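QQ Protocol Analysis: TCPF Packet Data Analysis

This document describes the field contents of TCPF packets after decryption. For how to decrypt them, see the other related documents. The analysis is based on QQ2003 (0808), internal version code 0A1D.

0x0022, login command

Sender: client
Sample:
000: 4A355D6EAEDBFA9C
008: 96BE197EA3E2B248
016: 0000000000000000
024: 0000000000000000
032: 0000003A309B6960
040: A83273B2221FAA65
048: 6C09F8010A3A0D30
056: 92CD77AB42B9BC64
064: 9F1757D4C3

000-015: The result of encrypting an empty string, using the MD5 of the MD5 of the user's QQ password as the key. The TEA algorithm in version 0A1D uses random padding, so this value looks different every time, but it always decrypts to an empty string.
016-016: Always 0x00.
017-020: Formerly the IP address, now all zeros. It is not known whether machines with a public Internet IP send a real address here.
021-022: Formerly the port number, now all zeros.
023-051: Meaning unknown, always the same.
052-052: Login mode. 0A is normal, 28 is invisible.
053-068: Appears to be a machine-related identifier; it is always the same on the same machine.

Responder: server
Sample of a successful login:
000: 0061425845556B58
008: 7A425736786E4941
016: 5901825D9040E7A7
024: E30FA07F0000011F
032: 403F5122DA030A5B
040: 8350D29155AEFC3A
048: 5BD4E93197C58513
056: 646B300ACEF1333D
064: 8DC2CF1F403DACF9
072: 8E1F4000001CBB67
080: 00CB49E6FFB6FB01
088: 97416E9630487648
096: EFB81D1E5AEAEBE9
104: AB004A23D2000000
112: 0000000000000000
120: 0040E7A7E33F5122
128: 9100000000000000
136: 00

000-000: Should be 0 for a successful login.
001-016: The key for subsequent communication.
017-020: The QQ number that logged in.
021-026: The client's IP address and port number as detected by the server.
027-032: 127.0.0.1:8000, presumably the server's own IP and port as it detects them? Purpose unknown.
033-036: Time of this login?
......
063-068: An IP address with port 8000, purpose unknown.
069-074: An IP address with port 8000; this address is the server used for DTPF protocol group communication.
075-076: Always 0, presumably a separator.
......
109-120: Always 0.
121-124: The client's IP. (IP of the previous login?)
125-128: Time of the previous login or logout?
...
129-136: Always 0.
Others: unknown.

Sample of a wrong password (decrypted with RandomKey):
000: 02C3DCC2EBB4EDCE
008: F3A3A1

000-000: Wrong password: 02.
001-010: The string "密码错误!" ("Wrong password!"), GB18030 encoded.

Request to log in at another server (not observed; according to the perl-OICQ material):
000-000: Redirect to a new server: 01.
001-004: The requested QQ number.
005-008: The new server IP.
009-010: The new server port number.

0x0001, logout command

Sender: client (sent 4 times in a row)
Sample:
000: 4280D89A5A03F812
008: 751F504CC10EE8A5

000-015: The MD5 of the MD5 of the QQ password.

0x001D, unknown command

Sender: client, sent after a successful login, and always two in a row.
First sample:
000: 03

000-000: Always 03, presumably a subcommand.

Second sample:
000: 04

000-000: Always 04, presumably a subcommand.

Responder: server (fixed-length response)
First response sample:
000: 0300526576656D6D
008: 4135655254644E36
016: 644B000000000000
024: 000000000000383D
032: 1E4A4E3653878EB5
040: E0245C97808C6423
048: F4FFBC426972391D
056: F631226537BE00D1
064: 8EA6F84C7582F7B4
072: 491FFF723E260113
080: 1B18F65ABD8E5800
088: 010000

000-000: 03, presumably indicating a response to subcommand 03.
001-001: 00, presumably a separator.
002-017: 16 characters, consisting entirely of letters and digits.
018-029: All 0.
030-030: Always 38, presumably the length of the data that follows.
...
087-090: Always 00010000.

Second response sample:
000: 040043447A7A3863
008: 746A52554B553543
016: 526B000000000000
024: 00000000000038A2
032: 5BB9D30E67E893BD
040: 0EB4F6AEBF5447D7
048: 0F69845DF2815DD8
056: 12BFEC1E1A83D258
064: 1D94D403EB913B13
072: A6B466375CA19648
080: 158FBDE0A86C5F00
088: 010000

000-000: 04, presumably indicating a response to subcommand 04.

0x0006, get user information

Sender: client
Sample:
000: 3235333230383438

The QQ number of the user whose information is requested, as an ASCII string.

Responder: server
Sample:
000: 3235333230383438
008: 1E6A6566665F7965
016: 636E1ED6D0BBAAC8
024: CBC3F1B9B2BACDB9
032: FA1EB9E3B6ABCAA1
040: 1E3531303030301E
048: 646F6E672066656E
056: 672072642E203134
064: 351E2D1E33311EC4
072: D01E2D1E6A656666
080: 5F7965636E407369
088: 6E6F6D61632E636F
096: 6D1E1E1E1E301E1E
104: CDA8D0C51E2D1E30
112: 1E1E1E3230341E31
120: 3330303531363132
128: 34341E301ECFB2BB
136: B6BACDC8CEBACEC8
144: CBC1C4CCECA1A31E
152: B9E3D6DD1E2D1E2D
160: 1E301E321E301E55
168: 5354431E31321E31
176: 321E321E301E2D

The returned value consists of a series of fields. Numbers are also represented as strings, and many fields that were not filled in contain "-". Fields are separated by 1E. Their meanings, in order:
QQ number
Nickname
Country
Province
Postal code
Street address
Telephone
Age
Gender: the GB encoding of 男 (male) or 女 (female)
Real name
E-mail
Pager code
Pager number
Pager provider
Paging station number
Pager type
Occupation
Home page
Authentication mode for adding as a friend: '0' no authentication, '1' authentication required, '2' adding not allowed
Unknown 20
Unknown 21
Avatar: a number 0-255 in string form; every three values form one set of normal, away and busy avatars
Mobile phone number
Mobile phone type: '0' means no mobile QQ, '1' means mobile QQ is enabled
Self-description
City
Unknown 27
Unknown 28
Unknown 29
Mobile phone visibility: '0' public, '1' friends, '2' not public
Contact information visibility: '0' public, '1' friends, '2' not public
School
Constellation: for the mappings of the following, see pagers.plist
Chinese zodiac sign
Blood type
QQShow
Unknown 37

0x000D, set status

Sender: client
Sample:
000: 0A00000000

000-000: Status: 0A normal, 1E away, 40 invisible.
001-004: Always 0.

Responder: server
Sample:
000: 30

Returns 30 ('0') on success.

0x0026, get friend list

Sender: client
Sample:
000: 000000

000-001: Position marker of the friend list to fetch (the first request starts from 0000; later requests use the marker value from the previous response packet).
002-002: Always 0. (QQ2000 does not have this data.)

Responder: server
Sample:
000: 00320172D19000ED
008: 110004B0A2BBA200
016: 00017455CD00D815
024: 0106BBA8D4F3C0E0
032: 0240017C133000DE
040: 180108CFEBB7C9B5
048: C4D0C40000017C50
056: 8A00991D00034759
064: 480002017D1A2A00
072: B7000104D4B6BABD
080: 0000017E79A500A2
088: 130104D1A9C2D800
096: 000181E125002117
104: 0107B2BBD2AABFDE
112: 2000000001829000
120: 601F00046A656666
128: 000000133EDF0060
136: 1701092020736162
144: 72696E6100400032
152: F55E003919010679
160: 766F6E6E65000000
168: 38F3B900C3000008
176: CAB1B4FAC0CFC8CB
184: 0000004198950090
192: 1501044465657200
200: 000044B710009014
208: 0108D4C2B9E2C5AE
216: BAA2020000550461
224: 0090110108C6AFC1
232: C1B1A6B1B4020000
240: 59AF2100601A0107
248: CFB8CEC3D7D07E02
256: 66005A869B002100
264: 0104C0B6D6BD0000
272: 005C036E00A52000
280: 06B3CCBAA3C2D700
288: 0000677CEC00721C
296: 00066A6163333333
304: 000000707FC80078
312: 000104C3A8C1E100
320: 00008200BF005100
328: 0009202020B7BDBE
336: F5CFFE000000A0C0
344: 6A0063120104C3CE
352: BEB2000000D10659
360: 0060000008D2BBBD
368: A3C6AECFE3004000
376: F0BA07008A000104
384: C7E0C7E0000000F2
392: 699F00AB16010A5E
400: 5F5EC7EFC7EF5E5F
408: 5E000001031B4400
416: D5130008B0AEC4E3
424: B5C4C8CB0000010F
432: A2D5007802010557
440: F2ABC4DE02400117
448: 48760051000006BA
456: DCB0B2C8AB000001
464: 3BADD700F018010A
472: B9C6BBF3A1CACCEC
480: CAB900000144AE12
488: 008720000A202020
496: 205151D6AEB8B800
504: 0001B38C7100991A
512: 0008C3E6B4F8CEA2
520: D0A6000001C02968
528: 00F9120106D0A1C0
536: B1BDB7000001CA96
544: 0300F9000104D0A1
552: BBA2024001CB81C2
560: 009012010B4CA1EE
568: 7665CFE3C4CEB6F9
576: 000001E91B7F000C
584: 180008B6FEC2BFB1
592: E4C1CB00000220F1
600: D400A8130104CEA8
608: D2BB00000236B507
616: 00A81A0104BFC9DD
624: E60200024C038800
632: A80F010CA6C4A6D3
640: A7F1A7D1C6A1C0E6
648: 0200024D988B00B4
656: 16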
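
The three 0x0022 login reply layouts described earlier on this page (success, wrong password, redirect) can be decoded with one dispatcher on the first byte. This is an added Python example, not part of the original document; the function names are hypothetical, the success body is constructed with documentation addresses, and big-endian byte order is an assumption consistent with the successful-login sample.

```python
import socket
import struct

def endpoint(buf, off):
    """4-byte IPv4 address followed by a 2-byte big-endian port (assumed order)."""
    return socket.inet_ntoa(buf[off:off + 4]), struct.unpack_from(">H", buf, off + 4)[0]

def parse_login_reply(body):
    """Parse a decrypted 0x0022 reply body using the byte offsets listed on this page."""
    if not body:
        raise ValueError("empty reply body")
    status = body[0]
    if status == 0x00:  # success
        if len(body) < 75:
            raise ValueError("success reply truncated before offset 074")
        return {
            "result": "ok",
            "session_key": body[1:17],                            # 001-016
            "qq": struct.unpack_from(">I", body, 17)[0],          # 017-020
            "client_seen_as": endpoint(body, 21),                 # 021-026
            "server_self": endpoint(body, 27),                    # 027-032
            "login_time": struct.unpack_from(">I", body, 33)[0],  # 033-036, tentative
            "dtpf_server": endpoint(body, 69),                    # 069-074
        }
    if status == 0x02:  # wrong password: GB18030 text follows the status byte
        return {"result": "bad_password",
                "message": body[1:].decode("gb18030", errors="replace")}
    if status == 0x01:  # redirect (from perl-OICQ material, not observed on the page)
        if len(body) < 11:
            raise ValueError("redirect reply truncated before offset 010")
        return {"result": "redirect",
                "qq": struct.unpack_from(">I", body, 1)[0],       # 001-004
                "new_server": endpoint(body, 5)}                  # 005-010
    raise ValueError(f"unknown status byte 0x{status:02X}")

def build_constructed_success():
    """Constructed 75-byte success body; values are made up, not captured data."""
    body = bytearray(75)
    body[1:17] = b"0123456789abcdef"
    struct.pack_into(">I", body, 17, 10001)
    body[21:27] = socket.inet_aton("192.0.2.10") + struct.pack(">H", 4000)
    body[27:33] = socket.inet_aton("127.0.0.1") + struct.pack(">H", 8000)
    struct.pack_into(">I", body, 33, 1062281946)
    body[69:75] = socket.inet_aton("198.51.100.7") + struct.pack(">H", 8000)
    return bytes(body)

BAD_PASSWORD_SAMPLE = bytes.fromhex("02C3DCC2EBB4EDCEF3A3A1")  # bytes from this page

if __name__ == "__main__":
    for sample in (build_constructed_success(), BAD_PASSWORD_SAMPLE):
        print(parse_login_reply(sample))
```

Offsets 037-062 and everything past 074 are left undecoded because the page marks them as elided or unknown.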