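Author: xee
Time: 2008-02-23, 22:13
Link: http://bbs.pediy.com/showthread.php?t=60110
[Article title]: Analysis of the Thunder (Xunlei) Protocol
[Article author]: vessial
[E-mail]: vessial@hotmail.com
[Author homepage]: http://blog.csdn.net/xee
[Date written]: 20071122
[Software]: Thunder 5.7.4.404
[Tools used]: OD+Wireshark
[Author's statement]: This article is for research and study only; I accept no legal liability for any consequences arising from it. Please point out any shortcomings. Reposting is welcome, but please keep the article intact.
----------------------------------------------------------------------------------------------------------
Background: this article is based on Thunder version 5.7.4.404.
Purpose: to work out, through analysis, how the Thunder client communicates with the server to obtain the link addresses of download resources, and how that communication is encrypted. Source code is attached; discussion is welcome.
Algorithms involved: MD5, 128-bit AES
----------------------------------------------------------------------------------------------------------
   Everyone knows why Thunder downloads so fast: it downloads via P2SP, that is, it can fetch from several servers that hold the same resource, which makes the download fast. The question is: when you download a file from one given link, how does it know that other servers hold the same resource? That is the focus of this article, so I will get straight to it.
   One way the Thunder client talks to the server to obtain multiple download sources is over HTTP, with the payload encrypted, on port 80, as shown below.
This is the resource-query packet the client sends to the server 58.254.39.10: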
0x0000   50 4F 53 54 20 2F 20 48-54 54 50 2F 31 2E 31 0D   POST / HTTP/1.1.
0x0010   0A 48 6F 73 74 3A 20 35-38 2E 32 35 34 2E 33 39   .Host: 58.254.39
0x0020   2E 31 30 3A 38 30 0D 0A-43 6F 6E 74 65 6E 74 2D   .10:80..Content-
0x0030   74 79 70 65 3A 20 61 70-70 6C 69 63 61 74 69 6F   type: applicatio
0x0040   6E 2F 6F 63 74 65 74 2D-73 74 72 65 61 6D 0D 0A   n/octet-stream..
0x0050   43 6F 6E 74 65 6E 74 2D-4C 65 6E 67 74 68 3A 20   Content-Length:
0x0060   33 39 36 0D 0A 43 6F 6E-6E 65 63 74 69 6F 6E 3A   396..Connection:
0x0070   20 4B 65 65 70 2D 41 6C-69 76 65 0D 0A 0D 0A 34    Keep-Alive....4
0x0080   00 00 00 96 00 00 00 80-01 00 00 02 3A A0 8A 5E   ...?..€....:爦^
0x0090   52 22 AC 5E FA C8 F6 54-E8 DC 9A BC E6 78 11 D9   R"琟 鯰柢毤鎥.?
0x00A0   59 C3 E8 64 8E B8 93 EA-E7 43 28 BA 16 FF C4 A9   Y描d幐撽鏑(?末
0x00B0   DC AB 26 7C 56 08 47 D9-A9 37 F6 C1 3A 7B 68 C8   塬&|V.G侃7隽:{h?
0x00C0   11 74 9D 62 6D 4C 6C E7-AD 08 46 70 31 AC 97 34   .t漛mLl绛.Fp1瑮4
0x00D0   AE 15 18 37 B3 97 32 91-13 F8 FB AA 30 75 10 02   ?.7硹2? ?u..
0x00E0   78 8E F6 38 1D 43 6B B9-F4 DE C4 09 23 3A 27 8B   x庼8.Ck刽弈.#:'?
0x00F0   E6 2C 5D 87 BF 4C BF BF-54 15 4E DB 8F 77 95 C0   ?]嚳L靠T.N蹚w暲
0x0100   67 EE 1E B4 B4 36 F6 EF-CF 96 77 1A EA 9E 63 11   g?创6鲲蠔w.隇c.
0x0110   40 FC E1 23 81 90 92 5E-FE 23 36 FB 1A 23 37 9A   @ #亹抆?6?#7?
0x0120   7D 20 95 CA 47 C2 DA E9-E8 FE 30 4C A0 FE 4F 6E   } 暿G纶殍?L狛On
0x0130   A0 A5 81 45 BA AF 68 EE-60 A1 D5 00 A8 DC CC 80   牓丒函h頯≌.ㄜ虁
0x0140   84 0C 19 CF 81 B9 13 C0-13 07 E8 70 05 79 15 F5   ?.蟻??.鑠.y.?
0x0150   D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 70 05 79 15 F5   ?.≥4刭苗.p.y.?
0x0160   D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 70 05 79 15 F5   ?.≥4刭苗.p.y.?
0x0170   D5 2B 05 A1 DD 34 D8 D9-C3 E7 05 10 3A CC 2F 13   ?.≥4刭苗..:?.
0x0180   E1 E1 8C 7B C9 C5 48 B3-85 73 55 87 EE 99 14 67   後寋膳H硡sU囶?g
0x0190   B2 1B 01 1B 56 01 2F FB-47 07 88 BD 4C D2 1A 08   ?..V./鸊.埥L?.
0x01A0   14 42 F3 F5 C2 7C 26 9E-24 00 A4 EA 5F 20 FC CA   .B篚聕&?.り_
0x01B0   80 F6 9B C9 28 5B 55 22-94 33 4F 3E 1B C6 31 23   €鰶?[U"?O>.?#
0x01C0   82 B1 97 3E C1 00 2F EF-CE 06 7B AA CD A6 61 F5   偙??/镂.{ ?
0x01D0   C9 59 8E DB F6 49 73 9C-B9 08 05 C3 1E EB A6 D3   蒠庅鯥s湽..?毽?
0x01E0   0F BB 86 FD FC CC 99 89-61 A9 B1 F9 30 C7 48 B1   .粏 虣塧┍?荋?
0x01F0   79 6C 75 26 8C F5 46 F4-7F 04 ED D1 2B 16 2D 94   ylu&岝F?.硌+.-?
0x0200   2F 2C DE 6E 7B 97 E7 28-8B DA 0D
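Obviously nothing in the dump above looks familiar. Through analysis I found some regularities.
The packets have the following features and structure:
Bytes 0--3: command request
Bytes 4--7: I guess this is the packet sequence number :)
Bytes 8--11: length of the encrypted packet body
Bytes 12--end: the encrypted packet body
Taking the packet above as an example:
    |<--cmd-->| |<--seq-->| |<-length->|
    34 00 00 00 96 00 00 00 80 01 00 00
The data that follows is the AES-encrypted data.
Note that the data above is taken from the HTTP content (the request body).
Since the body is AES-encrypted, what is the key and how is it generated? Surely not DHE, in which case I would probably be stuck.
Hard work pays off, though: the AES key is generated from the first 8 bytes of the packet, that is, the command word and the sequence number.
Together with 56 padding bytes they form 64 bytes, which are run through MD5; the result is exactly 16 bytes.
However, these 56 padding bytes are not the same as standard MD5 padding. The padding data is as follows: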
                                          80 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
Combined, they are:
34 00 00 00 96 00 00 00 80 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
The hash value obtained from the MD5 computation is:
f5 26 32 d9 0b 36 f0 58 25 53 71 a2 ae 2f 3e d3
This is the key used for AES encryption and decryption of the packet.
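The header split and key derivation described above, as an added example that is not the author's code: it parses the 12-byte header, rebuilds the 64-byte block by applying the MD5 padding rule to the 8 header bytes, runs MD5's initial state plus one transform over it, and cross-checks the result against Python's hashlib. All function names are hypothetical, the sample header is copied from the request dump above, and the whole-AES-block length check is an assumption based on that sample.

```python
import hashlib
import math
import struct

# Taken from the request dump above: cmd, seq, body length (little-endian).
SAMPLE_HEADER = bytes.fromhex("34000000" "96000000" "80010000")
# The 64-byte block as the article lists it: 8 header bytes + 56 fill bytes.
PAGE_BLOCK = bytes.fromhex("3400000096000000" + "80" + "00" * 47 + "40" + "00" * 7)
MASK = 0xFFFFFFFF
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
          + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
SINES = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

def parse_header(frame):
    """Return (cmd, seq, body_len) from the 12-byte cleartext header."""
    if len(frame) < 12:
        raise ValueError("frame shorter than the 12-byte header")
    cmd, seq, body_len = struct.unpack_from("<3I", frame)
    if body_len % 16:  # assumption: bodies are whole AES blocks, as in the sample
        raise ValueError("body length is not a multiple of the AES block size")
    return cmd, seq, body_len

def md5_padded_block(msg):
    """MD5 padding rule for a message of up to 55 bytes: 0x80, zeros, bit length."""
    return msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", len(msg) * 8)

def md5_single_transform(block):
    """MD5 initial state followed by one transform over a 64-byte block."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    a, b, c, d = state
    words = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + SINES[i] + words[g]) & MASK
        a, d, c = d, c, b
        b = (b + ((f << SHIFTS[i]) | (f >> (32 - SHIFTS[i])))) & MASK
    return struct.pack("<4I", *((s + v) & MASK for s, v in zip(state, (a, b, c, d))))

def derive_key(frame):
    """AES-128 key for a frame: header bytes 0..7, padded, one MD5 transform."""
    return md5_single_transform(md5_padded_block(frame[:8]))

def key_via_hashlib(frame):
    """Same key computed with the standard library's MD5, for cross-checking."""
    return hashlib.md5(frame[:8]).digest()
```

Every input to the key travels in clear in the same frame, so anyone who can observe the traffic, an inspecting proxy included, can derive it per packet; the encryption obscures the payload but does not keep it confidential.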
So the packet above decrypts to:
94 01 05 00 00 00 c1 0b 10 00 00 00 30 30 31 36     ?   ?   0016
36 46 35 41 45 45 44 33 30 30 30 30 14 00 00 00     6F5AEED30000  
7f 2f 32 dc d5 76 bc 1e 37 ef 83 30 0f 45 80 80     /2苷v?7飪0E€€
6b 83 48 91 2b 00 00 00 68 74 74 70 3a 2f 2f 64     k僅?   http://d
6f 77 6e 2e 73 61 6e 64 61 69 2e 6e 65 74 2f 54     own.sandai.net/T
68 75 6e 64 65 72 35 2e 37 2e 34 2e 34 30 34 2e     hunder5.7.4.404.
65 78 65 00 00 00 00 00 00 00 00 e0 86 6e 00 00     exe        鄦n
00 00 00 7d 7d 14 00 00 00 00 00 7a 65 13 00 00        }}     ze
00 00 00 e9 a3 46 00 00 00 00 00 00 00 00 00 50        椋F         P
00 00 00 03 00 00 00 65 78 65 0b 06 01 05 02 00           exe
20 05 00 00 00 00 00 00 00 00 00 00 00 00 00 05                  
02 80 d1 10 00 00 00 00 00 00 00 00 00 00 00 00     €?           
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                    
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                    
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                    
00 00 00 00 00 00 00 02 00 00 00 04 00 00 00 09                     
00 00 00 35 2e 37 2e 34 2e 34 30 34 04 00 00 00        5.7.4.404  
30 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00     0000           
00 00 00 00 00 00 00 00 da 3d 00 c2 c0 a8 b7 01             ? 吕ǚ
01 80 0c 00 00 00 00 00 14 00 00 00 c6 76 99 e7     €         苬欑
6e 66 10 4d 7c be c2 bc 40 3e 6f c2 30 9a 44 65     nfM|韭粿>o?欴e
00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00                   
00 14 00 00 00 54 68 75 6e 64 65 72 35 2e 37 2e         Thunder5.7.
34 2e 34 30 34 2e 65 78 65 07 07 07 07 07 07 07     4.404.exe
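This is the packet as constructed before encryption. A brief word on its structure: you can see the link address in it,
which is the original link from which I downloaded this program. I used Thunder to download Thunder5.7.4.404.exe from
http://down.sandai.net/Thunder5.7.4.404.exe
Now let's see what the server's reply packet contains: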
34 00 00 00 0c 00 00 00 f0 07 . n...4.........
0040   00 00 66 2b 99 1a af ed 82 56 af b2 93 c2 03 84 ..f+.....V......
0050   54 4d 1e 13 6a 65 7c 37 31 32 92 2c 7f 31 b5 32 TM..je|712.,.1.2
0060   8c 1e 5f b9 b9 10 f8 63 a1 45 a8 e1 76 f8 5b 2d .._....c.E..v.[-
0070   1d 07 7a 1d 8d e9 82 d6 b8 34 ef f2 ec 5d 1b eb ..z......4...]..
0080   a1 24 96 c4 ad 96 3e 55 0e 73 df 75 c2 9d 8b cc .$....>U.s.u....
0090   1e db dc b2 dc 7c 56 3a e8 01 d8 a1 a2 21 05 31 .....|V:.....!.1
00a0   b0 90 a2 40 8f 86 31 da c8 ee 85 c1 3c 5b 40 1b ...@..1.....<[@.
00b0   ef d5 5f a4 7d 96 8a 5f d3 38 7f b1 f2 bd b5 95 .._.}.._.8......
00c0   f7 15 a5 39 1a 1d 73 56 b0 12 cd 2e cf d9 fa 62 ...9..sV.......b
00d0   e3 d8 08 6c 93 68 02 15 4e ca 34 d8 9c 09 fa 6a ...l.h..N.4....j
00e0   62 35 43 5e de d4 52 f8 2b 61 0c 64 c4 bd d1 0a b5C^..R.+a.d....
00f0   fc 95 3f 22 e8 68 4d 1c 65 82 93 43 24 e7 55 5e ..?".hM.e..C$.U^
0100   f2 db 7e 07 3b bc bc ad 30 54 78 be f2 45 1e 2d ..~.;...0Tx..E.-
0110   2a 6b 11 9b 9e c7 2d 31 d9 e6 d8 3b 33 c9 26 b5 *k....-1...;3.&.
0120   41 e3 61 a1 ba 90 1d 70 55 d0 93 3f a4 f9 6a 55 A.a....pU..?..jU
0130   f9 19 43 e2 6c 38 a1 57 15 aa 2e d4 18 f1 c6 fe ..C.l8.W........
0140   fe bf e3 e3 62 1a 9e 6f 3b ee c1 44 b1 f8 d8 23 ....b..o;..D...#
0150   2c 66 f1 c4 43 a6 9f 0b a7 d5 5c 8c e5 68 19 9f ,f..C.....\..h..
0160   db aa 7c fa 6e 3a dd 4e f0 53 ce 45 51 25 18 8d ..|.n:.N.S.EQ%..
0170   a0 0d f0 8f e0 b0 cb 12 6d 92 80 f4 4f eb a9 c0 ........m...O...
0180   f4 27 4e 34 c0 8d 96 8e 3b 20 57 b0 fb df 5a 4b .'N4....; W...ZK
0190   18 e7 2d 54 6f ad da be a6 1e 94 1e f9 2b 9f d7 ..-To........+..
01a0   03 8d de c6 16 0b f4 a1 07 d2 15 85 7c fc 78 df ............|.x.
01b0   26 3d a7 eb 2f 0b 5f fa 60 4a 73 a5 5a 7e 4a 4e &=../._.`Js.Z~JN
01c0   80 a3 9a ad ae 53 b4 dc 6d a8 04 35 96 e5 93 70 .....S..m..5...p
01d0   7d 26 07 07 62 cc ce 3f ee 87 5e c4 b2 e5 0e b0 }&..b..?..^.....
01e0   b3 c5 ef dd 9b 2d ef 4b 13 2a ad 39 13 59 25 55 .....-.K.*.9.Y%U
01f0   c2 76 1b 95 74 66 2d 1c 3a 2f f6 f5 4e a4 dd 09 .v..tf-.:/..N...
0200   c8 36 66 bd cd c2 d6 ff 29 cd 20 a3 19 ab 3f d4 .6f.....). ...?.
0210   75 67 b5 d4 37 18 24 c0 57 67 f4 8d 06 33 95 1b ug..7.$.Wg...3..
0220   03 89 16 f0 b8 e5 52 4f a3 d4 be 38 c9 cc 89 65 ......RO...8...e
0230   e7 ef 32 df 2e 9f 87 a4 2f 8f c3 a3 41 77 7b cd ..2...../...Aw{.

Decrypted, it looks like this:
058B2378 91 01 05 00 00 00 D2 07 01 B8 F7 6C 00 00 00 00 ?...?各l....
058B2388 00 14 00 00 00 90 4B 81 47 A5 0F 1E F6 6C 85 FA ....怟丟?鰈咜
058B2398 16 13 91 76 8A 91 C8 84 1A 00 00 00 00 00 00 00 憊姂葎.......
058B23A8 00 0A 00 00 00 8B 00 00 00 44 00 00 00 68 74 74 .....?..D...htt
058B23B8 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E 7A 6F 6C p://download.zol
058B23C8 2E 63 6F 6D 2E 63 6E 2F 64 6F 77 6E 2E 70 68 70 .com.cn/down.php
058B23D8 3F 73 6F 66 74 69 64 3D 31 33 35 33 37 33 26 73 ?softid=135373&s
058B23E8 75 62 63 61 74 69 64 3D 33 33 26 73 69 74 65 3D ubcatid=33&site=
058B23F8 38 2F 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E 8/...http://down
058B2408 6C 6F 61 64 2E 7A 6F 6C 2E 63 6F 6D 2E 63 6E 2F load.zol.com.cn/
058B2418 6C 69 6E 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 link/14/135373.s
058B2428 68 74 6D 6C D0 42 0B 00 00 A0 00 00 00 5A 00 00 html蠦 ..?..Z..
058B2438 00 00 00 00 D6 00 00 00 7F 00 00 00 68 74 74 70 ....?.. ...http
058B2448 3A 2F 2F 72 65 64 69 72 65 63 74 2E 6D 79 64 6F ://redirect.mydo
058B2458 77 6E 2E 63 6F 6D 2F 6D 79 64 6F 77 6E 2F 70 72 wn.com/mydown/pr
058B2468 65 64 6F 77 6E 2E 6A 73 70 3F 69 64 3D 34 30 38 edown.jsp?id=408
058B2478 37 32 39 26 70 3D 30 26 6A 3D 31 32 26 6D 3D 31 729&p=0&j=12&m=1
058B2488 26 75 72 6C 3D 68 74 74 70 3A 2F 2F 6A 73 31 2E &url=http://js1.
058B2498 6D 79 64 6F 77 6E 2E 63 6F 6D 2F 73 6F 66 74 2F mydown.com/soft/
058B24A8 32 30 30 37 31 30 2F 54 68 75 6E 64 65 72 35 2E 200710/Thunder5.
058B24B8 37 2E 34 2E 34 30 31 2E 65 78 65 3F 00 00 00 68 7.4.401.exe?...h
058B24C8 74 74 70 3A 2F 2F 77 77 77 2E 6D 79 64 6F 77 6E ttp://www.mydown
058B24D8 2E 63 6F 6D 2F 73 6F 66 74 2F 6E 65 74 77 6F 72 .com/soft/networ
058B24E8 6B 2F 64 6F 77 6E 6C 6F 61 64 2F 32 32 39 2F 34 k/download/229/4
058B24F8 30 38 37 32 39 5F 64 73 2E 73 68 74 6D 6C D8 82 08729_ds.shtml貍
058B2508 0E 00 00 49 22 00 00 5A 00 00 00 00 00 00 5F 00 ..I"..Z......_.
058B2518 00 00 26 00 00 00 68 74 74 70 3A 2F 2F 64 2E 35 ..&...http://d.5
058B2528 32 70 6B 2E 63 6F 6D 2F 64 6F 77 6E 2E 61 73 70 2pk.com/down.asp
058B2538 3F 69 64 3D 31 35 32 26 6E 6F 3D 33 21 00 00 00 ?id=152&no=3!...
058B2548 68 74 74 70 3A 2F 2F 64 6F 77 6E 2E 35 32 70 6B http://down.52pk
058B2558 2E 63 6F 6D 2F 73 6F 66 74 2F 31 35 32 2E 68 74 .com/soft/152.ht
058B2568 6D 30 92 10 00 FF 95 00 00 00 5A 00 00 00 00 00 m0?.?..Z.....
058B2578 00 AA 00 00 00 3D 00 00 00 68 74 74 70 3A 2F 2F .?..=...http://
058B2588 36 31 2E 31 34 35 2E 31 31 33 2E 31 31 37 2F 62 61.145.113.117/b
058B2598 35 2F 64 6F 77 6E 2E 73 61 6E 64 61 69 2E 6E 65 5/down.sandai.ne
058B25A8 74 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 2E 34 t/Thunder5.7.4.4
058B25B8 30 31 2E 65 78 65 55 00 00 00 68 74 74 70 3A 2F 01.exeU...http:/
058B25C8 2F 36 31 2E 31 34 35 2E 31 31 33 2E 31 31 37 2F /61.145.113.117/
058B25D8 62 35 2F 64 6C 2E 70 63 6F 6E 6C 69 6E 65 2E 63 b5/dl.pconline.c
058B25E8 6F 6D 2E 63 6E 2F 68 74 6D 6C 5F 32 2F 31 2F 38 om.cn/html_2/1/8
058B25F8 39 2F 69 64 3D 34 32 34 34 33 26 70 6E 3D 30 26 9/id=42443&pn=0&
058B2608 6C 69 6E 6B 50 61 67 65 3D 31 2E 68 74 6D 6C 68 linkPage=1.htmlh
058B2618 77 0C 00 FF 81 00 00 00 5A 00 00 00 00 00 00 7A w..?..Z......z
058B2628 00 00 00 3E 00 00 00 68 74 74 70 3A 2F 2F 77 77 ...>...http://ww
058B2638 77 2E 39 39 37 2E 63 6E 2F 73 6F 66 74 2F 64 6F w.997.cn/soft/do
058B2648 77 6E 6C 6F 61 64 2E 61 73 70 3F 73 6F 66 74 69 wnload.asp?softi
058B2658 64 3D 37 36 36 26 64 6F 77 6E 69 64 3D 30 26 69 d=766&downid=0&i
058B2668 64 3D 37 39 30 24 00 00 00 68 74 74 70 3A 2F 2F d=790$...http://
058B2678 77 77 77 2E 39 39 37 2E 63 6E 2F 73 6F 66 74 2F www.997.cn/soft/
058B2688 31 2F 31 38 2F 37 36 36 2E 68 74 6D 6C 68 FA 0B 1/18/766.htmlh?
058B2698 00 00 3C 01 00 00 5A 00 00 00 00 00 00 80 00 00 ..<..Z......€..
058B26A8 00 33 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E .3...http://down
058B26B8 38 2E 7A 6F 6C 2E 63 6F 6D 2E 63 6E 2F 78 69 61 8.zol.com.cn/xia
058B26C8 7A 61 69 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 zai/Thunder5.7.4
058B26D8 2E 34 30 31 2E 65 78 65 35 00 00 00 68 74 74 70 .401.exe5...http
058B26E8 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E 77 77 77 2E ://download.www.
058B26F8 66 65 6E 67 6E 69 61 6F 2E 63 6F 6D 2F 6C 69 6E fengniao.com/lin
058B2708 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 68 74 6D k/14/135373.shtm
058B2718 6C F8 F4 08 00 00 8F 00 00 00 5A 00 00 00 00 00 l ..?..Z.....
058B2728 00 97 00 00 00 4A 00 00 00 68 74 74 70 3A 2F 2F .?..J...http://
058B2738 64 6F 77 6E 6C 6F 61 64 2E 77 77 77 2E 66 65 6E download.www.fen
058B2748 67 6E 69 61 6F 2E 63 6F 6D 2F 64 6F 77 6E 2E 70 gniao.com/down.p
058B2758 68 70 3F 73 6F 66 74 69 64 3D 31 33 35 33 37 33 hp?softid=135373
058B2768 26 73 75 62 63 61 74 69 64 3D 33 33 26 73 69 74 &subcatid=33&sit
058B2778 65 3D 38 35 00 00 00 68 74 74 70 3A 2F 2F 64 6F e=85...http://do
058B2788 77 6E 6C 6F 61 64 2E 77 77 77 2E 66 65 6E 67 6E wnload.www.fengn
058B2798 69 61 6F 2E 63 6F 6D 2F 6C 69 6E 6B 2F 31 34 2F iao.com/link/14/
058B27A8 31 33 35 33 37 33 2E 73 68 74 6D 6C 68 00 0B 00 135373.shtmlh. .
058B27B8 00 9D 00 00 00 5A 00 00 00 00 00 00 93 00 00 00 .?..Z......?..
058B27C8 48 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C H...http://downl
058B27D8 6F 61 64 2E 77 77 77 2E 78 69 79 75 69 74 2E 63 oad.www.xiyuit.c
058B27E8 6F 6D 2F 64 6F 77 6E 2E 70 68 70 3F 73 6F 66 74 om/down.php?soft
058B27F8 69 64 3D 31 33 35 33 37 33 26 73 75 62 63 61 74 id=135373&subcat
058B2808 69 64 3D 33 33 26 73 69 74 65 3D 38 33 00 00 00 id=33&site=83...
058B2818 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E http://download.
058B2828 77 77 77 2E 78 69 79 75 69 74 2E 63 6F 6D 2F 6C www.xiyuit.com/l
058B2838 69 6E 6B 2F 31 34 2F 31 33 35 33 37 33 2E 73 68 ink/14/135373.sh
058B2848 74 6D 6C 60 31 0A 00 00 90 00 00 00 5A 00 00 00 tml`1...?..Z...
058B2858 00 00 00 46 00 00 00 2E 00 00 00 68 74 74 70 3A ...F.......http:
058B2868 2F 2F 64 6F 77 6E 2E 73 61 6E 64 61 69 2E 6E 65 //down.sandai.ne
058B2878 74 2F 54 68 75 6E 64 65 72 35 2E 37 2E 34 2E 34 t/Thunder5.7.4.4
058B2888 30 31 2E 65 78 65 3F 32 30 00 00 00 00 FF FF FF 01.exe?20....
058B2898 FF 00 FF FF FF FF 5A 00 00 00 00 00 00 46 00 00 .Z......F..
058B28A8 00 2E 00 00 00 68 74 74 70 3A 2F 2F 64 6F 77 6E .....http://down
058B28B8 2E 73 61 6E 64 61 69 2E 6E 65 74 2F 54 68 75 6E .sandai.net/Thun
058B28C8 64 65 72 35 2E 37 2E 34 2E 34 30 31 2E 65 78 65 der5.7.4.401.exe

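See? Once the reply packet is decrypted, the link addresses it carries are those of the multiple P2SP servers the file can be downloaded from.
The reply also contains some file-related information, such as the SHA-1 hash value. If you are interested, you can
analyze the packet structure yourself; I will analyze it in my next article, heh :)
Note that the request packet and the reply packet above are not related: I did not capture them together while debugging, and sent different packets for the analysis.
That concludes the encrypted exchange between client and server for obtaining multiple download sources. Here I have mainly covered
only the encryption algorithm of the communication; the rest of the protocol will be posted when I have time.
I wrote this in a hurry; if there are shortcomings, please point them out.
Finally, the encryption/decryption source code is attached.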
#include <stdio.h>
#include <string.h>
#include <openssl/aes.h>
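/* The author's own MD5 header (not included in this post); it must provide MD5_CTX, MD5Init() and Transform() */
#include "thunder-md5.h"
/* 64-byte MD5 input block: cmd and seq (8 bytes) followed by the 56 padding bytes */
unsigned char thunder[]={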
        0x34, 0x00, 0x00, 0x00, 0x96, 0x00, 0x00, 0x00,0x80,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
/* The 56 padding bytes on their own (kept for reference; not used by main) */
unsigned char thunder_md5_pad[]={
        0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char thunder_AES_key[16]; /* AES-128 key: the 16-byte MD5 state after one Transform */
unsigned char in[]={0x02,0x3A,0xA0,0x8A,0x5E
,0x52,0x22,0xAC,0x5E,0xFA,0xC8,0xF6,0x54,0xE8,0xDC,0x9A,0xBC,0xE6,0x78,0x11,0xD9
,0x59,0xC3,0xE8,0x64,0x8E,0xB8,0x93,0xEA,0xE7,0x43,0x28,0xBA,0x16,0xFF,0xC4,0xA9
,0xDC,0xAB,0x26,0x7C,0x56,0x08,0x47,0xD9,0xA9,0x37,0xF6,0xC1,0x3A,0x7B,0x68,0xC8
,0x11,0x74,0x9D,0x62,0x6D,0x4C,0x6C,0xE7,0xAD,0x08,0x46,0x70,0x31,0xAC,0x97,0x34
,0xAE,0x15,0x18,0x37,0xB3,0x97,0x32,0x91,0x13,0xF8,0xFB,0xAA,0x30,0x75,0x10,0x02
,0x78,0x8E,0xF6,0x38,0x1D,0x43,0x6B,0xB9,0xF4,0xDE,0xC4,0x09,0x23,0x3A,0x27,0x8B
,0xE6,0x2C,0x5D,0x87,0xBF,0x4C,0xBF,0xBF,0x54,0x15,0x4E,0xDB,0x8F,0x77,0x95,0xC0
,0x67,0xEE,0x1E,0xB4,0xB4,0x36,0xF6,0xEF,0xCF,0x96,0x77,0x1A,0xEA,0x9E,0x63,0x11
,0x40,0xFC,0xE1,0x23,0x81,0x90,0x92,0x5E,0xFE,0x23,0x36,0xFB,0x1A,0x23,0x37,0x9A
,0x7D,0x20,0x95,0xCA,0x47,0xC2,0xDA,0xE9,0xE8,0xFE,0x30,0x4C,0xA0,0xFE,0x4F,0x6E
,0xA0,0xA5,0x81,0x45,0xBA,0xAF,0x68,0xEE,0x60,0xA1,0xD5,0x00,0xA8,0xDC,0xCC,0x80
,0x84,0x0C,0x19,0xCF,0x81,0xB9,0x13,0xC0,0x13,0x07,0xE8,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x70,0x05,0x79,0x15,0xF5
,0xD5,0x2B,0x05,0xA1,0xDD,0x34,0xD8,0xD9,0xC3,0xE7,0x05,0x10,0x3A,0xCC,0x2F,0x13
,0xE1,0xE1,0x8C,0x7B,0xC9,0xC5,0x48,0xB3,0x85,0x73,0x55,0x87,0xEE,0x99,0x14,0x67
,0xB2,0x1B,0x01,0x1B,0x56,0x01,0x2F,0xFB,0x47,0x07,0x88,0xBD,0x4C,0xD2,0x1A,0x08
,0x14,0x42,0xF3,0xF5,0xC2,0x7C,0x26,0x9E,0x24,0x00,0xA4,0xEA,0x5F,0x20,0xFC,0xCA
,0x80,0xF6,0x9B,0xC9,0x28,0x5B,0x55,0x22,0x94,0x33,0x4F,0x3E,0x1B,0xC6,0x31,0x23
,0x82,0xB1,0x97,0x3E,0xC1,0x00,0x2F,0xEF,0xCE,0x06,0x7B,0xAA,0xCD,0xA6,0x61,0xF5
,0xC9,0x59,0x8E,0xDB,0xF6,0x49,0x73,0x9C,0xB9,0x08,0x05,0xC3,0x1E,0xEB,0xA6,0xD3
,0x0F,0xBB,0x86,0xFD,0xFC,0xCC,0x99,0x89,0x61,0xA9,0xB1,0xF9,0x30,0xC7,0x48,0xB1
,0x79,0x6C,0x75,0x26,0x8C,0xF5,0x46,0xF4,0x7F,0x04,0xED,0xD1,0x2B,0x16,0x2D,0x94
,0x2F,0x2C,0xDE,0x6E,0x7B,0x97,0xE7,0x28,0x8B,0xDA,0x0D};//Encrypt data
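unsigned char out[4096];
int main(int argc, char *argv[])
{
     MD5_CTX c;
     AES_KEY aes_key;
     size_t i, j;
     size_t blocks = sizeof(in) / 16;   /* the body is a whole number of 16-byte AES blocks */
     unsigned char ch;

     (void)argc;
     (void)argv;
     /* Key = MD5 state after MD5Init plus one Transform over the 64-byte block in thunder[] */
     MD5Init(&c);
     Transform((unsigned long *)c.buf,(unsigned long*)thunder);
     /* memcpy, not strncpy: the key is binary and may contain 0x00 bytes */
     memcpy(thunder_AES_key, c.buf, 16);
     AES_set_decrypt_key(thunder_AES_key, 128, &aes_key);
     /* Each 16-byte block is decrypted on its own, with no chaining between blocks */
     for (i = 0; i < blocks; i++)
     {
         AES_decrypt(&in[i*16], &out[i*16], &aes_key);
     }
     /* Hex and ASCII dump of the plaintext, 16 bytes per line */
     for (i = 0; i < blocks; i++)
     {
         for (j = 0; j < 16; j++)
         {
             printf("%02x ", out[i*16+j]);
         }
         printf("    ");
         for (j = 0; j < 16; j++)
         {
             /* print non-printable bytes as '.' so the terminal is not garbled */
             ch = out[i*16+j];
             printf("%c", (ch >= 0x20 && ch < 0x7f) ? ch : '.');
         }
         printf("\n");
     }
    return 0;
}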