Pretty much all the issues of the original version with permissions are solved now. The following example can be built for sure with msvc 6, and should work with most other compilers as well. This version writes the key to keyfile.dat in the directory its run in, as well as printing the key to the console each time it changes. It can be started at any time, and should work without having to restart it between EQ sessions. Key is scanned once per second, and eqgame is scanned for once per 10 seconds when its not already been found and valid. It can be started with the offset of the key as a command line argument for when it changes, but runs with the current value as default.

edit again: fixed for lcc too, now
.. and again fixed maybe :)



/*
* kscan.c - version 2
*
* if you get an error about a missing symbol PlaySound, be sure to link with winmm.lib
* if your missing Process32First, link with th32.lib
*/

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <Mmsystem.h>
#include <tlhelp32.h>

FILE *keydat;
unsigned long addr = 0x773b90;

BOOL enable_debug_privs()
{
HANDLE hToken; /* process token */
TOKEN_PRIVILEGES tp; /* token provileges */
TOKEN_PRIVILEGES oldtp; /* old token privileges */
DWORD dwSize = sizeof (TOKEN_PRIVILEGES);
LUID luid;

if (!OpenProcessToken (GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
return TRUE;
printf ("OpenProcessToken() failed: %d\n", GetLastError());
return FALSE;
}

if (!LookupPrivilegeValue (NULL, SE_DEBUG_NAME, &luid))
{
printf ("LookupPrivilege() failed: %d\n", GetLastError());
CloseHandle (hToken);
return FALSE;
}

ZeroMemory (&tp, sizeof (tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

/* Adjust Token privileges */
if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
{
printf ("AdjustTokenPrivileges() failed: %d\n", GetLastError());
CloseHandle (hToken);
return FALSE;
}
return TRUE;
}

void readkey (HANDLE hProcess)
{
ULONGLONG oldkey = 0;
while (1)
{
ULONGLONG key;

if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
break;
} else {
if (key == oldkey)
{
Sleep (1000);
continue;
}
#if defined(__CYGWIN__) || defined(__LCC__)
printf ("new key:\t0x%016llx\n", key);
#else
printf ("new key:\t0x%016I64x\n", key);
#endif
oldkey = key;
if ( (keydat = fopen ("keyfile.dat", "wb")) == NULL)
{
printf ("error opening keyfile.dat for writing\n");
exit (-1);
}
fwrite (&key, 8, 1, keydat);
fclose (keydat);
/* try to play the default exclamation sound, if that fails, use beep */
if (!PlaySound ("Exclamation", NULL, SND_ASYNC))
Beep (500, 500);
}
}
CloseHandle (hProcess);
}

void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

/* Take a snapshot of all processes in the system. */
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

/* Fill in the size of the structure before using it. */
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

/* strip path and leave exe filename */
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return;
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}


int main(int argc, char *argv[])
{
if (argc == 2)
{
addr = strtoul (argv[1], NULL, 16);
printf ("set offset to 0x%08x\n", addr);
} else {
printf ("using default offset 0x%08x (usage is: %s [offset], to use a different one)\n", addr, argv[0]);
}
printf ("enabling debug privs\n");
if (enable_debug_privs() == FALSE)
{
printf ("error enabling privs\n");
return 1;
}
printf ("scanning for eqgame\n");

while (1)
{
scanproclist ();
Sleep (10000); /* pause 10 seconds between checks */
}

return 0;
}

Ok, I give up on trying to get this to show up as an attachment soo... anyway, just consider this a quick example to use for building your own keyreader off of.

WARNING: old version, leaving it here as a reference, I recommend using the version from the post above.

kscan.c:



#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

void readkey (HANDLE hProcess)
{
while (1)
{
unsigned long addr;
ULONGLONG key;

printf ("\nenter offset (ie: 0x00773b90): ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
} else {
printf ("key:\t0x%016I64x\n", key);
}
}
fflush (stdin);
}
}

void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return;
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}


void main(int argc, char **argv)
{
printf ("scanning for eqgame\n");
scanproclist ();
}

Doesn't compile in MSVC++ 5 (for those *like me *g* that don't have MSVC++ 6)



--------------------Configuration: kscan - Win32 Debug--------------------
Compiling...
kscan.c
C:\Windows\Desktop\kscan.c(53) : error C2001: newline in constant
C:\Windows\Desktop\kscan.c(53) : error C2015: too many characters in constant
C:\Windows\Desktop\kscan.c(54) : error C2105: '--' needs l-value
C:\Windows\Desktop\kscan.c(54) : error C2146: syntax error : missing ';' before identifier 'pCurChar'
C:\Windows\Desktop\kscan.c(54) : error C2059: syntax error : ')'
C:\Windows\Desktop\kscan.c(56) : error C2146: syntax error : missing ')' before identifier 'strcpy'
Error executing cl.exe.

kscan.obj - 6 error(s), 0 warning(s)

-- *pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
++ *pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;


A lot of compilers interrupt the single \ as escaping the ' char.


Also I don't know what compiler the existing format string for the key printf works under, but gcc hates it

-- printf ("key:\t0x%016I64x\n", key);
++ printf ("key:\t0x%016llx\n", key);

NOTE THE FIX ABOVE IS A CHANGE, I borked it up good the first time and only printed 32 bits of the key.

Thanks Mongo, never would have thought of that.

For those that get linking errors during build, don't forget to add th32.lib to your project (Alt+F7, go to Link tab, add "th32.lib" to "Object/library modules")

Interesting approach. Need to stew on this a little.

The thing I don't like about this approach is the need for the sniffer to stay attached to the process the entire game session. It would be nice to just start up a process breifly when you want a key, and then terminate.

I've heard that type of method is more involved.

I don't have the windows coding skills to know.

Thanks for the code though.

You could have it watch the log file, and you could make it read a new key and export it to the seq box when it sees the password. If you are worried, you could make the password something like "Helo" and "accidently" type it in. Also, I think /echo works.. not sure.

-- Course that might be the:
WrongWay

You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...

where did the offset 0x00773b90 come from? is it real? does it change (like maybe when eqclient.exe gets updated)?

how often does the key at the specified address change? per eq run? per zone? per hour?

any info would be helpful. thanks!

Originally posted by maggotboy
You should only need the PROCESS_VM_READ permission in your OpenProcess statement ... It might succeed in cases where PROCESS_ALL_ACCESS would fail on NT.

Also ... you may want to check to find out if calling OpenProcess on everquest.exe which then in turn launches eqgame.exe will give you (through inheritance) supervisory access to eqgame.exe ...

Using PROCESS_VM_READ works wonderfully.

Thanks
GrimJack

With the update of todays source code it would also be possiable to ftp from EQ machine to SEQ machine the key then have SEQ use the load key from file commend. Just a thought on how to semi-automate the process of key entry.

For anyone who doesn't have a compiler, I compiled it and posted it at:

***************

md5sum - e6dcc25c8a5104017e4dda907082a7c5 eqsniff.exe

I know... I know... "What if it's a virus?". It's not. Don't download it if you think it might be. Scan it if you think it is (you should do that with all your downloads anyhow).

Removed the link. It was out of date pretty quick anyhow.

If we are conserned with LibEQ.a being a pw sniffer such that we Md5sum it. Then whats to stop the people from posting links to Key rippers that do not do anything but grab your login info. Nothing. I would recommend caution when running anything Dl'ed from the net in this mode or any mode. Guess I should call my windows programing buddy and get a copy of his compiler.. Unless Fee or Ratt post it.. or its source that i can follow its not going on my machine.

IgorQ.

ps. It doesnt have to be a virus to send your login info to him. and im not saying it is a login graber. just be warry... and the fact that he posted an MD5sum of it means only that its the one he compiled....

Question: Do you have to know any coding or can you just enter that in compile and have it work? I unfortunately no shit about C++.

Thanks for the code snip mvern. On Win98SE the high DWORD of the key it reads is always 0xffffffff for me, which doesn't seem right. Is it right? Decoding isn't working with the key. I have new libEQ.a and latest cvs update, though I didn't do a make clean/full rebuild.

Thanks again

Okay, you are all blowing away my bandwidth. It's only a 400K DSL pipe out and you just hit peak capacity. If someone has a beefier pipe to put it on, please feel welcome to do so. If you don't trust my code, please compile it yourself. If any of the trusted developers want to do so, all the better.

<edit> Thought I had problems launching sniffer from outside debugging environment, turns out I just can't launch from my cygwin bash prompt

Is there an easy way to create a system service I can leave running?

Danka for the code :D Will try to build something a bit more elaborate out of this.....

What are the chances of adding a switch to the exe that points a txt file where it could write the code? then, could just view from a different machine. Then you wouldnt need to run EQ in a window, or log in and log back out to get key. Am I making any sense here?

Keygen ask for offset

Where do you get this?

Sorry about the missing \, got eatten when I first copied the code over.
Yes, PROCESS_VM_READ is probably a better choice as far as permissions go in the OpenProcess.
The string format is for MSVC++, the change mentioned above should be made for gcc based compilers.
Also, if compiling with cygwin/mgw32, you have to add -lth32 on the compile or you'll get an undefined reference error

This message intentionally left blank

The code compiles beautifully on Borland C Builder 5.0 btw ..thanks!


Hmmm...could someone at least tell us where we can determine the 'offset' that the sniffer is looking for? Or, at least where we can read to determine ourselves?

Is it in opcodes.h?

Ok - I took the code at the start of this thread, and very sloppily transformed it into a .NET web-service. Just grab the files out of the zip, use the C++ Web Service wizard to create the basic shell - and copy the contents of the files over top of the files it creates for you, and you should be good to go.

Going to the address:
http://localhost/test/test.asmx?op=HelloWorld
(replace address with the name of the box running this - assuming you call your project test like I did, and leave method-call named HelloWorld like I did, told ya it was sloppy)
And you can call the function from any web-browser on your LAN. I'm also just going to assume that anyone that has the tools to compile this doesn't need instructions on how to configure your comp to run a web service, etc. It will return 0 if it has an error, or the contents of the memory in EQ's process at whatever address you pass it.

Now - need to clean it up (a lot), find the proper address to call it with to return the key, and change ShowEQ to call it with a SOAP call whenever ShowEQ needs a key.

Remembering to attach it helps too.

Edit: Argh - now I can't attach files properly either. If anyone wants to offer to host it I will send it to them.

Hello all.

First of all, i would like to thank all the genious and kind persons here who made me playin eq
with the little extra info called SEQ for longer than one year now.
It was so nice to see you all work so hard to get SEQ working over and over again.

