feat: add script

This commit is contained in:
ttttupup 2024-07-31 18:02:39 +08:00
parent 7d290e454c
commit cfb4e9461f
7 changed files with 320 additions and 19 deletions

View File

@ -30,7 +30,7 @@ add_subdirectory(../base base)
add_library(wxhelper SHARED ${CPP_FILES} ${ASM_FILES}) add_library(wxhelper SHARED ${CPP_FILES} ${ASM_FILES})
target_compile_definitions(wxhelper PRIVATE WECHAT_VERSION=391119) target_compile_definitions(wxhelper PRIVATE WECHAT_VERSION=391125)
# target_include_directories(wxhelper # target_include_directories(wxhelper
# PRIVATE ../base/src/include # PRIVATE ../base/src/include

View File

@ -6,6 +6,7 @@ namespace wechat {
#define V_3_9_9_43 39943 #define V_3_9_9_43 39943
#define V_3_9_10_19 391019 #define V_3_9_10_19 391019
#define V_3_9_11_19 391119 #define V_3_9_11_19 391119
#define V_3_9_11_25 391125
#ifndef WECHAT_VERSION #ifndef WECHAT_VERSION
#error " WECHAT_VERSION not defined ." #error " WECHAT_VERSION not defined ."
#endif #endif
@ -467,6 +468,125 @@ const uint64_t kAddFriend = 0x1f3a350;
const uint64_t kVerifyApply = 0x1f3a940; const uint64_t kVerifyApply = 0x1f3a940;
const uint64_t kDoDelContact = 0x2310120; const uint64_t kDoDelContact = 0x2310120;
const uint64_t kGetSearchContactMgr = 0x1f9a730;
const uint64_t kStartSearch = 0x22a4200;
#elif WECHAT_VERSION == V_3_9_11_25
const uint64_t kGetAccountServiceMgr = 0x1b50d00;
const uint64_t kSyncMsg = 0xc39680;
const uint64_t kSyncMsgNext = 0xc39680;
const uint64_t kGetCurrentDataPath = 0x2248ce0;
const uint64_t kGetAppDataSavePath = 0x25dc0e0;
const uint64_t kGetSendMessageMgr = 0x1b4f500;
const uint64_t kSendTextMsg = 0x22c2010;
const uint64_t kFreeChatMsg = 0x1b50d80;
const uint64_t kDoAddMsg = 0x230a3e0;
const uint64_t kSendImageMsg = 0x22b77a0;
const uint64_t kChatMsgInstanceCounter = 0x1b59670;
const uint64_t kSendFileMsg = 0x20cb6f0;
const uint64_t kGetAppMsgMgr = 0x1b544a0;
const uint64_t kGetContactMgr = 0x1b3ccd0;
const uint64_t kGetContactList = 0x219a1c0;
const uint64_t k_sqlite3_exec = 0x3a59b30;
const uint64_t k_sqlite3_prepare = 0x3a617b0;
const uint64_t k_sqlite3_open = 0x3a98fa0;
const uint64_t k_sqlite3_step = 0x3a1db30;
const uint64_t k_sqlite3_column_count = 0x3a1e350;
const uint64_t k_sqlite3_column_name = 0x3a1ed50;
const uint64_t k_sqlite3_column_type = 0x3a1eba0;
const uint64_t k_sqlite3_column_blob = 0x3a1e380;
const uint64_t k_sqlite3_column_bytes = 0x3a1e470;
const uint64_t k_sqlite3_finalize = 0x3a1cbe0;
const uint64_t kGPInstance = 0x58dd300;
const uint64_t kMultiDBMgr = 0x593abf8;
const uint64_t kPublicMsgMgr = 0x5938198;
const uint64_t kFavoriteStorageMgr = 0x593b790;
const uint64_t kHardLinkMgr = 0x593ab28;
const uint64_t kChatRoomMgr = 0x1b7f100;
const uint64_t kGetChatRoomDetailInfo = 0x2160bb0;
const uint64_t kNewChatRoomInfo = 0x2505120;
const uint64_t kFreeChatRoomInfo = 0x2505300;
const uint64_t kDoAddMemberToChatRoom = 0x21505b0;
const uint64_t kDoModChatRoomMemberNickName = 0x215a360;
const uint64_t kDelMemberFromChatRoom = 0x2150bf0;
const uint64_t kGetMemberFromChatRoom = 0x2162400;
