Catching Dupe hack at your server.

Dupe hack is a bug exploit that involves forcing your character into retreat mode (or just before it) by buying items from the item mall very fast, or dropping them very fast or selling or anything, and then trading items to your alt and relogging however most people choose to use player shops since its easier.

This hack is a problem at ALL servers. nobody is secure, you can run all the clientside anti-hack you need but it wont work. Speeding up your server does however make it alot harder.


To catch them:
Grep the file world2.log in the logservice folder for "被暂时放逐"
you should then be given things like:
玩家653969被暂时放逐
this means player 652969 entered retreat mode.
Then you can grep world2.log with in this example "652969", do a search for the line you found before and see what they did between the time where they got the retreat mode message and the time when they disconnected:
用户断线了(1):653969
and
save_data:1发送保存用户653969数据请求 包含仓库信息 等级116 金钱106407629 sp531976102

I will make a pwAdmin plugin to perform all these functions at the touch of a button.


Alpha release:
http://forum.ragezone.com/f452/catch...6/#post5847008

may i ask what retreat mode is? xD i understand every thing else but that. iv never heard of this before but it doesnt sound very good.

its a state where u are kicked out of the game and unable to move but not disconnected.

anything that happens when u are in retreat gets rolled back.

rolled back for all player or only dupe player?

Only dupe player

Alpha release of the base script for this.


Run the .sql script into a database (by default i put the database for it as "pwlogs" becuase thats what i use, if you put it somewhere else then you will need to change the database name in the .sh script and in the .php file..)

Place the import_retreat.sh into your /root folder and check that the path inside it on the first line is correctly pointed towards the folder that houses all your log files (world2.formatlog, world2.log.. you get the idea) and open command and run it using ./import_retreat.sh

Then place the retreat.php script into your web server (usualy /var/www/) and open it for editing, on lines 11-14 you will clearly see the MYSQL IP, username, password and database name options clearly marked. Be sure these are configured correctly to your server!

If everything works it should look like this:
retreat.php
Please be aware that by default i have included all the userids in this table into the .sql file u ran so you can test it, you can ignor them or delete them from your database table.

Pro Tips:
edit the crontab scheduled commands to run the import_retreat.sh script every day or so, just be sure to reset your log files into some sort of archive, do not run the import_retreat.sh on the same log files twice! or you will end up with multiple accounts of the same results!

Once your script has picked up somebody entering retreat mode, you should use the grep command on the world2.log file (or world2.formatlog which is in english but has less info) for the persons userid and see exactly what they did, if you see mass spam of dropping items or buying from the item mall then you should be suspicious! In order for them to have duped successfully you should look for what i mentioned in my first post, in the case where the person is "653969" (and your using world2.log not world2.formatlog) you should look for: "玩家653969被暂时放逐" and then scroll down to the next line "用户断线了(1):653969". Every action they did between these 2 lines will have been rolled back and so if they traded with anybody or setup a player shop then those items will of been duped.

Some people however use auto-clickers simply to buy materials very fast and enter retreat mode without meaning to, so be sure to check for a trade.

Im currently writing a servlet to run this script a little better and get the character names of the offenders, having some issues with the script though:

I am currently receiving this error:

Code:

---

HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: Unable to load class for JSP
        org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:599)
        org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:137)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:314)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)


root cause

java.lang.ClassNotFoundException: org.apache.jsp.retreatcharnames_jsp
        java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        java.security.AccessController.doPrivileged(Native Method)
        java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:131)
        org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:63)
        org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:597)
        org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:137)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:314)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)


note The full stack trace of the root cause is available in the Apache Tomcat/5.5 logs.

---

Its not indicating an issue so it could be linked to anywhere from the actual way the sql db is shown to the connection, ive restarted the java service and the server a few times, all other java services are working fine and even the class this is depending on is running fine. Can I also advise ive emptied the cache etc as well before this gets thrown at me.

