SvenP Posted April 18, 2005 Posted April 18, 2005 Hello, I heard some rumours about a missing MD5 function in AutoIt. Well I made a very quick conversion from a Visual Basic sample. It works, but it does not use the optimized AutoIt functions for shifting bits. So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files. Regards, -SvenTestMD5.AU3MD5.au3
djek Posted April 19, 2005 Posted April 19, 2005 Hello,I heard some rumours about a missing MD5 function in AutoIt. Well I made a very quick conversion from a Visual Basic sample. It works, but it does not use the optimized AutoIt functions for shifting bits. So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files.Regards,-Sven<{POST_SNAPBACK}>how about the md5.dll?http://www.autoitscript.com/forum/index.ph...791entry39791
MSLx Fanboy Posted April 19, 2005 Posted April 19, 2005 Man, I LOVE YOU SO MUCH! I've been wanting this for weeks, and I didn't have the mental capacity to do that... Now...to test! Writing AutoIt scripts since _DateAdd("d", -2, _NowCalcDate())
SvenP Posted April 19, 2005 Author Posted April 19, 2005 how about the md5.dll?http://www.autoitscript.com/forum/index.ph...791entry39791<{POST_SNAPBACK}>That's a solution for those who want to use an external DLL. MD5.DLL is a custom DLL, not standard present in Windows. But the DLL will work faster and can also calculate MD5 from files.Regards,-Sven
SvenP Posted April 19, 2005 Author Posted April 19, 2005 Man, I LOVE YOU SO MUCH! I've been wanting this for weeks, and I didn't have the mental capacity to do that...Now...to test!<{POST_SNAPBACK}>Note: it's just a 'Proof of Concept' . The code needs a lot of optimizations.-Sven
DirtyBanditos Posted April 19, 2005 Posted April 19, 2005 Hello,I heard some rumours about a missing MD5 function in AutoIt. Well I made a very quick conversion from a Visual Basic sample. It works, but it does not use the optimized AutoIt functions for shifting bits. So it is rather slow, but since AutoIt does not have full binary support you will never be able to create a MD5 checksum from binary files.Regards,-Sven<{POST_SNAPBACK}>Hello Sven Thx you for this Md5 script can you help me out,to adde the Md5 check to this simpel Autoit3 exampels?I understand it completly,to adde the md5 check to this simpel passwort check.Thx you Sven expandcollapse popup; ; AutoIt Version: 3.0 ; Language: English ; Platform: Win9x/NT ; Author: Jonathan Bennett (jon@hiddensoft.com) ; ; Script Function: ; Demonstrates the InputBox, looping and the use of @error. ; ; Prompt the user to run the script - use a Yes/No prompt (4 - see help file) $answer = MsgBox(4, "AutoIt Example (English Only)", "This script will open an input box and get you to type in some text. Run?") ; Check the user's answer to the prompt (see the help file for MsgBox return values) ; If "No" was clicked (7) then exit the script If $answer = 7 Then MsgBox(4096, "AutoIt", "OK. Bye!") Exit EndIf ; Loop around until the user gives a valid "autoit" answer $bLoop = 1 While $bLoop = 1 $text = InputBox("AutoIt Example", "Please type in the word ""autoit"" and click OK") If @error = 1 Then MsgBox(4096, "Error", "You pressed 'Cancel' - try again!") Else ; They clicked OK, but did they type the right thing? If $text <> "autoit" Then MsgBox(4096, "Error", "You typed in the wrong thing - try again!") Else $bLoop = 0 ; Exit the loop - ExitLoop would have been an alternative too :) EndIf EndIf WEnd ; Print the success message MsgBox(4096,"AutoIt Example", "You typed in the correct word! Congrats.") ; Finished!
