我的小工具-远程读卡器web客户端(PHP+LUA)

2020-08-05 10:56:53 浏览数 (1)

本工具是在浏览器中以Lua脚本的形式对CPU卡,M1卡就行读、写等各种操作,配和使用改造过后的E711读卡器。 远端把读卡器接到电脑上,并运行读写卡服务。告知客户端IP地址和端口,并放上卡。客户端调用相关指令,运行脚本,输出结果。 远程读卡器就是一个普通usb口或串口的读卡器,如E711读卡器。配合一个电脑软件作为tcp读写卡服务。这样可以在公司电脑上运行客户端程序连到服务器上,服务器端操控现场的读卡器。之前做保定公交老卡兼容,让现场寄卡过来,结果拖了好久,卡也没寄过来。说是卡片管理严格,老年卡,学生卡需要从系统上从新办卡。于是让现场同事配合抓下包,读取一下卡上数据,但现场同事连串口助手都没听说过,指望不上了。最后没办法,还是出差跑去一趟,做了些很简单的事。回来想想,其实可以做一个远程读卡器,在公司把现场的卡给操作了。再封装一些读卡的客户端接口,可以实现远程仿真调试程序读卡消费逻辑 ,或者实现一完全软件模拟的pos机。之前用java做过一个读写卡工具,但是只能在本地电脑上读写卡。

交通部卡测试消费成功的lua脚本指令:

代码语言:javascript复制
--192.168.157.135/test3/runcode.php
--读卡服务地址
ip= "192.168.157.135"
--读卡服务端口
port = 5050

--连接到读卡服务
ret = CONNECT(ip,port)                     --建立连接
-------------------------------------------  CPU卡操作
ret,rcv = S_SFI("x3Fx00",1)              --选择PSAM卡应用3F00
ret,rcv = R_BFile(0x15,0,0,1)              --读取PSAM卡15文件
ret,rcv = R_BFile(0x16,0,0,1)              --读取PSAM卡16文件
if ret == 0x9000 then
	PasmTID = string.sub(rcv,1,12)
	print("pasmTID:"..PasmTID)
end

ret,rcv = S_AID("xA0x00x00x06x32x01x01x05",0x08,0)      --选择交通部应用

ret,rcv = R_BFile(0x15,0,0,0)              --读取卡片0x15文件
if ret == 0x9000 then
	MakeCardId = string.sub(rcv,1,16)
	CardASN = string.sub(rcv,25,25 16-1)
	print(rcv)
	print("MakeCardId:"..MakeCardId)
	print("CardASN:"..CardASN)
end
ret,rcv = R_BFile(0x16,0,0,0)

ret,rcv = R_BFile(0x17,0,0,0)    

ret,rcv = S_SFI("x80x11",1)              --选择交通部PSAM卡应用

ret,rcv = APDU("805C030204",0)              --读取余额

--消费初始化
cmd = '805001020B'
index = '01'
money = '00000001'

cmdstr = cmd..index..money..PasmTID
print("xiao fei chu shi hua:")
ret,rcv = APDU(cmdstr,0)   --消费初始化
if ret == 0x9000 then
	PullCTC = string.sub(rcv,9,9 4-1)  --脱机交易序号
	KeyVer = string.sub(rcv,19,19 2-1)
	KeyDrk = string.sub(rcv,21,21 2-1)
	Icc =  string.sub(rcv,23,23 8-1)  --随机数
	print("PullCTC:"..PullCTC)
	print("KeyVer:"..KeyVer)
	print("KeyDrk:"..KeyDrk)
	print("Icc:"..Icc)
end

cmd = '8070000024'
time ='20161128170231'
cmdstr = cmd..Icc..PullCTC..money..'06'..time..KeyVer..KeyDrk..CardASN..MakeCardId 

ret,rcv = APDU(cmdstr,1)   --PSAM卡算MAC

if ret == 0x9000 then
	TTC = string.sub(rcv,1,8)  --脱机交易序号
	MAC1 = string.sub(rcv,9,9 8-1)
	print("TTC:"..TTC)
	print("MAC1:"..MAC1)
end

cmd = '805401000F'
cmdstr = cmd..TTC..time..MAC1

ret,rcv = APDU(cmdstr,0)

