clientcrasher

Here you can discuss packets, implementation and design, and software related to the packet sniffing and such. This is not the place to post packages for POL, but rather discuss the packet side of them.

Moderator: POL Developer

Post Reply
qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

clientcrasher

Post by qrak » Tue Jan 02, 2007 2:54 am

Hello. I'm here to warn you about a malicious tool that has just emerged. It's called ClientCrasher.exe and apparently, it does not only crash the clients in its vicinity. It can also intercept logon packets, and then send ambigious packets towards clients which just logged on, kicking them from the server. Unfortunately I got to know the tool in sad circumstances, some of my shard players used it. Could you explain how exactly can it intercept POL packets?

here are some screens:

http://pinoslaw.republika.pl/pvp.rar
Shutdown();

Bracco
Adept Poster
Posts: 80
Joined: Thu Dec 28, 2006 11:52 am

Post by Bracco » Tue Jan 02, 2007 3:22 am

hmm... only screenshots in the rar... btw, i think this tool can't hook anything but local packet stream between your client and the server

it's impossibile that it can hook ("spoof") other clients' packets.

however, to crash nearby client it can exploit some kind of client bug, i remember years ago there was something like this, it used strange speech colours to crash other clients

User avatar
CWO
POL Expert
Posts: 1137
Joined: Sat Feb 04, 2006 5:49 pm
Location: Chicago, IL USA
Contact:

Post by CWO » Tue Jan 02, 2007 3:33 am

This sounds just like the person who said he can grab everyone's IP in UO and hack them very easily. In the end, it was all a bunch of BS thrown together by programs like EUO to put sysmessages in his journal looking like hes able to do it.

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Tue Jan 02, 2007 3:37 am

I know the tool works because I have heard so many complaints of people who actually get disconnected. The supposed 'ClientCrasher' has a function that allows it to track relogs, and then automagically kick the players, so that there's no chance for them to flee or anything really :). It's not a bunch of EasyUO lines I bet. :(
Shutdown();

User avatar
CWO
POL Expert
Posts: 1137
Joined: Sat Feb 04, 2006 5:49 pm
Location: Chicago, IL USA
Contact:

Post by CWO » Tue Jan 02, 2007 3:39 am

well what client version do you use? This could be the same type of bug Bracco was talking about sending something that the other clients can see but cant process.

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Tue Jan 02, 2007 3:46 am

I'm using the latest version of the client. All of my players must have the latest one, otherwise they get disconnected by a verification script (client check packethook). I've checked injection's 'transparent' speach bug, and it's not it. Any ideas? Maybe the POL webserver makes it vulnerable?
Shutdown();

User avatar
CWO
POL Expert
Posts: 1137
Joined: Sat Feb 04, 2006 5:49 pm
Location: Chicago, IL USA
Contact:

Post by CWO » Tue Jan 02, 2007 3:58 am

client version checks can be worked around with injection itself.

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Tue Jan 02, 2007 4:03 am

what do you suggest I do?
Shutdown();

Bracco
Adept Poster
Posts: 80
Joined: Thu Dec 28, 2006 11:52 am

Post by Bracco » Tue Jan 02, 2007 4:06 am

i suggest you doing this...

disguise yourself as a normal player, or let some of the victims lend you his account... then play around with some kind of packetlogging enabled, and when you get disconnected, look at what came to your client before disconnect

User avatar
tekproxy
Forum Regular
Posts: 352
Joined: Thu Apr 06, 2006 5:11 pm
Location: Nederland, Texas
Contact:

Post by tekproxy » Tue Jan 02, 2007 9:13 am

Once you get the log of the packet, post it here. It is probably possible to hook the offending packet and deal with it in a way that doesn't crash clients. Crashing a client is Very easy to do if you are the server. ANY malformed packet, almost, will cause the client to stop responding.

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Tue Jan 02, 2007 9:42 am

ok i'll try to catch some of those packets
Shutdown();

User avatar
MuadDib
POL Expert
Posts: 1087
Joined: Sun Feb 12, 2006 9:50 pm
Location: Cross Lanes, WV

Post by MuadDib » Tue Jan 02, 2007 10:14 am

You can use a packet logger or use the built in packet logging of the core with startlog and stoplog. very hand commands.

Secondly, if such a program does exist, I'd like to have a copy, to find out how it's working so I can code against it :)
POL Developer - The Penguin Scripter

User avatar
tekproxy
Forum Regular
Posts: 352
Joined: Thu Apr 06, 2006 5:11 pm
Location: Nederland, Texas
Contact:

Post by tekproxy » Tue Jan 02, 2007 10:19 am

This is one example of why I wanted a uo client of my own Muad. I am not sure how to hook into the real UO client's connection and send things so it would be easier to make my own client and try to crash everyone else.

It's probably a chat-type packet. It would have to be something that a client could send that the server would process and then send to another client or group of clients.

User avatar
CWO
POL Expert
Posts: 1137
Joined: Sat Feb 04, 2006 5:49 pm
Location: Chicago, IL USA
Contact:

Post by CWO » Tue Jan 02, 2007 6:55 pm

This could also be a good reason to be able to start the internal core logging textcmd on someone other than your own char.

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Wed Jan 03, 2007 2:11 am

I tried to catch some of those packets with razor packed logging but it's hard because sudenly everybody stopped using clientcrasher.
Anyway i was looking for that tool and i couldn't find it. Today i'll try to get it from my shard players :P
Shutdown();

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Sat Jan 06, 2007 2:50 pm

Ok one of my players caught that malicious packet with razor packet logger:

Code: Select all

22:29:58.3175: Server -> Client 0xD9 (Length: 13)
        0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
       -- -- -- -- -- -- -- --  -- -- -- -- -- -- -- --
0000   44 01 0C F3 F3 44 44 44  28 03 D1 00               TTTTTTTTTTT..
pktlist.html desc:

Packet ID: 0xD9
Packet Name: Spy On Client
Packet Size: Variable
Sent By: Client
Submitted: MuadDib

Description
Sends information related to client pc's hardware, operating system, direct x, etc. Full packet information is still unknown.
Shutdown();

User avatar
MuadDib
POL Expert
Posts: 1087
Joined: Sun Feb 12, 2006 9:50 pm
Location: Cross Lanes, WV

Post by MuadDib » Sat Jan 06, 2007 3:09 pm

.....................................
POL Developer - The Penguin Scripter

User avatar
MuadDib
POL Expert
Posts: 1087
Joined: Sun Feb 12, 2006 9:50 pm
Location: Cross Lanes, WV

Post by MuadDib » Sat Jan 06, 2007 3:19 pm

That is not it.

You want the packets sent by the server before that. It's a packet he's receiving, not sending, that is causing that.
POL Developer - The Penguin Scripter

User avatar
MuadDib
POL Expert
Posts: 1087
Joined: Sun Feb 12, 2006 9:50 pm
Location: Cross Lanes, WV

Post by MuadDib » Sat Jan 06, 2007 3:20 pm

nevermind.... just now seeing it was sent by server to client..........

Does the core even do this at all??? Let me look into this and see, but I am unsure if the core even sends that packet.
POL Developer - The Penguin Scripter

qrak
Grandmaster Poster
Posts: 198
Joined: Sun Feb 05, 2006 4:35 pm
Location: Poland

Post by qrak » Sat Jan 06, 2007 3:32 pm

i don't know much about packets and i can't tell if that packet caused that, it could be something else. Just know that some players are using tool called clientcrasher and all i want to catch packet which is causing a crash.
Shutdown();

tartaros
New User
Posts: 28
Joined: Tue Mar 27, 2007 6:30 am
Contact:

Post by tartaros » Tue Mar 27, 2007 6:34 am

Maybe this topic is already outdated but still... :)

If I were you, I'd focus on the invisible dead horses that are seen on the screenshots. Unless ofc that's perfectly normal on your shard.
Older clients (2.0+, dunno when it was fixed) can easily be crashed by certain hues of items or speech, etc.
When you're saying they "track relogging clients" so that they can't login again, it would suggest it's in fact no tracking, but simply the items still lying there.

User avatar
tekproxy
Forum Regular
Posts: 352
Joined: Thu Apr 06, 2006 5:11 pm
Location: Nederland, Texas
Contact:

Post by tekproxy » Tue Mar 27, 2007 8:22 am

Welcome to the POL forums, mate, and thanks for posting this. I'd been wishing there would be more progress on this thread. :-D

User avatar
MuadDib
POL Expert
Posts: 1087
Joined: Sun Feb 12, 2006 9:50 pm
Location: Cross Lanes, WV

Post by MuadDib » Wed Mar 28, 2007 8:05 am

Those are corpses of Ethereal Horses, perfectly normal for UO :)
POL Developer - The Penguin Scripter

Post Reply