Broken SHA-1 Differences

Barabajagal · May 14, 2007, 05:39 PM

Ok, I'm trying to find out exactly what the differences are between Standard SHA-1 and Broken SHA-1, using examples from three languages. So far, I've found two things. First is the 0x40 byte null padding. Second is what appears to be byte trimming... by which I mean:

Code Select

for(i = 0x10; i < 0x50; i++)
{
  dw = buf[i-0x10] ^ buf[i-0x8] ^ buf[i-0xE] ^ buf[i-0x3];
  buf[i] = (1 >>> (0x20 - (byte)dw)) | (1 << (byte) dw);
}

The (byte)dw part. However, these two changes alone don't seem to make Standard SHA into Broken SHA. I've looked over copies of the function in C++, Java, and VB6, but I still seem to be missing things. Would someone please shed some light on this for me?

warz · May 14, 2007, 05:59 PM

not sure what the problem is. what is 'broken sha1'? are you referring to the implementation that checkrevision uses, or are you referring to any sha1 implementation that has differences from the standard implementation? if so, which specific one? if you're talking about the implementation that checkrevision has in place, the code for it, in C++, has already been made public, and the differences are within sha1final.

Barabajagal · May 14, 2007, 06:01 PM

I'm talking about the one used in CDKey/Password hashing. That's what Broken SHA-1 has always been...

See:
Java: http://forum.valhallalegends.com/index.php?topic=6999.0
VB: http://forum.valhallalegends.com/index.php?topic=8531.0

warz · May 14, 2007, 06:07 PM

Quote from: RεalityRipplε on May 14, 2007, 06:01 PM
I'm talking about the one used in CDKey/Password hashing. That's what Broken SHA-1 has always been...

so, there's a standard broken SHA1 implementation? i would think the term broken would mean any modified SHA1 implementation, considering the amount of people that probably wouldn't honor such a name is probably pretty high. the fact is, there's tons of SHA1 implementations out there, and using the term broken isn't very specific.

but, i don't know anything about the pre-lockdown hashing functions. so no help here, sorry.

l2k-Shadow · May 14, 2007, 06:08 PM

Quote from: RεalityRipplε on May 14, 2007, 06:01 PM
I'm talking about the one used in CDKey/Password hashing. That's what Broken SHA-1 has always been...

get yourself source code to bncsutil

Barabajagal · May 14, 2007, 06:09 PM

Quote from: l2k-Shadow on May 14, 2007, 06:08 PM
Quote from: RεalityRipplε on May 14, 2007, 06:01 PM
I'm talking about the one used in CDKey/Password hashing. That's what Broken SHA-1 has always been...

get yourself source code to bncsutil

Already did that. I'm trying to find the differences, not get a copy of the code.

warz · May 14, 2007, 06:10 PM

Quote from: RεalityRipplε on May 14, 2007, 06:09 PMAlready did that. I'm trying to find the differences, not get a copy of the code.

isn't that sort of ... what's the word? contradictory. :p

now, wouldn't comments help in this scenario, code poet? lol.

l2k-Shadow · May 14, 2007, 06:10 PM

so just compare the source for the regular hash with the codes you found, I don't understand your question.

Barabajagal · May 14, 2007, 06:13 PM

I've been comparing them for three days. All I've found is the null-char buffer to 64 bytes and the byte cutoff.

warz · May 14, 2007, 06:16 PM

Quote from: RεalityRipplε on May 14, 2007, 06:13 PM
I've been comparing them for three days. All I've found is the null-char buffer to 64 bytes and the byte cutoff.

three days? now, doesn't this topic, and the majority of your posts in this topic make for an interesting discussion?

Barabajagal · May 14, 2007, 06:18 PM

not really? I can read the code just fine. I'm beginning to think it's an endian issue.

warz · May 14, 2007, 06:35 PM

Quote from: RεalityRipplε on May 14, 2007, 06:18 PM
not really? I can read the code just fine. I'm beginning to think it's an endian issue.

oh, so by read, you've always meant that you can visually see the screen. i always thought by 'read the code' you meant understand what it's telling you. interesting.

Barabajagal · May 14, 2007, 06:48 PM

*sigh* i don't know why I even bother.

I read the code just fine. I understand what it says just fine. If you read through a book looking for the word rendezvous without knowing how it's spelled or what chapter it's in, it takes a while, even if you're a god damn English major (though if you're an English major, wtf are you doing not knowing how to spell rendezvous).

Edit: I think I was making it overly complicated. It should instead be something like this...

Code Select

    For I = 16 To 79
        T = W(I - &H10) Xor W(I - &H8) Xor W(I - &HE) Xor W(I - &H3)
        If Broken Then
            W(I) = RoL(1, T)
        Else
            W(I) = RoL(T, 1)
        End If
    Next I

Warrior · May 14, 2007, 06:53 PM

Quote from: betawarz on May 14, 2007, 06:10 PM
Quote from: RεalityRipplε on May 14, 2007, 06:09 PMAlready did that. I'm trying to find the differences, not get a copy of the code.

isn't that sort of ... what's the word? contradictory. :p

now, wouldn't comments help in this scenario, code poet? lol.

WARZ I LOVE YOU.

UserLoser · May 14, 2007, 11:57 PM

Quote
... in SHA-1, thereare a number of bit rotate left ("ROL") operations. The Blizzard programmer responsible for implementing this apparently switched the two parameters in every call to ROL. That is, if there was a "#define ROL(a, b) (...)" macro, the programmer swapped the two arguments. This drastically reduces the securityof Battle.net password hashes, as most of the data being hashed ends up being zero bits. Because of the problem of incompatibility with previously created accounts, this system is still in use today. ...

Valhalla Legends Archive

Broken SHA-1 Differences

Barabajagal

warz

Barabajagal

warz

l2k-Shadow

Barabajagal

warz

l2k-Shadow

Barabajagal

warz

Barabajagal

warz

Barabajagal

Warrior

UserLoser