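[HOOK Injection] [Reverse Analysis] [Original] iOS WeChat Reverse Engineering: Red Packet Grabbing, Anti-Revoke and Other Custom Features Without a Jailbreak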
2021-2-10 08:48 4188

Environment

Item                  Version
Operating system      macOS Mojave 10.14.6
Phone                 iPhone 6, iOS 12
theos (on the Mac)    latest
Xcode                 11.3.1
MonkeyDev             -

Results

WeChat step count

Anti-revoke

Automatic red packet grabbing
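Decrypting WeChat

Decrypt the app with CrackerXI+, or manually with dumpdecrypted.

The WeChat version I use here is 8.0.0.

Export the decrypted wechat.ipa using scp or a device assistant tool.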

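MonkeyDev

MonkeyDev is integrated into Xcode. It lets you quickly develop hook code and link it into the Mach-O file, and it supports jailbreak-free installation of the modified ipa.

Create a new MonkeyDev project.

Drag the decrypted WeChat ipa into the TargetApp directory of the project.

Run to build and debug on a real device.

Open the WeChat settings page, then open Debug View Hierarchy in Xcode to inspect the view hierarchy.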

Add a control: class WCTableViewManager

%hook NewSettingViewController
- (void)reloadTableData {
    %orig;
    // Read the private table-view manager ivar of the settings controller
    WCTableViewManager *tableViewMgr = MSHookIvar<id>(self, "m_tableViewMgr");
    MMTableView *tableView = [tableViewMgr getTableView];
    // Build a new cell that calls -setting when tapped and append it to the first section
    WCTableViewNormalCellManager *newCell = [%c(WCTableViewNormalCellManager) normalCellForSel:@selector(setting) target:self title:@"你懂的"];
    [((WCTableViewSectionManager *)tableViewMgr.sections[0]) addCell:newCell];
    [tableView reloadData];
}

%new
- (void)setting {
    UIViewController *vc = [[HZWechatSettingController alloc] init];
    [((UIViewController *)self).navigationController pushViewController:vc animated:YES];
}

%end

Add options for automatic red packet grabbing, message anti-revoke, and WeChat step count modification

WCTableViewCellManager *autoEnvelopCell = [HZWechat switchCellWithSel:@selector(autoEnvelopSwitchChange:) target:self title:@"自动抢红包" switchOn:[HZWechatConfig autoRedEnvelop]];
[nidongde addCell:autoEnvelopCell];
 
WCTableViewCellManager *revokeIntercept = [HZWechat switchCellWithSel:@selector(revokeIntercept:) target:self title:@"消息防撤回" switchOn:[HZWechatConfig preventRevoke]];
[nidongde addCell:revokeIntercept];
 
WCTableViewCellManager *changeStepsCell = [HZWechat switchCellWithSel:@selector(changedSteps:) target:self title:@"修改微信步数" switchOn:[HZWechatConfig changeSteps]];
[nidongde addCell:changeStepsCell];

 

Hook red packet messages to grab them automatically

BOOL (^shouldReceiveRedEnvelop)() = ^BOOL() {
    if (!HZWechatConfig.autoRedEnvelop) { return NO; }
    if (isGroupInBlackList()) { return NO; }
    if (isContaintKeyWords()) { return NO; }
    return isGroupReceiver() ||
           (isGroupSender() && isReceiveSelfRedEnvelop()) ||
           (!isGroupReceiver() && HZWechatConfig.personalRedEnvelopEnable);
};

NSDictionary *(^parseNativeUrl)(NSString *nativeUrl) = ^(NSString *nativeUrl) {
    nativeUrl = [nativeUrl substringFromIndex:[@"wxpay://c2cbizmessagehandler/hongbao/receivehongbao?" length]];
    return [%c(WCBizUtil) dictionaryWithDecodedComponets:nativeUrl separator:@"&"];
};

Anti-revoke implementation

%hook CMessageMgr
- (void)onRevokeMsg:(CMessageWrap *)arg1 {

    if (HZWechatConfig.preventRevoke) {
        NSString *msgContent = arg1.m_nsContent;

        // Return the text between paramBegin and paramEnd, or nil if either marker is missing
        NSString *(^parseParam)(NSString *, NSString *, NSString *) = ^NSString *(NSString *content, NSString *paramBegin, NSString *paramEnd) {
            NSRange begin = [content rangeOfString:paramBegin];
            NSRange end = [content rangeOfString:paramEnd];
            if (begin.location == NSNotFound || end.location == NSNotFound || NSMaxRange(begin) > end.location) {
                return nil;
            }
            NSUInteger startIndex = NSMaxRange(begin);
            NSRange range = NSMakeRange(startIndex, end.location - startIndex);
            return [content substringWithRange:range];
        };

        NSString *session = parseParam(msgContent, @"<session>", @"</session>");
        NSString *newmsgid = parseParam(msgContent, @"<newmsgid>", @"</newmsgid>");
        NSString *fromUsrName = parseParam(msgContent, @"<![CDATA[", @"撤回了一条消息");
        if (!session || !newmsgid || !fromUsrName) {   // unexpected payload: keep the original behaviour
            %orig;
            return;
        }
        CMessageWrap *revokemsg = [self GetMsg:session n64SvrID:[newmsgid integerValue]];

        CContactMgr *contactMgr = [[objc_getClass("MMServiceCenter") defaultCenter] getService:objc_getClass("CContactMgr")];
        CContact *selfContact = [contactMgr getSelfContact];
        NSString *newMsgContent = @"";

        if ([revokemsg.m_nsFromUsr isEqualToString:selfContact.m_nsUsrName]) {
            if (revokemsg.m_uiMessageType == 1) {       // check whether it is a text message
                newMsgContent = [NSString stringWithFormat:@"拦截到你撤回了一条消息:\n %@",revokemsg.m_nsContent];
            } else {
                newMsgContent = @"拦截到你撤回一条消息";
            }
        } else {
            if (revokemsg.m_uiMessageType == 1) {
                newMsgContent = [NSString stringWithFormat:@"拦截到一条 %@撤回消息:\n %@",fromUsrName, revokemsg.m_nsContent];
            } else {
                newMsgContent = [NSString stringWithFormat:@"拦截到一条 %@撤回消息",fromUsrName];
            }
        }

        CMessageWrap *newWrap = ({
            CMessageWrap *msg = [[%c(CMessageWrap) alloc] initWithMsgType:0x2710];
            [msg setM_nsFromUsr:revokemsg.m_nsFromUsr];
            [msg setM_nsToUsr:revokemsg.m_nsToUsr];
            [msg setM_uiStatus:0x4];
            [msg setM_nsContent:newMsgContent];
            [msg setM_uiCreateTime:[arg1 m_uiCreateTime]];

            msg;
        });

        [self AddLocalMsg:session MsgWrap:newWrap fixTime:0x1 NewMsgArriveNotify:0x0];
        return;
    }
    %orig;
}

%end

Modify the WeChat Sports step count

%hook WCDeviceStepObject
-(NSInteger)m7StepCount {
    NSInteger stepCount = %orig;
    NSInteger newStepCount = HZWechatConfig.changedSteps;
 
    return HZWechatConfig.changeSteps ? newStepCount : stepCount;
}
 
-(NSInteger)hkStepCount {
    NSInteger stepCount = %orig;
    NSInteger newStepCount = HZWechatConfig.changedSteps;
 
    return HZWechatConfig.changeSteps ? newStepCount : stepCount;
}
 
%end

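After self-signing and repackaging, multiple instances can be installed side by side; it works even better together with AltDeploy + AltStore.

Thanks

MonkeyDev
WeChatRedEnvelop
[iOS应用逆向与安全之道] (iOS Application Reverse Engineering and Security)

Finally

Happy New Year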



Last edited by HaDazs on 2021-2-10 08:49, reason:
Latest replies (2)
romobin 2021-2-10 18:06
So powerful, but without the hands-on skills I can't make use of it anyway.
wanttobeno 2021-2-23 11:38
Thanks to the expert for the selfless sharing.