模拟实现msn登陆过程(MSNP15)
2009-07-23 11:28
337 查看
这几天了解了一下msn协议的登陆部分,凑了几段代码实现了,有资料的话没什么难度,主要是了解一下相关的过程和机制。下面模拟的是msn 8.5.1238 版本(实际上就是抓包然后填到程序里) 废话少说,直接开始吧(细节不说了,自己补课) 首先登陆DS服务器:messenger.hotmail.com:1863 VER 1 MSNP15 MSNP14 MSNP13 CVR0 VER 1 MSNP15 MSNP14 MSNP13 CVR0 CVR 2 0x0804 winnt 5.1 i386 MSG80BETA 8.5.1238 msmsgs test@hotmail.com USR 3 SSO I test@hotmail.com CVR 2 8.1.0178 8.1.0178 8.1.0178 http://msgruser.dlservice.microsoft.com/download/B/D/3/BD343317-2DBF-48FE-8BD9-9E3212D65E6A/Install_Messenger.exe http://get.live.com/cn XFR 3 NS 207.46.108.67:1863 U D 获得NS服务器的地址:207.46.108.67:1863,后面要用;使用https进行Passport的验证过程,获得登陆必需的ticket和BinarySecret。msnp15采用了SSO的方式进行认证。SSO,Single Sign-On,我的理解就是一次验证便可获取对应不同服务的ticket。访问https://login.live.com/RST.srf,并且POST下列xml内容
{7108E71A-9926-4FCB-BCC9-9A9D3F32E423} 4 1 AQAAAAIAAABsYwQAAAAyMDUy test@hotmail.com test http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue http://Passport.NET/tb http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messengerclear.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messenger.msn.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue contacts.msn.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messengersecure.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue spaces.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue storage.msn.com 注意其中的 http://schemas.xmlsoap.org/... messengersecure.live.com 每一个RST对应于一个服务,比如上面这个就是messengersecure.live.com了。一般会有下面几个: messengerclear.live.com:用于msn的认证 messenger.msn.com:msn网页认证 contacts.msn.com:Contact server 的认证 spaces.msn.com:msn spaces 的认证 当然,最重要的别忘了填入用户名和密码^_^ POST成功以后,接收服务器返回的内容,也是xml的:
1 00067FFEA125C93F 4.0.5633.0 3.100.2179.0 0x48803 0x0 BAYPPLOG2A06 2007.07.10.00.04.54 MH=; path=/; domain=.msn.com; expires=Wed, 30-Dec-2037 16:00:00 GMT MHW=; path=/; domain=.msn.com; expires=Thu, 30-Oct-1980 16:00:00 GMT MH=; path=/; domain=.live.com; expires=Wed, 30-Dec-2037 16:00:00 GMT MHW=; path=/; domain=.live.com; expires=Thu, 30-Oct-1980 16:00:00 GMT true 7b7c11618b2f2d9a 1 urn:passport:legacy http://Passport.NET/tb 2007-09-13T01:41:28Z 2007-09-14T01:41:28Z http://Passport.NET/STS ATLrT3rRR8zHnGWNy4dPvrnLjY3xMFwEUc4LcPJQAsuPeYbft6mBs/V+P3iTpCbWfwyCO+OtZbt6RGyEKnmpOFuVXLBZ3atB02Rpu2xcK2+mkpnZC1Qso/T9Fe5kakO5qOVQj9IlBlElfxCvjP8Tg/Re0426i+pe2+tIWrjYuRpaUjpyaw/hc3/j01ZrHBfZz4zeTKs27gbFgug7foJ6hBxYzL5VpK9cyTsZyO+VRznRjGvo7/Sc9fEsSfgkuKZS9kIjfSOH9uIYCm//UDbzJfdcvnI+fsVzF/6ef7Icv9xT2KFLbfhGbhGaghjF9wYjZ6LAY+inun5F5yYnGYI13t52myKUQQ7phuO0QKG4RvhBv7BvuZ4MgYLClcLG2f0+0lN91MILxQ6cTxMz8XQy3pnB1w3PL2sCWQGhGBXMU9hYW97+V1XwujWGak73nqrWssJbe90= WIU5wm+snSOlmofVFw0dhe/8/0RtPj3o urn:passport:compact messengerclear.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwBIAswbAQAUs1/VcBU2sH7mwYy3BysWZ71CRDGAAIfUuctsB2U2m79i4QxvkDMHYSWdJOP8LFJpjV9pD5klSgcVE8Z6dcJC5ebppv0j90QvWNwBAcrwLjvRTboV8DnRIGzrYHGkLcYwXiLEM4S1F6lT3pxup+/jU8Cd402e05dVKUE6/FQk/D73AKFBm5q6dMaql7XbN5cZxc/Kj6VxA2YAAAgc+RFTh2xYzJgBesaKCJnKus5wW9J6WppJ3SpGz4P6QZkaA+8r3e3CuQYCgXKuPCpnQdgeJlelZt4uXbCKDU/ln8F9cFbMYAKvgoCWOsu1QsHk43t59vkpsvQnwg2CS5ARkop2/iud4dFrXxkMVVXEjO2xZKNisefE9HT/MnVR/4+bwPtWmCsJ0p4HpYtYzMc4Zu2j33hR7nkM3x87K95eJ+HC1N0cFDFHpDmBBYdQ3oaR8Faxi2Yx6cfaWXM/uExdldcCCRbsuBk0a4cXO+xq2eypPPFnYs/T73m34enbvjJTPV532wLJ1z7JSYFEhHodmdxJhquHfPrz8eve+4tzjMqtNP0jy9Xk7G7+o1fcCt7u9k3pIydXbwFv3FFm9sP8lrNuQq6/8dOQpXIMQ0+LDd3OS3bWGqwAfvk6cak+xVB8trOpSFaijZpCNv6jnLsGDvIxSWUBXsRm3JooV8/SMFuJEUCDKVLw77FreVz5Yu8mtFpTn52a+iIxXRl8HKFc7Mmg+a3D5b441seyr2CsZHWuEuooa/bNJivSCOqS29hMogE=&p= nQxBa/vqQ7rC/4lCKemlPPGYwiIf5sQk