OpenChess

Posted: **Sat Jan 21, 2012 7:15 pm**

You've heard about hex-edited Houdini 1.5a, Deep Matrix, that came out the other day which is the work of a guy who am sure didn't really know what he was doing -- it has to be a guy because no woman on planet earth would waste her time with such useless and fruitless endeavor:

--- H.exe	2011-07-14 07:37:56.000000000 -0400
+++ D.exe	2011-10-11 17:18:34.000000000 -0400
@@ -5215,2 +5215,2 @@
-      depth       movetime    wtime   btime   winc    binc        movestogo       searchmoves ponder      infinite        ERROR: invalid go string <%s>   id name Houdini 1.5a x64
-       id author       option name Hash type spin min 4 max %d default 128
+      depth       movetime    wtime   btime   winc    binc        movestogo       searchmoves ponder      infinite        ERROR: invalid go string <%s>   id name Deep Matrix 3000
+       id author       option name Hash type spin min 4 max %d default 256
@@ -5226,2 +5226,2 @@
- option name Hard_Probe_Depth type spin min 2 max 99 default 24
- option name Soft_Probe_Depth type spin min 2 max 99 default 16
+ option name Hard_Probe_Depth type spin min 2 max 99 default 50
+ option name Soft_Probe_Depth type spin min 2 max 99 default 25
@@ -5235,2 +5235,2 @@
-        ONE white king required ONE black king required Too many white pieces   Too many black pieces   Too many white pawns    Too many black pawns    Too many white queens   Too many black queens   Too many white rooks    Too many black rooks    Too many white bishops  Too many black bishops  Too many white knights  Too many black knights  Pawn at rank 1 or 8     Illegal castling        Black king can be captured      White king can be captured      Houdini 1.5a x64        
-(c) 2010-11    
+        ONE white king required ONE black king required Too many white pieces   Too many black pieces   Too many white pawns    Too many black pawns    Too many white queens   Too many black queens   Too many white rooks    Too many black rooks    Too many white bishops  Too many black bishops  Too many white knights  Too many black knights  Pawn at rank 1 or 8     Illegal castling        Black king can be captured      White king can be captured      Deep Matrix 3000        
+(c) 2011-21    
@@ -5249 +5249 @@
-             à?      ð?      p@     @@      ðC        333333ó?333?    ffffffæ?33³?    ffffffö?  €?        €„.AÍÌÌÌÌÌð?Ô!@           e+000   log log10   1#QNAN  1#INF   1#IND   1#SNAN      _nextafter  _logb   _yn _y1 _y0 frexp   fmod    _hypot  _cabs   ldexp   modf    fabs    floor   ceil    tan cos sin sqrt    atan2   atan    acos    asin    tanh    cosh    sinh    pow exp             ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃRSDSU‡ìªþöD¨¥H) x¸   C:\Data\Robert\Schaak\Houdini\VS\x64\Release\Houdini_64.pdb                                         ’p0P Bp0  ¼‰    ] O] À[      2P t d
+             à?      ð?      p@     @@      ðC        333333ó?333?    ffffffæ?33³?    ffffffö?  €?        €„.AÍÌÌÌÌÌð?Ô!@           e+000   log log10   1#QNAN  1#INF   1#IND   1#SNAN      _nextafter  _logb   _yn _y1 _y0 frexp   fmod    _hypot  _cabs   ldexp   modf    fabs    floor   ceil    tan cos sin sqrt    atan2   atan    acos    asin    tanh    cosh    sinh    pow exp             ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃRSDSU‡ìªþöD¨¥H) x¸   C:\Data\OMeara\Schaak\DMatrix\VS\x64\Release\DeepMatrix.pdb                                         ’p0P Bp0  ¼‰    ] O] À[      2P t d

It was quite easy to catch because if you ran the executable, the "id author" field gave it away.

Robert has employed a little neat loop trick iterated 14 times to generate "Robert Houdart" at run-time, so the guy could not find the strings to change.

This is not a bad idea to deter the silliness, although not enough to stop one who knows what to do, but then if you already know what to do, you would't waste time on such nonsense.

Code: Select all

sub_reveal_my_name                  
                                        
push    ebx
mov     bl, 0A7h
xor     ecx, ecx
jmp     short loc_gen_name_loop

loc_gen_name_loop:             

mov     eax, 151D07EBh
imul    ds:dword_13ECC80[ecx*4]
sar     edx, 3
mov     eax, edx
shr     eax, 1Fh
add     eax, edx
add     bl, al
mov     [ecx+esi], bl
inc     ecx
cmp     ecx, 0Eh
jl      short loc_gen_name_loop
mov     byte ptr [esi+0Eh], 0
pop     ebx
retn
sub_reveal_my_name endp

