申请会员ID：dlmlzz6【申请通过】

吾爱游客 *发表于 2017-3-16 16:48* · 发表于 2017-3-16 16:48

1、申请 I D ：dlmlzz6
2、个人邮箱：dlmlzz6@qq.com
3、原创技术文章：CSDN博客http://blog.csdn.net/dlmlzz09本人专注于iOS的App开发，有多款作品，自己本人也有1个app《摄影神器》在Appstore上，地址https://itunes.apple.com/cn/app/id1210244471?mt=8也涉足过cocos2dx游戏开发，最近在做iOS的App Hook开发，希望能加入吾爱破解，互相学习提高。下面是破解iOS版微信自动抢红包的分析过程和代码。
原理Objective-C 是一门动态语言，我们可以利用OC的Runtime动态的替换App原有的函数，来达到我们（不可告人）的目的。OC 中对某个对象的方法的调用并不像 C++ 一样直接取得方法的实现的偏移值来调用，所以 C++ 方法与实现的关系在编译时就可确定。而 OC 中方法和实现的关系是在运行时决定的。在调用某个对象的方法时，实际上是调用了 obj_msgsend 向对象发送一个名称为方法名的消息，而我们可以替换这个响应这个消息的实现内容。OC 中比较有力的动态特性 Method Swizzing 就是建立在这个基础之上。
简单来说就是以下三句代码：Method originalMethod = class_getInstanceMethod(theClass, originalSelector); Method newMethod = class_getInstanceMethod(theClass, newSelector); method_exchangeImplementations(originalMethod, newMethod);

1
2
3

1
2
3

这样一来，原来调用originalSelector函数，都会指向我们的newSelector函数，以此实现HOOK。第1步：砸壳首先ssh连上越狱iOS设备，执行ps -e查找微信的app地址

这里的app路径是/var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChat，记下来先。
然后进入Cycript，查找出微信的Documents目录

把这个路径记下来/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents/
然后退出cycript，cd到documents目录下，执行以下命令：adminde-iPhone:~ root# adminde-iPhone:/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChatmach-o decryption dumperDISCLAIMER: This tool is only meant for security research purposes, not for application crackers.[+] detected 32bit ARM binary in memory.[+] offset to cryptid found: @0xd7a4c(from 0xd7000) = a4c[+] Found encrypted data at address 00004000 of length 49463296 bytes - type 1.[+] Opening /private/var/mobile/Containers/Bundle/Application/690828B8-B63F-4FAC-B7CC-DEFD8E23AF46/WeChat.app/WeChat for reading.[+] Reading header[+] Detecting header type[+] Executable is a FAT image - searching for right architecture[+] Correct arch is at offset 16384 in the file[+] Opening WeChat.decrypted for writing.[+] Copying the not encrypted start of the file[+] Dumping the decrypted data into the file[+] Copying the not encrypted remainder of the file[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c[+] Closing original file[+] Closing dump fileadminde-iPhone:/var/mobile/Containers/Data/Application/2B65DCC1-9FAD-41C8-A5EC-C3D9326EE3D6/Documents root# ls WeChat.decrypted

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

WeChat.decrypted文件就是我们砸壳后的二进制文件，我们可以拷贝到Mac上，各种工具都可以用上了。第2步：导出头文件使用class-dump，将我们砸壳出来的二进制文件的头文件导出来：admindeMac-mini:微信6.5.5 admin$ class-dump --arch armv7 -s -S -H WeChat.decrypted -o headers/admindeMac-mini:微信6.5.5 admin$ ls headers/AAAlertItem.hAACloseNotifyReq.hAACloseNotifyRes.hAACloseReq.hAACloseRes.hAALaunchByMoneyReq.hAALaunchByMoneyRes.hAALaunchByPersonReq.hAALaunchByPersonRes.hAALaunchItem.hAAListRecord.hAAOperationReq.hAAOperationRes.hAAPayReq.hAAPayRes.h

