CriticalSecurity - Recent Topics http://www.criticalsecurity.net/index.php Sun, 14 Mar 2010 02:59:18 +0000 3 <![CDATA[St. Patrick'S Day]]> http://www.criticalsecurity.net/index.php/topic/32859-st-patricks-day/ Sun, 14 Mar 2010 01:21:45 +0000 http://www.criticalsecurity.net/index.php/topic/32859-st-patricks-day/ Master Boot Record Editor Application http://www.criticalsecurity.net/index.php/topic/32858-master-boot-record-editor-application/ . I've decided to publish it for anyone interested in this kind of stuff, maybe it proves helpful or interesting. First of all...

!!! BIG FAT HEAVY WARNING !!!
This can easily totally fuck up your current setup along with the primary partition table, so you could end up reformatting your computer if you mess something up. I won't be held responsible for any possible damage done to your machine. I know what I'm talking about because it happened to me, too, luckily the damage was small, the only thing I lost is the time while I was repairing it and some links. So use it on a virtual machine or on some computer designated for tests and destruction. Also, it does not do anything on its own, so it's your responsibility to specify the right destructive flags. Consider yourself warned.

The program has been made in Microsoft Visual C++ 2008 Express Edition and successfully tested on Microsoft Windows XP SP2. I don't know if it works on Windows Vista or Seven. (I doubt it, because I've heard they had changed some permissions, so raw disk reading is not supported any more. If anyone decides to test it, please post your findings.)

The program uses CreateFile, ReadFile and WriteFile functions to view and edit the MBR changes. I've spent some time getting it to work because I was getting errors while trying to read it. In the end it came up that the system file buffering is turned off, so you can read or write only the disk sector size and its multiples (I used GetDiskFreeSpace function). Also, the file pointer had to be manually set (function SetFilePointer) and the data had to be aligned in memory (function VirtualAlloc does the good job). Also, as the MBR reading happens always, the file pointer has to be reset again before the MBR rewriting, otherwise you write the sector after the MBR. There were a couple of web pages that helped me, but I lost the most of them. The most important is this one.

The program has the ability to store the MBR in a binary file, which can then be disassembled with "ndisasm" program (for instance) and examined or changed and rewritten(which was my goal). Furthermore, a user can observe boot sectors on different disks, like NTFS boot sector which usually boots Windows.

If anyone engages in the quest of writing their own MBRs or systems, I'd be very interested to see what you've come up with. This is my next assignment, we'll see how it goes.

Here are a couple of useful tools to use along with the MBREditor:


The code:

MBREditor.cpp
Spoiler


MBREditor.h
Spoiler
]]> Sat, 13 Mar 2010 17:48:19 +0000 http://www.criticalsecurity.net/index.php/topic/32858-master-boot-record-editor-application/ Perl System. http://www.criticalsecurity.net/index.php/topic/32857-perl-system/ I am now trying to do this in perl too. How can i accomplish this? Can anyone give me a sample code?

In python i think we have os.system().]]> Sat, 13 Mar 2010 10:51:53 +0000 http://www.criticalsecurity.net/index.php/topic/32857-perl-system/ Slow Performance Mysql http://www.criticalsecurity.net/index.php/topic/32855-slow-performance-mysql/
At work I recently moved our e-commerce software From an iMac to a FreeBSD based server. Since the move, mysql searches that were taking < 1 second before are now taking about 20 seconds. I've messed with the my.cnf file and haven't noticed any significant performance.

Does anyone have suggestions?

Uptime- 12:04PM up 16 days, 52 mins, 3 users, load averages: 1.19, 1.25, 1.25

Top Output
Spoiler



MySQL.cnf
Spoiler
]]> Fri, 12 Mar 2010 17:09:40 +0000 http://www.criticalsecurity.net/index.php/topic/32855-slow-performance-mysql/ Database Transfer http://www.criticalsecurity.net/index.php/topic/32853-database-transfer/
Home:
mysql version : 5.1.41
OS : Windows

University:
mysql version : 4.0.12
OS : UNIX


To export I have been using phpMyAdmin

To import I have been using mysql -u username -p < database.sql

I keep getting the following error

Unknown system variable 'SQL_MODE'



Any ideas?

