Page 1 of 1
Getting MD5 hash from actionscript of swf.
Posted: Fri Apr 22, 2016 11:27 am
by adol365
Hi,
. I'm trying to figure out what '
input_md5_1' will be.
Here is sample files.
https://drive.google.com/file/d/0B8JGJb ... sp=sharing
And this is actionscript from sample swf file. To see a actionscript from swf, use this program.
https://www.free-decompiler.com/flash/download/
scripts\game\entry\GameEntryDesktopAir.as
Code: Select all
try
{
start = getTimer();
gamesave_bin_txt = this.readChecksumFile("Front-Buffer subsystem M",rp + "gamesave.bin");
gamesave_bin_txt = gamesave_bin_txt.replace("\n","");
gamesave_bin_txt = gamesave_bin_txt.replace("\r","");
swf_md5 = this.verifyChecksum("Front-Buffer subsystem W",rp + "app.game-" + appInfo.sku + ".air.swf",null);
logInfo("Front-Buffer " + (getTimer() - start));
worldserpent = "zabbawabba";
[b]input_1 = swf_md5 + "\r\n" + worldserpent;[/b]
input_md5_1 = MD5.hash(input_1);
logInfo("INVOKE entry recursion timestamp [" + swf_md5 + "]");
if(input_md5_1 != gamesave_bin_txt)
{
throw new ArgumentError("Bitswizzle I/O/D error on evaluation of quest parameters");
}
In my opinion,
input_md5_1=app.game-appInfo.sku.air.swf\r\nzabbawabba
However MD5.hash(app.game-appInfo.sku.air.swf\r\nzabbawabba) = 036cd9b37886d3c845d5cd72052b8d2b.
I test it on this site.
http://www.miraclesalad.com/webtools/md5.php
As a result, it is different from gamesave_bin_txt(928f95ce47e21045537273f8cc0c34e4
0D0A)
Can someone solve this problem? Exactly what 'input_md5_1' is?
Re: Getting MD5 hash from actionscript of swf.
Posted: Fri Apr 22, 2016 8:51 pm
by WRS
you sure it isn't hashing the file contents, not the name?
edit
yeah, according to this dump -
http://pastebin.com/65kLr9pf it's just
Code: Select all
// pseudocode
MD5.hash( MD5.hash( file_contents( app.game-appInfo.sku.air.swf) ) + "\r\nzabbawabba" )
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 2:26 am
by adol365
WRS wrote:you sure it isn't hashing the file contents, not the name?
edit
yeah, according to this dump -
http://pastebin.com/65kLr9pf it's just
Code: Select all
// pseudocode
MD5.hash( MD5.hash( file_contents( app.game-appInfo.sku.air.swf) ) + "\r\nzabbawabba" )
Uhm..
The result is
not '
928f95ce47e21045537273f8cc0c34e4'.. I'm not sure what do you mean '
file_contents'? Is it md5 hash of swf file? It is 'c3e3378b9e46a859269e1ff1f8ff0e99' But it still different from gamesave_text. And according to actionscripts swf_md5 uses private function veryfyChecksum.
Code: Select all
private function verifyChecksum(param1:String, param2:String, param3:String, param4:Boolean = false) : String
{
logDebug(":::: " + param2);
var _loc5_:* = param3 == "0";
var _loc6_:File = new File(param2);
if(!_loc6_.exists)
{
if(_loc5_)
{
return null;
}
if(!param4)
{
throw new ArgumentError("Bitswizzle I/O error on " + param1);
}
return null;
}
if(_loc5_)
{
throw new ArgumentError("Bitswizzle I/O error on " + param1);
}
var _loc7_:ByteArray = new ByteArray();
var _loc8_:FileStream = new FileStream();
_loc8_.open(_loc6_,FileMode.READ);
_loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
_loc8_.close();
_loc8_ = null;
var _loc9_:String = MD5.hashBytes(_loc7_);
if(param3)
{
if(_loc9_ != param3)
{
throw new ArgumentError("Bitswizzle overflow error on " + param1 + " [" + _loc9_ + "]");
}
}
return _loc9_;
}
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 11:27 am
by michalss
moved to code talk...
