Exploit Dupe Increase Counted Items [Verrry Hoot]

[ahmetozgur]

I feel like a retard because i didn'T get it actually.. Because u use N01 n0 etc. wtf which char is it my mind blown xD

[PowPanda]

Nice one! I didnt test it but im sure 99% that its working cuz i played a few servers and some players had unlimited vote/farm items etc.

They said that they hack it but i didnt believe them ( cuz i thought they cant hack database).

Well thanks i will try it soon!

[text]

Hello guys , I'd like to share with you one intresting dupe.

 

 

In what we need? (In offline trade)

1 – Windows XP(better)

2 – Hide toolz (in some case)

3- Kill GGuard (also if you have the problems)

Items dupe

What to do?

 

Run l2phx , run game. For dupe we need in 2 la2 boxes.

We will dupe counting items, in my case Donate coins.

 

IMPORTANT!!! We must have at least  5 items!!!

 

1)Char №1 must give trade to char №2 , and give him 1 donate coin.

2)Char N1 must sit on selling, char №2 must buy 1 donate coin.

 

Catch packet like this

 

79 46 92 03 10 01 00 00 00 66 B8 04 10 01 00 00 00 01 00 00 00

 

,where

46 92 03 10 - ОID char

66 B8 04 10 - OID item

01 00 00 00 - price! 

3) Char №2 give back to char №1 1 boughted item.

(it’s look like char  №1 - 4 items, and char №2 – 1 item)

 

Next, char №1 make relog till the window , where we can choose character by which one we would like to login.

 

NOW! For dupe we need in script.

 

begin
if FromClient and (pck[1]=#$03) then pck:=#$30
end.

Open ph, "automatisation" - "scripts", and add script.

When you complete it, tick it. And log in by character  №1 in game.

Yoy must see something like this.

 

Char officially not in game. But we online.There is 1 minus – we couldn’t move , but we could sit on selling and write to PM.

 

Stay to selling Donate Coins, and together you mus add any item  (for exaple Tutorial Guide book). Sit down to offline trade.

 

Open new window of Lineage 2. Log in to charecter №1. Enter till CHOOSING OF CHAR! Turn off the script in L2phx. And log in game. (After log in you will get invisible + antitarget)

 

Now let’s configurate catched  packet(On chars on which I make test , I have  char №1 - 8199 Don.Coin, char  №2 – 1 Don.Coin)

 

Was:

 

79 46 92 03 10 01 00 00 00 66 B8 04 10 01 00 00 00 01 00 00 00

 

Will  be

79 46 92 03 10 01 00 00 00 66 B8 04 10 06 20 00 00 01 00 00 00

 

06 20 00 00 - 8198 Donate Coins

 

We will buy all items -1 !

 

Send it , and we will seen:

Char  №2purchase  items from char№1) but in window with char  №2 we wouldn’t see that we bought something…

http://i003.radikal.ru/1108/9b/5af525b85dd8.jpg[/img]

------------------------------------------------------------------------------------------------------------------------------------

 

Washing off:

 

On every char we must delete by  1 item and Importand! 1stly by char №1 , and after by char №2 make relog.

Enter in game , and we will see that items - DUPED.

 

------------------------------------------------------------------------------------------------------------------------------------

 

By this way you can dupe - items, which can be traded. Weapon (tide off :drawing CA- drawing out СА), and parts of А armor (Seald – unseald )

 

------------------------------------------------------------------------------------------------------------------------------------

 

Bypassing FIX, if on server offline trade with command .offline or smt. else:

 

1 - Char №2 must write in game (NOT sitting in trading!!!!) command of offline selling. Catch packet(for example such packet 74 00 00 00 00 01 00 00 00 25 11 0B 10 01 00 00 00 01 00 00 00 )

2 Char №1 enter in game with script. And sit on selling. But instead of writing command of offline trade , we must send PACKET!

Also we could use it, if for offline trade on server used scrolls. Catch packe and..by steps.

************************************************** ******************************

**************************

Adena dupe

Meaning the same.Also this script and other.

BUT! In this case we will sit on offline BUYING! NOT SELLING!!

We have :

Char A and Char

On char А --- 1кк adena +++ 1к of arrows

On char  Б --- minimum adena and 2 orrows

Char А must sit on buying ARROWS (ON BUYING!!!!) 999к999 aden

Char B sell him  1 arrow.

Char Б give back 999к999 aden to char  А

Char А make relog, enter in game with script. Sit on offline trade buying 1 arrow per 999к999. Next enter to the game by fake char.

Char B send packet .

Washing off by the same way. Char А delete 1 adena, and char B delete 1 adena.

RELOG and voila –adena is duped!!.

 

(Working everywhere , where offline trade!!!!! 99% of server is work!)

 

(In case , when you enter in game with this script , you get black window, what to do?

Solution:

Send the packet on buying\selling

 

74 00 00 00 00 01 00 00 00 68 62 18 40 01 00 00 00 01 00 00 00

 

 

 

 

Tested on lin2crazy.ru online 1к

 

There is video : http://adf.ly/4Qjqb

 

this is not how dupe is going on :)

[Pere]

For admins who have custom shits to trade items, you're still vulnerable to this.

 

There are 2 different fixes to that, only 1 should be enough but of course I applied both:

 

Part 1:

This works only with stackable items, and that's because when someone trades all of one stackable item to someone who doesn't have it, the item instance is just moved. That's error-prone, up to the point in which someone can cheat the server and make it believe that the same item exists in 2 different inventories. For stackable items that's too risky, so let's just avoid it.

Look for a line of code like this in ItemContainer.java:

			// If possible, move entire item object
			if (sourceitem.getCount() == count && targetitem == null)

and change it to:

			// If possible, move entire item object
			if (sourceitem.getCount() == count && targetitem == null && !sourceitem.isStackable())

That way we will always destroy the original item and create a new one (only if it's stackable), which makes sure that the object id is "refreshed" and cannot be used afterwards, so even if you don't apply the part 2 fix nothing bad should be happening.

 

Part 2:

This depends entirely on your custom code. Just make sure to check every single item movement with the l2j function L2PcInstance.checkItemManipulation(int objectId, long count, String action). If it returns null that means that the player who is trying to use the item with the given object id shouldn't be able to, so just abort the code (log cheat attempt and return).

So even if someone got to make our server believe that the same item is in 2 different inventories, every single item knows who is its owner, so one of both cannot be its owner, so this checks returns null and he's detected ;)

 

I hope that helps!

[koksas]

Not working your fix

[Pere]

Not working your fix

 

I wouldn't have posted this here without having tested it by myself. Try harder or care to elaborate.

[Cray-Z]

haha working

[Ayami-]

For admins who have custom shits to trade items, you're still vulnerable to this.

 

There are 2 different fixes to that, only 1 should be enough but of course I applied both:

 

Part 1:

This works only with stackable items, and that's because when someone trades all of one stackable item to someone who doesn't have it, the item instance is just moved. That's error-prone, up to the point in which someone can cheat the server and make it believe that the same item exists in 2 different inventories. For stackable items that's too risky, so let's just avoid it.

Look for a line of code like this in ItemContainer.java:

			// If possible, move entire item object
			if (sourceitem.getCount() == count && targetitem == null)

and change it to:

			// If possible, move entire item object
			if (sourceitem.getCount() == count && targetitem == null && !sourceitem.isStackable())

That way we will always destroy the original item and create a new one (only if it's stackable), which makes sure that the object id is "refreshed" and cannot be used afterwards, so even if you don't apply the part 2 fix nothing bad should be happening.

 

Part 2:

This depends entirely on your custom code. Just make sure to check every single item movement with the l2j function L2PcInstance.checkItemManipulation(int objectId, long count, String action). If it returns null that means that the player who is trying to use the item with the given object id shouldn't be able to, so just abort the code (log cheat attempt and return).

So even if someone got to make our server believe that the same item is in 2 different inventories, every single item knows who is its owner, so one of both cannot be its owner, so this checks returns null and he's detected ;)

 

I hope that helps!

Your fix works and thank you!

Edited January 22, 2015 by Ayami-

[DeMeNs0s]

 

begin
if FromClient and (pck[1]=#$03) then pck:=#$30
end.

Could someone explain what that code does?

Edited March 12, 2015 by DeMeNs0s

[koksas]

Tested. In l2java.com works. More servers someone know where it working ?

[PaulVanDyke]

Works in hi5?

[LordRailan]

Any video to explain better?

I trying to do this in a server without protection, and fail

[LordRailan]

Doesn't work on l2Java

[Nasif]

this hack working?

[xblablax]

when i'm doing the re-log, i see black screen, but i can't see my char...