I was now thinking about the gold duplication bug in the game and something came to light: there could be a very serious design flaw in the game server backend.
To put it in context: I’ve worked with server backends from other online games; the case I’m putting in perspective is “Lineage 2 Java Based”. Something common in servers in the past were hacks that did packet injection in the game, simulating character actions.
Something very common in early server versions were hacks that simulated receiving items for characters by simulating drops from monsters, causing a character to receive an item that he shouldn’t actually be receiving. This was because the item receipt was interpreted by a package sent to the client, which returns it to the server in response to the item receipt confirmation and, on the server side, the item was added to the character based on the client’s confirmation, not when the drop was calculated. Result: hacks could simulate, via packet injection, the receipt confirmation of any game item and the server would not realize that it was being spoofed.
I think the only explanation for this kind of thing happening at New World is because part of the shipping and delivery confirmation of items depends on something client-side, which is serious. From my point of view something like this should happen:
1. Player A trades with Player B
2. Player A places X gold, both confirm the transaction
3. A’s game sends to the server the package informing that it has passed X gold to B.
4. B’s game receives the information that X gold was received, adds the X gold information on the interface and then informs the server that it received X gold, which, in turn, updates the +X gold in the database.
5. The server tries to tell A’s game that X gold has been debited, but it can’t find the game instance. So, without receiving confirmation from the game itself, it does not deduct the X gold from A’s in the database, allowing A to keep the same amount of gold in the bag and send that gold again to another player.
Having all this flow explained now comes the question that worries me the most: is it possible to simulate the packages from the 4th step of this transaction even though the bug has been resolved?
shameless bump - obviously there are inconsistencies in the databases themselves with naming, perhaps to keep the servers ‘distinct’ in a world approach.
…but really all I want is some attention to /unstuck…
because I’m stuck behind terrain again… having just climbed behind a boulder. Unstuck doesn’t place me outside of this terrain. It only places me back to where I got stuck? Or something… I dunno.
Lineage 2 used the Unreal Engine, which has a C# plugin allowing you to write wrapper code for the engine. So I’m assuming you’re talking about some ‘emulator home brew version’ which is not going to have the same net-code or even the same game engine. So, whatever you worked on was not an actual online game server, let’s just get that out there first.
To the actual point, there are dupes in all games, they just need to clamp down on actions that result in the duping of anything by tracking any object that has duplicate ID#'s (the name ranges from game to game where each object in game has a unique identifier) and if duped that can trigger an email or in game notification to a GM actively by ‘active transaction monitoring code’ or retro-actively via a ‘log tracking’ set of code.
Just saying… they probably already have this in place, and have a list of peeps to ban already.
Thing is: the game language doesn’t matter if the structured logic about item transactions is flawed in the backend, same works on any application (web, cellphone, et cetera).
In my example, “Java Homebrewed servers” fixed it not by changing the engine of the game or how the game works in these cases, but by making fixes on the backend itself that was badly developed.
My concern is that the NW game seems to work very similarly and it makes it “easy” for hackers to do it… there’s a lot of “BOT” software that is already on the market working fine on the game, then it’s just a matter of time for people to realize how to hack the packets, if this is the case.
Maybe, your logic is sound, that much is true, but all this talk about packets, I am not so sure. Most likely they are using memory injection tools where you find a loc in mem and you trap those pointers, or clone the pointers, name them and assign or inject new data into the mem locs. That is what is going on here.
In the 1980s it was a peek and poke, in more modern times it’s a memory injection, same idea, different name.
But your concerns are 100% spot on and I agree. Too much data running unchecked in the client application that can be ‘modded’ on the fly.
Bruh, doesn’t that refer to people simply using a lag switch? Not actual injection.
To my knowledge, what was happening is that people would wait for the “gold sent” step but disconnect (lag) before the (gold deducted) step, meaning that the transaction would be cancelled but the person already received the item, thus confusing the packet process, which leads to dupes.
“First, I wish to explain why we turned off things. We are aware about a small number of players using a package manipulation approach to create invalid transactions. […]”
But, first of all: why isn’t the game server updating the player gold/items amounts in the database after every transaction? Is it because the client isn’t responding? THAT’S REALLY DUMB and opens a door to the hell of bug exploiters to do exactly what I’ve talked about in the original post on this thread.
All item transactions must be server-side, the gameserver must update the character inventory in the database after every transaction (even if the client isn’t responding) and the game client must update the local inventory data based on server info every time the inventory/stash/trade window is opened to update item amounts and if the server isn’t responding the character should be disabled from trading, spending or depositing anything. That’s the only way to avoid this kind of behavior: the game client needs to be 100% passive.
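The server-side flow argued for in this thread, as an added example that is not part of any post and is not the game's own code: the debit and the credit commit in one database transaction, no client acknowledgement is consulted, and a replayed trade is rejected. The `wallet` and `trade` tables, the function names and the sample balances are assumptions constructed for illustration.

```python
import sqlite3

def open_ledger(balances):
    """Constructed in-memory ledger; table and column names are assumptions."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.execute("CREATE TABLE wallet (player TEXT PRIMARY KEY, "
               "gold INTEGER NOT NULL CHECK (gold >= 0))")
    db.execute("CREATE TABLE trade (trade_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", balances.items())
    return db

def transfer_gold(db, trade_id, sender, receiver, amount):
    """Debit and credit together or not at all, decided only by the server.
    A client that disconnects mid-trade cannot split the two updates."""
    if amount <= 0 or sender == receiver:
        return False
    try:
        db.execute("BEGIN IMMEDIATE")
        # The primary key rejects a trade_id that was already processed (replay).
        db.execute("INSERT INTO trade VALUES (?)", (trade_id,))
        debited = db.execute(
            "UPDATE wallet SET gold = gold - ? WHERE player = ? AND gold >= ?",
            (amount, sender, amount)).rowcount
        credited = db.execute(
            "UPDATE wallet SET gold = gold + ? WHERE player = ?",
            (amount, receiver)).rowcount
        if debited != 1 or credited != 1:
            raise ValueError("insufficient funds or unknown player")
        db.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, ValueError):
        db.execute("ROLLBACK")  # neither side changes
        return False

def balance(db, player):
    return db.execute("SELECT gold FROM wallet WHERE player = ?",
                      (player,)).fetchone()[0]

def total_gold(db):
    """Conservation check: a trade must never change the sum of all wallets."""
    return db.execute("SELECT SUM(gold) FROM wallet").fetchone()[0]
```

Comparing `total_gold` before and after a batch of trades gives a simple server-side invariant to alert on when gold appears from nowhere.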