hackmud

hackmud

dandykong Oct 4, 2016 @ 9:53am
Loc bruteforcing, game breaker or legitimate tactic?
I played Dark Signs (another hacker MUD) before playing this and from my experience with password crackers on that game immediately thought of making a player loc cracker. I made it, tested it on my alt for a few hours, and it worked. After getting channel 0000 to test it on Trust (after restricting it to only target Trust without a password, of course) I immediately realized what a game-breaking monster I created. Any player or corp can fire it up and steal your loc, even if you just ran sys.init for the first time and never hacked anything or ran any scripts. Will anything be done about this or will it become a legitimate tactic?

EDIT: I saw all I need to see on here, Reddit, and in-game, nobody wants this thing to see the light of day. Still, is it bad enough that Sean should add better loc protection or recovery?
Last edited by dandykong; Oct 5, 2016 @ 8:34pm
< >
Showing 1-11 of 11 comments
Skid Oct 4, 2016 @ 10:08am 
If it wasn't meant to be bruteforcable the random part of the loc wouldn't be only 6 lower case alpha numeric characters (7 if you count the prefix). That said script run time is limited to 5 seconds you'll have to keep running it till you finally get it, but if you have it you have it your patience has been rewarded.
Last edited by Skid; Oct 4, 2016 @ 10:10am
dandykong Oct 4, 2016 @ 11:03am 
Originally posted by Skid:
If it wasn't meant to be bruteforcable the random part of the loc wouldn't be only 6 lower case alpha numeric characters (7 if you count the prefix). That said script run time is limited to 5 seconds you'll have to keep running it till you finally get it, but if you have it you have it your patience has been rewarded.
Locs can't be changed without retiring a user, so getting your loc stolen is pretty much permadeath. This script allows players to steal locs without having to phish or wait for their victim to hack an NPC that saves access logs. It's practically a "You lose" button.

EDIT: Almost forgot, even though it takes forever to get a loc by yourself there's nothing stopping entire corps from using it. I even got channel 0000 to raid Trust in order to work out the bugs.
Last edited by dandykong; Oct 4, 2016 @ 11:13am
Anihillator Oct 4, 2016 @ 12:09pm 
It's legit, dev confirmed it. *shrug*
dandykong Oct 4, 2016 @ 12:18pm 
Originally posted by Anihillator:
It's legit, dev confirmed it. *shrug*
Well, hopefully he adds easier loc recovery. I just posted it on the forums sans password protection to get some help working out the random JSON errors.

EDIT: No response on my other post but I did get breached, why am I not surprised?
Last edited by dandykong; Oct 4, 2016 @ 1:18pm
Shadowspaz Oct 4, 2016 @ 1:50pm 
Well this is somewhat frightening. Curious to see what becomes of it.
Techercizer Oct 5, 2016 @ 4:55pm 
Edit: darn trust breaking rules >.>

Personally, I think we'd be better off if everyone was on a level playing field; it would clean stuff like this up as well.
Last edited by Techercizer; Oct 5, 2016 @ 5:05pm
Demannu Oct 5, 2016 @ 5:06pm 
*sigh* Here we have a classic example of someone who speaks before they test. No matter what you do, it is no possible to form a loc scriptor via a script. It is disabled by default, as a security design within the game engine itself. It is 100% impossible without utilizing an external tool to copy and paste each attempt for you.

@OP is a literal bundle of sticks. He does not have code that does this, will not be able to produce working code for this, and frankly is only confusing players further. Scrublord millionaire should not be trusted, if you want test it for yourself. Create an array of valid NPC's locs, create a for loop with that array and attempt to create a scriptor. You will encounter an ILLEGAL error, which is as Sean designed. You can only hardcode locs for access.

The only thing @OP may have done is create a "bruteforce" in which he tries his guessed loc against get_level, in which case it'll return the security level or false. This has been shown to have a margin of error in the past, as well as taking way longer than the 5 sec execution limit a script has. Combining it with a #db theortectically can create a resume function and this the guesser functioning but goes against what the game is about and is akin to bashing your face full-steam into the keyboard. If I catch anyone doing this, I will not hesistate to make it my goal to ruin your enjoyment of this game. Try us.
dandykong Oct 5, 2016 @ 8:27pm 
Originally posted by DUNK | Demannu:
He does not have code that does this, will not be able to produce working code for this, and frankly is only confusing players further.

