This post was last edited by JackLSQ on 2022-9-21 12:41
Following on from the previous post on message anti-recall and multi-instance, I wanted to round out a few more features, and found that when I followed the approach in some online posts to locate the corresponding function call (for example the approach for locating the message receive call), the method no longer works. So here is a fairly general approach to finding calls.
The process of locating the message call will follow later.
One more thing: the 52pojie build of OD crashes and stops for no reason while debugging (not sure whether others hit the same problem); hopefully someone can fix it. I had to use x32dbg instead (it is in the site's toolkit). Usage is about the same as the 52pojie OD.
On to the main topic.
First you need a sense of the log output format. Typically a log line says in which year, month and day, at what time, what happened, so the format is roughly like this: (%d-%d-%d %d:%d:%d %s)
Next, search the main module for strings like that.
You can see that several have hit:
5FAC2725 | 68 A00D5661 | push wechatwin.61560DA0 | 61560DA0:L"%d-%d-%d-%s"
5FBB6E1A | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FDA02EF | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FDA0626 | 68 08625B61 | push wechatwin.615B6208 | 615B6208:"(%d-%d-%d:%d:%02d:%02d:%03d)\n"
5FDB63DB | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
609A5B52 | 68 18615B61 | push wechatwin.615B6118 | 615B6118:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:%s\n"
Open them one by one.
The first one:
5FAC2725 | 68 A00D5661 | push wechatwin.61560DA0 | 61560DA0:L"%d-%d-%d-%s"
5FAC272A | 57 | push edi |
5FAC272B | E8 10052E00 | call wechatwin.5FDA2C40 |
5FAC2730 | 83C4 18 | add esp,0x18 |
Click into that call.
It shows the following:
5FDA2C40 | 55 | push ebp |
5FDA2C41 | 8BEC | mov ebp,esp |
5FDA2C43 | B8 08200000 | mov eax,0x2008 |
5FDA2C48 | E8 13DE2901 | call wechatwin.61040A60 |
5FDA2C4D | A1 B4A28D61 | mov eax,dword ptr ds:[0x618DA2B4] | 618DA2B4:"凣疶"
5FDA2C52 | 33C5 | xor eax,ebp |
5FDA2C54 | 8945 FC | mov dword ptr ss:[ebp-0x4],eax |
5FDA2C57 | 56 | push esi |
5FDA2C58 | 57 | push edi |
5FDA2C59 | 8B7D 08 | mov edi,dword ptr ss:[ebp+0x8] |
5FDA2C5C | 8D85 F8DFFFFF | lea eax,dword ptr ss:[ebp-0x2008] |
5FDA2C62 | 68 00200000 | push 0x2000 |
5FDA2C67 | 6A 00 | push 0x0 |
5FDA2C69 | 50 | push eax |
5FDA2C6A | E8 51EE3401 | call wechatwin.610F1AC0 |
5FDA2C6F | 83C4 0C | add esp,0xC |
5FDA2C72 | 8D45 10 | lea eax,dword ptr ss:[ebp+0x10] |
5FDA2C75 | 50 | push eax |
5FDA2C76 | 6A 00 | push 0x0 |
5FDA2C78 | FF75 0C | push dword ptr ss:[ebp+0xC] |
5FDA2C7B | 8D85 F8DFFFFF | lea eax,dword ptr ss:[ebp-0x2008] |
5FDA2C81 | 68 00100000 | push 0x1000 |
5FDA2C86 | 50 | push eax |
5FDA2C87 | E8 F445E2FF | call wechatwin.5FBC7280 |
5FDA2C8C | 8BF0 | mov esi,eax |
5FDA2C8E | 83C4 14 | add esp,0x14 |
5FDA2C91 | 85F6 | test esi,esi |
5FDA2C93 | 79 06 | jns wechatwin.5FDA2C9B |
5FDA2C95 | 33C0 | xor eax,eax |
5FDA2C97 | 66:8945 F6 | mov word ptr ss:[ebp-0xA],ax |
5FDA2C9B | 6A FF | push 0xFFFFFFFF |
5FDA2C9D | 8D85 F8DFFFFF | lea eax,dword ptr ss:[ebp-0x2008] |
5FDA2CA3 | 8BCF | mov ecx,edi |
5FDA2CA5 | 50 | push eax |
5FDA2CA6 | E8 15F3FFFF | call wechatwin.5FDA1FC0 |
5FDA2CAB | 8B4D FC | mov ecx,dword ptr ss:[ebp-0x4] |
5FDA2CAE | 8BC6 | mov eax,esi |
5FDA2CB0 | 5F | pop edi |
5FDA2CB1 | 33CD | xor ecx,ebp |
5FDA2CB3 | 5E | pop esi |
5FDA2CB4 | E8 05CD2901 | call wechatwin.6103F9BE |
5FDA2CB9 | 8BE5 | mov esp,ebp |
5FDA2CBB | 5D | pop ebp |
5FDA2CBC | C3 | ret |
No meaningful strings here.
The second one:
5FBB6E1A | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FBB6E1F | 8D8424 B4110000 | lea eax,dword ptr ss:[esp+0x11B4] |
5FBB6E26 | 68 00010000 | push 0x100 |
5FBB6E2B | 50 | push eax |
5FBB6E2C | E8 DFE4EFFF | call wechatwin.5FAB5310 |
5FBB6E31 | 83C4 34 | add esp,0x34 |
Step into the call the same way.
Scrolling down, you come to this stretch of assembly:
5FAB5412 | 83EC 10 | sub esp,0x10 |
5FAB5415 | BA D8814A61 | mov edx,wechatwin.614A81D8 | 614A81D8:"D:\\Tools\\agent\\workspace\\MicroMsgWindowsV370\\MicroMsgWin\\04_base\\InstanceCounter.h"
5FAB541A | 8BC4 | mov eax,esp |
5FAB541C | B9 03000000 | mov ecx,0x3 |
5FAB5421 | 68 14814A61 | push wechatwin.614A8114 | 614A8114:"%s instance increase to %d"
5FAB5426 | 68 8C814A61 | push wechatwin.614A818C | 614A818C:"InstanceCounter"
5FAB542B | 68 B4FE5561 | push wechatwin.6155FEB4 | 6155FEB4:"InstanceCounter<class CustomEmotion,200>::onInstanceCreate"
5FAB5430 | 6A 32 | push 0x32 |
5FAB5432 | C600 02 | mov byte ptr ds:[eax],0x2 |
5FAB5435 | 8970 08 | mov dword ptr ds:[eax+0x8],esi |
5FAB5438 | E8 33AD2E00 | call <wechatwin.0x5FDA0170> |
5FAB543D | A1 3C179D61 | mov eax,dword ptr ds:[0x619D173C] |
5FAB5442 | 83C4 70 | add esp,0x70 |
Note that group of strings: several consecutive pushes followed by a call. That call is very likely the message log function being looked for.
To confirm whether it is, set a breakpoint on that call and debug.
Do the same for the remaining string addresses from the search and see whether similar strings show up.
Clearly several in a row have similar calls, so that call can be confirmed to be the log call.
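As an added illustration of the "several string pushes, then a call" heuristic (this is not code from the original post), the script below parses x32dbg-style listing rows copied from this page, collects the string literals pushed before each call, and counts how many such sites reach each call target; a target reached from several sites with a format/tag/function-name group is the log-function candidate. The listing text, the min_strings threshold and the helper names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Listing rows copied from the x32dbg dumps on this page (three call sites).
LISTING = """\
5FAB5421 | 68 14814A61 | push wechatwin.614A8114 | 614A8114:"%s instance increase to %d"
5FAB5426 | 68 8C814A61 | push wechatwin.614A818C | 614A818C:"InstanceCounter"
5FAB542B | 68 B4FE5561 | push wechatwin.6155FEB4 | 6155FEB4:"InstanceCounter<class CustomEmotion,200>::onInstanceCreate"
5FAB5430 | 6A 32 | push 0x32 |
5FAB5432 | C600 02 | mov byte ptr ds:[eax],0x2 |
5FAB5435 | 8970 08 | mov dword ptr ds:[eax+0x8],esi |
5FAB5438 | E8 33AD2E00 | call <wechatwin.0x5FDA0170> |
5FDA02EF | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FDA02F4 | 8D8424 AC110000 | lea eax,dword ptr ss:[esp+0x11AC] |
5FDA02FB | 68 00010000 | push 0x100 |
5FDA0300 | 50 | push eax |
5FDA0301 | E8 0A50D1FF | call wechatwin.5FAB5310 |
5FDA03AB | 68 AC615B61 | push wechatwin.615B61AC | 615B61AC:"MMPC_"
5FDA03B0 | 68 E4105B61 | push wechatwin.615B10E4 | 615B10E4:"%s%s"
5FDA03B5 | 6A 40 | push 0x40 |
5FDA03B7 | 50 | push eax |
5FDA03B8 | E8 534FD1FF | call wechatwin.5FAB5310 |
"""

# One listing row: address | bytes | instruction | comment
LINE_RE = re.compile(r'^([0-9A-F]{8}) \| [0-9A-F ]+ \| (.+?) \|(.*)$')
# x32dbg comment on a string push, e.g. 614A818C:"InstanceCounter" or ...:L"%d-%d"
STR_RE = re.compile(r'[0-9A-F]{8}:L?"(.*)"\s*$')
ADDR_RE = re.compile(r'[0-9A-F]{8}')

def parse_listing(text):
    """Yield (address, instruction, comment) for every well-formed row."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip(), m.group(3).strip()

def find_string_call_sites(text, min_strings=2):
    """Map call target -> [(call address, [strings pushed before it]), ...].

    Strings accumulate across pushes and every call consumes them, so a call
    preceded by fewer than min_strings string pushes is simply dropped.
    """
    sites = defaultdict(list)
    pending = []
    for addr, instr, comment in parse_listing(text):
        mnemonic, _, operand = instr.partition(' ')
        if mnemonic == 'push':
            m = STR_RE.search(comment)
            if m:
                pending.append(m.group(1))
        elif mnemonic == 'call':
            m = ADDR_RE.search(operand)  # 'wechatwin.5FAB5310' or '<wechatwin.0x5FDA0170>'
            target = m.group(0) if m else operand
            if len(pending) >= min_strings:
                sites[target].append((addr, pending))
            pending = []
    return dict(sites)

def rank_targets(sites):
    """Call targets ordered by how many qualifying sites reach them."""
    return sorted(sites, key=lambda t: len(sites[t]), reverse=True)

if __name__ == '__main__':
    found = find_string_call_sites(LISTING, min_strings=1)
    for target in rank_targets(found):
        print(target, [(addr, len(strs)) for addr, strs in found[target]])
```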
Step into that call.
The call's assembly is as follows:
5FDA0170 | 55 | push ebp | logMessage
5FDA0171 | 8BEC | mov ebp,esp |
5FDA0173 | 83E4 F8 | and esp,0xFFFFFFF8 |
5FDA0176 | B8 7C120000 | mov eax,0x127C |
5FDA017B | E8 E0082A01 | call wechatwin.61040A60 |
5FDA0180 | A1 B4A28D61 | mov eax,dword ptr ds:[0x618DA2B4] | 618DA2B4:"凣疶"
5FDA0185 | 33C4 | xor eax,esp |
5FDA0187 | 898424 78120000 | mov dword ptr ss:[esp+0x1278],eax |
5FDA018E | 8B45 0C | mov eax,dword ptr ss:[ebp+0xC] |
5FDA0191 | 53 | push ebx |
5FDA0192 | 8B5D 10 | mov ebx,dword ptr ss:[ebp+0x10] |
5FDA0195 | 56 | push esi |
5FDA0196 | 8B75 14 | mov esi,dword ptr ss:[ebp+0x14] |
5FDA0199 | 57 | push edi |
5FDA019A | 8BF9 | mov edi,ecx |
5FDA019C | 895424 10 | mov dword ptr ss:[esp+0x10],edx |
5FDA01A0 | 57 | push edi |
5FDA01A1 | 894424 18 | mov dword ptr ss:[esp+0x18],eax |
5FDA01A5 | E8 06A8ED00 | call wechatwin.60C7A9B0 |
5FDA01AA | 83C4 04 | add esp,0x4 |
5FDA01AD | 85C0 | test eax,eax |
5FDA01AF | 0F84 83020000 | je wechatwin.5FDA0438 |
5FDA01B5 | 8D8424 78100000 | lea eax,dword ptr ss:[esp+0x1078] |
5FDA01BC | B9 06000000 | mov ecx,0x6 |
5FDA01C1 | C600 FF | mov byte ptr ds:[eax],0xFF |
5FDA01C4 | 8D40 10 | lea eax,dword ptr ds:[eax+0x10] |
5FDA01C7 | 83E9 01 | sub ecx,0x1 |
5FDA01CA | 75 F5 | jne wechatwin.5FDA01C1 |
5FDA01CC | 0F1045 18 | movups xmm0,xmmword ptr ss:[ebp+0x18] |
5FDA01D0 | 8D4424 74 | lea eax,dword ptr ss:[esp+0x74] |
5FDA01D4 | 884C24 74 | mov byte ptr ss:[esp+0x74],cl |
5FDA01D8 | 894424 68 | mov dword ptr ss:[esp+0x68],eax |
5FDA01DC | 33C0 | xor eax,eax |
5FDA01DE | 0F118424 E0100000 | movups xmmword ptr ss:[esp+0x10E0],xmm0 |
5FDA01E6 | 894C24 6C | mov dword ptr ss:[esp+0x6C],ecx |
5FDA01EA | 33D2 | xor edx,edx |
5FDA01EC | 0F1045 28 | movups xmm0,xmmword ptr ss:[ebp+0x28] |
5FDA01F0 | 898C24 D8100000 | mov dword ptr ss:[esp+0x10D8],ecx |
5FDA01F7 | 8D8C24 E0100000 | lea ecx,dword ptr ss:[esp+0x10E0] |
5FDA01FE | C74424 70 00100000 | mov dword ptr ss:[esp+0x70],0x1000 |
5FDA0206 | 0F118424 F0100000 | movups xmmword ptr ss:[esp+0x10F0],xmm0 |
5FDA020E | 898424 DC100000 | mov dword ptr ss:[esp+0x10DC],eax |
5FDA0215 | 0F1045 38 | movups xmm0,xmmword ptr ss:[ebp+0x38] |
5FDA0219 | 0F118424 00110000 | movups xmmword ptr ss:[esp+0x1100],xmm0 |
5FDA0221 | 0F1045 48 | movups xmm0,xmmword ptr ss:[ebp+0x48] |
5FDA0225 | 0F118424 10110000 | movups xmmword ptr ss:[esp+0x1110],xmm0 |
5FDA022D | 0F1045 58 | movups xmm0,xmmword ptr ss:[ebp+0x58] |
5FDA0231 | 0F118424 20110000 | movups xmmword ptr ss:[esp+0x1120],xmm0 |
5FDA0239 | 0F1045 68 | movups xmm0,xmmword ptr ss:[ebp+0x68] |
5FDA023D | 0F118424 30110000 | movups xmmword ptr ss:[esp+0x1130],xmm0 |
5FDA0245 | 8039 FF | cmp byte ptr ds:[ecx],0xFF |
5FDA0248 | 74 25 | je wechatwin.5FDA026F |
5FDA024A | 0F1001 | movups xmm0,xmmword ptr ds:[ecx] |
5FDA024D | 03C0 | add eax,eax |
5FDA024F | 42 | inc edx |
5FDA0250 | 83C1 10 | add ecx,0x10 |
5FDA0253 | 0F1184C4 78100000 | movups xmmword ptr ss:[esp+eax*8+0x1078],xmm0 |
5FDA025B | 8B8424 DC100000 | mov eax,dword ptr ss:[esp+0x10DC] |
5FDA0262 | 40 | inc eax |
5FDA0263 | 898424 DC100000 | mov dword ptr ss:[esp+0x10DC],eax |
5FDA026A | 83FA 06 | cmp edx,0x6 |
5FDA026D | 7C D6 | jl wechatwin.5FDA0245 |
5FDA026F | 56 | push esi |
5FDA0270 | 8D4C24 6C | lea ecx,dword ptr ss:[esp+0x6C] |
5FDA0274 | E8 D7F9FFFF | call wechatwin.5FD9FC50 |
5FDA0279 | 6A 01 | push 0x1 |
5FDA027B | 8D4C24 6C | lea ecx,dword ptr ss:[esp+0x6C] |
5FDA027F | E8 DCF6FFFF | call wechatwin.5FD9F960 |
5FDA0284 | 8B4C24 6C | mov ecx,dword ptr ss:[esp+0x6C] |
5FDA0288 | 8B4424 68 | mov eax,dword ptr ss:[esp+0x68] |
5FDA028C | C60401 0A | mov byte ptr ds:[ecx+eax],0xA | A:'\n'
5FDA0290 | 8D4424 58 | lea eax,dword ptr ss:[esp+0x58] |
5FDA0294 | FF4424 6C | inc dword ptr ss:[esp+0x6C] |
5FDA0298 | 50 | push eax |
5FDA0299 | FF15 00A33161 | call dword ptr ds:[<&GetLocalTime>] |
5FDA029F | B8 67666666 | mov eax,0x66666667 |
5FDA02A4 | 8BCF | mov ecx,edi |
5FDA02A6 | F7EF | imul edi |
5FDA02A8 | 53 | push ebx |
5FDA02A9 | D1FA | sar edx,0x1 |
5FDA02AB | 8BC2 | mov eax,edx |
5FDA02AD | C1E8 1F | shr eax,0x1F |
5FDA02B0 | 03C2 | add eax,edx |
5FDA02B2 | 8D0480 | lea eax,dword ptr ds:[eax+eax*4] |
5FDA02B5 | 2BC8 | sub ecx,eax |
5FDA02B7 | FF348D D0625B61 | push dword ptr ds:[ecx*4+0x615B62D0] |
5FDA02BE | FF15 44A33161 | call dword ptr ds:[<&GetCurrentThreadId>] |
5FDA02C4 | 50 | push eax |
5FDA02C5 | 0FB74424 72 | movzx eax,word ptr ss:[esp+0x72] |
5FDA02CA | 50 | push eax |
5FDA02CB | 0FB74424 74 | movzx eax,word ptr ss:[esp+0x74] |
5FDA02D0 | 50 | push eax |
5FDA02D1 | 0FB74424 76 | movzx eax,word ptr ss:[esp+0x76] |
5FDA02D6 | 50 | push eax |
5FDA02D7 | 0FB74424 78 | movzx eax,word ptr ss:[esp+0x78] |
5FDA02DC | 50 | push eax |
5FDA02DD | 0FB74424 7A | movzx eax,word ptr ss:[esp+0x7A] |
5FDA02E2 | 50 | push eax |
5FDA02E3 | 0FB74424 7A | movzx eax,word ptr ss:[esp+0x7A] |
5FDA02E8 | 50 | push eax |
5FDA02E9 | 0FB74424 7C | movzx eax,word ptr ss:[esp+0x7C] |
5FDA02EE | 50 | push eax |
5FDA02EF | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FDA02F4 | 8D8424 AC110000 | lea eax,dword ptr ss:[esp+0x11AC] |
5FDA02FB | 68 00010000 | push 0x100 |
5FDA0300 | 50 | push eax |
5FDA0301 | E8 0A50D1FF | call wechatwin.5FAB5310 |
5FDA0306 | 83C4 34 | add esp,0x34 |
5FDA0309 | 80BC24 80110000 00 | cmp byte ptr ss:[esp+0x1180],0x0 |
5FDA0311 | 74 5D | je wechatwin.5FDA0370 |
5FDA0313 | 8DB424 80110000 | lea esi,dword ptr ss:[esp+0x1180] |
5FDA031A | 8D4E 01 | lea ecx,dword ptr ds:[esi+0x1] |
5FDA031D | 0F1F00 | nop dword ptr ds:[eax],eax |
5FDA0320 | 8A06 | mov al,byte ptr ds:[esi] |
5FDA0322 | 46 | inc esi |
5FDA0323 | 84C0 | test al,al |
5FDA0325 | 75 F9 | jne wechatwin.5FDA0320 |
5FDA0327 | 2BF1 | sub esi,ecx |
5FDA0329 | 8D4C24 68 | lea ecx,dword ptr ss:[esp+0x68] |
5FDA032D | 56 | push esi |
5FDA032E | E8 2DF6FFFF | call wechatwin.5FD9F960 |
5FDA0333 | 8B4424 6C | mov eax,dword ptr ss:[esp+0x6C] |
5FDA0337 | 40 | inc eax |
5FDA0338 | 50 | push eax |
5FDA0339 | 8B4424 6C | mov eax,dword ptr ss:[esp+0x6C] |
5FDA033D | 50 | push eax |
5FDA033E | 03C6 | add eax,esi |
5FDA0340 | 50 | push eax |
5FDA0341 | E8 DA183501 | call wechatwin.610F1C20 |
5FDA0346 | 83C4 0C | add esp,0xC |
5FDA0349 | 8D8424 80110000 | lea eax,dword ptr ss:[esp+0x1180] |
5FDA0350 | 56 | push esi |
5FDA0351 | 50 | push eax |
5FDA0352 | FF7424 70 | push dword ptr ss:[esp+0x70] |
5FDA0356 | E8 C5183501 | call wechatwin.610F1C20 |
5FDA035B | 8B4424 78 | mov eax,dword ptr ss:[esp+0x78] |
5FDA035F | 83C4 0C | add esp,0xC |
5FDA0362 | 8B4C24 68 | mov ecx,dword ptr ss:[esp+0x68] |
5FDA0366 | 03C6 | add eax,esi |
5FDA0368 | 894424 6C | mov dword ptr ss:[esp+0x6C],eax |
5FDA036C | 03F1 | add esi,ecx |
5FDA036E | EB 0A | jmp wechatwin.5FDA037A |
5FDA0370 | 8B4424 6C | mov eax,dword ptr ss:[esp+0x6C] |
5FDA0374 | 33F6 | xor esi,esi |
5FDA0376 | 8B4C24 68 | mov ecx,dword ptr ss:[esp+0x68] |
5FDA037A | 833D 086C9961 00 | cmp dword ptr ds:[0x61996C08],0x0 |
5FDA0381 | C60408 00 | mov byte ptr ds:[eax+ecx],0x0 |
5FDA0385 | 0F84 98000000 | je wechatwin.5FDA0423 |
5FDA038B | 6A 40 | push 0x40 |
5FDA038D | 8D8424 44110000 | lea eax,dword ptr ss:[esp+0x1144] |
5FDA0394 | 897C24 1C | mov dword ptr ss:[esp+0x1C],edi |
5FDA0398 | 6A 00 | push 0x0 |
5FDA039A | 50 | push eax |
5FDA039B | E8 20173501 | call wechatwin.610F1AC0 |
5FDA03A0 | 83C4 0C | add esp,0xC |
5FDA03A3 | 8D8424 40110000 | lea eax,dword ptr ss:[esp+0x1140] |
5FDA03AA | 53 | push ebx |
5FDA03AB | 68 AC615B61 | push wechatwin.615B61AC | 615B61AC:"MMPC_"
5FDA03B0 | 68 E4105B61 | push wechatwin.615B10E4 | 615B10E4:"%s%s"
5FDA03B5 | 6A 40 | push 0x40 |
5FDA03B7 | 50 | push eax |
5FDA03B8 | E8 534FD1FF | call wechatwin.5FAB5310 |
5FDA03BD | 8D8424 54110000 | lea eax,dword ptr ss:[esp+0x1154] |
5FDA03C4 | 83C4 14 | add esp,0x14 |
5FDA03C7 | 894424 1C | mov dword ptr ss:[esp+0x1C],eax |
5FDA03CB | 8B4424 10 | mov eax,dword ptr ss:[esp+0x10] |
5FDA03CF | 894424 20 | mov dword ptr ss:[esp+0x20],eax |
5FDA03D3 | 8B4424 14 | mov eax,dword ptr ss:[esp+0x14] |
5FDA03D7 | 894424 24 | mov dword ptr ss:[esp+0x24],eax |
5FDA03DB | 8B45 08 | mov eax,dword ptr ss:[ebp+0x8] |
5FDA03DE | 894424 28 | mov dword ptr ss:[esp+0x28],eax |
5FDA03E2 | 8D4424 2C | lea eax,dword ptr ss:[esp+0x2C] |
5FDA03E6 | 6A 00 | push 0x0 |
5FDA03E8 | 50 | push eax |
5FDA03E9 | E8 3237EE00 | call wechatwin.60C83B20 |
5FDA03EE | E8 8D38EE00 | call wechatwin.60C83C80 |
5FDA03F3 | 894424 40 | mov dword ptr ss:[esp+0x40],eax |
5FDA03F7 | 895424 44 | mov dword ptr ss:[esp+0x44],edx |
5FDA03FB | E8 F038EE00 | call wechatwin.60C83CF0 |
5FDA0400 | 894424 48 | mov dword ptr ss:[esp+0x48],eax |
5FDA0404 | 895424 4C | mov dword ptr ss:[esp+0x4C],edx |
5FDA0408 | E8 6338EE00 | call wechatwin.60C83C70 |
5FDA040D | 894424 50 | mov dword ptr ss:[esp+0x50],eax |
5FDA0411 | 8D4424 20 | lea eax,dword ptr ss:[esp+0x20] |
5FDA0415 | 56 | push esi |
5FDA0416 | 50 | push eax |
5FDA0417 | 895424 5C | mov dword ptr ss:[esp+0x5C],edx |
5FDA041B | E8 F0A5ED00 | call wechatwin.60C7AA10 |
5FDA0420 | 83C4 10 | add esp,0x10 |
5FDA0423 | 8B4424 68 | mov eax,dword ptr ss:[esp+0x68] |
5FDA0427 | 8D4C24 74 | lea ecx,dword ptr ss:[esp+0x74] |
5FDA042B | 3BC1 | cmp eax,ecx |
5FDA042D | 74 09 | je wechatwin.5FDA0438 |
5FDA042F | 50 | push eax |
5FDA0430 | E8 E0B73501 | call wechatwin.610FBC15 |
5FDA0435 | 83C4 04 | add esp,0x4 |
5FDA0438 | 8B8C24 84120000 | mov ecx,dword ptr ss:[esp+0x1284] |
5FDA043F | 5F | pop edi |
5FDA0440 | 5E | pop esi |
5FDA0441 | 5B | pop ebx |
5FDA0442 | 33CC | xor ecx,esp |
5FDA0444 | E8 75F52901 | call wechatwin.6103F9BE |
5FDA0449 | 8BE5 | mov esp,ebp |
5FDA044B | 5D | pop ebp |
5FDA044C | C3 | ret |
As a final confirmation, you can see that this call invokes GetLocalTime() and GetCurrentThreadId(). This is clearly the place.
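Added check, not from the original post: the tracker below replays the pushes between GetLocalTime and the formatting call, copied from the listing above, keeping a running esp delta so that each movzx eax,word ptr ss:[esp+...] can be mapped back to a field of the SYSTEMTIME that GetLocalTime filled in at esp+0x58. That pairs every conversion in "(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:" with its argument and checks the add esp,0x34 cleanup against the bytes pushed. The helper names and the esp0 notation are this example's own.

```python
import re

# SYSTEMTIME from winbase.h: eight WORDs (16 bytes), filled in by GetLocalTime.
SYSTEMTIME = {0: 'wYear', 2: 'wMonth', 4: 'wDayOfWeek', 6: 'wDay',
              8: 'wHour', 10: 'wMinute', 12: 'wSecond', 14: 'wMilliseconds'}
ST_OFF = 0x58  # lea eax,[esp+0x58] was the pointer handed to GetLocalTime

# Rows copied from the logMessage listing above, after GetLocalTime returned
# (stdcall, so esp is back at the value called esp0 here); pure arithmetic rows
# that touch neither the stack nor a pushed eax are left out.
LISTING = """\
5FDA02A8 | 53 | push ebx |
5FDA02B7 | FF348D D0625B61 | push dword ptr ds:[ecx*4+0x615B62D0] |
5FDA02BE | FF15 44A33161 | call dword ptr ds:[<&GetCurrentThreadId>] |
5FDA02C4 | 50 | push eax |
5FDA02C5 | 0FB74424 72 | movzx eax,word ptr ss:[esp+0x72] |
5FDA02CA | 50 | push eax |
5FDA02CB | 0FB74424 74 | movzx eax,word ptr ss:[esp+0x74] |
5FDA02D0 | 50 | push eax |
5FDA02D1 | 0FB74424 76 | movzx eax,word ptr ss:[esp+0x76] |
5FDA02D6 | 50 | push eax |
5FDA02D7 | 0FB74424 78 | movzx eax,word ptr ss:[esp+0x78] |
5FDA02DC | 50 | push eax |
5FDA02DD | 0FB74424 7A | movzx eax,word ptr ss:[esp+0x7A] |
5FDA02E2 | 50 | push eax |
5FDA02E3 | 0FB74424 7A | movzx eax,word ptr ss:[esp+0x7A] |
5FDA02E8 | 50 | push eax |
5FDA02E9 | 0FB74424 7C | movzx eax,word ptr ss:[esp+0x7C] |
5FDA02EE | 50 | push eax |
5FDA02EF | 68 DC615B61 | push wechatwin.615B61DC | 615B61DC:"(%d-%d-%d:%d:%02d:%02d:%03d %05d)-%s/%s:"
5FDA02F4 | 8D8424 AC110000 | lea eax,dword ptr ss:[esp+0x11AC] |
5FDA02FB | 68 00010000 | push 0x100 |
5FDA0300 | 50 | push eax |
5FDA0301 | E8 0A50D1FF | call wechatwin.5FAB5310 |
5FDA0306 | 83C4 34 | add esp,0x34 |
"""

LINE_RE = re.compile(r'^[0-9A-F]{8} \| [0-9A-F ]+ \| (.+?) \|(.*)$')
ESP_RD = re.compile(r'^(movzx|lea) eax,\w+ ptr ss:\[esp\+0x([0-9A-F]+)\]$')
STR_RE = re.compile(r'[0-9A-F]{8}:L?"(.*)"\s*$')
SPEC_RE = re.compile(r'%[0-9]*[dsu]')

def recover_args(listing, st_off=ST_OFF):
    """Return (arguments in C order, bytes pushed, bytes cleaned by add esp)."""
    delta, pushes, eax, args, cleanup = 0, [], '?', None, None
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        instr, comment = m.group(1).strip(), m.group(2)
        mnem, _, operand = instr.partition(' ')
        rd = ESP_RD.match(instr)
        if rd:  # [esp+X] read now is esp0 + X + delta; name it if it is a SYSTEMTIME field
            off = int(rd.group(2), 16) + delta
            field = SYSTEMTIME.get(off - st_off)
            eax = field if rd.group(1) == 'movzx' and field else f'esp0+0x{off:X}'
        elif mnem == 'push':
            s = STR_RE.search(comment)
            pushes.append(eax if operand == 'eax' else f'"{s.group(1)}"' if s else operand)
            delta -= 4
        elif mnem == 'call' and 'GetCurrentThreadId' in operand:
            eax = 'GetCurrentThreadId()'  # stdcall with no arguments: esp unchanged
        elif mnem == 'call':
            args = pushes[::-1]  # last value pushed is the first C argument
        elif mnem == 'add' and operand.startswith('esp,'):
            cleanup = int(operand.split(',')[1], 16)
    return args, -delta, cleanup

def map_format(args):
    """Pair every conversion of the format string (3rd argument) with its argument."""
    return list(zip(SPEC_RE.findall(args[2].strip('"')), args[3:]))
```

Running recover_args(LISTING) shows the buffer at esp0+0x1180 (the byte the later cmp tests), the size 0x100, the format, then year/month/day/hour/minute/second/milliseconds, the thread id, the table entry selected by ecx and the string in ebx, with 13 arguments matching the 0x34 bytes cleaned.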
Note that the log function is called very frequently, so the debugger may crash while debugging. Just retry a few times.
Next is finding a suitable place to hook, writing the hook code as a DLL and injecting it into the exe. It can also be written into the PE. Combined with the DebugView tool (open source on GitHub), you can then see the log messages as they are output.
So how do you locate the message call you want from the log messages? Look forward to the next article. That is it for today's analysis.
Continuing from the last post on how to locate WeChat's log message function, today is about how to use the log to locate a particular message call.
This time the message receive function is the example; other functions are much the same.
Tools used: x32dbg, DebugView++, CE (used to inspect the complete data)
Based on version 3.7.0.30
Steps: open WeChat and log in, inject the log hook DLL, then start DebugView.
First clear the log messages. Once the log has settled down, use another WeChat account to send a message to the account logged in on the PC, then immediately pause log capture. This is where you take the received log and
Below is an excerpt of the captured log messages:
0.000000 2022/09/20 23:03:30.480 0 DebugView++.exe File Identification Header, DebugView++ Format Version 1
0.000000 2022/09/20 23:02:04.852 11964 WeChat.exe WxLogs: RangeInfo MultiMsgSearchMgr Range : Start Index : %d, Start Id : %d endId %d, End Index : %d, StartId : %d EndId %d--FTSThreadHelper--FTSThreadHelper::GetMultiDBMsgListToJobList
0.000100 2022/09/20 23:02:04.852 11964 WeChat.exe WxLogs: RangeInfo FTSMultiDBMsgMgr Range : Start Index : %d, Start Id : %d endId %d, End Index : %d, StartId : %d EndId %d--FTSThreadHelper--FTSThreadHelper::GetMultiDBMsgListToJobList
0.000281 2022/09/20 23:02:04.852 11964 WeChat.exe WxLogs: %s Current Sql : %s--ChatCRMsgStorage--PrepareStmt
0.000874 2022/09/20 23:02:04.853 11964 WeChat.exe WxLogs: mCRMSearchMsgOnly now start id: %d , now end id %d , last get start id %d ,last get end id %d--FTSThreadHelper--FTSThreadHelper::GetMsgListToJobList
5.595504 2022/09/20 23:02:10.447 11964 WeChat.exe WxLogs: onNotify seq:%d cmd:%d--WinMarsMgr--WinMarsMgr::OnPush
5.595611 2022/09/20 23:02:10.447 11964 WeChat.exe WxLogs: last time: %d, now time: %d, diff: %d, switch: %d--SyncMgr--SyncMgr::doSync
5.595674 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: new NetSceneSync (id:%d)--NetSceneSync--NetSceneSync::NetSceneSync
5.595720 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: goDoScene(id:%d) is_accumlated: %d--NetSceneSync--NetSceneSync::goDoScene
5.595799 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: req syncKey md5: %s bufferlen = %d--NetSceneSync--NetSceneSync::goDoScene
5.595883 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: NetSceneSync id:%d New start--NetSceneSync--NetSceneSync::goDoScene
5.595967 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: in send %s(id:%d)--NetSceneBase--NetSceneBase::send
5.596253 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: current sync count: %d--NetSceneSync--NetSceneSync::goDoScene
5.596581 2022/09/20 23:02:10.448 11964 WeChat.exe WxLogs: encode--NetSceneBase--NetSceneBase::encodeReqBuf
5.597144 2022/09/20 23:02:10.449 11964 WeChat.exe WxLogs: out %s::req2Buf size:%d, id:%d--NetSceneNoBaseEx--NetSceneNoBaseEx<class micromsg::NewSyncRequest,class micromsg::NewSyncResponse>::req2Buf
5.679595 2022/09/20 23:02:10.531 11964 WeChat.exe WxLogs: out %s::buf2Resp id:%d--NetSceneBaseEx--NetSceneNoBaseEx<class micromsg::NewSyncRequest,class micromsg::NewSyncResponse>::buf2Resp
5.679955 2022/09/20 23:02:10.532 11964 WeChat.exe WxLogs: onGYNetEnd sceneID:%d errType:%d errCode:%d--WinMarsMgr--WinMarsMgr::OnTaskEnd
5.680297 2022/09/20 23:02:10.532 11964 WeChat.exe WxLogs: onGYNetEnd(NetSceneSync id:%d timecost: %d,errType:%d, errCode:%d)--NetSceneSync--NetSceneSync::onGYNetEnd
5.680710 2022/09/20 23:02:10.532 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.681084 2022/09/20 23:02:10.533 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.681385 2022/09/20 23:02:10.533 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.681591 2022/09/20 23:02:10.533 11964 WeChat.exe WxLogs: saveUInfo mergeKey Buf md5: %s--NetSceneSync--NetSceneSync::saveUserInfo
5.681824 2022/09/20 23:02:10.534 11964 WeChat.exe WxLogs: NetSceneSync id: %d recv msg count: %d, total count: %d--NetSceneSync--NetSceneSync::onGYNetEnd
5.682480 2022/09/20 23:02:10.534 11964 WeChat.exe WxLogs: Do Sns SYNC--SyncMgr--SyncMgr::ProcessSyncSelector
5.682918 2022/09/20 23:02:10.535 11964 WeChat.exe WxLogs: NetSceneSync id:%d sync finish--NetSceneSync--NetSceneSync::onGYNetEnd
5.683189 2022/09/20 23:02:10.535 11964 WeChat.exe WxLogs: Start Sns Sync--SnsSyncMgr--SnsSyncMgr::DoSnsSync
5.683373 2022/09/20 23:02:10.535 11964 WeChat.exe WxLogs: new (id:%d)--NetSceneSnsSync--NetSceneSnsSync::NetSceneSnsSync
5.683544 2022/09/20 23:02:10.535 11964 WeChat.exe WxLogs: doSceneImpl(seqid:%d)--NetSceneSnsSync--NetSceneSnsSync::DoScene
5.683730 2022/09/20 23:02:10.535 11964 WeChat.exe WxLogs: in send %s(id:%d)--NetSceneBase--NetSceneBase::send
5.684253 2022/09/20 23:02:10.536 11964 WeChat.exe WxLogs: net scene sync success. sync id: %d, accumulation: %d, sync ccount: %s --SyncMgr--SyncMgr::eventProc
5.684608 2022/09/20 23:02:10.536 11964 WeChat.exe WxLogs: %s Current Sql : %s--MSG0.db MultiDBMsgStorage--MultiDBMsgStorage::getListDescBySequence
5.685180 2022/09/20 23:02:10.537 11964 WeChat.exe WxLogs: encode--NetSceneBase--NetSceneBase::encodeReqBuf
5.685652 2022/09/20 23:02:10.537 11964 WeChat.exe WxLogs: doAddMsg srvid: %d, msgtyp: %d,cTime:%u,msgseq: %d--SyncMgr--SyncMgr::doAddMsg
5.685712 2022/09/20 23:02:10.537 11964 WeChat.exe WxLogs: msg acctype %d--SyncMgr--SyncMgr::doAddMsg
5.685735 2022/09/20 23:02:10.537 11964 WeChat.exe WxLogs: out %s::req2Buf size:%d, id:%d--NetSceneBaseEx--NetSceneBaseEx<class micromsg::SnsSyncRequest,class micromsg::SnsSyncResponse>::req2Buf
5.685769 2022/09/20 23:02:10.537 11964 WeChat.exe WxLogs: NetSceneSync id addMsgListToDB count = %d--SyncMgr--SyncMgr::addMsgListToDB
5.685838 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: %s Current Sql : %s--MSG0.db MultiDBMsgStorage--PrepareStmt
5.686010 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: %s--pageMonitor--StorageBase::logPageMonitorInfo
5.686043 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: iPageTotal=%d, iPageFree=%d, iPageTableWrite=%d, iPageIndexWrite=%d,iPageOverflowWrite=%d,TimeConsuming = %d--pageMonitor--StorageBase::logPageMonitorInfo
5.686072 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: iPageTableRead=%d, iPageIndexRead=%d, iPageOverflowRead=%d--pageMonitor--StorageBase::logPageMonitorInfo
5.686100 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: Page Accsess statistics: cacheHit=%d, access1-4=%d, access4-8=%d, access>8=%d--pageMonitor--StorageBase::logPageMonitorInfo
5.686130 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: Page Accsess statistics: totalWrite=%d,totalRead=%d,totalTrans=%d--pageMonitor--StorageBase::logPageMonitorInfo
5.686507 2022/09/20 23:02:10.538 11964 WeChat.exe WxLogs: %s Current Sql : %s--MSG0.db MultiDBMsgStorage--PrepareStmt
5.687006 2022/09/20 23:02:10.539 11964 WeChat.exe WxLogs: %s--MultiDBMsgMgr--MultiDBMsgMgr::AddFilteredMsgList
5.692128 2022/09/20 23:02:10.544 11964 WeChat.exe WxLogs: no sessions in group box--SessionListModel--SessionListModel::ShowGroupBox
5.693921 2022/09/20 23:02:10.546 11964 WeChat.exe WxLogs: RefreshSessionGroipVoipStatus, name %s status %d--SessionListItemUI--SessionListItemUI::RefreshSessionGroipVoipStatus
5.886836 2022/09/20 23:02:10.739 11964 WeChat.exe WxLogs: out %s::buf2Resp unpackSize: %d, id:%d--NetSceneBaseEx--NetSceneBaseEx<class micromsg::SnsSyncRequest,class micromsg::SnsSyncResponse>::buf2Resp
5.887095 2022/09/20 23:02:10.739 11964 WeChat.exe WxLogs: onGYNetEnd sceneID:%d errType:%d errCode:%d--WinMarsMgr--WinMarsMgr::OnTaskEnd
5.887772 2022/09/20 23:02:10.739 11964 WeChat.exe WxLogs: onGYNetEnd(errType:%d, errCode:%d, sceneID:%d)--NetSceneSnsSync--NetSceneSnsSync::onGYNetEnd
5.887873 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: saveUInfo get SyncKey Buf md5: %s--SyncMgr--SyncMgr::MergeAndSaveSyncKeyBuf
5.888137 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.888206 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.888309 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: %s : %s--SyncKeyInfo --NetSceneInit::dumpSyncKey
5.888410 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: saveUInfo mergeKey Buf md5: %s--SyncMgr--SyncMgr::MergeAndSaveSyncKeyBuf
5.888491 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: On Sns Cmd List size : %d--SnsSyncMgr--SnsSyncMgr::OnSyncCmdList
5.888573 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: Process Sns Object : id %lu, size %d --SnsSyncMgr--SnsSyncMgr::ProcessSnsObject
5.888672 2022/09/20 23:02:10.740 11964 WeChat.exe WxLogs: the ad enable is %d--SNSAD_ONOFF--AdSwitch::AdvertiseEnable
5.888825 2022/09/20 23:02:10.741 11964 WeChat.exe WxLogs: CmdItem to SnsObject : id %lu time : %d type : %d user : %s--SnsSyncMgr--SnsSyncMgr::ProcessSnsObject
5.889718 2022/09/20 23:02:10.741 11964 WeChat.exe WxLogs: Do not preload before 10 min after login--SnsSyncMgr--SnsSyncMgr::ProcessSnsObject
5.889757 2022/09/20 23:02:10.741 11964 WeChat.exe WxLogs: Do Sync Finish--NetSceneSnsSync--NetSceneSnsSync::onGYNetEnd
5.889801 2022/09/20 23:02:10.742 11964 WeChat.exe WxLogs: ~ (id:%d)--NetSceneSnsSync--NetSceneSnsSync::~NetSceneSnsSync
7.101882 2022/09/20 23:02:11.954 0 [internal] <paused>
7.101921 2022/09/20 23:02:11.954 0 [internal] Source 'Win32 Messages' was removed.
Since this is message receiving, there is bound to be an English abbreviation related to messages, so you can try to guess. From a rough look at the log content, the line doAddMsg srvid: %d, msgtyp: %d,cTime:%u,msgseq: %d--SyncMgr--SyncMgr::doAddMsg is very suspicious.
Then search for the string doAddMsg in the WeChatWin.dll module in x32dbg.
Looking at the addresses, the leading four bytes of the numbers are the same, so without hesitation jump to the head of the function, set a breakpoint there, and let the program run.
Then have the other WeChat account send a message to the account logged in on the PC, and it breaks at the function head.
Next is following it instruction by instruction, and there is a technique to this. Here is the key point: when someone sends you a message and it is received, there are bound to be two important pieces of content, one being the message sender and the other the message content.
At this point watch the registers for a wxid showing up. This takes several passes; the message receive call is not too far from the function head.
Below is the message receive call location I found:
5FB4935B | 85C0 | test eax,eax |
5FB4935D | 75 08 | jne wechatwin.5FB49367 |
5FB4935F | A1 1C8E9661 | mov eax,dword ptr ds:[0x61968E1C] |
5FB49364 | 8B40 14 | mov eax,dword ptr ds:[eax+0x14] |
5FB49367 | 6A 00 | push 0x0 |
5FB49369 | FF70 04 | push dword ptr ds:[eax+0x4] |
5FB4936C | 8D8D 74EEFFFF | lea ecx,dword ptr ss:[ebp-0x118C] |
5FB49372 | E8 99892200 | call <wechatwin.0x5FD71D10l> |
You can break here and have the other WeChat account send messages in various formats to work out each message format.
This message receive call has another use: decrypting encrypted images. You get the aeskey value and use it to decrypt the image. One thing to note here: the image sent must not have been sent before; if it was sent before, it will not carry the aeskey.
That is it for today. Finally, attached is the log hook DLL.