LCF-AT Posted February 17, 2017 Author Share Posted February 17, 2017 Hi kao, thanks for your answer but I am still confused. Info: About the complete URL.So its just for the tool itself I made so the first part gets checked and cut out and the rest will used.Also if there is no port info then I used standart port 80 as default port. Now again some questions: 1.) Is it now possible with WinSock without SSL (openssl etc) to get successfully access to T4Y for example + getting right page content? 2.) How can I check whether I need to request any site with SSL from the response I get? 3.) Why I get success using WinInet with and also without SSL flags on T4Y site? Using WinInet with & without SSL Flags GET /index.php HTTP/1.1 Host: tuts4you.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 200 OK Pagecontent all there and right.... Using WinSock -------------------------------------- GET /index.php HTTP/1.1 Host: tuts4you.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 301 Moved Permanently Date: Fri, 17 Feb 2017 15:57:11 GMT Server: Apache Expires: Sat, 01 Jan 2000 00:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSTUTS4YOUCOM=6efd7798c31d1e7dd2eac3b0b89222af; path=/; domain=.tuts4you.com Last-Modified: Fri, 17 Feb 2017 15:57:11 GMT Location: https://tuts4you.com/index.php Strict-Transport-Security: max-age=15768000;includeSubdomains Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ----------------------------------------- GET /index.php HTTP/1.1 Host: tuts4you.com:443 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 301 Moved Permanently Date: Fri, 17 Feb 2017 15:59:32 GMT Server: Apache Expires: Sat, 01 Jan 2000 00:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSTUTS4YOUCOM=76b7127e22f93deb8c9f415f1cedd435; path=/ Last-Modified: Fri, 17 Feb 2017 15:59:32 GMT Location: https://tuts4you.com/index.php Strict-Transport-Security: max-age=15768000;includeSubdomains Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ---------------------------------------- GET /index.php HTTP/1.1 Host: tuts4you.com:80 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 301 Moved Permanently Date: Fri, 17 Feb 2017 16:00:24 GMT Server: Apache Expires: Sat, 01 Jan 2000 00:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSTUTS4YOUCOM=68bdd2ad43c8ec6997f31ed9481ff3b0; path=/ Last-Modified: Fri, 17 Feb 2017 16:00:25 GMT Location: https://tuts4you.com/index.php Strict-Transport-Security: max-age=15768000;includeSubdomains Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ------------------------------------------------- GET /index.php HTTP/1.1 Host: 198.57.187.53:443 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 301 Moved Permanently Date: Fri, 17 Feb 2017 16:01:11 GMT Server: Apache Expires: Sat, 01 Jan 2000 00:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSTUTS4YOUCOM=86888b0965c546f6474a2a0f142c36f2; path=/ Last-Modified: Fri, 17 Feb 2017 16:01:11 GMT Location: https://tuts4you.com/index.php Strict-Transport-Security: max-age=15768000;includeSubdomains Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ----------------------------------------- GET /index.php HTTP/1.1 Host: 198.57.187.53:80 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) HTTP/1.1 404 Not Found Date: Fri, 17 Feb 2017 16:01:35 GMT Server: Apache Accept-Ranges: bytes Strict-Transport-Security: max-age=15768000;includeSubdomains Connection: close Transfer-Encoding: chunked Content-Type: text/html ----------------------------------------- So I dont get any successfully access to T4Y index.php site using WInSock.Is this because I dont use SSL (extra OpenSSL APIs etc) or should it normaly work anyhow also without SSL?On the examples about WinInet its also working without SSL flags and thats the reason I do wonder.So if it works with WinInet wihtout SSL then it should also work with WinSock without SSL or so thing wrong anyhow?!? greetz Link to comment
kao Posted February 17, 2017 Share Posted February 17, 2017 @Teddy Rogers should be able to answer specifics on how the server is configured. From the info you posted, it looks like T4Y works only over HTTPS and WinInet does lots of stuff "behind the scenes", even if don't explicitly tell it to. You could use WireShark to capture packets for each requedt and see what exactly is happening. Link to comment
