From 48342c4cfa011ff321d644960e8edb572bd3ef6f Mon Sep 17 00:00:00 2001 From: Him188 Date: Fri, 10 Jan 2020 22:51:42 +0800 Subject: [PATCH] LoginPacket subCommand9 analysis --- .../qqandroid/network/protocol/README.md | 2 +- .../protocol/packet/OutgoingPacketAndroid.kt | 8 +- .../qqandroid/network/protocol/packet/Tlv.kt | 4 +- .../protocol/packet/login/LoginPacket.kt | 361 +++++++++++++++++- 4 files changed, 351 insertions(+), 24 deletions(-) diff --git a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/README.md b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/README.md index 18ca3edb5..065b05666 100644 --- a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/README.md +++ b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/README.md @@ -48,7 +48,7 @@ OutgoingPacket { short 27 + 2 + remaining.length ushort client.protocolVersion // const 8001 ushort 0x0001 - uint client.account.id + uint client.uin byte 3 // const ubyte encryptMethod.value // [EncryptMethod] byte 0 // const diff --git a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/OutgoingPacketAndroid.kt b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/OutgoingPacketAndroid.kt index 95e8d3774..c6db4b024 100644 --- a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/OutgoingPacketAndroid.kt +++ b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/OutgoingPacketAndroid.kt @@ -68,7 +68,7 @@ internal inline fun PacketFactory<*, *>.buildLoginOutgoingPacket( } writeByte(0x00) - client.account.id.toString().let { + client.uin.toString().let { writeInt(it.length + 4) writeStringUtf8(it) } @@ -143,7 +143,7 @@ private inline fun BytePacketBuilder.writeLoginSsoPacket( writeInt(4) - client.device.ksid.let { + client.ksid.let { writeShort((it.length + 2).toShort()) writeStringUtf8(it) } @@ -279,7 +279,7 @@ internal interface EncryptMethodECDH : EncryptMethod { * short 27 + 2 + remaining.length * ushort client.protocolVersion // const 8001 * ushort 0x0001 - * uint client.account.id + * uint client.uin * byte 3 // const * ubyte encryptMethod.value // [EncryptMethod] * byte 0 // const @@ -304,7 +304,7 @@ internal fun BytePacketBuilder.writeOicqRequestPacket( writeShort(client.protocolVersion) writeShort(packetId.commandId.toShort()) writeShort(1) // const?? - writeQQ(client.account.id) + writeQQ(client.uin) writeByte(3) // originally const writeByte(encryptMethod.id.toByte()) writeByte(0) // const8_always_0 diff --git a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/Tlv.kt b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/Tlv.kt index a2e59737f..244ce9cad 100644 --- a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/Tlv.kt +++ b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/Tlv.kt @@ -5,7 +5,7 @@ import kotlinx.io.core.ByteReadPacket import kotlinx.io.core.toByteArray import kotlinx.io.core.writeFully import net.mamoe.mirai.qqandroid.utils.NetworkType -import net.mamoe.mirai.utils.currentTime +import net.mamoe.mirai.utils.currentTimeMillis import net.mamoe.mirai.utils.io.* import net.mamoe.mirai.utils.md5 import kotlin.random.Random @@ -497,7 +497,7 @@ fun BytePacketBuilder.t400( writeFully(dpwd) writeInt(appId.toInt()) writeInt(subAppId.toInt()) - writeLong(currentTime) + writeLong(currentTimeMillis) writeFully(randomSeed) } } diff --git a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/login/LoginPacket.kt b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/login/LoginPacket.kt index d38c10b62..d48d4e3f3 100644 --- a/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/login/LoginPacket.kt +++ b/mirai-core-qqandroid/src/commonMain/kotlin/net/mamoe/mirai/qqandroid/network/protocol/packet/login/LoginPacket.kt @@ -1,24 +1,29 @@ package net.mamoe.mirai.qqandroid.network.protocol.packet.login -import kotlinx.io.core.ByteReadPacket -import kotlinx.io.core.buildPacket -import kotlinx.io.core.readBytes +import kotlinx.io.core.