LCF-AT

WinSock problem

53 posts in this topic

Hi kao,

thanks for your answer but I am still confused.

Info: About the complete URL.So its just for the tool itself I made so the first part gets checked and cut out and the rest will used.Also if there is no port info then I used standart port 80 as default port.

Now again some questions:

1.) Is it now possible with WinSock without SSL (openssl etc) to get successfully access to T4Y for example + getting right page content?

2.) How can I check whether I need to request any site with SSL from the response I get?

3.) Why I get success using WinInet with and also without SSL flags on T4Y site?

Using WinInet with & without SSL Flags

GET /index.php HTTP/1.1
Host: tuts4you.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 200 OK

Pagecontent all there and right....

Using WinSock
--------------------------------------
GET /index.php HTTP/1.1
Host: tuts4you.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Feb 2017 15:57:11 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESSTUTS4YOUCOM=6efd7798c31d1e7dd2eac3b0b89222af; path=/; domain=.tuts4you.com
Last-Modified: Fri, 17 Feb 2017 15:57:11 GMT
Location: https://tuts4you.com/index.php
Strict-Transport-Security: max-age=15768000;includeSubdomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

-----------------------------------------
GET /index.php HTTP/1.1
Host: tuts4you.com:443
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Feb 2017 15:59:32 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESSTUTS4YOUCOM=76b7127e22f93deb8c9f415f1cedd435; path=/
Last-Modified: Fri, 17 Feb 2017 15:59:32 GMT
Location: https://tuts4you.com/index.php
Strict-Transport-Security: max-age=15768000;includeSubdomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
----------------------------------------
GET /index.php HTTP/1.1
Host: tuts4you.com:80
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Feb 2017 16:00:24 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESSTUTS4YOUCOM=68bdd2ad43c8ec6997f31ed9481ff3b0; path=/
Last-Modified: Fri, 17 Feb 2017 16:00:25 GMT
Location: https://tuts4you.com/index.php
Strict-Transport-Security: max-age=15768000;includeSubdomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-------------------------------------------------
GET /index.php HTTP/1.1
Host: 198.57.187.53:443
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Feb 2017 16:01:11 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESSTUTS4YOUCOM=86888b0965c546f6474a2a0f142c36f2; path=/
Last-Modified: Fri, 17 Feb 2017 16:01:11 GMT
Location: https://tuts4you.com/index.php
Strict-Transport-Security: max-age=15768000;includeSubdomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-----------------------------------------
GET /index.php HTTP/1.1
Host: 198.57.187.53:80
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

HTTP/1.1 404 Not Found
Date: Fri, 17 Feb 2017 16:01:35 GMT
Server: Apache
Accept-Ranges: bytes
Strict-Transport-Security: max-age=15768000;includeSubdomains
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
-----------------------------------------

So I dont get any successfully access to T4Y index.php site using WInSock.Is this because I dont use SSL (extra OpenSSL APIs etc) or should it normaly work anyhow also without SSL?On the examples about WinInet its also working without SSL flags and thats the reason I do wonder.So if it works with WinInet wihtout SSL then it should also work with WinSock without SSL or so thing wrong anyhow?!?

greetz

Share this post


Link to post
Share on other sites

@Teddy Rogers should be able to answer specifics on how the server is configured. From the info you posted, it looks like T4Y works only over HTTPS and WinInet does lots of stuff "behind the scenes", even if don't explicitly tell it to.

You could use WireShark to capture packets for each requedt and see what exactly is happening.

Share this post


Link to post
Share on other sites

So @LCF-AT , do you still need me to look into this issue or is it almost solved ? :)

When you PM-ed me a couple of days ago, I already told you that I would look into it during the weekend as I was (and am) busy till then. But I see that you already put up yet another post yesterday haha :D

Guess you are in a bit of a hurry .. hehe

Anyway, the problrm is, that since you want it to be in ASM, I would need to compile the SSL libraries from scratch on my computer. That would take time and also converting the code to ASM would make it quite bulky as I told you in the PM already.

I have no problem (and its also good :) ) if others are helping out. But what I want to know is whether you would still need me to look into it or not ...

Because I am not really a fan of re-duplication of efforts if you know what I mean.. I do not want to waste time compiling the libraries etc if someone else is already working on it , if you know what I mean... No offense of course, but just want to avoid re-duplication of efforts from our members here.

Is anyone already (and continuing to) work on LCF-AT's issue ? :)

Cheers :)

EDIT :

As I was typing this out, I see that @kao had already posted another reply.

One thing I want to add is that certain security configurations of websites could prevent you from accessing them from "unknown" apps. So as Kao says, its well worth finding out whetehr its teh security configuration of the sites thats preventing you from accessing them.

Having said that, I cannot comment further wihtout knowing what exactly you ar etrying to accomplish with your code in the first place ...

Edited by Techlord

Share this post


Link to post
Share on other sites

Hi again,

hmmm ok.So you mean WinInet functions doing some thing to handle that SSL issue also if I have disabled it?I am not very common using Wireshark.

