Update bug.yml

Update README.md

.github/ISSUE_TEMPLATE/bug.yml

@@ -5,7 +5,7 @@ body:
   - type: markdown
     attributes:
       value: |
-        **USE THIS FORM ONLY FOR BUGS**
+        ### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do not report it here!
         GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.
 
         Please only report software bugs, such as:
@@ -18,7 +18,7 @@ body:
         Please make sure to check other opened and closed issues, it could be your bug has been reported already.
         For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
 
-        **ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ**
+        ### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда!
         GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
 
         Пожалуйста, сообщайте только об ошибках в программе, таких как:

.github/workflows/build.yml

@@ -4,23 +4,24 @@ on:
   push:
     paths:
       - 'src/**'
+  workflow_dispatch:
 
 env:
-  WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-2.2.0-A.zip
+  WINDIVERT_URL: https://reqrypt.org/download/WinDivert-2.2.0-D.zip
-  WINDIVERT_NAME: WinDivert-2.2.0-A.zip
+  WINDIVERT_NAME: WinDivert-2.2.0-D.zip
-  WINDIVERT_BASENAME: WinDivert-2.2.0-A
+  WINDIVERT_BASENAME: WinDivert-2.2.0-D
-  WINDIVERT_SHA256: 2a7630aac0914746fbc565ac862fa096e3e54233883ac52d17c83107496b7a7f
+  WINDIVERT_SHA256: 1d461cfdfa7ba88ebcfbb3603b71b703e9f72aba8aeff99a75ce293e6f89d2ba
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Declare short commit variable
         id: vars
         run: |
-          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
       - name: Install MinGW-w64
         run: >
@@ -30,7 +31,7 @@ jobs:
 
       - name: Download WinDivert from cache
         id: windivert-cache
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ${{ env. WINDIVERT_NAME }}
           key: ${{ env. WINDIVERT_SHA256 }}
@@ -48,14 +49,14 @@ jobs:
         run: >
           cd src && make clean &&
           make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4
-      
+
       - name: Prepare x86_64 directory
         run: |
           mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
           cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
 
       - name: Upload output file x86_64
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
           path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
@@ -71,7 +72,7 @@ jobs:
           cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
 
       - name: Upload output file x86
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
           path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

README.md

@@ -43,6 +43,7 @@ Usage: goodbyedpi.exe [OPTION...]
                           supplied text file (HTTP Host/TLS SNI).
                           This option can be supplied multiple times.
  --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.
+ --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.
  --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.
                           DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
  --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease
@@ -87,7 +88,7 @@ To check if your ISP's DPI could be circumvented, first make sure that your prov
 
 Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
 
-If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
+If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resolver running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
 
 Check the .cmd scripts and modify it according to your preference and network conditions.
 
@@ -140,12 +141,15 @@ Modify them according to your own needs.
 
 # Similar projects
 
-- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
+- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for MacOS, Linux and Windows)
-- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
+- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows)
-- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
+- **[DPI Tunnel CLI](https://github.com/zhenyolka/DPITunnel-cli)** by @zhenyolka (for Linux and routers)
-- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
+- **[DPI Tunnel for Android](https://github.com/zhenyolka/DPITunnel-android)** by @zhenyolka (for Android)
-- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
+- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux)
+- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
 - **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
+- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
+- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)
 
 # Kudos
 

src/Makefile

@@ -11,7 +11,12 @@ TARGET = goodbyedpi.exe
 #LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
 LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
 CC = $(CPREFIX)gcc
+
 CCWINDRES = $(CPREFIX)windres
+ifeq (, $(shell which $(CPREFIX)windres))
+	CCWINDRES = windres
+endif
+
 CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
          -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
          -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \

src/goodbyedpi.c

@@ -162,6 +162,7 @@ static struct option long_options[] = {
     {"dns-verb",    no_argument,       0,  'v' },
     {"blacklist",   required_argument, 0,  'b' },
     {"allow-no-sni",no_argument,       0,  ']' },
+    {"frag-by-sni", no_argument,       0,  '>' },
     {"ip-id",       required_argument, 0,  'i' },
     {"set-ttl",     required_argument, 0,  '$' },
     {"min-ttl",     required_argument, 0,  '[' },
@@ -474,7 +475,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
                         PWINDIVERT_TCPHDR ppTcpHdr,
                         unsigned int fragment_size, int step) {
     char packet_bak[MAX_PACKET_SIZE];
-    memcpy(&packet_bak, packet, packetLen);
+    memcpy(packet_bak, packet, packetLen);
     UINT orig_packetLen = packetLen;
 
     if (fragment_size >= packet_dataLen) {
@@ -531,7 +532,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
         packetLen,
         NULL, &addr
     );
-    memcpy(packet, &packet_bak, orig_packetLen);
+    memcpy(packet, packet_bak, orig_packetLen);
     //printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
 }
 
