模擬登錄封包python實現
#!/usr/bin/env pythonencoding:utf-8
from socket import from ctypes import create_string_buffer from struct import import sysconfig import random from ctypes.wintypes import BYTE from msilib import datasizemask from _ctypes import sizeof from random import randint from time import sleep
CODEC = 'utf-8'
global RECVBUFSIZ global m_wRecvSize global m_cbSendRound #發送字節映射 global m_cbRecvRound #接收字節映射 global m_dwSendXorKey #發送密鑰 global m_dwRecvXorKey #接收密鑰
m_cbSendRound = 0 m_cbRecvRound = 0
RECVBUFSIZ = 16384 m_wRecvSize = 0 m_cbSendRound = 0 #發送字節映射 m_cbRecvRound = 0 #接收字節映射 m_dwSendXorKey = 0 #發送密鑰 m_dwRecvXorKey = 0 #接收密鑰
def SendLogonPacket(ADDR,SENDBUFF): global RECVBUFSIZ cs = socket(AF_INET, SOCK_STREAM) cs.connect(ADDR) cs.send(SENDBUFF) lennum = len( cs.recv(RECVBUFSIZ)) cs.close() return lennum
def md5(str1): import hashlib m = hashlib.md5() m.update(str1) str1 = m.hexdigest() return str1.upper() def a2u(buff1,str1,start): i=0 for letter in str1: pack_into("B",buff1,start+i,ord(letter)) i += 2 def MapSendByte (byte): global m_cbSendRound index = byte + m_cbSendRound b = g_SendByteMap[index % 0x100] m_cbSendRound += 3 return b def MapRecvByte (byte): global m_cbRecvRound b = g_RecvByteMap[byte] - m_cbRecvRound b = b % 0x100 m_cbRecvRound += 3 return b def SeedRandMap(wSeed): num = int(wSeed) num = ( num * 241103 + 2533101 ) >> 16 return ((num | int(0xFFFF0000)) -0xFFFF0000) #返回一個WORD類型
def CrevasseBuffer(buff,wDataSize): global dwXorKey global m_dwSendXorKey global m_dwRecvXorKey i = 0 while i < wDataSize: print hex(ord (buff[i])), i += 1 dwXorKey = m_dwRecvXorKey if (((wDataSize -4) % 4 ) != 0): print "recv data error" exit() wEncrypCount = (wDataSize - 4) /4
#解密數據 i = 0 j = 4 #排除cmd_info,從CMD_Command起 k = 4 while i < (wEncrypCount): wSeed = (unpack_from("H",buff,k)[0]) k += 2 dwXorKey = SeedRandMap(wSeed) dwXorKey |= int( SeedRandMap(unpack_from ("H", buff, k)[0]) ) << 16 k += 2 dwXorKey ^= g_dwPacketKey n = unpack_from( "I", buff, j)[0] n ^= m_dwRecvXorKey pack_into("I",buff,j,n) j += 4 m_dwRecvXorKey = dwXorKey i += 1 i = 4 cbCheckCode = unpack_from('B',buff,1)[0] while i < wDataSize: pack_into ("B", buff, i, MapRecvByte ( ord ( buff[i] ) ) ) cbCheckCode += ord(buff[i]) cbCheckCode = cbCheckCode % 0x100 i += 1 if cbCheckCode != 0: print "" print 'cb' , cbCheckCode i = 0 while i < wDataSize: print hex(ord(buff[i])), i += 1 return wDataSizedef EncryptBuffer(buff,wDataSize): global dwXorKey global m_dwSendXorKey global m_dwRecvXorKey global SENDBUFF global m_dwSendPacketCount wEncryptSize = wDataSize - 4 #排除cmd_info4字節頭不加密 wSnapCount=0 if ((wEncryptSize % 4) != 0): #待加密數據對齊粒度 4字節 wSnapCount = 4 - ( wEncryptSize % 4 ) #不足4字節補-0 n = 0 t = wSnapCount while n < t: pack_into("B",buff,4 + wEncryptSize + n, 0x0) t += 1
