Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-27-2017, 14:08
Sailor_EDA Sailor_EDA is offline
Friend
 
Join Date: Nov 2004
Posts: 67
Rept. Given: 8
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 42
Thanks Rcvd at 4 Times in 2 Posts
Sailor_EDA Reputation: 2
Intercepting web requests from an application and modifying response

Hi there,

I'm working with this windows application that sends a request to an http address periodically to check the validity of the license.

I've identified the assembly code where this is happening and have extracted the web address as well and I know where the code jumps to if the correct response is received.

Now normally I would just patch this and it would work fine, but just for the sake of it, I was wondering if there is an easier way to intercept the http request and send an html page with some text in it.

I've never done this before and a cursory search revealed tools like Fiddler etc, but I wanted to reach out to this group to see if anybody had a simpler way this could be done?

Sailor_EDA
Reply With Quote
  #2  
Old 04-27-2017, 16:24
JMP-JECXZ JMP-JECXZ is offline
Friend
 
Join Date: Mar 2017
Posts: 86
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 14
Thanks Rcvd at 102 Times in 48 Posts
JMP-JECXZ Reputation: 1
Hi,
Fiddler is fine, you can put 'breakpoint' on request to intercept them before response or even after, and then edit the content (return content or query)
Reply With Quote
  #3  
Old 04-28-2017, 03:22
Sailor_EDA Sailor_EDA is offline
Friend
 
Join Date: Nov 2004
Posts: 67
Rept. Given: 8
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 42
Thanks Rcvd at 4 Times in 2 Posts
Sailor_EDA Reputation: 2
Thanks for your suggestion JMP-JECXZ.

Would you also happen to know if there any generic tools that would allow me to "automate" this so I don't have to intercept the call everytime and could just code my response whenever a request is done to that address?

Quote:
Originally Posted by JMP-JECXZ View Post
Hi,
Fiddler is fine, you can put 'breakpoint' on request to intercept them before response or even after, and then edit the content (return content or query)
Reply With Quote
  #4  
Old 04-28-2017, 06:20
JMP-JECXZ JMP-JECXZ is offline
Friend
 
Join Date: Mar 2017
Posts: 86
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 14
Thanks Rcvd at 102 Times in 48 Posts
JMP-JECXZ Reputation: 1
You can force redirection to localhost with windows host file and then recreate the path/file to the file called and give him a dummy response with your dummy file using xamp or similar for making the local server.
Reply With Quote
  #5  
Old 04-28-2017, 06:23
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
You might want to edit your hosts file to redirect the traffic and then run the webserver part on your computer. If it's a simple webcheck with static requests there are many tiny webservers or networks tools available which can serve the requests.

If it's more complicated you might need to switch to some script language to process and serve the requests.

But if it's just a simple patch you already know the location to I would prefer patching over running a webserver. You might have redirected other addresses in your hosts file which would get served with unknown data and might behave differently.
Reply With Quote
The Following 3 Users Say Thank You to Kerlingen For This Useful Post:
abhi93696 (04-28-2017), alekine322 (04-30-2017), Sailor_EDA (05-02-2017)
  #6  
Old 04-28-2017, 12:45
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,342
Rept. Given: 947
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,299
Thanks Rcvd at 479 Times in 338 Posts
niculaita Reputation: 89
try this http://www61.zippyshare.com/v/mUgeUdRJ/file.html
__________________
Decode and Conquer
Reply With Quote
The Following 3 Users Say Thank You to niculaita For This Useful Post:
abhi93696 (04-28-2017), alekine322 (04-30-2017), bilbo (05-02-2017)
  #7  
Old 05-05-2017, 03:28
tusk tusk is offline
Friend
 
Join Date: Jun 2016
Posts: 36
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 8
Thanks Rcvd at 18 Times in 12 Posts
tusk Reputation: 0
The harder sometimes is to know what the response should "look like" from a valid licence check, before you can recreate it

You might receive a full embedded class with objects and data etc...
Reply With Quote
  #8  
Old 05-05-2017, 07:30
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,041
Rept. Given: 547
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 695
Thanks Rcvd at 566 Times in 337 Posts
user1 Reputation: 41
cloud license emulator?
Reply With Quote
  #9  
Old 05-06-2017, 03:51
Sailor_EDA Sailor_EDA is offline
Friend
 
Join Date: Nov 2004
Posts: 67
Rept. Given: 8
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 42
Thanks Rcvd at 4 Times in 2 Posts
Sailor_EDA Reputation: 2
That's true. In my case, the program submits the email and lic key via php to an http address and then parses the response. I disassembled the code in IDA and I can clearly see that it's expecting a string response back.

But I can see how some programs might be expecting more than just a basic string, in which case it could get quite complicated.

Quote:
Originally Posted by tusk View Post
The harder sometimes is to know what the response should "look like" from a valid licence check, before you can recreate it

You might receive a full embedded class with objects and data etc...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Site issue: no https response RedBlkJck General Discussion 6 03-20-2014 19:44
Intercept requests and modification of the server response Smoke General Discussion 9 08-07-2013 22:40


All times are GMT +8. The time now is 21:26.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )