The Un-Official Proxomitron Forum

Over the years I've hacked into Proxo's guts with various disassemblers and debuggers as a result of some kind of annoyance. I've been using Proxomitron forever, and without it I wouldn't be enjoying my job as much as I do.

I teach in a Korean high school situated in Indonesia, where I control a computer lab. For three years my lab had 20 computers, and this year I moved to one with 35. The current lab has a dedicated 10 Gb link. On a typically busy day I've got a maximum of 20 students in there, hammering the connection with Youtube, Twitch and HD K-soaps for between 10 and 40 minutes solid. The worst was when my lab was used with one day of warning for a paid on-line TOEFL mock test, which involves massive amounts of audio going both ways, using Java in Internet Explorer.

I have been using this combination of patches all this time, and Proxo has yet to fail me. It is a champ, and a testament to Scott's brilliance.

Currently it's running on Server 2003 (original lab, re-purposed for the middle school), and Server 2008. For a 'remote' proxy I use a secondary one called Proxy+. Also ancient and discontinued, it has an extremely good caching technology and supports https and socks 4/5. Oh and it's a mail server, too.

Anyway! To give back to the community, here are my patches.

Changelog:
2014-05-08 : Initial Post
2014-05-11 : Added 'SSL Certificate CN Always Matches', Deprecated 'Bypass SSL Certificate Error'
2014-05-11 : Added 'Font Adjustments'
2014-05-12 : Added Note #3 to 'Font Adjustments'
2014-05-12 : Added Monospaced Message Log to 'Font Adjustments'
2014-05-12 : Added Note to 'For Reference: RWIN Patch', briefly explaining what it does.


All are for Naoko 4.5j (June release). Yes, you can apply them to any such copy, whether or not they've had a GUI patch[1]. The first column is the offset, the second is the changed byte, and the third is the original byte:

ADDRESS: NEW OLD


SSL Certificate CN Always Matches
Note: Rename or delete your certs.pem file in order to use this. Otherwise you'll need to use the deprecated patch below.


DEPRECATED: Bypass SSL Certificate Error
Note: With high load, using 1 as the return value can lead to a crashed SSL library. I'm experimenting with using 3 to reduce the likelihood. So far so good.


Bypass Texture Errors: "Failed to load texture bitmap"


Bypass Exception Errors: "ProxomiTron Application Error. Exception [%08X] raised in..."


Bypass Texture Errors: "Proxomitron Application Error. ** WARNING **\nAn unauthorized access at"
Also in the message log, so it's redundant.


Font Adjustments
Note 1: This example dictates the font size used in the Web Page Filter Editor's EDIT controls. I use Andale Mono size 7 for the main dialog, and this value matches that size. Converting point sizes isn't easy: it depends on the desktop DPI, amongst other things, and pos/neg values have different meanings. Just experiment going up and down, is my suggestion.

For further information, look up "CreateFontA" using your search engine of choice and refer to this assembler tutorial.

Note 2: There are two locations in the binary where there is a font name referenced:


The Web Page Edit example uses the second one, originally Courier New. All other calls use the other, originally MS Sans Serif. You can replace them with any other font, provided the font name is the same as or shorter than the original. If it is shorter, replace any excess characters from the original with 0x00 - NOT 0x20, which is space - to 'null-terminate' the string. The locations are as follows:


Note 3: I've found that replacing 'F8' with '0D' (a positive value) is a perfect match for Tahoma 8. It also works with Segoe UI, and I'm assuming many others. '0C' works well with the Message log - slightly smaller than normal, and still within my own comfort zone for visibility. Besides, I only look out for certain colors flashing by, not specific phrases.

At offset 00011FBB you will find this PUSH statement:
This is the Message Log. Change 6804884200 to 688C8D4200 to get use the other font, if you prefer monospace.



For Reference: RWIN Patch
Note: As a point of interest, this mod changes the length/size of the location where the RWIN value REALLY is, thereby negating it. 32768 in hex is 0x8000... 4 bytes long, hence the '04'.


For Reference: Multiple Instances Patch


Enjoy!


[1]: FYI. For all this time I've been using Henk's ProxoPatcher 3.6, modified to suit my own tastes. Recently I investigated the alternatives - I really liked MizzMona's and tried it out... only to have glitches and flickering in the editor windows.

It turns out that this is the result of adding a Manifest to Proxomitron's resources. Adding a Manifest tells Windows that it's okay to apply newer visual styles that came with COMCTL32 version 6... unfortunately, this new method is partially incompatible with version 5 and below when programmers use OWNERDRAW methods and make their own subroutines to handle window messages. Removing the Manifest fixes the problem, but then the GUI patch gets all fugly.

