[Guide]Exploits -logic, examples, solutions

~~go for it~~ · 09/25/2012, 14:08

what exploit is

Socket any item exploit

being gm/pm on any trinity base source EXPLOIT/BACKDOOR
me and (refused to mention his name) was hacking on some p.s and we did bypass the login of the dedi and we did made a pm at the database then i took copy of the source (trinity base which is actually public) and i found this exploit not fixed (figured out how dumb i was to waste couple of hrs to bypass the login)

Spoiler

more exploits coming , keep in touch , im still searching everything for possible exploits
im also releasing my packet structure for +5500 and +5600 also some more stuff i won't use anymore cuz my college started a week ago and i want 6*A+

but seriously i was like :O when i saw such an exploits/backdoors , it's fun to figure them out and abuse them then release how to fix them

i did edit this post couple of days ago and i was to release it but i did remove it simply because no one will thank me and no one will appreciate it but i decided to release it (personal reasons)

well coming in few mins a more common exploits of npcs dialogs and how people abuse them and if i didn't took all night talking to my bitch ill release +5500 packet structure and how server handle them and more stay tuned
peace out
btw yes im andrewxxx

well now with the common stupid exploits you do while programming an npc dialog without noticing them
ill give now an example for the same npc
lets pick someone like jail npc
THIS FUCKING SHIT IS IMPORTANT AND ILL SHOW YOU THE RESULT

Spoiler

Code:

                            case 10081: //Jail npc
                                {
                                    switch (npcRequest.OptionID)
                                    {
                                        case 0:
                                            {
                                                dialog.Text("Hello there. I can teleport you in jail for the amount of 1000 silvers. Do you want to proceed?");
                                                dialog.Option("Sure.", 1);
                                                dialog.Option("I'm standing by.", 255);
                                                dialog.Send();
                                                break;
                                            }
                                        case 1:
                                            {
                                                if (client.Entity.Money >= 1000)
                                                {
                                                    client.Entity.Money -= 1000;
                                                    client.Entity.Teleport(6000, 32, 72);
                                                }
                                                else
                                                {
                                                    dialog.Text("You need 1000 silvers to be able to enter the jail.");
                                                    dialog.Option("Alright.", 255);
                                                }
                                                break;
                                            }
                                    }
                                    break;
                                }

Code:

                            case 10081: //Jail npc
                                {
                                    switch (npcRequest.OptionID)
                                    {
                                        case 0:
                                            {
                                                dialog.Text("Hello there. I can teleport you in jail for the amount of 1000 silvers. Do you want to proceed?");
                                                dialog.Option("Sure.", 1);
                                                dialog.Option("I'm standing by.", 255);
                                                dialog.Send();
                                                break;
                                            }
                                        case 1:
                                            {
                                                if (client.Entity.Money >= 1000)
                                                {
                                                    dialog.Text("you sure you want to go in this hell !!");
                                                    dialog.Option("go for it.", 2);
                                                    dialog.Option("no nigga ill get the fuck out , peace out", 255);
                                                    dialog.Send();
                                                }
                                                else
                                                {
                                                    dialog.Text("You need 1000 silvers to be able to enter the jail.");
                                                    dialog.Option("Alright.", 255);
                                                }
                                                break;
                                            }
                                        case 2:
                                            {
                                                client.Entity.Money -= 1000;
                                                client.Entity.Teleport(6000, 32, 72);
                                                dialog.Text("Enjoy this mf hell");
                                                dialog.Send();
                                                break;
                                            }
                                    }
                                    break;
                                }

HERE
wanna see the result of a stupid programming and the exploit at those prams ?

this exploit i've mentioned above can destroy your server if someone did abuse it and the reason is you didn't add a decent check on the tele and only at the pram(dialog)
this exploit working with same shit but with cps and working with items (like getting the get out of botjail or get in some map with an item then drop it and loot it , and for example the well known exploit at the moonbox quest when you can drop the token and pass !)

so yes this exploits is pretty enough to destroy any server and you don't log data to see the progress of players to figure out if there is an exploit

but what i really mean out of this example I MADE UP (yes i did change this npc to do tho and it's written in the first form in the source , so i made it up to point this out)
i made this up to give you a logic at programming/gaming called exploits logic , how to get into something that you should not get in
i can get right now more than 20 more exploits to you but i don't want to give you exploits and solutions i want to give you the logic of how to make sure your source is exploitless and how to test the npcs and new quests you release

peace out , will release the packet structures and stuff tonight or tomorrow

the masters · 09/27/2012, 05:38

Multi beautiful wish for more interesting topics

~~go for it~~ · 09/27/2012, 06:38

thanks mate , check out the last part i've written ^^

shadowman123 · 09/27/2012, 06:51

you began to Impress me Really .. GJ (Y)

~~go for it~~ · 09/27/2012, 06:53

thanks mate

that made my day

~~pro4never~~ · 09/27/2012, 07:15

I always wonder what people were thinking when they leave such obvious holes in their logic...

