Achilles Posted October 15, 2007

#199605

My Programs: Knight Media Player, Multiple Desktops, Daily Comics, Journal

Foy Posted October 15, 2007 Author

Piano_Man said: #199605

Thank you very much for the link.

BrettF Posted October 15, 2007

Foy said: I'd gladly take you up on your offer now, I keep getting overwhelmed by the array errors and x, y of the point vs the x, y of the graphic. X.X I'm still a newbie programmer. I will try to make the graph work... try

Visit my blog!
UDFs: Opens The Default Mail Client | _LoginBox | Convert Reg to AU3 | BASS.au3 (BASS.dll) (Includes various BASS Libraries) | MultiLang.au3 (Multi-Language GUIs!)
Example Scripts: Computer Info Telnet Server | "Secure" HTTP Server (Based on Manadar's Server)
Software: AAMP- Advanced AutoIt Media Player | WorldCam | AYTU - Youtube Uploader
Tutorials: Learning to Script with AutoIt V3
Projects (Hardware + AutoIt): Arduino
Useful Links: AutoIt 1-2-3 | The AutoIt Downloads Section: | SciTE4AutoIt3 Full Version!

SadBunny Posted October 15, 2007

Foy said: But then I can't use it to store private data that I can decrypt and use... guess I'll have to stick with _StringEncrypt. xP but MD5 is good for passwords and logins. That way I also don't technically have access to that info, it only matches their input with the database. Now I see why websites never e-mail your password when you forget it, they can only change it, not decrypt it. xD Woot woot, learning feels good.

Just to fix any misconceptions: MD5 is not an encryption system nor is it a compression system, it is more like a 'checksum' system. See, using an MD5 algorithm, the string "This is an MD5 test string." always leads to the same MD5 'checksum', but there are many more strings that could have the exact same MD5 checksum (there might even be an infinite amount of strings fitting the same checksum if the checksum size is limited (and I believe that to be the case), but I'm not mathematically trained enough to be sure about it). There are however algorithms for producing strings that fit a certain MD5 checksum, often used for semi-smart brute force password cracking.

Note that this whole thing is also the exact reason for the false-positive-sticky (http://www.autoitscript.com/forum/index.php?showtopic=34658). A certain AutoIt script is determined to be a virus, mostly automatically, and a 'fingerprint' (some sort of checksum obviously) is made, also called a 'virus definition'. Since there are hundreds of new viruses every day, this process is mostly done automatically nowadays + the 'definition' needs to be SMALL and GENERIC (you wouldn't want to download 100 MB of new definitions daily).

Now when you compile an AutoIt script, 1) it gets UPX packed and 2) it gets a large heap-o-stuff that EVERY compiled exe gets, namely the interpreter, making the compiled EXEs 'look' very much alike, and therefore the chance increases that two checksums are the same for two different compiled scripts.

Then, since an AV company can't be expected to test all existing scripts/applications against every update (though we do use clean sets to teach our filters), chances of this kind of false positive detection rise with the amount of new definitions.

Hope this told you anything you didn't know yet.

Roses are FF0000, violets are 0000FF... All my base are belong to you.

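How a small, generic fingerprint can match two unrelated compiled scripts, as an added example that is not part of the original post. The file layout, the `fingerprint`, `make_definition` and `scan` helpers and both sample "executables" are constructed for illustration and do not reflect any real AV engine's definition format.

```python
import hashlib

# Constructed stand-in for the interpreter that every compiled script carries.
INTERPRETER_STUB = bytes(range(256)) * 8  # 2048 identical bytes in every file


def compile_script(script):
    """Toy 'compiler': shared interpreter stub followed by the script itself."""
    return INTERPRETER_STUB + script.encode("utf-8")


def fingerprint(exe, offset, length):
    """Hypothetical definition format: MD5 over one fixed window of the file."""
    return hashlib.md5(exe[offset:offset + length]).hexdigest()


def make_definition(sample, offset, length):
    """Build a small definition (offset, length, digest) from a flagged sample."""
    return (offset, length, fingerprint(sample, offset, length))


def scan(exe, definitions):
    """Return the names of all definitions whose window digest matches exe."""
    return [name for name, (offset, length, digest) in definitions.items()
            if fingerprint(exe, offset, length) == digest]


# Constructed samples: one script an analyst flagged, one unrelated script.
flagged = compile_script("; constructed sample that was flagged")
unrelated = compile_script("MsgBox(0, 'Quadratics', 'x = 2')")

definitions = {
    # Window lies inside the shared interpreter: small and generic, but it
    # describes every compiled script, not just the flagged one.
    "stub_window": make_definition(flagged, 512, 64),
    # Window starts where the script payload begins: specific to the sample.
    "payload_window": make_definition(flagged, len(INTERPRETER_STUB), 64),
}

if __name__ == "__main__":
    print("flagged  :", scan(flagged, definitions))
    print("unrelated:", scan(unrelated, definitions))
```

The two files differ as a whole, yet the definition taken over the shared interpreter bytes flags both, which is the false positive the post describes.
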
Foy Posted October 15, 2007 Author

x,x Might _StringEncrypt() be better or worse?

Tasmania Posted October 15, 2007 (edited)

Foy said: Next project... password manager. xD Woot woot, super encryption. So can you decrypt md5hash stuff? You can with the _StringEncrypt() thing that's built in lol... dunno the pros/cons of MD5Hash vs the CR4(I think...) one with String.au3... I don't *really* know ANYTHING about encryption lol.

Bert said: MD5 is strong because it is a hash- it is meant to be one way.

Foy said: x,x Might _StringEncrypt() be better or worse?

Ok, let me just clarify where I am coming from... I am a website and website database/interfacing programmer... it is my job to keep up on "the best" way to encrypt things like passwords and things like that... and let me say this... STOP! Okay, first of all, MD5 is not even close to the correct way to encrypt passwords! SadBunny is dead-on about MD5. It is not meant for passwords... once upon a time it was, but now they have improved security methods and such!

Now, the best way? If you can decrypt it in any way, shape, or form yourself, then it is a bad method of encryption. You should never ever ever ever ever be able to decrypt anything (valuable that is) yourself! If you can decrypt it, and you just happen to be the middle of the road programmer... just IMAGINE what someone with 7 more years of encryption/decryption experience can accomplish!

If you absolutely must encrypt things in a very secure method... first of all, I would cringe at storing anything valuable on the computer itself... but that's unavoidable, especially when it comes to password managers. I highly recommend SHA1, but I don't know if AutoIt has SHA1 capability... if it doesn't, and you absolutely must use MD5... follow the following steps:

1. Create a randomized alpha-numeric symbolized passphrase that only you will know that is approximately 20-25 characters long.
2. Generate a randomized number that is between 100,000 and 200,000,000 (if possible) as a random salt to use.
3. If you so-desire (for added security), create a salt that looks like a word that will go with anything.

Let me explain the previous... if you generate a secure passphrase as the following:

Ab35f$@9f,c9$6y124Fyh4ncC (25 characters long)

Your password you enter in to the text box is "mypw345"

And the randomized number (that will be stored in the registry as an oddball variable, such as "Date") is 45285142

And your final (middle salt) is "the", then if you concatenate all of these together it will appear as this:

Ab35f$@9f,c9$6y124Fyh4ncCthemypw34545285142

BEFORE it is MD5'd. Now, if you MD5 that, it will appear as this:

4c7667106431a266268a8ee27d7c9671

Which will be unable to be brute forced because it will have all of those special characters in there. Now, if someone were to get ahold of your passphrase and your midphrase and the location of your midphrase, they could possibly obtain your passwords by generating MD5 passwords attuned to your specific script, which is why you have a random salt stored somewhere. Now the only issue is, if they obtain your random salt, and the other two items, figure out how you sandwich the password in there, they now have the ability to generate a password list attuned to your program based upon MD5. You could also use dates and more to salt the password, rather than a random salt stored in an obscure variable.

Welcome to encryption... this is just the beginning of the headache... if you want more information, post back or PM me.

Edited October 15, 2007 by Tasmania

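The concatenation scheme described in the post above, next to a per-record random salt with a slow key-derivation function, as an added example that is not part of the original post. The function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions of this example; the passphrase, middle salt, number and password are the sample values from the post.

```python
import hashlib
import hmac
import os

# Sample values taken from the post: fixed passphrase, word-like middle salt
# and the stored number. All three are the same for every password.
PASSPHRASE = "Ab35f$@9f,c9$6y124Fyh4ncC"
MID_SALT = "the"
STORED_NUMBER = "45285142"
ITERATIONS = 200_000  # assumed work factor for this example; tune per hardware

def sandwich_md5(password):
    """The post's scheme: MD5(passphrase + middle salt + password + number)."""
    joined = PASSPHRASE + MID_SALT + password + STORED_NUMBER
    return hashlib.md5(joined.encode("utf-8")).hexdigest()

def kdf_store(password):
    """Per-record random salt plus PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def kdf_verify(password, salt, stored):
    """Recompute with the record's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def compare_schemes(password):
    """Store the same password twice under each scheme and report the outcome."""
    salt_a, digest_a = kdf_store(password)
    salt_b, digest_b = kdf_store(password)
    return {
        # Fixed constants: equal passwords always give equal stored values.
        "sandwich_records_equal": sandwich_md5(password) == sandwich_md5(password),
        # Random per-record salt: equal passwords give unrelated records.
        "kdf_records_equal": digest_a == digest_b,
        "kdf_accepts_right": kdf_verify(password, salt_a, digest_a),
        "kdf_accepts_wrong": kdf_verify(password + "x", salt_a, digest_a),
    }

if __name__ == "__main__":
    print(compare_schemes("mypw345"))
```

In the first scheme the three constants are shared by every record, so whoever reads them from the script and registry can test guesses at plain MD5 speed; in the second, each guess costs `ITERATIONS` hash computations against one record's salt.
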
SadBunny Posted October 15, 2007 Posted October 15, 2007 Right, well spoken. The main thing to realize is, and I reiterate, MD5 hashing is NOT an encryption system. With some tuning you can use it for encryption, but try to think of it as an "integrity-checking system" because that is what it is so very useful for. It is very, very usable for checking integrity of transferred data. Say you have a 100 MB piece of data that you need to download. Then you need it to be checked for integrity for instance because it contains very important data (backups and AV updates come to mind). Now, you could send the complete file multiple times but this has two clear disadvantages: 1. bandwidth waste, and 2. what if the file is broken the second time or third time you send it, no way to tell. So what you do is create an MD5 checksum from the file you know to be intact. It is very small, and it is very, very unlikely to match for broken copies of files. So that's what it's useful for. The encryption usage part is ONLY useful (because otherwise quite unsafe) when combined with a couple of other cherries on the pie such as salt seeds. (I just realized that another way to think of MD5 is: very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very, very lossy compression... ) Roses are FF0000, violets are 0000FF... All my base are belong to you.
Tasmania Posted October 15, 2007 (edited)

Great description and explanation of MD5. I'm going to post up an example of Product Key registration (a VERY basic version of what the professionals do) that you can look at and take with whatever you'd like.

Edit: Here's the product registration link: http://www.autoitscript.com/forum/index.php?showtopic=55197

Edited October 15, 2007 by Tasmania

Foy Posted October 15, 2007 Author

oooh. X.X Well I'm just experimenting at the moment, I don't think people with 5-15 years of encryption are going to kick down my door and hax my computer while I'm at school.

Foy Posted October 15, 2007 Author

And as this is my first real script most of this is just testing to see what I can do...

Tasmania Posted October 15, 2007

Foy said: And as this is my first real script most of this is just testing to see what I can do...

By all means, have fun. We're simply putting the information out there so that in 6 months when someone comes back to yell at you, you can't say "I didn't know!"

SadBunny Posted October 15, 2007 (edited)

Quote: oooh. X.X Well I'm just experimenting at the moment, I don't think people with 5-15 years of encryption are going to kick down my door and hax my computer while I'm at school.

Foy said: And as this is my first real script most of this is just testing to see what I can do...

You are so right. I stumbled upon this thread after it had long dwelled offtopic, though interestingly so.

Since I was so brute to take part in hijacking it, I checked out the rest of the topic (which one should always do in the first place; do as I say, not as I do?) and your script. Script is a cool first AutoIt product, and also the installer is quite functional and must have been fun to figure out. Your code is well formatted and very readable, if I were a teacher I would probably compliment your versatility in methods and approaches. At any rate it seems like you had fun learning it for the first AutoIt attempt, which is in itself reason enough to like the product.

Two things:

1) I think I found your plain e-mail address right there in the Quadratics2.au3. I suggest changing that, at least before official release, to stop the program mailing all its keys to your own address. Maybe if you're gonna have it send e-mails anyway, you want it to not use your own smtp server (because others won't be able to use it) but for instance use _INetMail as a workaround. Or not use mail at all if you don't want to bother the user, but utilize a server at your disposal (if you have any) and try making TCP/IP connections for registering. This is also good to know, and very easy in AutoIt. Just suggestions.

2) By the way, there is a forum section called Example Scripts. Post examples there, it attracts the right kind of attention there...

/edit: removed abundant smileys!

Edited October 15, 2007 by SadBunny

Foy Posted October 15, 2007 Author

Smilies = good, I wouldn't mind this thread itself being moved to example scripts if a mod would be kind enough to do so. Yeah working on lots, thought I took out my e-mail, doesn't really matter though. I trust you guys enough.

Tasmania Posted October 15, 2007

Foy, I updated my product registration code, it should be decent now, but if you want to try to incorporate more into it, you are more than welcome.

SadBunny Posted October 15, 2007 (edited)

Remember to include some cheesy chip tune

Edited October 15, 2007 by SadBunny

Foy Posted October 15, 2007 Author

lol actually if you look in my quadratics2.au3 source file the first line is $ePw = "69 :: 3|\|<r|>7!0n|>@$$\/\/0Ro|K3y :: 69" It's basically 1337 speak for "EncryptionPassword" lol, I think that's a good bunch of special characters.

SadBunny Posted October 15, 2007

Foy said: lol actually if you look in my quadratics2.au3 source file the first line is $ePw = "69 :: 3|\|<r|>7!0n|>@$$\/\/0Ro|K3y :: 69" It's basically 1337 speak for "EncryptionPassword" lol, I think that's a good bunch of special characters.

Agreed; you obviously go through a lot of trouble concocting leetspeak...

Achilles Posted October 15, 2007

SadBunny said: Remember to include some cheesy chip tune

That's definitely a must have.