Barclays交易平台分析(FLASH逆向分析)
2016-09-30 12:05
330 查看
注意: 本文内容是我几年前所写发于贴吧,现整理于此处。
免责声明:本文仅内容作为学习交流使用,不可用于任何商业途径
分析目标 Barclays外汇贵金属交易平台
分析目的 弄清楚通讯方式
该平台是一个网页形式的交易平台,实际是用的flash
首先可以在这里随意注册模拟帐号
https://www.barclaysstockbrokers.co.uk/Accounts/BarxDirect-Contracts-For-Difference/pages/How-to-open.aspx?WT.z_link=mm_cfdaccounts
申请到帐号
DM166714
123456789
然后在此处登录
https://trade.loginandtrade.com/demoitp/siteselector_BARSTB-demo.asp
(整理时 发现最新地址为 https://trade.loginandtrade.com/barclays/#/)
IE 加载 HTTPAnalyzerFullV7 工具 并打开登录页面
下载了html页面 很多js脚本 图片等。
并且有两个flash文件(*.swf),
尝试登录 观察到flash的通讯未使用http相关
使用socket通讯拦截工具加载IE 将所有通讯内容拦截, 即既有http的内容 也有flash通讯的内容。
拦截到的通讯内容如下
由于比较熟悉 一眼就知道这些17 XX XX 是https的东西(ssl)
所以继续往下看。
这段 明显不一样的 并且通讯的IP也与前面不同
这才是 flash进行的通讯 内容是加密处理过的
接下来使用 Sothink SWF Decompiler 打开falsh文件
将所有Actionscript脚本文件(*.as)导出
as文件非常多,需要挑出有用的。
通过文本搜索工具在所有文件中搜索Socket这个字符, 得到的结果只有4个脚本文件含有
先看一下这几个文件.
sprite496.as
sprite497.as
sprite498.as
此处 SendMessage(msg) 方法 即为发送数据的地方
而数据加密 则是在此
接下来 在所有脚本文件中搜索comms.transport.Encoder
此处即为加密解密的方法 代码其实不复杂 稍加阅读 即可整理为自己的代码。
将其简单整理为java代码 并调两端密文进行测试,如下
代码成功运行并输出明文
由此 即可解密出所有的明文。
免责声明:本文仅内容作为学习交流使用,不可用于任何商业途径
分析目标 Barclays外汇贵金属交易平台
分析目的 弄清楚通讯方式
该平台是一个网页形式的交易平台,实际是用的flash
首先可以在这里随意注册模拟帐号
https://www.barclaysstockbrokers.co.uk/Accounts/BarxDirect-Contracts-For-Difference/pages/How-to-open.aspx?WT.z_link=mm_cfdaccounts
申请到帐号
DM166714
123456789
然后在此处登录
https://trade.loginandtrade.com/demoitp/siteselector_BARSTB-demo.asp
(整理时 发现最新地址为 https://trade.loginandtrade.com/barclays/#/)
IE 加载 HTTPAnalyzerFullV7 工具 并打开登录页面
下载了html页面 很多js脚本 图片等。
并且有两个flash文件(*.swf),
尝试登录 观察到flash的通讯未使用http相关
使用socket通讯拦截工具加载IE 将所有通讯内容拦截, 即既有http的内容 也有flash通讯的内容。
拦截到的通讯内容如下
由于比较熟悉 一眼就知道这些17 XX XX 是https的东西(ssl)
所以继续往下看。
这段 明显不一样的 并且通讯的IP也与前面不同
这才是 flash进行的通讯 内容是加密处理过的
接下来使用 Sothink SWF Decompiler 打开falsh文件
将所有Actionscript脚本文件(*.as)导出
as文件非常多,需要挑出有用的。
通过文本搜索工具在所有文件中搜索Socket这个字符, 得到的结果只有4个脚本文件含有
先看一下这几个文件.
