Re: 63/64 bit version of Delphi's function random( aRange : integer ) : integer; ?
sci.crypt archive


From: Skybuck Flying <spam@hotmail.com>
Date: Fri Apr 28 2006 - 14:02:48 CEST

Well the test just completed.

My bet was zero or the max longword.

It turns out that the missing value is 4294967295 itself (the max longword).

The loop goes like this:

var
  i, Result : Cardinal;

for i := 0 to 4294967295 do
begin
    Result := random( $FFFFFFFF );  // $FFFFFFFF = 4294967295, the max longword
end;

Result 4294967295 is missing!

Time to reverse engineer the algorithm.

The question is... which input value must be provided to get the output value?

Let's start with turning around the instructions from bottom to top.

***

// MOV EAX,EDX
Result := EDX;

// MUL EDX
// EDX:EAX := EAX * EDX;

// *** problem code, integer overflow ***
// Large := EAX * EDX;

vLargeEAX := EAX;
vLargeEDX := EDX;

Large := vLargeEAX * vLargeEDX;

// MOV [EBX].RandSeed,EDX
vUnsignedRandSeed := EDX;

// INC EDX
EDX := EDX + 1;

// IMUL EDX,[EBX].RandSeed,08088405H
EDX := vUnsignedRandSeed * $08088405;

// EAX is probably initialized with the parameter of the function.
EAX := ParaRange;

***

Now let's replace all the garbage etc:

EDX := DesiredOutputValue;

EAX := Large div EDX;

EDX := UnsignedRandSeed;

EDX := EDX - 1;

UnsignedRandSeed := EDX div $08088405;

ParaRange := EAX;

This is what the reversed function would look like.

Gonna test it out...

Be back later...

Bye,
  Skybuck ;)
Received on Mon May 1 02:05:39 2006
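As an added example (not code from the post above), here is a Python model of the Random(Range) routine as the disassembly in the post describes it: RandSeed := RandSeed * $08088405 + 1, then Result := the high dword of Range * RandSeed. It shows why Random($FFFFFFFF) can never return $FFFFFFFF (the high dword of Range * RandSeed is always below Range) and that the seed update is undone by multiplying by the modular inverse of $08088405, which exists because the multiplier is odd. The function names and the starting seed are my own.

```python
from typing import Tuple

MASK32 = 0xFFFFFFFF
MULT = 0x08088405  # constant from "IMUL EDX,[EBX].RandSeed,08088405H"


def next_seed(seed: int) -> int:
    """IMUL EDX,[EBX].RandSeed,08088405H ; INC EDX  -- all modulo 2^32."""
    return (seed * MULT + 1) & MASK32


def delphi_random(seed: int, rng: int) -> Tuple[int, int]:
    """One call of Random(rng) starting from RandSeed = seed.

    MUL EDX leaves the 64-bit product Range * RandSeed in EDX:EAX and
    MOV EAX,EDX returns the high dword, so Result = (rng * seed') >> 32.
    Returns (new RandSeed, Result)."""
    new_seed = next_seed(seed)
    product = (rng & MASK32) * new_seed  # Python ints do not overflow
    return new_seed, product >> 32


def inverse_odd_mod_2_32(a: int) -> int:
    """Multiplicative inverse of an odd a modulo 2^32 by Newton iteration:
    x = a is correct to 3 bits (odd squares are 1 mod 8) and each step
    doubles the number of correct low bits, so 5 steps cover 32 bits."""
    x = a
    for _ in range(5):
        x = (x * (2 - a * x)) & MASK32
    return x


MULT_INV = inverse_odd_mod_2_32(MULT)


def prev_seed(seed: int) -> int:
    """Undo next_seed: reverse the INC, then the IMUL via the modular inverse
    (integer division by $08088405 would not do this)."""
    return ((seed - 1) * MULT_INV) & MASK32


def max_result(rng: int) -> int:
    """Largest value Random(rng) can return: the high dword of rng * $FFFFFFFF."""
    return ((rng & MASK32) * MASK32) >> 32


if __name__ == "__main__":
    seed = 0x12345678  # constructed starting RandSeed
    s, r = delphi_random(seed, 0xFFFFFFFF)
    print(f"Random($FFFFFFFF) -> {r:#010x}, RandSeed {s:#010x}")
    print(f"recovered previous RandSeed {prev_seed(s):#010x}")
    print(f"max Result for $FFFFFFFF: {max_result(0xFFFFFFFF):#010x}")
```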