MSLx Fanboy Posted April 19, 2005 Posted April 19, 2005 Proof of Concept or not, it keeps the program I'm working on to three files, and no unnecessary fileinstalls(). Writing AutoIt scripts since _DateAdd("d", -2, _NowCalcDate())
SvenP Posted April 20, 2005 Author Posted April 20, 2005 Hello Sven Thx you for this Md5 script can you help me out,to adde the Md5 check to this simpel Autoit3 exampels?I understand it completly,to adde the md5 check to this simpel passwort check.Thx you Sven ...<{POST_SNAPBACK}>Well, this question belongs actually to the 'Support' section. But anyway, here is an example.First you generate a password into an MD5 hash:; Generate a password into file Secret.txt $password = InputBox("AutoIt Example", "Please enter a new password and click OK") If not @error and $password <> "" Then $Encoded=MD5($password) If FileExists("Secret.txt") then FileDelete("Secret.txt") FileWrite ("Secret.txt", $Encoded) EndIfThen, in your script, you ask for the password, encode it into an MD5 hash and compare this hash with the one you stored:; Loop around until the user gives a valid "autoit" answer $bLoop = 1 While $bLoop = 1 $text = InputBox("AutoIt Example", "Please type in your secret password and click OK") If @error = 1 Then MsgBox(4096, "Error", "You pressed 'Cancel' - try again!") Else ; They clicked OK, but did they type the right thing? If MD5($text) <> FileRead("Secret.txt",FileGetSize("Secret.txt")) Then MsgBox(4096, "Error", "You typed in the wrong thing - try again!") Else $bLoop = 0 ; Exit the loop - ExitLoop would have been an alternative too :) EndIf EndIf WEnd ; Print the success message MsgBox(4096,"AutoIt Example", "You typed in the correct word! Congrats.") ; Finished!Note: this NO encryption. MD5 is just a hash or checksum generator. Your password is never safe this way.Regards,-Sven
DirtyBanditos Posted April 20, 2005 Posted April 20, 2005 Hello Sven P i have reade wat you say,thx for your fast exampel ,i test later out) Thx you for your great exampel)
busysignal Posted April 21, 2005 Posted April 21, 2005 SvenP, nice work. I have been looking for a tool like this. Thanks...
therks Posted April 21, 2005 Posted April 21, 2005 (edited) Note: this NO encryption. MD5 is just a hash or checksum generator. Your password is never safe this way.Really? Are you saying that it's possible to convert a hash to the original string of text passed to the MD5 function?If so, how easy/difficult is it? Edited April 21, 2005 by Saunders My AutoIt Stuff | My Github
MSLx Fanboy Posted April 21, 2005 Posted April 21, 2005 There's a difference between hash and encrypt. Encryption hides the information, hashing gives a numerical value of the information. It's practically impossible to determine what the ascii value of a numeric hash. Writing AutoIt scripts since _DateAdd("d", -2, _NowCalcDate())
therks Posted April 21, 2005 Posted April 21, 2005 Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords? In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in. I'd often do something like: $md5Password = MD5($username . $password) Or even perhaps a few MD5's, or toss in some arbitrary text. $md5Password = MD5('passEncrypt' . MD5($username) . $password) Then when I wanted to log that user in it was a simple method of comparing: If MD5($username . $password) == $md5Password) {} Is that really all that insecure? My AutoIt Stuff | My Github
SvenP Posted April 21, 2005 Author Posted April 21, 2005 Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords?In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in.I'd often do something like:$md5Password = MD5($username . $password)Or even perhaps a few MD5's, or toss in some arbitrary text.$md5Password = MD5('passEncrypt' . MD5($username) . $password)Then when I wanted to log that user in it was a simple method of comparing:If MD5($username . $password) == $md5Password) {}Is that really all that insecure?<{POST_SNAPBACK}>Because MD5 is a hash checksum. That means that multiple ASCII strings can have the same checksum. So you just have to calculate AN ASCII string that produces the same hash. See also: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html and http://www.rtfm.com/movabletype/archives/2004_08.html#001055 for an example of two different input vectors that produce the same MD5 checksum.Regards,-Sven
therks Posted April 22, 2005 Posted April 22, 2005 Ah, yes I had figured that myself. But I don't understand these input vectors and such though. What are the chances of coming up with duplicate hashes from two different strings? My AutoIt Stuff | My Github
tylo Posted April 22, 2005 Posted April 22, 2005 (edited) Sven, What is the difference between the LShift($v, $s) and BitShift($v, -$s). There seems to be none! However, there is a difference between RShift($v, $s) and BitShift($v, $s). I wonder if the RShift() function is wrong? It also seems to me that you can simplify: Func AddUnsigned($lX, $lY) return $lX + $lY; you should rather inline this in the code if it is correct. EndFunc Func WordToHex($lValue) Return StringFormat("%08x", $lValue); lower case Hex EndFunc You can throw out Class_initialize() (and arrays), RShiftSigned(). Lastly prefix all functions with _MD5_, and this could maybe become a standard lib. Cheers. /ADD: after som tests, I found that when using RShift() with the simplifications that I suggested, I get the same and correct results as from md5sum.exe. When using BitShift($v, $s) instead of RShift($v, $s) I get a wrong sum. Is BitShift() buggy? Edited April 22, 2005 by tylo blub
