drcoms / drcom-HC5661-1s-patch

Dr.COM/DrCOM HC5661 patch

Client v3.74 (u60) cannot log in. #3

Open rqzh opened 9 years ago

rqzh commented 9 years ago

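Login client screen: 1. Server IP screen (no permission for web login): 2.

The router is used as a switch; I connect through a wireless NIC to the Wi-Fi broadcast by the router and authenticate with the company's client. The upstream line is plugged into the router's LAN port, and the WAN port is left empty. The router is set to a static IP, the same IP as this machine, and the client logs in normally.

The static IP settings for the local NIC and the router are as follows: IP address: 172.29.228.99; subnet mask: 255.255.255.0; gateway: 172.29.228.1; DNS servers: 8.8.8.8, 114.114.114.114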

Previously the output in CMD kept scrolling without stopping; this time when I tried again it stopped on its own. Debug output during login:

    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 0202ccabe3fa3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 0202ccabe3fa3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 4d15
    [login] packet sent.
    [challenge] recv 05000005150000000000000000000000000000000000
    [DEBUG] challenge: 05000005150000000000000000000000000000000000
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 322, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 312, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 252, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 61, in challenge
        raise ChallengeException
    __main__.ChallengeException

rqzh commented 9 years ago

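Packet capture procedure: disabled every NIC except the wireless one, started the capture software, opened the client and logged in; after it logged in successfully and minimized itself, opened Baidu, then Taobao, closed the pages, logged out of the client, and stopped the capture software.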

rqzh commented 9 years ago

http://pan.baidu.com/s/1CPuEi Capture file, download from the network drive.

ly0 commented 9 years ago

I compared them: 0301001e94f37ae76cf2451ef3ba9fbb5e930cbe7a627a7a3939333534300000000000000000000000000000000000000000000000000000 0c01

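Try changing lines 206-207 of drcom-generic-debug-u62.py

    data += '\x20' #fixed unknow 1
    data += '\x02' #unknow 2

to

    data += '\x0c' #fixed unknow 1
    data += '\x01' #unknow 2

and see?

P.S. According to a note by the jdrcom author in _drcom2011.lua, this 01/02 is the MAC authentication mode. It seems \x01 means MAC authentication is disabled and \x02 means MAC-IP authentication; noting it here.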

rqzh commented 9 years ago

OK, I'll close the client and give it a try.

rqzh commented 9 years ago

A new error message appeared:

    C:\Users\RenZhen>E:\TDDOWNLOAD\drcom-generic-debug-u62.py
    auth svr:192.168.4.35 username:zbzz993540 mac:0x844bf55ee9ddL
    [challenge] recv 02021ab875fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 02021ab875fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 4d15
    [login] packet sent.
    [challenge] recv 05000005150000000000000000000000000000000000
    [DEBUG] challenge: 05000005150000000000000000000000000000000000
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 322, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 312, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 252, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 61, in challenge
        raise ChallengeException
    __main__.ChallengeException

ly0 commented 9 years ago

My mistake. On top of that change, also change line 233

    data += '\x0a\x00' # for u64, \x1a\x00

to

    data += '\x09\x00' # for u64, \x1a\x00

and try again.

rqzh commented 9 years ago

After also modifying line 233:

    C:\Users\RenZhen>E:\TDDOWNLOAD\drcom-generic-debug-u62.py
    auth svr:192.168.4.35 username:zbzz993540 mac:0x844bf55ee9ddL
    [challenge] recv 0202debdacfb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 0202debdacfb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 4d15
    [login] packet sent.
    [challenge] recv 05000005150000000000000000000000000000000000
    [DEBUG] challenge: 05000005150000000000000000000000000000000000
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 321, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 311, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 251, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 60, in challenge
        raise ChallengeException
    __main__.ChallengeException

    C:\Users\RenZhen>

ly0 commented 9 years ago

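I really can't see where the problem is... Try changing the MAC to 0x000000000000...

The 4d15 response is probably some kind of notice that you are logging in too quickly, maybe.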

rqzh commented 9 years ago

    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 321, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 311, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 251, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 60, in challenge
        raise ChallengeException
    __main__.ChallengeException

    C:\Users\RenZhen>

After changing the MAC, the last part changed.

ly0 commented 9 years ago

Huh? Is there no other error output?

rqzh commented 9 years ago

Yes, there is.

    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 0202d9bfc3fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 0202d9bfc3fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 4d15
    [DEBUG] challenge: 4d15
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 321, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 311, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 251, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 60, in challenge
        raise ChallengeException
    __main__.ChallengeException

ly0 commented 9 years ago

On top of the above, try changing line 238

    data += dump(mac)

to

    data += '\x00'*6

rqzh commented 9 years ago

With the MAC set to 0x844bf55ee9dd, the error output is:

    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 0202dac0d0fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 0202dac0d0fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 4d15
    [DEBUG] challenge: 4d15
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 321, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 311, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 251, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 60, in challenge
        raise ChallengeException
    __main__.ChallengeException

    C:\Users\RenZhen>

rqzh commented 9 years ago

After modifying line 238:

    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 020248c1d6fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [DEBUG] challenge: 020248c1d6fb3f0000000100d003e8f000000000ac1de463f000a8a400003aae6f3c00000000d8020000
    [challenge] challenge packet sent.
    [login] recv 05000005150000000000000000000000000000000000
    [login] packet sent.
    [challenge] recv 4d15
    [DEBUG] challenge: 4d15
    Traceback (most recent call last):
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 321, in <module>
        main()
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 311, in main
        package_tail = login(username, password, server)
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 251, in login
        salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
      File "E:\TDDOWNLOAD\drcom-generic-debug-u62.py", line 60, in challenge
        raise ChallengeException
    __main__.ChallengeException

    C:\Users\RenZhen>

ly0 commented 9 years ago

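This is a tough one... All my Dr.COM materials are at school; I'll take a look when I'm back at school after term starts. I compared them and there should be no problem; I really don't know where the problem lies. I'll record it here for now.

Official client packet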
0301001e
a3b4454e73aec02a08cdb598e70a1994
7a627a7a3939333534300000000000000000000000000000000000000000000000000000
0c01
27ffb0109a73
ab1800c0645f036768d95c1cd56fc8b8
01
ac1de463
00000000
00000000
00000000
34f9476c982b13c6010000000052656e5a68656e2d504300000000000000000000000000000000000000000000
08080808
00000000
72727272
0000000000000000
94000000
06000000
01000000
b11d0000
02000000
53657276696365205061636b2031000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0900020c
c0c1a4ce
0000
000000000000
00000581

Packet generated by the script
0301001e
afb80df95f0fe3033c53a2b7d279d13a
7a627a7a3939333534300000000000000000000000000000000000000000000000000000
0c01
2bf3f8a7b6d2
23a53a921f1c1a42e23ece4b9d801f78
01
ac1de463
00000000
00000000
00000000
454e1e4c370636f1010000000052454e5a48454e00000000000000000000000000000000000000000000000000
08080808
00000000
00000000
0000000000000000
94000000
05000000
01000000
280a0000
02000000
3830383944000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0900020c
b0e98b9b
0000
000000000000
0000e913
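
The field-by-field comparison above can be automated. This is an added example, not part of the original thread or of drcom-generic-debug-u62.py: it reads two listings in the same one-hex-field-per-line form and reports which fields differ and how. The sample listings and the labels `length`, `zeroed`, `text` and `binary` are constructed for illustration.

```python
import string

# Printable ASCII without control whitespace, as a set of byte values.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Constructed sample listings (not the packets from this thread).
REFERENCE = """
0301000a
11223344
616c696365000000
0c01
c0a80001
0a0a0a0a
486f73742d504300
0900
aabbccddeeff
"""
CANDIDATE = """
0301000a
55667788
616c696365000000
0c01
c0a80001
00000000
484f535400000000
0900
aabbccdd
"""

def parse_listing(text):
    """One hex-encoded field per non-empty line."""
    return [bytes.fromhex(line.strip()) for line in text.splitlines() if line.strip()]

def ascii_hint(field):
    """Return the text of a NUL-padded printable field, else None."""
    body = field.rstrip(b"\x00")
    if len(body) >= 4 and all(b in PRINTABLE for b in body):
        return body.decode("ascii")
    return None

def diff_fields(reference, candidate):
    """Compare two captures field by field and classify each difference."""
    findings = []
    for i, (ref, cand) in enumerate(zip(reference, candidate)):
        if ref == cand:
            continue
        if len(ref) != len(cand):
            kind = "length"    # a short field shifts every later offset
        elif not any(ref) or not any(cand):
            kind = "zeroed"    # one side sends all zeros here
        elif ascii_hint(ref) or ascii_hint(cand):
            kind = "text"      # readable strings differ
        else:
            kind = "binary"    # opaque bytes, possibly a per-session value
        findings.append((i, kind, ascii_hint(ref) or ref.hex(), ascii_hint(cand) or cand.hex()))
    if len(reference) != len(candidate):
        findings.append((min(len(reference), len(candidate)), "field-count", len(reference), len(candidate)))
    return findings

if __name__ == "__main__":
    for finding in diff_fields(parse_listing(REFERENCE), parse_listing(CANDIDATE)):
        print(finding)
```
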

rqzh commented 9 years ago

http://pan.baidu.com/s/1i3HuMAL 5.20 packet capture

rqzh commented 9 years ago

http://pan.baidu.com/s/1pJr0fwR