sprite496.as
// Action script... // [Initial MovieClip Act 4000 ion of sprite 496] #initclip 111 class comms.transport.XMLTransportSocketListener { _global.comms.transport.XMLTransportSocketListener = function () { }; } // End of Class #endinitclip
sprite497.as
// Action script... // [Initial MovieClip Action of sprite 497] #initclip 113 class comms.transport.XMLTransportSocket extends XMLSocket { var Owner; function XMLTransportSocket(owner) { super(); Owner = owner; } // End of the function function connect(host, port) { return (super.connect(host, port)); } // End of the function function onConnect(success) { util.Journal.trace("XMLTransportSocket: onConnect " + success); Owner.onSocketConnect(success); } // End of the function function onData(src) { Owner.onSocketData(src); } // End of the function function onClose() { util.Journal.trace("XMLTransportSocket: onClose"); Owner.onSocketClose(); } // End of the function } // End of Class #endinitclip
sprite498.as
// Action script... // [Initial MovieClip Action of sprite 498] #initclip 112 class comms.transport.XMLTransport extends comms.transport.TransportBase implements comms.transport.XMLTransportSocketListener { var TransportName, LinkStatus, connecting, timerId, DebugTrace, Parameters, LastError, connectStarted, OnTransportDown, OnTransportUp, OnRecvMsg; function XMLTransport() { super(); TransportName = "XMLTransport"; LinkStatus = comms.transport.XMLTransport.LINKSTATUS_IDLE; connecting = false; timerId = setInterval(mx.utils.Delegate.create(this, OneSecondProcessor), 1000); } // End of the function function Dispose() { clearInterval(timerId); } // End of the function function Start() { this.DebugTrace("Started"); if (Parameters == null) { this.DebugTrace("Server parameters missing"); LastError = "Server parameters missing"; return (false); } // end if LinkStatus = comms.transport.XMLTransport.LINKSTATUS_OPENING; connecting = true; connectStarted = new util.DateTime(); this.DebugTrace("xmlsocket://" + Parameters.__get__address() + ":" + Parameters.__get__port()); System.security.loadPolicyFile("xmlsocket://" + Parameters.__get__address() + ":" + Parameters.__get__port()); socket = new comms.transport.XMLTransportSocket(this); this.DebugTrace("Connecting to server " + Parameters.__get__address() + ":" + Parameters.__get__port()); if (!socket.connect(Parameters.__get__address(), Parameters.__get__port())) { this.DebugTrace("Error when calling socket connect"); this.SocketCleanUp(); this.OnTransportDown(); return (false); } // end if return (true); } // End of the function function SendMessage(msg) { var _loc4; if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_UP) { this.DebugTrace("Send data when socket not ready"); _loc4 = false; } else { var _loc6 = msg.FormatForSending(); var _loc5 = comms.transport.Encoder.getInstance(); var _loc2 = ""; _loc2 = _loc5.EncodeToUTF8(_loc6); this.DebugTrace("Sending to encoder - " + _loc2); var _loc3 = _loc5.Encode(_loc2); this.DebugTrace("Sending msg - " + _loc3); socket.send(_loc3); _loc4 = true; } // end else if false; return (_loc4); } // End of the function function Stop() { if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_IDLE) { this.DebugTrace("Stopped"); socket.close(); this.SocketCleanUp(); this.OnTransportDown(); } else { this.DebugTrace("stop when idle"); } // end else if return (true); } // End of the function function OneSecondProcessor() { if (connecting && connectStarted.SecondsPast() > 3) { util.Journal.trace("Timed out connect " + Parameters.__get__address() + ":" + Parameters.__get__port()); delete this.socket; this.OnTransportDown(); } // end if } // End of the function function onSocketConnect(success) { connecting = false; if (success) { this.DebugTrace("On connect up"); LinkStatus = comms.transport.XMLTransport.LINKSTATUS_UP; this.OnTransportUp(); } else { this.DebugTrace("On connect down " + LinkStatus); LinkStatus = comms.transport.XMLTransport.LINKSTATUS_DOWN; this.OnTransportDown(); } // end else if } // End of the function function onSocketData(src) { this.DebugTrace("recving msg " + src); if (LinkStatus != comms.transport.XMLTransport.LINKSTATUS_UP) { this.DebugTrace("Recved data when link status is not up"); return; } // end if var _loc3 = comms.transport.Encoder.getInstance(); var _loc4 = _loc3.Decode(src); var _loc5 = _loc3.DecodeFromUTF8(_loc4); var _loc2 = new comms.session.Message(); _loc2.UnpackMessage(_loc5); this.OnRecvMsg(_loc2); } // End of the function function onSocketClose() { this.DebugTrace("On socket close"); LinkStatus = comms.transport.XMLTransport.LINKSTATUS_DOWN; this.OnTransportDown(); } // End of the function function SocketCleanUp() { delete this.socket; socket = null; LinkStatus = comms.transport.XMLTransport.LINKSTATUS_IDLE; } // End of the function static var LINKSTATUS_IDLE = 0; static var LINKSTATUS_OPENING = 1; static var LINKSTATUS_UP = 2; static var LINKSTATUS_DOWN = 3; var socket = null; } // End of Class #endinitclip
此处 SendMessage(msg) 方法 即为发送数据的地方
而数据加密 则是在此
var _loc5 = comms.transport.Encoder.getInstance(); var _loc2 = ""; _loc2 = _loc5.EncodeToUTF8(_loc6);
接下来 在所有脚本文件中搜索comms.transport.Encoder
// Action script... // [Initial MovieClip Action of sprite 495] #initclip 110 class comms.transport.Encoder { var convert2, x, y; static var __get__Encryption, key, savedStateTable, __set__Encryption; function Encoder() { } // End of the function static function getInstance() { if (comms.transport.Encoder._instance == null) { _instance = new comms.transport.Encoder(); } // end if return (comms.transport.Encoder._instance); } // End of the function static function set Encryption(encryptit) { Encrypt = encryptit; //return (comms.transport.Encoder.Encryption()); null; } // End of the function static function AddTranslation(chr, str) { comms.transport.Encoder.xlateTable[chr] = str; } // End of the function function DecodeFromUTF8(szSource) { var _loc10 = szSource.length; var _loc7 = ""; for (var _loc1 = 0; _loc1 < _loc10; ++_loc1) { var _loc2 = szSource.charCodeAt(_loc1); if (_loc2 < 