|
|
本帖最后由 q644571381 于 2021-5-2 10:30 编辑
微信过低版本分析1.微信是如何计算版本号的 复制代码 隐藏代码 微信的显示的版本取决于WeChatWin.dll文件. 获取文件信息GetFileVersionInfoSizeW->GetFileVersionInfoW->VerQueryValueW 打开OD 拖入WeChat.exe 对GetFileVersionInfoSizeW函数下断 一直F9直到发现有 WeChatWin.dll的路径出现 [Asm] 纯文本查看 复制代码
?
1
2
3
| <span class="hljs-number">005</span>CE9C4 <span class="hljs-number">5</span>C517F09 /CALL 到 GetFileVersionInfoSizeW 来自 WeChatWi.<span class="hljs-number">5</span>C517F03
<span class="hljs-number">005</span>CE9C8 <span class="hljs-number">00</span>B031C0 |FileName = <span class="hljs-string">"G:\xxxxxx\WeChat\WeChatWin.dll"</span>
<span class="hljs-number">005</span>CE9CC <span class="hljs-number">005</span>CEA00 \pHandle = <span class="hljs-number">005</span>CEA00
|
返回到 WeChatWi.5C517F03[Asm] 纯文本查看 复制代码
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
| 5C517E80 /$ 55 PUSH EBP
5C517E81 |. 8BEC MOV EBP, ESP
5C517E83 |. A1 987D405D MOV EAX, DWORD PTR DS:[zxsq-anti-bbcode-0x5D407D98]
5C517E88 |. 83EC 2C SUB ESP, 0x2C
5C517E8B |. 53 PUSH EBX
5C517E8C |. 56 PUSH ESI
5C517E8D |. 57 PUSH EDI
5C517E8E |. 85C0 TEST EAX, EAX
5C517E90 |. 75 2B JNZ SHORT 5C517EBD
5C517E92 |. 68 04010000 PUSH 0x104 ; /BufSize = 104 (260.)
5C517E97 |. 68 B8C6415D PUSH 5D41C6B8 ; |PathBuffer = WeChatWi.5D41C6B8
5C517E9C |. 50 PUSH EAX ; |hModule = 00B031C0
5C517E9D |. FF15 4C22055D CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
5C517EA3 |. 68 B8C6415D PUSH 5D41C6B8 ; /Path = "G:\xxxxxx\WeChat"
5C517EA8 |. FF15 6C26055D CALL DWORD PTR DS:[<&SHLWAPI.PathRemoveF>; \PathRemoveFileSpecW
5C517EAE |. C705 987D405D>MOV DWORD PTR DS:[zxsq-anti-bbcode-0x5D407D98], 5D41C6B8 ; UNICODE "G:\xxxxxx\WeChat"
5C517EB8 |. B8 B8C6415D MOV EAX, 5D41C6B8 ; UNICODE "G:\xxxxxx\WeChat"
5C517EBD |> 6A FF PUSH -0x1
5C517EBF |. 0F57C0 XORPS XMM0, XMM0
5C517EC2 |. C745 E8 00000>MOV [LOCAL.6], 0x0
5C517EC9 |. 50 PUSH EAX
5C517ECA |. 8D4D D8 LEA ECX, [LOCAL.10]
5C517ECD |. 0F1145 D8 MOVUPS DQWORD PTR SS:[EBP-0x28], XMM0
5C517ED1 |. E8 3AC9FFFF CALL 5C514810
5C517ED6 |. 68 C44F215D PUSH 5D214FC4 ; UNICODE "\WeChatWin.dll"
5C517EDB |. 8D4D D8 LEA ECX, [LOCAL.10]
5C517EDE |. E8 ADCAFFFF CALL 5C514990
5C517EE3 |. 8B75 D8 MOV ESI, [LOCAL.10]
5C517EE6 |. C745 F8 00000>MOV [LOCAL.2], 0x0
5C517EED |. 85F6 TEST ESI, ESI
5C517EEF |. 74 08 JE SHORT 5C517EF9
5C517EF1 |. 66:833E 00 CMP WORD PTR DS:[zxsq-anti-bbcode-ESI], 0x0
5C517EF5 |. 8BC6 MOV EAX, ESI
5C517EF7 |. 75 05 JNZ SHORT 5C517EFE
5C517EF9 |> B8 10D3165D MOV EAX, 5D16D310
5C517EFE |> 8D4D F8 LEA ECX, [LOCAL.2]
5C517F01 |. 51 PUSH ECX ; /pHandle = 005CEA00
5C517F02 |. 50 PUSH EAX ; |FileName = "G:\xxxxxx\WeChat\WeChatWin.dll"
5C517F03 |. FF15 7429055D CALL DWORD PTR DS:[<&VERSION.GetFileVers>; \GetFileVersionInfoSizeW
5C517F09 |. 8BD8 MOV EBX, EAX
5C517F0B |. C745 EC 00000>MOV [LOCAL.5], 0x0
5C517F12 |. C745 F0 00000>MOV [LOCAL.4], 0x0
5C517F19 |. 8D0C5D 020000>LEA ECX, DWORD PTR DS:[EBX*2+0x2]
5C517F20 |. 51 PUSH ECX
5C517F21 |. 8D4D EC LEA ECX, [LOCAL.5]
5C517F24 |. E8 07AEFFFF CALL 5C512D30
5C517F29 |. 85F6 TEST ESI, ESI
5C517F2B |. 74 08 JE SHORT 5C517F35
5C517F2D |. 66:833E 00 CMP WORD PTR DS:[zxsq-anti-bbcode-ESI], 0x0
5C517F31 |. 8BC6 MOV EAX, ESI
5C517F33 |. 75 05 JNZ SHORT 5C517F3A
5C517F35 |> B8 10D3165D MOV EAX, 5D16D310
5C517F3A |> 8B7D EC MOV EDI, [LOCAL.5] ; WeChatWi.5D406B00
5C517F3D |. 57 PUSH EDI ; /Buffer = 0000035D
5C517F3E |. 53 PUSH EBX ; |BufSize = 5D1 (1489.)
5C517F3F |. 6A 00 PUSH 0x0 ; |Reserved = 0x0
5C517F41 |. 50 PUSH EAX ; |FileName = "G:\xxxxxx\WeChat\WeChatWin.dll"
5C517F42 |. FF15 7029055D CALL DWORD PTR DS:[<&VERSION.GetFileVers>; \GetFileVersionInfoW
5C517F48 |. 85C0 TEST EAX, EAX
5C517F4A |. 74 2F JE SHORT 5C517F7B
5C517F4C |. 8D45 F4 LEA EAX, [LOCAL.3]
5C517F4F |. C745 F4 00000>MOV [LOCAL.3], 0x0
5C517F56 |. 50 PUSH EAX ; /pValueSize = 00B031C0
5C517F57 |. 8D45 FC LEA EAX, [LOCAL.1] ; |
5C517F5A |. C745 FC 00000>MOV [LOCAL.1], 0x0 ; |
5C517F61 |. 50 PUSH EAX ; |ppValue = 00B031C0
5C517F62 |. 68 E801175D PUSH 5D1701E8 ; |pSubBlock = "\"
5C517F67 |. 57 PUSH EDI ; |pBlock = 0000035D
5C517F68 |. FF15 6C29055D CALL DWORD PTR DS:[<&VERSION.VerQueryVal>; \VerQueryValueW
5C517F6E |. 8B45 FC MOV EAX, [LOCAL.1]
5C517F71 |. 85C0 TEST EAX, EAX
5C517F73 |. 74 06 JE SHORT 5C517F7B
5C517F75 |. 0FB758 0C MOVZX EBX, WORD PTR DS:[EAX+0xC]
5C517F79 |. EB 02 JMP SHORT 5C517F7D
5C517F7B |> 33DB XOR EBX, EBX
5C517F7D |> 85FF TEST EDI, EDI
