The overall framework of the Lianxin protocol



"The overall framework of the Lianxin protocol."

A while ago the Lianxin protocol work was shelved: the risk control has been difficult and probably can't be passed, plus there are a bunch of other muddled problems, so there seemed to be no way forward on the protocol side. I'm putting it out so everyone can play with it together, and I hope everyone will help.

I'll write slowly, and you can read slowly. If you have any questions, send a private message or leave a comment, and we'll try to work through them together.

01

Overall situation

Lianxin's protocol, at the level of the overall framework, is a bit like WeChat's, but in essence it is really not.

Its Android and iOS versions share the same general protocol framework, with some subtle differences in keys and domain names. The Android version is relatively hard to analyze, so I didn't do it.

The following describes the flow of the whole app.

First, when the app is opened, risk control kicks in: this is Shumeng's (shuzilm) risk control, an HTTP message to the shuzilm domain. I ignored it at first, and later found out that an account registered that way is half dead: it can't be seen by others and can't actively add others. Prompted by various experts, I then looked into it. This risk control can be passed, and a real device can be used to generate the data. Shumeng's data can be decrypted and inspected, but Shumeng's server won't tell you whether the risk control result passed; there should be other interfaces for getting that.

At the same time, there are three HTTP(S) endpoints that are active from the moment the app opens. They should be the risk control of Lianxin's own family, Brother Da Nian's line of business, reporting various actions and statuses. There is far too much data in them; I don't know where it all comes from, so I suspect it's up to no good. Fortunately, I'm impatient.

Second, login uses a third-party phone-number SMS verification code. Of course, this third party is still part of the Lianxin family; the Lianshang series of products is a model of the so-called "fat water doesn't flow to outsiders' fields", that is, keeping it all in the family.

After the third-party login comes the login to Lianxin's own real server, wrapped in HTTP or HTTPS, where an RSA public key is used to encrypt the transmitted data for key negotiation. I couldn't work out the Android public key; the RSA public keys for iOS and Android are different. The server returns the AES key and IV that are used for encryption after this login.

After login, a persistent TCP connection is established, over which the various messages are transmitted. There is also a short-lived HTTP connection that carries data such as updates, tokens, synchronization, registration and authentication; the encryption method of the two is the same.

Every time you switch the app to the background, wait a while and switch back, the Lianxin app refreshes the token once, which is equivalent to going online again; most likely this is a bug in the system's implementation.

After a successful login you can send and receive messages, "stand on the street", add friends, post to Moments, and so on.

Of course, a lot of logs and other information are uploaded while the app runs. Every operation in the app reports data to domains under 51y5.net. This should be Lianxin's own risk control. As for the data in it, at this point I basically just gave up.

That is basically the information related to the overall flow.

02


Risk control related

Lianxin's protocol looks easy to implement: find the RSA public key, plus a few fixed keys and IVs, and you can encrypt all the data. But once that is done, you find that the risk control is the hard part.

First, when the app starts, Shumeng's risk control is invoked to collect basic device information: network interface, MAC, IP, carrier, various device IDs and so on. Friends interested in researching it can search the web for analyses of Shumeng's data collection:

This data is reported via the http://idaa.shuzilm.cn/report interface, and the server simply returns success to the client.

It contains a cdid, an ID generated by Shumeng itself. My own guess is that Shumeng's customers use this ID to query Shumeng's server about whether the device passes risk control.

Second, Lianxin logs in with a phone number, and it is very picky about that number. At the very least, numbers from online SMS-receiving platforms are basically useless: the account won't be seen by people nearby and can't add friends or say hello, though passive operations still work, and more often an exception pops up right after registration that blocks you from logging in.

There is a simple way to tell whether an account is dead. The first thing you see after registering and entering Lianxin is a recommendation page; if the first few recommended entries have a colored ring, the account is live. At the protocol level you can see the uid of each recommended entry: if they are all very small values, the recommendations are all bots, and without doubt you have been flagged as a dead account. For example, when the recommended data looks like this, it is a dead account:

The link to obtain the recommended data is:

http://short.lianxinapp.com/recommend/v5/getRecommendUser.json

Finally, even once these risk controls are passed, it is still not enough. As mentioned earlier, while Lianxin runs, every in-app operation and log is reported to Lianxin's servers. The reported information is very messy; the following URLs are the main ones:

http://kepler.51y5.net/alps/fcompb.pgs
http://dcmdaa.51y5.net/dc/fcompb.pgs
http://taichi-pub.51y5.net/alps/fcompb.pgs
https://log.lianxinapp.com/logs/v2/realtime

The content sent to the log URL is somewhat clearer: it is not encrypted at the application layer and relies only on the outer HTTPS transport:

--X5uNEck44kxP1C1l38Q_KF2f1kxwtThFjqi6p
Content-Disposition: form-data; name="logType"


1000
--X5uNEck44kxP1C1l38Q_KF2f1kxwtThFjqi6p
Content-Disposition: form-data; name="isGzip"


0
--X5uNEck44kxP1C1l38Q_KF2f1kxwtThFjqi6p
Content-Disposition: form-data; name="file"


{"index":{"_index":"zhangxin-client-20xxxx","_type":"log","_id":"xxxx"}}
{"pfm":"xxxx","uid":"xxx","ver":"200422","ts":xxxx,"@timestamp":"2020xxxx+0800","did":"xxxxx","log_code":1000,"imei":"xxxx","mac":"xxxxx","channelId":"xxxx","uiType":1,"pth":"1p","extra":"{\"uid\":\"xxxx\",\"mid\":\"xxxx\"}","action":"1","comp":"12"}


--X5uNEck44kxP1C1l38Q_KF2f1kxwtThFjqi6p--

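To see exactly what leaves the device in one of these uploads, here is an added example (not code from the original post or from Lianxin) that parses a constructed copy of the multipart body above and inventories the device and user identifiers it carries; the `file` part is in Elasticsearch bulk format (an action line followed by a document line), and the nested `extra` JSON string is decoded as well. The boundary and all field values are placeholders copied from the capture, not real data.

```python
import json

# Constructed sample modelled on the capture above; every value is a placeholder, not real data.
BOUNDARY = "X5uNEck44kxP1C1l38Q_KF2f1kxwtThFjqi6p"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n" 'Content-Disposition: form-data; name="logType"\r\n\r\n1000\r\n'
    f"--{BOUNDARY}\r\n" 'Content-Disposition: form-data; name="isGzip"\r\n\r\n0\r\n'
    f"--{BOUNDARY}\r\n" 'Content-Disposition: form-data; name="file"\r\n\r\n'
    '{"index":{"_index":"zhangxin-client-20xxxx","_type":"log","_id":"xxxx"}}\n'
    '{"pfm":"xxxx","uid":"xxx","ver":"200422","ts":1590000000,"did":"xxxxx","log_code":1000,'
    '"imei":"xxxx","mac":"xxxxx","extra":"{\\"uid\\":\\"xxxx\\",\\"mid\\":\\"xxxx\\"}","action":"1"}\n'
    f"\r\n--{BOUNDARY}--\r\n"
)
# Fields that identify the device or user; these are what a privacy/telemetry review inventories.
IDENTIFIER_FIELDS = ("imei", "mac", "did", "uid")

def parse_multipart(body: str, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: raw value}."""
    parts = {}
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":      # preamble, or the closing "--boundary--" marker
            continue
        header, _, value = chunk.partition("\r\n\r\n")
        name = header.split('name="', 1)[1].split('"', 1)[0]
        parts[name] = value
    return parts

def parse_bulk_log(ndjson: str) -> list:
    """Decode the Elasticsearch bulk-style 'file' part: alternating action and document lines."""
    lines = [ln for ln in ndjson.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("bulk payload must consist of action/document line pairs")
    records = []
    for action_line, doc_line in zip(lines[::2], lines[1::2]):
        doc = json.loads(doc_line)
        if isinstance(doc.get("extra"), str):   # 'extra' is JSON nested inside a JSON string
            doc["extra"] = json.loads(doc["extra"])
        records.append((json.loads(action_line), doc))
    return records

def inventory(body: str, boundary: str) -> dict:
    """Summarise one upload: log type, target index, record count and identifiers shipped."""
    parts = parse_multipart(body, boundary)
    if parts.get("isGzip") != "0":
        raise ValueError("gzip-compressed file parts are not handled by this example")
    records = parse_bulk_log(parts["file"])
    found = {f: doc[f] for _, doc in records for f in IDENTIFIER_FIELDS if f in doc}
    return {"logType": parts["logType"], "index": records[0][0]["index"]["_index"],
            "records": len(records), "identifiers": found}
```

Run `inventory(SAMPLE_BODY, BOUNDARY)` against a real capture (with its own boundary) to list which hardware identifiers each log type reports.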

The POST request bodies of the several 51y5 links are more complicated and encrypted with AES-CBC, but the format is basically uniform. The outer format is as follows:

Here headpb is protobuf-encoded and encdata is the encrypted data. The AES key and IV are independent for each of the several links, and independent per platform as well.

The format of the data before encdata is encrypted is as follows:

Here encpb1 and encpb2 are both protobuf-encoded.

The response body is also encrypted. The outer layer:

The inner encdata:

Does it look clean? It took me a long time to abstract and organize it like this. In fact, there are still some muddled things in it.

03


To be continued

That's all for today. If there is demand, more details will be added later. I hope everyone will share their advice so we can make progress together.



Source: blog.csdn.net/yeyiqun/article/details/107502788