feat: add script

2024-11-22 10:19:23 +08:00 · 2024-07-31 18:02:39 +08:00 · 2024-07-31 18:02:39 +08:00 · cfb4e9461f
commit cfb4e9461f
parent 7d290e454c
7 changed files with 320 additions and 19 deletions
--- a/app/wxhelper/CMakeLists.txt
+++ b/app/wxhelper/CMakeLists.txt
@ -30,7 +30,7 @@ add_subdirectory(../base base)
   
 add_library(wxhelper  SHARED ${CPP_FILES} ${ASM_FILES})

-target_compile_definitions(wxhelper PRIVATE WECHAT_VERSION=391119)
+target_compile_definitions(wxhelper PRIVATE WECHAT_VERSION=391125)

 # target_include_directories(wxhelper 
 #     PRIVATE     ../base/src/include
--- a/app/wxhelper/src/offset.h
+++ b/app/wxhelper/src/offset.h
@ -6,6 +6,7 @@ namespace wechat {
 #define V_3_9_9_43 39943
 #define V_3_9_10_19 391019
 #define V_3_9_11_19 391119
+#define V_3_9_11_25 391125
 #ifndef WECHAT_VERSION
 #error " WECHAT_VERSION not defined ."
 #endif
@ -467,6 +468,125 @@ const uint64_t kAddFriend = 0x1f3a350;
 const uint64_t kVerifyApply = 0x1f3a940;
 const uint64_t kDoDelContact = 0x2310120;

