Post 2
It should be about the same as logging in to the Baidu homepage. The Baidu login POST address is http://www.baidu.com/v2/api/?login
The POST data is: ppui_logintime=<5-digit random number>&charset=utf-8&codestring=<captcha address>&token=<identifier>&isPhone=false&index=0&u=&safe***=0&staticpage=http%3A%2F%2Fwww.baidu.com%2Fcache%2Fuser%2Fhtml%2Fjump.html&loginType=1&tpl=mn&callback=parent.bdPass.api.login._postCallback&username=<encoded username>&password=<password>&verifycode=<captcha>&mem_pass=on
Post 4
Took a quick look..
The Baidu Hi protocol encryption uses the following encryption algorithms, DES and RSA: {all assembly code below comes from the Baidu Hi client, version 4.2.7.2}
.data:1009E780 ; "DES-CDMF"
.data:1009E784 dd offset aDesCdmf ; "des-cdmf"
.data:1009E798 ; "rsaOAEPEncryptionSET"
.data:1009E79C dd offset aRsaoaepencrypt ; "rsaOAEPEncryptionSET"
If a third party wants to do it "offline", the workload won't be small.
Also, Baidu Hi uses two socket modes: ws2_32., winsock..
I suggest you use DLL injection and hook at the place below; then you can implement third-party login. ---- Can't go into details, haha
.text:0049E185 sub_49E185 proc near ; CODE XREF: sub_4A727D+10p
.text:0049E185 push 6Ch
.text:0049E187 mov eax, offset loc_7C61E6
.text:0049E18C call __EH_prolog3
.text:0049E191 mov esi, ecx
.text:0049E193 mov eax, [esi]
.text:0049E195 xor ebx, ebx
.text:0049E197 cmp eax, ebx
.text:0049E199 jnz short loc_49E1A5
.................XXX lines omitted here...................
.text:0049E1BF call dword ptr [edx+1Ch]
.text:0049E1C2
.text:0049E1C2 loc_49E1C2: ; login button
.text:0049E1C2 mov [ebp-10h], ebx
.text:0049E1C5 mov edi, [esi]
.text:0049E1C7 push offset aLoginbtn ; "loginBtn"
.................XXX lines omitted here...................
.text:0049E20E call ds:AtlComPtrAssign
.text:0049E214
.text:0049E214 loc_49E214: ; network config
.text:0049E214 mov eax, [esi]
.text:0049E216 push offset aNetconfigbtn ; "netConfigBtn"
.text:0049E21B lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E256 lea eax, [ebp-10h]
.text:0049E259 push eax
.text:0049E25A call ds:AtlComPtrAssign
.text:0049E260
.text:0049E260 loc_49E260: ; password
.text:0049E260 mov [ebp-70h], ebx
.text:0049E263 mov eax, [esi]
.text:0049E265 push offset aPassword ; "password"
.text:0049E26A lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E3D2 push eax
.text:0049E3D3 call ds:AtlComPtrAssign
.text:0049E3D9
.text:0049E3D9 loc_49E3D9: ; remember password
.text:0049E3D9 mov [ebp-68h], ebx
.text:0049E3DC mov eax, [esi]
.text:0049E3DE push offset aRememberpwd ; "rememberPwd"
.text:0049E3E3 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E42D push eax
.text:0049E42E call ds:AtlComPtrAssign
.text:0049E434
.text:0049E434 loc_49E434: ; auto login
.text:0049E434 mov [ebp-64h], ebx
.text:0049E437 mov eax, [esi]
.text:0049E439 push offset aAutologin ; "autoLogin"
.text:0049E43E lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E4DD jz short loc_49E4EA
.text:0049E4DF push ebx
.text:0049E4E0 lea eax, [ebp-10h]
.text:0049E4E3 push eax
.text:0049E4E4 call ds:AtlComPtrAssign
.text:0049E4EA
.text:0049E4EA loc_49E4EA: ; user password
.text:0049E4EA mov [ebp-5Ch], ebx
.text:0049E4ED mov eax, [esi]
.text:0049E4EF push offset aPasswordpanel ; "passwordPanel"
.text:0049E4F4 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E5F5 call ds:AtlComPtrAssign
.text:0049E5FB
.text:0049E5FB loc_49E5FB: ; register button
.text:0049E5FB mov [ebp-50h], ebx
.text:0049E5FE mov eax, [esi]
.text:0049E600 push offset aRegister ; "register"
.text:0049E605 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E650 call ds:AtlComPtrAssign
.text:0049E656
.text:0049E656 loc_49E656: ; forgot password
.text:0049E656 mov [ebp-4Ch], ebx
.text:0049E659 mov eax, [esi]
.text:0049E65B push offset aForgetpwd ; "forgetPwd"
.text:0049E660 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E6AB call ds:AtlComPtrAssign
.text:0049E6B1
.text:0049E6B1 loc_49E6B1: ; CODE XREF: sub_49E185+51Fj
.text:0049E6B1 mov [ebp-48h], ebx
.text:0049E6B4 mov eax, [esi]
.text:0049E6B6 push offset aDeleteaccount ; "deleteAccount"
.text:0049E6BB lea ecx, [ebp-78h]
.text:0049E6BE mov byte ptr [ebp-
.................XXX lines omitted here...................
.text:0049E702 lea eax, [ebp-10h]
.text:0049E705 push eax
.text:0049E706 call ds:AtlComPtrAssign
.text:0049E70C
.text:0049E70C loc_49E70C: ; CODE XREF: sub_49E185+57Aj
.text:0049E70C mov [ebp-44h], ebx
.text:0049E70F mov eax, [esi]
.text:0049E711 push offset aAccount_errorp ; "account_errorPrompt"
.text:0049E716 lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049E761 call ds:AtlComPtrAssign
.text:0049E767
.text:0049E767 loc_49E767: ; CODE XREF: sub_49E185+5D5j
.text:0049E767 mov [ebp-40h], ebx
.text:0049E76A mov eax, [esi]
.text:0049E76C push offset aPassword_error ; "password_errorPrompt"
.text:0049E771 lea ecx, [ebp-78h]
.text:0049E774 mov byte ptr [ebp-4], 1Eh
.................XXX lines omitted here...................
.text:0049E7C2
.text:0049E7C2 loc_49E7C2: ; CODE XREF: sub_49E185+630j
.text:0049E7C2 mov [ebp-3Ch], ebx
.text:0049E7C5 mov eax, [esi]
.text:0049E7C7 push offset aLoginswf ; "LoginSwf"
.text:0049E7CC lea ecx, [ebp-14h]
.text:0049E7CF mov byte ptr [ebp-4], 20h
.text:0049E7D3 mov [ebp-78h], eax
.................XXX lines omitted here...................
.text:0049EA1C lea eax, [ebp-10h]
.text:0049EA1F push eax
.text:0049EA20 call ds:AtlComPtrAssign
.text:0049EA26
.text:0049EA26 loc_49EA26: ; login area
.text:0049EA26 mov [ebp-28h], ebx
.text:0049EA29 mov eax, [esi]
.text:0049EA2B push offset aLogininputarea ; "loginInputArea"
.................XXX lines omitted here...................
.text:0049EA7A lea eax, [ebp-10h]
.text:0049EA7D push eax
.text:0049EA7E call ds:AtlComPtrAssign
.text:0049EA84
.text:0049EA84 loc_49EA84: ;
.text:0049EA84 mov [ebp-24h], ebx
.text:0049EA87 mov eax, [esi]
.text:0049EA89 push offset aLoginbefore_ex ; "LoginBefore_Ext"
.text:0049EA8E lea ecx, [ebp-78h]
.................XXX lines omitted here...................
.text:0049EAD5 jz short loc_49EAE2
.text:0049EAD7 push ebx
.text:0049EAD8 lea eax, [ebp-10h]
.text:0049EADB push eax
.text:0049EADC call ds:AtlComPtrAssign
.text:0049EAE2
.text:0049EAE2 loc_49EAE2: ; login button
.text:0049EAE2 mov [ebp-20h], ebx
.text:0049EAE5 mov eax, [esi]
.text:0049EAE7 push offset aLoginbuttonpan ; "loginButtonPanel"
.text:0049EAEC lea ecx, [ebp-78h]
.text:0049EAEF mov byte ptr [ebp-4], 30h
.text:0049EAF3 mov [ebp-18h], eax
.text:0049EAF6 call sub_414B5B
.................XXX lines omitted here...................
.text:0049EB39 push eax
.text:0049EB3A call ds:AtlComPtrAssign
.text:0049EB40
.text:0049EB40 loc_49EB40: ; // module
.text:0049EB40 mov [ebp-1Ch], ebx
.text:0049EB43 mov eax, [esi]
.text:0049EB45 push offset aExtentionpanel ; "ExtentionPanel"
.................XXX lines omitted here...................
.text:0049ED38 xor eax, eax
.text:0049ED3A
.text:0049ED3A loc_49ED3A: ; CODE XREF: sub_49E185+1Bj
.text:0049ED3A call __EH_epilog3
.text:0049ED3F retn
.text:0049ED3F sub_49E185 endp
1. Thoroughly understand sub_49E185.
2. Write a DLL, inject it, and then call this call.
3. Modify Acc and pin at the corresponding memory addresses. Third-party login can definitely be implemented.
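Step 1 above (understanding sub_49E185) starts with triage: the listing is long, but the named string operands, call targets and labelled blocks summarise what the function binds. The script below, an added example that is not from the thread or the Baidu Hi client, extracts those from an IDA-style text dump; the sample listing is a constructed excerpt modelled on the lines quoted above, and the "lines omitted" markers are only counted.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the listing quoted in the thread (sample input).
SAMPLE_LISTING = """\
.text:0049E185 sub_49E185 proc near ; CODE XREF: sub_4A727D+10p
.text:0049E185 push 6Ch
.text:0049E18C call __EH_prolog3
.text:0049E1C2 loc_49E1C2: ; login button
.text:0049E1C7 push offset aLoginbtn ; "loginBtn"
.................XXX lines omitted here...................
.text:0049E20E call ds:AtlComPtrAssign
.text:0049E260 loc_49E260: ; password
.text:0049E265 push offset aPassword ; "password"
.text:0049E3D3 call ds:AtlComPtrAssign
.text:0049EAF6 call sub_414B5B
.text:0049ED3F sub_49E185 endp
"""

LINE_RE = re.compile(r'^\.(?P<seg>\w+):(?P<addr>[0-9A-Fa-f]+)\s+(?P<body>.*)$')
STR_RE = re.compile(r'push\s+offset\s+(?P<sym>\w+)\s*;\s*"(?P<text>[^"]*)"')
CALL_RE = re.compile(r'^call\s+(?P<target>\S+)')
LABEL_RE = re.compile(r'^(?P<label>loc_[0-9A-Fa-f]+):\s*;?\s*(?P<comment>.*)$')

def summarize_listing(listing):
    """Collect functions, string operands, call targets and labelled blocks from an IDA-style dump."""
    funcs = []
    strings = []
    calls = Counter()
    labels = {}
    omitted = 0
    for raw in listing.splitlines():
        if 'omitted' in raw:              # "...XXX lines omitted here..." placeholder
            omitted += 1
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group('body')
        if ' proc ' in body:               # function prologue line
            funcs.append(body.split()[0])
        elif (s := STR_RE.search(body)):   # string operand, e.g. a UI control name
            strings.append(s.group('text'))
        elif (c := CALL_RE.match(body)):   # direct or import-table call
            calls[c.group('target')] += 1
        elif (l := LABEL_RE.match(body)):  # basic-block label with analyst comment
            labels[l.group('label')] = l.group('comment').strip()
    return {'functions': funcs, 'strings': strings, 'call_counts': calls,
            'labels': labels, 'omitted_markers': omitted}
```

Running it over the full listing quoted above shows the repeated ds:AtlComPtrAssign calls and the control-name strings that mark sub_49E185 as the routine wiring up the login dialog.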
Post 5
1. Thoroughly understand sub_49E185.
2. Write a DLL, inject it, and then call this call.
3. Modify Acc and pin at the corresponding memory addresses. Third-party login can definitely be implemented.
Post 9
Auntie fosom is in a really good mood!
The poster in #2 must be excited, eh~