<<0E>>?

[Luxer]

I was using Interarchy 4 to watch KaneBot connect to BNLS, and it look fairly simple.. However, what is all of this <<0E>> and <<DC>>? I think <<00>> is ASCII 00, AKA null, but I am just not sure.. In case you need it, here is the log I was looking at:



Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send option management request (T_OPTMGMT_REQ = 108).

Receive option management ack (T_OPTMGMT_ACK = 131).

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send bind request (T_BIND_REQ = 101).
 Bind to «Any Address»
 Connection Indication Number = 0

Receive bind ack (T_BIND_ACK = 122).
 Bind to port 49656
 Connection Indication Number = 0

Send connection request (T_CONN_REQ = 102).
 Connect to 63.161.183.202:9367

Receive ok ack (T_OK_ACK = 130).

Receive connection confirmation (T_CONN_CON = 123).
 Connect from 63.161.183.202:9367

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 1452
 Service Type = 2
 Current State = 10 (Data Transfer)
 Provider Flags = 0x40000002

Code Select Expand

Send data (14 bytes).
<00000000< «0E»«00»«0E»KaneBotMBB«00»

Receive data (7 bytes).
>00000000> «07»«00»«0E»«DC»«84»6n

Send data (7 bytes).
<0000000E< «07»«00»«0F»\&«86»«D7»

Receive data (7 bytes).
>00000007> «07»«00»«0F»«00»«00»«00»«00»

Send data (7 bytes).
<00000015< «07»«00»«10»«01»«00»«00»«00»

Receive data (11 bytes).
>0000000E> «0B»«00»«10»«01»«00»«00»«00»«C9»«00»«00»«00»

Send data (73 bytes).
<0000001C< I«00» «01»«00»«00»«00»«01»«00»«00»«00»A=161868574 B=807267571
<0000003F< C=922264113 4 A=A^S B=B-C C=C+A A=A-B«00»

Send data (34 bytes).
<00000065< "«00»«0C»«00»«00»«00»«00»«01»«03»«00»«00»«00»«B0»«1E»«9E»«F7»«0C»
<00000076< «F5»zF********«00»

Receive data (55 bytes).
>00000019> 7«00» «01»«00»«00»«00»«03»«01»«01»«01»Y«C3»«F7»^Starcraft.exe
>00000036> 05/26/04 00:46:00 1048576«00»

Receive data (53 bytes).
>00000050> 5«00»«0C»«00»«00»«00»«00»«01»«01»«01»«00»«00»«00»«0C»«F5»zF
>00000062> «00»«00»«00»«01»«00»«00»«00»zl0«00»«00»«00»«00»«00»r«F6»«0C»]7«02»
>00000077> «08»«96»«8F»«CB»H90«B7»«C3»«E3»«86»«F7»«14»W

Send data (26 bytes).
<00000087< «1A»«00»«0B»«07»«00»«00»«00»«02»«00»«00»«00»******«0C»«F5»zF«B0»
<0000009E< «1E»«9E»«F7»

Receive data (23 bytes).
>00000085> «17»«00»«0B»«BE»6«D8»«0B»«02»f«D1» «F3»«9A»«9D»JqQ«0C»«E9»«E3»«AC»
>0000009A> «DF»n

Send orderly release request (T_ORDREL_REQ = 109).


If this is not BNLS, kill me.

[Edit: added code tags around the packet dump in the vain hope of making it somewhat readable.]

[Kp]

If this is not BNLS, kill me.

Can we instead kill you for using a horribly sucky packet logger?  It's much much nicer to show it in the usual unified hexdump / ascii dump of 16 bytes per line, once in hex representation with no garbage characters between them (i.e. no < or >), then again as ASCII characters (using '.' for unprintable characters).

[tA-Kane]

The "dots" are characters that the character code for is either less than 32 or greater than 126 (if I remember correctly).

Sometimes they're actually periods, though.

Luxer, turn off 'Show Status Packets' in your Network Monitor window. They're useless for what you're trying to do, and you wouldn't understand them anyway.

And yes, that is a packetlog of my BNLS connection.

[ChR0NiC]

Thanks for the CD Key

[Luxer]

OK.... I don't see a cdkey..

[MyndFyre]

OK.... I don't see a cdkey..

Despite your attempt at guarding it by changing it in the right column, check out:

Code Select Expand


Send data (34 bytes).
<00000065< 22 00 0C 00  00 00 00 01  03 00 00 00  E8 C0 9A FA  "...............
<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  

[ChR0NiC]

OK.... I don't see a cdkey..

Um notice you edited it? There was a key there before though

I won't post the key but it's still visible yes

[Adron]

Code Select Expand


<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  

This is good to know whenever you run into buffer overflows - if you suddenly see a value like 34333231 in eip, you know that you probably just overwrote a return value with "1234".