Xunlei 7 down.php, Xunlei (Thunder) protocol analysis
Author: xee
Time: 2008-02-23, 22:13
Link: http://bbs.pediy.com/showthread.php?t=60110
[Title]: Xunlei (Thunder) protocol analysis
[Author]: vessial
[E-mail]: vessial@hotmail.com
[Author homepage]: http://blog.csdn.net/xee
[Date]: 20071122
[Software]: Thunder 5.7.4.404
[Tools]: OD + Wireshark
[Author's statement]: This article is for research and study only; I accept no legal responsibility for any consequences arising from it. Please point out any shortcomings. Reposting is welcome, but please keep the article intact.
----------------------------------------------------------------------------------------------------------
Background: this article is based on Thunder version 5.7.4.404.
Goal: work out, by analysis, how the Thunder client talks to the server to obtain download-resource links and how that
communication is encrypted. Source code is attached; discussion is welcome.
Algorithms involved: MD5, 128-bit AES
----------------------------------------------------------------------------------------------------------
Everyone knows why Thunder downloads so fast: it uses P2SP, meaning it can pull a file from several servers that hold the same resource at once. The question is, given a single download link, how does it learn that other servers hold the same resource? That is the focus of this article, so let's get straight to it.
One way the Thunder client obtains multiple download sources from the server is over HTTP on port 80, with an encrypted payload, like the packet below.
This is the resource-query packet the client sends to the server 58.254.39.10:
0x0000  50 4F 53 54 20 2F 20 48-54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
0x0010  0A 48 6F 73 74 3A 20 35-38 2E 32 35 34 2E 33 39  .Host: 58.254.39
0x0020  2E 31 30 3A 38 30 0D 0A-43 6F 6E 74 65 6E 74 2D  .10:80..Content-
0x0030  74 79 70 65 3A 20 61 70-70 6C 69 63 61 74 69 6F  type: applicatio
0x0040  6E 2F 6F 63 74 65 74 2D-73 74 72 65 61 6D 0D 0A  n/octet-stream..
0x0050  43 6F 6E 74 65 6E 74 2D-4C 65 6E 67 74 68 3A 20  Content-Length: 
0x0060  33 39 36 0D 0A 43 6F 6E-6E 65 63 74 69 6F 6E 3A  396..Connection:
0x0070  20 4B 65 65 70 2D 41 6C-69 76 65 0D 0A 0D 0A 34   Keep-Alive....4
0x0080  00 00 00 96 00 00 00 80-01 00 00 02 3A A0 8A 5E
0x0090  52 22 AC 5E FA C8 F6 54-E8 DC 9A BC E6 78 11 D9
0x00A0  59 C3 E8 64 8E B8 93 EA-E7 43 28 BA 16 FF C4 A9
0x00B0  DC AB 26 7C 56 08 47 D9-A9 37 F6 C1 3A 7B 68 C8
0x00C0  11 74 9D 62 6D 4C 6C E7-AD 08 46 70 31 AC 97 34
0x00D0  AE 15 18 37 B3 97 32 91-13 F8 FB AA 30 75 10 02
0x00E0  78 8E F6 38 1D 43 6B B9-F4 DE C4 09 23 3A 27 8B
0x00F0  E6 2C 5D 87 BF 4C BF BF-54 15 4E DB 8F 77 95 C0
0x0100  67 EE 1E B4 B4 36 F6 EF-CF 96 77 1A EA 9E 63 11
0x0110  40 FC E1 23 81 90 92 5E-FE 23 36 FB 1A 23 37 9A
0x0120  7D 20 95 CA 47 C2 DA E9-E8 FE 30 4C A0 FE 4F 6E
0x0130  A0 A5 81 45 BA AF 68 EE-60 A1 D5 00 A8 DC CC 80
0x0140  84 0C 19 CF 81 B9 13 C0-13 07 E8 70 05 79 15 F5
0x0150  D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 70 05 79 15 F5
0x0160  D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 70 05 79 15 F5
0x0170  D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 10 3A CC 2F 13
0x0180  E1 E1 8C 7B C9 C5 48 B3-85 73 55 87 EE 99 14 67
0x0190  B2 1B 01 1B 56 01 2F FB-47 07 88 BD 4C D2 1A 08
0x01A0  14 42 F3 F5 C2 7C 26 9E-24 00 A4 EA 5F 20 FC CA
0x01B0  80 F6 9B C9 28 5B 55 22-94 33 4F 3E 1B C6 31 23
0x01C0  82 B1 97 3E C1 00 2F EF-CE 06 7B AA CD A6 61 F5
0x01D0  C9 59 8E DB F6 49 73 9C-B9 08 05 C3 1E EB A6 D3
0x01E0  0F BB 86 FD FC CC 99 89-61 A9 B1 F9 30 C7 48 B1
0x01F0  79 6C 75 26 8C F5 46 F4-7F 04 ED D1 2B 16 2D 94
0x0200  2F 2C DE 6E 7B 97 E7 28-8B DA 0D
Obviously nothing familiar jumps out of the dump above, but analysis turned up some regularities.
The packets share the following structure:
Bytes 0-3: command (request) word
Bytes 4-7: I guess this is the packet sequence number :)
Bytes 8-11: length of the encrypted packet body
Bytes 12-end: the encrypted packet body
Taking the packet above as an example:
34 00 00 00 | 96 00 00 00 | 80 01 00 00 | ...
command       sequence      body length   AES-encrypted body
Everything after those 12 bytes is AES-encrypted data.
Note that the bytes above are the HTTP content (the body of the POST), not the HTTP headers.
Since the body is AES-encrypted, what is the key and how is it generated? If it were DHE I would have been stuck,
but hard work pays off: the AES key is derived from the first 8 bytes of the packet, i.e. the command word and the sequence number,
combined with 56 padding bytes into a 64-byte block and run through MD5, which yields exactly 16 bytes.
These 56 padding bytes, however, are not the same as standard MD5 padding. The padding data is:
80 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
Combined, the 64-byte block is:
34 00 00 00 96 00 00 00 80 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
The MD5 hash computed over this block is:
f5 26 32 d9 0b 36 f0 58 25 53 71 a2 ae 2f 3e d3
This is the key used for AES encryption and decryption of the packets.
Decrypting the packet above with it gives:
94 01 05 00 00 00 c1 0b 10 00 00 00 30 30 31 36  ............0016
36 46 35 41 45 45 44 33 30 30 30 30 14 00 00 00  6F5AEED30000....
7f 2f 32 dc d5 76 bc 1e 37 ef 83 30 0f 45 80 80  ./2..v..7..0.E..
6b 83 48 91 2b 00 00 00 68 74 74 70 3a 2f 2f 64  k.H.+...http://d
6f 77 6e 2e 73 61 6e 64 61 69 2e 6e 65 74 2f 54  own.sandai.net/T
68 75 6e 64 65 72 35 2e 37 2e 34 2e 34 30 34 2e  hunder5.7.4.404.
65 78 65 00 00 00 00 00 00 00 00 e0 86 6e 00 00  exe..........n..
00 00 00 7d 7d 14 00 00 00 00 00 7a 65 13 00 00  ...}}......ze...
00 00 00 e9 a3 46 00 00 00 00 00 00 00 00 00 50  .....F.........P
00 00 00 03 00 00 00 65 78 65 0b 06 01 05 02 00  .......exe......
20 05 00 00 00 00 00 00 00 00 00 00 00 00 00 05   ...............
02 80 d1 10 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 02 00 00 00 04 00 00 00 09  ................
00 00 00 35 2e 37 2e 34 2e 34 30 34 04 00 00 00  ...5.7.4.404....
30 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00  0000............
00 00 00 00 00 00 00 00 da 3d 00 c2 c0 a8 b7 01  .........=......
01 80 0c 00 00 00 00 00 14 00 00 00 c6 76 99 e7  .............v..
6e 66 10 4d 7c be c2 bc 40 3e 6f c2 30 9a 44 65  nf.M|...@>o.0.De
00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................
00 14 00 00 00 54 68 75 6e 64 65 72 35 2e 37 2e  .....Thunder5.7.
34 2e 34 30 34 2e 65 78 65 07 07 07 07 07 07 07  4.404.exe.......
This is the constructed packet before encryption. A quick word on its structure: you can see the link address,
which is the original link I downloaded the program from. I used Thunder to download Thunder5.7.4.404.exe from
http://down.sandai.net/Thunder5.7.4.404.exe
Now let's see what the server's reply packet contains:
34 00 00 00 0c 00 00 00 f0 07 . n...4.........
0040  00 00 66 2b 99 1a af ed 82 56 af b2 93 c2 03 84 ..f+.....V......
0050  54 4d 1e 13 6a 65 7c 37 31 32 92 2c 7f 31 b5 32 TM..je|712.,.1.2
0060  8c 1e 5f b9 b9 10 f8 63 a1 45 a8 e1 76 f8 5b 2d .._....c.E..v.[-
0070  1d 07 7a 1d 8d e9 82 d6 b8 34 ef f2 ec 5d 1b eb ..z......4...]..
0080  a1 24 96 c4 ad 96 3e 55 0e 73 df 75 c2 9d 8b cc .$....>U.s.u....
0090  1e db dc b2 dc 7c 56 3a e8 01 d8 a1 a2 21 05 31 .....|V:.....!.1
00a0  b0 90 a2 40 8f 86 31 da c8 ee 85 c1 3c 5b 40 1b ...@..1.....<[@.
00b0  ef d5 5f a4 7d 96 8a 5f d3 38 7f b1 f2 bd b5 95 .._.}.._.8......
00c0  f7 15 a5 39 1a 1d 73 56 b0 12 cd 2e cf d9 fa 62 ...9..sV.......b
00d0  e3 d8 08 6c 93 68 02 15 4e ca 34 d8 9c 09 fa 6a ...l.h..N.4....j
00e0  62 35 43 5e de d4 52 f8 2b 61 0c 64 c4 bd d1 0a b5C^..R.+a.d....
00f0  fc 95 3f 22 e8 68 4d 1c 65 82 93 43 24 e7 55 5e ..?".hM.e..C$.U^
0100  f2 db 7e 07 3b bc bc ad 30 54 78 be f2 45 1e 2d ..~.;...0Tx..E.-
0110  2a 6b 11 9b 9e c7 2d 31 d9 e6 d8 3b 33 c9 26 b5 *k....-1...;3.&.
0120  41 e3 61 a1 ba 90 1d 70 55 d0 93 3f a4 f9 6a 55 A.a....pU..?..jU
0130  f9 19 43 e2 6c 38 a1 57 15 aa 2e d4 18 f1 c6 fe ..C.l8.W........
0140  fe bf e3 e3 62 1a 9e 6f 3b ee c1 44 b1 f8 d8 23 ....b..o;..D...#
0150  2c 66 f1 c4 43 a6 9f 0b a7 d5 5c 8c e5 68 19 9f ,f..C.....\..h..
0160  db aa 7c fa 6e 3a dd 4e f0 53 ce 45 51 25 18 8d ..|.n:.N.S.EQ%..
0170  a0 0d f0 8f e0 b0 cb 12 6d 92 80 f4 4f eb a9 c0 ........m...O...
0180  f4 27 4e 34 c0 8d 96 8e 3b 20 57 b0 fb df 5a 4b .'N4....; W...ZK
0190  18 e7 2d 54 6f ad da be a6 1e 94 1e f9 2b 9f d7 ..-To........+..
01a0  03 8d de c6 16 0b f4 a1 07 d2 15 85 7c fc 78 df ............|.x.
01b0  26 3d a7 eb 2f 0b 5f fa 60 4a 73 a5 5a 7e 4a 4e &=../._.`Js.Z~JN
01c0  80 a3 9a ad ae 53 b4 dc 6d a8 04 35 96 e5 93 70 .....S..m..5...p
01d0  7d 26 07 07 62 cc ce 3f ee 87 5e c4 b2 e5 0e b0 }&..b..?..^.....
01e0  b3 c5 ef dd 9b 2d ef 4b 13 2a ad 39 13 59 25 55 .....-.K.*.9.Y%U
01f0  c2 76 1b 95 74 66 2d 1c 3a 2f f6 f5 4e a4 dd 09 .v..tf-.:/..N...
0200  c8 36 66 bd cd c2 d6 ff 29 cd 20 a3 19 ab 3f d4 .6f.....). ...?.
0210  75 67 b5 d4 37 18 24 c0 57 67 f4 8d 06 33 95 1b ug..7.$.Wg...3..
0220  03 89 16 f0 b8 e5 52 4f a3 d4 be 38 c9 cc 89 65 ......RO...8...e
0230  e7 ef 32 df 2e 9f 87 a4 2f 8f c3 a3 41 77 7b cd ..2...../...Aw{.
Decrypted, it reads:
058B2378 91 01 05 00 00 00 D2 07 01 B8 F7 6C 00 00 00 00 ...........l....
058B2388 00 14 00 00 00 90 4B 81 47 A5 0F 1E F6 6C 85 FA ......K.G....l..
058B2398 16 13 91 76 8A 91 C8 84 1A 00 00 00 00 00 00 00 ...v............
058B23A8 00 0A 00 00 00 8B 00 00 00 44 00 00 00 68 74 74 .........D...htt
058B23B8 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E 7A 6F 6C p://download.zol
058B23C8 2E 63 6F 6D 2E 63 6E 2F 64 6F 77 6E 2E 70 68 70 .com.cn/down.php
058B23D8 3F 73 6F 66 74 69 64 3D 31 33 35 33 37 33 26 73 ?softid=135373&s
058B23E8 75 62 63 61 74 69 64 3D 33 33 26 73 69 74 65 3D ubcatid=33&site=
058B23F8 38 2F 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E 8/...http://down
058B2408 6C 6F 61 64 2E 7A 6F 6C 2E 63 6F 6D 2E 63 6E 2F load.zol.com.cn/
058B2418 6C 69 6E 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 link/14/135373.s
058B2428 68 74 6D 6C D0 42 0B 00 00 A0 00 00 00 5A 00 00 html.B.......Z..
058B2438 00 00 00 00 D6 00 00 00 7F 00 00 00 68 74 74 70 ............http
058B2448 3A 2F 2F 72 65 64 69 72 65 63 74 2E 6D 79 64 6F ://redirect.mydo
058B2458 77 6E 2E 63 6F 6D 2F 6D 79 64 6F 77 6E 2F 70 72 wn.com/mydown/pr
058B2468 65 64 6F 77 6E 2E 6A 73 70 3F 69 64 3D 34 30 38 edown.jsp?id=408
058B2478 37 32 39 26 70 3D 30 26 6A 3D 31 32 26 6D 3D 31 729&p=0&j=12&m=1
058B2488 26 75 72 6C 3D 68 74 74 70 3A 2F 2F 6A 73 31 2E &url=http://js1.
058B2498 6D 79 64 6F 77 6E 2E 63 6F 6D 2F 73 6F 66 74 2F mydown.com/soft/
058B24A8 32 30 30 37 31 30 2F 54 68 75 6E 64 65 72 35 2E 200710/Thunder5.
058B24B8 37 2E 34 2E 34 30 31 2E 65 78 65 3F 00 00 00 68 7.4.401.exe?...h
058B24C8 74 74 70 3A 2F 2F 77 77 77 2E 6D 79 64 6F 77 6E ttp://www.mydown
058B24D8 2E 63 6F 6D 2F 73 6F 66 74 2F 6E 65 74 77 6F 72 .com/soft/networ
058B24E8 6B 2F 64 6F 77 6E 6C 6F 61 64 2F 32 32 39 2F 34 k/download/229/4
058B24F8 30 38 37 32 39 5F 64 73 2E 73 68 74 6D 6C D8 82 08729_ds.shtml..
058B2508 0E 00 00 49 22 00 00 5A 00 00 00 00 00 00 5F 00 ..I"..Z......_.
058B2518 00 00 26 00 00 00 68 74 74 70 3A 2F 2F 64 2E 35 ..&...http://d.5
058B2528 32 70 6B 2E 63 6F 6D 2F 64 6F 77 6E 2E 61 73 70 2pk.com/down.asp
058B2538 3F 69 64 3D 31 35 32 26 6E 6F 3D 33 21 00 00 00 ?id=152&no=3!...
058B2548 68 74 74 70 3A 2F 2F 64 6F 77 6E 2E 35 32 70 6B http://down.52pk
058B2558 2E 63 6F 6D 2F 73 6F 66 74 2F 31 35 32 2E 68 74 .com/soft/152.ht
058B2568 6D 30 92 10 00 FF 95 00 00 00 5A 00 00 00 00 00 m0........Z.....
058B2578 00 AA 00 00 00 3D 00 00 00 68 74 74 70 3A 2F 2F .....=...http://
058B2588 36 31 2E 31 34 35 2E 31 31 33 2E 31 31 37 2F 62 61.145.113.117/b
058B2598 35 2F 64 6F 77 6E 2E 73 61 6E 64 61 69 2E 6E 65 5/down.sandai.ne
058B25A8 74 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 2E 34 t/Thunder5.7.4.4
058B25B8 30 31 2E 65 78 65 55 00 00 00 68 74 74 70 3A 2F 01.exeU...http:/
058B25C8 2F 36 31 2E 31 34 35 2E 31 31 33 2E 31 31 37 2F /61.145.113.117/
058B25D8 62 35 2F 64 6C 2E 70 63 6F 6E 6C 69 6E 65 2E 63 b5/dl.pconline.c
058B25E8 6F 6D 2E 63 6E 2F 68 74 6D 6C 5F 32 2F 31 2F 38 om.cn/html_2/1/8
058B25F8 39 2F 69 64 3D 34 32 34 34 33 26 70 6E 3D 30 26 9/id=42443&pn=0&
058B2608 6C 69 6E 6B 50 61 67 65 3D 31 2E 68 74 6D 6C 68 linkPage=1.htmlh
058B2618 77 0C 00 FF 81 00 00 00 5A 00 00 00 00 00 00 7A w.......Z......z
058B2628 00 00 00 3E 00 00 00 68 74 74 70 3A 2F 2F 77 77 ...>...http://ww
058B2638 77 2E 39 39 37 2E 63 6E 2F 73 6F 66 74 2F 64 6F w.997.cn/soft/do
058B2648 77 6E 6C 6F 61 64 2E 61 73 70 3F 73 6F 66 74 69 wnload.asp?softi
058B2658 64 3D 37 36 36 26 64 6F 77 6E 69 64 3D 30 26 69 d=766&downid=0&i
058B2668 64 3D 37 39 30 24 00 00 00 68 74 74 70 3A 2F 2F d=790$...http://
058B2678 77 77 77 2E 39 39 37 2E 63 6E 2F 73 6F 66 74 2F www.997.cn/soft/
058B2688 31 2F 31 38 2F 37 36 36 2E 68 74 6D 6C 68 FA 0B 1/18/766.htmlh..
058B2698 00 00 3C 01 00 00 5A 00 00 00 00 00 00 80 00 00 ..<...Z.........
058B26A8 00 33 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E .3...http://down
058B26B8 38 2E 7A 6F 6C 2E 63 6F 6D 2E 63 6E 2F 78 69 61 8.zol.com.cn/xia
058B26C8 7A 61 69 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 zai/Thunder5.7.4
058B26D8 2E 34 30 31 2E 65 78 65 35 00 00 00 68 74 74 70 .401.exe5...http
058B26E8 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E 77 77 77 2E ://download.www.
058B26F8 66 65 6E 67 6E 69 61 6F 2E 63 6F 6D 2F 6C 69 6E fengniao.com/lin
058B2708 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 68 74 6D k/14/135373.shtm
058B2718 6C F8 F4 08 00 00 8F 00 00 00 5A 00 00 00 00 00 l.........Z.....
058B2728 00 97 00 00 00 4A 00 00 00 68 74 74 70 3A 2F 2F .....J...http://
058B2738 64 6F 77 6E 6C 6F 61 64 2E 77 77 77 2E 66 65 6E download.www.fen
058B2748 67 6E 69 61 6F 2E 63 6F 6D 2F 64 6F 77 6E 2E 70 gniao.com/down.p
058B2758 68 70 3F 73 6F 66 74 69 64 3D 31 33 35 33 37 33 hp?softid=135373
058B2768 26 73 75 62 63 61 74 69 64 3D 33 33 26 73 69 74 &subcatid=33&sit
058B2778 65 3D 38 35 00 00 00 68 74 74 70 3A 2F 2F 64 6F e=85...http://do
058B2788 77 6E 6C 6F 61 64 2E 77 77 77 2E 66 65 6E 67 6E wnload.www.fengn
058B2798 69 61 6F 2E 63 6F 6D 2F 6C 69 6E 6B 2F 31 34 2F iao.com/link/14/
058B27A8 31 33 35 33 37 33 2E 73 68 74 6D 6C 68 00 0B 00 135373.shtmlh...
058B27B8 00 9D 00 00 00 5A 00 00 00 00 00 00 93 00 00 00 .....Z..........
058B27C8 48 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C H...http://downl
058B27D8 6F 61 64 2E 77 77 77 2E 78 69 79 75 69 74 2E 63 oad.www.xiyuit.c
058B27E8 6F 6D 2F 64 6F 77 6E 2E 70 68 70 3F 73 6F 66 74 om/down.php?soft
058B27F8 69 64 3D 31 33 35 33 37 33 26 73 75 62 63 61 74 id=135373&subcat
058B2808 69 64 3D 33 33 26 73 69 74 65 3D 38 33 00 00 00 id=33&site=83...
058B2818 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E http://download.
058B2828 77 77 77 2E 78 69 79 75 69 74 2E 63 6F 6D 2F 6C www.xiyuit.com/l
058B2838 69 6E 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 68 ink/14/135373.sh
058B2848 74 6D 6C 60 31 0A 00 00 90 00 00 00 5A 00 00 00 tml`1.......Z...
058B2858 00 00 00 46 00 00 00 2E 00 00 00 68 74 74 70 3A ...F.......http:
058B2868 2F 2F 64 6F 77 6E 2E 73 61 6E 64 61 69 2E 6E 65 //down.sandai.ne
058B2878 74 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 2E 34 t/Thunder5.7.4.4
058B2888 30 31 2E 65 78 65 3F 32 30 00 00 00 00 FF FF FF 01.exe?20.......
058B2898 FF 00 FF FF FF FF 5A 00 00 00 00 00 00 46 00 00 ......Z......F..
058B28A8 00 2E 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E .....http://down
058B28B8 2E 73 61 6E 64 61 69 2E 6E 65 74 2F 54 68 75 6E .sandai.net/Thun
058B28C8 64 65 72 35 2E 37 2E 34 2E 34 30 31 2E 65 78 65 der5.7.4.401.exe
See that? Once the reply packet is decrypted, the link addresses it carries are the addresses of the multiple P2SP servers the file can be downloaded from.
The reply also contains some file-related information, such as the SHA-1 hash; if you are interested you can
analyse its packet structure yourself. I'll cover the packet structure in the next article :)
Note that the request packet and the reply packet above are not correlated: while debugging I did not capture them as a pair, and fed different packets in for analysis.
That wraps up the encrypted exchange between client and server for obtaining multiple download sources. Here I have only covered
the encryption algorithm they use; the rest of the protocol will follow when time permits.
Written in haste, so please point out anything I have missed.
Finally, the encryption/decryption source code is attached below.
#include <stdio.h>
#include <string.h>
#include <openssl/aes.h>
#include "thunder-md5.h"
/* 64-byte MD5 input block: the 8 packet header bytes (command 0x34, sequence 0x96)
   followed by the 56 padding bytes */
unsigned char thunder[]={
0x34, 0x00, 0x00, 0x00, 0x96, 0x00, 0x00, 0x00,0x80,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
/* the 56 padding bytes on their own (not used below, kept for reference) */
unsigned char thunder_md5_pad[]={
0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char thunder_AES_key[16]; /* AES-128 key = MD5 state after one Transform over thunder[] */
/* encrypted packet body (0x180 bytes, taken from the request capture above) */
unsigned char in[]={0x02,0x3A,0xA0,0x8A,0x5E
,0x52,0x22,0xAC,0x5E,0xFA,0xC8,0xF6,0x54,0xE8,0xDC,0x9A,0xBC,0xE6,0x78,0x11,0xD9
,0x59,0xC3,0xE8,0x64,0x8E,0xB8,0x93,0xEA,0xE7,0x43,0x28,0xBA,0x16,0xFF,0xC4,0xA9
,0xDC,0xAB,0x26,0x7C,0x56,0x08,0x47,0xD9,0xA9,0x37,0xF6,0xC1,0x3A,0x7B,0x68,0xC8
,0x11,0x74,0x9D,0x62,0x6D,0x4C,0x6C,0xE7,0xAD,0x08,0x46,0x70,0x31,0xAC,0x97,0x34
,0xAE,0x15,0x18,0x37,0xB3,0x97,0x32,0x91,0x13,0xF8,0xFB,0xAA,0x30,0x75,0x10,0x02
,0x78,0x8E,0xF6,0x38,0x1D,0x43,0x6B,0xB9,0xF4,0xDE,0xC4,0x09,0x23,0x3A,0x27,0x8B
,0xE6,0x2C,0x5D,0x87,0xBF,0x4C,0xBF,0xBF,0x54,0x15,0x4E,0xDB,0x8F,0x77,0x95,0xC0
,0x67,0xEE,0x1E,0xB4,0xB4,0x36,0xF6,0xEF,0xCF,0x96,0x77,0x1A,0xEA,0x9E,0x63,0x11
,0x40,0xFC,0xE1,0x23,0x81,0x90,0x92,0x5E,0xFE,0x23,0x36,0xFB,0x1A,0x23,0x37,0x9A
,0x7D,0x20,0x95,0xCA,0x47,0xC2,0xDA,0xE9,0xE8,0xFE,0x30,0x4C,0xA0,0xFE,0x4F,0x6E
,0xA0,0xA5,0x81,0x45,0xBA,0xAF,0x68,0xEE,0x60,0xA1,0xD5,0x00,0xA8,0xDC,0xCC,0x80
,0x84,0x0C,0x19,0xCF,0x81,0xB9,0x13,0xC0,0x13,0x07,0xE8,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x10,0x3A,0xCC,0x2F,0x13
,0xE1,0xE1,0x8C,0x7B,0xC9,0xC5,0x48,0xB3,0x85,0x73,0x55,0x87,0xEE,0x99,0x14,0x67
,0xB2,0x1B,0x01,0x1B,0x56,0x01,0x2F,0xFB,0x47,0x07,0x88,0xBD,0x4C,0xD2,0x1A,0x08
,0x14,0x42,0xF3,0xF5,0xC2,0x7C,0x26,0x9E,0x24,0x00,0xA4,0xEA,0x5F,0x20,0xFC,0xCA
,0x80,0xF6,0x9B,0xC9,0x28,0x5B,0x55,0x22,0x94,0x33,0x4F,0x3E,0x1B,0xC6,0x31,0x23
,0x82,0xB1,0x97,0x3E,0xC1,0x00,0x2F,0xEF,0xCE,0x06,0x7B,0xAA,0xCD,0xA6,0x61,0xF5
,0xC9,0x59,0x8E,0xDB,0xF6,0x49,0x73,0x9C,0xB9,0x08,0x05,0xC3,0x1E,0xEB,0xA6,0xD3
,0x0F,0xBB,0x86,0xFD,0xFC,0xCC,0x99,0x89,0x61,0xA9,0xB1,0xF9,0x30,0xC7,0x48,0xB1
,0x79,0x6C,0x75,0x26,0x8C,0xF5,0x46,0xF4,0x7F,0x04,0xED,0xD1,0x2B,0x16,0x2D,0x94
,0x2F,0x2C,0xDE,0x6E,0x7B,0x97,0xE7,0x28,0x8B,0xDA,0x0D};
unsigned char out[4096]; /* decrypted packet body */
int main(int argc, char *argv[])
{
MD5_CTX c;
AES_KEY aes_key;
int i,j;
int blocks = sizeof(in)/16; /* the body length is a whole number of 16-byte AES blocks */
MD5Init(&c);
/* one MD5 compression over the pre-padded 64-byte block; c.buf then holds the 16-byte digest
   (cast kept as in the original 32-bit build; thunder-md5.h is not part of this post) */
Transform((unsigned long *)c.buf,(unsigned long*)thunder);
/* memcpy rather than strncpy: the digest is binary and may contain 0x00 bytes */
memcpy(thunder_AES_key,c.buf,16);
AES_set_decrypt_key(thunder_AES_key,128,&aes_key);
/* AES-128 in ECB mode: every 16-byte block is decrypted independently with the same key */
for ( i=0;i<blocks;i++)
{
AES_decrypt(&in[i*16],&out[i*16],&aes_key);
}
/* dump the plaintext as hex followed by its printable ASCII */
for ( i=0;i<blocks;i++)
{
for ( j=0;j<16;j++)
{
printf("%02x ",out[i*16+j]);
}
printf("    ");
for ( j=0;j<16;j++)
{
printf("%c",(out[i*16+j]>=0x20 && out[i*16+j]<0x7f) ? out[i*16+j] : '.');
}
printf("\n");
}
return 0;
}
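Added example (not code from the article or from Thunder): a dependency-free Python check of the 12-byte header layout, the key derivation, and the u32-length-prefixed URL strings seen in the decrypted reply, which the author's C program above cannot show without OpenSSL and the custom MD5 header. It assumes the layout the article describes (command, sequence, body length as little-endian u32; key = MD5 over the first 8 bytes); the sample header and the two URLs come from the dumps above, while the filler bytes around the URLs are constructed. Note that the 64-byte block the article feeds to Transform is, byte for byte, standard MD5 padding for an 8-byte message, so hashlib.md5 reproduces the article's key as long as thunder-md5.h is an unmodified MD5.

```python
import hashlib
import struct

# Header and URLs below are taken from the article's dumps; the bytes around
# the URLs in SAMPLE_BODY are constructed filler, not captured traffic.
SAMPLE_HEADER = bytes.fromhex("34000000 96000000 80010000")
ARTICLE_MD5_BLOCK = bytes.fromhex(
    "34000000 96000000 80000000 00000000 00000000 00000000 00000000 00000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 40000000 00000000")
ARTICLE_KEY = bytes.fromhex("f52632d90b36f058255371a2ae2f3ed3")
SAMPLE_URLS = [
    "http://download.zol.com.cn/down.php?softid=135373&subcatid=33&site=8",
    "http://download.zol.com.cn/link/14/135373.shtml",
]
SAMPLE_BODY = b"\x91\x01\x05\x00\x00\x00" + b"".join(
    struct.pack("<I", len(u)) + u.encode() for u in SAMPLE_URLS) + b"\x00" * 6

def parse_header(pkt):
    """Return (command, sequence, body_len) from the 12-byte little-endian header."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte header")
    return struct.unpack_from("<III", pkt, 0)

def body_length_ok(pkt):
    """Length field must match the bytes present and be a whole number of AES blocks."""
    _, _, body_len = parse_header(pkt)
    return len(pkt) - 12 == body_len and body_len % 16 == 0

def md5_pad(msg):
    """Standard MD5 padding: 0x80, zeros up to 56 mod 64, then the bit length as LE u64."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", len(msg) * 8)

def derive_aes_key(pkt):
    """AES-128 key = MD5 over the first 8 header bytes (command + sequence)."""
    return hashlib.md5(pkt[:8]).digest()

def key_matches_article(pkt=SAMPLE_HEADER):
    """True when plain MD5 reproduces the key the article printed for this header."""
    return derive_aes_key(pkt) == ARTICLE_KEY

def extract_urls(body):
    """Collect u32-LE length-prefixed ASCII strings starting with 'http' from a decrypted body."""
    urls, i = [], 0
    while i + 8 <= len(body):
        n = struct.unpack_from("<I", body, i)[0]
        s = body[i + 4:i + 4 + n]
        if (8 <= n <= 2048 and s[:4] == b"http" and len(s) == n
                and all(0x20 <= c < 0x7F for c in s)):
            urls.append(s.decode("ascii"))
            i += 4 + n  # jump past the string so its bytes are not rescanned
        else:
            i += 1
    return urls

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER), derive_aes_key(SAMPLE_HEADER).hex(),
          md5_pad(SAMPLE_HEADER[:8]) == ARTICLE_MD5_BLOCK, key_matches_article())
    print(extract_urls(SAMPLE_BODY))
```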
Posted 2009-05-06 15:45 by 星仁, reads: 952, comments: 0, category: P2P