[ANN] Qora | Released 16 May | 100% POS | New Source

[twospirit]

nice price recovery, hodl strong!

[wizzardTim]

Crap, I set my buy order to low.  I am hoping to get a 1% safety net before I release, but I think I can do without.  I have time so I may move my funds back to Nxt (taking 7% profit!) Which I can use in the future, but who knows if Nxt is near it's bottom.  I might just hold my BTC.

FYI, I inspected the QORA code and Qora was telling the truth (not that I doubted,) there is no API implemented in the code for the AE so this isn't a problem of lack of documentation.  If I actually finish this project and Qora hasn't updated the client API, I might decompile the app to source, annotate the ofuscated code around what manages the AE GUI and API and see if I can hack together my own client/API.

Again, I'm not a Java dev (c# guy...) but I think I could do it so long as it's easy to recompile the decompiled source.  To be sure, I'm a ways off from being finished with this project.  I keep thinking of more ways to improve the service for both myself and for future-users and that compounds requirements.

Also, I am going to continue to stay mostly silent because I don't want to instigate a pump that could easily deflate if it takes me a long time to release my work.  I, too, am a weekend coder and sometimes there are delays.  However, once I feel that my work is 60-70% complete and that I've done enough work that it would be tough for a competitor to catch up, then I may make a pre-ann to all boards that this applies too.  The good news is I'm not going to need an IPO or any form of fund raising.  I think this service can be self-sustaining from the revenue it receives from day #1.

Good to know that you inspected the code!!! I never had doubts about qora  


I am very happy with the news!

[TwinWinNerD]

Question, when looking at obfuscated code, what exactly are you able to see? Can you extract the whole sourcecode from that?

[rlh]

Question, when looking at obfuscated code, what exactly are you able to see? Can you extract the whole sourcecode from that?

Of course, but instead of seeing code that looks like:

public class Assets
{
    private int WellDescribedVariable;
    public bool WalletManagesAssets()
    {
        ...
    }
    ...
}

You see something illegible like:

public class a
{
    private int b;
    public bool c()
    {
        ...
    }
    ...
}

This is because qora passes the code through a process called an obfuscator, before compiling.

Java (like .Net) is a framework, not a bytewise compiler.  Code is basically converted to some form of intermediate code that is easily converted to bytecode by the end-users Java Runtime.  You can decompile these intermediate objects and view the (near) full source if you don't obfuscate the code.

Qora, and many others, do this to protect their code.  Still, this isn't bullet proof, but it does dramatically raise the barrier for someone to easily fork your work and build something "new" (ahem, a clone coin) from it.

[TwinWinNerD]

Awesome, great answer.

So just by looking at this you can be 100% sure that it is original code!

[rlh]

Awesome, great answer.

So just by looking at this you can be 100% sure that it is original code!

I didn't say that (sorry, I'm hyper-objective) but I am highly suspect that it is original.  Still, your question makes me want to look into this issue just to put it to rest.  I think tonight I may take a moment to see If I can find portions of the Qora code that are easily discernable and distinguishable and compare them to Nxt.

Specifically, I'll try to find and dig into the crypto code.  If Qora is building and signing this data using different mechanisms and algorthims from Nxt then that should be pretty darn good evidence that the code is unique.

Personally, I'm fairly confident that Qora is unique and is not a fork of Nxt.  Still, I can't make that claim with certainty until I take the neccessary steps to inspect and compare the code.

If I take this upon myself, I'll start a new thread and I'll post what I find with verifiable results.  If my conclusions are incorrect, people will be able to follow my work and verify/criticize my conclusion(s).

Yay, forensic coding!! . This should be fun.

[TwinWinNerD]

That sounds amazing. Thank you for doing this.

[twospirit]

Awesome, great answer.

So just by looking at this you can be 100% sure that it is original code!

I didn't say that (sorry, I'm hyper-objective) but I am highly suspect that it is original.  Still, your question makes me want to look into this issue just to put it to rest.  I think tonight I may take a moment to see If I can find portions of the Qora code that are easily discernable and distinguishable and compare them to Nxt.

Specifically, I'll try to find and dig into the crypto code.  If Qora is building and signing this data using different mechanisms and algorthims from Nxt then that should be pretty darn good evidence that the code is unique.

Personally, I'm fairly confident that Qora is unique and is not a fork of Nxt.  Still, I can't make that claim with certainty until I take the neccessary steps to inspect and compare the code.

