• Welcome to Valhalla Legends Archive.
 
Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - brew

#31
Why don't you use your 'fataly' account anymore?
#32
Quote from: CrAzY on October 14, 2009, 10:51 AM
Quote from: brew on October 13, 2009, 12:26 PM
Are you the_wiz_kid_89 on Freenode?
No.
Are you sure? He had a question about something very similar a day before you made your second post in this thread, you both referred to the architecture as "IA32" instead of the normal "x86", his IP places him in Virginia, and your profile states you live in Burke, Virginia.
If not, I suspect I've found a classmate of yours!
#33
Quote from: CrAzY on October 13, 2009, 10:11 AM
is this 4x$eax+"\002" ?  If so, how does that effect the "string" "\002" ? 
Well, that's not a string first of all. It's an integer array. I guess the first element of the array at 0x80497c0 is 0x323000 (00 30 32 00) which gdb was able to print out.

Quote from: CrAzY on October 13, 2009, 10:11 AM
Stepping into this, %eax = 0x06 I think.
This is irrelevant. eax is overwritten.

Quote from: CrAzY on October 13, 2009, 10:11 AM
Can someone explain the algorithm taking place a little better?  I read that "movsbl" drags the sign bit over. 
I'm not quite sure about movsbl. Really, that's movsb which moves a byte from esi to edi then increments each, but this takes two operands. So, I think what gdb really ment to say was "movzx (%edx, %ebx, 1), %eax".

The array at 0x80497c0 contains 16 elements.
The integer value in the element 0x80497c0 is added to an accumulator.
The index of this is the ith byte value of the array at ebx, modulo the size of the array / size of an element.
The loop runs 6 times.

Spoiler alert! I encoded the solution in base64 if you need it:
aSA9IDA7DQphY2N1bSA9IDA7DQpkbyB7DQoJYWNjdW0gKz0gMHg4MDQ5N2MwW2VieFtpXSAmIDB4MEZdOw0KCWkrKzsNCn0gd2hpbGUgKGkgIT0gNik7

Quote from: CrAzY on October 13, 2009, 10:11 AM
Can someone show a small example exactly how that will look in this code?
You worry way too much about what flags each instruction modifies. Instead, only worry about what flags are being set right before an instruction that reads the flags, such as a conditional jump (Jcc), or a set-byte-register-to-flag instruction (SETcc).


Are you the_wiz_kid_89 on Freenode?
#34
Quote from: CrAzY on October 12, 2009, 01:23 PM
Basically I have been using gdb and stepping through each line of assembly monitoring each register and searching for the answers.
That must be killer. It's pretty painful to read AT&T syntax.

Quote from: CrAzY on October 12, 2009, 01:23 PM
What is the purpose of "test %eax, %eax"?  I know its a bitwise AND and I'm assuming no matter what it is, the ZF is set.  I read something like it is used to see if the SF changes or something?
test %eax,%eax checks if a value is zero or nonzero.
x & x always will = x, which is always nonzero unless x is zero.
SF is set after this op if the highest bit is set.

Quote from: CrAzY on October 12, 2009, 01:23 PM
When I do "info registers" in gdb, it will echo the register name, a hexidecimal value, and an interger value.  Are the hex and int values just the address the register points to?  If so, is "print /x $reg" returning the value the address points to or the address it self.
No, they're the values contained inside of the registers.
And no, that prints the value of the register. to check the contents of memory that a register is pointing to, you should preappend the C dereference operator, *, to the expression (ex. print /x *$eax)

Quote from: CrAzY on October 12, 2009, 01:23 PM
I'm aware that %ebp and %esp are the base stack pointer and the stack pointer.  Is the following statement correct?  0x4(%ebp) = return address;  0x8(%ebp) = first parameter;  0xC(%ebp) = 2nd paramenter; and so on?  
No. 4(%ebp) is the stored ebp from the last frame. 0(%ebp) is the return address. But yes, 8(%ebp, %paramnumber, 4) is the expression for the parameters.


Quote from: CrAzY on October 12, 2009, 01:23 PM
Where there is a call such as "push %ebi", why does the %esp move a WORD in the negative direction?  
%ebi? :-? Must be a gdb thing.
The stack is a LIFO queue, try to visualize it and you'll see why. You're pushing the stack down, and then when you pop, it moves a WORD in the positive direction. Like popping up!

Quote from: CrAzY on October 12, 2009, 01:23 PM
What is the purpose of pushing registers on the stack when you can use htem regaurdless?
Maybe the compiler overlooked the fact that it didn't need to use the stack in that instance, or maybe it wasn't optimized to use a register in the first place.

