public static bool Impersonate(string user)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call Impersonate");
Tlv tlv = new Tlv();
tlv.Pack(TlvType.IncognitoImpersonateToken, user);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("incognito_impersonate_token"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, incognito is probably loaded");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
return true;
}
return false;
}
System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, incognito is probably not loaded");
throw new InvalidOperationException("incognito extension is not loaded");
}
public static SysInfo Info()
{
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_sysinfo"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Info result returned");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Info succeeded");
return new SysInfo
{
Host = Tlv.GetValue<string>(responseTlv, TlvType.ComputerName, string.Empty),
OperatingSystem = Tlv.GetValue<string>(responseTlv, TlvType.OsName, string.Empty),
Architecture = Tlv.GetValue<string>(responseTlv, TlvType.Architecture, string.Empty),
Language = Tlv.GetValue<string>(responseTlv, TlvType.LangSystem, string.Empty),
Domain = Tlv.GetValue<string>(responseTlv, TlvType.Domain, string.Empty),
LoggedOnUsers = Tlv.GetValue<int>(responseTlv, TlvType.LoggedOnUserCount)
};
}
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount failed");
}
else
{
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount result was null");
}
return null;
}
public static bool AddUser(string server, string username, string password)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call AddUser");
Tlv tlv = new Tlv();
tlv.Pack(TlvType.IncognitoServerName, server);
tlv.Pack(TlvType.IncognitoUserName, username);
tlv.Pack(TlvType.IncognitoPassword, password);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("incognito_add_user"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, incognito is probably loaded");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
return true;
}
return false;
}
System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, incognito is probably not loaded");
throw new InvalidOperationException("incognito extension is not loaded");
}
public static Tlv MakeTLV(int typeCode, byte[] data)
{
Tlv retval = new Tlv();
retval.TypeNumber = (ushort) typeCode;
retval.Data = data;
retval.DataSize = (ushort) ((data == null) ? 0 : data.Length);
return retval;
}
public static bool Add(TransportInstance transport, int sessionExpiry = 0)
{
Tlv tlv = new Tlv();
tlv.Pack(TlvType.TransUrl, transport.Url);
if (sessionExpiry > 0)
{
tlv.Pack(TlvType.TransSessExp, sessionExpiry);
}
if (transport.CommTimeout > 0)
{
tlv.Pack(TlvType.TransCommTimeout, transport.CommTimeout);
}
if (transport.RetryTotal > 0)
{
tlv.Pack(TlvType.TransRetryTotal, transport.RetryTotal);
}
if (transport.RetryWait > 0)
{
tlv.Pack(TlvType.TransRetryWait, transport.RetryWait);
}
if (!string.IsNullOrEmpty(transport.UserAgent))
{
tlv.Pack(TlvType.TransUa, transport.UserAgent);
}
if (!string.IsNullOrEmpty(transport.ProxyHost))
{
tlv.Pack(TlvType.TransUa, transport.ProxyHost);
}
if (!string.IsNullOrEmpty(transport.ProxyUser))
{
tlv.Pack(TlvType.TransUa, transport.ProxyUser);
}
if (!string.IsNullOrEmpty(transport.ProxyPass))
{
tlv.Pack(TlvType.TransUa, transport.ProxyPass);
}
if (transport.CertHash != null && transport.CertHash.Length > 0)
{
tlv.Pack(TlvType.TransCertHash, transport.CertHash);
}
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("core_transport_add"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] List result returned");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
return true;
}
}
return false;
}
public void ShouldParseValidHexArray()
{
var validHexArray = Enumerable
.Range(0, _validAsciiHexString.Length)
.Where(x => x % 2 == 0)
.Select(x => Convert.ToByte(_validAsciiHexString.Substring(x, 2), 16))
.ToArray();
var tlvs = Tlv.ParseTlv(validHexArray);
AssertTlv(tlvs);
}
public void TestMultipleResource()
{
// Table 7.4.3.2-1 example. Taken from middle section
Tlv[] result = _parser.Parse(Utilities.StringToByteArray("88070842000ED842011388"));
Tlv expected = new Tlv(TlvType.MULTIPLE_RESOURCE, 0x07,
new Tlv[] {
new Tlv(TlvType.RESOURCE_INSTANCE, 0x00, null, Utilities.StringToByteArray("0ED8")),
new Tlv(TlvType.RESOURCE_INSTANCE, 0x01, null, Utilities.StringToByteArray("1388")),
}, null);
Assert.Equal(expected, result[0]);
}
public override byte[] GetMessageBytes()
{
//Check if optional parameter message_payload is present
Tlv.Tlv tlv = Tlv.GetTlvByTag(Tag.message_payload);
if (tlv == null)
{
return(null);
}
else
{
return(tlv.RawValue);
}
}
static void Main(string[] args)
{
//var x = MSF.Powershell.Runner.Get("Default");
//System.Console.Write(x.Execute("$x = $(whoami)"));
//System.Console.Write(x.Execute("$x"));
//MSF.Powershell.Runner.Remove("Default");
Tlv t = new Tlv();
t.Pack(TlvType.ElevateTechnique, 1);
t.Pack(TlvType.ElevateServiceName, "abcd1234");
var x = t.ToRequest("priv_elevate_getsystem");
var y = 0;
}
public override void SetMessageBytes(byte[] message)
{
if (message == null)
{
throw new ArgumentNullException("message");
}
//Check if optional parameter message_payload is present
Tlv.Tlv tlv = Tlv.GetTlvByTag(Tag.message_payload);
if (tlv == null)
{
throw new InvalidOperationException("Tlv parameter 'message_payload' is not present");
}
tlv.ParseValue(message);
}
static void Main(string[] args)
{
//var x = MSF.Powershell.Runner.Get("Default");
//System.Console.Write(x.Execute("$x = $(whoami)"));
//System.Console.Write(x.Execute("$x"));
//MSF.Powershell.Runner.Remove("Default");
Tlv t = new Tlv();
t.Pack(TlvType.ElevateTechnique, 1);
t.Pack(TlvType.ElevateServiceName, "abcd1234");
var x = t.ToRequest("priv_elevate_getsystem");
var y = 0;
}
public void TestObjectInstance()
{
// Table 7.4.3.2-3 example. With object children length fixed (0x0D -> 0x0F)
Tlv[] result = _parser.Parse(Utilities.StringToByteArray("08000FC10001C40100015180C10601C10755"));
