I have an offer from a company that does business with Company XXX. At the edge, Company XXX uses a business management system operated from industrial PDAs, or handhelds in everyday terms, on which staff confirm jobs. One requirement of this offer is coordination between this company and Company XXX: a job must not be done twice, so the data has to go to both companies at once. The best way is for me to write a handheld program that connects to our own company's system and at the same time sends the data to Company XXX's server, which their system calls the message server.
That settles the structure: Company XXX's message server and database server, our system's middle-tier server and database server, the handhelds, and the wireless network. Those are the only devices involved.
To work out someone else's structure, first understand how their software runs. In this system the handheld opens a TCP connection directly to the message server, and the message server accesses the database, so it acts as the middle tier between handheld and database.
To understand the communication commands, first understand the port connections. On the message server, netstat -ano lists every open port, and matching each PID to its process shows the message server occupying three ports: 18060, 18061 and 18062.
With the ports known, the next step is the commands themselves. To listen to them, Ethereal is a very good choice, so install Ethereal, capture on the network card, and you get commands such as the following:
0000 00 1c 25 7a 27 50 00 1a 6b 36 46 37 08 00 45 00 ..%z'P..k6F7..E.
0010 00 d0 70 9e 40 00 80 06 06 36 c0 a8 01 01 c0 a8 ..p.@....6......
0020 01 02 08 c2 46 8c 18 8c 69 ce 2d 1b 56 00 50 18 ....F...i.-.V.P.
0030 fc d3 f7 f4 00 00 00 00 00 03 00 00 00 00 00 00 ................
0040 00 04 00 00 00 03 00 00 00 04 00 00 00 25 00 00 .............%..
0050 00 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00 ................
0060 00 0d 00 00 00 0d 68 73 5f 64 69 72 65 63 74 70 ......hs_directp
0070 61 73 73 00 00 00 00 00 00 07 00 00 00 60 00 00 ass..........`..
0080 00 03 00 00 00 00 00 00 00 05 00 00 00 08 00 00 ................
0090 00 04 00 00 00 04 31 30 33 39 00 00 00 08 00 00 ......1039......
00a0 00 04 00 00 00 04 32 30 37 37 00 00 00 08 00 00 ......2077......
00b0 00 04 00 00 00 04 32 30 37 38 00 00 00 08 00 00 ......2078......
00c0 00 01 00 00 00 01 2d 00 00 00 00 00 00 08 00 00 ......-.........
00d0 00 05 00 00 00 05 34 30 33 30 36 00 00 00 ......40306...

0000 00 1a 6b 36 46 37 00 1c 25 7a 27 50 08 00 45 00 ..k6F7..%z'P..E.
0010 00 b0 fa df 40 00 80 06 7c 14 c0 a8 01 02 c0 a8 ....@...|.......
0020 01 01 46 8c 08 c2 2d 1b 56 14 18 8c 6a 76 50 18 ..F...-.V...jvP.
0030 fb bb 83 f6 00 00 00 00 00 03 00 00 00 00 00 00 ................
0040 00 04 00 00 00 03 00 00 00 04 00 00 00 25 00 00 .............%..
0050 00 08 00 00 00 00 00 00 00 00 00 00 00 03 00 00 ................
0060 00 04 00 00 00 00 00 00 00 07 00 00 00 50 00 00 .............P..
0070 00 03 00 00 00 00 00 00 00 05 00 00 00 08 00 00 ................
0080 00 01 00 00 00 01 30 00 00 00 00 00 00 08 00 00 ......0.........
0090 00 00 00 00 00 00 00 00 00 08 00 00 00 01 00 00 ................
00a0 00 01 30 00 00 00 00 00 00 08 00 00 00 00 00 00 ..0.............
00b0 00 00 00 00 00 08 00 00 00 00 00 00 00 00 ..............

0000 00 1c 25 7a 27 50 00 1a 6b 36 46 37 08 00 45 00 ..%z'P..k6F7..E.
0010 00 dc 70 a1 40 00 80 06 06 27 c0 a8 01 01 c0 a8 ..p.@....'......
0020 01 02 08 c2 46 8c 18 8c 6a 8a 2d 1b 56 9c 50 18 ....F...j.-.V.P.
0030 fc 37 05 f5 00 00 00 00 00 03 00 00 00 00 00 00 .7..............
0040 00 04 00 00 00 03 00 00 00 04 00 00 00 26 00 00 .............&..
0050 00 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00 ................
0060 00 12 00 00 00 12 68 73 5f 66 69 6e 64 6e 65 77 ......hs_findnew
0070 63 6e 74 72 70 6c 61 63 00 00 00 00 00 07 00 00 cntrplac........
0080 00 68 00 00 00 03 00 00 00 00 00 00 00 05 00 00 .h..............
0090 00 08 00 00 00 0b 00 00 00 0b 54 47 48 55 30 31 ..........TGHU01
00a0 38 36 38 34 34 00 00 00 00 08 00 00 00 05 00 00 86844...........
00b0 00 05 34 30 33 30 36 00 00 00 00 00 00 08 00 00 ..40306.........
00c0 00 00 00 00 00 00 00 00 00 08 00 00 00 05 00 00 ................
00d0 00 05 34 30 33 30 36 00 00 00 00 00 00 08 00 00 ..40306.........
00e0 00 04 00 00 00 04 51 39 30 31 ......Q901
If you have the means, you can listen to the TCP byte stream with Ethereal as much as you like, but you need to be fairly or very comfortable with hex; otherwise you will have no feel for what you are seeing.
Judging from the TCP commands above, this system does not encrypt its data at all; it sends plain ASCII. In that situation the difficulty drops by 50%, which is very lucky.
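To make the cleartext check above repeatable, here is an added Python example (not part of the original post, nor code from the XXX system) that rebuilds the first request frame from its Ethereal hex dump, strips the Ethernet, IPv4 and TCP headers using their own length fields, and lists every string the payload carries unencrypted. The string layout it looks for (a word 0x08, the length twice, the ASCII bytes, then padding to a 4-byte boundary) is an assumption inferred from this capture alone.

```python
import re, struct

# Constructed input: the first request frame from the capture above, pasted
# in Ethereal's hex-dump layout (offset, up to 16 hex bytes, ASCII column).
FRAME_DUMP = """\
0000 00 1c 25 7a 27 50 00 1a 6b 36 46 37 08 00 45 00 ..%z'P..k6F7..E.
0010 00 d0 70 9e 40 00 80 06 06 36 c0 a8 01 01 c0 a8 ..p.@....6......
0020 01 02 08 c2 46 8c 18 8c 69 ce 2d 1b 56 00 50 18 ....F...i.-.V.P.
0030 fc d3 f7 f4 00 00 00 00 00 03 00 00 00 00 00 00 ................
0040 00 04 00 00 00 03 00 00 00 04 00 00 00 25 00 00 .............%..
0050 00 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00 ................
0060 00 0d 00 00 00 0d 68 73 5f 64 69 72 65 63 74 70 ......hs_directp
0070 61 73 73 00 00 00 00 00 00 07 00 00 00 60 00 00 ass..........`..
0080 00 03 00 00 00 00 00 00 00 05 00 00 00 08 00 00 ................
0090 00 04 00 00 00 04 31 30 33 39 00 00 00 08 00 00 ......1039......
00a0 00 04 00 00 00 04 32 30 37 37 00 00 00 08 00 00 ......2077......
00b0 00 04 00 00 00 04 32 30 37 38 00 00 00 08 00 00 ......2078......
00c0 00 01 00 00 00 01 2d 00 00 00 00 00 00 08 00 00 ......-.........
00d0 00 05 00 00 00 05 34 30 33 30 36 00 00 00 ......40306...
"""
HEX_LINE = re.compile(r"^[0-9a-f]{4}((?: [0-9a-f]{2}){1,16})")  # offset + hex bytes

def dump_to_bytes(dump):
    """Rebuild the raw frame from the hex column; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def tcp_payload(frame):
    """Skip Ethernet II (14 bytes), then IPv4 and TCP headers via their length fields."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]   # IPv4 total length bounds the segment
    return tcp[(tcp[12] >> 4) * 4:]                  # TCP data offset, in 32-bit words

def cleartext_strings(payload):
    """Walk 4-byte big-endian words. Assumed from the capture: each string is
    carried as word 8, its length twice, the ASCII bytes, then padding to 4."""
    found, i = [], 0
    while i + 12 <= len(payload):
        tag, n1, n2 = struct.unpack("!III", payload[i:i + 12])
        if tag == 8 and n1 == n2 and 0 < n1 <= len(payload) - i - 12:
            found.append(payload[i + 12:i + 12 + n1].decode("ascii", "replace"))
            i += 12 + n1 + (-n1) % 4
        else:
            i += 4
    return found
```

On this frame the function returns the command name and the record identifiers that are visible in the ASCII column, which is the evidence an auditor needs to show that the handheld traffic crosses the wireless network in the clear.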