Second, i am reading this board for a long time, but i didnt respond, cause i felt not worthy enough, hehe

Now, with all these changes and diffculties in gettin SEQ workin again, i would like to say a special
thank you to mvern for this nice code and to scrubfire for compiling it...it works! :)

But i have a question: this offset u have to give in.
I would like to know how you can determine what you have to give in to this little program.
I know with this given example it works, i just tested it.
And i also know it depends on the eqgame.exe u use, which offset u have to give.
But how can i find out what offset i need when this eqgame.exe will change in the future?
Don't get me wrong, i don't want it given to me every time it changes, i am looking for a way to find it out myself.
Maybe it requires some knowledge of a rocket scientist, maybe not. So that is my question here.

And excuse me for my bad english and grammar, german here.

Thank you for the code up there, but...

I compiled and try to run (also DL'd the posted one just to see if I borked something) but what I get is:

scanning for eqgame
found eqgame - pid = 1980

OpenProcess failed, error: 5


I am running XP Pro and assume it is causing this. Anyone else ran into this though?

Monster

but it runs ok 98 but i have not got the key to work on SEQ

the offset examples returns a key, but hasnt worked in SEQ yet.

i got it working...but only once.

I downloaded the compiled exe from scrubfire and started it under w2k.
I used the offset it says in the brackets, gave this key into SEQ and it decoded fine.
Than i ended the program, zoned and tried to start it again.
Now i have the error 5 also...any suggestions?

ok, some more infos:

it will work only when i start it BEFORE i start eq...
and it will work fine at zoning when i DO NOT end it, i.e. let it run the whole time...but thats not what i want :)

So a fix would be to zone, end eq, start the sniffer, start eq again.
But thats not so nice...


thx in advance

I got same error. Just restart eq from desktop and the eqsniff once you get to worldserver select.

Perhaps you can't run it again because the process handle is never closed? I haven't gotten home to play with this yet, but usually it is a good idea to close any handle you open.

Question for anyone who has this working: Do you have to re-run this everytime you zone or is the key set once per EQ session?

Thanks on the error 5 info. that worked.

Yes, you have to get the key each time you zone.


Monster

bonkersbobcat:
Yes, u have to sniff again after u zone...every zoning will create a new key...

so, i dont have a compiler yet, and i used the precompiled version...
just downloading the borland trial, and now i want to know how to close the handles u talked about?
Its not very comfortable to zone, log out, restart eq and than fire the sniffer again...:)

new info: after some tests it won't work here if i start the sniffer after completely zoned in...that means i start it at character screen, giving the offstet over and over till i zoned in...
strange behaviour, where are the c++ cracks here?

very dumb question, how are you starting a program if you are in game already? EQW?

nino2469: why asking when u can give the answer yourself? :)

just making sure :)

Thanks to all those who contributed to this thread. Excellent work on eqsniff.exe and all those that contributed code to it.

Oh man thanks guys. It works great. Got a couple of questions though.
I've confirmed that you do indeed have to keep eqsniff running while you play eq. Also you have to get a new key everytime you zone. Ok now for the questions.
1. Where does that offset value come from and will it change everytime that eqame.exe is updated?
2. How easy is it for VI to see if your running the eqsniffer program?

I get get from offset have zone re-enter done everything hasnt worked one time. But key does change when I zone maybe I need to re update??? any thoughts?

Am I correct in assuming that he offset would differ depending on OS and that the current offset is for Win2K ?

Bleble (Im not a Troll, I just have big bones)

Ok, here's what I did and it worked fine. I'm running XP.
1. Started EQW and got the the server selection screen.
2. Started EQsniffer then logged in my char.
3. Switched back to EQsniffer entered the offset that is in the brackets.
4. Take the key it gives you and enter it into ShowEQ.
5. BAMB ShowEQ starts decoding.

I even zoned a couple of time reentered the offset and got the new key, entered it into showEQ and it started decoding.

Seems like we're on to something here ;)

i am not a programmer at all, but i suppose if i were to try i could at the very least download and compile this... but i would like to offer a suggestion to someone that might be better at this than i am.

Have the client be a network based client. when ever it finds a key, it would broadcast the key (not send it to a specific client). showeq could have a listener so that when ever it saw a broadcast of a key from the ip it is watching, it could pick use it.

by broadcasting it, you don't give away your showeq box itself. of course, anyone on a non-nat subnet would be broadcasting their keys all over the place.

i would really prefer a client that interacts with showeq w/o user input. manually entering a key every time two or 4 eq sessions zone is gonna suck. also, i dislike playing in EQW :)

1. running xp pro
2. start eqw and get to server select screen
3. get command window and run eqsniff.exe
4. get "C:\Documents and Settings\None>eqsniff.exe
'eqsniff.exe' is not recognized as an internal or external command,
operable program or batch file.

Any suggestions?

Haytrid
:mad:

EDIT- Moved eqsniff to c:\ and seems to run fine... asking for offset now...

entered offset shown... works like a champ... hope my post helps...

btw I need to shut eqw and sniffer if you want new zones refreshed

Last note... Hats off to those who made it work again.... you ARE awesome

running win2k, using telnet service to avoid using EQW

I get error 5 unless i run it after i log my char in or zone. works most of the time. sometimes i get a key where the first 8 bytes are all F's. When this happens, zone doesn't decode properly

Originally posted by fryfrog

Have the client be a network based client. when ever it finds a key, it would broadcast the key (not send it to a specific client). showeq could have a listener so that when ever it saw a broadcast of a key from the ip it is watching, it could pick use it.

by broadcasting it, you don't give away your showeq box itself. of course, anyone on a non-nat subnet would be broadcasting their keys all over the place.

i would really prefer a client that interacts with showeq w/o user input. manually entering a key every time two or 4 eq sessions zone is gonna suck. also, i dislike playing in EQW :)

Why? The danger is not in SOE picking up network traffic... it's scanning your task list or even more devious, scanning memory for various finger prints.

Unfortunatley, any program, such as the one in this thread, is going to leave finger prints galore. The trick, now, is to obfuscate and hide it effectively.

true, i spose that point was in the back of my head.

i believe the easiest way would to have the program derive any self titling from its name. so by changing it from "keysniffer.exe" to "explorer.exe" it would change anything internal as well. it could very well use virii like abilities, like say it would insert its code into some executable of your choice... then, you could just leave (for instance) internet explorer running in the background. they would then have to have crc values (or something) for EVERY SINGLE version of IE that ever existed to validate weather or not that program was the key sniffer.

if it hibernated until its parent seq session said "hey, i saw a zone send me the key" it would be only visible for split seconds. unfortunatly, i ain't the person to write something like that.

Edit wrong page... delete if necessary.

Haytrid
:mad:

entered offset shown... works like a champ... hope my post helps...

btw I need to shut eqw and sniffer if you want new zones refreshed

You shouldn't have to restart anthing.
- Zone to new zone.
- Go to cmd window, retype in offset in brackets.
- Type new key into SEQ
- Watch the pretty colors show up :)

I get in with MS telnet and run sniff and all it does is sit there.....


I can get it to work fine in eqw but not in telnet...how come?

Is the offset different for different versions of windows? (98 ME 2K XP)?
Duckman:confused:

Doh, Bonk self on head, I had a new but no the new libEQ.a.
hides back in the cracks.
Duckman

DontWannaSay, how come we havent seen your .net stuff yet? try reposting again, if not toss it onto geocities or something..else pm me and ill host it somwhere
rk

Originally posted by link129


You shouldn't have to restart anthing.
- Zone to new zone.
- Go to cmd window, retype in offset in brackets.
- Type new key into SEQ
- Watch the pretty colors show up :)

Your hands are going to fall off, sir. I opted for the fully automated 'hands free' hack myself.

All that is left for me to do is add an 'Input Session Key' hotkey into the SEQ source or a signal that it can catch to run that particular function. As well as to automate the deadlisting/etc to get the brand-new key offset from the EQ executables so I never have to manually update my key offset database file either.


Werd.


zfod

Your hands are going to fall off, sir. I opted for the fully automated 'hands free' hack myself.

If I knew how to code, I would do it different. As it is, I'm just a user. :)

For all you people out there trying to get this to work with a telnet daemon, it won't if you use the Microsoft one, it won't allow memmory calls that eqsniff wants to make, the way around this? Obviously. Find another telnetd for windows. I downloaded TelnetXQ works great. Displays the info in telnet easy to copy and paste into showeq. And just so you all know, SoE dosn't aggressivly scan your memmory, they might in the future, but i seriously doubt it. Otherwise, find a telnetd you like and use it. Hope this helps all the people that don't want to use EQW as much as i don't.

Updated the code, so that it can be started at any time, and made it exit instead of loop, so there is no process running all the time. Only tested on VC++ .NET


#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <aclapi.h>
#include <tchar.h>

bool AdjustDacl(HANDLE h, DWORD DesiredAccess)
{
// the WORLD Sid is trivial to form programmatically (S-1-1-0)
SID world = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, 0 };

EXPLICIT_ACCESS ea =
{
DesiredAccess,
SET_ACCESS,
NO_INHERITANCE,
{
0, NO_MULTIPLE_TRUSTEE,
TRUSTEE_IS_SID,
TRUSTEE_IS_USER,
reinterpret_cast<LPTSTR>(&world)
}
};
ACL* pdacl = 0;
DWORD err = SetEntriesInAcl(1, &ea, 0, &pdacl);
if (err == ERROR_SUCCESS)
{
err = SetSecurityInfo(h, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pdacl, 0);
LocalFree(pdacl);
return(err == ERROR_SUCCESS);
}
else
return(FALSE);
}

void readkey (HANDLE hProcess)
{
while (1)
{
unsigned long addr;
ULONGLONG key;

printf ("\nenter offset (ie: 0x00773b90): ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
} else {
printf ("key:\t0x%016llx\n", key);
}
}
fflush (stdin);
exit(0);
}
}

void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
HANDLE hpWriteDAC = OpenProcess(WRITE_DAC, FALSE, pe32.th32ProcessID);
if (hpWriteDAC == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed DACL, error: %u\n", dw);
return;
} else {
AdjustDacl(hpWriteDAC, PROCESS_VM_READ);
DuplicateHandle(
GetCurrentProcess(),
hpWriteDAC,
GetCurrentProcess(),
&hProcess,
PROCESS_VM_READ,
FALSE,
0
);
}
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}

void main(int argc, char **argv)
{
printf ("scanning for eqgame\n");
scanproclist ();
}

.

Now where did I put those Developer Studio Disks I burned before I left my last job.....

Ah! Here they are! Now I just need to learn VC++ and how to compile it...


D'OH!

here is some sourcecode with modifications to work with most compilers with trial and error.

