Omnimaga

Topic started by: ACagliano on August 05, 2010, 06:58:45 am

Title: OFFBY1
Post by: ACagliano on August 05, 2010, 06:58:45 am
I'm sure all of you are familiar with the OFFBY1 virus, the prank program that makes the answer to any math problem you enter be one off. I am wondering if there is a way, in assembly, to install a hook that intercepts any math problem, and offsets the answer by 1.
Title: Re: OFFBY1
Post by: _player1537 on August 05, 2010, 08:11:49 am
Yes, I have some code lying around that did this, if you'd like to see it.  My code most certainly will not be the generally accepted method for this... but meh.

Edit: Huzzah!  I found it :D  Like I said, my code is kinda weird... in that it creates a ram hook as opposed to creating an app, and using that for the hook.  Anyways, here it is.  (Feel free to steal my ram hook code :D)
Code:
#include "ti83plus.inc"
appBackUpScreen     equ 9872h
appbackupscreen     equ 9872h
seed1           equ 9640h
OP1         equ 8478h
OP3         equ 848Eh


.org $9D95
;.db $BB,$6D   ;this will be uncommented (the .db part, not this text) if you are not using asm8x

    LD HL, myhook
    LD DE,appBackUpScreen
    LD BC, myhookend-myhook
    ldir
    LD HL, appbackupscreen
    in A, (6)
    bcall 4FABh    ;Homescreen hook enable
    bcall _Random
    LD HL, seed1+2
    LD DE, LFSRSeed
    LD BC, 8
    ldir
   
    ret
   
myhook:
    .db 83h             ; Required for all hooks
    OR A
    JR NZ, End
    LD HL, OP1
    LD DE, OP3
    LD BC, 11
    ldir
    call RandLFSR-myhook+appbackupscreen
    CP 171
    JR C, GreaterThan
LessThan:

    call OP3toOP1r-myhook+appbackupscreen

    bcall _Plus1
    bcall _StoAns
    CP A
    ret
Middle:

    call OP3toOP1r-myhook+appbackupscreen
   
    CP A
    ret
GreaterThan:
    CP 86
    JR C, Middle
   
    call OP3toOP1r-myhook+appbackupscreen
   

    bcall _Minus1
    bcall _StoAns
    CP A
    ret
End:
    cp A
    ret
   
   
OP3toOP1r:
    LD HL, OP3
    LD DE, OP1
    LD BC, 11
    ldir
    ret
   
;------LFSR------
;James Montelongo
;optimized by Spencer Putt
;out:
; a = 8 bit random number
RandLFSR:
        ld hl,LFSRSeed+4
        ld e,(hl)
        inc hl
        ld d,(hl)
        inc hl
        ld c,(hl)
        inc hl
        ld a,(hl)
        ld b,a
        rl e \ rl d
        rl c \ rla
        rl e \ rl d
        rl c \ rla
        rl e \ rl d
        rl c \ rla
        ld h,a
        rl e \ rl d
        rl c \ rla
        xor b
        rl e \ rl d
        xor h
        xor c
        xor d
        ld hl,LFSRSeed+6
        ld de,LFSRSeed+7
        ld bc,7
        lddr
        ld (de),a
        ret
LFSRSeed:
    .DB 0,0,0,0,0,0,0,0   
myhookend:
Title: Re: OFFBY1
Post by: thepenguin77 on August 05, 2010, 09:55:19 am
I had one laying around too, optimized it a little though.

