模拟登录封包python实现
发布时间:2020-12-17 17:29:29 所属栏目:Python 来源:网络整理
导读:今天PHP站长网 52php.cn把收集自互联网的代码分享给大家,仅供参考。 #!/usr/bin/env python# encoding:utf-8 from socket import *from ctypes import create_string_bufferfrom struct import *import sysconfigimport
|
以下代码由PHP站长网 52php.cn收集自互联网 现在PHP站长网小编把它分享给大家,仅供参考 #!/usr/bin/env python
# encoding:utf-8
from socket import *
from ctypes import create_string_buffer
from struct import *
import sysconfig
import random
from ctypes.wintypes import BYTE
from msilib import datasizemask
from _ctypes import sizeof
from random import randint
from time import sleep
CODEC = 'utf-8'
global RECVBUFSIZ
global m_wRecvSize
global m_cbSendRound #发送字节映射
global m_cbRecvRound #接收字节映射
global m_dwSendXorKey #发送密钥
global m_dwRecvXorKey #接收密钥
m_cbSendRound = 0
m_cbRecvRound = 0
RECVBUFSIZ = 16384
m_wRecvSize = 0
m_cbSendRound = 0 #发送字节映射
m_cbRecvRound = 0 #接收字节映射
m_dwSendXorKey = 0 #发送密钥
m_dwRecvXorKey = 0 #接收密钥
def SendLogonPacket(ADDR,SENDBUFF):
global RECVBUFSIZ
cs = socket(AF_INET,SOCK_STREAM)
cs.connect(ADDR)
cs.send(SENDBUFF)
lennum = len( cs.recv(RECVBUFSIZ))
cs.close()
return lennum
def md5(str1):
import hashlib
m = hashlib.md5()
m.update(str1)
str1 = m.hexdigest()
return str1.upper()
def a2u(buff1,str1,start):
i=0
for letter in str1:
pack_into("B",buff1,start+i,ord(letter))
i += 2
def MapSendByte (byte):
global m_cbSendRound
index = byte + m_cbSendRound
b = g_SendByteMap[index % 0x100]
m_cbSendRound += 3
return b
def MapRecvByte (byte):
global m_cbRecvRound
b = g_RecvByteMap[byte] - m_cbRecvRound
b = b % 0x100
m_cbRecvRound += 3
return b
def SeedRandMap(wSeed):
num = int(wSeed)
num = ( num * 241103 + 2533101 ) >> 16
return ((num | int(0xFFFF0000)) -0xFFFF0000) #返回一个WORD类型
def CrevasseBuffer(buff,wDataSize):
global dwXorKey
global m_dwSendXorKey
global m_dwRecvXorKey
i = 0
while i < wDataSize:
print hex(ord (buff[i])),i += 1
dwXorKey = m_dwRecvXorKey
if (((wDataSize -4) % 4 ) != 0):
print "recv data error"
exit()
wEncrypCount = (wDataSize - 4) /4
#解密数据
i = 0
j = 4 #排除cmd_info,从CMD_Command起
k = 4
while i < (wEncrypCount):
wSeed = (unpack_from("H",buff,k)[0])
k += 2
dwXorKey = SeedRandMap(wSeed)
dwXorKey |= int( SeedRandMap(unpack_from ("H",k)[0]) ) << 16
k += 2
dwXorKey ^= g_dwPacketKey
n = unpack_from( "I",j)[0]
n ^= m_dwRecvXorKey
pack_into("I",j,n)
j += 4
m_dwRecvXorKey = dwXorKey
i += 1
i = 4
cbCheckCode = unpack_from('B',1)[0]
while i < wDataSize:
pack_into ("B",i,MapRecvByte ( ord ( buff[i] ) ) )
cbCheckCode += ord(buff[i])
cbCheckCode = cbCheckCode % 0x100
i += 1
if cbCheckCode != 0:
print ""
print 'cb',cbCheckCode
i = 0
while i < wDataSize:
print hex(ord(buff[i])),i += 1
return wDataSize
def EncryptBuffer(buff,wDataSize):
global dwXorKey
global m_dwSendXorKey
global m_dwRecvXorKey
global SENDBUFF
