Help Automatic verify and ban unauthorized skills - L2JFrozen

dextroy · January 10, 2022

Hello, i need some help if anyone know:

I have a multiskill server (L2JFrozen rev) and I've recently had some hacker enter my server and he was able to learn monster passive skills/active skills and some skills that aren't in any character skill tree, like valakas buff, super haste, etc.

Since it happened i activated the AllowedSkills function (plus also activating it on the Protected folder CheckSkillsOnEnter), and added on the list only the character skills on the list (1-500 and 1000-1500), however, the function doesn't seem to be working.

Is there a way a can put a verification on L2PcInstance or some other java instance to automatically ban player/delete skills between 3000-7000 or something like that? My source code already has something like this (i'll be posting below), but it doesn't seem to be working (i tested with another character and nothing happened to it).

	/**
	 * check player skills and remove unlegit ones (excludes hero, noblesse and cursed weapon skills).
	 */
	public void checkAllowedSkills()
	{
		boolean foundskill = false;
		if (!isGM())
		{
			Collection<L2SkillLearn> skillTree = SkillTreeTable.getInstance().getAllowedSkills(getClassId());
			// loop through all skills of player
			for (final L2Skill skill : getAllSkills())
			{
				final int skillid = skill.getId();
				// int skilllevel = skill.getLevel();
				
				foundskill = false;
				// loop through all skills in players skilltree
				for (final L2SkillLearn temp : skillTree)
				{
					// if the skill was found and the level is possible to obtain for his class everything is ok
					if (temp.getId() == skillid)
					{
						foundskill = true;
					}
				}
				
				// exclude noble skills
				if (isNoble() && skillid >= 325 && skillid <= 397)
				{
					foundskill = true;
				}
				
				if (isNoble() && skillid >= 1323 && skillid <= 1327)
				{
					foundskill = true;
				}
				
				// exclude hero skills
				if (isHero() && skillid >= 395 && skillid <= 396)
				{
					foundskill = true;
				}
				
				if (isHero() && skillid >= 1374 && skillid <= 1376)
				{
					foundskill = true;
				}
				
				// exclude cursed weapon skills
				if (isCursedWeaponEquiped() && skillid == CursedWeaponsManager.getInstance().getCursedWeapon(_cursedWeaponEquipedId).getSkillId())
				{
					foundskill = true;
				}
				
				// exclude clan skills
				if (getClan() != null && skillid >= 370 && skillid <= 391)
				{
					foundskill = true;
				}
				
				// exclude seal of ruler / build siege hq
				if (getClan() != null && (skillid == 246 || skillid == 247))
					if (getClan().getLeaderId() == getObjectId())
					{
						foundskill = true;
					}
				
				// exclude fishing skills and common skills + dwarfen craft
				if (skillid >= 1312 && skillid <= 1322)
				{
					foundskill = true;
				}
				
				if (skillid >= 1368 && skillid <= 1373)
				{
					foundskill = true;
				}
				
				// exclude sa / enchant bonus / penality etc. skills
				if (skillid >= 3000 && skillid < 7000)
				{
					foundskill = true;
				}
				
				// exclude Skills from AllowedSkills in options.properties
				if (Config.ALLOWED_SKILLS_LIST.contains(skillid))
				{
					foundskill = true;
				}
				
				// exclude Donator character
				if (isDonator())
				{
					foundskill = true;
				}
				
				// exclude Aio character
				if (isAio())
				{
					foundskill = true;
				}
				
				// remove skill and do a lil LOGGER message
				if (!foundskill)
				{
					removeSkill(skill);
					
					if (Config.DEBUG)
					{
						// sendMessage("Skill " + skill.getName() + " removed and gm informed!");
						LOGGER.warn("Character " + getName() + " of Account " + getAccountName() + " got skill " + skill.getName() + ".. Removed!"/* + IllegalPlayerAction.PUNISH_KICK */);
						
					}
				}
			}
			
			// Update skill list
			sendSkillList();
			
			skillTree = null;
		}
	}

BruT · January 10, 2022

16 minutes ago, dextroy said:
Again, it's not a server-side mistake. You talk about checking my source, the source code i already posted on my previous reply if that would help it's there. The L2JFrozen one, it's the same thing:

http://subversion.assembla.com/svn/L2jFrozenInterlude/trunk/gameserver

Someone used some type of hack bypass to inject themselves with those skills. How? I don't know, i'm not a hacker.

