110,534
社区成员
发帖
与我相关
我的任务
分享世纪天成破解全自动登录破解(分享)
个人工作需求,分享出来供大家参考。
主要是HTTP协议的一些分析,实现的是模仿人工操作登录平台然后进行相应的操作。注:验证码还需手动输入。
一直挺崇拜那些做抢票软件的大神,由于工作原因自己也解除了这方面的一些东西,就开始自己钻研,已可以实现所有主流平台的自动化操作,个人觉得核心内容还是对HTTP协议的分析。
以下拿世纪天成的破解做一个事例讲解。
本次事例是世纪天成本月8号更新的最新版本。新版本很蛋疼的一点是协议使用了RSA算法进行了加密,让我破解中途有点小波折,不过还是花了两个小时时间破解成功。
开始正题;
破解地址世纪天成官网:http://passport.tiancity.com/login/login.aspx
以上请求会反馈一个json如下:
jsonp1381460129001({"R":"0"})
R:0代表不需要验证码。
R:1代表需要验证码。
验证码获取地址:
以上请求会获取到一张验证码图片。
开始登录请求:
请求地址:
如上请求会返回以下内容:
参数说明:
code 为反回码;
mt 空无说明;
pk 密钥;
pm 公钥;
rsa 是否需要加密;
登录请求地址:
以上请求会得到以下结果:
到此即登录完成保留cookie即可做相应的任何操作。
主要是HTTP协议的一些分析,实现的是模仿人工操作登录平台然后进行相应的操作。注:验证码还需手动输入。
一直挺崇拜那些做抢票软件的大神,由于工作原因自己也解除了这方面的一些东西,就开始自己钻研,已可以实现所有主流平台的自动化操作,个人觉得核心内容还是对HTTP协议的分析。
以下拿世纪天成的破解做一个事例讲解。
本次事例是世纪天成本月8号更新的最新版本。新版本很蛋疼的一点是协议使用了RSA算法进行了加密,让我破解中途有点小波折,不过还是花了两个小时时间破解成功。
开始正题;
破解地址世纪天成官网:http://passport.tiancity.com/login/login.aspx
1:先请求一下官网
string refer = "http://passport.tiancity.com/login/login.aspx";
string html = RequestPage(refer, "GET", string.Empty, string.Empty, cookie);
验证是否需要验证码:
string url = "http://captcha.tiancity.com/CheckSwitch.ashx?jsoncallback=jsonp1404802761412&fid=104&uid=" + 用户名;
html = RequestPage(url, "GET", ”“, "utf-8", cookie, ”http://passport.tiancity.com/login/login.aspx“);
参数说明:
回调地址:string refer = "http://passport.tiancity.com/login/login.aspx";
请求方式:GET;
编码:UTF-8
以上请求会反馈一个json如下:
jsonp1381460129001({"R":"0"})
R:0代表不需要验证码。
R:1代表需要验证码。
验证码获取地址:
url = string.Format("http://captcha.tiancity.com/client.ashx?fid=104&code=1&uid={0}&tid=4a297921b4f0c659e7e7f108d7962abb&rnd={1}", 用户名, rnd,);
RequestImage(url, ”http://passport.tiancity.com/login/login.aspx“, out image, cookie);
参数说明:
rnd为随机数,生成方式如下。
string rnd = (new Random().NextDouble() * 99999).ToString();
回调地址:string refer = "http://passport.tiancity.com/login/login.aspx";
以上请求会获取到一张验证码图片。
开始登录请求:
请求地址:
string lastAddress = string.Empty;
string Url = "https://passport.tiancity.com/handler/GetMatrix.ashx?jsoncallback=jsonp1404959492357&id=" + 用户名;
string html = RequestPage(Url, "GET", string.Empty, "utf-8", ck, "http://passport.tiancity.com/login/login.aspx", out lastAddress);
如上请求会返回以下内容:
jsonp1404876136440({code:199,mt:"",pk:"CAAA375F893C9ED5B396C40D4618D6C8E75ACF7E58B65EF337C3D3F37E5E51EAF1E2C19AE39A74401C5510EAC2F9C435B4DD1FEB797B71B3088F45FF132418C14652F2F30DC7421B140460C9AEB9A36898D16A52B8563CAFEE7AFDEF5297DC8B714FEB4F95581B902DD87B3B87256AADED94ACA3317EC2481866986AEC3F1753",pm:"010001",rsa:"True"})
参数说明:
code 为反回码;
mt 空无说明;
pk 密钥;
pm 公钥;
rsa 是否需要加密;
登录请求地址:
Url = "https://passport.tiancity.com/Login.ashx?jsoncallback=jsonp1404802761413&FCQ={0}&cp={1}&st=&fl=";
参数说明:
此处就是让我十分蛋疼的地方。
fcq : ( 账号+密码+&mt=<=0)拼接成的字符串通过rsa加密后得到的加密字符串。加密方式见后面
cp:(验证码结果+GUID) GUID即为获取验证码时候的tid ,两者要保持一致。
st: 空
fl: 空
以上请求会得到以下结果:
jsonp1381460129003({code:1,id:"账号",url:""})
code:1为登录成功;
code:4&2为验证码或密码错误;
到此即登录完成保留cookie即可做相应的任何操作。
...全文
请发表友善的回复…
发表回复
threenewbee 2014-08-15
- 打赏
- 举报
感谢lz分享,能把这些混淆压缩过的js看明白的确挺不容易的。
泡泡龙 2014-08-15
- 打赏
- 举报
http://javascriptdotnet.codeplex.com/
