Anonymity 4 Proxy 2.0


Part 2 Removing the annoying nag.

student
Not Assigned
April 2000
by +Tsehp
Courtesy of Fravia's page of reverse engineering
slightly edited
by +Tsehp
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

Anonymity matters, those days, the web is becoming more and more filled by commercial crooks, they collect
more and more info about you, they use cgi apps to collect your browser's environment variables, they record
your ip, feed you with cookies and advertisements.
Lets definitly stop all this, at your pc level, imagine an app that will impeach every browser to send the info you
don't want to. Now they can program everything they want, this great program will stop everything and cover your
cracker's ass. It's not expensive but the protection deserves a look because it's original.

Anonymity 4 Proxy

Part 2 Removing the annoying nag.

Written by +Tsehp

Introduction
After reading the first essay, if you practice a4proxy, you will see sometimes an
annoying nag appearing into your favorite browser. I'll tell you how to remove this.
Tools required
Ida pro 4.03
Softice 4.05
A port sniffer
Target's URL/FTP
http://www.inetprivacy.com/welcome.htm

Essay
First here's the nag :

You see this page because you are using evaluation copy of Anonymity 4 Proxy 2.0
Buy full version:

A4Proxy for LAN,
149.95 USD
A4Proxy Business,
65 USD
A4Proxy Home use,
45 USD
Full version includes a large database with checked anonymous proxy servers.
Free updates for life to A4Proxy software and the proxy database are included in the price.
No other fees.
Other payment options
Learn more about different licenses

It appears sometimes when you surf, and have enabled a4proxy to work with your browser.
Looks like some html code is injected inside the browser, or something else; you just can't find some text 
references inside your a4proxy directory.
Use your favorite port sniffer, record all the packets while surfing, stop it when the nag appears, if you 
search inside the log, you can find this :
00000020                                00 04 01 00 00 01           ......
00000030  00 00 00 00 00 00 03 77 77 77 0B 69 6E 65 74 70 .......www.inetp
00000040  72 69 76 61 63 79 03 63 6F 6D 00 00 01 00 01    rivacy.com..... 
As a dns request... Well we didn't ask our browser to resolve this url, strange.
Some packets after :
00000:  08 00 3E 15 97 DB 00 00 E8 E7 19 FE 08 00 45 00   ..>......E.
00010:  00 FB 08 87 40 00 80 06 E3 1E D4 C6 47 E6 A8 90   ..@...G樐
00020:  49 1A 04 5D 00 50 4E E4 66 5E 9E 8F E7 13 50 18   I..].PNf^.P.
00030:  44 70 90 75 00 00 47 45 54 20 2F 62 75 79 32 2E   Dpu..GET /buy2.
00040:  68 74 6D 20 48 54 54 50 2F 31 2E 30 0D 0A 52 65   htm HTTP/1.0..Re
00050:  66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
00060:  77 2E 65 6C 65 61 63 61 72 64 2E 63 6F 6D 2F 66   w.eleacard.com/f
00070:  72 5F 61 63 63 2E 68 74 6D 0D 0A 55 73 65 72 2D   r_acc.htm..User-
00080:  41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34   Agent: Mozilla/4
00090:  2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20   .0 (compatible; 
000A0:  4D 53 49 45 20 35 2E 30 31 3B 20 57 69 6E 64 6F   MSIE 5.01; Windo
000B0:  77 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74   ws NT 5.0)..Host
000C0:  3A 20 77 77 77 2E 69 6E 65 74 70 72 69 76 61 63   : www.inetprivac
000D0:  79 2E 63 6F 6D 0D 0A 50 72 6F 78 79 2D 43 6F 6E   y.com..Proxy-Con
000E0:  6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C   nection: Keep-Al
000F0:  69 76 65 0D 0A 50 72 61 67 6D 61 3A 20 4E 6F 2D   ive..Pragma: No-
00100:  43 61 63 68 65 0D 0A 0D 0A                        Cache....       