The compiler I used is called LCC-Win32 and is at

http://www.q-software-solutions.com/lccwin32/

Here is a telenet server I found that will allow you to run this program w/o permissions.

http://www.datawizard.net/Free_Software/TelnetXQ_Free/telnetxq_free.htm

hope it works guys =)

-end

also here is the code if you cant download it:



#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

void readkey (HANDLE hProcess)
{
while (1)
{
unsigned long addr;
ULONGLONG key;

printf ("\nenter offset: ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
} else {
printf ("key:\t0x%016llx\n", key);
}
}
fflush (stdin);
}
}

void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return;
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}


void main(int argc, char **argv)
{
printf ("scanning for eqgame\n");
scanproclist ();
}

There is a freeware telnet server at http://www.fictional.net/fictional/index.html

I haven't tested it yet but it's a bit cheaper than the 99.00 one above for sure hehe.

Also this code does not compile in LCC as is.

I did this today for delmar. It is essentually a down and dirty quickfix for the WinXP/NT/2000/etc... security bullshit issue.

This hack of Mvern's great code (as it stands) waits 4 minutes, then checks for the key and writes to keyfile.dat, then rewrites it every 2.5 minutes thereafter. The trick is that you have to be at the character selection screen before it checks the first time, and you can't leave the character selection screen until it completes it's first check. Make sense? Yea, it's ugly and stupid, but...then again, this is a simple hack.

Read the comments..and no complaining, I'm not a programmer by trade :D

EDIT:
- Added a routine to write a small file (keyfile.log) each time that contains just the time that the keyfile.dat was last created.





#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <time.h>

//---------------------------------------------------------------------------

int HasDecoded = 0; // compiler compatability
HANDLE hProcessSnap = NULL;
HANDLE hProcess;

void readkey (HANDLE hProcess)
{
unsigned long addr = 0x00773b90; // on some compilers (ie, borland builder), this value must be set to 0x773b90
ULONGLONG key;
FILE *fptr_out;
FILE *fptrlog_out;
long t;
time (&t);


if ( ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL ) == 0)
printf( "ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
else
{
// Left this commented out for reference if needed.
// printf( "key:\t0x%016I64x\n", key );
fptr_out = fopen( "keyfile.dat", "wb");
fwrite( &key, 8, 1, fptr_out );
fclose(fptr_out);
fptrlog_out = fopen( "keyfile.log", "wb");
fwrite( ctime(&t), 20, 1, fptrlog_out );
fclose(fptrlog_out);
}
}

void scanproclist ()
{
PROCESSENTRY32 pe32 = {0};


// Take a snapshot of all processes in the system.
if (HasDecoded == 0)
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile)); *pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1; --pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
if (HasDecoded == 0)
{
hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
HasDecoded = 1;
}
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return;
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

return;
}

int main(int argc, char* argv[])
{

Sleep(240000); // Ok..this is the tricky value. This sniffer needs to "attach" to eqgame
// for the FIRST time at the *CHARACTER selection screen*. Therefore, as it is set
// now (at 4 minutes), you need to make sure you're at the char selection screen
// WITHIN 4 minutes, and you don't enter the game until AFTER 4 minutes.
// Make sense? :) ...once it's done it's business the first time (each session),
// it doesn't matter.
// Once you've gotten a feel for it, you can adjust this timer to what works
// best for you. (1000 = 1 second). It's a pain, but this is a simple program!

while (1)
{
scanproclist ();
Sleep(150000); // modify to be every however minutes you wish. It's currently
// set to 2.5 minutes.
}

return 0;
}

A slight modifcation to original code that was posted by mvern, this modifcation will automatically SCP the key file to your SEQ box, then all you need to do is load key file. I need to add a check in showeq to check date/time stamp on keyfile.dat to see if a change happened keyfile.dat, if so reload key so I don't have to load the key anymore.



#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

void nreadkey (HANDLE hProcess)
{
while (1)
{
unsigned long addr;
ULONGLONG key, lkey;

addr = 0x00773b90;
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
} else {
if ( lkey != key )
{
FILE *fd=fopen("C:\\keyfile.dat", "wt");
if ( fd != (FILE *)NULL ) {
fwrite(&key, sizeof(key), 1, fd);
fclose(fd);
system("C:\\upit.bat");
}
printf ("key:\t0x%016I64x lkey=0x%016I64x\n", key, lkey);
ReadProcessMemory (hProcess, (void *)addr, &lkey, 8, NULL);
}
}
Sleep (15000);
}
}


void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed, error: %u\n", dw);
return;
}
nreadkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}


void main(int argc, char **argv)
{
while ( 1 )
{
printf ("scanning for eqgame\n");
scanproclist ();
Sleep (15000);
}
}



The batch file uses pscp.exe to transfer the keyfile.dat to the SEQ box. PSCP is available here over at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

upit.bat looks like this:


C:\pscp -pw "secret" -q -batch C:\keyfile.dat root@192.1.1.1:/usr/local/share/showeq/keyfile.dat


Thought I would share it. Works good so far, don't know why for the life of me I couldn't get a simple lkey=key to work, just didn't want to do it.. so had to ReadProcessMemory oh well works.
PS: It only SCP's the key file over if it has changed.

I was looking for a complier and saw someone posted about LCC complier so I downloaded it and can't seem to it to work with the code so I came back and saw the second posting by someone else saying it doesn't complie in LCC ..

Did someone managed to get the code to complie in LCC or is there another freeware/trailware complier I can try to use instead?

Running Win2K Pro here

Thanks

CBiLL

OK

I'm sorry, guy's am I an idiot (stupid question) or am i missing something (supider question)?

Sniffing is great... but how can you 'go to the command window' if switching to it terminates EQ?

/boggle

I downloaded the sniffer, thanks for the work guys. I did get some keys from it, though I can't get Seq to decode yet, go figure.

I did get the following from the sniffer on the last use:

found eqgame - pid = 2048

OpenProcess failed, error: 5

The earlier pids where less than 2048.

Originally posted by Resiliant
OK

I'm sorry, guy's am I an idiot (stupid question) or am i missing something (supider question)?

Sniffing is great... but how can you 'go to the command window' if switching to it terminates EQ?

/boggle

You have to use EQW

not really, there are ways to get around needing EQW.
Hint, its in this thread.

9e02825's code has a few things needing fixed (for .NET compiler)

1. in readkey(),
if (scanf ("%08x", &addr) == 1)
should probably be
if (scanf ("%10x", &addr) == 1)

2. in scanproclist()
*pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
should probably be
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;

3. in readkey()
printf ("key:\t0x%016llx\n", key);
should probably be
printf ("key:\t0x%16I64x\n", key);


This produces a nice little app that can gets the key and exits and can be run any time. A nice start for any keygrabber utility.

One thing I would like to see is it set the permission on memory reading back to the original values. One way EQ can detect that this has run is by checking to see if read access to memory was granted to EQ. Perhaps someone could post how to do that, I could probably figure it out in time, but it has been a while since I have done this.

Arg..

First thanks for all this work guys.. but I need to bring something up that about 5 people have already mentioend an KEEPS BEING IGNORED.

Where does the offset come from? It will most likely change each time the client is patched, plus there are those of us who play on TEST which is different as well.

So, PLEASE... How do we determine the offset for ourself?

Anyone know a freeware/trialware/shareware complier avaiable?

CBiLL

gnu gcc for windows. (cygwin)

http://www.cygwin.com

comes with bash, vi, and everything else you might need.

1) Download free Compiler here.

http://www.mingw.org

Install.

2) Go into the <driveletter>:\mingw\bin folder (or where ever you installed at)

3) Create a new text file and insert code obtained from above. Rename to keyscan.c

4) edit the following from code above and save file:

*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
to be as
*pCurChar != '\\\' && pCurChar != pe32.szExeFile - 1;

5) Compile the code with "gcc -c keyscan.c"

C:\Program Files\MinGW\bin>gcc -c keyscan.c
keyscan.c: In function `main':
keyscan.c:89: warning: return type of `main' is not `int'

Ignore these errors.

6) Create an executable

C:\Program Files\MinGW\bin>gcc -o keyscan.exe keyscan.o -lth32

You have a new keyscanner. Gratz.

Thank you

CBiLL

has the winxp issue been fixed?

I get OpenProcess failed, error: 5


and no decode so far



running on XP

Im running XP Pro, SP1.

With Mingw, the code that Wxyz posted, and editing the line I specified, I get no codes and it works correctly.

The only thing not working properly is the key written to the key.dat file is not correct, or at least not in hex format?

Is this the way it was meant to be written and then have ShowEQ decode it?

So, PLEASE... How do we determine the offset for ourself?


The easiest way, at this moment, is to go to the IRC channel and type "gm, key" ....I'm not sure if it will ALWAYS be right or available...but that's one place to get it right now.



has the winxp issue been fixed?


Yes...read my posting from earlier and the code that came with it.




I get OpenProcess failed, error: 5


and no decode so far



running on XP


First, Mvern's (awesome!) code will not work for XP users as it is. It will decode the first session, then no more.

The code I posted will work for you, but you have to follow the instructions that I included CAREFULLY! You must have it find the key the first time while at the CHARACTER SELECT screen ....not before, not after. Once it has done that, then it should work fine for the rest of your session.

READ THE SOURCE COMMENTS!

So, PLEASE... How do we determine the offset for ourself?

--------------------------------------------------------------------------------


The easiest way, at this moment, is to go to the IRC channel and type "gm, key" ....I'm not sure if it will ALWAYS be right or available...but that's one place to get it right now.

-----------------------------------------------------------------------------

Hm.. i'm more of the "teach a person to fish" type .. I'd like to know how to determine it myself :( Mainly because I play on the TEST SERVER, which means your offsets will not work for me.

I will really hate it if SEQ now ends up unusable to me simply because I choose to play on a different server.

So, please, can anyone briefly describe how to determine the offset? I'm a programmer myself so I should be able to figure it out with a little instruction (Although i'm not all that good with low level stuff, i'm sure I can figure it out).

Simple: Disassemble eqgame.exe. Locate the decryption routines in eqgame.exe, check the location it gets the key from.

--Jeeves

---
The easiest way, at this moment, is to go to the IRC channel and type "gm, key" ....I'm not sure if it will ALWAYS be right or available...but that's one place to get it right now.
---

somebody had to determine what the offset was and tell the bot what it is.

the question is how does one go about determining the offset in order to tell the bot.

or in order to use the test server, or after a patch, or if you use a localized (international) version.

For those of you having problems with windows xp and the error 5 message.

Did you try starting the program via the at scheduler as is suggested in the first post of the thread? That fixed the problem for me.

Originally posted by high_jeeves
Simple: Disassemble eqgame.exe. Locate the decryption routines in eqgame.exe, check the location it gets the key from.

--Jeeves

Yes, this I assumed. But I don't know how to find the relative code. Could perhaps someone tell me the existing code offset for this? If I look at it now, maybe I can recognize it in a different exe.

C:\Tools\MinGW\src>..\bin\gcc keyscan.c
C:\DOCUME~1\LOCALS~1\Temp/ccWeaaaa.o(.text+0x1c8):keyscan.c: undefined reference to `Process32First@8'
C:\DOCUME~1\LOCALS~1\Temp/ccWeaaaa.o(.text+0x308):keyscan.c: undefined reference to `Process32Next@8'



This is using the Mingw compiler from the link provided above. Anyone care to hazard which headers and libraries I may be missing, and where to get them?

