
Message    eris       1/9/00   10:02 AM but like I said, I have some more ideas
                                        I havent tried yet too

Message    eris       1/9/00   10:03 AM big problem is, its impossible to test
                                        that stuff any way other than watching
                                        the bot for hours and hours

Message    eris       1/9/00   10:03 AM ya give it some thought, and I'll try my
                                        ideas too and see where we go from there

Message    eris       1/9/00   10:08 AM Not really for this problem it doesn't
                                        help hehe.. But it does let me make the
                                        bot cooler

Message    eris       1/9/00   10:12 AM BTW if you want to help a ton, find more
                                        ship info and get me the offsets hehe
                                        ... I don't have time to do this and
                                        hunt for that stuff

Message    eris       1/9/00   10:14 AM Any ship info, I'd like as complete a
                                        set as possible. But most important to
                                        me at the moment are:
                                        MOST IMPORTANT: Bounty, ShipType
                                        IMPORTANT: All the spec info, repel
                                        counts, etc..

Message    eris       1/9/00   10:21 AM hehe figures.. sigh... well ship type
                                        would be really useful too

Message    eris       1/9/00   10:23 AM Hmm.. good call, you know what else you
                                        could try, is find the text %s(%d), then
                                        hunt for the pointer to that, that would
                                        be it being put on the stack for an
                                        sprintf and the bounty should be right
                                        around there, should get a few instances
                                        of this, and one would give you specd
                                        bounty I think..

Message    eris       1/9/00   10:25 AM now its got me thinking.. Find every
                                        instance of that pointer, store all 4
                                        bytes within like say.. 20 bytes or so,
                                        and write code to continually test all
                                        those locations for a certain bounty
                                        (keep changing what you hunt for based
                                        on who you specin).. 
                                        
                                        Eventually it would narrow down to the
                                        real value

Message    eris       1/9/00   10:28 AM Get it spaced right instead - instead
                                        of: %s(%d) use %s%4d
                                        
                                        yes there is a checksum, HOWEVER, If you
                                        change that code with WriteProcessMemory
                                        instead of right in the exe you'd be set

Message    eris       1/9/00   10:29 AM hehe how do you think the cheats get
                                        around checksums :P hehe 

Message    eris       1/11/00  12:22 PM yep... found some more info too

Message    eris       1/11/00  12:22 PM bounty is nuts .. repel counts, etc are
                                        the same

Message    eris       1/11/00  12:23 PM It must call for bounty, etc on the fly
                                        and its just stored on the stack and
                                        erased as fast as it appears

Message    eris       1/11/00  12:23 PM No i did not
                                        I found: squad points wins losses and
                                        (?) last message sent by that player

Message    eris       1/11/00  12:24 PM yes

Message    eris       1/11/00  12:42 PM ?

Message    eris       1/11/00  12:42 PM lol

Message    eris       1/11/00  6:16 PM  squad 0x1d6
                                        points 0x42
                                        wins 0x3a
                                        losses 0x3e

Message    eris       1/12/00  7:49 PM  i'm at this machine for awhile ifn you
                                        need me

Message    eris       1/12/00  7:59 PM  well I havent worked on it too much
                                        since the last email, but after mulling
                                        it over I think I'm going to put a JMP
                                        in the function before encryption, jmp
                                        to one of those areas of NOPs, call
                                        compress (flagging that its a "fake"
                                        call somehow, probably NULL src string)
                                        and then jumping back into the function
                                        at the same point, I think I can pull it
                                        off

Message    eris       1/12/00  8:00 PM  I'm looking at the intel instruction
                                        specs now to snag the machine language I
                                        need to splice in (hehe machine language
                                        eww :P)

Message    eris       1/12/00  8:02 PM  unless you have a better idea... I can't
                                        hook a DLL because the encryption is in
                                        the EXE not in a dll..

Message    eris       1/12/00  10:09 PM yes and? zlib.dll isn't doing the
                                        encryption

Message    eris       1/12/00  10:17 PM Ok pray for my soul.. I'm ready to put
                                        the machine code into ss.exe lol

Message    eris       1/12/00  10:26 PM here goes... running now LOL 

Message    eris       1/12/00  10:27 PM CRASH

Message    eris       1/12/00  10:32 PM hehe I was expecting it.. I was REALLY
                                        afraid that the compress function was
                                        going to modify some register or
                                        something i didn't notice.. I saved the
                                        ones that I know needed it, and hand
                                        checked the others, but I probably
                                        missed one.. 

