[osflash] RTMP protocol handshake data
Dominick Accattato
daccattato at gmail.com
Sun Sep 3 10:25:47 EDT 2006
bravo Yves!
On 9/3/06, Yves Kavanovich <ydk at youfailit.com> wrote:
>
> Hello,
>
> After some reverse engineering of the Flash Player and Flash Media Server for
> Windows I have further information on how the RTMP handshake data is
> constructed.
>
> From http://www.osflash.org/rtmp/protocol we already know that both the
> client and server generate a chunk of 1536 (0x600) bytes each that each side
> must respond with for the handshake to succeed.
>
> The format of this chunk is the same from client and server:
>
> Bytes 0 to 3      A 32-bit integer holding the system uptime in
>                   milliseconds, stored in big-endian format
>
> Bytes 4 to 7      Always zero
>
> Bytes 8 to 1535   Pseudo-random sequence as described below
>
>
> The last 1528 bytes of the data are constructed using a pseudo-random number
> generator seeded with the least significant byte of the system uptime.
>
> C code to make the entire chunk is as follows:
>
> #include <windows.h>
> #include <mmsystem.h>   /* timeGetTime(); link with winmm.lib */
>
> unsigned char chunk[1536];
> unsigned int i, p, su;   /* unsigned: 12111221 * p overflows a signed int for p >= 178 */
>
> /* retrieve the system uptime (milliseconds since Windows started) */
> su = timeGetTime();
>
> /* set first four bytes to system uptime as big-endian */
> chunk[0] = (su >> 24) & 0xff;
> chunk[1] = (su >> 16) & 0xff;
> chunk[2] = (su >> 8) & 0xff;
> chunk[3] = su & 0xff;
>
> /* zero next four bytes */
> for (i = 4; i < 8; i++) {
>     chunk[i] = 0;
> }
>
> /* seed the PRNG with the least significant byte of the uptime */
> p = su % 256;
>
> /* fill every other byte in the rest of the chunk with the
>    pseudo-random sequence (a linear congruential generator reduced
>    mod 256, so only the low byte of p ever matters) */
> for (i = 8; i < 1536; i += 2) {
>     p = (12111221u * p + 1) % 256;
>     chunk[i] = p & 0xff;
> }
>
> However, this only accounts for every other byte in the last 1528, due to the
> "i += 2" in the for loop. The algorithm does not initialise the rest of the
> chunk to any known pattern, so the contents are whatever was in memory
> previous to the chunk memory being allocated. As an example:
>
> **    **    **    **    **    **    **    **
> 5e 00 f7 00 e4 00 35 f8 3a 00 83 f8 e0 05 61 00
> 56 7c 4f 32 1c 7c cd 00 b2 00 5b fc 98 05 79 e3
> 4e 05 a7 00 54 00 65 ff 2a ff 33 00 50 00 91 fc
> 46 05 ff 05 8c 7c fd e4 a2 7c 0b 05 08 7c a9 fd
> **    **    **    **    **    **    **    **
>
> The data in all columns marked with asterisks have been made by the PRNG, and
> all the rest of the data was like that at allocation.
>
> As this is a local variable declaration inside a function, the chunk is
> allocated from the program stack. The uninitialized data you see in a
> handshake packet is return addresses, function parameters and local variable
> allocations previously used in other parts of the program!
>
> YK
>
>
> _______________________________________________
> osflash mailing list
> osflash at osflash.org
> http://osflash.org/mailman/listinfo/osflash_osflash.org
>
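As an added example (not part of Yves's post, and not Flash Player or Flash Media Server code), here is the generator described above written in portable C, together with the two checks it implies for anyone inspecting a captured handshake: whether the even bytes of the random region follow the posted LCG, and how many of the bytes the generator never writes are non-zero, i.e. carry leaked stack contents. The builder takes the uptime as a parameter instead of calling timeGetTime() and writes every byte, so nothing from the stack reaches the wire. The 64-byte sample is the dump from the post (chunk bytes 8 to 71); the uptime value 0x12345678 and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTMP_HANDSHAKE_LEN 1536
#define RTMP_RANDOM_OFFSET 8
#define RTMP_LCG_MULT 12111221u   /* multiplier from the posted generator */

/* One step of the posted generator. Only the low byte matters, and the
   unsigned product stays below 2^32 for p < 256, so no wrap-around issues. */
unsigned int rtmp_lcg_next(unsigned int p) {
    return (RTMP_LCG_MULT * p + 1) & 0xff;
}

/* Build a handshake chunk from a caller-supplied uptime (assumption: passed in
   rather than read from timeGetTime(), so this runs anywhere). Every byte is
   written: the odd bytes the posted code skips are zeroed. */
void rtmp_build_chunk(uint32_t uptime_ms, unsigned char chunk[RTMP_HANDSHAKE_LEN]) {
    unsigned int p;
    size_t i;

    memset(chunk, 0, RTMP_HANDSHAKE_LEN);      /* bytes 4..7 and all odd bytes stay zero */
    chunk[0] = (uptime_ms >> 24) & 0xff;
    chunk[1] = (uptime_ms >> 16) & 0xff;
    chunk[2] = (uptime_ms >> 8) & 0xff;
    chunk[3] = uptime_ms & 0xff;

    p = uptime_ms & 0xff;                      /* seed: least significant byte of the uptime */
    for (i = RTMP_RANDOM_OFFSET; i < RTMP_HANDSHAKE_LEN; i += 2) {
        p = rtmp_lcg_next(p);
        chunk[i] = (unsigned char)p;
    }
}

/* Checks over a captured chunk's random region (region[0] is chunk byte 8). */

/* Number of even-indexed bytes that do not follow the LCG from the previous
   even byte; 0 means the region is consistent with the posted generator. */
size_t rtmp_lcg_mismatches(const unsigned char *region, size_t len) {
    size_t i, bad = 0;
    for (i = 0; i + 2 < len; i += 2) {
        if (region[i + 2] != rtmp_lcg_next(region[i])) bad++;
    }
    return bad;
}

/* Number of odd-indexed bytes that are non-zero. The generator never writes
   these, so in a chunk from the posted code they are whatever was on the stack. */
size_t rtmp_unwritten_nonzero(const unsigned char *region, size_t len) {
    size_t i, n = 0;
    for (i = 1; i < len; i += 2) {
        if (region[i] != 0) n++;
    }
    return n;
}

/* 1 if the first PRNG byte (chunk[8]) is derived from the uptime's low byte
   (chunk[3]) as the post describes, 0 otherwise. */
int rtmp_seed_consistent(const unsigned char chunk[RTMP_HANDSHAKE_LEN]) {
    return chunk[RTMP_RANDOM_OFFSET] == rtmp_lcg_next(chunk[3]);
}

/* Build a chunk for the given uptime and return 1 if it passes every check. */
int rtmp_self_check(uint32_t uptime_ms) {
    unsigned char chunk[RTMP_HANDSHAKE_LEN];
    const size_t region_len = RTMP_HANDSHAKE_LEN - RTMP_RANDOM_OFFSET;
    rtmp_build_chunk(uptime_ms, chunk);
    return rtmp_seed_consistent(chunk)
        && rtmp_lcg_mismatches(chunk + RTMP_RANDOM_OFFSET, region_len) == 0
        && rtmp_unwritten_nonzero(chunk + RTMP_RANDOM_OFFSET, region_len) == 0;
}

/* The four dump rows from the post: chunk bytes 8..71 of a captured handshake. */
const unsigned char rtmp_posted_dump[64] = {
    0x5e,0x00,0xf7,0x00,0xe4,0x00,0x35,0xf8,0x3a,0x00,0x83,0xf8,0xe0,0x05,0x61,0x00,
    0x56,0x7c,0x4f,0x32,0x1c,0x7c,0xcd,0x00,0xb2,0x00,0x5b,0xfc,0x98,0x05,0x79,0xe3,
    0x4e,0x05,0xa7,0x00,0x54,0x00,0x65,0xff,0x2a,0xff,0x33,0x00,0x50,0x00,0x91,0xfc,
    0x46,0x05,0xff,0x05,0x8c,0x7c,0xfd,0xe4,0xa2,0x7c,0x0b,0x05,0x08,0x7c,0xa9,0xfd,
};

int main(void) {
    printf("posted dump: %zu LCG mismatches, %zu non-zero unwritten bytes of 32\n",
           rtmp_lcg_mismatches(rtmp_posted_dump, sizeof rtmp_posted_dump),
           rtmp_unwritten_nonzero(rtmp_posted_dump, sizeof rtmp_posted_dump));
    printf("built chunk for uptime 0x12345678 passes all checks: %d\n",
           rtmp_self_check(0x12345678u));   /* constructed uptime value */
    return 0;
}
```

Run against the posted dump, the mismatch count is 0 (every even byte is the LCG successor of the one before it, confirming the multiplier and the mod-256 reduction), while 21 of the 32 unwritten bytes are non-zero, which is the stack residue the post describes. A chunk from the builder above passes the seed check with zero mismatches and zero non-zero unwritten bytes.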