[Source] Since it was patched, Inventory Viewer source code.

[Tree]

It was using method 120 in the GSI with a key I got friend like a year or two back, and the user ID of who you wanted to view.
It's patched, so don't get your hopes up. I put it here, since it's not really a release or anything.


README[/b]

Just the source to the now patched inventory viewer. This is what I was using, combined with flask to display user inventories. As you can see I was actually hiding some sections from the public, such as trade items, market items, storage, and housing.
Each section of the inventory would be a generator, so that the info grab for the items would only be performed on a per section basis. I was planning to rework it, but it got patched.

Required Requests: HTTP for Humans — Requests 1.1.0 documentation

This won't work anymore so don't try.

https://github.com/elistrophy/Gaia-I...Viewer-PATCHED

[Artificial]

It was using method 120 in the GSI with a key I got friend like a year or two back, and the user ID of who you wanted to view.
It's patched, so don't get your hopes up. I put it here, since it's not really a release or anything.

https://github.com/elistrophy/Gaia-I...Viewer-PATCHED

README

Same method we used. Way to get it patched, fuck!

[Tree]

Same method we used. Way to get it patched, fuck!

It took them forever to patch it though, and all they ended up doing was removing method 120. I'm not sure if they actually use it elsewhere on the site, but if so they probably just moved it. I'll probably end up scanning GSI later if I feel like it, though kinda boring to mess with Gaia.

[Artificial]

Yea we used to offer a public service (much like your site), and you could essentially skip right past that secret if you just passed through 'true' instead. When they patched that we figured it best to only grant a few people access using the key less they patch that as well.

[Tree]

Yea we used to offer a public service (much like your site), and you could essentially skip right past that secret if you just passed through 'true' instead. When they patched that we figured it best to only grant a few people access using the key less they patch that as well.

I actually never did find out how anyone got the key in the first place, I was gone throughout like 2008-2011 so I ended up missing a lot of stuff some people I knew were doing.

[323]

I actually never did find out how anyone got the key in the first place, I was gone throughout like 2008-2011 so I ended up missing a lot of stuff some people I knew were doing.

Ex-Gaia developer gone rouge? Haha.

Also, what did the method look like when not supplied with a key? I have a fairly basic GSI scanner that I could use to scan methods 1 to 9999 for it if you want, I just have to know what kind of output I'm looking for.

[Tree]

Ex-Gaia developer gone rouge? Haha.

Also, what did the method look like when not supplied with a key? I have a fairly basic GSI scanner that I could use to scan methods 1 to 9999 for it if you want, I just have to know what kind of output I'm looking for.

Something like bad secret, but I've made my own scanner that can scan the GSI in probably 30 seconds or less.

[Isonyx]

Neat code.
When you guys refer to a key you used for this, wouldn't you have been able to access a lot more than just the inventory view GSI?
On top of that, why didn't Gaiaonline just invalidate the key being used instead of moving (or removing) the method?

[Tree]

Neat code.
When you guys refer to a key you used for this, wouldn't you have been able to access a lot more than just the inventory view GSI?
On top of that, why didn't Gaiaonline just invalidate the key being used instead of moving (or removing) the method?

Cause it's Gaia, and yeah I tried it elsewhere. At one point I was going to try to bruteforce it to figure out what it was a hash of, but I lost interest.

[Artificial]

Cause it's Gaia, and yeah I tried it elsewhere. At one point I was going to try to bruteforce it to figure out what it was a hash of, but I lost interest.

They seem to salt all of their keys, so I'm guessing no dice

[Isonyx]

So what you're saying is to patch the method, they simply moved the GSI. Meaning the key still could apply elsewhere?

[Artificial]

So what you're saying is to patch the method, they simply moved the GSI. Meaning the key still could apply elsewhere?

I'm guessing they would have at the very least changed the key

[Tree]

So what you're saying is to patch the method, they simply moved the GSI. Meaning the key still could apply elsewhere?

Either deleted, or changed the method number. I assume they only kept it around so long because they needed it, however I'm also sure they changed the key as well.

[Isonyx]

I'm guessing they would have at the very least changed the key

Someone should verify that lmao.

[Tree]

Someone should verify that lmao.

I would but I'm fairly bored of Gaia right now, and can't think of much to make.

[Kitsune]

a common salt gaia used was something like "Go-Gaia 72 XD Squared" that may be off but it was something like that.

[Tree]

a common salt gaia used was something like "Go-Gaia 72 XD Squared" that may be off but it was something like that.

If I was to brute force it I was going to under the assumption it was generated as a normal user password was, but since that is (hopefully) unlikely, it probably wouldn't have worked, and wouldn't have been worth it anyways.

[Kitsune]

I remember when you could use GSI to login (idk if there is another method), You MD5 hashed your password with that salt to login.

[Tree]

I remember when you could use GSI to login (idk if there is another method), You MD5 hashed your password with that salt to login.

If you looked in my Towns source or read the read me it that I also released my GSI login with it. I just released it today, and I decided to release my GSI login bypass with it. Just gotta look at the source and figure it out for yourself though.

[Kitsune]

Is method 107 a working way to login?
err i mean 108

[Tree]

Is method 107 a working way to login?