global m_dwSendPacketCount
wEncryptSize = wDataSize - 4 #排除cmd_info4字节头不加密
wSnapCount=0
if ((wEncryptSize % 4) != 0): #待加密数据对齐粒度 4字节
wSnapCount = 4 - ( wEncryptSize % 4 ) #不足4字节补-0
n = 0
t = wSnapCount
while n < t:
pack_into("B",4 + wEncryptSize + n,0x0)
t += 1
cbCheckCode = 0 #务必置0
i = 4 #起始位置,排除CMD_INFO逐字节与发送映射表替换,并计算出校验和
while i < wDataSize:
#print hex(ord(buff[i]))
cbCheckCode += ord(buff[i])
#print cbCheckCode
cbCheckCode = cbCheckCode % 0x100
#print cbCheckCode
t = MapSendByte(ord(buff[i]))
#print t
pack_into("B",t)
i += 1
#填写计算出的校验码
pack_into ("B",1,( ~cbCheckCode + 1) % 0x100)
dwXorKey = m_dwSendXorKey
if ( m_dwSendPacketCount == 0 ):
dwXorKey = random.randint(0x22222111,0xeeeeeeee) #生成随机密钥
dwXorKey = g_dwPacketKey
m_dwSendXorKey = dwXorKey
m_dwRecvXorKey = dwXorKey
#加密数据
i = 0
j = 4 #排除cmd_info,从CMD_Command起
k = 4
while i < ((wEncryptSize + wSnapCount) / 4):
n = (unpack_from("I",j)[0])
n ^= dwXorKey
pack_into("I",n)
j += 4 #逐4字节异或加密数据
dwXorKey = SeedRandMap ( unpack_from ( "H",k )[0]) #用加密后的数据加密生成新的密钥
k += 2
dwXorKey |= int( SeedRandMap( unpack_from ("H",k)[0])) << 16 #
k += 2
dwXorKey ^= g_dwPacketKey
i += 1
if (m_dwSendPacketCount == 0):
i = 0
while i < 8:
pack_into("B",SENDBUFF,ord ( buff[i] ) ) #前八个字节相同
i += 1
pack_into ( "I",8,m_dwSendXorKey ) #插入异或密钥key
PacketSize = wDataSize + 4 #因为插入了4B的密钥
pack_into("H",2,PacketSize)
j = 8
while j < wDataSize:
pack_into("B",j+4,ord( buff[j] ) )
j += 1
pack_into("H",wDataSize + 4)
#m_dwSendPacketCount += 1
#m_dwSendXorKey = dwXorKey
#"网络数据定义"
SOCKET_VER = 0x05 #"#网络版本" ida_pro 逆向找到EncryptBuffer函数后可以确定此值
SOCKET_BUFFER = 8192 #"#网络缓冲"
CMD_HEAD_SIZE = 4
DWORD_SIZE= 4
WORD_SIZE = 2
BYTE_SIZE = 1
SOCKET_PACKET = ( SOCKET_BUFFER - CMD_HEAD_SIZE - 2 * DWORD_SIZE )
g_dwPacketKey = 0xA55AA55A #"加密密钥" #从WHSocket.dll获取
#"发送映射" #从WHSocket.dll获取
g_SendByteMap = (0x70,0x2F,0x40,0x5F,0x44,0x8E,0x6E,0x45,0x7E,0xAB,0x2C,0x1F,0xB4,0xAC,0x9D,0x91,0x0D,0x36,0x9B,0x0B,0xD4,0xC4,0x39,0x74,0xBF,0x23,0x16,0x14,0x06,0xEB,0x04,0x3E,0x12,0x5C,0x8B,0xBC,0x61,0x63,0xF6,0xA5,0xE1,0x65,0xD8,0xF5,0x5A,0x07,0xF0,0x13,0xF2,0x20,0x6B,0x4A,0x24,0x59,0x89,0x64,0xD7,0x42,0x6A,0x5E,0x3D,0x0A,0x77,0xE0,0x80,0x27,0xB8,0xC5,0x8C,0x0E,0xFA,0x8A,0xD5,0x29,0x56,0x57,0x6C,0x53,0x67,0x41,0xE8,0x00,0x1A,0xCE,0x86,0x83,0xB0,0x22,0x28,0x4D,0x3F,0x26,0x46,0x4F,0x6F,0x2B,0x72,0x3A,0xF1,0x8D,0x97,0x95,0x49,0x84,0xE5,0xE3,0x79,0x8F,0x51,0x10,0xA8,0x82,0xC6,0xDD,0xFF,0xFC,0xE4,0xCF,0xB3,0x09,0x5D,0xEA,0x9C,0x34,0xF9,0x17,0x9F,0xDA,0x87,0xF8,0x15,0x05,0x3C,0xD3,0xA4,0x85,0x2E,0xFB,0xEE,0x47,0x3B,0xEF,0x37,0x7F,0x93,0xAF,0x69,0x0C,0x71,0x31,0xDE,0x21,0x75,0xA0,0xAA,0xBA,0x7C,0x38,0x02,0xB7,0x81,0x01,0xFD,0xE7,0x1D,0xCC,0xCD,0xBD,0x1B,0x7A,0x2A,0xAD,0x66,0xBE,0x55,0x33,0x03,0xDB,0x88,0xB2,0x1E,0x4E,0xB9,0xE6,0xC2,0xF7,0xCB,0x7D,0xC9,0x62,0xC3,0xA6,0xDC,0xA7,0x50,0xB5,0x4B,0x94,0xC0,0x92,0x4C,0x11,0x5B,0x78,0xD9,0xB1,0xED,0x19,0xE9,0xA1,0x1C,0xB6,0x32,0x99,0xA3,0x76,0x9E,0x7B,0x6D,0x9A,0x30,0xD6,0xA9,0x25,0xC7,0xAE,0x96,0x35,0xD0,0xBB,0xD2,0xC8,0xA2,0x08,0xF3,0xD1,0x73,0xF4,0x48,0x2D,0x90,0xCA,0xE2,0x58,0xC1,0x18,0x52,0xFE,0xDF,0x68,0x98,0x54,0xEC,0x60,0x43,0x0F)
