QQ2004 SP1 Encrypted File Structure and Encryption Algorithm Analysis

xiaoxiao2021-03-06  39

Original:

http://bbs.ped.com/showthread.php?s=81db34495070105750b05461f05e5c0b&threadid=7933

I tested it and it really can view the chat records on the work unit's computer; the rest I have not tested. Let's see what inspiration everyone draws from it, heh heh ^_^

//

A complete analysis of the local encryption strategy of QQ2004 SP1! (Original)

QQ2004 SP1 Encrypted File Structure and Encryption Algorithm Analysis

Author: out of the universe (lotusroots)

Completion time: 2004.12.3

Type: author's original work

My original intention was to write a brute-force cracker for the QQ local password, but now I find that QQ is nauseating: it loops N (N > 60000) times. I can still write it, but it may take a very long time to compute even a short password. Ugh! I'll go back and look at my own MD5 implementation to see where it can be greatly improved. If that doesn't work, I'll see whether it can be written in a networked form; that may have to start from the decryption algorithm.

OK, enough nonsense; the problem of QQ local file encryption is described below. The QQ local password file is saved as EWH.DB, and the encryption method is a combination of MD5 and a simple bit transformation.

One: Password file structure.

The password file structure can be represented as follows:

struct file_ewh_db
{
    FileHeader *header;   // file header
    FileBlock  *blocks;   // the file blocks (as many as the header says)
};

The graphical structure of the file is as follows:

 ___________________________________________________
|           |                |                |     |
| file head | file block one | file block two | ... |
|___________|________________|________________|_____|

Below we analyze the structure of file headers and file blocks, respectively.

1. File head.

The file header is 6 bytes in total: the first byte is fixed at 51h ('Q'), the second byte is fixed at 44h ('D'), the third and fourth bytes are both 01h, and the 16-bit value starting at the 5th byte is the number of file blocks.

2. File block.

The structure of the file block is as follows:

struct FileBlock
{
    INT8  type;            // block type (QQ uses only 4 and 7)
    INT16 namelen;         // block name length
    INT8  name[namelen];   // block name
    INT32 datalen;         // block data length
    INT8  data[datalen];   // block data
};

For convenience, INT8 here denotes one byte, and the others follow by analogy (INT16 two bytes, INT32 four bytes).

A practical example:

My own QQ password file (don't crack me!); the data is as follows:

00000000: 51 44 01 01 03 00 04 03 00 BD AF A8 04 00 00 00
00000010: C9 6A 09 00 07 03 00 B9 AB B4 10 00 00 00 0F C5
00000020: E9 D4 31 15 2F 12 C4 1C 0A 46 95 90 DB 98 04 03
00000030: 00 A9 B5 B2 04 00 00 00 69 F4 AA 02

A total of 60 bytes.

It can be seen that the file contains 3 blocks (the count 03 00 at offset 4), of types 4, 7 and 4 respectively; the type-7 block is the password block described later. The multi-byte fields are stored low byte first, as the count 03 00 and the length 04 00 00 00 show.

Everyone can work through it and check whether the file structure matches.

Two: QQ encryption algorithm.

The result of the password encryption is saved in EWH.DB. The data of the first block is the number of MD5 rounds applied to the password, and the data of the second block is the encrypted result.

Its encryption process, described simply, is as follows:

1) Let the password be m[] and the number of encryption rounds be n;

2) for (i = 0; i < n; i++)    // n = 0x96ac9 in the file above
   {
       m = md5(m);
   }

3) for (i = 0; i < 16; i++)
   {
       m[i] = (~m[i]) ^ al;    // bitwise NOT, then XOR; al here is the length of the password block data
   }                           // al = 10h in the file above
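The following is an added example, not code from the original post or from QQ: a parser for the EWH.DB layout from section one and the password transform from section two, run against the 60-byte dump above (embedded here as the only sample input). The header magic is taken to be the bytes 51h 44h ("QD"), multi-byte fields are read low byte first as the dump shows, and the function and variable names are this example's own. It also shows, at a small round count, that the transform is unsalted: the same password always yields the same stored bytes, which is why the file's only real defence is the round count.

```python
"""Parser and password transform for the QQ2004 SP1 EWH.DB layout (added example)."""
import hashlib
import struct
from dataclasses import dataclass

# The 60-byte dump from the post, 16 bytes per row (constructed sample input).
SAMPLE_EWH = bytes.fromhex(
    "51 44 01 01 03 00 04 03 00 BD AF A8 04 00 00 00 "
    "C9 6A 09 00 07 03 00 B9 AB B4 10 00 00 00 0F C5 "
    "E9 D4 31 15 2F 12 C4 1C 0A 46 95 90 DB 98 04 03 "
    "00 A9 B5 B2 04 00 00 00 69 F4 AA 02"
)

PASSWORD_BLOCK_TYPE = 7   # the post: type 7 is the password block


@dataclass
class Block:
    btype: int
    name: bytes    # stored obfuscated; the post does not give the name algorithm
    data: bytes


def parse_ewh(buf: bytes) -> list:
    """Parse the 6-byte header and the blocks that follow it.

    Every length is validated against the buffer so a truncated or
    tampered file raises instead of silently yielding short fields.
    """
    if len(buf) < 6 or buf[0:2] != b"QD":          # 51h 44h
        raise ValueError("not an EWH.DB file: bad magic")
    if buf[2:4] != b"\x01\x01":
        raise ValueError("unexpected header bytes 3-4")
    (count,) = struct.unpack_from("<H", buf, 4)    # 16-bit block count, low byte first
    off, blocks = 6, []
    for _ in range(count):
        if off + 3 > len(buf):
            raise ValueError("truncated block header")
        btype = buf[off]
        (namelen,) = struct.unpack_from("<H", buf, off + 1)
        off += 3
        name = buf[off:off + namelen]
        if len(name) != namelen:
            raise ValueError("truncated block name")
        off += namelen
        if off + 4 > len(buf):
            raise ValueError("truncated data length")
        (datalen,) = struct.unpack_from("<I", buf, off)
        off += 4
        data = buf[off:off + datalen]
        if len(data) != datalen:
            raise ValueError("truncated block data")
        off += datalen
        blocks.append(Block(btype, name, data))
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after last block")
    return blocks


def md5_rounds(blocks: list) -> int:
    """First block: 32-bit round count n (0x96ac9 in the post's file)."""
    return struct.unpack("<I", blocks[0].data)[0]


def password_block(blocks: list) -> bytes:
    """Data of the type-7 block: the 16 transformed bytes."""
    return next(b.data for b in blocks if b.btype == PASSWORD_BLOCK_TYPE)


def qq_number(blocks: list) -> int:
    """Third block: the QQ number, stored as a 32-bit little-endian value."""
    return struct.unpack("<I", blocks[2].data)[0]


def stored_form(password: bytes, rounds: int, al: int = 16) -> bytes:
    """Steps 1-3 from the post: iterate MD5 `rounds` times over the password
    bytes, then per byte apply bitwise NOT followed by XOR with `al`
    (the password block's data length, 10h in the post's file)."""
    m = password
    for _ in range(rounds):
        m = hashlib.md5(m).digest()
    return bytes(((~b) & 0xFF) ^ al for b in m)


if __name__ == "__main__":
    blocks = parse_ewh(SAMPLE_EWH)
    print("block types:", [b.btype for b in blocks])
    print("md5 rounds: 0x%x" % md5_rounds(blocks))
    print("password block:", password_block(blocks).hex())
    print("qq number:", qq_number(blocks))
    # Constructed password, full round count from the file: shows the cost
    # of the loop the post complains about, and that no salt is involved.
    demo = stored_form(b"example-password", md5_rounds(blocks))
    print("stored form of a constructed password:", demo.hex())
```

Running it prints the three block types, the round count 0x96ac9 and the QQ number 44758121 recovered from the dump; the last line computes the stored form of a made-up password with the file's real round count, which takes well under a second in Python, a useful calibration of how little protection 617161 MD5 rounds buy against a modern machine.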

Postscript: the QQ encryption algorithm and encrypted file really are that simple. Since this was the first time I actually analyzed a program (previously I was only at the theoretical level), I spent 3 to 4 days on the analysis, went through perhaps 30 to 40 assembly functions, wrote more than 20 pages of notes (A4 paper), and also printed out 16 pages of code.

In addition, the block names are also encrypted (the same class of algorithm); the names of the three blocks in the example above are "AST", "EWH" and "UIN". I actually also analyzed some of QQ's in-memory structures, but they were of little use; still, I understand now that deeper levels of indirection bring great pain to the decryptor (QQ's file is held in memory behind 4 layers of pointers).

/

A small addition:

I was too rushed when writing and forgot this.

The data of the third file block of the EWH.DB password file is the QQ number that the password file belongs to; it is the last four bytes of the file.

Brothers often ask how to look at the chat records on a local computer offline.

In fact it is very simple: modify the last 4 bytes of your own QQ password file into someone else's QQ number, then copy this file into that person's QQ directory and overwrite the one there. The password to log in with is, of course, your own QQ password.

(Would anti-virus software catch this? Haha, I remember the last time a brother modified QQ to view local chat records, and the result was that the anti-virus flagged it as a QQ virus! Depressing for him!)

Please credit the original source when reposting: https://www.9cbs.com/read-61867.html