+const uint64_t kGetSearchContactMgr = 0x1f9a730;
+const uint64_t kStartSearch = 0x22a4200;
+#elif WECHAT_VERSION == V_3_9_11_25
+const uint64_t kGetAccountServiceMgr = 0x1b50d00;
+const uint64_t kSyncMsg = 0xc39680;
+const uint64_t kSyncMsgNext = 0xc39680;
+const uint64_t kGetCurrentDataPath = 0x2248ce0;
+const uint64_t kGetAppDataSavePath = 0x25dc0e0;
+const uint64_t kGetSendMessageMgr = 0x1b4f500;
+const uint64_t kSendTextMsg = 0x22c2010;
+const uint64_t kFreeChatMsg = 0x1b50d80;
+
+const uint64_t kDoAddMsg = 0x230a3e0;
+const uint64_t kSendImageMsg = 0x22b77a0;
+const uint64_t kChatMsgInstanceCounter = 0x1b59670;
+const uint64_t kSendFileMsg = 0x20cb6f0;
+const uint64_t kGetAppMsgMgr = 0x1b544a0;
+const uint64_t kGetContactMgr = 0x1b3ccd0;
+const uint64_t kGetContactList = 0x219a1c0;
+
+const uint64_t k_sqlite3_exec = 0x3a59b30;
+const uint64_t k_sqlite3_prepare = 0x3a617b0;
+const uint64_t k_sqlite3_open = 0x3a98fa0;
+const uint64_t k_sqlite3_step = 0x3a1db30;
+const uint64_t k_sqlite3_column_count = 0x3a1e350;
+const uint64_t k_sqlite3_column_name = 0x3a1ed50;
+const uint64_t k_sqlite3_column_type = 0x3a1eba0;
+const uint64_t k_sqlite3_column_blob = 0x3a1e380;
+const uint64_t k_sqlite3_column_bytes = 0x3a1e470;
+const uint64_t k_sqlite3_finalize = 0x3a1cbe0;
+
+const uint64_t kGPInstance = 0x58dd300;
+const uint64_t kMultiDBMgr = 0x593abf8;
+const uint64_t kPublicMsgMgr = 0x5938198;
+const uint64_t kFavoriteStorageMgr = 0x593b790;
+const uint64_t kHardLinkMgr = 0x593ab28;
+
+const uint64_t kChatRoomMgr = 0x1b7f100;
+const uint64_t kGetChatRoomDetailInfo = 0x2160bb0;
+const uint64_t kNewChatRoomInfo = 0x2505120;
+const uint64_t kFreeChatRoomInfo = 0x2505300;
+const uint64_t kDoAddMemberToChatRoom = 0x21505b0;
+const uint64_t kDoModChatRoomMemberNickName = 0x215a360;
+const uint64_t kDelMemberFromChatRoom = 0x2150bf0;
+const uint64_t kGetMemberFromChatRoom = 0x2162400;
+const uint64_t kNewChatRoom = 0x2502540;
+const uint64_t kFreeChatRoom = 0x2502740;
+
+const uint64_t kTopMsg = 0x1d7d160;
+const uint64_t kRemoveTopMsg = 0x2166090;
+const uint64_t kInviteMember = 0x214ff90;
+const uint64_t kHookLog = 0x1304e60;
+
+const uint64_t kCreateChatRoom = 0x214fc60;
+const uint64_t kQuitChatRoom = 0x215ac00;
+const uint64_t kForwardMsg = 0x22c1590;
+
+const uint64_t kOnSnsTimeLineSceneFinish = 0x1a73150;
+const uint64_t kSNSGetFirstPage = 0x2e1bec0;
+const uint64_t kSNSGetNextPageScene = 0x2e41a70;
+const uint64_t kSNSDataMgr = 0x21dd6b0;
+const uint64_t kSNSTimeLineMgr = 0x2dadf20;
+const uint64_t kGetMgrByPrefixLocalId = 0x213afb0;
+const uint64_t kAddFavFromMsg = 0x2930e40;
+const uint64_t kGetChatMgr = 0x1b82bf0;
+const uint64_t kGetFavoriteMgr = 0x1b57ba0;
+const uint64_t kAddFavFromImage = 0x293d0f0;
+const uint64_t kGetContact = 0x21945d0;
+const uint64_t kNewContact = 0x2519300;
+const uint64_t kFreeContact = 0x25199b0;
+const uint64_t kNewMMReaderItem = 0x8c79a0;
+const uint64_t kFreeMMReaderItem = 0x8c6da0;
+const uint64_t kForwordPublicMsg = 0xddc6c0;
+const uint64_t kParseAppMsgXml = 0x11b0a70;
+const uint64_t kNewAppMsgInfo = 0x91a550;
+const uint64_t kFreeAppMsgInfo = 0x8fd1a0;
+const uint64_t kGetPreDownLoadMgr = 0x1c0a3a0;
+const uint64_t kPushAttachTask = 0x1cda920;
+const uint64_t kGetCustomSmileyMgr = 0x1ca0320;
+const uint64_t kSendCustomEmotion = 0x21b04c0;
+const uint64_t kNewJsApiShareAppMessage = 0x26cda20;
+const uint64_t kInitJsConfig = 0x137bc00;
+const uint64_t kSendApplet = 0x13c0920;
+const uint64_t kSendAppletSecond = 0x13c1150;
+const uint64_t kGetAppInfoByWaid = 0x13c5790;
+const uint64_t kCopyShareAppMessageRequest = 0x13c0670;
+const uint64_t kNewWAUpdatableMsgInfo = 0x919ca0;
+const uint64_t kFreeWAUpdatableMsgInfo = 0x8fc230;
+const uint64_t kSendPatMsg = 0x2ca9790;
+const uint64_t kGetOCRManager = 0x999780;
+const uint64_t kDoOCRTask = 0x2c53910;
+
+const uint64_t kGetLockWechatMgr = 0x1c85010;
+const uint64_t kRequestLockWechat = 0x1c397d0;
+const uint64_t kRequestUnLockWechat = 0x1c39a70;
+
+const uint64_t kOnLoginBtnClick = 0x202bc30;
+
+const uint64_t kGetQRCodeLoginMgr = 0x201e350;
+
+const uint64_t kUpdateMsg = 0x21421a0;
+const uint64_t kGetVoiceMgr = 0x1e13320;
+const uint64_t kChatMsg2NetSceneSendMsg = 0x1b70fd0;
+const uint64_t kTranslateVoice = 0x2353d50;
+const uint64_t kNewWebViewPageConfig = 0x1b53ae0;
+const uint64_t kFreeWebViewPageConfig = 0x1b53d10;
+const uint64_t kGetWebViewMgr = 0x1b43950;
+const uint64_t kShowWebView = 0x302ed30;
+const uint64_t kSetUrl = 0x13dd410;
+
+const uint64_t kNewPayInfo = 0x1bcd930;
+const uint64_t kFreePayInfo = 0x1b92450;
+const uint64_t kTransferConfirm = 0x2f8c750;
+const uint64_t kTransferRefuse = 0x2f8d340;
+
+const uint64_t kAddFriend = 0x1f3a350;
+const uint64_t kVerifyApply = 0x1f3a940;
+const uint64_t kDoDelContact = 0x2310120;
+
 const uint64_t kGetSearchContactMgr = 0x1f9a730;
 const uint64_t kStartSearch = 0x22a4200;
 #else
--- a/app/wxhelper/src/wechat_service.cc
+++ b/app/wxhelper/src/wechat_service.cc
@ -1506,7 +1506,7 @@ int64_t wechat::WeChatService::SearchContact(
      (func::__GetSearchContactMgr)search_mgr_addr;
  func::__StartSearch search = (func::__StartSearch)search_addr;
  uint64_t mgr = get_mgr();
-  success = search(mgr,&key);
+  // success = search(mgr,&key);

  return success;
 }
@ -1552,7 +1552,7 @@ int64_t wechat::WeChatService::DoConfirmReceipt(
  memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id));
  memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id));
  // memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id));
-  success = do_confirm(&pay_info, &recv_id);
+  success = do_confirm(reinterpret_cast<uint64_t>(&pay_info), reinterpret_cast<uint64_t>(&recv_id));

  free_pay_info(reinterpret_cast<uint64_t>(&pay_info));

@ -1583,7 +1583,7 @@ int64_t wechat::WeChatService::DoRefuseReceipt(
  memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id));
  memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id));
  // memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id));
-  success = do_refuse(&pay_info, &recv_id);
+  success = do_refuse(reinterpret_cast<uint64_t>(&pay_info), reinterpret_cast<uint64_t>(&recv_id));

  free_pay_info(reinterpret_cast<uint64_t>(&pay_info));
  return success;
--- a/script/ghidra_script/3.9.11.25fid.fidb
+++ b/script/ghidra_script/3.9.11.25fid.fidb
--- a/script/ghidra_script/FindCallScript.java
+++ b/script/ghidra_script/FindCallScript.java
@ -0,0 +1,53 @@
+import java.util.ArrayList;
+import java.util.List;
+
+import docking.widgets.filter.ContainsTextFilterFactory;
+import docking.widgets.filter.TextFilter;
+import docking.widgets.filter.TextFilterFactory;
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.symbol.Symbol;
+import ghidra.program.model.symbol.SymbolIterator;
+import ghidra.program.model.symbol.SymbolTable;
+
+public class FindCallScript extends GhidraScript {
+
+	
+	@Override
+	protected void run() throws Exception {
+		ContainsTextFilterFactory containsTextFilterFactory = new ContainsTextFilterFactory(false, true);
+		
+		find_send_msg(containsTextFilterFactory);
+	}
+	
+	void find_send_msg(ContainsTextFilterFactory factory) {
+		SymbolTable symbolTable = currentProgram.getSymbolTable();
+		List<Symbol> searchSymbol = searchSymbol(symbolTable,"SendMessageMgr::sendMsg",factory,"SendMessageMgr::sendMsg");
+		for (Symbol symbol : searchSymbol) {
+			println("found SendMessageMgr::sendMsg" + symbol.getAddress().toString());
+			println("=================copy source========================");
+			printf("const uint64_t kSendTextMsg = " + symbol.getAddress().toString() + "; \n");
+		}
+	}
+	
+	void find_sendMessageMgr(ContainsTextFilterFactory factory) {
+		SymbolTable symbolTable = currentProgram.getSymbolTable();
+		List<Symbol> searchSymbol = searchSymbol(symbolTable,"SendMessageMgr::SendMessageMgr",factory,"SendMessageMgr::SendMessageMgr");
+		for (Symbol symbol : searchSymbol) {
+			
+		}
+	}
+	
+	List<Symbol> searchSymbol(SymbolTable symbolTable,String text,TextFilterFactory factory,String filterText) {
+		List<Symbol> list = new ArrayList<>();
+		TextFilter textFilter = factory.getTextFilter(filterText);
+		SymbolIterator symbols = symbolTable.getSymbols(text);
+		while (symbols.hasNext()) {
+			Symbol next = symbols.next();
+			if(textFilter.matches(next.getName())) {
+				list.add(next);
+			}
+		}
+		return list;
+	}
+
+}
--- a/script/ghidra_script/FindSqliteCloseScript.java
+++ b/script/ghidra_script/FindSqliteCloseScript.java
@ -0,0 +1,133 @@
+import java.util.List;
+
+import docking.widgets.filter.ContainsTextFilterFactory;
+import docking.widgets.filter.TextFilter;
+import ghidra.app.decompiler.DecompInterface;
+import ghidra.app.decompiler.DecompileOptions;
+import ghidra.app.script.GhidraScript;
+import ghidra.feature.fid.hash.FidHashQuad;
+import ghidra.feature.fid.service.FidService;
+import ghidra.program.model.address.Address;
+import ghidra.program.model.listing.CodeUnit;
+import ghidra.program.model.listing.Function;
+import ghidra.program.model.listing.FunctionManager;
+import ghidra.program.model.mem.MemoryAccessException;
+import ghidra.program.model.symbol.Reference;
+import ghidra.program.model.symbol.ReferenceIterator;
+import ghidra.program.model.symbol.ReferenceManager;
+import ghidra.program.util.string.FoundString;
+import ghidra.util.UndefinedFunction;
+
+public class FindSqliteCloseScript extends GhidraScript {
+	FidService service;
+	DecompInterface decompiler;
+	
+	long sql3close_full_hash =   -1574752015815545339L;
+	long sql3close_spec_hash =  -1262376715505923342L;
+
+	@Override
+	protected void run() throws Exception {
+		service = new FidService();
+
+		decompiler = new DecompInterface();
+		DecompileOptions decompileOptions = new DecompileOptions();
+		decompiler.setOptions(decompileOptions);
+		decompiler.openProgram(currentProgram);
+
+		List<FoundString> findStrings = findStrings(null, 5, 1, true, false);