Talk about timely. This last weekend I told some people that the SSL warnings were now a constant significant pain, had began to assemble the tools, and here you are. Welcome back.
Did you consider jumping past the entire certificate verification routine?

Regarding "Multiple Instances Patch", I think Scott was asked about this. He said, the Proxomitron wasn't designed for it. So be aware.

Also, there is a patch for "unexpected crash due to buffer overflow error when copying log messages into clipboard" in the files section of the prox-list. I'd note the author but I haven't ask for permission yet. I have not used it.

A request to all, please don't post modified EXEs and mark modified EXEs so they can be recognized as modified.

(May. 08, 2014 02:22 AM)JJoe Wrote: [ -> ]Did you consider jumping past the entire certificate verification routine?

I'd certainly be interested in that also...

(May. 08, 2014 02:22 AM)JJoe Wrote: [ -> ]Talk about timely. This last weekend I told some people that the SSL warnings were now a constant significant pain, had began to assemble the tools, and here you are. Welcome back.

Thanks! I think it's safe to blame HSTS for a lot of this, especially with Chrome's force-ssl list. Without the command line switch to ignore certificate errors I'd probably be working on my own fork. As it is, there's barely enough room in a Windows shortcut - there seems to be a maximum of 260 characters - so unless you start installing directly to C:\ things get tight pretty quick. BTW, if you look at the source for Chromium, it supports two prefix methods for recognizing switches: the normal unix '--' and the windows '/'. That actually made the difference for me!

Quote:Did you consider jumping past the entire certificate verification routine?

Now there's a thought. I'll investigate that this weekend. Doing that would eliminate quite a large amount of unnecessary overhead and bring CPU use down under load. When I did this, it was for my own use only and I was just wanting rid of the dialog.

Quote:Regarding "Multiple Instances Patch", I think Scott was asked about this. He said, the Proxomitron wasn't designed for it. So be aware.

Haha yeah. Funnily enough I wasn't aware of this patch - I came across the same solution by myself. I did it so that I could test a secondary config while the primary was live. I never intended to actually run two instances on a permanent basis. I couldn't, and still can't, see the point.

Quote:Also, there is a patch for "unexpected crash due to buffer overflow error when copying log messages into clipboard" in the files section of the prox-list. I'd note the author but I haven't ask for permission yet. I have not used it.

Interesting, thanks. I've never encountered that error, but then I only ever copy a few lines at a time at most. Usually it's one line, because I'm too lazy to type the url.

Quote:A request to all, please don't post modified EXEs and mark modified EXEs so they can be recognized as modified.

My solution:



As an aside, is there a problem with the prxbx server? I can't upload attachments at all, and I failed utterly to set an avatar last night even using imgur.

By the way, if you still use Resource Hacker there's a new 'upgrade' for it.

I hex'd in the "multi instance" patch many moon ago with the intentions of having each 'instance' run on a different port number...

the thinking being that then different browsers could run different configs based on the browsers proxy port setting...

never did anything with it though and i un-hex'd it 'cause i got tired of "accidentally" clicking my desktop shortcut to run Proxo only to find out "oops, i already had it running and now i have two of them, each with the same config, each running on the same port"...

(May. 08, 2014 04:05 AM)ProxRocks Wrote: [ -> ]I hex'd in the "multi instance" patch many moon ago with the intentions of having each 'instance' run on a different port number...

the thinking being that then different browsers could run different configs based on the browsers proxy port setting...

never did anything with it though and i un-hex'd it 'cause i got tired of "accidentally" clicking my desktop shortcut to run Proxo only to find out "oops, i already had it running and now i have two of them, each with the same config, each running on the same port"...

Yep, I went through the exact same process. In my case, though, I chose to keep two binaries. The one with this enabled is "Proxomitron_multi.exe" and it doesn't have a shortcut.

Having serious issues connecting with this server now. This is my 3rd attempt to post a reply. :p Is it getting DDOS'd?

SSL Certificate CN Always Matches

Try this in place of my previous SSL patch. It's working for me and and skips the CN check. Can't skip anything else, as the SSL connection is a few lines of code before this. I've tested it for a few hours using only Half-SSL on youtube and a bunch of reference sites.

Once you've confirmed I'll edit my original post and remove the previous patch to limit confusion.

