diff --git a/spy/load_calls.cpp b/spy/load_calls.cpp
index 8218767..492cb18 100644
--- a/spy/load_calls.cpp
+++ b/spy/load_calls.cpp
@@ -10,7 +10,7 @@ WxCalls_t wxCalls = {
 { 0x768140, 0xCE6C80, 0x756960 }, // Send Message
 /* Receive Message: Hook, call, type, self, id, msgXml, roomId, wxId, content, thumb, extra */
- { 0x550F4C, 0xA96350, 0x38, 0x3C, 0x184, 0x1EC, 0x48, 0x170, 0x70, 0x198, 0x1AC },
+ { 0xD19A0B, 0x756960, 0x38, 0x3C, 0x194, 0x1FC, 0x48, 0x180, 0x70, 0x1A8, 0x1BC },
 { 0x768140, 0XF59E40, 0XCE6640, 0x756960 }, // Send Image Message
 { 0x76AE20, 0xF59E40, 0xB6D1F0, 0x756960 }, // Send File Message
 { 0xB8A70, 0x3ED5E0, 0x107F00, 0x3ED7B0, 0x2386FE4 }, // Send xml Message
diff --git a/spy/receive_msg.cpp b/spy/receive_msg.cpp
index 9e58ee9..6be0b1e 100644
--- a/spy/receive_msg.cpp
+++ b/spy/receive_msg.cpp
@@ -89,21 +89,20 @@ void UnHookAddress(DWORD hookAddr, CHAR restoreCode[5])
 void DispatchMsg(DWORD reg)
 {
 WxMsg_t wxMsg;
- DWORD *p = (DWORD *)reg; // 消息结构基址
- wxMsg.type = GET_DWORD(*p + g_WxCalls.recvMsg.type);
- wxMsg.is_self = GET_DWORD(*p + g_WxCalls.recvMsg.isSelf);
- wxMsg.id = GetStringByAddress(*p + g_WxCalls.recvMsg.msgId);
- wxMsg.xml = GetStringByAddress(*p + g_WxCalls.recvMsg.msgXml);
+ wxMsg.type = GET_DWORD(reg + g_WxCalls.recvMsg.type);
+ wxMsg.is_self = GET_DWORD(reg + g_WxCalls.recvMsg.isSelf);
+ wxMsg.id = GetStringByStrAddr(reg + g_WxCalls.recvMsg.msgId);
+ wxMsg.xml = GetStringByStrAddr(reg + g_WxCalls.recvMsg.msgXml);
- string roomid = GetStringByAddress(*p + g_WxCalls.recvMsg.roomId);
+ string roomid = GetStringByWstrAddr(reg + g_WxCalls.recvMsg.roomId);
 if (roomid.find("@chatroom") != string::npos) { // 群 ID 的格式为 xxxxxxxxxxx@chatroom
 wxMsg.is_group = true;
 wxMsg.roomid = roomid;
 if (wxMsg.is_self) {
 wxMsg.sender = GetSelfWxid();
 } else {
- wxMsg.sender = GetStringByAddress(*p + g_WxCalls.recvMsg.wxId);
+ wxMsg.sender = GetStringByStrAddr(reg + g_WxCalls.recvMsg.wxId);
 }
 } else {
 wxMsg.is_group = false;
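Review bot: The replaced Receive Message row changes both code addresses and every field offset, yet nothing in the hunk records which WeChat build the table now matches; the `/* Receive Message: Hook, call, ... */` comment only names the columns. A one-line comment above the row, e.g. `/* Receive Message (verified against WeChat <target-version-placeholder>) */`, lets the next person updating these numbers see what they were validated on. The `wxCalls` initializer begins in the hunk header context and continues past the end of the hunk.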
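Review bot: `reg` is now used directly as the base for every `GET_DWORD`/`GetStringBy*Addr` read, with no check that it is non-zero before the first dereference at `wxMsg.type = GET_DWORD(reg + g_WxCalls.recvMsg.type);`. The value arrives straight from a register at the hook site, so an unexpected register state would fault on the hooked WeChat thread rather than be reported by this module; a guard `if (reg == 0) return; // base of the message object captured by RecieveMsgFunc` at the top of the function is cheap. The hunk also mixes `GetStringByStrAddr` (msgId, msgXml, wxId) and `GetStringByWstrAddr` (roomId) without saying why, so a comment on the first call such as `// narrow-string fields: msgId, msgXml, wxId; wide-string fields: roomId, content` would make the per-field choice reviewable. DispatchMsg continues past the end of this hunk.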
@@ -114,15 +113,16 @@ void DispatchMsg(DWORD reg)
 }
 }
- wxMsg.content = GetStringByAddress(*p + g_WxCalls.recvMsg.content);
- wxMsg.thumb = GetStringByAddress(*p + g_WxCalls.recvMsg.thumb);
+ wxMsg.content = GetStringByWstrAddr(reg + g_WxCalls.recvMsg.content);
+
+ wxMsg.thumb = GetStringByStrAddr(reg + g_WxCalls.recvMsg.thumb);
 if (!wxMsg.thumb.empty()) {
- wxMsg.thumb = GetHomePath() + "\\WeChat Files\\" + wxMsg.thumb;
+ wxMsg.thumb = GetHomePath() + wxMsg.thumb;
 }
- wxMsg.extra = GetStringByAddress(*p + g_WxCalls.recvMsg.extra);
+ wxMsg.extra = GetStringByStrAddr(reg + g_WxCalls.recvMsg.extra);
 if (!wxMsg.extra.empty()) {
- wxMsg.extra = GetHomePath() + "\\WeChat Files\\" + wxMsg.extra;
+ wxMsg.extra = GetHomePath() + wxMsg.extra;
 }
 {
@@ -136,13 +136,13 @@ void DispatchMsg(DWORD reg)
 __declspec(naked) void RecieveMsgFunc()
 {
 __asm {
- mov reg_buffer, edi // 把值复制出来
- }
-
- DispatchMsg(reg_buffer);
-
- __asm
- {
+ pushad
+ pushfd
+ push ecx
+ call DispatchMsg
+ add esp, 0x4
+ popfd
+ popad
 call recvMsgCallAddr // 这个为被覆盖的call
 jmp recvMsgJumpBackAddr // 跳回被HOOK指令的下一条指令
 }
@@ -150,6 +150,7 @@ __declspec(naked) void RecieveMsgFunc()
 void ListenMessage()
 {
+ // DbgMsg("ListenMessage");
 // OutputDebugString(L"ListenMessage\n");
 // MessageBox(NULL, L"ListenMessage", L"ListenMessage", 0);
 if (gIsListening || (g_WeChatWinDllAddr == 0)) {
diff --git a/spy/rpc_server.cpp b/spy/rpc_server.cpp
index b2b2451..e48536a 100644
--- a/spy/rpc_server.cpp
+++ b/spy/rpc_server.cpp
@@ -605,11 +605,13 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
 ret = func_send_emotion(req.msg.file.path, req.msg.file.receiver, out, out_len);
 break;
 }
+#endif
 case Functions_FUNC_ENABLE_RECV_TXT: {
 LOG_DEBUG("[Functions_FUNC_ENABLE_RECV_TXT]");
 ret = func_enable_recv_txt(out, out_len);
 break;
 }
+#if 0
 case Functions_FUNC_DISABLE_RECV_TXT: {
 LOG_DEBUG("[Functions_FUNC_DISABLE_RECV_TXT]");
 ret = func_disable_recv_txt(out, out_len);
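Review bot: Dropping the `"\\WeChat Files\\"` segment leaves `wxMsg.thumb = GetHomePath() + wxMsg.thumb;` (and the matching `extra` line) with no separator between the two parts, so the result is only a usable path if `GetHomePath()` ends with a backslash or the string read from the message object starts with one; neither is visible in this diff. If the new offsets yield a path that already begins at the `WeChat Files` directory, say so at the assignment, e.g. `// thumb/extra now hold a path relative to GetHomePath(), leading separator included`; otherwise join the two with an explicit `"\\"`. Both values are read out of the message object and go straight into a filesystem path, so a short comment on whether they are set by WeChat itself rather than by the remote sender would help whoever later opens these files. DispatchMsg starts before this hunk and ends after it.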
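Review bot: `add esp, 0x4` after `call DispatchMsg` assumes DispatchMsg is `__cdecl` (caller pops the argument), but the definition in this file is plain `void DispatchMsg(DWORD reg)`, which is only `__cdecl` while the project's default calling convention is left alone (a `/Gz` build would make it `__stdcall` and unbalance the stack here). Spell it out on the definition and in the header: `void __cdecl DispatchMsg(DWORD reg);`. Separately, DispatchMsg constructs several `std::string`s and so can throw, and an exception has no way to unwind through this naked frame; wrapping DispatchMsg's body in `try { ... } catch (...) {}` so nothing propagates back into the hooked WeChat thread is worth the three lines. The `}` at the end of the hunk closes the asm block; RecieveMsgFunc's own closing brace lies outside it.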
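Review bot: Moving `#endif` above `case Functions_FUNC_ENABLE_RECV_TXT:` and opening a fresh `#if 0` before `case Functions_FUNC_DISABLE_RECV_TXT:` leaves the dispatcher able to switch message receiving on over RPC but not off, and nothing in the hunk records why. The `#if 0` should carry the reason, e.g. `#if 0 // FUNC_DISABLE_RECV_TXT: kept disabled until <reason-placeholder>; the enable path above is live`, so the asymmetry is not later mistaken for an oversight. The `#endif` added here closes a conditional that opens above the hunk, so the pairing cannot be checked from this page; confirm the other cases that remain inside it are the ones meant to stay out.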
diff --git a/spy/util.cpp b/spy/util.cpp
index 66a831e..7b22be5 100644
--- a/spy/util.cpp
+++ b/spy/util.cpp
@@ -213,6 +213,18 @@ string GetStringByAddress(DWORD address)
 return Wstring2String(wstring(GET_WSTRING(address), strLength));
 }
+string GetStringByStrAddr(DWORD addr)
+{
+ DWORD strLength = GET_DWORD(addr + 4);
+ return strLength ? string(GET_STRING(addr), strLength) : string();
+}
+
+string GetStringByWstrAddr(DWORD addr)
+{
+ DWORD strLength = GET_DWORD(addr + 4);
+ return strLength ? Wstring2String(wstring(GET_WSTRING(addr), strLength)) : string();
+}
+
 DWORD GetMemoryIntByAddress(HANDLE hProcess, DWORD address)
 {
 DWORD value = 0;
diff --git a/spy/util.h b/spy/util.h
index b33c685..5cf305f 100644
--- a/spy/util.h
+++ b/spy/util.h
@@ -28,4 +28,6 @@ std::wstring GetUnicodeInfoByAddress(HANDLE hProcess, DWORD address);
 std::wstring String2Wstring(std::string s);
 std::string Wstring2String(std::wstring ws);
 std::string GetStringByAddress(DWORD address);
+std::string GetStringByStrAddr(DWORD addr);
+std::string GetStringByWstrAddr(DWORD addr);
 void DbgMsg(const char *zcFormat, ...);
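Review bot: Both new helpers read the length at `addr + 4` and hand it unchecked to `string(GET_STRING(addr), strLength)` / `wstring(GET_WSTRING(addr), strLength)`, so a wrong offset, a moved field or a zero `addr` becomes an out-of-range read inside the WeChat process instead of an empty string. Since these are called with offsets that this same commit changes in spy/load_calls.cpp, a null check on `addr` and on the character pointer plus an upper bound on `strLength` (a named file-scope constant, a few MiB at most, to be defined alongside) would make a mismatch fail soft. The "pointer at +0, element count at +4" layout also deserves a line of documentation, best placed on the declarations added in spy/util.h where callers look; whether `GET_STRING`/`GET_WSTRING` yield a pointer is not visible here, so the sketch below assumes they do.
```cpp
string GetStringByStrAddr(DWORD addr)
{
    // Layout assumed: char pointer at addr, element count at addr + 4 — confirm against the load_calls offsets.
    if (addr == 0) return string();
    const char *chars = GET_STRING(addr);
    DWORD strLength = GET_DWORD(addr + 4);
    if (chars == nullptr || strLength == 0 || strLength > kMaxWxStringLen) return string();
    return string(chars, strLength);
}
// … GetStringByWstrAddr: same checks with a wchar_t pointer from GET_WSTRING, then Wstring2String …
```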