iOS逆向记录(五)微信抢红包第一篇

2017-09-14  本文已影响198人  Flonger

14. 项目实战(微信抢红包插件)

14.1 定位红包消息响应方法

14.1.1 砸壳和导出头文件以供分析用

详细过程见笔记第7章

 DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat
  
class-dump -s -S -H WeChat.decrypted -o ./MyHeaders

14.1.2 借助cycript来动态分析界面定位视图控制器(ViewController)

  cycript -p WeChat
 [[UIApp keyWindow] recursiveDescription].toString()
 或者
 UIApp.keyWindow.recursiveDescription().toString()
 <UIView: 0x14eaed070; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x14eafa130>>
  
 //使用nextResponder找到视图控制器(ViewController)
 cy# [#0x14eaed070 nextResponder]
 #"<BaseMsgContentViewController: 0x14f1dc200>"
 ➜ ls -al *BaseMsgContentViewController*
 -rw-r--r--  1 liuzhongzheng  staff  26105 Aug 25 15:59 BaseMsgContentViewController.h

14.1.3 借助Reveal来动态分析界面定位视图控制器(ViewController)

14.1.4 借助theos模块Logify来精确定位消息响应方法

/opt/theos/bin/logify.pl ../WeChat/Headers/BaseMsgContentViewController.h > Tweak.xm
make package
make install
tail -f /var/log/syslog | grep WeChat
 
[<BaseMsgContentViewController: 0x1368e9c00> addMessageNode:{m_uiMesLocalID=38, m_ui64MesSvrID=6021494297990342718, m_nsFromUsr=wxi*431~19, m_nsToUsr=wxi*r12~19, m_uiStatus=4, type=1, msgSource="<msgsource><sequence_id>649531066</sequence_id></msgsource>"}  layout:1 addMoreMsg:0]
 
//定位到与消息响应相关的方法
// Logos hook as emitted by logify.pl: %log writes the receiver, selector and every
// argument to the system log (this is where the addMessageNode: line above came from),
// %orig then forwards to WeChat's original implementation so behaviour is unchanged.
- (void)addMessageNode:(id)arg1 layout:(_Bool)arg2 addMoreMsg:(_Bool)arg3 { %log; %orig; }

14.1.5 借助lldb进行动态调试

 Flongers-iPhone:/Developer/usr/bin root# ls
 DTDeviceArbitration*  ScreenShotr*  XcodeDeviceMonitor*  debugserver*  iprofiler*  xctest*
 lldb 
 process connect connect://192.168.1.113:9527  //ip是iPhone的地址,端口要一致
 //把本地2222端口转发到iOS的22(ssh)端口
 ./tcprelay.py -t 22:2222
 Forwarding local port 2222 to remote port 22

 //ssh进行连接 - localhost(127.0.0.1)是本地主机(本机的标准域名)
 ssh root@localhost -p 2222   
image list -o -f 
 
(lldb) image list -o -f
[  0] 0x0000000000054000 /private/var/mobile/Containers/Bundle/Application/749DC69A-3A8D-4B5C-9926-1220E69FC85F/WeChat.app/WeChat(0x0000000100054000)

偏移后模块基地址 = 偏移前模块基地址 + 模块的ASLR偏移
偏移后符号基地址 = 偏移前符号基地址 + 符号所在模块的ASLR偏移(一般用在这儿)
偏移后指令基地址 = 偏移前指令基地址 + 指令所在模块的ASLR偏移
 -[BaseMsgContentViewController addMessageNode:layout:addMoreMsg:]:
0000000101dcbb0c         db  0xe9 ; '.'                                         
0000000101dcbb0d         db  0x23 ; '#'
(lldb) bt
   * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
     * frame #0: 0x0000000101defb0c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 23979876
       frame #1: 0x0000000102035434 WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26361996
       frame #2: 0x000000010202059c WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 26276340
       frame #3: WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 34703800
       frame #4: 0x0000000187955f9c Foundation`__NSThreadPerformPerform + 372
       frame #5: 0x0000000186a0c240 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
       frame #6: 0x0000000186a0b4e4 CoreFoundation`__CFRunLoopDoSources0 + 264
       frame #7: 0x0000000186a09594 CoreFoundation`__CFRunLoopRun + 712
       frame #8: 0x00000001869352d4 CoreFoundation`CFRunLoopRunSpecific + 396
       frame #9: 0x00000001901536fc GraphicsServices`GSEventRunModal + 168
       frame #10: 0x000000018b4fafac UIKit`UIApplicationMain + 1488
       frame #11: 0x00000001000bab5c WeChat`_mh_execute_header + 617308
       frame #12: 0x00000001988a6a08 libdyld.dylib`start + 4
  
 //计算函数地址
偏移后符号基地址 = 偏移前符号基地址 + 符号所在模块的ASLR偏移
偏移后符号基地址 - 符号所在模块的ASLR偏移 = 偏移前符号基地址
0x0000000101e3db24 -  00000000000f4000 =  101D49B24
// Minimal declaration of WeChat's message wrapper so the CMessageMgr hook below can
// message its getters; it is never instantiated from the tweak. The properties tagged
// "@synthesize" are copied verbatim from the class-dump output; the first two look
// hand-written (different attribute spelling, no class-dump marker), so their types are
// the author's guess — the %zd format used on m_uiMessageType assumes NSInteger is right.
// No superclass is declared here; a class-dump header would normally show one.
@interface CMessageWrap
  @property (nonatomic, strong) NSString* m_nsContent;
  @property (nonatomic, assign) NSInteger m_uiMessageType;
  @property(retain, nonatomic) NSString *m_nsFromUsr;
  @property(retain, nonatomic) NSString *m_nsToUsr; 

  @property(retain, nonatomic) NSString *m_nsAtUserList; // @synthesize m_nsAtUserList;
  @property(retain, nonatomic) NSString *m_nsBizChatId; // @synthesize m_nsBizChatId;
  @property(retain, nonatomic) NSString *m_nsBizClientMsgID; // @synthesize m_nsBizClientMsgID;
  @property(retain, nonatomic) NSString *m_nsDisplayName; // @synthesize m_nsDisplayName;
  @property(retain, nonatomic) NSString *m_nsKFWorkerOpenID; // @synthesize m_nsKFWorkerOpenID;
  @property(retain, nonatomic) NSString *m_nsMsgSource; // @synthesize m_nsMsgSource;
  @property(retain, nonatomic) NSString *m_nsPattern; // @synthesize m_nsPattern;
  @property(retain, nonatomic) NSString *m_nsPushContent; // @synthesize m_nushContent;
  @property(retain, nonatomic) NSString *m_nsRealChatUsr; // @synthesize m_nsRealChatUsr;
  @end
   
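  %hook CMessageMgr
  // Hook on the message-arrival callback. The original implementation runs first
  // (%orig), then every field of the wrapper is dumped via NSLog so the payload of
  // each message type can be studied; the numeric type codes branched on below
  // (1, 3, 49) were read off that output.
  //
  // Everything here ends up in the system log in plaintext (see the
  // `tail -f /var/log/syslog` step above): message text plus sender and recipient
  // ids. This is analysis output only — remove it before any build leaves the
  // test device.
  - (void)AsyncOnAddMsg:(NSString *)wxid MsgWrap:(CMessageWrap *)wrap {
    %orig;

    // Read each wrapped field once. The getters come from the class-dumped
    // CMessageWrap declaration; if wrap is nil they all yield nil / 0.
    NSInteger uiMessageType = [wrap m_uiMessageType];
    NSString* content = [wrap m_nsContent];
    NSString* nsFromUsr = [wrap m_nsFromUsr];
    NSString* nsToUsr = [wrap m_nsToUsr];
    NSString* nsAtUserList = [wrap m_nsAtUserList];
    NSString* nsBizChatId = [wrap m_nsBizChatId];
    NSString* nsBizClientMsgID = [wrap m_nsBizClientMsgID];
    NSString* nsKFWorkerOpenID = [wrap m_nsKFWorkerOpenID];
    NSString* nsMsgSource = [wrap m_nsMsgSource];
    NSString* nsDisplayName = [wrap m_nsDisplayName];
    NSString* nsPattern = [wrap m_nsPattern];
    NSString* nsRealChatUsr = [wrap m_nsRealChatUsr];
    NSString* nsPushContent = [wrap m_nsPushContent];

    // Raw dump of the whole wrapper, one line per message.
    NSLog(@"m_uiMessageType=%zd m_nsContent=%@ m_nsFromUsr=%@ m_nsToUsr=%@ m_nsAtUserList=%@ m_nsBizChatId=%@ m_nsBizClientMsgID=%@ m_nsDisplayName=%@ m_nsKFWorkerOpenID=%@ m_nsMsgSource=%@ m_nsPattern=%@ m_nsPushContent=%@ m_nsRealChatUsr=%@",
          uiMessageType,
          content,
          nsFromUsr,
          nsToUsr,
          nsAtUserList,
          nsBizChatId,
          nsBizClientMsgID,
          nsDisplayName,
          nsKFWorkerOpenID,
          nsMsgSource,
          nsPattern,
          nsPushContent,
          nsRealChatUsr);

    // Coarse classification by message type.
    if (1 == uiMessageType) { // plain text message
      if (0 == nsPushContent.length) {
        // The author treats an empty push content as a message sent from this
        // account. The explicit nil check is required: -rangeOfString: sent to a
        // nil receiver returns a zeroed NSRange, whose location (0) is != NSNotFound,
        // so a missing recipient would otherwise be misreported as the file helper.
        BOOL toFileHelper = (nsToUsr != nil &&
                             [nsToUsr rangeOfString:@"filehelper"].location != NSNotFound);
        if (toFileHelper) {
          NSLog(@"[文件助手: %@]", content);
        } else {
          NSLog(@"[我: %@]", content);
        }
      } else {
        NSLog(@"[%@]", nsPushContent);
      }
    } else if (3 == uiMessageType) { // image message
      NSLog(@"收到图片消息");
    } else if (49 == uiMessageType) { // red-packet (app) message
      NSLog(@"收到红包消息");
    }
  }
  %end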