Author: zmrbak (Zhao Qingming teacher)
Preface:
I will not speak micro-channel dominance in the social field, we only Tencent revealed by numerous pits stepped on in the development process of micro-letters, and fill open pits associated with the micro-channel source, we can feel alone technically, micro-channel is a very great product. However, great products, tend to be obsessed with the technology of feeding laboratory, using all possible tools to pieces, in order to study and understanding of its "great" lies! .
WeTool, a free micro-channel community management tool, it is a group of people obsessed with the results of the study of micro-channel technology this great product is obtained. In the micro business sector, the software turns out to be famous, outsize. If you do not know this software, then you are certainly not micro-business people. If you want your micro-channel group management, but do not want to spend money, maybe this software is your best choice. Of course, free software routines are the same, WeTool "intentionally" does not meet some of your special needs, if you really want it, of course, is to pay, then buy "Enterprise Edition" of it.
However, for people who have a strong interest in technology, the research and study as interesting WeTool PC micro letter, where I put them together sent to two laboratories, a glimpse of the mystery!
The micro-channel WeTool
Because Tencent intervention, currently WeTool free version is no longer publicly available for download. But before the old version can still be automatically upgraded to the latest version. If you want to get WeTool this software, I think you should know how to do it. If you still do not know, I'm sorry, this article is for you too esoteric. So my advice to you is: turn off this page now.
WeTool at startup, checks on whether the current computer matches the PC version micro-channel installation. If not found, or a version mismatch, WeTool will guide you to its official website to download a version to match the PC micro-channel (which may be old, but can be used). After the download is complete, you need to manually install it.
When WeTool startup, login status also checks micro letter, if the micro-channel has not been completed after login, WeTool will wait to log micro letter, then open their own management interface.
The question here is: How is WeTool know whether it has been registered micro letter?
Here, we use PCHunter to check the micro-letter (WeChat.exe) process module. We can see, loaded with a special DLL file (WeHelp.dll) in the process of micro letter, and its parent directory is a special string: "2.6.8.65", exactly in line with our micro-channel version is currently running . And then up a directory, "WeToolCore", it is clear that this document is part of WeTool.
It is precisely this DLL file to help WeTool completed a variety of interactions between micro letter. In other words, WeTool by WeHelp.dll this file, you can perceive the activities of micro letter, of course, including whether the micro-channel already logged on and so on ...
Snoop WeTool
If you turn off WeTool inadvertently, you will find that your micro letter also was closed. This is why?
If you've ever had with OD debugging software, you will find that when you OD is closed, the software is being debugged OD also closed off. Therefore, we suspect, WeTool for micro letter, it should use the same principle is similar to the OD of the other software that is "debugging."
In WeTool micro-managing your letter, you will find that this time the OD micro-channel can not be attached. In fact, or "debugging." When the software under a debugger is already in a "debug", in order to prevent errors, the debugger has been in denial about this again debugger is debugging the software. This further confirms the fact WeTool for micro message "Start-up".
But is such a "small" setting, shattered a lot of "white" trying to debug WeTool dream.
Now that we have found the key to WeTool micro-channel, that is, the file "WeHelp.dll". So, we put the file into our labs please, let us take it apart bit by bit, bit by bit thin to explore the mystery of.
Dismantling WeTool
Before dismantling hands, we first look at WeTool in the end to our computer what stuff installed. Down "WeTool Free Edition" on the desktop, we find the directory WeTool installation, the installation directory under the 22 folders and 84 files. Of course, let's interested in is "WeChatVersion" this folder because its name with the micro-letter (WeChat) so people can think together.
Double-click the "WeChatVersion", we see the following results. Once the letter is just a micro version number named folder. We suspect that this folder there must be some connection between this version and the micro-channel. At present, we can get the latest micro-channel version is 2.6.8.68 (This version is an update; Tencent can be downloaded from the official website only to the version 2.6.8.65), which happen to have a named folder to the version number "2.6 .8.65. "
We double-click to open "2.6.8.65" folder. Earlier article mentioned "WeHelp.dll" file impressively in the head. Point to open other similar micro-channel version of the folder, the same, in both of these two files per folder. The only difference is the kind of file sizes.