I have that same problem Mr Guy

Yes, this I assumed. But I don't know how to find the relative code. Could perhaps someone tell me the existing code offset for this? If I look at it now, maybe I can recognize it in a different exe.

The current offset is mentioned in the code of the very very very first post in this thread (by thread starter)



C:\DOCUME~1\LOCALS~1\Temp/ccWeaaaa.o(.text+0x308):keyscan.c: undefined reference to `Process32Next@8'


This is using the Mingw compiler from the link provided above. Anyone care to hazard which headers and libraries I may be missing, and where to get them?

Google discussion groups, search for "Process32Next". Or simply read the 5th post in this thread, where I elegantly mention to everyone not to forget to link vs th32.lib

if compiling with mingw use the following:

..\bin\gcc -o prog prog.c -lth32

That should fix you up.

Thanks quack and Mr Suspicious.


I appologize if Process32Next doesn't shout out, you forgot th32.lib to me.

You know.. Im gonna buy the new WineX.. it has linux support.. then i can get RID of my last winders machine :)

Anyway - if you can somehow get the posted keyripper code to print to a file (in unix a simple redirect to a text file - in windows I have now clue.. anyone?), you can create a pair of bat files to do your upload. On XP it's:

upload.bat
--------------
c:\windows\system32\ftp.exe -s:c:\login.txt IP-ADDY-OF-LINUX-BOX

login.txt
----------
LOGIN
PASSWORD
bin
put currentkey.dat
close
bye

Now.. HOW to get the keyripper info to a textfile called currentkey.day - i dunno, microsloths version of C/C++ scares the bejesus out of me. I only have a windows box because I like EQ.. SEQ in it's current state (basically a map that shows where I am) is fine by me - it's what I use it for anyway.

Anyway - if you can somehow get the posted keyripper code to print to a file (in unix a simple redirect to a text file - in windows I have now clue.. anyone?), you can create a pair of bat files to do your upload. On XP it's:


and


Now.. HOW to get the keyripper info to a textfile called currentkey.day - i dunno, microsloths version of C/C++ scares the bejesus out of me. I only have a windows box because I like EQ.. SEQ in it's current state (basically a map that shows where I am) is fine by me - it's what I use it for anyway.

Click back one page (page 5 of this thread), read source, slap head.

related to Wxyz post.

I'm not sure if I missed anything but, I'm having trouble getting my seq to recieve the keyfile.dat. Everything else is going smoothly besides the this.

C:\C>c:\c\pscp -unsafe -batch C:\c\keyfile.dat root@192.168.1.102:/usr/local/share/showeq/keyfile.dat
Fatal: ssh_init: Network error: Connection refused.

Where i'm stumped is wether I can use a normal telnet session to give access to this or if I have to be using an emulated windows to run putty. If I can use telnet how would I go about opening a port? or allowing access to recieve files..

Sorry about dissapearing like that. Posted that just as I was on my way out the door to go home (planning to upload from home) - got paged on my way home and ended up having to help a friend with some RL shit - after which he convinced me to sit around at his place all night getting high.

Anyways - I'll just cut'n'paste the code into here - I don't think it will have the problems that others were having with non-closed processes and stuff because it doesn't loop, it just returns the memory-contents and exits. And even if you don't build SEQ to call it directly when it needs a key, it's nice to be able to use a www-browser from the linux box to get the key from windows without a telnet server or EQW.

Note: it works in decimal for it's input/output, NOT in hex like the original did. If you wanna change it to work in hex/add in fixes that were posted here later in the thread, etc. go ahead.

/em prays the formatting doesn't get screwed.

__________BEGIN Test.h_________________



// Test.h

#pragma once

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

#using <System.Web.Services.dll>

using namespace System;
using namespace System::Web;
using namespace System::Web::Services;

namespace Test
{
public __gc
class Class1 : public WebService
{

public:
// WEB SERVICE EXAMPLE
// The HelloWorld() example service returns the string "Hello, World!".
// To test this web service, ensure that the .asmx file in the deployment path is
// set as your Debug HTTP URL, in project properties.
// and press F5.

[System::Web::Services::WebMethod]
String __gc* HelloWorld(UInt32 Address);

// TODO: Add the methods of your Web Service here

};
}

ULONGLONG readkey (HANDLE hProcess, unsigned long addr);
ULONGLONG scanproclist (unsigned long addr);




_________________BEGIN Test.CPP___________________



#include "stdafx.h"
#include "Test.h"
#include "Global.asax.h"

namespace Test
{
String __gc* Class1::HelloWorld(UInt32 Address)
{
//Call with 7814032 as address to use example address from original code.
return scanproclist(Address).ToString();
}
};

ULONGLONG readkey (HANDLE hProcess, unsigned long addr)
{
while (1)
{
ULONGLONG key;
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
} else {
return key;
}
}
}

ULONGLONG scanproclist (unsigned long addr)
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};
ULONGLONG key;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return 0;

pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
DWORD dw;
dw = GetLastError();
return 0;
}
key = readkey (hProcess, addr);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return key;
}

related to Wxyz post.

I'm not sure if I missed anything but, I'm having trouble getting my seq to recieve the keyfile.dat. Everything else is going smoothly besides the this.

C:\C>c:\c\pscp -unsafe -batch C:\c\keyfile.dat root@192.168.1.102:/usr/local/share/showeq/keyfile.dat
Fatal: ssh_init: Network error: Connection refused.

Where i'm stumped is wether I can use a normal telnet session to give access to this or if I have to be using an emulated windows to run putty. If I can use telnet how would I go about opening a port? or allowing access to recieve files..


Did you configure your firewall? I know I had to do mine and allow SSH traffic into it.

So I assume I need to forward the SSH/telnet port to my seq box?

Is there a way to reliably reset the DACL after you have finished reading the key? An easy way to detect this would be to check the properties on the DACL post-execution, and it would be VERY obvious that the DACL has been modified.... (IMHO a bad thing)

I know you can use

DWORD SetSecurityInfo(
HANDLE handle,
SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo,
PSID psidOwner,
PSID psidGroup,
PACL pDacl,
PACL pSacl
);

to access the current ACL settings, but i'm not familiar enough with ACL's to put everything back where it belongs... I think this snippet is one of the nicer variants out there (as it's fire and forget). but the sticky DACL raises some alarms.

---edit This is relating to DWS's snippet based on the original msg in the forum

--edit Someone mentioned SE_DEBUG_NAME, using the AdjustTokenPriveleges... perhaps someone can take this code and use that?

----x---- Original referenced snippet---x---
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <aclapi.h>
#include <tchar.h>

bool AdjustDacl(HANDLE h, DWORD DesiredAccess)
{
// the WORLD Sid is trivial to form programmatically (S-1-1-0)
SID world = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, 0 };

EXPLICIT_ACCESS ea =
{
DesiredAccess,
SET_ACCESS,
NO_INHERITANCE,
{
0, NO_MULTIPLE_TRUSTEE,
TRUSTEE_IS_SID,
TRUSTEE_IS_USER,
reinterpret_cast<LPTSTR>(&world)
}
};
ACL* pdacl = 0;
DWORD err = SetEntriesInAcl(1, &ea, 0, &pdacl);
if (err == ERROR_SUCCESS)
{
err = SetSecurityInfo(h, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pdacl, 0);
LocalFree(pdacl);
return(err == ERROR_SUCCESS);
}
else
return(FALSE);
}

void readkey (HANDLE hProcess)
{
while (1)
{
unsigned long addr;
ULONGLONG key;

printf ("\nenter offset (ie: 0x00773b90): ");
if (scanf ("%08x", &addr) == 1)
{
printf ("offset:\t0x%08x\n", addr);
if (ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL) == 0)
{
printf ("ReadProcessMemory on 8 bytes at 0x%08x failed: %u\n", addr, GetLastError());
} else {
printf ("key:\t0x%016llx\n", key);
}
}
fflush (stdin);
exit(0);
}
}

void scanproclist ()
{
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = {0};

// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == INVALID_HANDLE_VALUE)
return;

// Fill in the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
HANDLE hProcess;

do
{
LPSTR pCurChar;
char pName[512];

// strip path and leave exe filename
for (pCurChar = (pe32.szExeFile + strlen (pe32.szExeFile));
*pCurChar != '\' && pCurChar != pe32.szExeFile - 1;
--pCurChar)

strcpy(pName, pCurChar);
strlwr(pName);

if ( (strncmp (pName, "testeqgame", 10) == 0) || (strncmp (pName, "eqgame", 6) == 0) )
{
printf ("found eqgame - pid = %u\n\n", pe32.th32ProcessID);
hProcess = OpenProcess (PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess == NULL)
{
HANDLE hpWriteDAC = OpenProcess(WRITE_DAC, FALSE, pe32.th32ProcessID);
if (hpWriteDAC == NULL)
{
DWORD dw;
dw = GetLastError();
printf ("OpenProcess failed DACL, error: %u\n", dw);
return;
} else {
AdjustDacl(hpWriteDAC, PROCESS_VM_READ);
DuplicateHandle(
GetCurrentProcess(),
hpWriteDAC,
GetCurrentProcess(),
&hProcess,
PROCESS_VM_READ,
FALSE,
0
);
}
}
readkey (hProcess);
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle (hProcessSnap);
return;
}

void main(int argc, char **argv)
{
printf ("ID IS \n");
scanproclist ();

}

Amadeus' code, trimmed down to 120 seconds(2 minutes). And nothing happens. Using win2k, logged in as administrator. I tried it trimmed to 20 seconds as well, and got an error 5. bloody thing needs to work

Amadeus' code, trimmed down to 120 seconds(2 minutes). And nothing happens. Using win2k, logged in as administrator. I tried it trimmed to 20 seconds as well, and got an error 5. bloody thing needs to work


Works fine for me and the person that tested it for me on IRC :)


Try this:
1. Start the sniffer application you compiled (without making any changes).
2. Start a stopwatch.
3. Start up EQ.
4. SIT AT THE CHARACTER SELECT SCREEN until your stopwatch says that 4 minutes and 15 seconds have gone by. (ie, your keyfile.dat should be written by this point).
4a. If you havn't gotten to the CHARACTER SELECT SCREEN by 4 minutes, then you will have to start over, raise this value in the code, and recompile.
5. Then select your character and begin playing normally.

(NOTE: The character select screen is the screen where you select your character..not the station select screen or the server select screen.)


YOU HAVE TO DO THIS EACH TIME! If you end your "session" or if EQ crashes, you MUST start the sniffer program again fresh and go through the same routine. It seems stupid and a waste of time, but I don't have days to sit and make it easier :) ....someone coded something and posted it on another thread that might make this easier/better if you want to modify it.



ALSO, there is a bug with ShowEQ at this point that makes it sometimes freeze up/crash when you load the keyfile. I'm sure it will be fixed soon. (I havn't figured out the reason for this yet or a 'pattern' for it.)

I'm not sure if I missed anything but, I'm having trouble getting my seq to recieve the keyfile.dat. Everything else is going smoothly besides the this.

C:\C>c:\c\pscp -unsafe -batch C:\c\keyfile.dat root@192.168.1.102:/usr/local/share/showeq/keyfile.dat
Fatal: ssh_init: Network error: Connection refused.


I got this error too, and what's the matter is that 'sshd' is probably not running on your linux computer. Try telneting your linux computer's IP on port 23. If you're not getting a connection, then this is definately your problem.

If you're running RedHat, type '/etc/rc.d/init.d/sshd start'. Then, type 'setup' and configure it so that it runs every time your computer restarts.

If you're running something besides RedHat, you'll have to look up the proper procedure for starting the ssh daemon.

I'm having trouble... I tried using the offset that was given, but the key i get makes the map on SEQ freak out... so obviously it is not the right key. Could someone give me some pointers on how to obtain the offset myself? i know nothing about decompiling, or where i would look in the code for the offset.
Thanks all for the great work. You are making my EQ experience so much better.

How safe is running this offset checker?

Originally posted by Arrendek
I'm having trouble... I tried using the offset that was given, but the key i get makes the map on SEQ freak out... so obviously it is not the right key. Could someone give me some pointers on how to obtain the offset myself? i know nothing about decompiling, or where i would look in the code for the offset.
Thanks all for the great work. You are making my EQ experience so much better. Do you have the most recent libEQ.a?

Yeah I do... the most recent one is the one that made it work till Wednesday night right?
And let me explain what i mean by the map frekaing out... I starts getting spawns in random places outside the map, so it zooms way out... and has random walkpath lines al over the place.

Nope, you have the old libEQ.a. A new one came out like yesterday. Replace and reinstall showeq. Works like a charm.

updated original post with some new code, enjoy ;)

I've been examining the different sources posted, and one thing stands out in my mind as a red flag:

You CANNOT leave the sniffer active during the entire session.

/tell <gm> I'm sniffing the encryption key. Wanna watch?

Think about it. How short is the code to take the snapshot? You've got MANY examples to choose from... 50 lines (including comments and processing.) That's not very much. How hard do you think it would be for them to send that snapshot back to SOE and allow them to compare notes?

<ENTER SOE NAZI control room>

test.exe here... here... here... here... here... here.... here.... and here.... etc.

sniff.exe here... here... here... here... here... here... here... here... here... here... here... etc.

key.exe here... here... here... here... here... here... and here... etc.

All roughly the same size... All starting at about this date...

Conclusion: They're up to something suspicious. Ban them all, just because we can.

<EXIT control room>

Remember that poll they had a while ago?? I don't remember the exact wording, but I'll paraphrase it for you:

... Would you mind if we scanned your system for running applications that might violate the EULA? ....

I'll admit it, at the time, I said "Sure, have at it. I have nothing to hide." Granted I didn't have SEQ running then,
but even if I did, it's a PASSIVE thing, they can't tell it's there unless they're ACTIVELY monitoring my every move, or I flat out tell them I do.

Yeah, Sure, they *SAY* they're not scanning systems, but it's a corporation. They LIE. We should expect it. It's the American Way!


How difficult do you think it would be for them to send this snapshot code TO YOU while you're playing, execute it every so often, and discard it when you exit? Nothing says they have to put ALL of the code that gets run in the files on your machine. It is after all a NETWORK application that you've given permission to execute on your system. What's to keep it from pulling in some additional code and executing it without you ever knowing about it?


Anyway, enough of that. If this is going to work properly, (and safely,) then the sniffer must do it's business in one pass and terminate completely. It wouldn't be difficult to establish a means by which to tuck the sniffer away in a dark little corner of your computer, and call it every time you zoned to get the new key.

Personally, I've already established *MY* method to get the key whenever I need it, I just need to get the sniffing code worked out so that I can get the key whenever I need it without having to leave a HUGE red flag flying. I enjoy playing EQ, but not enough to have to start completely over again.


We've got the decryption routines, we've got the data stream, we just need to obtain the keys to the locks without drawing any attention to ourselves. Think like a Rouge. "How can we do this without getting caught?" ... If you can't play without SEQ, then you shouldn't be playing at all.


Just something to think about...

Running it the entire time, or running it just once, matters not, if they care to scan for it, and in the process invade every user's privacy, they can do so. Currently, they do not scan for anything. If they decide to next patch, then so be it. Personally, I'll be hiding my scanner as well as possible by then. I dont think they really really want to spend the time just to ban paying customers tho.

Hey guys

What is this key thing ?

Do I need it ?

If so Can someone do a step by step on what I have to do to get it ?

I have found only yew leafs show up now in WL but I need to know where the haze panthers are Im trying to skill up on velious armour : )

I suspect its about this key thing I keep hearing about.

Thanks in advance

The PHAT MAN

Oh Phat_MAN, the thread explains it all, it even tells you step by step what to do... so how about next time you use all those skills your momma taught you like reading and that little thing called intelligence, and read before you post...
But then, maybe i'm giving you too much credit.

Thanks for the help MethHed, even once you told me there was a new one, i couldn't find it :) but i downloaded the one from smurfette.trifocus.net and its compileing now. Hope that one works :)

Ok, I know a little about programming, enough to get me in trouble, but after talking with a friend, he says the only way SOE would know is if the program itself was running under an obvious name or if they did include some subroutine to notify it that the memory was scanned. But the only the OS would be able to tell if that was happening. And with all the programs out there today, memory managers, virus checkers, etc that scan memory all the time, its not likely to be seen.

Just as the sniffer scans the process list for eqgame.exe, eq would have to do the same just to see if you are running a program to do it.

Am I off base here?



him: only the operating system can/could tell EQ when its memory is being scanned.
Me: Maybe even if its a subroutine in the eqgame.exe itself?
Him: only if the operating system is capable of it. which I dont know of any way.
Me: What do you mean? Isn't XP or any windows going to know when a process is called for? All EQ has to do is tell the OS to let it know when a certain process is run. Right?
Him: only if the ReadProcessMemory somehow sets a flag that tells the processes that its memory was scanned. that would mean a list of task names. eq would have to maintain a list of bad names.. just as this program scanns the process list, eq could do the same.

Ok, got the new libEQ.a... and its still not working... every time i run the key scanner, the key it returns is 0xI64x does that seem right? cause it doens't to me... I'm using the last bit of code from this forum... gonna try some of the others till you all get back to me

if you are using MinGW to compile it, follow um... MrEvil's instructions pretty well... but its easy...

Download and install <a href="http://www.mingw.org/">MinGW</a>

copy the source to the program into a file, and save it (easiest is to save it in C:\MinGW\bin where the compiler is). I actually named mine "netscape.c" so it was easier to... hide? from there, its very easy :)



gcc -c keysniffer.c
gcc -o keysniffer.exe keysniffer.o -lth32 -lwinmm


i tried running it from the free telnetd server listed somewhere above, and it worked... only i couldn't close or cancel it. also, while it did grab a key when i pasted it into seq it did not decode. it complained of unknown compression something or other. perhaps i forgot to re-compile or something. i only really want to run this when i REALLY need a decode. i'd rather not have it running all the time.

anyone know how to "ctrl-c" a program that is running from the free telnet deamon "Fictional Deamon"?

I got the following message when It ran....

Fatal: ssh_init: Network error: Connection reset by peer

I saw other people had connection refused.....

What's wrong?

fryfrog,

For MinGw on Windows XP you need to use the:

printf ("new key:\t0x%016I64x\n, key);

line. Suspecting that was the case, I took out the #if/#else and executed both printf statements. The second format worked for me.

Gnomish One

I got the following message when It ran....

Fatal: ssh_init: Network error: Connection reset by peer

I saw other people had connection refused.....

What's wrong?


In my Redhat 8.0, I had to open up and allow ssh traffic in the built in firewall, it worked after that. That was the same error I was getting.

mvern, et al....

Is it beneficial to reset the debug privs back to the way they were? I notice that the various code snippets seem to save the old state, but never make use of it to put things back the way they were after the program snags the key.

Gnomish One

Thanks homer, that got me past that error...now I get this error...


the servers host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.

The server's key fingerprint is:
(A lot of numbers, and letters)

What is this error?

sequser,

take out the -batch command in your upit.bat or keymove.bat file.

this will let you answer yes to a prompt. Once you have done that once, but the -batch command back in and you'll be set.

Monster

haha...Ok..got past that part, next error message...

fatal: ssh_init: Network error: Connection timed out

I have SSH running on Linux box, and Firewall allowing SSH traffic...

Ok, I have compiled Mvern's newly updated code (first code on the first page of thie thread). It works like a charm for the exception of the first half of the key always reads 0x00000000 followed by the correct half of the key. I tested this with the original version that needs to run at all times. Could this possibly be a coding error on this or an error on my part? I complied it twice & still got the same result when testing it with the game. The second half of the listed key is always correct, just the first portion is giving problems.
EDIT:

Switched the compiler from mingw and used lcc. In now is working as intended.

