klavirshik
/
GoodbyeDPI
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: klavirshik:master
Branches Tags
klavirshik:master
klavirshik:quic_block
klavirshik:test_windres
klavirshik:openvpn
klavirshik:windivert2
klavirshik:masterv6
klavirshik:ipv6
klavirshik:windivert-test
klavirshik:0.2.3rc1
klavirshik:0.2.2
klavirshik:0.2.1
klavirshik:0.2.0
klavirshik:0.1.8
klavirshik:0.1.7
klavirshik:0.1.6
klavirshik:0.1.5
klavirshik:0.1.5rc3
klavirshik:0.1.5rc2
klavirshik:0.1.5rc1
klavirshik:0.1.4
klavirshik:0.1.3
klavirshik:0.1.2
klavirshik:0.1.2rc3
klavirshik:0.1.2rc2
klavirshik:0.1.2rc1
klavirshik:0.1.1
klavirshik:0.1.0
klavirshik:0.0.9
klavirshik:0.0.8
klavirshik:0.0.7
klavirshik:0.0.6
klavirshik:0.0.5
klavirshik:0.0.4
klavirshik:0.0.3
klavirshik:0.0.2
klavirshik:0.0.1
..
compare: klavirshik:windivert2
Branches Tags
klavirshik:master
klavirshik:quic_block
klavirshik:test_windres
klavirshik:openvpn
klavirshik:windivert2
klavirshik:masterv6
klavirshik:ipv6
klavirshik:windivert-test
klavirshik:0.2.3rc1
klavirshik:0.2.2
klavirshik:0.2.1
klavirshik:0.2.0
klavirshik:0.1.8
klavirshik:0.1.7
klavirshik:0.1.6
klavirshik:0.1.5
klavirshik:0.1.5rc3
klavirshik:0.1.5rc2
klavirshik:0.1.5rc1
klavirshik:0.1.4
klavirshik:0.1.3
klavirshik:0.1.2
klavirshik:0.1.2rc3
klavirshik:0.1.2rc2
klavirshik:0.1.2rc1
klavirshik:0.1.1
klavirshik:0.1.0
klavirshik:0.0.9
klavirshik:0.0.8
klavirshik:0.0.7
klavirshik:0.0.6
klavirshik:0.0.5
klavirshik:0.0.4
klavirshik:0.0.3
klavirshik:0.0.2
klavirshik:0.0.1

No commits in common. "master" and "windivert2" have entirely different histories.
master ... windivert2

6 changed files with 61 additions and 105 deletions
Show Stats Expand all files Collapse all files

38
.github/ISSUE_TEMPLATE/bug.yml vendored
View File

@ -1,35 +1,19 @@
name: Bug Report / Сообщение об ошибке name: Bug Report / Сообщение об ошибке
description: File a bug report / Сообщить об ошибке в программе description: File a bug report / Сообщить об ошибке в проекте
body: body:
- type: markdown - type: markdown
attributes: attributes:
value: | value: |
### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do not report it here! Please pay some attention!
GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here. GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
Please only report software bugs, such as: Пожалуйста, прочтите!
* program crash GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
* incorrect network packet handling Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
* antivirus incompatibility Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
* DNS redirection problems
* other software
Please make sure to check other opened and closed issues, it could be your bug has been reported already.
For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда!
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
Пожалуйста, сообщайте только об ошибках в программе, таких как:
* падение программы
* некорректная обработка сетевых пакетов
* несовместимость с антивирусами
* проблемы с перенаправлением DNS
* другие ошибки в программе
Также посмотрите другие открытые и закрытые баги. Возможно, ошибка уже обсуждалась или исправлена.
Для вопросов, а также в случае сомнений в определении бага, обращайтесь [на форум NTC.party](https://ntc.party/c/community-software/goodbyedpi).
