Use non-prefixed windres for msys2. #372

It has been reported that the DPI systems in Saudi Arabia and
United Arab Emirates are started to search for the beginning of
SNI extension header and its value, without parsing the TLS ClientHello
packet, in any part of TCP session.

Workaround the issue by splitting the packet right after the end
of extension headers and before its value.

https://ntc.party/t/goodbyedpi-in-saudi-arabia/7884
https://ntc.party/t/goodbyedpi-in-uae/7914

.github/ISSUE_TEMPLATE/bug.yml

@@ -1,19 +1,35 @@
 name: Bug Report / Сообщение об ошибке
-description: File a bug report / Сообщить об ошибке в проекте
+description: File a bug report / Сообщить об ошибке в программе
 
 body:
   - type: markdown
     attributes:
       value: |
-        Please pay some attention!
+        **USE THIS FORM ONLY FOR BUGS**
-        GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
+        GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.
-        Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
-        Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
 
-        Пожалуйста, прочтите!
+        Please only report software bugs, such as:
-        GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
+          * program crash
-        Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
+          * incorrect network packet handling
-        Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
+          * antivirus incompatibility
+          * DNS redirection problems
+          * other software 
+
+        Please make sure to check other opened and closed issues, it could be your bug has been reported already.
+        For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
+
+        **ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ**
+        GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
+
+        Пожалуйста, сообщайте только об ошибках в программе, таких как:
+          * падение программы
+          * некорректная обработка сетевых пакетов
+          * несовместимость с антивирусами
+          * проблемы с перенаправлением DNS
+          * другие ошибки в программе
+
+        Также посмотрите другие открытые и закрытые баги. Возможно, ошибка уже обсуждалась или исправлена.
+        Для вопросов, а также в случае сомнений в определении бага, обращайтесь [на форум NTC.party](https://ntc.party/c/community-software/goodbyedpi).
   - type: input
     id: os
     attributes:
@@ -35,8 +51,8 @@ body:
   - type: textarea
     id: what-happened
     attributes:
-      label: Describe the issue / Опишите проблему
+      label: Describe the bug / Опишите ошибку программы
-      description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
+      description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается ошибка
       placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
     validations:
       required: true

.github/workflows/build.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - 'src/**'
+  workflow_dispatch:
 
 env:
   WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-2.2.0-A.zip

README.md

@@ -43,13 +43,15 @@ Usage: goodbyedpi.exe [OPTION...]
                           supplied text file (HTTP Host/TLS SNI).
                           This option can be supplied multiple times.
  --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.
+ --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.
  --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.
-                          DANGEROUS! May break websites in unexpected ways. Use with care.
+                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
  --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease
                           it based on a distance. If the distance is shorter than a2, TTL is decreased
                           by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
                           If the resulting TTL is more than m(ax), set it to m.
                           Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
+                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
  --min-ttl     <value>    minimum TTL distance (128/64 - TTL) for which to send Fake Request
                           in --set-ttl and --auto-ttl modes.
  --wrong-chksum           activate Fake Request Mode and send it with incorrect TCP checksum.
@@ -65,6 +67,7 @@ Usage: goodbyedpi.exe [OPTION...]
                           Use this option to reduce CPU usage by skipping huge amount of data
                           (like file transfers) in already established sessions.
                           May skip some huge HTTP requests from being processed.
+                          Default (if set): --max-payload 1200.
 
 
 LEGACY modesets:
@@ -74,8 +77,8 @@ LEGACY modesets:
  -4          -p -r -s (best speed)
 
