cyonjan/WeChatFerry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Impl send file

Browse Source
This commit is contained in:
Changhua 2024-06-10 17:44:48 +08:00
parent 644561af6a
commit 3ec0c9306b
2 changed files with 23 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
WeChatFerry/spy/rpc_server.cpp
View File

@ -269,7 +269,7 @@ bool func_send_img(char *path, char *receiver, uint8_t *out, size_t *len)
return true; return true;
} }
#if 0
bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len) bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len)
{ {
Response rsp = Response_init_default; Response rsp = Response_init_default;
@ -296,7 +296,7 @@ bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len)
return true; return true;
} }
#if 0
bool func_send_xml(XmlMsg xml, uint8_t *out, size_t *len) bool func_send_xml(XmlMsg xml, uint8_t *out, size_t *len)
{ {
Response rsp = Response_init_default; Response rsp = Response_init_default;
@ -893,6 +893,10 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len); ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len);
break; break;
} }
case Functions_FUNC_SEND_FILE: {
ret = func_send_file(req.msg.file.path, req.msg.file.receiver, out, out_len);
break;
}
#if 0 #if 0
case Functions_FUNC_SEND_RICH_TXT: { case Functions_FUNC_SEND_RICH_TXT: {
ret = func_send_rich_txt(req.msg.rt, out, out_len); ret = func_send_rich_txt(req.msg.rt, out, out_len);
@ -902,10 +906,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
ret = func_send_pat_msg(req.msg.pm.roomid, req.msg.pm.wxid, out, out_len); ret = func_send_pat_msg(req.msg.pm.roomid, req.msg.pm.wxid, out, out_len);
break; break;
} }
case Functions_FUNC_SEND_FILE: {
ret = func_send_file(req.msg.file.path, req.msg.file.receiver, out, out_len);
break;
}
case Functions_FUNC_FORWARD_MSG: { case Functions_FUNC_FORWARD_MSG: {
ret = func_forward_msg(req.msg.fm.id, req.msg.fm.receiver, out, out_len); ret = func_forward_msg(req.msg.fm.id, req.msg.fm.receiver, out, out_len);
break; break;

71
WeChatFerry/spy/send_msg.cpp
View File

@ -16,9 +16,12 @@ extern string GetSelfWxid(); // Defined in spy.cpp
typedef QWORD (*funcNew_t)(QWORD); typedef QWORD (*funcNew_t)(QWORD);
typedef QWORD (*funcFree_t)(QWORD); typedef QWORD (*funcFree_t)(QWORD);
typedef QWORD (*funcSendMsgMgr_t)(); typedef QWORD (*funcSendMsgMgr_t)();
typedef QWORD (*funcGetAppMsgMgr_t)();
typedef QWORD (*funcSendTextMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD); typedef QWORD (*funcSendTextMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD);
typedef QWORD (*funcSendImageMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD); typedef QWORD (*funcSendImageMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD);
typedef QWORD (*funcSendFileMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD *, QWORD, QWORD *, QWORD, QWORD *, QWORD,
QWORD);
void SendTextMessage(string wxid, string msg, string atWxids) void SendTextMessage(string wxid, string msg, string atWxids)
{ {
@ -85,16 +88,8 @@ void SendImageMessage(string wxid, string path)
funcFree(pMsgTmp); funcFree(pMsgTmp);
} }
#if 0
void SendFileMessage(string wxid, string path) void SendFileMessage(string wxid, string path)
{ {
if (g_WeChatWinDllAddr == 0) {
return;
}
int success = 0;
DWORD tmpEAX = 0;
char buffer[0x2D8] = { 0 };
wstring wsWxid = String2Wstring(wxid); wstring wsWxid = String2Wstring(wxid);
wstring wsPath = String2Wstring(path); wstring wsPath = String2Wstring(path);
@ -102,54 +97,22 @@ void SendFileMessage(string wxid, string path)
WxString wxPath(wsPath); WxString wxPath(wsPath);
WxString nullbuffer; WxString nullbuffer;
// 发送文件Call地址 = 微信基址 + 偏移 funcNew_t funcNew = (funcNew_t)(g_WeChatWinDllAddr + g_WxCalls.sendFile.call1);
DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call1; funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + g_WxCalls.sendFile.call2);
DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call2; funcGetAppMsgMgr_t funcGetAppMsgMgr = (funcGetAppMsgMgr_t)(g_WeChatWinDllAddr + g_WxCalls.sendFile.call3);
DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call3; funcSendFileMsg_t funcSendFile = (funcSendFileMsg_t)(g_WeChatWinDllAddr + g_WxCalls.sendFile.call4);
DWORD sendCall4 = g_WeChatWinDllAddr + g_WxCalls.sendFile.call4;
__asm { char msg[0x460] = { 0 };
pushad; QWORD tmp1[4] = { 0 };
pushfd; QWORD tmp2[4] = { 0 };
call sendCall1; QWORD tmp3[4] = { 0 };
sub esp, 0x14;
mov tmpEAX, eax; QWORD pMsg = funcNew((QWORD)(&msg));
lea eax, nullbuffer; QWORD appMgr = funcGetAppMsgMgr();
mov ecx, esp; funcSendFile(appMgr, pMsg, (QWORD)(&wxWxid), (QWORD)(&wxPath), 1, tmp1, 0, tmp2, 0, tmp3, 0, 0);
push eax; funcFree(pMsg);
call sendCall2;
push 0x0;
sub esp, 0x14;
mov edi, esp;
mov dword ptr[edi], 0;
mov dword ptr[edi + 0x4], 0;
mov dword ptr[edi + 0x8], 0;
mov dword ptr[edi + 0xc], 0;
mov dword ptr[edi + 0x10], 0;
sub esp, 0x14;
lea eax, wxPath;
mov ecx, esp;
push eax;
call sendCall2;
sub esp, 0x14;
lea eax, wxWxid;
mov ecx, esp;
push eax;
call sendCall2;
mov ecx, dword ptr[tmpEAX];
lea eax, buffer;
push eax;
call sendCall3;
mov al, byte ptr[eax + 0x38];
movzx eax, al;
mov success, eax;
lea ecx, buffer;
call sendCall4;
popfd;
popad;
}
} }
#if 0
void SendXmlMessage(string receiver, string xml, string path, int type) void SendXmlMessage(string receiver, string xml, string path, int type)
{ {
if (g_WeChatWinDllAddr == 0) { if (g_WeChatWinDllAddr == 0) {