And again, i'm not even asking to find the root of the issue. If there's a way to add an extra layer of security that wouldn't be complicated like a gameguard, or a simple way to find it, what a bonus. But I'm asking for a simple solution in the form of a code:

If a non GM player have those skills learned on their character skill list, they get banned. It's easier to unban later (if it was some sort of mistake) than allowing them exploit for whatever time until i find them exploting and manually ban. That shouldn't be something so complicated.

Which would possibly look something like the line from the code on my first post:
if (skillid >= 3000 && skillid < 7000)
 {
  foundskill = true;
 }
I just don't know where i'd add it or how to code it to make it automatic.

there are two ways to do that, the first is "server-side mistake" the second is sql breach, there is no another way

if its the second way then you are in trouble and skills are your last problem

Edited January 10, 2022 by BruT

dextroy · January 10, 2022

Just now, BruT said:

there are two ways to do that the one is "server-side mistake" the second is sql breach, there is no another way

Yes, but whatever way it is, i'm not asking to know what the hacker did. I'm asking for a countermeasure.

Which would be the automatic ban or kick, or whatever when a player with those skills learned log in the game, or whichever type of verification.

BruT · January 10, 2022

4 minutes ago, dextroy said:

Yes, but whatever way it is, i'm not asking to know what the hacker did. I'm asking for a countermeasure.

Which would be the automatic ban or kick, or whatever when a player with those skills learned log in the game, or whichever type of verification.

so you are saying that someone is "hacking" your server and you dont care if he got access to your database??

dextroy · January 10, 2022

3 minutes ago, BruT said:

so you are saying that someone is "hacking" your server and you dont care if he got access to your database??

If he had access to my database directly he would've given himself the best items in the game, he could've made himself a GameMaster, but no, he was farming for items with monster skills. Or could've done much worse by erasing it.

Plus i keep daily backups. So yeah, if my server got attacked directly on the database, i could give 0 f*cks. And if that happened, THEN i'd be looking for database protection. THEN your comment would make any sense. Not now. For NOW i asked a way to instantly block players that could use the same hack. See the difference?

Really, what's wrong with YOU? Clearly you don't want to help, only want to find ways to boast and criticize to make yourself feel superior. If you have nothing to add, move on to another thread and let someone else assist.

BruT · January 10, 2022

3 minutes ago, dextroy said:

If he had access to my database directly he would've given himself the best items in the game, he could've made himself a GameMaster, but no, he was farming for items with monster skills. Or could've done much worse by erasing it.

Plus i keep daily backups. So yeah, if my server got attacked directly on the database, i could give 0 f*cks. And if that happened, THEN i'd be looking for database protection. THEN your comment would make any sense. Not now. For NOW i asked a way to instantly block players that could use the same hack. See the difference?

Really, what's wrong with YOU? Clearly you don't want to help, only want to find ways to boast and criticize to make yourself feel superior. If you have nothing to add, move on to another thread and let someone else assist.

then you have a "server-side mistake" you are being arrogant so good luck with your "help request"

Edited January 10, 2022 by BruT

dextroy · January 10, 2022

1 minute ago, BruT said:

then you have a "server-side mistake"

And then you're not providing any sort of support, only flooding.

BruT · January 10, 2022

Just now, dextroy said:

And then you're not providing any sort of support, only flooding.

i do not have a fairy stick to help you like that, good luck.

dextroy · January 10, 2022

1 minute ago, BruT said:

i do not have a fairy stick to help you like that, good luck.

Like you even tried. Please. Trying to spam multiple times to get that post number of urs up and some sort of "reputation".

The details are there, the source code is there, what i asked is there. You keep evading the question and boasting. You probably just get other people's work and try to re-sell to others from what i see in your profile. If you knew anything you'd have asked for the specific code lines long ago.

Here's some news for you: you're at the Help section of the forum. If you got nothing to add, move along. Bye.

melron · January 10, 2022

1 hour ago, dextroy said:

i'm not asking to know what the hacker did.