- type: input - type: input
id: os id: os
attributes: attributes:
@ -51,8 +35,8 @@ body:
- type: textarea - type: textarea
id: what-happened id: what-happened
attributes: attributes:
label: Describe the bug / Опишите ошибку программы label: Describe the issue / Опишите проблему
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается ошибка description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
validations: validations:
required: true required: true

21
.github/workflows/build.yml vendored
View File

@ -4,24 +4,23 @@ on:
push: push:
paths: paths:
- 'src/**' - 'src/**'
workflow_dispatch:
env: env:
WINDIVERT_URL: https://reqrypt.org/download/WinDivert-2.2.0-D.zip WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-2.2.0-A.zip
WINDIVERT_NAME: WinDivert-2.2.0-D.zip WINDIVERT_NAME: WinDivert-2.2.0-A.zip
WINDIVERT_BASENAME: WinDivert-2.2.0-D WINDIVERT_BASENAME: WinDivert-2.2.0-A
WINDIVERT_SHA256: 1d461cfdfa7ba88ebcfbb3603b71b703e9f72aba8aeff99a75ce293e6f89d2ba WINDIVERT_SHA256: 2a7630aac0914746fbc565ac862fa096e3e54233883ac52d17c83107496b7a7f
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v2
- name: Declare short commit variable - name: Declare short commit variable
id: vars id: vars
run: | run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
- name: Install MinGW-w64 - name: Install MinGW-w64
run: > run: >
@ -31,7 +30,7 @@ jobs:
- name: Download WinDivert from cache - name: Download WinDivert from cache
id: windivert-cache id: windivert-cache
uses: actions/cache@v4 uses: actions/cache@v2
with: with:
path: ${{ env. WINDIVERT_NAME }} path: ${{ env. WINDIVERT_NAME }}
key: ${{ env. WINDIVERT_SHA256 }} key: ${{ env. WINDIVERT_SHA256 }}
@ -49,14 +48,14 @@ jobs:
run: > run: >
cd src && make clean && cd src && make clean &&
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4 make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4
- name: Prepare x86_64 directory - name: Prepare x86_64 directory
run: | run: |
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }} mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }} cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86_64 - name: Upload output file x86_64
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v2
with: with:
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }} name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }} path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
@ -72,7 +71,7 @@ jobs:
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }} cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86 - name: Upload output file x86
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v2
with: with:
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }} name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }} path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

25
README.md
View File

@ -43,15 +43,13 @@ Usage: goodbyedpi.exe [OPTION...]
supplied text file (HTTP Host/TLS SNI). supplied text file (HTTP Host/TLS SNI).
This option can be supplied multiple times. This option can be supplied multiple times.
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled. --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
--frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value. --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist). DANGEROUS! May break websites in unexpected ways. Use with care.
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease
it based on a distance. If the distance is shorter than a2, TTL is decreased it based on a distance. If the distance is shorter than a2, TTL is decreased
by a2. If it's longer, (a1; a2) scale is used with the distance as a weight. by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
If the resulting TTL is more than m(ax), set it to m. If the resulting TTL is more than m(ax), set it to m.
Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3. Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
--min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request --min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request
in --set-ttl and --auto-ttl modes. in --set-ttl and --auto-ttl modes.
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum. --wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
@ -67,7 +65,6 @@ Usage: goodbyedpi.exe [OPTION...]
Use this option to reduce CPU usage by skipping huge amount of data Use this option to reduce CPU usage by skipping huge amount of data
(like file transfers) in already established sessions. (like file transfers) in already established sessions.
May skip some huge HTTP requests from being processed. May skip some huge HTTP requests from being processed.
Default (if set): --max-payload 1200.
LEGACY modesets: LEGACY modesets:
@ -77,8 +74,8 @@ LEGACY modesets:
-4 -p -r -s (best speed) -4 -p -r -s (best speed)
Modern modesets (more stable, more compatible, faster): Modern modesets (more stable, more compatible, faster):
-5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default) -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
-6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload -6 -f 2 -e 2 --wrong-seq --reverse-frag
``` ```
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser. To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
@ -88,7 +85,7 @@ To check if your ISP's DPI could be circumvented, first make sure that your prov
Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country. Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resolver running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications. If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
Check the .cmd scripts and modify it according to your preference and network conditions. Check the .cmd scripts and modify it according to your preference and network conditions.
