[Repost] Full text of Steve Ballmer's internal letter to Microsoft employees on his retirement
Steve Ballmer
[Hiring] Shenzhen Aisidi (爱施德) network security team is recruiting
Beijing again...
[Repost] It is hard for a child from a poor family to rise
Marking this, will read tomorrow
[Open source & job seeking] Web remote control software
The young are formidable!!
[Download] China Telecom vulnerability, Weihai branch (reposted material)
Impressive indeed. I even received a text message saying the system has been upgraded. You're in big trouble now.... heh
[Help] A question about Apple's AirPlay protocol
[iTunes version] 11.0.4.4
[Analysis procedure] How the plaintext protocol is assembled into XML. The AirPlay download flow: log in, select the app, download.
{The plaintext protocol data below was captured from a real iTunes communication session.}

S3>productType=C&price=0&salableAdamId=392502204&pricingParameters=STDQ&appExtVrsId=3048772&origPage=Search-CN&origPageCh=Media%20Search%20Pages&origPageLocation=Tab_allResults%7CSwoosh_1%7CLockup_1%7CBuy&origPage2=Genre-CN-Mobile%20Software%20Applications-29099&origPageCh2=Mobile%20Software%20Applications-main&origPageSearch=B%7Cairplay%7C392502204(15C)Ret=(Key=%)
S3>buyParams(09)Ret=(Key=%)
S3>airplay.ch(0A)Ret=(Key=%)
S3>itemName(08)Ret=(Key=%)
S3>mz_at0(06)Ret=(Key=origin)
S3>https://init.itunes.apple.com/WebObjects/MZInit.woa/wa/signSapSetupCert(47)Ret=(Key=origin)
S3>p2-buy.itunes.apple.com(18)Ret=(Key=TRANSMITTING REQUEST)
S3>https://buy.itunes.apple.com/WebObjects/MZPlay.woa/wa/signSapSetup(42)Ret=(Key=%)
S3>balgron@gmail.com(15)Ret=(Key=appleId)    <- account
S3>fuck1Q(08)Ret=(Key=password)    <- password
S3>QJIU0YK86WW6B9N(0F)Ret=(Key=attempt)    <- device name
S3>https://p59-buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/authenticate?Pod=59&PRH=59(57)Ret=(Key=,)
S3>¥.00+0+0+0+0+0(0E)Ret=(Key=)    <- indicates a free app
S3>AwIAAAECAAGttAAAAABSAhJNtmsrY2BVkGQK6g+dEjV6U/qocvU=(34)Ret=(Key=X-Token)    <- this is probably what the OP needs?
S3>http://ax.init.itunes.apple.com./bag.xml?ix=4&dsid=1773837888&ign-bsn=2(47)Ret=(Key=TRANSMITTING REQUEST)
S3>AwIAAAECAAGttAAAAABSAhJNtmsrY2BVkGQK6g+dEjV6U/qocvU=(34)Ret=(Key=X-Token)
S3>Preferences:130(0F)Ret=(Key=%)
S3>Machine Preferences:200(17)Ret=(Key=%s)
S3>Pairing Preferences:301(17)Ret=(Key=%s)
S3>Touch Remote Preferences:400(1C)Ret=(Key=%s)
S3>mz_at0(06)Ret=(Key=,)
S3>https://upp.itunes.apple.com/WebObjects/MZBookkeeper.woa/wa/getAll(42)Ret=(Key=,)
S3>https://p59-buy.itunes.apple.com/WebObjects/MZBuy.woa/wa/buyProduct(43)Ret=(Key=,)
S3>¥.00+0+0+0+0+0(0E)Ret=(Key=)
S3>https://securemetrics.apple.com/b/ss/applesuperglobal/1/G.6--NS?cc=CNY&pccr=true&c22=XML&products=%3B1F1%3B1%3B0.00&ch=Purchase&c15=Search-CN&c16=Media%20Search%20Pages&cl=15778463&c19=B%7Cairplay%7C392502204&h5=appleitmswww%2Cappleitmscn&c27=Mobile%20Software%20Applications-main&pageName=Buy&v15=Search-CN&v22=XML&v26=Genre-CN-Mobile%20Software%20Applications-29099&v27=Mobile%20Software%20Applications-main&events=purchase&c26=Genre-CN-Mobile%20Software%20Applications-29099&v16=Media%20Search%20Pages&purchaseID=99001635738929&v19=B%7Cairplay%7C392502204(22E)Ret=(Key=,)
S3>download.app(0C)Ret=(Key=none)    <- .... downloading
S3>https://p59-buy.itunes.apple.com/WebObjects/MZFastFinance.woa/wa/songDownloadDone?songId=392502204&guid=4AEF365B.E2D6CD5B.14E5F282.FDD88C5B.09DA8172.860BA25D.FE7A2F8A&download-id=590001796578643(C2)Ret=(Key=,)
Requesting analysis of the Baidu Hi client's login address (login packet)
1. Thoroughly understand sub_49E185. 2. Write a DLL, inject it, and then invoke this call. 3. Modify Acc and pin at the corresponding memory addresses. Third-party login can be fully achieved this way.
