Python软件逆向-SE工具箱

原因

今天在网上看见以个SE工具箱，号称可以通过某人的qq、手机号或者微博进行反查信息，只需知道其中一个便可查询其他信息。我一看，这不就是一社工库吗，于是便想下载来看一下

结果发现这软件竟然收费，而且是用python写的

破解过程

解包

对exe进行解包用的是pyinstxtractor
下载地址：https://github.com/extremecoders-re/pyinstxtractor/releases/
下载完成后将压缩包进行解压，得到了一下文件

然后将要解包的exe放进这个目录

打开powershell进入当前目录输入

python .\pyinstxtractor.py <要解包程序的地址>

然后执行

这时在当前目录下便出现了一个新的文件夹

反编译

进入该文件夹，找到与exe文件同名的pyc文件，尝试使用uncompyle6进行反编译

pip install uncompyle6
 uncompyle6 .\SE工具箱.pyc >so.py

这里的so.py是将反编译的结果保存至so.py这一文件

但是发现使用uncompyle6反编译失败，于是果断选择在网上寻找在线反编译工具

https://tool.lu/pyc/

反编译的到如下代码

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.9

import threading
import win32api
import pyDes
from binascii import b2a_hex, a2b_hex
import base64
import requests
import re
import os
import random
import time
import PySimpleGUI as Sg
Des_Key = '12345678'
Des_IV = '00000000'
TYPE = 'DB'

class Register:
    
    def __init__(self, TYPE):
        self.TYPE = TYPE
        self.Des_Key = Des_Key
        self.Des_IV = Des_IV

    
    def getCVolumeSerialNumber(self):
        CVolumeSerialNumber = win32api.GetVolumeInformation('C:\\')[1]
        if CVolumeSerialNumber:
            return str(CVolumeSerialNumber)
        return None

    
    def DesEncrypt(self, str):
        k = pyDes.des(self.Des_Key, pyDes.CBC, self.Des_IV, None, pyDes.PAD_PKCS5, **('pad', 'padmode'))
        encryptStr = k.encrypt(str)
        string = base64.b64encode(encryptStr)
        return string

    
    def DesDecrypt(self, string):
        string = base64.b64decode(string)
        k = pyDes.des(self.Des_Key, pyDes.CBC, self.Des_IV, None, pyDes.PAD_PKCS5, **('pad', 'padmode'))
        decryptStr = k.decrypt(string)
        return decryptStr

    
    def Regist_New(self):
        pass
    # WARNING: Decompyle incomplete

    
    def encryCode(self):
        global serialnumber
        rand = str(random.randrange(1, 1000))
        serialnumber = self.getCVolumeSerialNumber()
        content = str({
            'stat': '',
            'Serial': serialnumber,
            'Random': rand,
            'Type': self.TYPE })
        encryptstr = self.DesEncrypt(content).decode('utf8')
        return encryptstr

    
    def checKey(self):
        key = values['-key-']
    # WARNING: Decompyle incomplete

    
    def GetTime(self):
        url = 'http://api.m.taobao.com/rest/api3.do?api=mtop.common.getTimestamp'
    # WARNING: Decompyle incomplete

    
    def CheckTimeTri(self):
        if int(self.GetTime()) >= self.deadline:
            os.remove('conf.bin')
            return 403


headers = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3877.400 QQBrowser/10.8.4506.400' }

def SeTool():
    global phone, phonediqu, lolName, lolDaqu, qqlm, weibo, qq, qq, phone, weibo
    
    def qqMsg():
        global phone, phonediqu, lolName, lolDaqu, qqlm
        print('正在查询...')
        url = 'https://www.hmily.vip/api/qb/?qq=' + str(qq)
        html = requests.get(url, headers, **('url', 'headers'))
        if html.json()['code'] == 1:
            phone = html.json()['phone']
            phonediqu = html.json()['phonediqu']
            lolName = html.json()['lolName']
            lolDaqu = html.json()['lolDaqu']
            qqlm = html.json()['qqlm']

    
    def phoneMsg():
        global qq, phonediqu, weibo
        print('正在查询...')
        url3 = 'https://hmily.vip/api/phone/?phone=' + str(phone)
        html = requests.get(url3, headers, **('url', 'headers'))
        if html.json()['code'] == 1:
            qq = html.json()['qq']
            phonediqu = html.json()['phonediqu']
            weibo = html.json()['weibo']

    
    def wbMsg():
        global phone, phonediqu
        print('正在查询...')
        url3 = 'https://www.hmily.vip/api/wb/?id=' + str(weibo)
        html = requests.get(url3, headers, **('url', 'headers'))
        if html.json()['code'] == 1:
            phone = html.json()['phone']
            phonediqu = html.json()['phonediqu']

    layout = [
        [
            Sg.T('查询结果：')],
        [
            Sg.Multiline('查询需要时间，提交后请耐心等待结果\n', (70, 20), '-show-', True, **('size', 'key', 'autoscroll'))],
        [
            Sg.T('说明：请选择与输入号码相对应的查询方式', '-text-', 'white', **('key', 'text_color'))],
        [
            Sg.T('请输入查询号码'),
            Sg.In('-content-', **('key',))],
        [
            Sg.T('请选择查询方式')] + (lambda .0: [ Sg.Radio(i, 1, i, **('group_id', 'key')) for i in .0 ])(('qq号', '手机号', '微博UID')),
        [
            Sg.B('确认提交'),
            Sg.B('清空')]]
    window = Sg.Window('SE工具箱', layout)
    flag = Sg.popup_ok_cancel('免责声明：请勿把软件用在违法犯罪途径！\n造成的一切后果本作者概不负责\n如若同意请点击ok进入软件', '提示', ('黑体', 13), **('title', 'font'))
    if flag == 'Cancel':
        os._exit(0)
    (event, values) = window.read(300)
    if res2 == 3 or res1 == 3:
        res = Reg.CheckTimeTri()
        if res == 403:
            Sg.popup('软件使用时间已到期\n请重新购买登录码', '提示', ('黑体', 13), **('title', 'font'))
        
