Maggotboy's Super Stealth Sniffer V2 (code)

**curio** · 11-19-2002, 04:43 PM

I wasnt getting decodes the first few times I tried this using the 2.01 release. I didnt make alot of changes on my first compile, but the one thing I did change was the INJECT_OFFSET.

here's the default:

Code:

// V2
// This offset determines where the new code is injected in the allocated
// memory block.  This number will be bit-shifted to get a good
// aligned offset for the code.  You may make the number anything from
// 0x00 - 0xFF (0 - 255 in decimal notation)
#define INJECT_OFFSET    0x04

I had changed mine to

Code:

#define INJECT_OFFSET    0x63

Changing it to an EVEN offset seems to have gotten my decode back. Maybe this is just anidotal evidence. Are there values we shouldn't use? Bitshifting seems like odd/even offsets might make a difference, but I havent recompiled (yet) to convince myself that odd-aligned offsets throw off the decode.

ymmv

**OrangePeelBeef** · 11-19-2002, 04:46 PM

Working on getting this wonderful piece of work to compile in either lcc or dev-cpp.

I found that #1 they do both support inline assembly

in lcc

_asm(" ");

in dev-cpp

__asm(" ");

I found this for lcc
http://www.q-software-solutions.com/...ual/Pragma.htm

I also found *this* from the dev-cpp faq

16. How to use assembly with Dev-C++ ?

The assembler uses AT&T (not Intel). Here's an example of such a syntax :

// 2 global variables

int AdrIO ;
static char ValIO ;

void MyFunction(..........)
{
__asm("mov %dx,_AdrIO") ; // loading 16 bits register
__asm("mov %al,_ValIO") ; // loading 8 bits register

/*
Don't forget the underscore _ before each global variable names !
*/
__asm("mov %dx,%ax") ; // AX --> DX
}

To me that's just a bunch of gibberish... i know jack about ASM.

I attempted in Lcc

_asm("call $ + 5");
_asm("pop pvmem");
_asm("add pvmem 7");

and during compile i received

Internal Error 1028 on line 556
and there are only 515 lines of code.

On Dev-cpp
i attempted
__asm("call $ + 5");
__asm("pop pvmem");
__asm("add pvmem, 7");

but i got

Assembler messages::
error: suffix or operands invalid for 'call'
error: too many memory references for 'add'

I am doing some more checking... just thought I'd post what I'd found so far

edit: added link for lcc

**maggotboy** · 11-19-2002, 04:51 PM

I updated the code to 2.01 ... fixed the bug in DllMain that prevented it from loading. OOPS!

Maggotboy

**LordCrush** · 11-19-2002, 05:02 PM

/cheer Maggotboy

Ty for your great work - i have not running it now, but will start as soon as i can!

Hmm using Borland ... seems to be some obstacles to overcome

/cheer

/bow

**maggotboy** · 11-19-2002, 05:31 PM

I'm still researching AT&T inline assembly ...

I found this site:

http://www.delorie.com/djgpp/doc/bre...ine_djgpp.html

I'm not really sure how to convert them ... what about:

__asm("pop pvmem");
__asm("add $7, pvmem");

...not sure how to convert the first line. Still researching.

Maggotboy

**OrangePeelBeef** · 11-19-2002, 05:33 PM

Using
__asm("call ($ + 5)");
__asm("pop pvmem");
__asm("add $7, pvmem");

Its getting past the initial asm errors in Dev-CPP
I will try in lcc also

Dev-cpp is tossing out some different ones now
C:\Dev-Cpp\eqsniffer2.o
[Warning] In function `InstallHook(HWND__ *, HINSTANCE__ *, char *, int)':

[Linker error] undefined reference to `inet_addr@4'
[Linker error] undefined reference to `htons@4'

C:\Dev-Cpp\eqsniffer2.o
[Warning] In function `InternalHookProc(int, unsigned int, long)':

[Linker error] undefined reference to `$'
[Linker error] undefined reference to `pvmem'
[Linker error] undefined reference to `pvmem'

**goldmund** · 11-19-2002, 05:35 PM

Deleted my previous project, redownloaded the code, and recompiled a new dll without problems. However I'm still getting the "error loading tcpcnt.dll a dll initialization routine failed"

I noticed in the .cpp file it still said Revision 2.0. Do I still have the older version of the zip file cached maybe?

