QQwry.dat format analysis and query IP location of the PHP program

Program QQwry.dat format analysis and query IP location of the PHP program

by STRONGC http://strongc.51.net/d2x/
Reprint do not remove my name and my homepage link, thank you!

The previous manhunt database was too large and has not been updated for a long time.
So I think of using QQwry.dat this file query IP location, QQwry.dat in many places can be found, the general look at the IP address of the QQ compression package have.

But there is no relevant format information.

I analyzed the format of this document, and now I have the following conclusion:

The format is as follows:

A. File header, total 8 bytes
B. End address of several records + country and region
C. Fixed length, 7 bytes by starting address + End address offset from small to large arrangement
D. All IP is recorded in 4-byte integers, and is in the Intel order, high on the back, low in front.
E. All offsets are absolute offsets, which are computed from the beginning of the file.
F. In addition to the file header with two 4 byte offsets, the remaining offsets are in 3 bytes.
G. All offsets are low in the front, high on the back
H. Some string compression techniques are used

1. File header, total 8 bytes
Firststartipoffset:4 the absolute offset of the first starting IP
Laststartipoffset:4 the absolute offset of the last originating IP

2. Start address + End address offset record area
7 bytes per record, from small to large by start address

Startip:4 start address, integer form of IP
Endipoffset:3 End Address Absolute offset

3. End Address + country + Area record area

Endip:4
Country + Regional record: indefinite length

4. National + Regional Records, there are several forms
4.1.
Country string, ending with 0x0
Area string, ending with 0x0

4.2.
Flag:1 Identity value: 0x1, no local records after
0x2, there's a local record back there.
Scountryoffset:3 the actual string is going to this offset position to find
Localrec: Indefinite length, optional according to flag value. This record is similar to country and may be compressed

4.3 LOCALREC structure A
Flag:1 is not quite aware of this flag meaning, 0x1 or 0x2
Slocaloffset:3

4.4 LOCALREC Structure II
Slocal: Indefinite long normal C-style string

Note: The location of the Scountryoffset point may still be in the 4.2 format, and I don't know why.


Flag take 0x1, Scountryoffset point to the location may be flag for 0x2, at this time, Localrec also here to find.

Now I don't understand what it means to record the location of the local to the 0X2 flag.

There seem to be some errors in the Qqwry.dat.
Individual records local will be written as:
0x2,0x0,0x0,0x0
According to the rules, you should go to the beginning of the file to look for it, however, the first document is obviously not record these.

I learned PHP soon, you do not laugh, you have to improve of course good, remember to give me a copy.
I refer to some of the code found on the Internet, I do not write the source.

To tell you the truth, I have a headache. PHP cannot explicitly specify the type of the variable.
For example, I want to make a number is an unsigned plastic surgery, it is very disobedient, not if with a minus sign, I have to try all kinds of possible writing ...
How do you guys deal with something like that?




Define (' Qqwry ', $qqwry _root_path. ' QQwry.dat ');

function Iptoint ($Ip) {
$array =explode ('. ', $Ip);
$Int = ($array [0] * 256*256*256) + ($array [1]*256*256) + ($array [2]*256) + $array [3];
return $Int;
}

function Inttoip ($Int) {
$b 1= ($Int & 0xff000000) >>24;
if ($b 1<0) $b 1+=0x100;
$b 2= ($Int & 0x00ff0000) >>16;
if ($b 2<0) $b 2+=0x100;
$b 3= ($Int & 0x0000ff00) >>8;
if ($b 3<0) $b 3+=0x100;
$b 4= $Int & 0x000000ff;
if ($b 4<0) $b 4+=0x100;
$Ip = $b 1. '. $b 2. '. ' $b 3. '. ' $b 4;
return $Ip;
}