127) { _loc7 = _loc7 + String.fromCharCode(_loc2); continue; } // end if var _loc4; if (_loc2 >= 192 && _loc2 <= 223) { _loc4 = szSource.charCodeAt(_loc1 + 1); _loc7 = _loc7 + String.fromCharCode((_loc2 - 192) * 64 + (_loc4 - 128)); _loc1 = _loc1 + 1; continue; } // end if var _loc5; if (_loc2 >= 224 && _loc2 <= 239) { _loc4 = szSource.charCodeAt(_loc1 + 1); _loc5 = szSource.charCodeAt(_loc1 + 2); _loc7 = _loc7 + String.fromCharCode((_loc2 - 224) * 4096 + (_loc4 - 128) * 64 + (_loc5 - 128)); _loc1 = _loc1 + 4; continue; } // end if var _loc6; if (_loc2 >= 240 && _loc2 <= 247) { _loc4 = szSource.charCodeAt(_loc1 + 1); _loc5 = szSource.charCodeAt(_loc1 + 2); _loc6 = szSource.charCodeAt(_loc1 + 3); _loc7 = _loc7 + String.fromCharCode((_loc2 - 240) * 262144 + (_loc4 - 128) * 4096 + (_loc5 - 128) * 64 + (_loc6 - 128)); _loc1 = _loc1 + 7; continue; } // end if var _loc8; if (_loc2 >= 248 && _loc2 <= 251) { _loc4 = szSource.charCodeAt(_loc1 + 1); _loc5 = szSource.charCodeAt(_loc1 + 2); _loc6 = szSource.charCodeAt(_loc1 + 3); _loc8 = szSource.charCodeAt(_loc1 + 4); _loc7 = _loc7 + String.fromCharCode((_loc2 - 248) * 16777216 + (_loc4 - 128) * 262144 + (_loc5 - 128) * 4096 + (_loc6 - 128) * 64 + (_loc8 - 128)); _loc1 = _loc1 + 10; continue; } // end if if (_loc2 >= 252 && _loc2 <= 253) { _loc4 = szSource.charCodeAt(_loc1 + 1); _loc5 = szSource.charCodeAt(_loc1 + 2); _loc6 = szSource.charCodeAt(_loc1 + 3); _loc8 = szSource.charCodeAt(_loc1 + 4); var _loc9 = szSource.charCodeAt(_loc1 + 5); _loc7 = _loc7 + String.fromCharCode((_loc2 - 252) * 1073741824 + (_loc4 - 128) * 16777216 + (_loc5 - 128) * 262144 + (_loc6 - 128) * 4096 + (_loc8 - 128) * 64 + (_loc9 - 128)); _loc1 = _loc1 + 13; } // end if } // end of for return (_loc7); } // End of the function function EncodeToUTF8(inputString) { var _loc11 = inputString.length; var _loc7 = ""; for (var _loc9 = 0; _loc9 < _loc11; ++_loc9) { var _loc1 = inputString.charCodeAt(_loc9); if (_loc1 < 128) { _loc7 = _loc7 + String.fromCharCode(_loc1); continue; } // end if var _loc4; var _loc3; var _loc2; if (_loc1 <= 2047) { _loc3 = 192 + _loc1 / 64; _loc2 = 128 + _loc1 % 64; _loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2); _loc7 = _loc7 + _loc4; continue; } // end if var _loc5; if (_loc1 <= 65535) { _loc3 = 224 + _loc1 / 4096; _loc2 = 128 + _loc1 / 64 % 64; _loc5 = 128 + _loc1 % 64; _loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5); _loc7 = _loc7 + _loc4; continue; } // end if var _loc6; if (_loc1 <= 2097151) { _loc3 = 240 + _loc1 / 262144; _loc2 = 128 + _loc1 / 4096 % 64; _loc5 = 128 + _loc1 / 64 % 64; _loc6 = 128 + _loc1 % 64; _loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6); _loc7 = _loc7 + _loc4; continue; } // end if var _loc8; if (_loc1 <= 67108863) { _loc3 = 248 + _loc1 / 16777216; _loc2 = 128 + _loc1 / 262144 % 64; _loc5 = 128 + _loc1 / 4096 % 64; _loc6 = 128 + _loc1 / 64 % 64; _loc8 = 128 + _loc1 % 64; _loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6) + String.fromCharCode(_loc8); _loc7 = _loc7 + _loc4; continue; } // end if if (_loc1 <= 2147483647) { _loc3 = 252 + _loc1 / 1073741824; _loc2 = 128 + _loc1 / 16777216 % 64; _loc5 = 128 + _loc1 / 262144 % 64; _loc6 = 128 + _loc1 / 4096 % 64; _loc8 = 128 + _loc1 / 64 % 64; var _loc10 = 128 + _loc1 % 64; _loc4 = String.fromCharCode(_loc3) + String.fromCharCode(_loc2) + String.fromCharCode(_loc5) + String.fromCharCode(_loc6) + String.fromCharCode(_loc8) + String.fromCharCode(_loc10); _loc7 = _loc7 + _loc4; } // end if } // end of for return (_loc7); } // End of the function function Encode(src) { this.reset(); var _loc2; var _loc3; var _loc6 = 1; var _loc5 = 0; var _loc7 = ""; _loc7 = _loc7 + "0"; var _loc8 = src.length; for (var _loc4 = 0; _loc4 < _loc8; ++_loc4) { _loc2 = src.charCodeAt(_loc4) ^ this.nextEncryptByte(); switch (_loc6) { case 1: { _loc3 = _loc2 >> 2; _loc5 = _loc2 % 4; break; } case 2: { _loc3 = (_loc5 << 4) + (_loc2 >> 4); _loc5 = _loc2 % 16; break; } case 3: { _loc3 = (_loc5 << 2) + (_loc2 >> 6); _loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3); _loc3 = _loc2 % 64; break; } default: { trace ("Bad state"); break; } } // End of switch _loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3); _loc6 = _loc6 + 1; if (_loc6 > 3) { _loc6 = 1; } // end if } // end of for switch (_loc6) { case 1: { break; } case 2: { _loc3 = _loc5 << 4; _loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3); break; } case 3: { _loc3 = _loc5 << 2; _loc7 = _loc7 + comms.transport.Encoder.convert1.charAt(_loc3); break; } } // End of switch return (_loc7); } // End of the function function Decode(src) { this.reset(); var _loc3; var _loc2; var _loc5 = 1; var _loc6 = ""; var _loc7 = src.length; var _loc8 = convert2; for (var _loc4 = 1; _loc4 < _loc7; ++_loc4) { _loc3 = _loc8[src.charAt(_loc4)]; if (_loc3 < 0) { trace ("Invalid character"); _loc3 = 0; } // end if switch (_loc5) { case 1: { _loc2 = _loc3 << 2; break; } case 2: { _loc2 = _loc2 + (_loc3 >> 4); _loc6 = _loc6 + this.DecodeByte(_loc2); _loc2 = _loc3 % 16 << 4; break; } case 3: { _loc2 = _loc2 + (_loc3 >> 2); _loc6 = _loc6 + this.DecodeByte(_loc2); _loc2 = _loc3 % 4 << 6; break; } case 4: { _loc2 = _loc2 + _loc3; _loc6 = _loc6 + this.DecodeByte(_loc2); break; } } // End of switch _loc5 = _loc5 + 1; if (_loc5 > 4) { _loc5 = 1; } // end if } // end of for return (_loc6); } // End of the function static function setKey(newkey) { if (newkey.length > comms.transport.Encoder.MAX_KEY_LEN) { trace ("Illegal key, greater than " + comms.transport.Encoder.MAX_KEY_LEN + "long"); return; } // end if key = newkey; delete comms.transport.Encoder.savedStateTable; } // End of the function function reset() { var _loc2; x = 0; y = 0; var _loc4 = comms.transport.Encoder.STATE_SIZE; if (comms.transport.Encoder.savedStateTable == undefined) { savedStateTable = new Array(); var _loc6; var _loc7; var _loc5; var _loc3; for (var _loc2 = 0; _loc2 < _loc4; ++_loc2) { comms.transport.Encoder.savedStateTable[_loc2] = _loc2; } // end of for _loc5 = 0; _loc3 = 0; for (var _loc2 = 0; _loc2 < _loc4; ++_loc2) { _loc6 = comms.transport.Encoder.savedStateTable[_loc2]; _loc3 = _loc3 + comms.transport.Encoder.key[_loc5] + _loc6 & 255; _loc7 = comms.transport.Encoder.savedStateTable[_loc3]; comms.transport.Encoder.savedStateTable[_loc3] = _loc6; comms.transport.Encoder.savedStateTable[_loc2] = _loc7; if (++_loc5 >= comms.transport.Encoder.key.length) { _loc5 = 0; } // end if } // end of for convert2 = new Object(); var _loc11 = comms.transport.Encoder.convert1.length; var _loc8; for (var _loc2 = 0; _loc2 < _loc11; ++_loc2) { _loc8 = comms.transport.Encoder.convert1.charAt(_loc2); convert2[_loc8] = _loc2; } // end of for } // end if var _loc10 = stateTable; var _loc9 = comms.transport.Encoder.savedStateTable; for (var _loc2 = 0; _loc2 < _loc4; ++_loc2) { _loc10[_loc2] = _loc9[_loc2]; } // end of for } // End of the function function DecodeByte(theByte) { var _loc2 = String.fromCharCode(theByte ^ this.nextEncryptByte()); if (comms.transport.Encoder.xlateTable[_loc2] != undefined) { _loc2 = comms.transport.Encoder.xlateTable[_loc2]; } // end if return (_loc2); } // End of the function function nextEncryptByte() { var _loc2 = stateTable; var _loc4 = x + 1 & 255; var _loc5 = _loc2[_loc4]; var _loc3 = _loc5 + y & 255; var _loc6 = _loc2[_loc3]; x = _loc4; y = _loc3; _loc2[_loc3] = _loc5; _loc2[_loc4] = _loc6; return (_loc2[_loc5 + _loc6 & 255]); } // End of the function static var _instance = null; static var convert1 = "()0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; static var MAX_KEY_LEN = 16; static var STATE_SIZE = 256; var stateTable = new Array(); static var xlateTable = new Object(); static var Encrypt = false; } // End of Class #endinitclip
此处即为加密解密的方法 代码其实不复杂 稍加阅读 即可整理为自己的代码。
将其简单整理为java代码 并调两端密文进行测试,如下
import java.lang.Object; public class test{ public int x; public int y; public static final int STATE_SIZE = 256; public static final int KEY_SIZE = 16; public int[] savedStateTable = new int[STATE_SIZE]; public int[] stateTable = new int[STATE_SIZE]; public int[] keyBytes = new int[]{71, 202, 201, 105, 157, 132, 163, 238, 51, 155, 234, 159, 225, 39, 221, 128}; public int[] convert2 = new int[STATE_SIZE]; public String convert1 = "()0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; public static void main(String ars[]) { test aObj = new test(); System.out.println(aObj.Decode("0rWdL)X9GoGaDihn(w7EvyPaAmKCij9SKIUByIqgrbCxha5X31R0t2zHVcKWMEOD3IEk(5ZgSFTTcDdumr5TKKnZG8kXczRjgB7e5bDHUSn3unSC)qBopD9Rpwp32349MD66")); System.out.println(aObj.Decode("0rWdL)XTCoE4hv6CMuQFwUtTsmmGKmgaHIEByKaMruzQqe)yEFR0VBdS3WHf4FCaIFaAlNn)88yCX8QvnvHfQLXs37(8oYsj)FgL1idDxBXIysDeCmwBaI8stYJNBKl0iEjo01xNAbIPgZn9CYKjrmY)xF2bFwu9(L99Eq7NJeVTQybge0Iwrov1TNnVmOj9l9saJC8NXTqpgbEAy8f)OUWTY7wlXzUUPx9G1vTNLz1msfz3Pqf828fGmwL8Cnzq4xd8VYKzQHTUk41eSWEdgD0vtpnH9))SjWCjvvEwxkKgj(mKEkB8KAaOoCYkEThO8Gd8G(FY)cP)cqcNNplBRc431PvGaJzkGzcJqQha(NBlQrIbCF1FGsvQvie5WSs3F2og7kPWLrH0lnfvnxkUHQJ3bbpjWtDDuQIsjH51Xw6OhbQJLsQaNMiFbzOhyTNxt1lw8d83(LqlhWfRV)n8JBq6XaC08jRxcNhoMZeB0zYvu2NS88sVZdVPvboxYppIdhYoIoFGL26k2A(sSyhU(wIgtpQBO7J8HT5JUg6YMsk2F")); } public