
[WARNING] Custom OTC/OTCv8 Game Store hack

Gesior.pl (Mega Noob&LOL 2012, Senator) | Joined: Sep 18, 2007 | Messages: 3,385 | Solutions: 125 | Reaction score: 4,248 | Location: Poland | GitHub: gesior
It's not the official Game Store module used in any official OTC.

If your Game Store Lua code on the server starts like this (store.lua):
LUA:
function onExtendedOpcode(cid, opcode, buffer)
    if opcode == OpCode.store then
    local json_status, json_data =
    pcall(
      function()
        return json.decode(buffer)
      end
      )
    if not json_status then
      print("SHOP json error: " .. json_data)
      return false
    end
    local action = json_data["action"]
    local data = json_data["data"]

or your OTC game store module starts like this (store.lua):
LUA:
local storeWindow, interface, msgWindow, itemsPanel, historyPanel, confirmWindow, transferPoints = nil
local itemsInfo, historyInfo = nil
local code = 52
local donateURL = "https://xxx.com/donate"

(...)

function init()
  storeWindow = g_ui.displayUI('store')
  storeWindow:hide()
  interface = storeWindow:getChildById("storeInterFace")
  itemsPanel = storeWindow:getChildById("ItemsPanels")
  historyPanel = storeWindow:getChildById("historyTextListt")
  storeWindow.transferPoints.onClick = transfer

You are probably using a bugged Game Store that allows hackers to create any item, get any outfit and get premium points for free!

There is someone going from OTS to OTS and trying to abuse it to get billions of free premium points, crystal coins etc.

IDK if this code was published anywhere, probably not. For sure some people have been selling it for the last 3 years on Discord to 500+ OTSes. I know 2 servers that use that bugged code.
There is no easy fix for that bug (probably half of the server side of the store code needs a rewrite), but if you have that Game Store code, disable it immediately!
 
So this looks like some custom edit of my old store that got leaked a long time ago. By the looks of it, some variables have the same name (and even that json error string) but the rest is different (mine is not creating the UI in init, and I don't have all these vars either).
 
> So this looks like some custom edit of my old store that got leaked a long time ago.
The store script I got sends the list of offers from server to client; the client picks one offer and sends it back to the server with itemid, count, name, category and premium points. The server does not verify any data sent by the client; it just removes (or adds, for a negative value) premium points and adds the item/outfit (depending on category).
The hacker just replaces the client code to send 0 points or a negative value (to get free points) and sets any itemid he wants to get the item/outfit.

EDIT:
This code was used on 500+ OTSes for 3+ years!
 
> The store script I got sends the list of offers from server to client; the client picks one offer and sends it back to the server with itemid, count, name and premium points. The server does not verify any data sent by the client.
> The hacker just replaces the client code to send 0 points or a negative value (to get free points) and sets any itemid he wants to get the item/outfit.
Oh, then that's not mine for sure. Big yikes tho.
 
Using leaked, free, or cheap code almost always results in poor quality - this system seems to have relied entirely on the client side. I've fixed similar code before, though in a slightly different system that also used a table sent from the server to the client instead of keeping it server-side.
 
This store looks a lot like what you posted; would it have the loophole that you mentioned in the post?
No. It reads category and offer ID from the client, but then converts them to the server's points/itemid/outfitid:
In the last line it even checks whether points are higher than 0, so you can't sell 0-point items in the shop.
 
I don't know what all the fuss is about. The frontend code can be flawed; it can allow value swapping if it's poorly coded. The backend itself is for verifying what comes from the client and whether it matches the correct values (correct itemid, correct price). It's like with everything else: the client can be swapped so that instead of LMM it shoots HMM, but ultimately it's the server that checks whether the player has a given rune and whether they can use it (e.g. presence of a wall, profession/mlvl requirements).
 
Not in this case.
How do you know what's on the server side in the OTSs that use this module? If they are properly secured (verifying incoming data), how would you make someone buy something for free or send any itemID? After all, it's enough to have the same array of store offers defined on the server side and check whether the item-cost pair that comes from the client is in it.
 
> How do you know what's on the server side in the OTSs that use this module? If they are properly secured (verifying incoming data), how would you make someone buy something for free or send any itemID? After all, it's enough to have the same array of store offers defined on the server side and check whether the item-cost pair that comes from the client is in it.

One hundred percent agree with you!

Using open-sourced (and easily modded, for that matter) software is always double-sided... if people know how it works, they can surely manipulate data to their own desire.

For those who are smart enough, or are determined enough, OTC is a giant OT hacker deluxe starter kit

It is absolutely a necessity to validate things from the client, can't trust it, don't trust it, never trust it!

Just look at all those headless clients being created for OT's nowadays, I know at least three people who have made them and two have openly shown them off (jeidi and source).
 
Just send the id of the selected offer to the server; there it will look for the offer in the array by id from the key.
 
> Just send the id of the selected offer to the server; there it will look for the offer in the array by id from the key.
That's how every game store code works and should work. Except this one.
To fix this one without rewriting it, you have to loop over the offers and search for the offer with all parameters as in the client request. If you can't find it, it's spoofed in the client and the request to buy should be ignored (or the player reported/banned).

The warning has been here for over 24h and I've contacted 2 people who sold it on Discord to make them message their clients, so now I disclose how to check if your server is affected.
The code to check if your server has this game store is:
LUA:
function sendAction(code, action, data)
  local protocolGame = g_game.getProtocolGame()
  if data == nil then data = {} end
  if protocolGame then
    protocolGame:sendExtendedOpcode(code, json.encode({ action = action, data = data }))
  end
end

sendAction(52, "buy", {item = "my fake name", count = 100, itemid = 2160, catId = 1, price = -500})
Log in to the game on any character, open the OTC Terminal (CTRL+T) and paste it all at once; it will appear as 1 line in the Terminal, but that's fine.
Press Enter.
If your server has that game store, it will give you 100x 2160 (crystal coin), add 500 premium points and show a window with a message that the item was added.
If your server doesn't have this game store, it should do nothing and show nothing in OTC.
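As an added example (not code from this thread, nor from any of the stores discussed in it), here is a server-side handler in the shape of the `onExtendedOpcode` snippet from the first post that applies both fixes described above: the client is trusted only for an offer id, which is resolved against a server-side offer table, and for stores still speaking the leaked protocol there is the "every field must match an existing offer" fallback. Run against the check request from this post (`item = "my fake name"`, `price = -500`), neither lookup finds an offer, so nothing is granted. The names OPCODE_STORE, STORE_OFFERS, resolveOfferById, resolveOfferByFields, authorizePurchase, getPremiumPoints and grantOffer are my own, as is the `accounts.premium_points` column; the `Player`, `db`, `result` and `player:addItem` calls are the TFS 1.x Lua API.

```lua
-- Added example; assumed names: OPCODE_STORE, STORE_OFFERS, getPremiumPoints,
-- grantOffer, and the accounts.premium_points column. json.decode is the same
-- JSON library the thread's store.lua already uses.
OPCODE_STORE = 52

-- Authoritative offer list: lives only on the server. The client may get a
-- copy for display, but price, itemid and count are always read from here.
STORE_OFFERS = {
  [1] = { name = "100 crystal coins", itemid = 2160, count = 100, catId = 1, price = 500 },
  [2] = { name = "Demon helmet",      itemid = 2493, count = 1,   catId = 1, price = 1500 },
}

-- Preferred protocol: the client sends only { offerId = n }.
function resolveOfferById(offers, data)
  if type(data) ~= "table" then return nil, "data is not a table" end
  local id = data.offerId
  if type(id) ~= "number" or id ~= math.floor(id) then return nil, "bad offer id" end
  local offer = offers[id]
  if not offer then return nil, "unknown offer id" end
  return offer
end

-- Fallback for the leaked protocol, where the client echoes the whole offer
-- back (item, itemid, count, catId, price). Accept only if an offer with
-- exactly these fields exists; a changed price, itemid or count matches
-- nothing and is treated as spoofed.
function resolveOfferByFields(offers, data)
  if type(data) ~= "table" then return nil, "data is not a table" end
  for _, offer in pairs(offers) do
    if offer.name == data.item and offer.itemid == data.itemid
       and offer.count == data.count and offer.catId == data.catId
       and offer.price == data.price then
      return offer
    end
  end
  return nil, "no server-side offer matches the request (spoofed)"
end

-- Returns the server-side offer the player may buy, or nil and a reason.
-- `points` is the player's current premium point balance.
function authorizePurchase(offers, data, points)
  local offer, err = resolveOfferById(offers, data)
  if not offer then
    offer, err = resolveOfferByFields(offers, data)
  end
  if not offer then return nil, err end
  -- the charge uses the server's price, which must be a positive number
  if type(offer.price) ~= "number" or offer.price <= 0 then return nil, "invalid price" end
  if type(points) ~= "number" or points < offer.price then return nil, "not enough points" end
  return offer
end

-- Reads the balance from the database (column name is an assumption).
function getPremiumPoints(player)
  local resultId = db.storeQuery("SELECT `premium_points` FROM `accounts` WHERE `id` = " .. player:getAccountId())
  if not resultId then return 0 end
  local points = result.getNumber(resultId, "premium_points")
  result.free(resultId)
  return points
end

-- Charges the server-side price and delivers the server-side item. The WHERE
-- guard refuses to take the balance below zero if it changed since it was read.
function grantOffer(player, offer)
  db.query("UPDATE `accounts` SET `premium_points` = `premium_points` - " .. offer.price
    .. " WHERE `id` = " .. player:getAccountId() .. " AND `premium_points` >= " .. offer.price)
  player:addItem(offer.itemid, offer.count)
end

function onExtendedOpcode(cid, opcode, buffer)
  if opcode ~= OPCODE_STORE then return false end
  local player = Player(cid)
  if not player then return false end
  -- bound the payload before parsing; the client controls its size
  if type(buffer) ~= "string" or #buffer > 1024 then return false end
  local ok, msg = pcall(json.decode, buffer)
  if not ok or type(msg) ~= "table" or msg.action ~= "buy" then return false end

  local offer, err = authorizePurchase(STORE_OFFERS, msg.data, getPremiumPoints(player))
  if not offer then
    -- log rejected requests: repeated spoofed offers from one account are the
    -- signal the thread describes (someone going from OTS to OTS)
    print(string.format("STORE: rejected buy from %s: %s", player:getName(), err))
    return false
  end
  grantOffer(player, offer)
  return true
end
```

The only value the client can influence is which offer is chosen; everything that is charged or delivered comes from STORE_OFFERS, so a request with a negative price or a swapped itemid cannot match and is logged instead of fulfilled. A production version would also re-read the balance after the UPDATE and only add the item when the charge actually went through, so that a balance change between the read and the write cannot give a free item.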
 
I use something like this for safety; maybe it's enough, unless handling table sizes with pairs is more complex.
LUA:
local clientAction = jsonData.clientAction or nil
local clientData = jsonData.clientData or {}

-- the action must be a short string; "or" (not "and") so that a non-string
-- action is rejected instead of having its length taken
if type(clientAction) ~= "string" or #clientAction > 10 then return end
-- clientData must be a table before any field of it is read
if type(clientData) ~= "table" then return end
if type(clientData.offerID) ~= "number" then return end

local offerID = clientData.offerID
-- the offer itself is looked up on the server side; only the id came from the client
local offerName, serverData = findOnOfferList(offerID, nil)

offerName = offerName or "Unknown Offer"
serverData = serverData or {}
 