Barclays交易平台分析(FLASH逆向分析)
2016-09-30 12:05
330 查看
注意: 本文内容是我几年前所写发于贴吧,现整理于此处。
免责声明:本文仅内容作为学习交流使用,不可用于任何商业途径
分析目标 Barclays外汇贵金属交易平台
分析目的 弄清楚通讯方式
该平台是一个网页形式的交易平台,实际是用的flash
首先可以在这里随意注册模拟帐号
https://www.barclaysstockbrokers.co.uk/Accounts/BarxDirect-Contracts-For-Difference/pages/How-to-open.aspx?WT.z_link=mm_cfdaccounts
申请到帐号
DM166714
123456789
然后在此处登录
https://trade.loginandtrade.com/demoitp/siteselector_BARSTB-demo.asp
(整理时 发现最新地址为 https://trade.loginandtrade.com/barclays/#/)
IE 加载 HTTPAnalyzerFullV7 工具 并打开登录页面
下载了html页面 很多js脚本 图片等。
并且有两个flash文件(*.swf),
尝试登录 观察到flash的通讯未使用http相关
使用socket通讯拦截工具加载IE 将所有通讯内容拦截, 即既有http的内容 也有flash通讯的内容。
拦截到的通讯内容如下
由于比较熟悉 一眼就知道这些17 XX XX 是https的东西(ssl)
所以继续往下看。
这段 明显不一样的 并且通讯的IP也与前面不同
这才是 flash进行的通讯 内容是加密处理过的
接下来使用 Sothink SWF Decompiler 打开falsh文件
将所有Actionscript脚本文件(*.as)导出
as文件非常多,需要挑出有用的。
通过文本搜索工具在所有文件中搜索Socket这个字符, 得到的结果只有4个脚本文件含有
先看一下这几个文件.
sprite496.as
sprite497.as
sprite498.as
此处 SendMessage(msg) 方法 即为发送数据的地方
而数据加密 则是在此
接下来 在所有脚本文件中搜索comms.transport.Encoder
此处即为加密解密的方法 代码其实不复杂 稍加阅读 即可整理为自己的代码。
将其简单整理为java代码 并调两端密文进行测试,如下
代码成功运行并输出明文
由此 即可解密出所有的明文。
免责声明:本文仅内容作为学习交流使用,不可用于任何商业途径
分析目标 Barclays外汇贵金属交易平台
分析目的 弄清楚通讯方式
该平台是一个网页形式的交易平台,实际是用的flash
首先可以在这里随意注册模拟帐号
https://www.barclaysstockbrokers.co.uk/Accounts/BarxDirect-Contracts-For-Difference/pages/How-to-open.aspx?WT.z_link=mm_cfdaccounts
申请到帐号
DM166714
123456789
然后在此处登录
https://trade.loginandtrade.com/demoitp/siteselector_BARSTB-demo.asp
(整理时 发现最新地址为 https://trade.loginandtrade.com/barclays/#/)
IE 加载 HTTPAnalyzerFullV7 工具 并打开登录页面
下载了html页面 很多js脚本 图片等。
并且有两个flash文件(*.swf),
尝试登录 观察到flash的通讯未使用http相关
使用socket通讯拦截工具加载IE 将所有通讯内容拦截, 即既有http的内容 也有flash通讯的内容。
拦截到的通讯内容如下
由于比较熟悉 一眼就知道这些17 XX XX 是https的东西(ssl)
所以继续往下看。
这段 明显不一样的 并且通讯的IP也与前面不同
这才是 flash进行的通讯 内容是加密处理过的
接下来使用 Sothink SWF Decompiler 打开falsh文件
将所有Actionscript脚本文件(*.as)导出
as文件非常多,需要挑出有用的。
通过文本搜索工具在所有文件中搜索Socket这个字符, 得到的结果只有4个脚本文件含有
先看一下这几个文件.
sprite496.as
// Action script...
// [Initial MovieClip Act
4000
ion of sprite 496]
#initclip 111
class comms.transport.XMLTransportSocketListener
{
_global.comms.transport.XMLTransportSocketListener = function ()
{
};
} // End of Class
#endinitclipsprite497.as
// Action script...
