Please take the time to read this entire thing because you may learn something, i read the entire thing so you should too
:
"I have been meaning to get back on this topic. My time has been rather restrictive, but I really wanted to get back to this, as I know that a lot of people are concerned about this issue and the safety of their SRO account.
Rumors have been going around that you can get hacked by accepting a trade or a random party invite. Things that have added fuel to the fire, are new players comming on to the server begging for gold, and being pushy about it, and several bot programs that auto-invite nearby players to a party.
This seemed very unlikely to me, for several reasons. One is that Joymax uses a seperate server for authenticating users, than the ones you actually go to after authentication. The process is fairly simple, you login to the authenticating server, your username and password is sent encrypted to the authenticating server. You are authenticated and are assigned a session key of sorts that does not contain any of your account login details. This is a fairly secure system. Now keep in mind, that IF they did not do things in this manner, their really would not be any reasonable need for a seperate authenticating server.
Now lets take a closer look at how the SRO program interacts with the MMORPG server. Messages are being sent back and forth between client (the SRO program running on your computer) and the server (in our case, the Aege server). Map messages are never sent, other than coordinates, because, as we learned a few weeks back, people could explore Takla Makan after dc'ing froim the Aege server. That tells us that the client has the entire world map on it, it does not need to recieve messages from the server about the outlay of the map. Other information, however, like monster locations, player locations and interactions, has to be sent from and to the server.
No I have to ask myself, what sense would it make to send my login account info as a message to the server, and then back to another person's client for a trade? Why would the other person's client be at all concerned about my credentials? I had to have been already authenticated to send the message to begin with.
So, I have to admit, I was a big skeptic about the tradeand party hacks, so I decided to investigate. I did a little digging, and went to some of the popular botting sites to figure out if this was really possible.
Now before I continue, you need to know that hackers are arrogant. They are like burglars who can get away with boasting about their last gig. But, like burglars, hackers depend alot on your (the victim's) ignorance. This is important, because if they can keep you ignorant, they retain some control over you. That's why hackers never share how they hacked with their victims.
Something that I took note of about SilkGaurdian's description of what happened, was that XyloLaser applied for a trade with him, but he then cancelled, and the hacker made the comment "... your firewall is not too good..." I know that it is impossible for the hacker to have reached his firewall. First off, I cannot access another person's computer while ingame, because only the server retains the ip addresses of the clients that it communicates with. That information is not passed on anywhere else. It would take effort (granted, a senseless one) for Joymax to do that. And to really tell if someone has a weak firewall, they would have to do what is called a port-scan. Port-scan's take a while, as they probe port openings in ranges from 1 to 10000. Now, a quicker scan could be shot off, if they stuck with just scanning a few well known ports. But, looking back at the SRO client, what do we remember about the client in regards to your account and password? It doesn't store it. If your username and your password information is not stored on your computer, then what's the point in hacking your computer?
Ok, so let's give these arrogant pinheads the benefit of the doubt, and take a closer look at how they might obtain this information through a trade or party.
I read a post from one hacker that said the hack was real and could be done using tsearch. Tsearch is a free program for cheaters. There is no installation program for it, so it doesn't appear to put anything into your registry (although I didn't check after I ran the program). The program essentially cheats the game's interface to allow the cheater to enter in whatever information they want. It has a search interface for reading data in memory, and finding memory segments so you can alter the data.
Now GameGuard does a pretty good job keeping the user from using it. It keeps the game data hidden. Circumvent GameGuard, you can then read what the SRO client is puting into memory with tsearch. There is a free patch you can download that circumvents GameGuard that the botters use. So, armed with all the hacker tools, I went forth to see if I could hack myself (using 2 seperate accounts that I never actually use to play). What is interesting, is that although tsearch seems to do a pretty good job deciphering binary trees for other programs, it did not seem up to the task for the SRO client. This is probably because there is very little server information that gets sent to the SRO client to begin with. I did multiple searches, I began searching for the actual username and password, since I already knew them, that made the most sense. The search turned up nothing. I tried this with both a party invite and a trade. Could not find it anywhere.
I sincerely believe that the trade/party hack is a hoax. A hoax to create uncertainty and fear. Keep you the victims supressed and vulnerable, when really you should be looking elsewhere for the hacks.
Back to the analogy of hackers and burglers. A hacker is no different than the burgler. The burglar will watch the home they wish to rob carefully, sometimes several days. Learn the patterns of the owners, and wait for an opportune time to do their deed.
When I sat there and read the posts of various seasoned hackers, they themselves talk too much. All I heard was how secure SRO is, and "next to impossible to hack". Joymax was just careful not to leave any obvious loopholes open. Trade/party hacks included. Its not hard to secure a site well."
Notice how it's in quotes, its not mine i read it somewhere else.
ya party and trade hacking may be a hoax but im still not risking it. i heard that if u invite the party u cant get hacked. a good peice of advice... DONT DO A PARTY OR AN EXCHANG WITH SOMONE U DONT KNOW.
the client obv is there to communicate with the server silo dur 
