DrCOM(ver.D) in HHU Packet Analysis


0x00 Packet List

  1. Challenge
  2. Login
  3. Logout
  4. KeepAlive_1
  5. KeepAlive_2

0x01 Login & Logout Route

0x011 Login Route

First, a chanllange packet is made and sent to server, and the response should start with 0x02 and contain 4 bytes salt at the offset 0x14.

Second, a login packet can be made with the salt we've got, after we send it to the server, it should respond with data which starts with 0x04 provided that the username and password are correct, if not, the response data should start with 0x?? 0x05. Then at the offset 0x17 we can find the 16 bytes tail, which can be used for next KeepAlive procedure or logout route.

Third, with the help of salt and tail, a KeepAlive_1 packet can be built and sent. If the server response starts with 0x07, we can go to next phase, which is KeepAlive_2.

Fourth, a KeepAlive_2 packet is made by tail2 and svr_num then sent to server, these data are in return updated within the procedure.

Finally, we step into the final procedure, KeepAlive_Loop. In this stage, we continually make and send KeepAlive_1 and KeepAlive_2 packet, but different to KeepAlive_2 phase, the tail2 is now a constant and only the svr_num is getting updated in the progress.

0x012 Logout Route

First, make challenge to obtain the salt just like what we do in Login Route.

Second, use the salt acquired in first phase and the tail got in Login Route to generate the logout packet, if the return data from server starts with 0x04, the logout procedure ends.

Aforementioned routes can be illustrated via following figure.

0x02 Packet Detail

0x021 Challenge

Challenge packet should be consist of 20 bytes, it follows the pattern below:

the third byte and fourth byte is random byte, it is doesn't matter what they are, but make sure that every challenge use different bytes.

A code sample to generate Challenge packet

0x22 Login

Login packet should be consist of 400 bytes, it follows the struct below:

In Header part, it follows the pattern below:

the fourth byte should be the username's length plus 20.

in PasswordMd5 part, we have to undergo a MD5 encryption progress, the MD5 source's size is equal to password's length plus 6, and it follows the pattern below:

the first 4 0x?? byte is the salt we obtained in above challenge process, and the following 0x?? byte is the password.

the PasswordMd5 is 16 bytes long and it is the hash of MD5 source, we can call it MD5A, it will be used in following KeepAlive packet.

In Account part, we should fill the bytes with username. Attention should be paid to it that we should truncate the bytes if the username is too long and make sure it won't be longer than 36.

In ControlCheckStatus part, we should fill two bytes with _CONTROLCHECKSTATUS and _ADAPTERNUM. To different college's client, these two parameters may vary, when it comes to HHU, they should be 0x20 and 0x01.

In MacAddrXORPasswordMD5 part, we xor on the PasswordMD5 with user's mac address, it should be 6 bytes long.

In PasswordMd5_2 part, we create a new MD5 source whose length is  password's length plus 9, we fill  the first byte with ox01, and copy the password and salt to the rest part of it. Finally, we copy the 16 bytes long hash of the new MD5 source to the login packet.

In HostIpNum and HostIPList part, we fill the first byte with 0x01, which is the ip_number, and the rest part should be hexadecimal form of host_ip, which is 4 bytes long. If your college has multiple campuses, the host_ip may differ. In HHU, this part should be:

In HalfMD5 part, we create another MD5 source whose length is the current packet length(not 400) plus 4, and we fill the the current packet into the source then fill the last 4 bytes with:

afterwards, we insert the hash of this source, which should be 8 bytes long, into the packet.

In DogFlag and unkown2 part, it consists of 4 bytes data, we can leave the rest 3 bytes 0x00, and the first byte, it depends on client version and protocol, for HHU, it should be 0x01.

In HostInfo part, the _tagHostInfo can be desribed as the following struct:

the HostName in HHU is "fuyumi". The DNSIP1,DHCPServerIP,DNSIP2 depend on your campus, for HHU, they are { 202, 119, 112, 32 }, { 202, 119, 113, 125 } and { 202, 119, 112, 32 }.

WINSIP1 and WINSIP2 can be left blank.

the OSVersion's struct is depicted as follows:

the OSVersionInfoSize is 0x94,0x00,0x00,0x00.

the MajorVersion is 0x05,0x00,0x00,0x00.

the MinorVersion is 0x01,0x00,0x00,0x00.

the BuildNumber is 0x28,0x0A,0x00,0x00.

the PlatformID is 0x02,0x00,0x00,0x00.

the ServicePack is the hash of "Windows 10" or other system's tag.

Now we have come to the last part of Login packet, the CheckSum, I will show you the code since it is hard to describe how the algorithm works in text.

That's the end of the login packet, A sample code is listed as follows:

0x23 Logout

The logout packet is much simpler than the login packet, if you are using a unlimited traffic account, you even don't need to do logout. But if not, you have to pay attention to do a logout so as to avoid additional traffic fee.

The logout packet should be 80 bytes long, and it start with 0x06,0x01,0x00,0x??. The fourth byte is the byte form of username's length plus 20.

First, we create a MD5 source whose length is password's length plus 6, it follows the pattern below:

Then, we calculate the hash of the source, and paste the 16 bytes hash to the packet.

Afterwards, we fill the next 36 bytes with the username.

The next 2 bytes should be _CONTROLCHECKSTATUS and _ADAPTERNUM mentioned before in Login packet.

Furthermore, now we should use the MD5 source we created in first step, and copy the first 6 bytes into the packet and make a XOR operation over the bytes.

Finally, we copy the 16 bytes tail to the end of the packet. A logout packet is done.

The sample code is listed below:

0x24 KeepAlive_1

The KeepAlive_1 packet is a 42 bytes long byte array, which starts with 0xff.

Remember the hash MD5A we made in Login packet? Now we have to copy the first 16 bytes of it to the KeepAlive_1 packet.

After doing this, we add another 3 0x00 to the packet and copy the 16 bytes tail and 2 bytes random number to the end of packet.

Then the KeepAlive_1 packet is finished.

The sample code is listed as follows:

0x25 KeepAlive_2

There are 3 types of KeepAlive_2 packet, the first 2 types is used in KeepAlive_1 and KeepAlive_2 Routing and the last type is used in KeepAlive_Loop Routing, they are almost the same, but a small difference exists.

The KeepAlive_2 packet is a 40 bytes long packet, which starts with {0x07,0x??,0x28,0x00,0x0b,0x??}.

The first 0x?? is the svr_num, the second one is the type_num used to distinguish KeepAlive_2 packet in different route, the first 2 types are 1, the last type is 3.

For the first 2 types, there are difference in the next 2 bytes. One type is {0x0F,0x27}, the other one is the _KEEPALIVE_VERSION, for HHU, it is { 0xdc, 0x02 }.

The next 8 bytes should be:

Then we insert the first 4 bytes of tail to the packet.

If the type_num is 1, we are finished here, but if it is 3, we have to copy the host_ip to the postition which is 12 bytes after the tail inserted position.

The example code is listed as follows:

0x03 Reference

https://github.com/drcoms/drcom-generic

https://github.com/yang-er/jlu-drcom-csharp

声明:Edward Linus|版权所有,违者必究|如未注明,均为原创|本网站采用BY-NC-SA协议进行授权

转载:转载请注明原文链接 - DrCOM(ver.D) in HHU Packet Analysis


[stay(s) for s in ['humble','diligent']]