Implement account system #68

Closed
MlgmXyysd opened this issue Apr 21, 2022 · 27 comments
Labels
enhancement New feature or request todo Something to complete

Comments

@MlgmXyysd
Member

MlgmXyysd commented Apr 21, 2022

In the current Dispatch server implementation, no password is required to log in to the game, which is undoubtedly very insecure.

@Asnxthaony found that passwords were encrypted in transit using RSA; decryption was nearly impossible.

For this, I came up with the following solution for reference:

  1. Patch the game to 1) replace the RSA key, 2) disable password encryption
    • Hard, needs to be disassembled
    • Unsafe, may be banned if you do not use proxy after patch
  2. Simulate the in-game login method (but is_crypto: false) in an outside launcher (such as GlassClipper X), and fill in the combo token into the game's registry
    • PC (Windows) only, mobile client cannot use this method to login
    • The registry is encrypted
  3. Login outside the game, generate a temporary token (like JWT), and use this token as a username to log in in the game (keep password blank)
    • How long is the temporary period?
    • How to revoke token if it is accidentally leaked?
    • length limit (?)
  4. Login inside game: Only user name is required for login. After entering the game, use the chat box to enter the password, like AuthMe (a CraftBukkit plugin)
    • Calling up the chat box isn't as easy as Minecraft (just press /), users need at least 4 steps to bring up the chat box with player Server.
    • It may not be so easy to implement (?)
  5. Enter the user name and password in the same input box, using the specified separator as a boundary
    • The separator may be confused with the password/username entered by the player
    • When logging in, the password will be displayed in plaintext on the game
    • length limit (?)
  6. Implement the third-party login
    • Impossible, mobile client login by password only

Any other better?

@TheLostTree
Contributor

just validate the encrypted password like almost any other account system does

@4Benj
Member

4Benj commented Apr 21, 2022

just validate the encrypted password like almost any other account system does

We need the private key to decrypt the password and then check it against the password in the db

@TheLostTree
Contributor

on first login, the password can be anything, -> save the rsa encrypted password sent by client and save it as the account password -> profit

@MlgmXyysd
Member Author

on first login, the password can be anything, -> save the rsa encrypted password sent by client and save it as the account password -> profit

RSA encryption contains things like salt, the encryption results are different after entering the same password

@MlgmXyysd
Member Author

[15:13:30] [INFO] {"account":"MlgmXyysd","password":"esrL7MEvqJ6RsWRQm0OdzGSdD1EQyuFDjMDDcVJYHoyl28m4oH0KJpKw7+PkNb2mCyBtPxwfpl3U1SDnHHRLv2oG8hM9OTAq+QsouTe56tiMgLilcb94GJY6IilycWvu2xRZn/TLqhoacSOw8H/ZwbY6Gd/Lei/bqENVIAsMtog=","is_crypto":true}
[15:13:34] [INFO] {"account":"MlgmXyysd","password":"B2RMEx/mJ/zYWWOe6BOYuwqcq51QVkG73DGDFzyzGJdjLzZaJTk00dLE2jHRNOwfS5501IUeQmQmzjS/zicnRiFB8Ktng7k2ets7EN939g7xfq5U/0LMybVfJuLGZjQ1OGvVtLBMc6juBjRlz+gqw8R5odmtjC/dAenHj6fShJ4=","is_crypto":true}
[15:13:38] [INFO] {"account":"MlgmXyysd","password":"nd4LoTtci82CqKmswtQfyNBb7kVWS953/wANfKmZju8IgP/kBjeUxY9EwujKnex+AmXF43FrA5l+LAw1llTlwifNmzVEoU2yNa8Y3F4Oa9mhD7rDfuFtmWvhHHn+EJBQM0DtHmm7WK68oAfsZkb+GE62263RapheE04iuMaUY6Q=","is_crypto":true}

Three consecutive login requests, the password I entered is 1
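
The two points raised so far (the server needs the private key to check a password, and the same password encrypts to a different value each time), as an added example that is not part of the thread or the project's code. It assumes PKCS#1 v1.5 padding, which the thread does not confirm, and uses a constructed toy key; all function names are hypothetical.

```python
import base64, hashlib, hmac, os

# Constructed toy key from two Mersenne primes so the demo runs offline. NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the server-side secret
K = (N.bit_length() + 7) // 8       # modulus length in bytes

def client_encrypt(password):
    """Assumed client behaviour: RSA with randomized PKCS#1 v1.5 padding."""
    msg = password.encode()
    need = K - 3 - len(msg)
    if need < 8:
        raise ValueError("password too long for this modulus")
    pad = b""
    while len(pad) < need:          # filler bytes must be random and non-zero
        pad += bytes(b for b in os.urandom(need) if b)
    em = b"\x00\x02" + pad[:need] + b"\x00" + msg
    c = pow(int.from_bytes(em, "big"), E, N)
    return base64.b64encode(c.to_bytes(K, "big")).decode()

def server_decrypt(blob):
    """Only possible with D; raises ValueError on malformed input."""
    c = int.from_bytes(base64.b64decode(blob), "big")
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return em[sep + 1:].decode()

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(blob, salt, stored):
    """Decrypt, then compare against the salted hash kept in the database."""
    try:
        candidate = server_decrypt(blob)
    except ValueError:              # one generic failure for every bad input
        return False
    return hmac.compare_digest(hash_password(candidate, salt)[1], stored)

if __name__ == "__main__":
    salt, stored = hash_password("1")
    a, b = client_encrypt("1"), client_encrypt("1")
    print(a != b, verify_login(a, salt, stored), verify_login(b, salt, stored))
```

Storing the first ciphertext and comparing later ones byte for byte would reject every subsequent login, because the random filler changes on each request.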

@WetABQ
Member

WetABQ commented Apr 21, 2022

on first login, the password can be anything, -> save the rsa encrypted password sent by client and save it as the account password -> profit

RSA encryption contains things like salt, the encryption results are different after entering the same password

Yes, it is GCM mechanism, like aes256-gcm

@MlgmXyysd
Member Author

MlgmXyysd commented Apr 21, 2022

Some useful props

registry:
HKEY_CURRENT_USER\SOFTWARE\miHoYo\原神\ (CNREL)
GENERAL_DATA_h* MIHOYOSDK_ADL_PROD_*_h*

username length limit: 50

@66hh

66hh commented Apr 21, 2022

I think we can start with a third-party login

@66hh

66hh commented Apr 21, 2022

I think we can start from login

For example, BiliGame third party login

@MlgmXyysd
Member Author

For example, BiliGame third party login

No such option on mobile client

@66hh

66hh commented Apr 21, 2022

For example, BiliGame third-party login

The mobile client does not have this option

Bilibili Channel service

@66hh

66hh commented Apr 21, 2022

I think we can start from login

For example, BiliGame third-party login

Biligame provides a set of tools to test whether the protocol works properly. Maybe we can use this tool

@MlgmXyysd
Member Author

Bilibili Channel service

No use, login will be redirected to Hoyoverse

@66hh

66hh commented Apr 21, 2022

It seems possible to log in using biligame by modifying the configuration

@MlgmXyysd
Member Author

It seems possible to log in using biligame by modifying the configuration

impossible, only Hoyoverse username & password login option on CNRELiOS

@66hh

66hh commented Apr 21, 2022

It seems possible to log in with biligame by modifying the configuration

Impossible, there is only the Hoyoverse username and password login option on CNRELiOS

I just studied biligame. It seems that it is only applicable to Android and windows

@MlgmXyysd
Member Author

I just studied biligame. It seems that it is only applicable to Android and windows

Why don't you give it a try? No bilibiligame after passing the proxy

@66hh

66hh commented Apr 21, 2022

I just studied biligame. It seems to apply only to Android and Windows

Why don't you give it a try? There is no bilibiligame after going through the proxy

We may hijack Twitter's web login and replace Twitter's login page and authentication JS with our own page, which should be feasible

@MlgmXyysd
Member Author

We may hijack Twitter's web login and replace Twitter's login page and authentication JS with our own page, which should be feasible

There is no third party login option

@66hh

66hh commented Apr 21, 2022

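We might hijack Twitter's web login and replace Twitter's login page and authentication JS with our own page, which should be feasible

There is no third-party login option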

We need to verify when we log in. It seems that this will make the game pop up captcha. Can we replace captcha's web page with a password input box

@66hh

66hh commented Apr 21, 2022

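We might hijack Twitter's web login and replace Twitter's login page and authentication JS with our own page, which should be feasible

There is no third-party login option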

I just went to confirm that captcha is indeed a web page. Maybe we can use this to change the original captcha check to password check

@lunaticwhat
Member

I think implementing in-game login is a nice and possible idea.

@alt3ri
Member

alt3ri commented Apr 21, 2022

can we connect both web register and in-game login to the same db? Just wondering cuz I've seen a game used that method

@MlgmXyysd
Member Author

can we connect both web register and in-game login to the same db? Just wondering cuz I've seen a game used that method

I think that's already the case. BTW, my minecraft also uses this method.

KingRainbow44 added the enhancement (New feature or request) label Apr 21, 2022
MlgmXyysd changed the title from "Implement Account system" to "Implement account system" Apr 21, 2022
@leeska

leeska commented Apr 24, 2022

account username with random hash as password?
Account is password

@exzork
Member

exzork commented Apr 24, 2022

How about this one? Add a login/register endpoint to grasscutter, use a launcher or web or anything to get a JWT; the payload of the JWT is token, username, and uid. Use that token to log in (username column). Other platforms are supported if we use web to generate that JWT.

#158
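
One way to handle the questions raised about temporary tokens earlier in the thread (lifetime, revocation, length limit), as an added example that is not the project's code or the implementation in #158. The `LoginTokens` class, the 120-second lifetime and the uid value are hypothetical; the 50-character limit is the username limit reported above.

```python
import hashlib, secrets, time

USERNAME_MAX = 50   # username field limit reported in the thread

class LoginTokens:
    """Server-side store of short-lived, single-use login tokens (hypothetical)."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self._by_digest = {}        # sha256(token) -> (uid, expires_at)

    @staticmethod
    def _digest(token):
        # Only a digest is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, uid):
        """Called by the web or launcher login after the password was verified."""
        token = secrets.token_urlsafe(24)   # 32 characters, 192 bits of entropy
        if len(token) > USERNAME_MAX:
            raise ValueError("token does not fit the username field")
        self._by_digest[self._digest(token)] = (uid, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the uid once; None if unknown, expired, revoked or reused."""
        entry = self._by_digest.pop(self._digest(token), None)
        if entry is None or self.clock() >= entry[1]:
            return None
        return entry[0]

    def revoke_all(self, uid):
        """Drop every outstanding token of an account, e.g. after a leak."""
        stale = [d for d, (u, _) in self._by_digest.items() if u == uid]
        for d in stale:
            del self._by_digest[d]
        return len(stale)

if __name__ == "__main__":
    store = LoginTokens()
    t = store.issue(uid=10001)              # constructed uid
    print(len(t), store.redeem(t), store.redeem(t))
```

Because the token is opaque and looked up server-side, revocation is a dictionary delete and the lifetime can be kept to the seconds between leaving the launcher and pressing login in the game.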

lunaticwhat added the todo (Something to complete) label May 8, 2022
@memetrollsXD
Member

Already fixed by multiple solutions
