Stats Server Exploit

For discussion of the BB stats code.

Post by nos » Sun Jan 13, 2008 5:37 pm

hey all,

Have some interesting news. Not sure if it's new news or not, but I've never
seen or heard of what I'm about to tell u.

I was messing around with the stats HTTP requests a long time ago when I first
started coding my own shitty version of BF 2142 stats, in particular the

Code:


This is the request that uses the double auth encryption made up of a few account vals (PID, email, b-date, etc. etc.).

Here's the news LOL
I have found if u alter this request by adding a &pid=pid to the query.

Code:


This allows u to exploit the stats server; it causes a mix-up and mashes the stats
from the provided PID's account with the stats from the other PID's account.

Example return from the stats server after player stats have been exploited.

Code:

    H   pid nick    asof
    D   90684521    MadHatter2142   1200145321
    H   award   level   when    first
    D   100_1   0   1171658314  0
    D   100_2   0   1173801983  0
    D   100_3   0   1178583162  0
    D   101_1   0   1177368648  0

All those stats are linked to my PID but are from the "MadHatter2142" account.

The other PID is found encrypted within the pToken; u can change the PID to any
player ID u like. When this modified request string is sent, I have found u
keep that player's stats until u log in to BF 2142 and check your "Base" mode stats;
this resets the right PID to the account.

I have not yet found a way to keep the stats or add the stats on top of the original stats;
it just sorta mixes them all up.

But one cool side effect is, if u use a pToken from an account that has BF 2 veteran status,
then the account of the specified PID will be granted the BF2 symbol next to your ID in game.
(The BF 2 symbol DOES NOT GET REMOVED!!!!) U keep the vet status for good.

I have made a little app in VB to grant any player BF 2 vet status; I would be happy to share it with your members
and post my source code in the stats forum if you like, as it is related to BF 2142 stats.

In light of this, it really makes me wonder how well the stats server is coded,
because this was the most obvious thing I could have tried and it worked LOL
I would not be surprised if I can figure out how to rip stats or maybe even clear stats. :twisted:

BTW, I have had this little exploit for over 4 months now
and I have used it on multiple players to grant BF 2 vet status.
It seems very secure; never had any complaints or issues with EA.
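The bug the post describes is, from the server's side, a trust-boundary mistake: the player's identity is already proven by the pToken, yet a separate, unauthenticated pid query parameter is allowed to override it. The following is an added example written for this page (it is not the poster's VB app nor EA's stats server code) that models that root cause and its fix. The pToken format is not given on the page, so a simple HMAC-bound token is assumed as a stand-in, the SERVER_KEY and STATS_DB contents are constructed, and the function names are hypothetical. It also shows a small writer and parser for the H/D (header/data) response layout quoted in the post.

```python
import hashlib
import hmac
import urllib.parse

# Constructed demo key; the real pToken encryption is not described on the page,
# so an HMAC over the account values stands in for it here.
SERVER_KEY = b"constructed-demo-key-not-real"

# Constructed stand-in for the stats database. The MadHatter2142 rows reuse
# the values quoted in the post; the second record is made up for the demo.
STATS_DB = {
    90684521: {"nick": "MadHatter2142", "asof": 1200145321,
               "awards": [("100_1", 0, 1171658314, 0), ("100_2", 0, 1173801983, 0)]},
    55555555: {"nick": "nos", "asof": 1200150000,
               "awards": [("101_1", 0, 1177368648, 0)]},
}


def make_token(pid: int, email: str) -> str:
    """Issue a stand-in pToken of the form pid|email|mac (assumed format, not the real one)."""
    msg = f"{pid}|{email}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{pid}|{email}|{mac}"


def pid_from_token(token: str):
    """Return the PID bound to a valid token, or None if it is malformed or tampered with."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    pid, email, mac = parts
    expected = hmac.new(SERVER_KEY, f"{pid}|{email}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(pid)


def build_query(token: str, pid=None) -> str:
    """Assemble the query string a client would send; pid is the optional extra parameter."""
    query = "pToken=" + urllib.parse.quote(token)
    if pid is not None:
        query += f"&pid={pid}"
    return query


def resolve_pid_vulnerable(query: str):
    """Models the behaviour the post describes: a client-supplied pid overrides the token's PID."""
    params = urllib.parse.parse_qs(query)
    token_pid = pid_from_token(params.get("pToken", [""])[0])
    if token_pid is None:
        return None
    if "pid" in params:
        return int(params["pid"][0])  # trusts the URL over the token: the root cause
    return token_pid


def resolve_pid_hardened(query: str):
    """Fixed version: identity comes only from the authenticated token.
    A pid parameter that disagrees with the token is refused instead of honoured."""
    params = urllib.parse.parse_qs(query)
    token_pid = pid_from_token(params.get("pToken", [""])[0])
    if token_pid is None:
        return None
    if "pid" in params and params["pid"][0] != str(token_pid):
        # URL claims one player, token proves another: treat as a forged request
        # (worth logging) rather than serving or rewriting someone else's record.
        return None
    return token_pid


def render_stats(pid: int):
    """Write a record in the tab-separated H/D layout shown in the post."""
    rec = STATS_DB.get(pid)
    if rec is None:
        return None
    lines = ["H\tpid\tnick\tasof",
             f"D\t{pid}\t{rec['nick']}\t{rec['asof']}",
             "H\taward\tlevel\twhen\tfirst"]
    for award, level, when, first in rec["awards"]:
        lines.append(f"D\t{award}\t{level}\t{when}\t{first}")
    return lines


def parse_stats(lines):
    """Parse H/D lines into one dict per D row, keyed by the most recent H row."""
    headers, rows = [], []
    for line in lines:
        kind, *fields = line.split("\t")
        if kind == "H":
            headers = fields
        elif kind == "D":
            rows.append(dict(zip(headers, fields)))
    return rows


if __name__ == "__main__":
    token = make_token(55555555, "nos@example.invalid")
    forged = build_query(token, pid=90684521)
    print("vulnerable resolves to:", resolve_pid_vulnerable(forged))
    print("hardened resolves to:", resolve_pid_hardened(forged))
    print("\n".join(render_stats(resolve_pid_hardened(build_query(token)))))
```

The hardened resolver never reads the player identity from the query string at all; the only reason it looks at pid is to detect and refuse a mismatch, which is also the signal worth alerting on, since a legitimate client has no reason to send a pid that contradicts its own token.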