Jump to content
Sign in to follow this  
SvenP

Calculating MD5 Checksum in AutoIt

Recommended Posts

Hello,

I heard some rumours about a missing MD5 function in AutoIt.

Well I made a very quick conversion from a Visual Basic sample.

It works, but it does not use the optimized AutoIt functions for shifting bits.

So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files.

Regards,

-Sven

TestMD5.AU3

MD5.au3

Share this post


Link to post
Share on other sites

Hello,

I heard some rumours about a missing MD5 function in AutoIt.

Well I made a very quick conversion from a Visual Basic sample.

It works, but it does not use the optimized AutoIt functions for shifting bits. 

So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files.

Regards,

-Sven

<{POST_SNAPBACK}>

how about the md5.dll?

http://www.autoitscript.com/forum/index.ph...791entry39791

Share this post


Link to post
Share on other sites

Man, I LOVE YOU SO MUCH!  I've been wanting this for weeks, and I didn't have the mental capacity to do that...

Now...to test!

<{POST_SNAPBACK}>

Note: it's just a 'Proof of Concept' . The code needs a lot of optimizations.

-Sven

Share this post


Link to post
Share on other sites

Hello,

I heard some rumours about a missing MD5 function in AutoIt.

Well I made a very quick conversion from a Visual Basic sample.

It works, but it does not use the optimized AutoIt functions for shifting bits. 

So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files.

Regards,

-Sven

<{POST_SNAPBACK}>

Hello Sven :)

Thx you for this Md5 script :D

can you help me out,to adde the Md5 check to this simpel Autoit3 exampels?

I understand it completly,to adde the md5 check to this simpel passwort check.

Thx you Sven :D

;
; AutoIt Version: 3.0
; Language:    English
; Platform:    Win9x/NT
; Author:        Jonathan Bennett (jon@hiddensoft.com)
;
; Script Function:
;   Demonstrates the InputBox, looping and the use of @error.
;


; Prompt the user to run the script - use a Yes/No prompt (4 - see help file)
$answer = MsgBox(4, "AutoIt Example (English Only)", "This script will open an input box and get you to type in some text.  Run?")


; Check the user's answer to the prompt (see the help file for MsgBox return values)
; If "No" was clicked (7) then exit the script
If $answer = 7 Then
    MsgBox(4096, "AutoIt", "OK.  Bye!")
    Exit
EndIf

; Loop around until the user gives a valid "autoit" answer
$bLoop = 1
While $bLoop = 1
    $text = InputBox("AutoIt Example", "Please type in the word ""autoit"" and click OK")
    If @error = 1 Then
        MsgBox(4096, "Error", "You pressed 'Cancel' - try again!")
    Else
       ; They clicked OK, but did they type the right thing?
        If $text <> "autoit" Then
            MsgBox(4096, "Error", "You typed in the wrong thing - try again!")
        Else
            $bLoop = 0   ; Exit the loop - ExitLoop would have been an alternative too :)
        EndIf
    EndIf
WEnd

; Print the success message
MsgBox(4096,"AutoIt Example", "You typed in the correct word!  Congrats.")

; Finished!

Share this post


Link to post
Share on other sites

Hello Sven :rolleyes:

Thx you for this Md5 script :P

can you help me out,to adde the Md5 check to this simpel Autoit3 exampels?

I understand it completly,to adde the md5 check to this simpel passwort check.

Thx you Sven :P

...

<{POST_SNAPBACK}>

Well, this question belongs actually to the 'Support' section. But anyway, here is an example.

First you generate a password into an MD5 hash:

; Generate a password into file Secret.txt
$password = InputBox("AutoIt Example", "Please enter a new password and click OK")
If not @error and $password <> ""  Then
    $Encoded=MD5($password)
    If FileExists("Secret.txt") then FileDelete("Secret.txt")
    FileWrite ("Secret.txt", $Encoded)
EndIf

Then, in your script, you ask for the password, encode it into an MD5 hash and compare this hash with the one you stored:

; Loop around until the user gives a valid "autoit" answer
$bLoop = 1
While $bLoop = 1
 $text = InputBox("AutoIt Example", "Please type in your secret password and click OK")
    If @error = 1 Then
        MsgBox(4096, "Error", "You pressed 'Cancel' - try again!")
    Else
      ; They clicked OK, but did they type the right thing?
        If MD5($text) <> FileRead("Secret.txt",FileGetSize("Secret.txt")) Then
            MsgBox(4096, "Error", "You typed in the wrong thing - try again!")
        Else
            $bLoop = 0  ; Exit the loop - ExitLoop would have been an alternative too :)
        EndIf
    EndIf
WEnd

; Print the success message
MsgBox(4096,"AutoIt Example", "You typed in the correct word!  Congrats.")

; Finished!

Note: this NO encryption. MD5 is just a hash or checksum generator. Your password is never safe this way.

Regards,

-Sven

Share this post


Link to post
Share on other sites

Note: this NO encryption.  MD5 is just a hash or checksum generator.  Your password is never safe this way.

Really? Are you saying that it's possible to convert a hash to the original string of text passed to the MD5 function?

If so, how easy/difficult is it?

Edited by Saunders

Share this post


Link to post
Share on other sites

Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords?

In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in.

I'd often do something like:

$md5Password = MD5($username . $password)

Or even perhaps a few MD5's, or toss in some arbitrary text.

$md5Password = MD5('passEncrypt' . MD5($username) . $password)

Then when I wanted to log that user in it was a simple method of comparing:

If MD5($username . $password) == $md5Password) {}

Is that really all that insecure?

Share this post


Link to post
Share on other sites

Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords?

