微信原来是32位的,计算key的偏移量可以参考刺心宝贝写的:AdminTest0/SharpWxDump: 微信客户端取证,可获取用户个人信息(昵称/账号/手机/邮箱/数据库密钥(用来解密聊天记录));支持获取多用户信息,不定期更新新版本偏移,目前支持所有新版本、正式版本 (github.com)
现在改为64位了,由于大家基础不好所以没人找到key的偏移量,直到出现了一位救世主。找到了
1272最近几个版本的key计算基址为
"ver": "3.9.8.15","addr": 64997904
"ver": "3.9.8.11","addr": 64998160
"ver": "3.9.8.9","addr": 65002384
"ver": "3.9.7.29", "addr": 63488256加上获取昵称,微信号,key,分别基址为
{"3.9.8.15",
new List<int>
{
64996632,
64997968,
64996440,
00000000,
64991910
}
}实现代码:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
namespace WeChatGetKey
{
internal class Program
{
private static void Main(string[] args)
{
try
{
Program.ReadTest();
}
catch (Exception ex)
{
Console.WriteLine("Error:" + ex.Message);
}
finally
{
//Console.ReadKey();
}
Console.WriteLine("[+] Done");
}
private static void ReadTest()
{
List<int> SupportList = null;
Process WeChatProcess = null;
foreach (Process ProcessesName in Process.GetProcessesByName("WeChat"))
{
WeChatProcess = ProcessesName;
Console.WriteLine("[+] WeChatProcessPID: " + WeChatProcess.Id.ToString());
foreach (object obj in WeChatProcess.Modules)
{
ProcessModule processModule = (ProcessModule)obj;
if (processModule.ModuleName == "WeChatWin.dll")
{
Program.WeChatWinBaseAddress = processModule.BaseAddress;
string FileVersion = processModule.FileVersionInfo.FileVersion;
Console.WriteLine("[+] WeChatVersion: " + FileVersion);
if (!Program.VersionList.TryGetValue(FileVersion, out SupportList))
{
Console.WriteLine("[-] WeChat Current Version Is: " + FileVersion + " Not Support");
return;
}
break;
}
}
if (SupportList == null)
{
Console.WriteLine("[-] WeChat Base Address Get Faild");
}
else
{
//int WeChatKey = (int)Program.WeChatWinBaseAddress + SupportList[4];
Int64 WeChatKey = (Int64)Program.WeChatWinBaseAddress + SupportList[4];
string HexKey = Program.GetHex(WeChatProcess.Handle, (IntPtr)WeChatKey);
if (string.IsNullOrWhiteSpace(HexKey))
{
Console.WriteLine("[-] WeChat Is Run, But Maybe No Login");
return;
}
else
{
Int64 WeChatName = (Int64)Program.WeChatWinBaseAddress + SupportList[0];
Console.WriteLine("[+] WeChatName: " + Program.GetName(WeChatProcess.Handle, (IntPtr)WeChatName, 100));
Int64 WeChatAccount = (Int64)Program.WeChatWinBaseAddress + SupportList[1];
string Account = Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatAccount);
if (string.IsNullOrWhiteSpace(Account))
{
Console.WriteLine("[-] WeChatAccount: Maybe User Is No Set Account");
}
else
{
Console.WriteLine("[+] WeChatAccount: " + Program.GetAccount(WeChatProcess.Handle, (IntPtr)WeChatAccount, 100));
}
Int64 WeChatMobile = (Int64)Program.WeChatWinBaseAddress + SupportList[2];
string Mobile = Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatMobile);
if (string.IsNullOrWhiteSpace(Mobile))
{
Console.WriteLine("[-] WeChatMobile: Maybe User Is No Binding Mobile");
}
else
{
Console.WriteLine("[+] WeChatMobile: " + Program.GetMobile(WeChatProcess.Handle, (IntPtr)WeChatMobile, 100));
}
Int64 WeChatMail = (Int64)Program.WeChatWinBaseAddress + SupportList[3];
string Mail = Program.GetMail(WeChatProcess.Handle, (IntPtr)WeChatMail);
if (string.IsNullOrWhiteSpace(Mail) != false) { }
else
{
Console.WriteLine("[+] WeChatMail: " + Program.GetMail(WeChatProcess.Handle, (IntPtr)WeChatMail, 100));
}
Console.WriteLine("[+] WeChatKey: " + HexKey);
}
}
}
if (WeChatProcess == null)
{
Console.WriteLine("[-] WeChat No Run");