#1: Socketing exploit. It's common sense to double check SERVER SIDE item info based on item UID to calculate what the cost (if even valid) is to socket it.

#2: Backdoors: That's what you get for using a public source without at least looking through it. They are lucky if that's the only backdoor in it. I've seen plenty that have database wiping backdoors to completely shut down your server if they see you're using their source.

#3: This boils down to you not checking gold/CP as it's modified. It's often nice practice to use get/set accessors as well as helper methods to assist with validating any input which can be re-used throughout the source.

EG:

public ushort Money
{
get { return _money; }
set { value < 0? _money = 0: _money = value; }
}

Add in any client updating code here if you want and as always, check AS you are removing anything or you're asking for trouble in any coding project.

Moral of the story, no code should ever blindly accept input. One of the first things they will teach you in any entry level programming course is to validate user input. In he case of online games you have to be concerned not only with normal invalid input (I typed in something wrong and you need to give me feedback and let me enter it again) but also deceptive input (I'm going to purposely search for and exploit holes in your code).

It's something you should constantly be considering when writing absolutely any level of code.

~~go for it~~ · 09/27/2012, 07:27

yup i agree with you , you should always check on action not before it
but what do you expect from someone who can't really write his own source
anyway i wish people learn from this on how to fix exploits and what is the exploit and what is the logic behind it

updated the thread with what is the exploit , commonly used exploits and an example for it explaining it

shadowman123 · 09/27/2012, 16:08

159 Views and just 4 thanks and 6 Comments 3 of them Are OP's for such a Great Thread like that ??!! .. what a Negative Pathetic Community

~~go for it~~ · 09/27/2012, 16:30

Quote:

Originally Posted by shadowman123

159 Views and just 4 thanks and 6 Comments 3 of them Are OP's for such a Great Thread like that ??!! .. what a Negative Pathetic Community

sadly :\ elitepvpers is not the same anymore

-impulse- · 09/27/2012, 20:27

Quote:

Originally Posted by pro4never

EG:
public ushort Money
{
get { return _money; }
set { value < 0? _money = 0: _money = value; }
}

It wouldn't work like that given you would use an unsigned type (I know it's just an example, but still give a proper example)

In CO's case a int would work fine with the given example like this:

public int Money
{
get { return _money; }
set { value < 0? _money = 0: _money = value; }
}

When it's about exploits, the type used for variables is the most important thing, for instance, if you would use signed variables for money(gold/cps) whenever you would do an unchecked difference the server wouldnt allow you to actually use what you see on your client (like 2,147kkk gold) because on other checks like for trying to get in jail the next time you would use the npc it would look like this

if(-2147...000 > 1000)
{ // will never happen

}

Another mention should be noted for synchronization and volatile variables.
Aside CSV3, there is no source on elitepvpers (for CO server emulation) that uses volatile variables or locks when modifying variables like the inventory, gold, cps, etc.
This is the exploiter's heaven (if I may), considering that no matter how many checks you do, if your server runs on a multithreaded packet handler, there will be times when spamming one kind of packet will get you incredible results, even though server-side it shouldn't.

To successfully use this kind of exploits you would need one of those:
1. a proxy
2. a lot of players on the to-be-exploited server

Explanations
1. a proxy - with a proxy you can send 1,000 packets in a seconds (if the internet and your net adapter allows you). This would be very bad for a server that doesn't use synchronization techniques.
2. a lot of players on the to-be-exploited server - many players on a server means many packets to handle every single second, all you'd have to do would be to spam one action and you should get some nice results

Example 1. Gold exploit
Using any of the given scenarios of the above, spam buying a item from a shop, given you have like 30 slots free in your inventory and enough money to buy atleast 25.
Spam the action and you might end up with a very nice amount of currency in your pocket!
-Do not be fooled though -- for the shopping mall you'd have to do buy 1 item at a time

Example 2. Equip/unequip items
Most servers will load/unload your stats as you equip/unequip your gear. Spam equipping one kind of gears like headgears (have like 20 in your inventory and right click like a nut-bag).
Eventually you'll see incredible stats (easy to see on latest version servers as they have the stats window).

