XeNTaX Forum Index
Forum MultiEx Commander Tools Tools Home
It is currently Tue Mar 28, 2017 9:00 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: Getting MD5 hash from actionscript of swf.
PostPosted: Fri Apr 22, 2016 11:27 am 
Offline
advanced

Joined: Fri Nov 21, 2014 12:21 pm
Posts: 70
Has thanked: 17 times
Have thanks: 7 times

Hi, :) . I'm trying to figure out what 'input_md5_1' will be.
Here is sample files. https://drive.google.com/file/d/0B8JGJb-FRy_bNTEyOWZSOXMtVkk/view?usp=sharing
And this is actionscript from sample swf file. To see a actionscript from swf, use this program. https://www.free-decompiler.com/flash/download/

scripts\game\entry\GameEntryDesktopAir.as
Code:
try
         {
            start = getTimer();
            gamesave_bin_txt = this.readChecksumFile("Front-Buffer subsystem M",rp + "gamesave.bin");
            gamesave_bin_txt = gamesave_bin_txt.replace("\n","");
            gamesave_bin_txt = gamesave_bin_txt.replace("\r","");
            swf_md5 = this.verifyChecksum("Front-Buffer subsystem W",rp + "app.game-" + appInfo.sku + ".air.swf",null);
            logInfo("Front-Buffer " + (getTimer() - start));
            worldserpent = "zabbawabba";
            [b]input_1 = swf_md5 + "\r\n" + worldserpent;[/b]
            input_md5_1 = MD5.hash(input_1);
            logInfo("INVOKE entry recursion timestamp [" + swf_md5 + "]");
            if(input_md5_1 != gamesave_bin_txt)
            {
               throw new ArgumentError("Bitswizzle I/O/D error on evaluation of quest parameters");
            }


In my opinion,
Quote:
input_md5_1=app.game-appInfo.sku.air.swf\r\nzabbawabba

However MD5.hash(app.game-appInfo.sku.air.swf\r\nzabbawabba) = 036cd9b37886d3c845d5cd72052b8d2b.
I test it on this site. http://www.miraclesalad.com/webtools/md5.php

As a result, it is different from gamesave_bin_txt(928f95ce47e21045537273f8cc0c34e40D0A)
Can someone solve this problem? Exactly what 'input_md5_1' is?

You can make the ads go away by registering



Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Fri Apr 22, 2016 8:51 pm 
Offline
ultra-veteran
ultra-veteran

Joined: Fri Nov 06, 2009 12:13 am
Posts: 577
Has thanked: 64 times
Have thanks: 123 times
you sure it isn't hashing the file contents, not the name?

edit

yeah, according to this dump - http://pastebin.com/65kLr9pf it's just

Code:
// pseudocode
MD5.hash( MD5.hash( file_contents( app.game-appInfo.sku.air.swf) ) + "\r\nzabbawabba" )

_________________
Useful tool links:


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 2:26 am 
Offline
advanced

Joined: Fri Nov 21, 2014 12:21 pm
Posts: 70
Has thanked: 17 times
Have thanks: 7 times
WRS wrote:
you sure it isn't hashing the file contents, not the name?

edit

yeah, according to this dump - http://pastebin.com/65kLr9pf it's just

Code:
// pseudocode
MD5.hash( MD5.hash( file_contents( app.game-appInfo.sku.air.swf) ) + "\r\nzabbawabba" )


Uhm..
Image

Image

The result is not '928f95ce47e21045537273f8cc0c34e4'.. I'm not sure what do you mean 'file_contents'? Is it md5 hash of swf file? It is 'c3e3378b9e46a859269e1ff1f8ff0e99' But it still different from gamesave_text. And according to actionscripts swf_md5 uses private function veryfyChecksum.

Code:
private function verifyChecksum(param1:String, param2:String, param3:String, param4:Boolean = false) : String
      {
         logDebug(":::: " + param2);
         var _loc5_:* = param3 == "0";
         var _loc6_:File = new File(param2);
         if(!_loc6_.exists)
         {
            if(_loc5_)
            {
               return null;
            }
            if(!param4)
            {
               throw new ArgumentError("Bitswizzle I/O error on " + param1);
            }
            return null;
         }
         if(_loc5_)
         {
            throw new ArgumentError("Bitswizzle I/O error on " + param1);
         }
         var _loc7_:ByteArray = new ByteArray();
         var _loc8_:FileStream = new FileStream();
         _loc8_.open(_loc6_,FileMode.READ);
         _loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
         _loc8_.close();
         _loc8_ = null;
         var _loc9_:String = MD5.hashBytes(_loc7_);
         if(param3)
         {
            if(_loc9_ != param3)
            {
               throw new ArgumentError("Bitswizzle overflow error on " + param1 + " [" + _loc9_ + "]");
            }
         }
         return _loc9_;
      }


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 11:27 am 
Offline
Moderator

Joined: Sun Mar 27, 2011 8:42 pm
Posts: 925
Has thanked: 10 times
Have thanks: 118 times
moved to code talk...

