Answer to How PWI is exploited

ntrceptr · 09/23/2011, 00:14

You can send yourself most items via the jones blessing website.
Build yourself a webproxy that changes the ITEMID= within the URL POST request and viola ...... here are the items i know work.

Getting a proxy that does this is up to you...i just provide the info.

28098 Demon/Sage Event Card (50 Event Gold)
31129 Shadow Fox Mount
27999 White Sage Tiger Mount
24725 Scroll of Tome (love up and Down / other tomes)
25150 Wing Trophy Lunar Glade
23972 Cube of Fate Stamp (Neck)
25151 Warsong Marshall Badge (Belt)
23251 Lunar Glade Insignia Ornament (Rings)
18813 Excitement Card (5 mil coins)
30991 Gift Tag - Garnet
30992 Gift Tag - Primeval
31133 Uncanny Ticket (1 uncanny)
31132 Rapture Ticket (1 Rapture)
15049 (+12) Dragon Flame Orb
27761 VIP Diamond Ticket (10 Lucky Coral)
28350 Medal Of Glory
28641 Gen. Summer Token

ppjdee · 09/23/2011, 00:48

thought they put a stop to that?

~~amineurin~~ · 09/23/2011, 00:58

i hope this info came out, after they fix it.
if not, im for deleting the post.
botting is the one, but this...ruin really the game.

so rumors why +11/+12 was so fast out the shop....were true.

ppjdee · 09/23/2011, 03:07

yea im 99% sure the fb and dq pages have already been fixed.

~~amineurin~~ · 09/23/2011, 03:45

nope, i take a look in the code of the pages.
jb has crypted item id "it seams" for me, since it nots the id from database.
dq page has normal item ids inside the javascript, like the ids from database.

i did not check the exploit and wont be doing this.
i would love to have some great items like love up and down...but not this way.

for me botting is only to not spend real money to the game.
but this...is like buying a game, use from 1 time a cheat and play the game in 1 hour.
wasted time...

ppjdee · 09/23/2011, 05:30

yea i agree if this was abused it would be pointless even log onto the game the next day. and i hope they get this corrected soon. it could ruin the game (more than it is)

~~omarranimado~~ · 09/23/2011, 20:10

nice, thx4 info!

lkdrake · 09/24/2011, 11:20

thanks for the info but for *** sake explain how exlactly i can do that

Tryied to searsh for it everywhere tryied to find the ID i should change but was not able to find it please someone explain before it get fixed

its the best Exploit EVER
___________________
Ok after a few trys found some information:

First:

After login on both facebook and ur acc and get to choice the Jones Blessing Item

On google chrome u click Right mouse botton and go to Check Html Source,

there u may find the Jones Blessing ID

and the Box that say the Item ID number that u have chosen

so question is how do i change that Number and Send it back with the number i want?

in theory we r able to send any item to the game since the Dumb website ask for the ID of the item to send (LOL)

there u can also see server ur char etc so can anyone who is good at html do it for us?

this explain why theres more then 12 Love and Down books on Auction all with the same price

~~amineurin~~ · 09/24/2011, 14:44

^^this is fixed and hopefull never come back
and to ur question...the answer is allready in the 1 post.

Smurfin · 09/24/2011, 18:11

this exploit was known surfaced only recently, but the Jones Blessing website was already up for quite a long time, do you ppl think many of those with fully refined armors and weapons at +12 already using this since ***-knows-how-long ?

Interest07 · 09/24/2011, 18:27

Quote:

Originally Posted by Smurfin

this exploit was known surfaced only recently, but the Jones Blessing website was already up for quite a long time, do you ppl think many of those with fully refined armors and weapons at +12 already using this since ***-knows-how-long ?

I don't think a lot of them, but definitely some yeah. I mean, these things you usually don't spread around too much.

~~amineurin~~ · 09/24/2011, 20:35

the best is how easy it was, since u i never tought to change the item id in the script and see whats happend.

im realy to lazy to make a new account, farm some dragon points and see whats happend on the reward page.
maybe the items are bound to character...but some 100 eventgold cards, change to stuff to sell in the boutique can made it.
if u use ff and greasemonkey it will go fast to change the script^^

but for me, thats to easy if it work and destroy my gameplay.
i dont realy play pwi like a mmorpg, i play it more like a financial game.
makes much fun trading, with botting i get some stuff to sell and the needed money to start selling good stuff.

but days later, its unbelivable for me...what the monkey had coded there -.-

ps: Interest07, u can plz help me out with the packet number for buy/sell to catshop

?

