From 7efe6bce55faba94d5e179148b4b5e772c497b0e Mon Sep 17 00:00:00 2001
From: lzb
Date: Thu, 26 Sep 2024 19:53:15 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E6=B2=A1=E6=B5=8B=E8=BF=87=E7=9A=84?=
 =?UTF-8?q?=E5=8F=91=E9=80=81xml..?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 WeChatFerry/spy/send_msg.cpp | 93 +++++++++++++++---------------------
 1 file changed, 39 insertions(+), 54 deletions(-)
diff --git a/WeChatFerry/spy/send_msg.cpp b/WeChatFerry/spy/send_msg.cpp
index 4946108..6be13c0 100644
--- a/WeChatFerry/spy/send_msg.cpp
+++ b/WeChatFerry/spy/send_msg.cpp
@@ -28,6 +28,8 @@ extern string GetSelfWxid(); // Defined in spy.cpp
 #define OS_FORWARD_MSG 0x22C60E0
 #define OS_GET_EMOTION_MGR 0x1bcef10
 #define OS_SEND_EMOTION 0x21b52d5
+#define OS_XML_BUGSIGN 0x24F0D70
+#define OS_SEND_XML 0x20CF360
 typedef QWORD (*New_t)(QWORD);
 typedef QWORD (*Free_t)(QWORD);
@@ -43,6 +45,10 @@ typedef QWORD (*ForwardMsg_t)(QWORD, QWORD, QWORD, QWORD);
 typedef QWORD (*GetEmotionMgr_t)();
 typedef QWORD (*SendEmotion_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD);
+
+typedef QWORD(*__XmlBufSignFunc)(QWORD, QWORD, QWORD);
+typedef QWORD(*__SendXmlMsgFunc)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD);
+
 void SendTextMessage(string wxid, string msg, string atWxids)
 {
 QWORD success = 0;
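Review bot: `OS_XML_BUGSIGN` looks like a typo of the name the new code later gives the same address (`xmlBufSign` in SendXmlMessage), so I would rename the macro `OS_XML_BUFSIGN` before other call sites start using it. Like the neighbouring offsets, the two new constants are only valid for one build of the target DLL and nothing in the hunk records which; a comment on the pair, `// offsets taken from <target build: TODO placeholder>`, would spare the next person from re-deriving them.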
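Review bot: The new typedefs `__XmlBufSignFunc` and `__SendXmlMsgFunc` use names containing a double underscore, which C++ reserves for the implementation, and they also break the `Name_t` convention that every other function-pointer typedef in this hunk follows (`GetEmotionMgr_t`, `SendEmotion_t`). I would rename them `XmlBufSign_t` and `SendXml_t`, written with the same `QWORD (*Name_t)(...)` spacing as their neighbours, and update the two casts in SendXmlMessage accordingly. A one-line comment per typedef saying what each `QWORD` parameter is expected to carry would also help, since the ten-argument send signature is otherwise only decodable from its single call site.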
@@ -228,70 +234,49 @@ void SendEmotionMessage(string wxid, string path)
 SendEmotion(mgr, (QWORD)pWxPath, (QWORD)buff, (QWORD)pWxWxid, 2, (QWORD)buff, 0, (QWORD)buff);
 }
-#if 0
+
 void SendXmlMessage(string receiver, string xml, string path, int type)
 {
 if (g_WeChatWinDllAddr == 0) {
 return;
 }
- // 发送消息Call地址 = 微信基址 + 偏移
- DWORD sendXmlCall1 = g_WeChatWinDllAddr + g_WxCalls.sendXml.call1;
- DWORD sendXmlCall2 = g_WeChatWinDllAddr + g_WxCalls.sendXml.call2;
- DWORD sendXmlCall3 = g_WeChatWinDllAddr + g_WxCalls.sendXml.call3;
- DWORD sendXmlCall4 = g_WeChatWinDllAddr + g_WxCalls.sendXml.call4;
- DWORD sendXmlParam = g_WeChatWinDllAddr + g_WxCalls.sendXml.param;
- char buffer[0xFF0] = { 0 };
+ New_t funcNew = (New_t)(g_WeChatWinDllAddr + OS_NEW);
+ Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_FREE);
+
+ DWORD xmlBufSign = g_WeChatWinDllAddr + OS_XML_BUGSIGN;
+ DWORD sendXmlMsg = g_WeChatWinDllAddr + OS_SEND_XML;
+ __XmlBufSignFunc xmlBufSignFunc = (__XmlBufSignFunc)xmlBufSign;
+ __SendXmlMsgFunc sendXmlMsgFunc = (__SendXmlMsgFunc)sendXmlMsg;
+
+
+ char buff[0x500] = { 0 };
+ char buff2[0x500] = { 0 };
 char nullBuf[0x1C] = { 0 };
- wstring wsSender = String2Wstring(GetSelfWxid());
- wstring wsReceiver = String2Wstring(receiver);
- wstring wsXml = String2Wstring(xml);
+ DWORD pBuf = reinterpret_cast(&buff);
+ DWORD pBuf2 = reinterpret_cast(&buff2);
- WxString wxPath;
- WxString wxNull;
- WxString wxXml(wsXml);
- WxString wxSender(wsSender);
- WxString wxReceiver(wsReceiver);
- if (!path.empty()) {
- wstring wsPath = String2Wstring(path);
- wxPath = WxString(wsPath);
- }
+ funcNew(pBuf);
+ funcNew(pBuf2);
- DWORD sendtype = type;
- __asm {
- pushad;
- pushfd;
- lea ecx, buffer;
- call sendXmlCall1;
- mov eax, [sendtype];
- push eax;
- lea eax, nullBuf;
- lea edx, wxSender;
- push eax;
- lea eax, wxPath;
- push eax;
- lea eax, wxXml;
- push eax;
- lea edi, wxReceiver;
- push edi;
- lea ecx, buffer;
- call sendXmlCall2;
- add esp, 0x14;
- lea eax, wxNull;
- push eax;
- lea ecx, buffer;
- call sendXmlCall3;
- mov dl, 0x0;
- lea ecx, buffer;
- push sendXmlParam;
- push sendXmlParam;
- call sendXmlCall4;
- add esp, 0x8;
- popfd;
- popad;
- }
+ DWORD sbuf[4] = { 0,0,0, 0 };
+
+ DWORD sign = xmlBufSignFunc(pBuf2, reinterpret_cast(&sbuf), 0x1);
+
+
+ WxString* pReceiver = NewWxStringFromStr(receiver);
+ WxString* pXml = NewWxStringFromStr(xml);
+ WxString* pPath = NewWxStringFromStr(path);
+ WxString* pType = NewWxStringFromStr(type);
+
+ wstring* pSender = NewWxStringFromStr(GetSelfWxid());
+
+ sendXmlMsgFunc(pBuf, pSender, pReceiver, pXml, pPath, reinterpret_cast(&nullBuf), pType, 0x4, sign, pBuf2);
+
+ funcFree(reinterpret_cast(&buff));
+ funcFree(reinterpret_cast(&buff2));
 }
-#endif
+
From d00edd8add6c6ea89abe3d5519bbfb46aeac764e Mon Sep 17 00:00:00 2001
From: wxlinzebin
Date: Thu, 26 Sep 2024 23:24:35 +0800
Subject: [PATCH 2/2] =?UTF-8?q?OK=E7=BC=96=E8=AF=91=E9=80=9A=E8=BF=87?=
 =?UTF-8?q?=EF=BC=8C=E7=BE=A4=E4=B8=BB=E6=B5=8B=E5=90=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 WeChatFerry/spy/send_msg.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/WeChatFerry/spy/send_msg.cpp b/WeChatFerry/spy/send_msg.cpp
index 6be13c0..2e50985 100644
--- a/WeChatFerry/spy/send_msg.cpp
+++ b/WeChatFerry/spy/send_msg.cpp
@@ -235,13 +235,14 @@ void SendEmotionMessage(string wxid, string path)
 }
-void SendXmlMessage(string receiver, string xml, string path, int type)
+void SendXmlMessage(string receiver, string xml, string path, QWORD type)
 {
 if (g_WeChatWinDllAddr == 0) {
 return;
 }
+
 New_t funcNew = (New_t)(g_WeChatWinDllAddr + OS_NEW);
 Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_FREE);
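Review bot: The new body of SendXmlMessage stores every address it derives in a `DWORD` — `DWORD xmlBufSign = g_WeChatWinDllAddr + OS_XML_BUGSIGN;`, `DWORD sendXmlMsg`, `DWORD pBuf`, `DWORD pBuf2` and the `sign` result — while the rest of this file, including the `New_t`/`Free_t` casts two lines above, carries addresses as `QWORD` and the new typedefs take `QWORD` parameters. If the target process is 64-bit, each of those assignments discards the upper half of the address before it is cast to a function pointer or handed on, so I would declare the five locals as `QWORD` (`QWORD pBuf = reinterpret_cast<QWORD>(&buff);`, and the same for the `&sbuf` and `&nullBuf` casts); the template argument of the `reinterpret_cast` calls is not visible in this rendering, so check it while there. `funcNew` and `funcFree` are also applied to the stack arrays `buff` and `buff2`; if `OS_FREE` releases heap memory rather than tearing an object down in place, that is a free of a stack address, so a comment next to the two casts stating what these entry points do (`// OS_NEW/OS_FREE: TODO confirm — construct/destroy in place, or allocate/release?`) should be settled before merging. The `WxString*` objects returned by `NewWxStringFromStr` are never released after the send, which leaks one set per call unless that helper returns storage owned elsewhere; the same applies to the rewritten call in the second patch's hunk at `@@ -270,11 +271,12 @@`. Lastly, the old `path.empty()` guard is gone, so an empty path is now converted and passed through like any other value rather than left unset.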
@@ -270,11 +271,12 @@ void SendXmlMessage(string receiver, string xml, string path, int type)
 WxString* pReceiver = NewWxStringFromStr(receiver);
 WxString* pXml = NewWxStringFromStr(xml);
 WxString* pPath = NewWxStringFromStr(path);
- WxString* pType = NewWxStringFromStr(type);
- wstring* pSender = NewWxStringFromStr(GetSelfWxid());
+ WxString* pSender = NewWxStringFromStr(GetSelfWxid());
+
+ //sendXmlMsgFunc(pBuf, pSender, pReceiver, pXml, pPath, reinterpret_cast(&nullBuf), pType, 0x4, sign, pBuf2);
+ sendXmlMsgFunc(pBuf, reinterpret_cast(pSender), reinterpret_cast(pReceiver), reinterpret_cast(pXml), reinterpret_cast(pPath), reinterpret_cast(&nullBuf), type, 0x4, sign, pBuf2);
- sendXmlMsgFunc(pBuf, pSender, pReceiver, pXml, pPath, reinterpret_cast(&nullBuf), pType, 0x4, sign, pBuf2);
 funcFree(reinterpret_cast(&buff));
 funcFree(reinterpret_cast(&buff2));
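Review bot: The superseded call is kept as a comment (`//sendXmlMsgFunc(pBuf, pSender, pReceiver, pXml, pPath, ...)`) directly above the live one; it still names `pType`, which this very hunk deletes, so it can only mislead and should be removed rather than left as history. The live call passes `type` straight through and `0x4` as a bare literal, and neither is explained anywhere; a comment on the call such as `// type: message-type code expected by the target (TODO document); 0x4: TODO meaning`, or a named constant for `0x4`, would record what was learned while testing. The four pointers from `NewWxStringFromStr` are cast and handed to the target without a null check, so a failed allocation goes straight into the call. The closing `}` of SendXmlMessage lies outside this hunk.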