How to disable program visiting internet?

[alaphate]

Recently, I downloaded a free video to flv software.

It will check for update every time it starts up, and there's no option to disable it visiting its website.

For example, some freeware will download ads from its website.

Without internet connection, it will work fine.

The problem is how to disable it from visiting internet without using internet firewall.

I tried using winHex to replace its domain to ip address 0.0.0.0, but the application might encrypt its domain.

Windows hosts file may solve this problem, but it will not the best solution for sharing clean software to others.

I will appreciate your good suggestions.

Thank you in advance.

I coded a demo program. See Post #6 please.

Edited June 29, 2009 by alaphate

[Nacho_dj]

Very easy to solve without reversing anything: just install a firewall.

I am using Zone Alarm since don't like any program connecting to the internet. Voil

Edited June 27, 2009 by Nacho_dj

[high6]

Can have a dll detour the Connect function and block their ip.

[SunBeam]

bp InternetOpenA/W for starters. See if you get any results. If not, bp send/recv :-) Post feedback.

[mudlord]

I have been doing research into the exact same scenario.

I found it best to just trace the main APIs used for network connectivity and use Detours to alter them as needed.

[alaphate]

Thank you for replies, buddies.

I coded a small program which will download google's logo to the exe's folder and show a messagebox.

Could any buddy show me a real example how to disable it from visiting internet?

In this program, I used URLDownloadToFile API.

Another question, see the next post.

Thank you.

downgif.zip

Edited June 29, 2009 by alaphate

[alaphate]

I coded another demo program.

In this program, it will download google's logo gif, then show a messagebox, then download google's homepage.

Question is how to disable it from visiting internet before showing messagebox, and enable it visiting internet

after showing messagebox.

The only API I use is URLDownloadToFile.

I'll appreciate your help very much.

downhtm.zip

[SunBeam]

Hi. For first program, you can do it in a few ways :-)

1. Directly NOP or JMP/CALL next instruction instead of "download" function:

0040103B . E8 C0FFFFFF CALL downgif.00401000

to

0040103B . E8 00000000 CALL downgif.00401040

or

0040103B . EB 03FFFFFF JMP downgif.00401040

or

0040103B . NOP NOPs

--

2. Break the API and patch swap its prolog with its epilog:

1A494BBE > 8BFF MOV EDI,EDI

1A494BC0 55 PUSH EBP

1A494BC1 8BEC MOV EBP,ESP

1A494BC3 81EC 14010000 SUB ESP,114

..

1A494C2F E8 BCE7F6FF CALL urlmon.1A4033F0

1A494C34 C9 LEAVE

1A494C35 C2 1400 RETN 14

Be it the A or W version of the API, both return to same spot..

So:

1A494BBE > 8BFF MOV EDI,EDI

to

1A494BBE C2 1400 RETN 14

3. I see something related to TLS here, so I could also do it like this:

00401330 |> \56 PUSH ESI ; /pValue

00401331 |. FF35 C0714000 PUSH DWORD PTR DS:[4071C0] ; |TlsIndex = C

00401337 |. FF15 20604000 CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>] ; \TlsSetValue

0040133D |. 85C0 TEST EAX,EAX

0040133F |. 75 08 JNZ SHORT downgif.00401349

00401341 |. 6A 10 PUSH 10

00401343 |. E8 99010000 CALL downgif.004014E1

00401348 |. 59 POP ECX

00401349 |> A1 3CA14000 MOV EAX,DWORD PTR DS:[40A13C]

0040134E |. 85C0 TEST EAX,EAX

00401350 |. 74 02 JE SHORT downgif.00401354

00401352 |. FFD0 CALL EAX

00401354 |> 8365 FC 00 AND DWORD PTR SS:[EBP-4],0

00401358 |. FF76 4C PUSH DWORD PTR DS:[ESI+4C]

0040135B |. FF56 48 CALL DWORD PTR DS:[ESI+48] // downloader function

So..

0040135B |. FF56 48 CALL DWORD PTR DS:[ESI+48] //401030

..

00401030 . 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] // prolog

00401034 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]

..

00401047 . 6A 01 PUSH 1 ; /ExitCode = 1 // epilog of function

00401049 . FF15 00604000 CALL DWORD PTR DS:[<&KERNEL32.ExitThread>] ; \ExitThread

0040104F . C3 RETN

I could easily patch 401030 to JMP @401047, thus thread exits instantly :-)

4. Direct patching the PUSH :-)

00401073 |. 68 30104000 PUSH downgif.00401030 // to 401047

As for second program.. I do it directly this time:

004012D1 |. E8 8AFDFFFF CALL downhtm.00401060 // NUKE THIS CALL (NOP, CALL 4012D6 or JMP 4012D6)

004012D6 |. 83C4 0C ADD ESP,0C

004012D9 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL

004012DB |. 68 40704000 PUSH downhtm.00407040 ; |Title = "tuts4you.com"

004012E0 |. 68 30704000 PUSH downhtm.00407030 ; |Text = "Hello Buddies!"

004012E5 |. 6A 00 PUSH 0 ; |hOwner = NULL

004012E7 |. FF15 E8604000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA

004012ED |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]

004012F1 |. 68 88130000 PUSH 1388

004012F6 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]

004012FA |. 52 PUSH EDX

004012FB |. 50 PUSH EAX

004012FC |. E8 5FFDFFFF CALL downhtm.00401060

00401301 |. 83C4 0C ADD ESP,0C

00401304 |. 33C0 XOR EAX,EAX

00401306 |. 5B POP EBX

00401307 |. 83C4 64 ADD ESP,64

0040130A \. C2 1000 RETN 10

P.S.: You may notice some of the above do the same thing. Just wanted to point them all out, that's all..

Edited June 29, 2009 by SunBeam

[alaphate]

SunBeam, thank you for your answers.