[Release] Fix for protecting your passwords! (BlizzardCO)

Discussion on [Release] Fix for protecting your passwords! (BlizzardCO) within the CO2 PServer Guides & Releases forum part of the CO2 Private Server category.

#1   Spirited (joined Jul 2011)

What is this?

This is protection for your server! It's easy to accidentally leave an exploit in your website (SQL injection) or give access away to bad people who can get a dump of all your accounts! This fix doesn't help prevent the above, but it does protect you and your players by replacing your passwords with secure hashes. That way if your database is ever leaked, the passwords are useless!

How does it work?

A hash is like one-way encryption. Once hashed, you can't un-hash it! This tutorial goes a step further and also "salts" your hashes (protecting you against dictionary attacks, and making the same password for different accounts have different hashes). Here's how the password "test" would look in your database for two different accounts:

Code:
23d627df5a2b0bf4ac9c8a083214c8c286df4191b792472fce3662a3368fc832
cf58ee9a4632ad82bdecb0515aedec249b38f5353c2eefdf2447b6f20ed70851

Who is this for?

I made this fix for BlizzardCO sources, but this is for everyone, and you can share it! Make your own tutorials on how to do this for other sources, or ask me for a tutorial. Share it with everyone you know who uses these sources!

How do I fix my source?

Just follow the steps below:
  1. Turn off your server and website, and make a backup of everything!
  2. Open Navicat or MySQL Workbench and run the following queries:

    Code:
    ALTER TABLE `accounts` 
    ADD COLUMN `salt` VARCHAR(45) NULL AFTER `password`;
    
    -- Existing accounts have no salt yet. Give every one of them a salt before
    -- anything is hashed: in MySQL CONCAT(password, NULL) is NULL, so hashing
    -- first would wipe every stored password.
    UPDATE accounts SET salt = SUBSTRING(MD5(RAND()), -10) WHERE salt IS NULL;
  3. Make sure to run this query only once, and before the triggers in the next step exist (the BEFORE UPDATE trigger would otherwise hash the result a second time and lock every existing player out):

    Code:
    UPDATE accounts SET password = sha2(concat(password, salt), 256);
  4. Now create the triggers, so every password that is inserted or changed from here on is salted and hashed the same way:

    Code:
    DROP TRIGGER IF EXISTS `accounts_salt_password_insert`;
    
    DELIMITER $$
    CREATE DEFINER = CURRENT_USER TRIGGER `accounts_salt_password_insert` BEFORE INSERT ON `accounts` FOR EACH ROW
    BEGIN
        -- 10 hex characters of salt per account, then sha2(concat(password, salt), 256)
        SET NEW.salt = (SUBSTRING(MD5(RAND()), -10));
        SET NEW.password = sha2(concat(NEW.password, NEW.salt), 256);
    END$$
    DELIMITER ;
    
    DROP TRIGGER IF EXISTS `accounts_salt_password_update`;
    
    DELIMITER $$
    CREATE DEFINER = CURRENT_USER TRIGGER `accounts_salt_password_update` BEFORE UPDATE ON `accounts` FOR EACH ROW
    BEGIN
        -- Only re-hash when the password actually changes (it keeps the account's existing salt)
        IF NEW.password <> OLD.password THEN  
            SET NEW.password = sha2(concat(NEW.password, NEW.salt), 256);
        END IF;
    END$$
    DELIMITER ;
  5. Now open your server source in Visual Studio. In Database/Accounts.cs, add "Salt" to initializers:

    Code:
    public string Account, Password, Character, Status, Salt;
  6. In the same file, find...
    Code:
    acc.Password = reader["Password"].ToString();
    And add this under it:
    Code:
    acc.Salt = reader["Salt"].ToString();
  7. Add this to the top of the file:
    Code:
    using System.Security.Cryptography;
    using System.Text; // for Encoding.ASCII in the next step, if the file doesn't already have it
  8. Finally, replace ...
    Code:
    if (Password == (acc.Password))
    With...
    Code:
    byte[] hashedBytes;
    // Same computation as the MySQL triggers: sha2(concat(password, salt), 256)
    using (SHA256Managed sha2 = new SHA256Managed())
        hashedBytes = sha2.ComputeHash(Encoding.ASCII.GetBytes(Password + acc.Salt));
    
    // MySQL's SHA2() returns lowercase hex, so format the digest the same way before comparing
    string hashedPassword = BitConverter.ToString(hashedBytes).Replace("-", string.Empty).ToLower();
    if (hashedPassword == acc.Password)
  9. Build your server and start everything back up!

Troubleshooting

If you get an error saying your password column isn't long enough, you can run the following command to change the size of your column:

Code:
ALTER TABLE `accounts` 
CHANGE COLUMN `password` `password` NVARCHAR(70) NULL DEFAULT NULL;

If you have any problems changing the files and tables above, just let me know. Cheers!
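As an added example (not code from the post above or from the BlizzardCO source), the Python below reproduces what the triggers and the C# login check compute, sha2(concat(password, salt), 256) as lowercase hex, so you can check a migrated row offline before players try to log in. The names hash_password, new_salt, verify_login and migrate_accounts are this example's own. It goes a little beyond the post in two places: the migration only touches rows whose salt is still NULL, which is what the "run this query only once" warning is about (hashing an already-hashed row locks that player out), and the comparison uses a constant-time compare instead of ==. One caveat a practitioner would add: a single SHA-256 is very fast to compute, so if the dump does leak, guessing weak passwords stays cheap; the scheme is a large improvement over plaintext, but a purpose-built password hash (bcrypt, PBKDF2 or Argon2) is the usual choice where you control both the login server and the website.

```python
# Added example: not from the original post or the BlizzardCO source.
# Python model of the scheme the post installs: stored = hex(SHA256(password || salt)),
# i.e. MySQL's sha2(concat(password, salt), 256) and the C# SHA256Managed check.
# Function names (hash_password, new_salt, verify_login, migrate_accounts) are assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def hash_password(password: str, salt: str) -> str:
    """sha2(concat(password, salt), 256): 64 lowercase hex chars, as MySQL returns it.

    The C# side encodes with Encoding.ASCII; UTF-8 yields the same bytes for
    ASCII passwords, which is what the game client sends.
    """
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def new_salt() -> str:
    """10 hex chars, the same shape as SUBSTRING(MD5(RAND()), -10) in the trigger,
    but drawn from a CSPRNG rather than MySQL's RAND()."""
    return secrets.token_hex(5)


def verify_login(submitted: str, stored_hash: Optional[str], stored_salt: Optional[str]) -> bool:
    """The check that replaces `if (Password == acc.Password)` in Accounts.cs.

    A migrated row always has both a hash and a salt. NULL in either means the
    migration went wrong (e.g. hashed before salts were back-filled), so refuse
    instead of comparing against nothing.
    """
    if not stored_hash or stored_salt is None:
        return False
    # compare_digest instead of == so the comparison time does not depend on
    # how many leading characters of the guess are right.
    return hmac.compare_digest(hash_password(submitted, stored_salt), stored_hash)


def migrate_accounts(rows: List[Dict[str, Optional[str]]]) -> int:
    """The one-time migration, done in code on rows fetched from `accounts`.

    Rows are dicts with 'password' and 'salt'. Right after ALTER TABLE ... ADD COLUMN
    salt, existing rows have salt None and a plaintext password; only those rows are
    touched. Rows that already carry a salt were migrated earlier, so a second run
    does not hash them again (which would lock the player out). Returns the number
    of rows converted.
    """
    converted = 0
    for row in rows:
        if row["salt"] is None:
            row["salt"] = new_salt()
            row["password"] = hash_password(row["password"], row["salt"])
            converted += 1
    return converted


if __name__ == "__main__":
    # Constructed sample: what a dump of `accounts` looks like before the fix.
    accounts = [
        {"account": "alice", "password": "test", "salt": None},
        {"account": "bob", "password": "test", "salt": None},
    ]
    print("converted:", migrate_accounts(accounts))
    for row in accounts:
        print(row["account"], row["salt"], row["password"])
    # Same password, different salt -> different hash, as the post's two "test" rows show.
    print("same hash for same password:", accounts[0]["password"] == accounts[1]["password"])
    print("alice/test accepted:", verify_login("test", accounts[0]["password"], accounts[0]["salt"]))
    print("alice/wrong accepted:", verify_login("wrong", accounts[0]["password"], accounts[0]["salt"]))
    print("second run converts:", migrate_accounts(accounts))
```

The value for password 123 with salt 123 that comes up later in the thread is a handy fixture: hash_password("123", "123") must produce 96cae35ce8a9b0244178bf28e4966c2ce1b8385723a96a6b838858cdd6ca0a1e, and if your C# or SQL side disagrees with that, the concatenation order or the hex casing is off, not the hashing.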
01/15/2022, 12:55   #2   Ultimation (joined Mar 2005)
Nice post. However, a lot of private servers out there all use the same account server that they buy/download; the author of the account server would need to release an update to support checking the SHA password server side.

Also this would not work with the SRP implementation since you need to be able to decrypt the password server side from the database to do the validation.
01/15/2022, 14:33   #3   Soulfly25 (joined Mar 2006)
Wow!
01/15/2022, 20:06   #4   Spirited
Quote (Originally Posted by Ultimation):
Nice post. However, a lot of private servers out there all use the same account server that they buy/download; the author of the account server would need to release an update to support checking the SHA password server side.

Also this would not work with the SRP implementation since you need to be able to decrypt the password server side from the database to do the validation.
This isn't going to solve itself over night. I'm not expecting this to fix every account server, either. If it fixes one or two, or somehow gets passed along for a reused source, then I'll be happy. Also... If you were working with SRP6 (which nobody is), then this wouldn't even be a problem. You'd hopefully be storing the player's password verifier, and not computing that every single time.
01/25/2022, 17:04   #5   DarkShroud (joined Nov 2019)
Thanks for your release. I'm currently learning some programming stuff and your releases are motivational. I'm still a noob, but I appreciate your releases like the Phoenix Project.
01/25/2022, 21:15   #6   Spirited
Quote (Originally Posted by DarkShroud):
Thanks for your release. I'm currently learning some programming stuff and your releases are motivational. I'm still a noob, but I appreciate your releases like the Phoenix Project.
Thanks for the kind remarks. Phoenix is super old though. You can find my recent projects in my signature, if you're interested. I wrote Phoenix in my second or third year of programming, I think?
01/26/2022, 15:25   #7   iBotx (joined Sep 2014)
This post should've been posted like 5 years ago. Anyway, it's good for rookies, but at the end of the day only 1% of the community is going to use this.
11/12/2022, 03:32   #8   LepEatWorld (joined Apr 2017)
Old thread but hoping I could get some help.
Currently trying to gather some information from this, but I guess it doesn't seem to sync in my brain correctly.

Password: 123
Salt: 123
Hashed:
Code:
96cae35ce8a9b0244178bf28e4966c2ce1b8385723a96a6b838858cdd6ca0a1e
Redux Login Server, DbAccount and DbAccount xml file: (screenshots not preserved)

I'm getting the password incorrectly when I try to log in... is there something I'm doing wrong or am I missing something?
11/12/2022, 19:55   #9   Spirited
Quote (Originally Posted by LepEatWorld):
Old thread but hoping I could get some help.
Currently trying to gather some information from this, but I guess it doesn't seem to sync in my brain correctly.

Password: 123
Salt: 123
Hashed:
Code:
96cae35ce8a9b0244178bf28e4966c2ce1b8385723a96a6b838858cdd6ca0a1e
Redux Login Server, DbAccount and DbAccount xml file: (screenshots not preserved)

I'm getting the password incorrectly when I try to log in... is there something I'm doing wrong or am I missing something?
It doesn't look like you're referencing the packet's encrypted password.
11/12/2022, 21:49   #10   LepEatWorld
Quote (Originally Posted by Spirited):
It doesn't look like you're referencing the packet's encrypted password.
You're right, I'm blind xD. Thanks for pointing that out. Got it now.

Edit: Was having another issue but figured it out as well, all good.