Support for WMPF version 19881 #218

Description

@haoyueding26-sys

WMPF Version

19881

WMPF Path

C:\Users\23093\AppData\Roaming\Tencent\xwechat\xplugin\plugins\RadiumWMPF\19881\extracted\runtime

Description

WMPF 19881 is not in the supported version list. I tried adapting it manually using the instructions in ADAPTATION.md.

Findings

CDPFilterHookOffset: Found the correct offset at 0x30A8DF0 by matching byte patterns from 19841. The CDPFilter hook loads successfully with this offset.

LoadStartHookOffset: Found the function at 0x25CE168 using wildcard byte pattern matching against the 19841 function. The bytes match:

8b 13 4c 8b 43 08 48 89 f1 e8 fa fe d3 01 48 8d 15 6b bc 63 08 41 b8 02 00 00 00 48 89 c1 e8 e5 fe d3 01 48 8d 15 36 10 c0 08 41 b8 0d 00 00 00

Error

When trying to hook LoadStart with Interceptor.attach, Frida reports:

Error: unable to intercept function at 00007FFDFCEEE168; please file a bug

This error occurs in all WeChatAppEx.exe processes (parent and children). The function appears to be protected by CET/IBT (Control-flow Enforcement Technology).

The CDPFilter hook works fine:

[hook] CDPFilter hook: SUCCESS

Proposed Config

{
    "Version": 19881,
    "LoadStartHookOffset": "0x25CE168",
    "CDPFilterHookOffset": "0x30A8DF0",
    "SceneOffsets": [64, 1408, 8, 1344, 16, 456]
}

The SceneOffsets are copied from 19841 as I could not verify them without a working LoadStart hook.

Environment

  • OS: Windows 11 Enterprise 10.0.26200
  • Node.js: v24.15.0
  • frida: 17.3.2
  • WeChat PC version: latest (auto-updates to WMPF 19881)
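
The wildcard byte-pattern matching described in the issue, as an added example that is not part of the original post or the project's code: it masks the rel32/disp32 operands in the quoted bytes, which change between builds, and accepts a candidate offset only when the masked signature matches exactly once. The instruction table, the function names and the uniqueness check are assumptions made for illustration.

```javascript
// Signature bytes are the ones quoted in the issue; everything else here
// (instruction table, helper names) is constructed for this example.
const SIG =
  "8b 13 4c 8b 43 08 48 89 f1 e8 fa fe d3 01 48 8d 15 6b bc 63 08 41 b8 02 00 00 00 48 89 c1 e8 e5 fe d3 01 48 8d 15 36 10 c0 08 41 b8 0d 00 00 00";

// Encodings that occur in SIG: opcode prefix, total length, and how many
// trailing bytes are a build-specific 32-bit displacement to wildcard.
const FORMS = [
  { op: "e8", len: 5, wild: 4 },       // call rel32
  { op: "48 8d 15", len: 7, wild: 4 }, // lea rdx, [rip+disp32]
  { op: "41 b8", len: 6, wild: 0 },    // mov r8d, imm32 (constant, kept)
  { op: "4c 8b 43", len: 4, wild: 0 }, // mov r8, [rbx+disp8]
  { op: "48 89", len: 3, wild: 0 },    // mov r64, r64 (register form only)
  { op: "8b 13", len: 2, wild: 0 },    // mov edx, [rbx]
];

// Walk SIG one instruction at a time (assumes it starts on an instruction
// boundary) and replace displacement bytes with "??".
function maskDisplacements(sig) {
  const b = sig.toLowerCase().trim().split(/\s+/);
  const out = [];
  for (let i = 0; i < b.length; ) {
    const f = FORMS.find((x) => b.slice(i).join(" ").startsWith(x.op));
    if (!f || i + f.len > b.length) throw new Error(`unknown encoding at byte ${i}`);
    for (let k = 0; k < f.len; k++) out.push(k >= f.len - f.wild ? "??" : b[i + k]);
    i += f.len;
  }
  return out.join(" ");
}

// Return every offset in buf where the wildcard pattern matches.
function findAll(buf, pattern) {
  const p = pattern.split(" ").map((t) => (t === "??" ? -1 : parseInt(t, 16)));
  const hits = [];
  for (let o = 0; o + p.length <= buf.length; o++) {
    if (p.every((v, k) => v === -1 || buf[o + k] === v)) hits.push(o);
  }
  return hits;
}

// Accept a candidate offset only when the signature matches exactly once.
function uniqueOffset(buf, pattern) {
  const hits = findAll(buf, pattern);
  if (hits.length !== 1) throw new Error(`expected 1 match, got ${hits.length}`);
  return hits[0];
}

console.log(maskDisplacements(SIG));
```

The masked string uses the `??` wildcard form that Frida's `Memory.scan` accepts.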
