  1. #1 Posted by noduc_

    AVM2 - Hacking the EpicDuel client.

    First let me start off by saying that I am quite bad when it comes to structuring a text, and I am not good at explaining things either.
    Also, I would like to thank a few friends who supported me in doing the research about the ActionScript Virtual Machine structure.

    Note that this is my first time registering on this forum, so I apologize if I somehow break a rule by mistake.
    Also, given the purpose of this guide, which is to explain the process as simply as possible, I'll avoid complex concepts as much as I can.

    I don't have the permissions right now to show images.
    I would be grateful if a moderator could change all the (dot) to "." and all the (colons) to ":".
    Also, putting the images and the gifs between the img bbcode would be really awesome.



    Introduction.
    Over the last few years there has been a really small amount of research and attempts to exploit the EpicDuel BattleOn game.
    Most of the "so-called" research that I considered useful has been locked away and classed as "outdated", simply because nobody has enough experience to understand it.

    Examples of these that I remember:
    http://www.mpgh.net/forum/showthread.php?t=763588
    http://www.mpgh.net/forum/showthread.php?t=1152148

    There were also a few successful attempts back in 2010 and 2011, thanks to the little publicity provided by mmohut, which allowed the game to get a certain interest from people.
    A little more recently, some attempts to exploit it were made by modifying the "RAM" or by sending requests to the server, which was nothing serious and most likely patched directly.

    Disappointed by the fact that nobody would lead the way, I told myself that I had to write a small "How To" tutorial about exploiting this game.
    Note that I won't, and didn't, write everything I know in this tutorial, simply because that isn't its purpose.


    Setting up the environment.
    Before we can finally move forward and get what we want, we'll get what we need... which is a web debugging proxy.
    The one I would personally recommend is the "Charles web debugging proxy"; a quick Google search should bring it up for you.

    Obviously, you'll need a web browser, and Charles works best with Firefox.
    It will work on Chrome, but I don't recommend it.

    http://image.prntscr.com/image/dc987984898b481cae746b4b89687e55.png

    Once you're done installing it, make sure everything works by refreshing a random web page.
    A list of websites should start to show up in the left panel; if not, download the Firefox add-on for Charles.

    http://image.prntscr.com/image/340dc8410ab44ac5a9f4f5e909c36690.png

    The last piece of software we will need is the obvious JPEXS Flash Decompiler; here again, a quick Google search should bring it up for you.
    Note that this decompiler will eat more than 2GB of RAM, but it is the best one we can use to modify the client.

    http://image.prntscr.com/image/0fc37a54028845efabe964279c2a0055.png

    Once we have everything installed, we can finally move forward and get what we want.


    Road to the client.
    Here comes the interesting part, mostly because we'll be learning how to do actual modifications on the client.
    I'll be showing you how to unlock all 158 haircuts in the character creation module.

    Obviously, in order to do so, we will need to get the official EpicDuel client first, which is the following one:
    http://epicduelcdn.artix.com/omega203.swf

    You can simply press CTRL+S on the URL to save it to your desktop.
    Also, it would be a good idea to make a backup of the unmodified client in case you want to revert changes.

    Now, as you have probably guessed already, we'll be using the JPEXS decompiler to open the swf.
    Simply drag it onto JPEXS or use the Open button in the top left corner to do so.

    http://image.prntscr.com/image/feabd4c3621142afb118f6b58df277e8.png

    While there are lots of decompiled folders, what will interest us is obviously the scripts one; it is where the whole game backend is.
    Press the little "+" to the left of the scripts folder to see every ActionScript file.

    http://image.prntscr.com/image/6bf6e14f65d542839aba5235535762ad.png

    Like I said, I'll be showing how to unlock all 158 haircuts in the character creation module.
    With a little bit of hide and seek, you'll find CharacterCreatorModule.as in the left pane.

    You can also use CTRL+F to find it easily.

    http://image.prntscr.com/image/253dc09731f3457fbddccec01a28c6b1.png

    A quick look at the ActionScript file will reveal those beautiful lines of code.
    http://image.prntscr.com/image/33d0c8ba4f234dd5be6b950717093581.png

    You don't have to be the Wizard of Oz to understand that MAX_HAIR_BH_M means "Maximum Haircut Bounty Hunter Male".
    If you click on it, some results will appear in the right pane of JPEXS.

    http://image.prntscr.com/image/c8014597dac843e5a76a81b073b5fee0.png

    Those aren't the initialized variables and so should not be edited.
    To be able to edit the variables, we need to find the initialization point.

    It turns out that this "initialization point" is right under MAX_HAIR_TM_F.

    http://image.prntscr.com/image/281675dd899e4977af083267857a4307.png

    You'll notice "initscopedepth 10" and "maxscopedepth 11".
    We need to change the value 10 to 158 and the value 11 to 159.

    To edit these, click on the small button at the bottom right called "Edit P-Code".

    DON'T use the ActionScript editor!
    It won't compile correctly and it will crash the client.

    http://image.prntscr.com/image/e0a809f6d6d3413997ade00440e6a775.png

    Sadly, the two values we have changed aren't enough to do what we want; we'll need to edit the pushbyte ones too.
    A byte can only take -128 to 127 in Java, so we'll need to use pushint; to do so, change every pushbyte 10 to pushint 158.

    http://image.prntscr.com/image/8345ac5dfc4b4702adc7cd84e507b23a.png

    After that you can save all the work by pressing the bottom right save button.
    By the way, don't forget to press the save button in the top left too.

    Now, how about we test our modification?


    Mapping the world.

    Now that we have modified the EpicDuel client and increased the maximum haircut value, we'll need to test our modified client.
    If everything went fine, open Charles and press CTRL+ALT+L, which will bring up the Map Local settings.

    http://image.prntscr.com/image/6bdc6b9c2d98405bbc6fe86a997e1b40.png

    There, simply check the "Enable Map Local" checkbox, then press the "Add" button, which should bring up a new window.

    http://image.prntscr.com/image/d5a4f1a546fa42a08c94380a6eff42c8.png

    There's some information we'll need to put in to get our modified client; here's what you need to enter:

    Protocol: http
    Hosts: epicduelcdn.artix.com
    Port: 80
    Path: /omega203.swf

    Make sure to map your modified version of omega203 by pressing the Choose button.
    http://image.prntscr.com/image/ff485f61db514e13baecf071910966eb.png

    Press OK and you're good to go.
    http://epicduelcdn.artix.com/omegaLoader14.swf

    Note: in order for the omega203.swf change to take effect, you'll need to clear your history cache.
    You need to clear your history cache and restart the game every time you change something in your modified client.

    If you switch server, the game will also refresh omega203.swf if you clear the cache.


    Conclusion.
    Here's what you should see now.

    http://image.prntscr.com/image/b4cde14e6bd040f190e2967e4354db9b.png

    A few more examples of what you can do, which are screenshots that I took while quickly trying some random stuff:

    https://i.gyazo.com/35b5fce300ebf7343e2d7052c3fbbb4b.gif
    https://i.gyazo.com/5bdf43065ef2565c5dc82a86fe20c6f6.gif
    https://i.gyazo.com/0a1f6c4a35b31e97aa68657c91e0d91a.gif
    https://i.gyazo.com/57c7112a6073f0ad491c2cdeefb60f80.gif
    https://i.gyazo.com/1c9e841c03596a713f0db4415051e3db.gif


    Oh my god, I'm finally done writing this. I hope you'll be able to use this method to research loopholes in the client; there's a ton of shit you can do and my gifs are only 0.5% of everything.
    Now I hope to see some more research and work being done / released. Oh, and also, you can use Flash to call / access the client functions.

    It would be really nice if you guys could release what you find in this thread or in the category.

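    Why the edit above has to switch from pushbyte to pushint, modelled in Python. This is an added example, not code from the post or from JPEXS: the opcode numbers (pushbyte 0x24, pushint 0x2D) and the u30 varint come from the AVM2 specification, and the ABC integer constant pool is represented as a plain list whose index 0 is the implicit zero entry. The point for a reader auditing such a patch: pushbyte carries its literal in the instruction and is sign-extended, while pushint carries only a constant-pool index, so the literal has to exist in the pool.

```python
"""AVM2 push-operand encoding: why 158 does not fit pushbyte (added illustration)."""
from typing import List, Tuple

OP_PUSHBYTE = 0x24  # operand: one byte, sign-extended to a 32-bit int by the VM
OP_PUSHINT = 0x2D   # operand: u30 index into the ABC integer constant pool


def encode_u30(n: int) -> bytes:
    """ABC's variable-length u30: 7 data bits per byte, low group first,
    high bit set on every byte except the last."""
    if not 0 <= n < (1 << 30):
        raise ValueError("u30 out of range")
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        if n:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_u30(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the varint)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            return value & 0xFFFFFFFF, pos


def sign_extend_byte(b: int) -> int:
    """How the VM reads a pushbyte operand: 0x00..0x7F stay positive, 0x80..0xFF go negative."""
    return b - 256 if b & 0x80 else b


def naive_pushbyte(value: int) -> int:
    """What the client would actually push if you only overwrote the pushbyte operand
    with a value outside -128..127 (the mistake the post warns about)."""
    return sign_extend_byte(value & 0xFF)


def encode_push(value: int, int_pool: List[int]) -> bytes:
    """Emit the instruction for a literal: pushbyte when it fits, otherwise pushint.
    The pushint literal lives in the constant pool, so the instruction only carries
    the pool index (the pool is modelled as a list with the implicit 0 at index 0)."""
    if -128 <= value <= 127:
        return bytes([OP_PUSHBYTE, value & 0xFF])
    if value not in int_pool:
        int_pool.append(value)
    return bytes([OP_PUSHINT]) + encode_u30(int_pool.index(value))


def decode_push(code: bytes, pos: int, int_pool: List[int]) -> Tuple[int, int]:
    """Decode one push instruction at `pos`; return (literal value, next position)."""
    op = code[pos]
    if op == OP_PUSHBYTE:
        return sign_extend_byte(code[pos + 1]), pos + 2
    if op == OP_PUSHINT:
        idx, pos = decode_u30(code, pos + 1)
        return int_pool[idx], pos
    raise ValueError(f"not a push op at {pos}: {op:#x}")


if __name__ == "__main__":
    pool = [0]
    for v in (10, 158, -1):
        ins = encode_push(v, pool)
        print(v, ins.hex(), decode_push(ins, 0, pool)[0])
    print("pushbyte 158 would really push", naive_pushbyte(158))
```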

  3. #2 Posted by Dab
    Get 10 posts, then post proper pictures.

    Is this at all useful? I see you didn't "save" any of your character changes, implying it doesn't actually do anything besides change the appearance of a value.

  4. #3 Posted by noduc_
    Quote Originally Posted by Dab1996426 (post #2 above)
    It has been almost 2 weeks without a proper validation from a mod; this forum is definitely not worth my time to write "10 posts".
    "implying it doesn't actually do anything": I'm in a good mood so I'll answer your little arrogant question, because you guys can't simply say thanks, am I right?

    So to say, the simple fact that you're asking such a question means that you didn't understand shit about MMO client-server architecture.
    It's okay, not everyone is meant to understand it.

    The ActionScript bytecode segments will allow you to modify around 90% of the whole client code.
    I.e.: cloning your inventory items and selling back the copy, bypassing HP & MANA checks leading to being a god, changing the whole search battle engine to always get NPCs, changing the battle system to always start & win directly against NPCs, and a lot more.

    So yes, it is actually useful, and YES you can do a lot more than what I have shown in the screenshots.
    In short, everything that relies on the client to filter information will allow you to do whatever you want.
    Last edited by noduc_; 03-06-2017 at 10:58 AM.

  5. #4 Posted by Dab
    Quote Originally Posted by noduc_ (post #3 above)
    So you've confirmed none of this actually inputs back to the server, since you're literally just modifying the client, not the server lol.

    You can add 100 skill points, but if you can't save those skill points on the server then it's useless. It's just UI changes really; it doesn't actually affect anything related to the server. Also, cloning an item on your side of the game (client changed) doesn't mean you'll be able to sell it (server input), because if the server doesn't say "you have this item" then even if you make the client say "you have this item" it doesn't mean you have that item, at least according to the server.

    Maybe you can just modify the client side and have that data register on the server; if so, then get 10 posts and update with proper pictures. If you actually uploaded a file maybe a mod would be able to approve it. You know, just because you have the file on your computer does not mean MPGH magically obtains that file. I guess you just don't understand networking and the basics of how server/client sides work with each other.


  7. #5 Posted by noduc_
    Quote Originally Posted by Dab1996426 (post #4 above)
    "So you've confirmed none of this actually inputs back to the server. Since you're literally just modifying the client, not the server lol."

    It is obvious, Sherlock, that you can't get anything to input back to the server without the proper authorization from your ID.
    Also, I never stated that anything would "input" (as you call it) back to the server. (Few exceptions: loopholes.)

    "Also cloning an item on your side of the game (client changed), doesn't mean you'll be able to sell it (server input) because if the server doesn't say "you have this item" then even if you make the client say "you have this item" it doesn't mean you have that item,"

    There's a loophole; have fun searching for & exploiting it.

    A perfect example of a loophole is that you can change and save hairsID without buying any.
    It can be done in-game, not only in the character creation module.

    Another loophole example is that you can change your classID.
    It won't disconnect as long as you put the right amounts of points in core & stats.

    It won't save, but it can be used as long as you do local mapping;
    it works in battle and everyone will see the class, as it is sent as a request to the server without requiring any special authorization.

    Something else would be your character name, which can be changed and updated to the server; everyone will see your new beautiful name.
    It won't save and it will most likely get you banned by a mod soon enough. Doesn't require any special authorization.

    "It's just UI changes really, doesn't actually affect anything related to the server."
    You don't say?

    * Note: when I say <<proper validation from a mod>> I actually mean updating the screenshots.
    Also, I won't bother replying anymore; waste of time.
    Last edited by noduc_; 03-06-2017 at 01:38 PM.

  8. #6 Posted by Dab
    Quote Originally Posted by noduc_ (post #5 above)
    Update the screens and post a video.

    The original reason I posted was for substance. I want to see if it saves, and if so how useful it could be in PvP.

  9. #7 Posted by drakosuli
    Works great! Thank you, let us research.

    EDIT: How can I do other things?
    Last edited by drakosuli; 03-07-2017 at 11:15 AM.

  10. #8 Posted by ForTheLulz101
    Thank you for this post, and let's hope this teaches others to do more and better with/than this.

  11. #9 Posted by fuckthisshitsite123
    Jeez, even Castle Crashers gets more of a player base than this.

  12. #10 Posted by ABrokePCBuilder
    Tried changing many different values, such as changing the p-code for retrieving varium into retrieving credits, but it does not register on the server and the server kicks me out when I try to buy something. I also managed to increase stats in character training, but the game tells me "one of your values is below starting value" and it doesn't work. What exploits are there that work? (The helmet trick works very well.)

  13. #11 Posted by Leaguecracker
    I don't understand. I followed all your steps, but after I mapped Charles I don't know what to do or how to play with my client. Can you help me?
    Edit: I forgot to replace pushbyte with pushint. Then I checked your accounts on the EpicDuel character pages and you don't have any of the beta aux, gun, club. It's just simulation. Can you tell us more tricks?
    Last edited by Leaguecracker; 09-10-2017 at 10:58 AM.

  14. #12 Posted by ABrokePCBuilder
    Same, all the "hacks" I did were only displayed on the client and not logged on the server, except the helmet trick. I tried adjusting the process of retrieving information about varium or stat points, but when you use them EpicDuel detects something is wrong and kicks you out. The beta trick he did was probably done with Charles, which I replicated quite easily too. However, he did manage to somehow find an exploit which registered with the server. twitter/noduc_
    The bot's actives could be used. Noduc, can you show us where the exploit is located?

  15. #13 Posted by woahmemelord935
    Ok, let's clarify some of the stuff here...
    First, I am noduc. I lost my password to everything due to a HDD failure (keepassx database lost), so I went and logged on with one of my old quick trash accounts.

    I would like to apologize to Dab1996426, as I was completely drunk and I have a huge pride, so I saw the <dot> as an arrogant way to look down on me.
    Needless to say, he was completely right and I was wrong; client-server must not be confused and I made the mistake of doing so.

    This was mostly because I had no prior experience in what I was really doing; I just tested things, it worked, and I assumed that you could do x.
    That's not the case; everything here is mostly client editing, and there's barely any way to push the changes to the server.

    Now that this little misunderstanding is clear, there are a few more words that I would like to put:
    There are a few server exploits that can be used here and there, one of them being that the client accepts whatever name request you ask.
    Therefore you can make an actual working name changer and rename yourself to whatever you want (the name doesn't stick if you exit the game, but everyone else will see it).

    That of course was back in 2016, and I don't know if that thing still works as of today.
    There was a small glitch that could be used to start a battle with, say, 0 HP.

    You can't attack and it will be the enemy's turn endlessly, resulting in a free loss.
    In 2v2 however, if your ally gets killed, it results in an auto-win for the enemy team, even if you're still up with full HP. (HP going back to its initial state when you get attacked.)

    This is one glitch that can be used on the server side; I didn't dig deeper into that glitch to see how it could be exploited as an advantage.

    I am aware that there are some other small glitches that can be exploited on the client to trick the server (so-called loopholes).
    I had a small compilation list of what you could do, but with my HDD failure I lost them. Sorry to be unable to provide it.

    As for assembly editing, it would be better if you guys recompile the whole client (with time and effort it can be done).
    There again, I can't share my recompiled work as I lost everything.

    The bot core exploit that ABrokePCBuilder is asking about was simply client editing again and not server-based; I merely changed the number of the animation / fla.
    Say that bota = 201 and botb = 202; change bota to be 202 and botb to be 201.

    So yeah, here you go. Feel free to ask any questions and I'll do my best to answer.
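    The disagreement in this thread, and the correction above, comes down to one rule: the server, not the client, decides what a character owns. The following Python sketch is added here and is not part of the game or the thread. It models a character-update handler for the three cases the thread mentions (hair ID, class ID, name), once in the "loophole" shape that stores whatever the client sends and once checking each field against server-side state; the Character/UpdateRequest shapes, the name policy and the "rename credit" entitlement are assumptions.

```python
"""Server-side authorization of client character-update requests (added illustration)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed name policy for the example; the real game's rules are not on the page.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{2,15}$")


@dataclass
class Character:
    """Server-side record: the only source of truth for what the player owns."""
    name: str
    hair_id: int
    class_id: int
    owned_hair_ids: Set[int]
    owned_class_ids: Set[int]
    rename_credits: int = 0  # assumption: renames are a purchasable entitlement


@dataclass
class UpdateRequest:
    """Fields exactly as the client sent them: none of them are trusted."""
    hair_id: Optional[int] = None
    class_id: Optional[int] = None
    name: Optional[str] = None


def apply_trusting(char: Character, req: UpdateRequest) -> List[str]:
    """The 'loophole' shape from the thread: whatever the client asks for is stored
    and broadcast, so a patched client can set any hair, class or name."""
    if req.hair_id is not None:
        char.hair_id = req.hair_id
    if req.class_id is not None:
        char.class_id = req.class_id
    if req.name is not None:
        char.name = req.name
    return []


def apply_validated(char: Character, req: UpdateRequest) -> List[str]:
    """Hardened handler: every field is checked against server-side state before it
    is persisted. Returns the rejections so the caller can log them; a burst of
    rejections from one account is a useful signal that the client was tampered with."""
    rejected: List[str] = []
    if req.hair_id is not None:
        if req.hair_id in char.owned_hair_ids:
            char.hair_id = req.hair_id
        else:
            rejected.append(f"hair_id {req.hair_id}: not owned")
    if req.class_id is not None:
        # A request whose stat points "add up" is internally consistent, but that is
        # not authorization: the class still has to be unlocked on the server record.
        if req.class_id in char.owned_class_ids:
            char.class_id = req.class_id
        else:
            rejected.append(f"class_id {req.class_id}: not unlocked")
    if req.name is not None:
        if not NAME_RE.fullmatch(req.name):
            rejected.append("name: fails format policy")
        elif char.rename_credits < 1:
            rejected.append("name: no rename entitlement")
        else:
            char.rename_credits -= 1
            char.name = req.name
    return rejected


if __name__ == "__main__":
    c = Character("Alice", 1, 10, {1, 2}, {10})
    print(apply_validated(c, UpdateRequest(hair_id=158, class_id=11, name="Bob")), c)
```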

  16. #14 Posted by ABrokePCBuilder
    YES YES YES NODUC YOU ARE BACK!
    1. Are you still playing EpicDuel?
    2. If it's client based, how did you get to use the core of the robot? (twitter image)
    3. Are you aware of any other client-sided changes that will modify the server too that you have not shared with us previously?

    Thanks

  17. #15 Posted by woahmemelord935
    Quote Originally Posted by ABrokePCBuilder (post #14 above)
    No, I am not playing EpicDuel anymore; the game is obviously dead and it seems that no steps are being taken by the devs to bring it back to life.
    Which is a sad thing, considering all they would have to do is push the game toward mobiles. But instead they prefer to make it even more crap than it was (hello, npc bullshit), and the small player base left (100(?) max) prefers to afk-bot.

    The core of the bot was simply an animation change in the client source; I switched the android bot icon for the gamma one, and the same for the animation sprites.
    & nah, I really didn't bother that much with the game, sorry man.

    peace