Tlv expected = new Tlv(TlvType.OBJECT_INSTANCE, 0x00,
new Tlv[] {
new Tlv(TlvType.RESOURCE_VALUE, 0x00, null, Utilities.StringToByteArray("01")),
new Tlv(TlvType.RESOURCE_VALUE, 0x01, null, Utilities.StringToByteArray("00015180")),
new Tlv(TlvType.RESOURCE_VALUE, 0x06, null, Utilities.StringToByteArray("01")),
new Tlv(TlvType.RESOURCE_VALUE, 0x07, null, Utilities.StringToByteArray("55")),
}, null);
Assert.Equal(expected, result[0]);
}
public static SessionDefinition List()
{
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("core_transport_list"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] List result returned");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
System.Diagnostics.Debug.Write("[PSH BINDING] List succeeded");
var expirySeconds = Tlv.GetValue<int>(responseTlv, TlvType.TransSessExp);
var session = new SessionDefinition(DateTime.Now.AddSeconds(expirySeconds));
foreach (var transportObj in responseTlv[TlvType.TransGroup])
{
var transportDict = (Dictionary<TlvType, List<object>>)transportObj;
var transport = new TransportInstance
{
Url = Tlv.GetValue<string>(transportDict, TlvType.TransUrl, string.Empty),
CommTimeout = Tlv.GetValue<int>(transportDict, TlvType.TransCommTimeout),
RetryTotal = Tlv.GetValue<int>(transportDict, TlvType.TransRetryTotal),
RetryWait = Tlv.GetValue<int>(transportDict, TlvType.TransRetryWait),
UserAgent = Tlv.GetValue<string>(transportDict, TlvType.TransUa, string.Empty),
ProxyHost = Tlv.GetValue<string>(transportDict, TlvType.TransProxyHost, string.Empty),
ProxyUser = Tlv.GetValue<string>(transportDict, TlvType.TransProxyUser, string.Empty),
ProxyPass = Tlv.GetValue<string>(transportDict, TlvType.TransProxyPass, string.Empty),
CertHash = Tlv.GetValue<byte[]>(transportDict, TlvType.TransCertHash)
};
session.Transports.Add(transport);
}
return session;
}
System.Diagnostics.Debug.Write("[PSH BINDING] List failed");
}
else
{
System.Diagnostics.Debug.Write("[PSH BINDING] List result was null");
}
return null;
}
public void TestObjectInstance2()
{
// Table 7.4.3.2-2 example. First object instance
Tlv[] result = _parser.Parse(Utilities.StringToByteArray("08000EC10001C101008302417F07C1037F"));
Tlv expected = new Tlv(TlvType.OBJECT_INSTANCE, 0x00,
new Tlv[] {
new Tlv(TlvType.RESOURCE_VALUE, 0x00, null, Utilities.StringToByteArray("01")),
new Tlv(TlvType.RESOURCE_VALUE, 0x01, null, Utilities.StringToByteArray("00")),
new Tlv(TlvType.MULTIPLE_RESOURCE, 0x02, new Tlv[] {
new Tlv(TlvType.RESOURCE_INSTANCE, 0x7F, null, Utilities.StringToByteArray("07"))
}, null),
new Tlv(TlvType.RESOURCE_VALUE, 0x03, null, Utilities.StringToByteArray("7F"))
}, null);
Assert.Equal(expected, result[0]);
}
public static bool Rev2Self()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call Rev2Self");
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_rev2self"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static List<Credential> CredsAll()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call CredsAll");
if (!User.IsSystem())
{
throw new InvalidOperationException("Current session is not running as SYSTEM");
}
Tlv tlv = new Tlv();
tlv.Pack(TlvType.KiwiPwdId, 0);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("kiwi_scrape_passwords"));
var ids = new Dictionary<string, Credential>();
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, kiwi is probably loaded");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
foreach (var credObj in responseTlv[TlvType.KiwiPwdResult])
{
var credDict = (Dictionary<TlvType, List<object>>)credObj;
var credential = new Credential
{
Domain = Tlv.GetValue<string>(credDict, TlvType.KiwiPwdDomain, string.Empty),
Username = Tlv.GetValue<string>(credDict, TlvType.KiwiPwdUserName, string.Empty),
Password = Tlv.GetValue<string>(credDict, TlvType.KiwiPwdPassword, string.Empty)
};
if (!ids.ContainsKey(credential.ToString()))
{
ids.Add(credential.ToString(), credential);
}
}
return new List<Credential>(ids.Values);
}
}
System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, kiwi is probably not loaded");
throw new InvalidOperationException("Kiwi extension is not loaded");
}
/// <summary>
/// Tlv结构转为byte[]
/// </summary>
private byte[] _writeTlvToBt(Tlv tlv)
{
MemoryStream arr = new MemoryStream();
BinaryWriter binaryWriter = new BinaryWriter(arr);
// arr.Seek(0, SeekOrigin.Begin);
binaryWriter.Write(tlv.Type);
byte[] len = BitConverter.GetBytes(tlv.Length);
if (_tlvConn.Endian)
{
Array.Reverse(len);
}
binaryWriter.Write(len);
byte[] val = tlv.Value;
binaryWriter.Write(val);
byte[] b = arr.ToArray();
return(b);
}
public static bool StealToken(int pid)
{
System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoking binding call StealToken({0})", pid));
Tlv tlv = new Tlv();
tlv.Pack(TlvType.Pid, pid);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_steal_token"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static List<ProcessInfo> ProcessList()
{
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_process_get_processes"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList result returned");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList succeeded");
var processes = new List<ProcessInfo>();
foreach (var processObj in responseTlv[TlvType.ProcessGroup])
{
var processDict = (Dictionary<TlvType, List<object>>)processObj;
var process = new ProcessInfo
{
Architecture = Tlv.GetValue<int>(processDict, TlvType.ProcessArch) == 1 ? "x86" : "x86_64",
Name = Tlv.GetValue<string>(processDict, TlvType.ProcessName, string.Empty),
Username = Tlv.GetValue<string>(processDict, TlvType.UserName, string.Empty),
Pid = Tlv.GetValue<int>(processDict, TlvType.Pid),
ParentPid = Tlv.GetValue<int>(processDict, TlvType.ParentPid),
Path = Tlv.GetValue<string>(processDict, TlvType.ProcessPath, string.Empty),
Session = Tlv.GetValue<int>(processDict, TlvType.ProcessSession)
};
processes.Add(process);
}
return processes;
}
System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList failed");
}
else
{
System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList result was null");
}
