下面是内存溢出 jb51.cc 通过网络收集整理的代码片段。
内存溢出小编现在分享给大家,也给大家做个参考。
#!/usr/bin/env python# enCoding:utf-8 from socket import *from ctypes import create_string_bufferfrom struct import *import sysconfigimport randomfrom ctypes.wintypes import BYTEfrom msilib import datasizemaskfrom _ctypes import sizeoffrom random import randintfrom time import sleep CODEC = 'utf-8' global RECVBUFSIZglobal m_wRecvSizeglobal m_cbSendRound #发送字节映射global m_cbRecvRound #接收字节映射global m_DWSendXorKey #发送密钥global m_DWRecvXorKey #接收密钥 m_cbSendRound = 0m_cbRecvRound = 0 RECVBUFSIZ = 16384m_wRecvSize = 0m_cbSendRound = 0 #发送字节映射m_cbRecvRound = 0 #接收字节映射m_DWSendXorKey = 0 #发送密钥m_DWRecvXorKey = 0 #接收密钥 def SendlogonPacket(ADDR,SENDBUFF): global RECVBUFSIZ cs = socket(AF_INET,SOCK_STREAM) cs.connect(ADDR) cs.send(SENDBUFF) lennum = len( cs.recv(RECVBUFSIZ)) cs.close() return lennum def md5(str1): import hashlib m = hashlib.md5() m.update(str1) str1 = m.hexdigest() return str1.upper()def a2u(buff1,str1,start): i=0 for letter in str1: pack_into("B",buff1,start+i,ord(letter)) i += 2def MapSendByte (byte): global m_cbSendRound index = byte + m_cbSendRound b = g_SendByteMap[index % 0x100] m_cbSendRound += 3 return bdef MapRecvByte (byte): global m_cbRecvRound b = g_RecvByteMap[byte] - m_cbRecvRound b = b % 0x100 m_cbRecvRound += 3 return bdef SeedRandMap(wSeed): num = int(wSeed) num = ( num * 241103 + 2533101 ) >> 16 return ((num | int(0xFFFF0000)) -0xFFFF0000) #返回一个WORD类型 def CrevasseBuffer(buff,wDataSize): global DWXorKey global m_DWSendXorKey global m_DWRecvXorKey i = 0 while i < wDataSize: print hex(ord (buff[i])),i += 1 DWXorKey = m_DWRecvXorKey if (((wDataSize -4) % 4 ) != 0): print "recv data error" exit() wEncrypCount = (wDataSize - 4) /4 #解密数据 i = 0 j = 4 #排除cmd_info,从CMD_Command起 k = 4 while i < (wEncrypCount): wSeed = (unpack_from("H",buff,k)[0]) k += 2 DWXorKey = SeedRandMap(wSeed) DWXorKey |= int( SeedRandMap(unpack_from ("H",k)[0]) ) << 16 k += 2 DWXorKey ^= g_DWPacketKey n = unpack_from( "I",j)[0] n ^= m_DWRecvXorKey pack_into("I",j,n) j += 4 m_DWRecvXorKey = DWXorKey i += 1 i = 4 cbCheckCode = unpack_from('B',1)[0] while i < wDataSize: pack_into ("B",i,MapRecvByte ( ord ( buff[i] ) ) ) cbCheckCode += ord(buff[i]) cbCheckCode = cbCheckCode % 0x100 i += 1 if cbCheckCode != 0: print "" print 'cb',cbCheckCode i = 0 while i < wDataSize: print hex(ord(buff[i])),i += 1 return wDataSize def EncryptBuffer(buff,wDataSize): global DWXorKey global m_DWSendXorKey global m_DWRecvXorKey global SENDBUFF global m_DWSendPacketCount wEncryptSize = wDataSize - 4 #排除cmd_info4字节头不加密 wSnapCount=0 if ((wEncryptSize % 4) != 0): #待加密数据对齐粒度 4字节 wSnapCount = 4 - ( wEncryptSize % 4 ) #不足4字节补-0 n = 0 t = wSnapCount