Hi guys,,
i got some real stuff.. :P :P (dont blame me if this is really bullsh!t)
i found somewhere a very nice story about duping,, i dont know a sh!t about it thats why im putting it here :P.. i red it and i thought that it really could work,, AND DONT PUT THIS ON OTHER FORUMS KEEP THIS FOR US!
(when blizzspys know this they could easy nerf it)
I hope some one could figure this out and share it with all of us (or only with me :P:P:P)
Heres the story (its NOT mine):
TO DUPE: First you'll need to decode the network stream, as it's encrypted (actually it's just hashed, encryption would probably be too demanding). The Macroquest2 devs(old everquest hackers) have done this for you. Next, you'll need a packet injector (i use nemesis). Take a dump of the packets, decode them, and take a look at them... You may notice many things to hack, but we're looking to dupe, right!? One key flag in the packet is this one: IsPlayer...x where x is going to be a 1 or a 0. This flag is just after the packet header, and can be seen in plain text once the packet is decrypted. All packets originating from a player have the IsPlayer flag set to 1. Packets sent to you from the server while interacting with an NPC(like a vendor or quest giver) will have the IsPlayer flag set to 0. Here's what I noticed with my debugger. Any time there is a change in your character (gains money, gains a level, trades), your character is automatically saved. However, I noticed that I can dump the packets (I dump the packets with Libpcap, C's packet capture library, becuase I'm a linux guy. For windows use winpcap), alter any packets originating from my character so that the IsPlayer flag is set to 0, and the resend the packet using libpcap's sendpacket function. The dumping of packets, altering, and resending is done by a C program (pretty simple pcap program, dumps the packets, uses mq2's decryption to decrypt the wow packets, then alters the IsPlayer from 1 to 0, then resends the newly crafted packet) which I run on a second computer which acts as a firewall to my WoW computer. I run it on a second machine because it's less likely to be detected by wow's spyware (wow's spyware checks window titles and open processes. My thought was it can't be detetected as easily if i hack the network stream with a second computer.). I'm trying to be detailed, so sorry for going over some stuff twice. Hope you have followed along so far. What I have done by changing the IsPlayer flag to 0 is trick the wow server into thinkin that my character is an NPC. Why do this, you may ask? Well, one reason really. I found with my debugger that after changing this flag, the server does not save after every major change, but saves every 10 minutes. This must be how wow checks for pathing errors and what have you. Every 10 minutes the npcs on the server are saved (at least from what I gathered with my debugger and dissassembler). The server probably saves NPCs every 10 minutes to save processing power or something. Anyway, who cares why npcs are only saved every 10 minutes, the fact is, if you change the IsPlayer flag to 0 in all the packets originating from your character, the server will only save your character every 10 minutes. What does this mean? Check this out. Wait till the server saves(if you dont have a debugger, or don't know how to use one, just guess. You can't mess up really). Now you should have approx. 10 minutes before the next save. Take some items or money you want to dupe, trade them to another character. Complete the trade. Now log the bugged character out (the bugged character is the one with the IsPlayer flag set to 0). Log him back in. Still have the items and gold, don't you? DUPED!!!
This is because we've bugged the character to only be saved every 10 minutes, so when you log off and back on, the server reverts to the last save. If you log off and back on and you dont have the items, it's because the server saved since the trade, which means you have approx. 10 minutes until the next save! PROs and CONs: This could be detected if WoW's Intrusion Detection System was set up to look at that IsPlayer flag. However, I used this exploit on November 2nd, 2006 and have been using it for over a year now (since a little after MQ2 decrypted the network stream, so a good amount of time anyway), and have not been banned. So I think it's safe to try. No, I won't give you my C code, I think I gave a good enough description of how it works anyway. Dump the packets, decrypt the packets, alter the IsPlayer flag from 1 to 0, resend the packet. Cake with the packet capture library, PCAP. I'd imagine after my dumb ass posts this, it won't work for much longer.
c'mon guys figure this out and try it :P And Share with us :P