cbCheckCode = 0 #務必置0 i = 4 #起始位置,排除CMD_INFO逐字節與發送映射表替換,并計算出校驗和 while i < wDataSize: #print hex(ord(buff[i])) cbCheckCode += ord(buff[i]) #print cbCheckCode cbCheckCode = cbCheckCode % 0x100 #print cbCheckCode t = MapSendByte(ord(buff[i])) #print t pack_into("B",buff,i,t) i += 1 #填寫計算出的校驗碼 pack_into ("B", buff, 1, ( ~cbCheckCode + 1) % 0x100) dwXorKey = m_dwSendXorKey if ( m_dwSendPacketCount == 0 ): dwXorKey = random.randint(0x11111111, 0xeeeeeeee) #生成隨機密鑰 dwXorKey = g_dwPacketKey m_dwSendXorKey = dwXorKey m_dwRecvXorKey = dwXorKey #加密數據 i = 0 j = 4 #排除cmd_info,從CMD_Command起 k = 4 while i < ((wEncryptSize + wSnapCount) / 4): n = (unpack_from("I",buff,j)[0]) n ^= dwXorKey pack_into("I", buff, j, n) j += 4 #逐4字節異或加密數據 dwXorKey = SeedRandMap ( unpack_from ( "H", buff, k )[0]) #用加密后的數據加密生成新的密鑰 k += 2 dwXorKey |= int( SeedRandMap( unpack_from ("H", buff, k)[0])) << 16 # k += 2 dwXorKey ^= g_dwPacketKey i += 1 if (m_dwSendPacketCount == 0): i = 0 while i < 8: pack_into("B", SENDBUFF, i, ord ( buff[i] ) ) #前八個字節相同 i += 1 pack_into ( "I", SENDBUFF, 8, m_dwSendXorKey ) #插入異或密鑰key PacketSize = wDataSize + 4 #因為插入了4B的密鑰 pack_into("H",SENDBUFF,2,PacketSize) j = 8 while j < wDataSize: pack_into("B", SENDBUFF, j+4, ord( buff[j] ) ) j += 1 pack_into("H",SENDBUFF,2,wDataSize + 4) #m_dwSendPacketCount += 1 #m_dwSendXorKey = dwXorKey"網絡數據定義"
SOCKET_VER = 0x05 #"#網絡版本" ida_pro 逆向找到EncryptBuffer函數后可以確定此值 SOCKET_BUFFER = 8192 #"#網絡緩沖" CMD_HEAD_SIZE = 4 DWORD_SIZE= 4 WORD_SIZE = 2 BYTE_SIZE = 1 SOCKET_PACKET = ( SOCKET_BUFFER - CMD_HEAD_SIZE - 2 * DWORD_SIZE ) g_dwPacketKey = 0xA55AA55A #"加密密鑰" #從WHSocket.dll獲取
"發送映射" #從WHSocket.dll獲取
g_SendByteMap = (0x70, 0x2F, 0x40, 0x5F, 0x44, 0x8E, 0x6E, 0x45, 0x7E, 0xAB, 0x2C, 0x1F, 0xB4, 0xAC, 0x9D, 0x91, 0x0D, 0x36, 0x9B, 0x0B, 0xD4, 0xC4, 0x39, 0x74, 0xBF, 0x23, 0x16, 0x14, 0x06, 0xEB, 0x04, 0x3E, 0x12, 0x5C, 0x8B, 0xBC, 0x61, 0x63, 0xF6, 0xA5, 0xE1, 0x65, 0xD8, 0xF5, 0x5A, 0x07, 0xF0, 0x13, 0xF2, 0x20, 0x6B, 0x4A, 0x24, 0x59, 0x89, 0x64, 0xD7, 0x42, 0x6A, 0x5E, 0x3D, 0x0A, 0x77, 0xE0, 0x80, 0x27, 0xB8, 0xC5, 0x8C, 0x0E, 0xFA, 0x8A, 0xD5, 0x29, 0x56, 0x57, 0x6C, 0x53, 0x67, 0x41, 0xE8, 0x00, 0x1A, 0xCE, 0x86, 0x83, 0xB0, 0x22, 0x28, 0x4D, 0x3F, 0x26, 0x46, 0x4F, 0x6F, 0x2B, 0x72, 0x3A, 0xF1, 0x8D, 0x97, 0x95, 0x49, 0x84, 0xE5, 0xE3, 0x79, 0x8F, 0x51, 0x10, 0xA8, 0x82, 0xC6, 0xDD, 0xFF, 0xFC, 0xE4, 0xCF, 0xB3, 0x09, 0x5D, 0xEA, 0x9C, 0x34, 0xF9, 0x17, 0x9F, 0xDA, 0x87, 0xF8, 0x15, 0x05, 0x3C, 0xD3, 0xA4, 0x85, 0x2E, 0xFB, 0xEE, 0x47, 0x3B, 0xEF, 0x37, 0x7F, 0x93, 0xAF, 0x69, 0x0C, 0x71, 0x31, 0xDE, 0x21, 0x75, 0xA0, 0xAA, 0xBA, 0x7C, 0x38, 0x02, 0xB7, 0x81, 0x01, 0xFD, 0xE7, 0x1D, 0xCC, 0xCD, 0xBD, 0x1B, 0x7A, 0x2A, 0xAD, 0x66, 0xBE, 0x55, 0x33, 0x03, 