10-06-2007, 06:59 PM
Lalolyen
Banned
 
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169
MiniLogin decompiled/cracked

Well I was told tonight that some of the software for the emu community wasn't quite open source. I explored that, and did find that the mini-login server is closed (pre-compiled), and upon decompiling it, there are parts that are "encoded", not encrypted as some thought.

The difference between the two is that a true encryption involves 2 private keys and 2 public keys that exchange and overlay each other to make a true encryption that is almost unbreakable unless you happen to have one of the missing keys. For instance, when you send someone encrypted info, you are broadcasting your public key; the information is "sealed" with your PRIVATE key and the other user's PUBLIC key. Once this info is sent, the other user can only open it by using his private key and YOUR public key. These keys are NOT the same by far, and without one or the other, the encryption is virtually impossible to break.

Encoding is the act of using a hash, or a code, to scramble data; on the other side, if you have the "key" to this encoding, you can descramble it.

Encoding is usually broken in about 30 mins with a really strong 30 character key.

Well....

I have decoded it =)

Please do not ask me for the source right now. After I did decode it, I found out why they have it encoded.

The software is fairly simple, but the main thing they are hiding is their login server's authentication from server to server. Seriously... If you released that, there would be hackers galore right now eating up every server out there, creating SysOp accounts and booting everyone. YES, you can control status from the login server, though I did find an option in the source of emu to not honor status requests from the login server; I'm sorry, but that needs to be on by default... IF I CAN CRACK IT, that means there are a lot of others that can as well.

This means if I give out the source, and the algorithm falls into the wrong hands, there will be a lot of sysop accounts on our servers, and sysops that have been demoted and banned. Not to mention our servers could be flooded (literally meaning 1000 account creations per minute to take down the server) to no avail.

Also, KLS... Is there an easier way to disable ls server requests for a status change? I saw several spots where the variable lsop then setstatus 250 or so... one that said if shonorLSop which I initialized as FALSE.