I am trying to find a reliable way to determine if somebody launching my brand new installer (http://masm32.com/board/index.php?topic=94.msg23580#msg23580) is a regular on this Forum or just a script kiddie. My current method invited Dave to google for Visual Basic, so that is probably not a good solution :bgrin:
Attached a little helper that reads some registry values (no, it doesn't write anything - the source is attached). Could you please post results here (or PM me)? I am interested both in boring standard installations and more exotic setups.
Thanks, jj
Example:
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[Applications\qeditor.exe]
HKCU\Software\Classes\Applications\qeditor.exe\shell\open\command
default=["C:\Masm32\qeditor.exe" "%1"]
HKCR\.asm
default=[VCExpress.asm.10.0]
HKCR\VCExpress.asm.10.0\shell\Open\Command
default=["c:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe" /dde]
*** Running Microsoft Windows XP ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[asm_auto_file]
HKCR\asm_auto_file\shell\Open\Command
default=["C:\masm32\qeditor.exe" "%1"]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[* failed *]
HKCR\* failed *\shell\Open\Command
default=[* failed *]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[rc_auto_file]
HKCR\rc_auto_file\shell\Open\Command
default=["C:\masm32\qeditor.exe" "%1"]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKCR\Applications\qEditor.exe\shell\open\command ["C:\masm32\qeditor.exe" "%1"]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi "C:\masm32\qeditor.exe" "%1"
Registry HKCR $edi "C:\masm32\qeditor.exe" "%1"
Registry HKCR $edi "C:\masm32\qeditor.exe" "%1"
FileWrite
$esi C:\MASM32\SOURCE\~tmp23081341.asm
$edi C:\masm32\qeditor.exe
Your Masm32 root $M32$ C:\masm32\
Your asm files editor $edi C:\masm32\qeditor.exe
-- bye --
jj2007 wrote:
QuoteI am trying to find a reliable way to determine if somebody launching my brand new installer is a regular on this Forum or just a script kiddie.
Interesting idea and I'm intrigued as to why?
Paulo.
Quote from: Paulo on August 24, 2013, 04:47:19 AM
jj2007 wrote:
QuoteI am trying to find a reliable way to determine if somebody launching my brand new installer is a regular on this Forum or just a script kiddie.
Interesting idea and I'm intrigued as to why?
It's simply a matter of mutual trust, Paulo. MasmBasic is pretty well tested, but there
could be a well-hidden bug somewhere. Members of this forum know that it's assembler, i.e. only 99.5% foolproof ;-)
Therefore I prefer that it gets installed by members only.
@Andy: Thanks for the test - you will not be sent googling for Visual Basic :biggrin:
Here is my notebook's result:
*** Running Microsoft Windows XP ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[rc_auto_file]
HKCR\rc_auto_file\shell\Open\Command
default=[* failed *]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* faile
d *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* faile
d *]
HKCR\Applications\qEditor.exe\shell\open\command ["D:\masm32\qeditor.exe"
"%1"]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* faile
d *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [C:\PROG
RA~1\MICROS~2\OFFICE11\WINWORD.EXE]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi No luck in HKLM...
Registry HKCR $edi No luck in HKCR...
Registry HKCR $edi No luck in HKCR...
FileWrite
$esi C:\DOCUME~1\USER\DOCUME~1\DOWNLO~1\~tmp23082111.asm
$edi D:\masm32\qeditor.exe
Your Masm32 root $M32$ D:\masm32\
Your asm files editor $edi D:\masm32\qeditor.exeNote the innovative way the boys in Redmond designed the WinWord path (XP and Win7):
[C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE]
Does somebody have Windows 8 with WinWord?
OK I understand but unless you intend to keep the source code of the installer closed source, what is stopping a non member
simply editing out the checking part and recompile from source?
(and even then a bit of Olly and IDA can reveal a lot).
Checking for member names also might not work as expected as anyone could............[rest censored] :biggrin:
I know that some forums have a feature that certain areas/topics will not show unless one is logged on and hence a member.
If this forum has that capability and if Hutch is willing to help out by setting it up, you could simply move your download there.
Paulo.
Quote from: Paulo on August 24, 2013, 05:20:31 AM
OK I understand but unless you intend to keep the source code of the installer closed source, what is stopping a non member simply editing out the checking part and recompile from source?
(and even then a bit of Olly and IDA can reveal a lot).
The installer will be open source but
inside the package ;-)
Seriously: There is no full protection. It's just for fun - today I learned an awful lot about the registry, and fixed a few issues with GetRegVal (http://www.webalice.it/jj2006/MasmBasicQuickReference.htm#Mb1214).
My next project is accessing the user's webcam, so that I can send back screenshots of script kiddie's face when he is being sent to google for VB :greensml:
jj2007 wrote:
QuoteMy next project is accessing the user's webcam, so that I can send back screenshots of script kiddie's face when he is being sent to google for VB :greensml:
Twain driver anyone? ;)
Have a look at this: http://flatassembler.net/examples/fasmcam.zip (http://flatassembler.net/examples/fasmcam.zip)
In Fasm but should be do-able in MASM.
