[Exploit-Discussion] Consignment Item Duplication [Dupes]

[​Exo]

Hey there,
Just as the title says, there's an exploit/bug whatever you wanna call it that apparently lets you dupe your items. Sadly, I don't know what kind of dupe, is it just desyncing so you can use that item to scam or you get a completely legit item. Information isn't completely available.

Tried injecting buys/registers/settlements with fake/invalid data and errors are working fine (some causing disconnections).

Here're some information that might help you if you decide to help in this investigation^^

Client references:

 Spoiler

Code:

005CC6E3   PUSH sro_clie.00D94610                    UNICODE "UIIT_STT_OPEN_MARKET_ITEM_SEARCH"
005CC773   PUSH sro_clie.00D94658                    UNICODE "UIIT_STT_OPEN_MARKET_ITEM_ENTER"
005CC803   PUSH sro_clie.00D94698                    UNICODE "UIIT_STT_OPEN_MARKET_ITEM_CALCULATE"
005CC95F   PUSH sro_clie.00D94758                    UNICODE "UIIT_STT_OPEN_MARKET_SEARCH"
005CC9DC   PUSH sro_clie.00D94720                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER"
005CCA4D   PUSH sro_clie.00D946E0                    UNICODE "UIIT_STT_OPEN_MARKET_CALCULATE"
005CCB3D   PUSH sro_clie.00D94610                    UNICODE "UIIT_STT_OPEN_MARKET_ITEM_SEARCH"
005DE007   PUSH sro_clie.00D94F6C                    UNICODE "UIIT_MSG_OPEN_MARKET_ENTER"
005DE05C   PUSH sro_clie.00D94F30                    UNICODE "UIIT_MSG_OPEN_MARKET_WARNING"
005DEDE7   PUSH sro_clie.00D95090                    UNICODE "UIIT_STT_OPEN_MARKET_TEMP_ENTER_CANCEL_ALL"
005DEE20   PUSH sro_clie.00D95040                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER_CANCEL_ALL"
005DEE70   PUSH sro_clie.00D94FF8                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER_CANCEL"
005DEED5   PUSH sro_clie.00D94FA8                    UNICODE "UIIT_STT_OPEN_MARKET_TEMP_ENTER_CANCEL"
005E3486   PUSH sro_clie.00D95108                    UNICODE "UIIT_STT_OPEN_MARKET_ADD_ENTERD_ERROR"
005E34F6   PUSH sro_clie.00D95190                    UNICODE "UIIT_STT_OPEN_MARKET_SELL_IMPOSSIBLE"
005E3DE9   PUSH sro_clie.00D951E0                    UNICODE "UIIT_STT_OPEN_MARKET_CHECKBOX_ERROR"
005E6A92   PUSH sro_clie.00D95340                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER_PAGE_ERROR"
005F2E5F   PUSH sro_clie.00D95788                    UNICODE "UIIT_STT_OPEN_MARKET_MIN_TEXT_ERROR"
005F2EB8   PUSH sro_clie.00D95748                    UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR"
005F3053   PUSH sro_clie.00D95748                    UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR"