DISCONNECT()                --断开连接

要远程读写卡得有个后台服务去操控远程的读卡器。有了后台读写卡服务,客户端不能只是接口,得简单好用,于是有了这个web端。

附截图:

截图1,运行效果

截图2,相关指令介绍:

截图3,后台文件

截图4,后台读写卡服务显示的收发日志:

后台的解析lua脚本的文件lua_test.c

代码语言:javascript复制
//包含LUA的头文件,用来支持脚本
#include <stdio.h>
#include "lib/lua-5.3.1/lua.h"  
#include "lib/lua-5.3.1/lualib.h"  
#include "lib/lua-5.3.1/lauxlib.h"   

#include "lib/includes.h"

#define PICC_ADD                    0xC1            //加
#define PICC_SUB                    0xC0            //减
#define PICC_RESTORE                0xC2            //恢复

#define PICC_KEYA                   0x60            //KEY A
#define PICC_KEYB                   0x61            //KEY B

#define PICC_NULL                   0x00            //不校验KEY


lua_State* L;  

U08 gCardSN[8]; //物理卡号

U32 ICF_SelectAID( const char *AID, U32 ilen, U32 ich )
{
    U32 rcode;
    
    gCmdBuffer[0] = 0x00;   //CLA
    gCmdBuffer[1] = 0xA4;   //INS
    gCmdBuffer[2] = 0x04;   //P1
    gCmdBuffer[3] = 0x00;   //P2
    gCmdBuffer[4] = ilen;   //Lc
    CurCalc_DataCpy( gCmdBuffer 5, (U08*)AID, ilen );
    
    rcode = ICC_APDU_Exchange( ich, gCmdBuffer, ilen 5, gpRcvBuffer, &Grcv_Len, 260 );
    if( rcode != 0 )
    { return rcode; }
    
    if( Grcv_Len < 2 )  
    { return 2;}
    rcode = ( ( gpRcvBuffer[ Grcv_Len - 2 ] << 8 ) | gpRcvBuffer[ Grcv_Len - 1 ] );

    return rcode;

}
U32 ICF_SelectSFI( const char *SFI, U32 ich )
{
    U32 rcode;

    gCmdBuffer[0] = 0x00;   //CLA
    gCmdBuffer[1] = 0xA4;   //INS
    gCmdBuffer[2] = 0x00;   //P1
    gCmdBuffer[3] = 0x00;   //P2
    gCmdBuffer[4] = 0x02;   //Lc
    CurCalc_DataCpy( gCmdBuffer 5, (U08*)SFI, 2 );
    
    rcode = ICC_APDU_Exchange( ich, gCmdBuffer, 2 5, gpRcvBuffer, &Grcv_Len, 260 );
    if( rcode != 0 )
    { return rcode; }
    
    if( Grcv_Len < 2 )
    { return 2;}
    rcode = ( ( gpRcvBuffer[ Grcv_Len - 2 ] << 8 ) | gpRcvBuffer[ Grcv_Len - 1 ] );

    return rcode;
}
U32 ICF_ReadBinaryFile( U08 SFI, U08 Offset, U08 BytesToRead, U32 ich )
{
    unsigned short rcode;
    
    gCmdBuffer[0] = 0x00;   //CLA
    gCmdBuffer[1] = 0xB0;   //INS
    gCmdBuffer[2] = 0x80 | ( SFI & 0x1F );  //P1
    gCmdBuffer[3] = Offset; //P2
    gCmdBuffer[4] = BytesToRead;    //Le

    rcode = ICC_APDU_Exchange( ich, gCmdBuffer, 5, gpRcvBuffer, &Grcv_Len, 260 );
    if( rcode != 0 )
    { return rcode; }

    if( Grcv_Len < 2 )                                          //长度判断
    { return 2;}
    rcode = ( ( gpRcvBuffer[ Grcv_Len - 2 ] << 8 ) | gpRcvBuffer[ Grcv_Len - 1 ] );