I downloaded MinGW and using Mvern first post code .. after

gcc -c kscan.c

I get this errors

kscan.c:1: parse error before ':' token
kscan.c:9:19: stdio.h: No such file or directory
kscan.c:10:20: string.h: No such file or directory
kscan.c:11:21: windows.h: No such file or directory
kscan.c:12:22: Mmsystem.h: No such file or directory
kscan.c:13:22: tlhelp32.h: No such file or directory
kscan.c:18: parse error before "enable_debug_privs"
kscan.c: In function `enable_debug_privs':
kscan.c:20: `HANDLE' undeclared (first use in this function)
kscan.c:20: (Each undeclared identifier is reported only once
kscan.c:20: for each function it appears in.)
kscan.c:20: parse error before "hToken"
kscan.c:21: `TOKEN_PRIVILEGES' undeclared (first use in this function)
kscan.c:23: `DWORD' undeclared (first use in this function)
kscan.c:24: `LUID' undeclared (first use in this function)
kscan.c:26: `TOKEN_ADJUST_PRIVILEGES' undeclared (first use in this functio
kscan.c:26: `TOKEN_QUERY' undeclared (first use in this function)
kscan.c:26: `hToken' undeclared (first use in this function)
kscan.c:28: `ERROR_CALL_NOT_IMPLEMENTED' undeclared (first use in this func

kscan.c:29: `TRUE' undeclared (first use in this function)
kscan.c:31: `FALSE' undeclared (first use in this function)
kscan.c:34: `NULL' undeclared (first use in this function)
kscan.c:34: `SE_DEBUG_NAME' undeclared (first use in this function)
kscan.c:34: `luid' undeclared (first use in this function)
kscan.c:41: `tp' undeclared (first use in this function)
kscan.c:44: `SE_PRIVILEGE_ENABLED' undeclared (first use in this function)
kscan.c:47: `oldtp' undeclared (first use in this function)
kscan.c:47: `dwSize' undeclared (first use in this function)
kscan.c: At top level:
kscan.c:56: parse error before "hProcess"
kscan.c: In function `readkey':
kscan.c:58: `ULONGLONG' undeclared (first use in this function)
kscan.c:58: parse error before "oldkey"
kscan.c:61: parse error before "key"
kscan.c:63: `hProcess' undeclared (first use in this function)
kscan.c:63: `key' undeclared (first use in this function)
kscan.c:63: `NULL' undeclared (first use in this function)
kscan.c:68: `oldkey' undeclared (first use in this function)
kscan.c:79: `keydat' undeclared (first use in this function)
kscan.c:87: `SND_ASYNC' undeclared (first use in this function)
kscan.c: In function `scanproclist':
kscan.c:96: `HANDLE' undeclared (first use in this function)
kscan.c:96: parse error before "hProcessSnap"
kscan.c:97: `PROCESSENTRY32' undeclared (first use in this function)
kscan.c:100: `hProcessSnap' undeclared (first use in this function)
kscan.c:100: `TH32CS_SNAPPROCESS' undeclared (first use in this function)
kscan.c:102: `INVALID_HANDLE_VALUE' undeclared (first use in this function)
kscan.c:106: `pe32' undeclared (first use in this function)
kscan.c:110: parse error before "hProcess"
kscan.c:114: `LPSTR' undeclared (first use in this function)
kscan.c:114: parse error before "pCurChar"
kscan.c:118: `pCurChar' undeclared (first use in this function)
kscan.c:128: `hProcess' undeclared (first use in this function)
kscan.c:128: `PROCESS_VM_READ' undeclared (first use in this function)
kscan.c:128: `FALSE' undeclared (first use in this function)
kscan.c:129: `NULL' undeclared (first use in this function)
kscan.c:131: `DWORD' undeclared (first use in this function)
kscan.c:131: parse error before "dw"
kscan.c:132: `dw' undeclared (first use in this function)
kscan.c: In function `main':
kscan.c:151: `NULL' undeclared (first use in this function)
kscan.c:157: `FALSE' undeclared (first use in this function)
kscan.c: At top level:
kscan.c:173: parse error before '--' token
kscan.c:173:81: warning: no newline at end of file


I checked the code to see if those strings needed to be changed for MinGW as someone posted to check for and they all corrected ..

Can anyone tell me what I am doing wrong here?

Thank you
CBiLL



P.S. I know this isn't MinGW support forum but at least this forum is based on trying to complie a code use for this software 8-)

Originally posted by Gnomish One
mvern, et al....

Is it beneficial to reset the debug privs back to the way they were? I notice that the various code snippets seem to save the old state, but never make use of it to put things back the way they were after the program snags the key.

Gnomish One

i think that would be wise.

I feel like an idiot, but it might help other people, as I couldn't find anything on this through out the post... However, it's working now..and working nicely..

in the part of the pscp that says -p "password"

Password is the password of your root machine..

<-----Dumbass..

cllnsj,

That is because of your compiler (I assume mingw). I had the same problem. The key that is written to the file however is correct. If you want to clean it up (I did) you should compile using vc++ or posibly one of the other compilers (I had similar results with cygwin and lcc)



CBill,

It sounds like your missing a slash. There is a line that reads:
*pCurChar != '\\' etc...
There should be 2 back slashes between the single quotes. For some reason the forum is dropping one of the slashes.

Monster

This is what my string is

*pCurChar != '\\' && pCurChar != pe32.szExeFile - 1;


Still give the same error :(

CBiLL

CBill, i don't know why, never having used that compiuler,. but the problem you are having is that it can't find the librarys (the .h files) all the other errors are coming from that lack of info...

CBill, did you copy the file to the mingw\bin folder? If not, put it there and try to recompile. :D

Originally posted by CBiLL
I downloaded MinGW and using Mvern first post code .. after

gcc -c kscan.c

I get this errors

kscan.c:1: parse error before ':' token
kscan.c:9:19: stdio.h: No such file or directory
kscan.c:10:20: string.h: No such file or directory
kscan.c:11:21: windows.h: No such file or directory
kscan.c:12:22: Mmsystem.h: No such file or directory
kscan.c:13:22: tlhelp32.h: No such file or directory
kscan.c:18: parse error before "enable_debug_privs"
kscan.c: In function `enable_debug_privs':
kscan.c:20: `HANDLE' undeclared (first use in this function)
kscan.c:20: (Each undeclared identifier is reported only once
kscan.c:20: for each function it appears in.)
kscan.c:20: parse error before "hToken"
kscan.c:21: `TOKEN_PRIVILEGES' undeclared (first use in this function)
kscan.c:23: `DWORD' undeclared (first use in this function)
kscan.c:24: `LUID' undeclared (first use in this function)
kscan.c:26: `TOKEN_ADJUST_PRIVILEGES' undeclared (first use in this functio
kscan.c:26: `TOKEN_QUERY' undeclared (first use in this function)
kscan.c:26: `hToken' undeclared (first use in this function)
kscan.c:28: `ERROR_CALL_NOT_IMPLEMENTED' undeclared (first use in this func

kscan.c:29: `TRUE' undeclared (first use in this function)
kscan.c:31: `FALSE' undeclared (first use in this function)
kscan.c:34: `NULL' undeclared (first use in this function)
kscan.c:34: `SE_DEBUG_NAME' undeclared (first use in this function)
kscan.c:34: `luid' undeclared (first use in this function)
kscan.c:41: `tp' undeclared (first use in this function)
kscan.c:44: `SE_PRIVILEGE_ENABLED' undeclared (first use in this function)
kscan.c:47: `oldtp' undeclared (first use in this function)
kscan.c:47: `dwSize' undeclared (first use in this function)
kscan.c: At top level:
kscan.c:56: parse error before "hProcess"
kscan.c: In function `readkey':
kscan.c:58: `ULONGLONG' undeclared (first use in this function)
kscan.c:58: parse error before "oldkey"
kscan.c:61: parse error before "key"
kscan.c:63: `hProcess' undeclared (first use in this function)
kscan.c:63: `key' undeclared (first use in this function)
kscan.c:63: `NULL' undeclared (first use in this function)
kscan.c:68: `oldkey' undeclared (first use in this function)
kscan.c:79: `keydat' undeclared (first use in this function)
kscan.c:87: `SND_ASYNC' undeclared (first use in this function)
kscan.c: In function `scanproclist':
kscan.c:96: `HANDLE' undeclared (first use in this function)
kscan.c:96: parse error before "hProcessSnap"
kscan.c:97: `PROCESSENTRY32' undeclared (first use in this function)
kscan.c:100: `hProcessSnap' undeclared (first use in this function)
kscan.c:100: `TH32CS_SNAPPROCESS' undeclared (first use in this function)
kscan.c:102: `INVALID_HANDLE_VALUE' undeclared (first use in this function)
kscan.c:106: `pe32' undeclared (first use in this function)
kscan.c:110: parse error before "hProcess"
kscan.c:114: `LPSTR' undeclared (first use in this function)
kscan.c:114: parse error before "pCurChar"
kscan.c:118: `pCurChar' undeclared (first use in this function)
kscan.c:128: `hProcess' undeclared (first use in this function)
kscan.c:128: `PROCESS_VM_READ' undeclared (first use in this function)
kscan.c:128: `FALSE' undeclared (first use in this function)
kscan.c:129: `NULL' undeclared (first use in this function)
kscan.c:131: `DWORD' undeclared (first use in this function)
kscan.c:131: parse error before "dw"
kscan.c:132: `dw' undeclared (first use in this function)
kscan.c: In function `main':
kscan.c:151: `NULL' undeclared (first use in this function)
kscan.c:157: `FALSE' undeclared (first use in this function)
kscan.c: At top level:
kscan.c:173: parse error before '--' token
kscan.c:173:81: warning: no newline at end of file


I checked the code to see if those strings needed to be changed for MinGW as someone posted to check for and they all corrected ..

Can anyone tell me what I am doing wrong here?

Thank you
CBiLL



P.S. I know this isn't MinGW support forum but at least this forum is based on trying to complie a code use for this software 8-)

I would suggest installing cygwin and using the gcc package that it comes with.

Also I would suggest using: gcc -o blah.exe blah.c -lth32 -lwinmm

If you want cygwin to use mingw headers you can do this by adding a -mno-cygwin flag.

Thanks
GrimJack

Arrendek was correct .. I was missing libraries files .. I made a mistake thinking the compiler came with all the library files until I went back to the website and found out it's not packaged with the compiler.

Got some new errors now but it look like something small I can fix myself ..

Thank you for all your helps..

CBiLL

OK...

It works!... mostly

The sniffer is great... my version only pops in every now and then to do its business, then reaches over to the SEQ machine (using a share), and directly creates the file which is then directly read by SEQ -- works like a champ...

Except

1) Every now and then I'll get the wrong key (cause im a *leeetle* too fast. If i do a 'Decoder/Load Session Key', and it's the WRONG key, then it totally crashes SEQ to the point that it won't even respond to process term signals. I have to log off/on

2) Also, from time to time, it appears that the sniffer gives me the *wrong* key... I was in PoT just now, and it looked like it gave me a proper key, but when I tried it it crashed SEQ.

Is there *perhaps* a different key generator for PoP?

Anyway, it mostly works just fine... I would VERY much like a hotkey for the Key load, and some more resiliance if the key is wrong.

1) Every now and then I'll get the wrong key (cause im a *leeetle* too fast. If i do a 'Decoder/Load Session Key', and it's the WRONG key, then it totally crashes SEQ to the point that it won't even respond to process term signals. I have to log off/on


Insert a 10 second "waiting time" before signalling you can load the key and you should be fine. 10 seconds will be more then enough to compensate your "network lag" and to be sure the file has been send over.



// Wait 10 seconds after saving the key to file and uploading it to Linux Box
Sleep (10000);

// Beep via speaker to indicate the key can be loaded in ShowEQ
MessageBeep(500);


I had the same thing, now I simply wait for the beep to indicate the file has been send to the Linux box (10 seconds ago) and never had the issue with loading the wrong key again.

EDIT. crossposted. sorry.

Remove the first 'defined'.

After that, run: gcc -o keyscan.exe keyscan.o -lth32 -lwinmm

edit: looks like you got it figured out in a different post.

I wonder if it might be possible to make a <tiny> request of the developers. Could there possibly be some kind of visual indication.. a color... a character.. something we could look at that would indicate when it is *safe* to enter the key?

