diff --git a/App/App.cpp b/App/App.cpp
index e9ba49c..38f8a3f 100644
--- a/App/App.cpp
+++ b/App/App.cpp
@@ -56,10 +56,10 @@ int main()
 if (status != 0) {
 return 0;
 }
-#if 0
+ wcout << L"Message: 接收通知中......" << endl;
 WxSetTextMsgCb(onTextMsg);
-
+#if 0
 // 测试消息发送
 WxSendTextMsg(wxid, at_wxid, content);
 // 发送照片
diff --git a/Spy/load_calls.cpp b/Spy/load_calls.cpp
index bd854de..362dbb4 100644
--- a/Spy/load_calls.cpp
+++ b/Spy/load_calls.cpp
@@ -6,11 +6,11 @@
 #define SUPPORT_VERSION L"3.7.0.29"
 WxCalls_t wxCalls = {
 0x23631D0, // Login Status
- { 0x1DDF4BC, 0x1DDF534, 0x1DDF568 }, // User Info: wxid, nickname, mobile
+ { 0x236307C, 0x23630F4, 0x2363128 }, // User Info: wxid, nickname, mobile
 0x3E3B80, // Send Message
 /* Receive Message: Hook, call, type, self, id, msgXml, roomId, wxId, content */
- { 0x3C0D70, 0x3C0FA0, 0x38, 0x3C, 0x184, 0x1D8, 0x48, 0x170, 0x70 },
+ { 0x550F4C, 0xA94A50, 0x38, 0x3C, 0x184, 0x1EC, 0x48, 0x170, 0x70 },
 { 0x5CCB50, 0x6F5C0, 0x3E3490 } // Send Image Message
 };
diff --git a/Spy/monitor.cpp b/Spy/monitor.cpp
index eb6eb1d..f02fce1 100644
--- a/Spy/monitor.cpp
+++ b/Spy/monitor.cpp
@@ -8,7 +8,6 @@ HANDLE g_hEvent = NULL;
 WxCalls_t g_WxCalls = { 0 };
-RpcMessage_t *g_pMsg = NULL; // Find a palce to free
 DWORD g_WeChatWinDllAddr = 0;
 int InitDLL(void)
@@ -31,7 +30,6 @@ int InitDLL(void)
 return -3;
 }
- g_pMsg = new RpcMessage_t;
 g_hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
 return 0;
@@ -39,7 +37,7 @@ int InitDLL(void)
 DWORD WINAPI Monitor(HMODULE hModule)
 {
- //ListenMessage();
+ ListenMessage();
 return TRUE;
 }
diff --git a/Spy/receive_msg.cpp b/Spy/receive_msg.cpp
index ab562b9..ce21af1 100644
--- a/Spy/receive_msg.cpp
+++ b/Spy/receive_msg.cpp
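Review bot: The user-info and receive-message rows of wxCalls change (`0x3C0D70, 0x3C0FA0` → `0x550F4C, 0xA94A50`, msgXml `0x1D8` → `0x1EC`, and the three user-info values) while `SUPPORT_VERSION` stays `L"3.7.0.29"`, so nothing in this file records which WeChatWin.dll build the new module-relative offsets were taken from. Because these values are added to g_WeChatWinDllAddr and then used to patch code in the live process (the WriteProcessMemory call in ListenMessage), a mismatch between table and binary corrupts the host rather than failing cleanly. A comment next to the table such as `// offsets extracted from WeChatWin.dll <build/hash placeholder>`, and a check of the loaded module's file version against SUPPORT_VERSION before any patching, would make the pairing explicit; whether such a check already exists elsewhere is not visible in this diff.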
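Review bot: `Monitor` now calls `ListenMessage()` but still returns TRUE unconditionally, and ListenMessage is `void` with an early `return;` visible in its receive_msg.cpp hunk, so a hook that was never installed is indistinguishable from success to whoever created this thread. Returning a status from ListenMessage and propagating it, e.g. `return ListenMessage() == 0 ? TRUE : FALSE;` with the function changed to return int (0 on success), or at least logging on the early-return path, would make the failure observable. The `hModule` parameter is unused in the visible body; `(void)hModule;` or dropping the parameter name would document that. Monitor's body lies entirely inside the hunk, ListenMessage's does not.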
@@ -14,39 +14,37 @@ MsgQueue_t g_MsgQueue;
 DWORD reg_buffer = 0;
 DWORD recvMsgCallAddr = 0;
 DWORD recvMsgJumpBackAddr = 0;
+RpcMessage_t *pMsg = NULL; // Find a palce to free
 void DispatchMsg(DWORD reg)
 {
- DWORD **p = (DWORD **)reg; //消息结构基址
+ DWORD *p = (DWORD *)reg; //消息结构基址
- memset(g_pMsg, 0, sizeof(RpcMessage_t));
+ memset(pMsg, 0, sizeof(RpcMessage_t));
- g_pMsg->type = GET_DWORD(**p + g_WxCalls.recvMsg.type);
- g_pMsg->self = GET_DWORD(**p + g_WxCalls.recvMsg.isSelf);
+ pMsg->type = GET_DWORD(*p + g_WxCalls.recvMsg.type);
+ pMsg->self = GET_DWORD(*p + g_WxCalls.recvMsg.isSelf);
- GetWstringByAddress(**p + g_WxCalls.recvMsg.msgId, g_pMsg->id, MSG_SIZE_MSG_ID);
- GetWstringByAddress(**p + g_WxCalls.recvMsg.msgXml, g_pMsg->xml, MSG_SIZE_MSG_XML);
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.msgId, pMsg->id, MSG_SIZE_MSG_ID);
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.msgXml, pMsg->xml, MSG_SIZE_MSG_XML);
- if (wcsstr(g_pMsg->xml, L"") == NULL) {
- // g_pMsg.roomId = {0};
- GetWstringByAddress(**p + g_WxCalls.recvMsg.roomId, g_pMsg->wxId, MSG_SIZE_WXID);
+ if (wcsstr(pMsg->xml, L"") == NULL) {
+ // pMsg.roomId = {0};
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.roomId, pMsg->wxId, MSG_SIZE_WXID);
 } else {
- g_pMsg->source = 1;
- GetWstringByAddress(**p + g_WxCalls.recvMsg.roomId, g_pMsg->roomId, MSG_SIZE_ROOMID);
- GetWstringByAddress(**p + g_WxCalls.recvMsg.wxId, g_pMsg->wxId, MSG_SIZE_WXID);
+ pMsg->source = 1;
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.roomId, pMsg->roomId, MSG_SIZE_ROOMID);
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.wxId, pMsg->wxId, MSG_SIZE_WXID);
 }
- GetWstringByAddress(**p + g_WxCalls.recvMsg.content, g_pMsg->content, MSG_SIZE_CONTENT);
- g_MsgQueue.push(*g_pMsg); // 发送消息
- SetEvent(g_hEvent); // 发送消息通知
+ GetWstringByAddress(*p + g_WxCalls.recvMsg.content, pMsg->content, MSG_SIZE_CONTENT);
+ g_MsgQueue.push(*pMsg); // 发送消息
+ SetEvent(g_hEvent); // 发送消息通知
 }
 __declspec(naked) void RecieveMsgHook()
 {
 __asm {
- push ebp // 保护现场
- add ebp, 0x3C // 地址为 ebp + 0x3C
- mov reg_buffer, ebp //把值复制出来
- pop ebp // 还原现场
+ mov reg_buffer, edi //把值复制出来
 }
 DispatchMsg(reg_buffer);
@@ -65,6 +63,7 @@ void ListenMessage()
 return;
 }
+ pMsg = new RpcMessage_t;
 DWORD hookAddress = g_WeChatWinDllAddr + g_WxCalls.recvMsg.hook;
 recvMsgCallAddr = g_WeChatWinDllAddr + g_WxCalls.recvMsg.call;
 recvMsgJumpBackAddr = hookAddress + 5;
@@ -76,4 +75,4 @@ void ListenMessage()
 // 6FB6A350 E8 4B020000 call WeChatWi .6FB6A5A0;
 WriteProcessMemory(GetCurrentProcess(), (LPVOID)hookAddress, jmpCode, 5, 0);
-}
\ No newline at end of file
+}
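Review bot: `if (wcsstr(pMsg->xml, L"") == NULL)` in DispatchMsg can never be true as shown — wcsstr with an empty needle returns its first argument — so the `else` (room) branch runs for every message; if the literal lost an angle-bracketed tag in rendering the source should be checked, otherwise the condition needs a real marker to search for. Separately, `pMsg` is a file-scope pointer that DispatchMsg dereferences unconditionally, that is assigned only by `pMsg = new RpcMessage_t;` in the ListenMessage hunk and never freed (the `// Find a palce to free` comment just moves the TODO across files); since DispatchMsg copies `*pMsg` into g_MsgQueue, a file-scope `static RpcMessage_t g_msg{};` (or a zeroed local, if the hook's stack budget allows it) would remove the allocation, the memset and the null-dereference window together. The naked RecieveMsgHook now copies edi into `reg_buffer` and calls DispatchMsg without preserving the caller-saved registers or flags; unless a pushad/popad pair sits outside the hunk, the code resumed via recvMsgJumpBackAddr can observe clobbered eax/ecx/edx. `reg_buffer`, `pMsg` and `g_MsgQueue` are also shared with whatever thread waits on g_hEvent and no synchronisation is visible here, so confirm the queue is guarded elsewhere. RecieveMsgHook and ListenMessage both continue outside their hunks.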