Because we use micro-channel version is 2.6.8.65, then we carry out research on the "WeHelp.dll" folder under 2.6.8.65. By binary comparison, we find that folder under the "WeHelp.dll" micro-letter file loaded "WeHelp.dll" file to the same file.
Thus, we conclude that: WeTool for the micro-channel versions offer different WeHelp.dll file separately, when WeTool start of the application folder and copy the files in the current version of the micro signal to the current Windows user login corresponding WeChatVersion program data folder, and then there's "WeHelp.dll" loaded into memory in the micro-channel process.
WeHelp resolve
WeTool as "WeHelp.dll" set up barriers to prevent a "dynamic debugging", which is enough to make all dynamic debuggers, no special treatment before, you can not start.
If you can take a detour, then why storm it? So we ask the static analysis tool --IDA PRO 32. Note that, here, be sure to use 32-bit version, because only in 32-bit version, it can be converted into assembly code in C language pseudocode. Compared to assembly code is, C code more intuitive.
After opening the IDA, click on the button "GO", and then drag the WeHelp.dll where the next step is to resolve ten seconds, parsing is completed, the interface is as follows:
From the results of IDA parsed, so we are very surprised that, in the "WeHelp.dll" are actually not found what ah packers, encryption, ah, ah, and so confuse these procedures for copyright protection technology. Maybe too confident WeTool it! After all, WeTool is the de facto industry leader, its position no one can shake.
For this part of the function and the interaction between micro-letters, in fact, for a just getting started, more diligent reverse novice, just after six months to a year of practicing hand, this is also part of the function can be completed. For WeTool, its real core value is not here, but in its "forward" management logic, as well as their own back-end Web server. In its management interface, various functions to achieve in complex logic, if you want to reverse it, might as well rewrite Well, besides it have been free for you to use, and is also necessary to reverse it! ! Of course, WeTool background server, you simply can not touch.
From the results of IDA resolved, we can see WeHelp in various functions, methods, without masking fully displayed in front. In the right window, pressing the F5, instantly assembly code into C language pseudocode.
For a little some Window API programming experience, these are all familiar C code, simply guess, Nengkanmingbai what is written. If you still do not understand, then it would open Visual Studio, on the shining look. Here is DllMain, is the entry point of the DLL. Our project is to create a C ++ dynamic link library (dll), and to come and see shining:
fdwReason = 1, precisely, DLL_PROCESS_ATTACH = 1. Once the DLL is loaded, branching is performed immediately DLL_PROCESS_ATTACH DllMain in this function. In other words, when "WeHelp.dll" This file is loaded into the micro-channel processes, immediately execute it DllMain function, DLL_PROCESS_ATTACH branch inside these two functions will be executed immediately.
Double click on a function (sub_10003040), to go inside and see what's inside this function, as shown below, its return value from a Windows Api (pink font) - "RegisterWindowMessageW", see the MSDN, found, The original is a registered Windows messages.
This is not what we most want, press the ESC key to return.
Double click next function (sub_100031B0), the page becomes friends. Obviously, registering a window class. For a window, the most important is its callback function, because in the callback function to complete all event handlers for the window. Here, lpfnWndProc = sub_10003630, is quite clear, this is the callback function.
Double-sub_10003630 this function, the window switches to the following. In addition if the first statement, and the rest if ... else if ... else if is so compelling. After each comparison and judgment, they are a function is called. The basis for judgment is passed in the parameter "lParam" to compare the value of a dword.
