MMOwned - World of Warcraft Exploits, Hacks, Bots and Guides

Dupe methode (but u need to find it out how it works :P)
(#1) Noash - 11-08-2006

Hi guys,
I got some real stuff.. :P :P (don't blame me if this is really bullsh!t)
I found somewhere a very nice story about duping. I don't know a sh!t about it, that's why I'm putting it here :P.. I read it and I thought that it really could work, AND DON'T PUT THIS ON OTHER FORUMS, KEEP THIS FOR US!
(when blizzspys know this they could easily nerf it)
I hope someone could figure this out and share it with all of us (or only with me :P:P:P)

Here's the story (it's NOT mine):

TO DUPE: First you'll need to decode the network stream, as it's encrypted (actually it's just hashed, encryption would probably be too demanding). The Macroquest2 devs (old EverQuest hackers) have done this for you. Next, you'll need a packet injector (I use nemesis). Take a dump of the packets, decode them, and take a look at them... You may notice many things to hack, but we're looking to dupe, right!?

One key flag in the packet is this one: IsPlayer...x where x is going to be a 1 or a 0. This flag is just after the packet header, and can be seen in plain text once the packet is decrypted. All packets originating from a player have the IsPlayer flag set to 1. Packets sent to you from the server while interacting with an NPC (like a vendor or quest giver) will have the IsPlayer flag set to 0.

Here's what I noticed with my debugger. Any time there is a change in your character (gains money, gains a level, trades), your character is automatically saved. However, I noticed that I can dump the packets (I dump the packets with Libpcap, C's packet capture library, because I'm a Linux guy. For Windows use WinPcap), alter any packets originating from my character so that the IsPlayer flag is set to 0, and then resend the packet using libpcap's sendpacket function. The dumping of packets, altering, and resending is done by a C program (pretty simple pcap program, dumps the packets, uses MQ2's decryption to decrypt the WoW packets, then alters the IsPlayer from 1 to 0, then resends the newly crafted packet) which I run on a second computer which acts as a firewall to my WoW computer. I run it on a second machine because it's less likely to be detected by WoW's spyware (WoW's spyware checks window titles and open processes. My thought was it can't be detected as easily if I hack the network stream with a second computer.). I'm trying to be detailed, so sorry for going over some stuff twice. Hope you have followed along so far.

What I have done by changing the IsPlayer flag to 0 is trick the WoW server into thinking that my character is an NPC. Why do this, you may ask? Well, one reason really. I found with my debugger that after changing this flag, the server does not save after every major change, but saves every 10 minutes. This must be how WoW checks for pathing errors and what have you. Every 10 minutes the NPCs on the server are saved (at least from what I gathered with my debugger and disassembler). The server probably saves NPCs every 10 minutes to save processing power or something. Anyway, who cares why NPCs are only saved every 10 minutes, the fact is, if you change the IsPlayer flag to 0 in all the packets originating from your character, the server will only save your character every 10 minutes.

What does this mean? Check this out. Wait till the server saves (if you don't have a debugger, or don't know how to use one, just guess. You can't mess up really). Now you should have approx. 10 minutes before the next save. Take some items or money you want to dupe, trade them to another character. Complete the trade. Now log the bugged character out (the bugged character is the one with the IsPlayer flag set to 0). Log him back in. Still have the items and gold, don't you? DUPED!!!

This is because we've bugged the character to only be saved every 10 minutes, so when you log off and back on, the server reverts to the last save. If you log off and back on and you don't have the items, it's because the server saved since the trade, which means you have approx. 10 minutes until the next save!

PROs and CONs: This could be detected if WoW's Intrusion Detection System was set up to look at that IsPlayer flag. However, I used this exploit on November 2nd, 2006 and have been using it for over a year now (since a little after MQ2 decrypted the network stream, so a good amount of time anyway), and have not been banned. So I think it's safe to try. No, I won't give you my C code, I think I gave a good enough description of how it works anyway. Dump the packets, decrypt the packets, alter the IsPlayer flag from 1 to 0, resend the packet. Cake with the packet capture library, PCAP. I'd imagine after my dumb ass posts this, it won't work for much longer.


C'mon guys, figure this out and try it :P And share with us :P

(#2) Glikko92 - 11-08-2006

I believe in a FREE Narnia, I mean World of Warcraft, and anything is possible under your WoW folders if you're smart


(#3) Relz - 11-08-2006

Seems (somewhat) logical, although if you try this on a real server I guarantee it won't work, and editing packets is basically screaming "BAN ME IM HACKING". I think this only works for private servers, although I didn't read the whole thing.


Mother Nature cowers before me, clutching at her creations, bowing down and realizing I am the new God in town

(#4) soulzek - 11-08-2006

Sending packets disguising yourself as an NPC may indeed have undefined results (most likely nothing or simply kicking you). However, this has nothing to do with the server saving all NPC objects every 10 minutes. No matter what packets you send, you are always stored as a player on the server and will follow the player's save sequence.

You can type out unnecessarily long paragraphs and cover it up with what one would think are "fancy" words such as C program, networks stream, bla bla bla, but as someone who actually programs I can safely skip over all the useless bull**** and see what exploit you are in fact trying to communicate to us.

So, whatever. This thread really has no potential.

(#5) afiwarlord - 11-09-2006

I'm pretty sure the server doesn't save your character every 10 mins.

You log in, kill something and log out (within 15 seconds), you still keep the XP. I think it's automatic,

otherwise the stuff we do in 10 mins could be deleted. (Getting loot, leveling up, doing trades)


52nd to ever join MMOwned.

(#6) Sypher - 11-10-2006

Quote:
Originally Posted by afiwarlord
> I'm pretty sure the server doesn't save your character every 10 mins.
>
> You log in, kill something and log out (within 15 seconds), you still keep the XP. I think it's automatic,
>
> otherwise the stuff we do in 10 mins could be deleted. (Getting loot, leveling up, doing trades)

He said that you trick the server into thinking you are an NPC, which are saved every ten mins.

(#7) Tenshi - 11-11-2006

Server saves your character every 10 or 15 minutes, or when you log out, or when server shuts down normally. (Server crash = no save)

Also, I stopped reading your post when you said they hash network data instead of encrypt it...

You do realize you can't de-hash something right? I believe what you're looking for is encoding. Encoding is replacing one character with another.

Second...NPCS ARE NOT SAVED.

NPCs are hard coded into the wow server/data files. If an NPC moves from Point A to Point B and the server goes down, that NPC is still at Point A when the server comes back up.

Anyways, other than location, what else is there to save for an NPC? They don't gain XP, they don't gain gold, they don't gain items.

Third, NPCs do not connect to the server. They are a PART of the server. WoW Servers will NEVER mistake a connection for an NPC because NPCs are not connections.

You sir have NO idea what you're talking about, you are not a programmer, and you're either making this all up or copying it from someone else who is.

That's all I have to say.

Edit: Just read the part where you said someone else wrote it. My advice to you, don't listen to anything else that idiot has to say.
Reply With Quote
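
Replies #4 and #7 rest on the server keeping its own record of who is a player and what each character owns. A minimal sketch of that design follows as an added example; it is not from any poster and is not Blizzard's server code. Session, handle_packet, commit_trade and the items table are hypothetical names, and the data is constructed.

```python
import sqlite3

# Added example; Session, handle_packet and commit_trade are hypothetical names.
class Session:
    """Server-side record created at login; the only source of sender identity."""
    def __init__(self, character):
        self.character = character
        self.anomalies = []

def handle_packet(session, packet):
    """Accept or drop a decoded client packet (a dict in this sketch)."""
    # Anything arriving on a client connection is a player by definition, so a
    # packet that claims otherwise is logged for review and dropped.
    if packet.get("is_player", 1) != 1:
        session.anomalies.append(("entity_type_mismatch", packet.get("opcode")))
        return "dropped"
    return "accepted"

def commit_trade(db, giver, receiver, item):
    """Move one item in a single transaction, so a relog reloads the
    post-trade state for both characters."""
    with db:  # commit on success, rollback on exception
        cur = db.execute(
            "UPDATE items SET owner = ? WHERE name = ? AND owner = ?",
            (receiver, item, giver))
        if cur.rowcount != 1:
            raise ValueError("giver does not own the item")

def inventory(db, character):
    """What the server loads at login: persisted rows only."""
    rows = db.execute("SELECT name FROM items WHERE owner = ? ORDER BY name",
                      (character,))
    return [r[0] for r in rows]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO items VALUES ('sword', 'alice')")  # constructed data
    db.commit()
    s = Session("alice")
    verdict = handle_packet(s, {"opcode": "TRADE", "is_player": 0})
    commit_trade(db, "alice", "bob", "sword")
    # Simulated relog: both inventories are read back from storage.
    return verdict, s.anomalies, inventory(db, "alice"), inventory(db, "bob")

if __name__ == "__main__":
    print(demo())
```

Because ownership changes in one committed transaction, there is no window in which one character's save can be older than the other's, whatever save interval applies to anything else.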

(#8) Laust - 11-13-2006

Hmm, can't seem to figure it out :'(

(#9) Tenshi - 11-14-2006

Quote:
Originally Posted by Laust
> Hmm, can't seem to figure it out :'(

You might want to read my post then.

(#10) Marlo - 11-14-2006

IMHO posting this on a PUBLIC forum is pretty stupid. I have no doubt Blizzard frequent MMOwned to look out for this sort of thing, and you may have just given them a heads up on this. If there's a mini patch within the next month, we know why.

