QQBackup
add frida script and key_func_trait for qq on version 9.9.17-31363 (64bit)
add frida script and key_func_trait for qq on version 9.9.17-31363 (64bit)
procedure: 0. find the key_function_addr
- close qq and open qq, stop at login UI
- python pkey_get\pcqq_get_key.py
- pkey will show as below
logs: 14252 1 ['C:\Program Files (x86)\Tencent\QQNT\QQ.exe'] QQ pid is: 14252
104493056 0 [] wrapper.node pattern FOUND!! [] 41 56 56 57 53 48 83 ec 28 44 89 ce 4c 89 c7 49 89 d6 48 89 cb 48 8d 15 17 d3 65 01 b9 08 00 00 [] [{'address': '0x7ffc75fe5c70', 'size': 32}] [] 0x7ffc75fe5c70 Bytecode at 0x7ffc75fe5c70: Bytecode: 41 56 56 57 53 48 83 ec 28 44 89 ce 4c 89 c7 49 104493056 0 [] wrapper.node pattern FOUND!! [] 41 56 56 57 53 48 83 ec 28 31 f6 48 85 d2 74 2d 8b 59 30 85 db 7e 26 48 89 d7 4c 8b 71 28 31 f6 [] [{'address': '0x7ffc75fe55b0', 'size': 32}] [] 0x7ffc75fe55b0 Bytecode at 0x7ffc75fe55b0: Bytecode: 41 56 56 57 53 48 83 ec 28 31 f6 48 85 d2 74 2d hooked. Memory at 0x1b2f1cee730 (16 bytes as chars): @y.pkey___ Memory at 0x1b2f1cee6e0 (16 bytes as chars): @y.pkey___ ... Memory at 0x1b314ec2050 (16 bytes as chars): @y.pkey___ Memory at 0x1b314ec2010 (16 bytes as chars): @y.pkey___
首先获取QQ版本方法很多 1.参考WechatMsg的get_wx_info.py 2.用GetFileVersionInfo/GetFileVersionInfoSize 3.读注册表 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall(64位) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall(32位) 前2种方法还要结合读取文件PE头的a.IMAGE_DOS_HEADER.e_lfanew(IMAGE_NT_HEADERS).IMAGE_OPTIONAL_HEADER.Magic(0x10B=32,0x20B=64) b.判断位数也可以用:GetBinaryType(文件路径,返回位数[0=32,6=64]) c.还可以用IsWow64Process
1.参考WechatMsg的get_wx_info.py 2.用GetFileVersionInfo/GetFileVersionInfoSize
1的本质就是2,这个没有问题。
3.读注册表
由于绿色版一类的东西,不考虑。
前2种方法还要结合
确实可以。另外在这个项目里用Frida的Process.arch也没问题。
如果方便的话,可否发个PR,实现上述内容?谢谢!