Research on sending group @-mention messages in WeChat for PC
First, locate the call that sends an ordinary message. Reference documents:
https://bbs.pediy.com/thread-249542.htm
https://www.52pojie.cn/thread-873835-1-1.html
In a WeChat group, send an arbitrary plain-text message. When the breakpoint hits, look at the register state.
According to the referenced article, edx is the target WeChat ID structure, eax is a pointer and ecx is a buffer.
Then send an @-mention message: this time the value of eax is no longer 0.
Enter dd [eax]: at 04FC6758 is the target wxid structure,
and eax+4 and eax+08 are identical. So all that remains is to find where eax comes from.
Tracing upward, we find:
0F309AFB |. 8D43 14 |LEA EAX, DWORD PTR DS:[EBX+0x14]
Next, trace ebx:
0F309A53 |. 8D5E 04 LEA EBX, DWORD PTR DS:[ESI+0x4]
And in the same way, eax:
0F309A30 |. 8B30 MOV ESI, DWORD PTR DS:[EAX]
It turns out that eax comes from parameter 1:
0F309A28 |. 8B45 08 MOV EAX, [ARG.1]
0F3099E0 /$ 55 PUSH EBP
0F3099E1 |. 8BEC MOV EBP, ESP
0F3099E3 |. 6A FF PUSH -0x1
0F3099E5 |. 68 890A0610 PUSH 10060A89
0F3099EA |. 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
0F3099F0 |. 50 PUSH EAX
0F3099F1 |. 81EC 400D0000 SUB ESP, 0xD40
0F3099F7 |. A1 C4704310 MOV EAX, DWORD PTR DS:[0x104370C4] ; &(4Y
0F3099FC |. 33C5 XOR EAX, EBP
0F3099FE |. 8945 EC MOV [LOCAL.5], EAX
0F309A01 |. 53 PUSH EBX
0F309A02 |. 56 PUSH ESI
0F309A03 |. 57 PUSH EDI
0F309A04 |. 50 PUSH EAX
0F309A05 |. 8D45 F4 LEA EAX, [LOCAL.3]
0F309A08 |. 64:A3 0000000>MOV DWORD PTR FS:[0], EAX
0F309A0E |. 8BF9 MOV EDI, ECX
0F309A10 |. 897D C8 MOV [LOCAL.14], EDI
0F309A13 |. 837F 1C 00 CMP DWORD PTR DS:[EDI+0x1C], 0x0
0F309A17 |. 8D47 18 LEA EAX, DWORD PTR DS:[EDI+0x18]
0F309A1A |. 8945 CC MOV [LOCAL.13], EAX
0F309A1D |. 0F9EC0 SETLE AL
0F309A20 |. 84C0 TEST AL, AL
0F309A22 |. 0F85 29070000 JNZ 0F30A151
0F309A28 |. 8B45 08 MOV EAX, [ARG.1]
0F309A2B |. 8B48 04 MOV ECX, DWORD PTR DS:[EAX+0x4]
0F309A2E |. 8BD1 MOV EDX, ECX
0F309A30 |. 8B30 MOV ESI, DWORD PTR DS:[EAX]
0F309A32 |. 2BD6 SUB EDX, ESI
0F309A34 |. B8 398EE338 MOV EAX, 0x38E38E39
0F309A39 |. F7EA IMUL EDX
0F309A3B |. C1FA 03 SAR EDX, 0x3
0F309A3E |. 8BC2 MOV EAX, EDX
0F309A40 |. C1E8 1F SHR EAX, 0x1F
0F309A43 |. 03C2 ADD EAX, EDX
0F309A45 |. 0F84 06070000 JE 0F30A151
0F309A4B |. 3BF1 CMP ESI, ECX
0F309A4D |. 0F84 CD060000 JE 0F30A120
0F309A53 |. 8D5E 04 LEA EBX, DWORD PTR DS:[ESI+0x4]
0F309A56 |> 8B06 /MOV EAX, DWORD PTR DS:[ESI]
0F309A58 |. 48 |DEC EAX ; switch (cases 1..6)
0F309A59 |. 83F8 05 |CMP EAX, 0x5
0F309A5C |. 0F87 A9060000 |JA 0F30A10B
0F309A62 |. FF2485 74A130>|JMP DWORD PTR DS:[EAX*4+0xF30A174]
0F309A69 |> 8B03 |MOV EAX, DWORD PTR DS:[EBX] ; case 1 --> switch at 0F309A58
0F309A6B |. 85C0 |TEST EAX, EAX
0F309A6D |. 74 06 |JE SHORT 0F309A75
0F309A6F |. 66:8338 00 |CMP WORD PTR DS:[EAX], 0x0
0F309A73 |. 75 05 |JNZ SHORT 0F309A7A
0F309A75 |> B8 083B2310 |MOV EAX, 10233B08
0F309A7A |> 6A FF |PUSH -0x1
0F309A7C |. 50 |PUSH EAX
0F309A7D |. 8D4D 88 |LEA ECX, [LOCAL.30]
0F309A80 |. E8 2B933B00 |CALL 0F6C2DB0
0F309A85 |. 83EC 14 |SUB ESP, 0x14
0F309A88 |. C745 FC 00000>|MOV [LOCAL.1], 0x0
0F309A8F |. 8D45 88 |LEA EAX, [LOCAL.30]
0F309A92 |. 8BCC |MOV ECX, ESP
0F309A94 |. 50 |PUSH EAX
0F309A95 |. E8 56933B00 |CALL 0F6C2DF0
0F309A9A |. E8 C1FEFFFF |CALL 0F309960
0F309A9F |. 83C4 14 |ADD ESP, 0x14
0F309AA2 |. 84C0 |TEST AL, AL
0F309AA4 |. 74 4D |JE SHORT 0F309AF3
0F309AA6 |. 8B45 08 |MOV EAX, [ARG.1]
0F309AA9 |. 8B48 04 |MOV ECX, DWORD PTR DS:[EAX+0x4]
0F309AAC |. 2B08 |SUB ECX, DWORD PTR DS:[EAX]
0F309AAE |. B8 398EE338 |MOV EAX, 0x38E38E39
0F309AB3 |. F7E9 |IMUL ECX
0F309AB5 |. C1FA 03 |SAR EDX, 0x3
0F309AB8 |. 8BC2 |MOV EAX, EDX
0F309ABA |. C1E8 1F |SHR EAX, 0x1F
0F309ABD |. 03C2 |ADD EAX, EDX
0F309ABF |. 83F8 01 |CMP EAX, 0x1
0F309AC2 |. 0F85 28010000 |JNZ 0F309BF0
0F309AC8 |. 6A 00 |PUSH 0x0
0F309ACA |. 6A 00 |PUSH 0x0
0F309ACC |. 6A 00 |PUSH 0x0
0F309ACE |. 68 0B030000 |PUSH 0x30B
0F309AD3 |. E8 38402600 |CALL 0F56DB10
0F309AD8 |. 8BC8 |MOV ECX, EAX
0F309ADA |. E8 B1502600 |CALL 0F56EB90
0F309ADF |. 8D4D 88 |LEA ECX, [LOCAL.30]
0F309AE2 |. C745 FC FFFFF>|MOV [LOCAL.1], -0x1
0F309AE9 |. E8 7284FEFF |CALL 0F2F1F60
0F309AEE |. E9 18060000 |JMP 0F30A10B
0F309AF3 |> E8 9861FBFF |CALL 0F2BFC90
0F309AF8 |. 8B55 CC |MOV EDX, [LOCAL.13]
0F309AFB |. 8D43 14 |LEA EAX, DWORD PTR DS:[EBX+0x14]
0F309AFE |. 6A 01 |PUSH 0x1
0F309B00 |. 50 |PUSH EAX
0F309B01 |. 53 |PUSH EBX
0F309B02 |. 8D8D E4F7FFFF |LEA ECX, [LOCAL.519]
0F309B08 |. E8 13A32100 |CALL 0F523E20 ; this call is our send-text call
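As an added example (not from the original post and not WeChat's code), the following Python replays the instruction sequence at 0F309A34..0F309A43 (MOV EAX, 0x38E38E39 / IMUL EDX / SAR EDX, 0x3 / MOV EAX, EDX / SHR EAX, 0x1F / ADD EAX, EDX). This is the compiler's signed divide-by-constant idiom for dividing by 36, applied here to [ARG.1+4] - [ARG.1]. Together with the CMP ESI, ECX empty check right after it and the ADD EAX, 0x24 stride in the caller's loop at 0F31B24E, that is consistent with ARG.1 being a begin/end pointer pair over 36-byte elements, so the CMP EAX, 0x1 at 0F309ABF tests for exactly one element. The 36-byte-element reading is my interpretation of the listing, not something the post states; the constants and the 04FC6758 sample address come from the listing and the dd output.

```python
# Added example: replay the x86 "signed divide by constant" idiom from the listing.
# Constants are taken from the disassembly; nothing here touches a live process.

MAGIC = 0x38E38E39    # MOV EAX, 0x38E38E39
POST_SHIFT = 3        # SAR EDX, 0x3
DIVISOR = 36          # what the idiom divides by (0x24, the element stride seen in the caller's loop)


def to_signed32(x):
    """Interpret a value as a 32-bit two's-complement integer."""
    x &= 0xFFFFFFFF
    return x - 0x1_0000_0000 if x & 0x8000_0000 else x


def magic_div(diff):
    """Mirror the six instructions register by register."""
    ecx_minus_esi = to_signed32(diff)
    product = ecx_minus_esi * MAGIC          # IMUL EDX: EDX:EAX = EAX * EDX (signed 32x32 -> 64)
    edx = product >> 32                      # keep the high dword, EDX
    edx = edx >> POST_SHIFT                  # SAR EDX, 0x3 (arithmetic shift, rounds toward -inf)
    eax = (edx & 0xFFFFFFFF) >> 31           # MOV EAX, EDX / SHR EAX, 0x1F: isolate the sign bit
    return to_signed32(eax + edx)            # ADD EAX, EDX: turn floor into truncation toward zero


def truncated_div(n, d=DIVISOR):
    """Reference C-style division (truncation toward zero) to compare the idiom against."""
    q = abs(n) // d
    return -q if n < 0 else q


def element_count(begin, end):
    """Apply the idiom to a begin/end pointer pair, as the function does with [ARG.1] and [ARG.1+4]."""
    return magic_div((end - begin) & 0xFFFFFFFF)


def idiom_matches_division(lo, hi):
    """Check the replayed idiom against real division over a range of byte differences."""
    return all(magic_div(n) == truncated_div(n) for n in range(lo, hi))


if __name__ == "__main__":
    begin = 0x04FC6758                       # address from the post's dd output, used only as a sample
    for n_elems in (0, 1, 2, 11):
        print(n_elems, element_count(begin, begin + n_elems * DIVISOR))
    print("idiom matches /36 over the tested range:", idiom_matches_division(-100_000, 100_000))
```

Running it shows that element_count returns 0, 1, 2 and 11 for those four spans, which is why the CMP EAX, 0x1 after the second copy of the idiom reads as "exactly one entry".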
Next, return one level up to the caller:
0F31B160 /$ 55 PUSH EBP
0F31B161 |. 8BEC MOV EBP, ESP
0F31B163 |. 6A FF PUSH -0x1
0F31B165 |. 68 48250610 PUSH 10062548
0F31B16A |. 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
0F31B170 |. 50 PUSH EAX
0F31B171 |. 83EC 2C SUB ESP, 0x2C
0F31B174 |. 53 PUSH EBX
0F31B175 |. 56 PUSH ESI
0F31B176 |. 57 PUSH EDI
0F31B177 |. A1 C4704310 MOV EAX, DWORD PTR DS:[0x104370C4] ; &(4Y
0F31B17C |. 33C5 XOR EAX, EBP
0F31B17E |. 50 PUSH EAX
0F31B17F |. 8D45 F4 LEA EAX, [LOCAL.3]
0F31B182 |. 64:A3 0000000>MOV DWORD PTR FS:[0], EAX
0F31B188 |. 8BD9 MOV EBX, ECX
0F31B18A |. C745 DC 00000>MOV [LOCAL.9], 0x0
0F31B191 |. C745 E0 00000>MOV [LOCAL.8], 0x0
0F31B198 |. C745 E4 00000>MOV [LOCAL.7], 0x0
0F31B19F |. 8D45 DC LEA EAX, [LOCAL.9]
0F31B1A2 |. C745 FC 00000>MOV [LOCAL.1], 0x0
0F31B1A9 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B1AF |. 50 PUSH EAX
0F31B1B0 |. E8 1BCFFBFF CALL 0F2D80D0
0F31B1B5 |. 85C0 TEST EAX, EAX
0F31B1B7 |. 7F 7E JG SHORT 0F31B237
0F31B1B9 |. 51 PUSH ECX
0F31B1BA |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B1C0 |. 8BF9 MOV EDI, ECX
0F31B1C2 |. 68 D0070000 PUSH 0x7D0
0F31B1C7 |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B1C9 |. FF50 44 CALL DWORD PTR DS:[EAX+0x44]
0F31B1CC |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0F31B1CE |. 8BCF MOV ECX, EDI
0F31B1D0 |. 8BF0 MOV ESI, EAX
0F31B1D2 |. FF52 3C CALL DWORD PTR DS:[EDX+0x3C]
0F31B1D5 |. 8B8B 64050000 MOV ECX, DWORD PTR DS:[EBX+0x564]
0F31B1DB |. 03F0 ADD ESI, EAX
0F31B1DD |. 56 PUSH ESI
0F31B1DE |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B1E0 |. FF50 58 CALL DWORD PTR DS:[EAX+0x58]
0F31B1E3 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B1E9 |. 99 CDQ
0F31B1EA |. 2BC2 SUB EAX, EDX
0F31B1EC |. 8BF0 MOV ESI, EAX
0F31B1EE |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B1F0 |. D1FE SAR ESI, 1
0F31B1F2 |. FF52 40 CALL DWORD PTR DS:[EDX+0x40]
0F31B1F5 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B1FB |. 8BF8 MOV EDI, EAX
0F31B1FD |. 2BFE SUB EDI, ESI
0F31B1FF |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B201 |. FF52 38 CALL DWORD PTR DS:[EDX+0x38]
0F31B204 |. 03C7 ADD EAX, EDI
0F31B206 |. BA 16040000 MOV EDX, 0x416
0F31B20B |. 50 PUSH EAX
0F31B20C |. 83EC 14 SUB ESP, 0x14
0F31B20F |. 8BCC MOV ECX, ESP
0F31B211 |. E8 CA8A3A00 CALL 0F6C3CE0
0F31B216 |. 8BCB MOV ECX, EBX
0F31B218 |. E8 F35F0000 CALL 0F321210
0F31B21D |. 8B8B 3C050000 MOV ECX, DWORD PTR DS:[EBX+0x53C]
0F31B223 |. 6A 00 PUSH 0x0
0F31B225 |. FFB3 60050000 PUSH DWORD PTR DS:[EBX+0x560]
0F31B22B |. E8 98CB5E00 CALL 0F907DC8
0F31B230 |. 32DB XOR BL, BL
0F31B232 |. E9 B2010000 JMP 0F31B3E9
0F31B237 |> 8B45 DC MOV EAX, [LOCAL.9]
0F31B23A |. 33C9 XOR ECX, ECX
0F31B23C |. 8B55 E0 MOV EDX, [LOCAL.8]
0F31B23F |. 3BC2 CMP EAX, EDX
0F31B241 |. 74 12 JE SHORT 0F31B255
0F31B243 |> 8338 02 /CMP DWORD PTR DS:[EAX], 0x2
0F31B246 |. 75 06 |JNZ SHORT 0F31B24E
0F31B248 |. 41 |INC ECX
0F31B249 |. 83F9 0B |CMP ECX, 0xB
0F31B24C |. 7D 7F |JGE SHORT 0F31B2CD
0F31B24E |> 83C0 24 |ADD EAX, 0x24
0F31B251 |. 3BC2 |CMP EAX, EDX
0F31B253 |.^ 75 EE \JNZ SHORT 0F31B243
0F31B255 |> E8 467A0000 CALL 0F322CA0
0F31B25A |. 84C0 TEST AL, AL
0F31B25C |. 0F84 BD000000 JE 0F31B31F
0F31B262 |. 51 PUSH ECX
0F31B263 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B269 |. 8BF9 MOV EDI, ECX
0F31B26B |. 68 D0070000 PUSH 0x7D0
0F31B270 |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B272 |. FF50 44 CALL DWORD PTR DS:[EAX+0x44]
0F31B275 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0F31B277 |. 8BCF MOV ECX, EDI
0F31B279 |. 8BF0 MOV ESI, EAX
0F31B27B |. FF52 3C CALL DWORD PTR DS:[EDX+0x3C]
0F31B27E |. 8B8B 64050000 MOV ECX, DWORD PTR DS:[EBX+0x564]
0F31B284 |. 03F0 ADD ESI, EAX
0F31B286 |. 56 PUSH ESI
0F31B287 |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B289 |. FF50 58 CALL DWORD PTR DS:[EAX+0x58]
0F31B28C |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B292 |. 99 CDQ
0F31B293 |. 2BC2 SUB EAX, EDX
0F31B295 |. 8BF0 MOV ESI, EAX
0F31B297 |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B299 |. D1FE SAR ESI, 1
0F31B29B |. FF52 40 CALL DWORD PTR DS:[EDX+0x40]
0F31B29E |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B2A4 |. 8BF8 MOV EDI, EAX
0F31B2A6 |. 2BFE SUB EDI, ESI
0F31B2A8 |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B2AA |. FF52 38 CALL DWORD PTR DS:[EDX+0x38]
0F31B2AD |. BA 220E0000 MOV EDX, 0xE22
0F31B2B2 |> 03C7 ADD EAX, EDI
0F31B2B4 |. 50 PUSH EAX
0F31B2B5 |. 83EC 14 SUB ESP, 0x14
0F31B2B8 |. 8BCC MOV ECX, ESP
0F31B2BA |. E8 218A3A00 CALL 0F6C3CE0
0F31B2BF |. 8BCB MOV ECX, EBX
0F31B2C1 |. E8 4A5F0000 CALL 0F321210
0F31B2C6 |. 32DB XOR BL, BL
0F31B2C8 |. E9 1C010000 JMP 0F31B3E9
0F31B2CD |> 8BBB 60050000 MOV EDI, DWORD PTR DS:[EBX+0x560]
0F31B2D3 |. 51 PUSH ECX
0F31B2D4 |. 8BCF MOV ECX, EDI
0F31B2D6 |. 68 D0070000 PUSH 0x7D0
0F31B2DB |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B2DD |. FF50 3C CALL DWORD PTR DS:[EAX+0x3C]
0F31B2E0 |. 8B17 MOV EDX, DWORD PTR DS:[EDI]
0F31B2E2 |. 8BCF MOV ECX, EDI
0F31B2E4 |. 8BF0 MOV ESI, EAX
0F31B2E6 |. FF52 44 CALL DWORD PTR DS:[EDX+0x44]
0F31B2E9 |. 8B8B 64050000 MOV ECX, DWORD PTR DS:[EBX+0x564]
0F31B2EF |. 03F0 ADD ESI, EAX
0F31B2F1 |. 56 PUSH ESI
0F31B2F2 |. 8B01 MOV EAX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B2F4 |. FF50 58 CALL DWORD PTR DS:[EAX+0x58]
0F31B2F7 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B2FD |. 99 CDQ
0F31B2FE |. 2BC2 SUB EAX, EDX
0F31B300 |. 8BF0 MOV ESI, EAX
0F31B302 |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B304 |. D1FE SAR ESI, 1
0F31B306 |. FF52 40 CALL DWORD PTR DS:[EDX+0x40]
0F31B309 |. 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B30F |. 8BF8 MOV EDI, EAX
0F31B311 |. 2BFE SUB EDI, ESI
0F31B313 |. 8B11 MOV EDX, DWORD PTR DS:[ECX] ; WeChatWi.102421E0
0F31B315 |. FF52 38 CALL DWORD PTR DS:[EDX+0x38]
0F31B318 |. BA 21040000 MOV EDX, 0x421
0F31B31D |.^ EB 93 JMP SHORT 0F31B2B2
0F31B31F |> 0F57C0 XORPS XMM0, XMM0
0F31B322 |. C745 D8 00000>MOV [LOCAL.10], 0x0
0F31B329 |. 0F1145 C8 MOVUPS DQWORD PTR SS:[EBP-0x38], XMM0
0F31B32D |. 8D45 C8 LEA EAX, [LOCAL.14]
0F31B330 |. C645 FC 01 MOV BYTE PTR SS:[EBP-0x4], 0x1
0F31B334 |. 8B8B 58050000 MOV ECX, DWORD PTR DS:[EBX+0x558]
0F31B33A |. 50 PUSH EAX
0F31B33B |. 8D45 DC LEA EAX, [LOCAL.9]
0F31B33E |. 81C1 E0090000 ADD ECX, 0x9E0
0F31B344 |. 50 PUSH EAX
0F31B345 |. E8 F6F2FEFF CALL 0F30A640
0F31B34A |. 84C0 TEST AL, AL
0F31B34C |. 75 51 JNZ SHORT 0F31B39F
0F31B34E |. 8845 F3 MOV BYTE PTR SS:[EBP-0xD], AL
0F31B351 |. 8B45 C8 MOV EAX, [LOCAL.14]
0F31B354 |. 85C0 TEST EAX, EAX
0F31B356 |. 74 06 JE SHORT 0F31B35E
0F31B358 |. 66:8338 00 CMP WORD PTR DS:[EAX], 0x0
0F31B35C |. 75 05 JNZ SHORT 0F31B363
0F31B35E |> B8 083B2310 MOV EAX, 10233B08
0F31B363 |> 83EC 14 SUB ESP, 0x14
0F31B366 |. 8BCC MOV ECX, ESP
0F31B368 |. 8965 EC MOV [LOCAL.5], ESP
0F31B36B |. 6A FF PUSH -0x1
0F31B36D |. 50 PUSH EAX
0F31B36E |. E8 3D7A3A00 CALL 0F6C2DB0
0F31B373 |. 83EC 14 SUB ESP, 0x14
0F31B376 |. C645 FC 02 MOV BYTE PTR SS:[EBP-0x4], 0x2
0F31B37A |. BA 0E040000 MOV EDX, 0x40E
0F31B37F |. 8BCC MOV ECX, ESP
0F31B381 |. E8 5A893A00 CALL 0F6C3CE0
0F31B386 |. 8A55 F3 MOV DL, BYTE PTR SS:[EBP-0xD]
0F31B389 |. C645 FC 01 MOV BYTE PTR SS:[EBP-0x4], 0x1
0F31B38D |. 8B8B 5C050000 MOV ECX, DWORD PTR DS:[EBX+0x55C]
0F31B393 |. E8 C8370300 CALL 0F34EB60
0F31B398 |. 83C4 28 ADD ESP, 0x28
0F31B39B |. 32DB XOR BL, BL
0F31B39D |. EB 42 JMP SHORT 0F31B3E1
0F31B39F |> 8B8B 60050000 MOV ECX, DWORD PTR DS:[EBX+0x560]
0F31B3A5 |. E8 C6D5FBFF CALL 0F2D8970
0F31B3AA |. 8D45 DC LEA EAX, [LOCAL.9]
0F31B3AD |. 50 PUSH EAX
0F31B3AE |. E8 ED7F0000 CALL 0F3233A0 ; location of the call
eax comes from a local variable:
LEA EAX, DWORD PTR SS:[EBP-0x24]
Set a breakpoint at the function entry and send another @-mention message.
0F31B1AF |. 50 PUSH EAX
0F31B1B0 |. E8 1BCFFBFF CALL 0F2D80D0 ; after this call, a structure appears at ebp-0x24
Step into the call, set a breakpoint at its entry and resend the message. The call is fairly long, so just keep stepping over with F8 until the position shown in the screenshot. There you can see that a run of data has been built in edx containing the mentioned person's WeChat ID and nickname.
0F2D844A . C645 FC 08 MOV BYTE PTR SS:[EBP-0x4], 0x8
0F2D844E . 50 PUSH EAX ; nickname
0F2D844F . 8D8D 10FFFFFF LEA ECX, DWORD PTR SS:[EBP-0xF0] ; ecx: blank area
0F2D8455 . E8 B6AE3E00 CALL 0F6C3310 ; after the call, the blank area at ecx holds the nickname structure
0F2D845A . 8D85 D4FEFFFF LEA EAX, DWORD PTR SS:[EBP-0x12C]
0F2D8460 . 50 PUSH EAX ; WeChat ID
0F2D8461 . 8D8D 44FFFFFF LEA ECX, DWORD PTR SS:[EBP-0xBC] ; blank area
0F2D8467 . E8 74BDFBFF CALL 0F2941E0 ; after the call, the blank area holds a structure like the one eax pointed to near the call
0F2D846C . 8D8D ACFEFFFF LEA ECX, DWORD PTR SS:[EBP-0x154]
dd 0x2f617c0 shows that it is indeed the WeChat ID. So now it is clear: this call is the one that builds the structure.
Let's extract the parameters.
eax is the WeChat ID structure,
laid out as follows:
$ ==> >02F196E0 UNICODE "这里是你的wxid"
$+4 >0000000E
$+8 >00000010
ecx is a buffer, so just pass in a blank area; make sure it is at least 3*4 bytes long, or 5*4 to be on the safe side.
Once the structure is built, pass the value of eax as described in the reference documents at the top of the article, and you can @-mention people in the group!
So please bear with me. This is not perfect yet; the ideal would be to also read the mentioned person's nickname and include it in the message content, which would make it complete.
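As an added example, not from the post, here is a small Python model of the three-dword structure shown in the dd output above (pointer to a UTF-16 string at $, character count at $+4, capacity at $+8). It builds that layout inside a constructed memory image, renders it the way dd prints it, and parses it back with the sanity checks a reader of such a dump should apply before trusting the pointer (non-null pointer, length not exceeding capacity, string inside the image). The image base, the descriptor address and the 14-character sample ID "wxid_example01" are constructed values; 02F196E0 and the 0xE/0x10 fields come from the dump, and the 12-byte size is the 3*4 minimum given for the ecx buffer.

```python
import struct

# Added example: model of the three-dword wxid descriptor from the dd output.
# The memory image, the descriptor address and the sample ID are constructed.

WXID_STRUCT_SIZE = 3 * 4    # pointer, length, capacity: the 3*4 minimum the post gives for ecx
SAFE_BUFFER_SIZE = 5 * 4    # the post's "safer" buffer size


class MemoryImage:
    """A flat little-endian byte image starting at `base`, standing in for a process snapshot."""

    def __init__(self, base, size):
        self.base = base
        self.data = bytearray(size)

    def _offset(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError("address %#x (+%d bytes) is outside the image" % (addr, n))
        return off

    def write(self, addr, payload):
        off = self._offset(addr, len(payload))
        self.data[off:off + len(payload)] = payload

    def read(self, addr, n):
        off = self._offset(addr, n)
        return bytes(self.data[off:off + n])

    def dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def write_wxid_struct(mem, struct_addr, str_addr, wxid, capacity=0x10):
    """Lay out the descriptor and its NUL-terminated UTF-16LE payload as the dump shows them."""
    length = len(wxid)                                  # $+4 counts characters: 0xE for a 14-char ID
    if length > capacity:
        raise ValueError("wxid is longer than the capacity field allows")
    mem.write(str_addr, wxid.encode("utf-16-le") + b"\x00\x00")
    mem.write(struct_addr, struct.pack("<III", str_addr, length, capacity))


def dump_dd(mem, addr, count=3):
    """Render `count` dwords in the style of the debugger's dd command."""
    lines = []
    for i in range(count):
        label = "$ ==>" if i == 0 else "$+%X" % (i * 4)
        lines.append("%s >%08X" % (label, mem.dword(addr + i * 4)))
    return lines


def parse_wxid_struct(mem, struct_addr):
    """Read the descriptor back and validate it before following the pointer."""
    ptr, length, capacity = struct.unpack("<III", mem.read(struct_addr, WXID_STRUCT_SIZE))
    if ptr == 0:
        raise ValueError("descriptor has a null string pointer")
    if length > capacity:
        raise ValueError("length %d exceeds capacity %d" % (length, capacity))
    text = mem.read(ptr, length * 2).decode("utf-16-le")   # UTF-16: two bytes per character
    return {"ptr": ptr, "length": length, "capacity": capacity, "text": text}


if __name__ == "__main__":
    mem = MemoryImage(0x02F19000, 0x1000)                  # constructed image covering both addresses
    write_wxid_struct(mem, 0x02F19100, 0x02F196E0, "wxid_example01")
    print("\n".join(dump_dd(mem, 0x02F19100)))
    print(parse_wxid_struct(mem, 0x02F19100))
```

The dump_dd output reproduces the three lines from the post ($ ==> >02F196E0, $+4 >0000000E, $+8 >00000010), and parse_wxid_struct rejects a descriptor whose length field is larger than its capacity rather than reading past the string.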