Quote from: Paulo on August 24, 2013, 06:05:23 AM
Have a look at this: http://flatassembler.net/examples/fasmcam.zip (http://flatassembler.net/examples/fasmcam.zip)
In Fasm but should be do-able in MASM.
Looks feasible. I wonder if FASM adds the zero delimiter automatically:
_camtitle db 'FASMWEBCAM'
Quote from: jj2007 on August 24, 2013, 05:09:41 AM
Progid=[* failed *]
HKCR\.asm
default=[Assembler_source_code]
HKCR\Assembler_source_code\shell\Open\Command
default=[* failed *]
Interesting, what about, in this case, searching in HKCR\.asm\Shell\Open\Command ?
jj2007 wrote:
Quote
Looks feasible. I wonder if FASM adds the zero delimiter automatically:
_camtitle db 'FASMWEBCAM'
and also here:
_filename db 'IMAGE.BMP' ; Filename
Good point.
Perhaps the "invoke" of Fasm automatically zero terminates?
EDIT:
Did some more checking with other Fasm examples and I suspect it's a mistake and it should be zero terminated in the code.
Look at lines 292 to 302 of the asm file in this example:
http://flatassembler.net/examples/quetannon.zip (http://flatassembler.net/examples/quetannon.zip)
EDIT:
Decided to run the webcam exe supplied in the zip thru a hex editor and sure enough no zeros.
Don't have a webcam connected to this PC so can't test.
(http://s11.postimg.org/ep6din277/Fasm_Cam2.jpg)
It turns out that there is a null at offset 0413h so the app might not crash but might also not get the desired result
especially when calling:
capCreateCaptureWindow, _camtitle, WS_VISIBLE + WS_CHILD, 10, 10, 266, 252, [hdlg], 0
:biggrin:
Quote from: Antariy on August 24, 2013, 08:02:07 AM
Interesting, what about, in this case, searching in HKCR\.asm\Shell\Open\Command ?
No such key in my two puters, Alex, only useless
HKEY_CLASSES_ROOT\.asm\OpenWithProgids
HKEY_CLASSES_ROOT\.asm\PersistentHandler
Hi JJ2007, I'm new to MASM.
Here are my results from running your program...
My qEditor.exe is located in "C:\masm32\qEditor.exe"
For some reason it does not show up in HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe
I don't know why. :(
*** Running Windows 7 Ultimate ***
### Testing asm files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asm\UserChoice
Progid=[* failed *]
HKCR\.asm
default=[VCExpress.asm.10.0]
HKCR\VCExpress.asm.10.0\shell\Open\Command
default=["c:\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe" /dde]
### Testing inc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inc\UserChoice
Progid=[* failed *]
HKCR\.inc
default=[ClPhpEd.Files]
HKCR\ClPhpEd.Files\shell\Open\Command
default=["C:\editors\CodelobsterPHPEdition\ClPhpEd.exe" "%1"]
### Testing rc files: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rc\UserChoice
Progid=[* failed *]
HKCR\.rc
default=[DevCpp.rc]
HKCR\DevCpp.rc\shell\Open\Command
default=[C:\programming\Dev-Cpp\devcpp.exe "%1"]
### Finding the path for qEditor.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe [* failed *]
HKCR\Applications\qEditor.exe\shell\open\command [* failed *]
### Finding the path for winword.exe: ###
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\winword.exe [* failed *]
HKCR\Applications\winword.exe\shell\open\command [* failed *]
Messy, right? Now trying to find the editor elsewhere...
Registry HKCU $edi No luck in HKCU...
Registry HKLM $edi No luck in HKLM...
Registry HKCR $edi No luck in HKCR...
Registry HKCR $edi No luck in HKCR...
FileWrite
$esi C:\masm32\examples\~tmp10091107.asm
$edi c:\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe
-- Good-bye -- :t
Quote from: IdrëamofMasm on September 11, 2013, 04:26:24 AM
Hi JJ2007, I'm new to MASM.
Here are my results from running your program...
My qEditor.exe is located in "C:\masm32\qEditor.exe"
For some reason it does not show up in HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\qEditor.exe
I don't know why. :(
Hi IdrëamofMasm,
Welcome to the Forum :icon14:
This thread was a test for the MasmBasic installer (http://masm32.com/board/index.php?topic=94.0), and there are indeed cases where it fails miserably. In theory, qEditor should show up as exe for *.asm files after the Masm32 installation, but it seems VS has some special powers inherited by the OS :icon_mrgreen:
Don't worry, even with VS you can be a valid Masm32 Forum member
TM. Although it's a terrible overkill, of course... and slooooooow :P
Quote from: jj2007 on September 11, 2013, 04:52:12 AM
Don't worry, even with VS you can be a valid Masm32 Forum memberTM
What is a "Masm32 Forum member"? AFAICS this forum calls itself
The MASM Forum. There's a Masm32 sub-forum inside the "projects" group, but I'm unaware that there's a special membership required for it.