return;
}
}
private static string GetName(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
{
byte[] array = new byte[nSize];
if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
{
return "";
}
string text = "";
foreach (char c in Encoding.UTF8.GetString(array))
{
if (c == '\0')
{
break;
}
text += c.ToString();
}
return text;
}
private static string GetAccount(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
{
byte[] array = new byte[nSize];
if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
{
return "";
}
string text = "";
foreach (char c in Encoding.UTF8.GetString(array))
{
if (c == '\0')
{
break;
}
text += c.ToString();
}
return text;
}
private static string GetMobile(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
{
byte[] array = new byte[nSize];
if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
{
return "";
}
string text = "";
foreach (char c in Encoding.UTF8.GetString(array))
{
if (c == '\0')
{
break;
}
text += c.ToString();
}
return text;
}
private static string GetMail(IntPtr hProcess, IntPtr lpBaseAddress, int nSize = 100)
{
byte[] array = new byte[nSize];
if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, nSize, 0) == 0)
{
return "";
}
string text = "";
foreach (char c in Encoding.UTF8.GetString(array))
{
if (c == '\0')
{
break;
}
text += c.ToString();
}
return text;
}
//private static string GetHex(IntPtr hProcess, IntPtr lpBaseAddress)
//{
// byte[] array = new byte[4];
// if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, 4, 0) == 0)
// {
// return "";
// }
// int num = 32;
// byte[] array2 = new byte[num];
// IntPtr lpBaseAddress2 = (IntPtr)(((int)array[3] << 24) + ((int)array[2] << 16) + ((int)array[1] << 8) + (int)array[0]);
// if (Program.ReadProcessMemory(hProcess, lpBaseAddress2, array2, num, 0) == 0)
// {
// return "";
// }
// return Program.bytes2hex(array2);
//}
private static string GetHex(IntPtr hProcess, IntPtr lpBaseAddress)
{
byte[] array = new byte[8];
if (Program.ReadProcessMemory(hProcess, lpBaseAddress, array, 8, 0) == 0)
{
return "";
}
int num = 32;
byte[] array2 = new byte[num];
IntPtr lpBaseAddress2 = (IntPtr)(((long)array[7] << 56) + ((long)array[6] << 48) + ((long)array[5] << 40) + ((long)array[4] << 32) + ((long)array[3] << 24) + ((long)array[2] << 16) + ((long)array[1] << 8) + (long)array[0]);
if (Program.ReadProcessMemory(hProcess, lpBaseAddress2, array2, num, 0) == 0)
{
return "";
}
return Program.bytes2hex(array2);
}
private static string bytes2hex(byte[] bytes)
{
return BitConverter.ToString(bytes, 0).Replace("-", string.Empty).ToLower().ToUpper();
}
[DllImport("kernel32.dll")]
public static extern int OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern int GetModuleHandleA(string moduleName);
[DllImport("kernel32.dll")]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, int lpNumberOfBytesRead);
public static Dictionary<string, List<int>> VersionList = new Dictionary<string, List<int>>
{
{
"3.2.1.154",
new List<int>
{
328121948,
328122328,
328123056,
328121976,
328123020
}
},
{
"3.3.0.115",
new List<int>
{
31323364,
31323744,
31324472,
31323392,
31324436
}
},
{
"3.3.0.84",
new List<int>
{
31315212,
31315592,
31316320,
31315240,
31316284
}
},
{
"3.3.0.93",
new List<int>
{
31323364,
31323744,
31324472,
31323392,
31324436
}
},
{
"3.3.5.34",
new List<int>
{
30603028,
30603408,
30604120,
30603056,
