.aι₯ιa. .aι@ιa. .aι@ιa. ::::: ;@@@@@@@; ;@@@@@@@; ;@@@@@@@; :::: ::::: ι@@@ @@@ι .a@ό' @@@@ @@ό' :::: ::::: @@@@ό@@@@ .a@@@aa@; @@@@ό@@@a :::: `¦όψ ψό¦' `¦όόόόό¦' `¦όψ ψό¦' ϊgE! "reverse engineering napster: changing your client's id" -- originally released on 07/30/00, updated on ../../.. -- == ( introduction ) ======================================================/\== by now you've probably noticed that some people aren't running versions of napster that match the familiar "v2.0 BETA 6" or "TekNap-v1.0" id tags. you've most likely seen "v3.0 Elite", "v3.5 eLiTe" and "HackNap" (among others) when you issue a /whois command from a napster server. this document is a manual of sorts for napster users who want to alter their client's id using a simple hex editor, and for those users who want to take this concept a bit further and use a slightly longer string than the eleven characters alotted by napster. the techniques described in this document are meant for Napster v2.0 BETA 7 for Windows, however they can be easily applied to any other version. == ( tools required ) ====================================================/\== Hacker's View v6.30 ~~~~~~~~~~~~~~~~~~~ go to http://ftpsearch.lycos.com/ or http://www.altavista.com/ and search for 'hiew630.zip' Windows Disassembler v8.9x ~~~~~~~~~~~~~~~~~~~~~~~~~~ go to http://ftpsearch.lycos.com/ or http://www.altavista.com/ and search for 'w32dsm89.zip' == ( part one: precautions ) =============================================/\== before you start playing with napster, make a backup of NAPSTER.EXE in another directory or just copy it to NAPSTER.BAK. if you mess up, you'll still have a working copy to fall back on. == ( part two: quick hex patch ) =========================================/\== the easiest way to change your client's version number is to load NAPSTER.EXE into hacker's view (referred to as 'hiew' from now on). make sure napster is NOT RUNNING when you attempt to do this. when hiew loads, make sure you're viewing the file in hex mode by pressing F4 and selecting 'hex': ΙΝΝΝΝΝ Select mode ΝΝΝΝΝ» Ί Text Ί Ί Hex Ί Ί Decode Ί ΘΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΌ after switching into hex mode, press CTRL+F7. this will bring up the search box. enter "BETA 7" in the ascii textfield: ΙΝ[Forward /Full ]ΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝ» Ί ASCII: BETA 7°°°°°°°°°°°°°° Ί Ί Ί Ί Hex: 42 45 54 41 20 37 °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°Ί ΘΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΌ press enter to begin searching. you'll see the following hex code: A9 20 31 39-39 39 2C 20-32 30 30 30-20 4E 61 70 © 1999, 2000 Nap 73 74 65 72-20 49 6E 63-2E 00 00 00-42 75 69 6C ster Inc. Buil 64 00 00 00-52 65 6C 65-61 73 65 20-56 65 72 73 d Release Vers 69 6F 6E 00-76 32 2E 30-20 42 45 54-41 20 37 00 ion v2.0 BETA 7 43 75 72 72-65 6E 74 20-54 72 61 6E-73 66 65 72 Current Transfer 73 00 00 00-25 64 20 44-6F 77 6E 6C-6F 61 64 69 s %d Downloadi 6E 67 2C 20-25 64 20 55-70 6C 6F 61-64 69 6E 67 ng, %d Uploading this is where you can change "v2.0 BETA 7" to anything you like, up to a maximum of eleven characters. to do this, press F3; now hiew is in edit mode. move the blinking cursor to the "v" in "v2.0 BETA 7" and just type right over top of this string. make sure you don't erase parts of the "Current Transfers" string! below i've changed my "v2.0 BETA 7" into "v3.0 Elite": A9 20 31 39-39 39 2C 20-32 30 30 30-20 4E 61 70 © 1999, 2000 Nap 73 74 65 72-20 49 6E 63-2E 00 00 00-42 75 69 6C ster Inc. Buil 64 00 00 00-52 65 6C 65-61 73 65 20-56 65 72 73 d Release Vers 69 6F 6E 00-76 33 2E 30-20 45 4C 49-54 45 20 00 ion v3.0 Elite 43 75 72 72-65 6E 74 20-54 72 61 6E-73 66 65 72 Current Transfer 73 00 00 00-25 64 20 44-6F 77 6E 6C-6F 61 64 69 s %d Downloadi 6E 67 2C 20-25 64 20 55-70 6C 6F 61-64 69 6E 67 ng, %d Uploading once you're happy with the changes you've made, press F9 to save them and press ESC to exit hiew. that's all it takes to modify your napster's client id when people perform a /whois on you. if you want a 20 character string instead, read