I had another post with the code when I was trying to fix a JSON parsing error but had to take it down due to angry players. I also tried turning to Reddit but it got heavily downvoted with no comments. Judging from the response I'd say it's doing or close to doing exactly what I was talking about.

Originally posted by DUNK | Demannu:
The only thing @OP may have done is create a "bruteforce" in which he tries his guessed loc against get_level, in which case it'll return the security level or false. This has been shown to have a margin of error in the past, as well as taking way longer than the 5 sec execution limit a script has.

I figured that out, it tests generated loc names against get_access_level now, the same way Inf checks locdump submissions.

Overall your response, as well as the huge backlash to any published code, pretty much tells me everything I need to know about this concept. It's a credible rage-inducing threat to the game.

P.S. Since you were so adamant it would never work I made it fully public and announced it in channel 0000. No more testing restrictions. If making it is as pointless as you say then there should be no problem with what I just did.
Last edited by dandykong; Oct 5, 2016 @ 9:08pm
jester Oct 9, 2016 @ 3:00pm 
Originally posted by DUNK | Demannu:
*sigh* Here we have a classic example of someone who speaks before they test. No matter what you do, it is no possible to form a loc scriptor via a script. It is disabled by default, as a security design within the game engine itself. It is 100% impossible without utilizing an external tool to copy and paste each attempt for you.

@OP is a literal bundle of sticks. He does not have code that does this, will not be able to produce working code for this, and frankly is only confusing players further. Scrublord millionaire should not be trusted, if you want test it for yourself. Create an array of valid NPC's locs, create a for loop with that array and attempt to create a scriptor. You will encounter an ILLEGAL error, which is as Sean designed. You can only hardcode locs for access.

The only thing @OP may have done is create a "bruteforce" in which he tries his guessed loc against get_level, in which case it'll return the security level or false. This has been shown to have a margin of error in the past, as well as taking way longer than the 5 sec execution limit a script has. Combining it with a #db theortectically can create a resume function and this the guesser functioning but goes against what the game is about and is akin to bashing your face full-steam into the keyboard. If I catch anyone doing this, I will not hesistate to make it my goal to ruin your enjoyment of this game. Try us.

+1
dandykong Oct 9, 2016 @ 3:15pm 
Originally posted by jester:
Originally posted by DUNK | Demannu:
*sigh* Here we have a classic example of someone who speaks before they test. No matter what you do, it is no possible to form a loc scriptor via a script. It is disabled by default, as a security design within the game engine itself. It is 100% impossible without utilizing an external tool to copy and paste each attempt for you.

@OP is a literal bundle of sticks. He does not have code that does this, will not be able to produce working code for this, and frankly is only confusing players further. Scrublord millionaire should not be trusted, if you want test it for yourself. Create an array of valid NPC's locs, create a for loop with that array and attempt to create a scriptor. You will encounter an ILLEGAL error, which is as Sean designed. You can only hardcode locs for access.

The only thing @OP may have done is create a "bruteforce" in which he tries his guessed loc against get_level, in which case it'll return the security level or false. This has been shown to have a margin of error in the past, as well as taking way longer than the 5 sec execution limit a script has. Combining it with a #db theortectically can create a resume function and this the guesser functioning but goes against what the game is about and is akin to bashing your face full-steam into the keyboard. If I catch anyone doing this, I will not hesistate to make it my goal to ruin your enjoyment of this game. Try us.

+1

Yeah I know, this guy is salty. I do in fact have working code (combined with a #db function as this guy mentioned) but it has to be run by a ton of players at once and targeting the same person. Once I find his in-game name and get his loc, whether with a bruteforce raid or checking breached NPCs, I'm making the highlights of that post into an in-game public copypasta script followed by his loc.
Fronkfurter Oct 9, 2016 @ 5:07pm 
It's possible to bruteforce, if you've got... Say, 50 years? Give or take, with a bit of luck.
< >
Showing 1-11 of 11 comments
Per page: 1530 50

Date Posted: Oct 4, 2016 @ 9:53am
Posts: 11