Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 19:09

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 17 posts ] 
Author Message
 Post subject: Ventrilo events with ASM
PostPosted: 13 Oct 2008 22:38 

Joined: 08 Jun 2008 07:17
Posts: 92
Hi Hi :D

Lately I've been looking at ventrilo with a disassembler and I've found some strange events:
EG:

One of them says that your ventrilo server has been closed by the secret service...

What I'm trying to do is see what event triggers that. I really am a total newbie in ASM but you can follow and maybe help me along my path :]
Now I know db hold the message

First I found the db that holds the string
Code:
004F02B0  686173206265656E2064+           db   'has been disabled by order of the United States Secret Service.',0




Then referenced backwards and got this
Code:
004378A5                           CASE_004379B4_PROC0006:
004378A5  68B0024F00                      push   SSZ004F02B0_has_been_disabled_by_order_of_th   
004378AA  8D4C2414                        lea   ecx,[esp+14h]
004378AE  E83DE9FCFF                      call   SUB_L004061F0
004378B3  8B442410                        mov   eax,[esp+10h]
004378B7  50                              push   eax
004378B8  6A03                            push   00000003h
004378BA  E9CC000000                      jmp   L0043798B


What I did is just change another function from "PUSH 000000" to "CALL 4379B4"

I don't even know if I'm doing it the right way but it does popup with the message that I wanted.. Anyways I'm really struggling to find out what triggers this to happen.

Keep in mind I only started to learn ASM yesterday :[


Also let's say a textbox can hold 177 characters, is it possible to change the value so it holds 200 characters with a disassembler?

Don't be afraid to link me to some ASM tutorials :D


Top
 Profile  
 
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 01:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ah ah ah those error messages are incredibly funny 8-)
In short they are the "human message" of the error opcode used for the packet type 6 (the first one received from the server).

the structure of the header of the packet is similar to the following:
Code:
  *(u32 *)(buff + 0)  = 6;      // type 6
  *(u16 *)(buff + 6)  = 9;      // the military stuff from 2 to 9
  *(u16 *)(buff + 8)  = 0x0200; // the "high" byte must be equal to 2
  *(u16 *)(buff + 12) = 0;      // not used for this error

so is the server which is so dumb to say that it has been disabled by this or that entity and so on


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 02:30 

Joined: 08 Jun 2008 07:17
Posts: 92
Thanks for the reply but I really have no idea what that means can you go into more detail of what code you posted means?

And how I might implement it.


I don't think you have understood what I'm trying to do.

I want to send the packet to my server that causes the

Code:
004F02B0  686173206265656E2064+           db   'has been disabled by order of the United States Secret Service.',0
to happen

Sorry if it's alot but I gotta learn somewhere :D


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 11:33 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
that message is only in the client, in fact it's a message showed on the client and not on the server.
so probably you refer to how forcing that type of banning on the server, right?
I "think" (if you want I can check it later) that this banning is activated through the packets received by the centralized master servers when the server contacts them at the beginning.

at the moment replicating that thing is not so easy because ventrilo 3 uses that boring centralized stuff so all my tests were performed with a modified ventrilo_proxy which instead of forwarding the normal server packet sends a new one containing that data, so it sux a bit


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 16:17 

Joined: 08 Jun 2008 07:17
Posts: 92
If you don't mind you can check. I'd have no idea how to check for this.


But.. I just don't want you to do it, I wanted to learn how this is done. So I can help people later like you helped me :D


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 19:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok, let me think if I can give you some hints about learning assembly... uhmmm I learnt it mainly with real practice using debuggers and disassemblers.

in this case you can use the usual breakpoint on recv (for the Ventrilo data) or recvfrom (for the centralized Flagship servers data) and then the breakpoint on the received packet for following all the instructions performed over the memory and everytime you see an assembly instruction that you don't know just watch what happens in the debugger (registers, flags and sometimes memory) or refer to an x86 assembly manual or to the "intel set reference"


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 19:29 

Joined: 08 Jun 2008 07:17
Posts: 92
What debugger do you use?


Personally I use Ollydbg,w32dasm, I saw a post that you used something called IDA but never found it :[


EDIT: Now I always have this problem with debuggers lets use ventrilo for example.. and ollydbg I load up ventrilo in there and press F9 to run it. I'm trying to find where the comment input is. Is there anyway to find with a debugger where the current running code is?


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 20:22 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
had IDA, but didn't understand much lol. sticking to olly :) anyways here's link to IDA.
http://www.hex-rays.com/idapro/


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 14 Oct 2008 20:42 

Joined: 08 Jun 2008 07:17
Posts: 92
Thanks, but ill stick with olly also :D


And I found a really good tutorial about memory and breakpoints that answer my question from before.


Quote:
EDIT: Now I always have this problem with debuggers lets use ventrilo for example.. and ollydbg I load up ventrilo in there and press F9 to run it. I'm trying to find where the comment input is. Is there anyway to find with a debugger where the current running code is?



Here's the tutorial : http://www.youtube.com/watch?v=5lYCC65nl5Q


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 15 Oct 2008 00:59 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
ah i totally mislooked it or something...dunno sometimes i just look and look, but dont see what im looking at.
Quote:
is there anyway to find with a debugger where the current running code is?

you was referring to that the comment input changes ?! it doesn't really matter anymore, because you found solution, but i still would like to know if i saw the point this time :)


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 15 Oct 2008 01:45 

Joined: 08 Jun 2008 07:17
Posts: 92
I don't understand what the last line of your point was supposed to mean "but i still would like to know if i saw the point this time :)"

And Luigi any luck with the funny messages?


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 15 Oct 2008 19:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no JD, except for that test made with the client to see the message "in action" I have not spent other time on Ventrilo due to the lack of interest (at the moment!) on this thing and generally on new projects.


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 25 Oct 2008 18:17 

Joined: 08 Jun 2008 07:17
Posts: 92
This is kinda off topic but I don't see the point in making a new post:



On ventrilo I'm trying to find the address that makes the little green mic lite up (when you talk) with ollydbg. You got any tips on how I would go about finding the address of the action?

Thanks


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 25 Oct 2008 23:14 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
i would go for a memory editor and value is probably 1 and 0 (1 - icon on, 0 - icon off), but its a long shot. in most programs this is how those simple things work, but actually i would like to know the same thing .. how to find such things with olly (prolly would be way faster).


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 26 Oct 2008 13:04 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I think that is called FillRect for placing the green speaker, it's called one time for placing --XMIT-- and a second time for that one


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 06 Mar 2009 20:41 

Joined: 08 Jun 2008 07:17
Posts: 92
Old bump :]


Can someone help me on this from the original post. I'm stuck


I'm still trying to make my server think its "has been disabled by order of the United States Secret Service."

Do I need to send the packet to the ventrilo server or the centralized ones that flagship has put up?


And Luigi how do you set a breakpoint on Recv data I can't find it?


Top
 Profile  
 
 Post subject: Re: Ventrilo events with ASM
PostPosted: 06 Mar 2009 22:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for the question about how to replicate that thing on the server at the moment I don't have an answer yet.
I have seen that also version 2.3 has this message implemented so I lost some time debugging it and found that the function which builds the packet (0040eca0) creates the packet 6 only through a function (0041d3b0) which gets its parameters from 10 different other functions but none of them passes the needed values (0x200 and 9 or other similar or dynamic values, they pass only 0,1, 2, 0x41 and 4).

and via udp (udp status packet) there are no additional instructions over those which handle the type 1, 2 and 7 (watch ventstat).

the name of the functions is "recv" (case sensitive)


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 17 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: