Hey there,
Just as the title says, there's an exploit/bug whatever you wanna call it that apparently lets you dupe your items. Sadly, I don't know what kind of dupe, is it just desyncing so you can use that item to scam or you get a completely legit item. Information isn't completely available.
Tried injecting buys/registers/settlements with fake/invalid data and errors are working fine (some causing disconnections).
Here're some information that might help you if you decide to help in this investigation^^
Client references:
GameServer references:
Database calls:
On data request a function is being called with data found on address 00453F2B to select the items from database [on every call, so nothing is being saved in the gameserver memory as far as I checked, well ofc a dump of the data but each time a request is sent gameserver requests the data from the database].
Example of the gameserver call:
Bugs found so far:
On injecting a buy request (a legit one), the item is bought but, not shown at the inventory except after a teleport.
Been trying since yesterday to find that dupe with @[Only registered and activated users can see links. Click Here To Register...] since a lot of people confirmed its existence, but with no success yet.
If you have any question/information/rumors about this issue, your contribution is welcomed. The only solution people seem to have now is completely disabling consignment (that isn't cool). Consignment is a good option to have.
Thank you and happy hacking!
*Item Movement works while item is not registered yet [NPC selected].
Just as the title says, there's an exploit/bug whatever you wanna call it that apparently lets you dupe your items. Sadly, I don't know what kind of dupe, is it just desyncing so you can use that item to scam or you get a completely legit item. Information isn't completely available.
Tried injecting buys/registers/settlements with fake/invalid data and errors are working fine (some causing disconnections).
Here're some information that might help you if you decide to help in this investigation^^
Client references:
Code:
005CC6E3 PUSH sro_clie.00D94610 UNICODE "UIIT_STT_OPEN_MARKET_ITEM_SEARCH" 005CC773 PUSH sro_clie.00D94658 UNICODE "UIIT_STT_OPEN_MARKET_ITEM_ENTER" 005CC803 PUSH sro_clie.00D94698 UNICODE "UIIT_STT_OPEN_MARKET_ITEM_CALCULATE" 005CC95F PUSH sro_clie.00D94758 UNICODE "UIIT_STT_OPEN_MARKET_SEARCH" 005CC9DC PUSH sro_clie.00D94720 UNICODE "UIIT_STT_OPEN_MARKET_ENTER" 005CCA4D PUSH sro_clie.00D946E0 UNICODE "UIIT_STT_OPEN_MARKET_CALCULATE" 005CCB3D PUSH sro_clie.00D94610 UNICODE "UIIT_STT_OPEN_MARKET_ITEM_SEARCH" 005DE007 PUSH sro_clie.00D94F6C UNICODE "UIIT_MSG_OPEN_MARKET_ENTER" 005DE05C PUSH sro_clie.00D94F30 UNICODE "UIIT_MSG_OPEN_MARKET_WARNING" 005DEDE7 PUSH sro_clie.00D95090 UNICODE "UIIT_STT_OPEN_MARKET_TEMP_ENTER_CANCEL_ALL" 