├── .gitignore ├── LICENSE ├── Lingc.sln ├── Lingc ├── Lingc.cpp ├── Lingc.h ├── Lingc.vcxproj ├── Lingc.vcxproj.filters ├── Lingc.vcxproj.user ├── RCa30820 ├── dllmain.cpp ├── util.cpp └── util.h ├── README.md ├── dist └── 9.9.0-14569.js ├── frida-gumjs └── include │ └── frida-gumjs.h └── vcpkg.json /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | 54 | build 55 | /Temp 56 | /.vs 57 | /vcpkg_installed 58 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Lingc.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.5.33530.505 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Lingc", "Lingc\Lingc.vcxproj", "{BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Debug|x64.ActiveCfg = Debug|x64 17 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Debug|x64.Build.0 = Debug|x64 18 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Debug|x86.ActiveCfg = Debug|Win32 19 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Debug|x86.Build.0 = Debug|Win32 20 | 
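{BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Release|x64.ActiveCfg = Release|x64 21 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Release|x64.Build.0 = Release|x64 22 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Release|x86.ActiveCfg = Release|Win32 23 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {263E53CC-2A55-4AD1-85F0-13E887E9EF64} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Lingc/Lingc.cpp: -------------------------------------------------------------------------------- 1 | #include "Lingc.h" 2 | #include "util.h" 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 |
/*
 * Thread entry point: initialises the embedded GumJS runtime, reads
 * "curVersion" from resources/app/versions/config.json, and loads the script
 * lingc/<curVersion>.js into the current process.
 *
 * Security-relevant points:
 *  - curVersion comes from a file on disk and ends up in a file path, and the
 *    file at that path is executed as a script inside this process. Anyone who
 *    can write config.json or the lingc/ directory controls what runs here, so
 *    the value is restricted to a plain file-name component below.
 *  - util::readFile() fills the vector with exactly the file's bytes and adds
 *    no terminator, so the buffers are never treated as C strings without one.
 *
 * Returns 0 in every case; failures to create the script are shown in a
 * message box, all other failures are silent.
 */
DWORD WINAPI frida_init(LPVOID lpParamter) {
    (void)lpParamter;

    // NOTE(review): the template argument of both vectors is missing on this
    // page (angle-bracket text was lost); it has to match util::readFile().
    std::vector scriptStr;
    std::vector configStr;
    char scriptPath[255] = { 0 };

    GError* error = NULL;
    gum_init_embedded();
    backend = gum_script_backend_obtain_v8();

    if (util::readFile("resources/app/versions/config.json", configStr)) {
        Json::Reader reader;
        Json::Value root;
        // Build the string from the exact byte range; the buffer has no NUL.
        std::string configText(configStr.begin(), configStr.end());
        if (reader.parse(configText, root) && root["curVersion"].isString()) {
            const std::string version = root["curVersion"].asString();
            // Accept only a bare name: no separators, drive colon or "..",
            // so the lookup cannot leave the lingc/ directory.
            const bool plainName = !version.empty()
                && version.find_first_of("/\\:") == std::string::npos
                && version.find("..") == std::string::npos;
            if (plainName) {
                // Bounded write: an over-long version must not overflow scriptPath.
                const int written = snprintf(scriptPath, sizeof(scriptPath), "lingc/%s.js", version.c_str());
                if (written < 0 || (size_t)written >= sizeof(scriptPath)) {
                    scriptPath[0] = '\0';
                }
            }
        }
    }

    // No usable version: there is no script to load.
    if (scriptPath[0] == '\0') {
        return 0;
    }

    if (util::readFile(scriptPath, scriptStr)) {
        // The script source is passed as a C string, so terminate it first.
        scriptStr.push_back(0);
        script = gum_script_backend_create_sync(backend, "NTQQ", (const char*)scriptStr.data(), NULL, cancellable, &error);
        if (error == NULL) {
            gum_script_load_sync(script, cancellable);
        }
        else {
            MessageBoxA(0, error->message, "Error", MB_ICONERROR);
            g_error_free(error);
        }
    }
    return 0;
}
--------------------------------------------------------------------------------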
/Lingc/Lingc.h: -------------------------------------------------------------------------------- 1 | #ifndef LINGC_H 2 | #define LINGC_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | static GumScriptBackend* backend; 10 | static GCancellable* cancellable = NULL; 11 | static GumScript* script; 12 | static GMainContext* context; 13 | 14 | DWORD WINAPI frida_init(LPVOID lpParamter); 15 | 16 | #endif -------------------------------------------------------------------------------- /Lingc/Lingc.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | {BBBFD0AB-9964-4B3C-93BD-4225434E8DFF} 24 | MFCDLLProj 25 | Lingc 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v143 33 | Unicode 34 | false 35 | 36 | 37 | 38 | 39 | DynamicLibrary 40 | false 41 | v143 42 | false 43 | MultiByte 44 | false 45 | 16 46 | 47 | 48 | 49 | 50 | DynamicLibrary 51 | true 52 | v143 53 | Unicode 54 | false 55 | 56 | 57 | DynamicLibrary 58 | false 59 | v143 60 | true 61 | Unicode 62 | false 63 | 16 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | true 85 | $(SolutionDir)build\$(Platform)\ 86 | $(SolutionDir)Temp\$(Platform)\$(Configuration)\ 87 | $(ProjectName)_d 88 | 89 | 90 | true 91 | $(SolutionDir)build\$(Platform)\ 92 | $(SolutionDir)Temp\$(Platform)\$(Configuration)\ 93 | $(ProjectName)_d 94 | 95 | 96 | false 97 | $(SolutionDir)build\$(Platform)\ 98 | $(SolutionDir)Temp\$(Platform)\$(Configuration)\ 99 | 100 | 101 | false 102 | $(SolutionDir)build\$(Platform)\ 103 | $(SolutionDir)Temp\$(Platform)\$(Configuration)\ 104 | 105 | 106 | true 107 | 108 | 109 | 110 | 111 | false 112 | 113 | 114 | 115 | 116 | false 117 | 118 | 119 | 120 | 121 | false 122 | 123 | 124 | 125 | 126 | false 127 | 128 | 129 | 130 | NotUsing 131 | Level3 
132 | true 133 | _CRT_SECURE_NO_WARNINGS;_WINDOWS;_DEBUG;_USRDLL;%(PreprocessorDefinitions) 134 | pch.h 135 | $(SolutionDir)frida-gumjs\include 136 | MultiThreadedDebug 137 | stdcpp17 138 | stdc11 139 | 140 | 141 | Windows 142 | 143 | 144 | frida-gumjs.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 145 | $(SolutionDir)frida-gumjs\libs\$(Platform) 146 | 147 | 148 | false 149 | _DEBUG;%(PreprocessorDefinitions) 150 | 151 | 152 | 0x0804 153 | _DEBUG;%(PreprocessorDefinitions) 154 | $(IntDir);%(AdditionalIncludeDirectories) 155 | 156 | 157 | 158 | 159 | NotUsing 160 | Level3 161 | true 162 | _CRT_SECURE_NO_WARNINGS;WIN32;_WINDOWS;_DEBUG;_USRDLL;%(PreprocessorDefinitions) 163 | pch.h 164 | $(SolutionDir)frida-gumjs\include 165 | MultiThreadedDebug 166 | stdcpp17 167 | stdc11 168 | 169 | 170 | Windows 171 | 172 | 173 | frida-gumjs.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 174 | $(SolutionDir)frida-gumjs\libs\$(Platform) 175 | 176 | 177 | false 178 | _DEBUG;%(PreprocessorDefinitions) 179 | 180 | 181 | 0x0804 182 | _DEBUG;%(PreprocessorDefinitions) 183 | $(IntDir);%(AdditionalIncludeDirectories) 184 | 185 | 186 | 187 | 188 | NotUsing 189 | Level3 190 | true 191 | true 192 | true 193 | _CRT_SECURE_NO_WARNINGS;WIN32_LEAN_AND_MEAN;WIN32;_WINDOWS;NDEBUG;_USRDLL;%(PreprocessorDefinitions) 194 | pch.h 195 | $(SolutionDir)frida-gumjs\include 196 | MultiThreaded 197 | stdc11 198 | stdcpp17 199 | 200 | 201 | Windows 202 | true 203 | true 204 | 205 | 206 | frida-gumjs.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 207 | $(SolutionDir)frida-gumjs\libs\$(Platform) 208 | 209 | 210 | false 211 | NDEBUG;%(PreprocessorDefinitions) 212 | 213 | 214 | 0x0804 215 | NDEBUG;%(PreprocessorDefinitions) 216 | $(IntDir);%(AdditionalIncludeDirectories) 217 | 218 | 219 | 220 | 221 | NotUsing 222 | Level3 223 | true 224 | true 225 | true 226 | _CRT_SECURE_NO_WARNINGS;_WINDOWS;NDEBUG;_USRDLL;%(PreprocessorDefinitions) 227 | pch.h 228 | 
$(SolutionDir)frida-gumjs\include 229 | MultiThreaded 230 | stdc11 231 | stdcpp17 232 | 233 | 234 | Windows 235 | true 236 | true 237 | 238 | 239 | frida-gumjs.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 240 | $(SolutionDir)frida-gumjs\libs\$(Platform) 241 | 242 | 243 | false 244 | NDEBUG;%(PreprocessorDefinitions) 245 | 246 | 247 | 0x0804 248 | NDEBUG;%(PreprocessorDefinitions) 249 | $(IntDir);%(AdditionalIncludeDirectories) 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | -------------------------------------------------------------------------------- /Lingc/Lingc.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | 14 | 15 | Source 16 | 17 | 18 | Source 19 | 20 | 21 | Source 22 | 23 | 24 | 25 | 26 | Header 27 | 28 | 29 | Header 30 | 31 | 32 | -------------------------------------------------------------------------------- /Lingc/Lingc.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Lingc/RCa30820: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ziweni/NtQQHook/869acac915cdf76a5a2a3257ebf72a62af9c82e6/Lingc/RCa30820 -------------------------------------------------------------------------------- /Lingc/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "Lingc.h" 4 | 5 | #define LINGC_EXPORT __declspec(dllexport) 6 | 7 | BOOL APIENTRY DllMain(HMODULE /* hModule */, DWORD ul_reason_for_call, LPVOID /* lpReserved */) 8 | { 9 | switch (ul_reason_for_call) 10 
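| { 11 | case DLL_PROCESS_ATTACH: 12 | CreateThread(NULL, 0, frida_init, NULL, 0, NULL); 13 | case DLL_THREAD_ATTACH: 14 | case DLL_THREAD_DETACH: 15 | case DLL_PROCESS_DETACH: 16 | break; 17 | } 18 | return TRUE; 19 | } 20 |
/*
 * libcurl write callback: appends the received chunk (size * nmemb bytes) to
 * the std::string registered through CURLOPT_WRITEDATA and reports the whole
 * chunk as consumed.
 */
size_t ReceiveData(void* contents, size_t size, size_t nmemb, std::string* str)
{
    const size_t total = size * nmemb;
    str->append(static_cast<const char*>(contents), total);
    return total;
}

extern "C" {
    /*
     * Sends data out of the process; exported so the JS side can call it.
     *
     * POSTs `data` (a NUL-terminated string, sent with a JSON/UTF-8
     * Content-Type) to `url` and returns libcurl's result code. The response
     * body is collected and discarded.
     *
     * Notes:
     *  - The call is synchronous with a 200 ms timeout, so the calling thread
     *    can stall for that long on every record.
     *  - `url` is used exactly as given; this function places no restriction
     *    on the destination or scheme, and adds no authentication.
     *  - The header list is released on every path (the original leaked it on
     *    each call and when curl_easy_init() failed).
     */
    LINGC_EXPORT CURLcode PrintLog(const char* url, const char* data) {
        if (url == NULL || data == NULL)
        {
            return CURLE_BAD_FUNCTION_ARGUMENT;
        }
        CURL* curl = curl_easy_init();
        if (curl == NULL)
        {
            return CURLE_FAILED_INIT;
        }
        struct curl_slist* headers = curl_slist_append(NULL, "Content-Type:application/json;charset=UTF-8");
        std::string response;

        curl_easy_setopt(curl, CURLOPT_URL, url);
        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
        // Numeric options are read as long by libcurl.
        curl_easy_setopt(curl, CURLOPT_HEADER, 0L);
        curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 200L);
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, ReceiveData);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void*)&response);
        const CURLcode res = curl_easy_perform(curl);
        curl_slist_free_all(headers);   // accepts NULL
        curl_easy_cleanup(curl);

        return res;
    }
}
-------------------------------------------------------------------------------- /Lingc/util.cpp: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | #include 3 | #include 4 | #include 5 | 6 | bool util::readFile(std::string path, std::vector& buffer) { 7 | std::ifstream file(path, std::ios::binary); 8 | if (file.fail()) { 9 | perror(path.c_str()); 10 | return false; 11 | } 12 | // 把文件读取指针移动到末尾并获取位置 13 | file.seekg(0, std::ios::end); 14 | std::streamoff fileSize = file.tellg(); 15 | // 把文件读取指针移动到首字节位置并与之前的相减 16 | file.seekg(0, std::ios::beg); 17 | fileSize -= file.tellg(); 18 | buffer.resize(fileSize); 19 |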
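file.read((char*)&(buffer[0]), fileSize); 20 | file.close(); 21 | return true; 22 | } 23 |
/*
 * Writes the lowercase hex form of in[0..len) to `out`.
 * `out` must have room for 2 * len + 1 bytes; the terminating NUL is written
 * together with the last byte. Does nothing when `out` or `in` is NULL.
 */
void cbin2hex(char* out, uint8_t* in, size_t len)
{
    if (out == NULL || in == NULL) {
        return;
    }
    // size_t index: an unsigned int counter could never reach a larger len.
    for (size_t i = 0; i < len; i++)
        snprintf(out + (i * 2), 3, "%02x", (unsigned int)in[i]);
}

/*
 * Returns in[0..len) as a lowercase hex string.
 * Returns an empty string for a NULL pointer or len == 0. The original
 * allocated with new[] and never freed it, and returned NULL as a std::string
 * on its (unreachable) failure path; the buffer is now owned by a vector.
 */
std::string util::bin2hex(uint8_t* in, size_t len)
{
    if (in == NULL || len == 0) {
        return std::string();
    }
    std::vector<char> hex((len * 2) + 1, '\0');
    cbin2hex(hex.data(), in, len);
    return std::string(hex.data());
}

/* Value of one hex digit, or -1 when `c` is not a hex digit. */
static int hexNibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decodes `srclen` hex characters from `src` into `dest` and returns the
 * number of bytes written (srclen / 2).
 *
 * `dest` must have room for srclen / 2 bytes; the function cannot check this.
 * Returns 0 for NULL pointers, an odd srclen, or any character that is not a
 * hex digit. In the last case bytes decoded before the bad character have
 * already been written. The original parsed each pair with sscanf("%x") and
 * ignored its result, so malformed input was silently stored as 0 or as a
 * partial value.
 */
size_t util::hex2bin(uint8_t* dest, const char* src, size_t srclen) {
    if (dest == NULL || src == NULL || srclen % 2 != 0) return 0;
    const size_t count = srclen / 2;
    for (size_t i = 0; i < count; i++)
    {
        const int hi = hexNibble(src[2 * i]);
        const int lo = hexNibble(src[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        dest[i] = (uint8_t)((hi << 4) | lo);
    }
    return count;
}
-------------------------------------------------------------------------------- /Lingc/util.h: -------------------------------------------------------------------------------- 1 | #ifndef UTIL_H 2 | #define UTIL_H 3 | #include 4 | #include 5 | #include 6 | 7 | class util 8 | { 9 | public: 10 | static size_t hex2bin(uint8_t* dest, const char* src, size_t srclen); 11 | static std::string bin2hex(uint8_t* in, size_t len); 12 | static bool readFile(std::string path, std::vector& buffer); 13 | }; 14 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NtQQHook 2 | 3 | > 支持的功能如下 4 | 5 | * 部分 Tea 6 | * 部分 AES 7 | * Ecdh密钥(不含PrivateKey) 8 | 9 | > 使用的库如下 10 | 11 | * frida-gumjs 12 | * jsoncpp 13 | * curl 14 | 15 | 16 | 17 | **如何编译?** 18 | 19 | 1. 建立`frida-gumjs/libs/x64`、`frida-gumjs/libs/Win32`文件夹 20 | 2. 前往 [Frida](https://github.com/frida/frida/releases/tag/16.2.1) 下载名称为 `frida-gumjs-devkit-X.X.X-windows-X.tar.xz` 的压缩包 21 | 3. 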
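根据所下载的架构类型将`frida-gumjs.lib`解压放入所对应的文件夹 22 | 4. 使用 [vcpkg](https://github.com/microsoft/vcpkg) 自动化编译安装其他库, 在项目目录内使用命令`vcpkg install`安装/打开VS编译时会附带一同进行编译,手动下载并编译可通过下面的命令 23 | 24 | ```bash 25 | vcpkg install jsoncpp:x86-windows jsoncpp:x64-windows curl:x86-windows curl:x64-windows 26 | ``` 27 | 28 | *Tips: 如不需要编译32位的,可以去除对应的安装指令* 29 | 30 | 31 | 32 | **如何使用?** 33 | 34 | 方式一、通过导入表修改工具,编译的文件`Lingc.dll`添加到`wrapper.node`的导入项目中,并且移动`Lingc.dll`到`wrapper.node`所在目录(所依赖Dll也需要,如已存在请忽略) 35 | 36 | 方式二、通过劫持文件,如`version.dll`来实现注入。同样需要移动文件以及其依赖,但需注意并非所有NTQQ的进程都加载`wrapper.node`,需要自行编写代码进行判断。具体可[参考](https://github.com/LiteLoaderQQNT/QQNTFileVerifyPatch/tree/DLLHijackMethod) 37 | -------------------------------------------------------------------------------- /dist/9.9.0-14569.js: --------------------------------------------------------------------------------
/**
 * GumJS script for wrapper.node. Every offset below is tied to the build named
 * in this file's name (9.9.0-14569); on any other build they point at
 * unrelated code.
 *
 * The hooks read arguments from ecx/edx, i.e. they assume a 32-bit x86
 * process.
 *
 * What leaves the process: each record contains raw key material, IVs, tags
 * and plaintext/ciphertext as hex. Records are POSTed as JSON over plain,
 * unauthenticated HTTP to the loopback endpoint below, so whatever local
 * process is listening on that port receives them. Treat the listener and
 * anything it stores as holding session secrets.
 */

// Destination of every record; passed unchanged to the PrintLog export.
const LOG_ENDPOINT = "http://127.0.0.1:8888/";

// Resolved on first use so the export lookup is not repeated for every record.
let printLogNative = null;

/**
 * Serialises `value` to JSON and hands it to the `PrintLog` export of
 * Lingc.dll. Does nothing when the export cannot be found.
 *
 * The native side performs a synchronous POST with a 200 ms timeout, so the
 * hooked thread can block that long per record.
 *
 * @param {object} value - record to send
 */
function PrintLog (value) {
  if (printLogNative === null) {
    const printLogPtr = Module.findExportByName('Lingc.dll', 'PrintLog');
    if (!printLogPtr) {
      return;
    }
    printLogNative = new NativeFunction(printLogPtr, 'int', ['pointer', 'pointer']);
  }
  // Hold both allocations in locals so they stay alive for the whole call.
  const url = Memory.allocAnsiString(LOG_ENDPOINT);
  // The native side labels the body as UTF-8; an ANSI allocation would encode
  // non-ASCII text (the "失败" marker below) in the system code page instead.
  const body = Memory.allocUtf8String(JSON.stringify(value));
  printLogNative(url, body);
}

const wrapper = Module.findBaseAddress("wrapper.node");
if (wrapper === null) {
  // Not every process of the host loads wrapper.node; fail with a clear
  // message instead of a TypeError on the first wrapper.add().
  throw new Error("wrapper.node is not loaded in this process");
}

/**
 * Lowercase hex encoding of an ArrayBuffer, two digits per byte.
 *
 * @param {ArrayBuffer|null} arrayBuffer
 * @returns {string} empty string for an empty or null buffer
 */
function bytesToHex(arrayBuffer) {
  const bytes = new Uint8Array(arrayBuffer);
  const hex = [];
  for (let i = 0; i < bytes.length; i++) {
    hex.push(bytes[i].toString(16).padStart(2, '0'));
  }
  return hex.join("");
}

/**
 * Reads the bytes between the pointer stored at `pair` and the pointer stored
 * at `pair + 4`.
 * NOTE(review): this looks like a begin/end pointer pair (std::vector-style
 * layout) — inferred from how the hooks read it, confirm against the binary.
 *
 * @param {NativePointer} pair
 * @returns {ArrayBuffer|null}
 */
function readPointerSpan(pair) {
  const begin = pair.readPointer();
  const size = pair.add(0x4).readPointer().sub(begin).toInt32();
  return begin.readByteArray(size);
}

/**
 * Attaches one AES hook. On entry it captures the 12-byte IV (via args[0]),
 * the 32-byte key (via edx) and the input span (via ecx); on return it reads
 * the output span (args[2]) and the 16-byte tag (via args[1]) and logs one
 * record whose first key is `label`.
 *
 * @param {number} offset - offset of the function inside wrapper.node
 * @param {string} label - "AES_encrypt" or "AES_decrypt"
 */
function attachAesHook(offset, label) {
  Interceptor.attach(wrapper.add(offset), {
    // Regular functions on purpose: Frida binds `this` to the invocation.
    onEnter: function (args) {
      this.out1 = args[1];
      this.out2 = args[2];
      this.iv = args[0].readPointer().readByteArray(0xc);
      this.key = this.context.edx.readPointer().readByteArray(0x20);
      this.data = readPointerSpan(this.context.ecx);
    },
    onLeave: function (retval) {
      PrintLog({
        [label]: bytesToHex(this.data),
        "result": bytesToHex(readPointerSpan(this.out2)),
        "key": bytesToHex(this.key),
        // The trailing colon is part of the emitted key; kept so existing
        // receivers keep working.
        "iv:": bytesToHex(this.iv),
        "tag": bytesToHex(this.out1.readPointer().readByteArray(0x10))
      });
    }
  });
}

/**
 * Attaches one TEA hook. On entry it captures the input (ecx, length in edx)
 * and the 16-byte key (args[0]); on return it logs the output buffer, or the
 * marker "失败" when the function returned 0.
 *
 * @param {number} offset - offset of the function inside wrapper.node
 * @param {string} label - "Tea_encrypt" or "Tea_decrypt"
 * @param {number} outBufIndex - argument index of the output buffer
 * @param {number} outLenIndex - argument index of the pointer to the output length
 */
function attachTeaHook(offset, label, outBufIndex, outLenIndex) {
  Interceptor.attach(wrapper.add(offset), {
    onEnter: function (args) {
      this.data = this.context.ecx.readByteArray(this.context.edx.toInt32());
      this.key = args[0].readByteArray(0x10);
      this.out1 = args[outBufIndex];
      this.out2 = args[outLenIndex];
    },
    onLeave: function (retval) {
      const failed = retval.isNull();
      PrintLog({
        [label]: bytesToHex(this.data),
        "result": failed
          ? "失败"
          : bytesToHex(this.out1.readByteArray(this.out2.readU32())),
        "key": bytesToHex(this.key)
      });
    }
  });
}

// ECC public key export
Interceptor.attach(wrapper.add(0x1FACE50), {
  onEnter: function (args) {
    this.outPublic = args[1];
    this.outPublicLength = args[2];
  },
  onLeave: function (retval) {
    // Never read more than the smaller of the buffer length and the return value.
    const length = Math.min(this.outPublicLength.toInt32(), retval.toInt32());
    if (length < 0) {
      // presumably an error return — nothing valid to read; TODO confirm
      return;
    }
    const pubKey = this.outPublic.readByteArray(length);
    PrintLog({"publicKey": bytesToHex(pubKey)});
  }
});

// ECDH key agreement
Interceptor.attach(wrapper.add(0x1FBD820), {
  onEnter: function (args) {
    this.outShare = this.context.ecx;
  },
  onLeave: function (retval) {
    const shaKey = this.outShare.readByteArray(retval.toInt32());
    PrintLog({"shareKey": bytesToHex(shaKey)});
  }
});

// B1F6D0
// AES encryption
attachAesHook(0xC5F4E0, "AES_encrypt");

// B1FB30
// AES decryption
attachAesHook(0xC5F900, "AES_decrypt");

// TEA encryption (business traffic)
attachTeaHook(0x1F4FC00, "Tea_encrypt", 2, 3);
// TEA decryption (business traffic). The original logged these records under
// "Tea_encrypt", which made them indistinguishable from the hook above.
attachTeaHook(0x1F4FEE0, "Tea_decrypt", 2, 3);
// TEA encryption (QR-code login)
attachTeaHook(0xC5DC60, "Tea_encrypt", 1, 2);
// TEA decryption (QR-code login)
attachTeaHook(0xC5DFD0, "Tea_decrypt", 1, 2);
-------------------------------------------------------------------------------- /vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": [ 3 | "curl", 4 | "jsoncpp" 5 | ] 6 | } 7 | --------------------------------------------------------------------------------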