Techlord Posted February 17, 2017 Share Posted February 17, 2017 (edited) So @LCF-AT , do you still need me to look into this issue or is it almost solved ? When you PM-ed me a couple of days ago, I already told you that I would look into it during the weekend as I was (and am) busy till then. But I see that you already put up yet another post yesterday haha Guess you are in a bit of a hurry .. hehe Anyway, the problrm is, that since you want it to be in ASM, I would need to compile the SSL libraries from scratch on my computer. That would take time and also converting the code to ASM would make it quite bulky as I told you in the PM already. I have no problem (and its also good ) if others are helping out. But what I want to know is whether you would still need me to look into it or not ... Because I am not really a fan of re-duplication of efforts if you know what I mean.. I do not want to waste time compiling the libraries etc if someone else is already working on it , if you know what I mean... No offense of course, but just want to avoid re-duplication of efforts from our members here. Is anyone already (and continuing to) work on LCF-AT's issue ? Cheers EDIT : As I was typing this out, I see that @kao had already posted another reply. One thing I want to add is that certain security configurations of websites could prevent you from accessing them from "unknown" apps. So as Kao says, its well worth finding out whetehr its teh security configuration of the sites thats preventing you from accessing them. Having said that, I cannot comment further wihtout knowing what exactly you ar etrying to accomplish with your code in the first place ... Edited February 17, 2017 by Techlord Link to comment
LCF-AT Posted February 17, 2017 Author Share Posted February 17, 2017 Hi again, hmmm ok.So you mean WinInet functions doing some thing to handle that SSL issue also if I have disabled it?I am not very common using Wireshark. @Techlord Sure I do still need help and nothing is sloved yet of course.Yes I am always in hurry if I dont understand something or cant find any solutions. So my main goal is it to use WinSock only for everything to get successfully access to all sites (like browser) without using WinInet anymore (its working slower and its also limited) but the problem is that I get more success using WinInet instead of WInSock but I dont want use both anymore.So if I need this SSL / TLS thing for WinSock to get success then I would like to use WinSock with SSL and then I could quit WinInet but I still dont know how to implement it for a simple client for example.If I see it right then they are just a few APIs I need to use from ssleay32.dll but I dont check some C / C++ structs I need to use with that key pem thing etc. greetz 1 Link to comment
Techlord Posted February 18, 2017 Share Posted February 18, 2017 On Friday, 17 February, 2017 at 11:59 AM, LCF-AT said: Sure I do still need help and nothing is sloved yet of course.Yes I am always in hurry if I dont understand something or cant find any solutions Well, since most of the discussin would not be of too much interest to others, I would be continuing the discussion via PM. probably would post the final solution that we arrive at, here, for anyone else referring to this thread down the road, If anyone else is following this thread with interest and would rather like the discussion done on the thread, please let us know Cheers 1 Link to comment
fearless Posted February 18, 2017 Share Posted February 18, 2017 (edited) Here is a basic test prog to fetch a t4y web page using wininet stuff. I used most of this code in a x64dbg plugin to download snapshot updates from github. I've re-purposed it for this test program. Hopefully it helps you, let me know how you get on or if you found it useful. Edit: I'm interested in this topic, so feel free to continue the discussion here. Cheers t4ytest.zip Edited February 18, 2017 by fearless Update to mention interest in discussion on the forums 1 Link to comment
LCF-AT Posted February 19, 2017 Author Share Posted February 19, 2017 Hi, thanks for your interest fearless but as you can read above I am not looking for a WinInet solution and wanna have a WinSock solution only.So if its only working using WinSock + any SSL extra APIs etc then I would be interested to see any example you know.I cant find any example in MASM for this only some C or C++ codes like I did post before in this topic but I dont understand this whole C / C++ language thing to make any translation to MASM I could use later.Thats the problem. greetz Link to comment