If I take this upon myself, I'll start a new thread and I'll post what I find with verifiable results.  If my conclusions are incorrect, people will be able to follow my work and verify/criticize my conclusion(s).

Yay, forensic coding!! . This should be fun.

good luck 

[helloge]

Crap, I set my buy order to low.  I am hoping to get a 1% safety net before I release, but I think I can do without.  I have time so I may move my funds back to Nxt (taking 7% profit!) Which I can use in the future, but who knows if Nxt is near it's bottom.  I might just hold my BTC.

FYI, I inspected the QORA code and Qora was telling the truth (not that I doubted,) there is no API implemented in the code for the AE so this isn't a problem of lack of documentation.  If I actually finish this project and Qora hasn't updated the client API, I might decompile the app to source, annotate the ofuscated code around what manages the AE GUI and API and see if I can hack together my own client/API.

Again, I'm not a Java dev (c# guy...) but I think I could do it so long as it's easy to recompile the decompiled source.  To be sure, I'm a ways off from being finished with this project.  I keep thinking of more ways to improve the service for both myself and for future-users and that compounds requirements.

Also, I am going to continue to stay mostly silent because I don't want to instigate a pump that could easily deflate if it takes me a long time to release my work.  I, too, am a weekend coder and sometimes there are delays.  However, once I feel that my work is 60-70% complete and that I've done enough work that it would be tough for a competitor to catch up, then I may make a pre-ann to all boards that this applies too.  The good news is I'm not going to need an IPO or any form of fund raising.  I think this service can be self-sustaining from the revenue it receives from day #1.

Good to know that you inspected the code!!! I never had doubts about qora  


I am very happy with the news!

We finally got some guys to inspecting the qora code,
we all believe the qora. more confident now.

[Fry]

Since 18:28 almost all Blocks have been created by:
QPVknSmwDryB98Hh8xB7E6U75dGFYwNkJ4

Have already deleted Data folder and restarted. Same on Qora Blockexplorer http://qora.co.in.

This doesn't really look healthy to me.

rhl have you found and exploited some forging flaw in qora? 

[Tuck Fheman]

Faucet is dry, please donate ... http://qora.co.in/faucet.php

Faucet account: QXbn5VKQLUCbpHbmaQKRRpouTGXLtyWTut
 Remaining balance: 2.5796437 Qora

[Djinou94]

Awesome, great answer.

So just by looking at this you can be 100% sure that it is original code!

I didn't say that (sorry, I'm hyper-objective) but I am highly suspect that it is original.  Still, your question makes me want to look into this issue just to put it to rest.  I think tonight I may take a moment to see If I can find portions of the Qora code that are easily discernable and distinguishable and compare them to Nxt.

Specifically, I'll try to find and dig into the crypto code.  If Qora is building and signing this data using different mechanisms and algorthims from Nxt then that should be pretty darn good evidence that the code is unique.

Personally, I'm fairly confident that Qora is unique and is not a fork of Nxt.  Still, I can't make that claim with certainty until I take the neccessary steps to inspect and compare the code.

If I take this upon myself, I'll start a new thread and I'll post what I find with verifiable results.  If my conclusions are incorrect, people will be able to follow my work and verify/criticize my conclusion(s).

Yay, forensic coding!! . This should be fun.

Cool
In RLH i trust 

[notsoshifty]

Specifically, I'll try to find and dig into the crypto code.  If Qora is building and signing this data using different mechanisms and algorthims from Nxt then that should be pretty darn good evidence that the code is unique.

If you are examining the decompiled code in detail, please try to focus on the forging algorithm. How does a node decide that it can forge a block with its account(s), and similarly how do nodes decide whether to accept/reject a forged block that it receives. It should be possible to describe this in mathematical or pseduo-code terms.

Although I no longer agree with his decision, I can understand why Qora dev has not open-sourced the code. But not to give a technical description of the forging process doesn't inspire confidence, especially when we frequently see strange forging behaviour (such as long chains of blocks forged by a single account). I have no doubt that Qora is new code, but I currently don't have any confidence that it is secure against various attack vectors, i.e. that it is a crypto-currency in any real sense.

[rlh]

Just a quick update, a couple nights ago I found the oldest version of Qora (without a broken download link), the original nxt source and I downloaded and installed some Java dev tools.  I haven't gotten far because I haven't figured out how to turn the decompiled source files into a Java project.