const uint64_t kNewChatRoom = 0x2502540;
const uint64_t kFreeChatRoom = 0x2502740;
const uint64_t kTopMsg = 0x1d7d160;
const uint64_t kRemoveTopMsg = 0x2166090;
const uint64_t kInviteMember = 0x214ff90;
const uint64_t kHookLog = 0x1304e60;
const uint64_t kCreateChatRoom = 0x214fc60;
const uint64_t kQuitChatRoom = 0x215ac00;
const uint64_t kForwardMsg = 0x22c1590;
const uint64_t kOnSnsTimeLineSceneFinish = 0x1a73150;
const uint64_t kSNSGetFirstPage = 0x2e1bec0;
const uint64_t kSNSGetNextPageScene = 0x2e41a70;
const uint64_t kSNSDataMgr = 0x21dd6b0;
const uint64_t kSNSTimeLineMgr = 0x2dadf20;
const uint64_t kGetMgrByPrefixLocalId = 0x213afb0;
const uint64_t kAddFavFromMsg = 0x2930e40;
const uint64_t kGetChatMgr = 0x1b82bf0;
const uint64_t kGetFavoriteMgr = 0x1b57ba0;
const uint64_t kAddFavFromImage = 0x293d0f0;
const uint64_t kGetContact = 0x21945d0;
const uint64_t kNewContact = 0x2519300;
const uint64_t kFreeContact = 0x25199b0;
const uint64_t kNewMMReaderItem = 0x8c79a0;
const uint64_t kFreeMMReaderItem = 0x8c6da0;
const uint64_t kForwordPublicMsg = 0xddc6c0;
const uint64_t kParseAppMsgXml = 0x11b0a70;
const uint64_t kNewAppMsgInfo = 0x91a550;
const uint64_t kFreeAppMsgInfo = 0x8fd1a0;
const uint64_t kGetPreDownLoadMgr = 0x1c0a3a0;
const uint64_t kPushAttachTask = 0x1cda920;
const uint64_t kGetCustomSmileyMgr = 0x1ca0320;
const uint64_t kSendCustomEmotion = 0x21b04c0;
const uint64_t kNewJsApiShareAppMessage = 0x26cda20;
const uint64_t kInitJsConfig = 0x137bc00;
const uint64_t kSendApplet = 0x13c0920;
const uint64_t kSendAppletSecond = 0x13c1150;
const uint64_t kGetAppInfoByWaid = 0x13c5790;
const uint64_t kCopyShareAppMessageRequest = 0x13c0670;
const uint64_t kNewWAUpdatableMsgInfo = 0x919ca0;
const uint64_t kFreeWAUpdatableMsgInfo = 0x8fc230;
const uint64_t kSendPatMsg = 0x2ca9790;
const uint64_t kGetOCRManager = 0x999780;
const uint64_t kDoOCRTask = 0x2c53910;
const uint64_t kGetLockWechatMgr = 0x1c85010;
const uint64_t kRequestLockWechat = 0x1c397d0;
const uint64_t kRequestUnLockWechat = 0x1c39a70;
const uint64_t kOnLoginBtnClick = 0x202bc30;
const uint64_t kGetQRCodeLoginMgr = 0x201e350;
const uint64_t kUpdateMsg = 0x21421a0;
const uint64_t kGetVoiceMgr = 0x1e13320;
const uint64_t kChatMsg2NetSceneSendMsg = 0x1b70fd0;
const uint64_t kTranslateVoice = 0x2353d50;
const uint64_t kNewWebViewPageConfig = 0x1b53ae0;
const uint64_t kFreeWebViewPageConfig = 0x1b53d10;
const uint64_t kGetWebViewMgr = 0x1b43950;
const uint64_t kShowWebView = 0x302ed30;
const uint64_t kSetUrl = 0x13dd410;
const uint64_t kNewPayInfo = 0x1bcd930;
const uint64_t kFreePayInfo = 0x1b92450;
const uint64_t kTransferConfirm = 0x2f8c750;
const uint64_t kTransferRefuse = 0x2f8d340;
const uint64_t kAddFriend = 0x1f3a350;
const uint64_t kVerifyApply = 0x1f3a940;
const uint64_t kDoDelContact = 0x2310120;
const uint64_t kGetSearchContactMgr = 0x1f9a730; const uint64_t kGetSearchContactMgr = 0x1f9a730;
const uint64_t kStartSearch = 0x22a4200; const uint64_t kStartSearch = 0x22a4200;
#else #else

