1. First understand that two-dimensional code is clicked to switch accounts, or when landing generated, so it is two-dimensional code in the address stored value, from scratch, and will regenerate each time you open a two-dimensional code, so we can find the change of the value of the CE
2. Scan the end of the first results of the scan found a large outrageous
3. At this time we modify the scan type value changes, and click to switch accounts, because switching accounts would generate two-dimensional code, then save the value of two-dimensional code address will change, so we need to switch accounts, scan again
Found still great, so we need to take the phone to scan two-dimensional code, search again, switch accounts, search again after scanning. . . . . . Until we see a little upper-left corner of the search results after each search value changes so far, this time, we drag the bottom bar to see the results of the green base address
So we find the base address of the two-dimensional code, using a debugger, additional programs, at the address found in the memory write breakpoint (found here is 6cc97184) and run until the next break
Function first calls a function in WeChatWin.dll module, so I do not see the calling function other modules, and secondly, the stack back in time, try to find due to the outermost function, it is necessary to find more than down, and under breakpoints, watch, first (to cancel memory breakpoint before running) in which function off
Check the parameter values [ecx] found in the PNG file structure identification
OD script plug-in uses the file dump down https://www.cnblogs.com/JianXu/p/5158419.html
The files are saved in the root directory of the micro-channel installation files, find and open code.png, appear two-dimensional code scanning micro-channel ,, and this two-dimensional code using a mobile phone can direct landing micro letter stating the experiment is a success
