PC WeChat: Enabling Debug Output
Author: 御风
Date: 28 March 2020
Description: enabling WeChat debug output
Version: 2.8.0.133
1. Reference
PC微信逆向分析の强制输出微信调式信息 (PC WeChat reverse analysis: forcing WeChat to output debug information)
2. Cheat Engine procedure
2.1. Locating the "debug enabled" flag
2.1.1. Version 2.8.0.133
Base address
WeChatWin.dll + 0x1616B21
# In WeChat this byte is set to 0, so no debug information is output
# Changing it to 1 turns the debug output switch on
CE code
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>0</ID>
<Description>"是否启用调试"</Description>
<LastState Value="0" RealAddress="54C16B21"/>
<VariableType>4 Bytes</VariableType>
<Address>WeChatWin.dll + 0x1616B21</Address>
</CheatEntry>
</CheatEntries>
</CheatTable>
Signature
74 14 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83
Disassembly
WeChatWin.dll+D0C990 - 55 - push ebp
WeChatWin.dll+D0C991 - 8B EC - mov ebp,esp
WeChatWin.dll+D0C993 - 6A FF - push -01 { 255 }
WeChatWin.dll+D0C995 - 68 67ABAA67 - push WeChatWin.dll+118AB67 { (139) }
WeChatWin.dll+D0C99A - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
WeChatWin.dll+D0C9A0 - 50 - push eax
WeChatWin.dll+D0C9A1 - 81 EC 5C010000 - sub esp,0000015C { 348 }
WeChatWin.dll+D0C9A7 - A1 946BEE67 - mov eax,[WeChatWin.dll+15C6B94] { (-763891070) }
WeChatWin.dll+D0C9AC - 33 C5 - xor eax,ebp
WeChatWin.dll+D0C9AE - 89 45 F0 - mov [ebp-10],eax
WeChatWin.dll+D0C9B1 - 53 - push ebx
WeChatWin.dll+D0C9B2 - 56 - push esi
WeChatWin.dll+D0C9B3 - 57 - push edi
WeChatWin.dll+D0C9B4 - 50 - push eax
WeChatWin.dll+D0C9B5 - 8D 45 F4 - lea eax,[ebp-0C]
WeChatWin.dll+D0C9B8 - 64 A3 00000000 - mov fs:[00000000],eax { 0 }
WeChatWin.dll+D0C9BE - 80 3D 4C6DEE67 00 - cmp byte ptr [WeChatWin.dll+15C6D4C],00 { (0),0 }
WeChatWin.dll+D0C9C5 - 8B 45 08 - mov eax,[ebp+08]
WeChatWin.dll+D0C9C8 - 89 85 E8FEFFFF - mov [ebp-00000118],eax
WeChatWin.dll+D0C9CE - 8B 45 0C - mov eax,[ebp+0C]
WeChatWin.dll+D0C9D1 - 89 85 ECFEFFFF - mov [ebp-00000114],eax
WeChatWin.dll+D0C9D7 - 0F85 B5020000 - jne WeChatWin.dll+D0CC92
WeChatWin.dll+D0C9DD - E8 D7163D00 - call WeChatWin.dll+10DE0B9
WeChatWin.dll+D0C9E2 - 8B 30 - mov esi,[eax]
WeChatWin.dll+D0C9E4 - 89 B5 E4FEFFFF - mov [ebp-0000011C],esi
WeChatWin.dll+D0C9EA - A1 706FF367 - mov eax,[WeChatWin.dll+1616F70] { (3) }
WeChatWin.dll+D0C9EF - C7 45 FC 00000000 - mov [ebp-04],00000000 { 0 }
WeChatWin.dll+D0C9F6 - A8 01 - test al,01 { 1 }
WeChatWin.dll+D0C9F8 - 75 2A - jne WeChatWin.dll+D0CA24
WeChatWin.dll+D0C9FA - 83 C8 01 - or eax,01 { 1 }
WeChatWin.dll+D0C9FD - A3 706FF367 - mov [WeChatWin.dll+1616F70],eax { (3) }
WeChatWin.dll+D0CA02 - FF 15 68E2B167 - call dword ptr [WeChatWin.dll+11FE268] { ->->KERNELBASE.TlsAlloc }
WeChatWin.dll+D0CA08 - 68 2046B167 - push WeChatWin.dll+11F4620 { (255) }
WeChatWin.dll+D0CA0D - A3 686FF367 - mov [WeChatWin.dll+1616F68],eax { (54) }
WeChatWin.dll+D0CA12 - C7 05 6C6FF367 00000000 - mov [WeChatWin.dll+1616F6C],00000000 { (0),0 }
WeChatWin.dll+D0CA1C - E8 691AFDFF - call WeChatWin.dll+CDE48A
WeChatWin.dll+D0CA21 - 83 C4 04 - add esp,04 { 4 }
WeChatWin.dll+D0CA24 - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CA2A - 8B 1D 64E2B167 - mov ebx,[WeChatWin.dll+11FE264] { (76EBEF40) }
WeChatWin.dll+D0CA30 - C7 85 E0FEFFFF 686FF367 - mov [ebp-00000120],WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CA3A - FF D3 - call ebx
WeChatWin.dll+D0CA3C - 8D 78 01 - lea edi,[eax+01]
WeChatWin.dll+D0CA3F - 57 - push edi
WeChatWin.dll+D0CA40 - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CA46 - FF 15 58E2B167 - call dword ptr [WeChatWin.dll+11FE258] { ->KERNEL32.TlsSetValue }
WeChatWin.dll+D0CA4C - 57 - push edi
WeChatWin.dll+D0CA4D - FF 35 6C6FF367 - push [WeChatWin.dll+1616F6C] { (0) }
WeChatWin.dll+D0CA53 - 68 686FF367 - push WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CA58 - E8 B3060800 - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CA5D - 83 C4 0C - add esp,0C { 12 }
WeChatWin.dll+D0CA60 - A1 706FF367 - mov eax,[WeChatWin.dll+1616F70] { (3) }
WeChatWin.dll+D0CA65 - C6 45 FC 01 - mov byte ptr [ebp-04],01 { 1 }
WeChatWin.dll+D0CA69 - A8 02 - test al,02 { 2 }
WeChatWin.dll+D0CA6B - 75 2A - jne WeChatWin.dll+D0CA97
WeChatWin.dll+D0CA6D - 83 C8 02 - or eax,02 { 2 }
WeChatWin.dll+D0CA70 - A3 706FF367 - mov [WeChatWin.dll+1616F70],eax { (3) }
WeChatWin.dll+D0CA75 - FF 15 68E2B167 - call dword ptr [WeChatWin.dll+11FE268] { ->->KERNELBASE.TlsAlloc }
WeChatWin.dll+D0CA7B - 68 9043B167 - push WeChatWin.dll+11F4390 { (255) }
WeChatWin.dll+D0CA80 - A3 746FF367 - mov [WeChatWin.dll+1616F74],eax { (55) }
WeChatWin.dll+D0CA85 - C7 05 786FF367 30E39F67 - mov [WeChatWin.dll+1616F78],WeChatWin.dll+10DE330 { (679FE330),(8686313) }
WeChatWin.dll+D0CA8F - E8 F619FDFF - call WeChatWin.dll+CDE48A
WeChatWin.dll+D0CA94 - 83 C4 04 - add esp,04 { 4 }
# --------------------------------------------------------------------------------
WeChatWin.dll+D0CA97 - 80 3D 216BF367 00 - cmp byte ptr [WeChatWin.dll+1616B21],00 { (0),0 }
# WeChatWin.dll+1616B21 is the address of the debug-enabled flag
WeChatWin.dll+D0CA9E - 74 14 - je WeChatWin.dll+D0CAB4
WeChatWin.dll+D0CAA0 - FF B5 ECFEFFFF - push [ebp-00000114]
WeChatWin.dll+D0CAA6 - FF B5 E8FEFFFF - push [ebp-00000118]
WeChatWin.dll+D0CAAC - E8 AF3CFEFF - call WeChatWin.dll+CF0760
# [Section 2.3, locating the debug data code] set a breakpoint here; when it triggers, step into WeChatWin.dll+CF0760
# --------------------------------------------------------------------------------
WeChatWin.dll+D0CAB1 - 83 C4 08 - add esp,08 { 8 }
WeChatWin.dll+D0CAB4 - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CABA - FF D3 - call ebx
WeChatWin.dll+D0CABC - 83 F8 02 - cmp eax,02 { 2 }
WeChatWin.dll+D0CABF - 0F8C 2C010000 - jl WeChatWin.dll+D0CBF1
WeChatWin.dll+D0CAC5 - FF 35 746FF367 - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CACB - FF D3 - call ebx
WeChatWin.dll+D0CACD - 85 C0 - test eax,eax
WeChatWin.dll+D0CACF - 0F85 1C010000 - jne WeChatWin.dll+D0CBF1
WeChatWin.dll+D0CAD5 - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CADB - FF D3 - call ebx
WeChatWin.dll+D0CADD - 83 F8 0A - cmp eax,0A { 10 }
WeChatWin.dll+D0CAE0 - 0F8F 75010000 - jg WeChatWin.dll+D0CC5B
WeChatWin.dll+D0CAE6 - 6A 01 - push 01 { 1 }
WeChatWin.dll+D0CAE8 - 68 00400000 - push 00004000 { 16384 }
WeChatWin.dll+D0CAED - E8 D6293D00 - call WeChatWin.dll+10DF4C8
WeChatWin.dll+D0CAF2 - 83 C4 08 - add esp,08 { 8 }
WeChatWin.dll+D0CAF5 - 8B F8 - mov edi,eax
WeChatWin.dll+D0CAF7 - A1 58E2B167 - mov eax,[WeChatWin.dll+11FE258] { (76EBEF90) }
WeChatWin.dll+D0CAFC - 57 - push edi
WeChatWin.dll+D0CAFD - FF 35 746FF367 - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CB03 - FF D0 - call eax
WeChatWin.dll+D0CB05 - 57 - push edi
WeChatWin.dll+D0CB06 - FF 35 786FF367 - push [WeChatWin.dll+1616F78] { (679FE330) }
WeChatWin.dll+D0CB0C - 68 746FF367 - push WeChatWin.dll+1616F74 { (55) }
WeChatWin.dll+D0CB11 - E8 FA050800 - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CB16 - 8B 85 E8FEFFFF - mov eax,[ebp-00000118]
WeChatWin.dll+D0CB1C - 68 00010000 - push 00000100 { 256 }
WeChatWin.dll+D0CB21 - 6A 00 - push 00 { 0 }
WeChatWin.dll+D0CB23 - 0F10 00 - movups xmm0,[eax]
WeChatWin.dll+D0CB26 - 0F11 85 98FEFFFF - movups [ebp-00000168],xmm0
WeChatWin.dll+D0CB2D - C7 85 98FEFFFF 05000000 - mov [ebp-00000168],00000005 { 5 }
WeChatWin.dll+D0CB37 - 0F10 40 10 - movups xmm0,[eax+10]
WeChatWin.dll+D0CB3B - 0F11 85 A8FEFFFF - movups [ebp-00000158],xmm0
WeChatWin.dll+D0CB42 - 0F10 40 20 - movups xmm0,[eax+20]
WeChatWin.dll+D0CB46 - 0F11 85 B8FEFFFF - movups [ebp-00000148],xmm0
WeChatWin.dll+D0CB4D - F3 0F7E 40 30 - movq xmm0,[eax+30]
WeChatWin.dll+D0CB52 - 8D 85 F0FEFFFF - lea eax,[ebp-00000110]
WeChatWin.dll+D0CB58 - 50 - push eax
WeChatWin.dll+D0CB59 - 66 0FD6 85 C8FEFFFF - movq [ebp-00000138],xmm0
WeChatWin.dll+D0CB61 - E8 CAAA3B00 - call WeChatWin.dll+10C7630
WeChatWin.dll+D0CB66 - 83 C4 18 - add esp,18 { 24 }
WeChatWin.dll+D0CB69 - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CB6F - FF D3 - call ebx
WeChatWin.dll+D0CB71 - 50 - push eax
WeChatWin.dll+D0CB72 - 68 2C4DB967 - push WeChatWin.dll+1274D2C { ("ERROR!!! xlogger_appender Recursive calls!!!, count:%d") }
WeChatWin.dll+D0CB77 - 8D 85 F0FEFFFF - lea eax,[ebp-00000110]
WeChatWin.dll+D0CB7D - 68 00010000 - push 00000100 { 256 }
WeChatWin.dll+D0CB82 - 50 - push eax
WeChatWin.dll+D0CB83 - E8 C8455BFF - call WeChatWin.dll+2C1150
WeChatWin.dll+D0CB88 - 83 C4 10 - add esp,10 { 16 }
WeChatWin.dll+D0CB8B - 8D 8D D0FEFFFF - lea ecx,[ebp-00000130]
WeChatWin.dll+D0CB91 - 68 00400000 - push 00004000 { 16384 }
WeChatWin.dll+D0CB96 - 6A 00 - push 00 { 0 }
WeChatWin.dll+D0CB98 - 57 - push edi
WeChatWin.dll+D0CB99 - E8 820D0800 - call WeChatWin.dll+D8D920
WeChatWin.dll+D0CB9E - 8D 85 D0FEFFFF - lea eax,[ebp-00000130]
WeChatWin.dll+D0CBA4 - C6 45 FC 02 - mov byte ptr [ebp-04],02 { 2 }
WeChatWin.dll+D0CBA8 - 50 - push eax
WeChatWin.dll+D0CBA9 - 8D 85 F0FEFFFF - lea eax,[ebp-00000110]
WeChatWin.dll+D0CBAF - 50 - push eax
WeChatWin.dll+D0CBB0 - 8D 85 98FEFFFF - lea eax,[ebp-00000168]
WeChatWin.dll+D0CBB6 - 50 - push eax
WeChatWin.dll+D0CBB7 - E8 F4270800 - call WeChatWin.dll+D8F3B0
WeChatWin.dll+D0CBBC - 68 00100000 - push 00001000 { 4096 }
WeChatWin.dll+D0CBC1 - FF B5 ECFEFFFF - push [ebp-00000114]
WeChatWin.dll+D0CBC7 - 57 - push edi
WeChatWin.dll+D0CBC8 - E8 A3653D00 - call WeChatWin.dll+10E3170
WeChatWin.dll+D0CBCD - 8D 85 98FEFFFF - lea eax,[ebp-00000168]
WeChatWin.dll+D0CBD3 - C6 87 FF0F0000 00 - mov byte ptr [edi+00000FFF],00 { 0 }
WeChatWin.dll+D0CBDA - 57 - push edi
WeChatWin.dll+D0CBDB - 50 - push eax
WeChatWin.dll+D0CBDC - E8 7F3BFEFF - call WeChatWin.dll+CF0760
WeChatWin.dll+D0CBE1 - 83 C4 20 - add esp,20 { 32 }
WeChatWin.dll+D0CBE4 - 8D 8D D0FEFFFF - lea ecx,[ebp-00000130]
WeChatWin.dll+D0CBEA - E8 116B33FF - call WeChatWin.dll+43700
WeChatWin.dll+D0CBEF - EB 6A - jmp WeChatWin.dll+D0CC5B
WeChatWin.dll+D0CBF1 - FF 35 746FF367 - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CBF7 - FF D3 - call ebx
WeChatWin.dll+D0CBF9 - 85 C0 - test eax,eax
WeChatWin.dll+D0CBFB - 74 3A - je WeChatWin.dll+D0CC37
WeChatWin.dll+D0CBFD - FF 35 746FF367 - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CC03 - FF D3 - call ebx
WeChatWin.dll+D0CC05 - 6A 00 - push 00 { 0 }
WeChatWin.dll+D0CC07 - FF 35 746FF367 - push [WeChatWin.dll+1616F74] { (55) }
WeChatWin.dll+D0CC0D - 8B F8 - mov edi,eax
WeChatWin.dll+D0CC0F - A1 58E2B167 - mov eax,[WeChatWin.dll+11FE258] { (76EBEF90) }
WeChatWin.dll+D0CC14 - FF D0 - call eax
WeChatWin.dll+D0CC16 - 6A 00 - push 00 { 0 }
WeChatWin.dll+D0CC18 - FF 35 786FF367 - push [WeChatWin.dll+1616F78] { (679FE330) }
WeChatWin.dll+D0CC1E - 68 746FF367 - push WeChatWin.dll+1616F74 { (55) }
WeChatWin.dll+D0CC23 - E8 E8040800 - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CC28 - 57 - push edi
WeChatWin.dll+D0CC29 - E8 F2E5FFFF - call WeChatWin.dll+D0B220
WeChatWin.dll+D0CC2E - 57 - push edi
WeChatWin.dll+D0CC2F - E8 FC163D00 - call WeChatWin.dll+10DE330
WeChatWin.dll+D0CC34 - 83 C4 14 - add esp,14 { 20 }
WeChatWin.dll+D0CC37 - 83 3D 446BF367 01 - cmp dword ptr [WeChatWin.dll+1616B44],01 { (0),1 }
WeChatWin.dll+D0CC3E - FF B5 ECFEFFFF - push [ebp-00000114]
WeChatWin.dll+D0CC44 - FF B5 E8FEFFFF - push [ebp-00000118]
WeChatWin.dll+D0CC4A - 75 07 - jne WeChatWin.dll+D0CC53
WeChatWin.dll+D0CC4C - E8 6FC7FFFF - call WeChatWin.dll+D093C0
WeChatWin.dll+D0CC51 - EB 05 - jmp WeChatWin.dll+D0CC58
WeChatWin.dll+D0CC53 - E8 C8C5FFFF - call WeChatWin.dll+D09220
WeChatWin.dll+D0CC58 - 83 C4 08 - add esp,08 { 8 }
WeChatWin.dll+D0CC5B - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CC61 - C6 45 FC 03 - mov byte ptr [ebp-04],03 { 3 }
WeChatWin.dll+D0CC65 - FF D3 - call ebx
WeChatWin.dll+D0CC67 - 8D 78 FF - lea edi,[eax-01]
WeChatWin.dll+D0CC6A - 57 - push edi
WeChatWin.dll+D0CC6B - FF 35 686FF367 - push [WeChatWin.dll+1616F68] { (54) }
WeChatWin.dll+D0CC71 - FF 15 58E2B167 - call dword ptr [WeChatWin.dll+11FE258] { ->KERNEL32.TlsSetValue }
WeChatWin.dll+D0CC77 - 57 - push edi
WeChatWin.dll+D0CC78 - FF 35 6C6FF367 - push [WeChatWin.dll+1616F6C] { (0) }
WeChatWin.dll+D0CC7E - 68 686FF367 - push WeChatWin.dll+1616F68 { (54) }
WeChatWin.dll+D0CC83 - E8 88040800 - call WeChatWin.dll+D8D110
WeChatWin.dll+D0CC88 - 83 C4 0C - add esp,0C { 12 }
WeChatWin.dll+D0CC8B - E8 29143D00 - call WeChatWin.dll+10DE0B9
WeChatWin.dll+D0CC90 - 89 30 - mov [eax],esi
WeChatWin.dll+D0CC92 - 8B 4D F4 - mov ecx,[ebp-0C]
WeChatWin.dll+D0CC95 - 64 89 0D 00000000 - mov fs:[00000000],ecx { 0 }
WeChatWin.dll+D0CC9C - 59 - pop ecx
WeChatWin.dll+D0CC9D - 5F - pop edi
WeChatWin.dll+D0CC9E - 5E - pop esi
WeChatWin.dll+D0CC9F - 5B - pop ebx
WeChatWin.dll+D0CCA0 - 8B 4D F0 - mov ecx,[ebp-10]
WeChatWin.dll+D0CCA3 - 33 CD - xor ecx,ebp
WeChatWin.dll+D0CCA5 - E8 3314FDFF - call WeChatWin.dll+CDE0DD
WeChatWin.dll+D0CCAA - 8B E5 - mov esp,ebp
WeChatWin.dll+D0CCAC - 5D - pop ebp
WeChatWin.dll+D0CCAD - C3 - ret
2.2. Locating the debug level
2.2.1. Version 2.8.0.133
Base address
WeChatWin.dll + 0x15C6D54
# In WeChat this value is set to 2, so only messages at a level above kLevelDebug are output
# Changing it to 0, i.e. kLevelAll or kLevelVerbose, outputs all debug information
CE code
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>1</ID>
<Description>"调试级别"</Description>
<LastState Value="2" RealAddress="54BC6D54"/>
<VariableType>4 Bytes</VariableType>
<Address>WeChatWin.dll + 0x15C6D54</Address>
</CheatEntry>
</CheatEntries>
</CheatTable>
Signature
56 89 9D F0 FB FF FF
Disassembly
First function
WeChatWin.dll+CE1430 - 55 - push ebp
WeChatWin.dll+CE1431 - 8B EC - mov ebp,esp
WeChatWin.dll+CE1433 - 81 EC 10040000 - sub esp,00000410 { 1040 }
WeChatWin.dll+CE1439 - A1 946BEE67 - mov eax,[WeChatWin.dll+15C6B94] { (-763891070) }
WeChatWin.dll+CE143E - 33 C5 - xor eax,ebp
WeChatWin.dll+CE1440 - 89 45 FC - mov [ebp-04],eax
WeChatWin.dll+CE1443 - 8B 45 10 - mov eax,[ebp+10]
WeChatWin.dll+CE1446 - 53 - push ebx
WeChatWin.dll+CE1447 - 56 - push esi
WeChatWin.dll+CE1448 - 8B 75 08 - mov esi,[ebp+08]
WeChatWin.dll+CE144B - 8B D9 - mov ebx,ecx
WeChatWin.dll+CE144D - 57 - push edi
WeChatWin.dll+CE144E - 89 85 F8FBFFFF - mov [ebp-00000408],eax
WeChatWin.dll+CE1454 - 8B 45 20 - mov eax,[ebp+20]
WeChatWin.dll+CE1457 - 56 - push esi
WeChatWin.dll+CE1458 - 89 9D F0FBFFFF - mov [ebp-00000410],ebx
WeChatWin.dll+CE145E - 89 85 F4FBFFFF - mov [ebp-0000040C],eax
# --------------------------------------------------------------------------------
WeChatWin.dll+CE1464 - E8 F7BD0200 - call WeChatWin.dll+D0D260
# Step into this call (WeChatWin.dll+D0D260); see the analysis of the second function below
# --------------------------------------------------------------------------------
WeChatWin.dll+CE1469 - 85 C0 - test eax,eax
WeChatWin.dll+CE146B - 8D 7B 08 - lea edi,[ebx+08]
WeChatWin.dll+CE146E - 6A 38 - push 38 { 56 }
WeChatWin.dll+CE1470 - 0F95 C0 - setne al
WeChatWin.dll+CE1473 - 6A 00 - push 00 { 0 }
WeChatWin.dll+CE1475 - 57 - push edi
WeChatWin.dll+CE1476 - 88 03 - mov [ebx],al
WeChatWin.dll+CE1478 - E8 B3613E00 - call WeChatWin.dll+10C7630
WeChatWin.dll+CE147D - 0F57 C0 - xorps xmm0,xmm0
WeChatWin.dll+CE1480 - 83 C4 10 - add esp,10 { 16 }
WeChatWin.dll+CE1483 - 66 0FD6 83 C0000000 - movq [ebx+000000C0],xmm0
WeChatWin.dll+CE148B - C7 83 DC000000 0F000000 - mov [ebx+000000DC],0000000F { 15 }
WeChatWin.dll+CE1495 - C7 83 D8000000 00000000 - mov [ebx+000000D8],00000000 { 0 }
WeChatWin.dll+CE149F - C6 83 C8000000 00 - mov byte ptr [ebx+000000C8],00 { 0 }
WeChatWin.dll+CE14A6 - 80 3B 00 - cmp byte ptr [ebx],00 { 0 }
WeChatWin.dll+CE14A9 - 89 37 - mov [edi],esi
WeChatWin.dll+CE14AB - 0F84 C7000000 - je WeChatWin.dll+CE1578
WeChatWin.dll+CE14B1 - 8B 45 0C - mov eax,[ebp+0C]
WeChatWin.dll+CE14B4 - 8D 73 1C - lea esi,[ebx+1C]
WeChatWin.dll+CE14B7 - 89 43 0C - mov [ebx+0C],eax
WeChatWin.dll+CE14BA - 8B 45 14 - mov eax,[ebp+14]
WeChatWin.dll+CE14BD - 89 43 10 - mov [ebx+10],eax
WeChatWin.dll+CE14C0 - 8B 45 18 - mov eax,[ebp+18]
WeChatWin.dll+CE14C3 - 89 43 14 - mov [ebx+14],eax
WeChatWin.dll+CE14C6 - 8B 45 1C - mov eax,[ebp+1C]
WeChatWin.dll+CE14C9 - 6A 00 - push 00 { 0 }
WeChatWin.dll+CE14CB - 56 - push esi
WeChatWin.dll+CE14CC - 89 43 18 - mov [ebx+18],eax
WeChatWin.dll+CE14CF - E8 5C660300 - call WeChatWin.dll+D17B30
WeChatWin.dll+CE14D4 - 68 80000000 - push 00000080 { 128 }
WeChatWin.dll+CE14D9 - FF B5 F8FBFFFF - push [ebp-00000408]
WeChatWin.dll+CE14DF - 8D 7B 40 - lea edi,[ebx+40]
WeChatWin.dll+CE14E2 - C7 43 28 FFFFFFFF - mov [ebx+28],FFFFFFFF { -1 }
WeChatWin.dll+CE14E9 - 57 - push edi
WeChatWin.dll+CE14EA - C7 43 2C FFFFFFFF - mov [ebx+2C],FFFFFFFF { -1 }
WeChatWin.dll+CE14F1 - C7 43 30 FFFFFFFF - mov [ebx+30],FFFFFFFF { -1 }
WeChatWin.dll+CE14F8 - C7 43 34 FFFFFFFF - mov [ebx+34],FFFFFFFF { -1 }
WeChatWin.dll+CE14FF - C7 43 38 FFFFFFFF - mov [ebx+38],FFFFFFFF { -1 }
WeChatWin.dll+CE1506 - C7 43 3C FFFFFFFF - mov [ebx+3C],FFFFFFFF { -1 }
WeChatWin.dll+CE150D - E8 2EEE3F00 - call WeChatWin.dll+10E0340
WeChatWin.dll+CE1512 - C6 83 BF000000 00 - mov byte ptr [ebx+000000BF],00 { 0 }
WeChatWin.dll+CE1519 - 8B 06 - mov eax,[esi]
WeChatWin.dll+CE151B - 89 83 C0000000 - mov [ebx+000000C0],eax
WeChatWin.dll+CE1521 - 8B 46 04 - mov eax,[esi+04]
WeChatWin.dll+CE1524 - 68 00040000 - push 00000400 { 1024 }
WeChatWin.dll+CE1529 - 89 83 C4000000 - mov [ebx+000000C4],eax
WeChatWin.dll+CE152F - 8D 85 FCFBFFFF - lea eax,[ebp-00000404]
WeChatWin.dll+CE1535 - 6A 00 - push 00 { 0 }
WeChatWin.dll+CE1537 - 50 - push eax
WeChatWin.dll+CE1538 - E8 F3603E00 - call WeChatWin.dll+10C7630
WeChatWin.dll+CE153D - 8B 8D F4FBFFFF - mov ecx,[ebp-0000040C]
WeChatWin.dll+CE1543 - B8 58CEC867 - mov eax,WeChatWin.dll+136CE58 { (0) }
WeChatWin.dll+CE1548 - 85 C9 - test ecx,ecx
WeChatWin.dll+CE154A - 0F45 C1 - cmovne eax,ecx
WeChatWin.dll+CE154D - 50 - push eax
WeChatWin.dll+CE154E - 57 - push edi
WeChatWin.dll+CE154F - 68 F81AB967 - push WeChatWin.dll+1271AF8 { ("-> %s %s") }
WeChatWin.dll+CE1554 - 8D 85 FCFBFFFF - lea eax,[ebp-00000404]
WeChatWin.dll+CE155A - 68 00040000 - push 00000400 { 1024 }
WeChatWin.dll+CE155F - 50 - push eax
WeChatWin.dll+CE1560 - E8 EBFB5DFF - call WeChatWin.dll+2C1150
WeChatWin.dll+CE1565 - 8D 85 FCFBFFFF - lea eax,[ebp-00000404]
WeChatWin.dll+CE156B - 50 - push eax
WeChatWin.dll+CE156C - 8D 43 08 - lea eax,[ebx+08]
WeChatWin.dll+CE156F - 50 - push eax
WeChatWin.dll+CE1570 - E8 3BBD0200 - call WeChatWin.dll+D0D2B0
WeChatWin.dll+CE1575 - 83 C4 3C - add esp,3C { 60 }
WeChatWin.dll+CE1578 - 8B 4D FC - mov ecx,[ebp-04]
WeChatWin.dll+CE157B - 8B C3 - mov eax,ebx
WeChatWin.dll+CE157D - 5F - pop edi
WeChatWin.dll+CE157E - 5E - pop esi
WeChatWin.dll+CE157F - 33 CD - xor ecx,ebp
WeChatWin.dll+CE1581 - 5B - pop ebx
WeChatWin.dll+CE1582 - E8 56CBFFFF - call WeChatWin.dll+CDE0DD
WeChatWin.dll+CE1587 - 8B E5 - mov esp,ebp
WeChatWin.dll+CE1589 - 5D - pop ebp
WeChatWin.dll+CE158A - C2 1C00 - ret 001C { 28 }
Second function
WeChatWin.dll+D0D260 - 55 - push ebp
WeChatWin.dll+D0D261 - 8B EC - mov ebp,esp
# --------------------------------------------------------------------------------
WeChatWin.dll+D0D263 - 8B 0D 546DEE67 - mov ecx,[WeChatWin.dll+15C6D54] { (2) }
# WeChatWin.dll+15C6D54 is the address of the debug level
# --------------------------------------------------------------------------------
WeChatWin.dll+D0D269 - 33 C0 - xor eax,eax
WeChatWin.dll+D0D26B - 3B 4D 08 - cmp ecx,[ebp+08]
WeChatWin.dll+D0D26E - 0F9E C0 - setle al
WeChatWin.dll+D0D271 - 5D - pop ebp
WeChatWin.dll+D0D272 - C3 - ret
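The signatures in sections 2.1 and 2.2 exist so that these addresses can be re-found when a new build moves them. The following Python script is an added example, not part of the original writeup: it compiles the CE-style AOB strings (?? as a wildcard) into a byte regex, scans a constructed sample assembled from the code bytes in the listings above, and decodes the cmp/mov disp32 and call rel32 operands next to each hit to recover the flag, level and log-function RVAs. The module base 0x66920000 is derived from the listing (absolute 0x67F36B21 minus the stated offset 0x1616B21), and the fragment layout is constructed for the demo, not a real dump.

```python
import re
import struct

# Signatures exactly as the writeup gives them; "??" is a one-byte wildcard.
SIG_DEBUG_SWITCH = "74 14 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83"
SIG_DEBUG_LEVEL = "56 89 9D F0 FB FF FF"
# Module base implied by the listing: absolute 0x67F36B21 minus RVA 0x1616B21.
MODULE_BASE = 0x66920000

# Constructed sample: code bytes copied from the page's 2.8.0.133 listings,
# keyed by RVA. In practice they would come from a process or file dump.
FRAGMENTS = {
    0xD0CA94: bytes.fromhex(
        "83C404"          # add esp,4
        "803D216BF36700"  # cmp byte ptr [67F36B21],0   <- debug-enabled flag
        "7414"            # je (the switch signature starts here)
        "FFB5ECFEFFFF"    # push [ebp-114]
        "FFB5E8FEFFFF"    # push [ebp-118]
        "E8AF3CFEFF"      # call CF0760                 <- log function
        "83C408"),        # add esp,8
    0xCE1454: bytes.fromhex(
        "8B4520"          # mov eax,[ebp+20]
        "56"              # push esi (the level signature starts here)
        "899DF0FBFFFF"    # mov [ebp-410],ebx
        "8985F4FBFFFF"    # mov [ebp-40C],eax
        "E8F7BD0200"      # call D0D260                 <- level check
        "85C0"),          # test eax,eax
    0xD0D260: bytes.fromhex(
        "55"              # push ebp
        "8BEC"            # mov ebp,esp
        "8B0D546DEE67"    # mov ecx,[67EE6D54]          <- debug level
        "33C0"),          # xor eax,eax
}

def compile_signature(sig):
    """Turn a CE-style AOB string into a bytes regex ('??' matches any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_signature(fragments, sig):
    """Return the RVA of the first match; raise if the signature is absent."""
    pattern = compile_signature(sig)
    for base, data in sorted(fragments.items()):
        m = pattern.search(data)
        if m:
            return base + m.start()
    raise ValueError("signature not found: %s" % sig)

def read(fragments, rva, size):
    """Read size bytes at an RVA from whichever fragment contains it."""
    for base, data in fragments.items():
        if base <= rva and rva + size <= base + len(data):
            return data[rva - base:rva - base + size]
    raise ValueError("RVA %#x not present in sample" % rva)

def call_target(fragments, rva):
    """Resolve the target of an E8 rel32 near call located at rva."""
    op = read(fragments, rva, 5)
    if op[0] != 0xE8:
        raise ValueError("no E8 call at %#x" % rva)
    return (rva + 5 + struct.unpack("<i", op[1:])[0]) & 0xFFFFFFFF

def locate_debug_switch(fragments, module_base):
    """RVA of the flag: a 7-byte 'cmp byte ptr [disp32],imm8' (80 3D) precedes the je."""
    hit = find_signature(fragments, SIG_DEBUG_SWITCH)
    cmp_insn = read(fragments, hit - 7, 7)
    if cmp_insn[:2] != b"\x80\x3d":
        raise ValueError("expected cmp byte ptr [disp32],imm8 before the je")
    return struct.unpack("<I", cmp_insn[2:6])[0] - module_base

def locate_log_function(fragments):
    """RVA of the logging function: the E8 is the 15th byte of the switch signature."""
    return call_target(fragments, find_signature(fragments, SIG_DEBUG_SWITCH) + 14)

def locate_debug_level(fragments, module_base):
    """RVA of the level: follow the call 13 bytes after the level signature, then
    read the 'mov ecx,[disp32]' (8B 0D) that follows push ebp / mov ebp,esp."""
    checker = call_target(fragments, find_signature(fragments, SIG_DEBUG_LEVEL) + 13)
    mov_insn = read(fragments, checker + 3, 6)
    if mov_insn[:2] != b"\x8b\x0d":
        raise ValueError("expected mov ecx,[disp32] in the level checker")
    return struct.unpack("<I", mov_insn[2:])[0] - module_base
```

The three locate functions return exactly the offsets recorded in the section 3.2 table, and the same scan run over a dump of a newer build gives that build's offsets without redoing the CE walk by hand.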
2.3. Locating the debug data code
2.3.1. Version 2.8.0.133
Base address
WeChatWin.dll + 0xCF0813
# 6 bytes need to be hooked:
# WeChatWin.dll+CF0813 - 83 C4 4C - add esp,4C { 76 }
# WeChatWin.dll+CF0816 - 5E - pop esi
# WeChatWin.dll+CF0817 - 85 C9 - test ecx,ecx
# The debug output data is at [ebp - 0x40E0]
Breakpoint walkthrough
After finding the base address of the debug-enabled flag, set a breakpoint there (see the comments in the disassembly of section 2.1.1). When it triggers, first press F7 to step into call WeChatWin.dll+D0D260, then look at the disassembly that follows and find add esp,4C, roughly at the end of the function; set a breakpoint on it and press F9 to let the program continue, and it will break there. Right-click the stack window and choose full stack mode; the stack then looks like this:
0EFFA28C(ebp-40E0) - 0EFFA2E8 - (pointer)0EFFA2E8
0EFFA290(ebp-40DC) - 00004000 - (双字)00004000(16384)
0EFFA294(ebp-40D8) - 67B92D94 - (pointer)WeChatWin.dll+1272D94
0EFFA298(ebp-40D4) - 67DAFC54 - (pointer)WeChatWin.dll+148FC54
0EFFA29C(ebp-40D0) - 0EFFF5F8 - (pointer)0EFFF5F8
0EFFA2A0(ebp-40CC) - 67CEAF34 - (pointer)WeChatWin.dll+13CAF34
0EFFA2A4(ebp-40C8) - 0EFFE2E8 - (pointer)0EFFE2E8
0EFFA2A8(ebp-40C4) - 00000350 - (双字)00000350(848)
0EFFA2AC(ebp-40C0) - 0EFFE5BD - (pointer)0EFFE5BD
0EFFA2B0(ebp-40BC) - 0EFFA2E8 - (pointer)0EFFA2E8
0EFFA2B4(ebp-40B8) - 00000000 - (双字)00000000(0)
0EFFA2B8(ebp-40B4) - 00004000 - (双字)00004000(16384)
0EFFA2BC(ebp-40B0) - 67CEAF24 - (pointer)WeChatWin.dll+13CAF24
0EFFA2C0(ebp-40AC) - 67CEB244 - (pointer)WeChatWin.dll+13CB244
0EFFA2C4(ebp-40A8) - 0EFFE2E8 - (pointer)0EFFE2E8
0EFFA2C8(ebp-40A4) - 00000080 - (双字)00000080(128)
0EFFA2CC(ebp-40A0) - 0EFFE2E8 - (pointer)0EFFE2E8
0EFFA2D0(ebp-409C) - 00000000 - (双字)00000000(0)
0EFFA2D4(ebp-4098) - 00000080 - (双字)00000080(128)
0EFFA2D8(ebp-4094) - 00000000 - (双字)00000000(0)
0EFFA2DC(ebp-4090) - 00000001 - (双字)00000001(1)
0EFFA2E0(ebp-408C) - 76EBEF40 - (pointer)KERNEL32.TlsGetValue
0EFFA2E4(ebp-4088) - 0EFFA328 - (pointer)0EFFA328
0EFFA2E8(ebp-4084) - 5B5D495B - [I][
0EFFA2EC(ebp-4080) - 43504D4D - MMPC
0EFFA2F0(ebp-407C) - 5354465F - _FTS
Click the top-of-stack address 0EFFA28C (ebp-40E0); the memory window jumps to 0EFFA2E8 and shows the following:
0EFFA2E8 5B 49 5D 5B 4D 4D 50 43 [I][MMPC
0EFFA2F0 5F 46 54 53 54 68 72 65 _FTSThre
0EFFA2F8 61 64 48 65 6C 70 65 72 adHelper
0EFFA300 5D 5B 46 54 53 54 68 72 ][FTSThr
0EFFA308 65 61 64 48 65 6C 70 65 eadHelpe
0EFFA310 72 2E 63 70 70 2C 20 46 r.cpp, F
0EFFA318 54 53 54 68 72 65 61 64 TSThread
0EFFA320 48 65 6C 70 65 72 3A 3A Helper::
0EFFA328 50 72 6F 63 65 73 73 43 ProcessC
0EFFA330 68 61 74 4D 73 67 4A 6F hatMsgJo
0EFFA338 62 49 74 65 6D 2C 20 38 bItem, 8
0EFFA340 34 38 5D 5B 52 61 6E 67 48][Rang
0EFFA348 65 49 6E 66 6F 20 55 70 eInfo Up
0EFFA350 64 61 74 65 52 61 6E 67 dateRang
0EFFA358 65 54 6F 20 44 42 20 52 eTo DB R
0EFFA360 61 6E 67 65 20 3A 20 53 ange : S
0EFFA368 74 61 72 74 20 49 6E 64 tart Ind
0EFFA370 65 78 20 3A 20 31 2C 20 ex : 1,
0EFFA378 53 74 61 72 74 20 49 64 Start Id
0EFFA380 20 3A 20 31 20 65 6E 64 : 1 end
0EFFA388 49 64 20 31 32 37 34 2C Id 1274,
0EFFA390 20 45 6E 64 20 49 6E 64 End Ind
0EFFA398 65 78 20 3A 20 30 2C 20 ex : 0,
0EFFA3A0 53 74 61 72 74 49 64 20 StartId
0EFFA3A8 3A 20 31 31 34 31 32 32 : 114122
0EFFA3B0 20 45 6E 64 49 64 20 31 EndId 1
0EFFA3B8 31 34 31 32 32 0A 0A 00 14122...
So ebp-40E0 is the debug output data.
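Once the buffer has been captured, the next job is usually to turn it back into structured records. This Python script is an added example, not from the original writeup: it rebuilds the bytes from the memory dump above (the dump text is copied from the page and embedded as a constructed sample), reads the NUL-terminated string, and splits it according to the logger's format string "[%s][%s][%s, %s, %d][%s\n" that is pushed in the disassembly below. The field names level, tag, file, func, line and message are my labels, not WeChat's.

```python
import re

# Constructed sample: the memory dump above, copied from the page
# (address, eight hex bytes, ASCII column). Only the hex bytes are used.
SAMPLE_DUMP = """\
0EFFA2E8 5B 49 5D 5B 4D 4D 50 43 [I][MMPC
0EFFA2F0 5F 46 54 53 54 68 72 65 _FTSThre
0EFFA2F8 61 64 48 65 6C 70 65 72 adHelper
0EFFA300 5D 5B 46 54 53 54 68 72 ][FTSThr
0EFFA308 65 61 64 48 65 6C 70 65 eadHelpe
0EFFA310 72 2E 63 70 70 2C 20 46 r.cpp, F
0EFFA318 54 53 54 68 72 65 61 64 TSThread
0EFFA320 48 65 6C 70 65 72 3A 3A Helper::
0EFFA328 50 72 6F 63 65 73 73 43 ProcessC
0EFFA330 68 61 74 4D 73 67 4A 6F hatMsgJo
0EFFA338 62 49 74 65 6D 2C 20 38 bItem, 8
0EFFA340 34 38 5D 5B 52 61 6E 67 48][Rang
0EFFA348 65 49 6E 66 6F 20 55 70 eInfo Up
0EFFA350 64 61 74 65 52 61 6E 67 dateRang
0EFFA358 65 54 6F 20 44 42 20 52 eTo DB R
0EFFA360 61 6E 67 65 20 3A 20 53 ange : S
0EFFA368 74 61 72 74 20 49 6E 64 tart Ind
0EFFA370 65 78 20 3A 20 31 2C 20 ex : 1,
0EFFA378 53 74 61 72 74 20 49 64 Start Id
0EFFA380 20 3A 20 31 20 65 6E 64 : 1 end
0EFFA388 49 64 20 31 32 37 34 2C Id 1274,
0EFFA390 20 45 6E 64 20 49 6E 64 End Ind
0EFFA398 65 78 20 3A 20 30 2C 20 ex : 0,
0EFFA3A0 53 74 61 72 74 49 64 20 StartId
0EFFA3A8 3A 20 31 31 34 31 32 32 : 114122
0EFFA3B0 20 45 6E 64 49 64 20 31 EndId 1
0EFFA3B8 31 34 31 32 32 0A 0A 00 14122...
"""

# Field layout follows the format string pushed in the log function,
# "[%s][%s][%s, %s, %d][%s\n"; the field names are my labels, not WeChat's.
LOG_LINE = re.compile(
    r"^\[(?P<level>[^\]]*)\]"
    r"\[(?P<tag>[^\]]*)\]"
    r"\[(?P<file>[^,\]]*), (?P<func>[^,\]]*), (?P<line>\d+)\]"
    r"\[(?P<message>.*)$", re.DOTALL)

def parse_hexdump(text):
    """Rebuild raw bytes from CE-style dump lines; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:       # not "address + 8 bytes": skip
            continue
        out += bytes(int(h, 16) for h in fields[1:9])
    return bytes(out)

def read_cstring(buf):
    """Decode the NUL-terminated string at the start of buf."""
    end = buf.find(b"\x00")
    return (buf if end < 0 else buf[:end]).decode("utf-8", errors="replace")

def parse_log_line(text):
    """Split one log line into its fields; returns None if it does not match."""
    m = LOG_LINE.match(text.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    return rec

def decode_dump(text):
    """Full pipeline for a captured buffer: dump text -> parsed record."""
    return parse_log_line(read_cstring(parse_hexdump(text)))
```

The same parse_log_line works on lines captured from DebugView later in section 2.4.3, since the injected hook passes exactly this buffer to OutputDebugStringA.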
Signature
68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 C4 ?? 5E
Disassembly
WeChatWin.dll+CF0760 - 55 - push ebp
WeChatWin.dll+CF0761 - 8B EC - mov ebp,esp
WeChatWin.dll+CF0763 - B8 88400000 - mov eax,00004088 { 16520 }
WeChatWin.dll+CF0768 - E8 A3E4FEFF - call WeChatWin.dll+CDEC10
WeChatWin.dll+CF076D - A1 946BEE67 - mov eax,[WeChatWin.dll+15C6B94] { (-714801034) }
WeChatWin.dll+CF0772 - 33 C5 - xor eax,ebp
WeChatWin.dll+CF0774 - 89 45 FC - mov [ebp-04],eax
WeChatWin.dll+CF0777 - 53 - push ebx
WeChatWin.dll+CF0778 - 8B 5D 0C - mov ebx,[ebp+0C]
WeChatWin.dll+CF077B - 57 - push edi
WeChatWin.dll+CF077C - 8B 7D 08 - mov edi,[ebp+08]
WeChatWin.dll+CF077F - 85 FF - test edi,edi
WeChatWin.dll+CF0781 - 0F84 AC000000 - je WeChatWin.dll+CF0833
WeChatWin.dll+CF0787 - 85 DB - test ebx,ebx
WeChatWin.dll+CF0789 - 0F84 A4000000 - je WeChatWin.dll+CF0833
WeChatWin.dll+CF078F - 56 - push esi
WeChatWin.dll+CF0790 - 68 80000000 - push 00000080 { 128 }
WeChatWin.dll+CF0795 - 8D 85 7CFFFFFF - lea eax,[ebp-00000084]
WeChatWin.dll+CF079B - 6A 00 - push 00 { 0 }
WeChatWin.dll+CF079D - 50 - push eax
WeChatWin.dll+CF079E - E8 8D6E3D00 - call WeChatWin.dll+10C7630
WeChatWin.dll+CF07A3 - 68 80000000 - push 00000080 { 128 }
WeChatWin.dll+CF07A8 - 8D 85 7CFFFFFF - lea eax,[ebp-00000084]
WeChatWin.dll+CF07AE - 50 - push eax
WeChatWin.dll+CF07AF - FF 77 0C - push [edi+0C]
WeChatWin.dll+CF07B2 - E8 59D40400 - call WeChatWin.dll+D3DC10
WeChatWin.dll+CF07B7 - FF 77 08 - push [edi+08]
WeChatWin.dll+CF07BA - E8 11D40400 - call WeChatWin.dll+D3DBD0
WeChatWin.dll+CF07BF - 68 00400000 - push 00004000 { 16384 }
WeChatWin.dll+CF07C4 - 8B F0 - mov esi,eax
WeChatWin.dll+CF07C6 - 8D 85 7CBFFFFF - lea eax,[ebp-00004084]
WeChatWin.dll+CF07CC - 6A 00 - push 00 { 0 }
WeChatWin.dll+CF07CE - 50 - push eax
WeChatWin.dll+CF07CF - E8 5C6E3D00 - call WeChatWin.dll+10C7630
WeChatWin.dll+CF07D4 - 8B 4F 04 - mov ecx,[edi+04]
WeChatWin.dll+CF07D7 - 8D 85 7CFFFFFF - lea eax,[ebp-00000084]
WeChatWin.dll+CF07DD - 53 - push ebx
WeChatWin.dll+CF07DE - FF 77 10 - push [edi+10]
WeChatWin.dll+CF07E1 - 85 C9 - test ecx,ecx
WeChatWin.dll+CF07E3 - BA 58CEC867 - mov edx,WeChatWin.dll+136CE58 { (0) }
WeChatWin.dll+CF07E8 - 50 - push eax
WeChatWin.dll+CF07E9 - 8B 07 - mov eax,[edi]
WeChatWin.dll+CF07EB - 0F45 D1 - cmovne edx,ecx
WeChatWin.dll+CF07EE - 56 - push esi
WeChatWin.dll+CF07EF - 52 - push edx
WeChatWin.dll+CF07F0 - FF 34 85 1C6CEE67 - push [eax*4+WeChatWin.dll+15C6C1C]
WeChatWin.dll+CF07F7 - 8D 85 7CBFFFFF - lea eax,[ebp-00004084]
WeChatWin.dll+CF07FD - 68 942DB967 - push WeChatWin.dll+1272D94 { ("[%s][%s][%s, %s, %d][%s\n") }
WeChatWin.dll+CF0802 - 68 00400000 - push 00004000 { 16384 }
WeChatWin.dll+CF0807 - 50 - push eax
WeChatWin.dll+CF0808 - E8 43095DFF - call WeChatWin.dll+2C1150
WeChatWin.dll+CF080D - 8B 0D 0467F367 - mov ecx,[WeChatWin.dll+1616704] { (0) }
# --------------------------------------------------------------------------------
# Hook point
# Note this version's address, WeChatWin.dll+CF0813; add the address manually, right-click and choose "Disassemble this memory region" to get here
WeChatWin.dll+CF0813 - 83 C4 4C - add esp,4C { 76 }
# --------------------------------------------------------------------------------
WeChatWin.dll+CF0816 - 5E - pop esi
WeChatWin.dll+CF0817 - 85 C9 - test ecx,ecx
WeChatWin.dll+CF0819 - 74 18 - je WeChatWin.dll+CF0833
WeChatWin.dll+CF081B - 8D 85 7CBFFFFF - lea eax,[ebp-00004084]
WeChatWin.dll+CF0821 - 89 85 78BFFFFF - mov [ebp-00004088],eax
WeChatWin.dll+CF0827 - 8D 95 78BFFFFF - lea edx,[ebp-00004088]
WeChatWin.dll+CF082D - 8B 01 - mov eax,[ecx]
WeChatWin.dll+CF082F - 52 - push edx
WeChatWin.dll+CF0830 - FF 50 08 - call dword ptr [eax+08]
WeChatWin.dll+CF0833 - 8B 4D FC - mov ecx,[ebp-04]
WeChatWin.dll+CF0836 - 5F - pop edi
WeChatWin.dll+CF0837 - 33 CD - xor ecx,ebp
WeChatWin.dll+CF0839 - 5B - pop ebx
WeChatWin.dll+CF083A - E8 9ED8FEFF - call WeChatWin.dll+CDE0DD
WeChatWin.dll+CF083F - 8B E5 - mov esp,ebp
WeChatWin.dll+CF0841 - 5D - pop ebp
WeChatWin.dll+CF0842 - C3 - ret
2.4. Calling the debug function
2.4.1. Finding OutputDebugString
In CE's Memory Viewer, choose View - Enumerate DLLs and Symbols to open the Enumerate DLLs window, then press Ctrl + F and search for OutputDebugStringA:
754D9DA0 - KERNEL32.OutputDebugStringA
So the address of OutputDebugStringA is 754D9DA0.
2.4.2. Injecting the code
Select the hook-point code location from section 2.3.1 (WeChatWin.dll + 0xCF0813). In CE's Memory Viewer, choose Tools - Auto Assemble to open the Auto Assemble window. If this is the first time, choose Template - Code Injection to generate a template, then adjust it slightly to get the following script:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
// ---------- injected code begins ----------
pushad
// old approach
// push [ebp-0x40E0] // ebp-0x40E0 is the debug data, see section 2.3.1
// The earlier approach was push [ebp-0x40E0]; it later turned out that the pointer can be taken straight from the stack, but since the injected code has already done pushad, esp has moved, so push [esp+20h] is what is needed
push [esp+20h]
call 0x754D9DA0 // 0x754D9DA0 is the address of OutputDebugStringA, see section 2.4.1
popad
// ---------- injected code ends ----------
originalcode:
add esp,4C
pop esi
test ecx,ecx
exit:
jmp returnhere
"WeChatWin.dll"+CF0813:
jmp newmem
nop
returnhere:
Choose Execute; a new row then appears in the CE main window. Rename it to OutPutDebug and activate it (tick the checkbox in front of it).
2.4.3. Running DebugView
With the debug switch and debug level set and the injected code running, the debug output can be seen in DebugView.
3. Base addresses by version
3.1. Version 2.8.0.112
| Description | Address | Note |
| --- | --- | --- |
| Debug enabled | WeChatWin.dll + 0x160E9C1 | Set this to 1 to turn on the debug output switch; WeChat defaults it to 0 |
| Debug level | WeChatWin.dll + 0x15BED54 | Set this to 0 to output all debug information; WeChat defaults it to 2 |
| Log function | WeChatWin.dll + 0x0CE9983 | - |
3.2. Version 2.8.0.133
| Description | Address | Note |
| --- | --- | --- |
| Debug enabled | WeChatWin.dll + 0x1616B21 | Set this to 1 to turn on the debug output switch; WeChat defaults it to 0 |
| Debug level | WeChatWin.dll + 0x15C6D54 | Set this to 0 to output all debug information; WeChat defaults it to 2 |
| Log function | WeChatWin.dll + 0x0CF0813 | - |