    if event == '确认提交' and values['-content-'] != '':
        phone = '没有查询到'
        phonediqu = '没有查询到'
        lolName = '没有查询到'
        lolDaqu = '没有查询到'
        qqlm = '没有查询到'
        weibo = '没有查询到'
        qq = '没有查询到'
        message = ''
        msg = ''
        t = time.strftime('%Y/%m/%d %H:%M:%S', time.localtime())
        if values['qq号']:
            qq = values['-content-']
            message = window['-show-'].get()
            window['-show-'].update('')
            t1 = threading.Thread(qqMsg, **('target',))
            t1.start()
            t1.join()
            if phone == '没有查询到':
                msg = f'''\n时间: {t}\nQQ号码: {qq}\n未查到任何信息！     \n'''
            else:
                msg = f'''\n查询成功！\n时间: {t}\nQQ号码: {qq}\n手机号码: {phone}\n地区: {phonediqu}\nLOL账号: {lolName}\nLOL大区: {lolDaqu}\nQQ密码: {qqlm}\n    '''
        elif values['手机号']:
            phone = values['-content-']
            message = window['-show-'].get()
            window['-show-'].update('')
            t2 = threading.Thread(phoneMsg, **('target',))
            t2.start()
            t2.join()
            if qq == '没有查询到':
                msg = f'''\n时间: {t}\n手机号码: {phone}\n未查到任何信息！     \n'''
            else:
                msg = f'''\n查询成功！\n时间: {t}\n手机号码: {phone}\n地区: {phonediqu}\nQQ账号: {qq}\n微博ID: {weibo}\n'''
        elif values['微博UID']:
            weibo = values['-content-']
            message = window['-show-'].get()
            window['-show-'].update('')
            wbMsg()
            if phone == '没有查询到':
                msg = f'''\n时间: {t}\n微博ID: {weibo}\n未查到任何信息！     \n'''
            else:
                msg = f'''\n查询成功！\n时间: {t}\n微博ID: {weibo}\n手机号码: {phone}\n地区: {phonediqu}\n'''
        else:
            window['-show-'].update('请选择一个查询方式，点击提交后请耐心等待查询结果')
        window['-show-'].update(message + '\n' + msg)
        window['-content-'].update('')
    if event == '清空':
        window['-show-'].update('')
    if event is None:
        pass
    
    window.close()

Reg = Register(TYPE)
res1 = Reg.Regist_New()
deadline = ''
res2 = ''
if res1 in (1, 2, 3):
    SeTool()
elif res1 == 4:
    Sg.popup('登陆码验证失败 请重新输入', '提示', ('黑体', 13), **('title', 'font'))
if res1 == 5:
    Sg.popup('请勿非法获得验证文件！', '提示', ('黑体', 13), **('title', 'font'))
entryCode = Reg.encryCode()
layout = [
    [
        Sg.Text('输入你的登录码后进入软件', ('黑体', 13), **('font',))],
    [
        Sg.Text('机器码：', True, (7, 1), ('黑体', 12), **('enable_events', 'size', 'font')),
        Sg.InputText(entryCode, '-serial-', **('key',))],
    [
        Sg.Text('登录码：', (7, 1), ('黑体', 12), **('size', 'font')),
        Sg.InputText('', '-key-', **('key',))],
    [
        Sg.Button('确认', ('微软雅黑', 9), **('font',)),
        Sg.Button('退出', ('微软雅黑', 9), **('font',)),
        Sg.Text('点我购买登录码', ((200, 10), (0, 0)), True, '#fff200', **('pad', 'enable_events', 'text_color'))]]
window1 = Sg.Window('SE工具箱', layout)
(event, values) = window1.read()
if event == None:
    pass
elif event == '确认' and values['-key-'] != '':
    res2 = Reg.checKey()
    if res2 == 1:
        Sg.popup('登录成功！', ('黑体', 12), **('font',))
        window1.close()
        SeTool()
    elif res2 == 3:
        timeArry = time.localtime(Reg.deadline / 1000)
        Sg.popup(f'''登录成功！到期时间\n{time.strftime('%Y/%m/%d %H:%M:%S', timeArry)}''', ('黑体', 13), **('font',))
        window1.close()
        SeTool()
    elif res2 == 5:
        Sg.popup('登陆码验证失败 请重新输入', '提示', ('黑体', 12), **('title', 'font'))
if event == '退出':
    pass
elif event == '点我购买登录码':
    Sg.popup('购买登录码20R\n联系QQ：2900548175\n微信号：tangmin903', '提示', ('黑体', 12), **('title', 'font'))
    continue
    window1.close()
    return None

结果

然后翻阅源码发现如下几个接口：

• https://www.hmily.vip/api/qb/?qq=
• https://hmily.vip/api/phone/?phone=
• https://www.hmily.vip/api/wb/?id=
  这分别是QQ，手机号及微博ID的查询接口

THE END