return null;
}
/// <summary>
/// Read all records from BinaryReader
/// </summary>
/// <param name="br">BinaryReader object</param>
/// <returns>Is sucess?</returns>
public bool Read(BinaryReader br)
{
this.Type = br.ReadByte();
this.Ttl = br.ReadByte();
this.Sequence = br.ReadUInt16Reverse();
while (br.BaseStream.Length > br.BaseStream.Position)
{
var item = new Tlv();
bool ok = item.Read(br);
if (!ok)
{
return(false);
}
this.Items.Add(item);
}
return(true);
}
public static bool GetSystem()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call GetSystem");
Tlv tlv = new Tlv();
tlv.Pack(TlvType.ElevateTechnique, 1);
tlv.Pack(TlvType.ElevateServiceName, "abcd1234");
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("priv_elevate_getsystem"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static List<Mount> ShowMount()
{
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_fs_mount_show"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount result returned");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount succeeded");
var mounts = new List<Mount>();
foreach (var mountObj in responseTlv[TlvType.Mount])
{
var mountDict = (Dictionary<TlvType, List<object>>)mountObj;
var mount = new Mount
{
Name = Tlv.GetValue<string>(mountDict, TlvType.MountName, string.Empty),
Type = Tlv.GetValue<MountType>(mountDict, TlvType.MountType, MountType.Unknown),
SpaceUser = Tlv.GetValue<Int64>(mountDict, TlvType.MountSpaceUser),
SpaceTotal = Tlv.GetValue<Int64>(mountDict, TlvType.MountSpaceTotal),
SpaceFree = Tlv.GetValue<Int64>(mountDict, TlvType.MountSpaceFree),
UncPath = Tlv.GetValue<string>(mountDict, TlvType.MountUncPath, string.Empty)
};
mounts.Add(mount);
}
return mounts;
}
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount failed");
}
else
{
System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount result was null");
}
return null;
}
public PairingReturn Post(Tlv parts)
{
var state = parts.GetTypeAsInt(Constants.State);
var method = parts.GetTypeAsInt(Constants.Method);
var responseTlv = new Tlv();
if (state == 1)
{
if (method == 3) // Add Pairing
{
_logger.LogDebug("* Add Pairing");
var identifier = parts.GetType(Constants.Identifier);
var publickey = parts.GetType(Constants.PublicKey);
var permissions = parts.GetType(Constants.Permissions);
responseTlv.AddType(Constants.State, 2);
}
else if (method == 4) // Remove Pairing
{
_logger.LogDebug("* Remove Pairing");
responseTlv.AddType(Constants.State, 2);
}
else if (method == 5) // List Pairing
{
_logger.LogDebug("* List Pairings");
responseTlv.AddType(Constants.State, 2);
}
}
else
{
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.Error, ErrorCodes.Busy);
}
return(new PairingReturn
{
ContentType = "application/pairing+tlv8",
TlvData = responseTlv
});
}
private static byte[] FindValue(Tlv tlv, IEnumerator <string> tags)
{
if (tlv.HexTag == tags.Current)
{
if (!tags.MoveNext())
{
return(tlv.Value);
}
foreach (Tlv child in tlv.Children)
{
var val = FindValue(child, tags);
if (val != null)
{
return(val);
}
}
}
return(null);
}
public static string GetUid()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call GetUid");
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_getuid"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
return(Tlv.GetValue <string>(responseTlv, TlvType.UserName));
}
}
return(null);
}
public static string GetUid()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call GetUid");
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_getuid"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
return Tlv.GetValue<string>(responseTlv, TlvType.UserName);
}
}
return null;
}
private bool Handle_LoginDenied(Core core, OicqRequest request)
{
Console.WriteLine("[Error] Login denied.");
var tlvs = request.oicqRequestBody.TakeAllBytes(out var _);
var unpacker = new TlvUnpacker(tlvs, true);
Tlv tlv146 = unpacker.TryGetTlv(0x146);
if (tlv146 != null)
{
var errorTitle = ((T146Body)tlv146._tlvBody)._title;
var errorMessage = ((T146Body)tlv146._tlvBody)._message;
Console.WriteLine($"[Error] {errorTitle} {errorMessage}");
}
core.PostSystemEvent(EventType.LoginFailed);
return(false);
}
private bool Handle_VerifySliderCaptcha(Core core, OicqRequest request)
{
Console.WriteLine("Do slider verification.");
var tlvs = request.oicqRequestBody.TakeAllBytes(out var _);
var unpacker = new TlvUnpacker(tlvs, true);
Tlv tlv104 = unpacker.TryGetTlv(0x104);
Tlv tlv192 = unpacker.TryGetTlv(0x192);
if (tlv104 != null && tlv192 != null)
{
var sigSession = ((T104Body)tlv104._tlvBody)._sigSession;
var sigCaptchaURL = ((T192Body)tlv192._tlvBody)._url;
core.SigInfo.WtLoginSession = sigSession;
core.PostUserEvent(EventType.WtLoginVerifySliderCaptcha, sigCaptchaURL,
DeviceInfo.Browser.UserAgent);
}
return(false);
}
static void Main(string[] args)
{
#region Dont even bother looking, just testing out how json works
string json = @"{
'Email': '*****@*****.**',
'Active': true,
'CreatedDate': '2013-01-20T00:00:00Z',
'Roles': [
'User',
'Admin'
]
}";
ClientExisting dataReciever = JsonConvert.DeserializeObject <ClientExisting>(json);
// Console.WriteLine(dataReciever.EndpointClientName);
ICollection <Tlv> tlvs = Tlv.ParseTlv("6F1A840E315041592E5359532E4444463031A5088801025F2D02656E");
Console.WriteLine(tlvs);
#endregion
}
protected override void ParseBody()
{
Decrypt(User.TXProtocol.BufDhShareKey);
Result = Reader.ReadByte();
//返回错误
if (Result == (byte)ResultCode.DoMain || Result == (byte)ResultCode.其它错误 ||
Result == (byte)ResultCode.密码错误 ||
Result == (byte)ResultCode.帐号被回收 ||
Result == (byte)ResultCode.要求切换TCP ||
Result == (byte)ResultCode.过载保护 ||
Result == (byte)ResultCode.需要验证密保 ||
Result == (byte)ResultCode.需要验证码)
{
var tlvs = Tlv.ParseTlv(Reader.ReadBytes((int)(Reader.BaseStream.Length - 1)));
//重置指针(因为tlv解包后指针已经移动到末尾)
Reader.BaseStream.Position = 1;
TlvExecutionProcessing(tlvs);
if (tlvs.Any(c => c.Tag == 0x0100))
{
var errorData = tlvs.FirstOrDefault(c => c.Tag == 0x0100);
var errReader = new BinaryReader(new MemoryStream(errorData.Value));
var tlv = new TLV0100();
