Artems
Newbie
Offline
Activity: 2
Merit: 0
|
|
July 18, 2017, 10:28:32 PM Last edit: July 19, 2017, 04:55:12 AM by Artems |
|
Hello All, I just spent some time trying to figure out how this works (I could have made some mistake):

If we check git for STRATUM Pool https://github.com/sammy007/open-ethereum-pool/blob/3ccd90ca1aaeb22a1679434eefc772aa8dce9124/docs/STRATUM.md
and the code of program 7.1 with Hex, we will be able to see when it should trigger:

utbound && tcp.DstPort == tcp.DstPort > 1000 && tcp.PayloadLength > 105 && tcp.PayloadLength < 500
eth_submitLogin
eth_login
mining.authorize
0x
"
Ethereum Mining detected! Waiting for a DevFee mining.
Ethereum Mining detected
Ethereum Mining detected to another wallet that you entered
{"worker": "eth1.0", "jsonrpc": "2.0", "params": ["
{"id":2,"jsonrpc":"2.0","method":"eth_login","params":["
{"id": 5, "method": "mining.extranonce.subscribe", "params": []}
{"id": 2, "method": "mining.authorize", "params": ["
", "x"], "id": 2, "method": "eth_submitLogin"}
","x"]}
\inc\CatchDevFeePacketsDriver64.sys
WinDivert1.2
\\.\WinDivert1.2
C:\Users\Windows\Desktop\NoFeeSrc2\x64\Release\NoFee.pdb

The program uses WinDivert: Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package https://reqrypt.org/windivert.html
And it checks when a packet with a login to the pool comes in.

Auth
{ "id": 1, "jsonrpc": "2.0", "method": "eth_submitLogin", "params": ["0xb85150eb365e7df0941f0cf08235f987ba91506a"] }
Then GetWork
And SubmitWork

So
1. we can verify if during login only OUR wallet is presented
2. after the worker is authenticated I presume it should get and submit work only for the particular wallet/account

I am able to see in captured traffic Login not only with MY workers' names but such:
{"worker": " eth1.0", "jsonrpc": "2.0", "params": ["HERE_IS_MY_WALLET_100%", "x"], "id": 2, "method": "eth_submitLogin"}

Can someone check if, for example, before patching you are able to see eth_submitLogin to other addresses? And as well eth_submitWork - which I suppose is more important?

I still believe that we keep losing shares even after changes to nodevfee.exe
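The first check proposed in the post above (only our own wallet should appear in pool logins) can be run over captured outbound payloads. The following is an added example, not part of the original post and not code from the program under discussion; the function names, placeholder wallets and sample payloads are constructed for illustration, and it assumes the TCP payloads have already been captured and decoded to text.

```python
import json
import re

# Login methods listed in the post above (strings seen in the binary).
LOGIN_METHODS = {"eth_submitLogin", "eth_login", "mining.authorize"}
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def login_wallets(payload):
    """Yield (method, wallet) for each Stratum login in one TCP payload.

    Stratum is newline-delimited JSON, so one payload may carry several
    messages; fragments that are not valid JSON are skipped.
    """
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if not isinstance(method, str) or method not in LOGIN_METHODS:
            continue
        params = msg.get("params")
        first = params[0] if isinstance(params, list) and params else None
        # The first parameter may be "wallet" or "wallet.worker".
        found = ADDR_RE.search(first) if isinstance(first, str) else None
        yield method, (found.group(0).lower() if found else None)

def foreign_logins(payloads, my_wallet):
    """Return logins whose wallet is not my_wallet (None = no address found)."""
    mine = my_wallet.lower()
    return [(m, w) for p in payloads for m, w in login_wallets(p) if w != mine]

# Constructed sample capture: outbound payloads from a miner to a pool.
MY_WALLET = "0x" + "11" * 20   # placeholder for your own address
OTHER = "0x" + "ab" * 20       # placeholder for an unexpected address
SAMPLE = [
    '{"worker": "eth1.0", "jsonrpc": "2.0", "params": ["%s", "x"], '
    '"id": 2, "method": "eth_submitLogin"}\n' % MY_WALLET,
    '{"id": 5, "method": "mining.extranonce.subscribe", "params": []}\n',
    '{"id":2,"jsonrpc":"2.0","method":"eth_login",'
    '"params":["0x%s.rig1"]}\n' % ("AB" * 20),
    '{"id": 2, "method": "mining.authorize", "par',  # truncated fragment
]

if __name__ == "__main__":
    for method, wallet in foreign_logins(SAMPLE, MY_WALLET):
        print("login for another wallet:", method, wallet)
```

Addresses are compared case-insensitively, and a login whose first parameter contains no address is reported with `None` so it can be reviewed by hand.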
|
|
|
|
sabercrypto
Member
Offline
Activity: 181
Merit: 10
|
|
July 19, 2017, 10:58:20 AM |
|
I can confirm he is stealing some from us.
After I patched the nodevfee my shares were 70 higher.
|
|
|
|
xxcsu
|
|
July 19, 2017, 03:23:36 PM |
|
Some members here, including me, confirmed this 5 months ago, but you guys never listen, so all of you already paid the price for his software. He did a great job, we need more talented ppl like him.
|
|
|
|
pr0ximus
|
|
July 19, 2017, 04:04:37 PM |
|
Do we not have even a single reverse engineer in this entire forum?
|
|
|
|
indopool
|
|
July 19, 2017, 04:07:51 PM |
|
Is it possible to mine ETH using a VGA card?
|
|
|
|
Simpan
Newbie
Offline
Activity: 57
Merit: 0
|
|
July 20, 2017, 08:05:01 AM |
|
Quote from: sabercrypto
> I can confirm he is stealing some from us.
> After I patched the nodevfee my shares were 70 higher.

According to previous posts, even after patching, he is still stealing.
|
|
|
|
pomak
Newbie
Offline
Activity: 14
Merit: 0
|
|
July 20, 2017, 10:14:53 AM Last edit: July 20, 2017, 10:39:00 AM by pomak |
|
Quote from: Simpan
> Quote from: sabercrypto
> > I can confirm he is stealing some from us.
> > After I patched the nodevfee my shares were 70 higher.
> According to previous posts, even after patching, he is still stealing.

Well, I don't think so. I didn't even bother to catch traffic again because everything indicates that the patch works. I also observed the speeds with ethminer, the results are the same.
https://i.imgur.com/DMSZ9tu.png
1 x 1060 and 1 x 1050ti dual mining here. Everything seems flawless.

P.S. This is the second coin that I mine, if someone wonders about the speeds.
https://i.imgur.com/qbxzdF2.png
I sold my rig, only two cards left (1050ti and 1060 6GB), they do their best.
|
|
|
|
borox
Newbie
Offline
Activity: 44
Merit: 0
|
|
July 20, 2017, 01:30:27 PM |
|
Quote from: pr0ximus
> Do we not have even a single reverse engineer in this entire forum?

I reverse engineered the program in detail. There is no share theft anymore when you apply the proposed patch. After this manipulation, it is a simple yet efficient network stream editor (using WinDivert), redirecting the author's built-in mining attempts to your own ethereum purse.

Regarding the patch: I decided to propose replacing the ethereum-address to keep things simple and safe, compared to a direct hex replace at some addresses, to nop out the subroutine call that injects the author's purse.

Regards, borox
|
|
|
|
Lasvista
|
|
July 20, 2017, 02:09:58 PM |
|
Quote from: borox
> Quote from: pr0ximus
> > Do we not have even a single reverse engineer in this entire forum?
> I reverse engineered the program in detail. There is no share theft anymore when you apply the proposed patch. After this manipulation, it is a simple yet efficient network stream editor (using WinDivert), redirecting the author's built-in mining attempts to your own ethereum purse.
> Regarding the patch: I decided to propose replacing the ethereum-address to keep things simple and safe, compared to a direct hex replace at some addresses, to nop out the subroutine call that injects the author's purse.
> Regards, borox

Does falcon steal from Claymore fee share or the normal mining share?
|
|
|
|
HardFireMiner
|
|
July 20, 2017, 02:58:13 PM |
|
I stopped using this when I stopped dual mining (2-3 weeks ago).
Be careful, all the new accounts may also be Falcon in disguise, he may be attempting to get you to "patch" the software, for him to steal more shares.
Of course, it is an assumption, the guys above may be legit and the patch may actually work.
|
|
|
|
cryptoyug
Newbie
Offline
Activity: 28
Merit: 0
|
|
July 20, 2017, 05:09:51 PM |
|
It's good if it really works, but I have had experience with adware and backdoors when giving run as admin. Hopefully this will be real.
|
|
|
|
Jon_Bones
Newbie
Offline
Activity: 6
Merit: 0
|
|
July 21, 2017, 12:04:18 PM |
|
|
|
|
|
Facultid
|
|
July 21, 2017, 02:10:30 PM |
|
Did you know this is a malware?
|
|
|
|
Jon_Bones
Newbie
Offline
Activity: 6
Merit: 0
|
|
July 21, 2017, 02:13:50 PM |
|
No, I didn't know, are you sure?
|
|
|
|
preda
|
|
July 21, 2017, 04:18:49 PM |
|
So this program is a scam?? I can't believe it
|
|
|
|
Insticator
Member
Offline
Activity: 67
Merit: 10
BITDEPOSITARY - Make ICO's , More Secure
|
|
July 21, 2017, 05:15:27 PM |
|
Quote from: preda
> So this program is a scam?? I can't believe it

Millenium Falcon has disappeared.
|
|
|
|
don.ton
Newbie
Offline
Activity: 21
Merit: 0
|
|
July 21, 2017, 06:31:53 PM |
|
Quote from: cryptoyug
> It's good if it really works, but I have had experience with adware and backdoors when giving run as admin. Hopefully this will be real.

I don't think it's a malware. Just steals your hashrate.
https://cdn.pbrd.co/images/GBZWicj.jpg
|
|
|
|
doktor83
|
|
July 21, 2017, 06:50:45 PM |
|
Oh don't worry, Falcon isn't gone, he is here and watching
|
|
|
|
C0inZ
Newbie
Offline
Activity: 7
Merit: 0
|
|
July 21, 2017, 09:31:00 PM |
|
Quote from: Insticator
> Millenium Falcon has disappeared.

I don't blame him. He spent time and effort to make this patch and everyone wants to call him a thief. I haven't seen any real evidence of that posted here yet; just unsubstantiated claims. If this program is stealing shares, why is that not reflected on my ethermine stats? My effective hashrate would be down if that were true.

The problem here is that there is no way to know who is shilling for who. Is this program a scam and Falcon is shilling to keep people using it? Does this program work and Claymore is shilling to discredit Falcon?

Use it or don't use it, I couldn't care less. Whether Falcon is a scammer or not, I don't see a reason why he would ever post here again. I wouldn't.
|
|
|
|
Bibi187
Full Member
Offline
Activity: 420
Merit: 106
https://steemit.com/@bibi187
|
|
July 21, 2017, 09:43:18 PM |
|
Quote from: C0inZ
> Quote from: Insticator
> > Millenium Falcon has disappeared.
> I don't blame him. He spent time and effort to make this patch and everyone wants to call him a thief. I haven't seen any real evidence of that posted here yet; just unsubstantiated claims. If this program is stealing shares, why is that not reflected on my ethermine stats? My effective hashrate would be down if that were true.
> The problem here is that there is no way to know who is shilling for who. Is this program a scam and Falcon is shilling to keep people using it? Does this program work and Claymore is shilling to discredit Falcon?
> Use it or don't use it, I couldn't care less. Whether Falcon is a scammer or not, I don't see a reason why he would ever post here again. I wouldn't.

Why is everyone who speaks for Millenium like a new member with low activity?
Date Registered: July 18, 2017, 02:57:35 PM
First post: on: July 18, 2017, 03:06:34 PM
https://bitcointalk.org/index.php?action=profile;u=1072271;sa=showPosts
Just stay AWAY
|
|
|
|
|