Happy Elimination Happy Holiday Protocol Decryption

Protocol/protocol/flow/volume/decryption/encryption

Analyze the protocol encryption method of the game traffic of Happy Elimination Happy Holiday.

sequence

Happy Elimination Happy Holiday is a synthesis + simulation home improvement game. In this game, you will become a passionate designer and run a studio with your friends. You'll need to redesign each room according to your client's needs, creating stunning and unique designs. Using your own imagination and creativity, you will conquer the challenge and create amazing crafts! This game can be played on multiple platforms, including iOS, Android, and applets. It seemed to be very popular a while ago. Someone asked me to play it, but the result was that the other party couldn’t use it due to the slow work of habitual work. Consider giving it a try.

Book

There is no doubt that for this type of archive game, the protocol routine is the same, and the data is encrypted. On the whole, a large series of archived data is uploaded to the server during the game, downloaded from the server at the right time, and synchronized to the local use. In the process of uploading and downloading, there are some checks, and of course, some risk control strategies. On the server or client side, it's done.

download archive

This game uses HTTP to upload and download archives, and the URL used by the applet is this:

https://kxjr.vzhifu.net/wxxyx/userinfo/getinfo

Using a POST request, the request body data is as follows:

params={"appid":"38865",
            "prjid":"38865",
            "openid":"ohk81cccccccY",
            "chaid":"wechat",
            "timestamp":"1673596666000",
             "sign":"660767676767677676E0B2C8607151"
            }

The only thing to watch here is the sign value, which can be obtained by adding salt and then MD5. The salt value can be obtained by unpacking the small program package. For unpacking the small program, please refer to the article before the end of the article, or find me in the background (public account: protocol Analysis and Restoration).

The developer of Android and iOS should be the same person, and the URL used is this:

https://kxjr.app.vzhifu.net/dnwx/game/login/v2

This packet capture process needs to pay attention to using the appropriate method.

Using a POST request, the request body data is as follows:

params= {
        "accountType": "0",
        "aid": "2ec511b87b96d69e",
        "appid": "38823",
        "brand": "apple",
        "chaid": "ios",
        "cmd": "1002",
        "email": "",
        "gold": "0",
        "idfa": "",
        "itemList": "",
        "level": "0",
        "loginId": "xxxx",
        "lsn": "220360577",
        "lv": "0",
        "model": "iphone11",
        "netType": "2",
        "os": "ios",
        "pid": "38111117",
        "pkgName": "com.xzd.holiday.hlxc",
        "pwd": "",
         "sign": "xxxx",
        "sysVer": "28",
        "timestamp": "1337049333359",
        "userName": "",
        "wxhead": "",
        "wxid": "",
        "wxname": ""
    }

There is still only the calculation of the sign value that needs attention. Add salt and then MD5 to get it. The salt value can be obtained from the program. If you encounter difficulties, you can find me in the background (public account: protocol analysis and restoration).

upload archive

In the process of uploading archives, the URL used by the applet is this:

https://kxjr.vzhifu.net/wxxyx/userinfo/update

Android and iOS use this:

https://kxjr.app.vzhifu.net/dnwx/game/report/v2

The archive inside is basically the same as the downloaded response body. There is a large amount of data or zipuserdata in an itemList, which needs to be decoded by base64, gzip, and then unquote, find the resources inside, process the values inside, and then reverse the process to restore :

itemdatab64=player['itemList']['data']#这个里面的resources 里面时数据，改这个才生效
    itemdata=base64.b64decode(itemdatab64.encode())
    itemdataunzip=gzdecode(itemdata)
    itemdataurldec =  urllib.parse.unquote(itemdataunzip)
    itemdatajson=json.loads(itemdataurldec)
    resources=itemdatajson['resources']

The rest is very simple, if you encounter problems, you can still find me.

Postscript