[marshray]

I haven't made it through your crypto challenges, so perhaps someone could explain this to me

https://github.com/mothran/bunny/blob/master/proposal.txt :

> To detect a bunny specific packet, each outbound packet is resized to match pre determined pack_len % mod = remainder values. Then when looking for packet bunny just tests each packets length against the modulus and remainder values.

https://github.com/mothran/bunny/blob/master/libbunny/SendRe... :

    if (round( (size - 4) % MODULUS, 2) == REMAINDER):
        print "pack num: %d, " % n 

https://github.com/mothran/bunny/blob/master/libbunny/config... :

    MODULUS = 1.21
    REMAINDER = 0.85

What?!

[mothran]

Ok so the code is a bit weird in that section because of issues with different wifi chipsets (thus the -4). Sorry about the messy code, I would barely call Bunny alpha.

The mod/remainder values are agreed upon by the network operators, that is why they are in config.

The length % mod == remainder trick for detecting packets was inspired by the KIS rootkit in the later 90's. http://packetstormsecurity.com/files/25029/kis-0.9.tar.gz.ht...

[marshray]

It's not the -4 that's weird, it's the modulus and remainder with floating point arithmetic.

[andrewcooke]

agree it's odd, but it's basically 100 * (len - 4) % 121 = 85

(I think?)

(yes, I know about rounding, fractions, different bases - I was just trying to explain why it still worked. sigh.)

[marshray]

No, actually they're different. http://floating-point-gui.de/ http://web.cse.msu.edu/~cse320/Documents/FloatingPoint.pdf

If you know enough about floating point to prove that the rounding will always give you the correct answer, then probably you would have just used the integer representation to begin with.