  1. Default


    There's really no point in doing that, the hacker might have access to the database and modify your password and such.
    Similar to MSEA, a few cases of people having their password changed and account hacked.

  2. Default


    Zakum, the point is that even if they have the password, they cannot enter your account as it is impossible to type special characters in the password, hence protecting your account.

  3. Default


    ^I think he means change it inside the database itself, which doesn't require you to log on.

    I guess Nexon hates me or something, because I still haven't got a new password (I've tried each day). Even the "request ID" function doesn't seem to work, it says it sent an e-mail but my mailbox is still empty (on the same e-mail as I entered at the site). I guess I'm going to make a new account and spam tickets or something.

    EDIT: Oh wow, I guess I should never go somewhere else when my hotmail is logged on, because my sister just came in and I told her about this, then she said that she changed my spam settings a few days ago (while I changed them the day before that, so I thought they still were the same). She set the thing to "almost everything is spam and delete it right away". Siblings are awesome right?
    Last edited by HurrycaneX; 2010-01-22 at 02:17 AM.

  4. Default


    did you check your spam folder^

  5. Water

    IGN: MysticHLE
    Server: Broa
    Level: 18x
    Job: Paladin
    Guild: VincitOmnia
    Alliance: Sonata
    usa

    Default


    They'd be deleted right away. lol

  6. Default


    I bet you didn't get what I am saying.

  7. Default


    Yes I didn't. I am an idiot.

  8. Default


    I don't know if that reply was out of sarcasm or anything... But don't pick a fight.

    On-topic, I can't believe I found this thread only now although it's been stickied for quite long already. Brilliant idea, Spidey. Anyone know if this works for MSEA as well?

  9. Default


    HackShield protects from pasting in MS; so you could 1. packet edit; 2. strip hackshield (and then you won't get past charselect); 3. modify the textbox value using an undetected cheat engine (since HackShield aka FalsePositiveShield), though this is very hard

    Then again if the hackers still have write access to the DB, they can just modify the password directly.

    MSSQL sucks.

  10. Default


    It might be a wild guess, but I'm pretty sure you can log in even after changing to such passwords if you divide the unicode character into the two ASCII characters it's made of.
    Last edited by Kortestanov; 2010-02-04 at 03:22 PM.

  11. Default


    How do you know which two ISCII characters correspond to it? So I can test this.

  12. Default


    If you can get the 4 digit hex version (eg. U+266C "Beamed Sixteenth Notes": ♬ ) then you look up the UTF-8 conversion chart to go from a U+#### to 1~4 bytes.

    In this case, it's in the range U+0800–U+FFFF
    (2,048 to 65,535)
    Wikipedia provides the conversion to bytes:
    1110yyyy 10yyyyxx 10xxxxxx

    Since 0x266C is 0010 0110 0110 1100
    You end up with
    11100010 10011001 10101100
    Which in 8-bit (note: ascii characters never start with 1, this is ansi 8840 or something) is characters 226, 153, 172: ♬

    So if you go in and tried alt+0226 alt+0153 alt+0172 you should be able to enter the sixteenth note character.

    If your password is 12 unicode characters, it's probably not going to work as expected - if Nexon is truncating to 12 bytes as the password before hashing, it'll just require you to enter the first 12 bytes of your password, if they're hashing the whole thing then there's actually no way to enter your password (except through hash collisions with something under 12 characters).
    Last edited by Stereo; 2010-02-04 at 03:19 PM.
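
The bit-packing and the 12-byte truncation case from the post above, as an added example that is not part of the original thread. The 12-byte limit is the post's own hypothesis; SHA-256 is a stand-in hash and the function names are assumptions. The encoder covers every UTF-8 range, not only U+0800–U+FFFF.

```python
import hashlib

MAX_BYTES = 12  # assumption taken from the post: only 12 bytes are kept


def utf8_encode(cp: int) -> bytes:
    """Encode one code point by hand using the UTF-8 bit layouts."""
    if cp < 0x80:                                   # 0xxxxxxx
        return bytes([cp])
    if cp < 0x800:                                  # 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if 0xD800 <= cp <= 0xDFFF:
        raise ValueError("surrogate code points have no UTF-8 form")
    if cp < 0x10000:                                # 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (cp >> 12),
                      0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    if cp <= 0x10FFFF:                              # 11110xxx + three 10xxxxxx
        return bytes([0xF0 | (cp >> 18),
                      0x80 | ((cp >> 12) & 0x3F),
                      0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    raise ValueError("beyond U+10FFFF")


def password_bytes(password: str) -> bytes:
    return b"".join(utf8_encode(ord(ch)) for ch in password)


def stored_digest(password: str, truncate: bool) -> str:
    """Digest a server would store; SHA-256 is a stand-in hash."""
    raw = password_bytes(password)
    return hashlib.sha256(raw[:MAX_BYTES] if truncate else raw).hexdigest()


def cut_splits_character(password: str) -> bool:
    """True when the 12-byte cut lands inside a multi-byte character."""
    try:
        password_bytes(password)[:MAX_BYTES].decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


if __name__ == "__main__":
    note = "\u266c"  # the post's example character, U+266C
    print(list(utf8_encode(0x266C)))
    print(stored_digest(note * 12, True) == stored_digest(note * 4, True))
    print(cut_splits_character("aaaa11111x" + note))  # constructed sample
```

With truncation, twelve three-byte characters collapse to the first four, so the stored secret is much shorter than it looks; a cut that lands mid-character leaves bytes that are not valid UTF-8 at all.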

  13. Default


    I don't really know how Nexon stores the passwords (unicode, UTF-8, etc) and if they encode the whole password as unicode or just the letter, so it's hard to say. The hackers, on the other hand, have direct access to the hashes. So in case the unicode characters can really be divided into regular characters, they will find out when they try to crack the hash.

    That's true, but as we all know, protecting against hash collisions never was MD5's strong side.

    Isn't it also possible that the hackers can get your birth date through the same exploit?

    EDIT: mistakenly wrote ISCII instead of ASCII. Lol.
    Last edited by Kortestanov; 2010-02-04 at 03:22 PM.

  14. Default


    I noticed somebody on the SW thread stated that passwords with special chars actually do work on the Nexon Forum login.
    I verified this on my throwaway test account.
    I changed the password to something of the form 'aaaa1111x', where x is a special character created using ALT+169, and shows up as the copyright symbol in wordpad, but as ⌐ here.
    I was able to successfully sign up and log into the Nexon forum by right-click pasting this password.
    The fact that the password works anywhere proves that at least for special characters created using the ALT+1xx method, the characters are not truncated or modified before being hashed and stored. (*)
    Of course, as expected, the password does not work at the main nexon.net login (even though right-click pasting normally works there), nor on the game (even though CTRL-V pasting normally works there).
    For me, this proves the validity of this method.

    Edit:
    I don't know if this has been mentioned, but normally when you enter an incorrect password (with or without special characters) at the main .net login, it tells you wrong password. But if you paste in the correct password with special character, it does not say wrong password, but just reverts to the previous page. So it seems like the main login also recognizes the special password, but still does not let you in. I suppose there is a slight worry that hackers could find a way around this if they know more about how these things work than the rest of us.

    (*) Unless the forum login script pre-modifies the special characters in the same way as the password change page script does, but other login pages do not act the same.
    Last edited by MissingLink; 2010-02-06 at 11:09 AM.

  15. Default


    I'm pretty sure you have a confusion there, Alt+0169 is the " © " copyright symbol (which is, by the way, not a special unicode character. It's ANSI 169, or 0xA9 if you like to be hexadecimal). Alt+169 is that weird " ⌐ " symbol, and that one really is a special unicode character.
    Last edited by Kortestanov; 2010-02-13 at 02:43 AM.
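
The Alt+169 versus Alt+0169 distinction discussed above, and the Alt+0226 / Alt+0153 / Alt+0172 byte sequence from the earlier post, as an added example that is not part of the original thread. It assumes a US-English Windows setup (OEM code page 437, ANSI code page 1252); the function names are hypothetical.

```python
OEM, ANSI = "cp437", "cp1252"  # assumption: US-English Windows code pages


def alt_code(digits: str) -> str:
    """Character produced by holding Alt and typing digits on the keypad."""
    value = int(digits)
    if not 32 <= value <= 255:
        raise ValueError("only codes 32-255 are modelled here")
    # A leading zero selects the ANSI code page, otherwise the OEM one.
    # Bytes that cp1252 leaves undefined raise UnicodeDecodeError.
    codec = ANSI if digits.startswith("0") else OEM
    return bytes([value]).decode(codec)


def encodings_of(ch: str) -> dict:
    """Hex bytes of one character under each encoding, None if unencodable."""
    out = {}
    for codec in (OEM, ANSI, "utf-8"):
        try:
            out[codec] = ch.encode(codec).hex()
        except UnicodeEncodeError:
            out[codec] = None
    return out


def retype_as_ansi(codes):
    """Type each byte as an Alt+0nnn code, then read those bytes as UTF-8."""
    typed = "".join(alt_code(c) for c in codes)
    return typed, typed.encode(ANSI).decode("utf-8")


if __name__ == "__main__":
    print(alt_code("169"), alt_code("0169"))
    print(encodings_of(alt_code("169")))
    print(encodings_of(alt_code("0169")))
    print(retype_as_ansi(["0226", "0153", "0172"]))
```

The same key sequence therefore reaches a hash function as different bytes depending on which encoding each login form applies, which is one possible reason a password can be accepted by one form and rejected by another.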

  16. Default


    A friend of mine said this process doesn't work anymore due to recent changes/events. Can anyone confirm/deny?

  17. Default


    I would like to know as well. I will try it as soon as this server check ends (don't want to risk pineappleing up my accounts with all these nexon glitches lately).

  18. Default


    I guess I can try.

    EDIT: F'uck, I can log in the main site with the protected PW: mule1♥34 (Ctrl + V).

    Can't log into the game but darn, this could be a problem.
    Last edited by Kalovale; 2010-03-02 at 10:00 PM.

  19. Default


    Awww. That's too bad.

  20. Default


    Copy/paste log-in credentials

    Log-in successful

    Proceeding to change info


    I wanted to take an SS of me successfully changing the PW back to mule1@34, but forgot to.