#############################################################################################
HOST = "192.168.1.108"
PORT = 8300
ADDR = (HOST,PORT)
m_cbLogonMode = 0xB
LOGON_BY_GAME_ID = 0xB
LOGON_BY_ACCOUNTS = 0xC
MachineID = md5 (str(random.randint(0x22222111,0xeeeeeeee)))
PassWord = md5('123456')
if m_cbLogonMode == LOGON_BY_ACCOUNTS:
WPACKETSIZE = 0x100 #发送登录数据包的总大小,抓包可获取
Accounts = 'youruser' #0x42B 登录账号
if m_cbLogonMode == LOGON_BY_GAME_ID:
WPACKETSIZE = 0xC4
GameID = 7990986
'''-----------------Packet_struct--------------------------------------------'''
#############CMD_Head###################
#CMD_Info
cbVersion = SOCKET_VER #1B 数据类型
cbCheckCode = 0x00 #1B 校验字段 发送数据的所有字节相加
wPacketSize = WPACKETSIZE #2B 数据大小 发送登录数据包的总大小,抓包可获取
#CMD_Command
wMainCmdID = 0x000B #2B 主命令码 源码结合逆向分析出各个命令码意义
wSubCmdID = m_cbLogonMode #2B 子命令码
#############CMD_Head###################
#CMD_GP_LogonAccounts
PlazaVersion = 0x06090302 #4B 广场版本 逆向找到
dwNum = 0x0100007F #
MachineID = MachineID #0x44B 机器序列
PassWord = PassWord #0x44B 登录密码
cbNeeValidateMBCard = 0x00 #密保校验
'''-----------------Packet_struct--------------------------------------------'''
global SENDBUFF
SENDBUFF = create_string_buffer(wPacketSize)
buff = create_string_buffer(wPacketSize)
pack_into ( "B",cbVersion ) #固定值
pack_into ( "B",cbCheckCode ) #校验码计算正确即可
pack_into ( "H",wPacketSize ) #固定值
pack_into ( "HH",4,wMainCmdID,wSubCmdID ) #不同登录类型不同固定值
CMD_GP_LogonAccounts_Size = wPacketSize - 4 - 4 - 4 #cmd_info 、cmd_command 、m_dwSendXorKey
PlazaVersion_offset = 8
pack_into ("I",PlazaVersion_offset,PlazaVersion )
pack_into ("I",PlazaVersion_offset + 4,dwNum )
MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE #PlazaVersion 和 dwNum
a2u (buff,MachineID,MachineID_offset )
if wSubCmdID == LOGON_BY_GAME_ID:
pack_into ("I",MachineID_offset + 0x42,GameID )
a2u (buff,PassWord,MachineID_offset + 0x42 + 4 )
if wSubCmdID == LOGON_BY_ACCOUNTS:
a2u (buff,MachineID_offset + 0x42 )
a2u (buff,Accounts,MachineID_offset + 0x42 + 0x42 )
pack_into ("B",MachineID_offset + 0x42 + 0x42 + 0x40,cbNeeValidateMBCard )
wDataSize = wPacketSize - 4 #前面把m_dwSendXorKey 也算上了
'''
i = 0
while i < wDataSize:
print hex(i),print hex(ord(buff[i]))
i += 1
exit()
'''
EncryptBuffer(buff,wDataSize)
SendLogonPacket(ADDR,SENDBUFF) #accounts登录时返回数据大小 257 用户名密码机器码正确, 12机器码更换 68用户密码错误 78机器码不正确
以上内容由PHP站长网【52php.cn】收集整理供大家参考研究 如果以上内容对您有帮助,欢迎收藏、点赞、推荐、分享。 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |