How To Crash Hgserver
buffer overflowing the level of a character generally crashes a server
<img src='http://ic1.deviantart.com/fs11/i/2006/1 ... leroth.gif' border='0' alt='user posted image' />
It generally does not 
Taking a peep at the code learns you that most of the times your character just get disconnected.
I must admit i never thought about the shutdown command bening sent to it.
If it is sent over a socket (tcp) connection, one can easily spoof the originating ip address, so i see some potential there
Taking a peep at the code learns you that most of the times your character just get disconnected.
I must admit i never thought about the shutdown command bening sent to it.
If it is sent over a socket (tcp) connection, one can easily spoof the originating ip address, so i see some potential there
-
twistedrealm
- Regular
- Posts: 35
- Joined: Sat Sep 25, 2004 6:34 am
if u DDos it with enough computers/big enough connection and u crash one of the maps u can up the map on ur own computer then edit the hg server and do what ever u want
<img src='http://www.stickdeath.com/blair.gif' border='0' alt='user posted image' /><a href='http://www.stickdeath.com/blair.gif' target='_blank'>stickdeath</a>
It's much easier to just modify your charfile with an extra added HG....
<img src='http://i9.tinypic.com/2vs292h.jpg' border='0' alt='user posted image' />
you still dont know that you dont need to down a map? you can just put up a hgserver with a map like "omgthismapsux.amd" and tadatwistedrealm wrote: if u DDos it with enough computers/big enough connection and u crash one of the maps u can up the map on ur own computer then edit the hg server and do what ever u want
Correct! Going on for the fridge!Jaap wrote:you still dont know that you dont need to down a map? you can just put up a hgserver with a map like "omgthismapsux.amd" and tadatwistedrealm wrote: if u DDos it with enough computers/big enough connection and u crash one of the maps u can up the map on ur own computer then edit the hg server and do what ever u want
<img src='http://i9.tinypic.com/2vs292h.jpg' border='0' alt='user posted image' />
Maybe, but I'm sure there's no GrolschDarkieDuck wrote: heineken in it ?
<img src='http://i9.tinypic.com/2vs292h.jpg' border='0' alt='user posted image' />
If you have the right tools, you don't need alot of computers.twistedrealm wrote: if u DDos it with enough computers/big enough connection and u crash one of the maps u can up the map on ur own computer then edit the hg server and do what ever u want
Besides, if you hit a HG Server with UDP it will most likely restart the server or crash it completly.
Noob, try putting your char lvl 20000marburg wrote: It generally does not
Taking a peep at the code learns you that most of the times your character just get disconnected.
I must admit i never thought about the shutdown command bening sent to it.
If it is sent over a socket (tcp) connection, one can easily spoof the originating ip address, so i see some potential there
<img src='http://ic1.deviantart.com/fs11/i/2006/1 ... leroth.gif' border='0' alt='user posted image' />
Don't hope to connect your character into a well kept server...u crash one of the maps u can up the map on ur own computer then edit the hg server and do what ever u want
- Maybe China351 server files are eligeable for that?
- HBx2.24 includes an Admin list
- I's really easy to change some little thingswhen coding own server, end your "parasitic" server will not have it,so either unable to read character or the character it'll save will not be read by other servers.
- Finally Just find your target server name! (WS1 ? WS2 ? WS15 ? or ???)
_\_ _<br> / , \__/ . \ Admin of Equilibrium Project<br> II\ \___ . O<br> III \_/ \ _ / <a href='http://www.equiprojet.com' target='_blank'>http://www.equiprojet.com</a><br> II I¯I
I'm about to go a bit offtopic here, since this topic is about crashing the server, not hacking it. But I'll post it here anyway.
History
A long time ago, on Helbreath International when it was still in BETA, there were those few people that had the 2.03 server source. If you've played Helbreath International, you'll probably remember them. People like MamaBearz running around with edited character and GM-Shield or duries with alot of rares including Xelima's Axe, Blade and Rapier. Also, there was a guy that went into Elvine WH and mass spawned Helclaws and Tigerworms.
Good, you remember it. That's the history of the hack. These people (or perhaps one person) was the father of the "worldserver registration hack". Actually, it's not really a hack - it's more like a stupid thing Siementech forgot to do.
Suddenly, at a certain point a few months before P2P, the 2.03 server source was available to more people and they found out the same basic concept of the hack. They compiled it, connected to the Helbreath International server and pressed the INS and DEL key repeatedly to produce mass meteor strikes through Helbreath International with mass panic ingame. This happened several times.
You probably remember that too, don't you?
It's time to explain how this hack works. Like I said it can be described as the "worldserver registration hack".
How the hack works
The most simple way to express how the hack works is as follows;
You connect your socket to the worldserver, send a (correct) registration packet to it and then you send the character save packet along with the character info you want to save. It's amazing, because you can actually send the entire character data TXT file along. This means that you can change anything, including stats, skills, adminlevel, items, and so forth.
So, what do I mean with "registration packet" and "character save packet"? Because nowadays everyone has source code of the gameserver and client, we can look into some of the code and how the worldserver works. I'll quickly explain how the Helbreath server system is structured. That will hopefully make a clear picture of how the hack works in a more detailed way.
