PHX vs Multisell

[momo61]

Today on my server, a player tried exploiting with PHX. It was the same situation that I reported last time.

Server console message:
Character: LoLLoR is tryign to cheat in Multisell ID: 12271227

I check his inventory and it shows me he has a lot of Goldbars and items from the multisell shop.
I confronted the player asking him how he did it.

He replied that he was using L2 PHX to send packets in milliseconds to the shop and the server is failing to update his inventory. He told me he wants a reward for explaining how to fix it. I agreed of course.
He said: Add a flood protector of 1 second on the Multisell and I will not be able to send so many packets.

I check the database and some items that he hacked out had the location: VOID in the 'items' table.

Why has this not been taken into concideration ?

[blacksea]

coz we are humans:D

[momo61]

coz we are humans:D

please no such comments. Let's try and find a solution.

[momo61]

not sure if this is a fix:

Code: Select all

Index: MultiSellChoose.java===================================================================--- MultiSellChoose.java    (revision 1791)+++ MultiSellChoose.java    (working copy)@@ -38,6 +38,8 @@ import net.l2emuproject.gameserver.templates.item.L2Armor; import net.l2emuproject.gameserver.templates.item.L2Item; import net.l2emuproject.gameserver.templates.item.L2Weapon;+import net.l2emuproject.gameserver.util.FloodProtector;+import net.l2emuproject.gameserver.util.FloodProtector.Protected;  import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory;@@ -89,6 +91,11 @@     private void doExchange(L2PcInstance player, MultiSellEntry templateEntry, boolean applyTaxes, boolean maintainEnchantment, int enchantment)    {+       if (!FloodProtector.tryPerformAction(player, Protected.MULTISELL))+       {+           return;+       }+        PcInventory inv = player.getInventory();         // given the template entry and information about maintaining enchantment and applying taxes@@ -478,4 +485,4 @@    {        return _C__A7_MULTISELLCHOOSE;    }-}\ No newline at end of file+}

find this line HEROVOICE(10000), and after add this MULTISELL(1000),

[toastgodsupreme]

Yeah, I think L2JOfficial or Emu came up with a similar fix not too long ago. Also the same thing for request html as well so the server couldn't be flooded by thousands of html requests from multiple bot clients at once. a 1 second delay would be appropriate.

[momo61]

Yeah, I think L2JOfficial or Emu came up with a similar fix not too long ago. Also the same thing for request html as well so the server couldn't be flooded by thousands of html requests from multiple bot clients at once. a 1 second delay would be appropriate.

Yes. This is from L2Emu. Almost all forks have fixes except for L2J ^_^ which is very strange since L2J is or should be #1

The guy who exploited this way could also make the server stop with his flooding.
I think something should be done and this should be committed in the flood protection system by fordfrog which was committed here:

http://www.l2jserver.com/trac/changeset/2936

[_DS_]

I testing floodprotector expansion for multisell now..

[toastgodsupreme]

I testing floodprotector expansion for multisell now..

If you implement it, you should implement one for html requests as well so a server can't be flooded.

RequestLinkHtml.java

[momo61]

committed in 3080