Answer to How PWI is exploited

09/23/2011 00:14 ntrceptr#1
You can send yourself most items via the jones blessing website.
Build yourself a webproxy that changes the ITEMID= within the URL POST request and voila... here are the items I know work.

Getting a proxy that does this is up to you... I just provide the info.

28098 Demon/Sage Event Card (50 Event Gold)
31129 Shadow Fox Mount
27999 White Sage Tiger Mount
24725 Scroll of Tome (love up and Down / other tomes)
25150 Wing Trophy Lunar Glade
23972 Cube of Fate Stamp (Neck)
25151 Warsong Marshall Badge (Belt)
23251 Lunar Glade Insignia Ornament (Rings)
18813 Excitement Card (5 mil coins)
30991 Gift Tag - Garnet
30992 Gift Tag - Primeval
31133 Uncanny Ticket (1 uncanny)
31132 Rapture Ticket (1 Rapture)
15049 (+12) Dragon Flame Orb
27761 VIP Diamond Ticket (10 Lucky Coral)
28350 Medal Of Glory
28641 Gen. Summer Token
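The flaw this post describes is a server that mails whatever ITEMID the browser sends. The fix lives on the server: decide what an account may receive from state the server holds, and treat a request outside that set as a tampering signal. Here is that comparison as an added example; it is not the Jones Blessing site's code, and every account name, item id and entitlement table in it is constructed:

```python
"""Reward-claim handler: trusting a client-supplied ITEMID vs. checking it
against a server-side entitlement. Added example; nothing here is the
Jones Blessing site's code, and every user, item id and table is constructed."""
from dataclasses import dataclass


@dataclass
class Entitlement:
    """What the server itself knows an account has earned (constructed)."""
    allowed_item_ids: frozenset
    claimed: bool = False


# Constructed data: the catalogue of everything the site can mail, and the
# one-time reward choices each account has actually earned.
SAMPLE_CATALOGUE = {
    1001: "Small Potion",
    1002: "Medium Potion",
    1003: "Large Potion",
    9999: "Legendary Mount",   # exists, but is never offered as a reward
}
SAMPLE_ENTITLEMENTS = {
    "alice": frozenset({1001, 1002, 1003}),
    "bob": frozenset({1001}),
}


class RewardService:
    def __init__(self, catalogue, entitlements):
        self.catalogue = dict(catalogue)
        self.entitlements = {u: Entitlement(ids) for u, ids in entitlements.items()}
        self.granted = []   # (user, item_id) pairs actually mailed
        self.audit = []     # events a detection rule would read

    def claim_vulnerable(self, user, form):
        """The pattern the post describes: whatever ITEMID the POST body
        carries is mailed, as long as the item exists at all."""
        item_id = int(form["ITEMID"])
        if item_id not in self.catalogue:
            return "unknown item"
        self.granted.append((user, item_id))
        return f"sent {self.catalogue[item_id]}"

    def claim_hardened(self, user, form):
        """Derive what may be granted from server-side state; the client's
        ITEMID is accepted only if it is one of this account's own choices."""
        ent = self.entitlements.get(user)
        if ent is None:
            return "no reward pending"
        if ent.claimed:
            return "already claimed"
        try:
            item_id = int(form.get("ITEMID", ""))
        except ValueError:
            return "bad request"
        if item_id not in ent.allowed_item_ids:
            # A request for an item outside the account's choice set is the
            # tampering signature; record it for the detection side.
            self.audit.append({"user": user, "event": "itemid_mismatch",
                               "requested": item_id,
                               "allowed": sorted(ent.allowed_item_ids)})
            return "not entitled"
        ent.claimed = True            # one reward per entitlement
        self.granted.append((user, item_id))
        return f"sent {self.catalogue[item_id]}"


def make_service():
    """Fresh service over the constructed sample data."""
    return RewardService(SAMPLE_CATALOGUE, SAMPLE_ENTITLEMENTS)


if __name__ == "__main__":
    svc = make_service()
    print(svc.claim_vulnerable("bob", {"ITEMID": "9999"}))  # mailed anyway
    print(svc.claim_hardened("bob", {"ITEMID": "9999"}))    # refused and audited
    print(svc.claim_hardened("bob", {"ITEMID": "1001"}))    # the earned reward
    print(svc.claim_hardened("bob", {"ITEMID": "1001"}))    # cannot double-claim
    print(svc.audit)
```

The hardened handler never needs an encrypted item id in the page (the "crypted item id" mentioned later in the thread): hiding the value from the client does nothing if the server still trusts it, whereas an entitlement check makes the value harmless even in plain sight.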
09/23/2011 00:48 ppjdee#2
thought they put a stop to that?
09/23/2011 00:58 amineurin#3
I hope this info came out after they fixed it.
If not, I'm for deleting the post.
Botting is one thing, but this... really ruins the game.

So the rumors about why +11/+12 were out of the shop so fast... were true.
09/23/2011 03:07 ppjdee#4
Yea, I'm 99% sure the fb and dq pages have already been fixed.
09/23/2011 03:45 amineurin#5
Nope, I took a look at the code of the pages.
JB has an encrypted item id "it seems" to me, since it's not the id from the database.
The DQ page has normal item ids inside the javascript, like the ids from the database.

I did not check the exploit and won't be doing this.
I would love to have some great items like Love Up and Down... but not this way.

For me botting is only about not spending real money on the game.
But this... is like buying a game, using a cheat one time and playing the game in 1 hour.
Wasted time...
09/23/2011 05:30 ppjdee#6
Yea, I agree. If this was abused it would be pointless to even log onto the game the next day, and I hope they get this corrected soon. It could ruin the game (more than it is).
09/23/2011 20:10 omarranimado#7
nice, thx4 info!
09/24/2011 11:20 lkdrake#8
Thanks for the info, but for god's sake explain how exactly I can do that.

Tried to search for it everywhere, tried to find the ID I should change but was not able to find it. Please someone explain before it gets fixed.

It's the best Exploit EVER
___________________
Ok, after a few tries I found some information:

First:

After logging in on both facebook and ur acc and getting to choose the Jones Blessing Item

On google chrome u click the right mouse button and go to Check Html Source,

there u may find the Jones Blessing ID

and the box that says the Item ID number that u have chosen

So the question is how do I change that number and send it back with the number I want?

In theory we r able to send any item to the game since the dumb website asks for the ID of the item to send (LOL)

There u can also see the server, ur char etc, so can anyone who is good at html do it for us?

This explains why there are more than 12 Love and Down books on Auction all with the same price
09/24/2011 14:44 amineurin#9
^^this is fixed and hopefully never comes back
and to ur question... the answer is already in the first post.
09/24/2011 18:11 Smurfin#10
This exploit surfaced only recently, but the Jones Blessing website was already up for quite a long time. Do you ppl think many of those with fully refined armors and weapons at +12 have already been using this since god-knows-how-long?
09/24/2011 18:27 Interest07#11
Quote:
Originally Posted by Smurfin View Post
This exploit surfaced only recently, but the Jones Blessing website was already up for quite a long time. Do you ppl think many of those with fully refined armors and weapons at +12 have already been using this since god-knows-how-long?
I don't think a lot of them, but definitely some yeah. I mean, these things you usually don't spread around too much.
09/24/2011 20:35 amineurin#12
The best is how easy it was, since I never thought to change the item id in the script and see what happens.

I'm really too lazy to make a new account, farm some dragon points and see what happens on the reward page.
Maybe the items are bound to the character... but some 100 event gold cards, changed to stuff to sell in the boutique, can make it.
If u use ff and greasemonkey it will go fast to change the script^^

But for me, that's too easy if it works and destroys my gameplay.
I don't really play pwi like a mmorpg, I play it more like a financial game.
Trading makes much fun, with botting I get some stuff to sell and the money needed to start selling good stuff.

But days later, it's unbelievable for me... what the monkey had coded there -.-

ps: Interest07, can u plz help me out with the packet number for buy/sell to catshop :) ?
09/24/2011 22:24 Interest07#13
Quote:
Originally Posted by amineurin View Post
The best is how easy it was, since I never thought to change the item id in the script and see what happens.

I'm really too lazy to make a new account, farm some dragon points and see what happens on the reward page.
Maybe the items are bound to the character... but some 100 event gold cards, changed to stuff to sell in the boutique, can make it.
If u use ff and greasemonkey it will go fast to change the script^^

But for me, that's too easy if it works and destroys my gameplay.
I don't really play pwi like a mmorpg, I play it more like a financial game.
Trading makes much fun, with botting I get some stuff to sell and the money needed to start selling good stuff.

But days later, it's unbelievable for me... what the monkey had coded there -.-

ps: Interest07, can u plz help me out with the packet number for buy/sell to catshop :) ?
Yeah, I got 'em somewhere in my catshop bot, I'll dig 'em up later :)

Code:
        private int sellSingleCatShopItemAddress;
        private byte[] sellSingleCatShopItemAddressRev;
        private byte[] sellSingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x15, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0xA8, 0x00, 0x50, 0x39,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00,                 //shopIndex
            0x00, 0x00,                 //inv index
            0x00, 0x00                    //amount
        };

        public void sellSingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId, short invIndex)
        {
            //Get size of the packet
            int packetSize = sellSingleCatShopItemPkt.Length;

            if (sellSingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(sellSingleCatShopItemPkt, ref sellSingleCatShopItemAddress, ref sellSingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 30, shopIndexRev);

            byte[] invIndexRev = BitConverter.GetBytes(invIndex);
            invIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 32, invIndexRev);
            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 34, amountRev);
            sendPacket(sellSingleCatShopItemAddressRev, packetSize);
        }


        private int buySingleCatShopItemAddress;
        private byte[] buySingleCatShopItemAddressRev;
        private byte[] buySingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x13, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00, 0x00, 0x00,      //shopIndex
            0x00, 0x00                    //amount
        };

        public void buySingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId)
        {
            //Get size of the packet
            int packetSize = buySingleCatShopItemPkt.Length;

            if (buySingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(buySingleCatShopItemPkt, ref buySingleCatShopItemAddress, ref buySingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 30, shopIndexRev);

            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 34, amountRev);
            sendPacket(buySingleCatShopItemAddressRev, packetSize);
        }
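The byte arrays above document a wire format: a 2-byte header 0x25, a 4-byte interaction type, a 4-byte count of bytes following, then a 26-byte body whose fields the comments name. Anyone looking at this from the server or anti-cheat side wants a decoder that checks those declared lengths before trusting any field. The following is an added example, not code from Interest07's bot; the layout and the two type values (0x15 in the array named sellSingleCatShopItemPkt, 0x13 in buySingleCatShopItemPkt) are taken from the post, the field names follow its comments, the four uncommented bytes after the two zero dwords are reported simply as "unknown", and the sample packets are constructed:

```python
"""Decode and sanity-check the 0x25 npcInteraction packets quoted above.

Added example, not code from the bot in the post. Layout: 2-byte header,
4-byte interaction type, 4-byte length, then the body; sell body is the
sellSingleCatShopItemPkt array (type 0x15), buy body is
buySingleCatShopItemPkt (type 0x13). Sample packets are constructed."""
import struct

HEADER_ID = 0x25
TYPE_SELL = 0x15   # value in sellSingleCatShopItemPkt
TYPE_BUY = 0x13    # value in buySingleCatShopItemPkt

# Body layouts, little-endian, following the comments in the post. The
# third dword of the sell body (A8 00 50 39 in the post) carries no comment
# there, so it is decoded as an opaque 'unknown' value.
SELL_BODY = struct.Struct("<IIIIIHHH")  # catshop, zero, unknown, nItems, typeId, shopIdx, invIdx, amount
BUY_BODY = struct.Struct("<IIIIIIH")    # catshop, zero, zero, nItems, typeId, shopIdx, amount


class PacketError(ValueError):
    """Raised when a packet does not match the documented layout."""


def parse_npc_interaction(data):
    """Return a dict of fields, or raise PacketError for a malformed packet.

    Comparing the declared length with the bytes actually present, and the
    body size with the layout for that type, is the consistency check a
    server or an anti-cheat sensor should apply before acting on any field."""
    if len(data) < 10:
        raise PacketError("truncated header")
    header, itype, nbytes = struct.unpack_from("<HII", data, 0)
    if header != HEADER_ID:
        raise PacketError("unexpected header 0x%02X" % header)
    body = data[10:]
    if nbytes != len(body):
        raise PacketError("declared %d body bytes, found %d" % (nbytes, len(body)))
    if itype == TYPE_SELL:
        if nbytes != SELL_BODY.size:
            raise PacketError("sell body must be %d bytes" % SELL_BODY.size)
        catshop, _zero, unknown, n_items, type_id, shop_idx, inv_idx, amount = SELL_BODY.unpack(body)
        return {"kind": "sell", "catshop_id": catshop, "unknown": unknown,
                "n_items": n_items, "type_id": type_id, "shop_index": shop_idx,
                "inv_index": inv_idx, "amount": amount}
    if itype == TYPE_BUY:
        if nbytes != BUY_BODY.size:
            raise PacketError("buy body must be %d bytes" % BUY_BODY.size)
        catshop, _zero1, _zero2, n_items, type_id, shop_idx, amount = BUY_BODY.unpack(body)
        return {"kind": "buy", "catshop_id": catshop, "n_items": n_items,
                "type_id": type_id, "shop_index": shop_idx, "amount": amount}
    raise PacketError("unknown interaction type 0x%02X" % itype)


# Constructed sample captures (not real traffic): catshop id 0x1234,
# typeId 555, shop index 3, amount 2; the sell packet carries inventory
# index 7 and the unlabelled A8 00 50 39 bytes exactly as in the post.
SAMPLE_SELL = bytes.fromhex(
    "2500 15000000 1a000000 34120000 00000000 a8005039 01000000 2b020000 0300 0700 0200")
SAMPLE_BUY = bytes.fromhex(
    "2500 13000000 1a000000 34120000 00000000 00000000 01000000 2b020000 03000000 0200")


def check_capture(packets):
    """Classify a list of captured packets as ('ok', kind) or ('reject', reason)."""
    results = []
    for pkt in packets:
        try:
            results.append(("ok", parse_npc_interaction(pkt)["kind"]))
        except PacketError as exc:
            results.append(("reject", str(exc)))
    return results


if __name__ == "__main__":
    for pkt in (SAMPLE_SELL, SAMPLE_BUY, SAMPLE_SELL[:-2]):
        try:
            print(parse_npc_interaction(pkt))
        except PacketError as exc:
            print("rejected:", exc)
```

The decoder keeps the length field and the per-type body size as separate checks because they fail differently: a truncated or padded capture trips the first, a packet whose type byte does not match its body trips the second.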
09/25/2011 22:27 amineurin#14
Thank you :handsdown:
For the comments too, now I understand a bit more!
First I saw the number, let's say 2500131A, as the packet number only, for a special case.
Quote:
0x25, 0x00, //Header
0x13, 0x00, 0x00, 0x00, //npcInteraction type
0x1A, 0x00, 0x00, 0x00, //nBytes following
In this case for now I see 13 is the one for selling and 15 for buying.
There's a header and more, and not only a number command in all.

Too bad, now I have to wait a week to test it all.
Monday is coming... work, work and work :o
09/26/2011 14:39 Shareen#15
Quote:
Originally Posted by Interest07 View Post
Code:
        private int sellSingleCatShopItemAddress;
        private byte[] sellSingleCatShopItemAddressRev;
        private byte[] sellSingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x15, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0xA8, 0x00, 0x50, 0x39,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00,                 //shopIndex
            0x00, 0x00,                 //inv index
            0x00, 0x00                    //amount
        };
There seems to be a comment missing for the line:
0xA8, 0x00, 0x50, 0x39
;)

Just in case you happen to know what it is: it differs from the value in my packet dumps and I can't map it to any known values.