0xDB, 0x88, 0xB2, 0x1E, 0x4E, 0xB9, 0xE6, 0xC2, 0xF7, 0xCB, 0x7D, 0xC9, 0x62, 0xC3, 0xA6, 0xDC, 0xA7, 0x50, 0xB5, 0x4B, 0x94, 0xC0, 0x92, 0x4C, 0x11, 0x5B, 0x78, 0xD9, 0xB1, 0xED, 0x19, 0xE9, 0xA1, 0x1C, 0xB6, 0x32, 0x99, 0xA3, 0x76, 0x9E, 0x7B, 0x6D, 0x9A, 0x30, 0xD6, 0xA9, 0x25, 0xC7, 0xAE, 0x96, 0x35, 0xD0, 0xBB, 0xD2, 0xC8, 0xA2, 0x08, 0xF3, 0xD1, 0x73, 0xF4, 0x48, 0x2D, 0x90, 0xCA, 0xE2, 0x58, 0xC1, 0x18, 0x52, 0xFE, 0xDF, 0x68, 0x98, 0x54, 0xEC, 0x60, 0x43, 0x0F)
#
HOST = "192.168.1.108" PORT = 8300 ADDR = (HOST, PORT) m_cbLogonMode = 0xB LOGON_BY_GAME_ID = 0xB LOGON_BY_ACCOUNTS = 0xC MachineID = md5 (str(random.randint(0x11111111, 0xeeeeeeee))) PassWord = md5('123456') if m_cbLogonMode == LOGON_BY_ACCOUNTS: WPACKETSIZE = 0x100 #發送登錄數據包的總大小,抓包可獲取 Accounts = 'youruser' #0x42B 登錄賬號 if m_cbLogonMode == LOGON_BY_GAME_ID: WPACKETSIZE = 0xC4 GameID = 7990986
'''-----------------Packet_struct--------------------------------------------'''
#######CMD_Head
CMD_Info
cbVersion = SOCKET_VER #1B 數據類型 cbCheckCode = 0x00 #1B 校驗字段 發送數據的所有字節相加 wPacketSize = WPACKETSIZE #2B 數據大小 發送登錄數據包的總大小,抓包可獲取
CMD_Command
wMainCmdID = 0x000B #2B 主命令碼 源碼結合逆向分析出各個命令碼意義 wSubCmdID = m_cbLogonMode #2B 子命令碼
#######CMD_Head
CMD_GP_LogonAccounts
PlazaVersion = 0x06090302 #4B 廣場版本 逆向找到 dwNum = 0x0100007F # MachineID = MachineID #0x44B 機器序列 PassWord = PassWord #0x44B 登錄密碼 cbNeeValidateMBCard = 0x00 #密保校驗 '''-----------------Packet_struct--------------------------------------------'''
global SENDBUFF SENDBUFF = create_string_buffer(wPacketSize) buff = create_string_buffer(wPacketSize)
pack_into ( "B", buff, 0, cbVersion ) #固定值 pack_into ( "B", buff, 1, cbCheckCode ) #校驗碼計算正確即可 pack_into ( "H", buff, 2, wPacketSize ) #固定值 pack_into ( "HH",buff, 4, wMainCmdID, wSubCmdID ) #不同登錄類型不同固定值
CMD_GP_LogonAccounts_Size = wPacketSize - 4 - 4 - 4 #cmd_info 、cmd_command 、m_dwSendXorKey PlazaVersion_offset = 8
pack_into ("I", buff, PlazaVersion_offset, PlazaVersion ) pack_into ("I", buff, PlazaVersion_offset + 4, dwNum )
MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE #PlazaVersion 和 dwNum a2u (buff, MachineID, MachineID_offset ) if wSubCmdID == LOGON_BY_GAME_ID: pack_into ("I", buff, MachineID_offset + 0x42, GameID ) a2u (buff, PassWord, MachineID_offset + 0x42 + 4 ) if wSubCmdID == LOGON_BY_ACCOUNTS: a2u (buff, PassWord, MachineID_offset + 0x42 ) a2u (buff, Accounts, MachineID_offset + 0x42 + 0x42 ) pack_into ("B", buff, MachineID_offset + 0x42 + 0x42 + 0x40, cbNeeValidateMBCard )
wDataSize = wPacketSize - 4 #前面把m_dwSendXorKey 也算上了 ''' i = 0 while i < wDataSize: print hex(i), print hex(ord(buff[i]))
i += 1exit() '''
EncryptBuffer(buff, wDataSize)
SendLogonPacket(ADDR,SENDBUFF) #accounts登錄時返回數據大小 257 用戶名密碼機器碼正確, 12機器碼更換 68用戶密碼錯誤 78機器碼不正確</pre>