urn:passport:legacy messenger.msn.com 2007-09-13T01:41:28Z 2007-09-13T01:49:48Z t=9f1kwMVt8HI11ZMGynBpTk9b8K0LpmcY3YqfiFkcHmDQJogbzZyWvsn9SZ7Rel0tgUiTosdUotoGaaXcOwXC4X4lci7jR0mK*DuS0ocFBPmaEXJTq8xUF5UGUiIiv7t46t&p=9DR5dce4tGhM6N5XZG6vKb8uxjswww8Esc*Y*JghIMSWI5!ZyBiBHhnatz1P7xzDaJmgx9tf3OuMmtr*t*btBrjTx2StrO0TvsnwZUon!CQhHlkYK2blKMXlhrof9O7mQ2ytdloWhXoq!KuRWXxgQoUZyWZjC0WYusIjaIvEUa*ZU$ urn:passport:compact contacts.msn.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAAcBdAAAU7/9PdvvYJ23zPPtor/FYp6zOOb+AABUNAHBVIIifFj3qmqBZhJs0Bc3VWtLJoEBxH7T5+nW5TlsKToefZ0YgHEgaxE7gtCM0wTBBFjDA9df7H1jUx6V3QDDQFHByb6WkWSqrk99/TJ3+lMLeMB8SPaXES1ZHiqRTjnT4ta/fwvxoEw+ZTPO/o6HSOu9L91iP9tf1inahA2YAAAgmYvttWSQqCRABPQyikAvUy93r6eBUtapuOZu1O9YRmV1cqNV/1VTx6JdSom/3x32P/BgCZs8VjdQGpGaPhUiQs9HV8ufvmNfnk8xu+IEv8+N5P1xv2CWEceNPKJ/EhiAQEWB9y8i3yOVaywIegvEfqoE8xMDJPO5o43pIiS0xg0s8ntPdg6ATuVmdzS9NbrzZwWQXfXP1E2xJFJ4NqdPRXnhuCNdHavk+YPd7gVdrBPM1EF+A7zruzG/94euC0Sdw03400jt42Lh7YrqXjiY3NFVtc50mE30UOYIU9nZz7FAHmOZffX/QVN8HQixUZCG568fma51Pb1v3ZjYyMDW3CsDwh7eOQGBT3PoUpj6z8YIan2/cWCp2clciAQ==&p= urn:passport:compact messengersecure.live.com 2007-09-13T01:41:28Z 2007-09-14T01:41:28Z t=EwDAATIiAQAUno9QpucDnNi8T5syqJTstzjjm3WAAF0zVmkkTtjdJWEF16otckRaNSTfmPSJE6NA8LjA96t5kWvG/RxR9xG1X5SPIjftUMobZQq+Qilg/TQdEukbra5uYqgt2Gw37M6aopEe1zuqKcO6QtJuZJam08kohqLQfLNHoUabbVHE9mwyajhargs8hHz5JKNnUc/jd5kfbcmgA2YAAAi6PjAH1aqujRABCkmg56fEF6Ujl4p6VaZm/zx+C80C529UQDn1V7WqUySLsdhxWJDoy1G22WQlyV5/c1fan1d7EC+gV70/d77BA2bHleOLnrBQWyECfoah/XRIJRqJ5CVNvRaN2KFB5C/fTwgLulI6UBqcMgDm7O/V8xgH2JSsR2U+ps9tNiYcj0EpMSZFiNWIozXC211gOCfv+3s8/ZRJNKhTNWb9IyA/2e7tvmKHHqI0iALFsEQ7xgogKPiU1V8Zb1DBQBNK/ekEQ6hAXNPEF3606wcVrdomO+BStqEbDFVankTlEkikTgQoK+QPYZ2thyKeiQkgiGN4qnHi/a3CzKiM+IRQsZA/LjVqpj4G497aLQmvUZ9sTF4iAQ==&p= urn:passport:compact spaces.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAARAnAAAURATre1Nkcu71L953y0QRAvwyKdOAANj6EddaH2UO/jVHlOjovb18yvn3KMHKs4zT8e9faKchYDlA1XPRaOxw2B93oqPwPJswZVRCY1IgBS3fTHd4HgasQGi89VVpl12lBwG5lgPPGE8NrS/frhOLScm2Py8q+oqzRSU40ZvHSQvoXQLWbktBq+brpJ/sCfnOInECG1qYA2YAAAg0lAeYfjrozhABxvngo2FVy1VCWecQcTHdPZMq2WGoz8csK89x2xUajaJ2+izlQNmBLg4/WyP11RsHY140ueqFLCnbcKt8NvwV+Y5U1iC0VtN4ky0tJQKUV0V1zG/VBIwCe7qbNGBxF1rrq+L9tC0blGbajPbkZVcAuAKQ7EmGQVVmbKeijZA/i2pYreMGXnHIUEB7wr8icdoeXTaoEwLsWH00S/rmA77BzC6v4CDUY8lw7wo1acTxn/9zsb8V7QYaafXSZILJ0lHQ1Hmz0aMxRRlQQAiXqFnlznhqNDu6I9NzJBm13ycxx5staZi7xjvrv8svCvGeX0Z++kVcaNwi1dNpmpX5Y+wCbATgGz5tah5SLQ44BBvr0zUiAQ==&p= urn:passport:compact storage.msn.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAAW+jAAAU7/9PdvvYJ23zPPtor/FYp6zOOb+AAOztl5rymSKrVexJAxpbKrIhqLKeglw+nhOvKDzoJbJBajlOpZ4PCHef0hQ4x3KWoE6Awz9abj3ACemcGwCLAEm7vnnQNjueDLzsomCIsdtZyiAWN6QAAjKavhQuDxEzPEF894au9lnvXJ53YAv9mZRFL4jRnql8U4wUEMS4M7oOA2YAAAioM9DwyzgDgBABiS/OhBKYEjw/S0Yx7Ygk/WDuVe+HTStTFl7996q06jnPueC7+F0DL6psv2QYukK4LpF/7XGkesXJAAHZDEuZdpkzOirXfe12mFnGYR7V82wjIMIj4cElhnt8+0w2/gl4LzHg/DpiETauqBQpC8r11JkcBy7UszfiLVm8JOykmSoHtxs8f8E3QsC3Lqv9guNRe+/7sol/rfkIgK86g/s0p1gKYYbUBi3nAVNINDrb3xUOBo7aqs/qw39/Z4A/2M4Bkq+SZAthjnygXcRNKJU2BXjRlIS76f1hupKUTJSGahN4KlpzHxGvr9BvTIc+ekND4s8BraTDt8zrWFe9Ee5eZ+tiunLcwV3/6nef2cMzhlsiAQ==&p= 对应的,每一个RST都会返回一个这样的内容: urn:passport:compact messengerclear.