xsha1-0.0.0: cryptanalysis of Blizzard's broken SHA-1 implementation.

Safe HaskellSafe-Infered




Exploring the CD key hash used to authenticate the game with Battle.net.



data Sniff Source

Data accessible to an attacker observing traffic. All plaintext.

Only missing piece of CD key info is the private value, which gets hashed.




snClientTok :: Word32


snServerTok :: Word32


snProduct :: Word32

decoded from key: 6 classic D2, 10 xpac D2 are common values

snPublic :: Word32

decoded from key, server has mapping to the private value




:: Sniff 
-> N

private value

-> Vector N 

Sample D2 CD key hash buffer. XSHA1 of this is sent to the server.

Test values. (CD keys stripped, get your own.)

Expand stage analysis.

view :: Vector N -> IO ()Source

Print infix equations for buffer.

classify :: Vector N -> StringSource

Classify DWORDs based on how much knowledge an eavesdropper has of them.

X = known value

? = unknown (32 bit CD key private value)

# = depends on 5 LSBs of private value

Traffic sniffing attack.

space :: Sniff -> [Vector N]Source

Possible hash buffer construction from data known to eavesdroper.

Since most of the expanded buffer depends just on 5 secret bits, 32 different buffers will cover all the possibilities for all but one DWORD. That DWORD is the private key value, and is unknown.

Only the relevant 5 bits on the private value are set. It should be re-set afterwards, to a better guess or and unknown.

alpha :: Vector N -> RegsSource

Unknown value is the pivot point.

Register states before and after it are marked alpha and beta. Beta has 32 possible values. Alpha just one. Solve for 32 private values.

unhash :: Sniff -> (N, N, N, N, N) -> IO ()Source

Get private values from sniffed data.

Some false positives, Binomial(n=31, p=1/32)

Straightforward to encode back into human-readable CD key.

Debug stuff

printReg :: PrintfType t => (N, N, N, N, N) -> tSource

hfoldl :: (a -> t -> a) -> a -> [t] -> (a, [a])Source

Foldl that keeps history.