LCF-AT

How to access the internet?


White

em, I forgot to add the XP-run mode, I'll recompile it.

Yes, it is possible to translate it to asm code.

About the InternetCloseHandle API, I also checked it in OllyDbg and the last error is always 1.

I have no idea about it. :(

EDIT: same source code, added XP-run mode and compiled it.


Sort_add_XP_RunMode.rar


Edited by White、、 (see edit history)

LCF-AT

Hi,

thanks again for the new XP file, now it works. I will try to handle this code to get it into my source, so I will tell you later whether I had success with that or not. :)

So about InternetCloseHandle. Yes, I also get 1 in eax = success, but the error in the register doesn't send a Success command. Just check this or use GetLastError and there you should also get ERROR_INVALID_HANDLE (00000006) back. So it is for me each time if I have used the InternetRead or query API as in your example file. If you don't get the same error as me then I don't understand what the problem could be in my case.

One thing I forgot: What about double & more same lines? How to handle this simply?



Hammer
Sichel
preis
Zanken
Ablesen
Hammer
Sichel
preis
Zanken
Ablesen
Hammer
Sichel
preis
Zanken
Ablesen

= Remove all double & more lines & sort them = 2 things to do. Just imagine it like this.....so I have this now...



003B0000 48 61 6D 6D 65 72 0D 0A 53 69 63 68 65 6C 0D 0A Hammer..Sichel..
003B0010 70 72 65 69 73 0D 0A 5A 61 6E 6B 65 6E 0D 0A 41 preis..Zanken..A
003B0020 62 6C 65 73 65 6E 0D 0A 48 61 6D 6D 65 72 0D 0A blesen..Hammer..
003B0030 53 69 63 68 65 6C 0D 0A 70 72 65 69 73 0D 0A 5A Sichel..preis..Z
003B0040 61 6E 6B 65 6E 0D 0A 41 62 6C 65 73 65 6E 0D 0A anken..Ablesen..
003B0050 48 61 6D 6D 65 72 0D 0A 53 69 63 68 65 6C 0D 0A Hammer..Sichel..
003B0060 70 72 65 69 73 0D 0A 5A 61 6E 6B 65 6E 0D 0A 41 preis..Zanken..A
003B0070 62 6C 65 73 65 6E 00 00 00 00 00 00 00 00 00 00 blesen.........

003B0000 = store section where I have all logged so far + next line marker words 0A0D


Below is the same just as a pattern, so you can paste this into your source etc.



48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E0D0A48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E0D0A48616D6D65720D0A53696368656C0D0A70726569730D0A5A616E6B656E0D0A41626C6573656E00000000000000000000

Now I want to find all doubles & more in the mem location + remove those which are logged more than one time, as you can see above. So the words & positions can be random, not the same as I posted above. Then I also want to sort them and put them all into a new or the same mem location like this....



003B0000 41 62 6C 65 73 65 6E 0D 0A 48 61 6D 6D 65 72 0D Ablesen..Hammer.
003B0010 0A 70 72 65 69 73 0D 0A 53 69 63 68 65 6C 0D 0A .preis..Sichel..
003B0020 5A 61 6E 6B 65 6E 00 00 00 00 00 00 00 00 00 00 Zanken..........

...all doubles & more were removed and then sorted, so this is what I want to have. :) Maybe you can again make a little source which should be static and which I can use in my source, so that I only need to enter the section xy where I have logged my stuff etc. you know.


 


Thanks again so far


LCF-AT

Hi,


 


I have two more questions again. So I see I now also have some trouble with the InternetReadFile API. The problem is that this API access sometimes needs A LOT of time!? Here too I don't know why. I access the same site for example (same size of course) and one time it does the size straight away (I can step normally over this API call in Olly) and another time it needs up to 5 seconds!? Also the same if I use BPs before and after this API call. But all in all it looks random that it sometimes goes fast and then not. Strange problem again, and InternetCloseHandle still does not work.


 


Another question: Today I found a strange issue with my XP clock. If I start it then I see the time (digital & pointer), and now I watched how the time is running and I see that every 5 seconds the time stops for a short while. So it runs normally for 4 seconds but the fifth second only comes after a while....(1,2,3,4.....5). So I don't think that this is normal, or? I also have nothing strange running in the background which could be the reason etc. Does anybody have this problem too? But I also have it with other counters in other apps too now. The problem is I don't know what is disturbing my system now (I already checked the system today - nothing found so far). Maybe you have an idea what the problem could be or what I could look for to find the reason etc.


 


Thank you


White

Two days off, weekend rest,

#27, if you want to remove all double strings, then I will use a vector and string combination, but I am not sure whether WINASM has that feature or not.

waiting for your response :)  Yesterday I checked that with Google, and found nothing useful. Maybe I am a big WINASM fan. :)

#28, you mean the time spent while calling InternetReadFile?

If yes, I remember an API named InternetSetOption with a parameter INTERNET_OPTION_RECEIVE_TIMEOUT, with a DWORD defining its timeout in milliseconds. But I do not use it, because it "never" gives me the correct answer.

I recommend InternetQueryDataAvailable before every InternetReadFile API call; it returns a DWORD with the bytes available that the site or server responded with.


Code like this,



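// in a LOOP
.......
bRead = InternetQueryDataAvailable(hUrlFile, &dwSize, 0, 0);
ULONGLONG dwTime = GetTickCount64();   // GetTickCount64 returns a 64-bit tick count
if (bRead && dwSize)
{
    // Data is waiting: read it. pszBuffer must be able to hold dwSize bytes.
    bRead = ::InternetReadFile(hUrlFile, pszBuffer, dwSize, &dwDownLoaded);
    dwTime = GetTickCount64() - dwTime;   // milliseconds spent in the read
}
else
{
    // End of hFile
}
.......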

Now dwTime is 0. GetTickCount64 is a higher resolution timer than GetTickCount.


Edited by White、、 (see edit history)

atom0s

Keep in mind, GetTickCount64 is not available on Windows XP. I mention this since a lot of people on this forum seem to still use Windows XP.

Edited by atom0s (see edit history)

White
Hi, atom0s.

Yes, it is for NT 6.0+ OS. For XP, just use GetTickCount instead.

LCF-AT,

I have re-read your #28 post and found that you have a little misunderstanding of InternetReadFile, or maybe that is mine.

You cannot always get the same returns through each connection.

For example, you download a 1GB file and your internet download speed is about 1MB/s. When it starts, first the speed is 120KB/s, and 5 seconds later it's 700KB/s, and later 900KB/s, and later 300KB/s, and ......

The download speed is not always the same until you set a limit like IDM (a software named Internet Download Manager).

It's the same situation with InternetReadFile.

For now, you get it?  :sweat:

If not, OK, there is certainly much benefit in using the InternetQueryDataAvailable API before the InternetReadFile API in a loop.

Use the InternetQueryDataAvailable API to get the available bytes which the server could send you, then use the InternetReadFile API to obtain the data which the server can immediately send after your request. And the available dwSize is not as large as what you want, and the pattern is like 200 bytes, 1000, 1000+......, 200, 0 in that loop till its end.

All of the above is my understanding of these APIs; there must be something different between yours and mine, maybe it's all wrong.  :pinch:

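The query-then-read loop White describes, as an added example that is not part of the original posts: a portable C model in which `query` and `fetch` are hypothetical stand-ins for InternetQueryDataAvailable and InternetReadFile, and the data source is constructed. It makes room in the buffer before every read and caps the total, so a response of unknown size can neither overrun a fixed buffer nor grow without limit.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the two WinINet calls: query() plays
   InternetQueryDataAvailable, fetch() plays InternetReadFile. Both return 0
   on failure; "0 bytes" with success is modelled as end of data. */
typedef struct {
    int (*query)(void *ctx, size_t *avail);
    int (*fetch)(void *ctx, void *dst, size_t want, size_t *got);
    void *ctx;
} stream_t;

/* Reads a response of unknown size into a heap buffer that grows as needed.
   Every fetch is limited to space that is already allocated, and max_total
   caps the memory a server can make us commit.
   Returns 0 on success, -1 on I/O or allocation failure, -2 if over the cap. */
int read_all(stream_t *s, size_t max_total, char **out, size_t *out_len)
{
    size_t cap = 1024, len = 0;            /* initial size, grows on demand */
    char *buf = malloc(cap);
    if (!buf) return -1;
    for (;;) {
        size_t avail = 0, got = 0;
        if (!s->query(s->ctx, &avail)) { free(buf); return -1; }
        if (avail == 0) break;                         /* end of data */
        if (avail > max_total - len) { free(buf); return -2; }
        if (len + avail + 1 > cap) {                   /* grow, keep room for NUL */
            char *bigger;
            while (cap < len + avail + 1) cap *= 2;
            bigger = realloc(buf, cap);
            if (!bigger) { free(buf); return -1; }
            buf = bigger;
        }
        if (!s->fetch(s->ctx, buf + len, avail, &got)) { free(buf); return -1; }
        if (got == 0) break;                           /* reader says done */
        len += got;
    }
    buf[len] = '\0';
    *out = buf; *out_len = len;
    return 0;
}

/* Constructed source: serves `total` bytes in uneven bursts, like a real link. */
typedef struct { size_t total, pos, step; } fake_t;
static const size_t BURSTS[4] = { 200, 1000, 1460, 200 };

static int fake_query(void *c, size_t *avail)
{
    fake_t *f = c;
    size_t left = f->total - f->pos, burst = BURSTS[f->step % 4];
    *avail = left < burst ? left : burst;
    return 1;
}

static int fake_fetch(void *c, void *dst, size_t want, size_t *got)
{
    fake_t *f = c;
    size_t left = f->total - f->pos, i;
    if (want > left) want = left;
    for (i = 0; i < want; i++) ((char *)dst)[i] = (char)('A' + (f->pos + i) % 26);
    f->pos += want; f->step++;
    *got = want;
    return 1;
}

int main(void)
{
    fake_t f = { 5000, 0, 0 };
    stream_t s = { fake_query, fake_fetch, &f };
    char *page; size_t n;
    if (read_all(&s, 1u << 20, &page, &n) == 0) { printf("%lu bytes\n", (unsigned long)n); free(page); }
    return 0;
}
```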
LCF-AT

Hi again and thanks for your answers so far. :)

So I have to say that I am not very good with WinASM at the moment, so my source is built almost entirely with ASM commands as you can see in Olly / the MultiASM plugin too. :) So if I now want to check for double strings & also sort them afterwards then I need to handle it manually again with ASM commands and labels (cmp/mov/rep etc.), and in this case I have to write a lot more. So what I need is a ready code part which finds all doubles and more and sorts them. The best would be to enter only the variable where the data is stored, as I posted before in the example...



mov edi, SECTION
call ProcFindDoublesAndMoreAndRemoveThem
mov edi, SECTION
call ProcSortData

Something like this you know.

...would be cool if you could make there something for me. :)


 


About the InternetReadFile API: Oh OK, so you mean each time it had a different access speed to the site I call? I thought that the OpenUrl API already loads the site in the background and that the InternetRead API only needs to read the data, which should already be in memory or temp etc.

Anyway, with or without the InternetQuery... API, in the end it takes the same time for me and I see no better / faster effect. All in all I just download the page source which has just some 100 - 300 KB, and no idea why it needs so long for this. Anyway, I will check this again, maybe I coded something wrong which takes a longer time etc.

PS: Please think about the code parts for removing double & more + sorting (a check of the first letter or digit or sign of the name should be OK if this is easier for you to code etc.). :)


 


Thanks again so far guys.


LCF-AT

Hi White,


 


thanks for your code so far but there I just understand train station. :) I was asking for a way to use your source very simply, where I just need to call the proc for sorting or removing etc. :) Anyway, today I made this code too but in my style....you wanna see..... :) Very unclean but working so far at the moment, and by the way....why didn't you tell me that I could also just use the lstrcmp API to sort strings (checking for alphabetic)? This API is very fine and helped me to avoid more direct asm code in my source hehe. :)



@top:
mov stackback, ebp ; save EBP, it is used as the table pointer below
mov esi, SECTION2 ; store
mov edi, esi
; table of 8-byte entries (pointer, length); data only, so no execute permission
invoke VirtualAlloc,0,100000h,MEM_COMMIT,PAGE_READWRITE
mov ebp, eax
xor edx, edx
xor ecx, ecx
@AA1: ; scan the section and record every line
cmp dword ptr [esi], 0h
je @allend
cmp word ptr [esi], 0A0Dh
je @end1
inc ecx
inc esi
jmp @AA1
@end1:
inc ecx
inc ecx
inc esi
inc esi
sub esi, ecx
mov dword ptr [ebp], esi ; start of the line
mov dword ptr [ebp+4h], ecx ; length including 0D 0A
add esi, ecx
add ebp, 8h
inc edx
xor ecx, ecx
jmp @AA1
@allend: ; mark duplicate entries with -1
pushad
mov ebx,4h
mov edi, [eax]
cmp edi, -1h
je @nepper
mov ecx, [eax+4h]
@nef:
pushad
mov esi, [eax+ebx*2]
cmp esi, -1h
je @fei
cmp esi, 0h
je @loopend
cmp edx, 0h
je @loopend
REPE CMPS BYTE PTR [EDI],BYTE PTR [ESI]
je @doubles
@fei:
popad
@reser:
add eax,8h
dec edx
jmp @nef
@doubles:
popad
mov dword ptr [eax+8h], -1h
jmp @reser
@loopend:
popad
@nepper:
popad
add eax,8h
cmp dword ptr [eax], 0h
je @allchecked
jmp @allend
@allchecked:
nop
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
AND ebp, 0FFFFF000h ; round EBP down to the page start of the table
pushad ; sort start
mov eax, ebp
@ww:
mov esi, eax
mov edi, eax
add edi, 8h
@tt:
cmp dword ptr [edi], 0h
je @finout1
cmp dword ptr [eax], -1h
je @finout1
cmp dword ptr [edi], -1h
je @finout1ex
pushad
push dword ptr [edi]
push dword ptr [esi]
call lstrcmpA
cmp eax, 0h
je @sames
cmp eax, 1h
je @highers
jmp @sames
@highers: ; swap the two table entries
mov eax, [edi]
mov ecx, [edi+4h] ; size
mov edx, [esi]
mov ebx, [esi+4h] ; size
mov [esi], eax
mov [esi+4h], ecx
mov [edi], edx
mov [edi+4h], ebx
@sames:
popad
@finout1ex:
add edi, 8h
jmp @tt
@finout1:
cmp dword ptr [eax],0h
je @fullesend
add eax, 8h
jmp @ww
@fullesend:
popad
nop
; ...etc

I know it looks bad, right, but I can't handle this real coder style, so unfortunately I am no coder and have problems learning these coder ways and how to use them.


 


greetz


White

em, lstrcmpi is better than lstrcmp, it is not case-sensitive.

lstrcmp needs two character strings, pointers ending with '\0', but in your case there are also the 0x0A0D hex characters, so I just coded that in C style. :)


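The remove-duplicates-and-sort step discussed in this thread, as an added C example (not code from any poster): it works on the CRLF-separated section from the hex dump earlier in the thread, compares with explicit lengths instead of handing CRLF-terminated text to lstrcmp, and orders case-insensitively as lstrcmpi would. The names `sort_unique_lines`, `line_t` and `SAMPLE` are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The logged section from the post: 15 CRLF-separated words, 00-padded after. */
static const char SAMPLE[] =
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen\r\n"
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen\r\n"
    "Hammer\r\nSichel\r\npreis\r\nZanken\r\nAblesen";

/* One entry: start of the text and its length WITHOUT the 0D 0A terminator. */
typedef struct { const char *p; size_t len; } line_t;

/* Length-bounded, case-insensitive order that never reads past the end of a
   line; identical letters fall back to exact bytes, so the result is 0 only
   for true duplicates. */
static int cmp_line(const void *a, const void *b)
{
    const line_t *x = a, *y = b;
    size_t n = x->len < y->len ? x->len : y->len, i;
    for (i = 0; i < n; i++) {
        int cx = tolower((unsigned char)x->p[i]);
        int cy = tolower((unsigned char)y->p[i]);
        if (cx != cy) return cx - cy;
    }
    if (x->len != y->len) return x->len < y->len ? -1 : 1;
    return memcmp(x->p, y->p, n);
}

/* Sorts the lines stored in buf[0..cap) in place, drops duplicates and
   zero-fills the rest. Returns the number of unique lines, -1 if out of memory. */
int sort_unique_lines(char *buf, size_t cap)
{
    size_t used = 0, count = 0, out = 0, kept = 0, start = 0, i;
    line_t *tab;
    char *copy;

    while (used < cap && buf[used] != '\0') used++;   /* data ends at first 00 */
    if (used == 0) return 0;
    tab = malloc((used / 2 + 1) * sizeof *tab);       /* upper bound on lines */
    copy = malloc(used);
    if (!tab || !copy) { free(tab); free(copy); return -1; }
    memcpy(copy, buf, used);

    for (i = 0; i <= used; i++) {                     /* split on CRLF or end */
        int crlf = i + 1 < used && copy[i] == '\r' && copy[i + 1] == '\n';
        if (i != used && !crlf) continue;
        if (i > start) { tab[count].p = copy + start; tab[count].len = i - start; count++; }
        if (crlf) i++;                                /* step over the 0A */
        start = i + 1;
    }
    qsort(tab, count, sizeof *tab, cmp_line);

    for (i = 0; i < count; i++) {                     /* write back unique lines */
        if (i > 0 && cmp_line(&tab[i - 1], &tab[i]) == 0) continue;
        if (kept++ > 0) { buf[out++] = '\r'; buf[out++] = '\n'; }
        memcpy(buf + out, tab[i].p, tab[i].len);
        out += tab[i].len;
    }
    memset(buf + out, 0, cap - out);
    free(tab);
    free(copy);
    return (int)kept;
}

int main(void)
{
    char section[128] = {0};
    memcpy(section, SAMPLE, sizeof SAMPLE - 1);
    printf("%d unique lines:\n%s\n", sort_unique_lines(section, sizeof section), section);
    return 0;
}
```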
LCF-AT

Yes, I have seen this in the API help description about case sensitivity, but good to know now that lstrcmpi is better. :) Also I have logged all strings in one section + 0x0A0D at the end of each string (next line), and below come free 00 bytes again, so that means it will check the entire section where my strings are logged each time till the end, but anyway as long as it works it's OK for me as a non-coder. :)

PS: Also I didn't know that I have to save & restore the EBP value before I want to use EBP for something, when later at the proc end the leave command is used hehe. I just wondered today why the app exits each time after using it, till I found the reason in Olly. Yes, this would not happen if I coded in the right way with if / else / elseif / whatever etc. :)


 


Thank you again for your help so far. :)


White

Glad to hear that you have your own solution :)  Hope you have a good day.


Edited by White、、 (see edit history)

Xyl2k

a bit late but for doing query:

; post.php:
.486
.model flat, stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\wininet.inc
include \masm32\include\advapi32.inc
include \masm32\macros\macros.asm

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\wininet.lib
includelib \masm32\lib\advapi32.lib

bufSize=MAX_COMPUTERNAME_LENGTH + 1

.data
format1 db 'computername=%s&username=%s',0
postdata db 100 dup(0)
bSize dd bufSize
computer_name db bufSize dup(?)
user_name db bufSize dup(?)
szData db 1024 dup(0)
host db "localhost",0
headers db 13,10,"Keep-Alive: 115",
        13,10,"Connection: keep-alive",
        13,10,"Content-Type: application/x-www-form-urlencoded",0

.data?
hInternet dd ?
hConnect dd ?
hRequest dd ?
dwBytesRead dd ?
postdatalen dd ?

.code
main PROC
    invoke GetComputerName,addr computer_name,addr bSize
    ; GetComputerName overwrote bSize with the name length: restore the buffer size
    mov bSize,bufSize
    invoke GetUserName,addr user_name,addr bSize
    ; build the form-encoded POST body
    invoke wsprintf,ADDR postdata,ADDR format1,ADDR computer_name,addr user_name
    invoke lstrlen,addr postdata
    mov postdatalen,eax
    call SendReq
    invoke ExitProcess,0
main ENDP

SendReq PROC
    mov hInternet,FUNC(InternetOpen,chr$("WinInet Test"),INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0)
    .if hInternet==NULL
        invoke MessageBox,0,chr$("InternetOpen error"),0,0
        exit
    .endif
    invoke InternetConnect,hInternet,offset host,INTERNET_DEFAULT_HTTP_PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,0
    mov hConnect,eax
    .if hConnect == NULL
        invoke MessageBox,0,chr$("InternetConnect error"),0,0
        exit
    .endif
    mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/post.php"),NULL,chr$("localhost/post.php"),0,INTERNET_FLAG_KEEP_CONNECTION,1)
    .if hRequest == NULL
        invoke MessageBox,0,chr$("HttpOpenRequest error"),0,0
        exit
    .endif
    invoke HttpSendRequest,hRequest,offset headers,sizeof headers-1,offset postdata,postdatalen
    .if eax == 0
        invoke MessageBox,0,chr$("HttpSendRequest error"),0,0
        exit
    .endif
    ; single read into the fixed 1024-byte buffer (one byte left for the terminator)
    invoke InternetReadFile,hRequest,offset szData,sizeof szData-1,offset dwBytesRead
    test eax,eax ;if (bRead == FALSE)
    jz @exit
    .if dwBytesRead==0
        jmp @exit
    .endif
    invoke OutputDebugString,chr$("Ok")
@exit:
    ; close the handles in reverse order of creation
    invoke InternetCloseHandle,hRequest
    invoke InternetCloseHandle,hConnect
    invoke InternetCloseHandle,hInternet
    ret
SendReq ENDP

end main

LCF-AT

Hi Xyl2k,


 


thanks for your example code but this doesn't work. I get an error on the HttpSendRequest API. Also I see no location where to enter the link I want to check. Maybe next time you post more details.


 


greetz


Xyl2k

Hi LCF-AT,

I just tested on localhost and it works fine; according to Fiddler the request was sent successfully on W7 Pro SP1

ClJG10u.png

And on olly, the server answer is correctly on the stack.

nb75E0q.png

In the example, it does a POST request to 'localhost' with the PC name and username.

I put that on my post.php: http://pastebin.com/7zEXpJje

Edited by Xyl2k (see edit history)

LCF-AT

Hi again Xyl2k,


 


so I use XP SP3. Also I have no PHP server stuff etc. you know. So could you maybe change your code so that I could enter any homepage / link into a variable before I compile it, or just add a box where I enter the link, so this would be better for testing. :)


 


Thanks again


Xyl2k

Hi again LCF-AT, you just need to edit these three lines with

- domain name (google.com)

- URI (/whateverpage.php)

- POST data (whatevervariable=whatevervalue)

host db "localhost",0

mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/post.php"),NULL,chr$("localhost/post.php"),0,INTERNET_FLAG_KEEP_CONNECTION,1)

format1 db 'computername=%s&username=%s',0

For example:

host db "requesttests.appspot.com",0

mov hRequest,FUNC(HttpOpenRequest,hConnect,chr$("POST"),chr$("/PostTester"),NULL,chr$("requesttests.appspot.com/PostTester"),0,INTERNET_FLAG_KEEP_CONNECTION,1)

format1 db 'postString=sample+POST',0

Will do a POST query to http://requesttests.appspot.com with the word 'sample POST' on the variable 'postString'

You can also change ("POST") by ("GET") to do a GET query instead of POST.

LCF-AT

Hi,


 


OK, I have tested it now but don't understand it. Why should I use POST if I want to get the page source of a site? Also I see you use a static size of 3FFhex (not enough, as the size is unknown so it can be more of course). Also the command HttpSendRequest doesn't work for all links I have tested (tuts4you/xxxxxx/xxxxx/xxxx) for example. :( The only good thing I see is that the InternetCloseHandle APIs are working in your code, which are not working for me in the other code by White.


 


greetz


LCF-AT

Hi guys its me again,


 


so today I have another question, also about how to access the internet in special cases.

So I know now how to access the internet and specific URLs to read the page sources, and all is also working very well so far, but now I found a new special case where it's no longer working so easily. The problem is that I found some sites which use some kind of protection called DDoS. Maybe you know this already from other sites you have visited in the past. The problem is that if you visit a site which uses this protection, you first get another page to see with a text which says something like "please move your mouse", and right after you move the mouse the real site gets loaded. To do this in a browser is no problem so far, but the problem is how to handle this situation if you want to access this site via app code. So I tried it but it's not working and I always only get the page source of this protection page to read, which means I can't bypass this mouse move thing anyhow.


 


The page source of this protected site looks like this....



<!DOCTYPE html><html><head><title>AntiDDoS Gateway</title><center>Herzlich Willkommen,<br><br>bitte bewege deine Maus um fortzufahren...<br><br><br>DDoS Protection by mich <br><br>--> TestGataway 200--Ok <--<br><br></center><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><meta http-equiv="pragma" content="no-cache"><meta http-equiv="Cache-Control" content="no-cache"><meta name="keywords" content=""><meta name="description" content=""><link rel="stylesheet" type="text/css" href="anti_ddos.css"><script src="anti_ddos.js"></script><script>var access="141683848813"</script> </head><body><div id="wrapper"><div class="bubblingG"><span id="bubblingG_1"></span><span id="bubblingG_2"></span><span id="bubblingG_3"></span></div></div></body></html>

....and a test site I found is...



http://www.online-ident.me/

The question now is whether there is any method to bypass this first site protection anyhow with any special API combos etc.? So the problem seems to be the cookie, which I don't have or get if I just access this site in the normal way using the basic Internet APIs (InternetOpen / OpenUrl / Read etc.).

So now I am looking for a simple & working solution to handle this problem via code / API xy to get the real site page source loaded without visiting the site manually in a browser + moving the mouse to get the cookie xy. Also the question is whether it is possible or not you know, and now I am asking you to get some info about it plus a possible description of a way to get it to work etc. Would be nice if you have something in mind. :)

PS: If you want to check this out by yourself to know what I mean then just use the test site I found above.


 


Thank you


maike
Hello LCF-AT, I am unable to find the answer to question me on the site for resgistrar GERMAN Reversing NEWBIES11100101111000001000000010101100100000001101000010000000111101001000000011010001111001000011010000101000110000001000000011110100100000001011010011001101111000001000000010101100100000001100100011010000001101000010100111011101101000011000010111010000100000011010010111001100100000011110000010000000111111 | Was ist x? /// Keine Lösung? Wende dich an c0rk [at] bk [dot] ru

 

what is the correct answer?

thank you

LCF-AT

Hi again,


 


so today I tried again to check the internet APIs to read an entire page source and found a strange thing. As I told before, I always had trouble with the InternetCloseHandle API and got invalid handle messages. Now I found out that I only get this "ERROR_INVALID_HANDLE (00000006)" if I use the InternetReadFile API until lpdwNumberOfBytesRead is set to zero. MSDN tells us to check this value till it's equal to 0, and that I have done, but right after this, if I try to close the handle I got from InternetOpenUrl, I get the error above. If I do the same steps again without waiting till lpdwNumberOfBytesRead is zero (maybe the loop goes 6 times till zero and now I just do 5 loops) and then call InternetCloseHandle, then it's working and I get Success for both handles of InternetOpenUrl & InternetOpen. Really strange, or? I also tried to use InternetQueryDataAvailable before in a loop and check the value of (...BytesAvailable) till it's zero, to then avoid calling InternetReadFile right after, but that method also doesn't work to get successful handle closes.

Does anybody have any small example files with different methods (WSock / InternetConnect etc. with any page xy to access and read the entire & complete page source)? Would be nice if you have something to check out how to do it correctly.


 


Thank you


LCF-AT

Hi again,

 

can anyone tell me how to sort entries with SORTASCENDING & SORTDESCENDING by click? I found an example about sorting by click via filename length but I want to sort them differently (as I told above). Do you have any example for this, or is there any sort macro which I can use etc. or APIs? I mean I can't read each entry and compare them with 0,1,2,3...A,B,C...etc., or? This would be a little much work to do manually so I think there should be an easier way, or?

 

Would be nice if you could help a little. :)

 

greetz
 

Alzri2

Well I found this in AutoIt help file ...


study the code and the comments ... btw, sort is a command in cmd



#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>

Example()

Func Example()
    Local $iPID = Run("sort.exe", @SystemDir, @SW_HIDE, $STDIN_CHILD + $STDOUT_CHILD)

    ; Write a string of items to be sorted to child sort.exe's Stdin.
    StdinWrite($iPID, "Banana" & @CRLF & "Elephant" & @CRLF & "Apple" & @CRLF & "Deer" & @CRLF & "Car" & @CRLF)

    ; Calling StdinWrite without a second parameter closes the stream.
    StdinWrite($iPID)

    Local $sOutput = "" ; Store the output of StdoutRead to a variable.

    While 1
        $sOutput &= StdoutRead($iPID) ; Read the Stdout stream of the PID returned by Run.
        If @error Then ; Exit the loop if the process closes or StdoutRead returns an error.
            ExitLoop
        EndIf
    WEnd

    MsgBox($MB_SYSTEMMODAL, "", "The sorted string is: " & @CRLF & $sOutput)
EndFunc   ;==>Example

LCF-AT

Hi,


 


thanks Alzri2 but I found already a working sort example in IC 31 tutorial. :)


 


greetz


LCF-AT

Hi,


 


I have a new little question about the WM_SIZE function. The problem I have now is that the representation of my button & radio buttons changes very strangely if I move the app window a little to the inside, so it looks very unclean as you can see in my picture below...I don't know what the problem could be and also found no solution, so maybe you have an idea how to prevent this representation. The problem goes away if I just move the mouse over it or if I just move anything over it etc., but it does not go away by itself, only if I move the app window away and restore it etc. Maybe you have an idea how to fix that problem. Is there any kind of refresh API which I could use etc.?


 


Thank you


 


post-27695-0-03895100-1429990532.png
