• Welcome to Valhalla Legends Archive.
 

ZTFF

Started by ZergMasterI, October 09, 2006, 12:36 PM

Previous topic - Next topic

ZergMasterI

From a link from BnetDocs (From here to here) to a text file on BotNet's documentation, it says:

Quote(send to client) id 0x06: botnet bot information
Contents:
   (DWORD) bot id
   (4.1) (DWORD) database access flags
      1 = read
      2 = write
      4 = restricted access
   (4.1) (DWORD) administrative capabilities
      Specified in Zerobot Traditional Flags Format (ZTFF):
      A = superuser, can perform any administrative action
      B = broadcast, may use talk-to-all
      C = connection, may administer botnet connectivity
      D = database, may create and maintain databases
      I = ID control, may create and modify hub IDs
      S = botnet service
   (4.1) (Admin only) (DWORD) IP address of the bot being described
   (STRING:20) bot name
   (STRING:*) bot channel
   (DWORD) bot server
   (2) (STRING:16) unique account name
   (3) (STRING:*) database

What is ZTFF and how do I decode it?

UserLoser

A = 1
B = 2
C = 4
D = 8
E = 16
...

To test for flags, do a bitwise check, i.e. use the bitwise and operator

ZergMasterI

Then why does init have Admin = 399663?

UserLoser

Admin = 399663?  What are you talking about?  Like I said already, use the bitwise and operator and get the user's flags

Hdx

#4
If my math dosen't fail me.
399663 = 0x06192F = ABCEHKLQR

QuoteA = superuser, can perform any administrative action
      B = broadcast, may use talk-to-all
      C = connection, may administer botnet connectivity
      D = database, may create and maintain databases
      I = ID control, may create and modify hub IDs
      S = botnet service
So that person would be a.... Superuser, Broadcaster, and a Connection Admin.
Now that dosen't seem right... so my math must be failing.
Anyways.
Here is a basic function:
Public Function GetFlags(Flags as Long) As String
  Dim tmp as String
  tmp = IIF(Flags And &H1 = &H1, "A", vbNullString)
  tmp = tmp & IIF(Flags And &H2 = &H2, "B", vbNullString)
  tmp = tmp & IIF(Flags And &H4 = &H4, "C", vbNullString)
  tmp = tmp & IIF(Flags And &H8 = &H8, "D", vbNullString)
  tmp = tmp & IIF(Flags And &H100 = &H100, "I", vbNullString)
  tmp = tmp & IIF(Flags And &H40000 = &H40000, "S", vbNullString)
  GetFlags = tmp
End Function

Or:
Function GetFlags(Flags):
  Dim A, x
  For x = 1 to 26
   If((Flags And (2^x)) = (2^x)) Then
     A = A & Chr(64 + x)
   End If
  Next
  GetFlags = A
End Function

Thats jsut off the top of my head (Not sure if I got I&S values correct.)
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

ZergMasterI

"Warning - while you were typing a new reply has been posted. You may wish to review your post."
*Kicks my internet for dropping when I tried to post before*

Sorry 'Admin' was the variable assigned to admin capabilities, and the BotNet user that has the username 'init''s admin capabilities are 399663.
06192Fh
0110  0001  1001  0010  1111b

It appears to be flags A, B, C, D, F, I, L, M, R, S.. what's F, L, M, and R?

UserLoser

ABCDFILMRS looks about right.  Not sure about those, ask Kp about that one.