How do I get the 2nd string from a given string?

Started by ragdogz, January 24, 2009, 10:59:58 AM


ragdogz

I have a simple TCP program to get the string in the incoming data from the server. The server sends data as an ASCII string like this:

NuQW4CSS0Qpa8TnZ

The 1st string is NuQW4CSS and the 2nd string is 0Qpa8TnZ. I need to get the 2nd string, which is 0Qpa8TnZ. The lengths of the 1st and 2nd strings change from time to time. In Visual Basic I do it like this:

First I convert that incoming data into hex, so the result is:

01 01 01 01 01 01 01 01 1C 01 01 01 01 01 08 4E 75 51 57 34 43 53 53 01 01 01 01 01 08 30 51 70 61 38 54 6E 5A

1st string: NuQW4CSS, or 4E 75 51 57 34 43 53 53 in hex. The byte in front of this string (08) indicates the length of the string.
2nd string: 0Qpa8TnZ, or 30 51 70 61 38 54 6E 5A in hex. The byte in front of this string (08) indicates the length of the string.

So, what I do to get the 2nd string is:
1. Get the length of the 1st string, which is located in the 15th byte. In the above example it is 08, or 8 in decimal.
2. I add 8 to 21 (8 + 21), where 21 is the constant (the count of all characters except the 1st and 2nd string). So the result is 29. This 29 is the location of the length of the 2nd string.
3. The 29th byte in the above example is 08, or 8 in decimal. So I just get the 2nd string from the 30th byte with a length of 8, and the result is 0Qpa8TnZ.

Can you give me example code on how to do this in assembly?
Thank you..

Jimg

You say "21 is the constant (the sum of all characters except 1st and 2nd string)"
So the total length is known, in this case 37.
The length of the first string can be found at byte 15, in this case 8.
So far we have 37-8=29 characters left.
So we have 29 characters left, with no way to find where within those 29 characters that the second string starts.
We can't subtract the length of the second string from 29 to get the value of 21 since we don't know where the second string starts yet to find out its length.

Mark Jones

Interesting, looks like username/password combinations.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

BlackVortex

Quote from: Mark Jones on January 24, 2009, 05:12:58 PM
Interesting, looks like username/password combinations.
Maybe it's a brute forcer

ragdogz

@Mark Jones
Yes, I need the 2nd string to concatenate it with my password. The concatenation of them produces the hashcode. If the hashcode is right, then I can successfully log in to the server. It's a chat program..

@Jimg
Let me explain one more time, maybe I didn't make myself clear..

Like I said before, the data (packets) sent by the server is in ASCII mode. As you know some ASCII characters cannot be printed, so I convert the packet into hex first. Look at this incoming packet..

01 01 01 01 01 01 01 01 1C 01 01 01 01 01 08 4E 75 51 57 34 43 53 53 01 01 01 01 01 08 30 51 70 61 38 54 6E 5A

The colored hex bytes are the constant I mentioned earlier. They're always in that form, I mean in their length: they always consist of 21 characters. Now take a look at the parts of the constant..

1C
This is located at the 9th byte. It indicates the length of the packet counted from the 10th byte till the end.

08
This is located at the 15th byte. It indicates the length of the 1st string.

08
This is located at an "unknown" byte, because its location depends on the length of the 1st string. It indicates the length of the 2nd string.

That's one example. Another example is like this:

01 01 01 01 01 01 01 01 1A 01 01 01 01 01 06 53 75 52 58 31 46 01 01 01 01 01 08 41 50 70 61 33 4B 6E 52

You see the packet has changed. It no longer has the same length as the 1st packet. But one thing that never changes is the constant: it is always 21.
So, in Visual Basic it's easy to get the 2nd string. I'll write the method I use, using the 2nd packet as a study case..

1. The location of the length of the 1st string is always at the 15th byte.

Dim a As String
a = Mid$(Packet, 15, 1)


The above code gets the byte at position 15 for 1 character, and the result is 06. Then I convert it into decimal to get the length of the 1st string:

a = HexToDec(a)

The above code results in 6. So now I know the length of the 1st string is 6 characters.

2. The next step is to catch the location of the length of the 2nd string:

Dim b As String
b = Mid$(Packet, (a + 21), 1)


The above code gets the byte at position 27 for 1 character, where 27 = a + 21 (a = 6). The result is 08. There it is! I got the length of the 2nd string. Now I convert it to decimal:

b = HexToDec(b)

3. Now the job is easier. I just get the 2nd string with this method:

Dim SecondString As String
SecondString = Right$(Packet, b)


The above code gets characters from the right for the length of b, or 8. I get it from the right because there are no more characters in the packet after the 2nd string, and the length is known after executing the previous code. So the conclusion is, the location of the 2nd string changes depending on the length of the 1st string. It's very easy in Visual Basic, but it gives me a headache doing it in Assembly..

After I get the 2nd string, I concatenate it with my password in the form SecondStringMyPassword and get the hashcode. Then I send the hashcode back to the server, and I log in successfully. It's only a chat program, no more than that..

I hope I have made myself clear now and perhaps someone can help..

Mark Jones

Looks like someone already tried to help on another forum:


hxxp://forum.tuts4you.com/index.php?showtopic=18767&mode=linearplus


Curious, would you like the answer in Masm syntax or Visual Basic?

Jimg

mov esi,offset inputbytes ; address of input
movzx eax,byte ptr [esi+14]  ; len str 1
add eax,21
add esi,eax
movzx ecx,byte ptr [esi]  ; len str 2
add esi,1
mov edi,offset SecondString
rep movsb



ragdogz

Yes, that's me asking in that forum too..
Of course I need the answer in MASM because I already completed my program in Visual Basic..

So far I'm stuck with this code:

cld

xor eax,eax
mov al,[Packet+1ch]
mov Usize,eax

mov esi, offset Packet+1dh
mov edi, offset GetString
xor ecx,ecx
mov ecx,Usize
rep movsb


All I know about that code is:

xor eax,eax            ; set eax to 0
mov al,[Packet+1ch]    ; place the pointer at the 1ch location or 28th byte and then copy the byte after that, which is the 1dh or 29th byte
mov Usize,eax          ; then copy that 29th byte into the variable named Usize. The 29th byte is the length of the 2nd string

mov esi, offset Packet+1dh ; then place the pointer at the 1dh location and copy the bytes after that, starting from the 30th byte, as the source
mov edi, offset GetString  ; use the variable named GetString as the destination
xor ecx,ecx            ; set ecx to 0
mov ecx,Usize          ; copy the length in Usize into ecx
rep movsb              ; then finally the variable GetString will be filled with the 2nd string

But the problem with that code is that it only works properly if the length of the 1st string is 8, which means the position of the length of the 2nd string will be at the 29th byte. But if the length of the 1st string changes, say to 6, then the position of the length of the 2nd string will be at the 27th byte...

ragdogz

Oww, I didn't realize there was a new reply while I was typing my post..
Thanks Jimg, I'll try it and I'll tell you the result..
Thanks again..

ragdogz

Hi Jimg,
Thanks very much for your help. Your code is working properly, but I need to adjust it to be like this:

mov esi,offset inputbytes ; address of input
movzx eax,byte ptr [esi+14]  ; len str 1
add eax,20 ; THIS IS WHERE I CHANGE, FROM 21 TO 20
add esi,eax
movzx ecx,byte ptr [esi]  ; len str 2
add esi,1
mov edi,offset SecondString
rep movsb


Now your code gets the 2nd string perfectly no matter how long the 1st string in the packet from the server is. Your code, as I requested, only gets the 2nd string. I need to concatenate it with my password. In the old code I used, there's a variable named Usize that holds the length of the 2nd string. I need it for the next step, so I put that Usize into your code and the final code is like this:

mov esi,offset inputbytes ; address of input
movzx eax,byte ptr [esi+14]  ; len str 1
add eax,20
add esi,eax
movzx ecx,byte ptr [esi]  ; len str 2
add esi,1
mov edi,offset SecondString
mov Usize,ecx ; THIS IS THE ADDITIONAL LINE I ADD
rep movsb


So, in the next step I have the concatenation of the 2nd string and my password, and no problem till now. I can log in successfully every time I launch the program. What I want to know now is, is it right to add that line mov Usize,ecx in that position? I mean I want to copy ecx into Usize. Or is there any better way?

Thanks again for your help..
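A bounds-checked C version of the extraction in the final code above, added here as an example and not code from the thread: it parses the packet layout ragdogz described (length of the rest at the 9th byte, len1 at the 15th, five filler bytes, then len2 and the second string) and uses the two packets he quoted as constructed input. The 0-based offset 20 + len1 of the second length byte is the same arithmetic as the corrected `add eax,20`; unlike the `rep movsb` version it refuses length bytes that would read past the received packet or write past the destination buffer, which matters because every length comes from the remote side.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout described in the thread (0-based offsets): [8] = length of the rest
 * of the packet from offset 9; [14] = len1 followed by the first string;
 * 5 filler bytes; [20+len1] = len2 followed by the second string.
 * The 21 overhead bytes are the thread's "constant". */
#define TOTAL_LEN_OFF 8
#define LEN1_OFF      14
#define FILLER        5

/* Copy the second string into out, NUL-terminated. Returns its length, or -1
 * if a length byte disagrees with the real buffer or the copy would not fit. */
int get_second_string(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_size)
{
    if (!pkt || !out || out_size == 0 || pkt_len <= LEN1_OFF)
        return -1;
    if ((size_t)pkt[TOTAL_LEN_OFF] != pkt_len - (TOTAL_LEN_OFF + 1))
        return -1;                                  /* truncated or padded */
    size_t len1 = pkt[LEN1_OFF];
    size_t len2_off = LEN1_OFF + 1 + len1 + FILLER; /* == 20 + len1 */
    if (len2_off >= pkt_len)
        return -1;                                  /* len1 points past the end */
    size_t len2 = pkt[len2_off];
    size_t str2_off = len2_off + 1;
    if (len2 > pkt_len - str2_off || len2 >= out_size)
        return -1;                                  /* over-read or overflow */
    memcpy(out, pkt + str2_off, len2);
    out[len2] = '\0';
    return (int)len2;
}

/* The two packets quoted in the thread, re-typed as byte arrays (constructed input). */
const uint8_t packet1[] = {
    1,1,1,1,1,1,1,1, 0x1C, 1,1,1,1,1, 0x08, 'N','u','Q','W','4','C','S','S',
    1,1,1,1,1, 0x08, '0','Q','p','a','8','T','n','Z' };
const uint8_t packet2[] = {
    1,1,1,1,1,1,1,1, 0x1A, 1,1,1,1,1, 0x06, 'S','u','R','X','1','F',
    1,1,1,1,1, 0x08, 'A','P','p','a','3','K','n','R' };

/* 1 if the packet parses and its second string equals expected, else 0. */
int parses_to(const uint8_t *pkt, size_t pkt_len, const char *expected)
{
    char buf[64];
    return get_second_string(pkt, pkt_len, buf, sizeof buf) >= 0
        && strcmp(buf, expected) == 0;
}
```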

Jimg

That's just fine.  Could be one or two lines up, but it really doesn't matter, so long as you save it before the rep movsb.

ragdogz

Hi, it's me again needing help..
Now I want to get the first 5 characters from the given string.

For my exercise, I made code like this:

.data
packet  db "abcdefghijklmnopqrstuvwxyz",0
correct db "correct!",0
wrong db "wrong!",0
string1 db "abcde",0
string2 db "abcdf",0

.data?
getResult db 100 dup(?)

GetString proc strings:DWORD

    mov esi,offset packet
    mov edi,offset getResult
    mov ecx,5
    rep movsb

    ;invoke SetDlgItemText,hwwnd,EDIT_STRING,addr getResult ;this will put "abcde" in my textbox so the result is correct

    .if al==string1
    invoke SetDlgItemText,hwwnd,EDIT_STRING,addr correct
    .else
    invoke SetDlgItemText,hwwnd,EDIT_STRING,addr wrong
    .endif
    ret

GetString endp


I just want to compare the result. mov ecx,5 should get abcde as the result, but why does my textbox always show "wrong!" even though the result is correct..
Thanks..

Jimg

First you forgot to put a zero byte terminator after the partial string you copied.  It probably didn't make any difference in this case, but it's going to bite you bad in the future if you don't learn to terminate your strings.

Second, I have no idea what you are testing in the .if al==string1 line.
At no place did you put anything in al to test against, and you can't test a byte value in al against a 32 bit address.  And it wouldn't tell you anything anyway.
For your test, you have to put the start of the string to test in one register, put the address of the string to test against in another register, pick up a character from the first string, test it against a character from the second string, if it matches, increment both addresses and test the next character, etc. until you've tested all the characters.  The way to tell if you are done in this case is to see if both the character in the first string and the second string are zero, rather than just testing 5 characters, since the first 5 could be correct, but the sixth of the result might not be a zero and thus incorrect.

I didn't give you the actual code because I'm assuming you want to learn, so figure it out.  If you need more help, just ask.

ragdogz

Quote from: Jimg on February 02, 2009, 01:43:08 AM
and you can't test a byte value in al against a 32 bit address.

Thanks for your direction, but I don't know what you mean by that sentence. If I can't, then why didn't the assembler report anything wrong?
I'll try it again following your direction and will report the result..

Jimg

Okay, I tried it and it actually assembled.

.if al==string1 assembles to

  cmp al,byte ptr  [string1]

which compares what is in al, (which could have been anything, it was never set in your code), to the first byte of the string located at string1, which in this case is an 'a'.
So if you accidentally had an 'a' in al, the test would have passed.  It would have said nothing about the remaining characters in the string, only the first.