So, after posting these in the Level2 area years ago, I now wanted to make the whole thing public. I haven't played Florensia in a long time, but at the time I stopped they still worked flawlessly.
The "encryption" mentioned always refers to the old, cheap XOR/NOT encryption Netts used; whether it is still in use, I cannot say.
As I said, it is all just theory, but it worked 100% and might still work.
The only tool I used was WPE Pro.
If you don't know how to put the theory into practice, please don't bombard me with PMs.
Sea-Mode Peer Entrance Bug
Well well,
in the Sea-Mode of Florensia Online there are several islands you can sail to, and basically every island has its own peer. When you enter one of those peers a nice packet is sent. Our friends at Netts apparently thought it unnecessary to check the player's ship position against the peer he wants to enter.
Thank god they don't check it, so we can teleport to any peer we want from any point of the map simply by sending the peer-entrance packet.
(plain)
0B 00 0E 3C 61 63 31 00 50 14 EC
<LENGTH>.2B
0B 00 == 11(dec)
<HEADER>.2B
0E 3C
<PEER_ID>.4B
61 63 31 00 == "ac1" Cardiff Island - Roxbury Peer
62 63 31 00 == "bc1" Magnel Island - Castle Hall Peer
63 63 31 00 == "cc1" Exeter Island - Glostern Peer
65 63 31 00 == "ec1" Chester Island - Cherry Town Peer
<UNKNOWN>.3B
50 14 EC
Have fun
;O
Sea-Mode Cannon Coord Bug
Heyho,
today I'd like to introduce the great Cannon Coord Bug to you, which exists in the Sea-Mode of Florensia Online.
Basically the smart company called Netts decided it was best not to check the coords the client sends when a cannon shot at a specific point is fired.
What we get is a nice bug that lets you fire your cannon at any point of the sea map.
One of those packets looks like this:
(plain)
23 00 06 0C 00 00 00 00 FF 05 00 00 00 FF FF FF FF 98 92 9F 47 2B DB 1D 48 00 00 00 00 02 00 00 00 01 0B
<LENGTH>.2B
23 00 == 35(dec)
<HEADER>.2B
06 0C
<UNKNOWN>.4B
00 00 00 00
<UNKNOWN>.1B
FF
<SHOTCOUNT?>.4B
05 00 00 00
<UNKNOWN>.4B
FF FF FF FF
<COORD_X?>.4B
98 92 9F 47
<COORD_Y?>.4B
2B DB 1D 48
<UNKNOWN>.4B
00 00 00 00
<GUN_POSITION>.4B
02 00 00 00
00 00 00 00 == FRONT GUN
02 00 00 00 == LEFT GUN
03 00 00 00 == RIGHT GUN
<UNKNOWN>.2B
01 0B
Well, this is not a bug you could abuse with WPE, that would be too messy, but perhaps it's a nice piece of info for someone who wants to try coding a hack tool or whatever.
Have fun.
Walk/Teleport-Exploit
Well, the Florensia Online walking packet is vulnerable because the server doesn't even check whether the sent coordinates are valid.
Meaning: you are standing at 8 8 8, but you send a walk packet telling the server you walk from 1 1 1 to 2 2 2, and it works.
It will look like you're teleporting.
The walk-packet has the header 05 3C, so that's what we're looking for.
Example :
(plain)
1D 00 05 3C 98 5E 1C C5 41 D6 A7 C6 04 4B 98 C4 01 00 30 20 C5 00 FC A4 C6 88 CA 99 C4
<LENGTH>.2B
1D 00 == 29(dec)
<HEADER>.2B
05 3C
<DESTINATION_X>.4B
98 5E 1C C5 == -2501,912(float)
<DESTINATION_Y>.4B
41 D6 A7 C6 == -21483,13(float)
<DESTINATION_Z>.4B
04 4B 98 C4 == -1218,344(float)
<WALKFLAG>.1B
00 == walk
01 == run
<SOURCE_X>.4B
00 30 20 C5 == -2563(float)
<SOURCE_Y>.4B
00 FC A4 C6 == -21118(float)
<SOURCE_Z>.4B
88 CA 99 C4 == -1230,329(float)
Well, I guess you can imagine by now what you can do with this packet: since there is no coordinate validation on the server side, you're able to create a 'teleport' hack.
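As an added example (my own code, not from the original post and not Netts' code), here is a small Python codec for the two position-trusting packets described above, the peer-entrance packet and the walk packet: it builds them from the documented layout, decodes the captured walk packet back into its little-endian floats, and shows the server-side check that the post says is missing. The trailing 3 bytes of the peer-entrance packet are replayed as captured because their meaning is unknown; server_accepts_walk and its max_step value are an assumed fix, not anything the game does.

```python
import math
import struct

# Layout documented in the post: <LENGTH:2B little-endian, counts itself><HEADER:2B><payload>.
PEER_HEADER = b"\x0E\x3C"
WALK_HEADER = b"\x05\x3C"
# Last 3 bytes of the captured peer-entrance packet; meaning unknown, replayed as captured.
PEER_TRAILER = b"\x50\x14\xEC"
WALK_PAYLOAD = "<fffBfff"  # dst x/y/z, WALKFLAG, src x/y/z

# The walk packet from the post (captured sample, copied from the text above).
CAPTURED_WALK = bytes.fromhex(
    "1D 00 05 3C 98 5E 1C C5 41 D6 A7 C6 04 4B 98 C4 01 "
    "00 30 20 C5 00 FC A4 C6 88 CA 99 C4"
)


def frame(header: bytes, payload: bytes) -> bytes:
    """Prepend the 2-byte length field; it includes its own two bytes."""
    body = header + payload
    return struct.pack("<H", len(body) + 2) + body


def build_peer_entrance(peer_id: str) -> bytes:
    """PEER_ID is a 3-char ASCII id ("ac1", "bc1", ...) followed by a NUL byte."""
    if len(peer_id) != 3 or not peer_id.isascii():
        raise ValueError("peer id must be 3 ASCII characters, e.g. 'ac1'")
    return frame(PEER_HEADER, peer_id.encode("ascii") + b"\x00" + PEER_TRAILER)


def build_walk(dst, src, run: bool = False) -> bytes:
    """Walk packet: destination xyz, WALKFLAG (00 walk / 01 run), claimed source xyz."""
    return frame(WALK_HEADER, struct.pack(WALK_PAYLOAD, *dst, int(run), *src))


def parse_walk(packet: bytes) -> dict:
    """Decode a walk packet after checking the length field and header."""
    (length,) = struct.unpack_from("<H", packet, 0)
    expected = 2 + len(WALK_HEADER) + struct.calcsize(WALK_PAYLOAD)  # 29 bytes
    if length != len(packet) or length != expected:
        raise ValueError(f"bad length field {length} for a {len(packet)}-byte packet")
    if packet[2:4] != WALK_HEADER:
        raise ValueError("not a walk packet")
    dx, dy, dz, flag, sx, sy, sz = struct.unpack_from(WALK_PAYLOAD, packet, 4)
    return {"dst": (dx, dy, dz), "run": bool(flag), "src": (sx, sy, sz)}


def server_accepts_walk(server_pos, packet: bytes, max_step: float = 5.0) -> bool:
    """Assumed server-side fix: ignore the client's SOURCE_* fields completely and
    compare DESTINATION_* with the position the server itself last recorded.
    max_step is an assumed tuning value, not a value from the game."""
    walk = parse_walk(packet)
    return math.dist(server_pos, walk["dst"]) <= max_step


if __name__ == "__main__":
    print(build_peer_entrance("ac1").hex(" "))
    print(parse_walk(CAPTURED_WALK))
    # The post's scenario: really at 8 8 8, claim to walk from 1 1 1 to 2 2 2.
    spoof = build_walk((2.0, 2.0, 2.0), (1.0, 1.0, 1.0))
    print("accepted without check:", True)
    print("accepted with server-side check:", server_accepts_walk((8.0, 8.0, 8.0), spoof))
```

Running it decodes the captured packet to the same values listed above (dst -2501.91 / -21483.13 / -1218.34, src -2563 / -21118 / -1230.33, WALKFLAG 01 = run) and re-encodes it byte for byte. The point of server_accepts_walk is that the client-supplied SOURCE_* triple is worthless as evidence; only the server's own record of the player's position can anchor a distance check, and the same rule applies to the peer-entrance packet (check the ship's server-side position against the peer, not whatever the client sends).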
GM-Broadcast
Structure :
<LENGTH>.2B
0C 00 == 12(dec)
<HEADER>.2B
09 0A
<CHATFLAG>.4B
00 00 00 00
(used to indicate normal, trade, party, guild chat and so on)
<MESSAGELEN>.1B
02 == 2(dec)
<MESSAGE>.MESSAGELEN
3B 4F == ";O"
<TERMINATION>.1B
00
Basically, all you have to do to write broadcasts ingame (writing in red) is to set the CHATFLAG to 01 00 00 00 (plain), which is FE FF FF FF in encrypted form. Have fun.
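As an added example (my own code, not from the post and not the game's code), the chat packet above as a builder/parser, plus the byte-wise NOT that turns the plain 01 00 00 00 flag into FE FF FF FF, and the server-side rule that fixes the bug: the broadcast flag is an authorization decision, so it has to come from the session's role, never from a client-chosen field. The NOT transform is assumed to be applied to every byte, and server_handle_chat is an assumed fix.

```python
import struct

CHAT_HEADER = b"\x09\x0A"
CHATFLAG_NORMAL = 0x00000000
CHATFLAG_BROADCAST = 0x00000001  # the value the post says produces a red GM broadcast


def encrypt_not(data: bytes) -> bytes:
    """The 'encryption' the post refers to: bitwise NOT of each byte. It is its own
    inverse, so the same function decrypts. Assumed to apply per byte to the whole buffer."""
    return bytes(b ^ 0xFF for b in data)


def build_chat(message: bytes, chat_flag: int = CHATFLAG_NORMAL) -> bytes:
    """<LENGTH:2B><HEADER 09 0A><CHATFLAG:4B><MESSAGELEN:1B><MESSAGE><00>"""
    if len(message) > 0xFF:
        raise ValueError("MESSAGELEN is a single byte")
    body = CHAT_HEADER + struct.pack("<I", chat_flag) + bytes([len(message)]) + message + b"\x00"
    return struct.pack("<H", len(body) + 2) + body


def parse_chat(packet: bytes) -> tuple:
    """Return (chat_flag, message) after checking that LENGTH, MESSAGELEN and the
    terminator agree; a mismatch is rejected rather than guessed at."""
    (length,) = struct.unpack_from("<H", packet, 0)
    if length != len(packet) or packet[2:4] != CHAT_HEADER:
        raise ValueError("not a well-formed chat packet")
    (flag,) = struct.unpack_from("<I", packet, 4)
    msg_len = packet[8]
    if 9 + msg_len + 1 != length or packet[9 + msg_len] != 0:
        raise ValueError("MESSAGELEN disagrees with LENGTH or terminator missing")
    return flag, packet[9:9 + msg_len]


def server_handle_chat(session_is_gm: bool, packet: bytes) -> str:
    """Assumed server-side fix: the client may ask for a broadcast, but whether it gets
    one depends on the role the server stored for the session, not on CHATFLAG alone."""
    flag, _message = parse_chat(packet)
    if flag == CHATFLAG_BROADCAST and not session_is_gm:
        return "rejected: broadcast flag from non-GM session"
    return "broadcast" if flag == CHATFLAG_BROADCAST else "chat"


if __name__ == "__main__":
    plain = build_chat(b";O")                      # the packet shown in the post
    print(plain.hex(" "))                           # 0c 00 09 0a 00 00 00 00 02 3b 4f 00
    red = build_chat(b";O", CHATFLAG_BROADCAST)
    print(encrypt_not(red).hex(" "))                # flag field becomes fe ff ff ff
    print(server_handle_chat(False, red))           # rejected
    print(server_handle_chat(True, red))            # broadcast
```

Whether the real server applies the NOT to the whole packet or only to parts of it is not stated in the post; the function above treats the whole buffer uniformly, which is what makes 01 00 00 00 appear as FE FF FF FF on the wire.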