+		ContainsTextFilterFactory containsTextFilterFactory = new ContainsTextFilterFactory(false, true);
+		find_sqlite3Close(findStrings,containsTextFilterFactory);
+
+	}
+	
+
+
+	void find_sqlite3Close(List<FoundString> list, ContainsTextFilterFactory factory) throws MemoryAccessException {
+		int size = currentProgram.getLanguage().getLanguageDescription().getSize() / 8;
+		FunctionManager functionManager = currentProgram.getFunctionManager();
+		ReferenceManager referenceManager = currentProgram.getReferenceManager();
+		TextFilter textFilter = factory.getTextFilter("unable to close due to unfinalized statements or unfinished backups");
+		for (FoundString foundString : list) {
+			if(monitor.isCancelled()) {
+				break;
+			}
+			String string = foundString.getString(currentProgram.getMemory());
+			if(textFilter.matches(string)) {
+				Address address = foundString.getAddress();
+				println("=====text addr :"+address.toString() );
+				ReferenceIterator referencesTo = referenceManager.getReferencesTo(address);
+				while (referencesTo.hasNext()) {
+					Reference ref = referencesTo.next();
+					Address sql3CloseAddr = ref.getFromAddress();
+					Function sql3CloseFunction = functionManager.getFunctionContaining(sql3CloseAddr);
+					if(null ==sql3CloseFunction ) {
+						continue;
+					}
+					FidHashQuad hashQuad = service.hashFunction(sql3CloseFunction);
+					if(hashQuad.getFullHash() == sql3close_full_hash && hashQuad.getSpecificHash() == sql3close_spec_hash) {
+						println("found sql3Close :" + sql3CloseFunction.getName() + " at " + sql3CloseFunction.getEntryPoint() +
+								" full hash   " + hashQuad.getFullHash()   + " specific hash " + hashQuad.getSpecificHash());
+						Address entryPoint = sql3CloseFunction.getEntryPoint();
+						ReferenceIterator referencesTo2 = referenceManager.getReferencesTo(entryPoint);
+						while (referencesTo2.hasNext()) {
+							Reference next = referencesTo2.next();
+							Address  addr = next.getFromAddress();
+							Function sql_close_func = functionManager.getFunctionContaining(addr);
+							if(null !=sql_close_func ) {
+								continue;
+							}
+
+							CodeUnit codeUnitAt = currentProgram.getListing().getCodeUnitAt(addr);
+							if(null != codeUnitAt) {
+								String mnemonicString = codeUnitAt.getMnemonicString();
+								if("JMP".equals(mnemonicString)) {
+									CodeUnit codeUnitBefore = currentProgram.getListing().getCodeUnitBefore(addr);
+									String mnemonicString2 = codeUnitBefore.getMnemonicString();
+									Function function = UndefinedFunction.findFunction(currentProgram, addr, monitor);
+									if (null != function) {
+										Address entryPoint2 = function.getEntryPoint();
+										if("XOR".equals(mnemonicString2)) {
+											createFunction(entryPoint2, "sqlite3_close");
+											currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
+													"auto define function: sqlite3_close");
+											println("sqlite3_close  addr: " + entryPoint2.toString());
+										}else if ("MOV".equals(mnemonicString2)) {
+											createFunction(entryPoint2, "sqlite3_close_v2");
+											currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
+													"auto define function : sqlite3_close_v2" );
+											println("sqlite3_close_v2  addr: " + entryPoint2.toString());
+										}
+										ReferenceIterator referencesTo3 = referenceManager.getReferencesTo(entryPoint2);
+										while (referencesTo3.hasNext()) {
+											Reference next2 = referencesTo3.next();
+											Address fromAddress = next2.getFromAddress();
+											if("XOR".equals(mnemonicString2)) {
+												long l = fromAddress.getOffset() - 16*size;
+												println("sqlite3_close  xref:" + fromAddress.toString());
+												printf("sqlite3_api_routines  addr: %x \n", l);
+											}else if ("MOV".equals(mnemonicString2)) {
+												long l = fromAddress.getOffset()- 179*size;
+												println("sqlite3_close_v2  xref:" +fromAddress.toString());
+												printf("sqlite3_api_routines  addr: %x \n", l);
+											}
+											
+										}
+									}
+									
+								}
+								
+							}
+							
+						}
+					}
+			
+				}
+			
+			}
+		}
+		
+		
+		
+	}
+
+}
--- a/script/ghidra_script/NamedScript.java
+++ b/script/ghidra_script/NamedScript.java
@ -31,6 +31,7 @@ public class NamedScript extends GhidraScript {
 		FunctionManager functionManager = currentProgram.getFunctionManager();
 		ReferenceManager referenceManager = currentProgram.getReferenceManager();
 		AddressFactory addressFactory = currentProgram.getAddressFactory();
+		

