yet_another_alt
Member
Not even going to pretend I understand this.
[SOLVED] IMPORTANT: PC version vulnerability
If you plan to use Cyberpunk mods/custom saves on PC, use caution. We've been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs. Issue will be fixed ASAP. For now, please refrain from using files from unknown sources. Edit: The...
forums.cdprojektred.com
Here's the git from the modder that discovered the vulnerability
CyberpunkSaveEditor/README.md at main · PixelRick/CyberpunkSaveEditor
A tool to edit Cyberpunk 2077 sav.dat files. Contribute to PixelRick/CyberpunkSaveEditor development by creating an account on GitHub.
github.com
As for the drama portion, apparently CDPR is offloading the blame on modders but modders are claiming the exploit is in the base game itself and is present on consoles and even GeForce NOW. Here's a quote from the previously linked CDPR forums:
Ok, I feel like I need to say something, this kind of bad practice has to stop.
Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.
I wasn't planning on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.
What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.
What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.
Just so you know, everyone, this isn't just a PC issue; every platform is affected.
It has been exploited to gain access to GeForce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
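The bug class named in the quoted post (a string loader that trusts a length read from a save file), shown as an added example that is not the game's code or anything posted in the thread. The record layout, function names and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (assumed, not the game's real format):
   [u16 little-endian length][length bytes of string data]. */
enum { LOAD_OK = 0, LOAD_TRUNCATED = -1, LOAD_TOO_LONG = -2 };

/* Constructed sample inputs. */
const uint8_t sample_ok[]    = { 0x05, 0x00, 'V', 'a', 'l', 'u', 'e' };
const uint8_t sample_lying[] = { 0xFF, 0xFF, 'A' };  /* claims 65535 bytes */
char name_buf[16];

/* Unchecked pattern behind this bug class: the copy size comes straight
   from the file. Shown for contrast only; never called here. */
void load_string_unchecked(const uint8_t *in, char *dst)
{
    size_t n = (size_t)in[0] | ((size_t)in[1] << 8);
    memcpy(dst, in + 2, n);   /* n is controlled by whoever wrote the file */
    dst[n] = '\0';
}

/* Checked loader: the length must fit both the bytes actually present and
   the destination (including the terminator) before anything is copied. */
int load_string_checked(const uint8_t *in, size_t in_len,
                        char *dst, size_t dst_cap, size_t *consumed)
{
    if (in_len < 2) return LOAD_TRUNCATED;        /* no room for the header */
    size_t n = (size_t)in[0] | ((size_t)in[1] << 8);
    if (n > in_len - 2) return LOAD_TRUNCATED;    /* length runs past input */
    if (n >= dst_cap) return LOAD_TOO_LONG;       /* no room for data + NUL */
    memcpy(dst, in + 2, n);
    dst[n] = '\0';
    if (consumed) *consumed = 2 + n;
    return LOAD_OK;
}

int main(void)
{
    int rc = load_string_checked(sample_ok, sizeof sample_ok,
                                 name_buf, sizeof name_buf, NULL);
    printf("well-formed record: rc=%d value=\"%s\"\n", rc, name_buf);
    rc = load_string_checked(sample_lying, sizeof sample_lying,
                             name_buf, sizeof name_buf, NULL);
    printf("oversized length field: rc=%d (rejected)\n", rc);
    return 0;
}
```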