Luigi Auriemma

SA:MP invisible Fake Players DoS 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx: 7777

name: ...::BaluNet Server 0.2.2::...
mode: Public Enemy: LS(m)
map: San Andreas
players: 6/100
password: off

- start attack:
Player:
Error: socket timeout, no reply received

use this on samp 01 but now version 0.2.2

seems that they have changed the protocol and have added zlib compression, I need to add this new one to the tool.
If you have a couple of sniffed packets they can be useful too.

:)

I repeat: if you have a couple of sniffed packets (are ok those collected with wpe too) they are very useful.
I don't have the game so I can only monitor the dedicated server.

i have no sniffed ..! :(

It's enough to use WPE (http://wpepro.net) and dumping some packets, it's just a matter of seconds.
Otherwise here I have nothing else to do since seems that an unique udp packet is no longer enough to fill the server's slot

I have v0.2.2 installed, so I just fired up wireshark real fast and connected to a server. Here is the first 18 packets in order... hope it helps you guys: http://zero-labs.net/samp.txt

The packets which start with SAMP are not very useful, can you collect the first packets which don't have "SAMP" at the beginning?
Thanx!

cause the sampfp was working on version 0.1b perfectlly
now we just need a new version of sampfp that working with 0.2.2
thank you

Hey,

Sorry about that. Those were probably just the server query packets. I did it again, and scanned after clicking on the server (to avoid the query packets).

Refresh the link here to get the new packets: http://zero-labs.net/samp.txt

Hope that helps :)

Excellent work friend 8-)

The packets which starts with the byte 0x78 (the char 'x') identify the beginning of zlib compressed data which use a positive windowbits value, this is usually an interesting thing to know when playing with unknown packets, protocols and files.

Update: I have found where I was wrong... the packets sent by the server are not compressed, that's why I didn't understood the protocol ih ih ih
The new version of sampfp will be released in the next hours.

first of all .. i have never used it, but about packets and WPE pro ..
since WPE pro opens process and records packets directly from that process..it wont capture some vital info sometimes. I dont know why, but its just so. it wont show me half of things sometimes...packets just r not full...

i compared ''join'' packets for game aliens vs predator 2 long time ago .. and i remember that those packets in WPE pro was not full packets. some data was missing. etherpeek is much better :)

try to use my wpe2cap tool so you can have a pcap-style file which you can use for comparing.
During my tests wpe has been ever excellent with its capturing

Interesting, so only the client sends compressed packets, and the server sends regular packets (not compressed)? Cause that's what I noticed.. that only the client's packets sent begin with 0x78

exactly.
Then yesterday I have released the new version of the tool.
The nice thing I have noticed is that passwords are no longer needed, in short an attacker can fill a server without knowing the keyword, which wasn't possible (as far as I remember) in the previous versions of the servers.

That packet info is good information to know, as you said. Do you know of any other ways to identify compression or encryption types in packets like you can with zlib? Like a chart of some kind, or a website with more info about different types?

I think you had a program that could identify what types of encoding/algorithms/etc.. were being used in a process, but I was hoping there was an easier way to narrow down what algorithms are being used at a certain time.

zlib with positive windowbits is the most easy to recognize, then there are gzip and bzip2 which have an initial signature too (signsrch can find them or you can just navigate in signsrch.sig for finding them)

i will try it and post replay here :)

C:\tcpfp>tcpfp -t xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

C:\tcpfp>tcpfp -f xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- load file containing the data to send: xxx.xxx.xxx.xxx

Error: No such file or directory

C:\tcpfp>tcpfp -r xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

C:\tcpfp>tcpfp -s xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

problem

Ehmmm the tool is called sampfp (as you wrote in the title of this thread too) not tcpfp... I don't know if laughing or crying, really

for explaining but idownload sampfp , and it sayes

C:\sampfp>sampfp xxx.xxx.xxx.xxx 7777

SA:MP invisible Fake Players DoS 0.1.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
..
name: ...::BaluNet Server 0.2.2::...
mode: Public Enemy: LS(m)
map: San Andreas
players: 6/100
password: off

- start attack:
Player: ..
- no reply I try with new version

Player: ..
- no reply I try with new version

Player: ..1
Player: ..2
Player: ..3
Player: ..4
Player: ..5
Player: ..
Error: unknown packet reply (0)

C:\sampfp>

same sampfp but for samp 0.2.2

i have read this topic for a while..and i dont understand a damn thing anymore ..
are you saying that sampfp doesnt work at all .. or you are saying that it works with one version and doesn't work with other version ?

exactly it's working with one and not working with the new version
do you have the game gta ? i mean samp 0.2.2R version it is the newest version of samp and the fullserver bug i mean players , as you can see UP , ERROR Error: unknown packet reply (0)

In my tests the tool works perfectly just versus version 0.2.2 (tried both local and non local servers) so there is nothing else to change

The tool works fine for me too.

Probably a -f option for flooding the server (as in bf1942fp and bf2fp) can be useful with slow networks.
What you think Soma?

it's working on some servers but not in all servers
for example names NaWaR , Mrluigi , max...
like that and by this i could see that players in the game :)))))
and i think about another idea : to make program for players to login and log out , by this the chat will full and players bug it will be really great ...
i can sen an example program like this called abuser in that program player log in and write in chat *&^%$#$%^& and log out it's really great


thats how the old sampfp worked perfectlly

sampfp supports only invisible players for some simple reasons: the one packet filling is minimalistic, does an anonymous work and is possible to add spoofing without problems and then because SA:MP changes protocol continuously and I don't have the desire of re-reverse anything from scratch all the times.
Later I will add the -f option to the tool

yes

[quote="aluigi"]Probably a -f option for flooding the server (as in bf1942fp and bf2fp) can be useful with slow networks.
What you think Soma?[/quote]

Yea I agree that there should always an -f option that floods continuously no matter what the player count currently is. I feel that showing the server players as they are added until it is full is only useful when demonstrating/testing that the tool works. But if you are wanting to be effective in preventing players from joining, flooding continuously with -f would always be more effective.

And with the -f option, I think there should be no checks/restrictions. The program should just send the packets and not worry about errors, replies, etc.