Code is:

Code:

---

<%@page contentType="text/html; charset=GBK"%>
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.text.*"%>
<%@page import="org.apache.commons.lang.StringEscapeUtils"%>
<%@page import="protocol.*"%>
<%@page import="com.goldhuman.auth.*"%>
<%@page import="com.goldhuman.util.*"%>
<%@page import="org.apache.commons.logging.Log"%>
<%@page import="org.apache.commons.logging.LogFactory"%>
<%@page import="java.sql.*"%>

<%
        String db_host = "localhost";
        String db_port = "3306";
        String db_user = "root";
        String db_password = "";
        String db_database = "pwlogs";
%>

<%
        //
        // Coded by [B]aSH from Vendetta Gaming Network.
        //

int count = 0;

try {
        Class.forName("com.mysql.jdbc.Driver").newInstance();
        Connection connection = DriverManager.getConnection("jdbc:mysql://" + db_host + ":" + db_port + "/" + db_database, db_user, db_password);
        Statement statement = connection.createStatement();
        ResultSet rst = statement.executeQuery("SELECT * FROM retreat");
        RoleBean role = null;
        String tempplayername = null;
        int index = 0;
        while (rst.next())
                {       
                        //Prepare Statement
                        PreparedStatement UpdateInfo = connection.prepareStatement("UPDATE retreat SET charname=? WHERE userid=?");
                        int roleid = rst.getInt("userid");
                        role = GameDB.get( roleid );
                        session.setAttribute( "gamedb_rolebean", role );
                        if (null == role){
                        }
                        else {
                                tempplayername = null;
                                tempplayername = StringEscapeUtils.escapeHtml(role.base.name.getString());
                       
                                index = 0;
                                index = tempplayername.indexOf("'");
                                StringBuffer playername = new StringBuffer(tempplayername);
                                if(index > 0){
                                        playername.replace(index, index + 1, "?");
                                }                                               
                        }
                        UpdateInfo.setString(1, tempplayername);
                        UpdateInfo.setInt(2, roleid);
                        UpdateInfo.executeUpdate();

                        count++;
                }
}
catch (Exception e)
{
        out.println("<font color=red>Error Occured But System Added <b>" + count + "</b> Characters to SQL DB.");
}       
%>

<%
if (count > 0) {
out.println("<font color=green><br>Completed! Successfully added: <b>" + count + "</b> Characters to SQL DB.<br><br>");
}
else
{
out.println("<br><font color=red>No Records available for update!");
}
%>

---

Take a look see if im missing anything, cheers.

we could make it into a pwAdmin plugin if we kicked the sql table.

Im sure u can grep the world2.log in jsp and export the variables to a file.

ugh pwAdmin >.<

I dont like using it lol. Ive been writing my own administration control panel recently and ive just made this to fit into what im currently writing. Ill look into writing a plugin for pwAdmin though since its a well used programme for most of you. Just lemme finish this script off first then ill write something unless Ronny beats me to it.

hmm i'm doubtful about this line now, i just found a dupe that did not show it, ill include the logs for you to see if u can pick anything out:

Code:

---

2010-08-15 08:55:30 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984663点(*9000 before this)
2010-08-15 08:55:30 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984662点
2010-08-15 08:55:30 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984661点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984660点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984659点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984658点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984657点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984656点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984655点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984654点
2010-08-15 08:55:31 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984653点
2010-08-15 08:55:32 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984652点
2010-08-15 08:55:32 devistation gamed: info : 用户780032在百宝阁购买1样物品，花费1点剩余49984651点
2010-08-15 08:56:35 devistation gamed: info : 127发送用户780032(2,40469)心跳消息
2010-08-15 08:56:40 devistation gamed: info : 用户780032开始摆摊
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个20355，单价1 (sold item to player thus duping it)
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个25345，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个25019，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个26007，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个26003，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个26000，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个26011，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个19163，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个20059，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个20059，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个20059，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032卖给用户780048 1个20059，单价1
2010-08-15 08:57:00 devistation gamed: info : 用户780032得到金钱12
2010-08-15 08:57:01 devistation gamed: info : 用户780032停止摆摊
2010-08-15 08:57:08 devistation gamed: info : 127发送用户780032(2,40469)心跳消息
2010-08-15 08:57:10 devistation gamed: info : 用户780032脱离队伍(780032,1281858138)
2010-08-15 08:57:33 devistation gamed: info : 用户780032执行登出逻辑1
2010-08-15 08:57:33 devistation gamed: info : save_data:127发送保存用户780032数据请求 包含仓库信息 等级90 金钱84431801 sp500034805

---

Theres always been 2 ways of basic duping: enter retreat mode or just get close to it. I know for a fact it works either way but you need to have your stall setup before you go into retreat. It apears when you dont enter retreat mode however, the line the script searches for is not printed into the logs.

they only can dupe treadable items right? :ehh:
can we increase check point interval to solved?