tlv.Parser_Tlv2(User, errReader, errorData.Length);
ErrorMsg = tlv.ErrorMsg;
}
}
else
{
BodyDecrypted = QQTea.Decrypt(BodyDecrypted, User.TXProtocol.BufTgtgtKey);
Reader = new BinaryReader(new MemoryStream(BodyDecrypted));
Result = Reader.ReadByte();
var tlvs = Tlv.ParseTlv(Reader.ReadBytes((int)(Reader.BaseStream.Length - 1)));
//重置指针(因为tlv解包后指针已经移动到末尾)
Reader.BaseStream.Position = 1;
TlvExecutionProcessing(tlvs);
}
}
internal Tlv HandlePairSetupM5Raw(ConnectionSession session, out KeyPair keyPair)
{
var hdkf = new HkdfSha512();
var accessory = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(session.ServerSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info"), 32);
keyPair = KeyGenerator.GenerateNewPair();
var serverUsername = Encoding.UTF8.GetBytes(HapControllerServer.HapControllerId);
var material = accessory.Concat(serverUsername).Concat(keyPair.PublicKey).ToArray();
var signature = Chaos.NaCl.Ed25519.Sign(material, keyPair.PrivateKey);
var encoder = new Tlv();
encoder.AddType(Constants.Identifier, serverUsername);
encoder.AddType(Constants.PublicKey, keyPair.PublicKey);
encoder.AddType(Constants.Signature, signature);
return(encoder);
}
public void ParseEmvHexTest()
{
var tlvs = Tlv.ParseTlv(_emvHexTlv);
AssertTlv(tlvs);
}
/// <summary>
/// Send a message to the server. Should be in a try catch block
/// </summary>
/// <param name="tlv"></param>
public void SendMessage(Tlv tlv)
{
System.Diagnostics.Debug.WriteLine($"Socket ---> [{(SocketMessageTypes) tlv.Type}]");
_socket?.Send(tlv.GetBytes());
}
public PairVerifyReturn Post(Tlv parts, HapSession session)
{
var state = parts.GetTypeAsInt(Constants.State);
if (state == 1)
{
_logger.LogDebug("* Pair Verify Step 1/4");
_logger.LogDebug("* Verify Start Request");
var clientPublicKey = parts.GetType(Constants.PublicKey);
byte[] privateKey = new byte[32];
Random random = new Random();
random.NextBytes(privateKey);
var publicKey = Curve25519.GetPublicKey(privateKey);
var sharedSecret = Curve25519.GetSharedSecret(privateKey, clientPublicKey);
var serverUsername = Encoding.UTF8.GetBytes(HapControllerServer.HapControllerId);
var material = publicKey.Concat(serverUsername).Concat(clientPublicKey).ToArray();
var accessoryLtsk = StringToByteArray(HapControllerServer.HapControllerLtsk);
var proof = Chaos.NaCl.Ed25519.Sign(material, accessoryLtsk);
var hdkf = new HkdfSha512();
var hkdfEncKey = hdkf.DeriveBytes(SharedSecret.Import(sharedSecret), Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Salt"),
Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Info"), 32);
var encoder = new Tlv();
encoder.AddType(Constants.Identifier, serverUsername);
encoder.AddType(Constants.Signature, proof);
var plaintext = TlvParser.Serialize(encoder);
var zeros = new byte[] { 0, 0, 0, 0 };
var nonce = new Nonce(zeros, Encoding.UTF8.GetBytes("PV-Msg02"));
var encryptedOutput = AeadAlgorithm.ChaCha20Poly1305.Encrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce,
new byte[0], plaintext);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.EncryptedData, encryptedOutput);
responseTlv.AddType(Constants.PublicKey, publicKey);
// Store the details on the session.
//
session.ClientPublicKey = clientPublicKey;
session.PrivateKey = privateKey;
session.PublicKey = publicKey;
session.SharedSecret = sharedSecret;
session.HkdfPairEncKey = hkdfEncKey;
var encSalt = Encoding.UTF8.GetBytes("Control-Salt");
var infoRead = Encoding.UTF8.GetBytes("Control-Read-Encryption-Key");
var infoWrite = Encoding.UTF8.GetBytes("Control-Write-Encryption-Key");
session.AccessoryToControllerKey = hdkf.DeriveBytes(SharedSecret.Import(sharedSecret), encSalt, infoRead, 32);
session.ControllerToAccessoryKey = hdkf.DeriveBytes(SharedSecret.Import(sharedSecret), encSalt, infoWrite, 32);
return(new PairVerifyReturn
{
TlvData = responseTlv,
Ok = true,
HapSession = session
});
}
if (state == 3)
{
_logger.LogDebug("* Pair Verify Step 3/4");
_logger.LogDebug("* Verify Finish Request");
var encryptedData = parts.GetType(Constants.EncryptedData);
var zeros = new byte[] { 0, 0, 0, 0 };
var nonce = new Nonce(zeros, Encoding.UTF8.GetBytes("PV-Msg03"));
var decrypt = AeadAlgorithm.ChaCha20Poly1305.Decrypt(Key.Import(AeadAlgorithm.ChaCha20Poly1305, session.HkdfPairEncKey, KeyBlobFormat.RawSymmetricKey), nonce, new byte[0], encryptedData, out var output);
if (!decrypt)
{
var errorTlv = new Tlv();
errorTlv.AddType(Constants.State, 4);
errorTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairVerifyReturn
{
TlvData = errorTlv,
Ok = false
});
}
var subData = TlvParser.Parse(output);
var clientUserName = subData.GetType(Constants.Identifier);
var signature = subData.GetType(Constants.Signature);
var clientPublicKey = StringToByteArray(HapControllerServer.HapControllerLtpk);
var material = session.ClientPublicKey.Concat(clientUserName).Concat(session.PublicKey).ToArray();
session.ClientUsername = Automatica.Core.Driver.Utility.Utils.ByteArrayToString(in clientUserName);
if (!Chaos.NaCl.Ed25519.Verify(signature, material, clientPublicKey))
{
var errorTlv = new Tlv();
errorTlv.AddType(Constants.State, 4);
errorTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairVerifyReturn
{
TlvData = errorTlv,
Ok = false
});
}
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 4);
session.IsVerified = true;
session.SkipFirstEncryption = true;
return(new PairVerifyReturn
{
Ok = true,
TlvData = responseTlv
});
}
return(null);
}
private static void WarmUpCard(Transaction transaction)
{
logger.Info("Warming up card");
// We perform initial, constant interactions in this phase
// For now - hard-coded queries, ignore responses
byte[] SEL_FILE = new byte[] { 0x00, 0xA4, 0x04, 0x00, 0x0E, 0x32, 0x50, 0x41, 0x59, 0x2E, 0x53, 0x59, 0x53, 0x2E, 0x44, 0x44, 0x46, 0x30, 0x31, 0x00 };
var selResponse = GetResponse(SEL_FILE, transaction, "Select Payment");
var tlvSelResponse = Tlv.ParseTlv(selResponse);
var paymentApp = tlvSelResponse;
var SelApp = transaction.InitApdu(true);
SelApp.Instruction = InstructionCode.SelectFile;
SelApp.P1 = 0x04; // read the first file (I think?)