 Modern modesets (more stable, more compatible, faster):
- -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
+ -5          -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)
- -6          -f 2 -e 2 --wrong-seq --reverse-frag
+ -6          -f 2 -e 2 --wrong-seq --reverse-frag --max-payload
 ```
 
 To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
@@ -138,11 +141,16 @@ Modify them according to your own needs.
 
 # Similar projects
 
-- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
+- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux)
-- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
+- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows)
-- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
+- **[DPI Tunnel CLI](https://github.com/zhenyolka/DPITunnel-cli)** by @zhenyolka (for Linux and routers)
-- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
+- **[DPI Tunnel for Android](https://github.com/zhenyolka/DPITunnel-android)** by @zhenyolka (for Android)
-- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
+- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux)
+- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
+- **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
+- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
+- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)
+- **[Unicorn HTTPS](https://apps.apple.com/kr/app/unicorn-https/id1466584968?l=en)** for iOS
 
 # Kudos
 

src/Makefile

@@ -11,7 +11,12 @@ TARGET = goodbyedpi.exe
 #LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
 LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
 CC = $(CPREFIX)gcc
+
 CCWINDRES = $(CPREFIX)windres
+ifeq (, $(shell which $(CPREFIX)windres))
+	CCWINDRES = windres
+endif
+
 CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
          -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
          -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \

src/goodbyedpi.c

@@ -23,7 +23,7 @@
 // My mingw installation does not load inet_pton definition for some reason
 WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
 
-#define GOODBYEDPI_VERSION "v0.2.1"
+#define GOODBYEDPI_VERSION "v0.2.2"
 
 #define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
 
@@ -119,8 +119,8 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
             } \
             else if (ttl_min_nhops) { \
                 /* If not Auto TTL mode but --min-ttl is set */ \
-                if (tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
+                if (!tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
-                    /* Send only if nhops > min_ttl */ \
+                    /* Send only if nhops >= min_ttl */ \
                     should_send_fake = 0; \
                 } \
             } \
@@ -162,6 +162,7 @@ static struct option long_options[] = {
     {"dns-verb",    no_argument,       0,  'v' },
     {"blacklist",   required_argument, 0,  'b' },
     {"allow-no-sni",no_argument,       0,  ']' },
+    {"frag-by-sni", no_argument,       0,  '>' },
     {"ip-id",       required_argument, 0,  'i' },
     {"set-ttl",     required_argument, 0,  '$' },
     {"min-ttl",     required_argument, 0,  '[' },
@@ -216,7 +217,8 @@ static void add_ip_id_str(int id) {
 
 static void add_maxpayloadsize_str(unsigned short maxpayload) {
     char *newstr;
-    const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu : true)";
+    /* 0x47455420 is "GET ", 0x504F5354 is "POST", big endian. */
+    const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu or tcp.Payload32[0] == 0x47455420 or tcp.Payload32[0] == 0x504F5354 : true)";
     char *addfilter = malloc(strlen(maxpayloadsize_str) + 16);
 
     sprintf(addfilter, maxpayloadsize_str, maxpayload);
@@ -416,7 +418,7 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
                 }
                 /* Validate that hostname has only ascii lowercase characters */
                 for (int i=0; i<hnlen; i++) {
-                    if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
+                    if (!( (hnaddr[i] >= '0' && hnaddr[i] <= '9') ||
                          (hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
                          hnaddr[i] == '.' || hnaddr[i] == '-'))
                     {
@@ -473,7 +475,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
                         PWINDIVERT_TCPHDR ppTcpHdr,
                         unsigned int fragment_size, int step) {
     char packet_bak[MAX_PACKET_SIZE];
-    memcpy(&packet_bak, packet, packetLen);
+    memcpy(packet_bak, packet, packetLen);
     UINT orig_packetLen = packetLen;
 
     if (fragment_size >= packet_dataLen) {
@@ -530,7 +532,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
         packetLen,
         NULL, &addr
     );
-    memcpy(packet, &packet_bak, orig_packetLen);
+    memcpy(packet, packet_bak, orig_packetLen);
     //printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
 }
 
@@ -567,6 +569,7 @@ int main(int argc, char *argv[]) {
         do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
         do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
         do_allow_no_sni = 0,
+        do_fragment_by_sni = 0,
         do_fake_packet = 0,
         do_auto_ttl = 0,
         do_wrong_chksum = 0,
@@ -805,7 +808,11 @@ int main(int argc, char *argv[]) {
             case ']': // --allow-no-sni
                 do_allow_no_sni = 1;
                 break;
+            case '>': // --frag-by-sni
+                do_fragment_by_sni = 1;
+                break;
             case '$': // --set-ttl
+                do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
                 do_fake_packet = 1;
                 ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
                 break;
@@ -871,7 +878,7 @@ int main(int argc, char *argv[]) {
                     optarg = argv[optind];
                 if (optarg)
                     max_payload_size = atousi(optarg, "Max payload size parameter error!");
-                if (!max_payload_size)
+                else
                     max_payload_size = 1200;
                 break;
             default:
@@ -897,6 +904,7 @@ int main(int argc, char *argv[]) {
                 "                          supplied text file (HTTP Host/TLS SNI).\n"
                 "                          This option can be supplied multiple times.\n"
                 " --allow-no-sni           perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