In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in.

I'd often do something like:

$md5Password = MD5($username . $password)

Or even perhaps a few MD5's, or toss in some arbitrary text.

$md5Password = MD5('passEncrypt' . MD5($username) . $password)

Then when I wanted to log that user in it was a simple method of comparing:

If MD5($username . $password) == $md5Password) {}

Is that really all that insecure?

<{POST_SNAPBACK}>

Because MD5 is a hash checksum. That means that multiple ASCII strings can have the same checksum. So you just have to calculate AN ASCII string that produces the same hash.

See also: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

and http://www.rtfm.com/movabletype/archives/2004_08.html#001055 for an example of two different input vectors that produce the same MD5 checksum.

Regards,

-Sven

Share this post


Link to post
Share on other sites

Sven,

What is the difference between the LShift($v, $s) and BitShift($v, -$s). There seems to be none! However, there is a difference between RShift($v, $s) and BitShift($v, $s). I wonder if the RShift() function is wrong?

It also seems to me that you can simplify:

Func AddUnsigned($lX, $lY) 
   return $lX + $lY; you should rather inline this in the code if it is correct.
EndFunc

Func WordToHex($lValue)
   Return StringFormat("%08x", $lValue); lower case Hex
EndFunc

You can throw out Class_initialize() (and arrays), RShiftSigned(). Lastly prefix all functions with _MD5_, and this could maybe become a standard lib. :)

Cheers.

/ADD: after som tests, I found that when using RShift() with the simplifications that I suggested, I get the same and correct results as from md5sum.exe. When using BitShift($v, $s) instead of RShift($v, $s) I get a wrong sum.

Is BitShift() buggy?

Edited by tylo

Share this post


Link to post
Share on other sites

Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords?

In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in.

I'd often do something like:

$md5Password = MD5($username . $password)

Or even perhaps a few MD5's, or toss in some arbitrary text.

$md5Password = MD5('passEncrypt' . MD5($username) . $password)

Then when I wanted to log that user in it was a simple method of comparing:

If MD5($username . $password) == $md5Password) {}

Is that really all that insecure?

<{POST_SNAPBACK}>

It is NOT an unsafe method of comparing passwords. All most all good authentication is performed in this manner.

Because MD5 is a hash checksum. That means that multiple ASCII strings can have the same checksum. So you just have to calculate AN ASCII string that produces the same hash.

See also: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

and http://www.rtfm.com/movabletype/archives/2004_08.html#001055 for an example of two different input vectors that produce the same MD5 checksum.

Regards,

-Sven

<{POST_SNAPBACK}>

Two inputs of differing content CANNOT produce the same hash.* That goes against the whole purpose of calculating checksums/hashes. Hashing algorithms are specifically designed to produce a predictable hash based on input. And that said input cannot be produced from the hash. It's a one-way street.

The only way to crack a hash is as follows:

You have a hash like this: 5f4dcc3b5aa765d61d8327deb882cf99. You want to find out what input created that hash. To do so you would have to loop through every possible combination of characters, generating the hash for each one, and comparing your generated hash with the hash you were given that the outset. This can be done a variety of ways. Some are:

Dictionary Attack: You have a long list of words and letter combinations that are commonly used as passwords. You loop through the list and generate a hash for each word, and compare with the one given. Success is not guaranteed.

Brute Force Attack: You loop through every single possible combination of characters in a specified character set, generating hashes for each one, and comparing it with the given hash. The wider the character set the longer it takes. The stronger the password, the longer it takes, If you don't include every single character in your character set, success is not guaranteed. As the length and complexity of the password increase the time required to crack it increases exponentially. Some passwords cannot be cracked this way because it would take hundreds or thousands of years.

Rainbow Tables: This is one of the newest and fastest ways to crack passwords. You have a long list of recomputed hashes and their values (a table). You loop through each hash and compare it with the one given. This method can only be used to crack passwords less than 15 characters. Success is not guaranteed if your tables are not big enough.

All of the above mentioned methods are very resource intensive. The probability of a password being cracked rests, not on the strength of the hash (MD5), but on the strength of the password. I hope this clears things up for you just a little.

* Over time people have sometimes found slight flaws in algorithms. These flaws might cause an identical checksum to be produced from varying input. BUT THIS IS ONLY IN EXTREME CASES. IT DOES NOT MAKE IT INSECURE!

Edited by Green_Lantern

DreamHost: great web hosting for as little as $7.95 a month.

Share this post


Link to post
Share on other sites

Sven,

What is the difference between the LShift($v, $s) and BitShift($v, -$s). There seems to be none! However, there is a difference between RShift($v, $s) and BitShift($v, $s). I wonder if the RShift() function is wrong?

...

/ADD: after som tests, I found that when using RShift() with the simplifications that I suggested, I get the same and correct results as from md5sum.exe.  When using BitShift($v, $s) instead of RShift($v, $s) I get a wrong sum.

Is BitShift() buggy?

<{POST_SNAPBACK}>

Hello Tylo,

Thanks for sorting this out. I had the same problem while converting the code from VBS to AU3. That's why I didn't do any optimizations with AutoIt's internal functions.

When I have some more time, I will check out the difference between MD5's RShift and AutoIt's BitShift.. First I need to fix that nasty 'boolean' bug in 3.1.1.16...

Regards,

-Sven

Share this post


Link to post
Share on other sites

It looks to me that RShift never does anything with the top bit, (the sign bit in a signed integer). If that is correct, then all bits are shifted except it. AutoIt's BitShift() operator, however, shifts all bits, even the top bit. I could be wrong, of course. I just looked at the code, I didn't debug it or anything.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...