Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 13 posts ] 
 Post subject: Ventrilo Algorithm to PHP
PostPosted: 30 Jul 2008 02:46 

Joined: 25 Jun 2008 19:51
Posts: 9
Hello, I'm still quite noobish with C/C++ and I'm having trouble converting this piece of code from your ventrcon into a working PHP variant.

Code:
void ventrilo_first_dec(char *data, int size) {
    char  first[] = "\xAA\x55\x22\xCC\x69\x7C\x38\x91\x88\xF5\xE1";   /* 11-byte key */
    int     i;

    for(i = 0; i < size; i++) {
        *data -= first[i % 11] + (i % 27);   /* per-byte subtract, wraps at 8 bits */
        data++;
    }
}


Any help much appreciated.


 Post subject:
PostPosted: 30 Jul 2008 09:44 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the following has not been tested so I don't know if it works or needs a small modification:

Code:
function ventrilo_first_dec(&$data, $size) {
    $first = array(0xAA,0x55,0x22,0xCC,0x69,0x7C,0x38,0x91,0x88,0xF5,0xE1);

    for($i = 0; $i < $size; $i++) {
        // subtract key byte and position term, wrap to 8 bits like the C version
        $data[$i] = chr((ord($data[$i]) - $first[$i % 11] - ($i % 27)) & 0xFF);
    }
}


 Post subject:
PostPosted: 30 Jul 2008 14:15 

Joined: 25 Jun 2008 19:51
Posts: 9
Thanks for the help, after some time I managed to make a working (?) one.

Anyhow, this is what I've made.


Code:
function ventrilo_first_enc(&$data) {
   // same 11-byte key as the C version
   $first = "\xAA\x55\x22\xCC\x69\x7C\x38\x91\x88\xF5\xE1";
   $first = str_split($first);

   $len = strlen($data);   // byte length of the buffer

   for($i=0;$i<$len;$i++) {
      // chr() wraps the sum to 8 bits, matching the C char arithmetic
      $data[$i] = chr(ord($data[$i]) + ord($first[$i % 11]) + ($i % 27));
   }
}

$buf = "\x00\x00\x00\x00\x32\x2e\x33\x2e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x62\x42\x51\x36\x4c\x54\x71\x53\x6f\x71\x58\x72\x74\x64\x4f\x6c\x53\x48\x66\x75\x44\x46\x44\x39\x68\x32\x4b\x53\x68\x34\x00\x5a\x73\x6a\x35\x4c\x32\x66\x48\x34\x63\x76\x56\x6d\x7a\x7a\x5a\x52\x38\x6f\x52\x45\x74\x73\x6f\x72\x37\x38\x63\x56\x55\x6f\x00";

ventrilo_first_enc($buf);


When I send $buf to a Ventrilo server this is what's sent (sniffed with Ethereal):

Code:
char peer0_0[] = {
0xaa, 0x56, 0x24, 0xcf, 0x9f, 0xaf, 0x71, 0xc6,
0xc0, 0xfe, 0xeb, 0xb5, 0x61, 0x2f, 0xda, 0x78,
0x8c, 0x49, 0xa3, 0x9b, 0x4d, 0x58, 0x02, 0xbd,
0x70, 0x31, 0xd7, 0xed, 0x8c, 0x02, 0xfc, 0x51,
0x58, 0x24, 0xc0, 0x79, 0x41, 0xc6, 0xcf, 0xaa,
0x13, 0xda, 0x4a, 0x35, 0xf4, 0xcf, 0x67, 0x2b,
0xd1, 0xfa, 0x83, 0xa9, 0xfb, 0x82, 0x4b, 0xe0,
0xa3, 0x57, 0x36, 0xb6, 0xb6, 0xa2, 0x0f, 0xe7,
0x6c, 0x66, 0x30, 0xbc, 0x82, 0x13, 0xe8, 0xdf,
0x8f, 0x18, 0x0f, 0x79, 0x69, 0xf8, 0xa5, 0x9e,
0x3c, 0xbe, 0xec, 0x3a };


I'm getting no response whatsoever here.


I've also tried to compare the data with your function in C++:

Code:
void ventrilo_first_enc(char *data, int size) {

   const static unsigned char  first[] = "\xAA\x55\x22\xCC\x69\x7C\x38\x91\x88\xF5\xE1";
   int   i;

   for(i = 0; i < size; i++) {
      *data += first[i % 11] + (i % 27);   // per-byte add, wraps at 8 bits
      data++;
   }

}

char buf[] = "\x00\x00\x00\x00\x32\x2e\x33\x2e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x62\x42\x51\x36\x4c\x54\x71\x53\x6f\x71\x58\x72\x74\x64\x4f\x6c\x53\x48\x66\x75\x44\x46\x44\x39\x68\x32\x4b\x53\x68\x34\x00\x5a\x73\x6a\x35\x4c\x32\x66\x48\x34\x63\x76\x56\x6d\x7a\x7a\x5a\x52\x38\x6f\x52\x45\x74\x73\x6f\x72\x37\x38\x63\x56\x55\x6f\x00";

ventrilo_first_enc(buf,sizeof(buf));   // sizeof(buf) counts the string's terminating NUL too


This is what I get when I once again sniff the data sent:

Code:
char peer0_0[] = {
0xaa, 0x56, 0x24, 0xcf, 0x9f, 0xaf, 0x71, 0xc6,
0xc0, 0xfe, 0xeb, 0xb5, 0x61, 0x2f, 0xda, 0x78,
0x8c, 0x49, 0xa3, 0x9b, 0x4d, 0x58, 0x02, 0xbd,
0x70, 0x31, 0xd7, 0xed, 0x8c, 0x02, 0xfc, 0x51,
0x58, 0x24, 0xc0, 0x79, 0x41, 0xc6, 0xcf, 0xaa,
0x13, 0xda, 0x4a, 0x35, 0xf4, 0xcf, 0x67, 0x2b,
0xd1, 0xfa, 0x83, 0xa9, 0xfb, 0x82, 0x4b, 0xe0,
0xa3, 0x57, 0x36, 0xb6, 0xb6, 0xa2, 0x0f, 0xe7,
0x6c, 0x66, 0x30, 0xbc, 0x82, 0x13, 0xe8, 0xdf,
0x8f, 0x18, 0x0f, 0x79, 0x69, 0xf8, 0xa5, 0x9e,
0x3c, 0xbe, 0xec, 0x3a, 0x94 };


It's exactly the same except for that 0x94 at the end (why?) but I'm still getting no response whatsoever from the server.

Basically I'm trying to create a SIMPLE Ventrilo bot in PHP for learning purposes. But since my knowledge of C/C++ is very limited it's quite hard to follow your source from ventrcon.

Right now I'm trying to send this piece of data encrypted with the Ventrilo protocol and since I'm running a server with version 2.1.2 I'm hoping to get an answer back telling me that the server is running a different version.

Code:
00 00 00 00 32 2e 33 2e 30 00 00 00 00 00 00 00   ....2.3.0.......
00 00 00 00 44 62 42 51 36 4c 54 71 53 6f 71 58   ....DbBQ6LTqSoqX
72 74 64 4f 6c 53 48 66 75 44 46 44 39 68 32 4b   rtdOlSHfuDFD9h2K
53 68 34 00 5a 73 6a 35 4c 32 66 48 34 63 76 56   Sh4.Zsj5L2fH4cvV
6d 7a 7a 5a 52 38 6f 52 45 74 73 6f 72 37 38 63   mzzZR8oREtsor78c
56 55 6f 00                                       VUo.


I really appreciate your help!


 Post subject:
PostPosted: 30 Jul 2008 17:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
have you remembered to add the 16-bit size before the data?

Code:
  ##OOOOOOOOOOO
  | |
  | encrypted data
  16 bit size of data in network endian
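The first-stage encoding and the 16-bit length framing from this thread, as an added Python example (not ventrcon's code and not the poster's PHP): it re-implements ventrilo_first_enc()/ventrilo_first_dec() on byte strings, frames the payload as described above, and checks the result against the 84 bytes the poster sniffed. The plaintext and captured bytes are the thread's own; frame() and stray_trailing_byte() are names chosen here.

```python
import struct

# 11-byte key from ventrilo_first_enc()/ventrilo_first_dec() in the thread.
FIRST = b"\xAA\x55\x22\xCC\x69\x7C\x38\x91\x88\xF5\xE1"


def ventrilo_first_enc(data: bytes) -> bytes:
    """Add key[i % 11] + (i % 27) to every byte, wrapping at 8 bits.
    The length comes from the bytes object, never from a NUL scan, so the
    many embedded 0x00 bytes in this packet are encoded as well."""
    return bytes((b + FIRST[i % 11] + (i % 27)) & 0xFF for i, b in enumerate(data))


def ventrilo_first_dec(data: bytes) -> bytes:
    """Exact inverse of ventrilo_first_enc()."""
    return bytes((b - FIRST[i % 11] - (i % 27)) & 0xFF for i, b in enumerate(data))


def frame(payload: bytes) -> bytes:
    """Wire layout described in the thread: 16-bit size of the encoded data
    in network (big-endian) order, followed by the encoded data."""
    return struct.pack(">H", len(payload)) + ventrilo_first_enc(payload)


# The 84-byte plaintext the poster sent: version "2.3.0" plus two 31-char tokens.
PLAIN = (b"\x00\x00\x00\x00" + b"2.3.0" + b"\x00" * 11
         + b"DbBQ6LTqSoqXrtdOlSHfuDFD9h2KSh4\x00"
         + b"Zsj5L2fH4cvVmzzZR8oREtsor78cVUo\x00")

# The bytes the poster sniffed on the wire for that plaintext.
WIRE = bytes.fromhex(
    "aa5624cf9faf71c6c0feebb5612fda78"
    "8c49a39b4d5802bd7031d7ed8c02fc51"
    "5824c07941c6cfaa13da4a35f4cf672b"
    "d1fa83a9fb824be0a35736b6b6a20fe7"
    "6c6630bc8213e8df8f180f7969f8a59e"
    "3cbeec3a")


def stray_trailing_byte() -> int:
    """Why the C++ run sent one extra 0x94: sizeof(buf) on a string literal
    counts the terminating NUL, so 0x00 + first[84 % 11] + (84 % 27) goes out."""
    return ventrilo_first_enc(PLAIN + b"\x00")[-1]
```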


 Post subject:
PostPosted: 30 Jul 2008 20:24 

Joined: 25 Jun 2008 19:51
Posts: 9
Ahh, what a silly mistake!

Right, so I just need to figure out what to do now.

After sending this packet:
(decoded)
Code:
00 00 00 00 32 2e 31 2e 30 00 00 00 00 00 00 00   ....2.1.0.......
00 00 00 00 45 4c 56 44 6f 37 73 67 33 73 5a 73   ....ELVDo7sg3sZs
76 46 69 67 78 64 68 6c 31 73 6c 59 6a 6e 58 53   vFigxdhl1slYjnXS
6d 30 53 00 6e 5a 36 6d 39 65 6b 78 72 78 75 74   m0S.nZ6m9ekxrxut
49 7a 66 68 4e 31 41 74 4b 56 58 67 6d 4f 34 6d   IzfhN1AtKVXgmO4m
6c 72 7a 00                                       lrz.


I receive: (decoded)
Code:
06 00 00 00 00 00 00 00 04 00 00 00 41 45 73 28   ............AEs(
28 61 21 3b 51 7f 51 63 48 73 76 4e 4b 47 26 50   (a!;Q.QcHsvNKG&P
77 5a 4e 71 7f 4f 52 7d 43 59 56 44 7d 37 55 7a   wZNq.OR}CYVD}7Uz
3f 46 30 59 24 31 40 7d 3f 35 65 7a 58 6e 74 6f   ?F0Y$1@}?5ezXnto
73 5b 6d 4f 4a 4f 26 70 4e 32 28 6b 32 71 42 7a   s[mOJO&pN2(k2qBz
24 37 7f 50 41 7b 5b 6e 4e 35 52 2c 59 74 32 30   $7.PA{[nN5R,Yt20
68 48 7d 53 33 24 3e 50 6c 3f 64 28 54 30 37 46   hH}S3$>Pl?d(T07F
63 48 4b 49 73 73 4e 75 3b 56 7d 74 43 43 2a 5a   cHKIssNu;V}tCC*Z
6f 78 4c 6f 7b 29 57 56 51 7e 38 25 3c 31 31 6a   oxLo{)WVQ~8%<11j
69 7b 6a 72 61 32 46 24 44 58 59 25 7d 63 6a 36   i{jra2F$DXY%}cj6
48 36 4f 7e 5d 28 57 72 44 32 79 68 6e 6e 4a 00   H6O~](WrD2yhnnJ.
00                                                .


I'm guessing this is some kind of key or something (?) which should be used to encode the packets further? Am I on the right track? How should I do this? I've looked at your function ventrilo_read_keys but I don't understand much.


 Post subject:
PostPosted: 30 Jul 2008 23:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the ventrilo_read_keys is a very simple function; it looks hard to understand simply because it needs to handle both the ',' and '|' delimiters, which change the order of the keys.

if you find the ',' delimiter it means that the first key is the one used for the incoming data and the other for the outgoing, while if the delimiter is the pipe the order is inverted.


 Post subject:
PostPosted: 31 Jul 2008 04:21 

Joined: 25 Jun 2008 19:51
Posts: 9
Hmm, I think I've almost got it. But the encode function won't work properly.

This is a small PHP script I've made to test the encoding function. Comments should describe it pretty well.

http://pastebin.com/m3dede06c (Syntax highlighting makes it easier to read)

The script prints this:

Code:
0.   00 = 00
1.   fc = fc
2.   66 = 66
3.   75 = 75
4.   34 = 34
5.   33 = 33
6.   6e = 6e
7.   4d = 4d
8.   83 = 83
9.   5a = 5a
10.  3b = 3b
11.  2d = 2d
12.  48 = 48
13.  5b = 5b
14.  aa = aa
15.  7a = 7a
16.  a3 = a3
17.  65 = 65
18.  94 = 94
19.  41 = 41
20.  49 = 49
21.  59 = 59
22.  77 = 77
23.  5d = 5d
24.  61 = 61
25.  60 = 60
26.  8b = 8b
27.  8c = 8c
28.  68 = 68
29.  90 = 90
30.  a9 ! 77


It works great up to byte 30 but then it fails. Cannot figure out why.


 Post subject:
PostPosted: 31 Jul 2008 09:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
you have used strlen() on data which is a sequence of bytes, this is an error for sure.
$l must be passed as an argument of the function.


 Post subject:
PostPosted: 31 Jul 2008 15:30 

Joined: 25 Jun 2008 19:51
Posts: 9
hm, I'm not sure I'm following.

strlen($dec) and sizeof(str_split($dec)) both return the same (252)

$l is supposed to be the length/size of the decoded data, right? Why must I pass it as an argument?


 Post subject:
PostPosted: 31 Jul 2008 19:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the original buffer you pass to the function can contain any byte from 0x00 to 0xff and strlen() tells you how many bytes there are before finding a 0x00.
that's why it is impossible for the enc() function to know how long the input buffer is; you must pass this size as an argument of the function just as I do in my code


 Post subject:
PostPosted: 02 Aug 2008 03:37 

Joined: 25 Jun 2008 19:51
Posts: 9
After too much failing I finally got it to work. The thing that messed everything up was quite the opposite of your last post. PHP does not stop on null chars - which it should, to parse the keys correctly.
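The two parsing pitfalls discussed in this part of the thread (',' versus '|' key order, and stopping at the first NUL the way C's strlen() does), as an added Python example written from Luigi's description rather than copied from ventrcon's ventrilo_read_keys(); the key strings below are constructed samples, and c_string() is a helper name chosen here.

```python
from typing import Tuple


def c_string(raw: bytes) -> bytes:
    """Everything up to the first 0x00, i.e. what C's strlen() would see.
    PHP's strlen()/str_split() keep going past the NUL, which is what
    broke the key parsing in the thread."""
    end = raw.find(b"\x00")
    return raw if end < 0 else raw[:end]


def ventrilo_read_keys(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (incoming_key, outgoing_key).
    ',' -> the key before the delimiter is for incoming data, the other
           for outgoing;
    '|' -> the order is inverted.
    Follows the description in the thread, not ventrcon's actual code."""
    s = c_string(raw)
    for i, ch in enumerate(s):
        if ch == 0x2C:                       # ','
            return s[:i], s[i + 1:]
        if ch == 0x7C:                       # '|'
            return s[i + 1:], s[:i]
    raise ValueError("no ',' or '|' delimiter in key string")


# Constructed samples (not the thread's capture): the same two keys with each
# delimiter, plus bytes after the terminating NUL that a byte-safe strlen()
# would wrongly count as part of the key string.
SAMPLE_COMMA = b"AEs((a!;Q,Yt20hH}S3\x00junk|after"
SAMPLE_PIPE = b"AEs((a!;Q|Yt20hH}S3\x00"
```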


 Post subject:
PostPosted: 02 Aug 2008 17:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
http://it2.php.net/manual/en/function.strlen.php#50938

PHP sux


 Post subject:
PostPosted: 05 Aug 2008 21:35 

Joined: 25 Jun 2008 19:51
Posts: 9
I wouldn't say it sucks.

However, while testing I did find a denial of service which instantly shuts down the server; it works on all current versions. I'm not sure I would like to release it though as it would probably result in my server's death.