View File

@ -1506,7 +1506,7 @@ int64_t wechat::WeChatService::SearchContact(
(func::__GetSearchContactMgr)search_mgr_addr; (func::__GetSearchContactMgr)search_mgr_addr;
func::__StartSearch search = (func::__StartSearch)search_addr; func::__StartSearch search = (func::__StartSearch)search_addr;
uint64_t mgr = get_mgr(); uint64_t mgr = get_mgr();
success = search(mgr,&key); // success = search(mgr,&key);
return success; return success;
} }
@ -1552,7 +1552,7 @@ int64_t wechat::WeChatService::DoConfirmReceipt(
memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id)); memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id));
memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id)); memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id));
// memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id)); // memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id));
success = do_confirm(&pay_info, &recv_id); success = do_confirm(reinterpret_cast<uint64_t>(&pay_info), reinterpret_cast<uint64_t>(&recv_id));
free_pay_info(reinterpret_cast<uint64_t>(&pay_info)); free_pay_info(reinterpret_cast<uint64_t>(&pay_info));
@ -1583,7 +1583,7 @@ int64_t wechat::WeChatService::DoRefuseReceipt(
memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id)); memcpy(&pay_info[0x30], &transcation_id, sizeof(transcation_id));
memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id)); memcpy(&pay_info[0x58], &transfer_id, sizeof(transfer_id));
// memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id)); // memcpy(&pay_info[0xA0], &recv_id, sizeof(recv_id));
success = do_refuse(&pay_info, &recv_id); success = do_refuse(reinterpret_cast<uint64_t>(&pay_info), reinterpret_cast<uint64_t>(&recv_id));
free_pay_info(reinterpret_cast<uint64_t>(&pay_info)); free_pay_info(reinterpret_cast<uint64_t>(&pay_info));
return success; return success;

Binary file not shown.

View File

@ -0,0 +1,53 @@
import java.util.ArrayList;
import java.util.List;
import docking.widgets.filter.ContainsTextFilterFactory;
import docking.widgets.filter.TextFilter;
import docking.widgets.filter.TextFilterFactory;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;
import ghidra.program.model.symbol.SymbolTable;
public class FindCallScript extends GhidraScript {
@Override
protected void run() throws Exception {
ContainsTextFilterFactory containsTextFilterFactory = new ContainsTextFilterFactory(false, true);
find_send_msg(containsTextFilterFactory);
}
void find_send_msg(ContainsTextFilterFactory factory) {
SymbolTable symbolTable = currentProgram.getSymbolTable();
List<Symbol> searchSymbol = searchSymbol(symbolTable,"SendMessageMgr::sendMsg",factory,"SendMessageMgr::sendMsg");
for (Symbol symbol : searchSymbol) {
println("found SendMessageMgr::sendMsg" + symbol.getAddress().toString());
println("=================copy source========================");
printf("const uint64_t kSendTextMsg = " + symbol.getAddress().toString() + "; \n");
}
}
void find_sendMessageMgr(ContainsTextFilterFactory factory) {
SymbolTable symbolTable = currentProgram.getSymbolTable();
List<Symbol> searchSymbol = searchSymbol(symbolTable,"SendMessageMgr::SendMessageMgr",factory,"SendMessageMgr::SendMessageMgr");
for (Symbol symbol : searchSymbol) {
}
}
List<Symbol> searchSymbol(SymbolTable symbolTable,String text,TextFilterFactory factory,String filterText) {
List<Symbol> list = new ArrayList<>();
TextFilter textFilter = factory.getTextFilter(filterText);
SymbolIterator symbols = symbolTable.getSymbols(text);
while (symbols.hasNext()) {
Symbol next = symbols.next();
if(textFilter.matches(next.getName())) {
list.add(next);
}
}
return list;
}
}

