[1.298, 1.310/1.351/2.0] Exchange system item dupes/abuse
Rocket explained an exploit to me I hadn't heard of previously; you could basically exchange any chest (although it's not limited to chests!) repeatedly until you get what you wanted. This works via a method similar to the /trade cancel dupe method - except the server's not confused, the client is. The client is manually edited to hide the trade window (after starting a trade with someone & putting up your chests, so they're "safe"), so you can go about your business & exchange your chests. If you don't get what you want, you cancel the trade and your chests are returned to you, so you can do it until you get exactly what you want.
The exchange system runs through the EVT event logic handler, so to fix this I patched the start of that handler to check whether the player is busy trading (or using the PUS, etc.) and bail out of the handler if so. This also means that any other 'dupe' exploits relying on EVT use while trading can no longer be used.
So here it is, for 1.310 (presumably 1.351 - I don't know if the codecave is in use!) and 1.298.
1.298
004BBCB0  39BB 3C810000         CMP DWORD PTR DS:[EBX+813C],EDI
004BBCB6 ^E9 F4F2FFFF           JMP 004BAFAF
004BBCBB ^E9 DDF9FFFF           JMP 004BB69D
004BBCC0  80BB DD890000 00      CMP BYTE PTR DS:[EBX+89DD],0
004BBCC7 ^75 F2                 JNZ SHORT 004BBCBB
004BBCC9  66:81BB DE890000 FFFF CMP WORD PTR DS:[EBX+89DE],0FFFF
004BBCD2 ^75 E7                 JNZ SHORT 004BBCBB
004BBCD4  80BB FC890000 00      CMP BYTE PTR DS:[EBX+89FC],0
004BBCDB ^75 DE                 JNZ SHORT 004BBCBB
004BBCDD  80BB FD890000 00      CMP BYTE PTR DS:[EBX+89FD],0
004BBCE4 ^75 D5                 JNZ SHORT 004BBCBB
004BBCE6 ^EB C8                 JMP SHORT 004BBCB0
004BAFAA  E9 110D0000           JMP 004BBCC0
004BAFAF  90                    NOP

1.310
00502F48  39BB 1C810000         CMP DWORD PTR DS:[EBX+811C],EDI
00502F4E ^E9 6379F9FF           JMP 0049A8B6
00502F53 ^E9 5080F9FF           JMP 0049AFA8
00502F58  80BB D5890000 00      CMP BYTE PTR DS:[EBX+89D5],0
00502F5F ^75 F2                 JNZ SHORT 00502F53
00502F61  66:81BB D6890000 FFFF CMP WORD PTR DS:[EBX+89D6],0FFFF
00502F6A ^75 E7                 JNZ SHORT 00502F53
00502F6C  80BB F4890000 00      CMP BYTE PTR DS:[EBX+89F4],0
00502F73 ^75 DE                 JNZ SHORT 00502F53
00502F75  80BB F5890000 00      CMP BYTE PTR DS:[EBX+89F5],0
00502F7C ^75 D5                 JNZ SHORT 00502F53
00502F7E ^EB C8                 JMP SHORT 00502F48
0049A8B1  E9 A2860600           JMP 00502F58
0049A8B6  90                    NOP

1.351/1.397
00502DC3  39BB 1C810000         CMP DWORD PTR DS:[EBX+811C],EDI
00502DC9 ^E9 E87AF9FF           JMP 0049A8B6
00502DCE ^E9 D581F9FF           JMP 0049AFA8
00502DD3  80BB D5890000 00      CMP BYTE PTR DS:[EBX+89D5],0
00502DDA ^75 F2                 JNZ SHORT 00502DCE
00502DDC  66:81BB D6890000 FFFF CMP WORD PTR DS:[EBX+89D6],0FFFF
00502DE5 ^75 E7                 JNZ SHORT 00502DCE
00502DE7  80BB F4890000 00      CMP BYTE PTR DS:[EBX+89F4],0
00502DEE ^75 DE                 JNZ SHORT 00502DCE
00502DF0  80BB F5890000 00      CMP BYTE PTR DS:[EBX+89F5],0
00502DF7 ^75 D5                 JNZ SHORT 00502DCE
00502DF9 ^EB C8                 JMP SHORT 00502DC3
0048E392  E9 3C4A0700           JMP 00502DD3
0048E397  90                    NOP

Thanks Rocket for mentioning the exploit and explaining how it works.
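The check the codecave performs, written out in C as an added example (not the forum author's patch). The listings only give offsets from EBX, so the field names trade_flag, trade_partner, busy_a and busy_b and their meanings are assumptions taken from the author's description, and PLAYER_SIZE is a constructed buffer size.

```c
/* Added example, not the forum author's patch: the codecave's four checks written in C.
 * The listings give only offsets from EBX; the field names below are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PLAYER_SIZE 0x9000  /* constructed: just past the highest offset checked */

/* Offsets the cave compares, per version, copied from the listings. */
struct evt_offsets {
    const char *version;
    uint32_t trade_flag;    /* BYTE, must be 0      (assumed: trade in progress)  */
    uint32_t trade_partner; /* WORD, must be 0xFFFF (assumed: no trade partner)   */
    uint32_t busy_a;        /* BYTE, must be 0      (assumed: PUS or similar)     */
    uint32_t busy_b;        /* BYTE, must be 0      (assumed: other busy state)   */
};

static const struct evt_offsets OFFS_1_298 = { "1.298",       0x89DD, 0x89DE, 0x89FC, 0x89FD };
static const struct evt_offsets OFFS_1_310 = { "1.310/1.351", 0x89D5, 0x89D6, 0x89F4, 0x89F5 };

/* Mirrors the cave: 1 = a check failed and the EVT event is rejected (JMP to the
 * handler's exit path), 0 = the original CMP runs and the handler continues. */
int evt_player_busy(const uint8_t *player, const struct evt_offsets *o)
{
    uint16_t partner;
    memcpy(&partner, player + o->trade_partner, sizeof partner); /* unaligned WORD read */
    if (player[o->trade_flag] != 0) return 1;  /* CMP BYTE PTR [EBX+..],0     / JNZ */
    if (partner != 0xFFFF)          return 1;  /* CMP WORD PTR [EBX+..],0FFFF / JNZ */
    if (player[o->busy_a] != 0)     return 1;
    if (player[o->busy_b] != 0)     return 1;
    return 0;                                  /* JMP SHORT back to the original CMP */
}

/* Builds a constructed player block with the given field values and runs the gate.
 * Returns 1 if the exchange event would be handled, 0 if rejected, -1 on alloc failure. */
int evt_check_state(const struct evt_offsets *o, uint8_t trade_flag,
                    uint16_t partner, uint8_t busy_a, uint8_t busy_b)
{
    uint8_t *p = calloc(PLAYER_SIZE, 1);
    if (!p) return -1;
    p[o->trade_flag] = trade_flag;
    memcpy(p + o->trade_partner, &partner, sizeof partner);
    p[o->busy_a] = busy_a;
    p[o->busy_b] = busy_b;
    int handled = !evt_player_busy(p, o);
    free(p);
    return handled;
}
```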