Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[nightcracker]

I was talking to Orpheon on IRC and I asked how the haxxy golden statue award was put in the game. He told me award winners got a secret key. So I challenged myself and see if I could break the encryption.

After looking I saw that currently the game uses as identification a public MD5 key which can be checked with the private key, but the md5 algorithm doesn't use a salt. This isn't secure. If you use md5 (not truly cryptographically secure) without a salt it means standard rainbow tables can be used to brute force it.

And indeed, after 30 minutes of brute-forcing I found the key (no I'm not going to post it).

Perhaps this should be fixed to used sha1 with salt instead?

[cats4gold]

its not worth it

[nightcracker]

It takes about 10 minutes to fix...

[cats4gold]

nooooot woooooooorth iiiiit

[Saniblues]

The haxxy was supposed to be a short-term prize that was to be removed in the next update. However, by popular demand, it's being kept in. The system has already been exploited in the past, so it's not news to us, really.

We could fix it, of course.

[I_am_awesome]

if you really want the key, can't you just host a server (or maybe just join a server if the key is sent to everyone in the server), wait for a haxxy dude to join and let the game write the key he sends to a text file?

or does the server only recieve the encrypted key?

[MedO]

I didn't actually think it could be bruteforced that easily, interesting. I know md5 is not considered secure anymore, but still. I used md5 because there is a GML implementation that I could just copy in, I didn't find one for SHA.

Anyway, I did know you can just grab the the key as server, although i tried obfuscating that a bit with the bogus "challenge" thingie. I just accepted it since it's only a short-term thing and no need for big security. Solving that problem would be far more difficult than making the key longer (which would prevent the bruteforce / rainbow table attack), since you would either need asymmetric keys or a trusted party that performs the authentication, and I don't fancy implementing public key crypto in GML.

[BassMakesPaste]

grab the the key as server

I tried that, but I can't host for extended periods of time.

[NAGN]

The key was released to everyone anyways when a winner leaked it to archer (This is unavoidable as well)

[BillyBobJoe]

who cares? Who wants to turn gold when dead? Just get flaw's Haxxy Garrison 2 mod

[NAGN]

There's a difference between a client sided novelty and a required novelty shared by all clients

[Sentry]

so how did the winners 'activate' the key?
and could this system be used for other things e.g.  hats?

just curious and I don't know how it works

[Saniblues]

The prize for the mini haxxy is a hat, but closer to a full-blown costume really. That is, if enough people enter (...!!!)

So the answer is yes, it could.

[Sentry]

Well I would enter but I don't know much about modding

I just read the actual post. 

[Saniblues]

Its open to art, too.

And you can work in teams.