Fun With Packets!

By Acacia 2015-03-05 14:18:00
Firstly, I need to be clear that this exploit has been patched!
Because of the extremely detrimental nature of this exploit I never shared it with anyone except for the GM I reported it to when I quit a few weeks ago and one friend, earlier today, to confirm that it has been patched.

Basically what I found was that when using the Garden Strongbox in your Mog Garden the server validation was flawed.
The client would check:
"amount in box" >= "amount removed"
But the server would only check:
"amount in box" != 0

The server sends a 0x034 type packet with information about the menu that's displayed when you select your Garden Strongbox. This packet contains parameters telling the client how much gil you have in your Garden Strongbox. So just replacing that parameter with a larger value allows you to bypass the client side check. Since the server does check that the amount in your box is not zero you do have to put some amount of gil in initially but then it would gladly give you however much gil you requested. This puts your Strongbox into the negatives which would still pass the != 0 check. The dialog box only allows you to type in numbers as large as 99,999,999 but you could just continue to pull out that much until you had capped gil, then go spend it and do it again.

The one catch was that now your Garden Strongbox would have a negative amount of gil in it. All a GM had to do was check your box and you're done for. Although you could always put all the gil you took back in the box to restore it and there would most likely be no record.

Here's the code and a video I made when I first discovered it: mega

It's obviously of no use now but I found it funny/interesting and wanted to share :)

By Pantafernando 2015-03-05 14:23:01
Printscreen before lock >.>

By Acacia 2015-03-05 14:30:51
Pantafernando said: »
Printscreen before lock >.>
Well, it's been patched so it's not like it will do any harm now. But yeah, I could see where this might get deleted :)

By Valefor.Sehachan 2015-03-05 14:32:08
Packs with funnets.

By Keido 2015-03-05 14:38:10
I hope people still attempt this and get their ***yanked.

By Pantafernando 2015-03-05 14:40:17
Acacia said: »
Pantafernando said: »
Printscreen before lock >.>
Well, it's been patched so it's not like it will do any harm now. But yeah, I could see where this might get deleted :)

Btw, did Skjalf quit the game like you?

By Acacia 2015-03-05 14:42:54
Pantafernando said: »
Acacia said: »
Pantafernando said: »
Printscreen before lock >.>
Well, it's been patched so it's not like it will do any harm now. But yeah, I could see where this might get deleted :)

Btw, did Skjalf quit the game like you?
Yes, Skjalf quit for personal reasons. He might come back in the distant future but I highly doubt it.

By Phoenix.Skyfire 2015-03-05 14:46:39
Couldn't someone like buy a new ffxi ID and go use this, while using their main to put an item on AH for the "bank" account to go blow loads of gil on?

I mean rmt have no issues losing accounts. They would love to use this I am sure.

By Asura.Kingnobody 2015-03-05 14:47:33
Phoenix.Skyfire said: »
Couldn't someone like buy a new ffxi ID and go use this, while using their main to put an item on AH for the "bank" account to go blow loads of gil on?
Why don't you try and find out for us.

By Odin.Jassik 2015-03-05 14:48:25
These kinds of exploits stem back to a fundamental weakness with SE. They just don't seem to learn from their mistakes. They don't get that players use PCs and that they put far too much trust in the integrity of the client. There may have been reasons to have so much autonomy built into clients when this game was being designed, before broadband was the standard and latency had a bigger impact. But, in today's age, it's way too easy to compromise a client with that much autonomy. It's like they just never thought that someone would try it.

By Phoenix.Skyfire 2015-03-05 14:50:20
Because unlike you, I actually enjoy achieving things through work and perseverance. (Legit Means)

By Acacia 2015-03-05 14:51:36
Phoenix.Skyfire said: »
Couldn't someone like buy a new ffxi ID and go use this, while using their main to put an item on AH for the "bank" account to go blow loads of gil on?

I mean rmt have no issues losing accounts. They would love to use this I am sure.
You could, except that it's patched now :) That's why I didn't tell anyone until I knew it was patched.

By Shiva.Spathaian 2015-03-05 14:53:46
Phoenix.Skyfire said: »
Couldn't someone like buy a new ffxi ID and go use this, while using their main to put an item on AH for the "bank" account to go blow loads of gil on?

I mean rmt have no issues losing accounts. They would love to use this I am sure.
Yes, but as the OP says this has been patched. Though there's always the possibility of bypassing it another way.

Either way I have mixed feelings of this being posted even if the original means for the glitch has been patched.

By Acacia 2015-03-05 14:53:50
Phoenix.Skyfire said: »
Because unlike you, I actually enjoy achieving things through work and perseverance. (Legit Means)
Generally I do too! Except I like finding security bugs more :) That's one of the main reasons I quit. I was having more fun finding stuff like this than actually playing, haha.

By Asura.Kingnobody 2015-03-05 14:55:02
Phoenix.Skyfire said: »
Because unlike you, I actually enjoy achieving things through work and perseverance. (Legit Means)
I don't bot nor cheat, so why are you accusing me of doing so?

By Phoenix.Skyfire 2015-03-05 14:56:04
Was not referring to you Acacia with that post.

Kingnobody you're right, I should not accuse you. I will restate what I meant.

I enjoy playing the game and working hard for what I have. Would not want to lose what I have trying to see if an exploit still worked.

Glad it is patched though, but just feel like people knowing it was possible will try and figure out a way to get around it.
 
By 2015-03-05 14:59:29
Post deleted by User.

By Keido 2015-03-05 15:00:17
Are items able to be stored in there? Could explain how we got some people with 1100 plates one day watch them sell out and then they have another 1100 plates the next day.

By Phoenix.Skyfire 2015-03-05 15:00:48
It was just Gil that could be stored.

By Acacia 2015-03-05 15:04:07
Caitsith.Shiroi said: »
They patched it because they found people abusing it. I'm fairly certain I've read about this in other forums a couple months ago.
It's possible. As you can see from my video, I had been using it since September 2014 and they didn't pick up on it until I reported it on Feb. 20th 2015. And even then the GM refused to ban me lol.

Keido said: »
Are items able to be stored in there? Could explain how we got some people with 1100 plates one day watch them sell out and then they have another 1100 plates the next day.
Nope, only gil.

By Bahamut.Milamber 2015-03-05 15:14:17
That's a mistake that I would expect a first-year programmer to make (if that).

By Acacia 2015-03-05 15:35:35
Bahamut.Milamber said: »
That's a mistake that I would expect a first-year programmer to make (if that).
I would agree but also remember that this is a very large, 11-year-old project that's been worked on by many different dev teams over the years. The code is probably a mess in general and painful to work with, so stuff like this is bound to happen even with the best programmers working on it.

By Lakshmi.Byrth 2015-03-05 15:39:24
This is a weakness of the dialogue packet and SE's programming. SE's servers trust the client far too much. Often client-side checks are the only checks.

There have been dozens of bugs exactly like this found since the release of Windower 4. I have personally found about a dozen myself and have heard about many more. For instance, the Provenance emergency maintenance was almost certainly in order to patch something exactly like this, probably for the box NPC.

Tbqh Acacia, you're lucky you didn't get banned. I've had one character banned and have known other people who got banned for self-reporting things like this without abusing them. SE generally does not distinguish between abusing an exploit and discovering/reporting on an exploit even when they're less invasive than this.

By Acacia 2015-03-05 15:53:07
Lakshmi.Byrth said: »
Tbqh Acacia, you're lucky you didn't get banned. I've had one character banned and have known other people who got banned for self-reporting things like this without abusing them. SE generally does not distinguish between abusing an exploit and discovering/reporting on an exploit even when they're less invasive than this.
That's the funny thing, I was trying to get banned! I even told the GM I stole over a billion gil using it and offered to show him how it worked, but he refused to ban me. I was trying to make sure no one would be able to steal Acacia after I stopped playing so I just ended up deleting her.

By Lakshmi.Byrth 2015-03-05 16:12:09
SE is only consistent in their inconsistency. So it is written.


PS. If you had used about 4 billion gil you would have gone back around to positive gil values in your coffer and it no longer would have been suspicious.

By Acacia 2015-03-05 16:22:06
Haha, good call, I didn't even think about the 32bit roll over. You can only hold 999M though so you'd have to spend 3B first, or give it away I guess.
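
The validation gap from the first post and the 32-bit roll-over raised in the two posts above, modelled server-side as an added example; it is not code from anyone in the thread or from SE. The struct, the function names, the signed 32-bit storage and the audit ledger are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define DIALOG_MAX 99999999 /* largest amount the dialog accepts, per the post */

typedef struct {
    int32_t box;    /* server-side balance; signed 32-bit storage is assumed */
    int64_t ledger; /* deposits minus withdrawals, kept wide for auditing */
} strongbox_t;

bool deposit(strongbox_t *s, int32_t amount) {
    if (amount <= 0 || s->box > INT32_MAX - amount) return false;
    s->box += amount;
    s->ledger += amount;
    return true;
}

/* The check the post describes: only "amount in box" != 0. */
bool withdraw_flawed(strongbox_t *s, int32_t amount) {
    if (s->box == 0) return false;
    /* subtract as unsigned so the 32-bit wrap is not signed-overflow UB */
    s->box = (int32_t)((uint32_t)s->box - (uint32_t)amount);
    s->ledger -= amount;
    return true;
}

/* Hardened: decide from the server's own balance, never a client-held copy. */
bool withdraw_checked(strongbox_t *s, int32_t amount) {
    if (amount <= 0 || amount > DIALOG_MAX) return false; /* re-check UI limit */
    if (amount > s->box) return false; /* "amount in box" >= "amount removed" */
    s->box -= amount;
    s->ledger -= amount;
    return true;
}

/* Constructed audit input: n maximum-size requests through the flawed path. */
void replay_flawed(strongbox_t *s, int n) {
    for (int i = 0; i < n; i++) withdraw_flawed(s, DIALOG_MAX);
}

/* A sign test alone passes a balance that has wrapped back to positive. */
bool audit_sign_only(const strongbox_t *s) { return s->box >= 0; }

/* Reconciling against the wide ledger still flags it. */
bool audit_reconciled(const strongbox_t *s) {
    return s->box >= 0 && (int64_t)s->box == s->ledger;
}
```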

By Bismarck.Snprphnx 2015-03-05 16:27:59
Acacia said: »
Haha, good call, I didn't even think about the 32bit roll over. You can only hold 999M though so you'd have to spend 3B first, or give it away I guess.

The way some people talk, giving away that much Gil would have flagged you as RMT and banned. And everyone else who you gave it to.

By Wordspoken 2015-03-05 16:33:09
Why do you think flint stones go for several million gil? :D

By Valefor.Sehachan 2015-03-05 16:34:01
Because yabadabadoo.

By mortontony1 2015-03-05 16:38:40
Wordspoken said: »
Why do you think flint stones go for several million gil? :D

So speaking of this, has anyone found any way to intercept rmt transactions like this and make a ton of free gil?