drcoms / drcom-generic

Dr.COM/DrCOM: now covers the d, p and x versions.
GNU Affero General Public License v3.0
1.15k stars 268 forks

6.0.0(P) heartbeat failure #277

Open sahrechiiz opened 6 years ago

sahrechiiz commented 6 years ago

Log:

[] auth svr: 192.168.167.6
[] pppoe_flag: 2e
[] keep_alive2_flag: dc
[] open local port:61440
[] DEBUG MODE:True
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:070110000283000067523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e67523c000f9775f36f090f4400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:070110000283000083523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e83523c00ace7b8343f22e4a900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:07011000028300009f523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e9f523c0073b397c63837556900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:0701100002830000bb523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002ebb523c009b9523f920ed5ffc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:0701100002820000d6523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002ed6523c0082d65b966f129ba300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:0701100002820000f2523c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002ef2523c007f799ac1cc8d707e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:07011000028200000e533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e0e533c00d838fb96460f7dd700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:070110000281000029533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e29533c008a5dda712c58b96e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:070110000281000045533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e45533c008bd969ae71bd900e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:070110000281000061533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e61533c00f5fdd11e4b46899900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:07011000028100007d533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e7d533c009b4c7047f3fe9fd500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
[] pppoe: received challenge response packet:07011000028200009a533c000ac888e1a8ac00004fe416c100000000dc020000
[] pppoe: send heartbeat request packet:0702600003000000000000000ac888e10062002e9a533c001565d4e955a3d51100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[] pppoe: heartbeat response failed, retry
[] pppoe: reset idx to 0x01
[] pppoe: send challenge request packet:0701080001000000
Traceback (most recent call last):
  File "./drcom", line 450, in <module>
    main()
  File "./drcom", line 446, in main
    pppoe.send(s)
  File "./drcom", line 297, in send
    s.send(data)
  File "./drcom", line 223, in send
    self.s.sendto(data, (self.server, self.port))
socket.error: [Errno 128] Network is unreachable

Packet capture: 600PHB.zip
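Before opening the client binary it is worth reading the capture above mechanically: which bytes of the heartbeat request change between retries, and which of those are simply echoed from the challenge response. The script below is an added example written for this page, not part of drcom-generic and not from the reporter's post. Its input is four challenge-response / heartbeat-request pairs copied from the log; the 64 trailing zero bytes of each heartbeat are regenerated with `ljust()` rather than retyped, on the reading (mine) that byte 2 of the packet, 0x60, is its length, which matches the visible size of the challenge request (0x08) and the heartbeat (0x60). On this capture the only heartbeat bytes that vary and are not copied from the challenge are the 8 at offsets 24..31.

```python
"""Diff the pppoe retries in the capture: which heartbeat bytes change between
retries, and which of them are copied verbatim from the challenge response."""
from typing import Dict, List, Set

# Packets copied from the log in the issue (four of the retries). The heartbeat
# request is 0x60 = 96 bytes and the log shows its last 64 bytes as zeros, so the
# tail is regenerated with ljust() instead of being transcribed again.
CHALLENGE_RESPONSES: List[bytes] = [bytes.fromhex(h) for h in (
    "070110000283000067523c000ac888e1a8ac00004fe416c100000000dc020000",
    "070110000283000083523c000ac888e1a8ac00004fe416c100000000dc020000",
    "07011000028300009f523c000ac888e1a8ac00004fe416c100000000dc020000",
    "0701100002820000d6523c000ac888e1a8ac00004fe416c100000000dc020000",
)]
HEARTBEAT_REQUESTS: List[bytes] = [bytes.fromhex(h).ljust(0x60, b"\x00") for h in (
    "0702600003000000000000000ac888e10062002e67523c000f9775f36f090f44",
    "0702600003000000000000000ac888e10062002e83523c00ace7b8343f22e4a9",
    "0702600003000000000000000ac888e10062002e9f523c0073b397c638375569",
    "0702600003000000000000000ac888e10062002ed6523c0082d65b966f129ba3",
)]


def changed_offsets(packets: List[bytes]) -> Set[int]:
    """Byte offsets at which any later packet differs from the first one."""
    first = packets[0]
    return {i for p in packets[1:] for i in range(len(first)) if p[i] != first[i]}


def copied_dwords(resp: bytes, hb: bytes) -> Dict[int, int]:
    """For every non-zero aligned 4-byte word of the heartbeat, the offset in the
    challenge response where the same 4 bytes occur (hb offset -> resp offset)."""
    out: Dict[int, int] = {}
    for off in range(0, len(hb) - 3, 4):
        word = hb[off:off + 4]
        if word == b"\x00\x00\x00\x00":
            continue                      # zero padding explains nothing
        pos = resp.find(word)
        if pos >= 0:
            out[off] = pos
    return out


def analyse(resps: List[bytes], hbs: List[bytes]) -> Dict[str, object]:
    """Split the varying heartbeat bytes into 'echoed from the challenge' and
    'unexplained', i.e. bytes some local computation must be producing."""
    copied = copied_dwords(resps[0], hbs[0])
    explained = {o + i for o in copied for i in range(4)}
    varies = changed_offsets(hbs)
    return {
        "challenge_varies_at": sorted(changed_offsets(resps)),
        "heartbeat_varies_at": sorted(varies),
        "copied_from_challenge": copied,
        "unexplained": sorted(varies - explained),
    }


if __name__ == "__main__":
    for key, value in analyse(CHALLENGE_RESPONSES, HEARTBEAT_REQUESTS).items():
        print(key, value)
```

The output says the challenge response varies only at bytes 5 and 8, the heartbeat copies challenge bytes 12..15 and 8..11 into its own offsets 12 and 20, and the remaining variable part is exactly 8 bytes at offsets 24..31. That 8-byte width is the thing to match when testing candidate hash functions against the capture.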

xiaoliu-heng commented 6 years ago

From 井大?

sahrechiiz commented 6 years ago

Yep.

xiaoliu-heng commented 6 years ago

The CRC/encryption algorithm changed in 6.0.0p. I tried SHA1, MD5 and MD4 over the same seed and found nothing that matches the data in the original packet.

ly0 commented 6 years ago

Post the client first; ideally for every OS.

sahrechiiz commented 6 years ago

Clients.zip

xiaoliu-heng commented 6 years ago

drcomauthsvr.zip: this is the program extracted from the Mac 6.0.0P (1.7.4p) client while it was running. It binds UDP port 61440 when it runs, so it should be related to the encryption.

xiaoliu-heng commented 6 years ago

Adding the Mac packet capture: 1.zip

ly0 commented 6 years ago

//----- (000057F0) --------------------------------------------------------
int __cdecl GetCrcCheckField(void *a1, size_t a2, int a3, _DWORD *a4, _DWORD *a5)
{
  int result; // eax
  int v6; // edx
  size_t v7; // [esp+4h] [ebp-1C4h]
  int v8; // [esp+Ch] [ebp-1BCh]
  char *v9; // [esp+10h] [ebp-1B8h]
  int *v10; // [esp+14h] [ebp-1B4h]
  char *v11; // [esp+18h] [ebp-1B0h]
  int *v12; // [esp+1Ch] [ebp-1ACh]
  MD5_CTX *v13; // [esp+20h] [ebp-1A8h]
  unsigned __int8 *md; // [esp+24h] [ebp-1A4h]
  int v15; // [esp+28h] [ebp-1A0h]
  _DWORD *v16; // [esp+2Ch] [ebp-19Ch]
  char v17; // [esp+30h] [ebp-198h]
  int v18; // [esp+98h] [ebp-130h]
  int v19; // [esp+9Ch] [ebp-12Ch]
  int v20; // [esp+A0h] [ebp-128h]
  int v21; // [esp+A4h] [ebp-124h]
  int v22; // [esp+A8h] [ebp-120h]
  _DWORD *v23; // [esp+ACh] [ebp-11Ch]
  char v24; // [esp+B0h] [ebp-118h]
  int v25; // [esp+10Ch] [ebp-BCh]
  char v26[12]; // [esp+110h] [ebp-B8h]
  _DWORD *v27; // [esp+11Ch] [ebp-ACh]
  MD5_CTX c; // [esp+120h] [ebp-A8h]
  int v29; // [esp+17Ch] [ebp-4Ch]
  int v30; // [esp+180h] [ebp-48h]
  __int64 v31; // [esp+184h] [ebp-44h]
  unsigned __int64 v32; // [esp+18Ch] [ebp-3Ch]
  void *v33; // [esp+194h] [ebp-34h]
  int v34; // [esp+198h] [ebp-30h]
  int v35; // [esp+19Ch] [ebp-2Ch]
  int v36; // [esp+1A0h] [ebp-28h]
  _DWORD *v37; // [esp+1A4h] [ebp-24h]
  _DWORD *v38; // [esp+1A8h] [ebp-20h]
  size_t v39; // [esp+1ACh] [ebp-1Ch]
  size_t len; // [esp+1B0h] [ebp-18h]
  void *data; // [esp+1B4h] [ebp-14h]
  int v42; // [esp+1B8h] [ebp-10h]

  v16 = a5;
  data = a1;
  len = a2;
  v39 = a3;
  v38 = a4;
  v37 = a5;
  v34 = 0;
  v33 = 0;
  HIDWORD(v32) = 0;
  v15 = 22529;
  if ( a2 > 3 )
  {
    v33 = data;
    HIDWORD(v32) = *(_DWORD *)data & 3;
    if ( v37 )
      *v37 = HIDWORD(v32);
    if ( v39 == 2 )
    {
      *(_DWORD *)((char *)data + len) = 20161130;
      len += 4;
    }
    show_data((int)data, len, v15 + 155434);
    if ( v39 )
    {
      v34 = 1;
      if ( HIDWORD(v32) )
      {
        switch ( HIDWORD(v32) )
        {
          case 1:
            v32 = __PAIR__(1, (unsigned int)v38);
            v31 = 0LL;
            v30 = 0;
            v29 = 0;
            md = (unsigned __int8 *)&v29;
            v13 = &c;
            MD5_Init(&c);
            MD5_Update(&c, data, len);
            MD5_Final((unsigned __int8 *)&v29, &c);
            *(_WORD *)v32 = HIWORD(v29);
            *(_WORD *)(v32 + 2) = v31;
            *(_WORD *)(v32 + 4) = *(_WORD *)((char *)&v30 + 1);
            *(_WORD *)(v32 + 6) = *(_WORD *)((char *)&v31 + 5);
            break;
          case 2:
            v27 = v38;
            *(_QWORD *)&v26[4] = 0LL;
            *(_QWORD *)v26 = 0LL;
            v25 = 0;
            v12 = &v25;
            v11 = &v24;
            MD4Init(&v24);
            MD4Update((int)&v24, (char *)data, len);
            MD4Final((int)&v25, &v24);
            *(_WORD *)v27 = *(_WORD *)((char *)&v25 + 1);
            *((_WORD *)v27 + 1) = *(_WORD *)&v26[4];
            *((_WORD *)v27 + 2) = *(_WORD *)v26;
            *((_BYTE *)v27 + 6) = v26[7];
            *((_BYTE *)v27 + 7) = v26[8];
            break;
          case 3:
            v23 = v38;
            v22 = 0;
            v21 = 0;
            v20 = 0;
            v19 = 0;
            v18 = 0;
            v10 = &v18;
            v9 = &v17;
            SHA1Reset((int)&v17);
            SHA1Input((int)&v17, data, len);
            SHA1Result(&v17, (int)&v18);
            *(_WORD *)v23 = HIWORD(v18);
            *((_WORD *)v23 + 1) = *(_WORD *)((char *)&v20 + 1);
            *((_WORD *)v23 + 2) = *(_WORD *)((char *)&v19 + 1);
            *((_BYTE *)v23 + 6) = HIBYTE(v21);
            *((_BYTE *)v23 + 7) = v22;
            break;
          default:
            v7 = v39;
            ErrorMessage(&aGetcrccheckfie_1[v15 - 22529], v39);
            v34 = 0;
            break;
        }
      }
      else
      {
        *v38 = 20000711;
        *(_DWORD *)((char *)v38 + (_DWORD)&loc_5805 - 22529) = 126;
      }
    }
    else
    {
      *v38 = 20000711;
      *(_DWORD *)((char *)v38 + (_DWORD)&loc_5805 - 22529) = 126;
      v34 = 0;
    }
    v35 = v34;
  }
  else
  {
    v7 = len;
    ErrorMessage(&aGetcrccheckfie[v15 - 22529], len);
    v35 = 0;
  }
  v36 = v35;
  result = v35;
  v6 = **(_DWORD **)(v15 + 235707);
  v8 = v35;
  if ( v6 == v42 )
    result = v8;
  return result;
}

Looks like there is no difference at all...

xiaoliu-heng commented 6 years ago

Right, this algorithm hasn't changed. But the final result is different. Is there some other operation that processes this piece of data?

ly0 commented 6 years ago

Decompile it with IDA F5 and analyse it by hand.

xiaoliu-heng commented 6 years ago

//----- (00028000) --------------------------------------------------------
int __cdecl MadeCmdPacketCRCSum(int a1, int a2)
{
  unsigned __int16 v3; // [sp+8h] [bp-1Ch]@1
  int i; // [sp+10h] [bp-14h]@1

  v3 = 0;
  *(_WORD *)(a1 + a2) = 0;
  for ( i = 0; i < (a2 + 1) / 2; ++i )
    v3 ^= *(_WORD *)(a1 + 2 * i);
  return v3 * (unsigned __int16)PACKET_CRC_CONST;
}

xiaoliu-heng commented 6 years ago

IDA F5's type inference leaves me completely baffled.

ly0 commented 6 years ago

This just XORs over and over and multiplies by a number at the end.
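To make the two listings in this thread testable against a capture, here is a Python reading of them. It is an added example for this page: it is neither drcom-generic's code nor code from the client binary, and everything in it is my interpretation of the decompilation above. GetCrcCheckField selects MD5, MD4 or SHA-1 from `*(_DWORD *)data & 3` (on a little-endian x86 host that is the low two bits of the first byte), appends the constant 20161130 when `a3 == 2`, writes 20000711 and 126 instead of a hash when `a3 == 0` or the mode is 0, and copies eight bytes out of the digest at fixed stack offsets; those offsets are read off the stack layout in the listing (the digest starts at v29, v25 or v18). MadeCmdPacketCRCSum is the XOR-then-multiply ly0 describes. Assumptions: the value of PACKET_CRC_CONST is not on the page, so it is a parameter; the SHA-1 case depends on whether the client's SHA1Result() emits five host-order uint32 words or a big-endian byte string, so a `sha1_host_words` flag covers both orders; MD4 is implemented inline because hashlib's md4 is unavailable on OpenSSL 3 builds.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def select_field(mode: int, digest: bytes) -> bytes:
    """The 8 bytes each switch case copies out of the digest. Offsets follow the
    stack layout in the listing: the digest starts at v29 (MD5), v25 (MD4) or
    v18 (SHA-1) and every store reads one or two bytes at a fixed offset into it."""
    if mode == 1:  # HIWORD(v29), LOWORD(v31), (&v30)+1, (&v31)+5
        return digest[2:4] + digest[8:10] + digest[5:7] + digest[13:15]
    if mode == 2:  # (&v25)+1, &v26[4], &v26[0], v26[7], v26[8]
        return digest[1:3] + digest[8:10] + digest[4:6] + digest[11:13]
    if mode == 3:  # HIWORD(v18), (&v20)+1, (&v19)+1, HIBYTE(v21), LOBYTE(v22)
        return digest[2:4] + digest[9:11] + digest[5:7] + digest[15:17]
    raise ValueError("unknown mode %d" % mode)


def get_crc_check_field(data: bytes, a3: int, sha1_host_words: bool = False):
    """Reading of GetCrcCheckField(a1, a2, a3, a4, a5): returns (result, a4, a5)."""
    if len(data) <= 3:                                  # ErrorMessage(...) path
        return 0, b"", None
    mode = data[0] & 3                                  # *(_DWORD *)data & 3, little-endian
    if a3 == 2:
        data = data + struct.pack("<I", 20161130)       # appended before hashing
    constant = struct.pack("<II", 20000711, 126)        # a4[0], a4[1] in the non-hash paths
    if a3 == 0:
        return 0, constant, mode
    if mode == 0:
        return 1, constant, mode
    if mode == 1:
        digest = hashlib.md5(data).digest()
    elif mode == 2:
        digest = md4(data)
    else:
        digest = hashlib.sha1(data).digest()
        if sha1_host_words:
            # Assumption: if the client's SHA1Result() stores five host-order uint32
            # words, the bytes sit little-endian in memory; reverse each 4-byte group.
            digest = b"".join(digest[i:i + 4][::-1] for i in range(0, 20, 4))
    return 1, select_field(mode, digest), mode


def made_cmd_packet_crc_sum(data: bytes, crc_const: int) -> int:
    """Reading of MadeCmdPacketCRCSum(a1, a2): XOR of the packet as little-endian
    16-bit words (a zero word is stored at a1+a2 first, so an odd tail byte counts
    as one word) times PACKET_CRC_CONST, whose value the listing does not show."""
    padded = data + b"\x00\x00"
    acc = 0
    for i in range((len(data) + 1) // 2):
        acc ^= struct.unpack_from("<H", padded, 2 * i)[0]
    return (acc * (crc_const & 0xFFFF)) & MASK32


if __name__ == "__main__":
    # Constructed input: first byte 0x03 selects the SHA-1 case.
    sample = bytes.fromhex("0300000067523c000ac888e1")
    print(get_crc_check_field(sample, 1)[1].hex(), get_crc_check_field(sample, 1, True)[1].hex())
    print(hex(made_cmd_packet_crc_sum(sample, 0x1234)))
```

To test a capture against this, feed in whatever bytes the client hashes (the listing does not show which buffer `a1` points at) with `a3` set to 1 and to 2, and compare the 8-byte result for all three modes and both SHA-1 byte orders with the 8 varying bytes of the heartbeat request. If nothing matches, the input to the function, not the hash selection, is what changed in 6.0.0P, which is consistent with xiaoliu-heng's observation that the algorithm itself looks unchanged.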

sahrechiiz commented 6 years ago

By the way, the Windows client keeps "stopping working", but the connection doesn't drop.

xiaoliu-heng commented 6 years ago

@sahrechiiz Why does mine not only stop working but also lose the connection?

sahrechiiz commented 6 years ago

Mine doesn't drop while I'm playing PUBG; it just keeps popping up.

sahrechiiz commented 6 years ago

After a reboot it stops popping up.

sahrechiiz commented 6 years ago

Also: the dorm router never lost power, and after the school's update it kept working and no longer dropped at night. Two days later the network felt a bit laggy so I rebooted it, and then found the heartbeat no longer passes. I set one up for another dorm earlier and theirs still works fine.

xiaoliu-heng commented 6 years ago

Reboot the router and it's done for. I also thought it wasn't going to drop any more.

linshigongzi commented 6 years ago

I'm at 井大 too...

linshigongzi commented 6 years ago

Can't get past the heartbeat. What do I do?

linshigongzi commented 6 years ago

Can you teach me? QQ215851318

sahrechiiz commented 6 years ago

It's not that you did something wrong; the experts just haven't found the problem yet (;´∀`)

linshigongzi commented 6 years ago

I also rebooted the router back then. Sigh.