_________________
Quick BMS Editor GUI - simple easy to use
Goto : viewtopic.php?uid=34229&f=29&t=6797&start=0

Downloads from DropBox : https://dl.dropboxusercontent.com/u/


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 2:41 pm 
Offline
advanced

Joined: Fri Nov 21, 2014 12:21 pm
Posts: 70
Has thanked: 17 times
Have thanks: 7 times
michalss wrote:
moved to code talk...


Hmm, sorry for my mistake. Could you specify what is swf_md5?
In the actionscript code, there are md5 hashs for the files which is need to be checked, so verifyChecksum function will compares param 2 and 3 whether the imported file is changed or not. This function will reads bytearray of file and convert it to MD5 hash with MD5.hashbyte. So, it will also compare md5 of swf and param3. But let's look at the code.

Code:
rp = "C:/Program Files (x86)/Steam/SteamApps/common/tbs2/win32/"
swf_md5 = this.verifyChecksum("Front-Buffer subsystem W",rp + "app.game-" + appInfo.sku + ".air.swf",null);


So, it will reads "C:/Program Files (x86)/Steam/SteamApps/common/tbs2/win32/app.game-saga2.air.swf" and get the md5 hash of swf. But.. param3 = null.

Code:
var _loc9_:String = MD5.hashBytes(_loc7_);
         if(param3)
         {
            if(_loc9_ != param3)
            {
               throw new ArgumentError("Bitswizzle overflow error on " + param1 + " [" + _loc9_ + "]");
            }
         }
         return _loc9_;


So, 'swf_md5 = Bitswizzle overflow error on Front-Buffer subsystem W [c137c4232879032d888bc0edbb94dd09]'..?
But it still doesn't match the one(gamesave.bin).


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 3:10 pm 
Offline
ultra-veteran
ultra-veteran

Joined: Fri Nov 06, 2009 12:13 am
Posts: 577
Has thanked: 64 times
Have thanks: 123 times
its very simple.

when i said file_contents i meant get the whole file as a binary stream and hash that as binary data - which is what your function does:

Code:
         var _loc7_:ByteArray = new ByteArray();
         var _loc8_:FileStream = new FileStream();
         _loc8_.open(_loc6_,FileMode.READ);
         _loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
         _loc8_.close();
         _loc8_ = null;
         var _loc9_:String = MD5.hashBytes(_loc7_);


the function MD5.hashBytes seems to return lower-case string for these files, so the md5 value for app.game-saga2.air.swf is

Quote:
c137c4232879032d888bc0edbb94dd09


thats part 1.

the next part is to hash it again using the "salt" , which is "zabbawabba"

if you hash "c137c4232879032d888bc0edbb94dd09\r\nzabbawabba" you get

Quote:
928f95ce47e21045537273f8cc0c34e4


which is what you gave in the game data .bin file


edit

just to clarify, \r\n are special characters, not literals.

[list=]
[*]open http://pajhome.org.uk/crypt/md5/
[*]open the console in your webbrowser
[*]paste
Code:
hex_md5('c137c4232879032d888bc0edbb94dd09\r\nzabbawabba')

[/list]

_________________
Useful tool links:


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 3:38 pm 
Offline
advanced

Joined: Fri Nov 21, 2014 12:21 pm
Posts: 70
Has thanked: 17 times
Have thanks: 7 times
WRS wrote:
its very simple.

when i said file_contents i meant get the whole file as a binary stream and hash that as binary data - which is what your function does:

Code:
         var _loc7_:ByteArray = new ByteArray();
         var _loc8_:FileStream = new FileStream();
         _loc8_.open(_loc6_,FileMode.READ);
         _loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
         _loc8_.close();
         _loc8_ = null;
         var _loc9_:String = MD5.hashBytes(_loc7_);


the function MD5.hashBytes seems to return lower-case string for these files, so the md5 value for app.game-saga2.air.swf is

Quote:
c137c4232879032d888bc0edbb94dd09


thats part 1.

the next part is to hash it again using the "salt" , which is "zabbawabba"

if you hash "c137c4232879032d888bc0edbb94dd09\r\nzabbawabba" you get

Quote:
928f95ce47e21045537273f8cc0c34e4


which is what you gave in the game data .bin file


edit

just to clarify, \r\n are special characters, not literals.

[list=]
[*]open http://pajhome.org.uk/crypt/md5/
[*]open the console in your webbrowser
[*]paste
Code:
hex_md5('c137c4232879032d888bc0edbb94dd09\r\nzabbawabba')

[/list]


That's the one that I firstly expected but.. look at this. (I'm not sure what do you mean 'open the console' yet.) I just put 'c137c4232879032d888bc0edbb94dd09\r\nzabbawabba' in to 'input'.
Image

And the result is
Quote:
45c09947d609595d82f483b87781d649
Not a
Quote:
928f95ce47e21045537273f8cc0c34e4


Top
 Profile  
 
 Post subject: Re: Getting MD5 hash from actionscript of swf.
PostPosted: Sat Apr 23, 2016 3:55 pm 
Offline
advanced

Joined: Fri Nov 21, 2014 12:21 pm
Posts: 70
Has thanked: 17 times
Have thanks: 7 times
Ah.. I got it. Thank you!



Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group