山歌

WeChat official account: Jack-Xiaoshan

Protocol Analysis

2009-12-02 13:07:22 | Category: Default | Tags:

Aliwangwang (旺旺) protocol analysis:

1. GET http://sip.alisoft.com/sip/rest?sip_apiname=alisoft.getPlugins4ww&sip_appkey=16116&AppIdVers=8001:*,8003:*,17411:1.0&time=1259728937

2. GET http://newallot.im.alisoft.com/imlogingw/tcp60login?ver=6.10.30&loginId=cntaobaoarnold78
   Returns the login address and port for the Aliwangwang client; several are offered to choose from.

3. Connect to 121.0.19.242:16000 and send an 80-byte packet.

(1) Login

Several kinds of packets appear during login: UDP, TCP (not counting HTTP) and HTTP. We found that the HTTP packets fall into two classes: some are generated directly by Aliwangwang, the others by a web browser (for example IE, Firefox, Netscape, Opera). Only the HTTP packets generated by Aliwangwang need attention. They have the following features: the User-Agent field contains the keyword with hex form “b0a2c0efcdfacdfa”, which distinguishes them from ordinary HTTP packets; some packets carry the keywords “the im.alisoft.com” and “Cookie: ali_”, which also set them apart from ordinary HTTP packets. Another observation: even towards the same remote IP and port, HTTP packets of both classes occur; they are told apart by their different source ports.

After the TCP handshake, the packets that carry data have an obvious feature: the first four bytes of the data segment are the hex keyword “8f010100”. This can be used to identify the connection, and the same holds in all of the later stages. When logging in to Aliwangwang, two UDP packets are sent to an IP belonging to Hangzhou Telecom; we handle these too, although there are few of them. These UDP packets carry the hex keyword “8f010121” in the first four bytes.

(2) Chat

Text chat: when chatting with text messages, the packets are mostly TCP packets with the same features as in the login process, so the same method handles them well.

Audio chat: this process includes both TCP and UDP, which need to be processed separately. Here Aliwangwang interacts with a number of servers to obtain information (for example multimedia.im.alisoft.com and forum.split.taobao.com), establishes the link and then transfers UDP packets carrying the audio data. Another observation is that during this process Aliwangwang tries to interact with the local ISP (for example Tianjin Telecom and Tianjin CNC) and with Hangzhou Telecom, which produces a number of UDP packets. Fortunately these UDP packets can be identified: the first 4 bytes of their data segment are the hex keyword “52554450”.

Video chat: this process is similar to the audio chat above, so it is easy to handle after the work done on audio chat.

(3) File transfer

During a file transfer over the Internet the TCP negotiation shows the same features, so the rules above still work. In addition, UDP packets appear whose first 3 bytes are the hex keyword “710206”.

Details:

1. Request:

GET /sip/rest?sip_apiname=alisoft.getPlugins4ww&sip_appkey=16116&AppIdVers=8001:*,8003:*,17411:1.0&time=1259728937 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: SimpleHttpFetch
Host: sip.alisoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: cna=tiVRAuqdA; __last_login_ww__=cntaobaoxmanjsj; ali_apache_id=125.34.66.73.51076032595087.6

Response:

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 04:41:46 GMT
Server: Apache/2.2.11 (Unix) mod_jk/1.2.27 mod_AliCookie(for apache2.x)/1.1
Set-Cookie: ali_apache_sid=123.117.55.234.14972128906593.0|1259730706; path=/; domain=.alisoft.com
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5
sip_status: 9999
Content-Length: 1460
Connection: close
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<WangWangPluginResult-array>
  <WangWangPluginResult>
    <appId>8001</appId>
    <appStatus></appStatus>
    <version>*</version>
    <isvId>1</isvId>
    <pluginMd5>233b76c8a205f9d85036d0fbe0f45a3c</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>2dab3381a8911c86ad1970a4cb880ba6</sign>
    <time>1259728937</time>
    <apiLastModified>1238148658000</apiLastModified>
    <slotLastModified>1238148658000</slotLastModified>
  </WangWangPluginResult>
  <WangWangPluginResult>
    <appId>8003</appId>
    <appStatus></appStatus>
    <version>*</version>
    <isvId>1</isvId>
    <pluginMd5>847be8d432ec43ae1d884aad8428fe35</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>9ac6ee76252493f7d9efeef2f67a4385</sign>
    <time>1259728937</time>
    <apiLastModified>1238148658000</apiLastModified>
    <slotLastModified>12</slotLastModified>
  </WangWangPluginResult>
  <WangWangPluginResult>
    <appId>17411</appId>
    <appStatus></appStatus>
    <version>1.0</version>
    <isvId>11888140</isvId>
    <pluginMd5>5a7d37ea646837b011257810d98ededf</pluginMd5>
    <secLevel>20</secLevel>
    <errorCode></errorCode>
    <sign>f85ba1fdac7ece9562637299d94f907f</sign>
    <time>1259728937</time>
    <apiLastModified>1244187533000</apiLastModified>
    <slotLastModified>1238148658000</slotLastModified>
  </WangWangPluginResult>
</WangWangPluginResult-array>

2. Request:

GET http://newallot.im.alisoft.com/imlogingw/tcp60login?ver=6.10.30&loginId=cntaobaoarnold78 HTTP/1.1
Accept: */*
Content-Type: text/html
Proxy-Connection: Keep-Alive
Host:newallot.im.alisoft.com

Response:

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 04:41:46 GMT
Server: Apache/2.2.9 (Unix)
Cache-Control: no-cache
Content-Length: 297
Connection: close
Content-Type: text/html;charset=utf-8

121.0.19.242:16000,121.0.19.220:16000,121.0.19.220:80,121.0.19.220:443,121.0.19.236:16000,121.0.19.236:80,121.0.19.236:443,121.0.19.232:16000,121.0.19.232:80,121.0.19.232:443,110.75.161.4:16000,110.75.161.4:80,110.75.161.4:443,121.0.30.203:16000,121.0.30.203:80,121.0.30.203:443,121.0.19.232:16000
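The identification rules above amount to a small flow classifier. The Python below is an added example, not code from the original post or from Alibaba: it applies the post's byte signatures per 4-tuple, so two HTTP flows to the same remote IP and port are judged separately by source port; it labels a TCP connection once a data segment starts with 8f010100 and keeps that label for the connection's later segments, as the post says the keyword identifies the link; and it parses the tcp60login server list so a monitor knows which endpoints the client may connect to next. The server list is the one quoted in the post; every packet in demo() is constructed test data, and the IPs there other than 121.0.19.242 are documentation addresses, not the servers the post observed. The decodings noted in the comments (b0a2c0efcdfacdfa is GBK for 阿里旺旺, 52554450 is ASCII "RUDP") are readings of the post's own constants.

```python
"""Flow-level identifier for the Aliwangwang traffic signatures described in the post.

Added example; the byte constants are the post's observations, the packets in
demo() are constructed, the server list is the post's tcp60login response body.
"""
from typing import Dict, List, Optional, Tuple

# First-bytes signatures quoted in the post.
TCP_DATA_PREFIX = bytes.fromhex("8f010100")  # data segments after the TCP handshake
UDP_PREFIXES = {
    bytes.fromhex("8f010121"): "ww-udp-login",  # two UDP packets to Hangzhou Telecom at login
    bytes.fromhex("52554450"): "ww-udp-audio",  # b"RUDP" in ASCII; audio and video chat
    bytes.fromhex("710206"): "ww-udp-file",     # 3-byte prefix seen during file transfer
}
HTTP_UA_MARKER = bytes.fromhex("b0a2c0efcdfacdfa")  # GBK encoding of 阿里旺旺 (Aliwangwang)

# Body of the tcp60login response quoted in the post (Content-Length 297).
LOGIN_GATEWAY_BODY = (
    "121.0.19.242:16000,121.0.19.220:16000,121.0.19.220:80,121.0.19.220:443,"
    "121.0.19.236:16000,121.0.19.236:80,121.0.19.236:443,121.0.19.232:16000,"
    "121.0.19.232:80,121.0.19.232:443,110.75.161.4:16000,110.75.161.4:80,"
    "110.75.161.4:443,121.0.30.203:16000,121.0.30.203:80,121.0.30.203:443,"
    "121.0.19.232:16000"
)

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def parse_login_gateway_response(body: str) -> List[Tuple[str, int]]:
    """Parse the 'ip:port,ip:port,...' list into unique (ip, port) endpoints, order kept."""
    endpoints: List[Tuple[str, int]] = []
    for item in body.strip().split(","):
        ip, _, port = item.partition(":")
        endpoint = (ip, int(port))
        if endpoint not in endpoints:  # the quoted list repeats 121.0.19.232:16000
            endpoints.append(endpoint)
    return endpoints


def parse_http_headers(payload: bytes) -> Optional[Dict[bytes, bytes]]:
    """Return lower-cased header name -> value for an HTTP/1.x request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return None
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_http(payload: bytes) -> Optional[str]:
    """'ww-http' when the request carries one of the post's three HTTP markers."""
    headers = parse_http_headers(payload)
    if headers is None:
        return None
    if HTTP_UA_MARKER in headers.get(b"user-agent", b""):
        return "ww-http"
    if b"im.alisoft.com" in headers.get(b"host", b""):
        return "ww-http"
    if headers.get(b"cookie", b"").startswith(b"ali_"):  # the post's "Cookie: ali_"
        return "ww-http"
    return None


class FlowClassifier:
    """Labels packets per (proto, 4-tuple); a flow keeps its label once one packet matched."""

    def __init__(self) -> None:
        self.labels: Dict[Tuple[str, Flow], str] = {}

    def classify(self, proto: str, flow: Flow, payload: bytes) -> Optional[str]:
        key = (proto, flow)
        if key in self.labels:
            return self.labels[key]  # later segments of an identified link inherit the label
        label: Optional[str] = None
        if proto == "tcp":
            label = classify_http(payload) or ("ww-tcp" if payload[:4] == TCP_DATA_PREFIX else None)
        elif proto == "udp":
            label = next((name for prefix, name in UDP_PREFIXES.items() if payload.startswith(prefix)), None)
        if label is not None:
            self.labels[key] = label
        return label


def demo() -> List[Optional[str]]:
    """Run constructed packets through the classifier; returns one label (or None) per packet."""
    fc = FlowClassifier()
    gw_ip, gw_port = parse_login_gateway_response(LOGIN_GATEWAY_BODY)[0]  # 121.0.19.242:16000
    packets = [
        # Two HTTP flows to the same remote ip:port, distinguished only by source port.
        ("tcp", ("10.0.0.5", 40001, "198.51.100.10", 80),
         b"GET /sip/rest HTTP/1.1\r\nHost: sip.alisoft.com\r\nUser-Agent: " + HTTP_UA_MARKER + b"\r\n\r\n"),
        ("tcp", ("10.0.0.5", 40002, "198.51.100.10", 80),
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
        # 80-byte first data segment to the login gateway, then a later segment of the same link.
        ("tcp", ("10.0.0.5", 40003, gw_ip, gw_port), TCP_DATA_PREFIX + bytes(76)),
        ("tcp", ("10.0.0.5", 40003, gw_ip, gw_port), b"\x00\x01 later segment"),
        ("udp", ("10.0.0.5", 50000, "192.0.2.10", 7000), bytes.fromhex("8f010121") + bytes(4)),
        ("udp", ("10.0.0.5", 50001, "192.0.2.11", 7001), b"RUDP" + bytes(12)),
        ("udp", ("10.0.0.5", 50002, "192.0.2.12", 7002), bytes.fromhex("710206") + bytes(5)),
        ("udp", ("10.0.0.5", 53001, "192.0.2.53", 53), b"\x12\x34\x01\x00"),  # unrelated UDP
    ]
    return [fc.classify(proto, flow, data) for proto, flow, data in packets]


if __name__ == "__main__":
    print(demo())
```

Keying the label on the full 4-tuple rather than on the destination alone is what makes the browser-versus-client distinction from the post work; a monitor that keyed on remote ip:port would label both of the first two flows the same way.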
NetEase, all rights reserved © 1997-2017