Thanks

Calypso]]> Thu, 11 Mar 2010 14:49:16 +0000 http://www.criticalsecurity.net/index.php/topic/32853-database-transfer/ It Lawyer http://www.criticalsecurity.net/index.php/topic/32852-it-lawyer/
I am studing Law LLB in a uni in England. We are currently being asked to choose the courses we are going to do for the next year so pretty much I have to make some plans for my future.

What i have in my mind is studing Law which have to do with computer crime, hacking, illegal data exchange and staff like that. So i guess doing a Master in IT Law(when the time comes) will be the only kind of law(i think) which will have to do with these kind of staff.

That`s why i make this topic so if someone believe that there are any alternatives ways of succeeding that I will be glad. Also what unis will be available to do this kind of master and even what country is better to do it.]]> Wed, 10 Mar 2010 18:17:32 +0000 http://www.criticalsecurity.net/index.php/topic/32852-it-lawyer/ Root This Box http://www.criticalsecurity.net/index.php/topic/32849-root-this-box/
This is to be a project run by CS for CS so the better we make it the more fun we can have. Let me know your thoughts/suggestions.]]> Wed, 10 Mar 2010 08:24:06 +0000 http://www.criticalsecurity.net/index.php/topic/32849-root-this-box/ Need Some Feedback On Securitytube.Net http://www.criticalsecurity.net/index.php/topic/32847-need-some-feedback-on-securitytube-net/
I have been running SecurityTube.net for the last year or so. For those who have not ever visited the site, here is the link : http://www.securitytube.net .

Basically the site contains a lot of videos I have made on topics related to security and hacking, other members have made and embeds of good videos from sites such as youtube and vimeo.

The objective of the site was to become a good collection of quality videos people can learn from.

I am planning to revamp the website and wanted to know your feedback on it. Would be great if you could tell me what you like / dislike about the site and what things you feel i could add to make it more useful.

Please be honest with your feedback. I am open to criticism.

Vivek]]> Tue, 09 Mar 2010 07:12:26 +0000 http://www.criticalsecurity.net/index.php/topic/32847-need-some-feedback-on-securitytube-net/ Dos Attack http://www.criticalsecurity.net/index.php/topic/32846-dos-attack/
I am trying to use PackETH v1.6 which can run on windows OS, to simulate the SYN FLOOD attack to load-balancer.

But i fail to see any packet going through when i display the interface statistics.

I wonder if anyone can show me how to configure the PackETH tool.

Thanks.
]]> Tue, 09 Mar 2010 07:00:38 +0000 http://www.criticalsecurity.net/index.php/topic/32846-dos-attack/ Optimizing Php File http://www.criticalsecurity.net/index.php/topic/32845-optimizing-php-file/
I am thinking along the line of a php file taking the following parameters

1. Database username, password, name, fields etc
2. Html form name

Then the script would loop through the form and find all input object such as textfields, comboBoxes, texboxes etc and upload these to the database

Is this possible??


<?php

$TitleGeneral = $_POST['TitleGeneral'];
$FirstNameGeneral = $_POST['FirstNameGeneral'];
$LastNameGeneral = $_POST['LastNameGeneral'];

$AddressGeneral = $_POST['AddressGeneral'];
$TownGeneral = $_POST['TownGeneral'];
$CountyGeneral = $_POST['CountyGeneral'];

$PostCodeGeneral= $_POST['PostCodeGeneral'];
$CountryGeneral = $_POST['CountryGeneral'];
$EmailGeneral = $_POST['EmailGeneral'];
$TelephoneGeneral = $_POST['TelephoneGeneral'];
$MobileGeneral = $_POST['MobileGeneral'];
$EnquiryDescriptionGeneral = $_POST['EnquiryDescriptionGeneral'];
$MarketingGeneral = $_POST['MarketingGeneral'];




mysql_connect("localhost", "root", "") or die;
mysql_select_db("Camira");