005DEE20 PUSH sro_clie.00D95040 UNICODE "UIIT_STT_OPEN_MARKET_ENTER_CANCEL_ALL" 005DEE70 PUSH sro_clie.00D94FF8 UNICODE "UIIT_STT_OPEN_MARKET_ENTER_CANCEL" 005DEED5 PUSH sro_clie.00D94FA8 UNICODE "UIIT_STT_OPEN_MARKET_TEMP_ENTER_CANCEL" 005E3486 PUSH sro_clie.00D95108 UNICODE "UIIT_STT_OPEN_MARKET_ADD_ENTERD_ERROR" 005E34F6 PUSH sro_clie.00D95190 UNICODE "UIIT_STT_OPEN_MARKET_SELL_IMPOSSIBLE" 005E3DE9 PUSH sro_clie.00D951E0 UNICODE "UIIT_STT_OPEN_MARKET_CHECKBOX_ERROR" 005E6A92 PUSH sro_clie.00D95340 UNICODE "UIIT_STT_OPEN_MARKET_ENTER_PAGE_ERROR" 005F2E5F PUSH sro_clie.00D95788 UNICODE "UIIT_STT_OPEN_MARKET_MIN_TEXT_ERROR" 005F2EB8 PUSH sro_clie.00D95748 UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR" 005F3053 PUSH sro_clie.00D95748 UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR" 005F3E53 PUSH sro_clie.00D9594C UNICODE "UIIT_STT_OPEN_MARKET_WAITING" 005F41EE PUSH sro_clie.00D95A98 UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_DELETE_WAIT" 005F4249 PUSH sro_clie.00D95A20 UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_TRADE_FINISH" 005F42A3 PUSH sro_clie.00D959C0 UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_TRADE_ENTER" 005F52AA PUSH sro_clie.00D95E3C UNICODE "UIIT_STT_OPEN_MARKET_TIME_OVER" 007B9D16 PUSH sro_clie.00DC2D78 UNICODE "UIIT_MSG_FLEAMARKET_ERR_CANT_OPEN_MARKET_IN_RIDESTATE" 007B9D2A PUSH sro_clie.00DC2CB0 UNICODE "UIIT_MSG_FLEAMARKET_ERR_CANT_OPEN_MARKET_MURDERER" 007BB21A PUSH sro_clie.00D95340 UNICODE "UIIT_STT_OPEN_MARKET_ENTER_PAGE_ERROR" 007BB224 PUSH sro_clie.00DBDFC8 UNICODE "UIIT_STT_OPEN_MARKET_ENTER_ERROR" 007BB22E PUSH sro_clie.00D95190 UNICODE "UIIT_STT_OPEN_MARKET_SELL_IMPOSSIBLE" 007BB24C PUSH sro_clie.00DBDF50 UNICODE "UIIT_STT_OPEN_MARKET_BUYING_ERROR" 007BB256 PUSH sro_clie.00D95748 UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR" 007BB260 PUSH sro_clie.00DBDF00 UNICODE "UIIT_STT_OPEN_MARKET_COST_OVER_ERROR" 007BB26A PUSH sro_clie.00DBDEC0 UNICODE "UIIT_STT_OPEN_MARKET_TEXT_ERROR" 007BB271 PUSH sro_clie.00DBDE68 UNICODE "UIIT_STT_OPEN_MARKET_RECEIPTED_ITEM_ERROR" 007BB278 PUSH sro_clie.00DBDE18 UNICODE "UIIT_STT_OPEN_MARKET_CANCEL_ITEM_ERROR" 007BB27F PUSH sro_clie.00D95788 UNICODE "UIIT_STT_OPEN_MARKET_MIN_TEXT_ERROR" 007BB286 PUSH sro_clie.00DBDDC8 UNICODE "UIIT_STT_OPEN_MARKET_ENTERD_PET_ERROR" 0089ACB3 PUSH sro_clie.00DDD618 UNICODE "UIIT_STT_OPEN_MARKET_SELL_COMMODITY" 008A35E6 PUSH sro_clie.00DDE660 UNICODE "UIIT_STT_OPEN_MARKET_ITEM_DELETE" 008A36A0 PUSH sro_clie.00DDE618 UNICODE "UIIT_STT_OPEN_MARKET_SELL_TIME_OVER" 008A3768 PUSH sro_clie.00DDE5E0 UNICODE "UIIT_STT_OPEN_MARKET_SELL" 008A3B60 PUSH sro_clie.00DDE618 UNICODE "UIIT_STT_OPEN_MARKET_SELL_TIME_OVER" 008A3C10 PUSH sro_clie.00DDE728 UNICODE "UIIT_STT_OPEN_MARKET_DELETE_WARNING" 008A3D77 PUSH sro_clie.00DDE5E0 UNICODE "UIIT_STT_OPEN_MARKET_SELL" 008A3E27 PUSH sro_clie.00DDE728 UNICODE "UIIT_STT_OPEN_MARKET_DELETE_WARNING"
