Need help with checking passwords!

02/09/2012 00:17 xBlackPlagu3x#1
Code:
AuthClient Client = Sender.Wrapper as AuthClient;
if (Sender.RecvSize == 52)
{
    byte[] Recv = param;
    if (BitConverter.ToUInt16(Recv, 2) == 0x41B)
    {
        byte i = 0;
        Client.Username = Encoding.ASCII.GetString(Recv, 4, 16).Trim(new char[] { (char)0x0000 });
        Client.Password = "";
        while (i < 16)
        {
            Client.Password += Recv[i + 16].ToString("X2");
            i = (byte)(i + 1);
        }
Alright, so based on that, it's trying to take the password and convert it to hexadecimal format I believe. The question is, does anyone know how to make a PHP script that will register the passwords into a format that X2 can read or can anyone tell me how to make this just read the password that the user entered?
02/09/2012 12:38 Mr_PoP#2
PHP Code:

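function hexEncode($str=NULL){

        if(is_null($str)){
                return FALSE;
        }

        $hexStr = "";

        for($i=0;isset($str[$i]);$i++){
                // Pad to two hex digits so bytes below 0x10 keep their leading zero
                $char = str_pad(dechex(ord($str[$i])), 2, "0", STR_PAD_LEFT);
                $hexStr .= $char;
        }

        return "0x".$hexStr;
}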


02/09/2012 13:18 I don't have a username#3
Why do you want it to be in hex anyways? You should hash it instead.
02/09/2012 20:38 xBlackPlagu3x#4
Quote:
Originally Posted by Mr_PoP
PHP Code:

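function hexEncode($str=NULL){

        if(is_null($str)){
                return FALSE;
        }

        $hexStr = "";

        for($i=0;isset($str[$i]);$i++){
                // Pad to two hex digits so bytes below 0x10 keep their leading zero
                $char = str_pad(dechex(ord($str[$i])), 2, "0", STR_PAD_LEFT);
                $hexStr .= $char;
        }

        return "0x".$hexStr;
}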


Edit: Upon trying to register an account and then logging in, it failed. =/
Here is the password I registered under: 123456789
Here is what the database read the password from the client as: "00000000C88AF1DF3AA3F4E7A9E65C3C"
And here is what is registered in the database: 0x313233343536373839

Quote:
Originally Posted by I don't have a username
Why do you want it to be in hex anyways? You should hash it instead.
I don't want it to be in hex, the problem is, I haven't learned how to encrypt/decrypt with code yet so I don't know how to change it to that. =[
02/09/2012 20:59 Kiyono#5
Just a simple question but what is it that you're trying to achieve? A register page that is capable of encrypting passwords compatible with CO?
02/09/2012 21:11 xBlackPlagu3x#6
Quote:
Originally Posted by Kiyono
Just a simple question but what is it that you're trying to achieve? A register page that is capable of encrypting passwords compatible with CO?
Basically, but encrypting passwords that the source I have can read. ._.
My two options are to either find a PHP script that will register the passwords right, or remove the current password reading system, and just have it read the password from the client as a string, straight on.
02/09/2012 21:14 Kiyono#7
Quote:
Originally Posted by xBlackPlagu3x
Basically, but encrypting passwords that the source I have can read. ._.
My two options are to either find a PHP script that will register the passwords right, or remove the current password reading system, and just have it read the password from the client as a string, straight on.
Which source are you using? A lot of the newer released sources store the password as plain text.
02/09/2012 22:35 xBlackPlagu3x#8
Quote:
Originally Posted by Kiyono
Which source are you using? A lot of the newer released sources store the password as plain text.
Arco's 5017
02/09/2012 23:09 Kiyono#9
Since Arco's 5017 is based off Hybrid's base, this should work:
ctrl + f for public static void AuthReceive(HybridWinsockClient Sender, byte[] param)
//edit delete this part:
Code:
while (i < 16)
{
    Client.Password += Recv[i + 16].ToString("X2");
    i = (byte)(i + 1);
}
And stick this there.
Code:
Client.Password = "";
byte[] passarray = new byte[16];
Buffer.BlockCopy(Recv, 20, passarray, 0, 16);
Client.Password = ConquerPasswordCryptographer.Decrypt(passarray).TrimEnd('\0');
Console.WriteLine(Client.Password);
And put this somewhere:
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;

namespace ConquerServer_Basic
{
     public sealed class ConquerPasswordCryptographer
     {
          private static uint[] _key = new uint[] {
                                        0xEBE854BC, 0xB04998F7, 0xFFFAA88C, 0x96E854BB, 
                                        0xA9915556, 0x48E44110, 0x9F32308F, 0x27F41D3E, 
                                        0xCF4F3523, 0xEAC3C6B4, 0xE9EA5E03, 0xE5974BBA, 
                                        0x334D7692, 0x2C6BCF2E, 0xDC53B74,  0x995C92A6, 
                                        0x7E4F6D77, 0x1EB2B79F, 0x1D348D89, 0xED641354, 
                                        0x15E04A9D, 0x488DA159, 0x647817D3, 0x8CA0BC20, 
                                        0x9264F7FE, 0x91E78C6C, 0x5C9A07FB, 0xABD4DCCE, 
                                        0x6416F98D, 0x6642AB5B };

          private static uint LeftRotate(uint dwVar, uint dwOffset)
          {
               uint dwTemp1, dwTemp2;

               dwOffset = dwOffset & 0x1F;
               dwTemp1 = dwVar >> (int)(32 - dwOffset);
               dwTemp2 = dwVar << (int)dwOffset;
               dwTemp2 = dwTemp2 | dwTemp1;

               return dwTemp2;
          }

          private static uint RightRotate(uint dwVar, uint dwOffset)
          {
               uint dwTemp1, dwTemp2;

               dwOffset = dwOffset & 0x1F;
               dwTemp1 = dwVar << (int)(32 - dwOffset);
               dwTemp2 = dwVar >> (int)dwOffset;
               dwTemp2 = dwTemp2 | dwTemp1;

               return dwTemp2;
          }

          public static byte[] Encrypt(string password)
          {
               byte[] result = new byte[16];
               Encoding.ASCII.GetBytes(password).CopyTo(result, 0);
               BinaryReader reader = new BinaryReader(new MemoryStream(result, false));
               uint[] passInts = new uint[4];
               for (uint i = 0; i < 4; i++)
                    passInts[i] = (uint)reader.ReadInt32();

               uint temp1, temp2;
               for (int i = 1; i >= 0; i--)
               {
                    temp1 = _key[5] + passInts[(i * 2) + 1];
                    temp2 = _key[4] + passInts[i * 2];
                    for (int j = 0; j < 12; j++)
                    {
                         temp2 = LeftRotate(temp1 ^ temp2, temp1) + _key[j * 2 + 6];
                         temp1 = LeftRotate(temp1 ^ temp2, temp2) + _key[j * 2 + 7];
                    }
                    passInts[i * 2] = temp2;
                    passInts[i * 2 + 1] = temp1;
               }

               BinaryWriter writer = new BinaryWriter(new MemoryStream(result, true));
               for (uint i = 0; i < 4; i++)
                    writer.Write((int)passInts[i]);
               return result;
          }

          public static string Decrypt(byte[] bytes)
          {
               BinaryReader reader = new BinaryReader(new MemoryStream(bytes, false));
               uint[] passInts = new uint[4];
               for (uint i = 0; i < 4; i++)
                    passInts[i] = (uint)reader.ReadInt32();

               uint temp1, temp2;
               for (int i = 1; i >= 0; i--)
               {
                    temp1 = passInts[(i * 2) + 1];
                    temp2 = passInts[i * 2];
                    for (int j = 11; j >= 0; j--)
                    {
                         temp1 = RightRotate(temp1 - _key[j * 2 + 7], temp2) ^ temp2;
                         temp2 = RightRotate(temp2 - _key[j * 2 + 6], temp1) ^ temp1;
                    }
                    passInts[i * 2 + 1] = temp1 - _key[5];
                    passInts[i * 2] = temp2 - _key[4];
               }

               BinaryWriter writer = new BinaryWriter(new MemoryStream(bytes, true));
               for (uint i = 0; i < 4; i++)
                    writer.Write((int)passInts[i]);
               for (int i = 0; i < 16; i++)
                    if (bytes[i] == 0)
                         return Encoding.ASCII.GetString(bytes, 0, i);
               return Encoding.ASCII.GetString(bytes);
          }
     }
}
You can now use plain text passwords.
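Added example, not part of the post above or of the source it patches: it parses a constructed 52-byte auth packet with the offsets used in the thread's code and prints what the original `Recv[i + 16]` loop reads next to what `Buffer.BlockCopy(Recv, 20, ...)` reads. The value logged in post #4 begins with 00000000, which is consistent with the loop picking up the last four padding bytes of the username field. The class and method names are hypothetical and the password bytes are placeholders, not real ciphertext.

```csharp
using System;
using System.Text;

public static class AuthRequestDemo
{
    // Layout as used by the code in this thread: 52-byte packet, type 0x41B at
    // offset 2, username at 4..19, encrypted password at 20..35.
    const int PacketSize = 52, UserOffset = 4, PassOffset = 20, FieldSize = 16;

    public static bool TryParse(byte[] recv, out string user, out byte[] encPass)
    {
        user = null;
        encPass = null;
        if (recv == null || recv.Length != PacketSize) return false;
        if (BitConverter.ToUInt16(recv, 2) != 0x41B) return false;
        user = Encoding.ASCII.GetString(recv, UserOffset, FieldSize).TrimEnd('\0');
        encPass = new byte[FieldSize];
        Buffer.BlockCopy(recv, PassOffset, encPass, 0, FieldSize);
        return true;
    }

    // Hex of 16 bytes starting at 'offset', formatted like the original X2 loop.
    public static string HexAt(byte[] recv, int offset)
    {
        return BitConverter.ToString(recv, offset, FieldSize).Replace("-", "");
    }

    public static void Main()
    {
        // Constructed packet: the password field holds placeholder bytes.
        byte[] recv = new byte[PacketSize];
        BitConverter.GetBytes((ushort)0x41B).CopyTo(recv, 2);
        Encoding.ASCII.GetBytes("testuser").CopyTo(recv, UserOffset);
        for (int i = 0; i < FieldSize; i++) recv[PassOffset + i] = (byte)(0xA0 + i);

        string user; byte[] encPass;
        if (!TryParse(recv, out user, out encPass))
            throw new InvalidOperationException("not an auth request");
        Console.WriteLine("user      : " + user);
        // Recv[i + 16]: last 4 bytes of the username field, then only 12 password bytes.
        Console.WriteLine("offset 16 : " + HexAt(recv, 16));
        // Recv[20..35]: the full encrypted password field that Decrypt expects.
        Console.WriteLine("offset 20 : " + HexAt(recv, PassOffset));
    }
}
```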
02/09/2012 23:46 xBlackPlagu3x#10
Thank you Kiyono! It reads the password perfectly, but now my only problem is it keeps disconnecting the client because it says that it lost the connection to the server. =/ But thank you for helping me get one thing solved!
02/09/2012 23:53 Korvacs#11
If you decrypt to plain text you should really hash it to md6 and then compare that to an md6 hash in the database which the website would use, far more secure than plain text in the database.
02/10/2012 00:14 xBlackPlagu3x#12
Quote:
Originally Posted by Korvacs
If you decrypt to plain text you should really hash it to md6 and then compare that to an md6 hash in the database which the website would use, far more secure than plain text in the database.
Thanks for the advice, and I might actually do that, but first I need to be able to login. =/
02/10/2012 11:51 Kiyono#13
Since you're considering using hashed passwords in the database, here's a useful piece of code from Fusion Origins:
Code:
using System.Security.Cryptography;
using System.Text;

public class SHA2
{
    // Returns the SHA-256 digest of the UTF-8 bytes of phrase as uppercase hex.
    public static string sha256encrypt(string phrase)
    {
        UTF8Encoding encoder = new UTF8Encoding();
        SHA256Managed sha256hasher = new SHA256Managed();
        byte[] hashedDataBytes = sha256hasher.ComputeHash(encoder.GetBytes(phrase));
        return byteArrayToString(hashedDataBytes);
    }

    // "X2" formats each byte as two uppercase hex digits.
    private static string byteArrayToString(byte[] inputArray)
    {
        StringBuilder output = new StringBuilder("");
        for (int i = 0; i < inputArray.Length; i++)
        {
            output.Append(inputArray[i].ToString("X2"));
        }
        return output.ToString();
    }
}
So instead of Client.Password = ConquerPasswordCryptographer.Decrypt(passarray).TrimEnd('\0');
Client.Password = SHA2.sha256encrypt(ConquerPasswordCryptographer.Decrypt(passarray).TrimEnd('\0'));

Then just make the register script encrypt them to sha256 too and compare these 2.
02/10/2012 12:00 Korvacs#14
Yes, fully forgot I even used SHA2 in that source, thanks for reminding me!