Jump to content

Login Name Checker

Mr.Slime

By Mr.Slime,
in Programming & Scripts

 Share

Recommended Posts

Mr.Slime Collaborator

Mr.Slime 113

Posted
Posted

Hi guys.

The game core sends different login result to the server for password wrong and user id not found.

Just one example it's possibile to test with sending packets 9 accounts per second.

 

Affects: Every game core

 

Fix:

Search for this in input_db.cpp: 

case HEADER_DG_LOGIN_NOT_EXIST:
		LoginFailure(DESC_MANAGER:.instance().FindByHandle(m_dwHandle), "NOID");
		break;

case HEADER_DG_LOGIN_WRONG_PASSWD:
		LoginFailure(DESC_MANAGER:.instance().FindByHandle(m_dwHandle),	"WRONGPWD");
		break;

and replace the WRONGPWD with NOID.

 

So you blocked the way to detect if an account exists.

 

Best Regards,

Mr.Slime

  • Love 6
Link to comment
Share on other sites
  • Replies 12
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Mr.Slime
Mr.Slime

Hi guys. The game core sends different login result to the server for password wrong and user id not found. Just one example it's possibile to test with sending packets 9 accounts per second

Vanilla
Vanilla

Okay you can change locale_game.txt but what if a user changes it back? c++ > txt files With his fix the server won't respond with an accurate message. Next thing is that people could wri

RealReznov
RealReznov

Thanks, it's useful

Vanilla Proficient

Vanilla 1451

Posted
Posted

Okay you can change locale_game.txt but what if a user changes it back?

c++ > txt files

With his fix the server won't respond with an accurate message. Next thing is that people could write a tool to connect with the server and start the bruteforce - this way they won't even need the locale_game.txt and just fetch the result packet the server sends them. Telling people to consider changing a simple text file on a local client instead of a serverside source isn't really that secure^^' It's easier, yes. But comfortability sacrifices security.

 

Therefore: Thanks, I for myself didn't see it. Should be in the next vanilla core release with an option to change it (of course on by default so make sure it's secure)

  • Love 2

We are the tortured.
We're not your friends.
As long as we're not visible.
We are unfixable.

Link to comment
Share on other sites
  • Premium
Galet Mentor

Galet 501

Posted
  • Premium
Posted

I never told .txt was more secure than c++ but it's really more usefull to create a new error message with packet than using the NOID statement, or at least change the text in locale_game.txt

However, if the client is securized a bit, there won't be any problem for locale_game, but indeed you can trace the packet to fetch the result, you're right !

So yeah, c++ method is way better than only a locale_game.txt method, but I think using both could be better (new packet, new error, new message)

Link to comment
Share on other sites
 Share
Go to topic listing

Announcements



×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.