Anonymity 4 Proxy
After reading the first essay, if you use a4proxy you will sometimes see an annoying nag appear in your favorite browser. I'll tell you how to remove it.
First, here's the nag:
You see this page because you are using evaluation copy of Anonymity 4 Proxy 2.0
    A4Proxy for LAN,      149.95 USD
    A4Proxy Business,     65 USD
    A4Proxy Home use,     45 USD
It appears from time to time when you surf with a4proxy enabled for your browser.
It looks like some HTML code is injected into the browser, or something else is going on; in any case you can't find any text reference to it inside your a4proxy directory.
Use your favorite packet sniffer, record all the packets while surfing and stop it when the nag appears; if you search the log, you will find this:
00000020 00 04 01 00 00 01 ......
00000030 00 00 00 00 00 00 03 77 77 77 0B 69 6E 65 74 70  .......www.inetp
00000040 72 69 76 61 63 79 03 63 6F 6D 00 00 01 00 01     rivacy.com.....
A DNS request... Well, we didn't ask our browser to resolve this URL. Strange.
Some packets later:
00000: 08 00 3E 15 97 DB 00 00 E8 E7 19 FE 08 00 45 00  ..>...........E.
00010: 00 FB 08 87 40 00 80 06 E3 1E D4 C6 47 E6 A8 90  ....@.......G...
00020: 49 1A 04 5D 00 50 4E E4 66 5E 9E 8F E7 13 50 18  I..].PN.f^....P.
00030: 44 70 90 75 00 00 47 45 54 20 2F 62 75 79 32 2E  Dp.u..GET /buy2.
00040: 68 74 6D 20 48 54 54 50 2F 31 2E 30 0D 0A 52 65  htm HTTP/1.0..Re
00050: 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77  ferer: http://ww
00060: 77 2E 65 6C 65 61 63 61 72 64 2E 63 6F 6D 2F 66  w.eleacard.com/f
00070: 72 5F 61 63 63 2E 68 74 6D 0D 0A 55 73 65 72 2D  r_acc.htm..User-
00080: 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34  Agent: Mozilla/4
00090: 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20  .0 (compatible;
000A0: 4D 53 49 45 20 35 2E 30 31 3B 20 57 69 6E 64 6F  MSIE 5.01; Windo
000B0: 77 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74  ws NT 5.0)..Host
000C0: 3A 20 77 77 77 2E 69 6E 65 74 70 72 69 76 61 63  : www.inetprivac
000D0: 79 2E 63 6F 6D 0D 0A 50 72 6F 78 79 2D 43 6F 6E  y.com..Proxy-Con
000E0: 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
000F0: 69 76 65 0D 0A 50 72 61 67 6D 61 3A 20 4E 6F 2D  ive..Pragma: No-
00100: 43 61 63 68 65 0D 0A 0D 0A                       Cache....
Just type http://www.inetprivacy.com/buy2.htm into your browser and you will see the nag. So a4proxy diverts the browser request and fetches this nag page instead, at random.
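To make the two dumps above readable without a sniffer, here is an added example (not part of the original essay and not a4proxy's code) that decodes the DNS question (length-prefixed labels) and walks the Ethernet/IPv4/TCP frame down to the HTTP request. The bytes are the ones printed in the dumps, re-typed as constants; the set of hosts the user "really" visited is a constructed assumption used to show why the request stands out: its Referer is on eleacard.com, but its Host is a site the browser never asked for.

```python
"""Decode the DNS query and the HTTP request captured above, then flag the
request as one the browser never asked for.  Added example code; the byte
strings are transcribed from the dumps printed on this page."""
import struct

# DNS question section from the first dump (from offset 0x36 on):
# 03 'www' 0B 'inetprivacy' 03 'com' 00, then QTYPE=1 (A), QCLASS=1 (IN).
DNS_QUESTION = bytes.fromhex(
    "03 77 77 77 0B 69 6E 65 74 70 72 69 76 61 63 79 03 63 6F 6D 00 00 01 00 01"
)

# Whole frame from the second dump: Ethernet + IPv4 + TCP + HTTP (0x109 bytes).
FRAME = bytes.fromhex("""
08 00 3E 15 97 DB 00 00 E8 E7 19 FE 08 00 45 00
00 FB 08 87 40 00 80 06 E3 1E D4 C6 47 E6 A8 90
49 1A 04 5D 00 50 4E E4 66 5E 9E 8F E7 13 50 18
44 70 90 75 00 00 47 45 54 20 2F 62 75 79 32 2E
68 74 6D 20 48 54 54 50 2F 31 2E 30 0D 0A 52 65
66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77
77 2E 65 6C 65 61 63 61 72 64 2E 63 6F 6D 2F 66
72 5F 61 63 63 2E 68 74 6D 0D 0A 55 73 65 72 2D
41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34
2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20
4D 53 49 45 20 35 2E 30 31 3B 20 57 69 6E 64 6F
77 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74
3A 20 77 77 77 2E 69 6E 65 74 70 72 69 76 61 63
79 2E 63 6F 6D 0D 0A 50 72 6F 78 79 2D 43 6F 6E
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C
69 76 65 0D 0A 50 72 61 67 6D 61 3A 20 4E 6F 2D
43 61 63 68 65 0D 0A 0D 0A
""")


def decode_dns_name(data, offset=0):
    """Read a DNS name in wire format: a run of <len><label> pairs ended by a
    zero byte.  Returns (dotted name, offset just past the terminator)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never appears in a plain query
            raise ValueError("unexpected compression pointer in query name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_dns_question(data):
    """Return the name, QTYPE and QCLASS of a DNS question section."""
    name, off = decode_dns_name(data)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"name": name, "qtype": qtype, "qclass": qclass}


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP and return addresses, ports and TCP payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length (0x00FB)
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def parse_http_request(payload):
    """Split an HTTP/1.0 request into request line and a lower-cased header map."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def is_unrequested(request, visited_hosts):
    """Heuristic that catches the nag: the Host header names a site that is not
    among the hosts the user actually navigated to (a constructed set here)."""
    host = request["headers"].get("host", "").lower()
    return host not in {h.lower() for h in visited_hosts}


if __name__ == "__main__":
    print(parse_dns_question(DNS_QUESTION))
    frame = parse_frame(FRAME)
    req = parse_http_request(frame["payload"])
    print(frame["src"], frame["sport"], "->", frame["dst"], frame["dport"])
    print(req["method"], req["path"], "Host:", req["headers"]["host"],
          "Referer:", req["headers"]["referer"])
    # The user was on www.eleacard.com (constructed); inetprivacy.com was never asked for.
    print("unrequested:", is_unrequested(req, {"www.eleacard.com"}))
```

Running it prints the query for www.inetprivacy.com (type A, class IN), the TCP flow from port 1117 to port 80 and the GET /buy2.htm whose Host is www.inetprivacy.com while the Referer is a page on www.eleacard.com, which is exactly the mismatch that gives the injected request away in a log.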
For the following you have to use IDA; this is an MFC program and we need to locate some MFC signatures. Trying several calls to MFC, I found this interesting one: call j_?Bind@CAsyncSocket@@QAEHIPBD@Z ; CAsyncSocket::Bind(uint,char const *)
According to the M$ documentation, this call links an address to an opened socket. A4proxy uses this MFC method to link your browser to the targeted URL, but it can use it too to get the nag.
I set this bpx in SoftICE a few lines after a Bind inside a4proxy:
BPX #0008:00405A70 IF (*(((ESP->0)+5))!=0x6361656C)
.text:00405A17 call j_?Bind@CAsyncSocket@@QAEHIPBD@Z ; CAsyncSocket::Bind(uint,char const *)
.text:00405A1C test eax, eax
.text:00405A1E jnz short loc_0_405A2A
.text:00405A20 pop edi
.text:00405A21 pop esi
.text:00405A22 pop ebp
.text:00405A23 pop ebx
.text:00405A24 add esp, 10h
.text:00405A27 retn 10h
.text:00405A2A ; ---------------------------------------------------------------------------
.text:00405A2A
.text:00405A2A loc_0_405A2A: ; CODE XREF: sub_0_405960+BEj
.text:00405A2A mov eax, [esp+38h+var_8]
.text:00405A2E sub eax, 2
.text:00405A31 jz loc_0_405B79
.text:00405A37 dec eax
.text:00405A38 jz loc_0_405B16
.text:00405A3E sub eax, 4
.text:00405A41 jnz loc_0_405BCD
.text:00405A47 mov eax, [esp+38h+var_C]
.text:00405A4B xor edx, edx
.text:00405A4D mov [esp+38h+var_28], edx
.text:00405A51 push eax
.text:00405A52 mov [esp+3Ch+var_24], edx
.text:00405A56 mov word ptr [esp+3Ch+var_28], 2
.text:00405A5D mov [esp+3Ch+var_20], edx
.text:00405A61 mov [esp+3Ch+var_1C], edx
.text:00405A65 call j_htons
.text:00405A6A push ebp
.text:00405A6B mov word ptr [esp+3Ch+var_28+2], ax
.text:00405A70 call j_inet_addr          ; <- bpx here
.text:00405A75 cmp eax, 0FFFFFFFFh
.text:00405A78 mov [esp+38h+var_24], eax
.text:00405A7C jnz short loc_0_405AB3
.text:00405A7E push ebp
.text:00405A7F mov ecx, esi
.text:00405A81 call sub_0_405DE0
What does IF (*(((ESP->0)+5))!=0x6361656C) stand for? ESP->0 is the pointer to the string pushed to j_inet_addr; 0x6361656C is the dword "leac" read at offset 5 of www.eleacard.fr, a test URL I used. So SoftICE only breaks if the URL pushed to j_inet_addr is different from www.eleacard.fr.
If a4proxy asks for www.inetprivacy, esp->0 points to a different URL and SoftICE pops: we're right inside the main routine.
Do a p-ret after SoftICE appears and you land here:
.text:0040438D add edx, 32h
.text:00404390 push ecx
.text:00404391 push edx
.text:00404392 mov ecx, ebp
.text:00404394 call sub_0_405960
.text:00404399 jmp loc_0_404D90
If you remove the IF condition from my bpx, SoftICE pops every time you resolve another URL in your browser, and if you p-ret then you land somewhere else; so the call at 404394 is the culprit.
We now have to locate the critical test leading to this point. Looking a few lines before, we see this:
.text:0040430E loc_0_40430E: ; CODE XREF: sub_0_403B20+7D0j
.text:0040430E ; sub_0_403B20+7D8j ...
.text:0040430E mov eax, [ebp+24h]
.text:00404311 mov ecx, [eax+1400h]
.text:00404317 inc ecx
.text:00404318 mov [eax+1400h], ecx
.text:0040431E mov edx, [ebp+24h]
.text:00404321 mov ecx, [edx+1400h]
.text:00404327 mov eax, [edx+1404h]
.text:0040432D cmp ecx, eax
.text:0040432F
.text:0040432F crack7:
.text:0040432F jl short loc_0_40439E    ; <- culprit jump
.text:00404331 mov edi, offset unk_0_417234
.text:00404336 or ecx, 0FFFFFFFFh
.text:00404339 xor eax, eax
.text:0040433B repne scasb
This is the random sequence: the counter at [eax+1400h] is incremented and compared with the value at [edx+1404h]; if ecx is equal to or higher than eax, a4proxy doesn't jump to 40439e and retrieves the infamous buy2.htm from their server. You just have to transform the jl into a jmp and a4proxy will never show this nag again.
+Tsehp April 2000
This ad protection is new to me, but interesting. It is harder to locate because it happens randomly. Mail me if you find other ones. +Tsehp