
LoginPacket - Critical security bug (all chronicles)



5 minutes ago, xxdem said:

IMHO I would just go O(n) with an array of struct{int accountId, int sessionId} and perform a search or something similar. It doesn't seem that n will ever be huge in this case; I could be wrong.

That's true for the first map (accountId -> sessionId), it usually contains just a few items. But the second map contains all account IDs that were logged in since the last server start, so O(n) would be bad.


Kind of sick to see this guy commenting all the time about which language is the best, "no, C is the best". Please, everyone has their opinion, so keep your preference for C to yourself. Stop complaining full of mimi and do a better job using C before posting anything.

Thank you for the share, eressea.


1 hour ago, japarzo said:

Kind of sick to see this guy commenting all the time about which language is the best, "no, C is the best". Please, everyone has their opinion, so keep your preference for C to yourself. Stop complaining full of mimi and do a better job using C before posting anything.

Thank you for the share, eressea.

What a clown, I never said C is the best. You say "all the time", but I never did xd

1 hour ago, eressea said:

That's true for the first map (accountId -> sessionId), it usually contains just a few items. But the second map contains all account IDs that were logged in since the last server start, so O(n) would be bad.

Can you enlighten me a bit? Why do we need to cache all these sessions in the map? Even if we do, what would the average n length be on an official NCSoft server?

Edited by xxdem

45 minutes ago, xxdem said:

Can you enlighten me a bit? Why do we need to cache all these sessions in the map? Even if we do, what would the average n length be on an official NCSoft server?

I'm not sure about the purpose of the second map (I just know it's there and that it contains all account IDs since server start; maybe I'll dig a bit more into it later). On a retail server it will be big (surely 10k+)... That will be a big difference between O(n) and O(log n). Probably it can be omitted, but it would probably have some performance impact.

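Added example (not code from this thread or from any extender): the accountId -> sessionId cache discussed above, kept as the struct array xxdem proposed but sorted by accountId so every lookup is O(log n), which is what matters for the large map eressea describes (10k+ account IDs since server start). The capacity and the session_matches() check, which compares a client's presented session id against the cached one, are my assumptions; the thread does not spell out how the map is consulted.

```c
#include <stdlib.h>
#include <string.h>

/* Sorted array of (accountId, sessionId) pairs: the O(n) array from the
 * thread, but kept ordered so bsearch() gives O(log n) lookups at 10k+ entries. */
struct session { int accountId; int sessionId; };

#define MAX_SESSIONS 16384          /* assumed capacity for this example */
static struct session table[MAX_SESSIONS];
static size_t count = 0;

static int cmp_account(const void *a, const void *b) {
    int x = ((const struct session *)a)->accountId;
    int y = ((const struct session *)b)->accountId;
    return (x > y) - (x < y);
}

/* Insert or overwrite the entry for accountId, keeping the array sorted. */
int session_put(int accountId, int sessionId) {
    size_t lo = 0, hi = count;
    while (lo < hi) {                       /* binary search for the slot */
        size_t mid = lo + (hi - lo) / 2;
        if (table[mid].accountId < accountId) lo = mid + 1; else hi = mid;
    }
    if (lo < count && table[lo].accountId == accountId) {
        table[lo].sessionId = sessionId;    /* re-login: refresh the session */
        return 1;
    }
    if (count == MAX_SESSIONS) return 0;    /* cache full, caller decides */
    memmove(&table[lo + 1], &table[lo], (count - lo) * sizeof table[0]);
    table[lo].accountId = accountId;
    table[lo].sessionId = sessionId;
    count++;
    return 1;
}

/* O(log n) lookup; returns 1 and fills *sessionId when the account is cached. */
int session_get(int accountId, int *sessionId) {
    struct session key = { accountId, 0 };
    struct session *hit = bsearch(&key, table, count, sizeof table[0], cmp_account);
    if (!hit) return 0;
    *sessionId = hit->sessionId;
    return 1;
}

/* Assumed login check: the session id the client presents must equal the
 * one cached for that account; an unknown account or a mismatch is rejected. */
int session_matches(int accountId, int sessionId) {
    int cached;
    return session_get(accountId, &cached) && cached == sessionId;
}
```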

5 hours ago, japarzo said:

Kind of sick to see this guy commenting all the time about which language is the best, "no, C is the best". Please, everyone has their opinion, so keep your preference for C to yourself. Stop complaining full of mimi and do a better job using C before posting anything.

Thank you for the share, eressea.

Respect the forum's last toxic user; it's like a kind without ways to breed and reproduce, you just watch it fade slowly and smile for his short but happy future.


Yeah, it's a pretty ancient bug, that one. It caused all kinds of havoc back in the C2-C4 days before people actually figured out what it was; any C4-based ext will have it fixed via amped.


2 hours ago, Anarchy said:

Yeah, it's a pretty ancient bug, that one. It caused all kinds of havoc back in the C2-C4 days before people actually figured out what it was; any C4-based ext will have it fixed via amped.

I'd forgotten about amped - this strategy of using two extenders at once seemed weird to me, so I didn't care much about it :D

Still not fixed in leaked H5 and GD... maybe still not fixed on the official server :D


I wouldn't be surprised tbh. I mean, hell, you can still do the file download exploit on official servers atm; used it to snag eventdata not so long ago from there. Seems they aren't much interested in security, so hardly a surprise so many of their files are floating around :D


On 7/31/2018 at 6:13 PM, xxdem said:

What a clown, I never said C is the best. You say "all the time", but I never did xd

It is not hard to find your comments in the forum saying "C, why not C? C is better than other languages", so, please. You are the only clown here, trying to fool your own self. thx much love <3


23 minutes ago, japarzo said:

It is not hard to find your comments in the forum saying "C, why not C? C is better than other languages", so, please. You are the only clown here, trying to fool your own self. thx much love <3

Yeah, it's not hard, it's impossible. Prove me wrong.


The file download exploit is fixed via the html link check setting in l2server.ini; they recently turned it on in NA due to, what I'm assuming, noticing files being leaked :P. Though I have a feeling it will be turned back off in the next major update on NA when they replace the l2server.ini :D and forget about it. This login exploit is also fixed on retail.


The reason it's disabled is they gave up on updating the whitelist for bypass commands for all the random shit they added in the newer chronicles in the client, which sends bypass commands instead of packets, combined with the fact that in HF+ l2server they changed the way fstrings from AI work, and now the fstring id is passed directly to the client in the html body like:

<fstring p1="%s" p2="%s" p3="%s" p4="%s" p5="%s">%d</fstring>

and it fills in whole bypass commands via localized NPCString-x.dat - both of which end up with false blocks on the bypass check and fuck up a bunch of systems :D

(So to any of you building exts on the HF+ files, don't forget to fix that ;))

But from what I hear, in the latest shit they don't appear to have enabled the link check (for example you can still rip htmls no problem if you know the html names) but instead might've added some filtering to prevent the download shit. The last time I checked was like 3 months ago and it worked fine on NA, RU and KR servers, but a lot can change in 3 months :D


Ya, it was enabled on NA only as far as I can tell, as of ~2ish months ago, and when they did it broke a ton of quests and people trying to learn awakening race skills :D. All it does is DC you on anything not cached, so I expect they just enabled the l2server.ini setting when they noticed the log shit appearing a bit more than normal lol. But I expect it to be turned off again when they do their next major update and get a new l2server.ini from KR, and forget they had it enabled :D.


2 hours ago, Anarchy said:

The reason it's disabled is they gave up on updating the whitelist for bypass commands for all the random shit they added in the newer chronicles in the client, which sends bypass commands instead of packets, combined with the fact that in HF+ l2server they changed the way fstrings from AI work, and now the fstring id is passed directly to the client in the html body like:

<fstring p1="%s" p2="%s" p3="%s" p4="%s" p5="%s">%d</fstring>

and it fills in whole bypass commands via localized NPCString-x.dat - both of which end up with false blocks on the bypass check and fuck up a bunch of systems :D

(So to any of you building exts on the HF+ files, don't forget to fix that ;))

But from what I hear, in the latest shit they don't appear to have enabled the link check (for example you can still rip htmls no problem if you know the html names) but instead might've added some filtering to prevent the download shit. The last time I checked was like 3 months ago and it worked fine on NA, RU and KR servers, but a lot can change in 3 months :D

Doubt that's the reason; there are close to no global bypasses on GOD+ (some oly/CoC, a few NPCs), and privs running the last off files like gamecoast have validation fully enabled with auto kick.

About the exploit, it still works fine on Innova (+ they even had plain txt scripts for most of the last years, lul).


It's the reason, trust me :D In Classic half the damn interface is run off bypasses + they clearly don't know how their own bypass check parser works, cuz I have to reformat their own htmls every time to remove whitespace and shit from bypass urls in random htmls, which also cause false blocks, and there's a reason gamecoast has it enabled with no problems (they patched it). But the fstring shit is for sure the biggest reason; check out npcstring-x.dat, that shit is full of full bypass strings where they really only need the localized string to be in there. All those links will false block if you enable bypass checks on any server High Five or above, including the latest Classic and Salvation l2server.
