Silkroad Forums
Mage Pker
Post subject: Trade And Party Hacks: An investigative report
Posted: Wed Apr 04, 2007 6:03 pm
Please take the time to read this entire thing because you may learn something, i read the entire thing so you should too:
"I have been meaning to get back on this topic. My time has been rather restrictive, but I really wanted to get back to this, as I know that a lot of people are concerned about this issue and the safety of their SRO account.
Rumors have been going around that you can get hacked by accepting a trade or a random party invite. Things that have added fuel to the fire, are new players coming on to the server begging for gold, and being pushy about it, and several bot programs that auto-invite nearby players to a party.
This seemed very unlikely to me, for several reasons. One is that Joymax uses a separate server for authenticating users, than the ones you actually go to after authentication. The process is fairly simple, you login to the authenticating server, your username and password are sent encrypted to the authenticating server. You are authenticated and are assigned a session key of sorts that does not contain any of your account login details. This is a fairly secure system. Now keep in mind, that IF they did not do things in this manner, there really would not be any reasonable need for a separate authenticating server.
Now let's take a closer look at how the SRO program interacts with the MMORPG server. Messages are being sent back and forth between client (the SRO program running on your computer) and the server (in our case, the Aege server). Map messages are never sent, other than coordinates, because, as we learned a few weeks back, people could explore Takla Makan after dc'ing from the Aege server. That tells us that the client has the entire world map on it, it does not need to receive messages from the server about the outlay of the map. Other information, however, like monster locations, player locations and interactions, has to be sent from and to the server.
Now I have to ask myself, what sense would it make to send my login account info as a message to the server, and then back to another person's client for a trade? Why would the other person's client be at all concerned about my credentials? I had to have been already authenticated to send the message to begin with.
So, I have to admit, I was a big skeptic about the trade and party hacks, so I decided to investigate. I did a little digging, and went to some of the popular botting sites to figure out if this was really possible.
Now before I continue, you need to know that hackers are arrogant. They are like burglars who can get away with boasting about their last gig. But, like burglars, hackers depend a lot on your (the victim's) ignorance. This is important, because if they can keep you ignorant, they retain some control over you. That's why hackers never share how they hacked with their victims.
Something that I took note of about SilkGaurdian's description of what happened, was that XyloLaser applied for a trade with him, but he then cancelled, and the hacker made the comment "... your firewall is not too good..." I know that it is impossible for the hacker to have reached his firewall. First off, I cannot access another person's computer while ingame, because only the server retains the ip addresses of the clients that it communicates with. That information is not passed on anywhere else. It would take effort (granted, a senseless one) for Joymax to do that. And to really tell if someone has a weak firewall, they would have to do what is called a port-scan. Port-scans take a while, as they probe port openings in ranges from 1 to 10000. Now, a quicker scan could be shot off, if they stuck with just scanning a few well known ports. But, looking back at the SRO client, what do we remember about the client in regards to your account and password? It doesn't store it. If your username and your password information is not stored on your computer, then what's the point in hacking your computer?
Ok, so let's give these arrogant pinheads the benefit of the doubt, and take a closer look at how they might obtain this information through a trade or party.
I read a post from one hacker that said the hack was real and could be done using tsearch. Tsearch is a free program for cheaters. There is no installation program for it, so it doesn't appear to put anything into your registry (although I didn't check after I ran the program). The program essentially cheats the game's interface to allow the cheater to enter in whatever information they want. It has a search interface for reading data in memory, and finding memory segments so you can alter the data.
Now GameGuard does a pretty good job keeping the user from using it. It keeps the game data hidden. Circumvent GameGuard, you can then read what the SRO client is putting into memory with tsearch. There is a free patch you can download that circumvents GameGuard that the botters use. So, armed with all the hacker tools, I went forth to see if I could hack myself (using 2 separate accounts that I never actually use to play). What is interesting, is that although tsearch seems to do a pretty good job deciphering binary trees for other programs, it did not seem up to the task for the SRO client. This is probably because there is very little server information that gets sent to the SRO client to begin with. I did multiple searches, I began searching for the actual username and password, since I already knew them, that made the most sense. The search turned up nothing. I tried this with both a party invite and a trade. Could not find it anywhere.
I sincerely believe that the trade/party hack is a hoax. A hoax to create uncertainty and fear. Keep you the victims suppressed and vulnerable, when really you should be looking elsewhere for the hacks.
Back to the analogy of hackers and burglars. A hacker is no different than the burglar. The burglar will watch the home they wish to rob carefully, sometimes several days. Learn the patterns of the owners, and wait for an opportune time to do their deed.
When I sat there and read the posts of various seasoned hackers, they themselves talk too much. All I heard was how secure SRO is, and "next to impossible to hack". Joymax was just careful not to leave any obvious loopholes open. Trade/party hacks included. It's not hard to secure a site well."
Notice how it's in quotes, it's not mine, i read it somewhere else.

juntakashi
Posted: Wed Apr 04, 2007 6:11 pm
cool...thx for sharing tt piece of info to pacify unease...
_________________ Mercury Blader 5X
9 gap farming lvl 60 @ yeti
Guild: Death_Note
Very keen in making another build:
Warlock/Cleric

Zypher
Posted: Wed Apr 04, 2007 6:11 pm
I sincerely believe that the trade/party hack is a hoax
i glimpsed over it
i could have told you that without knowing anything about computers.

Mage Pker
Posted: Wed Apr 04, 2007 6:12 pm
 yea. thats why i read it. a lot of people complain and think that a hacker can get your information through a trade or party but they cant because its all server side.
also you cant use T Search because:
1: gameguard blocks it
2: theres nothing to manipulate. or search for in the client because its all serverside.
@zypher, i only posted this to ease the distress that certain people feel 

PR0METHEUS
Posted: Wed Apr 04, 2007 6:21 pm
This was a good read. The problem is, the discussion seems to revolve around the "victim" player's computer and the hacker trying to break into THAT computer. I can't say if the trade/party hack is real or a hoax, but if it is real, the hack would most certainly be done against Joymax's SQL databases, NOT on the individual user's home computer.
I suppose if the hacker can get the other player's IP address information through the SRO backend database, then he could run other hacks, but they wouldn't have anything to do with SRO.
_________________ Missing the good times in SRO... 
SRO: 1x, STR Blader (Thebes) 54, STR blader (Venice) 0x, INT wizard (Venice) 19, INT spear (Venice) 34, STR rogue/bard (Venus) 0x, STR blader (Venus) 8x, INT bard/cleric (Gaia)

Mage Pker
Posted: Wed Apr 04, 2007 6:24 pm
PR0METHEUS wrote: This was a good read. The problem is, the discussion seems to revolve around the "victim" player's computer and the hacker trying to break into THAT computer. I can't say if the trade/party hack is real or a hoax, but if it is real, the hack would most certainly be done against Joymax's SQL databases, NOT on the individual user's home computer.
I suppose if the hacker can get the other player's IP address information through the SRO backend database, then he could run other hacks, but they wouldn't have anything to do with SRO.
yes exactly. this is about inside SRO, people getting hacked through SRO trades and party invites. that is impossible. because there is no need for the hacker to be sent any information of the victim. its impossible 

[SD]Master_Wong
Posted: Wed Apr 04, 2007 7:01 pm
ok people iv read this time in and time over since about 3 months ago now
trade hacks are hoaxes same with the party and other related ones that have been said
take rev6 for one they can pick out items your char is wearing and such but they cannot see your user name
i even read a thread with proof it was fake if you give me time il bring it up
but all you're doing is scaring people and if you're this paranoid quit taking drugs and find a better game with less things to be paranoid about
_________________
I am not online much if you wish to get hold of me send me a private message with your email/discord and ill catch up with you.

NuclearSilo
Posted: Wed Apr 04, 2007 7:06 pm
Where is the source?
We dont know if the author of the thread is trustable, or maybe it's one of the hackers who is trying to put our guard down
_________________ Playing Age of Wushu, dota IMBA

Mage Pker
Posted: Wed Apr 04, 2007 7:11 pm
Master_wong wrote: ok people iv read this time in and time over since about 3 months ago now
trade hacks are hoaxes same with the party and other related ones that have been said
take rev6 for one they can pick out items your char is wearing and such but they cannot see your user name
i even read a thread with proof it was fake if you give me time il bring it up
but all you're doing is scaring people and if you're this paranoid quit taking drugs and find a better game with less things to be paranoid about
did u mean im scarin people? if you are then you obviously didnt read the thread because this disproves that there is any way to hack through trades
and nuclear he is a admin on another SRO website like this one who discourages and is against bot users.

PsYch008
Posted: Wed Apr 04, 2007 7:18 pm

Mage Pker
Posted: Wed Apr 04, 2007 7:20 pm
PsYch008 wrote: i thought everyone already knew that it was a hoax, but good research anyway.
look on the official forums. like 17293128309123 people complaining about getting hacked this way 

Raymond14
Posted: Wed Apr 04, 2007 7:26 pm
The other way they said it was done, I think, had to do with (can't remember exactly word for word) displaying usernames when you trade or you're in party. I only say displaying for lack of a better word.. i just mean your username being used for what you said doesn't happen (authentication etc). It was also said your drops also held your username.
Individuals supposedly would use these usernames and bruteforce your pass. Supposedly that would be stupid because of the amount of time a bruteforce attack would take for a good password. However ... not everyone has good passwords.. Either way I believe bruteforce is a stupid time wasting way to steal an account. Any good hacker wouldn't waste his/her time.
I will say this, as it stands right now, it is not possible to "hack" in silkroadonline. All that remains is scamming and most, if not all the people who will say "I got hacked" were scammed or gave out their account information.
There is also the incidence of keyloggers though.. that is another story.
But yeah trade and party hack.. most likely did not exist and even if it did, does not anymore.

IguanaRampage
Posted: Wed Apr 04, 2007 8:23 pm
Interesting... I had a feeling it was a hoax, but then my friend was hacked yesterday the day after his nephew made an exchange.
I guess that was a co-incidence then....
_________________ McCain, he (Barack Obama) said, will soon "be accusing me of being a secret communist because I shared my toys in kindergarten."

calearney
Post subject: Re: Trade And Party Hacks: An investigative report
Posted: Wed Apr 04, 2007 10:07 pm
ya party and trade hacking may be a hoax but im still not risking it. i heard that if u invite the party u cant get hacked. a good piece of advice... DONT DO A PARTY OR AN EXCHANGE WITH SOMEONE U DONT KNOW.
_________________ <<banned from SRF for disrespect of the mod team - SG>>

Raymond14
Posted: Wed Apr 04, 2007 11:24 pm
Did you even pay attention to what was said in this thread.. if you could get hacked with those things you would think by now it would be fixed gawd its stupid to think that big a flaw would be allowed to exist.. no matter how incompetent people think joymax is.

JaJa
Posted: Wed Apr 04, 2007 11:33 pm
Not to mention there is no reason at all for the server to send your LOGIN info to another client for a party/trade, especially since the info being used is going to be keyed on your IGN. The only reason to deny random trade invites is because they are f'ing annoying. Has nothing to do with being hacked.
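
The design argued in the opening post and in JaJa's reply above (credentials checked once by a separate login server, trade and party messages keyed on the IGN), modelled as an added example that is not part of the thread and not Joymax's code. All class names, message fields and account values are hypothetical and constructed; `leak_account=True` models the rumoured flaw so the same search the report's author ran by hand has something to find.

```python
import hashlib
import hmac
import json
import secrets


class AuthServer:
    """Verifies credentials once, then hands out an opaque random token."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, password hash)
        self.sessions = {}   # token -> username; only servers ever read this

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        salt, stored = self._accounts.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_hex(16)  # random, not derived from the login
        self.sessions[token] = username
        return token


class GameServer:
    """Relays in-game events; other clients should only ever see the IGN."""

    def __init__(self, sessions, leak_account=False):
        self._sessions = sessions
        self._leak_account = leak_account  # True models the rumoured flaw
        self._ign = {}      # username -> in-game name (IGN)
        self.outbox = {}    # IGN -> wire messages delivered to that client

    def add_character(self, username, ign):
        self._ign[username] = ign
        self.outbox[ign] = []

    def invite(self, token, kind, target_ign):
        username = self._sessions.get(token)
        if username is None:
            raise PermissionError("unknown session token")
        if target_ign not in self.outbox:
            raise LookupError("no such character online")
        message = {"type": kind, "from": self._ign[username]}
        if self._leak_account:
            message["account"] = username
        wire = json.dumps(message).encode()
        self.outbox[target_ign].append(wire)
        return wire


def find_leaks(wire_messages, known_values):
    """Return every known login value that appears in the received bytes."""
    return sorted({v for v in known_values
                   for w in wire_messages if v.encode() in w})


def run_check(leak_account):
    # Two constructed throwaway accounts, as in the report's self-test.
    auth = AuthServer()
    auth.register("acct_alice", "correct horse 42")
    auth.register("acct_bob", "hunter2-bob")
    game = GameServer(auth.sessions, leak_account=leak_account)
    game.add_character("acct_alice", "Blader_A")
    game.add_character("acct_bob", "Spear_B")
    alice = auth.login("acct_alice", "correct horse 42")
    game.invite(alice, "TRADE_REQUEST", "Spear_B")
    game.invite(alice, "PARTY_INVITE", "Spear_B")
    # Bob searches everything his client received for Alice's login values.
    return find_leaks(game.outbox["Spear_B"],
                      ["acct_alice", "correct horse 42", alice])


if __name__ == "__main__":
    print("session-token design:", run_check(leak_account=False))
    print("flawed design       :", run_check(leak_account=True))
```

An empty result only covers the messages searched; it says nothing about keyloggers or phishing on the victim's own machine.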

Mage Pker
Posted: Wed Apr 04, 2007 11:36 pm
most people who get "hacked" actually got scammed and cant tell the difference >_>

SOULESS
Posted: Wed Apr 04, 2007 11:37 pm
inconclusive
_________________
Sishio wrote: Just because im in PoKeMoN doesn't mean I bot. For gods sake, im only 3x After 1 and a half days. Yep, its a thing called school. I get time to go on computers, and i use it on srf. so stfu.
Level 3x in 1.5days + School + SRF = bad lie.
You bot, We caught you, you got owned.

Mage Pker
Posted: Wed Apr 04, 2007 11:38 pm
SOULESS wrote: inconclusive
its very conclusive. u just didnt bother reading it.

JaJa
Posted: Wed Apr 04, 2007 11:47 pm
Mage Pker wrote: most people who get "hacked" actually got scammed and cant tell the difference >_>
Exactly. Not to mention that a lot of "hackers" spread stupid crap like this to make them seem all powerful and to put fear in others. Fearful people panic and give out the very info "hackers" need to obtain the account. Also, just because someone can tell you your coordinates in the game does NOT mean they have your account info or are breaking into your machine. They are simply reading off what the little packet-sniffing program is telling them, because the server sends coordinates to his client in order to render you. 90% of all "hacks" are socially engineered. Kevin Mitnick is one of the most famous "hackers" and nearly all of his work was based on conning people into giving out their info. People just have a highly skewed idea of how hacks are done, and are afraid of them.

Raymond14
Posted: Wed Apr 04, 2007 11:50 pm
I think he was trying to sound cool "inconclusive" .... try harder^^

Frozen
Posted: Thu Apr 05, 2007 12:31 am
I can almost guarantee 90% of the "hacking" is people downloading
a keylogger because they didn't have common sense...
_________________ <<banned from SRF for bot support. -SG>>

NuclearSilo
Posted: Thu Apr 05, 2007 12:55 am
_________________ Playing Age of Wushu, dota IMBA

MastaChiefX
Posted: Thu Apr 05, 2007 1:41 am
Can I get a short version please?
_________________
 ^Thanks 0l3n! Gone. Never really gone, but never really here. "If Pac-Man had affected us as kids, we’d all be running around in dark rooms, munching pills and listening to repetitive electronic music"

Mage Pker
Posted: Thu Apr 05, 2007 1:58 am
MastaChiefX wrote: Can I get a short version please?
ok,
trade hacks = fake, hoax

SOULESS
Posted: Thu Apr 05, 2007 2:00 am
Mage Pker wrote: SOULESS wrote: inconclusive its very conclusive. u just didnt bother reading it.
i read it, he only tried it with tsearch and from what i understand tsearch is a n00bie haqqing program that edits memory.. therefore there is not enough evidence to determine that you can not get haqqed by trading/partying, and who is the author of this article? tbh, ive never heard of him
MastaChiefX wrote: Can I get a short version please?
this article sucks
_________________
Sishio wrote: Just because im in PoKeMoN doesn't mean I bot. For gods sake, im only 3x After 1 and a half days. Yep, its a thing called school. I get time to go on computers, and i use it on srf. so stfu.
Level 3x in 1.5days + School + SRF = bad lie.
You bot, We caught you, you got owned.

Mage Pker
Posted: Thu Apr 05, 2007 2:02 am
SOULESS wrote: Mage Pker wrote: SOULESS wrote: inconclusive its very conclusive. u just didnt bother reading it. i read it, he only tried it with tsearch and from what i understand tsearch is a n00bie haqqing program that edits memory.. therefore there is not enough evidence to determine that you can not get haqqed by trading/partying, and who is the author of this article? tbh, ive never heard of him
i tried it with other proggys. yes me myself. it doesnt work because again. its server side.
tsearch doesnt just edit memory btw. and for any hacking to be done it has to be client side. and again. its server side.
no user name and password is being sent from client to server that wouldnt make sense.
the only time is when u first log in but its encrypted. after that nothing goes from client to server. no information from ur computer or anything along those lines.

Raymond14
Posted: Thu Apr 05, 2007 2:03 am
You may have read it but common sense dictates its stupid for such a vulnerability to exist. Even if it did it would obviously be fixed by now. Let's use some logic here plz.

Mage Pker
Posted: Thu Apr 05, 2007 2:06 am
Raymond14 wrote: You may have read it but common sense dictates its stupid for such a vulnerability to exist. Even if it did it would obviously be fixed by now. Let's use some logic here plz.
+1