Null byte character file reading in GM?

Posted by Alert Games on April 16, 2012, 10:46 p.m.

Inb4 don't use GM.

So I figured out that GM uses null-terminated strings. Unfortunately this gives an incorrect translation of the RC4 encryption on the file for profiles.

So what I am wondering is:

Is there a better way to save profiles securely, such as using a different encryption?

Or is there a way to handle these null characters, like '\0', or possibly writing bin?

I already have a checksum to check if any information was changed, but it stores the user's password as well, which should not be plain text. (The Key is seeded to prevent easy decryption.) I need some way of keeping profiles secure for the API :o And I'm not going to use the one I use to send information to the server, because I purposefully only have the encoder in the API.

If anyone has any ideas let me know!

Comments

poultry 12 years, 8 months ago

don't use GM.

Jeremy 12 years, 8 months ago

@ChIkEn

I've been telling him this. :(

svf 12 years, 8 months ago

AG, you are such a brilliant Programmer. Don't use GM. :(

flashback 12 years, 8 months ago

Can you escape the null when generating it?

MahFreenAmeh 12 years, 8 months ago

your mom's a null-byte

Alert Games 12 years, 8 months ago

@svf: I'm using it to create an API for GM users to make games work with multiplayer. Many people would like to use GM for competitions because you can make quick simple games with it. Unity will probably be next as many game devs like to use it, including classmates I talk to.

@flashback: I've read somewhere that using a string can escape it, or something. I'll look into it I guess.

Josea 12 years, 8 months ago

Just btw, the RC4 stream cipher is not recommended nowadays, there are newer stream ciphers like Salsa20 that do the job faster and are more secure. Also, remember that stream ciphers are very insecure once you encrypt two or more streams using the same key, unless you use what is called a 'nonce'. However, RC4 lacks built-in support for nonces, so you have to implement one yourself (it's very easy though)

I'm not saying to not use RC4, just to be careful, it is very easy to blow up a cipher's security without noticing.

Alert Games 12 years, 8 months ago

Thanks for the information. Yeah, I'm using some methods to make the encryption key different. For this project I'm not going to extremes because it is not tied with any money or anything, but it's a good learning experience.

My main concern is to hide the password and game information so that the players can't access it (easily), but unfortunately RC4 apparently gives a null character, which is quite frustrating. I don't have time to look into this very much, so I'm wondering if anyone knows any solutions off the top of their head?

flashback 12 years, 8 months ago

Kill two birds with one stone - try salsa20 for better security, and see if it doesn't return nulls. If it doesn't return nulls, you win two ways!

Alert Games 12 years, 8 months ago

Only problem is that I would need to translate the code to GML. Maybe I should get Gordy on that? :o

It looks like salsa20 is supported in PHP, so I'll test it out with that and see what it comes up with.
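
The two points raised in this thread (escaping the nulls, and using a nonce so the same key never produces the same keystream twice) can be shown together; this is an added example, not code posted by anyone in the thread, and it is written in Python rather than GML. Stream cipher output is arbitrary bytes whichever cipher is used, so a 0x00 can appear at any position; the sketch hex-encodes the ciphertext before storage. The function names, the 16-byte nonce and the SHA-256(key + nonce) per-file key are assumptions of this example.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def as_c_string(raw: bytes) -> bytes:
    """What a null-terminated string keeps: the bytes before the first 0x00."""
    return raw.split(b"\x00", 1)[0]

def profile_hitting_null(key: bytes, prefix: bytes, suffix: bytes) -> bytes:
    """Constructed input: the byte after `prefix` equals the keystream byte
    at that position, so its ciphertext byte is exactly 0x00."""
    keystream = rc4(key, bytes(len(prefix) + 1))
    return prefix + keystream[-1:] + suffix

def save_profile(key: bytes, profile: bytes, nonce: bytes = None) -> str:
    """Encrypt under a per-file key; return hex text, which cannot contain 0x00."""
    nonce = os.urandom(16) if nonce is None else nonce
    file_key = hashlib.sha256(key + nonce).digest()  # assumed nonce construction
    return (nonce + rc4(file_key, profile)).hex()

def load_profile(key: bytes, stored: str) -> bytes:
    """Split off the nonce, rebuild the per-file key, decrypt."""
    raw = bytes.fromhex(stored)
    nonce, ciphertext = raw[:16], raw[16:]
    return rc4(hashlib.sha256(key + nonce).digest(), ciphertext)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    profile = profile_hitting_null(key, b"user=ag;", b";score=42")
    raw = rc4(key, profile)
    print("raw bytes kept by a C string:", len(as_c_string(raw)), "of", len(raw))
    print("hex form round-trips:", load_profile(key, save_profile(key, profile)) == profile)
```

The hex string doubles the stored size but contains only the characters 0-9 and a-f, so it survives any string type or text-file API unchanged.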