[storagewdb]
homedir = /dbf/dbhomewdb
datadir = dbdata
logdir = dblogs
backupdir = /dbf/backup
checkpoint_interval = 60

that wont solve anything.

Hi there, im checking these on my server... Are u sure about those lines? I sometimes get the "玩家653969被暂时放逐" but not the "用户断线了(1):653969"

Btw... someone can send me via PM the dupe procedure to test it in a sandbox?

nobody will share dupe procedure... i've tried and robb refused xD

he have say, its dupe using auto clicker, buying item mall very fast, and will got retreat mode, than dupe player will disconnected, and make rollback for player.
before trade some items to other players, than use this, items will be back after dupe.

i think so..

I can use AutoClicker as many as i want on npc or item mall, it's impossible to go in "retreat mode" ...

How can i know when i'm in retreat? Does the client "say" an error message in the chatbox? ><

Maybe i got a similar case but not sure if it's the same.

When i "abuse" of the za-zen mode after a while my character stuck in za zen mode and the only way to unstuck is to force disconnect...

But in za zen impossible to buy item mall and movements are blocked xDD

ive seen some ppl doing odd things lately with shops i would like to know exactly what to look for... i know u said that it involves buying or dropping really fast , but is there a way i can see this visually or can u explain more in detail on how u can do it so i know exactly what to look for

I never got success when I tried to dupe on mah server, so Idk how they do that :mellow:

Im sure they use tools also to help but I'm not sure of that cuz they never tell how they do their tricks.

One thing I'm sure, some of them use an autoclicker to do some actions very fast until they get corrupted packets and tada! Magicaly duped items with a lucky lag that came out from nowhere!

Otherway is, some areas of the main world make it crash if you go inside. But Idk where are those areas.

Quote:

---

Originally Posted by Romulan

I never got success when I tried to dupe on mah server, so Idk how they do that :mellow:

Im sure they use tools also to help but I'm not sure of that cuz they never tell how they do their tricks.

One thing I'm sure, some of them use an autoclicker to do some actions very fast until they get corrupted packets and tada! Magicaly duped items with a lucky lag that came out from nowhere!

Otherway is, some areas of the main world make it crash if you go inside. But Idk where are those areas.

---

try add pet food to gshop, and use autoclicker

Quote:

---

Originally Posted by rbb138

Dupe hack is a bug exploit that involves forcing your character into retreat mode (or just before it) by buying items from the item mall very fast, or dropping them very fast or selling or anything, and then trading items to your alt and relogging however most people choose to use player shops since its easier.

This hack is a problem at ALL servers. nobody is secure, you can run all the clientside anti-hack you need but it wont work. Speeding up your server does however make it alot harder.


To catch them:
Grep the file world2.log in the logservice folder for "被暂时放逐"
you should then be given things like:
玩家653969被暂时放逐
this means player 652969 entered retreat mode.
Then you can grep world2.log with in this example "652969", do a search for the line you found before and see what they did between the time where they got the retreat mode message and the time when they disconnected:
用户断线了(1):653969
and
save_data:1发送保存用户653969数据请求 包含仓库信息 等级116 金钱106407629 sp531976102

I will make a pwAdmin plugin to perform all these functions at the touch of a button.


Alpha release:
http://forum.ragezone.com/f452/catch...6/#post5847008

---

Pro.
Nice dupe fix..(Guess no more duping on your server) :D lol jk. I didn't even learn how till recently. BTW robb, to stop it even more..make sure none of the items in your gshop stack and stack. That will make it damn near impossible. :thumbup:

i don't know how to dupe hack, so i don't understand about all of this :?:

I will continue this as well for u robb I have been working with forbid classes on JSP figured a way to auto ban anyone with incorrect log adjustments etc I will release it once it is 100% finished.

-edited-

the best way to remove dupe is:
remove dropping of items.
put all item mall objects be full/half stack or decrease their max stack.

Otherwise its just work arounds that wont really garrentee full safety.

I thought i had block it before in 2009, im not taking any risks this time.

-edited-