[Release] Remote hack patch (while changing channels)

[Linkerzz]

This works on MapleSolaxia source for me, if you use a different source I can't say it will work with 100% certainty.

Put this in MapleClient somewhere.

PHP Code:

    private boolean preventDoubleLogin() {
        boolean prev = false;
        try {
            try (PreparedStatement ps = DatabaseConnection.getConnection().prepareStatement("SELECT FROM iplog (accountid, ip) VALUES (?, ?)")) {
                try (ResultSet rs = ps.executeQuery()) {
                    rs.next();
                    if (rs.getString(2) == null ? session.getRemoteAddress().toString() == null : rs.getString(2).equals(session.getRemoteAddress().toString())) {
                        prev = true;
                    }
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
        return prev;
    } 


Then, still within MapleClient, Ctrl+F:

Code:

public void changeChannel(int channel) {

Below:

Code:

if (player.isBanned()) {
			disconnect(false, false);
			return;
		}

Add:

PHP Code:

                //aditionally MaplePacketCreator\changeChannel could use a check, but what do I know anyway?
                if (!player.isLoggedin() || preventDoubleLogin()) {
                    disconnect(false, false);
                    System.out.println("Player: " + player + ", isLoggedin(): " + player.isLoggedin() + ", preventDoubleLogin(): " + preventDoubleLogin());
                    return;
                } 


Thank you to everyone who replied to my help thread here:
https://forum.ragezone.com/f566/patc...-hack-1072340/

Oh, and most importantly, thank fraysa for his sessionId release.
Without it, this release would be worthless.
https://forum.ragezone.com/f427/secu...odinms-975812/

[MentaL]

[Fraysa]

If you're using v.83, it'd be better to use the client check in addition to this check (or just the client check). My release won't work because you need to cache the session id when the client first logs in and then obtain it again using the character id.

Good job, nonetheless.

[Supra]

Don't work for v83 TiredStory Source ): (well I just can't ctrl+f what you told me to) :/

[Linkerzz]

Don't work for v83 TiredStory Source ): (well I just can't ctrl+f what you told me to) :/

PM me, I can help you look. :)

- - - Updated - - -

If you're using v.83, it'd be better to use the client check in addition to this check (or just the client check). My release won't work because you need to cache the session id when the client first logs in and then obtain it again using the character id.

Good job, nonetheless.

Oh! I had thought the sessionid was in the "ip" row of "iplogs"? Example: "/127.0.0.1:49555".
I'm matching this row obtained from logging in with the current value while changing channels, otherwise d/c.

[kevintjuh93]

If you're using v.83, it'd be better to use the client check in addition to this check (or just the client check). My release won't work because you need to cache the session id when the client first logs in and then obtain it again using the character id.

Good job, nonetheless.

That check wasn't released in v.83. If I am not mistaken v.88 has it, so I think it was present since v.87 or so.

[Linkerzz]

Regarding my first post, I have done a bit of research and came up with a better (non-rushed) solution. I think.

Inside "MapleClient.java" add:

PHP Code:

private String[] ip; 


Then add this wherever you want within MapleClient:

PHP Code:

    public final void updateIp(String[] socket) {
        this.ip = socket;
    }
    
    public final boolean compareToSocket(String[] socket) {
        if (socket == this.ip){
            return true;
        }
        return false;
    } 


now in "RegisterPicHandler.java"
under

PHP Code:

final String[] socket = Server.getInstance().getIP(c.getWorld(), c.getChannel()).split(":"); 


add

PHP Code:

c.updateIp(socket); 


then maybe use the compareToSocket method somewhere

[Eric]

@Linkerzz You do realize the socket ip is your local socket, right? Meaning, it's the IP and port of the current World/Channel you're logging onto, not the user's IP. If they're on the same channel/world, and just re-send the packet back, it would be the same socket and the check would fail, no?

[Linkerzz]

@Linkerzz You do realize the socket ip is your local socket, right? Meaning, it's the IP and port of the current World/Channel you're logging onto, not the user's IP. If they're on the same channel/world, and just re-send the packet back, it would be the same socket and the check would fail, no?

I did not know this, haha.. Wait, wouldnt it just be this instead?

PHP Code:

client.getSession().getRemoteAddress().toString().split(":"); 


[xStr0nGx]

I did not know this, haha.. Wait, wouldnt it just be this instead?

PHP Code:

client.getSession().getRemoteAddress().toString().split(":"); 


Seems like it can be that, no clue I quitted long ago.

But I'd suggest you to check out how your server logs the clients ips to the database..