Password Hack

Decide

Member!
Joined
Mar 14, 2004
Messages
28
Reaction score
0
Ok. Try whispering yourself your password or anyone else (or anything?) [ON DIABLO]. You will get some message box saying how you shouldn't tell your password. This feature, where Diablo stores your password in the game after you log on, could be GREATLY exploited. (i.e. Game: I say how to dupe while in the game, send them a program that finds the location of the password and sends it out loud in the game :lucifer ) I don't know if I am allowed to post this here, but just a heads up to devs, and if anyone is interested in programming in vB something for this, pm me or aim me @ evil pistol
kthx
 

CuStOm-OwNaGe

Member!
Joined
Jun 24, 2003
Messages
865
Reaction score
0
Location
~~~~~~~~~~~~~~~~~~~ Posts: 133
No, it's most likely not exploitable, seeing how the passwords are stored on the Blizzard server... which makes it totally illegal to get... so I wouldn't discuss it anymore b/c it's pointless... b/c it's not possible...
 

Decide

No, it's client-side; it's stored in D2 or in a memory thread (have a program find it).
 

pat

Member!
Joined
Aug 24, 2002
Messages
947
Reaction score
0
If you're capable of actually knowing whether it's client-side or server-side, you should be able to make such a program yourself...


Originally posted by Decide
send them a program that finds the location of the password and sends it out loud in the game
THAT's the problem, there are enough ways to screw someone over if you can get them to run something, but the problem for scammers has always been getting them to run something.
 

Snarg

Member!
Joined
Sep 9, 2003
Messages
292
Reaction score
0
Originally posted by InFerN0
My girl made a program for me: when I sell a potion, the server thinks I sell an SoJ and the SoJ counter is growing. So if this is possible, then your idea can be made too.
/me whispers: Client side
 

Decide

Originally posted by InFerN0
My girl made a program for me: when I sell a potion, the server thinks I sell an SoJ and the SoJ counter is growing. So if this is possible, then your idea can be made too.
Dang, I'd like to get a hold of that =P
 

HolyShytItsBob

Member!
Joined
Mar 1, 2003
Messages
440
Reaction score
0
That's bullshyt. Your "girl" didn't make you shyt. You cannot sell an item as another item... the server just won't allow it. Period.

[On Topic]
I'm pretty sure that the pw is saved in memory somewhere, just it's probably in a random location. I doubt that the servers run through every whisper you send and check to see if it contains your password. That would waste a whole lot of time and processing the servers don't need. They would have to load the pw, decrypt it, and find it.

You might be able to easily test this. Run two D2s. Log on with one of them. Get on the other D2 and change the pw of the account you logged on with the first D2, then close out of it. Message yourself on the first D2 with your pw. See if it still thinks your old pw is your pw. If not, then I bet it's server side. That or it is written to the same spot in memory every time.
 

irdamage

Member!
Joined
Aug 2, 2003
Messages
959
Reaction score
0
Location
Canada...eh?
Like Snarg said... it's client side only, meaning... it shows up to you... but not to the server... meaning... all you're doing is having a fun time selling your pots :)
 

HolyShytItsBob

I just did my method and D2 thought it still was the pw. The pw is stored in the memory client side. Go on and try it. Run 2 D2s and log on with one. Change the pw with the other. Go back to the first one and whisper your first pw to yourself. It will still say "Don't send your pw to ppl...." So, the client is checking the pw from within itself. The server isn't the one checking. You could exploit that.
 

Me0wMixUp

Member!
Joined
Jul 5, 2003
Messages
83
Reaction score
0
Location
meow
Website
meow.com
...yeah it's client-side, one problem though, it's encrypted, unless you disassemble it and get the encrypt key, well then.... getting nowhere, huh? :p


Edit: In case you think Blizz is stupid, after every time you find the actual server connection value it randomly changes from 0-255, it just shows Blizzard isn't stupid and is aware of people wanting disconnect hacks, and PS.... screw around with unknown packets (from inside info) I have seen a mass desync game hack with it :)
 

xXEcranomicalXx

Member!
Joined
Oct 13, 2003
Messages
301
Reaction score
0
What file is it in.... I am thinking bncache cuz every time you log in and do something the size of the file changes.... only one I've seen change... and there is a bunch of gibberish written in it... I am assuming that's the encrypted part.
 

Me0wMixUp

Yuppers... but I dunno what file, I didn't try to look... but decrypting stuff isn't an easy task without skills... most likely once you disassemble the stuff, you will find an encrypted encrypt key :/ so it helps nowhere~ thank god for calculators, too much math in decrypting, I usually get a piece of the source off someone and go on from there...
 

Decide

Then let's do this.. btw, how do you know it's stored in bncache, it could just be client-side values such as systime, home channels, or anything. There is a tool that watches memory threads, I think it comes with C++, not sure, if someone could post that would be great

::BTW:: Blizz doesn't give you an IP from 0-255, like useast is only 63.240.202.129 - 63.240.202.140...:::

p.s. Blizz files could use common encryption, so it could be 1 or 10, it probably isn't even stored in bncache, it's stored in a memory thread that is only created once (holyshyt bob). So if anyone wants to do this, please pm me or get in contact
 

xXEcranomicalXx

Well, I'd say it's bncache because it is the only file that I've seen change after you've logged off b.net, and also the only file that you can't access while you're logged on.


By logged on I mean at least at the character selection screen.

Although I could be wrong... only way to find out is to test it.
 