    return rcode;
}

int LConnect(lua_State* L)
{
    int ret = 0;
    size_t le = 0;
    printf("Connecting...n");
    const char * ipaddr = luaL_checklstring(L,1,&le);
    //printf("cmd is %s,le is %dn",aid,le);  
    //从L栈中取出索引为2的数值,并检查  
    int port = luaL_checkinteger(L,2); 
    printf("ServerIP:%s,Port:%dn", ipaddr,port);
    ret = Connect(ipaddr,port);
   
    lua_pushnumber(L,ret); 
    return 1;
}

int LDisConnect(lua_State* L)
{
    printf("Close connect!n");
    Com_Dev_Disconnect( 0 );  
    return 1;
}

int LTxData(lua_State* L)
{
    int ret = 0;
    unsigned int len = 0;
    size_t le = 0;
    unsigned char buf[1024];
    unsigned char outbuf[2048];
    memset(buf, 0, 1024);
    memset(outbuf, 0, 2048);
    //从L栈中取出索引为1的数值,并检查  
    const char * txdata = luaL_checklstring(L,1,&le);
    //printf("tx is %s,le is %dn",txdata,le);  
    StrToHex( (char*)txdata, le, buf );

    ret = Com_Dev_TxData( buf, le/2, 0, 0 );
	if( ret != 0 )
	{ DEF_SysCard_Debug; return ret; }
	
    ret = Com_Dev_RxData( buf, &len,  1024, 0, 0 ); 
	if( ret != 0 )
	{ DEF_SysCard_Debug; return ret; }

	HexToStr(buf,len,(char*)outbuf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)outbuf,strlen((char*)outbuf));
    return 2;

}

int LTxData1(lua_State* L)
{
    int ret = 0;
    unsigned int len = 0;
    size_t le = 0;
    unsigned char buf[1024];
    unsigned char outbuf[2048];
    memset(buf, 0, 1024);
    memset(outbuf, 0, 2048);
    //从L栈中取出索引为1的数值,并检查  
    const char * txdata = luaL_checklstring(L,1,&le);
   // printf("tx is %s,le is %dn",txdata,le);  
    //StrToHex( (char*)txdata, le, buf );

    ret = Com_Dev_TxData1( (unsigned char*)txdata, le, 0, 0 );
	if( ret != 0 )
	{ DEF_SysCard_Debug; return ret; }
	
    ret = Com_Dev_RxData1( buf, &len,  1024, 0, 0 ); 
	if( ret != 0 )
	{ DEF_SysCard_Debug; return ret; }

	//HexToStr(buf,len,(char*)outbuf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf,len);
    return 2;

}
int LAPDU_Exchange(lua_State* L)
{
	int ret = 0;
 	size_t le = 0;
 	unsigned char buf[520];
	
	memset(buf, 0, 520);
 	//从L栈中取出索引为1的数值,并检查  
    const char * cmd = luaL_checklstring(L,1,&le);
    //printf("cmd is %s,le is %dn",aid,le);  
    //从L栈中取出索引为2的数值,并检查  
    int ich = luaL_checkinteger(L,2); 

    StrToHex( (char*)cmd, le, gCmdBuffer );

    ret = ICC_APDU_Exchange( ich, gCmdBuffer, le/2, gpRcvBuffer, &Grcv_Len, 260 );
    if( Grcv_Len < 2)
	{ return 1;}

    ret = ( ( gpRcvBuffer[ Grcv_Len - 2 ] << 8 ) | gpRcvBuffer[ Grcv_Len - 1 ] );

    HexToStr(gpRcvBuffer,Grcv_Len,(char*)buf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf,strlen((char*)buf));
    return 2;
}
int LSelectAID(lua_State* L)
{
    int ret = 0;
    size_t le = 0;
    unsigned char buf[520];
    
    memset(buf, 0, 520);
    //从L栈中取出索引为1的数值,并检查  
    const char * aid = luaL_checklstring(L,1,&le);
    //printf("aid is %s,le is %dn",aid,le);  
    //从L栈中取出索引为2的数值,并检查  
    int len = luaL_checkinteger(L,2); 
    int ich = luaL_checkinteger(L,3); 

    ret = ICF_SelectAID( aid, len, ich );
    HexToStr(gpRcvBuffer,Grcv_Len,(char*)buf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf,strlen((char*)buf));
    return 2;

}

int LSelectSFI(lua_State* L)
{
    int ret = 0;
    size_t le = 0;
    unsigned char buf[520];
    
    memset(buf, 0, 520);
    //从L栈中取出索引为1的数值,并检查  
    const char * sfi = luaL_checklstring(L,1,&le);
    //printf("aid is %s,le is %dn",aid,le);  
    //从L栈中取出索引为2的数值,并检查  
    int ich = luaL_checkinteger(L,2); 

    ret = ICF_SelectSFI( sfi, ich );
    HexToStr(gpRcvBuffer,Grcv_Len,(char*)buf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf,strlen((char*)buf));
    return 2;

}
int LReadBinaryFile( lua_State* L )
{
    int ret = 0;
    unsigned char buf[520];
    
    memset(buf, 0, 520);
    //从L栈中取出索引为1的数值,并检查  
    int sfi =  luaL_checkinteger(L,1); 
    int oft =  luaL_checkinteger(L,2);
    int rlen = luaL_checkinteger(L,3);
    int ich =  luaL_checkinteger(L,4); 

    ret = ICF_ReadBinaryFile(sfi,oft,rlen,ich);

    HexToStr(gpRcvBuffer,Grcv_Len,(char*)buf);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf,strlen((char*)buf));

    //stackDump(L);
    return 2;
}
//获取CPU或M1卡的物理卡号
int LGetPhySn( lua_State* L )
{
    int ret = 0;
    unsigned char buf[20];
    unsigned char buf1[20];

    memset(buf,0,20);
    memset(buf1,0,20);

    ret = ICC_MiOne_GetPhySn(buf);

    memcpy(gCardSN,buf,8);//保存全局物理卡号

    HexToStr(buf,8,(char*)buf1);
    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)buf1,strlen((char*)buf1));
    //stackDump(L);
    return 2;
}
//M1卡扇区读
int LBlkRead( lua_State* L )
{
    int ret = 0;
    size_t le = 0;
    unsigned char rbuf[50];
    unsigned char sbuf[50];
    unsigned char key[16];
    unsigned char cmd=0;

    int block   =  luaL_checkinteger(L,1); 
    const char * keys = luaL_checklstring(L,2,&le);
    int keytype =  luaL_checkinteger(L,3); //密码类型,0,不校验 1,A码,2,B码

    memset(rbuf,0,50);
    memset(sbuf,0,50);
    StrToHex( (char*)keys, le, key );

    cmd = PICC_KEYA;
    if(keytype == 1)
    { cmd = PICC_KEYA; }
    else if(keytype == 2)
    { cmd = PICC_KEYB; }

    ret = ICC_MiOne_BlkRead(block,cmd,key, gCardSN, rbuf );

    HexToStr(rbuf,16,(char*)sbuf);

    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)sbuf,strlen((char*)sbuf));
    //stackDump(L);
    return 2;
}

//M1卡扇区写
int LBlkWrite( lua_State* L )
{
    int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char wbuf[50];
    unsigned char key[16];
    unsigned char cmd=0;

    int block   =  luaL_checkinteger(L,1); 
    const char * wbufs = luaL_checklstring(L,2,&le);
    const char * keys = luaL_checklstring(L,3,&le1);
    int keytype =  luaL_checkinteger(L,4); //密码类型,0,不校验 1,A码,2,B码

    memset(wbuf,0,50);

    StrToHex( (char*)wbufs, le, wbuf );
    StrToHex( (char*)keys, le1, key );

    cmd = PICC_KEYA;
    if(keytype == 1)
    { cmd = PICC_KEYA; }
    else if(keytype == 2)
    { cmd = PICC_KEYB; }

    ret = ICC_MiOne_BlkWrite(block,cmd,key, gCardSN, wbuf );

    lua_pushinteger(L,ret); 
    //stackDump(L);
    return 1;
}

//DES加密
int LDES_Encrypt( lua_State* L )
{
   // int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char inkey[16];
    unsigned char indata[16];
    unsigned char outdata[16];
	unsigned char str_out[50];
    const char * str_inkey = luaL_checklstring(L,1,&le);
    const char * str_indata = luaL_checklstring(L,2,&le1);

