms. Aren't they one of the typical means for console jailbreaks?
On the other hand: Buffer overflows in 2021 are a sure sign of horrendous coding practices.

Nah, it is extremely common in games to assume all data are valid, after all they're not made with security in mind. Exception being online games (and engines like unity/unreal that are often used for online games), but when it comes to singleplayer games - especially those using custom engines - you can crash a lot of them by inserting random bytes in savegames, data files, etc.

But TBH this is the case with any data file or program, downloading random crap from the Internet can harm your computer - just because it doesn't have an .exe extension it doesn't mean it is safe. I think people are overblowing this.
 

Bliblablubb

Arcane
Joined
Mar 1, 2014
Messages
2,925
Location
Copium Den
Turns out I might have been blaming the game for a violent bug that might not (entirely) have been its fault after all. :oops:
As I said before, my game liked to crash repeatedly on startup during the title cards for... reasons.
I had read about people having similar problems thanks to Galaxy overlays, but since I am not using it, I dismissed that.
But it brought my suspicions about the Radeon bloatware back up. So, I made a new clean install of all drivers and fired it up again, FOR SCIENCE.
Lo and behold, no crashes anymore. Where it would crash, I now get... a tiny "press alt-r for options" overlay.

What. The. Fuck.

How can the failure to display that lead to violent crashes up to bluescreens? :hahano:

But, I am not beyond admitting if I was wrong, so: Sorry game. Probably. :salute:
 

Gargaune

Arcane
Joined
Mar 12, 2020
Messages
3,731
According to this, CP77 has had 2 million copies refunded: https://youtu.be/hNYIe7Aj2zw
I saw that last night but the premise is flawed, you can't extrapolate from YouTuber fan communities to the general gaming public. Much as we might look down on them as plebs, anyone who follows a gaming YouTuber and actually bothers to vote on their polls (on Twitter, to boot) is still far, far more engaged with core gaming than the average consumer, and therefore more likely to take an active approach to their videogame spending and demand a refund. There are other issues, like how he can't know how many of his own respondents had already refunded the game by the point the 13 million figure was published, but that's academic at this point, the sample's not representative.
 

Bliblablubb

Arcane
Joined
Mar 1, 2014
Messages
2,925
Location
Copium Den
So he is basing his clickbait news on a youtube poll?
Yeah, I know why I try to stay away from those YouTube mudcrabs...

But on that topic, are there reliable numbers about refunds out there?
Especially ones split up by platform. The console versions had enough problems to warrant refunds, but I for one am curious how many PC customers, their core audience, decided to jump ship early.
 

Gargaune

Arcane
Joined
Mar 12, 2020
Messages
3,731
But on that topic, are there reliable numbers about refunds out there?
Especially ones split up by platform. The console versions had enough problems to warrant refunds, but I for one am curious how many PC customers, their core audience, decided to jump ship early.
None that I'm aware of. Hard enough to get solid, detailed sales figures from companies, let alone "customers thought our product sucked so bad they actually bothered to ask for their money back" numbers.

I don't need any of the forewarning, but even 1 million refunds is significant.
Purely on gut feeling, I'd suspect they're in the hundreds of thousands. Which would still be exceptionally high, mind you, but I'd be surprised if they broke the million mark.
 

Myobi

Liturgist
Joined
Feb 26, 2016
Messages
1,522
"The PC version is perfect, we are only having problems with consoles."

"Sounds fucking legit."
Adolf Hitler, 1896 Vietnam
Well, he actually said the PC version isn't perfect but he is very proud of it, I wouldn't use the word proud in there and "isn't perfect" is the understatement of the decade. :lol:

Yeah, he actually said the opposite of what you quoted, I know. As for them being proud of it despite it being far from perfect... I mean, c'mon dude, even ya mommy and pappy are probably proud of something like you, and that's perfectly okay.
 

DeepOcean

Arcane
Joined
Nov 8, 2012
Messages
7,405
Yeah, he actually said the opposite of what you quoted, I know. As for them being proud of it despite it being far from perfect... I mean, c'mon dude, even ya mommy and pappy are probably proud of something like you, and that's perfectly okay.
Man, a cuck for CDProjeckt saying other people aren't perfect is irony incarnate.
 

Bad Sector

Arcane
Patron
Joined
Mar 25, 2012
Messages
2,334
How can the failure to display that lead to violent crashes up to bluescreens

In general, unless applications install their own driver or kernel modules, they cannot bluescreen a computer - this has been one of the most basic features of CPUs with memory management going back to the 80s (though in mainstream consumer PC OSes it really arrived with Windows XP). Bluescreens happen due to either OS or -more often- driver bugs. Those bugs can be triggered by applications, however the fault for the crash lies with the driver, not the application. This is also why Microsoft after XP tried to move a lot of the work graphics drivers do into user space (where applications run and cannot crash the OS) and away from kernel space (where drivers run and can crash the OS). Windows XP had this separation too but it also had a lot of stuff done in kernel space and thus bugs in the drivers could crash the OS (in Vista a crash in the driver often just causes the driver to be restarted, thus avoiding bringing down the whole OS).

So in modern Windows whenever you see a bluescreen, it is certainly a driver or an OS bug with the former being *way* more likely, or in some cases, a hardware failure.
 

Myobi

Liturgist
Joined
Feb 26, 2016
Messages
1,522
Man, a cuck for CDProjeckt saying other people aren't perfect is irony incarnate.


Roflmao :popcorn:
 