on.. == ( part three : advanced patch ) =======================================/\== in part two we were limited to a maximum of eleven characters. it was easy to do. anyone with a hex editor can make those changes. why settle for eleven characters, when you could have twenty? most users are running a version of napster for windows. this version of napster can display a maximum of twenty characters in the /whois query box. you can determine this yourself if you try and fit a string longer than twenty characters in its place.. it will get cut off at the twenty character mark. from here on in, i'll assume you know how to use Windows Disassembler (dasm). if not, find a tutorial on the net or ask someone with experience. disassemble NAPSTER.EXE in dasm. now, here's the tough part. we need to identify which instance of "v2.0 BETA 7" (there are many of them) to modify before it gets pushed onto the stack. to do this, look at NAPSTER.TXT that comes with the OpenNap server software. if you want to read the entire text file to see how napster's client and server work, get a copy at http://opennap.sourceforge.net/ if you're not that good at assembly, don't worry about having to "push" anything anywhere.. this tutorial is meant so that users without knowledge of assembly can change their version id string without having to learn anything new. here's the important part from NAPSTER.TXT: ----- 2 login [CLIENT] Format: "" [ ] is the port the client is listening on for data transfer. if this value is 0, it means that the client is behind a firewall and can only push files outward. it is expected that requests for downloads be made using the 500 message (see below) is a string containing the client version info is an integer indicating the client's bandwidth 0 unknown 1 14.4 kbps 2 28.8 kpbs 3 33.6 kbps 4 56.7 kbps 5 64K ISDN 6 128K ISDN 7 Cable 8 DSL 9 T1 10 T3 or greater build number for the windows client [optional] Example: foo badpass 6699 "nap v0.8" 3 ----- when you login to a napster server, your client sends the number "2" along with some other important information: mainly your username and password. the string that gets sent to the server also contains the "" parameter. all we have to do is locate where this string is pushed onto the stack within NAPSTER.EXE and trace back in the code a bit until we find a reference to "v2.0 BETA 7". if you look at the example above, you'll notice the format of the entire command that's being passed to the server goes something like: string string number "string" number... since napster was programmed in C, this can be represented as %s %s %d "%s" %d... looking through the string refs in dasm you'll notice that "%s %s %d "%s" %d %lu %d" occurs somewhere in the dead listing. why the extra %lu and %d? remember from the textfile that there's an extra parameter that specifies the build number. the last %d is extra; i'm not exactly sure what it does. double clicking the string in dasm's string ref window brings you here: * Referenced by a CALL at Addresses: |:004376FD , :00437BAF | :004242D0 81ECE4000000 sub esp, 000000E4 :004242D6 56 push esi :004242D7 8BF1 mov esi, ecx :004242D9 57 push edi :004242DA B91F000000 mov ecx, 0000001F :004242DF 33C0 xor eax, eax :004242E1 8D7C246D lea edi, dword ptr [esp+6D] :004242E5 C644246C00 mov [esp+6C], 00 :004242EA 8B96403A0200 mov edx, dword ptr [esi+00023A40] :004242F0 F3 repz :004242F1 AB stosd :004242F2 8B8E883A0200 mov ecx, dword ptr [esi+00023A88] :004242F8 66AB stosw :004242FA AA stosb :004242FB 8B8604010000 mov eax, dword ptr [esi+00000104] :00424301 50 push eax :00424302 68710E0000 push 00000E71 :00424307 51 push ecx * Possible StringData Ref from Data Obj ->"v2.0 BETA 7" | ->:00424308 6894104800 push 00481094 ; here! :0042430D 8D86F03C0200 lea eax, dword ptr [esi+00023CF0] :00424313 52 push edx :00424314 8D8E783C0200 lea ecx, dword ptr [esi+00023C78] :0042431A 50 push eax :0042431B 51 push ecx * Possible StringData Ref from Data Obj ->"%s %s %d "%s" %d %lu %d" | :0042431C 68C4424800 push 004842C4 :00424321 6A02 push 00000002 :00424323 E818AAFFFF call 0041ED40 :00424328 8D54242C lea edx, dword ptr [esp+2C] :0042432C 6A64 push 00000064 :0042432E 52 push edx :0042432F E80CA9FFFF call 0041EC40 :00424334 83C42C add esp, 0000002C :00424337 83F8FF cmp eax, FFFFFFFF :0042433A 750D jne 00424349 :0042433C 5F pop edi :0042433D 33C0 xor eax, eax :0042433F 5E pop esi :00424340 81C4E4000000 add esp, 000000E4 :00424346 C20400 ret 0004 look at line 00424308. that's our magic string that gets pushed onto the stack before getting passed as a parameter to the call at 00424323. how do you get a longer string? use hiew again to look for "BETA 7". you'll see this in hex view (Ctrl+F7 to search): 66 20 74 68-65 20 71 75-65 75 65 21-00 00 00 00 f the queue! ->45 46 6E 65-74 3A 20 23-77 69 6E 33-32 2C 20 23 EFnet: #win32, # <- 77 69 6E 70-72 6F 67 00-28 63 6F 6E-74 69 6E 75 winprog (continu ... 6F 6D 00 00-43 6F 70 79-72 69 67 68-74 00 00 00 om Copyright A9 20 31 39-39 39 2C 20-32 30 30 30-20 4E 61 70 © 1999, 2000 Nap 73 74 65 72-20 49 6E 63-2E 00 00 00-42 75 69 6C ster Inc. Buil 64 00 00 00-52 65 6C 65-61 73 65 20-56 65 72 73 d Release Vers 69 6F 6E 00-76 32 2E 30-20 42 45 54-41 20 37 00 ion v2.0 BETA 7 look above "v2.0 BETA 7" and check out the string "EFnet: #win32, #winprog". this string is actually 23 characters long, which means it's perfect for changing. using hiew, change the "EFnet..." string to read something like "Hacked Up Napster v0" (F3 to edit, F9 to save): 48 61 63 6B-65 64 20 55-70 20 4E 61-70 73 74 65 Hacked Up Napste 72 20 76 30-20 20 20 00-28 63 6F 6E-74 69 6E 75 r v0 (continu 65 64 29 00-43 72 61 73-68 54 65 73-74 2C 20 53 ed) CrashTest, S 49 6E 65 56-61 6C 2C 20-6C 75 64 64-65 00 00 00 IneVal, ludde now, for the most important part. once you've saved your changes, DON'T EXIT hiew just yet. press F3 again to get back into edit mode and go to the first character of your new version id. in my case, it's "H". The number (offset) for Napster v2.0 BETA 7 is 00080FB0 for this example. write this number down somewhere. remember how the old string is pushed onto the stack? if you bring your cursor in hiew over to the "v" in "v2.0 BETA 7" you'll see it's at offset 00081094 in the file. * Possible StringData Ref from Data Obj ->"v2.0 BETA 7" | :00424308 6894104800 push 00481094 ; here! notice that we 'push 00481094' here. what's the difference between the file offset and the value we push onto the stack? the first three digits are 004 instead of 000. this is because the program's image base starts at 00400000h (check dasm at the very top of the dead listing). so, using a bit of logic, we can assume that if we wanted to push the string located at 00080FB0 onto the stack, the new command would look something like this in assembly: * Possible StringData Ref from Data Obj ->"Hacked Up Napster v0 " | :00424308 6894104800 push 00480FB0 ; here! so, to make this change with hiew, load up NAPSTER.EXE if you've closed it and press F5. type in ".00024308" and press enter. press F4 and select "decode". now make sure it looks like this: .00424308: 6840444800 push 00481094 ;" HD@" .0042430D: 8D86F03C0200 lea eax,[esi][000023CF0] .00424313: 52 push edx .00424314: 8D8E783C0200 lea ecx,[esi][000023C78] .0042431A: 50 push eax .0042431B: 51 push ecx move your cursor up to offset (or line) .00424308 and press F3 then F2. now change the command from "push 00481094" to "push 00480FB0". press F9 to save your changes. press ESC and start using your hacked up copy of napster! == ( final notes ) =======================================================/\== this document isn't intended to be a guide to software reverse engineering; you'll notice that i didn't go into the sort of in-depth explanations that you'd usually see in a cracking tutorial. this was written for beginners who want to show off a little. to those who wanted a more technical doc, i apologize.. but it had to be simple so everyone could understand. personal greets go out to Octavian, !_go0zeGg_! for the jaw-dropping graphics in wrapster v2.0 and as always, 1995. tantrum (a2ure), 07/30/00 == ( end ) ===============================================================/\==