Many thanks to all the hard work on this mvern. With your code, some modifications, a VB program, and a NFS share point on my NT Server, I have gotten it to the point that I Click an Icon (the program I wrote in VB) that loads EQ and the sniffer and writes the data file to the NFS share point. When I close EQ the VB program detects it and shuts down the sniffer. "Almost" completely automated. Just gotta click the Load Key whenever I Zone Now :) Thanks Again.......

Edit: Using the sharepoint there is absolutely NO wait time for it to write the file. Pretty much instantaneously. At least I havent been able to click the Load Key button fast enough to notice heh

dumb questions...

obviously, when you zone you get a new each time... so, when you finally enter the new key... does the entire zone decode (like, it saved all the original packets?) or just new spawns? i just assume that it is supposed to be everything. how long do you have until showeq starts throwing away the original zone in packets?

Fry,

If i understand your question the entire zone decodes once you enter the appropriate key.

I do have a few unknowns show up but that could be anything.

J

I have noticed a few anomolies with repops, but the initial decode seems to work unless you wait a while before entering the code. Seems if you wait more than 3 minutes, it takes a while to start decoding and slowly one by one it starts to decode and usually doesnt finish. Best thing to do is try to load the key as soon as you zone :)

Ok, Sorry if this is a stupid question, but how can I have the program (as currently posted on the first message in this thread) write the keyfile as a text file that I can just read?

I'm assuming its on this line:

fwrite (&key, 8, 1, keydat);

I just dont know what to change.

I compiled this last night (after a friend "educated" me on how to compile a w32 console app in VC++), so needless to say I'm not a developer...

It did pull the key in The Nexus, but no in Echo Caverns. I got something strange (significantly different that any other key that has worked) when I was in that zone passing through...

Are there any issues with specific zones?

I was just wondering if any of you programmer types out there could offer any examples, suggestions, etc. about what kind of innocuous, 'extra' code could be added to these programs to disguise their signature, customize them and make them harder to identify or detect.

By the way, the posted scripts are great! This stuff is much more interesting than the game itself. Got the Amadeus version of Mvern's program working on xp. It's very nice.

For starters every place it prints something out change what it says.

Do you really need it to tell you it's scanning for eqgame?

Of course not. Same for any other prompts, such as offset.


Simply changing the size of your program with empty junk couldn't hurt.

int virus_array[1232];
char stuff[256]="McAfee";
char lines[1203]="Consider the case of the Sally, sweetheart of the sea shore";
char lines2[1223]="Seems she had a penchant for the purveyance of pricey products."
char lines3[909]="Terry look at her, with large brown eyes. His throbbing manly loins pressed against her. \"Sally,\" he said. \"Yes Terry\" She sighed with lust in her heart and a swelling in her well endowded bosom. \"I'm gay, Sally\" he replied. \"Fuck\" She said."

Question on obfuscation...

1st, the process for SOE on the key goes something like this (feel free to correct):
Session key is generated and stored in memory then 1 of 2 things happens. 1) the compression/encryption routine reads the key from that memory location or 2) another process transmits the key to the compression/encryption process. The key is encrypted and sent to SOE.

My question is, would it be possible to in scenario 1 watch for that process and "piggyback" on it to get a copy of the key or scenario 2 create a "listener" of sorts to catch the key as it is transmitted/moved between processes?

Network guy here, not a programmer.

Monster

Originally posted by Mr Guy
For starters every place it prints something out change what it says.

Do you really need it to tell you it's scanning for eqgame?

Of course not. Same for any other prompts, such as offset.


Simply changing the size of your program with empty junk couldn't hurt.

int virus_array[1232];
char stuff[256]="McAfee";
char lines[1203]="Consider the case of the Sally, sweetheart of the sea shore";
char lines2[1223]="Seems she had a penchant for the purveyance of pricey products."
char lines3[909]="Terry look at her, with large brown eyes. His throbbing manly loins pressed against her. \"Sally,\" he said. \"Yes Terry\" She sighed with lust in her heart and a swelling in her well endowded bosom. \"I'm gay, Sally\" he replied. \"Fuck\" She said."


I just want to make sure that I have this straight in my head... So, your saying any "code" inserted into the source "changes the signature"? So, if I wanted to plop in there "Hello World" or some other funky little calculation (i.e. show me how many cans are in 27 cases of soda times 3 squared divided by my age minus the square root of the hour etc. etc. etc.) changes the sig?

Just making sure I understand this (since I also am a "network guy" and not a developer)

No... ya'll need to think in terms of a Virus scanner...

Just adding bits and pieces of code to a program isn't going to change it's fundamental fingerprint. That's how virus scanners work... they get a fingerprint of the actual code that's working for the virus, not the bits of fluff that it may attach to itself, etc...

All the key sniffers here have a few things in common that could be targeted. Now, the question is, how do you ferret out that code from "legitimate" code that Joe User may be running on his parents machine? That is Verants stumbling block.

However, it's not a big block, because they don't HAVE to be right... if they wanna ban Grandma Druid who has never heard of ShowEQ just because she's running something that might LOOK like a key sniffer (from some Spyware program or something) ... well, they can.

Looks like I need to take a crash course on C++ crap...

Not that I expect to be able to change the core code much, maybe I'll actually learn something though! :)

**Sigh**

Any suggestions for some "light" reading (Cough Cough Cough)... He he he

However, it's not a big block, because they don't HAVE to be right... if they wanna ban Grandma Druid who has never heard of ShowEQ just because she's running something that might LOOK like a key sniffer (from some Spyware program or something) ... well, they can.

I was wondering about this myself. What if there were apps out there that had a similar "fingerprint" as one of the keysniffers, would SOE be willing to risk banning a NON SEQ user?

I was wondering about this myself. What if there were apps out there that had a similar "fingerprint" as one of the keysniffers, would SOE be willing to risk banning a NON SEQ user?

What "risk" is it to them to ban anyone? Like I said before they will just direct you to whogivesacrap@soe.station.com.

Originally posted by AbaddonxXx69
Ok, Sorry if this is a stupid question, but how can I have the program (as currently posted on the first message in this thread) write the keyfile as a text file that I can just read?

I'm assuming its on this line:

fwrite (&key, 8, 1, keydat);

I just dont know what to change.

Heh,

RTFM -- fputs,fprintf,write,fwrite.


zfod

BTW,

There are some pretty stealthy ways to get around all this hub-bub. First of all, I think you guys need to abandon the concept of just standard Windows horseshit IPC calls for checking on eqgame's memory content.

Look into Win2k kernel objects and \Device\Physical Memory, etc. It's a bit of work, but it isn't impossible.

If you're worth half a tit in 8086 assembler you can get do some creative stuff as well, but you can get by with pure C for sure.

Happy coding.


zfod

Heh,

RTFM -- fputs,fprintf,write,fwrite.


zfod



Thanks, I got it working how I want it.

/cheers :D

Little problem...

--------------------Configuration: vshield - Win32 Debug--------------------
Linking...
vshield.obj : error LNK2001: unresolved external symbol __imp__PlaySoundA@12
Debug/vshield.exe : fatal error LNK1120: 1 unresolved externals
Error executing link.exe.

vshield.exe - 2 error(s), 0 warning(s)



Don't claim to be a programmer... Am I just missing a library include or something?

Your answer is in the first lines of the source code:



/*
* kscan.c - version 2
*
* if you get an error about a missing symbol PlaySound, be sure to link with winmm.lib
* if your missing Process32First, link with th32.lib
*/

God people, you are making this all too easy as usual. I'm running winxp, copied the source from the beginning of this thread, pasted it into MS Visual Studio 6, got the errors predicted in the beginning of the source (doh), followed basic instructions also listed in this thread to correct these errors, compiled my very own sparklin' sniffer proggie, copied it to a folder shared between my linux box and my windows box, ran it, pointed the keyfile from showeq's new tab to this keyfile, and all of a sudden beautiful colors. No problems, just colors. moving dots with levels indicated and all, and best of all, the map fills in EVERY time :)

Now, the reason I say this is too easy is that a couple months ago I bought the "Visual C++ for dummies" book, read to about page 40 and lost it :(. Yup, I'm a total noob. Love you all, but could ya make this showeq stuff a bit more challenging :)

I would rather you be a "n00b" and figure it out than have the devs make an WinSEQ. You still have to compile and have a linux box. This will keep the Aol_user01-1000000 from running it and that is okay with me.

I compiled this utility under win98 using the free borland compiler, and it seems to run fine, but the keys it spits out never end up decoding anything when I type them into showeq.

I believe I have the latest libEQ.a and the latest showeq. When I type the key into showeq it prints out a statement saying it is using the key, along with the "backfill()" message that used to precede successful decoding of zones. No decoded information ever shows up on the map however.

Is it possible that the default address offset currently being used with this program is incorrect for eq running on win98? I believe someone asked earlier in this thread whether it was OS dependent, but no answer was given.

If it is OS dependent, could someone post what the correct offset is for win98? Or where I can find a free disassembler and specific instructions for how to find the correct address myself?

Thanks,
Steve

/bonk lmao - i need to quit screwing with this crap in the middle of the night lol

Now... I've done a search and manually scanned several threads with no luck. How would I go about adding a check so that the key file is only rewritten and thusly a sound is played only if the key has actually changed? Or does it already do that?

BTW, I am using Amadeus's code for this one... Mvern's gives me error 5 for some reason.

Not sure, OldNecro, but if you didn't have such an offensive avatar, perhaps more people would be willing to help you. Personaly I hope they don't...

Anyone who is offended by my avatar is offended by free speech, and I don't need the *bad* advice that such an idiot would have to offer anyway... - Furthermore, anyone here is welcome to put up a black panthers avatar if they so desire and I will speak to them and answer their questions without a second thought. A person's beliefs are their own, and are none of my business.

...and to put one last thing to rest before this turns into a racial argument, I am a firm believer that every race has two types of people. Normal people who contribute to society and build relationships with the people around them, and those other people who leech off welfare and drink themselves into homelessness. There are white people, and there is white trash. There are black people, and there are niggers. Two completely different things.

This board is not the place to discuss things of this nature. Please let that statement be what puts it to rest for good.

OldNecro, your picture and comments about it are by nature provocative, whatever your intentions. They are not relevant to this forum, nor welcome.

"Anyone who is repulsed by a fist up their ass is repulsed by physical intimacy" - no, it is more accurate to say that you are repulsed by some specific instance of physical intimacy.

Anyone who is offended by my avatar is offended by free speech

I fail to see the connection between "freedom of speech" and "burning people alive on a wooden cross".

excercising my free speach by _not_ helping that jerk.

You have the feedom to say anything you want. i have the freedom to be offended by it. blah blah blah.

Originally posted by OldNecro
A person's beliefs are their own, and are none of my business.


