2023-02-18 19:45:36 +08:00
|
|
|
|
#include "framework.h"
|
|
|
|
|
|
#include <sstream>
|
2022-08-20 17:39:21 +08:00
|
|
|
|
#include <vector>
|
2021-02-12 23:21:57 +08:00
|
|
|
|
|
2022-10-15 20:25:42 +08:00
|
|
|
|
#include "send_msg.h"
|
2022-10-16 22:14:06 +08:00
|
|
|
|
#include "spy_types.h"
|
2023-02-18 19:45:36 +08:00
|
|
|
|
#include "util.h"
|
2021-02-12 23:21:57 +08:00
|
|
|
|
|
|
|
|
|
|
extern HANDLE g_hEvent;
|
|
|
|
|
|
extern WxCalls_t g_WxCalls;
|
|
|
|
|
|
extern DWORD g_WeChatWinDllAddr;
|
|
|
|
|
|
|
2022-08-20 17:39:21 +08:00
|
|
|
|
typedef struct AtList {
|
|
|
|
|
|
DWORD start;
|
|
|
|
|
|
DWORD end1;
|
|
|
|
|
|
DWORD end2;
|
|
|
|
|
|
} AtList_t;
|
|
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
void SendTextMessage(string wxid, string msg, string atWxids)
|
2021-02-12 23:21:57 +08:00
|
|
|
|
{
|
2022-08-20 17:39:21 +08:00
|
|
|
|
char buffer[0x3B0] = { 0 };
|
|
|
|
|
|
AtList_t atList = { 0 };
|
|
|
|
|
|
TextStruct_t txtMsg = { 0 };
|
|
|
|
|
|
TextStruct_t txtWxid = { 0 };
|
|
|
|
|
|
TextStruct_t *tsArray = NULL;
|
2021-02-12 23:21:57 +08:00
|
|
|
|
|
|
|
|
|
|
// 发送消息Call地址 = 微信基址 + 偏移
|
|
|
|
|
|
DWORD sendCallAddress = g_WeChatWinDllAddr + g_WxCalls.sendTextMsg;
|
|
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
wstring wsWxid = String2Wstring(wxid);
|
|
|
|
|
|
wstring wsMsg = String2Wstring(msg);
|
2022-08-20 17:39:21 +08:00
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
txtMsg.text = (wchar_t *)wsMsg.c_str();
|
|
|
|
|
|
txtMsg.size = wsMsg.size();
|
|
|
|
|
|
txtMsg.capacity = wsMsg.capacity();
|
2021-02-12 23:21:57 +08:00
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
txtWxid.text = (wchar_t *)wsWxid.c_str();
|
|
|
|
|
|
txtWxid.size = wsWxid.size();
|
|
|
|
|
|
txtWxid.capacity = wsWxid.capacity();
|
|
|
|
|
|
|
2023-02-28 20:40:12 +08:00
|
|
|
|
vector<TextStruct_t> vTxtAtWxids;
|
2023-02-18 19:45:36 +08:00
|
|
|
|
if (!atWxids.empty()) {
|
2022-08-20 17:39:21 +08:00
|
|
|
|
vector<wstring> vAtWxids;
|
2023-02-28 20:40:12 +08:00
|
|
|
|
wstringstream wss(String2Wstring(atWxids));
|
2022-08-20 17:39:21 +08:00
|
|
|
|
while (wss.good()) {
|
2023-02-28 20:40:12 +08:00
|
|
|
|
wstring wstr;
|
2022-08-20 17:39:21 +08:00
|
|
|
|
getline(wss, wstr, L',');
|
|
|
|
|
|
vAtWxids.push_back(wstr);
|
2023-02-28 20:40:12 +08:00
|
|
|
|
TextStruct_t txtAtWxid = { 0 };
|
|
|
|
|
|
txtAtWxid.text = (wchar_t *)vAtWxids.back().c_str();
