catid Posted February 24, 2004

Hello. Qndre was talking with me today, and he mentioned that the VIE EXE checksum generator looked like it could be done without the actual EXE file. So, I wrote this PoC. Can someone check it for me?

    #include <stdint.h>

    typedef uint32_t Uint32;   /* 32-bit unsigned; arithmetic wraps modulo 2^32 */

    Uint32 generateEXEChecksum(Uint32 key)
    {
        Uint32 part, csum = 0;

        part = 0xc98ed41f;
        part += 0x3e1bc | key;
        part ^= 0x42435942 ^ key;
        part += 0x1d895300 | key;
        part ^= 0x6b5c4032 ^ key;
        part += 0x467e44 | key;
        part ^= 0x516c7eda ^ key;
        part += 0x8b0c708b | key;
        part ^= 0x6b3e3429 ^ key;
        part += 0x560674c9 | key;
        part ^= 0xf4e6b721 ^ key;
        part += 0xe90cc483 | key;
        part ^= 0x80ece15a ^ key;
        part += 0x728bce33 | key;
        part ^= 0x1fc5d1e6 ^ key;
        part += 0x8b0c518b | key;
        part ^= 0x24f1a96e ^ key;
        part += 0x30ae0c1 | key;
        part ^= 0x8858741b ^ key;
        csum += part;

        part = 0x9c15857d;
        part += 0x424448b | key;
        part ^= 0xcd0455ee ^ key;
        part += 0x727 | key;
        part ^= 0x8d7f29cd ^ key;
        csum += part;

        part = 0x824b9278;
        part += 0x6590 | key;
        part ^= 0x8e16169a ^ key;
        part += 0x8b524914 | key;
        part ^= 0x82dce03a ^ key;
        part += 0xfa83d733 | key;
        part ^= 0xb0955349 ^ key;
        part += 0xe8000003 | key;
        part ^= 0x7cfe3604 ^ key;
        csum += part;

        part = 0xe3f8d2af;
        part += 0x2de85024 | key;
        part ^= 0xbed0296b ^ key;
        part += 0x587501f8 | key;
        part ^= 0xada70f65 ^ key;
        csum += part;

        part = 0xcb54d8a0;
        part += 0xf000001 | key;
        part ^= 0x330f19ff ^ key;
        part += 0x909090c3 | key;
        part ^= 0xd20f9f9f ^ key;
        part += 0x53004add | key;
        part ^= 0x5d81256b ^ key;
        part += 0x8b004b65 | key;
        part ^= 0xa5312749 ^ key;
        part += 0xb8004b67 | key;
        part ^= 0x8adf8fb1 ^ key;
        part += 0x8901e283 | key;
        part ^= 0x8ec94507 ^ key;
        part += 0x89d23300 | key;
        part ^= 0x1ff8e1dc ^ key;
        part += 0x108a004a | key;
        part ^= 0xc73d6304 ^ key;
        part += 0x43d2d3 | key;
        part ^= 0x6f78e4ff ^ key;
        csum += part;

        part = 0x45c23f9;
        part += 0x47d86097 | key;
        part ^= 0x7cb588bd ^ key;
        part += 0x9286 | key;
        part ^= 0x21d700f8 ^ key;
        part += 0xdf8e0fd9 | key;
        part ^= 0x42796c9e ^ key;
        part += 0x8b000003 | key;
        part ^= 0x3ad32a21 ^ key;
        csum += part;

        part = 0xb229a3d0;
        part += 0x47d708 | key;
        part ^= 0x10b0a91 ^ key;
        csum += part;

        part = 0x466e55a7;
        part += 0xc7880d8b | key;
        part ^= 0x44ce7067 ^ key;
        part += 0xe4 | key;
        part ^= 0x923a6d44 ^ key;
        part += 0x640047d6 | key;
        part ^= 0xa62d606c ^ key;
        part += 0x2bd1f7ae | key;
        part ^= 0x2f5621fb ^ key;
        part += 0x8b0f74ff | key;
        part ^= 0x2928b332;
        csum += part;

        part = 0x62cf369a;
        csum += part;

        return csum;
    }

Qndre Posted February 24, 2004

Thanks for telling my name but it's still your algo, catid. I only had the idea.

»nintendo64 Posted February 24, 2004

Qndre... wtf... you didn't have the idea... Mr Ekted told you it could be done without the EXE File. Quoted from MGB's forum.

> It's not a fixed value. The checksum is calculated from a key the server sends which is combined using feedback with the data being checksummed. So you always need the raw data available. My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.

MGB Forum

-nintendo64

mister manners Posted February 24, 2004

yes i am noob here, but what is the point of #1 checksum #2 a checksum generator? what would they be used for?

»nintendo64 Posted February 24, 2004

> yes i am noob here, but what is the point of #1 checksum #2 a checksum generator? what would they be used for?

The Security Checksum of SubSpace, that's what he's talking about. The security checksum is just another measure to make sure the SubSpace Client connected to a zone is a valid one. IMO I believe it is just another step in the security in case someone broke the encryption, so they will have a hard time staying online. In general checksums are used to check the validity of a file.

-nintendo64

Qndre Posted February 24, 2004

> Qndre... wtf... you didn't have the idea... Mr Ekted told you it could be done without the EXE File. Quoted from MGB's forum.
>
> > It's not a fixed value. The checksum is calculated from a key the server sends which is combined using feedback with the data being checksummed. So you always need the raw data available. My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.
>
> MGB Forum -nintendo64

Mr Ekted wrote: It's not a fixed value. The checksum is calculated from a key the server sends which is combined using feedback with the data being checksummed. So you always need the raw data available. My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.

You have an EXE-checksum, a MAP-checksum, etc. and the EXE-checksum is a fixed value as far as I know. It's combined with the server key. So what? I can also combine a fixed number with the server key so that it changes when the server key changes.

So you see... Mr. Ekted said this would work without the EXE but not with constants. I said it would also work with constants ...

»nintendo64 Posted February 24, 2004

> > Qndre... wtf... you didn't have the idea... Mr Ekted told you it could be done without the EXE File. Quoted from MGB's forum.
> >
> > > It's not a fixed value. The checksum is calculated from a key the server sends which is combined using feedback with the data being checksummed. So you always need the raw data available. My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.
> >
> > MGB Forum -nintendo64
>
> Mr Ekted wrote: It's not a fixed value. The checksum is calculated from a key the server sends which is combined using feedback with the data being checksummed. So you always need the raw data available. My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.
>
> You have an EXE-checksum, a MAP-checksum, etc. and the EXE-checksum is a fixed value as far as I know. It's combined with the server key. So what? I can also combine a fixed number with the server key so that it changes when the server key changes.
>
> So you see... Mr. Ekted said this wouldn't work. I said it would work.

Qndre... when did Mr Ekted say it would not work... Read what he wrote.. you asked if the EXE-checksum was always the same... it can't be the same because the server sends a key which is used to generate the checksum with some parts of the EXE file. In fact, you said

> Qndre> I've got a question: Why does every application generate the checksum out of "subspace.exe" instead of just including the instant checksum which is ready to be sent out together with other checksums which have to be generated (like the one of the map, settings, etc.)?

That is wrong, because you need the server seed to calculate the EXE-Checksum, so he was right, you were wrong.

Note: IMO you have a comprehension problem. Let me put it easy for you to understand. You said the EXE-Checksum is a fixed value. See it here

> ...instead of just including the instant checksum which is ready to be sent out together with other checksums which have to be generated ...

He said it wasn't. Now you are saying the EXE-Checksum is not a fixed value? because the server seed is used to generate it.

-nintendo64

Qndre Posted February 24, 2004

> Qndre... when did Mr Ekted say it would not work... Read what he wrote.. you asked if the EXE-checksum was always the same... it can't be the same because the server sends a key which is used to generate the checksum with some parts of the EXE file. In fact, you said
>
> > Qndre> I've got a question: Why does every application generate the checksum out of "subspace.exe" instead of just including the instant checksum which is ready to be sent out together with other checksums which have to be generated (like the one of the map, settings, etc.)?
>
> That is wrong, because you need the server seed to calculate the EXE-Checksum, so he was right, you were wrong.

I said it could be a constant combined with the key and you didn't need to load the EXE file. I didn't say the checksum was always the same but that a constant (which is always the same) could be combined with a key (which is not always the same) so the result isn't always the same but the checksum is before it's combined with the key (not after). That's what I wanted to say. I'm sorry if you couldn't get it out of my reply but that's the way it is.

»nintendo64 Posted February 24, 2004

Read above Qndre... you indeed have a comprehension problem, I don't know if it is the way you type or read in English...

-nintendo64

Qndre Posted February 24, 2004

I first said it would be a constant because I didn't know that it uses a salt-key. After I knew that I suggested CatID that he could combine a constant (the instant checksum) with the key like that:

    0xABCDEF xor key

(if key is the key and 0xABCDEF is the checksum of the EXE)

And this was my idea. So but it isn't that simple - it's a bit more complicated. But I suggested it this way:

    0xABCDEF xor key

So this way is wrong but I made the suggestion of a constant instead of bytes of the EXE file and not Ekted. He only wrote that you could generate a checksum without including "subspace.exe".

> Mr Ekted told you it could be done without the EXE File.

That's right but I had the idea with a constant.

Qndre Posted February 24, 2004

> My bots embed the parts of the EXE that it needs as data, so it doesn't have to open subspace.exe as an external file.

Yes. He wrote he would include parts of the exe file. But I said you wouldn't even need to do this because you can take the checksum as a constant and combine it with the key later. Including parts of the exe was Mr. Ekted's idea. Just take a constant and combine it with the key later was mine. Here's the difference:

> So you always need the raw data available.

And I said "No - you don't even need this".

mister manners Posted February 24, 2004

oh ok, but that is only ss checksum :/ would that apply to continuum too? I thought priit might have changed it, and the checksum is required for bots right?

numpf Posted February 24, 2004

> (code)

Have you tested this? I did what ek says he does long ago, and the portions of the EXE I extracted came to about 220KB if I remember correctly. Maybe I remember wrong, but your code seems too short to work. I suppose you did some simplification?

catid Posted February 24, 2004 Author

Yeah, I've tested a few values of the form N + (N << 13), where N goes from 0 to ffff. Can't test em all. I figured someone else had already done this so they could just compare constants for me...

Yeah, the simplification comes from the fact that the first conditional in the core of the checksum algorithm only evaluates true 0x24 times. So, other times it's just an XOR between a lot of constants. For those 0x24 times, there's another constant, which is 4 bytes of data from SUBSPACE.BIN.

If you're interested in the code that generated this, I can give you a copy.

Smong Posted February 24, 2004

> the checksum is required for bots right?

Ideally, yes. But since most bots have sysop it doesn't matter as that level of power lets you bypass security checks.

ExplodyThingy Posted February 29, 2004

Has anyone actually done what he asked yet and checked the function?

pyxlz Posted February 29, 2004

> Has anyone actually done what he asked yet and checked the function?

I tried over 100,000 keys, and it seems to work fine.

ExplodyThingy Posted February 29, 2004

Then it's good enough for me. If every now and then it b0rks, it's still all good.

Qndre Posted March 8, 2004

I re-wrote this code to BASIC (not C). Only useful for people who use it in their BASIC programs:

    part = 0
    csum = 0

    part = &hc98ed41f
    part = part + &h3e1bc or key
    part = part xor &h42435942 xor key
    part = part + &h1d895300 or key
    part = part xor &h6b5c4032 xor key
    part = part + &h467e44 or key
    part = part xor &h516c7eda xor key
    part = part + &h8b0c708b or key
    part = part xor &h6b3e3429 xor key
    part = part + &h560674c9 or key
    part = part xor &hf4e6b721 xor key
    part = part + &he90cc483 or key
    part = part xor &h80ece15a xor key
    part = part + &h728bce33 or key
    part = part xor &h1fc5d1e6 xor key
    part = part + &h8b0c518b or key
    part = part xor &h24f1a96e xor key
    part = part + &h30ae0c1 or key
    part = part xor &h8858741b xor key
    csum = csum + part

    part = &h9c15857d
    part = part + &h424448b or key
    part = part xor &hcd0455ee xor key
    part = part + &h727 or key
    part = part xor &h8d7f29cd xor key
    csum = csum + part

    part = &h824b9278
    part = part + &h6590 or key
    part = part xor &h8e16169a xor key
    part = part + &h8b524914 or key
    part = part xor &h82dce03a xor key
    part = part + &hfa83d733 or key
    part = part xor &hb0955349 xor key
    part = part + &he8000003 or key
    part = part xor &h7cfe3604 xor key
    csum = csum + part

    part = &he3f8d2af
    part = part + &h2de85024 or key
    part = part xor &hbed0296b xor key
    part = part + &h587501f8 or key
    part = part xor &hada70f65 xor key
    csum = csum + part

    part = &hcb54d8a0
    part = part + &hf000001 or key
    part = part xor &h330f19ff xor key
    part = part + &h909090c3 or key
    part = part xor &hd20f9f9f xor key
    part = part + &h53004add or key
    part = part xor &h5d81256b xor key
    part = part + &h8b004b65 or key
    part = part xor &ha5312749 xor key
    part = part + &hb8004b67 or key
    part = part xor &h8adf8fb1 xor key
    part = part + &h8901e283 or key
    part = part xor &h8ec94507 xor key
    part = part + &h89d23300 or key
    part = part xor &h1ff8e1dc xor key
    part = part + &h108a004a or key
    part = part xor &hc73d6304 xor key
    part = part + &h43d2d3 or key
    part = part xor &h6f78e4ff xor key
    csum = csum + part

    part = &h45c23f9
    part = part + &h47d86097 or key
    part = part xor &h7cb588bd xor key
    part = part + &h9286 or key
    part = part xor &h21d700f8 xor key
    part = part + &hdf8e0fd9 or key
    part = part xor &h42796c9e xor key
    part = part + &h8b000003 or key
    part = part xor &h3ad32a21 xor key
    csum = csum + part

    part = &hb229a3d0
    part = part + &h47d708 or key
    part = part xor &h10b0a91 xor key
    csum = csum + part

    part = &h466e55a7
    part = part + &hc7880d8b or key
    part = part xor &h44ce7067 xor key
    part = part + &he4 or key
    part = part xor &h923a6d44 xor key
    part = part + &h640047d6 or key
    part = part xor &ha62d606c xor key
    part = part + &h2bd1f7ae or key
    part = part xor &h2f5621fb xor key
    part = part + &h8b0f74ff or key
    part = part xor &h2928b332
    csum = csum + part

    part = &h62cf369a
    csum = csum + part

Please check if that is right.

PS: THIS IS STILL CATID'S CODE - I ONLY RE-WROTE IT FOR BASIC!!!

Qndre Posted March 8, 2004

I tried it out but it didn't work. I declared "part" and "csum" as long (key as integer) but I got an overflow. What should I do? And if I set a debug-point then I got a negative value in part.

Qndre Posted March 8, 2004

My "translation" of the algorithm is NOT right because this cannot be directly translated from C to BASIC (Catid told me this). So forget about the basic version. It can't because

    a += b xor c

does not mean

    a = (a + b) xor c

but

    a = a + (b xor c)

That's because BASIC has other mathematical order than C has.

Mr Ekted Posted March 8, 2004

No, they have the same operator precedence with respect to addition and exclusive or. You just translated it incorrectly.
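
The translation problem from the last few posts, as an added example that is not part of the thread or any poster's code: in C, `part += c | key` evaluates the whole right-hand side first, while `part = part + c or key` groups as `(part + c) or key`, and the C function also depends on 32-bit unsigned wraparound, which a signed long does not give. The function names are hypothetical; the three constants are the first ones from the posted function, and the key pattern is the one catid mentions testing.

```c
#include <stdint.h>
#include <stdio.h>

/* First constants of the posted function: start value, add, xor. */
#define PART0 0xc98ed41fu
#define ADD_C 0x0003e1bcu
#define XOR_C 0x42435942u

/* C source: "part += c | key" is part = part + (c | key), mod 2^32. */
static uint32_t step_c(uint32_t part, uint32_t key)
{
    part += ADD_C | key;
    part ^= XOR_C ^ key;
    return part;
}

/* "part = part + c or key": + binds tighter than or, so the add runs
   first. The xor chain is associative and is unaffected. */
static uint32_t step_mistranslated(uint32_t part, uint32_t key)
{
    part = (part + ADD_C) | key;
    return part ^ XOR_C ^ key;
}

/* Port without unsigned 32-bit types: widen, group explicitly, mask. */
static uint32_t step_masked(int64_t part, int64_t key)
{
    part = (part + (ADD_C | key)) & 0xFFFFFFFFLL;
    return (uint32_t)((part ^ XOR_C ^ key) & 0xFFFFFFFFLL);
}

/* Keys N + (N << 13), N = 0..0xffff, where the two readings disagree. */
static unsigned count_mismatches(void)
{
    unsigned n, bad = 0;
    for (n = 0; n <= 0xffffu; n++) {
        uint32_t key = n + (n << 13);
        bad += step_c(PART0, key) != step_mistranslated(PART0, key);
    }
    return bad;
}

int main(void)
{
    printf("%u of 65536 keys differ\n", count_mismatches());
    printf("masked port, key 1: %08x\n", (unsigned)step_masked(PART0, 1));
    return 0;
}
```

A port to a language with only signed 32-bit integers needs both fixes: parentheses around every `c or key` term and a masked add in a wider type.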