Intriguing......there was at least one hit on Hidden-Street. Anyone wanna send this thread to Maple News?
Oh yeah, and after the 14 days are up, I'd be happy to share with you guys how I created this PIC. Doing so will definitely increase the security of your accounts. :)
The PIC is "special"? O_o I thought this was just some old run of the mill test?
Your birthday isn't secure though. God has/will have it and Bacon claims to have it though he hasn't said anything. Bacon makes a lot of joke posts but based on his overall response to this topic on all forums I would say he was serious. Perhaps you should request he post/PM you it to see if it's right. Of course, without any expected response.
Your argument works for character safety as far as 'guessed' attacks go, but our account and personal safety are still completely worthless. This thread has done a very good job of proving that.
How many PIN/PIC reset requests do you have now? And at what point do you think Nexon should temp ban the account? They have to find it a bit sus that more than 33 people with different IPs have been requesting a PIC change.
This is a key point I think. Most of the account hacks in the past few months did not involve email hacks or changed passwords or PINs, so the assumption is that hackers can (or could) obtain IDs, hashed passwords and PINs from the database, and hacked those accounts that had passwords simple enough to be cracked from the hash. For accounts with strong passwords, it may not matter much whether the PIC is better than PIN or not. What does matter is whether or not hackers can obtain email and birthday and can they access the email.
So the questions I would really like to see definitive answers for from the 'white hats' are these:
1-Can you obtain the registered email just from account ID (or even In-game-name)? (ie, without password)
2-Can you get the date-of birth? (again, without password, and assuming fake birthday not obtainable via google research)
3-Are hotmail accounts and other free email domains really as easy to hack into as many say? (assuming decent password, and not used for any other purpose but for registering the MS account)
There is one way (I think) to avoid the PIC crap.
As I've said a few times before, I'm not sure if Nexon has fixed this exploit, but you can easily write your own client that somehow avoids HackShield's checks and Themida's checks; all it does is trade the mesos away or something. After you accomplish that, grab the charID of bisubuild. Note it down, log in to your own account, and log in to your own character. Then instead of providing the charID of that character, provide the charID of bisubuild. You have full access, since the client disconnects from login and then connects to the channel server after the character is selected. This is quite hard to successfully patch.
One way to patch this would be to only allow certain IPs to connect to certain charIDs (only the IP that selected the character at login can login(channel) into that charID.)
I think he's saying modify the packets(?)/data to enter your PIC for your character, but log into a different character. It checks for a correct PIC of character A, but then you force it to connect to character B?
Just to clear a random misconception: Themida is a PE (portable executable, not packet editor) packager, not an anti-hacking tool. It's the executable equivalent of zipping the binary so it's harder to reverse engineer; it's passive and doesn't "check" anything, it simply obfuscates, or tries to. UnThemida and various other tools can dump the raw executable as readily as from a zip file, too, and leave the application wide open for exploratory reversal.
Actually, it was proven in the past that you could just NOOP past the PIN check and have the pseudo-client skip straight to the world select. The PIC is different in that it occurs further down the chain and prevents access to individual characters instead of the account itself, so it's uncertain whether a modified client could successfully bypass it, or would fail authentication where the PIN did not.
I vaguely remember stripping something from the client (possibly Themida?) would cause you to fail to pass character selection. But thinking it over, no I don't think it's Themida.
Anyway, the only way that you can't send a different character ID and login into bisubuild would be if PIC was sent to the Channelserver, which is (really reaaally) unlikely.
If anyone does code a pseudo-client (all it does would be login, open a trade to some character, wait for trade accept, then put in meso and lock trade, wait for trade finish and exit), they would need to emulate HackShield's heartbeat.
Last edited by AngelSL; 2010-02-16 at 06:40 AM.