From 2851ab4f50d2122330eda5e29162a1053eceb16f Mon Sep 17 00:00:00 2001
From: Changhua
Date: Sat, 24 Jun 2023 10:25:22 +0800
Subject: [PATCH] Impl Functions_FUNC_RECV_TRANSFER
---
 rpc/proto/wcf.proto | 3 +-
 spy/load_calls.cpp | 2 +-
 spy/receive_transfer.cpp | 66 ++++++++++++++++++++++++++++------------
 spy/receive_transfer.h | 2 +-
 spy/rpc_server.cpp | 8 ++---
 spy/spy_types.h | 1 +
 6 files changed, 54 insertions(+), 28 deletions(-)
diff --git a/rpc/proto/wcf.proto b/rpc/proto/wcf.proto
index 34d1d83..b0d05bc 100644
--- a/rpc/proto/wcf.proto
+++ b/rpc/proto/wcf.proto
@@ -167,5 +167,6 @@ message DecPath
 message Transfer
 {
 string wxid = 1; // 转账人
- string tid = 2; // 转账id transferid
+ string tfid = 2; // 转账id transferid
+ string taid = 3; // Transaction id
 }
diff --git a/spy/load_calls.cpp b/spy/load_calls.cpp
index fab2a89..31680f1 100644
--- a/spy/load_calls.cpp
+++ b/spy/load_calls.cpp
@@ -23,7 +23,7 @@ WxCalls_t wxCalls = {
 { 0x141BDF0, 0x2366934, 0x1428, 0x142C, 0x3C, 0x50 },
 { 0xA17D50, 0xF59E40, 0xA18BD0, 0xA17E70 }, // Accept New Friend application
 { 0x78CF20, 0xF59E40, 0xBD1DC0 }, // Add chatroom members
- { 0x771980, 0xCD2A90 } // Receive transfer
+ { 0x7B2E60, 0x15E2C20, 0x79C250 } // Receive transfer
 };
 int LoadCalls(const wchar_t *version, WxCalls_t *calls)
diff --git a/spy/receive_transfer.cpp b/spy/receive_transfer.cpp
index 80346c2..6e1f006 100644
--- a/spy/receive_transfer.cpp
+++ b/spy/receive_transfer.cpp
@@ -1,4 +1,4 @@
-#include "receive_transfer.h"
+#include "receive_transfer.h"
 #include "load_calls.h"
 #include "log.h"
 #include "util.h"
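Review bot: In spy/load_calls.cpp the replaced `// Receive transfer` row holds three bare offsets with no indication of which WeChatWin.dll build they were taken from or which slot is call1, call2 and call3. Offsets of this kind are added to g_WeChatWinDllAddr and called in spy/receive_transfer.cpp (presumably after LoadCalls copies this table), so a mismatch with the loaded module would transfer control to an unrelated address in the host process. I would extend the row comment, for example `// Receive transfer: call1, call2, call3 (WeChatWin.dll <version>)`, and confirm that LoadCalls refuses any other version; its body is outside this hunk.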
@@ -8,31 +8,57 @@ using namespace std;
 extern WxCalls_t g_WxCalls;
 extern DWORD g_WeChatWinDllAddr;
-int ReceiveTransfer(string wxid, string transferid)
+int ReceiveTransfer(string wxid, string transferid, string transactionid)
 {
 int rv = 0;
- DWORD recvTransferCall = g_WeChatWinDllAddr + g_WxCalls.tf.call1;
+ DWORD recvTransferCall1 = g_WeChatWinDllAddr + g_WxCalls.tf.call1;
 DWORD recvTransferCall2 = g_WeChatWinDllAddr + g_WxCalls.tf.call2;
+ DWORD recvTransferCall3 = g_WeChatWinDllAddr + g_WxCalls.tf.call3;
- wstring wsWxid = String2Wstring(wxid);
- wstring wsTid = String2Wstring(transferid);
+ char payInfo[0x134] = { 0 };
+ wstring wsWxid = String2Wstring(wxid);
+ WxString_t wxWxid = { 0 };
+ wxWxid.text = (wchar_t *)wsWxid.c_str();
+ wxWxid.size = wsWxid.size();
+ wxWxid.capacity = wsWxid.capacity();
- LOG_DEBUG("Receiving transfer, from: {}, transferid: {}", wxid, transferid);
+ wstring wsTfid = String2Wstring(transferid);
+ WxString_t wxTfid = { 0 };
+ wxTfid.text = (wchar_t *)wsTfid.c_str();
+ wxTfid.size = wsTfid.size();
+ wxTfid.capacity = wsTfid.capacity();
+
+ wstring wsTaid = String2Wstring(transactionid);
+ WxString_t wxTaid = { 0 };
+ wxTaid.text = (wchar_t *)wsTaid.c_str();
+ wxTaid.size = wsTaid.size();
+ wxTaid.capacity = wsTaid.capacity();
+
+ LOG_DEBUG("Receiving transfer, from: {}, transferid: {}, transactionid: {}", wxid, transferid, transactionid);
 __asm {
- pushad
- sub esp, 0x30
- mov ecx, esp
- lea eax, wsTid
- push eax
- call recvTransferCall
- lea ecx, dword ptr ds:[esp+0x14]
- lea eax, wsWxid
- push eax
- call recvTransferCall
- call recvTransferCall2
- add esp, 0x30
- mov rv, eax
- popad
+ pushad;
+ lea ecx, payInfo;
+ call recvTransferCall1;
+ mov dword ptr[payInfo + 0x4], 0x1;
+ mov dword ptr[payInfo + 0x4C], 0x1;
+ popad;
+ }
+ memcpy(&payInfo[0x1C], &wxTaid, sizeof(wxTaid));
+ memcpy(&payInfo[0x38], &wxTfid, sizeof(wxTfid));
+
+ __asm {
+ pushad;
+ push 0x1;
+ sub esp, 0x8;
+ lea edx, wxWxid;
+ lea ecx, payInfo;
+ call recvTransferCall2;
+ mov rv, eax;
+ add esp, 0xC;
+ push 0x0;
+ lea ecx, payInfo;
+ call recvTransferCall3;
+ popad;
 }
 return rv;
diff --git a/spy/receive_transfer.h b/spy/receive_transfer.h
index 82fd0aa..1942fb1 100644
--- a/spy/receive_transfer.h
+++ b/spy/receive_transfer.h
@@ -2,4 +2,4 @@
 #include
-int ReceiveTransfer(std::string wxid, std::string transferid);
+int ReceiveTransfer(std::string wxid, std::string transferid, std::string transactionid);
diff --git a/spy/rpc_server.cpp b/spy/rpc_server.cpp
index f1898d1..ffed0f7 100644
--- a/spy/rpc_server.cpp
+++ b/spy/rpc_server.cpp
@@ -486,14 +486,14 @@ bool func_add_room_members(char *roomid, char *wxids, uint8_t *out, size_t *len)
 return true;
 }
-bool func_receive_transfer(char *wxid, char *transferid, uint8_t *out, size_t *len)
+bool func_receive_transfer(char *wxid, char *tfid, char *taid, uint8_t *out, size_t *len)
 {
 Response rsp = Response_init_default;
 rsp.func = Functions_FUNC_RECV_TRANSFER;
 rsp.which_msg = Response_status_tag;
 rsp.msg.status = 0;
- rsp.msg.status = ReceiveTransfer(wxid, transferid);
+ rsp.msg.status = ReceiveTransfer(wxid, tfid, taid);
 if (rsp.msg.status != 1) {
 LOG_ERROR("AddChatroomMember failed: {}", rsp.msg.status);
 }
@@ -630,13 +630,11 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
 ret = func_add_room_members(req.msg.m.roomid, req.msg.m.wxids, out, out_len);
 break;
 }
-#if 0
 case Functions_FUNC_RECV_TRANSFER: {
 LOG_DEBUG("[Functions_FUNC_RECV_TRANSFER]");
- ret = func_receive_transfer(req.msg.tf.wxid, req.msg.tf.tid, out, out_len);
+ ret = func_receive_transfer(req.msg.tf.wxid, req.msg.tf.tfid, req.msg.tf.taid, out, out_len);
 break;
 }
-#endif
 case Functions_FUNC_DECRYPT_IMAGE: {
 LOG_DEBUG("[FUNCTIONS_FUNC_DECRYPT_IMAGE]");
 ret = func_decrypt_image(req.msg.dec.src, req.msg.dec.dst, out, out_len);
diff --git a/spy/spy_types.h b/spy/spy_types.h
index 22a8c81..e34cd67 100644
--- a/spy/spy_types.h
+++ b/spy/spy_types.h
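Review bot: The writes into `payInfo` in spy/receive_transfer.cpp (0x4 and 0x4C in the first `__asm` block, the two `memcpy` calls at 0x1C and 0x38) rely on a fixed layout that nothing in ReceiveTransfer checks or documents. WxString_t is declared outside this hunk; if its size is larger than 0x1C the second copy overwrites the tail of the first, so I would add `static_assert(sizeof(WxString_t) <= 0x38 - 0x1C, "payInfo fields overlap");` beside the buffer and give the offsets names. The 8 bytes reserved by `sub esp, 0x8` are never written before `call recvTransferCall2`, and each `.text` pointer aliases a local wstring through a const-dropping cast. A comment such as `// callee ignores the two reserved slots and does not keep or free .text` would record the assumptions this depends on, if they hold. The function's closing brace lies outside the hunk.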
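Review bot: In spy/rpc_server.cpp, func_receive_transfer passes `wxid`, `tfid` and `taid` straight to ReceiveTransfer, which takes std::string by value, so a null `char *` at this call is undefined behaviour in the conversion. Whether the request decoder can leave these fields null is not visible in the hunk; if it can, a request with a missing field would crash the host process. A guard at the call, `if (!wxid || !tfid || !taid) { rsp.msg.status = -1; } else { rsp.msg.status = ReceiveTransfer(wxid, tfid, taid); }`, avoids that. The error text on the following context line still reads `AddChatroomMember failed`, which looks copied from the function above and should name the transfer instead. The function body continues past the end of the hunk.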
@@ -82,6 +82,7 @@ typedef struct Xml {
 typedef struct TF {
 DWORD call1;
 DWORD call2;
+ DWORD call3;
 } TF_t;
 typedef struct WxCalls {