// [Initial MovieClip Action of sprite 497]
#initclip 113
class comms.transport.XMLTransportSocket extends XMLSocket
{
var Owner;
function XMLTransportSocket(owner)
{
super();
Owner = owner;
} // End of the function
function connect(host, port)
{
return (super.connect(host, port));
} // End of the function
function onConnect(success)
{
util.Journal.trace("XMLTransportSocket: onConnect " + success);
Owner.onSocketConnect(success);
} // End of the function
function onData(src)
{
Owner.onSocketData(src);
} // End of the function
function onClose()
{
util.Journal.trace("XMLTransportSocket: onClose");
Owner.onSocketClose();
} // End of the function
} // End of Class
#endinitclipsprite498.as
// Action script...
// [Initial MovieClip Action of sprite 498]
#initclip 112
class comms.transport.XMLTransport extends comms.transport.TransportBase implements comms.transport.XMLTransportSocketListener
{
var TransportName, LinkStatus, connecting, timerId, DebugTrace, Parameters, LastError, connectStarted, OnTransportDown, OnTransportUp, OnRecvMsg;
function XMLTransport()
{
super();
TransportName = "XMLTransport";
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_IDLE;
connecting = false;
timerId = setInterval(mx.utils.Delegate.create(this, OneSecondProcessor), 1000);
} // End of the function
function Dispose()
{
clearInterval(timerId);
} // End of the function
function Start()
{
this.DebugTrace("Started");
if (Parameters == null)
{
this.DebugTrace("Server parameters missing");
LastError = "Server parameters missing";
return (false);
} // end if
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_OPENING;
connecting = true;
connectStarted = new util.DateTime();
this.DebugTrace("xmlsocket://" + Parameters.__get__address() + ":" + Parameters.__get__port());
System.security.loadPolicyFile("xmlsocket://" + Parameters.__get__address() + ":" + Parameters.__get__port());
socket = new comms.transport.XMLTransportSocket(this);
this.DebugTrace("Connecting to server " + Parameters.__get__address() + ":" + Parameters.__get__port());
if (!socket.connect(Parameters.__get__address(), Parameters.__get__port()))
{
this.DebugTrace("Error when calling socket connect");
this.SocketCleanUp();
this.OnTransportDown();
return (false);
} // end if
return (true);
} // End of the function
function SendMessage(msg)
{
var _loc4;
if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_UP)
{
this.DebugTrace("Send data when socket not ready");
_loc4 = false;
}
else
{
var _loc6 = msg.FormatForSending();
var _loc5 = comms.transport.Encoder.getInstance();
var _loc2 = "";
_loc2 = _loc5.EncodeToUTF8(_loc6);
this.DebugTrace("Sending to encoder - " + _loc2);
var _loc3 = _loc5.Encode(_loc2);
this.DebugTrace("Sending msg - " + _loc3);
socket.send(_loc3);
_loc4 = true;
} // end else if
false;
return (_loc4);
} // End of the function
function Stop()
{
if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_IDLE)
{
this.DebugTrace("Stopped");
socket.close();
this.SocketCleanUp();
this.OnTransportDown();
}
else
{
this.DebugTrace("stop when idle");
} // end else if
return (true);
} // End of the function
function OneSecondProcessor()
{
if (connecting && connectStarted.SecondsPast() > 3)
{
util.Journal.trace("Timed out connect " + Parameters.__get__address() + ":" + Parameters.__get__port());
delete this.socket;
this.OnTransportDown();
} // end if
} // End of the function
function onSocketConnect(success)
{
connecting = false;
if (success)
{
this.DebugTrace("On connect up");
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_UP;
this.OnTransportUp();
}
else
{
this.DebugTrace("On connect down " + LinkStatus);
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_DOWN;
this.OnTransportDown();
} // end else if
} // End of the function
function onSocketData(src)
{
this.DebugTrace("recving msg " + src);
if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_UP)
{
this.DebugTrace("Recved data when link status is not up");
return;
} // end if
var _loc3 = comms.transport.Encoder.getInstance();
var _loc4 = _loc3.Decode(src);
var _loc5 = _loc3.DecodeFromUTF8(_loc4);
var _loc2 = new comms.session.Message();
_loc2.UnpackMessage(_loc5);
this.OnRecvMsg(_loc2);
} // End of the function
function onSocketClose()
{
this.DebugTrace("On socket close");
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_DOWN;
this.OnTransportDown();
} // End of the function
function SocketCleanUp()
{
delete this.socket;
socket = null;
LinkStatus = comms.transport.XMLTransport.LINKSTATUS_IDLE;
} // End of the function
static var LINKSTATUS_IDLE = 0;
static var LINKSTATUS_OPENING = 1;
static var LINKSTATUS_UP = 2;
static var LINKSTATUS_DOWN = 3;
var socket = null;
} // End of Class
#endinitclip此处 SendMessage(msg) 方法 即为发送数据的地方
而数据加密 则是在此
var _loc5 = comms.transport.Encoder.getInstance(); var _loc2 = ""; _loc2 = _loc5.EncodeToUTF8(_loc6);
接下来 在所有脚本文件中搜索comms.transport.Encoder
// Action script...