30604100
}
},
{
"3.3.5.42",
new List<int>
{
30603012,
30603392,
30604120,
30603040,
30604084
}
},
{
"3.3.5.46",
new List<int>
{
30578372,
30578752,
30579480,
30578400,
30579444
}
},
{
"3.4.0.37",
new List<int>
{
31608116,
31608496,
31609224,
31608144,
31609188
}
},
{
"3.4.0.38",
new List<int>
{
31604044,
31604424,
31605152,
31604072,
31605116
}
},
{
"3.4.0.50",
new List<int>
{
31688500,
31688880,
31689608,
31688528,
31689572
}
},
{
"3.4.0.54",
new List<int>
{
31700852,
31701248,
31700920,
31700880,
31701924
}
},
{
"3.4.5.27",
new List<int>
{
32133788,
32134168,
32134896,
32133816,
32134860
}
},
{
"3.4.5.45",
new List<int>
{
32147012,
32147392,
32147064,
32147040,
32148084
}
},
{
"3.5.0.20",
new List<int>
{
35494484,
35494864,
35494536,
35494512,
35495556
}
},
{
"3.5.0.29",
new List<int>
{
35507980,
35508360,
35508032,
35508008,
35509052
}
},
{
"3.5.0.33",
new List<int>
{
35512140,
35512520,
35512192,
35512168,
35513212
}
},
{
"3.5.0.39",
new List<int>
{
35516236,
35516616,
35516288,
35516264,
35517308
}
},
{
"3.5.0.42",
new List<int>
{
35512140,
35512520,
35512192,
35512168,
35513212
}
},
{
"3.5.0.44",
new List<int>
{
35510836,
35511216,
35510896,
35510864,
35511908
}
},
{
"3.5.0.46",
new List<int>
{
35506740,
35507120,
35506800,
35506768,
35507812
}
},
{
"3.6.0.18",
new List<int>
{
35842996,
35843376,
35843048,
35843024,
35844068
}
},
{
"3.6.5.7",
new List<int>
{
35864356,
35864736,
35864408,
35864384,
35865428
}
},
{
"3.6.5.16",
new List<int>
{
35909428,
35909808,
35909480,
35909456,
35910500
}
},
{
"3.7.0.26",
new List<int>
{
37105908,
37106288,
37105960,
37105936,
37106980
}
},
{
"3.7.0.29",
new List<int>
{
37105908,
37106288,
37105960,
37105936,
37106980
}
},
{
"3.7.0.30",
new List<int>
{
37118196,
37118576,
37118248,
37118224,
37119268
}
},
{
"3.7.5.11",
new List<int>
{
37883280,
37884088,
37883136,
37883008,
37884052
}
},
{
"3.7.5.23",
new List<int>
{
37895736,
37896544,
37895592,
37883008,
37896508
}
},
{
"3.7.5.27",
new List<int>
{
37895736,
37896544,
37895592,
37895464,
37896508
}
},
{
"3.7.5.31",
new List<int>
{
37903928,
37904736,
37903784,
37903656,
37904700
}
},
{
"3.7.6.24",
new List<int>
{
38978840,
38979648,
38978696,
38978604,
38979612
}
},
{
"3.7.6.29",
new List<int>
{
38986376,
38987184,
38986232,
38986104,
38987148
}
},
{
"3.7.6.44",
new List<int>
{
39016520,
39017328,
39016376,
38986104,
39017292
}
},
{
"3.8.0.31",
new List<int>
{
46064088,
46064912,
46063944,
38986104,
46064876
}
},
{
"3.8.0.33",
new List<int>
{
46059992,
46060816,
46059848,
38986104,
46060780
}
},
{
"3.8.0.41",
new List<int>
{
46064024,
46064848,
46063880,
38986104,
46064812
}
},
{
"3.8.1.26",
new List<int>
{
46409448,
46410272,
46409304,
38986104,
46410236
}
},
{
"3.9.0.28",
new List<int>
{
48418376,
48419280,
48418232,
38986104,
48419244
}
},
{
"3.9.2.23",
new List<int>
{
50320784,
50321712,
50320640,
38986104,
50321676
}
},
{
"3.9.2.26",
new List<int>
{
50329040,
50329968,
50328896,
38986104,
50329932
}
},
{
"3.9.5.91",
new List<int>
{
61654904,
61654680,
61654712,
38986104,
61656176
}
},
{
"3.9.6.19",
new List<int>
{
61997688,
61997464,
61997496,
38986104,
61998960
}
},
{ "3.9.6.33",
new List<int>
{
62030600,
62031936,
62030408,
38986104,
62031872
}
},
{"3.9.8.15",
new List<int>
{
64996632,
64997968,
64996440,
00000000,
64991910
}
}
};
private static IntPtr WeChatWinBaseAddress = IntPtr.Zero;
}
}