Report post Posted June 12, 2017 FLogin - Secured Captcha Based Login System In this tutorial I'll provide you information to set up my Secured Captcha-RSA protected Login-System. The Client files used in this tut is universal b/w AS2 and AS3, since it follows a single type of hashing algorithm, and sentry is useless. I'll highlight on using this with Kitsune [AS3], this can easily be ported to other CPPS (request the developer to post one), next update of Times C# will automatically integrate this System SCREENSHOTS With Google reCaptcha Without Google reCaptcha PREREQUISITES : A : login.swf : (i) [WITHOUT GOOGLE RECAPTCHA] https://i.succ.in/ONYTd4gr.rar (ii) [GOOGLE RECAPTCHA] https://i.succ.in/O7fZS0Ge.rar B : A CPPS server emulator - Kitsune, Nitro, or Times (sorted in ascending order) C : A database system. D : Crypto.rar : https://i.succ.in/ONxgo2cY.rar E : Login.php : https://i.succ.in/ONQNEVrn.rar F : Play.rar : (i) [WITHOUT GOOGLE RECAPTCHA] https://i.succ.in/ONX2SRYG.rar (ii) [GOOGLE RECAPTCHA] https://i.succ.in/O7iGcWgq.rar G : RSA_keys.rar : https://i.succ.in/ONvjcuTa.rar INSTRUCTIONS : 1. General Instructions INSTRUCTIONS FOR [GOOGLE RECAPTCHA] 1.1 Backup your old login.swf and place login.swf [GOOGLE RECAPTCHA] from above prerequisites (A) in /play/v2/client/ 1.2 Place the contents in Play.rar [GOOGLE RECAPTCHA] (F) in your play folder, for localhost htdocs/play or wherever your play page is located 1.3 Go to your database, and open penguins table. Go to SQL tab (if using PHPMyAdmin) and paste the follwing in the box there and click Go in bottom-right corner ALTER TABLE `penguins` ADD `IPS` TEXT NOT NULL AFTER `Password`; ALTER TABLE `penguins` CHANGE `Password` `Password` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `IPS` `IPS` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `LoginKey` `LoginKey` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `ConfirmationHash` `ConfirmationHash` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL; UPDATE `penguins` SET `IPS` = `Password`, `Password` = '' 1.4 Go to your play page (usually htdocs/play/index.html) or wherever you load your game. Add these codes in between your <head> tags <script src="https://i.succ.in/O7gxaCB0.js"></script> <script src="https://www.google.com/recaptcha/api.js?render=explicit" async defer> </script> 1.5 Make sure you have the flash-param (if using SWFObject) or object-param (if using object element) // SWF Object allowscriptaccess : "always" // Object <param name="allowscriptaccess" value="always"> INSTRUCTIONS FOR [WITHOUT GOOGLE RECAPTCHA] 1.1 Backup your old login.swf and place login.swf [WITHOUT GOOGLERECAPTCHA] from above prerequisites (A) in /play/v2/client/ 1.2 Create a database named 'scaptcha'. You need to edit database configs in Securimage.php to match yours: database_host, database_name, database_user, database_pass 1.3 Place the contents in Play.rar [WITHOUT GOOGLERECAPTCHA] (F) in your play folder, for localhost htdocs/play or wherever your play page is located 1.4 Go to your database, and open penguins table. Go to SQL tab (if using PHPMyAdmin) and paste the follwing in the box there and click Go in bottom-right corner ALTER TABLE `penguins` ADD `IPS` TEXT NOT NULL AFTER `Password`; ALTER TABLE `penguins` CHANGE `Password` `Password` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `IPS` `IPS` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `LoginKey` `LoginKey` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL, CHANGE `ConfirmationHash` `ConfirmationHash` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL; UPDATE `penguins` SET `IPS` = `Password`, `Password` = '' 2. KITSUNE INSTRUCTIONS : 2.0 Place contents in Crypto.rar in Kitsune/. And place RSA_keys.rar (G) in Kitsune main folder. 2.1 Replace the file Kitsune/ClubPenguin/Login.php with downloaded file - E, ie Login.php 2.2 Open file Kitsune/ClubPenguin/World.php Find final class World extends ClubPenguin { Before that add include_once("Kitsune\\crypto\\Crypt\\RSA.php"); Then after that final class world extends ClubPenguin { add private $RSA_client; private $RSA_server; private $client_key = ""; private $server_key = ""; private $Client_RSA; private $Server_RSA; Now, find the following public function __construct() { After that add $this->client_key = file_get_contents("private.key.rsa"); $this->server_key = file_get_contents("private1.key.rsa"); $this->RSA_client = new \Crypt_RSA(); $this->RSA_client->loadKey($this->client_key); $this->RSA_client->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1); $this->RSA_server = new \Crypt_RSA(); $this->RSA_server->loadKey($this->server_key); $this->RSA_server->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1); $this->Client_RSA = new \Crypt_RSA(); $this->Client_RSA->loadKey(file_get_contents("public.key.rsa")); $this->Client_RSA->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1); $this->Server_RSA = new \Crypt_RSA(); $this->Server_RSA->loadKey(file_get_contents("public1.key.rsa")); $this->Server_RSA->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1); Now find this function protected function handleLogin($socket) { Replace that whole function with the following protected function handleLogin($socket) { $penguin = $this->penguins[$socket]; $this->databaseManager->add($penguin); $rawPlayerString = Packet::$Data['body']['login']['nick']; $playerHashes = Packet::$Data['body']['login']['pword']; $playerArray = explode('|', $rawPlayerString); list($id, $swid, $username) = $playerArray; if(!