 Show Posts
|
|
Pages: [1] 2
|
|
1
|
Feedback Terminal / "Bugs" and Problems / Re: Possible exploit using the connect screen
|
on: January 11, 2012, 01:21:05 PM
|
sending 4.294.967.296 requests would either take years or get you a flood ban. there are easier ways to get ips. Not if your using the link to try and connect. This is just for using the connect screen and inputting the IP's in the textarea to try and connect to an IP.
whats the point of securing one way to connect and leaving the other unsecured? someone would just use links instead of forms to exploit this The point is that IP's do change, and the links become invalid. It like what s3lphctr1 said: Im all for tightening up the server dont get me wrong, but wouldnt that lock you out if your cracking multiple ips and they reset ip during the crack. You know you get the ip does not exist message. Which i seem to get a lot these days.
If your following links that the game generated, it shouldn't lock you out because you keep hitting the IP doesn't exist message, because it did before. The exception to that is if you hit the same link multiple times in a row, since I'm pretty sure that is not something most people do. This is just to tighten down any form of automation that can use the connect screen. |
|
|
|
|
2
|
Hacker Project Café / Game Room / Re: The Corrupted Wish Game
|
on: January 11, 2012, 12:56:51 AM
|
|
You get your wish, but you crash it into a pole minutes after you take it onto the road due to a defect.
---
I wish woodchucks could chuck the wood they wish they could chuck while woodchucks couldn't chuck wood.
|
|
|
|
|
3
|
Feedback Terminal / Suggestions / Database Overload Bomb
|
on: January 10, 2012, 11:43:54 PM
|
I just thought of this when talking to WolfDoc about how he wasn't cheating (yea, I know, GNU is on a "HE CHEATED" thing, but meh, he knows I'll call him out on it if I think he is) Anyways, with the IP database, if you get a lot of IP's in your database, it makes it easy to get IP's of someone your looking for. Now, many would argue that this is a good thing, and I agree, it'll rock to find someone when they changed their IP with one or two purchases. The problem lies in the fact that the defender has no way to prevent this, which is where this Viii comes in. A cat and mouse game in heavy favor for the cat, of sorts. Now, the DBOB will run in the footsteps of the MOB and MLB. It's a Malware-type viii that will do damage to the targeted users IP database, effectively overloading it and causing some of the tablerows to drop, depending on time ran and version of the Malware. Now, for how utterly powerful this is, and how it can take the top placed player out of the equation fairly quickly, you can only have one active at a time. I know this seems like a cheap blow tactic, but look at it like this: If I wanted to slow down my attacker, I would have to do something to make them need to regather themselves. This would effectively do that by both them needing to re-purchase IP's and waste time doing so. Tell me what you think  |
|
|
|
|
4
|
Feedback Terminal / "Bugs" and Problems / Re: Possible exploit using the connect screen
|
on: January 10, 2012, 10:20:30 PM
|
Im all for tightening up the server dont get me wrong, but wouldnt that lock you out if your cracking multiple ips and they reset ip during the crack. You know you get the ip does not exist message. Which i seem to get a lot these days.
Not if your using the link to try and connect. This is just for using the connect screen and inputting the IP's in the textarea to try and connect to an IP. |
|
|
|
|
5
|
Feedback Terminal / "Bugs" and Problems / Re: Possible exploit using the connect screen
|
on: January 10, 2012, 10:11:49 PM
|
|
No offence WolfDoc, this wasn't because of you. I was just bored and randomly inputting IP's when I started thinking about this and how it can be exploited.
Secondly, since I'm not the brightest cookie, I assumed that it's has been or is currently being used this way.
Now, if I was pointing fingers, I would. You should know this WolfDoc, from the conversation we had. I came out and said I thought you were cheating before and I was wrong. If I thought you were cheating using something like this, I would of called you out on it. This is just my ADD mind going on a tangent.
Now, if we can please not assume that everyone from GNU is on a witchhunt for WolfDoc, that'll make tensions easier for everyone
|
|
|
|
|
6
|
Feedback Terminal / "Bugs" and Problems / Possible exploit using the connect screen
|
on: January 10, 2012, 06:45:10 PM
|
|
After theorizing about a couple things, I came across a problem in the connect screen that may allow a user to spam IP to find a user without buying IP's from the software dealer.