Message    eris       1/12/00  10:32 PM or I could have fucked up any one of those
                                        machine instructions... sigh.. not sure
                                        really

Message    eris       1/12/00  10:33 PM I still think it will work, I just need
                                        to figure out what I screwed up. It
                                        didn't crash until it hit the place I
                                        modified, which is actually encouraging.
                                        That means I hijacked the right spot at
                                        least :P

Message    eris       1/12/00  10:34 PM I want to process the packets rather
                                        than ram. Too much info is not present
                                        in ram

Message    eris       1/12/00  10:35 PM I'm checking the code in msvc now to see
                                        if all the instructions are right.. if
                                        they are then its gotta be a register
                                        thing

Message    eris       1/12/00  10:37 PM hehe found the problem! Something got
                                        typed in wrong looks like! woohoo
                                        there's still hope

Message    eris       1/12/00  10:38 PM lol

Message    eris       1/12/00  10:40 PM i might soon, I'm not fantastic with
                                        that kind of stuff, I can pull it off,
                                        just not elegantly :)

Message    eris       1/12/00  10:40 PM That's what I'm trying to do now

Message    eris       1/12/00  10:42 PM ROFLMAO the problem was I trusted an
                                        opcode from DASM... I just went
                                        searching for more than one for pop eax
                                        - It displays 2 different codes lol. The
                                        first one I used is WRONG. Gonna try the
                                        other, pray again. :)

Message    eris       1/12/00  10:43 PM runnin again..

Message    eris       1/12/00  10:43 PM barfed again...

Message    eris       1/12/00  10:45 PM ya and now all my instructions are
                                        correct

Message    eris       1/12/00  10:48 PM No the instructions are getting in ok..
                                        I think one of 2 things is happening,
                                        either its a register fuckup from the
                                        call (I havent done this in sooooo long
                                        i cant remember what registers are
                                        volatile, actually last time i did this
                                        there WEREN'T 32 bit registers) ..
                                        
                                        or, worse, The DLL is not loaded at that
                                        point for some reason. I THINK they're
                                        being loaded statically though on
                                        startup..

Message    eris       1/12/00  10:50 PM agreed.. they seem to be static calls,
                                        always to the same location.. I'm
                                        running it in the debugger now to trace
                                        my call and find out where it crashes

Message    eris       1/12/00  10:52 PM it crashes right on the call

Message    eris       1/12/00  10:56 PM Well I'm REALLY cramped on instruction
                                        space.. All I have is the little bits of
                                        NOP padding between functions (max
                                        size=15 bytes). Then I just jump from
                                        section to section, which takes up 5 of
                                        the bytes for the jump. So basically its
                                        a royal pain, so I only saved EAX which
                                        I knew I'd need. I manually checked the
                                        others, and they are NOT needed further
                                        in the asm unless I missed one. But, I
                                        don't think thats the problem its
                                        crashing on the call

Message    eris       1/12/00  10:56 PM I think it may be a calling convention
                                        problem, I'm looking into that now

Message    eris       1/12/00  11:01 PM I GOT IT.. Well I got it past the call,
                                        I'll need to run it out the debugger to
                                        see if things are working after (that's
                                        where register probs would show) 
                                        It was calling convention! For some
                                        fucked up reason The zlib stuff is using
                                        pascal calling convention it looks like
                                        (left to right passing instead of right
                                        to left).. Which is weird since its all
                                        in c, and you have to go WAY out of your
                                        way to use pascal calling convention

Message    eris       1/12/00  11:02 PM looks like I might have to save 2 other
                                        registers that i'm not, but I'll have to
                                        play to see..

Message    eris       1/12/00  11:03 PM but this is encouraging.. If this does
                                        work, I may have just solved the
                                        compression half of looking for packets
                                        (client to server).. Of course I havent
                                        looked to see if I found the right
                                        string yet hehe.. But I think I did

Message    eris       1/12/00  11:04 PM I'm about to try it.. It worked past the
                                        DLL call, and wrote my file the way it
                                        was supposed to (I wrote a file to flag
                                        that everything was working in the
                                        DLL).. I havent looked at the data or
                                        anything yet, and I havent run it far
                                        past the call, about to try it out of
                                        the debugger..

Message    eris       1/12/00  11:05 PM lol
                                        i have SERIOUS respect for priitk right
                                        now, this stuff is pretty nasty..
                                        Anytime you have to 1) hijack a DLL 2)
                                        Insert your own code right into the
                                        middle of a function to call that DLL
                                        then you're crazy or desperate.. :P

Message    eris       1/12/00  11:06 PM CRASH :) 
                                        Gotta be those registers

Message    eris       1/12/00  11:07 PM I don't know how he implemented it, but
                                        he deciphered all the packet info. I
                                        know for a fact though his first bot was
                                        a modified SS.EXE, and his second ones
                                        (the ones that run now) run on unix
                                        boxes without ss.exe -> So I'm probably
                                        not going about it the exact same way he
                                        did, but it doesn't matter.. Each way is
                                        equally nasty hehe

