Any info on how to turn hi-pots into Allagan pieces?
#3
Quote:Quote Originally Posted by SAUSER
So, uh, a couple pages back someone was asking how people were gaining levels in crafting immediately - if there was a bot that was doing it.


It turns out the answer is yes, and some Japanese players have figured out how. Details here:
???????FF14???????????????????? : ????????2chJacklog

Apparently by simply sifting through the Lua scripting that FF14 uses, people were able to figure out a JSON query that would retrieve your character's information from the character database. Further, any commands you send to the database are simply... not checked at all, and the database just takes the input commands and MODIFIES YOUR DATA DIRECTLY.

That means it was/is possible to simply tell the server "make me level 50 and give me six billion gil" and the server will... happily do it.

That is some high-quality programming, server input sanitisation and security right there. Good shit. In the year of our Lord 2013 you can simply send a JavaScript request to SE's servers and give yourself billions upon billions of gold.

Quote:You can literally convert any item to any item. I found a video of someone buying 99 potions from the store, then converting them to 99 Allagan gold pieces and selling them right back.

This is probably - and I'm not going to mince words here - the shittiest implementation of server ANYTHING in any modern online game.

I'm working on verifying it myself now. I'm familiar with JSON but not with Lua so it will probably take me at least a day or two to work through it.

If it checks out I'mma pitch it as a story to my editor because

vvvvvv no idea. I've attached a decompiler to the client and am working through it. I am also guessing the following is true:
- given that we haven't seen anybody successfully changing the character info of other players' characters (at least, I assume this to be the case) that should indicate that you may only have access to characters you own. I am unsure if that means verification (username/password, or a signal from the client) is sent along with the GET query. My guess is that the client itself may be using the exact same query to update your info when you perform a legitimate transaction, in which case it may be beneficial to analyse the network output from the client - but that would be a nightmare to dig through and would take some time.
- they may be logging server activity, but as above if the query being used to give yourself gil is the same as the query the client is using, that would mean that on their end there's no way to tell which is legit and which isn't. They would have to do a search for unreasonable queries (e.g. giving yourself six billion gil) but if you kept just, say, giving yourself a few gold pieces every now and then that would be nigh-undetectable without going through the millions of transactions by hand.
- if I want more detailed instructions on this I will have to get on the usual Usenet boards where the Chinese contingent of online game hackers hangs out. That will take a bit to get a workable reply, or to sift through all the info too.

Quote:Also, I managed to verify the database exploit I posted about earlier. While I didn't manage to change character info of accounts I didn't own, there is close to nothing you can't do to your own character - leveling every craft to 50, giving yourself more gold than the rest of the server combined, all these are valid database transactions. I won't go into the exact execution details of the exploit here except to say that if SE doesn't comprehensively rework the way it is accepting and storing data from the client, this game will be plagued by hacking and duping its entire lifecycle. Even if they shut the door on this particular exploit, there's every indication that if they didn't follow basic security practices here, they didn't follow them elsewhere either.

I've dashed off an email with the details to my contact at SE, so that they can fix it before the story runs, but I can already guess what they're going to reply with, assuming they acknowledge receipt at all: "No comment at this time."

Basically, unless u hack the actual database server, u won't be able to do it. And it will be fixed soon, and you'll probably be banned if u do it. It's not a server side hack, it's a SE side hack.
Reply
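The quoted posts describe a server that stores whatever character data the client sends. As an added illustration (not part of the thread and not SE's code), the sketch below contrasts that pattern with a handler that accepts only an intent and derives the result from server-side data; every name, price and request body in it is hypothetical.

```python
import json

SELL_PRICE = {"hi_potion": 30, "allagan_gold_piece": 2500}  # constructed server-side prices (gil)


def apply_untrusted_update(character, raw):
    """Pattern described in the post: client-supplied fields overwrite stored state."""
    updated = dict(character)
    updated.update(json.loads(raw))          # no field, range or ownership checks
    return updated


def apply_intent(character, session_owner, raw):
    """Hardened form: the client names an action; the server computes the outcome."""
    req = json.loads(raw)
    if not isinstance(req, dict) or set(req) != {"action", "item", "qty"}:
        raise ValueError("unexpected fields")        # rejects {"gil": ...}, {"level": ...}
    if character["owner"] != session_owner:
        raise PermissionError("character not owned by this session")
    action, item, qty = req["action"], req["item"], req["qty"]
    if action != "sell" or item not in SELL_PRICE:
        raise ValueError("unknown action or item")
    if type(qty) is not int or not 1 <= qty <= 99:
        raise ValueError("bad quantity")
    held = character["inventory"].get(item, 0)
    if held < qty:
        raise ValueError("item not in server-side inventory")
    inventory = dict(character["inventory"])
    inventory[item] = held - qty
    # Gil is derived from the server's own price table, never from the request.
    return {**character, "inventory": inventory,
            "gil": character["gil"] + SELL_PRICE[item] * qty}


def demo():
    char = {"owner": "acct-1", "level": 12, "gil": 500, "inventory": {"hi_potion": 99}}
    forged = '{"level": 50, "gil": 6000000000}'          # constructed request body
    results = {"untrusted": apply_untrusted_update(char, forged)}
    try:
        apply_intent(char, "acct-1", forged)
    except ValueError as exc:
        results["hardened_forged"] = str(exc)
    sale = '{"action": "sell", "item": "hi_potion", "qty": 99}'   # constructed
    results["hardened_sale"] = apply_intent(char, "acct-1", sale)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the hardened handler never reads a balance or level from the request, the logging problem raised in the post (legitimate and forged updates looking identical) does not arise: every stored change is one the server computed itself.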
 


Messages In This Thread
RE: Any info on how to turn hi-pots into Allagan pieces? - by kinosix - 10-14-2013, 04:21 AM
