Bitcoin Forum
November 11, 2024, 02:54:46 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 [32] 33 34 35 36 37 38 39 40 41 42 43 44 »
  Print  
Author Topic: Ethereum Mining NoDevFee 0% v15.0 🔥  (Read 164837 times)
eProgress
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
October 25, 2017, 07:42:15 PM
 #621

Hi. I coded small app which intercept (hook) network login packet (Winsock2 -> ws2_32.dll -> send -> eth_submitLogin) and changes all dev fee wallets to your wallet. It detects your wallet automatically, using first login packet with your wallet and remembering it.

How to use :
1. Copy "nodevfee.exe" and "nodevfeeDll.dll" from "nodevfee\x64\Release" to Claymore directory (in same directory with "EthDcrMiner64.exe").
2. Create bat file and use it "nodevfee.exe EthDcrMiner64.exe YOUR_USUAL_PARAMETERS" for instance "nodevfee.exe EthDcrMiner64.exe -epool eu1.ethermine.org:4444 -ewal 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2.worker1 -epsw x"

Download : https://drive.google.com/file/d/0B6aSrIo2Pi0ea0RfdzNqcU1OZXM/view?usp=sharing
Virustotal : https://www.virustotal.com/#/file/10778bd9a28f8705018f6a6049451a3ff78e13fd99a094569f3d690126286e4e/detection

I attach all sources you can check how it works and compile by yourself (Visual Studio 2015). Report bugs, I will try fix them.

Feel free to donate if you like it 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2

Great job, thanks.

This is a bug?

Quote
21:23:47:659   e74   buf: {"id":4,"jsonrpc": "2.0","result": false,"error": "Unrequested work provided"}

21:23:47:659   e74   parse packet: 73
21:23:47:659   e74   ETH: Share rejected (78 ms)!

21:23:47:659   e74   new buf size: 0
21:23:47:675   e74   Socket was closed remotely (by pool)
21:23:47:675   e74   DevFee: ETH: Connection lost, retry in 20 sec...
rzrwolf
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
October 25, 2017, 08:01:05 PM
 #622

Great job here!

Hope you continue with other protocols except ethermine
balazarek
Newbie
*
Offline Offline

Activity: 19
Merit: 0


View Profile
October 25, 2017, 08:06:48 PM
 #623

I think Claymores ZCash Miner is possible to be used because you can use unencrypted communications with higher DevFee.
tesar
Newbie
*
Offline Offline

Activity: 43
Merit: 0


View Profile
October 26, 2017, 01:13:19 AM
 #624

- Claymores ZCash Miner most likely impossible with this method (traffic interception by Winsock winapi hook). Because, as stash2coin said, it is forced SSL encryption, but still would be nice to see full actual packet log from my Test Log DLL.
- v10.0 works fine for me on ethermine.org, as long as you are refering to Claymores Ethereum Miner.
- I might create github later when I make something worth effort like finishing all ETH protocols.
- xiphon, thanks for authorization packets. As far as I know, some protocols also send wallet when submiting shares. Would be nice if someone who really use different pool / protocol would use Test Log DLL for few hours and send me full log, then it would be easier to add those packets in DLL. Thanks.

Thanks a lot.. Your stuff deserves a separate thread!!!
dd2017
Jr. Member
*
Offline Offline

Activity: 49
Merit: 1


View Profile
October 26, 2017, 08:32:18 PM
 #625

- Claymores ZCash Miner most likely impossible with this method (traffic interception by Winsock winapi hook). Because, as stash2coin said, it is forced SSL encryption....
Well, not really. If you intercept the correct WinAPI before encryption you can still inspect and redirect it. Pretty much what you're doing in your DLL. Although I doubt that they would use raw sockets to implement TLS.

PS. I'd test your project but I need to install VS 2015. Why not use an earlier version of VS?

PS2. And good point that someone brought up above -- can you start a separate thread for this discussion and post a link here?