We hypothesize that these functions are probably related to the interaction between WeHelp function bar and micro-letters. Of course, this is just speculation, we will further verify the job.
sub_10003630 This function is a callback function of the window, we want to focus on. So, we give it a change of name it. Right click on the function name, select "Rename global item", a name we call "Fn_WndProc" it. So it becomes a page like this:
Although in IDA, "WeHelp.dll" in the function (method) show all out, but it also has more than 40, we find a simple thing to try. CWeHelp :: Logout (void), this function has no parameters, then we choose this. (If you show or compilation, please click on the assembly code press F5) Double-click CWeHelp :: Logout (void) function in the left window, right window replaced the function of the C language pseudo-code.
In the front, we see that in the callback function, lParam to be compared with a dword value. In this function, we find here a dword assigned a value for the type of lParam. In order to facilitate memory, we put this dowrd value change of the name of it, because it is used in digital Logout function, it is called "D_Logout" it.
Next, we'll look at "Who" with this value. On our revised "D_Logout" right click and select "Jump to xref ...". So this value only two places, one is the current "Logout" function, while the other is in "Fn_WndProc" in front of that is not that the callback function Well! Select "Fn_WndProc" this line, click on the OK!
Once again we see the familiar if ... else if ..., there and "D_Logout" branch comparison, but this branch only inside a function is called sub_10005940, and no arguments.
Double-click function "sub_10005940", found that this function is very simple. Core only two statements, the first call sub_100030F0 function, and then get a return value. Next, add a return value to the value "0x3F2BF0", converted to a function pointer as a parameter to give a 0, and then calls the function pointer. Finally, return the results.
We are here to focus on, from "sub_100030F0" function's return value result in the end is what?
Similarly, double-click function (sub_100030F0), go in and see the pictures! It turned out to call a Windows API function (GetModuleHandleW), after viewing MSDN, found the original of this function is to take micro-channel base address (WeChatWin.dll).
It is much simpler! Does that mean that if we execute in micro letter "((int (__stdcall *) (_ DWORD)) (weChatWinBaseAddress + 0x3F2BF0)) (0);" such a code, you can achieve Logout function?
Of course, this is just speculation, we need further validation.
Guess verification
Open C ++ dynamic link library project originally created, the case branch DLL_PROCESS_ATTACH replaced by the following:
case DLL_PROCESS_ATTACH: { DWORD weChatWinBaseAddress = (int)GetModuleHandleW(L"WeChatWin.dll"); ((int(__stdcall*)(DWORD))(weChatWinBaseAddress + 0x3F2BF0))(0); }
Note: the copied code from IDA in "_DWORD" Underscore removed, it can be compiled by the.
Start micro-channel, log micro letter (this time, mobile micro-channel will show "Windows logged micro letter").
OD using additional micro letter (to ensure WeTool already quit, or OD additional unsuccessful).
Right click in the window assembly code OD, select "StrongOD \ InjectDll \ Remote Thread", just select the Visual Studio dll file successfully compiled.
one second! OK, magical happened: micro letter tips, you have to exit the micro-letter!
At the same time, the previously displayed on the phone micro letter "Windows Micro letter logged in", also disappeared.
From here we can determine, micro-channel "really" is pulled out, rather than bounced off.
to sum up:
In fact, the reverse research, not just by coolies, more important is the strong sense of curiosity and divergent thinking. Perhaps a moment, a change in thinking, the moment everything is cheerful. A person's power is limited, into a circle, to learn from the successful experience of others, and contribute their own successful experience, you will find, in fact, the reverse research is a very interesting thing. Of course, I studied writing is free and open source, you can download on GitHub, and we also welcome to learn and study together.
postscript:
Before 17 March 2019, he conducted some exploration of WeTool, has not made progress. After a lapse of two months, has suddenly discovered, then in May 29, 2019 I will record the results of exploration into a video, share with me the research and exploration of micro-letter friends. As a result, provoked a strong reaction among them, there are a lot of friends with a leap of progress of the study of development, there are a few friends among just a few days, it is far beyond my research progress. See such a scene, so I am filled with joy. Of course, there are many friends of evaluation, but also makes me happy.
Source Share: