[Release] Fix for protecting your passwords! (BlizzardCO)

Discussion on [Release] Fix for protecting your passwords! (BlizzardCO) within the CO2 PServer Guides & Releases forum part of the CO2 Private Server category.

#1

What is this?

This is protection for your server! It's easy to accidentally leave an exploit in your website (SQL injection) or give access away to bad people who can get a dump of all your accounts! This fix doesn't help prevent the above, but it does protect you and your players by replacing your passwords with secure hashes. That way if your database is ever leaked, the passwords are useless!

How does it work?

A hash is like one-way encryption. Once hashed, you can't un-hash it! This tutorial goes a step further and also "salts" your hashes (protecting you against dictionary attacks, and making the same password for different accounts have different hashes). Here's how the password "test" would look in your database for two different accounts:

Code:
23d627df5a2b0bf4ac9c8a083214c8c286df4191b792472fce3662a3368fc832
cf58ee9a4632ad82bdecb0515aedec249b38f5353c2eefdf2447b6f20ed70851

Who is this for?

I made this fix for BlizzardCO sources, but this is for everyone you can share it with! Make your own tutorials on how to do this for other sources, or ask me for a tutorial. Share it with everyone you know who uses these sources!

How do I fix my source?

Just follow the steps below:
  1. Turn off your server and website, and make a backup of everything!
  2. Open Navicat or MySQL Workbench and run the following queries:

    Code:
    ALTER TABLE `accounts` 
    ADD COLUMN `salt` VARCHAR(45) NULL AFTER `password`;
    
    DROP TRIGGER IF EXISTS `accounts_salt_password_insert`;
    
    -- New accounts: give each row its own random salt and store
    -- sha256(password || salt) as 64 lowercase hex characters.
    DELIMITER $$
    CREATE DEFINER = CURRENT_USER TRIGGER `accounts_salt_password_insert` BEFORE INSERT ON `accounts` FOR EACH ROW
    BEGIN
        SET NEW.salt = SUBSTRING(MD5(RAND()), -10);
        SET NEW.password = sha2(concat(NEW.password, NEW.salt), 256);
    END$$
    DELIMITER ;
    
    DROP TRIGGER IF EXISTS `accounts_salt_password_update`;
    
    -- Password changes: hash the new plaintext with the row's existing salt.
    -- A row with no salt yet (created before this fix) still holds a plaintext
    -- password, so it is salted and hashed the first time it is updated, whatever
    -- column the update touched. Step 3 relies on this to convert the existing
    -- accounts; because the salt is checked first, nothing is ever hashed twice.
    -- (Without this branch, concat(password, NULL) is NULL and step 3 would blank
    -- every existing password.)
    DELIMITER $$
    CREATE DEFINER = CURRENT_USER TRIGGER `accounts_salt_password_update` BEFORE UPDATE ON `accounts` FOR EACH ROW
    BEGIN
        IF OLD.salt IS NULL THEN
            SET NEW.salt = SUBSTRING(MD5(RAND()), -10);
            SET NEW.password = sha2(concat(NEW.password, NEW.salt), 256);
        ELSEIF NEW.password <> OLD.password THEN
            SET NEW.password = sha2(concat(NEW.password, NEW.salt), 256);
        END IF;
    END$$
    DELIMITER ;
  3. Make sure to run this query only once:

    Code:
    -- Existing rows have no salt, so this fires the update trigger for each of them (rows already salted are skipped).
    UPDATE accounts SET password = password WHERE salt IS NULL;
  4. Now open your server source in Visual Studio. In Database/Accounts.cs, add "Salt" to initializers:

    Code:
    public string Account, Password, Character, Status, Salt;
  5. In the same file, find...
    Code:
    acc.Password = reader["Password"].ToString();
    And add this under it:
    Code:
    acc.Salt = reader["Salt"].ToString();
  6. Add this to the top of the file:
    Code:
    using System.Security.Cryptography;
    using System.Text; // Encoding, used in step 7
  7. Finally, replace ...
    Code:
    if (Password == (acc.Password))
    With...
    Code:
    // Recompute sha256(password || salt) exactly as the MySQL trigger stored it,
    // then compare the lowercase hex digest with the column value.
    // Encoding.ASCII only agrees with what MySQL hashed for ASCII passwords;
    // if players use other characters, use the encoding of your password
    // column instead (Encoding.UTF8 for a utf8 column).
    byte[] hashedBytes;
    using (SHA256Managed sha2 = new SHA256Managed())
        hashedBytes = sha2.ComputeHash(Encoding.ASCII.GetBytes(Password + acc.Salt));
    
    string hashedPassword = BitConverter.ToString(hashedBytes).Replace("-", string.Empty).ToLower();
    if (hashedPassword == acc.Password)
  8. Build your server and start everything back up!

Troubleshooting

If you get an error saying your password column isn't long enough, you can run the following command to change the size of your column:

Code:
-- sha2(..., 256) produces 64 hex characters; the column must hold at least that many.
ALTER TABLE `accounts` 
CHANGE COLUMN `password` `password` NVARCHAR(70) NULL DEFAULT NULL;
If you have any problems changing the files and tables above, just let me know. Cheers!
Spirited
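The salting, the two triggers, the one-off migration and the login check described in the post, modelled in Python as an added example; this is not code from the post or from the BlizzardCO source. An in-memory list of dicts stands in for the `accounts` table, the two `before_*` functions mirror what the MySQL BEFORE INSERT / BEFORE UPDATE triggers do, and the salt comes from `secrets` rather than MD5(RAND()); the field names `name` and `status` and the sample rows are constructed for the demo. It also makes explicit two points the C# check above leaves implicit: the bytes hashed on the server must be the same bytes the database hashed (.NET's Encoding.ASCII turns every non-ASCII character into '?', so distinct passwords collide), and the comparison is done in constant time with hmac.compare_digest.

```python
"""Salted SHA-256 account storage and login check, modelled on the fix above."""
import hashlib
import hmac
import secrets

# The MySQL trigger uses SUBSTRING(MD5(RAND()), -10): ten hex characters.
# secrets.token_hex(5) yields the same shape from the OS CSPRNG.
SALT_HEX_CHARS = 10


def new_salt() -> str:
    """Per-account random salt, same width as the trigger's."""
    return secrets.token_hex(SALT_HEX_CHARS // 2)


def hash_password(password: str, salt: str, encoding: str = "utf-8") -> str:
    """sha256(password || salt) as 64 lowercase hex chars: what MySQL's
    sha2(concat(password, salt), 256) stores and what the C# check compares.
    'ascii' mimics .NET Encoding.ASCII, which maps non-ASCII characters to '?'."""
    errors = "replace" if encoding == "ascii" else "strict"
    return hashlib.sha256((password + salt).encode(encoding, errors)).hexdigest()


def before_insert(row: dict) -> dict:
    """BEFORE INSERT trigger: every new row gets a salt and a hash."""
    row["salt"] = new_salt()
    row["password"] = hash_password(row["password"], row["salt"])
    return row


def before_update(old: dict, new: dict) -> dict:
    """BEFORE UPDATE trigger. No salt means a pre-fix row still holding
    plaintext: salt and hash it now. Otherwise hash only when the password
    column changed, so a stored hash written back unchanged is never re-hashed."""
    if old["salt"] is None:
        new["salt"] = new_salt()
        new["password"] = hash_password(new["password"], new["salt"])
    elif new["password"] != old["password"]:
        new["password"] = hash_password(new["password"], new["salt"])
    return new


def apply_update(table: list, name: str, **changes) -> dict:
    """UPDATE accounts SET ... WHERE name = ?, running the trigger on the row."""
    row = next(r for r in table if r["name"] == name)
    row.update(before_update(dict(row), dict(row, **changes)))
    return row


def migrate_legacy(table: list) -> int:
    """UPDATE accounts SET password = password WHERE salt IS NULL: touching each
    unsalted row lets the trigger salt and hash it. Returns rows converted (0 on
    a second run)."""
    legacy = [r["name"] for r in table if r["salt"] is None]
    for name in legacy:
        apply_update(table, name)
    return len(legacy)


def verify(row: dict, password: str) -> bool:
    """Login check: recompute the hash and compare in constant time.
    A row that was never migrated is rejected rather than compared as plaintext."""
    if row["salt"] is None:
        return False
    return hmac.compare_digest(hash_password(password, row["salt"]), row["password"])


def ascii_collision(salt: str = "0123456789") -> bool:
    """Under ASCII-with-'?' 'pässword' and 'p?ssword' hash identically; UTF-8 keeps them apart."""
    a = hash_password("pässword", salt, "ascii")
    b = hash_password("p?ssword", salt, "ascii")
    return a == b and a != hash_password("pässword", salt)


def demo() -> dict:
    # Constructed sample table: two pre-fix rows (plaintext password, no salt).
    table = [
        {"name": "alice", "password": "test", "salt": None},
        {"name": "bob", "password": "test", "salt": None},
    ]
    first = migrate_legacy(table)
    second = migrate_legacy(table)                      # nothing left to convert
    table.append(before_insert({"name": "carol", "password": "test", "salt": None}))
    bob_hash = table[1]["password"]
    apply_update(table, "bob", status="banned")         # unrelated column: hash untouched
    apply_update(table, "alice", password="new-pass")   # website password change
    return {
        "migrated": (first, second),
        "distinct_hashes_for_test": len({table[1]["password"], table[2]["password"]}),
        "bob_hash_stable": table[1]["password"] == bob_hash,
        "logins": (verify(table[0], "new-pass"), verify(table[1], "test"), verify(table[2], "test")),
        "rejected": (verify(table[0], "test"), verify(table[1], "Test")),
        "hash_len": len(table[2]["password"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the migration count, the two different hashes for the same password "test", and the accepted and rejected logins. The trigger functions are only a model of the SQL above; the statements to actually run against MySQL are the ones in steps 2 and 3.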
#2 - 01/15/2022, 12:55
Nice post. However, a lot of private servers out there all use the same account server that they buy/download; the author of the account server would need to release an update to support checking the SHA password server side.

Also, this would not work with the SRP implementation, since you need to be able to decrypt the password server side from the database to do the validation.
Ultimation
#3 - 01/15/2022, 14:33
Wow!
Soulfly25
#4 - 01/15/2022, 20:06
Quote: Originally Posted by Ultimation
Nice post. However, a lot of private servers out there all use the same account server that they buy/download; the author of the account server would need to release an update to support checking the SHA password server side.

Also, this would not work with the SRP implementation, since you need to be able to decrypt the password server side from the database to do the validation.
This isn't going to solve itself overnight. I'm not expecting this to fix every account server, either. If it fixes one or two, or somehow gets passed along for a reused source, then I'll be happy. Also... If you were working with SRP6 (which nobody is), then this wouldn't even be a problem. You'd hopefully be storing the player's password verifier, and not computing that every single time.
Spirited