[PHP] Fixing Flappy Webbot

Started by Smarter, September 26, 2007, 06:50 AM


Smarter

As many of you know, Fapiko created a PHP-based Battle.Net webbot, which can be easily modified into numerous things, also uses BNLS, and is open source and available on his website (fapiko.com). However, it was written before lockdown and uses BNLS_VERSIONCHECK (0x09), which I'm not personally sure supports lockdown, or whether only BNLS_VERSIONCHECKEX2 does. Nevertheless, the modification necessary is located in the packets.php file:

function Parse0x50($data) {
    global $bnls, $pbuffer, $sToken;
    $sToken = $pbuffer->GetDWORD(substr($data, 8, 4));         // server token: the DWORD at offset 8
    $mpqVer = substr($data, 31, 1);                             // single version digit at offset 31 - needs to be changed for lockdown-IX86-00.dll
    $checksumFormula = substr($data, 37, strlen($data) - 38);  // formula string: from offset 37 up to (not including) the last byte

    $pbuffer->InsertDWORD(3);
    $pbuffer->InsertDWORD($mpqVer);
    $pbuffer->InsertString($checksumFormula);
    $pbuffer->SendPacket(9, $bnls);                             // BNLS_VERSIONCHECK (0x09)
}


However... I have no idea of the makeup of $data, so I can't modify the substr() of mpqVer so it can grab the right version. Anyone have any ideas? Also, is 0x09 lockdown-able?
Since '99

BrutalNet.Net

Don Cullen

First off, I suggest downloading and installing Notepad++. It's quite useful for coding.

Second off, if you're using Notepad++, just hit CTRL and F. This will bring up the 'Find' dialog box. Click the 'Find in files' tab. Browse to where the main directory of the php files for Flappy is. Then put in the string you'd like it to search the files. In our case, Parse0x50(. Without the ending dot, of course. Click 'Find them all'. It'll begin searching the files for any subsequent references to the function. Once it finds the references, it shouldn't be too hard for you to figure out the structure from there on, and update it.

If you're not using Notepad, hopefully, based on the above instructions, you'll be able to search those files. Perhaps use Windows' search feature? I know Windows is able to search inside files.
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

Smarter

No no no, $data is the data being received, and since it's in PHP, I can only speculate at its content. I need to know the data being received to parse the mpqFilename out...
Since '99

BrutalNet.Net

Don Cullen

First off, I'd make a hex dump function and have a die() command in the function. Then I'd pass $data along to the dump function from the Parse0x50 function.

That should give you a general idea of where to work with the data.
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

Smarter

Looks like I don't need to, thanks to bnet they reverted it back to ver-IX86-#.dll.
Since '99

BrutalNet.Net

Don Cullen

Dump function in VB:

'DumpPacket function coded by Grok
'----------------------------------
Public Sub DumpPacket(ByVal sIn As String)
    RaiseEvent DebugOutput("Dumping packet...")
    Dim x1 As Long, y1 As Long
    Dim iLen As Long, iPos As Long
    Dim sB As String, sT As String
    Dim sOut As String
    Dim Offset As Long, sOffset As String
   
    iLen = Len(sIn)
    If iLen = 0 Then Exit Sub
    sOut = ""
    Offset = 0
    For x1 = 0 To ((iLen - 1) \ 16)
        sOffset = Right$("0000" & Hex(Offset), 4)
        sB = String(48, " ")
        sT = "................"
        For y1 = 1 To 16
            iPos = 16 * x1 + y1
            If iPos > iLen Then Exit For
            Mid(sB, 3 * (y1 - 1) + 1, 2) = Right("00" & Hex(Asc(Mid(sIn, iPos, 1))), 2) & " "
            Select Case Asc(Mid(sIn, iPos, 1))
                Case 0, 9, 10, 13
                Case Else
                    Mid(sT, y1, 1) = Mid(sIn, iPos, 1)
            End Select
        Next y1
        If Len(sOut) > 0 Then sOut = sOut & vbCrLf
        sOut = sOut & sOffset & ": "
        sOut = sOut & sB & " " & sT
        Offset = Offset + 16
    Next x1
    RaiseEvent DebugOutput(sOut)
End Sub


Ported to PHP would be:
#DumpPacket function coded by Grok, ported to PHP By Don Cullen
#----------------------------------
function DumpPacket($sIn) {
    $iLen = strlen($sIn);
    if ($iLen == 0) return '';
    $sOut = '';
    $Offset = 0;
    # One output line per 16 bytes (VB's "\" is integer division)
    for ($x1 = 0; $x1 <= (int)(($iLen - 1) / 16); $x1++) {
        $sOffset = substr("0000" . dechex($Offset), -4);
        $sB = str_pad('', 48, ' ');   # hex column: 16 x "xx "
        $sT = '................';     # printable column
        for ($y1 = 1; $y1 <= 16; $y1++) {
            $iPos = 16 * $x1 + $y1;   # 1-based position, as in the VB original
            if ($iPos > $iLen) break;
            $ch = substr($sIn, $iPos - 1, 1);   # PHP strings are 0-based
            $sB = substr_replace($sB, substr("00" . dechex(ord($ch)), -2) . " ", 3 * ($y1 - 1), 3);
            # NUL, tab, LF and CR stay as '.'; everything else is shown as-is
            if (!in_array(ord($ch), array(0, 9, 10, 13))) {
                $sT[$y1 - 1] = $ch;
            }
        }
        if (strlen($sOut) > 0) $sOut .= '<br>';
        $sOut .= $sOffset . ': ';
        $sOut .= $sB . ' ' . $sT;
        $Offset = $Offset + 16;
    }
    return $sOut;
}


Keep in mind, I haven't tested the ported code. You might have to make a few adjustments. If you do end up making a few adjustments to make it work, we'd appreciate it if you posted the working code here.
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

brew

Smarter: The BNLS 0x09 function does support lockdown checkrevision.
And you're referring to exactly what client when you say, "reverted it back to ver-IX86-##.dll"? They did not change anything at all recently that concerns CheckRevision. I tested just a moment ago to verify. Keep in mind, however, that the version of the CheckRevision used is directly dependent on the Verbyte you report in your 0x50 packet. If you send an invalid value, like say 0x00, you will indeed be sent the older CR mpq, along with a null checksum formula.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Leaky


function debugOutput($buffer) {
    $i = 0;
    $j = 0;
    $returnString = "";
    for ($i = 0; $i < strlen($buffer); $i++) {
        if (($i != 0) && ($i % 16 == 0)) {
            $returnString = $returnString . "\t";
            for ($j = $i - 16; $j < $i; $j++) {
                if (ord($buffer[$j]) < 0x20 || ord($buffer[$j]) > 0x7F)
                    $returnString = $returnString . '.';
                else
                    $returnString = $returnString . $buffer[$j];
            }
            // Add a linefeed after the string
            $returnString = $returnString . "\n";
        }
        $returnString = $returnString . bin2hex($buffer[$i]) . " ";
    }
    if ($i != 0 && $i % 16 != 0) {
        for ($j = 0; $j < ((16 - ($i % 16)) * 3); $j++) {
            $returnString = $returnString . " ";
        }
    }
    $returnString = $returnString . "\t";
    if ($i > 0 && ($i % 16) == 0) {
        $j = $i - 16;
    }
    else {
        $j = ($i - ($i % 16));
    }
    for (; $i >= 0 && $j < $i; $j++) {
        if (ord($buffer[$j]) < 0x20 || ord($buffer[$j]) > 0x7F) {
            $returnString = $returnString . ".";
        }
        else {
            $returnString = $returnString . $buffer[$j];
        }
    }
    $returnString = $returnString . "\n";
    $returnString = $returnString . "Length: " . strlen($buffer) . "\n";
    return $returnString;
}


There is a 100% working hex dumper...
The return is a string, but meh, you can modify that if you want...

Leaky

Why fix Fapiko's bot? It wasn't all that useful to begin with... I would suggest creating your own like I did.. a nice framework can go a LONG way! And Fapiko's is a nice reference tool... Also I've converted someone's (I don't remember who.. somewhere on these boards) packet class from VB to PHP and it's open to the public, just send me a PM if you'd like it.. It's pretty handy, but you need to know how to use classes in order to use it.

Barabajagal

Just wondering... I've never quite understood this. First off, how does php send raw packets? Secondly, how does it refresh data on a webpage? Does it use AJAX or some other system of that type?

Leaky

PHP doesn't refresh data on a webpage, and AJAX isn't part of PHP; it's just JavaScript that gets XML from somewhere else.

If you're interested in making a PHP bot, you can AIM me for info and help (I don't give handouts, but I will help you learn it).

animepages11 (if you don't need help and think you're cool because you can spam people's AIMs, don't worry, I can auto-block your spam...)

Barabajagal

I have no interest in making one, I just wondered how it worked. I know AJAX isn't part of PHP, but I've seen some webapps that use AJAX to show fresh data instantly.

Don Cullen

The options for that vary. One could use AJAX, or one could use buffering (ob_start, flush, etc), or one could use recurring page refreshes.

Edit: As for how to send raw data via php's sockets...

http://us3.php.net/pack
http://us.php.net/sockets

That should answer your questions. :-)
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.
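Added example, not code from this thread or from Fapiko's bot: what the two links above boil down to in practice. pack() turns DWORDs and strings into raw bytes, unpack() reads them back, and the reader refuses to read past the end of the buffer rather than returning garbage. The function names, the 0xFF / id / WORD-length header layout and the sample field order are assumptions made for illustration, and the filename and formula strings are constructed.

```php
<?php
// Added example, not code from this thread or from Fapiko's bot. Shows what
// pack()/unpack() do for a PHP bot: integers and strings become raw bytes, and
// the bytes come back out field by field. Function names and the header layout
// (0xFF, packet id, WORD length) are assumptions used for illustration.

// A DWORD as four little-endian bytes ('V' = unsigned 32-bit little-endian).
function insertDWORD($value) {
    return pack('V', $value);
}

// A string followed by its NUL terminator.
function insertString($str) {
    return $str . "\0";
}

// Prepend the 4-byte header; 'C' = byte, 'v' = unsigned 16-bit little-endian.
function buildPacket($id, $body) {
    return pack('CCv', 0xFF, $id, strlen($body) + 4) . $body;
}

// Read a little-endian DWORD at $offset. Never assume the data is long enough:
// a short or malformed packet would otherwise be read as garbage.
function getDWORD($data, $offset) {
    if ($offset < 0 || $offset + 4 > strlen($data)) {
        throw new RangeException("DWORD at offset $offset runs past the end of the packet");
    }
    $u = unpack('Vval', substr($data, $offset, 4));
    return $u['val'];
}

// Read a NUL-terminated string at $offset.
// Returns array(string, offset of the byte just after the NUL).
function getString($data, $offset) {
    $end = strpos($data, "\0", $offset);
    if ($end === false) {
        throw new RangeException("unterminated string at offset $offset");
    }
    return array(substr($data, $offset, $end - $offset), $end + 1);
}

// Pull the version number out of a filename such as "something-ver-1.mpq" by
// pattern rather than by a fixed substr() offset, so a renamed file does not
// silently yield the wrong byte. Returns null if no number is found.
function mpqVersion($filename) {
    if (preg_match('/(\d+)\.[A-Za-z0-9]+$/', $filename, $m)) {
        return (int)$m[1];
    }
    return null;
}

// Constructed sample body: two DWORDs and two strings behind the header.
$body = insertDWORD(0x00000002)
      . insertDWORD(0x12345678)
      . insertString('sample-ver-7.mpq')             // constructed filename
      . insertString('constructed checksum formula'); // constructed formula
$packet = buildPacket(0x50, $body);

// Parse it back in the same order it was written.
$hdr    = unpack('Cmagic/Cid/vlen', substr($packet, 0, 4));
$first  = getDWORD($packet, 4);
$second = getDWORD($packet, 8);
list($mpq, $next)     = getString($packet, 12);
list($formula, $next) = getString($packet, $next);

printf("id=0x%02X length=%d first=%d second=0x%08X\n", $hdr['id'], $hdr['len'], $first, $second);
printf("mpq=%s (version %d) formula=%s\n", $mpq, mpqVersion($mpq), $formula);
printf("bytes consumed=%d of %d\n", $next, strlen($packet));

// A truncated copy shows the bounds check doing its job instead of reading junk.
try {
    getDWORD(substr($packet, 0, 10), 8);
} catch (RangeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it from the command line with php. The point of getDWORD() and getString() checking lengths is the same one the hex dumpers in this thread make from the other side: don't guess at fixed offsets in $data, read the fields in order and stop when the buffer ends.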

Leaky

I could never figure pack out, so I did it a different way...

Smarter

Quote from: Leaky on September 26, 2007, 02:40 PM
Why fix Fapiko's bot? It wasn't all that useful to begin with... I would suggest creating your own like I did.. a nice framework can go a LONG way! And Fapiko's is a nice reference tool... Also I've converted someone's (I don't remember who.. somewhere on these boards) packet class from VB to PHP and it's open to the public, just send me a PM if you'd like it.. It's pretty handy, but you need to know how to use classes in order to use it.

Well, any PHP bot would be great, but I didn't know of any others. Is yours public/open source? Also, I don't know enough PHP to write my own bot, just enough to read it, modify it, and write simple things, so couple that with knowledge of BNCS and I can fix his bot.
Since '99

BrutalNet.Net