fix Player Change Name item duplication exploit Fix

[Trial 231]

Hello,

So I have shared this fix with someone a few days ago and saw this morning that martysama has published it on it's blog.
I let you know before kids with "private" access to this start playing with it. (I do not have acces to martysama's blog member posts and do not know who does)

The "pc_change_name" function has an exploitable item duplication bug.

The fix is simple, in "pc_change_name" replace this code:

db_clientdesc->DBPacketHeader(HEADER_GD_FLUSH_CACHE, 0, sizeof(DWORD));
db_clientdesc->Packet(&pid, sizeof(DWORD));

with this:

if (!CHARACTER_MANAGER::instance().FlushDelayedSave(ch))
{
    ch->SaveReal();
}

 

I will edit this post to add details on how and why later on to avoid kids playing with it before it's patched on majority of servers.

 

Regards,

[martysama0134 6959]

1 hour ago, Trial said:

saw this morning that martysama has published it on it's blog.

People may misunderstand:

Someone used this exploit in a pserver, and the game admin asked many people for help (I suppose).

Replacing the Flush Cache packet to Save() is enough. It's exactly the same bug ShopEx had years ago in a specific mainline branch.

Edited December 20, 2022 by VegaS™
Removed the how-to part

[Trial 231]

2 hours ago, martysama0134 said:

People may misunderstand:

Someone used this exploit in a pserver, and the game admin asked many people for help (I suppose).

Replacing the Flush Cache packet to Save() is enough. It's exactly the same bug ShopEx had years ago in a specific mainline branch.

Sorry if there was any confusion, I was just mentioning the fact that it was posted on your blog.

And yes this is the same game admin I gave this fix to, don't know why he asked you about this as it was fixed, anyway.

I suggest you remove the "how to" part from your screenshots as it may still be too early, I will edit my initial post about details soon.

Edited December 20, 2022 by Trial
removed how-to part from citation

[[007]DawisHU 262]

My repli was deleted??? for why??


Hi @Trial
BIG THANK for share it.
I have a Premium Offline Shop by @ Rakancito.
But sadly this system is total bugged,and have a lot core crash.

Finally fixed. Thank again!  

Edited December 20, 2022 by Metin2 Dev
Core X - External 2 Internal

[martysama0134 6959]

2 hours ago, [007]DawisHU said:

Finally fixed.

How is that offline shop related to this? Does it use the FLUSH_CACHE packet?

[[007]DawisHU 262]

10 minutes ago, martysama0134 said:

How is that offline shop related to this? Does it use the FLUSH_CACHE packet?

yes It is using.
If u see little closer, some code are bugged, and useless... 

Link:

Spoiler

This is the hidden content, please

• Sign In
• or
• Sign Up

 

Excuse me, for bad eng..

Edited December 20, 2022 by Metin2 Dev
Core X - External 2 Internal

[Trial 231]

1 hour ago, [007]DawisHU said:

yes It is using.
If u see little closer, some code are bugged, and useless... 

Link:

  Reveal hidden contents

This is the hidden content, please

• Sign In
• or
• Sign Up

 

Excuse me, for bad eng..

What the.. 

Anyway, glad it helped!

[Trial 231]

Since I can't edit the original post (?) here are some explanations for those who are interested in the details:
 

Spoiler

Sending "HEADER_GD_FLUSH_CACHE" packet to db flushes db cache for the player. This updates database "player.item" table with current item cache (from db process) at the time of changing name.

You may have already guessed it, if for example you give items in exchange to other players and then change your name then teleport to any map that is on different game core you will still have these items!

Why? The cache! You just flushed cache in db process but did not let the db know about the change of owner for exchanged items before doing so and your next login will load these items from database for you. You need to warp to other game core for this to work because same ID items cannot be loaded twice, there is a check in "ITEM_MANAGER::CreateItem"

(Obviously only works for items loaded from database into db process cache then sent to game in "HEADER_DG_ITEM_LOAD" packet as this cache is needed to update database when changing name)

DB Cache should never be flushed manually, better let the normal cache handling process do it's work.

Edited December 23, 2022 by Trial

[Ulas 167]

On 12/20/2022 at 4:00 PM, Trial said:

Hello,

So I have shared this fix with someone a few days ago and saw this morning that martysama has published it on it's blog.
I let you know before kids with "private" access to this start playing with it. (I do not have acces to martysama's blog member posts and do not know who does)

The "pc_change_name" function has an exploitable item duplication bug.

The fix is simple, in "pc_change_name" replace this code:

db_clientdesc->DBPacketHeader(HEADER_GD_FLUSH_CACHE, 0, sizeof(DWORD));
db_clientdesc->Packet(&pid, sizeof(DWORD));

with this:

if (!CHARACTER_MANAGER::instance().FlushDelayedSave(ch))
{
    ch->SaveReal();
}

 

I will edit this post to add details on how and why later on to avoid kids playing with it before it's patched on majority of servers.

 

Regards,

Can you add proof please. I want show problem.

[WeedHex 626]

21 minutes ago, Ulas said:

Can you add proof please. I want show problem.

Are you one of the kids who @Trialwas talking about?

[Ulas 167]

1 hour ago, WeedHex said:

Are you one of the kids who @Trialwas talking about?

No

[Intel 732]

2 hours ago, Ulas said:

No

(sorry)

Edited December 25, 2022 by Metin2 Dev
Core X - External 2 Internal

[Flourine 102]

In Poland we had nickname change bug abusers since 2016 or smth like that. Personally i fixed in something like end of 2k17

Fix is done well, ty for sharing 

 

Edited December 27, 2022 by Flourine

[bossy_max 1]

same problem exists in owsap pin 

[Jira 444]

Thanks, I'm so curious if can be exploitable with net.SendChangeNamePacket