Instruction                     	Result                                  	
call    sub_D3A250              	ESP=0034FD74                            	
push    ebx                     	ESP=0034FD70                            	
mov     bl, 0A7h                	EBX=7EFDE0A7                            	
xor     ecx, ecx                	ECX=00000000 PF=1 ZF=1                  	
jmp     short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=00000759 EDX=00000558 CF=1 OF=1     	
sar     edx, 3                  	EDX=000000AB CF=0 PF=0 AF=1 ZF=0 OF=0   	
mov     eax, edx                	EAX=000000AB                            	
shr     eax, 1Fh                	EAX=00000000 PF=1 ZF=1                  	
add     eax, edx                	EAX=000000AB PF=0 AF=0 ZF=0             	
add     bl, al                  	EBX=7EFDE052 CF=1 AF=1 OF=1             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000001 AF=0 OF=0                  	
cmp     ecx, 0Eh                	PF=1 AF=1 SF=1                          	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
mul     ds:dword_D4CC80[ecx*4]  	EAX=0000013F EDX=000000E8 OF=1          	
sar     edx, 3                  	EDX=0000001D CF=0 SF=0 OF=0             	
mov     eax, edx                	EAX=0000001D                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=0000001D AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE06F                             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000002 PF=0                       	
cmp     ecx, 0Eh                	CF=1 AF=1 SF=1                          	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=FFFFFF71 EDX=FFFFFF97 OF=1          	
sar     edx, 3                  	EDX=FFFFFFF2 OF=0                       	
mov     eax, edx                	EAX=FFFFFFF2                            	
shr     eax, 1Fh                	EAX=00000001 SF=0                       	
add     eax, edx                	EAX=FFFFFFF3 CF=0 PF=1 AF=0 SF=1        	
add     bl, al                  	EBX=7EFDE062 CF=1 PF=0 AF=1 SF=0        	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000003 PF=1 AF=0                  	
cmp     ecx, 0Eh                	AF=1 SF=1                               	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=00000021 EDX=00000018 OF=1          	
sar     edx, 3                  	EDX=00000003 CF=0 SF=0 OF=0             	
mov     eax, edx                	EAX=00000003                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=00000003 AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE065                             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000004 PF=0                       	
cmp     ecx, 0Eh                	CF=1 PF=1 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=0000008F EDX=00000068 OF=1          	
sar     edx, 3                  	EDX=0000000D CF=0 PF=0 SF=0 OF=0        	
mov     eax, edx                	EAX=0000000D                            	
shr     eax, 1Fh                	EAX=00000000 PF=1 ZF=1                  	
add     eax, edx                	EAX=0000000D PF=0 AF=0 ZF=0             	
add     bl, al                  	EBX=7EFDE072 PF=1 AF=1                  	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000005 AF=0                       	
cmp     ecx, 0Eh                	CF=1 PF=0 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=00000016 EDX=00000010 OF=1          	
sar     edx, 3                  	EDX=00000002 CF=0 SF=0 OF=0             	
mov     eax, edx                	EAX=00000002                            	
shr     eax, 1Fh                	EAX=00000000 PF=1 ZF=1                  	
add     eax, edx                	EAX=00000002 PF=0 AF=0 ZF=0             	
add     bl, al                  	EBX=7EFDE074 PF=1                       	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000006                            	
cmp     ecx, 0Eh                	CF=1 PF=0 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=FFFFFC64 EDX=FFFFFD5F OF=1          	
sar     edx, 3                  	EDX=FFFFFFAB OF=0                       	
mov     eax, edx                	EAX=FFFFFFAB                            	
shr     eax, 1Fh                	EAX=00000001 SF=0                       	
add     eax, edx                	EAX=FFFFFFAC CF=0 PF=1 AF=0 SF=1        	
add     bl, al                  	EBX=7EFDE020 CF=1 PF=0 AF=1 SF=0        	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000007 AF=0                       	
cmp     ecx, 0Eh                	PF=1 AF=1 SF=1                          	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=000001B8 EDX=00000140 OF=1          	
sar     edx, 3                  	EDX=00000028 CF=0 SF=0 OF=0             	
mov     eax, edx                	EAX=00000028                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=00000028 AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE048                             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000008 PF=0                       	
cmp     ecx, 0Eh                	CF=1 PF=1 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=000001AD EDX=00000138 OF=1          	
sar     edx, 3                  	EDX=00000027 CF=0 SF=0 OF=0             	
mov     eax, edx                	EAX=00000027                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=00000027 AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE06F                             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=00000009                            	
cmp     ecx, 0Eh                	CF=1 PF=0 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=00000042 EDX=00000030 OF=1          	
sar     edx, 3                  	EDX=00000006 CF=0 PF=1 SF=0 OF=0        	
mov     eax, edx                	EAX=00000006                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=00000006 AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE075 PF=0 AF=1                  	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=0000000A PF=1 AF=0                  	
cmp     ecx, 0Eh                	CF=1 AF=1 SF=1                          	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=FFFFFF45 EDX=FFFFFF77 OF=1          	
sar     edx, 3                  	EDX=FFFFFFEE OF=0                       	
mov     eax, edx                	EAX=FFFFFFEE                            	
shr     eax, 1Fh                	EAX=00000001 PF=0 SF=0                  	
add     eax, edx                	EAX=FFFFFFEF CF=0 AF=0 SF=1             	
add     bl, al                  	EBX=7EFDE064 CF=1 AF=1 SF=0             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=0000000B AF=0                       	
cmp     ecx, 0Eh                	AF=1 SF=1                               	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=FFFFFFDF EDX=FFFFFFE7 OF=1          	
sar     edx, 3                  	EDX=FFFFFFFC PF=1 OF=0                  	
mov     eax, edx                	EAX=FFFFFFFC                            	
shr     eax, 1Fh                	EAX=00000001 PF=0 SF=0                  	
add     eax, edx                	EAX=FFFFFFFD CF=0 AF=0 SF=1             	
add     bl, al                  	EBX=7EFDE061 CF=1 AF=1 SF=0             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=0000000C PF=1 AF=0                  	
cmp     ecx, 0Eh                	PF=0 AF=1 SF=1                          	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=000000BB EDX=00000088 OF=1          	
sar     edx, 3                  	EDX=00000011 CF=0 PF=1 SF=0 OF=0        	
mov     eax, edx                	EAX=00000011                            	
shr     eax, 1Fh                	EAX=00000000 ZF=1                       	
add     eax, edx                	EAX=00000011 AF=0 ZF=0                  	
add     bl, al                  	EBX=7EFDE072                             	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=0000000D PF=0                       	
cmp     ecx, 0Eh                	CF=1 PF=1 AF=1 SF=1                     	
jl      short loc_D3A260        	                                        	
mov     eax, 151D07EBh          	EAX=151D07EB                            	
imul    ds:dword_D4CC80[ecx*4]  	EAX=00000016 EDX=00000010 OF=1          	
sar     edx, 3                  	EDX=00000002 CF=0 PF=0 SF=0 OF=0        	
mov     eax, edx                	EAX=00000002                            	
shr     eax, 1Fh                	EAX=00000000 PF=1 ZF=1                  	
add     eax, edx                	EAX=00000002 PF=0 AF=0 ZF=0             	
add     bl, al                  	EBX=7EFDE074 PF=1                       	
mov     [ecx+esi], bl           	                                        	
inc     ecx                     	ECX=0000000E PF=0                       	
cmp     ecx, 0Eh                	PF=1 ZF=1                               	
jl      short loc_D3A260        	                                        	
mov     byte ptr [esi+0Eh], 0   	                                        	
pop     ebx                     	EBX=7EFDE000 ESP=0034FD74               	
retn                            	ESP=0034FD78