LCF-AT Posted February 19, 2017 Author Share Posted February 19, 2017 Hi again, so I checked internet again and found some infos about schannel and I also found a schannel inc & lib for MASM on my HDD but I could not found any example code.So is this something I could maybe use too to handle sites like T4Y or google with location resolve? greetz Link to comment
kao Posted February 20, 2017 Share Posted February 20, 2017 Here is the source with schannel web client sample code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/cpp/mssdk/WebClient.c Here is compiled executable from which you can rip the relevant ASM code: ftp://linux.mikroklima.cz/MIDAM-CD/DIGI/samples/SSLClient/WebClient.exe Attached is slightly patched executable that you can use to test again https://forum.tuts4you.com (added proper Host: header in request). Use command line like this: WebClient1.exe -sforum.tuts4you.com -p443 -findex.php >result.txt  Result.txt will look like: ... Buffers[1].BufferType = SECBUFFER_DATA Decrypted data: 444 bytes 0000 48 54 54 50 2f 31 2e 31:20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 0010 0a 44 61 74 65 3a 20 4d:6f 6e 2c 20 32 30 20 46 .Date: Mon, 20 F 0020 65 62 20 32 30 31 37 20:31 32 3a 34 33 3a 32 30 eb 2017 12:43:20 0030 20 47 4d 54 0d 0a 53 65:72 76 65 72 3a 20 41 70 GMT..Server: Ap 0040 61 63 68 65 0d 0a 45 78:70 69 72 65 73 3a 20 54 ache..Expires: T 0050 68 75 2c 20 31 39 20 4e:6f 76 20 31 39 38 31 20 hu, 19 Nov 1981 0060 30 38 3a 35 32 3a 30 30:20 47 4d 54 0d 0a 43 61 08:52:00 GMT..Ca 0070 63 68 65 2d 43 6f 6e 74:72 6f 6c 3a 20 6e 6f 2d che-Control: no- 0080 73 74 6f 72 65 2c 20 6e:6f 2d 63 61 63 68 65 2c store, no-cache, 0090 20 6d 75 73 74 2d 72 65:76 61 6c 69 64 61 74 65 must-revalidate 00a0 2c 20 70 6f 73 74 2d 63:68 65 63 6b 3d 30 2c 20 , post-check=0, 00b0 70 72 65 2d 63 68 65 63:6b 3d 30 0d 0a 50 72 61 pre-check=0..Pra 00c0 67 6d 61 3a 20 6e 6f 2d:63 61 63 68 65 0d 0a 58 gma: no-cache..X 00d0 2d 58 53 53 2d 50 72 6f:74 65 63 74 69 6f 6e 3a -XSS-Protection: 00e0 20 30 0d 0a 43 6f 6e 6e:65 63 74 69 6f 6e 3a 20 0..Connection: 00f0 63 6c 6f 73 65 0d 0a 53:65 74 2d 43 6f 6f 6b 69 close..Set-Cooki 0100 65 3a 20 69 70 73 34 5f:49 50 53 53 65 73 73 69 e: ips4_IPSSessi 0110 6f 6e 46 72 6f 6e 74 3d:37 32 32 36 65 36 32 61 onFront=7226e62a 0120 61 37 34 62 61 38 62 39:39 36 30 34 61 63 35 62 a74ba8b99604ac5b 0130 64 33 39 31 33 30 65 36:3b 20 70 61 74 68 3d 2f d39130e6; path=/ 0140 3b 20 73 65 63 75 72 65:3b 20 48 74 74 70 4f 6e ; secure; HttpOn 0150 6c 79 0d 0a 53 74 72 69:63 74 2d 54 72 61 6e 73 ly..Strict-Trans 0160 70 6f 72 74 2d 53 65 63:75 72 69 74 79 3a 20 6d port-Security: m 0170 61 78 2d 61 67 65 3d 31:35 37 36 38 30 30 30 3b ax-age=15768000; 0180 69 6e 63 6c 75 64 65 53:75 62 64 6f 6d 61 69 6e includeSubdomain 0190 73 0d 0a 43 6f 6e 74 65:6e 74 2d 54 79 70 65 3a s..Content-Type: 01a0 20 74 65 78 74 2f 68 74:6d 6c 3b 63 68 61 72 73 text/html;chars 01b0 65 74 3d 55 54 46 2d 38:0d 0a 0d 0a et=UTF-8.... Buffers[1].BufferType = SECBUFFER_DATA Decrypted data: 7689 bytes 0000 3c 21 44 4f 43 54 59 50:45 20 68 74 6d 6c 3e 0a <!DOCTYPE html>. 0010 3c 68 74 6d 6c 20 6c 61:6e 67 3d 22 65 6e 2d 55 <html lang="en-U 0020 53 22 20 64 69 72 3d 22:6c 74 72 22 3e 0a 09 3c S" dir="ltr">..< 0030 68 65 61 64 3e 0a 09 09:3c 74 69 74 6c 65 3e 46 head>...<title>F 0040 6f 72 75 6d 73 20 2d 20:54 75 74 73 20 34 20 59 orums - Tuts 4 Y 0050 6f 75 3c 2f 74 69 74 6c:65 3e 0a 09 09 3c 21 2d ou</title>...<!- 0060 2d 5b 69 66 20 6c 74 20:49 45 20 39 5d 3e 0a 09 -[if lt IE 9]>.. 0070 09 09 3c 6c 69 6e 6b 20:72 65 6c 3d 22 73 74 79 ..<link rel="sty 0080 6c 65 73 68 65 65 74 22:20 74 79 70 65 3d 22 74 lesheet" type="t 0090 65 78 74 2f 63 73 73 22:20 68 72 65 66 3d 22 68 ext/css" href="h 00a0 74 74 70 73 3a 2f 2f 66:6f 72 75 6d 2e 74 75 74 ttps://forum.tut 00b0 73 34 79 6f 75 2e 63 6f:6d 2f 75 70 6c 6f 61 64 s4you.com/upload 00c0 73 2f 63 73 73 5f 62 75:69 6c 74 5f 31 2f 35 65 s/css_built_1/5e 00d0 36 31 37 38 34 38 35 38:61 64 33 63 31 31 66 30 61784858ad3c11f0 00e0 30 62 35 37 30 36 64 31:32 61 66 65 35 32 5f 69 0b5706d12afe52_i 00f0 65 38 2e 63 73 73 2e 36:66 38 39 65 34 30 34 38 e8.css.6f89e4048 0100 66 39 32 30 34 65 32 63:35 63 64 64 30 32 64 33 f9204e2c5cdd02d3 0110 36 63 33 31 30 36 38 2e:63 73 73 22 3e 0a 09 09 6c31068.css">... 