$query = "INSERT INTO General (

    ID,
    TitleGeneral,
    FirstNameGeneral,
    LastNameGeneral,
    AddressGeneral,
    TownGeneral,
    CountyGeneral,
    PostCodeGeneral,
    CountryGeneral,
    EmailGeneral,
    TelephoneGeneral,
    MobileGeneral,
    EnquiryDescriptionGeneral,
    MarketingGeneral

    )VALUES (
    
    'NULL',
    '".$TitleGeneral."',
    '".$FirstNameGeneral."',
    '".$LastNameGeneral."',
    '".$AddressGeneral."',
    '".$TownGeneral."',
    '".$CountyGeneral."',
    '".$PostCodeGeneral."',
    '".$CountryGeneral."',
    '".$EmailGeneral."',
    '".$TelephoneGeneral."',
    '".$MobileGeneral."',
    '".$EnquiryDescriptionGeneral."',
    '".$MarketingGeneral."')";

mysql_query($query) or die ('Error updating db2');
/*echo "DB updateed with " .$Name;*/
include("../Home/Home.php")
?>
]]> Sun, 07 Mar 2010 20:11:38 +0000 http://www.criticalsecurity.net/index.php/topic/32845-optimizing-php-file/ Newb Question: Printing All Prime Numbers B/W 1 And 100? http://www.criticalsecurity.net/index.php/topic/32844-newb-question-printing-all-prime-numbers-bw-1-and-100/
I had an account on here before, but had to make a new one. I suppose the boards were redone. Anyways, I am embarking on 9++ and have a program that prints the prime numbers between 1 and 100, but I can't figure out step-by-step why the code works. I tried to follow it, but I end up losing myself. Sad? I know. If someone can please explain, it would be appreciated. Thanks in advance. 

// Find prime numbers between 1 and 100. 
 
#include <iostream> 
using namespace std; 
 
int main() {    
  int i, j; 
  bool isprime; 
 
  for(i=1; i < 100; i++) { 
    isprime = true;  
 
    // see if the number is evenly divisible 
    for(j=2; j <= i/2; j++) 
      // if it is, then its not prime 
      if((i%j) == 0) isprime = false; 
 
    if(isprime) 
      cout << i << " is prime.\n"; 
  } 
 
  return 0; 
}
]]> Sun, 07 Mar 2010 18:07:03 +0000 http://www.criticalsecurity.net/index.php/topic/32844-newb-question-printing-all-prime-numbers-bw-1-and-100/ Mac Spoofing In Vista http://www.criticalsecurity.net/index.php/topic/32843-mac-spoofing-in-vista/ Right now the network adapter card in my laptop is a Atheros AR5007 802.11b/g WiFi Adapter, and I've tried SMAC, Technitium and Hide my MAC Address software and no changes will take effect. I've even went in to the properties and put a value in the Network Address and rebooted and that didn't work either. So just want to know if anyone knows of an adapter that will let you do this. I've scoured the net and am having a really hard time finding any successful MAC spoofing in Vista, maybe I'm just looking in the wrong place! LOL! Any advice would be appreciated!
Thanks!]]> Sun, 07 Mar 2010 13:24:16 +0000 http://www.criticalsecurity.net/index.php/topic/32843-mac-spoofing-in-vista/ Telnet Tls Decryption http://www.criticalsecurity.net/index.php/topic/32842-telnet-tls-decryption/
I would like to test the security on the connections to my IBM CICS server which is using TLS SSL protocol I am using wireshark and I have the private RSA key and have setup wireshark ssl preference to use the mentioned key
ip,port,pro,path_to_key but apparently I am not getting the packets payload decrypted...

can someone help ???!!!]]> Sun, 07 Mar 2010 11:14:06 +0000 http://www.criticalsecurity.net/index.php/topic/32842-telnet-tls-decryption/ Sql http://www.criticalsecurity.net/index.php/topic/32841-sql/
Now using javascript I have written a small script to make sure all field have been correctly filled in, how do i transfer this infomation to an sql database. I have