Requesting analysis of the Baidu Hi client's login address (login packet)
Took a rough look.. Baidu Hi's protocol encryption uses the following algorithms, DES and RSA:
{All assembly below comes from the Baidu Hi client, version 4.2.7.2}
.data:1009E780 ; "DES-CDMF"
.data:1009E784 dd offset aDesCdmf ; "des-cdmf"
.data:1009E798 ; "rsaOAEPEncryptionSET"
.data:1009E79C dd offset aRsaoaepencrypt ; "rsaOAEPEncryptionSET"
If a third party does it in "offline" form, the workload should be considerable. Also, Baidu Hi uses two socket modes: ws2_32 and winsock. I suggest using DLL injection and hooking at the places below; that gets you third-party login. ---- Can't go into detail, haha
.text:0049E185 sub_49E185 proc near ; CODE XREF: sub_4A727D+10p
.text:0049E185 push 6Ch
.text:0049E187 mov eax, offset loc_7C61E6
.text:0049E18C call __EH_prolog3
.text:0049E191 mov esi, ecx
.text:0049E193 mov eax, [esi]
.text:0049E195 xor ebx, ebx
.text:0049E197 cmp eax, ebx
.text:0049E199 jnz short loc_49E1A5
.................XXX lines omitted here...................
.text:0049E1BF call dword ptr [edx+1Ch]
.text:0049E1C2
.text:0049E1C2 loc_49E1C2: ; login button
.text:0049E1C2 mov [ebp-10h], ebx
.text:0049E1C5 mov edi, [esi]
.text:0049E1C7 push offset aLoginbtn ; "loginBtn"
.................XXX lines omitted here...................
.text:0049E20E call ds:AtlComPtrAssign
.text:0049E214
.text:0049E214 loc_49E214: ; network config
.text:0049E214 mov eax, [esi]
.text:0049E216 push offset aNetconfigbtn ; "netConfigBtn"
.text:0049E21B lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E256 lea eax, [ebp-10h]
.text:0049E259 push eax
.text:0049E25A call ds:AtlComPtrAssign
.text:0049E260
.text:0049E260 loc_49E260: ; password
.text:0049E260 mov [ebp-70h], ebx
.text:0049E263 mov eax, [esi]
.text:0049E265 push offset aPassword ; "password"
.text:0049E26A lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E3D2 push eax
.text:0049E3D3 call ds:AtlComPtrAssign
.text:0049E3D9
.text:0049E3D9 loc_49E3D9: ; remember password
.text:0049E3D9 mov [ebp-68h], ebx
.text:0049E3DC mov eax, [esi]
.text:0049E3DE push offset aRememberpwd ; "rememberPwd"
.text:0049E3E3 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E42D push eax
.text:0049E42E call ds:AtlComPtrAssign
.text:0049E434
.text:0049E434 loc_49E434: ; auto-login
.text:0049E434 mov [ebp-64h], ebx
.text:0049E437 mov eax, [esi]
.text:0049E439 push offset aAutologin ; "autoLogin"
.text:0049E43E lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E4DD jz short loc_49E4EA
.text:0049E4DF push ebx
.text:0049E4E0 lea eax, [ebp-10h]
.text:0049E4E3 push eax
.text:0049E4E4 call ds:AtlComPtrAssign
.text:0049E4EA
.text:0049E4EA loc_49E4EA: ; user password
.text:0049E4EA mov [ebp-5Ch], ebx
.text:0049E4ED mov eax, [esi]
.text:0049E4EF push offset aPasswordpanel ; "passwordPanel"
.text:0049E4F4 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E5F5 call ds:AtlComPtrAssign
.text:0049E5FB
.text:0049E5FB loc_49E5FB: ; register button
.text:0049E5FB mov [ebp-50h], ebx
.text:0049E5FE mov eax, [esi]
.text:0049E600 push offset aRegister ; "register"
.text:0049E605 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E650 call ds:AtlComPtrAssign
.text:0049E656
.text:0049E656 loc_49E656: ; forgot password
.text:0049E656 mov [ebp-4Ch], ebx
.text:0049E659 mov eax, [esi]
.text:0049E65B push offset aForgetpwd ; "forgetPwd"
.text:0049E660 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E6AB call ds:AtlComPtrAssign
.text:0049E6B1
.text:0049E6B1 loc_49E6B1: ; CODE XREF: sub_49E185+51Fj
.text:0049E6B1 mov [ebp-48h], ebx
.text:0049E6B4 mov eax, [esi]
.text:0049E6B6 push offset aDeleteaccount ; "deleteAccount"
.text:0049E6BB lea ecx, [ebp-78h]
.text:0049E6BE mov byte ptr [ebp-
.................XXX lines omitted here...................