Look at the source of my bot, it's there.

[Kitsune]

Look at the source of my bot, it's there.

I believe im looking at it.....

i have this

Code:

http://gaiaonline.com/chat/gsi/index.php?v=json&m=[[108,[USER, PASS]]]

i md5'ed my password then added the salt "Go-Gaia-XD-72squared" and md5'ed them together.

This is what it returns:

Code:

[[0,false,[-5,"Nothing generated in response to the request."]]]

what am i doing wrong?

[Tree]

Look at the source more. That's all I will say on that matter, I put it in there, and didn't outright say how to do it so people would have to read the source. also if it says Nothing was Generated it means you sent a malformed json string.

[Kitsune]

okay so i think im getting, however i don't think you can use GSI to login still....

First Request:

Code:

http://gaiaonline.com/chat/gsi/index.php?v=json&m=[[108,["USER","226f4e54a3a813c13d3fbd78be1441bfb0"]]]

Response;

Code:

[["108",false,[-3,"Please use gaiaonline.com to login."]]]]

Second Request:

Code:

http://gaiaonline.com/chat/gsi/index.php?v=json&m=[[108,["USER","226f4e54a3a813c13d3fbd78be1441bfb0", "True"]]]

Response:

Code:

[["108",false,[-3,"failed-captcha"]]]

[Stapled]

Code:

http://gaiaonline.com/chat/gsi/index.php?v=json&m=[[108,["username","password",true]]]

That's how the login works.

Edit: Use the normal login, you must have failed too many times and got a captcha.

[Kitsune]

I SEEE NOW. I GOT IT RIGHT I JUST TYPED IN MY USERNAME WRONG

TY TREE +REP!

ill +Rep you too Stapled since you came in and tried to help

[Tree]

Code:

http://gaiaonline.com/chat/gsi/index.php?v=json&m=[[108,["username","password",true]]]

That's how the login works.

Edit: Use the normal login, you must have failed too many times and got a captcha.

You can also use it on accounts deactivated for being inactive for 6 months, and it'll reactivate them automatically. It'll probably be patched fairly quick though now.

[Stapled]

You can also use it on accounts deactivated for being inactive for 6 months, and it'll reactivate them automatically. It'll probably be patched fairly quick though now.

Maybe, Gaia has been pretty active recently. It kind of sucks but it's nice to see them finally doing something.

[Kitsune]

This whole time when i thought logging in via GSI was no longer all i had to do was add "True" at the end of it >.>

[Tree]

Maybe, Gaia has been pretty active recently. It kind of sucks but it's nice to see them finally doing something.

They've been actively banning any account I register, even if I don't do anything every day for the past week. Only reason I even keep releasing this stuff, is the last time Doc and me tried to help them fix their stuff, worked directly with a Dev etc, gave them some session grabbing exploits, ability to post announcements etc, and once they got that stuff they ran off. This was like a year or two back though, but they still refuse to actively do anything unless you force them to. They give me and others who can actually do stuff absolutely no reason to report any exploits to them at all.

[-0- D i o r -0-]

You can also use it on accounts deactivated for being inactive for 6 months, and it'll reactivate them automatically. It'll probably be patched fairly quick though now.

OMG please

[Kitsune]

Wow, also it seems that accounts made by your account creator (or whoever's account creator people are using) are getting banned fairly quickly just because they are being mass produced. Use tried to give me an account and it was banned, then he gave me a list and they were all banned xD (he used an account creator)

[Tree]

OMG please

Please what? I meant that if you login with the GSI method with an account that has been locked for being inactive for 6 months, it will reactivate it as opposed to having to go through the process of reactivation. It's literally the same as a normal login with the GSI.

[Kitsune]

So i nearly shit myself because i re-activated a mule i had a while back just now.
I looked in the inventory and saw a nitemare sash and thought it was a scarf..... lol

[Stapled]

Gaia has been pretty active lately. They've been patching stuff and banning people like crazy. All but two of my accounts have gotten banned over the last week and them seem to be patching things as soon as people release them.

[Tree]

Gaia has been pretty active lately. They've been patching stuff and banning people like crazy. All but two of my accounts have gotten banned over the last week and them seem to be patching things as soon as people release them.

Seems to me they've been carpet bomb banning anyone they even suspect isn't the original owner which is kind of a slippery slope.
I don't know if they fixed it or not, but with Towns 2 from what I looked at all you have to do in order to use mod powers is simply decompile, set the user_level variable to instead of accessing the server, simply set it to something above 85, and recompile. I'm not sure if they have a server side check or if it's just client sided for when these packets are sent though.

[Artificial]

They do check the forum, so if you release anything noteworthy to the public, it's going to get patched fairly quick

[Tree]

They do check the forum, so if you release anything noteworthy to the public, it's going to get patched fairly quick

Which is another reason I've been releasing stuff. If I release something, I expect it to be patched.

[Kitsune]

Which is another reason I've been releasing stuff. If I release something, I expect it to be patched.

You make me sad...

[Use]

Which is another reason I've been releasing stuff. If I release something, I expect it to be patched.

that sucks your not able to release anything without gaia finding out about it