求问,抓包某个 APP 协议, HTTP, BODY 为二进制式加密,求下思路

2017-02-11 23:43:26 +08:00
 taxidriver

协议 A REQUEST = { 0xDD, 0x07, 0xF0, 0x00, 0x00, 0x00, 0x1D, 0x4F, 0x00, 0x00, 0x2C, 0x00, 0x36, 0x31, 0x37, 0x36, 0x33, 0x30, 0x35, 0x39, 0x32, 0x30, 0x3D, 0x31, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x35, 0x30, 0x33, 0x39, 0x37, 0x2E, 0x33, 0x36, 0x37, 0x3D, 0x34, 0x33, 0x30, 0x32, 0x36, 0x37, 0x33, 0x33, 0x36, 0x30, 0x3D, 0x3D, 0x30, 0x3D, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x8F, 0x41, 0x1B, 0x3E, 0x97, 0xCD, 0x3A, 0x52, 0x96, 0x89, 0x84, 0xA3, 0x37, 0x2A, 0xCF, 0x36, 0x77, 0x7F, 0xCB, 0x46, 0xA2, 0xAA, 0x65, 0xD3, 0x95, 0x68, 0x2C, 0x42, 0x30, 0x6B, 0xD5, 0xA7, 0xA5, 0x20, 0x1B, 0xE3, 0x5F, 0xE4, 0x95, 0xAE, 0x7C, 0x89, 0xA5, 0xD7, 0x87, 0xE9, 0xF5, 0x9C, 0x8E, 0x3B, 0x1C, 0x86, 0x31, 0x6F, 0x1E, 0xCE, 0xDB, 0x2D, 0x0C, 0x75, 0x44, 0x8B, 0x4E, 0x96, 0xEF, 0xF0, 0x6F, 0x3F, 0x8A, 0x98, 0xBB, 0x25, 0x78, 0x7E, 0xD1, 0x44, 0xFA, 0x22, 0xB8, 0x47, 0x5D, 0xAA, 0x56, 0x1D, 0xCD, 0x50, 0x45, 0x95, 0x46, 0x30, 0x71, 0x73, 0x91, 0xE0, 0x65, 0x4D, 0x92, 0xCB, 0xF2, 0x32, 0xD1, 0x37, 0x3D, 0x5C, 0xAC, 0x92, 0xC0, 0xD4, 0xE9, 0xE5, 0x95, 0xBC, 0xA4, 0xFF, 0x50, 0x07, 0xD7, 0x52, 0x9B, 0x2A, 0x71, 0x5A, 0xA2, 0x06, 0x6F, 0xD8, 0x43, 0x92, 0xEE, 0x00, 0xC6, 0x2A, 0x93, 0x49, 0xF2, 0xC1, 0x28, 0x35, 0x00, 0xDD, 0x0C, 0xB5, 0x40, 0x40, 0xE5, 0xE4, 0x16, 0x29, 0x4C, 0x87, 0x20, 0xCA, 0xD3, 0x65, 0x51, 0x3C, 0x99, 0xD3, 0x1C, 0x23, 0x7E, 0x1C, 0x6C, 0x5A, 0xA5, 0xB6, 0x47, 0xD4, 0x38, 0x7D, 0x2B, 0xB7, 0x32, 0x86, 0x87, 0xD6, 0x4E, 0x36, 0x81, 0xD3, 0x0D, 0xA6, 0x9A };