http://jint.codeplex.com/
http://clearscript.codeplex.com/ (这个看上去很不错)
http://stackoverflow.com/questions/172753/embedding-javascript-engine-into-net[/quote]
谢谢
threenewbee 2014-08-15
- 打赏
- 举报
http://javascriptdotnet.codeplex.com/
http://jint.codeplex.com/
http://clearscript.codeplex.com/ (这个看上去很不错)
http://stackoverflow.com/questions/172753/embedding-javascript-engine-into-net
泡泡龙 2014-08-15
- 打赏
- 举报
C# 如何调用js里面的函数呢?有没有示例?
梁山草寇 2014-07-10
- 打赏
- 举报
function biCompare(x, y) { if (x.isNeg != y.isNeg) { return 1 - 2 * Number(x.isNeg) } for (var i = x.digits.length - 1; i >= 0; --i) { if (x.digits[i] != y.digits[i]) { if (x.isNeg) { return 1 - 2 * Number(x.digits[i] > y.digits[i]) } else { return 1 - 2 * Number(x.digits[i] < y.digits[i]) } } } return 0 } function biDivideModulo(x, y) { var nb = biNumBits(x); var tb = biNumBits(y); var origYIsNeg = y.isNeg; var q, r; if (nb < tb) { if (x.isNeg) { q = biCopy(bigOne); q.isNeg = !y.isNeg; x.isNeg = false; y.isNeg = false; r = biSubtract(y, x); x.isNeg = true; y.isNeg = origYIsNeg } else { q = new BigInt(); r = biCopy(x) } return new Array(q, r) } q = new BigInt(); r = x; var t = Math.ceil(tb / bitsPerDigit) - 1; var lambda = 0; while (y.digits[t] < biHalfRadix) { y = biShiftLeft(y, 1); ++lambda; ++tb; t = Math.ceil(tb / bitsPerDigit) - 1 } r = biShiftLeft(r, lambda); nb += lambda; var n = Math.ceil(nb / bitsPerDigit) - 1; var b = biMultiplyByRadixPower(y, n - t); while (biCompare(r, b) != -1) { ++q.digits[n - t]; r = biSubtract(r, b) } for (var i = n; i > t; --i) { var ri = (i >= r.digits.length) ? 0 : r.digits[i]; var ri1 = (i - 1 >= r.digits.length) ? 0 : r.digits[i - 1]; var ri2 = (i - 2 >= r.digits.length) ? 0 : r.digits[i - 2]; var yt = (t >= y.digits.length) ? 0 : y.digits[t]; var yt1 = (t - 1 >= y.digits.length) ? 0 : y.digits[t - 1]; if (ri == yt) { q.digits[i - t - 1] = maxDigitVal } else { q.digits[i - t - 1] = Math.floor((ri * biRadix + ri1) / yt) } var c1 = q.digits[i - t - 1] * ((yt * biRadix) + yt1); var c2 = (ri * biRadixSquared) + ((ri1 * biRadix) + ri2); while (c1 > c2) { --q.digits[i - t - 1]; c1 = q.digits[i - t - 1] * ((yt * biRadix) | yt1); c2 = (ri * biRadix * biRadix) + ((ri1 * biRadix) + ri2) } b = biMultiplyByRadixPower(y, i - t - 1); r = biSubtract(r, biMultiplyDigit(b, q.digits[i - t - 1])); if (r.isNeg) { r = biAdd(r, b); --q.digits[i - t - 1] } } r = biShiftRight(r, lambda); q.isNeg = x.isNeg != origYIsNeg; if (x.isNeg) { if (origYIsNeg) { q = biAdd(q, bigOne) } else { q = biSubtract(q, bigOne) } y = biShiftRight(y, lambda); r = biSubtract(y, r) } if (r.digits[0] == 0 && biHighIndex(r) == 0) r.isNeg = false; return new Array(q, r) } function biDivide(x, y) { return biDivideModulo(x, y)[0] } function biModulo(x, y) { return biDivideModulo(x, y)[1] } function biMultiplyMod(x, y, m) { return biModulo(biMultiply(x, y), m) } function biPow(x, y) { var result = bigOne; var a = x; while (true) { if ((y & 1) != 0) result = biMultiply(result, a); y >>= 1; if (y == 0) break; a = biMultiply(a, a) } return