BTW, has anyone got a fix for gmail on Chrome XMLHttpRequest rejection when using Half-SSL? The 'standard' view loading bar gets to 95% then freezes. Basic view works fine. It's S / Cross Site Scripting that's the problem - Chrome thinks http://https.. is an invalid origin. If anyone's got a working and tested solution, do tell and save me the hassle.

thank you, thank you, thank you...
i could kiss your feet...

you da man !!!...

Glad to be of help! Let me know if you have any probs. It seems fine though - I'm doing a hammer test this morning: On +++GET 27452+++ and climbing rapidly. Even better, I'm seeing much less CPU load.

(May. 08, 2014 03:38 AM)Stone-D Wrote: [ -> ]Thanks! I think it's safe to blame HSTS for a lot of this, especially with Chrome's force-ssl list. Without the command line switch to ignore certificate errors I'd probably be working on my own fork. As it is, there's barely enough room in a Windows shortcut - there seems to be a maximum of 260 characters - so unless you start installing directly to C:\ things get tight pretty quick.

I'm using a chrome variant without a force-ssl list. Problems are unnecessary required https use, wildcard certs, cert names that don't match the sites, and pages that never quit loading. But, I wouldn't want anybody to know I'd clicked a yahoo *news* link to see why some woman wore the same dress two days in a row either, so maybe it is necessary.

I use a shortcut linked to a "chrome.bat" file in the exe's folder to get around the character limit

(May. 08, 2014 05:17 PM)Stone-D Wrote: [ -> ]Try this in place of my previous SSL patch. It's working for me and and skips the CN check. Can't skip anything else, as the SSL connection is a few lines of code before this.

If the Proxomitron doesn't find "certs.pem" it responds "Can't load SSL cert file - no checking will be done!!!" This does not include the CN check, however.
So removing "certs.pem" and adding your latest patch does seem to skip all, so far.

Quote:Once you've confirmed I'll edit my original post and remove the previous patch to limit confusion.

Wouldn't it be better to move it to a new post and mark it as deprecated? It does have value.

Feet kissing is reserved for a dll to regain proper modern SSL or a new proxy but I'm not missing the alerts.

For readers, I've always recommended a new browser instance and a direct connection for banking and etc.
Be aware, be careful, and use Proxomitron and these patches at your own risk.

Quote:Chrome thinks http://https.. is an invalid origin.

We wanted the program to match the help file and at the time only IE6? was complaining so we didn't patch the exe for this.
We use a header filter and the format "http://https-px-." The header filter catches "https-px-.www.google.com/" and $RDIR(https://www.google.com/)

(May. 09, 2014 04:03 AM)JJoe Wrote: [ -> ]I'm using a chrome variant without a force-ssl list.

I've settled on Opera - it allows for a localized install that doesn't interfere with the registry (ie, USB mode) so it's easy for me to maintain and distribute across a network.

Quote:I use a shortcut linked to a "chrome.bat" file in the exe's folder to get around the character limit

Code:

--ppapi-flash-path=c:\Users\user1\AppData\Local\MapleStudio\ChromePlus\

Wait, ChromePlus? Isn't that what CoolNovo was called? I started investigating that but backed off when I found out that it's been essentially abandoned. Obviously I've got no problem with abandonware (up until recently I still use Opera 12.16 at home) but as a lot of our Proxo problems stem from recent 'innovations' I'm leery of getting involved with an outdated and unsupported build. However, if you recommend it I'll definitely give it a whirl!

Quote:

(May. 08, 2014 05:17 PM)Stone-D Wrote: [ -> ]Try this in place of my previous SSL patch. It's working for me and and skips the CN check. Can't skip anything else, as the SSL connection is a few lines of code before this.

If the Proxomitron doesn't find "certs.pem" it responds "Can't load SSL cert file - no checking will be done!!!" This does not include the CN check, however.
So removing "certs.pem" and adding your latest patch does seem to skip all, so far.

Yes! I had forgotten that I had renamed my certs.pem file for testing.

Quote:

Quote:Once you've confirmed I'll edit my original post and remove the previous patch to limit confusion.

Wouldn't it be better to move it to a new post and mark it as deprecated? It does have value.

Feet kissing is reserved for a dll to regain proper modern SSL or a new proxy but I'm not missing the alerts.

I'll leave it in the original post with a big 'deprecated' sign. Nice for reference, I guess! Feet kissing is reserved for Scott in my book. Delving into his code has made me realize just how efficient his source was.

As for a new proxy, I recently (but have yet to test) discovered a Russian proxy called HandyCache. It seems to do filtering.

