Lumaqq debugger entry

Document directory

• Interface Preview
• Start work
• Analyze other packages
• Analysis Package
• Summary

Lumaqq developer documentation

Lumaqq debugger entry-1 part: Standalone Mode

Summary
The QQ protocol is extremely huge. We usually analyze the Protocol through packet capture. For packet capture, various platforms have corresponding tools. But what should we do after it is captured? Obviously, this process is very boring. I used to handle these tasks manually. Later, I made up my mind and wrote a tool, saving a lot of time. I'm leaving. In order to provide some useful tools for later users, leave the final document to the lumaqq debugger. The lumaqq debugger is a QQ package analysis tool. Although it is not perfect in some places (because it is difficult to complete, I am lazy), it is still very practical, it can be run as an independent program or as a sub-window of lumaqq. First, I will introduce how to use it in standalone mode.

Luma, Tsinghua University
Last Updated:

The lumaqq debugger source code is located in Edu. tsinghua. lumaqq. QQ. in the debug package, the main program is edu. tsinghua. lumaqq. QQ. debug. debugger, when running the program as an independent program, remember to add the parameter-djava. library. path = SWT

Interface Preview

When the lumaqq debugger runs in standalone mode, the interface is as follows:

Figure 1. Independent Mode Interface

The entire interface is divided into three areas: the package list on the left, the document display area on the top right, and the functional area on the bottom right. For the document display area, I originally planned to display the format of a package in real time, but this work has not yet been done, so the document display area is not very useful yet. In the package list area, all captured packages are displayed, and some packages are displayed.

Start work

To analyze the QQ package, you must have some initial conditions, such as the session key, user QQ number, and user password. These initial conditions can be input through "input initial argument" in the upper-left corner of the interface, the following is the input interface:

Figure 2. Initial Parameter input page

Well, you can see that we mainly provide three parameters here. One is the QQ number, the other is the password, and the other is the login reply package. The login reply package must be complete, that is, the header and the end of the packet must be included. After entering the preceding information, click OK to view the logon response package in the package list. At the same time, the buttons on the left will change, for example:

Figure 3. After Entering the initial parameters

The package list contains a login reply packet, which is the login response package you just entered (the icon in front of it indicates that this is a received package, incoming ), the button text is changed to "Debugger for user 375149072", which indicates that your initial parameter input is correct. The debugger can start subsequent work. If you enter an error, there is nothing.

Note that you cannot use the debugger without entering the initial parameters. You can also use functions that do not depend on the initial parameters in the functional area, functions that depend on initial parameters become grayed out and cannot be used.

Analyze other packages

If I have another package, how can I analyze it? Let's take a look at the functional area. In standalone mode, you can see two tabs on the functional area: "bytes" and "input ". Bytes is used to display the unencrypted content of a package, and the input is known by name, where the ciphertext is entered. Now let's enter a package to see the interface:

Figure 4. Input package

This package is a complete package. Its command is 0x001d, that is, the request key command. What should we do for the complete package? You can see a row of buttons in the input window:

1. Parse as packet: analyzes the input content as a complete package.
2. MD5: Make an MD5 for the content you entered. the MD5 result will be added to the content you entered, and your input will not be cleared.
3. Decrypt: This button is a drop-down button that provides many decryption options, because QQ has a lot of keys, you can choose based on the decryption method you need

Because we currently input a complete package, we can use parse as packet to analyze this package. Note that parse as packet will use the session key to decrypt the package. Therefore, if your package is not encrypted with the session key, this function is useless for the moment and can only be processed using the options in decrypt, this is not perfect, and I have never handled it.

After you click parse as packet, a "request key reply packet" option is added to the package list. This is the package name. You can select this package from the package list, then we can switch to the "bytes" window to view its specific content:

Figure 5. Observe the package content

The content displayed includes the header and the end of the packet. If you do not want to view the end of the packet, you can select "body only" to display only the content of the packet body.

Okay, so now we can analyze the package. But how tired it looks like so many numbers? It doesn't matter. I have provided you with some auxiliary menus to help you analyze them. You can select some content and right-click:

Figure 6. auxiliary function menu

There are still many functions. Since the names are so straightforward, we will not explain them. This right-click menu can also be used in input. In addition, if the package list contains too many breads and you want to clear some useless items, you can select some packages and right-click the package list to understand what to do. Also, if you think the package name is not intuitive enough, you can click them and give them a new name for identification. These will not be demonstrated.

Analysis Package

Sometimes you only want to analyze a piece and do not want to analyze the package (or because the debugger is not so strong), you can input a piece in the input, then use the decrypt menu for decryption. Therefore, when you use the decrypt menu for decryption, all input information should be ciphertext, and the contents such as the end of the packet header should not be. If the decryption fails, you must have incorrect input or incorrect key selection. Do not doubt my program. There is no bug in this regard. The following figure shows how to decrypt a piece:

Figure 7. decrypt drop-down menu

Figure 8. decrypted fragments

You see, after decryption is complete, there is an extra "fragment 1" in the package list, which indicates that it is the result of the decryption of a piece. You can select it, view the content in the bytes view.

I will explain the various keys in the decrypt drop-down menu:

1. Session Key: you should understand it all. Use the session key for decryption.
2. Password Key: the Key generated after the password is MD5.
3. File session key: The key used for transferring files
4. File agent key: Specifies the file transfer key, which is used for file transfer in transit mode.
5. Qq initial key: the initial key, that is, the key of the confidential login request package
6. User input key: if the key you want to use is not in the menu, you can use this. It will prompt you to enter a key. Note that the entered content must be a hexadecimal string, each byte is separated by a space. There are 16 bytes in total. Otherwise, an error is prompted.
7. Key of user input password: If you want to use a password key for decryption, you can enter a password here, the program will automatically use the password you entered for two MD5 attempts to decrypt your ciphertext

It must be noted that to use the file agent key for decryption, you must do more, because the login reply package does not contain the file agent key, you can also see that there is a link in the upper left corner called "input file agent Info", which is used to input information about file transfer. After you click, it requires you to enter the file agent key, 16 bytes, and then the file agent token, usually 56 bytes. Then you can use the decrypt menu. So where does the file agent key and file agent Token come from? From the 0x001d command, you must first analyze the 0x001d package, and then copy the corresponding key and Token input from it.

Summary

In fact, I don't want to write this content. I will always use it if I don't want it.

Lumaqq is a Java QQ client which has a reusable pure Java core and SWT-based GUI