GameServer references:
Code:
00452569 PUSH SR_GameS.00AE3B98 ASCII "AQ_OpenMarket::DoWorkInsert" 004525D6 PUSH SR_GameS.00AE3B98 ASCII "AQ_OpenMarket::DoWorkInsert" 0045285D PUSH SR_GameS.00AE3C04 ASCII "AQ_OpenMarket::DoWorkCancle" 004528CA PUSH SR_GameS.00AE3C04 ASCII "AQ_OpenMarket::DoWorkCancle" 00452B55 PUSH SR_GameS.00AE3C20 ASCII "AQ_OpenMarket::DoWorkPurchase" 00452C0B PUSH SR_GameS.00AE3C20 ASCII "AQ_OpenMarket::DoWorkPurchase" 00452C88 PUSH SR_GameS.00AE3C20 ASCII "AQ_OpenMarket::DoWorkPurchase" 00452DF0 PUSH SR_GameS.00AE3C88 ASCII "LOADTARGET__OPEN_MARKET_SELECT Get Table Failed (%d)" 00452E74 PUSH SR_GameS.00AE3CC0 ASCII "LOADTARGET__OPEN_MARKET_SELECT Get DB_RECORDS Failed (%d)" 00452F0D PUSH SR_GameS.00AE3CFC ASCII "LOADTARGET__OPEN_MARKET_SEARCH Get Table Failed (%d)" 00452F77 PUSH SR_GameS.00AE3D34 ASCII "LOADTARGET__OPEN_MARKET_SEARCH Get DB_RECORDS Failed (%d)" 0045318A PUSH SR_GameS.00AE3D70 ASCII "D:\WORK2005\Source\SilkroadOnline\Server\SR_GameServer\AsyncQuery_OpenMarket.cpp" 0045318F PUSH SR_GameS.00AE3DC4 ASCII "AQ_OpenMarket::DoWorkReceipt" 004531FC PUSH SR_GameS.00AE3DC4 ASCII "AQ_OpenMarket::DoWorkReceipt" 00453418 PUSH SR_GameS.00AE3DE4 ASCII "AQ_OpenMarket::DoWorkUpdate" 00453484 PUSH SR_GameS.00AE3DE4 ASCII "AQ_OpenMarket::DoWorkUpdate" 004546A8 PUSH SR_GameS.00AE4230 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket" 00454723 PUSH SR_GameS.00AE4230 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket" 00454802 PUSH SR_GameS.00AE4230 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket" 00454B02 PUSH SR_GameS.00AE4404 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory" 00454B7D PUSH SR_GameS.00AE4404 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory" 00454C5C PUSH SR_GameS.00AE4404 ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory" 00454DFD PUSH SR_GameS.00AE4438 ASCII "AQ_OpenMarket::_DoWork_Update_Gold" 00455250 PUSH SR_GameS.00AE3B88 ASCII "AQ_OpenMarket" 0045525F MOV EAX,SR_GameS.00AE3B88 ASCII "AQ_OpenMarket" 00455273 PUSH SR_GameS.00AE3B88 ASCII "AQ_OpenMarket" 00477621 PUSH SR_GameS.00AE68BC ASCII "openmarket_goods" 00477681 PUSH SR_GameS.00AE68D0 ASCII "OpenMarketContext" 00477E22 PUSH SR_GameS.00AE68E4 ASCII "OpenMarketContext::EraseItem" 00478414 PUSH SR_GameS.00AE6964 ASCII "COpenMarketAgent::PutoutItemWithDBIDX" 00478542 PUSH SR_GameS.00AE6964 ASCII "COpenMarketAgent::PutoutItemWithDBIDX" 00478566 PUSH SR_GameS.00AE6964 ASCII "COpenMarketAgent::PutoutItemWithDBIDX" 0047872C PUSH SR_GameS.00AE6A58 ASCII "COpenMarketAgent::PutoutItemOverTime" 00478791 PUSH SR_GameS.00AE6A58 ASCII "COpenMarketAgent::PutoutItemOverTime" 004787CB PUSH SR_GameS.00AE6A58 ASCII "COpenMarketAgent::PutoutItemOverTime" 