HerculesWS / Hercules

Hercules is a collaborative software development project revolving around the creation of a robust massively multiplayer online role playing game (MMORPG) server package. Written in C, the program is very versatile and provides NPCs, warps and modifications. The project is jointly managed by a group of volunteers located around the world as well as a tremendous community providing QA and support. Hercules is a continuation of the original Athena project.
http://herc.ws
GNU General Public License v3.0

(default server misconfiguration) Skill range bypass: 14 cells skills usage #841

Closed 100percent-zz closed 4 years ago

100percent-zz commented 9 years ago

Just a followup to this issue:

http://herc.ws/board/tracker/issue-8302-potnd-bypass-range-skill-delay/

This bug is still existent in the present build of Hercules ( and rathena too! ) but not on any eathena servers.

How to reproduce:

  1. Record packet via WPE / RPE.
  2. Send the recorded packet.
  3. Try to send the packet outside the range of skills.

NOTE: If you followed the temporary fix on the link above, it would only fix the vertical and horizontal range of the skill, but if you try the diagonal way the bug still persists! I have a screenshot of a guild abusing this, please see the screenshot below:

http://i.imgur.com/TPmzNxt.jpg

As you can see, their guild programmer made a program that modifies the client binaries to prevent the client from sending the move packet when using skills. That's why it turns out to behave like it's only sending packets without moving, and the bug shows up! Notice how he is casting Dispell outside the correct range. Please fix this; a cheat that is on its way to becoming famous is abusing it (xrag), and it's not healthy for the competitive WoE community and the whole RO community in general.

kyeme commented 9 years ago

Master @MishimaHaruna @4144

anacondaq commented 9 years ago

I can confirm this issue since 2012. Still not fixed, and very dangerous. Botters & guilds make money selling this shit; a lot of reports at rAthena, a lot of reports at Hercules, nobody cares. Some guy said he already fixed the bug with the range issue, but it's not fixed, and his fix does not work at all. What a shame for people who can prevent it, but do nothing about it. All of these bugs can be denied server-side.

In most cases, a few tips & tricks can make cheaters' lives harder.

Summary

What we have at rAthena / Hercules to minimize the problem of cheats:

What we can do to make Hercules / rAthena much better

Some stupid examples: usually cheaters are using very stupid bots (I'm talking about visual ones); they never walk, or they do the same acts for hours. How to capture them:

  1. An idletime function, which will check whether a player stays inside one zone, for example a 3x3 square; teleporting & wings will be ignored if the player does not move out of this 3x3 square, and other skill / item usage will not reset the idle timer; then, if the idle timer expires -> send a captcha to the player
  2. GRF encryption, and do not allow any GRF modifications on your server.

Main Ragnarok problem in 2015

Players who play this game in 2015, in most cases, can't even imagine a game without cheats. They will cry a lot if you block any of these cheats. But stupid money-sucker administrators who make servers for such guilds and ignore a lot of tips & tricks inside the emulator, or allow some functionality on their servers, totally destroy the last big part of the community who do not even use cheats & hate to use that shit.

Sure, someone can "bla bla" with me about the cheating problem, and can talk to me with different theories, but 99% of players do not even know how to cheat, and only 5-6 talented developers who use ROPS functions make a lot of trouble for us.

But all of these troubles we permitted ourselves. The current WoE scene in RO -> death for RO. Cheats in 2015 started to be a part of gameplay.

Sorry for my very bad English; I can explain each paragraph above, and how to fight against each shit, except client-based math (autopots are impossible to prohibit, macros too, but making life hard for visual botters or opencore users -> no problem at all for guys who know C well).

And the last, very important problem of RO: usually anti-cheat developers -> develop cheats themselves, or have large experience with their own protections for the RO client, or usually they are GMs of popular (not always) servers; they have a clue how the game client & server side work, so it makes current rAthena / Hercules developers' lives much harder.

About Gepard / Hashield / Harmony / InternalGuard / Frost

Dear server owners, who think these protections can help you stop cheaters. It's totally wrong. Each big guild has its own software writer, or each WoE guy in the RO scene knows each other, and they have access to custom tools (not public, like trash romedic & etc. shit). The current problem of each of the protections above -> they are signature based. That means -> you can download ROPS, you can compile your application with a custom name -> you will have a custom cheat. The protection must be more server-side than client-side. Client-side adds only FPS lags to the game, and nothing more. Each of your hash-sum checks without a salt -> easy to bypass by the same send_client_hash() functions inside the cheat software; each of your "game-file verification" checks can be frozen with special software or drivers taken from public internet from different cheat communities.

Dear anti-cheat developers, if you want to build a good protection, just pay attention to this:

In 2015 it is very stupid to protect the game client against known software with 2005 anti-cheat solutions like: "we will block all known software, and we will think everything is good". No guys, not good at all, because tons of different software is built every day, and these methods are not effective anymore. Ignore the problem of reading memory of the process and values from memory points; start to do global things, like Adelays. Adelays looks cool, but a lot of things can be enhanced on the server-side. Yea, sure, it's easy for me to say this about cheats because I have large experience with them, and with guys who develop and use very hardcore tools, but in most cases they are not gods, and very stupid limits on the server-side can totally destroy the current cheat scene & WoE scene and limit the problems in RO to a maximum of two things:

  1. autopots & memory reading of the game client
  2. visual bots

But for now, each mechanic thing in current Hercules / rAthena has a lot of security holes (big security holes), or is poorly coded, or is just ignored.

Sure, you can ignore the part about security, and say: "haha, we just copy-paste Aegis, and we are ignoring this shit, because it's not our mission, and not our ideas", but sorry. The Aegis community is ~3-5% of all servers in the world. 90-95% of servers in the world & 90-95% of the RO community are not playing on official servers; they are playing on "pirate" ones. So, RO is not a Gravity product; Gravity is just ideas & client developer. Current RO is in the hands of the current GNU GPL emulator devs.

100percent-zz commented 9 years ago

The range exploit is the most OP and must be fixed immediately because this is a GAME BREAKING bug! Imagine 7-cell Asura Strike and Sonic Blow!?

The sad thing here is that the range hack doesn't work on eAthena! What a time to be alive when an old codebase is outperforming newer ones and it's left in the dust forever.

I already explained how to reproduce the bug; I hope some devs can try and see the bug for themselves, to see how alarming it is that this stuff has existed since forever...

anacondaq commented 9 years ago

Oh, @100percent, I've reported bugs since 2011, nobody listens to me; I will be surprised if someone reacts to this. Usually people do not care about it, and do not understand that a lot of child problems are the result of this issue. eAthena had a lot of mechanic-breaking things, and most of them are fixed already in rAthena & Hercules, but not all; still a lot of them exist, and they are reported at their bug trackers or in issues.

The sense of the feedback I received: "we have a lot of headache with current bugs, current features, current delayed releases, current not finished episodes", and the latest main problem: current RO emulator development in 2015 -> ~10-12 people who build and support emulators for the ALL RO scene. It's a very small amount of devs, we need more...

anacondaq commented 9 years ago

Btw, many people have not even heard about the sit bug, where you can break any mechanic behavior because of fast sitting. A lot of software uses that shit to make an instant Asura Strike after Body Relocation. And this bug is still not fixed :)

4144 commented 9 years ago

Looks like all exploits from the message are client changes to avoid client limitations. They don't break any server settings. Yes, default server settings can be not good, like skill delays. Any client protection can be and will be broken. Exploits must avoid some server settings; only after this can it be fixed on the server. For example old eAthena item cloning. This is a real exploit.

I'm not sure how Aegis works, but from the Hercules comment in file src/config/core.h:

  /// Uncomment to enable circular area checks.
  /// By default, most server-sided range checks in Aegis are of square shapes, so a monster
  /// with a range of 4 can attack anything within a 9x9 area.
  /// Client-sided range checks are, however, are always circular.
  /// Enabling this changes all checks to circular checks, which is more realistic,
  /// - but is not the official behaviour.
  //#define CIRCULAR_AREA

A commented-out define means this feature is disabled.

dastgirp commented 9 years ago

@anacondaqq We don't replicate everything in Aegis; we just have to know if there's a bug. If no one reports it, we surely would have no idea about the bug...

anacondaq commented 9 years ago

@dastgir I have no negativity towards the developers. You guys are good. You rock. Thank you for your work. But, dear devs, if you have some amount of time, please improve basic security things for Herc / rA. Thx. Reports are available above.

Rytech2 commented 8 years ago

I wasn't aware of exploits this severe. Kinda makes me want to look into issues like this. Bypassing range limits? That's a very bad thing.

kyeme commented 8 years ago

Actually, editing the luafiles/skillinfoz folder can affect the range of some skills xD

Rytech2 commented 8 years ago

Really???? I never knew that. I'm looking into server-side methods to fix this issue. There needs to be a check where the server expects a certain range or lower to be sent from the client. But there's also this thing of whether the caster needs to walk closer or not. A bit tricky.
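A server-side range check of the kind Rytech2 describes, written in C as an added example (not Hercules code), covering both the square and circular shapes from the core.h comment quoted by 4144 above; the caster position, target cell and range are constructed sample inputs.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not Hercules code. Coordinates and the range value are
 * constructed sample inputs; the two check shapes follow the comment
 * quoted from src/config/core.h in this issue. */

/* Aegis-style square check: range 4 accepts any cell of the 9x9 square
 * (Chebyshev distance), including the far diagonal corners. */
static bool in_square_range(int x1, int y1, int x2, int y2, int range)
{
    int dx = abs(x1 - x2), dy = abs(y1 - y2);
    return (dx > dy ? dx : dy) <= range;
}

/* Circular check, the shape the client uses (Euclidean distance, compared
 * on squared values so no floating point is involved). */
static bool in_circular_range(int x1, int y1, int x2, int y2, int range)
{
    int dx = x1 - x2, dy = y1 - y2;
    return dx * dx + dy * dy <= range * range;
}

/* Server-side validation of a client-supplied target cell: the caster's
 * position and the skill's range come from server state, never from the
 * packet, so a client that skips its own range check gains nothing. */
bool validate_skill_target(int caster_x, int caster_y,
                           int target_x, int target_y,
                           int skill_range, bool circular)
{
    if (skill_range < 0)
        return false;
    if (circular)
        return in_circular_range(caster_x, caster_y, target_x, target_y, skill_range);
    return in_square_range(caster_x, caster_y, target_x, target_y, skill_range);
}

/* Number of cells the square check accepts but the circular check rejects:
 * exactly the diagonal positions the first comment in this issue mentions. */
int diagonal_only_cells(int range)
{
    int count = 0;
    for (int dx = -range; dx <= range; dx++)
        for (int dy = -range; dy <= range; dy++)
            if (dx * dx + dy * dy > range * range)
                count++;
    return count;
}
```

With range 4, the diagonal corner (10,10) to (14,14) passes the square check but fails the circular one, and 32 of the 81 cells in the square are diagonal-only.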

Heler commented 8 years ago

@anacondaqq

Hello! You wrote: "The current problem of each of protections above -> they are signature based."

You are wrong. Almost all functionality of Gepard Shield is not signature-based. It blocks methods of cheating, not specific cheat software.

But I agree with you that the problem with cheaters can be partially solved on the server-side. ;-)

ermanherman commented 8 years ago

Hi, is this problem solved?

kyeme commented 8 years ago

Up

Keysito commented 8 years ago

What was the progress on this exploit?

anacondaq commented 8 years ago

Don't worry @Keysito, nobody will fix the bugs posted by me above. You will not find any motivated and experienced guy with a lot of time for developing a complete product and for supporting this product for the next 2-3 years. I'm talking about server-client side protection, where around 99% of checks should be done on the server-side (yes, it will be a heavy CPU application).

For people who will try to fix problems above:

You can do that. Because almost all cheaters with whom I had contact in the past were newbies, and not professional developers; they just know several tips and tricks, and nothing more, and from time to time they use solutions developed by really smart Asians (Japanese / Chinese guys). But even with them nobody can fight, because of a lack of motivation.

Kenpachi2k13 commented 4 years ago

Was fixed in #1457.