@Techlord

Sure I do still need help and nothing is sloved yet of course.Yes I am always in hurry if I dont understand something or cant find any solutions. :)

So my main goal is it to use WinSock only for everything to get successfully access to all sites (like browser) without using WinInet anymore (its working slower and its also limited) but the problem is that I get more success using WinInet instead of WInSock but I dont want use both anymore.So if I need this SSL / TLS thing for WinSock to get success then I would like to use WinSock with SSL and then I could quit WinInet but I still dont know how to implement it for a simple client for example.If I see it right then they are just a few APIs I need to use from ssleay32.dll but I dont check some C / C++ structs I need to use with that key pem thing etc.

greetz

1 person likes this

Share this post


Link to post
Share on other sites
On Friday, 17 February, 2017 at 11:59 AM, LCF-AT said:

Sure I do still need help and nothing is sloved yet of course.Yes I am always in hurry if I dont understand something or cant find any solutions

Well, since most of the discussin would not be of too much interest to others, I would be continuing the discussion via PM. probably would post the final solution that we arrive at, here, for anyone else referring to this thread down the road, If anyone else is following this thread with interest and would rather like the discussion done on the thread, please let us know :)

Cheers :)

1 person likes this

Share this post


Link to post
Share on other sites

Here is a basic test prog to fetch a t4y web page using wininet stuff. I used most of this code in a x64dbg plugin to download snapshot updates from github. I've re-purposed it for this test program. Hopefully it helps you, let me know how you get on or if you found it useful.

Edit: I'm interested in this topic, so feel free to continue the discussion here.

Cheers

t4ytest.zip

Edited by fearless
Update to mention interest in discussion on the forums
1 person likes this

Share this post


Link to post
Share on other sites

Hi,

thanks for your interest fearless but as you can read above I am not looking for a WinInet solution and wanna have a WinSock solution only.So if its only working using WinSock + any SSL extra APIs etc then I would be interested to see any example you know.I cant find any example in MASM for this only some C or C++ codes like I did post before in this topic but I dont understand this whole C / C++ language thing to make any translation to MASM I could use later.Thats the problem.

greetz

Share this post


Link to post
Share on other sites

Hi again,

so I checked internet again and found some infos about schannel and I also found a schannel inc & lib for MASM on my HDD but I could not found any example code.So is this something I could maybe use too to handle sites like T4Y or google with location resolve?

greetz

Share this post


Link to post
Share on other sites

Here is the source with schannel web client sample code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/cpp/mssdk/WebClient.c
Here is compiled executable from which you can rip the relevant ASM code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/WebClient.exe

Attached is slightly patched executable that you can use to test again https://forum.tuts4you.com (added proper Host: header in request). Use command line like this: 

WebClient1.exe -sforum.tuts4you.com -p443 -findex.php >result.txt

 

Result.txt will look like:

...

Buffers[1].BufferType = SECBUFFER_DATA
Decrypted data: 444 bytes
0000  48 54 54 50 2f 31 2e 31:20 32 30 30 20 4f 4b 0d  HTTP/1.1 200 OK.
0010  0a 44 61 74 65 3a 20 4d:6f 6e 2c 20 32 30 20 46  .Date: Mon, 20 F
0020  65 62 20 32 30 31 37 20:31 32 3a 34 33 3a 32 30  eb 2017 12:43:20
0030  20 47 4d 54 0d 0a 53 65:72 76 65 72 3a 20 41 70   GMT..Server: Ap
0040  61 63 68 65 0d 0a 45 78:70 69 72 65 73 3a 20 54  ache..Expires: T
0050  68 75 2c 20 31 39 20 4e:6f 76 20 31 39 38 31 20  hu, 19 Nov 1981 
0060  30 38 3a 35 32 3a 30 30:20 47 4d 54 0d 0a 43 61  08:52:00 GMT..Ca
0070  63 68 65 2d 43 6f 6e 74:72 6f 6c 3a 20 6e 6f 2d  che-Control: no-
0080  73 74 6f 72 65 2c 20 6e:6f 2d 63 61 63 68 65 2c  store, no-cache,
0090  20 6d 75 73 74 2d 72 65:76 61 6c 69 64 61 74 65   must-revalidate
00a0  2c 20 70 6f 73 74 2d 63:68 65 63 6b 3d 30 2c 20  , post-check=0, 
00b0  70 72 65 2d 63 68 65 63:6b 3d 30 0d 0a 50 72 61  pre-check=0..Pra
00c0  67 6d 61 3a 20 6e 6f 2d:63 61 63 68 65 0d 0a 58  gma: no-cache..X
00d0  2d 58 53 53 2d 50 72 6f:74 65 63 74 69 6f 6e 3a  -XSS-Protection:
00e0  20 30 0d 0a 43 6f 6e 6e:65 63 74 69 6f 6e 3a 20   0..Connection: 
00f0  63 6c 6f 73 65 0d 0a 53:65 74 2d 43 6f 6f 6b 69  close..Set-Cooki
0100  65 3a 20 69 70 73 34 5f:49 50 53 53 65 73 73 69  e: ips4_IPSSessi
0110  6f 6e 46 72 6f 6e 74 3d:37 32 32 36 65 36 32 61  onFront=7226e62a
0120  61 37 34 62 61 38 62 39:39 36 30 34 61 63 35 62  a74ba8b99604ac5b
0130  64 33 39 31 33 30 65 36:3b 20 70 61 74 68 3d 2f  d39130e6; path=/
0140  3b 20 73 65 63 75 72 65:3b 20 48 74 74 70 4f 6e  ; secure; HttpOn
0150  6c 79 0d 0a 53 74 72 69:63 74 2d 54 72 61 6e 73  ly..Strict-Trans
0160  70 6f 72 74 2d 53 65 63:75 72 69 74 79 3a 20 6d  port-Security: m
0170  61 78 2d 61 67 65 3d 31:35 37 36 38 30 30 30 3b  ax-age=15768000;
0180  69 6e 63 6c 75 64 65 53:75 62 64 6f 6d 61 69 6e  includeSubdomain
0190  73 0d 0a 43 6f 6e 74 65:6e 74 2d 54 79 70 65 3a  s..Content-Type:
01a0  20 74 65 78 74 2f 68 74:6d 6c 3b 63 68 61 72 73   text/html;chars
01b0  65 74 3d 55 54 46 2d 38:0d 0a 0d 0a              et=UTF-8....

