V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
推荐学习书目
Learn Python the Hard Way
Python Sites
PyPI - Python Package Index
http://diveintopython.org/toc/index.html
Pocoo
值得关注的项目
PyPy
Celery
Jinja2
Read the Docs
gevent
pyenv
virtualenv
Stackless Python
Beautiful Soup
结巴中文分词
Green Unicorn
Sentry
Shovel
Pyflakes
pytest
Python 编程
pep8 Checker
Styles
PEP 8
Google Python Style Guide
Code Style from The Hitchhiker's Guide
taxidriver
V2EX  ›  Python

求问,抓包某个 APP 协议, HTTP, BODY 为二进制式加密,求下思路

  •  
  •   taxidriver · 2017-02-11 23:43:26 +08:00 · 4964 次点击
    这是一个创建于 2847 天前的主题,其中的信息可能已经有所发展或是发生改变。

    协议 A REQUEST = { 0xDD, 0x07, 0xF0, 0x00, 0x00, 0x00, 0x1D, 0x4F, 0x00, 0x00, 0x2C, 0x00, 0x36, 0x31, 0x37, 0x36, 0x33, 0x30, 0x35, 0x39, 0x32, 0x30, 0x3D, 0x31, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x35, 0x30, 0x33, 0x39, 0x37, 0x2E, 0x33, 0x36, 0x37, 0x3D, 0x34, 0x33, 0x30, 0x32, 0x36, 0x37, 0x33, 0x33, 0x36, 0x30, 0x3D, 0x3D, 0x30, 0x3D, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x8F, 0x41, 0x1B, 0x3E, 0x97, 0xCD, 0x3A, 0x52, 0x96, 0x89, 0x84, 0xA3, 0x37, 0x2A, 0xCF, 0x36, 0x77, 0x7F, 0xCB, 0x46, 0xA2, 0xAA, 0x65, 0xD3, 0x95, 0x68, 0x2C, 0x42, 0x30, 0x6B, 0xD5, 0xA7, 0xA5, 0x20, 0x1B, 0xE3, 0x5F, 0xE4, 0x95, 0xAE, 0x7C, 0x89, 0xA5, 0xD7, 0x87, 0xE9, 0xF5, 0x9C, 0x8E, 0x3B, 0x1C, 0x86, 0x31, 0x6F, 0x1E, 0xCE, 0xDB, 0x2D, 0x0C, 0x75, 0x44, 0x8B, 0x4E, 0x96, 0xEF, 0xF0, 0x6F, 0x3F, 0x8A, 0x98, 0xBB, 0x25, 0x78, 0x7E, 0xD1, 0x44, 0xFA, 0x22, 0xB8, 0x47, 0x5D, 0xAA, 0x56, 0x1D, 0xCD, 0x50, 0x45, 0x95, 0x46, 0x30, 0x71, 0x73, 0x91, 0xE0, 0x65, 0x4D, 0x92, 0xCB, 0xF2, 0x32, 0xD1, 0x37, 0x3D, 0x5C, 0xAC, 0x92, 0xC0, 0xD4, 0xE9, 0xE5, 0x95, 0xBC, 0xA4, 0xFF, 0x50, 0x07, 0xD7, 0x52, 0x9B, 0x2A, 0x71, 0x5A, 0xA2, 0x06, 0x6F, 0xD8, 0x43, 0x92, 0xEE, 0x00, 0xC6, 0x2A, 0x93, 0x49, 0xF2, 0xC1, 0x28, 0x35, 0x00, 0xDD, 0x0C, 0xB5, 0x40, 0x40, 0xE5, 0xE4, 0x16, 0x29, 0x4C, 0x87, 0x20, 0xCA, 0xD3, 0x65, 0x51, 0x3C, 0x99, 0xD3, 0x1C, 0x23, 0x7E, 0x1C, 0x6C, 0x5A, 0xA5, 0xB6, 0x47, 0xD4, 0x38, 0x7D, 0x2B, 0xB7, 0x32, 0x86, 0x87, 0xD6, 0x4E, 0x36, 0x81, 0xD3, 0x0D, 0xA6, 0x9A };