.text:0049E702 lea eax, [ebp-10h]
.text:0049E705 push eax
.text:0049E706 call ds:AtlComPtrAssign
.text:0049E70C
.text:0049E70C loc_49E70C: ; CODE XREF: sub_49E185+57Aj
.text:0049E70C mov [ebp-44h], ebx
.text:0049E70F mov eax, [esi]
.text:0049E711 push offset aAccount_errorp ; "account_errorPrompt"
.text:0049E716 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E761 call ds:AtlComPtrAssign
.text:0049E767
.text:0049E767 loc_49E767: ; CODE XREF: sub_49E185+5D5j
.text:0049E767 mov [ebp-40h], ebx
.text:0049E76A mov eax, [esi]
.text:0049E76C push offset aPassword_error ; "password_errorPrompt"
.text:0049E771 lea ecx, [ebp-78h]
.text:0049E774 mov byte ptr [ebp-4], 1Eh
.................XXX lines omitted here...................
.text:0049E7C2
.text:0049E7C2 loc_49E7C2: ; CODE XREF: sub_49E185+630j
.text:0049E7C2 mov [ebp-3Ch], ebx
.text:0049E7C5 mov eax, [esi]
.text:0049E7C7 push offset aLoginswf ; "LoginSwf"
.text:0049E7CC lea ecx, [ebp-14h]
.text:0049E7CF mov byte ptr [ebp-4], 20h
.text:0049E7D3 mov [ebp-78h], eax
.................XXX lines omitted here...................
.text:0049EA1C lea eax, [ebp-10h]
.text:0049EA1F push eax
.text:0049EA20 call ds:AtlComPtrAssign
.text:0049EA26
.text:0049EA26 loc_49EA26: ; login area
.text:0049EA26 mov [ebp-28h], ebx
.text:0049EA29 mov eax, [esi]
.text:0049EA2B push offset aLogininputarea ; "loginInputArea"
.................XXX lines omitted here...................
.text:0049EA7A lea eax, [ebp-10h]
.text:0049EA7D push eax
.text:0049EA7E call ds:AtlComPtrAssign
.text:0049EA84
.text:0049EA84 loc_49EA84: ;
.text:0049EA84 mov [ebp-24h], ebx
.text:0049EA87 mov eax, [esi]
.text:0049EA89 push offset aLoginbefore_ex ; "LoginBefore_Ext"
.text:0049EA8E lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049EAD5 jz short loc_49EAE2
.text:0049EAD7 push ebx
.text:0049EAD8 lea eax, [ebp-10h]
.text:0049EADB push eax
.text:0049EADC call ds:AtlComPtrAssign
.text:0049EAE2
.text:0049EAE2 loc_49EAE2: ; login button
.text:0049EAE2 mov [ebp-20h], ebx
.text:0049EAE5 mov eax, [esi]
.text:0049EAE7 push offset aLoginbuttonpan ; "loginButtonPanel"
.text:0049EAEC lea ecx, [ebp-78h]
.text:0049EAEF mov byte ptr [ebp-4], 30h
.text:0049EAF3 mov [ebp-18h], eax
.text:0049EAF6 call sub_414B5B
.................XXX lines omitted here...................
.text:0049EB39 push eax
.text:0049EB3A call ds:AtlComPtrAssign
.text:0049EB40
.text:0049EB40 loc_49EB40: ; // module
.text:0049EB40 mov [ebp-1Ch], ebx
.text:0049EB43 mov eax, [esi]
.text:0049EB45 push offset aExtentionpanel ; "ExtentionPanel"
.................XXX lines omitted here...................
.text:0049ED38 xor eax, eax
.text:0049ED3A
.text:0049ED3A loc_49ED3A: ; CODE XREF: sub_49E185+1Bj
.text:0049ED3A call __EH_epilog3
.text:0049ED3F retn
.text:0049ED3F sub_49E185 endp
1. Thoroughly understand sub_49E185. 2. Write a DLL, inject it, and then invoke this call. 3. Modify Acc and pin at the corresponding memory addresses. Third-party login can be fully achieved this way.
[Repost] DefCon hacker conference: DEFCON 20 2013 Docu HDRip X264 AC3-FooKaS
When is 看雪 going to hold a "conference"?
Set a breakpoint in OD, but it is very laggy
Too many threads.
[Original] A beginner learns ssdt_hook
When A explains an abstract concept to B and B is left confused and lost, that is not B's fault; it is because A's level is not there yet --- the level at which complex, abstract things can be likened to simple ones. In other words, A has not understood it deeply. Clearly the OP understands SSDT deeply. Kudos.
[Original] Removed the title so I don't get flamed......
Come join me, I'll cover the meals