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwBIAswbAQAU...=&p= nQxBa/vqQ7rC/4lCKemlPPGYwiIf5sQk 其中的BinarySecurityToken就是这个服务的ticket了,就是"t="后面的那一串。我们要实现msn的登陆过程,则上面内容中的BinarySecret也是需要用到的。 好,现在我们已经获得登陆必需的ticket和BinarySecret了,可以连接NS服务器了。 通信过程如下 VER 4 MSNP15 CVR0 VER 4 MSNP15 CVR0 CVR 5 0x0804 winnt 5.1 i386 MSG80BETA 8.5.1238 msmsgs test@hotmail.com CVR 5 8.1.0178 8.1.0178 8.1.0178 http://msgruser.dlservice.microsoft.com/download/B/D/3/BD343317-2DBF-48FE-8BD9- 9E3212D65E6A/Install_Messenger.exe http://get.live.com/cn USR 6 SSO I test@hotmail.com USR 6 SSO S MBI_KEY_OLD PKD3fof9V9uwVWrUxMEpi+Dki1oMkO1tpthPVEKjB7DGHwrkyBYzb6mOnU3EHlPi GCF 0 69 ... USR 7 SSO S t=EwBIAswbAQAU...=&p= HAAAAAEAAAADZgAA... USR 7 OK test@hotmail.com 1 0 SBS 0 null ... BLP 8 BL BLP 8 BL ADL 9 67 ... ADL 9 OK PRP 10 MFN g PRP 10 MFN g CHL 0 29987175131175130567 QRY 12 PROD0118R6%2WYOS 32 4c6b96c27122919ae4a8d24a3015313d QRY 12 在USR 6 SSO S 处获得服务器发送的Nonce,就是MBI_KEY_OLD后面的那一串;然后在USR 7 SSO S 处发 送认证的内容,包含了两部分,第一个t=...就是上面获得的ticket了,后面的那一串实际上是一个结 构体的内容,这个结构体由BinarySecret和获得的Nonce生成,具体的生成算法见http://msnpiki.msnfanatic.com/index.php/MSNP15:SSO,我把代码也一块贴上吧: CString GenerateLoginBlob(CString key, CString challenge) ...{ BYTE key1[24] = ...{0}; BYTE key2[24] = ...{0}; BYTE key3[24] = ...{0}; BYTE hash[20] = ...{0}; BYTE randomdata[8] = ...{0}; CString szRet =""; DWORD dwBase64Size; CryptStringToBinary(key,0,CRYPT_STRING_BASE64,0,&dwBase64Size,0,0); ASSERT(dwBase64Size<=24); if (dwBase64Size>24) return ""; dwBase64Size = 24; CryptStringToBinary(key,0,CRYPT_STRING_BASE64,key1,&dwBase64Size,0,0); DeriveLoginKey(key1,24,"WS-SecureConversationSESSION KEY HASH",key2,24); DeriveLoginKey(key1,24,"WS-SecureConversationSESSION KEY ENCRYPTION",key3,24); HCRYPTPROV hProvider; if ( !CryptAcquireContext(&hProvider,0,0,PROV_RSA_FULL,0) ) if(!CryptAcquireContext(&hProvider,0,0,PROV_RSA_FULL,CRYPT_NEWKEYSET)) return ""; ...{ HCRYPTKEY hCryptKey; HCRYPTKEY hCryptKey2; BYTE * pImportKey = new BYTE[ 24+STDKEYHDRSIZE ]; memcpy(pImportKey,cKeyStdHeader,STDKEYHDRSIZE); memcpy(pImportKey+STDKEYHDRSIZE,key2,24); CryptImportKey(hProvider,pImportKey,24+STDKEYHDRSIZE,0,CRYPT_SF,&hCryptKey2); memcpy(pImportKey+STDKEYHDRSIZE,key3,24); if ( CryptImportKey(hProvider,pImportKey,24+STDKEYHDRSIZE,0,CRYPT_SF,&hCryptKey) ) ...{ HCRYPTKEY hKeyDupe1; HCRYPTKEY hKeyDupe2; HCRYPTHASH hHash; CryptDuplicateKey(hCryptKey,0,0,&hKeyDupe1); DWORD dwMode = CRYPT_MODE_CBC; CryptSetKeyParam(hKeyDupe1,KP_MODE,(BYTE*)&dwMode,0); if (CryptCreateHash(hProvider,CALG_HMAC,hCryptKey2,0,&hHash)) ...{ HMAC_INFO hmcinfo; ZeroMemory(&hmcinfo, sizeof(HMAC_INFO)); hmcinfo.HashAlgid = CALG_SHA1; CryptSetHashParam(hHash,HP_HMAC_INFO,(BYTE*)&hmcinfo,0); DWORD dwDataLen = challenge.GetLength(); CryptDuplicateKey(hKeyDupe1,0,0,&hKeyDupe2); CryptEncrypt(hKeyDupe2,0,TRUE,0,0,&dwDataLen,0); CryptDestroyKey(hKeyDupe2); if ( dwDataLen > 0) ...{ CryptGenRandom(hProvider,8,randomdata); CryptSetKeyParam(hKeyDupe1,KP_IV,randomdata,0); BYTE * pEncryptBytes = new BYTE[dwDataLen]; ZeroMemory(pEncryptBytes,dwDataLen); memcpy(pEncryptBytes,(LPCSTR)(LPCTSTR)challenge,challenge.GetLength()); DWORD dwData = challenge.GetLength(); if (CryptEncrypt(hKeyDupe1,hHash,TRUE,0,pEncryptBytes,&dwData,dwDataLen)) ...