#!/usr/bin/env python # encoding:utf-8 from socket import * from ctypes import create_string_buffer from struct import * import sysconfig import random from ctypes.wintypes import BYTE from msilib import datasizemask from _ctypes import sizeof from random import randint from time import sleep CODEC = 'utf-8' global RECVBUFSIZ global m_wRecvSize global m_cbSendRound #发送字节映射 global m_cbRecvRound #接收字节映射 global m_dwSendXorKey #发送密钥 global m_dwRecvXorKey #接收密钥 m_cbSendRound = 0 m_cbRecvRound = 0 RECVBUFSIZ = 16384 m_wRecvSize = 0 m_cbSendRound = 0 #发送字节映射 m_cbRecvRound = 0 #接收字节映射 m_dwSendXorKey = 0 #发送密钥 m_dwRecvXorKey = 0 #接收密钥 def SendLogonPacket(ADDR,SENDBUFF): global RECVBUFSIZ cs = socket(AF_INET, SOCK_STREAM) cs.connect(ADDR) cs.send(SENDBUFF) lennum = len( cs.recv(RECVBUFSIZ)) cs.close() return lennum def md5(str1): import hashlib m = hashlib.md5() m.update(str1) str1 = m.hexdigest() return str1.upper() def a2u(buff1,str1,start): i=0 for letter in str1: pack_into("B",buff1,start+i,ord(letter)) i += 2 def MapSendByte (byte): global m_cbSendRound index = byte + m_cbSendRound b = g_SendByteMap[index % 0x100] m_cbSendRound += 3 return b def MapRecvByte (byte): global m_cbRecvRound b = g_RecvByteMap[byte] - m_cbRecvRound b = b % 0x100 m_cbRecvRound += 3 return b def SeedRandMap(wSeed): num = int(wSeed) num = ( num * 241103 + 2533101 ) >> 16 return ((num | int(0xFFFF0000)) -0xFFFF0000) #返回一个WORD类型 def CrevasseBuffer(buff,wDataSize): global dwXorKey global m_dwSendXorKey global m_dwRecvXorKey i = 0 while i < wDataSize: print hex(ord (buff[i])), i += 1 dwXorKey = m_dwRecvXorKey if (((wDataSize -4) % 4 ) != 0): print "recv data error" exit() wEncrypCount = (wDataSize - 4) /4 #解密数据 i = 0 j = 4 #排除cmd_info,从CMD_Command起 k = 4 while i < (wEncrypCount): wSeed = (unpack_from("H",buff,k)[0]) k += 2 dwXorKey = SeedRandMap(wSeed) dwXorKey |= int( SeedRandMap(unpack_from ("H", buff, k)[0]) ) << 16 k += 2 dwXorKey ^= g_dwPacketKey n = unpack_from( "I", buff, j)[0] n ^= m_dwRecvXorKey pack_into("I",buff,j,n) j += 4 m_dwRecvXorKey = dwXorKey i += 1 i = 4 cbCheckCode = unpack_from('B',buff,1)[0] while i < wDataSize: pack_into ("B", buff, i, MapRecvByte ( ord ( buff[i] ) ) ) cbCheckCode += ord(buff[i]) cbCheckCode = cbCheckCode % 0x100 i += 1 if cbCheckCode != 0: print "" print 'cb' , cbCheckCode i = 0 while i < wDataSize: print hex(ord(buff[i])), i += 1 return wDataSize def EncryptBuffer(buff,wDataSize): global dwXorKey global m_dwSendXorKey global m_dwRecvXorKey global SENDBUFF global m_dwSendPacketCount wEncryptSize = wDataSize - 4 #排除cmd_info4字节头不加密 wSnapCount=0 if ((wEncryptSize % 4) != 0): #待加密数据对齐粒度 4字节 wSnapCount = 4 - ( wEncryptSize % 4 ) #不足4字节补-0 n = 0 t = wSnapCount while n < t: pack_into("B",buff,4 + wEncryptSize + n, 0x0) t += 1 cbCheckCode = 0 #务必置0 