协议 A RESPONSE = { 0xDD, 0x07, 0xB1, 0x00, 0x00, 0x00, 0x1D, 0x4F, 0x02, 0x00, 0x2C, 0x00, 0x36, 0x31, 0x37, 0x36, 0x33, 0x30, 0x35, 0x39, 0x32, 0x30, 0x3D, 0x31, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x30, 0x3D, 0x35, 0x30, 0x33, 0x39, 0x37, 0x2E, 0x33, 0x36, 0x37, 0x3D, 0x34, 0x33, 0x30, 0x32, 0x36, 0x37, 0x33, 0x33, 0x36, 0x30, 0x3D, 0x3D, 0x30, 0x3D, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x5D, 0xB1, 0x89, 0x7A, 0x85, 0x64, 0xE5, 0xD8, 0xD1, 0xDD, 0x7E, 0x43, 0x4A, 0x5A, 0xBF, 0x4F, 0x36, 0x9F, 0x14, 0x49, 0xF8, 0xFB, 0x77, 0xE0, 0xAD, 0x4F, 0x3C, 0x34, 0x20, 0xBB, 0x2D, 0xDB, 0xB6, 0xD2, 0xCA, 0xF9, 0x46, 0x48, 0x3B, 0xFD, 0xDB, 0x27, 0xA2, 0x3A, 0xC7, 0x96, 0xC6, 0x91, 0xCA, 0xC5, 0x48, 0xBC, 0xA2, 0xF0, 0x34, 0xDB, 0x8E, 0xCE, 0x61, 0xF4, 0xBA, 0x0D, 0x9D, 0x25, 0xED, 0xB4, 0x9B, 0x74, 0xE6, 0xDA, 0x0F, 0x04, 0xCF, 0x1C, 0x35, 0x98, 0xDE, 0x73, 0x7D, 0x68, 0x55, 0xB1, 0xFB, 0x39, 0xA4, 0x78, 0x9B, 0x00, 0x5A, 0xF4, 0x45, 0x36, 0x35, 0x84, 0xDC, 0x30, 0x82, 0x12, 0x83, 0x7B, 0x32, 0xB3, 0x15, 0x4A, 0x42, 0xEF, 0xA0, 0x8F, 0x03, 0x51, 0x0D, 0xD6, 0x89, 0x64, 0x74, 0x12, 0x5F, 0x2C, 0x3C, 0xAE };

协议 B REQUEST = { 0xDD, 0x07, 0xE0, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0xAF, 0xCC, 0x48, 0x1F, 0xDA, 0x4A, 0xC7, 0xEB, 0xC9, 0x81, 0xF2, 0xE3, 0x13, 0x55, 0x5A, 0xE6, 0x57, 0xC3, 0x78, 0x5A, 0x02, 0xF2, 0x09, 0x59, 0x1B, 0x1D, 0x63, 0x6F, 0x82, 0xD6, 0xAE, 0xB1, 0x04, 0xB3, 0x7A, 0x37, 0x13, 0x88, 0x2B, 0x90, 0x75, 0xF2, 0x46, 0xAD, 0xF4, 0xE0, 0xF7, 0xDF, 0xCE, 0x7E, 0x03, 0x17, 0x39, 0xAE, 0xB0, 0xC1, 0xCB, 0x2E, 0xD4, 0xC8, 0xDD, 0x7F, 0x16, 0x70, 0xC3, 0xFE, 0x48, 0xC4, 0x36, 0x0C, 0xA4, 0x6B, 0xD7, 0x65, 0x5D, 0xB7, 0x00, 0xFA, 0xE5, 0x76, 0x9A, 0x2B, 0x9C, 0xF7, 0xE1, 0xBC, 0xA3, 0xFF, 0x17, 0x98, 0x26, 0xC7, 0x39, 0x0B, 0xFD, 0x2D, 0xB7, 0x81, 0xDB, 0x07, 0x59, 0x82, 0x4E, 0x16, 0x17, 0xB1, 0xFB, 0xB9, 0xEB, 0xA9, 0xC7, 0xCD, 0x0C, 0x6D, 0x4A, 0x16, 0x81, 0x2F, 0x3B, 0xB0, 0xE4, 0xAC, 0x54, 0x18, 0xB8, 0x6B, 0x65, 0x40, 0x84, 0x27, 0xCF, 0x1E, 0x19, 0xD1, 0x0B, 0x09, 0x55, 0x33, 0xC7, 0xB6, 0x66, 0x99, 0xD7, 0x2B, 0x4C, 0xE1, 0x1D, 0xA9, 0x74, 0x4D, 0xB7, 0x01, 0x5A, 0x77, 0xA6, 0x31, 0xED, 0x1A, 0xF4, 0x4F, 0x45, 0x6D, 0x7D, 0xA1, 0xF1, 0xD2, 0xE8, 0xEC, 0xCC, 0x68, 0xF7, 0x6E, 0x23, 0x30, 0x0D, 0xAD, 0x57, 0x06, 0xB9, 0xC3, 0xFF, 0x0C, 0xE5, 0x78, 0xF7, 0x9A, 0xC4, 0xDB, 0x83, 0xD5, 0x52, 0xF9, 0xFA, 0x26, 0x7B, 0xF4, 0x17, 0xDA, 0x83, 0x97, 0x60, 0x5F, 0xDB, 0x5F, 0x21, 0x2C, 0x15, 0x33, 0xD9, 0xDE, 0x1D };

