Tree of Savior Forum

[Exploit] Infinite quest rewards and unrestricted Class switching

It’s possible to start and restart a quest as many times as you want by abusing the
Abandon/Restart functionality, which means infinite xp, stat points, class levels and other rewards.

Steps to reproduce :
The interface function which handles quest restarting is pc.ReqExecuteTx(“RESTART_Q”, questClassID);
The easiest way to execute arbitrary LUA code is to use keybinds.

Add this line to the relevant hotkey.xml file:
<HotKey ID="FreeXP" Name="Free XP" DownScp="pc.ReqExecuteTx(&quot;RESTART_Q&quot;, 30017);" UpScp="None" Key="A" UseShift="NO" UseAlt="NO" UseCtrl="YES" OnEdit="NO" />

then use Ctrl+A to start the Passing Words (1) quest, which gives 2 level 9 xp cards just for talking to a NPC.

This can also be used to pick up Class Advancement quests.

49 Likes

Holy ■■■■, i do hope this one is really fixed on next CBT or we will have a bunch of people abusing this.

And here I am reporting typos and grammar errors…

9 Likes

every bit counts :blush:

2 Likes

@GM_Erick @GM_Fuji Needs to be fixed badly.

1 Like

How did you get the quest ID to do that thought?

Good find, even though I think IMC is aware of that.
This post is annopriate - I’m not sure you’re supposed to post an exploit gamebreaking that much.
Please contact tossupport@imc.co.kr directly about it and delete your thread.

1 Like

doesnt really matter already… At least not after infinite stat points bug was reported.

2 Likes

confirmed

@Staff_John @Staff_J @Staff_Shawn

pretty please.

1 Like

“Our servers are struggling under load already, nothing bad would happen if we put a couple of things client side only, right?” - IMC, 2015

1 Like

THIS. Thanks for sharing it now IMC will wake up and figure out that important things shoudn’t be running client side.

This must be fixed before someone destroy the next beta

And I just wondered how I was randomly taken captivity by a druid/centurio ö,ö

Good thing the test ends soon >.>

The problem isn’t the fact the function is called by the client. That’s needed because that’s how you abandon quests. The server can’t go “oh my psychic powers tell me this player might want to abandon that quest”. The process must be initiated by the client, and that function is how it happens.

The problem lies on the fact there’s no server side check for whether the request is valid or not. Unchecked requests are the root of all evil in the client-server architecture.

7 Likes

This exploit just proves that the server-side of things accepts everything the client orders it, without checking for inconsistencies. It’s absolutely ridiculous that they thought THIS was ready for public presentation.

Hopefully the kOBT will be cancelled after this.

Was there any notice of this exploit in the Korean servers?

I know this is a great find and all, but wouldn’t it have been better to send this via PM?

I’m pretty sure some people will be abusing this for those exp.

1 Like

It’s too late. Half of the playerbase is already running around with level 200 characters with 10 different classes, right now.

exp has limit, but there are quests for free stat points…

At least it wasn’t posted at an earlier date.