## macOS: Getting the WeChat Login QR Code
### 0. Preface
------
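> The articles I publish are for study and research purposes only; the content above must not be used for commercial or illegal purposes, otherwise the user bears all consequences. If there is any infringement, please contact me and I will remove it.

This article walks through obtaining the WeChat login QR code and saving it as an image.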
### 1. WeChat version
------
![](https://gitee.com/ekukuku/docimg/raw/master/20210217102642.png)
### 2. Analysis
------
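The previous article already showed how to dump WeChat's header files, so that is not repeated here.
To get the login QR code we take the same approach as in the previous article and locate the relevant code by keyword: Login for login and QR for the QR code. Start by filtering the dumped headers and see what comes up.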
```shell
# n @ localhost in ~/vscodewsp/wechat/dump
$ ll -l|grep Login|wc -l
48
```
There are 48 login-related files. Now add QR to the filter as well:
```shell
# n @ localhost in ~/vscodewsp/wechat/dump
$ ll -l|grep Login|grep QR|wc -l
10
# n @ localhost in ~/vscodewsp/wechat/dump
$ ll -l|grep Login|grep QR
-rw-r--r--  1 n  staff   1.7K  2 15 19:19 CheckLoginQRCodeRequest.h
-rw-r--r--  1 n  staff   1.0K  2 15 19:19 CheckLoginQRCodeResponse.h
-rw-r--r--  1 n  staff   2.8K  2 15 19:19 GetLoginQRCodeRequest.h
-rw-r--r--  1 n  staff   2.6K  2 15 19:19 GetLoginQRCodeResponse.h
-rw-r--r--  1 n  staff   3.1K  2 15 19:19 LoginQRCodeNotify.h
-rw-r--r--  1 n  staff   977B  2 15 19:19 LoginQRCodeNotifyPkg.h
-rw-r--r--  1 n  staff   2.2K  2 15 19:19 MMLoginQRCodeViewController.h
-rw-r--r--  1 n  staff   2.4K  2 15 19:19 QRCodeLoginCGI.h
-rw-r--r--  1 n  staff   982B  2 15 19:19 QRCodeLoginInfo.h
-rw-r--r--  1 n  staff   1.7K  2 15 19:19 QRCodeLoginLogic.h
```
That leaves only 10. But what if we still cannot tell which file it is? Start frida and continue the analysis at runtime by running the following command:
`frida-trace -m "-[*Login* *QR*]" 微信`
```shell
# n @ localhost in ~/vscodewsp/wechat
$ frida-trace -m "-[*Login* *QR*]" 微信
Instrumenting...
-[MMLoginQRCodeViewController showLoadingQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginQRCodeViewController/showLoadingQRCode.js"
-[MMLoginQRCodeViewController updateQRCodeImage:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginQRCodeViewController/updateQRCodeImage_.js"
-[MMLoginStateMachine setStateLoadingQRCode:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setStateLoadingQRCode_.js"
-[MMLoginStateMachine setStateWaittingRefreshQRCode:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setStateWaittingRefreshQRCode_.js"
-[MMLoginStateMachine setStateShowingQRCode:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setStateShowingQRCode_.js"
-[MMLoginStateMachine stateLoadingQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/stateLoadingQRCode.js"
-[MMLoginStateMachine stateWaittingRefreshQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/stateWaittingRefreshQRCode.js"
-[MMLoginStateMachine stateShowingQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/stateShowingQRCode.js"
-[MMLoginStateMachine setUseQRCodeLogin:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setUseQRCodeLogin_.js"
-[MMLoginStateMachine setLoadQRCodeSucc:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setLoadQRCodeSucc_.js"
-[MMLoginStateMachine setLoadQRCodeFailed:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setLoadQRCodeFailed_.js"
-[MMLoginStateMachine setRefreshQRCode:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setRefreshQRCode_.js"
-[MMLoginStateMachine setConfirmQRCodeLogIn:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/setConfirmQRCodeLogIn_.js"
-[MMLoginStateMachine useQRCodeLogin]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/useQRCodeLogin.js"
-[MMLoginStateMachine loadQRCodeSucc]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/loadQRCodeSucc.js"
-[MMLoginStateMachine loadQRCodeFailed]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/loadQRCodeFailed.js"
-[MMLoginStateMachine refreshQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/refreshQRCode.js"
-[MMLoginStateMachine confirmQRCodeLogIn]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginStateMachine/confirmQRCodeLogIn.js"
-[MMLoginViewController onRefreshQRLoginStateIfNeeded]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginViewController/onRefreshQRLoginStateIfNeeded.js"
-[MMLoginViewController setupQRCodeLogic]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginViewController/setupQRCodeLogic.js"
-[MMLoginViewController getQRCodeViewController]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginViewController/getQRCodeViewController.js"
-[MMLoginViewController setupQRCodeEvents]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/MMLoginViewController/setupQRCodeEvents.js"
-[QRCodeLoginCGI checkQRCodeTimer]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/checkQRCodeTimer.js"
-[QRCodeLoginCGI setCheckQRCodeTimer:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/setCheckQRCodeTimer_.js"
-[QRCodeLoginCGI stopCheckQRCodeTimer]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/stopCheckQRCodeTimer.js"
-[QRCodeLoginCGI stopQRCodeExpireTimer]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/stopQRCodeExpireTimer.js"
-[QRCodeLoginCGI checkLoginQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/checkLoginQRCode.js"
-[QRCodeLoginCGI didExpiredQRCodeLoginCGIBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/didExpiredQRCodeLoginCGIBlock.js"
-[QRCodeLoginCGI didCancelQRCodeLoginCGIBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/didCancelQRCodeLoginCGIBlock.js"
-[QRCodeLoginCGI didScannedQRCodeLoginCGIBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/didScannedQRCodeLoginCGIBlock.js"
-[QRCodeLoginCGI didConfirmedQRCodeLoginCGIBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/didConfirmedQRCodeLoginCGIBlock.js"
-[QRCodeLoginCGI getQRCodeWithCompletion:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/getQRCodeWithCompletion_.js"
-[QRCodeLoginCGI setDidScannedQRCodeLoginCGIBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/setDidScannedQRCodeLoginCGIBlock_.js"
-[QRCodeLoginCGI setDidConfirmedQRCodeLoginCGIBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/setDidConfirmedQRCodeLoginCGIBlock_.js"
-[QRCodeLoginCGI setDidCancelQRCodeLoginCGIBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/setDidCancelQRCodeLoginCGIBlock_.js"
-[QRCodeLoginCGI setDidExpiredQRCodeLoginCGIBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginCGI/setDidExpiredQRCodeLoginCGIBlock_.js"
-[QRCodeLoginLogic setupQRCodeCGI]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setupQRCodeCGI.js"
-[QRCodeLoginLogic didScannedQRCodeLoginLogicBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/didScannedQRCodeLoginLogicBlock.js"
-[QRCodeLoginLogic didConfirmQRCodeLoginLogicBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/didConfirmQRCodeLoginLogicBlock.js"
-[QRCodeLoginLogic didCancelQRCodeLoginLogicBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/didCancelQRCodeLoginLogicBlock.js"
-[QRCodeLoginLogic didExpiredQRCodeLoginLogicBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/didExpiredQRCodeLoginLogicBlock.js"
-[QRCodeLoginLogic getQRCode]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/getQRCode.js"
-[QRCodeLoginLogic didGetQRCodeLoginLogicBlock]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/didGetQRCodeLoginLogicBlock.js"
-[QRCodeLoginLogic setDidGetQRCodeLoginLogicBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setDidGetQRCodeLoginLogicBlock_.js"
-[QRCodeLoginLogic setDidScannedQRCodeLoginLogicBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setDidScannedQRCodeLoginLogicBlock_.js"
-[QRCodeLoginLogic setDidConfirmQRCodeLoginLogicBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setDidConfirmQRCodeLoginLogicBlock_.js"
-[QRCodeLoginLogic setDidCancelQRCodeLoginLogicBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setDidCancelQRCodeLoginLogicBlock_.js"
-[QRCodeLoginLogic setDidExpiredQRCodeLoginLogicBlock:]: Loaded handler at "/Users/n/vscodewsp/wechat/__handlers__/QRCodeLoginLogic/setDidExpiredQRCodeLoginLogicBlock_.js"
Started tracing 48 functions. Press Ctrl+C to stop.
```
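You can see that 48 methods were hooked. Now quit WeChat, then start it again so that it fetches the login QR code, and see what gets called.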
```shell
15336 ms-
15336 ms-
15336 ms | -
15336 ms | -
15336 ms | -
15336 ms-
15336 ms-
15336 ms-
15336 ms-
15340 ms-
15342 ms-
15342 ms-
15342 ms-
15342 ms | -
15343 ms | | -
15343 ms | | -
15343 ms | | -
15343 ms | | -
15343 ms | -
15343 ms | | -
15343 ms | | | -
15431 ms-
15431 ms-
15432 ms-
15432 ms-
15432 ms-
15432 ms-
15432 ms | -
15432 ms-
```
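Many of the methods were called, so now they need to be analysed. After going through them, **updateQRCodeImage** stands out and catches our attention, so we edit the handler for this method to hook it.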
```js
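// Add inside onEnter(log, args, state) in __handlers__/MMLoginQRCodeViewController/updateQRCodeImage_.js
// args[0] is self and args[1] is the selector, so the method's first argument is args[2]
console.log("Type of arg -> " + new ObjC.Object(args[2]).$className)
console.log("Type of arg -> " + new ObjC.Object(args[2]))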
```
Add the two lines above to check the argument type, run the command again, then quit and restart WeChat and look at the output:
`frida-trace -m "-[*Login* *QR*]" 微信`
This gives the following output:
```
Type of arg -> NSImage
Type of arg -> <NSImage 0x6000033a8640 Size={185, 185} RepProvider=<NSImageArrayRepProvider: 0x60000079e3a0, reps:(
"NSBitmapImageRep 0x600002db7e20 Size={185, 185} ColorSpace=(not yet loaded) BPS=8 BPP=(not yet loaded) Pixels=185x185 Alpha=YES Planar=NO Format=(not yet loaded) CurrentBacking=nil (faulting) CGImageSource=0x60000040cde0"
)>>
```
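The type is NSImage, so at this point we are basically done. It is just an image object, and all we need to do is save the image to disk. Add the following code: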
```js
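// Add inside onEnter(log, args, state); args[2] is the NSImage passed to updateQRCodeImage:
var nSImage = new ObjC.Object(args[2]);
// TIFFRepresentation returns NSData holding TIFF-encoded bytes, so the file content is TIFF despite the .png name
var data = nSImage.TIFFRepresentation();
var qrfile = new File("/Users/n/Downloads/qr.png", "wb");
// NativePointer.readByteArray replaces the older Memory.readByteArray(ptr, len) form
qrfile.write(data.bytes().readByteArray(data.length()));
qrfile.flush();
qrfile.close();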
```
Then run it again and check whether the file gets generated, as shown below.
![](https://gitee.com/ekukuku/docimg/raw/master/20210217104610.png)
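### End of article

Thanks for sharing, OP. Learned something!
Thanks for sharing, OP! Thanks for sharing the approach, OP. So it can be obtained this way too, excellent! Great approach. Thanks, OP. Learned something. Many thanks for sharing. Impressive, impressive. So WeChat for Mac is written in Objective-C. So that's how it is. Thanks, OP, learned something!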
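The save step in the post above writes the bytes returned by `TIFFRepresentation` to a file named `qr.png`, so the file on disk is TIFF data, not PNG. As an added example (not part of the original post; it runs under Node.js rather than inside Frida, and the sample bytes are constructed), this identifies a dumped file's real format from its magic bytes and reads the TIFF width and height, which should match the 185x185 size shown in the NSImage output.

```javascript
// Added example, not from the original post. Runs under Node.js, not inside Frida.
// Reports what an image file really contains and, for TIFF, its pixel size.
function sniffImage(buf) {
  const PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG)) return { format: "png" };
  if (buf.length < 8) return { format: "unknown" };

  // TIFF header: byte order ("II" little-endian, "MM" big-endian), magic 42, IFD offset
  const order = buf.toString("latin1", 0, 2);
  if (order !== "II" && order !== "MM") return { format: "unknown" };
  const le = order === "II";
  const u16 = (o) => (le ? buf.readUInt16LE(o) : buf.readUInt16BE(o));
  const u32 = (o) => (le ? buf.readUInt32LE(o) : buf.readUInt32BE(o));
  if (u16(2) !== 42) return { format: "unknown" };

  const info = { format: "tiff", width: null, height: null };
  const ifd = u32(4);
  if (ifd + 2 > buf.length) return info; // truncated file: format known, size not
  const count = u16(ifd);
  for (let i = 0; i < count; i++) {
    const e = ifd + 2 + i * 12; // each IFD entry is 12 bytes
    if (e + 12 > buf.length) break;
    const tag = u16(e), type = u16(e + 2);
    // SHORT (3) is left-justified in the 4-byte value field; LONG (4) fills it
    const value = type === 3 ? u16(e + 8) : type === 4 ? u32(e + 8) : null;
    if (tag === 256) info.width = value;  // ImageWidth
    if (tag === 257) info.height = value; // ImageLength
  }
  return info;
}

// Constructed sample: minimal little-endian TIFF header plus a 2-entry IFD, 185x185
function buildSampleTiff() {
  const b = Buffer.alloc(8 + 2 + 2 * 12 + 4);
  b.write("II", 0, "latin1");
  b.writeUInt16LE(42, 2);
  b.writeUInt32LE(8, 4);  // first IFD starts right after the header
  b.writeUInt16LE(2, 8);  // two entries
  b.writeUInt16LE(256, 10); b.writeUInt16LE(3, 12); b.writeUInt32LE(1, 14); b.writeUInt16LE(185, 18);
  b.writeUInt16LE(257, 22); b.writeUInt16LE(4, 24); b.writeUInt32LE(1, 26); b.writeUInt32LE(185, 30);
  return b; // next-IFD offset at byte 34 stays 0
}
```

To check a real dump, pass `require("fs").readFileSync("/Users/n/Downloads/qr.png")` to `sniffImage`.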