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

可以看到微信的头文件有8500多个（汗），如此茫茫代码海出如何找出我们需要的那一部分呢？第2步：精准定位我们想要HOOK的代码iOS开发是遵循MVC模式的，所以我们需要找到这个M模型层来找到我需要的业务逻辑代码。抢红包的原理是通过截取微信收到了红包消息，然后直接调用打开红包的接口来实现自动抢红包。
通过查找发现CMessageMgr这个类就是用来管理各种消息的，查看CMessageMgr.h头文件- (void)AddAppMsg:(id)arg1 MsgWrap:(id)arg2 Data:(id)arg3 Scene:(unsigned long)arg4;- (void)AddAppMsg:(id)arg1 MsgWrap:(id)arg2 DataPath:(id)arg3 Scene:(unsigned long)arg4;- (BOOL)AddBackupMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddEmoticonMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddFloatBottle:(id)arg1 MsgWrap:(id)arg2;- (void)AddHelloMsg:(id)arg1 MsgWrap:(id)arg2 HelloUser:(id)arg3 OpCode:(unsigned long)arg4 DES:(unsigned long)arg5 checkCreateTime:(BOOL)arg6 status:(unsigned long)arg7;- (void)AddHelloMsgList:(id)arg1 MsgList:(id)arg2;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2 fixTime:(BOOL)arg3 NewMsgArriveNotify:(BOOL)arg4;- (void)AddLocalMsg:(id)arg1 MsgWrap:(id)arg2 fixTime:(BOOL)arg3 NewMsgArriveNotify:(BOOL)arg4 Unique:(BOOL)arg5;- (void)AddMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddMsgPattern:(id)arg1;- (void)AddPimMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddRecordMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddShortVideoLocalMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3 MsgType:(unsigned long)arg4;- (void)AddShortVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3;- (void)AddUniqueLocalMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AddVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3;- (void)AddVideoMsg:(id)arg1 ToUsr:(id)arg2 VideoInfo:(id)arg3 MsgType:(unsigned long)arg4;- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnAddMsgForSession:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnAddMsgForSession:(id)arg1 MsgWrap:(id)arg2 NewMsgArriveNotify:(BOOL)arg3;- (void)AsyncOnAddMsgListForSession:(id)arg1 NotifyUsrName:(id)arg2;- (void)AsyncOnCheckQQ;- (void)AsyncOnDelMsg:(id)arg1;- (void)AsyncOnDelMsg:(id)arg1 DelAll:(BOOL)arg2;- (void)AsyncOnDelMsg:(id)arg1 MsgWrap:(id)arg2;- (void)AsyncOnModMsg:(id)arg1 MsgWrap:(id)arg2;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

通过猜想假设，再加上编写Tweak脚本测试，发现我们想要的接受消息的函数是AsyncOnAddMsg这个函数。找到接受消息的函数后接下来，我们要找打开红包的函数。
在头文件目录下搜索OpenRedEnvelopegrep -nR 'OpenRedEnvelope' ././/WCAtomicRedEnvReceiveHomeView.h:15: UIButton *m_oOpenRedEnvelopesButton;.//WCAtomicRedEnvReceiveHomeView.h:31:- (void)OnOpenRedEnvelopes;.//WCAtomicRedEnvReceiveHomeViewDelegate-Protocol.h:12:- (void)WCAtomicRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCFestivalRedEnvFinishView.h:28:- (void)OnOpenRedEnvelopes;.//WCFestivalRedEnvReceiveHomeView.h:31:- (void)OnOpenRedEnvelopes;.//WCFestivalRedEnvReceiveHomeViewDelegate-Protocol.h:12:- (void)WCFestivalRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCFestivalRedEnvShareView.h:28:- (void)OnOpenRedEnvelopes;.//WCRedEnvelopesControlData.h:31: NSDictionary *m_structDicAfterOpenRedEnvelopesInfo;.//WCRedEnvelopesControlData.h:49

property(retain, nonatomic) NSDictionary *m_structDicAfterOpenRedEnvelopesInfo; // @synthesize m_structDicAfterOpenRedEnvelopesInfo;.//WCRedEnvelopesEnterpriseControlLogic.h:39:- (void)WCFestivalRedEnvReceiveHomeViewOpenRedEnvelopes:(_Bool)arg1;.//WCRedEnvelopesGreetingReceiveControlLogic.h:37:- (void)OnOpenRedEnvelopesRequest:(id)arg1 Error:(id)arg2;.//WCRedEnvelopesGreetingReceiveControlLogic.h:52:- (void)WCRedEnvelopesReceiveHomeViewOpenRedEnvelopes;.//WCRedEnvelopesLogicMgr.h:42:- (void)OpenRedEnvelopesRequest:(id)arg1;