Class Tqqwry
{
var $StartIP = 0;
var $EndIP = 0;
var $Country = ';
var $Local = ';

var $CountryFlag = 0; Identify Country Location
0x01, followed by a 3 byte country offset, no local
0x02, followed by a country offset of 3 bytes, followed by local
Other, country,local,local have similar compression. may be multiple references.
var $fp;

var $FirstStartIp = 0;
var $LastStartIp = 0;
var $EndIpOff = 0;

function Getstartip ($RecNo) {
$offset = $this->firststartip + $RecNo * 7;
@fseek ($this->fp, $offset, Seek_set);
$buf = Fread ($this->fp, 7);
$this->endipoff = Ord ($buf [4]) + (ORD ($buf [5]) *256) + (ord ($buf [6]) * 256*256);
$this->startip = ord ($buf [0]) + (ORD ($buf [1]) *256) + (Ord ($buf [2]) *256*256) + (Ord ($buf [3]) *256*256*256);
return $this->startip;
}

function Getendip () {
@fseek ($this->fp, $this->endipoff, Seek_set);
$buf = Fread ($this->fp, 5);
$this->endip = ord ($buf [0]) + (ORD ($buf [1]) *256) + (Ord ($buf [2]) *256*256) + (Ord ($buf [3]) *256*256*256);
$this->countryflag = Ord ($buf [4]);
return $this->endip;
}

function Getcountry () {

Switch ($this->countryflag) {
Case 1:
Case 2:
$this->country = $this->getflagstr ($this->endipoff+4);
echo sprintf (' endipoffset= (%x) ', $this->endipoff);
$this->local = (1 = = $this->countryflag)? ': $this->getflagstr ($this->endipoff+8);
break;
Default:
$this->country = $this->getflagstr ($this->endipoff+4);
$this->local = $this->getflagstr (ftell ($this->fp));

}
}


function Getflagstr ($offset)
{

$flag = 0;
while (1) {
@fseek ($this->fp, $offset, Seek_set);
$flag = Ord (fgetc ($this->fp));
if ($flag = = 1 | | $flag = = 2) {
$buf = Fread ($this->fp, 3);
if ($flag = = 2) {
$this->countryflag = 2;
$this->endipoff = $offset-4;
}
$offset = Ord ($buf [0]) + (ORD ($buf [1]) *256) + (Ord ($buf [2]) * 256*256);
}else{
break;
}

}
if ($offset < 12)
Return ";
@fseek ($this->fp, $offset, Seek_set);
return $this->getstr ();
}
function Getstr ()
{
$str = ';
while (1) {
$c = fgetc ($this->fp);
if (Ord ($c [0]) = = 0)
break;
$str. = $c;
}
return $str;
}


function Qqwry ($dotip) {

$nRet;
$ip = Iptoint ($dotip);

$this->fp= @fopen (Qqwry, "RB");
if ($this-&GT;FP = = NULL) {
$szLocal = "Openfileerror";
return 1;

}
@fseek ($this->fp, 0, Seek_set);
$buf = Fread ($this->fp, 8);
$this->firststartip = ord ($buf [0]) + (ORD ($buf [1]) *256) + (Ord ($buf [2]) *256*256) + (Ord ($buf [3]) *256*256*256);
$this->laststartip = Ord ($buf [4]) + (ORD ($buf [5]) *256) + (ord ($buf [6]) *256*256) + (ord ($buf [7]) *256*256*256);

$RecordCount = Floor (($this->laststartip-$this->firststartip)/7);
if ($RecordCount <= 1) {
$this->country = "Filedataerror";
Fclose ($this-&GT;FP);
return 2;
}

$RangB = 0;
$RangE = $RecordCount;
Match ...
while ($RangB < $RangE-1)
{
$RecNo = Floor (($RangB + $RangE)/2);
$this->getstartip ($RecNo);

if ($ip = = $this->startip)
{
$RangB = $RecNo;
break;
}
if ($ip > $this->startip)
$RangB = $RecNo;
Else
$RangE = $RecNo;
}
$this->getstartip ($RangB);
$this->getendip ();

if ($this->startip <= $ip) && ($this->endip >= $ip)) {
$nRet = 0;
$this->getcountry ();
It's not so good ... it's not nice. So..........
$this->local = Str_replace ("We must liberate Taiwan!!! "," ", $this->local);

}else {
$nRet = 3;
$this->country = ' unknown ';
$this->local = ';
}
Fclose ($this-&GT;FP);
return $nRet;
}
}


function Ip2location ($IP)
{
$wry = new Tqqwry;
$nRet = $wry->qqwry ($IP);
can use $nRet to do something, I was let him automatically record unknown IP to a table, the code is not written.
Return $wry->country. $wry->local;
}