diff --git a/spy/load_calls.cpp b/spy/load_calls.cpp index 07747a8..1164c98 100644 --- a/spy/load_calls.cpp +++ b/spy/load_calls.cpp @@ -7,7 +7,7 @@ WxCalls_t wxCalls = { 0x2FFD638, // Login Status { 0x2FFD4E8, 0x23660F4, 0x2366128, 0x2386F7C }, // User Info: wxid, nickname, mobile, home - 0x521D30, // Send Message + { 0x768140, 0xCE6C80, 0x756960 }, // Send Message /* Receive Message: Hook, call, type, self, id, msgXml, roomId, wxId, content, thumb, extra */ { 0x550F4C, 0xA96350, 0x38, 0x3C, 0x184, 0x1EC, 0x48, 0x170, 0x70, 0x198, 0x1AC }, diff --git a/spy/rpc_server.cpp b/spy/rpc_server.cpp index f58af3c..3d76804 100644 --- a/spy/rpc_server.cpp +++ b/spy/rpc_server.cpp @@ -579,12 +579,12 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_get_user_info(out, out_len); break; } -#if 0 case Functions_FUNC_SEND_TXT: { LOG_DEBUG("[Functions_FUNC_SEND_TXT]"); ret = func_send_txt(req.msg.txt, out, out_len); break; } +#if 0 case Functions_FUNC_SEND_IMG: { LOG_DEBUG("[Functions_FUNC_SEND_IMG]"); ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len); diff --git a/spy/send_msg.cpp b/spy/send_msg.cpp index 7c93e5e..d26ca62 100644 --- a/spy/send_msg.cpp +++ b/spy/send_msg.cpp @@ -13,12 +13,15 @@ extern string GetSelfWxid(); // Defined in spy.cpp void SendTextMessage(string wxid, string msg, string atWxids) { - char buffer[0x3B0] = { 0 }; + int success = 0; + char buffer[0x2D8] = { 0 }; WxString_t wxMsg = { 0 }; WxString_t wxWxid = { 0 }; // 发送消息Call地址 = 微信基址 + 偏移 - DWORD sendCallAddress = g_WeChatWinDllAddr + g_WxCalls.sendTextMsg; + DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendText.call1; + DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendText.call2; + DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendText.call3; wstring wsWxid = String2Wstring(wxid); wstring wsMsg = String2Wstring(msg); 
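Review bot: In spy/load_calls.cpp the new Send Message entry `{ 0x768140, 0xCE6C80, 0x756960 }` is three bare offsets with nothing saying which is which, and the matching `SendText_t` added in spy/spy_types.h names them only `call1`, `call2`, `call3`. SendTextMessage depends on their order: the first is called before the pushes, the second is the call whose `eax` goes to `success`, and the third runs on `buffer` afterwards. A swapped pair would therefore transfer control to the wrong routine inside the host process. I would document the roles on the struct members and on the table line, for example `DWORD call2; // performs the send, result in eax`, with the wording confirmed by whoever identified the routines. If the file does not already record it, also note beside the table which client build these offsets belong to.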
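Review bot: In spy/rpc_server.cpp, moving `#if 0` below `Functions_FUNC_SEND_TXT` makes message sending reachable by any client that can reach the RPC endpoint, and the case hands `req.msg.txt` to `func_send_txt` without checking that the request carries a text payload. The sibling case reads `req.msg.file`, so `req.msg` looks like a oneof/union, and a request with the SEND_TXT function code but a different payload would be read through the wrong member. Compare the discriminator before the call (`which_msg`, if this is nanopb-generated code) and return an error when it does not select `txt`. Nothing in the hunk shows authentication or the listen address, so confirm the transport is bound to loopback only before enabling this case. The dispatcher body starts before and continues after this hunk.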
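Review bot: In SendTextMessage (spy/send_msg.cpp, hunk at -13,12) `char buffer[0x2D8]` is an unexplained size for storage that the following hunk passes in `ecx` to `sendCall2` and `sendCall3`. The callee, not this function, decides how many bytes are written, so if the targeted build expects a larger object the call overruns the stack frame. Give the size a name and tie it to the offsets, for example `constexpr size_t kSendTextCtxSize = 0x2D8; // must match the build the load_calls.cpp offsets come from`. The three `g_WeChatWinDllAddr + ...` computations also have no visible check that the module base is non-zero. If the caller does not guarantee that, an early return before the `__asm` block avoids calling a bare offset. The function body continues outside this hunk.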
@@ -49,15 +52,24 @@ void SendTextMessage(string wxid, string msg, string atWxids) __asm { + pushad; + call sendCall1; + push 0x0; + push 0x0; + push 0x0; + push 0x1; lea eax, vTxtAtWxids; - push 0x01; push eax; - lea edi, wxMsg; - push edi; + lea eax, wxMsg; + push eax; lea edx, wxWxid; lea ecx, buffer; - call sendCallAddress; - add esp, 0xC; + call sendCall2; + mov success, eax; + add esp, 0x18; + lea ecx, buffer; + call sendCall3; + popad; } } @@ -260,7 +272,7 @@ void SendEmotionMessage(string wxid, string path) return; } - char buffer[0x1C] = { 0 }; + char buffer[0x1C] = { 0 }; WxString_t emoWxid = { 0 }; WxString_t emoPath = { 0 }; WxString_t nullbuffer = { 0 }; diff --git a/spy/spy_types.h b/spy/spy_types.h index e11860e..baf71bc 100644 --- a/spy/spy_types.h +++ b/spy/spy_types.h @@ -23,6 +23,12 @@ typedef struct RecvMsg { DWORD extra; // 附加数据 } RecvMsg_t; +typedef struct SendText { + DWORD call1; + DWORD call2; + DWORD call3; +} SendText_t; + typedef struct Sendfile { DWORD call1; DWORD call2; @@ -79,7 +85,7 @@ typedef struct TF { typedef struct WxCalls { DWORD login; // 登录状态 UserInfoCall_t ui; // 用户信息 - DWORD sendTextMsg; // 发送消息 + SendText_t sendText; // 发送消息 RecvMsg_t recvMsg; // 接收消息 Sendfile_t sendImg; // 发送图片 Sendfile_t sendFile; // 发送文件
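Review bot: In the `__asm` block of SendTextMessage, `mov success, eax` saves the result of `sendCall2`, but nothing reads `success` before the closing brace and the function returns void. A failed send is therefore indistinguishable from a successful one for `func_send_txt` and for the RPC client. Propagate it by changing the signature to `int SendTextMessage(string wxid, string msg, string atWxids)` and ending with `return success;`, or drop the variable if the value is deliberately ignored. The stack cleanup is consistent with the six pushes above it, and a short comment would keep it so when arguments change: `add esp, 0x18; // 6 dwords pushed for sendCall2`. The function starts outside this hunk.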