Above you see how the system is organized. The clients connect to port 2848 and login. Once they've succesfully logged in, they get redirected by the MainLogServer to the correct HGServer (based on which map they are in). Usually, those gameserver ports start at 3001 and onwards, but private servers commonly use 9001 and onwards.
The gateserver is the most boring part, and is not too useful when you hack a Helbreath server. The gateserver is used to send global message to all HGServers in a particular world. It was used to make mass meteor strikes. But, you can't change your character by using the gateserver. Also, gateservers nowadays are protected with a so called "permitted-address" configuration. You can configure what IP is allowed to connect to it. If you're not on this list, you won't get registered.
The worldserver is the most interesting, it maintains all character data (MainLogServer maintains the account data). Each gameserver registered to the worldserver. The worldserver connects to the MainLogServer on port 3840 (internal port). You *could* add a worldserver to any private server out there, but that's pretty useless. You'd have a complete different character base.
The vulnerable point lies in the worldserver itself. Port 2501 is the one that the gameservers use to connect to the worldserver and register to it. In the old days, even Siementech didn't secure this port and that why people were able to hack it. The worldserver that everyone still uses is still not secure. If port 2501 is open, it basically means you can get in. If a firewall blocks it, too bad - you're out. That means the server is not hackable by this exploit. If you can't find a worldserver on port 2501, it doesn't always mean that it's blocked by a firewall though. Some people change the port of the worldserver (and that's what you *should* do). But, you can attempt to locate it by portscanning. Most semi-smart private servers just use a tad higher port number like 2505 or so, so try that first.
Connected. Now what?
The technical part starts now, because you need to establish a connection to the worldserver, then register to it and finally send in your character data. After that, you can immediately disconnect.
To make a connection, you must use the Helbreath packet format which is roughly as follows:
[ Key(1) ][ Size(2) ][ MsgId(4) ][ MsgType(2) ][ All other packet-related data(X) ]
The numbers between brackets mean how many bytes that part of the packet it takes. As you can see, we can identify which packet is which by looking at it's MsgId and MsgType (MsgType is not always used though). Furthermore, you can always use key 0x00, which means that you don't encypt the packet (it's not required).
The MsgId's for the most interesting packets are right in the NetMessages.h source code that *everyone* has. Obviously, since the gameserver uses that in order to register to the worldserver. The packets used are the following ones:
MSGID_REQUEST_REGISTERGAMESERVER (to register)
MSGID_REQUEST_PLAYERDATA (to fetch character data)
MSGID_REQUEST_SAVEPLAYERDATA (to save character data)
Those 3 packets are the ones we need. The others are not interesting. The structure of each of the packets is as follows:
MSGID = MSGID_REQUEST_REGISTERGAMESERVER (0x0512A3F4, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
SERVER NAME = 10 bytes (char)
SERVER IP ADDRESS = 16 bytes (char)
SERVER PORT = 2 bytes (WORD)
TOTAL MAPS = 1 byte (char)
And then for each map (specified in TOTAL MAPS):
MAPNAME = 11 bytes (char)
MSGID = MSGID_REQUEST_PLAYERDATA (0x0C152210, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
CHARNAME = 10 bytes (char)
ACCOUNT NAME = 10 bytes (char)
PASSWORD = 10 bytes (char)
CLIENT IP ADDRESS = 15 bytes (char)
MSGID = MSGID_REQUEST_SAVEPLAYERDATA (0x0DF3076F, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
CHARACTER NAME = 10 bytes (char)
ACCOUNT NAME = 10 bytes (char)
PASSWORD = 10 bytes (char)
FLAG = 1 byte (char)
CHARACTER FILE DATA = various bytes (char)
You could use a modified 2.03 gameserver to connect and succesfully send the correct packets using the XSocket class. But, it's also very possible to just make a new project and quickly hack up a nice program to do it.
Conclusion
So, you see - you do not need to down a map to get in. You don't need to enter a map with a character just to modify it. You can do it directly as well.
The best part is that it makes the HBx Admincfg totally useless, because you can give yourself items, change your stats and so on without the need for a GameMaster character! (GM chars SUX!)
I hope you found it a useful article. Finally something useful on outpost (well not for some of you, but those can get a kratje Grolsch instead).
Good luck with your future "server hacks"!
History
A long time ago, on Helbreath International when it was still in BETA, there were those few people that had the 2.03 server source. If you've played Helbreath International, you'll probably remember them. People like MamaBearz running around with edited character and GM-Shield or duries with alot of rares including Xelima's Axe, Blade and Rapier. Also, there was a guy that went into Elvine WH and mass spawned Helclaws and Tigerworms.
Good, you remember it. That's the history of the hack. These people (or perhaps one person) was the father of the "worldserver registration hack". Actually, it's not really a hack - it's more like a stupid thing Siementech forgot to do.
Suddenly, at a certain point a few months before P2P, the 2.03 server source was available to more people and they found out the same basic concept of the hack. They compiled it, connected to the Helbreath International server and pressed the INS and DEL key repeatedly to produce mass meteor strikes through Helbreath International with mass panic ingame. This happened several times.
