After that, F9 runs. At this time, the file path is xlog, which obviously does not meet our requirements.

Save chat pictures in practice

Find the call to save voice in OD, send a picture message so that the program breaks, and set a breakpoint on CreateFileW at the same time. Now that we know the process of image processing and have a call that receives image messages, we can find the algorithm and function that encrypt the image after the image message is received and before CreateFileW creates the image file, and save the image before encryption.

Ideas about automatically saving pictures
![wechat xlog wechat xlog](https://raw.githubusercontent.com/Jinkeycode/XloggerSwiftDemo/master/README_image/xlogger6.jpg)
The whole process is shown in the figure: After the encryption completes, the file-operation API is called and the encrypted picture is written to local disk. If it is a picture, the picture data will be taken out and the picture will be encrypted in memory.
Then we might as well guess the processing flow related to the picture. First, after receiving the original message, a series of processing will be carried out on the message, including judging whether the message is a picture. And we already know that the pictures received by wechat will be saved locally by XOR encryption. Since this place is the most original message content, the message will be processed later.
![wechat xlog wechat xlog](https://emacsist.github.io/img/image-20200522141423612.png)
Because there are too many messages here, it will be relatively troublesome to process. Of course, we can write HOOK in this place to save pictures, but it's not necessary. The content of stores the relevant data of the picture sent this time, including a series of original data such as wechat ID. In fact, this place not only has voice messages, but also picture messages.
The offset is 0x30E326, and the following is the characteristic code:

```
67E3E319 C745 FC 0100000>mov dword ptr ss:,0x1
67E3E320 FF77 34 push dword ptr ds: length
67E3E323 FF77 30 push dword ptr ds: content
67E3E326 E8 85F07300 call WeChatWi.6857D3B0
67E3E32B 8D85 58FFFFFF lea eax,dword ptr ss:
67E3E332 E8 090E0000 call WeChatWi.67E3F140
```

```
C745 FC 01000000 FF77 ? FF77 ? E8 ? 8D85 ? 50 E8 ?
```

Correlation extension based on saved speech

Here, the relevant feature codes are directly given for easy location (the wechat version I use is still 2.6.8.52). In this article, the anhkgg boss found the interface to save voice messages.
![wechat xlog wechat xlog](http://www.solarbear.tw/inc/ASP/send_thumbnail.asp?siteName=solarbear&fName=340574.jpg)
I must note, randomly deleting files that are not part of a cache can cause the app to crash when it is restarted or destroy data that you do not want to delete.

This article is based on anhkgg big man's article "Research on wechat PC end technology (2) - win voice", the original link: Research on wechat PC technology (2) - save chat voice - Software Reverse - Snow watching Forum - Security Community | security recruitment

Deleting and reinstalling the app will likely delete the file, but double check that your contacts are saved somewhere else before doing that. If it doesn't, that is a data file for the app probably holding contacts and messages. If you are concerned with saving space: After deleting your old messages, if the file does not shrink, clear the app cache through settings-> apps->wechat->clear cache and see if the file disappears. If you are merely concerned with what it is, it's probably the file that contains your messages. If you want to get rid of it to save space, do the things I listed below. Otherwise, it could be a cache or data that was never deleted by the app when it was done with it. If it does, it's the file that contains all of your messages. Clear out your old messages and see if the file shrinks (assuming you are concerned with this because of the large amount of storage it is taking).