0120 20 20 20 20 3c 73 63 72:69 70 74 20 73 72 63 3d <script src= 0130 22 2f 2f 66 6f 72 75 6d:2e 74 75 74 73 34 79 6f "//forum.tuts4yo 0140 75 2e 63 6f 6d 2f 61 70:70 6c 69 63 61 74 69 6f u.com/applicatio 0150 6e 73 2f 63 6f 72 65 2f:69 6e 74 65 72 66 61 63 ns/core/interfac 0160 65 2f 68 74 6d 6c 35 73:68 69 76 2f 68 74 6d 6c e/html5shiv/html 0170 35 73 68 69 76 2e 6a 73:22 3e 3c 2f 73 63 72 69 5shiv.js"></scri 0180 70 74 3e 0a 09 09 3c 21:5b 65 6e 64 69 66 5d 2d pt>...<![endif]- 0190 2d 3e 0a 09 09 0a 3c 6d:65 74 61 20 63 68 61 72 ->....<meta char 01a0 73 65 74 3d 22 75 74 66:2d 38 22 3e 0a 0a 09 3c set="utf-8">...< ... As you can see, it works just fine.  webclient1.rar 1 Link to comment
LCF-AT Posted February 20, 2017 Author Share Posted February 20, 2017 Hi kao, thanks for your files so it seems to work (anyhow). But now the question is how I should handle the file to find all needed steps just debugging that file.There is a lot and this C or cpp source I cant really understand.Ok I will try to debug that file also if it will take a much time to not all needed steps etc. greetz Link to comment
ragdog Posted February 20, 2017 Share Posted February 20, 2017 (edited) Quote There is a lot and this C or cpp source I cant really understand /Fa Listing Assembly code is your friend Here is a WebClient debug version and Assembly listing and a WebClient.pdb for easier debug this exe  webclient.rar Edited February 20, 2017 by ragdog 1 Link to comment
LCF-AT Posted February 20, 2017 Author Share Posted February 20, 2017 Hi raggy, thanks for your code but......!?!So how should I use this oder follow this tons of code inside to write something with that in WinASM?So I am not a computer. This is really a pain into se Popo.Just great!Now I am again there where I did started.What now?Am I too stupid or whats the problem?Sometimes I think you guys are talking Chinese. greetz Link to comment
ragdog Posted February 20, 2017 Share Posted February 20, 2017 (edited) Quote I think you guys are talking Chinese No Lcf What i have postet was only a helper to understand it better ( you have say you understand not C/Cpp) If i translate a c/cpp code to Masm or Fasm and i do not understand a part of code compile i this code and make a Assembly listing Or debugging it. Use Notpade++ open the source code WebClient.c and you see the code and line numbers in WebClient.asm can you see line numbers like ; Line 402 etc  Or debug this exe in olly and load this pdb file for debug information in Olly!  Yes coding is many work,but you have strange wishes Edited February 20, 2017 by ragdog 1 Link to comment
kao Posted February 20, 2017 Share Posted February 20, 2017 10 minutes ago, ragdog said: Yes coding is many work,but you have strange wishes Amen to that!  @LCF-AT: The truth is - 99% of people pick the easiest paths. You insist on finding your own path. That comes with lots of artificial difficulties and obstacles. "I don't want to use WinInet, I don't want to download Visual Studio to compile ready-written C code, I don't want to learn even basic C to read the code examples, I don't want to use this or that but still it must somehow (magically) work!". Guess what, it doesn't work like that. We don't have magic wands. @Techlord offered you to compile OpenSSL for you. I found you ready-made sample code for schannel, @ragdog even recompiled it for you with symbols and everything and you're still not satisfied? My patience has run out, sorry. You're on your own on this challenge. Link to comment
evlncrn8 Posted February 20, 2017 Share Posted February 20, 2017 there are some times when doing it all in asm is not practical.. this is one of them 2 Link to comment
LCF-AT Posted February 21, 2017 Author Share Posted February 21, 2017 Hi again, ah ok so the label number are the line pointers of source file.Ok thanks for this info.Will see whether I can follow and check the code sequences on that way a little. So I would also like to use easy ways if possible in some or more cases kao but in other cases its not easy to find or use any simple ways also if I follow the hints you guys gave me and doing this or that without much success and running from one problem to next etc. greetz Link to comment
