Bug abusing rage alts in the SW.

[ShadowPWNSyou]

Our local group of friendly raiders and general pests clocked on to the latest custom client crashing bug nice and early and decided to go around the area on a snekkja crashing peoples games and catching aggro before the char logs out.

This is after driving out most our friendly neighbours over the last couple weeks. My village decided to stay and fight back because it sounded fun and still does! Instantly crashing the second the red player alarm goes off and coming back to your stuff gone is not fun however. Ill remake my foraging set and we will keep fighting these guys but generally keep an eye out if you're in the area as they do roam around all day looking for targets and any help or advice would be appreciated by the locals.





Pictured is their base. Their names are Riven, Armadildo, mikifiki99 and some more. Can provide more info and update the thread if needed. We have our suspicions they may be rage alts of a nearby village. They definitely have some relation to said village as several items stolen on different occasions have popped up over there.

[loftar]

Just out of curiosity, what is the bug in question here?

[ShadowPWNSyou]

Just out of curiosity, what is the bug in question here?

Latest update was causing (specifically amber and not default) client to crash under many conditions. They must have found one such condition that allowed them to roam the area causing people to crash out of the game if using amber, possibly other custom clients. Not a game bug per se? I'm not sure. Either way they were exploiting this issue. I didn't get the crash report but I think my friend did after he went to their base to see if it was them causing the crash or just some coincidence. Asked him if he has it, will update.

[ShadowPWNSyou]

My friends crash report when he approached their base. Can't say it is the exact same condition that caused both crashes as this was at their base with no one there and my case was on the water in a boat and them on a snekkja a couple minimaps away.

1.77.3.f7fc477a
Windows 10 10.0 x64, 1.8.0_241 x86
NVIDIA Corporation (GeForce GTX 1070/PCIe/SSE2) - 4.6.0 NVIDIA 442.50

java.lang.RuntimeException: Delayed error in resource gfx/terobjs/items/yellowonion (v10), from forking source backed by HTTP res source (https://game.havenandhearth.com/hres/)
at haven.Resource$Pool$Queued.get(Resource.java:405)
at haven.Resource$Pool$Queued.get(Resource.java:374)
at haven.Session$CachedRes$Ref.get(Session.java:124)
at haven.Session$CachedRes$Ref.get(Session.java:117)
at haven.ResDrawable.getres(ResDrawable.java:100)
at haven.Gob.getres(Gob.java:715)
at haven.LocalMiniMap.drawicons(LocalMiniMap.java:198)
at haven.LocalMiniMap.draw(LocalMiniMap.java:469)
at haven.Widget.draw(Widget.java:726)
at haven.Widget.draw(Widget.java:731)
at haven.MinimapWnd.draw(MinimapWnd.java:257)
at haven.Widget.draw(Widget.java:726)
at haven.Widget.draw(Widget.java:731)
at haven.GameUI.draw(GameUI.java:772)
at haven.Widget.draw(Widget.java:726)
at haven.Widget.draw(Widget.java:731)
at haven.RootWidget.draw(RootWidget.java:67)
at haven.UI.draw(UI.java:144)
at haven.HavenPanel.rootdraw(HavenPanel.java:347)
at haven.HavenPanel.run(HavenPanel.java:646)
at java.lang.Thread.run(Unknown Source)
Caused by: haven.Resource$LoadException: Load error in resource gfx/terobjs/items/yellowonion(v10), from forking source backed by HTTP res source (https://game.havenandhearth.com/hres/)
at haven.Resource$Pool.handle(Resource.java:466)
at haven.Resource$Pool.access$1100(Resource.java:351)
at haven.Resource$Pool$Loader.run(Resource.java:607)
... 1 more
Suppressed: haven.Resource$LoadException: Wrong res version (9 != 10)
at haven.Resource.load(Resource.java:1499)
at haven.Resource.access$600(Resource.java:43)
at haven.Resource$Pool.handle(Resource.java:454)
... 3 more
Suppressed: haven.Resource$LoadException: Load error in resource gfx/terobjs/items/yellowonion(v10), from local res source
at haven.Resource$Pool.handle(Resource.java:466)
... 3 more
Caused by: java.io.FileNotFoundException: Could not find resource locally: gfx/terobjs/items/yellowonion
at haven.Resource$JarSource.get(Resource.java:255)
at haven.Resource$Pool.handle(Resource.java:450)
... 3 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at haven.Resource$HttpSource.get(Resource.java:309)
at haven.Resource$TeeSource.get(Resource.java:201)
at haven.Resource$Pool.handle(Resource.java:450)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 19 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 25 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Mar 23 01:51:48 CET 2020
at sun.security.x509.CertificateValidity.valid(Unknown Source)
at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
at sun.security.provider.certpath.BasicChecker.verifyValidity(Unknown Source)
at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
... 30 more

[ydex]

Yes, changing name on res files (with for example auto scramble tables) will break the custom clients and reduce the ease of botting by a fair bit.
Specially if its auto scrambled a few times a week (or even once a day, depending on how you upload files to servers these days).

That yellow onion seams to stronk?

Sad way to die tho mate, hope you get the murderers back!

[Artemiswhb]

Yes, changing name on res files (with for example auto scramble tables) will break the custom clients and reduce the ease of botting by a fair bit.
Specially if its auto scrambled a few times a week (or even once a day, depending on how you upload files to servers these days).

What are you even talking about? This does nothing to prevent any kind of botting, it's not exactly difficult to automatically update the res path if you keep a reference object for example...
Also loftar would have to update a lot and i mean A LOT of resource code. This does nothing, exactly nothing but make the dev's lifes harder

And not to forget, this post has absolutely nothing to do with the issue posted in this thread as this is not a botting or custom client issue it was an issue with the certification of the resource server
The devs allow for custom clients and hell, the devs openly support it so please

The actual source code of the client is released under the GNU LGPL, which means that you're basically free to do whatever you want with it, as long as you yourself continue releasing it under the GNU LGPL. That would include building a new game server of your own devise and hosting a new game using the same client. We don't mind—that would basically be a new game anyway, and we might even enjoy playing it! More importantly, having access to the client code allows you to modify the game UI to fit you better, or to fix bugs that may be peculiar to your system or any other issue that may be important to you.

"Free and Non-free Parts"

[loleznub]

How long ago did this even happen? Your map of that place seems quite outdated, as I've not been that area in like 2 weeks or so and my map of that base looks a lot different.

[loftar]

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Mar 23 01:51:48 CET 2020

This specific error would only have happened for an hour or two last night, whereas, unless I misunderstood you, you said this has been going on for weeks. Unless I did indeed misunderstand you, I think there has to be some other kind of error that has been the usual case.

I guess I'd just like to try and figure out how likely it is that they've been doing this knowingly.

[shubla]

Will you nuke ban etc. them if this appears to be true?
Doesn't matter if it was a custom client or not, they are intentionally abusing a bug to crash peoples clients and then killing them, which I think is one of the worst offenses one can make.

[loftar]

Doesn't matter if it was a custom client or not, they are intentionally abusing a bug to crash peoples clients and then killing them, which I think is one of the worst offenses one can make.

I would tend to agree with that opinion, but I'm very much not sure to what extent I can prove who they were, where they're from, or to what extent that they did it knowingly. Also, I honestly just hate the sheer drudgery of nuking people, so I'm kind of hoping I don't have to.