result } function biPowMod(x, y, m) { var result = bigOne; var a = x; var k = y; while (true) { if ((k.digits[0] & 1) != 0) result = biMultiplyMod(result, a, m); k = biShiftRight(k, 1); if (k.digits[0] == 0 && biHighIndex(k) == 0) break; a = biMultiplyMod(a, a, m) } return result } function RSAKeyPair(encryptionExponent, decryptionExponent, modulus) { this.e = biFromHex(encryptionExponent); this.d = biFromHex(decryptionExponent); this.m = biFromHex(modulus); this.digitSize = 2 * biHighIndex(this.m) + 2; this.chunkSize = this.digitSize - 11; this.radix = 16; this.barrett = new BarrettMu(this.m) } function twoDigit(n) { return (n < 10 ? "0" : "") + String(n) } function encryptedString(key, s) { if (key.chunkSize > key.digitSize - 11) { return "Error" } var a = new Array(); var sl = s.length; var i = 0; while (i < sl) { a[i] = s.charCodeAt(i); i++ } var al = a.length; var result = ""; var j, k, block; for (i = 0; i < al; i += key.chunkSize) { block = new BigInt(); j = 0; var x; var msgLength = (i + key.chunkSize) > al ? al % key.chunkSize : key.chunkSize; var b = new Array(); for (x = 0; x < msgLength; x++) { b[x] = a[i + msgLength - 1 - x] } b[msgLength] = 0; var paddedSize = Math.max(8, key.digitSize - 3 - msgLength); for (x = 0; x < paddedSize; x++) { b[msgLength + 1 + x] = Math.floor(Math.random() * 254) + 1 } b[key.digitSize - 2] = 2; b[key.digitSize - 1] = 0; for (k = 0; k < key.digitSize; ++j) { block.digits[j] = b[k++]; block.digits[j] += b[k++] << 8 } var crypt = key.barrett.powMod(block, key.e); var text = key.radix == 16 ? biToHex(crypt) : biToString(crypt, key.radix); result += text + " " } return result.substring(0, result.length - 1) } function decryptedString(key, s) { var blocks = s.split(" "); var result = ""; var i, j, block; for (i = 0; i < blocks.length; ++i) { var bi; if (key.radix == 16) { bi = biFromHex(blocks[i]) } else { bi = biFromString(blocks[i], key.radix) } block = key.barrett.powMod(bi, key.d); for (j = 0; j <= biHighIndex(block); ++j) { result += String.fromCharCode(block.digits[j] & 255, block.digits[j] >> 8) } } if (result.charCodeAt(result.length - 1) == 0) { result = result.substring(0, result.length - 1) } return result } function BarrettMu(m) { this.modulus = biCopy(m); this.k = biHighIndex(this.modulus) + 1; var b2k = new BigInt(); b2k.digits[2 * this.k] = 1; this.mu = biDivide(b2k, this.modulus); this.bkplus1 = new BigInt(); this.bkplus1.digits[this.k + 1] = 1; this.modulo = BarrettMu_modulo; this.multiplyMod = BarrettMu_multiplyMod; this.powMod = BarrettMu_powMod } function BarrettMu_modulo(x) { var q1 = biDivideByRadixPower(x, this.k - 1); var q2 = biMultiply(q1, this.mu); var q3 = biDivideByRadixPower(q2, this.k + 1); var r1 = biModuloByRadixPower(x, this.k + 1); var r2term = biMultiply(q3, this.modulus); var r2 = biModuloByRadixPower(r2term, this.k + 1); var r = biSubtract(r1, r2); if (r.isNeg) { r = biAdd(r, this.bkplus1) } var rgtem = biCompare(r, this.modulus) >= 0; while (rgtem) { r = biSubtract(r, this.modulus); rgtem = biCompare(r, this.modulus) >= 0 } return r } function BarrettMu_multiplyMod(x, y) { var xy = biMultiply(x, y); return this.modulo(xy) } function BarrettMu_powMod(x, y) { var result = new BigInt(); result.digits[0] = 1; var a = x; var k = y; while (true) { if ((k.digits[0] & 1) != 0) result = this.multiplyMod(result, a); k = biShiftRight(k, 1); if (k.digits[0] == 0 && biHighIndex(k) == 0) break; a = this.multiplyMod(a, a) } return result }