// [Initial MovieClip Action of sprite 495]
#initclip 110
class comms.transport.Encoder
{
var convert2, x, y;
static var __get__Encryption, key, savedStateTable, __set__Encryption;
function Encoder()
{
} // End of the function
static function getInstance()
{
if (comms.transport.Encoder._instance == null)
{
_instance = new comms.transport.Encoder();
} // end if
return (comms.transport.Encoder._instance);
} // End of the function
static function set Encryption(encryptit)
{
Encrypt = encryptit;
//return (comms.transport.Encoder.Encryption());
null;
} // End of the function
static function AddTranslation(chr, str)
{
comms.transport.Encoder.xlateTable[chr] = str;
} // End of the function
function DecodeFromUTF8(szSource)
{
var _loc10 = szSource.length;
var _loc7 = "";
for (var _loc1 = 0; _loc1 < _loc10; ++_loc1)
{
var _loc2 = szSource.charCodeAt(_loc1);
if (_loc2 < 127)
{
_loc7 = _loc7 + String.fromCharCode(_loc2);
continue;
} // end if
var _loc4;
if (_loc2 >= 192 && _loc2 <= 223)
{
_loc4 = szSource.charCodeAt(_loc1 + 1);
_loc7 = _loc7 + String.fromCharCode((_loc2 - 192) * 64 + (_loc4 - 128));
_loc1 = _loc1 + 1;
continue;
} // end if
var _loc5;
if (_loc2 >= 224 && _loc2 <= 239)
{
_loc4 = szSource.charCodeAt(_loc1 + 1);
_loc5 = szSource.charCodeAt(_loc1 + 2);
_loc7 = _loc7 + String.fromCharCode((_loc2 - 224) * 4096 + (_loc4 - 128) * 64 + (_loc5 - 128));
_loc1 = _loc1 + 4;
continue;
} // end if
var _loc6;
if (_loc2 >= 240 && _loc2 <= 247)
{
_loc4 = szSource.charCodeAt(_loc1 + 1);
_loc5 = szSource.charCodeAt(_loc1 + 2);
_loc6 = szSource.charCodeAt(_loc1 + 3);
_loc7 = _loc7 + String.fromCharCode((_loc2 - 240) * 262144 + (_loc4 - 128) * 4096 + (_loc5 - 128) * 64 + (_loc6 - 128));
_loc1 = _loc1 + 7;
continue;
} // end if
var _loc8;
if (_loc2 >= 248 && _loc2 <= 251)
{
_loc4 = szSource.charCodeAt(_loc1 + 1);
_loc5 = szSource.charCodeAt(_loc1 + 2);
_loc6 = szSource.charCodeAt(_loc1 + 3);
_loc8 = szSource.charCodeAt(_loc1 + 4);
_loc7 = _loc7 + String.fromCharCode((_loc2 - 248) * 16777216 + (_loc4 - 128) * 262144 + (_loc5 - 128) * 4096 + (_loc6 - 128) * 64 + (_loc8 - 128));
_loc1 = _loc1 + 10;
continue;
} // end if
if (_loc2 >= 252 && _loc2 <= 253)
{
_loc4 = szSource.charCodeAt(_loc1 + 1);
_loc5 = szSource.charCodeAt(_loc1 + 2);
_loc6 = szSource.charCodeAt(_loc1 + 3);
_loc8 = szSource.charCodeAt(_loc1 + 4);
var _loc9 = szSource.charCodeAt(_loc1 + 5);
_loc7 = _loc7 + String.fromCharCode((_loc2 - 252) * 1073741824 + (_loc4 - 128) * 16777216 + (_loc5 - 128) * 262144 + (_loc6 - 128) * 4096 + (_loc8 - 128) * 64 + (_loc9 - 128));
_loc1 = _loc1 + 13;
} // end if
