Web Browser emulation
(Letting web pages get less info about you)

and some "anti-anti-internet exploder" tricks
student
Not Assigned
3 May 1998
by Hs2L
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
Well, a nice addition to our reversing efforts! Hs2L proves here that EVERYTHING can be reversed, and our silly little tricks too... the simple truth is that NOTHING can last long if a true reverser lays his eyes (and brain) on it... and that our science is powerful indeed... but this we knew already, didn't we?
Of course we'll open right now an anti-reversing reversed browsers new section... that name information you (cleverly) changed is NOT the only difference between browsers, dear H2sL... :-)
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

Since this site is somewhat anti-micro$oft, this essay will be a departure from the norm, since it discusses reversing the micro$oft-hostile tricks, but it's reversing anyway, so it might be appropriate.
Faking Web Browsers
Letting web pages get less info about you
Written by Hs2L


Introduction
We are going to reverse Fravia's anti internet exploder tricks and figure
out how to fool web pages.
Tools required
Hex Editor (HexWorkshop)
Borland Resource Workshop (not a must)
A local copy of 2 web pages. First, Mammon's page (use the link in the tools section) and Fravia's counter measure page (the one where it tells you what browser you're using)
A window spy tool (not a must)

Essay
This essay outlines an extremely trivial task, as you will see.
Anyway... (many of you will probably kill me for this), for
some time I have been using Micro$oft's IE as my web browser.
I accidentally deleted a few libraries that are required by Netscape
3.0 Gold (which is STILL NOW my favorite browser BTW). So, for
some time I had no choice but to go with IE3 until I got the
necessary runtime files.
So, needless to say, when I tried to visit Mammon's site, which I visit every
now and then, I was at the losing end of what is IMHO a hilarious script
in Mammon's web page. Basically, if you enter his site with IE, you
automatically get booted to the Netscape home page. There are probably
lots of anti-ie sites, so I decided to do some work on reversing these
"anti-whatever_browser" scripts.
So, let's take a look at the relevant source code for Mammon's web page (yes,
even a simple exercise like this ends up with some deadlisting or other)

...
function disclaimer(){
  var i=navigator.appName                  // name the browser reports about itself
  var j="Microsoft Internet Explorer"
      if ( i==j ) {
            // IE: open a small popup, then send the visitor to Netscape's home page
            msie=window.open("msie.html", "Micro$oft?",
              "width=250,height=75,status=no,scrollbars=no,toolbar=no," +
              "location=no,menubar=no,resizable=no,directories=no");
            // the popup runs closeme() after 2.5 seconds
            dclose=msie.setTimeout("closeme()",2500);
            location.href="http://www.netscape.com";
                   }
      else {
            // any other browser is let in
            location.replace("http://www.eccentrica.org/Mammon");
            }
...

So, as you can see, the property navigator.appName holds the name of the
Internet browser you are using. This info comes, of course, from the browser
itself or one of its libraries. If we can find out where it's coming from,
we can edit it and change the browser name that is returned by
navigator.appName.

Here's the relevant snippet from Fravia's counter measure page:

...
document.write("MMM..., my dear ") 
document.write(n)
document.write("... I see you've got ")

and...

document.writeln( navigator.appName + " (" + 
navigator.appCodeName + ") " + navigator.appVersion + "")

So, over here, navigator.appName, navigator.appCodeName and
navigator.appVersion are read to get the relevant information from
the browser.

So, the question is, where does all this info come from? Well, let's open
Internet Exploder in BRW and see what we find. Well, it turns out that it's only
got icons, bitmaps, and versions, no string tables. That means the relevant info
is coming from a library (*.dll). Well, I fired up my buggy internet exploder
and used my windows spying tool to get the parent of the controls. (Any windows
spying tool will do. You can probably write a quick one in VB or Delphi like I did.)
It turns out that the actual viewing window is from MSHTML.DLL and the toolbar
is from SHDOW_something_or_other.dll. So, we'll try MSHTML.DLL and see what we
find. After opening the file in Hex Workshop, we do a search for "Microsoft
Internet Explorer", since that's the value returned by navigator.appName, and
we hit paydirt. This is the relevant hex dump:

000216CC 4D69 6372 6F73 6F66 7420 496E Microsoft In
000216D8 7465 726E 6574 2045 7870 6C6F ternet Explo
000216E4 7265 7200 4D6F 7A69 6C6C 612F rer.Mozilla/
000216F0 322E 3020 2863 6F6D 7061 7469 2.0 (compati
000216FC 626C 653B 204D 5349 4520 332E ble; MSIE 3.
00021708 3041 3B20 5769 6E64 6F77 7320 0A; Windows 
00021714 3935 2900 0000 0000 5356 57BE 95).....SVW.

Have you seen Fravia's counter measure page in your web browser?
Well, I get something like this with Internet Exploder:

MMM..., my dear Hs2L... I see you've 
got Microsoft Internet Explorer (Mozilla) 2.0 (compatible; MSIE 3.0A;
Windows 95) 
let's hope it does not suck.


I don't have to knock you over the head to make you see the connection. Now
we know the relevant info is in MSHTML.DLL.
OK, let's change it:

000216CC 4E6F 6E65 206F 6620 796F 7572 None of your
000216D8 2062 7573 696E 6573 7320 2121  business !!
000216E4 2121 212E 4765 746C 6F73 742F !!!.Getlost/
000216F0 5468 6973 2069 6E66 6F20 6973 This info is
000216FC 6E6F 6E65 206F 6620 796F 7572 none of your
00021708 2062 7573 696E 6573 7320 626C  business bl
00021714 6168 2900 0000 0000 5356 57BE ah).....SVW.


We try to save the file and what happens? We get a stupid "sharing
violation" message. Even after rebooting, if we edit MSHTML.DLL and attempt to
save, we see this message. Looks like Bill Gates & Co. don't want us playing
around with these files (even though they are legally OURS). So, we simply exit
Windows to DOS and either use Hiew and make the changes in DOS, or save the changes
with HexWorkshop to a different file and rename it in DOS mode.
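
The same-length patch described above, as an added example in JavaScript (Node.js) that is not part of the original essay: it works on a buffer constructed from the bytes of the first hex dump rather than on the real DLL, keeps each string's slot size and NUL terminator, and then runs Mammon's comparison on the name that is read back. The function names are assumptions made for this illustration.

```javascript
// Added example, not code from the essay. ORIGINAL is constructed from the bytes
// in the essay's first hex dump (MSHTML.DLL, offset 0x216CC onward).
const ORIGINAL = Buffer.concat([
  Buffer.from("Microsoft Internet Explorer\0", "latin1"),
  Buffer.from("Mozilla/2.0 (compatible; MSIE 3.0A; Windows 95)\0", "latin1"),
  Buffer.from([0, 0, 0, 0, 0x53, 0x56, 0x57, 0xbe]), // padding, then code bytes
]);

// Replace one NUL-terminated ASCII string inside a copy of `image`. The slot
// keeps its size: shorter text is NUL-padded, longer text is refused, so no
// byte after the string changes offset.
function patchCString(image, oldStr, newStr) {
  const needle = Buffer.from(oldStr + "\0", "latin1");
  const at = image.indexOf(needle);
  if (at < 0) throw new Error("string not found");
  if (image.indexOf(needle, at + 1) >= 0) throw new Error("more than one match");
  if (!/^[\x20-\x7e]*$/.test(newStr)) throw new Error("printable ASCII only");
  if (newStr.length > oldStr.length) throw new Error("replacement too long");
  const out = Buffer.from(image);       // work on a copy, like saving to a new file
  out.fill(0, at, at + needle.length);  // clear the slot; the terminator stays
  out.write(newStr, at, "latin1");
  return { out, at };
}

// Read a string the way C code would: up to the first NUL byte.
function readCString(image, at) {
  const end = image.indexOf(0, at);
  return image.toString("latin1", at, end < 0 ? image.length : end);
}

// The comparison from Mammon's script as a pure function returning the target URL.
function mammonTarget(appName) {
  return appName === "Microsoft Internet Explorer"
    ? "http://www.netscape.com"
    : "http://www.eccentrica.org/Mammon";
}

function demo() {
  const a = patchCString(ORIGINAL, "Microsoft Internet Explorer", "None of your business");
  const b = patchCString(a.out, "Mozilla/2.0 (compatible; MSIE 3.0A; Windows 95)",
    "Getlost/This info isnone of your business blah)"); // 47 bytes, exact fit
  return {
    sizeKept: b.out.length === ORIGINAL.length,
    tailKept: b.out.subarray(-4).equals(ORIGINAL.subarray(-4)),
    appName: readCString(b.out, a.at),
    rest: readCString(b.out, b.at),
    before: mammonTarget(readCString(ORIGINAL, a.at)),
    after: mammonTarget(readCString(b.out, a.at)),
  };
}
```

Because the reported name is just bytes shipped with the client, a page that branches on navigator.appName is branching on a value the visitor controls.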

Now, a web page will think your browser's name is "None of your business!"
This suits us fine because now we won't be prone to any anti-IE tricks, and
if by a rare chance we come across anti-Netscape tricks, we won't be prone to
those either.

What about Browser Faking with Netscape?
As I said, I'm yet to collect the relevant files I'm missing, but, unlike
IE, Netscape stores most of its resources (if not all) in the executable.
That probably explains why Netscape is 3MB while IE is 35KB. So, we can load
up BRW with Netscape and search for the relevant string tables. You should
find one with the string "Netscape" and one with "Mozilla". These are the
strings to change. Make the changes, recompile and you're done.
Now, we just wait and see what fravia+ and Mammon will do to catch these
anti-anti-ie tricks :).


Final Notes
Please don't flame me for using IE, I prefer Netscape just as much as the 
next guy, but as I said, I'm yet to collect the relevant files. 
Send your insults and comments to shivanan@ens.lk


Ob Duh
Ob duh doesn't apply here, we are modifying our own browsers, and we can do whatever we want with our own files, so get lost, silly lawyers!
