1

Topic: MasterPW Noob?

why is adding a masterpw to your private (closed source) mod noob?

i know the player can open the mod with a hex editor and find the pw, but what if there's a way to protect your master pw, like you can only log in to your pw with your private client, would that still be noob? and why?

// decapitalized by Landil

2

Re: MasterPW Noob?

on the one hand: there is actually no reason to make the source code of an open source project closed source, just to hide a master password
on the other hand: it will be hacked, coz by using an m-pw you are pleading for it.

in addition: you won't have any benefit from it.
// decapitalized by Landil

3

Re: MasterPW Noob?

xXDARKXx wrote:

why is adding a masterpw to your private (closed source) mod noob?

i know the player can open the mod with a hex editor and find the pw, but what if there's a way to protect your master pw, like you can only log in to your pw with your private client, would that still be noob? and why?

If you want to host a server, you want to have full control. That's why adding master passwords is frowned upon. Additionally, it also creates a security hole. People can just reverse-engineer the server binary to check the PW (in most cases).

4

Re: MasterPW Noob?

You can write your own str_copy(...)/str_format(...) function to hide the %s, %i or whatever from HEX-Editor...

Imo it isn't nooblike, it's fun for other to search for the masterpw and try to get full control on your server^^

#yemDX is a known troll

5

Re: MasterPW Noob?

It's quite hard to understand. Becoming older, you'll get it yourself. Master pw is a kidding. Probably, if you are responsible, you won't make smth bad on the server you don't host, however i don't know any reasons to use it. So, what are the advantages for hoster to host server with m-pw?

6

Re: MasterPW Noob?

Hey! Shahan, we are in same clan so you have to agree with my opinion!!!

Joke, yes you are right, we also had a master pw in iDDRace once but it wasn't needed any more because we understood that more people host the server if there is no mpw, and also even if you try your best to hide your pw there are people who need 5 minutes to find it. And they were kidding the people on their own server even more than us when we started with coding^^

good times 0.5.2...

#yemDX is a known troll

7

Re: MasterPW Noob?

Yes, i agree with you :P I have a cool story about m-pw:
M-pw was smth like a challenge for me -> i was a kid :)
As i remember, it was a formatted string: "%s%d", g_Config.m_SvMap, (int)<some float number>*<another float number>
"%s%d" was protected from editing in hex editors with md5 (if it didn't equal some hash, the server crashed)
Nobody could hack it imo, but some guys on the #ddrace channel explained to me that it's useless (heinrich5991) and found the m-pw in 2 minutes (ravomavain) since i sent them the .exe!
Since that day iDDRace is open source, and i never regret it :)

8

Re: MasterPW Noob?

Just to tell you an amusing story:
When inherited and me were working on nodes, one of the binaries leaked because someone "trustworthy" had access to our server hoster. As a result we hardcoded a master password into the next versions to be able to shut down every server. It worked fine, but we forgot to remove it when we released the source code. And therefore, when nodes was released, everyone was able to rcon servers, which made playing nearly impossible.

Antoine de Saint Exupéry: It seems that perfection is reached not when there is nothing left to add, but when there is nothing left to take away.
Besides -  I am the gfx guy!

9

Re: MasterPW Noob?

yep, really stupid as me^^ i also forgot to remove some parts when I published uTown source

#yemDX is a known troll

10

Re: MasterPW Noob?

I don't see any reason to include the master password as plain text in the executable. Why not just keep its hash? say sha-256. Can anyone brute force a sha-256 in 2 mins? (considering the master password is not a very common password)

But... what if we tried more power?

11

Re: MasterPW Noob?

maybe in some hours, if you use cpu and gpu and maybe some more computers

#yemDX is a known troll

12

Re: MasterPW Noob?

Maybe in some days or weeks... or months.. or years... or centuries. Depending on what hash-algorithm.
The problem of plain-text passwords in binaries is that you can even open the binary in a simple text-editor, search for something that looks like a hash or a password and change one single char and your password doesn't work anymore.
Sure, you won't have the password then but ofc. you can replace it by known hashes or whatever and distribute these modified versions, whatever.
Anyway, you can bypass such things easily.
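
A pre-release check for the problem described in the posts above, as an added example that is not part of the original thread: it reads a build artifact the way a text or hex editor shows it and flags bare format strings, digest-sized hex runs and credential keywords, so a leftover master password or its hash is caught before a binary ships. The sample bytes, the keyword list and the function name `audit_binary` are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a compiled server binary (not a real build):
# header bytes, a log message, the "%s%d" format string from the thread,
# and a hex-encoded SHA-256 digest of a constructed secret.
HEX_SHA256 = hashlib.sha256(b"constructed-example-secret").hexdigest().encode()
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"master password accepted\x00"
    + b"%s%d\x00"
    + HEX_SHA256 + b"\x00"
    + b"\x90" * 16
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)
DIGEST_LENGTHS = {32: "md5-sized", 40: "sha1-sized", 64: "sha256-sized"}
HEX_ONLY = re.compile(rb"[0-9a-fA-F]+")
FORMAT_ONLY = re.compile(rb"(?:%[sdiufx])+")
KEYWORDS = (b"password", b"passwd", b"masterpw", b"rcon")  # hypothetical list


def audit_binary(blob):
    """Return (offset, kind, text) for every string worth a manual review."""
    findings = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group()
        if HEX_ONLY.fullmatch(text) and len(text) in DIGEST_LENGTHS:
            kind = DIGEST_LENGTHS[len(text)] + " hex digest"
        elif FORMAT_ONLY.fullmatch(text):
            kind = "bare format string"
        elif any(word in text.lower() for word in KEYWORDS):
            kind = "credential keyword"
        else:
            continue  # ordinary string, nothing to review
        findings.append((match.start(), kind, text.decode("ascii")))
    return findings


if __name__ == "__main__":
    for offset, kind, text in audit_binary(SAMPLE_BINARY):
        print(f"0x{offset:04x}  {kind:28}  {text}")
```

A clean result only means nothing is stored as a readable string; a password assembled at runtime, as discussed in the following posts, is not visible to this check.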

13

Re: MasterPW Noob?

even if you use

aPw[i] = (char)(ascii_number);

for every char in your password array?

#yemDX is a known troll

14 (edited by TT <3 2013-06-03 23:51:40)

Re: MasterPW Noob?

This is no plaintext anymore. But yes. On runtime the string will be built anyway and may remain in memory. But of course you can overwrite this space, encrypt the hash.. spread it all over the source, whatever. But well, this is ridiculous... and can be bypassed anyway, depending on how motivated and talented the 'attacker' is.
Just don't make such things, they're just a security hole

15

Re: MasterPW Noob?

uh, didn't know this - need to take a look when and how they are built, i guess a disassembler like OllyDBG should be enough...

#yemDX is a known troll