Just try inside your browser http://www.inetprivacy.com/buy2.htm and you will
see the nag.
So a4proxy deviates the browser request and asks for this nag, randomly.
For the following, you have to use ida , this is a mfc program and we need to
locate some mfc signatures. Trying several calls to mfc, I found this interesting one :

call    j_?Bind@CAsyncSocket@@QAEHIPBD@Z ; CAsyncSocket::Bind(uint,char const *)
According to m$ documentation, this call links an url address to an opened socket. A4proxy uses this mfc
method to link your browser to the targeted url, but it can use it too to get the nag.
I did this bpx in softice some lines after a bind inside a4proxy :
BPX #0008:00405A70  IF (*(((ESP->0)+5))!=0x6361656C)
.text:00405A17                 call    j_?Bind@CAsyncSocket@@QAEHIPBD@Z ; CAsyncSocket::Bind(uint,char const *)
.text:00405A1C                 test    eax, eax
.text:00405A1E                 jnz     short loc_0_405A2A
.text:00405A20                 pop     edi
.text:00405A21                 pop     esi
.text:00405A22                 pop     ebp
.text:00405A23                 pop     ebx
.text:00405A24                 add     esp, 10h
.text:00405A27                 retn    10h
.text:00405A2A ; ---------------------------------------------------------------------------
.text:00405A2A 
.text:00405A2A loc_0_405A2A:                           ; CODE XREF: sub_0_405960+BEj
.text:00405A2A                 mov     eax, [esp+38h+var_8]
.text:00405A2E                 sub     eax, 2
.text:00405A31                 jz      loc_0_405B79
.text:00405A37                 dec     eax
.text:00405A38                 jz      loc_0_405B16
.text:00405A3E                 sub     eax, 4
.text:00405A41                 jnz     loc_0_405BCD
.text:00405A47                 mov     eax, [esp+38h+var_C]
.text:00405A4B                 xor     edx, edx
.text:00405A4D                 mov     [esp+38h+var_28], edx
.text:00405A51                 push    eax
.text:00405A52                 mov     [esp+3Ch+var_24], edx
.text:00405A56                 mov     word ptr [esp+3Ch+var_28], 2
.text:00405A5D                 mov     [esp+3Ch+var_20], edx
.text:00405A61                 mov     [esp+3Ch+var_1C], edx
.text:00405A65                 call    j_htons
.text:00405A6A                 push    ebp
.text:00405A6B                 mov     word ptr [esp+3Ch+var_28+2], ax
.text:00405A70   bpx here      call    j_inet_addr
.text:00405A75                 cmp     eax, 0FFFFFFFFh
.text:00405A78                 mov     [esp+38h+var_24], eax
.text:00405A7C                 jnz     short loc_0_405AB3
.text:00405A7E                 push    ebp
.text:00405A7F                 mov     ecx, esi
.text:00405A81                 call    sub_0_405DE0
what IF (*(((ESP->0)+5))!=0x6361656C) stands for ?
It just freeze if the url pushed to j_inet_addr is different than www.eleacard.fr, a test url I used.
If a4proxy asks for www.inetprivacy, esp->0 points to a different url and softice pops, we're just inside
the main routine.
Do a p-ret after sice appears, you land here :
.text:0040438D                 add     edx, 32h
.text:00404390                 push    ecx
.text:00404391                 push    edx
.text:00404392                 mov     ecx, ebp
.text:00404394                 call    sub_0_405960
.text:00404399                 jmp     loc_0_404D90

If you remove the if condition in my bpx, sice pops everytime you resolve another url in your browser, if you
p-ret you land somewhere else, so the call at 404394 is the culprit.
We have now to finally locate the critical test, leading to this point. Looking some lines before we see this.
.text:0040430E loc_0_40430E:                           ; CODE XREF: sub_0_403B20+7D0j
.text:0040430E                                         ; sub_0_403B20+7D8j ...
.text:0040430E                 mov     eax, [ebp+24h]
.text:00404311                 mov     ecx, [eax+1400h]
.text:00404317                 inc     ecx
.text:00404318                 mov     [eax+1400h], ecx
.text:0040431E                 mov     edx, [ebp+24h]
.text:00404321                 mov     ecx, [edx+1400h]
.text:00404327                 mov     eax, [edx+1404h]
.text:0040432D                 cmp     ecx, eax
.text:0040432F 
.text:0040432F crack7:
.text:0040432F                 jl      short loc_0_40439E <-culprit jump
.text:00404331                 mov     edi, offset unk_0_417234
.text:00404336                 or      ecx, 0FFFFFFFFh
.text:00404339                 xor     eax, eax
.text:0040433B                 repne scasb
This is a random sequence, if ecx is equal or higher than eax, a4proxy doesn't jump to 40439e and retrieves
the infamous buy2.htm from their server. You just have to transform the jl to jmp and a4proxy will never show
this nag again.
					+Tsehp April 2000


Final Notes
This ad protection is new to me, but interesting. Harder to locate because is happens randomly.
Mail me if you find other ones. 

						+Tsehp


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?