Mr.Slime 116 Posted February 17, 2016 Share Posted February 17, 2016 Hi guys. The game core sends different login result to the server for password wrong and user id not found. Just one example it's possibile to test with sending packets 9 accounts per second. Affects: Every game core Fix: Search for this in input_db.cpp: case HEADER_DG_LOGIN_NOT_EXIST: LoginFailure(DESC_MANAGER:.instance().FindByHandle(m_dwHandle), "NOID"); break; case HEADER_DG_LOGIN_WRONG_PASSWD: LoginFailure(DESC_MANAGER:.instance().FindByHandle(m_dwHandle), "WRONGPWD"); break; and replace the WRONGPWD with NOID. So you blocked the way to detect if an account exists. Best Regards, Mr.Slime 6 Link to comment Share on other sites More sharing options...
Bot Metin2 Dev 4873 Posted February 19, 2016 Bot Share Posted February 19, 2016 I think that better way is change the lines in locale_game.txt Link to comment Share on other sites More sharing options...
Mr.Slime 116 Posted February 19, 2016 Author Share Posted February 19, 2016 C++ better of .txt ahahha Link to comment Share on other sites More sharing options...
Premium Galet 509 Posted February 19, 2016 Premium Share Posted February 19, 2016 35 minutes ago, Mr.Slime said: C++ better of .txt ahahha The result is just the same, no matter which one is better, the locale_game.txt method is a bit better because you don't have to change anything in sources and moreover the result will be exactly the same Link to comment Share on other sites More sharing options...
Vanilla 1454 Posted February 19, 2016 Share Posted February 19, 2016 Okay you can change locale_game.txt but what if a user changes it back? c++ > txt files With his fix the server won't respond with an accurate message. Next thing is that people could write a tool to connect with the server and start the bruteforce - this way they won't even need the locale_game.txt and just fetch the result packet the server sends them. Telling people to consider changing a simple text file on a local client instead of a serverside source isn't really that secure^^' It's easier, yes. But comfortability sacrifices security. Therefore: Thanks, I for myself didn't see it. Should be in the next vanilla core release with an option to change it (of course on by default so make sure it's secure) 2 We are the tortured. We're not your friends. As long as we're not visible. We are unfixable. Link to comment Share on other sites More sharing options...
Premium Galet 509 Posted February 19, 2016 Premium Share Posted February 19, 2016 I never told .txt was more secure than c++ but it's really more usefull to create a new error message with packet than using the NOID statement, or at least change the text in locale_game.txt However, if the client is securized a bit, there won't be any problem for locale_game, but indeed you can trace the packet to fetch the result, you're right ! So yeah, c++ method is way better than only a locale_game.txt method, but I think using both could be better (new packet, new error, new message) Link to comment Share on other sites More sharing options...
Mr.Slime 116 Posted February 19, 2016 Author Share Posted February 19, 2016 Thanks @Vanilla Link to comment Share on other sites More sharing options...
RealReznov 15 Posted February 20, 2016 Share Posted February 20, 2016 Thanks, it's useful 1 Link to comment Share on other sites More sharing options...
Mr.Slime 116 Posted February 20, 2016 Author Share Posted February 20, 2016 Thanks @RealReznov Link to comment Share on other sites More sharing options...
RealReznov 15 Posted February 20, 2016 Share Posted February 20, 2016 No problem But i tested it, and it still says the text of LOGIN_FAILURE_WRONG_PASSWORD after compile. Did you tested it? Link to comment Share on other sites More sharing options...
Mr.Slime 116 Posted February 20, 2016 Author Share Posted February 20, 2016 Sure Link to comment Share on other sites More sharing options...
RealReznov 15 Posted February 20, 2016 Share Posted February 20, 2016 Then I don't know why doesn't works for me (input_db had compiled) I've rewrited login_failure_wrong_password in locale_game to check it, and it says it, that i rewrited when i type wrong pw. Link to comment Share on other sites More sharing options...
Premium ragem0re 155 Posted February 20, 2016 Premium Share Posted February 20, 2016 It's just a copy from DevChuckNorris @ VIP-Area Link to comment Share on other sites More sharing options...
Recommended Posts