Question

I was playing a game about a year ago. Wanting to speed it up a bit, I edited the main .py file and added psyco to the very beginning. The game ran faster and better, but it would not let me send my scores. I went into the file and it was checking its own md5sum. The part that confused me is that they had its md5 in the file. My question is, how do I get the md5 of a file with the sum of the file including the md5 I don't have yet? Seems a catch-22 to me, but they did it.

Hope I explained that well enough. Example:

File: Example.example

check md5 of Example.example
If md5 I just obtained == "###################################"
allow send score.

Solution

You can't (easily) embed an MD5 of a program inside the program that is computing the MD5, because when you change the MD5 that you are embedding, the program's MD5 changes. Loop for a while and eventually you may reach a stable point. Then again, you may not. "A while" typically means 2^128 steps, so that's going to be a very long while --- like after the sun becomes a red giant.

So there's a trick. When the program computes its own MD5, it specifically recognizes where the embedded MD5 is located and uses a set value, like all NULLs.

To make it harder for hackers, don't use all NULLs --- use a SALT value. Obfuscate that value in your binary. Now it will be harder for people to edit the embedded MD5 and "fix" it after they have edited your program.

OTHER TIPS

What is usually done in these cases is that when calculating the MD5, the actual number is replaced with some placeholder, for instance spaces or zero padding.

This is widely used in cryptography mechanisms like IPSEC.
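The placeholder technique described in the two answers above, as an added example that is not code from the game or from either answerer. The `EMBEDDED_MD5 = "..."` field format, the all-zero placeholder and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re

# Assumed field format (hypothetical): one line of the form
#   EMBEDDED_MD5 = "<32 lowercase hex chars>"
FIELD = re.compile(rb'(EMBEDDED_MD5 = ")([0-9a-f]{32})(")')
PLACEHOLDER = b"0" * 32  # fixed value hashed in place of the stored digest


def normalized_md5(data: bytes) -> str:
    """MD5 of data with the digest field overwritten by PLACEHOLDER."""
    if len(FIELD.findall(data)) != 1:
        raise ValueError("expected exactly one embedded digest field")
    blanked = FIELD.sub(lambda m: m.group(1) + PLACEHOLDER + m.group(3), data)
    return hashlib.md5(blanked).hexdigest()


def embed(data: bytes) -> bytes:
    """Build step: store the normalized digest in the field."""
    digest = normalized_md5(data).encode()
    return FIELD.sub(lambda m: m.group(1) + digest + m.group(3), data)


def verify(data: bytes) -> bool:
    """Runtime step: the stored digest must equal the normalized digest."""
    try:
        expected = normalized_md5(data)
    except ValueError:
        return False  # field missing or duplicated
    stored = FIELD.search(data).group(2).decode()
    return hmac.compare_digest(stored, expected)


# Constructed sample file contents, not taken from the game.
SAMPLE = b'EMBEDDED_MD5 = "' + b"f" * 32 + b'"\nprint("game code")\n'

if __name__ == "__main__":
    signed = embed(SAMPLE)
    print(verify(signed))                                        # untouched
    print(verify(signed.replace(b"game code", b"edited code")))  # modified
```

Because the field is blanked before hashing, writing the digest into the file does not change the value being checked, which removes the circular dependency from the question.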

It would be very difficult to do, you would need to brute force it. Are you sure it's not a red herring and the real verification is done elsewhere?

Doesn't seem like very good security anyway, what's to stop you modifying the algorithm like this (using your pseudo code)?

check md5 of Example.example
If md5 I just obtained != "###################################"
allow send score.
Licensed under: CC-BY-SA with attribution