    协议 A RESPONSE = { 0xDD, 0x07, 0xB1, 0x00, 0x00, 0x00, 0x1D, 0x4F, 0x02, 0x00, 0x2C, 0x00, 0x36, 0x31, 0x37, 0x36, 0x33, 0x30, 0x35, 0x39, 0x32, 0x30, 0x3D, 0x31, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x35, 0x30, 0x33, 0x39, 0x37, 0x2E, 0x33, 0x36, 0x37, 0x3D, 0x34, 0x33, 0x30, 0x32, 0x36, 0x37, 0x33, 0x33, 0x36, 0x30, 0x3D, 0x3D, 0x30, 0x3D, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x5D, 0xB1, 0x89, 0x7A, 0x85, 0x64, 0xE5, 0xD8, 0xD1, 0xDD, 0x7E, 0x43, 0x4A, 0x5A, 0xBF, 0x4F, 0x36, 0x9F, 0x14, 0x49, 0xF8, 0xFB, 0x77, 0xE0, 0xAD, 0x4F, 0x3C, 0x34, 0x20, 0xBB, 0x2D, 0xDB, 0xB6, 0xD2, 0xCA, 0xF9, 0x46, 0x48, 0x3B, 0xFD, 0xDB, 0x27, 0xA2, 0x3A, 0xC7, 0x96, 0xC6, 0x91, 0xCA, 0xC5, 0x48, 0xBC, 0xA2, 0xF0, 0x34, 0xDB, 0x8E, 0xCE, 0x61, 0xF4, 0xBA, 0x0D, 0x9D, 0x25, 0xED, 0xB4, 0x9B, 0x74, 0xE6, 0xDA, 0x0F, 0x04, 0xCF, 0x1C, 0x35, 0x98, 0xDE, 0x73, 0x7D, 0x68, 0x55, 0xB1, 0xFB, 0x39, 0xA4, 0x78, 0x9B, 0x00, 0x5A, 0xF4, 0x45, 0x36, 0x35, 0x84, 0xDC, 0x30, 0x82, 0x12, 0x83, 0x7B, 0x32, 0xB3, 0x15, 0x4A, 0x42, 0xEF, 0xA0, 0x8F, 0x03, 0x51, 0x0D, 0xD6, 0x89, 0x64, 0x74, 0x12, 0x5F, 0x2C, 0x3C, 0xAE };

    协议 B REQUEST = { 0xDD, 0x07, 0xE0, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0xAF, 0xCC, 0x48, 0x1F, 0xDA, 0x4A, 0xC7, 0xEB, 0xC9, 0x81, 0xF2, 0xE3, 0x13, 0x55, 0x5A, 0xE6, 0x57, 0xC3, 0x78, 0x5A, 0x02, 0xF2, 0x09, 0x59, 0x1B, 0x1D, 0x63, 0x6F, 0x82, 0xD6, 0xAE, 0xB1, 0x04, 0xB3, 0x7A, 0x37, 0x13, 0x88, 0x2B, 0x90, 0x75, 0xF2, 0x46, 0xAD, 0xF4, 0xE0, 0xF7, 0xDF, 0xCE, 0x7E, 0x03, 0x17, 0x39, 0xAE, 0xB0, 0xC1, 0xCB, 0x2E, 0xD4, 0xC8, 0xDD, 0x7F, 0x16, 0x70, 0xC3, 0xFE, 0x48, 0xC4, 0x36, 0x0C, 0xA4, 0x6B, 0xD7, 0x65, 0x5D, 0xB7, 0x00, 0xFA, 0xE5, 0x76, 0x9A, 0x2B, 0x9C, 0xF7, 0xE1, 0xBC, 0xA3, 0xFF, 0x17, 0x98, 0x26, 0xC7, 0x39, 0x0B, 0xFD, 0x2D, 0xB7, 0x81, 0xDB, 0x07, 0x59, 0x82, 0x4E, 0x16, 0x17, 0xB1, 0xFB, 0xB9, 0xEB, 0xA9, 0xC7, 0xCD, 0x0C, 0x6D, 0x4A, 0x16, 0x81, 0x2F, 0x3B, 0xB0, 0xE4, 0xAC, 0x54, 0x18, 0xB8, 0x6B, 0x65, 0x40, 0x84, 0x27, 0xCF, 0x1E, 0x19, 0xD1, 0x0B, 0x09, 0x55, 0x33, 0xC7, 0xB6, 0x66, 0x99, 0xD7, 0x2B, 0x4C, 0xE1, 0x1D, 0xA9, 0x74, 0x4D, 0xB7, 0x01, 0x5A, 0x77, 0xA6, 0x31, 0xED, 0x1A, 0xF4, 0x4F, 0x45, 0x6D, 0x7D, 0xA1, 0xF1, 0xD2, 0xE8, 0xEC, 0xCC, 0x68, 0xF7, 0x6E, 0x23, 0x30, 0x0D, 0xAD, 0x57, 0x06, 0xB9, 0xC3, 0xFF, 0x0C, 0xE5, 0x78, 0xF7, 0x9A, 0xC4, 0xDB, 0x83, 0xD5, 0x52, 0xF9, 0xFA, 0x26, 0x7B, 0xF4, 0x17, 0xDA, 0x83, 0x97, 0x60, 0x5F, 0xDB, 0x5F, 0x21, 0x2C, 0x15, 0x33, 0xD9, 0xDE, 0x1D };

