cyonjan/WeChatFerry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Impl send image

Browse Source
This commit is contained in:
Changhua 2024-06-10 16:05:43 +08:00
parent 68822467ff
commit e84473ec1b
2 changed files with 31 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
WeChatFerry/spy/rpc_server.cpp
View File

@ -242,7 +242,7 @@ bool func_send_txt(TextMsg txt, uint8_t *out, size_t *len)
return true; return true;
} }
#if 0
bool func_send_img(char *path, char *receiver, uint8_t *out, size_t *len) bool func_send_img(char *path, char *receiver, uint8_t *out, size_t *len)
{ {
Response rsp = Response_init_default; Response rsp = Response_init_default;
@ -269,7 +269,7 @@ bool func_send_img(char *path, char *receiver, uint8_t *out, size_t *len)
return true; return true;
} }
#if 0
bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len) bool func_send_file(char *path, char *receiver, uint8_t *out, size_t *len)
{ {
Response rsp = Response_init_default; Response rsp = Response_init_default;
@ -889,6 +889,10 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
ret = func_send_txt(req.msg.txt, out, out_len); ret = func_send_txt(req.msg.txt, out, out_len);
break; break;
} }
case Functions_FUNC_SEND_IMG: {
ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len);
break;
}
#if 0 #if 0
case Functions_FUNC_SEND_RICH_TXT: { case Functions_FUNC_SEND_RICH_TXT: {
ret = func_send_rich_txt(req.msg.rt, out, out_len); ret = func_send_rich_txt(req.msg.rt, out, out_len);
@ -898,10 +902,6 @@ static bool dispatcher(uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len
ret = func_send_pat_msg(req.msg.pm.roomid, req.msg.pm.wxid, out, out_len); ret = func_send_pat_msg(req.msg.pm.roomid, req.msg.pm.wxid, out, out_len);
break; break;
} }
case Functions_FUNC_SEND_IMG: {
ret = func_send_img(req.msg.file.path, req.msg.file.receiver, out, out_len);
break;
}
case Functions_FUNC_SEND_FILE: { case Functions_FUNC_SEND_FILE: {
ret = func_send_file(req.msg.file.path, req.msg.file.receiver, out, out_len); ret = func_send_file(req.msg.file.path, req.msg.file.receiver, out, out_len);
break; break;

63
WeChatFerry/spy/send_msg.cpp
View File

@ -13,9 +13,12 @@ extern WxCalls_t g_WxCalls;
extern UINT64 g_WeChatWinDllAddr; extern UINT64 g_WeChatWinDllAddr;
extern string GetSelfWxid(); // Defined in spy.cpp extern string GetSelfWxid(); // Defined in spy.cpp
typedef UINT64 (*funcSendMsgMgr_t)(); typedef UINT64 (*funcNew_t)(UINT64);
typedef UINT64 (*funcSendTextMsg_t)(UINT64, UINT64, UINT64, UINT64, UINT64, UINT64, UINT64, UINT64);
typedef UINT64 (*funcFree_t)(UINT64); typedef UINT64 (*funcFree_t)(UINT64);
typedef UINT64 (*funcSendMsgMgr_t)();
typedef UINT64 (*funcSendTextMsg_t)(UINT64, UINT64, UINT64, UINT64, UINT64, UINT64, UINT64, UINT64);
typedef UINT64 (*funcSendImageMsg_t)(UINT64, UINT64, UINT64, UINT64, UINT64);
void SendTextMessage(string wxid, string msg, string atWxids) void SendTextMessage(string wxid, string msg, string atWxids)
{ {
@ -52,53 +55,37 @@ void SendTextMessage(string wxid, string msg, string atWxids)
funcFree((uint64_t)(&buffer)); funcFree((uint64_t)(&buffer));
} }
#if 0
void SendImageMessage(string wxid, string path) void SendImageMessage(string wxid, string path)
{ {
if (g_WeChatWinDllAddr == 0) {
return;
}
int success = 0;
DWORD tmpEAX = 0;
char buf[0x2D8] = { 0 };
wstring wsWxid = String2Wstring(wxid); wstring wsWxid = String2Wstring(wxid);
wstring wsPath = String2Wstring(path); wstring wsPath = String2Wstring(path);
WxString wxWxid(wsWxid); WxString wxWxid(wsWxid);
WxString wxPath(wsPath); WxString wxPath(wsPath);
WxString nullbuffer;
// 发送图片Call地址 = 微信基址 + 偏移 funcNew_t funcNew = (funcNew_t)(g_WeChatWinDllAddr + g_WxCalls.sendImage.call1);
DWORD sendCall1 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call1; funcFree_t funcFree = (funcFree_t)(g_WeChatWinDllAddr + g_WxCalls.sendImage.call2);
DWORD sendCall2 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call2; funcSendMsgMgr_t funcSendMsgMgr = (funcSendMsgMgr_t)(g_WeChatWinDllAddr + g_WxCalls.sendImage.call3);
DWORD sendCall3 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call3; funcSendImageMsg_t funcSendImage = (funcSendImageMsg_t)(g_WeChatWinDllAddr + g_WxCalls.sendImage.call4);
DWORD sendCall4 = g_WeChatWinDllAddr + g_WxCalls.sendImg.call4;
__asm { char msg[0x460] = { 0 };
pushad; char msgTmp[0x460] = { 0 };
call sendCall1; QWORD *flag[10] = { 0 };
sub esp,0x14;
mov tmpEAX,eax; QWORD tmp1 = 0, tmp2 = 0;
lea eax,nullbuffer; QWORD pMsgTmp = funcNew((QWORD)(&msgTmp));
mov ecx,esp; flag[8] = &tmp1;
lea edi,wxPath; flag[9] = &tmp2;
push eax; flag[1] = (QWORD *)(pMsgTmp);
call sendCall2;
mov ecx,dword ptr [tmpEAX]; QWORD pMsg = funcNew((QWORD)(&msg));
lea eax,wxWxid; QWORD sendMgr = funcSendMsgMgr();
push edi; funcSendImage(sendMgr, pMsg, (QWORD)(&wxWxid), (QWORD)(&wxPath), (QWORD)(&flag));
push eax; funcFree(pMsg);
lea eax,buf; funcFree(pMsgTmp);
push eax;
call sendCall3;
mov success,eax;
lea ecx,buf;
call sendCall4;
popad;
}
} }
#if 0
void SendFileMessage(string wxid, string path) void SendFileMessage(string wxid, string path)
{ {
if (g_WeChatWinDllAddr == 0) { if (g_WeChatWinDllAddr == 0) {