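Archive: March 2013

Reproducing the Qiangzhi academic affairs management system's encryption process in PHP

This started as a request for help, but I ended up solving it myself.

Overview

The academic affairs system is at http://jwxt.whsw.cn/. You will find that you can only log in with IE; damn it, neither Chrome nor Firefox is supported. Logging in with any other browser reports a wrong password, because the page encrypts the password on the front end before talking to the server. The encryption uses both JS and VBS; other browsers can only run the JS encryption and do not support the VBS step, so the encryption is incomplete and the login reports a wrong password. Sigh, this system is just too old: its last update was in 2005. I can't even be bothered to complain.

Reproducing the JS encryption

Original routine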

var pwd = theform.PassWord.value;
var rndNum = 394058;
rndNum = rndNum.toString();
var curPos = 0;
var tmpStr,EnCryptStr = "";
for(Cnt=0;Cnt<pwd.length;Cnt++){
  if(Cnt % rndNum.length == 0 ) curPos = 0;
  tmpStr = pwd.substring(Cnt,Cnt+1);
  EnCryptStr += String.fromCharCode(tmpStr.charCodeAt(0) - Cnt - rndNum.substring(curPos,curPos+1));
  curPos +=1;
}
theform.PassWord.value = EnCryptStr;//Assigned the EncryptPassword value to the PassWord TextFiled
theform.EnRndNum.value = rndNum;

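Reproduction in PHP

<?php
$pwd = "";            // plaintext password
$rndNum = "394058";   // same constant as in the JS above
$curPos = 0;
$tmpStr = "";
$EnCryptStr = "";
for ($Cnt = 0; $Cnt < strlen($pwd); $Cnt++) {
  // restart at the first digit of $rndNum every strlen($rndNum) characters
  if ($Cnt % strlen($rndNum) == 0) $curPos = 0;
  $tmpStr = substr($pwd, $Cnt, 1);
  // character code minus position minus the current digit of $rndNum
  $EnCryptStr = $EnCryptStr . fromCharCode(charCodeAt($tmpStr) - $Cnt - (int) substr($rndNum, $curPos, 1));
  $curPos += 1;
}
echo $EnCryptStr;
echo '<br>';
echo $rndNum;
echo '<br>';
// EncryptString() is the PHP port of the VBS function, shown further down
echo EncryptString($EnCryptStr);

// PHP counterpart of JavaScript's String.fromCharCode()
function fromCharCode($codes) {
  if (is_scalar($codes)) $codes = func_get_args();
  $str = '';
  foreach ($codes as $code) $str .= chr($code);
  return $str;
}

// PHP counterpart of JavaScript's charCodeAt(): a single byte yields its
// ordinal value, a three-byte UTF-8 sequence yields its code point
function charCodeAt($word) {
  if (is_array($word))
    $arr = $word;
  else
    $arr = str_split($word);
  $bin_str = '';
  foreach ($arr as $value)
    $bin_str .= decbin(ord($value));
  $bin_str = preg_replace('/^.{4}(.{4}).{2}(.{6}).{2}(.{6})$/', '$1$2$3', $bin_str);
  return bindec($bin_str);
}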

Reproducing the VBS encryption

Original function

Function EncryptString(InputText , ThePassword ) ' encrypt the user password
  Dim il_bit, il_x, il_y, il_z, il_len, i
  Dim is_out
  Password = InputText
  il_len = Len(Password)
  il_x = 0
  il_y = 0
  is_out = ""

  For i = 1 To il_len
    il_bit = AscW(Mid(Password, i, 1)) ' the W variants support Unicode
    il_y = (il_bit * 13 Mod 256) + il_x
    is_out = is_out & ChrW(Fix(il_y)) ' truncate; Int vs. Fix: Fix corrects for negative numbers
    il_x = il_bit * 13 / 256
  Next

  is_out = is_out & ChrW(Fix(il_x))
  Password = is_out
  il_len = Len(Password)
  il_x = 0
  il_y = 0
  is_out = ""

  For i = 1 To il_len
    il_bit = AscW(Mid(Password, i, 1)) ' take the high 4 bits
    il_y = il_bit / 16 + 64
    is_out = is_out & ChrW(Fix(il_y)) ' take the low 4 bits
    il_y = (il_bit Mod 16) + 64
    is_out = is_out & ChrW(Fix(il_y))
  Next

  EncryptString = is_out
End Function

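Reproduction in PHP

function EncryptString($Password) {    // front-end password encryption
  $il_len = strlen($Password);
  $il_x = 0;
  $il_y = 0;
  $is_out = "";

  // first pass: multiply each byte by 13, carry the overflow into the next character
  for ($i = 0; $i < $il_len; $i++) {
    $il_bit = ord(substr($Password, $i, 1));
    $il_y = ($il_bit * 13 % 256) + $il_x;
    $is_out = $is_out . chr(fix($il_y));
    $il_x = $il_bit * 13 / 256;
  }

  // the carry of the last character becomes one extra character
  $is_out = $is_out . chr(fix($il_x));
  $Password = $is_out;
  $il_len = strlen($Password);
  $il_x = 0;
  $il_y = 0;
  $is_out = "";

  // second pass: split each character into two output characters, each offset by 64
  for ($i = 0; $i < $il_len; $i++) {
    $il_bit = ord(substr($Password, $i, 1));
    $il_y = $il_bit / 16 + 64;          // high 4 bits
    $is_out = $is_out . chr(fix($il_y));
    $il_y = ($il_bit % 16) + 64;        // low 4 bits
    $is_out = $is_out . chr(fix($il_y));
  }

  return $is_out;
}

// VBScript Fix(): truncate toward zero (floor() alone rounds negative values down)
function fix($il_y) {
  if ($il_y < 0) {
    return (int) ceil($il_y);
  } else {
    return (int) floor($il_y);
  }
}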

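With that, PHP perfectly reproduces both encryption routines, and simulating the login from here is simple.
Damn it, that took a whole afternoon of debugging, aaaaargh...

  • 2013.7.06 update: in the second encryption function, floor cannot fully reproduce the Fix function, so I defined a custom fix function.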
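
The PHP port above builds the intermediate string with chr(), which keeps only the low 8 bits of each value, whereas VBScript's ChrW and AscW carry the whole number into the second pass. The following is an added example, not code from the original post: it runs both passes with and without that 8-bit wrap and lists the inputs whose output changes. The names vbFix, encryptBothPasses and divergentInputs and the sample strings are constructed for illustration.

```php
<?php
// Added example, not the original author's code; all names are hypothetical.

// VBScript Fix(): truncate toward zero.
function vbFix(float $v): int {
    return (int) ($v < 0 ? ceil($v) : floor($v));
}

// Both passes of EncryptString over a byte string.
// $byteWrap = true : first-pass values are cut to 8 bits, as chr() does.
// $byteWrap = false: first-pass values are kept whole, as ChrW/AscW do.
function encryptBothPasses(string $input, bool $byteWrap): string {
    $codes = [];
    $carry = 0.0;
    for ($i = 0, $n = strlen($input); $i < $n; $i++) {
        $bit = ord($input[$i]);
        $y = vbFix(($bit * 13) % 256 + $carry);
        $codes[] = $byteWrap ? ($y & 0xFF) : $y;
        $carry = $bit * 13 / 256;
    }
    $last = vbFix($carry);
    $codes[] = $byteWrap ? ($last & 0xFF) : $last;

    $out = '';
    foreach ($codes as $c) {
        $out .= chr(vbFix($c / 16 + 64)); // value divided by 16, offset by 64
        $out .= chr(($c % 16) + 64);      // low 4 bits, offset by 64
    }
    return $out;
}

// Return the inputs whose output depends on the 8-bit wrap.
function divergentInputs(array $samples): array {
    $diff = [];
    foreach ($samples as $s) {
        $a = encryptBothPasses($s, true);
        $b = encryptBothPasses($s, false);
        if ($a !== $b) {
            $diff[$s] = ['byte' => $a, 'codepoint' => $b];
        }
    }
    return $diff;
}

// Constructed inputs to EncryptString; ";" (59) gives 59 * 13 % 256 = 255.
$samples = ['abc123', 'a;', 'pass;word', 'hello'];
foreach (divergentInputs($samples) as $in => $out) {
    printf("%-10s chr: %s  ChrW: %s\n", $in, $out['byte'], $out['codepoint']);
}
```

An input is reported whenever a first-pass value exceeds 255, which the sum of (code * 13 Mod 256) and the carry from the previous character can reach.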