关于遍历找key (`def get_key(pid, db_path, addr_len):`) #102

TaihouKai · 2024-06-13T05:43:07Z

我自己手动写代码测试了这个遍历找key的get_key function:

void_p = ctypes.c_void_p
addr_len = 64
pid = 9092
pm = pymem.Pymem(pid)
module_name = "WeChatWin.dll"
MicroMsg_path = "MicroMsg.db"
MicroMsg_path = os.path.join("C:\\Users\\<USERNAME>\\Documents\\WeChat Files\\wxid_<ID>\\", "MSG", "MicroMsg.db")
ReadProcessMemory = ctypes.windll.kernel32.ReadProcessMemory

def read_key_bytes(h_process, address, address_len=8):
  # ... copy-paste

def verify_key(key, wx_db_path):
  # ... copy-paste

phone_type1 = "iphone\x00"
phone_type2 = "android\x00"
phone_type3 = "ipad\x00"

type1_addrs = pm.pattern_scan_module(phone_type1.encode(), module_name, return_multiple=True)
type2_addrs = pm.pattern_scan_module(phone_type2.encode(), module_name, return_multiple=True)
type3_addrs = pm.pattern_scan_module(phone_type3.encode(), module_name, return_multiple=True)
if type1_addrs == None or type2_addrs == None or type3_addrs == None:
    print("Error: pattern_scan_module failed")
    exit()

print(type1_addrs, type2_addrs, type3_addrs)

type_addrs = []
if len(type1_addrs) >= 2: type_addrs += type1_addrs
if len(type2_addrs) >= 2: type_addrs += type2_addrs
if len(type3_addrs) >= 2: type_addrs += type3_addrs
if len(type_addrs) == 0:
    print("Error: type_addrs is empty")
    exit()

type_addrs.sort()
print(type_addrs)

for i in type_addrs[::-1]:
    for j in range(i, i - 2000, -addr_len):
        key_bytes = read_key_bytes(pm.process_handle, j, addr_len)
        if key_bytes == "None":
            continue
        # print(key_bytes.hex())
        if verify_key(key_bytes, MicroMsg_path):
            key = key_bytes.hex()

print(key)

我发现addr_len=64的情况下找不到key，只有在addr_len=16或者8的情况下可以。
（我试过get_exe_bit，确实返回的是64）
请问这是为什么？

The text was updated successfully, but these errors were encountered:

simoole · 2024-06-13T06:52:31Z

因为key是个32位的字节串

TaihouKai · 2024-06-13T06:55:31Z

因为key是个32位的字节串

感谢回复。如果按照代码里的话，get_exe_bit会返回64吧？（因为是64位的exe）
那样的话addr_len就得是64了……？

(get_wx_info.py)

addrLen = get_exe_bit(process.exe())
...
...
if rd['filePath'] != "None" and rd['key'] == "None" and not isKey:
    rd['key'] = get_key(rd['pid'], rd['filePath'], addrLen)

xaoyaoo · 2024-06-13T14:58:21Z

这个和系统位数以及内存读写方式有关。
32位系统和64位系统，对内存读写单元大小不同。

TaihouKai · 2024-06-14T03:06:48Z

这个和系统位数以及内存读写方式有关。
32位系统和64位系统，对内存读写单元大小不同。

感谢回复。
这样的话，如果我要手动复现遍历，请问这个地方的for j in range(i, i - 2000, -addr_len):是不是该改成-int(addr_len/8)，以匹配读写单元的大小(4/8 bytes)？我试了下，不改成/8的话在我的电脑上遍历不着key

for i in type_addrs[::-1]:
    for j in range(i, i - 2000, -addr_len):
        key_bytes = read_key_bytes(pm.process_handle, j, addr_len)
        if key_bytes == "None":
            continue
        # print(key_bytes.hex())
        if verify_key(key_bytes, MicroMsg_path):
            key = key_bytes.hex()

xaoyaoo · 2024-06-14T15:58:35Z

@TaihouKai
所以你已经有了结论。

xaoyaoo closed this as completed Jun 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

关于遍历找key (`def get_key(pid, db_path, addr_len):`) #102

关于遍历找key (`def get_key(pid, db_path, addr_len):`) #102

TaihouKai commented Jun 13, 2024 •

edited

Loading

simoole commented Jun 13, 2024

TaihouKai commented Jun 13, 2024 •

edited

Loading

xaoyaoo commented Jun 13, 2024

TaihouKai commented Jun 14, 2024 •

edited

Loading

xaoyaoo commented Jun 14, 2024

关于遍历找key (def get_key(pid, db_path, addr_len):) #102

关于遍历找key (def get_key(pid, db_path, addr_len):) #102

Comments

TaihouKai commented Jun 13, 2024 • edited Loading

simoole commented Jun 13, 2024

TaihouKai commented Jun 13, 2024 • edited Loading

xaoyaoo commented Jun 13, 2024

TaihouKai commented Jun 14, 2024 • edited Loading

xaoyaoo commented Jun 14, 2024

关于遍历找key (`def get_key(pid, db_path, addr_len):`) #102

关于遍历找key (`def get_key(pid, db_path, addr_len):`) #102

TaihouKai commented Jun 13, 2024 •

edited

Loading

TaihouKai commented Jun 13, 2024 •

edited

Loading

TaihouKai commented Jun 14, 2024 •

edited

Loading