 		AddressSpace space = addressFactory.getDefaultAddressSpace();
 		AddressSpace[] addressSpaces = addressFactory.getAddressSpaces();
@ -43,32 +44,26 @@ public class NamedScript extends GhidraScript {
 	
 		Address funcAddress = selectAddress;
 		Function logFunction = functionManager.getFunctionAt(funcAddress);
-//		for (AddressSpace sp : addressSpaces) {
-//			funcAddress = sp.getAddress(selectAddress.getOffset());
-//			logFunction = functionManager.getFunctionAt(funcAddress);
-//			space = sp;
-//			if (null != logFunction) {
-//				break;
-//			}
-//		}
+

 		ReferenceIterator referenceIterator = referenceManager.getReferencesTo(logFunction.getEntryPoint());
-		for (Reference ref : referenceIterator) {
-			Address fromAddress = ref.getFromAddress();
-//			if (fromAddress.getOffset() != 0x18284bb19L) {
-//				continue;
-//			}
+		while(referenceIterator.hasNext()) {
+			monitor.checkCancelled();
+			Reference next = referenceIterator.next();
+			Address fromAddress = next.getFromAddress();
+			println("lookup address: " + fromAddress.toString());
 			handle(fromAddress, functionManager, decompiler, space, listing,selectAddress);
-			println("caller address: " + fromAddress);
+			println("caller address: " + fromAddress.toString());
 		}

+
 	}

 	private void handle(Address address, FunctionManager functionManager, DecompInterface decompiler,
 			AddressSpace space, Listing listing,Address selectAddress) {
 		Function functionContaining = functionManager.getFunctionContaining(address);
 		if (null == functionContaining) {
-			println("no found function: " + address);
+			println("no found function: " + address.toString());
 			return;
 		}
 		DecompileResults res = decompiler.decompileFunction(functionContaining, 20, null);