Security – Pass hash attack for Yahoo Messenger

Authentication is an important process of a internet service for authenticating users. For example, when you register an account for Yahoo mail, you will be asked for an ID and password so that only you can access to your email account. That means Yahoo will save your ID and your password in their servers so that they can compare with your input later. Your ID can be saved in clear text but the password will not be never saved under clear text. Yahoo uses its own algorithmus to make a hash of your password. For example your password is “123456789”, then Yahoo may save it as format “25f9e794323b453885f5181f1b624d0b”. In this way only you know the password and if the server is attacked, your password will be still safe. Furthermore password hash protects you from losing password through snipping on network connection.

Continue reading Security – Pass hash attack for Yahoo Messenger

C# – Send data to other application

When I surfed on forum Updatesoft for reading some news about Tet holidays in Vietnam I found an interesting disscussion about Yahoo Messenger. In this thread one asked about how to brute force password of Yahoo Messenger because he knows how long it is but can not remember which one is correct. After trying entering some possible passwords, his account was banned. It is completely clear that man can not recover password from Yahoo Messenger. What makes me interested is Yahoo simply blocks account after some false passwords. Let’s consider this case when I would like to send someone in trouble, I just take his ID and enter some false passwords and he will be banned from Yahoo Messenger in 24h. He can not contact with his friends anymore.

Based on this idea, I would like to code a small tool to test my idea. That means this tool should automatically enter the ID, random password into Yahoo Messenger , click button OK to login, close error window of false password, click button OK to login again,…. repeat these steps until Yahoo ID is locked. However this tool can be “dangerous” one if I publish it to internet. Therefore in this small blog, instead of sending data to Yahoo Messenger, I will send to MySQL Login Dialog.

MySQL Login Dialog

In the login dialog of MySQL above you can see there are 4 fields we need to fill out so that we can connect to MySQL Server. These fields are child components of a groupbox. This groupbox is again a child of dialog. To fill out these fields we must find out the handle of each control and set text for them. To locate the controls we can use 2 Windows API functions FindWindow and FindWindowEx.

[DllImport("user32.dll")]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, IntPtr windowTitle);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, string windowTitle);

These WinAPIs will find control with given class name and give its handle back. The class name of each control can be got through Spy++, a free Visual Studio tool.

Spy++

After getting the class name of each control, let’s start to get handle of all of controls on login dialog

IntPtr hwndMainWindow = WinAPI.FindWindow("TConnectToInstanceForm.UnicodeClass", "MySQL Administrator 1.2.17 ");
IntPtr hwndGroupBox = WinAPI.FindWindowEx(hwndMainWindow, IntPtr.Zero, "TTntGroupBox.UnicodeClass", "Mit MySQL-Serverinstanz verbinden");
IntPtr hwndUserName = WinAPI.FindWindowEx(hwndGroupBox, IntPtr.Zero, "TTntComboBox.UnicodeClass", IntPtr.Zero);
IntPtr hwndConnection = WinAPI.FindWindowEx(hwndGroupBox, hwndUserName, "TTntComboBox.UnicodeClass", IntPtr.Zero);
IntPtr hwndServerHost = WinAPI.FindWindowEx(hwndGroupBox, hwndConnection, "TTntComboBox.UnicodeClass", IntPtr.Zero);
IntPtr hwndPort = WinAPI.FindWindowEx(hwndGroupBox, IntPtr.Zero, "TTntEdit.UnicodeClass", IntPtr.Zero);
IntPtr hwndPassword = WinAPI.FindWindowEx(hwndGroupBox, hwndPort, "TTntEdit.UnicodeClass", IntPtr.Zero);
IntPtr hwndPanel = WinAPI.FindWindowEx(hwndMainWindow, IntPtr.Zero, "TTntPanel.UnicodeClass", IntPtr.Zero);
IntPtr hwndOKButton = WinAPI.FindWindowEx(hwndPanel, IntPtr.Zero, "TTntButton.UnicodeClass", "&OK");

In the code block above, you can see that the reading sequences is not same as the orders of controls in form, for example I read the handle of textbox user name before the handle of combo box “Gesp. Verbindung” although the combo box lies above the text box in form. Why? Because with the function FindWindowEx I can get the handle of next child control of given control, but the next child control is not determined through position on form but through initilization of controls in source code . So I can not say which control has current handle given back from function FindWindowEx. To solve this problem, I must combine the result of FindWindowEx and Spy++ to find out which control has the handle .