[/code]
梁山草寇 2014-07-10
- 打赏
- 举报
核心:
FCQ加密串
保存以下JS文件既可,你不需要看懂他,你只需要调用他的getPw方法然后传入相应的参数即可返回你一个加工好的FCQ串。
[code=javascript]
function getPw(UserId, Password, Secret, SecretExponent, SecretKey) {
var ei = "id=" + UserId + "&pw=" + encodeURIComponent(Password) + "&mt=<=0";
if (Secret) {
setMaxDigits(129);
var key = new RSAKeyPair(SecretExponent, "", SecretKey);
var encrypted = encryptedString(key, ei);
return encrypted.toString();
} else {
return ei;
}
}
var biRadixBase = 2; var biRadixBits = 16; var bitsPerDigit = biRadixBits; var biRadix = 1 << 16; var biHalfRadix = biRadix >>> 1; var biRadixSquared = biRadix * biRadix; var maxDigitVal = biRadix - 1; var maxInteger = 9999999999999998; var maxDigits; var ZERO_ARRAY; var bigZero, bigOne; function setMaxDigits(value) { maxDigits = value; ZERO_ARRAY = new Array(maxDigits); for (var iza = 0; iza < ZERO_ARRAY.length; iza++) ZERO_ARRAY[iza] = 0; bigZero = new BigInt(); bigOne = new BigInt(); bigOne.digits[0] = 1 } setMaxDigits(20); var dpl10 = 15; var lr10 = biFromNumber(1000000000000000); function BigInt(flag) { if (typeof flag == "boolean" && flag == true) { this.digits = null } else { this.digits = ZERO_ARRAY.slice(0) } this.isNeg = false } function biFromDecimal(s) { var isNeg = s.charAt(0) == '-'; var i = isNeg ? 1 : 0; var result; while (i < s.length && s.charAt(i) == '0') ++i; if (i == s.length) { result = new BigInt() } else { var digitCount = s.length - i; var fgl = digitCount % dpl10; if (fgl == 0) fgl = dpl10; result = biFromNumber(Number(s.substr(i, fgl))); i += fgl; while (i < s.length) { result = biAdd(biMultiply(result, lr10), biFromNumber(Number(s.substr(i, dpl10)))); i += dpl10 } result.isNeg = isNeg } return result } function biCopy(bi) { var result = new BigInt(true); result.digits = bi.digits.slice(0); result.isNeg = bi.isNeg; return result } function biFromNumber(i) { var result = new BigInt(); result.isNeg = i < 0; i = Math.abs(i); var j = 0; while (i > 0) { result.digits[j++] = i & maxDigitVal; i = Math.floor(i / biRadix) } return result } function reverseStr(s) { var result = ""; for (var i = s.length - 1; i > -1; --i) { result += s.charAt(i) } return result } var hexatrigesimalToChar = new Array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'); function biToString(x, radix) { var b = new BigInt(); b.digits[0] = radix; var qr = biDivideModulo(x, b); var result = hexatrigesimalToChar[qr[1].digits[0]]; while (biCompare(qr[0], bigZero) == 1) { qr = biDivideModulo(qr[0], b); digit = qr[1].digits[0]; result += hexatrigesimalToChar[qr[1].digits[0]] } return (x.isNeg ? "-" : "") + reverseStr(result) } function biToDecimal(x) { var b = new BigInt(); b.digits[0] = 10; var qr = biDivideModulo(x, b); var result = String(qr[1].digits[0]); while (biCompare(qr[0], bigZero) == 1) { qr = biDivideModulo(qr[0], b); result += String(qr[1].digits[0]) } return (x.isNeg ? "-" : "") + reverseStr(result) } var hexToChar = new Array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'); function digitToHex(n) { var mask = 0xf; var result = ""; for (i = 0; i < 4; ++i) { result += hexToChar[n & mask]; n >>>= 4 } return reverseStr(result) } function biToHex(x) { var result = ""; var n = biHighIndex(x); for (var i = biHighIndex(x); i > -1; --i) { result += digitToHex(x.digits[i]) } return result } function charToHex(c) { var ZERO = 48; var NINE = ZERO + 9; var littleA = 97; var littleZ = littleA + 25; var bigA = 65; var bigZ = 65 + 25; var result; if (c >= ZERO && c <= NINE) { result = c - ZERO } else if (c >= bigA && c <= bigZ) { result = 10 + c - bigA } else if (c >= littleA && c <= littleZ) { result = 10 + c - littleA } else { result = 0 } return result } function hexToDigit(s) { var result = 0; var sl = Math.min(s.length, 4); for (var i = 0; i < sl; ++i) { result <<= 4; result |= charToHex(s.charCodeAt(i)) } return result } function biFromHex(s) { var result = new BigInt(); var sl = s.length; for (var i = sl, j = 0; i > 0; i -= 4, ++j) { result.digits[j] = hexToDigit(s.substr(Math.max(i - 4, 0), Math.min(i, 4))) } return result } function biFromString(s, radix) { var isNeg = s.charAt(0) == '-'; var istop = isNeg ? 1 : 0; var result = new BigInt(); var place = new BigInt(); place.digits[0] = 1; for (var i = s.length - 1; i >= istop; i--) { var c = s.charCodeAt(i); var digit = charToHex(c); var biDigit = biMultiplyDigit(place, digit); result = biAdd(result, biDigit); place = biMultiplyDigit(place, radix) } result.isNeg = isNeg; return result } function biDump(b) { return (b.isNeg ? "-" : "") + b.digits.join(" ") } function biAdd(x, y) { var result; if (x.isNeg != y.isNeg) { y.isNeg = !y.isNeg; result = biSubtract(x, y); y.isNeg = !y.isNeg } else { result = new BigInt(); var c = 0; var n; for (var i = 0; i < x.digits.length; ++i) { n = x.digits[i] + y.digits[i] + c; result.digits[i] = n % biRadix; c = Number(n >= biRadix) } result.isNeg = x.isNeg } return result } function biSubtract(x, y) { var result; if (x.isNeg != y.isNeg) { y.isNeg = !y.isNeg; result = biAdd(x, y); y.isNeg = !y.isNeg } else { result = new BigInt(); var n, c; c = 0; for (var i = 0; i < x.digits.length; ++i) { n = x.digits[i] - y.digits[i] + c; result.digits[i] = n % biRadix; if (result.digits[i] < 0) result.digits[i] += biRadix; c = 0 - Number(n < 0) } if (c == -1) { c = 0; for (var i = 0; i < x.digits.length; ++i) { n = 0 - result.digits[i] + c; result.digits[i] = n % biRadix; if (result.digits[i] < 0) result.digits[i] += biRadix; c = 0 - Number(n < 0) } result.isNeg = !x.isNeg } else { result.isNeg = x.isNeg } } return result } function biHighIndex(x) { var result = x.digits.length - 1; while (result > 0 && x.digits[result] == 0) --result; return result } function biNumBits(x) { var n = biHighIndex(x); var d = x.digits[n]; var m = (n + 1) * bitsPerDigit; var result; for (result = m; result > m - bitsPerDigit; --result) { if ((d & 0x8000) != 0) break; d <<= 1 } return result } function biMultiply(x, y) { var result = new BigInt(); var c; var n = biHighIndex(x); var t = biHighIndex(y); var u, uv, k; for (var i = 0; i <= t; ++i) { c = 0; k = i; for (j = 0; j <= n; ++j, ++k) { uv = result.digits[k] + x.digits[j] * y.digits[i] + c; result.digits[k] = uv & maxDigitVal; c = uv >>> biRadixBits } result.digits[i + n + 1] = c } result.isNeg = x.isNeg != y.isNeg; return result } function biMultiplyDigit(x, y) { var n, c, uv; result = new BigInt(); n = biHighIndex(x); c = 0; for (var j = 0; j <= n; ++j) { uv = result.digits[j] + x.digits[j] * y + c; result.digits[j] = uv & maxDigitVal; c = uv >>> biRadixBits } result.digits[1 + n] = c; return result } function arrayCopy(src, srcStart, dest, destStart, n) { var m = Math.min(srcStart + n, src.length); for (var i = srcStart, j = destStart; i < m; ++i, ++j) { dest[j] = src[i] } } var highBitMasks = new Array(0x0000, 0x8000, 0xC000, 0xE000, 0xF000, 0xF800, 0xFC00, 0xFE00, 0xFF00, 0xFF80, 0xFFC0, 0xFFE0, 0xFFF0, 0xFFF8, 0xFFFC, 0xFFFE, 0xFFFF); function biShiftLeft(x, n) { var digitCount = Math.floor(n / bitsPerDigit); var result = new BigInt(); arrayCopy(x.digits, 0, result.digits, digitCount, result.digits.length - digitCount); var bits = n % bitsPerDigit; var rightBits = bitsPerDigit - bits; for (var i = result.digits.length - 1, i1 = i - 1; i > 0; --i, --i1) { result.digits[i] = ((result.digits[i] << bits) & maxDigitVal) | ((result.digits[i1] & highBitMasks[bits]) >>> (rightBits)) } result.digits[0] = ((result.digits[i] << bits) & maxDigitVal); result.isNeg = x.isNeg; return result } var lowBitMasks = new Array(0x0000, 0x0001, 0x0003, 0x0007, 0x000F, 0x001F, 0x003F, 0x007F, 0x00FF, 0x01FF, 0x03FF, 0x07FF, 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF); function biShiftRight(x, n) { var digitCount = Math.floor(n / bitsPerDigit); var result = new BigInt(); arrayCopy(x.digits, digitCount, result.digits, 0, x.digits.length - digitCount); var bits = n % bitsPerDigit; var leftBits = bitsPerDigit - bits; for (var i = 0, i1 = i + 1; i < result.digits.length - 1; ++i, ++i1) { result.digits[i] = (result.digits[i] >>> bits) | ((result.digits[i1] & lowBitMasks[bits]) << leftBits) } result.digits[result.digits.length - 1] >>>= bits; result.isNeg = x.isNeg; return result } function biMultiplyByRadixPower(x, n) { var result = new BigInt(); arrayCopy(x.digits, 0, result.digits, n, result.digits.length - n); return result } function biDivideByRadixPower(x, n) { var result = new BigInt(); arrayCopy(x.digits, n, result.digits, 0, result.digits.length - n); return result } function biModuloByRadixPower(x, n) { var result = new BigInt(); arrayCopy(x.digits, 0, result.digits, 0, n); return result }