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 2:41 pm
by adol365
michalss wrote:moved to code talk...
Hmm, sorry for my mistake. Could you specify what is swf_md5?
In the actionscript code, there are md5 hashs for the files which is need to be checked, so verifyChecksum function will compares param 2 and 3 whether the imported file is changed or not. This function will reads bytearray of file and convert it to MD5 hash with MD5.hashbyte. So, it will also compare md5 of swf and param3. But let's look at the code.
Code: Select all
rp = "C:/Program Files (x86)/Steam/SteamApps/common/tbs2/win32/"
swf_md5 = this.verifyChecksum("Front-Buffer subsystem W",rp + "app.game-" + appInfo.sku + ".air.swf",null);
So, it will reads "C:/Program Files (x86)/Steam/SteamApps/common/tbs2/win32/app.game-saga2.air.swf" and get the md5 hash of swf. But..
param3 = null.
Code: Select all
var _loc9_:String = MD5.hashBytes(_loc7_);
if(param3)
{
if(_loc9_ != param3)
{
throw new ArgumentError("Bitswizzle overflow error on " + param1 + " [" + _loc9_ + "]");
}
}
return _loc9_;
So,
'swf_md5 = Bitswizzle overflow error on Front-Buffer subsystem W [c137c4232879032d888bc0edbb94dd09]'..?
But it still doesn't match the one(gamesave.bin).
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 3:10 pm
by WRS
its very simple.
when i said
file_contents i meant get the whole file as a binary stream and hash that as binary data - which is what your function does:
Code: Select all
var _loc7_:ByteArray = new ByteArray();
var _loc8_:FileStream = new FileStream();
_loc8_.open(_loc6_,FileMode.READ);
_loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
_loc8_.close();
_loc8_ = null;
var _loc9_:String = MD5.hashBytes(_loc7_);
the function
MD5.hashBytes seems to return lower-case string for these files, so the md5 value for
app.game-saga2.air.swf is
c137c4232879032d888bc0edbb94dd09
thats part 1.
the next part is to hash it again using the "salt" , which is "zabbawabba"
if you hash "c137c4232879032d888bc0edbb94dd09\r\nzabbawabba" you get
928f95ce47e21045537273f8cc0c34e4
which is what you gave in the game data .bin file
edit
just to clarify, \r\n are special characters, not literals.
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 3:38 pm
by adol365
WRS wrote:its very simple.
when i said
file_contents i meant get the whole file as a binary stream and hash that as binary data - which is what your function does:
Code: Select all
var _loc7_:ByteArray = new ByteArray();
var _loc8_:FileStream = new FileStream();
_loc8_.open(_loc6_,FileMode.READ);
_loc8_.readBytes(_loc7_,0,_loc8_.bytesAvailable);
_loc8_.close();
_loc8_ = null;
var _loc9_:String = MD5.hashBytes(_loc7_);
the function
MD5.hashBytes seems to return lower-case string for these files, so the md5 value for
app.game-saga2.air.swf is
c137c4232879032d888bc0edbb94dd09
thats part 1.
the next part is to hash it again using the "salt" , which is "zabbawabba"
if you hash "c137c4232879032d888bc0edbb94dd09\r\nzabbawabba" you get
928f95ce47e21045537273f8cc0c34e4
which is what you gave in the game data .bin file
edit
just to clarify, \r\n are special characters, not literals.
That's the one that I firstly expected but.. look at this. (I'm not sure what do you mean '
open the console' yet.) I just put 'c137c4232879032d888bc0edbb94dd09\r\nzabbawabba' in to 'input'.
And the result is
45c09947d609595d82f483b87781d649
Not a
928f95ce47e21045537273f8cc0c34e4
Re: Getting MD5 hash from actionscript of swf.
Posted: Sat Apr 23, 2016 3:55 pm
by adol365
Ah.. I got it. Thank you!