Hieuzest
commented
1 year ago it might be impossible to create fake messages previous impls
Closed ilharp closed 1 year ago
Hieuzest
commented
1 year ago it might be impossible to create fake messages previous impls
std-microblock
commented
1 year ago it might be impossible to create fake messages previous impls
AFAIK it could only be implemented in native side
std-microblock
commented
1 year ago It's also not easy though, they used a ton of unknown structures rather than STL things. Also, there are pointer pointed to a pointer pointed to a pointer pointed to...., all with many messy offsets.
std-microblock
commented
1 year ago The feasibility of fake message multi-message forward in QQNT is proved by Lagrange.Core here
std-microblock
commented
1 year ago I've approached sending the fake multi-message forward manually through native hooks, but I don't have enough time to make it practically usable in the production environment.
All addresses below are related to wrapper.node+0x180000000, with QQNT 9.9.2-16183 x64.
It basically has these approaches:
multiForwardMsgWithComment ipc method with fake msgIds(note that the id is parsed as uint64 so strings won't work. using magic numbers like 114514 would be helpful). On the native side, hook the SQL query function and return a fake message object when meeting the magic number. The SQL call functions are around 0x181fa6c07. We can pass the fake message object in the ipc method, and retrieve it by hooking multiForwardV8APIWrapper at 0x181fa6c07.Some information:
QQNT uses RC really heavily. Here's the (inaccurate and uncompleted) definition of memory span of it.
(see the Chinese part for the updated version)(The correction is not guaranteed for this, you'd better take a look at RC_USE(0x1812f4fe0) and some RC_FREE like code (for example 0x1812f4fe0, in buildSingleMsg) yourself, don't trust me :P)
QQNT loves virtual methods. All data can and only can (seemingly) be retrieved by virtual methods conveniently.
If there's nobody really hurry about this, we can wait until I have time to implement this(that would be a long time to wait). If there is, the info above can be used :)
ChatGPT 机翻
我已经尝试通过原生钩子手动发送虚假的多消息转发,但是我没有足够的时间将其在生产环境中实际可用。
以下所有地址都与 wrapper.node+0x180000000 有关,带 QQNT 9.9.2-16183 x64。
基本上有以下几种方法:
multiForwardMsgWithComment ipc 方法并使用虚假的 msgIds(注意,id 被解析为 uint64,所以字符串不起作用。使用像 114514 这样的魔法数值将很有帮助)。在本地端,通过 hook SQL 查询函数,并在遇到魔法数值时返回一个虚假的消息对象。SQL 调用函数大约在 0x181fa6c07 附近。我们可以在 ipc 方法中传递虚假的消息对象,并通过 hook multiForwardV8APIWrapper 在 0x181fa6c07 处检索它。一些信息:
QQNT 在使用 RC 时非常频繁。这是它的(不准确和未完成的)内存跨度定义。
struct RcInfo {
int64_t unknown; // 0x0 | 函数,不知道干什么用的
int32_t refCount; // 0x8
int32_t unknown2;
};
struct Rc {
void* destructor; // 指针被假设为8位 | 0x0 | 函数定义:int64_t destruct(Rc* rc)
void* unknown;
void* unknown2;
void* pointer; // 0x18
RcInfo* data; // 0x20
};
// RC_USE 的返回值:RcUseRes*
struct RcUseRes {
void* rawPointer;
RcInfo* info;
};(对于这个定义不一定是正确的,最好查看 RC_USE(0x1812f4fe0) 和一些 RC_FREE 类似的代码(例如 0x1812f4fe0,在 buildSingleMsg 中)自己查看,不要相信我 :P)
QQNT 非常喜欢虚拟方法。所有的数据只能通过虚拟方法方便地检索。
如果没有人真的急于这个问题,我们可以等到我有时间实现它(那需要很长时间)。如果有急需的话,上述信息可以被使用 :)
cc @ilharp
std-microblock
commented
1 year ago I've completed it. Everything's ready except the native layer monorepo to initialize. As I know nothing about monorepo, @ilharp
std-microblock
commented
1 year ago Native part's ready now.
当前 Chronocat 不支持发送合并转发消息,希望支持此功能。