Messages - Lugnut

3511
mmm that didn't work out so swell

> Upgrading connection to websocket.
> CatKey: h/D1cwIGMUTXf8khfOOFLw==258EAFA5-E914-47DA-95CA-C5AB0DC85B11
> ShaKey: z7PTz7PTz7PTz7PTz7PTz7PTz7M= //this is the key calculated using the trueSha1 function that truce made and ip modified
> key: di QVHn2UFR5N0BUdi QVHn2UFR5N0BUdi NPQ==

... spaces?

using ip's code

3512
the one you're thinking of is setModPaths(getModPaths()); but all that does is allow you to update zip files without rebooting your game.

what you want is exec("path/to/server.cs");

for example: exec("add-ons/event_daycycles/server.cs");

note: this will only work properly on add-ons without "content" which is basically models.
guns = no
events = yes

3513
lovey
thanks for the help guys, i'ma test it now

3514
Code: [Select]
function trueSha1(%input)
{
    %sourceSha = sha1(%input);
    %output = "";

    for(%i = 0; %i < strLen(%sourceSha); %i += 2)
        eval("%output = %output @ " @ collapseEscape("\\x", getSubStr(%sourceSha,%input,2)) @ "\";");

    %return = base64Encode(%output);
    return %return;
}
???

3515
Modification Help / Re: Security flaw in admin only events
« on: August 28, 2012, 02:00:09 PM »
>uck you man im the alex
frightening character!

how did you figure out it was him without logging?

3516
thanks mate!
i hear eval uses local variables from the context it's called in. this is valid, right?
Code: [Select]
function trueSha1(%input)
{
    %sourceSha = sha1(%input);
    %output = "";

    for(%i = 0; %i < strLen(%sourceSha); %i += 2)
        eval("%output = %output @ \"\\x" @ getSubStr(%sourceSha,%input,2) @ "\";");

    %return = base64Encode(%output);
    return %return;
}

i got worried when no one was responding, as if i had asked a question that was too complex :(

3517
Itt: typos

fixed typos

boobals your problem was probably caused by my typos

try with new version

3518
Modification Help / Re: Security flaw in admin only events
« on: August 28, 2012, 12:16:04 PM »
What add-ons do you have enabled?
What kinds of logging?

3519
Suggestions & Requests / Re: Bluzone Styled Decals
« on: August 28, 2012, 03:08:56 AM »
kniaz's zombies in the bluzone not mine

3520
a little late there
only ~330 pages which is just under five thousand posts

3521
Just because you are a dog trainer doesn't mean you train dogs.
what the hell
yes it does

you have to own a pokemon to be classified as a pokemon trainer

nice try though
aw

3522
yeah really

just because you attend hogwarts doesn't make you a wizard looool
just because you're a pokemon trainer doesn't mean you have any pokemon

3523
naturally i ran into a problem

3524
Here's the relevant part of that blog post
Quote from: article, code is in C
Connecting
Creating a WebSocket connection is initiated by the client sending the following upgrade request:

Code: [Select]
GET /servicename HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
The server responds with:

Code: [Select]
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Most of these HTTP fields are self explanatory but not Sec-WebSocket-Key and Sec-WebSocket-Accept. Sec-WebSocket-Key is a string sent by the client as a challenge to the server. This leads to the question- how does the server calculate the value of Sec-WebSocket-Accept and complete the challenge? It is quite simple. The server first takes Sec-WebSocket-Key and concatenates it with a GUID string from the WebSocket specification. Then the SHA-1 hash of the resulting string is computed and, finally, Sec-WebSocket-Accept is the base64 encoding of the hash value. Let’s work through an example:

Code: [Select]
SpecifcationGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
FullWebSocketKey = concatenate(Sec-WebSocket-Key, SpecifcationGUID);
  // dGhlIHNhbXBsZSBub25jZQ==258EAFA5-E914-47DA-95CA-C5AB0DC85B11
KeyHash = SHA-1(FullWebSocketKey);
  // 0xb3 0x7a 0x4f 0x2c 0xc0 0x62 0x4f 0x16 0x90 0xf6 0x46 0x06 0xcf 0x38 0x59 0x45 0xb2 0xbe 0xc4 0xea
Sec-Websocket-Accept = base64(KeyHash);
  // s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Additionally, I ran the things in the blog through both my webserver and the default programs:
Code: [Select]
lugnut@LugBook:~$ sha1sum 
dGhlIHNhbXBsZSBub25jZQ==258EAFA5-E914-47DA-95CA-C5AB0DC85B11
05082898ab78f6da9c1ad2587b8012cd0cf52172  -
lugnut@LugBook:~$ base64
05082898ab78f6da9c1ad2587b8012cd0cf52172
MDUwODI4OThhYjc4ZjZkYTljMWFkMjU4N2I4MDEyY2QwY2Y1MjE3Mgo=
Code: [Select]
==> echo(base64encode(sha1("dGhlIHNhbXBsZSBub25jZQ==258EAFA5-E914-47DA-95CA-C5AB0DC85B11")));
YjM3YTRmMmNjMDYyNGYxNjkwZjY0NjA2Y2YzODU5NDViMmJlYzRlYQ==

what the forget.

here's truce's base64 pack and dependency FWIW
Code: [Select]
////////////////////////////////////////
//  Base64 Pack             by Truce  //
////////////////////////////////////////

function convertBase(%val,%atype,%btype)
{
    %vlen = strLen(%val);
    %alen = strLen(%atype);
    %blen = strLen(%btype);

    for(%i = 0; %i < %vlen; %i++)
        %sum += striPos(%atype,getSubStr(%val,%i,1)) * mPow(%alen,%vlen - %i - 1);

    while(1)
    {
        %rem = %sum % %blen;
        %new = getSubStr(%btype,%rem,1) @ %new;
        %sum = mFloor(%sum / %blen);

        if(!%sum)
            break;
    }

    return %new;
}

function base64Encode(%str)
{
    %base64map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    %asciimap  = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMN" @
                 "OPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

    %len = strLen(%str);

    for(%i = 0; %i < %len; %i++)
    {
        %chr   = getSubStr(%str,%i,1);
        %ascii = strPos(%asciimap,%chr) + 32;
        %bin   = convertBase(%ascii,"0123456789","01");

        while(strLen(%bin) < 8)
            %bin = "0" @ %bin;

        %all = %all @ %bin;
    }

    %len = strLen(%all);

    for(%i = 0; %i < %len; %i += 6)
    {
        %pack = getSubStr(%all,%i,6);

        while(strLen(%pack) < 6)
            %pack = %pack @ "0";

        %dec = convertBase(%pack,"01","0123456789");
        %new = %new @ getSubStr(%base64map,%dec,1);
    }

    while(strLen(%new) % 4 > 0)
        %new = %new @ "=";

    return %new;
}

3525
some of you may know i've been running truce's torque webserver.
i've modified it a bit to allow support for various things, and my latest goal is to add support for html5 websockets.

following this guide and numerous other resources
http://www.altdevblogaday.com/2012/01/23/writing-your-own-websocket-server/
and
https://developer.mozilla.org/en-US/docs/WebSockets
i've made this addition to the Webclient::finish method in the webserver at line 253

Code: [Select]
if($_SERVERHTTP_Connection $= "Upgrade")
{
    %server.debug("> Upgrading connection to websocket.");

    if($WebSocketNum $= "")
        $WebSocketNum = 0;

    %spec = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
    %clkey = $_SERVERHTTP_Sec_WebSocket_Key;

    %catkey = %clkey @ %spec;
    %server.debug("> CatKey: " @ %catkey);

    %rkey = base64Encode(sha1(%catkey));
    %server.debug("> key: " @ %rkey);

    %this.send("HTTP/1.1 101 Switching Protocols\r\n");
    %this.send("Upgrade: websocket\r\n");
    %this.send("Connection: Upgrade\r\n");
    %this.send("Sec-WebSocket-Accept: " @ %rkey @ "\r\n");
    %this.send("\r\n");
    // %this.send("Num = " @ $WebSocketNum @ "\r\n");

    $WebSocketArray[$WebSocketNum] = %this;
    $WebSocketNum++;
    return;
}

the problem occurs when the system is calculating either the SHA1 sum or the base64 encoding at the end. here's a sample request utilizing javascript console:
Code: (client) [Select]
var s = new WebSocket("ws://69.64.43.11:33580");
Code: (server) [Select]
% [Webserver] > Client timeout in 500 milliseconds.
% [Webserver] Packet terminated from client 1845687.
% [Webserver] Parsing client 1845687's header: Upgrade: websocket
Connection: Upgrade
Host: 69.64.43.11:33580
Origin: http://69.64.43.11:33580
Sec-WebSocket-Key: aGf7b7cHpm/HtRf16dG3Xg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: x-webkit-deflate-frame
Cookie: a=streamline; n=Lugnut

% [Webserver] > Assigning websocket to HTTP_Upgrade.
% [Webserver] > Assigning Upgrade to HTTP_Connection.
% [Webserver] > Assigning 69.64.43.11:33580 to HTTP_Host.
% [Webserver] > Assigning http://69.64.43.11:33580 to HTTP_Origin.
% [Webserver] > Assigning aGf7b7cHpm/HtRf16dG3Xg== to HTTP_Sec_WebSocket_Key.
% [Webserver] > Assigning 13 to HTTP_Sec_WebSocket_Version.
% [Webserver] > Assigning x-webkit-deflate-frame to HTTP_Sec_WebSocket_Extensions.
% [Webserver] > Assigning a=streamline; n=Lugnut to HTTP_Cookie.
% [Webserver] Parsing client 1845687's POST args:
% [Webserver] > No POST args found to parse!
% [Webserver] > Upgrading connection to websocket.
% [Webserver] > clKey = aGf7b7cHpm/HtRf16dG3Xg==
% [Webserver] > recdKey = aGf7b7cHpm/HtRf16dG3Xg==
% [Webserver] > CatKey: aGf7b7cHpm/HtRf16dG3Xg==258EAFA5-E914-47DA-95CA-C5AB0DC85B11
% [Webserver] > key: ZDdkN2FlMGM5MzFmN2RhY2Y0NDRlOWJmNzVmZTJjNzBkNTQyNzIwOQ==
Code: (client) [Select]
Error during WebSocket handshake: Sec-WebSocket-Accept mismatch
as you can see, the specification magic key is appended to the sent key successfully, and the end result is pooped out.

using default programs in my linux distro, i ran the following commands in my terminal
Code: [Select]
lugnut@LugBook:~$ sha1sum
aGf7b7cHpm/HtRf16dG3Xg==258EAFA5-E914-47DA-95CA-C5AB0DC85B11
bf416c18230328f3113518ed03f8fbcee351d7b4  -
lugnut@LugBook:~$ base64
bf416c18230328f3113518ed03f8fbcee351d7b4
YmY0MTZjMTgyMzAzMjhmMzExMzUxOGVkMDNmOGZiY2VlMzUxZDdiNAo=
firstly i input the whole key (sent + spec) into sha1sum
then i took that and put it into the base64 converter

obviously the webserver's result is drastically different than the one i manually created.

however, i don't know who to blame :(

it appears that torque is miscalculating either base64 or sha1...

What can I do?
EDIT: after posting this i realized there were two spaces and a - after my sha1 encoding i had ignored
Code: [Select]
lugnut@LugBook:~$ base64
bf416c18230328f3113518ed03f8fbcee351d7b4  -
YmY0MTZjMTgyMzAzMjhmMzExMzUxOGVkMDNmOGZiY2VlMzUxZDdiNCAgLQo=
this is a match to my earlier result without the whitespace.
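
Added example (not part of the original posts, and not Truce's or the blog's code): the Sec-WebSocket-Accept value from the quoted article computed in Python over the raw digest bytes, with a helper that names which mistaken computation produced a rejected value. The function names are hypothetical, and the two newline variants are an assumption about how text typed at a terminal reaches sha1sum and base64.

```python
import base64
import hashlib

# GUID fixed by the WebSocket specification, as quoted in the posts above.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Correct value: base64 over the 20 raw SHA-1 digest bytes."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def candidates(client_key: str) -> dict:
    """The correct value plus the output of each common mistake."""
    cat = (client_key + WS_GUID).encode("ascii")
    hex_digest = hashlib.sha1(cat).hexdigest().encode("ascii")
    hex_digest_nl = hashlib.sha1(cat + b"\n").hexdigest().encode("ascii")

    def b64(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii")

    return {
        "correct": accept_key(client_key),
        # base64 over the 40-character hex text instead of the raw bytes
        "base64-of-hex-digest": b64(hex_digest),
        # same, with the newline a terminal appends to the text fed to base64
        "base64-of-hex-digest-plus-newline": b64(hex_digest + b"\n"),
        # newline hashed together with the key, then encoded with a newline
        "newline-hashed-and-encoded": b64(hex_digest_nl + b"\n"),
    }


def diagnose(client_key: str, observed: str) -> str:
    """Name the computation that yields `observed`, or explain why none does."""
    for name, value in candidates(client_key).items():
        if value == observed:
            return name
    # A correct value always decodes to exactly 20 bytes (28 base64 characters).
    try:
        size = len(base64.b64decode(observed, validate=True))
    except ValueError:
        return "unknown: not valid base64"
    return f"unknown: decodes to {size} bytes, expected 20"
```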
