Seamless Posted July 14, 2022 Share Posted July 14, 2022 It literally says it here java.io.FileNotFoundException: .\config\user.ini (The system cannot find the file specified) Quote Link to comment Share on other sites More sharing options...
L2 Archon Posted July 14, 2022 Share Posted July 14, 2022 9 minutes ago, Seamless said: It literally says it here java.io.FileNotFoundException: .\config\user.ini (The system cannot find the file specified) what happen now..? Quote Link to comment Share on other sites More sharing options...
Seamless Posted July 14, 2022 Share Posted July 14, 2022 File not found in config(folder)/ user.ini (file name). Just check your config folder. you are missing a file. Quote Link to comment Share on other sites More sharing options...
sqhizein Posted February 26, 2023 Share Posted February 26, 2023 Which Revision is this cracked source ? Changeset #28 | Revision #899 Changeset #27 | Revision #869 Changeset #24 | Revision #663 i couldn't find any info for that Quote Link to comment Share on other sites More sharing options...
Orochy Posted June 4, 2023 Share Posted June 4, 2023 On 2/26/2023 at 9:07 AM, sqhizein said: Which Revision is this cracked source ? Changeset #28 | Revision #899 Changeset #27 | Revision #869 Changeset #24 | Revision #663 i couldn't find any info for that The last free version available is L2JOrion r21, even then without the phantom settings and others. Quote Link to comment Share on other sites More sharing options...
L2LIVEpro Posted Wednesday at 05:51 AM Share Posted Wednesday at 05:51 AM (edited) Well, sorry not sorry for resurrecting old topic, but I believe it's ultimately stupid to implement license checks like Vilmis did private static String url = "jdbc:mysql://185.80.128.233/" + getData("Zm9ydW1fZGI="); private static String username = getData("bXJjb3B5cmlnaHQ="); private static String password = getData("Y29weXJpZ2h0XzEyMw=="); con = GlobalDB.getInstance().getConnection(); PreparedStatement statement; statement = con.prepareStatement("SELECT field_6 from core_pfields_content WHERE member_id = ?"); statement.setInt(1, Config.FORUM_USER_ID); ResultSet rset = statement.executeQuery(); This awesome way of coding things leaves us with base64-encoded credentials and DB exposed and accessible globally Btw he checks his licensing data from some plugin generated table his forum uses. Vilmis took action and ensured that mrcopyright user would have only needed accesses and rights for this operation. But he forgot to ensure that his INFORMATION_SCHEMA database would not be exposed and readable... That leads us to fully readable server variables like version used (10.1.26-MariaDB-0+deb9u1 - pretty ancient DB and OS, I'd assume). From here you can go south and do some kinky stuff, if you want and have knowledge for that. But who cares, right? Ooh, table core_pfields_content field_6 is IP address which is checked by FORUM_USER_ID. Yep, you can query all IP addresses there (124 of them right now) and also do whatever you want with them! The most fun part? Files source has been shared what, more than 2 years ago? Vilmis still uses very same credentials and never changed it after sources exposure - who cares. Although, "sources" may be way too strong word here. If anyone still use paid Orion versions, I'd suggest packing your shit and leaving immediately, or at least fix this incompetent fool caused problems. It's obvious Vilmis don't care or maybe doesn't even know from the first place how to solve this problem (hint hint - tiny PHP Rest API microservice which would do absolutely the same but without exposing sensitive data?). By doing that, he exposes his infrastructure and YOUR data, and he does that for more than 2 years now Developer of century! Edited Wednesday at 05:56 AM by L2LIVEpro 1 Quote Link to comment Share on other sites More sharing options...
Nightw0lf Posted Wednesday at 12:08 PM Share Posted Wednesday at 12:08 PM he had a friend of mine as customer, he was asking money to fix his mistakes in core, eachtime and he was mad that his client was requesting assistance, and didnt even respond, if he is still around shame. Quote Link to comment Share on other sites More sharing options...
Psygrammator Posted Wednesday at 12:09 PM Share Posted Wednesday at 12:09 PM 6 hours ago, L2LIVEpro said: Well, sorry not sorry for resurrecting old topic, but I believe it's ultimately stupid to implement license checks like Vilmis did private static String url = "jdbc:mysql://185.80.128.233/" + getData("Zm9ydW1fZGI="); private static String username = getData("bXJjb3B5cmlnaHQ="); private static String password = getData("Y29weXJpZ2h0XzEyMw=="); con = GlobalDB.getInstance().getConnection(); PreparedStatement statement; statement = con.prepareStatement("SELECT field_6 from core_pfields_content WHERE member_id = ?"); statement.setInt(1, Config.FORUM_USER_ID); ResultSet rset = statement.executeQuery(); This awesome way of coding things leaves us with base64-encoded credentials and DB exposed and accessible globally Btw he checks his licensing data from some plugin generated table his forum uses. Vilmis took action and ensured that mrcopyright user would have only needed accesses and rights for this operation. But he forgot to ensure that his INFORMATION_SCHEMA database would not be exposed and readable... That leads us to fully readable server variables like version used (10.1.26-MariaDB-0+deb9u1 - pretty ancient DB and OS, I'd assume). From here you can go south and do some kinky stuff, if you want and have knowledge for that. But who cares, right? Ooh, table core_pfields_content field_6 is IP address which is checked by FORUM_USER_ID. Yep, you can query all IP addresses there (124 of them right now) and also do whatever you want with them! The most fun part? Files source has been shared what, more than 2 years ago? Vilmis still uses very same credentials and never changed it after sources exposure - who cares. Although, "sources" may be way too strong word here. If anyone still use paid Orion versions, I'd suggest packing your shit and leaving immediately, or at least fix this incompetent fool caused problems. It's obvious Vilmis don't care or maybe doesn't even know from the first place how to solve this problem (hint hint - tiny PHP Rest API microservice which would do absolutely the same but without exposing sensitive data?). By doing that, he exposes his infrastructure and YOUR data, and he does that for more than 2 years now Developer of century! Protection from schoolchildren. And also terrible code, the project is built to wear out the database with queries. Quote Link to comment Share on other sites More sharing options...
L2LIVEpro Posted Thursday at 06:21 AM Share Posted Thursday at 06:21 AM Oh, and someone TOTALLY should not go and break Vilmis DB. That will TOTALLY not cause all license-enforced Orion servers not to startup anymore. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.