|
|
|
|
|
|
txtAtWxid.size = vAtWxids.back().size();
|
|
|
|
|
|
txtAtWxid.capacity = vAtWxids.back().capacity();
|
|
|
|
|
|
vTxtAtWxids.push_back(txtAtWxid);
|
2022-08-20 17:39:21 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
__asm
|
|
|
|
|
|
{
|
2023-02-28 20:40:12 +08:00
|
|
|
|
lea eax, vTxtAtWxids;
|
2022-08-20 17:39:21 +08:00
|
|
|
|
push 0x01;
|
|
|
|
|
|
push eax;
|
|
|
|
|
|
lea edi, txtMsg;
|
|
|
|
|
|
push edi;
|
|
|
|
|
|
lea edx, txtWxid;
|
2021-02-12 23:21:57 +08:00
|
|
|
|
lea ecx, buffer;
|
2022-08-20 17:39:21 +08:00
|
|
|
|
call sendCallAddress;
|
|
|
|
|
|
add esp, 0xC;
|
|
|
|
|
|
}
|
2021-02-12 23:21:57 +08:00
|
|
|
|
}
|
2021-08-22 21:57:16 +08:00
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
void SendImageMessage(string wxid, string path)
|
2021-08-22 21:57:16 +08:00
|
|
|
|
{
|
|
|
|
|
|
if (g_WeChatWinDllAddr == 0) {
|
|
|
|
|
|
return;
|
2022-08-20 17:39:21 +08:00
|
|
|
|
}
|
2022-08-06 21:44:59 +08:00
|
|
|
|
DWORD tmpEAX = 0;
|
2022-08-06 21:44:26 +08:00
|
|
|
|
char buf1[0x48] = { 0 };
|
|
|
|
|
|
char buf2[0x3B0] = { 0 };
|
2021-08-22 21:57:16 +08:00
|
|
|
|
TextStruct_t imgWxid = { 0 };
|
|
|
|
|
|
TextStruct_t imgPath = { 0 };
|
|
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
wstring wsWxid = String2Wstring(wxid);
|
|
|
|
|
|
wstring wspath = String2Wstring(path);
|
|
|
|
|
|
|
|
|
|
|
|
imgWxid.text = (wchar_t *)wsWxid.c_str();
|
|
|
|
|
|
imgWxid.size = wsWxid.size();
|
|
|
|
|
|
imgWxid.capacity = wsWxid.capacity();
|
2021-08-22 21:57:16 +08:00
|
|
|
|
|
2023-02-18 19:45:36 +08:00
|
|
|
|
imgPath.text = (wchar_t *)wspath.c_str();
|
|
|
|
|
|
imgPath.size = wspath.size();
|
|
|
|
|
|
imgPath.capacity = wspath.capacity();
|
2021-08-22 21:57:16 +08:00
|
|
|
|
|
|
|
|
|
|
// 发送图片Call地址 = 微信基址 + 偏移
|
|
|
|
|
|
DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call1;
|
|
|
|
|
|
DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call2;
|
|
|
|
|
|
DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call3;
|
|
|
|
|
|
|
|
|
|
|
|
__asm {
|
|
|
|
|
|
pushad
|
2022-08-20 17:39:21 +08:00
|
|
|
|
call sendCall1
|
|
|
|
|
|
sub esp, 0x14
|
|
|
|
|
|
mov tmpEAX, eax
|
|
|
|
|
|
lea eax, buf1
|
|
|
|
|
|
mov ecx, esp
|
|
|
|
|
|
lea edi, imgPath
|
|
|
|
|
|
push eax
|
|
|
|
|
|
call sendCall2
|
|
|
|
|
|
mov ecx, dword ptr[tmpEAX]
|
|
|
|
|
|
lea eax, imgWxid
|
|
|
|
|
|
push edi
|
|
|
|
|
|
push eax
|
|
|
|
|
|
lea eax, buf2