i = 4 #起始位置,排除CMD_INFO逐字节与发送映射表替换,并计算出校验和 while i < wDataSize: #print hex(ord(buff[i])) cbCheckCode += ord(buff[i]) #print cbCheckCode cbCheckCode = cbCheckCode % 0x100 #print cbCheckCode t = MapSendByte(ord(buff[i])) #print t pack_into("B",buff,i,t) i += 1 #填写计算出的校验码 pack_into ("B", buff, 1, ( ~cbCheckCode + 1) % 0x100) dwXorKey = m_dwSendXorKey if ( m_dwSendPacketCount == 0 ): dwXorKey = random.randint(0x11111111, 0xeeeeeeee) #生成随机密钥 dwXorKey = g_dwPacketKey m_dwSendXorKey = dwXorKey m_dwRecvXorKey = dwXorKey #加密数据 i = 0 j = 4 #排除cmd_info,从CMD_Command起 k = 4 while i < ((wEncryptSize + wSnapCount) / 4): n = (unpack_from("I",buff,j)[0]) n ^= dwXorKey pack_into("I", buff, j, n) j += 4 #逐4字节异或加密数据 dwXorKey = SeedRandMap ( unpack_from ( "H", buff, k )[0]) #用加密后的数据加密生成新的密钥 k += 2 dwXorKey |= int( SeedRandMap( unpack_from ("H", buff, k)[0])) << 16 # k += 2 dwXorKey ^= g_dwPacketKey i += 1 if (m_dwSendPacketCount == 0): i = 0 while i < 8: pack_into("B", SENDBUFF, i, ord ( buff[i] ) ) #前八个字节相同 i += 1 pack_into ( "I", SENDBUFF, 8, m_dwSendXorKey ) #插入异或密钥key PacketSize = wDataSize + 4 #因为插入了4B的密钥 pack_into("H",SENDBUFF,2,PacketSize) j = 8 while j < wDataSize: pack_into("B", SENDBUFF, j+4, ord( buff[j] ) ) j += 1 pack_into("H",SENDBUFF,2,wDataSize + 4) #m_dwSendPacketCount += 1 #m_dwSendXorKey = dwXorKey #"网络数据定义" SOCKET_VER = 0x05 #"#网络版本" ida_pro 逆向找到EncryptBuffer函数后可以确定此值 SOCKET_BUFFER = 8192 #"#网络缓冲" CMD_HEAD_SIZE = 4 DWORD_SIZE= 4 WORD_SIZE = 2 BYTE_SIZE = 1 SOCKET_PACKET = ( SOCKET_BUFFER - CMD_HEAD_SIZE - 2 * DWORD_SIZE ) g_dwPacketKey = 0xA55AA55A #"加密密钥" #从WHSocket.dll获取 #"发送映射" #从WHSocket.dll获取 g_SendByteMap = (0x70, 0x2F, 0x40, 0x5F, 0x44, 0x8E, 0x6E, 0x45, 0x7E, 0xAB, 0x2C, 0x1F, 0xB4, 0xAC, 0x9D, 0x91, 0x0D, 0x36, 0x9B, 0x0B, 0xD4, 0xC4, 0x39, 0x74, 0xBF, 0x23, 0x16, 0x14, 0x06, 0xEB, 0x04, 0x3E, 0x12, 0x5C, 0x8B, 0xBC, 0x61, 0x63, 0xF6, 0xA5, 0xE1, 0x65, 0xD8, 0xF5, 0x5A, 0x07, 0xF0, 0x13, 0xF2, 0x20, 0x6B, 0x4A, 0x24, 0x59, 0x89, 0x64, 0xD7, 0x42, 0x6A, 0x5E, 0x3D, 0x0A, 0x77, 0xE0, 0x80, 0x27, 0xB8, 0xC5, 0x8C, 0x0E, 0xFA, 0x8A, 0xD5, 0x29, 0x56, 0x57, 0x6C, 0x53, 0x67, 0x41, 0xE8, 0x00, 0x1A, 0xCE, 0x86, 0x83, 0xB0, 0x22, 0x28, 0x4D, 0x3F, 0x26, 0x46, 0x4F, 0x6F, 0x2B, 0x72, 0x3A, 0xF1, 0x8D, 0x97, 0x95, 0x49, 0x84, 0xE5, 0xE3, 0x79, 0x8F, 0x51, 0x10, 0xA8, 0x82, 0xC6, 0xDD, 0xFF, 0xFC, 0xE4, 0xCF, 0xB3, 0x09, 0x5D, 0xEA, 0x9C, 0x34, 0xF9, 0x17, 0x9F, 0xDA, 0x87, 0xF8, 0x15, 0x05, 0x3C, 0xD3, 0xA4, 0x85, 0x2E, 0xFB, 0xEE, 0x47, 0x3B, 0xEF, 0x37, 0x7F, 0x93, 0xAF, 0x69, 0x0C, 0x71, 0x31, 0xDE, 0x21, 0x75, 0xA0, 0xAA, 0xBA, 0x7C, 0x38, 0x02, 0xB7, 0x81, 0x01, 0xFD, 0xE7, 0x1D, 0xCC, 0xCD, 0xBD, 0x1B, 0x7A, 0x2A, 0xAD, 0x66, 0xBE, 0x55, 0x33, 0x03, 0xDB, 0x88, 0xB2, 0x1E, 0x4E, 0xB9, 0xE6, 0xC2, 0xF7, 0xCB, 0x7D, 0xC9, 0x62, 0xC3, 0xA6, 0xDC, 