Basically, that's what you have to do. By covering a problem doesn't ensures you the final fix. It may lead to another problem and may it will be harder to find / fix.

A possible solution would be the bypass track. Add logs to each logical action that the player is gonna execute and let him to do it again. once you caught him, you will find what he did.

Can you describe the whole process of a skills set stack? Is it just by switching subclasses?

MrTitanas · January 10, 2022

Tip : Delete Frozen!!!!!!!!!!!! People so daft in theres days! Why da fak u waste u time on project with dead files and after few years you will switch to Acis or Mobius 4 sure !

dextroy · January 10, 2022

8 hours ago, melron said:

Basically, that's what you have to do. By covering a problem doesn't ensures you the final fix. It may lead to another problem and may it will be harder to find / fix.

A possible solution would be the bypass track. Add logs to each logical action that the player is gonna execute and let him to do it again. once you caught him, you will find what he did.

Can you describe the whole process of a skills set stack? Is it just by switching subclasses?

I do understand that finding exactly how the hacker did would be the best solution, but i'm not a programmer. I wouldn't know how to do that bypass track, and that would involve having to wait for another player to come in again and use the same or a similar hacking tool and then looking all over the code to possibly fix multiple things.

Here's the error log i got when the guy started hacking:

Quote

17:36:11,617 WARN BaseStats:125 - Character x has STR over max value 100... Using 100
17:36:11,617 ERROR L2GameServerPacket:47 - Client: [Character: x - Account: x - IP: 0.0.0.0] - Failed writing: [S] 0e StatusUpdate - L2J Server Version: exported - DP Revision: Unsupported Custom Version.
java.lang.ArrayIndexOutOfBoundsException: 100
   at com.l2jfrozen.gameserver.skills.BaseStats$STR.calcBonus(BaseStats.java:126)
   at com.l2jfrozen.gameserver.skills.BaseStats.calcBonus(BaseStats.java:87)
   at com.l2jfrozen.gameserver.skills.Formulas$FuncPAtkMod.calc(Formulas.java:207)
   at com.l2jfrozen.gameserver.skills.Calculator.calc(Calculator.java:188)
   at com.l2jfrozen.gameserver.model.actor.stat.CharStat.calcStat(CharStat.java:105)
   at com.l2jfrozen.gameserver.model.actor.stat.CharStat.getPAtk(CharStat.java:597)
   at com.l2jfrozen.gameserver.model.L2Character.getPAtk(L2Character.java:9914)
   at com.l2jfrozen.gameserver.network.serverpackets.StatusUpdate.writeImpl(StatusUpdate.java:152)
   at com.l2jfrozen.gameserver.network.serverpackets.L2GameServerPacket.write(L2GameServerPacket.java:43)
   at com.l2jfrozen.netcore.SelectorThread.putPacketIntoWriteBuffer(SelectorThread.java:648)
   at com.l2jfrozen.netcore.SelectorThread.prepareWriteBuffer(SelectorThread.java:618)
   at com.l2jfrozen.netcore.SelectorThread.writePacket(SelectorThread.java:528)
   at com.l2jfrozen.netcore.SelectorThread.run(SelectorThread.java:192)

He also learned STR as a skill and had it maxed, that's probably why the server couldn't identify the limitation. There are no other logs about learning the skills or detected illegal activity on the gameserver.

I don't have a professional server nor want to, it's just a fun side project, i know L2JFrozen has it's limitations and i've covered most i found over the months i've worked, that's why the guy that hacked wasn't able to completely ruin the server and compromise other accounts. I just want a way to immediately block the account if such thing happen again. Like: if the guy has one of the illegal skills learned, the character automatically gets kicked or banned. That would solve the root? No, but that would not allow them to exploit any skill related bug anymore.

As for the learning skills process, it's not stack sub, not autolearn, just class masters, as i replied to Zake on a previous post, there are these lines on one of the config files:

# Alternative skill learn rules:
# - all classes can learn all skills
# - skills of another class costs x2 SP
# - skills of another race costs x2 SP
# - skills of fighters/mages costs x3 SP
AltGameSkillLearn = True

With this active the player get to the class master/magister and learn their skills. Stack sub is not activated. They just can learn any class skill on any class master. If you need any other information to help understand the issue, i'll gladly provide, but i just want a countermeasure to block if such thing happens again.