{ ASSERT(dwData == 72); // The size of the encryption *should* always be 72. If it's not you'll need to fix it. dwData = 20; CryptGetHashParam(hHash,HP_HASHVAL,hash,&dwData,0); MSGUSRKEY usrkey; memcpy(usrkey.aIVBytes, randomdata,8); memcpy(usrkey.aHashBytes, hash,20); memcpy(usrkey.aCipherBytes , pEncryptBytes,72); CryptBinaryToString((BYTE*)&usrkey,sizeof(MSGUSRKEY),CRYPT_STRING_BASE64, 0,&dwBase64Size); CryptBinaryToString((BYTE*)&usrkey,sizeof(MSGUSRKEY),CRYPT_STRING_BASE64, szRet.GetBuffer(dwBase64Size),&dwBase64Size); szRet.ReleaseBuffer(); szRet.Replace(" ",""); } delete[] pEncryptBytes; } CryptDestroyHash(hHash); } CryptDestroyKey(hKeyDupe1); CryptDestroyKey(hCryptKey); } delete[] pImportKey; if ( hCryptKey2 ) CryptDestroyKey(hCryptKey2); CryptReleaseContext(hProvider,0); } return szRet; } 好了,当服务器回应USR 7 OK时,就登陆上去了。ADL是发送联系人列表,这个列表是通过https方式从contacts.msn.com服务器得到的,这个过程同样也需要对应的ticket,这里就不详述了。(msn只在第一次登陆时从服务器上获取列表,以后就直接从本地的加密文件中读取。) 登陆成功以后,服务器会发送一个验证请求,就是CHL命令,带了一串challenge,需要我们回应正确的验证值。验证值由challenge、PRODUCT_KEY和PRODUCT_ID生成,其中PRODUCT_KEY和PRODUCT_ID是两个固定的字符串,不同版本的msn有着不同的key和id,比如我们现在模拟的这个版本就分别是: PRODUCT_KEY:YIXPX@5I2P0UT*LK PRODUCT_ID:PROD0118R6%2WYOS 验证值生成如下: int MSN_handle_chl(char *input, char *output) ...{ char *productKey = MSN_PRODUCT_KEY, *productID = MSN_PRODUCT_ID, *hexChars = "0123456789abcdef", buf[BUFSIZE]; unsigned char md5Hash[16], *newHash; unsigned int *md5Parts, *chlStringParts, newHashParts[5]; LONG64 nHigh=0, nLow=0; int i, bigEndian; /**//* Determine our endianess */ bigEndian = isBigEndian(); /**//* Create the MD5 hash */ _snprintf(buf, BUFSIZE-1, "%s%s", input, productKey); MD5((unsigned char *)buf, strlen(buf), md5Hash); /**//* Split it into four integers */ md5Parts = (unsigned int *)md5Hash; for(i=0; i<4; i++) ...{ /**//* check for endianess */ if(bigEndian) md5Parts[i] = swapInt(md5Parts[i]); /**//* & each integer with 0x7FFFFFFF */ /**//* and save one unmodified array for later */ newHashParts[i] = md5Parts[i]; md5Parts[i] &= 0x7FFFFFFF; } /**//* make a new string and pad with '0' */ _snprintf(buf, BUFSIZE-5, "%s%s", input, productID); i = strlen(buf); memset(&buf[i], '0', 8 - (i % 8)); buf[i + (8 - (i % 8))]='/0'; /* split into integers */ chlStringParts = (unsigned int *)buf; /* this is magic */ for (i=0; i<(strlen(buf)/4)-1; i+=2) { LONG64 temp; if(bigEndian) { chlStringParts[i] = swapInt(chlStringParts[i]); chlStringParts[i+1] = swapInt(chlStringParts[i+1]); } temp=(md5Parts[0] * (((0x0E79A9C1 * (LONG64)chlStringParts[i]) % 0x7FFFFFFF)+nHigh) + md5Parts[1])%0x7FFFFFFF; nHigh=(md5Parts[2] * (((LONG64)chlStringParts[i+1]+temp) % 0x7FFFFFFF) + md5Parts[3]) % 0x7FFFFFFF; nLow=nLow + nHigh + temp; } nHigh=(nHigh+md5Parts[1]) % 0x7FFFFFFF; nLow=(nLow+md5Parts[3]) % 0x7FFFFFFF; newHashParts[0]^=nHigh; newHashParts[1]^=nLow; newHashParts[2]^=nHigh; newHashParts[3]^=nLow; /* swap more bytes if big endian */ for(i=0; i<4 && bigEndian; i++) newHashParts[i] = swapInt(newHashParts[i]); /* make a string of the parts */ newHash = (unsigned char *)newHashParts; /* convert to hexadecimal */ for (i=0; i<16; i++) { output[i*2]=hexChars[(newHash[i]>>4)&0xF]; output[(i*2)+1]=hexChars[newHash[i]&0xF]; } output[32]='/0'; return 0; } 如上向服务器发回验证值,服务器回复QRY则说明通过验证,否则会断开连接。至此登陆验证过程完毕。 本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/iiprogram/archive/2008/04/16/2298867.aspx
