MiniLogin decompiled/cracked
Well I was told tonight that some of the software for the emu community wasn't quite open source. I explored that, and did find that the mini-login server is closed (pre-compiled), and upon decompiling it, there are parts that are "encoded", not encrypted as some thought.
The difference in the two is a true encryption involves 2 private keys, and 2 public keys, that exchange and overlay each other to make a true encryption that is almost unbreakable unless you happen to have one of the missing keys. For instance, when you send someone encrypted info, you are broadcasting your public key, the information is "sealed" with your PRIVATE key and the other user's PUBLIC key. Once this info is sent, the other user can only open it by using his private key and YOUR public key. These keys are NOT the same by far, and without one or the other, the encryption is virtually impossible to break. Encoding is the act of using a hash, or a code, to scramble data; on the other side, if you have the "key" to this encoding, you can descramble it. Encoding is usually broken in about 30 mins with a really strong 30 character key. Well.... I have decoded it =) Please do not ask me for the source right now. After I did decode it, I found out why they have it encoded. The software is fairly simple, but the main thing they are hiding is their login server's authentication from server to server. Seriously... If you released that, there would be hackers galore right now eating up every server out there, creating SysOp accounts and booting everyone. YES you can control status from the login server, though I did find an option in the source of emu to not honor status requests from the login server; I'm sorry but that needs to be on by default... IF I CAN CRACK IT, that means there are a lot of others that can as well. This means if I give out the source, and the algorithm falls into the wrong hands, there will be a lot of sysop accounts on our servers, and sysops that have been demoted and banned. Not to mention our servers could be flooded (literally meaning 1000 account creations per minute to take down the server) to no avail. Also, KLS... Is there an easier way to disable ls server requests for a status change?
I saw several spots where the variable lsop then setstatus 250 or so... one that said if shonorLSop which I initialized to FALSE. |
I must say..... And no offense to the dev team... But this is why you do NOT close source things...
When there is a hole or a problem or someone decompiles it... Well let's say I was someone you pissed off a few years back... that wouldn't be a good thing at this point.. To clarify, that was an example lol, I'm not making any threats or insinuating anything... That lskey is safe as long as I'm the only one that has cracked it. Secondly, and again, if it was open-source, the community, I, KLS, or the few hundred others here that are very active and intelligent could have provided you guys with a method of authenticating sessions, not just outright trusting an account creation based on a key received from the ls server (keep in mind I can "push" a packet anywhere I want and make it appear to be sent from George W's pc itself, that info is just modified packet headers and pushed packets... that's it.) Being I'm probably just leaving a message on an answering machine here that won't get heard until another 4 or 5 months down the road... This situation is kind of urgent, not to mention the other community members here that are strangled at the fact they cannot contribute or submit code because of "dev team" inactivity. *not complaining, just repeating* Suggestion... Change the usrmeth() , re-release eqemu, keep that to yourself, open up the login server, let the community do what communities do best... Build, create, and improve. |
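The session-authentication idea raised in that post, as an added example that is not part of the thread or of EQEmu's code: the login server attaches a nonce, a timestamp and an HMAC tag to each status request, and the world server honours the request only if the tag verifies, the timestamp is fresh and the nonce has not been seen. The shared secret, the message fields and the skew window are assumptions chosen for the example.

```python
import hmac, hashlib, json, os, time

# Constructed shared secret for the example; a deployment would provision one per world server.
SHARED_SECRET = b"constructed-example-secret"
_seen_nonces = set()  # world-server replay cache (in-memory for the example)


def _canonical(msg):
    # Stable serialization so both servers authenticate identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def ls_sign_request(account, status, secret=SHARED_SECRET, now=None):
    """Login-server side: build a status request and tag it with HMAC-SHA256."""
    msg = {
        "account": account,
        "status": status,
        "nonce": os.urandom(16).hex(),
        "ts": int(now if now is not None else time.time()),
    }
    tag = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


def world_verify_request(req, secret=SHARED_SECRET, now=None, max_skew=30, seen=_seen_nonces):
    """World-server side: return (accepted, reason); accept only valid, fresh, unseen requests."""
    msg, tag = req.get("msg"), req.get("tag")
    if not isinstance(msg, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"  # forged or tampered; the source IP alone proves nothing
    now = int(now if now is not None else time.time())
    if abs(now - msg.get("ts", 0)) > max_skew:
        return False, "stale"  # outside the clock-skew window
    nonce = msg.get("nonce")
    if not nonce or nonce in seen:
        return False, "replay"  # the same signed packet pushed a second time
    seen.add(nonce)
    return True, "ok"
```

A request with a bad tag, an old timestamp or a reused nonce is refused regardless of where the packet claims to come from.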
I really think you just gave a new objective to the hackers: "So it can be cracked in 30min... let's go for it!"
I think it's a good idea to report possible exploits, and I really think this is a good step (someone would do this any day..), but this sort of stuff should be spoken directly with developers in order to avoid future problems...shouldn't it? |
14 days in IRC... not one dev will respond...
We are talking serious 100% idling waiting for a response or something. |
OMG, saw IRC chat, the msg to FNW was blinking...
A ONE LINER! he he.. Quote:
** was a joke from another topic he he. |
From reading some of the assertions you've made, I feel you've got an entirely wrong idea of why the loginserver was closed source.
You say that it's to hide how the loginserver talks to the worldservers, and assert that it's so nobody would be aware that the LS had a way of asking a worldserver to let them in on GM-Mgmt level. But let's keep this in mind: The login server is closed source for two major reasons. First, the original authors of it asked for it to be. Doesn't matter their reasons... if they say they don't want it distributed then, as lessees of their copyrighted LS software, we have to abide by their distribution terms. Second, if the crypto became public, SOE would play a big cat-and-mouse game where they're constantly changing login crypto just to make work for us. Quote:
|
Yes I was referring to the mini-login.
Are you saying that the two servers are near identical in construct? Quote:
Routers are very simple pieces of electronics, pure router, meaning no DS1, DS3 etc termination, just routing only. They do not do what you said, and do IPSec, IP Filtering, etc.. They simply tell the "world" that a destination IP belongs in its network(s), and tells the network(s) that their destinations belong outside the router (next hop). I'll rephrase, unless you are running a true firewall or Linux, you can make a packet appear to come from the IP address of GW. |
This is a tangential question, so I apologise for the slight derail... but does this mean there could be any possibility of a linux version of the minilogin server at some point in the future? I don't like to use windows for serving anything, ever :)
Paul. |
Quote:
He did NOT say anything not already easily known by anyone with a brain and the right tools anyway. This is absolutely the right way to go about this. I support him because he is RIGHT. Open this stuff up so that once and for all the community can fix this stuff and harden it up. ..and if the problem is that part of the code is SoE code (heaven forbid) then fine... let's find a workaround or a clean room emulation of it. |
Quote:
2) If the crypto became public it would make no difference because we're not patching our client versions. There's no way to change the crypto without changing the client. Sorry not trying to be rude but you do not know what you're talking about. |
Quote:
But you can use minilogin with wine under Linux fine - This is what I always have used with no problems. In fact, it works better for me under Linux, as clients don't hang like they used to under windows. You should probably make it something to do for your friends and people you know, as you can see people are already bragging about how they can hack into it, and shouldn't be long before this starts. |
Quote:
1) It is the crypto that was closed source, both for minilogin and for the regular login server. The crypto in the wrong hands would be a very bad thing, for us and for live servers. Keeping it closed source protects everyone who uses EQEmu and keeps SOE off our backs. 2) plain and simple, the people who coded them don't want the source handed out, they have the right to request that and the Dev team is respecting it. It's been said in the past that anyone is free to code a new one and have it open source, however there is no point arguing over what is there currently, it will not change. |
Matt, just for clarification, crypto is the use really of two keys or a cipher (meaning the use of variable keys), to encrypt/encode something, what the program is using really is a simple encoding process.
About SoE, don't worry about them, or leave them to me. You shouldn't have any issues with SoE while I'm around not unless the LS program has ummm... commandeered code from SoE which it didn't appear to have. Matt I understand the person whom coded it didn't want the source handed out, I know why, despite what a prior dev had to say, that or either the person was really selfish for some reason, but I tend to believe the other side of it. Also, if you open source everything we have here, stick the GNU licensing on it (upgrade to version 3 as soon as it comes out btw!!!) you WILL NOT, I repeat WILL NOT have any issues with SoE. If they did try and cause problems, you can count on the attorneys of the Free Software Foundation (GNU) to help out, as they hate proprietary corporations who hoard code and try and extinguish those who compete and create similar code (not to mention their new license addresses code patents thanks to Microshit). |
Quote:
Pardon me while I try not to laugh.... *cough HA *cough What makes you so special.... just curious? If it involves the, "They can't do anything cause we're breaking no laws" you're right. But here's the thing about SOE. They're a big company, and big companies can put a whole world of unnecessary hurt on small communities like us. They can drive us to lose lots of things just to put up a defense against them. Most would not be willing to bankrupt themselves and lose their house just to at least get a lawyer that would work with them in court. And without proper defense and a deep knowledge of the law, whether you're in the right or the wrong, you're still going to lose cause you have no idea what you're doing. It's just flat out not worth it, tempting fate that is. |
Heh, I really doubt that you were able to decompile my program. I have yet to find a decompiler that can decompile an exe and produce anything but useless garbage from it. Even a program as small and simple as minilogin. If you really have somehow decompiled it, send me a portion of the source code. I have the source code so don't worry about sharing it with me.