Jump to content

[Exploit + fix]Lets hack: Stack subclass skills ( Race condition exploit ).


Recommended Posts

Posted

It fell under my notice some weeks ago, credits to the one that told me in msn. Instead of just telling you how to do the exploit, ill go into a bit more details for those interested into understanding the mechanisms behind the exploits of that kind ( called race condition exploits ). Now since i got informed that the serious servers ( l2inc bla bla ) have it fixed (in private), i assume it wont do that much harm to share it. Plus , ill post guidelines for fixing it.

 

Where does it work ?

 

Kinda everywhere atm. Both L2JServer and L2JFree and all their forks ( and all the chroncles ).

 

What do you need ?

 

1)A bit slow server, pick one that has lots of ppl online and is during its peak hour. Probably at early night for EU.

2)Auto-learn of skills enabled.

3)A way to get level-up when you are able to change subclass.

 

How to do the exploit ?

 

1)Get in the subclass you want to get the illegal skills from.

2)Get a mob that has enough exp reward to increase your level, to the desired level where  you auto-learn the desired skills.

3)Kill the mob and on the same time, as fast as you can click on change subclass to your main.

4)If all went right, your main class will have the newly learned skills of the subclass.

 

How does it work ?

 

This is an exploit that belongs to a more wide category of exploits called race conditions. A race condition happens when two threads ( for simplicity , think of just 2 CPU cores ) try to access the same resources ( skills , items bla bla ) at the same time. This produces strange results at the outcome of one or both of the threads handing the resources. Take for example the following:

 

public class task1 implements Runnable
{
public void run()
{
vulnerableClass.check = false;
}
}

public class task2 implements Runnable
{
public void run()
{
if(vulnerableClass.check)
System.out.println(vulnerableClass.ckeck);
}
}

public class MainClass{

ScheduleGeneral(new task2());
ScheduleGeneral(new task1());
}

 

Now what will the System.out.println print out ? True or false ? Its code says, if check is true, print check. So you expect it to print true. It wont. And heres the why. Think of the two CPU cores we talked before , they run task1 and task2. Task2 enters the if check, finds the variable being true and procceeds. But before it can complete the system output in the console, the other task, task1 changes the variable to false. This is called a race condition. Something similar (not that much) happens when you do the subclass exploit.

 

1)You send the Action packet which kills the mob. CPU processes that packet and starts calculating SkillLearn objects etc. Before it can finish and add you those SkillLearn objects ( ill say it very simple ) the other packet, (RequestBypassToServer) changes your subclass to the new one. After the subclass gets changed, the new skills get added. Not that much acurate, but you kinda get the idea on how it works.

 

PS: Based on that, since l2jfree keeps a PacketQueue for each gameClient, it wont allow you to execute both packets at the same time. No problem, get a person in party, and make him kill the mob at the same time you press change subclass. That way the packets execute in parallel avoiding the sequencial execution restriction l2jfree implements. Thats an assumpion, i didnt test yet in l2jfree, but i assume it will work.

 

Tested in :

L2Nitro ( interlude crap ).

L2Idol (L2JServer freya ).

 

You may need multiple tries if the server is fast enough. But you will get it finally. Took me about 5-6 tries to stack them in l2idol.

 

 

Posted

Bump. Since i already found some people using their new weapon in their servers and none even cared to reply, i found it rude that i come here and actually get into the pain to explain you what a race condition is and get no feedback and testing. So at least what you can do is give some feedback:

 

I would like someone to confirm for l2jfree if possible ... Do it with two different players in party. One kills the mob the other switches subclass, to avoid their packetqueue protection :)

Posted

So if i made it work i will take the new skills not all to the other sub?

And they stuck?

but how i gonna take the lvl and change sub ?

btw hide it for 1000 posts

Posted

So ,while changing subclasses we get skills from 60lvl(ex) sub

 

You need a good synchronisation ,plus a mob to level up once(or prolly in goddard,anyway)

 

Though i think it's already shared it here,it may be useful

Posted

Okay okay , perfect for giving explanation for the mechanism.I also doubt if some servers give you this possibility but you can "Drag" a mob in town so you can do it succesfully.

 

 

 

Hide it for 500 or more.This share is amazing.+1

Posted

If you read the exploit mechanism explanation you will figure out that paralize wont work.

 

PS2: I found a program that searches your source code for race conditions. But its expensive and cant find it cracked atm. When we find that, i believe we will get more exploits from the source code of the l2js.

Posted

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

Posted

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

 

true :D

 

 

ehhh l2j failed (A)

Posted

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

 

no, because you do not kill the mob, someone from your party does

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...