00479047 PUSH SR_GameS.00AE6B50 ASCII "COpenMarketMgr::OnPutonGoodsReq" 00479177 PUSH SR_GameS.00AE6B50 ASCII "COpenMarketMgr::OnPutonGoodsReq" 0047930A PUSH SR_GameS.00AE6C18 ASCII "COpenMarketMgr::OnPutoutGoodsReq" 00479576 PUSH SR_GameS.00AE6C3C ASCII "COpenMarketMgr::OnPurchaseGoodsReq" 0047982B PUSH SR_GameS.00AE6C60 ASCII "COpenMarketMgr::OnSearchReq" 00479B02 PUSH SR_GameS.00AE6CCC ASCII "COpenMarketMgr::OnGoodsDetailDataReq" 00479D67 PUSH SR_GameS.00AE6CF4 ASCII "COpenMarketMgr::OnReceiptReq" 0047A279 PUSH SR_GameS.00AE6D14 ASCII "COpenMarketMgr::OnRELAY_OPEN_MARKET_SOLD_ITEM_NOTICE" 0047A322 PUSH SR_GameS.00AE6D98 ASCII "COpenMarketMgr::UpdateOpenMarketGoods" 0047A5FC PUSH SR_GameS.00AE6DEC ASCII "COpenMarketMgr::CheckSetFeePayable" 0047AC7F PUSH SR_GameS.00AE6E54 ASCII "COpenMarketMgr::CheckPutonItemList" 0047ACEA PUSH SR_GameS.00AE6E54 ASCII "COpenMarketMgr::CheckPutonItemList" 0047B26B PUSH SR_GameS.00AE6F2C ASCII "COpenMarketMgr::PostAsyncQeury" 0047B2A1 PUSH SR_GameS.00AE6F2C ASCII "COpenMarketMgr::PostAsyncQeury" 0047B324 PUSH SR_GameS.00AE7018 ASCII "COpenMarketMgr::AsyncQuerySucceeded" 0047B922 PUSH SR_GameS.00AE706C ASCII "LOADTARGET__OPEN_MARKET_SELECT Get table failed (%d)" 0047B9D2 PUSH SR_GameS.00AE70A8 ASCII "LOADTARGET_OPENMARKET_SELECT Create openmarket search info failed" 0047BB20 PUSH SR_GameS.00AE70F0 ASCII "LOADTARGET__OPEN_MARKET_SELECT Create OpenMarket info failed (%d)" 0047BC2C PUSH SR_GameS.00AE7018 ASCII "COpenMarketMgr::AsyncQuerySucceeded" 0047BC31 PUSH SR_GameS.00AE7138 ASCII "##%s %d## QUERY_OPENMARKET_UPDATE is not logging in logDB. [Status: %d]" 0047BCB1 PUSH SR_GameS.00AE7180 ASCII "COpenMarketMgr::AsyncQueryFailed" 0047BD4F PUSH SR_GameS.00AE7180 ASCII "COpenMarketMgr::AsyncQueryFailed" 0047CFC0 PUSH SR_GameS.00AE68BC ASCII "openmarket_goods" 0047CFCF MOV EAX,SR_GameS.00AE68BC ASCII "openmarket_goods" 0047CFE3 PUSH SR_GameS.00AE68BC ASCII "openmarket_goods" 0047D140 PUSH SR_GameS.00AE68D0 ASCII "OpenMarketContext" 0047D14F MOV EAX,SR_GameS.00AE68D0 ASCII "OpenMarketContext" 0047D163 PUSH SR_GameS.00AE68D0 ASCII "OpenMarketContext" 004935EF PUSH SR_GameS.00AE98B8 ASCII "CGItemCOSSummoner::SetEngagedCOSforOpenMarket" 004935F4 PUSH SR_GameS.00AE98E8 ASCII "##%s %d## Can not handle silk pet in OpenMarket" 004C7611 PUSH SR_GameS.00AEF3B0 ASCII "NPC_OPEN_MARKET_JUEL" 0065553D PUSH SR_GameS.00B04D50 ASCII "CTJ_OpenMarketTicketKeeper::Create() Parameter has NULL Pointer" 00659950 PUSH SR_GameS.00B04D34 ASCII "CTJ_OpenMarketTicketKeeper" 0065995F MOV EAX,SR_GameS.00B04D34 ASCII "CTJ_OpenMarketTicketKeeper" 00659973 PUSH SR_GameS.00B04D34 ASCII "CTJ_OpenMarketTicketKeeper" 00730F13 PUSH SR_GameS.00B0BBB4 ASCII "_OpenMarket" 0085FF47 PUSH SR_GameS.00B0BBB4 ASCII "_OpenMarket"
Database calls:
Code:
