Originally posted by [b]theultramage[/b]
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=2323
For some ridiculous reason, the values of the kafra storage password aren't stored as they are. Instead, the values in the database use a primitive obfuscation:
CODE
set #kafra_code,@code+getcharid(3)+1337;
the code is shifted by a constant (1337) and the owner's account id.
Now let me ask you, what is the point of this?
Q: To prevent cracking the password if someone gets access to the database?
A: No. the account id value is right there in the column next to it.
Q: "Note: You can change '1337' value to another to raise password protection" [Lupus]
A: No. You just need to become a player and create your own kafra password before stealing the database, and just extract the constant from that.
To actually improve the 'security' of this thing, you'd need to change the equation to something different, custom. And since that requires customization of the script itself, it shouldn't be part of the base eathena package. Let the admins of RO servers deal with their security, and get rid of this.
Proposed solution: add adapter code that permanently converts the value from old format to new format, and leave it there for a year or so.
Note: due to stupid design, there are actually at least 2 separate places that apply the equation, so you'll need to modify all of them.
This post has been edited by theultramage: Oct 7 2008, 02:20 PM