Enjoy!

~~I don't have a username~~ · 09/27/2012, 20:54

There is always sql injection for most mysql based servers.

~~go for it~~ · 09/28/2012, 05:20

Quote:

Another mention should be noted for synchronization and volatile variables.
Aside CSV3, there is no source on elitepvpers (for CO server emulation) that uses volatile variables or locks when modifying variables like the inventory, gold, cps, etc.
This is the exploiter's heaven (if I may), considering that no matter how many checks you do, if your server runs on a multithreaded packet handler, there will be times when spamming one kind of packet will get you incredible results, even though server-side it shouldn't.

To successfully use this kind of exploits you would need one of those:
1. a proxy
2. a lot of players on the to-be-exploited server

Explanations
1. a proxy - with a proxy you can send 1,000 packets in a seconds (if the internet and your net adapter allows you). This would be very bad for a server that doesn't use synchronization techniques.
2. a lot of players on the to-be-exploited server - many players on a server means many packets to handle every single second, all you'd have to do would be to spam one action and you should get some nice results

Example 1. Gold exploit
Using any of the given scenarios of the above, spam buying a item from a shop, given you have like 30 slots free in your inventory and enough money to buy atleast 25.
Spam the action and you might end up with a very nice amount of currency in your pocket!
-Do not be fooled though -- for the shopping mall you'd have to do buy 1 item at a time

Example 2. Equip/unequip items
Most servers will load/unload your stats as you equip/unequip your gear. Spam equipping one kind of gears like headgears (have like 20 in your inventory and right click like a nut-bag).
Eventually you'll see incredible stats (easy to see on latest version servers as they have the stats window).

Enjoy!

yup that's actually works , i notice this with exp when i use the proxy and killing way to fast (no sleep) i was getting weird exp
but the worst is over here
when i do send way too many packets i get wrong packets

i was begging pro/jacob/hybird to tell me what's wrong with my packets splitting system but they told me i should not use the splitting system and receive header/body instead , i was pretty sure that the code works and it's the server who send me wrong packets (AS I WAS LOGGING THEM)
and when you was talking about locks i was like "YES YES THIS COULD BE THE MF REASON" as im using the packets splitting system that is already used in server

-impulse- · 09/28/2012, 10:25

Quote:

Originally Posted by go for it

yup that's actually works , i notice this with exp when i use the proxy and killing way to fast (no sleep) i was getting weird exp
but the worst is over here
when i do send way too many packets i get wrong packets
i was begging pro/jacob/hybird to tell me what's wrong with my packets splitting system but they told me i should not use the splitting system and receive header/body instead , i was pretty sure that the code works and it's the server who send me wrong packets (AS I WAS LOGGING THEM)
and when you was talking about locks i was like "YES YES THIS COULD BE THE MF REASON" as im using the packets splitting system that is already used in server

So long your client does not disconnect the problem is at your proxy. It would be wise to have a specific packet quue that will dequeue when a packet is available given the header and body lengths. It might not work fine (with or without) if you don't use locks.

~~go for it~~ · 09/28/2012, 11:18

Quote:

Originally Posted by -impulse-

So long your client does not disconnect the problem is at your proxy. It would be wise to have a specific packet quue that will dequeue when a packet is available given the header and body lengths. It might not work fine (with or without) if you don't use locks.

well about client part yes sometimes it doesn't disconnect but this wrong packets last for maybe 10-30 seconds which **** it up (sometimes it does)
well it's not "wrong packet"
it's incomplete packet
so when i receive the rest i treat it as a new packet which **** it up
so yes header/body network class with sending/receiving queue would be perfect but sadly im still an ******* and need to learn more

edit : btw thanks for the pojerv proxy should have used it to log packets , im testing it and it's pretty good and decent ^^

CptSky · 09/28/2012, 13:22

What I used, for my COPS v6 emulator, is a multithreading system with queues. Each thread had its in/out queue and at login the client was linked with one of a bunch of threads. So, all its I/O was sequential on the same thread, so no concurrency and no locking. I tried to balance the threads, but eh. The result wasn't so great. So, the biggest problem was that some players were getting big latency if one was flooding on their thread.