From 285b23cd2dadbdf227851ba5726f6e08ad4051f0 Mon Sep 17 00:00:00 2001
From: Changhua
Date: Thu, 23 Feb 2023 07:42:58 +0800
Subject: [PATCH] Impl SendFileMessage
---
 rpc/proto/wcf.proto | 1 +
 spy/load_calls.cpp | 1 +
 spy/rpc_server.cpp | 28 +++++++++++++++++++
 spy/send_msg.cpp | 67 +++++++++++++++++++++++++++++++++++++++++++++
 spy/send_msg.h | 1 +
 spy/spy_types.h | 21 +++++++-------
 6 files changed, 109 insertions(+), 10 deletions(-)
diff --git a/rpc/proto/wcf.proto b/rpc/proto/wcf.proto
index 2b8d8f1..0410d0a 100644
--- a/rpc/proto/wcf.proto
+++ b/rpc/proto/wcf.proto
@@ -30,6 +30,7 @@ enum Functions {
 FUNC_GET_DB_TABLES = 0x14;
 FUNC_SEND_TXT = 0x20;
 FUNC_SEND_IMG = 0x21;
+ FUNC_SEND_FILE = 0x22;
 FUNC_ENABLE_RECV_TXT = 0x30;
 FUNC_DISABLE_RECV_TXT = 0x40;
 FUNC_EXEC_DB_QUERY = 0x50;
diff --git a/spy/load_calls.cpp b/spy/load_calls.cpp
index dae885b..be4ace1 100644
--- a/spy/load_calls.cpp
+++ b/spy/load_calls.cpp
@@ -12,6 +12,7 @@ WxCalls_t wxCalls = {
 Hook, call, type, self, id, msgXml, roomId, wxId, content */
 { 0x550F4C, 0xA96350, 0x38, 0x3C, 0x184, 0x1EC, 0x48, 0x170, 0x70 },
 { 0xBD780, 0x771980, 0x521640 }, // Send Image Message
+ { 0xC3B70, 0x771980, 0x3ED8C0 }, // Send File Message
 /* Get Contacts: Base, head, wxId, Code, Name, Gender, Country, Province, City*/
 { 0x23668F4, 0x4C, 0x30, 0x44, 0x8C, 0x184, 0x1D0, 0x1E4, 0x1F8 },
diff --git a/spy/rpc_server.cpp b/spy/rpc_server.cpp
index 6ddc235..522c2ee 100644
--- a/spy/rpc_server.cpp
+++ b/spy/rpc_server.cpp
@@ -206,6 +206,29 @@ bool func_send_img(char *path, char *receiver, uint8_t *out, size_t *len)
 return true;
 }
+bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len)
+{
+ Response rsp = Response_init_default;
+ rsp.func = Functions_FUNC_SEND_IMG;
+ rsp.which_msg = Response_status_tag;
+ rsp.msg.status = 0;
+
+ if ((path == NULL) || (receiver == NULL)) {
+ rsp.msg.status = -1;
+ } else {
+ SendImageMessage(receiver, path);
+ }
+
+ pb_ostream_t stream = pb_ostream_from_buffer(out, *len);
+ if (!pb_encode(&stream, Response_fields, &rsp)) {
+ LOG_ERROR("Encoding failed: {}", PB_GET_ERROR(&stream));
+ return false;
+ }
+ *len = stream.bytes_written;
+
+ return true;
+}
+
 static void PushMessage()
 {
 static nng_socket msg_sock;
@@ -425,6 +448,11 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
 ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len);
 break;
 }
+ case Functions_FUNC_SEND_FILE: {
+ LOG_DEBUG("[Functions_FUNC_SEND_FILE]");
+ ret = func_send_file(req.msg.file.path, req.msg.file.receiver, out, out_len);
+ break;
+ }
 case Functions_FUNC_ENABLE_RECV_TXT: {
 LOG_DEBUG("[Functions_FUNC_ENABLE_RECV_TXT]");
 ret = func_enable_recv_txt(out, out_len);
diff --git a/spy/send_msg.cpp b/spy/send_msg.cpp
index f961d33..86092be 100644
--- a/spy/send_msg.cpp
+++ b/spy/send_msg.cpp
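Review bot: func_send_file is an unfinished copy of func_send_img: it sets `rsp.func = Functions_FUNC_SEND_IMG` and calls `SendImageMessage(receiver, path)`, so a FUNC_SEND_FILE request is answered as an image request and the new SendFileMessage in spy/send_msg.cpp is never reached. The two lines should read `rsp.func = Functions_FUNC_SEND_FILE;` and `SendFileMessage(receiver, path);`. Status also stays 0 whenever both pointers are non-NULL, because the send call returns nothing; a comment should say so until the result is propagated.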
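Review bot: The new `Functions_FUNC_SEND_FILE` case passes `req.msg.file.path` and `req.msg.file.receiver` from the decoded request straight to func_send_file, with no check on the path. Any client that can reach this RPC endpoint can therefore have any file readable by the host process sent to a receiver of its choosing; the listener's bind address and any authentication are outside this hunk, so the actual exposure cannot be judged from here. Consider canonicalising the path and rejecting anything outside a configured outbound directory before the call, and log path and receiver at that point so sends can be audited. dispatcher starts and ends outside the hunk.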
@@ -129,3 +129,70 @@ void SendImageMessage(string wxid, string path)
 popad
 }
 }
+
+void SendFileMessage(string wxid, string path)
+{
+ if (g_WeChatWinDllAddr == 0) {
+ return;
+ }
+ DWORD tmpEAX = 0;
+ char buffer[0x3B0] = { 0 };
+ TextStruct_t fileWxid = { 0 };
+ TextStruct_t filePath = { 0 };
+ TextStruct_t nullbuffer = { 0 };
+
+ wstring wsWxid = String2Wstring(wxid);
+ wstring wspath = String2Wstring(path);
+
+ fileWxid.text = (wchar_t *)wsWxid.c_str();
+ fileWxid.size = wsWxid.size();
+ fileWxid.capacity = wsWxid.capacity();
+
+ filePath.text = (wchar_t *)wspath.c_str();
+ filePath.size = wspath.size();
+ filePath.capacity = wspath.capacity();
+
+ // 发送文件Call地址 = 微信基址 + 偏移
+ DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call1;
+ DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call2;
+ DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call3;
+
+ int isSuccess = 0;
+ __asm {
+ pushad;
+ pushfd;
+ call sendCall1;
+ sub esp, 0x14;
+ mov tmpEAX, eax;
+ lea eax, nullbuffer;
+ mov ecx, esp;
+ push eax;
+ call sendCall2;
+ push 0x00DBE200;
+ sub esp, 0x14;
+ mov edi, esp;
+ mov dword ptr ds : [edi] , 0x0;
+ mov dword ptr ds : [edi + 0x4] , 0x0;
+ mov dword ptr ds : [edi + 0x8] , 0x0;
+ mov dword ptr ds : [edi + 0xC] , 0x0;
+ mov dword ptr ds : [edi + 0x10] , 0x0;
+ sub esp, 0x14;
+ lea eax, filePath;
+ mov ecx, esp;
+ push eax;
+ call sendCall2;
+ sub esp, 0x14;
+ lea eax, fileWxid;
+ mov ecx, esp;
+ push eax;
+ call sendCall2;
+ mov ecx, dword ptr [tmpEAX];
+ lea eax, buffer;
+ push eax;
+ call sendCall3;
+ mov al,byte ptr [eax + 0x38];
+ movzx eax,al;
+ popfd;
+ popad;
+ }
+}
diff --git a/spy/send_msg.h b/spy/send_msg.h
index 4f744c2..9abac22 100644
--- a/spy/send_msg.h
+++ b/spy/send_msg.h
@@ -6,3 +6,4 @@ using namespace std;
 void SendTextMessage(string wxid, string msg, string atWxids);
 void SendImageMessage(string wxid, string path);
+void SendFileMessage(string wxid, string path);
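Review bot: The send result never leaves the `__asm` block in SendFileMessage: `movzx eax,al` loads the status byte, but the following `popad` restores the saved EAX, and `isSuccess` is declared and never written. Adding `mov isSuccess, eax;` right after the `movzx` and logging or returning the value would let the RPC layer report a failed send; returning it also means changing the `void` declaration in spy/send_msg.h. Separately, `push 0x00DBE200` is the only address-like literal not built from `g_WeChatWinDllAddr` plus a `g_WxCalls` offset; if it is an address inside the module it should go through the same table, and either way it needs a comment saying what it is. The closing `popfd`/`popad` assume the three calls leave ESP exactly where `pushfd` left it, which cannot be confirmed from the hunk and deserves a comment stating the callee-cleanup assumption.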
diff --git a/spy/spy_types.h b/spy/spy_types.h
index 2bf072b..5bb9373 100644
--- a/spy/spy_types.h
+++ b/spy/spy_types.h
@@ -20,11 +20,11 @@ typedef struct RecvMsg {
 DWORD content; // 消息内容地址
 } RecvMsg_t;
-typedef struct SendImg {
+typedef struct Sendfile {
 DWORD call1;
 DWORD call2;
 DWORD call3;
-} SendImg_t;
+} Sendfile_t;
 typedef struct Contact {
 DWORD base;
@@ -54,14 +54,15 @@ typedef struct NewFriend {
 } NewFriend_t;
 typedef struct WxCalls {
- DWORD login; // 登录状态
- UserInfoCall_t ui; // 用户信息
- DWORD sendTextMsg; // 发送消息
- RecvMsg_t recvMsg; // 接收消息
- SendImg_t sendImg; // 发送图片
- Contact_t contact; // 获取联系人
- Sql_t sql; // 执行 SQL
- NewFriend_t anf; // 通过好友申请
+ DWORD login; // 登录状态
+ UserInfoCall_t ui; // 用户信息
+ DWORD sendTextMsg; // 发送消息
+ RecvMsg_t recvMsg; // 接收消息
+ Sendfile_t sendImg; // 发送图片
+ Sendfile_t sendFile; // 发送文件
+ Contact_t contact; // 获取联系人
+ Sql_t sql; // 执行 SQL
+ NewFriend_t anf; // 通过好友申请
 } WxCalls_t;