SelApp.Data = FindValue(tlvSelResponse.First(), new string[] { "6F", "A5", "BF0C", "61", "4F" });
var appResponse = transaction.SendCommand(SelApp, "Select App");
// Extract the PDOL
var appTlv = Tlv.ParseTlv(appResponse.GetData());
var pdolData = FindValue(appTlv.First(), new string[] { "6F", "A5", "9F38" });
var pdolParsed = PDOL.ParsePDOL(pdolData);
// Normally this would get sent back to the client to be filled by the terminal
PDOL.FillWithDummyData(pdolParsed);
var gpo = transaction.InitApdu(true);
gpo.CLA = 0x80;
gpo.Instruction = (InstructionCode)0xA8;
gpo.Data = PDOL.GeneratePDOL(pdolParsed);
var gpoResponse = transaction.SendCommand(gpo, "GPO");
var gpoTlv = Tlv.ParseTlv(gpoResponse.GetData());
var fileData = FindValue(gpoTlv.First(), new string[] { "77", "94" });
var fileList = ParseAddresses(fileData);
byte[] cdol = null;
foreach (var file in fileList)
{
for (byte recordNum = file.FromRecord; recordNum <= file.ToRecord; recordNum++)
{
var rr = transaction.InitApdu(false);
BuildReadRecordApdu(rr, file, recordNum);
var record = transaction.SendCommand(rr, "ReadRecord");
var rrtlv = Tlv.ParseTlv(record.GetData());
if (cdol == null)
{
cdol = FindValue(rrtlv.First(), new string[] { "70", "8C" });
}
}
}
if (cdol != null)
{
var cdolParsed = PDOL.ParsePDOL(cdol);
PDOL.FillWithDummyData(cdolParsed);
var GenerateCrypto = transaction.InitApdu(true);
GenerateCrypto.CLA = 0x80;
GenerateCrypto.Instruction = (InstructionCode)0xAE;
GenerateCrypto.P1 = 0x80;
GenerateCrypto.Data = PDOL.GenerateCDOL(cdolParsed);
var fuckinAye = transaction.SendCommand(GenerateCrypto, "GenerateCrypto");
var faBytes = fuckinAye.GetData();
}
//if (commandApdu.SequenceEqual(SEL_FILE))
// return new byte[] { 0x6F, 0x2C, 0x84, 0x0E, 0x32, 0x50, 0x41, 0x59, 0x2E, 0x53, 0x59, 0x53, 0x2E, 0x44, 0x44, 0x46, 0x30, 0x31, 0xA5, 0x1A, 0xBF, 0x0C, 0x17, 0x61, 0x15, 0x4F, 0x07, 0xA0, 0x00, 0x00, 0x02, 0x77, 0x10, 0x10, 0x50, 0x07, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x61, 0x63, 0x87, 0x01, 0x01, 0x90, 0x00 };
//byte[] SEL_INTERAC = new byte[] { 0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00, 0x02, 0x77, 0x10, 0x10, 0x00 };
////transaction.SendCommand(SEL_INTERAC, transaction, "Select Interac");
////var tlvSelResponse = BerTlv.Tlv.ParseTlv(selResponse);
//byte[] GET_ATC = new byte[] { 0x80, 0xCA, 0x9F, 0x36, 0x00 };
//var r1 = GetResponse(GET_ATC, transaction, "Get App Transaction Counter");
//byte[] GET_OATC = new byte[] { 0x80, 0xCA, 0x9F, 0x13, 0x00 };
//var r2 = GetResponse(GET_OATC, transaction, "Get App Transaction Counter (Online)");
//byte[] GET_PINC = new byte[] { 0x80, 0xCA, 0x9F, 0x17, 0x00 };
//var r3 = GetResponse(GET_PINC, transaction, "Get Pin Tries");
//byte[] GET_LOG = new byte[] { 0x80, 0xCA, 0x9F, 0x4F, 0x00 };
//var r4 = GetResponse(GET_LOG, transaction, "Get Log");
////if (commandApdu.SequenceEqual(SEL_INTERAC))
//// return new byte[] { 0x6F, 0x31, 0x84, 0x07, 0xA0, 0x00, 0x00, 0x02, 0x77, 0x10, 0x10, 0xA5, 0x26, 0x50, 0x07, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x61, 0x63, 0x87, 0x01, 0x01, 0x5F, 0x2D, 0x04, 0x65, 0x6E, 0x66, 0x72, 0xBF, 0x0C, 0x10, 0x9F, 0x4D, 0x02, 0x0B, 0x0A, 0x5F, 0x56, 0x03, 0x43, 0x41, 0x4E, 0xDF, 0x62, 0x02, 0x80, 0x80, 0x90, 0x00 };
//var GPO = new byte[] { 0x80, 0xA8, 0x00, 0x00, 0x02, 0x83, 0x00, 0x00 };
//GetResponse(GPO, transaction, "Warmup");
//if (GPO.SequenceEqual(commandApdu))
// return new byte[] { 0x77, 0x0A, 0x82, 0x02, 0x18, 0x00, 0x94, 0x04, 0x08, 0x01, 0x02, 0x00, 0x90, 0x00 };
}
private void ProcessDirectoryQueryResponseUserDetails(Tlv t, ref FullUserInfo ui)
{
List <TlvBlock> tlvlist = null;
ByteStream bstream = new ByteStream(t.Data);
switch (t.TypeNumber)
{
case 0x96: // Home Address
tlvlist = readTlvList(bstream, 1);
break;
case 0xa0: // Origin Address
tlvlist = readTlvList(bstream, 1);
break;
case 0xc8: // Phone Numbers
tlvlist = readTlvList(bstream, 5);
break;
case 0x8c: // Emails
tlvlist = readTlvList(bstream, 4);
break;
case 0x118: // Work
tlvlist = readTlvList(bstream, 1);
break;
case 0x10e: // Education
tlvlist = readTlvList(bstream, 1);
break;
case 0x122: // Interests
tlvlist = readTlvList(bstream, 4);
break;
}
if (tlvlist != null)
{
ushort count = 0;
foreach (TlvBlock block in tlvlist)
{
count++;
switch (t.TypeNumber)
{
case 0x96: // Home Address
ui.HomeAddress = block.ReadString(0x64, Encoding.UTF8);
ui.HomeCity = block.ReadString(0x6e, Encoding.UTF8);
ui.HomeState = block.ReadString(0x78, Encoding.UTF8);
ui.HomeZip = block.ReadString(0x82, Encoding.UTF8);
ui.HomeCountry = (CountryList)block.ReadUint(0x8c, 0);
break;
case 0xa0: // Origin Address
ui.OriginCity = block.ReadString(0x6e, Encoding.UTF8);
ui.OriginState = block.ReadString(0x78, Encoding.UTF8);
ui.OriginCountry = (CountryList)block.ReadUint(0x8c, 0);
break;
case 0xc8: // Phone Numbers
switch (count)
{
case 1: ui.HomePhone = block.ReadString(0x64, Encoding.ASCII); break;
case 2: ui.HomeFax = block.ReadString(0x64, Encoding.ASCII); break;
case 3: ui.MobilePhone = block.ReadString(0x64, Encoding.ASCII); break;
case 4: ui.WorkPhone = block.ReadString(0x64, Encoding.ASCII); break;
case 5: ui.WorkFax = block.ReadString(0x64, Encoding.ASCII); break;
default: return;
}
break;
case 0x8c: // Emails
string email = block.ReadString(0x64, Encoding.ASCII);
if (!string.IsNullOrEmpty(email))
{
if (ui.EmailAddresses == null)
{
