.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
Var db 16 dup ("0"); Set 16 Bytes of value "0"
.data?
buffer db ?
Number dd ?
.code
start:
lea esi, [offset Var + 15]
myloop:
invoke GetStdHandle, -11
invoke WriteConsoleA, eax, esi, 1, ecx, 0 ;Uses 2Byte Tchar's
inc byte ptr [esi]
invoke StdIn,ADDR buffer, LENGTHOF buffer
cmp esi, 123
je myout
jmp myloop
ret
myout:
invoke StdIn,ADDR buffer, LENGTHOF buffer
ret ; You have to Return to Exit Properly or the program will crash!
end start
Now I'm aware that WriteConsoleA outputs TCHARs, which are 2-byte values... now if you copy and run the code, not only is it putting out two values, it also increments them, when it's only supposed to increment one value at a time, close to a brute-force method.
0
1
2
3
4
5
6
7
8
9
A
B
...
Now this code is doing
0
12
34
56
...
What am I messing up on? =(
And I don't recall WriteConsoleA ever appending CRLF, even looking at the MSDN site for the API? Am I correct?
For the ANSI versions of the functions TCHAR is defined as:
typedef char TCHAR;
For WriteConsole, the fourth parameter is supposed to be the address of a DWORD variable that receives the number of characters written.
Your code is setting ESI to the last byte of Var, is this what you intended?
Your code is looping until ESI == 123, but the value of ESI is constant throughout the loop. The statement:
inc byte ptr [esi]
is incrementing the byte that ESI points to. Furthermore, if ESI is set to the address of Var then it is starting out at a value much greater than 123. A conceptually simple way to create a loop would be something like this:
mov ebx, 10 ; to loop 10 times
myloop:
; Use the address in ESI and then increment or decrement it.
dec ebx
jnz myloop
As long as the stack pointer has the same value it had at program entry, executing a RET will exit the program without problems, but a more "normal" way to do it is to call ExitProcess, as this does not depend on the value of the stack pointer.
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
Var db 16 dup ("0"); Set 16 Bytes of value "0"
.data?
STDHandle dd ?
buffer db ?
Number dd ?
.code
start:
lea esi, [offset Var + 15]
invoke GetStdHandle, -11
mov STDHandle, eax
myloop:
inc byte ptr [esi]
invoke WriteConsoleA, STDHandle, esi, 1, ecx, 0 ;Uses 2Byte Tchar's
invoke StdIn,ADDR buffer, LENGTHOF buffer
cmp byte ptr [esi], 123
je myout
jmp myloop
ret
myout:
invoke StdIn,ADDR buffer, LENGTHOF buffer
ret ; You have to Return to Exit Properly or the program will crash!
end start
Ah, fixed it, but it's still outputting two chars. Is it due to Var(16), even though it's not really assigned in my program, that it is not a null char? And if so, why doesn't it do it the first time around?
The console will still display your input when you type; so, when the user presses the enter key, that is the CR/LF that appears. Since pressing the enter key is really TWO entries (a CR and a LF), the stdin has two characters waiting for it; when it comes time to 'pause for any key' a second time, the last part of the enter is still there, and it loops again. To see this in action, instead of just hitting enter, try typing 'abcdefg (enter)', and you will see both those 9 characters displayed, and 9 digits outputted (because there are 9 characters in the buffer). To work around this, try the SetConsoleMode() function.
-r
StdIn?
:eek
Ah, that makes sense. I did type in asdfg and I got multiple values back. How do I fix this? Switch stdin to what else?
Does MASM have a built-in pause? ("Press Any Key To Continue")
Thanks!
There is the inkey macro, whose default text is "Press any key to continue".
Either use GetNumberOfConsoleInputEvents() to figure out how many are waiting in the buffer and then use ReadConsole() to read out exactly that many each time through the loop, or use FlushConsoleInputBuffer() to get rid of any extra each time.
It appears to be a no-go. What's wrong with my attempt?
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
Var db 16 dup ("0"); Set 16 Bytes of value "0"
.data?
STDHandle dd ?
buffer db ?
Number dd ?
.code
start:
lea esi, [offset Var + 15]
invoke GetStdHandle, -11
mov STDHandle, eax
myloop:
inc byte ptr [esi]
invoke WriteConsoleA, STDHandle, esi, 1, ecx, 0 ;Uses 2Byte Tchar's
invoke StdIn,ADDR buffer, LENGTHOF buffer
push offset buffer
call FlushConsoleInputBuffer
cmp byte ptr [esi], 123
je myout
jmp myloop
ret
myout:
invoke StdIn,ADDR buffer, LENGTHOF buffer
ret ; You have to Return to Exit Properly or the program will crash!
end start
FlushConsoleInputBuffer requires the handle of the buffer, not the address of the holder variable in your program (use another call to GetStdHandle). Is there any reason you use StdIn instead of ReadConsole?
-r
No reason, I'll try ReadConsole... Thanks.
AgentSmithers,
Why not use wsprintf + StdOut to write NULL-terminated strings?
I want this code to be as fast as possible, but yes, I could do it that way =)
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
Var db 16 dup ("0"); Set 16 Bytes of value "0"
InputBuffer db 16 dup (0)
.data?
STDHandle dd ?
buffer db ?
Number dd ?
BytesToOutput db ?
.code
start:
lea esi, [offset Var + 15]
mov BytesToOutput, 1
invoke GetStdHandle, -11
mov STDHandle, eax
myloop:
inc byte ptr [esi]
invoke SetConsoleCursorPosition, STDHandle, 0
invoke WriteConsoleA, STDHandle, esi, BytesToOutput, ecx, 0 ;Uses 2Byte Tchar's
push 5
call Sleep
cmp byte ptr [esi], 122
je myout
jmp myloop
myout:
cmp esi, [offset Var + 15]
je Jumpover
cmp byte ptr [esi + 1], 122 ;If zz
je IncNextValue
inc byte ptr [esi + 1]
mov byte ptr [esi], "0"
jmp myloop
IncNextValue:
Jumpover:
mov byte ptr [esi], "0"
dec esi
inc BytesToOutput
jmp myloop
ret ; You have to Return to Exit Properly or the program will crash!
end start
BackupToStart:
;invoke StdIn,ADDR buffer, LENGTHOF buffer
ret ; You have to Return to Exit Properly or the program will crash!
end BackupToStart
let's start with this:
What's the program supposed to do?
Looks like an amateur attempt at a brute-force password cracker, to me ::)
lol - I can't make sense of it - I was trying to figure out (in a few brief sentences) what the goal was
The code's a bit of a mess, but the aim is:
0
1
2
:
:
x
y
z
00
01
02
:
:
zx
zy
zz
000
001
002
:
:
:
:
:
:
:
zzzzzzzzzzzzzzzx
zzzzzzzzzzzzzzzy
zzzzzzzzzzzzzzzz
i.e. all passwords up to length 16, containing characters:
0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
So just place a $ or ! in your password and you're safe :P
Not that it matters, it'll take 6194232190424717998536135802.880 seconds to complete (196283373590663.41 million years :lol)
Or, being highly optimistic and assuming you get very lucky, with an average password length of 8 characters, 187 years.
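The enumeration described in the post above (every string of length 1 to 16 over the 75 symbols from '0' to 'z', in counting order), as an added example in C that is not code from the thread or its author. It is the odometer-style increment the thread's INCLoop is trying to get right in assembly: bump the rightmost symbol, carry leftward on overflow past 'z', and grow the string by one symbol when the carry runs off the left edge. It also computes the closed-form size of the space so the counter can be checked against it. The 1e9 guesses-per-second rate in main() is an assumed placeholder for illustration, not a measurement from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Alphabet from the post above: every byte from '0' (0x30) to 'z' (0x7A) inclusive,
   i.e. 75 symbols. '$' and '!' fall outside it, which is why the post calls them "safe". */
#define FIRST_CH '0'
#define LAST_CH  'z'
#define ALPHABET ((uint64_t)(LAST_CH - FIRST_CH + 1))   /* 75 */
#define MAX_LEN  16

typedef struct {
    char   buf[MAX_LEN + 1];   /* current candidate, NUL-terminated */
    size_t len;                /* its length, 1..MAX_LEN */
} candidate_t;

/* Start at the first one-character string, "0". */
void candidate_init(candidate_t *c)
{
    memset(c->buf, 0, sizeof c->buf);
    c->buf[0] = FIRST_CH;
    c->len = 1;
}

/* Step to the next candidate in the order the post lists ("z" -> "00", "zz" -> "000").
   Works like an odometer: bump the rightmost symbol; if it was already 'z', reset it to
   '0' and carry into the symbol to its left. A carry that runs off the left edge means
   every string of the current length has been produced, so grow by one symbol and
   restart at all '0'. Returns 0 (leaving the buffer at all 'z') once the last string of
   max_len symbols has already been returned. */
int candidate_next(candidate_t *c, size_t max_len)
{
    size_t i = c->len;
    while (i > 0) {
        i--;
        if (c->buf[i] < LAST_CH) {
            c->buf[i]++;
            return 1;
        }
        c->buf[i] = FIRST_CH;          /* overflow: reset this symbol and carry left */
    }
    if (c->len >= max_len) {
        memset(c->buf, LAST_CH, c->len);   /* restore the final string; space exhausted */
        return 0;
    }
    c->len++;
    memset(c->buf, FIRST_CH, c->len);
    c->buf[c->len] = '\0';
    return 1;
}

/* Size of the key space for lengths 1..max_len: the sum of 75^L. Returned as a double
   because 75^16 is roughly 1e30 and does not fit in 64 bits. */
double keyspace_size(size_t max_len)
{
    double total = 0.0, power = 1.0;
    for (size_t L = 1; L <= max_len; L++) {
        power *= (double)ALPHABET;
        total += power;
    }
    return total;
}

/* Walk the whole space for a small max_len and count what the enumerator emits, so it
   can be checked against keyspace_size(). */
uint64_t count_candidates(size_t max_len)
{
    candidate_t c;
    uint64_t n = 1;                    /* the initial "0" */
    candidate_init(&c);
    while (candidate_next(&c, max_len))
        n++;
    return n;
}

/* Seconds needed to exhaust lengths 1..max_len at a given guess rate. */
double seconds_to_exhaust(size_t max_len, double guesses_per_second)
{
    return keyspace_size(max_len) / guesses_per_second;
}

int main(void)
{
    candidate_t c;
    candidate_init(&c);
    /* First 80 candidates: "0".."z" (75 of them), then "00".."04". */
    for (int i = 0; i < 80; i++) {
        printf("%s\n", c.buf);
        candidate_next(&c, MAX_LEN);
    }
    printf("strings of length 1..2:  %.0f\n", keyspace_size(2));
    printf("strings of length 1..16: %.6g\n", keyspace_size(16));
    /* Assumed rate of 1e9 guesses per second, purely for illustration. */
    printf("at 1e9 guesses/s, lengths 1..16 take %.3g years\n",
           seconds_to_exhaust(16, 1e9) / (365.25 * 86400));
    return 0;
}
```

In assembly the same loop is a single inc byte ptr on the rightmost character, a compare against 'z' to detect overflow, and a store of '0' plus a move to the next byte to the left on carry; the growth step is what the thread's AddAZero is attempting. The keyspace figure is the reason the post above dismisses the approach: the length-16 space is astronomically larger than the space any exhaustive walk can cover.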
I had one of my Yahoo accounts "stolen" a couple of years ago (I got it back by contacting Yahoo - several times)
after that, all my important passwords are very long - I do not want to say how long, but they are over 16 characters
length is the best defense
there may come a day when some log-ins allow a paragraph-length password - or at least, multiple lines
Yahoo has made the matter worse
several years ago, you could make Yahoo IDs that started with a numeric, also you could use capital letters
they stopped allowing these - so now they are sought-after IDs
crackers have made a hobby out of stealing these "rare" IDs
so they have made cracker programs that not only rotate passwords, but IDs as well
they sift through all the possible rares until they find one they can steal
Yahoo could take the wind out of their sails by re-allowing those IDs
Yes, that's correct, and the term would be password recovery, but it's helping sharpen my ASM skills again, so it's educational =)
As for the Yahoo thing, they just got mugged by a cookie creator back like 3 months ago, I think. Someone found the algorithm for generating a cookie from your username, tricking the media server into thinking you were already authenticated and letting you right in. I'm going to stay away from Yahoo =)
Does this thread have a final result?
:eek
What is the issue with this?
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
Var db 16 dup ("0"); Set 16 Bytes of value "0"
Number dd 1
.data?
STDHandle dd ?
buffer db ?
.code
start:
lea esi, offset Var
invoke GetStdHandle, -11
mov STDHandle, eax
myloop:
inc byte ptr [esi]
invoke WriteConsoleA, STDHandle, esi, Number, ecx, 0 ;Uses 2Byte Tchar's
;invoke Sleep, 10
cmp byte ptr [esi], 122 ;If 'z'
je myout
jmp myloop
myout:
call INCLoop
jmp myloop
invoke StdIn,ADDR buffer, LENGTHOF buffer
ret ; You have to Return to Exit Properly or the program will crash!
INCLoop proc
mov byte ptr [esi], "0"
mov ecx, Number
cmp ecx, 1
jne looper
call AddAZero
ret
looper:
sub ecx, 1
cmp byte ptr [esi + ecx], 122
je ItsAz
dec ecx
cmp ecx, 0
jz looper
ItsAz:
mov byte ptr [esi + ecx], 0
;inc Number
jmp myloop
ret ; You have to Return to Exit Properly or the program will crash!
INCLoop endp
AddAZero proc
inc Number
mov byte ptr [esi + Number - 1], "0"
ret
AddAZero endp
end start
AddAZero crashes, I believe at mov byte ptr [esi + Number - 1], "0"
What's wrong with that line?
see item #3 at this link...
http://www.masm32.com/board/index.php?topic=31.0
I was not asking how to hack with ASM. You assumed. My question was simply on adding addresses together.
I've read the rules, and as far as you should be concerned it only generates letters and chars. What if I was making a game of Scrabble!
Quote from: AgentSmithers on May 23, 2009, 05:14:11 AM
Yes, that's correct, and the term would be password recovery, but it's helping sharpen my ASM skills again, so it's educational =)
Quote from: AgentSmithers on May 23, 2009, 05:54:47 PM
I was not asking how to hack with ASM. You assumed. My question was simply on adding addresses together.
I've read the rules, and as far as you should be concerned it only generates letters and chars. What if I was making a game of Scrabble!
Keep digging ::)
As far as we should be concerned, you've already admitted it's for "password recovery" (no mention of whose passwords that should be), so there's no point trying to argue otherwise. If it was for legitimate recovery, there are far better methods than trying every possibility in sequence. If it was for Scrabble, you wouldn't be generating every permutation either - you'd use a dictionary (you also would only consider uppercase alphabetic characters.)
Quote from: AgentSmithers on May 23, 2009, 05:54:47 PM
I was not asking how to hack with ASM. You assumed. My question was simply on adding addresses together.
I've read the rules, and as far as you should be concerned it only generates letters and chars. What if I was making a game of Scrabble!
Nice try :D
Locked.