veeso / suppaftp

a super FTP/FTPS client library for Rust with support for both passive and active mode
Apache License 2.0

[QUESTION] - `list()` returns `BadResponse` via 'fake VPN' #90

Open somidad opened 1 month ago

somidad commented 1 month ago

Before I start: the 'fake VPN' I mention here is an app called 'Unicorn HTTPs'. The purpose of this app is to bypass Korea's HTTPS SNI inspection policy (which prevents access to sites regulated by the government). The detailed mechanisms are unknown, but they explain it as a 'fake VPN'. (I also asked them about the technical details.)

When I launch this app and enable it, the `list()` method returns `BadResponse`. When it is disabled, it returns the expected result (`Vec<String>`). Also, the macOS built-in FTP client (via Finder) works fine.

Questions are:

  1. Under what condition does the `list()` method return `BadResponse`? The `BadResponse` documentation only says "The response syntax is invalid."
  2. How can I dig further into the issue? The `BadResponse` variant carries no additional information, unlike the other variants. Would inspecting the FTP packets, for example via Wireshark, work?

somidad commented 1 month ago

I quickly captured the packets sent in response to the FTP LIST command; the following is the hexdump with its ASCII rendering (-: fake VPN off, +: fake VPN on):

```diff
 0000   5c e9 1e c0 a3 1f 64 e5 99 a5 c5 18 08 00 45 00   \.....d.......E.
-0010   05 dc d1 1b 40 00 6a 06 d3 2d c3 ee e2 23 c0 a8   ....@.j..-...#..
-0020   00 18 2a fa dd 97 19 f1 64 bb f6 eb c7 05 50 10   ..*.....d.....P.
-0030   04 02 0a 5b 00 00 30 34 2d 31 36 2d 31 37 20 20   ...[..04-16-17  
+0010   05 dc d4 09 40 00 6a 06 d0 3f c3 ee e2 23 c0 a8   ....@.j..?...#..
+0020   00 18 2b 06 eb 1f 87 97 7e 12 0f 60 c6 99 50 10   ..+.....~..`..P.
+0030   04 02 5d c1 00 00 30 34 2d 31 36 2d 31 37 20 20   ..]...04-16-17  
 0040   30 38 3a 35 35 50 4d 20 20 20 20 20 20 20 20 20   08:55PM         
 0050   20 20 20 20 20 20 37 35 31 39 39 37 20 33 38 33         751997 383
 0060   33 31 2d 30 30 31 2e 7a 69 70 0d 0a 30 34 2d 31   31-001.zip..04-1
 0070   36 2d 31 37 20 20 30 38 3a 35 35 50 4d 20 20 20   6-17  08:55PM   
 0080   20 20 20 20 20 20 20 20 20 20 20 20 37 35 31 36               7516
 0090   34 38 20 33 38 33 33 31 2d 30 30 32 2e 7a 69 70   48 38331-002.zip
 00a0   0d 0a 30 35 2d 31 30 2d 31 37 20 20 30 38 3a 35   ..05-10-17  08:5
 # Unchanged parts are omitted
```

somidad commented 1 month ago

Here are the fields in the TCP packet that show differences:

| Field | `-` (fake VPN off) | `+` (fake VPN on) |
|---|---|---|
| Header Checksum | 0xd32d [validation disabled] | 0xd03f [validation disabled] |
| Source Port | 11002 | 11014 (I believe this difference is due to FTP passive mode) |
| Sequence Number (raw) | 435250363 | 2274852370 |
| Acknowledgment number (raw) | 4142647045 | 258000537 |
| Checksum | 0x0a5b [unverified] | 0x5dc1 [unverified] |

I believe such differences seem irrelevant to whether the fake VPN is on or off... Am I looking at the wrong one?
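
The header comparison in the comment above can be reproduced directly from the hexdump bytes. The following Rust program is an added example, not part of the original issue or of suppaftp: it decodes the Ethernet/IPv4/TCP header fields of both frames, validates the IPv4 header checksums, and lists every field that differs. It assumes Ethernet II framing without a VLAN tag and a 20-byte IPv4 header; the byte strings are transcribed from the hexdump, and all function names are illustrative.

```rust
// Constructed input: first 54 bytes (Ethernet II + IPv4 + TCP headers) of the two
// frames, transcribed from the hexdump above ('-' rows = OFF, '+' rows = ON).
const ROW0: &str = "5c e9 1e c0 a3 1f 64 e5 99 a5 c5 18 08 00 45 00";
const OFF: &str = "05 dc d1 1b 40 00 6a 06 d3 2d c3 ee e2 23 c0 a8 \
                   00 18 2a fa dd 97 19 f1 64 bb f6 eb c7 05 50 10 04 02 0a 5b 00 00";
const ON: &str = "05 dc d4 09 40 00 6a 06 d0 3f c3 ee e2 23 c0 a8 \
                  00 18 2b 06 eb 1f 87 97 7e 12 0f 60 c6 99 50 10 04 02 5d c1 00 00";

// (name, byte offset in frame, length). Assumes no VLAN tag and IHL = 5.
const FIELDS: [(&str, usize, usize); 13] = [
    ("ip.total_len", 16, 2), ("ip.id", 18, 2), ("ip.ttl", 22, 1), ("ip.checksum", 24, 2),
    ("ip.src", 26, 4), ("ip.dst", 30, 4), ("tcp.src_port", 34, 2), ("tcp.dst_port", 36, 2),
    ("tcp.seq", 38, 4), ("tcp.ack", 42, 4), ("tcp.flags", 47, 1), ("tcp.window", 48, 2),
    ("tcp.checksum", 50, 2),
];

// Build a frame from the shared first row plus the per-capture rows.
fn frame(rest: &str) -> Vec<u8> {
    ROW0.split_whitespace().chain(rest.split_whitespace())
        .map(|b| u8::from_str_radix(b, 16).expect("hex byte"))
        .collect()
}

// Read a big-endian (network order) field of 1 to 4 bytes.
fn field(f: &[u8], off: usize, len: usize) -> u32 {
    f[off..off + len].iter().fold(0, |v, &b| (v << 8) | b as u32)
}

// The one's-complement sum over the 20-byte IPv4 header must fold to 0xffff.
fn ip_checksum_ok(f: &[u8]) -> bool {
    let mut sum: u32 = (14..34).step_by(2).map(|i| field(f, i, 2)).sum();
    while sum > 0xffff { sum = (sum & 0xffff) + (sum >> 16); }
    sum == 0xffff
}

// Return (field, value in a, value in b) for every header field that differs.
fn differing(a: &[u8], b: &[u8]) -> Vec<(&'static str, u32, u32)> {
    // Guard the layout assumptions: EtherType 0x0800, IPv4 version 4, IHL 5.
    assert!(a[12..15] == [0x08, 0x00, 0x45] && b[12..15] == [0x08, 0x00, 0x45]);
    FIELDS.iter().map(|&(n, o, l)| (n, field(a, o, l), field(b, o, l)))
        .filter(|&(_, x, y)| x != y).collect()
}

fn main() {
    let (off, on) = (frame(OFF), frame(ON));
    println!("IPv4 checksum valid: off={} on={}", ip_checksum_ok(&off), ip_checksum_ok(&on));
    for (name, x, y) in differing(&off, &on) {
        println!("{:<13} off={:<11} on={}", name, x, y);
    }
}
```
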