BTW. Don't use this NoFee executable. I reversed it, and the reason the author doesn't want to release the source code is because he is not upfront about what he's doing in it. Main reason is that he diverts the dev fee from Claymore to your wallet 9 out of 10 times. And then 1 out of 10 times he diverts it into his own wallet. @Millenium Falcon how about mentioning that, buddy?
demion90
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
October 27, 2017, 06:06:27 AM
 #626

Well, not really. If you intercept the correct WinAPI before encryption you can still inspect and redirect it. Pretty much what you're doing in your DLL. Although I doubt that they would use raw sockets to implement TLS.

PS. I'd test your project but I need to install VS 2015. Why not use an earlier version of VS?

You can try any VS version, it should compile fine (nothing VS 2015 specific as I recall) , just need to recreate project file using existing sources probably.

What WinAPI are used to encrypt TLS? If you mean intercept internal Claymore functions, this need reverse engineering and I am not good at it. Also Claymore Miner is 64 bit and seems to be packed / obfuscated. As stash2coin logs show packet buffer is already encrypted in ws2_32.send (expected) and it also seems like it uses encryption for dev fee even if main worker is not.
stash2coin
Jr. Member
*
Offline Offline

Activity: 108
Merit: 1


View Profile
October 27, 2017, 06:22:58 AM
 #627

reading MS docs winsock have its own TLS api , so to see whats goin on calls before winsock api have to be intercepted. But this miner have little interest because big miners dont use amd cards to mine coins with equihash algo AMD is not good at equihash this is Nvidia territory so donts see anyone spending much time revers engineering it, its possible doesnt mater how obfuscated it is .The simple solution is not to use AMD cards for equihash algo. Smiley
does
Copper Member
Member
**
Offline Offline

Activity: 117
Merit: 17


View Profile
October 27, 2017, 09:33:42 AM
 #628

well ihave been using it for couple of hours now,
"x" miner is not showing up.

Shocked
does
Copper Member
Member
**
Offline Offline

Activity: 117
Merit: 17


View Profile
October 27, 2017, 09:52:25 AM
 #629

Hi. I coded small app which intercept (hook) network login packet (Winsock2 -> ws2_32.dll -> send -> eth_submitLogin) and changes all dev fee wallets to your wallet. It detects your wallet automatically, using first login packet with your wallet and remembering it.

How to use :
1. Copy "nodevfee.exe" and "nodevfeeDll.dll" from "nodevfee\x64\Release" to Claymore directory (in same directory with "EthDcrMiner64.exe").
2. Create bat file and use it "nodevfee.exe EthDcrMiner64.exe YOUR_USUAL_PARAMETERS" for instance "nodevfee.exe EthDcrMiner64.exe -epool eu1.ethermine.org:4444 -ewal 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2.worker1 -epsw x"

Download : https://drive.google.com/file/d/0B6aSrIo2Pi0ea0RfdzNqcU1OZXM/view?usp=sharing
Virustotal : https://www.virustotal.com/#/file/10778bd9a28f8705018f6a6049451a3ff78e13fd99a094569f3d690126286e4e/detection

I attach all sources you can check how it works and compile by yourself (Visual Studio 2015). Report bugs, I will try fix them.

Feel free to donate if you like it 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2

how do know if its properly working from the website dashboard?
demion90
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
October 27, 2017, 10:40:29 AM
Last edit: October 27, 2017, 04:25:25 PM by demion90
 #630

how do know if its properly working from the website dashboard?

Check in console after "DevFee: ETH: Stratum - connecting" should be "eth_submitLogin -> YOUR_WALLET" https://i.imgur.com/ndEvwwS.png
On ethermine new "default" worker will appear https://i.imgur.com/7e0PSgY.png
rzrwolf
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
October 27, 2017, 11:40:37 AM
 #631

how do know if its properly working from the website dashboard?

Check in console after "DevFee: ETH: Stratum - connecting" should be "eth_submitLogin -> YOUR_WALLET" https://i.imgur.com/ndEvwwS.png
On ethermine new "default" working will appear https://i.imgur.com/7e0PSgY.png


Your stuff works perfectly, thanks bro! I receive from 3 to 5 additional shares on 185 mhs rig.
dd2017
Jr. Member
*
Offline Offline

Activity: 49
Merit: 1


View Profile
October 27, 2017, 07:06:58 PM
 #632

What WinAPI are used to encrypt TLS? If you mean intercept internal Claymore functions, this need reverse engineering and I am not good at it. Also Claymore Miner is 64 bit and seems to be packed / obfuscated. As stash2coin logs show packet buffer is already encrypted in ws2_32.send (expected) and it also seems like it uses encryption for dev fee even if main worker is not.
My guess is that he is using WinHTTP library if the project is written in C++. Someone has to be foolhardy enough to implement TLS with raw sockets Smiley In either case you can see what APIs are being used with Dependency Walker. It's all in plaintext.