LCF-AT Posted February 22, 2017 Author Share Posted February 22, 2017 Hi, so I have some questions about the webclient and the USAGE.So if I see it right then it used TLS 1.0 (-P4) by itself.So what about the other protocols 1 - 3 you can choose?Does it mean I dont need to use them?So I tried them too but they failed.So just wanna ask whether I need to use / set any protocol in some cases or not etc? Another question: So what about the context _g_pSSPI I see in the source and in many cases the source does call APIs with register call _g_pSSPI+XY.Are the API always stored with same distance from context top to below? greetz Link to comment
fearless Posted February 22, 2017 Share Posted February 22, 2017 I started doing some conversion of the webclient.c to an assembler version - taking some equates (constants) from sspi.h, wincrypt.h, and the internet and other header files. Dont think you need the g_pSSPI variable as you can call the functions directly as schannel.lib and secur32.lib etc are likely to be static linked in anyhow. So instead of: // // Create an SSPI credential. // Status = g_pSSPI->AcquireCredentialsHandleA( NULL, // Name of principal UNISP_NAME_A, // Name of package SECPKG_CRED_OUTBOUND, // Flags indicating use NULL, // Pointer to logon ID &SchannelCred, // Package specific data NULL, // Pointer to GetKey() func NULL, // Value to pass to GetKey() phCreds, // (out) Cred Handle &tsExpiry); // (out) Lifetime (optional) you can just call it like: ; Create an SSPI credential. Invoke AcquireCredentialsHandleA, NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL, Addr SchannelCred, NULL, NULL, phCreds, Addr tsExpiry mov Status, eax  Please note that this is just an initial pass at conversion, i haven't done all functions and have done no testing, other than to see if it assembles without errors. However some structures and offsets and variables will more than likely be wrong and need adjusting when further along - and comparing it to ragdogs listing output will help figure out exactly certain parts of the code. Also i used wsprintf just as a way of storing the string for the moment - probably could be used in a messagebox call - but that can be for later. Anyhow feel free to take whats there and continue on with the conversion process if you wish. webclient_library.asm SSPI.H wincrypt.h 2 Link to comment
LCF-AT Posted February 23, 2017 Author Share Posted February 23, 2017 Hi fearless, so your conversion file looks already very good so far and I wanted to do same but for me its not easy of course (PITA) and would take a year or more or failed. On the other hand I did think about it just to add the entire ASM file from ragdog in my project anyhow but its also a bad idea to use this static version so then I cant add my code between in a dynamic way etc you know.Maybe you could make the conversion complete if possible and if its not to much if I ask about it so that would be great and of course more easier for me to use later (I hope you dont mind if I say it so). greetz Link to comment
evlncrn8 Posted February 23, 2017 Share Posted February 23, 2017 (edited) just a comment, with no offence intended... i've been there doing the whole 'do it in asm' thing.. with pid and other things, and quite honestly, in hindsight it causes more problems really, such as porting to x64 for example (its a huge pain in the arse asm wise if functions are really complex), or taking advantage of specific hardware opcodes etc.. while it is interesting to sharpen your coding skills asm wise, as it all boils down to asm at the end of the day really, i think you might benefit some from downloading visual studio and playing with c/c++ so you can then learn how to easily port over code to asm or see how the compiler optimises stuff)... like in the example you posted with the c code, you'd easily be able to make your own little tiny exe, stick a breakpoint on the function you made in the c code and trace it to get a fuller picture... that really would be my advice to you.. sharpen your c/c++ skills so they benefit your asm ones and it'll also allow you to mix code (c/c++ and asm) which i think is hundreds of times more beneficial Edited February 23, 2017 by evlncrn8 2 Link to comment