Code:
hook:
add a, e
or a
jr nz, quitZ

bcall(_Op2Set1) ;op 2 = 1

ld a, r
and %00000001
rrca
ld (op1), a ;neg or positive
bcall(_FPAdd)
quitZ:
cp a
ret
hookEnd:

And to make it epic, store it at smallEditRam, it's a 108 byte area that no one ever uses. That way, it won't get destroyed.
Title: Re: OFFBY1
Post by: ACagliano on August 05, 2010, 12:06:49 pm
Do you think that you could set it to store there and upload the .8xp for it? Or the hex. I use mac and I don't have any working assemblers.
Title: Re: OFFBY1
Post by: thepenguin77 on August 05, 2010, 01:50:50 pm
I had to change ld (op1), a to ld (op2), a. I accidentally made the whole answer negative.
Title: Re: OFFBY1
Post by: ztrumpet on August 05, 2010, 01:53:37 pm
That works wonderfully.  However, is there any way to turn it off? ;D
Title: Re: OFFBY1
Post by: nemo on August 05, 2010, 01:56:23 pm
RAM clear, I assume
Title: Re: OFFBY1
Post by: calc84maniac on August 05, 2010, 02:03:47 pm
You could also use calcsys (or axe) to set the byte at smallEditRam to 0.
Title: Re: OFFBY1
Post by: thepenguin77 on August 05, 2010, 02:09:36 pm
My personal favorite is to bring up the press to test menu and cancel. Just bringing it up kills all hooks.
Title: Re: OFFBY1
Post by: ztrumpet on August 05, 2010, 02:19:20 pm
That's crazy.  Why does it do that if you just bring up the menu? ;D
Title: Re: OFFBY1
Post by: thepenguin77 on August 05, 2010, 03:22:03 pm
I have no idea. But it's really helpful when people bring me their calcs at school that have "Viruses." Basically some font hook gone crazy, sometimes on purpose.

PTT does have one fatal flaw though, it kills all hooks, but not OFFSCRPT. Which means make an OFFSCRPT that disables it, all you have to do is off/on and you're good to go.
Title: Re: OFFBY1
Post by: ztrumpet on August 05, 2010, 03:39:31 pm
Ah, ok.  Sorry to be so offtopic, but how do you get to the PTT menu again?  Thanks. ;D
Title: Re: OFFBY1
Post by: thepenguin77 on August 05, 2010, 03:54:04 pm
Left Right On.

Or 2 5 On, and 2 8 On
Title: Re: OFFBY1
Post by: ACagliano on August 05, 2010, 05:59:53 pm
Thanks for that. Can't wait to test.
Title: Re: OFFBY1
Post by: ACagliano on August 08, 2010, 03:23:20 pm
Hey. I have an idea that may make it more inconspicuous. How about have it sometimes output the right answer, sometimes the off-by-1 one, randomly.
Title: Re: OFFBY1
Post by: Builderboy on August 08, 2010, 03:32:01 pm
Maybe it could be advanced badness, like if the answer is within -50 to 50, don't do anything because user would notice.  If the answer has a decimal part larger than 5 digits, change the 100s place.  If the number is larger than 10000, and not a power of 10, mess with the 1's place.  Or multiply the answer by 2 or something :P
Title: Re: OFFBY1
Post by: thepenguin77 on August 08, 2010, 05:32:41 pm
I have thought about doing that for a long time. The reason I never did it is because 1. I'm too lazy, and 2. that could actually really cause problems. I look at the off by one as a joke, but that would be so unnoticeable that people wouldn't turn it off and would end up losing points on tests.

Like for instance when I put my friend's float on 0 (I know it's not called float but calling it float causes the least problems). He took a test and thought that all the problems conveniently came out even. I tried to tell him while he was taking it but he didn't understand. Luckily I told him afterwards that someone else did it and the teacher didn't take off. But the off by one would just make someone look incompetent.
Title: Re: OFFBY1
Post by: _player1537 on August 09, 2010, 01:06:25 am
My friend at school constantly ends up doing something similar to the float 0 thing.  He's gotten quite a few (~25%) points taken off because of the float 0 thing.  I think his solution was something crazy like a program that changes all the settings to the default.  Idk.  I've never run into that problem personally.

also, @the hook thing.  I've thought of roughly the same idea before.  If I knew more about floating points, I'd do something like that.  But I agree that it would be quite evil :P