bark
@bark

Internet Checkers from the MSN Gaming Zone which is Zone.com or something look i'm not good at history and it's not my thing

the checkers exe chkrzm.exe is a thin wrapper which exists only to grab a COM object ZoneM.Client and some random interface from zClientm.exe through which it calls a method and passes the strings Launch and

data=[ID=[mchkr_zm_***]data=[game=<Checkers>dll=<ZCorem.dll,cmnClim.dll>datafile=<ChkrRes.dll,CmnResm.dll>]server=[%1:0]name=[Checkers]family=[Checkers]icw=["%2"%3]setup=[CHKRZM]]

(after some formatting). so then obviously zClientm.exe which was already sitting there in the background being a COM or OLE server or something running a windows event loop parses that string and just, loads all those dlls. and then Something happens. cmnClim.dll pops open that ui and lets you press "Play" which of course causes it to load ZNetM.dll and through as many COM objects and c++ virtual classes and other unmentionable dlls as possible it finally bothers reaching out to checkers.freegames.zone.com:28805 or whatever else the little wrapper stuffed into the server key to that Launch garbage [yay for hosts file].

SO THEN


when it does that it opens a little tcp connection and sends

00000000: 93 69 5F 09 C8 27 36 45  F9 27 06 45 FB 27 36 45  .i_..'6E.'.E.'6E
00000010: BD 62 64 03 F8 27 36 45  F8 27 36 45 F8 27 36 45  .bd..'6E.'6E.'6E
00000020: 32 AF DB 43 2C 9C 46 01  78 35 44 9E 29 68 48 37  2..C,.F.x5D.)hH7

which is of course nothing. because it's decided that it'll XOR every dword with a key, namely f8273645. so the server can un-XOR that and get

00000000: 6B 4E 69 4C 30 00 00 00  01 00 30 00 03 00 00 00  kNiL0.....0.....
00000010: 45 45 52 46 00 00 00 00  00 00 00 00 00 00 00 00  EERF............
00000020: CA 88 ED 06 D4 BB 70 44  80 12 72 DB D1 4F 7E 72  ......pD..r..O~r

which hey! is data! it's a signature, LiNk in little endian, followed by a total packet length, followed by some stuff. the stuff in this case is 01 00 30 00 which is some kinda identifier, FREE which i think literally means "you're playing the game for free" and then the final 16 bytes are your ✨ computer ID ✨.

so then you send it back something in basically the same form, but with details that i can't actually understand due to aforementioned mess

00000000: 6B 4E 69 4C 28 00 00 00  02 00 28 00 00 00 00 00  kNiL(.....(.....
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00                           ........

same packet structure, signature, length, then that identifier ish thing and 💕 all zeros 💕 because i don't know what it wants. just don't forget to do the XOR business before sending it back to the client

then it gets a bit talky, but stops trying to XOR stuff (tbh i think setting all 0s in the reply set the key to 0) and sends you a lovely Hello kinda packet with a bunch of cute data

00000000: 6B 4E 69 4C 9C 00 00 00  00 00 14 00 00 00 00 00  kNiL............
00000010: AA 5D 3D 9C 74 75 6F 72  00 00 00 00 03 00 00 00  .]=.tuor........
00000020: 74 00 00 00 00 00 4C 00  01 00 00 00 43 48 4B 52  t.....L.....CHKR
00000030: 5A 4D 00 00 00 00 00 00  58 06 17 00 01 00 00 00  ZM......X.......
00000040: 00 00 00 00 40 00 00 00  78 F9 00 00 00 00 15 00  ....@...x.......
00000050: 2C DF 90 7C 74 95 80 7C  00 D0 FD 7F 50 FA 12 00  ,..|t..|....P...
00000060: B6 95 80 7C FC F9 12 00  A4 95 80 7C 51 27 08 01  ...|.......|Q'..
00000070: 06 00 0C 00 09 04 09 04  09 04 A8 FD 04 00 1C 00  ................
00000080: 01 00 00 00 6D 63 68 6B  72 5F 7A 6D 5F 2A 2A 2A  ....mchkr_zm_***
00000090: 00 2E 19 00 00 00 01 00  01 00 00 00              ............

woahhhhh so yeah breaking that up the bits i know so far are

6B 4E 69 4C: 'LiNk' signature from before
9C 00 00 00: total packet length
00 00 14 00: no idea
00 00 00 00: literally a sequence number! it increments! wtf
AA 5D 3D 9C: checksum. bad. someone thought doing more xor was a good idea
74 75 6F 72: 'rout', an identifier/signature; some other packets which i've never seen except in code set different things
... blah blah now i'm just gonna list some random fields ...
CHKRZM: they call this a setup token. what
58 06 17 00: i think this is the version?
09 04: 1033, it's a language id. it sends three. idk why there's three
mchkr_zm_***: idk "id" it came from that huge string

if you leave it alone for a while it starts sending heartbeats, which is nice

00000000: 6B 4E 69 4C 28 00 00 00  00 00 14 00 02 00 00 00  kNiL(...........
00000010: DB 30 4D 61 73 79 73 7A  00 00 00 00 00 00 00 80  .0Masysz........
00000020: 00 00 00 00 01 00 00 00                           ........

(you can see the header is the same, the id thingy is zsys now instead of rout, and the sequence number is Sequencing)

but then the mess encroaches again and i have no idea what it's expecting to hear back to acknowledge that the server is online and to keep loading stuff. oh well
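As an added example (not code from bark's post or from the Zone.com client), here is a small Python parser for the framing described above: it strips the per-dword XOR, recovers the key from the fixed signature, checks the length field against what is on the wire, and splits the client's first packet into the fields the post identifies. The field names (ident, mode, tag, computer_id) are assumptions based on the post's informal labels, and the capture bytes are copied from the first hexdump.

```python
import struct

SIGNATURE = b"kNiL"                    # 'LiNk' as a little-endian dword
XOR_KEY = bytes.fromhex("f8273645")    # per-dword key named in the post
HEADER = struct.Struct("<4sI")         # signature, total packet length


def xor_dwords(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every 4-byte word with the key; the same call encodes and decodes."""
    if len(data) % 4:
        raise ValueError("LiNk packets are whole dwords")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def recover_key(obfuscated: bytes) -> bytes:
    """The cleartext signature is fixed, so the key falls out of the first
    dword of any capture: fixed-key XOR is obfuscation, not encryption."""
    return bytes(a ^ b for a, b in zip(obfuscated[:4], SIGNATURE))

def parse_frame(plain: bytes) -> dict:
    """Split a decoded frame into header and body, rejecting bad framing."""
    if len(plain) < HEADER.size:
        raise ValueError("short frame")
    sig, length = HEADER.unpack_from(plain)
    if sig != SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    if length != len(plain):
        raise ValueError(f"length field {length} != {len(plain)} bytes on the wire")
    return {"length": length, "body": plain[HEADER.size:]}

def parse_first_packet(obfuscated: bytes) -> dict:
    """Decode the client's opening 0x30-byte packet into the post's fields.
    Field names (ident, mode, tag, computer_id) are assumed from the post."""
    frame = parse_frame(xor_dwords(obfuscated))
    body = frame["body"]
    ident, mode, tag = struct.unpack_from("<4s4s4s", body)
    return {
        "length": frame["length"],
        "ident": ident.hex(),             # 01003000, 'some kinda identifier'
        "mode": struct.unpack("<I", mode)[0],
        "tag": tag[::-1].decode(),        # 'EERF' on the wire reads as 'FREE'
        "computer_id": body[-16:].hex(),  # the final 16 bytes
    }

# Client's first packet, copied (still XORed) from the post's first hexdump.
CAPTURE = bytes.fromhex(
    "93695F09C8273645F9270645FB273645BD626403F8273645F8273645F8273645"
    "32AFDB432C9C46017835449E29684837"
)
```

Feeding the same bytes through `xor_dwords` twice gives the original back, which is all the "encryption" here amounts to.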