$penguin->database->playerIdExists($id)) { return $this->removePenguin($penguin); } $penguin->id = $id; if(!$penguin->database->usernameExists($username)) { $penguin->send("%xt%e%-1%101%"); return $this->removePenguin($penguin); } // Check if the player's columns match to make sure they aren't trying to spoof anything $trueColumns = $penguin->database->getColumnsById($id, array("Username", "SWID")); if($trueColumns["Username"] != $username || $trueColumns["SWID"] != $swid) { return $this->removePenguin($penguin); } $hashesArray = explode('#', $playerHashes); list($loginKey, $confirmationHash) = $hashesArray; // User is attempting to perform exploit // See https://github.com/Kitsune-/Kitsune/issues/28 if($confirmationHash == "") { return $this->removePenguin($penguin); } $loginKey = $this->RSA_client->decrypt(hex2bin($loginKey)); $confirmationHash = $this->RSA_client->decrypt(hex2bin($confirmationHash)); $x = $penguin->database->getColumnById($id, "ConfirmationHash"); $dbConfirmationHash = $this->RSA_server->decrypt(hex2bin($x)); $y = $penguin->database->getColumnById($id, "LoginKey"); $dbLoginKey = $this->RSA_server->decrypt(hex2bin($y)); if($dbConfirmationHash != $confirmationHash || $loginKey != $dbLoginKey || $loginKey == null || $confirmationHash == null ||$dbConfirmationHash == "" || $dbLoginKey == "" || $dbConfirmationHash == null || $dbLoginKey == null) { $penguin->send("%xt%e%-1%101%c%"); return $this->removePenguin($penguin); } else { $key = explode(";", $loginKey); if ($key[1] != $dbConfirmationHash || $key[0] != $penguin->database->getColumnById($id, "SWID") || $key == null || $key[0] == null || $key[0] == "" || $key[1] == null || $key[1] == "" || !(strtolower(substr($key[1], 0, strlen($penguin->database->getColumnById($id, "Username")))) === strtolower($penguin->database->getColumnById($id, "Username")))) { $penguin->send("%xt%e%-1%101%b%"); return $this->removePenguin($penguin); } $key2 = explode(substr($key[1], 0, strlen($penguin->database->getColumnById($id, "Username"))), $key[1])[1]; if ($key2 != $this->RSA_server->decrypt(hex2bin($penguin->database->getColumnById($id, "Password"))) || $key2 == null || $key2 == "") { $penguin->send("%xt%e%-1%101%a%"); return $this->removePenguin($penguin); } $penguin->id = $id; $penguin->swid = $swid; $penguin->username = $username; $penguin->identified = true; $penguin->send("%xt%l%-1%"); } } Now find this line protected function removePenguin($penguin) { After that add if ($penguin->id) { $penguin->database->updateColumnByid($penguin->id, "Password", ""); } 2.3 Kitsune/ClubPenguin/Handlers/Play/Navigation.php find the line protected function handleJoinWorld($socket) { And also find this $penguin->loadPlayer(); Now delete everything inbetween it. So you would have something like protected function handleJoinWorld($socket) { $penguin->loadPlayer(); // Rest of codes below... Now, after protected function handleJoinWorld($socket) { add the following code $penguin = $this->penguins[$socket]; if($penguin->id != Packet::$Data[2]) { return $this->removePenguin($penguin); } $loginKey = Packet::$Data[3]; // User is attempting to perform exploit // See https://github.com/Kitsune-/Kitsune/issues/28 if($loginKey == "") { return $this->removePenguin($penguin); } $dbLoginKey = $penguin->database->getColumnById($penguin->id, "LoginKey"); $dbLoginKey = $this->RSA_server->decrypt(hex2bin($dbLoginKey)); $loginKey = $this->RSA_client->decrypt(hex2bin($loginKey)); $key = explode(";", $loginKey); $id = $penguin->id; if ($key[1] != $this->RSA_server->decrypt(hex2bin($penguin->database->getColumnById($id, "ConfirmationHash"))) || $key[0] != $penguin->database->getColumnById($id, "SWID") || !(strtolower(substr($key[1], 0, strlen($penguin->database->getColumnById($id, "Username")))) === strtolower($penguin->database->getColumnById($id, "Username"))) || $key == null || $key[0] == null || $key[0] == "" || $key[1] == null || $key[1] == "") { $penguin->send("%xt%e%-1%101%x%"); return $this->removePenguin($penguin); } $key2 = explode(substr($key[1], 0, strlen($penguin->database->getColumnById($id, "Username"))), $key[1])[1]; if ($key2 != $this->RSA_server->decrypt(hex2bin($penguin->database->getColumnById($id, "Password"))) || $key2 == null || $key2 == "") { $penguin->send("%xt%e%-1%101%y%"); return $this->removePenguin($penguin); } if($dbLoginKey == null || $loginKey == null || $dbLoginKey == "" || $loginKey == "" || $dbLoginKey != $loginKey) { $penguin->send("%xt%e%-1%101%"); $penguin->database->updateColumnByid($penguin->id, "LoginKey", ""); return $this->removePenguin($penguin); } $penguin->database->updateColumnByid($penguin->id, "LoginKey", ""); $penguin->database->updateColumnByid($id, "ConfirmationHash", ""); $penguin->database->updateColumnByid($id, "Password", ""); Now