View File

@ -0,0 +1,133 @@
import java.util.List;
import docking.widgets.filter.ContainsTextFilterFactory;
import docking.widgets.filter.TextFilter;
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileOptions;
import ghidra.app.script.GhidraScript;
import ghidra.feature.fid.hash.FidHashQuad;
import ghidra.feature.fid.service.FidService;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.CodeUnit;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.mem.MemoryAccessException;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;
import ghidra.program.model.symbol.ReferenceManager;
import ghidra.program.util.string.FoundString;
import ghidra.util.UndefinedFunction;
public class FindSqliteCloseScript extends GhidraScript {
FidService service;
DecompInterface decompiler;
long sql3close_full_hash = -1574752015815545339L;
long sql3close_spec_hash = -1262376715505923342L;
@Override
protected void run() throws Exception {
service = new FidService();
decompiler = new DecompInterface();
DecompileOptions decompileOptions = new DecompileOptions();
decompiler.setOptions(decompileOptions);
decompiler.openProgram(currentProgram);
List<FoundString> findStrings = findStrings(null, 5, 1, true, false);
ContainsTextFilterFactory containsTextFilterFactory = new ContainsTextFilterFactory(false, true);
find_sqlite3Close(findStrings,containsTextFilterFactory);
}
void find_sqlite3Close(List<FoundString> list, ContainsTextFilterFactory factory) throws MemoryAccessException {
int size = currentProgram.getLanguage().getLanguageDescription().getSize() / 8;
FunctionManager functionManager = currentProgram.getFunctionManager();
ReferenceManager referenceManager = currentProgram.getReferenceManager();
TextFilter textFilter = factory.getTextFilter("unable to close due to unfinalized statements or unfinished backups");
for (FoundString foundString : list) {
if(monitor.isCancelled()) {
break;
}
String string = foundString.getString(currentProgram.getMemory());
if(textFilter.matches(string)) {
Address address = foundString.getAddress();
println("=====text addr :"+address.toString() );
ReferenceIterator referencesTo = referenceManager.getReferencesTo(address);
while (referencesTo.hasNext()) {
Reference ref = referencesTo.next();
Address sql3CloseAddr = ref.getFromAddress();
Function sql3CloseFunction = functionManager.getFunctionContaining(sql3CloseAddr);
if(null ==sql3CloseFunction ) {
continue;
}
FidHashQuad hashQuad = service.hashFunction(sql3CloseFunction);
if(hashQuad.getFullHash() == sql3close_full_hash && hashQuad.getSpecificHash() == sql3close_spec_hash) {
println("found sql3Close :" + sql3CloseFunction.getName() + " at " + sql3CloseFunction.getEntryPoint() +
" full hash " + hashQuad.getFullHash() + " specific hash " + hashQuad.getSpecificHash());
Address entryPoint = sql3CloseFunction.getEntryPoint();
ReferenceIterator referencesTo2 = referenceManager.getReferencesTo(entryPoint);
while (referencesTo2.hasNext()) {
Reference next = referencesTo2.next();
Address addr = next.getFromAddress();
Function sql_close_func = functionManager.getFunctionContaining(addr);
if(null !=sql_close_func ) {
continue;
}
CodeUnit codeUnitAt = currentProgram.getListing().getCodeUnitAt(addr);
if(null != codeUnitAt) {
String mnemonicString = codeUnitAt.getMnemonicString();
if("JMP".equals(mnemonicString)) {
CodeUnit codeUnitBefore = currentProgram.getListing().getCodeUnitBefore(addr);
String mnemonicString2 = codeUnitBefore.getMnemonicString();
Function function = UndefinedFunction.findFunction(currentProgram, addr, monitor);
if (null != function) {
Address entryPoint2 = function.getEntryPoint();
if("XOR".equals(mnemonicString2)) {
createFunction(entryPoint2, "sqlite3_close");
currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
"auto define function: sqlite3_close");
println("sqlite3_close addr: " + entryPoint2.toString());
}else if ("MOV".equals(mnemonicString2)) {
createFunction(entryPoint2, "sqlite3_close_v2");
currentProgram.getListing().setComment(entryPoint2, CodeUnit.POST_COMMENT,
"auto define function : sqlite3_close_v2" );
println("sqlite3_close_v2 addr: " + entryPoint2.toString());
}
ReferenceIterator referencesTo3 = referenceManager.getReferencesTo(entryPoint2);
while (referencesTo3.hasNext()) {
Reference next2 = referencesTo3.next();
Address fromAddress = next2.getFromAddress();
if("XOR".equals(mnemonicString2)) {
long l = fromAddress.getOffset() - 16*size;
println("sqlite3_close xref:" + fromAddress.toString());
printf("sqlite3_api_routines addr: %x \n", l);
}else if ("MOV".equals(mnemonicString2)) {
long l = fromAddress.getOffset()- 179*size;
println("sqlite3_close_v2 xref:" +fromAddress.toString());
printf("sqlite3_api_routines addr: %x \n", l);
}
}
}
}
}
}
}
}
}
}
}
}

