Code EnterWorld exploit fix - ALL L2J versions

Tryskell · February 25, 2019

Short version : upon L2PHX (or any packet manipulation tool) use, the manual or automatic send of EnterWorld packet creates issues (for example, if the config spawn protection is activated, it sends anew the spawn protection, making you immune everytime you send back the packet). Simply select EnterWorld packet from "Packet Sniffer" tab, "Add packet to send..." and check "send every 100 ms".

Issue : packet manipulation spam, calling multiple times the same subroutines (spawn protection custom and whatever custom you added in EnterWorld). Potentially fix other exploits based on your spawnMe() content.

Fix : generate a new GameClientState (personally called ENTERING), isolate EnterWorld on it (RequestManorList being called automatically, it must be part of ENTERING too). Any subsequent calls of EnterWorld will call onUnknownPacket, because it will be considered out of ENTERING scope, since we're already at IN_GAME scope once the Player instance is fully loaded (such stuff already exists for all packets : login packets can't be called during ingame state, etc. It's just than EnterWorld is a transition packet between lobby and ingame, but it is considered an ingame packet while it shouldn't).

Since chronicle got different opcodes, you have to adapt using your own chronicle opcodes. I can't and won't deliver a unique version for all chronicles. Since I'm an IL guy, I share for IL. The diff patch can help you to guess what to edit.

Possible improvements :

If you know more packets which should be sent only during that translation time between AUTHED and IN_GAME, you can answer here (notably for higher chronicles than IL) with your own version for your own chronicle. I will refresh the initial topic with the different versions.
Not sure if RequestManorList can be called anywhere else (manor panel, etc). I preferred to keep it on IN_GAME. If you know the answer, consider to reply :) !

aCis version, based on latest (GameClient is generally called L2GameClient) :

### Eclipse Workspace Patch 1.0
#P aCis_gameserver
Index: java/net/sf/l2j/gameserver/network/clientpackets/CharacterSelected.java
===================================================================
--- java/net/sf/l2j/gameserver/network/clientpackets/CharacterSelected.java	(revision 1146)
+++ java/net/sf/l2j/gameserver/network/clientpackets/CharacterSelected.java	(working copy)
@@ -62,7 +62,7 @@
 					
 					sendPacket(SSQInfo.sendSky());
 					
-					client.setState(GameClientState.IN_GAME);
+					client.setState(GameClientState.ENTERING);
 					
 					sendPacket(new CharSelected(cha, client.getSessionId().playOkID1));
 				}
Index: java/net/sf/l2j/gameserver/network/GameClient.java
===================================================================
--- java/net/sf/l2j/gameserver/network/GameClient.java	(revision 1157)
+++ java/net/sf/l2j/gameserver/network/GameClient.java	(working copy)
@@ -64,6 +64,7 @@
 	{
 		CONNECTED, // client has just connected
 		AUTHED, // client has authed but doesnt has character attached to it yet
+		ENTERING, // client is currently loading his Player instance, but didn't end
 		IN_GAME // client has selected a char and is in game
 	}
@@ -168,6 +168,7 @@
 				case AUTHED:
 					return "[Account: " + getAccountName() + " - IP: " + (address == null ? "disconnected" : address.getHostAddress()) + "]";
 				
+				case ENTERING:
 				case IN_GAME:
 					return "[Character: " + (getPlayer() == null ? "disconnected" : getPlayer().getName()) + " - Account: " + getAccountName() + " - IP: " + (address == null ? "disconnected" : address.getHostAddress()) + "]";
 				
Index: java/net/sf/l2j/gameserver/network/L2GamePacketHandler.java
===================================================================
--- java/net/sf/l2j/gameserver/network/L2GamePacketHandler.java	(revision 1145)
+++ java/net/sf/l2j/gameserver/network/L2GamePacketHandler.java	(working copy)
@@ -51,6 +51,7 @@
 						break;
 				}
 				break;
+				
 			case AUTHED:
 				switch (opcode)
 				{
@@ -80,6 +81,43 @@
 						break;
 				}
 				break;
+				
+			case ENTERING:
+				switch (opcode)
+				{
+					case 0x03:
+						msg = new EnterWorld();
+						break;
+						
+					case 0xd0:
+						int id2 = -1;
+						if (buf.remaining() >= 2)
+						{
+							id2 = buf.getShort() & 0xffff;
+						}
+						else
+						{
+							_log.warning("Client: " + client.toString() + " sent a 0xd0 without the second opcode.");
+							break;
+						}
+						
+						switch (id2)
+						{
+							case 8:
+								msg = new RequestManorList();
+								break;
+							default:
+								printDebugDoubleOpcode(opcode, id2, buf, state, client);
+								break;
+						}
+						break;
+						
+					default:
+						printDebug(opcode, buf, state, client);
+						break;
+				}
+				break;
+				
 			case IN_GAME:
 				switch (opcode)
 				{
@@ -89,9 +127,6 @@
 					// case 0x02:
 					// // Say ... not used any more ??
 					// break;
-					case 0x03:
-						msg = new EnterWorld();
-						break;
 					case 0x04:
 						msg = new Action();
 						break;
Index: java/net/sf/l2j/gameserver/network/clientpackets/EnterWorld.java
===================================================================
--- java/net/sf/l2j/gameserver/network/clientpackets/EnterWorld.java	(revision 1150)
+++ java/net/sf/l2j/gameserver/network/clientpackets/EnterWorld.java	(working copy)
@@ -35,6 +35,7 @@
 import net.sf.l2j.gameserver.model.pledge.SubPledge;
 import net.sf.l2j.gameserver.model.zone.ZoneId;
 import net.sf.l2j.gameserver.network.SystemMessageId;
+import net.sf.l2j.gameserver.network.GameClient.GameClientState;
 import net.sf.l2j.gameserver.network.serverpackets.ActionFailed;
 import net.sf.l2j.gameserver.network.serverpackets.Die;
 import net.sf.l2j.gameserver.network.serverpackets.EtcStatusUpdate;
@@ -77,6 +78,8 @@
 			return;
 		}
 		