LCF-AT Posted February 24, 2017 Author Share Posted February 24, 2017 Hi, so its of course a good practice to check the C source with the ASM file and to check the lines between both files to lern something how C does work but for a C / C++ noob its not easy with that files where the routines are almost very large and I do lost the overview especially in that ClientHandshakeLoop routine for example.So all in all I dont really get it at the moment to convert the other routines I need.Seems I can forget it now and the code I tried to manage by myself should be also wrong... PROBE proc local wsdata:WSADATA local SOCKETGET:DWORD local phContext:FILETIME ;8 local pExtraData[0]:SecBuffer invoke WSAStartup, 101H, addr wsdata ;<-- .if eax != 0h ;invoke ERRORLOG invoke MessageBox,0,chr$("WSAStartup Error!"),chr$("Error!"),MB_ICONWARNING ret .endif invoke CreateCredentials,NULL,addr CredHandle .if eax != 0h ;failed .endif invoke ConnectToServer,chr$("forum.tuts4you.com"),443,addr SOCKETGET .if eax != 0h ;failed .endif invoke PerformClientHandshake,SOCKETGET,addr CredHandle,chr$("forum.tuts4you.com"),addr phContext,addr pExtraData Ret PROBE endp PerformClientHandshake proc Socket:DWORD, phCreds:DWORD, pszServerName1:DWORD, phContext:DWORD, pExtraData:DWORD local dwSSPIFlags:DWORD LOCAL OutBuffers[1]:SecBuffer LOCAL OutBuffer:SecBufferDesc local tsExpiry:FILETIME local dwSSPIOutFlags:DWORD local scRet:DWORD local cbData:DWORD ;local _OutBuffers[12]:BYTE ;local _OutBuffer [12]:BYTE mov dwSSPIFlags,ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT ;mov eax, 12 ;imul eax, 0 ;mov DWORD PTR _OutBuffers,[ebp+eax+8], 0 mov OutBuffers[0].pvBuffer, NULL mov eax, SECBUFFER_TOKEN mov OutBuffers[0].BufferType, eax mov OutBuffers[0].cbBuffer, 0 mov OutBuffer.cBuffers, 1 lea eax, OutBuffers mov OutBuffer.pBuffers, eax mov eax, SECBUFFER_VERSION mov OutBuffer.ulVersion, eax Invoke InitializeSecurityContext, phCreds, NULL, pszServerName1, dwSSPIFlags, 0, SECURITY_NATIVE_DREP, NULL, 0, phContext, Addr OutBuffer, Addr dwSSPIOutFlags, Addr tsExpiry mov scRet,eax .if eax != SEC_I_CONTINUE_NEEDED ; Error %d returned by InitializeSecurityContext (1) ret .endif .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL) Invoke send, Socket, Addr OutBuffers[0].pvBuffer, addr OutBuffers[0].cbBuffer, 0 mov cbData,eax .if(cbData == SOCKET_ERROR || cbData == 0) ; Error %d sending data to server (1) invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer invoke DeleteSecurityContext,phContext mov eax,SEC_E_INTERNAL_ERROR ret .endif .endif invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer mov OutBuffers[0].pvBuffer,0 ; _ClientHandshakeLoop invoke ClientHandshakeLoop,Socket,phCreds,phContext,0,pExtraData Ret PerformClientHandshake endp ClientHandshakeLoop proc Socket:DWORD, phCreds:DWORD, phContext:DWORD, fDoInitialRead:DWORD, pExtraData:DWORD LOCAL dwSSPIOutFlags:DWORD local tsExpiry:FILETIME local dwSSPIFlags:DWORD local IoBuffer:DWORD local cbIoBuffer:DWORD local fDoRead:DWORD local scRet:DWORD local cbData:DWORD local InBuffers[0]:SecBuffer local InBuffer[0]:SecBufferDesc local OutBuffers[0]:SecBuffer local OutBuffer[0]:SecBufferDesc mov dwSSPIFlags, ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT invoke LocalAlloc,LMEM_FIXED,IO_BUFFER_SIZE mov IoBuffer,eax .if(IoBuffer == NULL) ; Out of memory (1) mov eax,SEC_E_INTERNAL_ERROR ret .endif mov cbIoBuffer,0 mov eax,fDoInitialRead mov fDoRead,eax mov scRet,SEC_I_CONTINUE_NEEDED .while scRet == SEC_I_CONTINUE_NEEDED || scRet == SEC_E_INCOMPLETE_MESSAGE || scRet == SEC_I_INCOMPLETE_CREDENTIALS .if(cbIoBuffer == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE) .if(fDoRead) mov eax,IO_BUFFER_SIZE sub eax,cbIoBuffer mov ecx,IoBuffer add ecx,cbIoBuffer invoke recv,Socket,ecx,eax,0 mov cbData,eax .if(cbData == SOCKET_ERROR) invoke WSAGetLastError ;Error %d reading data from server\ mov scRet, SEC_E_INTERNAL_ERROR jmp A1 .elseif (cbData == 0) ;Server unexpectedly disconnected mov scRet, SEC_E_INTERNAL_ERROR jmp A1 .endif ;%d bytes of handshake data received\ mov eax,cbIoBuffer add eax,cbData mov cbIoBuffer,eax .else mov fDoRead,TRUE .endif m2m InBuffers[0].pvBuffer ,IoBuffer m2m InBuffers[0].cbBuffer ,cbIoBuffer mov InBuffers[0].BufferType ,SECBUFFER_TOKEN mov InBuffers[1].pvBuffer ,NULL mov InBuffers[1].cbBuffer ,0 mov InBuffers[1].BufferType ,0 ;SECBUFFER_EMPTY mov InBuffer.cBuffers , 2 m2m InBuffer.pBuffers ,InBuffers mov InBuffer.ulVersion ,SECBUFFER_VERSION mov OutBuffers[0].pvBuffer , NULL mov OutBuffers[0].BufferType ,SECBUFFER_TOKEN mov OutBuffers[0].cbBuffer , 0 mov OutBuffer.cBuffers ,1 m2m OutBuffer.pBuffers , OutBuffers mov OutBuffer.ulVersion ,SECBUFFER_VERSION invoke InitializeSecurityContext,phCreds,phContext,NULL,dwSSPIFlags,0,SECURITY_NATIVE_DREP,addr InBuffer,0,NULL,addr OutBuffer,addr dwSSPIOutFlags,addr tsExpiry mov scRet, eax ;mov eax,dwSSPIOutFlags ;add eax,ISC_RET_EXTENDED_ERROR .if scRet == SEC_E_OK || scRet == SEC_I_CONTINUE_NEEDED || scRet == 0h && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) ;Line 1149 .