004536E2 PUSH SR_GameS.00AE3E00 ASCII "{?=CALL _OpenMarket_Insert(%d,?,%d,%d,%d,%d,%d,%d,%I64d,%I64d,%d,'%d-%d-%d %d:%d:%d','%d-%d-%d %d:%d:%d',%I64d,%I64d,%I64d,%d)}"
004538CA PUSH SR_GameS.00AE3E80 ASCII "{?=CALL _OpenMarket_Receipt(%d,%d,%d)}"
00453ADA PUSH SR_GameS.00AE3EA8 ASCII "{?=CALL _OpenMarket_Cancle(%d,%d,%d,%d,%d,%I64d)}"
00453D1C PUSH SR_GameS.00AE3EE0 ASCII "{?=CALL _OpenMarket_Purchase(%d,%d,?,%d,%d,%d,%I64d,%d,'%d-%d-%d %d:%d:%d')}"
00453F2B PUSH SR_GameS.00AE3F30 ASCII "SELECT TOP 500 * FROM [dbo].[_OpenMarket] WHERE TidGroupID=%d AND ItemClass=%d AND Status=%d AND (0 > DATEDIFF(minute, enddate, '%d-%d-%d %d:%d:%d')) ORDER BY RegDate DESC"
00453F69 PUSH SR_GameS.00AE3FE8 ASCII "SELECT TOP 500 * FROM [dbo].[_OpenMarket] WHERE TidGroupID=%d AND Status=%d AND (0 > DATEDIFF(minute, enddate, '%d-%d-%d %d:%d:%d')) ORDER BY RegDate DESC"
0045434D PUSH SR_GameS.00AE40AC ASCII "{?=CALL _OpenMarket_Update(%d,%d,%d,%d,'%d-%d-%d %d:%d:%d')}"
0045461E PUSH SR_GameS.00AE40F0 ASCII "SELECT IT.* FROM _OpenMarket OM JOIN _ITEMS IT ON OM.ItemID=IT.ID64 WHERE OM.JID=%d AND OM.PersnalID=%d"
00454644 PUSH SR_GameS.00AE4168 ASCII "SELECT BIND.* FROM _OpenMarket OM JOIN _ITEMS IT ON OM.ItemID=IT.ID64 JOIN _BindingOptionWithItem BIND ON IT.ID64=BIND.nItemDBID WHERE OM.JID=%d AND OM.PersnalID=%d"
On data request a function is being called with data found on address 00453F2B to select the items from database [on every call, so nothing is being saved in the gameserver memory as far as I checked, well ofc a dump of the data but each time a request is sent gameserver requests the data from the database].
Example of the gameserver call:
PHP Code:
declare @p1 int
set @p1=0
declare @p3 int
set @p3=16388
declare @p4 int
set @p4=8193
declare @p5 int
set @p5=0
exec sp_cursoropen @p1 output,N'SELECT TOP 500 * FROM [dbo].[_OpenMarket] WHERE TidGroupID=1 AND ItemClass=9 AND Status=0 AND (0 > DATEDIFF(minute, enddate, ''2016-4-6 16:32:3'')) ORDER BY RegDate DESC',@p3 output,@p4 output,@p5 output
select @p1, @p3, @p4, @p5
SELECT TOP 500 * FROM [dbo].[_OpenMarket] WHERE TidGroupID=1 AND ItemClass=9 AND Status=0 AND (0 > DATEDIFF(minute, enddate, '2016-4-6 16:32:3')) ORDER BY RegDate DESC
Bugs found so far:
On injecting a buy request (a legit one), the item is bought but, not shown at the inventory except after a teleport.
Been trying since yesterday to find that dupe with @[Only registered and activated users can see links. Click Here To Register...] since a lot of people confirmed its existence, but with no success yet.
If you have any question/information/rumors about this issue, your contribution is welcomed. The only solution people seem to have now is completely disabling consignment (that isn't cool). Consignment is a good option to have.
Thank you and happy hacking!
*Item Movement works while item is not registered yet [NPC selected].