005F3E53   PUSH sro_clie.00D9594C                    UNICODE "UIIT_STT_OPEN_MARKET_WAITING"
005F41EE   PUSH sro_clie.00D95A98                    UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_DELETE_WAIT"
005F4249   PUSH sro_clie.00D95A20                    UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_TRADE_FINISH"
005F42A3   PUSH sro_clie.00D959C0                    UNICODE "UIIT_STT_OPEN_MARKET_ANNOUNCING_UI_TRADE_ENTER"
005F52AA   PUSH sro_clie.00D95E3C                    UNICODE "UIIT_STT_OPEN_MARKET_TIME_OVER"
007B9D16   PUSH sro_clie.00DC2D78                    UNICODE "UIIT_MSG_FLEAMARKET_ERR_CANT_OPEN_MARKET_IN_RIDESTATE"
007B9D2A   PUSH sro_clie.00DC2CB0                    UNICODE "UIIT_MSG_FLEAMARKET_ERR_CANT_OPEN_MARKET_MURDERER"
007BB21A   PUSH sro_clie.00D95340                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER_PAGE_ERROR"
007BB224   PUSH sro_clie.00DBDFC8                    UNICODE "UIIT_STT_OPEN_MARKET_ENTER_ERROR"
007BB22E   PUSH sro_clie.00D95190                    UNICODE "UIIT_STT_OPEN_MARKET_SELL_IMPOSSIBLE"
007BB24C   PUSH sro_clie.00DBDF50                    UNICODE "UIIT_STT_OPEN_MARKET_BUYING_ERROR"
007BB256   PUSH sro_clie.00D95748                    UNICODE "UIIT_STT_OPEN_MARKET_FIND_ERROR"
007BB260   PUSH sro_clie.00DBDF00                    UNICODE "UIIT_STT_OPEN_MARKET_COST_OVER_ERROR"
007BB26A   PUSH sro_clie.00DBDEC0                    UNICODE "UIIT_STT_OPEN_MARKET_TEXT_ERROR"
007BB271   PUSH sro_clie.00DBDE68                    UNICODE "UIIT_STT_OPEN_MARKET_RECEIPTED_ITEM_ERROR"
007BB278   PUSH sro_clie.00DBDE18                    UNICODE "UIIT_STT_OPEN_MARKET_CANCEL_ITEM_ERROR"
007BB27F   PUSH sro_clie.00D95788                    UNICODE "UIIT_STT_OPEN_MARKET_MIN_TEXT_ERROR"
007BB286   PUSH sro_clie.00DBDDC8                    UNICODE "UIIT_STT_OPEN_MARKET_ENTERD_PET_ERROR"
0089ACB3   PUSH sro_clie.00DDD618                    UNICODE "UIIT_STT_OPEN_MARKET_SELL_COMMODITY"
008A35E6   PUSH sro_clie.00DDE660                    UNICODE "UIIT_STT_OPEN_MARKET_ITEM_DELETE"
008A36A0   PUSH sro_clie.00DDE618                    UNICODE "UIIT_STT_OPEN_MARKET_SELL_TIME_OVER"
008A3768   PUSH sro_clie.00DDE5E0                    UNICODE "UIIT_STT_OPEN_MARKET_SELL"
008A3B60   PUSH sro_clie.00DDE618                    UNICODE "UIIT_STT_OPEN_MARKET_SELL_TIME_OVER"
008A3C10   PUSH sro_clie.00DDE728                    UNICODE "UIIT_STT_OPEN_MARKET_DELETE_WARNING"
008A3D77   PUSH sro_clie.00DDE5E0                    UNICODE "UIIT_STT_OPEN_MARKET_SELL"
008A3E27   PUSH sro_clie.00DDE728                    UNICODE "UIIT_STT_OPEN_MARKET_DELETE_WARNING"

