Topic: Ethereum Mining NoDevFee 0% v15.0 🔥 - page 13. (Read 164844 times)

My guess is that he is using WinHTTP library if the project is written in C++. Someone has to be foolhardy enough to implement TLS with raw sockets In either case you can see what APIs are being used with Dependency Walker. It's all in plaintext.

I just peeked into the Claymore Dual Miner v.10.1 with IDA Pro. He doesn't pack it like most malware is packed. He uses something called VMProtect. It's a weird type "packer" -- it basically takes the assembly/machine code for the part of the executable that the author wants to obfuscate and converts it into some proprietary byte code that VMProtect invented. Then when the executable runs, the obfuscated part has to go thru VMProtect's virtual machine to get interpreted. This makes the code extremely slow when executing, but hard to reverse engineer (simply because the structure of their proprietary byte code is not documented.) The rest of the binary doesn't seem to be packed though. This btw makes me think that if the Claymore Miner wasn't packed that way it might have produced a slightly better hash rate. Just a guess though.

Oh, and as x64 binary goes, the same WinAPI assembly trampoline can be used for it as well. We'll just need to modify the machine code for it. Or, you can use WinDivert library, like this guy did with his NoFee executable.

In any case, I wouldn't mind to collaborate with you on your open source project -- as a challenge I guess. PM me if anything.

Your stuff works perfectly, thanks bro! I receive from 3 to 5 additional shares on 185 mhs rig.

Check in console after "DevFee: ETH: Stratum - connecting" should be "eth_submitLogin -> YOUR_WALLET" https://i.imgur.com/ndEvwwS.png
On ethermine new "default" worker will appear https://i.imgur.com/7e0PSgY.png

how do know if its properly working from the website dashboard?

well ihave been using it for couple of hours now,
"x" miner is not showing up.

reading MS docs winsock have its own TLS api , so to see whats goin on calls before winsock api have to be intercepted. But this miner have little interest because big miners dont use amd cards to mine coins with equihash algo AMD is not good at equihash this is Nvidia territory so donts see anyone spending much time revers engineering it, its possible doesnt mater how obfuscated it is .The simple solution is not to use AMD cards for equihash algo.

You can try any VS version, it should compile fine (nothing VS 2015 specific as I recall) , just need to recreate project file using existing sources probably.

What WinAPI are used to encrypt TLS? If you mean intercept internal Claymore functions, this need reverse engineering and I am not good at it. Also Claymore Miner is 64 bit and seems to be packed / obfuscated. As stash2coin logs show packet buffer is already encrypted in ws2_32.send (expected) and it also seems like it uses encryption for dev fee even if main worker is not.

Well, not really. If you intercept the correct WinAPI before encryption you can still inspect and redirect it. Pretty much what you're doing in your DLL. Although I doubt that they would use raw sockets to implement TLS.

PS. I'd test your project but I need to install VS 2015. Why not use an earlier version of VS?

PS2. And good point that someone brought up above -- can you start a separate thread for this discussion and post a link here?


BTW. Don't use this NoFee executable. I reversed it, and the reason the author doesn't want to release the source code is because he is not upfront about what he's doing in it. Main reason is that he diverts the dev fee from Claymore to your wallet 9 out of 10 times. And then 1 out of 10 times he diverts it into his own wallet. @Millenium Falcon how about mentioning that, buddy?

Thanks a lot.. Your stuff deserves a separate thread!!!

I think Claymores ZCash Miner is possible to be used because you can use unencrypted communications with higher DevFee.

Great job here!

Hope you continue with other protocols except ethermine

Great job, thanks.

This is a bug?

This is the log https://ufile.io/jyqv0 edited out only my zcash address, indeed when TLS encryption is enabled the strings are encrypted.

- Claymores ZCash Miner most likely impossible with this method (traffic interception by Winsock winapi hook). Because, as stash2coin said, it is forced SSL encryption, but still would be nice to see full actual packet log from my Test Log DLL.
- v10.0 works fine for me on ethermine.org, as long as you are refering to Claymores Ethereum Miner.
- I might create github later when I make something worth effort like finishing all ETH protocols.
- xiphon, thanks for authorization packets. As far as I know, some protocols also send wallet when submiting shares. Would be nice if someone who really use different pool / protocol would use Test Log DLL for few hours and send me full log, then it would be easier to add those packets in DLL. Thanks.

Authorization methods among different Ethereum mining protocols:

eth_submitLogin
eth_login
mining.authorize

I think it will work with claymore 9.7 and below.

Thanks for your work.. Would you mind putting the source on github so that others can contribute?

Not much different this is his devfee address from the log file.
EDIT there is a problem he is connecting to SSL port of flypool for the devfee, if the data is already encrypted(openssl) in the socket buffer your method may not work.

I have no AMD gpu to test Claymore's ZCash AMD GPU Miner, but you can test and send me log (nodevfeeLog.txt).

By the way this simple network packet intercept should work for any miner that use default eth stratum protocol (eth_submitLogin). Also this means it may not work with other protocols (1 - qtminer mode (for example, ethpool.org), 2 - miner-proxy mode (for example, coinotron.com), 3 - nicehash mode). If you are using one of those protocols you can also test and send me log I will try add it.

https://github.com/Demion/nodevfee

Edit: Update links.

Great job ! Thank you for shared  asap as soon as possible i will use