I already have xampp installed and have apache and mysql local sever running

Thanks

Calypso]]> Sun, 07 Mar 2010 11:09:58 +0000 http://www.criticalsecurity.net/index.php/topic/32841-sql/ <![CDATA[[Alg002] Implemented In Assembly (X86)]]> http://www.criticalsecurity.net/index.php/topic/32840-alg002-implemented-in-assembly-x86/ Don't get discouraged if you feel this code is complicated - implementing ALG002 can be done a lot easier, especially if you're using a higher level language than assembly. This code is provided for those (like me) who prefer learning stuff by example. Assembly is very easy to learn, but quite hard to be able to write decent code in as it's so specific to the details of the task at hand.

This project is set up much like in this thread, that is, a Visual Studio project with both assembly and c/c++ code. This time a struct is also defined (although it could also have been just a pointer to a 208 byte large area as the c/c++ code hasn't any use for the data in the struct).

First up is the header file:
// alg002.h
#pragma once

#ifdef __cplusplus
extern "C" {
#endif
    typedef struct
    {
        unsigned int state[3];
        unsigned int length;
        unsigned int buffer[48];
    }
    ALG002_context;

    void extern ALG002_reset(ALG002_context* ctx);
    void extern ALG002_input(ALG002_context* ctx, void* input, unsigned int length);
    void extern ALG002_result(ALG002_context* ctx, unsigned char output[8]);
#ifdef __cplusplus
}
#endif

Then it's the actual assembly code:
; alg002.asm
.686
.XMM
.model flat, stdcall
option casemap:none

;===========================================;
;   Prototypes                              ;
;===========================================;
ALG002_reset    proto C ctx:DWORD
ALG002_input    proto C ctx:DWORD, src:DWORD, len:DWORD
ALG002_result   proto C ctx:DWORD, dst:DWORD
ALG002_process  proto C ctx:DWORD

;===========================================;
;   Constants                               ;
;===========================================;
C_ALG002_0      equ     010B6B4CCh
C_ALG002_1      equ     05C341141h
C_ALG002_2      equ     0E8CEA154h

;===========================================;
;   Structures                              ;
;===========================================;
ALG002_CTX  struc
    state   dd   3 dup (?)
    count   dd   ?
    buffer  dd  48 dup (?)
ALG002_CTX  ends

;===========================================;
;   Macros                                  ;
;===========================================;
round1  MACRO   a,b,c,i,t1,t2
    mov     eax,b
    not     eax
    and     eax,[ebx].buffer[i*4]
    mov     ecx,b
    or      ecx,c
    xor     eax,ecx     ; eax = f
    lea     a,[a+eax+t1-1]
    sub     a,[ebx].buffer[i*4]
    rol     a,t2
    add     a,b
    ENDM

round2  MACRO   a,b,c,i,t1,t2
    mov     eax,c
    mov     ecx,c
    not     eax
    or      ecx,[ebx].buffer[i*4]
    and     eax,b
    xor     eax,ecx     ; eax = f
    lea     a,[a+eax+t1-1]
    sub     a,[ebx].buffer[i*4]
    rol     a,t2
    add     a,b
    ENDM

round3  MACRO   a,b,c,i,t1,t2
    mov     eax,[ebx].buffer[i*4]
    not     eax
    xor     eax,b
    xor     eax,c       ; eax = f
    lea     a,[a+eax+t1-1]
    sub     a,[ebx].buffer[i*4]
    rol     a,t2
    add     a,b
    ENDM

;===========================================;


.data
padding db  80h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h


.code
;===============================================;
; In:   ctx (context)                           ;
; Out:  -nothing-                               ;
;===============================================;
ALG002_reset    proc C  ctx:DWORD
    push    ebx
    mov     ebx,ctx
    assume  ebx:ptr ALG002_CTX
    mov     [ebx].state[0*4],C_ALG002_0
    mov     [ebx].state[1*4],C_ALG002_1
    mov     [ebx].state[2*4],C_ALG002_2
    mov     [ebx].count,0
    assume  ebx:nothing
    pop     ebx
    ret
ALG002_reset    endp