ui.EmailAddresses = new string[0];
}
Array.Resize <string>(ref ui.EmailAddresses, ui.EmailAddresses.Length + 1);
ui.EmailAddresses[ui.EmailAddresses.Length - 1] = email;
}
break;
case 0x118: // Work
ui.WorkPosition = block.ReadString(0x64, Encoding.UTF8);
ui.WorkCompany = block.ReadString(0x6e, Encoding.UTF8);
ui.WorkDepartment = block.ReadString(0x7d, Encoding.UTF8);
ui.WorkWebsite = block.ReadString(0x78, Encoding.ASCII);
ui.WorkIndustry = (IndustryList)block.ReadUshort(0x82, 0);
ui.WorkAddress = block.ReadString(0xaa, Encoding.UTF8);
ui.WorkCity = block.ReadString(0xb4, Encoding.UTF8);
ui.WorkState = block.ReadString(0xbe, Encoding.UTF8);
ui.WorkZip = block.ReadString(0xc8, Encoding.UTF8);
ui.WorkCountry = (CountryList)block.ReadUint(0xd2, 0);
break;
case 0x10e: // Education
ui.StudyLevel = (StudyLevelList)block.ReadUshort(0x64, 0);
ui.StudyInstitute = block.ReadString(0x6e, Encoding.UTF8);
ui.StudyDegree = block.ReadString(0x78, Encoding.UTF8);
ui.StudyYear = block.ReadUshort(0x8c, 0);
break;
case 0x122: // Interests
string info = block.ReadString(0x64, Encoding.UTF8);
ushort cat = block.ReadUshort(0x6e, 0);
if (!string.IsNullOrEmpty(info) || cat > 0)
{
if (ui.InterestInfos == null)
{
ui.InterestInfos = new FullUserInfo.InterestInfo[0];
}
Array.Resize <FullUserInfo.InterestInfo>(ref ui.InterestInfos, ui.InterestInfos.Length + 1);
ui.InterestInfos[ui.InterestInfos.Length - 1].Info = info;
ui.InterestInfos[ui.InterestInfos.Length - 1].Category = (InterestList)cat;
}
break;
}
}
}
}
public static TokenSet ListTokens(TokenType type)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call ListTokens");
Tlv tlv = new Tlv();
tlv.Pack(TlvType.IncognitoListTokensTokenOrder, (int)type);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("incognito_list_tokens"));
if (result != null)
{
System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, incognito is probably loaded");
var responseTlv = Tlv.FromResponse(result);
if (responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0)
{
var impersonationTokens = Tlv.GetValue<string>(responseTlv, TlvType.IncognitoListTokensImpersonation, string.Empty);
var delegationTokens = Tlv.GetValue<string>(responseTlv, TlvType.IncognitoListTokensDelegation, string.Empty);
return new TokenSet(impersonationTokens, delegationTokens);
}
}
System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, incognito is probably not loaded");
throw new InvalidOperationException("incognito extension is not loaded");
}
void TlvReaderEncodes(uint typeLength, uint sizeLength, byte[] expectedOutput, Tlv tlv)
{
var parser = new TlvParser(typeLength, sizeLength);
using (var memStream = new MemoryStream())
{
parser.Encode(memStream, tlv);
var output = memStream.ToArray();
Assert.Equal(expectedOutput, output);
}
}
private bool Handle_VerifySmsCaptcha(Core core, OicqRequest request)
{
Console.WriteLine("Do sms verification.");
var tlvs = request.oicqRequestBody.TakeAllBytes(out var _);
var unpacker = new TlvUnpacker(tlvs, true);
if (unpacker.Count == 8 || unpacker.Count == 9)
{
Tlv tlv104 = unpacker.TryGetTlv(0x104);
Tlv tlv174 = unpacker.TryGetTlv(0x174);
Tlv tlv204 = unpacker.TryGetTlv(0x204);
Tlv tlv178 = unpacker.TryGetTlv(0x178);
Tlv tlv179 = unpacker.TryGetTlv(0x179);
Tlv tlv17d = unpacker.TryGetTlv(0x17d);
Tlv tlv402 = unpacker.TryGetTlv(0x402);
Tlv tlv403 = unpacker.TryGetTlv(0x403);
Tlv tlv17e = unpacker.TryGetTlv(0x17e);
if (tlv104 != null && tlv174 != null &&
tlv204 != null && tlv178 != null &&
tlv17d != null && tlv402 != null &&
tlv403 != null && tlv17e != null)
{
var sigSession = ((T104Body)tlv104._tlvBody)._sigSession;
var sigMessage = ((T17eBody)tlv17e._tlvBody)._message;
var smsPhone = ((T178Body)tlv178._tlvBody)._phone;
var smsCountryCode = ((T178Body)tlv178._tlvBody)._countryCode;
var smsToken = ((T174Body)tlv174._tlvBody)._smsToken;
Console.WriteLine($"[Hint] {sigMessage}");
core.SigInfo.WtLoginSmsPhone = $"+{smsCountryCode} {smsPhone}";
core.SigInfo.WtLoginSmsToken = smsToken;
core.SigInfo.WtLoginSession = sigSession;
core.PostSystemEvent(EventType.WtLoginSendSms);
return(true);
}
}
else if (unpacker.Count == 2)
{
Tlv tlv104 = unpacker.TryGetTlv(0x104);
Tlv tlv17b = unpacker.TryGetTlv(0x17b);
if (tlv104 != null && tlv17b != null)
{
var sigSession = ((T104Body)tlv104._tlvBody)._sigSession;
core.SigInfo.WtLoginSession = sigSession;
core.PostUserEvent(EventType.WtLoginVerifySmsCaptcha, core.SigInfo.WtLoginSmsPhone);
return(true);
}
}
else
{
core.PostSystemEvent(EventType.LoginFailed);
Console.WriteLine("[Error] Unknown data received.");
}
return(false);
}
public PairSetupReturn Post(Tlv parts, ConnectionSession session)
{
var state = parts.GetTypeAsInt(Constants.State);
if (session.Salt == null)
{
session.Salt = SrpGenerator.GenerateSalt(16);
}
_logger.LogDebug($"State is {state}");
if (state == 1) //srp sign up
{
var saltInt = SrpInteger.FromByteArray(session.Salt);
var privateKey = SrpGenerator.DerivePrivateKey(saltInt.ToHex(), Username, _code);
session.Verifier = SrpGenerator.DeriveVerifier(privateKey);
session.ServerEphemeral = SrpGenerator.GenerateServerEphemeral(session.Verifier);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.PublicKey, StringToByteArray(session.ServerEphemeral.Public));
responseTlv.AddType(Constants.Salt, session.Salt);
_logger.LogDebug($"return salt {saltInt.ToHex()}, pub {session.ServerEphemeral.Public} and state 2");