Message    eris       1/12/00  11:08 PM So you think I can smack the checksum on
                                        SS hehe... I probably won't even try,
                                        good that it takes sysop access to run
                                        this stuff

Message    eris       1/12/00  11:08 PM Heheh agreed :) Although supposedly if
                                        you *setship a roboref, it *super's
                                        itself and spins in a circle constantly
                                        firing bombs

Message    eris       1/12/00  11:11 PM hehe we could just hardcode the alpha
                                        map into its brain :)

Message    eris       1/12/00  11:12 PM definitely 2 more registers I need to
                                        push and pop EDX and most important the
                                        stack pointer.. Its leaving 16 bytes on
                                        the stack. I bet this calling convention
                                        is the "caller cleans up" I need to look
                                        it up... Thats the problem for sure

Message    eris       1/12/00  11:13 PM lol hehe Ohhh man I'm gonna have to
                                        repeat all this if they update SS.EXE
                                        DOH.. I better just use it to crack the
                                        encryption! :)

Message    eris       1/12/00  11:14 PM hehe well stdcall calling convention is
                                        callee cleans up, I believe.. I need to
                                        check looking it up now

Message    eris       1/12/00  11:15 PM heh

Message    eris       1/12/00  11:16 PM LOL

Message    eris       1/12/00  11:17 PM You realize I'm probably about a day
                                        away from being able to write a packet
                                        doubler... And 2-3 days for a pfilter...
                                        IF those things are possible (I'm
                                        *REALLY* interested to find out)

Message    eris       1/12/00  11:25 PM AHA there are pop and push all
                                        instructions! I didnt know that! Gotta
                                        see what "all general purpose" means..

Message    eris       1/12/00  11:26 PM hehe well why didn't you say anything?
                                        :P Can you tell its been a
                                        LOOOOONNNNNNGGGGG time since i've done
                                        anything this low level?

Message    eris       1/12/00  11:29 PM hehe my preferred level is borderline..
                                        This is too low for my tastes except
                                        every once in awhile (takes something
                                        really cool like this to work at it)

Message    eris       1/12/00  11:29 PM Ok Added push/pop all checking the
                                        instructions are right then gonna run
                                        (crossing fingers)

Message    eris       1/12/00  11:30 PM lol

Message    eris       1/12/00  11:31 PM I've been faking all this to get a job..
                                        I admit it I hired a secretary to type
                                        for whinebot..

Message    eris       1/12/00  11:31 PM ok runnin...

Message    eris       1/12/00  11:32 PM CRASH :)

Message    eris       1/12/00  11:32 PM back to the debugger hehe

Message    eris       1/12/00  11:33 PM NM I know why will try again in 30 secs
                                        just did something stupid

Message    eris       1/12/00  11:35 PM IF YOU WANT WE CAN CONTINUE THIS
                                        DISCUSSION IN SUBSPACE
                                        :):):):):):):):):)

Message    eris       1/12/00  11:55 PM It looks like its sending the same text
                                        over and over, but that could be some
                                        kind of ack or something too

Message    eris       1/12/00  11:56 PM No

Message    eris       1/12/00  11:56 PM I think its probably i'm passing the
                                        wrong index or something i'll look at it
                                        tomorrow

Message    eris       1/12/00  11:57 PM actually, I'm gonna look at one more
                                        thing first

Message    eris       1/12/00  11:57 PM cool

Message    eris       1/12/00  11:58 PM Ok have a safe trip, hopefully have some
                                        news for you next time we talk. :)

Message    eris       1/13/00  12:01 AM DUHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
                                        I KNOW

Message    eris       1/13/00  12:02 AM I know the problem.. I push all sorts of
                                        stuff, then use the same code they used:
                                        
                                        lea ecx,[esp+24]  but obviously I'm
                                        changing the stack pointer so that's
                                        pointing who knows where :)

Message    eris       1/13/00  12:19 AM I'm the proud owner of all outgoing
                                        packets prior to encryption :)

Message    eris       1/13/00  4:28 PM  SUBSPACE.EXE = OWNED GG SON
                                        SUBSPACE.EXE = EZ EZ EZ EZ $$$$$$$$

Message    eris       1/13/00  6:29 PM  I have a version that writes
                                        outgoing+incoming packets to disk,
                                        unencrypted.. 
                                        2 outgoing packet types are not written
                                        out, since they arent being encrypted
                                        I should dump them anyway.. I'm not 100%
                                        sure I got them all, but sure looks like
                                        I got the vast majority, need to compare
                                        counts with a sniffer to make sure

Message    eris       2/20/00  10:32 AM you around udp?

Message    eris       2/20/00  11:08 AM hehe ok fine :) don't chat!

Chat       eris       1/11/00  12:24 PM 

Chat       eris       1/11/00  12:42 PM 

