BE CAREFUL - DO NOT PLAY NOSFLOW!

04/01/2018 01:47 Tbp123#1
Basically, NosFlow is a server whose owner has the same nickname, and he is trying to decrypt passwords from his own database (and another one that he has) and steal items on Vendetta, or maybe on official too.

CHANGE YOUR PASSWORD IN VENDETTA AND OFFICIAL NOSTALE!

Proof:

TRANSLATION:

"Don't worry, I have 1,500 accounts from NosArmy" (an already dead server tho)

"I took the archive that was posted in epvp, there are passwords that cannot be decrypted and I have to use other programs, not only with the online decrypter" (basically he doesn't know anything about decrypting and is an asshole without a brain)
04/01/2018 01:49 AnimuNazi#2
Kindly post the archive, " for research purposes". :P
04/01/2018 02:10 NT Z0ltar#3
It is not possible to decrypt the passwords, because they are not encrypted; they use a hashing algorithm (SHA-512 for NosTale), so if he doesn't have clear passwords, he can't "decrypt" them.
04/01/2018 03:00 Tbp123#4
Quote:
Originally Posted by NT Z0ltar View Post
It is not possible to decrypt the passwords, because they are not encrypted; they use a hashing algorithm (SHA-512 for NosTale), so if he doesn't have clear passwords, he can't "decrypt" them.
I know they use SHA512, but some of these passwords are kinda common and decryptable, I tried with some.
04/01/2018 03:28 0Lucifer0#5
Quote:
Originally Posted by NT Z0ltar View Post
It is not possible to decrypt the passwords, because they are not encrypted; they use a hashing algorithm (SHA-512 for NosTale), so if he doesn't have clear passwords, he can't "decrypt" them.
Unfortunately the client sends them to the worldserver in plaintext, iirc the only SHA512 hashing is done for the login server >< or maybe they fixed it since.

Edit: if (account.Password.Equals(EncryptionHelper.Sha512(packet.Password), StringComparison.OrdinalIgnoreCase)) I confirm the packet with the password for the world connection is in plaintext
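Added example, not part of the original posts or of any server's code: the unsalted SHA-512 comparison quoted above, next to a salted PBKDF2-HMAC-SHA512 record, showing that unsalted digests expose which accounts share a password while salted records do not. The account names, passwords, function names and the iteration count are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 210_000  # assumed work factor for this example


def sha512_hex(password):
    """Unsalted SHA-512 hex digest, the storage scheme described in the thread."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def verify_unsalted(stored_hex, password):
    """Mirror of the quoted check: case-insensitive compare of hex digests."""
    return stored_hex.lower() == sha512_hex(password).lower()


def make_record(password, salt=None):
    """Hardened form: per-account random salt plus a slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_record(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def shared_digests(table):
    """Group account names by stored value; a group of 2+ means a shared password is visible."""
    groups = {}
    for name, value in table.items():
        groups.setdefault(value, []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


# Constructed sample accounts: two of them reuse the same common password.
ACCOUNTS = {"alice": "dragon123", "bob": "dragon123", "carol": "x7!Qm2#vLp"}


def demo():
    unsalted = {name: sha512_hex(pw) for name, pw in ACCOUNTS.items()}
    salted = {name: make_record(pw) for name, pw in ACCOUNTS.items()}
    salted_digests = {name: rec["digest"] for name, rec in salted.items()}
    return shared_digests(unsalted), shared_digests(salted_digests), salted
```
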
04/01/2018 11:14 Blowa#6
Simply by adding a new column which will be filled at registration without a hashed password.

Anyway, if a server owner does not mean about its userbase security, it's true that people should not play there :).
04/02/2018 00:46 NT Z0ltar#7
Quote:
Originally Posted by 0Lucifer0 View Post
Unfortunately the client sends them to the worldserver in plaintext, iirc the only SHA512 hashing is done for the login server >< or maybe they fixed it since.

Edit: if (account.Password.Equals(EncryptionHelper.Sha512(packet.Password), StringComparison.OrdinalIgnoreCase)) I confirm the packet with the password for the world connection is in plaintext
Yes, so if you know the password hash of an account, you can see the channel list without knowing the real password :p
04/02/2018 12:26 ThaRielFliege#8
Metin2 Account.sqls + SentryMBA with Config for Nostale = Enough Accounts on the official servers

Just don't use the same id and password and you are fine.