MSIE reversing


Snatch
September 18th, 2002, 12:18
Well guys, I don't know if you noticed, but if you try to get FrogsIce, his website is STILL MSIE hostile (this time it pops up a never-ending add to favorites). Anyway, I am wondering, since I assume all he is using is the UserAgent string to determine the browser, how we can actually permanently change the user agent? I know you can append to it using the group policy editor, but how to change the initial part I am not sure. And since MSIE could be part of the OS or anything, I haven't the foggiest notion where to check first. Any ideas or information would be great (I assume someone has already done this, so why bother to reinvent the wheel).

Snatch

DakienDX
September 18th, 2002, 12:35
Hello Snatch!

There are several possibilities to do this.
1) Get some program/firewall which blocks or changes the user agent.
2) Disable JavaScript when accessing the page.
3) Use something else than MSIE.
4) Try to look at URLMON.DLL and WININET.DLL.
5) Try to search. (I think of text search; this way I found the two DLLs.)
You can see if it worked at http://hammer.prohosting.com/~fongdev/cgi-bin/checkenv.cgi.

Snatch
September 18th, 2002, 12:46
Thanks for the quick reply, DakienDX. Regarding the possibilities you listed:

1) I used to have Norton Personal Firewall, but now that we have a NAT router I feel pretty safe (well, I shouldn't, I am DMZ host right now hehe). Anyway, yes, it did a fine job of blocking the user agent string. I would rather not bloat my 1.5gb of RDRAM800 with firewall software though if I don't have to.

2) I just tried disabling scripting and you're right, that works to stop it from fudging IE. I saw the lame little 100 byte javascript to make it keep adding the favorite (100000 times hehe).

3) MSIE is there and easy, but you're right, there are other options. I don't think IE is a particularly good or bad browser; I am rather neutral on the issue and I hardly care. I have yet to try Opera though and I probably should just for fun sometime.

4) IDA is disassembling them both right now.

5) That was one thing I was wondering, if Microsoft was going to make it easy on you. Of course I can unicode text search too, but I thought maybe it would be encrypted.

Well, I will tell you what I turn up. Thanks so far.

Snatch

Snatch
September 18th, 2002, 16:30
DakienDX: you were right. URLMON.DLL is the correct file. Actually, with symbols loaded you find a nice routine, GetUserAgentString:

.text:760FFF98 mov dword ptr [ebp+20h], offset ??_C@_0L@BLHKBGPH@Compatible?$AA@ ; "Compatible"
.text:760FFF9F mov dword ptr [ebp+24h], offset ??_C@_07NGFJPNPN@Version?$AA@ ; "Version"
.text:760FFFA6 mov dword ptr [ebp+10h], offset ??_C@_0M@CBNGAKHO@Mozilla?14?40?$AA@ ; "Mozilla/4.0"
.text:760FFFAD mov dword ptr [ebp+14h], offset ??_C@_0L@JNOGJJCA@compatible?$AA@ ; "compatible"
.text:760FFFB4 mov dword ptr [ebp+18h], offset ??_C@_08JKJAIFDB@MSIE?56?40?$AA@ ; "MSIE 6.0"

Well, I tried modifying all of those and that did change it. Nice site by the way, a great easy way to see what your browser is emitting in the headers. Well, frogsprint.cjb.net still doesn't want to load, but I think it's a different reason now. I view source and it looks like the whole forum is there and working, but all I see is a little button in the upper left and it appearing to load. Next mystery. Of course I have to disable javascript or I still get the MSIE SUCKS favorite loop annoyance.

Snatch

Czerno
September 25th, 2002, 11:54
Well Snatch, I don't believe your problem nor the way you're tackling it worthy of the "advanced" qualification.

Anyway, two solutions:
- basic: browse to Frog's using something else than MSIE! I would suggest the OffByOne.

- "advanced" ;~) use some filtering proxy like the Proxomitron (in fact nobody "advanced" should ever be browsing the web without something like that...)
Look at the actual HTTP headers and contents when connected to the offensive page - both with MSIE and with the other browser - and see if you can find out what Frog's filters are based upon, and then learn how to make a customized "antiFrog" Proxomitron filter.

I have made such a filter just for fun; I can visit Frog's forum with it and MSIE without a problem. No, I won't just give out the answer, you want to learn, don't you, "M. Advanced"?

LOL

--
Czerno (The Passer-by)

Guybrush
September 25th, 2002, 14:39
You can change your user-agent string in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

Change the default key and/or the postplatform subkey.

disavowed
September 25th, 2002, 22:29
Read http://www.winguides.com/registry/display.php/799/ on how to change more than just the browser name. (And yes, this works with IE6 too, not only IE5 as the registry key may suggest.)

Snatch
September 25th, 2002, 23:37
Czerno: yes, I agree your method is a good way to do it and I would learn a thing or two about proxies. However, I tried to make this more of a reversing challenge, where I would disassemble and patch to get around it. Though I will no doubt investigate your method as well.

disavowed: thank you, that is priceless registry information; in fact, that site is now bookmarked as there is a lot already there that we don't have to figure out ourselves.

Snatch

disavowed
September 26th, 2002, 04:00
np. I was actually looking for that exact info for quite some time, and couldn't find it until Guybrush's post led me to the reg key to search for via Google.

JMI
September 26th, 2002, 04:14
Do any of you have an actual working URL for Frog's Print's home page? I went through about 13 pages of google references, mostly to FrogsIce, without finding a homepage that is currently working. Most of them suggest it was the one that started with "thepentagon.com" which is apparently dead.

If anybody wishes to suggest that I need to search, take your best shot now, or forever hold your peace. Maybe I just need to "google" en francais. (Sorry, no accent marks.)

Regards.

Woodmann
September 26th, 2002, 05:00
Hmmmmmmmmmmmmmm.................

This may be my chance to "spank" Mr. Search.

The latest post on the FP messageboard says that the host Indiano.org is down. I'm not sure about what the rest of the post says because I can't read French.
This post was dated 9-19-02.

I also found a post somewhere dated about Feb of 02 that said that updates would be coming.

OBC

Snatch
September 26th, 2002, 05:03
Hello JMI,

I think we all trust that you of all people have done a thorough job of searching.

I actually stumbled upon the link a while ago on this great (now a little bit outdated) page:
asm.deformed.us

Under Download Tools -> Numega at the bottom it has the link: frogsprint.cjb.net

Turn off javascript if you are using IE or add favorites pops up 100000 times. Also change the user agent or you won't get to the page. It's actually hosted on the same server that other message board is, I believe.

Snatch

Woodmann
September 26th, 2002, 05:15
Howdy,

It links back to the same messageboard.

OBC

JMI
September 26th, 2002, 05:33
Non, Non, Non mon amies.

Can't spank "Mr. Search" until a "working URL for Frog's Print's home page" is produced. I did not request a URL for the Frog's Print forum. His home page used to link through "NetForward", which does not appear to be related to Indiano.org, but might be.

Nice try, but no cigar.

Regards.

Snatch
September 26th, 2002, 20:35
Well, don't I feel dumb now. Woodmann, I could never get the page to display in IE; even with a changed user agent and javascript disabled it would simply display a little box in the upper left. When I viewed the source, of course, I noticed the forum part. It looked a lot different than the other one. Guess I was wrong. JMI: I believe that forwarder actually used to point to indiano, but the site never worked even when it did. Then it changed and apparently points to the forum on some page of it, I guess, but of course it is IE protected, unlike other entrances. So I guess the question remains... Hope someone out there has the answer.

Snatch

JMI
September 26th, 2002, 20:50
Snatch:

It's not too difficult to download Opera and use it for access such as this. I've noticed no problems having both Opera and IE open at the same time and going back and forth between them. A few times I've even had multiple copies of IE and Opera going at the same time.

indiano could be the actual server where Frog's Print's Homepage was located, but his redirector through NetForward itself is no longer good. I'm using Win2K now and FrogsIce isn't very relevant any more for me anyway. Patching is the way to go there, a la +Spl/\j's advice.

Regards.

SiNTAX
September 26th, 2002, 21:03
Mozilla also works without a problem. Anyway, I'm not sure he is only checking the user agent... he could also try out common IE exploits, which obviously don't work on other browsers.

Snatch
September 27th, 2002, 21:17
Ah ok, some interesting things. I have hesitated from ever using any other browsers besides IE after disliking Netscape immensely. I don't know why, it just never worked for me. Opera and Mozilla I heard are excellent, but I figured all the default browser stuff and all that never worked well. Extra bloat etc. But judging from you guys, it sounds like I should give them a try as they might be quite good. IE, despite all its flaws, supports most of the latest technologies decently well. As far as FrogsIce, guess you're right JMI, thing of the past and patch away.

Snatch

Czerno
September 29th, 2002, 10:41
Well Snatch, here's a hint: the anti-IE trick on Frog's page is not with headers; rather it's a device in the HTML coding (a "marquee" loop with parameters specifically designed to make IE choke, using up all your CPU time...)

So unless you feel like correcting the I.E. bug (quite an interesting exercise in reversing, I admit), the only solution that works, and works very well, is the one I sketched in my last post: use a tool that interfaces as a proxy to IE and rewrites the page, suppressing or modifying the annoying marquee loop. I strongly suggest you get and study the Proxomitron; that is a very flexible tool with which you can do almost anything to transform your "experience" on the Net.

Best of luck

--
Cz. (The Passer-by)
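A minimal sketch of the rewriting approach Czerno describes, added here as an example: a filter in the spirit of a Proxomitron rule that drops every marquee element (and its contents) from a page before the browser renders it. This is not Czerno's filter or any Proxomitron code; the sample page and its marquee attributes are constructed for the demonstration.

```python
from html.parser import HTMLParser

class MarqueeStripper(HTMLParser):
    """Re-emits the HTML it is fed, minus every <marquee> element and its contents."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through unchanged
        self.out = []      # rewritten page, collected piece by piece
        self.depth = 0     # > 0 while inside a <marquee> element
        self.removed = 0   # outermost <marquee> elements dropped
    def _emit(self, text):
        if self.depth == 0:     # everything inside a marquee is discarded
            self.out.append(text)
    def handle_starttag(self, tag, attrs):
        if tag == "marquee":
            self.removed += int(self.depth == 0)
            self.depth += 1
        else:
            self._emit(self.get_starttag_text())  # original tag text, attrs intact
    def handle_startendtag(self, tag, attrs):   # <br/>-style self-closing tags
        if tag == "marquee":
            self.removed += 1
        else:
            self._emit(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag == "marquee":
            self.depth = max(self.depth - 1, 0)  # tolerate stray </marquee>
        else:
            self._emit(f"</{tag}>")
    def handle_data(self, data):
        self._emit(data)
    def handle_entityref(self, name):
        self._emit(f"&{name};")
    def handle_charref(self, name):
        self._emit(f"&#{name};")

def strip_marquee(page):
    """Return (rewritten_html, marquees_removed) for one HTML document."""
    p = MarqueeStripper()
    p.feed(page)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample page; the marquee attributes are made up, not Frog's real trick.
SAMPLE = (
    "<html><head><title>Frog's Print</title></head><body>\n"
    "<p>Forum index &amp; news</p>\n"
    '<MARQUEE behavior="alternate" scrollamount="0" loop="-1"><b>MSIE SUCKS</b></MARQUEE>\n'
    '<hr/><a href="forum.html">enter</a></body></html>'
)
```

Running `strip_marquee(SAMPLE)` returns the page with the marquee gone and a count of one; a real proxy would apply the same transform to each HTML response body before handing it to the browser.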

SiNTAX
September 29th, 2002, 20:55
Hey.. call me lazy.. but... isn't it easier to just use another browser?!

Czerno
September 30th, 2002, 17:51
Sure. But since you seemed to insist on visiting Frog's with IE, I gave you the hinting...

You should try the Off-by-One: it is a small self-contained exe, perfect for everyday browsing.

Best of luck,

--
Czerno

Snatch
October 1st, 2002, 00:10
Thanks Cz, I learned a trick or two and now I can browse with IE. AFAIK this is the only site on the web left that is still IE hostile, so I have been trying to apply it to other situations but can't find any other IE exploit pages that haven't been fixed with SP1.

Snatch

SiNTAX
October 1st, 2002, 00:14
Now we are turning to the other 'Dark Side', but here goes:

h**p://www.pivx.com/larholm/unpatched/

Still enough exploit possibilities left.