@ -141,15 +138,11 @@ Modify them according to your own needs.
# Similar projects # Similar projects
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for MacOS, Linux and Windows) - **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows) - **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
- **[DPI Tunnel CLI](https://github.com/zhenyolka/DPITunnel-cli)** by @zhenyolka (for Linux and routers) - **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
- **[DPI Tunnel for Android](https://github.com/zhenyolka/DPITunnel-android)** by @zhenyolka (for Android) - **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux) - **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
- **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)
# Kudos # Kudos

5
src/Makefile
View File

@ -11,12 +11,7 @@ TARGET = goodbyedpi.exe
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32 #LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
CC = $(CPREFIX)gcc CC = $(CPREFIX)gcc
CCWINDRES = $(CPREFIX)windres CCWINDRES = $(CPREFIX)windres
ifeq (, $(shell which $(CPREFIX)windres))
CCWINDRES = windres
endif
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \ CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \ -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
-Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \ -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \

75
src/goodbyedpi.c
View File

@ -23,7 +23,7 @@
// My mingw installation does not load inet_pton definition for some reason // My mingw installation does not load inet_pton definition for some reason
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr); WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
#define GOODBYEDPI_VERSION "v0.2.2" #define GOODBYEDPI_VERSION "v0.2.1"
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0) #define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
@ -119,8 +119,8 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
} \ } \
else if (ttl_min_nhops) { \ else if (ttl_min_nhops) { \
/* If not Auto TTL mode but --min-ttl is set */ \ /* If not Auto TTL mode but --min-ttl is set */ \
if (!tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \ if (tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
/* Send only if nhops >= min_ttl */ \ /* Send only if nhops > min_ttl */ \
should_send_fake = 0; \ should_send_fake = 0; \
} \ } \
} \ } \
@ -162,7 +162,6 @@ static struct option long_options[] = {
{"dns-verb", no_argument, 0, 'v' }, {"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' }, {"blacklist", required_argument, 0, 'b' },
{"allow-no-sni",no_argument, 0, ']' }, {"allow-no-sni",no_argument, 0, ']' },
{"frag-by-sni", no_argument, 0, '>' },
{"ip-id", required_argument, 0, 'i' }, {"ip-id", required_argument, 0, 'i' },
{"set-ttl", required_argument, 0, '$' }, {"set-ttl", required_argument, 0, '$' },
{"min-ttl", required_argument, 0, '[' }, {"min-ttl", required_argument, 0, '[' },
@ -217,8 +216,7 @@ static void add_ip_id_str(int id) {
static void add_maxpayloadsize_str(unsigned short maxpayload) { static void add_maxpayloadsize_str(unsigned short maxpayload) {
char *newstr; char *newstr;
/* 0x47455420 is "GET ", 0x504F5354 is "POST", big endian. */ const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu : true)";
const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu or tcp.Payload32[0] == 0x47455420 or tcp.Payload32[0] == 0x504F5354 : true)";
char *addfilter = malloc(strlen(maxpayloadsize_str) + 16); char *addfilter = malloc(strlen(maxpayloadsize_str) + 16);
sprintf(addfilter, maxpayloadsize_str, maxpayload); sprintf(addfilter, maxpayloadsize_str, maxpayload);
@ -418,7 +416,7 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
} }
/* Validate that hostname has only ascii lowercase characters */ /* Validate that hostname has only ascii lowercase characters */
for (int i=0; i<hnlen; i++) { for (int i=0; i<hnlen; i++) {
if (!( (hnaddr[i] >= '0' && hnaddr[i] <= '9') || if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') || (hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
hnaddr[i] == '.' || hnaddr[i] == '-')) hnaddr[i] == '.' || hnaddr[i] == '-'))