{7108E71A-9926-4FCB-BCC9-9A9D3F32E423} 4 1 AQAAAAIAAABsYwQAAAAyMDUy test@hotmail.com test http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue http://Passport.NET/tb http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messengerclear.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messenger.msn.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue contacts.msn.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue messengersecure.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue spaces.live.com http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue storage.msn.com 注意其中的 http://schemas.xmlsoap.org/... messengersecure.live.com 每一个RST对应于一个服务,比如上面这个就是messengersecure.live.com了。一般会有下面几个: messengerclear.live.com:用于msn的认证 messenger.msn.com:msn网页认证 contacts.msn.com:Contact server 的认证 spaces.msn.com:msn spaces 的认证 当然,最重要的别忘了填入用户名和密码^_^ POST成功以后,接收服务器返回的内容,也是xml的:
1 00067FFEA125C93F 4.0.5633.0 3.100.2179.0 0x48803 0x0 BAYPPLOG2A06 2007.07.10.00.04.54 MH=; path=/; domain=.msn.com; expires=Wed, 30-Dec-2037 16:00:00 GMT MHW=; path=/; domain=.msn.com; expires=Thu, 30-Oct-1980 16:00:00 GMT MH=; path=/; domain=.live.com; expires=Wed, 30-Dec-2037 16:00:00 GMT MHW=; path=/; domain=.live.com; expires=Thu, 30-Oct-1980 16:00:00 GMT true 7b7c11618b2f2d9a 1 urn:passport:legacy http://Passport.NET/tb 2007-09-13T01:41:28Z 2007-09-14T01:41:28Z http://Passport.NET/STS ATLrT3rRR8zHnGWNy4dPvrnLjY3xMFwEUc4LcPJQAsuPeYbft6mBs/V+P3iTpCbWfwyCO+OtZbt6RGyEKnmpOFuVXLBZ3atB02Rpu2xcK2+mkpnZC1Qso/T9Fe5kakO5qOVQj9IlBlElfxCvjP8Tg/Re0426i+pe2+tIWrjYuRpaUjpyaw/hc3/j01ZrHBfZz4zeTKs27gbFgug7foJ6hBxYzL5VpK9cyTsZyO+VRznRjGvo7/Sc9fEsSfgkuKZS9kIjfSOH9uIYCm//UDbzJfdcvnI+fsVzF/6ef7Icv9xT2KFLbfhGbhGaghjF9wYjZ6LAY+inun5F5yYnGYI13t52myKUQQ7phuO0QKG4RvhBv7BvuZ4MgYLClcLG2f0+0lN91MILxQ6cTxMz8XQy3pnB1w3PL2sCWQGhGBXMU9hYW97+V1XwujWGak73nqrWssJbe90= WIU5wm+snSOlmofVFw0dhe/8/0RtPj3o urn:passport:compact messengerclear.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwBIAswbAQAUs1/VcBU2sH7mwYy3BysWZ71CRDGAAIfUuctsB2U2m79i4QxvkDMHYSWdJOP8LFJpjV9pD5klSgcVE8Z6dcJC5ebppv0j90QvWNwBAcrwLjvRTboV8DnRIGzrYHGkLcYwXiLEM4S1F6lT3pxup+/jU8Cd402e05dVKUE6/FQk/D73AKFBm5q6dMaql7XbN5cZxc/Kj6VxA2YAAAgc+RFTh2xYzJgBesaKCJnKus5wW9J6WppJ3SpGz4P6QZkaA+8r3e3CuQYCgXKuPCpnQdgeJlelZt4uXbCKDU/ln8F9cFbMYAKvgoCWOsu1QsHk43t59vkpsvQnwg2CS5ARkop2/iud4dFrXxkMVVXEjO2xZKNisefE9HT/MnVR/4+bwPtWmCsJ0p4HpYtYzMc4Zu2j33hR7nkM3x87K95eJ+HC1N0cFDFHpDmBBYdQ3oaR8Faxi2Yx6cfaWXM/uExdldcCCRbsuBk0a4cXO+xq2eypPPFnYs/T73m34enbvjJTPV532wLJ1z7JSYFEhHodmdxJhquHfPrz8eve+4tzjMqtNP0jy9Xk7G7+o1fcCt7u9k3pIydXbwFv3FFm9sP8lrNuQq6/8dOQpXIMQ0+LDd3OS3bWGqwAfvk6cak+xVB8trOpSFaijZpCNv6jnLsGDvIxSWUBXsRm3JooV8/SMFuJEUCDKVLw77FreVz5Yu8mtFpTn52a+iIxXRl8HKFc7Mmg+a3D5b441seyr2CsZHWuEuooa/bNJivSCOqS29hMogE=&p= nQxBa/vqQ7rC/4lCKemlPPGYwiIf5sQk urn:passport:legacy messenger.msn.com 2007-09-13T01:41:28Z 2007-09-13T01:49:48Z t=9f1kwMVt8HI11ZMGynBpTk9b8K0LpmcY3YqfiFkcHmDQJogbzZyWvsn9SZ7Rel0tgUiTosdUotoGaaXcOwXC4X4lci7jR0mK*DuS0ocFBPmaEXJTq8xUF5UGUiIiv7t46t&p=9DR5dce4tGhM6N5XZG6vKb8uxjswww8Esc*Y*JghIMSWI5!ZyBiBHhnatz1P7xzDaJmgx9tf3OuMmtr*t*btBrjTx2StrO0TvsnwZUon!CQhHlkYK2blKMXlhrof9O7mQ2ytdloWhXoq!KuRWXxgQoUZyWZjC0WYusIjaIvEUa*ZU$ urn:passport:compact contacts.msn.