Welcome to Valhalla Legends Archive.

A better random

Started by Barabajagal, July 29, 2008, 06:10 PM


Barabajagal

How can I generate a random value that's different every time the code is run, even if two instances of the application are run at the exact same time?

l2k-Shadow

Quote from: Andy on July 29, 2008, 06:10 PM
How can I generate a random value that's different every time the code is run, even if two instances of the application are run at the exact same time?

Randomize?

Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email? Then help me copy and paste it to my bot? ;D

I was destined to live here,
To eat boiled pork with horseradish and drink beer with it.
There, they say, you'd have it made like a pig in clover,
I don't want to sit on my ass in front of anyone.

I'm not from the USA, I'm not from the USA, I really am not from the USA... and hopefully that's why they won't be mad at me.

Barabajagal

Randomize by default uses the gettickcount value as the seed value, which if run twice at the same time will return the same seed. I've set the seed value to the App.TaskID, and that should do it, I hope.

brew

<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know you are, but what am I? :P

iago

You need a different source of entropy. Not sure how to do it on Windows, but the advapi32 functions might work (see brew's post).
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

App.TaskID as the seed worked fine, as I said in my second post.

bulletproof tiger

Quote from: Andy on July 29, 2008, 10:43 PM
App.TaskID as the seed worked fine, as I said in my second post.

You never mentioned if it worked or not, smartass.

Barabajagal

Why would it not work?

MyndFyre

Quote from: brew on July 29, 2008, 07:34 PM
Perhaps you should check out advapi32's CryptGenRandom api.

The nice thing about the CryptGenRandom API (and the .NET equivalent) is that it accumulates system-wide; the kernel handles synchronization and ensures that two processes, even calling with exactly the same data and at exactly the same time, are going to be processed in serial, and so hardware conditions provided for in the documentation serve to enhance its security:

Quote
With Microsoft CSPs, CryptGenRandom uses the same random number generator used by other security components. This allows numerous processes to contribute to a system-wide seed. CryptoAPI stores an intermediate random seed with every user. To form the seed for the random number generator, a calling application supplies bits it might have—for instance, mouse or keyboard timing input—that are then added to both the stored seed and various system data and user data such as the process ID and thread ID, the system clock, the system time, the system counter, memory status, free disk clusters, the hashed user environment block. This result is SHA-1 hashed, and the output is used to seed an RC4 stream, which is then used as the random stream and used to update the stored seed. If an application has access to a good random source, it can fill the pbBuffer buffer with some random data before calling CryptGenRandom. The CSP then uses this data to further randomize its internal seed. It is acceptable to omit the step of initializing the pbBuffer buffer before calling CryptGenRandom.
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon. The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

iago

Quote from: Andy on July 30, 2008, 12:03 AM
Why would it not work?
If it's for anything security-related, then using a predictable value is a bad idea, as an attacker could potentially guess it.

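To put numbers on iago's point, here is an added Python sketch (not code from the thread, whose bot is VB6) that seeds a deterministic PRNG with a small, guessable value in the way Randomize with a tick count or App.TaskID does, and contrasts it with the OS CSPRNG; the 8-character alphanumeric folder name and the 2-second launch window are assumptions for the illustration.

```python
import math
import random
import secrets
import string

# Constructed for the illustration: an 8-character alphanumeric folder name.
ALPHABET = string.ascii_lowercase + string.digits
NAME_LEN = 8


def seeded_name(seed: int, length: int = NAME_LEN) -> str:
    """Name from a deterministic PRNG seeded with a small, guessable integer
    (the thread's Randomize-with-tick-count / App.TaskID pattern).
    Two instances that obtain the same seed get the same name, every run."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_name(length: int = NAME_LEN) -> str:
    """Name from the OS CSPRNG: secrets reads os.urandom, which is backed by
    the system generator (CryptGenRandom/BCryptGenRandom on Windows,
    /dev/urandom or getrandom elsewhere), so there is no per-process seed
    to collide or to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def candidate_names(start_tick_ms: int, window_ms: int,
                    length: int = NAME_LEN) -> set:
    """Every name a tick-seeded generator can produce when the launch time
    is known to within window_ms: one name per millisecond. That is the
    entire space of names the program can produce in that window, which
    is why a predictable seed gives no real unpredictability."""
    return {seeded_name(t, length)
            for t in range(start_tick_ms, start_tick_ms + window_ms)}


def name_space_bits(length: int = NAME_LEN) -> float:
    """Entropy of a uniformly random name of the given length, in bits;
    compare with log2(window_ms) for the seeded version."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    launch = 1_000_000                      # constructed tick count at launch
    print(seeded_name(launch) == seeded_name(launch))  # True: same seed, same name
    cands = candidate_names(launch, 2000)   # launch time known to within 2 s
    print(len(cands), "possible seeded names, about",
          round(math.log2(len(cands)), 1), "bits")
    print(round(name_space_bits(), 1), "bits for a CSPRNG name;",
          "collides with seeded set:", secure_name() in cands)
```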

Barabajagal

It's to generate a folder name in the temporary files directory, which is removed on program termination and stores skin data (images and text) mostly.

iago

On a multi-user machine, that can cause a security problem. Seriously. :)

It's a common mistake to create temporary files in a globally writable directory with predictable filenames. The program could be tricked by a malicious user into over-writing system files under certain conditions.

There should be a built-in function to securely generate temporary files/folders, you should use that.

I don't know which language you're using, but this guide might help you out:
https://www.securecoding.cert.org/confluence/display/seccode/VOID+FI039-C.+Create+temporary+files+securely

MyndFyre

Quote from: iago on July 30, 2008, 03:03 PM
On a multi-user machine, that can cause a security problem. Seriously. :)

It's a common mistake to create temporary files in a globally writable directory with predictable filenames. The program could be tricked by a malicious user into over-writing system files under certain conditions.

There should be a built-in function to securely generate temporary files/folders, you should use that.
Which OS are you talking about? Windows (at least Vista, I don't remember for XP) has per-user temporary file paths.

Barabajagal

As MF says, the temp dir tends to be something along the lines of C:\Documents and Settings\[USERNAME]\Local Settings\Temp\ (in winxp), and my bot (written in VB6, as the location of this topic suggests) writes to a subfolder called RCB within that temp folder.

My program already overwrites system files, seeing as it updates files stored in the System32 folder (or SysWOW64 if you're on an x64 OS), since it seemed like a better place to store runtimes than the application directory in order to keep things simple for users.
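As an added Python illustration of the temporary-folder problem iago raised (not the bot's VB6 code), the fixed RCB subfolder Barabajagal describes sits beside a version built on tempfile.mkdtemp, with a small audit check; the scratch root standing in for the Temp folder and the pre-planted world-writable RCB directory are constructed for the demo.

```python
import os
import stat
import tempfile

def rcb_dir_naive(temp_root: str) -> str:
    """The pattern under discussion: a fixed, guessable subfolder name.
    If another user pre-created temp_root/RCB (or a symlink called RCB),
    this returns it anyway and the program then writes into their folder."""
    path = os.path.join(temp_root, "RCB")
    os.makedirs(path, exist_ok=True)
    return path

def rcb_dir_secure(temp_root: str) -> str:
    """Unpredictable name created atomically with mode 0700: mkdtemp draws
    the suffix from the OS CSPRNG and retries with a new name if the path
    already exists, so a pre-planted folder is never adopted."""
    return tempfile.mkdtemp(prefix="RCB-", dir=temp_root)

def is_private_dir(path: str) -> bool:
    """Audit check: a real directory (not a symlink), owned by us and not
    group/other-writable. POSIX mode bits do not exist on Windows, so
    there only the directory-vs-symlink test applies."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if os.name == "nt":
        return True
    return st.st_uid == os.getuid() and not (
        st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def demo() -> dict:
    """Plant a world-writable RCB folder in a scratch root that stands in
    for %TEMP% ("another user" got there first), then compare approaches."""
    with tempfile.TemporaryDirectory() as temp_root:
        planted = os.path.join(temp_root, "RCB")
        os.mkdir(planted)
        os.chmod(planted, 0o777)
        naive = rcb_dir_naive(temp_root)
        secure = rcb_dir_secure(temp_root)
        return {
            "naive_reused_planted": os.path.samefile(naive, planted),
            "naive_private": is_private_dir(naive),
            "secure_reused_planted": os.path.samefile(secure, planted),
            "secure_prefix_ok": os.path.basename(secure).startswith("RCB-"),
            "secure_private": is_private_dir(secure),
        }

if __name__ == "__main__":
    print(demo())
```

On a POSIX system the naive path also fails the audit check (it is world-writable), while the mkdtemp directory passes; on Windows the mode test is skipped, as noted in the code.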

iago

Quote from: MyndFyre[vL] on July 30, 2008, 05:17 PM
Quote from: iago on July 30, 2008, 03:03 PM
On a multi-user machine, that can cause a security problem. Seriously. :)

It's a common mistake to create temporary files in a globally writable directory with predictable filenames. The program could be tricked by a malicious user into over-writing system files under certain conditions.

There should be a built-in function to securely generate temporary files/folders, you should use that.
Which OS are you talking about? Windows (at least Vista, I don't remember for XP) has per-user temporary file paths.
I think that every OS except for Windows uses a global temp directory (Linux, BSD, and Mac all use global files, as far as I know).

It's probably ok if per-user temp files are used, but I think it's important to get into good habits no matter which OS you're on.

And for what it's worth, he didn't specify an OS or a language or anything else in his initial post, so I gave a generic answer. :)