Quote:For readers, I've always recommended a new browser instance and a direct connection for banking and etc.
Be aware, be careful, and use Proxomitron and these patches at your own risk.

Actually I confess to not using it at home. I now solely use it for lab control - toggling access to specific types of sites, based on whether or not my students' have completed their work. The only real filtering I do is anti porn and major advertising. Banking et al are strictly forbidden and on the permanent deny lists.

Quote:

Quote:Chrome thinks http://https.. is an invalid origin.

We wanted the program to match the help file and at the time only IE6? was complaining so we didn't patch the exe for this.
We use a header filter and the format "http://https-px-." The header filter catches "https-px-.www.google.com/" and $RDIR(https://www.google.com/)

Ahaaa!

(May. 09, 2014 05:35 AM)Stone-D Wrote: [ -> ]Wait, ChromePlus? Isn't that what CoolNovo was called? ... However, if you recommend it I'll definitely give it a whirl!

No, I can't recommend it. I'm looking for a new browser and finding little joy. I'd settle on Pale Moon, if not for the certificate routine and other things.

ChromePlus was a surprise. I'll have to look at the new Opera.

I'm not a gamer but your students might be interested in http://coowon.com/ .

(May. 09, 2014 05:35 AM)Stone-D Wrote: [ -> ]As for a new proxy, I recently (but have yet to test) discovered a Russian proxy called HandyCache. It seems to do filtering.

I'm aware of that one and others. They just don't do what I want the way I want.
It has been a year since I last looked at HandyCache tho.

(May. 09, 2014 03:04 PM)JJoe Wrote: [ -> ]

(May. 09, 2014 05:35 AM)Stone-D Wrote: [ -> ]Wait, ChromePlus? Isn't that what CoolNovo was called? ... However, if you recommend it I'll definitely give it a whirl!

No, I can't recommend it. I'm looking for a new browser and finding little joy. I'd settle on Pale Moon, if not for the certificate routine and other things.

ChromePlus was a surprise. I'll have to look at the new Opera.

I'm not a gamer but your students might be interested in http://coowon.com/ .

Yeah I saw that, and thought the same thing. The last thing they need is another distraction.

Opera now uses the Chrome engine, and accepts all the Chrome flags. As with Chrome there's no support for flags in a pref file, which Chromium does have.

I'm fond of Opera as I used it for many years while they were using their in-house engine, and got used to their gesture system which I'm pleased has made it into their Chrome variant.

The biggest sell, however, is portability. I'm not keen on the hacks employed by portableapps et al as I'm paranoid about a crash resulting in a registry littered with unassociated entries. It's gotta be either native or not at all!

Stone-D;

I too have problems with the browser thinking that http://https.. is invalid. Fortunately, Scott gave us an alternate syntax: try using http://https// - that should work, at least on that page. I find that some sites code their links in a way that shortcuts the host name (the top level name) by using inferred naming instead of fully formed names. (As in "./this_sub_page" instead of "http://xyz.tld/this_sub_page".) Such shenanigans will throw a browser error, usually a 404. Proxo can rewrite these links, but trying for a heuristic approach is not a walk in the park, to put it mildly.

HTH

Oh, and thanks for the half-SSL work-around. Let me relate my "face-palm of the day". Whenever I"m on the road, I can't use my mail provider's IMAP, it requires me to be at home on my static IP. But they do provide a web-based client, so I'm not totally cut off. However, when I compose something (using the web-based client), and if I want to quit out of the composition form (not hit Send, I've changed my mind and want to go somewhere else), I get the unsightly dialog box "Are you sure you want to leave this message unfinished?" That was one of the first things that got filtered by Proxo, years ago. But when HTTPS hit town, I was in deep kimche, thanks to CURL (and thanks to JJoe for pointing me down that path of investigation). The double-slash gets me out of that particular jam nearly every time.

That, and other sites like those which insist on using SSL for hosting images, as well as the big boys who "take your security seriously", a great majority of them just can't be bothered to keep their Certificates up to date and/or pointing to the correct CN. I realize that it's rocket science and all that, but for Pete's sake, those site admins are getting paid like rocket scientists, aren't they? ??? Or does their calendar have more way more vacation days than mine?

Anyways, that's why I have to leave half-SSL on and running at all times. Your work-around has just made my day! Thanks!!






Oddysey

I'll give that a go, thanks man.

To tell the truth, what pleases me more than knowing that you're benefiting from my patch is that you even still using Proxo.