View File

@ -32,6 +32,7 @@ public class NamedScript extends GhidraScript {
ReferenceManager referenceManager = currentProgram.getReferenceManager(); ReferenceManager referenceManager = currentProgram.getReferenceManager();
AddressFactory addressFactory = currentProgram.getAddressFactory(); AddressFactory addressFactory = currentProgram.getAddressFactory();
AddressSpace space = addressFactory.getDefaultAddressSpace(); AddressSpace space = addressFactory.getDefaultAddressSpace();
AddressSpace[] addressSpaces = addressFactory.getAddressSpaces(); AddressSpace[] addressSpaces = addressFactory.getAddressSpaces();
@ -43,32 +44,26 @@ public class NamedScript extends GhidraScript {
Address funcAddress = selectAddress; Address funcAddress = selectAddress;
Function logFunction = functionManager.getFunctionAt(funcAddress); Function logFunction = functionManager.getFunctionAt(funcAddress);
// for (AddressSpace sp : addressSpaces) {
// funcAddress = sp.getAddress(selectAddress.getOffset());
// logFunction = functionManager.getFunctionAt(funcAddress);
// space = sp;
// if (null != logFunction) {
// break;
// }
// }
ReferenceIterator referenceIterator = referenceManager.getReferencesTo(logFunction.getEntryPoint()); ReferenceIterator referenceIterator = referenceManager.getReferencesTo(logFunction.getEntryPoint());
for (Reference ref : referenceIterator) { while(referenceIterator.hasNext()) {
Address fromAddress = ref.getFromAddress(); monitor.checkCancelled();
// if (fromAddress.getOffset() != 0x18284bb19L) { Reference next = referenceIterator.next();
// continue; Address fromAddress = next.getFromAddress();
// } println("lookup address: " + fromAddress.toString());
handle(fromAddress, functionManager, decompiler, space, listing,selectAddress); handle(fromAddress, functionManager, decompiler, space, listing,selectAddress);
println("caller address: " + fromAddress); println("caller address: " + fromAddress.toString());
} }
} }
private void handle(Address address, FunctionManager functionManager, DecompInterface decompiler, private void handle(Address address, FunctionManager functionManager, DecompInterface decompiler,
AddressSpace space, Listing listing,Address selectAddress) { AddressSpace space, Listing listing,Address selectAddress) {
Function functionContaining = functionManager.getFunctionContaining(address); Function functionContaining = functionManager.getFunctionContaining(address);
if (null == functionContaining) { if (null == functionContaining) {
println("no found function: " + address); println("no found function: " + address.toString());
return; return;
} }
DecompileResults res = decompiler.decompileFunction(functionContaining, 20, null); DecompileResults res = decompiler.decompileFunction(functionContaining, 20, null);