第一个（撤退胜利）使用的是 OnBeforeRequest 命令，在 js 档可以找到这一段：
// FiddlerScript (JScript.NET) request hook as quoted in the post: it edits the body of
// outgoing requests whose URL contains "ac.php" before the proxy forwards them.
// The listing is truncated: the outer `if` and the function body are never closed here.
// NOTE(review): the fields rewritten below (battleResult, elapsedTurn, aliveUniqueIds) are
// all reported by the client. A rewrite like this only matters if the server accepts them
// without recomputing or validating the battle outcome itself. The defensive control is
// server-side authority over results, plus plausibility checks on the submitted fields
// (for example, a winning result submitted with an empty aliveUniqueIds list).
- <font color="#ff0000">tatic function OnBeforeRequest(oSession: Session)</font> {
- if (oSession.url.Contains("ac.php")){
// Marks the session red in the Fiddler session list.
- oSession["ui-color"] = "red";
- var str = oSession.GetRequestBodyAsString();
// Acts only when the URL-encoded body contains battleResult":3; the check for value 2 is
// commented out. Per the surrounding post, 3 is presumably "retreat" and 1 "win" — the
// code itself does not establish what the values mean.
- if(/*str.Contains("battleResult%22%3a2") || */str.Contains("battleResult%22%3a3"))
- {
- //if(str.Contains("battleResult%22%3a3"))
- // {
// Math.random()*8+5 lies in [5, 13); toFixed(0) turns it into an integer string.
- var tmp = Math.random()*8+5;
- var val = tmp.toFixed(0);
- var turn = /elapsedTurn%22%3ad+/ig;
// Replaces whatever the elapsedTurn pattern matches with the random turn count.
- str = str.replace(turn,"elapsedTurn%22%3a" + val);
- //str = str.replace("elapsedTurn%22%3a2%2c%22","elapsedTurn%22%3a8%2c%22");
- // }
// Rewrites the reported result value from 3 to 1.
- str = str.replace("battleResult%22%3a3", "battleResult%22%3a1");
- //str = str.replace("battleResult%22%3a2", "battleResult%22%3a1");
- var regex1 = /aliveUniqueIds%22%3a%5b([d+,%2c]+)%5d/gi;
// Replaces a matched aliveUniqueIds list with an empty array ("%5b%5d" is "[]").
- str = str.replace(regex1,"aliveUniqueIds%22%3a%5b%5d");
- //FiddlerObject.log(str);
// Writes the edited text back as the request body that is sent upstream.
- oSession.utilSetRequestBody(str);
- }
-
第二个（改攻击）使用的是 OnBeforeResponse 命令，你在 js 档未修改前可以找到这一段：
- static function OnBeforeResponse(oSession: Session) {
- if (m_Hide304s && oSession.responseCode == 304) {
- oSession["ui-hide"] = "true";
之后将这段改成这样：
static function OnBeforeResponse(oSession: Session) { if (oSession.url.Contains("ac.php")) {
后面再贴上改攻击的代码就可以了
// FiddlerScript (JScript.NET) response hook as quoted in the post: for responses whose URL
// contains "ac.php" it decodes the body, edits it, and hands the edited body to the client.
// The listing is truncated: the function's closing brace is missing.
// NOTE(review): the only transformation visible at this layer is Base64 with URL-encoded
// padding. That is an encoding, not encryption or integrity protection, despite the
// "解密后" log label below. Anything in the path can read and rewrite such a body, so stat
// values the client receives this way should not be trusted back by the server. A keyed
// MAC or signature over the payload, verified by the client, would make the edit detectable.
static function OnBeforeResponse(oSession: Session) {
if (oSession.url.Contains("ac.php")) {
// Removes chunking and HTTP compression so the body can be read as text.
oSession.utilDecodeResponse()
// i counts how many trailing "%3D" groups are stripped below.
var i = 0;
var str1 = oSession.GetResponseBodyAsString();
// Remove(0, Length-3) drops everything but the last three characters.
var wtf = str1.Remove(0,str1.Length-3);
// Strips trailing "%3D" groups ("%3D" is a URL-encoded "=", i.e. Base64 padding).
while(wtf == "%3D"){
var str1 = str1.Substring(0,str1.Length-3);
wtf = str1.Remove(0,str1.Length-3);
i = i+1;
}
// Re-appends the padding as literal "=" so the string can be Base64-decoded.
// No padding is re-added for any other count.
if(i == 1){
str1 = str1 + "=";
}
if(i == 2){
str1 = str1 + "==";
}
// Base64-decodes the body and interprets the bytes as UTF-8 text.
var str2 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(str1));
FiddlerObject.log("解密后"+ str2);
// Patterns meant to locate the "atk" and "hp" fields that follow a userid key
// (presumably per-unit stats in a JSON payload — the schema is not shown here).
var attack = /userid":"[0-9,":w]+"atk":"?d+/gi;
var hp = /userid":"[0-9,":w]+"hp":"?d+/gi;
if(str2.match(attack)){
FiddlerObject.log("匹配");
// "$&0" is the matched text followed by a literal "0".
str2 = str2.replace(attack,"$&0");
str2 = str2.replace(hp,"$&0");
//FiddlerObject.log("替换后"+ str2);
}
// Re-encodes the text as Base64, this time from ASCII bytes, and sets it as the body.
// The "%3D" form of the padding stripped above is not restored.
str2 = System.Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes(str2));
oSession.utilSetResponseBody(str2);
}
大概这样?