打开空间、微博的时候能够自动检测到本地登录的QQ号。今天简单跟了一下,发现这个神奇的链接来自:http://xui.ptlogin2.qq.com/cgi-bin/qlogin 只要一打开,就能知道登录的QQ了,它是如何实现的呢,继续分析js,
发现其主要是用了一个ActivexObject,
q_hummerQtrl = new ActiveXObject(“SSOAxCtrlForPTLogin.SSOForPTLogin2″);
在XP下,这个Dll的存放路径为C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOAxCtrlForPTLogin.dll,既然都用dll了,那么判断个登录QQ就没什么好奇怪了。
但是还有个问题,这个activeX是否可被别人利用?于是,做了个小小的实验。挑出必要的检测代码,放在了如下的html文件中。(IE走activex流程,而firefox走的是embed application/nptxsso),如果成功,则会弹出你的QQ号等一系列信息。
结果发现在本地打开该html的时候,create ActiveXObject 失败了,猜想腾讯必然对其进行了域名限制,于是修改本地host文件,加了一条:
xui.ptlogin2.qq.com 127.0.0.1
再用xui.ptlogin2.qq.com这个域名去访问本地的这个html果然,可以正常实现了,那么说明判断域名的时候是在这个dll中判断的,所以网页无法篡改。做了简单测试,发现对于域名还是限制挺严格的,如xue.ptlogin2.qq.com xue.ptlogin2.paipai.com等才能成功,而www.qq.com就不成功了。反解了一下,这些域名都指向同一个服务器,202.106.195.30
- <html>
- <body>
- <script>
- var g_vOptData;
- var mylocation= “xui.ptlogin2.qq.com/cgi-bin1/qlogintest.html”;
- var pt = {
- ishttps: false,
- low_login: 0,
- keyindex: 9,
- init: function()
- {
- pt.ishttps = /^https/.test(mylocation);
- //if (navigator.mimeTypes["application/nptxsso"]) {
- var B = document.createElement(“embed”);
- B.type = “application/nptxsso”;
- B.style.width = “0px”;
- B.style.height = “0px”;
- document.body.appendChild(B);
- pt.sso = B
- }
- };
- pt.init();
- try {
- if (window.ActiveXObject)
- {
- q_hummerQtrl = new ActiveXObject(“SSOAxCtrlForPTLogin.SSOForPTLogin2″);
- var A = q_hummerQtrl.CreateTXSSOData();
- q_hummerQtrl.InitSSOFPTCtrl(0, A);
- g_vOptData = q_hummerQtrl.CreateTXSSOData()
- }
- hummer_loaduin();
- } catch(B) {
- alert(/create ActiveXObject failed/)
- }
- function hummer_loaduin()
- {
- if (window.ActiveXObject)
- {
- var Y = q_hummerQtrl.DoOperation(1, g_vOptData);
- if (null == Y) {
- return
- }
- try
- {
- var T = Y.GetArray(“PTALIST”);
- var c = T.GetSize();
- var X = “”;
- for (var d = 0; d < c; d++)
- {
- var E = T.GetData(d);
- var a = E.GetDWord(“dwSSO_Account_dwAccountUin”);
- var J = “”;
- var O = E.GetByte(“cSSO_Account_cAccountType”);
- var b = a;
- if (O == 1)
- {
- try
- {
- J = E.GetArray(“SSO_Account_AccountValueList”);
- b = J.GetStr(0)
- } catch(Z) {}
- }
- var Q = 0;
- try {
- Q = E.GetWord(“wSSO_Account_wFaceIndex”)
- } catch(Z) {
- Q = 0
- }
- var S = “”;
- try {
- S = E.GetStr(“strSSO_Account_strNickName”)
- } catch(Z) {
- S = “”
- }
- var F = E.GetBuf(“bufGTKey_PTLOGIN”);
- var G = E.GetBuf(“bufST_PTLOGIN”);
- var N = “”;
- var A = G.GetSize();
- for (var W = 0; W < A; W++) {
- var B = G.GetAt(W).toString(“16″);
- if (B.length == 1) {
- B = “0″ + B
- }
- N += B
- }
- var M = {
- uin: a,
- name: b,
- type: O,
- face: Q,
- nick: S,
- key: N
- };
- var str = “QQinfo\r\n”+
- “uin:” + M['uin']+”\r\n”+
- “name:”+M['name']+”\r\n”+
- “type:”+M['type']+”\r\n”+
- “face:”+M['face']+”\r\n”+
- “nick:”+M['nick']+”\r\n”+
- “key:”+M['key']+”\r\n”;
- alert(str);
- q_aUinList[d] = M
- }
- } catch(Z) {}
- } else
- {
- try {
- var M = pt.sso;
- var L = M.InitPVA();
- if (L != false)
- {
- var I = M.GetPVACount();
- for (var W = 0; W < I; W++)
- {
- var C = M.GetUin(W);
- var D = M.GetAccountName(W);
- var K = M.GetFaceIndex(W);
- var U = M.GetNickname(W);
- var P = M.GetGender(W);
- var V = M.GetUinFlag(W);
- var f = M.GetGTKey(W);
- var R = M.GetST(W);
- }
- var str = “QQinfo\r\n”+
- “uin:” + C +”\r\n”+
- “name:”+D+”\r\n”+
- “face:”+K +”\r\n”+
- “nick:”+U+”\r\n”+
- “key:”+f+”\r\n”;
- alert(str);
- }
- } catch(Z) {}
- }
- }
- </script>
- </body>
- </html>
关于QQ空间自动检测本地已经通过客户端登陆的账号
https://www.discuz.1314study.com/thread-76643-1-1.html
检测本机是否登录了指定QQ账号
https://www.discuz.1314study.com/thread-76645-1-1.html
|
上一篇: 关于QQ空间自动检测本地已经通过客户端登陆的账号下一篇: 检测本机是否登录了指定QQ账号
|
