Jump to content

Recommended Posts

Posted

Hello everyone;

 

I'm starting in the world of Lineage 2 OFF (interlude) and would like to know some things ... (if you can).

I am developing a panel and I want to create the account for it, but I can not create the user password in the binary value that is needed.

How do I create the user password in the format required to be able to enter the game?

I am using PHP on my panel.

 

Thanks...

Posted

this is not an secure way to make queries in database but in short you check database for username and password since there is no function to verify a password you just check if its the same so you have to recreate it

if you execute the following query it will return the user's data so you can check later if you have a row > 0 you set the session variables and you make the login action

"SELECT * FROM user_auth WHERE account='" . $login . "' AND password=" . encrypt($pass);

about the query to make it safe google prepared statements and how to bind a variable.

 

take from here some ideas

 

Function to encrypt password in PHP

function encrypt($str)
	{
		$key = array ();
		$dst = array ();
		$i = 0;

		$nBytes = strlen($str);
		while ($i < $nBytes)
		{
			$i ++;
			$key[$i] = ord(substr($str, $i - 1, 1));
			$dst[$i] = $key[$i];
		}
		for ($i = 1; $i <= 16; $i ++)
		{
			if (! isset($key[$i]))
			{
				$key[$i] = 0;
			}
			if (! isset($dst[$i]))
			{
				$dst[$i] = 0;
			}
		}

		$rslt = $key[1] + $key[2] * 256 + $key[3] * 65536 + $key[4] * 16777216;
		$one = $rslt * 213119 + 2529077;
		$one = $one - intval($one / 4294967296) * 4294967296;

		$rslt = $key[5] + $key[6] * 256 + $key[7] * 65536 + $key[8] * 16777216;
		$two = $rslt * 213247 + 2529089;
		$two = $two - intval($two / 4294967296) * 4294967296;

		$rslt = $key[9] + $key[10] * 256 + $key[11] * 65536 + $key[12] * 16777216;
		$three = $rslt * 213203 + 2529589;
		$three = $three - intval($three / 4294967296) * 4294967296;

		$rslt = $key[13] + $key[14] * 256 + $key[15] * 65536 + $key[16] * 16777216;
		$four = $rslt * 213821 + 2529997;
		$four = $four - intval($four / 4294967296) * 4294967296;

		$key[1] = $one & 0xFF;
		$key[2] = ($one >> 8) & 0xFF;
		$key[3] = ($one >> 16) & 0xFF;
		$key[4] = ($one >> 24) & 0xFF;

		$key[5] = $two & 0xFF;
		$key[6] = ($two >> 8) & 0xFF;
		$key[7] = ($two >> 16) & 0xFF;
		$key[8] = ($two >> 24) & 0xFF;

		$key[9] = $three & 0xFF;
		$key[10] = ($three >> 8) & 0xFF;
		$key[11] = ($three >> 16) & 0xFF;
		$key[12] = ($three >> 24) & 0xFF;

		$key[13] = $four & 0xFF;
		$key[14] = ($four >> 8) & 0xFF;
		$key[15] = ($four >> 16) & 0xFF;
		$key[16] = ($four >> 24) & 0xFF;

		$dst[1] = $dst[1] ^ $key[1];

		$i = 1;
		while ($i < 16)
		{
			$i ++;
			$dst[$i] = $dst[$i] ^ $dst[$i - 1] ^ $key[$i];
		}

		$i = 0;
		while ($i < 16)
		{
			$i ++;
			if ($dst[$i] == 0)
			{
				$dst[$i] = 102;
			}
		}

		$encrypt = "0x";
		$i = 0;
		while ($i < 16)
		{
			$i ++;
			if ($dst[$i] < 16)
			{
				$encrypt = $encrypt . "0" . dechex($dst[$i]);
			}
			else
			{
				$encrypt = $encrypt . dechex($dst[$i]);
			}
		}
		return $encrypt;
	}

 