* import net.mamoe.mirai.data.Packet import net.mamoe.mirai.qqandroid.QQAndroidBot -import net.mamoe.mirai.qqandroid.network.QQAndroidClient +import net.mamoe.mirai.qqandroid.network.* import net.mamoe.mirai.qqandroid.network.protocol.packet.* import net.mamoe.mirai.qqandroid.utils.GuidSource import net.mamoe.mirai.qqandroid.utils.MacOrAndroidIdChangeFlag import net.mamoe.mirai.qqandroid.utils.guidFlag +import net.mamoe.mirai.qqandroid.utils.inline +import net.mamoe.mirai.utils.MiraiInternalAPI import net.mamoe.mirai.utils.cryptor.DecrypterByteArray import net.mamoe.mirai.utils.cryptor.DecrypterType -import net.mamoe.mirai.utils.io.toByteArray +import net.mamoe.mirai.utils.cryptor.decryptBy +import net.mamoe.mirai.utils.currentTimeMillis +import net.mamoe.mirai.utils.currentTimeSeconds +import net.mamoe.mirai.utils.io.* +import net.mamoe.mirai.utils.io.discardExact class LoginPacketDecrypter(override val value: ByteArray) : DecrypterByteArray { companion object : DecrypterType } +@UseExperimental(ExperimentalUnsignedTypes::class) internal object LoginPacket : PacketFactory(LoginPacketDecrypter) { init { this._id = PacketId(commandId = 0x0810, commandName = "wtlogin.login") @@ -28,6 +33,7 @@ internal object LoginPacket : PacketFactory @@ -36,17 +42,17 @@ internal object LoginPacket : PacketFactory SubCommand9.run { decode(bot) } - else -> error("Unknown subCommand: $subCommand") + // 00 09 sub cmd + // 00 typeval client = bot.client + + val subCommand = readShort().toInt() + val type = readByte() + discardExact(3) + val tlvMap = this.readTLVMap() + + tlvMap[0x150]?.let { client.analysisTlv150(it) } + tlvMap[0x161]?.let { client.analysisTlv161(it) } + tlvMap[0x172]?.let { client.rollbackSig = it } + tlvMap[0x119]?.let { t119Data -> + t119Data.decryptBy(client.tgtgtKey).read { + val tlvMap119 = this.readTLVMap() + + tlvMap119[0x149]?.let { client.analysisTlv149(it) } + tlvMap119[0x130]?.let { client.analysisTlv130(it) } + tlvMap119[0x113]?.let { client.analysisTlv113(it) } + + // t528, t530 QQ 中最终保存到 oicq.wlogin_sdk.request.WUserSigInfo#loginResultTLVMap + tlvMap119[0x528]?.let { client.t528 = it } + tlvMap119[0x530]?.let { client.t530 = it } + + tlvMap119[0x118]?.let { client.mainDisplayName = it.encodeToString() } + tlvMap119[0x108]?.let { client.ksid = it.encodeToString() } + + var openId: ByteArray + var openKey: ByteArray + + when (val t125 = tlvMap119[0x125]) { + null -> { + openId = byteArrayOf() + openKey = byteArrayOf() + } + else -> t125.read { + openId = readUShortLVByteArray() + openKey = readUShortLVByteArray() + } + } + + /* + util.LOGI("tgt len:" + util.buf_len(t10a.get_body_data()) + + " tgt_key len:" + util.buf_len(t10d.get_body_data()) + + " st len:" + util.buf_len(t114.get_body_data()) + + " st_key len:" + util.buf_len(t10e.get_body_data()) + + " stwx_web len:" + util.buf_len(t103Data) + + " lskey len:" + util.buf_len(t11cData) + + " skey len:" + util.buf_len(t120Data) + + " sig64 len:" + util.buf_len(t121Data) + + " openid len:" + util.buf_len(openId) + + " openkey len:" + util.buf_len(openKey) + + " pwdflag: " + t186.get_data_len() + t186.getPwdflag(), "" + this.field_61436.uin); + + */ + tlvMap119[0x186]?.let { client.analysisTlv186(it) } + tlvMap119[0x537]?.let { client.analysisTlv537(it) } + tlvMap119[0x169]?.let { t169 -> + client.wFastLoginInfo = WFastLoginInfo( + outA1 = client.runCatching { + parseWFastLoginInfoDataOutA1(t169) + }.getOrElse { ByteReadPacket(byteArrayOf()) } + ) + } + tlvMap119[0x167]?.let { + val imgType = byteArrayOf(readByte()) + val imgFormat = byteArrayOf(readByte()) + val imgUrl = readUShortLVByteArray() + // dont move into constructor, keep order + client.reserveUinInfo = ReserveUinInfo(imgType, imgFormat, imgUrl) + } + client.qrPushSig = tlvMap119[0x317] ?: byteArrayOf() + + + val face: Int + val gender: Int + val nick: String + val age: Int + when (val t11a = tlvMap119[0x11a]) { + null -> error("Cannot find tlv 0x11a, which is account info(face, gender, nick, age)") + else -> t11a.read { + face = readUShort().toInt() + age = readUByte().toInt() + gender = readUByte().toInt() + nick = readUByteLVString() + } + } + + var payToken: ByteArray + when (val t199 = tlvMap119[0x199]) { + null -> payToken = byteArrayOf() + else -> t199.read { + openId = readUShortLVByteArray() + payToken = readUShortLVByteArray() + } + } + + val pf: ByteArray + val pfKey: ByteArray + when (val t200 = tlvMap119[0x200]) { + null -> { + pf = byteArrayOf() + pfKey = byteArrayOf() + } + else -> t200.read { + pf = readUShortLVByteArray() + pfKey = readUShortLVByteArray() + } + } + + val creationTime = currentTimeSeconds + val expireTime = creationTime + 2160000L + @Suppress("UNREACHABLE_CODE") // FOR STUB + client.wLoginSigInfo = WLoginSigInfo( + uin = client.uin, + encryptA1 = inline { + val t10c = tlvMap119[0x10c] + val t106 = tlvMap119[0x106] + if (t106 != null && t10c != null) { + t106 + t10c + } else ByteArray(0) + }, + noPicSig = tlvMap119.getOrEmpty(0x16a), + G = byteArrayOf(), // defaults {}, from asyncContext._G + dpwd = byteArrayOf(), // defaults {}, from asyncContext._G + randSeed = tlvMap119.getOrEmpty(0x403), // or from asyncContext._t403.get_body_data() + simpleInfo = WLoginSimpleInfo( + uin = client.uin, + face = face, + age = age, + gender = gender, + nick = nick, + imgType = client.reserveUinInfo.imgType, + imgFormat = client.reserveUinInfo.imgFormat, + imgUrl = client.reserveUinInfo.imgUrl, + mainDisplayName = tlvMap119[0x118] ?: error("Cannot find tlv 0x118") + ), + appPri = tlvMap119[0x11f]?.let { it.read { discardExact(4); readUInt().toLong() } } ?: 4294967295L, + a2ExpiryTime = expireTime, + loginBitmap = 0, // from asyncContext._login_bitmap + tgt = tlvMap119.getOrEmpty(0x10a), + a2CreationTime = creationTime, + tgtKey = tlvMap119.getOrEmpty(0x10d), + sKey = SKey(tlvMap119.getOrEmpty(0x120), creationTime, expireTime), + userSig64 = UserSig64(tlvMap119.getOrEmpty(0x121), creationTime), + accessToken = AccessToken(tlvMap119.getOrEmpty(0x136), creationTime), + openId = openId, + openKey = OpenKey(openKey, creationTime), + d2 = D2(tlvMap119.getOrEmpty(0x143), creationTime, expireTime), + d2Key = tlvMap119.getOrEmpty(0x305), + sid = Sid(tlvMap119.getOrEmpty(0x164), creationTime, expireTime), + aqSig = AqSig(tlvMap119.getOrEmpty(0x171), creationTime), + psKey = PSKey(tlvMap119.getOrEmpty(0x512), creationTime), + superKey = tlvMap119.getOrEmpty(0x16d), + payToken = payToken, + pf = pf, + pfKey = pfKey, + da2 = tlvMap119.getOrEmpty(0x203), + wtSessionTicket = WtSessionTicket(tlvMap119.getOrEmpty(0x133), creationTime), + wtSessionTicketKey = tlvMap119.getOrEmpty(0x134), + deviceToken = tlvMap119.getOrEmpty(0x322), + vKey = VKey(tlvMap119.getOrEmpty(0x136), creationTime, expireTime), + userStWebSig = UserStWebSig(tlvMap119.getOrEmpty(0x103), creationTime, expireTime), + userStSig = UserStSig((tlvMap119.getOrEmpty(0x114)), creationTime), + userStKey = tlvMap119.getOrEmpty(0x10e), + lsKey = LSKey(tlvMap119.getOrEmpty(0x11c), creationTime, expireTime), + userA5 = UserA5(tlvMap119.getOrEmpty(0x10b), creationTime), + userA8 = UserA8(tlvMap119.getOrEmpty(0x102), creationTime, expireTime) + ) + } + } + + if (type.toInt() == 0) { + return LoginPacketResponse.Success + } else TODO("Unknown type") + } + + + private fun Map.getOrEmpty(key: Int): ByteArray { + return this[key] ?: byteArrayOf() + } + + /** + * @throws error + */ + private fun QQAndroidClient.parseWFastLoginInfoDataOutA1(t169: ByteArray): ByteReadPacket { + val map = t169.toReadPacket().readTLVMap() + + val t106 = map[0x106] + val t10c = map[0x10c] + val t16a = map[0x16a] + + check(t106 != null) { "getWFastLoginInfoDataOutA1: Cannot find tlv 0x106!!" } + check(t10c != null) { "getWFastLoginInfoDataOutA1: Cannot find tlv 0x10c!!" } + check(t16a != null) { "getWFastLoginInfoDataOutA1: Cannot find tlv 0x16a!!" } + + return buildPacket { + writeByte(64) + writeShort(4) + + // TLV + writeShort(0x106) + writeShortLVByteArray(t106) + + writeShort(0x10c) + writeShortLVByteArray(t10c) + + writeShort(0x16a) + writeShortLVByteArray(t16a) + + t145(device.guid) + } + } + + /** + * login extra data + */ + private fun QQAndroidClient.analysisTlv537(t537: ByteArray) = t537.read { + loginExtraData = LoginExtraData( + uin = readUInt().toLong(), + ip = readUByteLVByteArray(), + time = readInt(), // correct + version = readInt() + ) + } + + /** + * pwd flag + */ + private fun QQAndroidClient.analysisTlv186(t186: ByteArray) = t186.read { + discardExact(1) + pwdFlag = readByte().toInt() == 1 + } + + /** + */ + private fun QQAndroidClient.analysisTlv528(t528: ByteArray) = t528.read { + } + + /** + * 设置 [QQAndroidClient.uin] + */ + private fun QQAndroidClient.analysisTlv113(t113: ByteArray) = t113.read { + uin = readUInt().toLong() + + /* + // nothing to do + + if (!asyncContext.ifQQLoginInQim(class_1048.productType)) { + this.field_61436.method_62330(this.field_61436.field_63973, this.field_61436.uin); + } + */ + } + + /** + * 设置 [QQAndroidClient.timeDifference] 和 [QQAndroidClient.ipFromT149] + */ + private fun QQAndroidClient.analysisTlv130(t130: ByteArray) = t130.read { + discardExact(2) + timeDifference = readUInt().toLong() - currentTimeMillis + ipFromT149 = readBytes(4) + } + + private fun QQAndroidClient.analysisTlv150(t150: ByteArray) { + this.t150 = t150 + } + + private fun QQAndroidClient.analysisTlv161(t161: ByteArray) { + val tlv = t161.toReadPacket().readTLVMap() + + tlv[0x173]?.let { analysisTlv173(it) } + tlv[0x17f]?.let { analysisTlv17f(it) } + } + + /** + * 错误消息 + */ + private fun QQAndroidClient.analysisTlv149(t149: ByteArray) { + data class ErrorMessage( + val type: Short, + val title: String, + val content: String, + val otherInfo: String + ) + + t149.read { + val type: Short = readShort() + val title: String = readUShortLVString() + val content: String = readUShortLVString() + val otherInfo: String = readUShortLVString() + + // do not write class into read{} block. CompilationException!! + error("Got error message: " + ErrorMessage(type, title, content, otherInfo)) // nice toString + } + } + + /** + * server host + */ + private fun QQAndroidClient.analysisTlv173(t173: ByteArray) { + t173.read { + val type = readByte() + val host = readUShortLVString() + val port = readShort() + + // TODO: 2020/1/9 SET HOST ADDRESS ?? MAY BE IMPORTANT + // SEE oicq_request.java at method analysisT173 + } + } + + /** + * ipv6 address + */ + private fun QQAndroidClient.analysisTlv17f(t17f: ByteArray) { + t17f.read { + val type = readByte() + val host = readUShortLVString() + val port = readShort() + + // TODO: 2020/1/9 SET IPV6 ADDRESS + // SEE oicq_request.java at method analysisT17f } } }