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL) invoke send,Socket,addr OutBuffers[0].pvBuffer,addr OutBuffers[0].cbBuffer,0 mov cbData,eax .if(cbData == SOCKET_ERROR || cbData == 0) ; Error %d sending data to server (2) invoke WSAGetLastError invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer invoke DeleteSecurityContext,phContext mov eax,SEC_E_INTERNAL_ERROR ret .endif ;%d bytes of handshake data sent\n invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer mov OutBuffers[0].pvBuffer ,NULL .if(scRet == SEC_E_INCOMPLETE_MESSAGE) nop .endif .endif .endif .endif .endw .if(scRet == SEC_E_OK) ;"Handshake was successful .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA invoke LocalAlloc,LMEM_FIXED,addr InBuffers[1].cbBuffer mov ecx,pExtraData ASSUME ecx:ptr SecBuffer ;assume dword ptr eax,SecBuffer mov [ecx].pvBuffer,eax .if [ecx].pvBuffer == NULL ; Out of memory (2) mov eax,SEC_E_INTERNAL_ERROR ret .endif mov eax,cbIoBuffer sub eax,InBuffers.cbBuffer add eax,IoBuffer mov ecx,pExtraData ASSUME ecx:ptr SecBuffer invoke crt_memmove,[ecx].pvBuffer,eax,InBuffers mov ecx,pExtraData ASSUME ecx:ptr SecBuffer m2m [ecx].cbBuffer,InBuffers[1].cbBuffer mov [ecx].BufferType,SECBUFFER_TOKEN ;%d bytes of app data was bundled with handshake data ;mov eax, pExtraData .else mov ecx,pExtraData ASSUME ecx:ptr SecBuffer mov [ecx].pvBuffer , NULL mov [ecx].cbBuffer , NULL mov [ecx].BufferType , 0 ;SECBUFFER_EMPTY ;jmp $LN26@ClientHand .endif ;1210 .endif A1: Ret ClientHandshakeLoop endp ...hmmmm.Thanks again so far. greetz Link to comment
LCF-AT Posted February 25, 2017 Author Share Posted February 25, 2017 Hi again, ok I did it again to correct the routine and it should look so now if I am not wrong... ClientHandshakeLoop proc Socket:DWORD, phCreds:DWORD, phContext:DWORD, fDoInitialRead:DWORD, pExtraData:DWORD LOCAL dwSSPIOutFlags:DWORD local tsExpiry:FILETIME local dwSSPIFlags:DWORD local IoBuffer:DWORD local cbIoBuffer:DWORD local fDoRead:DWORD local scRet:DWORD local cbData:DWORD local InBuffers[0]:SecBuffer local InBuffer[0]:SecBufferDesc local OutBuffers[0]:SecBuffer local OutBuffer[0]:SecBufferDesc mov dwSSPIFlags, ISC_REQ_STREAM or ISC_REQ_ALLOCATE_MEMORY or ISC_RET_EXTENDED_ERROR or ISC_REQ_CONFIDENTIALITY or ISC_REQ_REPLAY_DETECT or ISC_REQ_SEQUENCE_DETECT invoke LocalAlloc,LMEM_FIXED,IO_BUFFER_SIZE mov IoBuffer,eax .if(IoBuffer == NULL) ; Out of memory (1) mov eax,SEC_E_INTERNAL_ERROR ret .endif mov cbIoBuffer,0 mov eax,fDoInitialRead mov fDoRead,eax mov scRet,SEC_I_CONTINUE_NEEDED $LN27@ClientHand: .while scRet == SEC_I_CONTINUE_NEEDED || scRet == SEC_E_INCOMPLETE_MESSAGE || scRet == SEC_I_INCOMPLETE_CREDENTIALS .if(cbIoBuffer == 0 || scRet == SEC_E_INCOMPLETE_MESSAGE) .if(fDoRead) mov eax,IO_BUFFER_SIZE sub eax,cbIoBuffer mov ecx,IoBuffer add ecx,cbIoBuffer invoke recv,Socket,ecx,eax,0 mov cbData,eax .if(cbData == SOCKET_ERROR) invoke WSAGetLastError ;Error %d reading data from server\ mov scRet, SEC_E_INTERNAL_ERROR jmp $LN26@ClientHand .elseif (cbData == 0) ;Server unexpectedly disconnected mov scRet, SEC_E_INTERNAL_ERROR jmp $LN26@ClientHand .endif ;%d bytes of handshake data received\ mov eax,cbIoBuffer add eax,cbData mov cbIoBuffer,eax .else mov fDoRead,TRUE .endif .endif m2m InBuffers[0].pvBuffer ,IoBuffer m2m InBuffers[0].cbBuffer ,cbIoBuffer mov InBuffers[0].BufferType ,SECBUFFER_TOKEN mov InBuffers[1].pvBuffer ,NULL mov InBuffers[1].cbBuffer ,0 mov InBuffers[1].BufferType ,0 ;SECBUFFER_EMPTY mov InBuffer.cBuffers , 2 m2m InBuffer.pBuffers ,InBuffers mov InBuffer.ulVersion ,SECBUFFER_VERSION mov OutBuffers[0].pvBuffer , NULL mov OutBuffers[0].BufferType ,SECBUFFER_TOKEN mov OutBuffers[0].cbBuffer , 0 mov OutBuffer.cBuffers ,1 m2m OutBuffer.pBuffers , OutBuffers mov OutBuffer.ulVersion ,SECBUFFER_VERSION invoke InitializeSecurityContext,phCreds,phContext,NULL,dwSSPIFlags,0,SECURITY_NATIVE_DREP,addr