Analysis of QQ simulated login implementation

Analysis of QQ simulated login implementation

0x00 Overview

It was originally issued together with the previous article. Later, it was put on hold.

I'm glad to have been involved in the discussion and discussion. (B) slot (4). In fact, I don't have any advanced technology. I just found out when I review and refactor the previous tools, few people discuss and share these things.

Today I will share two things.

QQ simulated login implementation-yugong mountain migration (process self-implemented) QQ simulated login Implementation Using arrows (client quick login implementation)

Of course, dry goods are boring. If you don't want to read the article, you can directly read the code.

The first sharing is a supplement to my previous article. The QQ simulated login implementation is (based on the V8 engine)

You can refer to the encryption process implemented by the tx js Code. Due to limited personal capabilities, the TX tea algorithm directly references the hoxide 2005 python-based implementation.

The second sharing is actually mainly to use the QQ client for fast login. Quick login depends on the environment, but it also has many advantages, so we don't need to process the password; of course, this logon method has limited application scenarios. Currently, it is mainly used in crawler and scanner scenarios.

0x01 QQ simulated login implementation: yugong mountain migration (Process Algorithm Implementation)

In the previous article: QQ simulated login implementation (based on the V8 engine)

We shared the QQ Account Password Logon Process and the password encryption method based on the JS engine. We used a simple and practical method to achieve "usable ".

But for a security enthusiast, sometimes we need to go deeper. Can we implement a set of encryption procedures and algorithms on our own? Therefore, this article focuses on the analysis of the TX password processing process.

Password handling process overview

After learning about the logon process, we need to consider a problem when analyzing and implementing simulated logon. What is the password?

To understand how passwords are handled, we must first understand the following three algorithms: MD5, RSA, and TEA. Among them, MD5 is a hash algorithm, which is commonly used; RSA is an asymmetric encryption algorithm, which is also known to everyone. Here we need to describe the TEA algorithm.

The TEA Algorithm Tiny Encryption Algorithm is a grouping Encryption Algorithm, which is easy to implement. The TEA algorithm uses a 64-bit plaintext group and a 128-bit key, and requires 64 rounds of iteration.

However, the TX_TEA algorithm makes some modifications to the traditional TEA algorithm. For details, refer to the logged-on JS. Here is a simple description: TX only uses 16 rounds of iteration; TX_TEA encrypts the data stream and uses the feedback random intertwined filling mode.

Encryption Process

Encryption Flowchart

Basically, you can understand the encryption process of the QQ password.

The light blue is the source data, while the green is the processing method of some passwords (encryption, HASH, replacement ).

Source data:

Password: passwordsalt: salt, returned from the check interface verifycode: returned from the check interface rsaKey can be obtained in the js source code

Data Description:

RsaData: rsa (md5 (pwd), rsaKey) hex_verifycode: hexadecimal verifycode

Finally, the tea algorithm tea (v, k)

V is the byte array k of (rsaDataLen + rsaData + salt + verifycodeLen + hex_verifycode) and is the byte array of md5 (md5 (pwd) + salt)

The result is base64-encoded.

Replace is a simple replacement to Replace the following three characters

/ -> -+ -> *= -> _

The encrypted password is a string of 216 characters. The format is as follows:

#!bash37Hro2-AgR4d8ZkU1L-6FqYhTUdhywhLlD2WihfVZGqZmz5R1RlwBsYPNowY0ZHJxcISmwpW0e7ppcoEDTGYyM5*6ZPJNUnZnb4h4Ke*qIBnFlTkiYFUhUwvXgOEvfIDTgCZIWsiFT6EauXujkB2i5yNFobx9aN5vw2xFyE1E2VoF*LV952q0mQO-HiooQZfMocl13kxFgxtVQaSRpm7Rg__

Reference code:

#! Pythondef tx_pwd_encode (self, pwd, salt, verifycode): "" js: getEncryption (t, e, I, n) t = pwd, e = salt binary form, I = verifycode, n: default undefined # "" salt = salt. replace (R' \ x', '') e = self. fromhex (salt) md5_pwd = o = self. tx_md5 (pwd) r = hashlib. md5 (pwd ). digest () p = self. tx_md5 (r + e) a = rsa. encrypt (r, self. rsaKey) rsaData = a = binascii. b2a_hex (a) # rsa length s = self. hexToString (len (a)/2) s = s. zfill (4) # verifycode is first converted to uppercase, and then converted to bytes verifycodeLen = hex (len (verifycode )). replace (r "0x ",""). zfill (4) l = binascii. b2a_hex (verifycode. upper () # verifycode length c = self. hexToString (len (l)/2) c = c. zfill (4) # TEA: KEY: p, s + a + TEA. strToBytes (e) + c + l new_pwd = s + a + salt + c + l saltpwd = base64.b64encode (tea. encrypt (self. fromhex (new_pwd), self. fromhex (p ))). decode (). replace ('/','-'). replace ('+ ','*'). replace ("= ","_")

Code Portal:
Https://github.com/LeoHuang2015/qqloginjs/blob/master/autologin_account.py

0x02 QQ simulated login Implementation Using arrows (client quick login implementation)

When we crawl and scan QQ, we often need to consider the login situation. If we use the user name and password, it may be due to some risk control rules, the image verification code is required when we log on multiple times, which can be avoided by using quick logon.