Now, this theory is biased on a couple of assumptions, since I have no clue how the connect screen works:
1.) IP's (biased on the IPv4 format HP uses) has about 232, or 4.294.967.296, possible addresses. Using desktops or laptops within the last 3-5 years, that number of Alpha-only addresses will take about 10-30 minutes to fully rotate that list.
2.) The Connect screen doesn't dock AP points for using it. This can be exploited by a program (Greasemonkey or Tampermonkey) that generates a random IP address and places it in the connect textarea when a injected button is pressed. I don't have a proof of concept program to show how this works, but if I had a domain host, I could write one together to show you what I mean since I need PHP and SQL.
Now, given this information, one with an above-average computer (at least 4 core without hyperthreading, 2+ gigs of RAM, and at least a GPU that supports some sort of process offloading, like OpenCL) can generate enough IP's to find someone without using the software dealer in a short amount of time.
My proposed solution:
When using the connect screen, if someone get's five (5) failed attempts in five (5) minutes, the system should restrict connects and bounces for either:
A.) an amount of AP or
B.) IP's currently in the users IP database.
This would prevent many current and future abusers, if a catch like this isn't already in place.
Thank you,
--Hh2
|
|
|
|
|
7
|
Hacker Project Café / Whatever / Re: Hello, i was bugshunter ;)
|
on: January 08, 2012, 07:41:08 PM
|
|
Firstly, for bugshunter, he did what he did and Emi most likely knew about it. Whether it be this exploit or another, it doesn't matter as he's banned.
Secondly, Jager found the proof of concept behind the ServerID exploit. Nowhere did he say that he, or we for that matter, used it to our advantage.
Lastly, your now twisting my words to your liking, as you accused me of doing. I'm only enforcing my claim that the users of this exploit should be banned because it breaks the game to the point that people the pour money into it will win no matter what.
I may not know Jager personally, but I don't think he cheated or used exploits to get where he's at now. I think he just had a lot of time on his hands and poured all of it into HP then into RL, due to depressive tendencies or what have you. People can be that good without using outside help. If he was cheating, he would of been banned by now, am I right? Because there is NO program that can perfectly emulate human behavior (the closest I know of to emulating human-like behavior is creating a Java program using the Robot class, querying the website with a screen reader, and using complex algorithms, clicking on links depending on a near infinite number of situations that may happen between each second).
|
|
|
|
|
9
|
Hacker Project Café / Whatever / Re: Hello, i was bugshunter ;)
|
on: January 08, 2012, 07:03:34 PM
|
Because I referenced it when I made the post. Since the Group PM system uses, what I assume, a 255 character plain text system backed by a PHP function that will censor words when it's stored by the SQL backend, it's impossible to create a BB link using it, since the only thing that supports BBCode is these forums. NOW, as a moderator and a developer for a small community, I learned to reference other sources to back up my claims. I'm sorry I confused you by hotlinking within a self quoted reference, I'll change it so it won't confuse anyone else. |
|
|
|
|
10
|
Hacker Project Café / Whatever / Re: Hello, i was bugshunter ;)
|
on: January 08, 2012, 06:49:43 PM
|
Just saying, but I think that the only person ON the dev 'team' is Emi.
As far as I know, all the others have left.
Either way, this game is dying, mainly because Emi is spreading his time to thin.
Still, right now you are just posting words that serve your purposes. Until you post ss's of the message (From in game) then most/all people are going to assume that your all just butthurt.
Edit - Looked over. To me, it looks like your just blowing nuts out of your ass. Know why? The date on the message is Jan 3, yet it has a link to a post that was made on Jan 8? I'm sorry. I've never majored in Temporal Physics, but something just doesn't seem right to me. Unless you have a time machine, how could a message sent on the third be refering to a post that wouldn't be made until the 8th?
the same way and reason I can link to Wikipedia and Google. I was siting references that prove the things being said have a backbone, and that they weren't, quote, blowing nuts out of your ass. Also, The link references PM's that took place on the new year, it was just posted today. |
|
|
|
|
11
|
Hacker Project Café / Whatever / Re: Hello, i was bugshunter ;)
|
on: January 08, 2012, 04:39:40 PM
|
[GNU] Exousia(#8447)
08-Jan-2012 04:55
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Hey
jager (#10302) Edit PM 03-Jan-2012 04:57:25
true almost everytime. Except one time:
open IP database, check one server with those checkboxes and click button Bounce at the bottom of the list. That uses function, that takes ID not IP from that server and bounces to it.
