Lianxin's session encryption key negotiation process

"An introduction to the negotiation process of Lianxin's session encryption key."

The framework of the protocol and the data format used in it were introduced in earlier posts on this official account; review them if necessary:

The overall framework of the Lianxin protocol

Lianxin's protobuf data format

This article introduces the session encryption key negotiation process of Lianxin.

While Lianxin is in use, the data on both the long connection and the short connections is encrypted with AES CBC. The encryption key and the initialization vector (iv) are negotiated when you log in and when you open the app, and both are sent from the server.

The Lianxin login process comes in two forms. In the first, you have not logged in on the current mobile phone before and you log in with the mobile phone number. In the second, you have already logged in on the current mobile phone and the verification information has been saved.

01

auth_login login

The first is login verification with the account number after the verification code. The URL used by the iPhone version is:

https://short.lianxinapp.com/webuic/auth/v13/auth_login.json

The message looks like this:

In the request, a Content-Encrypted-ZX value of 1 indicates that the request body is encrypted, and Content-CKey-Version gives the version of the RSA encryption key. Content-CKey holds the RSA-encrypted AES ECB key, and the request body is encrypted with that AES key.

The contents of the request body are as follows:

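    import json

    def build_auth_login_payload(channel, bundleid, resolution, localip, Resource,
                                 vcode, idfa, idfv, sdid, dhid, hashKey, authKey):
        """Assemble the plaintext auth_login request body (before AES ECB encryption)."""
        # Device fingerprint, embedded in the payload as a JSON string
        dfp = {
            "teamid": "",
            "isJailbreaking": False,
            "channel": channel,        # e.g. "appstore"
            "simulator": "0",
            "dylib": "",
            "bundleid": bundleid,      # e.g. "com.zenmen.palmchat"
            "resolution": resolution,  # e.g. "640-1136"
            "ip": localip,             # e.g. "192.167.2.88"
        }
        dfpstr = json.dumps(dfp)

        payload = {
            'channelId': channel,      # e.g. 'appstore'
            'idfa': idfa,
            'sdid': sdid,
            'deviceId': dhid,
            'hashKey': hashKey,
            'appList': '{}',
            'platform': Resource,      # e.g. 'iphone'
            'versionCode': vcode,      # e.g. '200404'
            "did": dhid,               # same value as deviceId
            "idfv": idfv,
            "authKey": authKey,
            "dfp": dfpstr,
        }
        return payload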

The RSA key used to encrypt the data in Content-CKey depends on the value of Content-CKey-Version. One of the versions is:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhCalnroo3exCtNnDnk66dCGCiq/WVjYdwmlyPCubzRBD+0MZbQUpaZzWqguQ1XAxgFai/Qod+L0ALS7UptvXhCHxAY+Wh6mco876S9RDpMUcZvj0Ma1UK0o/StNvrJOOyZWRWQhXir/T93rkavKVu/VJqJFFOcq4sz9WqhjeDOwIDAQAB

Of course, when the RSA key is different, the version value vxx in the URL is different too.

The decrypted content of the response body includes some information on the server and the key and iv for subsequent encryption:

"{\n  \"resultCode\":0,\n  \"data\":{\n    \"uid\":\"490xxx92\",\n    \"skey\":\"kp1bppYcF1yA0W6Z\",\n    \"iv\":\"B5le192ZOPZZ2chq\",\n    \"sessionId\":\"34daxxx7e56b10fca16993\",\n    \t\"refreshKey\":\"iMvq3kwJXbQh0Wlt\",\n    \"account\":\"\",\n      \t\"nickname\":\"\u53e4\u53e4\u602a\u602a\",\n      \t\"pyInitial\":\"GGGG\",\n      \t\"pyQuanPin\":\"GuGuGuaiGuai\",\n    \"headImgUrl\":\"https://avatar.cdn.lianxinapp.com/avatar2/u/c/2020/5/1/e/a/1cbc07gefxxx7a63205f38f-q9nbqj.crop\",\n    \"headIconUrl\":\"https://avatar.cdn.lianxinapp.com/avatar2/u/c/2020/5/1/e/a/1cbc0xxx5af48e08f9357a63205f38f-q9nbqj_small.crop\",\n      \t\"signature\":\"\u5f53\u7136\",\n    \"ic\":\"1\",\n    \"privacyConfig\":\"0\",\n    \"phone\":\"438xxxx4\",\n    \"sex\":0,\n    \"country\":\"\",\n    \"province\":\"\",\n    \"city\":\"\",\n    \"birthday\":\"\",\n    \t\"age\":0,\n\t    \"hobby\":\"\",\n    \"email\":\"\",\n    \"syncKey\":\"1\",\n    \"version\":\"17030009\",\n    \"newUser\":1,\n    \"hintStyle\":0,\n    \"showUserStyle\":0,\n    \"exid\":\"V1qYdxxx-jn8gv\"\n  }\n}"

02

token login

The second is the login verification performed every time the app is opened. The URL used by the iPhone version is:

https://short.lianxinapp.com/token/v10/ak

The message looks like this:

As with the auth_login login, a Content-Encrypted-ZX value of 1 in the request indicates that the request body is encrypted, Content-CKey-Version gives the version of the RSA encryption key, and Content-CKey holds the RSA-encrypted AES ECB key. The request body is encrypted with that AES key.

The contents of the request body are as follows:

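    def build_token_payload(aesecbkey, sessionId, sdid, refreshKey):
        """Assemble the plaintext token-login request body."""
        payload = {
            'ckey': aesecbkey,         # the AES ECB key (variable name as in the original)
            'sessionId': sessionId,    # a field of this name appears in the auth_login response
            'sdid': sdid,
            'refreshKey': refreshKey,  # a field of this name appears in the auth_login response
        }
        return payload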

The RSA key used to encrypt the data in Content-CKey is the same as for auth_login.

Here too, the version value vxx in the URL is different when the RSA key is different.

The decrypted content of the response body includes the key and iv for subsequent encryption:

"{\"key\":\"LlGQmBfQurP1X13p\",\"iv\":\"uJt76oWLOlrvKV7z\",\"sync\":0,\"exid\":\"5d1kNyyPPxxxx1-JgG55\",\"resultCode\":0}"

This process is equivalent to updating the key and iv once, and subsequent data encryption is performed using this pair of key and iv.
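
A reviewer's check of the key material returned by both login flows described above (auth_login and token login), as an added example that is not code from the original article or from Lianxin. It normalizes the differing field names (data.skey/data.iv versus key/iv) and validates the sizes for AES CBC; the function names and the alphanumeric-alphabet assumption are introduced here, and the sample bodies are trimmed from the responses shown on this page.

```python
import json
import math
import string

# Constructed samples: the two decrypted response bodies shown on this page,
# trimmed to the fields used below.
AUTH_LOGIN_BODY = ('{"resultCode":0,"data":{"uid":"490xxx92",'
                   '"skey":"kp1bppYcF1yA0W6Z","iv":"B5le192ZOPZZ2chq",'
                   '"refreshKey":"iMvq3kwJXbQh0Wlt"}}')
TOKEN_BODY = ('{"key":"LlGQmBfQurP1X13p","iv":"uJt76oWLOlrvKV7z",'
              '"sync":0,"resultCode":0}')

AES_BLOCK = 16  # AES block size in bytes, which is also the CBC IV size


def session_material(decrypted_body):
    """Return (key, iv) as bytes from either decrypted login response.

    auth_login nests the pair under "data" as skey/iv; the token
    endpoint returns key/iv at the top level.
    """
    doc = json.loads(decrypted_body)
    if doc.get("resultCode") != 0:
        raise ValueError("login failed: resultCode=%r" % doc.get("resultCode"))
    data = doc.get("data")
    if isinstance(data, dict) and "skey" in data:
        key, iv = data["skey"], data["iv"]
    else:
        key, iv = doc["key"], doc["iv"]
    key, iv = key.encode("ascii"), iv.encode("ascii")
    if len(key) not in (16, 24, 32):
        raise ValueError("not an AES key length: %d" % len(key))
    if len(iv) != AES_BLOCK:
        raise ValueError("CBC IV must be %d bytes, got %d" % (AES_BLOCK, len(iv)))
    return key, iv


def entropy_upper_bound_bits(key):
    """Upper bound on the entropy of a key made only of ASCII letters/digits.

    Assumption (not stated on the page): keys are drawn from the
    62-character alphanumeric alphabet that all four samples here use.
    """
    alphabet = (string.ascii_letters + string.digits).encode("ascii")
    if any(b not in alphabet for b in key):
        return 8.0 * len(key)  # arbitrary bytes: full width
    return len(key) * math.log2(len(alphabet))
```

The 16-character values select AES-128, with at most about 95.3 bits of key entropy under that assumption. Because one key and iv pair is used for all subsequent data, messages that begin with the same plaintext blocks will begin with the same ciphertext blocks under CBC.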

03

Finish

That is the key negotiation process. The crucial step is finding the RSA public key. The public key in this article is the test-version public key from the iOS version of Lianxin; to avoid trouble, its official public key will not be released.


Origin blog.csdn.net/yeyiqun/article/details/108191446