GameServer references:

 Spoiler

Code:

00452569   PUSH SR_GameS.00AE3B98                    ASCII "AQ_OpenMarket::DoWorkInsert"
004525D6   PUSH SR_GameS.00AE3B98                    ASCII "AQ_OpenMarket::DoWorkInsert"
0045285D   PUSH SR_GameS.00AE3C04                    ASCII "AQ_OpenMarket::DoWorkCancle"
004528CA   PUSH SR_GameS.00AE3C04                    ASCII "AQ_OpenMarket::DoWorkCancle"
00452B55   PUSH SR_GameS.00AE3C20                    ASCII "AQ_OpenMarket::DoWorkPurchase"
00452C0B   PUSH SR_GameS.00AE3C20                    ASCII "AQ_OpenMarket::DoWorkPurchase"
00452C88   PUSH SR_GameS.00AE3C20                    ASCII "AQ_OpenMarket::DoWorkPurchase"
00452DF0   PUSH SR_GameS.00AE3C88                    ASCII "LOADTARGET__OPEN_MARKET_SELECT Get Table Failed (%d)"
00452E74   PUSH SR_GameS.00AE3CC0                    ASCII "LOADTARGET__OPEN_MARKET_SELECT Get DB_RECORDS Failed (%d)"
00452F0D   PUSH SR_GameS.00AE3CFC                    ASCII "LOADTARGET__OPEN_MARKET_SEARCH Get Table Failed (%d)"
00452F77   PUSH SR_GameS.00AE3D34                    ASCII "LOADTARGET__OPEN_MARKET_SEARCH Get DB_RECORDS Failed (%d)"
0045318A   PUSH SR_GameS.00AE3D70                    ASCII "D:\WORK2005\Source\SilkroadOnline\Server\SR_GameServer\AsyncQuery_OpenMarket.cpp"
0045318F   PUSH SR_GameS.00AE3DC4                    ASCII "AQ_OpenMarket::DoWorkReceipt"
004531FC   PUSH SR_GameS.00AE3DC4                    ASCII "AQ_OpenMarket::DoWorkReceipt"
00453418   PUSH SR_GameS.00AE3DE4                    ASCII "AQ_OpenMarket::DoWorkUpdate"
00453484   PUSH SR_GameS.00AE3DE4                    ASCII "AQ_OpenMarket::DoWorkUpdate"
004546A8   PUSH SR_GameS.00AE4230                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket"
00454723   PUSH SR_GameS.00AE4230                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket"
00454802   PUSH SR_GameS.00AE4230                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_OMarket"
00454B02   PUSH SR_GameS.00AE4404                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory"
00454B7D   PUSH SR_GameS.00AE4404                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory"
00454C5C   PUSH SR_GameS.00AE4404                    ASCII "AQ_OpenMarket::_DoWork_Select__Items_With_Inventory"
00454DFD   PUSH SR_GameS.00AE4438                    ASCII "AQ_OpenMarket::_DoWork_Update_Gold"
00455250   PUSH SR_GameS.00AE3B88                    ASCII "AQ_OpenMarket"
0045525F   MOV EAX,SR_GameS.00AE3B88                 ASCII "AQ_OpenMarket"
00455273   PUSH SR_GameS.00AE3B88                    ASCII "AQ_OpenMarket"
00477621   PUSH SR_GameS.00AE68BC                    ASCII "openmarket_goods"
00477681   PUSH SR_GameS.00AE68D0                    ASCII "OpenMarketContext"
00477E22   PUSH SR_GameS.00AE68E4                    ASCII "OpenMarketContext::EraseItem"
00478414   PUSH SR_GameS.00AE6964                    ASCII "COpenMarketAgent::PutoutItemWithDBIDX"
00478542   PUSH SR_GameS.00AE6964                    ASCII "COpenMarketAgent::PutoutItemWithDBIDX"
00478566   PUSH SR_GameS.00AE6964                    ASCII "COpenMarketAgent::PutoutItemWithDBIDX"
0047872C   PUSH SR_GameS.00AE6A58                    ASCII "COpenMarketAgent::PutoutItemOverTime"
00478791   PUSH SR_GameS.00AE6A58                    ASCII "COpenMarketAgent::PutoutItemOverTime"
004787CB   PUSH SR_GameS.00AE6A58                    ASCII "COpenMarketAgent::PutoutItemOverTime"
