White Posted November 6, 2014 (edited) Em, I forgot to add the XP-run mode, I'll recompile it. Yes, it's possible to translate it to asm code. About the InternetCloseHandle API, I also checked it in OllyDbg and the last error is always 1. I have no idea about it. EDIT: same source code with XP-run mode added, and compiled. Sort_add_XP_RunMode.rar Edited November 6, 2014 by White、、
LCF-AT Posted November 7, 2014 Author Hi, thanks again for the new XP file, now it works. I'll try to get this code into my source, so I will tell you later whether I had success with it or not. About InternetCloseHandle: yes, I also get 1 in eax = success, but the error in the register doesn't show a success code. Just check this, or use GetLastError, and there you should also get ERROR_INVALID_HANDLE (00000006) back. So for me it's like this each time after I have used the InternetReadFile or query API as in your example file. If you don't get the same error as me then I don't understand what the problem could be in my case.

One thing I forgot: what about double & more identical lines? How to handle this simply?

Hammer
Sichel
preis
Zanken
Ablesen
Hammer
Sichel
preis
Zanken
Ablesen
Hammer
Sichel
preis
Zanken
Ablesen

= Remove all double & more lines & sort them = 2 things to do. Just imagine it like this..... so I have this now...

003B0000 48 61 6D 6D 65 72 0D 0A 53 69 63 68 65 6C 0D 0A Hammer..Sichel..
003B0010 70 72 65 69 73 0D 0A 5A 61 6E 6B 65 6E 0D 0A 41 preis..Zanken..A
003B0020 62 6C 65 73 65 6E 0D 0A 48 61 6D 6D 65 72 0D 0A blesen..Hammer..
003B0030 53 69 63 68 65 6C 0D 0A 70 72 65 69 73 0D 0A 5A Sichel..preis..Z
003B0040 61 6E 6B 65 6E 0D 0A 41 62 6C 65 73 65 6E 0D 0A anken..Ablesen..
003B0050 48 61 6D 6D 65 72 0D 0A 53 69 63 68 65 6C 0D 0A Hammer..Sichel..
003B0060 70 72 65 69 73 0D 0A 5A 61 6E 6B 65 6E 0D 0A 41 preis..Zanken..A
003B0070 62 6C 65 73 65 6E 00 00 00 00 00 00 00 00 00 00 blesen.........

003B0000 = store section where I have logged everything so far + next-line marker word 0A0D. Below the same, just as a pattern so you can paste it into your source etc.

48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E0D0A48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E0D0A48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E00000000000000000000

Now I want to find all doubles & more in the memory location + remove those which are logged more than once, as you can see above. The words & positions can be random, not the same as I posted above. Then I also want to sort them and put them all into a new or the same memory location like this....

003B0000 41 62 6C 65 73 65 6E 0D 0A 48 61 6D 6D 65 72 0D Ablesen..Hammer.
003B0010 0A 70 72 65 69 73 0D 0A 53 69 63 68 65 6C 0D 0A .preis..Sichel..
003B0020 5A 61 6E 6B 65 6E 00 00 00 00 00 00 00 00 00 00 Zanken..........

...all doubles & more were removed and then sorted, so this is what I want to have. Maybe you can make again a little source which is static and which I can use in my source, so that I only need to enter the section xy where I have logged my stuff etc, you know. Thanks again so far
LCF-AT Posted November 9, 2014 Author Hi, I have two more questions again. I see I now also have trouble with the InternetReadFile API. The problem is that this API call sometimes needs A LOT of time!? Here too I don't know why. I access the same site for example (same size of course) and one time it gets the data straight away (I can step normally over this API call in Olly) and another time it needs up to 5 seconds!? Also the same if I use BPs before and after this API call. All in all it looks random that it sometimes goes fast and then not. Strange problem again, and InternetCloseHandle still does not work.

Another question: today I found a strange issue with my XP clock. If I start it then I see the time (digital & hands) and I watched how the time runs, and then I see that the time stops for a short while every 5 seconds. So it runs normally for 4 seconds but the fifth second only comes after a while....(1,2,3,4.....5). I don't think that this is normal, or? I also have nothing strange running in the background that could be the reason etc. Has anybody else this problem too? I also have it with other counters in other apps now. The problem is I don't know what disturbs my system now (I already checked the system today, nothing found so far). Maybe you have an idea what the problem could be, or what I could look for to find the reason etc. Thank you
White Posted November 10, 2014 (edited) Two days off, weekend rest. #27: if you want to remove all double strings, then I would use a vector and string combination, but I am not sure whether WINASM has that feature or not. Waiting for your response. Yesterday I checked that by google and found nothing useful. Maybe I am a big WINASM fan. #28: you mean the time spent while calling InternetReadFile? If yes, I remember an API named InternetSetOption with a parameter INTERNET_OPTION_RECEIVE_TIMEOUT with a DWORD defining its timeout in milliseconds. But I do not use it, because it "never" gives me the correct answer. I recommend InternetQueryDataAvailable before every InternetReadFile API; it returns a DWORD with the number of bytes the site or server has responded with so far. Code like this:

// in a LOOP
.......
bRead = InternetQueryDataAvailable(hUrlFile, &dwSize, 0, 0);
DWORD dwTime = (DWORD)GetTickCount64();
if (bRead && dwSize)            // data is waiting: read exactly that much
{
    // pszBuffer must be able to hold dwSize bytes
    bRead = ::InternetReadFile(hUrlFile, pszBuffer, dwSize, &dwDownLoaded);
    dwTime = (DWORD)GetTickCount64() - dwTime;
}
else
{
    // End of hFile (dwSize == 0), or an error if bRead is FALSE
}
.......

Now dwTime is 0. GetTickCount64 is a higher resolution timer than GetTickCount. Edited November 10, 2014 by White、、
atom0s Posted November 10, 2014 (edited) Keep in mind, GetTickCount64 is not available on Windows XP. I mention this since a lot of people on this forum seem to still use Windows XP. Edited November 10, 2014 by atom0s
White Posted November 10, 2014 Hi, atom0s. Yes, it is for NT 6.0+ OS. For XP, just use GetTickCount instead. LCF-AT, I have re-read your #28 post and found that you have a little misunderstanding of InternetReadFile, or maybe it is mine. You cannot always get the same returns through each connection. For example, you download a 1GB file and your internet download speed is about 1MB/s. When it starts, first the speed is 120KB/s, 5 seconds later it's 700KB/s, later 900KB/s, later 300KB/s, and ...... The download speed is not always the same unless you set a limit like IDM (a software named Internet Download Manager) does. It's the same situation with InternetReadFile. Now, you get it? If not, ok, there is certainly much benefit in using the InternetQueryDataAvailable API before the InternetReadFile API in a loop. Use the InternetQueryDataAvailable API to get the available bytes which the server could send you, then use the InternetReadFile API to obtain the data which the server can immediately send after your request. And the available dwSize is not as large as you want; the pattern is like 200 bytes, 1000, 1000+......, 200, 0 in that loop till its end. All the above is my understanding of these APIs; there must be something different between yours and mine, maybe it's all wrong.
LCF-AT Posted November 10, 2014 Author Hi again and thanks for your answers so far. I have to say that I am not very good with WinASM at the moment, so my source is built almost only from plain ASM commands, as you can see in Olly / MultiASM plugin too. So if I now want to check for double strings & also sort them afterwards, then I need to handle it manually again with ASM commands and labels (cmp/mov/rep etc), and in this case I have to write a lot more. So what I need is a ready code part which finds all doubles and more and sorts them. The best would be to enter only the variable where the data is stored, as I posted before in the example...

mov edi, SECTION
call ProcFindDoublesAndMoreAndRemoveThem
mov edi, SECTION
call ProcSortData

Something like this, you know. ...would be cool if you could make something like that for me.

About the InternetReadFile API: oh ok, so you mean each time it has a different access speed to the site I call? I thought that the OpenUrl API already loads the site in the background and that the InternetRead API only needs to read the data which should already be in memory or temp etc. Anyway, with or without the InternetQuery... API, in the end it takes the same time for me and I see no better / faster effect. All in all I just download the page source, which is only some 100 - 300 KB, and no idea why it needs so long for this. Anyway, I'll check this again, maybe I coded something wrong that takes longer etc.

PS: Please think about the code parts for removing double & more + sorting (a first letter or digit or sign check of the name should be ok if this is easier for you to code etc). Thanks again so far guys.
White Posted November 12, 2014 Remove duplicate strings. Sort - Add_Remove.rar
LCF-AT Posted November 12, 2014 Author Hi White, thanks for your code so far, but I only understand "train station" there. I was asking for a very simple way to use your source where I just need to call the proc for sorting or removing etc. Anyway, today I made this code too, but in my style.... you wanna see.....

Very unclean but working so far at the moment, and by the way.... why didn't you tell me that I could also just use the lstrcmp API to sort strings (checking alphabetically)? This API is very fine and helped me to avoid more direct asm code in my source hehe.

@top:
    mov stackback, ebp              ; save EBP: the proc epilogue (leave) needs it back
    mov esi, SECTION2               ; store: logged strings, each ending in 0D 0A, zero padded
    mov edi, esi
    invoke VirtualAlloc,0,100000h,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov tablebase, eax              ; tablebase: a dword variable like stackback, keeps the table base
    mov ebp, eax                    ; table of (pointer, length) pairs, 8 bytes each
    xor edx, edx                    ; edx = number of entries
    xor ecx, ecx                    ; ecx = length of the current entry

; pass 1: build the (pointer, length) table; the length includes the 0D 0A
@AA1:
    cmp dword ptr [esi], 0h
    je @allend
    cmp word ptr [esi], 0A0Dh
    je @end1
    inc ecx
    inc esi
    jmp @AA1
@end1:
    inc ecx
    inc ecx
    inc esi
    inc esi
    sub esi, ecx
    mov dword ptr [ebp], esi
    mov dword ptr [ebp+4h], ecx
    add esi, ecx
    add ebp, 8h
    inc edx
    xor ecx, ecx
    jmp @AA1

; pass 2: compare every entry with all later entries, mark duplicates with -1
@allend:
    pushad
    mov ebx, 4h
    mov edi, [eax]
    cmp edi, -1h                    ; already marked as duplicate: skip it
    je @nepper
    mov ecx, [eax+4h]
@nef:
    pushad
    mov esi, [eax+ebx*2]            ; next entry ([eax+8])
    cmp esi, -1h
    je @fei
    cmp esi, 0h
    je @loopend
    cmp edx, 0h
    je @loopend
    REPE CMPS BYTE PTR [EDI],BYTE PTR [ESI]
    je @doubles
@fei:
    popad
@reser:
    add eax, 8h
    dec edx
    jmp @nef
@doubles:
    popad
    mov dword ptr [eax+8h], -1h     ; mark the later copy, keep the first one
    jmp @reser
@loopend:
    popad
@nepper:
    popad
    add eax, 8h
    cmp dword ptr [eax], 0h
    je @allchecked
    jmp @allend
@allchecked:
    nop
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    mov ebp, tablebase              ; (AND ebp,0FFFFF000h only works for up to 512 entries)
    pushad                          ; sort start: swap sort over the table, -1 entries skipped
    mov eax, ebp
@ww:
    mov esi, eax
    mov edi, eax
    add edi, 8h
@tt:
    cmp dword ptr [edi], 0h
    je @finout1
    cmp dword ptr [eax], -1h
    je @finout1
    cmp dword ptr [edi], -1h
    je @finout1ex
    pushad
    push dword ptr [edi]
    push dword ptr [esi]
    call lstrcmpA                   ; <0 / 0 / >0; the strings run on to the 00 padding
    cmp eax, 0h
    jle @sames                      ; lstrcmp returns any positive value, not only 1
@highers:
    mov eax, [edi]
    mov ecx, [edi+4h]               ; size
    mov edx, [esi]
    mov ebx, [esi+4h]               ; size
    mov [esi], eax
    mov [esi+4h], ecx
    mov [edi], edx
    mov [edi+4h], ebx
@sames:
    popad
@finout1ex:
    add edi, 8h
    jmp @tt
@finout1:
    cmp dword ptr [eax], 0h
    je @fullesend
    add eax, 8h
    jmp @ww
@fullesend:
    popad
    nop
    ...etc

I know it looks bad, right, but I can't handle this real coder style; unfortunately I am no coder and have problems learning these coder ways. greetz
White Posted November 12, 2014 Em, lstrcmpi is better than lstrcmp, it's not case-sensitive. lstrcmp needs two character strings, pointers terminated with '\0', but in your case there are also 0x0A0D hex characters, so I just coded that in C style.
LCF-AT Posted November 12, 2014 Author Yes, I have seen this in the API help description about case sensitivity, but good to know now that lstrcmpi is better. Also I have logged all strings in one section + 0x0A0D at the end of each string (next line), and below come free 00 bytes again, so that means it will check the entire section where my strings are logged till the end each time, but anyway, as long as it works it's ok for me as a non-coder.

PS: Also I didn't know that I have to save & restore the EBP value before I use EBP for something when later at the proc end the leave command is used hehe. I just wondered today why the app exits each time after using it, till I found the reason in Olly. Yes, this would not happen if I coded in the right way with if / else / elseif / whatever etc. Thank you again for your help so far.
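The duplicate removal plus sort that was asked for a few posts up, and White's point about lstrcmpi and the 0D 0A terminators, as an added example in C. It is not code from this thread or from the posted .rar: it splits a section laid out like the dump above (entries terminated by 0D 0A, zero padding at the end), sorts the entries case-insensitively the way lstrcmpi orders plain ASCII names, drops the repeats and writes the result back in the same format, optionally in place. The section contents are the constructed sample from the earlier post; `dedupe_sort_section` and the other names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One logged entry: where it starts in the section and how many bytes it has
   (not counting the 0D 0A terminator). */
typedef struct {
    const char *p;
    size_t len;
} Entry;

/* ASCII case-insensitive compare of two entries that are not NUL terminated,
   the same ordering lstrcmpi gives for plain ASCII names. */
static int entry_cmp(const void *a, const void *b) {
    const Entry *x = a, *y = b;
    size_t n = x->len < y->len ? x->len : y->len;
    for (size_t i = 0; i < n; i++) {
        int cx = tolower((unsigned char)x->p[i]);
        int cy = tolower((unsigned char)y->p[i]);
        if (cx != cy) return cx - cy;
    }
    return x->len < y->len ? -1 : (x->len > y->len);   /* shorter prefix sorts first */
}

/* Split the section at every CR LF; the last entry ends at the zero padding.
   Returns the number of entries stored (at most max). */
static size_t split_entries(const char *section, Entry *out, size_t max) {
    size_t n = 0;
    const char *s = section;
    while (*s && n < max) {
        const char *e = strstr(s, "\r\n");
        out[n].p = s;
        out[n].len = e ? (size_t)(e - s) : strlen(s);
        n++;
        if (!e) break;
        s = e + 2;
    }
    return n;
}

/* Sort the entries of `section`, drop duplicates, and write the unique sorted
   list to `dst` in the same CR LF format (no trailing CR LF, NUL terminated).
   `dst` may be `section` itself. Returns the number of entries kept, 0 on error. */
size_t dedupe_sort_section(const char *section, char *dst, size_t dst_size) {
    size_t srclen = strlen(section);
    size_t max = srclen / 2 + 1;                  /* every entry but the last costs >= 2 bytes */
    Entry *ent = malloc(max * sizeof *ent);
    char *tmp = malloc(srclen + 1);               /* the result never outgrows the input */
    size_t written = 0, kept = 0;

    if (!ent || !tmp || dst_size < srclen + 1) {
        free(ent);
        free(tmp);
        return 0;
    }
    size_t n = split_entries(section, ent, max);
    qsort(ent, n, sizeof *ent, entry_cmp);        /* sorted first, so repeats sit side by side */
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && entry_cmp(&ent[i - 1], &ent[i]) == 0)
            continue;                             /* same name as the previous one: drop it */
        if (kept > 0) {
            memcpy(tmp + written, "\r\n", 2);
            written += 2;
        }
        memcpy(tmp + written, ent[i].p, ent[i].len);
        written += ent[i].len;
        kept++;
    }
    tmp[written] = '\0';
    memcpy(dst, tmp, written + 1);                /* safe even when dst == section */
    free(ent);
    free(tmp);
    return kept;
}

/* Constructed sample: the section from the earlier post, five names logged
   three times each. */
const char SAMPLE_SECTION[] =
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen\r\n"
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen\r\n"
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen";

/* Runs the sample through the routine and returns the rewritten section. */
const char *demo_sorted(size_t *kept_out) {
    static char out[sizeof SAMPLE_SECTION];
    size_t kept = dedupe_sort_section(SAMPLE_SECTION, out, sizeof out);
    if (kept_out) *kept_out = kept;
    return out;
}

int main(void) {
    size_t kept;
    const char *result = demo_sorted(&kept);
    printf("%zu unique entries:\n%s\n", kept, result);
    return 0;
}
```

Sorting first and then comparing each entry with its predecessor is what keeps this linear after the sort; the asm version above compares every pair. Names that differ only in case count as the same entry here, so "hammer" and "Hammer" collapse to one; use a plain byte compare in `entry_cmp` if that is not wanted.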
White Posted November 12, 2014 (edited) Glad to hear that you have your own solution. Hope you have a good day. Edited November 12, 2014 by White、、
Xyl2k Posted November 16, 2014 A bit late, but for doing a query:

; post.php:
.486
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\wininet.inc
include \masm32\include\advapi32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\wininet.lib
includelib \masm32\lib\advapi32.lib

bufSize = MAX_COMPUTERNAME_LENGTH + 1
userSize = 256 + 1                  ; UNLEN + 1: user names can be much longer than computer names

.data
format1 db 'computername=%s&username=%s',0
postdata db 512 dup(0)              ; room for the longest computer name + user name
bSize dd bufSize
uSize dd userSize                   ; own size variable: GetComputerName overwrites bSize with the length written
computer_name db bufSize dup(?)
user_name db userSize dup(?)
szData db 1024 dup(0)
host db "localhost",0
; additional request headers, each line terminated by CR LF
headers db "Keep-Alive: 115",13,10,"Connection: keep-alive",13,10,"Content-Type: application/x-www-form-urlencoded",13,10,0

.data?
hInternet dd ?
hConnect dd ?
hRequest dd ?
dwBytesRead dd ?
postdatalen dd ?

.code
main PROC
    invoke GetComputerName,addr computer_name,addr bSize
    invoke GetUserName,addr user_name,addr uSize
    invoke wsprintf,ADDR postdata,ADDR format1,ADDR computer_name,addr user_name
    invoke lstrlen,addr postdata
    mov postdatalen,eax
    call SendReq
    invoke ExitProcess,0
main ENDP

SendReq PROC
    mov hInternet,FUNC(InternetOpen,chr$("WinInet Test"),INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0)
    .if hInternet==NULL
        invoke MessageBox,0,chr$("InternetOpen error"),0,0
        exit
    .endif
    invoke InternetConnect,hInternet,offset host,INTERNET_DEFAULT_HTTP_PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,0
    mov hConnect,eax
    .if hConnect == NULL
        invoke MessageBox,0,chr$("InternetConnect error"),0,0
        exit
    .endif
    mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/post.php"),NULL,chr$("localhost/post.php"),0,INTERNET_FLAG_KEEP_CONNECTION,1)
    .if hRequest == NULL
        invoke MessageBox,0,chr$("HttpOpenRequest error"),0,0
        exit
    .endif
    invoke HttpSendRequest,hRequest,offset headers,sizeof headers-1,offset postdata,postdatalen
    .if eax == 0
        invoke MessageBox,0,chr$("HttpSendRequest error"),0,0
        exit
    .endif
    ; single read: only the first sizeof szData-1 bytes of the answer are fetched
    invoke InternetReadFile,hRequest,offset szData,sizeof szData-1,offset dwBytesRead
    test eax,eax                    ; if (bRead == FALSE)
    jz @exit
    .if dwBytesRead==0
        jmp @exit
    .endif
    invoke OutputDebugString,chr$("Ok")
@exit:
    invoke InternetCloseHandle,hRequest
    invoke InternetCloseHandle,hConnect
    invoke InternetCloseHandle,hInternet
    ret
SendReq ENDP
end main
LCF-AT Posted November 16, 2014 Author Hi Xyl2k, thanks for your example code, but this doesn't work. I get an error on the HttpSendRequest API. Also I see no place where to enter the link I want to check. Maybe post more details next time. greetz
Xyl2k Posted November 16, 2014 (edited) Hi LCF-AT, I just tested on localhost and it works fine; according to Fiddler the request was sent successfully on W7 Pro SP1, and in Olly the server answer is correctly on the stack. In the example, it does a POST request to 'localhost' with the PC name and username. I put this in my post.php: http://pastebin.com/7zEXpJje Edited November 16, 2014 by Xyl2k
LCF-AT Posted November 16, 2014 Author Hi again Xyl2k, I use XP SP3. Also I have no PHP server stuff etc, you know. So could you maybe change your code so that I can enter any homepage / link into a variable before I compile it, or just add a box where I enter the link? This would be better for testing. Thanks again
Xyl2k Posted November 17, 2014 Hi again LCF-AT, you just need to edit these three lines with
- domain name (google.com)
- URI (/whateverpage.php)
- POST data (whatevervariable=whatevervalue)

host db "localhost",0
mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/post.php"),NULL,chr$("localhost/post.php"),0,INTERNET_FLAG_KEEP_CONNECTION,1)
format1 db 'computername=%s&username=%s',0

For example:

host db "requesttests.appspot.com",0
mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/PostTester"),NULL,chr$("requesttests.appspot.com/PostTester"),0,INTERNET_FLAG_KEEP_CONNECTION,1)
format1 db 'postString=sample+POST',0

will do a POST query to http://requesttests.appspot.com with the words 'sample POST' in the variable 'postString'. You can also change ("POST") to ("GET") to do a GET query instead of a POST.
LCF-AT Posted November 18, 2014 Author Hi, ok I have tested it now but I don't understand it. Why should I use POST if I want to get the page source of a site? Also I see you use a static size of 3FFhex (not enough; the size is unknown, so it can be more of course). Also the HttpSendRequest command doesn't work for all links I have tested (tuts4you/xxxxxx/xxxxx/xxxx) for example. The only good thing I see is that the InternetCloseHandle APIs work in your code, which don't work for me in White's code. greetz
LCF-AT Posted January 21, 2015 Author Hi guys, it's me again. Today I have another question, also about how to access the internet in special cases. I now know how to access the internet and specific URLs to read the page sources, and all is working very well so far, but now I found a new special case where it's no longer working so easily. The problem is that I found some sites using a kind of protection called DDoS. Maybe you know this already from other sites you have visited in the past. The problem is, if you visit a site that uses this protection you first see another page with some text which says something like "please move your mouse", and right after you move the mouse the real site gets loaded. Doing this in the browser is no problem so far, but the problem is how to handle this situation if you want to access the site via app code. I tried it, but it's not working and I always only get this protection page's source to read, which means I can't bypass this mouse-move thing anyhow. The page source of this protected site looks like this....

<!DOCTYPE html><html><head><title>AntiDDoS Gateway</title><center>Herzlich Willkommen,<br><br>bitte bewege deine Maus um fortzufahren...<br><br><br>DDoS Protection by mich <br><br>--> TestGataway 200--Ok <--<br><br></center><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><meta http-equiv="pragma" content="no-cache"><meta http-equiv="Cache-Control" content="no-cache"><meta name="keywords" content=""><meta name="description" content=""><link rel="stylesheet" type="text/css" href="anti_ddos.css"><script src="anti_ddos.js"></script><script>var access="141683848813"</script> </head><body><div id="wrapper"><div class="bubblingG"><span id="bubblingG_1"></span><span id="bubblingG_2"></span><span id="bubblingG_3"></span></div></div></body></html>

(the German text reads: "Welcome, please move your mouse to continue... DDoS Protection by mich --> TestGataway 200--Ok <--")

....and a test site I found is...
http://www.online-ident.me/

The question now is whether there is any method to bypass this first protection page anyhow with some special API combos etc. The problem seems to be the cookie, which I don't have or get if I just access this site the normal way using the basic Internet APIs (InternetOpen / OpenUrl / Read etc). So now I am looking for a simple & working solution to handle this problem via code / API xy, to get the real site's page source loaded without visiting the site manually in the browser + moving the mouse to get the cookie xy. Also the question is whether it is possible or not, you know, and now I am asking you for some info about it plus a description of a possible way to get it working etc. Would be nice if you have something in mind.

PS: If you want to check this out yourself to know what I mean, then just use the test site I found above. Thank you
maike Posted January 28, 2015 Hello LCF-AT, I am unable to find the answer to the question put to me on the site for registering at GERMAN Reversing NEWBIES:

11100101111000001000000010101100100000001101000010000000111101001000000011010001111001000011010000101000110000001000000011110100100000001011010011001101111000001000000010101100100000001100100011010000001101000010100111011101101000011000010111010000100000011010010111001100100000011110000010000000111111 | Was ist x? /// Keine Lösung? Wende dich an c0rk [at] bk [dot] ru

(German: "What is x? /// No solution? Contact c0rk [at] bk [dot] ru")

What is the correct answer? Thank you
LCF-AT Posted April 14, 2015 Author Hi again, today I tried again to check the internet APIs to read an entire page source and found something strange. As I said before, I always had trouble with the InternetCloseHandle API and got invalid handle messages. Now I found out that I only get this "ERROR_INVALID_HANDLE (00000006)" if I use the InternetReadFile API until lpdwNumberOfBytesRead is set to zero. MSDN tells us to check this value till it's equal to 0, and that I have done, but right after this, if I try to close the handle I got from InternetOpenUrl, I get the error above. If I do the same steps again without waiting till lpdwNumberOfBytesRead is zero (maybe the loop goes 6 times till zero and now I just do 5 loops) and then call InternetCloseHandle, then it's working and I get Success for both handles of InternetOpenUrl & InternetOpen. Really strange, or? I also tried to use InternetQueryDataAvailable before, in a loop, and check the value of (...BytesAvailable) till it's zero, to avoid calling InternetReadFile right after, but that method also doesn't give successful handle closes. Has anybody any small example files with different methods (WSock / InternetConnect etc, with any page xy to access and read the entire & complete page source)? Would be nice if you have something to check out how to do it correctly. Thank you
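A read loop of the kind White describes earlier in the thread (InternetQueryDataAvailable before each InternetReadFile, reading until the byte count comes back as zero), as an added C example that is none of the posted code. It grows its buffer as chunks arrive instead of reading once into a fixed 3FFh-byte array, reads until InternetReadFile reports zero bytes, and judges every call, InternetCloseHandle included, by its return value alone: the documented contract is to consult GetLastError only after a call returned FALSE, so an ERROR_INVALID_HANDLE seen in the debugger after a close that returned TRUE is a leftover from some earlier call, not a failed close. The WinInet part only compiles on Windows (wininet.h, link against wininet); the buffer code and `simulate_download`, which feeds a constructed byte string in pieces the way the loop would, build anywhere. All names in it are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable response buffer: the page size is unknown up front, so the buffer
   is resized as chunks arrive instead of being fixed at 3FFh bytes. */
typedef struct {
    char *data;     /* NUL terminated once something has been appended */
    size_t len;
    size_t cap;
} ResponseBuf;

/* Append n bytes, doubling the capacity when needed. Returns 0 on out-of-memory. */
int buf_append(ResponseBuf *b, const void *chunk, size_t n) {
    if (b->len + n + 1 > b->cap) {
        size_t ncap = b->cap ? b->cap : 4096;
        while (ncap < b->len + n + 1) ncap *= 2;
        char *p = realloc(b->data, ncap);
        if (!p) return 0;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 1;
}

void buf_free(ResponseBuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Offline stand-in for the read loop: hands `src` over in pieces of at most
   `chunk` bytes, the way InternetReadFile returns a response piecewise. */
int simulate_download(ResponseBuf *out, const char *src, size_t src_len, size_t chunk) {
    size_t pos = 0;
    if (chunk == 0) return 0;
    while (pos < src_len) {
        size_t n = src_len - pos < chunk ? src_len - pos : chunk;
        if (!buf_append(out, src + pos, n)) return 0;
        pos += n;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <wininet.h>
#pragma comment(lib, "wininet.lib")   /* MinGW: link with -lwininet instead */

/* Fetch `url` completely into *out. Returns 1 on success; on failure *out is
   released. Every WinInet call is judged by its return value, never by
   GetLastError after a TRUE result, which is stale at that point. */
int fetch_page(const char *url, ResponseBuf *out) {
    int ok = 0;
    HINTERNET hInet = InternetOpenA("WinInet read loop", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (!hInet) return 0;

    HINTERNET hUrl = InternetOpenUrlA(hInet, url, NULL, 0,
                                      INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, 0);
    if (hUrl) {
        char chunk[4096];
        ok = 1;
        for (;;) {
            DWORD avail = 0, got = 0;
            /* How much has arrived so far; blocks until something has. */
            if (!InternetQueryDataAvailable(hUrl, &avail, 0, 0)) { ok = 0; break; }
            if (avail == 0) break;                      /* end of the response */
            if (avail > sizeof chunk) avail = sizeof chunk;
            if (!InternetReadFile(hUrl, chunk, avail, &got)) { ok = 0; break; }
            if (got == 0) break;                        /* MSDN: zero bytes read = end of file */
            if (!buf_append(out, chunk, got)) { ok = 0; break; }
        }
        if (!InternetCloseHandle(hUrl)) ok = 0;         /* the return value is the only verdict */
    }
    if (!InternetCloseHandle(hInet)) ok = 0;
    if (!ok) buf_free(out);
    return ok;
}

int main(int argc, char **argv) {
    ResponseBuf page = {0};
    if (argc != 2) {
        fprintf(stderr, "usage: %s http://host/page\n", argv[0]);
        return 2;
    }
    if (!fetch_page(argv[1], &page)) {
        fprintf(stderr, "download failed\n");
        return 1;
    }
    fwrite(page.data, 1, page.len, stdout);   /* the complete page source */
    buf_free(&page);
    return 0;
}
#endif
```

The time InternetReadFile spends is the time the server and the network take to deliver the next piece; InternetQueryDataAvailable makes that visible, it does not make it shorter. Capping `avail` at the chunk size keeps the read into the stack array bounded no matter what the query reports.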
LCF-AT Posted April 20, 2015 Author Hi again, can anyone tell me how to sort entries with SORTASCENDING & SORTDESCENDING by click? I found an example about sorting by click via filename length, but I want to sort them differently (as I said above). Do you have any example for this, or is there any sort macro which I can use, or APIs? I mean, I can't read each entry and compare them with 0,1,2,3...A,B,C...etc, or? This would be a little much work to do manually, so I think there should be an easier way, or? Would be nice if you could help a little. greetz
Alzri2 Posted April 23, 2015 Well, I found this in the AutoIt help file... study the code and the comments... btw, sort is a command in cmd.

#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>

Example()

Func Example()
    Local $iPID = Run("sort.exe", @SystemDir, @SW_HIDE, $STDIN_CHILD + $STDOUT_CHILD)

    ; Write a string of items to be sorted to child sort.exe's Stdin.
    StdinWrite($iPID, "Banana" & @CRLF & "Elephant" & @CRLF & "Apple" & @CRLF & "Deer" & @CRLF & "Car" & @CRLF)

    ; Calling StdinWrite without a second parameter closes the stream.
    StdinWrite($iPID)

    Local $sOutput = "" ; Store the output of StdoutRead to a variable.
    While 1
        $sOutput &= StdoutRead($iPID) ; Read the Stdout stream of the PID returned by Run.
        If @error Then ; Exit the loop if the process closes or StdoutRead returns an error.
            ExitLoop
        EndIf
    WEnd

    MsgBox($MB_SYSTEMMODAL, "", "The sorted string is: " & @CRLF & $sOutput)
EndFunc   ;==>Example
LCF-AT Posted April 23, 2015 Author Hi, thanks Alzri2, but I already found a working sort example in the IC 31 tutorial. greetz
LCF-AT Posted April 25, 2015 Author Hi, I have a new little question about the WM_SIZE function. The problem I have now is that the representation of my button & radio buttons changes very strangely if I move the app window a little inside, so it looks very unclean, as you can see in my picture below... I don't know what the problem could be and also found no solution, so maybe you have an idea how to prevent this representation. This problem goes away if I just move the mouse over it or move anything over it etc, but it doesn't go away by itself, only if I take the app window away and restore it etc. Maybe you have an idea how to fix that problem. Is there any kind of refresh API which I could use etc? Thank you