6 hours ago, MrTitanas said:

Tip : Delete Frozen!!!!!!!!!!!! People so daft in theres days! Why da fak u waste u time on project with dead files and after few years you will switch to Acis or Mobius 4 sure !

Yes man, i know those have safer and better coding, but i'm not throwing away all my work to learn how to code every single change i did on another type of java server from scratch. Especially since it's just a fun server. If you can assist with this version, great, i'd thank you. Otherwise i don't see the point in coming to do posts like this.

Psygrammator · January 10, 2022

14 hours ago, dextroy said:

Hello, i need some help if anyone know:

I have a multiskill server (L2JFrozen rev) and I've recently had some hacker enter my server and he was able to learn monster passive skills/active skills and some skills that aren't in any character skill tree, like valakas buff, super haste, etc.

Since it happened i activated the AllowedSkills function (plus also activating it on the Protected folder CheckSkillsOnEnter), and added on the list only the character skills on the list (1-500 and 1000-1500), however, the function doesn't seem to be working.

Is there a way a can put a verification on L2PcInstance or some other java instance to automatically ban player/delete skills between 3000-7000 or something like that? My source code already has something like this (i'll be posting below), but it doesn't seem to be working (i tested with another character and nothing happened to it).

	/**
	 * check player skills and remove unlegit ones (excludes hero, noblesse and cursed weapon skills).
	 */
	public void checkAllowedSkills()
	{
		boolean foundskill = false;
		if (!isGM())
		{
			Collection<L2SkillLearn> skillTree = SkillTreeTable.getInstance().getAllowedSkills(getClassId());
			// loop through all skills of player
			for (final L2Skill skill : getAllSkills())
			{
				final int skillid = skill.getId();
				// int skilllevel = skill.getLevel();
				
				foundskill = false;
				// loop through all skills in players skilltree
				for (final L2SkillLearn temp : skillTree)
				{
					// if the skill was found and the level is possible to obtain for his class everything is ok
					if (temp.getId() == skillid)
					{
						foundskill = true;
					}
				}
				
				// exclude noble skills
				if (isNoble() && skillid >= 325 && skillid <= 397)
				{
					foundskill = true;
				}
				
				if (isNoble() && skillid >= 1323 && skillid <= 1327)
				{
					foundskill = true;
				}
				
				// exclude hero skills
				if (isHero() && skillid >= 395 && skillid <= 396)
				{
					foundskill = true;
				}
				
				if (isHero() && skillid >= 1374 && skillid <= 1376)
				{
					foundskill = true;
				}
				
				// exclude cursed weapon skills
				if (isCursedWeaponEquiped() && skillid == CursedWeaponsManager.getInstance().getCursedWeapon(_cursedWeaponEquipedId).getSkillId())
				{
					foundskill = true;
				}
				
				// exclude clan skills
				if (getClan() != null && skillid >= 370 && skillid <= 391)
				{
					foundskill = true;
				}
				
				// exclude seal of ruler / build siege hq
				if (getClan() != null && (skillid == 246 || skillid == 247))
					if (getClan().getLeaderId() == getObjectId())
					{
						foundskill = true;
					}
				
				// exclude fishing skills and common skills + dwarfen craft
				if (skillid >= 1312 && skillid <= 1322)
				{
					foundskill = true;
				}
				
				if (skillid >= 1368 && skillid <= 1373)
				{
					foundskill = true;
				}
				
				// exclude sa / enchant bonus / penality etc. skills
				if (skillid >= 3000 && skillid < 7000)
				{
					foundskill = true;
				}
				
				// exclude Skills from AllowedSkills in options.properties
				if (Config.ALLOWED_SKILLS_LIST.contains(skillid))
				{
					foundskill = true;
				}
				
				// exclude Donator character
				if (isDonator())
				{
					foundskill = true;
				}
				
				// exclude Aio character
				if (isAio())
				{
					foundskill = true;
				}
				
				// remove skill and do a lil LOGGER message
				if (!foundskill)
				{
					removeSkill(skill);
					
					if (Config.DEBUG)
					{
						// sendMessage("Skill " + skill.getName() + " removed and gm informed!");
						LOGGER.warn("Character " + getName() + " of Account " + getAccountName() + " got skill " + skill.getName() + ".. Removed!"/* + IllegalPlayerAction.PUNISH_KICK */);
						
					}
				}
			}
			
			// Update skill list
			sendSkillList();
			
			skillTree = null;
		}
	}

There are several factors. The code you gave him will not give any facts.