    StrToHex( (char*)str_inkey, le, inkey );
    StrToHex( (char*)str_indata, le1, indata );

	CurCalc_DES_Encrypt( inkey, indata, outdata );
	
	HexToStr(outdata,8,(char*)str_out);

    //lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)str_out,16);
    //stackDump(L);
    return 1;
}

//DES解密
int LDES_Decrypt( lua_State* L )
{
   // int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char inkey[16];
    unsigned char indata[16];
    unsigned char outdata[16];
	unsigned char str_out[50];
    const char * str_inkey = luaL_checklstring(L,1,&le);
    const char * str_indata = luaL_checklstring(L,2,&le1);

    StrToHex( (char*)str_inkey, le, inkey );
    StrToHex( (char*)str_indata, le1, indata );

	CurCalc_DES_Decrypt( inkey, indata, outdata );
	
	HexToStr(outdata,8,(char*)str_out);

    //lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)str_out,16);
    //stackDump(L);
    return 1;
}


//3DES加密
int LDES_3Encrypt( lua_State* L )
{
   // int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char inkey[16];
    unsigned char indata[16];
    unsigned char outdata[16];
	unsigned char str_out[50];
    const char * str_inkey = luaL_checklstring(L,1,&le);
    const char * str_indata = luaL_checklstring(L,2,&le1);

    StrToHex( (char*)str_inkey, le, inkey );
    StrToHex( (char*)str_indata, le1, indata );

	CurCalc_3DES_Encrypt( inkey, indata, outdata );
	
	HexToStr(outdata,16,(char*)str_out);

    //lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)str_out,32);
    //stackDump(L);
    return 1;
}

//3DES解密
int LDES_3Decrypt( lua_State* L )
{
   // int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char inkey[16];
    unsigned char indata[16];
    unsigned char outdata[16];
	unsigned char str_out[50];
    const char * str_inkey = luaL_checklstring(L,1,&le);
    const char * str_indata = luaL_checklstring(L,2,&le1);

    StrToHex( (char*)str_inkey, le, inkey );
    StrToHex( (char*)str_indata, le1, indata );

	CurCalc_3DES_Decrypt( inkey, indata, outdata );
	
	HexToStr(outdata,16,(char*)str_out);

    //lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)str_out,32);
    //stackDump(L);
    return 1;
}


U32 MathDesMac( U08 *pbuf, U32 length, U08 *key,U08 checktype )
{
	U32 len ;
	U08 mac[8], mac1[8];

	len = length ;

	if( checktype == 0 )
	{
		CurCalc_DES_MAC64( (SINGLE_DES_ENCRYPTION|ZERO_CBC_IV), key, 0, pbuf, len ,  mac );
		memcpy( pbuf len, mac, 8 );
		return 0 ;
	}
	else
	{
		//暂存源校验码
		memcpy( mac1, pbuf len-8, 8 ) ; 
		CurCalc_DES_MAC64( (SINGLE_DES_ENCRYPTION|ZERO_CBC_IV), key, 0, pbuf, len-8 ,  mac) ; 

		if ( memcmp( mac, mac1, 8 ) == 0x00 )
		{
			return 0 ;	 	//校验产生的校验码和原校验码相等, 校验成功
		}
		else
		{
			return 1 ;	  	//校验产生的校验码和原校验码不等, 校验失败
		}
	}	
}

int LMathDesMac( lua_State* L )
{
    int ret = 0;
    size_t le = 0,le1 =0;
    unsigned char inkey[16];
    unsigned char indata[1024];
	unsigned char str_out[2048];
    