Posted: **Sat Jan 21, 2012 7:54 pm**

I'm sure Robert Houdart is thrilled that you've posted this.

Posted: **Sat Jan 21, 2012 7:55 pm**

zullil wrote:I'm sure Robert Houdart is thrilled that you've posted this.

The code is not posted for such reason, and only the assembly. Even if the equivalent C code were posted, it changes nothing. One who knows what to do, already knew, or will immediately find out.

Posted: **Sun Jan 22, 2012 12:28 am**

But you've gotten rid of "people that didn't know what to look for", as they do now after reading your message.

Posted: **Sun Jan 22, 2012 4:37 am**

Uly wrote:But you've gotten rid of "people that didn't know what to look for", as they do now after reading your message.

This is not "rocket science". For YEARS, people have actually built instructions, stored them in memory, and then executed them, to do such things. Such as check for an expiration date. Or check for a bad sector on a CD (a sector INTENTIONALLY corrupted and used as a verification that the user has an original disk (since a bad sector can't be copied). There's not a thing new in this idea. And such "tests" have been getting cracked for as long as I can remember. I have done a BUNCH of those myself... I wanted to be able to play Falcon on my laptop, with an extra battery in the CD drive slot. Program insisted that the CD be available. I insisted that the battery be available. I won. Many more examples...

Posted: **Sun Jan 22, 2012 5:14 am**

Dear KLO,

I think this is a bit over-the-top. Maybe leaving RH at peace is a better idea. Everyone (who wanted to listen) knows the truth about H1.03 and IMO there is no need to pursue the matter further...

Posted: **Sun Jan 22, 2012 7:23 am**

And then there will be people stuck saying that since Houdini's source is not available, that you can't prove it's a clone, and only speculate...

Posted: **Sun Jan 22, 2012 5:13 pm**

Richard Vida wrote:Dear KLO,

I think this is a bit over-the-top. Maybe leaving RH at peace is a better idea. Everyone (who wanted to listen) knows the truth about H1.03 and IMO there is no need to pursue the matter further...

