Seeing whispers in channel.

Started by BlazingKnight, September 07, 2003, 05:26 PM

BlazingKnight

Denial has a bot called fluffy bot. It can see whispers in a channel. Any idea how this is done?

Spht

EID_WHISPER will notify you of any received whispers.

Dark-Feanor

I think that Denial is bullshitting you.
- Feanor[xL]
clan exile
Firebot
iago: "caps lock is like cruise control for cool"

Grok

Such information is not widely shared, so try to keep this between us, OK?  In the header of your join channel packet, remember to set the evil bit.  Hope this helps.

Camel

Quote from: Grok on September 07, 2003, 11:30 PM
Such information is not widely shared, so try to keep this between us, OK?  In the header of your join channel packet, remember to set the evil bit.  Hope this helps.

Grok, you forgot a couple of steps: First, you have to spoof your ping to get it to be exactly 666. Then, you send continually battle.net 0x25 packets until you get a message about the gem being activated.

TriCk

FeanOr, it is true, Denial can receive and then send those "whispers" that other people get.

Denial gave me a demo, I did /F L and his bots responded with the last person on my list.

I have done it too, except my way was unethical, it was simply sending the ALT+0137 code followed by a few letters, and it picked up the whispers, but when I tried to add to a txt file or on the chat screen of the bot it didn't work... >:(

iago

There is a buffer overflow problem, and I've seen a couple screenshots of it, but it's pretty much impossible to spy on people with it.  I'm not sure exactly how it works, but I think EvilCheese was looking into it at one point.  Or was it Arta?  I get all those damn English mixed up :)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Adron

Buffer overflow in server code? Client code?

iago

I honestly don't know.. let me see if I can find those old screenshots..


iago


I think we determined that a person has the ability to seem to whisper somebody else the last thing they said.  The most likely cause is that the receive buffer isn't cleared and the other person somehow sends either a blank whisper (although that's not allowed) or some special whisper that doesn't add a '\0' to the end for whatever reason.

I started disassembling this awhile back, and if somebody wants to continue, we figure it's around here somewhere:
.text:190180EC                 lea     ecx, [esp+494h+var_464]
.text:190180F0                 push    ecx
.text:190180F1                 push    esi
.text:190180F2                 push    offset aFromSS  ; "<From: %s> %s"
.text:190180F7                 jmp     short loc_19018104


So we have to figure out where esi comes from before this jmp is made (19018104 is just a wsprintfA and a jump).  

I believe it was right about there that I got sidetracked and never came back to it, but clearly you have to cause the wsprintfA to not get anything useful :-)

[edit] I guess it's not a buffer overflow at all that causes this.. only a buffer underflow.  And I don't really know whether it's server or client, but it seems like client..


Adron

Ah, so they don't actually have knowledge of the whisper contents, they just pretend to?

It sounds a little like the word wrapping bug where if it replaces the \0 with a word wrapping \n or \t, some random data will be displayed on the next line.

To see this happen, produce a line that just barely reaches the end of the box, so that it decides to wrap, but doesn't actually have anything to put on the next line.
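
The stale-buffer hypothesis from the posts above (a reused receive buffer plus a whisper that arrives without its '\0'), shown as an added example that is not part of any post and is not the actual client code. The function names, buffer sizes and sample whispers are constructed for illustration; only the "<From: %s> %s" format string comes from the thread.

```c
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 64

/* Constructed stand-ins for a chat client's whisper handler. */
static char recv_text[TEXT_MAX];  /* reused for every message, never cleared */
static char safe_text[TEXT_MAX];  /* buffer used by the hardened handler */
static char line_out[128];        /* formatted chat line */

/* Flawed: copies exactly len payload bytes and trusts the sender to have
 * included the terminating '\0'. Bytes left over from the previous whisper
 * stay in recv_text and are picked up by %s. */
const char *whisper_flawed(const char *from, const char *payload, size_t len)
{
    if (len > TEXT_MAX - 1) len = TEXT_MAX - 1;
    memcpy(recv_text, payload, len);
    snprintf(line_out, sizeof line_out, "<From: %s> %s", from, recv_text);
    return line_out;
}

/* Hardened: terminate at the received length so nothing older is shown. */
const char *whisper_fixed(const char *from, const char *payload, size_t len)
{
    if (len > TEXT_MAX - 1) len = TEXT_MAX - 1;
    memcpy(safe_text, payload, len);
    safe_text[len] = '\0';
    snprintf(line_out, sizeof line_out, "<From: %s> %s", from, safe_text);
    return line_out;
}

int main(void)
{
    /* Constructed traffic: a normal whisper, then an empty one without '\0'. */
    const char first[] = "meet at 5";
    puts(whisper_flawed("Alice", first, sizeof first));
    puts(whisper_flawed("Bob", "", 0));   /* repeats Alice's text */
    puts(whisper_fixed("Alice", first, sizeof first));
    puts(whisper_fixed("Bob", "", 0));    /* empty text, nothing stale */
    return 0;
}
```

The flawed handler only ever replays what the receiving client already holds in its own buffer, which matches the observation in the thread that the "seen" whisper was always the last one received.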

Raven

Denial's bot can likely see the whispers being sent to webbot hosts, but then again, so can just about everyone else. ;)

EvilCheese

Yes, I was working on this a while ago after a good friend of mine sent me that screenshot you just saw and a couple of others.

The person responsible for the whispers threatened my friend that they would listen into his conversations (being able to see whispers) and to prove it, performed this trick at least 5 times on different occasions.

When I looked at the screens, I noted that the whispers were always the last thing said... I told my friend to ask this "hacker" to repeat the last 4 things I whispered to him.... he was unable to.

I looked into it a little bit (I think iago and myself spent 45 minutes or so browsing the disassembly the day after) and we decided it was most likely a buffering problem, but I haven't touched it since either.

Would be interesting to know how it's done, though I'm too busy to look into it myself in any depth.

iago

It would be nice to see somebody replicate it so I can packetsniff and find out if it's serverside or clientside.  If it's serverside, it would also work on bots.


UserLoser

I don't understand that screenshot, Ntrx typed /time, and Natilie_Portman whispered Ntrx the last message that he received?