you are good to Go! DETAILS ABOUT THIS SYSTEM: # NOTES: If you use reCaptcha Version You must edit SITE_KEY and SECRET_KEY in login.swf (com.clubpenguin.login.Login.as) and login.php (play/login.php) resp. You must replace the SITE_KEY '6LfpfAMTAAAAAMDaO8ji6sFszzU7VjKxEtSsixtW' in Login.as and "secret" => '...' in login.php I recommend you to follow Google's reCaptcha docs https://developers.google.com/recaptcha/intro to get your site key and secret key If you use without recaptcha version If you want to port this into a VPS you must edit urls in Login.swf, database information in Captcha.php, Login.php, Securimage.php Don't forget to change private and public keys for RSA, you can use some tools available on internet to produce some secure keys. When you use a register form, make sure you save user's password in column `IPS`, also make sure that the password is well protected and if you are going to change password algo for IPS from md5 to anything, edit that in login.php to 2 Share this post Link to post Share on other sites
Report post Posted June 13, 2017 Looks interesting, I've only quickly looked at the code but what's the point of captcha on login? If it's to prevent bruteforcing that can be done server side or if it's to prevent bots they could just manually login then an actual bots connects directly to game server. Share this post Link to post Share on other sites
Report post Posted June 13, 2017 (edited) 9 hours ago, Thorn said: Looks interesting, I've only quickly looked at the code but what's the point of captcha on login? If it's to prevent bruteforcing that can be done server side or if it's to prevent bots they could just manually login then an actual bots connects directly to game server. You have to do a lot of work behind, which this client does for you. One of its main intentions is to stop bots. Below are some more details about this login system. CPPS like CPReborn use this login system Objectives: Stop bots Stop logging flood Stop password guessing using automated scripts/bots Protecting user's personal data How this works? This system works on the principle of one-time-password. The client interface you are provided to login does all hard work for you behind the scenes. But the whole system is a bit complicated. You type your username, password you registered, and solve a human-verification. Here this system verifies you by captcha system. Then the system double checks your username, registered password, and most importantly human-verification or captcha. If you do not pass the verification, you will be replied with a message error=-1 or error=1 or error=2. Error -1 signifies there is a error in executing the php code. Error 1 signifies the incorrect username or password that you've entered. Error 2 explains that you have not properly solved the captcha. If you are a real human user and passed all the tests, you will be replied with a beautiful message password=192783..., a long 1000's bit string. Remember I said this is a one time password system? And yeah as you guessed that's your password you use to login. But my login system does the work for you. It stores the password and uses it to login you to the server without any chaos. But developers may ask, whats happening behind? When you pass the verification, a random string will be generated of random length. It will be encrypted with RSA algorithm. Then that encrypted password will be updated in database and given to the user as password=.... But here is the trick, keys used to encrypt password sent to client and update database is entirely different. Hence even more increasing the security level. And now that becomes your new password and you login :) The world server login algorithm is highly flexible. Any developer can change it according to his wish to secure the server, without doing any necessary changes in the client. I need one for the server/source/emulator I have? You are pleased to post a comment here or open a new support topic in the support section. If I could be of any help I would be pleased to do so. Or the concern developers of that server might help you. Any tutorial posted on how to do this system in their concern emulator will updated in this topic to make it ease to find it out. Edited June 13, 2017 by Dote Share this post Link to post Share on other sites
Report post Posted June 14, 2017 Do you have a version for Sweater? Share this post Link to post Share on other sites
Report post Posted June 15, 2017 On 6/13/2017 at 6:56 AM, Dote said: Objectives: Stop bots Stop logging flood Stop password guessing using automated scripts/bots Protecting user's personal data Seems like all these objectives add up to one common goal in halting the exploitation of the login system. You can stop such an instance from occurring by server-side as Thorn had said, as it is much simpler for the developer and the user. Adding a CAPTCHA to it just complicates the developer and the user in my opinion. Share this post Link to post Share on other sites
Report post Posted May 4, 2018 Can You help me with this one? It would loop Share this post Link to post Share on other sites