Anyway, I've also been sick for this past week, so other than my real job, I've spent moat of the past 36 hours trying to sleep as much as I can.  I'll keep looking into this as I can because I've had a pretty bad cold.  Nothing to conclude, yet.  As requested, I'll see about looking into the forging code.  No promises, though.  I have a few areas of the app that I want to look at which be easy to tell if they were copies or newly written.

Developers have "fingerprints" of how they write and structure their code.  Using simpler, but necessary, sections of the applications for inspection will make this process a little easier/quicker.

Also, if I'm a little incoherent these next couple of days, please forgive me and blame the cough syrup. O_o

I've been in a fog for the past couple of days and this sucks.

[jabo38]

I am sorry, not everyone can be as sophisticated as you.

I suggest you let go of this handle and continue to swim through this FUD-SEWER only with your multiple sock-puppets!   

Yeah, I have made 4500 posts here, 1200 on nxtforum and several thousand on other crypto forums and I still have time to maintain dozens, DOZENS of sockpuppets.

PS: smaragda is also one of my sockpuppets. Look through his history atleast 100 of his posts are directly connected to me.

Wow that is a lot of posts!

[wizzardTim]

Just a quick update, a couple nights ago I found the oldest version of Qora (without a broken download link), the original nxt source and I downloaded and installed some Java dev tools.  I haven't gotten far because I haven't figured out how to turn the decompiled source files into a Java project.

Anyway, I've also been sick for this past week, so other than my real job, I've spent moat of the past 36 hours trying to sleep as much as I can.  I'll keep looking into this as I can because I've had a pretty bad cold.  Nothing to conclude, yet.  As requested, I'll see about looking into the forging code.  No promises, though.  I have a few areas of the app that I want to look at which be easy to tell if they were copies or newly written.

Developers have "fingerprints" of how they write and structure their code.  Using simpler, but necessary, sections of the applications for inspection will make this process a little easier/quicker.

Also, if I'm a little incoherent these next couple of days, please forgive me and blame the cough syrup. O_o

I've been in a fog for the past couple of days and this sucks.

Get well soon rlh!

[lovewiki]

Just a quick update, a couple nights ago I found the oldest version of Qora (without a broken download link), the original nxt source and I downloaded and installed some Java dev tools.  I haven't gotten far because I haven't figured out how to turn the decompiled source files into a Java project.

Anyway, I've also been sick for this past week, so other than my real job, I've spent moat of the past 36 hours trying to sleep as much as I can.  I'll keep looking into this as I can because I've had a pretty bad cold.  Nothing to conclude, yet.  As requested, I'll see about looking into the forging code.  No promises, though.  I have a few areas of the app that I want to look at which be easy to tell if they were copies or newly written.

Developers have "fingerprints" of how they write and structure their code.  Using simpler, but necessary, sections of the applications for inspection will make this process a little easier/quicker.

Also, if I'm a little incoherent these next couple of days, please forgive me and blame the cough syrup. O_o

I've been in a fog for the past couple of days and this sucks.

Get well soon rlh!

Take a good rest first rlh. We all understand that you can only do it properly with a clear mind. We've waited long for the answer since the start of this Qora project and don't mind to wait for a few more days.

Thanks so much for your efforts.

[twistelaar]

When Qora will goes OS? And is the problem solved with Dzarmush and Renat0??

[CryptKeeper]

Just a quick update, a couple nights ago I found the oldest version of Qora (without a broken download link), the original nxt source and I downloaded and installed some Java dev tools.  I haven't gotten far because I haven't figured out how to turn the decompiled source files into a Java project.

Anyway, I've also been sick for this past week, so other than my real job, I've spent moat of the past 36 hours trying to sleep as much as I can.  I'll keep looking into this as I can because I've had a pretty bad cold.  Nothing to conclude, yet.  As requested, I'll see about looking into the forging code.  No promises, though.  I have a few areas of the app that I want to look at which be easy to tell if they were copies or newly written.

Developers have "fingerprints" of how they write and structure their code.  Using simpler, but necessary, sections of the applications for inspection will make this process a little easier/quicker.

Also, if I'm a little incoherent these next couple of days, please forgive me and blame the cough syrup. O_o

I've been in a fog for the past couple of days and this sucks.

Sorry to hear this. Take your time and get well soon!