while n < t: pack_into("B",4 + wEncryptSize + n,0x0) t += 1 cbCheckCode = 0 #务必置0 i = 4 #起始位置,排除CMD_INFO逐字节与发送映射表替换,并计算出校验和 while i < wDataSize: #print hex(ord(buff[i])) cbCheckCode += ord(buff[i]) #print cbCheckCode cbCheckCode = cbCheckCode % 0x100 #print cbCheckCode t = MapSendByte(ord(buff[i])) #print t pack_into("B",t) i += 1 #填写计算出的校验码 pack_into ("B",1,( ~cbCheckCode + 1) % 0x100) DWXorKey = m_DWSendXorKey if ( m_DWSendPacketCount == 0 ): DWXorKey = random.randint(0x11111111,0xeeeeeeee) #生成随机密钥 DWXorKey = g_DWPacketKey m_DWSendXorKey = DWXorKey m_DWRecvXorKey = DWXorKey #加密数据 i = 0 j = 4 #排除cmd_info,从CMD_Command起 k = 4 while i < ((wEncryptSize + wSnapCount) / 4): n = (unpack_from("I",j)[0]) n ^= DWXorKey pack_into("I",n) j += 4 #逐4字节异或加密数据 DWXorKey = SeedRandMap ( unpack_from ( "H",k )[0]) #用加密后的数据加密生成新的密钥 k += 2 DWXorKey |= int( SeedRandMap( unpack_from ("H",k)[0])) << 16 # k += 2 DWXorKey ^= g_DWPacketKey i += 1 if (m_DWSendPacketCount == 0): i = 0 while i < 8: pack_into("B",SENDBUFF,ord ( buff[i] ) ) #前八个字节相同 i += 1 pack_into ( "I",8,m_DWSendXorKey ) #插入异或密钥key PacketSize = wDataSize + 4 #因为插入了4B的密钥 pack_into("H",2,PacketSize) j = 8 while j < wDataSize: pack_into("B",j+4,ord( buff[j] ) ) j += 1 pack_into("H",wDataSize + 4) #m_DWSendPacketCount += 1 #m_DWSendXorKey = DWXorKey #"网络数据定义"SOCKET_VER = 0x05 #"#网络版本" IDa_pro 逆向找到EncryptBuffer函数后可以确定此值SOCKET_BUFFER = 8192 #"#网络缓冲"CMD_head_SIZE = 4DWORD_SIZE= 4WORD_SIZE = 2BYTE_SIZE = 1SOCKET_PACKET = ( SOCKET_BUFFER - CMD_head_SIZE - 2 * DWORD_SIZE )g_DWPacketKey = 0xA55AA55A #"加密密钥" #从WHSocket.dll获取 #"发送映射" #从WHSocket.dll获取g_SendByteMap = (0x70,0x2F,0x40,0x5F,0x44,0x8E,0x6E,0x45,0x7E,0xAB,0x2C,0x1F,0xB4,0xAC,0x9D,0x91,0x0D,0x36,0x9B,0x0B,0xD4,0xC4,0x39,0x74,0xBF,0x23,0x16,0x14,0x06,0xEB,0x04,0x3E,0x12,0x5C,0x8B,0xBC,0x61,0x63,0xF6,0xA5,0xE1,0x65,0xD8,0xF5,0x5A,0x07,0xF0,0x13,0xF2,0x20,0x6B,0x4A,0x24,0x59,0x89,0x64,0xD7,0x42,0x6A,0x5E,0x3D,0x0A,0x77,0xE0,0x80,0x27,0xB8,0xC5,0x8C,0x0E,0xFA,0x8A,0xD5,0x29,0x56,0x57,0x6C,0x53,0x67,0x41,0xE8,0x00,0x1A,0xCE,0x86,0x83,0xB0,0x22,0x28,0x4D,0x3F,0x26,0x46,0x4F,0x6F,0x2B,0x72,0x3A,0xF1,0x8D,0x97,0x95,0x49,0x84,0xE5,0xE3,0x79,0x8F,0x51,0x10,0xA8,0x82,0xC6,0xDD,0xFF,0xFC,0xE4,0xCF,0xB3,0x09,0x5D,0xEA,0x9C,0x34,0xF9,0x17,0x9F,0xDA,0x87,0xF8,0x15,0x05,0x3C,0xD3,0xA4,0x85,0x2E,0xFB,0xEE,0x47,0x3B,0xEF,0x37,0x7F,0x93,0xAF,0x69,0x0C,0x71,0x31,0xDE,0x21,0x75,0xA0,0xAA,0xBA,0x7C,0x38,0x02,0xB7,0x81,0x01,0xFD,0xE7,0x1D,0xCC,0xCD,0xBD,0x1B,0x7A,0x2A,0xAD,0x66,0xBE,0x55,0x33,0x03,0xDB,0x88,0xB2,0x1E,0x4E,0xB9,0xE6,0xC2,0xF7,0xCB,0x7D,0xC9,0x62,0xC3,0xA6,0xDC,0xA7,0x50,0xB5,0x4B,0x94,0xC0,0x92,0x4C,0x11,0x5B,0x78,0xD9,0xB1,0xED,0x19,0xE9,0xA1,0x1C,0xB6,0x32,0x99,0xA3,0x76,0x9E,0x7B,0x6D,0x9A,0x30,0xD6,0xA9,0x25,0xC7,0xAE,0x96,0x35,0xD0,0xBB,0xD2,0xC8,0xA2,0x08,0xF3,0xD1,0x73,0xF4,0x48,0x2D,0x90,0xCA,0xE2,0x58,0xC1,0x18,0x52,0xFE,0xDF,0x68,0x98,0x54,0xEC,0x60,0x43,0x0F)############################################################################################# HOST = "192.168.1.108"PORT = 8300ADDR = (HOST,PORT)m_cblogonMode = 0xBlogoN_BY_GAME_ID = 0xBlogoN_BY_ACCOUNTS = 0xCMachineID = md5 (str(random.randint(0x11111111,0xeeeeeeee)))PassWord = md5('123456')if m_cblogonMode == logoN_BY_ACCOUNTS: WPACKETSIZE = 0x100 #发送登录数据包的总大小,抓包可获取 Accounts = 'youruser' #0x42B 登录账号if m_cblogonMode == logoN_BY_GAME_ID: WPACKETSIZE = 0xC4 GameID = 7990986 '''-----------------Packet_struct--------------------------------------------'''#############CMD_head####################CMD_InfocbVersion = SOCKET_VER #1B 数据类型cbCheckCode = 0x00 #1B 校验字段 发送数据的所有字节相加wPacketSize = WPACKETSIZE #2B 数据大小 发送登录数据包的总大小,抓包可获取#CMD_CommandwMainCmdID = 0x000B #2B 主命令码 源码结合逆向分析出各个命令码意义wSubCmdID = m_cblogonMode #2B 子命令码#############CMD_head####################CMD_GP_logonAccountsPlazaVersion = 0x06090302 #4B 广场版本 逆向找到 DWNum = 0x0100007F # MachineID = MachineID #0x44B 机器序列PassWord = PassWord #0x44B 登录密码cbNeeValIDateMBCard = 0x00 #密保校验'''-----------------Packet_struct--------------------------------------------''' global SENDBUFFSENDBUFF = create_string_buffer(wPacketSize)buff = create_string_buffer(wPacketSize) pack_into ( "B",cbVersion ) #固定值pack_into ( "B",cbCheckCode ) #校验码计算正确即可pack_into ( "H",wPacketSize ) #固定值pack_into ( "HH",4,wMainCmdID,wSubCmdID ) #不同登录类型不同固定值 CMD_GP_logonAccounts_Size = wPacketSize - 4 - 4 - 4 #cmd_info 、cmd_command 、m_DWSendXorKeyPlazaVersion_offset = 8 pack_into ("I",PlazaVersion_offset,PlazaVersion )pack_into ("I",PlazaVersion_offset + 4,DWNum ) MachineID_offset = PlazaVersion_offset + DWORD_SIZE + DWORD_SIZE #PlazaVersion 和 DWNuma2u (buff,MachineID,MachineID_offset )if wSubCmdID == logoN_BY_GAME_ID: pack_into ("I",MachineID_offset + 0x42,GameID ) a2u (buff,PassWord,MachineID_offset + 0x42 + 4 )if wSubCmdID == logoN_BY_ACCOUNTS: a2u (buff,MachineID_offset + 0x42 ) a2u (buff,Accounts,MachineID_offset + 0x42 + 0x42 ) pack_into ("B",MachineID_offset + 0x42 + 0x42 + 0x40,cbNeeValIDateMBCard ) wDataSize = wPacketSize - 4 #前面把m_DWSendXorKey 也算上了'''i = 0while i < wDataSize: print hex(i),print hex(ord(buff[i])) i += 1exit()''' EncryptBuffer(buff,wDataSize) SendlogonPacket(ADDR,SENDBUFF) #accounts登录时返回数据大小 257 用户名密码机器码正确, 12机器码更换 68用户密码错误 78机器码不正确 以上是内存溢出(jb51.cc)为你收集整理的全部代码内容,希望文章能够帮你解决所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
总结以上是内存溢出为你收集整理的模拟登录封包python实现全部内容,希望文章能够帮你解决模拟登录封包python实现所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)