破解 4399 古剑奇侠 网页游戏
这混蛋页游的加密真是蛋疼。简单说,用了对称加密,但是key要从php获取,我模拟http请求确获取不到。
先拿到LDLoader,找到:
private function loadFile() : void { var _loc_3:String = null; var _loc_4:String = null; var _loc_5:BigInteger = null; var _loc_6:String = null; var _loc_7:BigInteger = null; var _loc_8:URLRequest = null; var _loc_9:URLVariables = null; var _loc_1:* = loaderInfo.parameters; var _loc_2:* = int(Math.random() * 5000 + 3000); this.daba = new BigInteger(_loc_2.toString(16)); this.pawa = new BigInteger(_loc_1.P);//21a1 this.wodA = new BigInteger(_loc_1.A);//5b2 _loc_8 = new URLRequest("get_dec.php"); _loc_8.method = URLRequestMethod.POST; _loc_9 = new URLVariables(); _loc_6 = _loc_1.KEY;//gjqx_key_pre_7 _loc_9.KEY = _loc_6;//gjqx_key_pre_7 _loc_5 = new BigInteger(_loc_1.G);//dd _loc_7 = _loc_5.modPow(this.daba, this.pawa);//175e m _loc_9.B = _loc_7.valueOf();//1765 _loc_8.data = _loc_9; this._urlLoader.dataFormat = URLLoaderDataFormat.VARIABLES; this._urlLoader.addEventListener(Event.COMPLETE, this.phpCompleteHandler); this._urlLoader.addEventListener(IOErrorEvent.IO_ERROR, this.ioErrorHandler); this._urlLoader.load(_loc_8); _loc_5.dispose(); _loc_5 = null; _loc_7.dispose(); _loc_7 = null; this._ping = this._ping + "ke"; return; }// end function
这段代码就是获取key的。其中他又从swf的参数获取了3个babamama什么的。
public function startUp(param1:ByteArray, param2:String, param3:int) : void { var k:BigInteger; var mk:String; var data:* = param1; var key:* = param2; var swfLen:* = param3; var mm:* = key; k = this.wodA.modPow(this.daba, this.pawa); this.appendText("\nk:" + k.valueOf()); mk = MD5.hash(k.valueOf().toString()); k.dispose(); this.appendText("\nmd5:" + mk); mm = this.getFileName(this._keylab, mk); this._okeymama = this.getFileName(this._okeymama, mk); this.wodA.dispose(); this.daba.dispose(); this.pawa.dispose(); this.appendText("\nmd5Encrypt:" + mm); this.appendText("\nmd_okey:" + this._okeymama); try { data = BytesCrypt.getInstance().decryptBytes(data, mm, 2000); this.loader.contentLoaderInfo.addEventListener(Event.COMPLETE, this.completeHandler); this.loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, this.errorHandler); this.loader.loadBytes(data, new LoaderContext(false, ApplicationDomain.currentDomain)); } catch (err:Error) { appendText("BytesCrypt error"); } return; }// end function
这段代码破解GameEntry.swf的。
下面开始破解:
CrackHelper.loadByteArray('../GameEntry.swf', function(path:String, byte:ByteArray):void { this._keylab = 'vCFWJ8YwoftT9A=='; for(var k:int = 0;k<9999;k++) { var b:ByteArray = new ByteArray; b.writeBytes(byte, 0, byte.length); var mk = MD5.hash(k.valueOf().toString()); var mm = getFileName(this._keylab, mk); try{ b = BytesCrypt.getInstance().decryptBytes(b, mm, 2000); } catch(e:Error) { continue; } if(b.length <= 50000000 && b.length > 0) trace(k, mm, byte.length); } trace('done'); });
破解完毕。
基本上他用php返回的K,+本地一个随机数modPOw运算得到的子进行混合得到解密的des秘钥。但是郁闷的是我无法模拟php请求,所以我穷举了。正好这个算法的范围不超过9999.所以找到:
2534 íG*i@öÎí 185482
3414 j8G3LgWk3h 185482
各位明白了把。