This exploit has been around on eMS for a long, long while.
- Game Version: eMS v104.1
I used to get told about this more than a year ago by Doxie and Craig.
It has now, however, been released on gMS, and I guess it's time to make it publicly available here as well.
[header (word)] [chat_type (byte)] [amount_of_character_ids (byte)] [character_ids (dword)] [message (string)]
To fetch a character_id, double-click on the person. The packet that appears ends with FF 00; the 4 bytes BEFORE FF 00 are the character_id.
The below packet contains the correct header for eMS v104.1
0C 01 XX 01 10 15 07 00 03 00 68 61 69
XX is the chat_type; I will give examples below:
00 = Buddy Chat (requires you to have at least one buddy)
01 = Party Chat (requires you to be in a party)
02 = Guild Chat (requires you to be in a guild)
03 = Alliance Chat (requires you to be in an alliance)
06 = Expedition Chat (requires you to be in an expedition)
Nexon has added a check so that this chat packet can only be sent once per 250 ms or so, probably to prevent straight spamming.
However, they forgot to put a check in place against adding the same person's character_id over and over again. That lets a single packet deliver the message to someone 100 times, which opens up a DC exploit.
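As an added, server-side illustration (not part of the original post or of any Nexon code): a parser for the packet layout above that refuses a recipient list containing the same character_id more than once, or more than an assumed cap of MAX_RECIPIENTS. The string field is taken to be a little-endian 2-byte length followed by the bytes, as in the example packet (03 00 68 61 69 = "hai"); the cap value and the sample packets are constructed.

```python
import struct

MAX_RECIPIENTS = 20  # assumed server-side cap; not a value from the original post


def parse_multi_chat(packet: bytes):
    """Parse [header word][chat_type byte][count byte][ids dword*count][len word][message]."""
    if len(packet) < 4:
        raise ValueError("packet too short for header, chat_type and count")
    header, chat_type, count = struct.unpack_from("<HBB", packet, 0)
    offset = 4
    end_of_ids = offset + 4 * count
    if len(packet) < end_of_ids + 2:
        raise ValueError("packet shorter than the declared recipient list")
    ids = list(struct.unpack_from("<%dI" % count, packet, offset))
    (msg_len,) = struct.unpack_from("<H", packet, end_of_ids)
    offset = end_of_ids + 2
    message = packet[offset:offset + msg_len]
    if len(message) != msg_len:
        raise ValueError("message shorter than its declared length")
    return header, chat_type, ids, message.decode("ascii", "replace")


def validate_recipients(ids):
    """Return (ok, reason): reject oversized lists and repeated character IDs."""
    if len(ids) > MAX_RECIPIENTS:
        return False, "too many recipients"
    if len(set(ids)) != len(ids):
        return False, "duplicate recipient id"
    return True, "ok"


def check(packet: bytes):
    """Parse a packet and decide whether the server should relay it."""
    _, _, ids, _ = parse_multi_chat(packet)
    return validate_recipients(ids)


# Constructed samples. BENIGN is the post's example packet with chat_type 01 (party chat).
BENIGN = bytes.fromhex("0C 01 01 01 10 15 07 00 03 00 68 61 69")
# REPEATED lists the same character_id three times, the pattern the post describes.
REPEATED = bytes.fromhex("0C 01 01 03 " + "10 15 07 00 " * 3 + "03 00 68 61 69")

if __name__ == "__main__":
    print(check(BENIGN))    # (True, 'ok')
    print(check(REPEATED))  # (False, 'duplicate recipient id')
```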
I coded a little program a while ago which will generate a proper DC packet if you provide the person's character_id.
This is what the tool looks like:
Please insert the character id in this format: 00 00 00 00, press Generate DC code, press Copy to clipboard, paste the packet in whatever packetsender you may use, voila.
For those who do not have a clue how to get a character_id: I couldn't be fucked to write it out, but fortunately someone else could: