返回顶部

收藏

模拟登录封包python实现

更多
#!/usr/bin/env python
# encoding:utf-8

from socket import  *
from ctypes import create_string_buffer
from struct import *
import sysconfig
import random
from ctypes.wintypes import BYTE
from msilib import datasizemask
from _ctypes import sizeof
from random import randint
from time import sleep

CODEC = 'utf-8'

global RECVBUFSIZ
global  m_wRecvSize
global  m_cbSendRound #发送字节映射
global  m_cbRecvRound  #接收字节映射
global  m_dwSendXorKey  #发送密钥
global  m_dwRecvXorKey #接收密钥

m_cbSendRound = 0
m_cbRecvRound = 0

RECVBUFSIZ = 16384
m_wRecvSize = 0
m_cbSendRound = 0 #发送字节映射
m_cbRecvRound = 0  #接收字节映射
m_dwSendXorKey = 0  #发送密钥
m_dwRecvXorKey = 0 #接收密钥

def SendLogonPacket(ADDR,SENDBUFF):
    global RECVBUFSIZ
    cs = socket(AF_INET, SOCK_STREAM)
    cs.connect(ADDR)
    cs.send(SENDBUFF)
    lennum = len( cs.recv(RECVBUFSIZ))
    cs.close()
    return lennum

def md5(str1):
    import hashlib
    m = hashlib.md5()
    m.update(str1)
    str1 = m.hexdigest()
    return  str1.upper()
def a2u(buff1,str1,start):
    i=0
    for letter in str1:
        pack_into("B",buff1,start+i,ord(letter))
        i += 2
def MapSendByte (byte):
    global m_cbSendRound
    index = byte + m_cbSendRound
    b = g_SendByteMap[index % 0x100]
    m_cbSendRound += 3
    return b
def MapRecvByte (byte):
    global m_cbRecvRound
    b = g_RecvByteMap[byte] - m_cbRecvRound
    b = b % 0x100
    m_cbRecvRound += 3
    return b
def SeedRandMap(wSeed):
    num = int(wSeed)
    num = ( num * 241103 + 2533101 ) >> 16
    return ((num  | int(0xFFFF0000)) -0xFFFF0000) #返回一个WORD类型

def CrevasseBuffer(buff,wDataSize):
    global dwXorKey
    global m_dwSendXorKey
    global m_dwRecvXorKey
    i = 0
    while i  < wDataSize:
        print hex(ord (buff[i])),
        i += 1
    dwXorKey = m_dwRecvXorKey
    if (((wDataSize -4) % 4 ) != 0):
        print "recv data error"
        exit()
    wEncrypCount = (wDataSize - 4) /4
    #解密数据
    i = 0
    j = 4   #排除cmd_info,从CMD_Command起
    k = 4
    while i < (wEncrypCount):
        wSeed =  (unpack_from("H",buff,k)[0])
        k += 2
        dwXorKey = SeedRandMap(wSeed)
        dwXorKey |= int( SeedRandMap(unpack_from ("H", buff, k)[0]) ) << 16
        k += 2
        dwXorKey ^= g_dwPacketKey
        n = unpack_from( "I", buff, j)[0]
        n ^= m_dwRecvXorKey
        pack_into("I",buff,j,n)
        j += 4
        m_dwRecvXorKey = dwXorKey
        i += 1

    i = 4
    cbCheckCode = unpack_from('B',buff,1)[0]
    while i < wDataSize:
        pack_into ("B", buff, i, MapRecvByte ( ord ( buff[i] ) ) )
        cbCheckCode += ord(buff[i])
        cbCheckCode = cbCheckCode % 0x100
        i += 1
    if cbCheckCode != 0:
        print ""
        print 'cb' , cbCheckCode
    i = 0
    while i  < wDataSize:
        print hex(ord(buff[i])),
        i += 1
    return wDataSize

def EncryptBuffer(buff,wDataSize):
    global dwXorKey
    global m_dwSendXorKey
    global m_dwRecvXorKey
    global SENDBUFF
    global m_dwSendPacketCount
    wEncryptSize = wDataSize - 4 #排除cmd_info4字节头不加密
    wSnapCount=0
    if ((wEncryptSize % 4) != 0): #待加密数据对齐粒度 4字节
        wSnapCount = 4 - ( wEncryptSize % 4 )  #不足4字节补-0
        n = 0
        t = wSnapCount
        while n < t:
            pack_into("B",buff,4 + wEncryptSize + n, 0x0)
            t += 1

    cbCheckCode = 0 #务必置0
    i = 4 #起始位置,排除CMD_INFO逐字节与发送映射表替换,并计算出校验和
    while i < wDataSize:
        #print hex(ord(buff[i]))
        cbCheckCode += ord(buff[i])
        #print cbCheckCode
        cbCheckCode = cbCheckCode % 0x100
        #print cbCheckCode
        t = MapSendByte(ord(buff[i]))
        #print t
        pack_into("B",buff,i,t)
        i += 1

    #填写计算出的校验码
    pack_into ("B", buff, 1, ( ~cbCheckCode + 1) % 0x100)

    dwXorKey = m_dwSendXorKey
    if ( m_dwSendPacketCount == 0 ):
        dwXorKey = random.randint(0x11111111, 0xeeeeeeee) #生成随机密钥

        dwXorKey = g_dwPacketKey

        m_dwSendXorKey = dwXorKey
        m_dwRecvXorKey = dwXorKey

    #加密数据
    i = 0
    j = 4   #排除cmd_info,从CMD_Command起
    k = 4
    while i < ((wEncryptSize + wSnapCount) / 4):
        n =  (unpack_from("I",buff,j)[0])
        n ^= dwXorKey
        pack_into("I", buff, j, n)
        j += 4 #逐4字节异或加密数据
        dwXorKey = SeedRandMap ( unpack_from ( "H", buff, k )[0])  #用加密后的数据加密生成新的密钥
        k += 2
        dwXorKey |= int( SeedRandMap( unpack_from ("H", buff, k)[0])) << 16 #
        k += 2
        dwXorKey ^= g_dwPacketKey
        i += 1

    if (m_dwSendPacketCount == 0):
        i = 0
        while i < 8:
            pack_into("B", SENDBUFF, i, ord ( buff[i] ) )      #前八个字节相同
            i += 1
        pack_into ( "I", SENDBUFF, 8, m_dwSendXorKey )  #插入异或密钥key
        PacketSize = wDataSize + 4 #因为插入了4B的密钥
        pack_into("H",SENDBUFF,2,PacketSize)
        j = 8
        while j <  wDataSize:
            pack_into("B", SENDBUFF, j+4, ord( buff[j] ) )
            j += 1
        pack_into("H",SENDBUFF,2,wDataSize + 4)

    #m_dwSendPacketCount += 1
    #m_dwSendXorKey = dwXorKey

#"网络数据定义"
SOCKET_VER = 0x05    #"#网络版本"  ida_pro 逆向找到EncryptBuffer函数后可以确定此值
SOCKET_BUFFER = 8192    #"#网络缓冲"
CMD_HEAD_SIZE = 4
DWORD_SIZE= 4
WORD_SIZE = 2
BYTE_SIZE = 1
SOCKET_PACKET = ( SOCKET_BUFFER - CMD_HEAD_SIZE - 2 * DWORD_SIZE )
g_dwPacketKey = 0xA55AA55A  #"加密密钥" #从WHSocket.dll获取

#"发送映射"  #从WHSocket.dll获取
g_SendByteMap = (0x70,  0x2F, 0x40, 0x5F, 0x44, 0x8E, 0x6E, 0x45, 0x7E, 0xAB, 0x2C, 0x1F, 0xB4, 0xAC, 0x9D, 0x91,
    0x0D, 0x36, 0x9B, 0x0B, 0xD4, 0xC4, 0x39, 0x74, 0xBF, 0x23, 0x16, 0x14, 0x06, 0xEB, 0x04, 0x3E,
    0x12, 0x5C, 0x8B, 0xBC, 0x61, 0x63, 0xF6, 0xA5, 0xE1, 0x65, 0xD8, 0xF5, 0x5A, 0x07, 0xF0, 0x13,
    0xF2, 0x20, 0x6B, 0x4A, 0x24, 0x59, 0x89, 0x64, 0xD7, 0x42, 0x6A, 0x5E, 0x3D, 0x0A, 0x77, 0xE0,
    0x80, 0x27, 0xB8, 0xC5, 0x8C, 0x0E, 0xFA, 0x8A, 0xD5, 0x29, 0x56, 0x57, 0x6C, 0x53, 0x67, 0x41,
    0xE8, 0x00, 0x1A, 0xCE, 0x86, 0x83, 0xB0, 0x22, 0x28, 0x4D, 0x3F, 0x26, 0x46, 0x4F, 0x6F, 0x2B,
    0x72, 0x3A, 0xF1, 0x8D, 0x97, 0x95, 0x49, 0x84, 0xE5, 0xE3, 0x79, 0x8F, 0x51, 0x10, 0xA8, 0x82,
    0xC6, 0xDD, 0xFF, 0xFC, 0xE4, 0xCF, 0xB3, 0x09, 0x5D, 0xEA, 0x9C, 0x34, 0xF9, 0x17, 0x9F, 0xDA,
    0x87, 0xF8, 0x15, 0x05, 0x3C, 0xD3, 0xA4, 0x85, 0x2E, 0xFB, 0xEE, 0x47, 0x3B, 0xEF, 0x37, 0x7F,
    0x93, 0xAF, 0x69, 0x0C, 0x71, 0x31, 0xDE, 0x21, 0x75, 0xA0, 0xAA, 0xBA, 0x7C, 0x38, 0x02, 0xB7,
    0x81, 0x01, 0xFD, 0xE7, 0x1D, 0xCC, 0xCD, 0xBD, 0x1B, 0x7A, 0x2A, 0xAD, 0x66, 0xBE, 0x55, 0x33,
    0x03, 0xDB, 0x88, 0xB2, 0x1E, 0x4E, 0xB9, 0xE6, 0xC2, 0xF7, 0xCB, 0x7D, 0xC9, 0x62, 0xC3, 0xA6,
    0xDC, 0xA7, 0x50, 0xB5, 0x4B, 0x94, 0xC0, 0x92, 0x4C, 0x11, 0x5B, 0x78, 0xD9, 0xB1, 0xED, 0x19,
    0xE9, 0xA1, 0x1C, 0xB6, 0x32, 0x99, 0xA3, 0x76, 0x9E, 0x7B, 0x6D, 0x9A, 0x30, 0xD6, 0xA9, 0x25,
    0xC7, 0xAE, 0x96, 0x35, 0xD0, 0xBB, 0xD2, 0xC8, 0xA2, 0x08, 0xF3, 0xD1, 0x73, 0xF4, 0x48, 0x2D,
    0x90, 0xCA, 0xE2, 0x58, 0xC1, 0x18, 0x52, 0xFE, 0xDF, 0x68, 0x98, 0x54, 0xEC, 0x60, 0x43, 0x0F)
#############################################################################################

HOST = "192.168.1.108"
PORT = 8300
ADDR = (HOST, PORT)
m_cbLogonMode = 0xB
LOGON_BY_GAME_ID = 0xB
LOGON_BY_ACCOUNTS = 0xC
MachineID = md5 (str(random.randint(0x11111111, 0xeeeeeeee)))
PassWord = md5('123456')
if m_cbLogonMode == LOGON_BY_ACCOUNTS:
    WPACKETSIZE = 0x100 #发送登录数据包的总大小,抓包可获取
    Accounts = 'youruser'   #0x42B 登录账号
if m_cbLogonMode == LOGON_BY_GAME_ID:
    WPACKETSIZE = 0xC4
    GameID = 7990986

'''-----------------Packet_struct--------------------------------------------'''
#############CMD_Head###################
#CMD_Info
cbVersion  = SOCKET_VER  #1B    数据类型
cbCheckCode = 0x00  #1B   校验字段    发送数据的所有字节相加
wPacketSize = WPACKETSIZE  #2B   数据大小    发送登录数据包的总大小,抓包可获取
#CMD_Command
wMainCmdID = 0x000B #2B 主命令码 源码结合逆向分析出各个命令码意义
wSubCmdID = m_cbLogonMode  #2B 子命令码
#############CMD_Head###################
#CMD_GP_LogonAccounts
PlazaVersion = 0x06090302 #4B 广场版本 逆向找到 
dwNum = 0x0100007F  # 
MachineID = MachineID #0x44B 机器序列
PassWord = PassWord #0x44B 登录密码
cbNeeValidateMBCard = 0x00 #密保校验
'''-----------------Packet_struct--------------------------------------------'''

global SENDBUFF
SENDBUFF = create_string_buffer(wPacketSize)
buff = create_string_buffer(wPacketSize)

pack_into ( "B", buff, 0, cbVersion )   #固定值
pack_into ( "B", buff, 1, cbCheckCode ) #校验码计算正确即可
pack_into ( "H", buff, 2, wPacketSize ) #固定值
pack_into ( "HH",buff, 4, wMainCmdID, wSubCmdID ) #不同登录类型不同固定值

CMD_GP_LogonAccounts_Size = wPacketSize - 4 - 4  - 4  #cmd_info 、cmd_command 、m_dwSendXorKey
PlazaVersion_offset = 8

pack_into ("I", buff, PlazaVersion_offset, PlazaVersion )
pack_into ("I", buff, PlazaVersion_offset + 4, dwNum )

MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE  #PlazaVersion 和 dwNum
a2u (buff, MachineID, MachineID_offset  )
if wSubCmdID == LOGON_BY_GAME_ID:
    pack_into ("I", buff, MachineID_offset + 0x42, GameID )
    a2u (buff, PassWord, MachineID_offset + 0x42 + 4 )
if wSubCmdID == LOGON_BY_ACCOUNTS:
    a2u (buff, PassWord, MachineID_offset + 0x42 )
    a2u (buff, Accounts, MachineID_offset  + 0x42 + 0x42 )
    pack_into ("B", buff, MachineID_offset + 0x42 + 0x42 + 0x40, cbNeeValidateMBCard )

wDataSize = wPacketSize - 4 #前面把m_dwSendXorKey 也算上了
'''
i = 0
while i < wDataSize:
    print hex(i),
    print hex(ord(buff[i]))

    i += 1
exit()
'''

EncryptBuffer(buff, wDataSize)

SendLogonPacket(ADDR,SENDBUFF) #accounts登录时返回数据大小 257 用户名密码机器码正确, 12机器码更换   68用户密码错误 78机器码不正确

标签:python

收藏

0人收藏

支持

0

反对

0

发表评论