{ {
@ -475,7 +473,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
PWINDIVERT_TCPHDR ppTcpHdr, PWINDIVERT_TCPHDR ppTcpHdr,
unsigned int fragment_size, int step) { unsigned int fragment_size, int step) {
char packet_bak[MAX_PACKET_SIZE]; char packet_bak[MAX_PACKET_SIZE];
memcpy(packet_bak, packet, packetLen); memcpy(&packet_bak, packet, packetLen);
UINT orig_packetLen = packetLen; UINT orig_packetLen = packetLen;
if (fragment_size >= packet_dataLen) { if (fragment_size >= packet_dataLen) {
@ -532,7 +530,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
packetLen, packetLen,
NULL, &addr NULL, &addr
); );
memcpy(packet, packet_bak, orig_packetLen); memcpy(packet, &packet_bak, orig_packetLen);
//printf("Sent native fragment of %d size (step%d)\n", packetLen, step); //printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
} }
@ -569,7 +567,6 @@ int main(int argc, char *argv[]) {
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0, do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0, do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
do_allow_no_sni = 0, do_allow_no_sni = 0,
do_fragment_by_sni = 0,
do_fake_packet = 0, do_fake_packet = 0,
do_auto_ttl = 0, do_auto_ttl = 0,
do_wrong_chksum = 0, do_wrong_chksum = 0,
@ -808,11 +805,7 @@ int main(int argc, char *argv[]) {
case ']': // --allow-no-sni case ']': // --allow-no-sni
do_allow_no_sni = 1; do_allow_no_sni = 1;
break; break;
case '>': // --frag-by-sni
do_fragment_by_sni = 1;
break;
case '$': // --set-ttl case '$': // --set-ttl
do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
do_fake_packet = 1; do_fake_packet = 1;
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!"); ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
break; break;
@ -878,7 +871,7 @@ int main(int argc, char *argv[]) {
optarg = argv[optind]; optarg = argv[optind];
if (optarg) if (optarg)
max_payload_size = atousi(optarg, "Max payload size parameter error!"); max_payload_size = atousi(optarg, "Max payload size parameter error!");
else if (!max_payload_size)
max_payload_size = 1200; max_payload_size = 1200;
break; break;
default: default:
@ -904,7 +897,6 @@ int main(int argc, char *argv[]) {
" supplied text file (HTTP Host/TLS SNI).\n" " supplied text file (HTTP Host/TLS SNI).\n"
" This option can be supplied multiple times.\n" " This option can be supplied multiple times.\n"
" --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n" " --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
" --frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n" " --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n" " DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
" --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n" " --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n"
@ -938,8 +930,8 @@ int main(int argc, char *argv[]) {
" -4 -p -r -s (best speed)" " -4 -p -r -s (best speed)"
"\n" "\n"
"Modern modesets (more stable, more compatible, faster):\n" "Modern modesets (more stable, more compatible, faster):\n"
" -5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)\n" " -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
" -6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload\n"); " -6 -f 2 -e 2 --wrong-seq --reverse-frag\n");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} }
@ -963,7 +955,6 @@ int main(int argc, char *argv[]) {
"Fragment HTTP: %u\n" /* 2 */ "Fragment HTTP: %u\n" /* 2 */
"Fragment persistent HTTP: %u\n" /* 3 */ "Fragment persistent HTTP: %u\n" /* 3 */
"Fragment HTTPS: %u\n" /* 4 */ "Fragment HTTPS: %u\n" /* 4 */
"Fragment by SNI: %u\n" /* 5 */
"Native fragmentation (splitting): %d\n" /* 5 */ "Native fragmentation (splitting): %d\n" /* 5 */
"Fragments sending in reverse: %d\n" /* 6 */ "Fragments sending in reverse: %d\n" /* 6 */
"hoSt: %d\n" /* 7 */ "hoSt: %d\n" /* 7 */
@ -983,24 +974,23 @@ int main(int argc, char *argv[]) {
(do_fragment_http ? http_fragment_size : 0), /* 2 */ (do_fragment_http ? http_fragment_size : 0), /* 2 */
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */ (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