Hi Richard, this was not an attempt to re-litigate Houdini's history, it was a mockery at the individual who got caught and how easily it was. The post shows the handful of changes (diff output) compared to the hex-edited version, and then discussed how method used to discourage such behaviour is a good idea. Perhaps I'm missing exactly what was over-the-top...

Uly wrote:But you've gotten rid of "people that didn't know what to look for", as they do now after reading your message.

I seriously doubt that.

Posted: **Sun Jan 22, 2012 6:22 pm**

kingliveson wrote:You've heard about hex-edited Houdini 1.5a, Deep Matrix, that came out the other day which is the work of a guy who am sure didn't really know what he was doing -- it has to be a guy because no woman on planet earth would waste her time with such useless and fruitless endeavor:

--- H.exe	2011-07-14 07:37:56.000000000 -0400
+++ D.exe	2011-10-11 17:18:34.000000000 -0400
@@ -5215,2 +5215,2 @@
-      depth       movetime    wtime   btime   winc    binc        movestogo       searchmoves ponder      infinite        ERROR: invalid go string <%s>   id name Houdini 1.5a x64
-       id author       option name Hash type spin min 4 max %d default 128
+      depth       movetime    wtime   btime   winc    binc        movestogo       searchmoves ponder      infinite        ERROR: invalid go string <%s>   id name Deep Matrix 3000
+       id author       option name Hash type spin min 4 max %d default 256
@@ -5226,2 +5226,2 @@
- option name Hard_Probe_Depth type spin min 2 max 99 default 24
- option name Soft_Probe_Depth type spin min 2 max 99 default 16
+ option name Hard_Probe_Depth type spin min 2 max 99 default 50
+ option name Soft_Probe_Depth type spin min 2 max 99 default 25
@@ -5235,2 +5235,2 @@
-        ONE white king required ONE black king required Too many white pieces   Too many black pieces   Too many white pawns    Too many black pawns    Too many white queens   Too many black queens   Too many white rooks    Too many black rooks    Too many white bishops  Too many black bishops  Too many white knights  Too many black knights  Pawn at rank 1 or 8     Illegal castling        Black king can be captured      White king can be captured      Houdini 1.5a x64        
-(c) 2010-11    
+        ONE white king required ONE black king required Too many white pieces   Too many black pieces   Too many white pawns    Too many black pawns    Too many white queens   Too many black queens   Too many white rooks    Too many black rooks    Too many white bishops  Too many black bishops  Too many white knights  Too many black knights  Pawn at rank 1 or 8     Illegal castling        Black king can be captured      White king can be captured      Deep Matrix 3000        
+(c) 2011-21    
@@ -5249 +5249 @@
-             à?      ð?      p@     @@      ðC        333333ó?333?    ffffffæ?33³?    ffffffö?  €?        €„.AÍÌÌÌÌÌð?Ô!@           e+000   log log10   1#QNAN  1#INF   1#IND   1#SNAN      _nextafter  _logb   _yn _y1 _y0 frexp   fmod    _hypot  _cabs   ldexp   modf    fabs    floor   ceil    tan cos sin sqrt    atan2   atan    acos    asin    tanh    cosh    sinh    pow exp             ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃRSDSU‡ìªþöD¨¥H) x¸   C:\Data\Robert\Schaak\Houdini\VS\x64\Release\Houdini_64.pdb                                         ’p0P Bp0  ¼‰    ] O] À[      2P t d
+             à?      ð?      p@     @@      ðC        333333ó?333?    ffffffæ?33³?    ffffffö?  €?        €„.AÍÌÌÌÌÌð?Ô!@           e+000   log log10   1#QNAN  1#INF   1#IND   1#SNAN      _nextafter  _logb   _yn _y1 _y0 frexp   fmod    _hypot  _cabs   ldexp   modf    fabs    floor   ceil    tan cos sin sqrt    atan2   atan    acos    asin    tanh    cosh    sinh    pow exp             ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃRSDSU‡ìªþöD¨¥H) x¸   C:\Data\OMeara\Schaak\DMatrix\VS\x64\Release\DeepMatrix.pdb                                         ’p0P Bp0  ¼‰    ] O] À[      2P t d

It was quite easy to catch because if you ran the executable, the "id author" field gave it away.

I still don't understand why you decided to go beyond this. What is the point of revealing specifically why the cloning attempt failed?

Then again, the type of cloner caught in this case probably wouldn't benefit from the information you've revealed.

Posted: **Mon Jan 23, 2012 6:57 am**

kingliveson wrote:I seriously doubt that.

It's quite clear future cloners that would have committed that mistake will no longer do it after reading your message.

This deterrent is gone.

OpenChess

Not So Deep Matrix

Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix

Re: Not So Deep Matrix