You can analyze your code and trace all possible patterns associated with your problem.

I can find and fix this problem.

dextroy · January 10, 2022

24 minutes ago, Psygrammator said:

There are several factors. The code you gave him will not give any facts.

You can analyze your code and trace all possible patterns associated with your problem.

I can find and fix this problem.

If you have any suggestions i'm happy to listen and try. I did find somewhat of a fix of my own already. I entered the clientpack RequestAquireSkill.java and added the simple line:

		if ((_id) > 1500)
			return;

I tested the code the other way around <1500 and it didn't allow me to learn any skills. So, If the hacker was using the skill masters packets to learn skills this should block them already.

But if it's some other way, they can still get around. That's why i wanted a way to kick/ban players who have those skills learned on their character, because if it is something else, then a countermeasure to block characters with illegal skills would work for all situations. I just don't know which java file and what code could do that automatic verification.

Psygrammator · January 10, 2022

25 minutes ago, dextroy said:
Если у вас есть какие-либо предложения, я рад выслушать и попробовать. Я уже нашел какое-то исправление для себя. Я ввел клиентский пакет RequestAquireSkill.java и добавил простую строку:
 
Я протестировал код наоборот, около <1500, и это не позволило мне изучить какие-либо навыки. Таким образом, если хакер использовал пакеты мастеров навыков для изучения навыков, это должно уже заблокировать их.

Но если это какой-то другой путь, они все еще могут обойти. Вот почему я хотел найти способ кикать/банить игроков, у которых эти навыки изучены на их персонажах, потому что если это что-то другое, то контрмера по блокировке персонажей с нелегальными навыками будет работать во всех ситуациях. Я просто не знаю, какой java-файл и какой код может выполнять эту автоматическую проверку.

Your method will take a long time to figure out how it does it. If you have data that he adds skills from monsters. Isn't it easier in the method of adding skills to make the condition and logging an expanded chain from where it comes from?

Example: if someone adds a monster skill to himself, and this in any case goes through the addSkill method, you will be fully shown from which class this method is called.

As you have already been told above, do not try to block the actions of the hacker, try to understand how he does it in order to fundamentally eliminate your problem forever.

Your code is funny

		if ((_id) > 1500)
			return;

Edited January 10, 2022 by Psygrammator

dextroy · January 10, 2022

6 minutes ago, Psygrammator said:

Your method will take a long time to figure out how it does it. If you have data that he adds skills from monsters. Isn't it easier in the method of adding skills to make the condition and logging an expanded chain from where it comes from?

Example: if someone adds a monster skill to himself, and this in any case goes through the addSkill method, you will be fully shown from which class this method is called.

As you have already been told above, do not try to block the actions of the hacker, try to understand how he does it in order to fundamentally eliminate your problem forever.

I understand, but i'm not sure if i can cover every single possibility of "how he did it" as there were no specific logs generated.

The normal learn skill process on my server calls for the database skill tree on class masters, and the db skill tree only displays skills under 1500, which are the regular skill classes.

If he used a class master to learn the skill, the new line i added on my previous post should already block them from learning. But if he did some other way, i can't figure out 'cause there were no logs.

And i think i can assume it's not addSkill command 'cause only GM/ADM access level can call for those. And i'm assuming it's nothing of the sort, because if it was, he could've cause more damage than simply learning monster/items skills.

Help Automatic verify and ban unauthorized skills - L2JFrozen

Question

dextroy

50 answers to this question

Recommended Posts

BruT

dextroy

BruT

dextroy

BruT

dextroy

BruT

dextroy

melron

MrTitanas

dextroy

Psygrammator

dextroy

Psygrammator

dextroy

AchYlek

Posts

Topics

Browse

Activity

Store