diff --git a/WeChatFerry/com/util.cpp b/WeChatFerry/com/util.cpp index 08bde9d..5e906e6 100644 --- a/WeChatFerry/com/util.cpp +++ b/WeChatFerry/com/util.cpp @@ -1,5 +1,5 @@ #include "Shlwapi.h" -#include "../sdk/framework.h" +#include "framework.h" #include #include #include diff --git a/WeChatFerry/com/util.h b/WeChatFerry/com/util.h index 7fb1e38..8f252df 100644 --- a/WeChatFerry/com/util.h +++ b/WeChatFerry/com/util.h @@ -1,7 +1,6 @@ #pragma once #include -#include #include "spy_types.h" diff --git a/WeChatFerry/rpc/tool/proto/__init__.pyc b/WeChatFerry/rpc/tool/proto/__init__.pyc deleted file mode 100644 index 535ce6f..0000000 Binary files a/WeChatFerry/rpc/tool/proto/__init__.pyc and /dev/null differ diff --git a/WeChatFerry/rpc/tool/proto/_utils.pyc b/WeChatFerry/rpc/tool/proto/_utils.pyc deleted file mode 100644 index 80431e1..0000000 Binary files a/WeChatFerry/rpc/tool/proto/_utils.pyc and /dev/null differ diff --git a/WeChatFerry/sdk/SDK.vcxproj b/WeChatFerry/sdk/SDK.vcxproj index 4ce290f..af47a4b 100644 --- a/WeChatFerry/sdk/SDK.vcxproj +++ b/WeChatFerry/sdk/SDK.vcxproj @@ -25,30 +25,19 @@ DynamicLibrary true - v143 + v142 Unicode -<<<<<<< HEAD - - DynamicLibrary - false - v143 - true - Unicode - - -======= ->>>>>>> master DynamicLibrary true - v143 + v142 Unicode DynamicLibrary false - v143 + v142 true Unicode @@ -104,7 +93,6 @@ true Use pch.h - stdcpp17 Windows @@ -154,21 +142,11 @@ xcopy /y $(OutDir)$(TargetFileName) $(SolutionDir)..\clients\python\wcferry - - NotUsing - - - NotUsing - - - NotUsing - - - NotUsing - - - NotUsing - + + + + + diff --git a/WeChatFerry/sdk/injector.cpp b/WeChatFerry/sdk/injector.cpp index 76a2446..cc06298 100644 --- a/WeChatFerry/sdk/injector.cpp +++ b/WeChatFerry/sdk/injector.cpp @@ -4,7 +4,7 @@ #include #include "injector.h" -#include "../com/util.h" +#include "util.h" using namespace std; diff --git a/WeChatFerry/sdk/sdk.cpp b/WeChatFerry/sdk/sdk.cpp index 88708a0..5a14180 100644 --- a/WeChatFerry/sdk/sdk.cpp 
+++ b/WeChatFerry/sdk/sdk.cpp @@ -6,7 +6,7 @@ #include "injector.h" #include "sdk.h" -#include "../com/util.h" +#include "util.h" static BOOL injected = false; static HANDLE wcProcess = NULL; diff --git a/WeChatFerry/smc/Codec.lib b/WeChatFerry/smc/Codec.lib index 96ce349..b994395 100755 Binary files a/WeChatFerry/smc/Codec.lib and b/WeChatFerry/smc/Codec.lib differ diff --git a/WeChatFerry/spy/Spy.vcxproj b/WeChatFerry/spy/Spy.vcxproj index 0f6cd3b..0c44f9a 100644 --- a/WeChatFerry/spy/Spy.vcxproj +++ b/WeChatFerry/spy/Spy.vcxproj @@ -26,30 +26,19 @@ DynamicLibrary true - v143 + v142 Unicode -<<<<<<< HEAD - - DynamicLibrary - false - v143 - true - Unicode - - -======= ->>>>>>> master DynamicLibrary true - v143 + v142 Unicode DynamicLibrary false - v143 + v142 true Unicode @@ -85,6 +74,7 @@ true + Release true @@ -102,7 +92,7 @@ $(SolutionDir)com;$(SolutionDir)rpc;$(SolutionDir)rpc\nanopb;$(SolutionDir)rpc\proto;$(SolutionDir)smc;$(SolutionDir)spy;C:\Tools\vcpkg\installed\x64-windows-static\include true false - MultiThreadedDebug + MultiThreaded true 4251;4731;4819 @@ -120,7 +110,7 @@ cd $(SolutionDir)rpc\proto -F:\C++\vcpkg\installed\x64-windows-static\tools\protobuf\protoc.exe --nanopb_out=. wcf.proto +$(SolutionDir)rpc\tool\protoc --nanopb_out=. wcf.proto Generating PB files @@ -255,7 +245,6 @@ xcopy /y $(OutDir)$(TargetFileName) $(SolutionDir)..\clients\python\wcferry - diff --git a/WeChatFerry/spy/Spy.vcxproj.filters b/WeChatFerry/spy/Spy.vcxproj.filters index 78b1c9e..f2b9096 100644 --- a/WeChatFerry/spy/Spy.vcxproj.filters +++ b/WeChatFerry/spy/Spy.vcxproj.filters @@ -87,9 +87,6 @@ 头文件 - - 头文件 - diff --git a/WeChatFerry/spy/dllmain.cpp b/WeChatFerry/spy/dllmain.cpp index 8229961..580ec4c 100644 --- a/WeChatFerry/spy/dllmain.cpp +++ b/WeChatFerry/spy/dllmain.cpp 
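Review bot: The pre-build step in the `@@ -120,7 +110,7 @@` hunk of Spy.vcxproj now runs `$(SolutionDir)rpc\tool\protoc` from inside the repository on every build, and nothing in the project records which generator version that is. The same commit replaces `smc/Codec.lib` as an opaque binary, so two build inputs change with no way to review them from the diff. I would state the tool and library versions with a checksum for each (README or a comment beside the command) and verify those checksums in CI. Separately, the include path in the `@@ -102,7 +92,7 @@` hunk still carries the absolute `C:\Tools\vcpkg\installed\x64-windows-static\include`; a property or environment variable would keep the project buildable on other machines.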
@@ -4,14 +4,11 @@ #include #include "spy.h" + BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: - //PortPath_t p; - //p.port = 1234; - ////p.path = ""; - //InitSpy(&p); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: diff --git a/WeChatFerry/spy/exec_sql.cpp b/WeChatFerry/spy/exec_sql.cpp index cd8202e..5de9628 100644 --- a/WeChatFerry/spy/exec_sql.cpp +++ b/WeChatFerry/spy/exec_sql.cpp 
@@ -1,53 +1,48 @@ #include #include "exec_sql.h" -<<<<<<< HEAD -#include "load_calls.h" -======= #include "log.h" ->>>>>>> master #include "sqlite3.h" #include "util.h" -#define OFFSET_DB_INSTANCE 0x2FFDDC8 -#define OFFSET_DB_MICROMSG 0x68 -#define OFFSET_DB_CHAT_MSG 0x1C0 -#define OFFSET_DB_MISC 0x3D8 -#define OFFSET_DB_EMOTION 0x558 -#define OFFSET_DB_MEDIA 0x9B8 -#define OFFSET_DB_BIZCHAT_MSG 0x1120 -#define OFFSET_DB_FUNCTION_MSG 0x11B0 -#define OFFSET_DB_NAME 0x14 -#define OFFSET_DB_MSG_MGR 0x30403B8 +#define OFFSET_DB_INSTANCE 0x5A40598 +#define OFFSET_DB_MICROMSG 0xb8 +#define OFFSET_DB_CHAT_MSG 0x2c8 +#define OFFSET_DB_MISC 0x5f0 +#define OFFSET_DB_EMOTION 0x15f0 +#define OFFSET_DB_MEDIA 0xF48 +#define OFFSET_DB_BIZCHAT_MSG 0x1A70 +#define OFFSET_DB_FUNCTION_MSG 0x1b98 +#define OFFSET_DB_NAME 0x28 +#define OFFSET_DB_MSG_MGR 0x5ABB5D8 extern UINT64 g_WeChatWinDllAddr; -typedef map dbMap_t; +typedef map dbMap_t; static dbMap_t dbMap; -#if 0 -static void GetDbHandle(DWORD base, DWORD offset) + +static void GetDbHandle(QWORD base, QWORD offset) { - wchar_t *wsp; - wsp = (wchar_t *)(*(DWORD *)(base + offset + OFFSET_DB_NAME)); + wchar_t *wsp = (wchar_t *)(*(QWORD *)(base + offset + OFFSET_DB_NAME)); string dbname = Wstring2String(wstring(wsp)); - dbMap[dbname] = GET_DWORD(base + offset); + dbMap[dbname] = GET_QWORD(base + offset); } -static void GetMsgDbHandle(DWORD msgMgrAddr) +static void GetMsgDbHandle(QWORD msgMgrAddr) { - DWORD dbIndex = GET_DWORD(msgMgrAddr + 0x38); - DWORD pStart = GET_DWORD(msgMgrAddr + 0x2C); + QWORD dbIndex = GET_QWORD(msgMgrAddr + 0x68); + QWORD pStart = GET_QWORD(msgMgrAddr + 0x50); for (uint32_t i = 0; i < dbIndex; i++) { - DWORD dbAddr = GET_DWORD(pStart + i * 0x04); + QWORD dbAddr = GET_QWORD(pStart + i * 0x08); if (dbAddr) { // MSGi.db string dbname = Wstring2String(GET_WSTRING(dbAddr)); - dbMap[dbname] = GET_DWORD(dbAddr + 0x60); + dbMap[dbname] = GET_QWORD(dbAddr + 0x78); // MediaMsgi.db - DWORD mmdbAddr = GET_DWORD(dbAddr + 
0x14); - string mmdbname = Wstring2String(GET_WSTRING(mmdbAddr + 0x4C)); - dbMap[mmdbname] = GET_DWORD(mmdbAddr + 0x38); + QWORD mmdbAddr = GET_QWORD(dbAddr + 0x20); + string mmdbname = Wstring2String(GET_WSTRING(mmdbAddr + 0x78)); + dbMap[mmdbname] = GET_QWORD(mmdbAddr + 0x50); } } } @@ -56,7 +51,7 @@ dbMap_t GetDbHandles() { dbMap.clear(); - DWORD dbInstanceAddr = GET_DWORD(g_WeChatWinDllAddr + OFFSET_DB_INSTANCE); + QWORD dbInstanceAddr = GET_QWORD(g_WeChatWinDllAddr + OFFSET_DB_INSTANCE); GetDbHandle(dbInstanceAddr, OFFSET_DB_MICROMSG); // MicroMsg.db GetDbHandle(dbInstanceAddr, OFFSET_DB_CHAT_MSG); // ChatMsg.db @@ -65,7 +60,7 @@ dbMap_t GetDbHandles() GetDbHandle(dbInstanceAddr, OFFSET_DB_MEDIA); // Media.db GetDbHandle(dbInstanceAddr, OFFSET_DB_FUNCTION_MSG); // Function.db - GetMsgDbHandle(GET_DWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR)); // MSGi.db & MediaMsgi.db + GetMsgDbHandle(GET_QWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR)); // MSGi.db & MediaMsgi.db return dbMap; } @@ -137,7 +132,13 @@ DbRows_t ExecDbQuery(const string db, const string sql) dbMap = GetDbHandles(); } - DWORD *stmt; + QWORD *stmt; + QWORD handle = dbMap[db]; + if (handle == 0) { + LOG_WARN("Empty handle, retrying..."); + dbMap = GetDbHandles(); + } + int rc = func_prepare(dbMap[db], sql.c_str(), -1, &stmt, 0); if (rc != SQLITE_OK) { return rows; 
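Review bot: `GetDbHandle` dereferences whatever it reads at `base + offset + OFFSET_DB_NAME` and builds a `wstring` from it with no null check, so a zero `dbInstanceAddr` or an unpopulated name pointer faults inside the host process instead of failing the query. Guard both before use, e.g. `if (base == 0) return;` at the top and `if (wsp == nullptr) return;` before constructing the string; `GetMsgDbHandle` needs the same for `pStart` and `mmdbAddr`. The new `OFFSET_DB_*` values are fixed constants, and this commit also deletes `load_calls.cpp`, whose `LoadCalls` returned -1 for any version other than `SUPPORT_VERSION`; if no equivalent check remains elsewhere, a comment beside the defines naming the build they apply to would help. In `GetMsgDbHandle` the loop counter is `uint32_t` while `dbIndex` is now `QWORD`, so a sanity bound on `dbIndex` is also worth adding.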
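Review bot: After the retry in `ExecDbQuery` the handle is never re-read or re-checked, so a name that is still unknown reaches `func_prepare` as a zero database handle. `dbMap[db]` also default-inserts an entry for any unknown name, and `db` appears to come from the RPC request. Re-check after `GetDbHandles()` with a lookup that does not insert, for example `auto it = dbMap.find(db); if (it == dbMap.end() || it->second == 0) return rows;`, and pass `it->second` to `func_prepare`. The function starts before and continues after this hunk.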
@@ -166,16 +167,16 @@ DbRows_t ExecDbQuery(const string db, const string sql) int GetLocalIdandDbidx(uint64_t id, uint64_t *localId, uint32_t *dbIdx) { - DWORD msgMgrAddr = GET_DWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR); - DWORD dbIndex = GET_DWORD(msgMgrAddr + 0x38); - DWORD pStart = GET_DWORD(msgMgrAddr + 0x2C); + QWORD msgMgrAddr = GET_QWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR); + int dbIndex = (int)GET_QWORD(msgMgrAddr + 0x68); // 总不能 int 还不够吧? + QWORD pStart = GET_QWORD(msgMgrAddr + 0x50); *dbIdx = 0; for (int i = dbIndex - 1; i >= 0; i--) { // 从后往前遍历 - DWORD dbAddr = GET_DWORD(pStart + i * 0x04); + QWORD dbAddr = GET_QWORD(pStart + i * 0x08); if (dbAddr) { string dbname = Wstring2String(GET_WSTRING(dbAddr)); - dbMap[dbname] = GET_DWORD(dbAddr + 0x60); + dbMap[dbname] = GET_QWORD(dbAddr + 0x78); string sql = "SELECT localId FROM MSG WHERE MsgSvrID=" + to_string(id) + ";"; DbRows_t rows = ExecDbQuery(dbname, sql); if (rows.empty()) { @@ -191,7 +192,7 @@ int GetLocalIdandDbidx(uint64_t id, uint64_t *localId, uint32_t *dbIdx) } *localId = strtoull((const char *)(field.content.data()), NULL, 10); - *dbIdx = GET_DWORD(GET_DWORD(dbAddr + 0x18) + 0x144); + *dbIdx = (uint32_t)(GET_QWORD(GET_QWORD(dbAddr + 0x28) + 0x1E8) >> 32); return 0; } @@ -202,10 +203,10 @@ int GetLocalIdandDbidx(uint64_t id, uint64_t *localId, uint32_t *dbIdx) vector GetAudioData(uint64_t id) { - DWORD msgMgrAddr = GET_DWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR); - DWORD dbIndex = GET_DWORD(msgMgrAddr + 0x38); + QWORD msgMgrAddr = GET_QWORD(g_WeChatWinDllAddr + OFFSET_DB_MSG_MGR); + int dbIndex = (int)GET_QWORD(msgMgrAddr + 0x68); - string sql = "SELECT Buf from Media WHERE Reserved0=" + to_string(id) + ";"; + string sql = "SELECT Buf FROM Media WHERE Reserved0=" + to_string(id) + ";"; for (int i = dbIndex - 1; i >= 0; i--) { string dbname = "MediaMSG" + to_string(i) + ".db"; DbRows_t rows = ExecDbQuery(dbname, sql); 
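Review bot: `dbIndex` in `GetLocalIdandDbidx` is read from process memory and narrowed with `(int)` without any range check, and the loop then indexes `pStart + i * 0x08` from `dbIndex - 1` downwards. If the offset is stale the value is arbitrary, and a large count makes the loop read far outside the pointer table. Validate before looping and fail early, e.g. `if (pStart == 0 || dbIndex <= 0 || dbIndex > kMaxMsgDb) return -1;`, where `kMaxMsgDb` is a placeholder for an upper bound you define; `GetAudioData` in the `@@ -202,10 +203,10 @@` hunk has the same cast. The inline comment on the cast asks whether `int` is enough rather than stating the assumption; once the bound exists, replace it with something like `// number of MSGi.db entries; range-checked below`.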
@@ -229,4 +230,3 @@ vector GetAudioData(uint64_t id) return vector(); } -#endif diff --git a/WeChatFerry/spy/funcs.cpp b/WeChatFerry/spy/funcs.cpp index c79bb9a..9ff3edc 100644 --- a/WeChatFerry/spy/funcs.cpp +++ b/WeChatFerry/spy/funcs.cpp @@ -10,7 +10,6 @@ #include "log.h" #include "spy_types.h" #include "util.h" -#include "wechat_function.h" using namespace std; namespace fs = std::filesystem; @@ -50,13 +49,8 @@ typedef QWORD (*PushAttachTask_t)(QWORD, QWORD, QWORD, QWORD); typedef QWORD (*GetOCRManager_t)(); typedef QWORD (*DoOCRTask_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD); -<<<<<<< HEAD -int IsLogin(void) { return (int)GET_UINT64(g_WeChatWinDllAddr + offset::wcf_kLoginStatu); } -======= int IsLogin(void) { return (int)GET_QWORD(g_WeChatWinDllAddr + OS_LOGIN_STATUS); } ->>>>>>> master -#if 0 static string get_key(uint8_t header1, uint8_t header2, uint8_t *key) { // PNG? @@ -83,6 +77,7 @@ static string get_key(uint8_t header1, uint8_t header2, uint8_t *key) string DecryptImage(string src, string dir) { if (!fs::exists(src)) { + LOG_ERROR("File not exists: {}", src); return ""; } 
@@ -276,56 +271,7 @@ int DownloadAttach(QWORD id, string thumb, string extra) return status; } -<<<<<<< HEAD -int RevokeMsg(uint64_t id) -{ - int status = -1; - uint64_t localId; - uint32_t dbIdx; - if (GetLocalIdandDbidx(id, &localId, &dbIdx) != 0) { - LOG_ERROR("Failed to get localId, Please check id: {}", to_string(id)); - return status; - } - - char chat_msg[0x2D8] = { 0 }; - - DWORD rmCall1 = g_WeChatWinDllAddr + g_WxCalls.rm.call1; - DWORD rmCall2 = g_WeChatWinDllAddr + g_WxCalls.rm.call2; - DWORD rmCall3 = g_WeChatWinDllAddr + g_WxCalls.rm.call3; - DWORD rmCall4 = g_WeChatWinDllAddr + g_WxCalls.rm.call4; - DWORD rmCall5 = g_WeChatWinDllAddr + g_WxCalls.rm.call5; - - __asm { - pushad; - pushfd; - lea ecx, chat_msg; - call rmCall1; - call rmCall2; - push dword ptr [dbIdx]; - lea ecx, chat_msg; - push dword ptr [localId]; - call rmCall3; - add esp, 0x8; - call rmCall2; - lea ecx, chat_msg; - push ecx; - mov ecx, eax; - call rmCall4; - mov status, eax; - lea ecx, chat_msg; - push 0x0; - call rmCall5; - popfd; - popad; - } - - return status; -} - -string GetAudio(uint64_t id, string dir) -======= string GetAudio(QWORD id, string dir) ->>>>>>> master { string mp3path = (dir.back() == '\\' || dir.back() == '/') ? dir : (dir + "/"); mp3path += to_string(id) + ".mp3"; diff --git a/WeChatFerry/spy/load_calls.cpp b/WeChatFerry/spy/load_calls.cpp deleted file mode 100644 index dbccaa9..0000000 --- a/WeChatFerry/spy/load_calls.cpp +++ /dev/null 
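Review bot: `GetAudio` calls `dir.back()` on the first line of its body, which is undefined behaviour when `dir` is empty. The value appears to originate from the RPC request (`req.msg.am.dir` in the dispatcher), and no emptiness check is visible on the way here. Add a guard before building `mp3path`, for example `if (dir.empty()) { LOG_ERROR("Empty dir"); return ""; }`. The function body continues outside this hunk, so the right error return should be confirmed against the rest of it.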
@@ -1,58 +0,0 @@ -#include -#include - -#include "load_calls.h" - -#define SUPPORT_VERSION L"3.9.10.27" - -WxCalls_t wxCalls = { - //0x5AB8A2C, // Login Status - //{ 0x5AB7FB8, 0x5AB8098, 0x5AB7FD8, 0x5A7E190 }, // User Info: wxid, nickname, mobile, home - //{ 0x1C1E690, 0x238DDD0, 0x1C1FF10 }, // Send Text Message - ///* Receive Message: - // Hook, call, msgId, type, isSelf, ts, roomId, content, wxid, sign, thumb, extra, msgXml */ - //{ 0x00, 0x2205510, 0x30, 0x38, 0x3C, 0x44, 0x48, 0x88, 0x240, 0x260, 0x280, 0x2A0, 0x308 }, - //{ 0x1C28800, 0x1C1FF10, 0x1C1E690, 0x2383560 }, // Send Image Message - //{ 0x1C28800, 0x1C1FF10, 0x1C23630, 0x21969E0 }, // Send File Message - //{ 0xB8A70, 0x3ED5E0, 0x107F00, 0x3ED7B0, 0x2386FE4 }, // Send xml Message - //{ 0x771980, 0x4777E0, 0x239E888 }, // Send Emotion Message - ///* Get Contacts: - // call1, call2, wxId, Code, Remark,Name, Gender, Country, Province, City*/ - //{ 0x75A4A0, 0xC089F0, 0x10, 0x24, 0x58, 0x6C, 0x0E, 0x00, 0x00, 0x00 }, - ///* Exec Sql: - // Exec, base, start, end, slot, name*/ - //{ 0x141BDF0, 0x2366934, 0x1428, 0x142C, 0x3C, 0x50 }, - //{ 0xA17D50, 0xF59E40, 0xA18BD0, 0xA17E70 }, // Accept New Friend application - //{ 0x78CF20, 0xF59E40, 0xBD1DC0 }, // Add chatroom members - //{ 0x78CF20, 0xF59E40, 0xBD22A0 }, // Delete chatroom members - //{ 0x7B2E60, 0x15E2C20, 0x79C250 }, // Receive transfer - ///* Receive PYQ - // hook, call, call1, call2, call3, start, end, ts, wxid, content, xml, step*/ - //{ 0x14F9E15, 0x14FA0A0, 0xC39680, 0x14E2140, 0x14E21E0, 0x20, 0x24, 0x2C, 0x18, 0x3C, 0x384, 0xB48 }, - ///* call1, call2, call3, call4, call5, call6*/ - //{ 0x76F010, 0x792700, 0xBC0370, 0x80F110, 0x82BB40, 0x756E30}, - ///* call1, call2, call3, call4, call5*/ - //{0x76F010, 0x792700, 0xBC0370, 0xBB5F70, 0x756E30}, - //{0x1C27D50, 0x1C27120, 0x1C23630, 0x21A09C0}, // Send Rich Text Message - ///* call1, call2, call3 */ - //{0x931730, 0x1D58751, 0x1421940}, - ///* call1, call2, call3, call4, call5, call6, 
call7, call8*/ - //{0x78CB40, 0x7F99D0, 0x78CF20, 0x78CEF0, 0xF59E40, 0xBD1A00, 0x7FA980, 0x755060}, - ///* call1, call2, call3 */ - //{0x80A800, 0x80F270, 0x13DA3E0}, - ///* call1, call2 */ - //{0xF59E40, 0xCE6730}, - ///* call1, call2, url */ - //{0xAE9DB0, 0xCDA6F0, 0x3040DE8} -}; - -int LoadCalls(const wchar_t *version, WxCalls_t *calls) -{ - if (wcscmp(version, SUPPORT_VERSION) != 0) { - return -1; - } - - memcpy_s(calls, sizeof(WxCalls_t), &wxCalls, sizeof(WxCalls_t)); - - return 0; -} diff --git a/WeChatFerry/spy/receive_msg.cpp b/WeChatFerry/spy/receive_msg.cpp index f55da1b..8d385db 100644 --- a/WeChatFerry/spy/receive_msg.cpp +++ b/WeChatFerry/spy/receive_msg.cpp @@ -10,7 +10,6 @@ #include "receive_msg.h" #include "user_info.h" #include "util.h" -#include "wechat_function.h" // Defined in rpc_server.cpp extern bool gIsLogging, gIsListening, gIsListeningPyq; @@ -99,17 +98,6 @@ static QWORD DispatchMsg(QWORD arg1, QWORD arg2) { WxMsg_t wxMsg = { 0 }; try { -<<<<<<< HEAD - wxMsg.id = GET_QWORD(arg2 + offset::wcf_msgId); - wxMsg.type = GET_DWORD(arg2 + offset::wcf_type); - wxMsg.is_self = GET_DWORD(arg2 + offset::wcf_isSelf); - wxMsg.ts = GET_DWORD(arg2 + offset::wcf_ts); - wxMsg.content = GetStringByWstrAddr(arg2 + offset::wcf_content); - wxMsg.sign = GetStringByWstrAddr(arg2 + offset::wcf_sign); - wxMsg.xml = GetStringByWstrAddr(arg2 + offset::wcf_msgXml); - - string roomid = GetStringByWstrAddr(arg2 + offset::wcf_roomId); -======= wxMsg.id = GET_QWORD(arg2 + OS_RECV_MSG_ID); wxMsg.type = GET_DWORD(arg2 + OS_RECV_MSG_TYPE); wxMsg.is_self = GET_DWORD(arg2 + OS_RECV_MSG_SELF); 
@@ -120,17 +108,12 @@ static QWORD DispatchMsg(QWORD arg1, QWORD arg2) string roomid = GetStringByWstrAddr(arg2 + OS_RECV_MSG_ROOMID); wxMsg.roomid = roomid; ->>>>>>> master if (roomid.find("@chatroom") != string::npos) { // 群 ID 的格式为 xxxxxxxxxxx@chatroom wxMsg.is_group = true; if (wxMsg.is_self) { wxMsg.sender = GetSelfWxid(); } else { -<<<<<<< HEAD - wxMsg.sender = GetStringByWstrAddr(arg2 + offset::wcf_wxid); -======= wxMsg.sender = GetStringByWstrAddr(arg2 + OS_RECV_MSG_WXID); ->>>>>>> master } } else { wxMsg.is_group = false; @@ -141,21 +124,13 @@ static QWORD DispatchMsg(QWORD arg1, QWORD arg2) } } -<<<<<<< HEAD - wxMsg.thumb = GetStringByWstrAddr(arg2 + offset::wcf_thumb); -======= wxMsg.thumb = GetStringByWstrAddr(arg2 + OS_RECV_MSG_THUMB); ->>>>>>> master if (!wxMsg.thumb.empty()) { wxMsg.thumb = GetHomePath() + wxMsg.thumb; replace(wxMsg.thumb.begin(), wxMsg.thumb.end(), '\\', '/'); } -<<<<<<< HEAD - wxMsg.extra = GetStringByWstrAddr(arg2 + offset::wcf_extra); -======= wxMsg.extra = GetStringByWstrAddr(arg2 + OS_RECV_MSG_EXTRA); ->>>>>>> master if (!wxMsg.extra.empty()) { wxMsg.extra = GetHomePath() + wxMsg.extra; replace(wxMsg.extra.begin(), wxMsg.extra.end(), '\\', '/'); @@ -305,11 +280,7 @@ void ListenMessage() LOG_WARN("gIsListening"); return; } -<<<<<<< HEAD - funcRecvMsg = (funcRecvMsg_t)(g_WeChatWinDllAddr + offset::wcf_HookCall); -======= funcRecvMsg = (RecvMsg_t)(g_WeChatWinDllAddr + OS_RECV_MSG_CALL); ->>>>>>> master status = InitializeHook(); if (status != MH_OK) { 
@@ -352,190 +323,6 @@ void UnListenMessage() LOG_ERROR("MH_Uninitialize failed: {}", to_string(status)); return; } -<<<<<<< HEAD - - gIsListening = false; -} - -void ListenPyq() { } - -void UnListenPyq() { } - -#if 0 -// static DWORD reg_buffer = 0; -// static DWORD recvMsgHookAddr = 0; -// static DWORD recvMsgCallAddr = 0; -// static DWORD recvMsgJumpBackAddr = 0; -// static CHAR recvMsgBackupCode[5] = { 0 }; - -// static DWORD recvPyqHookAddr = 0; -// static DWORD recvPyqCallAddr = 0; -// static DWORD recvPyqJumpBackAddr = 0; -// static CHAR recvPyqBackupCode[5] = { 0 }; - -void HookAddress(DWORD hookAddr, LPVOID funcAddr, CHAR recvMsgBackupCode[5]) -{ - // 组装跳转数据 - BYTE jmpCode[5] = { 0 }; - jmpCode[0] = 0xE9; - - // 计算偏移 - *(DWORD *)&jmpCode[1] = (DWORD)funcAddr - hookAddr - 5; - - // 备份原来的代码 - ReadProcessMemory(GetCurrentProcess(), (LPVOID)hookAddr, recvMsgBackupCode, 5, 0); - // 写入新的代码 - WriteProcessMemory(GetCurrentProcess(), (LPVOID)hookAddr, jmpCode, 5, 0); -} - -void UnHookAddress(DWORD hookAddr, CHAR restoreCode[5]) -{ - WriteProcessMemory(GetCurrentProcess(), (LPVOID)hookAddr, restoreCode, 5, 0); -} - -void DispatchMsg(DWORD reg) -{ - WxMsg_t wxMsg; - try { - wxMsg.id = GET_QWORD(reg + offset::wcf_msgId); - wxMsg.type = GET_DWORD(reg + offset::wcf_type); - wxMsg.is_self = GET_DWORD(reg + offset::wcf_isSelf); - wxMsg.ts = GET_DWORD(reg + offset::wcf_ts); - wxMsg.content = GetStringByWstrAddr(reg + offset::wcf_content); - wxMsg.sign = GetStringByStrAddr(reg + offset::wcf_sign); - wxMsg.xml = GetStringByStrAddr(reg + offset::wcf_msgXml); - - string roomid = GetStringByWstrAddr(reg + offset::wcf_roomId); - if (roomid.find("@chatroom") != string::npos) { // 群 ID 的格式为 xxxxxxxxxxx@chatroom - wxMsg.is_group = true; - wxMsg.roomid = roomid; - if (wxMsg.is_self) { - wxMsg.sender = GetSelfWxid(); - } else { - wxMsg.sender = GetStringByStrAddr(reg + offset::wcf_wxid); - } - } else { - wxMsg.is_group = false; - if (wxMsg.is_self) { - wxMsg.sender = GetSelfWxid(); - 
} else { - wxMsg.sender = roomid; - } - } - - wxMsg.thumb = GetStringByStrAddr(reg + offset::wcf_thumb); - if (!wxMsg.thumb.empty()) { - wxMsg.thumb = GetHomePath() + wxMsg.thumb; - replace(wxMsg.thumb.begin(), wxMsg.thumb.end(), '\\', '/'); - } - - wxMsg.extra = GetStringByStrAddr(reg + offset::wcf_extra); - if (!wxMsg.extra.empty()) { - wxMsg.extra = GetHomePath() + wxMsg.extra; - replace(wxMsg.extra.begin(), wxMsg.extra.end(), '\\', '/'); - } - } catch (const std::exception &e) { - LOG_ERROR(GB2312ToUtf8(e.what())); - } catch (...) { - LOG_ERROR("Unknow exception."); - } - - { - unique_lock lock(gMutex); - gMsgQueue.push(wxMsg); // 推送到队列 - } - - gCV.notify_all(); // 通知各方消息就绪 -} - -__declspec(naked) void RecieveMsgFunc() -{ - __asm { - pushad - pushfd - push ecx - call DispatchMsg - add esp, 0x4 - popfd - popad - call recvMsgCallAddr // 这个为被覆盖的call - jmp recvMsgJumpBackAddr // 跳回被HOOK指令的下一条指令 - } -} - -void ListenMessage() -{ - // DbgMsg("ListenMessage"); - // OutputDebugString(L"ListenMessage\n"); - // MessageBox(NULL, L"ListenMessage", L"ListenMessage", 0); - if (gIsListening || (g_WeChatWinDllAddr == 0)) { - return; - } - - recvMsgHookAddr = g_WeChatWinDllAddr + offset::wcf_hook; - recvMsgCallAddr = g_WeChatWinDllAddr + offset::wcf_call; - recvMsgJumpBackAddr = recvMsgHookAddr + 5; - - HookAddress(recvMsgHookAddr, RecieveMsgFunc, recvMsgBackupCode); - gIsListening = true; -} - -void UnListenMessage() -{ - if (!gIsListening) { - return; - } - UnHookAddress(recvMsgHookAddr, recvMsgBackupCode); - gIsListening = false; -} - -void DispatchPyq(DWORD reg) -{ - DWORD startAddr = *(DWORD *)(reg + g_WxCalls.pyq.start); - DWORD endAddr = *(DWORD *)(reg + g_WxCalls.pyq.end); - - if (startAddr == 0) { - return; - } - - while (startAddr < endAddr) { - WxMsg_t wxMsg; - - wxMsg.type = 0x00; // 朋友圈消息 - wxMsg.is_self = false; - wxMsg.is_group = false; - wxMsg.id = GET_QWORD(startAddr); - wxMsg.ts = GET_DWORD(startAddr + g_WxCalls.pyq.ts); - wxMsg.xml = 
GetStringByWstrAddr(startAddr + g_WxCalls.pyq.xml); - wxMsg.sender = GetStringByWstrAddr(startAddr + g_WxCalls.pyq.wxid); - wxMsg.content = GetStringByWstrAddr(startAddr + g_WxCalls.pyq.content); - - { - unique_lock lock(gMutex); - gMsgQueue.push(wxMsg); // 推送到队列 - } - - gCV.notify_all(); // 通知各方消息就绪 - - startAddr += g_WxCalls.pyq.step; - } -} - -__declspec(naked) void RecievePyqFunc() -{ - __asm { - pushad - pushfd - push [esp + 0x24] - call DispatchPyq - add esp, 0x4 - popfd - popad - call recvPyqCallAddr // 这个为被覆盖的call - jmp recvPyqJumpBackAddr // 跳回被HOOK指令的下一条指令 - } -======= ->>>>>>> master } void ListenPyq() diff --git a/WeChatFerry/spy/rpc_server.cpp b/WeChatFerry/spy/rpc_server.cpp index 586cbb9..679d38f 100644 --- a/WeChatFerry/spy/rpc_server.cpp +++ b/WeChatFerry/spy/rpc_server.cpp @@ -214,7 +214,7 @@ bool func_get_audio_msg(uint64_t id, char *dir, uint8_t *out, size_t *len) return true; } -#endif + bool func_send_txt(TextMsg txt, uint8_t *out, size_t *len) { Response rsp = Response_init_default; @@ -383,7 +383,6 @@ bool func_send_rich_txt(RichText rt, uint8_t *out, size_t *len) return true; } -#if 0 bool func_send_pat_msg(char *roomid, char *wxid, uint8_t *out, size_t *len) { Response rsp = Response_init_default; @@ -429,7 +428,7 @@ bool func_forward_msg(uint64_t id, char *receiver, uint8_t *out, size_t *len) return true; } -#endif + static void PushMessage() { static uint8_t buffer[G_BUF_SIZE] = { 0 }; @@ -546,7 +545,6 @@ bool func_disable_recv_txt(uint8_t *out, size_t *len) return true; } -#if 0 bool func_exec_db_query(char *db, char *sql, uint8_t *out, size_t *len) { Response rsp = Response_init_default; 
@@ -573,55 +571,6 @@ bool func_exec_db_query(char *db, char *sql, uint8_t *out, size_t *len) return true; } -<<<<<<< HEAD -bool func_accept_friend(char *v3, char *v4, int32_t scene, uint8_t *out, size_t *len) -{ - Response rsp = Response_init_default; - rsp.func = Functions_FUNC_ACCEPT_FRIEND; - rsp.which_msg = Response_status_tag; - - if ((v3 == NULL) || (v4 == NULL)) { - rsp.msg.status = -1; - LOG_ERROR("Empty V3 or V4."); - } else { - rsp.msg.status = AcceptNewFriend(v3, v4, scene); - } - - pb_ostream_t stream = pb_ostream_from_buffer(out, *len); - if (!pb_encode(&stream, Response_fields, &rsp)) { - LOG_ERROR("Encoding failed: {}", PB_GET_ERROR(&stream)); - return false; - } - *len = stream.bytes_written; - - return true; -} - -bool func_receive_transfer(char *wxid, char *tfid, char *taid, uint8_t *out, size_t *len) -{ - Response rsp = Response_init_default; - rsp.func = Functions_FUNC_RECV_TRANSFER; - rsp.which_msg = Response_status_tag; - - if ((wxid == NULL) || (tfid == NULL) || (taid == NULL)) { - rsp.msg.status = -1; - LOG_ERROR("Empty wxid, tfid or taid."); - } else { - rsp.msg.status = ReceiveTransfer(wxid, tfid, taid); - } - - pb_ostream_t stream = pb_ostream_from_buffer(out, *len); - if (!pb_encode(&stream, Response_fields, &rsp)) { - LOG_ERROR("Encoding failed: {}", PB_GET_ERROR(&stream)); - return false; - } - *len = stream.bytes_written; - - return true; -} - -======= ->>>>>>> master bool func_refresh_pyq(uint64_t id, uint8_t *out, size_t *len) { Response rsp = Response_init_default; @@ -697,8 +646,6 @@ bool func_refresh_qrcode(uint8_t *out, size_t *len) return true; } -<<<<<<< HEAD -======= bool func_receive_transfer(char *wxid, char *tfid, char *taid, uint8_t *out, size_t *len) { @@ -770,7 +717,6 @@ bool func_get_contact_info(string wxid, uint8_t *out, size_t *len) return true; } #endif ->>>>>>> master bool func_decrypt_image(DecPath dec, uint8_t *out, size_t *len) { 
@@ -893,11 +839,7 @@ bool func_invite_room_members(char *roomid, char *wxids, uint8_t *out, size_t *l return true; } -<<<<<<< HEAD -#endif -======= ->>>>>>> master static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len) { bool ret = false; @@ -944,7 +886,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_get_audio_msg(req.msg.am.id, req.msg.am.dir, out, out_len); break; } -#endif case Functions_FUNC_SEND_TXT: { ret = func_send_txt(req.msg.txt, out, out_len); break; @@ -961,7 +902,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_send_rich_txt(req.msg.rt, out, out_len); break; } -#if 0 case Functions_FUNC_SEND_PAT_MSG: { ret = func_send_pat_msg(req.msg.pm.roomid, req.msg.pm.wxid, out, out_len); break; @@ -970,14 +910,11 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_forward_msg(req.msg.fm.id, req.msg.fm.receiver, out, out_len); break; } -<<<<<<< HEAD -======= case Functions_FUNC_SEND_EMOTION: { ret = func_send_emotion(req.msg.file.path, req.msg.file.receiver, out, out_len); break; } #if 0 ->>>>>>> master case Functions_FUNC_SEND_XML: { ret = func_send_xml(req.msg.xml, out, out_len); break; @@ -991,22 +928,10 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_disable_recv_txt(out, out_len); break; } -#if 0 case Functions_FUNC_EXEC_DB_QUERY: { ret = func_exec_db_query(req.msg.query.db, req.msg.query.sql, out, out_len); break; } -<<<<<<< HEAD - case Functions_FUNC_ACCEPT_FRIEND: { - ret = func_accept_friend(req.msg.v.v3, req.msg.v.v4, req.msg.v.scene, out, out_len); - break; - } - case Functions_FUNC_RECV_TRANSFER: { - ret = func_receive_transfer(req.msg.tf.wxid, req.msg.tf.tfid, req.msg.tf.taid, out, out_len); - break; - } -======= ->>>>>>> master case Functions_FUNC_REFRESH_PYQ: { ret = func_refresh_pyq(req.msg.ui64, out, out_len); break; 
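Review bot: Removing the `#if 0` in front of `Functions_FUNC_EXEC_DB_QUERY` makes the dispatcher hand the request-supplied `db` and `sql` strings to `func_exec_db_query` with no restriction visible in this hunk. If the handler prepares the statement as sent, any client that can reach the RPC endpoint can read or alter every database reachable through `dbMap`. Whether the listener is bound to loopback or authenticated is not shown here; if it is not, I would gate this case behind an explicit opt-in setting and reject statements that are not read-only by default. At minimum add a comment above the case, such as `// Executes caller-supplied SQL verbatim; expose only to trusted local clients.` The dispatcher body starts and ends outside the hunk.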
@@ -1027,8 +952,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len ret = func_refresh_qrcode(out, out_len); break; } -<<<<<<< HEAD -======= #if 0 case Functions_FUNC_ACCEPT_FRIEND: { ret = func_accept_friend(req.msg.v.v3, req.msg.v.v4, req.msg.v.scene, out, out_len); @@ -1039,7 +962,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len break; } #endif ->>>>>>> master case Functions_FUNC_DECRYPT_IMAGE: { ret = func_decrypt_image(req.msg.dec, out, out_len); break; diff --git a/WeChatFerry/spy/send_msg.cpp b/WeChatFerry/spy/send_msg.cpp index d5c7919..70b0900 100644 --- a/WeChatFerry/spy/send_msg.cpp +++ b/WeChatFerry/spy/send_msg.cpp @@ -7,7 +7,6 @@ #include "send_msg.h" #include "spy_types.h" #include "util.h" -#include "wechat_function.h" extern HANDLE g_hEvent; extern QWORD g_WeChatWinDllAddr; @@ -15,13 +14,6 @@ extern string GetSelfWxid(); // Defined in spy.cpp #define SRTM_SIZE 0x3F0 -<<<<<<< HEAD -typedef QWORD (*funcSendTextMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD); -typedef QWORD (*funcSendImageMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD); -typedef QWORD (*funcSendFileMsg_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD *, QWORD, QWORD *, QWORD, QWORD *, QWORD, - QWORD); -typedef QWORD (*funcSendRichTextMsg_t)(QWORD, QWORD, QWORD); -======= #define OS_NEW 0x1C28800 #define OS_FREE 0x1C1FF10 #define OS_SEND_MSG_MGR 0x1C1E690 @@ -50,7 +42,6 @@ typedef QWORD (*SendPatMsg_t)(QWORD, QWORD); typedef QWORD (*ForwardMsg_t)(QWORD, QWORD, QWORD, QWORD); typedef QWORD (*GetEmotionMgr_t)(); typedef QWORD (*SendEmotion_t)(QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD, QWORD); ->>>>>>> master void SendTextMessage(string wxid, string msg, string atWxids) { 
@@ -78,17 +69,10 @@ void SendTextMessage(string wxid, string msg, string atWxids) QWORD wxAters = (QWORD) & ((RawVector_t *)&vWxAtWxids)->start; -<<<<<<< HEAD - char buffer[0x460] = { 0 }; - funcSendMsgMgr_t funcSendMsgMgr = (funcSendMsgMgr_t)(g_WeChatWinDllAddr + offset::kGetSendMessageMgr); - funcSendTextMsg_t funcSendTextMsg = (funcSendTextMsg_t)(g_WeChatWinDllAddr + offset::kSendTextMsg); - funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + offset::kFreeChatMsg); -======= char buffer[0x460] = { 0 }; SendMsgMgr_t funcSendMsgMgr = (SendMsgMgr_t)(g_WeChatWinDllAddr + OS_SEND_MSG_MGR); SendTextMsg_t funcSendTextMsg = (SendTextMsg_t)(g_WeChatWinDllAddr + OS_SEND_TEXT); Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_FREE); ->>>>>>> master funcSendMsgMgr(); success = funcSendTextMsg((QWORD)(&buffer), (QWORD)(&wxWxid), (QWORD)(&wxMsg), wxAters, 1, 1, 0, 0); funcFree((QWORD)(&buffer)); @@ -102,17 +86,10 @@ void SendImageMessage(string wxid, string path) WxString wxWxid(wsWxid); WxString wxPath(wsPath); -<<<<<<< HEAD - funcNew_t funcNew = (funcNew_t)(g_WeChatWinDllAddr + offset::kNewChatMsgByDownloadMgr); - funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + offset::kFreeChatMsg); - funcSendMsgMgr_t funcSendMsgMgr = (funcSendMsgMgr_t)(g_WeChatWinDllAddr + offset::kGetSendMessageMgr); - funcSendImageMsg_t funcSendImage = (funcSendImageMsg_t)(g_WeChatWinDllAddr + offset::kSendImageMsg); -======= New_t funcNew = (New_t)(g_WeChatWinDllAddr + OS_NEW); Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_FREE); SendMsgMgr_t funcSendMsgMgr = (SendMsgMgr_t)(g_WeChatWinDllAddr + OS_SEND_MSG_MGR); SendImageMsg_t funcSendImage = (SendImageMsg_t)(g_WeChatWinDllAddr + OS_SEND_IMAGE); ->>>>>>> master char msg[0x460] = { 0 }; char msgTmp[0x460] = { 0 }; 
@@ -139,17 +116,10 @@ void SendFileMessage(string wxid, string path) WxString wxWxid(wsWxid); WxString wxPath(wsPath); -<<<<<<< HEAD - funcNew_t funcNew = (funcNew_t)(g_WeChatWinDllAddr + offset::kChatMsgInstanceCounter); - funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + offset::kFreeChatMsg); - funcGetAppMsgMgr_t funcGetAppMsgMgr = (funcGetAppMsgMgr_t)(g_WeChatWinDllAddr + offset::kGetAppMsgMgr); - funcSendFileMsg_t funcSendFile = (funcSendFileMsg_t)(g_WeChatWinDllAddr + offset::kSendFileMsg); -======= New_t funcNew = (New_t)(g_WeChatWinDllAddr + OS_NEW); Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_FREE); GetAppMsgMgr_t funcGetAppMsgMgr = (GetAppMsgMgr_t)(g_WeChatWinDllAddr + OS_GET_APP_MSG_MGR); SendFileMsg_t funcSendFile = (SendFileMsg_t)(g_WeChatWinDllAddr + OS_SEND_FILE); ->>>>>>> master char msg[0x460] = { 0 }; QWORD tmp1[4] = { 0 }; 
@@ -166,25 +136,10 @@ int SendRichTextMessage(RichText_t &rt) { // TODO: Fix memory leak QWORD status = -1; -<<<<<<< HEAD - wstring receiver = String2Wstring(rt.receiver); - wstring title = String2Wstring(rt.title); - wstring url = String2Wstring(rt.url); - wstring thumburl = String2Wstring(rt.thumburl); - wstring account = String2Wstring(rt.account); - wstring name = String2Wstring(rt.name); - wstring digest = String2Wstring(rt.digest); - - funcNew_t funcNew = (funcNew_t)(g_WeChatWinDllAddr + offset::kNewRChatMsg); - funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + offset::kFreeRChatMsg); - funcGetAppMsgMgr_t funcGetAppMsgMgr = (funcGetAppMsgMgr_t)(g_WeChatWinDllAddr + offset::kGetAppMsgMgr); - funcSendRichTextMsg_t funcForwordPublicMsg = (funcSendRichTextMsg_t)(g_WeChatWinDllAddr + offset::kSendRichTextMsg); -======= New_t funcNew = (New_t)(g_WeChatWinDllAddr + OS_RTM_NEW); Free_t funcFree = (Free_t)(g_WeChatWinDllAddr + OS_RTM_FREE); GetAppMsgMgr_t funcGetAppMsgMgr = (GetAppMsgMgr_t)(g_WeChatWinDllAddr + OS_GET_APP_MSG_MGR); SendRichTextMsg_t funcForwordPublicMsg = (SendRichTextMsg_t)(g_WeChatWinDllAddr + OS_SEND_RICH_TEXT); ->>>>>>> master char *buff = (char *)HeapAlloc(GetProcessHeap(), 0, SRTM_SIZE); if (buff == NULL) { @@ -216,8 +171,6 @@ int SendRichTextMessage(RichText_t &rt) return (int)status; } -<<<<<<< HEAD -======= int SendPatMessage(string roomid, string wxid) { QWORD status = -1; @@ -275,7 +228,6 @@ void SendEmotionMessage(string wxid, string path) SendEmotion(mgr, (QWORD)pWxPath, (QWORD)buff, (QWORD)pWxWxid, 2, (QWORD)buff, 0, (QWORD)buff); } ->>>>>>> master #if 0 void SendXmlMessage(string receiver, string xml, string path, int type) { 
@@ -342,206 +294,4 @@ void SendXmlMessage(string receiver, string xml, string path, int type) popad; } } -<<<<<<< HEAD - -void SendEmotionMessage(string wxid, string path) -{ - if (g_WeChatWinDllAddr == 0) { - return; - } - - char buffer[0x1C] = { 0 }; - wstring wsWxid = String2Wstring(wxid); - wstring wsPath = String2Wstring(path); - - WxString wxWxid(wsWxid); - WxString wxPath(wsPath); - WxString nullbuffer; - - // 发送文件Call地址 = 微信基址 + 偏移 - DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendEmo.call1; - DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendEmo.call2; - DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendEmo.call3; - - __asm { - pushad; - pushfd; - mov ebx, dword ptr[sendCall3]; - lea eax, buffer; - push eax; - push 0x0; - sub esp, 0x14; - mov esi, esp; - mov dword ptr [esi], 0x0; - mov dword ptr [esi+0x4], 0x0; - mov dword ptr [esi+0x8], 0x0; - mov dword ptr [esi+0xC], 0x0; - mov dword ptr [esi+0x10], 0x0; - push 0x2; - lea eax, wxWxid; - sub esp, 0x14; - mov ecx, esp; - push eax; - call sendCall1; - sub esp, 0x14; - mov esi, esp; - mov dword ptr [esi], 0x0; - mov dword ptr [esi+0x4], 0x0; - mov dword ptr [esi+0x8], 0x0; - mov dword ptr [esi+0xC], 0x0; - mov dword ptr [esi+0x10], 0x0; - sub esp, 0x14; - mov ecx, esp; - lea eax, wxPath; - push eax; - call sendCall1; - mov ecx, ebx; - call sendCall2; - popfd; - popad; - } -} - -int SendRichTextMessage(RichText_t &rt) -{ - int status = -1; - char buff[0x238] = { 0 }; - - DWORD rtCall3 = g_WeChatWinDllAddr + g_WxCalls.rt.call3; - DWORD rtCall2 = g_WeChatWinDllAddr + g_WxCalls.rt.call2; - DWORD rtCall1 = g_WeChatWinDllAddr + g_WxCalls.rt.call1; - DWORD rtCall5 = g_WeChatWinDllAddr + g_WxCalls.rt.call5; - DWORD rtCall4 = g_WeChatWinDllAddr + g_WxCalls.rt.call4; - - __asm { - pushad; - pushfd; - lea ecx,buff; - call rtCall1; - popfd; - popad; - } - - wstring receiver = String2Wstring(rt.receiver); - wstring title = String2Wstring(rt.title); - wstring url = String2Wstring(rt.url); - wstring thumburl = 
String2Wstring(rt.thumburl); - wstring account = String2Wstring(rt.account); - wstring name = String2Wstring(rt.name); - wstring digest = String2Wstring(rt.digest); - - WxString wxReceiver(receiver); - WxString wxTitle(title); - WxString wxUrl(url); - WxString wxThumburl(thumburl); - WxString wxAccount(account); - WxString wxName(name); - WxString wxDigest(digest); - - memcpy(&buff[0x4], &wxTitle, sizeof(wxTitle)); - memcpy(&buff[0x2C], &wxUrl, sizeof(wxUrl)); - memcpy(&buff[0x6C], &wxThumburl, sizeof(wxThumburl)); - memcpy(&buff[0x94], &wxDigest, sizeof(wxDigest)); - memcpy(&buff[0x1A0], &wxAccount, sizeof(wxAccount)); - memcpy(&buff[0x1B4], &wxName, sizeof(wxName)); - - __asm { - pushad; - pushfd; - call rtCall2; - lea ecx, buff; - push ecx; - sub esp, 0x14; - mov edi, eax; - mov ecx, esp; - lea ebx, wxReceiver; - push ebx; - call rtCall3; - mov ecx, edi; - call rtCall4; - mov status, eax; - add ebx, 0x14; - lea ecx, buff; - push 0x0; - call rtCall5; - popfd; - popad; - } - - return status; -} - -int SendPatMessage(string roomid, string wxid) -{ - int status = -1; - - wstring wsRoomid = String2Wstring(roomid); - wstring wsWxid = String2Wstring(wxid); - WxString wxRoomid(wsRoomid); - WxString wxWxid(wsWxid); - - DWORD pmCall1 = g_WeChatWinDllAddr + g_WxCalls.pm.call1; - DWORD pmCall2 = g_WeChatWinDllAddr + g_WxCalls.pm.call2; - DWORD pmCall3 = g_WeChatWinDllAddr + g_WxCalls.pm.call3; - - __asm { - pushad; - call pmCall1; - push pmCall2; - push 0x0; - push eax; - lea ecx, wxRoomid; - lea edx, wxWxid; - call pmCall3; - add esp, 0xc; - movzx eax, al; - mov status, eax; - popad; - } - - return status; -} - -int ForwardMessage(QWORD msgid, string receiver) -{ - int status = -1; - uint32_t dbIdx = 0; - QWORD localId = 0; - - if (GetLocalIdandDbidx(msgid, &localId, &dbIdx) != 0) { - LOG_ERROR("Failed to get localId, Please check id: {}", to_string(msgid)); - return status; - } - - wstring wsReceiver = String2Wstring(receiver); - WxString wxReceiver(wsReceiver); - - DWORD 
fmCall1 = g_WeChatWinDllAddr + g_WxCalls.fm.call1; - DWORD fmCall2 = g_WeChatWinDllAddr + g_WxCalls.fm.call2; - - __asm { - pushad; - pushfd; - mov edx, dword ptr [dbIdx]; - push edx; - mov eax, dword ptr [localId]; - push eax; - sub esp, 0x14; - mov ecx, esp; - lea esi, wxReceiver; - push esi; - call fmCall1; - xor ecx, ecx; - call fmCall2; - movzx eax, al; - mov status, eax; - add esp, 0x1c; - popfd; - popad; - } - - return status; -} -======= ->>>>>>> master #endif diff --git a/WeChatFerry/spy/spy.cpp b/WeChatFerry/spy/spy.cpp index 3f76f8c..576276c 100644 --- a/WeChatFerry/spy/spy.cpp +++ b/WeChatFerry/spy/spy.cpp @@ -5,10 +5,6 @@ #include "spy.h" #include "util.h" -<<<<<<< HEAD -//WxCalls_t g_WxCalls = { 0 }; -======= ->>>>>>> master UINT64 g_WeChatWinDllAddr = 0; static bool IsWxVersionMatched(const wchar_t *version) @@ -37,19 +33,11 @@ void InitSpy(LPVOID args) return; } LOG_INFO("WeChat version: {}", Wstring2String(version).c_str()); -<<<<<<< HEAD - //if (LoadCalls(version, &g_WxCalls) != 0) { // 加载微信版本对应的Call地址 - // LOG_ERROR("不支持当前版本"); - // MessageBox(NULL, L"不支持当前版本", L"错误", 0); - // return; - //} -======= if (!IsWxVersionMatched(version)) { LOG_ERROR("不支持当前版本"); MessageBox(NULL, L"不支持当前版本", L"错误", 0); return; } ->>>>>>> master RpcStartServer(pp->port); } diff --git a/WeChatFerry/spy/spy.h b/WeChatFerry/spy/spy.h index 13e094c..f985134 100644 --- a/WeChatFerry/spy/spy.h +++ b/WeChatFerry/spy/spy.h @@ -2,11 +2,7 @@ #include "framework.h" -<<<<<<< HEAD -void InitSpy(LPVOID port); -======= #define SUPPORT_VERSION L"3.9.10.27" void InitSpy(int port); ->>>>>>> master void CleanupSpy(); diff --git a/WeChatFerry/spy/spy_types.h b/WeChatFerry/spy/spy_types.h index 8a77d4e..7fd1008 100644 --- a/WeChatFerry/spy/spy_types.h +++ b/WeChatFerry/spy/spy_types.h 
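Review bot: The declaration kept in spy.h, `void InitSpy(int port);`, does not match the definition named in the spy.cpp hunk header, `void InitSpy(LPVOID args)`, whose body still reads `pp->port`. In C++ these are two distinct overloads, so a caller that includes spy.h either fails to compile when it passes a pointer or resolves to a function that is never defined. Unless the definition is changed elsewhere in this commit, the declaration should read `void InitSpy(LPVOID args);`. The spy.cpp function starts outside its hunk, so its current signature is taken from the hunk header only.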
@@ -4,212 +4,6 @@ #include typedef uint64_t QWORD; -<<<<<<< HEAD -typedef struct UserInfoCall { - DWORD wxid = 0x5AB7FB8; - DWORD nickName = 0x5AB8098; - DWORD mobile = 0x5AB7FD8; - DWORD home = 0x5A7E190; -} UserInfoCall_t; - -typedef struct RecvMsg { - DWORD hook = 0x00; // Hook地址 - DWORD call = 0x2205510; // Call地址 - DWORD msgId = 0x30; // 消息ID地址 - DWORD type = 0x38; // 消息类型地址 - DWORD isSelf = 0x3C; // 是否自己发送标志地址 - DWORD ts = 0x44; // TimeStamp - DWORD roomId = 0x48; // 群聊时,为群ID;私聊时,为微信ID - DWORD content = 0x88; // 消息内容地址 - DWORD wxid = 0x240; // 私聊时,为空;群聊时,为发送者微信ID - DWORD sign = 0x260; // Sign - DWORD thumb = 0x280; // 缩略图 - DWORD extra = 0x2A0; // 附加数据 - DWORD msgXml = 0x308; // 消息xml内容地址 -} RecvMsg_t; - -typedef struct SendText { - DWORD call1 = 0x1C1E690; - DWORD call2 = 0x238DDD0; - DWORD call3 = 0x1C1FF10; -}; - -typedef struct Sendfile { - DWORD call1 = 0x1C28800; - DWORD call2 = 0x1C1FF10; - DWORD call3 = 0x1C23630; - DWORD call4 = 0x21969E0; -}; -typedef struct SendEmo { - DWORD call1 = 0x771980; - DWORD call2 = 0x4777E0; - DWORD call3 = 0x239E888; -}; - - -typedef struct SendImage { - DWORD call1 = 0x1C28800; - DWORD call2 = 0x1C1FF10; - DWORD call3 = 0x1C1E690; - DWORD call4 = 0x2383560; -}; - - -typedef struct Contact { - DWORD base; - DWORD head; - DWORD wxId; - DWORD wxCode; - DWORD wxRemark; - DWORD wxName; - DWORD wxGender; - DWORD wxCountry; - DWORD wxProvince; - DWORD wxCity; -} Contact_t; - -typedef struct Sql { - DWORD exec; - DWORD base; - DWORD start; - DWORD end; - DWORD slot; - DWORD name; -} Sql_t; - -typedef struct NewFriend { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; -} NewFriend_t; - -typedef struct AddRoomMember { - DWORD call1; - DWORD call2; - DWORD call3; -} ; - -typedef struct DelRoomMember { - DWORD call1; - DWORD call2; - DWORD call3; -}; - -typedef struct Xml { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; - DWORD param; -} Xml_t; - -typedef struct TF { - DWORD call1; - DWORD call2; - DWORD 
call3; -} TF_t; - -typedef struct Pyq { - DWORD hook; - DWORD call; - DWORD call1; - DWORD call2; - DWORD call3; - DWORD start; - DWORD end; - DWORD ts; - DWORD wxid; - DWORD content; - DWORD xml; - DWORD step; -} Pyq_t; - -typedef struct DlAttach { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; - DWORD call5; - DWORD call6; -} DlAttach_t; - -typedef struct RevokeMsg { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; - DWORD call5; -} RevokeMsg_t; - -typedef struct CallRichText { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; -} CallRichText_t; - -typedef struct CallPatMsg { - DWORD call1; - DWORD call2; - DWORD call3; -} CallPatMsg_t; - -typedef struct CallInviteCM { - DWORD call1; - DWORD call2; - DWORD call3; - DWORD call4; - DWORD call5; - DWORD call6; - DWORD call7; - DWORD call8; -} CallInviteCM_t; - -typedef struct CallOcr { - DWORD call1; - DWORD call2; - DWORD call3; -} CallOcr_t; - -typedef struct CallFm { - DWORD call1; - DWORD call2; -} CallFm_t; - -typedef struct CallRfLoginQr { - DWORD call1; - DWORD call2; - DWORD url; -} CallRfLoginQr_t; - -typedef struct WxCalls { - //DWORD login = 0x5AB8A2C; // 登录状态 - //UserInfoCall_t ui; // 用户信息 - //SendText sendText; // 发送消息 - //RecvMsg_t recvMsg; // 接收消息 - //SendImage sendImg; // 发送图片 - //Sendfile sendFile; // 发送文件 - //Xml_t sendXml; // 发送XML - //SendEmo sendEmo; // 发送表情 - //Contact_t contact; // 获取联系人 - //Sql_t sql; // 执行 SQL - //NewFriend_t anf; // 通过好友申请 - //AddRoomMember arm; // 添加群成员 - //DelRoomMember drm; // 删除群成员 - //TF_t tf; // 接收转账 - //Pyq_t pyq; // 接收朋友圈消息 - //DlAttach_t da; // 下载资源(图片、文件、视频) - //RevokeMsg_t rm; // 撤回消息 - //CallRichText_t rt; // 发送消息卡片 - //CallPatMsg_t pm; // 发送拍一拍消息 - //CallInviteCM_t irm; // 邀请群成员 - //CallOcr_t ocr; // OCR - //CallFm_t fm; // 转发消息 - //CallRfLoginQr_t rlq; // 刷新登录二维码 -} WxCalls_t; -======= ->>>>>>> master struct WxString { const wchar_t *wptr; 
diff --git a/WeChatFerry/spy/sqlite3.h b/WeChatFerry/spy/sqlite3.h index 8f4fa35..09bc15d 100644 --- a/WeChatFerry/spy/sqlite3.h +++ b/WeChatFerry/spy/sqlite3.h @@ -138,9 +138,9 @@ #define SQLITE_NULL 5 #define SQLITE_TEXT 3 -#define SQLITE3_EXEC_OFFSET 0x1E24F70 +#define SQLITE3_EXEC_OFFSET 0x3AFBCE0 #define SQLITE3_BACKUP_INIT_OFFSET 0x1DEA900 -#define SQLITE3_PREPARE_OFFSET 0x1E2B8C0 +#define SQLITE3_PREPARE_OFFSET 0x3B03990 #define SQLITE3_OPEN_OFFSET 0x1E598B0 #define SQLITE3_BACKUP_STEP_OFFSET 0x1DEAD00 #define SQLITE3_BACKUP_REMAINING_OFFSET 0x1DEB440 
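Review bot: Only part of the offset table is moved to the new build. `SQLITE3_EXEC_OFFSET` and `SQLITE3_PREPARE_OFFSET` here, and the `STEP`, `COLUMN_*` and `FINALIZE` entries in the next hunk, change to 0x3A…/0x3B… values, while `SQLITE3_BACKUP_INIT_OFFSET`, `SQLITE3_OPEN_OFFSET`, `SQLITE3_BACKUP_STEP_OFFSET`, `SQLITE3_BACKUP_REMAINING_OFFSET`, `SQLITE3_SLEEP_OFFSET`, `SQLITE3_ERRCODE_OFFSET` and `SQLITE3_CLOSE_OFFSET` keep their old 0x1D…/0x1E… values. If those were not re-checked for the version named in `SUPPORT_VERSION`, a call through any of them transfers control to an unrelated address in the host process. I would update them in the same commit or mark each one, e.g. `// stale: not verified for SUPPORT_VERSION, do not call`. The next hunk also leaves the database handle typed as `QWORD` in `Sqlite3_exec` and `Sqlite3_prepare` but `QWORD *` in every other typedef, which deserves a one-line comment on what the handle is.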
@@ -149,46 +149,46 @@ #define SQLITE3_SLEEP_OFFSET 0x1E5A0F0 #define SQLITE3_ERRCODE_OFFSET 0x1E58550 #define SQLITE3_CLOSE_OFFSET 0x1E56CD0 -#define SQLITE3_STEP_OFFSET 0x1DF3770 -#define SQLITE3_COLUMN_COUNT_OFFSET 0x1DF3C80 -#define SQLITE3_COLUMN_NAME_OFFSET 0x1DF4570 -#define SQLITE3_COLUMN_TYPE_OFFSET 0x1DF4410 -#define SQLITE3_COLUMN_BLOB_OFFSET 0x1DF3CC0 -#define SQLITE3_COLUMN_BYTES_OFFSET 0x1DF3DA0 -#define SQLITE3_FINALIZE_OFFSET 0x1DF2740 +#define SQLITE3_STEP_OFFSET 0x3ABFCE0 +#define SQLITE3_COLUMN_COUNT_OFFSET 0x3AC0500 +#define SQLITE3_COLUMN_NAME_OFFSET 0x3AC0F00 +#define SQLITE3_COLUMN_TYPE_OFFSET 0x3AC0D50 +#define SQLITE3_COLUMN_BLOB_OFFSET 0x3AC0530 +#define SQLITE3_COLUMN_BYTES_OFFSET 0x3AC0620 +#define SQLITE3_FINALIZE_OFFSET 0x3ABED90 typedef int (*Sqlite3_callback)(void *, int, char **, char **); -typedef int(__cdecl *Sqlite3_exec)(DWORD, /* An open database */ +typedef int(__cdecl *Sqlite3_exec)(QWORD, /* An open database */ const char *sql, /* SQL to be evaluated */ Sqlite3_callback, /* Callback function */ void *, /* 1st argument to callback */ char **errmsg /* Error msg written here */ ); -typedef DWORD(__cdecl *Sqlite3_backup_init)(DWORD *pDest, /* Destination database handle */ +typedef QWORD(__cdecl *Sqlite3_backup_init)(QWORD *pDest, /* Destination database handle */ const char *zDestName, /* Destination database name */ - DWORD *pSource, /* Source database handle */ + QWORD *pSource, /* Source database handle */ const char *zSourceName /* Source database name */ ); -typedef int(__cdecl *Sqlite3_prepare)(DWORD db, /* Database handle */ +typedef int(__cdecl *Sqlite3_prepare)(QWORD db, /* Database handle */ const char *zSql, /* SQL statement, UTF-8 encoded */ int nByte, /* Maximum length of zSql in bytes. 
*/ - DWORD **ppStmt, /* OUT: Statement handle */ + QWORD **ppStmt, /* OUT: Statement handle */ const char **pzTail /* OUT: Pointer to unused portion of zSql */ ); -typedef int(__cdecl *Sqlite3_open)(const char *filename, DWORD **ppDb); -typedef int(__cdecl *Sqlite3_backup_step)(DWORD *p, int nPage); -typedef int(__cdecl *Sqlite3_backup_remaining)(DWORD *p); -typedef int(__cdecl *Sqlite3_backup_pagecount)(DWORD *p); -typedef int(__cdecl *Sqlite3_backup_finish)(DWORD *p); +typedef int(__cdecl *Sqlite3_open)(const char *filename, QWORD **ppDb); +typedef int(__cdecl *Sqlite3_backup_step)(QWORD *p, int nPage); +typedef int(__cdecl *Sqlite3_backup_remaining)(QWORD *p); +typedef int(__cdecl *Sqlite3_backup_pagecount)(QWORD *p); +typedef int(__cdecl *Sqlite3_backup_finish)(QWORD *p); typedef int(__cdecl *Sqlite3_sleep)(int); -typedef int(__cdecl *Sqlite3_errcode)(DWORD *db); -typedef int(__cdecl *Sqlite3_close)(DWORD *); +typedef int(__cdecl *Sqlite3_errcode)(QWORD *db); +typedef int(__cdecl *Sqlite3_close)(QWORD *); -typedef int(__cdecl *Sqlite3_step)(DWORD *); -typedef int(__cdecl *Sqlite3_column_count)(DWORD *pStmt); -typedef const char *(__cdecl *Sqlite3_column_name)(DWORD *, int N); -typedef int(__cdecl *Sqlite3_column_type)(DWORD *, int iCol); -typedef const void *(__cdecl *Sqlite3_column_blob)(DWORD *, int iCol); -typedef int(__cdecl *Sqlite3_column_bytes)(DWORD *, int iCol); -typedef int(__cdecl *Sqlite3_finalize)(DWORD *pStmt); +typedef int(__cdecl *Sqlite3_step)(QWORD *); +typedef int(__cdecl *Sqlite3_column_count)(QWORD *pStmt); +typedef const char *(__cdecl *Sqlite3_column_name)(QWORD *, int N); +typedef int(__cdecl *Sqlite3_column_type)(QWORD *, int iCol); +typedef const void *(__cdecl *Sqlite3_column_blob)(QWORD *, int iCol); +typedef int(__cdecl *Sqlite3_column_bytes)(QWORD *, int iCol); +typedef int(__cdecl *Sqlite3_finalize)(QWORD *pStmt); diff --git a/WeChatFerry/spy/user_info.cpp b/WeChatFerry/spy/user_info.cpp index ca32d57..3c7152c 100644 
--- a/WeChatFerry/spy/user_info.cpp +++ b/WeChatFerry/spy/user_info.cpp @@ -1,7 +1,6 @@ #include "user_info.h" #include "log.h" #include "util.h" -#include "wechat_function.h" extern UINT64 g_WeChatWinDllAddr; @@ -15,11 +14,7 @@ static char home[MAX_PATH] = { 0 }; string GetHomePath() { if (home[0] == 0) { -<<<<<<< HEAD - string path = Wstring2String(GET_WSTRING(g_WeChatWinDllAddr + offset::wcf_home)) + "\\WeChat Files\\"; -======= string path = Wstring2String(GET_WSTRING(g_WeChatWinDllAddr + OS_USER_HOME)) + "\\WeChat Files\\"; ->>>>>>> master strncpy_s(home, path.c_str(), path.size()); } @@ -30,17 +25,6 @@ string GetSelfWxid() { UINT64 wxidType = 0; try { -<<<<<<< HEAD - wxidType = GET_UINT64(g_WeChatWinDllAddr + offset::wcf_iwxid + 0x18); - if (wxidType == 0xF) { - return GET_STRING_FROM_P(g_WeChatWinDllAddr + offset::wcf_iwxid); - } else { - return GET_STRING(g_WeChatWinDllAddr + offset::wcf_iwxid); - } - } catch (...) { - LOG_ERROR("wxid type: {:#x}", wxidType); - LOG_BUFFER((uint8_t *)(g_WeChatWinDllAddr + offset::wcf_iwxid), 20); -======= wxidType = GET_UINT64(g_WeChatWinDllAddr + OS_USER_WXID + 0x18); if (wxidType == 0xF) { return GET_STRING_FROM_P(g_WeChatWinDllAddr + OS_USER_WXID); @@ -50,7 +34,6 @@ string GetSelfWxid() } catch (...) { LOG_ERROR("wxid type: {:#x}", wxidType); LOG_BUFFER((uint8_t *)(g_WeChatWinDllAddr + OS_USER_WXID), 20); ->>>>>>> master return "empty_wxid"; } } 
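Review bot: `strncpy_s(home, path.c_str(), path.size());` in GetHomePath passes the source length as the count, so a path of `MAX_PATH` characters or more does not fit in `home`. In that case `strncpy_s` invokes the invalid-parameter handler, which terminates the process by default. The string is read from another module's memory at `g_WeChatWinDllAddr + OS_USER_HOME`, so its length is not controlled by this code. `strncpy_s(home, path.c_str(), _TRUNCATE);` truncates instead of failing. The function body continues outside the hunk.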
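Review bot: The `catch (...)` handler in GetSelfWxid calls `LOG_BUFFER((uint8_t *)(g_WeChatWinDllAddr + OS_USER_WXID), 20);`, which reads the same address that the `try` block reads and that has presumably just failed. An invalid read is a structured exception, which `catch (...)` only intercepts when the file is built with `/EHa`. Under `/EHsc` the handler never runs for it, and under `/EHa` the second read can fault again inside the handler. I would log only `wxidType` and the computed address there, and add a comment such as `// requires /EHa: guards raw reads of host-process memory` if that is the intended build mode.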
@@ -61,16 +44,6 @@ UserInfo_t GetUserInfo() ui.wxid = GetSelfWxid(); -<<<<<<< HEAD - UINT64 nameType = GET_UINT64(g_WeChatWinDllAddr + offset::wcf_nickName + 0x18); - if (nameType == 0xF) { - ui.name = GET_STRING_FROM_P(g_WeChatWinDllAddr + offset::wcf_nickName); - } else { // 0x1F - ui.name = GET_STRING(g_WeChatWinDllAddr + offset::wcf_nickName); - } - - ui.mobile = GET_STRING_FROM_P(g_WeChatWinDllAddr + offset::wcf_mobile); -======= UINT64 nameType = GET_UINT64(g_WeChatWinDllAddr + OS_USER_NAME + 0x18); if (nameType == 0xF) { ui.name = GET_STRING_FROM_P(g_WeChatWinDllAddr + OS_USER_NAME); @@ -79,7 +52,6 @@ UserInfo_t GetUserInfo() } ui.mobile = GET_STRING_FROM_P(g_WeChatWinDllAddr + OS_USER_MOBILE); ->>>>>>> master ui.home = GetHomePath(); return ui; diff --git a/WeChatFerry/spy/wechat_function.h b/WeChatFerry/spy/wechat_function.h deleted file mode 100644 index 531bdcc..0000000 --- a/WeChatFerry/spy/wechat_function.h +++ /dev/null 
@@ -1,177 +0,0 @@ -#include -#include -#include - -namespace offset { - const UINT64 kGetAccountServiceMgr = 0x1B50D00; //ok - const UINT64 kGetCurrentDataPath = 0x2248D40; //ok - const UINT64 kGetAppDataSavePath = 0x25DBFE0; //ok - const UINT64 kGetSendMessageMgr = 0x1B4F500; //OK - const UINT64 kNewChatMsgByDownloadMgr = 0x1B59670; //ok - const UINT64 kSendTextMsg = 0x22C2070; //OK - const UINT64 kFreeChatMsg = 0x1B50D80; //OK - - const UINT64 kDoAddMsg = 0x230A490; //ok - const UINT64 kSendImageMsg = 0x22B7800; //ok - const UINT64 kChatMsgInstanceCounter = kNewChatMsgByDownloadMgr; //ok - const UINT64 kSendFileMsg = 0x20CB750;//ok - const UINT64 kGetAppMsgMgr = 0x1B544A0; //ok - const UINT64 kGetContactMgr = 0x1B3CCD0;//ok - const UINT64 kGetContactList = 0x219A220;//ok - - const UINT64 k_sqlite3_exec = 0x3A59B40;//ok - const UINT64 k_sqlite3_prepare = 0x3A617F0;//ok - //const UINT64 k_sqlite3_open = 0x27242a0; //1 - const UINT64 k_sqlite3_step = 0x3A1DB40;//ok - const UINT64 k_sqlite3_column_count = 0x3A1E360;//ok - const UINT64 k_sqlite3_column_name = 0x3A1ED60;//ok - const UINT64 k_sqlite3_column_type = 0x3A1EBB0;//ok - const UINT64 k_sqlite3_column_blob = 0x3A1E390;//ok - const UINT64 k_sqlite3_column_bytes = 0x3A1E480;//ok - const UINT64 k_sqlite3_finalize = 0x3A1CBF0; //ok - - const UINT64 kGPInstance = 0x58DD340; //ok - - const UINT64 kMicroMsgDB = 0xb8; //ok - const UINT64 kChatMsgDB = 0x2c8; //ok - const UINT64 kMiscDB = 0x5f0; //ok - const UINT64 kEmotionDB = 0x15f0; //ok - const UINT64 kMediaDB = 0xF48; //ok - const UINT64 kBizchatMsgDB = 0x1AC0;//ok - - const UINT64 kFunctionMsgDB = 0x1b98;//ok - const UINT64 kDBName = 0x28; - const UINT64 kStorageStart = 0x0; - const UINT64 kStorageEnd = 0x0; - - - const UINT64 kMultiDBMgr = 0x593AC38; //ok - const UINT64 kPublicMsgMgr = 0x59381D8; //ok - const UINT64 kFavoriteStorageMgr = 0x593B7D0; //ok - - - const UINT64 kChatRoomMgr = 0x1B7EEC0; //ok - const UINT64 kGetChatRoomDetailInfo = 0x2160C10; //ok - 
const UINT64 kNewChatRoomInfo = 0x25051D0;//ok - const UINT64 kFreeChatRoomInfo = 0x25053B0;//ok - //const UINT64 kDoAddMemberToChatRoom = 0xe63c70; - //const UINT64 kDoModChatRoomMemberNickName = 0xe6db00; - //const UINT64 kDelMemberFromChatRoom = 0xe64290; - const UINT64 kGetMemberFromChatRoom = 0x2162460;//ok - const UINT64 kNewChatRoom = 0x25025F0;//ok - const UINT64 kFreeChatRoom = 0x25027F0;//ok - - //const UINT64 kTopMsg = 0xa5e4f0; - //const UINT64 kRemoveTopMsg = 0xe787b0; - //const UINT64 kInviteMember = 0xe63650; - //const UINT64 kHookLog = 0x1304e60; - - //const UINT64 kCreateChatRoom = 0xe63340; - //const UINT64 kQuitChatRoom = 0xe6e3b0; - const UINT64 kForwardMsg = 0x22C15F0; //ok - - //const UINT64 kOnSnsTimeLineSceneFinish = 0x1a73150; - //const UINT64 kSNSGetFirstPage = 0x1a51dd0; - //const UINT64 kSNSGetNextPageScene = 0x1a77240; - //const UINT64 kSNSDataMgr = 0xeebda0; - //const UINT64 kSNSTimeLineMgr = 0x19e83a0; - const UINT64 kGetMgrByPrefixLocalId = 0x213B010; //ok - //const UINT64 kAddFavFromMsg = 0x1601520; - const UINT64 kGetChatMgr = 0x1B82BF0; //ok - //const UINT64 kGetFavoriteMgr = 0x8c69b0; - //const UINT64 kAddFavFromImage = 0x160b920; - const UINT64 kGetContact = 0x2194630; //ok - const UINT64 kNewContact = 0x25193B0; //ok - const UINT64 kFreeContact = 0x2519A60; //ok - //const UINT64 kNewMMReaderItem = 0x8c79a0; - //const UINT64 kFreeMMReaderItem = 0x8c6da0; - //const UINT64 kForwordPublicMsg = 0xddc6c0; - const UINT64 kParseAppMsgXml = 0x24B3FD0; //ok - const UINT64 kNewAppMsgInfo = 0x1BCE7B0; //ok - const UINT64 kFreeAppMsgInfo = 0x1B93D80; //ok - const UINT64 kGetPreDownLoadMgr = 0x1C0A3A0; //ok - const UINT64 kPushAttachTask = 0x1CDA9B0; //ok - //const UINT64 kGetCustomSmileyMgr = 0x915c00; - //const UINT64 kSendCustomEmotion = 0xec0a40; - //const UINT64 kNewJsApiShareAppMessage = 0x13be1a0; - //const UINT64 kInitJsConfig = 0x137bc00; - //const UINT64 kSendApplet = 0x13c0920; - //const UINT64 kSendAppletSecond = 0x13c1150; - 
//const UINT64 kGetAppInfoByWaid = 0x13c5790; - //const UINT64 kCopyShareAppMessageRequest = 0x13c0670; - //const UINT64 kNewWAUpdatableMsgInfo = 0x919ca0; - //const UINT64 kFreeWAUpdatableMsgInfo = 0x8fc230; - //const UINT64 kSendPatMsg = 0x195f340; - //const UINT64 kGetOCRManager = 0x999780; - //const UINT64 kDoOCRTask = 0x190b2a0; - - const UINT64 kGetLockWechatMgr = 0x1C84DA0;//ok - const UINT64 kRequestLockWechat = 0x1C39860;//ok - const UINT64 kRequestUnLockWechat = 0x1C39B00;//ok - - const UINT64 kOnLoginBtnClick = 0x202BC90;//ok - const UINT64 kOnLoginBtnParam = 0x4ECEE08;//ok - - const UINT64 kGetQRCodeLoginMgr = 0x201E420;//ok - - const UINT64 kUpdateMsg = 0x2142200;//ok - const UINT64 kGetVoiceMgr = 0x1E13320;//ok - const UINT64 kChatMsg2NetSceneSendMsg = 0x1B71FD0;//ok - const UINT64 kTranslateVoice = 0x2353E00;//ok - const UINT64 kNewWebViewPageConfig = 0x1B53AE0; //ok - const UINT64 kFreeWebViewPageConfig = 0x1B53D10; //ok - const UINT64 kGetWebViewMgr = 0x1B43950; //ok - - const UINT64 kShowWebView = 0x302ED40;//ok - const UINT64 kSetUrl = 0x26155F0; //ok - - - - //发送小程序 - const UINT64 kNewJsApiShareAppMessage = 0x26CDA30; //ok - const UINT64 kInitJsConfig = 0x268A970; //ok - const UINT64 kSendApplet = 0x26D01D0; //ok - const UINT64 kSendAppletSecond = 0x26D0A00; //ok - const UINT64 kGetAppInfoByWaid = 0x26D4F80; //ok - const UINT64 kCopyShareAppMessageRequest = 0x26CFF20;//ok - const UINT64 kNewWAUpdatableMsgInfo = 0x1BCDD10; //ok - const UINT64 kFreeWAUpdatableMsgInfo = 0x1B92AC0;//ok - const UINT64 kSendPatMsg = 0x2CA97A0;//ok PatMgr::SendPatMsg - const UINT64 kSendAppletRcxParam = 0x4F64A60; //ok - - //取群联系人昵称 - const UINT64 kChatRoomNickNameMgr = 0x1B7F100; //ok - const UINT64 kGetChatRoomNickName = 0x21625D0; //ok - - - - //卡片 - //const UINT64 kRichTextMgr = 0x1C23630; - const UINT64 kSendRichTextMsg = 0x20D5730; - const UINT64 kNewRChatMsg = 0x1B58BC0; - const UINT64 kFreeRChatMsg = 0x1B57F90; - - //HOOK偏移 - const UINT64 wcf_hook = 0x00; // 
Hook地址 - const UINT64 wcf_HookCall = 0x213A2A0; // Call地址 - const UINT64 wcf_msgId = 0x30; // 消息ID地址 - const UINT64 wcf_type = 0x38; // 消息类型地址 - const UINT64 wcf_isSelf = 0x3C; // 是否自己发送标志地址 - const UINT64 wcf_ts = 0x44; // TimeStamp - const UINT64 wcf_roomId = 0x48; // 群聊时,为群ID;私聊时,为微信ID - const UINT64 wcf_content = 0x88; // 消息内容地址 - const UINT64 wcf_wxid = 0x240; // 私聊时,为空;群聊时,为发送者微信ID - const UINT64 wcf_sign = 0x260; // Sign - const UINT64 wcf_thumb = 0x280; // 缩略图 - const UINT64 wcf_extra = 0x2A0; // 附加数据 - const UINT64 wcf_msgXml = 0x308; // 消息xml内容地址 - - //登录状态 - const UINT64 wcf_kLoginStatu = 0x59380B0; - const UINT64 wcf_iwxid = 0x5AB7FB8; - const UINT64 wcf_nickName = 0x5AB8098; - const UINT64 wcf_mobile = 0x5AB7FD8; - const UINT64 wcf_home = 0x5A7E190; - - -} // namespace offset