吾爱破解 - 52pojie.cn

[iOS Original] About the shake window in iOS QQ 6.0

brack posted on 2015-12-3 23:09
I have just started with iOS reverse engineering and was eager to try it out. A friend happened to be giving me a headache by shaking my window endlessly, so I wanted to see whether iOS QQ can also shake without limit. Treat it as practice.
Of course, as a mere newbie I am only sharing my own learning process; experts, please don't flame me, mwah.

Tools required: Reveal, IDA, theos
QQ version: 6.0.0
Test environment: iOS 8.4, iPhone 5s
Note: QQ was installed from the App Store, decrypted (shell-stripped) in advance, and the header files were dumped.

First open the QQ chat screen, then open Reveal, select the iPhone and look at the controls of the QQ UI. Because the shake is only sent when the shake image is tapped, the response handler must be in the control's header file or in the Controller.
[Figure: 1.png]
The control class turns out to be QQRichControl, so let's go look at its header.
```objc
#import "UIButton.h"

#import "AvatarServiceDelegate.h"

@class NSString, UIImageView;

@interface QQRichControl : UIButton <AvatarServiceDelegate>
{
    NSString *_controlKey;
    unsigned long long _flag;
    id _userData;
    _Bool _shouldShowRedPoint;
    int _xo;
    NSString *_imageName;
    UIImageView *_redPoint;
}

+ (id)buttonWithFlag:(unsigned long long)arg1;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3;
+ (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3 userData:(id)arg4;
- (void)dealloc;
- (void)didLoadImage:(id)arg1 identity:(id)arg2 type:(int)arg3 size:(int)arg4 shape:(int)arg5 avatarInfo:(id)arg6;
- (struct CGRect)imageRectForContentRect:(struct CGRect)arg1;
- (id)initWithFrame:(struct CGRect)arg1;
- (void)loadImageWithImageName:(id)arg1 defaultImage:(id)arg2;
- (id)redPoint;
@property(nonatomic) _Bool shouldShowRedPoint; // @dynamic shouldShowRedPoint;
- (struct CGRect)titleRectForContentRect:(struct CGRect)arg1;

// Remaining properties
@property(retain, nonatomic) NSString *controlKey; // @dynamic controlKey;
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(nonatomic) unsigned long long flag; // @dynamic flag;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;
@property(retain, nonatomic) id userData; // @dynamic userData;

@end
```


QQRichControl inherits from UIButton, but nothing related to a tap shows up in its header, so let's look at the Controller's header instead.

[Figure: 2.png]

```objc
//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import "QQBaseChatViewController.h"

#import "GetTroopMemberProtocol.h"
#import "GetTroopRemarkProtocol.h"
#import "UIAlertViewDelegate.h"

@class NSDictionary, NSMutableArray, NSMutableDictionary, NSString, QC2CRoamMessageService, QCCallEntry, QQAIOTipModel, QQBlueTimer, QQEncounterChatSettingController, QQMessageModel, QQNetWorkTipsView, QQPublicAccountLoadingView, QQRichMsgPreviewDialog, UIActionSheet, UIActivityIndicatorView, UIButton, UILabel, UIProgressView, UIView;

@interface QQChatViewController : QQBaseChatViewController <UIAlertViewDelegate, GetTroopMemberProtocol, GetTroopRemarkProtocol>
{
    UIButton *_historyButton;
    UIButton *_voiceModal;
    UIButton *_cardButton;
    QQBlueTimer *timer;
    QQBlueTimer *processTimer;
    UIProgressView *progress;
    UIActivityIndicatorView *act;
    NSDictionary *Imagedict;
    NSMutableDictionary *identDic;
    _Bool ifint;
    _Bool KeyBoard;
    int _displayMsgCount;
    _Bool _flagMsgBarInfoGroup;
    int _flagMsgTmp;
    NSString *_flagMsgBarValueUin;
    _Bool _isReqVideActionSheetShow;
    _Bool _supportInterfaceRote;
    ............
}

- (void)ActionSelectVideoFromAlbum;
- (void)ActionShakeWindowMsg;
- (_Bool)Confirmation;
       ........

@end
```

I found a suspicious function: - (void)ActionShakeWindowMsg; "Shake" means to shake. (In fact, at first I wasn't sure it was this one either; I only confirmed it is the shake function after attaching lldb to QQ and hitting a breakpoint.)
In IDA, go to [QQChatViewController ActionShakeWindowMsg];


[Figure: 3.png]

```asm
__text:00000001003F3990                 MOV             X19, X0
__text:00000001003F3994                 BL              _CFAbsoluteTimeGetCurrent
__text:00000001003F3998                 ADRP            X8, #qword_10368B8F8@PAGE
__text:00000001003F399C                 LDR             D1, [X8,#qword_10368B8F8@PAGEOFF]
__text:00000001003F39A0                 FSUB            D1, D0, D1
__text:00000001003F39A4                 FCMP            D0, #0.0
__text:00000001003F39A8                 FMOV            D2, #10.0
__text:00000001003F39AC                 FCCMP           D1, D2, #8, PL
__text:00000001003F39B0                 B.MI            loc_1003F3C24
```


CFAbsoluteTimeGetCurrent: you can guess from the name that it gets the current time.
__text:00000001003F39A8 FMOV D2, #10.0
This instruction assigns the constant 10 to D2, and QQ's shake interval is exactly 10 seconds.

At this point in the analysis, simply changing the jump would in theory already give shaking with no interval (tested: the shake takes effect on the phone, but on Windows it is still the same as before; presumably the function that receives the message has its own check).
But I didn't know how to use a Tweak to modify the App's binary in memory; on Windows, directly hijacking with a patch or WriteProcessMemory would do it. I was stumped.
So I painfully reversed the function that only executes when the interval is greater than 10 s. (I won't paste the details of that process.)
Here is the code directly; my English is terrible, so experts, just smile and move on when you see the naming...
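To make the flag logic of the FCMP / FCCMP / B.MI sequence explicit, here is an added C model of the client-side throttle (not code from the post or from QQ), together with a receiver-side mirror of the same rule; the mirror is an assumption that matches the observation above that the Windows side still applies a check. It also assumes loc_1003F3C24 is the early-return path, consistent with the statement that patching the jump removes the interval.

```c
#include <stdbool.h>
#include <stdio.h>

/* Interval read from "FMOV D2, #10.0" in the disassembly. */
#define SHAKE_INTERVAL_SEC 10.0

/* Client-side gate recovered from the disassembly:
 *   FSUB  D1, D0, D1      elapsed = now - last_shake
 *   FCMP  D0, #0.0        flags from (now vs 0.0); N set when now < 0
 *   FCCMP D1, D2, #8, PL  if N clear: flags from (elapsed vs 10.0)
 *                         else: NZCV = 0b1000, i.e. N forced set
 *   B.MI  loc_1003F3C24   branch when N is set
 * Returns true when that branch is taken (assumption: it is the early-out path). */
bool client_shake_throttled(double now, double last_shake) {
    double elapsed = now - last_shake;
    if (now < 0.0)                       /* FCMP sets N; FCCMP keeps N=1 */
        return true;
    return elapsed < SHAKE_INTERVAL_SEC; /* FCCMP compares; N set when elapsed < 10 */
}

/* Receiver-side mirror of the rule (assumed, not QQ's code): the receiving peer keeps
 * its own per-sender timestamp, so a sender with the gate patched out gains nothing. */
typedef struct { double last_accepted; bool has_seen; } shake_peer_state;

bool receiver_accepts_shake(shake_peer_state *st, double arrival) {
    if (st->has_seen && arrival - st->last_accepted < SHAKE_INTERVAL_SEC)
        return false;
    st->has_seen = true;
    st->last_accepted = arrival;
    return true;
}

/* Constructed scenario: a patched client fires `count` shakes `spacing` seconds
 * apart; return how many a receiver applying the mirror rule would accept. */
int accepted_from_burst(int count, double spacing) {
    shake_peer_state st = { 0.0, false };
    int accepted = 0;
    for (int i = 0; i < count; i++)
        if (receiver_accepts_shake(&st, i * spacing))
            accepted++;
    return accepted;
}

int main(void) {
    printf("gate 5 s after last shake: throttled=%d\n", client_shake_throttled(100.0, 95.0));
    printf("receiver accepts %d of 50 shakes sent every 0.5 s\n", accepted_from_burst(50, 0.5));
    return 0;
}
```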


Tweak.xm
```objc
#import "QQShakeOffImpose.h"

%hook QQChatViewController

- (void)ActionShakeWindowMsg
{
    QQMessageModel *message = [%c(QQMessageModel) new];
    [message setLoadingState:YES];
    [message setTime:[[%c(CIMEngine) GetInstance] GetServerTimeDiff]];
    [message setContent:@"抖一抖"];
    [message setInOut:NO];
    [message setRead:1];
    [message setMsgType:157];
    [message setMsgState:1];

    QQBaseChatModel *TchatModel = [self GetBaseChatModel];
    NSString *Tuin = [TchatModel uin];
    [message setUin:Tuin];
    [message setGroupCode:nil];
    unsigned int random = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageRandom];

    unsigned short msgseq = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageSeq:[message uin].longLongValue];

    [message setMsgSeq:msgseq];
    [message setMessageRandom:random];

    [message setMsgUid:[%c(QQMessageModel) randomToUid:random]];
    QQPlatform *Tplatform = [%c(QQPlatform) sharedPlatform];
    QQServiceCenter *TserviceCenter = [Tplatform QQServiceCenter];
    C2CDBService_MultiTable *multiTableDB = [TserviceCenter C2CMultiTableDB];
    [multiTableDB insertSendMessage:message];
    QQAIOMsgModel *msgModel = [%c(QQAIOMsgModel) createAIOModelWithMessageModel:message];

    QQChatListManager *listManager = [[%c(QServiceFactory) sharedFactory] getMessageListService];

    [listManager addMessage:message];
    [self appendMessage:msgModel];
    [[%c(QQF2FMessageSender) getInstance] SendPbShakeWindowMessage:message];
}

%end
```


QQShakeOffImpose.h
```objc
@interface QServiceFactory : NSObject
+ (id)sharedFactory;
- (id)getMessageListService;
@end

@interface C2CDBService_MultiTable : NSObject
- (_Bool)insertSendMessage:(id)arg1;
@end

@interface QQServiceCenter : NSObject
{
    C2CDBService_MultiTable *m_c2cMultiTableDB;
}
- (id)C2CMultiTableDB;
@end

@interface CIMEngine : NSObject
+ (id)GetInstance;
- (int)GetServerTimeDiff;
@end

@interface QQPlatform : NSObject
+ (id)sharedPlatform;
- (id)QQServiceCenter;
@end

@interface QQMsgSyncManager : NSObject
+ (id)sharedInstance;
- (unsigned int)getC2CSendMessageRandom;
- (unsigned short)getC2CSendMessageSeq:(long long)arg1;
@end

@interface QQChatListManager : NSObject
- (void)addMessage:(id)arg1;
@end

@interface QQAIOModel : NSObject
+ (id)createAIOModelWithMessageModel:(id)arg1;
@end

@interface QQAIOMsgModel : QQAIOModel
{
}
@end

@interface QQPbMsgSenderBase : NSObject
- (int)SendPbShakeWindowMessage:(id)arg1;
@end

@interface QQF2FMessageSender : QQPbMsgSenderBase
+ (id)getInstance;
@end

@interface QQBaseChatModel : NSObject
@property(retain, nonatomic) NSString *uin;
@end

@interface QQMessageModel : NSObject
@property(nonatomic) _Bool loadingState;
@property(nonatomic) unsigned long long time;
@property(retain, nonatomic) id content;
@property(nonatomic) _Bool inOut;
@property(nonatomic) int read;
@property(nonatomic) int msgType;
@property(nonatomic, getter=msgState) int msgState;
@property(retain, nonatomic) NSString *uin;
@property(retain, nonatomic) NSString *groupCode;
@property(nonatomic) long long msgSeq;
@property(nonatomic) long long messageRandom;
@property(nonatomic) long long msgUid;

+ (unsigned long long)randomToUid:(unsigned int)arg1;

@end

@interface QQBaseChatViewController : NSObject
{
    QQBaseChatModel *_chatModel;
}
- (void)appendMessage:(id)arg1;
- (id)GetBaseChatModel;
@end

@interface QQChatViewController : QQBaseChatViewController
@end
```


Makefile
```makefile
THEOS_DEVICE_IP = 192.168.0.100 # used by make package install; can be removed if you only generate the deb
ARCHS = armv7 arm64

TARGET = iPhone:latest:7.0

include theos/makefiles/common.mk

TWEAK_NAME = QQShakeOffImpose
QQShakeOffImpose_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 QQ"
```


control
```
Package: com.brack.qqshakeoffimpose
Name: QQShakeOffImpose
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: brack
Author: brack
Section: Tweaks
```

Finally, here is a deb for anyone who wants to play with it; install it yourself.

Result:

[Figure: 4.PNG]

Attachment: com.brack.qqshakeoffimpose_1.0-1_iphoneos-arm.deb.zip (5.23 KB)

Comments

You city folk really know how to have fun  posted on 2016-1-6 14:35
City people really know how to have fun  posted on 2015-12-12 14:05
You city folk really know how to have fun.........  posted on 2015-12-6 01:08
On the PC I usually use CE to speed things up; on the phone I really had no idea, learned something new, thanks OP.  posted on 2015-12-5 21:59
Teacher B is really overbearing... 20 years of dedication. Truly the young man I had my eye on... pay this month's protection fee first.  posted on 2015-12-4 12:59
You city folk really know how to have fun  posted on 2015-12-3 23:39


z254665257 posted on 2015-12-4 13:06
You city folk really know how to have fun; nice, it can be used as that... you-know-what wand
Arm posted on 2015-12-3 23:23
空白。 posted on 2015-12-3 23:11
a73037 posted on 2015-12-3 23:11
The new QQ makes me sick just looking at it
idccc posted on 2015-12-3 23:34
Very impressive... came to pay my respects
晓贤 posted on 2015-12-3 23:35
Jumping on your coattails,,,
liuhongjun posted on 2015-12-4 00:12
You really know how to have fun, big shot; support
we2e posted on 2015-12-4 00:29
Really know how to have fun, this is great; doesn't it freeze the phone? Constant popups
知足zz posted on 2015-12-4 10:08
So awesome..
Hslim posted on 2015-12-4 10:24
This is cool; paying respects to someone who can crack iOS