| User | Post |
Chuckus
 
   
  
 
 
Since: 07-17-02
Rating: 10 (400 pts)
Since last post: 7619 days
Last activity: 7951 days
|
|
Apparently someone is exploiting a bug in ragnarok where they can easily get access to any GMs account password. Apparently there's a few people aware of this bug and they're passing out the passwords of the GMs accounts (this incident is not limited to iRO according to some people but I have a feeling this is all blown out of proportion. Yesterday, someone was positng on the iRO bbs with Godpoings account. I want to know if there's any validity to these claims and whether or not you think it's possible. This is the only board i know the people on it are not script kiddies  . (i'm not much of a hacker, my frineds are, so I know little things but not much). Do you think there is an exploitable bug that big?
|
Sasami
Goddess in Training
 
Since: 02-18-02
From: Back in texas! YAY! college sucked!
Rating: 10 (1030 pts)
Since last post: 7355 days
Last activity: 7355 days
|
|
| Well, not that i keep up with ragnarok anymore, but from what I do know, all the GM accounts have a set name followed by 2 numbers.. (ex GmAccount01) i cant recall what it is though, so all the GM account names are already known, and you can just try and brute force their passwords, from what I remember hearing frost say once you can run a few thousand.. maybe it was like 10 thousand... passwords a second through their servers easily... *shrugs* i dont see why its not possible. i have seen bigger bugs then that in their system. |
Suzuran
 
Since: 07-22-02
From: Illinois
Since last post: 7535 days
Last activity: 7867 days
|
|
This changed in recent versions of AEGIS.
GM used to be a hard-coded list of accounts, most of them were in the form of
"sergm???" where ??? is numbers. There were exceptions. Recent versions of AEGIS however use the DB to determine who is and isn't a GM. But the GM's special sprites (The magic Christy-Kay sprite) are still based on a hardcoded list of GM AIDs. (Well, not exactly HARDCODED - It's in the client DB).
Even so, unless the server thinks you are a GM, you can't do GM commands even if you send the right packets.
As far as I know, there is no bug to allow easy takeover of GM accounts. Some of the passwords are known because when cRO was hacked, the DB was leaked, and Gravity stores passwords in plaintext.
iRO GM has yet to be hacked. She was faked on Super-Echo (I should know, I did it too  ), but as of Beta2, nobody has hacked iRO GM.
|
| 
