- #!/usr/bin/env python
- # encoding:utf-8
- from socket import *
- from ctypes import create_string_buffer
- from struct import *
- import sysconfig
- import random
- from ctypes.wintypes import BYTE
- from msilib import datasizemask
- from _ctypes import sizeof
- from random import randint
- from time import sleep
- CODEC = 'utf-8'
- global RECVBUFSIZ
- global m_wRecvSize
- global m_cbSendRound #发送字节映射
- global m_cbRecvRound #接收字节映射
- global m_dwSendXorKey #发送密钥
- global m_dwRecvXorKey #接收密钥
- m_cbSendRound = 0
- m_cbRecvRound = 0
- RECVBUFSIZ = 16384
- m_wRecvSize = 0
- m_cbSendRound = 0 #发送字节映射
- m_cbRecvRound = 0 #接收字节映射
- m_dwSendXorKey = 0 #发送密钥
- m_dwRecvXorKey = 0 #接收密钥
- def SendLogonPacket(ADDR,SENDBUFF):
- global RECVBUFSIZ
- cs = socket(AF_INET, SOCK_STREAM)
- cs.connect(ADDR)
- cs.send(SENDBUFF)
- lennum = len( cs.recv(RECVBUFSIZ))
- cs.close()
- return lennum
- def md5(str1):
- import hashlib
- m = hashlib.md5()
- m.update(str1)
- str1 = m.hexdigest()
- return str1.upper()
- def a2u(buff1,str1,start):
- i=0
- for letter in str1:
- pack_into("B",buff1,start+i,ord(letter))
- i += 2
- def MapSendByte (byte):
- global m_cbSendRound
- index = byte + m_cbSendRound
- b = g_SendByteMap[index % 0x100]
- m_cbSendRound += 3
- return b
- def MapRecvByte (byte):
- global m_cbRecvRound
- b = g_RecvByteMap[byte] - m_cbRecvRound
- b = b % 0x100
- m_cbRecvRound += 3
- return b
- def SeedRandMap(wSeed):
- num = int(wSeed)
- num = ( num * 241103 + 2533101 ) >> 16
- return ((num | int(0xFFFF0000)) -0xFFFF0000) #返回一个WORD类型
- def CrevasseBuffer(buff,wDataSize):
- global dwXorKey
- global m_dwSendXorKey
- global m_dwRecvXorKey
- i = 0
- while i < wDataSize:
- print hex(ord (buff[i])),
- i += 1
- dwXorKey = m_dwRecvXorKey
- if (((wDataSize -4) % 4 ) != 0):
- print "recv data error"
- exit()
- wEncrypCount = (wDataSize - 4) /4
- #解密数据
- i = 0
- j = 4 #排除cmd_info,从CMD_Command起
- k = 4
- while i < (wEncrypCount):
- wSeed = (unpack_from("H",buff,k)[0])
- k += 2
- dwXorKey = SeedRandMap(wSeed)
- dwXorKey |= int( SeedRandMap(unpack_from ("H", buff, k)[0]) ) << 16
- k += 2
- dwXorKey ^= g_dwPacketKey
- n = unpack_from( "I", buff, j)[0]
- n ^= m_dwRecvXorKey
- pack_into("I",buff,j,n)
- j += 4
- m_dwRecvXorKey = dwXorKey
- i += 1
- i = 4
- cbCheckCode = unpack_from('B',buff,1)[0]
- while i < wDataSize:
- pack_into ("B", buff, i, MapRecvByte ( ord ( buff[i] ) ) )
- cbCheckCode += ord(buff[i])
- cbCheckCode = cbCheckCode % 0x100
- i += 1
- if cbCheckCode != 0:
- print ""
- print 'cb' , cbCheckCode
- i = 0
- while i < wDataSize:
- print hex(ord(buff[i])),
- i += 1
- return wDataSize
- def EncryptBuffer(buff,wDataSize):
- global dwXorKey
- global m_dwSendXorKey
- global m_dwRecvXorKey
- global SENDBUFF
- global m_dwSendPacketCount
- wEncryptSize = wDataSize - 4 #排除cmd_info4字节头不加密
- wSnapCount=0
- if ((wEncryptSize % 4) != 0): #待加密数据对齐粒度 4字节
- wSnapCount = 4 - ( wEncryptSize % 4 ) #不足4字节补-0
- n = 0
- t = wSnapCount
- while n < t:
- pack_into("B",buff,4 + wEncryptSize + n, 0x0)
- t += 1
- cbCheckCode = 0 #务必置0
- i = 4 #起始位置,排除CMD_INFO逐字节与发送映射表替换,并计算出校验和
- while i < wDataSize:
- #print hex(ord(buff[i]))
- cbCheckCode += ord(buff[i])
- #print cbCheckCode
- cbCheckCode = cbCheckCode % 0x100
- #print cbCheckCode
- t = MapSendByte(ord(buff[i]))
- #print t
- pack_into("B",buff,i,t)
- i += 1
- #填写计算出的校验码
- pack_into ("B", buff, 1, ( ~cbCheckCode + 1) % 0x100)
- dwXorKey = m_dwSendXorKey
- if ( m_dwSendPacketCount == 0 ):
- dwXorKey = random.randint(0x11111111, 0xeeeeeeee) #生成随机密钥
- dwXorKey = g_dwPacketKey
- m_dwSendXorKey = dwXorKey
- m_dwRecvXorKey = dwXorKey
- #加密数据
- i = 0
- j = 4 #排除cmd_info,从CMD_Command起
- k = 4
- while i < ((wEncryptSize + wSnapCount) / 4):
- n = (unpack_from("I",buff,j)[0])
- n ^= dwXorKey
- pack_into("I", buff, j, n)
- j += 4 #逐4字节异或加密数据
- dwXorKey = SeedRandMap ( unpack_from ( "H", buff, k )[0]) #用加密后的数据加密生成新的密钥
- k += 2
- dwXorKey |= int( SeedRandMap( unpack_from ("H", buff, k)[0])) << 16 #
- k += 2
- dwXorKey ^= g_dwPacketKey
- i += 1
- if (m_dwSendPacketCount == 0):
- i = 0
- while i < 8:
- pack_into("B", SENDBUFF, i, ord ( buff[i] ) ) #前八个字节相同
- i += 1
- pack_into ( "I", SENDBUFF, 8, m_dwSendXorKey ) #插入异或密钥key
- PacketSize = wDataSize + 4 #因为插入了4B的密钥
- pack_into("H",SENDBUFF,2,PacketSize)
- j = 8
- while j < wDataSize:
- pack_into("B", SENDBUFF, j+4, ord( buff[j] ) )
- j += 1
- pack_into("H",SENDBUFF,2,wDataSize + 4)
- #m_dwSendPacketCount += 1
- #m_dwSendXorKey = dwXorKey
- #"网络数据定义"
- SOCKET_VER = 0x05 #"#网络版本" ida_pro 逆向找到EncryptBuffer函数后可以确定此值
- SOCKET_BUFFER = 8192 #"#网络缓冲"
- CMD_HEAD_SIZE = 4
- DWORD_SIZE= 4
- WORD_SIZE = 2
- BYTE_SIZE = 1
- SOCKET_PACKET = ( SOCKET_BUFFER - CMD_HEAD_SIZE - 2 * DWORD_SIZE )
- g_dwPacketKey = 0xA55AA55A #"加密密钥" #从WHSocket.dll获取
- #"发送映射" #从WHSocket.dll获取
- g_SendByteMap = (0x70, 0x2F, 0x40, 0x5F, 0x44, 0x8E, 0x6E, 0x45, 0x7E, 0xAB, 0x2C, 0x1F, 0xB4, 0xAC, 0x9D, 0x91,
- 0x0D, 0x36, 0x9B, 0x0B, 0xD4, 0xC4, 0x39, 0x74, 0xBF, 0x23, 0x16, 0x14, 0x06, 0xEB, 0x04, 0x3E,
- 0x12, 0x5C, 0x8B, 0xBC, 0x61, 0x63, 0xF6, 0xA5, 0xE1, 0x65, 0xD8, 0xF5, 0x5A, 0x07, 0xF0, 0x13,
- 0xF2, 0x20, 0x6B, 0x4A, 0x24, 0x59, 0x89, 0x64, 0xD7, 0x42, 0x6A, 0x5E, 0x3D, 0x0A, 0x77, 0xE0,
- 0x80, 0x27, 0xB8, 0xC5, 0x8C, 0x0E, 0xFA, 0x8A, 0xD5, 0x29, 0x56, 0x57, 0x6C, 0x53, 0x67, 0x41,
- 0xE8, 0x00, 0x1A, 0xCE, 0x86, 0x83, 0xB0, 0x22, 0x28, 0x4D, 0x3F, 0x26, 0x46, 0x4F, 0x6F, 0x2B,
- 0x72, 0x3A, 0xF1, 0x8D, 0x97, 0x95, 0x49, 0x84, 0xE5, 0xE3, 0x79, 0x8F, 0x51, 0x10, 0xA8, 0x82,
- 0xC6, 0xDD, 0xFF, 0xFC, 0xE4, 0xCF, 0xB3, 0x09, 0x5D, 0xEA, 0x9C, 0x34, 0xF9, 0x17, 0x9F, 0xDA,
- 0x87, 0xF8, 0x15, 0x05, 0x3C, 0xD3, 0xA4, 0x85, 0x2E, 0xFB, 0xEE, 0x47, 0x3B, 0xEF, 0x37, 0x7F,
- 0x93, 0xAF, 0x69, 0x0C, 0x71, 0x31, 0xDE, 0x21, 0x75, 0xA0, 0xAA, 0xBA, 0x7C, 0x38, 0x02, 0xB7,
- 0x81, 0x01, 0xFD, 0xE7, 0x1D, 0xCC, 0xCD, 0xBD, 0x1B, 0x7A, 0x2A, 0xAD, 0x66, 0xBE, 0x55, 0x33,
- 0x03, 0xDB, 0x88, 0xB2, 0x1E, 0x4E, 0xB9, 0xE6, 0xC2, 0xF7, 0xCB, 0x7D, 0xC9, 0x62, 0xC3, 0xA6,
