Admin
You Sir, are pure evil genius :)
Admin
Oh, come on. That's one of the more memorable episodes of ST:TNG. You don't need to be especially geeky to remember it.
Now, linking the episode to this context... maybe that does require exceptional levels of geekness.
Admin
While the posted sample IS an abuse (to put it mildly), I have actually made good use of the ability to create VBA code from within VBA.
Admin
Don't ask how I acquired that knowledge. I'm still ashamed.
Admin
When it comes to self modification, sometimes it is a normal happening. There are machines built that do not have such niceties as index registers, or indirect addressing. I offer the following to those interested:
<Instant Stop><Reset><Insert>
160000900000
<Release><Start>
Which cures all in due time.
Admin
True, but this is not the only dangerous object / property set in VBA. Most VBA Macros take advantage of a Macro.copy command or variation thereof, providing a propagation tool to coders who wouldn't otherwise have their own propagation capability within the interpreted environment.
I actually passed on (through my work) an idea to Microsoft back in '96, telling them that the use of that single command should only be accessible by a command line switch, meaning that sys admins could still do their work but the average person could use and enjoy macros in relative safety. The answer came back that they had it covered, and that their solution would come out in Office '97. That's when we got to turn the ENTIRE macro system on and off only, not enjoy the benefits of macros without the risks.
Thanks guys.
CAPTCHA - damnum - I swear Alex has put some code in here which is partially psychic, I've been getting far too many serendipitous Captchas for my liking lately.
Admin
Well done, you've just become part of the problem rather than the solution. People use Macros because they get what they want out of them when IT doesn't deliver. In my experience, places with a heavy reliance on things like VBA, COGNOS, SAS, Notes Databases etc. have it because...
a) Business can't articulate their needs properly
b) IT can't deliver tools which serve business properly
c) The two arms of the business have developed a confrontational relationship
Pick any or all that apply.
If you REALLY want your users to stop using VBA, give them the tools they need. If they don't know what they need, get in Business Analysts who can figure it out for them, THEN give them what they need.
Banning VBA (or refusing to support it which is tantamount to the same thing) just forces the business units underground. Instead of coming to you, they start hiring HPCs in VBA to fix their problems for a lot less than US$1500/day and we all know where the results end up because we all read this column.
Bottom line. When you start banning things, users tend to go around you. Then years later you end up with an executive breathing down your neck who doesn't give a rat's arse about your official position on VBA, his business critical process is broken and you have to fix it for him and by then you've got a REAL problem on your hands because you now have code written by Lord knows who that does some really funky stuff...
And the funny thing is that it IS your fault because you failed to help them when they first came to you.
So, if you've got a VBA 'problem' in your environment, the first thing you need to do is ask yourself why? Sure, some people will write VBA because they think it's cool to act like a developer. But, if you're covering all the business critical processes, those people won't have anything serious to code and therefore can't generate a 'problem'. In other words, fix the problem at the source and make sure the users have the tools they really need in the first place. After all, it's our job.
Admin
Consider the fact that if the strings are in the code, unless they are encrypted for some reason, they are very easy to get out. There's even a UNIX tool for it, oh what's it called again?
But why bother when you can take the opportunity to be a bigot instead? I think the sort of thing an Italian-American would call you a "mook" for, no?
Admin
Settle down.
Admin
It's called compressible encryption. Which is really lame encryption but mostly defeats "strings", or MS Word's "recover text from any file". Of course, if you don't have the VBA source code at all.
BTW, if you actually want to handle compilation errors in a VBA self-modifying code, you would generate code into a second module. When the first module notices that it can't execute the second module at all, it can assume some kind of compilation error and revert the second module's code, with less risk of damaging the 'driving' first module. Maybe you could have VBA modules that make lossy copies and attack dissimilar modules, if you're truly bored.
Admin
[quote user="tool police"]Settle down.[/quote]
Nothing to settle down about, I'm completely calm and I stand by my comment. Sites like this would have less to print if those of us out there that understood IT did our jobs. This has come up several times now, and I've always said the same thing.
Whether we like VBA or ridicule its existence, it's out there and people will use it if we don't give them viable options.
The argument put forward by refusing support of a tool that's openly supplied by the IT infrastructure people is that the users shouldn't have a need to use it. My point is that the validity of that assumption is entirely based on our ability to provide the users with what they need.
Trying to 'ban' VBA in the enterprise by officially expecting branches to pay $1500/day in support for it creates more problems than it solves, I've seen it first hand and I've seen the people the branches hire to save money. Those who don't want messes like that on their hands need to understand more than programming. They need to understand the users they support. That, as I'm forced to keep pointing out, is our job.
Admin
Back (many decades) when I was a student there was a machine called the IBM 360 and one of the subjects required us to program it in Assembler.
The only instruction for moving data around was MVC (Move Characters) .. which included, hard coded within itself, the one byte length of the number of characters to move.
Since runtime speed was a key factor in the marking scheme and the startup cost of an MVC was very high, the standard technique (within the student community) was to do an MVC of zero characters - preceded by an instruction to do a logical AND that overlaid the length. Of course moving more than 255 characters became quite interesting .. luckily we didn't know then not to use GOTO's :-).
Admin
Dynamically modifying the MVC instruction ...
Whoops ... that was a logical OR to set (a logical AND to clear first if re-setting)
Admin
[quote user="acid"]Well done, you've just become part of the problem rather than the solution. People use Macros because they get what they want out of them when IT doesn't deliver. In my experience, places with a heavy reliance on things like VBA, COGNOS, SAS, Notes Databases etc. have it because...
a) Business can't articulate their needs properly
b) IT can't deliver tools which serve business properly
c) The two arms of the business have developed a confrontational relationship [/quote]
You forgot
d) "Management" have decided that there is "zero" budget for needed application development or support and "that guy/girl" who made that flash looking spreadsheet/powerpoint can do it cheaper than IT
e) "Management" want the application "Yesterday" and IT are snowed under with existing "transformation" exercises, but we can go to "that guy/girl" who did that thing above.
f) The FNG just didn't know who to ask and "just did it", "management" liked it, and like flopsy it "just Grewed and Grewed"
I personally love "F" as this happened recently at a business I know of, except the FNG left, changes needed to be made to allow outsourcing the division's work OS, so they contracted the FNG's new company to get him to fix it, that's WTF!!
Admin
[quote user="Sarails"][quote user="acid"]
a) Business can't articulate their needs properly
b) IT can't deliver tools which serve business properly
c) The two arms of the business have developed a confrontational relationship [/quote]
You forgot
d) "Management" have decided that there is "zero" budget for needed application development or support and "that guy/girl" who made that flash looking spreadsheet/powerpoint can do it cheaper than IT
e) "Management" want the application "Yesterday" and IT are snowed under with existing "transformation" exercises, but we can go to "that guy/girl" who did that thing above.
f) The FNG just didn't know who to ask and "just did it", "management" liked it, and like flopsy it "just Grewed and Grewed"
[/quote]
h) "that guy/girl" dislikes or simply doesn't trust IT, so he/she creates his/her own little fancy app; and from time to time he/she modifies it; and one day...
captcha: tation (ff suggest it as already typed in... I'm lucky?)
Admin
That sure is cute. Why does CodeModule.Lines exist anyway? Does code really need to be self-aware?
Admin
Imagine waking up in the morning to discover that you are a coding horror of epic proportions. Time to call the self-destruct routine, eventually leaving only the good code left in the world.
So yes, not only do we need code to be self aware, we need it to be proud, and understand the concept of suicide.
Admin
why is this a wtf? 99% of the js/html soup does the same thing :D
Admin
Not quite. In the internet business, there's usually a script (in ASP, JSP, PHP, JS, etc...) that manipulates the HTML output of said process. The original script remains untouched.
At least, that's my experience. Granted, I haven't been around that long, but I've worked with some ... interesting code in the past 4 years.
Admin
99% of your js/html might do that. Mine doesn't.
Admin
What the hell is this site? This looks a lot like spam to me
Admin
http://en.wikipedia.org/wiki/Strings_%28Unix%29
It's already been mentioned once by name in the thread. Also, according to the article there is also a Windows port of the program.
Admin
Sounds like they failed to teach you the EXecute instruction. That's exactly the situation it was designed for.
Later IBM machines came with the MVCL (move chars long) instruction which could move up to 2**31 characters in one assembler instruction.
Admin
Many thanks. I'd never actually heard of this, I thought the "strings" reference earlier was suggesting we hadn't searched the config files for the app.
As for the script kiddies, yeah, they might do better. This is the first time I've actually had to try and break into my own hardware, normally I have access to the admin passwords.
Admin
How did you acquire that knowledge? (I see no shame in asking!)
Admin
You mean Kelsey Grammer is French?
Admin
Ah, for the good old days. When a programmer actually knew what was going on inside the computer.
http://catb.org/jargon/html/story-of-mel.html
Admin
I also like the recursion. If it fails, just call the same method again. Based on the user input, it will execute differently. I was too dizzy to figure out if it would correctly unwind the stack.
On the kudos side, I like the separation of the UI layer from the backend layer from the error handling
LogIn() vs. BatchLogin(...) vs. PassWordReset()
Points off for inconsistent case though. It should have been Login() or else BatchLogIn(). (Or it could have been editorial misconduct?)
Admin
Right, I'm going to go out on a very thin limb and suggest that this is not actually necessarily daft.
The basic problem with building any sort of VBA application that e.g. runs queries against a database is: where the hell do you store the password? If you put it in a spreadsheet cell then, no matter how you try to conceal it, anyone with a basic knowledge of VBA will be able to grab that password.
This can be bad if the VBA code does things to the database that you don't want normal users being able to do. Users have a regrettable tendency to try to make their own lives easier, and finding out that the admin account on the database has a password of "overlord" could be used in a whole range of innovative labour-saving techniques. Right up until someone types DROP TABLE by mistake.
Same problem if you try to stick the password in an external file. Probably you could do some funky encryption, but that's beyond most VBA coders (definitely beyond me). So really the only sensible thing to do is hardwire the password into the VBA code, and then lock the VBA project so no-one can view it.
This is fine and dandy right up to the point that the password needs changing, at which point it becomes necessary for the code to self-modify. QED.
Incidentally, there are non-evil uses for the CodeModule object's scarier methods. For example, I've used it to apply a bugfix to a couple hundred copies of the same spreadsheet.
Admin
Cancer also grows organically... just like this abomination of code :-/
Admin
Username: John316 Password: M0053F15H
Assuming the above are valid login details* the following password would successfully log you in and display a message box:
M0053F15H"): MsgBox "The MooseFish Has You." '
After modification, line 3 in the code module would read:
Result = BatchLogin("John316", "M0053F15H"): MsgBox "The MooseFish Has You." ' ")
Only tested this in Excel 2003.
*code modification only happens after valid details are entered.
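Added example (not part of the comment above, and not the article's code): a small Python model of how VBA splits a source line into statements, showing why the quoted password turns into a second statement when it is pasted between the quotes, and why doubling each " keeps it inside one literal. The function names are hypothetical; BatchLogin and the sample values are taken from the comment.

```python
# Models three VBA lexical rules: "" inside a string literal is an escaped
# quote, ':' outside a literal separates statements, and "'" outside a
# literal starts a comment that runs to the end of the line.

def split_vba_statements(line):
    """Return the statements on one VBA source line, dropping any comment."""
    statements, current, in_string, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_string:
            current.append(ch)
            if ch == '"':
                if line[i + 1:i + 2] == '"':  # doubled quote stays inside
                    current.append('"')
                    i += 1
                else:
                    in_string = False
        elif ch == '"':
            in_string = True
            current.append(ch)
        elif ch == "'":
            break
        elif ch == ":":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    statements.append("".join(current).strip())
    return [s for s in statements if s]

def naive_line(user, password):
    """Input pasted between the quotes unchanged, as the comment describes."""
    return f'Result = BatchLogin("{user}", "{password}")'

def vba_literal(value):
    """Encode a value as exactly one VBA string literal."""
    if "\r" in value or "\n" in value:
        raise ValueError("a VBA string literal cannot contain a line break")
    return '"' + value.replace('"', '""') + '"'

def escaped_line(user, password):
    return f"Result = BatchLogin({vba_literal(user)}, {vba_literal(password)})"

# Password value quoted from the comment above.
PAYLOAD = 'M0053F15H"): MsgBox "The MooseFish Has You." \''

if __name__ == "__main__":
    print(split_vba_statements(naive_line("John316", PAYLOAD)))    # two statements
    print(split_vba_statements(escaped_line("John316", PAYLOAD)))  # one statement
```

Escaping only closes the statement break-out; the password still sits in the module text in clear.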
Admin
I have used self-modifying code, but only in machine code and in Forth, and not all the time (self-modifying code is rarely useful, but it is sometimes good).
However, I once used self-modifying code in GWBASIC, in a program where you enter an expression and it graphs it; it prepended a line number, wrote the expression to a file and then loaded it with CHAIN.
But machine code and Forth do self-modifying code best.
Admin
@Herby: I've stored values in x86 instructions when I was out of registers. Don't do that in DLLs though. And be aware of multithreaded environments.
I feel like that all the time. Just can't find the epic self-destructor.
Admin
It's crazy and amazing
Admin
You need a password to access a database? Never heard of integrated security?
I also store connection strings in Custom Properties, and use a property editing .dll (dsofile.dll) as part of a nant build script to substitute in the correct environment settings as required.
Admin
Now THIS is truly worthy of a facepalm...
What's worse is that this must surely have been done as a sort of sinister joke. It's unlikely that someone who is capable of writing self-modifying VBA code would be so incompetent as to not know how to make use of simple variables...
Admin
Assuming there is no upper limit on password length...
Admin
"Application" is Excel. These lines save the Excel state, change it, then restore it.
Specifically, screen updating is expected to be off, which makes the code run faster and cleaner, and is turned on once, at a specific place. But if, for some reason, screen updating is already on, this doesn't mess it up.
Admin
As a relevant example, object oriented programming was not invented Ex Nihilo when object oriented programming languages were developed. In BASIC you implemented inheritance by deriving new objects from old objects. You do this by creating new objects which inherit the code of the old objects. To do this, you need to be able to write and load code.
And why was a dangerous practice like object oriented programming allowed? Real applications. Real programs.
Admin
VBA for trading algorithms? No wonder we had a banking crisis. Do those banks have a Quality Assurance?
Admin
Ah yes... The VBA Extensibility library, in all its almost-reflective glory. For my sins, I have been guilty of referencing it.
But not for anything like this. Damn, I wish someone would make better goggles.