All Activity


  1. Today
  2. /Fa listing: assembly code is your friend. Here is a WebClient debug version and assembly listing, and a WebClient.pdb for easier debugging of this exe. webclient.rar
  3. Hi kao, thanks for your files, so it seems to work (anyhow). But now the question is how I should handle the file to find all needed steps just by debugging that file. There is a lot, and this C or cpp source I can't really understand. Ok, I will try to debug that file, also if it will take much time to note all needed steps etc. greetz
  4. Here is the source with the schannel web client sample code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/cpp/mssdk/WebClient.c
     Here is the compiled executable from which you can rip the relevant ASM code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/WebClient.exe
     Attached is a slightly patched executable that you can use to test against https://forum.tuts4you.com (added a proper Host: header in the request). Use a command line like this:
     WebClient1.exe -sforum.tuts4you.com -p443 -findex.php >result.txt
     Result.txt will look like:
     ...
     Buffers[1].BufferType = SECBUFFER_DATA
     Decrypted data: 444 bytes
     0000 48 54 54 50 2f 31 2e 31:20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
     0010 0a 44 61 74 65 3a 20 4d:6f 6e 2c 20 32 30 20 46 .Date: Mon, 20 F
     0020 65 62 20 32 30 31 37 20:31 32 3a 34 33 3a 32 30 eb 2017 12:43:20
     0030 20 47 4d 54 0d 0a 53 65:72 76 65 72 3a 20 41 70  GMT..Server: Ap
     0040 61 63 68 65 0d 0a 45 78:70 69 72 65 73 3a 20 54 ache..Expires: T
     0050 68 75 2c 20 31 39 20 4e:6f 76 20 31 39 38 31 20 hu, 19 Nov 1981 
     0060 30 38 3a 35 32 3a 30 30:20 47 4d 54 0d 0a 43 61 08:52:00 GMT..Ca
     0070 63 68 65 2d 43 6f 6e 74:72 6f 6c 3a 20 6e 6f 2d che-Control: no-
     0080 73 74 6f 72 65 2c 20 6e:6f 2d 63 61 63 68 65 2c store, no-cache,
     0090 20 6d 75 73 74 2d 72 65:76 61 6c 69 64 61 74 65  must-revalidate
     00a0 2c 20 70 6f 73 74 2d 63:68 65 63 6b 3d 30 2c 20 , post-check=0, 
     00b0 70 72 65 2d 63 68 65 63:6b 3d 30 0d 0a 50 72 61 pre-check=0..Pra
     00c0 67 6d 61 3a 20 6e 6f 2d:63 61 63 68 65 0d 0a 58 gma: no-cache..X
     00d0 2d 58 53 53 2d 50 72 6f:74 65 63 74 69 6f 6e 3a -XSS-Protection:
     00e0 20 30 0d 0a 43 6f 6e 6e:65 63 74 69 6f 6e 3a 20  0..Connection: 
     00f0 63 6c 6f 73 65 0d 0a 53:65 74 2d 43 6f 6f 6b 69 close..Set-Cooki
     0100 65 3a 20 69 70 73 34 5f:49 50 53 53 65 73 73 69 e: ips4_IPSSessi
     0110 6f 6e 46 72 6f 6e 74 3d:37 32 32 36 65 36 32 61 onFront=7226e62a
     0120 61 37 34 62 61 38 62 39:39 36 30 34 61 63 35 62 a74ba8b99604ac5b
     0130 64 33 39 31 33 30 65 36:3b 20 70 61 74 68 3d 2f d39130e6; path=/
     0140 3b 20 73 65 63 75 72 65:3b 20 48 74 74 70 4f 6e ; secure; HttpOn
     0150 6c 79 0d 0a 53 74 72 69:63 74 2d 54 72 61 6e 73 ly..Strict-Trans
     0160 70 6f 72 74 2d 53 65 63:75 72 69 74 79 3a 20 6d port-Security: m
     0170 61 78 2d 61 67 65 3d 31:35 37 36 38 30 30 30 3b ax-age=15768000;
     0180 69 6e 63 6c 75 64 65 53:75 62 64 6f 6d 61 69 6e includeSubdomain
     0190 73 0d 0a 43 6f 6e 74 65:6e 74 2d 54 79 70 65 3a s..Content-Type:
     01a0 20 74 65 78 74 2f 68 74:6d 6c 3b 63 68 61 72 73  text/html;chars
     01b0 65 74 3d 55 54 46 2d 38:0d 0a 0d 0a             et=UTF-8....
     Buffers[1].BufferType = SECBUFFER_DATA
     Decrypted data: 7689 bytes
     0000 3c 21 44 4f 43 54 59 50:45 20 68 74 6d 6c 3e 0a <!DOCTYPE html>.
     0010 3c 68 74 6d 6c 20 6c 61:6e 67 3d 22 65 6e 2d 55 <html lang="en-U
     0020 53 22 20 64 69 72 3d 22:6c 74 72 22 3e 0a 09 3c S" dir="ltr">..<
     0030 68 65 61 64 3e 0a 09 09:3c 74 69 74 6c 65 3e 46 head>...<title>F
     0040 6f 72 75 6d 73 20 2d 20:54 75 74 73 20 34 20 59 orums - Tuts 4 Y
     0050 6f 75 3c 2f 74 69 74 6c:65 3e 0a 09 09 3c 21 2d ou</title>...<!-
     0060 2d 5b 69 66 20 6c 74 20:49 45 20 39 5d 3e 0a 09 -[if lt IE 9]>..
     0070 09 09 3c 6c 69 6e 6b 20:72 65 6c 3d 22 73 74 79 ..<link rel="sty
     0080 6c 65 73 68 65 65 74 22:20 74 79 70 65 3d 22 74 lesheet" type="t
     0090 65 78 74 2f 63 73 73 22:20 68 72 65 66 3d 22 68 ext/css" href="h
     00a0 74 74 70 73 3a 2f 2f 66:6f 72 75 6d 2e 74 75 74 ttps://forum.tut
     00b0 73 34 79 6f 75 2e 63 6f:6d 2f 75 70 6c 6f 61 64 s4you.com/upload
     00c0 73 2f 63 73 73 5f 62 75:69 6c 74 5f 31 2f 35 65 s/css_built_1/5e
     00d0 36 31 37 38 34 38 35 38:61 64 33 63 31 31 66 30 61784858ad3c11f0
     00e0 30 62 35 37 30 36 64 31:32 61 66 65 35 32 5f 69 0b5706d12afe52_i
     00f0 65 38 2e 63 73 73 2e 36:66 38 39 65 34 30 34 38 e8.css.6f89e4048
     0100 66 39 32 30 34 65 32 63:35 63 64 64 30 32 64 33 f9204e2c5cdd02d3
     0110 36 63 33 31 30 36 38 2e:63 73 73 22 3e 0a 09 09 6c31068.css">...
     0120 20 20 20 20 3c 73 63 72:69 70 74 20 73 72 63 3d     <script src=
     0130 22 2f 2f 66 6f 72 75 6d:2e 74 75 74 73 34 79 6f "//forum.tuts4yo
     0140 75 2e 63 6f 6d 2f 61 70:70 6c 69 63 61 74 69 6f u.com/applicatio
     0150 6e 73 2f 63 6f 72 65 2f:69 6e 74 65 72 66 61 63 ns/core/interfac
     0160 65 2f 68 74 6d 6c 35 73:68 69 76 2f 68 74 6d 6c e/html5shiv/html
     0170 35 73 68 69 76 2e 6a 73:22 3e 3c 2f 73 63 72 69 5shiv.js"></scri
     0180 70 74 3e 0a 09 09 3c 21:5b 65 6e 64 69 66 5d 2d pt>...<![endif]-
     0190 2d 3e 0a 09 09 0a 3c 6d:65 74 61 20 63 68 61 72 ->....<meta char
     01a0 73 65 74 3d 22 75 74 66:2d 38 22 3e 0a 0a 09 3c set="utf-8">...<
     ...
     As you can see, it works just fine. webclient1.rar
  5. Ted, Thank you, "Portable Executable File Format - A Reverse Engineer View.PDF" is very helpful.
  6. Nice... ASLR bypass on 22 architectures, using JS. Not exactly 'patchable' either....
  7. Yesterday
  8. Hi again, so I checked the internet again and found some info about schannel, and I also found a schannel inc & lib for MASM on my HDD, but I could not find any example code. So is this something I could maybe use too, to handle sites like T4Y or google with location resolve? greetz
  9. Easy
  10. Have you checked out the main page on this site? https://tuts4you.com/download.php?list.30 Ted.
  11. Regarding the code page: changing the codepage makes the right side of the characters unaligned. I did not go through all the codepages, there are dozens of them, but none of them (so far) except the predefined 'ascii' and 'extended ascii' aligns the right side, even if I pick the same font as Olly has. Is it possible to have the right side nicely aligned and at the same time have all the ASCII characters displayed? Noname.bmp
  12. http://reversingproject.info/wp-content/uploads/2009/05/an_in-depth_look_into_the_win32_portable_executable_file_format_part_1.pdf http://reversingproject.info/wp-content/uploads/2009/05/an_in-depth_look_into_the_win32_portable_executable_file_format_part_2.pdf An older article from Matt Pietrek: https://msdn.microsoft.com/en-us/library/ms809762.aspx
  13. Is there any good article/paper/post about PE mapping and/or unmapping?
  14. 1. Yes.
      2. Yes, select the right code page.
      3. No, you can see it in the edit dialog.
      4. Have been super busy recently, I will try to start updating it again soon.
      If you have any feature requests or bug reports, please create individual issues at http://issues.x64dbg.com
  15. I have a few questions.
      1. Why, when I want to dump memory to a file, does x64dbg force me to give the file name an extension? Is it necessary?
      2. Is it possible to see "all" the characters in the dump view window, like in Olly? The majority of them are represented now just as dots in x64dbg.
      3. Is it possible to see in the breakpoint tab the instruction to which a breakpoint is set?
      4. What happened to the blog? The last update was in December.
  16. Hi, thanks for your interest fearless, but as you can read above I am not looking for a WinInet solution and want to have a WinSock solution only. So if it's only working using WinSock + any extra SSL APIs etc., then I would be interested to see any example you know. I can't find any example in MASM for this, only some C or C++ code like I posted before in this topic, but I don't understand this whole C / C++ language thing to make any translation to MASM I could use later. That's the problem. greetz
  17. Last week
  18. Here is a basic test prog to fetch a t4y web page using wininet stuff. I used most of this code in a x64dbg plugin to download snapshot updates from github. I've re-purposed it for this test program. Hopefully it helps you, let me know how you get on or if you found it useful. Edit: I'm interested in this topic, so feel free to continue the discussion here. Cheers t4ytest.zip
  19. Well, since most of the discussion would not be of too much interest to others, I would be continuing the discussion via PM. Probably would post the final solution that we arrive at here, for anyone else referring to this thread down the road. If anyone else is following this thread with interest and would rather like the discussion done on the thread, please let us know. Cheers
  20. Hi, @GIV Would you like to add some Enigma API into your next UnpackMe? Salam.
  21. Thanks. I own an official license of EP :).
  22. Hi again, hmmm ok. So you mean WinInet functions do something to handle that SSL issue even if I have disabled it? I am not very familiar with using Wireshark. @Techlord Sure I do still need help and nothing is solved yet of course. Yes, I am always in a hurry if I don't understand something or can't find any solutions. So my main goal is to use WinSock only for everything, to successfully get access to all sites (like a browser) without using WinInet anymore (it's working slower and it's also limited), but the problem is that I get more success using WinInet instead of WinSock, and I don't want to use both anymore. So if I need this SSL / TLS thing for WinSock to get success then I would like to use WinSock with SSL, and then I could quit WinInet, but I still don't know how to implement it for a simple client, for example. If I see it right then there are just a few APIs I need to use from ssleay32.dll, but I don't get some C / C++ structs I need to use with that key pem thing etc. greetz
  23. So @LCF-AT, do you still need me to look into this issue or is it almost solved? When you PM-ed me a couple of days ago, I already told you that I would look into it during the weekend as I was (and am) busy till then. But I see that you already put up yet another post yesterday haha. Guess you are in a bit of a hurry .. hehe. Anyway, the problem is that since you want it to be in ASM, I would need to compile the SSL libraries from scratch on my computer. That would take time, and also converting the code to ASM would make it quite bulky, as I told you in the PM already. I have no problem (and it's also good) if others are helping out. But what I want to know is whether you would still need me to look into it or not ... Because I am not really a fan of re-duplication of efforts, if you know what I mean.. I do not want to waste time compiling the libraries etc. if someone else is already working on it, if you know what I mean... No offense of course, but just want to avoid re-duplication of efforts from our members here. Is anyone already (and continuing to) work on LCF-AT's issue? Cheers
      EDIT: As I was typing this out, I see that @kao had already posted another reply. One thing I want to add is that certain security configurations of websites could prevent you from accessing them from "unknown" apps. So as Kao says, it's well worth finding out whether it's the security configuration of the sites that's preventing you from accessing them. Having said that, I cannot comment further without knowing what exactly you are trying to accomplish with your code in the first place ...
  24. @Teddy Rogers should be able to answer specifics on how the server is configured. From the info you posted, it looks like T4Y works only over HTTPS, and WinInet does lots of stuff "behind the scenes", even if you don't explicitly tell it to. You could use Wireshark to capture packets for each request and see what exactly is happening.
  25. Hi kao, thanks for your answer but I am still confused. Info: about the complete URL. So it's just for the tool itself I made, so the first part gets checked and cut out and the rest will be used. Also, if there is no port info then I use standard port 80 as the default port. Now again some questions:
      1.) Is it now possible with WinSock without SSL (OpenSSL etc.) to get successful access to T4Y, for example, and get the right page content?
      2.) How can I check, from the response I get, whether I need to request a site with SSL?
      3.) Why do I get success using WinInet with and also without SSL flags on the T4Y site?

      Using WinInet with & without SSL flags
      GET /index.php HTTP/1.1
      Host: tuts4you.com
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 200 OK
      Page content all there and right....

      Using WinSock
      --------------------------------------
      GET /index.php HTTP/1.1
      Host: tuts4you.com
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 301 Moved Permanently
      Date: Fri, 17 Feb 2017 15:57:11 GMT
      Server: Apache
      Expires: Sat, 01 Jan 2000 00:00:00 GMT
      Cache-Control: must-revalidate
      Set-Cookie: SESSTUTS4YOUCOM=6efd7798c31d1e7dd2eac3b0b89222af; path=/; domain=.tuts4you.com
      Last-Modified: Fri, 17 Feb 2017 15:57:11 GMT
      Location: https://tuts4you.com/index.php
      Strict-Transport-Security: max-age=15768000;includeSubdomains
      Content-Length: 0
      Connection: close
      Content-Type: text/html; charset=UTF-8
      -----------------------------------------
      GET /index.php HTTP/1.1
      Host: tuts4you.com:443
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 301 Moved Permanently
      Date: Fri, 17 Feb 2017 15:59:32 GMT
      Server: Apache
      Expires: Sat, 01 Jan 2000 00:00:00 GMT
      Cache-Control: must-revalidate
      Set-Cookie: SESSTUTS4YOUCOM=76b7127e22f93deb8c9f415f1cedd435; path=/
      Last-Modified: Fri, 17 Feb 2017 15:59:32 GMT
      Location: https://tuts4you.com/index.php
      Strict-Transport-Security: max-age=15768000;includeSubdomains
      Content-Length: 0
      Connection: close
      Content-Type: text/html; charset=UTF-8
      ----------------------------------------
      GET /index.php HTTP/1.1
      Host: tuts4you.com:80
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 301 Moved Permanently
      Date: Fri, 17 Feb 2017 16:00:24 GMT
      Server: Apache
      Expires: Sat, 01 Jan 2000 00:00:00 GMT
      Cache-Control: must-revalidate
      Set-Cookie: SESSTUTS4YOUCOM=68bdd2ad43c8ec6997f31ed9481ff3b0; path=/
      Last-Modified: Fri, 17 Feb 2017 16:00:25 GMT
      Location: https://tuts4you.com/index.php
      Strict-Transport-Security: max-age=15768000;includeSubdomains
      Content-Length: 0
      Connection: close
      Content-Type: text/html; charset=UTF-8
      -------------------------------------------------
      GET /index.php HTTP/1.1
      Host: 198.57.187.53:443
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 301 Moved Permanently
      Date: Fri, 17 Feb 2017 16:01:11 GMT
      Server: Apache
      Expires: Sat, 01 Jan 2000 00:00:00 GMT
      Cache-Control: must-revalidate
      Set-Cookie: SESSTUTS4YOUCOM=86888b0965c546f6474a2a0f142c36f2; path=/
      Last-Modified: Fri, 17 Feb 2017 16:01:11 GMT
      Location: https://tuts4you.com/index.php
      Strict-Transport-Security: max-age=15768000;includeSubdomains
      Content-Length: 0
      Connection: close
      Content-Type: text/html; charset=UTF-8
      -----------------------------------------
      GET /index.php HTTP/1.1
      Host: 198.57.187.53:80
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 404 Not Found
      Date: Fri, 17 Feb 2017 16:01:35 GMT
      Server: Apache
      Accept-Ranges: bytes
      Strict-Transport-Security: max-age=15768000;includeSubdomains
      Connection: close
      Transfer-Encoding: chunked
      Content-Type: text/html
      -----------------------------------------
      So I don't get any successful access to the T4Y index.php site using WinSock. Is this because I don't use SSL (extra OpenSSL APIs etc.) or should it normally work anyhow, also without SSL? In the examples with WinInet it's also working without SSL flags, and that's the reason I wonder. So if it works with WinInet without SSL then it should also work with WinSock without SSL, or is something wrong anyhow?!? greetz
  26. You're violating all the standards for HTTP(S) requests (see RFC2616) in so many ways that I'm surprised it sometimes actually works..
      #1 - if you put an IP address in the "host" field, you'll get the webserver's default page back. One physical server can host multiple webs, so it really needs a correct host field to know which web you want to access.
      #2 - you should not put protocol and server name (aka "absolute URI") in the GET line. That syntax is reserved for proxies only ("To allow for transition to absoluteURIs in all requests in future versions of HTTP, all HTTP/1.1 servers MUST accept the absoluteURI form in requests, even though HTTP/1.1 clients will only generate them in requests to proxies.")
      As for your 3 examples, they are missing important data, like which port your client connected to and whether in reality it was an HTTP or HTTPS connection. My guess:
      1) https to port 443. Works as intended, even though it violates the RFCs I mentioned;
      2) http request to port 80, incorrectly specifies HTTPS and absolute URI in the GET. Server redirects to HTTPS, location field is broken because you used absolute URI. "Garbage in, garbage out"
      3) http request to port 80, incorrect host field. Server gives you the default web page. "Garbage in, garbage out"..
  27. Hi again, another question. So I have tested again a little the difference between WinSock & WinInet and found some issues. In the past I created 2 request ways, using one time the normal WinSock way and one time the WinInet way with SSL, to prevent the "moved permanently" 301 problem I get for some sites using the WinSock way. Today I checked a site with WinSock and got again this 301 message = no chance to bypass it, and using the WinInet way I got error 12029 on HttpSendRequest (can't create connection to server), and the problem in this case was using port 443 for SSL. Now I added another WinInet way using a normal http request without SSL, and there it's working and I get status 200 back + site content, and that's a thing I don't understand. So why is WinSock then not working to get status 200 (just only 301) while WinInet without SSL is working?!?
      SSL
      InternetConnect INTERNET_DEFAULT_HTTPS_PORT
      HttpOpenRequest INTERNET_FLAG_SECURE or INTERNET_FLAG_RELOAD
      Normal
      InternetConnect INTERNET_DEFAULT_HTTP_PORT
      HttpOpenRequest INTERNET_FLAG_RELOAD
      The normal way should be the same as the WinSock way
      --------------Normal----------------------------
      GET https://forum.tuts4you.com/ HTTP/1.1
      Host: forum.tuts4you.com
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 200 OK
      ------------------------------------------------
      --------------WinSock---------------------------
      GET https://forum.tuts4you.com/ HTTP/1.1
      Host: forum.tuts4you.com
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 301 Moved Permanently
      Location: https://forum.tuts4you.comhttps/forum.tuts4you.com/
      or
      GET https://forum.tuts4you.com/ HTTP/1.1
      Host: 198.57.187.53
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

      HTTP/1.1 200 OK
      But: the page content isn't the same as for WinInet
      <html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
      That's strange for me. So why is this T4Y site in that case working with the WinInet normal way without SSL, and normal WinSock not? So I thought I need to use extra SSL stuff for WinInet & WinSock to bypass these 301 moved permanently issues. So what's the difference here now? That's really bad. So let's say I build a tool to request sites, then I need to add 3 methods. First my fav using WinSock, and if this fails because of the 301 problem I need to switch to WinInet SSL, and if this fails because of connection problems with port 443 then I have to use WinInet without SSL. Uhhhhhh, what a puke. greetz
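A minimal client that does what this thread keeps circling around, written here as an added example rather than code from any of the posts or from the WebClient.c sample: Python's socket and ssl modules stand in for WinSock and Schannel, so what is left is exactly the part a WinSock client has to get right itself. It sends an origin-form request line with a correct Host header (no absolute URI, no bare IP), parses the response including Content-Length and chunked bodies (the 404 from the IP-address request was chunked), follows the 301 to the https Location by reconnecting with TLS, and reads Strict-Transport-Security so later requests to that host go straight to https. The host names, the User-Agent string and the two sample responses are constructed from the requests and headers posted above; the RFC 7230 section numbers are the current text of the RFC 2616 rules kao cites.

```python
"""Raw-socket HTTP/1.1 client that gets past the 301 -> https redirect.
Added example, not code from any post or from WebClient.c: socket/ssl stand in
for WinSock/Schannel, so the request, response and redirect handling is what a
WinSock client must do itself. Sample responses are constructed from the thread."""
import socket
import ssl
from urllib.parse import urljoin, urlsplit

USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
REDIRECT_CODES = {301, 302, 303, 307, 308}

def build_request(host, port, path, secure):
    """Origin-form request line plus Host header (RFC 7230 5.3.1 and 5.4).
    The absolute-URI form is for proxies; sent to an origin server it produced the
    doubled Location in the thread. Host carries the port only when non-default."""
    default_port = 443 if secure else 80
    host_header = host if port == default_port else f"{host}:{port}"
    return (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n"
            f"User-Agent: {USER_AGENT}\r\n\r\n").encode("ascii")

def dechunk(data):
    """Decode a chunked body (RFC 7230 4.1); extensions and trailers are ignored."""
    out = bytearray()
    while True:
        size_line, _, rest = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)
        if size == 0:
            return bytes(out)
        out += rest[:size]
        data = rest[size + 2:]  # skip the CRLF that ends the chunk

def parse_response(raw):
    """Split a complete raw response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body

def parse_hsts(value):
    """(max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subdomains = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def next_hop(scheme, host, port, path, status, headers):
    """(scheme, host, port, path) for the follow-up request, or None when done."""
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = urlsplit(urljoin(f"{scheme}://{host}:{port}{path}", headers["location"]))
    new_scheme = target.scheme.lower()
    new_port = target.port or (443 if new_scheme == "https" else 80)
    return new_scheme, target.hostname, new_port, target.path or "/"

def fetch(url, max_redirects=5, context=None):
    """Fetch url over a plain socket, switching to TLS when a redirect says so.
    create_default_context() verifies the certificate and sends SNI; a Schannel
    port has to verify the server certificate as well."""
    context = context or ssl.create_default_context()
    parts = urlsplit(url)
    scheme, host, path = parts.scheme.lower(), parts.hostname, parts.path or "/"
    port = parts.port or (443 if scheme == "https" else 80)
    for _ in range(max_redirects + 1):
        secure = scheme == "https"
        sock = socket.create_connection((host, port), timeout=15)
        if secure:
            sock = context.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(build_request(host, port, path, secure))
            raw = b"".join(iter(lambda: sock.recv(65536), b""))
        status, headers, body = parse_response(raw)
        hop = next_hop(scheme, host, port, path, status, headers)
        if hop is None:
            return status, headers, body
        scheme, host, port, path = hop
    raise RuntimeError("too many redirects")

# Constructed sample responses; the headers are the ones posted in the thread.
RESP_301 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
            b"Location: https://tuts4you.com/index.php\r\n"
            b"Strict-Transport-Security: max-age=15768000;includeSubdomains\r\n"
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")
RESP_404_CHUNKED = (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
                    b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
                    b"4\r\nNot \r\n5\r\nFound\r\n0\r\n\r\n")

if __name__ == "__main__":  # needs network: follows the 301 and re-fetches over TLS
    print(fetch("http://tuts4you.com/index.php")[0])
```

parse_response() assumes the whole response has already been read, which Connection: close guarantees; fetch() is the only part that needs the network. Feeding the Host: 198.57.187.53 case through next_hop() returns None because the server answered with its default page rather than a redirect, and feeding the doubled Location from the absolute-URI request through it yields the host forum.tuts4you.comhttps, which is kao's "garbage in, garbage out" made visible.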