VX (WeChat) PC client technical research: message anti-recall
https://www.52pojie.cn/thread-831499-1-1.html
(出处: 吾爱破解论坛)
Building on a predecessor's work, the analysis really is easier. First, a screenshot of the result (image not included here).
This is only the idea; a little coding will turn it into whatever you want!
[Asm]
5667BC3E |. 6A 00 PUSH 0x0
5667BC40 |. FF70 04 PUSH DWORD PTR DS:[EAX+0x4]
5667BC43 |. E8 B8721700 CALL 567F2F00
5667BC48 |. E8 E36EF4FF CALL 565C2B30 ; if this call returns 1, the message is a recall
5667BC4D |. 83C4 14 ADD ESP, 0x14
5667BC50 |. 84C0 TEST AL, AL
5667BC52 74 72 JE SHORT 5667BCC6
5667BC54 |. 0F1005 E03A36>MOVUPS XMM0, DQWORD PTR DS:[0x57363AE0]
5667BC5B |. 83EC 10 SUB ESP, 0x10
5667BC5E |. 8BC4 MOV EAX, ESP
5667BC60 |. 83EC 10 SUB ESP, 0x10
5667BC63 |. 0F1100 MOVUPS DQWORD PTR DS:[EAX], XMM0
5667BC66 |. 8BC4 MOV EAX, ESP
5667BC68 |. 83EC 10 SUB ESP, 0x10
5667BC6B |. 0F1100 MOVUPS DQWORD PTR DS:[EAX], XMM0
5667BC6E |. 8BC4 MOV EAX, ESP
5667BC70 |. 83EC 10 SUB ESP, 0x10
5667BC73 |. 0F1100 MOVUPS DQWORD PTR DS:[EAX], XMM0
5667BC76 |. 8BC4 MOV EAX, ESP
5667BC78 |. 83EC 10 SUB ESP, 0x10
5667BC7B |. 0F1100 MOVUPS DQWORD PTR DS:[EAX], XMM0
5667BC7E |. 8BC4 MOV EAX, ESP
5667BC80 |. 83EC 10 SUB ESP, 0x10
5667BC83 |. 8BCC MOV ECX, ESP
5667BC85 |. FF75 E4 PUSH [LOCAL.7]
5667BC88 |. 0F1100 MOVUPS DQWORD PTR DS:[EAX], XMM0
5667BC8B |. FF75 E0 PUSH [LOCAL.8]
5667BC8E |. E8 1D83D7FF CALL 563F3FB0
5667BC93 |. 68 48053D57 PUSH 573D0548 ; On RevokeMsg svrId : %d
5667BC98 |. 68 5C003D57 PUSH 573D005C ; SyncMgr
5667BC9D |. 68 A4043D57 PUSH 573D04A4 ; SyncMgr::doAddMsg
5667BCA2 |. 68 56050000 PUSH 0x556
5667BCA7 |. BA C8003D57 MOV EDX, 573D00C8 ; 02_manager\SyncMgr.cpp
5667BCAC |. B9 02000000 MOV ECX, 0x2
5667BCB1 |. E8 7A641700 CALL 567F2130
5667BCB6 |. 83C4 70 ADD ESP, 0x70
5667BCB9 |. 8D4D A8 LEA ECX, [LOCAL.22]
5667BCBC |. E8 8F71F4FF CALL 565C2E50
Following the original post's analysis, anti-recall can be achieved, and changing the jump at 5667BC52 also prevents the recall. I was also curious about the "blank message" call that @bester mentioned,
so I kept tracing.
If the jump at 5667BC52 achieves anti-recall, that means the call that performs the recall lies inside the region that jump skips:
5667BC8E |. E8 1D83D7FF CALL 563F3FB0
5667BCB1 |. E8 7A641700 CALL 567F2130
5667BCBC |. E8 8F71F4FF CALL 565C2E50
Debugging showed that the functionality is implemented inside 565C2E50, so I traced into it.
[Asm]
565C2E50 /$ 55 PUSH EBP
565C2E51 |. 8BEC MOV EBP, ESP
565C2E53 |. 6A FF PUSH -0x1
565C2E55 |. 68 38CC1A57 PUSH 571ACC38
565C2E5A |. 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
565C2E60 |. 50 PUSH EAX
565C2E61 |. 83EC 48 SUB ESP, 0x48
565C2E64 |. 53 PUSH EBX
565C2E65 |. 56 PUSH ESI
565C2E66 |. 57 PUSH EDI
565C2E67 |. A1 C4705657 MOV EAX, DWORD PTR DS:[0x575670C4] ; MSVC /GS security cookie (OllyDbg renders its value as "&(4Y")
565C2E6C |. 33C5 XOR EAX, EBP
565C2E6E |. 50 PUSH EAX
565C2E6F |. 8D45 F4 LEA EAX, [LOCAL.3]
565C2E72 |. 64:A3 0000000>MOV DWORD PTR FS:[0], EAX
565C2E78 |. 8BF1 MOV ESI, ECX
565C2E7A |. 8B46 14 MOV EAX, DWORD PTR DS:[ESI+0x14]
565C2E7D |. 85C0 TEST EAX, EAX
565C2E7F |. 75 08 JNZ SHORT 565C2E89
565C2E81 |. A1 14DB5C57 MOV EAX, DWORD PTR DS:[0x575CDB14]
565C2E86 |. 8B40 14 MOV EAX, DWORD PTR DS:[EAX+0x14]
565C2E89 |> 83EC 14 SUB ESP, 0x14
565C2E8C |. 8BCC MOV ECX, ESP
565C2E8E |. 6A 00 PUSH 0x0
565C2E90 |. FF70 04 PUSH DWORD PTR DS:[EAX+0x4]
565C2E93 |. E8 68002300 CALL 567F2F00
565C2E98 |. 8D4D C0 LEA ECX, [LOCAL.16]
565C2E9B |. E8 600A2400 CALL 56803900
565C2EA0 |. 83C4 14 ADD ESP, 0x14
565C2EA3 |. C745 FC 00000>MOV [LOCAL.1], 0x0
565C2EAA |. 837D C4 00 CMP [LOCAL.15], 0x0
565C2EAE |. 0F9EC0 SETLE AL
565C2EB1 |. 84C0 TEST AL, AL
565C2EB3 |. 0F85 36010000 JNZ 565C2FEF
565C2EB9 |. 0F57C0 XORPS XMM0, XMM0
565C2EBC |. C745 BC 00000>MOV [LOCAL.17], 0x0
565C2EC3 |. 6A FF PUSH -0x1
565C2EC5 |. 68 083B3657 PUSH 57363B08
565C2ECA |. 8D4D AC LEA ECX, [LOCAL.21]
565C2ECD |. 66:0F1345 E8 MOVLPS QWORD PTR SS:[EBP-0x18], XMM0
565C2ED2 |. 0F1145 AC MOVUPS DQWORD PTR SS:[EBP-0x54], XMM0
565C2ED6 |. E8 D5012300 CALL 567F30B0
565C2EDB |. 6A FF PUSH -0x1
565C2EDD |. 0F57C0 XORPS XMM0, XMM0
565C2EE0 |. C745 E4 00000>MOV [LOCAL.7], 0x0
565C2EE7 |. 68 083B3657 PUSH 57363B08
565C2EEC |. 8D4D D4 LEA ECX, [LOCAL.11]
565C2EEF |. 0F1145 D4 MOVUPS DQWORD PTR SS:[EBP-0x2C], XMM0
565C2EF3 |. E8 B8012300 CALL 567F30B0
565C2EF8 |. 8D45 D4 LEA EAX, [LOCAL.11]
565C2EFB |. C645 FC 02 MOV BYTE PTR SS:[EBP-0x4], 0x2
565C2EFF |. 50 PUSH EAX
565C2F00 |. 83EC 14 SUB ESP, 0x14
565C2F03 |. 8D7D AC LEA EDI, [LOCAL.21]
565C2F06 |. 8BCC MOV ECX, ESP
565C2F08 |. 8D5D E8 LEA EBX, [LOCAL.6]
565C2F0B |. 6A FF PUSH -0x1
565C2F0D |. C701 00000000 MOV DWORD PTR DS:[ECX], 0x0
565C2F13 |. C741 04 00000>MOV DWORD PTR DS:[ECX+0x4], 0x0
565C2F1A |. C741 08 00000>MOV DWORD PTR DS:[ECX+0x8], 0x0
565C2F21 |. C741 0C 00000>MOV DWORD PTR DS:[ECX+0xC], 0x0
565C2F28 |. C741 10 00000>MOV DWORD PTR DS:[ECX+0x10], 0x0
565C2F2F |. FF75 C0 PUSH [LOCAL.16]
565C2F32 |. E8 79012300 CALL 567F30B0
565C2F37 |. 8BD7 MOV EDX, EDI
565C2F39 |. 8BCB MOV ECX, EBX
565C2F3B |. E8 D0450000 CALL 565C7510
565C2F40 |. 8B7D AC MOV EDI, [LOCAL.21]
565C2F43 |. 83C4 18 ADD ESP, 0x18
565C2F46 |. 84C0 TEST AL, AL
565C2F48 |. 74 45 JE SHORT 565C2F8F
565C2F4A |. 8B76 2C MOV ESI, DWORD PTR DS:[ESI+0x2C]
565C2F4D |. 83EC 14 SUB ESP, 0x14
565C2F50 |. 8BCC MOV ECX, ESP
565C2F52 |. 6A FF PUSH -0x1
565C2F54 |. C701 00000000 MOV DWORD PTR DS:[ECX], 0x0
565C2F5A |. C741 04 00000>MOV DWORD PTR DS:[ECX+0x4], 0x0
565C2F61 |. C741 08 00000>MOV DWORD PTR DS:[ECX+0x8], 0x0
565C2F68 |. 57 PUSH EDI
565C2F69 |. C741 0C 00000>MOV DWORD PTR DS:[ECX+0xC], 0x0
565C2F70 |. C741 10 00000>MOV DWORD PTR DS:[ECX+0x10], 0x0
565C2F77 |. E8 34012300 CALL 567F30B0
565C2F7C |. FF75 EC PUSH [LOCAL.5]
565C2F7F |. 8BD6 MOV EDX, ESI
565C2F81 |. 8D4D D4 LEA ECX, [LOCAL.11]
565C2F84 |. FF75 E8 PUSH [LOCAL.6]
565C2F87 |. E8 94010000 CALL 565C3120 ; the stack here holds all the related info; NOPing this call prevents the recall, so keep following it
[Asm]
565C3393 |. E8 18FD2200 CALL 567F30B0 ; EAX shows "recalled"
565C3398 |. 8D95 58FDFFFF LEA EDX, [LOCAL.170]
565C339E |. 8D4D C4 LEA ECX, [LOCAL.15]
565C33A1 |. E8 FA0C0000 CALL 565C40A0
565C33A6 |. 83C4 14 ADD ESP, 0x14
565C33A9 |. 8D85 C0FDFFFF LEA EAX, [LOCAL.144]
565C33AF |. C645 FC 06 MOV BYTE PTR SS:[EBP-0x4], 0x6
565C33B3 |. 50 PUSH EAX ; EAX = message content, i.e. the original message content
565C33B4 |. 8D8D 58FDFFFF LEA ECX, [LOCAL.170]
565C33BA |. E8 6196FEFF CALL 565ACA20
565C33BF |. 8B45 C4 MOV EAX, [LOCAL.15] ; after this runs, EAX holds the operation text, e.g. "You recalled a message", etc.
565C33C2 |. 85C0 TEST EAX, EAX
565C33C4 |> 74 06 JE SHORT 565C33CC
565C33C6 |. 66:8338 00 CMP WORD PTR DS:[EAX], 0x0
[Asm]
565C33DA |. 50 PUSH EAX
565C33DB |. E8 D0FC2200 CALL 567F30B0 ; this call is probably the replacement
565C33E0 |. 8B85 20FFFFFF MOV EAX, [LOCAL.56]
565C33E6 |. 25 00020000 AND EAX, 0x200
565C33EB |. C785 88FDFFFF>MOV [LOCAL.158], 0x2710
As for why I say it is a replacement call: I don't know C very well. After analysing with IDA I went into the function and had a look; could a C expert please explain it?
[C]
// IDA decompilation of the function the post traces into (IDA's image base differs
// from the debugger's, hence the different address). It behaves like a wide-string
// assignment: this[0] is the character buffer, this[1] the length in characters.
// The callers above push -0x1 as the length, which takes the wcslen() path below.
wchar_t *__thiscall sub_104830B0(int *this, wchar_t *a2, size_t a3)
{
  int *v3; // edi
  unsigned int v4; // esi
  bool v5; // zf
  wchar_t *result; // eax

  v3 = this;
  if ( a2 && *a2 )
  {
    v4 = a3;
    v5 = a3 == 0;
    if ( (a3 & 0x80000000) != 0 )      // length "negative" (-1): measure the source string
    {
      v4 = wcslen(a2);
      v5 = v4 == 0;
    }
    if ( v5 )                          // empty source: clear the existing string in place
    {
      result = (wchar_t *)*this;
      if ( *this )
      {
        *result = 0;
        this[2] = 0;
        this[1] = 0;
      }
    }
    else
    {
      sub_10483930(v4);                // make room for v4 characters
      wcsncpy((wchar_t *)*v3, a2, v4); // copy the new text over the old content
      result = (wchar_t *)*v3;
      *(_WORD *)(*v3 + 2 * v4) = 0;    // NUL-terminate (wchar_t is 2 bytes on Windows)
      v3[1] = v4;                      // store the new length
    }
  }
  else                                 // NULL or empty source: clear the existing string
  {
    result = (wchar_t *)*this;
    if ( *this )
    {
      *result = 0;
      this[2] = 0;
      this[1] = 0;
    }
  }
  return result;
}
It feels like a replacement, because once it has run the original content is gone...
[Asm]
565C34BA |. 6A 01 PUSH 0x1
565C34BC |. 6A 01 PUSH 0x1
565C34BE |. 51 PUSH ECX
565C34BF |. 8BC8 MOV ECX, EAX
565C34C1 |. FF52 18 CALL DWORD PTR DS:[EDX+0x18] ; this is the final key call
565C34C4 |. EB 63 JMP SHORT 565C3529
If you are interested, keep tracing; I stopped here because the basic function already works. In other words, I did not trace out the so-called blank-message call; I simply used a HOOK to display the original message!
If you write code for it, you can also replace it with a custom message. Tracing further down should reach the drawing routine.
I chose to HOOK at 565C33BF |. 8B45 C4 MOV EAX, [LOCAL.15]
[Asm]
565C33BF /E9 114E7F00 JMP 56DB81D5 ; after this runs, EAX holds the operation text, e.g. "You recalled a message", etc.
This simply fetches the original message; put whatever text you want into EAX and that is what will be shown. Here you can obtain the original message content and the chat's wxid, which is basically enough.
[Asm]
56DB81D5 . 8B4424 78 MOV EAX, DWORD PTR SS:[ESP+0x78] ; WeChatWi.56A2FECE
56DB81D9 . 85C0 TEST EAX, EAX
56DB81DB .^ E9 E4B180FF JMP 565C33C4
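Added example, not code from the post or from WeChat: a small C program that models the 5-byte JMP hook above. It assumes only the addresses and bytes the post lists (the hook at 565C33BF, the cave at 56DB81D5, the resume point 565C33C4 and the ESP+0x78 operand), touches no live process, and recomputes the two rel32 displacements to check them against the listing. It also shows why the overwritten span is exactly MOV EAX,[LOCAL.15] plus TEST EAX,EAX, which is why the cave replays the TEST and jumps back to the JE.

```c
/* Added example: arithmetic for the inline JMP hook at 565C33BF.
 * Addresses are the ones quoted in the post; nothing here patches memory. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5u   /* E9 + 4-byte displacement */

/* rel32 is measured from the end of the JMP; 32-bit wraparound is intended. */
uint32_t rel32_for(uint32_t jmp_va, uint32_t target_va)
{
    return target_va - (jmp_va + JMP_REL32_LEN);
}

/* Emit "E9 rel32" at jmp_va so that control lands on target_va. */
void encode_jmp_rel32(uint32_t jmp_va, uint32_t target_va, uint8_t out[5])
{
    uint32_t rel = rel32_for(jmp_va, target_va);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Inverse: where does an E9 located at jmp_va go? Returns 0 if not an E9. */
uint32_t decode_jmp_rel32(uint32_t jmp_va, const uint8_t in[5])
{
    if (in[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)in[1] | ((uint32_t)in[2] << 8) |
                   ((uint32_t)in[3] << 16) | ((uint32_t)in[4] << 24);
    return jmp_va + JMP_REL32_LEN + rel;
}

/* Instructions the JMP overwrites at 565C33BF (from the post's listing):
 *   8B 45 C4   MOV EAX, [EBP-0x3C]   (LOCAL.15, the "recalled" text)  3 bytes
 *   85 C0      TEST EAX, EAX                                            2 bytes
 * Together exactly 5 bytes, so no instruction is cut in half and the cave
 * can resume at 565C33C4 (the JE SHORT) after replaying the TEST. */
static const uint8_t stolen_bytes[] = { 0x8B, 0x45, 0xC4, 0x85, 0xC0 };

/* A hook span is sound when the instructions it covers add up to the JMP size. */
int hook_span_ok(size_t first_insn_len, size_t second_insn_len)
{
    return first_insn_len + second_insn_len == JMP_REL32_LEN;
}

/* Build the cave the post shows at 56DB81D5:
 *   8B 44 24 78  MOV EAX, [ESP+0x78]  (original text; the 0x78 is the post's finding)
 *   85 C0        TEST EAX, EAX        (replays the stolen TEST)
 *   E9 rel32     JMP resume_va
 * Returns the number of bytes written (11). */
size_t build_cave(uint32_t cave_va, uint32_t resume_va, uint8_t out[11])
{
    static const uint8_t head[] = { 0x8B, 0x44, 0x24, 0x78, 0x85, 0xC0 };
    memcpy(out, head, sizeof head);
    encode_jmp_rel32(cave_va + (uint32_t)sizeof head, resume_va, out + sizeof head);
    return sizeof head + JMP_REL32_LEN;
}

static void hexdump(const char *label, uint32_t va, const uint8_t *p, size_t n)
{
    printf("%s %08" PRIX32 ":", label, va);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    const uint32_t hook_va = 0x565C33BF, cave_va = 0x56DB81D5, resume_va = 0x565C33C4;
    uint8_t jmp[5], cave[11];

    encode_jmp_rel32(hook_va, cave_va, jmp);
    size_t cave_len = build_cave(cave_va, resume_va, cave);

    hexdump("patch at", hook_va, jmp, sizeof jmp);   /* E9 11 4E 7F 00, as in the post */
    hexdump("cave at ", cave_va, cave, cave_len);    /* ... E9 E4 B1 80 FF, as in the post */
    printf("stolen %zu bytes, span ok=%d, cave returns to %08" PRIX32 "\n",
           sizeof stolen_bytes, hook_span_ok(3, 2),
           decode_jmp_rel32(cave_va + 6, cave + 6));
    return 0;
}
```

The same arithmetic is what a hooking library does for you; doing it by hand here shows where the post's "114E7F00" and "E4B180FF" come from and why the trampoline must re-execute TEST EAX, EAX before jumping back to the JE at 565C33C4.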