关于IOS QQ6.0抖动窗口那些事

brack

初涉IOS逆向,蓄势待发,偶然被一好友无限抖动的头疼,所以就去想去看看IOS QQ是否也能无限抖动.就当练手了.
当然了,作为一只菜鸟,仅是分享自己的学习过程,大牛勿喷,么么哒.

所需工具:Reveal,IDA,theos
QQ版本:6.0.0
测试环境:ios8.4,iPhone 5s
备注:QQ为App Store安装已提前砸壳并导出头文件

首先打开QQ界面,并打开Reveal选择iphone看QQ界面的控件.因为点击抖一抖图片才会发送抖动,所以在控件的头文件或者Controller里面有响应事件.

发现控件类是QQRichControl,转至头文件去看一下.

[Objective-C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

#import "UIButton.h"    #import "AvatarServiceDelegate.h"    [url=home.php?mod=space&uid=341152]@Class[/url] NSString, UIImageView;    @interface QQRichControl : UIButton <AvatarServiceDelegate> {     NSString *_controlKey;     unsigned long long _flag;     id _userData;     _Bool _shouldShowRedPoint;     int _xo;     NSString *_imageName;     UIImageView *_redPoint; }    + (id)buttonWithFlag:(unsigned long long)arg1; + (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3; + (id)buttonWithFlag:(unsigned long long)arg1 title:(id)arg2 icon:(id)arg3 userData:(id)arg4; - (void)dealloc; - (void)didLoadImage:(id)arg1 identity:(id)arg2 type:(int)arg3 size:(int)arg4 shape:(int)arg5 avatarInfo:(id)arg6; - (struct CGRect)imageRectForContentRect:(struct CGRect)arg1; - (id)initWithFrame:(struct CGRect)arg1; - (void)loadImageWithImageName:(id)arg1 defaultImage:(id)arg2; - (id)redPoint; @property(nonatomic) _Bool shouldShowRedPoint; // [url=home.php?mod=space&uid=422403]@Dynamic[/url] shouldShowRedPoint; - (struct CGRect)titleRectForContentRect:(struct CGRect)arg1;    // Remaining properties @property(retain, nonatomic) NSString *controlKey; // @dynamic controlKey; @property(readonly, copy) NSString *debugDescription; @property(readonly, copy) NSString *description; @property(nonatomic) unsigned long long flag; // @dynamic flag; @property(readonly) unsigned long long hash; @property(readonly) Class superclass; @property(retain, nonatomic) id userData; // @dynamic userData;    @end

QQRichControl继承自UIButton,但是在头文件里面并没有发现有跟点击相关的 去Controller的头文件里面去看看

[Objective-C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

// //     Generated by class-dump 3.5 (64 bit). // //     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard. //    #import "QQBaseChatViewController.h"    #import "GetTroopMemberProtocol.h" #import "GetTroopRemarkProtocol.h" #import "UIAlertViewDelegate.h"    @class NSDictionary, NSMutableArray, NSMutableDictionary, NSString, QC2CRoamMessageService, QCCallEntry, QQAIOTipModel, QQBlueTimer, QQEncounterChatSettingController, QQMessageModel, QQNetWorkTipsView, QQPublicAccountLoadingView, QQRichMsgPreviewDialog, UIActionSheet, UIActivityIndicatorView, UIButton, UILabel, UIProgressView, UIView;    @interface QQChatViewController : QQBaseChatViewController <UIAlertViewDelegate, GetTroopMemberProtocol, GetTroopRemarkProtocol> {     UIButton *_historyButton;     UIButton *_voiceModal;     UIButton *_cardButton;     QQBlueTimer *timer;     QQBlueTimer *processTimer;     UIProgressView *progress;     UIActivityIndicatorView *act;     NSDictionary *Imagedict;     NSMutableDictionary *identDic;     _Bool ifint;     _Bool KeyBoard;     int _displayMsgCount;     _Bool _flagMsgBarInfoGroup;     int _flagMsgTmp;     NSString *_flagMsgBarValueUin;     _Bool _isReqVideActionSheetShow;     _Bool _supportInterfaceRote;     ............ }    - (void)ActionSelectVideoFromAlbum; - (void)ActionShakeWindowMsg; - (_Bool)Confirmation;        ........    @end

发现了个可疑的函数 - (void)ActionShakeWindowMsg; {:1_897:} Shake的意思是抖动的意思.(事实其实是我刚开始也不确定是不是这个,用lldb挂载QQ后下断后才确定就是抖动函数:).undefined
在IDA中 转到 [QQChatViewController ActionShakeWindowMsg];

[Asm] 纯文本查看 复制代码

?

1 2 3 4 5 6 7 8 9

__text:00000001003F3990                 MOV             X19, X0 __text:00000001003F3994                 BL              _CFAbsoluteTimeGetCurrent __text:00000001003F3998                 ADRP            X8, #qword_10368B8F8@PAGE __text:00000001003F399C                 LDR             D1, [X8,#qword_10368B8F8@PAGEOFF] __text:00000001003F39A0                 FSUB            D1, D0, D1 __text:00000001003F39A4                 FCMP            D0, #0.0 __text:00000001003F39A8                 FMOV            D2, #10.0 __text:00000001003F39AC                 FCCMP           D1, D2, #8, PL __text:00000001003F39B0                 B.MI            loc_1003F3C24

CFAbsoluteTimeGetCurrent   看函数名就猜出是获取当前时间
__text:00000001003F39A8 FMOV D2, #10.0
这句赋值给D2一个常量10,而QQ的抖动间隔正是10S的时间.

分析到这其实修改跳转就已经理论实现无间隔抖动了(经测试手机抖动有效果,Windows下还是一样,应该是接收消息的函数有判断).
但是并不会用Tweak修改App的二进制内存,在Windows下直接劫持补丁或者WriteProcesMemory就ok了.被难到了.
于是苦逼的去逆了那段间隔大于10S才执行的函数.(具体过程就不贴了)
直接贴代码,英文太渣,大牛看见命名一笑而过就好了...

Tweak.xm

[Objective-C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

#import "QQShakeOffImpose.h"    %hook QQChatViewController    - (void)ActionShakeWindowMsg {        QQMessageModel *message = [%c(QQMessageModel) new];     [message setLoadingState:YES];     [message setTime:[[%c(CIMEngine) GetInstance] GetServerTimeDiff]];     [message setContent:@"抖一抖"]; [message setInOut:NO]; [message setRead:1]; [message setMsgType:157]; [message setMsgState:1];    QQBaseChatModel *TchatModel = [self GetBaseChatModel]; NSString* Tuin = [TchatModel uin]; [message setUin:Tuin]; [message setGroupCode:nil]; unsigned int random = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageRandom];    unsigned short msgseq = [[%c(QQMsgSyncManager) sharedInstance] getC2CSendMessageSeq:[message uin].longLongValue];    [message setMsgSeq:msgseq]; [message setMessageRandom:random];    [message setMsgUid:[%c(QQMessageModel) randomToUid:random]]; QQPlatform *Tplatform = [%c(QQPlatform) sharedPlatform]; QQServiceCenter* TserviceCenter = [Tplatform QQServiceCenter]; C2CDBService_MultiTable *multiTablwDB =[TserviceCenter C2CMultiTableDB]; [multiTablwDB insertSendMessage:message]; QQAIOMsgModel *msgModel = [%c(QQAIOMsgModel) createAIOModelWithMessageModel:message];    QQChatListManager* listManager = [[%c(QServiceFactory) sharedFactory] getMessageListService];    [listManager addMessage:message]; [self appendMessage:msgModel]; [[%c(QQF2FMessageSender) getInstance] SendPbShakeWindowMessage:message];    }    %end

QQShakeOffImpose.h

[Objective-C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91

@interface QServiceFactory : NSObject + (id)sharedFactory; - (id)getMessageListService; @end    @interface C2CDBService_MultiTable : NSObject - (_Bool)insertSendMessage:(id)arg1; @end    @interface QQServiceCenter : NSObject {     C2CDBService_MultiTable *m_c2cMultiTableDB; } - (id)C2CMultiTableDB; @end    @interface CIMEngine : NSObject + (id)GetInstance; - (int)GetServerTimeDiff; @end       @interface QQPlatform : NSObject + (id)sharedPlatform; - (id)QQServiceCenter; @end    @interface QQMsgSyncManager : NSObject    + (id)sharedInstance; - (unsigned int)getC2CSendMessageRandom; - (unsigned short)getC2CSendMessageSeq:(long long)arg1; @end    @interface QQChatListManager : NSObject - (void)addMessage:(id)arg1; @end    @interface QQAIOModel : NSObject + (id)createAIOModelWithMessageModel:(id)arg1; @end    @interface QQAIOMsgModel : QQAIOModel { } @end    @interface QQPbMsgSenderBase : NSObject - (int)SendPbShakeWindowMessage:(id)arg1; @end    @interface QQF2FMessageSender : QQPbMsgSenderBase + (id)getInstance; @end    @interface QQBaseChatModel : NSObject @property(retain, nonatomic) NSString *uin; @end       @interface QQMessageModel : NSObject @property(nonatomic) _Bool loadingState; @property(nonatomic) unsigned long long time; @property(retain, nonatomic) id content; @property(nonatomic) _Bool inOut; @property(nonatomic) int read; @property(nonatomic) int msgType; @property(nonatomic, getter=msgState) int msgState; @property(retain, nonatomic) NSString *uin; @property(retain, nonatomic) NSString *groupCode; @property(nonatomic) long long msgSeq; @property(nonatomic) long long messageRandom; @property(nonatomic) long long msgUid;    + (unsigned long long)randomToUid:(unsigned int)arg1;    @end             @interface QQBaseChatViewController : NSObject {         QQBaseChatModel *_chatModel; } - (void)appendMessage:(id)arg1; - (id)GetBaseChatModel; @end    @interface QQChatViewController : QQBaseChatViewController @end

Makefile

[C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14

THEOS_DEVICE_IP = 192.168.0.100 [color=#ff00ff]//此行为make package install使用 生成deb可删除[/color] ARCHS = armv7 arm64    TARGET = iPhone:latest:7.0    include theos/makefiles/common.mk    TWEAK_NAME = QQShakeOffImpose QQShakeOffImpose_FILES = Tweak.xm    include $(THEOS_MAKE_PATH)/tweak.mk    after-install::     install.exec "killall -9 QQ"

control

[Objective-C] 纯文本查看 复制代码

?

1 2 3 4 5 6 7 8 9

Package: com.brack.qqshakeoffimpose Name: QQShakeOffImpose Depends: mobilesubstrate Version: 0.0.1 Architecture: iphoneos-arm Description: An awesome MobileSubstrate tweak! Maintainer: brack Author: brack Section: Tweaks

最后给想玩的朋友一个deb自行安装.{:1_914:}

效果图:

z254665257

你们城里人真会玩啊  可以的 可以当那什么棒使用了

Arm

膜拜大B哥{:1_931:}{:1_931:}

空白。

大牛  膜拜

a73037

新版QQ看到就感觉恶心

idccc

非常牛····前来膜拜

晓贤

抱大腿，，，

liuhongjun

会玩哦大神,支持

we2e

真会玩 这个厉害 不卡机啊 老弹窗

知足zz

好牛掰啊。。

Hslim

这个吊，膜拜会crack的IOS