Heads up! AH Exploit


Flitterkill


Legit unfortunately.

 

Some folks have broken out the hex editors and are hacking at the bid and buy it now buttons apparently allowing them to buy out items at the initial listing price, not the buy out price.

 

Options:

 

1) Wait until this is patched.

 

2) Set a comfortable starting bid to protect yourself.

 

Enjoy!


Sky
Member
(edited)

I blame the novice programmers Activision-Blizzard hires.

I mean, "let's fire the Diablo developers, and then make Diablo 3 with a fresh team."

 

I mean, people narc on Torchlight as a Diablo clone, but those people don't realize that the team developing Torchlight is the team that created Diablo 1 and 2.

And that's why Diablo 3 is so different, and so freakin broken. Ugh.

 

Just remember, don't believe everything you hear. If this came from a Diablo 3 post and you didn't discover it yourself, it's most likely dismissible. A lot of topics started by people are just garbage, like the session id spoofing which is impossible.

A while back, I farmed out two Storm Shields, and bought a third, and when I saw what the third was going for on the AH, I bought it out, and then posted on the Diablo 3 forum how funny it was that I bought a Storm Shield for 1000 gold.

 

And the guy who sold it posted on there accusing me of hacking him. Which is just why you can't believe what people say.

But, since the post is buried, I at least thought someone here might get a good kick out of it. It was a low-end stat shield, but, still, the block % is reason enough to own one.

 

But if you really want to follow the rumor mill, just do what Jackie and I do: set your B/O to your Bid.

 

 

Edit: Always search for people who accidentally post stuff below what they thought they posted it for. If it's something worth a lot, chances are they'll post one of those "i got hacked" posts =p

Edited by Sky

GC Board Member

Sky can evaluate the following

Hex Editor (recommended to use Hex Fiend if you are using Mac)

Steps on using Diablo 3 Exploit RMAH Bid Cheat

 

Note that the steps in here are only an educated guess on how Diablo 3 hackers perform the Diablo 3 RMAH bid cheat. We will not spoon-feed you on how to use some of the tools involved in this. We will just quickly brief you on how the process is done.

 

Look for an item using the RMAH.

Dump the memory. (memory editor can also be used)

Scan for the item memory address (E.g. 0x1b450c60)

Find the “real” reference for the item.

Find the hex values for the bid confirmation and buyout confirmation.

Switch the bid confirmation with the buyout confirmation.

Find the hex values for the bid button and buyout button.

Switch the bid button with the buyout button.

Click the bid button.

Tada!

I use these guys as my Diablo news source - have for over a decade. If they post up about it, I'm inclined to trust them.

 

http://diablo.incgamers.com/blog/comments/nasty-auction-house-exploit


Alright, so I've taken some time to play around with this, and, I admit, I seriously didn't think the developers could accidentally leave something like this available to clients, which is why I shot it down so quickly.

So, here's how it works.

The best way to make a general example is to open visual studio, and create a win32 application.

Win32 tutorials often start out with their own version of hello world, which has you typically create a box, and a button, which when you press, screams "hello world!" into it.

The way it works is each button is assigned a memory address. You've seen memory addresses before if you've ever played with a Game Genie, and this trick is effectively like plugging a Game Genie into Diablo 3, or any other game, which is why certain modifications on the Genie worked, while others didn't.

When you run a memory dump on this little program you've built, you'll see the hex value for the hello world button.

 

As we all know, Diablo 3 uses an MMO standard, but creates separate instances for players, and restricts those instances to small groups of players. It's like joining a raid group in an MMO. You go into that dungeon, and it creates a separate instance for you, but you are still connected to a server, which is relaying information back and forth.

 

Typically, the server forces clients to adhere to certain rules. The server being the centralized location or target locations where clients connect and send information to, as well as receive information in return. The client is each player's system. Typically, you send information to the server, it evaluates it, determines if it's legitimate, and depending on A or B, it sends certain information back to the client.

We can sort of see how hastily thrown together the Diablo 3 Auction House is. It suffers from vulnerabilities not present in World of Warcraft, in which we can't hack the auction house in this fashion. Unfortunately, after playing around with hexedit, I'll confirm the above, which is apparently disturbing. See, when you make a change to a memory address, typically, the server has fail safes built in to catch it and say something like "Whoa dude! You hit the bid button, not the buyout button!" but in this case, it takes whatever the client says to the server and lets it go through.

This is particularly disturbing, because when a player disconnects prematurely, even if the player doesn't die on his screen, and he does on the server, the server then relays that back to the player. So, in Diablo 3's case, as long as the client is actually connected to the server, the client is the overriding force. Meaning the server checks with the client to determine if the action is valid, and it's generally the client -> server <-> client, but in this case it's client <-> server -> client.

 

My honest conclusion, from being a software developer most of my life, is that this had to be left intentionally by the developers. I just can't fathom how else it would be able to validate itself against the server. I can't begin to understand why they'd leave it in, but anyone who knows anything about programming would have prevented this.

 

With further inspection, though, if you take a look, you'll notice there are hidden buttons on the auction house that aren't visible on your client. I'd test out what they do myself, but I'm not really into getting banned. At the same time, this isn't easily detectable, at least not at this time with the current code. If this was being detected, the server would stop the action before it was successful. With that being said, I highly doubt this is being logged, either.

 

All in all, I'm disturbed. I'd say put your items up for the buyout price without a low bid, like Jackie and I do.

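The trust problem the post describes, as an added example that is not code from the thread or from Blizzard: a toy auction-house settlement routine in Python, first written the way the post says the real server behaves (action and price taken from the client), then written with the server as the authority, so a relabelled button is rejected and logged. Listing ids, prices and the bid increment are constructed sample values.

```python
# Added example (not from the thread or Blizzard): server-side trust in an
# auction settlement. All ids, prices and the increment are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    listing_id: int
    current_bid: int   # highest bid so far, in gold
    buyout: int        # buy-it-now price, in gold

MIN_INCREMENT = 100    # hypothetical minimum bid step

# Server-side listing table (constructed sample data).
LISTINGS = {1: Listing(listing_id=1, current_bid=1000, buyout=250_000)}

class Rejected(Exception):
    """Raised when a client request contradicts server-side state."""

def vulnerable_settle(listing_id: int, action: str, client_price: int):
    """Flawed server: the action label and the price are whatever the client
    sent. A client that relabels 'bid' as 'buyout' takes the item for its bid."""
    LISTINGS[listing_id]                 # only checks the listing exists
    return ("sold" if action == "buyout" else "bid", client_price)

def hardened_settle(listing_id: int, action: str, client_price: int, audit: list):
    """Authoritative server: the buyout price comes from the listing record and
    the client's number is only an echo that must match; bids must fall inside
    server-derived bounds. Any mismatch is rejected and written to `audit`."""
    listing = LISTINGS.get(listing_id)
    if listing is None:
        raise Rejected("unknown listing")
    if action == "buyout":
        price = listing.buyout           # never the client's value
        if client_price != price:
            audit.append(f"listing {listing_id}: buyout echo {client_price} != {price}")
            raise Rejected("buyout price mismatch")
        return ("sold", price)
    if action == "bid":
        lo = listing.current_bid + MIN_INCREMENT
        if not (lo <= client_price < listing.buyout):
            audit.append(f"listing {listing_id}: bid {client_price} outside [{lo}, {listing.buyout})")
            raise Rejected("bid out of range")
        return ("bid", client_price)
    audit.append(f"listing {listing_id}: unknown action {action!r}")
    raise Rejected("unknown action")
```

The audit list stands in for whatever log sink a real service would use; the point is that the mismatch is both blocked and recorded, which is the detection the post says was missing.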

Sky
Member
(edited)

Well... It seems to be that the servers are assuming that whatever the client is sending must be correct. Period.

"In my haste, I forgot coke."

Upon further inspection of the whole fiasco, I figured out some more things, and walked nightling through how to do it. I did this privately, as I think everyone can understand why this shouldn't be public.

 

I did want to at least clarify what I meant about Game Genies. You could use alphanumeric values ranging from 0 to 9 and a to f.

 

[65][6e][74][2e][43][6c][6f][73][65][42][75][74][74][6f][6e][00]

 

What Blizzard really needs to do is patch the server to always check client files each time a client connects, much in the way that sv_pure 1 in Left 4 Dead enforces file purity, i.e. vanilla files.

Check the hash tables, etc.

 

As of now, it doesn't matter if they force you to download a new client during an update. You can simply edit the files and reassign the memory addresses, much in the way we used to edit the dll file that prevented us from using the riot shield or cs_knife in Left 4 Dead, make the change, and save.

With that being said, no, you won't get banned for using this trick, because as of right now, they can't detect it.

Edit:

Blizzard claims to have hotfixed it. I assure you, it is not fixed. I'm fairly confident this is another one of their "Let's say it's fixed so people stop spinning the rumour mill."

So, I actually talked with another programmer, whose response to it was:

"... that's terrible, clearly it was an intern's job... no programmer would truck that up that much."

 

And now, time for bed. ~<:-)

Edited by Sky