(do_fragment_https ? https_fragment_size : 0), /* 4 */ (do_fragment_https ? https_fragment_size : 0), /* 4 */
do_fragment_by_sni, /* 5 */ do_native_frag, /* 5 */
do_native_frag, /* 6 */ do_reverse_frag, /* 6 */
do_reverse_frag, /* 7 */ do_host, /* 7 */
do_host, /* 8 */ do_host_removespace, /* 8 */
do_host_removespace, /* 9 */ do_additional_space, /* 9 */
do_additional_space, /* 10 */ do_host_mixedcase, /* 10 */
do_host_mixedcase, /* 11 */ do_http_allports, /* 11 */
do_http_allports, /* 12 */ do_fragment_http_persistent_nowait, /* 12 */
do_fragment_http_persistent_nowait, /* 13 */ do_dnsv4_redirect, /* 13 */
do_dnsv4_redirect, /* 14 */ do_dnsv6_redirect, /* 14 */
do_dnsv6_redirect, /* 15 */ do_allow_no_sni, /* 15 */
do_allow_no_sni, /* 16 */ ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"), /* 16 */
do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"), /* 17 */
ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0, ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops, do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
do_wrong_chksum, /* 18 */ do_wrong_chksum, /* 17 */
do_wrong_seq, /* 19 */ do_wrong_seq, /* 18 */
max_payload_size /* 20 */ max_payload_size /* 19 */
); );
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) { if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
@ -1054,7 +1044,6 @@ int main(int argc, char *argv[]) {
packetLen); packetLen);
should_reinject = 1; should_reinject = 1;
should_recalc_checksum = 0; should_recalc_checksum = 0;
sni_ok = 0;
ppIpHdr = (PWINDIVERT_IPHDR)NULL; ppIpHdr = (PWINDIVERT_IPHDR)NULL;
ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL; ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
@ -1138,9 +1127,9 @@ int main(int argc, char *argv[]) {
* But if the packet is more than 2 bytes, check ClientHello byte. * But if the packet is more than 2 bytes, check ClientHello byte.
*/ */
if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) || if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
(packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 ))) (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
{ {
if (do_blacklist || do_fragment_by_sni) { if (do_blacklist) {
sni_ok = extract_sni(packet_data, packet_dataLen, sni_ok = extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len); &host_addr, &host_len);
} }
@ -1156,7 +1145,7 @@ int main(int argc, char *argv[]) {
char lsni[HOST_MAXLEN + 1] = {0}; char lsni[HOST_MAXLEN + 1] = {0};
extract_sni(packet_data, packet_dataLen, extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len); &host_addr, &host_len);
memcpy(lsni, host_addr, host_len); memcpy(&lsni, host_addr, host_len);
printf("Blocked HTTPS website SNI: %s\n", lsni); printf("Blocked HTTPS website SNI: %s\n", lsni);
#endif #endif
if (do_fake_packet) { if (do_fake_packet) {
@ -1191,7 +1180,7 @@ int main(int argc, char *argv[]) {
host_len = hdr_value_len; host_len = hdr_value_len;
#ifdef DEBUG #ifdef DEBUG
char lhost[HOST_MAXLEN + 1] = {0}; char lhost[HOST_MAXLEN + 1] = {0};
memcpy(lhost, host_addr, host_len); memcpy(&lhost, host_addr, host_len);
printf("Blocked HTTP website Host: %s\n", lhost); printf("Blocked HTTP website Host: %s\n", lhost);
#endif #endif
@ -1293,11 +1282,7 @@ int main(int argc, char *argv[]) {
current_fragment_size = http_fragment_size; current_fragment_size = http_fragment_size;
} }
else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) { else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
if (do_fragment_by_sni && sni_ok) { current_fragment_size = https_fragment_size;
current_fragment_size = (void*)host_addr - packet_data;
} else {
current_fragment_size = https_fragment_size;
}
} }
if (current_fragment_size) { if (current_fragment_size) {

2
src/service.c
View File

@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
*/ */
if (!service_argc && !service_argv) { if (!service_argc && !service_argv) {
service_argc = argc; service_argc = argc;
service_argv = calloc((size_t)(argc + 1), sizeof(void*)); service_argv = malloc(sizeof(void*) * (size_t)argc);
for (i = 0; i < argc; i++) { for (i = 0; i < argc; i++) {
service_argv[i] = strdup(argv[i]); service_argv[i] = strdup(argv[i]);
} }