Valhalla Legends Archive

Programming => Battle.net Bot Development => Topic started by: Luxer on August 17, 2004, 11:20 AM

Title: <<0E>>?
Post by: Luxer on August 17, 2004, 11:20 AM
I was using Interarchy 4 to watch KaneBot connect to BNLS, and it looked fairly simple.. However, what is all of this <<0E>> and <<DC>>? I think <<00>> is ASCII 00, AKA null, but I am just not sure.. In case you need it, here is the log I was looking at:
Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send option management request (T_OPTMGMT_REQ = 108).

Receive option management ack (T_OPTMGMT_ACK = 131).

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send bind request (T_BIND_REQ = 101).
 Bind to «Any Address»
 Connection Indication Number = 0

Receive bind ack (T_BIND_ACK = 122).
 Bind to port 49656
 Connection Indication Number = 0

Send connection request (T_CONN_REQ = 102).
 Connect to 63.161.183.202:9367

Receive ok ack (T_OK_ACK = 130).

Receive connection confirmation (T_CONN_CON = 123).
 Connect from 63.161.183.202:9367

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 1452
 Service Type = 2
 Current State = 10 (Data Transfer)
 Provider Flags = 0x40000002

Send data (14 bytes).
<00000000< «0E»«00»«0E»KaneBotMBB«00»

Receive data (7 bytes).
>00000000> «07»«00»«0E»«DC»«84»6n

Send data (7 bytes).
<0000000E< «07»«00»«0F»\&«86»«D7»

Receive data (7 bytes).
>00000007> «07»«00»«0F»«00»«00»«00»«00»

Send data (7 bytes).
<00000015< «07»«00»«10»«01»«00»«00»«00»

Receive data (11 bytes).
>0000000E> «0B»«00»«10»«01»«00»«00»«00»«C9»«00»«00»«00»

Send data (73 bytes).
<0000001C< I«00» «01»«00»«00»«00»«01»«00»«00»«00»A=161868574 B=807267571
<0000003F< C=922264113 4 A=A^S B=B-C C=C+A A=A-B«00»

Send data (34 bytes).
<00000065< "«00»«0C»«00»«00»«00»«00»«01»«03»«00»«00»«00»«B0»«1E»«9E»«F7»«0C»
<00000076< «F5»zF********«00»

Receive data (55 bytes).
>00000019> 7«00» «01»«00»«00»«00»«03»«01»«01»«01»Y«C3»«F7»^Starcraft.exe
>00000036> 05/26/04 00:46:00 1048576«00»

Receive data (53 bytes).
>00000050> 5«00»«0C»«00»«00»«00»«00»«01»«01»«01»«00»«00»«00»«0C»«F5»zF
>00000062> «00»«00»«00»«01»«00»«00»«00»zl0«00»«00»«00»«00»«00»r«F6»«0C»]7«02»
>00000077> «08»«96»«8F»«CB»H90«B7»«C3»«E3»«86»«F7»«14»W

Send data (26 bytes).
<00000087< «1A»«00»«0B»«07»«00»«00»«00»«02»«00»«00»«00»******«0C»«F5»zF«B0»
<0000009E< «1E»«9E»«F7»

Receive data (23 bytes).
>00000085> «17»«00»«0B»«BE»6«D8»«0B»«02»f«D1» «F3»«9A»«9D»JqQ«0C»«E9»«E3»«AC»
>0000009A> «DF»n

Send orderly release request (T_ORDREL_REQ = 109).

If this is not BNLS, kill me.

[Edit: added code tags around the packet dump in the vain hope of making it somewhat readable.]
Title: Re:<<0E>>?
Post by: Kp on August 17, 2004, 11:31 AM
Quote from: Luxer on August 17, 2004, 11:20 AM
If this is not BNLS, kill me.

Can we instead kill you for using a horribly sucky packet logger?  It's much much nicer to show it in the usual unified hexdump / ascii dump of 16 bytes per line, once in hex representation with no garbage characters between them (i.e. no < or >), then again as ASCII characters (using '.' for unprintable characters).
Title: Re:<<0E>>?
Post by: tA-Kane on August 18, 2004, 11:12 AM
The "dots" are characters whose character code is either less than 32 or greater than 126 (if I remember correctly).

Sometimes they're actually periods, though.

Luxer, turn off 'Show Status Packets' in your Network Monitor window. They're useless for what you're trying to do, and you wouldn't understand them anyway.

And yes, that is a packetlog of my BNLS connection.
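Added example (not code from the thread or from any poster): this Python turns the Interarchy «XX» notation used in the log above back into raw bytes and prints them in the unified 16-bytes-per-line hex/ASCII dump Kp asks for, with '.' standing in for bytes outside 32..126 as tA-Kane describes. Splitting the first three bytes into a 16-bit little-endian length and a message id is an assumption about BNLS framing that the thread itself does not state.

```python
import re

# Constructed sample: the first two data frames from the Interarchy log above,
# where Interarchy shows non-printable bytes as «XX» and printable ones literally.
SENT_AUTHORIZE = "«0E»«00»«0E»KaneBotMBB«00»"
RECV_REPLY = "«07»«00»«0E»«DC»«84»6n"

TOKEN = re.compile(r"«([0-9A-Fa-f]{2})»|(.)", re.S)


def parse_interarchy(text: str) -> bytes:
    """Turn Interarchy's mixed «XX»/literal notation back into raw bytes."""
    out = bytearray()
    for hexbyte, ch in TOKEN.findall(text):
        out.append(int(hexbyte, 16) if hexbyte else ord(ch))
    return bytes(out)


def hexdump(data: bytes, width: int = 16) -> str:
    """Unified dump: offset, hex column, then ASCII with '.' for every byte
    outside 32..126 (the "dots" tA-Kane describes)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart}  {text}")
    return "\n".join(lines)


def split_bnls_frame(data: bytes):
    """Assumed BNLS framing (not stated in the thread): 2-byte little-endian
    total frame length, 1-byte message id, then the payload."""
    length = int.from_bytes(data[:2], "little")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes captured")
    return length, data[2], data[3:]


if __name__ == "__main__":
    for line in (SENT_AUTHORIZE, RECV_REPLY):
        frame = parse_interarchy(line)
        length, msg_id, payload = split_bnls_frame(frame)
        print(f"length={length} id=0x{msg_id:02X} payload={payload!r}")
        print(hexdump(frame))
```

The dump of the reply shows why «DC»«84»6n is confusing in Interarchy's view: the '6' and 'n' are ordinary printable bytes (0x36 0x6E) that belong to the same 4-byte value as the two «XX» bytes before them.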
Title: Re:<<0E>>?
Post by: ChR0NiC on August 18, 2004, 03:00 PM
Thanks for the CD Key :P
Title: Re:<<0E>>?
Post by: Luxer on August 18, 2004, 05:43 PM
OK.... I don't see a cdkey..
Title: Re:<<0E>>?
Post by: MyndFyre on August 18, 2004, 05:52 PM
Quote from: Luxer on August 18, 2004, 05:43 PM
OK.... I don't see a cdkey..

Despite your attempt at guarding it by changing it in the right column, check out:
Send data (34 bytes).
<00000065< 22 00 0C 00  00 00 00 01  03 00 00 00  E8 C0 9A FA  "...............
<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  :P
Title: Re:<<0E>>?
Post by: ChR0NiC on August 18, 2004, 09:47 PM
Quote from: Luxer on August 18, 2004, 05:43 PM
OK.... I don't see a cdkey..

Um notice you edited it? There was a key there before though :P

I won't post the key but it's still visible yes :P
Title: Re:<<0E>>?
Post by: Adron on August 20, 2004, 11:44 AM
Quote from: MyndFyre on August 18, 2004, 05:52 PM

<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  :P

This is good to know whenever you run into buffer overflows - if you suddenly see a value like 34333231 in eip, you know that you probably just overwrote a return value with "1234".
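Added example (not Adron's code): decoding a faulting register value back into the bytes that landed in the saved return address, as Adron's rule of thumb describes. Little-endian order follows from the register being eip (x86); the 8-byte case and the sample address value are constructed for illustration.

```python
import struct


def register_bytes(value: int, width: int = 4, little_endian: bool = True) -> bytes:
    """Recover the in-memory byte order of a register's contents.

    A little-endian CPU (x86, where the register is eip) loads bytes
    b0 b1 b2 b3 from memory into a register that prints as b3b2b1b0, so
    the string "1234" (31 32 33 34) shows up as 0x34333231."""
    fmt = ("<" if little_endian else ">") + {4: "I", 8: "Q"}[width]
    return struct.pack(fmt, value)


def register_as_text(value: int, width: int = 4, little_endian: bool = True):
    """Return the printable string the register value spells, or None.

    None means at least one byte is outside 32..126, so the value is more
    likely a genuine address (or only partly overwritten) than copied input."""
    raw = register_bytes(value, width, little_endian)
    if all(32 <= b <= 126 for b in raw):
        return raw.decode("ascii")
    return None


def triage_fault(value: int, width: int = 4) -> str:
    """One-line crash triage note applying Adron's observation."""
    text = register_as_text(value, width)
    if text is None:
        return f"0x{value:0{width * 2}X}: not printable, looks like a real address"
    return f"0x{value:0{width * 2}X}: printable ASCII {text!r}, input reached the return address"


if __name__ == "__main__":
    print(triage_fault(0x34333231))                    # the value from Adron's post
    print(triage_fault(0x0804A0F0))                    # constructed plausible code address
    print(triage_fault(0x4141414141414141, width=8))   # constructed 64-bit register value
```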