Buffers[1].BufferType = SECBUFFER_DATA
Decrypted data: 7689 bytes
0000  3c 21 44 4f 43 54 59 50:45 20 68 74 6d 6c 3e 0a  <!DOCTYPE html>.
0010  3c 68 74 6d 6c 20 6c 61:6e 67 3d 22 65 6e 2d 55  <html lang="en-U
0020  53 22 20 64 69 72 3d 22:6c 74 72 22 3e 0a 09 3c  S" dir="ltr">..<
0030  68 65 61 64 3e 0a 09 09:3c 74 69 74 6c 65 3e 46  head>...<title>F
0040  6f 72 75 6d 73 20 2d 20:54 75 74 73 20 34 20 59  orums - Tuts 4 Y
0050  6f 75 3c 2f 74 69 74 6c:65 3e 0a 09 09 3c 21 2d  ou</title>...<!-
0060  2d 5b 69 66 20 6c 74 20:49 45 20 39 5d 3e 0a 09  -[if lt IE 9]>..
0070  09 09 3c 6c 69 6e 6b 20:72 65 6c 3d 22 73 74 79  ..<link rel="sty
0080  6c 65 73 68 65 65 74 22:20 74 79 70 65 3d 22 74  lesheet" type="t
0090  65 78 74 2f 63 73 73 22:20 68 72 65 66 3d 22 68  ext/css" href="h
00a0  74 74 70 73 3a 2f 2f 66:6f 72 75 6d 2e 74 75 74  ttps://forum.tut
00b0  73 34 79 6f 75 2e 63 6f:6d 2f 75 70 6c 6f 61 64  s4you.com/upload
00c0  73 2f 63 73 73 5f 62 75:69 6c 74 5f 31 2f 35 65  s/css_built_1/5e
00d0  36 31 37 38 34 38 35 38:61 64 33 63 31 31 66 30  61784858ad3c11f0
00e0  30 62 35 37 30 36 64 31:32 61 66 65 35 32 5f 69  0b5706d12afe52_i
00f0  65 38 2e 63 73 73 2e 36:66 38 39 65 34 30 34 38  e8.css.6f89e4048
0100  66 39 32 30 34 65 32 63:35 63 64 64 30 32 64 33  f9204e2c5cdd02d3
0110  36 63 33 31 30 36 38 2e:63 73 73 22 3e 0a 09 09  6c31068.css">...
0120  20 20 20 20 3c 73 63 72:69 70 74 20 73 72 63 3d      <script src=
0130  22 2f 2f 66 6f 72 75 6d:2e 74 75 74 73 34 79 6f  "//forum.tuts4yo
0140  75 2e 63 6f 6d 2f 61 70:70 6c 69 63 61 74 69 6f  u.com/applicatio
0150  6e 73 2f 63 6f 72 65 2f:69 6e 74 65 72 66 61 63  ns/core/interfac
0160  65 2f 68 74 6d 6c 35 73:68 69 76 2f 68 74 6d 6c  e/html5shiv/html
0170  35 73 68 69 76 2e 6a 73:22 3e 3c 2f 73 63 72 69  5shiv.js"></scri
0180  70 74 3e 0a 09 09 3c 21:5b 65 6e 64 69 66 5d 2d  pt>...<![endif]-
0190  2d 3e 0a 09 09 0a 3c 6d:65 74 61 20 63 68 61 72  ->....<meta char
01a0  73 65 74 3d 22 75 74 66:2d 38 22 3e 0a 0a 09 3c  set="utf-8">...<

...

