Web Browser emulation
(Letting web pages get less info about you)

and some "anti-anti-internet exploder" tricks
student, Not Assigned
3 May 1998
by Hs2L
Courtesy of Fravia's page of reverse engineering, slightly edited by fravia+
fra_00xx  980503  H2sL  0100  NA  PC
Well, a nice addition to our reversing efforts! Hs2L proves here that EVERYTHING can be reversed, and our silly little tricks too... the simple truth is that NOTHING can last long if a true reverser lays his eyes (and brain) on it... and that our science is powerful indeed... but this we knew already, didn't we?
Of course we'll open right now an anti-reversing reversed browsers new section... that name information you (cleverly) changed is NOT the only difference between browsers, dear H2sL... :-)
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

Since this site is somewhat anti-micro$oft, this essay will be a departure from the norm, since it discusses reversing the micro$oft-hostile tricks, but it's reversing anyway, so it might be appropriate.
Faking Web Browsers
Letting web pages get less info about you
Written by Hs2L


Introduction

We are going to reverse Fravia's anti Internet Exploder tricks and figure out how to fool web pages.

Tools required

Hex Editor (Hex Workshop)
Borland Resource Workshop (not a must)
A local copy of 2 web pages: first, Mammon's page (use the link in the tools section), and Fravia's counter measure page (the one that tells you what browser you're using)
A window spy tool (not a must)

Essay

This essay outlines an extremely trivial task, as you will see.

Anyway... (many of you will probably kill me for this), for some time I have been using Micro$oft's IE as my web browser. I accidentally deleted a few libraries that are required by Netscape 3.0 Gold (which is STILL NOW my favorite browser BTW), so for some time I had no choice but to go with IE3 until I got the necessary runtime files.

So, needless to say, when I tried to visit Mammon's site, which I visit every now and then, I was at the losing end of what is IMHO a hilarious script in Mammon's web page. Basically, if you enter his site with IE, you automatically get booted to the Netscape home page. There are probably lots of anti-IE sites, so I decided to do some work on reversing these "anti-whatever_browser" scripts.

So, let's take a look at the relevant source code for Mammon's web page (yes, even a simple exercise like this ends up with some deadlisting or other):



...

function disclaimer(){
  var i=navigator.appName
  var j="Microsoft Internet Explorer"
  if ( i==j ) {
    msie=window.open("msie.html", "Micro$oft?",
      "width=250,height=75,status=no,scrollbars=no,toolbar=no," +
      "location=no,menubar=no,resizable=no,directories=no");
    dclose=msie.setTimeout("closeme()",2500);
    location.href="http://www.netscape.com";   // "Location.href" in the listing; JavaScript is case-sensitive
  }
  else {
    location.replace("http://www.eccentrica.org/Mammon");
  }

...



So, as you can see, the navigator.appName property returns the name of the Internet browser you are using. This info is, of course, sent from the browser itself or one of its libraries. If we can find out where it's coming from, we can edit it and change the browser name that is returned by navigator.appName.



Here's the relevant snippet from Fravia's counter measure page:

...

document.write("MMM..., my dear ")
document.write(n)
document.write("... I see you've got ")

and...

document.writeln( navigator.appName + " (" +
  navigator.appCodeName + ") " + navigator.appVersion + "")

So, over here, navigator.appName, navigator.appCodeName and navigator.appVersion are read to get the relevant information from the browser.



So, the question is, where does all this info come from? Well, let's open Internet Exploder in BRW and see what we find. It turns out that it's only got icons, bitmaps and versions, no string tables. That means the relevant info is coming from a library (*.dll). So I fired up my buggy Internet Exploder and used my windows spying tool to get the parents of the controls (any windows spying tool will do; you can probably write a quick one in VB or Delphi like I did). It turns out that the actual viewing window is from MSHTML.DLL and the toolbar is from SHDOW_something_or_other.dll. So, we'll try MSHTML.DLL and see what we find. After opening the file in Hex Workshop, we do a search for "Microsoft Internet Explorer", since that's the value returned by navigator.appName, and we hit paydirt. This is the relevant hex dump:



000216CC 4D69 6372 6F73 6F66 7420 496E Microsoft In
000216D8 7465 726E 6574 2045 7870 6C6F ternet Explo
000216E4 7265 7200 4D6F 7A69 6C6C 612F rer.Mozilla/
000216F0 322E 3020 2863 6F6D 7061 7469 2.0 (compati
000216FC 626C 653B 204D 5349 4520 332E ble; MSIE 3.
00021708 3041 3B20 5769 6E64 6F77 7320 0A; Windows 
00021714 3935 2900 0000 0000 5356 57BE 95).....SVW.



Have you seen Fravia's counter measure page in your web browser? Well, I get something like this with Internet Exploder:

MMM..., my dear Hs2L... I see you've got Microsoft Internet Explorer (Mozilla) 2.0 (compatible; MSIE 3.0A; Windows 95)
let's hope it does not suck.





I don't have to knock you over the head to make you see the connection. Now we know the relevant info is in MSHTML.DLL. Ok, let's change it:



000216CC 4E6F 6E65 206F 6620 796F 7572 None of your
000216D8 2062 7573 696E 6573 7320 2121  business !!
000216E4 2121 212E 4765 746C 6F73 742F !!!.Getlost/
000216F0 5468 6973 2069 6E66 6F20 6973 This info is
000216FC 6E6F 6E65 206F 6620 796F 7572 none of your
00021708 2062 7573 696E 6573 7320 626C  business bl
00021714 6168 2900 0000 0000 5356 57BE ah).....SVW.





We try to save the file and what happens? We get a stupid "sharing violation" message. Even after rebooting and editing MSHTML.DLL, if we attempt to save, we see this message. Looks like Bill Gates & Co. doesn't want us playing around with these files (even though they are legally OURS). So, we simply exit Windows to DOS and either use Hiew and make the changes in DOS, or save the changes with Hex Workshop to a different file and rename them in DOS mode.
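The hand edit above works because both replacement strings are exactly as long as the originals. Here is that rule as an added Python example, not code from the essay: it finds the two NUL-terminated C strings (the one behind navigator.appName and the user-agent string behind appCodeName/appVersion) in a constructed stand-in for MSHTML.DLL, overwrites them in place, refuses a replacement of a different length, and leaves the terminating NUL alone. The sample blob, the offsets and the 47-byte version string are constructed; only the original strings and the 27-byte "None of your business !!!!!" come from the essay.

```python
# Added example, not code from the essay: same-length in-place patch of the
# two C strings behind navigator.appName and the browser's user-agent string.
APP_NAME = b"Microsoft Internet Explorer"                          # 27 bytes
USER_AGENT = b"Mozilla/2.0 (compatible; MSIE 3.0A; Windows 95)"   # 47 bytes

# Constructed stand-in for MSHTML.DLL (not the real file): padding, the two
# NUL-terminated strings back to back as in the essay's dump, then the
# "SVW" code bytes that follow them there.
SAMPLE_DLL = (b"\x90" * 16 + APP_NAME + b"\x00" + USER_AGENT + b"\x00"
              + b"\x00" * 4 + b"\x53\x56\x57\xbe")


def find_cstring(data, needle):
    """Offset of NUL-terminated needle in data, or -1. Requiring the NUL
    stops a prefix of some longer string from matching by accident."""
    return data.find(needle + b"\x00")


def patch_cstring(data, old, new):
    """Copy of data with C string old overwritten by new, same length only.
    The DLL's code addresses these bytes by fixed offset, so a longer or
    shorter replacement would shift everything after it and break the file;
    the terminating NUL is never touched."""
    if len(new) != len(old):
        raise ValueError(f"need exactly {len(old)} bytes, got {len(new)}")
    off = find_cstring(data, old)
    if off < 0:
        raise ValueError(f"{old!r} not found")
    return data[:off] + new + data[off + len(old):]


def fake_browser(data, name, version):
    """Patch both strings and return the new image."""
    return patch_cstring(patch_cstring(data, APP_NAME, name), USER_AGENT, version)


def read_cstring(data, off):
    """The C string at off: what the browser would hand back to JavaScript."""
    return data[off:data.index(b"\x00", off)]


if __name__ == "__main__":
    # appName replacement is the essay's own 27-byte string; the 47-byte
    # user-agent replacement is constructed for this example.
    patched = fake_browser(SAMPLE_DLL, b"None of your business !!!!!",
                           b"Mozilla/2.0 (compatible; Unknown 1.0; Nowhere!)")
    off = find_cstring(patched, b"None of your business !!!!!")
    print(read_cstring(patched, off))          # appName as a page would see it
    print(read_cstring(patched, off + 28))     # user-agent, right after the NUL
    print(len(patched) == len(SAMPLE_DLL))     # image size unchanged
```

To use it on the real file, read a copy of the DLL with open(path, "rb") while the browser is not running, which is also why the essay's save attempt hit a sharing violation.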



Now, a web page will think your browser's name is "None of your business!" This suits us fine because now we won't be prone to any anti-IE tricks, and by a rare chance, if we come across anti-Netscape tricks, we won't be prone to those either. What about browser faking with Netscape?

As I said, I'm yet to collect the relevant files I'm missing, but unlike IE, Netscape stores most of its resources (if not all) in the executable. That probably explains why Netscape is 3MB while IE is 35KB. So, we can load up BRW with Netscape and search for the relevant string tables. You should find one with the string "Netscape" and one with "Mozilla". These are the strings to change. Make the changes, recompile and you're done.

Now, we just wait and see what fravia+ and Mammon will do to catch these anti-anti-IE tricks :).



Final Notes

Please don't flame me for using IE, I prefer Netscape just as much as the next guy, but as I said, I'm yet to collect the relevant files.

Send your insults and comments to shivanan@ens.lk



Ob Duh
Ob duh doesn't apply here, we are modifying our own browsers, and we can do whatever we want with our own files, so get lost, silly lawyers!
