Version: win 3.9.12.17
Starting point
As usual, start by turning on the log switch and look for the message-receive logs
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:start process cmdlist size : 1
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:msg cmd count : 1
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:doAddMsg srvid: xxx, msgtyp: 1,cTime:xxx,msgseq: xxx from : xxx to xxx
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:msg acctype 0 from user <NULL>
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:process cmdlist end tot msg : 1
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
(2024-10-3:15:03:20:606 12012)-i/SyncMgr:Sync Msg count : 16, pass to chatmgr msg count : 10
SyncMgr D:\Tools\agent\workspace\MicroMsgWindowsV3912\MicroMsgWin\02_manager\SyncMgr.cpp
SyncMgr:doAddMsg looks suspicious. Search for the SyncMgr:doAddMsg string, walk back to the start of the function that logs it, and land at .$230FF80
Stepping onward, a familiar XML structure shows up in the stack area:
0000007DA59FED48
0000020BDCF93950 &"<msgsource>\n\t<bizflag>0</bizflag>\n\t<pua>1</pua>\n\t<eggIncluded>1</eggIncluded>\n\t<signature>V1_BDCgPX2o|v1_BDCgPX2o</signature>\n\t<tmp_node>\n\t\t<publisher-id></publisher-id>\n\t</tmp_node>\n</msgsource>\n"
Good, the message body appears. This is the spot.
00007FFAD64F0668 | 48:8B52 08 | mov rdx,qword ptr ds:[rdx+0x8] |
00007FFAD64F066C | 48:8D4D 88 | lea rcx,qword ptr ss:[rbp-0x78] | rbp-78:StartWechat+7F290
00007FFAD64F0670 | E8 AB173100 | call wechatwin.7FFAD6801E20 |
00007FFAD64F0675 | 90 | nop |
00007FFAD64F0676 | 48:8B75 D0 | mov rsi,qword ptr ss:[rbp-0x30] |
00007FFAD64F067A | 48:8D86 88000000 | lea rax,qword ptr ds:[rsi+0x88] |
00007FFAD64F0681 | 48:8945 00 | mov qword ptr ss:[rbp],rax | rbp:StartWechat+7F308
00007FFAD64F0685 | 48:8B55 88 | mov rdx,qword ptr ss:[rbp-0x78] | rbp-78:StartWechat+7F290
00007FFAD64F0689 | 48:85D2 | test rdx,rdx |
00007FFAD64F068C | 74 06 | je wechatwin.7FFAD64F0694 |
Signature asm
mov rdx,qword ptr ds:[rdx+0x8]
lea rcx,qword ptr ss:[rbp-78]
Signature bytes
48 8B 75 D0 48 8D 86 ?? ?? ?? ?? 48 89 45 00 48 8B 55 88 48 85 D2 74 06
Run to .$2310685 (the mov rdx,[rbp-0x78] right after the [rbp] store) and you get
- message body: [rax]
- sender: [rsi]
- recipient: [rsp+130]
- message definition pointer: [rdx]
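Added example, not code from the note or from WeChat: a wildcard signature scanner that locates the byte pattern above and derives the breakpoint address from it. The buffer is a constructed copy of the instruction bytes listed in the disassembly (in a live process it would be WeChatWin.dll's code section read with ReadProcessMemory); its virtual address, the 15-byte distance from the match start to the breakpoint, and the module base 0x7FFAD41E0000 (0x7FFAD64F0685 minus 0x2310685, reading the `.$` addresses as x64dbg RVAs) are all assumptions taken from the numbers on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The signature from the note. "??" matches any byte: the lea displacement
 * (rsi+0x88 here) is the part most likely to move between builds. */
const char *DOADDMSG_SIG =
    "48 8B 75 D0 48 8D 86 ?? ?? ?? ?? 48 89 45 00 48 8B 55 88 48 85 D2 74 06";

/* Constructed input: the instruction bytes at 0x7FFAD64F0668..0x7FFAD64F068D. */
const uint8_t DOADDMSG_BYTES[] = {
    0x48, 0x8B, 0x52, 0x08,                   /* 0668: mov rdx,[rdx+8]               */
    0x48, 0x8D, 0x4D, 0x88,                   /* 066C: lea rcx,[rbp-0x78]            */
    0xE8, 0xAB, 0x17, 0x31, 0x00,             /* 0670: call wechatwin.7FFAD6801E20   */
    0x90,                                     /* 0675: nop                           */
    0x48, 0x8B, 0x75, 0xD0,                   /* 0676: mov rsi,[rbp-0x30]  match start */
    0x48, 0x8D, 0x86, 0x88, 0x00, 0x00, 0x00, /* 067A: lea rax,[rsi+0x88]            */
    0x48, 0x89, 0x45, 0x00,                   /* 0681: mov [rbp],rax                 */
    0x48, 0x8B, 0x55, 0x88,                   /* 0685: mov rdx,[rbp-0x78]  breakpoint */
    0x48, 0x85, 0xD2,                         /* 0689: test rdx,rdx                  */
    0x74, 0x06,                               /* 068C: je +6                         */
};

/* Assumed VA of DOADDMSG_BYTES[0] (the first instruction in the listing). */
#define BUF_VA 0x7FFAD64F0668ULL
/* Match start (mov rsi) to breakpoint (mov rdx,[rbp-0x78]): 4 + 7 + 4 bytes. */
#define BREAK_DELTA 15

typedef struct { uint8_t value; int any; } pat_byte;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "48 8B ?? D0" into pat[]; returns element count, or -1 on malformed input. */
static int parse_pattern(const char *s, pat_byte *pat, size_t max) {
    size_t n = 0;
    while (*s) {
        if (*s == ' ') { s++; continue; }
        if (n >= max) return -1;
        if (s[0] == '?' && s[1] == '?') {
            pat[n].any = 1; pat[n].value = 0;
        } else {
            int hi = hexval(s[0]), lo = hexval(s[1]);
            if (hi < 0 || lo < 0) return -1;
            pat[n].any = 0; pat[n].value = (uint8_t)(hi * 16 + lo);
        }
        s += 2; n++;
    }
    return (int)n;
}

/* Offset of the first match of pattern in buf, or -1 if absent or malformed. */
long find_pattern(const uint8_t *buf, size_t len, const char *pattern) {
    pat_byte pat[64];
    int plen = parse_pattern(pattern, pat, sizeof pat / sizeof pat[0]);
    if (plen <= 0 || (size_t)plen > len) return -1;
    for (size_t i = 0; i + (size_t)plen <= len; i++) {
        size_t j = 0;
        while (j < (size_t)plen && (pat[j].any || buf[i + j] == pat[j].value)) j++;
        if (j == (size_t)plen) return (long)i;
    }
    return -1;
}

/* VA to break on (the mov rdx,[rbp-0x78] the note calls .$2310685), or 0 if not found. */
uint64_t doaddmsg_break_va(const uint8_t *buf, size_t len, uint64_t buf_va) {
    long off = find_pattern(buf, len, DOADDMSG_SIG);
    return off < 0 ? 0 : buf_va + (uint64_t)off + BREAK_DELTA;
}

/* Module-relative offset as x64dbg prints it (.$RVA): VA minus module base. */
uint64_t to_rva(uint64_t va, uint64_t module_base) { return va - module_base; }

int main(void) {
    uint64_t module_base = 0x7FFAD41E0000ULL;   /* assumed: 0x7FFAD64F0685 - 0x2310685 */
    uint64_t bp = doaddmsg_break_va(DOADDMSG_BYTES, sizeof DOADDMSG_BYTES, BUF_VA);
    printf("signature at buffer offset %ld, breakpoint VA %llx, .$%llx\n",
           find_pattern(DOADDMSG_BYTES, sizeof DOADDMSG_BYTES, DOADDMSG_SIG),
           (unsigned long long)bp, (unsigned long long)to_rva(bp, module_base));
    return 0;
}
```

The scanner rejects a malformed pattern instead of silently matching nothing, and the breakpoint is derived from the match rather than hard-coded, so the same signature can be re-run against a new build where only the module base or the wildcarded displacement has changed.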
The message-definition XML looks like this:
<msg>
<emoji fromusername = "" tousername = "" type="2" idbuffer="media:0_0" md5="" len = "" productid="" androidmd5="" androidlen="" s60v3md5 = "" s60v3len="" s60v5md5 = "" s60v5len="" cdnurl = "" designerid = "" thumburl = "" encrypturl = "" aeskey= "" externurl = "" externmd5 = "" width= "" height= "" tpurl= "" tpauthkey= "" attachedtext= "" attachedtextcolor= "" lensid= "" emojiattr= "" linkid= "" desc= "" ></emoji>
<gameext type="0" content="0" ></gameext>
</msg>