前言
海鲜市场买了一VN007+,然后了解到这个东西还有改串和锁频和锁小区功能,但是这个需要超级密码。
然后这个超级密码目前网上只找到一个在线的计算器,本来还有第二个在线计算器,但是那个网站挂了。
找不到第二个可用网站,故寻找一下算法,然后发现 C83blog 写的一片文章,然后就顺着这个思路继续下去找到了/usr/lib/libcfgapi.so 以及tz_create_web_superkey 方法,顺便反编译了一下,然后修改成Js代码并将其“开源”
根据博文提示找到两个生成key的方法
IDA反编译生成的代码
tz_create_web_superkey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| signed __int64 __fastcall tz_create_web_superkey(__int64 a1, __int64 a2)
{
__int64 v3;
__int64 v4;
signed int j;
signed int i;
unsigned int v7;
v4 = a1;
v3 = a2;
if ( (unsigned int)strlen(a1) != 15 )
return 0xFFFFFFFFLL;
if ( !(unsigned int)is_all_number() )
return 4294967294LL;
v7 = 1;
for ( i = 0; i <= 9; ++i )
{
for ( j = 0; j < 15; ++j )
{
if ( v7 > 0xFFFFFF )
v7 = ~v7 & 0xFFFFFF;
v7 += *(unsigned __int8 *)(v4 + (j + i) % 15) * ((i + 1) * (j + 1) & 0xFF);
}
if ( v7 > 0xFFFFFF )
v7 = ~v7 & 0xFFFFFF;
v7 = 283 * v7 & 0x3F;
*(_BYTE *)(v3 + i) = aUph2Iqu7aish6a[v7];
}
return 0LL;
}
|
对应的数组
1
| aUph2Iqu7aish6a DCB "uph2!iqu7aish#6ahk@6Aed^ee6utha_u?rohgh1i-eHaey3ieY=0jiJah%z4ou2"
|
改造的
js版tz_create_web_superkey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| const aUph2Iqu7aish6a = "uph2!iqu7aish#6ahk@6Aed^ee6utha_u?rohgh1i-eHaey3ieY=0jiJah%z4ou2";
function tz_create_web_superkey(a1) {
let v4 = a1;
let v3 = [];
let v7 = 1;
for (let i = 0; i <= 9; i++) {
for (let j = 0; j < 15; j++) {
if (v7 > 0xFFFFFF) {
v7 = ~v7 & 0xFFFFFF;
}
v7 += v4.charCodeAt((j + i) % 15) * ((i + 1) * (j + 1) & 0xFF);
if (v7 > 0xFFFFFF) {
v7 = ~v7 & 0xFFFFFF;
}
}
v7 = (283 * v7) & 0x3F;
v3[i]= aUph2Iqu7aish6a[v7];
}
return v3.join("");
}
console.log(tz_create_web_superkey('000000000000001'))
console.log(tz_create_web_superkey('000000000000002'))
console.log(tz_create_web_superkey('000000000000003'))
|
跟【墨天逸— 007+IMEI超密计算器】生成的码是一样的,【墨天逸— 007+IMEI超密计算器】生成的码是可以直接登录的,所以算是成功了。
另外一个方法,不知道有没有用
tz_create_telnet_superkey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| signed __int64 __fastcall tz_create_telnet_superkey(__int64 a1, __int64 a2)
{
__int64 v3;
__int64 v4;
__int64 v5;
int v6;
int j;
int i;
unsigned int v9;
v3 = a2;
v4 = 0LL;
v5 = 0LL;
if ( !(unsigned int)check_special_char_and_change_capital() )
return 4294967294LL;
v6 = strlen(&v4);
if ( v6 != 12 )
return 0xFFFFFFFFLL;
v9 = 1;
for ( i = 0; i <= 9; ++i )
{
for ( j = 0; j < v6; ++j )
{
if ( v9 > 0xFFFFFF )
{
v9 = ~v9;
v9 &= 0xFFFFFFu;
}
v9 += *((unsigned __int8 *)&v4 + j + i - (j + i) / v6 * v6) * ((i + 1) * (j + 1) & 0xFF);
}
if ( v9 > 0xFFFFFF )
{
v9 = ~v9;
v9 &= 0xFFFFFFu;
}
v9 = 253 * v9 & 0x3F;
*(_BYTE *)(v3 + i) = aIex5ahbOh3oWai[v9];
}
return 0LL;
}
|
对应的数组
1
| aIex5ahbOh3oWai DCB "Iex5ahb#oh3o@wai!hoh8q-uaeye+9ti@4Oob=ohm4uP!heiN?u3thei:g<aec",0x24
|
js版tz_create_telnet_superkey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| function tz_create_telnet_superkey(v4) {
let v3 = [];
let aIex5ahbOh3oWai = "Iex5ahb#oh3o@wai!hoh8q-uaeye+9ti@4Oob=ohm4uP!heiN?u3thei:g<aec";
let v6 = v4.length;
if (v6 != 12) {
return "LengthError";
}
let v9 = 1;
for (let i = 0; i <= 9; ++i) {
for (let j = 0; j < v6; ++j) {
const charCode = v4.charAt((j + i) % v6).charCodeAt(0);
if (v9 > 0xFFFFFF) {
v9 = ~v9 & 0xFFFFFF;
}
v9 += charCode * ((i + 1) * (j + 1) & 0xFF);
if (v9 > 0xFFFFFF) {
v9 = ~v9 & 0xFFFFFF;
}
}
v9 = 253 * v9 & 0x3F;
v3[i] = aIex5ahbOh3oWai.charAt(v9);
}
return v3.join("");
}
console.log(tz_create_telnet_superkey('abcdefghijk1'))
|
在线计算器
既然算法都有了,那就直接整改在线版
联通(华盛通信)vn007+超级密码在线免费计算器 (nobige.cn)
参考