@@ -568,6 +569,7 @@ int main(int argc, char *argv[]) {
         do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
         do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
         do_allow_no_sni = 0,
+        do_fragment_by_sni = 0,
         do_fake_packet = 0,
         do_auto_ttl = 0,
         do_wrong_chksum = 0,
@@ -806,6 +808,9 @@ int main(int argc, char *argv[]) {
             case ']': // --allow-no-sni
                 do_allow_no_sni = 1;
                 break;
+            case '>': // --frag-by-sni
+                do_fragment_by_sni = 1;
+                break;
             case '$': // --set-ttl
                 do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
                 do_fake_packet = 1;
@@ -899,6 +904,7 @@ int main(int argc, char *argv[]) {
                 "                          supplied text file (HTTP Host/TLS SNI).\n"
                 "                          This option can be supplied multiple times.\n"
                 " --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
+                " --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
                 " --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.\n"
                 "                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
                 " --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease\n"
@@ -957,6 +963,7 @@ int main(int argc, char *argv[]) {
            "Fragment HTTP: %u\n"                    /* 2 */
            "Fragment persistent HTTP: %u\n"         /* 3 */
            "Fragment HTTPS: %u\n"                   /* 4 */
+           "Fragment by SNI: %u\n"                  /* 5 */
            "Native fragmentation (splitting): %d\n" /* 5 */
            "Fragments sending in reverse: %d\n"     /* 6 */
            "hoSt: %d\n"                             /* 7 */
@@ -976,23 +983,24 @@ int main(int argc, char *argv[]) {
            (do_fragment_http ? http_fragment_size : 0),           /* 2 */
            (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
            (do_fragment_https ? https_fragment_size : 0),         /* 4 */
-           do_native_frag,        /* 5 */
+           do_fragment_by_sni,    /* 5 */
-           do_reverse_frag,       /* 6 */
+           do_native_frag,        /* 6 */
-           do_host,               /* 7 */
+           do_reverse_frag,       /* 7 */
-           do_host_removespace,   /* 8 */
+           do_host,               /* 8 */
-           do_additional_space,   /* 9 */
+           do_host_removespace,   /* 9 */
-           do_host_mixedcase,     /* 10 */
+           do_additional_space,   /* 10 */
-           do_http_allports,      /* 11 */
+           do_host_mixedcase,     /* 11 */
-           do_fragment_http_persistent_nowait, /* 12 */
+           do_http_allports,      /* 12 */
-           do_dnsv4_redirect,                  /* 13 */
+           do_fragment_http_persistent_nowait, /* 13 */
-           do_dnsv6_redirect,                  /* 14 */
+           do_dnsv4_redirect,                  /* 14 */
-           do_allow_no_sni,                    /* 15 */
+           do_dnsv6_redirect,                  /* 15 */
-           do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"),  /* 16 */
+           do_allow_no_sni,                    /* 16 */
+           do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"),  /* 17 */
                ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
                do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
-           do_wrong_chksum, /* 17 */
+           do_wrong_chksum, /* 18 */
-           do_wrong_seq,    /* 18 */
+           do_wrong_seq,    /* 19 */
-           max_payload_size /* 19 */
+           max_payload_size /* 20 */
           );
 
     if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
@@ -1046,6 +1054,7 @@ int main(int argc, char *argv[]) {
                    packetLen);
             should_reinject = 1;
             should_recalc_checksum = 0;
+            sni_ok = 0;
 
             ppIpHdr = (PWINDIVERT_IPHDR)NULL;
             ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
@@ -1129,9 +1138,9 @@ int main(int argc, char *argv[]) {
                      * But if the packet is more than 2 bytes, check ClientHello byte.
                     */
                     if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
-                        (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
+                        (packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 )))
                     {
-                        if (do_blacklist) {
+                        if (do_blacklist || do_fragment_by_sni) {
                             sni_ok = extract_sni(packet_data, packet_dataLen,
                                         &host_addr, &host_len);
                         }
@@ -1147,7 +1156,7 @@ int main(int argc, char *argv[]) {
                             char lsni[HOST_MAXLEN + 1] = {0};
                             extract_sni(packet_data, packet_dataLen,
                                         &host_addr, &host_len);
-                            memcpy(&lsni, host_addr, host_len);
+                            memcpy(lsni, host_addr, host_len);
                             printf("Blocked HTTPS website SNI: %s\n", lsni);
 #endif
                             if (do_fake_packet) {
@@ -1182,7 +1191,7 @@ int main(int argc, char *argv[]) {
                         host_len = hdr_value_len;
 #ifdef DEBUG
                         char lhost[HOST_MAXLEN + 1] = {0};
-                        memcpy(&lhost, host_addr, host_len);
+                        memcpy(lhost, host_addr, host_len);
                         printf("Blocked HTTP website Host: %s\n", lhost);
 #endif
 
@@ -1284,7 +1293,11 @@ int main(int argc, char *argv[]) {
                         current_fragment_size = http_fragment_size;
                     }
                     else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
-                        current_fragment_size = https_fragment_size;
+                        if (do_fragment_by_sni && sni_ok) {
+                            current_fragment_size = (void*)host_addr - packet_data;
+                        } else {
+                            current_fragment_size = https_fragment_size;
+                        }
                     }
 
                     if (current_fragment_size) {