Issue information

Issue ID: #3206
Status: Fixed
Severity: Critical
Started: Hercules Elf Bot, Jun 7, 2009 16:17
Last Post: Hercules Elf Bot, Jun 7, 2009 16:17
Confirmation: N/A

Hercules Elf Bot - Jun 7, 2009 16:17

Originally posted by theultramage
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=3206

Each ingame unit has an id, and a name. The 'getcharnamerequest' packet (0x8c on latest clients, 0x94 on iro?) does this id-to-name lookup. In all normal situations, this is to obtain the name of a player, mob or npc that's onscreen / in sight range.

However, on eathena this range constraint is missing. As long as you ask using a valid id, the server will answer back with the associated object's name. Works anytime and on any map, even across maps.

This has some severe consequences.

First, the rather harmless case, where you gather a list of player IDs. Then you can forge namerequest packets and observe the answer. If the player's online, you'll get his name, confirming that he's online. Otherwise you get no reply, confirming that he's offline. Works on GMs as well. So you essentially have @who. Advantage is that the players won't know you're scanning them, disadvantage is the packet spam produced.

Second, the exploit case, where you gather a list of miniboss/mvp IDs on a server that has show_mob_info set to display hp/%. Then you can forge namerequest packets and observe the answer. If the mvp is alive, you'll get its name + current hp, confirming that it's alive. Otherwise you get its name + 0 / 0% hp, confirming that it's dead. So you essentially have a weaker but server-wide Convex Mirror. Using a specialized tool, you could scan a prepared list of mvps periodically, and even gather long-term statistics.

The advantage is obvious - being able to tell if a mvp is alive without having to search for it. The disadvantage is having to gather the object ids beforehand; however, unless the server's spawn structure changes between restarts (doesn't happen often; and npcs come after mobs, so no problem here), the object ids will stay the same.

EDIT: just checked for fun; aegis x.4 doesn't have this range check either, and allows querying dead mobs... however it doesn't modify the mob's name so there is nothing to be gained from it.

This post has been edited by theultramage: Jun 7 2009, 09:31 AM
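The fix the report asks for is a visibility constraint on the id-to-name lookup: answer only when the target is on the requester's map, within sight range, and actually on screen (a dead mob is not). The following is an added, self-contained illustration of that check, not eAthena's or Hercules' own handler; the unit table, the AREA_SIZE radius and the function names are assumptions.

```c
/* Added example of a server-side visibility check for name requests.
 * Not eAthena/Hercules code; the structs and names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AREA_SIZE 14   /* assumed client view radius, in map cells */

enum unit_type { UNIT_PC, UNIT_MOB, UNIT_NPC };

struct unit {
    int id;
    enum unit_type type;
    int map_id;
    int x, y;
    int hp;
    const char *name;
};

/* Constructed in-memory unit table standing in for the server's object map. */
static const struct unit units[] = {
    { 150000, UNIT_PC,  1, 100, 100, 500, "Alice" },
    { 150001, UNIT_PC,  2,  50,  50, 500, "Bob" },             /* other map */
    { 110000, UNIT_MOB, 1, 105,  98, 250, "Poring" },          /* near Alice */
    { 110001, UNIT_MOB, 1, 200, 200,   0, "Golden Thief Bug" },/* far, dead */
};

static const struct unit *find_unit(int id)
{
    for (size_t i = 0; i < sizeof units / sizeof units[0]; i++)
        if (units[i].id == id) return &units[i];
    return NULL;
}

/* Returns the name to send back, or NULL when the server must stay silent,
 * exactly as it already does for an unknown id. Only after this check passes
 * would a show_mob_info hp suffix be appended, so dead or distant mobs leak nothing. */
const char *handle_name_request(int requester_id, int target_id)
{
    const struct unit *req = find_unit(requester_id);
    const struct unit *tgt = find_unit(target_id);
    if (!req || !tgt) return NULL;
    /* The constraint missing in the report: same map and within sight range. */
    if (tgt->map_id != req->map_id) return NULL;
    if (abs(tgt->x - req->x) > AREA_SIZE || abs(tgt->y - req->y) > AREA_SIZE) return NULL;
    /* A dead mob is not on screen, so its name and hp must not be answered either. */
    if (tgt->type == UNIT_MOB && tgt->hp <= 0) return NULL;
    return tgt->name;
}
```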