I had some free time recently, so I decided to reverse engineer PC WeChat. Looking at code I wrote three years ago, I found that WeChat now reports that old versions can no longer log in, so I started looking into how to bypass that.
The code is written in Python; the main libraries used are:

```python
import frida
import os
import sys, segno
import re, time
from win32api import HIWORD, LOWORD, GetFileVersionInfo
import binascii
import struct
from pymem import Pymem, pattern, process
```
First, the approach. Since the goal is to log in with an old version of WeChat, I need to know how WeChat checks the version. Searching online turns up mostly finished tools written in EPL (易语言), which teach you nothing. There is one article by an expert that is worth reading: 微信过低版本限制逆向分析_微信逆向-CSDN博客. There are actually many ways to get past this kind of WeChat version check; the logic I implement here is: read the currently installed WeChat version, search for it in memory, then overwrite it with the desired version. The result is shown in the image below.
Many experts do this with a signature pattern + an offset from the DLL module base + reading and writing memory; my approach is cruder: a brute-force search through memory.
I also added a feature that retrieves the WeChat database key from memory. The details are below.
And a feature that pinpoints the phone number; once the phone number can be located precisely, a lot becomes possible. Inspecting it in CE shows it is implemented as base address + offset.
The phone-number search code is pasted below for anyone who needs it.
With the database password you can decrypt the local database files and look at what is inside.
Session conversation content
Followed WeChat official accounts
Information about all your WeChat friends
There are many more databases holding different kinds of data; this one is MicroMsg.db. Explore the others yourself.
Code follows:
This is the core code for searching the phone number:

```python
import re
import pymem
import pymem.exception
import pymem.process
from pymem import Pymem

# Assumption: the PC WeChat process is named WeChat.exe (not stated in the post);
# the module name WeChatWin.dll is the one the post uses throughout.
pm = Pymem("WeChat.exe")
module_name = "WeChatWin.dll"

module = pymem.process.module_from_name(pm.process_handle, module_name)
base_address = module.lpBaseOfDll
module_size = module.SizeOfImage
print(f"{module_name} 基地址: 0x{base_address:x}")
print(f"{module_name} 大小: 0x{module_size:x}")

found_phone_numbers = []
# Walk the module's memory one 4 KiB page at a time and look for strings
for address in range(base_address, base_address + module_size, 4096):
    try:
        # Read one page
        data = pm.read_bytes(address, 4096)
        # Keep printable ASCII; replace everything else with NUL so \b boundaries still work
        printable_data = ''.join([chr(b) if 32 <= b < 127 else '\0' for b in data])
        # Match 11-digit mobile numbers starting with 1
        phone_numbers = re.findall(r'\b1\d{10}\b', printable_data)
        for number in phone_numbers:
            # Record the number together with the address of its first occurrence in this page
            number_address = address + printable_data.index(number)
            found_phone_numbers.append((number_address, number))
    except pymem.exception.MemoryReadError:
        pass

if not found_phone_numbers:
    print("[!] 未找到符合条件的手机号码")
else:
    for number_address, number in found_phone_numbers:
        print(f"找到手机号码 '{number}',地址: 0x{number_address:x}")
        # Scan the memory around the number for identifier-like strings
        search_range = 200  # look 200 bytes before and 200 bytes after the number
        try:
            data = pm.read_bytes(number_address - search_range, search_range * 2)
            # Keep printable ASCII, as above
            printable_data = ''.join([chr(b) if 32 <= b < 127 else '\0' for b in data])
            # Identifier-like tokens: a letter or underscore followed by 5-19 of [A-Za-z0-9_-]
            valid_strings = re.findall(r'\b[A-Za-z_][A-Za-z0-9_-]{5,19}\b', printable_data)
            for string in valid_strings:
                if string.lower() not in ["iphone", "android"]:
                    string_address = number_address - search_range + printable_data.index(string)
                    print(f"找到符合规则的字符串 '{string}',地址: 0x{string_address:x}")
        except (pymem.exception.MemoryReadError, UnicodeDecodeError):
            pass
```
This is the code that finds the database key statically:

```python
import pefile
import re
import capstone
import struct

pe = pefile.PE("D:\\Wechat\\[3.9.10.19]\\WeChatWin.dll")
# Anchor string in .rdata: "On Set Info info md5"
target_bytes = b"\x4F\x6E\x20\x53\x65\x74\x20\x49\x6E\x66\x6F\x20\x69\x6E\x66\x6F\x20\x6D\x64\x35"

def find_byte_sequence(data, pattern):
    return [m.start() for m in re.finditer(re.escape(pattern), data)]

# Step 1: locate the anchor string and record its RVA
rdata_sections = [section for section in pe.sections if b'.rdata' in section.Name]
data_offset = 0
for section in rdata_sections:
    section_data = section.get_data()
    start_address = section.VirtualAddress
    matches = find_byte_sequence(section_data, target_bytes)
    if matches:
        for offset in matches:
            data_offset = offset + section.VirtualAddress
            # print(f"{data_offset:04x}")

# Step 2: find the lea rax,[rip+disp32] (48 8D 05) in .text that references the string
target_bytes = b"\x48\x8D\x05"
code_sections = [section for section in pe.sections if b'.text' in section.Name]
for section in code_sections:
    section_data = section.get_data()
    start_address = section.VirtualAddress
    cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
    matches = find_byte_sequence(section_data, target_bytes)
    if matches:
        for offset in matches:
            inst = list(cs.disasm(section_data[offset:offset + 7], offset + start_address))[0]
            # disp32 is signed: "<i" rather than "<I", so backward references resolve correctly
            unpacked_value = struct.unpack("<i", inst.bytes[3:])[0]
            if inst.address + inst.size + unpacked_value == data_offset:
                # Step 3: disassemble forward from the reference and follow the second call
                instructions = list(
                    cs.disasm(section_data[inst.address - start_address:inst.address - start_address + 256],
                              inst.address))
                call = 0
                for inst in instructions:
                    if inst.mnemonic == "call":
                        call = call + 1
                        if call == 2:
                            addr = int(inst.op_str, 16)
                            # Step 4: inside the callee, take the first lea rax,[rip+disp32] before ret
                            instructions = list(
                                cs.disasm(section_data[addr - start_address:addr - start_address + 256], addr))
                            for inst in instructions:
                                # print(f"{inst.address:04x}: {inst.mnemonic} {inst.op_str}")
                                opcode = inst.bytes
                                if len(opcode) == 1 and opcode[0] == 0xC3:
                                    break
                                if len(opcode) > 3:
                                    if opcode[0] == 0x48 and opcode[1] == 0x8D and opcode[2] == 0x05:
                                        unpacked_value = struct.unpack("<i", opcode[3:])[0]
                                        as_addr = inst.address + inst.size + unpacked_value
                                        dbkey_offset = 1760
                                        print("final AccountService addr:", as_addr, hex(as_addr))
                                        print("final DBkey addr:", as_addr + dbkey_offset, hex(as_addr + dbkey_offset))
                                        break
```
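The static finder above resolves `lea rax, [rip+disp32]` (opcode `48 8D 05`) references by adding the displacement to the address of the next instruction. As an added example (not code from the original post), here is a stand-alone resolver that treats the displacement as signed, so a reference to data placed before the instruction also resolves correctly; the code bytes, RVAs and target values are constructed for illustration.

```python
import struct
from typing import List, Optional

LEA_RAX_RIP = b"\x48\x8D\x05"  # REX.W + LEA with ModRM 0x05: lea rax, [rip+disp32]

def resolve_rip_relative_lea(code: bytes, offset: int, rva: int) -> Optional[int]:
    """Return the RVA referenced by the lea rax,[rip+disp32] at code[offset],
    where `rva` is the RVA of code[0]. Returns None if no such lea is there."""
    if code[offset:offset + 3] != LEA_RAX_RIP or len(code) < offset + 7:
        return None
    # disp32 is a signed 32-bit value; unpacking it as unsigned ("<I") would push
    # backward references (negative displacement) about 4 GiB too high.
    disp = struct.unpack_from("<i", code, offset + 3)[0]
    next_rva = rva + offset + 7  # RIP points at the instruction after this 7-byte lea
    return (next_rva + disp) & 0xFFFFFFFF

def find_lea_references(code: bytes, rva: int, target_rva: int) -> List[int]:
    """RVAs of every lea rax,[rip+disp32] in `code` that points at target_rva."""
    hits = []
    start = 0
    while (i := code.find(LEA_RAX_RIP, start)) != -1:
        if resolve_rip_relative_lea(code, i, rva) == target_rva:
            hits.append(rva + i)
        start = i + 1
    return hits

# Constructed .text fragment at RVA 0x1000:
#   nop; lea rax,[rip+0x2000]; lea rax,[rip-0x18]; ret
SAMPLE_RVA = 0x1000
SAMPLE_CODE = (b"\x90"
               + LEA_RAX_RIP + struct.pack("<i", 0x2000)
               + LEA_RAX_RIP + struct.pack("<i", -0x18)
               + b"\xC3")

if __name__ == "__main__":
    # The forward reference lands at 0x3008, the backward one at 0xFF7
    for target in (0x3008, 0xFF7):
        for hit in find_lea_references(SAMPLE_CODE, SAMPLE_RVA, target):
            print(f"lea at RVA 0x{hit:x} references 0x{target:x}")
```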
This is the core JS code that uses Frida to search the memory of the WeChatWin.dll module and change the WeChat version number:

```python
# target_value and new_value are the current and desired version DWORDs. The post does not
# show how they are derived; it imports GetFileVersionInfo/HIWORD/LOWORD from win32api for that.
frida_script = """
const moduleName = 'WeChatWin.dll';
const targetValue = {target_value};
const newValue = {new_value};

// Little-endian byte array of a 32-bit value, used to build the scan pattern
function intToBytesLE(value) {{
    let bytes = [];
    for (let i = 0; i < 4; i++) {{
        bytes.push(value & 0xFF);
        value = value >> 8;
    }}
    return bytes;
}}

function bytesToHex(bytes) {{
    return bytes.map(byte => ('0' + (byte & 0xFF).toString(16)).slice(-2)).join('');
}}

const targetBytes = intToBytesLE(targetValue);
const targetPattern = bytesToHex(targetBytes);

function searchAndModifyMemory() {{
    var module = Process.findModuleByName(moduleName);
    if (!module) {{
        console.log(moduleName + ' 模块未找到');
        send(null);
        return;
    }}
    var baseAddress = module.base;
    var moduleSize = module.size;
    console.log(moduleName + ' 基地址: ' + baseAddress);
    console.log(moduleName + ' 大小: ' + moduleSize);

    var modifiedAddresses = [];
    Memory.scan(baseAddress, moduleSize, targetPattern, {{
        onMatch: function(address, size) {{
            console.log('找到目标数值 0x' + targetValue.toString(16) + ' 在地址: ' + address);
            Memory.writeUInt(address, newValue);
            modifiedAddresses.push(address.toString());
        }},
        onComplete: function() {{
            if (modifiedAddresses.length === 0) {{
                console.log('未在内存中搜索到目标数值');
                send(null);
            }} else {{
                console.log('数值修改完成');
                send(modifiedAddresses);
            }}
        }}
    }});
}}

searchAndModifyMemory();
""".format(target_value=target_value, new_value=new_value)
```