As you can see, it works just fine. :)

 

webclient1.rar

1 person likes this

Share this post


Link to post
Share on other sites

Hi kao,

thanks for your files so it seems to work (anyhow). :) But now the question is how I should handle the file to find all needed steps just debugging that file.There is a lot and this C or cpp source I cant really understand.Ok I will try to debug that file also if it will take a much time to not all needed steps etc.

greetz

Share this post


Link to post
Share on other sites
Quote

There is a lot and this C or cpp source I cant really understand

/Fa Listing Assembly code is your friend

Here is a WebClient debug version and Assembly listing

and a WebClient.pdb for easier debug this exe

 

webclient.rar

Edited by ragdog
1 person likes this

Share this post


Link to post
Share on other sites

Hi raggy,

thanks for your code but......!?!So how should I use this oder follow this tons of code inside to write something with that in WinASM?So I am not a computer. :) This is really a pain into se Popo.Just great!Now I am again there where I did started.What now?Am I too stupid  or whats the problem?Sometimes I think you guys are talking Chinese. :slap:

greetz

Share this post


Link to post
Share on other sites
Quote

I think you guys are talking Chinese

No Lcf

What i have postet was only a helper to understand it better ( you have say you understand not C/Cpp)

If i translate a c/cpp code to Masm or Fasm and i do not understand a part of code compile i this code and make a Assembly listing

Or debugging it.

Use Notpade++ open the source code WebClient.c and you see the code and line numbers in WebClient.asm can you see line numbers like ; Line 402 etc

e83ewulw.png

 

Or debug this exe in olly and load this pdb file for debug information in Olly!

 

Yes coding is many work,but you have strange wishes :D

Edited by ragdog
1 person likes this

Share this post


Link to post
Share on other sites
10 minutes ago, ragdog said:

Yes coding is many work,but you have strange wishes :D

Amen to that!

 

@LCF-AT: The truth is - 99% of people pick the easiest paths. You insist on finding your own path. That comes with lots of artificial difficulties and obstacles. "I don't want to use WinInet, I don't want to download Visual Studio to compile ready-written C code, I don't want to learn even basic C to read the code examples, I don't want to use this or that but still it must somehow (magically) work!". Guess what, it doesn't work like that. We don't have magic wands.

@Techlord offered you to compile OpenSSL for you. I found you ready-made sample code for schannel, @ragdog even recompiled it for you with symbols and everything and you're still not satisfied? My patience has run out, sorry. You're on your own on this challenge.

Share this post


Link to post
Share on other sites

there are some times when doing it all in asm is not practical.. this is one of them

2 people like this

Share this post


Link to post
Share on other sites

Hi again,

ah ok so the label number are the line pointers of source file.Ok thanks for this info.Will see whether I can follow and check the code sequences on that way a little.

So I would also like to use easy ways if possible in some or more cases kao but in other cases its not easy to find or use any simple ways also if I follow the hints you guys gave me and doing this or that without much success and running from one problem to next etc.

greetz

Share this post


Link to post
Share on other sites

Hi,

so I have some questions about the webclient and the USAGE.So if I see it right then it used TLS 1.0 (-P4) by itself.So what about the other protocols 1 - 3 you can choose?Does it mean I dont need to use them?So I tried them too but they failed.So just wanna ask whether I need to use / set any protocol in some cases or not etc?

Another question: So what about the context _g_pSSPI I see in the source and in many cases the source does call APIs with register call _g_pSSPI+XY.Are the API always stored with same distance from context top to below?

greetz

Share this post


Link to post
Share on other sites

I started doing some conversion of the webclient.c to an assembler version - taking some equates (constants) from sspi.h, wincrypt.h, and the internet and other header files. Dont think you need the g_pSSPI variable as you can call the functions directly as schannel.lib and secur32.lib etc are likely to be static linked in anyhow. So instead of:

//
// Create an SSPI credential.
//

Status = g_pSSPI->AcquireCredentialsHandleA(
                   NULL,                   // Name of principal    
                   UNISP_NAME_A,           // Name of package
                   SECPKG_CRED_OUTBOUND,   // Flags indicating use
                   NULL,                   // Pointer to logon ID
                   &SchannelCred,          // Package specific data
                   NULL,                   // Pointer to GetKey() func
                   NULL,                   // Value to pass to GetKey()
                   phCreds,                // (out) Cred Handle
                   &tsExpiry);             // (out) Lifetime (optional)

you can just call it like:

; Create an SSPI credential.
Invoke AcquireCredentialsHandleA, NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL, Addr SchannelCred, NULL, NULL, phCreds, Addr tsExpiry
mov Status, eax

 

Please note that this is just an initial pass at conversion, i haven't done all functions and have done no testing, other than to see if it assembles without errors. However some structures and offsets and variables will more than likely be wrong and need adjusting when further along - and comparing it to ragdogs listing output will help figure out exactly certain parts of the code. Also i used wsprintf just as a way of storing the string for the moment - probably could be used in a messagebox call - but that can be for later.

