MD5 Hashing in SCAR.

[R0b0t1]

SCAR Code:

program MD5_Authorization;

const
  User  = 'User';
  Pass  = 'Pass';
  Hash1 = '8f9bfe9d1345237cb3b2b205864da075';
  Hash2 = 'b9b57aae83585e17ede4570dcede353c';
begin
  if MD5(User) = Hash1 then   {Method is not secure...}
    if MD5(Pass) = Hash2 then
      WriteLn('Correct, welcome '+User+'!')
    else
      WriteLn('Password incorrect, '+User+'.')
  else
    WriteLn('Unknown user!');
end.

Thats how it might be used, but remember: you could just remove this auth part... Better use PHP, kiddies.

[Freddy1990]

SCAR Code:

program MD5_Authorization;

const
  User  = 'User';
  Pass  = 'Pass';
  Hash1 = '8f9bfe9d1345237cb3b2b205864da075';
  Hash2 = 'b9b57aae83585e17ede4570dcede353c';
begin
  if MD5(User) = Hash1 then   {Method is not secure...}
    if MD5(Pass) = Hash2 then
      WriteLn('Correct, welcome '+User+'!')
    else
      WriteLn('Password incorrect, '+User+'.')
  else
    WriteLn('Unknown user!');
end.

Thats how it might be used, but remember: you could just remove this auth part... Better use PHP, kiddies.

Yea, because can't can't remove a php auth

[Yakman]

write your script to use hash passwords before you send it, then encrypt the script,
remember to salt your passwords before you hash them, with a value that changes every time (sent from the server hopefully)

[R0b0t1]

Yes, I see what you mean...

(Rolling Code)

* Have a file that stores a number which is incremented, hash it.

* Check hash against the next 256 possible hashes, protects against failed connects.

* If successful, use that MD5 to seed a random function...

* Uhm... Use that number as salt? (Processes will be performed on the server also)

* Since password on server and SCAR would have gone through the same processes, they will be identical, so compare them.

* Tell scar: "Sure, this guy is OK".


[Freddy, I forgot that both are useless w/o encryption]

[Yakman]

nah i dont like the storing in the file
try something like this

C: start underlying protocol
S: **gets the cpu cycles, or other almost random number (windows API has the GetTickCount())
S: **Send this number along with some other stuff
C: **use that number as a seed, generates 10 numbers from it, which are between the ascii values of a-z A-Z and 0-9, adds this string to the password, hashes it and sends to server
S: Server does the same thing, and checks if the two hashes are the same, if they are, it replies with an OK message

this isnt incredibly useful, i guess it would just confuse people, like if they are monitoring packets, they get a new hash, even though they typed the same password
also make your own pseduorandom number alogorithm, and keep it secret (IE scar script encrypted and on your php server)
also you might want to xor the seed you get from the server with a (secret) constant value

[R0b0t1]

I've always wondered, why do people always use xor?

[Timer]

xor = either but not both.

[R0b0t1]

Still doesn't answer why they'd use it.

[Timer]

no..? its less code / faster
look at set run

[Bobarkinator]

no..? its less code / faster
look at set run

More code in my opinion. Because then you have to check which side of the statement was true.

[R0b0t1]

But still, WHY THE HELL DO THEY USE IT?

Why is it in so many algorithms? Something special about it?

[Markus]

imagine we got A, B and C
A xor B = C
A xor C = B
B xor C = A
If you xor 2 values, you'll get the missing one.

[Yakman]

in my case, i used it cause its a relativly simple way of scrambling bytes
so if someone is packet sniffing your script, it wont be ascii human readable characters

look on wikipedia for the other uses