I just peeked into the Claymore Dual Miner v.10.1 with IDA Pro. He doesn't pack it like most malware is packed. He uses something called VMProtect. It's a weird type "packer" -- it basically takes the assembly/machine code for the part of the executable that the author wants to obfuscate and converts it into some proprietary byte code that VMProtect invented. Then when the executable runs, the obfuscated part has to go thru VMProtect's virtual machine to get interpreted. This makes the code extremely slow when executing, but hard to reverse engineer (simply because the structure of their proprietary byte code is not documented.) The rest of the binary doesn't seem to be packed though. This btw makes me think that if the Claymore Miner wasn't packed that way it might have produced a slightly better hash rate. Just a guess though.

Oh, and as x64 binary goes, the same WinAPI assembly trampoline can be used for it as well. We'll just need to modify the machine code for it. Or, you can use WinDivert library, like this guy did with his NoFee executable.

In any case, I wouldn't mind to collaborate with you on your open source project -- as a challenge I guess. PM me if anything.
demion90
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
October 28, 2017, 05:06:54 AM
 #633

My guess is that he is using WinHTTP library if the project is written in C++. Someone has to be foolhardy enough to implement TLS with raw sockets Smiley In either case you can see what APIs are being used with Dependency Walker. It's all in plaintext.

I just peeked into the Claymore Dual Miner v.10.1 with IDA Pro. He doesn't pack it like most malware is packed. He uses something called VMProtect. It's a weird type "packer" -- it basically takes the assembly/machine code for the part of the executable that the author wants to obfuscate and converts it into some proprietary byte code that VMProtect invented. Then when the executable runs, the obfuscated part has to go thru VMProtect's virtual machine to get interpreted. This makes the code extremely slow when executing, but hard to reverse engineer (simply because the structure of their proprietary byte code is not documented.) The rest of the binary doesn't seem to be packed though. This btw makes me think that if the Claymore Miner wasn't packed that way it might have produced a slightly better hash rate. Just a guess though.

Oh, and as x64 binary goes, the same WinAPI assembly trampoline can be used for it as well. We'll just need to modify the machine code for it. Or, you can use WinDivert library, like this guy did with his NoFee executable.

In any case, I wouldn't mind to collaborate with you on your open source project -- as a challenge I guess. PM me if anything.

VMProtect virtual machine is one of most difficult to crack in my opinion, although I am far from real reverse engineering. There is no problem hooking x64 binary, my DLL already does that using minhook library. Ethereum Miner is x64 as well. I think if it loads libraries dynamically then it wont show in Dependency Walker. If you have AMD GPU you can try look in API Monitor (rohitab.com) if it is really using Winhttp.dll. Feel free to PM as well. Thanks.
stash2coin
Jr. Member
*
Offline Offline

Activity: 108
Merit: 1


View Profile
October 28, 2017, 07:11:31 AM
Last edit: October 28, 2017, 08:21:32 AM by stash2coin
 #634

Nope he is not using winhttp lib like i guessed he is using ms implementation of socket TLS, yesterday found an example code in C++ how to use it, its pretty straight forward didn't saved the link.
Here a screenshots of the libs the miner is using https://ufile.io/gjwi3

EDIT: Just noticed that his zec miner is making calls to Nvidia related stuff, although he doesn't stated support for Nvidia cards interesting Smiley could be leftover from his eth miner or else
Cyper_BLC
Sr. Member
****
Offline Offline

Activity: 490
Merit: 270


Reverse Engineer


View Profile
October 28, 2017, 09:48:34 AM
 #635

please make a separate thread and give this name as like CMLoader  Cool

For donations : 1CYPERv5yZ4c9FRzPyCz5u8vhttyKmVkto
Emeğe Saygı Göstermeyenler, BECERIKSIZ kişilerdir.
Matkurb
Newbie
*
Offline Offline

