Seeing whispers in channel.

BlazingKnight · September 07, 2003, 05:26 PM

Denial has a bot called fluffy bot. It can see whispers in a channel. Any idea how this is done?

Spht · September 07, 2003, 05:29 PM

EID_WHISPER will notify you of any received whispers.

Dark-Feanor · September 07, 2003, 09:27 PM

I think that Denial is bullshitting you.

Grok · September 07, 2003, 11:30 PM

Such information is not widely shared, so try to keep this between us, OK? In the header of your join channel packet, remember to set the evil bit. Hope this helps.

Camel · September 07, 2003, 11:44 PM

Quote from: Grok on September 07, 2003, 11:30 PMSuch information is not widely shared, so try to keep this between us, OK? In the header of your join channel packet, remember to set the evil bit. Hope this helps.

Grok, you forgot a couple of steps: First, you have to spoof your ping to get it to be exactly 666. Then, you send continually battle.net 0x25 packets until you get a message about the gem being activated.

TriCk · September 08, 2003, 01:02 AM

FeanOr it is true, denial can receive and then send those "whispers" that other people get.

Denial gave me a demo, i did /F L and his bots responded with the last person on my list.

i have done it too, except my way was unethical, it was simply sending the ALT+0137 code followed by a few letters, and it picked up the whispers but when i tried to add to a txt file or on the chat screen of the bot it didnt work...

iago · September 08, 2003, 01:13 AM

There is a buffer overflow problem, and I've seen a couple screenshots of it, but it's pretty much impossible to spy on people with it. I'm not sure exactly how it works, but I think EvilCheese was looking into it at one point. Or was it Arta? I get all those damn English mixed up

Adron · September 08, 2003, 06:21 AM

Buffer overflow in server code? Client code?

iago · September 08, 2003, 07:58 AM

I honestly don't know.. let me see if I can find those old screenshots..

iago · September 08, 2003, 08:10 AM

I think we determined that a person has the ability to seem to whisper somebody else the last thing they said. The most likely cause is that the recieve buffer isn't cleared and the other person somehow sends either a blank whisper (although that's not allowed) or some special whisper that doesn't add a '\0' to the end for whatever reason.

I started disassembling this awhile back, and if somebody wants to continue, we figure it's around here somewhere:

Code Select

 .text:190180EC                 lea     ecx, [esp+494h+var_464] 
 .text:190180F0                 push    ecx 
 .text:190180F1                 push    esi 
 .text:190180F2                 push    offset aFromSS  ; "<From: %s> %s" 
 .text:190180F7                 jmp     short loc_19018104

So we have to figure out where esi comes from before this jmp is made (19018104 is just a wsprintfA and a jump).

I believe it was right about there that I got sidetracked and never came back to it, but clearly you have to cause the wsprintfA to not get anything useful :-)

[edit] I guess it's not a buffer overflow at all that causes this.. only a buffer underflow. And I don't really know whether it's server or client, but it seems like client..

Adron · September 08, 2003, 08:30 AM

Ah, so they don't actually have knowledge of the whisper contents, they just pretend to?

It sounds a little like the word wrapping bug where if it replaces the \0 with a word wrapping \n or \t, some random data will be displayed on the next line.

To see this happen, produce a line that just barely reaches the end of the box, so that it decides to wrap, but doesn't actually have anything to put on the next line.

Raven · September 08, 2003, 02:23 PM

Denial's bot can likely see the whispers being sent to webbot hosts, but then again, so can just about everyone else.

EvilCheese · September 08, 2003, 05:00 PM

Yes, I was working on this a while ago after a good friend of mine sent me that screenshot you just saw and a couple of others.

The person responsible for the whispers threatened by friend that they would listen into his conversations (being able to see whispers) and to prove it, performed this trick at least 5 times on different occasions.

When I looked at the screens, I noted that the whispers were always the last thing said... I told my friend to ask this "hacker" to repeat the last 4 things I whispered to him.... he was unable to.

I looked into it a little bit ( I think iago and myself spent 45 minutes or so browsing the disassembly the day after ) and we decided it was most likely a buffering problem, but I havent touched it since either.

Would be interesting to know how it's done, though I'm too busy to look into it myself in any depth.

iago · September 08, 2003, 05:11 PM

It would be nice to see somebody replicate it so I can packetsniff and find out if it's serverside or clientside. If it's serverside, it would also work on bots.

UserLoser · September 08, 2003, 05:40 PM

I don't understand that screenshot, Ntrx typed /time, and Natilie_Portman whispered Ntrx the last message that he recieved?

Seeing whispers in channel.

BlazingKnight

Camel

TriCk

Raven

EvilCheese

UserLoser