Anyhow feel free to take whats there and continue on with the conversion process if you wish.

webclient_library.asm

SSPI.H

wincrypt.h

2 people like this

Share this post


Link to post
Share on other sites

Hi fearless,

so your conversion file looks already very good so far and I wanted to do same but for me its not easy of course (PITA) and would take a year or more or failed. :) On the other hand I did think about it just to add the entire ASM file from ragdog in my project anyhow but its also a bad idea to use this static version so then I cant add my code between in a dynamic way etc you know.Maybe you could make the conversion complete if possible and if its not to much if I ask about it so that would be great and of course more easier for me to use later (I hope you dont mind if I say it so). :)

greetz

Share this post


Link to post
Share on other sites

just a comment, with no offence intended... i've been there doing the whole 'do it in asm' thing.. with pid and other things, and quite honestly, in hindsight it causes more problems really, such as porting to x64 for example (its a huge pain in the arse asm wise if functions are really complex), or taking advantage of specific hardware opcodes etc..

while it is interesting to sharpen your coding skills asm wise, as it all boils down to asm at the end of the day really, i think you might benefit some from downloading visual studio and playing with c/c++ so you can then learn how to easily port over code to asm or see how the compiler optimises stuff)... like in the example you posted with the c code, you'd easily be able to make your own little tiny exe, stick a breakpoint on the function you made in the c code and trace it to get a fuller picture...  that really would be my advice to you.. sharpen your c/c++ skills so they benefit your asm ones and it'll also allow you to mix code (c/c++ and asm) which i think is hundreds of times more beneficial

Edited by evlncrn8
2 people like this

Share this post


Link to post
Share on other sites

Hi,

so its of course a good practice to check the C source with the ASM file and to check the lines between both files to lern something how C does work but for a C / C++ noob its not easy with that files where the routines are almost very large and I do lost the overview especially in that ClientHandshakeLoop routine for example.So all in all I dont really get it at the moment to convert the other routines I need.Seems I can forget it now and the code I tried to manage by myself should be also wrong...

PROBE proc

local wsdata:WSADATA  
local SOCKETGET:DWORD
local phContext:FILETIME ;8
local pExtraData[0]:SecBuffer 

    invoke  WSAStartup, 101H, addr wsdata  ;<--
    .if eax != 0h
    ;invoke ERRORLOG
    invoke MessageBox,0,chr$("WSAStartup Error!"),chr$("Error!"),MB_ICONWARNING
    ret
    .endif    
    
    
    invoke CreateCredentials,NULL,addr CredHandle
    .if eax != 0h
    ;failed
    .endif
    
    invoke ConnectToServer,chr$("forum.tuts4you.com"),443,addr SOCKETGET
    .if eax != 0h
    ;failed
    .endif
    
    invoke PerformClientHandshake,SOCKETGET,addr CredHandle,chr$("forum.tuts4you.com"),addr phContext,addr pExtraData
    
    
    

	Ret
PROBE endp	




PerformClientHandshake  proc Socket:DWORD, phCreds:DWORD, pszServerName1:DWORD, phContext:DWORD, pExtraData:DWORD

local  dwSSPIFlags:DWORD
LOCAL  OutBuffers[1]:SecBuffer
LOCAL  OutBuffer:SecBufferDesc 
local  tsExpiry:FILETIME
local  dwSSPIOutFlags:DWORD
local  scRet:DWORD
local  cbData:DWORD
;local _OutBuffers[12]:BYTE
;local _OutBuffer [12]:BYTE


    mov  dwSSPIFlags,ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT
    ;mov	eax, 12
    ;imul	eax, 0
    ;mov	DWORD PTR _OutBuffers,[ebp+eax+8], 0
    mov OutBuffers[0].pvBuffer, NULL
    mov eax, SECBUFFER_TOKEN
    mov OutBuffers[0].BufferType, eax
    mov OutBuffers[0].cbBuffer, 0

    mov OutBuffer.cBuffers, 1
    lea eax, OutBuffers
    mov OutBuffer.pBuffers, eax
    mov eax, SECBUFFER_VERSION
    mov OutBuffer.ulVersion, eax
    
    Invoke InitializeSecurityContext, phCreds, NULL, pszServerName1, dwSSPIFlags, 0, SECURITY_NATIVE_DREP, NULL, 0, phContext, Addr OutBuffer, Addr dwSSPIOutFlags, Addr tsExpiry
    mov scRet,eax
    .if eax != SEC_I_CONTINUE_NEEDED
        ; Error %d returned by InitializeSecurityContext (1)
        ret
    .endif
    
    
    .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
       Invoke send, Socket, Addr OutBuffers[0].pvBuffer, addr OutBuffers[0].cbBuffer, 0
       mov cbData,eax
       .if(cbData == SOCKET_ERROR || cbData == 0)
        ; Error %d sending data to server (1)
          invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
          invoke DeleteSecurityContext,phContext
          mov eax,SEC_E_INTERNAL_ERROR
          ret
       .endif   
    .endif
    
    invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
    mov OutBuffers[0].pvBuffer,0
    
    ; _ClientHandshakeLoop
    invoke ClientHandshakeLoop,Socket,phCreds,phContext,0,pExtraData


	Ret
PerformClientHandshake endp


ClientHandshakeLoop     proc Socket:DWORD, phCreds:DWORD, phContext:DWORD, fDoInitialRead:DWORD, pExtraData:DWORD