**Alwayslost** · 11-19-2002, 05:40 PM

Ok, I'll admit it, I was absolutely chicken-shit to try any of the sniffers before now. SEQ had become nothing more than a glorified GPS device for me.

But damn.

You put together a tool that has gotten nothing but praise from those that seem to know whats what. THEN you make it accessable to those of us that don't know a compiler from a compressor AND build into it the ability to customize it to make it even better.

This is so good that others were even pointing people from their code to yours. That was the deciding factor for me.

I can't wait to get home to try it!

THANK YOU!

**wizard** · 11-19-2002, 05:42 PM

in mingw obviously i renamed the eqsniffer2.cpp to snif2.c just causei hate dealing with long filenames at a dos prompt.. line 483 is the { before the inline asm.

I tried some of the examples for lcc and the other compiler given but that just produced more errors.. gcc gives no help on command line arguments near as i can find and the "documentation" in the doc directory is weak at best..

C:\MinGW\bin>gcc -c snif2.c
snif2.c: In function `InternalHookProc':
snif2.c:483: parse error before '{' token

**maggotboy** · 11-19-2002, 06:00 PM

goldmund -- aye, the .cpp file should say "Revision 2.01"

wizard -- this inline assembly is gonna kick everyone's ass, unfortunately. I'm a complete n00b when it comes to assembly, and only got this code from USENET.

Near as I can tell ... if you're using a non-MS compiler the inline assembly has to be converted to "AT&T syntax" ... that is, if the compiler even supports assembly ...

So ... guess some research is in order.

OrangePeel -- the unresolved references to htons and inet_addr are easy to fix -- make sure wsock32.lib is included when the linker runs. The other errors are probably related to the differences between the AT&T syntax and the Intel syntax. Wish I had more info on this, but I don't.

Maggotboy

**cheeze69** · 11-19-2002, 06:05 PM

maggotboy, you are SO the man!

I'll try to slam your new code through VS.net tonight when I get home.

**The Mad Poet** · 11-19-2002, 06:05 PM

Borland supports inline assembly - just preface it with [asm] I believe...

**wizard** · 11-19-2002, 06:07 PM

yea i am at the same point Orange is.. i did the same changes as he did and i am getting the same three pvmem errors he is getting.. not the others though. does the AT&T syntax use something different from a $ as thats what it appears to be barfing on..

**wizard** · 11-19-2002, 06:12 PM

google search AT&T inline intel got me this link..

its all greek to me though..

http://www.delorie.com/djgpp/doc/bre...ine_djgpp.html

**OrangePeelBeef** · 11-19-2002, 06:20 PM

w00ps my brain must be mush to not have noticed i forgot the wsock32.lib

as for lcc i am getting nowhere as to the cryptic 1028 internal error, and can't get that bastard to compile.

wizard: that link is the same one maggot posted about 4 posts up

here are a couple of things from the link that may be useful.. ?

Addressing a particular C variable:

AT&T: _booga
Intel: [_booga]

Note: the underscore ("_") is how you get at static (global) C variables from assembler. This only works with global variables. Otherwise, you can use extended asm to have variables preloaded into registers for you. I address that farther down.

and this one

: "c" (count), "a" (fill_value), "D" (dest)

that second one is interesting.. moving c variables into registers.. may be what we need to do to get past the undefined pvmem?

something like
__asm(: "c" (pvmem) );

i have no idea if that even works

just tossing out ideas here again i know jack about ASM

Thread: Maggotboy's Super Stealth Sniffer V2 (code)

Thread Tools

Rate This Thread

Display

lcc and dev-cpp

2.01 update

first line

Thanks

linking

Thread Information

Users Browsing this Thread

Posting Permissions