Valhalla Legends Forums Archive | Battle.net Bot Development | <<0E>>?

Luxer
I was using Interarchy 4 to watch KaneBot connect to BNLS, and it looks fairly simple.. However, what is all of this <<0E>> and <<DC>>? I think <<00>> is ASCII 00, AKA null, but I am just not sure.. In case you need it, here is the log I was looking at:



Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
Max TSDU Size = 0
Max ETSDU Size = -1
Connect Data Size = -2
Disconnect Data Size = -2
TSAP Size = 16
Options Size = 256
TIDU Size = 536
Service Type = 2
Current State = 1 (Unbound)
Provider Flags = 0x40000002

Send option management request (T_OPTMGMT_REQ = 108).

Receive option management ack (T_OPTMGMT_ACK = 131).

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
Max TSDU Size = 0
Max ETSDU Size = -1
Connect Data Size = -2
Disconnect Data Size = -2
TSAP Size = 16
Options Size = 256
TIDU Size = 536
Service Type = 2
Current State = 1 (Unbound)
Provider Flags = 0x40000002

Send bind request (T_BIND_REQ = 101).
Bind to «Any Address»
Connection Indication Number = 0

Receive bind ack (T_BIND_ACK = 122).
Bind to port 49656
Connection Indication Number = 0

Send connection request (T_CONN_REQ = 102).
Connect to 63.161.183.202:9367

Receive ok ack (T_OK_ACK = 130).

Receive connection confirmation (T_CONN_CON = 123).
Connect from 63.161.183.202:9367

Send info request (T_INFO_REQ = 107).

Receive info ack (T_INFO_ACK = 129).
Max TSDU Size = 0
Max ETSDU Size = -1
Connect Data Size = -2
Disconnect Data Size = -2
TSAP Size = 16
Options Size = 256
TIDU Size = 1452
Service Type = 2
Current State = 10 (Data Transfer)
Provider Flags = 0x40000002

[code]
Send data (14 bytes).
<00000000< «0E»«00»«0E»KaneBotMBB«00»

Receive data (7 bytes).
>00000000> «07»«00»«0E»«DC»«84»6n

Send data (7 bytes).
<0000000E< «07»«00»«0F»\&«86»«D7»

Receive data (7 bytes).
>00000007> «07»«00»«0F»«00»«00»«00»«00»

Send data (7 bytes).
<00000015< «07»«00»«10»«01»«00»«00»«00»

Receive data (11 bytes).
>0000000E> «0B»«00»«10»«01»«00»«00»«00»«C9»«00»«00»«00»

Send data (73 bytes).
<0000001C< I«00» «01»«00»«00»«00»«01»«00»«00»«00»A=161868574 B=807267571
<0000003F< C=922264113 4 A=A^S B=B-C C=C+A A=A-B«00»

Send data (34 bytes).
<00000065< "«00»«0C»«00»«00»«00»«00»«01»«03»«00»«00»«00»«B0»«1E»«9E»«F7»«0C»
<00000076< «F5»zF********«00»

Receive data (55 bytes).
>00000019> 7«00» «01»«00»«00»«00»«03»«01»«01»«01»Y«C3»«F7»^Starcraft.exe
>00000036> 05/26/04 00:46:00 1048576«00»

Receive data (53 bytes).
>00000050> 5«00»«0C»«00»«00»«00»«00»«01»«01»«01»«00»«00»«00»«0C»«F5»zF
>00000062> «00»«00»«00»«01»«00»«00»«00»zl0«00»«00»«00»«00»«00»r«F6»«0C»]7«02»
>00000077> «08»«96»«8F»«CB»H90«B7»«C3»«E3»«86»«F7»«14»W

Send data (26 bytes).
<00000087< «1A»«00»«0B»«07»«00»«00»«00»«02»«00»«00»«00»******«0C»«F5»zF«B0»
<0000009E< «1E»«9E»«F7»

Receive data (23 bytes).
>00000085> «17»«00»«0B»«BE»6«D8»«0B»«02»f«D1» «F3»«9A»«9D»JqQ«0C»«E9»«E3»«AC»
>0000009A> «DF»n
[/code]

Send orderly release request (T_ORDREL_REQ = 109).


If this is not BNLS, kill me.

[Edit: added code tags around the packet dump in the vain hope of making it somewhat readable.]
August 17, 2004, 4:20 PM
Kp
[quote author=Luxer link=board=17;threadid=8206;start=0#msg75959 date=1092759635]If this is not BNLS, kill me.[/quote]

Can we instead kill you for using a horribly sucky packet logger? It's much much nicer to show it in the usual unified hexdump / ascii dump of 16 bytes per line, once in hex representation with no garbage characters between them (i.e. no < or >), then again as ASCII characters (using '.' for unprintable characters).
August 17, 2004, 4:31 PM
tA-Kane
The "dots" are characters whose character code is either less than 32 or greater than 126 (if I remember correctly).

Sometimes they're actually periods, though.

Luxer, turn off 'Show Status Packets' in your Network Monitor window. They're useless for what you're trying to do, and you wouldn't understand them anyway.

And yes, that is a packet log of my BNLS connection.
August 18, 2004, 4:12 PM
ChR0NiC
Thanks for the CD Key :P
August 18, 2004, 8:00 PM
Luxer
OK.... I don't see a cdkey..
August 18, 2004, 10:43 PM
Myndfyr
[quote author=Luxer link=board=17;threadid=8206;start=0#msg76191 date=1092869033]
OK.... I don't see a cdkey..
[/quote]

Despite your attempt at guarding it by changing it in the right column, check out:

[code]
Send data (34 bytes).
<00000065< 22 00 0C 00 00 00 00 01 03 00 00 00 E8 C0 9A FA "...............
<00000075< 91 A6 E5 4A 32 37 36 36 33 38 32 38 33 32 30 32 ...J*********
<00000085< 38 00
[/code]
Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key. :P
August 18, 2004, 10:52 PM
ChR0NiC
[quote author=Luxer link=board=17;threadid=8206;start=0#msg76191 date=1092869033]
OK.... I don't see a cdkey..
[/quote]

Um notice you edited it? There was a key there before though :P

I won't post the key but it's still visible yes :P
August 19, 2004, 2:47 AM
Adron
[quote author=MyndFyre link=board=17;threadid=8206;start=0#msg76192 date=1092869579]
[code]
<00000075< 91 A6 E5 4A 32 37 36 36 33 38 32 38 33 32 30 32 ...J*********
<00000085< 38 00
[/code]
Start at the position after where the "J" is.

People who know ASCII know that the representations of the decimal numbers start at 0x30, where 0 is 0x30, 1 is 0x31, etc.

From there, it's relatively simple to see your key. :P
[/quote]

This is good to know whenever you run into buffer overflows - if you suddenly see a value like 34333231 in eip, you know that you probably just overwrote a return value with "1234".
August 20, 2004, 4:44 PM
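Kp's preferred dump layout, Myndfyr's ASCII-digit reading and Adron's register trick, put into code as an added example that is not from the thread: a Python helper that decodes Interarchy's «XX» notation into raw bytes, prints the unified 16-bytes-per-line hex/ASCII dump with '.' for bytes outside 32..126, splits off the 2-byte little-endian length and 1-byte packet id that lead every message in the dump, and reads a 32-bit register value back as the little-endian text that overwrote it. The sample packet is the first one in Luxer's log (bot name only); the function names and the header layout as read off the dump are my own assumptions.

```python
import re
import struct

# Interarchy shows non-printable bytes as «XX» and printable ones literally,
# with an optional "<00000000< " / ">00000000> " offset marker in front.
_PREFIX = re.compile(r"^[<>][0-9A-Fa-f]{8}[<>] ")
_TOKEN = re.compile(r"«([0-9A-Fa-f]{2})»|(.)", re.DOTALL)

# Constructed sample: the first packet from the thread's log (14 bytes).
SAMPLE_LINE = "<00000000< «0E»«00»«0E»KaneBotMBB«00»"


def interarchy_to_bytes(text):
    """Decode one Interarchy data line into the raw bytes it represents."""
    out = bytearray()
    for hexpair, ch in _TOKEN.findall(_PREFIX.sub("", text)):
        if hexpair:
            out.append(int(hexpair, 16))
        else:
            out.extend(ch.encode("latin-1"))
    return bytes(out)


def hexdump(data, width=16):
    """Unified dump: offset, hex bytes, then ASCII with '.' for unprintables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
        lines.append("%08X  %s  %s" % (off, hexpart, asc))
    return "\n".join(lines)


def bnls_header(packet):
    """Split the 2-byte LE length and 1-byte id seen at the front of each packet."""
    length, pid = struct.unpack_from("<HB", packet, 0)
    return length, pid, packet[3:]


def register_to_ascii(value):
    """Render a 32-bit register value (e.g. eip after an overflow) as the
    little-endian bytes that were written, so 0x34333231 reads back as '1234'."""
    return struct.pack("<I", value).decode("latin-1")


if __name__ == "__main__":
    pkt = interarchy_to_bytes(SAMPLE_LINE)
    print(hexdump(pkt))
    print(bnls_header(pkt))
    print(register_to_ascii(0x34333231))
```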