ScriptVessel Protocol?

05/25/2007 12:38 Foxsilver#1
Protocol SV 1.** (Tested 1.02 to 1.15) Updated
[Client] SV 1st SEND
Code:
POST .... HTTP/1.1
Contents-Type: .....
User-Agent: [name exe]
Host: [rand host]
..
g=annnn[v][MD5(ScriptVessel ID)][MD5(Password)][MD5(New Password){*}]
[Server] SV 1st SEND
Code:
HTTP/1.1 302
..
Location: [web check]
....
Code:
<%
'ASP CODE
Response.Redirect("[web check]")
Response.ContentType = "text/html"
Response.Flush
Response.End
%>
[Client] SV 2nd SEND
Code:
GET [web check] HTTP/1.1
Connection: .....
User-Agent: [name exe]
Host: [rand host]
Cookie: ASPSESSIONID[ID]=[Cookie]

[Server] SV 2nd SEND
Code:
HTTP/1.1 200 OK
Date: ...
..
<a MD5(UNKNOW)&[Message]>
  • Updated at 2007-05-30:
    All Errors: <a MD5(ScriptVessel ID)&{[Client name exe error] |[Client Error version]|[Log Error MSG]} >
    OK Login: <a MD5(UNKNOW)&[Log OK MSG] >
------------------------------
[English]
---------
a=1 (Login) / 3 (Logout) / 4 (Change Password)
nnnn=4 unknown numbers
[v]=Protocol version Ex.: sv v1.10=110 other sv v1.12=112 other sv v1.02=102

[Message]
->[Client name exe error] Sorry, The client is not accepted, Pls check it!#
->[Client Error version]Sorry, This client is updated, Pls download the new one!#
->[Log OK MSG]Confirms successfully,the Account will be Expired at YYY-mm-dd!#YYY-mm-dd ho:mi:se
->[Log Error MSG]Sorry, Username or Password Error!#

{*}=If this field is not written, it makes MD5()=d41d8cd98f00b204e9800998ecf8427e
--------------
[Spanish]
----------
a=1 (Log in) / 3 (Log out) / 4 (Change password)
nnnn=4 unknown numbers
[v]=Protocol version, e.g.: sv v1.10=110, another sv v1.12=112, another sv v1.02=102

[Message]
->[Exe name error] Sorry, The client is not accepted, Pls check it!#
->[Client version error] Sorry, This client is updated, Pls download the new one!#
->[Session OK message] Confirms successfully,the Account will be Expired at YYY-mm-dd!#YYY-mm-dd ho:mi:se
->[Session error message] Sorry, Username or Password Error!#

{*}=If this field is empty it will make MD5()=d41d8cd98f00b204e9800998ecf8427e
---------------------------------------
[English]
---------
My question is: in "[Server] SV 2nd SEND", how is "MD5(UNKNOW)" made? It's probably saved in ASPSESSIONID[ID]=[Cookie] with the server.
Probably in "[Server] SV 2nd SEND" the "[Message]" checks the !# date and time, but I'm not sure =S

Can anyone help me? Thanks

[Spanish]
----------
My question is: in "[Server] SV 2nd SEND", how does it make "MD5(UNKNOW)"? This may be saved in ASPSESSIONID[ID]=[Cookie] by the server.
Surely in "[Server] SV 2nd SEND", in "[Message]", it checks the !# date and time, but I'm not sure =S

Can anyone help me? Thanks
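As an added example (not part of the original post and not ScriptVessel's own code), here is a strict parser for the `g` field laid out above, the kind of validation a receiving server would run before any account lookup. The three-digit width of `[v]`, the tolerance for upper-case hex, the change-password policy and all names are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Layout from the post: a (1 digit) + nnnn (4 digits) + [v] + three MD5 hex digests.
# Assumption: [v] is always three digits, as in the examples 102 / 110 / 112.
G_FIELD = re.compile(r"(\d)(\d{4})(\d{3})([0-9a-f]{32})([0-9a-f]{32})([0-9a-f]{32})")
ACTIONS = {"1": "login", "3": "logout", "4": "change_password"}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # the {*} marker for "field left empty"

# Constructed sample: login, nnnn=0000, v=112, the MD5("test") and MD5("123456")
# digests used by the simulator later in the thread, and no new password.
SAMPLE_G = ("1" + "0000" + "112"
            + "098f6bcd4621d373cade4e832627b4f6"
            + "e10adc3949ba59abbe56e057f20f883e"
            + EMPTY_MD5)


@dataclass
class SvRequest:
    action: str
    nnnn: str                         # four digits of unknown meaning
    version: int
    id_md5: str
    password_md5: str
    new_password_md5: Optional[str]   # None when the client sent MD5("")


def parse_g(value: str) -> SvRequest:
    """Parse the value of the g= form field; raise ValueError on anything malformed."""
    m = G_FIELD.fullmatch(value.lower())  # assumption: hex case is not significant
    if m is None:
        raise ValueError("g field is not annnn[v] followed by three MD5 digests")
    a, nnnn, ver, id_md5, pwd_md5, new_md5 = m.groups()
    if a not in ACTIONS:
        raise ValueError(f"unknown action code {a!r}")
    new_pwd = None if new_md5 == EMPTY_MD5 else new_md5
    # Added policy, not stated in the post: a password change needs a new password.
    if ACTIONS[a] == "change_password" and new_pwd is None:
        raise ValueError("change-password request with an empty new password")
    return SvRequest(ACTIONS[a], nnnn, int(ver), id_md5, pwd_md5, new_pwd)


if __name__ == "__main__":
    print(parse_g(SAMPLE_G))
```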
05/31/2007 03:22 Foxsilver#2
PHP Test Protocol :o (unfinished)
Code:
<?PHP
/*
 * PHP SV Server Simulator for SV1.*
 * Powered by Foxsilver (c) 2.007
 */
if (isset($_POST['simul'])) {
    echo "------------- Protocol Client Simulation -----------<br>";
    //Client MD5's
    $md5_id=MD5($_POST['id']);
    $md5_psw=MD5($_POST['pwd']);
    $md5_new_psw=MD5($_POST['new_pwd']);
    //Packet sender
    $cli_get="g=".$_POST['proto']."????".$_POST['ver']."".$md5_id."".$md5_psw."".$md5_new_psw;
    echo "[Client] ".$cli_get."<br>";
    echo "-----------------------------------------------------<br>";
    echo "------------- Protocol Server Simulation -----------<br>";
    //Server
    //Version protocol
    $ver_protocol=112;
    //Server Message
    $msg_protocol="Sorry, This client is updated, Pls download the new one!# ";
    $msg_wrong_user_pass="Sorry, Username or Password Error!# ";
    $msg_ok_login="Confirms successfully,the Account will be Expired at ";
    $msg_log_out_correct="Logout successfully!#";
    //Server Date time (-1 Hours for GMT+1 To GMT+0) GMT
    $gmt_time=strtotime("-1 hours", time());
    //MAKE Date Time SV server :O
    $time_part1=strftime("-%m-%d %H:", strtotime("+7 hours",$gmt_time));
    $time_ok=str_replace(0,"", $time_part1);
    //Sv server time
    $sv_time=str_replace("&",$time_ok, strftime("%Y&%M:%S", strtotime("+7 hours",$gmt_time)));
    //SQL simulator user pass
    $check_usr=MD5("test");
    $check_pws=MD5("123456");
    $date_exp="2007-m-d";
    //PHP Options
    $check_get=explode("=", $cli_get);
    $vars=$check_get[1];
    $long_rand_num=4;
    $check_ver=substr($vars, $long_rand_num+1, strlen($ver_protocol));
    //Check protocol version
    if ($check_ver == $ver_protocol) {
        $start_md5s=strlen($ver_protocol)+$long_rand_num+1;
        //LogIn
        if ($vars[0]== "1") {
            $long_max=strlen($vars);
            $long_null_pass=strlen(MD5(""));
            $client_user_psw=substr($vars, $start_md5s, $long_max-$start_md5s-$long_null_pass);
            $sql_user_pass=$check_usr."".$check_pws;
            //WTF fu... MD5 =S isn't MD5(usrpss), MD5(usr:pss), MD5(usr;pss), ....
            if ($sql_user_pass == $client_user_psw) { echo "[SERVER] MD5(????)&".$msg_ok_login."".$date_exp."!#".$sv_time; }
            else { echo "[Server] ".$md5_id."&".$msg_wrong_user_pass.""; }

        }
        //LogOut
        elseif ($vars[0]== "3") { echo "[SERVER] MD5(???)&".$msg_log_out_correct."".$sv_time; }
        //Change Password
        elseif ($vars[0]== "4") {
            $sql_user_pass=$check_usr."".$check_pws;
            $sql_long=strlen($sql_user_pass);
            $client_user_psw=substr($vars, $start_md5s, $sql_long);
            if ($sql_user_pass == $client_user_psw) { echo "[Server] GOT New Pass MD5: ".substr($vars, $sql_long+$start_md5s, strlen($vars)-$sql_long-$start_md5s); }
            else { echo "[Server] ".$md5_id."&".$msg_wrong_user_pass.""; }
        }
        else { echo "[Server] ?? (ERROR protocol WTF)"; }
    }
    else { echo "[Server] ".$md5_id."&".$msg_protocol."";}
    echo "<br>-----------------------------------------------------<br>";
}
?>
<form action="sv_simulator.php" METHOD="POST">
<select name="proto">
<option value="1" <?PHP if($_POST['proto'] == 1) { echo "selected"; } ?>>Login</option>
<option value="3" <?PHP if ($_POST['proto'] == 3) { echo "selected"; } ?>>LogOut</option>
<option value="4" <?PHP if ($_POST['proto'] == 4) { echo "selected"; } ?>>Change Password</option>
</select><br>
<input type="hidden" name="ver" value="112">
ScriptVessel ID <input type="text" name="id" value="<?PHP echo $_POST['id']; ?>"><br>
Password <input type="text" name="pwd" value="<?PHP echo $_POST['pwd']; ?>"><br>
New Password <input type="text" name="new_pwd" value="<?PHP echo $_POST['new_pwd']; ?>"><br>
<input type="Submit" name="simul" value="Simule it!"><br></form>
ASP Code (unfinished) Updated
1 form in HTML with <input type="text" name="g">
value of this input: annnn[v][MD5(ScriptVessel ID)][MD5(Password)][MD5(New Password){*}]
And you emulate the SV Client :)
{*}=If this field is not written, it makes MD5()=d41d8cd98f00b204e9800998ecf8427e

Ex.: SVgoto113.aSp
Code:
<%
Dim sv_method
If Len(request.form("g")) > 0 Then
    sv_method = request.form("g")
    If Len(Session("emulator")) = 0 then
        Session("emulator") = sv_method
        'Ex for protocol 112
        Response.Redirect("svck112.asp")
        Response.ContentType = "text/html"
        Response.Flush
        Response.End
    End If
Else
    Response.Write("¬¬ no sv method")
End If
%>
Ex.: svck112.asp
Code:
<%
'Define Server Emulator vars
md5_start=9
md5_max_len=32
sv_version="112"
sv_error_version="Sorry, This client is updated, Pls download the new one!#"
sv_error_up="Sorry, Username or Password Error!#"
sv_error_option="SV Emulator, wrong choise man, u are bad ^^!#"
sv_ok_login="Confirms successfully,the Account will be Expired at "
sv_ok_logout="Logout successfully!#"
'Don't know the form =S
sv_ok_chnpss=""
'Adapting server time (Got Error)
locate_time=5
gmt_date=DateAdd("h",locate_time,Now())
locate_time=7
sv_date=DateAdd("h",locate_time,gmt_date)
'Error no got 0 on Len 1 Segs
if Len(second(sv_date)) = 1 Then
    Correct_segs = "0" & second(sv_date)
else
    Correct_segs=second(sv_date)
End If
'Error no got 0 on Len 1 Minuts
if Len(minute(sv_date)) = 1 Then
    Correct_min = "0" & minute(sv_date)
else
    Correct_min = minute(sv_date)
End If
format_date="" & Year(sv_date) & "-" & Month(sv_date) & "-" & Day(sv_date) & " " & hour(sv_date) & ":" & Correct_min & ":" & Correct_segs
If Len(Session("emulator")) <> 0 then
    g=Session.Contents("emulator")
    Session.Abandon
    Action=mid(g,1,1)
    check_version=mid(g,6,3)
    Dim user_sql_emul
    Dim pass_sql_emul
    'user MD5 = test
    user_sql_emul="098f6bcd4621d373cade4e832627b4f6"
    'pass MD5 = 123456
    pass_sql_emul="e10adc3949ba59abbe56e057f20f883e"
    ' SQL Date user
    expire_date_client="2007-12-31"
    'user&pass from sv client
    check_user=mid(g,md5_start,md5_max_len)
    check_pass=mid(g,md5_start+md5_max_len,md5_max_len)
    new_pass=mid(g,md5_start+md5_max_len+md5_max_len,md5_max_len)
    if sv_version = check_version Then
        Select Case Action
        case 1
            if user_sql_emul = check_user AND pass_sql_emul = check_pass Then
                Response.Write("<a "&"MD5(??)"&"&"&sv_ok_login&""&expire_date_client&"!#"&format_date&">")
            else
                Response.Write("<a "&mid(g,md5_start,md5_max_len)&"&"&sv_error_up&" >")
            End if
        case 3
            if user_sql_emul = check_user AND pass_sql_emul = check_pass Then
                Response.Write("<a "&"MD5(??)"&"&"&sv_ok_logout&""&format_date&">")
            else
                Response.Write("<a "&mid(g,md5_start,md5_max_len)&"&"&sv_error_up&" >")
            End if
        case 4
            if user_sql_emul = check_user AND pass_sql_emul = check_pass Then
                Response.Write("Change Pass value to: "&new_pass)
            else
                Response.Write("<a "&mid(g,md5_start,md5_max_len)&"&"&sv_error_up&" >")
            End if
        case else
            Response.Write("<a "&mid(g,md5_start,md5_max_len)&"&"&sv_error_option&" >")
        End Select
    Else
        Response.Write("<a "&mid(g,md5_start,md5_max_len)&"&"&sv_error_version&" >")
    End if
End if
%>
05/31/2007 08:22 anantasia#3
Did you capture all packages for the whole time?

Sometimes it has a timer to self-check by verifying again with the server.

After 1.12, every time you activate the bot (press F11) it will check the entire program in memory for modify/trap process.

Anyway, keep up your work.
05/31/2007 15:54 Foxsilver#4
Quote:
Originally posted by anantasia@May 31 2007, 08:22
After 1.12, every time you activate the bot (press F11) it will check the entire program in memory for modify/trap process.
thx for the information
But that isn't the problem now; it's when sending the last packet: "<a MD5()&Confirms successfully,the Account will be Expired at EXPIRE_DATE!#DATE_TIME_SV>"
I've got 2 problems:
1- MD5: I don't know how it is made, and later the SV client checks it
2- DATE_TIME_SV: that's from the server, but when you log in to the real server with an incorrect user & pass it only sends the message blablabla!# and the client makes the time and shows it; probably when the last packet is sent and the time is read from the packet, the SV client makes another time and compares it.

In other versions it's very easy: you only need to sniff a true user & password, modify the exe to run against localhost, and make a program that runs on localhost and sends these same packets. But now it has changed; now I need to test, test ... to see what the problem is for this version