
Why can they hack this script?


Nero

Question


  • Group:  Members

ayothaya,151,171,3	script	Drops Trader	403,{
	mes .name$;
	mes "You currently have "+countitem(.Imagine_item)+" Mithril coin/s.";
	mes "Would you like to look at the shop?";
	next;
	if(select("Yes:No") == 2) {
		close;
	}
	close2;
	callshop "Imagine_SHOP",1;
	npcshopattach "Imagine_SHOP";
	dispbottom "You currently have "+countitem(.Imagine_item)+" Mithril coin/s.";
	end;

OnBuyItem:
	for(set @i,0; @i < getarraysize(@bought_nameid); set @i,@i+1) {
		for(set @j,0; @j < getarraysize(.Imagine_ITEMS); set @j,@j+2) {
			if(.iMAGINE_ITEMS[@j] == @bought_nameid[@i]) {
				set @itemcost,(.IMAGINE_ITEMS[(@j+1)]*@bought_quantity[@i]);
				set @totalcost,(@totalcost+@itemcost);
				break;
			}
		}
	}
	if(@totalcost > countitem(.Imagine_item)) {
		dispbottom "You don't have enough coin.";
	}
	else {
		for(set @i,0; @i < getarraysize(@bought_nameid); set @i,@i+1) {
			getitem @bought_nameid[@i],@bought_quantity[@i];
		}
		delitem .Imagine_item,@totalcost;
		dispbottom "Thank you for shopping.";
		dispbottom "You now have "+countitem(.Imagine_item)+" Mithril coin left.";
	}
	set @totalcost,0;
	deletearray @bought_nameid[0],128;
	deletearray @bought_quantity[0],128;
	end;

OnInit:
	npcshopdelitem "Imagine_SHOP",909;	 // Leave this alone
	set .name$,"[DropsTrader]";
	set .Imagine_item,674;	 // Input TCG ID
	setarray .Imagine_ITEMS[0],7086,2,7090,2,7091,2,7077,2,7076,2;	 // Input as many items as you want (item::price)



	for(set .@i,0; .@i < getarraysize(.IMAGINE_ITEMS); set .@i,.@i+2) {
		npcshopadditem "Imagine_SHOP",.IMAGINE_ITEMS[.@i],.Imagine_ITEMS[(.@i+1)];
	}
}


-	shop	Imagine_SHOP	139,909:1
 

In my past server, as I've used this script, some people can hack or bug this script using hack programs.

I already posted it here before, but I'm not satisfied with the feedback that I've received. I'm really afraid to use a dynamic shop or multi-currency shop because of this...

Can anybody figure out why?


7 answers to this question



  • Group:  Members

I would like to suggest always putting delitem before getitem.

So, the script execution will stop if the player doesn't have the item. This will prevent exploits like sending mail with the item attached.
  • Upvote 1


  • Group:  Members

So that's how they hacked it? By using @mail?



  • Group:  Members

I don't know exactly. @mail can be used to exploit badly coded scripts. Details: http://eathena.ws/forum/tracker/issue-5098-mail-potential-exploit/



  • Group:  Developer

I don't see any problem in this script (unless the price of Jellopy but no need to worry).



  • Group:  Members

I'm sorry that I cannot explain how they can hack it, but as I observed, they can get any items in that NPC. This was also the problem of another eAthena member before.



  • Group:  Members

Maybe they're using a program to retain the items (in this case the TCG), so the script thinks it's already deleted via delitem but actually it's not.

You could make a check before and after the transaction.

Like this:

ayothaya,151,171,3    script    Drops Trader    403,{
    mes .name$;
    mes "You currently have "+countitem(.Imagine_item)+" Mithril coin/s.";
    mes "Would you like to look at the shop?";
    next;
    if(select("Yes:No") == 2) {
        close;
    }
    close2;
    callshop "Imagine_SHOP",1;
    npcshopattach "Imagine_SHOP";
    dispbottom "You currently have "+countitem(.Imagine_item)+" Mithril coin/s.";
    end;

OnBuyItem:
    for(set @i,0; @i < getarraysize(@bought_nameid); set @i,@i+1) {
        for(set @j,0; @j < getarraysize(.Imagine_ITEMS); set @j,@j+2) {
            if(.iMAGINE_ITEMS[@j] == @bought_nameid[@i]) {
                set @itemcost,(.IMAGINE_ITEMS[(@j+1)]*@bought_quantity[@i]);
                set @totalcost,(@totalcost+@itemcost);
                break;
            }
        }
    }
    if(@totalcost > countitem(.Imagine_item)) {
        dispbottom "You don't have enough coin.";
    }
    else {
        // Record the coin count and the balance expected after payment.
        set .@before,countitem(.Imagine_item);
        set .@expected,.@before-@totalcost;
        delitem .Imagine_item,@totalcost;
        for(set @i,0; @i < getarraysize(@bought_nameid); set @i,@i+1) {
            getitem @bought_nameid[@i],@bought_quantity[@i];
        }
        // Log the purchase if the coin count did not change or does not match the expected balance.
        set .@after,countitem(.Imagine_item);
        if (.@before == .@after || .@after != .@expected) logmes "WARNING: "+strcharinfo(0)+" is trying to buy items from NPC "+.name$+" illegally!";
        dispbottom "Thank you for shopping.";
        dispbottom "You now have "+countitem(.Imagine_item)+" Mithril coin left.";
    }
    set @totalcost,0;
    deletearray @bought_nameid[0],128;
    deletearray @bought_quantity[0],128;
    end;

OnInit:
    npcshopdelitem "Imagine_SHOP",909;     // Leave this alone
    set .name$,"[DropsTrader]";
    set .Imagine_item,674;     // Input TCG ID
    setarray .Imagine_ITEMS[0],7086,2,7090,2,7091,2,7077,2,7076,2;     // Input as many items as you want (item::price)



    for(set .@i,0; .@i < getarraysize(.IMAGINE_ITEMS); set .@i,.@i+2) {
        npcshopadditem "Imagine_SHOP",.IMAGINE_ITEMS[.@i],.Imagine_ITEMS[(.@i+1)];
    }
}


-    shop    Imagine_SHOP    139,909:1
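A stricter OnBuyItem handler in the same script dialect, added here as an example; it was not posted by anyone in this thread. It combines the two suggestions above (delitem before getitem, and checking the coin count around the transaction) and also refuses any bought ID that is not in .Imagine_ITEMS, because the posted handler adds nothing to @totalcost for such an ID yet still passes it to getitem. The variables .@ok, .@price and .@total and the log wording are assumptions of this example.

```athena
// Added example: replacement OnBuyItem for the "Drops Trader" NPC above.
// Reuses .name$, .Imagine_item and .Imagine_ITEMS from the posted OnInit.
OnBuyItem:
	set .@ok,1;
	set .@total,0;
	// Pass 1: price the basket and validate every entry before touching inventory.
	for(set .@i,0; .@i < getarraysize(@bought_nameid); set .@i,.@i+1) {
		set .@price,-1;	// -1 = not found in the price table
		for(set .@j,0; .@j < getarraysize(.Imagine_ITEMS); set .@j,.@j+2) {
			if(.Imagine_ITEMS[.@j] == @bought_nameid[.@i]) {
				set .@price,.Imagine_ITEMS[.@j+1];
				break;
			}
		}
		// Refuse unlisted items and non-positive quantities instead of pricing them at 0.
		if(.@price < 0 || @bought_quantity[.@i] < 1) {
			set .@ok,0;
			break;
		}
		set .@total,.@total + .@price * @bought_quantity[.@i];
	}
	set .@before,countitem(.Imagine_item);
	if(!.@ok || .@total < 1) {
		logmes "WARNING: "+strcharinfo(0)+" sent an invalid purchase list to NPC "+.name$;
		dispbottom "This purchase cannot be processed.";
	}
	else if(.@total > .@before) {
		dispbottom "You don't have enough coin.";
	}
	else {
		// Debit first, confirm the debit took effect, and only then hand out items.
		delitem .Imagine_item,.@total;
		if(countitem(.Imagine_item) != .@before - .@total) {
			logmes "WARNING: "+strcharinfo(0)+" coin balance did not drop after delitem at NPC "+.name$;
		}
		else {
			for(set .@i,0; .@i < getarraysize(@bought_nameid); set .@i,.@i+1) {
				getitem @bought_nameid[.@i],@bought_quantity[.@i];
			}
			dispbottom "Thank you for shopping.";
			dispbottom "You now have "+countitem(.Imagine_item)+" Mithril coin left.";
		}
	}
	deletearray @bought_nameid[0],128;
	deletearray @bought_quantity[0],128;
	end;
```

Unlike the logging-only check in the answer above, this version hands out nothing when the basket fails validation or the debit cannot be confirmed.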


  • Group:  Forum Moderator

If you want, you can try these 2... so far, never received any abusable feedback for these 2 scripts.

or

trunk/npc/custom/quests/quest_shop.txt