;===============================================;
; In:   ctx (context)                           ;
;       src (arbitrary block of data)           ;
;       len (number of octets of data)          ;
; Out:  -nothing-                               ;
;===============================================;
ALG002_input    proc C  ctx:DWORD, src:DWORD, len:DWORD
    pushad
    mov     ebx,ctx
    assume  ebx:ptr ALG002_CTX
    mov     ecx,len
    and     ecx,ecx
    jz      _done

    mov     esi,src
    mov     eax,[ebx].count
    mov     edx,64
    and     eax,3Fh
    add     [ebx].count,ecx
    sub     edx,eax
    lea     edi,[ebx].buffer[eax]
    and     eax,eax
    jz      _skip
    cmp     ecx,edx
    jb      _skip
    sub     ecx,edx
@@: movsb
    dec     edx
    jnz     @b
    invoke  ALG002_process, ebx
    lea     edi,[ebx].buffer
_skip:
    cmp     ecx,64
    jb      _skip2
    push    edi
    push    ecx
    lea     edi,[ebx].buffer
    mov     ecx,16
    rep movsd
    invoke  ALG002_process, ebx
    pop     ecx
    pop     edi
    sub     ecx,64
    jmp     _skip
_skip2:
    rep movsb

_done:
    assume  ebx:nothing
    popad
    ret
ALG002_input    endp

;===============================================;
; In:   ctx (context)                           ;
; Out:  dst (64bit digest)                      ;
;===============================================;
ALG002_result   proc C  ctx:DWORD, dst:DWORD
    local   msglen:DWORD

    pushad
    mov     ebx,ctx
    assume  ebx:ptr ALG002_CTX
    mov     eax,[ebx].count
    mov     ecx,eax
    shl     ecx,3
    mov     msglen,ecx

    and     eax,3Fh
    mov     ecx,60
    cmp     eax,60
    jl      @f
    add     ecx,64
@@: sub     ecx,eax
    invoke  ALG002_input, ebx, addr padding, ecx
    invoke  ALG002_input, ebx, addr msglen, 4

    mov     edi,dst
    mov     eax,[ebx].state[1*4]
    mov     edx,[ebx].state[2*4]
    mov     [edi+0*4],eax
    mov     [edi+1*4],edx

    assume  ebx:nothing
    popad
    ret
ALG002_result   endp

;===============================================;
; In:   ctx (context)                           ;
; Out:  -nothing-                               ;
;===============================================;
ALG002_process  proc C  ctx:DWORD
    pushad
    mov     ebx,ctx
    assume  ebx:ptr ALG002_CTX

    ; expand message block
    xor     ecx,ecx
_expand_msg:
    mov     eax,[ebx].buffer[ecx*4+ 0*4]
    mov     edx,[ebx].buffer[ecx*4+ 2*4]
    rol     edx,5
    xor     eax,edx
    mov     edx,[ebx].buffer[ecx*4+ 9*4]
    shr     edx,2
    xor     eax,edx
    mov     edx,[ebx].buffer[ecx*4+15*4]
    rol     edx,13
    xor     eax,edx
    mov     [ebx].buffer[ecx*4+16*4],eax
    inc     ecx
    cmp     ecx,32
    jne     _expand_msg

    ; get internal state
    mov     edx,[ebx].state[0*4]
    mov     esi,[ebx].state[1*4]
    mov     edi,[ebx].state[2*4]