+                " --frag-by-sni            if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
                 " --set-ttl     <value>    activate Fake Request Mode and send it with supplied TTL value.\n"
                 "                          DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
                 " --auto-ttl    [a1-a2-m]  activate Fake Request Mode, automatically detect TTL and decrease\n"
@@ -930,8 +938,8 @@ int main(int argc, char *argv[]) {
                 " -4          -p -r -s (best speed)"
                 "\n"
                 "Modern modesets (more stable, more compatible, faster):\n"
-                " -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
+                " -5          -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)\n"
-                " -6          -f 2 -e 2 --wrong-seq --reverse-frag\n");
+                " -6          -f 2 -e 2 --wrong-seq --reverse-frag --max-payload\n");
                 exit(EXIT_FAILURE);
         }
     }
@@ -955,6 +963,7 @@ int main(int argc, char *argv[]) {
            "Fragment HTTP: %u\n"                    /* 2 */
            "Fragment persistent HTTP: %u\n"         /* 3 */
            "Fragment HTTPS: %u\n"                   /* 4 */
+           "Fragment by SNI: %u\n"                  /* 5 */
            "Native fragmentation (splitting): %d\n" /* 5 */
            "Fragments sending in reverse: %d\n"     /* 6 */
            "hoSt: %d\n"                             /* 7 */
@@ -974,23 +983,24 @@ int main(int argc, char *argv[]) {
            (do_fragment_http ? http_fragment_size : 0),           /* 2 */
            (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
            (do_fragment_https ? https_fragment_size : 0),         /* 4 */
-           do_native_frag,        /* 5 */
+           do_fragment_by_sni,    /* 5 */
-           do_reverse_frag,       /* 6 */
+           do_native_frag,        /* 6 */
-           do_host,               /* 7 */
+           do_reverse_frag,       /* 7 */
-           do_host_removespace,   /* 8 */
+           do_host,               /* 8 */
-           do_additional_space,   /* 9 */
+           do_host_removespace,   /* 9 */
-           do_host_mixedcase,     /* 10 */
+           do_additional_space,   /* 10 */
-           do_http_allports,      /* 11 */
+           do_host_mixedcase,     /* 11 */
-           do_fragment_http_persistent_nowait, /* 12 */
+           do_http_allports,      /* 12 */
-           do_dnsv4_redirect,                  /* 13 */
+           do_fragment_http_persistent_nowait, /* 13 */
-           do_dnsv6_redirect,                  /* 14 */
+           do_dnsv4_redirect,                  /* 14 */
-           do_allow_no_sni,                    /* 15 */
+           do_dnsv6_redirect,                  /* 15 */
-           ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"),  /* 16 */
+           do_allow_no_sni,                    /* 16 */
+           do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"),  /* 17 */
                ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
                do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
-           do_wrong_chksum, /* 17 */
+           do_wrong_chksum, /* 18 */
-           do_wrong_seq,    /* 18 */
+           do_wrong_seq,    /* 19 */
-           max_payload_size /* 19 */
+           max_payload_size /* 20 */
           );
 
     if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
@@ -1044,6 +1054,7 @@ int main(int argc, char *argv[]) {
                    packetLen);
             should_reinject = 1;
             should_recalc_checksum = 0;
+            sni_ok = 0;
 
             ppIpHdr = (PWINDIVERT_IPHDR)NULL;
             ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
@@ -1127,9 +1138,9 @@ int main(int argc, char *argv[]) {
                      * But if the packet is more than 2 bytes, check ClientHello byte.
                     */
                     if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
-                        (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
+                        (packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 )))
                     {
-                        if (do_blacklist) {
+                        if (do_blacklist || do_fragment_by_sni) {
                             sni_ok = extract_sni(packet_data, packet_dataLen,
                                         &host_addr, &host_len);
                         }
@@ -1145,7 +1156,7 @@ int main(int argc, char *argv[]) {
                             char lsni[HOST_MAXLEN + 1] = {0};
                             extract_sni(packet_data, packet_dataLen,
                                         &host_addr, &host_len);
-                            memcpy(&lsni, host_addr, host_len);
+                            memcpy(lsni, host_addr, host_len);
                             printf("Blocked HTTPS website SNI: %s\n", lsni);
 #endif
                             if (do_fake_packet) {
@@ -1180,7 +1191,7 @@ int main(int argc, char *argv[]) {
                         host_len = hdr_value_len;
 #ifdef DEBUG
                         char lhost[HOST_MAXLEN + 1] = {0};
-                        memcpy(&lhost, host_addr, host_len);
+                        memcpy(lhost, host_addr, host_len);
                         printf("Blocked HTTP website Host: %s\n", lhost);
 #endif
 
@@ -1282,8 +1293,12 @@ int main(int argc, char *argv[]) {
                         current_fragment_size = http_fragment_size;
                     }
                     else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
+                        if (do_fragment_by_sni && sni_ok) {
+                            current_fragment_size = (void*)host_addr - packet_data;
+                        } else {
                             current_fragment_size = https_fragment_size;
                         }
+                    }
 
                     if (current_fragment_size) {
                         send_native_fragment(w_filter, addr, packet, packetLen, packet_data,

src/service.c

@@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
      */
     if (!service_argc && !service_argv) {
         service_argc = argc;
-        service_argv = malloc(sizeof(void*) * (size_t)argc);
+        service_argv = calloc((size_t)(argc + 1), sizeof(void*));
         for (i = 0; i < argc; i++) {
             service_argv[i] = strdup(argv[i]);
         }