好友
阅读权限10
听众
最后登录1970-1-1
|
25吾爱币
hook v信发送xml消息 好友之间转发公众号文章
od里面如下 偏移地址为 (534B0000 - 5376946B )
534B0000
5376946B FFB5 DCF2FFFF push dword ptr ss:[ebp-0xD24] ; push 0x5
53769471 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
53769477 50 push eax ; eax 缓存0x88
53769478 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-0x9C]
5376947E 50 push eax ; 缩略图图片地址
5376947F 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-0xE0]
53769485 50 push eax ; xml内容
53769486 57 push edi ; 接收者ID
53769487 8D95 B8F3FFFF lea edx,dword ptr ss:[ebp-0xC48] ; 我的ID 公众号id和公众号名称
5376948D 8D8D B0FCFFFF lea ecx,dword ptr ss:[ebp-0x350] ; 缓存 0x350
53769493 E8 68DEFFFF call WeChatWi.53767300 ; 发送xml消息结构体
以下为delphi代码 每次单步调试走到call1时 也就是上面的call就报错 实在不清楚什么问题导致啊,求教大佬给个思路。
procedure TFrmWeChat_Robot.Button2Click(Sender: TObject);
var
buff1, buff2, buff3: PChar;
xmlStr, PicPathStr: string;
GZHInfo: TwxIDAtList;
Param, call1, call2: DWORD;
PicPathDuiStr,xmlPathDuistr, RcvUserDuiStr, MyIDDuiStr: DUI_STRING;
begin
PicPathStr := 'C:\Users\zjm\Documents\WeChat Files\wxid_v6vrnrvmqnu612\FileStorage\Cache\2021-03\040984ffd5a314533a934fec79d922b5_t.jpg';
PicPathDuiStr.MsgBuf := PWideChar(PicPathStr);
PicPathDuiStr.Len1 := Length(PicPathStr);
PicPathDuiStr.Len2 := Length(PicPathStr) + $2E;
PicPathDuiStr.NonParam1 := $0;
PicPathDuiStr.NonParam2 := $0;
xmlStr := '<msg>'+
'<fromusername>发送者wxid(自己的ID防止删帖去掉)</fromusername>'+
'<scene>0</scene>'+
'<commenturl></commenturl>'+
'<appmsg appid="" sdkver="0">'+
'<title>潍坊最新公告!禁止发布现场照片!</title>'+
'<des>点击查看↑↑</des>'+
'<action>view</action>'+
'<type>5</type>'+
'<showtype>0</showtype>'+
'<content></content>'+
'<url>http://mp.weixin.qq.com/s?__biz=MjM5MDg1OTYwNA==&mid=2663457384&idx=1&sn=c8d41589c00fe5e05b105dcb4fe16f5f&'+
'chksm=bd8bea538afc6345d34e6ae0cdedab7d3705e995022ef25745e01eedb8487bce9f3ceb67625d&scene=126&&sessionid=1615361554#rd</url>'+
'<dataurl></dataurl>'+
'<lowurl></lowurl>'+
'<lowdataurl></lowdataurl>'+
'<recorditem>'+
'<![CDATA[]]>'+
'</recorditem>'+
'<thumburl>https://mmbiz.qpic.cn/mmbiz_jpg/qH1lLYZesOkhD3OaruQ2OnC6C7HoOQoF6lH8P6SRSUfEd4gH4MUEemPUmxBrx8VbUAGpx8LTnJOPx0124ym9GQ/300?wxtype=jpeg&wxfrom=0</thumburl>'+
'<messageaction></messageaction>'+
'<extinfo></extinfo>'+
'<sourceusername>gh_186467bbb778</sourceusername>'+
'<sourcedisplayname>大众网潍坊</sourcedisplayname>'+
'<commenturl></commenturl>'+
'<appattach>'+
'<totallen>0</totallen>'+
'<attachid></attachid>'+
'<emoticonmd5></emoticonmd5>'+
'<fileext></fileext>'+
'<cdnthumburl>30530201000447304502010002045ae8d9d002032df08e02044e96bc770204604870c6042033373439303064303761663865326238626565373034396366313265303933380204010408030201000405004c54a200</cdnthumburl>'+
'<cdnthumblength>3824</cdnthumblength>'+
'<cdnthumbheight>150</cdnthumbheight>'+
'<cdnthumbwidth>150</cdnthumbwidth>'+
'<aeskey></aeskey>'+
'<cdnthumbaeskey>3fe611a93638eb06244c77790f0a627b</cdnthumbaeskey>'+
