这两天,本来想花点时间研究一下QQ空间、农场外挂,于是抓包分析了一下,只可惜,在QQ网页登录时进行了加密处理,可惜我对网页编程一窍不通。有些朋友曾讲过那些是通过JS代码进行加密,可惜我JS也是一片空白,真是“出师未捷身先死”,惭愧惭愧......
于是只好挑CSDN这类简易一些的尝试学习一下(仅供学习交流),下面是学习笔记:
程序运行截图:
1、本机环境:Windows XP SP3、ADSL
2、开发工具:WildPackets OmniPeek V5.1.4
Visual C++ 6.0
IE6.0
FlexEdit V2.3.1871
3、数据包截图:
(QQ登录时,在密码2222加密时卡壳了,我尝试过很多加密算法,最终以失败告终......)
4、验证码显示使用IStream和IPicture来显示:
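/************************************************************************/
/* Purpose : Directory that contains the running executable
/* Params  : none
/* Returns : directory path without a trailing backslash, as a CString;
/*           an empty CString if GetModuleFileName fails, the path was
/*           truncated, or it contains no backslash at all
/* By:Koma 2009.10.13 11:23
/************************************************************************/
CString C***Dlg::GetExePath()
{
const int kBufLen = 260;
char pathbuf[kBufLen];
// GetModuleFileName returns the number of characters copied (0 on
// failure). When the buffer is too small the path is truncated and the
// return value equals the buffer size, so that case is a failure too.
int pathlen = static_cast<int>(::GetModuleFileName(NULL, pathbuf, kBufLen));
if (pathlen <= 0 || pathlen >= kBufLen)
return CString();
CString fname = pathbuf;
// Cut off the file-name component. The original scanned backwards for
// '\\' with no lower bound, so a path without one ran off the front of
// the buffer; ReverseFind simply reports -1 in that case.
int sep = fname.ReverseFind('\\');
if (sep < 0)
return CString();
return fname.Left(sep);
}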
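/************************************************************************/
/* Purpose : Directory that contains the running executable
/* Params  : none
/* Returns : directory path without a trailing backslash, as a CString;
/*           an empty CString if GetModuleFileName fails, the path was
/*           truncated, or it contains no backslash at all
/* By:Koma 2009.10.13 11:23
/************************************************************************/
CString C***Dlg::GetExePath()
{
const int kBufLen = 260;
char pathbuf[kBufLen];
// GetModuleFileName returns the number of characters copied (0 on
// failure). When the buffer is too small the path is truncated and the
// return value equals the buffer size, so that case is a failure too.
int pathlen = static_cast<int>(::GetModuleFileName(NULL, pathbuf, kBufLen));
if (pathlen <= 0 || pathlen >= kBufLen)
return CString();
CString fname = pathbuf;
// Cut off the file-name component. The original scanned backwards for
// '\\' with no lower bound, so a path without one ran off the front of
// the buffer; ReverseFind simply reports -1 in that case.
int sep = fname.ReverseFind('\\');
if (sep < 0)
return CString();
return fname.Left(sep);
}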
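/************************************************************************/
/* Purpose : Download the login CAPTCHA image to <exe dir>\test.tmp
/* Params  : none
/* Returns : none. If the URL cannot be opened or test.tmp cannot be
/*           created the function returns without writing anything;
/*           a CInternetException raised by OpenURL propagates as before.
/* By:Koma 2009.10.13 11:50
/************************************************************************/
void C***Dlg::DownURLImage()
{
CInternetSession session;
CString strUrl;
CString strPath;
char buff[512];
// Two random numbers form a cache-busting query value so the server
// returns a fresh image each time.
int nRand1 = rand()%100000+10000;
int nRand2 = rand()%200000+10000;
strUrl.Format("http://passport.csdn.net/ShowExPwd.aspx?temp=%d%d",nRand1,nRand2);
strPath = GetExePath() + "\\test.tmp";
// OpenURL returns NULL on failure; the original dereferenced it blindly.
CFile *pFile = session.OpenURL(strUrl);
if (pFile == NULL)
return;
CFile out;
if (!out.Open(strPath, CFile::modeCreate | CFile::modeWrite))
{
pFile->Close();
delete pFile;
return;
}
// Write exactly the bytes that were read. The original wrote a full 512
// bytes per chunk, so the last chunk carried stale buffer contents and
// the image file ended with garbage.
unsigned int nRead;
while ((nRead = pFile->Read(buff, sizeof(buff))) > 0)
out.Write(buff, nRead);
out.Flush();
out.Close();
// The file object returned by OpenURL is owned by the caller.
pFile->Close();
delete pFile;
}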
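/************************************************************************/
/* Purpose : Download the login CAPTCHA image to <exe dir>\test.tmp
/* Params  : none
/* Returns : none. If the URL cannot be opened or test.tmp cannot be
/*           created the function returns without writing anything;
/*           a CInternetException raised by OpenURL propagates as before.
/* By:Koma 2009.10.13 11:50
/************************************************************************/
void C***Dlg::DownURLImage()
{
CInternetSession session;
CString strUrl;
CString strPath;
char buff[512];
// Two random numbers form a cache-busting query value so the server
// returns a fresh image each time.
int nRand1 = rand()%100000+10000;
int nRand2 = rand()%200000+10000;
strUrl.Format("http://passport.csdn.net/ShowExPwd.aspx?temp=%d%d",nRand1,nRand2);
strPath = GetExePath() + "\\test.tmp";
// OpenURL returns NULL on failure; the original dereferenced it blindly.
CFile *pFile = session.OpenURL(strUrl);
if (pFile == NULL)
return;
CFile out;
if (!out.Open(strPath, CFile::modeCreate | CFile::modeWrite))
{
pFile->Close();
delete pFile;
return;
}
// Write exactly the bytes that were read. The original wrote a full 512
// bytes per chunk, so the last chunk carried stale buffer contents and
// the image file ended with garbage.
unsigned int nRead;
while ((nRead = pFile->Read(buff, sizeof(buff))) > 0)
out.Write(buff, nRead);
out.Flush();
out.Close();
// The file object returned by OpenURL is owned by the caller.
pFile->Close();
delete pFile;
}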
/************************************************************************/
/* Purpose : Load <exe dir>\test.tmp (the CAPTCHA fetched by
/*           DownURLImage) through IStream/IPicture and paint it at
/*           (10,100) in this dialog. The painted area is stored in
/*           m_PicRect so later repaints can be limited to it.
/* Params  : none
/* Returns : none
/* By:Koma 2009.10.13 13:12
/************************************************************************/
void C***Dlg::ShowImage()
{
::CoInitialize(NULL); // initialise COM on this thread (OleLoadPicture needs it)
HRESULT hr;
CFile file;
CString strPath;
// NOTE(review): CPaintDC wraps BeginPaint/EndPaint and is only valid inside
// a WM_PAINT handler; if ShowImage is called from anywhere else a CClientDC
// would be the right choice — confirm the caller.
CPaintDC dc(this);
strPath = GetExePath() + "\\test.tmp";
// NOTE(review): the Open result is not checked; a missing or empty file
// leads to a zero-size GlobalAlloc and a failing OleLoadPicture below.
file.Open(strPath, CFile::modeRead | CFile::shareDenyNone);
DWORD dwSize = file.GetLength();
// Copy the whole file into a movable global block, which is what
// CreateStreamOnHGlobal expects. NOTE(review): hMem is not checked for NULL.
HGLOBAL hMem = ::GlobalAlloc( GMEM_MOVEABLE, dwSize );
LPVOID lpBuf = ::GlobalLock( hMem );
file.ReadHuge( lpBuf, dwSize );
file.Close();
::GlobalUnlock( hMem );
// Wrap the HGLOBAL in an IStream; TRUE (fDeleteOnRelease) makes the stream
// free hMem when it is released, which is why hMem is never freed explicitly.
// pStream and pPicture are not declared in this function — presumably
// class members; verify.
hr = ::CreateStreamOnHGlobal(hMem,TRUE,&pStream );
ASSERT(SUCCEEDED(hr));
// Decode the image bytes into an IPicture.
// NOTE(review): ASSERT is compiled out in release builds, so a failed load
// (corrupt download, HTML error page saved as test.tmp) falls through to
// the get_Width call below with an unusable pPicture.
hr = ::OleLoadPicture(pStream, dwSize, TRUE, IID_IPicture,(LPVOID *)&pPicture);
ASSERT(hr==S_OK);
long nWidth,nHeight; // picture size in MM_HIMETRIC units (0.01 mm)
pPicture->get_Width( &nWidth ); // width
pPicture->get_Height( &nHeight ); // height
CSize sz(nWidth,nHeight); // draw at natural size
dc.HIMETRICtoDP(&sz); // convert MM_HIMETRIC units to MM_TEXT pixels
// Source rectangle covers the whole picture; the negative source height
// flips it, since IPicture's origin is bottom-left and the DC's is top-left.
pPicture->Render(dc.m_hDC,10,100,sz.cx,sz.cy,0,nHeight,nWidth,-nHeight,NULL);
CRect rect(10,100,sz.cx + 10,sz.cy + 100);
// Remember the painted area so later repaints can invalidate only this rect.
m_PicRect = rect;
if(pPicture) // release the IPicture
pPicture->Release();
if(pStream) // release the IStream, which also frees hMem
pStream->Release();
// NOTE(review): initialising and tearing down COM on every call is unusual;
// MFC apps normally initialise it once at startup — verify against InitInstance.
::CoUninitialize();
}
/************************************************************************/
/* Purpose : Load <exe dir>\test.tmp (the CAPTCHA fetched by
/*           DownURLImage) through IStream/IPicture and paint it at
/*           (10,100) in this dialog. The painted area is stored in
/*           m_PicRect so later repaints can be limited to it.
/* Params  : none
/* Returns : none
/* By:Koma 2009.10.13 13:12
/************************************************************************/
void C***Dlg::ShowImage()
{
::CoInitialize(NULL); // initialise COM on this thread (OleLoadPicture needs it)
HRESULT hr;
CFile file;
CString strPath;
// NOTE(review): CPaintDC wraps BeginPaint/EndPaint and is only valid inside
// a WM_PAINT handler; if ShowImage is called from anywhere else a CClientDC
// would be the right choice — confirm the caller.
CPaintDC dc(this);
strPath = GetExePath() + "\\test.tmp";
// NOTE(review): the Open result is not checked; a missing or empty file
// leads to a zero-size GlobalAlloc and a failing OleLoadPicture below.
file.Open(strPath, CFile::modeRead | CFile::shareDenyNone);
DWORD dwSize = file.GetLength();
// Copy the whole file into a movable global block, which is what
// CreateStreamOnHGlobal expects. NOTE(review): hMem is not checked for NULL.
HGLOBAL hMem = ::GlobalAlloc( GMEM_MOVEABLE, dwSize );
LPVOID lpBuf = ::GlobalLock( hMem );
file.ReadHuge( lpBuf, dwSize );
file.Close();
::GlobalUnlock( hMem );
// Wrap the HGLOBAL in an IStream; TRUE (fDeleteOnRelease) makes the stream
// free hMem when it is released, which is why hMem is never freed explicitly.
// pStream and pPicture are not declared in this function — presumably
// class members; verify.
hr = ::CreateStreamOnHGlobal(hMem,TRUE,&pStream );
ASSERT(SUCCEEDED(hr));
// Decode the image bytes into an IPicture.
// NOTE(review): ASSERT is compiled out in release builds, so a failed load
// (corrupt download, HTML error page saved as test.tmp) falls through to
// the get_Width call below with an unusable pPicture.
hr = ::OleLoadPicture(pStream, dwSize, TRUE, IID_IPicture,(LPVOID *)&pPicture);
ASSERT(hr==S_OK);
long nWidth,nHeight; // picture size in MM_HIMETRIC units (0.01 mm)
pPicture->get_Width( &nWidth ); // width
pPicture->get_Height( &nHeight ); // height
CSize sz(nWidth,nHeight); // draw at natural size
dc.HIMETRICtoDP(&sz); // convert MM_HIMETRIC units to MM_TEXT pixels
// Source rectangle covers the whole picture; the negative source height
// flips it, since IPicture's origin is bottom-left and the DC's is top-left.
pPicture->Render(dc.m_hDC,10,100,sz.cx,sz.cy,0,nHeight,nWidth,-nHeight,NULL);
CRect rect(10,100,sz.cx + 10,sz.cy + 100);
// Remember the painted area so later repaints can invalidate only this rect.
m_PicRect = rect;
if(pPicture) // release the IPicture
pPicture->Release();
if(pStream) // release the IStream, which also frees hMem
pStream->Release();
// NOTE(review): initialising and tearing down COM on every call is unusual;
// MFC apps normally initialise it once at startup — verify against InitInstance.
::CoUninitialize();
}
5、经过OmniPeek抓包分析得到:
登录时POST格式:
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEyMzU0NzEzNDkPFgIeCkZpbmlzaFN0YXlnFgJmD2QWBAIBDxYCHgRUZXh0BQznlKjmiLfnmbvlvZVkAgIPZBYCAgMPZBYCAgEPFgIeB1Zpc2libGVoZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUeY3RsMDAkQ1BIX0NvbnRlbnQkY2JfU2F2ZVN0YXRlBR1jdGwwMCRDUEhfQ29udGVudCRJbWFnZV9Mb2dpbjFp31Bt8XH%2B3e%2Bh97Uk6ofQQady&ctl00%24CPH_Content%24tb_LoginNameOrLoginEmail=testkoma&ctl00%24CPH_Content%24tb_Password=ningyusky&ctl00%24CPH_Content%24tb_ExPwd=BZTS3&ClientKey=c77f51c7-cbaf-427d-9314-a04303f79847&ctl00%24CPH_Content%24cb_SaveState=on&from=http%3A%2F%2Fhi.csdn.net%2F&MailParameters=&PrePage=&MailParameters=&ctl00%24CPH_Content%24Image_Login.x=33&ctl00%24CPH_Content%24Image_Login.y=13
至于其他动作的话,自己抓包分析吧!
之前看到博客园深蓝居一篇文章关于C#写的CSDN提交表单
http://www.cnblogs.com/studyzy/archive/2008/05/08/1187626.html
所以在前辈的基础上,我增加了VC获取Cookie ClientKey值,下面是POST代码:
/************************************************************************/
/* Purpose : "Login" button handler: validate the user-name / password
/*           fields, read the ClientKey cookie from passport.csdn.net,
/*           send the login form and display the decoded response.
/* Params  : none (reads m_strUser, m_strPassword, m_strCode through DDX)
/* Returns : none
/* NOTE(review): everything goes over plain HTTP, so the user name,
/* password and any session cookies are readable by anyone on the path,
/* and the raw response is additionally written to disk as Test.aspx.
/************************************************************************/
void C***Dlg::OnBtnLogin()
{
// TODO: Add your control notification handler code here
UpdateData(TRUE); // copy the edit-control text into m_strUser / m_strPassword / m_strCode
if(m_strUser.IsEmpty())
{
MessageBox("用户名不能为空!","提示",MB_ICONERROR | MB_OK);
// NOTE(review): the (CEdit*) cast applies to the result of SetFocus(), not
// to GetDlgItem(); harmless, but GetDlgItem(...)->SetFocus() alone is clearer.
(CEdit*)GetDlgItem(IDC_EDIT_USER)->SetFocus();
return;
}
if( m_strPassword.IsEmpty())
{
MessageBox("密码不能为空!","提示",MB_ICONERROR | MB_OK);
(CEdit*)GetDlgItem(IDC_EDIT_PASSWORD)->SetFocus();
return;
}
CString str; // accumulated response body
try
{
CInternetSession Session ;
CHttpConnection *pHttpConnect = Session.GetHttpConnection("passport.csdn.net") ;
if( pHttpConnect )
{
// NOTE(review): the request is opened with HTTP_VERB_GET although a POST
// is intended (see the hand-written "POST ..." header further down).
CHttpFile* pFile = pHttpConnect->OpenRequest( CHttpConnection::HTTP_VERB_GET,
_T("/UserLogin.aspx"),
NULL,
1,
NULL,
NULL,
INTERNET_FLAG_NO_COOKIES );
// Load the login page once so WinINet stores its cookies, then read the
// ClientKey cookie back. This inner Session shadows the outer one, and the
// file object returned by OpenURL is never closed or deleted.
CInternetSession Session;
Session.OpenURL("http://passport.csdn.net/UserLogin.aspx");
if(!Session.GetCookie("http://passport.csdn.net/UserLogin.aspx",
_T("ClientKey"),m_strCookies))
{
MessageBox("获取Cookies时出错!");
// NOTE(review): returning here leaks pHttpConnect and pFile.
return;
}
// Strip the 10-character "ClientKey=" prefix from the cookie string.
// NOTE(review): Find() returns -1 when the prefix is absent, which
// silently turns into Mid(9) instead of an error.
CString strKey = m_strCookies;
int result = strKey.Find("ClientKey=",0);
m_strClientKey = strKey.Mid(result+10);
UpdateData(TRUE); // re-reads the controls; presumably redundant after the call above
// Form body captured from a browser session. NOTE(review): __VIEWSTATE is
// a fixed value copied from one page load, and the user / password / code
// fields are concatenated without URL-encoding, so values containing
// '&', '=' or '%' break the form.
CString szFormData = "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE4NDgzMDI2NjcPFgIeCkZpbmlzaFN0YXloFgJmD2QWBAIBDxYCHgRUZXh0BQznlKjmiLfnmbvlvZVkAgIPZBYCAgMPZBYCAgEPFgIeB1Zpc2libGVoZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUeY3RsMDAkQ1BIX0NvbnRlbnQkY2JfU2F2ZVN0YXRlBR1jdGwwMCRDUEhfQ29udGVudCRJbWFnZV9Mb2dpbr5SL%2FGtMqVCJ%2FCh4jH%2FXp4DhlVU&ctl00%24CPH_Content%24tb_LoginNameOrLoginEmail="+ m_strUser +"&ctl00%24CPH_Content%24tb_Password="+ m_strPassword +"&ctl00%24CPH_Content%24tb_ExPwd="+ m_strCode +"&ClientKey="+ m_strClientKey +"&ctl00%24CPH_Content%24cb_SaveState=on&from=http%3A%2F%2Fhi.csdn.net%2Fmy.html&MailParameters=&MailParameters=&ctl00%24CPH_Content%24Image_Login.x=26&ctl00%24CPH_Content%24Image_Login.y=11";
if (pFile)
{
// NOTE(review): all of these are added as request headers. The first line
// is a request line rather than a header, and szFormData is the form body
// rather than a header; the body normally goes through SendRequest's
// lpOptional / dwOptionalLen parameters. Check Test.aspx to see what the
// server actually received.
pFile->AddRequestHeaders("POST /UserLogin.aspx HTTP/1.1\r\n");
pFile->AddRequestHeaders("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */*\r\n");
pFile->AddRequestHeaders("Referer: http://passport.csdn.net/UserLogin.aspx\r\n");
pFile->AddRequestHeaders("Accept-Language: zh-cn\r\n");
pFile->AddRequestHeaders("Content-Type: application/x-www-form-urlencoded\r\n");
pFile->AddRequestHeaders("Accept-Encoding: gzip, deflate\r\n");
pFile->AddRequestHeaders("User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; POTU(RR:28031409:0:5513822); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; CIBA)\r\n");
pFile->AddRequestHeaders("Connection: Keep-Alive\r\n");
pFile->AddRequestHeaders("Cache-Control: no-cache\r\n");
pFile->AddRequestHeaders(szFormData);
pFile->SendRequest();
// Read the returned HTML line by line
CString s ;
while (pFile->ReadString(s))
str += s ;
//MessageBox(str);
pFile->Close();
delete pFile ;
}
// Keep the raw response as Test.aspx in the current working directory
// (unlike test.tmp, which goes to the exe directory) for inspection.
CFile file;
file.Open("Test.aspx",CFile::modeCreate | CFile::modeWrite,NULL);
file.Write(str,str.GetLength());
file.Flush();
file.Close();
pHttpConnect->Close() ;
delete pHttpConnect ;
}
// Convert the response from UTF-8 to UTF-16 and then to the ANSI code page
// so MessageBox can display it. (The original comment mentioned a Sina
// page; this part was presumably copied from another project.)
// Two-call pattern: a NULL output buffer makes the API return the
// required length.
wchar_t* pWChar = NULL;
DWORD nLen1;
nLen1 = MultiByteToWideChar(CP_UTF8,0,str,str.GetLength(),pWChar,0);
pWChar = new wchar_t[nLen1 + 1];
memset(pWChar,0,(nLen1 + 1 ) * sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8,0,str,str.GetLength(),pWChar,nLen1);
char* pChar = NULL;
DWORD nLen2;
nLen2 = WideCharToMultiByte(CP_ACP,0,pWChar,nLen1,pChar,0,NULL,NULL);
pChar = new char[nLen2 + 1];
memset(pChar,0, nLen2 + 1);
WideCharToMultiByte(CP_ACP,0,pWChar,nLen1,pChar,nLen2,NULL,NULL);
// Show what the server returned for the login attempt.
// NOTE(review): pWChar and pChar are never deleted — a leak on every click.
str.Format("%s",pChar);
MessageBox(str);
}
catch( CInternetException *e )
{
// NOTE(review): the error is swallowed silently (the user sees nothing),
// and pHttpConnect / pFile allocated above are leaked on this path.
e->Delete();
}
}
/************************************************************************/
/* Purpose : "Login" button handler: validate the user-name / password
/*           fields, read the ClientKey cookie from passport.csdn.net,
/*           send the login form and display the decoded response.
/* Params  : none (reads m_strUser, m_strPassword, m_strCode through DDX)
/* Returns : none
/* NOTE(review): everything goes over plain HTTP, so the user name,
/* password and any session cookies are readable by anyone on the path,
/* and the raw response is additionally written to disk as Test.aspx.
/************************************************************************/
void C***Dlg::OnBtnLogin()
{
// TODO: Add your control notification handler code here
UpdateData(TRUE); // copy the edit-control text into m_strUser / m_strPassword / m_strCode
if(m_strUser.IsEmpty())
{
MessageBox("用户名不能为空!","提示",MB_ICONERROR | MB_OK);
// NOTE(review): the (CEdit*) cast applies to the result of SetFocus(), not
// to GetDlgItem(); harmless, but GetDlgItem(...)->SetFocus() alone is clearer.
(CEdit*)GetDlgItem(IDC_EDIT_USER)->SetFocus();
return;
}
if( m_strPassword.IsEmpty())
{
MessageBox("密码不能为空!","提示",MB_ICONERROR | MB_OK);
(CEdit*)GetDlgItem(IDC_EDIT_PASSWORD)->SetFocus();
return;
}
CString str; // accumulated response body
try
{
CInternetSession Session ;
CHttpConnection *pHttpConnect = Session.GetHttpConnection("passport.csdn.net") ;
if( pHttpConnect )
{
// NOTE(review): the request is opened with HTTP_VERB_GET although a POST
// is intended (see the hand-written "POST ..." header further down).
CHttpFile* pFile = pHttpConnect->OpenRequest( CHttpConnection::HTTP_VERB_GET,
_T("/UserLogin.aspx"),
NULL,
1,
NULL,
NULL,
INTERNET_FLAG_NO_COOKIES );
// Load the login page once so WinINet stores its cookies, then read the
// ClientKey cookie back. This inner Session shadows the outer one, and the
// file object returned by OpenURL is never closed or deleted.
CInternetSession Session;
Session.OpenURL("http://passport.csdn.net/UserLogin.aspx");
if(!Session.GetCookie("http://passport.csdn.net/UserLogin.aspx",
_T("ClientKey"),m_strCookies))
{
MessageBox("获取Cookies时出错!");
// NOTE(review): returning here leaks pHttpConnect and pFile.
return;
}
// Strip the 10-character "ClientKey=" prefix from the cookie string.
// NOTE(review): Find() returns -1 when the prefix is absent, which
// silently turns into Mid(9) instead of an error.
CString strKey = m_strCookies;
int result = strKey.Find("ClientKey=",0);
m_strClientKey = strKey.Mid(result+10);
UpdateData(TRUE); // re-reads the controls; presumably redundant after the call above
// Form body captured from a browser session. NOTE(review): __VIEWSTATE is
// a fixed value copied from one page load, and the user / password / code
// fields are concatenated without URL-encoding, so values containing
// '&', '=' or '%' break the form.
CString szFormData = "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE4NDgzMDI2NjcPFgIeCkZpbmlzaFN0YXloFgJmD2QWBAIBDxYCHgRUZXh0BQznlKjmiLfnmbvlvZVkAgIPZBYCAgMPZBYCAgEPFgIeB1Zpc2libGVoZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUeY3RsMDAkQ1BIX0NvbnRlbnQkY2JfU2F2ZVN0YXRlBR1jdGwwMCRDUEhfQ29udGVudCRJbWFnZV9Mb2dpbr5SL%2FGtMqVCJ%2FCh4jH%2FXp4DhlVU&ctl00%24CPH_Content%24tb_LoginNameOrLoginEmail="+ m_strUser +"&ctl00%24CPH_Content%24tb_Password="+ m_strPassword +"&ctl00%24CPH_Content%24tb_ExPwd="+ m_strCode +"&ClientKey="+ m_strClientKey +"&ctl00%24CPH_Content%24cb_SaveState=on&from=http%3A%2F%2Fhi.csdn.net%2Fmy.html&MailParameters=&MailParameters=&ctl00%24CPH_Content%24Image_Login.x=26&ctl00%24CPH_Content%24Image_Login.y=11";
if (pFile)
{
// NOTE(review): all of these are added as request headers. The first line
// is a request line rather than a header, and szFormData is the form body
// rather than a header; the body normally goes through SendRequest's
// lpOptional / dwOptionalLen parameters. Check Test.aspx to see what the
// server actually received.
pFile->AddRequestHeaders("POST /UserLogin.aspx HTTP/1.1\r\n");
pFile->AddRequestHeaders("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */*\r\n");
pFile->AddRequestHeaders("Referer: http://passport.csdn.net/UserLogin.aspx\r\n");
pFile->AddRequestHeaders("Accept-Language: zh-cn\r\n");
pFile->AddRequestHeaders("Content-Type: application/x-www-form-urlencoded\r\n");
pFile->AddRequestHeaders("Accept-Encoding: gzip, deflate\r\n");
pFile->AddRequestHeaders("User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; POTU(RR:28031409:0:5513822); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; CIBA)\r\n");
pFile->AddRequestHeaders("Connection: Keep-Alive\r\n");
pFile->AddRequestHeaders("Cache-Control: no-cache\r\n");
pFile->AddRequestHeaders(szFormData);
pFile->SendRequest();
// Read the returned HTML line by line
CString s ;
while (pFile->ReadString(s))
str += s ;
//MessageBox(str);
pFile->Close();
delete pFile ;
}
// Keep the raw response as Test.aspx in the current working directory
// (unlike test.tmp, which goes to the exe directory) for inspection.
CFile file;
file.Open("Test.aspx",CFile::modeCreate | CFile::modeWrite,NULL);
file.Write(str,str.GetLength());
file.Flush();
file.Close();
pHttpConnect->Close() ;
delete pHttpConnect ;
}
// Convert the response from UTF-8 to UTF-16 and then to the ANSI code page
// so MessageBox can display it. (The original comment mentioned a Sina
// page; this part was presumably copied from another project.)
// Two-call pattern: a NULL output buffer makes the API return the
// required length.
wchar_t* pWChar = NULL;
DWORD nLen1;
nLen1 = MultiByteToWideChar(CP_UTF8,0,str,str.GetLength(),pWChar,0);
pWChar = new wchar_t[nLen1 + 1];
memset(pWChar,0,(nLen1 + 1 ) * sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8,0,str,str.GetLength(),pWChar,nLen1);
char* pChar = NULL;
DWORD nLen2;
nLen2 = WideCharToMultiByte(CP_ACP,0,pWChar,nLen1,pChar,0,NULL,NULL);
pChar = new char[nLen2 + 1];
memset(pChar,0, nLen2 + 1);
WideCharToMultiByte(CP_ACP,0,pWChar,nLen1,pChar,nLen2,NULL,NULL);
// Show what the server returned for the login attempt.
// NOTE(review): pWChar and pChar are never deleted — a leak on every click.
str.Format("%s",pChar);
MessageBox(str);
}
catch( CInternetException *e )
{
// NOTE(review): the error is swallowed silently (the user sees nothing),
// and pHttpConnect / pFile allocated above are leaked on this path.
e->Delete();
}
}
(编程水平有限,其中代码并没有经过严格测试,难免有所不足,敬请谅解!)
6、源代码下载:
http://download.csdn.net/source/1740481
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/wangningyu/archive/2009/10/14/4667954.aspx