Thread: [WIP] The Master Exploitation Guide

#1 BooZee (A RSPS Aristocrat)
    Got off work today and saw The Master Model Guide.
    Figured why not, I'll make this thread.

    UPDATE 2/9/2021: I will probably never finish this thread, but maybe I will... though I highly doubt it.

    Objective: To create an all-in-one thread that is informative of exploitations and contains resolutions to said exploitations.
    Goal: To have you think like a programmer who is continuously cautious about how they code a solution.

    Part One: Exploit Information
    • General Practices
    • Packets, Packet Interpretation (TODO), & Deobfuscation


    General Tips:

    Interaction Bounds (Coordinates):
    Regardless of the interaction: with an object; player; or NPC, validate the player's location when the request is sent.
    For example, if I am not within a 4 tile radius of the Bank Booth, then I should not be able to bank.

    Here is an interesting thought, are you also checking the Z-Location? I have been on a server with a new instance (height), yet still able to interact with `non-existing object` from my point of view.
    For example, if I am not within a 4 tile radius (X, Y) AND the same height (Z) of the Bank Booth, then I should not be able to bank.

    Area Bounds (Coordinates):
    A simple way to prevent people from exploiting (normally minigame) mechanics is to include area checks. Always see if a player is really in the zone they should be. How you handle exceptions to an area is up to you. The most common mechanic is that it will make you `quit` the minigame (or mechanic). Often you see this quickly coded as a logout function. This is because almost all minigames on every source handle logging out during the minigame.

    Personally, I would write something else up; I would want to make a log (using SLF4J) of the incident for record-sake. If a server has good logs, they can detect when the issue happened and HOW it happened as well. This is good practice for a well-developed server IMO. (And also, I personally would like to punish the player within reason.)
    For example, if I am in a duel with someone (isDueling), my coordinates should be within the four corners of the dueling area. -> Force teleporting from the duel arena would lead to an automated loss.

    Teleporting/Stalls (Packets):
    While teleporting, additional packets should not be registered. This also applies to other stalls in a player's movement; for example, the interaction of jumping into the Inferno.

    Obfuscate (everything):
    This should be pretty obvious; obfuscate everything. It makes it more difficult to manipulate the client and keeps you safer.

    While on the topic of obfuscation, most bases include at least MD5 hashing for passwords. Prior to this, it was possible to force the owner simply by changing your password to a line of code. Please ensure that you are at least hashing your passwords; this also means that if your server is ever hacked, you have an extra layer of protection for your players.

    More About Pass Injection:

    How it worked:
    Early on, all player data was saved into a text file. These text files were read by Java by looking for key terms. So a player would inject a line of code that would trigger the Java to misinterpret the information fed. Once the Java scanner saw the line [CHARACTER], it believed whatever was next.
    "But I thought \n was a new line?" It is. But with text files it is interpreted differently.

    As you can see, that will not work with an encrypted/hash password.

    A Solution:
    https://www.rune-server.ee/runescape...ml#post4826113
    Personally not a fan of this since it is a bad fix rather than a patch. The way he says to implement it in the thread sounds like a good idea, but it is not. Why? Because if you are working with any other developer or spend time away from the project, you may forget about this filtering. And later on, if you were to add new content that is saved back into the character profile, you would be oblivious to the filtering feature.

    My answer:
    Rather than worry about this reoccurring in the future, get the hell out of the .txt era. Use something like JSON; I recommend JSON to all developers for RSPS since it is straightforward. It is easier to understand than doing SQL, which could end up having an SQLI if you are not smart about implementation. I still recommend that you HASH your passwords with something. One of the most secure hashing methods is bcrypt.

    Reference Source: [#180 Project51]
    Uses both hashing and password checking (password checking itself is a good idea): https://i.imgur.com/OjSWfPi.png


    Do not cheat
    Don't try to cheat against the cheaters. Find the root cause of the issue and patch it.
    I remember the original `Fix` to interface abuse was automatically closing the Jar if the "CheatEngine" process was running. We simply renamed the program (or got a different application) to do the same thing.


    Packets:
    Rune-Agent:
    https://github.com/silabsoft/RuneAgent

    `Ready to Go` RuneAgent
    https://mega.nz/file/ssZCTC6Z#HMKGob...wmuxU2GqrQcgJc
    The client.jar, ByteStream.class, and GameClient.class will have to be replaced.

    Wiki Page on Rune-Agent (they did a good job): rune-agent - RuneScape Private Server Wiki
    Known Packet Exploits: https://pastebin.com/7qrhH1Pf
    Known Packet Solutions: PI Optimizations (Stop packet abusing by Silabsoft's JavaAgent)

    For clients that are obfuscated, you are going to have to deobfuscate the client. And disclaimer, you may even have to REOBFUSCATE just to deobfuscate and replace elements of config. You will have to obfuscate the classes a second time if they have the exact same name (e.g. two "a.class") -- Windows cannot have two of the same file name (really dumb, but it is what it is).
    Default Client: https://mega.nz/file/Vhg0TSYK#84PU4Z...9166aTmd-Be3mk
    Source Credits: trees - Clean #317

    Disclaimer: I did not bother trying RA with this client (just an example of clean source).
    You mainly care about the Stream class: https://pastebin.com/BNCYcqsQ
    (ISAACRandomGen is included, but sometimes you are better off finding the ISAACRandomGen class)

    For the config, you may need to include
    Code:
    load('nashorn:mozilla_compat.js');
    This should work for you as a batch file.
    Code:
    java -Xbootclasspath/a:"RuneAgent.jar";"lib/bcel-5.2.jar";"lib/rsyntax.jar";"client.jar" -javaagent:"RuneAgent.jar"=config.js -jar client.jar
    https://www.rune-server.ee/runescape...ml#post4592672

    Alternatives to RuneAgent:
    There are plenty of other options aside from RuneAgent. Examples:
    - Wireshark https://www.wireshark.org/faq.html (Server -> Client packets; capture only)
    - Ostinato https://ostinato.org/
    - Scapy https://scapy.readthedocs.io/en/late...e.html#hexdump (Seems interesting - I read into it for this thread.)
    - Winsock Packet Editor (Oldschool stuff there, bud.)
    Instead of using RuneAgent or reflection to no-clip, we used Winsock Packet Editor since it was reusable. It was the easiest way of no clipping.

    BEST TUTORIAL: Learn how to deobfuscate: Make Jar reflections and set up RuneAgent too.

    (Tutorial was made for me specifically, fun fact.)


    [To be continued]

    Part Two: Exploitations In Action
    • Topic: Dupe Methods
    • Topic: Interfaces Exploitation (non-basics)
    • 0 Interface [Day]
    • The SoulPlay Smuggle [Bonus]
    • Topic: Mechanical Abuse (no third-party software)


      The SoulPlay Smuggle [Bonus]

      During my prime of bug abuse, I was extremely dedicated to finding exploits. This story is about finding a smuggle on a once popular server, SoulPlay. Now, prior to this finding there were many other smuggles of dungeoneering. Some of these include using the bank interface and the bank pin interface. However, this is by far the most extensive and complex smuggle I, and probably anyone, have done in the RuneScape Private Server Community.

      To begin the story, I will start off by stating that I was using Cheat Engine to find various interfaces on SoulPlay. After a few hours of trial and error with dozens of interfaces, I came across a single interface that went unchecked. Only one chat interface out of the entire server was able to be forced and interacted with. If I spoke to an NPC or had some form of dialogue occurring and the dialogue ended abruptly (e.g. walking away using the minimap), I could use that interface to continue the interaction. As to why it was only this one interface, I cannot say for certain the reason for this case. Knowing this information, I went around the entire server, speaking to every NPC that existed, in hopes that one of them would allow me to teleport. Unfortunately, none of the NPC dialogues with this given interface ID had an option to teleport.

      However, I was not one to give up on my mission to find a use-case (exploit) of this bug. Me, being autistic in this scenario, ran around the whole map, interacting with everything. With luck, I came across the Lumbridge gate to the desert, and it just so happened it was using the very interface that I was looking for! Using the dialogue, you would be teleported to the other side of the gate. Perfect for my purposes!

      My brain immediately thought "what if I use this 1 block force teleport to get outside duel arena or castle wars?" I took this theory and ran with it, quite literally (more on this soon). Alas, I quickly came to realize that a single block teleport would not get me out of duel arena. Knowing this information, I tried my luck from castle wars. Using the same strategy, I forced the single interface to teleport outside of the castle wars arena (thanks to Jagex for having the observation wall). With excitement, I ran to dungeoneering, entered the lobby, then into the dungeon. My high hopes came crashing down after the castle wars game ended. My character was not force teleported out. They seemed to have blocked teleports, including forced ones (meaning an admin would not even be able to do a ;;teletome command) while I am in the dungeon.

      Again, at this point, I was not going to accept defeat. My solution: adding duel arena into the mix. So again, we waited for castle wars to begin; used our 1 time use and 1 block force teleport to get outside of castle wars. From there, I ran all the way to the duel arena. On my second account, I offered a summoning scroll and tabs alongside it. Duel arena did not have the same check as dungeoneering. Meaning once the castle wars game ended, I was sent back to outside the minigame. Due to lack of area checks, I was now in a duel without being in the restricted area. I then ran back to the dungeoneering lobby and entered the dungeon. Knowing the previous information, I made my second account forfeit the duel, giving my main character the tools of destruction. I was able to spawn the familiar within the dungeoneering area and was also able to store items. Finally, after hours and hours of hunting and trying everything, I was able to smuggle items out.

      Funny story, the first time I did this, I summoned the NPC inside the dungeoneering lobby and I found out the hard way there was an additional check when talking to the NPC to enter for spawned familiars (and pouches), so it did not work. Also, if I recall correctly, it did not work with the lower level storing familiars; only the higher ones. Again, not able to explain this either.

      Hope you enjoyed my story about SoulPlay. It certainly was one of, if not the most, complex and niche bug abuse stories I have ever done. Let this be a lesson to always have area checks, even if you believe there is no way of packet or interface exploitation. It is always better to be safe than sorry.



    All Credits:
    purchaos - Force Owner Exploitation
    MrClassic - [PI] Anti-Silabsoft (RuneAgent)
    tree - Clean Source
    Jason - Trade and Duel code (not in WIP yet)
    Last edited by BooZee; 08-29-2020 at 10:28 PM.
    Users with a big brain: Totty (RuneHD), Graham (Apollo), Tomm0017 (RSMod), ghost (DragonFire), Leanbow ("a lot" - 21 savage), 3lou 55 ("grind hard, I done grind hard" - 21 savage), Corey (idr), patrity (Kronos), Jet Kai (Spawnscape/Security Threads)
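The checks the post above describes (same height plane, tile radius, no actions during a teleport stall, and a dueling player staying inside the arena) written up as one server-side validator. This is an added Java example, not code from the thread or from any RSPS base; the Player fields, the duel-arena rectangle and the bank-booth coordinates are assumptions, and the records need Java 16 or later.

```java
import java.util.logging.Logger;
public final class InteractionGuard {
    private static final Logger LOG = Logger.getLogger(InteractionGuard.class.getName());
    /** World tile: x, y and height plane z. */
    public record Position(int x, int y, int z) {}
    /** Axis-aligned rectangle on one height plane, e.g. the duel arena floor. */
    public record Area(int minX, int minY, int maxX, int maxY, int z) {
        public boolean contains(Position p) {
            return p.z() == z && p.x() >= minX && p.x() <= maxX
                    && p.y() >= minY && p.y() <= maxY;
        }
    }
    /** Only the player state these checks need; field names are assumptions. */
    public static final class Player {
        final String name; Position pos; boolean teleporting; boolean dueling;
        Player(String name, Position pos) { this.name = name; this.pos = pos; }
    }
    /** Tile distance is Chebyshev (a square radius), not Euclidean. */
    static int tileDistance(Position a, Position b) {
        return Math.max(Math.abs(a.x() - b.x()), Math.abs(a.y() - b.y()));
    }

    /** Run when the action packet arrives, before any object/NPC/player handler. */
    public static boolean canInteract(Player p, Position target, int radius) {
        if (p.teleporting) {            // stall: ignore action packets mid-teleport
            LOG.warning(p.name + " sent an action while teleporting");
            return false;
        }
        if (p.pos.z() != target.z()) {  // X/Y fit, but the object is on another floor
            LOG.warning(p.name + " acted on an object on another height plane");
            return false;
        }
        return tileDistance(p.pos, target) <= radius;
    }

    /** Area check for a mechanic: a dueling player must still be inside the arena. */
    public static boolean duelStateValid(Player p, Area arena) {
        if (!p.dueling) return true;
        boolean inside = arena.contains(p.pos);
        if (!inside) LOG.warning(p.name + " is dueling outside the arena at " + p.pos);
        return inside;                  // caller decides: forfeit, teleport back, log
    }

    public static void main(String[] args) {
        Position booth = new Position(3185, 3436, 0);   // constructed coordinates
        Player a = new Player("alice", new Position(3187, 3436, 0));
        System.out.println(canInteract(a, booth, 4));   // true: same plane, 2 tiles away
        a.pos = new Position(3187, 3436, 1);             // same X/Y, one floor up
        System.out.println(canInteract(a, booth, 4));   // false: wrong Z
        a.dueling = true;
        System.out.println(duelStateValid(a, new Area(3330, 3240, 3350, 3260, 0))); // false
    }
}
```

Because both checks log before returning false, the warning lines double as the incident record the post asks for; wire them to whatever logger the base already uses.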


#2 Registered Member
    Ayeee haha

#3 Tamatea (Registered Member)
    Probably an honorable mention that MD5 is deprecated and has been broken.

    I'd recommend anybody looking to secure passwords to use Bcrypt.

    Here is a java library for Bcrypt I've used in the past.
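An added Java example, not code from the thread or from any RSPS base, that ties together the first post's advice (leave the .txt saves behind, use JSON, hash passwords) and Tamatea's bcrypt recommendation. It assumes the Gson and jBCrypt (org.mindrot.jbcrypt.BCrypt) libraries are on the classpath; the field names, rights values and the sample input are constructed for the demonstration.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import org.mindrot.jbcrypt.BCrypt;

public final class PlayerSave {
    private static final Gson GSON = new GsonBuilder().setPrettyPrinting().create();
    private static final int COST = 12;   // bcrypt work factor (2^12 rounds)

    String username;
    String passwordHash;   // bcrypt string; the plaintext is never written to disk
    int rights;            // 0 = player, 1 = moderator, 2 = administrator (assumed)

    /** Hash at creation time; gensalt() draws a fresh random salt per player. */
    static PlayerSave create(String username, String password) {
        PlayerSave s = new PlayerSave();
        s.username = username;
        s.passwordHash = BCrypt.hashpw(password, BCrypt.gensalt(COST));
        s.rights = 0;
        return s;
    }

    /** Login check: checkpw re-hashes the attempt with the stored salt and compares. */
    boolean passwordMatches(String attempt) {
        return BCrypt.checkpw(attempt, passwordHash);
    }

    /** Gson escapes quotes, backslashes and newlines, so a value can never become a new key. */
    String toJson() { return GSON.toJson(this); }

    static PlayerSave fromJson(String json) { return GSON.fromJson(json, PlayerSave.class); }

    public static void main(String[] args) {
        // Constructed input: a "password" carrying a newline and a fake rights line,
        // the shape of value that confused the old line-based .txt saves.
        String typed = "hunter2\nrights = 2";
        PlayerSave s = create("boozee", typed);
        String json = s.toJson();
        System.out.println(json);                            // rights stays 0; no stray line
        PlayerSave back = fromJson(json);
        System.out.println(back.rights == 0);                // true
        System.out.println(back.passwordMatches(typed));     // true
        System.out.println(back.passwordMatches("hunter2")); // false
    }
}
```

Gson skips static fields by default, so GSON itself is not serialised; if a base still has MD5 hashes on disk, re-hash each player with bcrypt on their next successful login rather than trying to convert the stored digests.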

#4 Side Hustle (Registered Member)
    Finally, something interesting to read that is for the greater good.

#5 BooZee (A RSPS Aristocrat)
    Quote Originally Posted by Tamatea:
    Probably an honorable mention that MD5 is deprecated and has been broken.

    I'd recommend anybody looking to secure passwords to use Bcrypt.

    Here is a java library for Bcrypt I've used in the past.
    Bcrypt is the optimal choice. I think some bases including Apollo use it.

    Quote Originally Posted by Side Hustle:
    Finally, something interesting to read that is for the greater good.
    Yeah maybe I’ll stop being lazy and write some more. Currently have far too much on my mind to write this

#6 BooZee (A RSPS Aristocrat)
    A friend of mine brought up RSPS today, so I decided to fill the `The SoulPlay Smuggle [Bonus]`. Very good story, worth the read.

    Not sure if I will ever finish this thread - I doubt it.

#7 smiles down (Registered Member)
    How do you replace the bytestream and gameclient classes?

    This is the error I'm receiving on the clean 317 client:

    Code:
    Transformer => org.silabsoft.runeagent.transformer.RuneTekFourTransformer =>Error Transforming: ByteStream => java.lang.NullPointerException

#8 BooZee (A RSPS Aristocrat)
    Quote Originally Posted by smiles down:
    How do you replace the bytestream and gameclient classes?
    You want the actual .class files, not the decompiled classes (.java). Extract them from the Jar client.
    Easiest way would be to simply open it as a zip and drag and drop the classes you want to the folder.
    https://i.imgur.com/MRpsLo6.png

    You can use https://bytecodeviewer.com or use something from the Wiki rune-agent - RuneScape Private Server Wiki for class extraction.

#9 smiles down (Registered Member)
    Quote Originally Posted by BooZee:
    You want the actual .class files, not the decompiled classes (.java). Extract them from the Jar client.
    Easiest way would be to simply open it as a zip and drag and drop the classes you want to the folder.
    https://i.imgur.com/MRpsLo6.png

    You can use https://bytecodeviewer.com or use something from the Wiki rune-agent - RuneScape Private Server Wiki for class extraction.
    Yeah, I did exactly that; RuneAgent and the 317 client were compiled with the same versions of Java. On ANY client I'm receiving the bytestream error:
    Code:
    p1isaac => hooked
    p4 => hooked
    java.lang.NullPointerException
            at org.apache.bcel.generic.MethodGen.<init>(MethodGen.java:178)
            at org.silabsoft.runeagent.util.ClassModifier.addMethodWrap(ClassModifier.java:224)
            at org.silabsoft.runeagent.util.ClassModifier.transform(ClassModifier.java:97)
            at org.silabsoft.runeagent.transformer.RuneTekFourTransformer.transform(RuneTekFourTransformer.java:40)
            at sun.instrument.TransformerManager.transform(TransformerManager.java:188)
            at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:428)
            at client.<init>(client.java:12281)
            at client.main(client.java:2691)