EQEmulator Forums

EQEmulator Forums (https://www.eqemulator.org/forums/index.php)
-   Support::MiniLogin (https://www.eqemulator.org/forums/forumdisplay.php?f=629)
-   -   MiniLogin decompiled/cracked (https://www.eqemulator.org/forums/showthread.php?t=23731)

Lalolyen 10-06-2007 06:59 PM

MiniLogin decompiled/cracked
 
Well I was told tonight that some of the software for the emu community wasn't quite open source. I explored that, and did find that the mini-login server is closed (pre-compiled), and upon decompiling it, there are parts that are "encoded", not encrypted as some thought.

The difference in the two is a true encryption involves 2 private keys, and 2 public keys, that exchange and overlay each other to make a true encryption that is almost unbreakable unless you happen to have one of the missing keys. For instance, when you send someone encrypted info, you are broadcasting your public key, the information is "sealed" with your PRIVATE key and the other user's PUBLIC key. Once this info is sent, the other user can only open it by using his private key and YOUR public key. These keys are NOT the same by far, and without one or the other, the encryption is virtually impossible to break.

Encoding is the act of using a hash, or a code, to scramble data; on the other side, if you have the "key" to this encoding, you can descramble it.

Encoding is usually broken in about 30 mins with a really strong 30 character key.

Well....

I have decoded it =)

Please do not ask me for the source right now. After I did decode it, I found out why they have it encoded.

The software is fairly simple, but the main thing they are hiding is their login server's authentication from server to server. Seriously... If you released that, there would be hackers galore right now eating up every server out there, creating SysOp accounts and booting everyone. YES you can control status from the login server, though I did find an option in the source of emu to not honor status requests from the login server; I'm sorry but that needs to be on by default... IF I CAN CRACK IT, that means there are a lot of others that can as well.

This means if I give out the source, and the algorithm falls into the wrong hands, there will be a lot of sysop accounts on our servers, and sysops that have been demoted and banned. Not to mention our servers could be flooded (literally meaning 1000 account creations per minute to take down the server) to no avail.

Also, KLS... Is there an easier way to disable ls server requests for a status change? I saw several spots where the variable lsop then setstatus 250 or so... one that said if shonorLSop, which I initialized to FALSE.

Lalolyen 10-06-2007 07:13 PM

I must say..... And no offense to the dev team... But this is why you do NOT close source things...

When there is a hole or a problem or someone decompiles it...

Well, let's say I was someone you pissed off a few years back... that wouldn't be a good thing at this point..

To clarify, that was an example lol, I'm not making any threats or insinuating anything... That lskey is safe as long as I'm the only one that has cracked it.

Secondly, and again, if it was open-source, the community, I, KLS, or the few hundred others here that are very active and intelligent could have provided you guys with a method of authenticating sessions, not just outright trusting an account creation based on a key received from the ls server (keep in mind I can "push" a packet anywhere I want and make it appear to be sent from George W's pc itself, that info is just modified packet headers and pushed packets... that's it.)

Being I'm probably just leaving a message on an answering machine here that won't get heard until another 4 or 5 months down the road... This situation is kind of urgent, not to mention the other community members here that are strangled at the fact they cannot contribute or submit code because of "dev team" inactivity. *not complaining, just repeating*

Suggestion...

Change the usrmeth() , re-release eqemu, keep that to yourself, open up the login server, let the community do what communities do best... Build, create, and improve.
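An added example, not minilogin's or EQEmu's own code, of the kind of session authentication this post asks for: the world server honors a status request only if it carries a MAC under a secret shared with the login server, is fresh, and has not been seen before, so a packet with a spoofed source address but no secret is rejected. SHARED_SECRET, the field names and MAX_SKEW_SECONDS are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed shared secret for this example, not minilogin's real key.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
MAX_SKEW_SECONDS = 30  # how old a request may be before it is rejected as stale


def _canonical(fields: dict) -> bytes:
    # Fixed field order and separators so both sides MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_status_request(account: str, status: int, secret: bytes,
                        now: Optional[int] = None, nonce: Optional[bytes] = None) -> dict:
    # Login-server side: the MAC covers account, status, timestamp and nonce.
    fields = {
        "account": account,
        "status": status,
        "ts": int(time.time()) if now is None else now,
        "nonce": (os.urandom(16) if nonce is None else nonce).hex(),
    }
    mac = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


class WorldServer:
    SIGNED = ("account", "status", "ts", "nonce")

    def __init__(self, secret: bytes, honor_ls_op: bool = True):
        self.secret = secret
        self.honor_ls_op = honor_ls_op  # the "honor LS op" switch the thread mentions
        self.seen_nonces = set()        # nonces already accepted, to stop replays

    def verify(self, msg: dict, now: Optional[int] = None) -> bool:
        if not self.honor_ls_op:
            return False
        if any(k not in msg for k in self.SIGNED) or "mac" not in msg:
            return False
        fields = {k: msg[k] for k in self.SIGNED}
        expected = hmac.new(self.secret, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["mac"])):
            return False  # forged or tampered: sender did not hold the shared secret
        now = int(time.time()) if now is None else now
        if abs(now - int(msg["ts"])) > MAX_SKEW_SECONDS:
            return False  # stale or pre-dated request
        if msg["nonce"] in self.seen_nonces:
            return False  # replay of a captured request
        self.seen_nonces.add(msg["nonce"])
        return True
```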

cofruben 10-06-2007 08:40 PM

I really think you just gave a new objective to the hackers: "So it can be cracked in 30min... let's go for it!"

I think it's a good idea to report possible exploits, and I really think this is a good step (someone would do this anyday..), but this sort of stuff should be spoken directly with developers in order to avoid future problems...shouldn't it?

Lalolyen 10-06-2007 09:12 PM

14 days in IRC... not one dev will respond...

We are talking serious 100% idling waiting for a response or something.

Lalolyen 10-06-2007 11:21 PM

OMG, saw IRC chat, the msg to FNW was blinking...

A ONE LINER! he he..

Quote:

FatherNitwit has quit (Ping timeout).
;)

** was a joke from another topic he he.

RangerDown 10-07-2007 08:08 AM

From reading some of the assertions you've made, I feel you've got an entirely wrong idea of why the loginserver was closed source.

You say that it's to hide how the loginserver talks to the worldservers, and assert that it's so nobody would be aware that the LS had a way of asking a worldserver to let them in on GM-Mgmt level. But let's keep this in mind:
  • You CAN figure out how the LS talks to the worldservers.... and you can do that simply by examining the Worldserver's code, which IS public source. The existence of any isop() functions can be clearly seen in the worldserver's source if they are there (I haven't seen the code in recent months so I'm going to just assume what you say about the world code is correct).
  • The version of LS you're discussing is minilogin. The minilogin server was intended for small-group LAN play, the kind where you don't have trust and account security issues (or if you do, you're playing alongside some serious psychopaths... watch your back both in game and IRL)
  • On the public loginserver, even in the absence of an LSOP function (or even if it's disabled on your server), you still have to put some trust in the LSops, because when you think about it, I'm sure they could make the LS "say" that the account logging in is <insert the account name/LSID of the world server's owner here> if they really want to.
  • IMO this function could serve quite a useful "support" purpose in that the devs could, upon request, jump into a server without having to say "alright, give me status 200 so I can check out that problem of yours... yeah, you use the #flag command.... no, you have to give arguments to it.... no, not my character name, my account name! Umm, you use /who all to figure out somebody's account name... you've never used the /who all command?!... /camp"
The login server is closed source for two major reasons. First, the original authors of it asked for it to be. Doesn't matter their reasons... if they say they don't want it distributed then, as lessees of their copyrighted LS software, we have to abide by their distribution terms. Second, if the crypto became public, SOE would play a big cat-and-mouse game where they're constantly changing login crypto just to make work for us.

Quote:

make it appear to be sent from George W's pc itself,
And every router in the world should instantly know to reject that packet as a fraud, because it couldn't come from George W's PC, because for his PC to send packets, he would have to know how to turn it on :D

Lalolyen 10-07-2007 11:09 AM

Yes, I was referring to the mini-login.

Are you saying that the two servers are near identical in construct?

Quote:

And every router in the world should instantly know to reject that packet as a fraud
That's not true, I think you've misinterpreted a firewall and a router. Home router that does 10 billion different things and can only handle about 50 nodes regardless that the factory says 253, they are about as secure as Madonna in a thong on a 30 day cruise on a Navy sub.

Routers are very simple pieces of electronics, pure router, meaning no DS1, DS3 etc termination, just routing only. They do not do what you said, nor do they do IPSec, IP filtering, etc.. They simply tell the "world" that a destination IP belongs in its network(s), and tell the network(s) that their destinations belong outside the router (next hop).

I'll rephrase, unless you are running a true firewall or Linux, you can make a packet appear to come from the IP address of GW.

number6 10-07-2007 08:46 PM

This is a tangential question, so I apologise for the slight derail... but does this mean there could be any possibility of a linux version of the minilogin server at some point in the future? I don't like to use windows for serving anything, ever :)

Paul.

gernblan 10-07-2007 10:03 PM

Quote:

Originally Posted by cofruben (Post 139182)
I really think you just gave a new objective to the hackers: "So it can be cracked in 30min... let's go for it!"

I think it's a good idea to report possible exploits, and I really think this is a good step (someone would do this anyday..), but this sort of stuff should be speaked directly with developers in order to avoid future problems...shouldn't it?

NO, because they don't listen any other way.

He did NOT say anything not already easily known by anyone with a brain and the right tools anyway.

This is absolutely the right way to go about this. I support him because he is RIGHT. Open this stuff up so that once and for all the community can fix this stuff and harden it up.

..and if the problem is that part of the code is SoE code (heaven forbid) then fine... let's find a workaround or a clean room emulation of it.

gernblan 10-07-2007 10:07 PM

Quote:

Originally Posted by RangerDown (Post 139199)
The login server is closed source for two major reasons. First, the original authors of it asked for it to be. Doesn't matter their reasons... if they say they don't want it distributed then, as lessees of their copyrighted LS software, we have to abide by their distribution terms. Second, if the crypto became public, SOE would play a big cat-and-mouse game where they're constantly changing login crypto just to make work for us.

1) NO, it was originally released as GPL, they can't just change their minds once they do that. Sure, they can release future version closed source, Mozilla license, hell use the Microsoft EULA for all I care but the code up to the POINT it was closed again should be available.

2) If the crypto became public it would make no difference because we're not patching our client versions. There's no way to change the crypto without changing the client. Sorry not trying to be rude but you do not know what you're talking about.

Angelox 10-07-2007 10:08 PM

Quote:

Originally Posted by number6 (Post 139207)
This is a tangential question, so I apologise for the slight derail... but does this mean there could be any possibility of a linux version of the minilogin server at some point in the future? I don't like to use windows for serving anything, ever :)
Paul.

Probably not, at least for now.
But you can use minilogin with wine under Linux fine - This is what I always have used with no problems. In fact, it works better for me under Linux, as clients don't hang like they used to under windows.
You should probably make it something to do for your friends and people you know, as you can see people are already bragging about how they can hack into it, and shouldn't be long before this starts.

mattmeck 10-07-2007 10:34 PM

Quote:

Originally Posted by gernblan (Post 139209)
1) NO, it was originally released as GPL, they can't just change their minds once they do that. Sure, they can release future version closed source, Mozilla license, hell use the Microsoft EULA for all I care but the code up to the POINT it was closed again should be available.

2) If the crypto became public it would make no difference because we're not patching our client versions. There's no way to change the crypto without changing the client. Sorry not trying to be rude but you do not know what you're talking about.



1) It is the crypto that was closed source, both for minilogin and for the regular login server. The crypto in the wrong hands would be a very bad thing, for us and for live servers. Keeping it closed source protects everyone who uses EQEmu and keeps SOE off our backs.

2) Plain and simple, the people who coded them don't want the source handed out, they have the right to request that and the Dev team is respecting it. It's been said in the past that anyone is free to code a new one and have it open source, however there is no point arguing over what is there currently, it will not change.

Lalolyen 10-08-2007 12:10 PM

Matt, just for clarification, crypto is the use really of two keys or a cipher (meaning the use of variable keys) to encrypt/encode something; what the program is using really is a simple encoding process.

About SoE, don't worry about them, or leave them to me. You shouldn't have any issues with SoE while I'm around, not unless the LS program has ummm... commandeered code from SoE, which it didn't appear to have.

Matt, I understand the person who coded it didn't want the source handed out, I know why, despite what a prior dev had to say, that or either the person was really selfish for some reason, but I tend to believe the other side of it.

Also, if you open source everything we have here, stick the GNU licensing on it (upgrade to version 3 as soon as it comes out btw!!!) you WILL NOT, I repeat WILL NOT have any issues with SoE. If they did try and cause problems, you can count on the attorneys of the Free Software Foundation (GNU) to help out, as they hate proprietary corporations who hoard code and try and extinguish those who compete and create similar code (not to mention their new license addresses code patents thanks to Microshit).

techguy84 10-08-2007 01:47 PM

Quote:

Originally Posted by Lalolyen
About SoE, don't worry about them, or leave them to me. You shouldn't have any issues with SoE while I'm around, not unless the LS program has ummm... commandeered code from SoE, which it didn't appear to have.



Pardon me while I try not to laugh.... *cough HA *cough

What makes you so special.... just curious?

If it involves the, "They can't do anything cause we're breaking no laws" you're right. But here's the thing about SOE. They're a big company, and big companies can put a whole world of unnecessary hurt on small communities like us. They can drive us to lose lots of things just to put up a defense against them. Most would not be willing to bankrupt themselves and lose their house just to at least get a lawyer that would work with them in court. And without proper defense and a deep knowledge of the law, whether you're in the right or the wrong, you're still going to lose cause you have no idea what you're doing.

It's just flat out not worth it, tempting fate that is.

Edgar1898 10-08-2007 02:07 PM

Heh, I really doubt that you were able to decompile my program. I have yet to find a decompiler that can decompile an exe and produce anything but useless garbage from it. Even a program as small and simple as minilogin. If you really have somehow decompiled it, send me a portion of the source code. I have the source code so don't worry about sharing it with me.