    const char * str_indata = luaL_checklstring(L,1,&le);
	int   inlen   =  luaL_checkinteger(L,2);
	const char * str_inkey = luaL_checklstring(L,3,&le1);
	int   type   =   luaL_checkinteger(L,4);
    StrToHex( (char*)str_indata, le, indata );
	StrToHex( (char*)str_inkey, le1, inkey );

	ret = MathDesMac( indata, inlen,inkey,type );
	
	memset(str_out,0,2048);
	HexToStr(indata,inlen 8,(char*)str_out);

    lua_pushinteger(L,ret); 
    lua_pushlstring(L,(char*)str_out,strlen((char*)str_out));
    //stackDump(L);
    return 1;
}
int main( void )  
{  
    //初始化全局L  
    L = luaL_newstate();  //创建lua的栈 
    //打开库  
    luaL_openlibs(L);  
    //把函数压入栈中  
    //lua_pushcfunction(L, add);  
    //设置全局ADD  
    //lua_setglobal(L, "ADD");  
    //lua_register(L,"ADD",add);
    lua_pushcfunction(L, LConnect);  
    //设置全局ADD  
    lua_setglobal(L, "CONNECT"); 
    
    lua_register(L,"DISCONNECT", LDisConnect); 

    lua_register(L,"TxData",LTxData);
	lua_register(L,"TxData1",LTxData1);
	
    lua_register(L,"APDU", LAPDU_Exchange);  

    lua_register(L,"S_AID",LSelectAID); 
    lua_register(L,"S_SFI",LSelectSFI); 
    lua_register(L,"R_BFile",LReadBinaryFile);
    
    lua_register(L,"G_SN",LGetPhySn);
    lua_register(L,"R_Block",LBlkRead);
    lua_register(L,"W_Block",LBlkWrite);
	
	lua_register(L,"DES_Enc",LDES_Encrypt);
    lua_register(L,"DES_Dec",LDES_Decrypt);
	
	lua_register(L,"DES_3Enc",LDES_3Encrypt);
    lua_register(L,"DES_3Dec",LDES_3Decrypt);
	
	lua_register(L,"MathDesMac",LMathDesMac);
	
    //加载我们的lua脚本文件  
    if(luaL_loadfile(L,"test.lua"))  //载入lua脚本,是通过fopen打开的,
    {  
        printf("error,failed to analysis script!nmaybe syntax error!n");  
    }  
    //安全检查  
    lua_pcall(L,0,0,0); //这个函数会执行lua脚本 
    //push进lua函数  
   // lua_getglobal(L, "mylua1"); 
   // lua_pcall(L,0,0,0);   
    printf("end my lua script,finish!n"); 
    lua_close(L); //关闭lua的栈  

    return 0;  
}  

php后台的处理原理:

compile.php

代码语言:javascript复制
<?php
header('Content-Type:json; charset=UTF-8');
set_time_limit(0);
//var_dump($_POST);
$str= $_POST['code'];
//echo $str;
file_put_contents("test.lua",$str);

$flv_cmd="lua_test.exe >out.txt";
exec($flv_cmd);

if(file_exists("out.txt"))
{
	$txt1 = file_get_contents("out.txt");
	$err ="ok";
	$txt =iconv("GB2312","UTF-8//IGNORE",$txt1); //将编码从GB2312转成UTF-8
	//echo $txt; 
}
else
{
	$txt ="output err!n";
	$err ="exec err!n";
}
$json = array("output"=>$txt,"langid"=>"17","code"=>"print("Hello World!")","errors"=>$err,"time"=>"01n");
//var_dump($json);
$result = json_encode($json);
//var_dump($result);
$output = $result;
echo $output; 
?>

后台库文件的makefile:

代码语言:javascript复制
(wildcard *.c) DIR  = (notdir (SRC)) OBJS = (patsubst %.c,(OBJ_DIR)%.o,(BINARY).exe prebuild: @echo Building app... (BINARY).exe : (OBJS) @echo Generating ... (CC) -o (BINARY).exe (OBJS) (LDFLAGS) (LDSCRIPT)  @echo OK! (OBJ_DIR)%.o : %.c(CC) -c (CFLAGS) < -o  

0 人点赞