LOL but yet you inflict *your* beliefs on everyone else in this forum and expect them to help you....

Listen, believe what you want... but when you brand yourself with hate, don't expect people to run to your aid... /shrug

End this split of the thread... take it to another thread if you want to continue it. I suggest you ignore him (There IS an ignore feature in the User CP) until he changes his avatar.

So anyway... Anyone find a way to only update the file if the key has actually changed?

errr nevermind I just figured it out... just using a var called oldkey and doing an if statement to see if it's the same as the last time it went thru the loop before the file write and sound playing is an easy way to do it...

Very simple indeed. I actually found the time to compile the source on page one. This took a whole whopping 20 minutes of my time (most of which was DL/installing compiler). Follow the instructions and your SEQ will decode as it did before. I did make a bat file to ftp to my box, log in cd to the directory that SEQ looks for keyfile.dat but that is also stated how to do. I have noticed only 1 zone so far that locks SEQ when i use the key.

Hello All,

I have done a search and could not find anything,
i am not a c programmer and do not know alot about
coding, i am a network/storage admin.

i downloaded Mvern's code and then downloaded
borland c/c++ 5.5 the freeware one.

i then tried to compile the code, and got the following errors:

C:\Borland\BCC55\Bin>bcc32.exe kscan.c
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
kscan.c:
Warning W8004 kscan.c 96: 'hProcessSnap' is assigned a value that is never used
in function scanproclist
Warning W8065 kscan.c 157: Call to function 'enable_debug_privs' with no prototy
pe in function main
Warning W8065 kscan.c 166: Call to function 'scanproclist' with no prototype in
function main
Warning W8066 kscan.c 170: Unreachable code in function main
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

it did compile and i was able to run the kscan.exe
and it seemed to work, but i am not sure what i am
missing.


Thanks For your help

showeqgratefull

give MinGW a try, it was very easy for me.

I can't for the life of me figure out where or how to set the default timeout, Telnetting into my one machine and all goes great, but after about 3 mins, I get the:

# Timeout. Disconnecting.
Connection closed by foreign host.

Anyone help a moron out here?

I had posted earlier about the key being found but not working to decode anything in showeq. Must have been operator error in the build process because redownloading libEQ, doing a 'make clean', then rebuilding showeq did the trick.

Steve

First, let me state that I have posted this in two other threads, but one thread was locked and one wasn't really the best place for it. I apologize for this. This thread is probably the best place to discuss this since it is the thread that seems to have originated the code in question. Here is a copy/paste from the original message and some additional info:

quote:
--------------------------------------------------------------------------------
Originally posted by The Duck
<cut>
A) There are basically two EASY ways for EQ to detect you are using third party programs.
<cut>
The Duck [/B]
--------------------------------------------------------------------------------


I have reviewed some of the sniffer code posted here and have seen the use of the OpenProcess function to read the 'eqgame' PID, such as this line used:

hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);

and

if ( ReadProcessMemory (hProcess, (void *)addr, &key, 8, NULL ) == 0)

If I remember my windows programming 101, OpenProcess is, in fact, a debug function that will attach the debugger to the process. Now correct me if I'm wrong but the process can not only detect if a debugger has been attached to it, but it can, quite easily with about exactly one line of code, send a message back to SoE that SOMETHING has done a debug read on its PID. It doesn't make ANY difference what you call the program that is sniffing AT ALL. All SoE has to do is determine that some program has done a debug read and then it's all over.

Simply put, the EQGAME process monitors any debug reads to itself. If one happens, send a violation message to the server. Viola. If you open the process for read every 2.5 minutes or whatever to get the current decrypt key, your process will notify SoE that a suspicious process read is occurring every 2.5 minutes.

When I get some time today I'll look up the debugger function calls and show the source code that Verant could use to send a warning message back to the server based off of defeating the existing sniffer code I have reviewed.

The questions comes down to this: Is ReadProcessMemory() detectable by WaitForDebugEvent() or another debugger function?

I understand the MDSN does not mention that the debug process is(or is not) attached when the ReadProcessMemory function is called.

What I have so far is as follows (I'm still working on it, but it's something to start with) :


// Check for any debugger events and print a warning
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
#include <time.h>


DEBUG_EVENT DebugEv; // debugging event information
DWORD dwContinueStatus = DBG_CONTINUE; // exception continuation

main()
{
for(;;)
{

// Wait for a debugging event to occur. The second parameter indicates
// that the function does not return until a debugging event occurs.

WaitForDebugEvent(&DebugEv, INFINITE);

// Process the debugging event code.

switch (DebugEv.dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
// Process the exception code. When handling
// exceptions, remember to set the continuation
// status parameter (dwContinueStatus). This value
// is used by the ContinueDebugEvent function.

switch (DebugEv.u.Exception.ExceptionRecord.ExceptionCode )
{
case EXCEPTION_ACCESS_VIOLATION:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case EXCEPTION_BREAKPOINT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case EXCEPTION_DATATYPE_MISALIGNMENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case EXCEPTION_SINGLE_STEP:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case DBG_CONTROL_C:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

default:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;
}

case CREATE_THREAD_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case CREATE_PROCESS_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case EXIT_THREAD_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case EXIT_PROCESS_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case LOAD_DLL_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case UNLOAD_DLL_DEBUG_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

case OUTPUT_DEBUG_STRING_EVENT:
printf("Process has been opened by OpenProcess function! You are busted!\n");
break;

}
}
}

Your code will NEVER work, as they can't catch those events.

From MSDN public site (I am at my home now):

The WaitForDebugEvent function waits for a debugging event to occur in a process being debugged

Remarks
Only the thread that created the process being debugged can call WaitForDebugEvent

---

So, they can't call it from EQ. I still believe that you can't call it from the sniffer either, but maybe you are right on that and ReadProcessMemory() or OpenProcess() activates the whatever is named IAmBeingDebugged flag.

If that is the case, they just need to call IsDebuggerPresent() from time to time to be Busted. That is the function that your app needs to call.

Please correct me if I am wrong, this is extremely important as they will probably use it now or they will surely use it in the next patch (after reading this :( )

This is why I am of the opinion that we should NOT set debug privs in the keysniffing application. Diddle with the ACL or run it as system, but don't set debug privs...

C:\MinGW\bin>gcc -o eqsn.exe eqsniff.o -lth32
eqsniff.o(.text+0x388):eqsniff.c: undefined reference to `PlaySoundA@12'

say to link it with winmm.lib

How do I do that?

thanks

Setting debug privs then OpenProcess and ReadProcessMemory does not set off the 'debugger present' flag. To prove this I used CheckRemoteDebuggerPresent (http://msdn.microsoft.com/library/en-us/debug/base/checkremotedebuggerpresent.asp?frame=true). Adding a snippet of code to my scanner using this always showed false.

Mvern, I concur! Upon further review (as they say in the NFL) it appears that the debug privs do not cause a problem with this command.

In case you want to test your keysniffing apps, here is a little code snippet. Change the process string to point to whatever you call this app, and set the offset to 0x00400010. It should return 0x00000000000000b8 as the key, and this program should never stop saying ok.

To prove that it works, attach to it with a real debugger (like W32DASM) and watch it go nuts!

(and no code quality flames! I didn't say it was nice to look at)



#define _WIN32_WINNT 0x0500

#include <windows.h>
#include <stdio.h>


void main(int argc, char* argv[])
{

while(1)
{

if (IsDebuggerPresent())
{
printf("Busted!\n");
}else
{
printf("ok ");
}
Sleep(500);
}
}

GainGreen:

Put -lwinmm at the end of your line.

thanks just a network grunt here. hehehe

First off, let me state the obvious, I am not a programmer. Also I would like to say that you guys are an awesome group who keep this project running and find new ways to thwart the evil VI.

Question: Compiling the code in the first post of this thread I receive two errors. I think they are minor, but they cause the compile to fail.

1st error. [Waning] in function ‘int main(int, char**)’:

What the warning the compiler does not say other then this message.

2nd error. Implicit declaration of function ‘int strtoul(…)’

I know it’s not a typo on my part because I copy/paste from the post into the compiler.

You might also ask why use Dev-C++. Well, it’s because it’s the compiler I have used before on other small projects and because each complier should create an EXE with a different size to also help in making it unique…

Thank you

Using the posted code, I'm generating the keyfile.dat file and reloading it as needed (read - after zoning) in SEQ.

For some reason, only some spawns are being decoded, maybe 5 to 10% of the total spawns showing in the zone. Anyone have any suggestions?

On a side note, does anyone have a code snippet to have SEQ reload the key as needed, or even flag when it's loaded? I'm looking to automate the process completely, having SEQ send the request through to the keysniffer when it needs a new key. While I'm fairly good at writing and debugging my own code, dealing with someone elses is an entirely different beast and that would be a great headstart. Even a pointer to the ideal place to deal with this in the SEQ source would be great.

Thanks in advance, I'm sure some of the grumpier types will find some reason to flame.

I wanted to say thanks.

I modified the code so it only ran one time. Wrote a shell app to pump the keyfile.dat to a samba directory if keyfile.dat changed, and monitor for a telnet connection on a certain port to trigger your code to grab a new key on connect.

Thanks to all involved. I lurk and never post, but I truly appreciate ALL SEQ (and libEQ.a)developers. I refuse to mention names, because I am certain to forget some.

I love you guys/gals~

Mind posting your source for that ?

THanks :)

Hello Wxyz,

I am using your code posted for the keysniffer that scp's keyfile.dat from windows to linux machine - after installing openssh on redhat.

Anyhow - for some reason the key is not getting written correctly - I was wondering if you had any input. when I look at the key that is scp'd to my linux box it is not in hex value - it looks more like a binary file

do any of you have any suggestions? have you seen this?


Thanks for your time and response.

Ok, here's what I did and it worked fine. I'm running XP.
1. Started EQW and got the the server selection screen.
2. Started EQsniffer then logged in my char.
3. Switched back to EQsniffer entered the offset that is in the brackets.
4. Take the key it gives you and enter it into ShowEQ.
5. BAMB ShowEQ starts decoding.


4. Take the key it gives and enter it into ShowEQ.

Where? Ive read/searched the boards but all I find is "enter key into SEQ". Where do you input the key for SEQ? Is it in the SEQ screen itself or is there a linux code line you have to enter? Sorry in advance, Im a non linux user who is struggling to keep up.

:confused:

Where? Ive read/searched the boards but all I find is "enter key into SEQ". Where do you input the key for SEQ? Is it in the SEQ screen itself or is there a linux code line you have to enter? Sorry in advance, Im a non linux user who is struggling to keep up.


You might want to try reading the announcement forums (You know, the ones you should ALWAYS read before you ask questions)... In there, you will find the EXACT instructions on how to do this.

--Jeeves

Sorry, I read the help and sniffer forum. Figured Annoucements was just saying SEQ was broke. Appreciate the redirect.