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAAcBdAAAU7/9PdvvYJ23zPPtor/FYp6zOOb+AABUNAHBVIIifFj3qmqBZhJs0Bc3VWtLJoEBxH7T5+nW5TlsKToefZ0YgHEgaxE7gtCM0wTBBFjDA9df7H1jUx6V3QDDQFHByb6WkWSqrk99/TJ3+lMLeMB8SPaXES1ZHiqRTjnT4ta/fwvxoEw+ZTPO/o6HSOu9L91iP9tf1inahA2YAAAgmYvttWSQqCRABPQyikAvUy93r6eBUtapuOZu1O9YRmV1cqNV/1VTx6JdSom/3x32P/BgCZs8VjdQGpGaPhUiQs9HV8ufvmNfnk8xu+IEv8+N5P1xv2CWEceNPKJ/EhiAQEWB9y8i3yOVaywIegvEfqoE8xMDJPO5o43pIiS0xg0s8ntPdg6ATuVmdzS9NbrzZwWQXfXP1E2xJFJ4NqdPRXnhuCNdHavk+YPd7gVdrBPM1EF+A7zruzG/94euC0Sdw03400jt42Lh7YrqXjiY3NFVtc50mE30UOYIU9nZz7FAHmOZffX/QVN8HQixUZCG568fma51Pb1v3ZjYyMDW3CsDwh7eOQGBT3PoUpj6z8YIan2/cWCp2clciAQ==&p= urn:passport:compact messengersecure.live.com 2007-09-13T01:41:28Z 2007-09-14T01:41:28Z t=EwDAATIiAQAUno9QpucDnNi8T5syqJTstzjjm3WAAF0zVmkkTtjdJWEF16otckRaNSTfmPSJE6NA8LjA96t5kWvG/RxR9xG1X5SPIjftUMobZQq+Qilg/TQdEukbra5uYqgt2Gw37M6aopEe1zuqKcO6QtJuZJam08kohqLQfLNHoUabbVHE9mwyajhargs8hHz5JKNnUc/jd5kfbcmgA2YAAAi6PjAH1aqujRABCkmg56fEF6Ujl4p6VaZm/zx+C80C529UQDn1V7WqUySLsdhxWJDoy1G22WQlyV5/c1fan1d7EC+gV70/d77BA2bHleOLnrBQWyECfoah/XRIJRqJ5CVNvRaN2KFB5C/fTwgLulI6UBqcMgDm7O/V8xgH2JSsR2U+ps9tNiYcj0EpMSZFiNWIozXC211gOCfv+3s8/ZRJNKhTNWb9IyA/2e7tvmKHHqI0iALFsEQ7xgogKPiU1V8Zb1DBQBNK/ekEQ6hAXNPEF3606wcVrdomO+BStqEbDFVankTlEkikTgQoK+QPYZ2thyKeiQkgiGN4qnHi/a3CzKiM+IRQsZA/LjVqpj4G497aLQmvUZ9sTF4iAQ==&p= urn:passport:compact spaces.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAARAnAAAURATre1Nkcu71L953y0QRAvwyKdOAANj6EddaH2UO/jVHlOjovb18yvn3KMHKs4zT8e9faKchYDlA1XPRaOxw2B93oqPwPJswZVRCY1IgBS3fTHd4HgasQGi89VVpl12lBwG5lgPPGE8NrS/frhOLScm2Py8q+oqzRSU40ZvHSQvoXQLWbktBq+brpJ/sCfnOInECG1qYA2YAAAg0lAeYfjrozhABxvngo2FVy1VCWecQcTHdPZMq2WGoz8csK89x2xUajaJ2+izlQNmBLg4/WyP11RsHY140ueqFLCnbcKt8NvwV+Y5U1iC0VtN4ky0tJQKUV0V1zG/VBIwCe7qbNGBxF1rrq+L9tC0blGbajPbkZVcAuAKQ7EmGQVVmbKeijZA/i2pYreMGXnHIUEB7wr8icdoeXTaoEwLsWH00S/rmA77BzC6v4CDUY8lw7wo1acTxn/9zsb8V7QYaafXSZILJ0lHQ1Hmz0aMxRRlQQAiXqFnlznhqNDu6I9NzJBm13ycxx5staZi7xjvrv8svCvGeX0Z++kVcaNwi1dNpmpX5Y+wCbATgGz5tah5SLQ44BBvr0zUiAQ==&p= urn:passport:compact storage.msn.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwDAAW+jAAAU7/9PdvvYJ23zPPtor/FYp6zOOb+AAOztl5rymSKrVexJAxpbKrIhqLKeglw+nhOvKDzoJbJBajlOpZ4PCHef0hQ4x3KWoE6Awz9abj3ACemcGwCLAEm7vnnQNjueDLzsomCIsdtZyiAWN6QAAjKavhQuDxEzPEF894au9lnvXJ53YAv9mZRFL4jRnql8U4wUEMS4M7oOA2YAAAioM9DwyzgDgBABiS/OhBKYEjw/S0Yx7Ygk/WDuVe+HTStTFl7996q06jnPueC7+F0DL6psv2QYukK4LpF/7XGkesXJAAHZDEuZdpkzOirXfe12mFnGYR7V82wjIMIj4cElhnt8+0w2/gl4LzHg/DpiETauqBQpC8r11JkcBy7UszfiLVm8JOykmSoHtxs8f8E3QsC3Lqv9guNRe+/7sol/rfkIgK86g/s0p1gKYYbUBi3nAVNINDrb3xUOBo7aqs/qw39/Z4A/2M4Bkq+SZAthjnygXcRNKJU2BXjRlIS76f1hupKUTJSGahN4KlpzHxGvr9BvTIc+ekND4s8BraTDt8zrWFe9Ee5eZ+tiunLcwV3/6nef2cMzhlsiAQ==&p= 对应的,每一个RST都会返回一个这样的内容: urn:passport:compact messengerclear.live.com 2007-09-13T01:41:28Z 2007-09-13T09:41:28Z t=EwBIAswbAQAU...=&p= nQxBa/vqQ7rC/4lCKemlPPGYwiIf5sQk 其中的BinarySecurityToken就是这个服务的ticket了,就是"t="后面的那一串。我们要实现msn的登陆过程,则上面内容中的BinarySecret也是需要用到的。 好,现在我们已经获得登陆必需的ticket和BinarySecret了,可以连接NS服务器了。 通信过程如下 VER 4 MSNP15 CVR0 VER 4 MSNP15 CVR0 CVR 5 0x0804 winnt 5.1 i386 MSG80BETA 8.5.1238 msmsgs test@hotmail.com CVR 5 8.1.0178 8.1.0178 8.1.0178 http://msgruser.dlservice.microsoft.com/download/B/D/3/BD343317-2DBF-48FE-8BD9- 9E3212D65E6A/Install_Messenger.exe http://get.live.com/cn USR 6 SSO I test@hotmail.com USR 6 SSO S MBI_KEY_OLD PKD3fof9V9uwVWrUxMEpi+Dki1oMkO1tpthPVEKjB7DGHwrkyBYzb6mOnU3EHlPi GCF 0 69 ... USR 7 SSO S t=EwBIAswbAQAU...