00479047   PUSH SR_GameS.00AE6B50                    ASCII "COpenMarketMgr::OnPutonGoodsReq"
00479177   PUSH SR_GameS.00AE6B50                    ASCII "COpenMarketMgr::OnPutonGoodsReq"
0047930A   PUSH SR_GameS.00AE6C18                    ASCII "COpenMarketMgr::OnPutoutGoodsReq"
00479576   PUSH SR_GameS.00AE6C3C                    ASCII "COpenMarketMgr::OnPurchaseGoodsReq"
0047982B   PUSH SR_GameS.00AE6C60                    ASCII "COpenMarketMgr::OnSearchReq"
00479B02   PUSH SR_GameS.00AE6CCC                    ASCII "COpenMarketMgr::OnGoodsDetailDataReq"
00479D67   PUSH SR_GameS.00AE6CF4                    ASCII "COpenMarketMgr::OnReceiptReq"
0047A279   PUSH SR_GameS.00AE6D14                    ASCII "COpenMarketMgr::OnRELAY_OPEN_MARKET_SOLD_ITEM_NOTICE"
0047A322   PUSH SR_GameS.00AE6D98                    ASCII "COpenMarketMgr::UpdateOpenMarketGoods"
0047A5FC   PUSH SR_GameS.00AE6DEC                    ASCII "COpenMarketMgr::CheckSetFeePayable"
0047AC7F   PUSH SR_GameS.00AE6E54                    ASCII "COpenMarketMgr::CheckPutonItemList"
0047ACEA   PUSH SR_GameS.00AE6E54                    ASCII "COpenMarketMgr::CheckPutonItemList"
0047B26B   PUSH SR_GameS.00AE6F2C                    ASCII "COpenMarketMgr::PostAsyncQeury"
0047B2A1   PUSH SR_GameS.00AE6F2C                    ASCII "COpenMarketMgr::PostAsyncQeury"
0047B324   PUSH SR_GameS.00AE7018                    ASCII "COpenMarketMgr::AsyncQuerySucceeded"
0047B922   PUSH SR_GameS.00AE706C                    ASCII "LOADTARGET__OPEN_MARKET_SELECT Get table failed (%d)"
0047B9D2   PUSH SR_GameS.00AE70A8                    ASCII "LOADTARGET_OPENMARKET_SELECT Create openmarket search info failed"
0047BB20   PUSH SR_GameS.00AE70F0                    ASCII "LOADTARGET__OPEN_MARKET_SELECT Create OpenMarket info failed (%d)"
0047BC2C   PUSH SR_GameS.00AE7018                    ASCII "COpenMarketMgr::AsyncQuerySucceeded"
0047BC31   PUSH SR_GameS.00AE7138                    ASCII "##%s %d## QUERY_OPENMARKET_UPDATE is not logging in logDB. [Status: %d]"
0047BCB1   PUSH SR_GameS.00AE7180                    ASCII "COpenMarketMgr::AsyncQueryFailed"
0047BD4F   PUSH SR_GameS.00AE7180                    ASCII "COpenMarketMgr::AsyncQueryFailed"
0047CFC0   PUSH SR_GameS.00AE68BC                    ASCII "openmarket_goods"
0047CFCF   MOV EAX,SR_GameS.00AE68BC                 ASCII "openmarket_goods"
0047CFE3   PUSH SR_GameS.00AE68BC                    ASCII "openmarket_goods"
0047D140   PUSH SR_GameS.00AE68D0                    ASCII "OpenMarketContext"
0047D14F   MOV EAX,SR_GameS.00AE68D0                 ASCII "OpenMarketContext"
0047D163   PUSH SR_GameS.00AE68D0                    ASCII "OpenMarketContext"
004935EF   PUSH SR_GameS.00AE98B8                    ASCII "CGItemCOSSummoner::SetEngagedCOSforOpenMarket"
004935F4   PUSH SR_GameS.00AE98E8                    ASCII "##%s %d## Can not handle silk pet in OpenMarket"
004C7611   PUSH SR_GameS.00AEF3B0                    ASCII "NPC_OPEN_MARKET_JUEL"
0065553D   PUSH SR_GameS.00B04D50                    ASCII "CTJ_OpenMarketTicketKeeper::Create() Parameter has NULL Pointer"
00659950   PUSH SR_GameS.00B04D34                    ASCII "CTJ_OpenMarketTicketKeeper"
0065995F   MOV EAX,SR_GameS.00B04D34                 ASCII "CTJ_OpenMarketTicketKeeper"
00659973   PUSH SR_GameS.00B04D34                    ASCII "CTJ_OpenMarketTicketKeeper"
00730F13   PUSH SR_GameS.00B0BBB4                    ASCII "_OpenMarket"
0085FF47   PUSH SR_GameS.00B0BBB4                    ASCII "_OpenMarket"