    协议 B RESPONSE = { 0xDD, 0x07, 0x45, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0xEA, 0xC2, 0x2A, 0xF8, 0x5E, 0xF2, 0xF2, 0xEF, 0x75, 0xA3, 0x2B, 0x9B, 0x60, 0x04, 0xA5, 0x93, 0xD3, 0xBD, 0xC3, 0x6A, 0x02, 0x6D, 0x16, 0xB0, 0x2F, 0xCC, 0x99, 0xDB, 0x25, 0x1A, 0xC3, 0xFB, 0x32, 0x98, 0x47, 0x30, 0xFF, 0x6D, 0xB5, 0x7C, 0x93, 0xD9, 0x88, 0x52, 0x8A, 0xB9, 0x55, 0x87, 0xE6, 0xB5, 0xF5, 0x17, 0xC1, 0x91, 0x55, 0x96 };

    已经分析:0XDD07应该是头FLAG,接下来四个字节是后续数据长度,小端表示形式

    13 条回复    2017-02-13 09:03:57 +08:00
    nyanyh
        1
    nyanyh  
       2017-02-12 00:35:25 +08:00   ❤️ 1
    我觉得这个东西,发到看雪可能会得到更好的帮助
    virusdefender
        2
    virusdefender  
       2017-02-12 00:37:36 +08:00 via iPhone
    逆向 app 啊
    AltairT
        3
    AltairT  
       2017-02-12 00:58:29 +08:00 via iPhone
    擦,自定义协议 udp 或 tcp 通讯的啊,嵌入式上常用
    这个破解有难度,有文档都要仔细去看
    cnnblike
        4
    cnnblike  
       2017-02-12 02:23:11 +08:00 via iPhone   ❤️ 1
    搜 magic signature ,估计是某个 stream compression 算法
    phrack
        5
    phrack  
       2017-02-12 08:29:37 +08:00 via Android   ❤️ 1
    不逆向搞不出来,没有人直接看包就能分析的。
    forestyuan
        6
    forestyuan  
       2017-02-12 09:32:08 +08:00
    包里的数据肯定跟你的应用有关
    ic3z
        7
    ic3z  
       2017-02-12 10:00:25 +08:00 via Android   ❤️ 1
    这些数据也许上帝知道含义吧。
    0xcb
        8
    0xcb  
       2017-02-12 10:42:25 +08:00 via Android
    给一组数据包想逆出协议,连 app 环境都没,怎么分析
    des
        9
    des  
       2017-02-12 11:06:26 +08:00
    android 的话上 xposed hook 试试,还有只有一个包的话基本没办法分析的。
    realpg
        10
    realpg  
       2017-02-12 11:13:43 +08:00   ❤️ 1
    记得 N 年前 V2 有个一样的帖子
    当时的那个答案是: content-encoding:gzip
    adslxyz
        11
    adslxyz  
       2017-02-12 12:15:04 +08:00
    腾讯相关 APP 的包。包体已经加密过的了。协商密钥的部分这几个没有,加密部分解不出来的。
    adslxyz
        12
    adslxyz  
       2017-02-12 12:20:10 +08:00
    瞎猜一下:
    DD 07 // header flag
    F0 00 00 00 // type short int ,body length = 240
    1D 4F // type short ,flag
    00 00 // type short
    2C 00 // type short , header length = 44
    36 31 37 36 33 30 35 39 32 30 3D 31 3D 30 3D 30 3D 30 3D 35 30 33 39 37 2E 33 36 37 3D 34 33 30 32 36 37 33 33 36 30 3D 3D 30 3D 30 (length = 44,str="6176305920=1=0=0=0=50397.367=4302673360==0=0")
    00 00 00 00 // int
    00 00 // short

    // encrypted body
    6D 8F 41 1B 3E 97 CD 3A 52 96 89 84 A3 37 2A CF 36 77 7F CB 46 A2 AA 65 D3 95 68 2C 42 30 6B D5 A7 A5 20 1B E3 5F E4 95 AE 7C 89 A5 D7 87 E9 F5 9C 8E 3B 1C 86 31 6F 1E CE DB 2D 0C 75 44 8B 4E 96 EF F0 6F 3F 8A 98 BB 25 78 7E D1 44 FA 22 B8 47 5D AA 56 1D CD 50 45 95 46 30 71 73 91 E0 65 4D 92 CB F2 32 D1 37 3D 5C AC 92 C0 D4 E9 E5 95 BC A4 FF 50 07 D7 52 9B 2A 71 5A A2 06 6F D8 43 92 EE 00 C6 2A 93 49 F2 C1 28 35 00 DD 0C B5 40 40 E5 E4 16 29 4C 87 20 CA D3 65 51 3C 99 D3 1C 23 7E 1C 6C 5A A5 B6 47 D4 38 7D 2B B7 32 86 87 D6 4E 36 81 D3 0D A6 9A
    thisisvoa
        13
    thisisvoa  
       2017-02-13 09:03:57 +08:00
    密钥变化滚动的,无法解析
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3300 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 00:41 · PVG 08:41 · LAX 16:41 · JFK 19:41
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.