Andreas,
You got a point there. One could argue, of course, if a private non-Microsoft site can claim to be "the" Masm Forum, but in terms of Google presence it is indeed "the" Masm site, before Wikipedia and Microsoft's own site (http://www.microsoft.com/en-us/download/details.aspx?id=12654) (yes, the dangerous one that merciless consumes your sources).
Of course, Hutch may have his own thoughts... ;)
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
So NSA is allowed carte blanche here? :t
Quote from: hutch-- on September 11, 2013, 10:11:29 PM
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
does that mean you are extraterriestal? :P
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
Quote from: vertograd on September 12, 2013, 06:24:08 PM
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
it would be great to remove alcoholism and diseases, but it doesnt work that way my exgirlfriend who is educated on matters tell me
but I saw some tvshow about they try to find a gene nicknamed "the grim reaper" and remove it, thats what cause you to age and die of old age, kinda programmed into all species lifespan
but are we ready for immortality?, well probably with all technology to put in robotic prosthetics when a bodypart is worn out we are better equipped than for example in medevial times, you probably do suicide than live in pain of worn out back and shoulders etc without painkillers and with all work you have todo in your lifetime without machines
Quote from: vertograd on September 12, 2013, 07:28:31 PM
Quote from: Magnum on September 12, 2013, 12:18:33 PM
So NSA is allowed carte blanche here? :t
Does NSA stand for National Spiritualist Association ? By the way are the spirits allowed here?
I mean a new advanced form of EVP - Electronic voice phenomenon (http://en.wikipedia.org/wiki/Instrumental_transcommunication#Instrumental_TransCommunication) - forum postings :badgrin:
New Simple Agency
Nitwit Security Agency
I am not a bot, never have been, but I wish to be... :t
ok, later,
Jeff Cummings
Hi Jeff,
Welcome back.
Good to see you again, Jeff.
Gunther
If you used Linux, they would not be a problem. :t
Andy,
Quote from: Magnum on June 13, 2014, 08:42:05 AM
If you used Linux, they would not be a problem. :t
it's a joke, isn't it? What has Linux or BSD or whatever OS to do with those russian spam bots?
Gunther
Quote from: vertograd on September 12, 2013, 06:24:08 PM
Quote from: daydreamer2 on September 12, 2013, 06:05:14 PM
watch the Gattaca movie and see we are all invalids
(invalids there are natural borns, vs genemodified humans)
I watched that movie and liked it :t
Maybe soon we'll see Programming DNA library in MASM32 package and hardware interface for it (designed by our members ) :biggrin:
MS is already working on it:
http://research.microsoft.com/en-us/projects/dna/
Today I find it really difficult if not impossible to come up with REALLY IMPOSSIBLE IDEA .
Quote from: malinowDT on September 01, 2014, 10:17:35 PM
I thought we were pretty laid back over potential membership, we only allow human beings and selective extra terrestrials but no bots or spammers.
The next spam bot. Location is: Россия Москва, the avatar is stolen. It's a mess.
Gunther
How about deleting all posts with a post=1 count, unless they have registered within a random delay time of accepting ?
Just an idea
;)
Tony,
Quote from: K_F on September 02, 2014, 03:39:26 AM
How about deleting all posts with a post=1 count, unless they have registered within a random delay time of accepting ?
Just an idea
;)
on the other hand we've also some diffident members.
Gunther
There should be an automatic function allowing links only after one week of membership. That would stop all "link spammers", because they won't come back after one week to edit their profiles.
Btw at least two of these idiots still have active links - check the middle icon under the avatar. So they do push their google scores.
Jochen,
Quote from: jj2007 on September 02, 2014, 04:44:03 AM
Btw at least two of these idiots still have active links - check the middle icon under the avatar. So they do push their google scores.
yes. Points to an online shop for children's toys.
Gunther
The point is to get links pointing to your target website from other websites which already have a good reputation, thus boosting the target website's reputation. So, as long as their links remain, regardless of the state of their profile, it will continue to be a successful tactic. Spammers' profiles need to obliterated, not just disabled and signature removed.
Possible defensive solution: disable setting of signature and website link for members with profiles less than 30 days old, and possibly require a few (valid) posts. Spamming would then require far more dedication than is worth the trouble.
Hi Tedd,
Quote from: Tedd on September 05, 2014, 02:24:34 AM
Possible defensive solution: disable setting of signature and website link for members with profiles less than 30 days old, and possibly require a few (valid) posts. Spamming would then require far more dedication than is worth the trouble.
why not. But there's one prerequisite: Not more work for the moderators. If this is guaranteed, no problem.
Gunther
:biggrin:
> Possible defensive solution: etc etc ....
Ther are many defensive solution but they all need to be coded into the forum software and it won't be done by me. :badgrin:
Quote from: hutch-- on September 05, 2014, 12:03:39 PM
Ther are many defensive solution but they all need to be coded into the forum software and it won't be done by me. :badgrin:
That was exactly my point. Therefore, the members need to be vigilant in the future.
Gunther