Posted (edited)
On 9/17/2019 at 9:27 AM, DenArt Designs said:

"SELECT * FROM user_auth WHERE account='" . $login . "' AND password=" . encrypt($pass);

On 9/17/2019 at 9:27 AM, DenArt Designs said:

this is not an secure way to make queries in database

On 9/18/2019 at 12:20 AM, duartegabriel said:

It worked.

read more about sql injection in google because login can do harm on your database

https://en.wikipedia.org/wiki/SQL_injection

use PDO or if you have old PHP

$login = mysql_real_escape_string($login);

or

$login = preg_replace("/[^a-zA-Z]/", "", $login);// this leaves only letters from a to z + capital

for numbers a-zA-Z0-9

Edited by Nightw0lf
  • 3 weeks later...
Posted

Also, if you can, use hauthd and MD5 passwords. NCsoft hash isn't really cryptographic and can be easily reversed to original password (or different string, but it works too, there are lot of collisions in results of this hashing function) so if anybody manages to steal your database, they'll be able to get passwords from it very quickly.

Posted
7 hours ago, eressea said:

Also, if you can, use hauthd and MD5 passwords. NCsoft hash isn't really cryptographic and can be easily reversed to original password (or different string, but it works too, there are lot of collisions in results of this hashing function) so if anybody manages to steal your database, they'll be able to get passwords from it very quickly.

 

intval(10 / 3)

 

reverse 3*3 = 10  good

Posted
23 hours ago, eressea said:

so if anybody manages to steal your database

depends on the permissions you give and the connection method you use (ofc how bad/old is the code).

PDO's hard to get pass through, proper sanitize, know what to expect on data but most panels have holes because creators never sanitize properly, few know how to make it but nobody does it.

15 hours ago, guytis said:

 

intval(10 / 3)

 

reverse 3*3 = 10  good

in case we have a password 123456789 yes its perfect

in case we have a password abc1234 you have a big error

your commend is not valid in any possible way regarding lineage or user/pass protection.

Posted
1 hour ago, Nightw0lf said:

depends on the permissions you give and the connection method you use (ofc how bad/old is the code).

PDO's hard to get pass through, proper sanitize, know what to expect on data but most panels have holes because creators never sanitize properly, few know how to make it but nobody does it.

in case we have a password 123456789 yes its perfect

in case we have a password abc1234 you have a big error

your commend is not valid in any possible way regarding lineage or user/pass protection.

its logic 3 * 3 not 10
its sarcasm...

Posted (edited)
1 hour ago, guytis said:

its logic 3 * 3 not 10
its sarcasm...

if you think that with this commend I meant that 3*3 = 10 you must be really stupid, prove me wrong with your full thought behind " intval " and "reverse check"

when i type my password: %$1'"53"(51)_$'hackcommand

Edited by Nightw0lf
Posted
On 10/10/2019 at 6:38 AM, Nightw0lf said:

if you think that with this commend I meant that 3*3 = 10 you must be really stupid, prove me wrong with your full thought behind " intval " and "reverse check"

when i type my password: %$1'"53"(51)_$'hackcommand

i say

 

int A =10;

int Z = inval(A / 3 );

int U = Z x 3;

 

//U === 9

 

If you think I'm wrong, grab a book first.
Donkey

Posted
1 hour ago, guytis said:

i say

 

int A =10;

int Z = inval(A / 3 );

int U = Z x 3;

 

//U === 9

 

If you think I'm wrong, grab a book first.
Donkey

Best sanitize of the year award goes to you.