5C517F7F |. 74 09 JE SHORT 5C517F8A
5C517F81 |. 57 PUSH EDI
5C517F82 |. E8 B42CA400 CALL 5CF5AC3B
5C517F87 |. 83C4 04 ADD ESP, 0x4
5C517F8A |> 85F6 TEST ESI, ESI
5C517F8C |. 74 09 JE SHORT 5C517F97
5C517F8E |. 56 PUSH ESI
5C517F8F |. E8 A72CA400 CALL 5CF5AC3B
5C517F94 |. 83C4 04 ADD ESP, 0x4
5C517F97 |> 8B45 E4 MOV EAX, [LOCAL.7]
5C517F9A |. 85C0 TEST EAX, EAX
5C517F9C |. 74 09 JE SHORT 5C517FA7
5C517F9E |. 50 PUSH EAX
5C517F9F |. E8 972CA400 CALL 5CF5AC3B
5C517FA4 |. 83C4 04 ADD ESP, 0x4
5C517FA7 |> 5F POP EDI ; WeChatWi.5C517F09
5C517FA8 |. 5E POP ESI ; WeChatWi.5C517F09
5C517FA9 |. 8BC3 MOV EAX, EBX
5C517FAB |. 5B POP EBX ; WeChatWi.5C517F09
5C517FAC |. 8BE5 MOV ESP, EBP
5C517FAE |. 5D POP EBP ; WeChatWi.5C517F09
5C517FAF . C3 RETN
|
retn下断
等结果 看eax 0x58=88,我们用的是2.7.1.88 刚好是尾数
[Asm] 纯文本查看 复制代码
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| EAX 00000058
ECX 00AE0000
EDX 00AE0000
EBX 000005D1
ESP 005CEA0C UNICODE "医尊"
EBP 005CEA1C
ESI 5D053D00 WeChatWi.5D053D00
EDI 0000035D
EIP 5C517FAF WeChatWi.5C517FAF
C 0 ES 002B 32 位 0(FFFFFFFF)
P 1 CS 0023 32 位 0(FFFFFFFF)
A 0 SS 002B 32 位 0(FFFFFFFF)
Z 1 DS 002B 32 位 0(FFFFFFFF)
S 0 FS 0053 32 位 96D000(FFF)
T 0 GS 002B 32 位 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1.0000000000000000000
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
|
F8下一步看到如下代码
[Asm] 纯文本查看 复制代码
?
1
2
3
4
5
6
7
8
| 5C0A91AB |. 0FB6C0 MOVZX EAX, AL
5C0A91AE |. 0D 00010762 OR EAX, 0x62070100
5C0A91B3 |> A3 B885405D MOV DWORD PTR DS:[zxsq-anti-bbcode-0x5D4085B8], EAX
5C0A91B8 |> A3 68F5405D MOV DWORD PTR DS:[zxsq-anti-bbcode-0x5D40F568], EAX
5C0A91BD |. 8BE5 MOV ESP, EBP
5C0A91BF |. 5D POP EBP
5C0A91C0 . C3 RETN<p></p>
<p></p>
|
取得到的版本号和0x62070100位或得到结果 0x62070158
分别赋值给 0x5D4085B8 和 0x5D40F568 这2个肯定是读取的.先记录一下
0x62070100是怎么来的呢,从代码看,很像是固定的.
2.7.1.00 => 转换一下0x02070100
0x62070100 => 0x60000000+0x02070100
我们来计算1个,假如版本号是 3.3.3.33
0x03030300+0x60000000=0x63030300 or 0x21 => 0x63030321
修改eax的值 0x63030321
F9放行
原来是 
后面确实改成功了
版本的算法 可以自己编写出来
2.如何过掉低版本 复制代码 隐藏代码重新运行微信 打开CE 附加搜索 0x62070158 版本号计算的结果 写入最新的版本 或者更高版本即可 
我写入的是 3.3.3.33
点击登陆即可
|
|
粤公网安备 44522102000125 增值电信业务经营许可证 粤B2-20192173
发表于 2021-5-2 09:53:57
主题置顶卡
沉默卡
变色卡
扫一扫,关注易界动态