2009年7月

迅雷,快车,旋风下载地址加密和解密分析

迅雷,快车,旋风下载地址加密和解密分析
1、普通地址转换为迅雷地址

在原地址前面加"AA",后面加"ZZ"(注:不包括引号),地址变为
AAhttp://p2s.newhua.com/down/wrar371sc.exeZZ
此地址base64编码为
QUFodHRwOi8vcDJzLm5ld2h1YS5jb20vZG93bi93cmFyMzcxc2MuZXhlWlo=
迅雷专链即在上地址前加thunder://,即
thunder://QUFodHRwOi8vcDJzLm5ld2h1YS5jb20vZG93bi93cmFyMzcxc2MuZXhlWlo=
2、普通地址转换为快车地址
在原地址前后都加上"[FLASHGET]"(注:不包括引号),地址变为
[FLASHGET]http://p2s.newhua.com/down/wrar371sc.exe[FLASHGET]
此地址base64编码为
W0ZMQVNIR0VUXWh0dHA6Ly9wMnMubmV3aHVhLmNvbS9kb3duL3dyYXIzNzFzYy5leGVbRkxBU0hHRVRd
快车专链即在上地址前加flashget://,注意后面还要加上"&符号",符号怎么得出我也不清楚,我自己在最后后面加的是我个人信息,至今未有人报告转换错误,即
Flashget://W0ZMQVNIR0VUXWh0dHA6Ly9wMnMubmV3aHVhLmNvbS9kb3duL3dyYXIzNzFzYy5leGVbRkxBU0hHRVRd&yinbing1986
3、普通地址转换为旋风地址
旋风相对就简单多了,将原地址直接base64编码为
aHR0cDovL3Aycy5uZXdodWEuY29tL2Rvd24vd3JhcjM3MXNjLmV4ZQ==
旋风专链即在上地址前加qqdl://,即
qqdl://aHR0cDovL3Aycy5uZXdodWEuY29tL2Rvd24vd3JhcjM3MXNjLmV4ZQ==

Nginx的浏览器/服务器双向SSL证书认证配置

转自:http://blog.chinaunix.net/u/504/showart_1742061.html

Nginx的浏览器/服务器双向SSL证书认证配置

Nginx的浏览器/服务器双向SSL证书认证配置

| http://blog.csdn.net/rosw/archive/2008/12/03/3441187.aspx

最近的项目中需要安全性控制,而我又懒得改动后台的程序代码,故而想在反向代理层加入SSL证书验证。

一直在用Nginx做反向代理,但是其SSL的配置只用过普通的服务端单向证书。在Google,百度狂搜一通之后,一无所获,依旧是那老三样,只有单向认证的示例。浏览器端双向认证的配置好像从没人写过。

无奈之下,只好从OpenSSL的客户端证书开始学起,一点一点啃,大段大段的E文让我这半瓶子醋看的头晕眼晕。最后在
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
的提示下终于把这个证书搞定,来秀一个。

这需要一下几个步骤:
1) 安装openssl用来做证书认证
2) 创建一个CA根证书
3) 创建一个自签名的服务器证书
4) 设置Nginx
5) 创建客户端证书
6) 安装客户端证书到浏览器
7) Profit.

1)
这一步我是在ubuntu下直接apt-get装的openssl, 配置文件安装在/etc/ssl/openssl.cnf
修改openssl.cnf的以下几段
[ ca ]
default_ca = foo


Openssl将会寻找名称为foo的配置段

[ foo ]
dir = /etc/ssl/private
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_days = 3650
default_md = md5
new_certs_dir = $dir
policy = policy_match

policy_match我保持默认值没有改

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional


默认签发有效期为10年,你可以自己设置一个合适的值

2)
创建一个新的CA根证书
下面的几个脚本我都放在/etc/ssl目录下

new_ca.sh:
#!/bin/sh
# Generate the key.
openssl genrsa -out private/ca.key
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
# So self sign our root key.
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
echo FACE > private/serial
# Create the CA's key database.
touch private/index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7

执行 sh new_ca.sh 生成新的CA证书

3)
生成服务器证书的脚本

new_server.sh:
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out private/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key
private/server.key -outprivate/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in
private/server.csr -cert private/ca.crt -keyfile private/ca.key -outprivate/server.crt

执行 sh new_server.sh 生成新服务器的证书

4)
最要命的一步,尝试多次后终于搞明白。
配置 nginx 的ssl支持

我的配置如下:

# HTTPS server
#
server {
listen 443;
server_name localhost;

# 打开ssl
ssl on;
# 上一步生成的服务器证书
ssl_certificate /etc/ssl/private/server.crt;
# 服务器证书公钥
ssl_certificate_key /etc/ssl/private/server.key;
# 客户端证书签名 也就是第二步生成的CA签名证书
ssl_client_certificate /etc/ssl/private/ca.crt;
# ssl session 超时
ssl_session_timeout 5m;
# 打开SSL客户端校验 (双向证书检测)
ssl_verify_client on;

#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

location / {
root /var/www/nginx-default;
index index.html index.htm;
}

启动你的nginx ,等待客户连接

5)
现在来生成客户端证书

new_user.sh:
#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/ssl/private"
# Were we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/$1/

# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt

# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12

执行 shnew_user.sh yourname 来生成一个 yourname 的client证书
按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配
也就是第一步时配置的:
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match


不一致的话无法生成最后的客户证书

6)
发送上一步生成的 yourname.p12 到客户端。
IE下双击安装就可以导入。
FireFox安装 :
Go into preferences.
Advanced.
View Certificates.
Import.
Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access).
Enter in the export password given to you by the dude who created your cert.
Hit OK like a mad man.

打开网站会弹出对话框来要求你选择使用哪个证书,选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误

7)
没啥拉,有问题多试几次,其实都是很简单的事。就是中文的资料太少了。
:)

非常遗憾的是: 浏览器是信任知名几家机构的CA签名,而这样自己制作的CA签名,浏览器是不信任的,但至少你点继续后可以通过https: 进行访问了