LOCAL dwSSPIOutFlags:DWORD
local tsExpiry:FILETIME
local dwSSPIFlags:DWORD
local IoBuffer:DWORD
local cbIoBuffer:DWORD
local fDoRead:DWORD
local scRet:DWORD
local cbData:DWORD
local InBuffers[0]:SecBuffer
local InBuffer[0]:SecBufferDesc
local OutBuffers[0]:SecBuffer
local OutBuffer[0]:SecBufferDesc

    mov dwSSPIFlags, ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT
    invoke LocalAlloc,LMEM_FIXED,IO_BUFFER_SIZE
    mov IoBuffer,eax
    .if(IoBuffer == NULL)
       ; Out of memory (1)
       mov eax,SEC_E_INTERNAL_ERROR
       ret
    .endif
    mov cbIoBuffer,0
    
    mov eax,fDoInitialRead
    mov fDoRead,eax
    mov scRet,SEC_I_CONTINUE_NEEDED
    
    .while scRet == SEC_I_CONTINUE_NEEDED || scRet == SEC_E_INCOMPLETE_MESSAGE || scRet == SEC_I_INCOMPLETE_CREDENTIALS
        .if(cbIoBuffer == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
             .if(fDoRead)
                   
                   mov eax,IO_BUFFER_SIZE
                   sub eax,cbIoBuffer
                   mov ecx,IoBuffer
                   add ecx,cbIoBuffer
                   invoke recv,Socket,ecx,eax,0
                   mov cbData,eax
                   .if(cbData == SOCKET_ERROR)
                      invoke WSAGetLastError
                      ;Error %d reading data from server\
                      mov scRet, SEC_E_INTERNAL_ERROR
                      jmp A1
                   .elseif (cbData == 0)    
                      ;Server unexpectedly disconnected
                      mov scRet, SEC_E_INTERNAL_ERROR
                      jmp A1
                   .endif
                   ;%d bytes of handshake data received\
                   mov eax,cbIoBuffer 
                   add eax,cbData   
                   mov cbIoBuffer,eax
             .else
             mov fDoRead,TRUE
             .endif
             
             m2m InBuffers[0].pvBuffer   ,IoBuffer
             m2m InBuffers[0].cbBuffer   ,cbIoBuffer
             mov InBuffers[0].BufferType ,SECBUFFER_TOKEN
             
             mov InBuffers[1].pvBuffer   ,NULL
             mov InBuffers[1].cbBuffer   ,0
             mov InBuffers[1].BufferType ,0 ;SECBUFFER_EMPTY
             
             mov InBuffer.cBuffers       , 2
             m2m InBuffer.pBuffers       ,InBuffers
             mov InBuffer.ulVersion      ,SECBUFFER_VERSION
             
             mov OutBuffers[0].pvBuffer  , NULL
             mov OutBuffers[0].BufferType ,SECBUFFER_TOKEN
             mov OutBuffers[0].cbBuffer  , 0
             
             mov OutBuffer.cBuffers       ,1
             m2m OutBuffer.pBuffers      , OutBuffers
             mov OutBuffer.ulVersion      ,SECBUFFER_VERSION
             
             invoke InitializeSecurityContext,phCreds,phContext,NULL,dwSSPIFlags,0,SECURITY_NATIVE_DREP,addr InBuffer,0,NULL,addr OutBuffer,addr dwSSPIOutFlags,addr tsExpiry
             mov scRet, eax
             
             ;mov eax,dwSSPIOutFlags
             ;add eax,ISC_RET_EXTENDED_ERROR
             .if scRet == SEC_E_OK || scRet == SEC_I_CONTINUE_NEEDED || scRet == 0h && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) 
             ;Line 1149
                 .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
                     invoke send,Socket,addr OutBuffers[0].pvBuffer,addr OutBuffers[0].cbBuffer,0
                     mov cbData,eax
                     .if(cbData == SOCKET_ERROR || cbData == 0)
                     ; Error %d sending data to server (2)
                     invoke WSAGetLastError
                     invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
                     invoke DeleteSecurityContext,phContext
                     mov eax,SEC_E_INTERNAL_ERROR
                     ret
                     .endif
                     ;%d bytes of handshake data sent\n
                     invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
                     mov OutBuffers[0].pvBuffer ,NULL
                     
                     .if(scRet == SEC_E_INCOMPLETE_MESSAGE)
                     nop
                     .endif
                 
                 
                 
                 
                 
                 .endif
             
             
             
             
             .endif
        
        
        .endif

    .endw
    
    .if(scRet == SEC_E_OK)
     ;"Handshake was successful
         .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA
            invoke LocalAlloc,LMEM_FIXED,addr InBuffers[1].cbBuffer
            
            mov ecx,pExtraData
            ASSUME ecx:ptr SecBuffer
            ;assume dword ptr eax,SecBuffer
            mov [ecx].pvBuffer,eax
                .if [ecx].pvBuffer == NULL
                ; Out of memory (2)
                 mov eax,SEC_E_INTERNAL_ERROR
                 ret
                .endif
                
                mov eax,cbIoBuffer
                sub eax,InBuffers.cbBuffer
                add eax,IoBuffer
                
                mov ecx,pExtraData
                ASSUME ecx:ptr SecBuffer
                invoke crt_memmove,[ecx].pvBuffer,eax,InBuffers
                mov ecx,pExtraData
                ASSUME ecx:ptr SecBuffer
                m2m [ecx].cbBuffer,InBuffers[1].cbBuffer
                mov [ecx].BufferType,SECBUFFER_TOKEN
                ;%d bytes of app data was bundled with handshake data
                ;mov eax, pExtraData
         .else
         mov ecx,pExtraData
         ASSUME ecx:ptr SecBuffer
         mov  [ecx].pvBuffer   , NULL
         mov  [ecx].cbBuffer   , NULL
         mov  [ecx].BufferType , 0 ;SECBUFFER_EMPTY
         ;jmp	$LN26@ClientHand
         .endif ;1210
    