Quote from: CrAzY on October 12, 2009, 01:23 PM
is "ret" always %eax?
Huh? That's a poor question.
I assume you're asking if eax is always used as the return register - yes. It certainly doesn't have to be, but people have always used that convention and will stick to it for centuries to come. ret does not do anything but pop the return address from the stack and jumps to it.

Quote from: CrAzY on October 12, 2009, 01:23 PM
Is there any real difference between each register (without including %esp and %ebp)?
Well no, there's no difference between esp and ebp and the rest of them either.
#35
Quote from: rabbit on October 05, 2009, 05:34 PM
All Battle.net packets use little-endian, so it doesn't matter.
This is true. One 'exception' is any packet containing a sockaddr structure, since the port is in network byte order (big endian). It's simply memcpy'd from the packet and is ment to be read as the whole structure, so it's not really an issue.
Oops, I posted without reading the whole thread. What I just said was mentioned already.
#36
I'm pretty sure no trackpads are pressure sensitive, per se. The MacBook seems like it should be since the whole trackpad is the mouse button, however it has just two pressure levels. A click is registered if the capacitance is over a certain threshold, no irp is sent otherwise. A quick google search turns up this CNet article which explains how Apple has their own option to drop superfluous trackpad IRPs, a feature probably built into the OS. It seems like a flaw of Windows 7's, failing to take into account the oversensitivity of Apple's hardware.

Perhaps you should look at \WinDDK\src\generic\toaster\filter\filter.c, and use that as the base of your filter driver. The underlying logic shouldn't be too hard - you could do something like.. if (KeQueryTickCount() - lastmouseevent < 80) droppacket(pirp); for mouse click events, etc.
#37
Quote from: MyndFyre on September 23, 2009, 01:33 AMInteresting.  I would think that wouldn't work on NT-based systems, and since everyone now is on NT or *nix it seems like that would be pointless these days....
Why not? That code is communicating directly with the hardware at a level below anything NT has to do with. The operating system model being used is irrelevant.
#38
General Programming / Re: [C]Bitwise Help?
September 23, 2009, 07:18 PM
Your code uses a constant larger than 0xFF too. I doubt your instructor would accept that.

The function on that website uses the < and - operators, both of which violate your rules.
What's wrong with my version?
#39
General Programming / Re: [C]Bitwise Help?
September 22, 2009, 10:33 PM
For the second one, I did a play on Kane's idea, except it's not a constant.
x ^ x = 0.

Also,
x ^ 0 = x
and
x ^ -1 = ~x


int sm2tc(int x) {
  return ((x & (~(x ^ x) >> 1)) ^ (~((x & (~(x ^ x) << 31)) >> 31) + 1)) + ((x & (~(x ^ x) << 31)) >> 31);
}


Shame it had to be so repetative because of the restraints of the assignment.

EDIT**
I just realized there's a 15 op limit. Also, it need not be one line.
Saved 4 ops with this:

int sm2tc(int x) {
   int neg1 = ~(x ^ x);
   int hibitpresent = (x & (neg1 << 31);
   return ((x & (neg1 >> 1)) ^ (~(hibitpresent) >> 31) + 1)) + (hibitpresent) >> 31);
}
#40
General Programming / Re: [C]Bitwise Help?
September 22, 2009, 10:03 PM
Quote from: CrAzY on September 22, 2009, 05:46 PM
/*
* isLessOrEqual - if x <= y  then return 1, else return 0
*   Example: isLessOrEqual(4,5) = 1.
*   Legal ops: ! ~ & ^ | + << >>
*   Max ops: 24
*   Rating: 3
*/
int isLessOrEqual(int x, int y) {
return ;
}

Well, what you want to do is compare the two. The traditional way many processor architectures do this behind the scenes is subtraction -- however, you can't use the subtraction or negation operator. However, you do have addition. Subtraction is merely addition with the one's complement. Recall that ~x + 1 == -x. After this, the trick is to check the presense or absense of the top bit - clear means the number is 0 or greater, set means it's less than 0.  In this case, it's the presense of the 31st bit... now all you need to do is move it 31 places to the right and negate your answer.

I don't think Kane's solution would be acceptable since his does contain a larger-than-specified constant (1 << 31).


int isLessOrEqual(int x, int y) {
  return !((y + (~x + 1)) >> 31);
}


I love bit twiddling. Your class sounds pretty neat - what is it?
#41
Quote from: Hdx on September 20, 2009, 02:42 PM
Anyone wanna bother telling me what that asm does? if anything.
*note all formatting is me, his raw code is all on the left.

