That 20-50 carpenter hack? Here's how, and then some

#1 Oct 11 2013 at 1:47 PM Rating: Good
*
249 posts
Unsecured database is being gamed by simple JavaScript. Apparently it's been exploited since beta.
#2 Oct 11 2013 at 1:50 PM Rating: Good
**
589 posts
Surely not?!?
____________________________
Solomon Grundy | Born on a Monday | Excalibur Server | Abyss: Welcome to a Higher Quality of Nerding™
#3 Oct 11 2013 at 1:55 PM Rating: Good
Avatar
***
1,208 posts
That same photo was all over Reddit the other day... only they had blocked out the name of the offender.

It's some sort of exploit that apparently gilsellers are using to get to level 50 crafting within moments, and create a ton of gil at the same time... it looks like they are somehow manipulating the game to think that they have turned in a Levequest over and over and over again within seconds. They could not do this in an Inn because SE won't allow crafting in Inns this time around (smart move)... the person in this screenshot has been reported already as far as I know... was not on my server so I couldn't do it anyway.
____________________________
The Kraken Club - (Ultros FC)
Character Name: Meat Mithkabob
#4 Oct 11 2013 at 2:09 PM Rating: Good
*
180 posts
Hairspray wrote:
it looks like they are somehow manipulating the game to think that they have turned in a Levequest over and over and over again within seconds


It actually looks like it is a lot worse than just this. Read through the BG thread linked in the OP. It seems the hackers can take any simple item (say 99 potions purchased from an NPC), turn them into any other item they like (say Allagan gold pieces) and sell them right back.

Or, just tell the server to give them a billion gil - and it will!

I'm not very tech-y myself and would never try to figure out exactly how to work this, but if this is really the case it should be fixed pronto.

Edit: to fix my quote.

Edited, Oct 11th 2013 4:10pm by Canadensis
____________________________
Kezia Canadensis
Ultros
TKC <ZAM>
#5 Oct 11 2013 at 2:22 PM Rating: Decent
Scholar
***
2,426 posts
This is pretty much the reason for the recent bannings/suspensions.

I had been reading about this the past couple days but didn't post it here because I was really hoping it was going to turn out to be a hoax.

But yeah, there are sites advertising full AF2 sets for 1500 USD... they aren't getting that stuff by speed running AK. Seems like they can literally give themselves any item in the game, or not in the game (as in the case of the infamous Lodestone account with as of yet unobtainable minions).

Edited, Oct 11th 2013 4:23pm by Llester
____________________________
monk
dragoon

#6 Oct 11 2013 at 2:22 PM Rating: Good
Needs More Smut
******
21,262 posts
Hey JSON! I know that! Had to spend some quality time converting JSON strings into XML and vice versa in the 4th semester of my master's degree program.

I'm also smart enough not to use Lua and hack a JSON query to give my character six billion gil. Smiley: laugh
____________________________
FFXI: Catwho on Bismarck: Retired December 2014
Thayos wrote:
I can't understand anyone who skips the cutscenes of a Final Fantasy game. That's like going to Texas and not getting barbecue.

FFXIV: Katarh Mest and Taprara Rara on Lamia Server - Member of The Swarm
Curator of the XIV Wallpapers Tumblr and the XIV Fashion Tumblr
#7 Oct 11 2013 at 2:50 PM Rating: Good
***
3,448 posts
Wow that's a lot worse than I suspected.

So basically the client just has free rein over everything and the server double-checks nothing. WHAT COULD POSSIBLY GO WRONG?
____________________________
svlyons wrote:
If random outcomes aren't acceptable to you, then don't play with random people.
#8 Oct 11 2013 at 2:54 PM Rating: Good
Guru
Avatar
*****
11,082 posts
Feel like things would be far, far, far worse if this is truly the case. That isn't to say there isn't some shenanigans going on, but for something like item converting, I'd like to see a vid of a live server pulling it off.
____________________________
Violence good. **** bad. Yay America.
#9 Oct 11 2013 at 2:57 PM Rating: Excellent
Avatar
***
1,208 posts
Oh wow, this is far worse than what I thought it was... do you think they'll shut down the game for a bit?
____________________________
The Kraken Club - (Ultros FC)
Character Name: Meat Mithkabob
#10 Oct 11 2013 at 3:08 PM Rating: Default
Scholar
****
4,506 posts
I don't mean to sound the "Game over" sounds, but people (still) being able to give themselves and others any item, including AF2 and Allagan pieces, and 300 billion gil if they so wanted to...

This alone seems like grounds for a full wipe, gil wipe or even a "See you all in 3.0 in a few years" from SE :/
____________________________
[XI] Surivere of Valefor
[XIV] Sir Surian Bedivere of Behemoth
http://na.finalfantasyxiv.com/lodestone/character/2401553/
#11 Oct 11 2013 at 3:37 PM Rating: Default
If this is true then this game is ruined.
____________________________
One day maybe:
ShaolinGate.com
#12 Oct 11 2013 at 3:43 PM Rating: Decent
Scholar
***
2,426 posts
Despite what I posted above, I'm still not positive that this isn't an elaborate troll, but yes, if it's real, it is bad medicine.
____________________________
monk
dragoon

#13 Oct 11 2013 at 3:46 PM Rating: Decent
Scholar
**
356 posts
Is it not possible to 1. Fix the problem and 2. Launch a full scale investigation to ban all those who are gaining massive levels all at once?
#14 Oct 11 2013 at 3:56 PM Rating: Good
***
3,448 posts
aadrenry wrote:
Is it not possible to 1. Fix the problem and 2. Launch a full scale investigation to ban all those who are gaining massive levels all at once?


It's difficult to believe that something that blatant wouldn't show up in a log SOMEWHERE.

Unfortunately it might not be possible to fix the problem in any sort of reasonable timeframe. If, as I suspect, the client has most of the control in this game, then fixing the problem isn't as simple as patching a couple lines of code. It would involve an overhaul of the client-server relationship. Besides the fact that something on that scale takes a long time, SE may not have the infrastructure necessary to put MORE demand on their servers. We've already seen what happens when their servers are overloaded, and that's under current conditions.

Basically it sounds like they've gone from one extreme to the other. At 1.0's launch, the server was responsible for signing off on EVERYTHING, including menu navigation. It seems that now we've shifted to the other extreme where it does almost nothing to verify that what the client is telling it is legit.

It's possible to fix this, but I'm not sure it can be done in a reasonable amount of time on a live product. I honestly don't know what they should do from here, and I'm not sure they do either.
____________________________
svlyons wrote:
If random outcomes aren't acceptable to you, then don't play with random people.
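The design point made in the post above, that the server must verify what the client claims rather than apply it, as an added illustration that is not SE's code: a hypothetical server-side handler for a levequest turn-in, where the request may only name the leve and every requirement and reward is looked up from the server's own tables (the leve, item names and numbers are constructed for the example).

```python
"""Server-authoritative handling of a levequest turn-in (hypothetical model).

The client is allowed to say *which* leve it is turning in and nothing else.
Requirements, allowances and rewards come from server-side state, so a
replayed or hand-crafted request cannot grant EXP, gil or items by itself.
"""
from dataclasses import dataclass, field


@dataclass
class Character:
    name: str
    level: int = 20
    exp: int = 0
    gil: int = 0
    leve_allowance: int = 3                              # tracked by the server
    inventory: dict = field(default_factory=dict)        # item_id -> quantity


# Server-side leve table (constructed values). Rewards live here, not in requests.
LEVES = {
    "carpenter_turnin_01": {
        "item": "maple_lumber", "qty": 3, "exp": 1200, "gil": 350, "min_level": 20,
    },
}


class RejectedRequest(Exception):
    """Raised when a turn-in request fails server-side validation."""


def turn_in_leve(char, request):
    """Validate a client turn-in against server state, then apply the rewards.

    Returns the rewards granted; raises RejectedRequest on any failed check.
    """
    # Reward-like fields in the request are refused outright rather than ignored,
    # so a client that tries to name its own payout is visible in the logs.
    for forbidden in ("exp", "gil", "reward", "qty", "item"):
        if forbidden in request:
            raise RejectedRequest("client may not supply '%s'" % forbidden)
    leve = LEVES.get(request.get("leve_id"))
    if leve is None:
        raise RejectedRequest("unknown leve")
    if char.level < leve["min_level"]:
        raise RejectedRequest("level too low for this leve")
    # Allowance check: this is what stops the same leve being "turned in"
    # over and over within seconds.
    if char.leve_allowance <= 0:
        raise RejectedRequest("no leve allowances remaining")
    have = char.inventory.get(leve["item"], 0)
    if have < leve["qty"]:
        raise RejectedRequest("required items not in server-side inventory")
    # All checks passed: consume items and allowance, grant rewards from the table.
    char.inventory[leve["item"]] = have - leve["qty"]
    char.leve_allowance -= 1
    char.exp += leve["exp"]
    char.gil += leve["gil"]
    return {"exp": leve["exp"], "gil": leve["gil"]}


def is_rejected(char, request):
    """True if the server refuses the request (helper for checks and tests)."""
    try:
        turn_in_leve(char, request)
    except RejectedRequest:
        return True
    return False
```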
#15 Oct 11 2013 at 4:05 PM Rating: Excellent
**
576 posts
I'm still hoping this is false information, but if not, this is possibly the worst client/server implementation I have ever seen.

Have they never heard of Wireshark? Analyzing and then faking JSON requests is trivial for anyone with a modicum of network and programming skills.

I'm still not entirely convinced, though. If this was the case, why have bots mining shards when you could just add gil directly to your inventory?
____________________________
FFXI, Siren: Pickins BST99.:~:.BLM75.:~:.RDM56
FFXIV, Siren: Miss Pickins - Builder of the Realm
#16 Oct 11 2013 at 4:33 PM Rating: Decent
Guru
***
1,310 posts
Pickins wrote:
I'm still not entirely convinced, though. If this was the case, why have bots mining shards when you could just add gil directly to your inventory?


It's called diversifying your portfolio. Let's say the "UPDATE Account SET gil=999999999 WHERE pid=@me" technique gets cleaned out and all those assets are destroyed, you're still going to need a backup source of cash if you still want to keep selling gil. So then you turn to your teleporting mining bot army. Smiley: rolleyes

Still, the fact this has been discovered and reported on for weeks is **** depressing. Can this game even have a future if you can hack yourself anything you want (I've seen reports of Goobue mounts on fresh start servers, minions that aren't yet released in-game, insta-level 50, insta-full bank accounts) and not get punished?
#17 Oct 11 2013 at 4:42 PM Rating: Excellent
***
1,606 posts
There was a post on the main forums yesterday that talked a lot about how it was done but I think it was nuked. Like so many others, I am not going to risk my account trying to see if it is legit.

On a side note... This is the first time I can recall seeing Shadow with a post that had a rating of good lol
#18 Oct 11 2013 at 4:50 PM Rating: Excellent
**
576 posts
MrTalos wrote:
There was a post on the main forums yesterday that talked a lot about how it was done but I think it was nuked.


I've read that they're deleting the threads as soon as they pop up, as though they've never heard of the Streisand Effect.
____________________________
FFXI, Siren: Pickins BST99.:~:.BLM75.:~:.RDM56
FFXIV, Siren: Miss Pickins - Builder of the Realm
#19 Oct 11 2013 at 6:07 PM Rating: Excellent
Scholar
Avatar
**
320 posts
My word, if this is true... and there's a wide open web server just waiting for requests with no authentication or authorization, then SE is in some serious trouble. I know they did a lot in a short period of time but to miss basic security like this? Wow, just wow.
____________________________
FFXIV ARR: Ultros - James Kilton
#20 Oct 11 2013 at 8:29 PM Rating: Good
Scholar
***
1,707 posts
Don't y'all think that the game would be flooded with gil and practically ruined by now if this were 100% true? Many years ago when a hack screwed up the economy in FFXI, inflation took off extremely fast.

As of now I am still playing the game having the same fun I've had all along with no substantial difference in the economy since I started at release.

I'm sure there is some legitimacy to the alleged issue, but I suspect it isn't as game breaking as people are making out. It will get corrected and the game will continue on just fine. I suspect the vast majority of people playing would be a little scared to buy gil right now and most certainly not mess around with any hacks. Most people actually play to have fun, not to cheat. So no matter how much gil they create, it does them no good if everyone isn't buying it all up. This isn't their first rodeo, they can track the big money moving around and ban/remove it.
#21 Oct 11 2013 at 9:04 PM Rating: Default
Avatar
**
488 posts
These are amateur mistakes by a company that should be smart enough to know they could happen. This is horrible.
#22 Oct 11 2013 at 11:35 PM Rating: Decent
Avatar
***
1,416 posts
Catwho wrote:
Hey JSON! I know that! Had to spend some quality time converting JSON strings into XML and vice versa in the 4th semester of my master's degree program.

I'm also smart enough not to use Lua and hack a JSON query to give my character six billion gil. Smiley: laugh

I love how people rate down people that know what they are talking about sometimes.
____________________________

#23 Oct 12 2013 at 2:38 AM Rating: Decent
****
4,151 posts
Mithsavvy wrote:
Don't y'all think that the game would be flooded with gil and practically ruined by now if this were 100% true? Many years ago when a hack screwed up the economy in FFXI, inflation took off extremely fast.


Yes, there were tons of bots fishing mass quantities of gil into the economy, but it could have been done without bots and by anyone. It wasn't a hack. The largest influx of gil to the XI economy was a result of poor planning on SE's part. All that was required was a fishing rod and little to no skill in a particular craft to turn your character into a gil machine.

It was just as legit as selling Chocobo Blinkers or Hakuryu to NPC and up until they made the change, legitimate characters were taking advantage of it as well. Don't ask me how I know and I won't tell you Smiley: sly

Mithsavvy wrote:
I suspect the vast majority of people playing would be a little scared to buy gil right now and most certainly not mess around with any hacks. Most people actually play to have fun, not to cheat.


I would agree that most people are just normal players, but there are quite a few people who consider FFXIV to be a job and not entertainment. Also, there isn't anything that says you can't have fun while making money to play a video game and sell virtual goods and currency.

Edited, Oct 12th 2013 4:41am by FilthMcNasty
____________________________
Rinsui wrote:
Only hips + boobs all day and hips + boobs all over my icecream

HaibaneRenmei wrote:
30 bucks is almost free

cocodojo wrote:
Its personal preference and all, but yes we need to educate WoW players that this is OUR game, these are Characters and not Toons. Time to beat that into them one at a time.
#24 Oct 13 2013 at 9:32 PM Rating: Good
Scholar
***
3,653 posts
Pickins wrote:
MrTalos wrote:
There was a post on the main forums yesterday that talked a lot about how it was done but I think it was nuked.


I've read that they're deleting the threads as soon as they pop up, as though they've never heard of the Streisand Effect.


Couple of reasons they're deleting them:
- They don't want information on hacking the game on the main forum (totally justified).
- Leaving those threads on the main forum is akin to poking a hornet's nest (the Official Forum) with a big stick.

If people were trying to be actually useful by posting information about it on the main forum, they'd simply file a bug report.

Edited, Oct 14th 2013 3:32am by blowfin
____________________________
I tell you, we are here on Earth to **** around, and don’t let anybody tell you different.
#25 Oct 14 2013 at 8:26 AM Rating: Good
***
2,214 posts
While the transactions may not be as visible as one might think in their logs, they are visible in their backups.

I am assuming they are deleting the threads to reduce the number of innocent bystanders who will get hit by the ban-hammer (and it is coming), and collective rollbacks, and confiscations.

I would assume that the update that is scheduled today will attempt to either address these issues, or put more detailed tracking server-side on types of character transactions. But, it is definitely a first step in attempting to curtail this issue before it gets further out of hand.
#26 Oct 14 2013 at 8:38 AM Rating: Excellent
Avatar
***
1,208 posts
Mithsavvy wrote:
Don't y'all think that the game would be flooded with gil and practically ruined by now if this were 100% true? Many years ago when a hack screwed up the economy in FFXI, inflation took off extremely fast.

As of now I am still playing the game having the same fun I've had all along with no substantial difference in the economy since I started at release.

I'm sure there is some legitimacy to the alleged issue, but I suspect it isn't as game breaking as people are making out. It will get corrected and the game will continue on just fine. I suspect the vast majority of people playing would be a little scared to buy gil right now and most certainly not mess around with any hacks. Most people actually play to have fun, not to cheat. So no matter how much gil they create, it does them no good if everyone isn't buying it all up. This isn't their first rodeo, they can track the big money moving around and ban/remove it.


Well considering the game hasn't blown up and is still operational, and the economy hasn't been flooded with gil, I'm starting to think the whole JSON connection may not be 100% accurate.

Now is there an issue with botting? Yes, absolutely. We all see mining and farming bots, and this photo of the guy leveling to 50 in 2 minutes is another great example that the game is not perfect...

But I have to believe if it were THAT easy to do we'd have many more examples by now.
____________________________
The Kraken Club - (Ultros FC)
Character Name: Meat Mithkabob
#27 Oct 14 2013 at 11:21 AM Rating: Good
Needs More Smut
******
21,262 posts
This could also be something that they ninja-fixed without announcing anything, and they're gathering the data on folks who attempt it after the fix in preparation for a mass banning.

They'll announce the problem and the resolution at the same time they announce the ban of the 1000+ accounts they caught doing it.
____________________________
FFXI: Catwho on Bismarck: Retired December 2014
Thayos wrote:
I can't understand anyone who skips the cutscenes of a Final Fantasy game. That's like going to Texas and not getting barbecue.

FFXIV: Katarh Mest and Taprara Rara on Lamia Server - Member of The Swarm
Curator of the XIV Wallpapers Tumblr and the XIV Fashion Tumblr
#28 Oct 14 2013 at 11:39 AM Rating: Good
Avatar
***
1,208 posts
Catwho wrote:
This could also be something that they ninja-fixed without announcing anything, and they're gathering the data on folks who attempt it after the fix in preparation for a mass banning.

They'll announce the problem and the resolution at the same time they announce the ban of the 1000+ accounts they caught doing it.


HAHA!!! Most likely!

Do you think it could have been part of the reason why so many people were temporarily or permanently banned recently too?
____________________________
The Kraken Club - (Ultros FC)
Character Name: Meat Mithkabob
#29 Oct 14 2013 at 12:07 PM Rating: Good
Avatar
**
425 posts
Archmage Callinon wrote:
Wow that's a lot worse than I suspected.

So basically the client just has free rein over everything and the server double-checks nothing. WHAT COULD POSSIBLY GO WRONG?


Welcome to why all Phantasy Star online based games failed. FFXIV is in some serious trouble if SE does not act on this.
____________________________
FFXI character: Elathia ::F Tarutaru::87SCH/75RDM/70WHM/54BLM::Cerberus/Ragnarok/Bahamut::1/23/2004 - 3/25/2015 :: Retired
RDM First 75 Job :: RDM Maat victory: March 28, 2008 (1/3) :: San d'Oria R10 Long live King Destin :: Praise be to the late King Ranperre.
FFXIV character: Selene Silverstorm :: F Lalafell :: WAR60/WHM60/BLM60 :: Ragnarok :: 9/2013 -
Patch note archives for FFXIV: http://na.finalfantasyxiv.com/lodestone/special/patchnote_log/
#30 Oct 14 2013 at 12:46 PM Rating: Decent
Needs More Smut
******
21,262 posts
Hairspray wrote:
Catwho wrote:
This could also be something that they ninja-fixed without announcing anything, and they're gathering the data on folks who attempt it after the fix in preparation for a mass banning.

They'll announce the problem and the resolution at the same time they announce the ban of the 1000+ accounts they caught doing it.


HAHA!!! Most likely!

Do you think it could have been part of the reason why so many people were temporarily or permanently banned recently too?

Can't say for sure. The bans have been all over the place.
____________________________
FFXI: Catwho on Bismarck: Retired December 2014
Thayos wrote:
I can't understand anyone who skips the cutscenes of a Final Fantasy game. That's like going to Texas and not getting barbecue.

FFXIV: Katarh Mest and Taprara Rara on Lamia Server - Member of The Swarm
Curator of the XIV Wallpapers Tumblr and the XIV Fashion Tumblr
#31 Oct 15 2013 at 4:21 AM Rating: Excellent
*****
12,824 posts
Pretty much this is what I was afraid they were doing...

The issue is that I don't think Yoshi P rebuilt the client, he just added on and exported the client-control section of the original server code... meaning that it's 100% trusted in making all the decisions....

This is really, really bad.
____________________________
Twitter: http://www.twitter.com/pawkeshup
YouTube: http://www.youtube.com/pawkeshup
Twitch: http://www.twitch.tv/pawkeshup
Blog: http://pawkeshup.blogspot.com
Olorinus the Ludicrous wrote:
The idea of old school is way more interesting than the reality
#32 Oct 17 2013 at 1:47 PM Rating: Good
Avatar
***
2,550 posts
Pickins wrote:
I'm still hoping this is false information, but if not, this is possibly the worst client/server implementation I have ever seen.

Have they never heard of Wireshark? Analyzing and then faking JSON requests is trivial for anyone with a modicum of network and programming skills.

I'm still not entirely convinced, though. If this was the case, why have bots mining shards when you could just add gil directly to your inventory?


I don't know, did you ever play Phantasy Star Online on the Dreamcast and Gamecube? Even the Xbox? All items stored client side.

Also, something tells me that all gil sellers are not the same. I don't think it is a monopolized industry. They apparently develop proprietary techniques. What puzzles me is, who in the name of all that is holy is buying gil to support these moral compass lacking fools?

Edited, Oct 17th 2013 2:49pm by Valkayree
____________________________
Character Name: Valk Ayree
Server: Lamia; Free Company Leader - The Swarm (Swarm)
http://na.finalfantasyxiv.com/lodestone/character/1746889/
- Blue Mage? FTW? -
#33 Oct 17 2013 at 1:52 PM Rating: Good
Guru
Avatar
*****
11,082 posts
Simple answer? People without time, time they likely spent making the RL money to begin with.

Unfriendly grinds just serve to be the dev end of the equation, in part perpetually justified by time spent to develop content.
____________________________
Violence good. **** bad. Yay America.
#34 Oct 17 2013 at 2:06 PM Rating: Excellent
Avatar
***
2,550 posts
Seriha wrote:
Simple answer? People without time, time they likely spent making the RL money to begin with.

Unfriendly grinds just serve to be the dev end of the equation, in part perpetually justified by time spent to develop content.


I don't have time either, but I guess I am of that old school mentality that likes to earn my keep for that sense of accomplishment. I have never much respected the silver spoon folks.
____________________________
Character Name: Valk Ayree
Server: Lamia; Free Company Leader - The Swarm (Swarm)
http://na.finalfantasyxiv.com/lodestone/character/1746889/
- Blue Mage? FTW? -
#35 Oct 18 2013 at 7:17 AM Rating: Good
Needs More Smut
******
21,262 posts
Valkayree wrote:
Seriha wrote:
Simple answer? People without time, time they likely spent making the RL money to begin with.

Unfriendly grinds just serve to be the dev end of the equation, in part perpetually justified by time spent to develop content.


I don't have time either, but I guess I am of that old school mentality that likes to earn my keep for that sense of accomplishment. I have never much respected the silver spoon folks.


Same here. Now that I'm working 45-50 hour weeks and only have an hour or two, if any time at all, for gaming most days, I am supposed to be the prime demographic for gilsellers. Too bad I'm totally okay with leveling slowly and farming my own materials whenever I can.
____________________________
FFXI: Catwho on Bismarck: Retired December 2014
Thayos wrote:
I can't understand anyone who skips the cutscenes of a Final Fantasy game. That's like going to Texas and not getting barbecue.

FFXIV: Katarh Mest and Taprara Rara on Lamia Server - Member of The Swarm
Curator of the XIV Wallpapers Tumblr and the XIV Fashion Tumblr
#36 Oct 19 2013 at 11:19 AM Rating: Good
Avatar
*
121 posts
This is pretty unbelievable. Not that you can run to 50, but that items are stored client side. What a rookie mistake (cost savings?) by a veteran company. A fix would probably require a complete overhaul, but I will keep playing nonetheless. What I don't understand is it would only take a moment to scrape the logs for X amount of level ups or X amount of shout repeats in a given amount of time to ban the offenders.

Edited, Oct 19th 2013 1:29pm by ErikHighwind
____________________________
[img]http://xivreborn.com/gen/Erik_Highwind_Coeurl_Classes.jpg[/img]
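The log-scraping idea in the post above (flag any character with too many level-ups in a given span of time), as an added example that is not SE's tooling: a sliding-window scan over constructed level-up log lines, with a legitimate crafter and one character that climbs from 21 to 50 in thirty seconds. The log format, character names and threshold are assumptions for the illustration.

```python
"""Flag characters whose level-up events cluster implausibly (added example).

Log format, names and thresholds are constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical server log line: "<date> <time> LEVELUP char=<name> class=<job> lvl=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LEVELUP "
    r"char=(?P<char>\S+) class=(?P<cls>\S+) lvl=(?P<lvl>\d+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_log():
    """Constructed input: one legitimate crafter and one character that goes
    from level 21 to 50 at one level per second."""
    lines = [
        "2013-10-11 13:40:01 LEVELUP char=HonestCrafter class=CRP lvl=21",
        "2013-10-11 13:40:30 CHAT char=HonestCrafter msg=selling maple lumber",
        "2013-10-11 14:55:17 LEVELUP char=HonestCrafter class=CRP lvl=22",
    ]
    start = datetime(2013, 10, 11, 13, 41, 0)
    for i, lvl in enumerate(range(21, 51)):
        ts = (start + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append("%s LEVELUP char=Suspect class=CRP lvl=%d" % (ts, lvl))
    return lines


def parse_levelups(lines):
    """Yield (timestamp, character) for LEVELUP lines, oldest first.
    Unrelated or malformed lines are skipped so one bad line never stops the scan."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["char"]))
    events.sort()
    return events


def find_suspicious(lines, max_levelups=5, window=timedelta(minutes=10)):
    """Return {char: (count, window_start, window_end)} for every character
    with more than max_levelups level-ups inside any span of length `window`."""
    recent = defaultdict(deque)   # char -> timestamps inside the current window
    flagged = {}
    for ts, char in parse_levelups(lines):
        q = recent[char]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > max_levelups:
            prev = flagged.get(char)
            if prev is None or len(q) > prev[0]:   # keep the densest window seen
                flagged[char] = (len(q), q[0], q[-1])
    return flagged


if __name__ == "__main__":
    for name, (count, first, last) in find_suspicious(build_sample_log()).items():
        print("%s: %d level-ups between %s and %s" % (name, count, first, last))
```

A real deployment would feed the same function a stream of parsed events rather than a list, but the window logic is unchanged.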