Research on sending group @-mention messages in the XX PC client
This post was last edited by Kido on 2019-6-6 18:33.
First, locate the call that sends an ordinary message. Reference documents:
https://bbs.pediy.com/thread-249542.htm
https://www.52pojie.cn/thread-873835-1-1.html
In a WeChat group, send any ordinary text message; once the breakpoint hits, observe the register state.
The referenced article says edx is the target WeChat ID structure, eax is a pointer, and ecx is a buffer.
http://att.125.la/data/attachment/forum/201903/05/044802rag31h1gi12agx2o.jpg
Then send an @-mention message and notice that eax is no longer 0.
http://att.125.la/data/attachment/forum/201903/05/044808x15v3lee3g1gequv.jpg
Typing dd shows that 04FC6758 holds the target wxid structure;
eax+4 and eax+8 are identical, so all that remains is to find where eax comes from.
Tracing upward, we find:
0F309AFB|.8D43 14 |LEA EAX, DWORD PTR DS:
Next, look for ebx:
0F309A53|.8D5E 04 LEA EBX, DWORD PTR DS:
And likewise for eax:
0F309A30|.8B30 MOV ESI, DWORD PTR DS:
eax turns out to come from the first argument:
0F309A28|.8B45 08 MOV EAX,
0F3099E0/$55 PUSH EBP
0F3099E1|.8BEC MOV EBP, ESP
0F3099E3|.6A FF PUSH -0x1
0F3099E5|.68 890A0610 PUSH 10060A89
0F3099EA|.64:A1 0000000>MOV EAX, DWORD PTR FS:
0F3099F0|.50 PUSH EAX
0F3099F1|.81EC 400D0000 SUB ESP, 0xD40
0F3099F7|.A1 C4704310 MOV EAX, DWORD PTR DS: ;&(4Y
0F3099FC|.33C5 XOR EAX, EBP
0F3099FE|.8945 EC MOV , EAX
0F309A01|.53 PUSH EBX
0F309A02|.56 PUSH ESI
0F309A03|.57 PUSH EDI
0F309A04|.50 PUSH EAX
0F309A05|.8D45 F4 LEA EAX,
0F309A08|.64:A3 0000000>MOV DWORD PTR FS:, EAX
0F309A0E|.8BF9 MOV EDI, ECX
0F309A10|.897D C8 MOV , EDI
0F309A13|.837F 1C 00 CMP DWORD PTR DS:, 0x0
0F309A17|.8D47 18 LEA EAX, DWORD PTR DS:
0F309A1A|.8945 CC MOV , EAX
0F309A1D|.0F9EC0 SETLE AL
0F309A20|.84C0 TEST AL, AL
0F309A22|.0F85 29070000 JNZ 0F30A151
0F309A28|.8B45 08 MOV EAX,
0F309A2B|.8B48 04 MOV ECX, DWORD PTR DS:
0F309A2E|.8BD1 MOV EDX, ECX
0F309A30|.8B30 MOV ESI, DWORD PTR DS:
0F309A32|.2BD6 SUB EDX, ESI
0F309A34|.B8 398EE338 MOV EAX, 0x38E38E39
0F309A39|.F7EA IMUL EDX
0F309A3B|.C1FA 03 SAR EDX, 0x3
0F309A3E|.8BC2 MOV EAX, EDX
0F309A40|.C1E8 1F SHR EAX, 0x1F
0F309A43|.03C2 ADD EAX, EDX
0F309A45|.0F84 06070000 JE 0F30A151
0F309A4B|.3BF1 CMP ESI, ECX
0F309A4D|.0F84 CD060000 JE 0F30A120
0F309A53|.8D5E 04 LEA EBX, DWORD PTR DS:
0F309A56|>8B06 /MOV EAX, DWORD PTR DS:
0F309A58|.48 |DEC EAX ;Switch (cases 1..6)
0F309A59|.83F8 05 |CMP EAX, 0x5
0F309A5C|.0F87 A9060000 |JA 0F30A10B
0F309A62|.FF2485 74A130>|JMP DWORD PTR DS:
0F309A69|>8B03 |MOV EAX, DWORD PTR DS: ;Case 1 of switch 0F309A58
0F309A6B|.85C0 |TEST EAX, EAX
0F309A6D|.74 06 |JE SHORT 0F309A75
0F309A6F|.66:8338 00 |CMP WORD PTR DS:, 0x0
0F309A73|.75 05 |JNZ SHORT 0F309A7A
0F309A75|>B8 083B2310 |MOV EAX, 10233B08
0F309A7A|>6A FF |PUSH -0x1
0F309A7C|.50 |PUSH EAX
0F309A7D|.8D4D 88 |LEA ECX,
0F309A80|.E8 2B933B00 |CALL 0F6C2DB0
0F309A85|.83EC 14 |SUB ESP, 0x14
0F309A88|.C745 FC 00000>|MOV , 0x0
0F309A8F|.8D45 88 |LEA EAX,
0F309A92|.8BCC |MOV ECX, ESP
0F309A94|.50 |PUSH EAX
0F309A95|.E8 56933B00 |CALL 0F6C2DF0
0F309A9A|.E8 C1FEFFFF |CALL 0F309960
0F309A9F|.83C4 14 |ADD ESP, 0x14
0F309AA2|.84C0 |TEST AL, AL
0F309AA4|.74 4D |JE SHORT 0F309AF3
0F309AA6|.8B45 08 |MOV EAX,
0F309AA9|.8B48 04 |MOV ECX, DWORD PTR DS:
0F309AAC|.2B08 |SUB ECX, DWORD PTR DS:
0F309AAE|.B8 398EE338 |MOV EAX, 0x38E38E39
0F309AB3|.F7E9 |IMUL ECX
0F309AB5|.C1FA 03 |SAR EDX, 0x3
0F309AB8|.8BC2 |MOV EAX, EDX
0F309ABA|.C1E8 1F |SHR EAX, 0x1F
0F309ABD|.03C2 |ADD EAX, EDX
0F309ABF|.83F8 01 |CMP EAX, 0x1
0F309AC2|.0F85 28010000 |JNZ 0F309BF0
0F309AC8|.6A 00 |PUSH 0x0
0F309ACA|.6A 00 |PUSH 0x0
0F309ACC|.6A 00 |PUSH 0x0
0F309ACE|.68 0B030000 |PUSH 0x30B
0F309AD3|.E8 38402600 |CALL 0F56DB10
0F309AD8|.8BC8 |MOV ECX, EAX
0F309ADA|.E8 B1502600 |CALL 0F56EB90
0F309ADF|.8D4D 88 |LEA ECX,
0F309AE2|.C745 FC FFFFF>|MOV , -0x1
0F309AE9|.E8 7284FEFF |CALL 0F2F1F60
0F309AEE|.E9 18060000 |JMP 0F30A10B
0F309AF3|>E8 9861FBFF |CALL 0F2BFC90
0F309AF8|.8B55 CC |MOV EDX,
0F309AFB|.8D43 14 |LEA EAX, DWORD PTR DS:
0F309AFE|.6A 01 |PUSH 0x1
0F309B00|.50 |PUSH EAX
0F309B01|.53 |PUSH EBX
0F309B02|.8D8D E4F7FFFF |LEA ECX,
0F309B08|.E8 13A32100 |CALL 0F523E20 ;this call is our send-text call
Next, go back up one level to the caller:
0F31B160/$55 PUSH EBP
0F31B161|.8BEC MOV EBP, ESP
0F31B163|.6A FF PUSH -0x1
0F31B165|.68 48250610 PUSH 10062548
0F31B16A|.64:A1 0000000>MOV EAX, DWORD PTR FS:
0F31B170|.50 PUSH EAX
0F31B171|.83EC 2C SUB ESP, 0x2C
0F31B174|.53 PUSH EBX
0F31B175|.56 PUSH ESI
0F31B176|.57 PUSH EDI
0F31B177|.A1 C4704310 MOV EAX, DWORD PTR DS: ;&(4Y
0F31B17C|.33C5 XOR EAX, EBP
0F31B17E|.50 PUSH EAX
0F31B17F|.8D45 F4 LEA EAX,
0F31B182|.64:A3 0000000>MOV DWORD PTR FS:, EAX
0F31B188|.8BD9 MOV EBX, ECX
0F31B18A|.C745 DC 00000>MOV , 0x0
0F31B191|.C745 E0 00000>MOV , 0x0
0F31B198|.C745 E4 00000>MOV , 0x0
0F31B19F|.8D45 DC LEA EAX,
0F31B1A2|.C745 FC 00000>MOV , 0x0
0F31B1A9|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B1AF|.50 PUSH EAX
0F31B1B0|.E8 1BCFFBFF CALL 0F2D80D0
0F31B1B5|.85C0 TEST EAX, EAX
0F31B1B7|.7F 7E JG SHORT 0F31B237
0F31B1B9|.51 PUSH ECX
0F31B1BA|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B1C0|.8BF9 MOV EDI, ECX
0F31B1C2|.68 D0070000 PUSH 0x7D0
0F31B1C7|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B1C9|.FF50 44 CALL DWORD PTR DS:
0F31B1CC|.8B17 MOV EDX, DWORD PTR DS:
0F31B1CE|.8BCF MOV ECX, EDI
0F31B1D0|.8BF0 MOV ESI, EAX
0F31B1D2|.FF52 3C CALL DWORD PTR DS:
0F31B1D5|.8B8B 64050000 MOV ECX, DWORD PTR DS:
0F31B1DB|.03F0 ADD ESI, EAX
0F31B1DD|.56 PUSH ESI
0F31B1DE|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B1E0|.FF50 58 CALL DWORD PTR DS:
0F31B1E3|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B1E9|.99 CDQ
0F31B1EA|.2BC2 SUB EAX, EDX
0F31B1EC|.8BF0 MOV ESI, EAX
0F31B1EE|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B1F0|.D1FE SAR ESI, 1
0F31B1F2|.FF52 40 CALL DWORD PTR DS:
0F31B1F5|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B1FB|.8BF8 MOV EDI, EAX
0F31B1FD|.2BFE SUB EDI, ESI
0F31B1FF|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B201|.FF52 38 CALL DWORD PTR DS:
0F31B204|.03C7 ADD EAX, EDI
0F31B206|.BA 16040000 MOV EDX, 0x416
0F31B20B|.50 PUSH EAX
0F31B20C|.83EC 14 SUB ESP, 0x14
0F31B20F|.8BCC MOV ECX, ESP
0F31B211|.E8 CA8A3A00 CALL 0F6C3CE0
0F31B216|.8BCB MOV ECX, EBX
0F31B218|.E8 F35F0000 CALL 0F321210
0F31B21D|.8B8B 3C050000 MOV ECX, DWORD PTR DS:
0F31B223|.6A 00 PUSH 0x0
0F31B225|.FFB3 60050000 PUSH DWORD PTR DS:
0F31B22B|.E8 98CB5E00 CALL 0F907DC8
0F31B230|.32DB XOR BL, BL
0F31B232|.E9 B2010000 JMP 0F31B3E9
0F31B237|>8B45 DC MOV EAX,
0F31B23A|.33C9 XOR ECX, ECX
0F31B23C|.8B55 E0 MOV EDX,
0F31B23F|.3BC2 CMP EAX, EDX
0F31B241|.74 12 JE SHORT 0F31B255
0F31B243|>8338 02 /CMP DWORD PTR DS:, 0x2
0F31B246|.75 06 |JNZ SHORT 0F31B24E
0F31B248|.41 |INC ECX
0F31B249|.83F9 0B |CMP ECX, 0xB
0F31B24C|.7D 7F |JGE SHORT 0F31B2CD
0F31B24E|>83C0 24 |ADD EAX, 0x24
0F31B251|.3BC2 |CMP EAX, EDX
0F31B253|.^ 75 EE \JNZ SHORT 0F31B243
0F31B255|>E8 467A0000 CALL 0F322CA0
0F31B25A|.84C0 TEST AL, AL
0F31B25C|.0F84 BD000000 JE 0F31B31F
0F31B262|.51 PUSH ECX
0F31B263|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B269|.8BF9 MOV EDI, ECX
0F31B26B|.68 D0070000 PUSH 0x7D0
0F31B270|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B272|.FF50 44 CALL DWORD PTR DS:
0F31B275|.8B17 MOV EDX, DWORD PTR DS:
0F31B277|.8BCF MOV ECX, EDI
0F31B279|.8BF0 MOV ESI, EAX
0F31B27B|.FF52 3C CALL DWORD PTR DS:
0F31B27E|.8B8B 64050000 MOV ECX, DWORD PTR DS:
0F31B284|.03F0 ADD ESI, EAX
0F31B286|.56 PUSH ESI
0F31B287|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B289|.FF50 58 CALL DWORD PTR DS:
0F31B28C|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B292|.99 CDQ
0F31B293|.2BC2 SUB EAX, EDX
0F31B295|.8BF0 MOV ESI, EAX
0F31B297|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B299|.D1FE SAR ESI, 1
0F31B29B|.FF52 40 CALL DWORD PTR DS:
0F31B29E|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B2A4|.8BF8 MOV EDI, EAX
0F31B2A6|.2BFE SUB EDI, ESI
0F31B2A8|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B2AA|.FF52 38 CALL DWORD PTR DS:
0F31B2AD|.BA 220E0000 MOV EDX, 0xE22
0F31B2B2|>03C7 ADD EAX, EDI
0F31B2B4|.50 PUSH EAX
0F31B2B5|.83EC 14 SUB ESP, 0x14
0F31B2B8|.8BCC MOV ECX, ESP
0F31B2BA|.E8 218A3A00 CALL 0F6C3CE0
0F31B2BF|.8BCB MOV ECX, EBX
0F31B2C1|.E8 4A5F0000 CALL 0F321210
0F31B2C6|.32DB XOR BL, BL
0F31B2C8|.E9 1C010000 JMP 0F31B3E9
0F31B2CD|>8BBB 60050000 MOV EDI, DWORD PTR DS:
0F31B2D3|.51 PUSH ECX
0F31B2D4|.8BCF MOV ECX, EDI
0F31B2D6|.68 D0070000 PUSH 0x7D0
0F31B2DB|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B2DD|.FF50 3C CALL DWORD PTR DS:
0F31B2E0|.8B17 MOV EDX, DWORD PTR DS:
0F31B2E2|.8BCF MOV ECX, EDI
0F31B2E4|.8BF0 MOV ESI, EAX
0F31B2E6|.FF52 44 CALL DWORD PTR DS:
0F31B2E9|.8B8B 64050000 MOV ECX, DWORD PTR DS:
0F31B2EF|.03F0 ADD ESI, EAX
0F31B2F1|.56 PUSH ESI
0F31B2F2|.8B01 MOV EAX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B2F4|.FF50 58 CALL DWORD PTR DS:
0F31B2F7|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B2FD|.99 CDQ
0F31B2FE|.2BC2 SUB EAX, EDX
0F31B300|.8BF0 MOV ESI, EAX
0F31B302|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B304|.D1FE SAR ESI, 1
0F31B306|.FF52 40 CALL DWORD PTR DS:
0F31B309|.8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B30F|.8BF8 MOV EDI, EAX
0F31B311|.2BFE SUB EDI, ESI
0F31B313|.8B11 MOV EDX, DWORD PTR DS: ;WeChatWi.102421E0
0F31B315|.FF52 38 CALL DWORD PTR DS:
0F31B318|.BA 21040000 MOV EDX, 0x421
0F31B31D|.^ EB 93 JMP SHORT 0F31B2B2
0F31B31F|>0F57C0 XORPS XMM0, XMM0
0F31B322|.C745 D8 00000>MOV , 0x0
0F31B329|.0F1145 C8 MOVUPS DQWORD PTR SS:, XMM0
0F31B32D|.8D45 C8 LEA EAX,
0F31B330|.C645 FC 01 MOV BYTE PTR SS:, 0x1
0F31B334|.8B8B 58050000 MOV ECX, DWORD PTR DS:
0F31B33A|.50 PUSH EAX
0F31B33B|.8D45 DC LEA EAX,
0F31B33E|.81C1 E0090000 ADD ECX, 0x9E0
0F31B344|.50 PUSH EAX
0F31B345|.E8 F6F2FEFF CALL 0F30A640
0F31B34A|.84C0 TEST AL, AL
0F31B34C|.75 51 JNZ SHORT 0F31B39F
0F31B34E|.8845 F3 MOV BYTE PTR SS:, AL
0F31B351|.8B45 C8 MOV EAX,
0F31B354|.85C0 TEST EAX, EAX
0F31B356|.74 06 JE SHORT 0F31B35E
0F31B358|.66:8338 00 CMP WORD PTR DS:, 0x0
0F31B35C|.75 05 JNZ SHORT 0F31B363
0F31B35E|>B8 083B2310 MOV EAX, 10233B08
0F31B363|>83EC 14 SUB ESP, 0x14
0F31B366|.8BCC MOV ECX, ESP
0F31B368|.8965 EC MOV , ESP
0F31B36B|.6A FF PUSH -0x1
0F31B36D|.50 PUSH EAX
0F31B36E|.E8 3D7A3A00 CALL 0F6C2DB0
0F31B373|.83EC 14 SUB ESP, 0x14
0F31B376|.C645 FC 02 MOV BYTE PTR SS:, 0x2
0F31B37A|.BA 0E040000 MOV EDX, 0x40E
0F31B37F|.8BCC MOV ECX, ESP
0F31B381|.E8 5A893A00 CALL 0F6C3CE0
0F31B386|.8A55 F3 MOV DL, BYTE PTR SS:
0F31B389|.C645 FC 01 MOV BYTE PTR SS:, 0x1
0F31B38D|.8B8B 5C050000 MOV ECX, DWORD PTR DS:
0F31B393|.E8 C8370300 CALL 0F34EB60
0F31B398|.83C4 28 ADD ESP, 0x28
0F31B39B|.32DB XOR BL, BL
0F31B39D|.EB 42 JMP SHORT 0F31B3E1
0F31B39F|>8B8B 60050000 MOV ECX, DWORD PTR DS:
0F31B3A5|.E8 C6D5FBFF CALL 0F2D8970
0F31B3AA|.8D45 DC LEA EAX,
0F31B3AD|.50 PUSH EAX
0F31B3AE|.E8 ED7F0000 CALL 0F3233A0 ;location of the call
eax comes from a local variable:
LEA EAX, DWORD PTR SS:
Set a breakpoint at the function entry and send another @-mention message.
http://att.125.la/data/attachment/forum/201903/05/044823vmtebmedzdhwy44h.jpg
0F31B1AF|.50 PUSH EAX
0F31B1B0|.E8 1BCFFBFF CALL 0F2D80D0 ;after this call, a structure appears at ebp-0x24
Follow into the call, set a breakpoint at its head, and resend the message. This call is fairly long, so just keep stepping over with F8 until the position shown in the screenshot, where you can see that a string of data has been built in edx containing the mentioned person's WeChat ID and nickname.
http://att.125.la/data/attachment/forum/201903/05/044829z23mwwo3a3slfat0.jpg
0F2D844A .C645 FC 08 MOV BYTE PTR SS:, 0x8
0F2D844E .50 PUSH EAX ;nickname
0F2D844F .8D8D 10FFFFFF LEA ECX, DWORD PTR SS: ;ecx: blank area
0F2D8455 .E8 B6AE3E00 CALL 0F6C3310 ;after the call, the blank area in ecx now holds the nickname structure
0F2D845A .8D85 D4FEFFFF LEA EAX, DWORD PTR SS:
0F2D8460 .50 PUSH EAX ;WeChat ID
0F2D8461 .8D8D 44FFFFFF LEA ECX, DWORD PTR SS: ;blank area
0F2D8467 .E8 74BDFBFF CALL 0F2941E0 ;after the call, the blank area holds a structure similar to the one in eax near the send call
0F2D846C .8D8D ACFEFFFF LEA ECX, DWORD PTR SS:
http://att.125.la/data/attachment/forum/201903/05/044835r0a1as1smsww180m.jpg
dd 0x2f617c0 confirms that it really is the WeChat ID. So it is clear now: this call is the one that builds the structure.
Let's extract the parameters.
eax is the WeChat ID structure, laid out as follows:
$ ==> >02F196E0UNICODE "这里是你的wxid"
$+4 >0000000E
$+8 >00000010
ecx is a buffer, i.e. just pass in a blank region; make sure it is at least 3*4 bytes long, and to be safe 5*4 bytes is better.
Once the structure is built, pass it as the eax value following the reference document at the start of the post, and you can @-mention people in the group!
So please bear with me. This still isn't perfect; ideally it would read the mentioned person's nickname and add it to the message content, which would make it complete.
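As an added example, not code from the original post, the following C program models the 12-byte string structure described above (+0 pointer to UTF-16 text, +4 length, +8 capacity) inside a simulated 32-bit memory image, builds one from a constructed placeholder wxid, prints it the way OllyDbg's dd command does, and then decodes and validates it again as one would when reading such a dump. The field names, the rule that the capacity is rounded up to a multiple of 8 code units, the sample wxid, and the addresses 0x10/0x40 are this example's assumptions; the post itself only gives the offsets and the values 0xE and 0x10.

```c
/* Added example, not code from the original post. It models the 12-byte
 * string structure (+0 pointer, +4 length, +8 capacity) inside a simulated
 * 32-bit memory image, builds one from a constructed placeholder wxid,
 * prints it like OllyDbg's dd, and decodes/validates it again.
 * Assumptions: +4 counts UTF-16 code units without the terminator, +8 is
 * the allocated size rounded up to 8 units; the field names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE   256   /* constructed memory image; addresses are offsets into it */
#define HDR_SIZE   12    /* +0 ptr, +4 len, +8 cap */
#define BUF_DWORDS 5     /* the post suggests a 5*4-byte zeroed buffer for ecx */

static uint8_t  img[IMG_SIZE];          /* simulated process memory */
static uint32_t ecx_buf[BUF_DWORDS];    /* the blank area that would be passed in ecx */
static uint16_t scratch[32];            /* decode target used by roundtrip_check */

static uint32_t rd32(const uint8_t *m, uint32_t a) {
    return (uint32_t)m[a] | (uint32_t)m[a + 1] << 8 |
           (uint32_t)m[a + 2] << 16 | (uint32_t)m[a + 3] << 24;
}
static void wr32(uint8_t *m, uint32_t a, uint32_t v) {
    m[a] = v & 0xFF; m[a + 1] = (v >> 8) & 0xFF;
    m[a + 2] = (v >> 16) & 0xFF; m[a + 3] = (v >> 24) & 0xFF;
}
static uint16_t rd16(const uint8_t *m, uint32_t a) {
    return (uint16_t)(m[a] | m[a + 1] << 8);
}
static void wr16(uint8_t *m, uint32_t a, uint16_t v) {
    m[a] = v & 0xFF; m[a + 1] = (v >> 8) & 0xFF;
}

/* Write the UTF-16 text at `data` (NUL-terminated) and the header at `hdr`.
 * Returns the length stored at +4, or -1 if either part does not fit. */
int build_wx_string(uint8_t *m, uint32_t hdr, uint32_t data,
                    const uint16_t *s, uint32_t n) {
    uint32_t cap = ((n + 1) + 7) / 8 * 8;   /* assumed rounding: 14 -> 16 */
    if (hdr > IMG_SIZE - HDR_SIZE || data > IMG_SIZE || 2 * cap > IMG_SIZE - data) return -1;
    for (uint32_t i = 0; i < n; i++) wr16(m, data + 2 * i, s[i]);
    wr16(m, data + 2 * n, 0);
    wr32(m, hdr + 0, data);
    wr32(m, hdr + 4, n);
    wr32(m, hdr + 8, cap);
    return (int)n;
}

/* Read a header back the way one reads a dd dump, refusing anything that is
 * not self-consistent: pointer outside the image, len > cap, or text not
 * NUL-terminated at len. Copies the text to `out` and returns len, else -1. */
int decode_wx_string(const uint8_t *m, uint32_t hdr, uint16_t *out, uint32_t outmax) {
    if (hdr > IMG_SIZE - HDR_SIZE) return -1;
    uint32_t p = rd32(m, hdr), len = rd32(m, hdr + 4), cap = rd32(m, hdr + 8);
    if (len > cap) return -1;
    if ((uint64_t)p + 2 * ((uint64_t)len + 1) > IMG_SIZE) return -1;
    if (rd16(m, p + 2 * len) != 0) return -1;
    if (len + 1 > outmax) return -1;
    for (uint32_t i = 0; i < len; i++) out[i] = rd16(m, p + 2 * i);
    out[len] = 0;
    return (int)len;
}

/* Print dwords four per line, like OllyDbg's `dd addr`. */
void dd(const uint8_t *m, uint32_t a, int ndwords) {
    for (int i = 0; i < ndwords; i++) {
        if (i % 4 == 0) printf("%s%08X ", i ? "\n" : "", a + 4 * i);
        printf("%08X ", rd32(m, a + 4 * i));
    }
    printf("\n");
}

/* Constructed placeholder, 14 code units so the header reads len=0xE, cap=0x10
 * like the dump in the post. Not a real account id. */
static const uint16_t sample_wxid[] = {'w','x','i','d','_','e','x','a','m','p','l','e','0','1'};
#define SAMPLE_LEN (sizeof sample_wxid / sizeof sample_wxid[0])

/* Build the sample into the image, decode it back and compare; returns the
 * decoded length (14 for the sample) or -1 on any mismatch. */
int roundtrip_check(void) {
    memset(img, 0, sizeof img);
    memset(ecx_buf, 0, sizeof ecx_buf);  /* blank region, as the post requires for ecx */
    if (build_wx_string(img, 0x10, 0x40, sample_wxid, SAMPLE_LEN) != (int)SAMPLE_LEN) return -1;
    int n = decode_wx_string(img, 0x10, scratch, 32);
    if (n != (int)SAMPLE_LEN) return -1;
    for (int i = 0; i < n; i++) if (scratch[i] != sample_wxid[i]) return -1;
    return n;
}

int main(void) {
    int n = roundtrip_check();
    dd(img, 0x10, 4);   /* header: ptr, len, cap, then padding */
    dd(img, 0x40, 8);   /* the UTF-16 text itself */
    printf("decoded %d code units, consistent=%d\n", n, n == (int)SAMPLE_LEN);
    return n == (int)SAMPLE_LEN ? 0 : 1;
}
```

The first dd line printed shows 00000040 0000000E 00000010, i.e. pointer, length and capacity in the same order as the $ / $+4 / $+8 lines above. The decode step rejects a header whose length exceeds its capacity or whose text is not terminated where +4 says it ends, which is the consistency check to apply when reading such a dump by hand.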
http://att.125.la/data/attachment/forum/201903/05/044841ij8k684lkj49yh1p.jpg
Research on sending video messages in the WeChat PC client
https://www.52pojie.cn/thread-887349-1-1.html
(Source: 吾爱破解论坛)
揰掵佲 posted on 2019-3-5 14:24:
I've actually been researching this for a long time; it's just that someone else posted some of it first, and it looked pretty good, so I'm trying to share as well.

I have a question about anti-recall that I'm not sure Master 虫子 can answer. From the seniors' examples I learned that the principle of recall is to replace the original message with "xx recalled a message", so putting a retn at the head of that function is enough. The problem is that you then don't know which message was recalled. So I'd like to ask Master 虫子: how can one keep the original message content unmodified but still get a notice that a recall was blocked? For example, change "xx recalled a message" to "recall of this message was blocked" while still showing the original content? I played with it all day today and still haven't figured it out; now I'm thinking of pulling out the call that refuses to send blank messages and popping up a notice there when a recall happens.

Hmily posted on 2019-3-5 10:20:
@plpplppl What do you mean by this comment? What tuition was collected?

This guy used to charge for teaching while not knowing it himself, fooling people into paying tuition; now that this kind of technical video is everywhere he has finally learned it, and comes here to push ads. Everything this guy posts has an agenda.

The images have all become hotlink-protected, bro.

Pzymmd9_ posted on 2019-3-5 03:55:
The images have all become hotlink-protected, bro.

What about now?

揰掵佲 posted on 2019-3-5 04:53:
What about now?

It's OK now.

You'll get your account banned within a few days.

Master 虫子 is researching WeChat too?

TX seems to be updating WeChat pretty fast these days.

Awesome, big shot; this newbie is in awe.

I want to research the iPad protocol; the PC client can't receive red packets... but I have someone else's packaged iPad protocol here and want to crack it and take a look.