    
    
    
    .endif



A1:


	Ret
ClientHandshakeLoop endp




...hmmmm.Thanks again so far.

greetz

Share this post


Link to post
Share on other sites

Hi again,

ok I did it again to correct the routine and it should look so now if I am not wrong...

ClientHandshakeLoop     proc Socket:DWORD, phCreds:DWORD, phContext:DWORD, fDoInitialRead:DWORD, pExtraData:DWORD

LOCAL dwSSPIOutFlags:DWORD
local tsExpiry:FILETIME
local dwSSPIFlags:DWORD
local IoBuffer:DWORD
local cbIoBuffer:DWORD
local fDoRead:DWORD
local scRet:DWORD
local cbData:DWORD
local InBuffers[0]:SecBuffer
local InBuffer[0]:SecBufferDesc
local OutBuffers[0]:SecBuffer
local OutBuffer[0]:SecBufferDesc

    mov dwSSPIFlags, ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT
    invoke LocalAlloc,LMEM_FIXED,IO_BUFFER_SIZE
    mov IoBuffer,eax
    .if(IoBuffer == NULL)
       ; Out of memory (1)
       mov eax,SEC_E_INTERNAL_ERROR
       ret
    .endif
    mov cbIoBuffer,0
    
    mov eax,fDoInitialRead
    mov fDoRead,eax
    mov scRet,SEC_I_CONTINUE_NEEDED

$LN27@ClientHand:   
    .while scRet == SEC_I_CONTINUE_NEEDED || scRet == SEC_E_INCOMPLETE_MESSAGE || scRet == SEC_I_INCOMPLETE_CREDENTIALS
        .if(cbIoBuffer == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE)
             .if(fDoRead)
                   
                   mov eax,IO_BUFFER_SIZE
                   sub eax,cbIoBuffer
                   mov ecx,IoBuffer
                   add ecx,cbIoBuffer
                   invoke recv,Socket,ecx,eax,0
                   mov cbData,eax
                   .if(cbData == SOCKET_ERROR)
                      invoke WSAGetLastError
                      ;Error %d reading data from server\
                      mov scRet, SEC_E_INTERNAL_ERROR
                      jmp $LN26@ClientHand
                   .elseif (cbData == 0)    
                      ;Server unexpectedly disconnected
                      mov scRet, SEC_E_INTERNAL_ERROR
                      jmp $LN26@ClientHand
                   .endif
                   ;%d bytes of handshake data received\
                   mov eax,cbIoBuffer 
                   add eax,cbData   
                   mov cbIoBuffer,eax
             .else
             mov fDoRead,TRUE
             .endif            
       .endif      
             
             
             
             m2m InBuffers[0].pvBuffer   ,IoBuffer
             m2m InBuffers[0].cbBuffer   ,cbIoBuffer
             mov InBuffers[0].BufferType ,SECBUFFER_TOKEN
             
             mov InBuffers[1].pvBuffer   ,NULL
             mov InBuffers[1].cbBuffer   ,0
             mov InBuffers[1].BufferType ,0 ;SECBUFFER_EMPTY
             
             mov InBuffer.cBuffers       , 2
             m2m InBuffer.pBuffers       ,InBuffers
             mov InBuffer.ulVersion      ,SECBUFFER_VERSION
             
             mov OutBuffers[0].pvBuffer  , NULL
             mov OutBuffers[0].BufferType ,SECBUFFER_TOKEN
             mov OutBuffers[0].cbBuffer  , 0
             
             mov OutBuffer.cBuffers       ,1
             m2m OutBuffer.pBuffers      , OutBuffers
             mov OutBuffer.ulVersion      ,SECBUFFER_VERSION
             
             invoke InitializeSecurityContext,phCreds,phContext,NULL,dwSSPIFlags,0,SECURITY_NATIVE_DREP,addr InBuffer,0,NULL,addr OutBuffer,addr dwSSPIOutFlags,addr tsExpiry
             mov scRet, eax
             
             ;mov eax,dwSSPIOutFlags
             ;add eax,ISC_RET_EXTENDED_ERROR
             .if scRet == SEC_E_OK || scRet == SEC_I_CONTINUE_NEEDED || scRet == 0h && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) 
             ;Line 1149
                 .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
                     invoke send,Socket,addr OutBuffers[0].pvBuffer,addr OutBuffers[0].cbBuffer,0
                     mov cbData,eax
                     .if(cbData == SOCKET_ERROR || cbData == 0)
                     ; Error %d sending data to server (2)
                     invoke WSAGetLastError
                     invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
                     invoke DeleteSecurityContext,phContext
                     mov eax,SEC_E_INTERNAL_ERROR
                     ret
                     .endif
                     ;%d bytes of handshake data sent\n
                     invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer
                     mov OutBuffers[0].pvBuffer ,NULL
                .endif
             .endif
        