|
|
|
|
|
|
push eax
|
|
|
|
|
|
call sendCall3
|
2022-08-06 21:44:26 +08:00
|
|
|
|
popad
|
2021-08-22 21:57:16 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2023-02-23 07:42:58 +08:00
|
|
|
|
|
|
|
|
|
|
void SendFileMessage(string wxid, string path)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (g_WeChatWinDllAddr == 0) {
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
DWORD tmpEAX = 0;
|
|
|
|
|
|
char buffer[0x3B0] = { 0 };
|
|
|
|
|
|
TextStruct_t fileWxid = { 0 };
|
|
|
|
|
|
TextStruct_t filePath = { 0 };
|
|
|
|
|
|
TextStruct_t nullbuffer = { 0 };
|
|
|
|
|
|
|
|
|
|
|
|
wstring wsWxid = String2Wstring(wxid);
|
|
|
|
|
|
wstring wspath = String2Wstring(path);
|
|
|
|
|
|
|
|
|
|
|
|
fileWxid.text = (wchar_t *)wsWxid.c_str();
|
|
|
|
|
|
fileWxid.size = wsWxid.size();
|
|
|
|
|
|
fileWxid.capacity = wsWxid.capacity();
|
|
|
|
|
|
|
|
|
|
|
|
filePath.text = (wchar_t *)wspath.c_str();
|
|
|
|
|
|
filePath.size = wspath.size();
|
|
|
|
|
|
filePath.capacity = wspath.capacity();
|
|
|
|
|
|
|
|
|
|
|
|
// 发送文件Call地址 = 微信基址 + 偏移
|
|
|
|
|
|
DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call1;
|
|
|
|
|
|
DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call2;
|
|
|
|
|
|
DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call3;
|
|
|
|
|
|
|
|
|
|
|
|
__asm {
|
|
|
|
|
|
pushad;
|
|
|
|
|
|
pushfd;
|
|
|
|
|
|
call sendCall1;
|
|
|
|
|
|
sub esp, 0x14;
|
|
|
|
|
|
mov tmpEAX, eax;
|
|
|
|
|
|
lea eax, nullbuffer;
|
|
|
|
|
|
mov ecx, esp;
|
|
|
|
|
|
push eax;
|
|
|
|
|
|
call sendCall2;
|
|
|
|
|
|
push 0x00DBE200;
|
|
|
|
|
|
sub esp, 0x14;
|
|
|
|
|
|
mov edi, esp;
|
|
|
|
|
|
mov dword ptr ds : [edi] , 0x0;
|
|
|
|
|
|
mov dword ptr ds : [edi + 0x4] , 0x0;
|
|
|
|
|
|
mov dword ptr ds : [edi + 0x8] , 0x0;
|
|
|
|
|
|
mov dword ptr ds : [edi + 0xC] , 0x0;
|
|
|
|
|
|
mov dword ptr ds : [edi + 0x10] , 0x0;
|
|
|
|
|
|
sub esp, 0x14;
|
|
|
|
|
|
lea eax, filePath;
|
|
|
|
|
|
mov ecx, esp;
|
|
|
|
|
|
push eax;
|
|
|
|
|
|
call sendCall2;
|
|
|
|
|
|
sub esp, 0x14;
|
|
|
|
|
|
lea eax, fileWxid;
|
|
|
|
|
|
mov ecx, esp;
|
|
|
|
|
|
push eax;
|
|
|
|
|
|
call sendCall2;
|
|
|
|
|
|
mov ecx, dword ptr [tmpEAX];
|
|
|
|
|
|
lea eax, buffer;
|
|
|
|
|
|
push eax;
|
|
|
|
|
|
call sendCall3;
|
|
|
|
|
|
mov al,byte ptr [eax + 0x38];
|
|
|
|
|
|
movzx eax,al;
|
|
|
|
|
|
popfd;
|
|
|
|
|
|
popad;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