return(new PairSetupReturn
{
State = 1,
TlvData = responseTlv,
Ok = true
});
}
if (state == 3) //srp authenticate
{
_logger.LogDebug("Pair Setup Step 3/5");
_logger.LogDebug("SRP Verify Request");
var pubKey = parts.GetType(Constants.PublicKey);
var proof = parts.GetType(Constants.Proof);
var iOsPublicKey = SrpInteger.FromByteArray(pubKey);
var iOsProof = SrpInteger.FromByteArray(proof);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 4);
var ok = true;
try
{
session.ServerSession = SrpGenerator.DeriveServerSession(session.ServerEphemeral.Secret, iOsPublicKey.ToHex(), SrpInteger.FromByteArray(session.Salt).ToHex(), Username, session.Verifier,
iOsProof.ToHex());
_logger.LogInformation("Verification was successful. Generating Server Proof (M2)");
responseTlv.AddType(Constants.Proof, StringToByteArray(session.ServerSession.Proof));
_logger.LogDebug($"return proof {session.ServerSession.Proof}, secret {session.ServerEphemeral.Secret} and state 4");
}
catch (Exception e)
{
ok = false;
_logger.LogError(e, "Verification failed as iOS provided code was incorrect");
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
}
return(new PairSetupReturn
{
State = 3,
Ok = ok,
TlvData = responseTlv
});
}
if (state == 5)
{
return(HandlePairSetupM5(parts, session));
}
return(null);
}
protected void Th_handler(object rc)
{
Tlv tlv = (Tlv)rc;
ReaderHandler(tlv);
}
protected void _reader()
{
MemoryStream Bio = new MemoryStream();
BinaryWriter binaryWriter = new BinaryWriter(Bio);
BinaryReader binaryReader = new BinaryReader(Bio);
uint Biol = 0;
byte[] readerIo = new byte[_tlvConn.ReadBufferSize];
Tlv tlv = new Tlv();
tlv.Type = 0;
tlv.Length = 0;
//EOF 标识
bool EOF = false;
int Reader_index = 0;
while (true)
{
if (tlv.Length == 0 && Biol >= 5)
{
Bio.Seek(Reader_index, SeekOrigin.Begin);
Reader_index += 1;
tlv.Type = binaryReader.ReadByte();
byte[] LenBt = new byte[4];
LenBt = binaryReader.ReadBytes(4);
Reader_index += 4;
if (_tlvConn.Endian)
{
Array.Reverse(LenBt);
}
tlv.Length = System.BitConverter.ToUInt32(LenBt, 0);
Biol -= 5;
}
if (tlv.Length != 0 && Biol >= tlv.Length)
{
tlv.Value = new byte[(int)tlv.Length];
tlv.Value = binaryReader.ReadBytes((int)tlv.Length);
Biol -= tlv.Length;
Reader_index += (int)tlv.Length;
// ReaderHandler(tlv,this);
Thread _handler = new Thread(new ParameterizedThreadStart(Th_handler));
_handler.Start(tlv);
tlv = new Tlv();
if (Biol <= 0 && EOF)
{
break;
}
continue;
}
int len = _tlvConn.Conn.Receive(readerIo, 0, readerIo.Length, SocketFlags.None);
if (len > 0)
{
byte[] temp = new byte[len];
Array.Copy(readerIo, 0, temp, 0, len);
binaryWriter.Write(temp);
Biol += (uint)len;
}
else
{
EOF = true;
}
}
}
public PairSetupReturn Post(Tlv parts)
{
var customParams = SrpParameters.Create3072 <SHA512>();
var state = parts.GetTypeAsInt(Constants.State);
if (state == 1) //srp sign up
{
var rnd = new Random();
_salt = new byte[16];
rnd.NextBytes(_salt);
_saltInt = SrpInteger.FromByteArray(_salt);
var srp = new SrpClient(customParams);
_privateKey = srp.DerivePrivateKey(_saltInt.ToHex(), Username, _code);
_verifier = srp.DeriveVerifier(_privateKey);
_server = new SrpServer(customParams);
_serverEphemeral = _server.GenerateEphemeral(_verifier);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.PublicKey, StringToByteArray(_serverEphemeral.Public));
responseTlv.AddType(Constants.Salt, _salt);
return(new PairSetupReturn
{
State = 1,
TlvData = responseTlv,
Ok = true
});
}
if (state == 3) //srp authenticate
{
_logger.LogDebug("Pair Setup Step 3/6");
_logger.LogDebug("SRP Verify Request");
var pubKey = parts.GetType(Constants.PublicKey);
var proof = parts.GetType(Constants.Proof);
var iOsPublicKey = SrpInteger.FromByteArray(pubKey);
var iOsProof = SrpInteger.FromByteArray(proof);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 4);
var ok = true;
try
{
_serverSession = _server.DeriveSession(_serverEphemeral.Secret, iOsPublicKey.ToHex(), _saltInt.ToHex(), Username, _verifier,
iOsProof.ToHex());
_logger.LogInformation("Verification was successful. Generating Server Proof (M2)");
responseTlv.AddType(Constants.Proof, StringToByteArray(_serverSession.Proof));
}
catch (Exception)
{
ok = false;
_logger.LogError("Verification failed as iOS provided code was incorrect");
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
}
return(new PairSetupReturn
{
State = 3,
Ok = ok,
TlvData = responseTlv
});
}
if (state == 5)
{
_logger.LogDebug("Pair Setup Step 5/6");
_logger.LogDebug("Exchange Response");
try
{
var iOsEncryptedData = parts.GetType(Constants.EncryptedData).AsSpan(); // A
var zeros = new byte[] { 0, 0, 0, 0 };
var nonce = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg05"));
var hdkf = new HkdfSha512();
var hkdfEncKey = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Info"), 32);
var decrypt = AeadAlgorithm.ChaCha20Poly1305.Decrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce,
new byte[0], iOsEncryptedData, out var output);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 6);
if (!decrypt)
{
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = false
});
}
var subData = TlvParser.Parse(output);
byte[] username = subData.GetType(Constants.Identifier);
byte[] ltpk = subData.GetType(Constants.PublicKey);
byte[] proof = subData.GetType(Constants.Signature);
var okm = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Info"), 32);
