
[Alex/Stream] Your Source Is NOT Complete: Missing Packet Validations That Allow Dupes and Item Generation



The Hidden Security Layer Most "Complete" Conquer Online Sources Don't Have

Why Missing Packet Validation Leads to Item Duplication, Item Generation and Server Exploits

A lot of Conquer Online sources are sold as "fully complete" or "production ready". Unfortunately, many of them are missing one of the most important components of a secure server:

Server-side packet validation.

Features do not make a source secure. Security validations do.

The client should never be trusted. Every packet sent by the client must be verified by the server before any item, upgrade, socket, blessing, or inventory modification occurs.

Example #1 - CreateSocketItem Security

A good example is the CreateSocketItem packet.

    if (Position != 4 || ItemType.IsHossu(DataItem.ITEM_ID) || Position == 0)
    {
        client.Player.PermanentBan(client, "[CreateSocketItem] Cheat in CreateSocketItem Valid Item : Item Name " + DataItem.Name);
        client.Socket.Disconnect();
        break;
    }

This validation does several things:

Rejects invalid item positions.

Rejects items that should never receive sockets.

Rejects position 0, which is usually an abnormal or manipulated state.

Immediately logs, bans and disconnects the player.

Without this validation, a modified client could attempt to:

Socket items that should never have sockets.

Socket invalid equipment types.

Force packet execution on malformed items.

Potentially create impossible item states and corrupt inventories.

The server is saying:

"I don't care what packet you sent. If the item is not a valid weapon, the request is illegal."

That is proper server authority.

Example #2 - MsgUpdateItem Security

Another good example exists inside MsgUpdateItem.

    if (Position == 0)
    {
        client.Player.PermanentBan(client, "[Plus] Cheat in Plus System Position 0 : Item Name " + DataItem.Name);
        client.Socket.Disconnect();
        break;
    }
    if (Position == (ushort)Role.Flags.ConquerItem.RightWeaponAccessory
        || Position == (ushort)Role.Flags.ConquerItem.LeftWeaponAccessory
        || Position == (ushort)Role.Flags.ConquerItem.SteedMount
        || Position == (ushort)Role.Flags.ConquerItem.Bottle
        || Position == (ushort)Role.Flags.ConquerItem.Garment)
    {
        client.Player.PermanentBan(client, "[Plus] Cheat in Plus System Valid Item : Item Name " + DataItem.Name);
        client.Socket.Disconnect();
        break;
    }

These checks prevent:

Upgrading items in impossible positions.

Plusing garments.

Plusing bottles.

Plusing accessories.

Plusing mounts.

Creating abnormal equipment states.

Again, the server does not trust the packet.

It verifies that the item is actually allowed to be upgraded.

Why This Matters

Many sources simply do something like this:

    DataItem.Plus++;
    DataItem.Send(client);

or

DataItem.SocketOne = EmptySocket;

without first verifying:

Item type

Item position

Required materials

Bound state

Inventory ownership

Equipment category

Valid packet arguments

This is extremely dangerous.
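
As an added example (not code from this post or from any particular source), here is a server-authoritative upgrade handler that takes only two item UIDs from the packet and derives ownership, equipment category and material from the server's own inventory. All type and member names, and the +12 cap, are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; none of these names come from a real source.
enum Category { Weapon, Armor, Garment, Bottle, Mount, Accessory, PlusMaterial }
enum Verdict { Ok, BadArguments, NotOwned, WrongCategory, MaxLevel, BadMaterial }

class Item { public uint Uid; public Category Category; public byte Plus; }
class Player
{
    // Server-side inventory keyed by item UID: the only source of truth.
    public Dictionary<uint, Item> Inventory = new Dictionary<uint, Item>();
    public void Add(Item i) { Inventory[i.Uid] = i; }
}

static class UpgradeHandler
{
    const byte MaxPlus = 12; // assumed cap
    static readonly HashSet<Category> Upgradable = new HashSet<Category> { Category.Weapon, Category.Armor };

    // The packet supplies two UIDs only; every other fact is looked up server-side.
    public static Verdict TryPlus(Player p, uint itemUid, uint materialUid)
    {
        if (itemUid == 0 || materialUid == 0 || itemUid == materialUid) return Verdict.BadArguments;
        if (!p.Inventory.TryGetValue(itemUid, out Item item)) return Verdict.NotOwned;
        if (!Upgradable.Contains(item.Category)) return Verdict.WrongCategory;
        if (item.Plus >= MaxPlus) return Verdict.MaxLevel;
        if (!p.Inventory.TryGetValue(materialUid, out Item mat) || mat.Category != Category.PlusMaterial)
            return Verdict.BadMaterial;
        p.Inventory.Remove(materialUid); // consume the material before changing state
        item.Plus++;
        return Verdict.Ok;
    }
}

static class Demo
{
    static void Main()
    {
        var p = new Player(); // constructed sample inventory
        p.Add(new Item { Uid = 10, Category = Category.Weapon });
        p.Add(new Item { Uid = 11, Category = Category.Garment });
        p.Add(new Item { Uid = 20, Category = Category.PlusMaterial });
        Console.WriteLine(UpgradeHandler.TryPlus(p, 11, 20)); // garment as the target
        Console.WriteLine(UpgradeHandler.TryPlus(p, 99, 20)); // UID not in this inventory
        Console.WriteLine(UpgradeHandler.TryPlus(p, 10, 20)); // well-formed request
        Console.WriteLine(UpgradeHandler.TryPlus(p, 10, 20)); // same packet replayed
    }
}
```

Returning a verdict instead of acting inline keeps the validation testable; the caller decides whether a given verdict means a silent drop, a log entry, or the ban and disconnect used in the examples above.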

What Can Happen Without These Validations?

A source missing these security layers becomes vulnerable to:

Item Duplication

Item Generation from Nothing

Invalid Socket Creation

Impossible Equipment States

Packet Injection

Inventory Corruption

Forged Upgrade Requests

Cheat Engine Scripts

Custom Packet Senders

Memory Editors

Malformed Network Packets

The exploit itself is usually not complicated.

The client simply sends data that the server never expected, and because the server blindly trusts the packet, it executes the action anyway.

Final Thoughts

A source is not "complete" because it has events, NPCs, systems or fancy interfaces.

A source is complete when:

The server validates everything and trusts nothing from the client.

If your source does not contain these kinds of validations and security checks, then it is not production ready.

It is simply waiting for someone to discover how much authority the server is giving to the client.

ALL RIGHTS RESERVED TO CHAT GPT AND DEEPL TO TRANSLATE FROM SPANISH TO ENGLISH
ALL RIGHTS RESERVED TO ME AND HATEM SAKR FOR SECURITY CODES USED IN EXAMPLES!