协议 B RESPONSE = { 0xDD, 0x07, 0x45, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0xEA, 0xC2, 0x2A, 0xF8, 0x5E, 0xF2, 0xF2, 0xEF, 0x75, 0xA3, 0x2B, 0x9B, 0x60, 0x04, 0xA5, 0x93, 0xD3, 0xBD, 0xC3, 0x6A, 0x02, 0x6D, 0x16, 0xB0, 0x2F, 0xCC, 0x99, 0xDB, 0x25, 0x1A, 0xC3, 0xFB, 0x32, 0x98, 0x47, 0x30, 0xFF, 0x6D, 0xB5, 0x7C, 0x93, 0xD9, 0x88, 0x52, 0x8A, 0xB9, 0x55, 0x87, 0xE6, 0xB5, 0xF5, 0x17, 0xC1, 0x91, 0x55, 0x96 };

已经分析:0XDD07应该是头FLAG,接下来四个字节是后续数据长度,小端表示形式

4761 次点击
所在节点    Python
13 条回复
nyanyh
2017-02-12 00:35:25 +08:00
我觉得这个东西,发到看雪可能会得到更好的帮助
virusdefender
2017-02-12 00:37:36 +08:00
逆向 app 啊
AltairT
2017-02-12 00:58:29 +08:00
擦,自定义协议 udp 或 tcp 通讯的啊,嵌入式上常用
这个破解有难度,有文档都要仔细去看
cnnblike
2017-02-12 02:23:11 +08:00
搜 magic signature ,估计是某个 stream compression 算法
phrack
2017-02-12 08:29:37 +08:00
不逆向搞不出来,没有人直接看包就能分析的。
forestyuan
2017-02-12 09:32:08 +08:00
包里的数据肯定跟你的应用有关
ic3z
2017-02-12 10:00:25 +08:00
这些数据也许上帝知道含义吧。
0xcb
2017-02-12 10:42:25 +08:00
给一组数据包想逆出协议,连 app 环境都没,怎么分析
des
2017-02-12 11:06:26 +08:00
android 的话上 xposed hook 试试,还有只有一个包的话基本没办法分析的。
realpg
2017-02-12 11:13:43 +08:00
记得 N 年前 V2 有个一样的帖子
当时的那个答案是: content-encoding:gzip
adslxyz
2017-02-12 12:15:04 +08:00
腾讯相关 APP 的包。包体已经加密过的了。协商密钥的部分这几个没有,加密部分解不出来的。
adslxyz
2017-02-12 12:20:10 +08:00
瞎猜一下:
DD 07 // header flag
F0 00 00 00 // type short int ,body length = 240
1D 4F // type short ,flag
00 00 // type short
2C 00 // type short , header length = 44
36 31 37 36 33 30 35 39 32 30 3D 31 3D 30 3D 30 3D 30 3D 35 30 33 39 37 2E 33 36 37 3D 34 33 30 32 36 37 33 33 36 30 3D 3D 30 3D 30 (length = 44,str="6176305920=1=0=0=0=50397.367=4302673360==0=0")
00 00 00 00 // int
00 00 // short

// encrypted body
6D 8F 41 1B 3E 97 CD 3A 52 96 89 84 A3 37 2A CF 36 77 7F CB 46 A2 AA 65 D3 95 68 2C 42 30 6B D5 A7 A5 20 1B E3 5F E4 95 AE 7C 89 A5 D7 87 E9 F5 9C 8E 3B 1C 86 31 6F 1E CE DB 2D 0C 75 44 8B 4E 96 EF F0 6F 3F 8A 98 BB 25 78 7E D1 44 FA 22 B8 47 5D AA 56 1D CD 50 45 95 46 30 71 73 91 E0 65 4D 92 CB F2 32 D1 37 3D 5C AC 92 C0 D4 E9 E5 95 BC A4 FF 50 07 D7 52 9B 2A 71 5A A2 06 6F D8 43 92 EE 00 C6 2A 93 49 F2 C1 28 35 00 DD 0C B5 40 40 E5 E4 16 29 4C 87 20 CA D3 65 51 3C 99 D3 1C 23 7E 1C 6C 5A A5 B6 47 D4 38 7D 2B B7 32 86 87 D6 4E 36 81 D3 0D A6 9A
thisisvoa
2017-02-13 09:03:57 +08:00
密钥变化滚动的,无法解析

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/339834

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX