On Tue, Aug 27, 2002 at 05:58:19AM +0930, Richard Sharpe wrote:

> Ummm, since SMBs are little endian, 00 58 is a large BCC. Much larger than
> 0x58.

1) rubbish. encapsulated packets - and SMB is used as a transport for many different things (other transports; at least two different totally separate RPC mechanisms; unlimited numbers of services; encapsulated authentication services which have nothing to do with SMB, the whole lot) all of these things have their own rules, none of which have anything to do with SMB.

2) ms has got it wrong _so_ many times that just doesn't hold true enough for you to make a blanket statement, "smbs are little-endian"

3) do your statistics.

on a sample of one, the statistical probability of 0x00 0x58 just _happening_ to be _exactly and coincidentally_ the same as the length of the UCS16 string is 1.5e-5 (1 in 65536).

on a sample of one, assuming instead that it's a single-byte length field and that the 0x00 is something else, then that probability is 0.004 (1 in 256).

on a sample of two, the probabilities go up to 1e-10 and 1e-5 respectively.

on a sample of three, it goes up to 1e-15 and 1e-7 or so.

so, my advice to you [no charge]: change the length of the string, diff the packets.

_nuts_ to whether ms got it right or not: this is reverse-engineering. you're only looking for "good enough to be convincing".

>
> > who do i send the bill to for my time?
>
> Hmmm, no comment.

*cackle* :)
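
The "change the length of the string, diff the packets" approach from the message above, sketched as an added example that is not part of the original post. The packet layout, the sample strings and the function names are constructed for the demonstration and are not a real SMB structure; the 44-character sample is chosen so the bytes before the string read 00 58.

```python
import struct

# Hypothetical field interpretations to test: name -> (width, struct format).
READERS = {"u8": (1, "B"), "u16le": (2, "<H"), "u16be": (2, ">H")}

def length_candidates(samples):
    """samples: list of (packet_bytes, known_string_length_in_bytes).
    Returns the (offset, reader) pairs whose decoded value equals the
    known string length in every sample seen."""
    survivors = None
    for packet, strlen in samples:
        hits = set()
        for name, (width, fmt) in READERS.items():
            for off in range(len(packet) - width + 1):
                if struct.unpack_from(fmt, packet, off)[0] == strlen:
                    hits.add((off, name))
        # A real length field must match in every capture, so intersect.
        survivors = hits if survivors is None else survivors & hits
    return survivors or set()

def make_packet(text):
    """Constructed capture (assumed layout): 4 fixed bytes, a 2-byte
    length written high byte first, then the string as UTF-16LE."""
    body = text.encode("utf-16-le")
    return b"\xffSMB" + struct.pack(">H", len(body)) + body, len(body)

# Constructed samples: same request, only the string length changes.
SAMPLES = [make_packet("X" * 44),    # 88 bytes  -> 00 58 on the wire
           make_packet("X" * 60),    # 120 bytes -> 00 78
           make_packet("X" * 200)]   # 400 bytes -> 01 90 (needs two bytes)

if __name__ == "__main__":
    for n in range(1, len(SAMPLES) + 1):
        found = sorted(length_candidates(SAMPLES[:n]))
        print(f"{n} sample(s): {len(found)} candidate(s)", found[:4])
```

With one capture, the 'X' characters (0x58) in the string itself also match the length by coincidence; the second capture removes those, and only a string longer than 255 bytes separates a one-byte length from a two-byte one.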