Heroes of Gaia
Castle Fantasy MMO Multiplayer Strategy

Auto-Post
Last Updated: 09/19/2012 02:29

-migrated-
Last Updated: 07/18/2010 03:29

Every Hero Needs a Sidekick (5): Hire a second hero
From Newb to Knight (15): Obtain the "knight" title and leave protected status by accumulating 2200 fame
Vacation Home (30): Conquer a second castle
Army of One... Million (30): Amass an army with 1 million force

Game Description
Play with tens of thousands of other players as you build your Castle, amass an army, and forge alliances. Equip your heroes and head out into the wilderness to slay powerful monsters and lead your Heroes into epic adventures. Welcome to the Open Beta for Heroes of Gaia! If you have questions please read the game guide. Auto-login with your Kongregate ID! Each server is unique, feel free to play on both servers.
Re: Heroes of Gaia Posted on: 03/20/2010 2:51am
Badges are up
Re: Heroes of Gaia Posted on: 03/20/2010 3:35am
Ahh, you gotta love KBH, all 4 badges gotten without any effort
Re: Heroes of Gaia Posted on: 03/20/2010 3:39am
Quote from: "ChaoMing"
Ahh, you gotta love KBH, all 4 badges gotten without any effort

Yup. I tried finding a useful swf but got nowhere....so I just went to KBH =P
Re: Heroes of Gaia Posted on: 03/20/2010 6:42am
TIM the Enchanter
Wow, a new challenge.

BTW, If I could give more than 1 negative karma to a person per day, I sooooo would...




Everything's coming up KongHack!

"When you know nothing matters, the universe is yours" ~Rick Sanchez

Re: Heroes of Gaia Posted on: 03/20/2010 10:02am
Got the badges legit. I couldn't find anything when the game first came out (that didn't get me banned) so I'm not going to be looking now (although an AoB to submit the correct stats for the badges should be possible)
Re: Heroes of Gaia Posted on: 03/20/2010 12:30pm
Quote from: "Hitomi"
Is this game a clone of Civony/Evony or made by same developers?

It's a really cheap ripoff from Heroes of Might and Magic mixed with elements from Evony.
I just hate when people just steal ideas from other games to make a little bit of money just because they are too lazy to make a proper MMO.
Re: Heroes of Gaia Posted on: 03/20/2010 4:15pm
Quote from: "Smokey6701"
Quote from: "Hitomi"
Is this game a clone of Civony/Evony or made by same developers?

It's a really cheap ripoff from Heroes of Might and Magic mixed with elements from Evony.
I just hate when people just steal ideas from other games to make a little bit of money just because they are too lazy to make a proper MMO.
Not really a ripoff if there are 20 games like this on Kong and 100 games everywhere else.

Evony = Civony, with more pornographic advertisements (unneeded too, they do it to grab little kiddies' attention)

As a hacking method: How about Firebug? That submits fake stats like KBH.
Re: Heroes of Gaia Posted on: 03/22/2010 1:53am
Quote from: "ChaoMing"
How about Firebug? That submits fake stats like KBH.
Firebug edits HTML and CSS; as the client side is (from what I've seen) entirely Flash, Firebug is pretty much useless. Our best chance to get something done here is with WPE. Or SQL injection if you find the risk worthwhile, which should go without saying that it's not.

Also it seems that this is my first post on this forum, could've sworn I had posted something earlier but meh.
Re: Heroes of Gaia Posted on: 03/22/2010 1:56am
Quote from: "Sablis"
Quote from: "ChaoMing"
How about Firebug? That submits fake stats like KBH.
Firebug edits HTML and CSS; as the client side is (from what I've seen) entirely Flash, Firebug is pretty much useless. Our best chance to get something done here is with WPE. Or SQL injection if you find the risk worthwhile, which should go without saying that it's not.
If I had to choose: Risk the Cops by Successfully Hacking a Server-Sided game using Brute Force (I think it's Brute Force :?:) or Simple KBH/Firebug, I'd choose KBH or not at all.
Re: Heroes of Gaia Posted on: 03/22/2010 11:15am
So basically this is a KBH job or get a mate to help you out? wow... how shit that is.



Check before you post, someone may have beaten you there.

Don't fear my banhammer, fear the God holding it...

Re: Heroes of Gaia Posted on: 03/22/2010 11:20am
Quote from: "Maximillian"
So basically this is a KBH job or get a mate to help you out? wow... how shit that is.
Hey, server-sided stuff sometimes makes all of us butthurt. Maybe even praetor :?.
Re: Heroes of Gaia Posted on: 03/22/2010 11:21am
My problem is my IE does not work AT ALL so running KBH has been a nono for a while, I'll have to run it up on a different PC




Re: Heroes of Gaia Posted on: 03/22/2010 2:55pm
Quote from: "Maximillian"
My problem is my IE does not work AT ALL so running KBH has been a nono for a while, I'll have to run it up on a different PC

My IE works but "works" like an ADHD kid would. Unless I stare at the thing while it loads up with no other windows running, it won't work.
Click anything else while it's loading? Na, decided to freeze. Useless cunt.

KBH works fine though, strangely.
Re: Heroes of Gaia Posted on: 03/22/2010 9:52pm
does any1 still have a copy of wpe or another pocket editor? that might be our best bet.
oh god how i loved those WoWEmu days.
Oh and wpe won't get u banned. It does not work as brute force. It simply sends false response. But it is a hell lot of work to get a good code table up. If presuming they don't have a server check.
Re: Heroes of Gaia Posted on: 03/22/2010 10:33pm
TIM the Enchanter
Quote from: "uzsibox"
does any1 still have a copy of wpe or another pocket editor? that might be our best bet.
oh god how i loved those WoWEmu days.
Oh and wpe won't get u banned. It does not work as brute force. It simply sends false response. But it is a hell lot of work to get a good code table up. If presuming they don't have a server check.

Use Paros Proxy if you are looking for a PACKET editor.

Also, WoWEmu is for emulating World of Warcraft servers... I ran one for two years...



Anyway...

I dare you to try a SQL injection. First off, I don't know of a single SS (Server Side) developer that uses native mysql commands. All of us use a custom DB class that acts more or less like an abstraction layer between your database and your front end. For example...

Standard MySQL Query

$result = mysql_query('SELECT * FROM users WHERE user_id = 2;');

Class driven SQL example

$result = $db->sql_query('SELECT * FROM users WHERE user_id = 2;');

The class might look something like this

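class db
{
    // Every query in the application goes through this one method.
    function sql_query($sql)
    {
        // sanitizer() is not defined in this post; it stands for the class's own cleaning routine.
        $sql = sanitizer($sql);
        return mysql_query($sql);
    }
}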


That is extremely basic, but it gives you the fundamentals...

Now, imagine that, in my DB class's sql_query function, I put a script that encodes the entire SQL string sent to it and stores it in a separate table, along with a timestamp and the origin IP address...

Every SQL command sent through my game, regardless if it's something as simple as a basic select statement, is recorded in a massive table with a timestamp and the origin IP address. A script periodically runs through the records, looking for special words, such as UNION, or the string --, or even SELECT twice in the same line. All of these throw red flags. At the end of the script, it dumps those into a separate table that has an identical structure as the main recording table, then the script runs a 'TRUNCATE TABLE db_audit_trail' that empties the entire table out.

Then, an administrator comes along and examines the SQL strings for hack attempts. Attempts are recorded, stuff is logged, phone calls are made, emails are sent, etc...


The best of these SQL injection scripts are tucked away and cost huge bucks. They scan every query before it is passed to the database for nearly every sql injection technique known to man. If it detects anything, it will instantly IP ban you at the server level (using a(n) .htaccess file) and will log you, what command was sent, when it was sent, the OS/Browser you are using, your IP address, a tracert from the server back to your IP address, as well as the current WhoIs data for your address. I have even seen them send out automated emails to the ISP's tech support email that is included in the whois.


OK, enough ranting about SS security.
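
The periodic audit-trail sweep described in the post above, as an added example that is not the poster's code or any game's server code. It is written in Python with an in-memory SQLite database so it runs anywhere; the table name db_audit_flagged, the column names and the sample rows are assumptions, and DELETE stands in for TRUNCATE TABLE, which SQLite lacks.

```python
import re
import sqlite3

# The three red flags named in the post.
RULES = {
    "union": re.compile(r"\bUNION\b", re.I),
    "comment": re.compile(r"--"),
    "double_select": re.compile(r"\bSELECT\b.*\bSELECT\b", re.I | re.S),
}

# Constructed sample traffic (documentation-range IPs, invented queries).
SAMPLE = [
    ("2010-03-22 22:30:01", "192.0.2.10", "SELECT * FROM users WHERE user_id = 2;"),
    ("2010-03-22 22:30:05", "198.51.100.7",
     "SELECT name FROM users WHERE user_id = 2 UNION SELECT name FROM admins;"),
    ("2010-03-22 22:30:09", "198.51.100.7",
     "SELECT * FROM users WHERE user_id = 2 -- AND active = 1;"),
    ("2010-03-22 22:30:12", "192.0.2.44",
     "SELECT name FROM heroes WHERE id IN (SELECT hero_id FROM armies);"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    for table in ("db_audit_trail", "db_audit_flagged"):  # second name is assumed
        db.execute(f"CREATE TABLE {table} (ts TEXT, ip TEXT, sql_text TEXT)")
    return db

def record(db, ts, ip, sql_text):
    """What the DB wrapper would call for every query before running it."""
    db.execute("INSERT INTO db_audit_trail VALUES (?, ?, ?)", (ts, ip, sql_text))

def matched_rules(sql_text):
    return [name for name, rx in RULES.items() if rx.search(sql_text)]

def sweep(db):
    """Copy suspicious rows to db_audit_flagged, then empty the trail."""
    flagged = []
    with db:  # one transaction: the trail is only cleared if the copy succeeded
        rows = db.execute("SELECT ts, ip, sql_text FROM db_audit_trail").fetchall()
        for ts, ip, sql_text in rows:
            hits = matched_rules(sql_text)
            if hits:
                db.execute("INSERT INTO db_audit_flagged VALUES (?, ?, ?)", (ts, ip, sql_text))
                flagged.append((ip, hits))
        db.execute("DELETE FROM db_audit_trail")  # SQLite has no TRUNCATE TABLE
    return flagged

def run_demo():
    db = make_db()
    for row in SAMPLE:
        record(db, *row)
    return sweep(db), db.execute("SELECT COUNT(*) FROM db_audit_trail").fetchone()[0]
```

The ordinary subquery from 192.0.2.44 trips the double-SELECT rule even though it is legitimate, which is why the flagged table goes to a human reviewer rather than straight to a ban.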