Green_Lantern Posted April 22, 2005 Posted April 22, 2005 (edited) Okay. So if it's impossible to determine the ASCII value, what makes it such an unsafe method of comparing passwords?In some of my old PHP scripts, I commonly had MD5()'s of passwords stored in a MySQL db, and used that as a comparison for people logging in.I'd often do something like:$md5Password = MD5($username . $password)Or even perhaps a few MD5's, or toss in some arbitrary text.$md5Password = MD5('passEncrypt' . MD5($username) . $password)Then when I wanted to log that user in it was a simple method of comparing:If MD5($username . $password) == $md5Password) {}Is that really all that insecure?<{POST_SNAPBACK}>It is NOT an unsafe method of comparing passwords. All most all good authentication is performed in this manner. Because MD5 is a hash checksum. That means that multiple ASCII strings can have the same checksum. So you just have to calculate AN ASCII string that produces the same hash. See also: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html and http://www.rtfm.com/movabletype/archives/2004_08.html#001055 for an example of two different input vectors that produce the same MD5 checksum.Regards,-Sven<{POST_SNAPBACK}>Two inputs of differing content CANNOT produce the same hash.* That goes against the whole purpose of calculating checksums/hashes. Hashing algorithms are specifically designed to produce a predictable hash based on input. And that said input cannot be produced from the hash. It's a one-way street. The only way to crack a hash is as follows:You have a hash like this: 5f4dcc3b5aa765d61d8327deb882cf99. You want to find out what input created that hash. To do so you would have to loop through every possible combination of characters, generating the hash for each one, and comparing your generated hash with the hash you were given that the outset. This can be done a variety of ways. Some are:Dictionary Attack: You have a long list of words and letter combinations that are commonly used as passwords. You loop through the list and generate a hash for each word, and compare with the one given. Success is not guaranteed.Brute Force Attack: You loop through every single possible combination of characters in a specified character set, generating hashes for each one, and comparing it with the given hash. The wider the character set the longer it takes. The stronger the password, the longer it takes, If you don't include every single character in your character set, success is not guaranteed. As the length and complexity of the password increase the time required to crack it increases exponentially. Some passwords cannot be cracked this way because it would take hundreds or thousands of years.Rainbow Tables: This is one of the newest and fastest ways to crack passwords. You have a long list of recomputed hashes and their values (a table). You loop through each hash and compare it with the one given. This method can only be used to crack passwords less than 15 characters. Success is not guaranteed if your tables are not big enough.All of the above mentioned methods are very resource intensive. The probability of a password being cracked rests, not on the strength of the hash (MD5), but on the strength of the password. I hope this clears things up for you just a little.* Over time people have sometimes found slight flaws in algorithms. These flaws might cause an identical checksum to be produced from varying input. BUT THIS IS ONLY IN EXTREME CASES. IT DOES NOT MAKE IT INSECURE! Edited April 26, 2005 by Green_Lantern DreamHost: great web hosting for as little as $7.95 a month.
SvenP Posted April 27, 2005 Author Posted April 27, 2005 Sven,What is the difference between the LShift($v, $s) and BitShift($v, -$s). There seems to be none! However, there is a difference between RShift($v, $s) and BitShift($v, $s). I wonder if the RShift() function is wrong?.../ADD: after som tests, I found that when using RShift() with the simplifications that I suggested, I get the same and correct results as from md5sum.exe. When using BitShift($v, $s) instead of RShift($v, $s) I get a wrong sum.Is BitShift() buggy?<{POST_SNAPBACK}>Hello Tylo,Thanks for sorting this out. I had the same problem while converting the code from VBS to AU3. That's why I didn't do any optimizations with AutoIt's internal functions.When I have some more time, I will check out the difference between MD5's RShift and AutoIt's BitShift.. First I need to fix that nasty 'boolean' bug in 3.1.1.16...Regards,-Sven
Valik Posted April 27, 2005 Posted April 27, 2005 It looks to me that RShift never does anything with the top bit, (the sign bit in a signed integer). If that is correct, then all bits are shifted except it. AutoIt's BitShift() operator, however, shifts all bits, even the top bit. I could be wrong, of course. I just looked at the code, I didn't debug it or anything.
Mast3rpyr0 Posted June 14, 2007 Posted June 14, 2007 I helped in the creation of the Hak5 LM Rainbow tables My UDF's : _INetUpdateCheck() My Programs : GameLauncher vAlpha, InfoCrypt, WindowDesigner, ScreenCap, DailyRemindersPick3GeneratorBackupUtility! Other : Bored? Click Here!
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now