var completeData = okm.Concat(username).Concat(ltpk).ToArray();
if (!SignatureAlgorithm.Ed25519.Verify(
PublicKey.Import(SignatureAlgorithm.Ed25519, ltpk, KeyBlobFormat.RawPublicKey), completeData,
proof))
{
var errorTlv = new Tlv();
errorTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = errorTlv,
Ok = false
});
}
var accessory = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info"), 32);
var seed = new byte[32];
RandomNumberGenerator.Create().GetBytes(seed);
Chaos.NaCl.Ed25519.KeyPairFromSeed(out var accessoryLtpk, out var accessoryLtsk, seed);
var serverUsername = Encoding.UTF8.GetBytes(HapControllerServer.HapControllerId);
var material = accessory.Concat(serverUsername).Concat(accessoryLtpk).ToArray();
var signature = Chaos.NaCl.Ed25519.Sign(material, accessoryLtsk);
var encoder = new Tlv();
encoder.AddType(Constants.Identifier, serverUsername);
encoder.AddType(Constants.PublicKey, accessoryLtpk);
encoder.AddType(Constants.Signature, signature);
var plaintext = TlvParser.Serialise(encoder);
var nonce6 = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg06"));
var encryptedOutput = AeadAlgorithm.ChaCha20Poly1305.Encrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce6,
new byte[0], plaintext);
responseTlv.AddType(Constants.EncryptedData, encryptedOutput);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = true,
Ltsk = ByteArrayToString(accessoryLtsk),
Ltpk = ByteArrayToString(ltpk)
});
}
catch (Exception e)
{
_logger.LogError(e, "Could not exchange request");
throw;
}
}
return(null);
}
private bool Handle_WtloginSuccess(Core core, OicqRequest request)
{
Console.WriteLine("Wtlogin success.");
var tlvs = request.oicqRequestBody.TakeAllBytes(out var _);
var unpacker = new TlvUnpacker(tlvs, true);
if (unpacker.Count == 2)
{
Tlv tlv119 = unpacker.TryGetTlv(0x119);
Tlv tlv161 = unpacker.TryGetTlv(0x161);
if (tlv119 != null && tlv161 != null)
{
var decrtpted = tlv119._tlvBody.TakeDecryptedBytes(out var _,
TeaCryptor.Instance, core.SigInfo.TgtgKey);
var tlv119Unpacker = new TlvUnpacker(decrtpted, true);
Tlv tlv16a = tlv119Unpacker.TryGetTlv(0x16a); // no pic sig
Tlv tlv106 = tlv119Unpacker.TryGetTlv(0x106);
Tlv tlv10c = tlv119Unpacker.TryGetTlv(0x10c); // gt key
Tlv tlv10a = tlv119Unpacker.TryGetTlv(0x10a); // tgt
Tlv tlv10d = tlv119Unpacker.TryGetTlv(0x10d); // tgt key
Tlv tlv114 = tlv119Unpacker.TryGetTlv(0x114); // st
Tlv tlv10e = tlv119Unpacker.TryGetTlv(0x10e); // st key
Tlv tlv103 = tlv119Unpacker.TryGetTlv(0x103); // stwx_web
Tlv tlv133 = tlv119Unpacker.TryGetTlv(0x133);
Tlv tlv134 = tlv119Unpacker.TryGetTlv(0x134); // ticket key
Tlv tlv528 = tlv119Unpacker.TryGetTlv(0x528);
Tlv tlv322 = tlv119Unpacker.TryGetTlv(0x322); // device token
Tlv tlv11d = tlv119Unpacker.TryGetTlv(0x11d); // st, st key
Tlv tlv11f = tlv119Unpacker.TryGetTlv(0x11f);
Tlv tlv138 = tlv119Unpacker.TryGetTlv(0x138);
Tlv tlv11a = tlv119Unpacker.TryGetTlv(0x11a); // age, sex, nickname
Tlv tlv522 = tlv119Unpacker.TryGetTlv(0x522);
Tlv tlv537 = tlv119Unpacker.TryGetTlv(0x537);
Tlv tlv550 = tlv119Unpacker.TryGetTlv(0x550);
Tlv tlv203 = tlv119Unpacker.TryGetTlv(0x203);
Tlv tlv120 = tlv119Unpacker.TryGetTlv(0x120); // skey
Tlv tlv16d = tlv119Unpacker.TryGetTlv(0x16d);
Tlv tlv512 = tlv119Unpacker.TryGetTlv(0x512); // Map<domain, p_skey>
Tlv tlv305 = tlv119Unpacker.TryGetTlv(0x305); // d2key
Tlv tlv143 = tlv119Unpacker.TryGetTlv(0x143); // d2
Tlv tlv118 = tlv119Unpacker.TryGetTlv(0x118);
Tlv tlv163 = tlv119Unpacker.TryGetTlv(0x163);
Tlv tlv130 = tlv119Unpacker.TryGetTlv(0x130);
Tlv tlv403 = tlv119Unpacker.TryGetTlv(0x403);
var noPicSig = ((T16aBody)tlv16a._tlvBody)._noPicSig;
var tgtKey = ((T10dBody)tlv10d._tlvBody)._tgtKey;
var tgtToken = ((T10aBody)tlv10a._tlvBody)._tgtToken;
var d2Key = ((T305Body)tlv305._tlvBody)._d2Key;
var d2Token = ((T143Body)tlv143._tlvBody)._d2Token;
var wtSessionTicketSig = ((T133Body)tlv133._tlvBody)._wtSessionTicketSig;
var wtSessionTicketKey = ((T134Body)tlv134._tlvBody)._wtSessionTicketKey;
var gtKey = ((T10cBody)tlv10c._tlvBody)._gtKey;
var stKey = ((T10eBody)tlv10e._tlvBody)._stKey;
var userAge = ((T11aBody)tlv11a._tlvBody)._age;
var userFace = ((T11aBody)tlv11a._tlvBody)._face;
var userNickname = ((T11aBody)tlv11a._tlvBody)._nickName;
core.SigInfo.TgtKey = tgtKey;
core.SigInfo.TgtToken = tgtToken;
core.SigInfo.D2Key = d2Key;
core.SigInfo.D2Token = d2Token;
core.SigInfo.WtSessionTicketSig = wtSessionTicketSig;
core.SigInfo.WtSessionTicketKey = wtSessionTicketKey;
core.SigInfo.GtKey = gtKey;
core.SigInfo.StKey = stKey;
core.SsoMan.SetD2Pair(d2Token, d2Key);
core.SsoMan.SetTgtPair(tgtToken, tgtKey);
core.SsoMan.DestroyServiceSequence(name);
core.PostSystemEvent(EventType.WtLoginOK);
Console.WriteLine($"gtKey => {Hex.Bytes2HexStr(gtKey)}");
Console.WriteLine($"stKey => {Hex.Bytes2HexStr(stKey)}");
Console.WriteLine($"tgtKey => {Hex.Bytes2HexStr(tgtKey)}");
Console.WriteLine($"tgtToken => {Hex.Bytes2HexStr(tgtToken)}");
Console.WriteLine($"d2Key => {Hex.Bytes2HexStr(d2Key)}");
Console.WriteLine($"d2Token => {Hex.Bytes2HexStr(d2Token)}");
return(true);
}
}
return(false);
}
void TlvReaderDecodes(uint typeLength, uint sizeLength, byte[] serializedTlv, Tlv expectedTlv)
{
var parser = new TlvParser(typeLength, sizeLength);
using (var memStream = new MemoryStream(serializedTlv))
{
var tlv = parser.Decode(memStream);
Assert.Equal(expectedTlv, tlv);
}
}