You probably remember that too, don't you?
It's time to explain how this hack works. Like I said it can be described as the "worldserver registration hack".
How the hack works
The most simple way to express how the hack works is as follows;
You connect your socket to the worldserver, send a (correct) registration packet to it and then you send the character save packet along with the character info you want to save. It's amazing, because you can actually send the entire character data TXT file along. This means that you can change anything, including stats, skills, adminlevel, items, and so forth.
So, what do I mean with "registration packet" and "character save packet"? Because nowadays everyone has source code of the gameserver and client, we can look into some of the code and how the worldserver works. I'll quickly explain how the Helbreath server system is structured. That will hopefully make a clear picture of how the hack works in a more detailed way.
Above you see how the system is organized. The clients connect to port 2848 and login. Once they've succesfully logged in, they get redirected by the MainLogServer to the correct HGServer (based on which map they are in). Usually, those gameserver ports start at 3001 and onwards, but private servers commonly use 9001 and onwards.
The gateserver is the most boring part, and is not too useful when you hack a Helbreath server. The gateserver is used to send global message to all HGServers in a particular world. It was used to make mass meteor strikes. But, you can't change your character by using the gateserver. Also, gateservers nowadays are protected with a so called "permitted-address" configuration. You can configure what IP is allowed to connect to it. If you're not on this list, you won't get registered.
The worldserver is the most interesting, it maintains all character data (MainLogServer maintains the account data). Each gameserver registered to the worldserver. The worldserver connects to the MainLogServer on port 3840 (internal port). You *could* add a worldserver to any private server out there, but that's pretty useless. You'd have a complete different character base.
The vulnerable point lies in the worldserver itself. Port 2501 is the one that the gameservers use to connect to the worldserver and register to it. In the old days, even Siementech didn't secure this port and that why people were able to hack it. The worldserver that everyone still uses is still not secure. If port 2501 is open, it basically means you can get in. If a firewall blocks it, too bad - you're out. That means the server is not hackable by this exploit. If you can't find a worldserver on port 2501, it doesn't always mean that it's blocked by a firewall though. Some people change the port of the worldserver (and that's what you *should* do). But, you can attempt to locate it by portscanning. Most semi-smart private servers just use a tad higher port number like 2505 or so, so try that first.
Connected. Now what?
The technical part starts now, because you need to establish a connection to the worldserver, then register to it and finally send in your character data. After that, you can immediately disconnect.
To make a connection, you must use the Helbreath packet format which is roughly as follows:
[ Key(1) ][ Size(2) ][ MsgId(4) ][ MsgType(2) ][ All other packet-related data(X) ]
The numbers between brackets mean how many bytes that part of the packet it takes. As you can see, we can identify which packet is which by looking at it's MsgId and MsgType (MsgType is not always used though). Furthermore, you can always use key 0x00, which means that you don't encypt the packet (it's not required).
The MsgId's for the most interesting packets are right in the NetMessages.h source code that *everyone* has. Obviously, since the gameserver uses that in order to register to the worldserver. The packets used are the following ones:
MSGID_REQUEST_REGISTERGAMESERVER (to register)
MSGID_REQUEST_PLAYERDATA (to fetch character data)
MSGID_REQUEST_SAVEPLAYERDATA (to save character data)
Those 3 packets are the ones we need. The others are not interesting. The structure of each of the packets is as follows:
MSGID = MSGID_REQUEST_REGISTERGAMESERVER (0x0512A3F4, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
SERVER NAME = 10 bytes (char)
SERVER IP ADDRESS = 16 bytes (char)
SERVER PORT = 2 bytes (WORD)
TOTAL MAPS = 1 byte (char)
And then for each map (specified in TOTAL MAPS):
MAPNAME = 11 bytes (char)
MSGID = MSGID_REQUEST_PLAYERDATA (0x0C152210, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
CHARNAME = 10 bytes (char)
ACCOUNT NAME = 10 bytes (char)
PASSWORD = 10 bytes (char)
CLIENT IP ADDRESS = 15 bytes (char)
MSGID = MSGID_REQUEST_SAVEPLAYERDATA (0x0DF3076F, DWORD)
MSGTYPE = DEF_MSGTYPE_CONFIRM (0x0F14, WORD)
Then the other packet data:
CHARACTER NAME = 10 bytes (char)
ACCOUNT NAME = 10 bytes (char)
PASSWORD = 10 bytes (char)
FLAG = 1 byte (char)
CHARACTER FILE DATA = various bytes (char)
You could use a modified 2.03 gameserver to connect and succesfully send the correct packets using the XSocket class. But, it's also very possible to just make a new project and quickly hack up a nice program to do it.
Conclusion
So, you see - you do not need to down a map to get in. You don't need to enter a map with a character just to modify it. You can do it directly as well.
The best part is that it makes the HBx Admincfg totally useless, because you can give yourself items, change your stats and so on without the need for a GameMaster character! (GM chars SUX!)
I hope you found it a useful article. Finally something useful on outpost (well not for some of you, but those can get a kratje Grolsch instead).
Good luck with your future "server hacks"!