After getting the handle I can write the neccessary info into this dialog with SendMessage API and click button OK to make a connection.

[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);

[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, int wParam, StringBuilder lParam);

...

Console.WriteLine("WRITING INFO TO MAIN WINDOW");
Console.WriteLine("----------------------------------");
//Set server host
Console.WriteLine("Writing server host...");
WinAPI.SendMessage(hwndServerHost, WM_SETTEXT, 0, new StringBuilder("192.168.200.185"));
//Set port
Console.WriteLine("Writing port...");
WinAPI.SendMessage(hwndPort, WM_SETTEXT, 0, new StringBuilder("4136"));
//Set username
Console.WriteLine("Writing username...");
WinAPI.SendMessage(hwndUserName, WM_SETTEXT, 0, new StringBuilder("nurlesen"));
//Set password
Console.WriteLine("Writing wrong password...");
WinAPI.SendMessage(hwndPassword, WM_SETTEXT, 0, new StringBuilder("123456"));
//Click OK
Console.WriteLine("Click OK to connect...");
WinAPI.SendMessage(hwndOKButton, BM_CLICK, IntPtr.Zero, IntPtr.Zero);
Console.WriteLine("----------------------------------");
Console.WriteLine("\n");

The code above is just for outlining my idea that one can make an auto-tool for bruforcing YM passwords by entering ID and password automatically. In addition, we can learn how to send data to other applications through Windows API like FindWindow, FindWindowEx and SendMessage. The complete source code of this example you can download here “Send data to other application

Game Auto – How to get Max HP of character

Today I would like to write a small article about finding information of game character in game online. This article may help you in writing an auto game which controls a character for you and let you free from the keyboard. I am playing now an online game named Thiên Long Bát Bộ and sometimes I need a tool to attack mobs automatically so that I can do something else, for example watching TV, reading newspaper,… In this game, a character is built with equipments to be stronger through HP, strength… and has some important properties like max HP, current HP. The picture below shows information of my character (believe me, my character is very weak ^^. Do not laugh me.).

Continue reading Game Auto – How to get Max HP of character

Adobe Flash and Proxy

Today I read a thread on forum http://hvaonline.net asking about if Adobe Flash does not use the proxy settings in web browser. That suprises me really because I can visit youtube site from my computer at company although a proxy policy is being applied too. So Adoble Flash reads proxy settings at least in my case. So why does that man say that it does not work?

Let’s examine his case: The poster would like to chat on this site http://thienduongvn.com/ and sometimes he is banned for overacting on chat room. He also uses the web proxy to fake his IP and tries to log in again but it does not work. He can only access the service again when reseting his modem to get new IP from ISP. So we can conclude that he was banned by IP address and does Adoble Flash really not read his proxy settings? The answer is YES. The Adobe Flash does read his settings however it is not simple to bypass this flash application through a web proxy.

A web proxy focuses on World Wide Web trafic. The most common use of it is to serve as a web cache. It’s often used in a corporate, educational, or library enviroment, and anywhere else where content filtering is desired. Some web proxies reformat web pages for a specific purporse or audience, such as for cell phones and PDAs. That means for a web proxy only data of web protocol (port 80 or 8080) should go through the proxy and the other protocol do not.

Moreover the chat application basing on Adoble Flash may be programmed with custom networking protocol using another port (not only 80,8080). The data through these unknown ports will not be hidden under the proxy he used and therefore these packets contain his real IP address which was no longer banned before. And as a result of this he can not get through.

One of simple solution for him is using a software like Freegate or Ultrasurf to hide his computer completely under a proxy and he can bypass this IP ban.