[1.298, 1.310/1.351/2.0] Exchange system item dupes/abuse

Twisted 2011-10-13 17:51:48 1346
Rocket explained an exploit to me I hadn't heard of previously; you could basically exchange any chest (although it's not limited to chests!) repeatedly until you get what you wanted. This works via a method similar to the /trade cancel dupe method - except the server's not confused, the client is.

The client is manually edited to hide the trade window (after starting a trade with someone & putting up your chests, so they're "safe"), so you can go about your business & exchange your chests. If you don't get what you want, you cancel the trade and your chests are returned to you, so you can do it until you get exactly what you want.

The exchange system works out of the EVT event logic handler, so to solve this I decided to patch the start of the EVT event logic handler to check if you're busy trading (or using the PUS, etc) - this means if there were any other 'dupe' exploits involving EVT use, they now can't be used.

So here it is, for 1.310 (presumably 1.351 - I don't know if the codecave is in use!) and 1.298.

1.298

  004BBCB0     39BB 3C810000  CMP DWORD PTR DS:[EBX+813C],EDI
  004BBCB6    ^E9 F4F2FFFF    JMP 004BAFAF
  004BBCBB    ^E9 DDF9FFFF    JMP 004BB69D
  004BBCC0     80BB DD890000 >CMP BYTE PTR DS:[EBX+89DD],0
  004BBCC7    ^75 F2          JNZ SHORT 004BBCBB
  004BBCC9     66:81BB DE8900>CMP WORD PTR DS:[EBX+89DE],0FFFF
  004BBCD2    ^75 E7          JNZ SHORT 004BBCBB
  004BBCD4     80BB FC890000 >CMP BYTE PTR DS:[EBX+89FC],0
  004BBCDB    ^75 DE          JNZ SHORT 004BBCBB
  004BBCDD     80BB FD890000 >CMP BYTE PTR DS:[EBX+89FD],0
  004BBCE4    ^75 D5          JNZ SHORT 004BBCBB
  004BBCE6    ^EB C8          JMP SHORT 004BBCB0

  004BAFAA     E9 110D0000    JMP 004BBCC0
  004BAFAF     90             NOP
1.310

  00502F48   39BB 1C810000    CMP DWORD PTR DS:[EBX+811C],EDI
  00502F4E  ^E9 6379F9FF      JMP 0049A8B6
  00502F53  ^E9 5080F9FF      JMP 0049AFA8
  00502F58   80BB D5890000 00 CMP BYTE PTR DS:[EBX+89D5],0
  00502F5F  ^75 F2            JNZ SHORT 00502F53
  00502F61   66:81BB D6890000>CMP WORD PTR DS:[EBX+89D6],0FFFF
  00502F6A  ^75 E7            JNZ SHORT 00502F53
  00502F6C   80BB F4890000 00 CMP BYTE PTR DS:[EBX+89F4],0
  00502F73  ^75 DE            JNZ SHORT 00502F53
  00502F75   80BB F5890000 00 CMP BYTE PTR DS:[EBX+89F5],0
  00502F7C  ^75 D5            JNZ SHORT 00502F53
  00502F7E  ^EB C8            JMP SHORT 00502F48

  0049A8B1     E9 A2860600    JMP 00502F58
  0049A8B6     90             NOP
1.351/1.397

  00502DC3   39BB 1C810000    CMP DWORD PTR DS:[EBX+811C],EDI
  00502DC9  ^E9 E87AF9FF      JMP 0049A8B6
  00502DCE  ^E9 D581F9FF      JMP 0049AFA8
  00502DD3   80BB D5890000 00 CMP BYTE PTR DS:[EBX+89D5],0
  00502DDA  ^75 F2            JNZ SHORT 00502DCE
  00502DDC   66:81BB D6890000>CMP WORD PTR DS:[EBX+89D6],0FFFF
  00502DE5  ^75 E7            JNZ SHORT 00502DCE
  00502DE7   80BB F4890000 00 CMP BYTE PTR DS:[EBX+89F4],0
  00502DEE  ^75 DE            JNZ SHORT 00502DCE
  00502DF0   80BB F5890000 00 CMP BYTE PTR DS:[EBX+89F5],0
  00502DF7  ^75 D5            JNZ SHORT 00502DCE
  00502DF9  ^EB C8            JMP SHORT 00502DC3

  0048E392   E9 3C4A0700      JMP 00502DD3
  0048E397   90               NOP
Thanks Rocket for mentioning the exploit and explaining how it works.
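The state check the codecave adds, modelled in C as an added example that is not part of the post or of the server it patches: the four trade-state compares become `evt_allowed()`, and `replay()` runs the offer / exchange / cancel sequence once without and once with the guard. The field names, the item id, the inventory layout and the way cancel hands items back are all assumptions made for the model, not facts from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#define CHEST 1001u  /* constructed item id standing in for "a chest" */

/* Hypothetical player record; the trade_* fields stand in for the bytes the
 * codecave tests (+0x89D5, word +0x89D6, +0x89F4, +0x89F5 in 1.310); assumed names. */
struct player {
    uint8_t  trade_pending;   /* assumed: request in flight            */
    uint16_t trade_partner;   /* assumed: 0xFFFF when not trading       */
    uint8_t  trade_items_up;  /* assumed: items placed in the window    */
    uint8_t  trade_confirmed; /* assumed: confirm pressed               */
    uint32_t inv[4];          /* inventory item ids, 0 = empty slot     */
    uint32_t offered;         /* id shown in the trade window, 0 = none */
    int      rewards;         /* exchange rewards granted               */
};

/* Guard at the top of the EVT handler: the same four compares as the codecave;
 * any non-idle trade field drops the event instead of running it. */
bool evt_allowed(const struct player *p) {
    return p->trade_pending == 0 && p->trade_partner == 0xFFFF &&
           p->trade_items_up == 0 && p->trade_confirmed == 0;
}

static int slot_of(const struct player *p, uint32_t id) {
    for (int i = 0; i < 4; i++) if (p->inv[i] == id) return i;
    return -1;
}

/* The exchange: consume the chest from the inventory, grant one reward. */
static bool do_exchange(struct player *p, uint32_t id) {
    int i = slot_of(p, id);
    if (i < 0) return false;
    p->inv[i] = 0; p->rewards++;
    return true;
}

/* Replays the post's sequence: offer the chest, fire the exchange while the
 * (client-hidden) trade window is open, then cancel, which hands back whatever
 * the window showed. Returns chests held + rewards; anything above 1 is a dupe. */
int replay(bool patched) {
    struct player p = { .trade_partner = 42, .trade_items_up = 1,
                        .inv = { CHEST }, .offered = CHEST };
    if (!patched || evt_allowed(&p)) do_exchange(&p, CHEST);
    if (p.offered && slot_of(&p, p.offered) < 0)   /* /trade cancel */
        p.inv[slot_of(&p, 0)] = p.offered;
    p.offered = 0; p.trade_partner = 0xFFFF; p.trade_items_up = 0;
    int chests = 0;
    for (int i = 0; i < 4; i++) chests += (p.inv[i] == CHEST);
    return chests + p.rewards;
}
```

Without the guard the cancel path re-creates the chest that the exchange already consumed, so the player ends with the reward and the chest; with the guard the exchange is refused while the trade fields are non-idle and the count stays at one.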