} // end of for
return (_loc7);
} // End of the function
function EncodeToUTF8(inputString)
{
var _loc11 = inputString.length;
var _loc7 = "";
for (var _loc9 = 0; _loc9 < _loc11; ++_loc9)
{
var _loc1 = inputString.charCodeAt(_loc9);
if (_loc1 < 128)
{
_loc7 = _loc7 + String.fromCharCode(_loc1);
continue;
} // end if
var _loc4;
var _loc3;
var _loc2;
if (_loc1 <= 2047)
{
_loc3 = 192 + _loc1 / 64;
_loc2 = 128 + _loc1 % 64;
_loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2);
_loc7 = _loc7 + _loc4;
continue;
} // end if
var _loc5;
if (_loc1 <= 65535)
{
_loc3 = 224 + _loc1 / 4096;
_loc2 = 128 + _loc1 / 64 % 64;
_loc5 = 128 + _loc1 % 64;
_loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5);
_loc7 = _loc7 + _loc4;
continue;
} // end if
var _loc6;
if (_loc1 <= 2097151)
{
_loc3 = 240 + _loc1 / 262144;
_loc2 = 128 + _loc1 / 4096 % 64;
_loc5 = 128 + _loc1 / 64 % 64;
_loc6 = 128 + _loc1 % 64;
_loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6);
_loc7 = _loc7 + _loc4;
continue;
} // end if
var _loc8;
if (_loc1 <= 67108863)
{
_loc3 = 248 + _loc1 / 16777216;
_loc2 = 128 + _loc1 / 262144 % 64;
_loc5 = 128 + _loc1 / 4096 % 64;
_loc6 = 128 + _loc1 / 64 % 64;
_loc8 = 128 + _loc1 % 64;
_loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6) + String.fromCharCode(_loc8);
_loc7 = _loc7 + _loc4;
continue;
} // end if
if (_loc1 <= 2147483647)
{
_loc3 = 252 + _loc1 / 1073741824;
_loc2 = 128 + _loc1 / 16777216 % 64;
_loc5 = 128 + _loc1 / 262144 % 64;
_loc6 = 128 + _loc1 / 4096 % 64;
_loc8 = 128 + _loc1 / 64 % 64;
var _loc10 = 128 + _loc1 % 64;
_loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6) + String.fromCharCode(_loc8) + String.fromCharCode(_loc10);
_loc7 = _loc7 + _loc4;
} // end if
} // end of for
return (_loc7);
} // End of the function
function Encode(src)
{
this.reset();
var _loc2;
var _loc3;
var _loc6 = 1;
var _loc5 = 0;
var _loc7 = "";
_loc7 = _loc7 + "0";
var _loc8 = src.length;
for (var _loc4 = 0; _loc4 < _loc8; ++_loc4)
{
_loc2 = src.charCodeAt(_loc4) ^ this.nextEncryptByte();
switch (_loc6)
{
case 1:
{
_loc3 = _loc2 >> 2;
_loc5 = _loc2 % 4;
break;
}
case 2:
{
_loc3 = (_loc5 << 4) + (_loc2 >> 4);
_loc5 = _loc2 % 16;
break;
}
case 3:
{
_loc3 = (_loc5 << 2) + (_loc2 >> 6);
_loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3);
_loc3 = _loc2 % 64;
break;
}
default:
{
trace ("Bad state");
break;
}
} // End of switch
_loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3);
_loc6 = _loc6 + 1;
if (_loc6 > 3)
{
_loc6 = 1;
} // end if
} // end of for
switch (_loc6)
{
case 1:
{
break;
}
case 2:
{
_loc3 = _loc5 << 4;
_loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3);
break;
}
case 3:
{
_loc3 = _loc5 << 2;
_loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3);
break;
}
} // End of switch
return (_loc7);
} // End of the function
function Decode(src)
{
this.reset();
var _loc3;
var _loc2;
var _loc5 = 1;
var _loc6 = "";
var _loc7 = src.length;
var _loc8 = convert2;
for (var _loc4 = 1; _loc4 < _loc7; ++_loc4)
{
_loc3 = _loc8[src.charAt(_loc4)];
if (_loc3 < 0)
{
trace ("Invalid character");
_loc3 = 0;
} // end if
switch (_loc5)
{
case 1:
{
_loc2 = _loc3 << 2;
break;
}
case 2:
{
_loc2 = _loc2 + (_loc3 >> 4);
_loc6 = _loc6 + this.DecodeByte(_loc2);
_loc2 = _loc3 % 16 << 4;
break;
}
case 3:
{
_loc2 = _loc2 + (_loc3 >> 2);
_loc6 = _loc6 + this.DecodeByte(_loc2);
_loc2 = _loc3 % 4 << 6;
break;
}
case 4:
{
_loc2 = _loc2 + _loc3;
_loc6 = _loc6 + this.DecodeByte(_loc2);
break;
}
} // End of switch
_loc5 = _loc5 + 1;
if (_loc5 > 4)
{
_loc5 = 1;
} // end if
} // end of for
return (_loc6);
} // End of the function
static function setKey(newkey)
{
if (newkey.length > comms.transport.Encoder.MAX_KEY_LEN)
{
trace ("Illegal key, greater than " + comms.transport.Encoder.MAX_KEY_LEN + "long");
return;
} // end if
key = newkey;
delete comms.transport.Encoder.savedStateTable;
} // End of the function
function reset()
{
var _loc2;
x = 0;
y = 0;
var _loc4 = comms.transport.Encoder.STATE_SIZE;
if (comms.transport.Encoder.savedStateTable == undefined)
{
savedStateTable = new Array();
var _loc6;
var _loc7;
var _loc5;
var _loc3;
for (var _loc2 = 0; _loc2 < _loc4; ++_loc2)
{
comms.transport.Encoder.savedStateTable[_loc2] = _loc2;
} // end of for
_loc5 = 0;
_loc3 = 0;
for (var _loc2 = 0; _loc2 < _loc4; ++_loc2)
{
_loc6 = comms.transport.Encoder.savedStateTable[_loc2];
_loc3 = _loc3 + comms.transport.Encoder.key[_loc5] + _loc6 & 255;
_loc7 = comms.transport.Encoder.savedStateTable[_loc3];
comms.transport.Encoder.savedStateTable[_loc3] = _loc6;
comms.transport.Encoder.savedStateTable[_loc2] = _loc7;
if (++_loc5 >= comms.transport.Encoder.key.length)
{
_loc5 = 0;
} // end if
} // end of for
convert2 = new Object();
var _loc11 = comms.transport.Encoder.convert1.length;
var _loc8;
for (var _loc2 = 0; _loc2 < _loc11; ++_loc2)
{
_loc8 = comms.transport.Encoder.convert1.charAt(_loc2);
convert2[_loc8] = _loc2;
} // end of for
} // end if
var _loc10 = stateTable;
var _loc9 = comms.transport.Encoder.savedStateTable;
for (var _loc2 = 0; _loc2 < _loc4; ++_loc2)
{
_loc10[_loc2] = _loc9[_loc2];
} // end of for
} // End of the function
function DecodeByte(theByte)
{
var _loc2 = String.fromCharCode(theByte ^ this.nextEncryptByte());