=&p= HAAAAAEAAAADZgAA... USR 7 OK test@hotmail.com 1 0 SBS 0 null ... BLP 8 BL BLP 8 BL ADL 9 67 ... ADL 9 OK PRP 10 MFN g PRP 10 MFN g CHL 0 29987175131175130567 QRY 12 PROD0118R6%2WYOS 32 4c6b96c27122919ae4a8d24a3015313d QRY 12 在USR 6 SSO S 处获得服务器发送的Nonce,就是MBI_KEY_OLD后面的那一串;然后在USR 7 SSO S 处发 送认证的内容,包含了两部分,第一个t=...就是上面获得的ticket了,后面的那一串实际上是一个结 构体的内容,这个结构体由BinarySecret和获得的Nonce生成,具体的生成算法见http://msnpiki.msnfanatic.com/index.php/MSNP15:SSO,我把代码也一块贴上吧: CString GenerateLoginBlob(CString key, CString challenge) ...{ BYTE key1[24] = ...{0}; BYTE key2[24] = ...{0}; BYTE key3[24] = ...{0}; BYTE hash[20] = ...{0}; BYTE randomdata[8] = ...{0}; CString szRet =""; DWORD dwBase64Size; CryptStringToBinary(key,0,CRYPT_STRING_BASE64,0,&dwBase64Size,0,0); ASSERT(dwBase64Size<=24); if (dwBase64Size>24) return ""; dwBase64Size = 24; CryptStringToBinary(key,0,CRYPT_STRING_BASE64,key1,&dwBase64Size,0,0); DeriveLoginKey(key1,24,"WS-SecureConversationSESSION KEY HASH",key2,24); DeriveLoginKey(key1,24,"WS-SecureConversationSESSION KEY ENCRYPTION",key3,24); HCRYPTPROV hProvider; if ( !CryptAcquireContext(&hProvider,0,0,PROV_RSA_FULL,0) ) if(!CryptAcquireContext(&hProvider,0,0,PROV_RSA_FULL,CRYPT_NEWKEYSET)) return ""; ...{ HCRYPTKEY hCryptKey; HCRYPTKEY hCryptKey2; BYTE * pImportKey = new BYTE[ 24+STDKEYHDRSIZE ]; memcpy(pImportKey,cKeyStdHeader,STDKEYHDRSIZE); memcpy(pImportKey+STDKEYHDRSIZE,key2,24); CryptImportKey(hProvider,pImportKey,24+STDKEYHDRSIZE,0,CRYPT_SF,&hCryptKey2); memcpy(pImportKey+STDKEYHDRSIZE,key3,24); if ( CryptImportKey(hProvider,pImportKey,24+STDKEYHDRSIZE,0,CRYPT_SF,&hCryptKey) ) ...{ HCRYPTKEY hKeyDupe1; HCRYPTKEY hKeyDupe2; HCRYPTHASH hHash; CryptDuplicateKey(hCryptKey,0,0,&hKeyDupe1); DWORD dwMode = CRYPT_MODE_CBC; CryptSetKeyParam(hKeyDupe1,KP_MODE,(BYTE*)&dwMode,0); if (CryptCreateHash(hProvider,CALG_HMAC,hCryptKey2,0,&hHash)) ...{ HMAC_INFO hmcinfo; ZeroMemory(&hmcinfo, sizeof(HMAC_INFO)); hmcinfo.HashAlgid = CALG_SHA1; CryptSetHashParam(hHash,HP_HMAC_INFO,(BYTE*)&hmcinfo,0); DWORD dwDataLen = challenge.GetLength(); CryptDuplicateKey(hKeyDupe1,0,0,&hKeyDupe2); CryptEncrypt(hKeyDupe2,0,TRUE,0,0,&dwDataLen,0); CryptDestroyKey(hKeyDupe2); if ( dwDataLen > 0) ...{ CryptGenRandom(hProvider,8,randomdata); CryptSetKeyParam(hKeyDupe1,KP_IV,randomdata,0); BYTE * pEncryptBytes = new BYTE[dwDataLen]; ZeroMemory(pEncryptBytes,dwDataLen); memcpy(pEncryptBytes,(LPCSTR)(LPCTSTR)challenge,challenge.GetLength()); DWORD dwData = challenge.GetLength(); if (CryptEncrypt(hKeyDupe1,hHash,TRUE,0,pEncryptBytes,&dwData,dwDataLen)) ...{ ASSERT(dwData == 72); // The size of the encryption *should* always be 72. If it's not you'll need to fix it. dwData = 20; CryptGetHashParam(hHash,HP_HASHVAL,hash,&dwData,0); MSGUSRKEY usrkey; memcpy(usrkey.aIVBytes, randomdata,8); memcpy(usrkey.aHashBytes, hash,20); memcpy(usrkey.aCipherBytes , pEncryptBytes,72); CryptBinaryToString((BYTE*)&usrkey,sizeof(MSGUSRKEY),CRYPT_STRING_BASE64, 0,&dwBase64Size); CryptBinaryToString((BYTE*)&usrkey,sizeof(MSGUSRKEY),CRYPT_STRING_BASE64, szRet.GetBuffer(dwBase64Size),&dwBase64Size); szRet.ReleaseBuffer(); szRet.Replace(" ",""); } delete[] pEncryptBytes; } CryptDestroyHash(hHash); } CryptDestroyKey(hKeyDupe1); CryptDestroyKey(hCryptKey); } delete[] pImportKey; if ( hCryptKey2 ) CryptDestroyKey(hCryptKey2); CryptReleaseContext(hProvider,0); } return szRet; } 好了,当服务器回应USR 7 OK时,就登陆上去了。