PC微信逆向分析 WeChat 强制打开开发者工具

2024-09-16

版本 11475

rbx=0000006D45FFDB90 &"{\"buttonType\":\"menu\",\"menuIcons\":[],\"menuItems\":[]}"
onButtonPressed 在 .$28FA3D1

MessagePumpForUI::ProcessNextWindowsMessage GetQueueStatus

wmpf_host_export.$192C42

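// Minified menu-manager class, kept exactly as it appears in the bundle (identifiers are the
// bundler's one-letter names). It builds the main and sub menu entry lists and pushes them to
// the "systemMenu" system component; most entry actions go through g.default (notifyEvent /
// invokeSyncXWebJsApi) or this.program.jsBridge.subscribeHandler.
// The listing had been wrapped right after the `return` inside getSubMenuConfig. A line break
// at that spot triggers automatic semicolon insertion, which would make the function return
// undefined; the statement is rejoined onto one line here so the listing reads as valid code.
t.default=class{program;constructor(e){this.program=e}showShareMenu=!1;withShareTicket=!1;showGameWelfareButton=!1;additionalSubMenuConfig=[];getMainMenuConfig=()=>{const e=[];return o.adapterConfig.supportAddToDesktop&&e.unshift({words:["添加到","电脑桌面"],icon:c.default,action(){g.default.notifyEvent("addToDesktop",void 0)}}),(void 0===o.adapterConfig.supportAddToMyApp||o.adapterConfig.supportAddToMyApp)&&(o.adapterConfig.is_myapp?"windows"!==o.adapterConfig.platform&&e.unshift({words:["从我的小程","序中移除"],icon:r.default,action:()=>{g.default.notifyEvent("removeFromMyApp",void 0),o.adapterConfig.is_myapp=!1,setTimeout((()=>{this.updateMenu()}),300)}}):e.unshift({words:["添加到","我的小程序"],icon:s.default,action:()=>{g.default.notifyEvent("addToMyApp",void 0),o.adapterConfig.is_myapp=!0,setTimeout((()=>{this.updateMenu()}),300)}})),this.showShareMenu&&(void 0===o.adapterConfig.supportShareAppMessage||o.adapterConfig.supportShareAppMessage)&&e.unshift({words:["转发给朋友"],icon:a.default,action:async()=>{await(0,m.waitTimeout)(200),this.program.share(this.withShareTicket)}}),e};getSubMenuConfig=()=>{const e=[{words:["反馈与投诉"],icon:l.default,action(){g.default.notifyEvent("feedback",void 0)}},{words:["重新进入","小程序"],icon:d.default,action(){g.default.invokeSyncXWebJsApi("restart",{})}}];if(this.program.features.supportParallelMode&&e.unshift({words:["设置"],icon:h.default,action:()=>{this.program.getSystemComponent("setting").toggle()}}),this.showShareMenu){let t=0;this.program.type===y.WMPFProgramType.APP&&(t=this.program.navigator.currentPage.id),e.push({words:["复制链接"],icon:f.default,action:()=>{this.program.jsBridge.subscribeHandler("onCopyUrl",{webviewId:t,shortLinkEnable:!0})}})}return this.showGameWelfareButton&&e.push({words:["福利"],icon:u.default,action:()=>{v.default.info("[MENU_MANAGER]","GameWelfareButtonPressed."),this.program.jsBridge.subscribeHandler("onGameWelfareButtonPressed",{})}}),this.program.features.supportKeyboardMock&&e.unshift({words:["用键盘鼠标","玩游戏"],icon:p.default,action:()=>{this.program.getComponent("keyboardMap").changeShowState("menu")}}),[...e,...this.additionalSubMenuConfig]};get menuConfig(){return{subMenuConfig:this.getSubMenuConfig(),mainMenuConfig:this.getMainMenuConfig()}}updateMenu(){this.program.getSystemComponent("systemMenu").updateMenuConfig(this.menuConfig)}}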


// Minified module factory, kept byte-for-byte as it appears in the bundle. It defines an
// EventEmitter subclass around globalThis.XWebAPI and exports one instance as the default.
// Traffic in both directions is JSON text: "onButtonPressed" payloads from this.api are
// JSON.parse'd and re-emitted, and notifyEvent / invokeHandler / callCommonJsApi receive
// JSON.stringify'd arguments. The wrapper itself does not validate names or arguments, and
// notifyEvent / invokeSyncXWebJsApi write the full serialized arguments to the log.
function(e,t,n){"use strict";var i=this&&this.__importDefault||function(e){return e&&e.__esModule?e:{default:e}};Object.defineProperty(t,"__esModule",{value:!0});const o=n(21883),a=i(n(9453));class r extends o.EventEmitter{api;constructor(){super(),a.default.info("init xweb binding start. xwebapi:"+typeof globalThis.XWebAPI),globalThis.XWebAPI&&(globalThis.XWebAPI&&(this.api=globalThis.XWebAPI),this.api.on("onButtonPressed",(e=>{const t=JSON.parse(e);this.emit("onButtonPressed",t)})))}notifyEvent(e,t){const n=JSON.stringify(t);a.default.info(`notifyEvent to xweb. eventName=${e}, args=${n}`),this.api.notifyEvent(e,n)}invokeSyncXWebJsApi(e,t){const n=JSON.stringify(t);return a.default.info(`invokeSyncXWebJsApi. name=${e}, args=${n}`),this.api.invokeHandler(e,n,0,-1)}invokeXWebJsApi(e,t){const n=JSON.stringify(t);return this.api.invokeHandler(e,n,0,-1)}invokeWeChatJsApi(e,t){return"function"!=typeof this.api.callCommonJsApi?Promise.reject(new Error("not supported")):new Promise(((n,i)=>{this.api.callCommonJsApi(e,JSON.stringify(t),((t,o)=>{0===t?n(JSON.parse(o)):i(new Error(`invokeWeChatJsApi ${e} fail: errCode=${t}`))}))}))}async getCurrentPerfInfo(){return"function"!=typeof this.api.getCurrentPerfInfo?{cpu:0,graphicsMemory:0,graphicsMemorySize:0,maxThreadCpu:0,memory:0,memorySize:0}:new Promise(((e,t)=>{this.api.getCurrentPerfInfo(((n,i)=>{n&&!i&&t(n);const o=JSON.parse(i);e(o)}))}))}}const s=new r;t.default=s}

格式化一下:可以看到

t.default = class {
    // Program object handed to the constructor; the menu actions call into it.
    program;
    // Flags read while the menus are built; all of them start out false.
    showShareMenu = false;
    withShareTicket = false;
    showGameWelfareButton = false;
    // Extra entries appended after the built-in sub menu entries.
    additionalSubMenuConfig = [];

    constructor(program) {
        this.program = program;
    }

    /**
     * Builds the main menu entries from o.adapterConfig and this.showShareMenu.
     * Every enabled entry is added with unshift, so an entry added later sits
     * earlier in the returned array.
     * @returns {Array<{words: string[], icon: *, action: Function}>}
     */
    getMainMenuConfig = () => {
        const entries = [];

        if (o.adapterConfig.supportAddToDesktop) {
            entries.unshift({
                words: ["添加到", "电脑桌面"],
                icon: c.default,
                action() {
                    g.default.notifyEvent("addToDesktop", undefined);
                },
            });
        }

        // A missing supportAddToMyApp is treated the same as a truthy one.
        if (o.adapterConfig.supportAddToMyApp === undefined || o.adapterConfig.supportAddToMyApp) {
            if (!o.adapterConfig.is_myapp) {
                entries.unshift({
                    words: ["添加到", "我的小程序"],
                    icon: s.default,
                    action: () => {
                        g.default.notifyEvent("addToMyApp", undefined);
                        o.adapterConfig.is_myapp = true;
                        // The menu is rebuilt 300 ms after the flag flips.
                        setTimeout(() => {
                            this.updateMenu();
                        }, 300);
                    },
                });
            } else if (o.adapterConfig.platform !== "windows") {
                // The "remove" entry is not offered when platform is "windows".
                entries.unshift({
                    words: ["从我的小程", "序中移除"],
                    icon: r.default,
                    action: () => {
                        g.default.notifyEvent("removeFromMyApp", undefined);
                        o.adapterConfig.is_myapp = false;
                        setTimeout(() => {
                            this.updateMenu();
                        }, 300);
                    },
                });
            }
        }

        // A missing supportShareAppMessage is likewise treated as enabled.
        if (
            this.showShareMenu &&
            (o.adapterConfig.supportShareAppMessage === undefined || o.adapterConfig.supportShareAppMessage)
        ) {
            entries.unshift({
                words: ["转发给朋友"],
                icon: a.default,
                action: async () => {
                    // Destructured so the call has no receiver, as in the bundle's (0, m.waitTimeout)(200).
                    const { waitTimeout } = m;
                    await waitTimeout(200);
                    this.program.share(this.withShareTicket);
                },
            });
        }

        return entries;
    };

    /**
     * Builds the sub menu entries. "Feedback" and "restart" are always present;
     * the others depend on this.program.features and on the share / welfare flags.
     * @returns {Array<{words: string[], icon: *, action: Function}>} the built-in
     *     entries followed by additionalSubMenuConfig.
     */
    getSubMenuConfig = () => {
        const entries = [
            {
                words: ["反馈与投诉"],
                icon: l.default,
                action() {
                    g.default.notifyEvent("feedback", undefined);
                },
            },
            {
                words: ["重新进入", "小程序"],
                icon: d.default,
                action() {
                    g.default.invokeSyncXWebJsApi("restart", {});
                },
            },
        ];

        if (this.program.features.supportParallelMode) {
            entries.unshift({
                words: ["设置"],
                icon: h.default,
                action: () => {
                    this.program.getSystemComponent("setting").toggle();
                },
            });
        }

        if (this.showShareMenu) {
            // The page id is captured when the menu is built, not when the entry is clicked.
            const webviewId =
                this.program.type === y.WMPFProgramType.APP ? this.program.navigator.currentPage.id : 0;
            entries.push({
                words: ["复制链接"],
                icon: f.default,
                action: () => {
                    this.program.jsBridge.subscribeHandler("onCopyUrl", {
                        webviewId,
                        shortLinkEnable: true,
                    });
                },
            });
        }

        if (this.showGameWelfareButton) {
            entries.push({
                words: ["福利"],
                icon: u.default,
                action: () => {
                    v.default.info("[MENU_MANAGER]", "GameWelfareButtonPressed.");
                    this.program.jsBridge.subscribeHandler("onGameWelfareButtonPressed", {});
                },
            });
        }

        if (this.program.features.supportKeyboardMock) {
            entries.unshift({
                words: ["用键盘鼠标", "玩游戏"],
                icon: p.default,
                action: () => {
                    this.program.getComponent("keyboardMap").changeShowState("menu");
                },
            });
        }

        return [...entries, ...this.additionalSubMenuConfig];
    };

    /** Current menu configuration; the sub menu is built before the main menu. */
    get menuConfig() {
        const subMenuConfig = this.getSubMenuConfig();
        const mainMenuConfig = this.getMainMenuConfig();
        return { subMenuConfig, mainMenuConfig };
    }

    /** Hands a freshly built configuration to the "systemMenu" system component. */
    updateMenu() {
        const systemMenu = this.program.getSystemComponent("systemMenu");
        systemMenu.updateMenuConfig(this.menuConfig);
    }
};


function(e, t, n) {
    "use strict";
    // Bundler interop helper: wraps a module that is not flagged __esModule as { default: module }.
    const importDefault = (this && this.__importDefault) || function (mod) {
        if (mod && mod.__esModule) {
            return mod;
        }
        return { default: mod };
    };
    Object.defineProperty(t, "__esModule", { value: true });
    const events = n(21883);
    const log = importDefault(n(9453));

    /**
     * EventEmitter wrapper around globalThis.XWebAPI. Arguments cross to this.api as
     * JSON text and results come back as JSON text; the wrapper does no validation of
     * names or arguments itself.
     */
    class r extends events.EventEmitter {
        // Stays undefined when globalThis.XWebAPI is absent at construction time.
        api;

        constructor() {
            super();
            log.default.info(`init xweb binding start. xwebapi:${typeof globalThis.XWebAPI}`);
            if (globalThis.XWebAPI) {
                // The bundle tests XWebAPI a second time before assigning; kept as is.
                if (globalThis.XWebAPI) {
                    this.api = globalThis.XWebAPI;
                }
                // Payloads arrive as JSON text and are re-emitted as parsed objects.
                this.api.on("onButtonPressed", (payload) => {
                    const parsed = JSON.parse(payload);
                    this.emit("onButtonPressed", parsed);
                });
            }
        }

        /** Sends a named event with JSON-serialized arguments; the arguments are also logged in full. */
        notifyEvent(eventName, args) {
            const serialized = JSON.stringify(args);
            log.default.info(`notifyEvent to xweb. eventName=${eventName}, args=${serialized}`);
            this.api.notifyEvent(eventName, serialized);
        }

        /** Logs the call, then returns this.api.invokeHandler(name, json, 0, -1). */
        invokeSyncXWebJsApi(name, args) {
            const serialized = JSON.stringify(args);
            log.default.info(`invokeSyncXWebJsApi. name=${name}, args=${serialized}`);
            return this.api.invokeHandler(name, serialized, 0, -1);
        }

        /** Same call as invokeSyncXWebJsApi, without the log line. */
        invokeXWebJsApi(name, args) {
            const serialized = JSON.stringify(args);
            return this.api.invokeHandler(name, serialized, 0, -1);
        }

        /**
         * Calls this.api.callCommonJsApi and resolves with the parsed JSON result when the
         * callback reports error code 0; otherwise rejects with the error code in the message.
         * Rejects with "not supported" when callCommonJsApi is not a function.
         */
        invokeWeChatJsApi(name, args) {
            if (typeof this.api.callCommonJsApi !== "function") {
                return Promise.reject(new Error("not supported"));
            }
            return new Promise((resolve, reject) => {
                this.api.callCommonJsApi(name, JSON.stringify(args), (errCode, result) => {
                    if (errCode === 0) {
                        resolve(JSON.parse(result));
                    } else {
                        reject(new Error(`invokeWeChatJsApi ${name} fail: errCode=${errCode}`));
                    }
                });
            });
        }

        /**
         * Resolves with the parsed performance info from this.api.getCurrentPerfInfo, or
         * with an all-zero record when that function is not available.
         */
        async getCurrentPerfInfo() {
            if (typeof this.api.getCurrentPerfInfo !== "function") {
                return {
                    cpu: 0,
                    graphicsMemory: 0,
                    graphicsMemorySize: 0,
                    maxThreadCpu: 0,
                    memory: 0,
                    memorySize: 0,
                };
            }
            return new Promise((resolve, reject) => {
                this.api.getCurrentPerfInfo((err, info) => {
                    if (err && !info) {
                        reject(err);
                    }
                    // As in the bundle, there is no return after reject: the parse below still runs.
                    const parsed = JSON.parse(info);
                    resolve(parsed);
                });
            });
        }
    }

    // The module exports a single shared instance.
    t.default = new r();
}

看起来从这个版本开始, 菜单已经不再由原生 GUI 绘制了: 传给原生层的数据结构是空的 (上面的 menuIcons、menuItems 都是空数组), 界面显示在一层 webview 里, 通过 jsBridge 进行通信.

换个思路: 找启动小程序的命令,WeChatWin 日志里有 WmpfAppletSDKImpl::LaunchApplet


// Hex-Rays output for the routine that logs under the name
// "AppletPkgDownLoadMgr::launchAppletByInternal" (see the strings passed to sub_18261B890).
// a1 is not referenced anywhere in this listing. a2 is handed to sub_1826B0760 on the first
// path and supplies the appid=%s log argument on the second.
void __fastcall sub_182710C70(__int64 a1, _QWORD *a2)
{
  _BYTE *v3; // rax
  __int64 v4; // rdx
  __int128 v5; // [rsp+60h] [rbp-29h] BYREF
  __int128 v6; // [rsp+70h] [rbp-19h] BYREF
  __int128 v7; // [rsp+80h] [rbp-9h] BYREF
  __int128 v8; // [rsp+90h] [rbp+7h] BYREF
  __int128 v9; // [rsp+A0h] [rbp+17h] BYREF
  __int128 v10; // [rsp+B0h] [rbp+27h] BYREF
  __int64 v11; // [rsp+C0h] [rbp+37h]
  __int64 v12; // [rsp+C8h] [rbp+3Fh]

  // Gate for the two paths. The else branch logs "not ready ... wait for download wmpf",
  // so this presumably reports whether WMPF is available - confirm in sub_1826975B0.
  if ( (unsigned __int8)sub_1826975B0() )
  {
    // All six argument slots hold the same constant on this path.
    v5 = xmmword_184E2C418;
    v6 = xmmword_184E2C418;
    v7 = xmmword_184E2C418;
    v8 = xmmword_184E2C418;
    v9 = xmmword_184E2C418;
    v10 = xmmword_184E2C418;
    // Log call: source file, line 1558, function name, tag, message, then the six slots.
    sub_18261B890(
      2,
      (__int64)"D:\\Tools\\agent\\workspace\\MicroMsgWindowsV3912\\MicroMsgWin\\05_plugins\\Applet\\manager\\AppletPkgDownLoadMgr.cpp",
      1558,
      (__int64)"AppletPkgDownLoadMgr::launchAppletByInternal",
      "AppletPkgDownLoadMgr",
      "launchAppletByInternal launch applet by wmpf",
      &v10,
      &v9,
      &v8,
      &v7,
      &v6,
      &v5);
    *(_QWORD *)&v10 = 0i64;
    v12 = 15i64;
    v11 = 0i64;
    // a2 is passed on to sub_1826B0760 only when this global byte is non-zero.
    if ( byte_185923A70 )
    {
      v3 = (_BYTE *)sub_1826AF8D0();
      // v4 is never assigned in this listing; Hex-Rays shows rdx as left by the call above.
      sub_1826B0760(v3, v4, (__int64)a2);
    }
  }
  else
  {
    // Looks like the MSVC std::string small-buffer test (capacity at +0x18, heap pointer
    // at +0) used to reach the character data - TODO confirm against the caller.
    if ( a2[3] >= 0x10ui64 )
      a2 = (_QWORD *)*a2;
    // v5 is the one populated slot: low byte 2 (presumably a type tag) plus the pointer for %s.
    LOBYTE(v5) = 2;
    *((_QWORD *)&v5 + 1) = a2;
    v10 = xmmword_184E2C418;
    v9 = xmmword_184E2C418;
    v8 = xmmword_184E2C418;
    v7 = xmmword_184E2C418;
    v6 = xmmword_184E2C418;
    // Log call for the not-ready case: same file and function strings, line 1562.
    sub_18261B890(
      2,
      (__int64)"D:\\Tools\\agent\\workspace\\MicroMsgWindowsV3912\\MicroMsgWin\\05_plugins\\Applet\\manager\\AppletPkgDownLoadMgr.cpp",
      1562,
      (__int64)"AppletPkgDownLoadMgr::launchAppletByInternal",
      "AppletPkgDownLoadMgr",
      "not ready ,appid=%s,wait for download wmpf",
      &v5,
      &v6,
      &v7,
      &v8,
      &v9,
      &v10);
  }
}

handleJsEvent %s 执行js 回调的地方 .$3067850 可以看到打开了什么app

{"__callback_id":"1000","__msg_type":"call","func":"openWeApp","params":{"appId":"wx9882f2a891880616","hwnd":2429026,"openType":0,"scene":1260,"sceneNote":"gh_73f77c13f6fe@app;;;0","userName":"gh_73f77c13f6fe@app"},"sessionid":""}

考虑是不是 chrome 的消息循环 sub_1831B4130(a1 + 328, (__int64)"MessageLoop::PostTask", (__int64 *)a2);

_QWORD *__fastcall sub_1826B3900(__int64 a1, _QWORD *a2, void **a3)
{
  __int64 v5; // rax
  void **v6; // rcx
  __int64 *v7; // rax
  __int64 v8; // rbx
  void **v9; // rcx
  __int64 *v10; // rax
  __int64 v11; // rbx
  void **v12; // rcx
  __int64 *v13; // rax
  __int64 v14; // rbx
  __int64 *v15; // rax
  __int64 v16; // rbx
  void **v17; // rcx
  __int64 *v18; // rax
  __int64 v19; // rbx
  void **v20; // rcx
  __int64 *v21; // rax
  __int64 v22; // rbx
  void **v23; // rcx
  __int64 *v24; // rax
  __int64 v25; // rbx
  __int64 *v26; // rax
  __int64 v27; // rbx
  void **v28; // rcx
  __int64 *v29; // rax
  __int64 v30; // rbx
  void **v31; // rbx
  __int64 *v32; // rax
  __int64 v33; // rbx
  void **v34; // rbx
  __int64 *v35; // rax
  __int64 v36; // rbx
  void **v37; // rbx
  __int64 *v38; // rax
  __int64 v39; // rbx
  void **v40; // rbx
  __int64 *v41; // rax
  __int64 v42; // rbx
  void **v43; // rbx
  __int64 *v44; // rax
  __int64 v45; // rbx
  void **v46; // rbx
  __int64 *v47; // rax
  __int64 v48; // rbx
  void **v49; // rbx
  __int64 *v50; // rax
  __int64 v51; // rbx
  void **v52; // rbx
  __int64 *v53; // rax
  __int64 v54; // rbx
  void **v55; // rbx
  __int64 *v56; // rax
  __int64 v57; // rbx
  void **v58; // rbx
  __int64 *v59; // rax
  __int64 v60; // rbx
  void **v61; // rbx
  __int64 *v62; // rax
  __int64 v63; // rbx
  __int64 v64; // rbx
  __int64 *v65; // rax
  __int64 v66; // rbx
  __int64 v67; // rbx
  __int64 *v68; // rax
  __int64 v69; // rbx
  __int64 **v70; // rbx
  __int64 *v71; // rax
  __int64 v72; // rbx
  __int64 **v73; // rbx
  __int64 *v74; // rax
  __int64 v75; // rbx
  __int64 v76; // rbx
  __int64 *v77; // rax
  __int64 v78; // rbx
  __int64 v79; // rax
  __int64 v80; // rbx
  __int64 *v81; // rax
  void *v82; // rbx
  void **v83; // rbx
  __int64 *v84; // rax
  void *v85; // rbx
  void **v86; // rbx
  __int64 *v87; // rax
  void *v88; // rbx
  void **v89; // rbx
  __int64 *v90; // rax
  void *v91; // rbx
  void **v92; // rbx
  __int64 *v93; // rax
  void *v94; // rbx
  void **v95; // rbx
  __int64 *v96; // rax
  void *v97; // rbx
  void **v98; // rbx
  __int64 *v99; // rax
  void *v100; // rbx
  __int64 v101; // rbx
  __int64 *v102; // rax
  void *v103; // rbx
  void **v104; // rbx
  __int64 *v105; // rax
  void *v106; // rbx
  void **v107; // rbx
  __int64 *v108; // rax
  void *v109; // rbx
  __int64 *v110; // rax
  void **v111; // rbx
  __int64 *v112; // rax
  void *v113; // rbx
  __int64 v114; // rbx
  __int64 *v115; // rax
  void *v116; // rbx
  void **v117; // rbx
  __int64 *v118; // rax
  void *v119; // rbx
  char v120; // bl
  __int64 *v121; // rax
  void *v122; // rbx
  char v123; // bl
  __int64 *v124; // rax
  void *v125; // rbx
  __int64 *v126; // rax
  char v127; // bl
  __int64 *v128; // rax
  void *v129; // rbx
  __int64 *v130; // rax
  __int64 *v131; // rax
  __int64 v132; // rbx
  __int64 *v133; // rax
  void *v134; // rbx
  char v135; // bl
  __int64 *v136; // rax
  void *v137; // rbx
  char v138; // bl
  __int64 *v139; // rax
  void *v140; // rbx
  __int64 *v141; // rax
  __int64 *v142; // rax
  __int64 v143; // rbx
  __int64 *v144; // rax
  void *v145; // rbx
  __int64 *v146; // rax
  char v147; // bl
  __int64 *v148; // rax
  void *v149; // rbx
  __int64 v150; // rbx
  __int64 v151; // rbx
  __int64 v153; // [rsp+20h] [rbp-59h] BYREF
  int v154; // [rsp+28h] [rbp-51h]
  __int128 v155; // [rsp+30h] [rbp-49h]
  __int64 v156; // [rsp+40h] [rbp-39h]
  __int64 v157[2]; // [rsp+48h] [rbp-31h] BYREF
  void *v158; // [rsp+58h] [rbp-21h]
  __int64 **v159; // [rsp+70h] [rbp-9h] BYREF
  int v160; // [rsp+78h] [rbp-1h]
  __int128 v161; // [rsp+80h] [rbp+7h]
  __int64 v162; // [rsp+90h] [rbp+17h]
  __int64 v163[5]; // [rsp+98h] [rbp+1Fh] BYREF
  __int64 v164; // [rsp+E0h] [rbp+67h]
  __int64 v165; // [rsp+E0h] [rbp+67h]

  LOBYTE(v160) = 7;
  v160 &= ~0x100u;
  v161 = 0i64;
  v162 = 0i64;
  v164 = operator new(16i64);
  *(_QWORD *)v164 = 0i64;
  *(_QWORD *)(v164 + 8) = 0i64;
  v5 = operator new(88i64);
  *(_QWORD *)v5 = v5;
  *(_QWORD *)(v5 + 8) = v5;
  *(_QWORD *)(v5 + 16) = v5;
  *(_WORD *)(v5 + 24) = 257;
  *(_QWORD *)v164 = v5;
  v159 = (__int64 **)v164;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  v6 = a3;
  if ( (unsigned __int64)a3[3] >= 0x10 )
    v6 = (void **)*a3;
  v153 = sub_1839D1270(v6, *((unsigned int *)a3 + 4));
  v7 = sub_1839D3450(&v159, "appId", (int)"");
  sub_1839D1D30(&v153, v7);
  sub_1839D32B0(&v153);
  v8 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v8);
  }
  v9 = a3 + 4;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[7] >= 0x10 )
    v9 = (void **)*v9;
  v153 = sub_1839D1270(v9, *((unsigned int *)a3 + 12));
  v10 = sub_1839D3450(&v159, "brandName", (int)"");
  sub_1839D1D30(&v153, v10);
  sub_1839D32B0(&v153);
  v11 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v11);
  }
  v12 = a3 + 8;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[11] >= 0x10 )
    v12 = (void **)*v12;
  v153 = sub_1839D1270(v12, *((unsigned int *)a3 + 20));
  v13 = sub_1839D3450(&v159, "iconUrl", (int)"");
  sub_1839D1D30(&v153, v13);
  sub_1839D32B0(&v153);
  v14 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v14);
  }
  LOBYTE(v154) = 1;
  v154 &= ~0x100u;
  v155 = 0i64;
  v156 = 0i64;
  v153 = *((int *)a3 + 24);
  v15 = sub_1839D3450(&v159, "debugType", (int)"");
  sub_1839D1D30(&v153, v15);
  sub_1839D32B0(&v153);
  v16 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v16);
  }
  v17 = a3 + 13;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[16] >= 0x10 )
    v17 = (void **)*v17;
  v153 = sub_1839D1270(v17, *((unsigned int *)a3 + 30));
  v18 = sub_1839D3450(&v159, "orientation", (int)"");
  sub_1839D1D30(&v153, v18);
  sub_1839D32B0(&v153);
  v19 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v19);
  }
  v20 = a3 + 17;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[20] >= 0x10 )
    v20 = (void **)*v20;
  v153 = sub_1839D1270(v20, *((unsigned int *)a3 + 38));
  v21 = sub_1839D3450(&v159, "pkgDirPath", (int)"");
  sub_1839D1D30(&v153, v21);
  sub_1839D32B0(&v153);
  v22 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v22);
  }
  v23 = a3 + 21;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[24] >= 0x10 )
    v23 = (void **)*v23;
  v153 = sub_1839D1270(v23, *((unsigned int *)a3 + 46));
  v24 = sub_1839D3450(&v159, "publicPkgDirPath", (int)"");
  sub_1839D1D30(&v153, v24);
  sub_1839D32B0(&v153);
  v25 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v25);
  }
  LOBYTE(v154) = 1;
  v154 &= ~0x100u;
  v155 = 0i64;
  v156 = 0i64;
  v153 = *((int *)a3 + 50);
  v26 = sub_1839D3450(&v159, "publicVer", (int)"");
  sub_1839D1D30(&v153, v26);
  sub_1839D32B0(&v153);
  v27 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v27);
  }
  v28 = a3 + 26;
  LOBYTE(v154) = 4;
  v154 |= 0x100u;
  v155 = 0i64;
  v156 = 0i64;
  if ( (unsigned __int64)a3[29] >= 0x10 )
    v28 = (void **)*v28;
  v153 = sub_1839D1270(v28, *((unsigned int *)a3 + 56));
  v29 = sub_1839D3450(&v159, "moduleListInfo", (int)"");
  sub_1839D1D30(&v153, v29);
  sub_1839D32B0(&v153);
  v30 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v30);
  }
  v31 = a3 + 30;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[33] >= 0x10 )
    v31 = (void **)*v31;
  v153 = sub_1839D1270(v31, *((unsigned int *)a3 + 64));
  v32 = sub_1839D3450(&v159, "dataPath", (int)"");
  sub_1839D1D30(&v153, v32);
  sub_1839D32B0(&v153);
  v33 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v33);
  }
  v34 = a3 + 34;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[37] >= 0x10 )
    v34 = (void **)*v34;
  v153 = sub_1839D1270(v34, *((unsigned int *)a3 + 72));
  v35 = sub_1839D3450(&v159, "tmpPath", (int)"");
  sub_1839D1D30(&v153, v35);
  sub_1839D32B0(&v153);
  v36 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v36);
  }
  v37 = a3 + 38;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[41] >= 0x10 )
    v37 = (void **)*v37;
  v153 = sub_1839D1270(v37, *((unsigned int *)a3 + 80));
  v38 = sub_1839D3450(&v159, (void *)"username", (int)"");
  sub_1839D1D30(&v153, v38);
  sub_1839D32B0(&v153);
  v39 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v39);
  }
  v40 = a3 + 42;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[45] >= 0x10 )
    v40 = (void **)*v40;
  v153 = sub_1839D1270(v40, *((unsigned int *)a3 + 88));
  v41 = sub_1839D3450(&v159, "nickName", (int)"");
  sub_1839D1D30(&v153, v41);
  sub_1839D32B0(&v153);
  v42 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v42);
  }
  v43 = a3 + 46;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[49] >= 0x10 )
    v43 = (void **)*v43;
  v153 = sub_1839D1270(v43, *((unsigned int *)a3 + 96));
  v44 = sub_1839D3450(&v159, "signature", (int)"");
  sub_1839D1D30(&v153, v44);
  sub_1839D32B0(&v153);
  v45 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v45);
  }
  v46 = a3 + 50;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[53] >= 0x10 )
    v46 = (void **)*v46;
  v153 = sub_1839D1270(v46, *((unsigned int *)a3 + 104));
  v47 = sub_1839D3450(&v159, "logPath", (int)"");
  sub_1839D1D30(&v153, v47);
  sub_1839D32B0(&v153);
  v48 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v48);
  }
  v49 = a3 + 54;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[57] >= 0x10 )
    v49 = (void **)*v49;
  v153 = sub_1839D1270(v49, *((unsigned int *)a3 + 112));
  v50 = sub_1839D3450(&v159, "clientJsExtInfo", (int)"");
  sub_1839D1D30(&v153, v50);
  sub_1839D32B0(&v153);
  v51 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v51);
  }
  v52 = a3 + 58;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[61] >= 0x10 )
    v52 = (void **)*v52;
  v153 = sub_1839D1270(v52, *((unsigned int *)a3 + 120));
  v53 = sub_1839D3450(&v159, "operationInfo", (int)"");
  sub_1839D1D30(&v153, v53);
  sub_1839D32B0(&v153);
  v54 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v54);
  }
  v55 = a3 + 62;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[65] >= 0x10 )
    v55 = (void **)*v55;
  v153 = sub_1839D1270(v55, *((unsigned int *)a3 + 128));
  v56 = sub_1839D3450(&v159, "shareName", (int)"");
  sub_1839D1D30(&v153, v56);
  sub_1839D32B0(&v153);
  v57 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v57);
  }
  v58 = a3 + 66;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[69] >= 0x10 )
    v58 = (void **)*v58;
  v153 = sub_1839D1270(v58, *((unsigned int *)a3 + 136));
  v59 = sub_1839D3450(&v159, "shareKey", (int)"");
  sub_1839D1D30(&v153, v59);
  sub_1839D32B0(&v153);
  v60 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v60);
  }
  v61 = a3 + 70;
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 4i64);
  if ( (unsigned __int64)a3[73] >= 0x10 )
    v61 = (void **)*v61;
  v153 = sub_1839D1270(v61, *((unsigned int *)a3 + 144));
  v62 = sub_1839D3450(&v159, "remote_debug_endpoint", (int)"");
  sub_1839D1D30(&v153, v62);
  sub_1839D32B0(&v153);
  v63 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v63);
  }
  v64 = *((int *)a3 + 148);
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 1i64);
  v153 = v64;
  v65 = sub_1839D3450(&v159, "appVersion", (int)"");
  sub_1839D1D30(&v153, v65);
  sub_1839D32B0(&v153);
  v66 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v66);
  }
  v67 = *((int *)a3 + 149);
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 1i64);
  v153 = v67;
  v68 = sub_1839D3450(&v159, "versionState", (int)"");
  sub_1839D1D30(&v153, v68);
  sub_1839D32B0(&v153);
  v69 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v69);
  }
  v70 = (__int64 **)*((unsigned __int16 *)a3 + 300);
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 1i64);
  v153 = (__int64)v70;
  v71 = sub_1839D3450(&v159, "width", (int)"");
  sub_1839D1D30(&v153, v71);
  sub_1839D32B0(&v153);
  v72 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v72);
  }
  v73 = (__int64 **)*((unsigned __int16 *)a3 + 301);
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 1i64);
  v153 = (__int64)v73;
  v74 = sub_1839D3450(&v159, "height", (int)"");
  sub_1839D1D30(&v153, v74);
  sub_1839D32B0(&v153);
  v75 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v75);
  }
  v76 = *((int *)a3 + 151);
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 1i64);
  v153 = v76;
  v77 = sub_1839D3450(&v159, "needSysBtn", (int)"");
  sub_1839D1D30(&v153, v77);
  sub_1839D32B0(&v153);
  v78 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v78);
  }
  *(_QWORD *)&v155 = 0i64;
  sub_1839D3070(&v153, 7i64);
  v165 = operator new(16i64);
  *(_QWORD *)v165 = 0i64;
  *(_QWORD *)(v165 + 8) = 0i64;
  v79 = operator new(88i64);
  *(_QWORD *)v79 = v79;
  *(_QWORD *)(v79 + 8) = v79;
  *(_QWORD *)(v79 + 16) = v79;
  *(_WORD *)(v79 + 24) = 257;
  *(_QWORD *)v165 = v79;
  v153 = v165;
  v80 = *((int *)a3 + 152);
  v158 = 0i64;
  sub_1839D3070(v157, 1i64);
  v157[0] = v80;
  v81 = sub_1839D3450((__int64 ***)&v153, "launchScene", (int)"");
  sub_1839D1D30(v157, v81);
  sub_1839D32B0(v157);
  v82 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v82);
  }
  v83 = a3 + 77;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[80] >= 0x10 )
    v83 = (void **)*v83;
  v157[0] = sub_1839D1270(v83, *((unsigned int *)a3 + 158));
  v84 = sub_1839D3450((__int64 ***)&v153, "appId", (int)"");
  sub_1839D1D30(v157, v84);
  sub_1839D32B0(v157);
  v85 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v85);
  }
  v86 = a3 + 81;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[84] >= 0x10 )
    v86 = (void **)*v86;
  v157[0] = sub_1839D1270(v86, *((unsigned int *)a3 + 166));
  v87 = sub_1839D3450((__int64 ***)&v153, "extraData", (int)"");
  sub_1839D1D30(v157, v87);
  sub_1839D32B0(v157);
  v88 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v88);
  }
  v89 = a3 + 85;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[88] >= 0x10 )
    v89 = (void **)*v89;
  v157[0] = sub_1839D1270(v89, *((unsigned int *)a3 + 174));
  v90 = sub_1839D3450((__int64 ***)&v153, "privateExtraData", (int)"");
  sub_1839D1D30(v157, v90);
  sub_1839D32B0(v157);
  v91 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v91);
  }
  v92 = a3 + 89;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[92] >= 0x10 )
    v92 = (void **)*v92;
  v157[0] = sub_1839D1270(v92, *((unsigned int *)a3 + 182));
  v93 = sub_1839D3450((__int64 ***)&v153, "messageExtraData", (int)"");
  sub_1839D1D30(v157, v93);
  sub_1839D32B0(v157);
  v94 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v94);
  }
  v95 = a3 + 93;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[96] >= 0x10 )
    v95 = (void **)*v95;
  v157[0] = sub_1839D1270(v95, *((unsigned int *)a3 + 190));
  v96 = sub_1839D3450((__int64 ***)&v153, "url", (int)"");
  sub_1839D1D30(v157, v96);
  sub_1839D32B0(v157);
  v97 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v97);
  }
  v98 = a3 + 97;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[100] >= 0x10 )
    v98 = (void **)*v98;
  v157[0] = sub_1839D1270(v98, *((unsigned int *)a3 + 198));
  v99 = sub_1839D3450((__int64 ***)&v153, "agentId", (int)"");
  sub_1839D1D30(v157, v99);
  sub_1839D32B0(v157);
  v100 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v100);
  }
  v101 = *((int *)a3 + 202);
  v158 = 0i64;
  sub_1839D3070(v157, 1i64);
  v157[0] = v101;
  v102 = sub_1839D3450((__int64 ***)&v153, "sourceType", (int)"");
  sub_1839D1D30(v157, v102);
  sub_1839D32B0(v157);
  v103 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v103);
  }
  v104 = a3 + 102;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[105] >= 0x10 )
    v104 = (void **)*v104;
  v157[0] = sub_1839D1270(v104, *((unsigned int *)a3 + 208));
  v105 = sub_1839D3450((__int64 ***)&v153, "openapiInvokeData", (int)"");
  sub_1839D1D30(v157, v105);
  sub_1839D32B0(v157);
  v106 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v106);
  }
  v107 = a3 + 106;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[109] >= 0x10 )
    v107 = (void **)*v107;
  v157[0] = sub_1839D1270(v107, *((unsigned int *)a3 + 216));
  v108 = sub_1839D3450((__int64 ***)&v153, "transitiveData", (int)"");
  sub_1839D1D30(v157, v108);
  sub_1839D32B0(v157);
  v109 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v109);
  }
  v110 = sub_1839D3450(&v159, "referrer", (int)"");
  sub_1839D1CA0(v110, &v153);
  v111 = a3 + 110;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[113] >= 0x10 )
    v111 = (void **)*v111;
  v157[0] = sub_1839D1270(v111, *((unsigned int *)a3 + 224));
  v112 = sub_1839D3450(&v159, "enterPath", (int)"");
  sub_1839D1D30(v157, v112);
  sub_1839D32B0(v157);
  v113 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v113);
  }
  v114 = *((int *)a3 + 228);
  v158 = 0i64;
  sub_1839D3070(v157, 1i64);
  v157[0] = v114;
  v115 = sub_1839D3450(&v159, "originalFlag", (int)"");
  sub_1839D1D30(v157, v115);
  sub_1839D32B0(v157);
  v116 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v116);
  }
  v117 = a3 + 115;
  v158 = 0i64;
  sub_1839D3070(v157, 4i64);
  if ( (unsigned __int64)a3[118] >= 0x10 )
    v117 = (void **)*v117;
  v157[0] = sub_1839D1270(v117, *((unsigned int *)a3 + 234));
  v118 = sub_1839D3450(&v159, "originalRedirectUrl", (int)"");
  sub_1839D1D30(v157, v118);
  sub_1839D32B0(v157);
  v119 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v119);
  }
  v120 = *((_BYTE *)a3 + 952);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v120;
  v121 = sub_1839D3450(&v159, "isNativeView", (int)"");
  sub_1839D1D30(v157, v121);
  sub_1839D32B0(v157);
  v122 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v122);
  }
  v123 = *((_BYTE *)a3 + 953);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v123;
  v124 = sub_1839D3450(&v159, "isDebug", (int)"");
  sub_1839D1D30(v157, v124);
  sub_1839D32B0(v157);
  v125 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v125);
  }
  sub_1839D1B80(v157, a3 + 120);
  v126 = sub_1839D3450(&v159, "xwalkRemoteDebugPort", (int)"");
  sub_1839D1D30(v157, v126);
  sub_1839D1C50(v157);
  v127 = *((_BYTE *)a3 + 992);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v127;
  v128 = sub_1839D3450(&v159, "xwalkDebugJs", (int)"");
  sub_1839D1D30(v157, v128);
  sub_1839D32B0(v157);
  v129 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v129);
  }
  sub_1839D1B80(v157, a3 + 125);
  v130 = sub_1839D3450(&v159, "uin", (int)"");
  sub_1839D1D30(v157, v130);
  sub_1839D1C50(v157);
  sub_1839D1B80(v163, a3 + 129);
  v131 = sub_1839D3450(&v159, "deviceType", (int)"");
  sub_1839D1D30(v163, v131);
  sub_1839D1C50(v163);
  v132 = *((int *)a3 + 266);
  v158 = 0i64;
  sub_1839D3070(v157, 1i64);
  v157[0] = v132;
  v133 = sub_1839D3450(&v159, "clientVersion", (int)"");
  sub_1839D1D30(v157, v133);
  sub_1839D32B0(v157);
  v134 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v134);
  }
  v135 = *((_BYTE *)a3 + 1068);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v135;
  v136 = sub_1839D3450(&v159, "isTest", (int)"");
  sub_1839D1D30(v157, v136);
  sub_1839D32B0(v157);
  v137 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v137);
  }
  v138 = *((_BYTE *)a3 + 1069);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v138;
  v139 = sub_1839D3450(&v159, "isPreload", (int)"");
  sub_1839D1D30(v157, v139);
  sub_1839D32B0(v157);
  v140 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v140);
  }
  sub_1839D1B80(v163, a3 + 134);
  v141 = sub_1839D3450(&v159, "wxIconUrl", (int)"");
  sub_1839D1D30(v163, v141);
  sub_1839D1C50(v163);
  sub_1839D1B80(v157, a3 + 138);
  v142 = sub_1839D3450(&v159, "wxNickName", (int)"");
  sub_1839D1D30(v157, v142);
  sub_1839D1C50(v157);
  v143 = *((int *)a3 + 284);
  v158 = 0i64;
  sub_1839D3070(v157, 1i64);
  v157[0] = v143;
  v144 = sub_1839D3450(&v159, "productId", (int)"");
  sub_1839D1D30(v157, v144);
  sub_1839D32B0(v157);
  v145 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v145);
  }
  sub_1839D1B80(v163, a3 + 143);
  v146 = sub_1839D3450(&v159, "commonJsInfo", (int)"");
  sub_1839D1D30(v163, v146);
  sub_1839D1C50(v163);
  v147 = *((_BYTE *)a3 + 1176);
  v158 = 0i64;
  sub_1839D3070(v157, 5i64);
  LOBYTE(v157[0]) = v147;
  v148 = sub_1839D3450(&v159, "isMiniGame", (int)"");
  sub_1839D1D30(v157, v148);
  sub_1839D32B0(v157);
  v149 = v158;
  if ( v158 )
  {
    `eh vector destructor iterator'(v158, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v149);
  }
  v158 = 0i64;
  sub_1839D30F0(v157, &v159);
  sub_1839D3380(v157, &v159);
  sub_182615AF0(a2, (__int64)v157);
  sub_1839D32B0(&v153);
  v150 = v155;
  if ( (_QWORD)v155 )
  {
    `eh vector destructor iterator'((void *)v155, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v150);
  }
  sub_1839D32B0(&v159);
  v151 = v161;
  if ( (_QWORD)v161 )
  {
    `eh vector destructor iterator'((void *)v161, 0x20ui64, 3ui64, (void (__stdcall *)(void *))sub_181B3F0A0);
    j_j_free_1_0(v151);
  }
  return a2;
}

版本: win 3.9.12.17 appEx 版本: 11275

如何查看版本

C:\Users\%s\AppData\Roaming\Tencent\WeChat\XPlugin\Plugins\RadiumWMPF\%d\extracted\runtime

%d 代表的就是版本

如何打开调试器

WeChatWin.dll.js 的整体思路就是判断微信版本和位置, 将 CreateProcessW 的调用 hook 住, 在 WeChat 调用 CreateProcessW 的时候, 把命令行 --log-level=2 替换成 --log-level=0 --xweb-enable-inspect=1 , 默认则右键可以打开调试器.

小程序开发者工具分析

RVA: WeChatAppEx.exe+2AC456F

00007FF7B114456F | 48:8D05 B119AD07         | lea rax,qword ptr ds:[7FF7B8C15F27]     | 00007FF7B8C15F27:"devTools"

// 小程序那开启 dev 按钮, 上一个指令把添加 dev 的按钮语句全部跳过了.

RVA: WeChatAppEx.exe+0x2AC456D

00007FF7B114456D | 74 67   | je wechatappex.7FF7B11445D6             |

这个就是 00007FF7B114456F 的上一个语句, je 表示如果标志位 ZF=1 的话则进行跳转; jz 与 je 是同一条指令的两个名字 (同样在 ZF=1 时跳转), ZF=0 时跳转的是 jne/jnz.

JE and JZ are just different names for exactly the same thing: a conditional jump when ZF (the "zero" flag) is equal to 1. JNE and JNZ are just different names for a conditional jump when ZF is equal to 0.

00007FF7B0D53B38 | 4C:0F45C0    | cmovne r8,rax                         

// 不等于 0 的时候传送; 当传送条件满足时,指令把源值S复制到目的R。

小程序右上角按钮菜单的 特征码

48 8D 15 ?? ?? ?? ?? 48 8D BC 24 B0 00 00 00 48 89 F9 E8 ?? ?? ?? ?? 48 C7 47 ?? 04 00 00 00 48 8D 05 ?? ?? ?? ?? 48 8D 94 24 00 02 00 00 48 89 02 48 C7 42 ?? 0A 00 00 00 48 8D 8C 24 90 00 00 00 49 89 F8 E8 ?? ?? ?? ?? 48 8B 57 ?? 48 8D 8C 24 E8 01 00 00 48 89 39 E8 ?? ?? ?? ?? 31 C0 48 89 84 24 80 00 00 00 0F 57 C0 0F 29 44 24 70 48 89 44 24 60 0F 29 44 24 50 48 8B 46 ?? 48 8B B8 ?? ?? ?? ?? 80 BF ?? ?? ?? ?? 00 74 67 48 8D 05 ?? ?? ?? ?? 48 8D 94 24 B0 00 00 00 48 89 02 4C 8D 74 24 70 4C 89 F1 E8 ?? ?? ?? ?? 48 8B 5C 24 58 49 89 46 ?? 48 8D 05 ?? ?? ?? ?? 48 89 84 24 00 02 00 00 48 3B 5C 24 60 0F 82 C6 FE FF FF 48 8D 4C 24 50 48 8D 94 24 00 02 00 00 E8 ?? ?? ?? ?? 48 89 C3 48 89 5C 24 58 48 8B 46 ?? 48 8B B8 ?? ?? ?? ?? 48 8D 6C 24 38 48 89 6D 00 48 89 6D 08 48 C7 45 10 00 00 00 00 4C 8B B7 ?? ?? ?? ?? 48 81 C7 60 03 00 00 49 39 FE 0F 84 A1 01 00 00 

__asm

00007FF7B11444C6 | 0F2947 10                | movaps xmmword ptr ds:[rdi+10],xmm0     |
00007FF7B11444CA | 0F2907                   | movaps xmmword ptr ds:[rdi],xmm0        |
00007FF7B11444CD | 48:89F9                  | mov rcx,rdi                             |
00007FF7B11444D0 | B2 06                    | mov dl,6                                |
00007FF7B11444D2 | E8 399D73FD              | call wechatappex.7FF7AE87E210           |
00007FF7B11444D7 | 48:837F 18 06            | cmp qword ptr ds:[rdi+18],6             |
00007FF7B11444DC | 0F85 53060000            | jne wechatappex.7FF7B1144B35            |
00007FF7B11444E2 | 48:8D15 F4357A07         | lea rdx,qword ptr ds:[7FF7B88E7ADD]     | 00007FF7B88E7ADD:"menu"
00007FF7B11444E9 | 48:8DBC24 B0000000       | lea rdi,qword ptr ss:[rsp+B0]           |
00007FF7B11444F1 | 48:89F9                  | mov rcx,rdi                             |
00007FF7B11444F4 | E8 573D8A02              | call wechatappex.7FF7B39E8250           |
00007FF7B11444F9 | 48:C747 18 04000000      | mov qword ptr ds:[rdi+18],4             |
00007FF7B1144501 | 48:8D05 DA357A07         | lea rax,qword ptr ds:[7FF7B88E7AE2]     | 00007FF7B88E7AE2:"buttonType"
00007FF7B1144508 | 48:8D9424 00020000       | lea rdx,qword ptr ss:[rsp+200]          |
00007FF7B1144510 | 48:8902                  | mov qword ptr ds:[rdx],rax              |
00007FF7B1144513 | 48:C742 08 0A000000      | mov qword ptr ds:[rdx+8],A              | 0A:'\n'
00007FF7B114451B | 48:8D8C24 90000000       | lea rcx,qword ptr ss:[rsp+90]           |
00007FF7B1144523 | 49:89F8                  | mov r8,rdi                              |
00007FF7B1144526 | E8 B505E801              | call wechatappex.7FF7B2FC4AE0           |
00007FF7B114452B | 48:8B57 18               | mov rdx,qword ptr ds:[rdi+18]           |
00007FF7B114452F | 48:8D8C24 E8010000       | lea rcx,qword ptr ss:[rsp+1E8]          |
00007FF7B1144537 | 48:8939                  | mov qword ptr ds:[rcx],rdi              |
00007FF7B114453A | E8 51966B01              | call wechatappex.7FF7B27FDB90           |
00007FF7B114453F | 31C0                     | xor eax,eax                             |
00007FF7B1144541 | 48:898424 80000000       | mov qword ptr ss:[rsp+80],rax           |
00007FF7B1144549 | 0F57C0                   | xorps xmm0,xmm0                         |
00007FF7B114454C | 0F294424 70              | movaps xmmword ptr ss:[rsp+70],xmm0     |
00007FF7B1144551 | 48:894424 60             | mov qword ptr ss:[rsp+60],rax           |
00007FF7B1144556 | 0F294424 50              | movaps xmmword ptr ss:[rsp+50],xmm0     |
00007FF7B114455B | 48:8B46 08               | mov rax,qword ptr ds:[rsi+8]            | rsi+08:"€>"
00007FF7B114455F | 48:8BB8 70040000         | mov rdi,qword ptr ds:[rax+470]          |
00007FF7B1144566 | 80BF F2000000 00         | cmp byte ptr ds:[rdi+F2],0              |
00007FF7B114456D | 74 67                    | je wechatappex.7FF7B11445D6             |
00007FF7B114456F | 48:8D05 B119AD07         | lea rax,qword ptr ds:[7FF7B8C15F27]     | 00007FF7B8C15F27:"devTools"
00007FF7B1144576 | 48:8D9424 B0000000       | lea rdx,qword ptr ss:[rsp+B0]           |
00007FF7B114457E | 48:8902                  | mov qword ptr ds:[rdx],rax              |
00007FF7B1144581 | 4C:8D7424 70             | lea r14,qword ptr ss:[rsp+70]           |
00007FF7B1144586 | 4C:89F1                  | mov rcx,r14                             |
00007FF7B1144589 | E8 B28368FE              | call wechatappex.7FF7AF7CC940           |
00007FF7B114458E | 48:8B5C24 58             | mov rbx,qword ptr ss:[rsp+58]           |
00007FF7B1144593 | 49:8946 08               | mov qword ptr ds:[r14+8],rax            |
00007FF7B1144597 | 48:8D05 DA282307         | lea rax,qword ptr ds:[7FF7B8376E78]     |
00007FF7B114459E | 48:898424 00020000       | mov qword ptr ss:[rsp+200],rax          |
00007FF7B11445A6 | 48:3B5C24 60             | cmp rbx,qword ptr ss:[rsp+60]           |
00007FF7B11445AB | 0F82 C6FEFFFF            | jb wechatappex.7FF7B1144477             |
00007FF7B11445B1 | 48:8D4C24 50             | lea rcx,qword ptr ss:[rsp+50]           |
00007FF7B11445B6 | 48:8D9424 00020000       | lea rdx,qword ptr ss:[rsp+200]          |
00007FF7B11445BE | E8 7D8368FE              | call wechatappex.7FF7AF7CC940           |
00007FF7B11445C3 | 48:89C3                  | mov rbx,rax                             |
00007FF7B11445C6 | 48:895C24 58             | mov qword ptr ss:[rsp+58],rbx           |
00007FF7B11445CB | 48:8B46 08               | mov rax,qword ptr ds:[rsi+8]            | rsi+08:"€>"
00007FF7B11445CF | 48:8BB8 70040000         | mov rdi,qword ptr ds:[rax+470]          |
00007FF7B11445D6 | 48:8D6C24 38             | lea rbp,qword ptr ss:[rsp+38]           |
00007FF7B11445DB | 48:896D 00               | mov qword ptr ss:[rbp],rbp              |
00007FF7B11445DF | 48:896D 08               | mov qword ptr ss:[rbp+8],rbp            |
00007FF7B11445E3 | 48:C745 10 00000000      | mov qword ptr ss:[rbp+10],0             |
00007FF7B11445EB | 4C:8BB7 68030000         | mov r14,qword ptr ds:[rdi+368]          |
00007FF7B11445F2 | 48:81C7 60030000         | add rdi,360                             |
00007FF7B11445F9 | 49:39FE                  | cmp r14,rdi                             |
00007FF7B11445FC | 0F84 A1010000            | je wechatappex.7FF7B11447A3             |
00007FF7B1144602 | 0F57F6                   | xorps xmm6,xmm6                         |
00007FF7B1144605 | B9 80000000              | mov ecx,80                              |
00007FF7B114460A | E8 91908402              | call wechatappex.7FF7B398D6A0           |
00007FF7B114460F | 48:85C0                  | test rax,rax                            |
00007FF7B1144612 | 0F84 1A050000            | je wechatappex.7FF7B1144B32             |
00007FF7B1144618 | 48:89C3                  | mov rbx,rax                             |
00007FF7B114461B | 49:8D56 10               | lea rdx,qword ptr ds:[r14+10]           | r14+10:">4"
00007FF7B114461F | 48:89C1                  | mov rcx,rax                             |
00007FF7B1144622 | 48:83C1 10               | add rcx,10                              |
00007FF7B1144626 | 0F1130                   | movups xmmword ptr ds:[rax],xmm6        |
00007FF7B1144629 | E8 E2A6DFFF              | call wechatappex.7FF7B0F3ED10           |
00007FF7B114462E | 48:896B 08               | mov qword ptr ds:[rbx+8],rbp            |
00007FF7B1144632 | 48:8B4424 38             | mov rax,qword ptr ss:[rsp+38]           |
00007FF7B1144637 | 48:8903                  | mov qword ptr ds:[rbx],rax              |
00007FF7B114463A | 48:8958 08               | mov qword ptr ds:[rax+8],rbx            |
00007FF7B114463E | 48:895C24 38             | mov qword ptr ss:[rsp+38],rbx           |
00007FF7B1144643 | 48:FF4424 48             | inc qword ptr ss:[rsp+48]               |
00007FF7B1144648 | 4D:8B76 08               | mov r14,qword ptr ds:[r14+8]            |
00007FF7B114464C | 49:39FE                  | cmp r14,rdi                             |
00007FF7B114464F | 75 B4                    | jne wechatappex.7FF7B1144605            |
00007FF7B1144651 | 48:8B7C24 40             | mov rdi,qword ptr ss:[rsp+40]           | [rsp+40]:timeBeginPeriod+108
00007FF7B1144656 | 48:39EF                  | cmp rdi,rbp                             |

找到的方法是什么

对于 app 模式的开发者工具覆盖 web 的情况 可以开启 cheat engine 不要开utf-8 不要开 case sensitive 去搜索 devtools/wechat_%s.html 就可以得到RVA了(这个是dump里面定义的,我们开断点看看谁在访问)。然后开 x64dbg 去看对应的地方如:

WechatAppHtml & WechatWebHtml

显然这个名字的由来就是内置的开发者工具html的名字, 主要是 wechat 开发者工具的类型, 一个是小程序版本, 一个是web版本, web版本的开发者工具能看到更多东西.

RVA: WeChatAppEx.exe+0x26D3B38 // /devtools/wechat_%s.html

00007FF7B0D53B38 | 4C:0F45C0 | cmovne r8,rax                           | r8:"app", rax:"web"

devTool 里面存了两种开发者工具的类型, 这个语句是 cmovne: 前一条 test bl,bl 的结果非零 (ZF=0) 时, 就把 rax ("web") 赋值给 r8, 否则 r8 保持 "app".

没想好怎么找到这里方便, 现在就是以固定的字符串 "/devtools/wechat_%s.html" 但是未来如果变更了不是找不到了?

现在只能考虑到如果是访问了dump里面的常量字符串, 那么就有可能断点到

目前RVA是 WeChatAppEx.exe+A22788C , 为什么他复制RVA的时候不能把模块带上. 不知道按到什么了 dump 的图像变成了红色的?还带一些闪烁

00007FF7B88A7889  A0 4A F8 68 74 74 70 73 3A 2F 2F 61 70 70 6C 65   Jøhttps://apple  
00007FF7B88A7899  74 2D 64 65 62 75 67 2E 63 6F 6D 00 61 70 70 00  t-debug.com.app.  
00007FF7B88A78A9  2F 64 65 76 74 6F 6F 6C 73 2F 77 65 63 68 61 74  /devtools/wechat  
00007FF7B88A78B9  5F 25 73 2E 68 74 6D 6C 00 2E 2E 5C 2E 2E 5C 66  _%s.html...\..\f  
00007FF7B88A78C9  6C 75 65 5C 62 72 6F 77 73 65 72 5C 64 65 76 74  lue\browser\devt  
00007FF7B88A78D9  6F 6F 6C 73 5C 66 6C 75 65 5F 64 65 76 74 6F 6F  ools\flue_devtoo  
00007FF7B88A78E9  6C 73 5F 6D 61 6E 61 67 65 72 5F 64 65 6C 65 67  ls_manager_deleg  
00007FF7B88A78F9  61 74 65 2E 63 63 00 46 6C 75 65 44 65 76 74 6F  ate.cc.FlueDevto  
00007FF7B88A7909  6F 6C 73 4D 61 6E 61 67 65 72 44 65 6C 65 67 61  olsManagerDelega  
00007FF7B88A7919  74 65 3A 3A 43 72 65 61 74 65 4E 65 77 54 61 72  te::CreateNewTar  
00007FF7B88A7929  67 65 74 00 64 6F 77 6E 6C 6F 61 64 3A 3A 42 61  get.download::Ba  
00007FF7B88A7939  63 6B 67 72 6F 75 6E 64 44 6F 77 6E 6C 6F 61 64  ckgroundDownload  
00007FF7B88A7949  53 65 72 76 69 63 65 00 00 00 00 00 00 00 00 02  Service.........  

/devtools/wechat_%s.html 的特征码

48 8D 05 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 84 DB 4C 0F 45 C0 4C 8D BC 24 B0 00 00 00 4D 89 67 ?? 41 0F 29 37 48 8D 15 ?? ?? ?? ?? 4C 89 F9 E8 ?? ?? ?? ?? 41 0F B6 47 ?? 84 C0 79 10 48 8B 84 24 B8 00 00 00 4C 8B BC 24 B0 00 00 00 48 85 C0 0F 88 F9 00 00 00 74 09 4D 85 FF 0F 84 F1 00 00 00 

这里是 app 常量的特征码

00007FF7B88A78A5  61 70 70 00 2F 64 65 76 74 6F 6F 6C 73 2F 77 65  app./devtools/we  

这里是 web 常量的特征码

00007FF7B86C1053  77 65 62 00 6F 73 00 6E 6F 74 2D 00 00 98 F8 12  web.os.not-...ø.  

__asm:

00007FF7B0D53ACA | 48:8D05 BB3DB507         | lea rax,qword ptr ds:[7FF7B88A788C]     | 00007FF7B88A788C:"https://applet-debug.com"
00007FF7B0D53AD1 | 48:8D9424 60010000       | lea rdx,qword ptr ss:[rsp+160]          |
00007FF7B0D53AD9 | 48:8902                  | mov qword ptr ds:[rdx],rax              |
00007FF7B0D53ADC | 48:C742 08 18000000      | mov qword ptr ds:[rdx+8],18             |
00007FF7B0D53AE4 | E8 976BF301              | call wechatappex.7FF7B2C8A680           |
00007FF7B0D53AE9 | 4C:8DB424 10010000       | lea r14,qword ptr ss:[rsp+110]          |
00007FF7B0D53AF1 | 41:0F2976 40             | movaps xmmword ptr ds:[r14+40],xmm6     |
00007FF7B0D53AF6 | 41:0F2976 30             | movaps xmmword ptr ds:[r14+30],xmm6     |
00007FF7B0D53AFB | 41:0F2976 20             | movaps xmmword ptr ds:[r14+20],xmm6     |
00007FF7B0D53B00 | 41:0F2976 10             | movaps xmmword ptr ds:[r14+10],xmm6     |
00007FF7B0D53B05 | 41:0F2936                | movaps xmmword ptr ds:[r14],xmm6        |
00007FF7B0D53B09 | 0F57C0                   | xorps xmm0,xmm0                         |
00007FF7B0D53B0C | 41:0F2946 C0             | movaps xmmword ptr ds:[r14-40],xmm0     |
00007FF7B0D53B11 | 41:0F2946 D0             | movaps xmmword ptr ds:[r14-30],xmm0     |
00007FF7B0D53B16 | 41:0F2946 E0             | movaps xmmword ptr ds:[r14-20],xmm0     |
00007FF7B0D53B1B | 41:0F2946 F0             | movaps xmmword ptr ds:[r14-10],xmm0     |
00007FF7B0D53B20 | 4C:89F1                  | mov rcx,r14                             |
00007FF7B0D53B23 | E8 F87B0802              | call wechatappex.7FF7B2DDB720           |
00007FF7B0D53B28 | 48:8D05 24D59607         | lea rax,qword ptr ds:[7FF7B86C1053]     | 00007FF7B86C1053:"web"
00007FF7B0D53B2F | 4C:8D05 6F3DB507         | lea r8,qword ptr ds:[7FF7B88A78A5]      | 00007FF7B88A78A5:"app"
00007FF7B0D53B36 | 84DB                     | test bl,bl                              |
00007FF7B0D53B38 | 4C:0F45C0                | cmovne r8,rax                           |
00007FF7B0D53B3C | 4C:8DBC24 B0000000       | lea r15,qword ptr ss:[rsp+B0]           |
00007FF7B0D53B44 | 4D:8967 10               | mov qword ptr ds:[r15+10],r12           |
00007FF7B0D53B48 | 41:0F2937                | movaps xmmword ptr ds:[r15],xmm6        |
00007FF7B0D53B4C | 48:8D15 563DB507         | lea rdx,qword ptr ds:[7FF7B88A78A9]     | 00007FF7B88A78A9:"/devtools/wechat_%s.html"
00007FF7B0D53B53 | 4C:89F9                  | mov rcx,r15                             |
00007FF7B0D53B56 | E8 B549A901              | call wechatappex.7FF7B27E8510           |
00007FF7B0D53B5B | 41:0FB647 17             | movzx eax,byte ptr ds:[r15+17]          |
00007FF7B0D53B60 | 84C0                     | test al,al                              |
00007FF7B0D53B62 | 79 10                    | jns wechatappex.7FF7B0D53B74            |
00007FF7B0D53B64 | 48:8B8424 B8000000       | mov rax,qword ptr ss:[rsp+B8]           |
00007FF7B0D53B6C | 4C:8BBC24 B0000000       | mov r15,qword ptr ss:[rsp+B0]           |
00007FF7B0D53B74 | 48:85C0                  | test rax,rax                            |
00007FF7B0D53B77 | 0F88 F9000000            | js wechatappex.7FF7B0D53C76             |
00007FF7B0D53B7D | 74 09                    | je wechatappex.7FF7B0D53B88             |
00007FF7B0D53B7F | 4D:85FF                  | test r15,r15                            |
00007FF7B0D53B82 | 0F84 F1000000            | je wechatappex.7FF7B0D53C79             |

LaunchAppletBegin 是在启动app的时候调用call

 Interceptor.attach(address.LaunchAppletBegin, {
   /**
    * Runs on entry to LaunchAppletBegin: reports the string found at rsi,
    * then rewrites two flags inside the string stored 896 bytes past rsi.
    */
   onEnter: function (args) {
     const launchInfo = this.context.rsi;
     send("[+] HOOK到小程序加载! " + readStdString(launchInfo));

     // Launch parameters; the original note says they sit at a fixed offset in the struct.
     const jsInfoField = launchInfo.add(896);
     const originalJson = readStdString(jsInfoField);

     // Each replacement has the same length as the text it replaces
     // (`:false` -> `: true`), presumably so the in-place write never has to
     // grow the string; confirm against writeStdString.
     const withVconsole = originalJson.replaceAll('"enable_vconsole":false', '"enable_vconsole": true');
     const patchedJson = withVconsole.replaceAll('"frameset":false', '"frameset": true');

     writeStdString(jsInfoField, patchedJson);
   },
 });
        
这样小程序启动的时候就自动加载了vconsole了.

enable-inspect

__asm

00007FF7492B6E5E | 833D CF2EBF08 FF         | cmp dword ptr ds:[0x7FF751EA9D34],0xFFFFFFFF |
00007FF7492B6E65 | 0F85 A9FBFFFF            | jne wechatappex.7FF7492B6A14                 |
00007FF7492B6E6B | 48:8B0D 0608C008         | mov rcx,qword ptr ds:[0x7FF751EB7678]        | 00007FF751EB7678:"包&"
00007FF7492B6E72 | 48:8D15 671FAD07         | lea rdx,qword ptr ds:[0x7FF750D88DE0]        | 00007FF750D88DE0:"enable-chrome-inspector"
00007FF7492B6E79 | E8 22488801              | call wechatappex.7FF74AB3B6A0                |
00007FF7492B6E7E | 89C1                     | mov ecx,eax                                  |
00007FF7492B6E80 | B0 01                    | mov al,0x1                                   |
00007FF7492B6E82 | 84C9                     | test cl,cl                                   |
00007FF7492B6E84 | 75 13                    | jne wechatappex.7FF7492B6E99                 |
00007FF7492B6E86 | 48:8B0D EB07C008         | mov rcx,qword ptr ds:[0x7FF751EB7678]        | 00007FF751EB7678:"包&"
00007FF7492B6E8D | 48:8D15 FC1FAD07         | lea rdx,qword ptr ds:[0x7FF750D88E90]        | 00007FF750D88E90:"xweb-enable-inspect"
00007FF7492B6E94 | E8 07488801              | call wechatappex.7FF74AB3B6A0                |
00007FF7492B6E99 | 8805 912EBF08            | mov byte ptr ds:[0x7FF751EA9D30],al          |

特征码:

83 3D ?? ?? ?? ?? FF 0F 85 A9 FB FF FF 48 8B 0D ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C1 B0 01 84 C9 75 13 48 8B 0D ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 88 05 ?? ?? ?? ?? 

后记

自11475, 文章 所描述特征均不存在,方法已失效,该开启方法需要另寻路径。
