Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows QQNT 如何“略加修改” #22

Closed
LeSnow-Ye opened this issue Feb 18, 2024 · 7 comments
Closed

Windows QQNT 如何“略加修改” #22

LeSnow-Ye opened this issue Feb 18, 2024 · 7 comments
Labels
question Further information is requested

Comments

@LeSnow-Ye
Copy link

根据 repo 提供的脚本略加修改,很容易得到我们需要的 pKey 和 nKey

请务必写详细一点

我尝试改了,但并不 work

hook_script = """
function buf2hex(buffer) {
  const byteArray = new Uint8Array(buffer);
  const hexParts = [];
  for(let i = 0; i < byteArray.length; i++) {
    const hex = byteArray[i].toString(16);
    const paddedHex = ('00' + hex).slice(-2);
    hexParts.push(paddedHex);
  }
  return '0x' + hexParts.join(', 0x');
}

const wrapper_node = Module.load('wrapper.node');
function single_function(pattern) {
    pattern = pattern.replaceAll("##", "").replaceAll(" ", "").toLowerCase().replace(/\\s/g,'').replace(/(.{2})/g,"$1 ");
    var akey_function_list = Memory.scanSync(wrapper_node.base, wrapper_node.size, pattern);
    if (akey_function_list.length > 1) {
        send("pattern FOUND MULTI!!")
        send(pattern)
        send(akey_function_list)
        send("!!exit")
    }
    if (akey_function_list.length == 0) {
        send("pattern NOT FOUND!!")
        send("!!exit")
    }
    return akey_function_list[0]['address'];
}

const key_function = single_function("48 89 5C 24 08")

Interceptor.attach(key_function, {
    onEnter: function (args, state) {
        console.log("¦- nKey: " + args[2].toInt32());
        console.log("¦- *pkey: " + buf2hex(args[1].readByteArray(args[2].toInt32())));
    },
    
    onLeave: function (retval, state) {
    }

});
"""
@Young-Lord
Copy link
Member

Young-Lord commented Feb 18, 2024
edited
Loading

我看不出你的代码有什么问题,这个不能用表现在哪里?没有输出?
你是什么时候hook的?理想情况应该是进程启动时……大概?(我没有试过)
那个文件下面还有另一种用IDA debugger的,你也可以试试
如果还有问题可以 @ Alphagocc,鉴于这篇教程是这位写的

@LeSnow-Ye
Copy link
Author

LeSnow-Ye commented Feb 18, 2024
edited by Young-Lord
Loading

我看不出你的代码有什么问题,这个不能用表现在哪里?没有输出?
你是什么时候hook的?理想情况应该是进程启动时……大概?(我没有试过)
那个文件下面还有另一种用IDA debugger的,你也可以试试
如果还有问题可以 @ Alphagocc,鉴于这篇教程是这位写的

Module.load() 失败

我并不会 frida,所以姑且只能算瞎改的。所以这个“略加修改”真的很emmm
@alphagocc

hook 的时机也是合理的

ida debugger 我也试了,也出现神奇的问题,那边也提了个 issue( Mythologyli/qq-nt-db#3

@Young-Lord
Copy link
Member

不是 你为什么要Module.load
这东西本来就不是一个普通的dll,你应该直接等它加载后去用single_function取地址,而非再次加载
下次问问题把问题带上

@LeSnow-Ye
Copy link
Author

不是 你为什么要Module.load 这东西本来就不是一个普通的dll,你应该直接等它加载后去用single_function取地址,而非再次加载 下次问问题把问题带上

我并不会 frida,所以姑且只能算瞎改的。

问题不是我的代码出了什么问题,而是我根本就不知道怎么写这个 frida 的 hook

@Young-Lord
Copy link
Member

你会不会写那个是你的问题,我能解决的是你的代码有什么问题(
如果你要完整代码/教程那我是没时间的

你要改的话是把这里 https://github.com/QQBackup/qq-win-db-key/blob/master/android_get_key.py#L29 改成对应模块wrapper.node,下面签名换掉,hook进程换成对应进程pid,get_remote_device换成本机

@Young-Lord Young-Lord mentioned this issue Feb 24, 2024
Closed
@Young-Lord
Copy link
Member

看看这个? 65deb73

@Young-Lord Young-Lord added the question Further information is requested label Feb 27, 2024
@Young-Lord
Copy link
Member

由于没有回应,我先 close 了,有问题再 reopen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LeSnow-Ye @Young-Lord