ADL是发送联系人列表,这个列表是通过https方式从contacts.msn.com服务器得到的,这个过程同样也需要对应的ticket,这里就不详述了。(msn只在第一次登陆时从服务器上获取列表,以后就直接从本地的加密文件中读取。) 登陆成功以后,服务器会发送一个验证请求,就是CHL命令,带了一串challenge,需要我们回应正确的验证值。验证值由challenge、PRODUCT_KEY和PRODUCT_ID生成,其中PRODUCT_KEY和PRODUCT_ID是两个固定的字符串,不同版本的msn有着不同的key和id,比如我们现在模拟的这个版本就分别是: PRODUCT_KEY:YIXPX@5I2P0UT*LK PRODUCT_ID:PROD0118R6%2WYOS 验证值生成如下: int MSN_handle_chl(char *input, char *output) ...{ char *productKey = MSN_PRODUCT_KEY, *productID = MSN_PRODUCT_ID, *hexChars = "0123456789abcdef", buf[BUFSIZE]; unsigned char md5Hash[16], *newHash; unsigned int *md5Parts, *chlStringParts, newHashParts[5]; LONG64 nHigh=0, nLow=0; int i, bigEndian; /**//* Determine our endianess */ bigEndian = isBigEndian(); /**//* Create the MD5 hash */ _snprintf(buf, BUFSIZE-1, "%s%s", input, productKey); MD5((unsigned char *)buf, strlen(buf), md5Hash); /**//* Split it into four integers */ md5Parts = (unsigned int *)md5Hash; for(i=0; i<4; i++) ...{ /**//* check for endianess */ if(bigEndian) md5Parts[i] = swapInt(md5Parts[i]); /**//* & each integer with 0x7FFFFFFF */ /**//* and save one unmodified array for later */ newHashParts[i] = md5Parts[i]; md5Parts[i] &= 0x7FFFFFFF; } /**//* make a new string and pad with '0' */ _snprintf(buf, BUFSIZE-5, "%s%s", input, productID); i = strlen(buf); memset(&buf[i], '0', 8 - (i % 8)); buf[i + (8 - (i % 8))]='/0'; /* split into integers */ chlStringParts = (unsigned int *)buf; /* this is magic */ for (i=0; i<(strlen(buf)/4)-1; i+=2) { LONG64 temp; if(bigEndian) { chlStringParts[i] = swapInt(chlStringParts[i]); chlStringParts[i+1] = swapInt(chlStringParts[i+1]); } temp=(md5Parts[0] * (((0x0E79A9C1 * (LONG64)chlStringParts[i]) % 0x7FFFFFFF)+nHigh) + md5Parts[1])%0x7FFFFFFF; nHigh=(md5Parts[2] * (((LONG64)chlStringParts[i+1]+temp) % 0x7FFFFFFF) + md5Parts[3]) % 0x7FFFFFFF; nLow=nLow + nHigh + temp; } nHigh=(nHigh+md5Parts[1]) % 0x7FFFFFFF; nLow=(nLow+md5Parts[3]) % 0x7FFFFFFF; newHashParts[0]^=nHigh; newHashParts[1]^=nLow; newHashParts[2]^=nHigh; newHashParts[3]^=nLow; /* swap more bytes if big endian */ for(i=0; i<4 && bigEndian; i++) newHashParts[i] = swapInt(newHashParts[i]); /* make a string of the parts */ newHash = (unsigned char *)newHashParts; /* convert to hexadecimal */ for (i=0; i<16; i++) { output[i*2]=hexChars[(newHash[i]>>4)&0xF]; output[(i*2)+1]=hexChars[newHash[i]&0xF]; } output[32]='/0'; return 0; } 如上向服务器发回验证值,服务器回复QRY则说明通过验证,否则会断开连接。至此登陆验证过程完毕。 本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/iiprogram/archive/2008/04/16/2298867.aspx
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 模拟实现msn登陆过程(MSNP15)
- 模拟实现msn登陆过程(MSNP15)
- php模拟登陆的实现方法分析
- 使用C#发送Http 请求实现模拟登陆(以博客园为例)
- Python实现HIT软件学院Java第一次实验(模拟ATM过程)
- c#模拟网页实现12306登陆、自动刷票、自动抢票完全篇
- 模拟加载登陆动画的实现(三)
- Struts2拦截器之使用拦截器模拟实现登陆校验
- 使用HttpWebRequest和HttpWebResponse实现模拟登录需要登陆后才可以访问的页面
- QT5(15)模拟登陆百度
- 基于WebClient实现Http协议的Post与Get对网站进行模拟登陆和浏览实例
- httpclient模拟登陆操作实现
- C#实现QQ群成员列表导出及邮件群发之模拟QQ登陆
- 超详细的Python实现百度云盘模拟登陆(模拟登陆进阶)
- PHP简单实现模拟登陆功能示例
- c# networkcomms 3.0实现模拟登陆总结
- php中通过curl模拟登陆discuz论坛的实现代码
- 用PHP向MSN发消息支持MSNP15
- 【转】详解抓取网站,模拟登陆,抓取动态网页的原理和实现(Python,C#等)
- c# winform实现网页上用户自动登陆,模拟网站登录