if (comms.transport.Encoder.xlateTable[_loc2] != undefined)
{
_loc2 = comms.transport.Encoder.xlateTable[_loc2];
} // end if
return (_loc2);
} // End of the function
function nextEncryptByte()
{
var _loc2 = stateTable;
var _loc4 = x + 1 & 255;
var _loc5 = _loc2[_loc4];
var _loc3 = _loc5 + y & 255;
var _loc6 = _loc2[_loc3];
x = _loc4;
y = _loc3;
_loc2[_loc3] = _loc5;
_loc2[_loc4] = _loc6;
return (_loc2[_loc5 + _loc6 & 255]);
} // End of the function
static var _instance = null;
static var convert1 = "()0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static var MAX_KEY_LEN = 16;
static var STATE_SIZE = 256;
var stateTable = new Array();
static var xlateTable = new Object();
static var Encrypt = false;
} // End of Class
#endinitclip此处即为加密解密的方法 代码其实不复杂 稍加阅读 即可整理为自己的代码。
将其简单整理为java代码 并调两端密文进行测试,如下
import java.lang.Object;
public class test{
public int x;
public int y;
public static final int STATE_SIZE = 256;
public static final int KEY_SIZE = 16;
public int[] savedStateTable = new int[STATE_SIZE];
public int[] stateTable = new int[STATE_SIZE];
public int[] keyBytes = new int[]{71, 202, 201, 105, 157, 132, 163, 238, 51, 155, 234, 159, 225, 39, 221, 128};
public int[] convert2 = new int[STATE_SIZE];
public String convert1 = "()0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
public static void main(String ars[])
{
test aObj = new test();
System.out.println(aObj.Decode("0rWdL)X9GoGaDihn(w7EvyPaAmKCij9SKIUByIqgrbCxha5X31R0t2zHVcKWMEOD3IEk(5ZgSFTTcDdumr5TKKnZG8kXczRjgB7e5bDHUSn3unSC)qBopD9Rpwp32349MD66"));
System.out.println(aObj.Decode("0rWdL)XTCoE4hv6CMuQFwUtTsmmGKmgaHIEByKaMruzQqe)yEFR0VBdS3WHf4FCaIFaAlNn)88yCX8QvnvHfQLXs37(8oYsj)FgL1idDxBXIysDeCmwBaI8stYJNBKl0iEjo01xNAbIPgZn9CYKjrmY)xF2bFwu9(L99Eq7NJeVTQybge0Iwrov1TNnVmOj9l9saJC8NXTqpgbEAy8f)OUWTY7wlXzUUPx9G1vTNLz1msfz3Pqf828fGmwL8Cnzq4xd8VYKzQHTUk41eSWEdgD0vtpnH9))SjWCjvvEwxkKgj(mKEkB8KAaOoCYkEThO8Gd8G(FY)cP)cqcNNplBRc431PvGaJzkGzcJqQha(NBlQrIbCF1FGsvQvie5WSs3F2og7kPWLrH0lnfvnxkUHQJ3bbpjWtDDuQIsjH51Xw6OhbQJLsQaNMiFbzOhyTNxt1lw8d83(LqlhWfRV)n8JBq6XaC08jRxcNhoMZeB0zYvu2NS88sVZdVPvboxYppIdhYoIoFGL26k2A(sSyhU(wIgtpQBO7J8HT5JUg6YMsk2F"));
}
public void reset()
{
int _loc2;
int _loc5;
int _loc6;
int _loc3;
int _loc7;
int _loc8;
x = 0;
y = 0;
for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++)
{
savedStateTable[_loc2] = _loc2;
}
_loc5 = 0;
_loc3 = 0;
for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++)
{
_loc6 = savedStateTable[_loc2];
_loc3 = (_loc3 + keyBytes[_loc5] + _loc6) & 255;
_loc7 = savedStateTable[_loc3];
savedStateTable[_loc3] = _loc6;