Database calls:

 Spoiler

Code:

004536E2   PUSH SR_GameS.00AE3E00                    ASCII "{?=CALL _OpenMarket_Insert(%d,?,%d,%d,%d,%d,%d,%d,%I64d,%I64d,%d,'%d-%d-%d %d:%d:%d','%d-%d-%d %d:%d:%d',%I64d,%I64d,%I64d,%d)}"
004538CA   PUSH SR_GameS.00AE3E80                    ASCII "{?=CALL _OpenMarket_Receipt(%d,%d,%d)}"
00453ADA   PUSH SR_GameS.00AE3EA8                    ASCII "{?=CALL _OpenMarket_Cancle(%d,%d,%d,%d,%d,%I64d)}"
00453D1C   PUSH SR_GameS.00AE3EE0                    ASCII "{?=CALL _OpenMarket_Purchase(%d,%d,?,%d,%d,%d,%I64d,%d,'%d-%d-%d %d:%d:%d')}"
00453F2B   PUSH SR_GameS.00AE3F30                    ASCII "SELECT TOP 500 * FROM [dbo].[_OpenMarket] 			   WHERE TidGroupID=%d AND ItemClass=%d AND Status=%d AND (0 > DATEDIFF(minute, enddate, '%d-%d-%d %d:%d:%d')) 			   ORDER BY RegDate DESC"
00453F69   PUSH SR_GameS.00AE3FE8                    ASCII "SELECT TOP 500 * FROM [dbo].[_OpenMarket] 			   WHERE TidGroupID=%d AND Status=%d AND (0 > DATEDIFF(minute, enddate, '%d-%d-%d %d:%d:%d')) 			   ORDER BY RegDate DESC"
0045434D   PUSH SR_GameS.00AE40AC                    ASCII "{?=CALL _OpenMarket_Update(%d,%d,%d,%d,'%d-%d-%d %d:%d:%d')}"
0045461E   PUSH SR_GameS.00AE40F0                    ASCII "SELECT IT.* FROM _OpenMarket OM JOIN _ITEMS IT ON OM.ItemID=IT.ID64 													WHERE OM.JID=%d AND OM.PersnalID=%d"
00454644   PUSH SR_GameS.00AE4168                    ASCII "SELECT BIND.* FROM _OpenMarket OM JOIN _ITEMS IT ON OM.ItemID=IT.ID64 														  JOIN _BindingOptionWithItem BIND ON IT.ID64=BIND.nItemDBID 														  WHERE OM.JID=%d AND OM.PersnalID=%d"

On data request a function is being called with data found on address 00453F2B to select the items from database [on every call, so nothing is being saved in the gameserver memory as far as I checked, well ofc a dump of the data but each time a request is sent gameserver requests the data from the database].

Example of the gameserver call:

 Spoiler

PHP Code:

declare @p1 int
set @p1=0
declare @p3 int
set @p3=16388
declare @p4 int
set @p4=8193
declare @p5 int
set @p5=0
exec sp_cursoropen @p1 output,N'SELECT TOP 500 * FROM [dbo].[_OpenMarket]       WHERE TidGroupID=1 AND ItemClass=9 AND Status=0 AND (0 > DATEDIFF(minute, enddate, ''2016-4-6 16:32:3''))       ORDER BY RegDate DESC',@p3 output,@p4 output,@p5 output
select @p1, @p3, @p4, @p5
SELECT TOP 500 * FROM [dbo].[_OpenMarket]       WHERE TidGroupID=1 AND ItemClass=9 AND Status=0 AND (0 > DATEDIFF(minute, enddate, '2016-4-6 16:32:3'))       ORDER BY RegDate DESC 


Bugs found so far:
On injecting a buy request (a legit one), the item is bought but, not shown at the inventory except after a teleport.

