OICQ 99C version encryption method research report

zhaozj2021-02-08  288

OICQ is a commonly used communication software on the Internet. This article will give the password encryption method of the OICQ latest version 99C, encrypting the encryption method between the servers and the encryption method between users. First, password encryption of each OICQ account is saved in a local file. When logging in to OICQ, first compare the input passwords with the local file. If the password is not in accordance with the file, the prompt is prompted "The password entered is inconsistent with the last successful login, is it to server authentication?". The password file of OICQ 99C is Matrix.cnt. The password file of OICQ 99B is Matric.EWH. The function prototype of the password encryption algorithm is: Void Calcpassword (int LEN, CHAR * OUTBUFFER) Parameters: Password is the input clear password Len: Password length Outbuffer: Secure 16 bytes of encryption passwords. Description: This function finds the debugging tool to 15F: 456718. This function is used when communicating between password encryption and users. The maximum password that is known to be calculated is 20 bytes, and the encrypted communication is encrypted between users. The password file of OICQ99B is MATRIX.EWH saved in each OICQ account directory after calcpassword calculation, which is 16 bytes. Therefore, this file can be used to use violence to crack. The password file of OICQ99C is more complicated. The first time the password will be calculated with Calcpassword, and then the result is calculated as a password, and iterates many times. The number of calculations is represented by a double word of 4 bytes. Save 4 bytes of the number of times and the calculated password in the Matrix.cnt file of each OICQ account, this file is just 20 byte lengths. Because iterative calculations have been calculated, the password calculation time is greatly extended, and the password of using violent crack OICQ99C is almost unlikely. Second, the history of chat history is in the history of each person's chat, the file name is the other OICQ. MSH (99b) or .msj (99c) file. The prototype of the core decryption function is: BOOL DECODE (Char * SRC, INT SRCLEN, CHAR * DECODEKEY, CHAR * OUTBUFFER, INT * Poutlen) Parameters: SRC: Buffer that stores encrypted data. Srclen: SRC bytes. DecodeKey: Secure 16 bytes of keys. Outbuffer: Outputs the address of the plain text buffer. Poutlen: Decoupted the length storage address. Description: This function entry address: 15F: 456D33. This function is decrypted in a key. If you returned to true, you will return false. Obviously, the key to decryption is how to get 16 bytes of key DecodeKey. The key generation of chat history is not required. The algorithm is: 1. Call the password calculation function Calcpassword with the current IICQ number, and draw a temporary key KeyCode 1.2, with keycode1 as the key, decrypt. The data is file Matrix2.EWH (99B to Matrix.EWH) from 0 to 0st, the length is 32 bytes, the 16-byte key is solved to KeyCode 2.3, with keycode2 as the key, can Solve the history of chatting with anyone. For example, to view the chat history of the OICQ number 123456, the algorithm is: byte keycode1 [16]; byte filebuffer [32]; // read file matrix2.ewh, from 0, 17th word, length 32 Save in FileBuffer. ReadTobuffer (FileBuffer); // Calculate Keycode1CalcPassword ('123456', 6, Keycode1) with the current OICQ number.

// Calculate keycode2byte keycode2 [16]; int LEN = 16; DEOCODE (FileBuffer, 32, Keycode1, Keycode2, & Len); // Now Keycode2 is a key to see any chat history. // Look with the history of 888888, read the file 888888.msj to the buffer LargerBufferDecode (Largerbuffer, LargerBufferlen, Keycode2, Outbuffer, * Outlen), and after successful Outbuffler's chat record. Third, encryption with server communication corresponds to Decode, is an encryption function ENCODE. Void Encode (Char * SRC, INT SRCLEN, CHAR * ENCODEKEY, CHAR * OUTBUFFER, INT * Poutlen) Parameters: SRC: Ming Text Buffer. Srclen: The length of the plain text buffer. EncodeKey: Secure 16 bytes of encrypted keys. Outbuffer: Output an encrypted buffer. Poutlen: The save address of the output length. Description: This function entry address: 15F: 456B62. Encrypt the plain text, the key is EncodeKey. Decryption can be decrypted with the DECODE function and the same key. l Login Server: The transmitted packet is {byte B1; fixed to 0x2byte B2; fixed to 0x3Byte B3; fixed to 0xAbyte B4; fixed to 0x0byte cmd; login server is 0x15. Word seq; sequence number, store DWORD OICQ number from high to low; to store binary OICQ numbers from high to low. BYTE Key [16]; randomly generated 16 bytes of key. BYTE BUFFER [64]; 64 bytes of encrypted content. BYTE Endchar; fixed to 0x3. The core is the content of Buffer [64]. Call Calcpassword with passwords, then encrypt the particle of 0 length as the key to the key, result in a 16-byte result, and then transmit it. For example, the password is' abc123 ', algorithm is Byte Passkey [16] Calcpassword (' ABC123 ', 6', passkey) Byte Keycode [16] int keycodelen = 16; Encode (0, 0, passkey, keycode, & keycodelen) Byte Sndbuffer 51]; MEMSET (SNDBUFFER, 0, 51) Memcpy (SNDBuffer, Keycode, 16) // Sndbuffer The rest of the content is the current machine IP and other information, unrelated to the check password byte result [64] int SResultlen = 64encode (SNDBuffer, 51 Randomly generate 16 bytes of key, Result, & Resultlen finally send the 16-byte random key and 64-byte encrypted password to the server verification. If you can use Sniffer to listen to the communication of others with the server, you can make a password crack. Of course, you can also crack the online password by the server, but the speed is slow, no practical value. l If the login is successful, the server returns a 16-byte key-ServerKey. l UPD packet format is BYTE B1; fixed to 2Byte B2; fixed to 1byte B4; fixed to 0Byte B4; fixed to 0Byte CMD; log in to 0x15word SEQ; from high to low order, the sequence of sequence is consistent with the sent SEQ. BYTE MSG [56]; BYTE Endchar; Fixed 0x3. With the password, pass the Calcpassword calculation, draw 16 bytes of keys, decrypt MSG. The 16 bytes starting from the first byte are temporarily called ServerKey. This key is often changed.

转载请注明原文地址:https://www.9cbs.com/read-1462.html

New Post(0)