I have nothing to do with studying the encryption method of the Ku dog cache file kgtemp, and I have nothing to do with kgtemp.
This post is original. For more information, see the source order.
A few days ago, I updated the cool dog that had been beaten in the Cold palace for a long time. After entering the room, I felt a tight chrysanthemum ----Test listening to the home must all enable music package (high product and lossless)Okay, WTF!
This means that the previous cache won't be able to hear any more. In line with the principle that haomu will not go back to the grass, he does not intend to downgrade it. the download of PJ is worried about being implanted with malicious code, fail
As a programmer, how can I be defeated by your tricks? You must have a color look!
Exploration
First, we compared the cached file and the downloaded mp3 file, and found that the cached file contains 1024 more bytes, and compared with several cached files, the first 1024 bytes are the same, it seems a blind eye, removing these 1024 bytes should be the original audio data.
Then the comparison before and after encryption:
We will find that a bunch of 0x55 values before encryption are converted into 0xA9 0xE9 0xDA 0x52 cycles. This indicates that 4-byte cyclic encryption is used, and then switched to a binary system.
0x55 0x55 0x55 0x55 01010101 01010101 01010101 before encryption
Encrypted 0xA9 0xE9 0xDA 0x52 10101001 11101001 11011010
Symmetric byte-based encryption operations also shift cyclically or change the number or take the opposite, but the above several sets of cyclic shift and take the opposite are not similar, assume that it is an odd or fixed number a B C D, and then fill in the blank question:
0x55 0x55 0x55 0x55 01010101 01010101
A B C D 11111100 10111100 10001111 00000111
0xA9 0xE9 0xDA 0x52 10101001 11101001 11011010
It is concluded that a B C D is 0xFC 0xBC 0x8F 0x07 respectively, and then the data at the beginning is verified:
0x49 0x44 0x33 0x03 01001001 01000100 00110011
Xor 0x3C 0xAC 0xEF 0x67 00111100 10101100 11101111
Encrypted 0x75 0xE8 0xDC 0x64 01110101 11101000 11011100
This time a B C D is 0x3C 0xAC 0xEF 0x67
Nana? Not fixed? WTF!
Both groups a B C D low 4 digits are C A F 7
It seems that the final result is calculated by xor, but the four-digit value is more complex.
Based on the nature of 0 xor X = X, I found a group of comparisons before and after 0 encryption,
0x00 0x00 0x00 0x00 00000000 00000000
Encrypted 0xAC 0xEC 0xDF 0x57 10101100 11101100 11011111 01010111
Then a B C D 4-bit high corresponds to 0xA 0xE 0xD 0x5
Verify with the data starting:
0x49 0x44 0x33 0x03 01001001 01000100 00110011
Xor 0xAC 0xEC 0xDF 0x57 10101100 11101100 11011111
Encrypted 0xE5 0xA8 0xEC 0x54 11100101 10101000 11101100
Still wrong, and found that as long as the number before encryption is 4 bits high = 4 bits low, the encrypted 4 bits are fixed as 0xA 0xE 0xD 0x5
Isn't this the 4-digit high 4-digit in xor? From (0 xor X = X) and (X xor X = 0), we can see that the 4-digit high algorithm should be like this:
Take the 4-bit high and 4-bit H and L of the input number respectively, and then take the 4-bit high of the xor. The result is Y = H xor L xor I.
Check the preceding three groups of data.
Verification Code
Now that the encryption algorithm has been guessed, verify the verification code to check whether the MD5 of the decrypted file is equal to the cached File Name:
Class Program {static void Main (string [] args) {byte [] key = {0xC, 0xC, 0xF, 0x7}; byte [] xor = {0xA, 0xE, 0xD, 0x5}; using (var input = new FileStream (@ "E: \ KuGou \ Temp \ 23799b6016c6e98365e5225f488dd7a. kgtemp ", FileMode. open, FileAccess. read) {var output = File. openWrite (@ "d: \ test.pdf"); // output file input. seek (1024, SeekOrigin. begin); // skip the header byte [] buffer = new byte [key. length]; int length; while (length = input. read (buffer, 0, buffer. length)> 0) {for (int I = 0; I <length; I ++) {var B = buffer [I]; var low = B & 0xf ^ key [I]; // the decrypted low 4-bit var high = (B> 4) ^ xor [I] ^ low & 0xf; // The decrypted high 4-bit buffer [I] = (byte) (high <4 | low);} output. write (buffer, 0, length);} output. close ();} Console. writeLine ("press any key to exit... "); Console. readKey ();}}
Result: The MD5 value of the output file is the same as that of the cache file.