    ; do the rounds
    round1  edx,esi,edi, 0,0243F6A88h,11
    round1  edi,edx,esi, 1,085A308D3h, 3
    round1  esi,edi,edx, 2,013198A2Eh, 6
    round1  edx,esi,edi, 3,003707344h,19
    round1  edi,edx,esi, 4,0A4093822h,11
    round1  esi,edi,edx, 5,0299F31D0h, 3
    round1  edx,esi,edi, 6,0082EFA98h, 6
    round1  edi,edx,esi, 7,0EC4E6C89h,19
    round1  esi,edi,edx, 8,0452821E6h,11
    round1  edx,esi,edi, 9,038D01377h, 3
    round1  edi,edx,esi,10,0BE5466CFh, 6
    round1  esi,edi,edx,11,034E90C6Ch,19
    round1  edx,esi,edi,12,0C0AC29B7h,11
    round1  edi,edx,esi,13,0C97C50DDh, 3
    round1  esi,edi,edx,14,03F84D5B5h, 6
    round1  edx,esi,edi,15,0B5470917h,19

    round2  edi,edx,esi,16,09216D5D9h, 4
    round2  esi,edi,edx,17,08979FB1Bh,14
    round2  edx,esi,edi,18,0D1310BA6h,21
    round2  edi,edx,esi,19,098DFB5ACh, 2
    round2  esi,edi,edx,20,02FFD72DBh, 4
    round2  edx,esi,edi,21,0D01ADFB7h,14
    round2  edi,edx,esi,22,0B8E1AFEDh,21
    round2  esi,edi,edx,23,06A267E96h, 2
    round2  edx,esi,edi,24,0BA7C9045h, 4
    round2  edi,edx,esi,25,0F12C7F99h,14
    round2  esi,edi,edx,26,024A19947h,21
    round2  edx,esi,edi,27,0B3916CF7h, 2
    round2  edi,edx,esi,28,00801F2E2h, 4
    round2  esi,edi,edx,29,0858EFC16h,14
    round2  edx,esi,edi,30,0636920D8h,21
    round2  edi,edx,esi,31,071574E69h, 2

    round3  esi,edi,edx,32,0A458FEA3h,17
    round3  edx,esi,edi,33,0F4933D7Eh, 5
    round3  edi,edx,esi,34,00D95748Fh,28
    round3  esi,edi,edx,35,0728EB658h,18
    round3  edx,esi,edi,36,0718BCD58h,17
    round3  edi,edx,esi,37,082154AEEh, 5
    round3  esi,edi,edx,38,07B54A41Dh,28
    round3  edx,esi,edi,39,0C25A59B5h,18
    round3  edi,edx,esi,40,09C30D539h,17
    round3  esi,edi,edx,41,02AF26013h, 5
    round3  edx,esi,edi,42,0C5D1B023h,28
    round3  edi,edx,esi,43,0286085F0h,18
    round3  esi,edi,edx,44,0CA417918h,17
    round3  edx,esi,edi,45,0B8DB38EFh, 5
    round3  edi,edx,esi,46,08E79DCB0h,28
    round3  esi,edi,edx,47,0603A180Eh,18

    add     [ebx].state[0*4],edx
    add     [ebx].state[1*4],esi
    add     [ebx].state[2*4],edi
    assume  ebx:nothing
    popad
    ret
ALG002_process  endp

    end

All the procedures take (at least) one parameter which is a pointer to a ALG002_CTX structure. Use of assume allows us to tell the assembler that a register (ebx in this case) holds a pointer to a structure of a given type. This allows us to address offsets into said structure without having to calculate these by hand and, most importantly, any changes made to the struct are automatically reflected in the assembled code when this is taken care of by the assembler.

It's good practice to add a 'assume <register>:nothing' whenever you're done using that register for the assumed purpose, as that will let the assembler warn you if you keep on using it for this later on. Beware, though, the assembler doesn't try to keep track of any changes to the given register so if I were to, for instance, change ebx half-way through ALG002_input and then continue using ebx as a ALG002_CTX pointer, the code would (most likely) fail horribly, yet the assembler would give any warnings.

ALG002_reset simply set the states to their 'magic' values and zeroes the length. ALG002_input simply fills the internal buffer and calls ALG002_process whenever the buffer is full, while keeping track of how many bytes we've added (the number of bytes will be converted to number of bits at the very end). ALG002_result pads the input and appends the number of bits digested and then returns the digest which is state[1] and state[2].