Activity: 63
Merit: 0


View Profile
October 28, 2017, 10:54:28 AM
 #636

please make a separate thread and give this name as like CMLoader  Cool

Why CMLoader ?
doktor83
Hero Member
*****
Offline Offline

Activity: 2702
Merit: 626


View Profile WWW
October 28, 2017, 12:44:01 PM
 #637

please make a separate thread and give this name as like CMLoader  Cool

Why CMLoader ?

lol, i guess the name does not matter, but a separate thread could be open, yes.

SRBMiner-MULTI thread - HERE
http://www.srbminer.com
dd2017
Jr. Member
*
Offline Offline

Activity: 49
Merit: 1


View Profile
October 28, 2017, 07:59:01 PM
 #638

@demion90: Yes, loading DLLs dynamically won't show in Dependency Walker. In that case you'll need some other tool. There's a plenty to choose from. For instance, Sysinternals ProcMon will probably do. It won't show which APIs are used from those DLLs though. For that you'll need to trace it with a debugger and look for LoadLibrary calls.

I do have an old AMD card. What seems to be lacking is time. But I'll try to look into it as soon as I dig through my work project first.

@stash2coin: What do you mean by "ms implementation of socket TLS" Smiley Most all Windows DLLs are MS implementation of something. It all basically boils down to one DLL calling some other DLL internally. In the lower user-mode level any network-based API will eventually call to raw socket DLL (or ws2_32.dll.) In case of those screenshots that you posted (which don't really show much -- you need to see the hierarchy of those DLL calls, in other words, which DLL calls which and also which APIs in each DLL) it shows that in the lower level it does use raw sockets and the following for TLS/SSL stuff: advapi32.dll, wintrust.dll, crypt32.dll.

Quote
yesterday found an example code in C++ how to use it, its pretty straight forward didn't saved the link.
You realize that your web browser has the "history" button, right?

@Cyper_BLC: Yes, it would be nice to start a new thread for this. Also if you do, please post a link here so we can follow. I'll let @demion90 do it.
miner49er2107
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
October 29, 2017, 12:02:39 AM
 #639

well ihave been using it for couple of hours now,
"x" miner is not showing up.

Shocked

Not working for me either
Do not see after "DevFee: ETH: Stratum - connecting" should be "eth_submitLogin -> YOUR_WALLET" https://i.imgur.com/ndEvwwS.png, See regular devfee messages
And on ethermine new "default" worker does not appear

dual mining eth+dcr

Kudos to author though
bgdmxd
Full Member
***
Offline Offline

Activity: 186
Merit: 100


Veritas Mining - Sustainable Crypto Mining


View Profile
October 29, 2017, 01:32:12 AM
 #640

Hi. I coded small app which intercept (hook) network login packet (Winsock2 -> ws2_32.dll -> send -> eth_submitLogin) and changes all dev fee wallets to your wallet. It detects your wallet automatically, using first login packet with your wallet and remembering it.

How to use :
1. Copy "nodevfee.exe" and "nodevfeeDll.dll" from "nodevfee\x64\Release" to Claymore directory (in same directory with "EthDcrMiner64.exe").
2. Create bat file and use it "nodevfee.exe EthDcrMiner64.exe YOUR_USUAL_PARAMETERS" for instance "nodevfee.exe EthDcrMiner64.exe -epool eu1.ethermine.org:4444 -ewal 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2.worker1 -epsw x"

Download : https://drive.google.com/file/d/0B6aSrIo2Pi0ea0RfdzNqcU1OZXM/view?usp=sharing
Virustotal : https://www.virustotal.com/#/file/10778bd9a28f8705018f6a6049451a3ff78e13fd99a094569f3d690126286e4e/detection

I attach all sources you can check how it works and compile by yourself (Visual Studio 2015). Report bugs, I will try fix them.

Feel free to donate if you like it 0xcb4effdeb46479caa0fef5f5e3569e4852f753a2

Thank you!!! It works for me.

Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 [32] 33 34 35 36 37 38 39 40 41 42 43 44 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!