SHA2 Server auth request

  1. #1
    Swoosh91 (Member, joined Feb 2010, Berlin, 712 posts)

    SHA2 Server auth request

    Hey,

    Does anyone know how to change the auth hash in the server from HMAC MD5 to SHA2 (the alternative authd hashing)?

    Currently the server uses HMAC MD5 for hashing the RC4 key, but I need it to use SHA2. I know where the client does this, but I have no clue about the server. Is there any way to set this in a config file?

    Thanks.

    Edit: Or for that matter, are there any known ways to stop other clients from connecting to your server? I am currently looking at how to change the encryption of the protocol server-wise; I have found the code in the client that does this and have already started changing it a bit. Just the server is giving me a hard time :(

    The goal is to only have my client be able to connect to my server, no other clients.

    Cheers


  2. #2
    das7002 (Member, joined Apr 2010, Earth, 2,188 posts)

    Re: SHA2 Server auth request

    glinkd is the only thing that talks to the client; the rest of the daemons only talk amongst themselves. Authd (pretty obvious name) handles authorization, and since it's Java, go ahead and just javad it (comes with the JDK, Java Decompiler is what it stands for) and then update whatever the register scripts are.

    For blocking clients from connecting, add an iptables drop for everyone but you if the server itself manages the ports, or disable the router's firewall port forwarding.

    Why you would want to do this though is a bit confusing, as MD5 is perfectly fine for this situation. If I was on the PW development team at Wanmei though, I would've used some crazy combination of SHA512 and AES *cough*like I do in PW-Chat*cough* b/c I'm somewhat crazy about security. Just to mention again though, it really, really doesn't matter, as MD5 is plenty secure for the purposes it's used for. As long as there is a salt used, most MD5 rainbow tables can't crack it, and most people don't like attempting brute force by running their machine against it for several days.

    Even as security anal as I am, there really are some things that don't need insane amounts of security (it's like having the entire Air Force guard a little corner country grocery store).

    P.S. The little note about other people's clients not connecting: it really doesn't matter. Other clients don't really give any advantage over your own, and if you are worried about them passing boundaries for zones on the world map, then change the server-side limit, as it doesn't matter whose client they use if the server just bounces them out of there.

  3. #3
    Swoosh91 (Member, joined Feb 2010, Berlin, 712 posts)

    Re: SHA2 Server auth request

    Thanks for your reply!

    What I want to achieve here is that only my special client can connect to my server. As in, my 1.3.6 client and 1.2.8 server would both feature small changes to the login protocol (like the SHA2 auth, for example), so no one can use any other client than mine to connect to my server.

    Is that easily possible?

  4. #4
    das7002 (Member, joined Apr 2010, Earth, 2,188 posts)

    Re: SHA2 Server auth request

    Quote (originally posted by Swoosh91):
        Thanks for your reply!

        What I want to achieve here is that only my special client can connect to my server. As in, my 1.3.6 client and 1.2.8 server would both feature small changes to the login protocol (like the SHA2 auth, for example), so no one can use any other client than mine to connect to my server.

        Is that easily possible?

    I really just want to know why. You seem to have most of the parts required down (as you mentioned, you already know how to do it in the client), and there are server-side ways to protect yourself instead of fiddling with the client, as in client-server development you should never trust the client anyway. Trusting the client is what causes problems. Always, always, always assume the client is lying to you. (Use the guilty-until-proven-innocent mentality when developing client-server anything.)

  5. #5
    Swoosh91 (Member, joined Feb 2010, Berlin, 712 posts)

    Re: SHA2 Server auth request

    Because I have added many things to my client, like WriteProcessMemory() hooking and a CreateRemoteThread guard, an internal thread counter and some other anti-cheat stuff. That's why I want people to use my client, because it stops cheating, and not the normal one.

    I do get your point though, client-side security is bad. It's just another layer of protection, and as long as it's not that hard to change on the server, why not give it a shot :)

  6. #6
    das7002 (Member, joined Apr 2010, Earth, 2,188 posts)

    Re: SHA2 Server auth request

    Quote (originally posted by Swoosh91):
        Because I have added many things to my client, like WriteProcessMemory() hooking and a CreateRemoteThread guard, an internal thread counter and some other anti-cheat stuff. That's why I want people to use my client, because it stops cheating, and not the normal one.

        I do get your point though, client-side security is bad. It's just another layer of protection, and as long as it's not that hard to change on the server, why not give it a shot :)

    Write a daemon for the server that sends an occasional request to the client, and have a client-side program that only runs if your client is running AND connected to the server, which gives a response based on an algorithm given to it. If the server doesn't receive the proper response (provided you make it difficult enough to reverse engineer), they get booted off. That is really the best I can come up with. One of the best ways to get away with hiding it so others can't find it would be to hide it in the client's ASM itself, as you seem to know how to do that.

    There aren't really any client side cheats though, what exactly do you seem to be worried about players doing...?
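
The periodic request and response described in this reply can be sketched as a nonce challenge answered with HMAC-SHA256. This is an added example, not code from the thread or from the server files; the class and function names, the shared key, the session IDs and the 10-second timeout are all assumptions, and HMAC-SHA256 stands in for the unspecified "algorithm".

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 10.0  # assumed: seconds a client has to answer


def client_answer(key: bytes, session_id: str, nonce: bytes) -> bytes:
    """What the modified client computes; the answer is bound to the session."""
    msg = session_id.encode() + b"\x00" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class HeartbeatVerifier:
    """Server side: issues one-time nonces and checks the answers."""

    def __init__(self, shared_key: bytes, clock=time.monotonic):
        self._key = shared_key
        self._clock = clock
        self._pending = {}  # session_id -> (nonce, issued_at)

    def issue(self, session_id: str) -> bytes:
        # A fresh random nonce per request means old answers are useless.
        nonce = secrets.token_bytes(16)
        self._pending[session_id] = (nonce, self._clock())
        return nonce

    def verify(self, session_id: str, response: bytes) -> bool:
        # pop() makes each challenge single-use, so a captured answer
        # cannot be replayed against the same session.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL:
            return False  # answered too late: treat as a failed check
        expected = client_answer(self._key, session_id, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)
```

The key ships inside the client binary, so anyone who extracts it can answer challenges from another program; the check raises the effort required and does not replace validation on the server.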

  7. #7
    Swoosh91 (Member, joined Feb 2010, Berlin, 712 posts)

    Re: SHA2 Server auth request

    People can still jumphack with our serverfiles. All you need is to freeze client jump offset at 0 and people can jump wherever they want.

    This and injecting sendpacket function in order to dupe by buying items from cash shop has been stopped.

    I really like your idea though. I may do it that way :)

    Thanks for your time!
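
The advice earlier in the thread to enforce limits on the server, applied to the jump case in this post: the server bounds airborne height from the last ground contact it verified itself instead of relying on the client's jump counter. This is an added example, not code from the thread or the server files; the terrain lookup, the two-jump limit and the height values are assumptions, and flight is ignored.

```python
from dataclasses import dataclass

MAX_JUMPS = 2          # assumed: jumps the rules allow before landing
RISE_PER_JUMP = 6.0    # assumed: height one jump can add, in world units
GROUND_EPSILON = 0.25  # assumed: slack for "standing on the ground"


@dataclass
class AirState:
    takeoff_z: float   # height of the last server-verified ground contact


class JumpValidator:
    """Bounds airborne height using only data the server controls."""

    def __init__(self, terrain_height):
        # terrain_height(x, y) is the server's own map lookup (hypothetical).
        self._terrain = terrain_height
        self._state = {}

    def accept(self, player_id, x, y, z):
        """Return True if the reported position is reachable by jumping."""
        ground = self._terrain(x, y)
        if z < ground - GROUND_EPSILON:
            return False                     # below the map
        if z <= ground + GROUND_EPSILON:
            # Landed: reset the budget from a height the server verified.
            self._state[player_id] = AirState(takeoff_z=ground)
            return True
        state = self._state.get(player_id)
        if state is None:
            return False                     # airborne with no known takeoff
        ceiling = state.takeoff_z + MAX_JUMPS * RISE_PER_JUMP + GROUND_EPSILON
        # A client with a frozen jump counter keeps rising past this ceiling.
        return z <= ceiling


def replay(validator, player_id, updates):
    """Feed (x, y, z) position updates; return the verdict for each one."""
    return [validator.accept(player_id, *u) for u in updates]
```

A rejected update leaves the stored state untouched, so the server can move the player back to the last accepted position.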

  8. #8
    ivanaivana (Member, joined Oct 2010, Russia, 323 posts)

    Re: SHA2 Server auth request

    use this to stop other clients from connecting to your server, Swoosh91

  9. #9
    Romulan (Member, joined Feb 2009, Belgium, 3,333 posts)

    Re: SHA2 Server auth request

    Quote (originally posted by ivanaivana):
        use this to stop other clients from connecting to your server, Swoosh91

    That's for 1.3.4 client only. This tut doesn't work for 1.3.6 as I could see somewhere here on ragezone.