Been trying since yesterday to find that dupe with @ since a lot of people confirmed its existence, but with no success yet.

If you have any question/information/rumors about this issue, your contribution is welcomed. The only solution people seem to have now is completely disabling consignment (that isn't cool). Consignment is a good option to have.
Thank you and happy hacking!

*Item Movement works while item is not registered yet [NPC selected].

[​Goofie​]

It's not with consignment tho, maybe there is one there as well but the DUPE I know about is in exchange and it's only a visual affect until buyer/seller teleported and the item will replace it's "icon" again.

[​Exo]

Quote:

Originally Posted by ​Goofie​

It's not with consignment tho, maybe there is one there as well but the DUPE I know about is in exchange and it's only a visual affect until buyer/seller teleported and the item will replace it's "icon" again.

Well, so far @ , @ , @ confirmed it had something to do with consignment.

[​Goofie​]

Quote:

Originally Posted by ​Exo

Well, so far @ , @ , @ confirmed it had something to do with consignment.

Do not believe it unless I see it, the exchange dupe thingy I'm aware of and have known it for 1-2 years already.

Really easy to fix if there is such a thing, just force people to Teleport after using consignment.

The exchange dupe bug works by using F12 in the middle of the exchange, try that in consignment.

By the way, you shouldn't call this an "exploit", it's a visual bug.

[​Exo]

Quote:

Originally Posted by ​Goofie​

Do not believe it unless I see it, the exchange dupe thingy I'm aware of and have known it for 1-2 years already.

Really easy to fix if there is such a thing, just force people to Teleport after using consignment.

The exchange dupe bug works by using F12 in the middle of the exchange, try that in consignment.

By the way, you shouldn't call this an "exploit", it's a visual bug.

-Not sure why 3 individuals would lie about the same topic, the only reasonable lie would be denying its existence so they can keep it a secret but that's not the case here so it makes no sense.

-Keeping that as a last resort tho.

-Ye, ik about that one and it didn't work there.

-w/e xd

[Royalblade*]

BTW ask Orchide, Skyrish or one of those people. Don't remember who it was that reported it to me first.

Saw screens as well from one of them when the **** was found out. Been around 20-30 months.

[MeGaMaX]

When you buy the item gs get the price from _Inventory table, if it failed it will return false, if its not false, it gets the char gold by the query and then update it with group char gold data = 4

[$WeGs]

Quote:

Originally Posted by MeGaMaX.

When you buy the item gs get the price from _Inventory table, if it failed it will return false, if its not false, it gets the char gold by the query and then update it with group char gold data = 4

price from _Inventory ?

[B1Q]

Quote:

Originally Posted by $WeGs

price from _Inventory ?

he probably meant _RefScrapOfPackageItem

[​Exo]

Quote:

Originally Posted by hazemooking

he probably meant _RefScrapOfPackageItem

Not sure if sarcasm or wut but nah, **** is stored mainly at _OpenMarket

[MeGaMaX]

Carp it was late night, i meant the open market system get the price from the owner then do the query for it in _Inventory table to check if the item exist or not

[B1Q]

Quote:

Originally Posted by ​Exo

Not sure if sarcasm or wut but nah, **** is stored mainly at _OpenMarket

[Deja45Vu]

I think, probably its a bug in GS, when you copy item, it is only on the server side, gameserver didnt write it into database, so therefore item disappears. After relog/teleport. character data are loaded from database.

When someone do it, check logs of this item.(especially itemID? same)

If ItemID is same, it'll be problem to fix it in procedures