Disabling password salting

Results 1 to 4 of 4
  1. 09-06-14 #1
    ThomasE
    Enthusiast ThomasE is offline
    MemberRank
    Jul 2013 Join Date
    North SwedenLocation
    39Posts

    Disabling password salting

    Hey people,

    I'm fairly new to work with encryptions and so, I have managed to create a working register system encrypted with SHA1, where I also am able to log in to the account on the website - until I have logged in ingame, for the first time. MapleStory is creating a salt for the password.

    I thought that the simpliest way to solve this is probably to somehow disable the function that creates a salt for the password, and make MapleStory use SHA1 without salt instead.

    Now, I would need direction to where I should look in the source (GMS v62) to be able to continue. I have found LoginCrypto.java, but I can't seem to understand where these functions are being executed from. Would be appreciated if anyone could help me further with this!

    Thanks in advance!
    Last edited by ThomasE; 09-06-14 at 03:35 AM.
    Reply With Quote Reply With Quote
  2. Check out our sponsor
    Disabling password salting
  3. 10-06-14 #2
    ThomasE
    Enthusiast ThomasE is offline
    MemberRank
    Jul 2013 Join Date
    North SwedenLocation
    39Posts

    Re: Disabling password salting

    Bump!
    Reply With Quote Reply With Quote
  4. 11-06-14 #3
    Fraysa
    I'm overrated. Fraysa is offline
    MemberRank
    Apr 2008 Join Date
    4,891Posts

    Re: Disabling password salting

    Simply remove everything that has to do with it (mostly loading/saving). When you receive the login packet, encrypt the received password using SHA1 and compare it to the one you loaded from the database. If they match, it's a success. I don't suggest removing salt, it provides another "wall" of security, your choice though.
    Reply With Quote Reply With Quote
  5. 11-06-14 #4
    namazi
    Valued Member namazi is offline
    MemberRank
    Feb 2012 Join Date
    JapanLocation
    133Posts

    Re: Disabling password salting

    I recommend you to rewrite the login() routine in src\client\MapleClient.java .
    SALT is not used with the check by SHA1.

    Code:
                            boolean updatePasswordHash = false;
                        if (LoginCryptoLegacy.isLegacyPassword(passhash) && LoginCryptoLegacy.checkPassword(pwd, passhash)) {
                            loginok = 0;
                            updatePasswordHash = true;
                        } else if (salt == null && LoginCrypto.checkSha1Hash(passhash, pwd)) {
                            loginok = 0;
                            updatePasswordHash = false;  // true => false
                        } else if (LoginCrypto.checkSaltedSha512Hash(passhash, pwd, salt)) {
                            loginok = 0;
                        } else {
                            loggedIn = false;
                            loginok = 4;
                        }
    Reply With Quote Reply With Quote


« Previous Thread | Next Thread »

Advertisement