InBuffer,0,NULL,addr OutBuffer,addr dwSSPIOutFlags,addr tsExpiry mov scRet, eax ;mov eax,dwSSPIOutFlags ;add eax,ISC_RET_EXTENDED_ERROR .if scRet == SEC_E_OK || scRet == SEC_I_CONTINUE_NEEDED || scRet == 0h && (dwSSPIOutFlags & ISC_RET_EXTENDED_ERROR) ;Line 1149 .if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL) invoke send,Socket,addr OutBuffers[0].pvBuffer,addr OutBuffers[0].cbBuffer,0 mov cbData,eax .if(cbData == SOCKET_ERROR || cbData == 0) ; Error %d sending data to server (2) invoke WSAGetLastError invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer invoke DeleteSecurityContext,phContext mov eax,SEC_E_INTERNAL_ERROR ret .endif ;%d bytes of handshake data sent\n invoke FreeContextBuffer,addr OutBuffers[0].pvBuffer mov OutBuffers[0].pvBuffer ,NULL .endif .endif .if(scRet == SEC_E_INCOMPLETE_MESSAGE) jmp $LN27@ClientHand .endif .if(scRet == SEC_E_OK) ;"Handshake was successful .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA invoke LocalAlloc,LMEM_FIXED,addr InBuffers[1].cbBuffer mov ecx,pExtraData ASSUME ecx:ptr SecBuffer ;assume dword ptr eax,SecBuffer mov [ecx].pvBuffer,eax .if [ecx].pvBuffer == NULL ; Out of memory (2) mov eax,SEC_E_INTERNAL_ERROR ret .endif mov eax,cbIoBuffer sub eax,InBuffers.cbBuffer add eax,IoBuffer mov ecx,pExtraData ASSUME ecx:ptr SecBuffer invoke crt_memmove,[ecx].pvBuffer,eax,InBuffers mov ecx,pExtraData ASSUME ecx:ptr SecBuffer m2m [ecx].cbBuffer,InBuffers[1].cbBuffer mov [ecx].BufferType,SECBUFFER_TOKEN ;%d bytes of app data was bundled with handshake data ;mov eax, pExtraData .else mov ecx,pExtraData ASSUME ecx:ptr SecBuffer mov [ecx].pvBuffer , NULL mov [ecx].cbBuffer , NULL mov [ecx].BufferType , 0 ;SECBUFFER_EMPTY .endif ;1210 jmp $LN26@ClientHand .endif .if(scRet == 0h) ; FAILED ;Error 0x%x returned by InitializeSecurityContext (2) jmp $LN26@ClientHand .endif .if(scRet == SEC_I_INCOMPLETE_CREDENTIALS) invoke GetNewClientCredentials,phCreds, phContext mov fDoRead,FALSE mov scRet,SEC_I_CONTINUE_NEEDED jmp $LN27@ClientHand .endif .if(InBuffers[1].BufferType == 5) ;SECBUFFER_EXTRA mov eax,InBuffers[1].cbBuffer mov cbIoBuffer,eax mov eax, cbIoBuffer sub eax,InBuffers[1].cbBuffer add eax,IoBuffer invoke crt_memmove,IoBuffer,eax,InBuffers[1].cbBuffer .else mov cbIoBuffer ,0 .endif .endw $LN26@ClientHand: .if(scRet == 0h) ; FAILED invoke DeleteSecurityContext,phContext .endif invoke LocalFree, IoBuffer mov eax, scRet Ret ClientHandshakeLoop endp Now I need to handle the GetNewClientCredentials routine but there I need to buld some new structs.So I tried this... PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK TYPEDEF CRYPTOAPI_BLOB CERT_CHAIN_FIND_BY_ISSUER_PARA STRUCT cbSize DWORD ? pszUsageIdentifier DWORD ? dwKeySpec DWORD ? dwAcquirePrivateKeyFlags DWORD ? cIssuer DWORD ? rgIssuer CERT_NAME_BLOB <> pfnFindCallback PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK <> pvFindArg pdwIssuerChainIndex DWORD ? pdwIssuerElementIndex DWORD ? CERT_CHAIN_FIND_BY_ISSUER_PARA ENDS Missing pvFindArg so on MSDN there is set a void command but not sure about the size.Also about pfnFindCallback I am not sure whether its right I did add.So in the file I can see the struct has a size of 32 bytes dec but it dosent match anyhow.If I use DWORD for all = 40 bytes dec.Can anyone tell me how its right now? Thanks Link to comment
evlncrn8 Posted February 25, 2017 Share Posted February 25, 2017 (edited) void is same as ptr - and seeing as you're doing 32 bit, max size = dword.. so just cast it as that... in x64 its qword also for this u can fire up c to find out the sizes.. make a simple console app and use printf("size of blah : 0x%0X", (sizeof(struct.portion))); also bear in mind structs (unless the pragma push / pop) is used can be optimised and aligned automagically by the compiler  Edited February 25, 2017 by evlncrn8 Link to comment
LCF-AT Posted February 28, 2017 Author Share Posted February 28, 2017 Hi again, just have a little other question.So how can I use wsprint API with CRLF in format line?So I cant use / write \r\n so this dosent get handled.Any idea? Thanks Link to comment
kao Posted February 28, 2017 Share Posted February 28, 2017 Each assembler has slightly different syntax. Masm/Tasm syntax would be: db "this is ", 0Dh, 0Ah, "multiline string", 0  Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now