|
1 | | -;; |
2 | | -for(var addressname in address){ |
3 | | - address[addressname] = parseInt(address[addressname]); |
4 | | - // console.log(address[addressname]) |
5 | | -}; |
6 | | - |
| 1 | +; |
| 2 | +//获取WeChatAppEx.exe的基址 |
7 | 3 | var base = Process.findModuleByName("WeChatAppEx.exe").base |
8 | | -address.LaunchAppletBegin = base.add(address.LaunchAppletBegin); |
9 | | -address.WechatAppHtml = base.add(address.WechatAppHtml); |
10 | | -address.WechatWebHtml = base.add(address.WechatWebHtml); |
11 | 4 |
|
12 | 5 |
|
13 | | -function readStdString(s) { |
| 6 | +for (let key in address) { |
| 7 | + address[key] = base.add(address[key]); |
| 8 | +} |
14 | 9 |
|
| 10 | +function readStdString(s) { |
15 | 11 | var flag = s.add(23).readU8() |
16 | 12 | if (flag == 0x80) { |
17 | 13 | // 从堆中读取 |
@@ -42,29 +38,42 @@ function writeStdString(s, content) { |
42 | 38 | } |
43 | 39 | } |
44 | 40 |
|
45 | | -//HOOK 启动配置 |
| 41 | +//过新版8555检测 |
| 42 | +if(address.MenuItemDevToolsString){ |
| 43 | + var menuItemDevToolsStringCr = new Uint8Array(address.MenuItemDevToolsString.readByteArray(7)); |
| 44 | + var intptr_ = (menuItemDevToolsStringCr[3] & 0xFF) | ((menuItemDevToolsStringCr[4] & 0xFF) << 8) | ((menuItemDevToolsStringCr[5] & 0xFF) << 16) | ((menuItemDevToolsStringCr[6] & 0xFF) << 24); |
| 45 | + var menuItemDevToolsStringPtrData = address.MenuItemDevToolsString.add(intptr_+7); |
| 46 | + Memory.protect(menuItemDevToolsStringPtrData, 8, 'rw-') |
| 47 | + menuItemDevToolsStringPtrData.writeUtf8String("DevTools"); |
| 48 | +} |
| 49 | + |
| 50 | + |
46 | 51 | Interceptor.attach(address.LaunchAppletBegin, { |
47 | 52 | onEnter(args) { |
48 | 53 | send("[+] HOOK到小程序加载! " + readStdString(args[1])) |
49 | 54 | for (var i = 0; i < 0x1000; i+=8) { |
50 | 55 | try { |
51 | 56 | var s = readStdString(args[2].add(i)) |
52 | | - var s1 = s.replaceAll("md5", "md6").replaceAll('"enable_vconsole":false', '"enable_vconsole": true') |
| 57 | + |
| 58 | + var s1 = s.replaceAll("md5", "md6") |
| 59 | + .replaceAll('"enable_vconsole":false', '"enable_vconsole": true') |
| 60 | + .replaceAll('"frameset":false', '"frameset": true') |
| 61 | + //"frameset":false |
53 | 62 | if (s !== s1) { |
| 63 | + //send(s1) |
54 | 64 | writeStdString(args[2].add(i), s1) |
55 | 65 | } |
56 | 66 | } catch (a) { |
57 | 67 | } |
58 | 68 | } |
59 | 69 | } |
60 | 70 | }) |
61 | | -//HOOK F12配置 替换原本内容 |
| 71 | + |
| 72 | + |
62 | 73 | Interceptor.attach(address.WechatAppHtml, { |
63 | 74 | onEnter(args) { |
64 | 75 | this.context.rdx = address.WechatWebHtml; |
65 | 76 | send("[+] 已还原完整F12") |
66 | 77 | } |
67 | 78 | }) |
68 | | - |
69 | 79 | send("[+] WeChatAppEx.exe 注入成功!") |
70 | | - |
|
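Review bot: The new block under `if(address.MenuItemDevToolsString)` writes into process memory without checking what it is about to overwrite: the 32-bit displacement is taken from bytes 3–6 of whatever sits at that address, and nothing confirms the 7 bytes read are the expected instruction before `writeUtf8String` runs at the computed target. If the offset does not match the loaded build, this would presumably corrupt unrelated data silently instead of failing. The `Memory.protect` call also discards its boolean result and covers 8 bytes, while `writeUtf8String("DevTools")` writes 9 including the NUL terminator; `if (!Memory.protect(menuItemDevToolsStringPtrData, 9, 'rw-')) { send("[-] Memory.protect failed"); }` with the write moved to the else branch would make a failure visible. Separately, the rewritten `for (let key in address)` loop drops the old `parseInt` step, so it relies on every value in `address` (defined outside this page) already being something `base.add` accepts, which is worth confirming.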