Join Hands for Open Source Sify Dialer

  • Thread starter: nishnet2002
  • Replies: 36
  • Views: 15,947
hello guys, exams are over and I am back. In order to try out various inputs to the Sify BBClient we must depict Sify's actual server. The various inputs to BBClient would be SessionID. Also the custom server will enable us to:
1) Run the client any number of times without actually making Sify people suspicious about our login attempts...
2) We will be able to send dummy values like SessionID=000000000.....
3) One can perform the test even when he doesn't have a Sify connection.
If someone can depict the Sify server it would be a great help... we don't want exact working but just a working server.
 
play safe


never use sify BBclient

Usage of sify BBclient might be injurious to your comp :P

use an alternative client
 
agent, if you were on an IRC channel then you would be kicked and banned before the impulse from your finger tip could reach your brain. Please read the entire thread before you post. We are discussing making an _alternative_ client _because_ the other alternative clients _don't_ work _because_ of the new protocol. But I guess you haven't noticed it? :|
 
I tried the Linux client too under Ubuntu; it says "Please Update your Client" even though I downloaded the latest version. It's clear that their Linux client is also not maintained anymore. Even that client gets a "NOUPDATE" response from the server.
 
A few observations with regards to nishnet's original post.

1) Nishnet, are you sure that the cons string is an encrypted version of the following?
&curservid=.....&prevservid=....&version=....&sessionid=...&srcip=....&username=...&password=..

By sure I mean - did you see all those variables being accessed in code, concatenated in a similar form and then encrypted? Or is this just an educated guess because it was what was being sent for login with the previous protocol and the string still exists in the new client?

2) Are you sure it's encryption as opposed to a one way hash? I tend to agree with Bhaskar (who said it was a hash [maybe casually]).

3) AFAIK, Crypt.dll is not installed with the new dialer and is a remnant of the older client. It's a right pain installing the new client in a folder of your location (can you?) and when you're not connected to Sify all the time (I have to switch cables and hope Sify is up - which it isn't 50% of the times I try). So I haven't been able to confirm this, but if crypt.dll is not shipped with the new client, then perhaps it should be discounted from our investigation.

My observations:
1) The cons string is the same for each session of BBClient, no matter how many times you attempt to login using that session. If you close BBClient and reopen it - you get a new cons string.

2) I think it is a one way hash formed from your username and password and perhaps the other details specified in the string above. The macid is transmitted in clear text and is used to look up your record in the database, the same hashing function is performed on your records and the results are compared.

Different string each BBClient session? As Nishnet stated, it is quite likely that the session id sent to the client from the server is used to salt the input string. If it's only the session id - then the salt does not need to be transmitted along with the hash, since the server knows it already. If it's something else - like the system clock or a combination, the salt does need to be transmitted to the server in clear text at some time.

The cons string itself could contain the salt, but I'm hardly sure.

Note: This entire theory is backed by intuition, not fact.

3) I think both BBClient.exe and BBAppDll.dll are involved in constructing the cons string.

4) It would be cool if we could somehow spoof the Sify server and feed controlled input to BBClient as Nishnet suggested (or intercept and change the packets); the output could then be observed for different cases and give us a better idea of what's going on.

5) When the app is started and after each login attempt - the SEED value in this key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG is modified. I noticed that this happened in the earlier client as well, and it does not seem to tie in with the fact of a constant cons string per session, as the SEED value changes each time you click Login - probably just a red herring.

6) Apparently the old login pages (validatelogin.php and logout.php) still work, in spite of the server returning validatelogin2.php and logout1.php.
I guess these will work for a little while more until all their servers are up to date with the new protocol (or maybe until they write the Java client ;) )

No further ideas at this point. I'd vote for making this the thread of choice for protocol discussion. I'm hardly a professional cracker so if anyone can break this and let us all know, awesome. Do share your insights on the issue here.

Best,
Brian.
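The salted-hash theory in Brian's post (session id as the salt, macid sent in clear for the record lookup, server recomputing and comparing) can be illustrated with a small model. This is an added example, not Sify's protocol and not code from the thread: the field layout, SHA-256, and every name here are assumptions, and the "database" is a constructed sample record. It is useful mainly for what it shows on the defensive side: with a server-issued, per-session salt the same session yields the same digest (Brian's observation 1), a new session yields a new one, and a digest captured from one session is useless in another.

```python
import hashlib
import hmac
import secrets

# Constructed records keyed by the clear-text macid the thread says is used
# for the database lookup. A real server would keep a password verifier,
# not the password itself; this is a toy to illustrate the theory.
USER_DB = {
    "00:11:22:33:44:55": {"username": "alice", "password": "s3cret"},
}


def make_cons(session_id: str, username: str, password: str) -> str:
    """Client side (assumed layout): digest of the login fields salted with the
    server-issued session id, so the salt never has to be sent back."""
    payload = f"sessionid={session_id}&username={username}&password={password}"
    return hashlib.sha256(payload.encode()).hexdigest()


class ToyServer:
    """Server side: issues session ids and verifies a submitted digest."""

    def __init__(self):
        self.live_sessions = set()

    def new_session(self) -> str:
        sid = secrets.token_hex(8)          # fresh random salt per client session
        self.live_sessions.add(sid)
        return sid

    def validate_login(self, session_id: str, macid: str, cons: str) -> bool:
        if session_id not in self.live_sessions:
            return False
        rec = USER_DB.get(macid)            # macid travels in clear; it only selects the record
        if rec is None:
            return False
        expected = make_cons(session_id, rec["username"], rec["password"])
        return hmac.compare_digest(expected, cons)   # constant-time compare


def demo() -> dict:
    """Run the scenarios from the thread and return which properties hold."""
    server = ToyServer()
    macid = "00:11:22:33:44:55"
    sid1 = server.new_session()
    cons_a = make_cons(sid1, "alice", "s3cret")
    cons_b = make_cons(sid1, "alice", "s3cret")   # second Login click, same session
    sid2 = server.new_session()                     # client closed and reopened
    cons_c = make_cons(sid2, "alice", "s3cret")
    return {
        "same_session_same_cons": cons_a == cons_b,
        "new_session_new_cons": cons_a != cons_c,
        "fresh_login_ok": server.validate_login(sid1, macid, cons_a),
        "replay_into_new_session_fails": not server.validate_login(sid2, macid, cons_a),
        "wrong_password_fails": not server.validate_login(
            sid1, macid, make_cons(sid1, "alice", "wrong")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model also makes the second half of Brian's point concrete: if the salt were something the server does not already know (system clock, a client nonce), it would have to ride along in clear, and an analyst would expect to see it somewhere in the request; with a server-issued session id nothing extra needs to be sent.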
 
On updating to version 3.1 there is a new exe in the Sify broadband folder: BBImpSec.exe. This also tries to autorun at startup and with every run of the Sify dialer. Some analysis shows that this app is responsible for blocking ports. Have you people analysed it? Can it also be responsible for encryption?
 
Using the old login/logout pages works great; currently I'm running a custom modded version of ES2 on Windows. I'll do a fast PHP script for login/logout now, because I really need a way to access the internet on Ubuntu. Most *nix distros have PHP installed, so it's a good alternative before someone makes a *nix client.
 
This thing blocks ports using the IP security policies of win2k/xp/2k3 (not in 9x/me). I also made a thread on it before. Just disable the IPsec service from services.msc or by 'net stop ipsec'. This won't clear all your problems because Sify can still block ports on their routers :(
 
Brian, I am not a Sify BB user but I was trying to reverse engineer the Sify client to make a Linux / Java version. But the problem I have encountered is that the client won't start up as it can't connect to a valid Sify server. I have tried to "mimic" a Sify server but haven't tried hard enough. I also took a different approach and opened up the DLLs with Sify. You are right about crypt.dll. I can see many functions in BBApp.dll but one particular function caught my eye (forgot the name). But it had something to do with crypt (encrypt / decrypt?). Also saw many functions including ones like char2byte etc... Dunno what to make of it. Regarding the encryption, I too originally thought it might be a hashing function but I haven't been successful in identifying it. Do you know about the magic numbers specific to certain cryptographic functions? We could try hunting for them. And finally if you are able to get the API of the DLLs then we could try API hooking.
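The "magic numbers" idea in the post above is the standard way a malware analyst or reverse engineer narrows down which hash or checksum a binary implements: well-known initial values and round constants are searched for in both byte orders. Below is an added example, not code from the thread or from any of the tools mentioned; the signature table is a short constructed subset (MD5/SHA-1 initial words, SHA-256 K[0..3], the CRC-32 polynomial), and SAMPLE is a constructed buffer that stands in for a file's bytes.

```python
import struct

# Constructed signature table: a few constants that identify common
# primitives. MD5 and SHA-1 share the first four initial words A..D;
# SHA-1 adds a fifth word E, which is how the two are told apart.
SIGNATURES = {
    "MD5/SHA-1 IV (A,B,C,D)": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 IV word E": [0xC3D2E1F0],
    "SHA-256 K[0..3]": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "CRC-32 polynomial (reflected)": [0xEDB88320],
}

# Constructed stand-in for a binary: padding, an x86 (little-endian) SHA-1
# state initialiser, some filler, then a CRC-32 table seed.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    + b"\x90" * 8
    + struct.pack("<I", 0xEDB88320)
    + b"\xcc" * 4
)


def find_constants(blob: bytes) -> list:
    """Return (signature name, endianness, offset) for every occurrence of a
    known constant sequence, searched in both byte orders."""
    hits = []
    for name, words in SIGNATURES.items():
        for endian, fmt in (("little", "<"), ("big", ">")):
            needle = struct.pack(fmt + "I" * len(words), *words)
            off = blob.find(needle)
            while off != -1:
                hits.append((name, endian, off))
                off = blob.find(needle, off + 1)
    return hits


def likely_algorithms(blob: bytes) -> set:
    """Turn raw hits into a guess at which primitives the binary carries."""
    hits = find_constants(blob)
    found = set()
    e_words = {(e, o) for n, e, o in hits if n == "SHA-1 IV word E"}
    for name, endian, off in hits:
        if name.startswith("MD5/SHA-1"):
            # SHA-1 keeps word E immediately after D (4 words * 4 bytes);
            # MD5's state ends at D.
            found.add("SHA-1" if (endian, off + 16) in e_words else "MD5")
        elif name.startswith("SHA-256"):
            found.add("SHA-256")
        elif name.startswith("CRC-32"):
            found.add("CRC-32")
    return found


if __name__ == "__main__":
    for name, endian, off in find_constants(SAMPLE):
        print(f"{name:32s} {endian:6s} at offset 0x{off:04x}")
    print("likely:", sorted(likely_algorithms(SAMPLE)))
```

Two caveats an analyst would keep in mind. A hit only says the constants are present, not that they are used on the login path; confirming that still means finding the references to those bytes. And a miss proves little on Windows: if the client hashes through the platform crypto API (an advapi32/crypt32 import) rather than its own code, the constants live in the system DLL, not the client, so checking the import table is the complementary step to this scan. That is also the quicker way to settle the earlier question of whether crypt.dll is still involved.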
 