If you look around the web, many people want to write bots for web games. The principle is in fact always the same: only the port differs and the protocol fields are unknown to you, and that is exactly what raises the technical bar. Let's break through those thresholds one point at a time. This time we use Python to craft packets that simulate the Flash client's login.
Take Rexue Sanguo 2 (rxsg2) as the example. What kind of game it is, look it up yourself.
Step1: Register an account at sg2.ledu.com
Skipped ...
Step2: Log into the game and analyze the capture in Wireshark
Take dual-line server 784 as the example; the game page is http://s784.sg2.ledu.com/. Web games today are usually jointly operated: the operator's own domain loads the game in an IFRAME, and the IFRAME request carries a signature agreed between the two parties. It then becomes this:
The real address is:
That address ultimately leads to the Flash object URL and its parameters:
<object type="application/x-shockwave-flash" data="http://cdn.ledu.com/rxsg2/1.13.0.9/swf/Rxsg2Runner.swf?r=1916775188" width="100%" height="100%" id="web_game" style="visibility:visible;">
<param name="flashvars" value="g_version=1.13.0.9&amp;g_swf_path=http%3a%2f%2fcdn.ledu.com%2frxsg2%2f1.13.0.9&amp;g_res_path=http%3a%2f%2fcdn.ledu.com%2frxsg2%2f1.13.0&amp;g_pass_type=ledu&amp;g_pass_port=testfoliet&amp;g_pass_token=2dfdca253759b6986807421362e05e55&amp;g_host=183.60.46.109&amp;g_port=27614&amp;g_pay_url=http%3a%2f%2fepay.ledu.com%2findex%2findex%2fgid%2f22%2fsid%2f17614&amp;g_act_url=unique&amp;g_fcm_url=http%3a%2f%2fkf.ledu.com%2ffcm%2f%3fgameid%3d0%26pid%3duuyx&amp;g_server_id=17614&amp;">
<param name="allowscriptaccess" value="always">
<param name="wmode" value="opaque">
<param name="menu" value="false">
<param name="bgcolor" value="#000000">
</object>
The first parameter, flashvars, carries the variables used for the socket communication. URL-decoding it gives:
g_version 1.13.0.9
g_swf_path
g_res_path
g_pass_type ledu
g_pass_port testfoliet
g_pass_token string (MD5)
g_host 183.60.46.109
g_port 27614
g_pay_url
g_act_url
g_fcm_url
g_server_id 17614
Packet capture
Two packets are actually sent; the second one goes over the persistent (long-lived) connection.
The first one:
The second one is the authenticated login:
From it we can read:
04 00, then 6c 65 64 75: "ledu"
in the middle, 0a 00
then 74 65 73 74 66 6f 6c 69 65 74: "testfoliet"
20 00
38 37 37 35 38 63 33 31 62 65 62 63 35 65 33 65 35 61 38 33 63 62 37 35 63 39 36 35 34 66 32 64: our 32-character hash (87758c31bebc5e3e5a83cb75c9654f2d)
08 00
31 2e 31 33 2e 30 2e 39: our version, 1.13.0.9
20 00
61 63 65 32 30 39 63 65 64 66 30 36 35 34 39 33 34 61 63 62 38 62 35 63 38 62 32 35 36 32: a second 32-character hash (the excerpt here shows 30 of its 32 bytes)
At this point the rough layout is clear: every string is preceded by 2 bytes giving its length in bytes (little-endian), for example 04 00 before "ledu", 0a 00 before "testfoliet" (10 characters), and 20 00 before each 32-character hash.
Next, read the decompiled SWF as code:
package rxsg2.common {
    import nireus.base.service.socket.*;

    public class Login {
        private static var _login_func:Function = null;
        private static var _code_transfer_loaded:Boolean = false;
        private static var _mask:String = "";

        public static function login(_arg1:Function):void {
            var succ_func:* = _arg1;
            _login_func = succ_func;
            SocketService.getInstance().registerNotify(ProcDef.USER_NOTIFY_LOGIN, onUserLogin);
            SocketService.getInstance().callProcRaw(ProcDef.SYSTEM_PROC_LOGIN, function(_arg1:NetData):void {
                _arg1.writeInt(GlobalData.server_id);
                _arg1.writeString(GlobalData.pass_type);
                _arg1.writeString(GlobalData.pass_port);
                _arg1.writeString(GlobalData.pass_token);
                _arg1.writeString(GlobalData.version);
                _arg1.writeString(Crypto.hash(((GlobalData.pass_port + GlobalData.version) + "8ij18hisl1na0ous2f") + ProcDef.PROC_SIGN));
            });
        }

        public static function onUserLogin(_arg1:NetData):void {
            var _local2:int = _arg1.readByte();
            var _local3 = !((_arg1.readByte() == 0));
            var _local4:String = _arg1.readString();
            ((_login_func) && (_login_func((_local2 > 0), _local3)));
            if (_local2 >= 0) {
                loadProcTransfer(_local4);
            };
        }

        public static function loadProcTransfer(_arg1:String):void {
            onLoadProcTransfer();
        }

        private static function onLoadProcTransfer():void {
            _code_transfer_loaded = true;
            tryEnterGame();
        }

        public static function tryEnterGame():void {
            if ((((GlobalData.allow_enter) && (GlobalData.main_loaded)) && (_code_transfer_loaded))) {
                SocketService.getInstance().callProc(ProcDef.USER_PROC_ENTER_GAME);
                sendMask();
            };
        }

        public static function setMask(_arg1:String):void {
            _mask = _arg1;
            sendMask();
        }

        private static function sendMask():void {
            if (GlobalData.login_mask.length > 0) {
                SocketService.getInstance().sendProc(ProcDef.USER_PROC_SEND_LOGIN_MASK, function(_arg1:NetData):void {
                    _arg1.writeString(GlobalData.login_mask);
                });
            };
        }
    }
}//package rxsg2.common
ProcDef.PROC_SIGN is the constant proc_sign_default. The part we had not guessed from the capture is the ServerID written at the very front: writeInt(server_id) comes before the five length-prefixed strings.
Step3: Simulating the packet send in code
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# Python 2: str is bytes here and print is a statement.
"""
Created on Wed 10:13:18 CST 2014
@author [email protected]
"""
# Flashvars
# g_version 1.13.0.9
# g_swf_path
# g_res_path
# g_pass_type ledu
# g_pass_port testfoliet
# g_pass_token String (MD5) A7E13597BE485EC3CD2741335BB81B10
# g_host 183.60.46.109
# g_port 27617
# g_pay_url
# g_act_url
# g_fcm_url
# g_server_id 16431

import os
import sys
import socket
import hashlib
import struct
import binascii

passport = "testfoliet"
version = "1.13.0.9"
hash = 'B7D6941A8E4FD04AC771F72FAD167F10'   # the single-use pass token from flashvars
ServerID = 17614
ServerIP = '183.60.46.109'
ServerPort = 27614

# Build the signature string: md5(pass_port + version + key + PROC_SIGN),
# exactly as Login.login() in the decompiled SWF does.
def GetToken(passport, version):
    Key = "8ij18hisl1na0ous2f"
    Sign = "proc_sign_default"
    return hashlib.md5(passport + version + Key + Sign).hexdigest()

# First socket: the Flash socket policy-file request on port 843 (not needed from Python)
# sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# server_address = ('183.60.46.107', 843)
# sock.connect(server_address)
# sock.send("<policy-file-request/>\0")
# print sock.recv(1024)
# sock.close()

# Login socket
sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address2 = (ServerIP, ServerPort)
sock2.connect(server_address2)
sock2.settimeout(3)

# first packet
D1 = '0000000000000000000000000000000000000000000000'
# second packet: the login
D2 = ''
D2 += '0100c800'
D2 += '00000100'
D2 += '00000000'
D2 += '00006000'
D2 += '0000' + str(hex(ServerID)[4:] + hex(ServerID)[2:4])   # server id, little-endian
D2 += '00000400'                                             # rest of the int, then len("ledu")
D2 += binascii.hexlify("ledu")
D2 += binascii.hexlify(struct.pack('<H', len(passport)))      # 2-byte little-endian length prefix
D2 += binascii.hexlify(passport)
D2 += '2000'
D2 += binascii.hexlify(hash)
D2 += '0800'
D2 += binascii.hexlify(version)
D2 += '2000'
D2 += binascii.hexlify(GetToken(passport, version))
sock2.send(binascii.unhexlify(D1))
sock2.send(binascii.unhexlify(D2))
res = ""
try:
    while True:
        buffer = sock2.recv(1460)
        if not buffer:
            break
        res += buffer
except:
    pass
print res
sock2.close()
The output:
A pass token (hash) can be used for only one socket connection, so you have to swap in a fresh hash for every test. Of course you can also combine this with my earlier Python simulated web login: request the game page with your ledu cookie, parse the HTML dynamically and pull out the pass token, so you no longer need to change the hash by hand each time.
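The same login frame again, as an added Python 3 example that is not part of the original post: it packs the fields with struct instead of hand-assembled hex strings, derives the signature from the key and proc_sign_default constants in the decompiled Login class, and parses a packet back into its fields, which is the inverse of the Wireshark reading in Step2 and catches a truncated frame or a stale or tampered signature. The 18 bytes the author's D2 sends before writeInt(server_id) are copied verbatim and treated as an opaque constant header, because the page does not decode them; send_login and its use of the 23 zero bytes from D1 as a first packet are assumptions for illustration, and the pass token in the demo is the one from the capture above, which the server will have already consumed.

```python
import hashlib
import socket
import struct

# Constants lifted from the decompiled Login class.
TOKEN_KEY = "8ij18hisl1na0ous2f"
PROC_SIGN = "proc_sign_default"

# Assumption: the 18 bytes the author's D2 sends before writeInt(server_id)
# are a fixed frame header; the page does not decode them.
LOGIN_HEADER = bytes.fromhex("0100c800" "00000100" "00000000" "00006000" "0000")


def write_string(s):
    """NetData.writeString as seen on the wire: uint16 little-endian length, then the bytes."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for a 2-byte length prefix")
    return struct.pack("<H", len(data)) + data


def compute_token(pass_port, version):
    """Crypto.hash(pass_port + version + key + PROC_SIGN); the capture shows it is MD5 hex."""
    return hashlib.md5((pass_port + version + TOKEN_KEY + PROC_SIGN).encode("utf-8")).hexdigest()


def build_login_packet(server_id, pass_type, pass_port, pass_token, version):
    """SYSTEM_PROC_LOGIN body: writeInt(server_id) followed by the five writeString calls."""
    body = struct.pack("<i", server_id)
    for field in (pass_type, pass_port, pass_token, version,
                  compute_token(pass_port, version)):
        body += write_string(field)
    return LOGIN_HEADER + body


def parse_login_packet(packet):
    """Inverse of build_login_packet: walk the length-prefixed strings back out.

    Raises on a frame cut off mid-string, and re-derives the signature so a stale
    or tampered token shows up as sign_ok == False instead of going unnoticed."""
    if not packet.startswith(LOGIN_HEADER):
        raise ValueError("unexpected header")
    off = len(LOGIN_HEADER)
    (server_id,) = struct.unpack_from("<i", packet, off)
    off += 4
    strings = []
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("dangling length byte at offset %d" % off)
        (n,) = struct.unpack_from("<H", packet, off)
        off += 2
        if off + n > len(packet):
            raise ValueError("truncated string at offset %d" % off)
        strings.append(packet[off:off + n].decode("utf-8"))
        off += n
    if len(strings) != 5:
        raise ValueError("expected 5 strings, got %d" % len(strings))
    fields = dict(zip(("pass_type", "pass_port", "pass_token", "version", "sign"), strings))
    fields["server_id"] = server_id
    fields["sign_ok"] = fields["sign"] == compute_token(fields["pass_port"], fields["version"])
    return fields


def send_login(host, port, packet, timeout=3.0):
    """Assumed helper: send the author's all-zero first packet (D1), then the login frame,
    and return whatever the server answers before it closes or the timeout fires."""
    first = bytes(23)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(first)
        sock.sendall(packet)
        chunks = []
        try:
            while True:
                chunk = sock.recv(1460)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    # Values from the flashvars and the capture on this page; a real pass_token is single-use.
    pkt = build_login_packet(17614, "ledu", "testfoliet",
                             "87758c31bebc5e3e5a83cb75c9654f2d", "1.13.0.9")
    print(pkt.hex())
    print(parse_login_packet(pkt))
```

Running the demo prints a 118-byte frame whose bytes match the author's D2 field for field (ce 44 00 00 for server 17614, then 04 00 "ledu", 0a 00 "testfoliet", and so on). Because parse_login_packet recomputes the signature, it also works as a quick sanity check when reading other users' captures: a frame whose sign field does not match the MD5 of its own pass_port and version either came from a different client version or was modified in transit.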
Writing web game bots with Python (2): login