Impl Functions_FUNC_ENABLE_RECV_TXT

Changhua 2023-06-08 16:23:21 +08:00
parent e70fa39ad8
commit 29e260e345
5 changed files with 37 additions and 20 deletions


@ -10,7 +10,7 @@ WxCalls_t wxCalls = {
{ 0x768140, 0xCE6C80, 0x756960 }, // Send Message { 0x768140, 0xCE6C80, 0x756960 }, // Send Message
/* Receive Message: /* Receive Message:
Hook, call, type, self, id, msgXml, roomId, wxId, content, thumb, extra */ Hook, call, type, self, id, msgXml, roomId, wxId, content, thumb, extra */
{ 0x550F4C, 0xA96350, 0x38, 0x3C, 0x184, 0x1EC, 0x48, 0x170, 0x70, 0x198, 0x1AC }, { 0xD19A0B, 0x756960, 0x38, 0x3C, 0x194, 0x1FC, 0x48, 0x180, 0x70, 0x1A8, 0x1BC },
{ 0x768140, 0XF59E40, 0XCE6640, 0x756960 }, // Send Image Message { 0x768140, 0XF59E40, 0XCE6640, 0x756960 }, // Send Image Message
{ 0x76AE20, 0xF59E40, 0xB6D1F0, 0x756960 }, // Send File Message { 0x76AE20, 0xF59E40, 0xB6D1F0, 0x756960 }, // Send File Message
{ 0xB8A70, 0x3ED5E0, 0x107F00, 0x3ED7B0, 0x2386FE4 }, // Send xml Message { 0xB8A70, 0x3ED5E0, 0x107F00, 0x3ED7B0, 0x2386FE4 }, // Send xml Message
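Review bot: The rewritten Receive Message row replaces almost every offset without recording which client build the new values come from, and nothing visible here checks the loaded module's version before the addresses are used. A comment above the row such as `// offsets valid for client build <VERSION>` would make a stale table detectable in review; whether a runtime version check exists elsewhere cannot be told from this hunk. The new `call` value `0x756960` is also the last entry of the neighbouring Send Message rows, so it is worth confirming that the shared address is intended. The initializer starts and ends outside the hunk.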


@ -89,21 +89,20 @@ void UnHookAddress(DWORD hookAddr, CHAR restoreCode[5])
void DispatchMsg(DWORD reg) void DispatchMsg(DWORD reg)
{ {
WxMsg_t wxMsg; WxMsg_t wxMsg;
DWORD *p = (DWORD *)reg; // 消息结构基址
wxMsg.type = GET_DWORD(*p + g_WxCalls.recvMsg.type); wxMsg.type = GET_DWORD(reg + g_WxCalls.recvMsg.type);
wxMsg.is_self = GET_DWORD(*p + g_WxCalls.recvMsg.isSelf); wxMsg.is_self = GET_DWORD(reg + g_WxCalls.recvMsg.isSelf);
wxMsg.id = GetStringByAddress(*p + g_WxCalls.recvMsg.msgId); wxMsg.id = GetStringByStrAddr(reg + g_WxCalls.recvMsg.msgId);
wxMsg.xml = GetStringByAddress(*p + g_WxCalls.recvMsg.msgXml); wxMsg.xml = GetStringByStrAddr(reg + g_WxCalls.recvMsg.msgXml);
string roomid = GetStringByAddress(*p + g_WxCalls.recvMsg.roomId); string roomid = GetStringByWstrAddr(reg + g_WxCalls.recvMsg.roomId);
if (roomid.find("@chatroom") != string::npos) { // 群 ID 的格式为 xxxxxxxxxxx@chatroom if (roomid.find("@chatroom") != string::npos) { // 群 ID 的格式为 xxxxxxxxxxx@chatroom
wxMsg.is_group = true; wxMsg.is_group = true;
wxMsg.roomid = roomid; wxMsg.roomid = roomid;
if (wxMsg.is_self) { if (wxMsg.is_self) {
wxMsg.sender = GetSelfWxid(); wxMsg.sender = GetSelfWxid();
} else { } else {
wxMsg.sender = GetStringByAddress(*p + g_WxCalls.recvMsg.wxId); wxMsg.sender = GetStringByStrAddr(reg + g_WxCalls.recvMsg.wxId);
} }
} else { } else {
wxMsg.is_group = false; wxMsg.is_group = false;
@ -114,15 +113,16 @@ void DispatchMsg(DWORD reg)
} }
} }
wxMsg.content = GetStringByAddress(*p + g_WxCalls.recvMsg.content); wxMsg.content = GetStringByWstrAddr(reg + g_WxCalls.recvMsg.content);
wxMsg.thumb = GetStringByAddress(*p + g_WxCalls.recvMsg.thumb);
wxMsg.thumb = GetStringByStrAddr(reg + g_WxCalls.recvMsg.thumb);
if (!wxMsg.thumb.empty()) { if (!wxMsg.thumb.empty()) {
wxMsg.thumb = GetHomePath() + "\\WeChat Files\\" + wxMsg.thumb; wxMsg.thumb = GetHomePath() + wxMsg.thumb;
} }
wxMsg.extra = GetStringByAddress(*p + g_WxCalls.recvMsg.extra); wxMsg.extra = GetStringByStrAddr(reg + g_WxCalls.recvMsg.extra);
if (!wxMsg.extra.empty()) { if (!wxMsg.extra.empty()) {
wxMsg.extra = GetHomePath() + "\\WeChat Files\\" + wxMsg.extra; wxMsg.extra = GetHomePath() + wxMsg.extra;
} }
{ {
@ -136,13 +136,13 @@ void DispatchMsg(DWORD reg)
__declspec(naked) void RecieveMsgFunc() __declspec(naked) void RecieveMsgFunc()
{ {
__asm { __asm {
mov reg_buffer, edi // 把值复制出来 pushad
} pushfd
push ecx
DispatchMsg(reg_buffer); call DispatchMsg
add esp, 0x4
__asm popfd
{ popad
call recvMsgCallAddr // 这个为被覆盖的call call recvMsgCallAddr // 这个为被覆盖的call
jmp recvMsgJumpBackAddr // 跳回被HOOK指令的下一条指令 jmp recvMsgJumpBackAddr // 跳回被HOOK指令的下一条指令
} }
@ -150,6 +150,7 @@ __declspec(naked) void RecieveMsgFunc()
void ListenMessage() void ListenMessage()
{ {
// DbgMsg("ListenMessage");
// OutputDebugString(L"ListenMessage\n"); // OutputDebugString(L"ListenMessage\n");
// MessageBox(NULL, L"ListenMessage", L"ListenMessage", 0); // MessageBox(NULL, L"ListenMessage", L"ListenMessage", 0);
if (gIsListening || (g_WeChatWinDllAddr == 0)) { if (gIsListening || (g_WeChatWinDllAddr == 0)) {
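Review bot: In RecieveMsgFunc the new `push ecx` / `call DispatchMsg` / `add esp, 0x4` sequence is balanced only if DispatchMsg is `__cdecl`, and `void DispatchMsg(DWORD reg)` relies on the compiler default for that. Writing it as `void __cdecl DispatchMsg(DWORD reg)` keeps the stack correct if the project's default calling convention changes. DispatchMsg then uses `reg` as the base address for every field read with no check, so `if (reg == 0) return;` at the top is a cheap guard against a fault inside the host process. The change also removes the only comment saying which register carries the message structure; a line such as `// ecx = base of the received-message structure at the hook point` above `push ecx` would help the next offset update. The bodies of DispatchMsg and ListenMessage continue outside the hunks shown.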


@ -605,11 +605,13 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
ret = func_send_emotion(req.msg.file.path, req.msg.file.receiver, out, out_len); ret = func_send_emotion(req.msg.file.path, req.msg.file.receiver, out, out_len);
break; break;
} }
#endif
case Functions_FUNC_ENABLE_RECV_TXT: { case Functions_FUNC_ENABLE_RECV_TXT: {
LOG_DEBUG("[Functions_FUNC_ENABLE_RECV_TXT]"); LOG_DEBUG("[Functions_FUNC_ENABLE_RECV_TXT]");
ret = func_enable_recv_txt(out, out_len); ret = func_enable_recv_txt(out, out_len);
break; break;
} }
#if 0
case Functions_FUNC_DISABLE_RECV_TXT: { case Functions_FUNC_DISABLE_RECV_TXT: {
LOG_DEBUG("[Functions_FUNC_DISABLE_RECV_TXT]"); LOG_DEBUG("[Functions_FUNC_DISABLE_RECV_TXT]");
ret = func_disable_recv_txt(out, out_len); ret = func_disable_recv_txt(out, out_len);
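Review bot: Moving `#endif` above `case Functions_FUNC_ENABLE_RECV_TXT` and reopening `#if 0` right after it compiles the enable path while `Functions_FUNC_DISABLE_RECV_TXT` stays excluded, so a caller can switch message capture on but has no request to switch it off. If that is deliberate for this commit, say so at the guard, e.g. `#if 0 // TODO: re-enable once func_disable_recv_txt is ported`; otherwise enable both cases together so the hook can be removed without unloading the module. How an unhandled function code is answered is decided outside this hunk, so the effect of sending the disable request today cannot be judged from here.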


@ -213,6 +213,18 @@ string GetStringByAddress(DWORD address)
return Wstring2String(wstring(GET_WSTRING(address), strLength)); return Wstring2String(wstring(GET_WSTRING(address), strLength));
} }
string GetStringByStrAddr(DWORD addr)
{
DWORD strLength = GET_DWORD(addr + 4);
return strLength ? string(GET_STRING(addr), strLength) : string();
}
string GetStringByWstrAddr(DWORD addr)
{
DWORD strLength = GET_DWORD(addr + 4);
return strLength ? Wstring2String(wstring(GET_WSTRING(addr), strLength)) : string();
}
DWORD GetMemoryIntByAddress(HANDLE hProcess, DWORD address) DWORD GetMemoryIntByAddress(HANDLE hProcess, DWORD address)
{ {
DWORD value = 0; DWORD value = 0;
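Review bot: GetStringByStrAddr and GetStringByWstrAddr trust the length read from `addr + 4` completely: only zero is rejected, so a non-zero length paired with a null or short buffer makes the `string`/`wstring` constructor read out of bounds. The values come from a message structure filled with received data, so both helpers should validate before copying, for example `const char *p = GET_STRING(addr); if (p == nullptr || strLength == 0 || strLength > MAX_FIELD_LEN) return string();`. `MAX_FIELD_LEN` is a placeholder for a limit the project would choose, and the wide variant needs the same check. This assumes GET_STRING yields the pointer stored at `addr`; the macro is not visible here. Each helper would also benefit from a one-line comment stating the layout it expects (data pointer at offset 0, character count at offset 4), since that is the only difference from GetStringByAddress a reader can rely on.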


@ -28,4 +28,6 @@ std::wstring GetUnicodeInfoByAddress(HANDLE hProcess, DWORD address);
std::wstring String2Wstring(std::string s); std::wstring String2Wstring(std::string s);
std::string Wstring2String(std::wstring ws); std::string Wstring2String(std::wstring ws);
std::string GetStringByAddress(DWORD address); std::string GetStringByAddress(DWORD address);
std::string GetStringByStrAddr(DWORD addr);
std::string GetStringByWstrAddr(DWORD addr);
void DbgMsg(const char *zcFormat, ...); void DbgMsg(const char *zcFormat, ...);