void reset() { int _loc2; int _loc5; int _loc6; int _loc3; int _loc7; int _loc8; x = 0; y = 0; for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++) { savedStateTable[_loc2] = _loc2; } _loc5 = 0; _loc3 = 0; for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++) { _loc6 = savedStateTable[_loc2]; _loc3 = (_loc3 + keyBytes[_loc5] + _loc6) & 255; _loc7 = savedStateTable[_loc3]; savedStateTable[_loc3] = _loc6; savedStateTable[_loc2] = _loc7; _loc5++; if (_loc5 >= KEY_SIZE) { _loc5 = 0; } } for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++) { convert2[_loc2] = 0; } for (_loc2 = 0; _loc2 < convert1.length(); _loc2++) { _loc8 = convert1.charAt(_loc2); convert2[_loc8] = _loc2; } for (_loc2 = 0; _loc2 < STATE_SIZE;_loc2++) { stateTable[_loc2] = savedStateTable[_loc2]; } } public int nextEncryptByte() { int _loc3; int _loc4; int _loc5; int _loc6; //var _loc2 = stateTable; _loc4 = (x + 1) & 255; _loc5 = stateTable[_loc4]; _loc3 = (_loc5 + y) & 255; // _loc6 = stateTable[_loc3]; x = _loc4; y = _loc3; stateTable[_loc3] = _loc5; stateTable[_loc4] = _loc6; return (stateTable[(_loc5 + _loc6) & 255]); } public int DecodeByte(int theByte) { return theByte ^ nextEncryptByte(); } public String Decode(String src) { reset(); String _loc6 = ""; int _loc4; int _loc3; int _loc5; int _loc2; _loc2 = 0; _loc5 = 1; for (_loc4 = 1; _loc4 < src.length(); _loc4++) { _loc3 = convert2[src.charAt(_loc4)]; switch (_loc5) { case 1: _loc2 = _loc3 << 2; break; case 2: _loc2 = _loc2 + (_loc3 >> 4); _loc6 = _loc6 + (char)DecodeByte(_loc2); _loc2 = (_loc3 % 16) << 4; break; case 3: _loc2 = _loc2 + (_loc3 >> 2); _loc6 = _loc6 + (char)DecodeByte(_loc2); _loc2 = (_loc3 % 4) << 6; break; case 4: _loc2 = _loc2 + _loc3; _loc6 = _loc6 + (char)DecodeByte(_loc2); break; default:; } _loc5 = _loc5 + 1; if (_loc5 > 4) { _loc5 = 1; } } return _loc6; } }
代码成功运行并输出明文
0L $UN DM166714 $PW 123456789 $VR V1.0 APIManager PT 1 $fver undefined $CU en-GB $CUID 69 $AO 4089 0L $PR login.asp $UN DM166714 SN 91df08d3-e30d-4eea-bed0-a5388dab1fd9 Z 1 MC 0 FN ZZZZZZ FFFFFFFFFFF TZ 26 CU en-GB MS 0 UA 1 CD CB 0 CD0 CB0 0 HE 0 CLC 400233579 CC 6 CC0 6 CDT 2,1 TAPT0 2 TAPC0 2 TAID0 400344618 TAPT1 1 TAPC1 2 TAID1 400344619 PT 3 LLD 04/07/13 08:46:07 LFA 0 LRP 1 LAS 0 LUS 0 ITM 1440 $PW 123456789 $VR V1.0 APIManager $fver undefined $CU en-GB $CUID 69 $AO 4089 $SP 443 $IP 172.25.81.254:41027
由此 即可解密出所有的明文。
相关文章推荐
- CTP综合交易平台 下单字段分析
- 【中国数据创新琅琊榜】荣之联证券行业交易日志分析平台,实力圈粉的交易数据管理中枢!
- Flash平台的分析与RIA的趋势
- 网络平台交易模式分析
- Flash平台的分析与RIA的趋势
- 一个webskin交易平台 (能下jpg的说 丷_丷)
- 基于 linux 平台的 libpcap 源代码分析
- 实例分析-在FLASH上构造JFFS2文件系统
- 应用框架的设计与实现——.NET平台(4.3 SAF代码分析)
- 应用框架的设计与实现——.NET平台(5 缓存服务.源码分析)
- UNIX/LINUX 平台可执行文件格式分析(转)
- 应用框架的设计与实现——.NET平台(4.3 SAF代码分析.源码1)
- 解读SOA平台---概念分析
- 基于 linux 平台的 libpcap 源代码分析
- 管理软件的新生存法则-平台软件趋势分析
- Flash的XMLSocket的性能分析(性能是随传递信息的加大而迅速下降的)
- UNIX/LINUX 平台可执行文件格式分析
- 根据企业信息化应用需求来分析工作流平台的选型
- UNIX-LINUX平台可执行文件格式分析
- Intel平台下linux中 ELF文件动态链接的加载、解析及实例分析(二): 函数解析与卸载