Use WinPcap to simulate network packets to forge flash screen packets and winpcap packets

Use WinPcap to simulate network packets to forge flash screen packets and winpcap packets
Cause

I don't know when my colleagues started to vibrate on the screen in the autumn. Later, I became a daily flash. It is also troublesome to flash back. As a programmer, is there any way to be lazy? (My colleagues are responsible for user experience and do not know much about programming ). Then I tried the following ideas:

UI Automation

You can use UISpy to view the feiqiu chat window. Unfortunately, you cannot find the button for sending the pop-up screen vibration.

Simulate mouse events

Prepare to use mouse_event to send mouse events to simulate the pressing of the pop-up screen vibration. However, the positions of the vibrating buttons on the pop-up screen are different. If you want to move the window or change the window layout, You have to reset the coordinates.

Counterfeit network packets

I used to know WinPcap and Wireshark. Some time ago, I saw [c #] in the blog Park, recording the ARP spoofing of the lab Lan-Yosef Gao-blog Park, I learned that C # also has related parsing and sending tools. Start this plan decisively.

Feiqiu message data conjecture feiqiu Network Transmission

I know that feiqiu Chat uses UDP, and the default port is 2425. It doesn't matter if you don't know. Open feiqiu-> Settings-> network settings, and then you will find that feiqiu has clearly told us.

Pop-up screen Vibration

First open WireShark, set the filter condition to udp. port = 2425, and then send a pop-up screen vibration to the test machine.

Two messages are found, one of which is sent from the local machine to the other, and the other is sent to the local machine.

After sending a few flashes of screen vibration, we can roughly guess the rule of the vibration packets of the feiqiu screen. The sent packets are in the format of 1_lbt6_0 #128 # (the sender's MAC address, 16 bits) #0 #0 #0 #4001 #9: (the guess should be the serial number, but it is unclear) :( sender's user name) :( sender's host name) 209 :, the received message is ipvlbt6_0 #128 # (sender's MAC address, 16 bits) #0 #0 #0 #4001 #9: (guess it should be a serial number, but it is unclear) (sender's user name) (sender's host name) 210 :. We used WinPcap to simulate the packet sent from the pop-up vibration packet, and received the pop-up vibration on the test machine (I thought the serial number field would have an impact ).

Information

After sending a message to the test machine, several messages are found.

After comparing the message length and source, it is estimated that the other shorter packets from the local machine are sent messages such as being input and stopped, while the longer messages are sent messages. This is also true after verification. Feiqiu's information packets should be encrypted and cannot be directly guessed from them.

Emotion

The expression is similar to the information, but the expression looks compressed.

File

Generally, files are transmitted over TCP and verified. Indeed, the list of files to be sent by feiqiu is transmitted over UDP, and the specific file content is transmitted over TCP.

In UDP transmission, the local Party sends two packets, and the other party sends two packets. The file name is displayed for the second message sent by the local party.

In the TCP packet, apart from the three-way handshake established by the TCP connection and the four-way handshake established by the connection, the packet content can be clearly seen in the packets sent from other local machines.

This is a text file:

This is a binary file:

View the binary file in UltraEdit:

Description

Because I am mainly interested in the study of pop-up screen vibration, I simply checked the other functions and did not study them in depth.

Code implementation software interface

Initially, the system creates a simulated pop-up screen vibration without entering any message information, but the login user name cannot be obtained through the network, in addition, you can enter other message strings copied from WireShark in the sending message string to simulate other messages (such as information and expressions.

Notes

To use PacketDotNet. dll and SharpPcap. dll, you need to install WinPcap (I directly installed WireShark, which contains WinPcap ).

Download link

Blog: FeiqCheater

Update and update challenges