1
2
3
4
5
6
7
8
9
10
11
12
13
14

1
2
3
4
5
6
7
8
9
10
11
12
13
14

我们猜想WCRedEnvelopesLogicMgr.h里面的OpenRedEnvelopesRequest函数就是我们要找的目标函数，经常反复的测试和验证，这个函数确实是我们要的打开红包的函数。第3步：写代码完成开发经历了以上分析和验证的过程，写代码对于HOOK来说反而是很简单的水到渠成。具体抢红包的代码如下：@class CMessageMgr;CHDeclareClass(CMessageMgr);CHOptimizedMethod(2, self, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) { CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2); Ivar uiMessageTypeIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_uiMessageType"); ptrdiff_t offset = ivar_getOffset(uiMessageTypeIvar); unsigned char *stuffBytes = (unsigned char *)(__bridge void *)arg2; NSUInteger m_uiMessageType = * ((NSUInteger *)(stuffBytes + offset)); Ivar nsFromUsrIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_nsFromUsr"); id m_nsFromUsr = object_getIvar(arg2, nsFromUsrIvar); Ivar nsContentIvar = class_getInstanceVariable(objc_getClass("CMessageWrap"), "m_nsContent"); id m_nsContent = object_getIvar(arg2, nsContentIvar); switch(m_uiMessageType) { case 1: { } break; case 49: { // 49=红包 //微信的服务中心 Method methodMMServiceCenter = class_getClassMethod(objc_getClass("MMServiceCenter"), @selector(defaultCenter)); IMP impMMSC = method_getImplementation(methodMMServiceCenter); id MMServiceCenter = impMMSC(objc_getClass("MMServiceCenter"), @selector(defaultCenter)); //红包控制器 id logicMgr = ((id (*)(id, SEL, Class))objc_msgSend)(MMServiceCenter, @selector(getService:), objc_getClass("WCRedEnvelopesLogicMgr")); //通讯录管理器 id contactManager = ((id (*)(id, SEL, Class))objc_msgSend)(MMServiceCenter, @selector(getService:),objc_getClass("CContactMgr")); Method methodGetSelfContact = class_getInstanceMethod(objc_getClass("CContactMgr"), @selector(getSelfContact)); IMP impGS = method_getImplementation(methodGetSelfContact); id selfContact = impGS(contactManager, @selector(getSelfContact)); if ([m_nsContent rangeOfString

"wxpay://"].location != NSNotFound) { NSString *nativeUrl = m_nsContent; NSRange rangeStart = [m_nsContent rangeOfString

"wxpay://c2cbizmessagehandler/hongbao"]; if (rangeStart.location != NSNotFound) { NSUInteger locationStart = rangeStart.location; nativeUrl = [nativeUrl substringFromIndex:locationStart]; } NSRange rangeEnd = [nativeUrl rangeOfString

"]]"]; if (rangeEnd.location != NSNotFound) { NSUInteger locationEnd = rangeEnd.location; nativeUrl = [nativeUrl substringToIndex:locationEnd]; } NSString *naUrl = [nativeUrl substringFromIndex:[@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length]]; NSArray *parameterPairs =[naUrl componentsSeparatedByString

"&"]; NSMutableDictionary *parameters = [NSMutableDictionary dictionaryWithCapacity:[parameterPairs count]]; for (NSString *currentPair in parameterPairs) { NSRange range = [currentPair rangeOfString

"="]; if(range.location == NSNotFound) continue; NSString *key = [currentPair substringToIndex:range.location]; NSString *value =[currentPair substringFromIndex:range.location + 1]; [parameters setObject:value forKey:key]; } //红包参数 NSMutableDictionary *params = [@{} mutableCopy]; [params setObject:parameters[@"msgtype"]?

"null" forKey

"msgType"]; [params setObject:parameters[@"sendid"]?

"null" forKey

"sendId"]; [params setObject:parameters[@"channelid"]?:@"null" forKey:@"channelId"]; id getContactDisplayName = objc_msgSend(selfContact, @selector(getContactDisplayName)); id m_nsHeadImgUrl = objc_msgSend(selfContact, @selector(m_nsHeadImgUrl)); [params setObject:getContactDisplayName forKey:@"nickName"]; [params setObject:m_nsHeadImgUrl forKey:@"headImg"]; [params setObject:[NSString stringWithFormat:@"%@", nativeUrl]?:@"null" forKey:@"nativeUrl"]; [params setObject:m_nsFromUsr?:@"null" forKey:@"sessionUserName"]; ((void (*)(id, SEL, NSMutableDictionary*))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params); return; } break; } default: break; }}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

以上就是微信抢红包的分析和代码过程，采用的是越狱方式开发，打包的dylib动态链接库文件是直接注入到系统文件目录里面的。至于非越狱开发，要更复杂一点，涉及到原始app文件的解包，修改，添加动态链接库，然后再签名打包的一系列复杂过程。

Hmily · 发表于 2017-3-17 18:00

复制过来的好乱啊，在博客发个贴说明这个帖子是本人申请的吧。

吾爱游客 *发表于 2017-3-19 20:20* · 发表于 2017-3-19 20:20

编辑的时候显示好好的，CSDN我已发了个博文
http://blog.csdn.net/dlmlzz09/article/details/63688579

Hmily · 发表于 2017-3-20 14:49

ID：dlmlzz6
邮箱：dlmlzz6@qq.com

申请通过，欢迎光临吾爱破解论坛，期待吾爱破解有你更加精彩，ID和密码自己通过邮件密码找回功能修改，请即时登陆并修改密码！
登陆后请在一周内在此帖报道，否则将删除ID信息。

dlmlzz6 · 发表于 2017-3-21 00:56

感谢版主通过申请，在此报到！

dlmlzz6 · 发表于 2017-3-22 11:06

@Hmily 已经报道了

帐号		自动登录	找回密码
密码			注册[Register]

选中篇:

[会员申请] 申请会员ID：dlmlzz6【申请通过】

个人中心


	选中篇: 置顶\|

选中 篇:

[会员申请] 申请会员ID：dlmlzz6【申请通过】

个人中心

选中篇: