• Content Count

  • Joined

  • Days Won

  • Feedback


AlmostGood last won the day on April 25 2019

AlmostGood had the most liked content!

Community Reputation

21 Excellent


About AlmostGood

  • Rank

Profile Information

  • Current Mood
  • Gender
    Not Telling
  • Country
    Northern Mariana Islands

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. i know it will be still simple, just breakpoint on http request to their license check endpoint and traceback nop'ing everything on the way. Java is fucked by design here, my point was they did absolutely 0 effort here :P but i support your topic, L2j was always trash not worth a penny
  2. license code is 1 class in L2PCInstance, most of which is perfectly readable, string "encryption" in this form is just wasted effort as you can decrypt any value in runtime yourself, and that's if your ever needed to, here its some basic http check, basically you can trash most of it without even reading what it does xD
  3. both of these didn't do anything to protect their "license system", i mean not a lot you can do with jars but at least obfuscate names so it takes longer than 10secs to find all "license" occurrences lmao
  4. who even uses topsites in 2020, this shit is dead lmao
  5. These efforts are long gone, i would call it guessing or made up random, everything will work just so "feature" can be listed in server specs to lure new wallets.
  6. to avoid possible exploits, server should always first delete required items and then after making sure no errors occurred, give out output item at absolute end. Current off chronicles work like this on every action, in past it was random, some were correct other were wrong giving lots of way to abuse.
  7. you need to realize L2 client doesn't implement real html rendering you know from web dev. Koreans simply picked something known and simple to build own parser, which has like 20 or so common tags and few hardcoded properties. With use of client textures and occasional updates that's all they needed. There is no DOM or any tree manipulations thus no CSS. If <font> tag happens to have "color" property that's only because L2 devs needed it there at some point. There are people who mastered use of whats L2 can display, but that comes with lot of ugly hacks and trial/error, whole thing is simply limited as fuck :D
  8. i started to admire his determination in finding idiots who will believe in anything he tells them to the point of payment, that requires decent effort by itself.
  9. they have dedicated firewall solutions which doesn't have such limits like VMware NSX, where you can filter traffic on the edge but even if you run on budget, its doable with 20 rules limit and some extra code because you only need to allow connection init, once its established/related it will pass firewall, so you could setup TTL for rules to expire after 10sec and add extra msg on game start about queue when your rules set is full :D to make it smoother, i would block manual auth with login/pass and use autologin + launcher passing login data in process args.
  10. here we go again, whats the excuse this time? :D
  11. use OVHs edge firewall and own rule set with default drop all, extend L2 client to calculate some math challange before login request is attempted, send result together with some hwid/ip to aws/gcp instance which will verify it and query OVHs firewall api to allow login. Mystery of application layer "100% DDos Protection" solved.
  12. server doesn't matter here, client handle html displaying possible in GOD+ clients as these ship with embed chromium support and ingame browser window, in older trash clients it would require lot of work with client extending so can be safely assumed to never happen.
  13. in most cases you will be able to tell what antibot is used by looking for non-L2 files in /system, also size of dsetup.dll (non modified should be ~60kb), unless its something less popular, then no luck as any file can be used. Traffic encryption will be done in same place of engine.dll but antibots will most often hook that function and do own stuff inside theirs dll, so you would need to reverse chunk of (often packed) antibot to find out how encryption works - unpractical, because knowledge required to do so will let you access packets easier, before encryption/after decryption takes place. Network mitm bots are doomed nowadays :D
  14. did you really think any of these companies ever seen or touched any PFC codes users spends on them? :D when you are business you dont use customer-level products and go for B2B solutions/cooperation, that's completely another story and often out of reach if you are not big enough. In your case, look for payment gateway which includes paysafe, like G2A Pay and others
  15. from list of bugs above it cant be even called classic, not even fucking UI works whats ONE classic feature working on your pack which isn't in other shares? lmao pathetic attempt to sell air