Feixin, are you really safe?

Introduction to China Mobile Feixin: Feixin is a real-time communication product launched by China Mobile that carries business applications and entertainment functions. Through PCs or mobile terminals, users can achieve text and voice communication anytime and anywhere, this satisfies the needs of mobile phone users for in-depth communication. As long as the China Mobile Network is covered, you will not lose contact with your friends. apsara provides an unrestricted communication and communication platform.

The launch of fetion is a continuation of the Chinese IM market's basic model of copying the Korean IM market. With the huge advantage of mobile operation, fetion is launched to the market. Although it is still in the promotion stage, however, it is foreseeable that the mobile phone-PC interactive communication function will further strengthen the improved market potential and have a huge impact on the IM market.
Here I will not talk much about how good Feixin is. In the future, there will be a lot of prospects and money. I just want to use it to analyze its security. A few days ago, I saw an advertisement on csdn saying that Feixin was super secure, and there were no Trojans, such as account theft,
(I do not remember how to say the original advertisement, which is probably the meaning ). I laugh, and even the best shield will have a spear that can be stabbed. There is no Trojan to steal the number, just because people have not realized the value of this thing.
It's okay to coax a child, cool a programmer.
Download and install Apsara. net.
I'm a little happy to write about 2.0. NET development has always been plagued. net is still very difficult to promote in China, and it is hoped that the success of China's Feixin will also be more active in China by the way. NET Enterprise success, get down to the truth, log on to the Apsara stack owner
Interface, enter the account password, do not click to log on, take out spy ++ to see, a look dizzy, actually combox and edit can directly get the handle ..., no processing, no msn
Directui does not have qq np protection, and the remaining result is:

What do you see? The password is out, and it is an unencrypted password. you should understand the program here. Is there security? Send a message to textbox to retrieve the password...
For further analysis, the default method of Apsara stack is to save the user password. Since the password can be decrypted and restored when you start Apsara stack, the password can be restored locally. however.. net programs are not protected.
Reflector is almost the source code level. The fetion client does not perform any obfuscation encryption (probably for stability), and the reader looks at the code with patience, the storage method is to encrypt the configuration in XML.
In the file, the password in the configuration is encrypted again with DES, but the two keys required for decryption ....
Here, I just want to briefly describe that this encryption method is very insecure. Considering the harmfulness, the specific decryption code is not disclosed and I am interested in it.
When I read reflector myself, it is easy to copy the source code. I guess if the Apsara server uses the hash comparison instead of the plaintext comparison, why does the client not store the hash password? In this way, only one
Hash pass, Feixin, local protection is so fragile, how can we rest assured?
I made a passreader according to the method of fetion. Below are some
 
The program EXE and code will not be released. I just want to describe the improvement of fetion.
In terms of network transmission, Apsara uses the HTTPS protocol and does not analyze it because it is relatively secure.

Another interesting thing was found: the Feixin directory.
Vmdotnet is not installed. the net2.0 machine can run Apsara but cannot run my program. That is to say, Apsara has a VM ..., able to read by yourself.. Net Package content
You need to install the. NET environment... you don't know how to implement it. I want to know the technical details :)

This article only analyzes the unsafe factors of Apsara from a technical perspective. We hope that Apsara engineers will improve the next version after reading this article: after all, everyone wants to use relatively secure IM software :) and the free SMS of fetion is very good ^ o ^