Answer to How PWI is exploited

[redsnake]

I wonder if this is working on private servers? like servers that offer the same kidn of service... or was it a PWI based bug?

[Sᴡoosh]

If the private servers are stupid enough to do it in the same retarded way as PWI (not checking JSP parameters serversided), then sure...

[altivex]

<p itemid="31537" itemname="Perfect Stone" cost="50" maxqty="99" class="send ">Send</p>
we can see it in dq points...
But how to launch sending command with changed id?

[Sᴡoosh]

Use Firebug or send http manually - it will not work anymore though, how often do we need to repeat that?!

[altivex]

or chrome. ) i also tried to change the cost - it didn`t work....
Only changed things in user part(

[Zeomak]

I soooo wish I had found this topic when it still worked xD I have an extra account fo such things which I can spare if it gets banned.... To bad they fixed it. PLZ can some1 burry this thread already? It depresses me every time I see it.

[boredsauce]

need a mod to jus close this shiz lol

[to6]

So how exactly can i change the ITEMID? I made webproxy but im struggle with changing itemid xD I know it wont work but im just curious how to do it
I want to learn in other words.

<li val="28297">Jones' Blessing (+30 Atk Lvl)</li>
I found this line in the code but what i do with it? How to change it?

[Sᴡoosh]

Firebug for firefox is easiest way.

[Interest07]

Or just use javascript in the url bar to send whatever info you need to.

[Afro-Head]

Quote:

Originally Posted by Interest07

Yeah, i got em somewher ein my catshop bot I'll dig em up later

Code:

        private int sellSingleCatShopItemAddress;
        private byte[] sellSingleCatShopItemAddressRev;
        private byte[] sellSingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x15, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0xA8, 0x00, 0x50, 0x39,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00,                 //shopIndex
            0x00, 0x00,                 //inv index
            0x00, 0x00                    //amount
        };

        public void sellSingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId, short invIndex)
        {
            //Get size of the packet
            int packetSize = sellSingleCatShopItemPkt.Length;

            if (sellSingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(sellSingleCatShopItemPkt, ref sellSingleCatShopItemAddress, ref sellSingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 30, shopIndexRev);

            byte[] invIndexRev = BitConverter.GetBytes(invIndex);
            invIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 32, invIndexRev);



            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 34, amountRev);
            sendPacket(sellSingleCatShopItemAddressRev, packetSize);
        }


        private int buySingleCatShopItemAddress;
        private byte[] buySingleCatShopItemAddressRev;
        private byte[] buySingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x13, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00, 0x00, 0x00,      //shopIndex
            0x00, 0x00                    //amount
        };

        public void buySingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId)
        {
            //Get size of the packet
            int packetSize = buySingleCatShopItemPkt.Length;

            if (buySingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(buySingleCatShopItemPkt, ref buySingleCatShopItemAddress, ref buySingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 30, shopIndexRev);

            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 34, amountRev);
            sendPacket(buySingleCatShopItemAddressRev, packetSize);
        }

Maybe necro a very old Thread, but i found this while searching for some Info about the ??? in my Buy Packet research for Catshops.

Code:

2500
13000000
1C000000
F84A6451   ; ???
00000000
00000000
01000000   
9E1F0000   <- item id
00000000   <- shop index
01000000   <- amount
Size 38

That confused me:

Code:

0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]

Is that a different ID to a Player ID or did you just named it catshopId ?
Since the Hex PlayerID is different then what i found inside the Packet: F84A6451

Is "player" that the base of the selected Player ?

Would be great if some one can explain this to me, thank you.

[Shareen]

Quote:

Originally Posted by Afro-Head

Maybe necro a very old Thread, but i found this while searching for some Info about the ??? in my Buy Packet research for Catshops.

Code:

2500
13000000
1C000000
F84A6451   ; ???
00000000
00000000
01000000   
9E1F0000   <- item id
00000000   <- shop index
01000000   <- amount
Size 38

That confused me:

Code:

0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]

Is that a different ID to a Player ID or did you just named it catshopId ?
Since the Hex PlayerID is different then what i found inside the Packet: F84A6451

Is "player" that the base of the selected Player ?

Would be great if some one can explain this to me, thank you.

Yes, catshopId is different from playerId, each player has both.

Player would be the base of player, no matter how you reach it, be it via players array, current target or your own self.

Mind you, that offset for it, probably isn't up to date.

[Afro-Head]

Thank you Shareen
So it is the Base + Offset of the Player who owns the Catshop.

[Afro-Head]

Quote:

Originally Posted by Shareen

Just to finalize this discussion, I'd like to point out something else to watch for using this packet: ShopIndex

You are viewing the shop window and "Items Offered" as they called it, meaning items you can sell to shop are on the right side in their own 'group'.

Tendency would be to thus use index 0 for first item in first row, but that however isn't the case.

ShopIndex is calculated using ALL the items shop deals with, those for sale as well as those for purchase, while skipping empty slots.

Thus, in selling to cat shop, item that is located first in first row and with total items on sale being, let's say 12, ShopIndex would be: (12+1)-1. -1 is for zero indexing.

See image below to avoid confusion.

I got some Problem to calculate the right cell, maybe you can please help me out ?

Heres my Example:

Code:

;sell packet
25 00
15 00 00 00
1C 00 00 00
09 60 69 51 ; shop id
00 00 00 00
BE 00 28 8C ; [[playerBase]+0x08] and [[playerBase]+0x0A] (not needed) 
01 00 00 00 ; nItems Sold
2D 03 00 00 ; item id
16 00 07 00 ; shop index = shop cell and player inv. cell
01 00 00 00 ; amount

So Shop index is based like this:

Code:

16 00 07 00

first the Cell of the Item i want to sell in the Shop = 16 hex = count 19
last the Cell of the Item i want to sell in my Inventory = 7 hex = count 7

So i start counting like you descriped:



The Cell in the Shop to sell should be 19 = 13 hex
But in the packet from the listener it shows as 16 hex = count 22 and with hex 13 it wont work

Maybe the Cell counting is changed meanwhile ?

Edit:
I try on other Shop:
He is selling 10 Items.
I sell the first Item in his Buy Cell to him, Results 0A hex = 10 cell count
So your Description is Right (10 items selling -1 = first item buying cell = 1+9)

But why is in the Shop i tested before the Cell 16 hex = 22 count and not 13 hex = 19 count.
The Shop has no 22 Cells with Items and the Item i like to sell is on count 19.

Quote:

Originally Posted by Interest07

oh yeah, and something to pay attention to:
say originally a shop sets up with item X at slot 0 and item Y at slot 1.
Someone buys all of item X, now moving item Y to slot 0. When sending the packet you will still need to send shopIndex 1.

So if i understand right, the Shop started first with more Items to sell.
Some buy the Items out and the Cell Count changed for me to viewing count 19 but wen the Shop set up first, it was on Count 22 = 16 hex ?

Like dumfck say:

Quote:

Originally Posted by dumbfck

Oooh nasty... So for item Y which was in slot 1, but now in slot 0, you need to send 1? That's dangerous xD. Is this only if you don't close the shop interface? If that's always the case then those item slot IDs are pretty worthless as far as sending packets go?

And the Problem is Interest07 forget were to get the right Value ?

Quote:

Originally Posted by Interest07

Nahh, that value can be found still I forget where exactly though

So another Place to read out the real Item Count and that Info is lost

[Interest07]

Ehmm, I believe it can be found in a tiny array before you take the +0xC pointer. But it's been a long time ago since I did anything with this, you'll just have to browse the memory along the pointer chain to find it.