The actual hashing is being done in the ALG002_process procedure and here's what most of the interesting stuff is going on. As you may have noticed, I'm not doing the 'bit-mashing' in a loop but have unrolled it. Loops take time because of branching (multiple branches because of there being three different rounds) and stuff, but unrolling this has also another big advantage.

Looking closely at the algorithm you may notice that the three internal state registers are rotated each step, i.e. c => a, b => c etc. This requires an extra register (or memory location) to accomplish and we're a bit short on registers (we could use ebp, though - or mmx/xmm registers). The actual rotating takes time as well.

This rotating isn't actually neccesary, though. By using macros instead of 'regular code', we can easily rotate these registers in the parameter lists instead, or 'aliasing' them if you like (this is actually also done internally in the micro-code pipeline in the modern CPUs). It doesn't matter what the register is called as long as the expected value is in it, and that the expected register ends up with the result. Since we're executing these macros a total of 48 times, we've fully rotated the registers 16 times, thus leaving us with the changed states in the original registers (not that it'd be a problem to adjust for it if it were 32 iterations, though).

Since we're using macros and writing one line for each iteration, there's no point in retrieving the values from table1 and table2. Iteration 5 will always use the fifth entry of table1 and the second entry of table 2 so we'll save us the time/cost of looking it up and simply have the respective numbers as constants. Writing the list of 'macro-calls' may take some time but it's usually only done once.

Looking at the three different macros you'll see that the first part is different between them, while the second part is the same. The first part calculates the f as given in the algorithm, while the second part is the calculating of the new b. We've gotten rid of the part where the registers are rotated, and by using different macro parameters we've gotten rid of the two table lookups.

How I do that latter part may (initially) be a little hard to understand, though:
    lea     a,[a+eax+t1-1]
    sub     a,[ebx].buffer[i*4]
is simply a shorter version of
   add     a,eax
   mov     ecx,[ebx].buffer[i*4]
   not     ecx
   add     a,t1
   add     a,ecx
which shouldn't be hard to see that (keep in mind that a is used instead of b as we're not rotating the actual state registers) is basically the same as 'b = b + ((a + f + ~buffer[idx] + table1_val) <<< table2_val)' from the algorithm description. But how can it be shortened like that two-liner above?

Remember how adding the two's complement of a number is the same as subtracting it? Bitwise NOT done twice (or any even number of times) is the same as not doing it at all, so by subtracting the dword from the buffer rather than adding it, we're eliminating the need to put that value into a register just so that we can NOT it and then add it. Of course, that's just the ones' complement, so we also have to subtract one in order to get the (reverse) two's complement.

'Luckily' (or, rather, by design) we're adding a constant value (from table 1), so all we have to do is subtract one from this value - thus this operation is eliminated as well. Now we're left with adding two registers and a constant value. The op-code lea may be used for this - actually adding reg + mul*reg + const, where mul is 1 - giving us lea reg,[reg1+reg2+const].

The complex lea op-code is translated into a series of simpler micro-code instructions where the CPU can execute out-of-order and use more (temporary) registers than we can, thus it's about as fast (depending on additional dependencies in the near code etc) and it's certainly smaller, making it more likely that the entire procedure may fit in the cache (not really of importance here, but when we start cracking hashes it wil be..). (I wonder how many compilers are able to optimize stuff like this to this level? I'm guessing that carefully hand-coded assembly still might have an edge over the professional compilers.. =P)

Well, that's about it. I hope you learned something useful from this - and feel free to ask and/or comment, on this code or assembly in general.

~pH7

Edit:
The code tag seems to have stopped preserving empty lines and that makes the code harder to read - sorry about that.. =/]]> Sat, 06 Mar 2010 14:44:43 +0000 http://www.criticalsecurity.net/index.php/topic/32840-alg002-implemented-in-assembly-x86/