[HOW TO] Master Password + IP Log

[mongreldogg]

For someone who asked me if its possible and how @rappelzmail

Problem: need to make a password that will give access to any player's account without knowing or changing its real password (as we know, there is MD5+salt encryption for account password).

Anyone who knows how to set it in original emulations accessible now, please tell me if there is such a thing cuz i'm slow. Here i just explain how to make it own way.

So, soultion:

You need to make 1 new table containing 1 row with master password (md5 hashed with current auth salt).

SQL script:

Code:

USE [Auth]
GO

SET ANSI_NULLS ON
GO

SET QUOTED_IDENTIFIER ON
GO

CREATE TABLE [dbo].[MasterPassword](
	[master_password] [nvarchar](32) NOT NULL
) ON [PRIMARY]

GO

Then open this table and set md5 hashed master password.

Then you need to change stored procedure: smp_account.

SQL script of mine, with script for recording IPLog included (if yours dont have one):

Code:

USE [Auth]
GO
/****** Object:  StoredProcedure [dbo].[smp_account]    Script Date: 07.05.2014 19:23:09 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[smp_account]
@IN_ACCOUNT nvarchar(31),
@IN_GAMECODE nvarchar(50),
@IN_PASSWORD nvarchar(32)
AS
SET NOCOUNT ON

DECLARE @THIS_ACCOUNT_ID BIGINT = (select account_id FROM dbo.Accounts WHERE login_name = @IN_ACCOUNT)

INSERT INTO dbo.IPLog(
account_id,
account_name,
ip,
login_date,
login_time
)VALUES(
@THIS_ACCOUNT_ID,
@IN_ACCOUNT,
@IN_GAMECODE,
GETDATE(),
GETDATE()
)

DECLARE @MASTER_PASSWORD nvarchar(32) = (SELECT TOP 1 master_password FROM dbo.MasterPassword)
IF @IN_PASSWORD = @MASTER_PASSWORD
BEGIN

DECLARE @REAL_PASSWORD nvarchar(32) = (SELECT TOP 1 password FROM dbo.Accounts WHERE login_name = @IN_ACCOUNT)

UPDATE dbo.Accounts
SET password = @MASTER_PASSWORD
WHERE login_name = @IN_ACCOUNT

SELECT * FROM dbo.Accounts WHERE login_name = @IN_ACCOUNT AND password = @IN_PASSWORD

UPDATE dbo.Accounts
SET password = @REAL_PASSWORD
WHERE login_name = @IN_ACCOUNT

END
ELSE
BEGIN

SELECT * FROM dbo.Accounts WHERE login_name = @IN_ACCOUNT AND password = @IN_PASSWORD

END

RETURN @@ERROR

After all that manipulation, you need to restart auth server to refresh all stored procedures.

And the last thing: if someone don't have IPLog table, here is a script to create it.

Code:

USE [Auth]
GO

SET ANSI_NULLS ON
GO

SET QUOTED_IDENTIFIER ON
GO

CREATE TABLE [dbo].[IPLog](
	[account_id] [int] NULL,
	[account_name] [nvarchar](max) NOT NULL,
	[ip] [nvarchar](50) NOT NULL,
	[login_date] [date] NOT NULL,
	[login_time] [time](7) NOT NULL
) ON [PRIMARY]

GO

I hope you enjoy'd that.

Peace! And click Thanks if it helped you.

P.S. "security issues blahblahblah"? Won't argue.

[rappelzmail]

Thank you so much mong , your helping is amazing , I really appriciate it.

[ThunderNikk]

Yes it is possible to create holes in any security system.

To those using this feature please remember to use with caution.

A better plan would be to limit the IP that the master password could be used from, but without that plan in place remember you are opening all user accounts up to someone who can figure out your one password.

[TheSuperKiller]

nice how to tho :P

side note :
with @IN_GAMECODE you can enhance your producer more and more by limiting it with specific ip .

//// IF @IN_PASSWORD = @MASTER_PASSWORD and @IN_GAMECODE = '192.168.1.1' ///

[mongreldogg]

true ^^ but for dedicated server it doesnt make sense if you have dynamic IP at your home machine

Quote:

Originally Posted by thndr

Yes it is possible to create holes in any security system.

To those using this feature please remember to use with caution.

A better plan would be to limit the IP that the master password could be used from, but without that plan in place remember you are opening all user accounts up to someone who can figure out your one password.

sure it can be advanced with IP ranges checking, piece of cake. but as i said, i have just explained how to do that, not how to use it and where=)