Fetion protocol analysis


Client and server messages are shown below in capture order.

Login

POST /nav/getsystemconfig.aspx HTTP/1.1
User-Agent: iic2.0/PC 2.2.0230
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: nav.fetion.com.cn
Content-Length: 75
Connection: keep-alive

HTTP/1.1 100 Continue

<config><client type="PC" version="2.2.0230" platform="w5.1"/></config>

HTTP/1.1 200 OK
Date: Wed, 11 Apr 2007 08:19:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Language: zh-cn
Set-Cookie: ASP.NET_SessionId=3si%55hhsjllshsssw32; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 202

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <client version="2.0.0.0">
    <compatible>2.0.0.0</compatible>
    <date>18:48:27</date>
    <pc-live-update value="http://221.130.45.198/"/>
  </client>
</config>
// The response carries the address of the update server.

Check whether an upgrade is available
GET /updateinfo.ashx?version=2.2.0230&switch= HTTP/1.1
User-Agent: iic2.0/PC 2.2.0230
Host: 221.130.45.198
Connection: keep-alive

HTTP/1.1 204 No Content
Connection: close
Date: Wed, 11 Apr 2007 08:19:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 0

// Now the client retrieves the system configuration
POST /nav/getsystemconfig.aspx HTTP/1.1
User-Agent: iic2.0/PC 2.2.0230
Host: nav.fetion.com.cn
Content-Length: 262
Connection: close

HTTP/1.1 100 Continue

<config><user mobile-no="13412344321"/><client type="PC" version="2.2.0230" platform="w5.1"/><servers version="0"/><service-no version="0"/><parameters version="0"/></config>

HTTP/1.1 200 OK
Connection: close
Date: Wed, 11 Apr 2007 09:41:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Language: zh-cn
Set-Cookie: ASP.NET_SessionId=1lkl1h550rvost2ujpr0prfy; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5644

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <servers version="12">
    <apply-sub-service>http://221.130.45.201/nav/applysubscribe.aspx</apply-sub-service>
    <crbt-portal>http://221.130.46.134/crbt/default.aspx</crbt-portal>
    <get-general-info>http://221.130.45.201/nav/generalgetinfo.aspx</get-general-info>
    <get-pic-code>http://221.130.45.201/nav/getpiccode.aspx</get-pic-code>
    <get-svc-order-status>http://221.130.45.201/nav/getsvcorderstatus.aspx</get-svc-order-status>
    <get-system-status>http://221.130.45.201/nav/getsystemstatus.aspx</get-system-status>
    <get-uri>http://221.130.45.205/hds/geturi.aspx</get-uri>
    ....

The following analysis is based on fetion 2006 beta version 2.1.0.0.

I was forced to start using Fetion. It is painful that after several years of development (someone on the Fetion blog said he had been on the Fetion project for two years; it is written in .NET, so the workload is less than it would be in C++) it is still this bad. So, for fun, I analysed Fetion's communication protocol. This is not cracking, and it is boring.
Looking at the packet capture, Fetion uses a hybrid protocol:
1. HTTP (XML web services?) for obtaining the system configuration, program updates and user registration.

2. HTTPS for password verification at login.

3. SIP as the application-layer protocol, but not standard SIP; presumably self-developed. All interactions, such as sending messages and SMS, go through this SIP protocol.

There are many RFCs describing SIP. Fetion's SIP stack supports two transports (bearers), TCP and HTTP:

1. TCP bearer: connect to port 8080 of the server (currently 221.130.45.203). In this mode the client's "Network Settings" show "TCP direct connection", and the SIP signalling is placed directly in the TCP stream.
2. HTTP bearer: connect to port 80 of the server (currently 221.130.45.203) and send each signalling packet as the body of a POST request. In this mode the client's "Network Settings" show "HTTP direct connection".

Because the transport is plain TCP or HTTP, the packet framing is very clear, so attention can go straight to the SIP protocol and its signalling; the details will be written up later.

Overall, the Fetion protocol is relatively simple. No, the accurate statement is that it is relatively standard and clear, while the protocol itself is complicated. In addition:
1. The Fetion protocol is plaintext, like its sibling MSN, and in that respect inferior to QQ and RTX. Fetion communications can therefore be intercepted easily, and with simple tools one can intercept all conversations on the same network segment. Presumably someone will write a Fetion chat sniffer, just as happened with MSN. If Fetion ever becomes that popular... do you want me to write one? :)

2. The protocol is inefficient. I have nearly 200 contacts, and a single login transfers more than 230 KB.

3. Status handling has problems; presence is not handled well. Oddly, others see me as online when I am offline, and presence updates arrive late, which is annoying.

The following analysis is based on fetion 2006 beta version 2.1.0.0.

During protocol analysis we captured packets and found that Fetion connects to the server 221.130.45.203 while it is working. Where does this IP address come from, and will it change? The server address is not configured in the Fetion client. A hard-coded IP address? No; a nationwide system cannot rely on a single IP address. One of several IP addresses resolved from a fixed domain name? Capturing DNS shows that only one name is resolved, once, at startup: nav.fetion.com.cn, which resolves to 221.130.45.201. I heard that Fetion's developers came from Microsoft MSN, so everything is the same as MSN: look at the main interface of Fetion and try to find one element placed or working differently from MSN. Even the domain name resolution is the same as MSN. It is boring. As I recall, MSN also resolves one address at the very start, messenger.msn.com? If you want to block MSN on a LAN, point that name at 127.0.0.1 and MSN is stuck.

Since only nav.fetion.com.cn is resolved, the address 221.130.45.203, the SIP proxy server, must be returned by nav.fetion.com.cn. It is, but only on the first login, after which it is saved locally. On later logins, if the version has not changed, the server does not return the system configuration again, so the configuration information is only visible the first time.

The local configuration is not stored in the Fetion program directory but under %USERPROFILE%\Application Data\Fetion. That directory contains configuration.dat and one directory per Fetion user; each user directory contains configuration.dat, contacts.dat and userinfo.dat, which hold the user-specific system configuration, the contact list and the user's personal information.

These files are XML, so they can be opened in Notepad. However, once opened you find that all their content is encrypted. Strange: why encrypt these files at all?

How can we get at the content?

There are two methods:

1. Stop Fetion from encrypting these files by modifying fetionfx.exe. Disassemble it with ildasm and replace the bodies of imps.client.PC.persistentmanager.encodemode1 and imps.client.PC.persistentmanager.decodemode1 with the following:
.maxstack 1
IL_0000: ldarg.0
IL_0001: ret
That is, return the argument unchanged. Then reassemble with ilasm to produce a new fetionfx.exe, overwrite the old one and run Fetion: none of the configuration files will be encrypted any more.

2. Construct a request to nav.fetion.com.cn and let it return the configuration. The request is very simple; a packet capture shows that fetching the system configuration goes like this:
XXX.XXX:XXXX >>>>>>>> 221.130.45.201:80
POST /nav/getsystemconfig.aspx HTTP/1.1
User-Agent: iic2.0/PC 2.1.0.0
Host: nav.fetion.com.cn
Content-Length: 233
Connection: keep-alive

--------------------------------------
XXX.XXX:XXXX <<<<<<<< 221.130.45.201:80
HTTP/1.1 100 Continue

--------------------------------------
XXX.XXX:XXXX >>>>>>>> 221.130.45.201:80
<config><user mobile-no="139XXXXXXXX"/><client type="PC" version="2.1.0.0" platform="w5.1"/><servers version="12"/><service-no version="1"/><parameters version="4"/></config>

Set every version attribute from servers onward to "0" and the server returns the full configuration. Note that the configuration is UTF-8 encoded. With nc you can construct this HTTP request by hand and send it straight to the server.

Method 1 is recommended, because it lets you view and modify all configuration information; method 2 returns only the system configuration.

The server addresses we are interested in appear in configuration.dat in the Fetion user directory:
....
<sipc-proxy>221.130.45.203:8080</sipc-proxy>   // server address for TCP direct connection
<http-tunnel>http://221.130.45.203/ht/sd.aspx</http-tunnel>   // endpoint for HTTP direct connection
<get-pic-code>http://221.130.45.201/nav/getpiccode.aspx</get-pic-code>   // verification-code image URL
<get-system-status>http://221.130.45.201/nav/getsystemstatus.aspx</get-system-status>
....

There is a reason for storing this configuration per user directory. As in SIP, login servers can be partitioned by user group, so different users log on to different proxy servers; each Fetion user (phone number) can log on to the proxy server of their own province, just like today's mobile and fixed telephone networks.

In fact there is nothing sensitive in this configuration, so why encrypt it? Besides, its contents can be obtained simply by constructing an HTTP request. The oddest part is that Fetion's conversation content is neither encrypted nor obfuscated, while these irrelevant configuration files are.

The user's password is also saved, in configuration.dat under the Application Data\Fetion directory. It is transformed, of course, but the program restores it to plaintext, so anyone who can read the file can easily recover the password. Fortunately the password can be retrieved via the phone if it is lost, but this is still a serious weakness.

The communication protocol of the J2ME version of Fetion is completely different from that of the PC version.
Both are based on HTTP. The difference is that the PC version of Fetion carries the SIP protocol over HTTP,
while the J2ME version carries a custom data format over HTTP.

The communication protocol of the J2ME version of Fetion (hereafter simply Fetion) is based on HTTP.

It talks to the server with the POST method; the data to transmit is placed in the body of the POST request.

Each request is initiated by the client, which receives the server's response, closes the connection, and then processes the response.

=== Data packet format ===

The data in the HTTP request (or response) body has the following format.

Each packet is divided into two parts: a header and a payload.
The header is a fixed 4 bytes. The first three bytes (Length) give the length of the whole packet, including the header itself; the fourth byte (Code) is the request command. The three length bytes form a big-endian (network byte order) integer: byte 0 holds the high 8 bits, byte 1 the middle 8 bits and byte 2 the low 8 bits. Byte 3 holds the request code.

A 24-bit length allows very large packets; for now nothing near that is used.

The payload is variable in length and may be empty. Simple commands such as logout only need the code set to the corresponding value; no payload data is needed.

The server's responses use the same format as the client's requests.

=== Special packet ===
Among the server responses there is a special packet whose code is -1. A packet with code -1 actually consists of several packets, which must be split apart and processed one by one.

** I do not know whether the client can send several packets to the server at once using a code -1 packet; the Fetion code has no such use, and only responses received from the server should contain a code -1 packet.
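The framing described in the two sections above (3-byte big-endian length counting the header, 1-byte code, then the payload, with code -1 packets bundling several inner packets) is small enough to implement end to end. The following encoder/decoder is an added example written for this page, not the Fetion client's own code; the sample packets are constructed here, and the choice of a signed byte for the code (so that -1 is stored as 0xFF) and the rejection of truncated or oversized length fields are this example's assumptions.

```python
"""Encoder/decoder for the 4-byte-header packet format (added example, not
Fetion's own code).

Header: 3-byte big-endian length counting the header itself, then 1 signed
byte of command code. A packet with code -1 bundles several complete inner
packets back to back in its payload; they are split and handled one by one.
"""
from typing import List, Tuple

HEADER_LEN = 4
BUNDLE_CODE = -1          # server-side "several packets in one" marker
MAX_PACKET_LEN = 1 << 24  # largest value a 3-byte length field can express


def encode_packet(code: int, payload: bytes = b"") -> bytes:
    """Build one packet: length (3 bytes, big-endian) + code (1 byte) + payload."""
    if not -128 <= code <= 127:
        raise ValueError("code must fit in one signed byte")
    total = HEADER_LEN + len(payload)
    if total >= MAX_PACKET_LEN:
        raise ValueError("payload too large for a 24-bit length field")
    return total.to_bytes(3, "big") + (code & 0xFF).to_bytes(1, "big") + payload


def decode_packet(buf: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Parse the packet starting at buf[offset]; return (code, payload, next_offset).

    Every length is checked against the buffer before slicing, so a truncated
    or corrupt length field raises instead of silently yielding partial data.
    """
    if len(buf) - offset < HEADER_LEN:
        raise ValueError("truncated header")
    total = int.from_bytes(buf[offset:offset + 3], "big")
    code = int.from_bytes(buf[offset + 3:offset + 4], "big", signed=True)
    if total < HEADER_LEN:
        raise ValueError("length field smaller than the header")
    if offset + total > len(buf):
        raise ValueError("declared length exceeds available data")
    payload = bytes(buf[offset + HEADER_LEN:offset + total])
    return code, payload, offset + total


def split_bundle(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the payload of a code -1 packet into its inner (code, payload) packets."""
    packets = []
    offset = 0
    while offset < len(payload):
        code, inner, offset = decode_packet(payload, offset)
        packets.append((code, inner))
    return packets


def parse_response(body: bytes) -> List[Tuple[int, bytes]]:
    """Parse one HTTP response body into a list of (code, payload) packets.

    An ordinary packet yields a one-element list; a code -1 packet is
    expanded into its inner packets. Trailing bytes are rejected.
    """
    code, payload, end = decode_packet(body)
    if end != len(body):
        raise ValueError("unexpected trailing bytes after packet")
    if code == BUNDLE_CODE:
        return split_bundle(payload)
    return [(code, payload)]


if __name__ == "__main__":
    # Constructed sample: a bundle carrying a code 1 packet with text and a
    # bare code 2 packet (no payload), shaped like a server reply might be.
    reply = encode_packet(BUNDLE_CODE, encode_packet(1, b"hello") + encode_packet(2))
    print(reply.hex())
    for code, payload in parse_response(reply):
        print(code, payload)
```

The length checks in decode_packet matter more than they look: because the length field covers the header itself, a value below 4 or beyond the end of the buffer is a malformed packet, and a parser that slices without checking would either loop forever on a zero length or hand back a partial payload as if it were complete.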

=== Logging on to the navigation server ===

The first step when the Fetion client communicates with the server is logging on to the navigation server.

Its purpose is to obtain the real service URL. This is probably so that China Mobile can change the service URL in the future, or so that the service URL nearest to the phone using Fetion can be returned dynamically, by proximity.

The service URL obtained this way is the destination address for login, chat and logout.

The default navigation server URL is
http://nav.m161.com.cn/getadapteruri.aspx

This navigation server URL is also defined in MANIFEST.MF. If MANIFEST.MF does not define serverip, the default URL is used.

To obtain the service URL, POST one byte, of any value, to the navigation server URL.
If the request succeeds, an XML document like the following is returned:

<?xml version="1.0" encoding="UTF-8"?>
<Root xmlns="http://tempuri.org/DateExchange.xsd">
  <Response>
    <Error>0</Error>
    <Memo/>
  </Response>
  <Uri>
    http://liveja.amigo.bjmcc.net/transfer.vurl
  </Uri>
</Root>

The service URL used by the Fetion protocol is taken from the Uri node. Subsequent communication has nothing to do with the navigation server.
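The reply above has two details a client must get right: every element sits in the default namespace http://tempuri.org/DateExchange.xsd, so a lookup by bare tag name finds nothing, and the Uri text is padded with whitespace. The following code is an added example for this page, not the Fetion client's own code. The successful sample reply is the one shown above; the failure reply (Error 1 with a Memo) is a constructed assumption, as is the rule that only an http(s) URL is accepted before the client sends its login to it.

```python
"""Obtain the service URL from the navigation server reply (added example,
not the Fetion client's own code).

The reply puts every element in the default namespace, so lookups must use
the namespace-qualified tag. The Error value is checked before Uri is trusted.
"""
import urllib.request
import xml.etree.ElementTree as ET

NAV_NS = "http://tempuri.org/DateExchange.xsd"

# Constructed sample replies for offline use: the successful reply shown above,
# and a hypothetical failure reply (its Error and Memo values are assumptions).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Root xmlns="http://tempuri.org/DateExchange.xsd">
  <Response>
    <Error>0</Error>
    <Memo/>
  </Response>
  <Uri>
    http://liveja.amigo.bjmcc.net/transfer.vurl
  </Uri>
</Root>"""

SAMPLE_ERR = b"""<?xml version="1.0" encoding="UTF-8"?>
<Root xmlns="http://tempuri.org/DateExchange.xsd">
  <Response><Error>1</Error><Memo>service unavailable</Memo></Response>
  <Uri/>
</Root>"""


class NavError(Exception):
    """The navigation server reported an error or returned an unusable reply."""


def _q(tag: str) -> str:
    """Qualify a tag with the reply's default namespace."""
    return "{%s}%s" % (NAV_NS, tag)


def service_url_from_reply(body: bytes) -> str:
    """Validate a navigation reply and return the service URL from its Uri node."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise NavError("reply is not well-formed XML: %s" % exc) from exc
    if root.tag != _q("Root"):
        raise NavError("unexpected root element %r" % root.tag)
    error = (root.findtext(_q("Response") + "/" + _q("Error")) or "").strip()
    if error != "0":
        memo = (root.findtext(_q("Response") + "/" + _q("Memo")) or "").strip()
        raise NavError("navigation server error %r: %s" % (error, memo))
    # The Uri text in the real reply is surrounded by newlines and spaces.
    uri = (root.findtext(_q("Uri")) or "").strip()
    # Everything that follows (login, chat, logout) is POSTed to this URL, so
    # refuse anything that is not a plain http(s) URL before using it.
    if not uri.lower().startswith(("http://", "https://")):
        raise NavError("reply carries no usable Uri: %r" % uri)
    return uri


def fetch_service_url(nav_url: str, timeout: float = 10.0) -> str:
    """POST a single byte (any value) to the navigation server and parse the reply."""
    request = urllib.request.Request(nav_url, data=b"\x00", method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return service_url_from_reply(response.read())


if __name__ == "__main__":
    print(service_url_from_reply(SAMPLE_OK))
```

Only service_url_from_reply is exercised offline; fetch_service_url shows the one-byte POST the text describes and needs a live navigation server.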
