[Exploit + fix]Lets hack: Stack subclass skills ( Race condition exploit ).

[Xanderॐ]

It fell under my notice some weeks ago, credits to the one that told me in msn. Instead of just telling you how to do the exploit, ill go into a bit more details for those interested into understanding the mechanisms behind the exploits of that kind ( called race condition exploits ). Now since i got informed that the serious servers ( l2inc bla bla ) have it fixed (in private), i assume it wont do that much harm to share it. Plus , ill post guidelines for fixing it.

 

Where does it work ?

 

Kinda everywhere atm. Both L2JServer and L2JFree and all their forks ( and all the chroncles ).

 

What do you need ?

 

1)A bit slow server, pick one that has lots of ppl online and is during its peak hour. Probably at early night for EU.

2)Auto-learn of skills enabled.

3)A way to get level-up when you are able to change subclass.

 

How to do the exploit ?

 

1)Get in the subclass you want to get the illegal skills from.

2)Get a mob that has enough exp reward to increase your level, to the desired level where  you auto-learn the desired skills.

3)Kill the mob and on the same time, as fast as you can click on change subclass to your main.

4)If all went right, your main class will have the newly learned skills of the subclass.

 

How does it work ?

 

This is an exploit that belongs to a more wide category of exploits called race conditions. A race condition happens when two threads ( for simplicity , think of just 2 CPU cores ) try to access the same resources ( skills , items bla bla ) at the same time. This produces strange results at the outcome of one or both of the threads handing the resources. Take for example the following:

 

public class task1 implements Runnable
{
public void run()
{
vulnerableClass.check = false;
}
}

public class task2 implements Runnable
{
public void run()
{
if(vulnerableClass.check)
System.out.println(vulnerableClass.ckeck);
}
}

public class MainClass{

ScheduleGeneral(new task2());
ScheduleGeneral(new task1());
}

 

Now what will the System.out.println print out ? True or false ? Its code says, if check is true, print check. So you expect it to print true. It wont. And heres the why. Think of the two CPU cores we talked before , they run task1 and task2. Task2 enters the if check, finds the variable being true and procceeds. But before it can complete the system output in the console, the other task, task1 changes the variable to false. This is called a race condition. Something similar (not that much) happens when you do the subclass exploit.

 

1)You send the Action packet which kills the mob. CPU processes that packet and starts calculating SkillLearn objects etc. Before it can finish and add you those SkillLearn objects ( ill say it very simple ) the other packet, (RequestBypassToServer) changes your subclass to the new one. After the subclass gets changed, the new skills get added. Not that much acurate, but you kinda get the idea on how it works.

 

PS: Based on that, since l2jfree keeps a PacketQueue for each gameClient, it wont allow you to execute both packets at the same time. No problem, get a person in party, and make him kill the mob at the same time you press change subclass. That way the packets execute in parallel avoiding the sequencial execution restriction l2jfree implements. Thats an assumpion, i didnt test yet in l2jfree, but i assume it will work.

 

Tested in :

L2Nitro ( interlude crap ).

L2Idol (L2JServer freya ).

 

You may need multiple tries if the server is fast enough. But you will get it finally. Took me about 5-6 tries to stack them in l2idol.

 

 

[Xanderॐ]

Bump. Since i already found some people using their new weapon in their servers and none even cared to reply, i found it rude that i come here and actually get into the pain to explain you what a race condition is and get no feedback and testing. So at least what you can do is give some feedback:

 

I would like someone to confirm for l2jfree if possible ... Do it with two different players in party. One kills the mob the other switches subclass, to avoid their packetqueue protection :)

[Smok3BoY]

So if i made it work i will take the new skills not all to the other sub?

And they stuck?

but how i gonna take the lvl and change sub ?

btw hide it for 1000 posts

[Reptant_]

So ,while changing subclasses we get skills from 60lvl(ex) sub

 

You need a good synchronisation ,plus a mob to level up once(or prolly in goddard,anyway)

 

Though i think it's already shared it here,it may be useful

[RєVєnGeR^]

Okay okay , perfect for giving explanation for the mechanism.I also doubt if some servers give you this possibility but you can "Drag" a mob in town so you can do it succesfully.

 

 

 

Hide it for 500 or more.This share is amazing.+1

[Agelos_DSF]

if subclass player get paralyzed?

[Xanderॐ]

If you read the exploit mechanism explanation you will figure out that paralize wont work.

 

PS2: I found a program that searches your source code for race conditions. But its expensive and cant find it cracked atm. When we find that, i believe we will get more exploits from the source code of the l2js.

[Stive]

i think it's already shared and old or something like 90% this way

[Xanderॐ]

Link it please, cause its strange that it works on all servers out there if its shared in the past. They should have fixed it.

[Theonegandalf]

Just a question: Can't we block all the bugs related to stucksub skills with the following way; When a player enters L2World, to check if he has all legal skills of his class/race, if not, ban him.

[Xanderॐ]

Yes, you can do that. But if you have donations for multi-skills ? You cant enable that option ;) (most servers do have those kind of donations , under the table ).

[mfausb]

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

[Agelos_DSF]

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

 

true :D

 

 

ehhh l2j failed (A)

[lalalalalala]

There is already an illegal skill check mechanism implemented in l2j nowadays and btw you could as well stop this substacking with a isInCombat() restriction at the villagemaster instance.

 

no, because you do not kill the mob, someone from your party does

[PwNNNz0r.^]

This is the hidden content, please

• Sign In
• or
• Sign Up