+		getClient().setState(GameClientState.IN_GAME);
+		
 		final int objectId = player.getObjectId();
 		
 		if (player.isGM())

Edited February 26, 2019 by Tryskell

Setekh · February 25, 2019

Dude you still share shit? It's like making my stomach feel weird, like in a good way tho.

Gotta have to wait for my reacts to cool down.

Nice to see ya <3

Elfo · February 25, 2019

a

Edited October 1, 2021 by Elfocrash

Tryskell · February 25, 2019

54 minutes ago, Setekh said:

Dude you still share shit? It's like making my stomach feel weird, like in a good way tho.

Gotta have to wait for my reacts to cool down.

Nice to see ya <3

I only share public exploits fixes, and help on dev help section when the question is ok. Which is still far better than some others ppl.

You maybe should check for chestburster if you got stomach problems.

AlmostGood · February 25, 2019

it was possible to lag servers using that years ago cuz it init all enterworld steps and has no flood protection :D

but beside that its useless, it didn't give you spawn protection on H5+ back in days (mobs will just still attack you).

Kara · February 25, 2019

Tryskell made 2 share in 1 month. Now we all need 2 revision of aCis in same year and its cleary a sign of the end of the world!

Also "Little weird orange hair dwarf make aliens movie reference in a gaming forum", cliche. +1 SIN

Edited February 25, 2019 by Kara`

Tryskell · February 25, 2019

6 minutes ago, Kara` said:

Tryskell made 2 share in 1 month. Now we all need 2 revision of aCis in same year and its cleary a sign of the end of the world!

I'm already at 3 revs for the 2 current months and a 4th is coming, you should review your statistics.

Should I ask a rename for Nibiru ?

Edited February 25, 2019 by Tryskell

Kara · February 25, 2019

6 minutes ago, Tryskell said:

I'm already at 3 revs for the 2 current months and a 4th is coming, you should review your statistics.

Should I ask a rename for Nibiru ?

This would be a hit don't mess with your luck tryski

Setekh · February 25, 2019

25 minutes ago, Tryskell said:

You maybe should check for chestburster if you got stomach problems.

Hahaha, didnt expect that one, nais :D

Tryskell · February 25, 2019

56 minutes ago, AlmostGood said:

it was possible to lag servers using that years ago cuz it init all enterworld steps and has no flood protection :D

but beside that its useless, it didn't give you spawn protection on H5+ back in days (mobs will just still attack you).

The only people you can spam is actually... The hacker. Cause the hacker sends to himself 10+ packets everytime, the packet queue is simply growing and you end with unresponsive client (with 100ms at least, on aCis). And EnterWorld barely sends anything as broadcast.

The problem is more about called methods, notably spawnMe() and customs. Imagine let's say, a custom counter which resets on EnterWorld (since EnterWorld is a really common place to edit for customs), you only have to send back EnterWorld to reset that custom counter.

All in one, EnterWorld isn't supposed to be called anytime after first call. So even on a logic base, it should be restrained to a single call, with a unique call window (being between CharacterSelected and EnterWorld first call).

Edited February 25, 2019 by Tryskell

UnAfraid · February 25, 2019

Nice catch!

Red-Hair-Shanks · February 25, 2019

im glad that i make you that report and you fixed it :)

AlmostGood · February 25, 2019

8 hours ago, Tryskell said:

The only people you can spam is actually... The hacker. Cause the hacker sends to himself 10+ packets everytime, the packet queue is simply growing and you end with unresponsive client (with 100ms at least, on aCis). And EnterWorld barely sends anything as broadcast.

I wrote lag not spam

around 2-3 years back it only required ~5 clients running flooding script with no delay (which also dropped all related answers from server to dont kill client) to lag whole server to the unplayable point (h5 tales pack).

About lagging ppl around by broadcast its even more trivial, it only requires 1 client and ppl around wont be able to move. Most l2j packs have at least few non flood protected packets which can be used, dunno about acis but if you didn't rework that part its prolly no different.

Edited February 25, 2019 by AlmostGood

Tryskell · February 26, 2019

Fix is slightly edited. Don't forget to add

case ENTERING:

on L2GameClient#toString, on the same level than case IN_GAME.

                case ENTERING:
                case IN_GAME:
                    return...

valentin · March 29, 2019

gj

Code EnterWorld exploit fix - ALL L2J versions

Recommended Posts

Tryskell

Setekh

Elfo

Tryskell

AlmostGood

Kara

Tryskell

Kara

Setekh

Tryskell

UnAfraid

Red-Hair-Shanks

AlmostGood

Tryskell

valentin

Create an account or sign in to comment

Create an account

Sign in

Posts

Topics

Browse

Activity

Store

Important Information