Quote:
While I'm not a cryptanalyst, I suggest you search the net for "chosen plaintext attack".
|
You do not attack the cryptography in a suitaion like this. The client has to be able to read the .2h files it has to be able to checksum ( hash ) them. Thus the key and the salt for the checksum ( hash ) are in the executable this is where you look.
The developers can do a little to make it hard to find the keys, but in the end a determined attacker will find them.
Quote:
That being the case, there's no defense short of server checking, and there's a lot of checking to do. The type and quantity of every asset a player apparently holds (gems, items, units etc) in the incoming 2h file has to be reconciled against the ftherlnd file, and that's not easy.
|
Not really. The server should do all of the checking that the UI does. And this more than likely is the problem. IW has code which does validation in the UI for some operations ( let's say alchemy ) and they do not validate on the server.