HTTP数据包,发生什么事?

时间:2010-02-26 19:21:19

标签: http authentication encryption header packet

基本上,我在查看Motorstorm排行榜的同时在我的PS3上打包数据包。排行榜以XML格式发送到我的ps3,但只有在我获得授权后才能发送。那么有人可以告诉我这三个数据包之间发生了什么以及我如何在浏览器中复制它?

数据包1从我的PS3到索尼服务器

POST /ranking_view/func/get_player_rank HTTP/1.1
Host: ranking-view-a01.u0.np.community.playstation.net
Connection: Keep-Alive
Content-Length: 213
Authorization: Digest username="c7y-ranking01", realm="c7y-ranking", nonce="2SpsV4WABAA=47a2b36030cd94de1190f6b9f05db1bd5584bc2a", uri="/ranking_view/func/get_player_rank", qop="auth", nc="00000001", cnonce="d4eb1eb60ab4efaea1476869d83a6e0b", response="96b55c6e79f84dd41b46eb66bed1c167"
Accept-Encoding: identity
User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0

<?xml version="1.0" encoding="utf-8"?><ranking platform="ps3" sv="3.15"><titleid>NPWR00012_00</titleid><board>7</board><jid>Panzerborn@a5.gb.np.playstation.net</jid><option message="false" info="false"/></ranking>

Packet 2 Sony Server对我PS3的回应

Date: Fri, 26 Feb 2010 19:06:12 GMT
WWW-Authenticate: Digest realm="c7y-ranking", nonce="a3PFl4WABAA=6d375259676ec79641448a8032a795b8e12ccae4", algorithm=MD5, stale=true, qop="auth"
Content-Length: 401
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

Packet 3 PS3对Sony Servers最后一个数据包的响应

POST /ranking_view/func/get_player_rank HTTP/1.1
Host: ranking-view-a01.u0.np.community.playstation.net
Connection: Keep-Alive
Authorization: Digest username="c7y-ranking01", realm="c7y-ranking", nonce="a3PFl4WABAA=6d375259676ec79641448a8032a795b8e12ccae4", uri="/ranking_view/func/get_player_rank", qop="auth", nc="00000001", cnonce="58869490a891002d8c56573496274a3a", response="ca3d6f252d4e398b8f751c201a3f8f08"
Accept-Encoding: identity
User-Agent: PS3Community-agent/1.0.0 libhttp/1.0.0

<?xml version="1.0" encoding="utf-8"?><ranking platform="ps3" sv="3.15"><titleid>NPWR00012_00</titleid><board>7</board><jid>Panzerborn@a5.gb.np.playstation.net</jid><option message="false" info="false"/></ranking>

我试图在Firefox和篡改标题以及PHP cURL中复制它,但我无处可去。我假设它与nonce,cnonce和responce变量有关,这些变量不断变化&gt;&lt;请帮助=)

2 个答案:

答案 0 :(得分:6)

Nonce,cnonce等与HTTP Digest Authentication相关,{{3}}是一种身份验证机制,可以在不以纯文本格式发送密码的情况下启用身份验证。因此,如果你想在你的PS3游戏中作弊,你首先必须从MD5哈希中破解该密码,我猜。

并且它不被称为HTTP 数据包,在第7层,您通常会说请求/响应或类似信息。

答案 1 :(得分:3)

noncecnonce的随机数看起来像哈希码。

对抗骗子的一种可能的防御机制可能是:

def ps3client_send_score():
    score = "bazillion points"
    nonce = md5(score + "something you don't know about")
    send_to_server(score, nonce)

在服务器端:

def get_client_score(score, nonce):
    if md5(score+"something you don't know about")==nonce:
        accept_score(score)
    else:
        reject_score_and_ban_the_fool_if_he_continues_this()

因此,除非您想花费数周时间尝试在游戏中找到salt,否则请忘掉它。