

Ask HN: Would you like to play a game? - junto

I am trying to figure out an encoding scheme for a set of game codes. Example codes are below:
ATTK-21BU-F1QI<p>AINY-X1CG-Y1RZ<p>A61X-F1AL-S1S3<p>ALW6-M1D7-41K1<p>AJNE-V1WQ-C136<p>ADQX-J16S-S1CQ<p>AYR2-J1RA-Z1NJ<p>AQNB-6127-B12G<p>AXME-V1EU-41MK<p>ACE4-31SC-617S<p>AHT8-H1Q6-E1VS<p>AVTT-Y1ZR-D1N7<p>A9XG-G1PG-S1D1<p>AX6T-713S-M1TI<p>AY5N-A12B-11IY<p>AT6W-F1VT-H1MN<p>AW5S-G1XA-41HJ<p>AKXC-81NL-I1C2<p>AAZ7-R1BF-F1FH<p>AW6E-T1RH-H16C<p>AQYP-F13T-H14B<p>ABIA-41JK-Y1AS<p>AERU-B1TV-61ZR<p>A844-Z1H3-91BH<p>A861-416A-L1UG<p>AEIH-V1DP-61LC<p>ALS8-61UG-41JA<p>My first guess was that it was a base 36 encoded integer. But I cannot seem to generate the next in the sequence by adding 1 (or 100 or 1000) to the base10 equivalent, so I assume this is more complex. Maybe part of this code is a check digit or check sum (Luhn mod N maybe)?<p>I&#x27;d love to figure this out. Does anyone recognize this kind of encoding scheme offhand?<p>The only thing I noted was that the first letter always starts with A!
======
sklivvz1971
I wrote a similar scheme for UEFA and Euro stickers in 2008. If they use the
same scheme, it's a simple numeric sequence encoded via a PRP.

So basically we took numbers from, say 1000 to 3000 as "valid" codes, used a
modified implementation of RSA to encrypt them to numbers in a specifically
sized domain and then base-30 encoding them, to exclude pairs of hard to
distinguish digits and numbers (5 and S, 1 and I, 0 and O).

To validate the codes, the code needs to decrypt the number and verify that
the value is within our allowed range (in this example, 1000 to 3000).

This is relatively safe if the domain is big enough that random guessing has a
very low probability of hitting a valid code. On the other hand, the domain
needs to me small enough that the codes can be easily typed, typically 12
digits is way more than we would have done.

~~~
junto
By PRP do you mean "Pseudo Random Permutation"?

Would you be able to outline some psuedo code to explain your answer?

I tried out the codes from this rather spammy page on the FIFA stickers app
([http://en.stickeralbum.fifa.com/](http://en.stickeralbum.fifa.com/)), and
they always seem to work, so it appears that the person that put it together
has either figured out the algorithm, or knows what it was to start with!

~~~
sklivvz1971
Yes, pseudo-random permutation.

The basic algorithm goes like this. To generate the codes

    
    
        generate_codes(range valid_range)
    
          for(i in valid_range)
            encoded = RSA.Encode(key, i)
            code = base32.Encode(encoded)
            print code
    

and then, to verify a code

    
    
        verify(string code, range valid_range)
    
          encoded = base32.Decode(code)
          value = RSA.Decode(key, encoded)
    
          return valid_range.contains(value)
    

where of course RSA is an implementation of
[http://en.wikipedia.org/wiki/RSA_(cryptosystem)](http://en.wikipedia.org/wiki/RSA_\(cryptosystem\))
and base32 refers to
[http://en.wikipedia.org/wiki/Base32](http://en.wikipedia.org/wiki/Base32).

On top of that, we needed codes to be of a specified maximum length and with a
specified alphabet. Thus, instead of base32 we used a different base with
different letters, but the same algorithm. To fix the length of the codes, we
needed the output of RSA encode to be less than a specific value. In RSA this
can be controlled by choosing the modulus part of the key.

There are more subtleties to this, but the gist is there.

~~~
junto
Thanks for this. Very interesting.

I assume that without the RSA key I cannot generate these codes myself then,
even if I was to guess at the range?

~~~
sklivvz1971
Yes, that's the idea :-)

~~~
junto
Ok, thus, if a similar scheme is being used for the FIFA stickers, the person
that put this together
([http://fifapaninicode7.appspot.com/](http://fifapaninicode7.appspot.com/))
must know the RSA key!

~~~
kaoD
Did you check that these codes work and are not just a ruse?

~~~
junto
They do work.

------
benvan
From eyeballing, pattern is always: Axxx-x1xx-x1xx

------
jgrahamc
It's not base 36 since there are only 34 distinct characters here (there's the
entire alphabet and digits except for 0 and O).

What is this from?

Some game codes actually consists of a memory address and data to write into
that address so you wouldn't expect there to be a simple sequence.

~~~
junto
I'm trying to figure out how these FIFA online sticker codes have been
generated: Warning Ads! Disable JavaScript.

[http://fifapaninicode7.appspot.com/](http://fifapaninicode7.appspot.com/)

I was trying to figure out how they cracked it. Was harder than I thought.
Thought I'd ask the brains on HN! :-)

~~~
junto
And here's some code I was mucking around with:

[https://dotnetfiddle.net/lSHie4](https://dotnetfiddle.net/lSHie4)

A couple of things caught my interest so far as possibles:

[http://en.wikipedia.org/wiki/International_Securities_Identi...](http://en.wikipedia.org/wiki/International_Securities_Identification_Number)

[http://en.wikipedia.org/wiki/Base_36#Uses_in_practice](http://en.wikipedia.org/wiki/Base_36#Uses_in_practice)

------
metaobject
How about Global Thermonuclear War?

~~~
junto
I wondered if anyone would get the reference :-)

------
jcr
Given "ALS8-61UG-41JA" is separated into blocks by "-" the second character of
block #2 ("-61UG-") and block #3 ("41JA") is always "1" in the examples you
posted.

------
kaoD
Are these codes generated from a binary which you have access to? You might
have an easier time reverse-engineering it, if your local laws allows to do
so.

~~~
junto
For the source of these codes, check out my answer here:
[https://news.ycombinator.com/item?id=8113746](https://news.ycombinator.com/item?id=8113746)

------
bugmen0t
Are these codes in any particular order?

~~~
junto
Nope. Just generated at random. See my answer above for the source of those
codes.

