[Original] Enabling debug output in PC WeChat
2020-7-15 11:20 12926


Enabling debug output in PC WeChat

Author: 御风

Date: March 28, 2020

Description: turning on WeChat's debug output

Version: 2.8.0.133

Contents

1. Reference

PC微信逆向分析の强制输出微信调式信息 (PC WeChat reverse analysis: forcing WeChat to output its debug information)

2. Cheat Engine (CE) steps

2.1. Locating the debug-enable flag

2.1.1. Version 2.8.0.133

Base address
WeChatWin.dll + 0x1616B21

# WeChat sets the value at this address to 0, so debug information is never written
# Change it to 1 and the debug output switch is on
CE code
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>0</ID>
      <Description>"是否启用调试"</Description>
      <LastState Value="0" RealAddress="54C16B21"/>
      <VariableType>4 Bytes</VariableType>
      <Address>WeChatWin.dll + 0x1616B21</Address>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
Signature
74 14 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83
Assembly
WeChatWin.dll+D0C990 - 55                    - push ebp
WeChatWin.dll+D0C991 - 8B EC                 - mov ebp,esp
WeChatWin.dll+D0C993 - 6A FF                 - push -01 { 255 }
WeChatWin.dll+D0C995 - 68 67ABAA67           - push WeChatWin.dll+118AB67 { (139) }
WeChatWin.dll+D0C99A - 64 A1 00000000        - mov eax,fs:[00000000] { 0 }
WeChatWin.dll+D0C9A0 - 50                    - push eax
WeChatWin.dll+D0C9A1 - 81 EC 5C010000        - sub esp,0000015C { 348 }
WeChatWin.dll+D0C9A7 - A1 946BEE67           - mov eax,[WeChatWin.dll+15C6B94] { (-763891070) }
WeChatWin.dll+D0C9AC - 33 C5                 - xor eax,ebp
WeChatWin.dll+D0C9AE - 89 45 F0              - mov [ebp-10],eax
WeChatWin.dll+D0C9B1 - 53                    - push ebx
WeChatWin.dll+D0C9B2 - 56                    - push esi
WeChatWin.dll+D0C9B3 - 57                    - push edi
WeChatWin.dll+D0C9B4 - 50                    - push eax
WeChatWin.dll+D0C9B5 - 8D 45 F4              - lea eax,[ebp-0C]
WeChatWin.dll+D0C9B8 - 64 A3 00000000        - mov fs:[00000000],eax { 0 }
WeChatWin.dll+D0C9BE - 80 3D 4C6DEE67 00     - cmp byte ptr [WeChatWin.dll+15C6D4C],00 { (0),0 }
WeChatWin.dll+D0C9C5 - 8B 45 08              - mov eax,[ebp+08]
WeChatWin.dll+D0C9C8 - 89 85 E8FEFFFF        - mov [ebp-00000118],eax
WeChatWin.dll+D0C9CE - 8B 45 0C              - mov eax,[ebp+0C]
WeChatWin.dll+D0C9D1 - 89 85 ECFEFFFF        - mov [ebp-00000114],eax
WeChatWin.dll+D0C9D7 - 0F85 B5020000         - jne WeChatWin.dll+D0CC92
WeChatWin.dll+D0C9DD - E8 D7163D00           - call WeChatWin.dll+10DE0B9
WeChatWin.dll+D0C9E2 - 8B 30                 - mov esi,[eax]
WeChatWin.dll+D0C9E4 - 89 B5 E4FEFFFF        - mov [ebp-0000011C],esi
WeChatWin.dll+D0C9EA - A1 706FF367           - mov eax,[WeChatWin.dll+1616F70] { (3) }
WeChatWin.dll+D0C9EF - C7 45 FC 00000000     - mov [ebp-04],00000000 { 0 }
WeChatWin.dll+D0C9F6 - A8 01                 - test al,01 { 1 }
WeChatWin.dll+D0C9F8 - 75 2A                 - jne WeChatWin.dll+D0CA24
WeChatWin.dll+D0C9FA - 83 C8 01              - or eax,01 { 1 }
WeChatWin.dll+D0C9FD - A3 706FF367           - mov [WeChatWin.dll+1616F70],eax { (3) }
WeChatWin.dll+D0CA02 - FF 15 68E2B167        - call dword ptr [WeChatWin.dll+11FE268] { ->->KERNELBASE.TlsAlloc }
WeChatWin.dll+D0CA08 - 68 2046B167           - push WeChatWin.dll+11F4620 { (255) }
WeChatWin.dll+D0CA0D - A3 686FF367           - mov [WeChatWin.dll+1616F68],eax { (54) }
WeChatWin.dll+D0CA12 - C7 05 6C6FF367 00000000 - mov [WeChatWin.dll+1616F6C],00000000 { (0),0 }
WeChatWin.dll+D0CA1C - E8 691AFDFF           - call WeChatWin.dll+CDE48A
WeChatWin.dll+D0CA21 - 83 C4 04              - add esp,04 { 4 }
WeChatWin.dll+D0CA24 - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CA2A - 8B 1D 64E2B167        - mov ebx,[WeChatWin.dll+11FE264] { (76EBEF40) }
WeChatWin.dll+D0CA30 - C7 85 E0FEFFFF 686FF367 - mov [ebp-00000120],WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CA3A - FF D3                 - call ebx
WeChatWin.dll+D0CA3C - 8D 78 01              - lea edi,[eax+01]
WeChatWin.dll+D0CA3F - 57                    - push edi
WeChatWin.dll+D0CA40 - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CA46 - FF 15 58E2B167        - call dword ptr [WeChatWin.dll+11FE258] { ->KERNEL32.TlsSetValue }
WeChatWin.dll+D0CA4C - 57                    - push edi
WeChatWin.dll+D0CA4D - FF 35 6C6FF367        - push [WeChatWin.dll+1616F6C] { (0) }
WeChatWin.dll+D0CA53 - 68 686FF367           - push WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CA58 - E8 B3060800           - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CA5D - 83 C4 0C              - add esp,0C { 12 }
WeChatWin.dll+D0CA60 - A1 706FF367           - mov eax,[WeChatWin.dll+1616F70] { (3) }
WeChatWin.dll+D0CA65 - C6 45 FC 01           - mov byte ptr [ebp-04],01 { 1 }
WeChatWin.dll+D0CA69 - A8 02                 - test al,02 { 2 }
WeChatWin.dll+D0CA6B - 75 2A                 - jne WeChatWin.dll+D0CA97
WeChatWin.dll+D0CA6D - 83 C8 02              - or eax,02 { 2 }
WeChatWin.dll+D0CA70 - A3 706FF367           - mov [WeChatWin.dll+1616F70],eax { (3) }
WeChatWin.dll+D0CA75 - FF 15 68E2B167        - call dword ptr [WeChatWin.dll+11FE268] { ->->KERNELBASE.TlsAlloc }
WeChatWin.dll+D0CA7B - 68 9043B167           - push WeChatWin.dll+11F4390 { (255) }
WeChatWin.dll+D0CA80 - A3 746FF367           - mov [WeChatWin.dll+1616F74],eax { (55) }
WeChatWin.dll+D0CA85 - C7 05 786FF367 30E39F67 - mov [WeChatWin.dll+1616F78],WeChatWin.dll+10DE330 { (679FE330),(8686313) }
WeChatWin.dll+D0CA8F - E8 F619FDFF           - call WeChatWin.dll+CDE48A
WeChatWin.dll+D0CA94 - 83 C4 04              - add esp,04 { 4 }

# --------------------------------------------------------------------------------

WeChatWin.dll+D0CA97 - 80 3D 216BF367 00     - cmp byte ptr [WeChatWin.dll+1616B21],00 { (0),0 }

#  WeChatWin.dll+1616B21 is the address of the debug-enable flag

WeChatWin.dll+D0CA9E - 74 14                 - je WeChatWin.dll+D0CAB4
WeChatWin.dll+D0CAA0 - FF B5 ECFEFFFF        - push [ebp-00000114]
WeChatWin.dll+D0CAA6 - FF B5 E8FEFFFF        - push [ebp-00000118]
WeChatWin.dll+D0CAAC - E8 AF3CFEFF           - call WeChatWin.dll+CF0760

#  [Section 2.3, locating the debug output code] Set a breakpoint here; when it fires, step into WeChatWin.dll+CF0760

# --------------------------------------------------------------------------------

WeChatWin.dll+D0CAB1 - 83 C4 08              - add esp,08 { 8 }
WeChatWin.dll+D0CAB4 - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CABA - FF D3                 - call ebx
WeChatWin.dll+D0CABC - 83 F8 02              - cmp eax,02 { 2 }
WeChatWin.dll+D0CABF - 0F8C 2C010000         - jl WeChatWin.dll+D0CBF1
WeChatWin.dll+D0CAC5 - FF 35 746FF367        - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CACB - FF D3                 - call ebx
WeChatWin.dll+D0CACD - 85 C0                 - test eax,eax
WeChatWin.dll+D0CACF - 0F85 1C010000         - jne WeChatWin.dll+D0CBF1
WeChatWin.dll+D0CAD5 - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CADB - FF D3                 - call ebx
WeChatWin.dll+D0CADD - 83 F8 0A              - cmp eax,0A { 10 }
WeChatWin.dll+D0CAE0 - 0F8F 75010000         - jg WeChatWin.dll+D0CC5B
WeChatWin.dll+D0CAE6 - 6A 01                 - push 01 { 1 }
WeChatWin.dll+D0CAE8 - 68 00400000           - push 00004000 { 16384 }
WeChatWin.dll+D0CAED - E8 D6293D00           - call WeChatWin.dll+10DF4C8
WeChatWin.dll+D0CAF2 - 83 C4 08              - add esp,08 { 8 }
WeChatWin.dll+D0CAF5 - 8B F8                 - mov edi,eax
WeChatWin.dll+D0CAF7 - A1 58E2B167           - mov eax,[WeChatWin.dll+11FE258] { (76EBEF90) }
WeChatWin.dll+D0CAFC - 57                    - push edi
WeChatWin.dll+D0CAFD - FF 35 746FF367        - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CB03 - FF D0                 - call eax
WeChatWin.dll+D0CB05 - 57                    - push edi
WeChatWin.dll+D0CB06 - FF 35 786FF367        - push [WeChatWin.dll+1616F78] { (679FE330) }
WeChatWin.dll+D0CB0C - 68 746FF367           - push WeChatWin.dll+1616F74 { (55) }
WeChatWin.dll+D0CB11 - E8 FA050800           - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CB16 - 8B 85 E8FEFFFF        - mov eax,[ebp-00000118]
WeChatWin.dll+D0CB1C - 68 00010000           - push 00000100 { 256 }
WeChatWin.dll+D0CB21 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+D0CB23 - 0F10 00               - movups xmm0,[eax]
WeChatWin.dll+D0CB26 - 0F11 85 98FEFFFF      - movups [ebp-00000168],xmm0
WeChatWin.dll+D0CB2D - C7 85 98FEFFFF 05000000 - mov [ebp-00000168],00000005 { 5 }
WeChatWin.dll+D0CB37 - 0F10 40 10            - movups xmm0,[eax+10]
WeChatWin.dll+D0CB3B - 0F11 85 A8FEFFFF      - movups [ebp-00000158],xmm0
WeChatWin.dll+D0CB42 - 0F10 40 20            - movups xmm0,[eax+20]
WeChatWin.dll+D0CB46 - 0F11 85 B8FEFFFF      - movups [ebp-00000148],xmm0
WeChatWin.dll+D0CB4D - F3 0F7E 40 30         - movq xmm0,[eax+30]
WeChatWin.dll+D0CB52 - 8D 85 F0FEFFFF        - lea eax,[ebp-00000110]
WeChatWin.dll+D0CB58 - 50                    - push eax
WeChatWin.dll+D0CB59 - 66 0FD6 85 C8FEFFFF   - movq [ebp-00000138],xmm0
WeChatWin.dll+D0CB61 - E8 CAAA3B00           - call WeChatWin.dll+10C7630
WeChatWin.dll+D0CB66 - 83 C4 18              - add esp,18 { 24 }
WeChatWin.dll+D0CB69 - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CB6F - FF D3                 - call ebx
WeChatWin.dll+D0CB71 - 50                    - push eax
WeChatWin.dll+D0CB72 - 68 2C4DB967           - push WeChatWin.dll+1274D2C { ("ERROR!!! xlogger_appender Recursive calls!!!, count:%d") }
WeChatWin.dll+D0CB77 - 8D 85 F0FEFFFF        - lea eax,[ebp-00000110]
WeChatWin.dll+D0CB7D - 68 00010000           - push 00000100 { 256 }
WeChatWin.dll+D0CB82 - 50                    - push eax
WeChatWin.dll+D0CB83 - E8 C8455BFF           - call WeChatWin.dll+2C1150
WeChatWin.dll+D0CB88 - 83 C4 10              - add esp,10 { 16 }
WeChatWin.dll+D0CB8B - 8D 8D D0FEFFFF        - lea ecx,[ebp-00000130]
WeChatWin.dll+D0CB91 - 68 00400000           - push 00004000 { 16384 }
WeChatWin.dll+D0CB96 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+D0CB98 - 57                    - push edi
WeChatWin.dll+D0CB99 - E8 820D0800           - call WeChatWin.dll+D8D920
WeChatWin.dll+D0CB9E - 8D 85 D0FEFFFF        - lea eax,[ebp-00000130]
WeChatWin.dll+D0CBA4 - C6 45 FC 02           - mov byte ptr [ebp-04],02 { 2 }
WeChatWin.dll+D0CBA8 - 50                    - push eax
WeChatWin.dll+D0CBA9 - 8D 85 F0FEFFFF        - lea eax,[ebp-00000110]
WeChatWin.dll+D0CBAF - 50                    - push eax
WeChatWin.dll+D0CBB0 - 8D 85 98FEFFFF        - lea eax,[ebp-00000168]
WeChatWin.dll+D0CBB6 - 50                    - push eax
WeChatWin.dll+D0CBB7 - E8 F4270800           - call WeChatWin.dll+D8F3B0
WeChatWin.dll+D0CBBC - 68 00100000           - push 00001000 { 4096 }
WeChatWin.dll+D0CBC1 - FF B5 ECFEFFFF        - push [ebp-00000114]
WeChatWin.dll+D0CBC7 - 57                    - push edi
WeChatWin.dll+D0CBC8 - E8 A3653D00           - call WeChatWin.dll+10E3170
WeChatWin.dll+D0CBCD - 8D 85 98FEFFFF        - lea eax,[ebp-00000168]
WeChatWin.dll+D0CBD3 - C6 87 FF0F0000 00     - mov byte ptr [edi+00000FFF],00 { 0 }
WeChatWin.dll+D0CBDA - 57                    - push edi
WeChatWin.dll+D0CBDB - 50                    - push eax
WeChatWin.dll+D0CBDC - E8 7F3BFEFF           - call WeChatWin.dll+CF0760
WeChatWin.dll+D0CBE1 - 83 C4 20              - add esp,20 { 32 }
WeChatWin.dll+D0CBE4 - 8D 8D D0FEFFFF        - lea ecx,[ebp-00000130]
WeChatWin.dll+D0CBEA - E8 116B33FF           - call WeChatWin.dll+43700
WeChatWin.dll+D0CBEF - EB 6A                 - jmp WeChatWin.dll+D0CC5B
WeChatWin.dll+D0CBF1 - FF 35 746FF367        - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CBF7 - FF D3                 - call ebx
WeChatWin.dll+D0CBF9 - 85 C0                 - test eax,eax
WeChatWin.dll+D0CBFB - 74 3A                 - je WeChatWin.dll+D0CC37
WeChatWin.dll+D0CBFD - FF 35 746FF367        - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CC03 - FF D3                 - call ebx
WeChatWin.dll+D0CC05 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+D0CC07 - FF 35 746FF367        - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CC0D - 8B F8                 - mov edi,eax
WeChatWin.dll+D0CC0F - A1 58E2B167           - mov eax,[WeChatWin.dll+11FE258] { (76EBEF90) }
WeChatWin.dll+D0CC14 - FF D0                 - call eax
WeChatWin.dll+D0CC16 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+D0CC18 - FF 35 786FF367        - push [WeChatWin.dll+1616F78] { (679FE330) }
WeChatWin.dll+D0CC1E - 68 746FF367           - push WeChatWin.dll+1616F74 { (55) }
WeChatWin.dll+D0CC23 - E8 E8040800           - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CC28 - 57                    - push edi
WeChatWin.dll+D0CC29 - E8 F2E5FFFF           - call WeChatWin.dll+D0B220
WeChatWin.dll+D0CC2E - 57                    - push edi
WeChatWin.dll+D0CC2F - E8 FC163D00           - call WeChatWin.dll+10DE330
WeChatWin.dll+D0CC34 - 83 C4 14              - add esp,14 { 20 }
WeChatWin.dll+D0CC37 - 83 3D 446BF367 01     - cmp dword ptr [WeChatWin.dll+1616B44],01 { (0),1 }
WeChatWin.dll+D0CC3E - FF B5 ECFEFFFF        - push [ebp-00000114]
WeChatWin.dll+D0CC44 - FF B5 E8FEFFFF        - push [ebp-00000118]
WeChatWin.dll+D0CC4A - 75 07                 - jne WeChatWin.dll+D0CC53
WeChatWin.dll+D0CC4C - E8 6FC7FFFF           - call WeChatWin.dll+D093C0
WeChatWin.dll+D0CC51 - EB 05                 - jmp WeChatWin.dll+D0CC58
WeChatWin.dll+D0CC53 - E8 C8C5FFFF           - call WeChatWin.dll+D09220
WeChatWin.dll+D0CC58 - 83 C4 08              - add esp,08 { 8 }
WeChatWin.dll+D0CC5B - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CC61 - C6 45 FC 03           - mov byte ptr [ebp-04],03 { 3 }
WeChatWin.dll+D0CC65 - FF D3                 - call ebx
WeChatWin.dll+D0CC67 - 8D 78 FF              - lea edi,[eax-01]
WeChatWin.dll+D0CC6A - 57                    - push edi
WeChatWin.dll+D0CC6B - FF 35 686FF367        - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CC71 - FF 15 58E2B167        - call dword ptr [WeChatWin.dll+11FE258] { ->KERNEL32.TlsSetValue }
WeChatWin.dll+D0CC77 - 57                    - push edi
WeChatWin.dll+D0CC78 - FF 35 6C6FF367        - push [WeChatWin.dll+1616F6C] { (0) }
WeChatWin.dll+D0CC7E - 68 686FF367           - push WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CC83 - E8 88040800           - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CC88 - 83 C4 0C              - add esp,0C { 12 }
WeChatWin.dll+D0CC8B - E8 29143D00           - call WeChatWin.dll+10DE0B9
WeChatWin.dll+D0CC90 - 89 30                 - mov [eax],esi
WeChatWin.dll+D0CC92 - 8B 4D F4              - mov ecx,[ebp-0C]
WeChatWin.dll+D0CC95 - 64 89 0D 00000000     - mov fs:[00000000],ecx { 0 }
WeChatWin.dll+D0CC9C - 59                    - pop ecx
WeChatWin.dll+D0CC9D - 5F                    - pop edi
WeChatWin.dll+D0CC9E - 5E                    - pop esi
WeChatWin.dll+D0CC9F - 5B                    - pop ebx
WeChatWin.dll+D0CCA0 - 8B 4D F0              - mov ecx,[ebp-10]
WeChatWin.dll+D0CCA3 - 33 CD                 - xor ecx,ebp
WeChatWin.dll+D0CCA5 - E8 3314FDFF           - call WeChatWin.dll+CDE0DD
WeChatWin.dll+D0CCAA - 8B E5                 - mov esp,ebp
WeChatWin.dll+D0CCAC - 5D                    - pop ebp
WeChatWin.dll+D0CCAD - C3                    - ret

2.2. Locating the debug level

2.2.1. Version 2.8.0.133

Base address
WeChatWin.dll + 0x15C6D54

# WeChat sets the value at this address to 2, so only messages above kLevelDebug are output
# Change it to 0, i.e. kLevelAll or kLevelVerbose, and all debug information is output
CE code
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>1</ID>
      <Description>"调试级别"</Description>
      <LastState Value="2" RealAddress="54BC6D54"/>
      <VariableType>4 Bytes</VariableType>
      <Address>WeChatWin.dll + 0x15C6D54</Address>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
Signature
56 89 9D F0 FB FF FF
Assembly

First function

WeChatWin.dll+CE1430 - 55                    - push ebp
WeChatWin.dll+CE1431 - 8B EC                 - mov ebp,esp
WeChatWin.dll+CE1433 - 81 EC 10040000        - sub esp,00000410 { 1040 }
WeChatWin.dll+CE1439 - A1 946BEE67           - mov eax,[WeChatWin.dll+15C6B94] { (-763891070) }
WeChatWin.dll+CE143E - 33 C5                 - xor eax,ebp
WeChatWin.dll+CE1440 - 89 45 FC              - mov [ebp-04],eax
WeChatWin.dll+CE1443 - 8B 45 10              - mov eax,[ebp+10]
WeChatWin.dll+CE1446 - 53                    - push ebx
WeChatWin.dll+CE1447 - 56                    - push esi
WeChatWin.dll+CE1448 - 8B 75 08              - mov esi,[ebp+08]
WeChatWin.dll+CE144B - 8B D9                 - mov ebx,ecx
WeChatWin.dll+CE144D - 57                    - push edi
WeChatWin.dll+CE144E - 89 85 F8FBFFFF        - mov [ebp-00000408],eax
WeChatWin.dll+CE1454 - 8B 45 20              - mov eax,[ebp+20]
WeChatWin.dll+CE1457 - 56                    - push esi
WeChatWin.dll+CE1458 - 89 9D F0FBFFFF        - mov [ebp-00000410],ebx
WeChatWin.dll+CE145E - 89 85 F4FBFFFF        - mov [ebp-0000040C],eax

# --------------------------------------------------------------------------------

WeChatWin.dll+CE1464 - E8 F7BD0200           - call WeChatWin.dll+D0D260

#  Step into this call, WeChatWin.dll+D0D260; see the analysis of the second function below

# --------------------------------------------------------------------------------

WeChatWin.dll+CE1469 - 85 C0                 - test eax,eax
WeChatWin.dll+CE146B - 8D 7B 08              - lea edi,[ebx+08]
WeChatWin.dll+CE146E - 6A 38                 - push 38 { 56 }
WeChatWin.dll+CE1470 - 0F95 C0               - setne al
WeChatWin.dll+CE1473 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+CE1475 - 57                    - push edi
WeChatWin.dll+CE1476 - 88 03                 - mov [ebx],al
WeChatWin.dll+CE1478 - E8 B3613E00           - call WeChatWin.dll+10C7630
WeChatWin.dll+CE147D - 0F57 C0               - xorps xmm0,xmm0
WeChatWin.dll+CE1480 - 83 C4 10              - add esp,10 { 16 }
WeChatWin.dll+CE1483 - 66 0FD6 83 C0000000   - movq [ebx+000000C0],xmm0
WeChatWin.dll+CE148B - C7 83 DC000000 0F000000 - mov [ebx+000000DC],0000000F { 15 }
WeChatWin.dll+CE1495 - C7 83 D8000000 00000000 - mov [ebx+000000D8],00000000 { 0 }
WeChatWin.dll+CE149F - C6 83 C8000000 00     - mov byte ptr [ebx+000000C8],00 { 0 }
WeChatWin.dll+CE14A6 - 80 3B 00              - cmp byte ptr [ebx],00 { 0 }
WeChatWin.dll+CE14A9 - 89 37                 - mov [edi],esi
WeChatWin.dll+CE14AB - 0F84 C7000000         - je WeChatWin.dll+CE1578
WeChatWin.dll+CE14B1 - 8B 45 0C              - mov eax,[ebp+0C]
WeChatWin.dll+CE14B4 - 8D 73 1C              - lea esi,[ebx+1C]
WeChatWin.dll+CE14B7 - 89 43 0C              - mov [ebx+0C],eax
WeChatWin.dll+CE14BA - 8B 45 14              - mov eax,[ebp+14]
WeChatWin.dll+CE14BD - 89 43 10              - mov [ebx+10],eax
WeChatWin.dll+CE14C0 - 8B 45 18              - mov eax,[ebp+18]
WeChatWin.dll+CE14C3 - 89 43 14              - mov [ebx+14],eax
WeChatWin.dll+CE14C6 - 8B 45 1C              - mov eax,[ebp+1C]
WeChatWin.dll+CE14C9 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+CE14CB - 56                    - push esi
WeChatWin.dll+CE14CC - 89 43 18              - mov [ebx+18],eax
WeChatWin.dll+CE14CF - E8 5C660300           - call WeChatWin.dll+D17B30
WeChatWin.dll+CE14D4 - 68 80000000           - push 00000080 { 128 }
WeChatWin.dll+CE14D9 - FF B5 F8FBFFFF        - push [ebp-00000408]
WeChatWin.dll+CE14DF - 8D 7B 40              - lea edi,[ebx+40]
WeChatWin.dll+CE14E2 - C7 43 28 FFFFFFFF     - mov [ebx+28],FFFFFFFF { -1 }
WeChatWin.dll+CE14E9 - 57                    - push edi
WeChatWin.dll+CE14EA - C7 43 2C FFFFFFFF     - mov [ebx+2C],FFFFFFFF { -1 }
WeChatWin.dll+CE14F1 - C7 43 30 FFFFFFFF     - mov [ebx+30],FFFFFFFF { -1 }
WeChatWin.dll+CE14F8 - C7 43 34 FFFFFFFF     - mov [ebx+34],FFFFFFFF { -1 }
WeChatWin.dll+CE14FF - C7 43 38 FFFFFFFF     - mov [ebx+38],FFFFFFFF { -1 }
WeChatWin.dll+CE1506 - C7 43 3C FFFFFFFF     - mov [ebx+3C],FFFFFFFF { -1 }
WeChatWin.dll+CE150D - E8 2EEE3F00           - call WeChatWin.dll+10E0340
WeChatWin.dll+CE1512 - C6 83 BF000000 00     - mov byte ptr [ebx+000000BF],00 { 0 }
WeChatWin.dll+CE1519 - 8B 06                 - mov eax,[esi]
WeChatWin.dll+CE151B - 89 83 C0000000        - mov [ebx+000000C0],eax
WeChatWin.dll+CE1521 - 8B 46 04              - mov eax,[esi+04]
WeChatWin.dll+CE1524 - 68 00040000           - push 00000400 { 1024 }
WeChatWin.dll+CE1529 - 89 83 C4000000        - mov [ebx+000000C4],eax
WeChatWin.dll+CE152F - 8D 85 FCFBFFFF        - lea eax,[ebp-00000404]
WeChatWin.dll+CE1535 - 6A 00                 - push 00 { 0 }
WeChatWin.dll+CE1537 - 50                    - push eax
WeChatWin.dll+CE1538 - E8 F3603E00           - call WeChatWin.dll+10C7630
WeChatWin.dll+CE153D - 8B 8D F4FBFFFF        - mov ecx,[ebp-0000040C]
WeChatWin.dll+CE1543 - B8 58CEC867           - mov eax,WeChatWin.dll+136CE58 { (0) }
WeChatWin.dll+CE1548 - 85 C9                 - test ecx,ecx
WeChatWin.dll+CE154A - 0F45 C1               - cmovne eax,ecx
WeChatWin.dll+CE154D - 50                    - push eax
WeChatWin.dll+CE154E - 57                    - push edi
WeChatWin.dll+CE154F - 68 F81AB967           - push WeChatWin.dll+1271AF8 { ("-> %s %s") }
WeChatWin.dll+CE1554 - 8D 85 FCFBFFFF        - lea eax,[ebp-00000404]
WeChatWin.dll+CE155A - 68 00040000           - push 00000400 { 1024 }
WeChatWin.dll+CE155F - 50                    - push eax
WeChatWin.dll+CE1560 - E8 EBFB5DFF           - call WeChatWin.dll+2C1150
WeChatWin.dll+CE1565 - 8D 85 FCFBFFFF        - lea eax,[ebp-00000404]
WeChatWin.dll+CE156B - 50                    - push eax
WeChatWin.dll+CE156C - 8D 43 08              - lea eax,[ebx+08]
WeChatWin.dll+CE156F - 50                    - push eax
WeChatWin.dll+CE1570 - E8 3BBD0200           - call WeChatWin.dll+D0D2B0
WeChatWin.dll+CE1575 - 83 C4 3C              - add esp,3C { 60 }
WeChatWin.dll+CE1578 - 8B 4D FC              - mov ecx,[ebp-04]
WeChatWin.dll+CE157B - 8B C3                 - mov eax,ebx
WeChatWin.dll+CE157D - 5F                    - pop edi
WeChatWin.dll+CE157E - 5E                    - pop esi
WeChatWin.dll+CE157F - 33 CD                 - xor ecx,ebp
WeChatWin.dll+CE1581 - 5B                    - pop ebx
WeChatWin.dll+CE1582 - E8 56CBFFFF           - call WeChatWin.dll+CDE0DD
WeChatWin.dll+CE1587 - 8B E5                 - mov esp,ebp
WeChatWin.dll+CE1589 - 5D                    - pop ebp
WeChatWin.dll+CE158A - C2 1C00               - ret 001C { 28 }

Second function

WeChatWin.dll+D0D260 - 55                    - push ebp
WeChatWin.dll+D0D261 - 8B EC                 - mov ebp,esp

# --------------------------------------------------------------------------------

WeChatWin.dll+D0D263 - 8B 0D 546DEE67        - mov ecx,[WeChatWin.dll+15C6D54] { (2) }

#  WeChatWin.dll+15C6D54 is the address of the debug level

# --------------------------------------------------------------------------------

WeChatWin.dll+D0D269 - 33 C0                 - xor eax,eax
WeChatWin.dll+D0D26B - 3B 4D 08              - cmp ecx,[ebp+08]
WeChatWin.dll+D0D26E - 0F9E C0               - setle al
WeChatWin.dll+D0D271 - 5D                    - pop ebp
WeChatWin.dll+D0D272 - C3                    - ret

2.3. Locating the debug output code

2.3.1. Version 2.8.0.133

Base address
WeChatWin.dll + 0xCF0813

# 6 bytes need to be hooked:
# WeChatWin.dll+CF0813 - 83 C4 4C              - add esp,4C { 76 }
# WeChatWin.dll+CF0816 - 5E                    - pop esi
# WeChatWin.dll+CF0817 - 85 C9                 - test ecx,ecx

# The debug output data is at [ebp - 0x40E0]
Breakpoint debugging

After finding the debug-enable base address, set a breakpoint (see the comment in the assembly listing of section 2.1.1)

When the breakpoint fires, first press F7 to step into call WeChatWin.dll+D0D260

In the assembly below, find add esp,4C near the end of the function, set a breakpoint on it, then press F9 to let the program continue; execution stops at that breakpoint

Right-click the stack window and choose full-stack mode; the stack then looks like this:

0EFFA28C(ebp-40E0)   - 0EFFA2E8             - (pointer)0EFFA2E8   
0EFFA290(ebp-40DC)   - 00004000             - (双字)00004000(16384)
0EFFA294(ebp-40D8)   - 67B92D94             - (pointer)WeChatWin.dll+1272D94
0EFFA298(ebp-40D4)   - 67DAFC54             - (pointer)WeChatWin.dll+148FC54
0EFFA29C(ebp-40D0)   - 0EFFF5F8             - (pointer)0EFFF5F8   
0EFFA2A0(ebp-40CC)   - 67CEAF34             - (pointer)WeChatWin.dll+13CAF34
0EFFA2A4(ebp-40C8)   - 0EFFE2E8             - (pointer)0EFFE2E8   
0EFFA2A8(ebp-40C4)   - 00000350             - (双字)00000350(848)
0EFFA2AC(ebp-40C0)   - 0EFFE5BD             - (pointer)0EFFE5BD   
0EFFA2B0(ebp-40BC)   - 0EFFA2E8             - (pointer)0EFFA2E8   
0EFFA2B4(ebp-40B8)   - 00000000             - (双字)00000000(0) 
0EFFA2B8(ebp-40B4)   - 00004000             - (双字)00004000(16384)
0EFFA2BC(ebp-40B0)   - 67CEAF24             - (pointer)WeChatWin.dll+13CAF24
0EFFA2C0(ebp-40AC)   - 67CEB244             - (pointer)WeChatWin.dll+13CB244
0EFFA2C4(ebp-40A8)   - 0EFFE2E8             - (pointer)0EFFE2E8   
0EFFA2C8(ebp-40A4)   - 00000080             - (双字)00000080(128)
0EFFA2CC(ebp-40A0)   - 0EFFE2E8             - (pointer)0EFFE2E8   
0EFFA2D0(ebp-409C)   - 00000000             - (双字)00000000(0) 
0EFFA2D4(ebp-4098)   - 00000080             - (双字)00000080(128)
0EFFA2D8(ebp-4094)   - 00000000             - (双字)00000000(0) 
0EFFA2DC(ebp-4090)   - 00000001             - (双字)00000001(1) 
0EFFA2E0(ebp-408C)   - 76EBEF40             - (pointer)KERNEL32.TlsGetValue
0EFFA2E4(ebp-4088)   - 0EFFA328             - (pointer)0EFFA328   
0EFFA2E8(ebp-4084)   - 5B5D495B             - [I][                
0EFFA2EC(ebp-4080)   - 43504D4D             - MMPC                
0EFFA2F0(ebp-407C)   - 5354465F             - _FTS

Click the top-of-stack entry 0EFFA28C(ebp-40E0); the memory window jumps to 0EFFA2E8 and shows the following:

0EFFA2E8  5B 49 5D 5B 4D 4D 50 43  [I][MMPC
0EFFA2F0  5F 46 54 53 54 68 72 65  _FTSThre
0EFFA2F8  61 64 48 65 6C 70 65 72  adHelper
0EFFA300  5D 5B 46 54 53 54 68 72  ][FTSThr
0EFFA308  65 61 64 48 65 6C 70 65  eadHelpe
0EFFA310  72 2E 63 70 70 2C 20 46  r.cpp, F
0EFFA318  54 53 54 68 72 65 61 64  TSThread
0EFFA320  48 65 6C 70 65 72 3A 3A  Helper::
0EFFA328  50 72 6F 63 65 73 73 43  ProcessC
0EFFA330  68 61 74 4D 73 67 4A 6F  hatMsgJo
0EFFA338  62 49 74 65 6D 2C 20 38  bItem, 8
0EFFA340  34 38 5D 5B 52 61 6E 67  48][Rang
0EFFA348  65 49 6E 66 6F 20 55 70  eInfo Up
0EFFA350  64 61 74 65 52 61 6E 67  dateRang
0EFFA358  65 54 6F 20 44 42 20 52  eTo DB R
0EFFA360  61 6E 67 65 20 3A 20 53  ange : S
0EFFA368  74 61 72 74 20 49 6E 64  tart Ind
0EFFA370  65 78 20 3A 20 31 2C 20  ex : 1, 
0EFFA378  53 74 61 72 74 20 49 64  Start Id
0EFFA380  20 3A 20 31 20 65 6E 64   : 1 end
0EFFA388  49 64 20 31 32 37 34 2C  Id 1274,
0EFFA390  20 45 6E 64 20 49 6E 64   End Ind
0EFFA398  65 78 20 3A 20 30 2C 20  ex : 0, 
0EFFA3A0  53 74 61 72 74 49 64 20  StartId 
0EFFA3A8  3A 20 31 31 34 31 32 32  : 114122
0EFFA3B0  20 45 6E 64 49 64 20 31   EndId 1
0EFFA3B8  31 34 31 32 32 0A 0A 00  14122...

So ebp-40E0 is the debug output data

Signature
68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 C4 ?? 5E
Assembly
WeChatWin.dll+CF0760 - 55                    - push ebp
WeChatWin.dll+CF0761 - 8B EC                 - mov ebp,esp
WeChatWin.dll+CF0763 - B8 88400000           - mov eax,00004088 { 16520 }
WeChatWin.dll+CF0768 - E8 A3E4FEFF           - call WeChatWin.dll+CDEC10
WeChatWin.dll+CF076D - A1 946BEE67           - mov eax,[WeChatWin.dll+15C6B94] { (-714801034) }
WeChatWin.dll+CF0772 - 33 C5                 - xor eax,ebp
WeChatWin.dll+CF0774 - 89 45 FC              - mov [ebp-04],eax
WeChatWin.dll+CF0777 - 53                    - push ebx
WeChatWin.dll+CF0778 - 8B 5D 0C              - mov ebx,[ebp+0C]
WeChatWin.dll+CF077B - 57                    - push edi
WeChatWin.dll+CF077C - 8B 7D 08              - mov edi,[ebp+08]
WeChatWin.dll+CF077F - 85 FF                 - test edi,edi
WeChatWin.dll+CF0781 - 0F84 AC000000         - je WeChatWin.dll+CF0833
WeChatWin.dll+CF0787 - 85 DB                 - test ebx,ebx
WeChatWin.dll+CF0789 - 0F84 A4000000         - je WeChatWin.dll+CF0833
WeChatWin.dll+CF078F - 56                    - push esi
WeChatWin.dll+CF0790 - 68 80000000           - push 00000080 { 128 }
WeChatWin.dll+CF0795 - 8D 85 7CFFFFFF        - lea eax,[ebp-00000084]
WeChatWin.dll+CF079B - 6A 00                 - push 00 { 0 }
WeChatWin.dll+CF079D - 50                    - push eax
WeChatWin.dll+CF079E - E8 8D6E3D00           - call WeChatWin.dll+10C7630
WeChatWin.dll+CF07A3 - 68 80000000           - push 00000080 { 128 }
WeChatWin.dll+CF07A8 - 8D 85 7CFFFFFF        - lea eax,[ebp-00000084]
WeChatWin.dll+CF07AE - 50                    - push eax
WeChatWin.dll+CF07AF - FF 77 0C              - push [edi+0C]
WeChatWin.dll+CF07B2 - E8 59D40400           - call WeChatWin.dll+D3DC10
WeChatWin.dll+CF07B7 - FF 77 08              - push [edi+08]
WeChatWin.dll+CF07BA - E8 11D40400           - call WeChatWin.dll+D3DBD0
WeChatWin.dll+CF07BF - 68 00400000           - push 00004000 { 16384 }
WeChatWin.dll+CF07C4 - 8B F0                 - mov esi,eax
WeChatWin.dll+CF07C6 - 8D 85 7CBFFFFF        - lea eax,[ebp-00004084]
WeChatWin.dll+CF07CC - 6A 00                 - push 00 { 0 }
WeChatWin.dll+CF07CE - 50                    - push eax
WeChatWin.dll+CF07CF - E8 5C6E3D00           - call WeChatWin.dll+10C7630
WeChatWin.dll+CF07D4 - 8B 4F 04              - mov ecx,[edi+04]
WeChatWin.dll+CF07D7 - 8D 85 7CFFFFFF        - lea eax,[ebp-00000084]
WeChatWin.dll+CF07DD - 53                    - push ebx
WeChatWin.dll+CF07DE - FF 77 10              - push [edi+10]
WeChatWin.dll+CF07E1 - 85 C9                 - test ecx,ecx
WeChatWin.dll+CF07E3 - BA 58CEC867           - mov edx,WeChatWin.dll+136CE58 { (0) }
WeChatWin.dll+CF07E8 - 50                    - push eax
WeChatWin.dll+CF07E9 - 8B 07                 - mov eax,[edi]
WeChatWin.dll+CF07EB - 0F45 D1               - cmovne edx,ecx
WeChatWin.dll+CF07EE - 56                    - push esi
WeChatWin.dll+CF07EF - 52                    - push edx
WeChatWin.dll+CF07F0 - FF 34 85 1C6CEE67     - push [eax*4+WeChatWin.dll+15C6C1C]
WeChatWin.dll+CF07F7 - 8D 85 7CBFFFFF        - lea eax,[ebp-00004084]
WeChatWin.dll+CF07FD - 68 942DB967           - push WeChatWin.dll+1272D94 { ("[%s][%s][%s, %s, %d][%s\n") }
WeChatWin.dll+CF0802 - 68 00400000           - push 00004000 { 16384 }
WeChatWin.dll+CF0807 - 50                    - push eax
WeChatWin.dll+CF0808 - E8 43095DFF           - call WeChatWin.dll+2C1150
WeChatWin.dll+CF080D - 8B 0D 0467F367        - mov ecx,[WeChatWin.dll+1616704] { (0) }

# --------------------------------------------------------------------------------

#  Hook point
# Note this version's address, WeChatWin.dll+CF0813; add it manually, right-click and choose "Disassemble this memory region" to get here

WeChatWin.dll+CF0813 - 83 C4 4C              - add esp,4C { 76 }

# --------------------------------------------------------------------------------

WeChatWin.dll+CF0816 - 5E                    - pop esi
WeChatWin.dll+CF0817 - 85 C9                 - test ecx,ecx
WeChatWin.dll+CF0819 - 74 18                 - je WeChatWin.dll+CF0833
WeChatWin.dll+CF081B - 8D 85 7CBFFFFF        - lea eax,[ebp-00004084]
WeChatWin.dll+CF0821 - 89 85 78BFFFFF        - mov [ebp-00004088],eax
WeChatWin.dll+CF0827 - 8D 95 78BFFFFF        - lea edx,[ebp-00004088]
WeChatWin.dll+CF082D - 8B 01                 - mov eax,[ecx]
WeChatWin.dll+CF082F - 52                    - push edx
WeChatWin.dll+CF0830 - FF 50 08              - call dword ptr [eax+08]
WeChatWin.dll+CF0833 - 8B 4D FC              - mov ecx,[ebp-04]
WeChatWin.dll+CF0836 - 5F                    - pop edi
WeChatWin.dll+CF0837 - 33 CD                 - xor ecx,ebp
WeChatWin.dll+CF0839 - 5B                    - pop ebx
WeChatWin.dll+CF083A - E8 9ED8FEFF           - call WeChatWin.dll+CDE0DD
WeChatWin.dll+CF083F - 8B E5                 - mov esp,ebp
WeChatWin.dll+CF0841 - 5D                    - pop ebp
WeChatWin.dll+CF0842 - C3                    - ret

2.4. Calling the debug function

2.4.1. Finding OutputDebugString

In CE's Memory Viewer, choose View - Enumerate DLLs and Symbols to open the Enumerate DLLs window

Press Ctrl + F and search for OutputDebugStringA

754D9DA0 - KERNEL32.OutputDebugStringA

The address of OutputDebugStringA is therefore 754D9DA0

2.4.2. Injecting the code

Select the hook-point location from section 2.3.1 (WeChatWin.dll + 0xCF0813)

In CE's Memory Viewer, choose Tools - Auto Assemble to open the Auto Assemble window

If this is your first time, choose Template - Code injection to generate a template, then adjust it slightly to get the following:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access

// ---------- 添加注入代码开始 ----------

pushad

// Old approach
// push [ebp-0x40E0]    // ebp-0x40E0 holds the debug data, see section 2.3.1

// The earlier version did push [ebp-0x40E0]; later it turned out the pointer can be taken directly from esp. Because the injected code has already done pushad, esp has moved down by 0x20, so push [esp+20h] is what is needed
push [esp+20h]

call 0x754D9DA0      // 0x754D9DA0 is the address of OutputDebugStringA, see section 2.4.1
popad

// ---------- 添加注入代码结束 ----------

originalcode:
add esp,4C
pop esi
test ecx,ecx

exit:
jmp returnhere

"WeChatWin.dll"+CF0813:
jmp newmem
nop
returnhere:

Choose Execute. A new row appears in the CE main window; rename it to OutPutDebug and activate it (tick the checkbox in front of it)

2.4.3. Running DebugView

With the debug switch and debug level set and the injected code active, the debug output can be seen in DebugView

3. Base addresses by version

3.1. Version 2.8.0.112

Item         | Address                   | Note
Debug enable | WeChatWin.dll + 0x160E9C1 | Set to 1 to turn on debug output; WeChat's default is 0
Debug level  | WeChatWin.dll + 0x15BED54 | Set to 0 to output all debug information; WeChat's default is 2
Log function | WeChatWin.dll + 0x0CE9983 | -

3.2. Version 2.8.0.133

Item         | Address                   | Note
Debug enable | WeChatWin.dll + 0x1616B21 | Set to 1 to turn on debug output; WeChat's default is 0
Debug level  | WeChatWin.dll + 0x15C6D54 | Set to 0 to output all debug information; WeChat's default is 2
Log function | WeChatWin.dll + 0x0CF0813 | -
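Added example (not the post's or WeChat's own code): a Python signature scanner that derives the three 2.8.0.133 addresses in the table above from the wildcard signatures given in sections 2.1, 2.2 and 2.3, which is what those signatures are for when a new build moves the addresses. It runs offline on constructed test data: the byte fragments are copied from the listings above and placed at their RVAs in a zero-filled fake image, and the load base 0x66920000 is an assumption derived from the listing (WeChatWin.dll+1616B21 is shown as 67F36B21).

```python
"""Re-locate WeChat 2.8.0.133's debug globals from the post's wildcard signatures."""
import re
import struct

# Signatures quoted in sections 2.1, 2.2 and 2.3 of the post ("??" = any byte).
SIG_DEBUG_SWITCH = "74 14 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83"
SIG_DEBUG_LEVEL = "56 89 9D F0 FB FF FF"
SIG_LOG_HOOK = "68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 C4 ?? 5E"

# Constructed test data: byte fragments copied from the listings above, keyed by RVA.
FRAGMENTS = {
    # cmp byte ptr [WeChatWin.dll+1616B21],00 / je / push / push / call CF0760 / add esp,08
    0xD0CA97: bytes.fromhex("803D216BF36700 7414 FFB5ECFEFFFF FFB5E8FEFFFF E8AF3CFEFF 83C408"),
    # push esi / mov [ebp-410],ebx / mov [ebp-40C],eax / call WeChatWin.dll+D0D260
    0xCE1457: bytes.fromhex("56 899DF0FBFFFF 8985F4FBFFFF E8F7BD0200"),
    # push ebp / mov ebp,esp / mov ecx,[WeChatWin.dll+15C6D54]
    0xD0D260: bytes.fromhex("55 8BEC 8B0D546DEE67"),
    # push fmt / push 4000 / push eax / call sprintf / mov ecx,[...] / add esp,4C / pop esi
    0xCF07FD: bytes.fromhex("68942DB967 6800400000 50 E843095DFF 8B0D0467F367 83C44C 5E"),
}
# Assumed load base of the listing session: WeChatWin.dll+1616B21 is shown as 67F36B21.
LISTING_BASE = 0x67F36B21 - 0x1616B21
IMAGE_SIZE = 0xD0D300


def build_image() -> bytes:
    """Zero-filled fake image with the fragments at their RVAs (stand-in for a real dump)."""
    image = bytearray(IMAGE_SIZE)
    for rva, frag in FRAGMENTS.items():
        image[rva:rva + len(frag)] = frag
    return bytes(image)


def sig_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Turn 'AA ?? BB' into a bytes regex; '??' becomes '.' (any single byte)."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_unique(image: bytes, sig: str) -> int:
    """Offset of the signature; refuse ambiguous or missing matches instead of guessing."""
    hits = [m.start() for m in sig_to_regex(sig).finditer(image)]
    if len(hits) != 1:
        raise LookupError(f"signature {sig!r}: expected 1 hit, got {len(hits)}")
    return hits[0]


def u32(image: bytes, off: int) -> int:
    return struct.unpack_from("<I", image, off)[0]


def s32(image: bytes, off: int) -> int:
    return struct.unpack_from("<i", image, off)[0]


def debug_switch_rva(image: bytes, base: int) -> int:
    """The 'je' that opens the signature follows 'cmp byte ptr [abs32],0' (80 3D imm32 00)."""
    je = find_unique(image, SIG_DEBUG_SWITCH)
    cmp_at = je - 7
    if image[cmp_at:cmp_at + 2] != b"\x80\x3d" or image[cmp_at + 6] != 0:
        raise ValueError("instruction before je is not 'cmp byte ptr [abs32],0'")
    return u32(image, cmp_at + 2) - base


def debug_level_rva(image: bytes, base: int) -> int:
    """Follow the E8 call 13 bytes past the signature, then read 'mov ecx,[abs32]' in the callee."""
    sig = find_unique(image, SIG_DEBUG_LEVEL)
    call_at = sig + 13                      # push esi (1) + two 6-byte movs
    if image[call_at] != 0xE8:
        raise ValueError("expected a rel32 call after the signature")
    target = call_at + 5 + s32(image, call_at + 1)
    prologue = b"\x55\x8b\xec\x8b\x0d"      # push ebp / mov ebp,esp / mov ecx,[imm32]
    if image[target:target + 5] != prologue:
        raise ValueError("callee prologue does not match the level-check function")
    return u32(image, target + 5) - base


def log_hook_rva(image: bytes) -> int:
    """'add esp,4C' sits 22 bytes into the hook signature; the hook goes on that instruction."""
    return find_unique(image, SIG_LOG_HOOK) + 22


def relocate(image: bytes, base: int) -> dict:
    return {
        "debug_switch": debug_switch_rva(image, base),
        "debug_level": debug_level_rva(image, base),
        "log_hook": log_hook_rva(image),
    }


if __name__ == "__main__":
    for name, rva in relocate(build_image(), LISTING_BASE).items():
        print(f"{name:13s} WeChatWin.dll + 0x{rva:X}")
```

Against a real dump, replace build_image() with the bytes of the loaded module and pass its actual load base; the three checks raise instead of returning a wrong address when a build changes the surrounding instructions.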

Latest replies (6)
KingSelyF 1 2020-7-15 11:26
I've recently been organizing my study notes and will post them one by one; most are my own run-throughs of articles by the experts here.
KingSelyF 1 2020-7-15 11:37

Of course you don't have to use DebugView; you can hook it directly in your own code.

Here's a simple code example:

__asm {
    pushad                      // save all registers; this moves esp down by 0x20
    push dword ptr [esp+20h]    // so the log buffer pointer that was at [esp] is now at [esp+20h]
    call myDebugFunc            // assumed __stdcall (callee pops its argument) like OutputDebugStringA; a __cdecl callee needs add esp,4 before popad
    popad
}


phpnec 2020-7-15 13:48
乐活 2020-7-15 15:36
Expert.
code_return 2020-7-15 21:50
Expert.
弯湾儿 2020-8-7 17:27
Learning...