Interest07 · 09/24/2011, 22:24

Quote:

Originally Posted by amineurin

the best is how easy it was, since u i never tought to change the item id in the script and see whats happend.

im realy to lazy to make a new account, farm some dragon points and see whats happend on the reward page.
maybe the items are bound to character...but some 100 eventgold cards, change to stuff to sell in the boutique can made it.
if u use ff and greasemonkey it will go fast to change the script^^

but for me, thats to easy if it work and destroy my gameplay.
i dont realy play pwi like a mmorpg, i play it more like a financial game.
makes much fun trading, with botting i get some stuff to sell and the needed money to start selling good stuff.

but days later, its unbelivable for me...what the monkey had coded there -.-

ps: Interest07, u can plz help me out with the packet number for buy/sell to catshop ?

Yeah, i got em somewher ein my catshop bot I'll dig em up later

Code:

        private int sellSingleCatShopItemAddress;
        private byte[] sellSingleCatShopItemAddressRev;
        private byte[] sellSingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x15, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0xA8, 0x00, 0x50, 0x39,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00,                 //shopIndex
            0x00, 0x00,                 //inv index
            0x00, 0x00                    //amount
        };

        public void sellSingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId, short invIndex)
        {
            //Get size of the packet
            int packetSize = sellSingleCatShopItemPkt.Length;

            if (sellSingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(sellSingleCatShopItemPkt, ref sellSingleCatShopItemAddress, ref sellSingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 30, shopIndexRev);

            byte[] invIndexRev = BitConverter.GetBytes(invIndex);
            invIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 32, invIndexRev);



            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, sellSingleCatShopItemAddress + 34, amountRev);
            sendPacket(sellSingleCatShopItemAddressRev, packetSize);
        }


        private int buySingleCatShopItemAddress;
        private byte[] buySingleCatShopItemAddressRev;
        private byte[] buySingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x13, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00, 0x00, 0x00,      //shopIndex
            0x00, 0x00                    //amount
        };

        public void buySingleCatShopItem(int typeId, int shopIndex, short amount, int catShopId)
        {
            //Get size of the packet
            int packetSize = buySingleCatShopItemPkt.Length;

            if (buySingleCatShopItemAddress == 0)
            {
                //load packet in memory
                loadPacket(buySingleCatShopItemPkt, ref buySingleCatShopItemAddress, ref buySingleCatShopItemAddressRev);
            }
            byte[] catShopIdRev = BitConverter.GetBytes(catShopId);
            catShopIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 10, catShopIdRev);

            byte[] typeIdRev = BitConverter.GetBytes(typeId);
            typeIdRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 26, typeIdRev);

            byte[] shopIndexRev = BitConverter.GetBytes(shopIndex);
            shopIndexRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 30, shopIndexRev);

            byte[] amountRev = BitConverter.GetBytes(amount);
            amountRev.Reverse();
            MemFunctions.MemWriteBytes(pr_processHandle, buySingleCatShopItemAddress + 34, amountRev);
            sendPacket(buySingleCatShopItemAddressRev, packetSize);
        }

~~amineurin~~ · 09/25/2011, 22:27

thank you

for the comments too, now i understand a bit more!
first i see the number lets say: 2500131A as the packet number only, for a special case.

Quote:

0x25, 0x00, //Header
0x13, 0x00, 0x00, 0x00, //npcInteraction type
0x1A, 0x00, 0x00, 0x00, //nBytes following

in this case for now i see 13 is the one for selling and 15 for buying.
theres a header and more and not only a number command in all.

to bad, now i have to wait a week to test it all.
monday is coming...work, work and work

Shareen · 09/26/2011, 14:39

Quote:

Originally Posted by Interest07

Code:

        private int sellSingleCatShopItemAddress;
        private byte[] sellSingleCatShopItemAddressRev;
        private byte[] sellSingleCatShopItemPkt = new byte[] 
        { 
            0x25, 0x00,                 //Header
            0x15, 0x00, 0x00, 0x00,     //npcInteraction type
            0x1A, 0x00, 0x00, 0x00,      //nBytes following
            0x00, 0x00, 0x00, 0x00,     //catshopId [player + C4C]
            0x00, 0x00, 0x00, 0x00,
            0xA8, 0x00, 0x50, 0x39,
            0x01, 0x00, 0x00, 0x00,      //nItems Sold
            0x00, 0x00, 0x00, 0x00,      //typeId
            0x00, 0x00,                 //shopIndex
            0x00, 0x00,                 //inv index
            0x00, 0x00                    //amount
        };

There seems to be a comment missing for the line:
0xA8, 0x00, 0x50, 0x39

Just in case you happen to know what it is, it differs from value in my packet dumps and I can't map it to any known values.