Hello, everyone,
Help me to show the time.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
pzCaption db "system time show test",0
stm SYSTEMTIME<>
dateformat db " yyyy:MM:dd ",13,10
timeformat db " HH:ss:mm ",0
buffer db 100 dup (0)
buffer1 db 100 dup (0)
buffer0 db 200 dup (0)
.code
start:
invoke GetLocalTime, addr stm
invoke GetDateFormat,LOCALE_USER_DEFAULT,NULL,addr stm,addr dateformat,addr buffer,sizeof buffer
invoke GetTimeFormat,LOCALE_USER_DEFAULT,NULL,addr stm,addr timeformat,addr buffer1,sizeof buffer1
invoke wsprintf,addr buffer0,addr buffer,addr buffer1
invoke MessageBox,NULL,addr buffer0,addr pzCaption,MB_OK or MB_ICONINFORMATION
invoke ExitProcess,NULL
end start
regards
NULL terminate dateformat...
dateformat db " yyyy:MM:dd ",13,10,0
wsprintf requires a format string...
wspformat DB "%s",13,10,"%s",0
invoke wsprintf, addr buffer0, offset wspformat, addr buffer, addr buffer1
donkey,
OK!
Thank you very much.
best regards.
six_L1,
There is a security alert in the Platform SDK in regards to wsprintf:
Quote:
Security Alert: Using this function incorrectly can compromise the security of your application. The string returned in lpOut is not guaranteed to be NULL-terminated. Also, avoid the %s format -- it can lead to a buffer overrun. If an access violation occurs it causes a denial of service against your application. In the worse case, an attacker can inject executable code. Consider using one of the following alternatives: StringCbPrintf, StringCbPrintfEx, StringCbVPrintf, StringCbVPrintfEx, StringCchPrintf, StringCchPrintfEx, StringCchVPrintf, or StringCchVPrintfEx. You should review Security Considerations: Windows User Interface before continuing.
I have highlighted the part that might concern you. I thought it might help you to know this.
John,
:U
Thanks, you gave me more information.
Yes, most of the time I used wsprintf, and crashes have happened often. StringCbPrintf, StringCbPrintfEx, StringCbVPrintf, StringCbVPrintfEx, StringCchPrintf, StringCchPrintfEx, StringCchVPrintf, or StringCchVPrintfEx: I've never used these. Next time I want to learn how to use them.
best regards.
You could also use
xor eax,eax
movsx eax, stm.wDay
invoke dwtoa, eax, addr buff
etc.
Peter
What I use:
.data
dateformat db "dd MMM yyyy", 0
timeformat db "HH:mm:ss", 0
rightnow db "Right Now!", 0
.data?
date_buf db 40 dup (?)
; time_buf db 20 dup (?)
sys_time SYSTEMTIME <>
.const
LOCALE_SYSTEM_DEFAULT equ 0
.code
start:
invoke GetLocalTime, addr sys_time
invoke GetDateFormat, LOCALE_SYSTEM_DEFAULT, NULL, \
ADDR sys_time, ADDR dateformat, ADDR date_buf, 40
mov ecx, offset date_buf
add ecx, eax ;add length returned by GetDateFormat
dec ecx
mov byte ptr [ecx], ' ' ;replace sz null with space
inc ecx
invoke GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL, \
ADDR sys_time, ADDR timeformat, ecx, 20
;Alternative to above 6 lines
; invoke GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL, \
; ADDR sys_time, ADDR timeformat, ADDR time_buf, 20
; invoke lstrcat, addr date_buf, addr time_buf
invoke MessageBox, NULL, addr date_buf, addr rightnow, MB_OK
invoke ExitProcess, 0
end start
hth
farrier
Hi, wsprintf is fine in this situation. As MSDN says, you should review the risk, and the security problem does not exist here. After all, you are dealing with known lengths and no user input is required. The security risk is primarily concerned with users passing strings that are larger than the output buffer; this is of course not possible in this case. The only other possible problem is the lack of NULL termination on the output buffer; again, with a buffer of 100 bytes for the date and time that was initialized with NULL, it is not a problem.
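The bounded formatting that the StringCch* alternatives in the quoted alert provide, as an added example that is not part of the original thread. It is portable C that uses snprintf as a stand-in for StringCchPrintf (a swap, so it builds without the Windows SDK); join_date_time and the FMT_* codes are hypothetical names, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Status codes are this example's own (hypothetical), modelled on the
   success / insufficient-buffer split the StringCch* functions report. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_BAD_ARG = 2 };

/* Join "date\r\ntime" into out[cch]. Unlike an unbounded "%s", the write
   never exceeds cch bytes and out is always NUL-terminated. */
enum fmt_status join_date_time(char *out, size_t cch,
                               const char *date, const char *time_str)
{
    int need;

    if (out == NULL || cch == 0 || date == NULL || time_str == NULL)
        return FMT_BAD_ARG;

    need = snprintf(out, cch, "%s\r\n%s", date, time_str);
    if (need < 0) {             /* encoding error: hand back an empty string */
        out[0] = '\0';
        return FMT_BAD_ARG;
    }
    /* snprintf returns the length it wanted to write; >= cch means cut. */
    return ((size_t)need >= cch) ? FMT_TRUNCATED : FMT_OK;
}

int main(void)
{
    /* Constructed sample strings shaped like the thread's format output. */
    const char *date = " 2005:01:31 ";
    const char *tm   = " 14:05:59 ";
    char big[200];              /* same size as buffer0 in the thread */
    char small[16];             /* deliberately too small */
    char oversized[300];        /* stands in for an unexpectedly long input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("%d [%s]\n", join_date_time(big, sizeof big, date, tm), big);
    printf("%d [%s]\n", join_date_time(small, sizeof small, date, tm), small);
    printf("%d len=%zu\n",
           join_date_time(big, sizeof big, oversized, tm), strlen(big));
    return 0;
}
```

With the fixed-size date and time strings from the thread the call succeeds; the other two calls show the caller being told about truncation instead of memory past the buffer being overwritten.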
petezl,farrier,
Thank you.
I knew a lot of information.
:U
best regards