savedStateTable[_loc2] = _loc7;
_loc5++;
if (_loc5 >= KEY_SIZE)
{
_loc5 = 0;
}
}
for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++)
{
convert2[_loc2] = 0;
}
for (_loc2 = 0; _loc2 < convert1.length(); _loc2++)
{
_loc8 = convert1.charAt(_loc2);
convert2[_loc8] = _loc2;
}
for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++)
{
stateTable[_loc2] = savedStateTable[_loc2];
}
}
public int nextEncryptByte()
{
int _loc3;
int _loc4;
int _loc5;
int _loc6;
//var _loc2 = stateTable;
_loc4 = (x + 1) & 255;
_loc5 = stateTable[_loc4];
_loc3 = (_loc5 + y) & 255; //
_loc6 = stateTable[_loc3];
x = _loc4;
y = _loc3;
stateTable[_loc3] = _loc5;
stateTable[_loc4] = _loc6;
return (stateTable[(_loc5 + _loc6) & 255]);
}
public int DecodeByte(int theByte)
{
return theByte ^ nextEncryptByte();
}
public String Decode(String src)
{
reset();
String _loc6 = "";
int _loc4;
int _loc3;
int _loc5;
int _loc2;
_loc2 = 0;
_loc5 = 1;
for (_loc4 = 1; _loc4 < src.length(); _loc4++)
{
_loc3 = convert2[src.charAt(_loc4)];
switch (_loc5)
{
case 1:
_loc2 = _loc3 << 2;
break;
case 2:
_loc2 = _loc2 + (_loc3 >> 4);
_loc6 = _loc6 + (char)DecodeByte(_loc2);
_loc2 = (_loc3 % 16) << 4;
break;
case 3:
_loc2 = _loc2 + (_loc3 >> 2);
_loc6 = _loc6 + (char)DecodeByte(_loc2);
_loc2 = (_loc3 % 4) << 6;
break;
case 4:
_loc2 = _loc2 + _loc3;
_loc6 = _loc6 + (char)DecodeByte(_loc2);
break;
default:;
}
_loc5 = _loc5 + 1;
if (_loc5 > 4)
{
_loc5 = 1;
}
}
return _loc6;
}
}代码成功运行并输出明文
0L $UN DM166714 $PW 123456789 $VR V1.0 APIManager PT 1 $fver undefined $CU en-GB $CUID 69 $AO 4089 0L $PR login.asp $UN DM166714 SN 91df08d3-e30d-4eea-bed0-a5388dab1fd9 Z 1 MC 0 FN ZZZZZZ FFFFFFFFFFF TZ 26 CU en-GB MS 0 UA 1 CD CB 0 CD0 CB0 0 HE 0 CLC 400233579 CC 6 CC0 6 CDT 2,1 TAPT0 2 TAPC0 2 TAID0 400344618 TAPT1 1 TAPC1 2 TAID1 400344619 PT 3 LLD 04/07/13 08:46:07 LFA 0 LRP 1 LAS 0 LUS 0 ITM 1440 $PW 123456789 $VR V1.0 APIManager $fver undefined $CU en-GB $CUID 69 $AO 4089 $SP 443 $IP 172.25.81.254:41027
由此 即可解密出所有的明文。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- CTP综合交易平台 下单字段分析
- 【中国数据创新琅琊榜】荣之联证券行业交易日志分析平台,实力圈粉的交易数据管理中枢!
- Flash平台的分析与RIA的趋势
- 网络平台交易模式分析
- Flash平台的分析与RIA的趋势
- 一个webskin交易平台 (能下jpg的说 丷_丷)
- 基于 linux 平台的 libpcap 源代码分析
- 实例分析-在FLASH上构造JFFS2文件系统
- 应用框架的设计与实现——.NET平台(4.3 SAF代码分析)
- 应用框架的设计与实现——.NET平台(5 缓存服务.源码分析)
- UNIX/LINUX 平台可执行文件格式分析(转)
- 应用框架的设计与实现——.NET平台(4.3 SAF代码分析.源码1)
- 解读SOA平台---概念分析
- 基于 linux 平台的 libpcap 源代码分析
- 管理软件的新生存法则-平台软件趋势分析
- Flash的XMLSocket的性能分析(性能是随传递信息的加大而迅速下降的)
- UNIX/LINUX 平台可执行文件格式分析
- 根据企业信息化应用需求来分析工作流平台的选型
- UNIX-LINUX平台可执行文件格式分析
- Intel平台下linux中 ELF文件动态链接的加载、解析及实例分析(二): 函数解析与卸载