[Fry]

I did decompile and analyze Qora already some weeks ago.
I think "qora\c\a.class" is the block Class which is very important for the understanding of the forging algo.
Here are three methods of that decompiled class:

Code:

    public final JSONObject bO()
    {
        JSONObject jsonobject;
        (jsonobject = new JSONObject()).put("version", Integer.valueOf(version));
        jsonobject.put("reference", qora.crypto.a.encode(ef));
        jsonobject.put("timestamp", Long.valueOf(timestamp));
        jsonobject.put("generatingBalance", Long.valueOf(ep));
        jsonobject.put("generator", eq.getAddress());
        jsonobject.put("fee", bJ().toPlainString());
        jsonobject.put("transactionsSignature", qora.crypto.a.encode(ev));
        jsonobject.put("generatorSignature", qora.crypto.a.encode(er));
        jsonobject.put("signature", qora.crypto.a.encode(getSignature()));
        JSONArray jsonarray = new JSONArray();
        m m1;
        for(Iterator iterator = bL().iterator(); iterator.hasNext(); jsonarray.add(m1.bO()))
            m1 = (m)iterator.next();

        jsonobject.put("transactions", jsonarray);
        return jsonobject;
    }

    public boolean bP()
    {
        byte abyte0[] = new byte[0];
        byte abyte1[] = Arrays.copyOfRange(ef, 0, 64);  // ef = reference (?Hash of last block i think)
        abyte0 = Bytes.concat(new byte[][] {
            abyte0, abyte1
        });
        abyte1 = Longs.toByteArray(ep);    //  generatingBalance
        abyte0 = Bytes.concat(new byte[][] {
            abyte0, abyte1
        });
        abyte1 = Bytes.ensureCapacity(eq.bp(), 32, 0);  // eq.bp = public key of block creator
        abyte0 = Bytes.concat(new byte[][] {
            abyte0, abyte1
        });
        b.bS();
        if(!b.a(eq.bp(), er, abyte0))
            return false;
        abyte0 = er;
        for(Iterator iterator = bL().iterator(); iterator.hasNext();)
        {
            m m1;
            if(!(m1 = (m)iterator.next()).bP())
                return false;
            abyte0 = Bytes.concat(new byte[][] {
                abyte0, m1.getSignature()
            });
        }

        b.bS();
        return b.a(eq.bp(), ev, abyte0);
    }


    public boolean n(j j1)
    {
        if(ef == null || l(j1) == null)
            return false;
        if(timestamp - 500L > c.a.getTime() || timestamp < l(j1).timestamp)
            return false;
        if(timestamp % 1000L != l(j1).timestamp % 1000L)
            return false;
        if(ep != qora.d.b(j1, l(j1)))
            return false;
        byte abyte0[];
        Arrays.fill(abyte0 = new byte[32], (byte)127);
        BigInteger biginteger = new BigInteger(1, abyte0);
        Object obj = BigInteger.valueOf(qora.d.e(ep));
        biginteger = (biginteger = biginteger.divide(((BigInteger) (obj)))).multiply(eq.c(j1).toBigInteger());
        long l1 = (timestamp - ((a) (obj = l(j1))).timestamp) / 1000L;
        obj = biginteger.multiply(BigInteger.valueOf(l1 - 1L));
        biginteger = biginteger.multiply(BigInteger.valueOf(l1));
        b.bS();
        byte abyte1[] = b.digest(er);
        BigInteger biginteger1;
        if((biginteger1 = new BigInteger(1, abyte1)).compareTo(biginteger) >= 0)
            return false;
        if(biginteger1.compareTo(((BigInteger) (obj))) < 0)
            return false;
        j1 = j1.X();
        m m1;
        for(Iterator iterator = bL().iterator(); iterator.hasNext(); m1.k(j1))
        {
            if((m1 = (m)iterator.next()) instanceof qora.f.g)
                return false;
            if(m1.p(j1) != 1)
                return false;
            if(m1.getTimestamp() > timestamp || m1.getDeadline() <= timestamp)
                return false;
        }

        return true;
    }

I have added the bO() method which creates an JSON Object from that Object because it helps to understand what which variable is.

b.a (Not shown here) is the Crypto-verify method.

"bP()" obviously checks if the transactionsSignature (ev) and the generatorSignature (er) are valid Crypto signatures.
generatorSignature = signature of (ef + ep + eq.bp())
Where
ef = reference (?Hash of last block i think)
ep=generatingBalance
eq.bp = public key of block creator
transactionsSignature = signature of ( generatorSignature + all transactions) in that block

"n(j j1)" Checks if the Block is valid in terms of whether the creator was allowed to build on top of the last block at that given time.
Therefore the generatorSignature is beeing hashed and the result is somehow beeing compared to the time since the last block multiplied with the generatingBalance.