Issue information

Issue ID: #7661
Status: Fixed
Severity: None
Started: Tepoo, Aug 18, 2013 21:21
Last Post: Haru, Oct 16, 2013 5:52
Confirmation: Yes (0) / No (3)

Tepoo - Aug 18, 2013 21:21

My team and I are creating our own patcher/login client at the moment.

In this development period we are now at the part where hashed passwords are sent to the server.
But unfortunately we don't get an established connection.
First we thought it was our fault, but the same thing happens when we use Loki.
Then we thought it was a problem of the launchers themselves, so we hashed our password manually and sent it over a shortcut.
But the same.

We researched the Hercules source code and figured out that in login.c, at line 1310, the flag session[fd]->flag.eof is true.
As there are 32+1 bytes needed for MD5 but only 23+1 are accepted at this point, it seems. That means more than 25 letters (bytes) = flag.eof true.

I would prefer it if you could fix this circumstance, as we would like to use our own patcher, which doesn't send the password in plaintext to the server.
And actually this is the only way to get accepted by a server.

greetings
Tepoo

This post has been edited by Tepoo on Aug 18, 2013 22:12

GodLesZ - Sep 8, 2013 7:30

Funny. I had to change this 3 years ago for my patcher used on my test server.
I came up with the simplest solution - using packet 0x01dd, adjusting packet_len and the array size of passhash (in login.c).

You may create a simple plugin which adds a packet for 0x01dd and implements the correct behavior.
If Hercules finishes its HPM hook system, a simple hook could work too.

As for the issue, everything is working as expected.
The max size of passwords in RO is 23+1 (as usernames are too), so there's no reason to raise it.
Maybe a new constant should be introduced for the length of passwords, which could be overwritten by a plugin.

Flash - Sep 12, 2013 14:56

OK, but why does the Hercules FluxCP allow passwords with a length of 30? That doesn't make much sense...
And it's really weird because the Loki launcher has the MD5 encryption option, though it will never work.

Haru - Sep 12, 2013 20:02

Sending an MD5 password instead of a plaintext one is completely, utterly pointless in my opinion. What does it defend you from? Eavesdropping? Not really, since if all you need to authenticate is the already MD5ed string, well, they can eavesdrop just that, and use it to log in.

The correct way to do this would be to use a challenge-response mechanism, which the client implements with packets 0x01dd, 0x01fa, 0x027c (not 100% sure on this, I'd need to check) - but I suspect those require an older client with the login interface built in.

I'm not sure how the MD5 encryption feature works in the Loki launcher (I have never used it), but if it just hashes the password before sending it, it's really pointless as I said before. The correct way to do that would be that the launcher program queries the server, receives a challenge, and then hashes the password together with the challenge, and then sends that through the client. That can probably be done with a login server plugin, and is beyond the scope of Hercules.

It's also true that we're probably not using the official implementation of packet 0x0825 though. I haven't researched how it should work, but it seems to have both a token (variable length) and a password (27 bytes) field. Does anyone know how that exactly works on kRO? Does it use both fields or either one?

schwierig - Sep 12, 2013 20:19

The only concern I would have is that anyone could sniff my plain password.
I wouldn't really care about my Ragnarok account, but login with plaintext passwords is always a no-go.

Can't answer your question though.

Haru - Sep 12, 2013 23:02

Well, there's absolutely no difference between sending a plaintext password and an MD5 hash, if anyone can log in anytime by sending the same string they sniffed. If the hash would change every time (i.e. as it happens in a challenge-response protocol), then it'd be another story.
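The distinction Haru draws in these two posts, as an added example that is not code from the thread or from Hercules: both "servers" below store md5(password), as an RO login server with MD5 passwords would; the naive one accepts the bare digest and so accepts it again when an eavesdropper replays it, while the challenge-response one binds each login to a one-shot random nonce, so the sniffed response is useless against the next challenge. The class and function names, the HMAC-SHA256 keyed with the MD5 verifier, and the account table are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed account table for the demo; not real credentials.
ACCOUNTS = {"tepoo": "s3cret-pass"}


def md5_bytes(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


# --- Scheme A: "just send the MD5 of the password" -------------------------
class NaiveMd5Server:
    """Stores md5(password) and accepts a login when the client sends exactly
    that digest. The digest itself is therefore the credential."""

    def __init__(self, accounts):
        self.verifiers = {u: md5_bytes(p.encode()) for u, p in accounts.items()}

    def login(self, userid: str, sent_digest: bytes) -> bool:
        stored = self.verifiers.get(userid)
        return stored is not None and hmac.compare_digest(stored, sent_digest)


def naive_client_message(password: str) -> bytes:
    """What a launcher that only hashes before sending puts on the wire."""
    return md5_bytes(password.encode())


def naive_demo():
    """Returns (legitimate_login_ok, replay_of_sniffed_bytes_ok)."""
    srv = NaiveMd5Server(ACCOUNTS)
    sniffed = naive_client_message(ACCOUNTS["tepoo"])  # seen by an eavesdropper
    first = srv.login("tepoo", sniffed)
    replay = srv.login("tepoo", sniffed)  # attacker resends the same bytes
    return first, replay


# --- Scheme B: challenge-response ------------------------------------------
class ChallengeServer:
    """Hypothetical login server: hands out a fresh nonce per login attempt and
    expects HMAC(verifier, nonce) back. Each nonce is consumed on first use."""

    def __init__(self, accounts):
        self.verifiers = {u: md5_bytes(p.encode()) for u, p in accounts.items()}
        self.pending = {}  # userid -> outstanding nonce

    def challenge(self, userid: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[userid] = nonce
        return nonce

    def login(self, userid: str, response: bytes) -> bool:
        nonce = self.pending.pop(userid, None)  # one-shot: gone after this call
        key = self.verifiers.get(userid)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response(password: str, nonce: bytes) -> bytes:
    """Client side: derive the same verifier and MAC the server's nonce."""
    key = md5_bytes(password.encode())
    return hmac.new(key, nonce, hashlib.sha256).digest()


def challenge_demo():
    """Returns (legitimate_login_ok, replay_of_sniffed_bytes_ok)."""
    srv = ChallengeServer(ACCOUNTS)
    nonce1 = srv.challenge("tepoo")
    sniffed = challenge_response(ACCOUNTS["tepoo"], nonce1)
    first = srv.login("tepoo", sniffed)
    srv.challenge("tepoo")               # server issues a new nonce
    replay = srv.login("tepoo", sniffed)  # old response no longer matches
    return first, replay


if __name__ == "__main__":
    print("naive md5:          login=%s replay=%s" % naive_demo())
    print("challenge-response: login=%s replay=%s" % challenge_demo())
```

One caveat the example makes visible: in scheme B the server-side verifier md5(password) is still password-equivalent, so a leaked account table lets an attacker answer challenges without knowing the password. Challenge-response defeats replay of sniffed traffic, which is the point made in the posts above; it does not substitute for a proper password hash in the database or for transport encryption.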

malufett - Sep 13, 2013 12:42

> I haven't researched how it should work, but it seems to have both a token (variable length) and a password (27 bytes) field. Does anyone know how that exactly works on kRO? Does it use both fields or either one?

This is how it works..
Log in on their site -> press game start -> a new browser window will open -> select a server in that window, then press start -> init.exe will start, then it will load the kRO patcher -> after that the patcher will start the Ragexe/RagexeRE...

Here is what the IE browser sent to init until it reaches the client-to-server step..
token<space>userid<space>integration type<space>server type

Vy23zFySFx5FASzTyGIDx5FDEMO1zCy1379075591zPy36000zAy33zEyVaKHx78x7ArhSgXd6bGx2FA5Vbrx78coUXLx2B6ljO0RQChA1ex78Ex79gt9RcXLLTx7A6iaBgOIdN1lYgME1G8G7q1rwseMkx2FcgFP1D50Sx79bkBpZJf7jLgovdFjMhhiGGjejqtSEEvx79XYjnoteufqltue8koJd65Qq1Yoix79LiZR7RItx79SdZx2B6nw5ZjRFg78kHCXupbMcoOCMT72zKyQtN3x2BoVA6JN2hXBAnx2Bvi1YNwuChBtiBrUD3cZvoWx2Fe8x3DzMyCIV8XPoiSaQx3Dz rud0lp20 G Sakray

And I don't think that the password is included in this token anyway. If you can hack my kRO password from this token, then you have successfully decoded the encryption.. This token expires after a certain time and it changes on every login..

:meow:

Haru - Oct 16, 2013 5:52

While it is still not advisable to use the MD5 hash of passwords, as I previously stated, this issue should now be solved as of https://github.com/HerculesWS/Hercules/commit/fad3040499293b1ff4ff634680163fcab4ca5e70