bugshunter (#35091) Edit PM 03-Jan-2012 04:53:46
the thing is that as i can see, when you connect to a server, you use the ip, not id... or i don't know well enough ?
jager (#10302) Edit PM 03-Jan-2012 04:50:10
it's actually very simple if you want to use that exploit. In about an hour you can have javablocked parser with php/mysql backend, where you store all ID. Then it's simple to cycle them and getting new IPs...
bugshunter (#35091) Edit PM 03-Jan-2012 04:49:26
jager, i've already bypassed emi's restrictions and that random stupid javablocked :) so, he needs to up his game... i started to play this game for fun.. but seems like after all, it's a good lesson about blockeding :)
jager (#10302) Edit PM 03-Jan-2012 04:49:02
Just be sure to check about any hidden variables when submitting your forms. You can get current variable by unserializing that hidden eval code with javablocked.
The Rest of the conversation that was "left out": bugshunter (#35091) PM 03-Jan-2012 04:47:48 i will take a look at that exploit you're talking about... :) jager (#10302) PM 03-Jan-2012 04:46:58 And cheater who knows what will get changed from owner of the game will always have advantage. jager (#10302) PM 03-Jan-2012 04:45:40 what we can do? Nothing really. Your surprise tactic last round was nice touch, now they are ready for it. This round they will collect that money prize. Ivan Drago (#1237) PM 03-Jan-2012 04:43:13 I cant believe that siremi is as ignorant as to give one player a huge advantage over everyone else. If Wolfdoc manages to get all exploits fixed except his own then my journey in HP end here and nowIvan Drago (#1237) PM 03-Jan-2012 04:42:49 Offcourse it is unfair, I was just wondering what we can do without getting into those cheats ourselves jager (#10302) PM 03-Jan-2012 04:38:46 and since i will get my servers bombed no matter what i do or how many times i change IP, i don't see how to play this fair ... and i will get my reserach cancelled no matter what i do. jager (#10302) PM 03-Jan-2012 04:33:47 oh, he knows that exploit. wolfdoc admitted that emi will change it a bit, so other scripts won't work tomorrow any more. his of course will, cos he knows how that little variable is generated. Ivan Drago (#1237) PM 03-Jan-2012 04:30:48 What else can we do than just keep reporting exploits to siremi ? I dont want to lower myself by using these tricks too jager (#10302) PM 03-Jan-2012 04:29:10 even when round resets, your primary server is the same. Different IP, same ID. If you have it from previous round, you can access server then. jager (#10302) PM 03-Jan-2012 04:27:53 been here all the time. Wolfdoc confessed ( bragged) he is using it to get our servers even if we change ip. ( Picture proof backup) ( Supporting References posted on Jan 8th about PM's made on Dec 31st) jager (#10302) PM 03-Jan-2012 04:27:14 my last server has id [edited]. so there are about 100.000 server currently ingame. Simple script can cycle through all ID's in few minutes and gets you their names and IPs. Ivan Drago (#1237) PM 03-Jan-2012 04:26:55 it not really into computer codes .... are you saying the game has BECOME unplayable or has this trick been here all the time ? This exploit needs to be changed. AS STATED IN THE ToS: Fair play
Players who try to manipulate the rules and/or use loopholes in them may be deleted from the game. Each case will be looked at separately by The Hacker Project team, before a decision is made.
Playing fairly and Honestly
The Hacker Project upholds high standards of moral behavior. Any player who is caught manipulating bugs in the game or has been cheating in any other way will be deleted from the game immediately. Using vulgar words towards other players may also lead to deletion.
WolfDoc has ADMITTED to using an exploit to track people down after IP changes, which is two violations of the ToS. He should be banned like every other cheater, staff or not, his staff tag removed, his account locked as such, and the exploit fully fixed by the Hacker-project dev team. Just because he can throw money around doesn't mean he should be exempt from the rules. |
|
|
|
|
13
|
Feedback Terminal / Suggestions / Re: Worm viii
|
on: November 05, 2008, 03:20:14 PM
|
Updated the main topic on how the anti-worm may work, using an idea that emi was thinking about implementing but never did --Hh2 |
|
|
|
|
