<<0E>>?

Started by Luxer, August 17, 2004, 11:20 AM

Luxer

I was using Interarchy 4 to watch KaneBot connect to BNLS, and it looks fairly simple.. However, what is all of this <<0E>> and <<DC>>? I think <<00>> is ASCII 00, AKA null, but I am just not sure.. In case you need it, here is the log I was looking at:



Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send option management request (T_OPTMGMT_REQ = 108).

Receive option management ack (T_OPTMGMT_ACK = 131).

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 536
 Service Type = 2
 Current State = 1 (Unbound)
 Provider Flags = 0x40000002

Send bind request (T_BIND_REQ = 101).
 Bind to «Any Address»
 Connection Indication Number = 0

Receive bind ack (T_BIND_ACK = 122).
 Bind to port 49656
 Connection Indication Number = 0

Send connection request (T_CONN_REQ = 102).
 Connect to 63.161.183.202:9367

Receive ok ack (T_OK_ACK = 130).

Receive connection confirmation (T_CONN_CON = 123).
 Connect from 63.161.183.202:9367

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
 Max TSDU Size = 0
 Max ETSDU Size = -1
 Connect Data Size = -2
 Disconnect Data Size = -2
 TSAP Size = 16
 Options Size = 256
 TIDU Size = 1452
 Service Type = 2
 Current State = 10 (Data Transfer)
 Provider Flags = 0x40000002

Send data (14 bytes).
<00000000< «0E»«00»«0E»KaneBotMBB«00»

Receive data (7 bytes).
>00000000> «07»«00»«0E»«DC»«84»6n

Send data (7 bytes).
<0000000E< «07»«00»«0F»\&«86»«D7»

Receive data (7 bytes).
>00000007> «07»«00»«0F»«00»«00»«00»«00»

Send data (7 bytes).
<00000015< «07»«00»«10»«01»«00»«00»«00»

Receive data (11 bytes).
>0000000E> «0B»«00»«10»«01»«00»«00»«00»«C9»«00»«00»«00»

Send data (73 bytes).
<0000001C< I«00» «01»«00»«00»«00»«01»«00»«00»«00»A=161868574 B=807267571
<0000003F< C=922264113 4 A=A^S B=B-C C=C+A A=A-B«00»

Send data (34 bytes).
<00000065< "«00»«0C»«00»«00»«00»«00»«01»«03»«00»«00»«00»«B0»«1E»«9E»«F7»«0C»
<00000076< «F5»zF********«00»

Receive data (55 bytes).
>00000019> 7«00» «01»«00»«00»«00»«03»«01»«01»«01»Y«C3»«F7»^Starcraft.exe
>00000036> 05/26/04 00:46:00 1048576«00»

Receive data (53 bytes).
>00000050> 5«00»«0C»«00»«00»«00»«00»«01»«01»«01»«00»«00»«00»«0C»«F5»zF
>00000062> «00»«00»«00»«01»«00»«00»«00»zl0«00»«00»«00»«00»«00»r«F6»«0C»]7«02»
>00000077> «08»«96»«8F»«CB»H90«B7»«C3»«E3»«86»«F7»«14»W

Send data (26 bytes).
<00000087< «1A»«00»«0B»«07»«00»«00»«00»«02»«00»«00»«00»******«0C»«F5»zF«B0»
<0000009E< «1E»«9E»«F7»

Receive data (23 bytes).
>00000085> «17»«00»«0B»«BE»6«D8»«0B»«02»f«D1» «F3»«9A»«9D»JqQ«0C»«E9»«E3»«AC»
>0000009A> «DF»n


Send orderly release request (T_ORDREL_REQ = 109).


If this is not BNLS, kill me.

[Edit: added code tags around the packet dump in the vain hope of making it somewhat readable.]

Kp

Quote from: Luxer on August 17, 2004, 11:20 AM
If this is not BNLS, kill me.

Can we instead kill you for using a horribly sucky packet logger?  It's much much nicer to show it in the usual unified hexdump / ascii dump of 16 bytes per line, once in hex representation with no garbage characters between them (i.e. no < or >), then again as ASCII characters (using '.' for unprintable characters).
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

tA-Kane

The "dots" are characters whose character code is either less than 32 or greater than 126 (if I remember correctly).

Sometimes they're actually periods, though.

Luxer, turn off 'Show Status Packets' in your Network Monitor window. They're useless for what you're trying to do, and you wouldn't understand them anyway.

And yes, that is a packetlog of my BNLS connection.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

ChR0NiC

Thanks for the CD Key :P

Luxer

OK.... I don't see a cdkey..

MyndFyre

Quote from: Luxer on August 18, 2004, 05:43 PM
OK.... I don't see a cdkey..

Despite your attempt at guarding it by changing it in the right column, check out:


Send data (34 bytes).
<00000065< 22 00 0C 00  00 00 00 01  03 00 00 00  E8 C0 9A FA  "...............
<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  :P
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

ChR0NiC

#6
Quote from: Luxer on August 18, 2004, 05:43 PM
OK.... I don't see a cdkey..

Um notice you edited it? There was a key there before though :P

I won't post the key but it's still visible yes :P

Adron

#7
Quote from: MyndFyre on August 18, 2004, 05:52 PM

<00000075< 91 A6 E5 4A  32 37 36 36  33 38 32 38  33 32 30 32  ...J*********
<00000085< 38 00

Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key.  :P

This is good to know whenever you run into buffer overflows - if you suddenly see a value like 34333231 in eip, you know that you probably just overwrote a return value with "1234".
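An added example, not code from the thread, from KaneBot or from BNLS: a small Python tool that converts Interarchy-style log lines (assumed format: '<offset< payload', where «XX» is one byte in hex and any other character is a literal byte) into the unified 16-byte hexdump Kp asks for, using tA-Kane's rule for the '.' column. It also shows MyndFyre's point that a digit-only secret stays readable in the hex column even after the ASCII column has been blanked by hand, and Adron's trick of reading a little-endian register value back as text. The packet and its 13 key digits are constructed placeholders, not values from the thread.

```python
import re

# Constructed sample in the thread's Interarchy-style log format ('<offset< payload').
# The 13 key digits here are a made-up placeholder, not the key from the thread.
SAMPLE_LOG_LINES = [
    '<00000065< "«00»«0C»«00»«00»«00»«00»«01»«03»«00»«00»«00»«B0»«1E»«9E»«F7»«0C»',
    '<00000076< «F5»zF1234567890123«00»',
]

# Either a «XX» escape (one byte given in hex) or a literal character that is itself a byte.
TOKEN = re.compile(r'«([0-9A-Fa-f]{2})»|(.)', re.DOTALL)

def decode_log_line(line):
    """Turn one '<offset< payload' log line into the raw bytes it represents."""
    _, payload = line.split(' ', 1)          # the first space ends the offset column
    out = bytearray()
    for hexval, ch in TOKEN.findall(payload):
        out.append(int(hexval, 16) if hexval else ord(ch))
    return bytes(out)

def hexdump(data, width=16):
    """Unified dump: offset, 16 hex bytes, then ASCII with '.' for codes <32 or >126."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexcol = ' '.join(f'{b:02X}' for b in chunk).ljust(width * 3 - 1)
        asciicol = ''.join(chr(b) if 32 <= b <= 126 else '.' for b in chunk)
        rows.append(f'{off:08X}  {hexcol}  {asciicol}')
    return '\n'.join(rows)

def bnls_header(data):
    """BNLS messages start with a 2-byte little-endian length and a 1-byte message id."""
    return int.from_bytes(data[:2], 'little'), data[2]

def digit_runs(data, minlen=4):
    """Offset and text of every run of at least minlen ASCII digits (0x30..0x39).
    Blanking the ASCII column by hand does not touch these bytes in the hex column."""
    return [(m.start(), m.group().decode()) for m in re.finditer(rb'[0-9]{%d,}' % minlen, data)]

def register_as_ascii(value, width=4):
    """Read a little-endian register value back as the bytes that landed in it;
    returns the text if every byte is printable ASCII, else None."""
    raw = value.to_bytes(width, 'little')
    return raw.decode('ascii') if all(32 <= b <= 126 for b in raw) else None

if __name__ == '__main__':
    packet = b''.join(decode_log_line(l) for l in SAMPLE_LOG_LINES)
    print(hexdump(packet))
    print(bnls_header(packet), digit_runs(packet), register_as_ascii(0x34333231))
```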