Well, he tries to read from port 3f6h multiple times, which is a reserved floppy disk controller port (perhaps this code relies on undocumented behavior of some sort). It then sets the drive and head number, sends a few commands to the first ISA drive controller's command register (such as, run the drive diagnostics, identify drive, so on), and promptly thereafter checks the status register to see if there was an error since the last command, and if so, checks which drive it originated on (master or slave).

So, in fact, it does do something - Not quite sure what, though.
Of course, none of this would have a chance in hell of being executed. A good third of the instructions in that code blob are privileged.


EDIT**
A google search for "mov dx, 3f6" turns up one result: http://thestarman.pcministry.com/asm/debug/DEVIDP0.DSF.txt. I figured that'd be the best instruction to search for since it's very uncommon to use this kind of hackery.
#42
Battle.net Bot Development / Re: 0x25
September 14, 2009, 06:53 PM
Quote from: ReaSoN on September 13, 2009, 04:54 PM
why does BNET keep sending 0x25 if it doesnt update the ping?
Good question. I think it's like a typical "are you still there bro?" kind of ping to test if the connection is still active and ok at the application level, whereas the one way SID_NULL keepalive is to keep the connection active and ping at a level below the application layer.


Quote from: ReaSoN on September 13, 2009, 04:54 PM
And how can i "improve" my method to make it work?
By delaying the sending of all other packets until your 0x25 is sent. What I like to do is break my program off into another GetMessage/TranslateMessage/DispatchMessage loop so it could service the GUI messages and the packets from other connections while it waits for the spoofing period to be over like so:


void __stdcall PingSpoofProc(int index) {
   char asdf[64];
   AddChatf(vbYellow, bot[index]->hWnd_rtfChat, asdf, "Sleep()ing for %dms...", bot[index]->spoofedping);
   Sleep(bot[index]->spoofedping);
   AddChat(vbGreen, "Wakey wakey!", bot[index]->hWnd_rtfChat);
   InsertDWORD(0);
   SendPacket(0x25, index);
   PostMessage(hWnd_main, WM_WAKEUP, 0, index);
}

void WaitForPingSpoof(int index) {
   MSG msg;
   HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)PingSpoofProc, (void *)index, 0, NULL);
   while (GetMessage(&msg, (HWND)NULL, 0, 0)) {
      if (msg.message == WM_WAKEUP && msg.lParam == index && msg.hwnd == hWnd_main)
         break;
      if (!TranslateMDISysAccel(hWnd_Client, &msg)) {
         TranslateMessage(&msg);
         DispatchMessage(&msg);
      }
   }
   CloseHandle(hThread);
}

#43
Are you sure this qualifies as "alive"?
#44
Quote from: MyndFyre on August 04, 2009, 03:51 AM
* If I mapped in the whole files of the games (so that it didn't depend, for instance, on the .ini files that have floated around on the forum), I'd need to create separate processes for each game, right?  I'd bet (I haven't checked) that their images overlap in memory.
You would. For example, Warcraft 3's Storm loads at the exact same base address as Starcraft's, however they different binaries. I reckon that if a module were to request Storm, it'd like the flavor of Storm that client uses.

Quote from: MyndFyre on August 04, 2009, 03:51 AM
* Do you recommend hosting my own code in a specific region in memory (i.e. by creating different base addresses for my assemblies)?  Obviously I'll have to avoid the game memory.
Yes. Pehaps the preferred base address of your module should be 0x70000000, or something like that. Most developers wouldn't dream of putting something there, since it's relatively close to Windows' DLLs.

Quote from: MyndFyre on August 04, 2009, 03:51 AM
* Is it adequate to load the game files using LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES, or should I plan on loading them manually?
LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE works fine for me. Just remember, if you're using LoadLibraryEx, to trim off the 2 low bytes. Kernel32 has a penchant for tacking on flags to the address it's loaded to (remember, it's a 'handle' not a 'base address', so they can get away with that....).


Although it is a noble gesture, I don't think it'd be worth all the work to split off a warden worker process and have it handle all the packets on its own. That kind of sounds like the early Warden 'solutions' that'd require Starcraft to be open in order to function. I do realize it seems appealing to have an always-going-to-work-unless-they-break-it-on-purpose solution to Warden, but it's doubtful we'll see any changes in this cheat detection over BNCS for the 'legacy' clients (Warcraft 3, Starcraft, etc.)
I do expect a more integrated anti-cheat solution with StarCraft 2.
#45
"Ringo" en este foro problamente pueda ayudele, él sabe mucho de D2GS. Debe hablar a él.

P.S.
Quiere decir "me" en su oracíon prima, no "my". mí = my (posesivo), me = me (objeto indirecto)