Originally Posted by Blam
Wrong.
"login name pass" works.
And if you work out how to send joints, that would be possible.


...WHAT. Kay, that is a freaking HUGE security risk then. If it doesn't encrypt the password, a simple sniffer can find the password easily. And seeing as how they're linked to forum accounts, that makes it an even bigger problem.
Got bored.
Made my own little server bot in VB (yes i know it sucks) n lua

What it Does:
Pretty much
My lua serverbot takes in the commands !Set, !Mode and !Rndm.
The VB serverbot sends messages to confirm this. Also the VB serverbot does stuff like responds to "Hi" and then if someone says "ServerBot", he will repeat the string, and put the person who said its name instead.
Example:
[Legacy]Blam: ServerBot is sexy.
[TelNet]ServerBot: Blam is sexy.

Last edited by Blam; Mar 25, 2008 at 09:22 PM.
:D
I was there

We had a lot of fun with Serverbot.

ServerBot: We had a lot of fun with [FSN]LineTori

Oh damn....

It's a really nice device you made =D
[o]|ORMO|Replay thread!
Last edited by Chartle; Tomorrow at 13:37 AM..
Originally Posted by Blam
Got bored.
Made my own little server bot in VB (yes i know it sucks) n lua

What it Does:
Pretty much
My lua serverbot takes in the commands !Set, !Mode and !Rndm.
The VB serverbot sends messages to confirm this. Also the VB serverbot does stuff like responds to "Hi" and then if someone says "ServerBot", he will repeat the string, and put the person who said its name instead.
Example:

OMG, VISTA

I would like to see something like voteban or votekick. The idea of vote to change mods is cool too, but the bot should also be able to change the servername and the entering-message then (!!!).

I gets a brother in every server .
Hmm, okay first off Jok, let me explain something, the password encryption... well more of password hashing, is MD5. When i was packetlogging my toribash client, i noticed that it sends the command:

mlogin <user> <passhash>
Now, the password i was using for my toribash account, i used for some things when i was coding php, and working with md5, and i knew the first 10 characters of the hash, and instantly recognised them when the packet was sent. So that's how i know it was MD5

Now, as far as security goes for that, it's just as safe as a website login system with php. There are some vulnerabilities, but if you've ever studied hacking like i have you'll know that there are maybe.. 2 things that "Could" jeopardize someone else's account or whatever. But, the same thing can be said with websites. These 2 things i am speaking of, are Dictionary attack and brute force attacks. Now, there are things that can be done to prevent these, such as limiting the number of logins per half hour (i know a lot of Bulletin boards have this feature). Whether the toriserver has that... i'm not sure, but would be a good feature to have. But your average joe isn't going to know this sort of thing anyways so it's not that big of threat unless some wanker decides to ruin the game for others and starts trying to actually do things like that.

Oh i forgot to add, even if someone manages to get the hash somehow (without directly doing a dict. attack or brute force) they would have to actually BF/Dict. the hash which can take DAYS or longer depending on what method you use.. Or there's rainbow tables, but i believe that could only be used if you obtained the hash. Ahm, yeah and you're wrong, you say

If it doesn't encrypt the password, a simple sniffer can find the password easily. And seeing as how they're linked to forum accounts, that makes it an even bigger problem.

This is not true, the hash part i already said, but a sniffer cannot find this. Know why? The client is sending the packet to the server, and the server only. For a sniffer to be effective, you'd have to be on the same network as the person logging in. And even then, you'd have to do an MITM (Man in the middle) attack on their pc. So it's not as great of threat as you make it out to be.

So, anyways just so you know it DOES work, as i've been testing my bot on some servers and it logs in just fine and it's able to send joint movements just fine.

@Blam - Yes the joint sending is simple enough, i think i've figured the sequence out, thanks to a thread i had a peek at in this forum.

@Jok(again) - I never asked for actual money, i asked for toricredits... and i said No more than 15k credits for a 1 year license, i haven't decided how much to charge.. i may say 4000 for a 6 month or 7500 for a 1 year.. anyways that's the least of my worries at the moment.. Well, the reason i want to charge, is to ensure i don't have JUST ANYONE getting a hold of the program, no one but server owners really NEED this anyway. Actually, if the person who wants the bot, can prove to me that they actually have a server, and have admin access, i may just give it out to them without them giving me toricredits. However, i would still hardware lock it to their pc. (Sorry i can be a bit security paranoid :P )

Now i could add security to the program, but i don't feel it is needed for the lua scripting if i give it to serious owners. As i said. But i may change my mind on this yet.

As far as the telnet session goes, i'll try again later but when i was logging the toriclient i didn't get the data i was looking for which was POS, ANGVEL, etc.. But i did get JOINT and GRIP, also i wasn't parsing it, i was packet logging it with Wireshark AND Winsock Packet Editor(WPE).

However, if you say you get this data from telnet i'll check it out later.

But i may change my mind on some things. But anywho i'm going to work on this a bit, and stuff. Possibly add an anti-spam system, (For the bot as well so it can't spam from console or anything.)

So i gotta be off for now i think i covered everything.. I had to type this fast cuz i only had 10 mins or so to be online. (Dialup during the week sucks :P)

I typed this at school earlier, but i didn't have enough time to finish so i said screw it and didn't save my msg.. anyways that doesn't matter. I'll check back for replies later.
Originally Posted by Jok
...WHAT. Kay, that is a freaking HUGE security risk then. If it doesn't encrypt the password, a simple sniffer can find the password easily. And seeing as how they're linked to forum accounts, that makes it an even bigger problem.

I've realized that before. And, mlogin is not perfect itself, because it is possible to simply stop your own "normal" mlogin from flying through and having a proxy/whatnot replace it with "zomgrandomsuperadmin"'s mlogin.

Which is what I was talking to GrarRR about a while ago. Which, again, goes back to the ever difficult world of security. And, as such, came up with the double salt idea, because of the DB. Which should work quite well, imo.
Squad Squad Squad lead?
The standardization of Toribash Squad roles may have gone too far!
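An added example, not part of any post in this thread and not Toribash code: it contrasts a static `mlogin <user> <md5>` check, where a login line that was accepted once is accepted again, with a nonce-based challenge-response that rejects a reused answer. The account store, `ChallengeServer` and `client_response` are hypothetical names with constructed values, and the scheme is a generic one, not the "double salt" idea mentioned above.

```python
import hashlib
import hmac
import secrets

# Constructed account store (made-up user and password): md5(password) per user.
STORED = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def static_mlogin_ok(line: str) -> bool:
    """Static check of 'mlogin <user> <md5hex>': the hash itself is the credential."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "mlogin":
        return False
    expected = STORED.get(parts[1], "")
    return hmac.compare_digest(expected.encode(), parts[2].encode())

class ChallengeServer:
    """Hypothetical alternative: one-time nonce, client answers with an HMAC."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)  # single use, even on failure
        key = STORED.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), response.encode())

def client_response(password: bytes, nonce: str) -> str:
    """Client side: derive the same key from the password and sign the nonce."""
    key = hashlib.md5(password).hexdigest().encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    captured = "mlogin alice " + hashlib.md5(b"correct horse").hexdigest()
    static = (static_mlogin_ok(captured), static_mlogin_ok(captured))
    srv = ChallengeServer()
    resp = client_response(b"correct horse", srv.challenge("alice"))
    fresh = srv.verify("alice", resp)
    srv.challenge("alice")  # next session gets a new nonce
    return static, fresh, srv.verify("alice", resp)  # old answer is rejected
```

The stored MD5 value still serves as the key here, so this covers reuse of a captured login line only; it does nothing for a leaked account database or for the plain `login name pass` form.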
hmm, okay so i've gone onto a server using telnet, i still get garbled text, and none of the data i want. It almost looks like someone opened character map and started clicking on completely random characters and then pasted them. Maybe, i'm missing something, or maybe my theory about the encrypted stuff is correct... idk..

I'll tell you, it's only for the calculations i think..

i'm referring to:
ANGVEL
LINVEL
QAT
POS

I get the full joint movements, just not the other things i mentioned above.

I might see something like

P_ANGVEL 1; <insert ALOT of messed up text here>
and so on... Meh..

@Bot - Vote kick shouldn't be too hard to do
Last edited by oMejA; Mar 26, 2008 at 02:01 AM.
Yes, mlogin uses md5. However normal login uses NO encryption/hashes/whatever.

Meaning you just do login name pass and the pass gets sent as raw data. Meaning it's extremely easy to get the pass that way.

Either way, a server bot has been done, and will keep being remade. So, whatever.

And also, 14k toricredits for a year is like charging 14$ a year. And it's not worth it, for one, and not needed either.

Also, telnet works fine for me if I don't use the normal telnet client. Try using Putty. And I really doubt hampa encrypted the joint data, because I recall him saying that the client/server protocol is unencrypted to promote third-party apps.
Ah alright, i'll try out putty a bit later.

As for the login, it's still not as bad... well not the way i see it..
Maybe I'm missing something, But, the only people that should be able to get the password, are either people with log/console access to a server daemon, OR people who are on the same network. Other than that i can't see it happening, but i could be missing something.

The toricredit thing is debatable though, while it does cost roughly $14 for 14k credits, if people have boosters they probably get their credits from winning. So idk..

Now one other thing i probably should have mentioned, is that i've had access to a server while offline, my cousin gave me his old tori key, so i was using the server daemon in 2.8 for testing.. and i think the version of that is 3.0.... meh.. But, i do say that, in the server daemon i use, there are some differences between it, and the ones used on the .. normal toribash servers..
In the one i use, i do actually get the ANGVEL, POS etc, and for the live servers, it doesn't give me that data for some reason.. I'll probably figure it out eventually.