EXETOOLS FORUM  

  #1  
Old 04-27-2017, 14:08
Sailor_EDA Sailor_EDA is offline
Intercepting web requests from an application and modifying response

Hi there,

I'm working with this Windows application that sends a request to an HTTP address periodically to check the validity of the license.

I've identified the assembly code where this is happening and have extracted the web address as well, and I know where the code jumps to if the correct response is received.

Now normally I would just patch this and it would work fine, but just for the sake of it, I was wondering if there is an easier way to intercept the HTTP request and send an HTML page with some text in it.

I've never done this before and a cursory search revealed tools like Fiddler etc., but I wanted to reach out to this group to see if anybody had a simpler way this could be done?

Sailor_EDA
  #2  
Old 04-27-2017, 16:24
JMP-JECXZ JMP-JECXZ is offline
Hi,
Fiddler is fine; you can put a 'breakpoint' on requests to intercept them before the response or even after, and then edit the content (return content or query).
  #3  
Old 04-28-2017, 03:22
Sailor_EDA Sailor_EDA is offline
Thanks for your suggestion JMP-JECXZ.

Would you also happen to know if there are any generic tools that would allow me to "automate" this so I don't have to intercept the call every time and could just code my response whenever a request is done to that address?

Quote:
Originally Posted by JMP-JECXZ
Hi,
Fiddler is fine; you can put a 'breakpoint' on requests to intercept them before the response or even after, and then edit the content (return content or query).
  #4  
Old 04-28-2017, 06:20
JMP-JECXZ JMP-JECXZ is offline
You can force redirection to localhost with the Windows hosts file, then recreate the path/file that is called and give it a dummy response with your dummy file, using XAMPP or similar to make the local server.
  #5  
Old 04-28-2017, 06:23
Kerlingen Kerlingen is offline
You might want to edit your hosts file to redirect the traffic and then run the webserver part on your computer. If it's a simple webcheck with static requests, there are many tiny webservers or network tools available which can serve the requests.

If it's more complicated, you might need to switch to some scripting language to process and serve the requests.

But if it's just a simple patch you already know the location of, I would prefer patching over running a webserver. You might have redirected other addresses in your hosts file which would get served with unknown data and might behave differently.
The Following 3 Users Say Thank You to Kerlingen For This Useful Post:
abhi93696 (04-28-2017), alekine322 (04-30-2017), Sailor_EDA (05-02-2017)
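
The hosts-file redirection described in the posts above leaves a persistent trace on the machine, and Kerlingen's caveat about other redirected addresses can be checked directly. The following is an added example, not part of any post in this thread: a Python audit that lists hosts entries pinning non-local names to a loopback or unspecified address. The hostnames in the sample and the `watched` parameter are constructed placeholders.

```python
import ipaddress

# Names that normally map to loopback and are not redirects.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid address, skip the line
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def find_local_redirects(text, watched=()):
    """Return entries that pin a non-local hostname to a loopback or
    unspecified address, plus any entry for a hostname in `watched`."""
    watched = {w.lower() for w in watched}
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified or name in watched:
            findings.append((lineno, str(ip), name))
    return findings

# Constructed sample input; all hostnames are placeholders.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       license.example.com   # added by hand
0.0.0.0         telemetry.example.net
192.0.2.10      intranet.example.org
"""

if __name__ == "__main__":
    for lineno, ip, name in find_local_redirects(SAMPLE, watched=["intranet.example.org"]):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a name that appears in the findings is being answered by whatever listens locally rather than by the real server.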
  #6  
Old 04-28-2017, 12:45
niculaita niculaita is online now
try this http://www61.zippyshare.com/v/mUgeUdRJ/file.html
__________________
Decode and Conquer
The Following 3 Users Say Thank You to niculaita For This Useful Post:
abhi93696 (04-28-2017), alekine322 (04-30-2017), bilbo (05-02-2017)
  #7  
Old 05-05-2017, 03:28
tusk tusk is offline
The harder part sometimes is to know what the response from a valid licence check should "look like" before you can recreate it.

You might receive a full embedded class with objects and data etc...
  #8  
Old 05-05-2017, 07:30
user1 user1 is offline
cloud license emulator?
  #9  
Old 05-06-2017, 03:51
Sailor_EDA Sailor_EDA is offline
That's true. In my case, the program submits the email and lic key via PHP to an HTTP address and then parses the response. I disassembled the code in IDA and I can clearly see that it's expecting a string response back.

But I can see how some programs might be expecting more than just a basic string, in which case it could get quite complicated.

Quote:
Originally Posted by tusk
The harder part sometimes is to know what the response from a valid licence check should "look like" before you can recreate it.

You might receive a full embedded class with objects and data etc...



All times are GMT +8.

