Game hacking

How come all resources regarding game hacking/cheating are some weird skid sites?
Why is no one "mature" interested in this topic?

Have a video of two spergs sperging
youtube.com/watch?v=hABj_mrP-no

The only people autistic enough to hack games are true autists. Real people do real productive work.

Yes! Do some Enterprise™ Java™ instead!

lol the comment section of that video is full of asspain

People like those in the comments are the reason vidya cheating is extremely rewarding even if you're doing it for free.

What security precautions would you take before attempting to do something like this?
What are some good games to practice on?

dont be in a jewed country
games where the source code is available

Pick two at absolute maximum.

...

...

I was active in metin2 couple of years ago. I learned coding on it. The server side files leaked one day and people were making private servers (including me). At some point I threw the server executable in ida (it had symbols thankfully) and slowly started adding shit and fixing bugs. It was very fun to discover some exploit that would crash the server or let you create items etc. And then sell the fix to all private server owners. Happened quite often. I also made cheats that didn't work on my own server which made lots of people butt mad. These were fun times, sometimes I wish I could go back, especially with the knowledge I have now. I'll give one example of a bug that people knew since the beginning of the game (2007 or so) but I discovered why it works only in about 2012.

All items have 3 "sockets", these are just 32 bit variables. Depending on the item these sockets mean different things. Items that have time limited use (after time runs out they disappear) store the time in socket 0. On the other hand, weapons and armour use the sockets for "soul stones". These stones add some attributes (soul stone of strength: +5 to strength etc.) Not all items can have 3 stones at the same time, so the way they do it is...
If socket is
0 - not available
1 - empty
Anything else - taken (Id of the stone)

Now it should be obvious how the bug works.

You put the stone into an item by drag n dropping it onto the item. Then you have a window asking if you want to do it, press yes and the stone is in. What you do is, drag n drop the stone onto a weapon, then move that weapon to a different slot and move your timed item on the slot where the weapon was. Accept the stone insertion and you get an item with 200k minutes or so. This works only if the timed item has 1 minute left.

...

What were you expecting? If you're "gayming" after 18 you're not mature at all, just a manchild living in an infantilized way.
Fucking millennials.

my fucking sides

that bug wouldn't have existed if they would have used rust

That's not true.

The bug exist because the server doesn't check if an item can accept soul stone on the server side, only client does and you can trick it. Even if client would be smarter you can edit it

it is. doc.rust-lang.org/stable/book/second-edition/ch04-02-references-and-borrowing.html#the-rules-of-references


if the client was programmed in rust, this wouldn't work

Who told you that? I certainly don't.
Stop projecting, you missed it =)

Okay XD

I'm taking this bait because I'm bored.
The data structure for items has 3 32-bit values for different purposes. Limited items use the first integer for tracking their time limit and regular weapons used it for storing the enhancing item bound to the weapon. I am guessing it went something like this: the confirmation sent a full "request" to the server, during which you can still interact with your inventory. Let x be the item's slot in inventory, and y the enhancer's item ID.
The request (example format): {"action": "bind_item", "item_id": y, "target": x}
This request is prepared before the confirmation dialog shows.
Now, say you moved the item in slot x to somewhere else and moved a limited item to slot x, then confirm the item bind. The game then finds item at slot x (which is now the limited item) and assigns the value of y to the first 32-bit integer value, which makes the remaining duration of the item really high. I don't know about the 1-minute remaining thing though.
This cannot be fixed with Rust, because the code actually works and there is no undefined behavior whatsoever here. The solution is to;
1) Check for the item's type during the request,
2) Disallow users from modifying the inventory during the confirmation,
3) Use the item's instance ID instead
1 or 3 should be done in addition to 2 because client-side protections are easily bypassed. This could also be solved with distinct types (Nim has this), where static checks are done to make sure a distinct type cannot be assigned to its parent type.

nigger did you even read the link?
doc.rust-lang.org/stable/book/second-edition/ch04-02-references-and-borrowing.html#the-rules-of-references

rust isn't just memory safety and no ub

btw rust also has distinct types
github.com/rust-unofficial/patterns/blob/master/patterns/newtype.md

btw rust is also cucked
github.com/rust-lang/rust-www/issues/268

yes we all know that. it isn't relevant to the discussion though

That's exactly how it works and the fix was easy. Check the flag of target item if it can accept soul stones. Previously only client did that. The item has to have 1 minute remaining because 1 in socket means the socket is empty. If it's 0 then you can't use it (all items have 3 32bit socket variables, but not all items can have 3 stones at the same time)
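The two posts above (the guessed mechanism and the confirmation of the fix) describe the same server-side defect, so here is one added C++ model of it; this is example code written for this page, not code from the game or from either poster. The record layout, the `accepts_stones` flag, the per-item `instance_id` and the handler names are assumptions; the three-socket encoding (0 = no socket, 1 = empty, otherwise stone ID; timed items keep minutes in socket 0) is as the thread states.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed model of the item record described above: three 32-bit sockets.
// For a weapon, socket value 0 = no socket, 1 = empty, anything else = ID of
// the stone in it. A timed item keeps its remaining minutes in socket 0.
// All names here are assumptions, not the game's own.
struct Item {
    uint32_t instance_id;             // unique per item instance (assumed to exist)
    bool     accepts_stones;          // the per-item flag the fix checks server side
    std::array<uint32_t, 3> sockets;
};

struct Inventory {
    std::vector<Item> slots;          // index == inventory slot
};

// What the client prepares before the "are you sure?" dialog: the stone and
// where it is going. Slot addressing is the original; instance ID is the fix.
struct BindRequest {
    uint32_t    stone_id;
    std::size_t target_slot;
    uint32_t    target_instance_id;
};

enum class BindResult { Ok, NoSuchSlot, TargetMoved, TargetRejectsStones, NoEmptySocket };

static int first_empty_socket(const Item& it) {
    for (int i = 0; i < 3; ++i)
        if (it.sockets[i] == 1) return i;
    return -1;
}

// As described in the thread: the server trusts the slot from the request and
// the client's earlier "can this take a stone?" check. A timed item with one
// minute left has socket 0 == 1, which looks exactly like an empty socket.
BindResult handle_bind_vulnerable(Inventory& inv, const BindRequest& req) {
    if (req.target_slot >= inv.slots.size()) return BindResult::NoSuchSlot;
    Item& target = inv.slots[req.target_slot];
    int s = first_empty_socket(target);
    if (s < 0) return BindResult::NoEmptySocket;
    target.sockets[s] = req.stone_id;    // writes the stone ID into "minutes left"
    return BindResult::Ok;
}

// The fix: make sure the item in the slot is still the one the request was
// built for, check the item's own flag on the server, and only then socket it.
BindResult handle_bind_fixed(Inventory& inv, const BindRequest& req) {
    if (req.target_slot >= inv.slots.size()) return BindResult::NoSuchSlot;
    Item& target = inv.slots[req.target_slot];
    if (target.instance_id != req.target_instance_id) return BindResult::TargetMoved;
    if (!target.accepts_stones) return BindResult::TargetRejectsStones;
    int s = first_empty_socket(target);
    if (s < 0) return BindResult::NoEmptySocket;
    target.sockets[s] = req.stone_id;
    return BindResult::Ok;
}

struct Outcome {
    BindResult result;
    uint32_t   timed_item_minutes;    // socket 0 of the timed item afterwards
};

// Replays the swap on a constructed two-slot inventory with either handler.
Outcome replay_swap(bool use_fix) {
    Inventory inv;
    inv.slots.push_back({1001, true,  {{1, 0, 0}}});   // slot 0: weapon, one empty socket
    inv.slots.push_back({2002, false, {{1, 0, 0}}});   // slot 1: timed item, 1 minute left
    BindRequest req{200000, 0, 1001};                  // prepared while the weapon sat in slot 0
    std::swap(inv.slots[0], inv.slots[1]);             // player swaps the items, then confirms
    BindResult r = use_fix ? handle_bind_fixed(inv, req) : handle_bind_vulnerable(inv, req);
    return {r, inv.slots[0].sockets[0]};
}
```

The instance-ID check alone already stops the swap; the `accepts_stones` check is the one the poster says was actually added, and it also covers the case where no swap happened but the client was edited to target the wrong item kind directly.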

I'll give you couple more examples of server side bugs from this game. Keep in mind, that I was working on very old server side files (they got leaked once in 2007 or so), the official server had them long fixed, but people on private servers had to deal with them. I fixed them which was kinda big deal back then. If anybody was familiar with this game they could guess who I am just from these posts.

In this game there are "metin stones" and they are a type of enemy. They are kind of meteors, they fly from the sky, you look for them, because they have nice loot. They don't do anything, just stand and get damaged by you, but every 10% hp you take it summons a wave of enemies. There are 2 bugs involved with this "metin stone"

You use character1 to damage the stone, monsters spawn and you let them kill you. Then you lie on the ground (in this game you can respawn in the same place you died after 10 seconds or respawn into town. If you don't do anything for 3 or 5 minutes you will respawn in town automatically). Now use character2 to kill the metin stone, no monsters will attack you. Why ?

Metin stone spawns the enemies, look for nearest player and makes the monster attack it, but it doesn't check if the player is alive. The function that makes monsters attack checks it though and just returns if the target is dead, which makes the monster do nothing. Easy fix

Another bug was much harder to figure out, but when I got it it was like a great Eureka moment.

In this game you have an attribute "chance to slow down target", it will lower the movement speed and attack speed by 20 units. For some reason if you slow down the metin stone, it doesn't spawn any enemies, sometimes it spawns wrong enemies. There's even a metin stone that will spawn a BOSS that doesn't spawn anywhere else. Seems like an intended, but kinda broken feature, right ? I was looking through the metin code looking for any mention of slow down, nothing... And then it hit me. Metin stone doesn't move or attack, so the game uses the movement and attack speed as a range of monster groups. If the metin has 200 mov speed and 250 attack speed it can summon groups of monster of ID from 200 to 250. Guess what slow down does to these numbers... I knew that the metin stone uses these variables for these things, but I didn't make the connection for a long time.

Here's another funny bug. In this game you have 3 types of horses and each has its own type of food. Let's say you have a horse type3 but only food for type1 (which is not unlikely, as the food for higher types is rarer). You can just drag and drop your food on someone else's level 1 horse and it will feed your horse. Another easy fix, check if the target horse belongs to you.

This is not really a bug of the code, but the stupid "feature" that private servers added on their website enables this. This is how to crash someone's server (with no survivors)

In this game you have 3 different empires. You select which one you want when you create a character. What happens if you hack the client and create a character in 4th or any other empire ? Well, the character gets created, but there is no default position for a character from this empire, so it's 0,0... when you log in, you get kicked out. I moved my character to some map by changing the position in the database and the character works... at least in empire 4, 5 and 6. When you use character in empire 7 or more the server crashes... Nice, how to exploit this ? It's not like I have an access to someone's database and even if I did, I could do better stuff than just crashing a server.

Enter the "fix character" "feature"

Because a lot of private servers use custom maps that don't have any collision keeping you inside (the file format for the map collision was unknown for a long time) people could go out of bounds and then the server would kick you and you wouldn't be able to log in. That's why most of the servers had a feature where you could teleport your character to town using their website. So now I create a malicious character in empire 7, restore it to town, log in and the server is ded.

korean niggers should not be allowed to code

And now I will describe to you how I made a 1337 mining bot. In this game you have ores... ores of metal and other shit like that. They are just NPCs like all other, spawn in random places, have lifetime of about 10 minutes, then disappear. Your character needs to have pickaxe equipped, then you just click on it, the character starts to dig for 10-40 seconds (depends on your skill of mining and stuff) and then you either get lucky and get the piece of ore (falls down on the ground like an item from killed monster) or you don't get shit.

Now the funny thing is that you can mine the ore from any distance you want. You just have to send the click packet with the ID of the ore and it will work. What's even better is that the pieces of ore fall on the ground where YOU are, not the ore.

So here's how the bot works
It takes the ID of the monster nearest to you. Let's assume it's 30000
I subtract 1000 from it
I send OnClick packets with these IDs
I check for the player's animation, as this is the only indication that I actually got the right ID and clicked on the ore and not some non existing NPC/monster
I wait until the animation is over, pick up the stuff, click on it again until it disappears, increase the ID counter, repeat.

That shit made me a lot of money because the ore is kinda expensive and I could just leave this bot overnight and get full inventory in one night.

That metin game sounds like a pile of shit made by retards for retards.

While you're not wrong, I want to point out again that these are bugs from the old build of the game, maybe even the beta. None of this works on the official servers

And this is not a fault of the original devs, as the official server would not have maps that let you go out of bounds and they don't have a broken feature that just lets you warp your character to town.

One more example. I have hard time remembering all of this, it was so long ago, but there was lots of it.

One of the classes has a skill that will give you 10% of the damage you deal as HP. So let's say you deal 100 dmg, you will get 10 HP. Also, in this game you often fight with lots of monsters at the same time, 50-100... However, the game doesn't just take the amount of damage you output and use that number, because the target might have some resistance, so instead it checks how much health you took from it. If a monster is almost dead (f.e 10 HP) and you deal 100 DMG, it will see it as -100 DMG dealt, (current health -90 - health before hit 10 = -100) so you will actually lose health. Because of that this skill was useless in areas where you have lots of monsters at once, because you would get bombarded with -10hps and just die.

In this game you can build your own guild and have wars with other guilds. There are 3 types of war. You declare a war by typing the name of the guild you want to fight and the type of the war. If the leader of opposite guild is online he will get the request and he can accept it or ignore it. Under the hood the game just sends a command /war guild_name type (0,1,2)
Server checks if the type is larger than 2, and if so, it will default to 2, but it doesn't check if the value is less than 0. /war enemy -1 crashes the server.

In this game all items that you can wear have different levels from +0 to +9. In reality, they are different items all together, but when you upgrade your weapon or armor or whatever, it will delete the old item and create a new one with the higher level (and copy the unique attributes like soul stones). You have 90 slots in your inventory, then 18 for the stuff you actually wear. So slots from 0-89 are for all items, then 90 is the armor, 91 is the weapon, 92 is shoes etc. Of course you can't upgrade stuff that you wear, you have to take it off. But they fucked up checking if the item you want to upgrade is taken off. They accept items from 0 to 90 inclusively, so you can upgrade the armor you have on you. That will not delete the item but will create a new one in the same slot. Now you can take off your armor twice and you get 2 items, one upgraded and the old one.

1 hit killer cheat.. now this is really hilarious. For some reason you can control from the server how far away you push someone when you hit them. Set that value to 999999 and profit. Monster will go out of bounds and that kills them instantly, you won't get experience, as they are too far away from you, but their items still drop next to you. When you attack a player, he will get pushed out of bounds and he will be kicked from the server.

You can control it from the client I meant.

Now you can see why me fixing this shit (and adding new stuff) was such a big deal. None of this worked on the official server, but suddenly there's a private server that fixes all that and adds new stuff on top of that. I don't want to brag about it, because who cares about obscure korean MMO game from 2000s, but I just wanted to mention some of the funny stuff that happened around this game. Here's a little story I think I once told on this board before.

There was this private server that was about to launch next week. It was very common for the new servers to announce themselves 1-2 weeks before, showing all the new stuff they made and so on. In their presentation they claim to be THE FIRST IN THE WORLD SERVER WITH 4 EMPIRES. I made more than 3 empires (a little bit about that here

) so I took issue with this statement. I decided to release the solution to the public, I just made a tutorial on how to add more empires yourself. They got really mad, started spamming my instant messenger. You want war ? you'll have war, you this and that. We're kids, remember.

So I thought challenge accepted, looked at their list of "exclusive" features again and just started releasing them to the public. Before they started the server they had nothing "exclusive" and the server didn't attract as many people as they hoped for and so it died.

some stuff i made for this game that I recorded in 2012

who remembers the old dupe trick from the original PSO where you lure the shop NPC to the vendor NPC so you talk to them both at once, then exit out of the conversation with the shop dialogue still open and running to the bank and being able to dupe infinite amounts of anything. shit funded my charge vulcans.

mmos are fucking dying though. everyone plays mobile shit.

unfree mobile operating systems are making this an increasingly difficult hobby. Especially when some games require a google or apple ID (which now require real names and phone numbers).

Not that it's not been done. Hacking and emulators destroyed Pokemon Go because the devs were too innocent to expect location to be faked. I've seen a big crackdown lately and many games ban you on startup if they detect bluestacks or whatever emulator.

The golden age is gone.

Right. I've never been big into MMOs or even RPGs, always a FPS guy, but this metin2 somehow sucked me in. I played on the official server, then I got banned in 2010 and since then I only modded it, didn't play on any server. I know people who still play it though, it's fairly popular. I mean, 1000-2000 people playing a single game might not be a lot, but for a single private server that's a lot of people (and a lot of $$$ from the item shop) and there are a couple of servers that have 1-2k people online.

I didn't mention the funniest thing about this game. So all of these bugs I mentioned worked only on the very old build that got leaked first. The revision number was 404. Then in 2011 we got version 1765, 2019 and 2089. Not much difference between these 3, but they had most of the bugs fixed and some other stuff. It was almost like the official server (the files were leaked in 2011, but they were built earlier). Nobody knows where they came from, but there was a rumor that there's a backdoor installed that lets you become the GM (game master, admin with all commands). Not made by the company, but installed by the guys who published it on the forums. I started digging around and I've found it. Apparently at some point they wanted you to be able to sit down and stand up. There are functions in the server exe CHARACTER::SitUp and CHARACTER::StandUp. They don't do anything (my guess is that in the original source they just have return; at the start of the function) but there were enough spare bytes left to put a payload there, that when this function gets called you get the GM rights. And this function could still be called if you send the right packet. So I've found that, my friend wrote a .dll for the client to send arbitrary packets and it worked. We had a lot of fun with it.

Then in 2013 I think some guy from Germany made a server that was way ahead of everybody else. It was almost like a clone of the official server. It turned out that he was buddy buddy with the owners of the Singaporean official server and they shared the latest build with him. He was so cocky, that he had to show them on Team Viewer to some other guys from the forum. At some point he went afk, but left TV on so they just copied all the files. Best hacking job in 2013. So we got the newer files, Singaporean server didn't get any more updates.

In 2015 the source code was leaked. That's also when I decided to leave the "scene" because now with the source code everyone could just add shit easily. I had the server binary in IDA and wrote my own lib that would inject into that in asm/c. Only the source code was published, but the hackers got everything from their server, including the 3ds max projects of all the models, their emails (that's how we know Singaporean didn't get any updates, they were spamming their email asking for fixes) even photos from the wedding of the CEO. I saw a couple of these (I had one of these hackers on my skype) but officially I think only the source code was published and it wasn't done by them. One of the hackers got some malware and the files were leaked from him, so some other guy actually published the source code. They just had it for themselves.

There are a few academic books that explain how to do basic reverse engineering memory editing, detouring and all the other low level techniques used in game hacking.

As for your main point:

Video games are for children.
Children see value in gaining in game resources.
Children don't have the discipline to hack games.

Adults have the skills to hack games.
Adults don't find value in a child's games.
Adults find value in committing identity theft.

Do you see where I'm going with this?

i see that you are a larper

It's really easy today as almost everything interesting is implemented in a scripting language that can be decompiled. Unity is a great example as they generally don't even obfuscate it so you can decompile what is almost the original C# source and recompile rather than have to deal with anything low level. The only thing keeping the skiddies at bay is when Unity releases with a new version of Mono and decompilers haven't been updated yet as they don't have the skill to make the changes.
Hellgate was the last game I dealt with that required a lot of effort in the debugger, it was right on the edge of that transition to generic engines with scripting so most of it was still tangled up with the engine. Here's a pic from one of their test levels that was left in the game. I had also created a proxy that would make me invincible in multiplayer when connected through it (filtered out the message sent by the client that it had finished loading the level and adjusted sequence numbers). Like many games, they tried to prevent proxies via TLS, but (this is a very common mistake) trusted the cert store to validate their server's certificate so you could just register your own CA and make a cert for the proxy. But it was worse than that, as (also a common mistake) they were trusting /any/ valid cert, so I could just point it at my own webserver via the config file.
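The two certificate-validation mistakes named in the post above (trusting the OS cert store, and accepting any valid certificate regardless of host) can be shown side by side with the checks that close them. The C++ below is an added example written for this page, not code from Hellgate or from the poster; it models chain validation as "issuer is in a trust set" and does no real TLS. `Cert`, `TrustConfig`, the CA names and the fingerprints are all constructed.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Constructed stand-in for a server certificate. Signature and chain checks
// are modelled as "the issuer is in a trust set"; nothing here talks TLS.
// Names are assumptions.
struct Cert {
    std::string subject_host;   // host name the cert is issued for
    std::string issuer;         // CA that signed it
    std::string spki_hash;      // fingerprint of the public key
};

struct TrustConfig {
    std::vector<std::string> os_store;   // CAs the user's OS trusts, user-added ones included
    std::string game_ca;                 // the one CA the game expects its servers under
    std::string expected_host;           // the server the client is supposed to reach
    std::string pinned_spki;             // fingerprint of the real server key
};

static bool contains(const std::vector<std::string>& v, const std::string& s) {
    return std::find(v.begin(), v.end(), s) != v.end();
}

// The mistake the post describes: accept any certificate that chains to the
// OS store, regardless of which host it names or which key it carries.
bool accept_as_shipped(const Cert& c, const TrustConfig& t) {
    return contains(t.os_store, c.issuer);
}

enum class Reject { None, UntrustedIssuer, HostMismatch, PinMismatch };

// Hardened: trust only the CA the client ships with, require the expected host
// name, and pin the server key so even a cert mis-issued by that CA fails.
Reject check_hardened(const Cert& c, const TrustConfig& t) {
    if (c.issuer != t.game_ca)             return Reject::UntrustedIssuer;
    if (c.subject_host != t.expected_host) return Reject::HostMismatch;
    if (c.spki_hash != t.pinned_spki)      return Reject::PinMismatch;
    return Reject::None;
}

// Constructed scenario: a public CA everyone trusts, plus a CA the user added.
TrustConfig sample_config() {
    return {{"PublicRootCA", "UserAddedCA"}, "PublicRootCA", "game.example", "spki:real-server"};
}
Cert real_server()       { return {"game.example",    "PublicRootCA", "spki:real-server"}; }
Cert proxy_user_ca()     { return {"game.example",    "UserAddedCA",  "spki:proxy"}; }   // cert under a user-installed CA
Cert other_public_site() { return {"www.example.org", "PublicRootCA", "spki:other"}; }   // "any valid cert"
```

The order of the three hardened checks matters little for security, but returning a distinct reason makes the client's log useful: a run of `HostMismatch` rejections against the configured server host is a much clearer signal than a generic handshake failure.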

Ah i see, what do serious adults do instead?

Work and raise their kids.

You mean their wife's son?

You must have grown up with retards. My condolences.

What are you talking about? That logic doesn't follow anything.

hownew.ru

Then why are you posting on a forum for autistic children?

...

picking archer

I was a kid (15-18) when I did all of these and more

Nothing grand, but it is some form of game hacking I guess. I released the source code of my libraries (to show them on my resume, they are pretty much worthless nowadays) you can take a look if you so desire. Most of it is C++ mixed with assembly like this

// Hook body. The server reaches this through the asm stub below, at the point
// where the original code would set the level after a stat-point change.
// Returns the address the stub should resume at: one path skips the level-up
// when it would pass max_level, the other applies it and resumes normally.
#define SetLevelOnPointChange sub_081113
extern "C" int SetLevelOnPointChange(SCHAR* a1, BYTE a2)
{
    int level = a2 + a1->new_level;
    if (level > max_level) {
        return 0x08075488;   // resume address when the cap is reached
    }
    REAL_SetLevel(a1, level);
    return 0x08075DD1;       // resume address after a normal level set
}

// Trampoline patched over the original call site: rebuilds the two arguments
// from the hooked frame (a local at [ebp - 0x58] and edi), calls the C
// function above, then jumps to whichever address it returned in eax.
#define SetLevelOnPointChange_asm sub_081114
extern "C" void SetLevelOnPointChange_asm()
{
    asm(".intel_syntax noprefix\n"
        ".globl sub_081113\n"
        "add esp, 4\n"
        "mov eax, [ebp - 0x58]\n"
        "push eax\n"
        "push edi\n"
        "call sub_081113\n"
        "add esp, 8\n"
        "jmp eax\n"
    );
}
gitlab.com/pseregiet/mt2-custom-lib-1765
gitlab.com/pseregiet/mt2-custom-lib-2089M

Thanks for the anecdotes user. They were entertaining.

No problem. It's hard to remember all of it. I was more interested in adding new stuff. For example, in this game you can create your own private shop, but you can't play when you make it, because your character becomes the shop. Pretty much everyone had a second account with level 1 character just to sell shit on (it wasn't forbidden to have multi accounts like in some other games, in fact, it's common for people to play 4-5 characters at the same time). I made an "offline shop" where you can just go play or log out and the shop would stay, stuff like that. I have a whole youtube channel with all the new features documented, but it's all in Polish and for someone who didn't play the game it won't mean anything anyway.

If you try to summon your horse and you didn't feed him for a long time and it's dead, you will summon a horse corpse and for some reason that corpse doesn't despawn after you log out. So you can summon it again after you reconnect. It's actually pretty funny, but can crash the server if you do it for a long enough time

Every item you can wear (weapon, armor, shield, helmet etc.) can have 5 random attributes on top of the static ones. Only shield can have an attribute "immune to stuns". The devs however don't check your shield if you have that bonus when you get stunned, instead there's a flag on your character that determines if you're immune or not. It is set when you take on a shield with this attribute, but if you take on any item without that attribute the flag will be cleared, so you always have to take on the shield last, otherwise you won't be immune. I fixed that.

By default this game has max 99 level. People on private servers changed that to 127 (value for level is a signed char), then someone replaced all jump instructions involved with the level variable to interpret that value as unsigned, so now you can have 255 max level. I made it possible to have 64k (0xFFFF) levels. To do that I had to replace all instructions that deal with that value to use word instead of char, also changing the offset, because otherwise the other byte would overwrite something of course. Then I had to hack the "db" (a separate program that talks to the MySQL database) so it will accept packets with levels as 16 bit values. In total, I had to change the code in 146 places.

A bug is involved with more than 99 levels. Because the game by default was coded for only 99 levels, some tables also only have 99 elements. For example, there's a table of experience bonus you get on each level if you're in a party. Suddenly on level 135 or something the numbers go crazy and you can level up by 3-5 levels by killing one monster. Turns out that table has only 99 elements, then there are some zeros, so there's no bonus (the bonus is so insignificant nobody noticed anyway) and then there's some table of other shit with big numbers.
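Three of the bugs in this thread are the same class of defect, a client-supplied or cap-dependent index checked on one side only: the `/war guild -1` crash and the "0 to 90 inclusively" upgrade check from the earlier guild-war post, and the 99-element party bonus table above. The C++ below is an added example written for this page, not the game's code or the poster's. It lays out a small constructed block of "server data" so that the unchecked lookups read a neighbouring value instead of crashing, which is all a demonstration needs; that the `/war` crash comes from indexing a per-type table is an assumption (the post gives no cause), and every table value, size and name here is constructed.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>

// Constructed stand-ins for server data around three checks the posts mention.
// Real contents and addresses are unknown; what matters is that an unchecked
// index reads whatever happens to sit next to a table. Names are assumptions.
constexpr int         kWarTypeMax     = 2;            // /war takes type 0, 1 or 2
constexpr int         kMaxLevelOrig   = 99;           // the tables were sized for 99 levels
constexpr std::size_t kLevels         = kMaxLevelOrig;
constexpr int         kInventorySlots = 90;           // slots 0..89; 90 is the worn armor
constexpr int32_t     kNeighbour      = 0x7fffffff;   // "something else" stored just before the war table

// War table with one unrelated word in front of it (assumption: the crash on
// "/war x -1" comes from indexing a per-type table with -1).
static const int32_t kGuildData[] = {
    kNeighbour,
    30, 60, 120,                                      // minutes per war type (constructed)
};
static const int32_t* const kWarMinutes = kGuildData + 1;

// Party XP bonus per level: 99 real entries, then the zero padding and the
// "other table with big numbers" the post describes, all in one constructed region.
constexpr std::size_t kPadding      = 8;
constexpr std::size_t kRegionLength = kLevels + kPadding + 40;

constexpr std::array<int32_t, kRegionLength> make_bonus_region() {
    std::array<int32_t, kRegionLength> r{};
    for (std::size_t i = 0; i < kRegionLength; ++i) {
        if (i < kLevels)                 r[i] = static_cast<int32_t>(i + 1);  // small per-level bonus
        else if (i < kLevels + kPadding) r[i] = 0;                            // padding: no bonus, nobody notices
        else                             r[i] = 500000;                       // unrelated data with big numbers
    }
    return r;
}
static constexpr auto kBonusRegion = make_bonus_region();

// As the post describes it: values above 2 are clamped, nothing stops -1.
int32_t war_minutes_vulnerable(int type) {
    if (type > kWarTypeMax) type = kWarTypeMax;
    return kWarMinutes[type];                  // type == -1 reads the word before the table
}

// Fix: reject anything outside 0..2 instead of clamping one side only.
std::optional<int32_t> war_minutes_fixed(int type) {
    if (type < 0 || type > kWarTypeMax) return std::nullopt;
    return kWarMinutes[type];
}

// Party bonus as sized for 99 levels. Once the level cap is raised, the index
// walks into the padding (bonus silently 0) and then into unrelated data.
// Only defined here for 1 <= level <= kRegionLength, the constructed region.
int32_t party_bonus_vulnerable(int level) {
    return kBonusRegion[static_cast<std::size_t>(level - 1)];
}

// Fix: either extend the table to the new cap or clamp the index to what exists.
int32_t party_bonus_fixed(int level) {
    if (level < 1) return 0;
    if (level > kMaxLevelOrig) level = kMaxLevelOrig;
    return kBonusRegion[static_cast<std::size_t>(level - 1)];
}

// Upgrade target check: "0 to 90 inclusively" lets the worn armor (slot 90) through.
bool upgrade_slot_allowed_vulnerable(int slot) { return slot >= 0 && slot <= kInventorySlots; }
bool upgrade_slot_allowed_fixed(int slot)      { return slot >= 0 && slot <  kInventorySlots; }
```

The common thread is that a clamp on one side, an inclusive bound where a half-open one was meant, and a table sized for an old cap all pass a careless read of the code; the fixed versions reject the request or clamp the index so that nothing outside the table is ever dereferenced.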

How did people pirate vidya to CDs 10 years ago?

Are you asking how people broke the CD copy protection or what exactly ? I didn't have internet till 2008 or so, I had lots of pirated vidya on CD from friends and whoever had some stuff.

Yes

The first wave of CD copy protection was very simple, usually they just checked for a file on a CD and you could overwrite that check with a nop or something. Stuff like SecuROM actually uses a Windows driver (and Microsoft abandoned that driver for Windows 8 and 10, so these games won't work without a crack now haha) and is more robust. I don't know any details of how it's done.

That is the biggest shit ever.

10 years ago was 2007. Bit Torrent was around around for a while.

People also used IRC, direct connect, and i think normies were still even using limewire to download disc images.

Stallman has been saying that there are a class of treacherous technologies that are designed to be defective. Digital restrictions management is defective by design.

10 years ago I argued this exact point about DRM. it's a bunch of fragile OS/environment dependent bullshit. now that I think about it, it's possible to do non-trivial copy protection in a portable way, but no 9-5niggermonkey is going to do this.

here you go:
longpoke.github.io/750602224faffeaf812ff2512e164e7ccefc5c8532868b5b6529b8f9e38327f9.html

that's a good read.

How does this work?

Yeah, he should've said "pick one and only one".

...

Girls don't have penises to hack

girl (male)
girl is a role, not a gender or a sex

In portuguese words have genders and one of the words for penis is a female word.
Feminine penises are a very real thing.

That's funny. In my language words also have genders and penis is male.

It's called faggot, maggot

I bet it was your role in prison.

Gaymes are gay