SMB_Treec_ANDX works properly, share connection now works

This commit is contained in:
Christopher Shepherd 2015-05-24 21:52:32 -04:00
parent da4392f782
commit a9bc75e5f6
4 changed files with 194 additions and 95 deletions

View File

@ -1,7 +1,6 @@
CIFS / SMB2 navel gazing, in 65816 assembly. CIFS / SMB2 navel gazing, in 65816 assembly.
5/24/2015 - Current status: Connects on port 445, completes Protocol Negotiation, successfully sends login (on Setup_ANDX message), obsolete LM (DES) style password. sends Tree_ANDX message. 5/24/2015 - Current status: Connects on port 445, completes Protocol Negotiation, successfully sends login (on Setup_ANDX message), obsolete LM (DES) style password. sends successful Tree_ANDX message, thus connecting to a remote share.
.. Tree_ANDX gets ACCESS_DENIED because I need to save uid returned by Setup_ANDX reply. Also want to implement NTLMv1 hashing soon. But I'm done for today.
Build 'CMD.S' with Merlin32 and the included Library directory. Build 'CMD.S' with Merlin32 and the included Library directory.
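Review bot: the deleted status line also dropped the only mention of the NTLMv1 plan ("Also want to implement NTLMv1 hashing soon"), while the surviving text still describes the login as "obsolete LM (DES) style password"; if NTLMv1 is still intended, keep a one-line TODO for it so the README records that the LM-only login is a stopgap.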

View File

@ -1,35 +1,35 @@
10.0.2.55 = Apple IIgs running Marinetti 10.0.2.55 = Apple IIgs running Marinetti
10.0.2.1 = Raspberry Pi running A2SERVER, SMB credentials 'PI' / 'APPLE2' 10.0.2.1 = Raspberry Pi running A2SERVER, SMB credentials 'PI' / 'APPLE2'
20:52:32.366838 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.1 tell 10.0.2.55, length 46 21:48:02.295804 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.1 tell 10.0.2.55, length 46
0x0000: 0001 0800 0604 0001 000e 3aa2 a2a2 0a00 ..........:..... 0x0000: 0001 0800 0604 0001 000e 3aa2 a2a2 0a00 ..........:.....
0x0010: 0237 0000 0000 0000 0a00 0201 0101 0101 .7.............. 0x0010: 0237 0000 0000 0000 0a00 0201 0101 0101 .7..............
0x0020: 0101 0101 0101 0101 0101 0101 0101 .............. 0x0020: 0101 0101 0101 0101 0101 0101 0101 ..............
20:52:32.366980 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.2.1 is-at 8c:ae:4c:fe:6b:64, length 28 21:48:02.295940 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.2.1 is-at 8c:ae:4c:fe:6b:64, length 28
0x0000: 0001 0800 0604 0002 8cae 4cfe 6b64 0a00 ..........L.kd.. 0x0000: 0001 0800 0604 0002 8cae 4cfe 6b64 0a00 ..........L.kd..
0x0010: 0201 000e 3aa2 a2a2 0a00 0237 ....:......7 0x0010: 0201 000e 3aa2 a2a2 0a00 0237 ....:......7
20:52:35.388651 IP (tos 0x0, ttl 60, id 433, offset 0, flags [none], proto TCP (6), length 40) 21:48:05.318403 IP (tos 0x0, ttl 60, id 434, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.55.1025 > 10.0.2.1.445: Flags [S], cksum 0x1b18 (correct), seq 203369142, win 16384, length 0 10.0.2.55.1025 > 10.0.2.1.445: Flags [S], cksum 0x37ff (correct), seq 219876563, win 16384, length 0
0x0000: 4500 0028 01b1 0000 3c06 64e8 0a00 0237 E..(....<.d....7 0x0000: 4500 0028 01b2 0000 3c06 64e7 0a00 0237 E..(....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2ab6 0000 0000 ..........*..... 0x0010: 0a00 0201 0401 01bd 0d1b 0cd3 0000 0000 ................
0x0020: 5002 4000 1b18 0000 0000 0000 0000 P.@........... 0x0020: 5002 4000 37ff 0000 0000 0000 0000 P.@.7.........
20:52:35.388985 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44) 21:48:05.318708 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
10.0.2.1.445 > 10.0.2.55.1025: Flags [S.], cksum 0x1856 (incorrect -> 0x22ff), seq 157212133, ack 203369143, win 14600, options [mss 1460], length 0 10.0.2.1.445 > 10.0.2.55.1025: Flags [S.], cksum 0x1856 (incorrect -> 0x0585), seq 647756553, ack 219876564, win 14600, options [mss 1460], length 0
0x0000: 4500 002c 0000 4000 4006 2295 0a00 0201 E..,..@.@."..... 0x0000: 4500 002c 0000 4000 4006 2295 0a00 0201 E..,..@.@.".....
0x0010: 0a00 0237 01bd 0401 095e dde5 0c1f 2ab7 ...7.....^....*. 0x0010: 0a00 0237 01bd 0401 269b fb09 0d1b 0cd4 ...7....&.......
0x0020: 6012 3908 1856 0000 0204 05b4 `.9..V...... 0x0020: 6012 3908 1856 0000 0204 05b4 `.9..V......
20:52:35.412344 IP (tos 0x0, ttl 60, id 434, offset 0, flags [none], proto TCP (6), length 40) 21:48:05.342031 IP (tos 0x0, ttl 60, id 435, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x33c4 (correct), seq 1, ack 1, win 16384, length 0 10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x164a (correct), seq 1, ack 1, win 16384, length 0
0x0000: 4500 0028 01b2 0000 3c06 64e7 0a00 0237 E..(....<.d....7 0x0000: 4500 0028 01b3 0000 3c06 64e6 0a00 0237 E..(....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2ab7 095e dde6 ..........*..^.. 0x0010: 0a00 0201 0401 01bd 0d1b 0cd4 269b fb0a ............&...
0x0020: 5010 4000 33c4 0000 0000 0000 0000 P.@.3......... 0x0020: 5010 4000 164a 0000 0000 0000 0000 P.@..J........
20:52:35.515110 IP (tos 0x0, ttl 60, id 435, offset 0, flags [none], proto TCP (6), length 91) 21:48:05.445169 IP (tos 0x0, ttl 60, id 436, offset 0, flags [none], proto TCP (6), length 91)
10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0xa7ad (correct), seq 1:52, ack 1, win 16384, length 51 10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0x8a33 (correct), seq 1:52, ack 1, win 16384, length 51
SMB PACKET: SMBnegprot (REQUEST) SMB PACKET: SMBnegprot (REQUEST)
SMB Command = 0x72 SMB Command = 0x72
Error class = 0x0 Error class = 0x0
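Review bot: the capture header still records the lab credentials 'PI' / 'APPLE2' in plaintext, and the same file carries the server challenge and the 24-byte LM response computed from that password; LM challenge/response gives little protection, so either state that this is a throwaway lab account or redact the credential line before the capture is committed.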
@ -45,21 +45,21 @@ smb_bcc=12
Dialect=NT LM 0.12 Dialect=NT LM 0.12
0x0000: 4500 005b 01b3 0000 3c06 64b3 0a00 0237 E..[....<.d....7 0x0000: 4500 005b 01b4 0000 3c06 64b2 0a00 0237 E..[....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2ab7 095e dde6 ..........*..^.. 0x0010: 0a00 0201 0401 01bd 0d1b 0cd4 269b fb0a ............&...
0x0020: 5018 4000 a7ad 0000 0000 002f ff53 4d42 P.@......../.SMB 0x0020: 5018 4000 8a33 0000 0000 002f ff53 4d42 P.@..3...../.SMB
0x0030: 7200 0000 0008 0100 0000 0000 0000 0000 r............... 0x0030: 7200 0000 0008 0100 0000 0000 0000 0000 r...............
0x0040: 0000 0000 0000 adde 0000 0100 000c 0002 ................ 0x0040: 0000 0000 0000 adde 0000 0100 000c 0002 ................
0x0050: 4e54 204c 4d20 302e 3132 00 NT.LM.0.12. 0x0050: 4e54 204c 4d20 302e 3132 00 NT.LM.0.12.
20:52:35.515348 IP (tos 0x0, ttl 64, id 42159, offset 0, flags [DF], proto TCP (6), length 40) 21:48:05.445411 IP (tos 0x0, ttl 64, id 29952, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.1.445 > 10.0.2.55.1025: Flags [.], cksum 0x1852 (incorrect -> 0x3a89), seq 1, ack 52, win 14600, length 0 10.0.2.1.445 > 10.0.2.55.1025: Flags [.], cksum 0x1852 (incorrect -> 0x1d0f), seq 1, ack 52, win 14600, length 0
0x0000: 4500 0028 a4af 4000 4006 7de9 0a00 0201 E..(..@.@.}..... 0x0000: 4500 0028 7500 4000 4006 ad98 0a00 0201 E..(u.@.@.......
0x0010: 0a00 0237 01bd 0401 095e dde6 0c1f 2aea ...7.....^....*. 0x0010: 0a00 0237 01bd 0401 269b fb0a 0d1b 0d07 ...7....&.......
0x0020: 5010 3908 1852 0000 P.9..R.. 0x0020: 5010 3908 1852 0000 P.9..R..
20:52:35.520444 IP (tos 0x0, ttl 64, id 42160, offset 0, flags [DF], proto TCP (6), length 141) 21:48:05.450385 IP (tos 0x0, ttl 64, id 29953, offset 0, flags [DF], proto TCP (6), length 141)
10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x147e (correct), seq 1:102, ack 52, win 14600, length 101 10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x05dd (correct), seq 1:102, ack 52, win 14600, length 101
SMB PACKET: SMBnegprot (REPLY) SMB PACKET: SMBnegprot (REPLY)
SMB Command = 0x72 SMB Command = 0x72
Error class = 0x0 Error class = 0x0
@ -78,35 +78,35 @@ MaxMux=50 (0x32)
NumVcs=1 (0x1) NumVcs=1 (0x1)
MaxBuffer=16644 (0x4104) MaxBuffer=16644 (0x4104)
RawSize=65536 (0x10000) RawSize=65536 (0x10000)
SessionKey=0x7B87 SessionKey=0x7F5E
Capabilities=0x80F3FD Capabilities=0x80F3FD
ServerTime=Sun May 24 20:52:37 2015 ServerTime=Sun May 24 21:48:06 2015
TimeZone=240 (0xf0) TimeZone=240 (0xf0)
CryptKey=Data: (1 bytes) CryptKey=Data: (1 bytes)
[000] 08 \0x08 [000] 08 \0x08
smb_bcc=28 smb_bcc=28
[000] DE 72 D3 20 93 D9 DE 54 57 00 4F 00 52 00 4B 00 \0xder\0xd3 \0x93\0xd9\0xdeT W\0x00O\0x00R\0x00K\0x00 [000] 19 2A FC F4 00 99 70 E1 57 00 4F 00 52 00 4B 00 \0x19*\0xfc\0xf4\0x00\0x99p\0xe1 W\0x00O\0x00R\0x00K\0x00
[010] 47 00 52 00 4F 00 55 00 50 00 00 00 G\0x00R\0x00O\0x00U\0x00 P\0x00\0x00\0x00 [010] 47 00 52 00 4F 00 55 00 50 00 00 00 G\0x00R\0x00O\0x00U\0x00 P\0x00\0x00\0x00
0x0000: 4500 008d a4b0 4000 4006 7d83 0a00 0201 E.....@.@.}..... 0x0000: 4500 008d 7501 4000 4006 ad32 0a00 0201 E...u.@.@..2....
0x0010: 0a00 0237 01bd 0401 095e dde6 0c1f 2aea ...7.....^....*. 0x0010: 0a00 0237 01bd 0401 269b fb0a 0d1b 0d07 ...7....&.......
0x0020: 5018 3908 147e 0000 0000 0061 ff53 4d42 P.9..~.....a.SMB 0x0020: 5018 3908 05dd 0000 0000 0061 ff53 4d42 P.9........a.SMB
0x0030: 7200 0000 0088 0340 0000 0000 0000 0000 r......@........ 0x0030: 7200 0000 0088 0340 0000 0000 0000 0000 r......@........
0x0040: 0000 0000 0000 adde 0000 0100 1100 0003 ................ 0x0040: 0000 0000 0000 adde 0000 0100 1100 0003 ................
0x0050: 3200 0100 0441 0000 0000 0100 877b 0000 2....A.......{.. 0x0050: 3200 0100 0441 0000 0000 0100 5e7f 0000 2....A......^...
0x0060: fdf3 8000 478b 0b17 8596 d001 f000 081c ....G........... 0x0060: fdf3 8000 b789 d6d7 8c96 d001 f000 081c ................
0x0070: 00de 72d3 2093 d9de 5457 004f 0052 004b ..r.....TW.O.R.K 0x0070: 0019 2afc f400 9970 e157 004f 0052 004b ..*....p.W.O.R.K
0x0080: 0047 0052 004f 0055 0050 0000 00 .G.R.O.U.P... 0x0080: 0047 0052 004f 0055 0050 0000 00 .G.R.O.U.P...
20:52:35.573336 IP (tos 0x0, ttl 60, id 436, offset 0, flags [none], proto TCP (6), length 40) 21:48:05.503428 IP (tos 0x0, ttl 60, id 437, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x332c (correct), seq 52, ack 102, win 16384, length 0 10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x15b2 (correct), seq 52, ack 102, win 16384, length 0
0x0000: 4500 0028 01b4 0000 3c06 64e5 0a00 0237 E..(....<.d....7 0x0000: 4500 0028 01b5 0000 3c06 64e4 0a00 0237 E..(....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2aea 095e de4b ..........*..^.K 0x0010: 0a00 0201 0401 01bd 0d1b 0d07 269b fb6f ............&..o
0x0020: 5010 4000 332c 0000 0000 0000 0000 P.@.3,........ 0x0020: 5010 4000 15b2 0000 0000 0000 0000 P.@...........
20:52:35.813123 IP (tos 0x0, ttl 60, id 437, offset 0, flags [none], proto TCP (6), length 183) 21:48:05.743170 IP (tos 0x0, ttl 60, id 438, offset 0, flags [none], proto TCP (6), length 183)
10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0xba94 (correct), seq 52:195, ack 102, win 16384, length 143 10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0xf1d1 (correct), seq 52:195, ack 102, win 16384, length 143
SMB PACKET: SMBsesssetupX (REQUEST) SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command = 0x73 SMB Command = 0x73
Error class = 0x0 Error class = 0x0
@ -124,35 +124,35 @@ Off2=0 (0x0)
MaxBuffer=16644 (0x4104) MaxBuffer=16644 (0x4104)
MaxMpx=50 (0x32) MaxMpx=50 (0x32)
VcNumber=1 (0x1) VcNumber=1 (0x1)
SessionKey=0x7B87 SessionKey=0x7F5E
CaseInsensitivePasswordLength=24 (0x18) CaseInsensitivePasswordLength=24 (0x18)
CaseSensitivePasswordLength=0 (0x0) CaseSensitivePasswordLength=0 (0x0)
Res=0x0 Res=0x0
Capabilities=0x80F3FD Capabilities=0x80F3FD
Pass1&Pass2&Account&Domain&OS&LanMan= Pass1&Pass2&Account&Domain&OS&LanMan=
smb_bcc=78 smb_bcc=78
[000] 3D 4A 44 9B 3F 99 4A 26 57 D1 60 91 92 B2 DF 7F =JD\0x9b?\0x99J& W\0xd1`\0x91\0x92\0xb2\0xdf\0x7f [000] 03 A2 EF AF 3B 63 80 33 F2 40 F0 26 71 F0 32 04 \0x03\0xa2\0xef\0xaf;c\0x803 \0xf2@\0xf0&q\0xf02\0x04
[010] DE 82 B4 88 25 09 78 8E 00 00 00 00 00 00 00 00 \0xde\0x82\0xb4\0x88%\0x09x\0x8e \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 [010] CC BE F5 3D 4C DA 94 68 00 00 00 00 00 00 00 00 \0xcc\0xbe\0xf5=L\0xda\0x94h \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[030] 50 49 00 57 4F 52 4B 47 52 4F 55 50 00 47 53 2F PI\0x00WORKG ROUP\0x00GS/ [030] 50 49 00 57 4F 52 4B 47 52 4F 55 50 00 47 53 2F PI\0x00WORKG ROUP\0x00GS/
[040] 4F 53 00 41 70 70 6C 65 20 49 49 67 73 00 OS\0x00Apple IIgs\0x00 [040] 4F 53 00 41 70 70 6C 65 20 49 49 67 73 00 OS\0x00Apple IIgs\0x00
0x0000: 4500 00b7 01b5 0000 3c06 6455 0a00 0237 E.......<.dU...7 0x0000: 4500 00b7 01b6 0000 3c06 6454 0a00 0237 E.......<.dT...7
0x0010: 0a00 0201 0401 01bd 0c1f 2aea 095e de4b ..........*..^.K 0x0010: 0a00 0201 0401 01bd 0d1b 0d07 269b fb6f ............&..o
0x0020: 5018 4000 ba94 0000 0000 008b ff53 4d42 P.@..........SMB 0x0020: 5018 4000 f1d1 0000 0000 008b ff53 4d42 P.@..........SMB
0x0030: 7300 0000 0008 0100 0000 0000 0000 0000 s............... 0x0030: 7300 0000 0008 0100 0000 0000 0000 0000 s...............
0x0040: 0000 0000 0000 adde 0000 0100 0dff 0000 ................ 0x0040: 0000 0000 0000 adde 0000 0100 0dff 0000 ................
0x0050: 0004 4132 0001 0087 7b00 0018 0000 0000 ..A2....{....... 0x0050: 0004 4132 0001 005e 7f00 0018 0000 0000 ..A2...^........
0x0060: 0000 00fd f380 004e 003d 4a44 9b3f 994a .......N.=JD.?.J 0x0060: 0000 00fd f380 004e 0003 a2ef af3b 6380 .......N.....;c.
0x0070: 2657 d160 9192 b2df 7fde 82b4 8825 0978 &W.`.........%.x 0x0070: 33f2 40f0 2671 f032 04cc bef5 3d4c da94 3.@.&q.2....=L..
0x0080: 8e00 0000 0000 0000 0000 0000 0000 0000 ................ 0x0080: 6800 0000 0000 0000 0000 0000 0000 0000 h...............
0x0090: 0000 0000 0000 0000 0050 4900 574f 524b .........PI.WORK 0x0090: 0000 0000 0000 0000 0050 4900 574f 524b .........PI.WORK
0x00a0: 4752 4f55 5000 4753 2f4f 5300 4170 706c GROUP.GS/OS.Appl 0x00a0: 4752 4f55 5000 4753 2f4f 5300 4170 706c GROUP.GS/OS.Appl
0x00b0: 6520 4949 6773 00 e.IIgs. 0x00b0: 6520 4949 6773 00 e.IIgs.
20:52:35.815182 IP (tos 0x0, ttl 64, id 42161, offset 0, flags [DF], proto TCP (6), length 112) 21:48:05.745141 IP (tos 0x0, ttl 64, id 29954, offset 0, flags [DF], proto TCP (6), length 112)
10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x22b6 (correct), seq 102:174, ack 195, win 15544, length 72 10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x053c (correct), seq 102:174, ack 195, win 15544, length 72
SMB PACKET: SMBsesssetupX (REPLY) SMB PACKET: SMBsesssetupX (REPLY)
SMB Command = 0x73 SMB Command = 0x73
Error class = 0x0 Error class = 0x0
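Review bot: nothing in this request changed except the 24-byte LM response at smb_bcc offset [000], which follows the new server challenge from the negotiate reply; CaseSensitivePasswordLength is still 0, so the second response field is empty. That field is where the NT response goes when NTLMv1 is added, so no action is needed for this commit, only a note that the field is currently unused on purpose.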
@ -172,22 +172,22 @@ smb_bcc=27
[010] 00 57 4F 52 4B 47 52 4F 55 50 00 \0x00WORKGRO UP\0x00 [010] 00 57 4F 52 4B 47 52 4F 55 50 00 \0x00WORKGRO UP\0x00
0x0000: 4500 0070 a4b1 4000 4006 7d9f 0a00 0201 E..p..@.@.}..... 0x0000: 4500 0070 7502 4000 4006 ad4e 0a00 0201 E..pu.@.@..N....
0x0010: 0a00 0237 01bd 0401 095e de4b 0c1f 2b79 ...7.....^.K..+y 0x0010: 0a00 0237 01bd 0401 269b fb6f 0d1b 0d96 ...7....&..o....
0x0020: 5018 3cb8 22b6 0000 0000 0044 ff53 4d42 P.<."......D.SMB 0x0020: 5018 3cb8 053c 0000 0000 0044 ff53 4d42 P.<..<.....D.SMB
0x0030: 7300 0000 0088 0340 0000 0000 0000 0000 s......@........ 0x0030: 7300 0000 0088 0340 0000 0000 0000 0000 s......@........
0x0040: 0000 0000 0000 adde 6400 0100 03ff 0000 ........d....... 0x0040: 0000 0000 0000 adde 6400 0100 03ff 0000 ........d.......
0x0050: 0001 001b 0055 6e69 7800 5361 6d62 6120 .....Unix.Samba. 0x0050: 0001 001b 0055 6e69 7800 5361 6d62 6120 .....Unix.Samba.
0x0060: 332e 362e 3600 574f 524b 4752 4f55 5000 3.6.6.WORKGROUP. 0x0060: 332e 362e 3600 574f 524b 4752 4f55 5000 3.6.6.WORKGROUP.
20:52:35.865182 IP (tos 0x0, ttl 60, id 438, offset 0, flags [none], proto TCP (6), length 40) 21:48:05.795344 IP (tos 0x0, ttl 60, id 439, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x3255 (correct), seq 195, ack 174, win 16384, length 0 10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x14db (correct), seq 195, ack 174, win 16384, length 0
0x0000: 4500 0028 01b6 0000 3c06 64e3 0a00 0237 E..(....<.d....7 0x0000: 4500 0028 01b7 0000 3c06 64e2 0a00 0237 E..(....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2b79 095e de93 ..........+y.^.. 0x0010: 0a00 0201 0401 01bd 0d1b 0d96 269b fbb7 ............&...
0x0020: 5010 4000 3255 0000 0000 0000 0000 P.@.2U........ 0x0020: 5010 4000 14db 0000 0000 0000 0000 P.@...........
20:52:35.981770 IP (tos 0x0, ttl 60, id 439, offset 0, flags [none], proto TCP (6), length 115) 21:48:05.911881 IP (tos 0x0, ttl 60, id 440, offset 0, flags [none], proto TCP (6), length 115)
10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0x0f64 (correct), seq 195:270, ack 174, win 16384, length 75 10.0.2.55.1025 > 10.0.2.1.445: Flags [P.], cksum 0x8de9 (correct), seq 195:270, ack 174, win 16384, length 75
SMB PACKET: SMBtconX (REQUEST) SMB PACKET: SMBtconX (REQUEST)
SMB Command = 0x75 SMB Command = 0x75
Error class = 0x0 Error class = 0x0
@ -196,7 +196,7 @@ Flags1 = 0x8
Flags2 = 0x1 Flags2 = 0x1
Tree ID = 0 (0x0) Tree ID = 0 (0x0)
Proc ID = 57005 (0xdead) Proc ID = 57005 (0xdead)
UID = 0 (0x0) UID = 100 (0x64)
MID = 1 (0x1) MID = 1 (0x1)
Word Count = 4 (0x4) Word Count = 4 (0x4)
Com2=0xFF Com2=0xFF
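Review bot: the request header now carries UID = 100 (0x64), the value handed back in the session setup reply, instead of 0; that is the actual fix for the earlier ACCESS_DENIED. Tree ID = 0 is correct here, since the tree-connect request is the message that obtains a TID.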
@ -210,40 +210,47 @@ smb_buf[]=
[010] 46 49 4C 45 53 00 3F 3F 3F 3F 3F 00 FILES\0x00?? ???\0x00 [010] 46 49 4C 45 53 00 3F 3F 3F 3F 3F 00 FILES\0x00?? ???\0x00
0x0000: 4500 0073 01b7 0000 3c06 6497 0a00 0237 E..s....<.d....7 0x0000: 4500 0073 01b8 0000 3c06 6496 0a00 0237 E..s....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2b79 095e de93 ..........+y.^.. 0x0010: 0a00 0201 0401 01bd 0d1b 0d96 269b fbb7 ............&...
0x0020: 5018 4000 0f64 0000 0000 0047 ff53 4d42 P.@..d.....G.SMB 0x0020: 5018 4000 8de9 0000 0000 0047 ff53 4d42 P.@........G.SMB
0x0030: 7500 0000 0008 0100 0000 0000 0000 0000 u............... 0x0030: 7500 0000 0008 0100 0000 0000 0000 0000 u...............
0x0040: 0000 0000 0000 adde 0000 0100 04ff 0000 ................ 0x0040: 0000 0000 0000 adde 6400 0100 04ff 0000 ........d.......
0x0050: 0000 0001 001c 0000 5c5c 4c49 5649 4e47 ........\\LIVING 0x0050: 0000 0001 001c 0000 5c5c 4c49 5649 4e47 ........\\LIVING
0x0060: 524f 4f4d 5c47 5346 494c 4553 003f 3f3f ROOM\GSFILES.??? 0x0060: 524f 4f4d 5c47 5346 494c 4553 003f 3f3f ROOM\GSFILES.???
0x0070: 3f3f 00 ??. 0x0070: 3f3f 00 ??.
20:52:35.982509 IP (tos 0x0, ttl 64, id 42162, offset 0, flags [DF], proto TCP (6), length 79) 21:48:05.932366 IP (tos 0x0, ttl 64, id 29955, offset 0, flags [DF], proto TCP (6), length 93)
10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x00a0 (correct), seq 174:213, ack 270, win 15544, length 39 10.0.2.1.445 > 10.0.2.55.1025: Flags [P.], cksum 0x6b3b (correct), seq 174:227, ack 270, win 15544, length 53
SMB PACKET: SMBtconX (REPLY) SMB PACKET: SMBtconX (REPLY)
SMB Command = 0x75 SMB Command = 0x75
Error class = 0x22 Error class = 0x0
Error code = 49152 (0xc000) Error code = 0 (0x0)
Flags1 = 0x88 Flags1 = 0x88
Flags2 = 0x3 Flags2 = 0x3
Tree ID = 0 (0x0) Tree ID = 1 (0x1)
Proc ID = 57005 (0xdead) Proc ID = 57005 (0xdead)
UID = 0 (0x0) UID = 100 (0x64)
MID = 1 (0x1) MID = 1 (0x1)
Word Count = 0 (0x0) Word Count = 3 (0x3)
NTError = STATUS_ACCESS_DENIED Com2=0xFF
smb_bcc=0 Off2=0 (0x0)
Data: (2 bytes)
[000] 01 00 \0x01\0x00
smb_bcc=8
ServiceType=A:
Data: (5 bytes)
[000] 4E 54 46 53 00 NTFS\0x00
0x0000: 4500 004f a4b2 4000 4006 7dbf 0a00 0201 E..O..@.@.}..... 0x0000: 4500 005d 7503 4000 4006 ad60 0a00 0201 E..]u.@.@..`....
0x0010: 0a00 0237 01bd 0401 095e de93 0c1f 2bc4 ...7.....^....+. 0x0010: 0a00 0237 01bd 0401 269b fbb7 0d1b 0de1 ...7....&.......
0x0020: 5018 3cb8 00a0 0000 0000 0023 ff53 4d42 P.<........#.SMB 0x0020: 5018 3cb8 6b3b 0000 0000 0031 ff53 4d42 P.<.k;.....1.SMB
0x0030: 7522 0000 c088 0340 0000 0000 0000 0000 u".....@........ 0x0030: 7500 0000 0088 0340 0000 0000 0000 0000 u......@........
0x0040: 0000 0000 0000 adde 0000 0100 0000 00 ............... 0x0040: 0000 0000 0100 adde 6400 0100 03ff 0000 ........d.......
0x0050: 0001 0008 0041 3a00 4e54 4653 00 .....A:.NTFS.
20:52:36.032426 IP (tos 0x0, ttl 60, id 440, offset 0, flags [none], proto TCP (6), length 40) 21:48:05.982835 IP (tos 0x0, ttl 60, id 441, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x31e3 (correct), seq 270, ack 213, win 16384, length 0 10.0.2.55.1025 > 10.0.2.1.445: Flags [.], cksum 0x145b (correct), seq 270, ack 227, win 16384, length 0
0x0000: 4500 0028 01b8 0000 3c06 64e1 0a00 0237 E..(....<.d....7 0x0000: 4500 0028 01b9 0000 3c06 64e0 0a00 0237 E..(....<.d....7
0x0010: 0a00 0201 0401 01bd 0c1f 2bc4 095e deba ..........+..^.. 0x0010: 0a00 0201 0401 01bd 0d1b 0de1 269b fbec ............&...
0x0020: 5010 4000 31e3 0000 0000 0000 0000 P.@.1......... 0x0020: 5010 4000 145b 0000 0000 0000 0000 P.@..[........
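Review bot: the success reply assigns Tree ID = 1 (0x1) and reports ServiceType=A: with filesystem NTFS; every later request on this share must echo that TID in its header the same way the UID is now echoed, and the capture does not yet show one. For reference, the old failure that tcpdump decoded as Error class 0x22 / code 0xc000 is the little-endian NT status 22 00 00 c0 at offset 0x31 of the raw dump, i.e. 0xC0000022 STATUS_ACCESS_DENIED, so the status is a 32-bit field, not a class/code pair.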

View File

@ -7,7 +7,7 @@
* Saturday, May 2, 2015 - Formatting fixes, refactoring, rewritten SMB Negotiation code * Saturday, May 2, 2015 - Formatting fixes, refactoring, rewritten SMB Negotiation code
* Saturday, May 9, 2015 - Receive and interpret NEG_PROT reply and start login * Saturday, May 9, 2015 - Receive and interpret NEG_PROT reply and start login
* Sunday, May 24, 2015 - Some bugfixes, Tool128 and Tool129 requirement for hashing and DES, LM password hashing support * Sunday, May 24, 2015 - Some bugfixes, Tool128 and Tool129 requirement for hashing and DES, LM password hashing support
* Also introducing SMB_Tree_ANDX message * Also introducing successful SMB_Tree_ANDX message. We connect to remote shares now.
* *
* REFERENCES * REFERENCES
* smb.c / smb.h from libOGC * smb.c / smb.h from libOGC
@ -719,7 +719,7 @@ sendloop4 PushWord #0000
jmp CTSClose3 jmp CTSClose3
noevent5 PushLong MySMBHandle noevent5 PushLong MySMBHandle
jsr SMB_Setup_Poll jsr SMB_TreeX_Poll
pla pla
bcc sendloop4 bcc sendloop4
@ -1254,7 +1254,7 @@ dialect_done sta SMB_staging+SMB_header_size+3,x ; do write the trailing zero
* SMB_Negotiate_Poll - Call me until I tell you to stop, to receive and complete SMB negotiation * SMB_Negotiate_Poll - Call me until I tell you to stop, to receive and complete SMB negotiation
* Arguments: * Arguments:
* SMB session handle (two words, on stock) * SMB session handle (two words, on stack)
* Things I return on stack: * Things I return on stack:
* Negotiation status (word) * Negotiation status (word)
* $0000 - Negotiation proceeding * $0000 - Negotiation proceeding
@ -1674,7 +1674,7 @@ SMB_LM_Response
* SMB_Setup_Poll - Call me until I tell you to stop, to receive and complete SMB setup * SMB_Setup_Poll - Call me until I tell you to stop, to receive and complete SMB setup
* Arguments: * Arguments:
* SMB session handle (two words, on stock) * SMB session handle (two words, on stack)
* Things I return on stack: * Things I return on stack:
* Setup status (word) * Setup status (word)
* $0000 - Setup proceeding * $0000 - Setup proceeding
@ -1726,6 +1726,17 @@ SMB_Setup_Poll
sf_trampoline jmp setup_failed sf_trampoline jmp setup_failed
sp_trampoline jmp setup_proceeding sp_trampoline jmp setup_proceeding
sft_far sft_far
lda SMB_input+SMB_offset_cmd
cmp #SMB_setup_ANDX
bne sp_trampoline ; punt if not setup_ANDX reply
lda SMB_input+SMB_offset_eclass
cmp #0000
bne sf_trampoline ; they returned an error, kbye
lda SMB_input+SMB_offset_uid
ldy #SMB_sess_uid-SMB_sess_begin
sta [SMB_sessid],y ; save returned UID
* TODO save far end's OS, Lan Manager, and Workgroup? * TODO save far end's OS, Lan Manager, and Workgroup?
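Review bot: if the accumulator is 16 bits wide here (the `cmp #0000` immediate suggests it is), `lda SMB_input+SMB_offset_cmd` / `cmp #SMB_setup_ANDX` compares the command byte together with the first status byte, so an error reply whose first status byte is nonzero (the capture's old failure begins `75 22`) fails the command match and takes `bne sp_trampoline`, reporting "proceeding" forever instead of "failed"; likewise `cmp #0000` on SMB_input+SMB_offset_eclass tests only the low word of the 32-bit NT status. Suggest masking the command byte (for example `and #$00FF` before the compare) and checking all four status bytes. The UID save itself (`lda SMB_input+SMB_offset_uid` / `sta [SMB_sessid],y`) looks right, and is exactly what the tree connect needed.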
@ -1748,7 +1759,6 @@ setup_proceeding
clc clc
rts rts
* *
* SMB_TreeAndX - Connect to the remote share * SMB_TreeAndX - Connect to the remote share
* Arguments: * Arguments:
@ -1834,6 +1844,89 @@ SMB_TreeAndX plx ; return address
clc clc
rts rts
* SMB_TreeX_Poll - Call me until I tell you to stop, to receive and complete SMB Tree_ANDX
* Arguments:
* SMB session handle (two words, on stack)
* Things I return on stack:
* Setup status (word)
* $0000 - Setup proceeding
* $0001 - Setup finished
* $0002 - Setup failed
* Carry flag set means you can stop calling me
SMB_TreeX_Poll
plx ; our return address
PullLong SMB_sessid ; your smb sessid
phx
_TCPIPPoll
PushWord #0000 ; space for result
ldy #SMB_sess_ipid-SMB_sess_begin
lda [SMB_sessid],y
pha ; push Marinetti IPID for this SMB_sessid
PushLong #statbuf
_TCPIPStatusTCP ; see if marinetti has anything for us
pla
cmp #terrNOCONNECTION
beq tf_trampoline
cmp #terrBADIPID
beq tf_trampoline
lda statbuf+8 ; get recvq size, low word
cmp #0000 ; yeah i know. for clarity.
beq tp_trampoline ; poll us again later, marinetti got nothing
PushWord #0000 ; space for result
ldy #SMB_sess_ipid-SMB_sess_begin
lda [SMB_sessid],y
pha ; push Marinetti IPID for this SMB_sessid
PushWord #0000 ; bufftype: static pre-allocated buffer
PushLong #SMB_input ; where it's all goin
PushLong #SMB_max_net_read_size
PushLong #readbuf
_TCPIPReadTCP
pla
cmp #terrNOCONNECTION
beq tf_trampoline
cmp #terrBADIPID
beq tf_trampoline
jsr _SMB_Check ; do basic check to make sure we received SMB data
bcs tp_trampoline ; if not, wait for them to send again i guess
bra tft_far
tf_trampoline jmp treex_failed
tp_trampoline jmp treex_proceeding
tft_far
lda SMB_input+SMB_offset_cmd
cmp #SMB_treec_ANDX
bne tp_trampoline ; punt if not setup_ANDX reply
lda SMB_input+SMB_offset_eclass
cmp #0000
bne tf_trampoline ; they returned an error, kbye
* TODO save remote servicetype or filesystem type?
treex_finished plx ; our return address
PushWord #0001 ; finished!
phx
sec
rts
treex_failed plx ; our return address
PushWord #0002 ; failure
phx
sec
rts
treex_proceeding
plx ; our return address
PushWord #0000 ; in progress
phx
clc
rts
* *
* SMB_OpenFile - Open a file on the remote share * SMB_OpenFile - Open a file on the remote share
* Arguments: * Arguments:
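Review bot: treex_finished returns $0001 without storing the Tree ID the server assigned (Tree ID = 1 (0x1) in the capture), although the matching code in SMB_Setup_Poll now stores the UID; SMB_OpenFile and every other request on the share must carry that TID, so add an `lda SMB_input+<tid offset>` / `ldy #SMB_sess_<tid field>-SMB_sess_begin` / `sta [SMB_sessid],y` sequence (using whatever symbols hold the TID, analogous to SMB_offset_uid and SMB_sess_uid) next to the servicetype TODO. Minor: the comment on `cmp #SMB_treec_ANDX` still reads "punt if not setup_ANDX reply", and the header comment lists "Setup status / Setup proceeding / Setup finished / Setup failed" for what is tree-connect status; both look copied from SMB_Setup_Poll.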

Binary file not shown.