Process sorting

The client quick logon method is that the user has logged on to the QQ client software on the PC end. If the user opens the Web page to log on again, you do not need to enter the user name and password. You only need to select the account you have logged on, click OK to log on.

In essence, quick logon replaces tokens with clientkey.

After logging on to the QQ client, a 224-long clientkey authentication string is generated. Each login will change as follows:

#!bash000156DCEB4E0068663F53B8B402784291BB6E74C482BFB6367FF48FB970443E9B9682359E8F1F92D5A814B097D12D938B96B30742DDE5CDA8E453EB7CD31A5121416637D945615C661285F5306884D959184AB1E4F7CFA83BC9FAF069C1E5878320ECF79EF8751320763492752A1433

Early quick logon was implemented by various browsers using plug-ins, such as supported by IE ActiveX controls. firefox is a plug-in that embeds clientkey through the plug-in.

Later, non-plug-ins are supported. Each dynamic access to the local server (localhost.ptlogin2.qq.com) bound to the QQ client gets the clientkey, and then replaces the token with the clientkey.

Overall process

Client quick logon is mainly divided into two situations:

One is the plug-in mode. Use clientkey to replace the token for login;

The other is the fee plug-in mode, or the clientkey has some exceptions. You can request the server to set the clientkey to the cookie and then replace the token for login.

Process Analysis clientkey exists and normal/plug-in Mode

1. component loading & getting user profile information

Log On with the same account and password, but here you get the user profile and nickname that have logged on to the QQ client.

Get login information, user
Http://ptlogin2.qq.com/getface

Return: account and Avatar address (there are multiple accounts logged on from clients and multiple accounts are requested)

2. Log in

Clicking login is actually a process in which the clientkey replaces the token.

The request carries the clientkey for authentication.
Http://ptlogin2.qq.com/jump

If the client is incorrect, the client will fail to log on. Subsequent login will not trust the original clientkey and will follow the process where the clientkey does not exist/is abnormal.

Clientkey not stored or abnormal/no plug-in installed

1. component loading & getting User Information & getting user profile information

Because the clientkey here provides a step-by-step process for obtaining user information

Reference url:

#!bashhttp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.5314265366275367&pt_local_tk=0.3291951622654449

Return, account information, client type, nickname, and other information

PS: If no result is obtained, the system will try again for a total of five times. For example, the http ports are 4308, in sequence.

Then obtain the user profile information (same as above ).

2. Log in

Obtain the clientkey

Reference URL:

#!bashhttp://localhost.ptlogin2.qq.com:4300/pt_get_st?clientuin=1802014971&callback=ptui_getst_CB&r=0.11057236711379814&pt_local_tk=0.3291951622654449

Return: sets the clientkey to cookie, and returns the callback method.

#!jsvar var_sso_get_st_uin={uin:"1802014971"};ptui_getst_CB(var_sso_get_st_uin);

Then perform login replacement
Http://ptlogin2.qq.com/jump

Return: Set cookie

#!jsptui_qlogin_CB('0', 'http://www.qq.com/qq2012/loginSuccess.htm', '');

After setting the cookie, request the following url of the ptlogin2.qq.com domain to complete the cookie setting for the ptlogin2.qq.com domain and the qq.com domain, and delete the two cookie values: clientuin and clientkey.

Simulation Implementation

We need to simulate the implementation of quick logon and adopt a non-plug-in mode process. The process itself is relatively simple and there is no complicated algorithm, as shown below:

Obtain the signature. Obtain the client's QQ number. User Name and environment detection. Obtain the clientkey and replace the token.

Note the following two security points:

Token verification: the requested pt_local_tk will be verified with pt_local_tk in the cookie; Referrer verification: referer limits the QQ domain.

Reference code:

#!pythondef get_client_uins(self):    '''    get client unis info    need: token check & referer check    '''    tk =  "%s%s" %(random.random(), random.randint(1000, 10000) )    self.session.cookies['pt_local_token'] = tk    self.session.headers.update({'Referer':'http://ui.ptlogin2.qq.com/'})

Reference code for specific implementation:
Https://github.com/LeoHuang2015/qqloginjs/blob/master/autologin_quick.py