申请会员ID:dlmlzz6【申请通过】
1、申 请 I D :dlmlzz62、个人邮箱:dlmlzz6@qq.com
3、原创技术文章:CSDN博客http://blog.csdn.net/dlmlzz09本人专注于iOS的App开发,有多款作品,自己本人也有1个app《摄影神器》在Appstore上,地址https://itunes.apple.com/cn/app/id1210244471?mt=8也涉足过cocos2dx游戏开发,最近在做iOS的App Hook开发,希望能加入吾爱破解,互相学习提高。下面是破解iOS版微信自动抢红包的分析过程和代码。
原理Objective-C 是一门动态语言,我们可以利用OC的Runtime动态的替换App原有的函数,来达到我们(不可告人)的目的。OC 中对某个对象的方法的调用并不像 C++ 一样直接取得方法的实现的偏移值来调用,所以 C++ 方法与实现的关系在编译时就可确定。而 OC 中方法和实现的关系是在运行时决定的。在调用某个对象的方法时,实际上是调用了 obj_msgsend 向对象发送一个名称为方法名的消息,而我们可以替换这个响应这个消息的实现内容。OC 中比较有力的动态特性 Method Swizzing 就是建立在这个基础之上。
简单来说就是以下三句代码:Method originalMethod = class_getInstanceMethod(theClass, originalSelector); Method newMethod = class_getInstanceMethod(theClass, newSelector); method_exchangeImplementations(originalMethod, newMethod);
[*]1
[*]2
[*]3
[*]1
[*]2
[*]3
这样一来,原来调用originalSelector函数,都会指向我们的newSelector函数,以此实现HOOK。第1步:砸壳首先ssh连上越狱iOS设备,执行ps -e查找微信的app地址
http://img.blog.csdn.net/20170316102459295?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvZGxtbHp6MDk=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast
这里的app路径是/var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChat,记下来先。
然后进入Cycript,查找出微信的Documents目录
http://img.blog.csdn.net/20170316103004579?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvZGxtbHp6MDk=/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast
把这个路径记下来/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents/
然后退出cycript,cd到documents目录下,执行以下命令:adminde-iPhone:~ root# adminde-iPhone:/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChatmach-o decryption dumperDISCLAIMER: This tool is only meant for security research purposes, not for application crackers.[+] detected 32bit ARM binary in memory.[+] offset to cryptid found: @0xd7a4c(from 0xd7000) = a4c[+] Found encrypted data at address 00004000 of length 49463296 bytes - type 1.[+] Opening /private/var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChat for reading.[+] Reading header[+] Detecting header type[+] Executable is a FAT image - searching for right architecture[+] Correct arch is at offset 16384 in the file[+] Opening WeChat.decrypted for writing.[+] Copying the not encrypted start of the file[+] Dumping the decrypted data into the file[+] Copying the not encrypted remainder of the file[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c[+] Closing original file[+] Closing dump fileadminde-iPhone:/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents root# ls WeChat.decrypted
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
WeChat.decrypted文件就是我们砸壳后的二进制文件,我们可以拷贝到Mac上,各种工具都可以用上了。第2步:导出头文件使用class-dump,将我们砸壳出来的二进制文件的头文件导出来:admindeMac-mini:微信6.5.5 admin$ class-dump --arch armv7-s -S -H WeChat.decrypted -o headers/admindeMac-mini:微信6.5.5 admin$ ls headers/AAAlertItem.hAACloseNotifyReq.hAACloseNotifyRes.hAACloseReq.hAACloseRes.hAALaunchByMoneyReq.hAALaunchByMoneyRes.hAALaunchByPersonReq.hAALaunchByPersonRes.hAALaunchItem.hAAListRecord.hAAOperationReq.hAAOperationRes.hAAPayReq.hAAPayRes.h
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
可以看到微信的头文件有8500多个(汗),如此茫茫代码海出如何找出我们需要的那一部分呢?第2步:精准定位我们想要HOOK的代码iOS开发是遵循MVC模式的,所以我们需要找到这个M模型层来找到我需要的业务逻辑代码。抢红包的原理是通过截取微信收到了红包消息,然后直接调用打开红包的接口来实现自动抢红包。