        
           .if(scRet == SEC_E_INCOMPLETE_MESSAGE)
             jmp $LN27@ClientHand
           .endif
           
           
    .if(scRet == SEC_E_OK)
     ;"Handshake was successful
         .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA
            invoke LocalAlloc,LMEM_FIXED,addr InBuffers[1].cbBuffer
            
            mov ecx,pExtraData
            ASSUME ecx:ptr SecBuffer
            ;assume dword ptr eax,SecBuffer
            mov [ecx].pvBuffer,eax
                .if [ecx].pvBuffer == NULL
                ; Out of memory (2)
                 mov eax,SEC_E_INTERNAL_ERROR
                 ret
                .endif
                
                mov eax,cbIoBuffer
                sub eax,InBuffers.cbBuffer
                add eax,IoBuffer
                
                mov ecx,pExtraData
                ASSUME ecx:ptr SecBuffer
                invoke crt_memmove,[ecx].pvBuffer,eax,InBuffers
                mov ecx,pExtraData
                ASSUME ecx:ptr SecBuffer
                m2m [ecx].cbBuffer,InBuffers[1].cbBuffer
                mov [ecx].BufferType,SECBUFFER_TOKEN
                ;%d bytes of app data was bundled with handshake data
                ;mov eax, pExtraData
         .else
         mov ecx,pExtraData
         ASSUME ecx:ptr SecBuffer
         mov  [ecx].pvBuffer   , NULL
         mov  [ecx].cbBuffer   , NULL
         mov  [ecx].BufferType , 0 ;SECBUFFER_EMPTY       
         .endif ;1210
         jmp	$LN26@ClientHand
    
    .endif
           

    .if(scRet == 0h) ; FAILED
    ;Error 0x%x returned by InitializeSecurityContext (2)
    jmp	$LN26@ClientHand
    .endif
   
       .if(scRet == SEC_I_INCOMPLETE_CREDENTIALS)
       invoke GetNewClientCredentials,phCreds, phContext
       mov fDoRead,FALSE
       mov scRet,SEC_I_CONTINUE_NEEDED
       jmp $LN27@ClientHand
       .endif
       
       .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA
           mov eax,InBuffers[1].cbBuffer
           mov cbIoBuffer,eax
           mov eax, cbIoBuffer
           sub eax,InBuffers[1].cbBuffer
           add eax,IoBuffer
           invoke crt_memmove,IoBuffer,eax,InBuffers[1].cbBuffer
       .else
           mov cbIoBuffer ,0
       .endif
   
    .endw
    
$LN26@ClientHand:    
    .if(scRet == 0h) ; FAILED
        invoke DeleteSecurityContext,phContext
    .endif
    invoke LocalFree, IoBuffer
    mov eax, scRet

	Ret
ClientHandshakeLoop endp

Now I need to handle the GetNewClientCredentials routine but there I need to buld some new structs.So I tried this...

PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK  TYPEDEF CRYPTOAPI_BLOB

CERT_CHAIN_FIND_BY_ISSUER_PARA STRUCT
    cbSize                   DWORD ?
    pszUsageIdentifier       DWORD ?
    dwKeySpec                DWORD ?
    dwAcquirePrivateKeyFlags DWORD ?
    cIssuer                  DWORD ?
    rgIssuer                 CERT_NAME_BLOB <>
    pfnFindCallback          PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK <>
    pvFindArg
    pdwIssuerChainIndex      DWORD ?
    pdwIssuerElementIndex    DWORD ?
CERT_CHAIN_FIND_BY_ISSUER_PARA ENDS

Missing pvFindArg so on MSDN there is set a void command but not sure about the size.Also about pfnFindCallback I am not sure whether its right I did add.So in the file I can see the struct has a size of 32 bytes dec but it dosent match anyhow.If I use DWORD for all = 40 bytes dec.Can anyone tell me how its right now?

Thanks

Share this post


Link to post
Share on other sites

void is same as ptr - and seeing as you're doing 32 bit, max size = dword.. so just cast it as that... in x64 its qword

also for this u can fire up c to find out the sizes.. make a simple console app

and use printf("size of blah : 0x%0X", (sizeof(struct.portion)));

also bear in mind structs (unless the pragma push / pop) is used can be optimised and aligned automagically by the compiler

 

Edited by evlncrn8

Share this post


Link to post
Share on other sites

Hi again,

just have a little other question.So how can I use wsprint API with CRLF in format line?So I cant use / write \r\n so this dosent get handled.Any idea?

Thanks

Share this post


Link to post
Share on other sites

Each assembler has slightly different syntax.

Masm/Tasm syntax would be:

db "this is ", 0Dh, 0Ah, "multiline string", 0

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now