0xA7, 0x50, 0xB5, 0x4B, 0x94, 0xC0, 0x92, 0x4C, 0x11, 0x5B, 0x78, 0xD9, 0xB1, 0xED, 0x19, 0xE9, 0xA1, 0x1C, 0xB6, 0x32, 0x99, 0xA3, 0x76, 0x9E, 0x7B, 0x6D, 0x9A, 0x30, 0xD6, 0xA9, 0x25, 0xC7, 0xAE, 0x96, 0x35, 0xD0, 0xBB, 0xD2, 0xC8, 0xA2, 0x08, 0xF3, 0xD1, 0x73, 0xF4, 0x48, 0x2D, 0x90, 0xCA, 0xE2, 0x58, 0xC1, 0x18, 0x52, 0xFE, 0xDF, 0x68, 0x98, 0x54, 0xEC, 0x60, 0x43, 0x0F) ############################################################################################# HOST = "192.168.1.108" PORT = 8300 ADDR = (HOST, PORT) m_cbLogonMode = 0xB LOGON_BY_GAME_ID = 0xB LOGON_BY_ACCOUNTS = 0xC MachineID = md5 (str(random.randint(0x11111111, 0xeeeeeeee))) PassWord = md5('123456') if m_cbLogonMode == LOGON_BY_ACCOUNTS: WPACKETSIZE = 0x100 #发送登录数据包的总大小,抓包可获取 Accounts = 'youruser' #0x42B 登录账号 if m_cbLogonMode == LOGON_BY_GAME_ID: WPACKETSIZE = 0xC4 GameID = 7990986 '''-----------------Packet_struct--------------------------------------------''' #############CMD_Head################### #CMD_Info cbVersion = SOCKET_VER #1B 数据类型 cbCheckCode = 0x00 #1B 校验字段 发送数据的所有字节相加 wPacketSize = WPACKETSIZE #2B 数据大小 发送登录数据包的总大小,抓包可获取 #CMD_Command wMainCmdID = 0x000B #2B 主命令码 源码结合逆向分析出各个命令码意义 wSubCmdID = m_cbLogonMode #2B 子命令码 #############CMD_Head################### #CMD_GP_LogonAccounts PlazaVersion = 0x06090302 #4B 广场版本 逆向找到 dwNum = 0x0100007F # MachineID = MachineID #0x44B 机器序列 PassWord = PassWord #0x44B 登录密码 cbNeeValidateMBCard = 0x00 #密保校验 '''-----------------Packet_struct--------------------------------------------''' global SENDBUFF SENDBUFF = create_string_buffer(wPacketSize) buff = create_string_buffer(wPacketSize) pack_into ( "B", buff, 0, cbVersion ) #固定值 pack_into ( "B", buff, 1, cbCheckCode ) #校验码计算正确即可 pack_into ( "H", buff, 2, wPacketSize ) #固定值 pack_into ( "HH",buff, 4, wMainCmdID, wSubCmdID ) #不同登录类型不同固定值 CMD_GP_LogonAccounts_Size = wPacketSize - 4 - 4 - 4 #cmd_info 、cmd_command 、m_dwSendXorKey PlazaVersion_offset = 8 pack_into ("I", buff, PlazaVersion_offset, PlazaVersion ) pack_into ("I", buff, PlazaVersion_offset + 4, dwNum ) MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE #PlazaVersion 和 dwNum a2u (buff, MachineID, MachineID_offset ) if wSubCmdID == LOGON_BY_GAME_ID: pack_into ("I", buff, MachineID_offset + 0x42, GameID ) a2u (buff, PassWord, MachineID_offset + 0x42 + 4 ) if wSubCmdID == LOGON_BY_ACCOUNTS: a2u (buff, PassWord, MachineID_offset + 0x42 ) a2u (buff, Accounts, MachineID_offset + 0x42 + 0x42 ) pack_into ("B", buff, MachineID_offset + 0x42 + 0x42 + 0x40, cbNeeValidateMBCard ) wDataSize = wPacketSize - 4 #前面把m_dwSendXorKey 也算上了 ''' i = 0 while i < wDataSize: print hex(i), print hex(ord(buff[i])) i += 1 exit() ''' EncryptBuffer(buff, wDataSize) SendLogonPacket(ADDR,SENDBUFF) #accounts登录时返回数据大小 257 用户名密码机器码正确, 12机器码更换 68用户密码错误 78机器码不正确