I am trying to find a reliable way to determine if somebody launching my brand new installer (http://masm32.com/board/index.php?topic=94.msg23580#msg23580) is a regular on this Forum or just a script kiddie. My current method invited Dave to google for Visual Basic, so that is probably not a good solution :bgrin:
Attached is a little helper that reads some registry values (no, it doesn't write anything - the source is attached). Could you please post results here (or PM me)? I am interested both in boring standard installations and more exotic setups.
Thanks, jj
Example:
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[Applications\qeditor.exe]
HKCU\Software\Classes\Applications\qeditor.exe\shell\open\command
default=["C:\Masm32\qeditor.exe" "%1"]
HKCR\.asm
default=[VCExpress.asm.10.0]
HKCR\VCExpress.asm.10.0\shell\Open\Command
default=["c:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe" /dde]
*** Running Microsoft Windows XP ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[asm_auto_file]
HKCR\asm_auto_file\shell\Open\Command
default=["C:\masm32\qeditor.exe" "%1"]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[* failed *]
HKCR\* failed *\shell\Open\Command
default=[* failed *]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[rc_auto_file]
HKCR\rc_auto_file\shell\Open\Command
default=["C:\masm32\qeditor.exe" "%1"]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKCR\Applications\qEditor.exe\shell\open\command ["C:\masm32\qeditor.exe" "%1"]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi "C:\masm32\qeditor.exe" "%1"
Registry HKCR $edi "C:\masm32\qeditor.exe" "%1"
Registry HKCR $edi "C:\masm32\qeditor.exe" "%1"
FileWrite
$esi C:\MASM32\SOURCE\~tmp23081341.asm
$edi C:\masm32\qeditor.exe
Your Masm32 root $M32$ C:\masm32\
Your asm files editor $edi C:\masm32\qeditor.exe
-- bye --
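The dumps above all follow the same lookup chain: the per-user UserChoice progid first, then the machine-wide HKCR\.ext progid, then that progid's shell\open\command, and finally the App Paths fallback by exe name. Below is an added example (my own code, not the helper attached to the post or part of MasmBasic) that walks that chain in Python. It runs offline against a constructed registry snapshot modelled on the dumps in this thread, which is assumed data rather than a real export; on Windows the same functions can be pointed at the live registry through winreg. It also flags an unquoted command line containing spaces, which is the one case where the first token of the command is not the executable that actually runs.

```python
r"""Resolve which program Windows launches for a file extension by walking the
registry keys the helper in the post prints, in the order Explorer honours them:
  1. HKCU\Software\...\Explorer\FileExts\<ext>\UserChoice : Progid    (per-user choice)
  2. HKCR\<ext>                                           : (Default) -> progid
  3. HKCR\<progid>\shell\open\command                     : (Default) -> command line
plus the "App Paths" fallback the helper tries for a bare exe name.
The reader is pluggable: a constructed snapshot runs anywhere, winreg_reader()
queries the live registry on Windows."""
from typing import Callable, Dict, Optional, Tuple

try:
    import winreg  # Windows only; absent elsewhere, so the snapshot is used instead
except ImportError:
    winreg = None

Reader = Callable[[str, str, str], Optional[str]]  # (hive, subkey, value name) -> data

FILEEXTS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
APP_PATHS = r"Software\Microsoft\Windows\CurrentVersion\App Paths"


def snapshot_reader(snap: Dict[Tuple[str, str], Dict[str, str]]) -> Reader:
    """Reader over {(hive, subkey): {value_name: data}}; "" names the (Default) value.
    Key and value names compare case-insensitively, as in the real registry."""
    norm = {(h, k.lower()): {v.lower(): d for v, d in vals.items()}
            for (h, k), vals in snap.items()}

    def read(hive: str, subkey: str, value: str) -> Optional[str]:
        return norm.get((hive, subkey.lower()), {}).get(value.lower())
    return read


def winreg_reader() -> Reader:
    """Reader backed by the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry lookups need Windows")
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCR": winreg.HKEY_CLASSES_ROOT}

    def read(hive: str, subkey: str, value: str) -> Optional[str]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _kind = winreg.QueryValueEx(key, value)
                return data if isinstance(data, str) else None
        except OSError:  # missing key or value: the "* failed *" lines in the thread
            return None
    return read


def exe_from_command(command: str) -> Tuple[str, bool]:
    """Split the executable off a shell\\open\\command line.
    The flag is True for an unquoted path that contains spaces (heuristic: the
    first space-delimited token does not end in .exe); such a command is
    ambiguous because CreateProcess tries each space-delimited prefix in turn."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), False
    head = command.split(" ", 1)[0]
    return head, (" " in command and not head.lower().endswith(".exe"))


def resolve_open_command(ext: str, read: Reader) -> dict:
    """Progid and command for `ext` (e.g. ".asm"); the per-user UserChoice wins
    over the machine-wide HKCR association, which is why the post's first dump
    shows qeditor even though HKCR\\.asm points at VCExpress."""
    progid = read("HKCU", rf"{FILEEXTS}\{ext}\UserChoice", "Progid")
    source = "UserChoice" if progid else "HKCR"
    if not progid:
        progid = read("HKCR", ext, "")
    if not progid:
        return {"ext": ext, "source": None, "progid": None, "command": None,
                "exe": None, "unquoted_with_spaces": False}
    command = read("HKCR", rf"{progid}\shell\open\command", "")
    exe, ambiguous = exe_from_command(command) if command else (None, False)
    return {"ext": ext, "source": source, "progid": progid, "command": command,
            "exe": exe, "unquoted_with_spaces": ambiguous}


def locate_exe(exe_name: str, read: Reader) -> Optional[str]:
    """Fallback by executable name: HKCU App Paths, HKLM App Paths, then
    HKCR\\Applications\\<exe>\\shell\\open\\command."""
    for hive in ("HKCU", "HKLM"):
        path = read(hive, rf"{APP_PATHS}\{exe_name}", "")
        if path:
            return path
    command = read("HKCR", rf"Applications\{exe_name}\shell\open\command", "")
    return exe_from_command(command)[0] if command else None


# Constructed snapshot modelled on the dumps posted in the thread (not a real
# export): a per-user choice of qeditor for .asm on top of a VS Express progid,
# an unquoted Dev-C++ command for .rc, nothing for .inc, WinWord only in App Paths.
SAMPLE_REGISTRY = {
    ("HKCU", rf"{FILEEXTS}\.asm\UserChoice"): {"Progid": r"Applications\qeditor.exe"},
    ("HKCR", r"Applications\qeditor.exe\shell\open\command"): {"": r'"C:\Masm32\qeditor.exe" "%1"'},
    ("HKCR", ".asm"): {"": "VCExpress.asm.10.0"},
    ("HKCR", r"VCExpress.asm.10.0\shell\Open\Command"):
        {"": r'"c:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe" /dde'},
    ("HKCR", ".rc"): {"": "DevCpp.rc"},
    ("HKCR", r"DevCpp.rc\shell\Open\Command"): {"": r'C:\programming\Dev-Cpp\devcpp.exe "%1"'},
    ("HKLM", rf"{APP_PATHS}\winword.exe"): {"": r"C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE"},
}

if __name__ == "__main__":
    read = winreg_reader() if winreg else snapshot_reader(SAMPLE_REGISTRY)
    for ext in (".asm", ".inc", ".rc"):
        print(resolve_open_command(ext, read))
    for exe in ("qeditor.exe", "winword.exe"):
        print(exe, "->", locate_exe(exe, read))
```

Run as a script on Windows it reads the live registry; anywhere else it reports the snapshot, where .asm resolves to qeditor via UserChoice, .inc has no association at all, and winword.exe is only found through HKLM App Paths, matching the shape of the dumps above.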
jj2007 wrote:
QuoteI am trying to find a reliable way to determine if somebody launching my brand new installer is a regular on this Forum or just a script kiddie.
Interesting idea and I'm intrigued as to why?
Paulo.
Quote from: Paulo on August 24, 2013, 04:47:19 AM
jj2007 wrote:
QuoteI am trying to find a reliable way to determine if somebody launching my brand new installer is a regular on this Forum or just a script kiddie.
Interesting idea and I'm intrigued as to why?
It's simply a matter of mutual trust, Paulo. MasmBasic is pretty well tested, but there
could be a well-hidden bug somewhere. Members of this forum know that it's assembler, i.e. only 99.5% foolproof ;-)
Therefore I prefer that it gets installed by members only.
@Andy: Thanks for the test - you will not be sent googling for Visual Basic :biggrin:
Here is my notebook's result:
*** Running Microsoft Windows XP ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[rc_auto_file]
HKCR\rc_auto_file\shell\Open\Command
default=[* failed *]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKCR\Applications\qEditor.exe\shell\open\command ["D:\masm32\qeditor.exe" "%1"]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi No luck in HKLM...
Registry HKCR $edi No luck in HKCR...
Registry HKCR $edi No luck in HKCR...
FileWrite
$esi C:\DOCUME~1\USER\DOCUME~1\DOWNLO~1\~tmp23082111.asm
$edi D:\masm32\qeditor.exe
Your Masm32 root $M32$ D:\masm32\
Your asm files editor $edi D:\masm32\qeditor.exe
Note the innovative way the boys in Redmond designed the WinWord path (XP and Win7):
[C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE]
Does somebody have Windows 8 with WinWord?
OK I understand, but unless you intend to keep the source code of the installer closed source, what is stopping a non-member from simply editing out the checking part and recompiling from source?
(and even then a bit of Olly and IDA can reveal a lot).
Checking for member names also might not work as expected as anyone could............[rest censored] :biggrin:
I know that some forums have a feature that certain areas/topics will not show unless one is logged on and hence a member.
If this forum has that capability and if Hutch is willing to help out by setting it up, you could simply move your download there.
Paulo.
Quote from: Paulo on August 24, 2013, 05:20:31 AM
OK I understand, but unless you intend to keep the source code of the installer closed source, what is stopping a non-member from simply editing out the checking part and recompiling from source?
(and even then a bit of Olly and IDA can reveal a lot).
The installer will be open source but
inside the package ;-)
Seriously: There is no full protection. It's just for fun - today I learned an awful lot about the registry, and fixed a few issues with GetRegVal (http://www.webalice.it/jj2006/MasmBasicQuickReference.htm#Mb1214).
My next project is accessing the user's webcam, so that I can send back screenshots of script kiddie's face when he is being sent to google for VB :greensml:
jj2007 wrote:
QuoteMy next project is accessing the user's webcam, so that I can send back screenshots of script kiddie's face when he is being sent to google for VB :greensml:
Twain driver anyone? ;)
Have a look at this: http://flatassembler.net/examples/fasmcam.zip (http://flatassembler.net/examples/fasmcam.zip)
In Fasm but should be do-able in MASM.
Quote from: Paulo on August 24, 2013, 06:05:23 AM
Have a look at this: http://flatassembler.net/examples/fasmcam.zip (http://flatassembler.net/examples/fasmcam.zip)
In Fasm but should be do-able in MASM.
Looks feasible. I wonder if FASM adds the zero delimiter automatically:
_camtitle db 'FASMWEBCAM'
Quote from: jj2007 on August 24, 2013, 05:09:41 AM
Progid=[* failed *]
HKCR\.asm
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
Interesting, what about, in this case, searching in HKCR\.asm\Shell\Open\Command ?
jj2007 wrote:
Quote
Looks feasible. I wonder if FASM adds the zero delimiter automatically:
_camtitle db 'FASMWEBCAM'
and also here:
_filename db 'IMAGE.BMP' ; Filename
Good point.
Perhaps the "invoke" of Fasm automatically zero terminates?
EDIT:
Did some more checking with other Fasm examples and I suspect it's a mistake and it should be zero terminated in the code.
Look at lines 292 to 302 of the asm file in this example:
http://flatassembler.net/examples/quetannon.zip (http://flatassembler.net/examples/quetannon.zip)
EDIT:
Decided to run the webcam exe supplied in the zip thru a hex editor and sure enough no zeros.
Don't have a webcam connected to this PC so can't test.
(http://s11.postimg.org/ep6din277/Fasm_Cam2.jpg)
It turns out that there is a null at offset 0413h so the app might not crash but might also not get the desired result
especially when calling:
capCreateCaptureWindow, _camtitle, WS_VISIBLE + WS_CHILD, 10, 10, 266, 252, [hdlg], 0
:biggrin:
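To make the hex-dump finding above concrete: FASM and MASM both emit exactly the bytes listed after `db`, so `db 'FASMWEBCAM'` with no `,0` leaves whatever API receives that pointer reading straight on through the following data until it meets the first 0 byte. The Python below is an added example (my own code, not from the thread or from the fasmcam package) that models this on a constructed data section mimicking the two literals back to back; the bytes are made up to illustrate the layout and are not the real contents of fasmcam.exe, so the 0 at offset 0413h mentioned above is not reproduced.

```python
"""What a C-string consumer sees when an assembler `db` literal has no
terminating zero.  Both FASM and MASM emit exactly the bytes listed after db,
so `db 'FASMWEBCAM'` with no `,0` leaves an API such as capCreateCaptureWindow
reading straight on through whatever follows in the data section until the
first 0 byte.  The blob below is constructed to mimic that layout; it is not
the actual contents of fasmcam.exe."""

# Constructed data section: the two literals back to back with no terminator,
# then a couple of unrelated non-zero bytes, then the first 0 some way further on.
DATA = (
    b"FASMWEBCAM"          # _camtitle db 'FASMWEBCAM'   (offset 0, no ,0)
    b"IMAGE.BMP"           # _filename db 'IMAGE.BMP'    (offset 10, no ,0)
    b"BM"                  # unrelated data that happens to follow
    b"\x00\x00\x00\x00"    # first zero bytes the reader will hit
)
LITERALS = {"_camtitle": (0, b"FASMWEBCAM"), "_filename": (10, b"IMAGE.BMP")}


def read_cstring(blob: bytes, offset: int) -> bytes:
    """Read from `offset` up to the first 0 byte, as a C API does.  If there is
    no 0 before the end of the blob the read would run off the data entirely."""
    end = blob.find(b"\x00", offset)
    if end < 0:
        raise ValueError(f"no terminator after offset {offset:#x}; read runs off the end")
    return blob[offset:end]


def is_terminated(blob: bytes, offset: int, literal: bytes) -> bool:
    """True if `literal` sits at `offset` and a 0 byte immediately follows it."""
    end = offset + len(literal)
    return blob[offset:end] == literal and end < len(blob) and blob[end] == 0


def terminated_db(literal: bytes) -> bytes:
    """The bytes `db 'literal',0` emits: the literal plus its terminator."""
    return literal + b"\x00"


def audit(blob: bytes, literals: dict) -> dict:
    """For each name -> (offset, literal): is it terminated, and what does a
    C-string reader actually get from that offset?"""
    return {name: {"terminated": is_terminated(blob, off, lit),
                   "seen_by_api": read_cstring(blob, off)}
            for name, (off, lit) in literals.items()}


def fixed_layout() -> bytes:
    """The same data section with `,0` added to both literals."""
    return terminated_db(b"FASMWEBCAM") + terminated_db(b"IMAGE.BMP") + b"BM\x00\x00\x00\x00"


if __name__ == "__main__":
    for name, info in audit(DATA, LITERALS).items():
        print(f"{name}: terminated={info['terminated']} api sees {info['seen_by_api']!r}")
    fixed = fixed_layout()
    print("after adding ,0:", audit(fixed, {"_camtitle": (0, b"FASMWEBCAM"),
                                           "_filename": (11, b"IMAGE.BMP")}))
```

With the unterminated layout the window title becomes "FASMWEBCAMIMAGE.BMPBM" and the capture is written to a file called "IMAGE.BMPBM", which is the "might not crash but might also not get the desired result" case; with no 0 anywhere after the literal the read leaves the data entirely, which read_cstring reports as an error.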
Quote from: Antariy on August 24, 2013, 08:02:07 AM
Interesting, what about, in this case, searching in HKCR\.asm\Shell\Open\Command ?
No such key in my two puters, Alex, only useless
HKEY_CLASSES_ROOT\.asm\OpenWithProgids
HKEY_CLASSES_ROOT\.asm\PersistentHandler
Hi JJ2007, I'm new to MASM.
Here are my results from running your program...
My qEditor.exe is located in "C:\masm32\qEditor.exe"
For some reason it does not show up in HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe
I don't know why. :(
*** Running Windows 7 Ultimate ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[VCExpress.asm.10.0]
HKCR\VCExpress.asm.10.0\shell\Open\Command
default=["c:\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe" /dde]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[ClPhpEd.Files]
HKCR\ClPhpEd.Files\shell\Open\Command
default=["C:\editors\CodelobsterPHPEdition\ClPhpEd.exe" "%1"]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[DevCpp.rc]
HKCR\DevCpp.rc\shell\Open\Command
default=[C:\programming\Dev-Cpp\devcpp.exe "%1"]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKCR\Applications\qEditor.exe\shell\open\command [* failed *]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi No luck in HKLM...
Registry HKCR $edi No luck in HKCR...
Registry HKCR $edi No luck in HKCR...
FileWrite
$esi C:\masm32\examples\~tmp10091107.asm
$edi c:\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe
-- Good-bye --
:t
Quote from: IdrëamofMasm on September 11, 2013, 04:26:24 AM
Hi JJ2007, I'm new to MASM.
Here are my results from running your program...
My qEditor.exe is located in "C:\masm32\qEditor.exe"
For some reason it does not show up in HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe
I don't know why. :(
Hi IdrëamofMasm,
Welcome to the Forum :icon14:
This thread was a test for the MasmBasic installer (http://masm32.com/board/index.php?topic=94.0), and there are indeed cases where it fails miserably. In theory, qEditor should show up as exe for *.asm files after the Masm32 installation, but it seems VS has some special powers inherited by the OS :icon_mrgreen:
Don't worry, even with VS you can be a valid Masm32 Forum memberTM. Although it's a terrible overkill, of course... and slooooooow :P
Quote from: jj2007 on September 11, 2013, 04:52:12 AM
Don't worry, even with VS you can be a valid Masm32 Forum memberTM
What is a "Masm32 Forum member"? AFAICS this forum calls itself
The MASM Forum. There's a Masm32 sub-forum inside the "projects" group, but I'm unaware that there's a special membership required for it.
Andreas,
You've got a point there. One could argue, of course, whether a private non-Microsoft site can claim to be "the" Masm Forum, but in terms of Google presence it is indeed "the" Masm site, before Wikipedia and Microsoft's own site (http://www.microsoft.com/en-us/download/details.aspx?id=12654) (yes, the dangerous one that mercilessly consumes your sources).
Of course, Hutch may have his own thoughts... ;)
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
So NSA is allowed carte blanche here? :t
Quote from: hutch-- on September 11, 2013, 10:11:29 PM
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
does that mean you are extraterrestrial? :P
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
Quote from: vertograd on September 12, 2013, 06:24:08 PM
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
it would be great to remove alcoholism and diseases, but it doesn't work that way, my ex-girlfriend, who is educated on such matters, tells me
but I saw some TV show about them trying to find a gene nicknamed "the grim reaper" and remove it; that's what causes you to age and die of old age, kind of programmed into every species' lifespan
but are we ready for immortality? well, probably: with all the technology to put in robotic prosthetics when a body part is worn out, we are better equipped than, for example, in medieval times, when you would probably rather commit suicide than live with the pain of a worn-out back and shoulders etc. without painkillers, and with all the work you had to do in your lifetime without machines
:icon_redface:
:icon_redface:
Interesting idea and I'm intrigued as to why?
Quote from: vertograd on September 12, 2013, 07:28:31 PM
Quote from: Magnum on September 12, 2013, 12:18:33 PM
So NSA is allowed carte blanche here? :t
Does NSA stand for National Spiritualist Association ? By the way are the spirits allowed here?
I mean a new advanced form of EVP - Electronic voice phenomenon (http://en.wikipedia.org/wiki/Instrumental_transcommunication#Instrumental_TransCommunication) - forum postings :badgrin:
New Simple Agency
Nitwit Security Agency
The user milanLR with the senseless post here:
http://masm32.com/board/index.php?topic=2277.msg25561#msg25561
is a spammer.
This user promotes a service in the custom web-site link near his avatar. The link there promotes a website about photo-epilation ::) (I don't know what it is called in English); the exact description of the link is "photoepication cost in moscow" - that's an SEO phrase to promote the website.
probably female
not too many guys gonna use Brad Pitt as an avatar - lol
:lol: I guess the epilation is the thing that really would not attract the members here :greensml:
It's just for Google ranks or some such.
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
Quote from: MGrigorj on May 12, 2014, 03:31:06 PM.. no bots or spammers.
Some clever Russian bots have managed to sneak in almost unnoticed ;-)
Quote from: jj2007 on May 12, 2014, 03:40:54 PM
Some clever Russian bots have managed to sneak in almost unnoticed ;-)
Yes, especially this one. (http://masm32.com/board/index.php?topic=2277.msg25561#msg25561)
Gunther
We can see the same pattern: a black & white avatar of the same size, randomly generated names and an irrelevant web site being promoted...
Let's wait for the third guest ;)
Jochen, you probably need to explain better what you mean with your thin humour :t
The post above - http://masm32.com/board/index.php?topic=2277.msg33268#msg33268 -
is from the "spam-bot", and it promotes a political site in the link near its avatar.
Gunther, yes, the one I noted is still a forum member, too :biggrin:
Hi vertograd,
Quote from: vertograd on May 12, 2014, 08:40:12 PM
We can see the same pattern: a black & white avatar of the same size, randomly generated names and an irrelevant web site being promoted...
Let's wait for the third guest ;)
Yep. What kind of graphics format is the attached image?
Gunther
Hi Alex,
Quote from: Antariy on May 12, 2014, 09:05:26 PM
Gunther, yes, that one i noted about is still the forum member, too :biggrin:
ah yes, I've checked it now. Hutch knows what must be done.
Gunther
Hi Gunther,
Attached image is PNG renamed to ZIP
Quote from: vertograd on May 12, 2014, 08:40:12 PM
We can see the same pattern: a black & white avatar of the same size, randomly generated names and an irrelevant web site being promoted...
Let's wait for the third guest ;)
It seems those avatars are from the forum's standard set of avatars, and the nicks match what they are promoting: the first one on the previous page is the name of an "epilation centre" in Moscow, the second is a "Russian name" :t And the strange thing is: every "bot" just copied an earlier message ::)
Humanity will have the right to claim that real AI has been invented only when a machine controlled by that AI makes non-senseless ad posts on forums :greensml:
Currently people (not even machines) do that work, and the posts are pretty senseless ::)
vertograd,
Quote from: vertograd on May 12, 2014, 09:14:24 PM
Attached image is PNG renamed to ZIP
okay, good to know.
Alex,
Quote from: Antariy on May 12, 2014, 09:19:40 PM
Currently people (not even machines) do that work, and the posts are pretty senseless ::)
yes, you're right. Another nice mess which is coming upon us.
Gunther
Voices ... electronic voices :shock:
Guys,
I catch most of this crap, and you probably don't see it, but with the odd one that gets past, it makes it a lot easier to find them if I get the name they are using.
New advertising for construction machines from China and other friendly countries. Interesting, but it has nothing to do with assembly language. The next spam bot from Moscow.
Gunther
I am not a bot, never have been, but I wish to be... :t
ok, later,
Jeff Cummings
Hi Jeff,
Welcome back.
Good to see you again, Jeff.
Gunther
Quote from: aktiwIN on June 12, 2014, 02:57:27 AM...no bots or spammers.
Indeed, so please pixx off, buddy.
...
Quote from: aktiwIN on June 12, 2014, 02:57:27 AM
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
spam bots, spam bots, ... what a mess.
Gunther
If you used Linux, they would not be a problem. :t
Andy,
Quote from: Magnum on June 13, 2014, 08:42:05 AM
If you used Linux, they would not be a problem. :t
it's a joke, isn't it? What has Linux or BSD or whatever OS to do with those Russian spam bots?
Gunther
Quote from: vertograd on September 12, 2013, 06:24:08 PM
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
MS is already working on it:
http://research.microsoft.com/en-us/projects/dna/
Today I find it really difficult, if not impossible, to come up with a REALLY IMPOSSIBLE IDEA.
Quote from: malinowDT on September 01, 2014, 10:17:35 PM
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
The next spam bot. Location is: Россия Москва (Russia, Moscow); the avatar is stolen. It's a mess.
Gunther
How about deleting all posts from accounts with a post count of 1, unless they registered within a random delay time of being accepted?
Just an idea
;)
Tony,
Quote from: K_F on September 02, 2014, 03:39:26 AM
How about deleting all posts from accounts with a post count of 1, unless they registered within a random delay time of being accepted?
Just an idea
;)
on the other hand we also have some diffident members.
Gunther
There should be an automatic function allowing links only after one week of membership. That would stop all "link spammers", because they won't come back after one week to edit their profiles.
Btw at least two of these idiots still have active links - check the middle icon under the avatar. So they do push their google scores.
Jochen,
Quote from: jj2007 on September 02, 2014, 04:44:03 AM
Btw at least two of these idiots still have active links - check the middle icon under the avatar. So they do push their google scores.
yes. Points to an online shop for children's toys.
Gunther
Reply #22 is almost a year old and still contains a link to some Russian website - it's obvious SEO spam.
The point is to get links pointing to your target website from other websites which already have a good reputation, thus boosting the target website's reputation. So, as long as their links remain, regardless of the state of their profile, it will continue to be a successful tactic. Spammers' profiles need to be obliterated, not just disabled with the signature removed.
Possible defensive solution: disable setting of signature and website link for members with profiles less than 30 days old, and possibly require a few (valid) posts. Spamming would then require far more dedication than is worth the trouble.
Hi Tedd,
Quote from: Tedd on September 05, 2014, 02:24:34 AM
Possible defensive solution: disable setting of signature and website link for members with profiles less than 30 days old, and possibly require a few (valid) posts. Spamming would then require far more dedication than is worth the trouble.
why not. But there's one prerequisite: Not more work for the moderators. If this is guaranteed, no problem.
Gunther
:biggrin:
> Possible defensive solution: etc etc ....
There are many defensive solutions, but they all need to be coded into the forum software, and it won't be done by me. :badgrin:
Quote from: hutch-- on September 05, 2014, 12:03:39 PM
There are many defensive solutions, but they all need to be coded into the forum software, and it won't be done by me. :badgrin:
That was exactly my point. Therefore, the members need to be vigilant in the future.
Gunther