'<cdnthumblength>3824</cdnthumblength>'+
'<cdnthumbheight>150</cdnthumbheight>'+
'<cdnthumbwidth>150</cdnthumbwidth>'+
'</appattach>'+
'<weappinfo>'+
'<pagepath></pagepath>'+
'<username></username>'+
'<appid></appid>'+
'<appservicetype>0</appservicetype>'+
'</weappinfo>'+
'<websearch />'+
'<finderFeed>'+
'<objectId>0</objectId>'+
'<objectNonceId>0</objectNonceId>'+
'<feedType>-1</feedType>'+
'<nickname></nickname>'+
'<username></username>'+
'<avatar></avatar>'+
'<desc></desc>'+
'<mediaCount>0</mediaCount>'+
'<localId>0</localId>'+
'<mediaList />'+
'</finderFeed>'+
'<finderLive>'+
'<finderLiveID>0</finderLiveID>'+
'<finderUsername></finderUsername>'+
'<finderObjectID>0</finderObjectID>'+
'<nickname></nickname>'+
'<desc></desc>'+
'<finderNonceID>0</finderNonceID>'+
'<headUrl></headUrl>'+
'<liveStatus>-1</liveStatus>'+
'<media>'+
'<thumbUrl></thumbUrl>'+
'<videoPlayDuration>0</videoPlayDuration>'+
'<url></url>'+
'<coverUrl></coverUrl>'+
'<height>0</height>'+
'<width>0</width>'+
'<mediaType>-1</mediaType>'+
'</media>'+
'</finderLive>'+
'</appmsg>'+
'<appinfo>'+
'<version>1</version>'+
'<appname>Window wechat</appname>'+
'</appinfo>'+
'</msg>';
xmlPathDuistr.MsgBuf := PWideChar(xmlStr);
xmlPathDuistr.Len1 := Length(xmlStr);
xmlPathDuistr.Len2 := Length(xmlStr);
xmlPathDuistr.NonParam1 := $0;
xmlPathDuistr.NonParam2 := $0;
RcvUserDuiStr.MsgBuf := PWideChar('filehelper');
RcvUserDuiStr.Len1 := Length('filehelper');
RcvUserDuiStr.Len2 := Length('filehelper') * 2;
RcvUserDuiStr.NonParam1 := $0;
RcvUserDuiStr.NonParam2 := $0;
SetLength(GZHInfo, 3);
GZHInfo[0].MsgBuf := PWideChar('wxid_dm8wfludpmbs21');
GZHInfo[0].Len1 := Length('wxid_dm8wfludpmbs21');
GZHInfo[0].Len2 := Length('wxid_dm8wfludpmbs21') * 2;
GZHInfo[0].NonParam1 := $0;
GZHInfo[0].NonParam2 := $0;
GZHInfo[1].MsgBuf := PWideChar('大众网潍坊');
GZHInfo[1].Len1 := Length('大众网潍坊');
GZHInfo[1].Len2 := Length('大众网潍坊') * 2;
GZHInfo[1].NonParam1 := $0;
GZHInfo[1].NonParam2 := $0;
GZHInfo[2].MsgBuf := PWideChar('gh_186467bbb778');
GZHInfo[2].Len1 := Length('gh_186467bbb778');
GZHInfo[2].Len2 := Length('gh_186467bbb778') * 2;
GZHInfo[2].NonParam1 := $0;
GZHInfo[2].NonParam2 := $0;
MyIDDuiStr.MsgBuf := PWideChar('wxid_dm8wfludpmbs21');
MyIDDuiStr.Len1 := Length('wxid_dm8wfludpmbs21');
MyIDDuiStr.Len2 := Length('wxid_dm8wfludpmbs21') * 2;
MyIDDuiStr.NonParam1 := $0;
MyIDDuiStr.NonParam2 := $0;
call1 := WinAdd + $2B7300;
try
GetMem(buff1, $88); //4f 7a 88
GetMem(buff2, $350); //26F 350
GetMem(buff3, $9C); //26F 350
asm
pushad
push $5
mov eax, buff1
push eax
lea eax, PicPathDuiStr
push eax
lea eax, xmlPathDuistr
push eax
lea edi, RcvUserDuiStr
push edi
lea edx, MyIDDuiStr
mov ecx, buff2
call call1
popad
end;
finally
FreeMem(buff1);
FreeMem(buff2);
FreeMem(buff3);
end;
end; |
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2021-3-11 10:03