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



  • Posts

    • L2 DEVS - HTML DESIGN (ALL NPC'S)    
    • I only share for free what they are reselling 🙂 You keep crying in all the publications, and if you are looking for h5 or gd wait for 5 or 6 years... cheers.... GENERAL Cached Extended to 8192kb IOBuffer Hair2SlotCache ItemBidAuctioner Clan Hall Current Olympiad Season Rank pages System (Shows Points/Games - Fully Configurable) Automatic Flag Around Raidboss System Offline Shop & Buffers Restore After Restart (Fixed location) Offline Buffer System PvP Auto Announce System Rebuilt with Extra Addons (Fully Configurable, Name, Zones, Rewards) Automatic Announce System Rebuilt with Extra Addons (Fully Configurable) ALT+B Augmentation House Shift+Click Droplist/Spoil List Epic Items Rank RB points Rank ChangeColorName ChangeColorTitle Change Skin (Race) Change Gender Custom Subclass (Acumulative) Achievements Item Delivery System  Augmentations/Enchants Automatic Announce System Auto Learn Skills PvP Reward Pk Reward War Reward Scheme buffer GlobalChatTrade Trade Augment Items Castle Announce Time Castle Standby Time Fix Spiritshots delay SpellbooksDrop Enable/Disable Drop custom Fully configurable, lvl min max allmobs, allrb, individual New cancel effect min,max BlessedarmorEnchantRate BlessedmagicWeaponEnchantRate BlessednormalWeaponEnchantRate MaxSlosChars MaxSlotsDwarfs Enable or disable all commands Fix fast loading npc OlympiadRestoreStatsOnFightStart OlympiadSystemSecondTimeEnabled OlympiadEnterLast10Minute OlympiadThirdClassSummons MinLevelTrade AnnounceSubClassMsg1 AnnounceSubClassMsg2 AnnounceSubClassMsg3 LimitedSubClassRace NoSellItems Change ID SealStones for AA NoPrivateBuyItems NoDropPlayerOnDie DisableSkillEnchantData Show Level Mobs Show npc clan flag DespawnSummonEnBattle SummonPetEnBattle RideSummonPetEnBattle DitanceToTargetMove EnterWorld_Undying EnterWorld_UnHide BlockWhispMessagePlayerToGM UseItemsWithHide CriticalSkillDamageBonusPer=4.0 Disable SSQSystem OnCastle Siege End Use any dyes Buy halls directly in auctioneer without waiting for the auction, configuration to change the item you consume MensajeEnterWorldServer Command .hero enable/disable hero aura Config vip global chat character, chat by systemsg Soulshots: NoSendSystemMessageUse Panel //admin Global vote reward Agathions system Anti Interface, control all patch files by md5 Command .menu configurable, last restart, name, maxusers, privatestores Spawn protection activate deactivate consume items to activate  Activate or deactivate autoloot for vip characters EVENTS Happy Hour Event reworked Configurable by announcements or systemsg Team VS Team Capture The Flag Death Match Last Man Standing Destroy The Base Korean Style Castle Siege Check if the player is inside the tvt event due to disconnection/critical error Top 1/5 killer reward/announce TimeAfk ResetReuseSkills ResetBuffsOnFinish Firework effect Reward win/lost Add Team Location Title custom Red/blue Open Door/Wall System BalanceBishops Show kills in title Invest positions Show Death To Top Delete Non-Subclass Skills     RELOADS Reload Enterworld Html Option Reload Faction System Reload Donate Shop Reload OfflineBuffer Reload Champion NPC Reload CliExt Reload AntiBot Reload Vip System Reload Auction Reload AutoLoot Reload CastleSiegeManager Reload CharacterLock Reload ClanPvPStatus Reload AutoLearn Reload ClanReputationRank Reload ClanSystem Reload CreatureAction Reload Customs.ini Reload L2server.ini Reload SkillData.txt Reload doordata.txt Reload decodata.txt Reload Multisell Reload DropList   Extender tested for more than 3 years. Assured stability. Possibility of adding MOD's upon request. (Not included, consult).
    • some peoples trash is another mans treasure, is that your treasure?   people might like the content but you are still the rat in the room     thats the community judging you.  
    • Keep reselling what I publish here for free!!! 🙂 GG  
  • Topics

×
×
  • Create New...