- 0xDC, 0xA7, 0x50, 0xB5, 0x4B, 0x94, 0xC0, 0x92, 0x4C, 0x11, 0x5B, 0x78, 0xD9, 0xB1, 0xED, 0x19,
- 0xE9, 0xA1, 0x1C, 0xB6, 0x32, 0x99, 0xA3, 0x76, 0x9E, 0x7B, 0x6D, 0x9A, 0x30, 0xD6, 0xA9, 0x25,
- 0xC7, 0xAE, 0x96, 0x35, 0xD0, 0xBB, 0xD2, 0xC8, 0xA2, 0x08, 0xF3, 0xD1, 0x73, 0xF4, 0x48, 0x2D,
- 0x90, 0xCA, 0xE2, 0x58, 0xC1, 0x18, 0x52, 0xFE, 0xDF, 0x68, 0x98, 0x54, 0xEC, 0x60, 0x43, 0x0F)
- #############################################################################################
- HOST = "192.168.1.108"
- PORT = 8300
- ADDR = (HOST, PORT)
- m_cbLogonMode = 0xB
- LOGON_BY_GAME_ID = 0xB
- LOGON_BY_ACCOUNTS = 0xC
- MachineID = md5 (str(random.randint(0x11111111, 0xeeeeeeee)))
- PassWord = md5('123456')
- if m_cbLogonMode == LOGON_BY_ACCOUNTS:
- WPACKETSIZE = 0x100 #发送登录数据包的总大小,抓包可获取
- Accounts = 'youruser' #0x42B 登录账号
- if m_cbLogonMode == LOGON_BY_GAME_ID:
- WPACKETSIZE = 0xC4
- GameID = 7990986
- '''-----------------Packet_struct--------------------------------------------'''
- #############CMD_Head###################
- #CMD_Info
- cbVersion = SOCKET_VER #1B 数据类型
- cbCheckCode = 0x00 #1B 校验字段 发送数据的所有字节相加
- wPacketSize = WPACKETSIZE #2B 数据大小 发送登录数据包的总大小,抓包可获取
- #CMD_Command
- wMainCmdID = 0x000B #2B 主命令码 源码结合逆向分析出各个命令码意义
- wSubCmdID = m_cbLogonMode #2B 子命令码
- #############CMD_Head###################
- #CMD_GP_LogonAccounts
- PlazaVersion = 0x06090302 #4B 广场版本 逆向找到
- dwNum = 0x0100007F #
- MachineID = MachineID #0x44B 机器序列
- PassWord = PassWord #0x44B 登录密码
- cbNeeValidateMBCard = 0x00 #密保校验
- '''-----------------Packet_struct--------------------------------------------'''
- global SENDBUFF
- SENDBUFF = create_string_buffer(wPacketSize)
- buff = create_string_buffer(wPacketSize)
- pack_into ( "B", buff, 0, cbVersion ) #固定值
- pack_into ( "B", buff, 1, cbCheckCode ) #校验码计算正确即可
- pack_into ( "H", buff, 2, wPacketSize ) #固定值
- pack_into ( "HH",buff, 4, wMainCmdID, wSubCmdID ) #不同登录类型不同固定值
- CMD_GP_LogonAccounts_Size = wPacketSize - 4 - 4 - 4 #cmd_info 、cmd_command 、m_dwSendXorKey
- PlazaVersion_offset = 8
- pack_into ("I", buff, PlazaVersion_offset, PlazaVersion )
- pack_into ("I", buff, PlazaVersion_offset + 4, dwNum )
- MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE #PlazaVersion 和 dwNum
- a2u (buff, MachineID, MachineID_offset )
- if wSubCmdID == LOGON_BY_GAME_ID:
- pack_into ("I", buff, MachineID_offset + 0x42, GameID )
- a2u (buff, PassWord, MachineID_offset + 0x42 + 4 )
- if wSubCmdID == LOGON_BY_ACCOUNTS:
- a2u (buff, PassWord, MachineID_offset + 0x42 )
- a2u (buff, Accounts, MachineID_offset + 0x42 + 0x42 )
- pack_into ("B", buff, MachineID_offset + 0x42 + 0x42 + 0x40, cbNeeValidateMBCard )
- wDataSize = wPacketSize - 4 #前面把m_dwSendXorKey 也算上了
- '''
- i = 0
- while i < wDataSize:
- print hex(i),
- print hex(ord(buff[i]))
- i += 1
- exit()
- '''
- EncryptBuffer(buff, wDataSize)
- SendLogonPacket(ADDR,SENDBUFF) #accounts登录时返回数据大小 257 用户名密码机器码正确, 12机器码更换 68用户密码错误 78机器码不正确
来源: http://www.phpxs.com/code/1009716/