通过查找发现CMessageMgr这个类就是用来管理各种消息的,查看CMessageMgr.h头文件- (void)AddAppMsg:(id)arg1 MsgWrap:(id)arg2 Data:(id)arg3 Scene:(unsigned long)arg4;- (void)AddAppMsg:(id)arg1 MsgWrap:(id)arg2 DataPath:(id)arg3 Scene:(unsigned long)arg4;- (BOOL)AddBackupMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddEmoticonMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddFloatBottle:(id)arg1 MsgWrap:(id)arg2;- (void)AddHelloMsg:(id)arg1 MsgWrap:(id)arg2 HelloUser:(id)arg3 OpCode:(unsigned long)arg4 DES:(unsigned long)arg5 checkCreateTime:(BOOL)arg6 status:(unsigned long)arg7;- (void)AddHelloMsgList:(id)arg1 MsgList:(id)arg2;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2 fixTime:(BOOL)arg3 NewMsgArriveNotify:(BOOL)arg4;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2 fixTime:(BOOL)arg3 NewMsgArriveNotify:(BOOL)arg4 Unique:(BOOL)arg5;- (void)AddMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddMsgPattern:(id)arg1;- (void)AddPimMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddRecordMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddShortVideoLocalMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3 MsgType:(unsigned long)arg4;- (void)AddShortVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3;- (void)AddUniqueLocalMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3;- (void)AddVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3 MsgType:(unsigned long)arg4;- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnAddMsgForSession:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnAddMsgForSession:(id)arg1 MsgWrap:(id)arg2 NewMsgArriveNotify:(BOOL)arg3;- (void)AsyncOnAddMsgListForSession:(id)arg1 NotifyUsrName:(id)arg2;- (void)AsyncOnCheckQQ;- (void)AsyncOnDelMsg:(id)arg1;- (void)AsyncOnDelMsg:(id)arg1 DelAll:(BOOL)arg2;- (void)AsyncOnDelMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnModMsg:(id)arg1 MsgWrap:(id)arg2;
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
[*]25
[*]26
[*]27
[*]28
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
[*]25
[*]26
[*]27
[*]28
通过猜想假设,再加上编写Tweak脚本测试,发现我们想要的接受消息的函数是AsyncOnAddMsg这个函数。找到接受消息的函数后接下来,我们要找打开红包的函数。
在头文件目录下搜索OpenRedEnvelopegrep -nR 'OpenRedEnvelope' ././/WCAtomicRedEnvReceiveHomeView.h:15: UIButton *m_oOpenRedEnvelopesButton;.//WCAtomicRedEnvReceiveHomeView.h:31:- (void)OnOpenRedEnvelopes;.//WCAtomicRedEnvReceiveHomeViewDelegate-Protocol.h:12:- (void)WCAtomicRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCFestivalRedEnvFinishView.h:28:- (void)OnOpenRedEnvelopes;.//WCFestivalRedEnvReceiveHomeView.h:31:- (void)OnOpenRedEnvelopes;.//WCFestivalRedEnvReceiveHomeViewDelegate-Protocol.h:12:- (void)WCFestivalRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCFestivalRedEnvShareView.h:28:- (void)OnOpenRedEnvelopes;.//WCRedEnvelopesControlData.h:31: NSDictionary *m_structDicAfterOpenRedEnvelopesInfo;.//WCRedEnvelopesControlData.h:49:@property(retain, nonatomic) NSDictionary *m_structDicAfterOpenRedEnvelopesInfo; // @synthesize m_structDicAfterOpenRedEnvelopesInfo;.//WCRedEnvelopesEnterpriseControlLogic.h:39:- (void)WCFestivalRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCRedEnvelopesGreetingReceiveControlLogic.h:37:- (void)OnOpenRedEnvelopesRequest:(id)arg1 Error:(id)arg2;.//WCRedEnvelopesGreetingReceiveControlLogic.h:52:- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;.//WCRedEnvelopesLogicMgr.h:42:- (void)OpenRedEnvelopesRequest:(id)arg1;
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
我们猜想WCRedEnvelopesLogicMgr.h里面的OpenRedEnvelopesRequest函数就是我们要找的目标函数,经常反复的测试和验证,这个函数确实是我们要的打开红包的函数。第3步:写代码完成开发经历了以上分析和验证的过程,写代码对于HOOK来说反而是很简单的水到渠成。具体抢红包的代码如下:@class CMessageMgr;CHDeclareClass(CMessageMgr);CHOptimizedMethod(2, self, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) { CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2); Ivar uiMessageTypeIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_uiMessageType"); ptrdiff_t offset = ivar_getOffset(uiMessageTypeIvar); unsigned char *stuffBytes = (unsigned char *)(__bridge void *)arg2; NSUInteger m_uiMessageType = * ((NSUInteger *)(stuffBytes + offset)); Ivar nsFromUsrIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_nsFromUsr"); id m_nsFromUsr = object_getIvar(arg2, nsFromUsrIvar); Ivar nsContentIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_nsContent"); id m_nsContent = object_getIvar(arg2, nsContentIvar); switch(m_uiMessageType) { case 1: { } break; case 49: { // 49=红包 //微信的服务中心 Method methodMMServiceCenter = class_getClassMethod(objc_getClass("MMServiceCenter"), @selector(defaultCenter)); IMP impMMSC = method_getImplementation(methodMMServiceCenter); id MMServiceCenter = impMMSC(objc_getClass("MMServiceCenter"), @selector(defaultCenter)); //红包控制器 id logicMgr = ((id (*)(id, SEL, Class))objc_msgSend)(MMServiceCenter, @selector(getService:), objc_getClass("WCRedEnvelopesLogicMgr")); //通讯录管理器 id contactManager = ((id (*)(id, SEL, Class))objc_msgSend)(MMServiceCenter, @selector(getService:),objc_getClass("CContactMgr")); Method methodGetSelfContact = class_getInstanceMethod(objc_getClass("CContactMgr"), @selector(getSelfContact)); IMP impGS = method_getImplementation(methodGetSelfContact); id selfContact = impGS(contactManager, @selector(getSelfContact)); if ("wxpay://"].location != NSNotFound) { NSString *nativeUrl = m_nsContent; NSRange rangeStart = "wxpay://c2cbizmessagehandler/hongbao"]; if (rangeStart.location != NSNotFound) { NSUInteger locationStart = rangeStart.location; nativeUrl = ; } NSRange rangeEnd = "]]"]; if (rangeEnd.location != NSNotFound) { NSUInteger locationEnd = rangeEnd.location; nativeUrl = ; } NSString *naUrl = "wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length]]; NSArray *parameterPairs ="&"]; NSMutableDictionary *parameters = [NSMutableDictionary dictionaryWithCapacity:]; for (NSString *currentPair in parameterPairs) { NSRange range = "="]; if(range.location == NSNotFound) continue; NSString *key = .location]; NSString *value =.location + 1]; ; } //红包参数 NSMutableDictionary *params = [@{} mutableCopy]; "msgtype"]?:@"null" forKey:@"msgType"]; "sendid"]?:@"null" forKey:@"sendId"]; "channelid"]?:@"null" forKey:@"channelId"]; id getContactDisplayName = objc_msgSend(selfContact, @selector(getContactDisplayName)); id m_nsHeadImgUrl = objc_msgSend(selfContact, @selector(m_nsHeadImgUrl)); "nickName"]; "headImg"]; NSString stringWithFormat:@"%@", nativeUrl]?:@"null" forKey:@"nativeUrl"]; "null" forKey:@"sessionUserName"]; ((void (*)(id, SEL, NSMutableDictionary*))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params); return; } break; } default: break; }}
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
[*]25
[*]26
[*]27
[*]28
[*]29
[*]30
[*]31
[*]32
[*]33
[*]34
[*]35
[*]36
[*]37
[*]38
[*]39
[*]40
[*]41
[*]42
[*]43
[*]44
[*]45
[*]46
[*]47
[*]48
[*]49
[*]50
[*]51
[*]52
[*]53
[*]54
[*]55
[*]56
[*]57
[*]58
[*]59
[*]60
[*]61
[*]62
[*]63
[*]64
[*]65
[*]66
[*]67
[*]68
[*]69
[*]70
[*]71
[*]72
[*]73
[*]74
[*]75
[*]76
[*]77
[*]78
[*]79
[*]80
[*]81
[*]82
[*]83
[*]84
[*]85
[*]86
[*]87
[*]88
[*]89
[*]90
[*]91
[*]92
[*]93
[*]94
[*]1
[*]2
[*]3
[*]4
[*]5
[*]6
[*]7
[*]8
[*]9
[*]10
[*]11
[*]12
[*]13
[*]14
[*]15
[*]16
[*]17
[*]18
[*]19
[*]20
[*]21
[*]22
[*]23
[*]24
[*]25
[*]26
[*]27
[*]28
[*]29
[*]30
[*]31
[*]32
[*]33
[*]34
[*]35
[*]36
[*]37
[*]38
[*]39
[*]40
[*]41
[*]42
[*]43
[*]44
[*]45
[*]46
[*]47
[*]48
[*]49
[*]50
[*]51
[*]52
[*]53
[*]54
[*]55
[*]56
[*]57
[*]58
[*]59
[*]60
[*]61
[*]62
[*]63
[*]64
[*]65
[*]66
[*]67
[*]68
[*]69
[*]70
[*]71
[*]72
[*]73
[*]74
[*]75
[*]76
[*]77
[*]78
[*]79
[*]80
[*]81
[*]82
[*]83
[*]84
[*]85
[*]86
[*]87
[*]88
[*]89
[*]90
[*]91
[*]92
[*]93
[*]94
以上就是微信抢红包的分析和代码过程,采用的是越狱方式开发,打包的dylib动态链接库文件是直接注入到系统文件目录里面的。至于非越狱开发,要更复杂一点,涉及到原始app文件的解包,修改,添加动态链接库,然后再签名打包的一系列复杂过程。
复制过来的好乱啊,在博客发个贴说明这个帖子是本人申请的吧。 {:1_908:}编辑的时候显示好好的,CSDN我已发了个博文
http://blog.csdn.net/dlmlzz09/article/details/63688579 ID:dlmlzz6
邮箱:dlmlzz6@qq.com
申请通过,欢迎光临吾爱破解论坛,期待吾爱破解有你更加精彩,ID和密码自己通过邮件密码找回功能修改,请即时登陆并修改密码!
登陆后请在一周内在此帖报道,否则将删除ID信息。 感谢版主通过申请,在此报到! @Hmily 已经报道了
页:
[1]