[C -> S] 0x51

Started by Trunning, May 07, 2010, 10:24 PM


Trunning

I was in a rush Mr Negative, hmm.

Length = 17 00
ID = 0b

Size = 03 00 00 00
Flags = 02 00 00 00
Password = 6c 6f 6c
ClientKey = 88 ad e7 4b
ServerKey = 90 ee 12 9a

What's the fd? An extra uninitialized byte?

Hdx

The fd is from something. When you use malloc() it doesn't actually set the memory to anything, it just leaves whatever happened to be there.
Though, it's odd it's always been fd... anyways, it's a simple fix, find it!

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Trunning

Take 1 byte off the allocation? OK, well, that didn't work, hmm.

Well memset didn't set it to zero, so it looks like it's being set somewhere.

Hdx

I don't think that would actually fix it.
I think it's an issue with your bnls_send parameters.


Trunning

Yeah it was the size.

0000   16 00 0b 03 00 00 00 02 00 00 00 6c 6f 6c 2d b3  ...........lol-.
0010   e7 4b 67 3c 33 81                                .Kg<3.


Oh, and you've been insisting on me using a packet buffer; care to link me to one? I've searched the forum without any luck.

Hdx

I don't have one I can readily link. But you should be able to find iago's. Somewhere on his site: http://www.skullsecurity.org/wiki/


Trunning

Real quick, when I get to http://www.bnetdocs.org/?op=packet&pid=144.

Do I double hash "password" for the password?

Hdx



Trunning

My title isn't pointing to the right location. I checked my packet log; I'm receiving 3 DWORDs after the header and before the string.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>   /* send/recv, SOCKET, DWORD; the post does not show its includes */

/* Not shown in the post; layout assumed from the dump "ff 40 33 00":
   sanity byte, packet ID, 16-bit little-endian total length. */
#pragma pack(push, 1)
typedef struct { unsigned char Sanity; unsigned char ID; unsigned short Length; } BNCS_HEADER;
#pragma pack(pop)

void query_realms(SOCKET sockBNCS)   /* sockBNCS: connected socket, set up elsewhere */
{
    BNCS_HEADER head;
    head.Sanity = 0xFF;
    head.ID = 0x40;
    head.Length = sizeof(BNCS_HEADER);   /* header only, no body */

    send(sockBNCS, (char*)&head, head.Length, 0);

    /* Read the response header (assumes recv returns all 4 bytes in one call). */
    char *buf = (char*)malloc(sizeof(BNCS_HEADER));
    recv(sockBNCS, buf, sizeof(BNCS_HEADER), 0);
    BNCS_HEADER da;
    memcpy(&da, buf, sizeof(BNCS_HEADER));
    free(buf);

    char *buffer = (char*)malloc(da.Length - sizeof(BNCS_HEADER));
    int body_size = da.Length - sizeof(BNCS_HEADER);
    /* Note: nothing recv()s the body into buffer before it is parsed below, so the
       strings are read from uninitialized heap memory, and strlen() is not bounded
       by body_size; da.Length is also never checked against sizeof(BNCS_HEADER). */

    char *title = buffer + sizeof(DWORD) * 3;
    int title_len = strlen(title) + 1;
    char *desc = buffer + sizeof(DWORD) * 3 + title_len;
    int desc_len = strlen(desc) + 1;
    (void)body_size; (void)desc_len;

    printf("Title: %s\nDesc: %s\n", title, desc);

    free(buffer);
}

rabbit

Are you sure it's not just stuffed packets?
Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.

Trunning

Packet looks fine in wireshark.

Trunning

Here is the received packet.

0000   ff 40 33 00 00 00 00 00 01 00 00 00 01 00 00 00  .@3.............
0010   55 53 57 65 73 74 00 52 65 61 6c 6d 20 66 6f 72  USWest.Realm for
0020   20 74 68 65 20 55 53 20 57 65 73 74 20 43 6f 61   the US West Coa
0030   73 74 00                                         st.


After analyzing the packet everything is there.

ff 40 33 00 = Header
00 00 00 00 = Unknown, usually 0
01 00 00 00 = Count
01 00 00 00 = Unknown usually 1

55 53 57 65 73 74 00 = Title
52 65 61 6c 6d 20 66 6f 72 20 74 68 65 20 55 53 20 57 65 73 74 20 43 6f 61 73 74 = Description
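A bounds-checked parser for exactly this 0x40 response, added here as an example (not code from the thread or from any Battle.net library). It checks the declared length against the bytes actually on hand and refuses strings that run past the packet, which is what the uninitialized-buffer and strlen() problems in the posted code come down to; field names follow the breakdown above, and the sample bytes are the posted dump re-typed as test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed view of a BNCS 0x40 body: three DWORDs, then two NUL-terminated strings. */
typedef struct {
    uint32_t unknown0, count, unknown1;
    const char *title;        /* points into the packet buffer, NUL-terminated */
    const char *description;
} realm_info_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the string starting at *off and advances *off past its NUL,
   or NULL if no terminator exists inside the declared packet length. */
static const char *take_cstr(const uint8_t *pkt, size_t len, size_t *off) {
    const uint8_t *start = pkt + *off;
    const uint8_t *nul = memchr(start, '\0', len - *off);
    if (nul == NULL) return NULL;
    *off = (size_t)(nul - pkt) + 1;
    return (const char *)start;
}

/* Parse one packet of avail bytes. Returns 0 on success, negative on a framing
   or bounds error, so a truncated or malformed message never becomes a wild read. */
int parse_bncs_0x40(const uint8_t *pkt, size_t avail, realm_info_t *out) {
    if (avail < 4 || pkt[0] != 0xFF || pkt[1] != 0x40) return -1;
    size_t declared = pkt[2] | ((size_t)pkt[3] << 8);      /* 16-bit LE length field */
    if (declared > avail || declared < 4 + 12) return -2;  /* length field vs bytes on hand */
    size_t off = 4;
    out->unknown0 = rd32le(pkt + off); off += 4;
    out->count    = rd32le(pkt + off); off += 4;
    out->unknown1 = rd32le(pkt + off); off += 4;
    if ((out->title = take_cstr(pkt, declared, &off)) == NULL) return -3;
    if ((out->description = take_cstr(pkt, declared, &off)) == NULL) return -4;
    return 0;
}

/* The packet posted above, re-typed as constructed test input (51 bytes, length 0x33). */
static const uint8_t SAMPLE_0X40[] = {
    0xff,0x40,0x33,0x00, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    'U','S','W','e','s','t',0,
    'R','e','a','l','m',' ','f','o','r',' ','t','h','e',' ','U','S',' ','W','e','s','t',' ','C','o','a','s','t',0
};
const uint8_t *sample_pkt(void) { return SAMPLE_0X40; }
size_t sample_len(void) { return sizeof SAMPLE_0X40; }
```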

rabbit

What packet do you think that is?  It's fine.

Hdx

It's another obvious error.
Follow your flow of code, see what variables are being set to what...
Also, quit double posting, there's an edit button for a reason.


Trunning

The ID of my header is being set to 64, it should be 40. I have no idea why this is happening.

Ah, it's in decimal, lemme look at the rest of the code.

I honestly don't know what it was, but rewriting my code fixed it.
